diff --git a/flake.lock b/flake.lock
index 30cea79..97665ed 100644
--- a/flake.lock
+++ b/flake.lock
@@ -539,11 +539,11 @@
},
"nix-secrets": {
"locked": {
- "lastModified": 1739193599,
- "narHash": "sha256-oJBav9MiFmhZxQWt6si1T5QQuhxWqGOOQNekeJABaXU=",
+ "lastModified": 1739387047,
+ "narHash": "sha256-KpogJP00vwuMIKkGJff3zp0YfV9GfOG//UzMK4nWWUw=",
"ref": "refs/heads/master",
- "rev": "0d69dc15bea7b1a99fce08ea8517f392cbc253ee",
- "revCount": 278,
+ "rev": "be51e237b5b3d441a194f3e516175f6a543aee35",
+ "revCount": 280,
"type": "git",
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
},
diff --git a/hosts/common/optional/nginx/xmpp.nix b/hosts/common/optional/nginx/xmpp.nix
index dc4d7a8..568a5ff 100644
--- a/hosts/common/optional/nginx/xmpp.nix
+++ b/hosts/common/optional/nginx/xmpp.nix
@@ -2,7 +2,7 @@
email = configVars.email.user;
xmppDomain = configVars.domains.xmpp;
xmppIp = configVars.networking.addresses.xmpp.localAddress;
- xmppPort = configVars.networking.addresses.xmpp.port;
+ xmppPort = configVars.networking.addresses.xmpp.ports.xmpp-c2s;
in {
networking.firewall.allowedTCPPorts = [80 443];
users.groups.www-data = {
diff --git a/hosts/common/optional/nixos-containers/xmpp.nix b/hosts/common/optional/nixos-containers/xmpp.nix
index 72743f0..ce1719d 100644
--- a/hosts/common/optional/nixos-containers/xmpp.nix
+++ b/hosts/common/optional/nixos-containers/xmpp.nix
@@ -9,9 +9,26 @@
xmppDomain = configVars.domains.xmpp;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
hostAddress = configVars.networking.addresses.xmpp.hostAddress;
+ externalIp = configVars.networking.addresses.cloudnix.ip;
localAddress = configVars.networking.addresses.xmpp.localAddress;
sops-nix = inputs.sops-nix;
- xmppPorts = [3478 5281 5280 5269 5222 5223];
+ xmppPorts = configVars.networking.addresses.xmpp.ports;
+ xmppUDPPorts =
+ [
+ xmppPorts.coturn
+ xmppPorts.coturn-tls
+ ]
+ ++ lib.range xmppPorts.coturn-min-udp xmppPorts.coturn-max-udp;
+ xmppTCPPorts = [
+ xmppPorts.coturn
+ xmppPorts.coturn-tls
+ xmppPorts.xmpp-https
+ xmppPorts.xmpp-http
+ xmppPorts.xmpp-s2s
+ xmppPorts.xmpp-c2s
+ xmppPorts.xmpp-c2s-legacy-tls
+ xmppPorts.xmpp-s2s-tls
+ ];
in {
networking = {
nat = {
@@ -21,7 +38,8 @@ in {
};
firewall = {
enable = true;
- allowedTCPPorts = xmppPorts;
+ allowedTCPPorts = xmppTCPPorts;
+ allowedUDPPorts = xmppUDPPorts;
};
};

@@ -58,10 +76,17 @@ in {
};

forwardPorts = lib.map (port: {
+ protocol = "tcp";
containerPort = port;
hostPort = port;
})
- xmppPorts;
+ xmppTCPPorts
+ ++ lib.map (port: {
+ protocol = "udp";
+ containerPort = port;
+ hostPort = port;
+ })
+ xmppUDPPorts;
config = {
pkgs,
lib,
@@ -81,11 +106,18 @@ in {
extraGroups = ["www-data"];
};

+ users.users.turnserver = {
+ isSystemUser = true;
+ uid = 249;
+ extraGroups = ["www-data"];
+ };
+
networking = {
firewall = {
enable = true;
rejectPackets = true;
- allowedTCPPorts = xmppPorts ++ [80 443];
+ allowedTCPPorts = xmppTCPPorts ++ [80 443];
+ allowedUDPPorts = xmppUDPPorts;
};
useHostResolvConf = lib.mkForce false;
};
@@ -114,12 +146,13 @@ in {
pkgs.vim
pkgs.git
pkgs.prosody
+ pkgs.coturn
];

sops.templates."prosody_secrets.lua" = {
- mode = "644";
+ mode = "444";
content = ''
- turn_external_secret = ${config.sops.placeholder."software/coturn/static-auth-secret"};
+ turn_external_secret = "${config.sops.placeholder."software/coturn/static-auth-secret"}";
'';
};

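Review bot: `xmppUDPPorts` expands the whole coturn relay range into a per-port list with `lib.range`, and the firewall and forwardPorts hunks below (`@@ -21,7`, `@@ -58,10`, `@@ -81,11`) then consume it one element at a time. The bounds live in nix-secrets and are not visible here; if they span the usual several thousand relay ports, that becomes thousands of firewall rules on host and container plus one forwardPorts entry each. For the two firewalls the range form is cheaper and clearer: `allowedUDPPortRanges = [{ from = xmppPorts.coturn-min-udp; to = xmppPorts.coturn-max-udp; }];` next to `allowedUDPPorts = [ xmppPorts.coturn xmppPorts.coturn-tls ];`. `forwardPorts` has no range form, so if the range is large it is worth narrowing it in nix-secrets rather than forwarding every port individually.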
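Review bot: `uid = 249` in the new `users.users.turnserver` block hard-codes the value nixpkgs already exposes as `config.ids.uids.turnserver`, and as far as I recall the coturn module itself declares this user with that uid and its own group, so the literal can only drift from the module; `uid = config.ids.uids.turnserver;` keeps them in sync, and `isSystemUser`/`uid` can probably be dropped, leaving only the `extraGroups` addition. The `www-data` membership is presumably what lets coturn read the ACME key referenced in the last hunk; a comment such as `# www-data: read access to the ACME cert/key used by coturn` would save the next reader the lookup.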
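Review bot: `mode = "444"` makes the rendered `prosody_secrets.lua` world-readable, and it now carries the TURN static auth secret (quoted into `turn_external_secret`), so any other process in the container — coturn, nginx, anything that gains code execution — can read it. The file only needs to be readable by the Prosody user; sops-nix templates accept `owner`/`group`, so `owner = "prosody"; mode = "0400";` (or `group = "prosody"; mode = "0440";`) gives the same access without the world bit. The placeholder is substituted into a Lua string literal without escaping, so the secret must not contain `"` or backslashes; worth a comment next to `content` so that constraint is not lost when the secret is rotated.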
@@ -130,28 +163,56 @@ in {
"turn_external"
"conversejs"
"admin_web"
+ "external_services"
+ "http_altconnect"
];
};
- extraModules = ["turn_external" "conversejs" "admin_web" "http" "websocket"];
+ extraModules = [
+ "server_contact_info"
+ "http_file_share"
+ "external_services"
+ "turn_external"
+ "conversejs"
+ "admin_web"
+ "http"
+ "websocket"
+ "http_altconnect"
+ ];
allowRegistration = true;
extraConfig = ''
- include "${config.sops.templates."prosody_secrets.lua".path}"
+ Include "${config.sops.templates."prosody_secrets.lua".path}"
registration_invite_only = true;
allow_user_invites = true;
cross_domain_bosh = true;
+ cross_domain_websocket = true;
turn_external_host = "turn.${xmppDomain}";
- turn_external_port = 3478;
+ turn_external_port = ${toString xmppPorts.coturn};
http_default_host = "${xmppDomain}";
certificates = "certs"
- cross_domain_websocket = { "https://${xmppDomain}" }
consider_websocket_secure = true
-
- legacy_ssl_ports = { 5223 }
+ external_services = {
+ {
+ port="${toString xmppPorts.coturn}";
+ transport="tcp";
+ type="stun";
+ host="turn.${xmppDomain}"
+ };
+ {
+ port="${toString xmppPorts.coturn}";
+ transport="udp";
+ type="turn";
+ host="turn.${xmppDomain}"
+ };
+ }
+ s2s_direct_tls_ports = { ${toString xmppPorts.xmpp-s2s-tls} }
+ legacy_ssl_ports = { ${toString xmppPorts.xmpp-c2s-legacy-tls} }
legacy_ssl_ssl = {
certificate = "/var/lib/acme/${xmppDomain}/cert.pem";
key = "/var/lib/acme/${xmppDomain}/key.pem";
}
-
+ contact_info = {
+ admin = { "mailto:admin@${xmppDomain}", "xmpp:admin@${xmppDomain}" };
+ }
'';
modules.bosh = true;
s2sRequireEncryption = true;
@@ -160,6 +221,7 @@ in {
admins = ["root@${xmppDomain}"];
ssl.cert = "/var/lib/acme/${xmppDomain}/fullchain.pem";
ssl.key = "/var/lib/acme/${xmppDomain}/key.pem";
+ httpFileShare.domain = "upload.${xmppDomain}";
virtualHosts."${xmppDomain}" = {
enabled = true;
ssl.cert = "/var/lib/acme/${xmppDomain}/fullchain.pem";
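Review bot: `cross_domain_websocket = true;` replaces the removed `cross_domain_websocket = { "https://${xmppDomain}" }` allow-list, so the WebSocket endpoint now accepts cross-origin connections from any origin instead of only the XMPP domain's own web client; unless other origins are needed, keep the explicit list (`cross_domain_websocket = { "https://${xmppDomain}" }`). On Prosody 0.12 both `cross_domain_*` settings are deprecated in favour of `http_cors_override`, so confirm which version is deployed before relying on either. In the `external_services` entries `port="${toString xmppPorts.coturn}";` produces a Lua string where Prosody's documented examples use a number; `port = ${toString xmppPorts.coturn};`, matching `turn_external_port` a few lines up, avoids depending on implicit coercion. The enclosing `extraConfig` string is fully inside the hunk, but the surrounding `services.prosody` block starts before it.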
@@ -171,6 +233,12 @@ in {
invites_page = "/invite";
invites_register_web = "/register";
}
+ disco_items = {
+ { "upload.${xmppDomain}.com" },
+ { "rooms.${xmppDomain}.com" },
+ { "turn.${xmppDomain}.com" },
+ }
+
'';
domain = "${xmppDomain}";
};
@@ -191,17 +259,16 @@ in {
realm = "turn.${xmppDomain}";
use-auth-secret = true;
static-auth-secret-file = config.sops.secrets."software/coturn/static-auth-secret".path;
- };
-
- services.openssh = {
- enable = true;
- settings.PasswordAuthentication = false;
- };
-
- users.users = {
- root = {
- openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
- };
+ tls-listening-port = xmppPorts.coturn-tls;
+ cert = "/var/lib/acme/${xmppDomain}/cert.pem";
+ pkey = "/var/lib/acme/${xmppDomain}/key.pem";
+ min-port = xmppPorts.coturn-min-udp;
+ max-port = xmppPorts.coturn-max-udp;
+ extraConfig = ''
+ external-ip = ${externalIp}/${localAddress}
+ log = /var/log/turnserver.log
+ verbose
+ '';
};

system.stateVersion = "24.05";
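Review bot: the three `disco_items` entries append `.com` to `xmppDomain` (`{ "upload.${xmppDomain}.com" }` and siblings), while every other use in this file — `httpFileShare.domain = "upload.${xmppDomain}"`, `turn_external_host = "turn.${xmppDomain}"`, the `/var/lib/acme/${xmppDomain}` paths — uses the domain bare. Unless `configVars.domains.xmpp` is the label without its TLD, which the ACME directory names make unlikely, these advertise hosts that do not exist; drop the `.com` suffix so the items match the configured components. The enclosing `extraConfig` string for the virtual host starts outside the hunk.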
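Review bot: `log = /var/log/turnserver.log` in the new coturn `extraConfig` is not a coturn option name — the file-logging option is `log-file` — so the line should be rejected or ignored and no file log is produced; as far as I recall the NixOS coturn module already routes logs to syslog, so the line can be dropped, or written `log-file=/var/log/turnserver.log` if a file is wanted, and `verbose` deserves a second look since it logs per-session details including client addresses. `cert = "/var/lib/acme/${xmppDomain}/cert.pem"` hands coturn the leaf certificate only, whereas the Prosody `ssl.cert` lines earlier in the file use `fullchain.pem`; TLS-TURN clients would see an incomplete chain, so use `fullchain.pem` here as well. Both files are owned by the ACME user, so confirm the turnserver user can actually read `key.pem` (the www-data membership added earlier in the diff presumably serves that purpose).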