diff --git a/flake.nix b/flake.nix
index 02adb30..9a9b537 100644
--- a/flake.nix
+++ b/flake.nix
@@ -64,7 +64,6 @@
 
             age.secrets.borgbackup-password.file = ./secrets/hel1-a/borgbackup/password.age;
             age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
-            age.secrets.turn-static-auth-secret.file = ./secrets/hel1-a/turn/static_auth_secret.age;
             age.secrets.synapse-jakstys-signing-key.file = ./secrets/hel1-a/synapse/jakstys_lt_signing_key.age;
             age.secrets.synapse-registration-shared-secret.file = ./secrets/hel1-a/synapse/registration_shared_secret.age;
             age.secrets.synapse-macaroon-secret-key.file = ./secrets/hel1-a/synapse/macaroon_secret_key.age;
diff --git a/hosts/hel1-a/configuration.nix b/hosts/hel1-a/configuration.nix
index fd43cbb..b06314f 100644
--- a/hosts/hel1-a/configuration.nix
+++ b/hosts/hel1-a/configuration.nix
@@ -5,9 +5,7 @@
   agenix,
   myData,
   ...
-}: let
-  turn_cert_dir = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/turn.jakstys.lt";
-in {
+}: {
   imports = [
     ./hardware-configuration.nix
     ./zfs.nix
@@ -223,9 +221,6 @@ in {
       virtualHosts."git.jakstys.lt".extraConfig = ''
         reverse_proxy 127.0.0.1:3000
       '';
-      virtualHosts."turn.jakstys.lt".extraConfig = ''
-        redir https://jakstys.lt
-      '';
       virtualHosts."www.jakstys.lt".extraConfig = ''
         redir https://jakstys.lt
       '';
@@ -271,25 +266,6 @@ in {
       };
     };
 
-    coturn = {
-      enable = true;
-      min-port = 49152;
-      max-port = 49999;
-      no-tcp-relay = true;
-      realm = "turn.jakstys.lt";
-      cert = "/run/coturn/tls-cert.pem";
-      pkey = "/run/coturn/tls-key.pem";
-      static-auth-secret-file = "\${CREDENTIALS_DIRECTORY}/static-auth-secret";
-      extraConfig = ''
-        verbose
-        no-multicast-peers
-        denied-peer-ip=10.0.0.0-10.255.255.255
-        denied-peer-ip=192.168.0.0-192.168.255.255
-        denied-peer-ip=172.16.0.0-172.31.255.255
-        denied-peer-ip=${myData.tailscale_subnet.range}
-      '';
-    };
-
     # TODO: app_service_config_files
     matrix-synapse = {
       enable = true;
@@ -321,13 +297,6 @@ in {
         database.name = "sqlite3";
         url_preview_enabled = false;
         max_upload_size = "50M";
-        turn_allow_guests = false;
-        turn_uris = [
-          "turn:turn.jakstys.lt:3487?transport=udp"
-          "turn:turn.jakstys.lt:3487?transport=tcp"
-          "turns:turn.jakstys.lt:5349?transport=udp"
-          "turns:turn.jakstys.lt:5349?transport=tcp"
-        ];
         rc_messages_per_second = 0.2;
         rc_message_burst_count = 10.0;
         federation_rc_window_size = 1000;
@@ -402,29 +371,19 @@ in {
   networking = {
     hostName = "hel1-a";
     domain = "servers.jakst";
-    firewall = let
-      coturn = with config.services.coturn; [
-        {
-          from = min-port;
-          to = max-port;
-        }
-      ];
-    in {
+    firewall = {
       allowedTCPPorts = [
         53
         80
         443
-        3478 # turn/headscale
-        5349 # turn
-        5350 # turn
+        3478 # headscale
       ];
       allowedUDPPorts = [
         53
         443
-        3478 # turn
+        3478 # headscale
         41641 # tailscale
       ];
-      allowedUDPPortRanges = coturn;
       logRefusedConnections = false;
       checkReversePath = "loose"; # for tailscale
     };
@@ -435,22 +394,6 @@ in {
   ];
 
   systemd.services = {
-    coturn = {
-      preStart = ''
-        ln -sf ''${CREDENTIALS_DIRECTORY}/tls-key.pem /run/coturn/tls-key.pem
-        ln -sf ''${CREDENTIALS_DIRECTORY}/tls-cert.pem /run/coturn/tls-cert.pem
-      '';
-      unitConfig.ConditionPathExists = [
-        "${turn_cert_dir}/turn.jakstys.lt.key"
-        "${turn_cert_dir}/turn.jakstys.lt.crt"
-      ];
-      serviceConfig.LoadCredential = [
-        "static-auth-secret:${config.age.secrets.turn-static-auth-secret.path}"
-        "tls-key.pem:${turn_cert_dir}/turn.jakstys.lt.key"
-        "tls-cert.pem:${turn_cert_dir}/turn.jakstys.lt.crt"
-      ];
-    };
-
     headscale = {
       unitConfig.StartLimitIntervalSec = "5m";
 
@@ -470,7 +413,6 @@ in {
         cat > /run/matrix-synapse/secrets.yaml <<EOF
         registration_shared_secret: "$(cat ''${CREDENTIALS_DIRECTORY}/registration_shared_secret)"
         macaroon_secret_key: "$(cat ''${CREDENTIALS_DIRECTORY}/macaroon_secret_key)"
-        turn_shared_secret: "$(cat ''${CREDENTIALS_DIRECTORY}/turn_shared_secret)"
         EOF
       '';
     in {
@@ -479,31 +421,8 @@ in {
         "jakstys_lt_signing_key:${config.age.secrets.synapse-jakstys-signing-key.path}"
         "registration_shared_secret:${config.age.secrets.synapse-registration-shared-secret.path}"
         "macaroon_secret_key:${config.age.secrets.synapse-macaroon-secret-key.path}"
-        "turn_shared_secret:${config.age.secrets.turn-static-auth-secret.path}"
       ];
     };
 
-    cert-watcher = {
-      description = "Restart coturn when tls key/cert changes";
-      wantedBy = ["multi-user.target"];
-      unitConfig = {
-        StartLimitIntervalSec = 10;
-        StartLimitBurst = 5;
-      };
-      serviceConfig = {
-        Type = "oneshot";
-        ExecStart = "${pkgs.systemd}/bin/systemctl restart coturn.service";
-      };
-    };
-  };
-
-  systemd.paths = {
-    cert-watcher = {
-      wantedBy = ["multi-user.target"];
-      pathConfig = {
-        PathChanged = "${turn_cert_dir}/turn.jakstys.lt.crt";
-        Unit = "cert-watcher.service";
-      };
-    };
   };
 }
diff --git a/secrets.nix b/secrets.nix
index f148c9e..d40e0c5 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -10,7 +10,6 @@ let
 in {
   # hel1-a + motiejus
   "secrets/hel1-a/borgbackup/password.age".publicKeys = [hel1-a] ++ motiejus;
-  "secrets/hel1-a/turn/static_auth_secret.age".publicKeys = [hel1-a] ++ motiejus;
   "secrets/hel1-a/synapse/jakstys_lt_signing_key.age".publicKeys = [hel1-a] ++ motiejus;
   "secrets/hel1-a/synapse/registration_shared_secret.age".publicKeys = [hel1-a] ++ motiejus;
   "secrets/hel1-a/synapse/macaroon_secret_key.age".publicKeys = [hel1-a] ++ motiejus;
diff --git a/secrets/hel1-a/turn/static_auth_secret.age b/secrets/hel1-a/turn/static_auth_secret.age
deleted file mode 100644
index 40ab080..0000000
--- a/secrets/hel1-a/turn/static_auth_secret.age
+++ /dev/null
@@ -1,13 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 vDjOfg 7IvjFsGDpA0Y7YQzvK1LKv97Aytio3P8QK6kP3zVoh8
-/HZv5HmuXHpJvB8qBUSmJ2qEqPDV4dIzUjQuEC5yKIU
--> X25519 n2ZwLm3NBIPJ8fG67O292YwQgMfMrOpMsfD9fvVKAEg
-Wj5y+8NuPl5VtyzLAt2qk3qY44cxqfr7IknpK8jzAMs
--> piv-p256 +y2G/w A8uQrdSqZAQQxlPUCpeJIR4vwmG3raRCi1Es2ORARLXl
-G4bx1broyBxj7ARPQ3uOnzD9lrxTi8wRTW6h71SVmz4
--> piv-p256 jNqd3A AiclfkktevGeKEIhwiAl0oghZEGeA58GBm+kWlD98ev4
-Y1Gu7nDRipmXehp1uYiGhCLRo0gt06+AIZYZ6ZkF7UE
--> ;\NX'-grease 4{cJ&fP
-5oT1NHoPUeN6JtDhuGYhtE/Jipo6u5qRTdLJCpWZGZ2PBnQ
---- DaaAQQvDPetK5SpVDe5BehckkP7HgdQQdHKB7IBa1rs
-8Ä	,„1À€¼dÒj%Zr¡ÏdwÑA]CÜÖWAÝ•*©JæÐŠ`Q£µ(·ðŠIô
\ No newline at end of file