Update to 2020-11-19 19:00

master
Daniel Berteaud 4 years ago
parent 3617fae9a1
commit 276ded1e44
  1. 4
      roles/coturn/defaults/main.yml
  2. 61
      roles/coturn/tasks/main.yml
  3. 13
      roles/coturn/templates/dehydrated_deploy_hook.j2
  4. 43
      roles/coturn/templates/turnserver.conf.j2
  5. 9
      roles/includes/create_selfsigned_cert.yml

@ -21,9 +21,7 @@ turn_src_ip:
- 0.0.0.0/0
turn_port: 3478
turn_alt_port: 3479
turn_tls_port: 5349
turn_alt_tls_port: 5350
# Allow non TLS relay
turn_allow_non_tls: True
@ -32,6 +30,8 @@ turn_allow_non_tls: True
turn_tls: False
# turn_tls_cert:
# turn_tls_key:
# Or alternatively, set the name of a Let's Encrypt cert
# turn_letsencrypt_cert: turn.example.org
# If behind a NAT, you must set the public IP
# turn_external_ip: 12.13.14.15
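Review bot: `turn_allow_non_tls: True` and `turn_tls: False` use Python-style capitalised booleans; Ansible's loader accepts them, but yamllint's `truthy` rule flags them and a YAML 1.2 parser reads them as plain strings, so prefer `turn_allow_non_tls: true` and `turn_tls: false`. The new `turnserver.conf.j2` only references `turn_port` and `turn_tls_port`; if `turn_alt_port` / `turn_alt_tls_port` survive this hunk (the rendered view does not show which two lines were removed) they are now unused and the comment block should say so or they should go. A one-line comment above the `turn_tls_cert` / `turn_tls_key` placeholders noting that the key file must be readable by the `coturn` group would save the next user a failed start.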

@ -1,5 +1,23 @@
---
- name: Check if turnserver is installed
stat: path=/lib/systemd/system/turnserver.service
register: turn_turnserver
tags: turn
# Migrate from the turnserver package/role
- when: turn_turnserver.stat.exists
block:
- name: Stop and disable turnserver
service: name=turnserver state=stopped enabled=False
- name: Remove turnserver package
yum: name=turnserver state=absent
- name: Remove turnserver dehydrated hook
file: path=/etc/dehydrated/hooks_deploy_cert.d/20turnserver.sh state=absent
tags: turn
- name: Install Coturn
yum: name=coturn state=present
register: turn_installed
@ -11,12 +29,25 @@
tags: turn
- name: Deploy main configuration
template: src=coturn.conf.j2 dest=/etc/coturn/coturn.conf group=coturn mode=640
template: src=turnserver.conf.j2 dest=/etc/coturn/turnserver.conf group=coturn mode=640
notify: restart coturn
tags: turn
- name: Create the ssl dir
file: path=/etc/coturn/ssl state=directory group=coturn mode=750
tags: turn
# Create a self signed cert. This is needed even if a cert is later obtained with dehydrated as
# turnserver must be started before that
- import_tasks: ../includes/create_selfsigned_cert.yml
vars:
- cert_path: /etc/coturn/ssl/cert.pem
- cert_key_path: /etc/coturn/ssl/key.pem
- cert_user: coturn
tags: turn
- name: Deploy dehydrated hook
copy: src=dehydrated_deploy_hook dest=/etc/dehydrated/hooks_deploy_cert.d/20coturn.sh mode=755
template: src=dehydrated_deploy_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/20coturn.sh mode=755
tags: turn
- name: Remove turnserver rules
@ -31,15 +62,33 @@
name: coturn_ports
state: "{{ (turn_src_ip | length > 0) | ternary('present','absent') }}"
rules: |
-A INPUT -m state --state NEW -p tcp -m multiport --dports {{ [turn_port,turn_alt_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
-A INPUT -p udp -m multiport --dports {{ [turn_port,turn_alt_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m multiport --dports {{ [turn_tls_port,turn_alt_tls_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
-A INPUT -p udp -m multiport --dports {{ [turn_tls_port,turn_alt_tls_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m multiport --dports {{ [turn_port,turn_tls_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
-A INPUT -p udp -m multiport --dports {{ [turn_port,turn_tls_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
-A INPUT -p tcp --dport 49152:65535 -s {{ turn_src_ip | join(',') }} -j ACCEPT
-A INPUT -p udp --dport 49152:65535 -s {{ turn_src_ip | join(',') }} -j ACCEPT
when: iptables_manage | default(True)
tags: turn,firewall
- name: Create systemd unit snippet dir
file: path=/etc/systemd/system/coturn.service.d state=directory
tags: turn
- name: Customize systemd unit
copy:
content: |
[Service]
# Allow binding on privileged ports
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
dest: /etc/systemd/system/coturn.service.d/99-ansible.conf
register: turn_unit
tags: turn
- name: Reload systemd
systemd: daemon_reload=True
when: turn_unit.changed
tags: turn
- name: Start and enable the service
service: name=coturn state=started enabled=True
tags: turn
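Review bot: The "Customize systemd unit" task writes the capability drop-in and registers `turn_unit`, but it has no `notify`, so on a host where coturn is already running the new `CapabilityBoundingSet` / `AmbientCapabilities` settings are loaded by the daemon-reload yet not applied until something else restarts the service; add `notify: restart coturn` to that task, as the configuration template task already does. Secondary point of style: the `vars:` passed to `import_tasks` at the self-signed cert step are written as a list of one-key mappings (`- cert_path: …`), while the documented form is a plain mapping; Ansible tolerates the list but it is harder to read and to lint. The hunk starts after the firewall task's `iptables_raw` header, so its module name is not visible here.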

@ -0,0 +1,13 @@
#!/bin/sh
{% if turn_letsencrypt_cert is defined %}
if [ $1 == "{{ turn_letsencrypt_cert }}" ]; then
cat /var/lib/dehydrated/certificates/certs/{{ turn_letsencrypt_cert }}/privkey.pem > /etc/coturn/ssl/key.pem
cat /var/lib/dehydrated/certificates/certs/{{ turn_letsencrypt_cert }}/fullchain.pem > /etc/coturn/ssl/cert.pem
chown root:coturn /etc/coturn/ssl/*
chmod 644 /etc/coturn/ssl/cert.pem
chmod 640 /etc/coturn/ssl/key.pem
/bin/systemctl restart coturn
fi
{% endif %}
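Review bot: The hook test `[ $1 == "{{ turn_letsencrypt_cert }}" ]` leaves `$1` unquoted and uses `==`, which is a bash extension; under `#!/bin/sh` on a dash-based system it fails with "unexpected operator", and if dehydrated ever invokes the hook with an empty first argument the test itself becomes a syntax error. Write it as `if [ "$1" = "{{ turn_letsencrypt_cert }}" ]; then`. Since `cat … > key.pem` truncates the existing file in place, the key keeps whatever mode it already had until the `chmod 640` line runs, which is fine as long as the self-signed step created it non-world-readable — worth a one-line comment above the `cat` lines so nobody reorders the `chmod` away.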

@ -0,0 +1,43 @@
pidfile="/var/run/coturn/coturn.pid"
verbose
fingerprint
{% if turn_auth_secret is defined %}
use-auth-secret
static-auth-secret {{ turn_auth_secret }}
{% else %}
lt-cred-mech
{% endif %}
no-sslv2
no-sslv3
no-loopback-peers
no-multicast-peers
realm {{ turn_realm | default(ansible_domain) }}
proc-user coturn
proc-group coturn
syslog
{% for ip in turn_listen_ip %}
listening-ip {{ ip }}
{% endfor %}
{% if not turn_allow_non_tls %}
no-tcp
no-udp
{% endif %}
listening-port {{ turn_port }}
{% if turn_tls %}
tls-listening-port {{ turn_tls_port }}
{% if turn_letsencrypt_cert is defined %}
cert /etc/coturn/ssl/cert.pem
pkey /etc/coturn/ssl/key.pem
{% else %}
cert {{ turn_tls_cert }}
pkey {{ turn_tls_key }}
{% endif %}
{% endif %}
{% if turn_external_ip is defined %}
external-ip {{ turn_external_ip }}
{% endif %}
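Review bot: The relay only excludes loopback and multicast peers (`no-loopback-peers`, `no-multicast-peers`), so an authenticated client can still ask the server to relay to addresses on its own private networks; coturn's `denied-peer-ip` option exists for exactly this and the usual RFC1918 ranges are worth adding next to those two lines, e.g. `denied-peer-ip 10.0.0.0-10.255.255.255`, `denied-peer-ip 172.16.0.0-172.31.255.255`, `denied-peer-ip 192.168.0.0-192.168.255.255` (same space-separated style as the rest of the file). On the TLS side only `no-sslv2` / `no-sslv3` are set; coturn also accepts `no-tlsv1` and `no-tlsv1_1`, which matches what the rest of this stack presumably offers. `verbose` is on unconditionally, which is fine for a first deployment but noisy in syslog long term — a short comment saying it is intentional, or a variable to switch it off, would help.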

@ -1,18 +1,13 @@
---
- name: Ensure openssl is installed
yum: name=openssl
when: ansible_os_family == 'RedHat'
- name: Ensure openssl is installed
apt: name=openssl
when: ansible_os_family == 'Debian'
package: name=openssl
- name: Create cert dir
file: path={{ cert_path | dirname }} state=directory
- name: Create private key directory
file: path={{ cert_key_path | dirname }} state=directory mode=700 owner={{ cert_user | default(omit) }}
file: path={{ cert_key_path | dirname }} state=directory owner={{ cert_user | default(omit) }}
- name: Create the self signed certificate
command: openssl req -x509 -newkey rsa:{{ cert_key_size | default(4096) }} \
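Review bot: Dropping `mode=700` from "Create private key directory" means every consumer of this shared include now gets the umask default (typically world-readable) for the directory holding the private key; the coturn role pre-creates `/etc/coturn/ssl` as `750`, so it is unaffected, but other roles that relied on the include for the restriction are not. Keeping the old behaviour as an overridable default would cover both, e.g. `mode={{ cert_key_dir_mode | default('0700') }}` (variable name illustrative). The `openssl req` command continues past the end of the hunk, so whether the key file itself ends up `0600` cannot be confirmed from here; a comment on that task stating the intended key file mode would make the contract explicit.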
