From 276ded1e446def43a42629461f1a54489c806c8a Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Thu, 19 Nov 2020 19:00:07 +0100
Subject: [PATCH] Update to 2020-11-19 19:00

---
 roles/coturn/defaults/main.yml | 4 +-
 roles/coturn/tasks/main.yml | 61 +++++++++++++++++++++---
 roles/coturn/templates/dehydrated_deploy_hook.j2 | 13 +++++
 roles/coturn/templates/turnserver.conf.j2 | 43 +++++++++++++++++
 roles/includes/create_selfsigned_cert.yml | 9 +---
 5 files changed, 115 insertions(+), 15 deletions(-)
 create mode 100644 roles/coturn/templates/dehydrated_deploy_hook.j2
 create mode 100644 roles/coturn/templates/turnserver.conf.j2

diff --git a/roles/coturn/defaults/main.yml b/roles/coturn/defaults/main.yml
index eead33c..1d1f534 100644
--- a/roles/coturn/defaults/main.yml
+++ b/roles/coturn/defaults/main.yml
@@ -21,9 +21,7 @@
 turn_src_ip:
   - 0.0.0.0/0
 turn_port: 3478
-turn_alt_port: 3479
 turn_tls_port: 5349
-turn_alt_tls_port: 5350
 
 # Allow non TLS relay
 turn_allow_non_tls: True
@@ -32,6 +30,8 @@ turn_allow_non_tls: True
 turn_tls: False
 # turn_tls_cert:
 # turn_tls_key:
+# Or alternatively, set the name of a Let's Encrypt cert
+# turn_letsencrypt_cert: turn.example.org
 
 # If behind a NAT, you must set the public IP
 # turn_external_ip: 12.13.14.15
diff --git a/roles/coturn/tasks/main.yml b/roles/coturn/tasks/main.yml
index d6c6c79..11fc057 100644
--- a/roles/coturn/tasks/main.yml
+++ b/roles/coturn/tasks/main.yml
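Review bot: The new `turn_letsencrypt_cert` comment in the second hunk does not say what the value must be, yet the deploy hook introduced in this commit compares it verbatim with the certificate name dehydrated passes as its first argument, so a mismatch silently leaves coturn on the self-signed cert; extend the comment to `# Must be the exact certificate name dehydrated passes to its deploy hook`. The first hunk drops `turn_alt_port` and `turn_alt_tls_port`; inventories that override them will keep dead variables without any warning, which is worth a line in the role's documentation.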
@@ -1,5 +1,23 @@
 ---
 
+- name: Check if turnserver is installed
+  stat: path=/lib/systemd/system/turnserver.service
+  register: turn_turnserver
+  tags: turn
+
+  # Migrate from the turnserver package/role
+- when: turn_turnserver.stat.exists
+  block:
+    - name: Stop and disable turnserver
+      service: name=turnserver state=stopped enabled=False
+
+    - name: Remove turnserver package
+      yum: name=turnserver state=absent
+
+    - name: Remove turnserver dehydrated hook
+      file: path=/etc/dehydrated/hooks_deploy_cert.d/20turnserver.sh state=absent
+  tags: turn
+
 - name: Install Coturn
   yum: name=coturn state=present
   register: turn_installed
@@ -11,12 +29,25 @@
   tags: turn
 
 - name: Deploy main configuration
-  template: src=coturn.conf.j2 dest=/etc/coturn/coturn.conf group=coturn mode=640
+  template: src=turnserver.conf.j2 dest=/etc/coturn/turnserver.conf group=coturn mode=640
   notify: restart coturn
   tags: turn
 
+- name: Create the ssl dir
+  file: path=/etc/coturn/ssl state=directory group=coturn mode=750
+  tags: turn
+
+  # Create a self signed cert. This is needed even if a cert is later obtained with dehydrated as
+  # turnserver must be started before that
+- import_tasks: ../includes/create_selfsigned_cert.yml
+  vars:
+    - cert_path: /etc/coturn/ssl/cert.pem
+    - cert_key_path: /etc/coturn/ssl/key.pem
+    - cert_user: coturn
+  tags: turn
+
 - name: Deploy dehydrated hook
-  copy: src=dehydrated_deploy_hook dest=/etc/dehydrated/hooks_deploy_cert.d/20coturn.sh mode=755
+  template: src=dehydrated_deploy_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/20coturn.sh mode=755
   tags: turn
 
 - name: Remove turnserver rules
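Review bot: In the second hunk the Deploy main configuration task moves the rendered config from `/etc/coturn/coturn.conf` to `/etc/coturn/turnserver.conf`, but nothing removes the old file, so hosts that ran the previous role version keep a stale copy which, given the template's `static-auth-secret` line, may still hold the shared secret; add a cleanup task next to the other migration tasks, `- name: Remove old coturn.conf` / `  file: path=/etc/coturn/coturn.conf state=absent` / `  tags: turn`. The `vars:` under the new `import_tasks` entry is written as a list of single-key mappings; the documented form is a plain mapping (`cert_path: /etc/coturn/ssl/cert.pem` directly under `vars:`), which presumably avoids relying on list-form vars support in the Ansible version in use. The migration block in the first hunk removes the old package with `yum` while the same commit switches the shared include to the portable `package` module; using `package` here too keeps the two consistent.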
@@ -31,15 +62,33 @@
     name: coturn_ports
     state: "{{ (turn_src_ip | length > 0) | ternary('present','absent') }}"
     rules: |
-      -A INPUT -m state --state NEW -p tcp -m multiport --dports {{ [turn_port,turn_alt_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
-      -A INPUT -p udp -m multiport --dports {{ [turn_port,turn_alt_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
-      -A INPUT -m state --state NEW -p tcp -m multiport --dports {{ [turn_tls_port,turn_alt_tls_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
-      -A INPUT -p udp -m multiport --dports {{ [turn_tls_port,turn_alt_tls_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
+      -A INPUT -m state --state NEW -p tcp -m multiport --dports {{ [turn_port,turn_tls_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
+      -A INPUT -p udp -m multiport --dports {{ [turn_port,turn_tls_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
       -A INPUT -p tcp --dport 49152:65535 -s {{ turn_src_ip | join(',') }} -j ACCEPT
       -A INPUT -p udp --dport 49152:65535 -s {{ turn_src_ip | join(',') }} -j ACCEPT
   when: iptables_manage | default(True)
   tags: turn,firewall
 
+- name: Create systemd unit snippet dir
+  file: path=/etc/systemd/system/coturn.service.d state=directory
+  tags: turn
+
+- name: Customize systemd unit
+  copy:
+    content: |
+      [Service]
+      # Allow binding on privileged ports
+      CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+      AmbientCapabilities=CAP_NET_BIND_SERVICE
+    dest: /etc/systemd/system/coturn.service.d/99-ansible.conf
+  register: turn_unit
+  tags: turn
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: turn_unit.changed
+  tags: turn
+
 - name: Start and enable the service
   service: name=coturn state=started enabled=True
   tags: turn
diff --git a/roles/coturn/templates/dehydrated_deploy_hook.j2 b/roles/coturn/templates/dehydrated_deploy_hook.j2
new file mode 100644
index 0000000..f956062
--- /dev/null
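Review bot: The Customize systemd unit task registers `turn_unit` and the next task reloads systemd when it changed, but the running service is never restarted, so on an already-deployed host the new `CapabilityBoundingSet`/`AmbientCapabilities` settings only take effect at the next unrelated restart; add `  notify: restart coturn` to the Customize task, the same handler the Deploy main configuration task already uses. Restricting the bounding set to CAP_NET_BIND_SERVICE also drops every other capability from the service, which is a useful hardening step but not what the drop-in comment says; `# Keep only CAP_NET_BIND_SERVICE (bind privileged ports), drop all other capabilities` would document the actual effect. The Reload systemd task's `when: turn_unit.changed` skips the reload on a run where the drop-in was created by hand earlier; harmless, but worth knowing when debugging.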
+++ b/roles/coturn/templates/dehydrated_deploy_hook.j2
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+{% if turn_letsencrypt_cert is defined %}
+if [ $1 == "{{ turn_letsencrypt_cert }}" ]; then
+  cat /var/lib/dehydrated/certificates/certs/{{ turn_letsencrypt_cert }}/privkey.pem > /etc/coturn/ssl/key.pem
+  cat /var/lib/dehydrated/certificates/certs/{{ turn_letsencrypt_cert }}/fullchain.pem > /etc/coturn/ssl/cert.pem
+  chown root:coturn /etc/coturn/ssl/*
+  chmod 644 /etc/coturn/ssl/cert.pem
+  chmod 640 /etc/coturn/ssl/key.pem
+
+  /bin/systemctl restart coturn
+fi
+{% endif %}
diff --git a/roles/coturn/templates/turnserver.conf.j2 b/roles/coturn/templates/turnserver.conf.j2
new file mode 100644
index 0000000..7b1eda6
--- /dev/null
+++ b/roles/coturn/templates/turnserver.conf.j2
@@ -0,0 +1,43 @@
+pidfile="/var/run/coturn/coturn.pid"
+verbose
+fingerprint
+{% if turn_auth_secret is defined %}
+use-auth-secret
+static-auth-secret {{ turn_auth_secret }}
+{% else %}
+lt-cred-mech
+{% endif %}
+no-sslv2
+no-sslv3
+no-loopback-peers
+no-multicast-peers
+realm {{ turn_realm | default(ansible_domain) }}
+proc-user coturn
+proc-group coturn
+syslog
+
+{% for ip in turn_listen_ip %}
+listening-ip {{ ip }}
+{% endfor %}
+
+{% if not turn_allow_non_tls %}
+no-tcp
+no-udp
+{% endif %}
+
+listening-port {{ turn_port }}
+
+{% if turn_tls %}
+tls-listening-port {{ turn_tls_port }}
+{% if turn_letsencrypt_cert is defined %}
+cert /etc/coturn/ssl/cert.pem
+pkey /etc/coturn/ssl/key.pem
+{% else %}
+cert {{ turn_tls_cert }}
+pkey {{ turn_tls_key }}
+{% endif %}
+{% endif %}
+
+{% if turn_external_ip is defined %}
+external-ip {{ turn_external_ip }}
+{% endif %}
diff --git a/roles/includes/create_selfsigned_cert.yml b/roles/includes/create_selfsigned_cert.yml
index c9951b7..aad651f 100644
--- a/roles/includes/create_selfsigned_cert.yml
+++ b/roles/includes/create_selfsigned_cert.yml
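Review bot: The hook's test `if [ $1 == "{{ turn_letsencrypt_cert }}" ]; then` is not portable under the `#!/bin/sh` shebang: `==` is a bashism that a POSIX `test` rejects, and the unquoted `$1` breaks the comparison when dehydrated passes an empty or space-containing argument; write it as `if [ "$1" = "{{ turn_letsencrypt_cert }}" ]; then`. The private key is written with `cat ... > /etc/coturn/ssl/key.pem` and only chmod'ed afterwards, so if key.pem has been removed the shell recreates it with the umask-derived mode for a short window; `install -m 640 -o root -g coturn .../privkey.pem /etc/coturn/ssl/key.pem` sets ownership and mode atomically and replaces the cat/chown/chmod triple for the key. `chown root:coturn /etc/coturn/ssl/*` also touches anything else in that directory, which presumably is only cert.pem and key.pem today but is broader than the two files the hook manages.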
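Review bot: The new turnserver.conf.j2 sets `no-loopback-peers` and `no-multicast-peers` but nothing restricts which peer addresses the relay may reach, so with the default `turn_src_ip` of 0.0.0.0/0 any authenticated client can relay traffic to hosts on the server's internal networks; coturn's `denied-peer-ip` option covers this, and a templated loop over a new role variable (constructed name) such as `{% for net in turn_denied_peer_ip | default([]) %}` / `denied-peer-ip {{ net }}` / `{% endfor %}`, with the private and link-local ranges as the default, would let operators opt in without editing the template. `realm {{ turn_realm | default(ansible_domain) }}` renders as a bare `realm` when the host has no domain set, which presumably makes coturn refuse the config; a comment above it, `{# realm is mandatory for long-term credentials; set turn_realm on hosts without a DNS domain #}`, would save the next person a debugging round. The template has no header comment saying it is Ansible-managed; the role's other templates may have one, so match whatever convention they use.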
@@ -1,18 +1,13 @@
 ---
 - name: Ensure openssl is installed
-  yum: name=openssl
-  when: ansible_os_family == 'RedHat'
-
-- name: Ensure openssl is installed
-  apt: name=openssl
-  when: ansible_os_family == 'Debian'
+  package: name=openssl
 
 - name: Create cert dir
   file: path={{ cert_path | dirname }} state=directory
 
 - name: Create private key directory
-  file: path={{ cert_key_path | dirname }} state=directory mode=700 owner={{ cert_user | default(omit) }}
+  file: path={{ cert_key_path | dirname }} state=directory owner={{ cert_user | default(omit) }}
 
 - name: Create the self signed certificate
   command: openssl req -x509 -newkey rsa:{{ cert_key_size | default(4096) }} \