fws
/
ansible-roles
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update to 2020-11-19 19:00

Browse Source
master
Daniel Berteaud 4 years ago
parent 3617fae9a1
commit 276ded1e44
5 changed files with 115 additions and 15 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 4
      roles/coturn/defaults/main.yml
  2. 61
      roles/coturn/tasks/main.yml
  3. 13
      roles/coturn/templates/dehydrated_deploy_hook.j2
  4. 43
      roles/coturn/templates/turnserver.conf.j2
  5. 9
      roles/includes/create_selfsigned_cert.yml

4
roles/coturn/defaults/main.yml
Unescape View File

@ -21,9 +21,7 @@ turn_src_ip:
- 0.0.0.0/0 - 0.0.0.0/0
turn_port: 3478 turn_port: 3478
turn_alt_port: 3479
turn_tls_port: 5349 turn_tls_port: 5349
turn_alt_tls_port: 5350
# Allow non TLS relay # Allow non TLS relay
turn_allow_non_tls: True turn_allow_non_tls: True
@ -32,6 +30,8 @@ turn_allow_non_tls: True
turn_tls: False turn_tls: False
# turn_tls_cert: # turn_tls_cert:
# turn_tls_key: # turn_tls_key:
# Or alternatively, set the name of a Let's Encrypt cert
# turn_letsencrypt_cert: turn.example.org
# If behind a NAT, you must set the public IP # If behind a NAT, you must set the public IP
# turn_external_ip: 12.13.14.15 # turn_external_ip: 12.13.14.15

61
roles/coturn/tasks/main.yml
Unescape View File

@ -1,5 +1,23 @@
--- ---
- name: Check if turnserver is installed
stat: path=/lib/systemd/system/turnserver.service
register: turn_turnserver
tags: turn
# Migrate from the turnserver package/role
- when: turn_turnserver.stat.exists
block:
- name: Stop and disable turnserver
service: name=turnserver state=stopped enabled=False
- name: Remove turnserver package
yum: name=turnserver state=absent
- name: Remove turnserver dehydrated hook
file: path=/etc/dehydrated/hooks_deploy_cert.d/20turnserver.sh state=absent
tags: turn
- name: Install Coturn - name: Install Coturn
yum: name=coturn state=present yum: name=coturn state=present
register: turn_installed register: turn_installed
@ -11,12 +29,25 @@
tags: turn tags: turn
- name: Deploy main configuration - name: Deploy main configuration
template: src=coturn.conf.j2 dest=/etc/coturn/coturn.conf group=coturn mode=640 template: src=turnserver.conf.j2 dest=/etc/coturn/turnserver.conf group=coturn mode=640
notify: restart coturn notify: restart coturn
tags: turn tags: turn
- name: Create the ssl dir
file: path=/etc/coturn/ssl state=directory group=coturn mode=750
tags: turn
# Create a self signed cert. This is needed even if a cert is later obtained with dehydrated as
# turnserver must be started before that
- import_tasks: ../includes/create_selfsigned_cert.yml
vars:
- cert_path: /etc/coturn/ssl/cert.pem
- cert_key_path: /etc/coturn/ssl/key.pem
- cert_user: coturn
tags: turn
- name: Deploy dehydrated hook - name: Deploy dehydrated hook
copy: src=dehydrated_deploy_hook dest=/etc/dehydrated/hooks_deploy_cert.d/20coturn.sh mode=755 template: src=dehydrated_deploy_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/20coturn.sh mode=755
tags: turn tags: turn
- name: Remove turnserver rules - name: Remove turnserver rules
@ -31,15 +62,33 @@
name: coturn_ports name: coturn_ports
state: "{{ (turn_src_ip | length > 0) | ternary('present','absent') }}" state: "{{ (turn_src_ip | length > 0) | ternary('present','absent') }}"
rules: | rules: |
-A INPUT -m state --state NEW -p tcp -m multiport --dports {{ [turn_port,turn_alt_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT -A INPUT -m state --state NEW -p tcp -m multiport --dports {{ [turn_port,turn_tls_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
-A INPUT -p udp -m multiport --dports {{ [turn_port,turn_alt_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT -A INPUT -p udp -m multiport --dports {{ [turn_port,turn_tls_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m multiport --dports {{ [turn_tls_port,turn_alt_tls_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
-A INPUT -p udp -m multiport --dports {{ [turn_tls_port,turn_alt_tls_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
-A INPUT -p tcp --dport 49152:65535 -s {{ turn_src_ip | join(',') }} -j ACCEPT -A INPUT -p tcp --dport 49152:65535 -s {{ turn_src_ip | join(',') }} -j ACCEPT
-A INPUT -p udp --dport 49152:65535 -s {{ turn_src_ip | join(',') }} -j ACCEPT -A INPUT -p udp --dport 49152:65535 -s {{ turn_src_ip | join(',') }} -j ACCEPT
when: iptables_manage | default(True) when: iptables_manage | default(True)
tags: turn,firewall tags: turn,firewall
- name: Create systemd unit snippet dir
file: path=/etc/systemd/system/coturn.service.d state=directory
tags: turn
- name: Customize systemd unit
copy:
content: |
[Service]
# Allow binding on privileged ports
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
dest: /etc/systemd/system/coturn.service.d/99-ansible.conf
register: turn_unit
tags: turn
- name: Reload systemd
systemd: daemon_reload=True
when: turn_unit.changed
tags: turn
- name: Start and enable the service - name: Start and enable the service
service: name=coturn state=started enabled=True service: name=coturn state=started enabled=True
tags: turn tags: turn

13
roles/coturn/templates/dehydrated_deploy_hook.j2
Unescape View File

@ -0,0 +1,13 @@
#!/bin/sh
{% if turn_letsencrypt_cert is defined %}
if [ $1 == "{{ turn_letsencrypt_cert }}" ]; then
cat /var/lib/dehydrated/certificates/certs/{{ turn_letsencrypt_cert }}/privkey.pem > /etc/coturn/ssl/key.pem
cat /var/lib/dehydrated/certificates/certs/{{ turn_letsencrypt_cert }}/fullchain.pem > /etc/coturn/ssl/cert.pem
chown root:coturn /etc/coturn/ssl/*
chmod 644 /etc/coturn/ssl/cert.pem
chmod 640 /etc/coturn/ssl/key.pem
/bin/systemctl restart coturn
fi
{% endif %}

43
roles/coturn/templates/turnserver.conf.j2
Unescape View File

@ -0,0 +1,43 @@
pidfile="/var/run/coturn/coturn.pid"
verbose
fingerprint
{% if turn_auth_secret is defined %}
use-auth-secret
static-auth-secret {{ turn_auth_secret }}
{% else %}
lt-cred-mech
{% endif %}
no-sslv2
no-sslv3
no-loopback-peers
no-multicast-peers
realm {{ turn_realm | default(ansible_domain) }}
proc-user coturn
proc-group coturn
syslog
{% for ip in turn_listen_ip %}
listening-ip {{ ip }}
{% endfor %}
{% if not turn_allow_non_tls %}
no-tcp
no-udp
{% endif %}
listening-port {{ turn_port }}
{% if turn_tls %}
tls-listening-port {{ turn_tls_port }}
{% if turn_letsencrypt_cert is defined %}
cert /etc/coturn/ssl/cert.pem
pkey /etc/coturn/ssl/key.pem
{% else %}
cert {{ turn_tls_cert }}
pkey {{ turn_tls_key }}
{% endif %}
{% endif %}
{% if turn_external_ip is defined %}
external-ip {{ turn_external_ip }}
{% endif %}

9
roles/includes/create_selfsigned_cert.yml
Unescape View File

@ -1,18 +1,13 @@
--- ---
- name: Ensure openssl is installed - name: Ensure openssl is installed
yum: name=openssl package: name=openssl
when: ansible_os_family == 'RedHat'
- name: Ensure openssl is installed
apt: name=openssl
when: ansible_os_family == 'Debian'
- name: Create cert dir - name: Create cert dir
file: path={{ cert_path | dirname }} state=directory file: path={{ cert_path | dirname }} state=directory
- name: Create private key directory - name: Create private key directory
file: path={{ cert_key_path | dirname }} state=directory mode=700 owner={{ cert_user | default(omit) }} file: path={{ cert_key_path | dirname }} state=directory owner={{ cert_user | default(omit) }}
- name: Create the self signed certificate - name: Create the self signed certificate
command: openssl req -x509 -newkey rsa:{{ cert_key_size | default(4096) }} \ command: openssl req -x509 -newkey rsa:{{ cert_key_size | default(4096) }} \

Write Preview
Loading…
Cancel
Save