Update to 2020-11-19 19:00

4 years ago · 276ded1e44
parent 3617fae9a1
commit 276ded1e44
5 changed files with 115 additions and 15 deletions
--- a/roles/coturn/defaults/main.yml
+++ b/roles/coturn/defaults/main.yml
@ -21,9 +21,7 @@ turn_src_ip:
 - 0.0.0.0/0

 turn_port: 3478
-turn_alt_port: 3479
 turn_tls_port: 5349
-turn_alt_tls_port: 5350

 # Allow non TLS relay
 turn_allow_non_tls: True
@ -32,6 +30,8 @@ turn_allow_non_tls: True
 turn_tls: False
 # turn_tls_cert:
 # turn_tls_key:
+# Or alternatively, set the name of a Let's Encrypt cert
+# turn_letsencrypt_cert: turn.example.org

 # If behind a NAT, you must set the public IP
 # turn_external_ip: 12.13.14.15
--- a/roles/coturn/tasks/main.yml
+++ b/roles/coturn/tasks/main.yml
@ -1,5 +1,23 @@
 ---

+- name: Check if turnserver is installed
+  stat: path=/lib/systemd/system/turnserver.service
+  register: turn_turnserver
+  tags: turn
+
+  # Migrate from the turnserver package/role
+- when: turn_turnserver.stat.exists
+  block:
+    - name: Stop and disable turnserver
+      service: name=turnserver state=stopped enabled=False
+
+    - name: Remove turnserver package
+      yum: name=turnserver state=absent
+
+    - name: Remove turnserver dehydrated hook
+      file: path=/etc/dehydrated/hooks_deploy_cert.d/20turnserver.sh state=absent
+  tags: turn
+
 - name: Install Coturn
  yum: name=coturn state=present
  register: turn_installed
@ -11,12 +29,25 @@
  tags: turn

 - name: Deploy main configuration
-  template: src=coturn.conf.j2 dest=/etc/coturn/coturn.conf group=coturn mode=640
+  template: src=turnserver.conf.j2 dest=/etc/coturn/turnserver.conf group=coturn mode=640
  notify: restart coturn
  tags: turn

+- name: Create the ssl dir
+  file: path=/etc/coturn/ssl state=directory group=coturn mode=750
+  tags: turn
+
+  # Create a self signed cert. This is needed even if a cert is later obtained with dehydrated as
+  # turnserver must be started before that
+- import_tasks: ../includes/create_selfsigned_cert.yml
+  vars:
+    - cert_path: /etc/coturn/ssl/cert.pem
+    - cert_key_path: /etc/coturn/ssl/key.pem
+    - cert_user: coturn
+  tags: turn
+
 - name: Deploy dehydrated hook
-  copy: src=dehydrated_deploy_hook dest=/etc/dehydrated/hooks_deploy_cert.d/20coturn.sh mode=755
+  template: src=dehydrated_deploy_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/20coturn.sh mode=755
  tags: turn

 - name: Remove turnserver rules
@ -31,15 +62,33 @@
    name: coturn_ports
    state: "{{ (turn_src_ip | length > 0) | ternary('present','absent') }}"
    rules: |
-      -A INPUT -m state --state NEW -p tcp -m multiport --dports {{ [turn_port,turn_alt_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
-      -A INPUT -p udp -m multiport --dports {{ [turn_port,turn_alt_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
-      -A INPUT -m state --state NEW -p tcp -m multiport --dports {{ [turn_tls_port,turn_alt_tls_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
-      -A INPUT -p udp -m multiport --dports {{ [turn_tls_port,turn_alt_tls_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
+      -A INPUT -m state --state NEW -p tcp -m multiport --dports {{ [turn_port,turn_tls_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
+      -A INPUT -p udp -m multiport --dports {{ [turn_port,turn_tls_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
      -A INPUT -p tcp --dport 49152:65535 -s {{ turn_src_ip | join(',') }} -j ACCEPT
      -A INPUT -p udp --dport 49152:65535 -s {{ turn_src_ip | join(',') }} -j ACCEPT
  when: iptables_manage | default(True)
  tags: turn,firewall

+- name: Create systemd unit snippet dir
+  file: path=/etc/systemd/system/coturn.service.d state=directory
+  tags: turn
+
+- name: Customize systemd unit
+  copy:
+    content: |
+      [Service]
+      # Allow binding on privileged ports
+      CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+      AmbientCapabilities=CAP_NET_BIND_SERVICE
+    dest: /etc/systemd/system/coturn.service.d/99-ansible.conf
+  register: turn_unit
+  tags: turn
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: turn_unit.changed
+  tags: turn
+
 - name: Start and enable the service
  service: name=coturn state=started enabled=True
  tags: turn
--- a/roles/coturn/templates/dehydrated_deploy_hook.j2
+++ b/roles/coturn/templates/dehydrated_deploy_hook.j2
@ -0,0 +1,13 @@
+#!/bin/sh
+
+{% if turn_letsencrypt_cert is defined %}
+if [ $1 == "{{ turn_letsencrypt_cert }}" ]; then
+  cat /var/lib/dehydrated/certificates/certs/{{ turn_letsencrypt_cert }}/privkey.pem > /etc/coturn/ssl/key.pem
+  cat /var/lib/dehydrated/certificates/certs/{{ turn_letsencrypt_cert }}/fullchain.pem > /etc/coturn/ssl/cert.pem
+  chown root:coturn /etc/coturn/ssl/*
+  chmod 644 /etc/coturn/ssl/cert.pem
+  chmod 640 /etc/coturn/ssl/key.pem
+
+  /bin/systemctl restart coturn
+fi
+{% endif %}
--- a/roles/coturn/templates/turnserver.conf.j2
+++ b/roles/coturn/templates/turnserver.conf.j2
@ -0,0 +1,43 @@
+pidfile="/var/run/coturn/coturn.pid"
+verbose
+fingerprint
+{% if turn_auth_secret is defined %}
+use-auth-secret
+static-auth-secret {{ turn_auth_secret }}
+{% else %}
+lt-cred-mech
+{% endif %}
+no-sslv2
+no-sslv3
+no-loopback-peers
+no-multicast-peers
+realm {{ turn_realm | default(ansible_domain) }}
+proc-user coturn
+proc-group coturn
+syslog
+
+{% for ip in turn_listen_ip %}
+listening-ip {{ ip }}
+{% endfor %}
+
+{% if not turn_allow_non_tls %}
+no-tcp
+no-udp
+{% endif %}
+
+listening-port {{ turn_port }}
+
+{% if turn_tls %}
+tls-listening-port {{ turn_tls_port }}
+{% if turn_letsencrypt_cert is defined %}
+cert /etc/coturn/ssl/cert.pem
+pkey /etc/coturn/ssl/key.pem
+{% else %}
+cert {{ turn_tls_cert }}
+pkey {{ turn_tls_key }}
+{% endif %}
+{% endif %}
+
+{% if turn_external_ip is defined %}
+external-ip {{ turn_external_ip }}
+{% endif %}
--- a/roles/includes/create_selfsigned_cert.yml
+++ b/roles/includes/create_selfsigned_cert.yml
@ -1,18 +1,13 @@
 ---

 - name: Ensure openssl is installed
-  yum: name=openssl
-  when: ansible_os_family == 'RedHat'
-
- name: Ensure openssl is installed
-  apt: name=openssl
-  when: ansible_os_family == 'Debian'
+  package: name=openssl

 - name: Create cert dir
  file: path={{ cert_path | dirname }} state=directory

 - name: Create private key directory
-  file: path={{ cert_key_path | dirname }} state=directory mode=700 owner={{ cert_user | default(omit) }}
+  file: path={{ cert_key_path | dirname }} state=directory owner={{ cert_user | default(omit) }}

 - name: Create the self signed certificate
  command: openssl req -x509 -newkey rsa:{{ cert_key_size | default(4096) }} \