diff --git a/roles/coturn/handlers/main.yml b/roles/coturn/handlers/main.yml
index ad831f4..bdea2ea 100644
--- a/roles/coturn/handlers/main.yml
+++ b/roles/coturn/handlers/main.yml
@@ -1,4 +1,10 @@
 ---
 
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
 - name: Restart coturn
   service: name=coturn state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr
diff --git a/roles/coturn/meta/main.yml b/roles/coturn/meta/main.yml
new file mode 100644
index 0000000..a456842
--- /dev/null
+++ b/roles/coturn/meta/main.yml
@@ -0,0 +1,4 @@
+---
+
+dependencies:
+- { role: acertmgr }
diff --git a/roles/coturn/tasks/main.yml b/roles/coturn/tasks/main.yml
index 1c9b473..97fb498 100644
--- a/roles/coturn/tasks/main.yml
+++ b/roles/coturn/tasks/main.yml
@@ -3,6 +3,28 @@
 - name: Install coturn
   apt: name=coturn
 
+- name: Create coturn service override directory
+  file: path=/etc/systemd/system/coturn.service.d state=directory
+
+- name: Configure coturn service override
+  template: src=coturn.override.j2 dest=/etc/systemd/system/coturn.service.d/override.conf
+  notify:
+    - Reload systemd
+    - Restart coturn
+
+- name: Create gitea directories
+  file: path={{ item }} state=directory owner=turnserver
+  with_items:
+    - /etc/turnserver
+    - /etc/turnserver/certs
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/turnserver/certs/{{ coturn_realm }}.key -out /etc/turnserver/certs/{{ coturn_realm }}.crt -days 730 -subj "/CN={{ coturn_realm }}" creates=/etc/turnserver/certs/{{ coturn_realm }}.crt
+
+- name: Configure certificate manager
+  template: src=certs.j2 dest=/etc/acertmgr/{{ coturn_realm }}.conf
+  notify: Run acertmgr
+
 - name: Configure coturn
   template: src={{ item }}.j2 dest=/etc/{{ item }}
   with_items:
diff --git a/roles/coturn/templates/certs.j2 b/roles/coturn/templates/certs.j2
new file mode 100644
index 0000000..2cbeac1
--- /dev/null
+++ b/roles/coturn/templates/certs.j2
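Review bot: The bootstrap key written by `Ensure certificates are available` is produced by a root `command` task, so its owner and mode are whatever openssl and root's umask leave, while the certs directory is handed to `turnserver` and the acertmgr config added in this change installs the same files as `turnserver` with perm 400. Until acertmgr has run, coturn (which the CAP_NET_BIND_SERVICE override suggests runs unprivileged) may be unable to read a root-owned key; a follow-up task `- name: Restrict bootstrap key permissions` with `file: path=/etc/turnserver/certs/{{ coturn_realm }}.key owner=turnserver group=turnserver mode=0400` makes the placeholder match what acertmgr will later install and stays idempotent. The task name `Create gitea directories` looks copy-pasted; `Create turnserver directories` describes what it does.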
@@ -0,0 +1,15 @@
+---
+
+{{ coturn_realm }}:
+- path: /etc/turnserver/certs/{{ coturn_realm }}.key
+  user: turnserver
+  group: turnserver
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service coturn restart'
+- path: /etc/turnserver/certs/{{ coturn_realm }}.crt
+  user: turnserver
+  group: turnserver
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service coturn restart'
diff --git a/roles/coturn/templates/coturn.override.j2 b/roles/coturn/templates/coturn.override.j2
new file mode 100644
index 0000000..31df96c
--- /dev/null
+++ b/roles/coturn/templates/coturn.override.j2
@@ -0,0 +1,2 @@
+[Service]
+AmbientCapabilities=CAP_NET_BIND_SERVICE
diff --git a/roles/coturn/templates/turnserver.conf.j2 b/roles/coturn/templates/turnserver.conf.j2
index 25c68b0..1de73bc 100644
--- a/roles/coturn/templates/turnserver.conf.j2
+++ b/roles/coturn/templates/turnserver.conf.j2
@@ -15,7 +15,7 @@
 # Note: actually, TLS & DTLS sessions can connect to the
 # "plain" TCP & UDP port(s), too - if allowed by configuration.
 #
-#listening-port=3478
+listening-port=443
 
 # TURN listener port for TLS (Default: 5349).
 # Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
@@ -27,7 +27,7 @@
 # TLS version 1.0, 1.1 and 1.2.
 # For secure UDP connections, Coturn supports DTLS version 1.
 #
-#tls-listening-port=5349
+tls-listening-port=443
 
 # Alternative listening port for UDP and TCP listeners;
 # default (or zero) value means "listening port plus one".
@@ -125,7 +125,10 @@
 #
 # By default, this value is empty, and no address mapping is used.
 #
-#external-ip=60.70.80.91
+external-ip={{ ansible_default_ipv4.address }}
+{% if ansible_default_ipv6.address is defined %}
+external-ip={{ ansible_default_ipv6.address }}
+{% endif %}
 #
 #OR:
 #
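Review bot: `listening-port=443` here and `tls-listening-port=443` in the `@@ -27,7` hunk put the plain and the TLS listener on the same port, while the surrounding comments describe them as two distinct ports; confirm coturn accepts identical values, because a second bind on 443 would otherwise fail at startup. If the goal is only to be reachable through firewalls that pass 443, leaving `listening-port=3478` and setting just `tls-listening-port=443` keeps the two listeners distinct and still lets the homeserver hand out a 443 URI. A short comment above the changed line stating why 443 was chosen would help the next reader, since the upstream comment still says "Default: 5349".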
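Review bot: `external-ip={{ ansible_default_ipv4.address }}` is the address of the host's default interface, which is the public address only when the host is not behind NAT; on a NATed host this now emits the private address, whereas the previous template left the mapping empty. Driving the value from a role variable (say `coturn_external_ip`, defaulting to the fact) or wrapping the lines in a `{% if %}` guard keeps the template correct for both deployments. The `ansible_default_ipv6.address is defined` test only works if `ansible_default_ipv6` is always present as a mapping in the gathered facts; if that holds it deserves a one-line comment in the template, otherwise use `ansible_default_ipv6 is defined and ansible_default_ipv6.address is defined`.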
@@ -399,17 +402,17 @@ realm={{ coturn_realm }}
 # Uncomment if no TCP client listener is desired.
 # By default TCP client listener is always started.
 #
-no-tcp
+#no-tcp
 
 # Uncomment if no TLS client listener is desired.
 # By default TLS client listener is always started.
 #
-no-tls
+#no-tls
 
 # Uncomment if no DTLS client listener is desired.
 # By default DTLS client listener is always started.
 #
-no-dtls
+#no-dtls
 
 # Uncomment if no UDP relay endpoints are allowed.
 # By default UDP relay endpoints are enabled (like in RFC 5766).
@@ -746,6 +749,6 @@ mobility
 
 # Do not allow an TLS/DTLS version of protocol
 #
-no-tlsv1
-no-tlsv1_1
-no-tlsv1_2
+#no-tlsv1
+#no-tlsv1_1
+#no-tlsv1_2
diff --git a/roles/matrix/templates/matrix-synapse/homeserver.yaml.j2 b/roles/matrix/templates/matrix-synapse/homeserver.yaml.j2
index 82a9d74..fff9311 100644
--- a/roles/matrix/templates/matrix-synapse/homeserver.yaml.j2
+++ b/roles/matrix/templates/matrix-synapse/homeserver.yaml.j2
@@ -1145,7 +1145,7 @@ oembed:
 
 # The public URIs of the TURN server to give to clients
 #
-turn_uris: ["turn:{{ coturn_realm }}:3478?transport=udp"]
+turn_uris: ["turn:{{ coturn_realm }}:443?transport=udp"]
 
 # The shared secret used to compute passwords for the TURN server
 #
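Review bot: Commenting out `no-tlsv1` and `no-tlsv1_1` in the `@@ -746,6` hunk re-enables TLS 1.0 and 1.1 on the listener this change just turned on, which the previous template deliberately disabled; the intent is presumably only to stop disabling TLS 1.2. Keep the first two lines active and change only the last, i.e. `no-tlsv1` / `no-tlsv1_1` / `#no-tlsv1_2`. A comment above them such as `# TLS 1.0/1.1 stay disabled; TLS 1.2 is needed for the TLS listener on 443` records the decision so a later cleanup does not repeat this.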
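Review bot: `turn_uris` still advertises only the plain `turn:` UDP URI even though this change enables the TLS listener on 443 and provisions a certificate for `{{ coturn_realm }}`, so clients behind firewalls that pass only TCP/443 gain nothing from the new listener. `turn_uris` is a list, so `turn_uris: ["turn:{{ coturn_realm }}:443?transport=udp", "turns:{{ coturn_realm }}:443?transport=tcp"]` offers both; the `turns:` entry is only usable once the acertmgr-issued certificate, not the self-signed bootstrap one, is installed, which is worth noting in a comment next to the line.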