coturn: configure TURN for use with BBB

roles/coturn/handlers/main.yml

@@ -1,4 +1,10 @@
 ---
 
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
 - name: Restart coturn
   service: name=coturn state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr

roles/coturn/meta/main.yml

@@ -0,0 +1,4 @@
+---
+
+dependencies:
+- { role: acertmgr }

roles/coturn/tasks/main.yml

@@ -3,6 +3,28 @@
 - name: Install coturn
   apt: name=coturn
 
+- name: Create coturn service override directory
+  file: path=/etc/systemd/system/coturn.service.d state=directory
+
+- name: Configure coturn service override
+  template: src=coturn.override.j2 dest=/etc/systemd/system/coturn.service.d/override.conf
+  notify:
+  - Reload systemd
+  - Restart coturn
+
+- name: Create gitea directories
+  file: path={{ item }} state=directory owner=turnserver
+  with_items:
+  - /etc/turnserver
+  - /etc/turnserver/certs
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/turnserver/certs/{{ coturn_realm }}.key -out /etc/turnserver/certs/{{ coturn_realm }}.crt -days 730 -subj "/CN={{ coturn_realm }}" creates=/etc/turnserver/certs/{{ coturn_realm }}.crt
+
+- name: Configure certificate manager
+  template: src=certs.j2 dest=/etc/acertmgr/{{ coturn_realm }}.conf
+  notify: Run acertmgr
+
 - name: Configure coturn
   template: src={{ item }}.j2 dest=/etc/{{ item }}
   with_items:

roles/coturn/templates/certs.j2

@@ -0,0 +1,15 @@
+---
+
+{{ coturn_realm }}:
+- path: /etc/turnserver/certs/{{ coturn_realm }}.key
+  user: turnserver
+  group: turnserver
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service coturn restart'
+- path: /etc/turnserver/certs/{{ coturn_realm }}.crt
+  user: turnserver
+  group: turnserver
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service coturn restart'

roles/coturn/templates/coturn.override.j2

@@ -0,0 +1,2 @@
+[Service]
+AmbientCapabilities=CAP_NET_BIND_SERVICE

roles/coturn/templates/turnserver.conf.j2

@@ -15,7 +15,7 @@
 # Note: actually, TLS & DTLS sessions can connect to the
 # "plain" TCP & UDP port(s), too - if allowed by configuration.
 #
-#listening-port=3478
+listening-port=443
 
 # TURN listener port for TLS (Default: 5349).
 # Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
@@ -27,7 +27,7 @@
 # TLS version 1.0, 1.1 and 1.2.
 # For secure UDP connections, Coturn supports DTLS version 1.
 #
-#tls-listening-port=5349
+tls-listening-port=443
 
 # Alternative listening port for UDP and TCP listeners;
 # default (or zero) value means "listening port plus one".
@@ -125,7 +125,10 @@
 #
 # By default, this value is empty, and no address mapping is used.
 #
-#external-ip=60.70.80.91
+external-ip={{ ansible_default_ipv4.address }}
+{% if ansible_default_ipv6.address is defined %}
+external-ip={{ ansible_default_ipv6.address }}
+{% endif %}
 #
 #OR:
 #
@@ -399,17 +402,17 @@ realm={{ coturn_realm }}
 # Uncomment if no TCP client listener is desired.
 # By default TCP client listener is always started.
 #
-no-tcp
+#no-tcp
 
 # Uncomment if no TLS client listener is desired.
 # By default TLS client listener is always started.
 #
-no-tls
+#no-tls
 
 # Uncomment if no DTLS client listener is desired.
 # By default DTLS client listener is always started.
 #
-no-dtls
+#no-dtls
 
 # Uncomment if no UDP relay endpoints are allowed.
 # By default UDP relay endpoints are enabled (like in RFC 5766).
@@ -746,6 +749,6 @@ mobility
 
 # Do not allow an TLS/DTLS version of protocol
 #
-no-tlsv1
+#no-tlsv1
-no-tlsv1_1
+#no-tlsv1_1
-no-tlsv1_2
+#no-tlsv1_2

roles/matrix/templates/matrix-synapse/homeserver.yaml.j2

@@ -1145,7 +1145,7 @@ oembed:
 
 # The public URIs of the TURN server to give to clients
 #
-turn_uris: ["turn:{{ coturn_realm }}:3478?transport=udp"]
+turn_uris: ["turn:{{ coturn_realm }}:443?transport=udp"]
 
 # The shared secret used to compute passwords for the TURN server
 #