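---
# Deploys a coturn TURN/STUN server with a Let's Encrypt certificate.
#
# Fixes over the previous revision:
# - the certbot deploy hook was installed *after* the first `certbot certonly`,
#   and certbot only runs renewal-hooks/deploy/* on renewals, so the
#   certificate never reached /etc/turnserver until the first renewal;
#   the hook is now installed first and run explicitly when needed.
# - `creates:` for the DH parameters was a relative path and never matched,
#   so dhp.pem was regenerated on every run.
# - the copied private key and the config block holding the shared auth
#   secret are no longer left with permissive modes.
- hosts: turn
  vars:
    turnserver_secret: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      61643630616332343933343663623032346565636431613332373031663834616662343763353863
      3165323337616264353335613036396663356666666333310a333530383736376134646332633638
      37633763623039326364356661616436663136623838343734316633373936353465636538353366
      6236356562343335370a356530353563353865383635643239666438323365346137626634356533
      31633538363865323066323166323564633439326538386230323132663032653731303165623132
      3064313963616432383936626437313566653637313130666430
  tasks:
    # NOTE(review): the standalone HTTP-01 challenge used below needs inbound
    # TCP 80, which these rules do not open; confirm the common role opens it,
    # otherwise issuance and every renewal will fail.
    # The relay range should match coturn's min-port/max-port; neither is set
    # in turnserver.conf below, so coturn's defaults apply — narrow this rule
    # to that range rather than opening more than the server will use.
    - name: Basic setup
      include_role:
        name: common
      vars:
        nft_extra: |
          tcp dport {3478, 5349} counter accept comment "coturn listening port"
          udp dport {3478, 5349} counter accept comment "coturn listening port"
          udp dport 32769-65535 counter accept comment "relay ports range"

    - name: Install coturn and certbot
      apt:
        name: [coturn, certbot]
        state: present

    # Created before anything writes into it: the DH parameters and the
    # certificate copies made by the deploy hook.
    - name: Create coturn config directory
      file:
        path: /etc/turnserver
        state: directory
        mode: "0755"

    - name: Create dhp.pem file
      # -dsaparam makes generation fast but yields non-safe-prime parameters;
      # acceptable only because the keys are ephemeral (DHE), never static DH.
      command: openssl dhparam -dsaparam -out /etc/turnserver/dhp.pem 2048
      args:
        # Must be absolute: a relative `creates` is resolved against the task's
        # working directory, never matched, and the parameters were regenerated
        # on every run.
        creates: /etc/turnserver/dhp.pem

    - name: Ensure certbot deploy hook directory exists
      file:
        path: /etc/letsencrypt/renewal-hooks/deploy
        state: directory
        mode: "0755"

    # Installed *before* the certificate is requested so it can be run for the
    # initial issuance as well (see "Deploy the certificate to coturn").
    - name: Configure certbot renewal hook for coturn
      copy:
        dest: /etc/letsencrypt/renewal-hooks/deploy/coturn
        mode: "0755"
        content: |
          #!/bin/bash -e
          # Copy the live certificate and key into coturn's directory (cp -L
          # dereferences the symlinks in /etc/letsencrypt/live) and tell coturn
          # to reload them. cp creates the target from the source mode masked by
          # the umask, so make the umask restrictive to guarantee the copied
          # private key is never readable by other users, whatever the source mode.
          umask 077
          for certfile in fullchain.pem privkey.pem ; do
              cp -L /etc/letsencrypt/live/turn.afpy.org/"${certfile}" /etc/turnserver/"${certfile}".new
              chown turnserver:turnserver /etc/turnserver/"${certfile}".new
              mv /etc/turnserver/"${certfile}".new /etc/turnserver/"${certfile}"
          done
          # SIGUSR2 makes coturn re-read its certificate files. Skip it when the
          # service is not running (e.g. first deploy), where `systemctl kill`
          # would fail and, with -e, abort the hook.
          if systemctl is-active --quiet coturn.service; then
              systemctl kill -sUSR2 coturn.service
          fi

    - name: Get TLS certificate
      command: certbot certonly --standalone --preferred-challenges http -d turn.afpy.org -n --agree-tos -m {{ letsencrypt_email | quote }}
      register: certbot
      # certbot reports an up-to-date certificate with "no action taken."
      changed_when: '"no action taken." not in certbot.stdout'

    - name: Check whether coturn already has its private key
      stat:
        path: /etc/turnserver/privkey.pem
      register: coturn_key

    # certbot runs renewal-hooks/deploy/* on renewals only, so run the hook
    # ourselves after an issuance (or when the copy is missing, e.g. after a
    # run of the previous revision of this playbook).
    - name: Deploy the certificate to coturn
      command: /etc/letsencrypt/renewal-hooks/deploy/coturn
      when: certbot is changed or not coturn_key.stat.exists

    - name: Configure turnserver
      # The block carries the shared auth secret: keep it out of the log
      # (no_log also hides the diff of a failed run) and keep the file readable
      # only by root and the turnserver user, whatever mode the package shipped.
      no_log: true
      blockinfile:
        path: /etc/turnserver.conf
        owner: root
        group: turnserver
        mode: "0640"
        block: |
          fingerprint
          use-auth-secret
          static-auth-secret={{ turnserver_secret }}
          realm=afpy.org
          cert=/etc/turnserver/fullchain.pem
          pkey=/etc/turnserver/privkey.pem
          # From https://ssl-config.mozilla.org/ Intermediate, openssl 1.1.0g, 2020-01
          cipher-list="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
          dh-file=/etc/turnserver/dhp.pem
          no-cli
          no-tlsv1
          no-tlsv1_1
          no-loopback-peers
          no-multicast-peers
          # A TURN server relays to any peer an authenticated client names.
          # Private and link-local ranges are never legitimate peers for a
          # public relay; refuse them so the server cannot be used to reach
          # internal networks. Adjust if the host must relay to a private backend.
          denied-peer-ip=10.0.0.0-10.255.255.255
          denied-peer-ip=172.16.0.0-172.31.255.255
          denied-peer-ip=192.168.0.0-192.168.255.255
          denied-peer-ip=169.254.0.0-169.254.255.255
          denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
          denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      notify: restart coturn

    - name: Create coturn service directory
      file:
        path: /etc/systemd/system/coturn.service.d
        state: directory
        mode: "0755"

    - name: Configure coturn service override
      copy:
        dest: /etc/systemd/system/coturn.service.d/override.conf
        content: |
          [Service]
          LimitNOFILE=1048576
          AmbientCapabilities=CAP_NET_BIND_SERVICE
          Restart=always
      notify: restart coturn

  handlers:
    - name: restart coturn
      systemd:
        name: coturn
        state: restarted
        daemon_reload: true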