ansible, docker: Initial attempt at adding coturn

ansible/files/bin/start-coturn.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+CERTFILE="/snikket/letsencrypt/live/$SNIKKET_DOMAIN/fullchain.pem";
+KEYFILE="/snikket/letsencrypt/live/$SNIKKET_DOMAIN/privkey.pem";
+
+echo "Waiting for certificates to become available..."
+while ! test -f "$CERTFILE" -a -f "$KEYFILE"; do
+  sleep 1;
+  echo ".";
+done
+
+exec /usr/bin/turnserver -c /etc/turnserver.conf --prod \
+     --static-auth-secret="$(cat /snikket/prosody/turn-auth-secret)" \
+     --cert="$CERTFILE" --pkey "$KEYFILE"

ansible/files/prosody.cfg.lua

@@ -51,6 +51,7 @@ modules_enabled = {
 		"default_bookmarks";
 		"roster_allinall";
 		"update_check";
+		"turncredentials";
 
 	-- TODO...
 		--"groups"; -- Shared roster support
@@ -110,6 +111,9 @@ update_check_dns = "_{branch}.update.snikket.net"
 http_host = DOMAIN
 http_external_url = "https://"..DOMAIN.."/"
 
+turncredentials_host = DOMAIN
+turncredentials_secret = assert(io.open("/snikket/prosody/turn-auth-secret")):read("*a");
+
 VirtualHost (DOMAIN)
 	authentication = "internal_hashed"
 

ansible/files/supervisord.conf

@@ -23,3 +23,13 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 redirect_stderr=true
 umask=002
+
+[program:coturn]
+command=start-coturn.sh
+startsecs=0
+autorestart=true
+stopwaitsecs=30
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+umask=002

ansible/files/turnserver.conf

@@ -0,0 +1,92 @@
+# Coturn TURN SERVER configuration file
+#
+# Boolean values note: where boolean value is supposed to be used,
+# you can use '0', 'off', 'no', 'false', 'f' as 'false, 
+# and you can use '1', 'on', 'yes', 'true', 't' as 'true' 
+# If the value is missed, then it means 'true'.
+#
+
+# TURN listener port for UDP and TCP (Default: 3478).
+# Note: actually, TLS & DTLS sessions can connect to the 
+# "plain" TCP & UDP port(s), too - if allowed by configuration.
+#
+listening-port=3478
+
+# TURN listener port for TLS (Default: 5349).
+# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
+# port(s), too - if allowed by configuration. The TURN server 
+# "automatically" recognizes the type of traffic. Actually, two listening
+# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
+# functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
+# For secure TCP connections, we currently support SSL version 3 and 
+# TLS version 1.0, 1.1 and 1.2.
+# For secure UDP connections, we support DTLS version 1.
+#
+tls-listening-port=5349
+
+# Alternative listening port for UDP and TCP listeners;
+# default (or zero) value means "listening port plus one". 
+# This is needed for RFC 5780 support
+# (STUN extension specs, NAT behavior discovery). The TURN Server 
+# supports RFC 5780 only if it is started with more than one 
+# listening IP address of the same family (IPv4 or IPv6).
+# RFC 5780 is supported only by UDP protocol, other protocols
+# are listening to that endpoint only for "symmetry".
+#
+alt-listening-port=0
+							 
+# Alternative listening port for TLS and DTLS protocols.
+# Default (or zero) value means "TLS listening port plus one".
+#
+alt-tls-listening-port=0
+	
+# Lower and upper bounds of the UDP relay endpoints:
+# (default values are 49152 and 65535)
+#
+min-port=49152
+max-port=65535
+	
+# TURN REST API flag.
+# Flag that sets a special authorization option that is based upon authentication secret.
+# This feature can be used with the long-term authentication mechanism, only.
+# This feature purpose is to support "TURN Server REST API", see
+# "TURN REST API" link in the project's page 
+# https://github.com/coturn/coturn/
+#
+# This option is used with timestamp:
+# 
+# usercombo -> "timestamp:userid"
+# turn user -> usercombo
+# turn password -> base64(hmac(secret key, usercombo))
+#
+# This allows TURN credentials to be accounted for a specific user id.
+# If you don't have a suitable id, the timestamp alone can be used.
+# This option is just turning on secret-based authentication.
+# The actual value of the secret is defined either by option static-auth-secret,
+# or can be found in the turn_secret table in the database (see below).
+# 
+use-auth-secret
+
+# Option to set the log file name.
+# By default, the turnserver tries to open a log file in
+# /var/log, /var/tmp, /tmp and current directories directories
+# (which open operation succeeds first that file will be used).
+# With this option you can set the definite log file name.
+# The special names are "stdout" and "-" - they will force everything
+# to the stdout. Also, the "syslog" name will force everything to
+# the system log (syslog).
+# In the runtime, the logfile can be reset with the SIGHUP signal
+# to the turnserver process.
+#
+log-file=stdout
+
+# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
+# This is an extra security measure.
+#
+no-multicast-peers
+
+# Turn OFF the CLI support.
+# By default it is always ON.
+# See also options cli-ip and cli-port.
+#
+no-cli

ansible/tasks/coturn.yml

@@ -0,0 +1,24 @@
+---
+
+- name: "Install coturn package"
+  apt:
+    name: coturn
+    state: present
+    install_recommends: yes
+- name: "Disable coturn service"
+  service:
+    name: coturn
+    enabled: no
+- name: "Stop coturn if running"
+  service:
+    name: coturn
+    state: stopped
+- name: Configure coturn
+  copy:
+    src: ../files/turnserver.conf
+    dest: /etc/turnserver.conf
+- name: Deploy coturn start script
+  copy:
+    src: ../files/start-coturn.sh
+    dest: /usr/local/bin/
+    mode: 755

docker/entrypoint.sh

@@ -42,4 +42,9 @@ install -o letsencrypt -g letsencrypt -m 755 -d /var/www/.well-known/acme-challe
 
 chown -R letsencrypt:letsencrypt /snikket/letsencrypt
 
+## Generate secret for coturn auth if necessary
+if ! test -f /snikket/prosody/turn-auth-secret; then
+	head -c 32 /dev/urandom | sha256sum > /snikket/prosody/turn-auth-secret;
+fi
+
 exec supervisord -c /etc/supervisor/supervisord.conf