diff --git a/ansible/files/bin/start-coturn.sh b/ansible/files/bin/start-coturn.sh
new file mode 100644
index 0000000..a043dce
--- /dev/null
+++ b/ansible/files/bin/start-coturn.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+CERTFILE="/snikket/letsencrypt/live/$SNIKKET_DOMAIN/fullchain.pem";
+KEYFILE="/snikket/letsencrypt/live/$SNIKKET_DOMAIN/privkey.pem";
+
+echo "Waiting for certificates to become available..."
+while ! test -f "$CERTFILE" -a -f "$KEYFILE"; do
+ sleep 1;
+ echo ".";
+done
+
+exec /usr/bin/turnserver -c /etc/turnserver.conf --prod \
+ --static-auth-secret="$(cat /snikket/prosody/turn-auth-secret)" \
+ --cert="$CERTFILE" --pkey "$KEYFILE"
diff --git a/ansible/files/prosody.cfg.lua b/ansible/files/prosody.cfg.lua
index 0177f5e..82b61c5 100644
--- a/ansible/files/prosody.cfg.lua
+++ b/ansible/files/prosody.cfg.lua
@@ -51,6 +51,7 @@ modules_enabled = {
 "default_bookmarks";
 "roster_allinall";
 "update_check";
+ "turncredentials"; -- TODO... --"groups"; -- Shared roster support
@@ -110,6 +111,9 @@ update_check_dns = "_{branch}.update.snikket.net"
 http_host = DOMAIN
 http_external_url = "https://"..DOMAIN.."/"
+turncredentials_host = DOMAIN
+turncredentials_secret = assert(io.open("/snikket/prosody/turn-auth-secret")):read("*a");
+
 VirtualHost (DOMAIN)
 authentication = "internal_hashed"
diff --git a/ansible/files/supervisord.conf b/ansible/files/supervisord.conf
index 4a2357f..4856966 100644
--- a/ansible/files/supervisord.conf
+++ b/ansible/files/supervisord.conf
@@ -23,3 +23,13 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 redirect_stderr=true
 umask=002
+
+[program:coturn]
+command=start-coturn.sh
+startsecs=0
+autorestart=true
+stopwaitsecs=30
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+umask=002
diff --git a/ansible/files/turnserver.conf b/ansible/files/turnserver.conf
new file mode 100644
index 0000000..6990ffa
--- /dev/null
+++ b/ansible/files/turnserver.conf
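Review bot: The value handed to `--static-auth-secret` on the exec line will not match what prosody loads: `$(cat …)` strips the trailing newline, while `assert(io.open(...)):read("*a")` in the prosody.cfg.lua hunk keeps it, and both sides also carry the `  -` filename suffix that `sha256sum` appends in the docker/entrypoint.sh hunk, so unless mod_turncredentials trims its value every HMAC-derived credential will be rejected by coturn. The cleanest fix is at generation time, writing only the hex digest with no terminator, e.g. `head -c 32 /dev/urandom | sha256sum | cut -d' ' -f1 | tr -d '\n' > /snikket/prosody/turn-auth-secret`. Separately, passing the secret as a command-line argument exposes it to anything that can read the process list; the `static-auth-secret=` key that turnserver.conf's own comments mention keeps it out of argv, at the cost of writing it into the config at start time. A `: "${SNIKKET_DOMAIN:?}"` guard at the top would also turn an unset domain into a clear error instead of an endless wait on a malformed certificate path.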
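Review bot: The handle returned by `io.open` on the turncredentials_secret line is never closed, and the `-- TODO...` left on the `"turncredentials"` entry in the modules_enabled hunk says nothing about what is outstanding. Reading through a named handle makes the cleanup explicit: `local f = assert(io.open("/snikket/prosody/turn-auth-secret"))`, `turncredentials_secret = f:read("*a")`, `f:close()`. The TODO should either name the remaining work or be dropped.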
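Review bot: `command=start-coturn.sh` in the new [program:coturn] block depends on supervisord's PATH including /usr/local/bin, where the coturn.yml hunk installs the script; a lookup failure only shows up as a restart loop, since `autorestart=true` with `startsecs=0` never lets the program settle. Use the absolute path, `command=/usr/local/bin/start-coturn.sh`, matching the deploy location. The block also inherits supervisord's identity (presumably root) for a network-facing daemon; a `user=` line here, or coturn's own `proc-user`/`proc-group` options, would drop privileges once the certificate key is readable by that account.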
@@ -0,0 +1,92 @@
+# Coturn TURN SERVER configuration file
+#
+# Boolean values note: where boolean value is supposed to be used,
+# you can use '0', 'off', 'no', 'false', 'f' as 'false,
+# and you can use '1', 'on', 'yes', 'true', 't' as 'true'
+# If the value is missed, then it means 'true'.
+#
+
+# TURN listener port for UDP and TCP (Default: 3478).
+# Note: actually, TLS & DTLS sessions can connect to the
+# "plain" TCP & UDP port(s), too - if allowed by configuration.
+#
+listening-port=3478
+
+# TURN listener port for TLS (Default: 5349).
+# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
+# port(s), too - if allowed by configuration. The TURN server
+# "automatically" recognizes the type of traffic. Actually, two listening
+# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
+# functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
+# For secure TCP connections, we currently support SSL version 3 and
+# TLS version 1.0, 1.1 and 1.2.
+# For secure UDP connections, we support DTLS version 1.
+#
+tls-listening-port=5349
+
+# Alternative listening port for UDP and TCP listeners;
+# default (or zero) value means "listening port plus one".
+# This is needed for RFC 5780 support
+# (STUN extension specs, NAT behavior discovery). The TURN Server
+# supports RFC 5780 only if it is started with more than one
+# listening IP address of the same family (IPv4 or IPv6).
+# RFC 5780 is supported only by UDP protocol, other protocols
+# are listening to that endpoint only for "symmetry".
+#
+alt-listening-port=0
+
+# Alternative listening port for TLS and DTLS protocols.
+# Default (or zero) value means "TLS listening port plus one".
+#
+alt-tls-listening-port=0
+
+# Lower and upper bounds of the UDP relay endpoints:
+# (default values are 49152 and 65535)
+#
+min-port=49152
+max-port=65535
+
+# TURN REST API flag.
+# Flag that sets a special authorization option that is based upon authentication secret.
+# This feature can be used with the long-term authentication mechanism, only.
+# This feature purpose is to support "TURN Server REST API", see
+# "TURN REST API" link in the project's page
+# https://github.com/coturn/coturn/
+#
+# This option is used with timestamp:
+#
+# usercombo -> "timestamp:userid"
+# turn user -> usercombo
+# turn password -> base64(hmac(secret key, usercombo))
+#
+# This allows TURN credentials to be accounted for a specific user id.
+# If you don't have a suitable id, the timestamp alone can be used.
+# This option is just turning on secret-based authentication.
+# The actual value of the secret is defined either by option static-auth-secret,
+# or can be found in the turn_secret table in the database (see below).
+#
+use-auth-secret
+
+# Option to set the log file name.
+# By default, the turnserver tries to open a log file in
+# /var/log, /var/tmp, /tmp and current directories directories
+# (which open operation succeeds first that file will be used).
+# With this option you can set the definite log file name.
+# The special names are "stdout" and "-" - they will force everything
+# to the stdout. Also, the "syslog" name will force everything to
+# the system log (syslog).
+# In the runtime, the logfile can be reset with the SIGHUP signal
+# to the turnserver process.
+#
+log-file=stdout
+
+# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
+# This is an extra security measure.
+#
+no-multicast-peers
+
+# Turn OFF the CLI support.
+# By default it is always ON.
+# See also options cli-ip and cli-port.
+#
+no-cli
diff --git a/ansible/tasks/coturn.yml b/ansible/tasks/coturn.yml
new file mode 100644
index 0000000..b8b39df
--- /dev/null
+++ b/ansible/tasks/coturn.yml
@@ -0,0 +1,24 @@
+---
+
+- name: "Install coturn package"
+ apt:
+ name: coturn
+ state: present
+ install_recommends: yes
+- name: "Disable coturn service"
+ service:
+ name: coturn
+ enabled: no
+- name: "Stop coturn if running"
+ service:
+ name: coturn
+ state: stopped
+- name: Configure coturn
+ copy:
+ src: ../files/turnserver.conf
+ dest: /etc/turnserver.conf
+- name: Deploy coturn start script
+ copy:
+ src: ../files/start-coturn.sh
+ dest: /usr/local/bin/
+ mode: 755
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 7ddfad6..1fc73ec 100755
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -42,4 +42,9 @@ install -o letsencrypt -g letsencrypt -m 755 -d /var/www/.well-known/acme-challe
 chown -R letsencrypt:letsencrypt /snikket/letsencrypt
+## Generate secret for coturn auth if necessary
+if ! test -f /snikket/prosody/turn-auth-secret; then
+ head -c 32 /dev/urandom | sha256sum > /snikket/prosody/turn-auth-secret;
+fi
+
 exec supervisord -c /etc/supervisor/supervisord.conf
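Review bot: `mode: 755` on the "Deploy coturn start script" task is an unquoted YAML integer, which Ansible takes as decimal 755, i.e. octal 1363 (sticky bit, owner -wx, group rw-, other -wx), not the intended 0755; the script only runs today because root ignores the missing read bit. Write it as `mode: "0755"` (or `mode: 0755` with the leading zero, which YAML parses as octal), the form the Ansible file/copy modules document. The "Configure coturn" copy of turnserver.conf sets no mode at all, which is fine only for as long as that file holds no secret.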
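Review bot: The redirect that creates /snikket/prosody/turn-auth-secret inherits whatever umask the entrypoint runs under, so the HMAC key most likely lands world-readable next to the prosody data; nothing in the hunk restricts it, and the `chown -R letsencrypt` context line above shows ownership is otherwise managed explicitly here. Creating it under a tight umask, `( umask 077; head -c 32 /dev/urandom | sha256sum > /snikket/prosody/turn-auth-secret )`, and then setting owner and group so only the prosody and coturn processes can read it keeps the key confined. Existing files are left as they are by the `test -f` guard, so a one-off `chmod` for already-deployed hosts is worth noting in the commit message.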