ansible, docker: Improve turnserver secret generation

The original implementation unintentionally included whitespace
and other noise in the secret file.

The new secret is stored in a -v2 file, the old one is cleaned up
if present.

ansible/files/bin/start-coturn.sh

@@ -13,6 +13,6 @@ TURN_EXTERNAL_IP="$(snikket-turn-addresses "$SNIKKET_DOMAIN")"
 
 
 exec /usr/bin/turnserver -c /etc/turnserver.conf --prod \
-     --static-auth-secret="$(cat /snikket/prosody/turn-auth-secret)" \
+     --static-auth-secret="$(cat /snikket/prosody/turn-auth-secret-v2)" \
      --cert="$CERTFILE" --pkey "$KEYFILE" -r "$SNIKKET_DOMAIN" \
      -X "$TURN_EXTERNAL_IP"

ansible/files/prosody.cfg.lua

@@ -115,7 +115,7 @@ http_host = DOMAIN
 http_external_url = "https://"..DOMAIN.."/"
 
 turncredentials_host = DOMAIN
-turncredentials_secret = assert(io.open("/snikket/prosody/turn-auth-secret")):read("*a");
+turncredentials_secret = assert(io.open("/snikket/prosody/turn-auth-secret-v2")):read("*l");
 
 VirtualHost (DOMAIN)
 	authentication = "internal_hashed"

docker/entrypoint.sh

@@ -47,8 +47,13 @@ install -o letsencrypt -g letsencrypt -m 755 -d /var/www/.well-known/acme-challe
 chown -R letsencrypt:letsencrypt /snikket/letsencrypt
 
 ## Generate secret for coturn auth if necessary
-if ! test -f /snikket/prosody/turn-auth-secret; then
-	head -c 32 /dev/urandom | sha256sum > /snikket/prosody/turn-auth-secret;
+if ! test -f /snikket/prosody/turn-auth-secret-v2; then
+	tr -dc 'a-z0-9' < /dev/urandom | head -c32 > /snikket/prosody/turn-auth-secret-v2;
+fi
+
+# COMPAT w/ alpha.20200513: remove older format
+if test -f /snikket/prosody/turn-auth-secret; then
+	rm /snikket/prosody/turn-auth-secret;
 fi
 
 exec supervisord -c /etc/supervisor/supervisord.conf