ansible, docker: Improve turnserver secret generation
The original implementation unintentionally included whitespace and other noise in the secret file. The new secret is stored in a -v2 file; the old one is cleaned up if present.
parent
4a0ca2b2d7
commit
ec33e74684
|
@ -13,6 +13,6 @@ TURN_EXTERNAL_IP="$(snikket-turn-addresses "$SNIKKET_DOMAIN")"
|
||||||
|
|
||||||
|
|
||||||
exec /usr/bin/turnserver -c /etc/turnserver.conf --prod \
|
exec /usr/bin/turnserver -c /etc/turnserver.conf --prod \
|
||||||
--static-auth-secret="$(cat /snikket/prosody/turn-auth-secret)" \
|
--static-auth-secret="$(cat /snikket/prosody/turn-auth-secret-v2)" \
|
||||||
--cert="$CERTFILE" --pkey "$KEYFILE" -r "$SNIKKET_DOMAIN" \
|
--cert="$CERTFILE" --pkey "$KEYFILE" -r "$SNIKKET_DOMAIN" \
|
||||||
-X "$TURN_EXTERNAL_IP"
|
-X "$TURN_EXTERNAL_IP"
|
||||||
|
|
|
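Review bot: The secret is still passed to turnserver as a `--static-auth-secret=` argument, so it sits in the process command line where anything in the container that can list processes can read it. A missing or empty -v2 file also makes `$(cat …)` expand to an empty secret, and nothing visible in this hunk stops the launch in that case. A guard before the `exec`, such as `test -s /snikket/prosody/turn-auth-secret-v2 || { echo "TURN secret missing" >&2; exit 1; }`, would fail closed. coturn also accepts `static-auth-secret` in its configuration file, which would keep the value out of argv; whether /etc/turnserver.conf can be templated at start-up is not visible here. The script begins above this hunk.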
@ -115,7 +115,7 @@ http_host = DOMAIN
|
||||||
http_external_url = "https://"..DOMAIN.."/"
|
http_external_url = "https://"..DOMAIN.."/"
|
||||||
|
|
||||||
turncredentials_host = DOMAIN
|
turncredentials_host = DOMAIN
|
||||||
turncredentials_secret = assert(io.open("/snikket/prosody/turn-auth-secret")):read("*a");
|
turncredentials_secret = assert(io.open("/snikket/prosody/turn-auth-secret-v2")):read("*l");
|
||||||
|
|
||||||
VirtualHost (DOMAIN)
|
VirtualHost (DOMAIN)
|
||||||
authentication = "internal_hashed"
|
authentication = "internal_hashed"
|
||||||
|
|
|
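Review bot: `read("*l")` returns nil when the file is empty, so `turncredentials_secret` would quietly end up unset, whereas a missing file already fails loudly through the existing `assert` on `io.open`. Asserting on the read as well keeps the failure explicit at config load: `turncredentials_secret = assert(assert(io.open("/snikket/prosody/turn-auth-secret-v2")):read("*l"), "empty TURN secret");`. How the turncredentials module behaves with an unset secret is not shown on this page, so treat this as a defensive check. The file handle is never closed, which is minor for a single read at start-up.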
@ -47,8 +47,13 @@ install -o letsencrypt -g letsencrypt -m 755 -d /var/www/.well-known/acme-challe
|
||||||
chown -R letsencrypt:letsencrypt /snikket/letsencrypt
|
chown -R letsencrypt:letsencrypt /snikket/letsencrypt
|
||||||
|
|
||||||
## Generate secret for coturn auth if necessary
|
## Generate secret for coturn auth if necessary
|
||||||
if ! test -f /snikket/prosody/turn-auth-secret; then
|
if ! test -f /snikket/prosody/turn-auth-secret-v2; then
|
||||||
head -c 32 /dev/urandom | sha256sum > /snikket/prosody/turn-auth-secret;
|
tr -dc 'a-z0-9' < /dev/urandom | head -c32 > /snikket/prosody/turn-auth-secret-v2;
|
||||||
|
fi
|
||||||
|
|
||||||
|
# COMPAT w/ alpha.20200513: remove older format
|
||||||
|
if test -f /snikket/prosody/turn-auth-secret; then
|
||||||
|
rm /snikket/prosody/turn-auth-secret;
|
||||||
fi
|
fi
|
||||||
|
|
||||||
exec supervisord -c /etc/supervisor/supervisord.conf
|
exec supervisord -c /etc/supervisor/supervisord.conf
|
||||||
|
|
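Review bot: The new secret file is created by a plain shell redirection, so its mode comes from the process umask and nothing in this hunk restricts who can read it. An explicit `chmod 640 /snikket/prosody/turn-auth-secret-v2` after writing, with a `chown` to the account that has to read it, would pin the permissions; which account that is cannot be seen from this hunk. The guard `test -f` also accepts an empty or truncated file left behind by an interrupted earlier run, so `if ! test -s /snikket/prosody/turn-auth-secret-v2; then` would regenerate in that case. Writing to a temporary name and renaming it into place would remove the partial-write window altogether. The entrypoint script starts above the hunk, so a umask may already be set there.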