authorChristian Pointner <equinox@spreadspace.org>2021-03-21 02:26:21 +0100
committerChristian Pointner <equinox@spreadspace.org>2021-03-21 02:26:21 +0100
commit46591f2232e69739da5ab120fe819e2305c53ab0 (patch)
treeee2ab2fcfcbcc5f3a43ad64c3d4d459483f4dfdf
parentinstall zstd to core/base (diff)
add coturn server for glt
-rw-r--r--inventory/group_vars/glt-live/vars.yml16
-rw-r--r--inventory/host_vars/glt-coturn.yml29
-rw-r--r--inventory/hosts.ini10
-rw-r--r--roles/apps/collabora/code/tasks/custom-image.yml4
-rw-r--r--roles/apps/coturn/defaults/main.yml5
-rw-r--r--roles/apps/coturn/tasks/main.yml13
-rw-r--r--roles/apps/coturn/tasks/privileged-ports-hack.yml31
-rw-r--r--roles/apps/coturn/templates/pod-spec.yml.j211
-rw-r--r--roles/apps/coturn/templates/turnserver.conf.j24
-rw-r--r--spreadspace/glt-coturn.yml14
-rw-r--r--spreadspace/group_vars/glt-live.yml10
-rw-r--r--spreadspace/host_vars/glt-coturn.yml10
12 files changed, 153 insertions, 4 deletions
diff --git a/inventory/group_vars/glt-live/vars.yml b/inventory/group_vars/glt-live/vars.yml
new file mode 100644
index 00000000..42f824c8
--- /dev/null
+++ b/inventory/group_vars/glt-live/vars.yml
@@ -0,0 +1,16 @@
+---
+zsh_banner: spreadspace
+
+acmetool_account_email: equinox@spreadspace.org
+acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+
+install:
+ cloud:
+ credentials:
+ token: "{{ vault_hcloud_api_token }}"
+
+network: {}
+
+apt_repo_blackmagic_auth:
+ username: "spreadspace"
+ password: "{{ vault_apt_repo_blackmagic_auth.password }}"
diff --git a/inventory/host_vars/glt-coturn.yml b/inventory/host_vars/glt-coturn.yml
new file mode 100644
index 00000000..5511d75a
--- /dev/null
+++ b/inventory/host_vars/glt-coturn.yml
@@ -0,0 +1,29 @@
+---
+docker_lvm:
+ vg: "{{ host_name }}"
+ lv: docker
+ size: 5G
+ fs: ext4
+
+kubelet_lvm:
+ vg: "{{ host_name }}"
+ lv: kubelet
+ size: 5G
+ fs: ext4
+
+kubernetes_version: 1.20.5
+kubernetes_container_runtime: docker
+kubernetes_standalone_max_pods: 100
+kubernetes_standalone_pod_cidr: 192.168.255.0/24
+kubernetes_standalone_cni_variant: with-portmap
+
+
+coturn_version: 4.5.2
+coturn_realm: linuxtage.at
+coturn_hostnames:
+ - cdn13.linuxtage.at
+
+coturn_auth_secret: "{{ vault_coturn_auth_secret }}"
+coturn_listening_port: 3478
+coturn_tls_listening_port: 443
+coturn_install_nginx_vhost: no
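Review bot: `coturn_install_nginx_vhost: no` on the last line spells the boolean the YAML 1.1 way; Ansible's loader accepts it, but yamllint's truthy rule flags it and a YAML 1.2 parser reads `no` as the string "no", so write `coturn_install_nginx_vhost: false`. The same spelling is used for `coturn_install_nginx_vhost: yes` in roles/apps/coturn/defaults/main.yml and `pull: yes` in roles/apps/coturn/tasks/privileged-ports-hack.yml; `true`/`false` throughout keeps the three files consistent with `hostNetwork: true` in the pod spec.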
diff --git a/inventory/hosts.ini b/inventory/hosts.ini
index 1e052e8f..06c4fc47 100644
--- a/inventory/hosts.ini
+++ b/inventory/hosts.ini
@@ -132,6 +132,14 @@ lw-live-02 host_name=cdn-02
lw-live-03 host_name=cdn-03
+[glt-live:vars]
+host_domain=linuxtage.at
+env_group=spreadspace
+
+[glt-live]
+glt-coturn host_name=cdn13
+
+
###############################
# environment: dan
@@ -351,6 +359,7 @@ sk-tomnext
[hcloud]
ch-mimas2
ele-lt
+glt-coturn
[hcloud:children]
emc-dist
@@ -408,6 +417,7 @@ lw-thetys
s2-thetys
sk-tomnext-nc
ch-thetys
+glt-coturn
[kubernetes:children]
kubernetes-cluster
diff --git a/roles/apps/collabora/code/tasks/custom-image.yml b/roles/apps/collabora/code/tasks/custom-image.yml
index 38c453fa..84f6b1ae 100644
--- a/roles/apps/collabora/code/tasks/custom-image.yml
+++ b/roles/apps/collabora/code/tasks/custom-image.yml
@@ -10,13 +10,13 @@
FROM {{ item.value.custom_image.from | default('collabora/code:' + item.value.version) }}
{{ item.value.custom_image.dockerfile }}
dest: "{{ collabora_code_base_path }}/{{ item.key }}/build/Dockerfile"
- register: nextcloud_custom_image_docker
+ register: collabora_code_custom_image_docker
- name: build custom image
docker_image:
name: "collabora/code/{{ item.key }}:{{ item.value.version }}"
state: present
- force_source: "{{ nextcloud_custom_image_docker is changed }}"
+ force_source: "{{ collabora_code_custom_image_docker is changed }}"
source: build
build:
path: "{{ collabora_code_base_path }}/{{ item.key }}/build"
diff --git a/roles/apps/coturn/defaults/main.yml b/roles/apps/coturn/defaults/main.yml
index a7a461bb..34629dbd 100644
--- a/roles/apps/coturn/defaults/main.yml
+++ b/roles/apps/coturn/defaults/main.yml
@@ -16,3 +16,8 @@ coturn_threads: 0
# coturn_auth_secret: change-me
coturn_dhparam_size: 2048
+
+coturn_listening_port: 3478
+coturn_tls_listening_port: 5349
+
+coturn_install_nginx_vhost: yes
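Review bot: The new `coturn_listening_port` / `coturn_tls_listening_port` defaults give no hint that a value below 1024 changes what the role deploys (tasks/main.yml then imports privileged-ports-hack.yml and the pod spec switches to the locally built image), and this defaults file is where a consumer of the role would look for that. Suggest a comment above the two ports, `# values below 1024 make the role build and run a setcap'd custom image, see tasks/privileged-ports-hack.yml`. `coturn_install_nginx_vhost` likewise deserves one line saying that when false the certificate is obtained directly via the acmetool/cert role instead of through the nginx vhost, mirroring the `# coturn_auth_secret: change-me` style already used above.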
diff --git a/roles/apps/coturn/tasks/main.yml b/roles/apps/coturn/tasks/main.yml
index 176be664..a35734a8 100644
--- a/roles/apps/coturn/tasks/main.yml
+++ b/roles/apps/coturn/tasks/main.yml
@@ -59,6 +59,7 @@
daemon_reload: yes
- name: configure nginx vhost
+ when: coturn_install_nginx_vhost
vars:
nginx_vhost:
name: "coturn-{{ coturn_realm }}"
@@ -68,6 +69,18 @@
include_role:
name: nginx/vhost
+- name: get certificate using acmetool
+ when: not coturn_install_nginx_vhost
+ import_role:
+ name: acmetool/cert
+ vars:
+ acmetool_cert_name: "coturn-{{ coturn_realm }}"
+ acmetool_cert_hostnames: "{{ coturn_hostnames }}"
+
+- name: apply hacky fix to support binding to privileged ports
+ when: (coturn_listening_port < 1024) or (coturn_tls_listening_port < 1024)
+ import_tasks: privileged-ports-hack.yml
+
- name: install pod manifest
vars:
kubernetes_standalone_pod:
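Review bot: The condition `(coturn_listening_port < 1024) or (coturn_tls_listening_port < 1024)` on the "apply hacky fix" task is written out again twice in templates/pod-spec.yml.j2 (once live, once inside the Jinja comment); if one copy drifts the role either builds an image the pod never uses or references an image that was never built, and the latter only shows up as an image-pull failure at runtime. Suggest computing it once, e.g. in defaults `coturn_privileged_ports: "{{ (coturn_listening_port < 1024) or (coturn_tls_listening_port < 1024) }}"`, and using `when: coturn_privileged_ports | bool` here and `{% if coturn_privileged_ports | bool %}` in the template. The "install pod manifest" task that starts on the last line continues outside the hunk, as does the "configure nginx vhost" task in the first hunk.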
diff --git a/roles/apps/coturn/tasks/privileged-ports-hack.yml b/roles/apps/coturn/tasks/privileged-ports-hack.yml
new file mode 100644
index 00000000..bafff0aa
--- /dev/null
+++ b/roles/apps/coturn/tasks/privileged-ports-hack.yml
@@ -0,0 +1,31 @@
+---
+### This hack is necessary becasue: https://github.com/kubernetes/kubernetes/issues/56374 and https://github.com/moby/moby/issues/8460
+### at the moment there are two possible workarounds:
+## - Setting sysctl net.ipv4.ip_unprivileged_port_start=0.
+## This does not work because kubelet would not allow this for containers using host networking (and actually this would be a bad idea anyway).
+## - Adding the CAP_NET_BIND_SERVICE capability on the turnserver binary file inside the container.
+## This what we are doning here.
+
+- name: create build directory for custom image
+ file:
+ path: "{{ coturn_base_path }}/{{ coturn_realm }}/build"
+ state: directory
+
+- name: generate Dockerfile for custom image
+ copy:
+ content: |
+ FROM instrumentisto/coturn:{{ coturn_version }}
+ RUN apk --no-cache add libcap && setcap CAP_NET_BIND_SERVICE=+ep /usr/bin/turnserver
+ dest: "{{ coturn_base_path }}/{{ coturn_realm }}/build/Dockerfile"
+ register: coturn_custom_image_docker
+
+- name: build custom image
+ docker_image:
+ name: "instrumentisto/coturn/{{ coturn_realm }}:{{ coturn_version }}"
+ state: present
+ force_source: "{{ coturn_custom_image_docker is changed }}"
+ source: build
+ build:
+ path: "{{ coturn_base_path }}/{{ coturn_realm }}/build"
+ network: host
+ pull: yes
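Review bot: `setcap CAP_NET_BIND_SERVICE=+ep /usr/bin/turnserver` in the generated Dockerfile depends on file capabilities being honoured at execve, but the pod spec in templates/pod-spec.yml.j2 keeps `allowPrivilegeEscalation: false`, which Kubernetes implements by setting no_new_privs on the container process, and the kernel documents that set-id bits and file capabilities are ignored under no_new_privs — so it looks like this hack may not take effect as written; worth confirming on the deployed host that turnserver actually binds the low port, and recording in the header comment why it works if it does. Separately, `force_source` only triggers a rebuild when the Dockerfile content changes, so the `FROM instrumentisto/coturn:{{ coturn_version }}` line resolves to whatever that tag points at on the day of the build; pinning the base image by digest (`image@sha256:<DIGEST-PLACEHOLDER>`) would make the derived image reproducible. The header comment also has typos (`becasue`, `doning`, `This what we are doning here`).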
diff --git a/roles/apps/coturn/templates/pod-spec.yml.j2 b/roles/apps/coturn/templates/pod-spec.yml.j2
index d157af37..a0842784 100644
--- a/roles/apps/coturn/templates/pod-spec.yml.j2
+++ b/roles/apps/coturn/templates/pod-spec.yml.j2
@@ -2,10 +2,21 @@ securityContext:
allowPrivilegeEscalation: false
runAsUser: {{ coturn_uid }}
runAsGroup: {{ coturn_gid }}
+{# this does not work: https://github.com/kubernetes/kubernetes/issues/56374, https://github.com/moby/moby/issues/8460
+{% if (coturn_listening_port < 1024) or (coturn_tls_listening_port < 1024) %}
+ capabilities:
+ add: ["NET_BIND_SERVICE"]
+{% endif %}
+#}
+terminationGracePeriodSeconds: 0
hostNetwork: true
containers:
- name: coturn
+{% if (coturn_listening_port < 1024) or (coturn_tls_listening_port < 1024) %}
+ image: "instrumentisto/coturn/{{ coturn_realm }}:{{ coturn_version }}"
+{% else %}
image: "instrumentisto/coturn:{{ coturn_version }}"
+{% endif %}
args:
- --log-file=stdout
resources:
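Review bot: `terminationGracePeriodSeconds: 0` is added without a comment; it means the coturn container is killed immediately on pod deletion or restart, with no chance to close active TURN allocations, and nothing in the commit says whether that is intended (for instance to free the host-network ports quickly so the replacement pod can bind them). If it is deliberate, a one-line comment such as `# kill immediately so the replacement pod can rebind the host ports` would save the next reader from reverting it; if not, the Kubernetes default should stay. The `{# ... #}` block preserving the non-working `capabilities` stanza reads as dead code — a single comment line pointing at the two upstream issues conveys the same information. The enclosing `securityContext` mapping starts before the hunk.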
diff --git a/roles/apps/coturn/templates/turnserver.conf.j2 b/roles/apps/coturn/templates/turnserver.conf.j2
index d61cdad3..9a587951 100644
--- a/roles/apps/coturn/templates/turnserver.conf.j2
+++ b/roles/apps/coturn/templates/turnserver.conf.j2
@@ -1,8 +1,8 @@
realm={{ coturn_realm }}
fingerprint
-listening-port=3478
-tls-listening-port=5349
+listening-port={{ coturn_listening_port }}
+tls-listening-port={{ coturn_tls_listening_port }}
cert=/etc/coturn/ssl/cert.pem
pkey=/etc/coturn/ssl/privkey.pem
diff --git a/spreadspace/glt-coturn.yml b/spreadspace/glt-coturn.yml
new file mode 100644
index 00000000..4cb46213
--- /dev/null
+++ b/spreadspace/glt-coturn.yml
@@ -0,0 +1,14 @@
+---
+- name: Basic Setup
+ hosts: glt-coturn
+ roles:
+ - role: apt-repo/base
+ - role: core/base
+ - role: core/sshd
+ - role: core/zsh
+ - role: core/ntp
+ - role: kubernetes/base
+ - role: kubernetes/standalone/base
+ - role: apt-repo/spreadspace
+ - role: acmetool/base
+ - role: apps/coturn
diff --git a/spreadspace/group_vars/glt-live.yml b/spreadspace/group_vars/glt-live.yml
new file mode 100644
index 00000000..59924bba
--- /dev/null
+++ b/spreadspace/group_vars/glt-live.yml
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.2;AES256;spreadspace
+30363032353531613732386332346431623532356466353765633939656635353835353930376561
+6537383665376330653366313635396134376464383462380a376530623330343934363738316565
+37336134663631303061623438346631306562386564386531623536313063386137326635663637
+3131653239393838390a623838333532663938643361333931343534663331396231393434656363
+66656536653534303835663732346563653662313164323333643939616330653861636439666461
+65326163656439306339383338623337643535653331343737663936666132656233353236343331
+32646132623334343264336131323138383231613831303735633237323463663638343639346638
+39336339326266363133326638646438313665346635663836356334616564643132373633386232
+6431
diff --git a/spreadspace/host_vars/glt-coturn.yml b/spreadspace/host_vars/glt-coturn.yml
new file mode 100644
index 00000000..5a25939b
--- /dev/null
+++ b/spreadspace/host_vars/glt-coturn.yml
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.2;AES256;spreadspace
+66623933363135653535643038353239653765363938623335663961626538313036346263376636
+6634313836393163336339666639663233383564346363630a313136343838393366333765623130
+63613934363564626161653562623833323230393265613234616239333237373837356532363161
+6335306637396339610a363634343637613332393464623339333230666531343837323138393965
+62383266643466643430663030313531313063616666646439616330376537393137663234303761
+66646639643865376233366235383831383165656663666162383663356163363661383865656163
+36643163313634356239643435323137643861666139643834363539656465613539626637336634
+62643866613138613530316635316561616461346666623135313838663138313336323562623266
+62626536333832343931613064363231316637323462303037333234336563313135