authorChristian Pointner <equinox@spreadspace.org>2020-03-26 01:38:00 +0100
committerChristian Pointner <equinox@spreadspace.org>2020-03-26 01:38:00 +0100
commitc12adbfa7382a1ef30bbb23d2b8911b09fe5edd5 (patch)
tree18da68a0028310ec4b503cc4ff69b187c8efd3bc /roles
parentmove some roles to app/ (diff)
add app coturn (WIP)
Diffstat (limited to 'roles')
-rw-r--r--roles/apps/coturn/defaults/main.yml16
-rw-r--r--roles/apps/coturn/tasks/main.yml30
-rw-r--r--roles/apps/coturn/templates/pod.yml.j237
-rw-r--r--roles/apps/coturn/templates/turnserver.conf.j227
4 files changed, 110 insertions, 0 deletions
diff --git a/roles/apps/coturn/defaults/main.yml b/roles/apps/coturn/defaults/main.yml
new file mode 100644
index 00000000..cf5558bf
--- /dev/null
+++ b/roles/apps/coturn/defaults/main.yml
@@ -0,0 +1,16 @@
+---
+coturn_uid: 930
+coturn_gid: 930
+coturn_base_path: /srv/storage/coturn
+
+coturn_version: 4.5.1.1
+coturn_realm: example.com
+coturn_hostnames:
+ - stun.example.com
+ - turn.example.com
+
+coturn_max_bps: 0
+coturn_bps_capacity: 0
+coturn_threads: 0
+
+# coturn_auth_secret: change-me
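Review bot: `coturn_auth_secret` is consumed by templates/turnserver.conf.j2 (`static-auth-secret=`) but the only trace of it in the defaults is the commented-out placeholder on the last line, so nothing tells a reader that the variable is mandatory or where it is supposed to come from. Suggest widening that comment, e.g. `# coturn_auth_secret: change-me  # required, no default on purpose: set it per host in inventory (vault); rendering turnserver.conf fails if it is undefined`. Keeping it out of the role defaults is the right call, the comment just needs to say so.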
diff --git a/roles/apps/coturn/tasks/main.yml b/roles/apps/coturn/tasks/main.yml
new file mode 100644
index 00000000..4631d1b7
--- /dev/null
+++ b/roles/apps/coturn/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+- name: add group for coturn
+ group:
+ name: coturn
+ gid: "{{ coturn_gid }}"
+
+- name: add user for coturn
+ user:
+ name: coturn
+ uid: "{{ coturn_uid }}"
+ group: coturn
+ password: "!"
+
+- name: create coturn config subdirectory
+ file:
+ path: "{{ coturn_base_path }}/{{ coturn_realm }}/config"
+ state: directory
+
+- name: create coturn config
+ template:
+ src: turnserver.conf.j2
+ dest: "{{ coturn_base_path }}/{{ coturn_realm }}/config/turnserver.conf"
+ group: coturn
+ mode: 0640
+
+- name: generate pod manifests
+ template:
+ src: "pod.yml.j2"
+ dest: "/etc/kubernetes/manifests/coturn-{{ coturn_realm }}.yml"
+ mode: 0600
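Review bot: The "create coturn config subdirectory" task sets neither group nor mode, so the directory that holds turnserver.conf (and with it the static auth secret) is created with umask-derived permissions, while the file below it is deliberately restricted to `group: coturn` / `0640`; the directory should get the same treatment, `group: coturn` and `mode: "0750"`, so the restriction is not undone one level up. While there, the octal modes in the two template tasks should be quoted strings (`mode: "0640"`, `mode: "0600"`): an unquoted `0640` is octal only under YAML 1.1, a YAML 1.2 parser reads it as decimal 640, and ansible-lint flags the unquoted form.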
diff --git a/roles/apps/coturn/templates/pod.yml.j2 b/roles/apps/coturn/templates/pod.yml.j2
new file mode 100644
index 00000000..7c127c13
--- /dev/null
+++ b/roles/apps/coturn/templates/pod.yml.j2
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "coturn-{{ coturn_realm }}"
+spec:
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsUser: {{ coturn_uid }}
+ runAsGroup: {{ coturn_gid }}
+ hostNetwork: true
+ containers:
+ - name: coturn
+ image: "instrumentisto/coturn:{{ coturn_version }}"
+ args:
+ - --log-file=stdout
+ resources:
+ limits:
+ memory: "1Gi"
+ volumeMounts:
+ - name: config
+ mountPath: /etc/coturn/
+ readOnly: true
+ - name: run
+ mountPath: /var/run
+ - name: lib
+ mountPath: /var/lib/coturn
+ volumes:
+ - name: config
+ hostPath:
+ path: "{{ coturn_base_path }}/{{ coturn_realm }}/config/"
+ type: Directory
+ - name: run
+ emptyDir:
+ medium: Memory
+ - name: lib
+ emptyDir:
+ medium: Memory
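Review bot: `allowPrivilegeEscalation` is a container-level securityContext field, not a PodSecurityContext field, so under `spec.securityContext` it is either rejected or silently dropped and the container keeps the default, which allows escalation. Move it into the container, `securityContext:` / `  allowPrivilegeEscalation: false` under `containers[0]`, keeping `runAsUser`/`runAsGroup` at the pod level where they are valid. Since the pod runs with `hostNetwork: true` (presumably for the relay port range) and the image is pinned only by tag, the container-level context is the main hardening this manifest has, so it is worth getting this field into the place where the kubelet honours it.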
diff --git a/roles/apps/coturn/templates/turnserver.conf.j2 b/roles/apps/coturn/templates/turnserver.conf.j2
new file mode 100644
index 00000000..9462f148
--- /dev/null
+++ b/roles/apps/coturn/templates/turnserver.conf.j2
@@ -0,0 +1,27 @@
+realm={{ coturn_realm }}
+fingerprint
+
+listening-port=3478
+# tls-listening-port=5349
+
+# cert=/etc/coturn/ssl/cert.pem
+# pkey=/etc/coturn/ssl/privkey.pem
+# dh-file=/etc/coturn/ssl/dhparam.pem
+# cipher-list="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES128:!RSA:!ADH:!AECDH:!MD5"
+# no-tlsv1
+# no-tlsv1_1
+no-tls
+no-dtls
+
+use-auth-secret
+static-auth-secret={{ coturn_auth_secret }}
+stale-nonce=600
+
+max-bps={{ coturn_max_bps }}
+bps-capacity={{ coturn_bps_capacity }}
+relay-threads={{ coturn_threads }}
+
+no-multicast-peers
+denied-peer-ip={{ kubernetes_standalone_pod_cidr | ipaddr('network') }}-{{ kubernetes_standalone_pod_cidr | ipaddr('broadcast') }}
+
+no-cli
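Review bot: The single `denied-peer-ip` line only blocks the pod CIDR, yet the pod runs on the host network, so a TURN client that knows the shared secret can still have the relay reach loopback and every other network the host can route to; coturn's sample configuration recommends denying those explicitly. At minimum add `denied-peer-ip=127.0.0.0-127.255.255.255`, and then whichever internal ranges this host is attached to (I cannot tell from the role which those are, so that part belongs in inventory variables rather than the template). Separately, `kubernetes_standalone_pod_cidr` is not among this role's defaults, so the template appears to depend on a variable defined by another role; a comment naming that dependency, or a default in defaults/main.yml, would make the coupling visible.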