From edf5603dfadb9aded010412ca1751e1e61cfe642 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Thu, 26 Mar 2020 03:07:10 +0100
Subject: coturn mostly done

---
 roles/apps/coturn/defaults/main.yml | 2 ++
 roles/apps/coturn/tasks/main.yml | 31 +++++++++++++++++++++++
 roles/apps/coturn/templates/acmetool-reload.sh.j2 | 26 +++++++++++++++++++
 roles/apps/coturn/templates/nginx-vhost.conf.j2 | 27 ++++++++++++++++++++
 roles/apps/coturn/templates/turnserver.conf.j2 | 16 +++++-------
 5 files changed, 93 insertions(+), 9 deletions(-)
 create mode 100644 roles/apps/coturn/templates/acmetool-reload.sh.j2
 create mode 100644 roles/apps/coturn/templates/nginx-vhost.conf.j2
(limited to 'roles')

diff --git a/roles/apps/coturn/defaults/main.yml b/roles/apps/coturn/defaults/main.yml
index cf5558bf..c4de3ec8 100644
--- a/roles/apps/coturn/defaults/main.yml
+++ b/roles/apps/coturn/defaults/main.yml
@@ -14,3 +14,5 @@
 coturn_bps_capacity: 0
 coturn_threads: 0
 # coturn_auth_secret: change-me
+
+coturn_dhparam_size: 2048
diff --git a/roles/apps/coturn/tasks/main.yml b/roles/apps/coturn/tasks/main.yml
index 4631d1b7..29a87d6f 100644
--- a/roles/apps/coturn/tasks/main.yml
+++ b/roles/apps/coturn/tasks/main.yml
@@ -23,6 +23,37 @@
 group: coturn
 mode: 0640
 
+- name: create coturn ssl subdirectory
+ file:
+ path: "{{ coturn_base_path }}/{{ coturn_realm }}/config/ssl"
+ state: directory
+ owner: coturn
+ group: coturn
+ mode: 0700
+
+- name: generate Diffie-Hellman parameters
+ openssl_dhparam:
+ path: "{{ coturn_base_path }}/{{ coturn_realm }}/config/ssl/dhparams.pem"
+ size: "{{ coturn_dhparam_size }}"
+ owner: coturn
+ group: coturn
+
+- name: install acmetool hook script
+ template:
+ src: acmetool-reload.sh.j2
+ dest: "/etc/acme/hooks/coturn-{{ coturn_realm }}"
+ mode: 0755
+
+- name: configure nginx vhost
+ vars:
+ nginx_vhost:
+ name: "coturn-{{ coturn_realm }}"
+ content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}"
+ acme: true
+ hostnames: "{{ coturn_hostnames }}"
+ include_role:
+ name: nginx/vhost
+
 - name: generate pod manifests
 template:
 src: "pod.yml.j2"
diff --git a/roles/apps/coturn/templates/acmetool-reload.sh.j2 b/roles/apps/coturn/templates/acmetool-reload.sh.j2
new file mode 100644
index 00000000..70e0b686
--- /dev/null
+++ b/roles/apps/coturn/templates/acmetool-reload.sh.j2
@@ -0,0 +1,26 @@
+#!/bin/sh
+set -e
+EVENT_NAME="$1"
+[ "$EVENT_NAME" = "live-updated" ] || exit 42
+
+MAIN_HOSTNAME="{{ coturn_hostnames[0] }}"
+SSL_D="{{ coturn_base_path }}/{{ coturn_realm }}/config/ssl"
+USER="coturn"
+GROUP="coturn"
+
+while read name; do
+ certdir="$ACME_STATE_DIR/live/$name"
+ if [ -z "$name" -o ! -e "$certdir" ]; then
+ continue
+ fi
+ if [ "$name" != "$MAIN_HOSTNAME" ]; then
+ continue
+ fi
+
+ cp "$certdir/fullchain" "$SSL_D/cert.pem"
+ cp "$certdir/privkey" "$SSL_D/privkey.pem"
+ chown "$USER:$GROUP" "$SSL_D/cert.pem" "$SSL_D/privkey.pem"
+ break
+
+ ## TODO: trigger restart of coturn!!!
+done
diff --git a/roles/apps/coturn/templates/nginx-vhost.conf.j2 b/roles/apps/coturn/templates/nginx-vhost.conf.j2
new file mode 100644
index 00000000..0639fbe1
--- /dev/null
+++ b/roles/apps/coturn/templates/nginx-vhost.conf.j2
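Review bot: `mode: 0700` on the "create coturn ssl subdirectory" task and `mode: 0755` on the "install acmetool hook script" task are unquoted octal literals; Ansible's YAML 1.1 loader reads them as the integers 448 and 493 and the file module maps those back correctly, but the documented, loader-independent form is the quoted string, `mode: "0700"` and `mode: "0755"` (a YAML 1.2 loader would read 0700 as decimal 700). The context line `mode: 0640` above follows the same unquoted style, so this is a file-wide convention rather than a new bug. The "generate Diffie-Hellman parameters" task sets owner and group but no mode; DH parameters are not secret, so the umask default is acceptable, though an explicit `mode: "0644"` would make that intent visible next to the 0700 directory.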
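Review bot: The copied private key gets no explicit mode in the new hook: `cp` creates `$SSL_D/privkey.pem` with the permission bits inherited from the acmetool state directory (filtered by the umask) or keeps the mode of an earlier copy when the file already exists, and the following `chown` line only fixes ownership. Adding `chmod 0600 "$SSL_D/privkey.pem"` and `chmod 0644 "$SSL_D/cert.pem"` after the chown pins the key's permissions independently of acmetool's layout and of the 0700 parent directory. Two smaller points in the loop: `read name` should be `read -r name` so hostnames are taken literally, and the obsolescent `-o` inside `[ ... ]` is more robust as two tests, `if [ -z "$name" ] || [ ! -e "$certdir" ]; then`. The `## TODO` comment sits after `break`, where it is easy to overlook; the commit already flags that the coturn reload is missing, so until it is added a renewed certificate is only served after the pod is restarted.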
@@ -0,0 +1,27 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name {{ coturn_hostnames | join(' ') }};
+
+ include snippets/acmetool.conf;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {{ coturn_hostnames | join(' ') }};
+
+ include snippets/acmetool.conf;
+ include snippets/tls.conf;
+ ssl_certificate /var/lib/acme/live/{{ coturn_hostnames[0] }}/fullchain;
+ ssl_certificate_key /var/lib/acme/live/{{ coturn_hostnames[0] }}/privkey;
+ include snippets/hsts.conf;
+
+ location / {
+ return 404;
+ }
+}
diff --git a/roles/apps/coturn/templates/turnserver.conf.j2 b/roles/apps/coturn/templates/turnserver.conf.j2
index 9462f148..d61cdad3 100644
--- a/roles/apps/coturn/templates/turnserver.conf.j2
+++ b/roles/apps/coturn/templates/turnserver.conf.j2
@@ -2,16 +2,14 @@
 realm={{ coturn_realm }}
 fingerprint
 listening-port=3478
-# tls-listening-port=5349
+tls-listening-port=5349
 
-# cert=/etc/coturn/ssl/cert.pem
-# pkey=/etc/coturn/ssl/privkey.pem
-# dh-file=/etc/coturn/ssl/dhparam.pem
-# cipher-list="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES128:!RSA:!ADH:!AECDH:!MD5"
-# no-tlsv1
-# no-tlsv1_1
-no-tls
-no-dtls
+cert=/etc/coturn/ssl/cert.pem
+pkey=/etc/coturn/ssl/privkey.pem
+dh-file=/etc/coturn/ssl/dhparams.pem
+cipher-list="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES128:!RSA:!ADH:!AECDH:!MD5"
+no-tlsv1
+no-tlsv1_1
 
 use-auth-secret
 static-auth-secret={{ coturn_auth_secret }}
-- 
cgit v1.2.3
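Review bot: The HTTPS server block in the new vhost serves nothing but `return 404;` and loads the certificate of `coturn_hostnames[0]` while `server_name` lists every entry of `coturn_hostnames`; this presumably works because acmetool names its live directory after the first hostname of a multi-name certificate, but the template should state that purpose, e.g. `# Exists only to obtain/renew the ACME certificate for the TURN hostnames; TURN itself listens on 3478/5349, not on this vhost.` above the first `server {`. The `snippets/acmetool.conf`, `snippets/tls.conf` and `snippets/hsts.conf` includes live outside this commit, so the effective TLS settings cannot be checked here. `listen 443 ssl http2;` is the pre-1.25.1 syntax; nginx 1.25.1 and later deprecate `http2` on `listen` in favour of a separate `http2 on;` directive, which is worth a comment if the target nginx version is not pinned by the role.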
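Review bot: With `no-tls`/`no-dtls` removed and `cert=`, `pkey=` and `dh-file=` now active, coturn expects `/etc/coturn/ssl/cert.pem` and `/etc/coturn/ssl/privkey.pem` at start-up, but those files are only written by the acmetool hook on a `live-updated` event; on a host where the certificate was issued before this role ran, or where the pod starts before the first issuance, the TLS and DTLS listeners on 5349 have nothing to serve. A comment in the template would make that dependency explicit, e.g. `# cert.pem/privkey.pem are copied in by /etc/acme/hooks/coturn-{{ coturn_realm }}, dhparams.pem by the openssl_dhparam task; /etc/coturn/ssl is expected to be the realm's config/ssl directory mounted into the pod.` — the mount itself is not part of this commit, so that last part is inferred from the paths. The `dh-file` name changed from the old commented `dhparam.pem` to `dhparams.pem`, which matches the file the `openssl_dhparam` task in this commit generates.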