---
### This hack is necessary because of https://github.com/kubernetes/kubernetes/issues/56374 and https://github.com/moby/moby/issues/8460.
### AFAIK there are two possible workarounds at the moment:
## - Setting sysctl net.ipv4.ip_unprivileged_port_start=0.
##   This does not work because kubelet would not allow this for containers using host networking
##   (and actually this would be a bad idea anyway).
## - Adding the CAP_NET_BIND_SERVICE capability to the turnserver binary file inside the container.
##   This is what we are doing here - at least until the upstream container includes this:
##   https://github.com/instrumentisto/coturn-docker-image/issues/40
##   Note that a file capability only takes effect if the container keeps CAP_NET_BIND_SERVICE in its
##   bounding set (no --cap-drop that removes it) and does not run with no_new_privs
##   (--security-opt no-new-privileges), which makes execve ignore file capabilities.

- name: create build directory for custom image
  file:
    path: "{{ coturn_base_path }}/{{ coturn_realm }}/build"
    state: directory

- name: generate Dockerfile for custom image
  copy:
    content: |
      FROM instrumentisto/coturn:{{ coturn_version }}
      RUN apk --no-cache add libcap && setcap CAP_NET_BIND_SERVICE=+ep /usr/bin/turnserver
    dest: "{{ coturn_base_path }}/{{ coturn_realm }}/build/Dockerfile"
  register: coturn_custom_image_docker

- name: build custom image
  docker_image:
    name: "instrumentisto/coturn/{{ coturn_realm }}:{{ coturn_version }}"
    state: present
    force_source: "{{ coturn_custom_image_docker is changed }}"
    source: build
    build:
      path: "{{ coturn_base_path }}/{{ coturn_realm }}/build"
      network: host
      pull: yes
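# Added example, not part of this playbook or of the coturn image: a check for what
# `setcap CAP_NET_BIND_SERVICE=+ep /usr/bin/turnserver` actually writes. setcap stores a
# `security.capability` xattr on the file (struct vfs_cap_data from the kernel's
# linux/capability.h); decoding it shows whether an exec of the binary will start with
# the capability effective, which is the property the image build above relies on.
# The function and sample names below are this example's own; the sample bytes are
# constructed, not captured from a real image.

```python
"""Decode the Linux `security.capability` xattr that `setcap` writes.

Layout (include/uapi/linux/capability.h, struct vfs_cap_data / vfs_ns_cap_data):
  u32 magic_etc   revision in the top byte, VFS_CAP_FLAGS_EFFECTIVE in bit 0
  u32 permitted[0], u32 inheritable[0]   capabilities 0..31
  u32 permitted[1], u32 inheritable[1]   capabilities 32..63
  u32 rootid      revision 3 only (user-namespace root that owns the caps)
All fields are little-endian.
"""
import os
import struct

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001

CAP_NET_BIND_SERVICE = 10  # capability number from linux/capability.h


def decode_vfs_cap(blob: bytes) -> dict:
    """Parse a raw security.capability value into sets of capability numbers."""
    if len(blob) < 4:
        raise ValueError("xattr too short")
    magic_etc = struct.unpack_from("<I", blob, 0)[0]
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision == VFS_CAP_REVISION_2:
        expected = 4 + 4 * 4
    elif revision == VFS_CAP_REVISION_3:
        expected = 4 + 4 * 4 + 4
    else:
        raise ValueError(f"unsupported vfs_cap revision 0x{revision:08x}")
    if len(blob) != expected:
        raise ValueError(f"expected {expected} bytes, got {len(blob)}")
    p0, i0, p1, i1 = struct.unpack_from("<IIII", blob, 4)
    permitted = p0 | (p1 << 32)
    inheritable = i0 | (i1 << 32)
    rootid = struct.unpack_from("<I", blob, 20)[0] if revision == VFS_CAP_REVISION_3 else 0
    return {
        "revision": revision >> 24,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": {c for c in range(64) if (permitted >> c) & 1},
        "inheritable": {c for c in range(64) if (inheritable >> c) & 1},
        "rootid": rootid,
    }


def grants_effective_cap(blob: bytes, cap: int = CAP_NET_BIND_SERVICE) -> bool:
    """True if exec of the file starts with `cap` in the process's effective set.

    That needs the cap in the file's permitted set AND the effective flag, which is
    what `setcap ...=+ep` sets. A bare `+p` is not enough for turnserver: the process
    would have to raise the capability itself with capset(), which it does not do.
    """
    caps = decode_vfs_cap(blob)
    return caps["effective"] and cap in caps["permitted"]


def check_path(path: str, cap: int = CAP_NET_BIND_SERVICE) -> bool:
    """Read the xattr from a real file (Linux only), e.g. run inside the built image
    or against an unpacked layer. A missing xattr means no file capabilities."""
    if not hasattr(os, "getxattr"):
        raise OSError("extended attributes are only readable on Linux")
    try:
        blob = os.getxattr(path, "security.capability")
    except OSError:
        return False
    return grants_effective_cap(blob, cap)


# Constructed sample: what the kernel stores after `setcap CAP_NET_BIND_SERVICE=+ep`
# (revision 2, effective flag set, bit 10 in permitted word 0, nothing inheritable).
SAMPLE_NET_BIND_EP = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                                 1 << CAP_NET_BIND_SERVICE, 0, 0, 0)
# Constructed sample: the same capability granted with `+p` only (no effective flag).
SAMPLE_NET_BIND_P_ONLY = struct.pack("<IIIII", VFS_CAP_REVISION_2,
                                     1 << CAP_NET_BIND_SERVICE, 0, 0, 0)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], "grants CAP_NET_BIND_SERVICE:", check_path(sys.argv[1]))
    else:
        print("sample +ep:", grants_effective_cap(SAMPLE_NET_BIND_EP))
        print("sample +p :", grants_effective_cap(SAMPLE_NET_BIND_P_ONLY))
```

# Usage against the built image, assuming the tag from the task above and that a python3
# is available in the image (it is not in the upstream Alpine image, so in practice run the
# script on the host against an exported layer, or run `getcap /usr/bin/turnserver` in the
# container and expect `cap_net_bind_service=ep`). Either way, the check worth automating is
# the `+ep` combination, not merely that some xattr is present.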