From 03e231af19308346507ed83db310bfd78512ca00 Mon Sep 17 00:00:00 2001
From: Mathieu Gauthier-Pilote
Date: Fri, 18 Aug 2023 10:06:18 -0400
Subject: [PATCH] coturn
---
 webapps/jitsimeet/tasks/main.yml | 23 ++++++++--
 .../certbot/coturn-certbot-deploy.sh.j2 | 30 ++++++++++++
 .../templates/coturn/turnserver.conf.j2 | 46 +++++++++++++++++++
 webapps/jitsimeet/templates/meet/config.js.j2 | 4 +-
 .../templates/{ => nginx}/vhost.conf.j2 | 0
 .../sip-communicator.properties.j2 | 2 +-
 6 files changed, 98 insertions(+), 7 deletions(-)
 create mode 100644 webapps/jitsimeet/templates/certbot/coturn-certbot-deploy.sh.j2
 create mode 100644 webapps/jitsimeet/templates/coturn/turnserver.conf.j2
 rename webapps/jitsimeet/templates/{ => nginx}/vhost.conf.j2 (100%)
diff --git a/webapps/jitsimeet/tasks/main.yml b/webapps/jitsimeet/tasks/main.yml
index f2fc0924..529d640c 100644
--- a/webapps/jitsimeet/tasks/main.yml
+++ b/webapps/jitsimeet/tasks/main.yml
@@ -66,7 +66,20 @@
  ansible.builtin.apt:
  name: jitsi-meet
  state: present
- install_recommends: no
+ install_recommends: yes
+
+ - name: Add certs dir for coturn/letsencrypt if needed
+ file:
+ path: "{{ item }}"
+ state: directory
+ mode: '700'
+ owner: 'turnserver'
+ group: 'turnserver'
+ loop:
+ - /etc/coturn
+ - /etc/coturn/certs
+ - /etc/letsencrypt/renewal-hooks
+ - /etc/letsencrypt/renewal-hooks/deploy
  - name: Template config files
  template:
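Review bot: The new `Add certs dir for coturn/letsencrypt if needed` task makes `turnserver` the owner of `/etc/letsencrypt/renewal-hooks` and `/etc/letsencrypt/renewal-hooks/deploy`, so the unprivileged coturn service account controls the directory whose scripts certbot executes as root on every renewal; a compromise of coturn then turns into root via a dropped or replaced hook, and the root-owned `0700` deploy script installed later in this patch does not help, because the directory owner can unlink and recreate that entry. Only `/etc/coturn` and `/etc/coturn/certs` need to belong to `turnserver`; split the loop into two tasks and create the two letsencrypt directories with `owner: 'root'`, `group: 'root'`, `mode: '755'` (root ownership is what certbot itself uses for that tree, as far as I recall). The flip of `install_recommends: no` to `yes` for `jitsi-meet` also widens what gets installed; if the intent is to pull in the turnserver package via Recommends, listing it explicitly under `name:` documents that and avoids the other recommended packages.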
@@ -80,6 +93,8 @@
  - { src: 'videobridge/sip-communicator.properties.j2', dest: "/etc/jitsi/videobridge/sip-communicator.properties", owner: "jvb", group: "jitsi", mode: "0640" }
  - { src: 'meet/config.js.j2', dest: "/etc/jitsi/meet/{{ domains | first }}-config.js", owner: "root", group: "root", mode: "0644" }
  - { src: 'prosody/virtualhost.cfg.lua.j2', dest: "/etc/prosody/conf.avail/{{ domains | first }}.cfg.lua", owner: "root", group: "root", mode: "0644" }
+ - { src: 'coturn/turnserver.conf.j2', dest: "/etc/turnserver.conf", owner: "root", group: "turnserver", mode: "0640" }
+ - { src: 'certbot/coturn-certbot-deploy.sh.j2', dest: "/etc/letsencrypt/renewal-hooks/deploy/coturn-certbot-deploy.sh", owner: "root", group: "turnserver", mode: "0700" }
  - name: Add bloc to jicofo.conf to disable sctp
  ansible.builtin.blockinfile:
@@ -121,9 +136,9 @@
  block:
  - name: Template vhost without SSL for successfull LE challengce
  template:
- src: "vhost.conf.j2"
+ src: "nginx/vhost.conf.j2"
  dest: "/etc/nginx/sites-available/{{ domains |first }}.conf"
- - name: Enable temporary nginx vhost for peertube
+ - name: Enable temporary nginx vhost
  file:
  src: "/etc/nginx/sites-available/{{ domains |first }}.conf"
  dest: "/etc/nginx/sites-enabled/{{ domains |first }}.conf"
@@ -148,7 +163,7 @@
  - name: (Re)template conf file for nginx vhost with SSL
  template:
- src: "vhost.conf.j2"
+ src: "nginx/vhost.conf.j2"
  dest: "/etc/nginx/sites-available/{{ domains |first }}.conf"
  - name: Enable nginx vhost
diff --git a/webapps/jitsimeet/templates/certbot/coturn-certbot-deploy.sh.j2 b/webapps/jitsimeet/templates/certbot/coturn-certbot-deploy.sh.j2
new file mode 100644
index 00000000..de032ab5
--- /dev/null
+++ b/webapps/jitsimeet/templates/certbot/coturn-certbot-deploy.sh.j2
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+# https://serverfault.com/questions/849683/how-to-setup-coturn-with-letsencrypt
+
+set -e
+
+for domain in $RENEWED_DOMAINS; do
+ case $domain in
+ {{ domains | first }})
+ daemon_cert_root=/etc/coturn/certs
+
+ # Make sure the certificate and private key files are
+ # never world readable, even just for an instant while
+ # we're copying them into daemon_cert_root.
+ umask 077
+
+ cp "$RENEWED_LINEAGE/fullchain.pem" "$daemon_cert_root/$domain.crt"
+ cp "$RENEWED_LINEAGE/privkey.pem" "$daemon_cert_root/$domain.key"
+
+ # Apply the proper file ownership and permissions for
+ # the daemon to read its certificate and key.
+ chown turnserver "$daemon_cert_root/$domain.crt" \
+ "$daemon_cert_root/$domain.key"
+ chmod 400 "$daemon_cert_root/$domain.crt" \
+ "$daemon_cert_root/$domain.key"
+
+ service coturn restart >/dev/null
+ ;;
+ esac
+done
diff --git a/webapps/jitsimeet/templates/coturn/turnserver.conf.j2 b/webapps/jitsimeet/templates/coturn/turnserver.conf.j2
new file mode 100644
index 00000000..1bf95f1d
--- /dev/null
+++ b/webapps/jitsimeet/templates/coturn/turnserver.conf.j2
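Review bot: The hook copies the renewed certificate to `/etc/coturn/certs/$domain.crt` and `.key`, but the `turnserver.conf.j2` added in the next file of this patch points `cert=` and `pkey=` at `/etc/letsencrypt/live/...`, so the copied files are never read and coturn, which runs as `turnserver`, is left depending on paths that are normally root-only under `/etc/letsencrypt`. Either point the config at the copied files, `cert=/etc/coturn/certs/{{ domains | first }}.crt` and `pkey=/etc/coturn/certs/{{ domains | first }}.key`, or drop this hook; the same applies to the turnserver.conf hunk, so I am raising it only here. As far as I recall certbot runs the scripts in `renewal-hooks/deploy` only from `certbot renew`, so the first copy also has to be triggered once from the playbook (for example by invoking the script with `RENEWED_DOMAINS` and `RENEWED_LINEAGE` set after issuance), otherwise coturn has no certificate until the first renewal.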
@@ -0,0 +1,46 @@
+# jitsi-meet coturn config. Do not modify this line
+use-auth-secret
+keep-address-family
+static-auth-secret={{ jitsi_meet_turn_secret }}
+realm={{ domains | first }}
+cert=/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem
+pkey=/etc/letsencrypt/live/{{ domains | first }}/privkey.pem
+no-multicast-peers
+no-cli
+no-loopback-peers
+no-tcp-relay
+no-tcp
+listening-port=3478
+tls-listening-port=5349
+no-tlsv1
+no-tlsv1_1
+# https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
+cipher-list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+# without it there are errors when running on Ubuntu 20.04
+dh2066
+# jitsi-meet coturn relay disable config. Do not modify this line
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
+denied-peer-ip=::1
+denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+syslog
+
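Review bot: `denied-peer-ip=127.0.0.0-127.255.255.255` is listed twice in the relay deny list, once after the `100.64.0.0` range and again after `169.254.0.0`; drop the second copy so the list stays readable and diffable against upstream. The deny list is the right mitigation against relaying into the host's own networks, but it covers only reserved and private ranges; the server's own public address is not in it, so a relay allocation can still reach other UDP services bound on this host's public IP. Adding a line such as `denied-peer-ip={{ ansible_default_ipv4.address }}` (or whichever fact the role uses for the public address) would close that, if the host has a single public interface. The comment `# without it there are errors when running on Ubuntu 20.04` above `dh2066` would be more useful if it named the error it works around.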
diff --git a/webapps/jitsimeet/templates/meet/config.js.j2 b/webapps/jitsimeet/templates/meet/config.js.j2
index ee762f64..6fa9886a 100644
--- a/webapps/jitsimeet/templates/meet/config.js.j2
+++ b/webapps/jitsimeet/templates/meet/config.js.j2
@@ -946,8 +946,8 @@ var config = {
  // The STUN servers that will be used in the peer to peer connections
  stunServers: [
- // { urls: 'stun:{{ domains | first }}:3478' },
- { urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' },
+ { urls: 'stun:{{ domains | first }}:3478' },
+ //{ urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' },
  ],
  },
diff --git a/webapps/jitsimeet/templates/vhost.conf.j2 b/webapps/jitsimeet/templates/nginx/vhost.conf.j2
similarity index 100%
rename from webapps/jitsimeet/templates/vhost.conf.j2
rename to webapps/jitsimeet/templates/nginx/vhost.conf.j2
diff --git a/webapps/jitsimeet/templates/videobridge/sip-communicator.properties.j2 b/webapps/jitsimeet/templates/videobridge/sip-communicator.properties.j2
index 617622e8..f8fca054 100644
--- a/webapps/jitsimeet/templates/videobridge/sip-communicator.properties.j2
+++ b/webapps/jitsimeet/templates/videobridge/sip-communicator.properties.j2
@@ -1,5 +1,5 @@
 org.ice4j.ice.harvest.DISABLE_AWS_HARVESTER=true
-org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=meet-jit-si-turnrelay.jitsi.net:443
+org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES={{ domains | first }}:3478
 org.jitsi.videobridge.ENABLE_STATISTICS=true
 org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
 org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=localhost
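Review bot: The new side of the `stunServers` hunk keeps `//{ urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' },` as commented-out code, swapping which of the two entries is commented; git history already records the old value, so delete the line instead of leaving a toggle comment in the template. With a single entry, peer-to-peer candidate gathering now depends on udp/3478 on `{{ domains | first }}` being reachable from the clients' networks; no firewall task is visible in this patch, so if one exists elsewhere in the role a short comment on the entry, e.g. `// requires udp/3478 open to clients on the coturn host`, would tie the two together.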
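Review bot: `STUN_MAPPING_HARVESTER_ADDRESSES={{ domains | first }}:3478` points the bridge's mapping harvester at the coturn instance this patch installs, which appears to be the same host as the bridge. If that host sits behind NAT, a STUN binding request to itself answers with the local address, the harvester finds no local/public address pair, and the bridge stops advertising its public IP to remote participants, which the previous external server did not suffer from; on a host with a public interface the change is fine. I believe the property accepts a comma-separated list, so keeping an external STUN server alongside the local one, or setting `org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS` and `org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS` explicitly for NATed deployments, would make this robust. A comment above the line stating that assumption would help the next person who deploys behind NAT.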