coturn

2023-08-18 10:06:18 -04:00 · 2023-08-18 10:06:18 -04:00 · 879d7fc044
parent 0350a97f8c
commit 879d7fc044
6 changed files with 98 additions and 7 deletions
--- a/webapps/jitsimeet/tasks/main.yml
+++ b/webapps/jitsimeet/tasks/main.yml
@ -66,7 +66,20 @@
  ansible.builtin.apt:
    name: jitsi-meet
    state: present
-    install_recommends: no
+    install_recommends: yes
+
+- name: Add certs dir for coturn/letsencrypt if needed
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: '700'
+    owner: 'turnserver'
+    group: 'turnserver'
+  loop: 
+    - /etc/coturn
+    - /etc/coturn/certs
+    - /etc/letsencrypt/renewal-hooks
+    - /etc/letsencrypt/renewal-hooks/deploy

 - name: Template config files
  template:
@ -80,6 +93,8 @@
    - { src: 'videobridge/sip-communicator.properties.j2', dest: "/etc/jitsi/videobridge/sip-communicator.properties", owner: "jvb", group: "jitsi", mode: "0640" }
    - { src: 'meet/config.js.j2', dest: "/etc/jitsi/meet/{{ domains | first }}-config.js", owner: "root", group: "root", mode: "0644" }
    - { src: 'prosody/virtualhost.cfg.lua.j2', dest: "/etc/prosody/conf.avail/{{ domains | first }}.cfg.lua", owner: "root", group: "root", mode: "0644" }
+    - { src: 'coturn/turnserver.conf.j2', dest: "/etc/turnserver.conf", owner: "root", group: "turnserver", mode: "0640" }
+    - { src: 'certbot/coturn-certbot-deploy.sh.j2', dest: "/etc/letsencrypt/renewal-hooks/deploy/coturn-certbot-deploy.sh", owner: "root", group: "turnserver", mode: "0700" }

 - name: Add bloc to jicofo.conf to disable sctp
  ansible.builtin.blockinfile:
@ -121,9 +136,9 @@
  block:
  - name: Template vhost without SSL for successfull LE challengce
    template: 
-      src: "vhost.conf.j2"
+      src: "nginx/vhost.conf.j2"
      dest: "/etc/nginx/sites-available/{{ domains |first }}.conf"
-  - name: Enable temporary nginx vhost for peertube
+  - name: Enable temporary nginx vhost
    file:
      src: "/etc/nginx/sites-available/{{ domains |first }}.conf"
      dest: "/etc/nginx/sites-enabled/{{ domains |first }}.conf"
@ -148,7 +163,7 @@

 - name: (Re)template conf file for nginx vhost with SSL
  template:
-    src: "vhost.conf.j2"
+    src: "nginx/vhost.conf.j2"
    dest: "/etc/nginx/sites-available/{{ domains |first }}.conf"

 - name: Enable nginx vhost
--- a/webapps/jitsimeet/templates/certbot/coturn-certbot-deploy.sh.j2
+++ b/webapps/jitsimeet/templates/certbot/coturn-certbot-deploy.sh.j2
@ -0,0 +1,30 @@
+#!/bin/sh
+
+# https://serverfault.com/questions/849683/how-to-setup-coturn-with-letsencrypt
+
+set -e
+
+for domain in $RENEWED_DOMAINS; do
+        case $domain in
+        {{ domains | first }})
+                daemon_cert_root=/etc/coturn/certs
+
+                # Make sure the certificate and private key files are
+                # never world readable, even just for an instant while
+                # we're copying them into daemon_cert_root.
+                umask 077
+
+                cp "$RENEWED_LINEAGE/fullchain.pem" "$daemon_cert_root/$domain.crt"
+                cp "$RENEWED_LINEAGE/privkey.pem" "$daemon_cert_root/$domain.key"
+
+                # Apply the proper file ownership and permissions for
+                # the daemon to read its certificate and key.
+                chown turnserver "$daemon_cert_root/$domain.crt" \
+                        "$daemon_cert_root/$domain.key"
+                chmod 400 "$daemon_cert_root/$domain.crt" \
+                        "$daemon_cert_root/$domain.key"
+
+                service coturn restart >/dev/null
+                ;;
+        esac
+done
--- a/webapps/jitsimeet/templates/coturn/turnserver.conf.j2
+++ b/webapps/jitsimeet/templates/coturn/turnserver.conf.j2
@ -0,0 +1,46 @@
+# jitsi-meet coturn config. Do not modify this line
+use-auth-secret
+keep-address-family
+static-auth-secret={{ jitsi_meet_turn_secret }}
+realm={{ domains | first }}
+cert=/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem
+pkey=/etc/letsencrypt/live/{{ domains | first }}/privkey.pem
+no-multicast-peers
+no-cli
+no-loopback-peers
+no-tcp-relay
+no-tcp
+listening-port=3478
+tls-listening-port=5349
+no-tlsv1
+no-tlsv1_1
+# https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
+cipher-list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+# without it there are errors when running on Ubuntu 20.04
+dh2066
+# jitsi-meet coturn relay disable config. Do not modify this line
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
+denied-peer-ip=::1
+denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+syslog
+
--- a/webapps/jitsimeet/templates/meet/config.js.j2
+++ b/webapps/jitsimeet/templates/meet/config.js.j2
@ -946,8 +946,8 @@ var config = {
        // The STUN servers that will be used in the peer to peer connections
        stunServers: [

-            // { urls: 'stun:{{ domains | first }}:3478' },
-            { urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' },
+             { urls: 'stun:{{ domains | first }}:3478' },
+            //{ urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' },
        ],
    },

--- a/webapps/jitsimeet/templates/nginx/vhost.conf.j2
+++ b/webapps/jitsimeet/templates/nginx/vhost.conf.j2
--- a/webapps/jitsimeet/templates/videobridge/sip-communicator.properties.j2
+++ b/webapps/jitsimeet/templates/videobridge/sip-communicator.properties.j2
@ -1,5 +1,5 @@
 org.ice4j.ice.harvest.DISABLE_AWS_HARVESTER=true
-org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=meet-jit-si-turnrelay.jitsi.net:443
+org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES={{ domains | first }}:3478
 org.jitsi.videobridge.ENABLE_STATISTICS=true
 org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
 org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=localhost