coturn
This commit is contained in:
parent
0350a97f8c
commit
879d7fc044
|
@ -66,7 +66,20 @@
|
|||
ansible.builtin.apt:
|
||||
name: jitsi-meet
|
||||
state: present
|
||||
install_recommends: no
|
||||
install_recommends: yes
|
||||
|
||||
- name: Add certs dir for coturn/letsencrypt if needed
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
mode: '700'
|
||||
owner: 'turnserver'
|
||||
group: 'turnserver'
|
||||
loop:
|
||||
- /etc/coturn
|
||||
- /etc/coturn/certs
|
||||
- /etc/letsencrypt/renewal-hooks
|
||||
- /etc/letsencrypt/renewal-hooks/deploy
|
||||
|
||||
- name: Template config files
|
||||
template:
|
||||
|
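Review bot: The `file` loop under `- name: Add certs dir for coturn/letsencrypt if needed` hands `/etc/letsencrypt/renewal-hooks` and `/etc/letsencrypt/renewal-hooks/deploy` to `owner: 'turnserver'` with `mode: '700'`, but certbot runs every executable it finds in the deploy directory with root privileges, so the unprivileged service account would be able to add or replace a script that later runs as root; only the two `/etc/coturn` paths should belong to `turnserver`, and the hook directories should stay root-owned. Splitting the loop into two tasks keeps the intent and restores that boundary. Separately, `install_recommends: yes` is a YAML 1.1 truthy literal; `install_recommends: true` is the unambiguous spelling. The enclosing task list continues outside the hunk.
```yaml
- name: Add certs dir for coturn if needed
  file:
    path: "{{ item }}"
    state: directory
    mode: '700'
    owner: 'turnserver'
    group: 'turnserver'
  loop:
    - /etc/coturn
    - /etc/coturn/certs

- name: Add letsencrypt deploy hook dir if needed
  file:
    path: "{{ item }}"
    state: directory
    mode: '755'
    owner: 'root'
    group: 'root'
  loop:
    - /etc/letsencrypt/renewal-hooks
    - /etc/letsencrypt/renewal-hooks/deploy
```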
@ -80,6 +93,8 @@
|
|||
- { src: 'videobridge/sip-communicator.properties.j2', dest: "/etc/jitsi/videobridge/sip-communicator.properties", owner: "jvb", group: "jitsi", mode: "0640" }
|
||||
- { src: 'meet/config.js.j2', dest: "/etc/jitsi/meet/{{ domains | first }}-config.js", owner: "root", group: "root", mode: "0644" }
|
||||
- { src: 'prosody/virtualhost.cfg.lua.j2', dest: "/etc/prosody/conf.avail/{{ domains | first }}.cfg.lua", owner: "root", group: "root", mode: "0644" }
|
||||
- { src: 'coturn/turnserver.conf.j2', dest: "/etc/turnserver.conf", owner: "root", group: "turnserver", mode: "0640" }
|
||||
- { src: 'certbot/coturn-certbot-deploy.sh.j2', dest: "/etc/letsencrypt/renewal-hooks/deploy/coturn-certbot-deploy.sh", owner: "root", group: "turnserver", mode: "0700" }
|
||||
|
||||
- name: Add bloc to jicofo.conf to disable sctp
|
||||
ansible.builtin.blockinfile:
|
||||
|
@ -121,9 +136,9 @@
|
|||
block:
|
||||
- name: Template vhost without SSL for successfull LE challengce
|
||||
template:
|
||||
src: "vhost.conf.j2"
|
||||
src: "nginx/vhost.conf.j2"
|
||||
dest: "/etc/nginx/sites-available/{{ domains |first }}.conf"
|
||||
- name: Enable temporary nginx vhost for peertube
|
||||
- name: Enable temporary nginx vhost
|
||||
file:
|
||||
src: "/etc/nginx/sites-available/{{ domains |first }}.conf"
|
||||
dest: "/etc/nginx/sites-enabled/{{ domains |first }}.conf"
|
||||
|
@ -148,7 +163,7 @@
|
|||
|
||||
- name: (Re)template conf file for nginx vhost with SSL
|
||||
template:
|
||||
src: "vhost.conf.j2"
|
||||
src: "nginx/vhost.conf.j2"
|
||||
dest: "/etc/nginx/sites-available/{{ domains |first }}.conf"
|
||||
|
||||
- name: Enable nginx vhost
|
||||
|
|
|
@ -0,0 +1,30 @@
|
|||
#!/bin/sh
|
||||
|
||||
# https://serverfault.com/questions/849683/how-to-setup-coturn-with-letsencrypt
|
||||
|
||||
set -e
|
||||
|
||||
for domain in $RENEWED_DOMAINS; do
|
||||
case $domain in
|
||||
{{ domains | first }})
|
||||
daemon_cert_root=/etc/coturn/certs
|
||||
|
||||
# Make sure the certificate and private key files are
|
||||
# never world readable, even just for an instant while
|
||||
# we're copying them into daemon_cert_root.
|
||||
umask 077
|
||||
|
||||
cp "$RENEWED_LINEAGE/fullchain.pem" "$daemon_cert_root/$domain.crt"
|
||||
cp "$RENEWED_LINEAGE/privkey.pem" "$daemon_cert_root/$domain.key"
|
||||
|
||||
# Apply the proper file ownership and permissions for
|
||||
# the daemon to read its certificate and key.
|
||||
chown turnserver "$daemon_cert_root/$domain.crt" \
|
||||
"$daemon_cert_root/$domain.key"
|
||||
chmod 400 "$daemon_cert_root/$domain.crt" \
|
||||
"$daemon_cert_root/$domain.key"
|
||||
|
||||
service coturn restart >/dev/null
|
||||
;;
|
||||
esac
|
||||
done
|
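Review bot: The hook copies the renewed certificate and key to `"$daemon_cert_root/$domain.crt"` and `"$daemon_cert_root/$domain.key"` under `/etc/coturn/certs`, but the `turnserver.conf.j2` added in this same commit sets `cert=` and `pkey=` to `/etc/letsencrypt/live/{{ domains | first }}/...`, so the copies are never read and coturn, which the `chown turnserver` here indicates runs as an unprivileged user, would instead need access to certbot's live/archive tree, which is root-only by default. One side should change: either point the config at the copies with `cert=/etc/coturn/certs/{{ domains | first }}.crt` and `pkey=/etc/coturn/certs/{{ domains | first }}.key`, which is exactly what the `umask 077`/`chown`/`chmod 400` sequence here prepares for, or drop the copy step. Note also that a deploy hook only fires on renewal, so the first copy into `/etc/coturn/certs` must happen once out of band (for example by running this script after the initial issuance); a comment such as `# run once manually after first issuance: deploy hooks only fire on renewal` above `set -e` would record that.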
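--- a/webapps/jitsimeet/templates/coturn/turnserver.conf.j2
+++ b/webapps/jitsimeet/templates/coturn/turnserver.conf.j2
@@ -0,0 +1,46 @@
+# jitsi-meet coturn config. Do not modify this line
+use-auth-secret
+keep-address-family
+static-auth-secret={{ jitsi_meet_turn_secret }}
+realm={{ domains | first }}
+cert=/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem
+pkey=/etc/letsencrypt/live/{{ domains | first }}/privkey.pem
+no-multicast-peers
+no-cli
+no-loopback-peers
+no-tcp-relay
+no-tcp
+listening-port=3478
+tls-listening-port=5349
+no-tlsv1
+no-tlsv1_1
+# https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
+cipher-list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+# without it there are errors when running on Ubuntu 20.04
+dh2066
+# jitsi-meet coturn relay disable config. Do not modify this line
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
+denied-peer-ip=::1
+denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+syslog
+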
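Review bot: `denied-peer-ip=127.0.0.0-127.255.255.255` appears twice in the relay deny list (once before and once after the `169.254.0.0` range); the duplicate is harmless to coturn but makes the list look hand-edited and hides whether another range was meant, so drop the second occurrence. The `cert=`/`pkey=` paths under `/etc/letsencrypt/live/` are the other thing to revisit: the deploy hook this commit installs populates `/etc/coturn/certs` instead, and the two must agree for the service to load a renewed certificate. Since `static-auth-secret={{ jitsi_meet_turn_secret }}` lands in this file, the `mode: "0640"` with `group: "turnserver"` chosen for it in the template task is the right protection and should be kept in step with any future change here.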
@ -946,8 +946,8 @@ var config = {
|
|||
// The STUN servers that will be used in the peer to peer connections
|
||||
stunServers: [
|
||||
|
||||
// { urls: 'stun:{{ domains | first }}:3478' },
|
||||
{ urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' },
|
||||
{ urls: 'stun:{{ domains | first }}:3478' },
|
||||
//{ urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' },
|
||||
],
|
||||
},
|
||||
|
||||
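Review bot: The replaced entry `{ urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' }` is kept as a commented-out line instead of being removed; version control already preserves the old value, and a dead entry in a rendered template tends to be resurrected by copy-paste. Either delete the `//{ urls: ... }` line, or, if a public fallback is intended while the self-hosted server on `3478/udp` is reachable only from some networks, keep it live as a second array element. The enclosing `var config` object starts and ends outside the hunk.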
|
|
|
@ -1,5 +1,5 @@
|
|||
org.ice4j.ice.harvest.DISABLE_AWS_HARVESTER=true
|
||||
org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=meet-jit-si-turnrelay.jitsi.net:443
|
||||
org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES={{ domains | first }}:3478
|
||||
org.jitsi.videobridge.ENABLE_STATISTICS=true
|
||||
org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
|
||||
org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=localhost
|
||||
|
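Review bot: `org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES` now points the videobridge at `{{ domains | first }}:3478`, which on a single-host deployment is presumably the coturn instance on the same machine; the mapping harvester exists to learn the bridge's public address from an external vantage point, so a STUN server co-located with the bridge behind a 1:1 NAT would reflect the private address back and the bridge would advertise an unreachable candidate. If the host owns its public IP directly this is fine; otherwise keep an external STUN server here or set `org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS` and `org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS` explicitly. A one-line comment above the property stating which case applies, e.g. `# self-hosted STUN: only valid when this host has a public address (no 1:1 NAT)`, would save the next maintainer the same investigation.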
|