coturn
This commit is contained in:
parent
0350a97f8c
commit
879d7fc044
|
@ -66,7 +66,20 @@
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
name: jitsi-meet
|
name: jitsi-meet
|
||||||
state: present
|
state: present
|
||||||
install_recommends: no
|
install_recommends: yes
|
||||||
|
|
||||||
|
- name: Add certs dir for coturn/letsencrypt if needed
|
||||||
|
file:
|
||||||
|
path: "{{ item }}"
|
||||||
|
state: directory
|
||||||
|
mode: '700'
|
||||||
|
owner: 'turnserver'
|
||||||
|
group: 'turnserver'
|
||||||
|
loop:
|
||||||
|
- /etc/coturn
|
||||||
|
- /etc/coturn/certs
|
||||||
|
- /etc/letsencrypt/renewal-hooks
|
||||||
|
- /etc/letsencrypt/renewal-hooks/deploy
|
||||||
|
|
||||||
- name: Template config files
|
- name: Template config files
|
||||||
template:
|
template:
|
||||||
|
@ -80,6 +93,8 @@
|
||||||
- { src: 'videobridge/sip-communicator.properties.j2', dest: "/etc/jitsi/videobridge/sip-communicator.properties", owner: "jvb", group: "jitsi", mode: "0640" }
|
- { src: 'videobridge/sip-communicator.properties.j2', dest: "/etc/jitsi/videobridge/sip-communicator.properties", owner: "jvb", group: "jitsi", mode: "0640" }
|
||||||
- { src: 'meet/config.js.j2', dest: "/etc/jitsi/meet/{{ domains | first }}-config.js", owner: "root", group: "root", mode: "0644" }
|
- { src: 'meet/config.js.j2', dest: "/etc/jitsi/meet/{{ domains | first }}-config.js", owner: "root", group: "root", mode: "0644" }
|
||||||
- { src: 'prosody/virtualhost.cfg.lua.j2', dest: "/etc/prosody/conf.avail/{{ domains | first }}.cfg.lua", owner: "root", group: "root", mode: "0644" }
|
- { src: 'prosody/virtualhost.cfg.lua.j2', dest: "/etc/prosody/conf.avail/{{ domains | first }}.cfg.lua", owner: "root", group: "root", mode: "0644" }
|
||||||
|
- { src: 'coturn/turnserver.conf.j2', dest: "/etc/turnserver.conf", owner: "root", group: "turnserver", mode: "0640" }
|
||||||
|
- { src: 'certbot/coturn-certbot-deploy.sh.j2', dest: "/etc/letsencrypt/renewal-hooks/deploy/coturn-certbot-deploy.sh", owner: "root", group: "turnserver", mode: "0700" }
|
||||||
|
|
||||||
- name: Add bloc to jicofo.conf to disable sctp
|
- name: Add bloc to jicofo.conf to disable sctp
|
||||||
ansible.builtin.blockinfile:
|
ansible.builtin.blockinfile:
|
||||||
|
@ -121,9 +136,9 @@
|
||||||
block:
|
block:
|
||||||
- name: Template vhost without SSL for successfull LE challengce
|
- name: Template vhost without SSL for successfull LE challengce
|
||||||
template:
|
template:
|
||||||
src: "vhost.conf.j2"
|
src: "nginx/vhost.conf.j2"
|
||||||
dest: "/etc/nginx/sites-available/{{ domains |first }}.conf"
|
dest: "/etc/nginx/sites-available/{{ domains |first }}.conf"
|
||||||
- name: Enable temporary nginx vhost for peertube
|
- name: Enable temporary nginx vhost
|
||||||
file:
|
file:
|
||||||
src: "/etc/nginx/sites-available/{{ domains |first }}.conf"
|
src: "/etc/nginx/sites-available/{{ domains |first }}.conf"
|
||||||
dest: "/etc/nginx/sites-enabled/{{ domains |first }}.conf"
|
dest: "/etc/nginx/sites-enabled/{{ domains |first }}.conf"
|
||||||
|
@ -148,7 +163,7 @@
|
||||||
|
|
||||||
- name: (Re)template conf file for nginx vhost with SSL
|
- name: (Re)template conf file for nginx vhost with SSL
|
||||||
template:
|
template:
|
||||||
src: "vhost.conf.j2"
|
src: "nginx/vhost.conf.j2"
|
||||||
dest: "/etc/nginx/sites-available/{{ domains |first }}.conf"
|
dest: "/etc/nginx/sites-available/{{ domains |first }}.conf"
|
||||||
|
|
||||||
- name: Enable nginx vhost
|
- name: Enable nginx vhost
|
||||||
|
|
|
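Review bot: The "Add certs dir" task in the first hunk creates `/etc/letsencrypt/renewal-hooks` and `/etc/letsencrypt/renewal-hooks/deploy` with `owner: 'turnserver'` / `group: 'turnserver'` / `mode: '700'`, but certbot executes every file in that deploy directory as root on renewal, so a compromise of the unprivileged coturn daemon becomes root by dropping a script there (directory write permission also allows unlinking and replacing the root-owned 0700 hook that the template task later in this section installs, so the hook's own mode does not help). Only the two `/etc/coturn` paths need daemon ownership; the certbot directories should stay root-owned with certbot's default 0755, which means giving each loop item its own owner and mode as sketched below. Minor style point in the same hunk: `install_recommends: yes` is the YAML 1.1 boolean spelling; `true` is what ansible-lint expects. The task list these hunks belong to begins before and continues after the visible hunks.
```yaml
- name: Add certs dir for coturn/letsencrypt if needed
  file:
    path: "{{ item.path }}"
    state: directory
    mode: "{{ item.mode }}"
    owner: "{{ item.owner }}"
    group: "{{ item.owner }}"
  loop:
    - { path: /etc/coturn, owner: turnserver, mode: '0700' }
    - { path: /etc/coturn/certs, owner: turnserver, mode: '0700' }
    # certbot runs deploy hooks as root: the hook dir must never be writable by the daemon user
    - { path: /etc/letsencrypt/renewal-hooks, owner: root, mode: '0755' }
    - { path: /etc/letsencrypt/renewal-hooks/deploy, owner: root, mode: '0755' }
```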
@ -0,0 +1,30 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
# https://serverfault.com/questions/849683/how-to-setup-coturn-with-letsencrypt
|
||||||
|
|
||||||
|
set -e
|
||||||
|
|
||||||
|
for domain in $RENEWED_DOMAINS; do
|
||||||
|
case $domain in
|
||||||
|
{{ domains | first }})
|
||||||
|
daemon_cert_root=/etc/coturn/certs
|
||||||
|
|
||||||
|
# Make sure the certificate and private key files are
|
||||||
|
# never world readable, even just for an instant while
|
||||||
|
# we're copying them into daemon_cert_root.
|
||||||
|
umask 077
|
||||||
|
|
||||||
|
cp "$RENEWED_LINEAGE/fullchain.pem" "$daemon_cert_root/$domain.crt"
|
||||||
|
cp "$RENEWED_LINEAGE/privkey.pem" "$daemon_cert_root/$domain.key"
|
||||||
|
|
||||||
|
# Apply the proper file ownership and permissions for
|
||||||
|
# the daemon to read its certificate and key.
|
||||||
|
chown turnserver "$daemon_cert_root/$domain.crt" \
|
||||||
|
"$daemon_cert_root/$domain.key"
|
||||||
|
chmod 400 "$daemon_cert_root/$domain.crt" \
|
||||||
|
"$daemon_cert_root/$domain.key"
|
||||||
|
|
||||||
|
service coturn restart >/dev/null
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
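--- a/webapps/jitsimeet/templates/coturn/turnserver.conf.j2
+++ b/webapps/jitsimeet/templates/coturn/turnserver.conf.j2
@@ -0,0 +1,46 @@
+# jitsi-meet coturn config. Do not modify this line
+use-auth-secret
+keep-address-family
+static-auth-secret={{ jitsi_meet_turn_secret }}
+realm={{ domains | first }}
+cert=/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem
+pkey=/etc/letsencrypt/live/{{ domains | first }}/privkey.pem
+no-multicast-peers
+no-cli
+no-loopback-peers
+no-tcp-relay
+no-tcp
+listening-port=3478
+tls-listening-port=5349
+no-tlsv1
+no-tlsv1_1
+# https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
+cipher-list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+# without it there are errors when running on Ubuntu 20.04
+dh2066
+# jitsi-meet coturn relay disable config. Do not modify this line
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
+denied-peer-ip=::1
+denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+syslog
+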
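Review bot: `cert=` and `pkey=` point at `/etc/letsencrypt/live/{{ domains | first }}/…`, yet the deploy hook added in this same commit copies the renewed material to `/etc/coturn/certs/<domain>.crt` and `.key`, chowns them to turnserver and sets mode 400 precisely so the daemon does not need to read certbot's live/archive tree (which certbot creates root-only by default); as written those copies are never used, and if the coturn service runs unprivileged the TLS listener on 5349 will fail to open the key. Point the template at the copies: `cert=/etc/coturn/certs/{{ domains | first }}.crt` and `pkey=/etc/coturn/certs/{{ domains | first }}.key`. Separately, `denied-peer-ip=127.0.0.0-127.255.255.255` appears twice in the relay-disable list; the second occurrence is redundant and can be dropped. Whether turnserver on the target drops privileges before or after loading the key depends on the service unit, which is not visible here.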
@ -946,8 +946,8 @@ var config = {
|
||||||
// The STUN servers that will be used in the peer to peer connections
|
// The STUN servers that will be used in the peer to peer connections
|
||||||
stunServers: [
|
stunServers: [
|
||||||
|
|
||||||
// { urls: 'stun:{{ domains | first }}:3478' },
|
{ urls: 'stun:{{ domains | first }}:3478' },
|
||||||
{ urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' },
|
//{ urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' },
|
||||||
],
|
],
|
||||||
},
|
},
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
org.ice4j.ice.harvest.DISABLE_AWS_HARVESTER=true
|
org.ice4j.ice.harvest.DISABLE_AWS_HARVESTER=true
|
||||||
org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=meet-jit-si-turnrelay.jitsi.net:443
|
org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES={{ domains | first }}:3478
|
||||||
org.jitsi.videobridge.ENABLE_STATISTICS=true
|
org.jitsi.videobridge.ENABLE_STATISTICS=true
|
||||||
org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
|
org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
|
||||||
org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=localhost
|
org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=localhost
|
||||||
|
|
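Review bot: `org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES` now names the coturn instance this role installs on the same host, so the videobridge asks itself for its server-reflexive address; if the host sits behind NAT, the reply will either carry the private address or never arrive, depending on whether the NAT hairpins, and remote participants get no usable candidate. The `meet-jit-si-turnrelay.jitsi.net:443` entry that this line replaces worked because it sat on the far side of any NAT. Either keep an external STUN server in this list alongside the local one, or, when the public address is static, set `org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS` and `org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS` explicitly. For a host with its public IP directly on the interface the change is fine; which case applies is not visible in the diff.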