WIP making synapse work with coturn

2021-01-19 19:44:16 +01:00 · 2021-01-19 19:44:16 +01:00 · ad01130979
commit ad01130979
parent e3a21fce4e
3 changed files with 48 additions and 17 deletions
--- a/deployer/group_vars/all/vars.yml
+++ b/deployer/group_vars/all/vars.yml
@ -173,6 +173,7 @@ sites:
    max_upload_size: 20M
    # Coturn server
    coturn:
+      # URL is fixed to "turn.{{ site.url }}" - take that for granted
      static_auth_secret : "{{ vault_synapse_coturn_static_auth_secret }}"
      listening_port: 3578
      min_port: 49152
@ -182,9 +183,9 @@ sites:
      # Set to null if you want to disable quota
      user_quota: 12
      total_quota: 1200
-      denied_peer_ips:
-        - '10.0.0.0-10.255.255.255'
-        - '172.16.0.0-172.31.255.255'
+      denied_peer_ips: []
+        #- '10.0.0.0-10.255.255.255'
+        #- '172.16.0.0-172.31.255.255'
      allowed_peer_ips: []


--- a/deployer/roles/build/templates/synapse/coturn/turnserver.conf.j2
+++ b/deployer/roles/build/templates/synapse/coturn/turnserver.conf.j2
@ -4,12 +4,36 @@
 # https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/roles/matrix-coturn/templates/turnserver.conf.j2
 # in Jan. 2021

+realm=turn.{{ site.url }}
+use-auth-secret
+static-auth-secret={{ site.coturn.static_auth_secret }}
+
+# Listener IP address of relay server. Multiple listeners can be specified.
+# If no IP(s) specified in the config file or in the command line options,
+# then all IPv4 and IPv6 system IPs will be used for listening.
+#
+listening-ip={{ site.coturn.external_ip }}
+
+# Relay address (the local IP address that will be used to relay the
+# packets to the peer).
+# Multiple relay addresses may be used.
+# The same IP(s) can be used as both listening IP(s) and relay IP(s).
+#
+# If no relay IP(s) specified, then the turnserver will apply the default
+# policy: it will decide itself which relay addresses to be used, and it
+# will always be using the client socket IP address as the relay IP address
+# of the TURN session (if the requested relay address family is the same
+# as the family of the client socket).
+# 
+#relay-ip={{ site.coturn.external_ip }}
+
+#external-ip={{ site.coturn.external_ip }}
+
 # TURN listener port for UDP and TCP (Default: 3478).
 # Note: actually, TLS & DTLS sessions can connect to the
 # "plain" TCP & UDP port(s), too - if allowed by configuration.
 listening-port={{ site.coturn.listening_port }}

-
 # Alternative listening port for UDP and TCP listeners;
 # default (or zero) value means "listening port plus one".
 # This is needed for RFC 5780 support
@ -19,25 +43,26 @@ listening-port={{ site.coturn.listening_port }}
 # RFC 5780 is supported only by UDP protocol, other protocols
 # are listening to that endpoint only for "symmetry".
 #
-alt-listening-port=0
+#alt-listening-port=0

-use-auth-secret
-static-auth-secret={{ site.coturn.static_auth_secret }}
-realm=turn.{{ site.url }}

 min-port={{ site.coturn.min_port }}
 max-port={{ site.coturn.min_port }}
-external-ip={{ site.coturn.external_ip }}
+

 log-file=stdout
-pidfile=/var/tmp/turnserver.pid
-userdb=/var/tmp/turnserver.db
+pidfile=/var/lib/coturn/turnserver.pid
+userdb=/var/lib/coturn/turnserver.db
+
+# PROD
+#prod
+# DEBUG
+verbose

 no-cli
 no-tls
 no-dtls

-prod
 no-tcp-relay

 {% if site.coturn.user_quota != None %}
@ -52,4 +77,5 @@ denied-peer-ip={{ ip_range }}
 {% endfor %}
 {% for ip_range in site.coturn.allowed_peer_ips %}
 allowed-peer-ip={{ ip_range }}
-{% endfor %}
+{% endfor %}
+allowed-peer-ip={{ site.coturn.external_ip }}
--- a/deployer/roles/build/templates/synapse/homeserver.yaml.j2
+++ b/deployer/roles/build/templates/synapse/homeserver.yaml.j2
@ -894,11 +894,15 @@ enable_registration_captcha: false

 # The public URIs of the TURN server to give to clients
 #
-#turn_uris: []
+turn_uris: 
+  - "turn:turn.{{ site.url }}:{{ site.coturn.listening_port }}?transport=udp" 
+  - "turn:turn.{{ site.url }}:{{ site.coturn.listening_port }}?transport=tcp"
+  # - "turns:turn.{{ site.url }}:{{ site.coturn.listening_port }}?transport=udp"
+  # - "turns:turn.{{ site.url }}:{{ site.coturn.listening_port }}?transport=tcp"

 # The shared secret used to compute passwords for the TURN server
 #
-#turn_shared_secret: "YOUR_SHARED_SECRET"
+turn_shared_secret: "{{ site.coturn.static_auth_secret }}"

 # The Username and password if the TURN server needs them and
 # does not use a token
@ -908,7 +912,7 @@ enable_registration_captcha: false

 # How long generated TURN credentials last
 #
-#turn_user_lifetime: 1h
+turn_user_lifetime: 1d

 # Whether guests should be allowed to use the TURN server.
 # This defaults to True, otherwise VoIP will be unreliable for guests.
@ -916,7 +920,7 @@ enable_registration_captcha: false
 # connect to arbitrary endpoints without having first signed up for a
 # valid account (e.g. by passing a CAPTCHA).
 #
-#turn_allow_guests: true
+turn_allow_guests: true


 ## Registration ##