diff --git a/deployer/group_vars/all/vars.yml b/deployer/group_vars/all/vars.yml
index 98952b7..560d4d1 100644
--- a/deployer/group_vars/all/vars.yml
+++ b/deployer/group_vars/all/vars.yml
@@ -173,6 +173,7 @@ sites:
 max_upload_size: 20M
 # Coturn server
 coturn:
+ # URL is fixed to "turn.{{ site.url }}" - take that for granted
 static_auth_secret : "{{ vault_synapse_coturn_static_auth_secret }}"
 listening_port: 3578
 min_port: 49152
@@ -182,9 +183,9 @@ sites:
 # Set to null if you want to disable quota
 user_quota: 12
 total_quota: 1200
- denied_peer_ips:
- - '10.0.0.0-10.255.255.255'
- - '172.16.0.0-172.31.255.255'
+ denied_peer_ips: []
+ #- '10.0.0.0-10.255.255.255'
+ #- '172.16.0.0-172.31.255.255'
 allowed_peer_ips: []
diff --git a/deployer/roles/build/templates/synapse/coturn/turnserver.conf.j2 b/deployer/roles/build/templates/synapse/coturn/turnserver.conf.j2
index 80cdd6e..241bfaf 100644
--- a/deployer/roles/build/templates/synapse/coturn/turnserver.conf.j2
+++ b/deployer/roles/build/templates/synapse/coturn/turnserver.conf.j2
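Review bot: Emptying `denied_peer_ips` in the second hunk removes the only restriction on where TURN clients may have traffic relayed, so any client holding valid TURN credentials — including guests, since the homeserver hunk sets `turn_allow_guests: true` — can now reach hosts in the 10.0.0.0/8 and 172.16.0.0/12 ranges through the relay if those networks are routable from the coturn host. If the ranges were dropped to make one specific peer reachable, the narrower change is to keep the deny list and put that peer in `allowed_peer_ips`, which coturn appears to evaluate ahead of the deny list (confirm against the coturn documentation). Leaving the old entries as `#-` comments parked under `denied_peer_ips: []` is also fragile YAML: they read as if they were still items of a value that is already an empty flow sequence, so either delete them or move the explanation into a proper `# ` comment above the key.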
@@ -4,12 +4,36 @@
 # https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/roles/matrix-coturn/templates/turnserver.conf.j2
 # in Jan. 2021
+realm=turn.{{ site.url }}
+use-auth-secret
+static-auth-secret={{ site.coturn.static_auth_secret }}
+
+# Listener IP address of relay server. Multiple listeners can be specified.
+# If no IP(s) specified in the config file or in the command line options,
+# then all IPv4 and IPv6 system IPs will be used for listening.
+#
+listening-ip={{ site.coturn.external_ip }}
+
+# Relay address (the local IP address that will be used to relay the
+# packets to the peer).
+# Multiple relay addresses may be used.
+# The same IP(s) can be used as both listening IP(s) and relay IP(s).
+#
+# If no relay IP(s) specified, then the turnserver will apply the default
+# policy: it will decide itself which relay addresses to be used, and it
+# will always be using the client socket IP address as the relay IP address
+# of the TURN session (if the requested relay address family is the same
+# as the family of the client socket).
+#
+#relay-ip={{ site.coturn.external_ip }}
+
+#external-ip={{ site.coturn.external_ip }}
+
 # TURN listener port for UDP and TCP (Default: 3478).
 # Note: actually, TLS & DTLS sessions can connect to the
 # "plain" TCP & UDP port(s), too - if allowed by configuration.
 listening-port={{ site.coturn.listening_port }}
-
 # Alternative listening port for UDP and TCP listeners;
 # default (or zero) value means "listening port plus one".
 # This is needed for RFC 5780 support
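Review bot: `listening-ip={{ site.coturn.external_ip }}` binds the listener to a value named as the external address, while the `external-ip` line that used to carry that value is now commented out. The comment block the hunk itself adds describes `listening-ip` as a local bind address, so if `external_ip` is a public address not actually assigned to an interface on the coturn host (the usual situation behind NAT or inside a container) coturn will fail to bind instead of advertising that address, and the NAT case needs `external-ip`, not `listening-ip`. I cannot tell from the diff whether this value is local in this deployment; if it is, a one-line comment such as `# external_ip is a locally bound address here, so no external-ip/NAT mapping is needed` next to `listening-ip` would stop the next maintainer from reintroducing `external-ip` or removing the bind.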
@@ -19,25 +43,26 @@ listening-port={{ site.coturn.listening_port }}
 # RFC 5780 is supported only by UDP protocol, other protocols
 # are listening to that endpoint only for "symmetry".
 #
-alt-listening-port=0
+#alt-listening-port=0
-use-auth-secret
-static-auth-secret={{ site.coturn.static_auth_secret }}
-realm=turn.{{ site.url }}
 min-port={{ site.coturn.min_port }}
 max-port={{ site.coturn.min_port }}
-external-ip={{ site.coturn.external_ip }}
+
 log-file=stdout
-pidfile=/var/tmp/turnserver.pid
-userdb=/var/tmp/turnserver.db
+pidfile=/var/lib/coturn/turnserver.pid
+userdb=/var/lib/coturn/turnserver.db
+
+# PROD
+#prod
+# DEBUG
+verbose
 no-cli
 no-tls
 no-dtls
-prod
 no-tcp-relay
 {% if site.coturn.user_quota != None %}
@@ -52,4 +77,5 @@ denied-peer-ip={{ ip_range }}
 {% endfor %}
 {% for ip_range in site.coturn.allowed_peer_ips %}
 allowed-peer-ip={{ ip_range }}
-{% endfor %}
\ No newline at end of file
+{% endfor %}
+allowed-peer-ip={{ site.coturn.external_ip }}
\ No newline at end of file
diff --git a/deployer/roles/build/templates/synapse/homeserver.yaml.j2 b/deployer/roles/build/templates/synapse/homeserver.yaml.j2
index 1529524..e8840f1 100644
--- a/deployer/roles/build/templates/synapse/homeserver.yaml.j2
+++ b/deployer/roles/build/templates/synapse/homeserver.yaml.j2
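Review bot: `max-port={{ site.coturn.min_port }}` (a context line, so still on the new side) sets the top of the relay port range equal to its bottom, leaving coturn a single relay port so that every allocation after the first cannot be served; it should read from a separate upper bound, e.g. `max-port={{ site.coturn.max_port }}`, with a matching `max_port` entry defined next to `min_port` in vars.yml (this diff only shows `min_port` there, so the variable may need adding). The same hunk switches `verbose` on and comments out `prod` under a `# DEBUG` label; with `log-file=stdout` that makes the noisier per-session log the committed default for a deployed server, so `prod` should stay active and the two lines carry a comment explaining how to flip them for local debugging rather than being left flipped.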
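Review bot: `allowed-peer-ip={{ site.coturn.external_ip }}` is appended unconditionally after the `allowed_peer_ips` loop, so the coturn host's own address is always a permitted relay peer regardless of what a site's deny list says, and nothing explains why the server must be able to relay to itself. If it is needed (presumably for two clients behind the same NAT reaching each other via the public address — confirm), put that reason in a `#` comment above the line; otherwise it belongs in `allowed_peer_ips` in vars.yml, where it can be overridden per site like every other peer rule. The file also still ends without a trailing newline (`\ No newline at end of file` on both sides); adding one keeps that marker out of every future diff.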
@@ -894,11 +894,15 @@ enable_registration_captcha: false
 # The public URIs of the TURN server to give to clients
 #
-#turn_uris: []
+turn_uris:
+ - "turn:turn.{{ site.url }}:{{ site.coturn.listening_port }}?transport=udp"
+ - "turn:turn.{{ site.url }}:{{ site.coturn.listening_port }}?transport=tcp"
+ # - "turns:turn.{{ site.url }}:{{ site.coturn.listening_port }}?transport=udp"
+ # - "turns:turn.{{ site.url }}:{{ site.coturn.listening_port }}?transport=tcp"
 # The shared secret used to compute passwords for the TURN server
 #
-#turn_shared_secret: "YOUR_SHARED_SECRET"
+turn_shared_secret: "{{ site.coturn.static_auth_secret }}"
 # The Username and password if the TURN server needs them and
 # does not use a token
@@ -908,7 +912,7 @@ enable_registration_captcha: false
 # How long generated TURN credentials last
 #
-#turn_user_lifetime: 1h
+turn_user_lifetime: 1d
 # Whether guests should be allowed to use the TURN server.
 # This defaults to True, otherwise VoIP will be unreliable for guests.
@@ -916,7 +920,7 @@ enable_registration_captcha: false
 # connect to arbitrary endpoints without having first signed up for a
 # valid account (e.g. by passing a CAPTCHA).
 #
-#turn_allow_guests: true
+turn_allow_guests: true
 ## Registration ##
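Review bot: `turn_shared_secret: "{{ site.coturn.static_auth_secret }}"` splices the vault value into a double-quoted YAML scalar, so a secret containing `"` or `\` yields an invalid or silently altered homeserver.yaml and a TURN secret that no longer matches coturn's. Rendering it through the JSON filter, `turn_shared_secret: {{ site.coturn.static_auth_secret | to_json }}`, produces a correctly escaped string for any value. The `turn_uris` list only advertises plain `turn:` transports, which is consistent with `no-tls`/`no-dtls` in turnserver.conf.j2 but means TURN signalling to clients is unencrypted; a comment on the commented-out `turns:` lines saying they depend on enabling TLS in turnserver.conf.j2 would make that coupling explicit.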
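Review bot: `turn_user_lifetime: 1d` in the second hunk extends generated TURN credentials from the 1h default on the removed line to a full day, which also extends how long a credential leaked from a client or a log can be used to relay through the server — and guests receive these credentials too, since the next hunk sets `turn_allow_guests: true`. Unless a concrete client problem required longer-lived credentials, `turn_user_lifetime: 1h` is the safer value; if `1d` is intentional, a `#` comment stating the reason above the key would keep it from being reverted as an apparent oversight.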