WIP making synapse work with coturn

deployer/group_vars/all/vars.yml

@@ -173,6 +173,7 @@ sites:
     max_upload_size: 20M
     # Coturn server
     coturn:
+      # URL is fixed to "turn.{{ site.url }}" - take that for granted
       static_auth_secret : "{{ vault_synapse_coturn_static_auth_secret }}"
       listening_port: 3578
       min_port: 49152
@@ -182,9 +183,9 @@ sites:
       # Set to null if you want to disable quota
       user_quota: 12
       total_quota: 1200
-      denied_peer_ips:
+      denied_peer_ips: []
-        - '10.0.0.0-10.255.255.255'
+        #- '10.0.0.0-10.255.255.255'
-        - '172.16.0.0-172.31.255.255'
+        #- '172.16.0.0-172.31.255.255'
       allowed_peer_ips: []
 
 

deployer/roles/build/templates/synapse/coturn/turnserver.conf.j2

@@ -4,12 +4,36 @@
 # https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/roles/matrix-coturn/templates/turnserver.conf.j2
 # in Jan. 2021
 
+realm=turn.{{ site.url }}
+use-auth-secret
+static-auth-secret={{ site.coturn.static_auth_secret }}
+
+# Listener IP address of relay server. Multiple listeners can be specified.
+# If no IP(s) specified in the config file or in the command line options,
+# then all IPv4 and IPv6 system IPs will be used for listening.
+#
+listening-ip={{ site.coturn.external_ip }}
+
+# Relay address (the local IP address that will be used to relay the
+# packets to the peer).
+# Multiple relay addresses may be used.
+# The same IP(s) can be used as both listening IP(s) and relay IP(s).
+#
+# If no relay IP(s) specified, then the turnserver will apply the default
+# policy: it will decide itself which relay addresses to be used, and it
+# will always be using the client socket IP address as the relay IP address
+# of the TURN session (if the requested relay address family is the same
+# as the family of the client socket).
+# 
+#relay-ip={{ site.coturn.external_ip }}
+
+#external-ip={{ site.coturn.external_ip }}
+
 # TURN listener port for UDP and TCP (Default: 3478).
 # Note: actually, TLS & DTLS sessions can connect to the
 # "plain" TCP & UDP port(s), too - if allowed by configuration.
 listening-port={{ site.coturn.listening_port }}
 
-
 # Alternative listening port for UDP and TCP listeners;
 # default (or zero) value means "listening port plus one".
 # This is needed for RFC 5780 support
@@ -19,25 +43,26 @@ listening-port={{ site.coturn.listening_port }}
 # RFC 5780 is supported only by UDP protocol, other protocols
 # are listening to that endpoint only for "symmetry".
 #
-alt-listening-port=0
+#alt-listening-port=0
 
-use-auth-secret
-static-auth-secret={{ site.coturn.static_auth_secret }}
-realm=turn.{{ site.url }}
 
 min-port={{ site.coturn.min_port }}
 max-port={{ site.coturn.min_port }}
-external-ip={{ site.coturn.external_ip }}
+
 
 log-file=stdout
-pidfile=/var/tmp/turnserver.pid
+pidfile=/var/lib/coturn/turnserver.pid
-userdb=/var/tmp/turnserver.db
+userdb=/var/lib/coturn/turnserver.db
+
+# PROD
+#prod
+# DEBUG
+verbose
 
 no-cli
 no-tls
 no-dtls
 
-prod
 no-tcp-relay
 
 {% if site.coturn.user_quota != None %}
@@ -52,4 +77,5 @@ denied-peer-ip={{ ip_range }}
 {% endfor %}
 {% for ip_range in site.coturn.allowed_peer_ips %}
 allowed-peer-ip={{ ip_range }}
-{% endfor %}
+{% endfor %}
+allowed-peer-ip={{ site.coturn.external_ip }}

deployer/roles/build/templates/synapse/homeserver.yaml.j2

@@ -894,11 +894,15 @@ enable_registration_captcha: false
 
 # The public URIs of the TURN server to give to clients
 #
-#turn_uris: []
+turn_uris: 
+  - "turn:turn.{{ site.url }}:{{ site.coturn.listening_port }}?transport=udp" 
+  - "turn:turn.{{ site.url }}:{{ site.coturn.listening_port }}?transport=tcp"
+  # - "turns:turn.{{ site.url }}:{{ site.coturn.listening_port }}?transport=udp"
+  # - "turns:turn.{{ site.url }}:{{ site.coturn.listening_port }}?transport=tcp"
 
 # The shared secret used to compute passwords for the TURN server
 #
-#turn_shared_secret: "YOUR_SHARED_SECRET"
+turn_shared_secret: "{{ site.coturn.static_auth_secret }}"
 
 # The Username and password if the TURN server needs them and
 # does not use a token
@@ -908,7 +912,7 @@ enable_registration_captcha: false
 
 # How long generated TURN credentials last
 #
-#turn_user_lifetime: 1h
+turn_user_lifetime: 1d
 
 # Whether guests should be allowed to use the TURN server.
 # This defaults to True, otherwise VoIP will be unreliable for guests.
@@ -916,7 +920,7 @@ enable_registration_captcha: false
 # connect to arbitrary endpoints without having first signed up for a
 # valid account (e.g. by passing a CAPTCHA).
 #
-#turn_allow_guests: true
+turn_allow_guests: true
 
 
 ## Registration ##