before testing coturn

2021-01-17 21:22:35 +01:00 · 2021-01-17 21:22:35 +01:00 · cb1f738eea
commit cb1f738eea
parent 7778ea82e8
4 changed files with 52 additions and 5 deletions
--- a/deployer/group_vars/all/vars.yml
+++ b/deployer/group_vars/all/vars.yml
@ -174,6 +174,7 @@ sites:
    # Coturn server
    coturn:
      static_auth_secret : "{{ vault_synapse_coturn_static_auth_secret }}"
+      listening_port: 3578
      min_port: 49152
      max_port: 49172
      external_ip: 92.243.8.85
--- a/deployer/roles/build/tasks/synapse.yml
+++ b/deployer/roles/build/tasks/synapse.yml
@ -54,6 +54,27 @@
      import_tasks: postgres.yml
      tags: postgres

+    ###########################################
+    # Allow coturn inbound connections in UFW #
+    ###########################################
+
+    - name: "Allow inbound port {{ site.coturn.listening_port }} for coturn in UFW"
+      ufw:
+        direction: in
+        from_ip: any 
+        to_port: {{ site.coturn.listening_port }}
+        proto: any 
+        rule: allow
+        comment: "coturn TCP/UDP"
+
+    - name: "Allow inbound UDP ports {{ site.coturn.min_port }}-{{ site.coturn.max_port }} for coturn un UFW"
+      ufw:
+        direction: in 
+        from_ip: any 
+        to_port: "{{ item }}"
+      loop: "{{ range({{ site.coturn.min_port }}, {{ site.coturn.max_port }} + 1)|list }}"
+
+
    #################
    # Setup backups #
    #################
--- a/deployer/roles/build/templates/synapse/coturn/turnserver.conf.j2
+++ b/deployer/roles/build/templates/synapse/coturn/turnserver.conf.j2
@ -4,6 +4,23 @@
 # https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/roles/matrix-coturn/templates/turnserver.conf.j2
 # in Jan. 2021

+# TURN listener port for UDP and TCP (Default: 3478).
+# Note: actually, TLS & DTLS sessions can connect to the
+# "plain" TCP & UDP port(s), too - if allowed by configuration.
+listening-port={{ site.coturn.listening_port }}
+
+
+# Alternative listening port for UDP and TCP listeners;
+# default (or zero) value means "listening port plus one".
+# This is needed for RFC 5780 support
+# (STUN extension specs, NAT behavior discovery). The TURN Server
+# supports RFC 5780 only if it is started with more than one
+# listening IP address of the same family (IPv4 or IPv6).
+# RFC 5780 is supported only by UDP protocol, other protocols
+# are listening to that endpoint only for "symmetry".
+#
+alt-listening-port=0
+
 use-auth-secret
 static-auth-secret={{ site.coturn.static_auth_secret }}
 realm=turn.{{ site.url }}
--- a/deployer/roles/build/templates/synapse/docker-compose.yml.j2
+++ b/deployer/roles/build/templates/synapse/docker-compose.yml.j2
@ -21,12 +21,20 @@ services:
        ipv4_address: "{{ site.subnet_site_ip }}"

  turn: 
-    image: coturn/coturn:latest
+    # We use: https://github.com/instrumentisto/coturn-docker-image
+    image: instrumentisto/coturn-docker-image:latest
    restart: unless-stopped
-    # TODO
-    # network_mode == host 
-    # give it the turnserver.conf 
-    # Anything else?
+    # We bind directly to host (no proxying the NAT piercer)
+    # TCP/UDP: {{ site.coturn.listening_port }}
+    # UDP: {{ site.coturn.min_port }} - {{ site.coturn.max_port }}
+    network: host
+    # 
+    volumes:
+      - type: tmpfs
+        target: /var/lib/coturn
+      - type: volume
+        source: "{{ sites_path }}/{{ site.slug }}/turnserver.conf"
+        destination: /etc/coturn/turnserver.conf

 networks:
  net: