diff --git a/deployer/group_vars/all/vars.yml b/deployer/group_vars/all/vars.yml
index 6105c89..98952b7 100644
--- a/deployer/group_vars/all/vars.yml
+++ b/deployer/group_vars/all/vars.yml
@@ -174,6 +174,7 @@ sites:
 # Coturn server
 coturn:
 static_auth_secret : "{{ vault_synapse_coturn_static_auth_secret }}"
+ listening_port: 3578
 min_port: 49152
 max_port: 49172
 external_ip: 92.243.8.85
diff --git a/deployer/roles/build/tasks/synapse.yml b/deployer/roles/build/tasks/synapse.yml
index 351da53..bdfda82 100644
--- a/deployer/roles/build/tasks/synapse.yml
+++ b/deployer/roles/build/tasks/synapse.yml
@@ -54,6 +54,27 @@
 import_tasks: postgres.yml
 tags: postgres
 
+ ###########################################
+ # Allow coturn inbound connections in UFW #
+ ###########################################
+
+ - name: "Allow inbound port {{ site.coturn.listening_port }} for coturn in UFW"
+ ufw:
+ direction: in
+ from_ip: any
+ to_port: {{ site.coturn.listening_port }}
+ proto: any
+ rule: allow
+ comment: "coturn TCP/UDP"
+
+ - name: "Allow inbound UDP ports {{ site.coturn.min_port }}-{{ site.coturn.max_port }} for coturn un UFW"
+ ufw:
+ direction: in
+ from_ip: any
+ to_port: "{{ item }}"
+ loop: "{{ range({{ site.coturn.min_port }}, {{ site.coturn.max_port }} + 1)|list }}"
+
+
 #################
 # Setup backups #
 #################
diff --git a/deployer/roles/build/templates/synapse/turnserver.conf.j2 b/deployer/roles/build/templates/synapse/coturn/turnserver.conf.j2
similarity index 55%
rename from deployer/roles/build/templates/synapse/turnserver.conf.j2
rename to deployer/roles/build/templates/synapse/coturn/turnserver.conf.j2
index 61ac3eb..3093235 100644
--- a/deployer/roles/build/templates/synapse/turnserver.conf.j2
+++ b/deployer/roles/build/templates/synapse/coturn/turnserver.conf.j2
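Review bot: `listening_port: 3578` is one digit away from coturn's default of 3478, which the comment added to turnserver.conf.j2 in this same commit quotes as the default; if a non-default port is intended it deserves a comment saying so, otherwise this reads like a transposition. Whatever value is chosen also has to match the TURN URIs Synapse advertises to clients (its `turn_uris` setting), which are not in this diff. Suggested: `listening_port: 3478  # coturn default; must match the turn_uris Synapse hands to clients`.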
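Review bot: `to_port: {{ site.coturn.listening_port }}` in the first ufw task is an unquoted Jinja expression at the start of a YAML value, which the YAML parser reads as a flow mapping before Jinja ever runs, so the play fails to load; it needs `to_port: "{{ site.coturn.listening_port }}"`. The second task is worse off: its `loop:` nests `{{ }}` inside `{{ }}`, which is not valid Jinja, and the task sets neither `rule:` nor `proto:`, so as far as I can tell from the module's interface it would not add an allow rule even if it parsed. A single port-range rule replaces the per-port loop (ufw needs an explicit protocol for a range, and the relay range is UDP only, so `proto: udp` also narrows what is exposed); the typo `un UFW` in the task name goes with it. The surrounding task list continues outside the hunk.

```yaml
  - name: "Allow inbound UDP ports {{ site.coturn.min_port }}-{{ site.coturn.max_port }} for coturn in UFW"
    ufw:
      direction: in
      from_ip: any
      to_port: "{{ site.coturn.min_port }}:{{ site.coturn.max_port }}"
      proto: udp
      rule: allow
      comment: "coturn UDP relay range"
```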
@@ -4,6 +4,23 @@
 # https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/roles/matrix-coturn/templates/turnserver.conf.j2
 # in Jan. 2021
 
+# TURN listener port for UDP and TCP (Default: 3478).
+# Note: actually, TLS & DTLS sessions can connect to the
+# "plain" TCP & UDP port(s), too - if allowed by configuration.
+listening-port={{ site.coturn.listening_port }}
+
+ # Alternative listening port for UDP and TCP listeners;
+# default (or zero) value means "listening port plus one".
+# This is needed for RFC 5780 support
+# (STUN extension specs, NAT behavior discovery). The TURN Server
+# supports RFC 5780 only if it is started with more than one
+# listening IP address of the same family (IPv4 or IPv6).
+# RFC 5780 is supported only by UDP protocol, other protocols
+# are listening to that endpoint only for "symmetry".
+#
+alt-listening-port=0
+
 use-auth-secret
 static-auth-secret={{ site.coturn.static_auth_secret }}
 realm=turn.{{ site.url }}
diff --git a/deployer/roles/build/templates/synapse/docker-compose.yml.j2 b/deployer/roles/build/templates/synapse/docker-compose.yml.j2
index 5a8a37e..813edd5 100644
--- a/deployer/roles/build/templates/synapse/docker-compose.yml.j2
+++ b/deployer/roles/build/templates/synapse/docker-compose.yml.j2
@@ -21,12 +21,20 @@ services:
 ipv4_address: "{{ site.subnet_site_ip }}"
 
 turn:
- image: coturn/coturn:latest
+ # We use: https://github.com/instrumentisto/coturn-docker-image
+ image: instrumentisto/coturn-docker-image:latest
 restart: unless-stopped
- # TODO
- # network_mode == host
- # give it the turnserver.conf
- # Anything else?
+ # We bind directly to host (no proxying the NAT piercer)
+ # TCP/UDP: {{ site.coturn.listening_port }}
+ # UDP: {{ site.coturn.min_port }} - {{ site.coturn.max_port }}
+ network: host
+ #
+ volumes:
+ - type: tmpfs
+ target: /var/lib/coturn
+ - type: volume
+ source: "{{ sites_path }}/{{ site.slug }}/turnserver.conf"
+ destination: /etc/coturn/turnserver.conf
 
 networks:
 net:
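Review bot: `alt-listening-port=0` makes coturn also bind `listening-port` plus one, per the comment added just above it, but the UFW tasks in this commit open only `listening_port` and the relay range, so that socket is bound on the host (the compose file switches coturn to host networking) yet unreachable from outside. If RFC 5780 discovery is not wanted, say so next to the line, e.g. `# alt port deliberately left closed in UFW; RFC 5780 discovery unused`, otherwise set the port explicitly and add the matching firewall rule. The template also moves into a `coturn/` subdirectory; the task that renders it into `turnserver.conf` is not in this diff and presumably needs the new path, or the file the compose service mounts goes stale.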
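Review bot: `network: host` is not a Compose service key — the removed TODO itself spelled it `network_mode: host` — so Compose rejects the file or ignores the line, and a coturn left on the bridge network would advertise addresses and listen on ports that the UFW rules open but nothing forwards. The config mount is also mis-typed: `type: volume` with a host path as `source` names a volume rather than a bind mount, and the long mount syntax uses `target`, not `destination`; it should be `type: bind` with `target`, and `read_only: true` is cheap since the file carries the static auth secret. If the trailing `networks: net:` context belongs to the `turn` service rather than the top level (indentation is lost in this rendering), it conflicts with host networking and has to go. `image: instrumentisto/coturn-docker-image:latest` is unpinned; a tag or digest would make the deploy reproducible.

```yaml
    # … unchanged: image / restart / explanatory comments …
    network_mode: host
    volumes:
      - type: tmpfs
        target: /var/lib/coturn
      - type: bind
        source: "{{ sites_path }}/{{ site.slug }}/turnserver.conf"
        target: /etc/coturn/turnserver.conf
        read_only: true
```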