From 784d9a4867959735852a585154830993f49c755a Mon Sep 17 00:00:00 2001 From: Julien Palard Date: Wed, 1 Dec 2021 23:20:10 +0100 Subject: [PATCH] Hello turn.afpy.org. --- host_vars/bbb2.afpy.org/vars | 4 ++ inventory | 3 + roles/common/defaults/main.yml | 3 + roles/common/handlers/main.yml | 3 + roles/common/tasks/main.yml | 26 ++++++++- turn.yml | 104 +++++++++++++++++++++++++++++++++ 6 files changed, 141 insertions(+), 2 deletions(-) create mode 100644 host_vars/bbb2.afpy.org/vars create mode 100644 roles/common/defaults/main.yml create mode 100644 turn.yml diff --git a/host_vars/bbb2.afpy.org/vars b/host_vars/bbb2.afpy.org/vars new file mode 100644 index 0000000..7b845d2 --- /dev/null +++ b/host_vars/bbb2.afpy.org/vars @@ -0,0 +1,4 @@ +--- + +nft_extra: | + udp dport 16384-32768 counter accept comment "FreeSWITCH/HTML5 RTP streams" diff --git a/inventory b/inventory index f485530..8d2c2fc 100644 --- a/inventory +++ b/inventory @@ -1,6 +1,9 @@ [webservers] deb2.afpy.org +[turn] +turn1.afpy.org + [dl] deb2.afpy.org diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml new file mode 100644 index 0000000..db6d8d5 --- /dev/null +++ b/roles/common/defaults/main.yml @@ -0,0 +1,3 @@ +--- + +nft_extra: "" diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 1a3f868..0ef2fd5 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -5,3 +5,6 @@ - name: reload exim4 service: name=exim4 state=reloaded + +- name: restart sshd + service: name=sshd state=restarted diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 7dd2084..e9df25b 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -64,8 +64,6 @@ - package: name=nftables state=present - - service: name=nftables enabled=yes state=started daemon_reload=yes - - copy: content: | #!/usr/sbin/nft -f 
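Review bot: The new `restart sshd` handler in roles/common/handlers/main.yml restarts the daemon with no syntax check anywhere in the chain, so one bad line delivered by the hardening block that notifies it leaves every host in the common role with an sshd that will not come back up; the safer default is `service: name=sshd state=reloaded`, which is enough for sshd to re-read sshd_config, with a `validate` on the blockinfile task doing the checking before the file is installed. `name=sshd` also resolves on Debian only through the `sshd.service` alias of `ssh.service`; `name=ssh` is the unit name the package actually ships and works with the SysV script too.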
@@ -78,6 +76,7 @@ iif lo accept ct state established,related accept tcp dport { ssh, http, https, smtp, imap2, imaps} ct state new accept + {{ nft_extra }} counter drop } } @@ -88,6 +87,8 @@ mode: 0755 notify: reload nftables + - service: name=nftables enabled=yes state=started daemon_reload=yes + - name: Update via apt (mandatory on first run) apt: update_cache: yes @@ -128,4 +129,25 @@ name: ["mlocate", "locate"] state: absent + # From https://infosec.mozilla.org/guidelines/openssh + - name: SSHd hardening + blockinfile: + marker: "# {mark} ANSIBLE MANAGED BLOCK (KexAlgorithms, Ciphers, MACs)" + path: /etc/ssh/sshd_config + state: present + create: true + block: | + KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 + Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com + + HostKey /etc/ssh/ssh_host_ed25519_key + HostKey /etc/ssh/ssh_host_rsa_key + HostKey /etc/ssh/ssh_host_ecdsa_key + + AuthenticationMethods publickey + LogLevel VERBOSE + notify: restart sshd + tags: ssh + tags: common diff --git a/turn.yml b/turn.yml new file mode 100644 index 0000000..532187b --- /dev/null +++ b/turn.yml 
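Review bot: The SSHd hardening block in roles/common/tasks/main.yml is appended at the end of /etc/ssh/sshd_config (blockinfile's default insert point), but sshd keeps the first value it reads for each keyword, so any `KexAlgorithms`, `Ciphers`, `MACs`, `LogLevel` or `HostKey` set earlier in the file, or pulled in by an `Include /etc/ssh/sshd_config.d/*.conf` line at the top as on recent Debian, silently wins and the hardening has no effect. `insertbefore: BOF` puts the managed block ahead of the distribution defaults and the Include. The task then notifies a restart of a configuration it never checked; `validate: /usr/sbin/sshd -t -f %s` on the blockinfile makes Ansible refuse a broken file before it replaces the live one, rather than leaving hosts with an sshd that fails to start. `create: true` is unnecessary for a file openssh-server always installs and would otherwise yield an sshd_config consisting of this block alone, so it is better dropped.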
@@ -0,0 +1,104 @@ +--- + +- hosts: turn + vars: + turnserver_secret: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 61643630616332343933343663623032346565636431613332373031663834616662343763353863 + 3165323337616264353335613036396663356666666333310a333530383736376134646332633638 + 37633763623039326364356661616436663136623838343734316633373936353465636538353366 + 6236356562343335370a356530353563353865383635643239666438323365346137626634356533 + 31633538363865323066323166323564633439326538386230323132663032653731303165623132 + 3064313963616432383936626437313566653637313130666430 + + tasks: + - name: Basic setup + include_role: name=common + vars: + nft_extra: | + tcp dport {3478, 5349} counter accept comment "coturn listening port" + udp dport {3478, 5349} counter accept comment "coturn listening port" + udp dport 32769-65535 counter accept comment "relay ports range" + + - name: Install coturn and certbot + apt: + name: [coturn, certbot] + state: present + + - name: Get TLS certificate + command: certbot certonly --standalone --preferred-challenges http -d turn.afpy.org -n --agree-tos -m {{ letsencrypt_email | quote }} + register: certbot + changed_when: '"no action taken." 
not in certbot.stdout' + + - name: Ensure coturn can read certs + file: + path: /etc/letsencrypt/renewal-hooks/deploy + state: directory + mode: 0755 + + - name: Configure certbot renewal hook for coturn + copy: + dest: /etc/letsencrypt/renewal-hooks/deploy/coturn + mode: 0755 + content: | + #!/bin/bash -e + for certfile in fullchain.pem privkey.pem ; do + cp -L /etc/letsencrypt/live/turn.afpy.org/"${certfile}" /etc/turnserver/"${certfile}".new + chown turnserver:turnserver /etc/turnserver/"${certfile}".new + mv /etc/turnserver/"${certfile}".new /etc/turnserver/"${certfile}" + done + systemctl kill -sUSR2 coturn.service + + - name: Configure turnserver + blockinfile: + path: /etc/turnserver.conf + block: | + fingerprint + use-auth-secret + static-auth-secret={{turnserver_secret}} + realm=afpy.org + cert=/etc/turnserver/fullchain.pem + pkey=/etc/turnserver/privkey.pem + # From https://ssl-config.mozilla.org/ Intermediate, openssl 1.1.0g, 2020-01 + cipher-list="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" + dh-file=/etc/turnserver/dhp.pem + no-cli + no-tlsv1 + no-tlsv1_1 + no-loopback-peers + no-multicast-peers + notify: restart coturn + + - name: Create dph.pem file directory + file: + path: /etc/turnserver + state: directory + mode: 0755 + + - name: Create dph.pem file + command: openssl dhparam -dsaparam -out /etc/turnserver/dhp.pem 2048 + args: + creates: etc/turnserver/dhp.pem + + - name: Create coturn service directory + file: + path: /etc/systemd/system/coturn.service.d + state: directory + mode: 0755 + + - name: Configure coturn service override + copy: + dest: /etc/systemd/system/coturn.service.d/override.conf + content: | + [Service] + LimitNOFILE=1048576 + AmbientCapabilities=CAP_NET_BIND_SERVICE + Restart=always + notify: restart coturn + + handlers: + - name: restart coturn + 
systemd: + name: coturn + state: restarted + daemon_reload: true
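Review bot: `creates: etc/turnserver/dhp.pem` in the "Create dph.pem file" task lacks the leading slash, so it is resolved relative to the task's working directory, never matches, and the 2048-bit dhparam is regenerated on every run; it should read `creates: /etc/turnserver/dhp.pem`. Bootstrapping also looks broken on a fresh host: the deploy hook that copies the certificate into /etc/turnserver is only written after `certbot certonly` has already run, so nothing ever creates the `cert=`/`pkey=` files named in turnserver.conf until the first renewal and coturn starts without its TLS material; running the hook once, guarded by `creates: /etc/turnserver/fullchain.pem`, closes that gap. The "Configure turnserver" blockinfile writes the vaulted `static-auth-secret` into /etc/turnserver.conf but keeps the file mode the package installed, which I believe is world-readable on Debian, so the task should set `owner: root`, `group: turnserver`, `mode: "0640"`. The certificate is requested for turn.afpy.org while the inventory host is turn1.afpy.org; that only works if the former resolves to this host, and `{{ inventory_hostname }}` would avoid repeating the name three times.

```yaml
    - name: Configure certbot renewal hook for coturn
      # … unchanged: copy of the deploy hook …

    - name: Create turnserver config directory
      file:
        path: /etc/turnserver
        state: directory
        owner: turnserver
        group: turnserver
        mode: "0750"

    - name: Install the current certificate for coturn once (the deploy hook only runs at renewal time)
      command: /etc/letsencrypt/renewal-hooks/deploy/coturn
      args:
        creates: /etc/turnserver/fullchain.pem
      notify: restart coturn

    - name: Configure turnserver
      blockinfile:
        path: /etc/turnserver.conf
        owner: root
        group: turnserver
        mode: "0640"
        # … unchanged: block and notify …

    # … unchanged: the separate "Create dph.pem file directory" task is now redundant …

    - name: Create dph.pem file
      command: openssl dhparam -dsaparam -out /etc/turnserver/dhp.pem 2048
      args:
        creates: /etc/turnserver/dhp.pem
```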