Hello turn.afpy.org.
This commit is contained in:
parent
b9018a9171
commit
784d9a4867
|
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
nft_extra: |
|
||||||
|
udp dport 16384-32768 counter accept comment "FreeSWITCH/HTML5 RTP streams"
|
|
@ -1,6 +1,9 @@
|
||||||
[webservers]
|
[webservers]
|
||||||
deb2.afpy.org
|
deb2.afpy.org
|
||||||
|
|
||||||
|
[turn]
|
||||||
|
turn1.afpy.org
|
||||||
|
|
||||||
[dl]
|
[dl]
|
||||||
deb2.afpy.org
|
deb2.afpy.org
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
nft_extra: ""
|
|
@ -5,3 +5,6 @@
|
||||||
|
|
||||||
- name: reload exim4
|
- name: reload exim4
|
||||||
service: name=exim4 state=reloaded
|
service: name=exim4 state=reloaded
|
||||||
|
|
||||||
|
- name: restart sshd
|
||||||
|
service: name=sshd state=restarted
|
||||||
|
|
|
@ -64,8 +64,6 @@
|
||||||
|
|
||||||
- package: name=nftables state=present
|
- package: name=nftables state=present
|
||||||
|
|
||||||
- service: name=nftables enabled=yes state=started daemon_reload=yes
|
|
||||||
|
|
||||||
- copy:
|
- copy:
|
||||||
content: |
|
content: |
|
||||||
#!/usr/sbin/nft -f
|
#!/usr/sbin/nft -f
|
||||||
|
@ -78,6 +76,7 @@
|
||||||
iif lo accept
|
iif lo accept
|
||||||
ct state established,related accept
|
ct state established,related accept
|
||||||
tcp dport { ssh, http, https, smtp, imap2, imaps} ct state new accept
|
tcp dport { ssh, http, https, smtp, imap2, imaps} ct state new accept
|
||||||
|
{{ nft_extra }}
|
||||||
counter drop
|
counter drop
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -88,6 +87,8 @@
|
||||||
mode: 0755
|
mode: 0755
|
||||||
notify: reload nftables
|
notify: reload nftables
|
||||||
|
|
||||||
|
- service: name=nftables enabled=yes state=started daemon_reload=yes
|
||||||
|
|
||||||
- name: Update via apt (mandatory on first run)
|
- name: Update via apt (mandatory on first run)
|
||||||
apt:
|
apt:
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
|
@ -128,4 +129,25 @@
|
||||||
name: ["mlocate", "locate"]
|
name: ["mlocate", "locate"]
|
||||||
state: absent
|
state: absent
|
||||||
|
|
||||||
|
# From https://infosec.mozilla.org/guidelines/openssh
|
||||||
|
- name: SSHd hardening
|
||||||
|
blockinfile:
|
||||||
|
marker: "# {mark} ANSIBLE MANAGED BLOCK (KexAlgorithms, Ciphers, MACs)"
|
||||||
|
path: /etc/ssh/sshd_config
|
||||||
|
state: present
|
||||||
|
create: true
|
||||||
|
block: |
|
||||||
|
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
|
||||||
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||||
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
||||||
|
|
||||||
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||||
|
HostKey /etc/ssh/ssh_host_rsa_key
|
||||||
|
HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||||
|
|
||||||
|
AuthenticationMethods publickey
|
||||||
|
LogLevel VERBOSE
|
||||||
|
notify: restart sshd
|
||||||
|
tags: ssh
|
||||||
|
|
||||||
tags: common
|
tags: common
|
||||||
|
|
|
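Review bot: The "SSHd hardening" blockinfile task rewrites /etc/ssh/sshd_config and notifies `restart sshd` without checking the result, so a typo in the managed block leaves sshd unable to restart with no remote way back onto the host; add `validate: /usr/sbin/sshd -t -f %s` to the blockinfile task so the file is only replaced, and the handler only fires, when sshd accepts the new config. The three `HostKey` lines in the block are added alongside whatever `HostKey` directives already exist outside the managed block, so the effective host-key set is presumably the union of both and may include keys the guideline comment intends to exclude — worth confirming on a host whose sshd_config already lists keys. The `create: true` option also means a missing sshd_config would be created holding only this block, which is unlikely to be a usable server configuration on its own.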
@ -0,0 +1,104 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- hosts: turn
|
||||||
|
vars:
|
||||||
|
turnserver_secret: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
61643630616332343933343663623032346565636431613332373031663834616662343763353863
|
||||||
|
3165323337616264353335613036396663356666666333310a333530383736376134646332633638
|
||||||
|
37633763623039326364356661616436663136623838343734316633373936353465636538353366
|
||||||
|
6236356562343335370a356530353563353865383635643239666438323365346137626634356533
|
||||||
|
31633538363865323066323166323564633439326538386230323132663032653731303165623132
|
||||||
|
3064313963616432383936626437313566653637313130666430
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
- name: Basic setup
|
||||||
|
include_role: name=common
|
||||||
|
vars:
|
||||||
|
nft_extra: |
|
||||||
|
tcp dport {3478, 5349} counter accept comment "coturn listening port"
|
||||||
|
udp dport {3478, 5349} counter accept comment "coturn listening port"
|
||||||
|
udp dport 32769-65535 counter accept comment "relay ports range"
|
||||||
|
|
||||||
|
- name: Install coturn and certbot
|
||||||
|
apt:
|
||||||
|
name: [coturn, certbot]
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Get TLS certificate
|
||||||
|
command: certbot certonly --standalone --preferred-challenges http -d turn.afpy.org -n --agree-tos -m {{ letsencrypt_email | quote }}
|
||||||
|
register: certbot
|
||||||
|
changed_when: '"no action taken." not in certbot.stdout'
|
||||||
|
|
||||||
|
- name: Ensure coturn can read certs
|
||||||
|
file:
|
||||||
|
path: /etc/letsencrypt/renewal-hooks/deploy
|
||||||
|
state: directory
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- name: Configure certbot renewal hook for coturn
|
||||||
|
copy:
|
||||||
|
dest: /etc/letsencrypt/renewal-hooks/deploy/coturn
|
||||||
|
mode: 0755
|
||||||
|
content: |
|
||||||
|
#!/bin/bash -e
|
||||||
|
for certfile in fullchain.pem privkey.pem ; do
|
||||||
|
cp -L /etc/letsencrypt/live/turn.afpy.org/"${certfile}" /etc/turnserver/"${certfile}".new
|
||||||
|
chown turnserver:turnserver /etc/turnserver/"${certfile}".new
|
||||||
|
mv /etc/turnserver/"${certfile}".new /etc/turnserver/"${certfile}"
|
||||||
|
done
|
||||||
|
systemctl kill -sUSR2 coturn.service
|
||||||
|
|
||||||
|
- name: Configure turnserver
|
||||||
|
blockinfile:
|
||||||
|
path: /etc/turnserver.conf
|
||||||
|
block: |
|
||||||
|
fingerprint
|
||||||
|
use-auth-secret
|
||||||
|
static-auth-secret={{turnserver_secret}}
|
||||||
|
realm=afpy.org
|
||||||
|
cert=/etc/turnserver/fullchain.pem
|
||||||
|
pkey=/etc/turnserver/privkey.pem
|
||||||
|
# From https://ssl-config.mozilla.org/ Intermediate, openssl 1.1.0g, 2020-01
|
||||||
|
cipher-list="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
|
||||||
|
dh-file=/etc/turnserver/dhp.pem
|
||||||
|
no-cli
|
||||||
|
no-tlsv1
|
||||||
|
no-tlsv1_1
|
||||||
|
no-loopback-peers
|
||||||
|
no-multicast-peers
|
||||||
|
notify: restart coturn
|
||||||
|
|
||||||
|
- name: Create dph.pem file directory
|
||||||
|
file:
|
||||||
|
path: /etc/turnserver
|
||||||
|
state: directory
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- name: Create dph.pem file
|
||||||
|
command: openssl dhparam -dsaparam -out /etc/turnserver/dhp.pem 2048
|
||||||
|
args:
|
||||||
|
creates: etc/turnserver/dhp.pem
|
||||||
|
|
||||||
|
- name: Create coturn service directory
|
||||||
|
file:
|
||||||
|
path: /etc/systemd/system/coturn.service.d
|
||||||
|
state: directory
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- name: Configure coturn service override
|
||||||
|
copy:
|
||||||
|
dest: /etc/systemd/system/coturn.service.d/override.conf
|
||||||
|
content: |
|
||||||
|
[Service]
|
||||||
|
LimitNOFILE=1048576
|
||||||
|
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||||||
|
Restart=always
|
||||||
|
notify: restart coturn
|
||||||
|
|
||||||
|
handlers:
|
||||||
|
- name: restart coturn
|
||||||
|
systemd:
|
||||||
|
name: coturn
|
||||||
|
state: restarted
|
||||||
|
daemon_reload: true
|
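Review bot: `creates: etc/turnserver/dhp.pem` in the "Create dph.pem file" task is missing its leading slash, so the path is resolved relative to the working directory, the guard never matches, and `openssl dhparam` is regenerated on every run with the task always reporting changed; it should read `creates: /etc/turnserver/dhp.pem`. Task order also looks off: the renewal hook and the turnserver config both refer to /etc/turnserver, yet that directory is only created by the later "Create dph.pem file directory" task, and the deploy hook is installed after "Get TLS certificate" has already run, so on a fresh host coturn is presumably restarted with `cert=` and `pkey=` pointing at files that do not yet exist — moving the directory task ahead of the certbot task and running the hook once after install would close that gap. The nft rule opens udp 32769-65535 for relaying, but the turnserver.conf block does not set `min-port`/`max-port`, so the opened range and the range coturn actually uses are not guaranteed to agree; setting both explicitly to the same values keeps the firewall opening no wider than needed. The task named "Ensure coturn can read certs" only creates the renewal-hooks/deploy directory, so a name such as "Create certbot deploy-hook directory" would describe it more accurately.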