From c4843a33cf2b244c7e1a86f87766bfd4b6a45079 Mon Sep 17 00:00:00 2001 From: Julien Palard Date: Tue, 28 Mar 2023 16:01:09 +0200 Subject: [PATCH] Move handwritten things to a playbook. --- README.md | 55 ++++----------------------- inventory | 3 ++ turn.yml | 111 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 121 insertions(+), 48 deletions(-) diff --git a/README.md b/README.md index eabf1cd..66e5670 100644 --- a/README.md +++ b/README.md @@ -77,7 +77,13 @@ C’est un VPS `V-R8 4 CPUs · 8 GB RAM`. C’est une Ubuntu 18.04 (c’est imposé par BBB). -Elle n’est **pas** gérée par Ansible, c’est un peu particulier BBB. +Elle n’est **pas** gérée par Ansible, c’est un peu particulier BBB, +mais le serveur `turn` l'est, et le playbook `turn.yml` configure +quand même un fichier sur BBB. + +D'ailleurs pour tester la configurtion turn/stun: + +https://docs.bigbluebutton.org/administration/turn-server#test-your-turn-server J’y ai appliqué un poil de ssh-hardening : @@ -151,53 +157,6 @@ Il faut configurer le `.env` tel que: Puis vérifier qu’exim et le firewall (attention c’est peut-être `ufw`) les acceptent. - -### Configuration TURN/STUN - -L’installation de BBB n’étant pas gérée par Ansible, pour le moment la -conf TURN/STUN est faite à la main, c’est la seule chose à faire, elle -ressemble à : - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -dans `/usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml`. - - ## backup1.afpy.org ♥ Machine sponsorisée par Gandi ♥ diff --git a/inventory b/inventory index 9925fb7..af7b518 100644 --- a/inventory +++ b/inventory @@ -22,6 +22,9 @@ turn1.afpy.org [dl] deb2.afpy.org +[bbb] +bbb2.afpy.org + [rsnapshotted] deb2.afpy.org bbb2.afpy.org diff --git a/turn.yml b/turn.yml index 67f7167..070c85f 100644 --- a/turn.yml +++ b/turn.yml 
@@ -48,20 +48,64 @@ blockinfile: path: /etc/turnserver.conf block: | + listening-port=3478 + tls-listening-port=443 + + listening-ip={{ansible_default_ipv4.address}} + relay-ip={{ansible_default_ipv4.address}} + + min-port=32769 + max-port=65535 + verbose + fingerprint + lt-cred-mech use-auth-secret static-auth-secret={{turnserver_secret}} + realm=afpy.org + cert=/etc/turnserver/fullchain.pem pkey=/etc/turnserver/privkey.pem # From https://ssl-config.mozilla.org/ Intermediate, openssl 1.1.0g, 2020-01 cipher-list="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" dh-file=/etc/turnserver/dhp.pem + + keep-address-family + no-cli no-tlsv1 no-tlsv1_1 + + # Block connections to IP ranges which shouldn't be reachable no-loopback-peers no-multicast-peers + + # Private (LAN) addresses + # If you are running BigBlueButton within a LAN, you might need to add an "allow" rule for your address range. 
+ # IPv4 Private-Use + denied-peer-ip=10.0.0.0-10.255.255.255 + denied-peer-ip=172.16.0.0-172.31.255.255 + denied-peer-ip=192.168.0.0-192.168.255.255 + # Other IPv4 Special-Purpose addresses + denied-peer-ip=100.64.0.0-100.127.255.255 + denied-peer-ip=169.254.0.0-169.254.255.255 + denied-peer-ip=192.0.0.0-192.0.0.255 + denied-peer-ip=192.0.2.0-192.0.2.255 + denied-peer-ip=198.18.0.0-198.19.255.255 + denied-peer-ip=198.51.100.0-198.51.100.255 + denied-peer-ip=203.0.113.0-203.0.113.255 + # IPv6 Unique-Local + denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + # IPv6 Link-Local Unicast + denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff + # Other IPv6 Special-Purpose assignments + denied-peer-ip=::ffff:0:0-::ffff:ffff:ffff + denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff + denied-peer-ip=64:ff9b:1::-64:ff9b:1:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=2001:db8::-2001:db8:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff notify: restart coturn - name: Create dph.pem file directory @@ -97,3 +141,70 @@ name: coturn state: restarted daemon_reload: true + +- hosts: bbb + tasks: + - name: configure turn host + notify: restart bbb + copy: + dest: /usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml + owner: root + group: root + mode: 0644 + content: | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + handlers: + - name: restart bbb + command: bbb-conf --restart
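Review bot: The new `denied-peer-ip` list blocks private and special-purpose ranges, but nothing in the block denies the relay host's own public address even though `listening-ip` and `relay-ip` are both set to `{{ansible_default_ipv4.address}}`; `no-loopback-peers` only covers the loopback range, so a client holding the shared secret can still ask coturn to relay to services bound on that address, and whether the host firewall (not shown here) treats that as external traffic is unclear. Adding `denied-peer-ip={{ansible_default_ipv4.address}}` next to the existing rules closes that path, and any IPv6 address the host carries should get the same treatment. Separately, `verbose` is turned on in what reads as a production block; coturn's verbose mode logs per-session detail, so either drop it or leave a comment saying why it is wanted. The `blockinfile` task this hunk edits starts above the hunk.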
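Review bot: The `turn-stun-servers.xml` content is not visible in this view, but that file is normally where BBB keeps the TURN shared secret that pairs with `static-auth-secret`, and the task installs it with `mode: 0644`, readable by every local account on the BBB host. If the secret is templated into `content`, tighten it to `mode: 0640` with `group:` set to the account bbb-web runs as, and add `no_log: true` to the task so the secret does not end up in Ansible output or `--diff` runs. Note also that the handler `command: bbb-conf --restart` restarts the whole BBB stack whenever this file changes, which drops live meetings; a comment such as `# bbb-conf --restart drops running meetings; run during a maintenance window` would warn the next operator.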