---

- hosts: turn
  vars:
    turnserver_secret: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          61643630616332343933343663623032346565636431613332373031663834616662343763353863
          3165323337616264353335613036396663356666666333310a333530383736376134646332633638
          37633763623039326364356661616436663136623838343734316633373936353465636538353366
          6236356562343335370a356530353563353865383635643239666438323365346137626634356533
          31633538363865323066323166323564633439326538386230323132663032653731303165623132
          3064313963616432383936626437313566653637313130666430

  tasks:
    - name: Basic setup
      include_role: name=common

    - name: Install coturn and certbot
      apt:
        name: [coturn, certbot]
        state: present

    - name: Get TLS certificate
      command: certbot certonly --standalone --preferred-challenges http -d turn.afpy.org -n --agree-tos -m {{ letsencrypt_email | quote }}
      register: certbot
      changed_when: '"no action taken." not in certbot.stdout'

    - name: Ensure coturn can read certs
      file:
        path: /etc/letsencrypt/renewal-hooks/deploy
        state: directory
        mode: 0755

    - name: Configure certbot renewal hook for coturn
      copy:
        dest: /etc/letsencrypt/renewal-hooks/deploy/coturn
        mode: 0755
        content: |
          #!/bin/bash -e
          for certfile in fullchain.pem privkey.pem ; do
              cp -L /etc/letsencrypt/live/turn.afpy.org/"${certfile}" /etc/turnserver/"${certfile}".new
              chown turnserver:turnserver /etc/turnserver/"${certfile}".new
              mv /etc/turnserver/"${certfile}".new /etc/turnserver/"${certfile}"
          done
          systemctl kill -sUSR2 coturn.service

    - name: Configure turnserver
      blockinfile:
        path: /etc/turnserver.conf
        block: |
          listening-port=3478
          tls-listening-port=443

          listening-ip={{ansible_default_ipv4.address}}
          relay-ip={{ansible_default_ipv4.address}}

          min-port=32769
          max-port=65535
          verbose

          fingerprint
          lt-cred-mech
          use-auth-secret
          static-auth-secret={{turnserver_secret}}

          realm=afpy.org

          cert=/etc/turnserver/fullchain.pem
          pkey=/etc/turnserver/privkey.pem
          # From https://ssl-config.mozilla.org/ Intermediate, openssl 1.1.0g, 2020-01
          cipher-list="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
          dh-file=/etc/turnserver/dhp.pem

          keep-address-family

          no-cli
          no-tlsv1
          no-tlsv1_1

          # Block connections to IP ranges which shouldn't be reachable
          no-loopback-peers
          no-multicast-peers

          # Private (LAN) addresses
          # If you are running BigBlueButton within a LAN, you might need to add an "allow" rule for your address range.
          # IPv4 Private-Use
          denied-peer-ip=10.0.0.0-10.255.255.255
          denied-peer-ip=172.16.0.0-172.31.255.255
          denied-peer-ip=192.168.0.0-192.168.255.255
          # Other IPv4 Special-Purpose addresses
          denied-peer-ip=100.64.0.0-100.127.255.255
          denied-peer-ip=169.254.0.0-169.254.255.255
          denied-peer-ip=192.0.0.0-192.0.0.255
          denied-peer-ip=192.0.2.0-192.0.2.255
          denied-peer-ip=198.18.0.0-198.19.255.255
          denied-peer-ip=198.51.100.0-198.51.100.255
          denied-peer-ip=203.0.113.0-203.0.113.255
          # IPv6 Unique-Local
          denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
          # IPv6 Link-Local Unicast
          denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
          # Other IPv6 Special-Purpose assignments
          denied-peer-ip=::ffff:0:0-::ffff:ffff:ffff
          denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
          denied-peer-ip=64:ff9b:1::-64:ff9b:1:ffff:ffff:ffff:ffff:ffff
          denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
          denied-peer-ip=2001:db8::-2001:db8:ffff:ffff:ffff:ffff:ffff:ffff
          denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      notify: restart coturn

    - name: Create dph.pem file directory
      file:
        path: /etc/turnserver
        state: directory
        mode: 0755

    - name: Create dph.pem file
      command: openssl dhparam -dsaparam  -out /etc/turnserver/dhp.pem 2048
      args:
        creates: /etc/turnserver/dhp.pem

    - name: Create coturn service directory
      file:
        path: /etc/systemd/system/coturn.service.d
        state: directory
        mode: 0755

    - name: Configure coturn service override
      copy:
        dest: /etc/systemd/system/coturn.service.d/override.conf
        content: |
          [Service]
          LimitNOFILE=1048576
          AmbientCapabilities=CAP_NET_BIND_SERVICE
          Restart=always
      notify: restart coturn

  handlers:
    - name: restart coturn
      systemd:
        name: coturn
        state: restarted
        daemon_reload: true

- hosts: bbb
  tasks:
    - name: configure turn host
      notify: restart bbb
      copy:
        dest: /usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml
        owner: root
        group: root
        mode: 0644
        content: |
          <?xml version="1.0" encoding="UTF-8"?>
          <!--

          BigBlueButton open source conferencing system - http://www.bigbluebutton.org/

          Copyright (c) 2012 BigBlueButton Inc. and by respective authors (see below).

          This program is free software; you can redistribute it and/or modify it under the
          terms of the GNU Lesser General Public License as published by the Free Software
          Foundation; either version 3.0 of the License, or (at your option) any later
          version.

          BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY
          WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
          PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.

          You should have received a copy of the GNU Lesser General Public License along
          with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.

          -->
          <beans xmlns="http://www.springframework.org/schema/beans"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://www.springframework.org/schema/beans
                      http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                      ">

              <bean id="stun0" class="org.bigbluebutton.web.services.turn.StunServer">
                  <constructor-arg index="0" value="stun:turn.afpy.org"/>
              </bean>

              <bean id="turn0" class="org.bigbluebutton.web.services.turn.TurnServer">
                  <constructor-arg index="0" value="d24028cadb57a2029b6baab40c5a2e92"/>
                  <constructor-arg index="1" value="turn:turn.afpy.org:443?transport=tcp"/>
                  <constructor-arg index="2" value="86400"/>
              </bean>

              <bean id="stunTurnService" class="org.bigbluebutton.web.services.turn.StunTurnService">
                  <property name="stunServers">
                      <set>
                          <ref bean="stun0" />
                      </set>
                  </property>
                  <property name="turnServers">
                      <set>
                        <ref bean="turn0" />
                      </set>
                  </property>
                  <property name="remoteIceCandidates">
                      <set>
                      </set>
                  </property>
              </bean>
          </beans>
  handlers:
    - name: restart bbb
      command: bbb-conf --restart