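---
# Provisions a coturn TURN/STUN server (play 1) and points BigBlueButton at it
# (play 2). Both plays must agree on the TURN shared secret: it lives once, in
# the vaulted variable below, and is reused by the bbb play through a YAML alias
# instead of being repeated in cleartext.
- hosts: turn
  vars:
    # Shared secret for coturn's TURN REST API authentication (use-auth-secret).
    # Anchored so the bbb play can reference the same vaulted value.
    turnserver_secret: &turnserver_secret !vault |
      $ANSIBLE_VAULT;1.1;AES256
      61643630616332343933343663623032346565636431613332373031663834616662343763353863
      3165323337616264353335613036396663356666666333310a333530383736376134646332633638
      37633763623039326364356661616436663136623838343734316633373936353465636538353366
      6236356562343335370a356530353563353865383635643239666438323365346137626634356533
      31633538363865323066323166323564633439326538386230323132663032653731303165623132
      3064313963616432383936626437313566653637313130666430

  tasks:
    - name: Basic setup
      include_role:
        name: common

    - name: Install coturn and certbot
      apt:
        name: [coturn, certbot]
        state: present

    # coturn reads its own copies of the certificate and the DH parameters from
    # this directory; it must exist before the certbot deploy hook or the
    # dhparam task writes into it.
    - name: Create /etc/turnserver directory
      file:
        path: /etc/turnserver
        state: directory
        mode: "0755"

    - name: Ensure certbot deploy-hook directory exists
      file:
        path: /etc/letsencrypt/renewal-hooks/deploy
        state: directory
        mode: "0755"

    # Installed before the certificate is requested so that no renewal can
    # happen without the hook in place.
    - name: Configure certbot renewal hook for coturn
      copy:
        dest: /etc/letsencrypt/renewal-hooks/deploy/coturn
        mode: "0755"
        content: |
          #!/bin/bash -e
          # Copy the (renewed) certificate to a path readable by the turnserver
          # user, atomically via a .new file, then ask coturn to reload its TLS
          # material (SIGUSR2) without a full restart.
          for certfile in fullchain.pem privkey.pem ; do
            cp -L /etc/letsencrypt/live/turn.afpy.org/"${certfile}" /etc/turnserver/"${certfile}".new
            chown turnserver:turnserver /etc/turnserver/"${certfile}".new
            mv /etc/turnserver/"${certfile}".new /etc/turnserver/"${certfile}"
          done
          systemctl kill -sUSR2 coturn.service

    - name: Get TLS certificate
      command: certbot certonly --standalone --preferred-challenges http -d turn.afpy.org -n --agree-tos -m {{ letsencrypt_email | quote }}
      register: certbot
      # certbot prints this sentence when the existing certificate is still valid.
      changed_when: '"no action taken." not in certbot.stdout'

    # Hooks in renewal-hooks/deploy are not guaranteed to run on the initial
    # issuance (depends on the certbot version), so the first certificate is
    # copied into /etc/turnserver explicitly; the hook is idempotent.
    - name: Deploy initial certificate to coturn
      command: /etc/letsencrypt/renewal-hooks/deploy/coturn
      when: certbot is changed

    - name: Create dhp.pem file
      command: openssl dhparam -dsaparam -out /etc/turnserver/dhp.pem 2048
      args:
        creates: /etc/turnserver/dhp.pem

    - name: Configure turnserver
      blockinfile:
        path: /etc/turnserver.conf
        block: |
          listening-port=3478
          tls-listening-port=443

          listening-ip={{ ansible_default_ipv4.address }}
          relay-ip={{ ansible_default_ipv4.address }}

          min-port=32769
          max-port=65535
          verbose

          fingerprint
          lt-cred-mech
          use-auth-secret
          static-auth-secret={{ turnserver_secret }}

          realm=afpy.org

          cert=/etc/turnserver/fullchain.pem
          pkey=/etc/turnserver/privkey.pem
          # From https://ssl-config.mozilla.org/ Intermediate, openssl 1.1.0g, 2020-01
          cipher-list="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
          dh-file=/etc/turnserver/dhp.pem

          keep-address-family

          no-cli
          no-tlsv1
          no-tlsv1_1

          # Block connections to IP ranges which shouldn't be reachable
          no-loopback-peers
          no-multicast-peers

          # Private (LAN) addresses
          # If you are running BigBlueButton within a LAN, you might need to add an "allow" rule for your address range.
          # IPv4 Private-Use
          denied-peer-ip=10.0.0.0-10.255.255.255
          denied-peer-ip=172.16.0.0-172.31.255.255
          denied-peer-ip=192.168.0.0-192.168.255.255
          # Other IPv4 Special-Purpose addresses
          denied-peer-ip=100.64.0.0-100.127.255.255
          denied-peer-ip=169.254.0.0-169.254.255.255
          denied-peer-ip=192.0.0.0-192.0.0.255
          denied-peer-ip=192.0.2.0-192.0.2.255
          denied-peer-ip=198.18.0.0-198.19.255.255
          denied-peer-ip=198.51.100.0-198.51.100.255
          denied-peer-ip=203.0.113.0-203.0.113.255
          # IPv6 Unique-Local
          denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
          # IPv6 Link-Local Unicast
          denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
          # Other IPv6 Special-Purpose assignments
          denied-peer-ip=::ffff:0:0-::ffff:ffff:ffff
          denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
          denied-peer-ip=64:ff9b:1::-64:ff9b:1:ffff:ffff:ffff:ffff:ffff
          denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
          denied-peer-ip=2001:db8::-2001:db8:ffff:ffff:ffff:ffff:ffff:ffff
          denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      notify: restart coturn

    - name: Create coturn service directory
      file:
        path: /etc/systemd/system/coturn.service.d
        state: directory
        mode: "0755"

    # Raise the fd limit for many concurrent relays and let the unprivileged
    # service bind the TLS listener on 443 without running as root.
    - name: Configure coturn service override
      copy:
        dest: /etc/systemd/system/coturn.service.d/override.conf
        content: |
          [Service]
          LimitNOFILE=1048576
          AmbientCapabilities=CAP_NET_BIND_SERVICE
          Restart=always
      notify: restart coturn

  handlers:
    - name: restart coturn
      systemd:
        name: coturn
        state: restarted
        # The override.conf drop-in is only picked up after a daemon-reload.
        daemon_reload: true

- hosts: bbb
  vars:
    # Same vaulted secret as the turn play (YAML alias); bbb-web must present
    # the secret coturn validates against.
    # NOTE(review): this play previously embedded the secret as a cleartext
    # literal in the XML below. Confirm the vaulted value is the one coturn is
    # actually using (or rotate it on both sides together), since the old
    # literal was committed to the repository.
    turnserver_secret: *turnserver_secret

  tasks:
    # NOTE(review): this file carries the shared secret; 0644 leaves it readable
    # by every local account on the bbb host. Consider group-owning it by the
    # service user that runs bbb-web and dropping world read.
    - name: configure turn host
      notify: restart bbb
      copy:
        dest: /usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml
        owner: root
        group: root
        mode: "0644"
        content: |
          <?xml version="1.0" encoding="UTF-8"?>
          <!--

          BigBlueButton open source conferencing system - http://www.bigbluebutton.org/

          Copyright (c) 2012 BigBlueButton Inc. and by respective authors (see below).

          This program is free software; you can redistribute it and/or modify it under the
          terms of the GNU Lesser General Public License as published by the Free Software
          Foundation; either version 3.0 of the License, or (at your option) any later
          version.

          BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY
          WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
          PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.

          You should have received a copy of the GNU Lesser General Public License along
          with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.

          -->
          <beans xmlns="http://www.springframework.org/schema/beans"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://www.springframework.org/schema/beans
                  http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
              ">

              <bean id="stun0" class="org.bigbluebutton.web.services.turn.StunServer">
                  <constructor-arg index="0" value="stun:turn.afpy.org"/>
              </bean>

              <bean id="turn0" class="org.bigbluebutton.web.services.turn.TurnServer">
                  <constructor-arg index="0" value="{{ turnserver_secret }}"/>
                  <constructor-arg index="1" value="turn:turn.afpy.org:443?transport=tcp"/>
                  <constructor-arg index="2" value="86400"/>
              </bean>

              <bean id="stunTurnService" class="org.bigbluebutton.web.services.turn.StunTurnService">
                  <property name="stunServers">
                      <set>
                          <ref bean="stun0" />
                      </set>
                  </property>
                  <property name="turnServers">
                      <set>
                          <ref bean="turn0" />
                      </set>
                  </property>
                  <property name="remoteIceCandidates">
                      <set>
                      </set>
                  </property>
              </bean>
          </beans>

  handlers:
    - name: restart bbb
      command: bbb-conf --restart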