a33ade02
Verified
Commit
a33ade02
authored
Oct 05, 2020
by
Jan Alexander Steffens (heftig)
matrix: Install coturn and enable TURN support
parent
839ba493
Changes
8
group_vars/all/vault_matrix.yml
roles/matrix/files/letsencrypt.hook.d
0 → 100644
#
!/
bin
/
sh
test
"$1"
=
renew
||
exit
0
systemctl
try
-
reload
-
or
-
restart
turnserver
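Review bot: `systemctl try-reload-or-restart turnserver` will always fall back to a full restart here, because the turnserver.service added in this same commit defines no ExecReload=, so every certificate renewal drops any relay sessions in progress. That is acceptable for a renew hook, but it is worth stating so nobody later assumes a graceful reload; I would add the comment `# turnserver.service has no ExecReload=, so this is a restart (active relay sessions drop)` above the systemctl line. If a future coturn offers a signal-based certificate reload, an ExecReload= in the unit would make this hook graceful without changing the script.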
roles/matrix/files/synapse.service
[Unit]
Description
=
Synapse Matrix homeserver
Requires
=
postgresql.service redis.service
After
=
network.target postgresql.service
Wants
=
turnserver.service
After
=
network.target postgresql.service turnserver.service
[Service]
Type
=
notify
...
...
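Review bot: The rewritten `After=` line still omits redis.service even though `Requires=postgresql.service redis.service` pulls it in; Requires= without a matching After= gives no start ordering, so synapse can be started while redis is not yet accepting connections. Since this commit already edits that line, it is the natural place to fix it: `After=network.target postgresql.service redis.service turnserver.service`. The rest of the unit (the [Service] section) continues outside the shown section.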
roles/matrix/files/turnserver.service
0 → 100644
[Unit]
Description
=
STUN and TURN relay server for VoIP and WebRTC
After
=
network.target
[Service]
Type
=
forking
ExecStart
=
/usr/bin/turnserver -o -v -c /etc/turnserver/turnserver.conf --pidfile /run/turnserver/turnserver.pid
PIDFile
=
/run/turnserver/turnserver.pid
RuntimeDirectory
=
turnserver
RuntimeDirectoryMode
=
0700
LogsDirectory
=
turnserver
[Install]
WantedBy
=
multi-user.target
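Review bot: The unit has no `User=`, so systemd creates /run/turnserver (mode 0700) and /var/log/turnserver owned by root, while the templated turnserver.conf.j2 in this commit makes the daemon switch to proc-user/proc-group=turnserver after initialisation. Whether the unprivileged process can still write /var/log/turnserver/turn.log (and the pidfile on a later restart) then depends on coturn opening those files before it drops privileges — I cannot tell from the unit alone, so please confirm on first deploy. If it turns out not to, `LogsDirectory=`/`RuntimeDirectory=` ownership can be fixed by adding `User=turnserver` and letting systemd, not coturn, do the privilege drop, at the cost of having to make the certificate and key readable to that user. A comment such as `# privilege drop is done by coturn (proc-user/proc-group in turnserver.conf), not by User=` would make the intent explicit either way.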
roles/matrix/handlers/main.yml
---
-
name
:
restart turnserver
systemd
:
name
:
turnserver
state
:
restarted
enabled
:
yes
daemon_reload
:
yes
-
name
:
restart synapse
systemd
:
name
:
synapse
...
...
roles/matrix/tasks/main.yml
...
...
@@ -7,6 +7,7 @@
-
name
:
install packages
pacman
:
name
:
-
coturn
-
freetype2
-
gcc
-
git
...
...
@@ -161,6 +162,14 @@
when
:
'
matrix_domain
is
defined'
tags
:
[
'
nginx'
]
-
name
:
install turnserver.conf
template
:
src=turnserver.conf.j2 dest=/etc/turnserver/turnserver.conf owner=root group=root mode=0644
notify
:
-
restart turnserver
-
name
:
install turnserver cert renewal hook
copy
:
src=letsencrypt.hook.d dest=/etc/letsencrypt/hook.d/turnserver owner=root group=root mode=0755
-
name
:
install synapse units
copy
:
src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items
:
...
...
@@ -176,6 +185,13 @@
notify
:
-
restart matrix-appservice-irc
-
name
:
install turnserver units
copy
:
src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items
:
-
turnserver.service
notify
:
-
restart turnserver
-
name
:
enable synapse units
service
:
name={{ item }} enabled=yes
with_items
:
...
...
@@ -194,10 +210,24 @@
notify
:
-
restart matrix-appservice-irc
-
name
:
enable turnserver units
service
:
name={{ item }} enabled=yes
with_items
:
-
turnserver.service
notify
:
-
restart turnserver
-
name
:
open firewall holes
ansible.posix.firewalld
:
port={{ item }} permanent=true state=enabled immediate=yes
with_items
:
# synapse's identd
-
113/tcp
# turnserver
-
3478-3479/tcp
-
3478-3479/udp
-
5349-5350/tcp
-
5349-5350/udp
-
33000-33999/udp
when
:
configure_firewall
tags
:
-
firewall
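Review bot: In the `install turnserver.conf` task (hunk `@@ -161,6 +162,14 @@`) the rendered file is installed with `mode=0644`, but turnserver.conf.j2 in this commit embeds the vault `turn_shared_secret` as `static-auth-secret`, so the TURN REST secret becomes readable by every local account. The unit starts as root and coturn reads its config before the proc-user drop, so `mode=0600` should suffice; if coturn turns out to re-read the file after switching uid, `group=turnserver mode=0640` keeps it out of world-readable space. Separately, the relay range `33000-33999/udp` in the `open firewall holes` task duplicates `min-port`/`max-port` in turnserver.conf.j2; a single variable rendered into both would prevent the two from drifting apart.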
roles/matrix/templates/homeserver.yaml.j2
...
...
@@ -1019,11 +1019,15 @@ url_preview_accept_language:
# The public URIs of the TURN server to give to clients
#
#turn_uris: []
turn_uris
:
-
"
turns:{{
matrix_domain
}}?transport=udp"
-
"
turns:{{
matrix_domain
}}?transport=tcp"
-
"
turn:{{
matrix_domain
}}?transport=udp"
-
"
turn:{{
matrix_domain
}}?transport=tcp"
# The shared secret used to compute passwords for the TURN server
#
#
turn_shared_secret: "
YOUR_SHARED_SECRET
"
turn_shared_secret
:
"
{{
vault_matrix_secrets[matrix_server_name].turn_shared_secret
}}
"
# The Username and password if the TURN server needs them and
# does not use a token
...
...
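Review bot: `turn_shared_secret` is interpolated inside YAML double quotes, so any `"` or `\` in the vault value either breaks the homeserver.yaml parse or silently changes the secret, and the same raw value goes into turnserver.conf.j2 without any escaping. Rendering it as `turn_shared_secret: {{ vault_matrix_secrets[matrix_server_name].turn_shared_secret | to_json }}` produces a correctly escaped scalar regardless of content. If the secret is generated as plain alphanumeric text this is moot today, but the template should not depend on that; a comment saying which character set the vault value is expected to use would at least document the assumption.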
roles/matrix/templates/turnserver.conf.j2
0 → 100644
# Lower and upper bounds of the UDP relay endpoints:
min-port=33000
max-port=33999
# TURN REST API flag.
use-auth-secret
# 'Static' authentication secret value (a string) for TURN REST API only.
static-auth-secret="{{ vault_matrix_secrets[matrix_server_name].turn_shared_secret }}"
# The default realm to be used for the users when no explicit
# origin/realm relationship is found in the database, or if the TURN
# server is not using any database (just the commands-line settings
# and the userdb file). Must be used with long-term credentials
# mechanism or with TURN REST API.
realm={{ matrix_domain }}
# Uncomment if no TCP relay endpoints are allowed.
no-tcp-relay
# Certificate file.
cert=/etc/letsencrypt/live/{{ matrix_domain }}/fullchain.pem
# Private key file.
pkey=/etc/letsencrypt/live/{{ matrix_domain }}/privkey.pem
# Allowed OpenSSL cipher list for TLS/DTLS connections.
cipher-list="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
# Use custom DH TLS key, stored in PEM format in the file.
dh-file=/etc/ssl/dhparams.pem
# Flag to prevent stdout log messages.
no-stdout-log
# Option to set the log file name.
log-file=/var/log/turnserver/turn.log
# Option to redirect all log output into system log (syslog).
syslog
# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
no-multicast-peers
# User name to run the process. After the initialization, the turnserver process
# will attempt to change the current user ID to that user.
proc-user=turnserver
# Group name to run the process. After the initialization, the turnserver process
# will attempt to change the current group ID to that group.
proc-group=turnserver
# Turn OFF the CLI support.
no-cli
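Review bot: The relay forbids multicast peers but not loopback, link-local or RFC1918 peers, so an authenticated client can ask this TURN server to relay traffic to hosts on the server's own network (other services on this box, or neighbours behind the same firewall); Synapse's TURN guidance recommends denying those ranges explicitly. Add `denied-peer-ip=` entries after `no-multicast-peers` as below. If the packaged coturn supports them, `no-tlsv1` and `no-tlsv1_1` would also complement the already restricted `cipher-list`.

```ini
# … unchanged: no-multicast-peers …
# Never relay to the server's own network: loopback, RFC1918, link-local
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=::1
# … unchanged: proc-user / proc-group / no-cli …
```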