matrix: Install coturn and enable TURN support

a33ade02 · Jan Alexander Steffens (heftig) · 839ba493 · a33ade02 · a33ade02 · a33ade02
Verified Commit a33ade02 authored Oct 05, 2020 by Jan Alexander Steffens (heftig)
--- a/group_vars/all/vault_matrix.yml
+++ b/group_vars/all/vault_matrix.yml
--- a/roles/matrix/files/letsencrypt.hook.d
+++ b/roles/matrix/files/letsencrypt.hook.d
+#!/bin/sh
+
+test "$1" = renew || exit 0
+
+systemctl try-reload-or-restart turnserver
--- a/roles/matrix/files/synapse.service
+++ b/roles/matrix/files/synapse.service
 [Unit]
 Description=Synapse Matrix homeserver
 Requires=postgresql.service redis.service
-After=network.target postgresql.service
+Wants=turnserver.service
+After=network.target postgresql.service turnserver.service

 [Service]
 Type=notify

--- a/roles/matrix/files/turnserver.service
+++ b/roles/matrix/files/turnserver.service
+[Unit]
+Description=STUN and TURN relay server for VoIP and WebRTC
+After=network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/bin/turnserver -o -v -c /etc/turnserver/turnserver.conf --pidfile /run/turnserver/turnserver.pid
+PIDFile=/run/turnserver/turnserver.pid
+RuntimeDirectory=turnserver
+RuntimeDirectoryMode=0700
+LogsDirectory=turnserver
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/matrix/handlers/main.yml
+++ b/roles/matrix/handlers/main.yml
 ---

+- name: restart turnserver
+  systemd:
+    name: turnserver
+    state: restarted
+    enabled: yes
+    daemon_reload: yes
+
 - name: restart synapse
  systemd:
    name: synapse

--- a/roles/matrix/tasks/main.yml
+++ b/roles/matrix/tasks/main.yml
@@ -7,6 +7,7 @@
 - name: install packages
  pacman:
    name:
+      - coturn
      - freetype2
      - gcc
      - git
@@ -161,6 +162,14 @@
  when: 'matrix_domain is defined'
  tags: ['nginx']

+- name: install turnserver.conf
+  template: src=turnserver.conf.j2 dest=/etc/turnserver/turnserver.conf owner=root group=root mode=0644
+  notify:
+    - restart turnserver
+
+- name: install turnserver cert renewal hook
+  copy: src=letsencrypt.hook.d dest=/etc/letsencrypt/hook.d/turnserver owner=root group=root mode=0755
+
 - name: install synapse units
  copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
  with_items:
@@ -176,6 +185,13 @@
  notify:
    - restart matrix-appservice-irc

+- name: install turnserver units
+  copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
+  with_items:
+    - turnserver.service
+  notify:
+    - restart turnserver
+
 - name: enable synapse units
  service: name={{ item }} enabled=yes
  with_items:
@@ -194,10 +210,24 @@
  notify:
    - restart matrix-appservice-irc

+- name: enable turnserver units
+  service: name={{ item }} enabled=yes
+  with_items:
+    - turnserver.service
+  notify:
+    - restart turnserver
+
 - name: open firewall holes
  ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes
  with_items:
+    # synapse's identd
    - 113/tcp
+    # turnserver
+    - 3478-3479/tcp
+    - 3478-3479/udp
+    - 5349-5350/tcp
+    - 5349-5350/udp
+    - 33000-33999/udp
  when: configure_firewall
  tags:
    - firewall
--- a/roles/matrix/templates/homeserver.yaml.j2
+++ b/roles/matrix/templates/homeserver.yaml.j2
@@ -1019,11 +1019,15 @@ url_preview_accept_language:

 # The public URIs of the TURN server to give to clients
 #
-#turn_uris: []
+turn_uris:
+  - "turns:{{ matrix_domain }}?transport=udp"
+  - "turns:{{ matrix_domain }}?transport=tcp"
+  - "turn:{{ matrix_domain }}?transport=udp"
+  - "turn:{{ matrix_domain }}?transport=tcp"

 # The shared secret used to compute passwords for the TURN server
 #
-#turn_shared_secret: "YOUR_SHARED_SECRET"
+turn_shared_secret: "{{ vault_matrix_secrets[matrix_server_name].turn_shared_secret }}"

 # The Username and password if the TURN server needs them and
 # does not use a token

--- a/roles/matrix/templates/turnserver.conf.j2
+++ b/roles/matrix/templates/turnserver.conf.j2
+# Lower and upper bounds of the UDP relay endpoints:
+min-port=33000
+max-port=33999
+
+# TURN REST API flag.
+use-auth-secret
+
+# 'Static' authentication secret value (a string) for TURN REST API only.
+static-auth-secret="{{ vault_matrix_secrets[matrix_server_name].turn_shared_secret }}"
+
+# The default realm to be used for the users when no explicit
+# origin/realm relationship is found in the database, or if the TURN
+# server is not using any database (just the commands-line settings
+# and the userdb file). Must be used with long-term credentials
+# mechanism or with TURN REST API.
+realm={{ matrix_domain }}
+
+# Uncomment if no TCP relay endpoints are allowed.
+no-tcp-relay
+
+# Certificate file.
+cert=/etc/letsencrypt/live/{{ matrix_domain }}/fullchain.pem
+
+# Private key file.
+pkey=/etc/letsencrypt/live/{{ matrix_domain }}/privkey.pem
+
+# Allowed OpenSSL cipher list for TLS/DTLS connections.
+cipher-list="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
+
+# Use custom DH TLS key, stored in PEM format in the file.
+dh-file=/etc/ssl/dhparams.pem
+
+# Flag to prevent stdout log messages.
+no-stdout-log
+
+# Option to set the log file name.
+log-file=/var/log/turnserver/turn.log
+
+# Option to redirect all log output into system log (syslog).
+syslog
+
+# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
+no-multicast-peers
+
+# User name to run the process. After the initialization, the turnserver process
+# will attempt to change the current user ID to that user.
+proc-user=turnserver
+
+# Group name to run the process. After the initialization, the turnserver process
+# will attempt to change the current group ID to that group.
+proc-group=turnserver
+
+# Turn OFF the CLI support.
+no-cli