Verified Commit a33ade02 authored by Jan Alexander Steffens (heftig)'s avatar Jan Alexander Steffens (heftig)

matrix: Install coturn and enable TURN support

parent 839ba493
#!/bin/sh
test "$1" = renew || exit 0
systemctl try-reload-or-restart turnserver
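Review bot: The `systemctl try-reload-or-restart turnserver` on the last line will always degrade to a full restart, because the turnserver.service unit added elsewhere in this commit declares no `ExecReload=`, so every certificate renewal tears down active relay allocations (in-progress calls) rather than just swapping the certificate. If the packaged coturn can re-read `cert`/`pkey` on a signal, exposing that as `ExecReload=` in the unit would turn this hook into a genuine reload; that capability should be confirmed against the installed version's documentation before relying on it. The `$1 = renew` contract is also undocumented here; a comment such as `# $1 is the hook phase passed by the renewal runner; only act on "renew"` would record what the script expects from its caller.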
[Unit]
Description=Synapse Matrix homeserver
Requires=postgresql.service redis.service
After=network.target postgresql.service
Wants=turnserver.service
After=network.target postgresql.service turnserver.service
[Service]
Type=notify
......
[Unit]
Description=STUN and TURN relay server for VoIP and WebRTC
After=network.target
[Service]
Type=forking
ExecStart=/usr/bin/turnserver -o -v -c /etc/turnserver/turnserver.conf --pidfile /run/turnserver/turnserver.pid
PIDFile=/run/turnserver/turnserver.pid
RuntimeDirectory=turnserver
RuntimeDirectoryMode=0700
LogsDirectory=turnserver
[Install]
WantedBy=multi-user.target
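Review bot: The [Service] section has no sandboxing directives, so the process runs as an unconfined root until coturn itself switches to the `proc-user`/`proc-group` configured in turnserver.conf.j2. As far as the paths visible in this commit go (pidfile under `/run/turnserver` via RuntimeDirectory, logs under `/var/log/turnserver` via LogsDirectory, read-only access to `/etc/turnserver`, `/etc/letsencrypt` and `/etc/ssl/dhparams.pem`), adding `ProtectSystem=full`, `ProtectHome=true` and `PrivateTmp=true` would not break anything and narrows what a compromised relay can touch; any writable state path coturn uses beyond those should be checked before enabling them. Separately, the unit has no `Restart=` policy, so a crashed relay stays down until the next renewal hook or manual action; `Restart=on-failure` is the usual choice for a network daemon like this.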
---
- name: restart turnserver
systemd:
name: turnserver
state: restarted
enabled: yes
daemon_reload: yes
- name: restart synapse
systemd:
name: synapse
......
......@@ -7,6 +7,7 @@
- name: install packages
pacman:
name:
- coturn
- freetype2
- gcc
- git
......@@ -161,6 +162,14 @@
when: 'matrix_domain is defined'
tags: ['nginx']
- name: install turnserver.conf
template: src=turnserver.conf.j2 dest=/etc/turnserver/turnserver.conf owner=root group=root mode=0644
notify:
- restart turnserver
- name: install turnserver cert renewal hook
copy: src=letsencrypt.hook.d dest=/etc/letsencrypt/hook.d/turnserver owner=root group=root mode=0755
- name: install synapse units
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
......@@ -176,6 +185,13 @@
notify:
- restart matrix-appservice-irc
- name: install turnserver units
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
- turnserver.service
notify:
- restart turnserver
- name: enable synapse units
service: name={{ item }} enabled=yes
with_items:
......@@ -194,10 +210,24 @@
notify:
- restart matrix-appservice-irc
- name: enable turnserver units
service: name={{ item }} enabled=yes
with_items:
- turnserver.service
notify:
- restart turnserver
- name: open firewall holes
ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes
with_items:
# synapse's identd
- 113/tcp
# turnserver
- 3478-3479/tcp
- 3478-3479/udp
- 5349-5350/tcp
- 5349-5350/udp
- 33000-33999/udp
when: configure_firewall
tags:
- firewall
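Review bot: The `install turnserver.conf` task in hunk @@ -161,6 +162,14 @@ renders the template with `mode=0644`, yet turnserver.conf.j2 in this same commit embeds the vault-sourced TURN shared secret in `static-auth-secret=`, so that secret becomes readable by every local account on the host. Because the unit starts turnserver as root and the config names `proc-group=turnserver`, `template: src=turnserver.conf.j2 dest=/etc/turnserver/turnserver.conf owner=root group=turnserver mode=0640` keeps the file readable by the daemon both before and after it drops privileges while closing it to other users. That the `turnserver` group exists at template time is inferred from the conf's own `proc-group` line and from the coturn package being installed in the earlier hunk, not from anything the tasks assert.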
......@@ -1019,11 +1019,15 @@ url_preview_accept_language:
# The public URIs of the TURN server to give to clients
#
#turn_uris: []
turn_uris:
- "turns:{{ matrix_domain }}?transport=udp"
- "turns:{{ matrix_domain }}?transport=tcp"
- "turn:{{ matrix_domain }}?transport=udp"
- "turn:{{ matrix_domain }}?transport=tcp"
# The shared secret used to compute passwords for the TURN server
#
#turn_shared_secret: "YOUR_SHARED_SECRET"
turn_shared_secret: "{{ vault_matrix_secrets[matrix_server_name].turn_shared_secret }}"
# The Username and password if the TURN server needs them and
# does not use a token
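Review bot: Nothing in the `turn_shared_secret` line records that it must stay byte-identical to `static-auth-secret` in turnserver.conf.j2; both currently read the same vault key, so they agree by construction, but that coupling is invisible to someone editing either template later. A comment above the value such as `# must match static-auth-secret in turnserver.conf.j2 (same vault key)` would preserve the invariant. The four `turn_uris` omit ports, which means clients fall back to the protocol defaults; that is consistent with the 3478/5349 ranges opened in the firewall task, but stating so in a comment would make the dependency explicit.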
......
# Lower and upper bounds of the UDP relay endpoints:
min-port=33000
max-port=33999
# TURN REST API flag.
use-auth-secret
# 'Static' authentication secret value (a string) for TURN REST API only.
static-auth-secret="{{ vault_matrix_secrets[matrix_server_name].turn_shared_secret }}"
# The default realm to be used for the users when no explicit
# origin/realm relationship is found in the database, or if the TURN
# server is not using any database (just the commands-line settings
# and the userdb file). Must be used with long-term credentials
# mechanism or with TURN REST API.
realm={{ matrix_domain }}
# Uncomment if no TCP relay endpoints are allowed.
no-tcp-relay
# Certificate file.
cert=/etc/letsencrypt/live/{{ matrix_domain }}/fullchain.pem
# Private key file.
pkey=/etc/letsencrypt/live/{{ matrix_domain }}/privkey.pem
# Allowed OpenSSL cipher list for TLS/DTLS connections.
cipher-list="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
# Use custom DH TLS key, stored in PEM format in the file.
dh-file=/etc/ssl/dhparams.pem
# Flag to prevent stdout log messages.
no-stdout-log
# Option to set the log file name.
log-file=/var/log/turnserver/turn.log
# Option to redirect all log output into system log (syslog).
syslog
# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
no-multicast-peers
# User name to run the process. After the initialization, the turnserver process
# will attempt to change the current user ID to that user.
proc-user=turnserver
# Group name to run the process. After the initialization, the turnserver process
# will attempt to change the current group ID to that group.
proc-group=turnserver
# Turn OFF the CLI support.
no-cli