Use domain instead of IP, add TLS endpoints

2023-12-17 17:57:49 +01:00 · 2023-12-17 17:57:49 +01:00 · 8a97ebf4f8
commit 8a97ebf4f8
parent ca3f06f831
6 changed files with 40 additions and 13 deletions
--- a/environments/production.json
+++ b/environments/production.json
@ -17,7 +17,7 @@
      "public_url": "https://drone.kosmos.org"
    },
    "ejabberd": {
-      "turn_ip_address": "148.251.83.201"
+      "turn_domain": "turn.kosmos.org"
    },
    "garage": {
      "replication_mode": "2",
--- a/site-cookbooks/kosmos-ejabberd/attributes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/attributes/default.rb
@ -1,8 +1,8 @@
 node.default["ejabberd"]["version"] = "23.10"
 node.default["ejabberd"]["package_version"] = "1"
 node.default["ejabberd"]["checksum"] = "1b02108c81e22ab28be84630d54061f0584b76d5c2702e598352269736b05e77"
-node.default["ejabberd"]["stun_auth_realm"] = "kosmos.org"
+node.default["ejabberd"]["turn_domain"] = "turn.kosmos.org"
 node.default["ejabberd"]["stun_turn_port"] = 3478
+node.default["ejabberd"]["stun_turn_port_tls"] = 5349
 node.default["ejabberd"]["turn_min_port"] = 50000
 node.default["ejabberd"]["turn_max_port"] = 50999
-node.default["ejabberd"]["turn_ip_address"] = nil
--- a/site-cookbooks/kosmos-ejabberd/recipes/coturn.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/coturn.rb
@ -5,19 +5,27 @@

 apt_package 'coturn'

+domain = node["ejabberd"]["turn_domain"]
 credentials = data_bag_item("credentials", "ejabberd")

+tls_cert_for domain do
+  auth "gandi_dns"
+  action :create
+end
+
 template "/etc/turnserver.conf" do
  source "turnserver.conf.erb"
  mode 0644
  variables listening_port: node["ejabberd"]["stun_turn_port"],
-            tls_listening_port: node["ejabberd"]["stun_turn_port"],
-            listening_ip: node["ejabberd"]["turn_ip_address"],
-            relay_ip: node["ejabberd"]["turn_ip_address"],
+            tls_listening_port: node["ejabberd"]["stun_turn_port_tls"],
+            listening_ip: node["ipaddress"],
+            relay_ip: node["ipaddress"],
            min_port: node["ejabberd"]["turn_min_port"],
            max_port: node["ejabberd"]["turn_max_port"],
            static_auth_secret: credentials["stun_secret"],
-            realm: node["ejabberd"]["stun_auth_realm"]
+            realm: domain,
+            cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            pkey: "/etc/letsencrypt/live/#{domain}/privkey.pem"
  notifies :restart, "service[coturn]", :delayed
 end

@ -27,6 +35,12 @@ firewall_rule 'ejabberd_stun_turn' do
  command  :allow
 end

+firewall_rule 'ejabberd_stun_turn_tls' do
+  port     node["ejabberd"]["stun_turn_port_tls"]
+  protocol :udp
+  command  :allow
+end
+
 firewall_rule 'ejabberd_turn' do
  port     node["ejabberd"]["turn_min_port"]..node["ejabberd"]["turn_max_port"]
  protocol :udp
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
@ -183,10 +183,11 @@ template "/opt/ejabberd/conf/ejabberd.yml" do
  sensitive true
  variables hosts: hosts,
            admin_users: admin_users,
-            stun_auth_realm: node["ejabberd"]["stun_auth_realm"],
+            stun_auth_realm: node["ejabberd"]["turn_domain"],
            stun_secret: ejabberd_credentials['stun_secret'],
            turn_ip_address: node["ejabberd"]["turn_ip_address"],
            stun_turn_port: node["ejabberd"]["stun_turn_port"],
+            stun_turn_port_tls: node["ejabberd"]["stun_turn_port_tls"],
            turn_min_port: node["ejabberd"]["turn_min_port"],
            turn_max_port: node["ejabberd"]["turn_max_port"],
            private_ip_address: node["knife_zero"]["host"],
--- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
@ -233,17 +233,29 @@ modules:
    secret: <%= @stun_secret %>
    services:
      -
-        host: <%= @turn_ip_address %>
+        host: <%= @turn_domain %>
        port: <%= @stun_turn_port %>
        type: stun
        transport: udp
        restricted: false
      -
-        host: <%= @turn_ip_address %>
+        host: <%= @turn_domain %>
+        port: <%= @stun_turn_port_tls %>
+        type: stuns
+        transport: udp
+        restricted: false
+      -
+        host: <%= @turn_domain %>
        port: <%= @stun_turn_port %>
        type: turn
        transport: udp
        restricted: true
+      -
+        host: <%= @turn_domain %>
+        port: <%= @stun_turn_port_tls %>
+        type: turns
+        transport: tcp
+        restricted: true
  mod_vcard:
    search: false
  mod_vcard_xupdate: {}
--- a/site-cookbooks/kosmos-ejabberd/templates/turnserver.conf.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/turnserver.conf.erb
@ -436,14 +436,14 @@ realm=<%= @realm %>
 # Use an absolute path or path relative to the 
 # configuration file.
 #
-#cert=/usr/local/etc/turn_server_cert.pem
+cert=<%= @cert %>

 # Private key file.
 # Use an absolute path or path relative to the 
 # configuration file.
 # Use PEM file format.
 #
-#pkey=/usr/local/etc/turn_server_pkey.pem
+pkey=<%= @pkey %>

 # Private key file password, if it is in encoded format.
 # This option has no default value.
@ -642,7 +642,7 @@ syslog
 # By default it is always ON.
 # See also options cli-ip and cli-port.
 #
-#no-cli
+no-cli

 #Local system IP address to be used for CLI server endpoint. Default value
 # is 127.0.0.1.