From 8a97ebf4f80e46913c20c34a951b84f5fe0e0789 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Sun, 17 Dec 2023 17:57:49 +0100
Subject: [PATCH] Use domain instead of IP, add TLS endpoints
---
 environments/production.json | 2 +-
 .../kosmos-ejabberd/attributes/default.rb | 4 ++--
 .../kosmos-ejabberd/recipes/coturn.rb | 22 +++++++++++++++----
 .../kosmos-ejabberd/recipes/default.rb | 3 ++-
 .../templates/ejabberd.yml.erb | 16 ++++++++++++--
 .../templates/turnserver.conf.erb | 6 ++---
 6 files changed, 40 insertions(+), 13 deletions(-)
diff --git a/environments/production.json b/environments/production.json
index cdc5ada..bb9c577 100644
--- a/environments/production.json
+++ b/environments/production.json
@@ -17,7 +17,7 @@
 "public_url": "https://drone.kosmos.org"
 },
 "ejabberd": {
- "turn_ip_address": "148.251.83.201"
+ "turn_domain": "turn.kosmos.org"
 },
 "garage": {
 "replication_mode": "2",
diff --git a/site-cookbooks/kosmos-ejabberd/attributes/default.rb b/site-cookbooks/kosmos-ejabberd/attributes/default.rb
index b428b7e..a0930f4 100644
--- a/site-cookbooks/kosmos-ejabberd/attributes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/attributes/default.rb
@@ -1,8 +1,8 @@
 node.default["ejabberd"]["version"] = "23.10"
 node.default["ejabberd"]["package_version"] = "1"
 node.default["ejabberd"]["checksum"] = "1b02108c81e22ab28be84630d54061f0584b76d5c2702e598352269736b05e77"
-node.default["ejabberd"]["stun_auth_realm"] = "kosmos.org"
+node.default["ejabberd"]["turn_domain"] = "turn.kosmos.org"
 node.default["ejabberd"]["stun_turn_port"] = 3478
+node.default["ejabberd"]["stun_turn_port_tls"] = 5349
 node.default["ejabberd"]["turn_min_port"] = 50000
 node.default["ejabberd"]["turn_max_port"] = 50999
-node.default["ejabberd"]["turn_ip_address"] = nil
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/coturn.rb b/site-cookbooks/kosmos-ejabberd/recipes/coturn.rb
index b7ee512..a9b581b 100644
--- a/site-cookbooks/kosmos-ejabberd/recipes/coturn.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/coturn.rb @@ -5,19 +5,27 @@ apt_package 'coturn' +domain = node["ejabberd"]["turn_domain"] credentials = data_bag_item("credentials", "ejabberd") +tls_cert_for domain do + auth "gandi_dns" + action :create +end + template "/etc/turnserver.conf" do source "turnserver.conf.erb" mode 0644 variables listening_port: node["ejabberd"]["stun_turn_port"], - tls_listening_port: node["ejabberd"]["stun_turn_port"], - listening_ip: node["ejabberd"]["turn_ip_address"], - relay_ip: node["ejabberd"]["turn_ip_address"], + tls_listening_port: node["ejabberd"]["stun_turn_port_tls"], + listening_ip: node["ipaddress"], + relay_ip: node["ipaddress"], min_port: node["ejabberd"]["turn_min_port"], max_port: node["ejabberd"]["turn_max_port"], static_auth_secret: credentials["stun_secret"], - realm: node["ejabberd"]["stun_auth_realm"] + realm: domain, + cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", + pkey: "/etc/letsencrypt/live/#{domain}/privkey.pem" notifies :restart, "service[coturn]", :delayed end @@ -27,6 +35,12 @@ firewall_rule 'ejabberd_stun_turn' do command :allow end +firewall_rule 'ejabberd_stun_turn_tls' do + port node["ejabberd"]["stun_turn_port_tls"] + protocol :udp + command :allow +end + firewall_rule 'ejabberd_turn' do port node["ejabberd"]["turn_min_port"]..node["ejabberd"]["turn_max_port"] protocol :udp diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index a34a7f7..9c98357 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb 
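Review bot: The new `cert:`/`pkey:` variables point coturn at `/etc/letsencrypt/live/#{domain}/privkey.pem`, and Let's Encrypt keeps that key and the `live/` directory readable by root only, so if coturn drops to an unprivileged service user on this host (the Debian `coturn` package installed by `apt_package 'coturn'` runs it as `turnserver`) the TLS listener will fail to load the key while the plaintext STUN/TURN listeners keep working; confirm the key is readable by that user or have the recipe copy the pair out with a restricted owner. Separately, nothing restarts coturn when `tls_cert_for domain` renews the certificate, so unless that resource handles it itself the daemon keeps serving the old chain until its next restart; `notifies :restart, "service[coturn]", :delayed` inside the `tls_cert_for` block closes that gap. While here, `/etc/turnserver.conf` carries `static_auth_secret` and the key path but is still written with `mode 0644`; `mode 0640` with the service user as owner keeps it from other local accounts.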
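Review bot: The new `ejabberd_stun_turn_tls` rule opens `stun_turn_port_tls` for `:udp` only, while `ejabberd.yml.erb` in this same patch advertises a `turns` service on that port with `transport: tcp`, so TURN-over-TLS clients will be firewalled out unless TCP on that port is allowed somewhere else in the run list. A sibling rule for `:tcp` on the same port covers the advertised endpoint. The `firewall_rule 'ejabberd_stun_turn'` resource whose tail opens this hunk begins outside it.
```ruby
# … unchanged: firewall_rule 'ejabberd_stun_turn_tls' (udp) …
firewall_rule 'ejabberd_stun_turn_tls_tcp' do
  port node["ejabberd"]["stun_turn_port_tls"]
  protocol :tcp
  command :allow
end
```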
@@ -183,10 +183,11 @@ template "/opt/ejabberd/conf/ejabberd.yml" do
 sensitive true
 variables hosts: hosts,
 admin_users: admin_users,
- stun_auth_realm: node["ejabberd"]["stun_auth_realm"],
+ stun_auth_realm: node["ejabberd"]["turn_domain"],
 stun_secret: ejabberd_credentials['stun_secret'],
 turn_ip_address: node["ejabberd"]["turn_ip_address"],
 stun_turn_port: node["ejabberd"]["stun_turn_port"],
+ stun_turn_port_tls: node["ejabberd"]["stun_turn_port_tls"],
 turn_min_port: node["ejabberd"]["turn_min_port"],
 turn_max_port: node["ejabberd"]["turn_max_port"],
 private_ip_address: node["knife_zero"]["host"],
diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
index 79bd591..64b89df 100644
--- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
@@ -233,17 +233,29 @@ modules:
 secret: <%= @stun_secret %>
 services:
 -
- host: <%= @turn_ip_address %>
+ host: <%= @turn_domain %>
 port: <%= @stun_turn_port %>
 type: stun
 transport: udp
 restricted: false
 -
- host: <%= @turn_ip_address %>
+ host: <%= @turn_domain %>
+ port: <%= @stun_turn_port_tls %>
+ type: stuns
+ transport: udp
+ restricted: false
+ -
+ host: <%= @turn_domain %>
 port: <%= @stun_turn_port %>
 type: turn
 transport: udp
 restricted: true
+ -
+ host: <%= @turn_domain %>
+ port: <%= @stun_turn_port_tls %>
+ type: turns
+ transport: tcp
+ restricted: true
 mod_vcard:
 search: false
 mod_vcard_xupdate: {}
diff --git a/site-cookbooks/kosmos-ejabberd/templates/turnserver.conf.erb b/site-cookbooks/kosmos-ejabberd/templates/turnserver.conf.erb
index 257684d..cdb1054 100644
--- a/site-cookbooks/kosmos-ejabberd/templates/turnserver.conf.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/turnserver.conf.erb
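Review bot: `ejabberd.yml.erb` in this patch renders `host: <%= @turn_domain %>` for all four services, but this `variables` call never passes a `turn_domain` variable (the attribute is only mapped onto `stun_auth_realm`), so every `host:` line will be rendered with no value; at the same time the context line `turn_ip_address: node["ejabberd"]["turn_ip_address"],` now evaluates to nil because that attribute was removed from `attributes/default.rb` and `production.json` in this same patch. Replace the stale line with `turn_domain: node["ejabberd"]["turn_domain"],` and keep the `stun_auth_realm:` mapping as is. The `template "/opt/ejabberd/conf/ejabberd.yml" do` block begins and ends outside the hunk.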
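Review bot: The new `stuns` entry on `@stun_turn_port_tls` is declared with `transport: udp`, which XEP-0215 clients read as STUN over DTLS, whereas the `turns` entry below it uses `transport: tcp`; coturn serves DTLS on its TLS port only when DTLS is not disabled in `turnserver.conf`, and the firewall rule added in `recipes/coturn.rb` opens that port for UDP only, so this service may be advertised but unreachable. If DTLS is not meant to be offered, `transport: tcp` on the `stuns` entry keeps the advertised services consistent with what the server actually listens on; if it is, a short comment above the entry stating that UDP here means DTLS would save the next reader the check. The module block enclosing `services:` begins outside the hunk.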
@@ -436,14 +436,14 @@ realm=<%= @realm %> # Use an absolute path or path relative to the # configuration file. # -#cert=/usr/local/etc/turn_server_cert.pem +cert=<%= @cert %> # Private key file. # Use an absolute path or path relative to the # configuration file. # Use PEM file format. # -#pkey=/usr/local/etc/turn_server_pkey.pem +pkey=<%= @pkey %> # Private key file password, if it is in encoded format. # This option has no default value. @@ -642,7 +642,7 @@ syslog # By default it is always ON. # See also options cli-ip and cli-port. # -#no-cli +no-cli #Local system IP address to be used for CLI server endpoint. Default value # is 127.0.0.1.