Use domain instead of IP, add TLS endpoints

2023-12-17 17:57:49 +01:00
parent ca3f06f831
commit 8a97ebf4f8
6 changed files with 40 additions and 13 deletions
--- a/site-cookbooks/kosmos-ejabberd/recipes/coturn.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/coturn.rb
@@ -5,19 +5,27 @@

 apt_package 'coturn'

+domain = node["ejabberd"]["turn_domain"]
 credentials = data_bag_item("credentials", "ejabberd")

+tls_cert_for domain do
+  auth "gandi_dns"
+  action :create
+end
+
 template "/etc/turnserver.conf" do
  source "turnserver.conf.erb"
  mode 0644
  variables listening_port: node["ejabberd"]["stun_turn_port"],
-            tls_listening_port: node["ejabberd"]["stun_turn_port"],
-            listening_ip: node["ejabberd"]["turn_ip_address"],
-            relay_ip: node["ejabberd"]["turn_ip_address"],
+            tls_listening_port: node["ejabberd"]["stun_turn_port_tls"],
+            listening_ip: node["ipaddress"],
+            relay_ip: node["ipaddress"],
            min_port: node["ejabberd"]["turn_min_port"],
            max_port: node["ejabberd"]["turn_max_port"],
            static_auth_secret: credentials["stun_secret"],
-            realm: node["ejabberd"]["stun_auth_realm"]
+            realm: domain,
+            cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            pkey: "/etc/letsencrypt/live/#{domain}/privkey.pem"
  notifies :restart, "service[coturn]", :delayed
 end

@@ -27,6 +35,12 @@ firewall_rule 'ejabberd_stun_turn' do
  command  :allow
 end

+firewall_rule 'ejabberd_stun_turn_tls' do
+  port     node["ejabberd"]["stun_turn_port_tls"]
+  protocol :udp
+  command  :allow
+end
+
 firewall_rule 'ejabberd_turn' do
  port     node["ejabberd"]["turn_min_port"]..node["ejabberd"]["turn_max_port"]
  protocol :udp
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
@@ -183,10 +183,11 @@ template "/opt/ejabberd/conf/ejabberd.yml" do
  sensitive true
  variables hosts: hosts,
            admin_users: admin_users,
-            stun_auth_realm: node["ejabberd"]["stun_auth_realm"],
+            stun_auth_realm: node["ejabberd"]["turn_domain"],
            stun_secret: ejabberd_credentials['stun_secret'],
            turn_ip_address: node["ejabberd"]["turn_ip_address"],
            stun_turn_port: node["ejabberd"]["stun_turn_port"],
+            stun_turn_port_tls: node["ejabberd"]["stun_turn_port_tls"],
            turn_min_port: node["ejabberd"]["turn_min_port"],
            turn_max_port: node["ejabberd"]["turn_max_port"],
            private_ip_address: node["knife_zero"]["host"],