Configure STUN/TURN for ejabberd and nginx proxy

This commit is contained in:
2022-05-11 15:12:10 +02:00
parent 36e52a3cf1
commit c158f845f0
9 changed files with 185 additions and 24 deletions


@@ -1,7 +1,9 @@
node.default["kosmos-ejabberd"]["version"] = "20.12"
node.default["kosmos-ejabberd"]["checksum"] = "3d2a4e9d1aa2d189017f4f310eff4d0b6c6d7cd911209cfbcca7b0ec5b577b65"
node.default["kosmos-ejabberd"]["turn_ip_address"] = "148.251.83.201"
node.default["kosmos-ejabberd"]["stun_turn_port"] = 3478
node.default["kosmos-ejabberd"]["turn_min_port"] = 50000
node.default["kosmos-ejabberd"]["turn_max_port"] = 55000
node.default["kosmos-ejabberd"]["turn_max_port"] = 50050
node.override["tor"]["HiddenServices"]["ejabberd"] = {
"HiddenServicePorts" => [
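Review bot: `turn_max_port` is assigned twice in this hunk, 55000 on one line and 50050 on the next; in a Chef attribute file the later `node.default[...]` write wins, so if both lines are on the new side the 55000 line is dead and the effective relay range is 50000–50050, which is also the only range the nginx stream template in this commit can sensibly expand port by port. Keep a single assignment and record why the range is deliberately small, e.g. `# 51 relay ports only: the nginx stream proxy opens every port of this range`. It is also worth a comment that `turn_ip_address` is the publicly reachable proxy address rather than the ejabberd node's own host, since the default recipe previously used `node["knife_zero"]["host"]` for it.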


@@ -161,7 +161,9 @@ template "/opt/ejabberd/conf/ejabberd.yml" do
variables hosts: hosts,
admin_users: admin_users,
stun_auth_realm: "kosmos.org",
turn_ip_address: node["knife_zero"]["host"],
stun_secret: ejabberd_credentials['stun_secret'],
turn_ip_address: node["kosmos-ejabberd"]["turn_ip_address"],
stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"],
turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
turn_max_port: node["kosmos-ejabberd"]["turn_max_port"],
akkounts_ip_addresses: akkounts_ip_addresses
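Review bot: `stun_secret: ejabberd_credentials['stun_secret']` renders a shared secret into /opt/ejabberd/conf/ejabberd.yml, so the `template` resource's `owner`/`mode` (the resource starts above the hunk) should keep that file unreadable to other local users; worth confirming it is not world-readable. If the credentials lookup can yield `nil`, the template would silently render an empty `secret:`, so a `raise` or at least a log line when the key is missing seems safer than relying on ejabberd to reject it. A short comment, `# stun_secret is shared with mod_stun_disco; rotate it together with the data bag entry`, would make the coupling visible to the next reader.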


@@ -25,13 +25,13 @@ firewall_rule 'erlang_cluster' do
end
firewall_rule 'ejabberd_stun_turn' do
port 3478
protocol :tcp
port node["kosmos-ejabberd"]["stun_turn_port"]
protocol :udp
command :allow
end
firewall_rule 'ejabberd_turn' do
port node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
protocol :tcp
protocol :udp
command :allow
end
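Review bot: The `ejabberd_turn` rule shows both `protocol :tcp` and `protocol :udp`; if both lines are on the new side, Chef keeps the last property write and the rule is UDP-only, which matches the UDP-only `ejabberd_stun` listener in this commit, so the `:tcp` line should be dropped rather than left as a misleading no-op. The range `node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]` opens whatever `turn_max_port` finally evaluates to, and the attributes file in this commit assigns that attribute twice, so pinning it to one value there matters for how many UDP ports this rule exposes. A comment on the rule, `# TURN relay range; must match turn_min_port/turn_max_port in ejabberd.yml and the nginx stream proxy`, ties the three places together.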


@@ -0,0 +1,52 @@
#
# Cookbook:: kosmos-ejabberd
# Recipe:: nginx
#
include_recipe "kosmos-base::firewall"
ejabberd_hosts = []
search(:node, "role:ejabberd").each do |node|
ejabberd_hosts << node["knife_zero"]["host"]
end
ejabberd_hosts.each do |ip_address|
IPAddr.new ip_address
rescue IPAddr::InvalidAddressError
ejabberd_hosts.delete ip_address
next
end
template "#{node['nginx']['dir']}/streams-available/ejabberd" do
source "nginx_conf_streams.erb"
owner 'www-data'
mode 0640
# variables ejabberd_hosts: ejabberd_hosts
variables ejabberd_hosts: ["10.1.1.113"],
stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"],
turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
turn_max_port: node["kosmos-ejabberd"]["turn_max_port"]
notifies :reload, 'service[nginx]', :delayed
end
nginx_stream "ejabberd" do
action :enable
end
firewall_rule "ejabberd" do
port [5222, 5223, 5269, 5443]
protocol :tcp
command :allow
end
firewall_rule 'ejabberd_stun_turn' do
port node["kosmos-ejabberd"]["stun_turn_port"]
protocol :udp
command :allow
end
firewall_rule 'ejabberd_turn' do
port node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
protocol :udp
command :allow
end
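Review bot: The validation loop `ejabberd_hosts.each do |ip_address| ... ejabberd_hosts.delete ip_address` mutates the array it is iterating, so after a deletion the element that slides into the freed slot is skipped and can reach the template unvalidated. The cleaned list is then discarded anyway, because `variables` passes the hard-coded `["10.1.1.113"]` with the search-based line commented out, and the `search` block parameter `node` shadows Chef's own `node`. Build the list with `map`/`select` instead and pass it through; if the literal has to stay for now, a `# TODO` stating why (presumably the search returns an address the proxy cannot reach) is needed so nobody assumes the search path is wired. `IPAddr` is presumably loaded by Chef; if not, `require "ipaddr"` belongs at the top of the recipe, and note that a `nil` host would raise a different `IPAddr` error than the one rescued, hence the `compact` below.

```ruby
include_recipe "kosmos-base::firewall"

# Addresses of all ejabberd nodes; nil hosts are dropped before validation.
ejabberd_hosts = search(:node, "role:ejabberd").map { |found| found["knife_zero"]["host"] }.compact

# Keep only syntactically valid IP addresses so a bad host never lands in nginx.conf.
ejabberd_hosts = ejabberd_hosts.select do |ip_address|
  IPAddr.new(ip_address)
  true
rescue IPAddr::InvalidAddressError
  false
end

template "#{node['nginx']['dir']}/streams-available/ejabberd" do
  # … unchanged: source/owner/mode …
  variables ejabberd_hosts: ejabberd_hosts,
            stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"],
            turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
            turn_max_port: node["kosmos-ejabberd"]["turn_max_port"]
  # … unchanged: notifies …
end
# … unchanged: nginx_stream and firewall_rule resources …
```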


@@ -78,12 +78,13 @@ listen:
## register: true
captcha: false
-
port: 3478
transport: tcp
port: <%= @stun_turn_port %>
transport: udp
module: ejabberd_stun
auth_realm: <%= @stun_auth_realm %>
use_turn: true
turn_ip: <%= @turn_ip_address %>
tls: false
turn_ipv4_address: <%= @turn_ip_address %>
turn_min_port: <%= @turn_min_port %>
turn_max_port: <%= @turn_max_port %>
@@ -230,7 +231,21 @@ modules:
versioning: true
store_current_id: true
mod_shared_roster: {}
mod_stun_disco: {}
mod_stun_disco:
secret: <%= @stun_secret %>
services:
-
host: <%= @turn_ip_address %>
port: <%= @stun_turn_port %>
type: stun
transport: udp
restricted: false
-
host: <%= @turn_ip_address %>
port: <%= @stun_turn_port %>
type: turn
transport: udp
restricted: true
mod_vcard:
search: false
mod_vcard_xupdate: {}
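Review bot: The listener's `turn_ipv4_address: <%= @turn_ip_address %>` and the `host:` entries under `mod_stun_disco` `services` apparently advertise the nginx proxy's public address rather than this host's own, and nothing in the config says so; someone tuning ejabberd later would reasonably assume the address belongs to the machine it runs on. A YAML comment next to the listener, `## address of the nginx stream proxy; relay ports are forwarded to this node`, and the same above `services:`, would make the indirection explicit. The listener is UDP-only after this change while the earlier `transport: tcp` line is gone; if TCP/TLS TURN was dropped on purpose because the proxy only forwards UDP, that deserves a line too. The `listen:` and `modules:` sections both start outside the hunks.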


@@ -0,0 +1,81 @@
log_format proxy '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time "$upstream_addr" '
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
access_log /var/log/nginx/streams.log proxy buffer=32k flush=1m;
upstream ejabberd_c2s {
hash $remote_addr consistent;
<% @ejabberd_hosts.each do |ip_address| %>
server <%= ip_address %>:5222;
<% end %>
}
upstream ejabberd_c2s_tls {
hash $remote_addr consistent;
<% @ejabberd_hosts.each do |ip_address| %>
server <%= ip_address %>:5223;
<% end %>
}
upstream ejabberd_s2s {
hash $remote_addr consistent;
<% @ejabberd_hosts.each do |ip_address| %>
server <%= ip_address %>:5269;
<% end %>
}
upstream ejabberd_https {
hash $remote_addr consistent;
<% @ejabberd_hosts.each do |ip_address| %>
server <%= ip_address %>:5443;
<% end %>
}
upstream ejabberd_stun_turn {
hash $remote_addr consistent;
<% @ejabberd_hosts.each do |ip_address| %>
server <%= ip_address %>:<%= @stun_turn_port %>;
<% end %>
}
upstream ejabberd_turn {
hash $remote_addr consistent;
<% @ejabberd_hosts.each do |ip_address| %>
<% (@turn_min_port..@turn_max_port).each do |port| %>
server <%= "#{ip_address}:#{port.to_s}" %>;
<% end %>
<% end %>
}
server {
listen 5222;
proxy_pass ejabberd_c2s;
}
server {
listen 5223;
proxy_pass ejabberd_c2s;
}
server {
listen 5269;
proxy_pass ejabberd_s2s;
}
server {
listen 5443;
proxy_pass ejabberd_https;
}
server {
listen <%= @stun_turn_port %> udp;
proxy_pass ejabberd_stun_turn;
}
server {
listen <%= "#{@turn_min_port}-#{@turn_max_port}" %> udp;
proxy_pass 10.1.1.113:$server_port;
#proxy_pass ejabberd_turn;
}
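Review bot: The `listen 5223;` server block proxies to `ejabberd_c2s`, which is the port-5222 upstream, so direct-TLS clients on 5223 are forwarded to the plain port and the `ejabberd_c2s_tls` upstream defined above is never used; that line should read `proxy_pass ejabberd_c2s_tls;`. The relay-range block hard-codes `proxy_pass 10.1.1.113:$server_port;` instead of using `@ejabberd_hosts`, and the generated `ejabberd_turn` upstream is dead because its `proxy_pass` is commented out; with `$server_port` forwarding only one backend can be addressed, so either render the target from the first element of `@ejabberd_hosts` or state in a comment that the relay range intentionally targets a single node. The dead upstream and the commented `#proxy_pass ejabberd_turn;` are better deleted than left behind, since a per-port upstream would never pick the matching backend port anyway.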