environments/production.json

@@ -17,7 +17,7 @@
       "public_url": "https://drone.kosmos.org"
     },
     "ejabberd": {
-      "turn_ip_address": "148.251.83.201"
+      "turn_domain": "turn.kosmos.org"
     },
     "garage": {
       "replication_mode": "2",

site-cookbooks/kosmos-ejabberd/attributes/default.rb

@@ -1,8 +1,8 @@
 node.default["ejabberd"]["version"] = "23.10"
 node.default["ejabberd"]["package_version"] = "1"
 node.default["ejabberd"]["checksum"] = "1b02108c81e22ab28be84630d54061f0584b76d5c2702e598352269736b05e77"
-node.default["ejabberd"]["stun_auth_realm"] = "kosmos.org"
+node.default["ejabberd"]["turn_domain"] = "turn.kosmos.org"
 node.default["ejabberd"]["stun_turn_port"] = 3478
+node.default["ejabberd"]["stun_turn_port_tls"] = 5349
 node.default["ejabberd"]["turn_min_port"] = 50000
 node.default["ejabberd"]["turn_max_port"] = 50999
-node.default["ejabberd"]["turn_ip_address"] = nil

site-cookbooks/kosmos-ejabberd/recipes/coturn.rb

@@ -5,19 +5,27 @@
 
 apt_package 'coturn'
 
+domain = node["ejabberd"]["turn_domain"]
 credentials = data_bag_item("credentials", "ejabberd")
 
+tls_cert_for domain do
+  auth "gandi_dns"
+  action :create
+end
+
 template "/etc/turnserver.conf" do
   source "turnserver.conf.erb"
   mode 0644
   variables listening_port: node["ejabberd"]["stun_turn_port"],
-            tls_listening_port: node["ejabberd"]["stun_turn_port"],
+            tls_listening_port: node["ejabberd"]["stun_turn_port_tls"],
-            listening_ip: node["ejabberd"]["turn_ip_address"],
+            listening_ip: node["ipaddress"],
-            relay_ip: node["ejabberd"]["turn_ip_address"],
+            relay_ip: node["ipaddress"],
             min_port: node["ejabberd"]["turn_min_port"],
             max_port: node["ejabberd"]["turn_max_port"],
             static_auth_secret: credentials["stun_secret"],
-            realm: node["ejabberd"]["stun_auth_realm"]
+            realm: domain,
+            cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            pkey: "/etc/letsencrypt/live/#{domain}/privkey.pem"
   notifies :restart, "service[coturn]", :delayed
 end
 
@@ -27,6 +35,12 @@ firewall_rule 'ejabberd_stun_turn' do
   command  :allow
 end
 
+firewall_rule 'ejabberd_stun_turn_tls' do
+  port     node["ejabberd"]["stun_turn_port_tls"]
+  protocol :udp
+  command  :allow
+end
+
 firewall_rule 'ejabberd_turn' do
   port     node["ejabberd"]["turn_min_port"]..node["ejabberd"]["turn_max_port"]
   protocol :udp

site-cookbooks/kosmos-ejabberd/recipes/default.rb

@@ -183,10 +183,11 @@ template "/opt/ejabberd/conf/ejabberd.yml" do
   sensitive true
   variables hosts: hosts,
             admin_users: admin_users,
-            stun_auth_realm: node["ejabberd"]["stun_auth_realm"],
+            stun_auth_realm: node["ejabberd"]["turn_domain"],
             stun_secret: ejabberd_credentials['stun_secret'],
             turn_ip_address: node["ejabberd"]["turn_ip_address"],
             stun_turn_port: node["ejabberd"]["stun_turn_port"],
+            stun_turn_port_tls: node["ejabberd"]["stun_turn_port_tls"],
             turn_min_port: node["ejabberd"]["turn_min_port"],
             turn_max_port: node["ejabberd"]["turn_max_port"],
             private_ip_address: node["knife_zero"]["host"],

site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb

@@ -233,17 +233,29 @@ modules:
     secret: <%= @stun_secret %>
     services:
       -
-        host: <%= @turn_ip_address %>
+        host: <%= @turn_domain %>
         port: <%= @stun_turn_port %>
         type: stun
         transport: udp
         restricted: false
       -
-        host: <%= @turn_ip_address %>
+        host: <%= @turn_domain %>
+        port: <%= @stun_turn_port_tls %>
+        type: stuns
+        transport: udp
+        restricted: false
+      -
+        host: <%= @turn_domain %>
         port: <%= @stun_turn_port %>
         type: turn
         transport: udp
         restricted: true
+      -
+        host: <%= @turn_domain %>
+        port: <%= @stun_turn_port_tls %>
+        type: turns
+        transport: tcp
+        restricted: true
   mod_vcard:
     search: false
   mod_vcard_xupdate: {}

site-cookbooks/kosmos-ejabberd/templates/turnserver.conf.erb

@@ -436,14 +436,14 @@ realm=<%= @realm %>
 # Use an absolute path or path relative to the 
 # configuration file.
 #
-#cert=/usr/local/etc/turn_server_cert.pem
+cert=<%= @cert %>
 
 # Private key file.
 # Use an absolute path or path relative to the 
 # configuration file.
 # Use PEM file format.
 #
-#pkey=/usr/local/etc/turn_server_pkey.pem
+pkey=<%= @pkey %>
 
 # Private key file password, if it is in encoded format.
 # This option has no default value.
@@ -642,7 +642,7 @@ syslog
 # By default it is always ON.
 # See also options cli-ip and cli-port.
 #
-#no-cli
+no-cli
 
 #Local system IP address to be used for CLI server endpoint. Default value
 # is 127.0.0.1.