Update to 2022-03-07 14:00

roles/unmaintained/turnserver/defaults/main.yml

@@ -0,0 +1,38 @@
+---
+
+# Set turnserver realm. Default to the domain name if unset
+# turnserver_realm: turn.example.com
+
+# The static, shared auth secret. If not set, will use long term auth.
+# See turnserver_lt_users
+# turnserver_auth_secret: 
+
+# Long term users
+turnserver_lt_users: []
+# - name: asterisk
+#   pass: S3cr3t.
+
+
+turnserver_listen_ip:
+  - 0.0.0.0
+
+# If defined, restrict who can access the service
+turnserver_src_ip:
+ - 0.0.0.0/0
+
+turnserver_port: 3478
+turnserver_alt_port: 3479
+turnserver_tls_port: 5349
+turnserver_alt_tls_port: 5350
+
+# Allow non TLS relay
+turnserver_allow_non_tls: True
+
+# Turn on TLS listener. If true, certificate must be present
+turnserver_tls: False
+# turnserver_tls_cert:
+# turnserver_tls_key:
+
+# If behind a NAT, you must set the public IP
+# turnserver_external_ip: 12.13.14.15
+

roles/unmaintained/turnserver/files/dehydrated_deploy_hook

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/sbin/service turnserver restart

roles/unmaintained/turnserver/files/turnserver.service

@@ -0,0 +1,21 @@
+[Unit]
+Description=coturn
+Documentation=man:coturn(1) man:turnadmin(1) man:turnserver(1)
+After=syslog.target network.target
+
+[Service]
+Type=simple
+EnvironmentFile=/etc/sysconfig/turnserver
+ExecStart=/usr/bin/turnserver -c /etc/turnserver/turnserver.conf $EXTRA_OPTIONS
+Restart=on-failure
+
+LimitCORE=infinity
+LimitNOFILE=999999
+LimitNPROC=60000
+LimitRTPRIO=infinity
+LimitRTTIME=7000000
+UMask=0007
+
+[Install]
+WantedBy=multi-user.target
+

roles/unmaintained/turnserver/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+
+- include: ../common/handlers/main.yml
+- name: restart turnserver
+  service: name=turnserver state=restarted enabled=yes

roles/unmaintained/turnserver/tasks/main.yml

@@ -0,0 +1,79 @@
+---
+
+- name: Install Coturn
+  yum: name=turnserver state=present
+  tags: turn
+
+- name: Deploy main configuration
+  template: src=turnserver.conf.j2 dest=/etc/turnserver/turnserver.conf group=turnserver mode=640
+  notify: restart turnserver
+  tags: turn
+
+- name: Override systemd unit
+  copy: src=turnserver.service dest=/etc/systemd/system/turnserver.service
+  register: turn_unit
+  notify: restart turnserver
+  tags: turn
+
+- name: Reload systemùd
+  systemd: daemon_reload=True
+  when: turn_unit.changed
+  tags: turn
+
+- name: Create dehydrated hooks dir
+  file: path=/etc/dehydrated/hooks_deploy_cert.d/ state=directory
+  tags: turn
+
+- name: Deploy dehydrated hook
+  copy: src=dehydrated_deploy_hook dest=/etc/dehydrated/hooks_deploy_cert.d/20turnserver.sh mode=755
+  tags: turn
+
+- name: Create tmpfile fragment
+  copy: content="d /var/run/turnserver 775 root turnserver" dest=/etc/tmpfiles.d/turnserver.conf
+  notify: systemd-tmpfiles
+  tags: turn
+
+- name: Handle turnserver ports
+  iptables_raw:
+    name: turnserver_ports
+    state: "{{ (turnserver_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp -m multiport --dports {{ [turnserver_port,turnserver_alt_port] | join(',') }} -s {{ turnserver_src_ip | join(',') }} -j ACCEPT\n
+            -A INPUT -p udp -m multiport --dports {{ [turnserver_port,turnserver_alt_port] | join(',') }} -s {{ turnserver_src_ip | join(',') }} -j ACCEPT\n
+            -A INPUT -m state --state NEW -p tcp -m multiport --dports {{ [turnserver_tls_port,turnserver_alt_tls_port] | join(',') }} -s {{ turnserver_src_ip | join(',') }} -j ACCEPT\n
+            -A INPUT -p udp -m multiport --dports {{ [turnserver_tls_port,turnserver_alt_tls_port] | join(',') }} -s {{ turnserver_src_ip | join(',') }} -j ACCEPT\n
+            -A INPUT -p tcp --dport 49152:65535 -s {{ turnserver_src_ip | join(',') }} -j ACCEPT\n
+            -A INPUT -p udp --dport 49152:65535 -s {{ turnserver_src_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: turn,firewall
+
+- name: Start and enable the service
+  service: name=turnserver state=started enabled=True
+  tags: turn
+
+- name: Add long term users
+  command: turnadmin --add --user={{ item.name }} --password={{ item.pass | quote }} --realm={{ turnserver_realm | default(ansible_domain) }}
+  loop: "{{ turnserver_lt_users }}"
+  tags: turn
+
+- name: Remove users with unknown realm
+  shell: |
+    for U in $(turnadmin --list | grep -v '\[{{ turnserver_realm | default(ansible_domain) }}\]'); do
+      user=$(echo $U | cut -d'[' -f1)
+      realm=$(echo $U | perl -pe 's/.*\[(.*)\]/$1/')
+      turnadmin --delete --user=$user --realm=$realm
+    done
+  changed_when: False
+  tags: turn
+
+- name: List long term users
+  shell: turnadmin --list | grep -vP '^0:\s+(log file opened|SQLite connection)' | cut -d'[' -f1
+  register: turn_lt_existing_users
+  changed_when: False
+  tags: turn
+
+- name: Remove unmanaged long term users
+  command: turnadmin --delete --user={{ item }} --realm={{ turnserver_realm | default(ansible_domain) }}
+  when: item not in turnserver_lt_users | map(attribute='name') | list
+  loop: "{{ turn_lt_existing_users.stdout_lines }}"
+  tags: turn
+

roles/unmaintained/turnserver/templates/turnserver.conf.j2

@@ -0,0 +1,40 @@
+pidfile="/var/run/turnserver/turnserver.pid"
+verbose
+fingerprint
+{% if turnserver_auth_secret is defined %}
+use-auth-secret
+static-auth-secret {{ turnserver_auth_secret }}
+{% else %}
+lt-cred-mech
+{% endif %}
+no-sslv2
+no-sslv3
+no-loopback-peers
+no-multicast-peers
+realm {{ turnserver_realm | default(ansible_domain) }}
+proc-user turnserver
+proc-group turnserver
+syslog
+
+{% for ip in turnserver_listen_ip %}
+listening-ip {{ ip }}
+{% endfor %}
+
+{% if not turnserver_allow_non_tls %}
+no-tcp
+no-udp
+{% endif %}
+
+listening-port {{ turnserver_port }}
+alt-listening-port {{ turnserver_alt_port }}
+
+{% if turnserver_tls %}
+tls-listening-port {{ turnserver_tls_port }}
+alt-tls-listening-port {{ turnserver_alt_tls_port }}
+cert {{ turnserver_tls_cert }}
+pkey {{ turnserver_tls_key }}
+{% endif %}
+
+{% if turnserver_external_ip is defined %}
+external-ip {{ turnserver_external_ip }}
+{% endif %}