This commit is a refactoring of the initial effort in order to make i…

…t work as a standalone role. It includes the following changes:

* bring it up to date with the official documentation
* make it work on Ubuntu 20.04 and Centos 8
* move some config from the override file to the config file
* make tls stuff more configurable and usable without letsencrypt
* change dh-params from auto-generated to the recommended file from https://ssl-config.mozilla.org/ffdhe2048.txt
* remove superfluous tasks
* add firewall configurations for ubuntu and centos
* flesh out readme

README.md

@@ -1 +1,17 @@
-# ansible-role-coturn
+# Set up a TURN/STUN server for [BigBlueButton](https://bigbluebutton.org/)
+
+This is an ansible-role to set up [coturn](https://github.com/coturn/coturn) and largely follows the [official BigBlueButton documentation](https://docs.bigbluebutton.org/admin/setup-turn-server.html).
+
+## Setup
+
+The role works on Ubuntu 20.04 and Centos 8.
+You should carefully look through the [defaults](defaults/main.yml) to see which variables you need to set.
+For most parts, the default values of the coturn configuration should already be optimal for use with BigBlueButton.
+But pay particular attention to the following:
+
+* You need to set `coturn_static_auth_secret` to the same secret you specified in your BigBlueButton setup.
+* `coturn_realm`, althoug optional, should be set (often to you domain name).
+* You _really should_ configure **TLS**. When you do so, coturn needs access to your certificate files.
+This is why you need to specify their directory and the cert- and key-files.
+In practice, this means that you usually set up your tls certificates _before_ running the coturn role.
+If you have a special tls user group, you can optionally set it as well.

defaults/main.yml

@@ -1,17 +1,32 @@
 ---
 coturn_listening_port: 3478
-coturn_tls_listening_port: 443
-listening_ip: "{{ ansible_host }}"
+coturn_min_port: 32769
+coturn_max_port: 65535
+coturn_listening_ip: "{{ ansible_host }}"
+
+# You need to set the same static authentification secret
+# for this coturn instance here *and* in BigBlueButton
+# (obviously, never use the default).
+coturn_static_auth_secret: 1234
 
-# (D)TLS is currently unsupported by Nextcloud Talk and does not have a real
-# security benefit anyway. For further information, see:
-# * https://github.com/coturn/coturn/issues/33
-# * https://github.com/nextcloud/spreed/issues/257
-coturn_tls: True
-coturn_tls_cert: "/etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem"
-coturn_tls_key: "/etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem"
+# You should specify the realm of you coturn (see turnserver
+# config options), otherwise it defaults to the host domain name.
+# coturn_realm:
 
-coturn_dhparam_length: 2048
+# The tls variables should all be defined if you set
+# coturn_use_tls to true (recommended).
+coturn_use_tls: true
+coturn_tls_listening_port: 443
+# If you use tls you need to define the directory where
+# your tls certificate files are located
+# (e.g. /etc/letsencrypt/ or /etc/nginx/ssl/).
+coturn_tls_cert_dir:
+# If you use tls you need to specify the full name and path
+# to the tls certificate and key files.
+coturn_tls_cert:
+coturn_tls_key:
+# You can specify the coturn tls_group (optional).
+# coturn_tls_group:
 
 coturn_denied_peer_ips:
   - 0.0.0.0-0.255.255.255
@@ -31,3 +46,6 @@ coturn_denied_peer_ips:
 
 # 1 for verbose, 2 for Verbose (very verbose)
 coturn_verbosity: 0
+
+# coturn username on the host
+turn_user: "{{ 'coturn' if ansible_os_family == 'RedHat' else 'turnserver' }}"

files/dhparam.pem

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----

files/override.conf

@@ -0,0 +1,6 @@
+[Service]
+LimitNOFILE=1048576
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+ExecStart=
+ExecStart=/usr/bin/turnserver --daemon -c /etc/turnserver.conf
+Restart=always

handlers/main.yml

@@ -1,5 +1,9 @@
 ---
 
+- name: systemd daemon-reload
+  systemd:
+    daemon_reload: yes
+
 - name: restart coturn
   service:
     name: coturn

tasks/firewalld.yml

@@ -0,0 +1,24 @@
+---
+
+- name: firewalld enable coturn standard ports
+  firewalld:
+    port: "{{ item.port }}/{{ item.proto }}"
+    permanent: yes
+    state: enabled
+  loop:
+    - port: "{{ coturn_listening_port }}"
+      proto: tcp
+    - port: "{{ coturn_listening_port }}"
+      proto: udp
+    - port: "{{ coturn_min_port }}-{{ coturn_max_port }}"
+      proto: udp
+
+- name: firewalld enable coturn tls ports
+  firewalld:
+    port: item
+    permanent: yes
+    state: enabled
+  loop:
+    - "{{ coturn_tls_listening_port }}/tcp"
+    - "{{ coturn_tls_listening_port }}/udp"
+  when: coturn_use_tls

tasks/main.yml

@@ -1,25 +1,41 @@
 ---
 
-- name: install coturn
-  apt:
-    pkg: coturn
+- name: Install coturn
+  package:
+    name: coturn
     state: latest
 
-- name: Give coturn access to TLS cert
-  user:
-    name: turnserver
-    groups: "{{ coturn_tls_group }}"
-    append: true
-  when: coturn_tls and coturn_tls_group is defined
-
-- name: Grant user Turnserver read execute access to /etc/letsencrypt/
-  acl:
-    path: /etc/letsencrypt/
-    entity: turnserver
-    etype: user
-    permissions: rx
-    recursive: yes
-    state: present
+- name: Manage tls permissions
+  block:
+  - name: Fail if tls should be used but required values are not set
+    assert:
+      that:
+        - coturn_tls_listening_port is defined and coturn_tls_listening_port is truthy
+        - coturn_tls_cert_dir is defined and coturn_tls_cert_dir is truthy
+        - coturn_tls_cert is defined and coturn_tls_cert is truthy
+        - coturn_tls_key is defined and coturn_tls_key is truthy
+  - name: Add turnserver user to TLS group
+    user:
+      name: "{{ turn_user }}"
+      groups: "{{ coturn_tls_group }}"
+      append: true
+    when: coturn_tls_group is defined
+  - name: Grant turnserver user access to certificate folder
+    acl:
+      path: "{{ coturn_tls_cert_dir }}"
+      entity: "{{ turn_user }}"
+      etype: user
+      permissions: rx
+      recursive: yes
+      state: present
+  - name: Copy Diffie-Hellmann parameter (from https://ssl-config.mozilla.org/ffdhe2048.txt)
+    copy:
+      src: dhparam.pem
+      dest: /etc/dhparam.pem
+      owner: root
+      group: root
+      mode: '0644'
+  when: coturn_use_tls
 
 - name: Create systemd override for coturn
   block:
@@ -28,60 +44,49 @@
         path: /etc/systemd/system/coturn.service.d/
         state: directory
         mode: '0755'
-    - name: Apply coturn override template
-      template:
+    - name: Copy coturn systemd override file
+      copy:
         src: override.conf
         dest: /etc/systemd/system/coturn.service.d/override.conf
         owner: root
         group: root
         mode: '0644'
+      notify:
+        - systemd daemon-reload
+        - restart coturn
 
 - name: Create lograte structure
   block:
     - name: Create needed folder
       file:
         path: /var/log/turnserver
-        owner: turnserver
-        group: turnserver
+        owner: "{{ turn_user }}"
+        group: "{{ turn_user }}"
         state: directory
         mode: '0755'
-    - name: Template logrotate
-      template:
+    - name: Copy logrotate config
+      copy:
         src: logging.conf
         dest: /etc/logrotate.d/coturn
         owner: root
         group: root
         mode: '0644'
 
-- name: Set cap_net_bind_service=+ep on /usr/bin/turnserver
-  capabilities:
-    path: /usr/bin/turnserver
-    capability: cap_net_bind_service=+ep
-    state: present
-
-- name: ensure coturn is enabled
-  lineinfile:
-    dest: /etc/default/coturn
-    line: TURNSERVER_ENABLED=1
-    regexp: "^#?TURNSERVER_ENABLED="
-
-- name: Create parameters for Diffie–Hellman (could take a while)
-  command: "openssl dhparam -out /etc/coturn-dh-{{ coturn_dhparam_length }}.pem {{ coturn_dhparam_length }}"
-  args:
-    creates: /etc/coturn-dh-{{ coturn_dhparam_length }}.pem
-  when: coturn_tls
-  notify: restart coturn
-
-- name: configure coturn
+- name: Configure coturn
   template:
-    dest: /etc/turnserver.conf
     src: turnserver.conf.j2
+    dest: /etc/turnserver.conf
     owner: root
     group: root
     mode: 0644
   notify: restart coturn
 
-- name: Start / Restart coturn
-  service:
-    name: coturn
-    state: restarted
+- name: configure firewall on ubuntu
+  include: ufw.yml
+  when: ansible_os_family == 'Debian'
+  notify: restart coturn
+
+- name: configure firewall on Centos
+  include: firewalld.yml
+  when: ansible_os_family == 'RedHat'
+  notify: restart coturn

tasks/ufw.yml

@@ -0,0 +1,42 @@
+---
+
+- name: install dependencies
+  apt:
+    update_cache: true
+    name: ufw
+
+- name: ufw allow known services
+  ufw:
+    rule: allow
+    name: OpenSSH
+
+- name: ufw allow coturn standard ports
+  ufw:
+    rule: allow
+    port: "{{ item.port }}"
+    proto: "{{ item.proto }}"
+  loop:
+    - port: "{{ coturn_listening_port }}"
+      proto: tcp
+    - port: "{{ coturn_listening_port }}"
+      proto: udp
+    - port: "{{ coturn_min_port }}:{{ coturn_max_port }}"
+      proto: udp
+
+- name: ufw allow coturn tls port
+  ufw:
+    rule: allow
+    port: "{{ item.port }}"
+    proto: "{{ item.proto }}"
+  loop:
+    - port: "{{ coturn_tls_listening_port }}"
+      proto: tcp
+    - port: "{{ coturn_tls_listening_port }}"
+      proto: udp
+  when: coturn_use_tls
+
+- name: enable firewall
+  ufw:
+    state: enabled
+    policy: reject
+    logging: off