From 14b70537a72536e50c15811d93cf383acfaf70b1 Mon Sep 17 00:00:00 2001 From: lhahn Date: Sat, 26 Aug 2023 21:08:53 +0200 Subject: [PATCH] fix split of coturn and nextcloud --- defaults/main.yml | 36 +++++++++++++++---- tasks/coturn.yml | 32 +++++++++++++++++ tasks/janus.yml | 6 ---- tasks/main.yml | 2 ++ templates/app/signaling-server/server.conf.j2 | 4 +-- 5 files changed, 66 insertions(+), 14 deletions(-) create mode 100755 tasks/coturn.yml diff --git a/defaults/main.yml b/defaults/main.yml index 4297a18..5530bd5 100755 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -4,12 +4,36 @@ cloud_storage: /opt/storage cloud_stage: prod cloud_update: false -ncloud_coturn_pass: SomeRandomString -ncloud_coturn_port: 5349 -ncloud_domain: - - my_domain.tld +coturn_domain: my_domain.tld + +coturn_pass: SomeRandomString +coturn_port: 5349 +coturn_parallel_connection: 0 #0 is unlimited +coturn_bandwitdh: 0 #0 B/s is unlimited +coturn_session_lifetime: 600 + +coturn_cert: "/etc/letsencrypt/live/{{ coturn_domain }}/fullchain.pem" +coturn_pkey: "/etc/letsencrypt/live/{{ coturn_domain }}/privkey.pem" +coturn_dhparam: "/etc/letsencrypt/ssl-dhparams.pem" + +coturn_configs: + - "tls-listening-port={{ coturn_port }}" + - fingerprint + - use-auth-secret + - "static-auth-secret={{ coturn_pass }}" + - "realm={{ ncloud_domain[0] }}" + - "total-quota={{ coturn_parallel_connection }}" + - "bps-capacity={{ coturn_bandwitdh }}" + - "stale-nonce={{ coturn_session_lifetime }}" + - cipher-list=\“ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384\″ + - no-multicast-peers + - no-tlsv1 + - no-tlsv1_1 + - no-stdout-log + - "cert={{ coturn_cert }}" + - "pkey={{ coturn_pkey }}" + - "dh-file={{ coturn_dhparam }}" -signaling_janus_deb_target: "http://ftp.de.debian.org/debian/pool/main/j/janus/janus_1.0.0-4~bpo11+1_amd64.deb" signaling_janus_api_key: MyVeryCoolApiKeyInBase64 signaling_hash_key: VeryCoolHashKeyForSignaling 
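Review bot: In defaults/main.yml the `ncloud_domain` default is removed, but the new `realm={{ ncloud_domain[0] }}` entry still reads it, as do `stun_server` in the following hunk and the `servers =` line in server.conf.j2. Unless the variable is supplied from outside this role these fail as undefined, and where it is supplied the realm and advertised TURN host can diverge from the `coturn_domain` that the certificate paths are built from; I would write `- "realm={{ coturn_domain }}"` and make the same substitution at the other two sites. The `cipher-list` entry is also wrapped in `\“ … \″`, typographic characters rather than ASCII quotes, so they reach turnserver.conf as part of the value and the first and last suite names are unlikely to be recognised. The two `…-GCM-SHA512` names do not look like OpenSSL suite names either, so the effective list is probably narrower than intended. Use plain quotes, `- 'cipher-list="<suites>"'`, and check each name with `openssl ciphers -v`.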
@@ -25,6 +49,6 @@ signaling_janus_port: 8188 signaling_janus_configs: - 'stun_server = "{{ ncloud_domain[0] }}"' - - 'stun_port = {{ ncloud_coturn_port }}' + - 'stun_port = {{ coturn_port }}' - 'full_trickle = true' - 'turn_rest_api_key = "{{ signaling_janus_api_key }}"' \ No newline at end of file diff --git a/tasks/coturn.yml b/tasks/coturn.yml new file mode 100755 index 0000000..eb4d732 --- /dev/null +++ b/tasks/coturn.yml @@ -0,0 +1,32 @@ +--- +- name: install coturn server + apt: + update_cache: yes + state: "{% if cloud_update | bool %}latest{% else %}present{% endif %}" + install_recommends: yes + pkg: + - "coturn" + +- name: enable coturn server + lineinfile: + path: "/etc/default/coturn" + regexp: '^#?TURNSERVER_ENABLED=' + line: "TURNSERVER_ENABLED=1" + notify: restart coturn + +- name: enable coturn server + lineinfile: + path: "/etc/turnserver.conf" + regexp: '^#?{{ configline.split("=")[0] }}{% if configline.split("=") | length > 1 %}={% endif %}' + line: "{{ configline }}" + loop: "{{ coturn_configs }}" + loop_control: + loop_var: configline + label: "{{ configline }}" + notify: restart coturn + +- name: set coturn capabilities for port setting + capabilities: + path: /usr/bin/turnserver + capability: cap_net_bind_service=+ep + state: present diff --git a/tasks/janus.yml b/tasks/janus.yml index 23fdd0b..4ecee66 100755 --- a/tasks/janus.yml +++ b/tasks/janus.yml @@ -1,10 +1,4 @@ --- -#- name: install janus from deb file -# apt: -# deb: "{{ signaling_janus_deb_target }}" -# state: "{% if cloud_update | bool %}latest{% else %}present{% endif %}" -# install_recommends: yes - - name: install janus apt: update_cache: yes diff --git a/tasks/main.yml b/tasks/main.yml index aac3764..b5c21e5 100755 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -51,6 +51,8 @@ - include_tasks: nats.yml +- include_tasks: coturn.yml + - name: setup signaling systemd service unit template: src: "etc/systemd/system/signaling.service.j2" 
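Review bot: In tasks/coturn.yml the loop over `coturn_configs` sets `label: "{{ configline }}"`, so the `static-auth-secret={{ coturn_pass }}` item is printed in clear in the play output on every run. A key-only label such as `label: "{{ configline.split('=')[0] }}"` keeps the log readable without the secret; add `no_log: true` if diff output is collected as well. The `regexp` for flag options has no end anchor, so `^#?no-tlsv1` also matches a `no-tlsv1_1` line, and since lineinfile replaces the last match, repeated runs can rewrite the wrong line and fire `restart coturn` each time. Anchoring the flag case, `regexp: '^#?{{ configline.split("=")[0] | regex_escape }}{% if "=" in configline %}={% else %}\s*${% endif %}'`, avoids that.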
diff --git a/templates/app/signaling-server/server.conf.j2 b/templates/app/signaling-server/server.conf.j2
index 112f715..ece1094 100755
--- a/templates/app/signaling-server/server.conf.j2
+++ b/templates/app/signaling-server/server.conf.j2
@@ -187,11 +187,11 @@ apikey = {{ signaling_janus_api_key }}
 # The shared secret to use for generating TURN credentials. This must be the
 # same as on the TURN server.
-secret = {{ ncloud_coturn_pass }}
+secret = {{ coturn_pass }}
 # A comma-separated list of TURN servers to use. Leave empty to disable the
 # TURN REST API.
-servers = turn:{{ ncloud_domain[0] }}:{{ ncloud_coturn_port }}?transport=udp,turn:{{ ncloud_domain[0] }}:{{ ncloud_coturn_port }}?transport=tcp
+servers = turn:{{ ncloud_domain[0] }}:{{ coturn_port }}?transport=udp,turn:{{ ncloud_domain[0] }}:{{ coturn_port }}?transport=tcp
 [geoip]
 # License key to use when downloading the MaxMind GeoIP database. You can