Resolve "installation d'un coturn externe"

2021-04-27 10:19:53 +00:00
parent 7c4cf16d05
commit 38c5dc95bf
14 changed files with 205 additions and 47 deletions
@@ -0,0 +1,8 @@
+---
+- name: restart coturn
+  systemd:
+    name: coturn
+    state: restarted
+    daemon_reload: true
+    enabled: true
+
@@ -0,0 +1,15 @@
+- name: Installation de snapd
+  apt:
+    name:
+      - snapd
+    state: present
+
+- name: Initialisation de snap et installtion de certbot (prendre bien 5min, soyez patient)
+  command: "{{ item }}"
+  loop:
+    - snap install core
+    - snap refresh core
+    - snap install --classic certbot
+
+- name: Création du certificat SSL
+  command: /snap/bin/certbot certonly --standalone -d  {{ inventory_hostname }} -m supervision@nereide.fr --agree-tos --non-interactive
@@ -0,0 +1,49 @@
+---
+- name: vérification des variables obligatoire
+  fail:
+    msg: |
+      il faut définir la variable `coturn_secret` pour utiliser ce role
+  when: coturn_secret is not defined
+
+- name: Installation de coturn
+  apt:
+    name:
+      - coturn
+    update_cache: true
+
+- name: Y-a-t un certificat SSL dans l'avion?
+  stat:
+    path: /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem
+  register: ssl_file
+
+- include_tasks: letsencrypt.yml
+  when: not ssl_file.stat.exists
+
+
+- name: Donne les droits a coturn de lire les certificats SSL
+  file:
+    path: "{{ item }}"
+    owner: turnserver
+    group: turnserver
+    state: directory
+    recurse: yes
+  loop:
+    - /etc/letsencrypt/live
+    - /etc/letsencrypt/archive
+
+- name: set la config coturn
+  template:
+    src: ../templates/turnserver.conf.j2
+    dest: /etc/turnserver.conf
+  notify: restart coturn
+
+- name: Ajout des capabilities à coturn
+  lineinfile:
+    path: /etc/systemd/system/coturn.service.d/override.conf
+    create: yes
+    line: |
+      [Service]
+      AmbientCapabilities=CAP_NET_BIND_SERVICE
+  notify: restart coturn
+
+
@@ -0,0 +1,36 @@
+# jitsi-meet coturn config. Do not modify this line
+use-auth-secret
+keep-address-family
+static-auth-secret={{ coturn_secret }}
+realm={{ inventory_hostname }}
+server-name={{ inventory_hostname }}
+cert=/etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem
+pkey=/etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem
+no-multicast-peers
+no-cli
+no-loopback-peers
+no-tcp-relay
+no-tcp
+listening-port=3478
+tls-listening-port=443
+no-tlsv1
+no-tlsv1_1
+# https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
+cipher-list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+# jitsi-meet coturn relay disable config. Do not modify this line
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
+syslog