Add TLS support to Coturn

roles/matrix-coturn/defaults/main.yml

@@ -38,3 +38,10 @@ matrix_coturn_allowed_peer_ips: []
 matrix_coturn_denied_peer_ips: []
 matrix_coturn_user_quota: null
 matrix_coturn_total_quota: null
+
+# To enable TLS, you need to provide paths to certificates.
+# Paths defined in `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path` are in-container paths.
+# Files on the host can be mounted into the container using `matrix_coturn_container_additional_volumes`.
+matrix_coturn_tls_enabled: false
+matrix_coturn_tls_cert_path: ~
+matrix_coturn_tls_key_path: ~

roles/matrix-coturn/tasks/setup_coturn.yml

@@ -61,15 +61,40 @@
     immediate: yes
     permanent: yes
   with_items:
-    - '3478/tcp' # STUN
-    - '3478/udp' # STUN
+    - '3478/tcp'
+    - '3478/udp'
+    - '5349/tcp'
+    - '5349/udp'
     - "{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp" # TURN
   when: "matrix_coturn_enabled and ansible_os_family == 'RedHat'"
 
+# This may be unnecessary when more long-lived certificates are used.
+# We optimize for the common use-case though (short-lived Let's Encrypt certificates).
+# Reloading doesn't hurt anyway, so there's no need to make this more flexible.
+- name: Ensure periodic reloading of matrix-coturn is configured for SSL renewal (matrix-coturn-reload)
+  cron:
+    user: root
+    cron_file: matrix-coturn-ssl-reload
+    name: matrix-coturn-ssl-reload
+    state: present
+    hour: 4
+    minute: 20
+    day: "*/5"
+    job: /bin/systemctl reload matrix-coturn.service
+  when: matrix_coturn_enabled and matrix_coturn_tls_enabled
+
+
 #
 # Tasks related to getting rid of Coturn (if it was previously enabled)
 #
 
+- name: Ensure matrix-coturn-ssl-reload cronjob removed
+  cron:
+    user: root
+    cron_file: matrix-coturn-ssl-reload
+    state: absent
+  when: "not matrix_coturn_enabled or not matrix_coturn_tls_enabled"
+
 - name: Check existence of matrix-coturn service
   stat:
     path: "/etc/systemd/system/matrix-coturn.service"

roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2

@@ -9,15 +9,19 @@ After={{ service }}
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-coturn
 ExecStartPre=-/usr/bin/docker rm matrix-coturn
+
 ExecStart=/usr/bin/docker run --rm --name matrix-coturn \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
+			--entrypoint=turnserver \
 			--read-only \
 			--tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \
 			--network={{ matrix_coturn_docker_network }} \
 			-p 3478:3478 \
 			-p 3478:3478/udp \
+			-p 5349:5349 \
+			-p 5349:5349/udp \
 			-p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \
 			-v {{ matrix_coturn_config_path }}:/turnserver.conf:ro \
 			{% for volume in matrix_coturn_container_additional_volumes %}
@@ -25,8 +29,14 @@ ExecStart=/usr/bin/docker run --rm --name matrix-coturn \
 			{% endfor %}
 			{{ matrix_coturn_docker_image }} \
 			-c /turnserver.conf
+
 ExecStop=-/usr/bin/docker kill matrix-coturn
 ExecStop=-/usr/bin/docker rm matrix-coturn
+
+# This only reloads certificates (not other configuration).
+# See: https://github.com/coturn/coturn/pull/236
+ExecReload=/usr/bin/docker exec matrix-coturn kill -USR2 1
+
 Restart=always
 RestartSec=30
 

roles/matrix-coturn/templates/turnserver.conf.j2

@@ -1,23 +1,35 @@
 use-auth-secret
 static-auth-secret={{ matrix_coturn_turn_static_auth_secret }}
 realm=turn.{{ matrix_server_fqn_matrix }}
+
 min-port={{ matrix_coturn_turn_udp_min_port }}
 max-port={{ matrix_coturn_turn_udp_max_port }}
 external-ip={{ matrix_coturn_turn_external_ip_address }}
+
 log-file=stdout
 pidfile=/var/tmp/turnserver.pid
 userdb=/var/tmp/turnserver.db
+
 no-cli
+
+{% if matrix_coturn_tls_enabled %}
+cert={{ matrix_coturn_tls_cert_path }}
+pkey={{ matrix_coturn_tls_key_path }}
+{% else %}
 no-tls
 no-dtls
+{% endif %}
+
 prod
 no-tcp-relay
+
 {% if matrix_coturn_user_quota != None %}
 user-quota={{ matrix_coturn_user_quota }}
 {% endif %}
 {% if matrix_coturn_total_quota != None %}
 total-quota={{ matrix_coturn_total_quota }}
 {% endif %}
+
 {% for ip_range in matrix_coturn_denied_peer_ips %}
 denied-peer-ip={{ ip_range }}
 {% endfor %}