finallycoffee/matrix-docker-ansible-deploy
5
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Relocate coturn to MASH project (#4906)

Browse Source 
* Fetch ansible-role-coturn from MASH project

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Replace "matrix_coturn" with "coturn"

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Replace "custom/matrix-coturn" with "galaxy/coturn"

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Set `coturn_identifier`

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Move `coturn_base_path` to matrix_servers for the playbook

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Set `coturn_uid` and `coturn_gid`

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Set empty value to `coturn_turn_external_ip_address_auto_detection_echoip_service_url` on main.yml

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Replace `coturn_docker_image_*`

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Move `coturn_container_image_registry_prefix` to matrix_servers

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Replace "matrix-coturn" with "coturn" on matrix_servers

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Replace "matrix-coturn" with "coturn"

Keep "matrix-coturn" on documentation as-is, since it is specified so with `coturn_identifier`.

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Remove roles/custom/matrix-coturn

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Update CHANGELOG.md

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

---------

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
Co-authored-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
Co-authored-by: Slavi Pantaleev <slavi@devture.com>
This commit is contained in:
Suguru Hirahara
2026-02-11 13:06:27 +00:00
committed by GitHub
parent fa7b784c5b
commit 7b7b6feb5b
23 changed files with 125 additions and 784 deletions
Download Patch File Download Diff File Expand all files Collapse all files

237
roles/custom/matrix-coturn/defaults/main.yml
View File

@@ -1,237 +0,0 @@
# SPDX-FileCopyrightText: 2019 - 2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2019 Stuart Mumford
# SPDX-FileCopyrightText: 2019 Sylvia van Os
# SPDX-FileCopyrightText: 2020 - 2021 Dan Arnfield
# SPDX-FileCopyrightText: 2020 Horvath Gergely
# SPDX-FileCopyrightText: 2021 - 2022 MDAD project contributors
# SPDX-FileCopyrightText: 2021 Ahmad Haghighi
# SPDX-FileCopyrightText: 2022 - 2023 Nikita Chernyi
# SPDX-FileCopyrightText: 2022 Hefty Zauk
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2023 Samuel Meenzen
# SPDX-FileCopyrightText: 2025 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
# Project source code URL: https://github.com/coturn/coturn
matrix_coturn_enabled: true
matrix_coturn_hostname: ""
matrix_coturn_container_image_self_build: false
matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn"
matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}"
matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"
# renovate: datasource=docker depName=coturn/coturn versioning=loose
matrix_coturn_version: 4.8.0
matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_registry_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
matrix_coturn_docker_image_registry_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_coturn_docker_image_registry_prefix_upstream }}"
matrix_coturn_docker_image_registry_prefix_upstream: "{{ matrix_coturn_docker_image_registry_prefix_upstream_default }}"
matrix_coturn_docker_image_registry_prefix_upstream_default: docker.io/
matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"
# The Docker network that coturn would be put into.
#
# Because coturn relays traffic to unvalidated IP addresses,
# using a dedicated network, isolated from other Docker (and local) services is preferable.
#
# Setting up deny/allow rules with `matrix_coturn_allowed_peer_ips`/`matrix_coturn_denied_peer_ips` is also
# possible for achieving such isolation, but is more complicated due to the dynamic nature of Docker networking.
#
# Setting `matrix_coturn_container_network` to 'host' will run the container with host networking,
# which will drastically improve performance when thousands of ports are opened due to Docker not having to set up forwarding rules for each port.
# Running with host networking can be dangerous, as it potentially exposes your local network and its services to coturn peers.
# Regardless of the networking mode, we apply a deny list which via `matrix_coturn_denied_peer_ips`,
# which hopefully prevents access to such private network ranges.
# When running in host-networking mode, you need to adjust the firewall yourself, so that ports are opened.
matrix_coturn_container_network: "matrix-coturn"
matrix_coturn_container_additional_networks: "{{ matrix_coturn_container_additional_networks_auto + matrix_coturn_container_additional_networks_custom }}"
matrix_coturn_container_additional_networks_auto: []
matrix_coturn_container_additional_networks_custom: []
matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn"
matrix_coturn_docker_src_files_path: "{{ matrix_coturn_base_path }}/docker-src"
matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf"
# List of systemd services that matrix-coturn.service depends on
matrix_coturn_systemd_required_services_list: "{{ matrix_coturn_systemd_required_services_list_default + matrix_coturn_systemd_required_services_list_auto + matrix_coturn_systemd_required_services_list_custom }}"
matrix_coturn_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
matrix_coturn_systemd_required_services_list_auto: []
matrix_coturn_systemd_required_services_list_custom: []
# A list of additional "volumes" to mount in the container.
# This list gets populated dynamically at runtime. You can provide a different default value,
# if you wish to mount your own files into the container.
# Contains definition objects like this: `{"type": "bind", "src": "/outside", "dst": "/inside", "options": "readonly"}.
# See the `--mount` documentation for the `docker run` command.
matrix_coturn_container_additional_volumes: []
# A list of extra arguments to pass to the container
matrix_coturn_container_extra_arguments: []
# Controls whether the coturn container exposes its plain STUN port (tcp/3478 in the container) over TCP.
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.
matrix_coturn_container_stun_plain_host_bind_port_tcp: "{{ '3478' if matrix_coturn_container_network != 'host' else '' }}"
# Controls whether the coturn container exposes its plain STUN port (udp/3478 in the container) over UDP.
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.
#
# Ideally, we'd like to set this to "" to avoid exposing this port and decrease the risk of DDoS amplification attacks.
# See: https://stormwall.network/resources/blog/protect-against-ddos-based-on-stun-exploit
# In practice, old Element clients only support talking to the STUN port over UDP, not TCP, so we need to keep this enabled for now.
matrix_coturn_container_stun_plain_host_bind_port_udp: "{{ '3478' if matrix_coturn_container_network != 'host' else '' }}"
# Controls whether the coturn container exposes its TLS STUN port (tcp/5349 in the container) over TCP.
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.
matrix_coturn_container_stun_tls_host_bind_port_tcp: "{{ '5349' if matrix_coturn_container_network != 'host' else '' }}"
# Controls whether the coturn container exposes its TLS STUN port (udp/5349 in the container) over UDP.
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.
#
# This is enabled by default, unlike `matrix_coturn_container_stun_plain_host_bind_port_udp`,
# because the risk of DDoS amplification attacks is lower for TLS
# due to the handshake requiring two-way authentication and being generally more expensive.
matrix_coturn_container_stun_tls_host_bind_port_udp: "{{ '5349' if matrix_coturn_container_network != 'host' else '' }}"
# Controls whether the coturn container exposes its TURN UDP port range and which interface to do it on.
#
# Takes an interface "<ip address>" (e.g. "127.0.0.1"), or empty string to listen on all interfaces.
# Takes a null/none value (`~`) or 'none' (as a string) to prevent listening.
#
# The UDP port-range itself is specified using `matrix_coturn_turn_udp_min_port` and `matrix_coturn_turn_udp_max_port`.
matrix_coturn_container_turn_range_listen_interface: "{{ '' if matrix_coturn_container_network != 'host' else 'none' }}"
# UDP port-range to use for TURN
matrix_coturn_turn_udp_min_port: 49152
matrix_coturn_turn_udp_max_port: 49172
# Controls the `realm` configuration option
matrix_coturn_realm: "turn.{{ matrix_coturn_hostname }}"
# Controls which authentication method to enable.
#
# lt-cred-mech likely provides better compatibility,
# as described here: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3191
# but those claims are unverified.
#
# For now, we still default to `auth-secret` like we've always done.
#
# Known values: auth-secret, lt-cred-mech
matrix_coturn_authentication_method: auth-secret
# A shared secret used for authentication when `matrix_coturn_authentication_method` is `auth-secret`.
# You can put any string here, but generating a strong one is preferred. You can create one with a command like `pwgen -s 64 1`.
matrix_coturn_turn_static_auth_secret: ""
# A username used authentication when `matrix_coturn_authentication_method` is `lt-cred-mech`.
matrix_coturn_lt_cred_mech_username: ""
# A password used authentication when `matrix_coturn_authentication_method` is `lt-cred-mech`.
matrix_coturn_lt_cred_mech_password: ""
# The external IP address of the machine where coturn is.
# If do not define an IP address here or in `matrix_coturn_turn_external_ip_addresses`, auto-detection via an EchoIP service will be done.
# See `matrix_coturn_turn_external_ip_address_auto_detection_enabled`
matrix_coturn_turn_external_ip_address: ""
matrix_coturn_turn_external_ip_addresses: "{{ [matrix_coturn_turn_external_ip_address] if matrix_coturn_turn_external_ip_address != '' else [] }}"
# Controls whether external IP address auto-detection should be attempted.
# We try to do this if there is no external IP address explicitly configured and if an EchoIP service URL is specified.
# See matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url
matrix_coturn_turn_external_ip_address_auto_detection_enabled: "{{ matrix_coturn_turn_external_ip_addresses | length == 0 and matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url != '' }}"
# Specifies the address of the EchoIP service (https://github.com/mpolden/echoip) to use for detecting the external IP address.
# By default, we use the official public instance.
matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url: https://ifconfig.co/json
# Controls whether SSL certificates will be validated when contacting the EchoIP service (matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url)
matrix_coturn_turn_external_ip_address_auto_detection_echoip_validate_certs: true
matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_count: "{{ devture_playbook_help_geturl_retries_count }}"
matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_delay: "{{ devture_playbook_help_geturl_retries_delay }}"
matrix_coturn_allowed_peer_ips: []
# We block loopback interfaces and private networks by default to prevent private resources from being accessible.
# This is especially important when coturn does not run within a container network (e.g. `matrix_coturn_container_network: host`).
#
# Learn more: https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/
#
# If you're running coturn for local network peers, you may wish to override these rules.
matrix_coturn_denied_peer_ips:
- 0.0.0.0-0.255.255.255
- 10.0.0.0-10.255.255.255
- 100.64.0.0-100.127.255.255
- 127.0.0.0-127.255.255.255
- 169.254.0.0-169.254.255.255
- 172.16.0.0-172.31.255.255
- 192.0.0.0-192.0.0.255
- 192.0.2.0-192.0.2.255
- 192.88.99.0-192.88.99.255
- 192.168.0.0-192.168.255.255
- 198.18.0.0-198.19.255.255
- 198.51.100.0-198.51.100.255
- 203.0.113.0-203.0.113.255
- 240.0.0.0-255.255.255.255
- ::1
- 64:ff9b::-64:ff9b::ffff:ffff
- ::ffff:0.0.0.0-::ffff:255.255.255.255
- 100::-100::ffff:ffff:ffff:ffff
- 2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
- 2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
- fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
- fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
matrix_coturn_user_quota: null
matrix_coturn_total_quota: null
# Controls whether `no-tcp-relay` is added to the configuration
# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L419-L422
matrix_coturn_no_tcp_relay_enabled: true
# Controls whether `no-multicast-peers` is added to the configuration
# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L629-L632
matrix_coturn_no_multicast_peers_enabled: true
# Controls whether `no-rfc5780` is added to the configuration
# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L770-L781
matrix_coturn_no_rfc5780_enabled: true
# Controls whether `no-stun-backward-compatibility` is added to the configuration
# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L783-L789
matrix_coturn_no_stun_backward_compatibility_enabled: true
# Controls whether `response-origin-only-with-rfc5780` is added to the configuration
# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L791-L796
matrix_coturn_response_origin_only_with_rfc5780_enabled: true
# Additional configuration to be passed to turnserver.conf
# Example:
# matrix_coturn_additional_configuration: |
# simple-log
# aux-server=1.2.3.4
# relay-ip=4.3.2.1
matrix_coturn_additional_configuration: ""
# To enable TLS, you need to provide paths to certificates.
# Paths defined in `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path` are in-container paths.
# Files on the host can be mounted into the container using `matrix_coturn_container_additional_volumes`.
matrix_coturn_tls_enabled: false
matrix_coturn_tls_cert_path: ~
matrix_coturn_tls_key_path: ~
matrix_coturn_tls_v1_enabled: false
matrix_coturn_tls_v1_1_enabled: false
# systemd calendar configuration for the reload job
# the actual job may run with a delay (see matrix_coturn_reload_schedule_randomized_delay_sec)
matrix_coturn_reload_schedule: "*-*-* 06:30:00"
# the delay with which the systemd timer may run in relation to the `matrix_coturn_reload_schedule` schedule
matrix_coturn_reload_schedule_randomized_delay_sec: 1h

26
roles/custom/matrix-coturn/tasks/main.yml
View File

@@ -1,26 +0,0 @@
# SPDX-FileCopyrightText: 2019 - 2023 Slavi Pantaleev
# SPDX-FileCopyrightText: 2019 Dan Arnfield
# SPDX-FileCopyrightText: 2022 Marko Weltzer
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- tags:
- setup-all
- setup-coturn
- install-all
- install-coturn
block:
- when: matrix_coturn_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- when: matrix_coturn_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
- tags:
- setup-all
- setup-coturn
block:
- when: not matrix_coturn_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"

146
roles/custom/matrix-coturn/tasks/setup_install.yml
View File

@@ -1,146 +0,0 @@
# SPDX-FileCopyrightText: 2018 - 2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2019 - 2020 MDAD project contributors
# SPDX-FileCopyrightText: 2019 Dan Arnfield
# SPDX-FileCopyrightText: 2020 Béla Becker
# SPDX-FileCopyrightText: 2020 Chris van Dijk
# SPDX-FileCopyrightText: 2020 Horvath Gergely
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2022 Nikita Chernyi
# SPDX-FileCopyrightText: 2022 Sebastian Gumprich
# SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
# SPDX-FileCopyrightText: 2024 David Mehren
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- when: matrix_coturn_turn_external_ip_address_auto_detection_enabled | bool
block:
- name: Fail if enabled, but EchoIP service URL unset
when: matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url == ''
ansible.builtin.fail:
msg: "To use the external IP address auto-detection feature, you need to set matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url"
# Note:
# `ansible.builtin.uri` does not provide a way to configure whether IPv4 or IPv6 is used.
# Luckily, the default instance we use does not define AAAA records for now, so it's always IPv4.
- name: Fetch IP address information from EchoIP service
ansible.builtin.uri:
url: "{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url }}"
headers:
Content-Type: application/json
follow_redirects: none
validate_certs: "{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_validate_certs }}"
register: result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response
ignore_errors: true
check_mode: false
retries: "{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_count }}"
delay: "{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_delay }}"
until: not result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response.failed
- name: Fail if EchoIP service failed
when: "(result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response.failed or 'json' not in result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response)"
ansible.builtin.fail:
msg: "Failed contacting EchoIP service API at `{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url }}` (controlled by `matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url`). Full error: {{ result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response }}"
- ansible.builtin.set_fact:
matrix_coturn_turn_external_ip_address: "{{ result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response.json.ip }}"
- name: Ensure Matrix coturn path exists
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- {path: "{{ matrix_coturn_docker_src_files_path }}", when: "{{ matrix_coturn_container_image_self_build }}"}
when: "item.when | bool"
- name: Ensure coturn image is pulled
community.docker.docker_image:
name: "{{ matrix_coturn_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_coturn_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_coturn_docker_image_force_pull }}"
when: "not matrix_coturn_container_image_self_build | bool"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- when: "matrix_coturn_container_image_self_build | bool"
block:
- name: Ensure coturn repository is present on self-build
ansible.builtin.git:
repo: "{{ matrix_coturn_container_image_self_build_repo }}"
dest: "{{ matrix_coturn_docker_src_files_path }}"
version: "{{ matrix_coturn_container_image_self_build_repo_version }}"
force: "yes"
become: true
become_user: "{{ matrix_user_name }}"
register: matrix_coturn_git_pull_results
- name: Ensure coturn Docker image is built
community.docker.docker_image:
name: "{{ matrix_coturn_docker_image }}"
source: build
force_source: "{{ matrix_coturn_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_coturn_git_pull_results.changed }}"
build:
dockerfile: "{{ matrix_coturn_container_image_self_build_repo_dockerfile_path }}"
path: "{{ matrix_coturn_docker_src_files_path }}"
pull: true
- name: Ensure coturn configuration path exists
ansible.builtin.file:
path: "{{ matrix_coturn_base_path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure turnserver.conf installed
ansible.builtin.template:
src: "{{ role_path }}/templates/turnserver.conf.j2"
dest: "{{ matrix_coturn_config_path }}"
mode: 0644
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure coturn network is created in Docker
when: matrix_coturn_container_network not in ['', 'host']
community.docker.docker_network:
enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
name: "{{ matrix_coturn_container_network }}"
driver: bridge
driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
- name: Ensure matrix-coturn.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-coturn.service"
mode: 0644
# This may be unnecessary when more long-lived certificates are used.
# We optimize for the common use-case though (short-lived Let's Encrypt certificates).
# Reloading doesn't hurt anyway, so there's no need to make this more flexible.
- name: Ensure reloading systemd units installed, if necessary
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/{{ item }}.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ item }}"
mode: 0644
when: "matrix_coturn_tls_enabled | bool"
with_items:
- matrix-coturn-reload.service
- matrix-coturn-reload.timer
# A similar task exists in `setup_uninstall.yml`
- name: Ensure reloading systemd units uninstalled, if unnecessary
ansible.builtin.file:
path: "{{ item }}"
state: absent
when: "not matrix_coturn_tls_enabled | bool"
with_items:
- matrix-coturn-reload.service
- matrix-coturn-reload.timer

43
roles/custom/matrix-coturn/tasks/setup_uninstall.yml
View File

@@ -1,43 +0,0 @@
# SPDX-FileCopyrightText: 2021 - 2022 Slavi Pantaleev
# SPDX-FileCopyrightText: 2022 Marko Weltzer
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Check existence of matrix-coturn service
ansible.builtin.stat:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-coturn.service"
register: matrix_coturn_service_stat
when: "not matrix_coturn_enabled | bool"
- when: matrix_coturn_service_stat.stat.exists | bool
block:
- name: Ensure matrix-coturn is stopped
ansible.builtin.service:
name: matrix-coturn
state: stopped
enabled: false
daemon_reload: true
- name: Ensure matrix-coturn-reload.timer is stopped
ansible.builtin.service:
name: matrix-coturn
state: stopped
enabled: false
daemon_reload: true
failed_when: false
- name: Ensure systemd units don't exist
ansible.builtin.file:
path: "{{ devture_systemd_docker_base_systemd_path }}/{{ item }}"
state: absent
with_items:
- matrix-coturn.service
- matrix-coturn-reload.service
- matrix-coturn-reload.timer
- name: Ensure Matrix coturn paths don't exist
ansible.builtin.file:
path: "{{ matrix_coturn_base_path }}"
state: absent

35
roles/custom/matrix-coturn/tasks/validate_config.yml
View File

@@ -1,35 +0,0 @@
# SPDX-FileCopyrightText: 2019 - 2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: (Deprecation) Catch and report renamed coturn settings
ansible.builtin.fail:
msg: >-
Your configuration contains a variable, which now has a different name.
Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml).
when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
with_items:
- {'old': 'matrix_coturn_docker_network', 'new': 'matrix_coturn_container_network'}
- {'old': 'matrix_coturn_container_stun_plain_host_bind_port', 'new': 'superseded by matrix_coturn_container_stun_plain_host_bind_port_tcp and matrix_coturn_container_stun_plain_host_bind_port_udp'}
- {'old': 'matrix_coturn_container_stun_tls_host_bind_port', 'new': 'superseded by matrix_coturn_container_stun_tls_host_bind_port_tcp and matrix_coturn_container_stun_tls_host_bind_port_udp'}
- {'old': 'matrix_coturn_container_image_name_prefix', 'new': 'matrix_coturn_docker_image_registry_prefix'}
- name: Fail if matrix_coturn_authentication_method is invalid
ansible.builtin.fail:
msg: >-
Invalid authentication method specified in `matrix_coturn_authentication_method`
when: "matrix_coturn_authentication_method not in ['auth-secret', 'lt-cred-mech']"
- name: Fail if required coturn settings not defined
ansible.builtin.fail:
msg: >-
You need to define a required configuration setting (`{{ item.name }}`).
when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
with_items:
- {'name': 'matrix_coturn_hostname', when: true}
- {'name': 'matrix_coturn_turn_static_auth_secret', when: "{{ matrix_coturn_authentication_method == 'auth-secret' }}"}
- {'name': 'matrix_coturn_lt_cred_mech_username', when: "{{ matrix_coturn_authentication_method == 'lt-cred-mech' }}"}
- {'name': 'matrix_coturn_lt_cred_mech_password', when: "{{ matrix_coturn_authentication_method == 'lt-cred-mech' }}"}

12
roles/custom/matrix-coturn/templates/systemd/matrix-coturn-reload.service.j2
View File

@@ -1,12 +0,0 @@
{#
SPDX-FileCopyrightText: 2021 - 2022 Slavi Pantaleev
SPDX-License-Identifier: AGPL-3.0-or-later
#}
[Unit]
Description=Reloads matrix-coturn so that new SSL certificates can kick in
[Service]
Type=oneshot
ExecStart={{ devture_systemd_docker_base_host_command_systemctl }} reload matrix-coturn.service

18
roles/custom/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2
View File

@@ -1,18 +0,0 @@
{#
SPDX-FileCopyrightText: 2021 - 2022 Slavi Pantaleev
SPDX-FileCopyrightText: 2021 Hardy Erlinger
SPDX-FileCopyrightText: 2025 Suguru Hirahara
SPDX-License-Identifier: AGPL-3.0-or-later
#}
[Unit]
Description=Reloads matrix-coturn periodically so that new SSL certificates can kick in
[Timer]
Unit=matrix-coturn-reload.service
OnCalendar={{ matrix_coturn_reload_schedule }}
RandomizedDelaySec={{ matrix_coturn_reload_schedule_randomized_delay_sec }}
[Install]
WantedBy=timers.target

70
roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2
View File

@@ -1,70 +0,0 @@
#jinja2: lstrip_blocks: True
[Unit]
Description=Matrix coturn server
{% for service in matrix_coturn_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-coturn 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-coturn 2>/dev/null || true'
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
--rm \
--name=matrix-coturn \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--cap-add=NET_BIND_SERVICE \
--entrypoint=turnserver \
--read-only \
--tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \
--network={{ matrix_coturn_container_network }} \
{% if matrix_coturn_container_stun_plain_host_bind_port_tcp != '' %}
-p {{ matrix_coturn_container_stun_plain_host_bind_port_tcp }}:3478 \
{% endif %}
{% if matrix_coturn_container_stun_plain_host_bind_port_udp != '' %}
-p {{ matrix_coturn_container_stun_plain_host_bind_port_udp }}:3478/udp \
{% endif %}
{% if matrix_coturn_container_stun_tls_host_bind_port_tcp != '' %}
-p {{ matrix_coturn_container_stun_tls_host_bind_port_tcp }}:5349 \
{% endif %}
{% if matrix_coturn_container_stun_tls_host_bind_port_udp != '' %}
-p {{ matrix_coturn_container_stun_tls_host_bind_port_udp }}:5349/udp \
{% endif %}
{% if matrix_coturn_container_turn_range_listen_interface is not in [none, 'none'] %}
-p {{ matrix_coturn_container_turn_range_listen_interface }}{{ ':' if matrix_coturn_container_turn_range_listen_interface else '' }}{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \
{% endif %}
--mount type=bind,src={{ matrix_coturn_config_path }},dst=/turnserver.conf,ro \
{% for volume in matrix_coturn_container_additional_volumes %}
--mount type={{ volume.type | default('bind' if '/' in volume.src else 'volume') }},src={{ volume.src }},dst={{ volume.dst }}{{ (',' + volume.options) if volume.options else '' }} \
{% endfor %}
{% for arg in matrix_coturn_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_coturn_docker_image }} \
-c /turnserver.conf
{% for network in matrix_coturn_container_additional_networks %}
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-coturn
{% endfor %}
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-coturn
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-coturn 2>/dev/null || true'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-coturn 2>/dev/null || true'
# This only reloads certificates (not other configuration).
# See: https://github.com/coturn/coturn/pull/236
ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-coturn kill -USR2 1
Restart=always
RestartSec=30
SyslogIdentifier=matrix-coturn
[Install]
WantedBy=multi-user.target

8
roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2.license
View File

@@ -1,8 +0,0 @@
SPDX-FileCopyrightText: 2018 - 2025 Slavi Pantaleev
SPDX-FileCopyrightText: 2019 Hugues De Keyzer
SPDX-FileCopyrightText: 2019 Sylvia van Os
SPDX-FileCopyrightText: 2020 Chris van Dijk
SPDX-FileCopyrightText: 2021 Dan Arnfield
SPDX-FileCopyrightText: 2024 Suguru Hirahara
SPDX-License-Identifier: AGPL-3.0-or-later

78
roles/custom/matrix-coturn/templates/turnserver.conf.j2
View File

@@ -1,78 +0,0 @@
#jinja2: lstrip_blocks: True
{% if matrix_coturn_authentication_method == 'auth-secret' %}
use-auth-secret
static-auth-secret={{ matrix_coturn_turn_static_auth_secret }}
userdb=/var/tmp/turnserver.db
{% endif %}
{% if matrix_coturn_authentication_method == 'lt-cred-mech' %}
lt-cred-mech
user={{ matrix_coturn_lt_cred_mech_username }}:{{ matrix_coturn_lt_cred_mech_password }}
{% endif %}
realm={{ matrix_coturn_realm }}
min-port={{ matrix_coturn_turn_udp_min_port }}
max-port={{ matrix_coturn_turn_udp_max_port }}
{% for ip in matrix_coturn_turn_external_ip_addresses %}
external-ip={{ ip }}
{% endfor %}
log-file=stdout
pidfile=/var/tmp/turnserver.pid
no-cli
{% if matrix_coturn_tls_enabled %}
cert={{ matrix_coturn_tls_cert_path }}
pkey={{ matrix_coturn_tls_key_path }}
{% if not matrix_coturn_tls_v1_enabled %}
no-tlsv1
{% endif %}
{% if not matrix_coturn_tls_v1_1_enabled %}
no-tlsv1_1
{% endif %}
{% else %}
no-tls
no-dtls
{% endif %}
prod
{% if matrix_coturn_no_tcp_relay_enabled %}
no-tcp-relay
{% endif %}
{% if matrix_coturn_no_rfc5780_enabled %}
no-rfc5780
{% endif %}
{% if matrix_coturn_no_stun_backward_compatibility_enabled %}
no-stun-backward-compatibility
{% endif %}
{% if matrix_coturn_response_origin_only_with_rfc5780_enabled %}
response-origin-only-with-rfc5780
{% endif %}
{% if matrix_coturn_user_quota != None %}
user-quota={{ matrix_coturn_user_quota }}
{% endif %}
{% if matrix_coturn_total_quota != None %}
total-quota={{ matrix_coturn_total_quota }}
{% endif %}
{% if matrix_coturn_no_multicast_peers_enabled %}
no-multicast-peers
{% endif %}
{% for ip_range in matrix_coturn_denied_peer_ips %}
denied-peer-ip={{ ip_range }}
{% endfor %}
{% for ip_range in matrix_coturn_allowed_peer_ips %}
allowed-peer-ip={{ ip_range }}
{% endfor %}
{{ matrix_coturn_additional_configuration }}

6
roles/custom/matrix-coturn/templates/turnserver.conf.j2.license
View File

@@ -1,6 +0,0 @@
SPDX-FileCopyrightText: 2018 - 2024 Slavi Pantaleev
SPDX-FileCopyrightText: 2019 Hugues De Keyzer
SPDX-FileCopyrightText: 2019 Stuart Mumford
SPDX-FileCopyrightText: 2021 - 2022 MDAD project contributors
SPDX-License-Identifier: AGPL-3.0-or-later

21
roles/custom/matrix-coturn/vars/main.yml
View File

@@ -1,21 +0,0 @@
# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
matrix_coturn_turn_uris: |-
{{
([
'turns:' + matrix_coturn_hostname + '?transport=udp',
'turns:' + matrix_coturn_hostname + '?transport=tcp',
] if matrix_coturn_tls_enabled else [])
+
([
'turn:' + matrix_coturn_hostname + '?transport=udp',
] if (matrix_coturn_container_stun_plain_host_bind_port_udp != '' or matrix_coturn_container_network == 'host') else [])
+
([
'turn:' + matrix_coturn_hostname + '?transport=tcp',
] if (matrix_coturn_container_stun_plain_host_bind_port_tcp != '' or matrix_coturn_container_network == 'host') else [])
}}

18
roles/custom/matrix_playbook_migration/tasks/validate_config.yml
View File

@@ -80,6 +80,11 @@
- {'old': 'cinny_docker_image_registry_prefix_upstream', 'new': 'cinny_container_image_registry_prefix_upstream'}
- {'old': 'cinny_docker_image_registry_prefix_upstream_default', 'new': 'cinny_container_image_registry_prefix_upstream_default'}
- {'old': 'coturn_docker_image', 'new': 'coturn_container_image'}
- {'old': 'coturn_docker_image_registry_prefix', 'new': 'coturn_container_image_registry_prefix'}
- {'old': 'coturn_docker_image_registry_prefix_upstream', 'new': 'coturn_container_image_registry_prefix_upstream'}
- {'old': 'coturn_docker_image_registry_prefix_upstream_default', 'new': 'coturn_container_image_registry_prefix_upstream_default'}
- {'old': 'ddclient_docker_image', 'new': 'ddclient_container_image'}
- {'old': 'ddclient_docker_image_registry_prefix', 'new': 'ddclient_container_image_registry_prefix'}
- {'old': 'ddclient_docker_image_registry_prefix_upstream', 'new': 'ddclient_container_image_registry_prefix_upstream'}
@@ -595,6 +600,19 @@
The following variables in your configuration need to be renamed: {{ lookup('ansible.builtin.varnames', '^matrix_client_cinny_.+', wantlist=True) | join(', ') }}
when: "lookup('ansible.builtin.varnames', '^matrix_client_cinny_.+', wantlist=True) | length > 0"
- name: (Deprecation) Catch and report matrix-coturn variables
ansible.builtin.fail:
msg: |-
The matrix-coturn role in the playbook now lives under the MASH organization (https://github.com/mother-of-all-self-hosting/ansible-role-coturn).
The new role is pretty much the same, but uses differently named variables.
Please rename all `matrix_coturn_`-prefixed variables (`matrix_coturn_*` -> `coturn_*`) on your configuration file (vars.yml).
After renaming them, please do not forget to fetch the Ansible role. See docs/maintenance-upgrading-services.md for details about how to do so.
The following variables in your configuration need to be renamed: {{ lookup('ansible.builtin.varnames', '^matrix_coturn_.+', wantlist=True) | join(', ') }}
when: "lookup('ansible.builtin.varnames', '^matrix_coturn_.+', wantlist=True) | length > 0"
- name: (Deprecation) Catch and report matrix-conduwuit variables
ansible.builtin.fail:
msg: |-