From dbbb3510f3224cd6486da8e9cfb6380b6829b2aa Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Sat, 27 Sep 2025 14:18:29 +0200
Subject: [PATCH] Refactor TURN/STUN config:
- Removed ?transport=udp from Nextcloud Talk TURN server definitions
- Dropped --no-tcp-relay to allow TCP fallback
- Removed invalid UDP mapping on TLS port
- Introduced switch between REST secret auth and lt-cred-mech via COTURN_USER_AUTH_ENABLED
- Added user_auth_enabled flag in coturn config for flexibility
See: https://chatgpt.com/share/68d7d601-3558-800f-bc84-00d7e8fc3243
---
 .../templates/docker-compose.override.yml.j2 | 1 -
 roles/web-app-nextcloud/vars/main.yml | 4 ++--
 roles/web-svc-coturn/config/main.yml | 19 ++++++++++---------
 .../templates/docker-compose.yml.j2 | 9 +++++----
 roles/web-svc-coturn/vars/main.yml | 1 +
 5 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/roles/web-app-bigbluebutton/templates/docker-compose.override.yml.j2 b/roles/web-app-bigbluebutton/templates/docker-compose.override.yml.j2
index a03c4684..f7543e15 100644
--- a/roles/web-app-bigbluebutton/templates/docker-compose.override.yml.j2
+++ b/roles/web-app-bigbluebutton/templates/docker-compose.override.yml.j2
@@ -21,7 +21,6 @@ services:
 --fingerprint
 --no-multicast-peers
 --no-cli
- --no-tcp-relay
 --min-port={{ BBB_RELAY_PORT_START }}
 --max-port={{ BBB_RELAY_PORT_END }}
 --external-ip=${EXTERNAL_IPv4}
diff --git a/roles/web-app-nextcloud/vars/main.yml b/roles/web-app-nextcloud/vars/main.yml
index 30ff45f8..11f4fbdb 100644
--- a/roles/web-app-nextcloud/vars/main.yml
+++ b/roles/web-app-nextcloud/vars/main.yml
@@ -85,7 +85,7 @@ NEXTCLOUD_TALK_STUN_ONBOARD_CONFIG: "{{ NEXTCLOUD_TALK_DOMAIN }}:{{ NE
 NEXTCLOUD_TALK_TURN_ONBOARD_CONFIG: >-
 {{ {
- 'server': NEXTCLOUD_TALK_DOMAIN ~ ':' ~ NEXTCLOUD_TALK_TURN_ONBOARD_PORT ~ '?transport=udp',
+ 'server': NEXTCLOUD_TALK_DOMAIN ~ ':' ~ NEXTCLOUD_TALK_TURN_ONBOARD_PORT,
 'secret': NEXTCLOUD_TALK_TURN_ONBOARD_SECRET,
 'ttl': 86400,
 'protocols': 'udp,tcp'
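Review bot: Dropping `--no-tcp-relay` does not buy the TCP fallback the commit message describes: in coturn that option only disables RFC 6062 TCP relay allocations, whereas TURN-over-TCP for clients is controlled by `--no-tcp`, which this command never set, so clients could already fall back to TCP before this change. What the removal actually enables is relay allocations whose peer side is a TCP connection opened or accepted by the TURN server, which WebRTC media does not use and which extends the relay's reach to every TCP service the host can address. I would keep `--no-tcp-relay` here and in the @@ -33,7 +35,6 @@ hunk of roles/web-svc-coturn/templates/docker-compose.yml.j2, or, if TCP relays are genuinely needed, pair them with `--denied-peer-ip` entries for the private ranges unless such entries already exist outside the hunk. The `command:` list this hunk belongs to begins and ends outside the hunk.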
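Review bot: With `?transport=udp` gone from `'server'`, the `'protocols': 'udp,tcp'` entry is now the only place that determines which TURN transports Talk is offered, and nothing in the mapping says the qualifier was dropped deliberately; the @@ -102,7 +102,7 @@ hunk of this file has the same gap. A comment above the `NEXTCLOUD_TALK_TURN_ONBOARD_CONFIG: >-` key, `# transports are chosen per entry of 'protocols'; do not append ?transport= to 'server'`, would keep the next edit from reintroducing it. Put the comment above the key rather than inside the `>-` block, where a `#` line becomes part of the folded scalar and ends up inside the Jinja expression.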
@@ -102,7 +102,7 @@ NEXTCLOUD_TALK_STUN_STANDALONE_CONFIG: "{{ NEXTCLOUD_TALK_TURN_STANDALONE
 NEXTCLOUD_TALK_TURN_STANDALONE_CONFIG: >-
 {{ {
- 'server': NEXTCLOUD_TALK_TURN_STANDALONE_DOMAIN ~ ':' ~ NEXTCLOUD_TALK_TURN_STANDALONE_PORT ~ '?transport=udp',
+ 'server': NEXTCLOUD_TALK_TURN_STANDALONE_DOMAIN ~ ':' ~ NEXTCLOUD_TALK_TURN_STANDALONE_PORT,
 'secret': NEXTCLOUD_TALK_TURN_STANDALONE_SECRET,
 'ttl': 86400,
 'protocols': 'udp,tcp'
diff --git a/roles/web-svc-coturn/config/main.yml b/roles/web-svc-coturn/config/main.yml
index a24e72a6..55aa64b3 100644
--- a/roles/web-svc-coturn/config/main.yml
+++ b/roles/web-svc-coturn/config/main.yml
@@ -6,14 +6,15 @@ server:
 docker:
 services:
 coturn:
- image: "coturn/coturn"
- version: "latest"
- cpus: 1.0
- mem_reservation: 512m
- mem_limit: 1g
- pids_limit: 256
- network_mode: host
+ image: "coturn/coturn"
+ version: "latest"
+ user_auth_enabled: false
+ cpus: 1.0
+ mem_reservation: 512m
+ mem_limit: 1g
+ pids_limit: 256
+ network_mode: host
 redis:
- enabled: false
+ enabled: false
 database:
- enabled: false
+ enabled: false
diff --git a/roles/web-svc-coturn/templates/docker-compose.yml.j2 b/roles/web-svc-coturn/templates/docker-compose.yml.j2
index 121733d7..157f0e47 100644
--- a/roles/web-svc-coturn/templates/docker-compose.yml.j2
+++ b/roles/web-svc-coturn/templates/docker-compose.yml.j2
@@ -10,7 +10,6 @@
 - "{{ COTURN_STUN_TURN_PORT }}:{{ COTURN_STUN_TURN_PORT }}/udp"
 - "{{ COTURN_STUN_TURN_PORT }}:{{ COTURN_STUN_TURN_PORT }}/tcp"
 - "{{ COTURN_STUN_TURN_PORT_TLS }}:{{ COTURN_STUN_TURN_PORT_TLS }}/tcp"
- - "{{ COTURN_STUN_TURN_PORT_TLS }}:{{ COTURN_STUN_TURN_PORT_TLS }}/udp"
 - "{{ COTURN_RELAY_PORT_RANGE }}/udp"
 {% include 'roles/docker-container/templates/networks.yml.j2' %}
 {% endif %}
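Review bot: The new `user_auth_enabled: false` key explains neither what it switches nor that `false` still means authenticated access via the shared secret rather than no authentication; judging by the template hunk in this commit, it selects `--lt-cred-mech` when true and the TURN REST shared secret (`--use-auth-secret`) when false. A comment directly above it, `# false: TURN REST API shared secret (--use-auth-secret); true: long-term credentials (--lt-cred-mech)`, would make that legible to whoever edits the config. It also sits among container resource limits under `docker.services.coturn` although it selects an authentication mode, a placement the lookup in roles/web-svc-coturn/vars/main.yml now hard-codes, so moving it later means touching both files. The re-emitted block still pins `version: "latest"`, so the coturn build that runs is whatever the registry serves at deploy time rather than a reviewed release.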
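Review bot: The relay range on the `COTURN_RELAY_PORT_RANGE` line is published for UDP only, yet the @@ -33,7 +35,6 @@ hunk of this file removes `--no-tcp-relay`, which lets coturn allocate RFC 6062 TCP relay endpoints; in this branch, which from the trailing `{% endif %}` appears to be the explicitly-published-ports case, a peer connecting to such a TCP relay would find no mapping for it as far as the visible lines show. Either keep `--no-tcp-relay` so the published ports describe everything the server can allocate, or add a matching `- "{{ COTURN_RELAY_PORT_RANGE }}/tcp"` with a comment stating why both transports are relayed. The `{% if %}` block that wraps these mappings starts before the hunk.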
@@ -18,10 +17,13 @@
 - "{{ COTURN_TLS_CERT_PATH }}:{{ COTURN_TLS_CERT_PATH }}:ro"
 - "{{ COTURN_TLS_KEY_PATH }}:{{ COTURN_TLS_KEY_PATH }}:ro"
 command: >
- --use-auth-secret
- --static-auth-secret="${COTURN_STATIC_AUTH_SECRET}"
+{% if COTURN_USER_AUTH_ENABLED | bool %}
 --lt-cred-mech
 --user="${COTURN_USER_NAME}:${COTURN_USER_PASSWORD}"
+{% else %}
+ --use-auth-secret
+ --static-auth-secret="${COTURN_STATIC_AUTH_SECRET}"
+{% endif %}
 --log-file=stdout
 --external-ip={{ networks.internet.ip4 }}
 {% if networks.internet.ip6|default('') %}
@@ -33,7 +35,6 @@
 --stale-nonce
 --no-multicast-peers
 --no-cli
- --no-tcp-relay
 --listening-port={{ COTURN_STUN_TURN_PORT }}
 --tls-listening-port={{ COTURN_STUN_TURN_PORT_TLS }}
 --min-port={{ COTURN_RELAY_PORT_START }}
diff --git a/roles/web-svc-coturn/vars/main.yml b/roles/web-svc-coturn/vars/main.yml
index c66bfda4..0b05e7db 100644
--- a/roles/web-svc-coturn/vars/main.yml
+++ b/roles/web-svc-coturn/vars/main.yml
@@ -23,6 +23,7 @@ COTURN_RELAY_PORT_RANGE: "{{ COTURN_RELAY_PORT_START }}-{{ COTURN_RELAY_PORT_
 COTURN_USER_NAME: "{{ applications | get_app_conf(application_id, 'username') }}"
 COTURN_USER_PASSWORD: "{{ applications | get_app_conf(application_id, 'credentials.user_password') }}"
 COTURN_STATIC_AUTH_SECRET: "{{ applications | get_app_conf(application_id, 'credentials.auth_secret') }}"
+COTURN_USER_AUTH_ENABLED: "{{ applications | get_app_conf(application_id, 'docker.services.' ~ entity_name ~ '.user_auth_enabled') }}"
 ## Certificates
 COTURN_TLS_CERT_PATH: "{{ [ LETSENCRYPT_LIVE_PATH, ssl_cert_folder, 'fullchain.pem' ] | path_join }}"
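Review bot: When `COTURN_USER_AUTH_ENABLED` is true the rendered command offers only `--lt-cred-mech`, but the Nextcloud Talk definitions changed in this same commit (roles/web-app-nextcloud/vars/main.yml) hand Talk a `secret`, which is the TURN REST API mechanism that only the `--use-auth-secret` branch serves; with the switch on, those clients can no longer derive valid credentials and the failure shows up only as calls that do not connect (BigBlueButton's TURN settings are not in this diff and may be affected the same way). A template comment above the `{% if %}`, `{# lt-cred-mech mode is incompatible with consumers that authenticate via the shared secret (Nextcloud Talk); keep COTURN_USER_AUTH_ENABLED false while they are deployed #}`, or better a task-level assert in the role, should record that constraint. Both branches keep the credentials in the container's argument vector, where `docker inspect` and the host process list expose them; that predates this commit, but the refactor would be the moment to move them into a mounted coturn config file. The `command: >` scalar continues past the end of the hunk.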
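Review bot: The new `COTURN_USER_AUTH_ENABLED` line is a templated expression and is not guaranteed to reach consumers as a boolean: depending on how Ansible converts the result of a single-expression template it can arrive as the string `"False"`, which a bare `{% if COTURN_USER_AUTH_ENABLED %}` would treat as true, so the `| bool` filter in roles/web-svc-coturn/templates/docker-compose.yml.j2 is load-bearing. A comment above the line, `# may render as a string; consumers must apply the bool filter before testing it`, pins that down for the next consumer. The line also runs well past 120 characters; splitting the lookup onto a folded scalar would keep it readable.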