matrix-docker-ansible-deploy/roles/matrix-coturn/defaults/main.yml

matrix_coturn_enabled: true

matrix_coturn_container_image_self_build: false
matrix_coturn_container_image_self_build_repo: "https://github.com/instrumentisto/coturn-docker-image.git"

matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:4.5.2"
matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else 'docker.io/' }}"
matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"

# The Docker network that Coturn would be put into.
#
# Because Coturn relays traffic to unvalidated IP addresses,
# using a dedicated network, isolated from other Docker (and local) services is preferrable.
#
# Setting up deny/allow rules with `matrix_coturn_allowed_peer_ips`/`matrix_coturn_denied_peer_ips` is also
# possible for achieving such isolation, but is more complicated due to the dynamic nature of Docker networking.
matrix_coturn_docker_network: "matrix-coturn"

matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn"
matrix_coturn_docker_src_files_path: "{{ matrix_coturn_base_path }}/docker-src"
matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf"

# List of systemd services that matrix-coturn.service depends on
matrix_coturn_systemd_required_services_list: ['docker.service']

# A list of additional "volumes" to mount in the container.
# This list gets populated dynamically at runtime. You can provide a different default value,
# if you wish to mount your own files into the container.
# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
matrix_coturn_container_additional_volumes: []

# A list of extra arguments to pass to the container
matrix_coturn_container_extra_arguments: []

# Controls whether the Coturn container exposes its plain STUN port (tcp/3478 and udp/3478 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.
matrix_coturn_container_stun_plain_host_bind_port: '3478'

# Controls whether the Coturn container exposes its TLS STUN port (tcp/5349 and udp/5349 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.
matrix_coturn_container_stun_tls_host_bind_port: '5349'

# Controls whether the Coturn container exposes its TURN UDP port range and which interface to do it on.
#
# Takes an interface "<ip address>" (e.g. "127.0.0.1"), or empty string to listen on all interfaces.
# Takes a null/none value (`~`) to prevent listening.
#
# The UDP port-range itself is specified using `matrix_coturn_turn_udp_min_port` and `matrix_coturn_turn_udp_max_port`.
matrix_coturn_container_turn_range_listen_interface: ''

# UDP port-range to use for TURN
matrix_coturn_turn_udp_min_port: 49152
matrix_coturn_turn_udp_max_port: 49172

# A shared secret (between Synapse and Coturn) used for authentication.
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
matrix_coturn_turn_static_auth_secret: ""

# The external IP address of the machine where Coturn is.
matrix_coturn_turn_external_ip_address: ''

matrix_coturn_allowed_peer_ips: []
matrix_coturn_denied_peer_ips: []
matrix_coturn_user_quota: null
matrix_coturn_total_quota: null

# To enable TLS, you need to provide paths to certificates.
# Paths defined in `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path` are in-container paths.
# Files on the host can be mounted into the container using `matrix_coturn_container_additional_volumes`.
matrix_coturn_tls_enabled: false
matrix_coturn_tls_cert_path: ~
matrix_coturn_tls_key_path: ~
Make roles more independent of one another With this change, the following roles are now only dependent on the minimal `matrix-base` role: - `matrix-corporal` - `matrix-coturn` - `matrix-mailer` - `matrix-mxisd` - `matrix-postgres` - `matrix-riot-web` - `matrix-synapse` The `matrix-nginx-proxy` role still does too much and remains dependent on the others. Wiring up the various (now-independent) roles happens via a glue variables file (`group_vars/matrix-servers`). It's triggered for all hosts in the `matrix-servers` group. According to Ansible's rules of priority, we have the following chain of inclusion/overriding now: - role defaults (mostly empty or good for independent usage) - playbook glue variables (`group_vars/matrix-servers`) - inventory host variables (`inventory/host_vars/matrix.<your-domain>`) All roles default to enabling their main component (e.g. `matrix_mxisd_enabled: true`, `matrix_riot_web_enabled: true`). Reasoning: if a role is included in a playbook (especially separately, in another playbook), it should "work" by default. Our playbook disables some of those if they are not generally useful (e.g. `matrix_corporal_enabled: false`). 2019-01-16 16:05:48 +00:00			`matrix_coturn_enabled: true`
Wire matrix_container_images_self_build to self_build variables via group_vars/matrix_servers This keeps the roles cleaner and more independent of matrix-base, which may be important for people building their own playbook out of the individual roles and not using the matrix-base role. 2020-03-15 08:10:41 +00:00
Rename some variables for consistency 2020-03-15 08:15:27 +00:00			`matrix_coturn_container_image_self_build: false`
Move self-building git repository URLs to variables (stop hardcoding) 2020-11-28 19:34:14 +00:00			`matrix_coturn_container_image_self_build_repo: "https://github.com/instrumentisto/coturn-docker-image.git"`
Make roles more independent of one another With this change, the following roles are now only dependent on the minimal `matrix-base` role: - `matrix-corporal` - `matrix-coturn` - `matrix-mailer` - `matrix-mxisd` - `matrix-postgres` - `matrix-riot-web` - `matrix-synapse` The `matrix-nginx-proxy` role still does too much and remains dependent on the others. Wiring up the various (now-independent) roles happens via a glue variables file (`group_vars/matrix-servers`). It's triggered for all hosts in the `matrix-servers` group. According to Ansible's rules of priority, we have the following chain of inclusion/overriding now: - role defaults (mostly empty or good for independent usage) - playbook glue variables (`group_vars/matrix-servers`) - inventory host variables (`inventory/host_vars/matrix.<your-domain>`) All roles default to enabling their main component (e.g. `matrix_mxisd_enabled: true`, `matrix_riot_web_enabled: true`). Reasoning: if a role is included in a playbook (especially separately, in another playbook), it should "work" by default. Our playbook disables some of those if they are not generally useful (e.g. `matrix_corporal_enabled: false`). 2019-01-16 16:05:48 +00:00
Upgrade matrix-coturn (4.5.1.3 -> 4.5.2) 2021-01-17 22:41:47 +00:00			`matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:4.5.2"`
Improve self-building experience (avoid conflict with pullable images) Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/716 This patch makes us use more fully-qualified container image names (either prefixed with docker.io/ or with localhost/). The latter happens when self-building is enabled. We've recently had issues where if an image was removed manually and the service was restarted (making `docker run` fetch it from Docker Hub, etc.), we'd end up with a pulled image, even though we're aiming for a self-built one. Re-running the playbook would then not do a rebuild, because: - the image with that name already exists (even though it's something else) - we sometimes had conditional logic where we'd build only if the git repo changed By explicitly changing the name of the images (prefixing with localhost/), we avoid such confusion and the possibility that we'd automatically pul something which is not what we expect. Also, I've removed that condition where building would happen on git changes only. We now always build (unless an image with that name already exists). We just force-build when the git repo changes. 2020-11-14 20:47:14 +00:00			`matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else 'docker.io/' }}"`
Automatically force-pull :latest images We do use some `:latest` images by default for the following services: - matrix-dimension - Goofys (in the matrix-synapse role) - matrix-bridge-appservice-irc - matrix-bridge-appservice-discord - matrix-bridge-mautrix-facebook - matrix-bridge-mautrix-whatsapp It's terribly unfortunate that those software projects don't release anything other than `:latest`, but that's how it is for now. Updating that software requires that users manually do `docker pull` on the server. The playbook didn't force-repull images that it already had. With this patch, it starts doing so. Any image tagged `:latest` will be force re-pulled by the playbook every time it's executed. It should be noted that even though we ask the `docker_image` module to force-pull, it only reports "changed" when it actually pulls something new. This is nice, because it lets people know exactly when something gets updated, as opposed to giving the indication that it's always updating the images (even though it isn't). 2019-06-10 11:23:51 +00:00			`matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"`
Split playbook into multiple roles As suggested in #63 (Github issue), splitting the playbook's logic into multiple roles will be beneficial for maintainability. This patch realizes this split. Still, some components affect others, so the roles are not really independent of one another. For example: - disabling mxisd (`matrix_mxisd_enabled: false`), causes Synapse and riot-web to reconfigure themselves with other (public) Identity servers. - enabling matrix-corporal (`matrix_corporal_enabled: true`) affects how reverse-proxying (by `matrix-nginx-proxy`) is done, in order to put matrix-corporal's gateway server in front of Synapse We may be able to move away from such dependencies in the future, at the expense of a more complicated manual configuration, but it's probably not worth sacrificing the convenience we have now. As part of this work, the way we do "start components" has been redone now to use a loop, as suggested in #65 (Github issue). This should make restarting faster and more reliable. 2019-01-12 15:53:00 +00:00
Isolate Coturn from services in the default Docker network Most (all?) of our Matrix services are running in the `matrix` network, so they were safe -- not accessible from Coturn to begin with. Isolating Coturn into its own network is a security improvement for people who were starting other services in the default Docker network. Those services were potentially reachable over the private Docker network from Coturn. Discussed in #120 (Github Pull Request) 2019-03-18 15:36:00 +00:00			`# The Docker network that Coturn would be put into.`
			`#`
			`# Because Coturn relays traffic to unvalidated IP addresses,`
			`# using a dedicated network, isolated from other Docker (and local) services is preferrable.`
			`#`
			# Setting up deny/allow rules with `matrix_coturn_allowed_peer_ips`/`matrix_coturn_denied_peer_ips` is also
			`# possible for achieving such isolation, but is more complicated due to the dynamic nature of Docker networking.`
			`matrix_coturn_docker_network: "matrix-coturn"`

Split playbook into multiple roles As suggested in #63 (Github issue), splitting the playbook's logic into multiple roles will be beneficial for maintainability. This patch realizes this split. Still, some components affect others, so the roles are not really independent of one another. For example: - disabling mxisd (`matrix_mxisd_enabled: false`), causes Synapse and riot-web to reconfigure themselves with other (public) Identity servers. - enabling matrix-corporal (`matrix_corporal_enabled: true`) affects how reverse-proxying (by `matrix-nginx-proxy`) is done, in order to put matrix-corporal's gateway server in front of Synapse We may be able to move away from such dependencies in the future, at the expense of a more complicated manual configuration, but it's probably not worth sacrificing the convenience we have now. As part of this work, the way we do "start components" has been redone now to use a loop, as suggested in #65 (Github issue). This should make restarting faster and more reliable. 2019-01-12 15:53:00 +00:00			`matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn"`
refactor variable names 2020-03-07 23:28:14 +00:00			`matrix_coturn_docker_src_files_path: "{{ matrix_coturn_base_path }}/docker-src"`
Split playbook into multiple roles As suggested in #63 (Github issue), splitting the playbook's logic into multiple roles will be beneficial for maintainability. This patch realizes this split. Still, some components affect others, so the roles are not really independent of one another. For example: - disabling mxisd (`matrix_mxisd_enabled: false`), causes Synapse and riot-web to reconfigure themselves with other (public) Identity servers. - enabling matrix-corporal (`matrix_corporal_enabled: true`) affects how reverse-proxying (by `matrix-nginx-proxy`) is done, in order to put matrix-corporal's gateway server in front of Synapse We may be able to move away from such dependencies in the future, at the expense of a more complicated manual configuration, but it's probably not worth sacrificing the convenience we have now. As part of this work, the way we do "start components" has been redone now to use a loop, as suggested in #65 (Github issue). This should make restarting faster and more reliable. 2019-01-12 15:53:00 +00:00			`matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf"`

Make roles more independent of one another With this change, the following roles are now only dependent on the minimal `matrix-base` role: - `matrix-corporal` - `matrix-coturn` - `matrix-mailer` - `matrix-mxisd` - `matrix-postgres` - `matrix-riot-web` - `matrix-synapse` The `matrix-nginx-proxy` role still does too much and remains dependent on the others. Wiring up the various (now-independent) roles happens via a glue variables file (`group_vars/matrix-servers`). It's triggered for all hosts in the `matrix-servers` group. According to Ansible's rules of priority, we have the following chain of inclusion/overriding now: - role defaults (mostly empty or good for independent usage) - playbook glue variables (`group_vars/matrix-servers`) - inventory host variables (`inventory/host_vars/matrix.<your-domain>`) All roles default to enabling their main component (e.g. `matrix_mxisd_enabled: true`, `matrix_riot_web_enabled: true`). Reasoning: if a role is included in a playbook (especially separately, in another playbook), it should "work" by default. Our playbook disables some of those if they are not generally useful (e.g. `matrix_corporal_enabled: false`). 2019-01-16 16:05:48 +00:00			`# List of systemd services that matrix-coturn.service depends on`
			`matrix_coturn_systemd_required_services_list: ['docker.service']`

Add support for mounting additional volumes to matrix-coturn 2019-03-19 07:16:30 +00:00			`# A list of additional "volumes" to mount in the container.`
			`# This list gets populated dynamically at runtime. You can provide a different default value,`
			`# if you wish to mount your own files into the container.`
			# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw\|ro\|slave\|.."}
			`matrix_coturn_container_additional_volumes: []`

Add the possibility to pass extra flags to the docker container 2019-04-30 14:35:18 +00:00			`# A list of extra arguments to pass to the container`
			`matrix_coturn_container_extra_arguments: []`

Make it possible to control Coturn ports and listen interfaces Related to #330 (Github Issue). 2019-12-20 10:21:43 +00:00			`# Controls whether the Coturn container exposes its plain STUN port (tcp/3478 and udp/3478 in the container).`
			`#`
			`# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.`
			`matrix_coturn_container_stun_plain_host_bind_port: '3478'`

			`# Controls whether the Coturn container exposes its TLS STUN port (tcp/5349 and udp/5349 in the container).`
			`#`
			`# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.`
			`matrix_coturn_container_stun_tls_host_bind_port: '5349'`

			`# Controls whether the Coturn container exposes its TURN UDP port range and which interface to do it on.`
			`#`
			`# Takes an interface "<ip address>" (e.g. "127.0.0.1"), or empty string to listen on all interfaces.`
			# Takes a null/none value (`~`) to prevent listening.
			`#`
			# The UDP port-range itself is specified using `matrix_coturn_turn_udp_min_port` and `matrix_coturn_turn_udp_max_port`.
			`matrix_coturn_container_turn_range_listen_interface: ''`
Split playbook into multiple roles As suggested in #63 (Github issue), splitting the playbook's logic into multiple roles will be beneficial for maintainability. This patch realizes this split. Still, some components affect others, so the roles are not really independent of one another. For example: - disabling mxisd (`matrix_mxisd_enabled: false`), causes Synapse and riot-web to reconfigure themselves with other (public) Identity servers. - enabling matrix-corporal (`matrix_corporal_enabled: true`) affects how reverse-proxying (by `matrix-nginx-proxy`) is done, in order to put matrix-corporal's gateway server in front of Synapse We may be able to move away from such dependencies in the future, at the expense of a more complicated manual configuration, but it's probably not worth sacrificing the convenience we have now. As part of this work, the way we do "start components" has been redone now to use a loop, as suggested in #65 (Github issue). This should make restarting faster and more reliable. 2019-01-12 15:53:00 +00:00
			`# UDP port-range to use for TURN`
			`matrix_coturn_turn_udp_min_port: 49152`
			`matrix_coturn_turn_udp_max_port: 49172`

Make it possible to control Coturn ports and listen interfaces Related to #330 (Github Issue). 2019-12-20 10:21:43 +00:00			`# A shared secret (between Synapse and Coturn) used for authentication.`
			# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
			`matrix_coturn_turn_static_auth_secret: ""`

Define matrix_coturn_turn_external_ip_address in the playbook group vars This is more explicit than hiding it in the role defaults. People who reuse the roles in their own playbook (and not only) may incorrectly define `ansible_host` to be a hostname or some local address. Making it more explicit is more likely to prevent such mistakes. 2019-03-18 15:04:40 +00:00			`# The external IP address of the machine where Coturn is.`
			`matrix_coturn_turn_external_ip_address: ''`

Add defaults for ips 2019-03-18 11:44:40 +00:00			`matrix_coturn_allowed_peer_ips: []`
			`matrix_coturn_denied_peer_ips: []`
Add nulls for quotas as well 2019-03-18 11:58:52 +00:00			`matrix_coturn_user_quota: null`
			`matrix_coturn_total_quota: null`
Add TLS support to Coturn 2019-03-19 08:24:39 +00:00
			`# To enable TLS, you need to provide paths to certificates.`
			# Paths defined in `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path` are in-container paths.
			# Files on the host can be mounted into the container using `matrix_coturn_container_additional_volumes`.
			`matrix_coturn_tls_enabled: false`
			`matrix_coturn_tls_cert_path: ~`
			`matrix_coturn_tls_key_path: ~`