From 9a33e5c7adc59c122be91eeb240f912c0415960b Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Fri, 20 Dec 2019 12:21:43 +0200
Subject: [PATCH] Make it possible to control Coturn ports and listen interfaces

Related to #330 (Github Issue).
---
roles/matrix-coturn/defaults/main.yml | 24 ++++++++++++++++---
.../systemd/matrix-coturn.service.j2 | 16 +++++++++----
2 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml
index 08cc3877..4bcbb223 100644
--- a/roles/matrix-coturn/defaults/main.yml
+++ b/roles/matrix-coturn/defaults/main.yml
@@ -27,14 +27,32 @@ matrix_coturn_container_additional_volumes: []
 
 # A list of extra arguments to pass to the container
 matrix_coturn_container_extra_arguments: []
 
-# A shared secret (between Synapse and Coturn) used for authentication.
-# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
-matrix_coturn_turn_static_auth_secret: ""
+# Controls whether the Coturn container exposes its plain STUN port (tcp/3478 and udp/3478 in the container).
+#
+# Takes an ":" or "" value (e.g. "127.0.0.1:3478"), or empty string to not expose.
+matrix_coturn_container_stun_plain_host_bind_port: '3478'
+
+# Controls whether the Coturn container exposes its TLS STUN port (tcp/5349 and udp/5349 in the container).
+#
+# Takes an ":" or "" value (e.g. "127.0.0.1:5349"), or empty string to not expose.
+matrix_coturn_container_stun_tls_host_bind_port: '5349'
+
+# Controls whether the Coturn container exposes its TURN UDP port range and which interface to do it on.
+#
+# Takes an interface "" (e.g. "127.0.0.1"), or empty string to listen on all interfaces.
+# Takes a null/none value (`~`) to prevent listening.
+#
+# The UDP port-range itself is specified using `matrix_coturn_turn_udp_min_port` and `matrix_coturn_turn_udp_max_port`.
+matrix_coturn_container_turn_range_listen_interface: ''
 
 # UDP port-range to use for TURN
 matrix_coturn_turn_udp_min_port: 49152
 matrix_coturn_turn_udp_max_port: 49172
 
+# A shared secret (between Synapse and Coturn) used for authentication.
+# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
+matrix_coturn_turn_static_auth_secret: ""
+
 # The external IP address of the machine where Coturn is.
 matrix_coturn_turn_external_ip_address: ''
diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2
index aebaa197..35198616 100644
--- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2
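Review bot: The empty string means opposite things across the three new knobs: for `matrix_coturn_container_stun_plain_host_bind_port` and `matrix_coturn_container_stun_tls_host_bind_port` a value of `''` means "do not publish", while for `matrix_coturn_container_turn_range_listen_interface` `''` means "publish on every interface" and only `~` disables it. An operator who sets all three to `''` expecting Coturn to be unreachable ends up with the whole UDP relay range published on all host addresses, and with Docker's default iptables handling such published ports are typically reachable even where the host's own INPUT rules would block them, so the misread is unlikely to be caught by a firewall. Consider using one sentinel for "disabled" on all three (e.g. `~`), or at minimum a warning on the range variable: `# NOTE: unlike the STUN port variables above, an empty string here means ALL interfaces, not "disabled"; use ~ to disable.` The placeholders in `Takes an ":" or "" value` also appear to have been lost (presumably something like `"<ip>:<port>"` or `"<port>"`), which leaves that comment hard to read as committed.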
+++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2
@@ -19,11 +19,17 @@ ExecStart=/usr/bin/docker run --rm --name matrix-coturn \
 --read-only \
 --tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \
 --network={{ matrix_coturn_docker_network }} \
- -p 3478:3478 \
- -p 3478:3478/udp \
- -p 5349:5349 \
- -p 5349:5349/udp \
- -p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \
+ {% if matrix_coturn_container_stun_plain_host_bind_port != '' %}
+ -p {{ matrix_coturn_container_stun_plain_host_bind_port }}:3478 \
+ -p {{ matrix_coturn_container_stun_plain_host_bind_port }}:3478/udp \
+ {% endif %}
+ {% if matrix_coturn_container_stun_tls_host_bind_port != '' %}
+ -p {{ matrix_coturn_container_stun_tls_host_bind_port }}:5349 \
+ -p {{ matrix_coturn_container_stun_tls_host_bind_port }}:5349/udp \
+ {% endif %}
+ {% if matrix_coturn_container_turn_range_listen_interface is not none %}
+ -p {{ matrix_coturn_container_turn_range_listen_interface }}{{ ':' if matrix_coturn_container_turn_range_listen_interface else '' }}{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \
+ {% endif %}
 -v {{ matrix_coturn_config_path }}:/turnserver.conf:ro \
 {% for volume in matrix_coturn_container_additional_volumes %}
 -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \
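Review bot: The `!= ''` guards on the two STUN bindings do not treat `null` as "disabled" the way the `is not none` guard on the relay range does: a value of `~` (the sentinel the neighbouring range variable documents for "do not listen") is not equal to `''`, so the template renders `-p None:3478`, `docker run` rejects it and the unit never starts — an outage rather than a safe default. A plain truthiness test, `{% if matrix_coturn_container_stun_plain_host_bind_port %}` and likewise `{% if matrix_coturn_container_stun_tls_host_bind_port %}`, rejects both `''` and `None` while still accepting `'3478'` or `'127.0.0.1:3478'`. Since these `-p` flags are the only place where the listen decision is visible, a short comment above the first `{% if %}` would help, e.g. `{# a bare port (the default) publishes on all host interfaces; prefix with an IP to restrict #}`. The `ExecStart=` statement this hunk edits begins before the hunk (it appears in the `@@` context) and its continuation lines run past the last line shown.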