diff --git a/servers/ansible/playbook.yaml b/servers/ansible/playbook.yaml
index b604f44c..036c5de7 100644
--- a/servers/ansible/playbook.yaml
+++ b/servers/ansible/playbook.yaml
@@ -58,6 +58,10 @@
 ansible.posix.synchronize:
 src: ../stalwart/
 dest: /etc/stalwart
+ - name: Copy coturn config
+ ansible.posix.synchronize:
+ src: ../coturn/
+ dest: /etc/coturn
 # Pull mautrix config:
 # rsync --rsync-path="sudo rsync" -r -t -z -P --include "*/" --include="*.yaml" --exclude="*" ansible@213.32.25.24:/var/opt/mautrix/ ./mautrix
 - name: Copy mautrix config
diff --git a/servers/containers/conduwuit-testing.container b/servers/containers/conduwuit-testing.container
index 01dfccd1..5aebdcfe 100644
--- a/servers/containers/conduwuit-testing.container
+++ b/servers/containers/conduwuit-testing.container
@@ -55,6 +55,10 @@ Environment="CONDUWUIT_WELL_KNOWN={ \
 client=https://matrix.pissing.dev, \
 server=matrix.pissing.dev:443 \
 }"
+
+Environment="CONDUWUIT_TURN_URIS=[\"turns:coturn.ellis.link?transport=udp\",\"turns:coturn.ellis.link?transport=tcp\",\"turn:coturn.ellis.link?transport=udp\",\"turn:coturn.ellis.link?transport=tcp\"]"
+Environment="CONDUWUIT_TURN_SECRET=qjRh55G51K7V0ZqB7Z8ZEkxZjBLJMgkwEs8acFjx"
+
 # Environment="CONDUWUIT_SENTRY=true"
 # Environment="CONDUWUIT_SENTRY_ENDPOINT=https://c885d1475cef5c54bbd32b1512e0ae20@o4507835405369344.ingest.de.sentry.io/4508059491696720"
diff --git a/servers/containers/conduwuit.container b/servers/containers/conduwuit.container
index 3dffab8f..76d5aade 100644
--- a/servers/containers/conduwuit.container
+++ b/servers/containers/conduwuit.container
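Review bot: The new `Copy coturn config` task syncs `../coturn/`, which now holds `turnserver.conf` with `static-auth-secret`, to `/etc/coturn` and, since synchronize's archive default preserves the source mode, a normal checkout will leave that file world-readable on the host. Restrict it in the same task, e.g. `rsync_opts: ["--chmod=D750,F640"]`, or follow it with an `ansible.builtin.file` task setting `mode: "0640"` on `/etc/coturn/turnserver.conf`. The enclosing task list continues outside the hunk.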
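Review bot: `CONDUWUIT_TURN_SECRET` commits the TURN static auth secret to the repository in cleartext, and the same literal is committed again in conduwuit.container, in the removed `--static-auth-secret` line of coturn.container and in the new turnserver.conf; the previously commented-out copy in conduwuit.container means it was already in history. A value present in git history should be treated as disclosed and rotated. Keep the rotated value out of the unit files, e.g. `EnvironmentFile=<path-to-root-only-env-file>` or a podman secret via Quadlet's `Secret=<secret-name>,type=env,target=CONDUWUIT_TURN_SECRET`, and render turnserver.conf from a vaulted variable on the ansible side rather than storing it in the tree.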
@@ -54,8 +54,8 @@ client=https://matrix.ellis.link, \
 server=matrix.ellis.link:443 \
 }"
-# Environment="CONDUWUIT_TURN_URIS=[\"turns:coturn.ellis.link?transport=udp\",\"turns:coturn.ellis.link?transport=tcp\"]"
-# Environment="CONDUWUIT_TURN_SECRET=qjRh55G51K7V0ZqB7Z8ZEkxZjBLJMgkwEs8acFjx"
+Environment="CONDUWUIT_TURN_URIS=[\"turns:coturn.ellis.link?transport=udp\",\"turns:coturn.ellis.link?transport=tcp\",\"turn:coturn.ellis.link?transport=udp\",\"turn:coturn.ellis.link?transport=tcp\"]"
+Environment="CONDUWUIT_TURN_SECRET=qjRh55G51K7V0ZqB7Z8ZEkxZjBLJMgkwEs8acFjx"
 Environment="CONDUWUIT_SENTRY=true"
 Environment="CONDUWUIT_SENTRY_ENDPOINT=https://c885d1475cef5c54bbd32b1512e0ae20@o4507835405369344.ingest.de.sentry.io/4508059491696720"
diff --git a/servers/containers/coturn.container b/servers/containers/coturn.container
index aaad3b1a..695e6706 100644
--- a/servers/containers/coturn.container
+++ b/servers/containers/coturn.container
@@ -10,38 +10,35 @@ After=network-online.target
 ContainerName=coturn
 NoNewPrivileges=true
 Image=docker.io/coturn/coturn:latest
-ReadOnly=true
+# ReadOnly=true
 AutoUpdate=registry
-Network=web.network
+# Network=web.network
+Volume=/etc/coturn/turnserver.conf:/etc/coturn/turnserver.conf:ro,z
+Volume=traefik-certs.volume:/data/certs:ro,U
+# TODO: TURN TLS
 PublishPort=0.0.0.0:60006-65535:60006-65535/udp
 PublishPort=[::]:60006-65535:60006-65535/udp
-# PublishPort=0.0.0.0:3478:3478
-# PublishPort=[::]:3478:3478
-# PublishPort=0.0.0.0:3478:3478/udp
-# PublishPort=[::]:3478:3478/udp
-# PublishPort=0.0.0.0:5349:5349
-# PublishPort=[::]:5349:5349
-# PublishPort=0.0.0.0:5349:5349/udp
-# PublishPort=[::]:5349:5349/udp
+PublishPort=0.0.0.0:3478:3478
+PublishPort=[::]:3478:3478
+PublishPort=0.0.0.0:3478:3478/udp
+PublishPort=[::]:3478:3478/udp
+PublishPort=0.0.0.0:5349:5349
+PublishPort=[::]:5349:5349
+PublishPort=0.0.0.0:5349:5349/udp
+PublishPort=[::]:5349:5349/udp
-Exec= --realm coturn.ellis.link \
---tls-listening-port=443 \
---listening-ip=0.0.0.0 \
---min-port=60006 \
---max-port=65535 \
---use-auth-secret \
---static-auth-secret=qjRh55G51K7V0ZqB7Z8ZEkxZjBLJMgkwEs8acFjx
-Label="traefik.enable=true"
+
+Label="traefik.enable=false"
 Label="traefik.http.routers.coturn.rule=Host(`coturn.ellis.link`)"
-Label="traefik.http.routers.coturn.entrypoints=https"
+# Label="traefik.http.routers.coturn.entrypoints=https"
-Label="traefik.http.routers.coturn.middlewares=default@file"
+# Label="traefik.http.routers.coturn.middlewares=default@file"
 Label="homepage.group=Services"
 Label="homepage.name=coturn"
-Label="homepage.href=https://coturn.ellis.link"
+# Label="homepage.href=https://coturn.ellis.link"
 # Label="kuma.coturn.http.name=Uptime Kuma"
 # Label=kuma.__web='"coturn.ellis.link"'
@@ -60,4 +57,4 @@ TimeoutStartSec=2m
 StartLimitBurst=5
 [Install]
-# WantedBy=default.target
\ No newline at end of file
+WantedBy=default.target
\ No newline at end of file
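Review bot: `Volume=traefik-certs.volume:/data/certs:ro,U` hands the coturn container traefik's entire certificate store, so every certificate and private key traefik holds becomes readable to it rather than only the `coturn.ellis.link` material that turnserver.conf references, and the `U` option makes podman recursively chown that shared volume to coturn's container user, which may disturb traefik's own access to it. Mount only the `coturn.ellis.link` cert and key (a host directory or a dedicated volume populated from traefik) and drop `U`. `# ReadOnly=true` gives up the read-only root filesystem with no reason recorded in the commit; if coturn needs a writable path, keeping `ReadOnly=true` alongside a `Tmpfs=` entry for that path is the narrower change. `Label="traefik.http.routers.coturn.rule=Host(...)"` is left active while `traefik.enable=false` is set, so it should be commented out with the other traefik labels for consistency.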
diff --git a/servers/coturn/turnserver.conf b/servers/coturn/turnserver.conf
new file mode 100644
index 00000000..3844f375
--- /dev/null
+++ b/servers/coturn/turnserver.conf
@@ -0,0 +1,45 @@
+realm=coturn.ellis.link
+min-port=60006
+max-port=65535
+use-auth-secret
+static-auth-secret=qjRh55G51K7V0ZqB7Z8ZEkxZjBLJMgkwEs8acFjx
+listening-ip=0.0.0.0
+
+#public ipv4 and ipv6 addresses
+external-ip=213.32.25.24
+external-ip=2001:41d0:1004:3918::1
+# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.
+no-tcp-relay
+
+cert=/data/certs/coturn.ellis.link/cert.pem
+# TLS private key file
+pkey=/data/certs/coturn.ellis.link/key.pem
+
+# don't let the relay ever try to connect to private IP address ranges within your network (if any)
+# given the turn server is likely behind your firewall, remember to include any privileged public IPs too.
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+
+# recommended additional local peers to block, to mitigate external access to internal services.
+# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
+no-multicast-peers
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
+
+# special case the turn server itself so that client->TURN->TURN->client flows work
+# this should be one of the turn server's listening IPs
+allowed-peer-ip=0.0.0.0
+
+# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
+user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
+total-quota=1200
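Review bot: `allowed-peer-ip=0.0.0.0` is a no-op that appears carried over from an example: 0.0.0.0 is not an address a peer can have, while the comment above it says the entry should name one of the server's own addresses, so either set it to the addresses the relay actually answers on (`allowed-peer-ip=213.32.25.24` and `allowed-peer-ip=2001:41d0:1004:3918::1`, matching `external-ip`) or remove the line so the comment does not promise an exception that is not in effect. The `denied-peer-ip` list is IPv4-only although `external-ip=2001:41d0:1004:3918::1` declares an IPv6 path; if the relay does serve IPv6, loopback, link-local and ULA peers stay reachable through it, so add `denied-peer-ip=::1`, `denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff` and `denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff` next to the IPv4 entries. The trailing comment on `user-quota=12` depends on coturn accepting inline `#` comments; moving it to its own `#` line above the directive removes that dependency.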