From 439acc69c58f6188453145f03c7817b2b2d6ee4d Mon Sep 17 00:00:00 2001
From: Suguru Hirahara
Date: Tue, 10 Feb 2026 21:31:58 +0900
Subject: [PATCH] Remove roles/custom/matrix-coturn

Signed-off-by: Suguru Hirahara
---
 roles/custom/matrix-coturn/defaults/main.yml | 235 ------------------
 roles/custom/matrix-coturn/tasks/main.yml | 26 --
 .../matrix-coturn/tasks/setup_install.yml | 146 -----------
 .../matrix-coturn/tasks/setup_uninstall.yml | 43 ----
 .../matrix-coturn/tasks/validate_config.yml | 35 ---
 .../systemd/matrix-coturn-reload.service.j2 | 12 -
 .../systemd/matrix-coturn-reload.timer.j2 | 18 --
 .../systemd/matrix-coturn.service.j2 | 70 ------
 .../systemd/matrix-coturn.service.j2.license | 8 -
 .../templates/turnserver.conf.j2 | 78 ------
 .../templates/turnserver.conf.j2.license | 6 -
 roles/custom/matrix-coturn/vars/main.yml | 21 --
 12 files changed, 698 deletions(-)
 delete mode 100644 roles/custom/matrix-coturn/defaults/main.yml
 delete mode 100644 roles/custom/matrix-coturn/tasks/main.yml
 delete mode 100644 roles/custom/matrix-coturn/tasks/setup_install.yml
 delete mode 100644 roles/custom/matrix-coturn/tasks/setup_uninstall.yml
 delete mode 100644 roles/custom/matrix-coturn/tasks/validate_config.yml
 delete mode 100644 roles/custom/matrix-coturn/templates/systemd/matrix-coturn-reload.service.j2
 delete mode 100644 roles/custom/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2
 delete mode 100644 roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2
 delete mode 100644 roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2.license
 delete mode 100644 roles/custom/matrix-coturn/templates/turnserver.conf.j2
 delete mode 100644 roles/custom/matrix-coturn/templates/turnserver.conf.j2.license
 delete mode 100644 roles/custom/matrix-coturn/vars/main.yml

diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml
deleted file mode 100644
index dae7ec125..000000000
--- a/roles/custom/matrix-coturn/defaults/main.yml
+++ /dev/null
@@ -1,235 +0,0 @@ -# SPDX-FileCopyrightText: 2019 - 2025 Slavi Pantaleev -# SPDX-FileCopyrightText: 2019 Stuart Mumford -# SPDX-FileCopyrightText: 2019 Sylvia van Os -# SPDX-FileCopyrightText: 2020 - 2021 Dan Arnfield -# SPDX-FileCopyrightText: 2020 Horvath Gergely -# SPDX-FileCopyrightText: 2021 - 2022 MDAD project contributors -# SPDX-FileCopyrightText: 2021 Ahmad Haghighi -# SPDX-FileCopyrightText: 2022 - 2023 Nikita Chernyi -# SPDX-FileCopyrightText: 2022 Hefty Zauk -# SPDX-FileCopyrightText: 2022 Marko Weltzer -# SPDX-FileCopyrightText: 2023 Samuel Meenzen -# SPDX-FileCopyrightText: 2025 Suguru Hirahara -# -# SPDX-License-Identifier: AGPL-3.0-or-later - ---- -# Project source code URL: https://github.com/coturn/coturn - -coturn_enabled: true - -coturn_hostname: "" - -coturn_container_image_self_build: false -coturn_container_image_self_build_repo: "https://github.com/coturn/coturn" -coturn_container_image_self_build_repo_version: "docker/{{ coturn_version }}" -coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" - -# renovate: datasource=docker depName=coturn/coturn versioning=loose -coturn_version: 4.8.0 -coturn_container_image: "{{ coturn_container_image_registry_prefix }}coturn/coturn:{{ coturn_version }}-alpine" -coturn_container_image_registry_prefix_upstream: "{{ coturn_container_image_registry_prefix_upstream_default }}" -coturn_container_image_registry_prefix_upstream_default: docker.io/ -coturn_container_image_force_pull: "{{ coturn_container_image.endswith(':latest') }}" - -# The Docker network that coturn would be put into. -# -# Because coturn relays traffic to unvalidated IP addresses, -# using a dedicated network, isolated from other Docker (and local) services is preferable. -# -# Setting up deny/allow rules with `coturn_allowed_peer_ips`/`coturn_denied_peer_ips` is also -# possible for achieving such isolation, but is more complicated due to the dynamic nature of Docker networking. 
-# -# Setting `coturn_container_network` to 'host' will run the container with host networking, -# which will drastically improve performance when thousands of ports are opened due to Docker not having to set up forwarding rules for each port. -# Running with host networking can be dangerous, as it potentially exposes your local network and its services to coturn peers. -# Regardless of the networking mode, we apply a deny list which via `coturn_denied_peer_ips`, -# which hopefully prevents access to such private network ranges. -# When running in host-networking mode, you need to adjust the firewall yourself, so that ports are opened. -coturn_container_network: "matrix-coturn" - -coturn_container_additional_networks: "{{ coturn_container_additional_networks_auto + coturn_container_additional_networks_custom }}" -coturn_container_additional_networks_auto: [] -coturn_container_additional_networks_custom: [] - -coturn_docker_src_files_path: "{{ coturn_base_path }}/docker-src" -coturn_config_path: "{{ coturn_base_path }}/turnserver.conf" - -# List of systemd services that matrix-coturn.service depends on -coturn_systemd_required_services_list: "{{ coturn_systemd_required_services_list_default + coturn_systemd_required_services_list_auto + coturn_systemd_required_services_list_custom }}" -coturn_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" -coturn_systemd_required_services_list_auto: [] -coturn_systemd_required_services_list_custom: [] - -# A list of additional "volumes" to mount in the container. -# This list gets populated dynamically at runtime. You can provide a different default value, -# if you wish to mount your own files into the container. -# Contains definition objects like this: `{"type": "bind", "src": "/outside", "dst": "/inside", "options": "readonly"}. -# See the `--mount` documentation for the `docker run` command. 
-coturn_container_additional_volumes: [] - -# A list of extra arguments to pass to the container -coturn_container_extra_arguments: [] - -# Controls whether the coturn container exposes its plain STUN port (tcp/3478 in the container) over TCP. -# -# Takes an ":" or "" value (e.g. "127.0.0.1:3478"), or empty string to not expose. -coturn_container_stun_plain_host_bind_port_tcp: "{{ '3478' if coturn_container_network != 'host' else '' }}" - -# Controls whether the coturn container exposes its plain STUN port (udp/3478 in the container) over UDP. -# -# Takes an ":" or "" value (e.g. "127.0.0.1:3478"), or empty string to not expose. -# -# Ideally, we'd like to set this to "" to avoid exposing this port and decrease the risk of DDoS amplification attacks. -# See: https://stormwall.network/resources/blog/protect-against-ddos-based-on-stun-exploit -# In practice, old Element clients only support talking to the STUN port over UDP, not TCP, so we need to keep this enabled for now. -coturn_container_stun_plain_host_bind_port_udp: "{{ '3478' if coturn_container_network != 'host' else '' }}" - -# Controls whether the coturn container exposes its TLS STUN port (tcp/5349 in the container) over TCP. -# -# Takes an ":" or "" value (e.g. "127.0.0.1:5349"), or empty string to not expose. -coturn_container_stun_tls_host_bind_port_tcp: "{{ '5349' if coturn_container_network != 'host' else '' }}" - -# Controls whether the coturn container exposes its TLS STUN port (udp/5349 in the container) over UDP. -# -# Takes an ":" or "" value (e.g. "127.0.0.1:5349"), or empty string to not expose. -# -# This is enabled by default, unlike `coturn_container_stun_plain_host_bind_port_udp`, -# because the risk of DDoS amplification attacks is lower for TLS -# due to the handshake requiring two-way authentication and being generally more expensive. 
-coturn_container_stun_tls_host_bind_port_udp: "{{ '5349' if coturn_container_network != 'host' else '' }}" - -# Controls whether the coturn container exposes its TURN UDP port range and which interface to do it on. -# -# Takes an interface "" (e.g. "127.0.0.1"), or empty string to listen on all interfaces. -# Takes a null/none value (`~`) or 'none' (as a string) to prevent listening. -# -# The UDP port-range itself is specified using `coturn_turn_udp_min_port` and `coturn_turn_udp_max_port`. -coturn_container_turn_range_listen_interface: "{{ '' if coturn_container_network != 'host' else 'none' }}" - -# UDP port-range to use for TURN -coturn_turn_udp_min_port: 49152 -coturn_turn_udp_max_port: 49172 - -# Controls the `realm` configuration option -coturn_realm: "turn.{{ coturn_hostname }}" - -# Controls which authentication method to enable. -# -# lt-cred-mech likely provides better compatibility, -# as described here: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3191 -# but those claims are unverified. -# -# For now, we still default to `auth-secret` like we've always done. -# -# Known values: auth-secret, lt-cred-mech -coturn_authentication_method: auth-secret - -# A shared secret used for authentication when `coturn_authentication_method` is `auth-secret`. -# You can put any string here, but generating a strong one is preferred. You can create one with a command like `pwgen -s 64 1`. -coturn_turn_static_auth_secret: "" - -# A username used authentication when `coturn_authentication_method` is `lt-cred-mech`. -coturn_lt_cred_mech_username: "" -# A password used authentication when `coturn_authentication_method` is `lt-cred-mech`. -coturn_lt_cred_mech_password: "" - -# The external IP address of the machine where coturn is. -# If do not define an IP address here or in `coturn_turn_external_ip_addresses`, auto-detection via an EchoIP service will be done. 
-# See `coturn_turn_external_ip_address_auto_detection_enabled` -coturn_turn_external_ip_address: "" -coturn_turn_external_ip_addresses: "{{ [coturn_turn_external_ip_address] if coturn_turn_external_ip_address != '' else [] }}" - -# Controls whether external IP address auto-detection should be attempted. -# We try to do this if there is no external IP address explicitly configured and if an EchoIP service URL is specified. -# See coturn_turn_external_ip_address_auto_detection_echoip_service_url -coturn_turn_external_ip_address_auto_detection_enabled: "{{ coturn_turn_external_ip_addresses | length == 0 and coturn_turn_external_ip_address_auto_detection_echoip_service_url != '' }}" - -# Specifies the address of the EchoIP service (https://github.com/mpolden/echoip) to use for detecting the external IP address. -# Example: https://ifconfig.co/json -coturn_turn_external_ip_address_auto_detection_echoip_service_url: "" - -# Controls whether SSL certificates will be validated when contacting the EchoIP service (coturn_turn_external_ip_address_auto_detection_echoip_service_url) -coturn_turn_external_ip_address_auto_detection_echoip_validate_certs: true - -coturn_turn_external_ip_address_auto_detection_echoip_service_retries_count: "{{ devture_playbook_help_geturl_retries_count }}" -coturn_turn_external_ip_address_auto_detection_echoip_service_retries_delay: "{{ devture_playbook_help_geturl_retries_delay }}" - -coturn_allowed_peer_ips: [] - -# We block loopback interfaces and private networks by default to prevent private resources from being accessible. -# This is especially important when coturn does not run within a container network (e.g. `coturn_container_network: host`). -# -# Learn more: https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/ -# -# If you're running coturn for local network peers, you may wish to override these rules. 
-coturn_denied_peer_ips: - - 0.0.0.0-0.255.255.255 - - 10.0.0.0-10.255.255.255 - - 100.64.0.0-100.127.255.255 - - 127.0.0.0-127.255.255.255 - - 169.254.0.0-169.254.255.255 - - 172.16.0.0-172.31.255.255 - - 192.0.0.0-192.0.0.255 - - 192.0.2.0-192.0.2.255 - - 192.88.99.0-192.88.99.255 - - 192.168.0.0-192.168.255.255 - - 198.18.0.0-198.19.255.255 - - 198.51.100.0-198.51.100.255 - - 203.0.113.0-203.0.113.255 - - 240.0.0.0-255.255.255.255 - - ::1 - - 64:ff9b::-64:ff9b::ffff:ffff - - ::ffff:0.0.0.0-::ffff:255.255.255.255 - - 100::-100::ffff:ffff:ffff:ffff - - 2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff - - 2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff - - fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff - - fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff - -coturn_user_quota: null -coturn_total_quota: null - -# Controls whether `no-tcp-relay` is added to the configuration -# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L419-L422 -coturn_no_tcp_relay_enabled: true - -# Controls whether `no-multicast-peers` is added to the configuration -# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L629-L632 -coturn_no_multicast_peers_enabled: true - -# Controls whether `no-rfc5780` is added to the configuration -# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L770-L781 -coturn_no_rfc5780_enabled: true - -# Controls whether `no-stun-backward-compatibility` is added to the configuration -# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L783-L789 -coturn_no_stun_backward_compatibility_enabled: true - -# Controls whether `response-origin-only-with-rfc5780` is added to the configuration -# Learn more here: 
https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L791-L796 -coturn_response_origin_only_with_rfc5780_enabled: true - -# Additional configuration to be passed to turnserver.conf -# Example: -# coturn_additional_configuration: | -# simple-log -# aux-server=1.2.3.4 -# relay-ip=4.3.2.1 -coturn_additional_configuration: "" - -# To enable TLS, you need to provide paths to certificates. -# Paths defined in `coturn_tls_cert_path` and `coturn_tls_key_path` are in-container paths. -# Files on the host can be mounted into the container using `coturn_container_additional_volumes`. -coturn_tls_enabled: false -coturn_tls_cert_path: ~ -coturn_tls_key_path: ~ - -coturn_tls_v1_enabled: false -coturn_tls_v1_1_enabled: false - -# systemd calendar configuration for the reload job -# the actual job may run with a delay (see coturn_reload_schedule_randomized_delay_sec) -coturn_reload_schedule: "*-*-* 06:30:00" -# the delay with which the systemd timer may run in relation to the `coturn_reload_schedule` schedule -coturn_reload_schedule_randomized_delay_sec: 1h diff --git a/roles/custom/matrix-coturn/tasks/main.yml b/roles/custom/matrix-coturn/tasks/main.yml deleted file mode 100644 index 8a8f194a2..000000000 --- a/roles/custom/matrix-coturn/tasks/main.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -# SPDX-FileCopyrightText: 2019 - 2023 Slavi Pantaleev -# SPDX-FileCopyrightText: 2019 Dan Arnfield -# SPDX-FileCopyrightText: 2022 Marko Weltzer -# -# SPDX-License-Identifier: AGPL-3.0-or-later - ---- - -- tags: - - setup-all - - setup-coturn - - install-all - - install-coturn - block: - - when: coturn_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - - - when: coturn_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - -- tags: - - setup-all - - setup-coturn - block: - - when: not coturn_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-coturn/tasks/setup_install.yml b/roles/custom/matrix-coturn/tasks/setup_install.yml deleted file mode 100644 index 39321ef92..000000000 --- a/roles/custom/matrix-coturn/tasks/setup_install.yml +++ /dev/null 
@@ -1,146 +0,0 @@ -# SPDX-FileCopyrightText: 2018 - 2025 Slavi Pantaleev -# SPDX-FileCopyrightText: 2019 - 2020 MDAD project contributors -# SPDX-FileCopyrightText: 2019 Dan Arnfield -# SPDX-FileCopyrightText: 2020 Béla Becker -# SPDX-FileCopyrightText: 2020 Chris van Dijk -# SPDX-FileCopyrightText: 2020 Horvath Gergely -# SPDX-FileCopyrightText: 2022 Marko Weltzer -# SPDX-FileCopyrightText: 2022 Nikita Chernyi -# SPDX-FileCopyrightText: 2022 Sebastian Gumprich -# SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara -# SPDX-FileCopyrightText: 2024 David Mehren -# -# SPDX-License-Identifier: AGPL-3.0-or-later - ---- - -- when: coturn_turn_external_ip_address_auto_detection_enabled | bool - block: - - name: Fail if enabled, but EchoIP service URL unset - when: coturn_turn_external_ip_address_auto_detection_echoip_service_url == '' - ansible.builtin.fail: - msg: "To use the external IP address auto-detection feature, you need to set coturn_turn_external_ip_address_auto_detection_echoip_service_url" - - # Note: - # `ansible.builtin.uri` does not provide a way to configure whether IPv4 or IPv6 is used. - # Luckily, the default instance we use does not define AAAA records for now, so it's always IPv4. 
- - name: Fetch IP address information from EchoIP service - ansible.builtin.uri: - url: "{{ coturn_turn_external_ip_address_auto_detection_echoip_service_url }}" - headers: - Content-Type: application/json - follow_redirects: none - validate_certs: "{{ coturn_turn_external_ip_address_auto_detection_echoip_validate_certs }}" - register: result_coturn_turn_external_ip_address_auto_detection_echoip_response - ignore_errors: true - check_mode: false - retries: "{{ coturn_turn_external_ip_address_auto_detection_echoip_service_retries_count }}" - delay: "{{ coturn_turn_external_ip_address_auto_detection_echoip_service_retries_delay }}" - until: not result_coturn_turn_external_ip_address_auto_detection_echoip_response.failed - - - name: Fail if EchoIP service failed - when: "(result_coturn_turn_external_ip_address_auto_detection_echoip_response.failed or 'json' not in result_coturn_turn_external_ip_address_auto_detection_echoip_response)" - ansible.builtin.fail: - msg: "Failed contacting EchoIP service API at `{{ coturn_turn_external_ip_address_auto_detection_echoip_service_url }}` (controlled by `coturn_turn_external_ip_address_auto_detection_echoip_service_url`). 
Full error: {{ result_coturn_turn_external_ip_address_auto_detection_echoip_response }}" - - - ansible.builtin.set_fact: - coturn_turn_external_ip_address: "{{ result_coturn_turn_external_ip_address_auto_detection_echoip_response.json.ip }}" - -- name: Ensure Matrix coturn path exists - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_name }}" - group: "{{ matrix_group_name }}" - with_items: - - {path: "{{ coturn_docker_src_files_path }}", when: "{{ coturn_container_image_self_build }}"} - when: "item.when | bool" - -- name: Ensure coturn image is pulled - community.docker.docker_image: - name: "{{ coturn_container_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ coturn_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else coturn_container_image_force_pull }}" - when: "not coturn_container_image_self_build | bool" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- when: "coturn_container_image_self_build | bool" - block: - - name: Ensure coturn repository is present on self-build - ansible.builtin.git: - repo: "{{ coturn_container_image_self_build_repo }}" - dest: "{{ coturn_docker_src_files_path }}" - version: "{{ coturn_container_image_self_build_repo_version }}" - force: "yes" - become: true - become_user: "{{ matrix_user_name }}" - register: coturn_git_pull_results - - - name: Ensure coturn Docker image is built - community.docker.docker_image: - name: "{{ coturn_container_image }}" - source: build - force_source: "{{ coturn_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or 
ansible_version.minor >= 8 else coturn_git_pull_results.changed }}" - build: - dockerfile: "{{ coturn_container_image_self_build_repo_dockerfile_path }}" - path: "{{ coturn_docker_src_files_path }}" - pull: true - -- name: Ensure coturn configuration path exists - ansible.builtin.file: - path: "{{ coturn_base_path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_name }}" - group: "{{ matrix_group_name }}" - -- name: Ensure turnserver.conf installed - ansible.builtin.template: - src: "{{ role_path }}/templates/turnserver.conf.j2" - dest: "{{ coturn_config_path }}" - mode: 0644 - owner: "{{ matrix_user_name }}" - group: "{{ matrix_group_name }}" - -- name: Ensure coturn network is created in Docker - when: coturn_container_network not in ['', 'host'] - community.docker.docker_network: - enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}" - name: "{{ coturn_container_network }}" - driver: bridge - driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}" - -- name: Ensure matrix-coturn.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-coturn.service" - mode: 0644 - -# This may be unnecessary when more long-lived certificates are used. -# We optimize for the common use-case though (short-lived Let's Encrypt certificates). -# Reloading doesn't hurt anyway, so there's no need to make this more flexible. 
-- name: Ensure reloading systemd units installed, if necessary - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/{{ item }}.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ item }}" - mode: 0644 - when: "coturn_tls_enabled | bool" - with_items: - - matrix-coturn-reload.service - - matrix-coturn-reload.timer - -# A similar task exists in `setup_uninstall.yml` -- name: Ensure reloading systemd units uninstalled, if unnecessary - ansible.builtin.file: - path: "{{ item }}" - state: absent - when: "not coturn_tls_enabled | bool" - with_items: - - matrix-coturn-reload.service - - matrix-coturn-reload.timer diff --git a/roles/custom/matrix-coturn/tasks/setup_uninstall.yml b/roles/custom/matrix-coturn/tasks/setup_uninstall.yml deleted file mode 100644 index 598d8ac53..000000000 --- a/roles/custom/matrix-coturn/tasks/setup_uninstall.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -# SPDX-FileCopyrightText: 2021 - 2022 Slavi Pantaleev -# SPDX-FileCopyrightText: 2022 Marko Weltzer -# -# SPDX-License-Identifier: AGPL-3.0-or-later - ---- - -- name: Check existence of matrix-coturn service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-coturn.service" - register: coturn_service_stat - when: "not coturn_enabled | bool" - -- when: coturn_service_stat.stat.exists | bool - block: - - name: Ensure matrix-coturn is stopped - ansible.builtin.service: - name: matrix-coturn - state: stopped - enabled: false - daemon_reload: true - - - name: Ensure matrix-coturn-reload.timer is stopped - ansible.builtin.service: - name: matrix-coturn - state: stopped - enabled: false - daemon_reload: true - failed_when: false - - - name: Ensure systemd units don't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/{{ item }}" - state: absent - with_items: - - matrix-coturn.service - - matrix-coturn-reload.service - - matrix-coturn-reload.timer - - - name: Ensure Matrix coturn paths don't exist - ansible.builtin.file: - path: "{{ coturn_base_path }}" - state: absent diff --git a/roles/custom/matrix-coturn/tasks/validate_config.yml b/roles/custom/matrix-coturn/tasks/validate_config.yml deleted file mode 100644 index 70e3afbe0..000000000 --- a/roles/custom/matrix-coturn/tasks/validate_config.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -# SPDX-FileCopyrightText: 2019 - 2025 Slavi Pantaleev -# SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara -# -# SPDX-License-Identifier: AGPL-3.0-or-later - ---- - -- name: (Deprecation) Catch and report renamed coturn settings - ansible.builtin.fail: - msg: >- - Your configuration contains a variable, which now has a different name. - Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml). - when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0" - with_items: - - {'old': 'coturn_docker_network', 'new': 'coturn_container_network'} - - {'old': 'coturn_container_stun_plain_host_bind_port', 'new': 'superseded by coturn_container_stun_plain_host_bind_port_tcp and coturn_container_stun_plain_host_bind_port_udp'} - - {'old': 'coturn_container_stun_tls_host_bind_port', 'new': 'superseded by coturn_container_stun_tls_host_bind_port_tcp and coturn_container_stun_tls_host_bind_port_udp'} - - {'old': 'coturn_container_image_name_prefix', 'new': 'coturn_container_image_registry_prefix'} - -- name: Fail if coturn_authentication_method is invalid - ansible.builtin.fail: - msg: >- - Invalid authentication method specified in `coturn_authentication_method` - when: "coturn_authentication_method not in ['auth-secret', 'lt-cred-mech']" - -- name: Fail if required coturn settings not defined - ansible.builtin.fail: - msg: >- - You need to define a required configuration setting (`{{ item.name }}`). - when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0" - with_items: - - {'name': 'coturn_hostname', when: true} - - {'name': 'coturn_turn_static_auth_secret', when: "{{ coturn_authentication_method == 'auth-secret' }}"} - - {'name': 'coturn_lt_cred_mech_username', when: "{{ coturn_authentication_method == 'lt-cred-mech' }}"} - - {'name': 'coturn_lt_cred_mech_password', when: "{{ coturn_authentication_method == 'lt-cred-mech' }}"} 
diff --git a/roles/custom/matrix-coturn/templates/systemd/matrix-coturn-reload.service.j2 b/roles/custom/matrix-coturn/templates/systemd/matrix-coturn-reload.service.j2 deleted file mode 100644 index f1f3d0f6a..000000000 --- a/roles/custom/matrix-coturn/templates/systemd/matrix-coturn-reload.service.j2 +++ /dev/null @@ -1,12 +0,0 @@ -{# -SPDX-FileCopyrightText: 2021 - 2022 Slavi Pantaleev - -SPDX-License-Identifier: AGPL-3.0-or-later -#} - -[Unit] -Description=Reloads matrix-coturn so that new SSL certificates can kick in - -[Service] -Type=oneshot -ExecStart={{ devture_systemd_docker_base_host_command_systemctl }} reload matrix-coturn.service diff --git a/roles/custom/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2 b/roles/custom/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2 deleted file mode 100644 index 5380b8452..000000000 --- a/roles/custom/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2 +++ /dev/null @@ -1,18 +0,0 @@ -{# -SPDX-FileCopyrightText: 2021 - 2022 Slavi Pantaleev -SPDX-FileCopyrightText: 2021 Hardy Erlinger -SPDX-FileCopyrightText: 2025 Suguru Hirahara - -SPDX-License-Identifier: AGPL-3.0-or-later -#} - -[Unit] -Description=Reloads matrix-coturn periodically so that new SSL certificates can kick in - -[Timer] -Unit=matrix-coturn-reload.service -OnCalendar={{ coturn_reload_schedule }} -RandomizedDelaySec={{ coturn_reload_schedule_randomized_delay_sec }} - -[Install] -WantedBy=timers.target diff --git a/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 deleted file mode 100644 index a5933ce8e..000000000 --- a/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ /dev/null 
@@ -1,70 +0,0 @@ -#jinja2: lstrip_blocks: True -[Unit] -Description=Matrix coturn server -{% for service in coturn_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-coturn 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-coturn 2>/dev/null || true' - -ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ - --rm \ - --name=matrix-coturn \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --cap-add=NET_BIND_SERVICE \ - --entrypoint=turnserver \ - --read-only \ - --tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \ - --network={{ coturn_container_network }} \ - {% if coturn_container_stun_plain_host_bind_port_tcp != '' %} - -p {{ coturn_container_stun_plain_host_bind_port_tcp }}:3478 \ - {% endif %} - {% if coturn_container_stun_plain_host_bind_port_udp != '' %} - -p {{ coturn_container_stun_plain_host_bind_port_udp }}:3478/udp \ - {% endif %} - {% if coturn_container_stun_tls_host_bind_port_tcp != '' %} - -p {{ coturn_container_stun_tls_host_bind_port_tcp }}:5349 \ - {% endif %} - {% if coturn_container_stun_tls_host_bind_port_udp != '' %} - -p {{ coturn_container_stun_tls_host_bind_port_udp }}:5349/udp \ - {% endif %} - {% if coturn_container_turn_range_listen_interface is not in [none, 'none'] %} - -p {{ coturn_container_turn_range_listen_interface }}{{ ':' if coturn_container_turn_range_listen_interface else '' }}{{ coturn_turn_udp_min_port }}-{{ coturn_turn_udp_max_port }}:{{ coturn_turn_udp_min_port }}-{{ 
coturn_turn_udp_max_port }}/udp \ - {% endif %} - --mount type=bind,src={{ coturn_config_path }},dst=/turnserver.conf,ro \ - {% for volume in coturn_container_additional_volumes %} - --mount type={{ volume.type | default('bind' if '/' in volume.src else 'volume') }},src={{ volume.src }},dst={{ volume.dst }}{{ (',' + volume.options) if volume.options else '' }} \ - {% endfor %} - {% for arg in coturn_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ coturn_container_image }} \ - -c /turnserver.conf - -{% for network in coturn_container_additional_networks %} -ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-coturn -{% endfor %} - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-coturn - -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-coturn 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-coturn 2>/dev/null || true' - -# This only reloads certificates (not other configuration). -# See: https://github.com/coturn/coturn/pull/236 -ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-coturn kill -USR2 1 - -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-coturn - -[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2.license b/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2.license deleted file mode 100644 index df5eb9b5a..000000000 --- a/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2.license +++ /dev/null 
@@ -1,8 +0,0 @@ -SPDX-FileCopyrightText: 2018 - 2025 Slavi Pantaleev -SPDX-FileCopyrightText: 2019 Hugues De Keyzer -SPDX-FileCopyrightText: 2019 Sylvia van Os -SPDX-FileCopyrightText: 2020 Chris van Dijk -SPDX-FileCopyrightText: 2021 Dan Arnfield -SPDX-FileCopyrightText: 2024 Suguru Hirahara - -SPDX-License-Identifier: AGPL-3.0-or-later diff --git a/roles/custom/matrix-coturn/templates/turnserver.conf.j2 b/roles/custom/matrix-coturn/templates/turnserver.conf.j2 deleted file mode 100644 index 6378b5ec4..000000000 --- a/roles/custom/matrix-coturn/templates/turnserver.conf.j2 +++ /dev/null 
@@ -1,78 +0,0 @@ -#jinja2: lstrip_blocks: True - -{% if coturn_authentication_method == 'auth-secret' %} -use-auth-secret -static-auth-secret={{ coturn_turn_static_auth_secret }} -userdb=/var/tmp/turnserver.db -{% endif %} - -{% if coturn_authentication_method == 'lt-cred-mech' %} -lt-cred-mech -user={{ coturn_lt_cred_mech_username }}:{{ coturn_lt_cred_mech_password }} -{% endif %} - -realm={{ coturn_realm }} - -min-port={{ coturn_turn_udp_min_port }} -max-port={{ coturn_turn_udp_max_port }} - -{% for ip in coturn_turn_external_ip_addresses %} -external-ip={{ ip }} -{% endfor %} - -log-file=stdout -pidfile=/var/tmp/turnserver.pid - -no-cli - -{% if coturn_tls_enabled %} -cert={{ coturn_tls_cert_path }} -pkey={{ coturn_tls_key_path }} -{% if not coturn_tls_v1_enabled %} -no-tlsv1 -{% endif %} -{% if not coturn_tls_v1_1_enabled %} -no-tlsv1_1 -{% endif %} -{% else %} -no-tls -no-dtls -{% endif %} - -prod - -{% if coturn_no_tcp_relay_enabled %} -no-tcp-relay -{% endif %} - -{% if coturn_no_rfc5780_enabled %} -no-rfc5780 -{% endif %} - -{% if coturn_no_stun_backward_compatibility_enabled %} -no-stun-backward-compatibility -{% endif %} - -{% if coturn_response_origin_only_with_rfc5780_enabled %} -response-origin-only-with-rfc5780 -{% endif %} - -{% if coturn_user_quota != None %} -user-quota={{ coturn_user_quota }} -{% endif %} -{% if coturn_total_quota != None %} -total-quota={{ coturn_total_quota }} -{% endif %} - -{% if coturn_no_multicast_peers_enabled %} -no-multicast-peers -{% endif %} - -{% for ip_range in coturn_denied_peer_ips %} -denied-peer-ip={{ ip_range }} -{% endfor %} -{% for ip_range in coturn_allowed_peer_ips %} -allowed-peer-ip={{ ip_range }} -{% endfor %} - -{{ coturn_additional_configuration }} diff --git a/roles/custom/matrix-coturn/templates/turnserver.conf.j2.license b/roles/custom/matrix-coturn/templates/turnserver.conf.j2.license deleted file mode 100644 index 98807515d..000000000 
--- a/roles/custom/matrix-coturn/templates/turnserver.conf.j2.license +++ /dev/null @@ -1,6 +0,0 @@ -SPDX-FileCopyrightText: 2018 - 2024 Slavi Pantaleev -SPDX-FileCopyrightText: 2019 Hugues De Keyzer -SPDX-FileCopyrightText: 2019 Stuart Mumford -SPDX-FileCopyrightText: 2021 - 2022 MDAD project contributors - -SPDX-License-Identifier: AGPL-3.0-or-later diff --git a/roles/custom/matrix-coturn/vars/main.yml b/roles/custom/matrix-coturn/vars/main.yml deleted file mode 100644 index 7b6861e1c..000000000 --- a/roles/custom/matrix-coturn/vars/main.yml +++ /dev/null @@ -1,21 +0,0 @@ -# SPDX-FileCopyrightText: 2025 Slavi Pantaleev -# -# SPDX-License-Identifier: AGPL-3.0-or-later - ---- - -coturn_turn_uris: |- - {{ - ([ - 'turns:' + coturn_hostname + '?transport=udp', - 'turns:' + coturn_hostname + '?transport=tcp', - ] if coturn_tls_enabled else []) - + - ([ - 'turn:' + coturn_hostname + '?transport=udp', - ] if (coturn_container_stun_plain_host_bind_port_udp != '' or coturn_container_network == 'host') else []) - + - ([ - 'turn:' + coturn_hostname + '?transport=tcp', - ] if (coturn_container_stun_plain_host_bind_port_tcp != '' or coturn_container_network == 'host') else []) - }}