overmind
/
matrix-docker-ansible-deploy
mirror of https://github.com/spantaleev/matrix-docker-ansible-deploy
1
0
Fork 0
Code Issues 0 Releases 0 Wiki Activity
Matrix Docker Ansible eploy
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10838 Commits
11 Branches
1.0 GiB
 
 
Tree: b3f364933d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b3f364933d'
${ noResults }
matrix-docker-ansible-deploy/roles/custom/matrix-coturn/defaults/main.yml

237 lines
12 KiB
Raw Blame History 

  1. # SPDX-FileCopyrightText: 2019 - 2025 Slavi Pantaleev

  2. # SPDX-FileCopyrightText: 2019 Stuart Mumford

  3. # SPDX-FileCopyrightText: 2019 Sylvia van Os

  4. # SPDX-FileCopyrightText: 2020 - 2021 Dan Arnfield

  5. # SPDX-FileCopyrightText: 2020 Horvath Gergely

  6. # SPDX-FileCopyrightText: 2021 - 2022 MDAD project contributors

  7. # SPDX-FileCopyrightText: 2021 Ahmad Haghighi

  8. # SPDX-FileCopyrightText: 2022 - 2023 Nikita Chernyi

  9. # SPDX-FileCopyrightText: 2022 Hefty Zauk

  10. # SPDX-FileCopyrightText: 2022 Marko Weltzer

  11. # SPDX-FileCopyrightText: 2023 Samuel Meenzen

  12. # SPDX-FileCopyrightText: 2025 Suguru Hirahara

  13. #

  14. # SPDX-License-Identifier: AGPL-3.0-or-later

  15. 

  16. ---

  17. # Project source code URL: https://github.com/coturn/coturn

  18. 

  19. coturn_enabled: true

  20. 

  21. coturn_hostname: ""

  22. 

  23. coturn_container_image_self_build: false

  24. coturn_container_image_self_build_repo: "https://github.com/coturn/coturn"

  25. coturn_container_image_self_build_repo_version: "docker/{{ coturn_version }}"

  26. coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"

  27. 

  28. # renovate: datasource=docker depName=coturn/coturn versioning=loose

  29. coturn_version: 4.8.0

  30. coturn_container_image: "{{ coturn_container_image_registry_prefix }}coturn/coturn:{{ coturn_version }}-alpine"

  31. coturn_container_image_registry_prefix: "{{ 'localhost/' if coturn_container_image_self_build else coturn_container_image_registry_prefix_upstream }}"

  32. coturn_container_image_registry_prefix_upstream: "{{ coturn_container_image_registry_prefix_upstream_default }}"

  33. coturn_container_image_registry_prefix_upstream_default: docker.io/

  34. coturn_container_image_force_pull: "{{ coturn_container_image.endswith(':latest') }}"

  35. 

  36. # The Docker network that coturn would be put into.

  37. #

  38. # Because coturn relays traffic to unvalidated IP addresses,

  39. # using a dedicated network, isolated from other Docker (and local) services is preferable.

  40. #

  41. # Setting up deny/allow rules with `coturn_allowed_peer_ips`/`coturn_denied_peer_ips` is also

  42. # possible for achieving such isolation, but is more complicated due to the dynamic nature of Docker networking.

  43. #

  44. # Setting `coturn_container_network` to 'host' will run the container with host networking,

  45. # which will drastically improve performance when thousands of ports are opened due to Docker not having to set up forwarding rules for each port.

  46. # Running with host networking can be dangerous, as it potentially exposes your local network and its services to coturn peers.

  47. # Regardless of the networking mode, we apply a deny list which via `coturn_denied_peer_ips`,

  48. # which hopefully prevents access to such private network ranges.

  49. # When running in host-networking mode, you need to adjust the firewall yourself, so that ports are opened.

  50. coturn_container_network: "matrix-coturn"

  51. 

  52. coturn_container_additional_networks: "{{ coturn_container_additional_networks_auto + coturn_container_additional_networks_custom }}"

  53. coturn_container_additional_networks_auto: []

  54. coturn_container_additional_networks_custom: []

  55. 

  56. coturn_docker_src_files_path: "{{ coturn_base_path }}/docker-src"

  57. coturn_config_path: "{{ coturn_base_path }}/turnserver.conf"

  58. 

  59. # List of systemd services that matrix-coturn.service depends on

  60. coturn_systemd_required_services_list: "{{ coturn_systemd_required_services_list_default + coturn_systemd_required_services_list_auto + coturn_systemd_required_services_list_custom }}"

  61. coturn_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"

  62. coturn_systemd_required_services_list_auto: []

  63. coturn_systemd_required_services_list_custom: []

  64. 

  65. # A list of additional "volumes" to mount in the container.

  66. # This list gets populated dynamically at runtime. You can provide a different default value,

  67. # if you wish to mount your own files into the container.

  68. # Contains definition objects like this: `{"type": "bind", "src": "/outside", "dst": "/inside", "options": "readonly"}.

  69. # See the `--mount` documentation for the `docker run` command.

  70. coturn_container_additional_volumes: []

  71. 

  72. # A list of extra arguments to pass to the container

  73. coturn_container_extra_arguments: []

  74. 

  75. # Controls whether the coturn container exposes its plain STUN port (tcp/3478 in the container) over TCP.

  76. #

  77. # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.

  78. coturn_container_stun_plain_host_bind_port_tcp: "{{ '3478' if coturn_container_network != 'host' else '' }}"

  79. 

  80. # Controls whether the coturn container exposes its plain STUN port (udp/3478 in the container) over UDP.

  81. #

  82. # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.

  83. #

  84. # Ideally, we'd like to set this to "" to avoid exposing this port and decrease the risk of DDoS amplification attacks.

  85. # See: https://stormwall.network/resources/blog/protect-against-ddos-based-on-stun-exploit

  86. # In practice, old Element clients only support talking to the STUN port over UDP, not TCP, so we need to keep this enabled for now.

  87. coturn_container_stun_plain_host_bind_port_udp: "{{ '3478' if coturn_container_network != 'host' else '' }}"

  88. 

  89. # Controls whether the coturn container exposes its TLS STUN port (tcp/5349 in the container) over TCP.

  90. #

  91. # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.

  92. coturn_container_stun_tls_host_bind_port_tcp: "{{ '5349' if coturn_container_network != 'host' else '' }}"

  93. 

  94. # Controls whether the coturn container exposes its TLS STUN port (udp/5349 in the container) over UDP.

  95. #

  96. # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.

  97. #

  98. # This is enabled by default, unlike `coturn_container_stun_plain_host_bind_port_udp`,

  99. # because the risk of DDoS amplification attacks is lower for TLS

  100. # due to the handshake requiring two-way authentication and being generally more expensive.

  101. coturn_container_stun_tls_host_bind_port_udp: "{{ '5349' if coturn_container_network != 'host' else '' }}"

  102. 

  103. # Controls whether the coturn container exposes its TURN UDP port range and which interface to do it on.

  104. #

  105. # Takes an interface "<ip address>" (e.g. "127.0.0.1"), or empty string to listen on all interfaces.

  106. # Takes a null/none value (`~`) or 'none' (as a string) to prevent listening.

  107. #

  108. # The UDP port-range itself is specified using `coturn_turn_udp_min_port` and `coturn_turn_udp_max_port`.

  109. coturn_container_turn_range_listen_interface: "{{ '' if coturn_container_network != 'host' else 'none' }}"

  110. 

  111. # UDP port-range to use for TURN

  112. coturn_turn_udp_min_port: 49152

  113. coturn_turn_udp_max_port: 49172

  114. 

  115. # Controls the `realm` configuration option

  116. coturn_realm: "turn.{{ coturn_hostname }}"

  117. 

  118. # Controls which authentication method to enable.

  119. #

  120. # lt-cred-mech likely provides better compatibility,

  121. # as described here: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3191

  122. # but those claims are unverified.

  123. #

  124. # For now, we still default to `auth-secret` like we've always done.

  125. #

  126. # Known values: auth-secret, lt-cred-mech

  127. coturn_authentication_method: auth-secret

  128. 

  129. # A shared secret used for authentication when `coturn_authentication_method` is `auth-secret`.

  130. # You can put any string here, but generating a strong one is preferred. You can create one with a command like `pwgen -s 64 1`.

  131. coturn_turn_static_auth_secret: ""

  132. 

  133. # A username used authentication when `coturn_authentication_method` is `lt-cred-mech`.

  134. coturn_lt_cred_mech_username: ""

  135. # A password used authentication when `coturn_authentication_method` is `lt-cred-mech`.

  136. coturn_lt_cred_mech_password: ""

  137. 

  138. # The external IP address of the machine where coturn is.

  139. # If do not define an IP address here or in `coturn_turn_external_ip_addresses`, auto-detection via an EchoIP service will be done.

  140. # See `coturn_turn_external_ip_address_auto_detection_enabled`

  141. coturn_turn_external_ip_address: ""

  142. coturn_turn_external_ip_addresses: "{{ [coturn_turn_external_ip_address] if coturn_turn_external_ip_address != '' else [] }}"

  143. 

  144. # Controls whether external IP address auto-detection should be attempted.

  145. # We try to do this if there is no external IP address explicitly configured and if an EchoIP service URL is specified.

  146. # See coturn_turn_external_ip_address_auto_detection_echoip_service_url

  147. coturn_turn_external_ip_address_auto_detection_enabled: "{{ coturn_turn_external_ip_addresses | length == 0 and coturn_turn_external_ip_address_auto_detection_echoip_service_url != '' }}"

  148. 

  149. # Specifies the address of the EchoIP service (https://github.com/mpolden/echoip) to use for detecting the external IP address.

  150. # Example: https://ifconfig.co/json

  151. coturn_turn_external_ip_address_auto_detection_echoip_service_url: ""

  152. 

  153. # Controls whether SSL certificates will be validated when contacting the EchoIP service (coturn_turn_external_ip_address_auto_detection_echoip_service_url)

  154. coturn_turn_external_ip_address_auto_detection_echoip_validate_certs: true

  155. 

  156. coturn_turn_external_ip_address_auto_detection_echoip_service_retries_count: "{{ devture_playbook_help_geturl_retries_count }}"

  157. coturn_turn_external_ip_address_auto_detection_echoip_service_retries_delay: "{{ devture_playbook_help_geturl_retries_delay }}"

  158. 

  159. coturn_allowed_peer_ips: []

  160. 

  161. # We block loopback interfaces and private networks by default to prevent private resources from being accessible.

  162. # This is especially important when coturn does not run within a container network (e.g. `coturn_container_network: host`).

  163. #

  164. # Learn more: https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/

  165. #

  166. # If you're running coturn for local network peers, you may wish to override these rules.

  167. coturn_denied_peer_ips:

  168.   - 0.0.0.0-0.255.255.255

  169.   - 10.0.0.0-10.255.255.255

  170.   - 100.64.0.0-100.127.255.255

  171.   - 127.0.0.0-127.255.255.255

  172.   - 169.254.0.0-169.254.255.255

  173.   - 172.16.0.0-172.31.255.255

  174.   - 192.0.0.0-192.0.0.255

  175.   - 192.0.2.0-192.0.2.255

  176.   - 192.88.99.0-192.88.99.255

  177.   - 192.168.0.0-192.168.255.255

  178.   - 198.18.0.0-198.19.255.255

  179.   - 198.51.100.0-198.51.100.255

  180.   - 203.0.113.0-203.0.113.255

  181.   - 240.0.0.0-255.255.255.255

  182.   - ::1

  183.   - 64:ff9b::-64:ff9b::ffff:ffff

  184.   - ::ffff:0.0.0.0-::ffff:255.255.255.255

  185.   - 100::-100::ffff:ffff:ffff:ffff

  186.   - 2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff

  187.   - 2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff

  188.   - fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

  189.   - fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff

  190. 

  191. coturn_user_quota: null

  192. coturn_total_quota: null

  193. 

  194. # Controls whether `no-tcp-relay` is added to the configuration

  195. # Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L419-L422

  196. coturn_no_tcp_relay_enabled: true

  197. 

  198. # Controls whether `no-multicast-peers` is added to the configuration

  199. # Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L629-L632

  200. coturn_no_multicast_peers_enabled: true

  201. 

  202. # Controls whether `no-rfc5780` is added to the configuration

  203. # Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L770-L781

  204. coturn_no_rfc5780_enabled: true

  205. 

  206. # Controls whether `no-stun-backward-compatibility` is added to the configuration

  207. # Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L783-L789

  208. coturn_no_stun_backward_compatibility_enabled: true

  209. 

  210. # Controls whether `response-origin-only-with-rfc5780` is added to the configuration

  211. # Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L791-L796

  212. coturn_response_origin_only_with_rfc5780_enabled: true

  213. 

  214. # Additional configuration to be passed to turnserver.conf

  215. # Example:

  216. # coturn_additional_configuration: |

  217. #   simple-log

  218. #   aux-server=1.2.3.4

  219. #   relay-ip=4.3.2.1

  220. coturn_additional_configuration: ""

  221. 

  222. # To enable TLS, you need to provide paths to certificates.

  223. # Paths defined in `coturn_tls_cert_path` and `coturn_tls_key_path` are in-container paths.

  224. # Files on the host can be mounted into the container using `coturn_container_additional_volumes`.

  225. coturn_tls_enabled: false

  226. coturn_tls_cert_path: ~

  227. coturn_tls_key_path: ~

  228. 

  229. coturn_tls_v1_enabled: false

  230. coturn_tls_v1_1_enabled: false

  231. 

  232. # systemd calendar configuration for the reload job

  233. # the actual job may run with a delay (see coturn_reload_schedule_randomized_delay_sec)

  234. coturn_reload_schedule: "*-*-* 06:30:00"

  235. # the delay with which the systemd timer may run in relation to the `coturn_reload_schedule` schedule

  236. coturn_reload_schedule_randomized_delay_sec: 1h