overmind
/
matrix-docker-ansible-deploy
miroir de https://github.com/spantaleev/matrix-docker-ansible-deploy
1
0
Bifurcation 0
Code Tickets 0 Versions 0 Wiki Activité
Matrix Docker Ansible eploy
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
10832 Révisions
13 Branches
36 MiB
 
 
Aborescence: fa7b784c5b
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de 'fa7b784c5b'
${ noResults }
matrix-docker-ansible-deploy/roles/custom/matrix-coturn/defaults/main.yml

238 lignes
13 KiB
Brut Annotations Historique 

  1. # SPDX-FileCopyrightText: 2019 - 2025 Slavi Pantaleev

  2. # SPDX-FileCopyrightText: 2019 Stuart Mumford

  3. # SPDX-FileCopyrightText: 2019 Sylvia van Os

  4. # SPDX-FileCopyrightText: 2020 - 2021 Dan Arnfield

  5. # SPDX-FileCopyrightText: 2020 Horvath Gergely

  6. # SPDX-FileCopyrightText: 2021 - 2022 MDAD project contributors

  7. # SPDX-FileCopyrightText: 2021 Ahmad Haghighi

  8. # SPDX-FileCopyrightText: 2022 - 2023 Nikita Chernyi

  9. # SPDX-FileCopyrightText: 2022 Hefty Zauk

  10. # SPDX-FileCopyrightText: 2022 Marko Weltzer

  11. # SPDX-FileCopyrightText: 2023 Samuel Meenzen

  12. # SPDX-FileCopyrightText: 2025 Suguru Hirahara

  13. #

  14. # SPDX-License-Identifier: AGPL-3.0-or-later

  15. 

  16. ---

  17. # Project source code URL: https://github.com/coturn/coturn

  18. 

  19. matrix_coturn_enabled: true

  20. 

  21. matrix_coturn_hostname: ""

  22. 

  23. matrix_coturn_container_image_self_build: false

  24. matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn"

  25. matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}"

  26. matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"

  27. 

  28. # renovate: datasource=docker depName=coturn/coturn versioning=loose

  29. matrix_coturn_version: 4.8.0

  30. matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_registry_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"

  31. matrix_coturn_docker_image_registry_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_coturn_docker_image_registry_prefix_upstream }}"

  32. matrix_coturn_docker_image_registry_prefix_upstream: "{{ matrix_coturn_docker_image_registry_prefix_upstream_default }}"

  33. matrix_coturn_docker_image_registry_prefix_upstream_default: docker.io/

  34. matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"

  35. 

  36. # The Docker network that coturn would be put into.

  37. #

  38. # Because coturn relays traffic to unvalidated IP addresses,

  39. # using a dedicated network, isolated from other Docker (and local) services is preferable.

  40. #

  41. # Setting up deny/allow rules with `matrix_coturn_allowed_peer_ips`/`matrix_coturn_denied_peer_ips` is also

  42. # possible for achieving such isolation, but is more complicated due to the dynamic nature of Docker networking.

  43. #

  44. # Setting `matrix_coturn_container_network` to 'host' will run the container with host networking,

  45. # which will drastically improve performance when thousands of ports are opened due to Docker not having to set up forwarding rules for each port.

  46. # Running with host networking can be dangerous, as it potentially exposes your local network and its services to coturn peers.

  47. # Regardless of the networking mode, we apply a deny list which via `matrix_coturn_denied_peer_ips`,

  48. # which hopefully prevents access to such private network ranges.

  49. # When running in host-networking mode, you need to adjust the firewall yourself, so that ports are opened.

  50. matrix_coturn_container_network: "matrix-coturn"

  51. 

  52. matrix_coturn_container_additional_networks: "{{ matrix_coturn_container_additional_networks_auto + matrix_coturn_container_additional_networks_custom }}"

  53. matrix_coturn_container_additional_networks_auto: []

  54. matrix_coturn_container_additional_networks_custom: []

  55. 

  56. matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn"

  57. matrix_coturn_docker_src_files_path: "{{ matrix_coturn_base_path }}/docker-src"

  58. matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf"

  59. 

  60. # List of systemd services that matrix-coturn.service depends on

  61. matrix_coturn_systemd_required_services_list: "{{ matrix_coturn_systemd_required_services_list_default + matrix_coturn_systemd_required_services_list_auto + matrix_coturn_systemd_required_services_list_custom }}"

  62. matrix_coturn_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"

  63. matrix_coturn_systemd_required_services_list_auto: []

  64. matrix_coturn_systemd_required_services_list_custom: []

  65. 

  66. # A list of additional "volumes" to mount in the container.

  67. # This list gets populated dynamically at runtime. You can provide a different default value,

  68. # if you wish to mount your own files into the container.

  69. # Contains definition objects like this: `{"type": "bind", "src": "/outside", "dst": "/inside", "options": "readonly"}.

  70. # See the `--mount` documentation for the `docker run` command.

  71. matrix_coturn_container_additional_volumes: []

  72. 

  73. # A list of extra arguments to pass to the container

  74. matrix_coturn_container_extra_arguments: []

  75. 

  76. # Controls whether the coturn container exposes its plain STUN port (tcp/3478 in the container) over TCP.

  77. #

  78. # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.

  79. matrix_coturn_container_stun_plain_host_bind_port_tcp: "{{ '3478' if matrix_coturn_container_network != 'host' else '' }}"

  80. 

  81. # Controls whether the coturn container exposes its plain STUN port (udp/3478 in the container) over UDP.

  82. #

  83. # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.

  84. #

  85. # Ideally, we'd like to set this to "" to avoid exposing this port and decrease the risk of DDoS amplification attacks.

  86. # See: https://stormwall.network/resources/blog/protect-against-ddos-based-on-stun-exploit

  87. # In practice, old Element clients only support talking to the STUN port over UDP, not TCP, so we need to keep this enabled for now.

  88. matrix_coturn_container_stun_plain_host_bind_port_udp: "{{ '3478' if matrix_coturn_container_network != 'host' else '' }}"

  89. 

  90. # Controls whether the coturn container exposes its TLS STUN port (tcp/5349 in the container) over TCP.

  91. #

  92. # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.

  93. matrix_coturn_container_stun_tls_host_bind_port_tcp: "{{ '5349' if matrix_coturn_container_network != 'host' else '' }}"

  94. 

  95. # Controls whether the coturn container exposes its TLS STUN port (udp/5349 in the container) over UDP.

  96. #

  97. # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.

  98. #

  99. # This is enabled by default, unlike `matrix_coturn_container_stun_plain_host_bind_port_udp`,

  100. # because the risk of DDoS amplification attacks is lower for TLS

  101. # due to the handshake requiring two-way authentication and being generally more expensive.

  102. matrix_coturn_container_stun_tls_host_bind_port_udp: "{{ '5349' if matrix_coturn_container_network != 'host' else '' }}"

  103. 

  104. # Controls whether the coturn container exposes its TURN UDP port range and which interface to do it on.

  105. #

  106. # Takes an interface "<ip address>" (e.g. "127.0.0.1"), or empty string to listen on all interfaces.

  107. # Takes a null/none value (`~`) or 'none' (as a string) to prevent listening.

  108. #

  109. # The UDP port-range itself is specified using `matrix_coturn_turn_udp_min_port` and `matrix_coturn_turn_udp_max_port`.

  110. matrix_coturn_container_turn_range_listen_interface: "{{ '' if matrix_coturn_container_network != 'host' else 'none' }}"

  111. 

  112. # UDP port-range to use for TURN

  113. matrix_coturn_turn_udp_min_port: 49152

  114. matrix_coturn_turn_udp_max_port: 49172

  115. 

  116. # Controls the `realm` configuration option

  117. matrix_coturn_realm: "turn.{{ matrix_coturn_hostname }}"

  118. 

  119. # Controls which authentication method to enable.

  120. #

  121. # lt-cred-mech likely provides better compatibility,

  122. # as described here: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3191

  123. # but those claims are unverified.

  124. #

  125. # For now, we still default to `auth-secret` like we've always done.

  126. #

  127. # Known values: auth-secret, lt-cred-mech

  128. matrix_coturn_authentication_method: auth-secret

  129. 

  130. # A shared secret used for authentication when `matrix_coturn_authentication_method` is `auth-secret`.

  131. # You can put any string here, but generating a strong one is preferred. You can create one with a command like `pwgen -s 64 1`.

  132. matrix_coturn_turn_static_auth_secret: ""

  133. 

  134. # A username used authentication when `matrix_coturn_authentication_method` is `lt-cred-mech`.

  135. matrix_coturn_lt_cred_mech_username: ""

  136. # A password used authentication when `matrix_coturn_authentication_method` is `lt-cred-mech`.

  137. matrix_coturn_lt_cred_mech_password: ""

  138. 

  139. # The external IP address of the machine where coturn is.

  140. # If do not define an IP address here or in `matrix_coturn_turn_external_ip_addresses`, auto-detection via an EchoIP service will be done.

  141. # See `matrix_coturn_turn_external_ip_address_auto_detection_enabled`

  142. matrix_coturn_turn_external_ip_address: ""

  143. matrix_coturn_turn_external_ip_addresses: "{{ [matrix_coturn_turn_external_ip_address] if matrix_coturn_turn_external_ip_address != '' else [] }}"

  144. 

  145. # Controls whether external IP address auto-detection should be attempted.

  146. # We try to do this if there is no external IP address explicitly configured and if an EchoIP service URL is specified.

  147. # See matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url

  148. matrix_coturn_turn_external_ip_address_auto_detection_enabled: "{{ matrix_coturn_turn_external_ip_addresses | length == 0 and matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url != '' }}"

  149. 

  150. # Specifies the address of the EchoIP service (https://github.com/mpolden/echoip) to use for detecting the external IP address.

  151. # By default, we use the official public instance.

  152. matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url: https://ifconfig.co/json

  153. 

  154. # Controls whether SSL certificates will be validated when contacting the EchoIP service (matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url)

  155. matrix_coturn_turn_external_ip_address_auto_detection_echoip_validate_certs: true

  156. 

  157. matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_count: "{{ devture_playbook_help_geturl_retries_count }}"

  158. matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_delay: "{{ devture_playbook_help_geturl_retries_delay }}"

  159. 

  160. matrix_coturn_allowed_peer_ips: []

  161. 

  162. # We block loopback interfaces and private networks by default to prevent private resources from being accessible.

  163. # This is especially important when coturn does not run within a container network (e.g. `matrix_coturn_container_network: host`).

  164. #

  165. # Learn more: https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/

  166. #

  167. # If you're running coturn for local network peers, you may wish to override these rules.

  168. matrix_coturn_denied_peer_ips:

  169.   - 0.0.0.0-0.255.255.255

  170.   - 10.0.0.0-10.255.255.255

  171.   - 100.64.0.0-100.127.255.255

  172.   - 127.0.0.0-127.255.255.255

  173.   - 169.254.0.0-169.254.255.255

  174.   - 172.16.0.0-172.31.255.255

  175.   - 192.0.0.0-192.0.0.255

  176.   - 192.0.2.0-192.0.2.255

  177.   - 192.88.99.0-192.88.99.255

  178.   - 192.168.0.0-192.168.255.255

  179.   - 198.18.0.0-198.19.255.255

  180.   - 198.51.100.0-198.51.100.255

  181.   - 203.0.113.0-203.0.113.255

  182.   - 240.0.0.0-255.255.255.255

  183.   - ::1

  184.   - 64:ff9b::-64:ff9b::ffff:ffff

  185.   - ::ffff:0.0.0.0-::ffff:255.255.255.255

  186.   - 100::-100::ffff:ffff:ffff:ffff

  187.   - 2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff

  188.   - 2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff

  189.   - fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

  190.   - fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff

  191. 

  192. matrix_coturn_user_quota: null

  193. matrix_coturn_total_quota: null

  194. 

  195. # Controls whether `no-tcp-relay` is added to the configuration

  196. # Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L419-L422

  197. matrix_coturn_no_tcp_relay_enabled: true

  198. 

  199. # Controls whether `no-multicast-peers` is added to the configuration

  200. # Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L629-L632

  201. matrix_coturn_no_multicast_peers_enabled: true

  202. 

  203. # Controls whether `no-rfc5780` is added to the configuration

  204. # Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L770-L781

  205. matrix_coturn_no_rfc5780_enabled: true

  206. 

  207. # Controls whether `no-stun-backward-compatibility` is added to the configuration

  208. # Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L783-L789

  209. matrix_coturn_no_stun_backward_compatibility_enabled: true

  210. 

  211. # Controls whether `response-origin-only-with-rfc5780` is added to the configuration

  212. # Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L791-L796

  213. matrix_coturn_response_origin_only_with_rfc5780_enabled: true

  214. 

  215. # Additional configuration to be passed to turnserver.conf

  216. # Example:

  217. # matrix_coturn_additional_configuration: |

  218. #   simple-log

  219. #   aux-server=1.2.3.4

  220. #   relay-ip=4.3.2.1

  221. matrix_coturn_additional_configuration: ""

  222. 

  223. # To enable TLS, you need to provide paths to certificates.

  224. # Paths defined in `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path` are in-container paths.

  225. # Files on the host can be mounted into the container using `matrix_coturn_container_additional_volumes`.

  226. matrix_coturn_tls_enabled: false

  227. matrix_coturn_tls_cert_path: ~

  228. matrix_coturn_tls_key_path: ~

  229. 

  230. matrix_coturn_tls_v1_enabled: false

  231. matrix_coturn_tls_v1_1_enabled: false

  232. 

  233. # systemd calendar configuration for the reload job

  234. # the actual job may run with a delay (see matrix_coturn_reload_schedule_randomized_delay_sec)

  235. matrix_coturn_reload_schedule: "*-*-* 06:30:00"

  236. # the delay with which the systemd timer may run in relation to the `matrix_coturn_reload_schedule` schedule

  237. matrix_coturn_reload_schedule_randomized_delay_sec: 1h