feat(talk/turn/signaling/hpb): add role for Talk with backend services

2026-05-22 01:10:56 +02:00 · 2026-05-22 01:10:56 +02:00 · 05fb62c75d
commit 05fb62c75d
parent 2c2dbbc648
25 changed files with 930 additions and 0 deletions
--- a/roles/coturn/defaults/main.yml
+++ b/roles/coturn/defaults/main.yml
@ -0,0 +1,77 @@
+#SPDX-License-Identifier: MIT-0
+---
+# defaults file for coturn
+
+# Base directories (inherited from base role)
+docker_compose_base_dir: /etc/docker/compose
+docker_volume_base_dir: /srv/data
+
+# Service-specific paths
+coturn_service_name: coturn
+coturn_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ coturn_service_name }}"
+coturn_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ coturn_service_name }}"
+
+# Container images (pin per host_vars in production)
+coturn_image: "coturn/coturn:4.6.2-r5-alpine"
+coturn_acme_image: "neilpang/acme.sh:3.1.0"
+
+# Public DNS name used for the realm and the public certificate
+coturn_realm: "stun.example.test"
+# Optional second DNS name issued on the same certificate (for split-horizon "internal" name)
+coturn_internal_realm: ""  # e.g. "stun.int.example.test"
+
+# Ports
+# Defaults follow IANA standards (3478/TURN, 5349/TURNS) so coturn can
+# co-exist with a Traefik instance on the same host. Override to 443/443
+# in restrictive-network environments where punching through firewalls matters.
+coturn_listening_port: 3478      # TURN / STUN (TCP+UDP)
+coturn_tls_listening_port: 5349  # TURNS (TCP+UDP)
+coturn_min_relay_port: 49160
+coturn_max_relay_port: 49200
+
+# IP advertisement: must be set in host_vars for production
+# Format follows coturn's --external-ip: "PUBLIC_IP" or "PUBLIC_IP/PRIVATE_IP"
+coturn_external_ip: ""           # e.g. "203.0.113.10/172.18.0.2"
+coturn_listening_ip: "0.0.0.0"
+
+# Shared secret used by HPB to mint short-lived TURN credentials.
+# Loaded by default from a plain file in playbooks/secrets/{host}/coturn_static_auth_secret
+# Override per host_vars if you want to use a vault or different lookup.
+coturn_static_auth_secret: "{{ lookup('file', playbook_dir ~ '/secrets/' ~ inventory_hostname ~ '/coturn_static_auth_secret') }}"
+
+# Additional CLI flags (list of strings, appended verbatim to command:)
+coturn_extra_args: []
+
+# --- TLS certificate ---
+# 'acme'        : run an acme.sh sidecar that issues + renews via RFC2136 / nsupdate, restarts coturn
+# 'file'        : assume a certificate already lives at {{ coturn_cert_dir }}/{{ coturn_cert_file }} on the host (you manage it)
+# 'selfsigned'  : generate a selfsigned cert on first run (for vagrant/dev only)
+coturn_cert_mode: "file"
+
+coturn_cert_dir: "{{ docker_volume_base_dir }}/acme/certs"
+coturn_cert_file: "fullchain.cer"
+coturn_key_file: "{{ coturn_realm }}.key"
+
+# --- acme.sh sidecar (only used when coturn_cert_mode == 'acme') ---
+coturn_acme_email: "admin@example.test"
+coturn_acme_directory: "https://acme-v02.api.letsencrypt.org/directory"
+# Stage URL for testing: "https://acme-staging-v02.api.letsencrypt.org/directory"
+coturn_acme_keylength: "ec-256"
+coturn_acme_dnssleep: 60
+coturn_acme_data_dir: "{{ docker_volume_base_dir }}/acme/acme"
+
+# DNS-01 RFC2136 / nsupdate configuration
+coturn_acme_nsupdate_server: ""        # e.g. "ns1.example.test"
+coturn_acme_nsupdate_server_ip: ""     # optional extra_hosts pin (string IP) for the server
+coturn_acme_nsupdate_zone: ""          # e.g. "example._acme.example.test"
+# Per-name challenge alias zones (one entry per SAN)
+# When empty (default), built automatically as "{{ realm }}._acme.{{ zone-tail }}"
+coturn_acme_challenge_aliases: []
+# Example:
+#   - name: stun.example.test
+#     alias: stun.example._acme.example.test
+#   - name: stun.int.example.test
+#     alias: stun.int.example._acme.example.test
+
+# Path of the TSIG key file inside the container (mounted from secrets)
+coturn_acme_nsupdate_key_src: "{{ playbook_dir }}/secrets/{{ inventory_hostname }}/nsupdate.key"