feat(talk/turn/signaling/hpb): add role for Talk with backend services

roles/coturn/tasks/main.yml

@@ -0,0 +1,110 @@
+#SPDX-License-Identifier: MIT-0
+---
+# tasks file for coturn
+
+- name: Assert minimum configuration
+  ansible.builtin.assert:
+    that:
+      - coturn_realm | length > 0
+      - coturn_external_ip | length > 0
+      - coturn_static_auth_secret | length > 0
+    fail_msg: >
+      coturn_realm, coturn_external_ip and coturn_static_auth_secret must be set.
+      Provide them in host_vars or via a secrets file.
+
+- name: Create coturn compose directory
+  ansible.builtin.file:
+    path: "{{ coturn_docker_compose_dir }}"
+    state: directory
+    mode: "0755"
+
+- name: Create coturn data directory
+  ansible.builtin.file:
+    path: "{{ coturn_docker_volume_dir }}"
+    state: directory
+    mode: "0755"
+
+- name: Create certificate directory
+  ansible.builtin.file:
+    path: "{{ coturn_cert_dir }}"
+    state: directory
+    mode: "0755"
+
+# --- TLS certificate provisioning -------------------------------------------------
+
+- name: Configure acme.sh sidecar (TSIG key + acme data dir)
+  when: coturn_cert_mode == 'acme'
+  block:
+    - name: Create acme.sh data directory
+      ansible.builtin.file:
+        path: "{{ coturn_acme_data_dir }}"
+        state: directory
+        mode: "0700"
+
+    - name: Deploy nsupdate TSIG key
+      ansible.builtin.copy:
+        src: "{{ coturn_acme_nsupdate_key_src }}"
+        dest: "{{ coturn_docker_compose_dir }}/nsupdate.key"
+        mode: "0600"
+      no_log: true
+      notify: Restart coturn container
+
+    - name: Build effective challenge alias list (default if not provided)
+      ansible.builtin.set_fact:
+        _coturn_challenge_aliases: >-
+          {{ coturn_acme_challenge_aliases
+             if coturn_acme_challenge_aliases | length > 0
+             else (
+               [{'name': coturn_realm,
+                 'alias': (coturn_realm.split('.')[:-2] | join('.')) ~ '.' ~ coturn_acme_nsupdate_zone }]
+               + ([{'name': coturn_internal_realm,
+                    'alias': (coturn_internal_realm.split('.')[:-2] | join('.')) ~ '.' ~ coturn_acme_nsupdate_zone }]
+                  if coturn_internal_realm | length > 0 else [])
+             )
+          }}
+
+- name: Generate selfsigned certificate (vagrant / dev only)
+  when: coturn_cert_mode == 'selfsigned'
+  block:
+    - name: Ensure openssl is available
+      ansible.builtin.package:
+        name: openssl
+        state: present
+
+    - name: Generate selfsigned private key
+      community.crypto.openssl_privatekey:
+        path: "{{ coturn_cert_dir }}/{{ coturn_key_file }}"
+        type: ECC
+        curve: secp256r1
+        mode: "0600"
+
+    - name: Generate selfsigned CSR
+      community.crypto.openssl_csr:
+        path: "{{ coturn_cert_dir }}/{{ coturn_realm }}.csr"
+        privatekey_path: "{{ coturn_cert_dir }}/{{ coturn_key_file }}"
+        common_name: "{{ coturn_realm }}"
+        subject_alt_name:
+          - "DNS:{{ coturn_realm }}"
+        mode: "0644"
+
+    - name: Issue selfsigned certificate
+      community.crypto.x509_certificate:
+        path: "{{ coturn_cert_dir }}/{{ coturn_cert_file }}"
+        privatekey_path: "{{ coturn_cert_dir }}/{{ coturn_key_file }}"
+        csr_path: "{{ coturn_cert_dir }}/{{ coturn_realm }}.csr"
+        provider: selfsigned
+        mode: "0644"
+
+# --- Compose + start --------------------------------------------------------------
+
+- name: Generate docker-compose.yml for coturn
+  ansible.builtin.template:
+    src: docker-compose.yml.j2
+    dest: "{{ coturn_docker_compose_dir }}/docker-compose.yml"
+    mode: "0644"
+  notify: Restart coturn container
+
+- name: Start coturn stack
+  community.docker.docker_compose_v2:
+    project_src: "{{ coturn_docker_compose_dir }}"
+    state: present