feat(talk/turn/signaling/hpb): add role for Talk with backend services

2026-05-22 01:10:56 +02:00 · 2026-05-22 01:10:56 +02:00 · 27255a4bfa
commit 27255a4bfa
parent 78095cca1d
25 changed files with 930 additions and 0 deletions
--- a/roles/coturn/templates/docker-compose.yml.j2
+++ b/roles/coturn/templates/docker-compose.yml.j2
@ -0,0 +1,78 @@
+services:
+  coturn:
+    image: {{ coturn_image }}
+    container_name: {{ coturn_service_name }}
+    restart: always
+    network_mode: host
+    volumes:
+      - {{ coturn_cert_dir }}:/certs:ro
+    command:
+      - --use-auth-secret
+      - --static-auth-secret={{ coturn_static_auth_secret }}
+      - --realm={{ coturn_realm }}
+      - --fingerprint
+      - --no-multicast-peers
+      - --no-cli
+      - --listening-ip={{ coturn_listening_ip }}
+      - --listening-port={{ coturn_listening_port }}
+      - --tls-listening-port={{ coturn_tls_listening_port }}
+      - --min-port={{ coturn_min_relay_port }}
+      - --max-port={{ coturn_max_relay_port }}
+      - --cert=/certs/{{ coturn_cert_file }}
+      - --pkey=/certs/{{ coturn_key_file }}
+      - --external-ip={{ coturn_external_ip }}
+{% for arg in coturn_extra_args %}
+      - {{ arg }}
+{% endfor %}
+
+{% if coturn_cert_mode == 'acme' %}
+  acme:
+    image: {{ coturn_acme_image }}
+    container_name: acme-{{ coturn_service_name }}
+    restart: always
+    environment:
+      NSUPDATE_SERVER: "{{ coturn_acme_nsupdate_server }}"
+      NSUPDATE_KEY: "/acme.sh/nsupdate.key"
+      ACME_DIRECTORY: "{{ coturn_acme_directory }}"
+      NSUPDATE_ZONE: "{{ coturn_acme_nsupdate_zone }}"
+{% if coturn_acme_nsupdate_server_ip | length > 0 %}
+    extra_hosts:
+      - "{{ coturn_acme_nsupdate_server }}:{{ coturn_acme_nsupdate_server_ip }}"
+{% endif %}
+    volumes:
+      - {{ coturn_cert_dir }}:/certs
+      - /var/run/docker.sock:/var/run/docker.sock
+      - {{ coturn_docker_compose_dir }}/nsupdate.key:/acme.sh/nsupdate.key:ro
+      - {{ coturn_acme_data_dir }}:/acme.sh
+    entrypoint:
+      - /bin/sh
+      - -c
+      - |
+        set -eu
+        acme.sh --set-default-ca --server "$$ACME_DIRECTORY"
+        acme.sh --register-account -m {{ coturn_acme_email }} || true
+        set +e
+        acme.sh --issue \
+{% for san in _coturn_challenge_aliases %}
+          -d {{ san.name }} \
+          --challenge-alias {{ san.alias }} \
+{% endfor %}
+          --dns dns_nsupdate \
+          --keylength {{ coturn_acme_keylength }} \
+          --dnssleep {{ coturn_acme_dnssleep }}
+        rc=$$?
+        set -e
+        if [ "$$rc" -eq 0 ]; then
+          echo "Issue: success"
+        elif [ "$$rc" -eq 2 ]; then
+          echo "Issue: not due, continuing"
+        else
+          echo "Issue: failed with rc=$$rc"
+          exit "$$rc"
+        fi
+        acme.sh --install-cert -d {{ coturn_realm }} --ecc \
+          --fullchain-file /certs/{{ coturn_cert_file }} \
+          --key-file /certs/{{ coturn_key_file }} \
+          --reloadcmd 'curl --fail --silent --show-error --unix-socket /var/run/docker.sock -X POST http://localhost/v1.41/containers/{{ coturn_service_name }}/restart' || true
+        exec crond -f
+{% endif %}