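# SPDX-License-Identifier: MIT-0
---
# tasks file for coturn
#
# Order of work: validate the required variables, create the host directories,
# provision a TLS certificate (acme.sh sidecar or a local self-signed cert,
# selected by coturn_cert_mode), then render docker-compose.yml and bring the
# stack up.  The "Restart coturn container" handler is defined outside this file.

# Fail early with one clear message instead of a confusing template error
# later on.  Only the expression text is echoed on failure, never the value,
# so coturn_static_auth_secret does not end up in the play output.
- name: Assert minimum configuration
  ansible.builtin.assert:
    that:
      - coturn_realm | length > 0
      - coturn_external_ip | length > 0
      - coturn_static_auth_secret | length > 0
    fail_msg: >
      coturn_realm, coturn_external_ip and coturn_static_auth_secret must be set.
      Provide them in host_vars or via a secrets file.

- name: Create coturn compose directory
  ansible.builtin.file:
    path: "{{ coturn_docker_compose_dir }}"
    state: directory
    mode: "0755"

- name: Create coturn data directory
  ansible.builtin.file:
    path: "{{ coturn_docker_volume_dir }}"
    state: directory
    mode: "0755"

# World-readable directory is fine: the private key written here below is 0600.
- name: Create certificate directory
  ansible.builtin.file:
    path: "{{ coturn_cert_dir }}"
    state: directory
    mode: "0755"

# --- TLS certificate provisioning -------------------------------------------------

- name: Configure acme.sh sidecar (TSIG key + acme data dir)
  when: coturn_cert_mode == 'acme'
  block:
    # Account keys and issued certificates live here; keep it private.
    - name: Create acme.sh data directory
      ansible.builtin.file:
        path: "{{ coturn_acme_data_dir }}"
        state: directory
        mode: "0700"

    # The TSIG key authorises dynamic DNS updates for the challenge zone.
    # no_log keeps its contents (and the diff) out of logs; 0600 keeps it
    # private even though the compose directory itself is 0755.
    - name: Deploy nsupdate TSIG key
      ansible.builtin.copy:
        src: "{{ coturn_acme_nsupdate_key_src }}"
        dest: "{{ coturn_docker_compose_dir }}/nsupdate.key"
        mode: "0600"
      no_log: true
      notify: Restart coturn container

    # When the operator did not supply coturn_acme_challenge_aliases, derive
    # one entry per realm: the host part of the realm (everything except its
    # last two labels) re-parented under coturn_acme_nsupdate_zone.
    # coturn_internal_realm is optional and only contributes when non-empty.
    # NOTE(review): presumably consumed by docker-compose.yml.j2 — verify.
    - name: Build effective challenge alias list (default if not provided)
      ansible.builtin.set_fact:
        _coturn_challenge_aliases: >-
          {{ coturn_acme_challenge_aliases
             if coturn_acme_challenge_aliases | length > 0
             else (
               [{'name': coturn_realm,
                 'alias': (coturn_realm.split('.')[:-2] | join('.')) ~ '.' ~ coturn_acme_nsupdate_zone }]
               + ([{'name': coturn_internal_realm,
                    'alias': (coturn_internal_realm.split('.')[:-2] | join('.')) ~ '.' ~ coturn_acme_nsupdate_zone }]
                  if coturn_internal_realm | length > 0 else [])
             )
          }}

- name: Generate selfsigned certificate (vagrant / dev only)
  when: coturn_cert_mode == 'selfsigned'
  block:
    # NOTE(review): the community.crypto modules below use the Python
    # "cryptography" library on the target, which the openssl CLI package does
    # not provide — confirm the target image already ships it.
    - name: Ensure openssl is available
      ansible.builtin.package:
        name: openssl
        state: present

    - name: Generate selfsigned private key
      community.crypto.openssl_privatekey:
        path: "{{ coturn_cert_dir }}/{{ coturn_key_file }}"
        type: ECC
        curve: secp256r1
        mode: "0600"

    # SAN mirrors the acme branch: coturn_realm always, coturn_internal_realm
    # only when it is set, so a dev cert also validates for the internal name.
    - name: Generate selfsigned CSR
      community.crypto.openssl_csr:
        path: "{{ coturn_cert_dir }}/{{ coturn_realm }}.csr"
        privatekey_path: "{{ coturn_cert_dir }}/{{ coturn_key_file }}"
        common_name: "{{ coturn_realm }}"
        subject_alt_name: >-
          {{ ['DNS:' ~ coturn_realm]
             + (['DNS:' ~ coturn_internal_realm] if coturn_internal_realm | length > 0 else []) }}
        mode: "0644"

    - name: Issue selfsigned certificate
      community.crypto.x509_certificate:
        path: "{{ coturn_cert_dir }}/{{ coturn_cert_file }}"
        privatekey_path: "{{ coturn_cert_dir }}/{{ coturn_key_file }}"
        csr_path: "{{ coturn_cert_dir }}/{{ coturn_realm }}.csr"
        provider: selfsigned
        mode: "0644"

# --- Compose + start --------------------------------------------------------------

# NOTE(review): if docker-compose.yml.j2 renders coturn_static_auth_secret
# inline, 0644 makes it readable by every local user on the host — consider
# a tighter mode or an env_file in that case; the template is not visible here.
- name: Generate docker-compose.yml for coturn
  ansible.builtin.template:
    src: docker-compose.yml.j2
    dest: "{{ coturn_docker_compose_dir }}/docker-compose.yml"
    mode: "0644"
  notify: Restart coturn container

# state: present creates the project if missing; the handler above restarts
# it at the end of the play when the compose file or TSIG key changed.
- name: Start coturn stack
  community.docker.docker_compose_v2:
    project_src: "{{ coturn_docker_compose_dir }}"
    state: present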