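#SPDX-License-Identifier: MIT-0
---
# defaults file for coturn
#
# Every value here is a safe, non-production default. Anything marked
# "must be set in host_vars" is intentionally empty so a misconfigured
# host fails loudly instead of silently advertising the wrong address.

# Base directories (inherited from base role)
docker_compose_base_dir: /etc/docker/compose
docker_volume_base_dir: /srv/data

# Service-specific paths
coturn_service_name: coturn
coturn_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ coturn_service_name }}"
coturn_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ coturn_service_name }}"

# Container images (pin per host_vars in production).
# A tag is mutable; for a reproducible, auditable deployment prefer pinning by
# digest in host_vars, e.g. "coturn/coturn@sha256:<digest>" (placeholder).
coturn_image: "coturn/coturn:4.6.2-r5-alpine"
coturn_acme_image: "neilpang/acme.sh:3.1.0"

# Public DNS name used for the realm and the public certificate
coturn_realm: "stun.example.test"
# Optional second DNS name issued on the same certificate (for split-horizon "internal" name)
coturn_internal_realm: ""  # e.g. "stun.int.example.test"

# Ports
# Defaults follow IANA standards (3478/TURN, 5349/TURNS) so coturn can
# co-exist with a Traefik instance on the same host. Override to 443/443
# in restrictive-network environments where punching through firewalls matters.
coturn_listening_port: 3478  # TURN / STUN (TCP+UDP)
coturn_tls_listening_port: 5349  # TURNS (TCP+UDP)
# Relay port range handed out to clients. The host firewall / NAT must
# forward this UDP range as well as the listening ports above, and the
# range must match what coturn is started with; keep it narrow on purpose.
coturn_min_relay_port: 49160
coturn_max_relay_port: 49200

# IP advertisement: must be set in host_vars for production
# Format follows coturn's --external-ip: "PUBLIC_IP" or "PUBLIC_IP/PRIVATE_IP"
coturn_external_ip: ""  # e.g. "203.0.113.10/172.18.0.2"
# Bind address; "0.0.0.0" binds every interface. Restrict in host_vars on
# multi-homed hosts where TURN should not be reachable from every network.
coturn_listening_ip: "0.0.0.0"

# Shared secret used by HPB to mint short-lived TURN credentials.
# Loaded by default from a plain file in playbooks/secrets/{host}/coturn_static_auth_secret
# Override per host_vars if you want to use a vault or different lookup.
# Keep the secrets directory out of version control (or ansible-vault it),
# and make sure any task that renders this value into a file runs with no_log.
coturn_static_auth_secret: "{{ lookup('file', playbook_dir ~ '/secrets/' ~ inventory_hostname ~ '/coturn_static_auth_secret') }}"

# Additional CLI flags (list of strings, appended verbatim to command:)
# Values are not quoted or validated by the role; treat this as trusted input only.
coturn_extra_args: []

# --- TLS certificate ---
# 'acme' : run an acme.sh sidecar that issues + renews via RFC2136 / nsupdate, restarts coturn
# 'file' : assume a certificate already lives at {{ coturn_cert_dir }}/{{ coturn_cert_file }} on the host (you manage it)
# 'selfsigned' : generate a selfsigned cert on first run (for vagrant/dev only)
coturn_cert_mode: "file"

coturn_cert_dir: "{{ docker_volume_base_dir }}/acme/certs"
coturn_cert_file: "fullchain.cer"
# Private key file name; derived from the realm so it matches what acme.sh writes.
coturn_key_file: "{{ coturn_realm }}.key"

# --- acme.sh sidecar (only used when coturn_cert_mode == 'acme') ---
coturn_acme_email: "admin@example.test"
coturn_acme_directory: "https://acme-v02.api.letsencrypt.org/directory"
# Stage URL for testing: "https://acme-staging-v02.api.letsencrypt.org/directory"
coturn_acme_keylength: "ec-256"
# Seconds acme.sh waits for DNS propagation before asking the CA to validate.
coturn_acme_dnssleep: 60
coturn_acme_data_dir: "{{ docker_volume_base_dir }}/acme/acme"

# DNS-01 RFC2136 / nsupdate configuration
coturn_acme_nsupdate_server: ""  # e.g. "ns1.example.test"
coturn_acme_nsupdate_server_ip: ""  # optional extra_hosts pin (string IP) for the server
coturn_acme_nsupdate_zone: ""  # e.g. "example._acme.example.test"
# Per-name challenge alias zones (one entry per SAN)
# When empty (default), built automatically as "{{ realm }}._acme.{{ zone-tail }}"
coturn_acme_challenge_aliases: []
# Example:
# - name: stun.example.test
#   alias: stun.example._acme.example.test
# - name: stun.int.example.test
#   alias: stun.int.example._acme.example.test

# Controller-side source path of the TSIG key file used for nsupdate, kept in
# playbooks/secrets/{host}/ next to coturn_static_auth_secret. The role mounts
# it into the acme.sh sidecar; the container-side path is defined by the role's
# compose template, not here (confirm there if you relocate the key). Scope the
# TSIG key to the _acme challenge zone only, never to the whole DNS zone.
coturn_acme_nsupdate_key_src: "{{ playbook_dir }}/secrets/{{ inventory_hostname }}/nsupdate.key"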