{# part_list collects the names of the sections this template generates so that
   they can be appended to buildout:parts at the end of the file.
   server_name is taken from the 'server-name' request parameter and falls back
   to a placeholder hostname. -#}
{% set part_list = [] -%}
{% set server_name = slapparameter_dict.get('server-name', 'turn.example.com') -%}

# Directory layout below the instance root. 'ssl' holds the TLS key, the
# certificate and the DH parameters; 'services' holds the turnserver wrapper;
# 'run' and 'log' hold the pid file and the turnserver log.
[directory]
recipe = slapos.cookbook:mkdirectory
etc = ${buildout:directory}/etc
bin = ${buildout:directory}/bin
srv = ${buildout:directory}/srv
var = ${buildout:directory}/var
run = ${:var}/run
log = ${:var}/log
scripts = ${:etc}/run
services = ${:etc}/service
plugins = ${:etc}/plugin
ssl = ${:etc}/ssl

# Base section for the sections produced by the simplefile macro below: writes
# the 'content' key of the referenced section verbatim into a file.
# The doubled braces emit a literal '{{ content }}' so that the placeholder is
# expanded by slapos.recipe.template at instance time, not while rendering
# this template.
[file-base]
recipe = slapos.recipe.template:jinja2
template = inline:{{ '{{ content }}' }}


{# simplefile(section_name, file_path, content, mode='')
   Emits two buildout sections: '<section_name>-content', holding the dumped
   content, and '<section_name>', which extends file-base and renders that
   content to file_path with the given mode ('' leaves mode empty).
   The file section is also registered in part_list so it ends up in
   buildout:parts. -#}
{% macro simplefile(section_name, file_path, content, mode='') -%}
{%   set content_section_name = section_name ~ '-content' -%}
[{{  content_section_name }}]
content = {{ dumps(content) }}
[{{  section_name }}]
< = file-base
rendered = {{ file_path }}
context = key content {{ content_section_name }}:content
mode = {{ mode }}
{% do part_list.append(section_name) -%}
{%- endmacro %}

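{# Use the requester-supplied key and certificate when both are given
   (the key file is written with mode 600); otherwise generate a self-signed
   pair locally. -#}
{% if slapparameter_dict.get('ssl-key') and slapparameter_dict.get('ssl-crt') -%}
{{ simplefile('ssl-certificate', '${turnserver-ssl:certificate}', slapparameter_dict.get('ssl-crt')) }}
{{ simplefile('ssl-key', '${turnserver-ssl:key}', slapparameter_dict.get('ssl-key'), 600) }}
{% else -%}
{%  do part_list.append('gen-certificate') -%}
# Self-signed fallback certificate (10 years). The key size is pinned to 2048
# bits instead of relying on the bundled openssl.cnf default, and umask 077 is
# set first so the private key is never created world-readable.
[gen-certificate]
recipe = plone.recipe.command
command = umask 077 && "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa:2048 -batch -new -x509 -days 3650 -nodes -keyout "${turnserver-ssl:key}" -out "${turnserver-ssl:certificate}"
{% endif -%}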

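# Locations of the TLS material used by turnserver. The key and certificate are
# produced either by the ssl-key/ssl-certificate sections or by gen-certificate;
# this section only generates the DH parameters (4096-bit, which can take a
# long time), and only once: the check reuses the same path as the generator
# instead of a second hard-coded spelling of it.
[turnserver-ssl]
recipe = plone.recipe.command
certificate = ${directory:ssl}/cert.pem
key = ${directory:ssl}/key.pem
dhparam = ${directory:ssl}/dhparam.pem
command =
  if [ ! -s "${:dhparam}" ]; then
    "{{ parameter_dict['openssl'] }}/bin/openssl" dhparam -out "${:dhparam}" 4096
  fi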

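# Generates the TURN shared secret once (32 random bytes, hex encoded) into a
# small section/key file that read-secret reads back. umask 077 is set before
# the file is created so the secret is never readable by other users, even
# during the window before the final chmod.
[gen-secret]
recipe = plone.recipe.command
secret-file = ${directory:etc}/.turnsecret
command =
  umask 077
  if [ ! -s "${:secret-file}" ]; then
    cat <<EOF > "${:secret-file}"
    [turnserver]
    secret = $("{{ parameter_dict['openssl'] }}/bin/openssl" rand -hex 32)
    EOF
  fi
  chmod 600 "${:secret-file}"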

# Reads the secret back from the file written by gen-secret. 'secret' is left
# empty here and is presumably filled in by the recipe at instance time; other
# sections reference it as read-secret:secret.
[read-secret]
recipe = slapos.cookbook:zero-knowledge.read
file-path = ${gen-secret:secret-file}
secret =

{# Listening ports and address, overridable through the request parameters
   'port', 'tls-port' and 'listening-ip'. The address defaults to the first
   IPv4 of the partition. (The variable name 'listining_ip' is kept as is
   because it is referenced further down.) -#}
{% set turn_port = slapparameter_dict.get('port', 3478) -%}
{% set turn_tls_port = slapparameter_dict.get('tls-port', 5349) -%}
{% set listining_ip = slapparameter_dict.get('listening-ip', (ipv4 | list)[0]) -%}
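# turnserver (coturn) configuration. Authentication uses the long-term
# credential mechanism with the shared secret from read-secret. TLS 1.0/1.1
# are disabled; the cipher list no longer offers 3DES (64-bit block cipher)
# and excludes it explicitly, leaving AES-GCM/AES suites with ECDH, DH or RSA
# key exchange.
[turnserver-config]
recipe = collective.recipe.template
input = inline:
  listening-port={{ turn_port }}
  tls-listening-port={{ turn_tls_port }}
  fingerprint
  lt-cred-mech
  use-auth-secret
  static-auth-secret=${read-secret:secret}
  listening-ip={{ listining_ip }}
{% if slapparameter_dict.get('external-ip', '') %}
  external-ip={{ slapparameter_dict['external-ip'] }}
{% endif %}
  server-name={{ server_name }}
  realm={{ server_name }}
  total-quota=100
  bps-capacity=0
  stale-nonce=600
  cert=${turnserver-ssl:certificate}
  pkey=${turnserver-ssl:key}
  dh-file=${turnserver-ssl:dhparam}
  cipher-list="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AES:!ADH:!AECDH:!MD5:!3DES"
  no-loopback-peers
  no-multicast-peers
  mobility
  no-tlsv1
  no-tlsv1_1
  no-stdout-log
  log-file=${directory:log}/turnserver.log
  userdb=${directory:srv}/turndb
  pidfile=${directory:run}/turnserver.pid
  verbose
output = ${directory:etc}/turnserver.conf
mode = 644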

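# Wrapper that starts turnserver only once the rendered configuration actually
# carries a secret.
[turnserver-wrapper]
recipe = slapos.cookbook:wrapper
# XXX on first invocation of read-secret, the secret file is not yet generated
# so on first buildout run turnserver-config has an empty secret.
# We don't want to start the server when config file is not complete.
# grep -q: the matching line contains the shared secret, so it must not be
# printed to the wrapper's stdout (which is likely captured in a service log).
# 'grep -E' replaces the obsolescent 'egrep' spelling.
command-line =
  bash -c "grep -qE static-auth-secret=.+ ${turnserver-config:output} && \
  {{ parameter_dict['turnserver-location'] }}/bin/turnserver -c ${turnserver-config:output}"
wrapper-path = ${directory:services}/turnserver
# presumably makes the wrapper change (and the service restart) when the
# software release changes — confirm against the recipe
hash-existing-files = ${buildout:directory}/software_release/buildout.cfg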

# Monitoring promise: the plain TURN port must be listening on listening-ip.
[promise-check-turnserver-port]
<= monitor-promise-base
module = check_port_listening
name = turnserver-port-listening.py
config-hostname = {{ listining_ip }}
config-port = {{ turn_port }}

# Monitoring promise: the TURN-over-TLS port must be listening on listening-ip.
[promise-check-turnserver-tls-port]
<= monitor-promise-base
module = check_port_listening
name = turnserver-tls-port-listening.py
config-hostname = {{ listining_ip }}
config-port = {{ turn_tls_port }}

# Connection parameters returned to the requester: host:port for plain and
# TLS access. Note that the shared secret itself is published here, so it is
# visible to whoever can read the instance's connection parameters.
[publish-connection-information]
<= monitor-publish
recipe = slapos.cookbook:publish
turn-url = {{ server_name ~ ':' ~ turn_port }}
turn-tls-url = {{ server_name ~ ':' ~ turn_tls_port }}
secret = ${read-secret:secret}

# Instance buildout: extends the monitor template and lists the parts to
# install, including the sections collected in part_list above.
[buildout]

extends = {{ template_monitor }}

parts =
  publish-connection-information
# Complete parts with sections
  {{ part_list | join('\n  ') }}
# turn server
  turnserver-wrapper
  promise-check-turnserver-tls-port
  promise-check-turnserver-port

eggs-directory = {{ eggs_directory }}
develop-eggs-directory = {{ develop_eggs_directory }}
offline = true