2 changes: 1 addition & 1 deletion ansible/playbooks/paas/roles/fail2ban/defaults/main.yml
Expand Up @@ -37,7 +37,7 @@ fail2ban_404_findtime: 600
fail2ban_404_bantime: 600

# Rate limit
fail2ban_ratelimit_enabled: true
fail2ban_ratelimit_enabled: false
fail2ban_ratelimit_maxretry: 50
fail2ban_ratelimit_findtime: 30
fail2ban_ratelimit_bantime: 600
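Review bot: `fail2ban_ratelimit_enabled` now defaults to `false`, which switches the rate-limit jail off for every host that does not override it in inventory, and nothing in the hunk records why. A one-line comment above the key would keep the flip from being reverted later as an apparent mistake, e.g. `# Disabled by default (<reason>); enable per host in host_vars when needed`. The `maxretry`/`findtime`/`bantime` values underneath are unchanged, so re-enabling remains a single override.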
8 changes: 4 additions & 4 deletions ansible/playbooks/paas/roles/nomad/defaults/main.yml
Expand Up @@ -38,8 +38,8 @@ nomad_job_files_dir: "/var/tmp"
nomad_disable_anonymous_signature: false
nomad_disable_update_check: false

nomad_leave_on_terminate: true
nomad_leave_on_interrupt: true
nomad_leave_on_terminate: false
nomad_leave_on_interrupt: false

nomad_client_auto_join: true
nomad_server_auto_join: true
Expand Down Expand Up @@ -170,8 +170,8 @@ nomad_client_server_join_retry_max: 3
nomad_client_server_join_retry_interval: 15s

nomad_client_drain_on_shutdown_deadline: 1m
nomad_client_drain_on_shutdown_force: true
nomad_client_drain_on_shutdown_ignore_system_jobs: true
nomad_client_drain_on_shutdown_force: false
nomad_client_drain_on_shutdown_ignore_system_jobs: false

nomad_client_cpu_total_compute: 0
nomad_client_memory_total_mb: 0
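Review bot: Flipping `nomad_client_drain_on_shutdown_force` to `false` in the second hunk also turns off the new `ExecStop` drain command that `templates/override.conf.j2` gates on the same variable, so one key now controls two things (presumably the client `drain_on_shutdown` setting, rendered elsewhere, and the systemd stop hook) and neither this file nor the template says so. Add a comment above the key, e.g. `# Also gates the systemd ExecStop 'nomad node drain' hook in override.conf.j2`. The first hunk's `nomad_leave_on_terminate`/`nomad_leave_on_interrupt` flip deserves a reason comment as well, since both hunks change what a node does when it is stopped and an operator reading the defaults has no way to tell the change was deliberate.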
5 changes: 5 additions & 0 deletions ansible/playbooks/paas/roles/nomad/tasks/05_install.yml
Expand Up @@ -7,6 +7,11 @@
update_cache: true
when: nomad_version is not defined

- name: "Nomad Install | Install nomad-driver-exec2"
ansible.builtin.apt:
name: nomad-driver-exec2
state: latest

- name: "Nomad Install | Install binary"
ansible.builtin.apt:
name: "nomad={{ nomad_version }}-1"
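Review bot: `state: latest` on the new `nomad-driver-exec2` task installs whatever the repository currently publishes and upgrades it on every run, while the nomad binary in the task right below is pinned to `nomad={{ nomad_version }}-1`; an unpinned task driver next to a pinned agent is not reproducible and lets a repository update change the driver underneath running jobs. Pin it the same way, with a version variable and `state: present`, e.g. `name: "nomad-driver-exec2={{ <driver version variable, new role default> }}"` / `state: present`. The task also has no `when:` guard, although the matching `exec2.hcl` is only written for `client`/`both` nodes in `06_configuration.yml`; gating it on the same `nomad_node_role` condition keeps server-only nodes from carrying a driver they never load. The task list continues above and below this hunk.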
9 changes: 9 additions & 0 deletions ansible/playbooks/paas/roles/nomad/tasks/06_configuration.yml
Expand Up @@ -31,6 +31,15 @@
mode: '0644'
when: nomad_node_role == 'client' or nomad_node_role == 'both'

- name: "Nomad Configuration | Insert Nomad exec2 configuration"
ansible.builtin.template:
src: exec2.hcl.j2
dest: "{{ nomad_config_dir }}/exec2.hcl"
owner: nomad
group: nomad
mode: '0644'
when: nomad_node_role == 'client' or nomad_node_role == 'both'

- name: "Nomad Install | Copy configurations files"
ansible.builtin.template:
src: nomad.hcl.j2
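Review bot: The new task is named with the prefix `Nomad Configuration |` while the neighbouring tasks in this file use `Nomad Install |` (see the task immediately after it), so play output for this file no longer greps or sorts uniformly; rename it to `- name: "Nomad Install | Insert Nomad exec2 configuration"` or rename the file's other tasks in a separate change. The template it renders contains no Jinja expressions, so a comment above the task saying the exec2 sandbox settings are intentionally fixed (or a pointer to the variable that will drive them) would tell the next reader whether that is by design.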
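--- /dev/null
+++ b/ansible/playbooks/paas/roles/nomad/templates/exec2.hcl.j2
@@ -0,0 +1,7 @@
+plugin "nomad-driver-exec2" {
+config {
+unveil_defaults = true
+unveil_paths = []
+unveil_by_task = true
+}
+}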
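Review bot: `unveil_paths = []` and `unveil_defaults = true` are hard-coded, so the only way for an operator to let an exec2 task see an additional host path is to edit the role's template, whereas every other knob in this role is a `nomad_*` default that inventory can override. Rendering the list from a role default keeps the sandbox allow-list reviewable in host_vars rather than in a fork of the role, e.g. `unveil_paths = {{ <exec2 unveil paths variable, new role default> | default([]) | to_json }}`. As written the file contains no Jinja at all, so the `.j2` suffix is only a convention; if it is meant to stay static, a one-line comment at the top stating that the sandbox is deliberately restricted to the driver defaults would document the choice.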
2 changes: 2 additions & 0 deletions ansible/playbooks/paas/roles/nomad/templates/nomad.hcl.j2
Expand Up @@ -7,6 +7,8 @@ disable_update_check = {{ nomad_disable_update_check | lower }}

data_dir = "{{ nomad_data_dir }}"

plugin_dir = "{{ nomad_data_dir }}/data/plugins"

bind_addr = "{{ nomad_bind_address }}"

advertise {
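Review bot: `plugin_dir` is built inline as `{{ nomad_data_dir }}/data/plugins` instead of being its own `nomad_*_dir` variable like `nomad_config_dir`, `nomad_data_dir` and `nomad_job_files_dir`, and nothing in this change creates that directory or places the `nomad-driver-exec2` binary in it. Unless the apt package installs into exactly this path (not visible here), the agent will start without the plugin and the new `exec2.hcl` stanza will be ignored; confirm the package's install location and either point `plugin_dir` at it or add a variable, e.g. `plugin_dir = "{{ <plugin dir variable, new role default> }}"` with the current value as default.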
2 changes: 2 additions & 0 deletions ansible/playbooks/paas/roles/nomad/templates/override.conf.j2
Expand Up @@ -5,5 +5,7 @@ After=docker.service
ExecReload=/bin/kill --signal HUP $MAINPID
{% if nomad_node_role in ['both', 'client'] %}
ExecStartPost=/usr/bin/nomad node eligibility -enable -address={{ nomad_http_scheme }}://{{ hostvars[nomad_primary_master_node | default(inventory_hostname)]['ansible_' + nomad_iface].ipv4.address | default('127.0.0.1') }}:{{ nomad_http_port }} -ca-cert={{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_ca_pubkey }} -client-cert={{ nomad_tls_host_certificate_dir }}/{{ inventory_hostname }}-dc1-client-nomad.pem -client-key={{ nomad_tls_host_certificate_dir }}/{{ inventory_hostname }}-dc1-client-nomad.key -token={{ lookup('simple-stack-ui', type='secret', key=nomad_primary_master_node | default(inventory_hostname), subkey='nomad_management_token', missing='error') }} {{ node_id }}
{% if nomad_client_drain_on_shutdown_force %}
ExecStop=/usr/bin/nomad node drain -enable -address={{ nomad_http_scheme }}://{{ hostvars[nomad_primary_master_node | default(inventory_hostname)]['ansible_' + nomad_iface].ipv4.address | default('127.0.0.1') }}:{{ nomad_http_port }} -ca-cert={{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_ca_pubkey }} -client-cert={{ nomad_tls_host_certificate_dir }}/{{ inventory_hostname }}-dc1-client-nomad.pem -client-key={{ nomad_tls_host_certificate_dir }}/{{ inventory_hostname }}-dc1-client-nomad.key -token={{ lookup('simple-stack-ui', type='secret', key=nomad_primary_master_node | default(inventory_hostname), subkey='nomad_management_token', missing='error') }} {{ node_id }}
{% endif %}
{% endif %}
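Review bot: The new `ExecStop` drain command passes `-enable` but no `-deadline`, so the `nomad_client_drain_on_shutdown_deadline` default this role defines (`1m`) is never applied to this drain; add `-deadline={{ nomad_client_drain_on_shutdown_deadline }}` so the systemd stop hook and the client configuration agree. If `nomad node drain` asks for confirmation when stdin is not a terminal, the hook will fail under systemd; `-yes` is the flag that suppresses the prompt. The line is otherwise a verbatim copy of the `ExecStartPost` argument list, including the management token interpolated into the unit file, which local users can typically read through `systemctl show` and the process command line while the command runs; moving the shared `-address`/`-ca-cert`/`-client-cert`/`-client-key`/`-token` arguments into one `{% set %}` variable would at least keep the two commands from drifting, and a token scoped to node drain/eligibility instead of the management token would limit what that exposure is worth.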
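--- /dev/null
+++ b/ansible/playbooks/saas/roles/coturn/README.md
@@ -0,0 +1,47 @@
+# Role: `coturn`
+
+## How to use this Ansible role?
+
+1. In your `host_vars` directory, create a subdirectory with the name of your instance.
+2. Inside this subdirectory, create a YAML file (e.g., `turn.domain.com.yml`) and define the following variables:
+
+```yaml
+turn.domain.com:
+software: coturn
+size: small
+realm: domain.com
+external_ip: 1.2.3.4
+```
+
+## Ports to open (UFW / firewall)
+
+| Port | Protocol | Usage |
+|------|----------|-------|
+| 3478 | TCP/UDP | STUN/TURN |
+| 49152-49252 | UDP | Media relay (configurable) |
+
+Add the following to the host variables (`ufw_custom_rules`) of the instance where coturn is deployed:
+
+```yaml
+ufw_custom_rules:
+- port: 3478
+proto: tcp
+rule: allow
+- port: 3478
+proto: udp
+rule: allow
+- port: 49152:49252
+proto: udp
+rule: allow
+```
+
+The relay port range is configurable via:
+
+- `min_relay_port` (default: `49152`)
+- `max_relay_port` (default: `49252`)
+
+Adjust the port range accordingly depending on the number of simultaneous calls needed (1 port = 1 relayed call).
+
+## Secret
+
+The `turn_shared_secret` is auto-generated and must be shared with the Synapse role to enable TURN authentication.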
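--- /dev/null
+++ b/ansible/playbooks/saas/roles/coturn/defaults/main.yml
@@ -0,0 +1 @@
+---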
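--- /dev/null
+++ b/ansible/playbooks/saas/roles/coturn/tasks/backup.yml
@@ -0,0 +1 @@
+---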
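--- /dev/null
+++ b/ansible/playbooks/saas/roles/coturn/tasks/build.yml
@@ -0,0 +1,12 @@
+---
+- name: Include upstream variables
+ansible.builtin.include_vars: upstream.yml
+
+- name: Set custom variables
+ansible.builtin.set_fact:
+image_version: "{{ latest_version }}"
+image_definition: "{{ image }}"
+
+- name: End playbook if no new version
+ansible.builtin.meta: end_host
+when: catalogs[catalog_image_name] is defined and catalogs[catalog_image_name].version == image_version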
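Review bot: This file is byte-identical to `element_web/tasks/build.yml` in the same change, and `destroy.yml` in both roles already shows the pattern for shared steps (`include_role: common` with `tasks_from: destroy.yml`); moving these three tasks into the common role and including them the same way avoids a third copy the next time a role is added. The `end_host` short-circuit compares only the catalog version string with `image_version`, which is whatever `upstream.yml` resolved at run time, so a comment above the task stating that a re-tagged upstream release of the same version is intentionally not rebuilt would make that behaviour explicit, e.g. `# Same version string as the catalog entry means no rebuild, even if the upstream tag moved`.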
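--- /dev/null
+++ b/ansible/playbooks/saas/roles/coturn/tasks/destroy.yml
@@ -0,0 +1,5 @@
+---
+- name: Destroy service
+ansible.builtin.include_role:
+name: common
+tasks_from: destroy.yml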
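--- /dev/null
+++ b/ansible/playbooks/saas/roles/coturn/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- name: Copy nomad job to destination
+ansible.builtin.template:
+src: nomad.hcl
+dest: "/var/tmp/{{ domain }}.nomad"
+owner: root
+group: root
+mode: '0600'
+delegate_to: "{{ software.instance }}"
+
+- name: Run nomad job
+ansible.builtin.include_role:
+name: nomad
+tasks_from: job_start.yml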
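Review bot: The job file path is hard-coded as `/var/tmp/{{ domain }}.nomad` although the nomad role this task then includes defines `nomad_job_files_dir` (default `/var/tmp`), presumably for exactly this purpose; if that default is ever changed, `job_start.yml` and this task will look in different places. Use `dest: "{{ nomad_job_files_dir }}/{{ domain }}.nomad"`; the same applies to `element_web/tasks/main.yml`. The rendered job embeds the TURN shared secret, so keeping `mode: '0600'` is right; `src: nomad.hcl` also departs from the `.j2` naming used by `turnserver.conf.j2` and `config.json.j2` in the same change, which hides that the file is a template.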
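--- /dev/null
+++ b/ansible/playbooks/saas/roles/coturn/tasks/restore.yml
@@ -0,0 +1 @@
+---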
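--- /dev/null
+++ b/ansible/playbooks/saas/roles/coturn/templates/nomad.hcl
@@ -0,0 +1,80 @@
+job "{{ domain }}" {
+region = "{{ fact_instance.region }}"
+datacenters = ["{{ fact_instance.datacenter }}"]
+type = "service"
+
+{% if software.constraints is defined and software.constraints.location is defined %}
+constraint {
+attribute = "${meta.location}"
+set_contains = "{{ software.constraints.location }}"
+}
+{% endif %}
+
+constraint {
+attribute = "${meta.instance}"
+set_contains = "{{ software.instance }}"
+}
+
+group "coturn" {
+
+count = 1
+
+restart {
+attempts = 2
+interval = "10m"
+delay = "15s"
+mode = "fail"
+}
+
+network {
+port "stun" {
+static = 3478
+to = 3478
+}
+}
+
+service {
+name = "{{ service_name }}"
+port = "stun"
+provider = "nomad"
+tags = []
+check {
+name = "{{ service_name }}"
+type = "tcp"
+interval = "60s"
+timeout = "30s"
+check_restart {
+limit = 3
+grace = "90s"
+ignore_warnings = false
+}
+}
+}
+
+task "{{ domain }}-coturn" {
+
+driver = "docker"
+
+config {
+image = "coturn/coturn:{{ catalogs.coturn.version }}"
+network_mode = "host"
+volumes = [
+"local/turnserver.conf:/etc/coturn/turnserver.conf:ro"
+]
+}
+
+template {
+change_mode = "restart"
+destination = "local/turnserver.conf"
+data = <<EOH
+{{ lookup('ansible.builtin.template', 'templates/turnserver.conf.j2') }}
+EOH
+}
+
+resources {
+cpu = {{ size[software.size].cpu }}
+memory = {{ size[software.size].memory | int }}
+}
+}
+}
+}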
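Review bot: With `network_mode = "host"` the container binds directly on the node, but the job only declares the `stun` port 3478; the UDP relay range the rendered `turnserver.conf` opens (`min-port`/`max-port`, default 49152-49252) appears nowhere in the `network` stanza, so Nomad's port accounting does not know those ports are in use and another allocation on the same node can be handed one of them. Nomad declares single ports, not ranges, so the practical fix is a comment above `network {` recording that the relay range is claimed outside Nomad's view, together with reserving it on the client (the client `reserved` stanza) or documenting that coturn must be alone on its node; `count = 1` plus the `meta.instance` constraint already implies the latter. The TCP check on 3478 only proves the listener is up, not that UDP relay works, and `to = 3478` has no effect in host networking mode as far as I can tell — confirm, and drop it if so. `catalogs.coturn.version` is also spelled out here while `build.yml` uses `catalogs[catalog_image_name]`; using the same key in both keeps them from diverging.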
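--- /dev/null
+++ b/ansible/playbooks/saas/roles/coturn/templates/turnserver.conf.j2
@@ -0,0 +1,15 @@
+listening-port=3478
+fingerprint
+lt-cred-mech
+use-auth-secret
+static-auth-secret={{ lookup('simple-stack-ui', type='secret', key=domain, subkey='turn_shared_secret', missing='create', length=32) }}
+realm={{ software.realm | default(domain) }}
+total-quota=100
+bps-capacity=0
+stale-nonce
+no-multicast-peers
+min-port={{ software.min_relay_port | default(49152) }}
+max-port={{ software.max_relay_port | default(49252) }}
+{% if software.external_ip is defined %}
+external-ip={{ software.external_ip }}
+{% endif %}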
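Review bot: The rendered configuration places no restriction on which peer addresses the relay may reach, so any client holding a credential derived from the shared secret (every user the Synapse side issues one to) can have the server relay traffic to the node's loopback, link-local and private ranges, i.e. to services that are otherwise only reachable from the host network. coturn's `denied-peer-ip` option exists for this, and the block below adds the usual loopback/RFC1918/link-local ranges plus `no-tcp-relay`, which limits relay to UDP as WebRTC media needs. `total-quota` is set but there is no `user-quota`, so one credential can consume the whole allocation budget; `bps-capacity=0` appears to mean unlimited — confirm against the coturn version deployed. The `user-quota` value in the fence is a constructed example to be sized to expected calls per user.

```ini
# … unchanged: listening-port through no-multicast-peers …
no-tcp-relay
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=::1
# constructed example value: allocations per user, size to expected concurrent calls
user-quota=12
min-port={{ software.min_relay_port | default(49152) }}
# … unchanged: max-port and external-ip …
```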
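--- /dev/null
+++ b/ansible/playbooks/saas/roles/coturn/vars/main.yml
@@ -0,0 +1,11 @@
+---
+image:
+build: false
+forkable: false
+upstream:
+source: github
+user: coturn
+repo: coturn
+type: release
+labels: {}
+name: coturn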
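--- /dev/null
+++ b/ansible/playbooks/saas/roles/coturn/vars/upstream.yml
@@ -0,0 +1,2 @@
+---
+latest_version: "{{ (lookup('url', 'https://api.github.com/repos/' + image.upstream.user + '/' + image.upstream.repo + '/releases/latest', headers={'Accept': 'application/vnd.github+json', 'Authorization': 'Bearer ' + lookup('ansible.builtin.env', 'GITHUB_API_TOKEN') }) | from_json).get('tag_name') | replace('docker/', '') }}"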
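Review bot: If `GITHUB_API_TOKEN` is not set, `lookup('ansible.builtin.env', ...)` yields an empty string and the request goes out with a bare `Authorization: Bearer ` header, which GitHub is likely to reject as bad credentials rather than serve unauthenticated, so the failure surfaces as an opaque URL error from inside a vars file; an `ansible.builtin.assert` on `lookup('ansible.builtin.env', 'GITHUB_API_TOKEN') | length > 0` before the `include_vars` in `build.yml` stops the run with a message naming the missing token. The value that comes back is whatever `releases/latest` says at run time, with no pin or digest check, so two builds minutes apart can resolve different `image_version` values; that is presumably intended for the catalog refresh, but a comment above the key saying so would help, e.g. `# Resolved from the upstream 'latest' release at run time; deliberately not pinned`.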
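--- /dev/null
+++ b/ansible/playbooks/saas/roles/element_web/defaults/main.yml
@@ -0,0 +1 @@
+---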
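--- /dev/null
+++ b/ansible/playbooks/saas/roles/element_web/tasks/backup.yml
@@ -0,0 +1 @@
+---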
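--- /dev/null
+++ b/ansible/playbooks/saas/roles/element_web/tasks/build.yml
@@ -0,0 +1,12 @@
+---
+- name: Include upstream variables
+ansible.builtin.include_vars: upstream.yml
+
+- name: Set custom variables
+ansible.builtin.set_fact:
+image_version: "{{ latest_version }}"
+image_definition: "{{ image }}"
+
+- name: End playbook if no new version
+ansible.builtin.meta: end_host
+when: catalogs[catalog_image_name] is defined and catalogs[catalog_image_name].version == image_version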
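--- /dev/null
+++ b/ansible/playbooks/saas/roles/element_web/tasks/destroy.yml
@@ -0,0 +1,5 @@
+---
+- name: Destroy service
+ansible.builtin.include_role:
+name: common
+tasks_from: destroy.yml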
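--- /dev/null
+++ b/ansible/playbooks/saas/roles/element_web/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- name: Copy nomad job to destination
+ansible.builtin.template:
+src: nomad.hcl
+dest: "/var/tmp/{{ domain }}.nomad"
+owner: root
+group: root
+mode: '0600'
+delegate_to: "{{ software.instance }}"
+
+- name: Run nomad job
+ansible.builtin.include_role:
+name: nomad
+tasks_from: job_start.yml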
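--- /dev/null
+++ b/ansible/playbooks/saas/roles/element_web/tasks/restore.yml
@@ -0,0 +1 @@
+---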
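--- /dev/null
+++ b/ansible/playbooks/saas/roles/element_web/templates/config.json.j2
@@ -0,0 +1,21 @@
+{
+"default_server_config": {
+"m.homeserver": {
+"base_url": "https://{{ software.matrix_domain }}",
+"server_name": "{{ software.matrix_domain }}"
+}
+},
+"brand": "Element",
+"disable_custom_urls": false,
+"disable_guests": true,
+"disable_login_language_selector": false,
+"disable_3pid_login": false,
+"default_country_code": "{{ software.default_country_code | default('FR') }}",
+"show_labs_settings": false,
+"default_theme": "{{ software.theme | default('light') }}",
+"room_directory": {
+"servers": [
+"{{ software.matrix_domain }}"
+]
+}
+}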
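Review bot: Host variables are interpolated into JSON string literals as bare `{{ software.matrix_domain }}` and friends, so a quote, backslash or control character in any of them produces a config.json that Element cannot parse; rendering each value with `| to_json` (which emits the surrounding quotes) keeps the output valid for any input, e.g. `"server_name": {{ software.matrix_domain | to_json }},` and `"base_url": {{ ('https://' ~ software.matrix_domain) | to_json }},`. `"disable_custom_urls": false` leaves the login screen's homeserver override enabled, so users of this deployment can point the client at any homeserver; if the instance is meant to serve one server only, exposing this as a `software.*` option defaulting to `true`, in the same way `theme` and `default_country_code` are exposed, makes the choice explicit. Nothing on this page consumes the template — presumably the role's own `nomad.hcl` (not shown) embeds it the way the coturn job embeds `turnserver.conf.j2`; confirm.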