2024-12-07 18:40:11 +01:00
# SPDX-FileCopyrightText: 2022 MDAD Team and contributors
2024-12-07 17:34:44 +01:00
#
# SPDX-License-Identifier: AGPL-3.0-or-later
2022-02-05 21:32:54 +01:00
---
2022-07-16 22:59:21 +02:00
# Project source code URL: https://github.com/coturn/coturn
2022-02-05 21:32:54 +01:00
2019-01-16 17:05:48 +01:00
matrix_coturn_enabled : true
2020-03-15 09:10:41 +01:00
2020-03-15 09:15:27 +01:00
matrix_coturn_container_image_self_build : false
2021-04-24 19:31:25 +02:00
matrix_coturn_container_image_self_build_repo : "https://github.com/coturn/coturn"
2021-07-03 09:06:09 +02:00
matrix_coturn_container_image_self_build_repo_version : "docker/{{ matrix_coturn_version }}"
2021-04-24 19:31:25 +02:00
matrix_coturn_container_image_self_build_repo_dockerfile_path : "docker/coturn/alpine/Dockerfile"
2019-01-16 17:05:48 +01:00
2023-10-06 14:14:03 +02:00
# renovate: datasource=docker depName=coturn/coturn
2024-07-26 14:15:51 +02:00
matrix_coturn_version : 4.6 .2 -r11
2021-04-22 14:05:27 +02:00
matrix_coturn_docker_image : "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
2021-04-12 14:39:16 +02:00
matrix_coturn_docker_image_name_prefix : "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}"
2019-06-10 13:23:51 +02:00
matrix_coturn_docker_image_force_pull : "{{ matrix_coturn_docker_image.endswith(':latest') }}"
2019-01-12 16:53:00 +01:00
2019-03-18 16:36:00 +01:00
# The Docker network that Coturn would be put into.
#
# Because Coturn relays traffic to unvalidated IP addresses,
# using a dedicated network, isolated from other Docker (and local) services is preferrable.
#
# Setting up deny/allow rules with `matrix_coturn_allowed_peer_ips`/`matrix_coturn_denied_peer_ips` is also
# possible for achieving such isolation, but is more complicated due to the dynamic nature of Docker networking.
2023-01-26 16:16:20 +01:00
#
2024-01-15 10:16:08 +01:00
# Setting `matrix_coturn_container_network` to 'host' will run the container with host networking,
2023-01-26 16:16:20 +01:00
# which will drastically improve performance when thousands of ports are opened due to Docker not having to set up forwarding rules for each port.
# Running with host networking can be dangerous, as it potentially exposes your local network and its services to Coturn peers.
# Regardless of the networking mode, we apply a deny list which via `matrix_coturn_denied_peer_ips`,
# which hopefully prevents access to such private network ranges.
# When running in host-networking mode, you need to adjust the firewall yourself, so that ports are opened.
2024-01-15 10:16:08 +01:00
matrix_coturn_container_network : "matrix-coturn"
matrix_coturn_container_additional_networks : "{{ matrix_coturn_container_additional_networks_auto + matrix_coturn_container_additional_networks_custom }}"
matrix_coturn_container_additional_networks_auto : [ ]
matrix_coturn_container_additional_networks_custom : [ ]
2019-03-18 16:36:00 +01:00
2019-01-12 16:53:00 +01:00
matrix_coturn_base_path : "{{ matrix_base_data_path }}/coturn"
2020-03-08 00:28:14 +01:00
matrix_coturn_docker_src_files_path : "{{ matrix_coturn_base_path }}/docker-src"
2019-01-12 16:53:00 +01:00
matrix_coturn_config_path : "{{ matrix_coturn_base_path }}/turnserver.conf"
2019-01-16 17:05:48 +01:00
# List of systemd services that matrix-coturn.service depends on
2024-06-04 12:14:34 +02:00
matrix_coturn_systemd_required_services_list : "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
2019-01-16 17:05:48 +01:00
2019-03-19 08:16:30 +01:00
# A list of additional "volumes" to mount in the container.
# This list gets populated dynamically at runtime. You can provide a different default value,
# if you wish to mount your own files into the container.
2023-02-15 05:03:55 +01:00
# Contains definition objects like this: `{"type": "bind", "src": "/outside", "dst": "/inside", "options": "readonly"}.
# See the `--mount` documentation for the `docker run` command.
2019-03-19 08:16:30 +01:00
matrix_coturn_container_additional_volumes : [ ]
2019-04-30 16:35:18 +02:00
# A list of extra arguments to pass to the container
matrix_coturn_container_extra_arguments : [ ]
2019-12-20 11:21:43 +01:00
# Controls whether the Coturn container exposes its plain STUN port (tcp/3478 and udp/3478 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.
2024-01-15 10:16:08 +01:00
matrix_coturn_container_stun_plain_host_bind_port : "{{ '3478' if matrix_coturn_container_network != 'host' else '' }}"
2019-12-20 11:21:43 +01:00
# Controls whether the Coturn container exposes its TLS STUN port (tcp/5349 and udp/5349 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.
2024-01-15 10:16:08 +01:00
matrix_coturn_container_stun_tls_host_bind_port : "{{ '5349' if matrix_coturn_container_network != 'host' else '' }}"
2019-12-20 11:21:43 +01:00
# Controls whether the Coturn container exposes its TURN UDP port range and which interface to do it on.
#
# Takes an interface "<ip address>" (e.g. "127.0.0.1"), or empty string to listen on all interfaces.
2023-01-26 16:16:20 +01:00
# Takes a null/none value (`~`) or 'none' (as a string) to prevent listening.
2019-12-20 11:21:43 +01:00
#
# The UDP port-range itself is specified using `matrix_coturn_turn_udp_min_port` and `matrix_coturn_turn_udp_max_port`.
2024-01-15 10:16:08 +01:00
matrix_coturn_container_turn_range_listen_interface : "{{ '' if matrix_coturn_container_network != 'host' else 'none' }}"
2019-01-12 16:53:00 +01:00
# UDP port-range to use for TURN
matrix_coturn_turn_udp_min_port : 49152
matrix_coturn_turn_udp_max_port : 49172
2024-02-18 08:52:00 +01:00
# Controls which authentication method to enable.
#
# lt-cred-mech likely provides better compatibility,
# as described here: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3191
# but those claims are unverified.
#
# For now, we still default to `auth-secret` like we've always done.
#
# Known values: auth-secret, lt-cred-mech
matrix_coturn_authentication_method : auth-secret
# A shared secret used for authentication when `matrix_coturn_authentication_method` is `auth-secret`.
2019-12-20 11:21:43 +01:00
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
matrix_coturn_turn_static_auth_secret : ""
2024-02-18 08:52:00 +01:00
# A username used authentication when `matrix_coturn_authentication_method` is `lt-cred-mech`.
matrix_coturn_lt_cred_mech_username : ""
# A password used authentication when `matrix_coturn_authentication_method` is `lt-cred-mech`.
matrix_coturn_lt_cred_mech_password : ""
2019-03-18 16:04:40 +01:00
# The external IP address of the machine where Coturn is.
2023-10-10 10:10:21 +02:00
# If do not define an IP address here or in `matrix_coturn_turn_external_ip_addresses`, auto-detection via an EchoIP service will be done.
# See `matrix_coturn_turn_external_ip_address_auto_detection_enabled`
2022-04-11 12:50:41 +02:00
matrix_coturn_turn_external_ip_address : ''
2023-10-10 10:10:21 +02:00
matrix_coturn_turn_external_ip_addresses : "{{ [matrix_coturn_turn_external_ip_address] if matrix_coturn_turn_external_ip_address != '' else [] }}"
# Controls whether external IP address auto-detection should be attempted.
# We try to do this if there is no external IP address explicitly configured and if an EchoIP service URL is specified.
# See matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url
matrix_coturn_turn_external_ip_address_auto_detection_enabled : "{{ matrix_coturn_turn_external_ip_addresses | length == 0 and matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url != '' }}"
# Specifies the address of the EchoIP service (https://github.com/mpolden/echoip) to use for detecting the external IP address.
# By default, we use the official public instance.
matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url : https://ifconfig.co/json
# Controls whether SSL certificates will be validated when contacting the EchoIP service (matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url)
matrix_coturn_turn_external_ip_address_auto_detection_echoip_validate_certs : true
matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_count : "{{ devture_playbook_help_geturl_retries_count }}"
matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_delay : "{{ devture_playbook_help_geturl_retries_delay }}"
2019-03-18 16:04:40 +01:00
2019-03-18 12:44:40 +01:00
matrix_coturn_allowed_peer_ips : [ ]
2023-01-26 16:15:44 +01:00
# We block loopback interfaces and private networks by default to prevent private resources from being accessible.
2024-01-15 10:16:08 +01:00
# This is especially important when Coturn does not run within a container network (e.g. `matrix_coturn_container_network: host`).
2023-01-26 16:15:44 +01:00
#
# Learn more: https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/
#
# If you're running Coturn for local network peers, you may wish to override these rules.
matrix_coturn_denied_peer_ips :
- 0.0 .0 .0 -0.255 .255 .255
- 10.0 .0 .0 -10.255 .255 .255
- 100.64 .0 .0 -100.127 .255 .255
- 127.0 .0 .0 -127.255 .255 .255
- 169.254 .0 .0 -169.254 .255 .255
- 172.16 .0 .0 -172.31 .255 .255
- 192.0 .0 .0 -192.0 .0 .255
- 192.0 .2 .0 -192.0 .2 .255
- 192.88 .99 .0 -192.88 .99 .255
- 192.168 .0 .0 -192.168 .255 .255
- 198.18 .0 .0 -198.19 .255 .255
- 198.51 .100 .0 -198.51 .100 .255
- 203.0 .113 .0 -203.0 .113 .255
- 240.0 .0 .0 -255.255 .255 .255
- : : 1
- 64 : ff9b::-64:ff9b::ffff:ffff
- : : ffff:0.0.0.0-::ffff:255.255.255.255
- 100 : : -100 : : ffff:ffff:ffff:ffff
- 2001 : : -2001 : 1ff:ffff:ffff:ffff:ffff:ffff:ffff
- 2002 : : -2002 : ffff:ffff:ffff:ffff:ffff:ffff:ffff
- fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
- fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
2019-03-18 12:58:52 +01:00
matrix_coturn_user_quota : null
matrix_coturn_total_quota : null
2019-03-19 09:24:39 +01:00
2023-01-26 16:08:05 +01:00
# Controls whether `no-tcp-relay` is added to the configuration
2023-03-22 07:04:25 +01:00
# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L419-L422
2023-01-26 16:08:05 +01:00
matrix_coturn_no_tcp_relay_enabled : true
2023-01-26 16:04:04 +01:00
# Controls whether `no-multicast-peers` is added to the configuration
2023-03-22 07:04:25 +01:00
# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L629-L632
2023-01-26 16:04:04 +01:00
matrix_coturn_no_multicast_peers_enabled : true
2023-03-22 07:04:25 +01:00
# Controls whether `no-rfc5780` is added to the configuration
# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L770-L781
matrix_coturn_no_rfc5780_enabled : true
# Controls whether `no-stun-backward-compatibility` is added to the configuration
# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L783-L789
matrix_coturn_no_stun_backward_compatibility_enabled : true
# Controls whether `response-origin-only-with-rfc5780` is added to the configuration
# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L791-L796
matrix_coturn_response_origin_only_with_rfc5780_enabled : true
2023-01-26 16:07:36 +01:00
# Additional configuration to be passed to turnserver.conf
# Example:
# matrix_coturn_additional_configuration: |
# simple-log
# aux-server=1.2.3.4
# relay-ip=4.3.2.1
matrix_coturn_additional_configuration : ''
2019-03-19 09:24:39 +01:00
# To enable TLS, you need to provide paths to certificates.
# Paths defined in `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path` are in-container paths.
# Files on the host can be mounted into the container using `matrix_coturn_container_additional_volumes`.
matrix_coturn_tls_enabled : false
matrix_coturn_tls_cert_path : ~
matrix_coturn_tls_key_path : ~
2021-04-16 08:29:32 +02:00
matrix_coturn_tls_v1_enabled : false
matrix_coturn_tls_v1_1_enabled : false