mirror of
https://github.com/spantaleev/matrix-docker-ansible-deploy.git
synced 2024-12-24 01:48:29 +01:00
Isolate Coturn from services in the default Docker network
Most (all?) of our Matrix services are running in the `matrix` network, so they were safe -- not accessible from Coturn to begin with. Isolating Coturn into its own network is a security improvement for people who were starting other services in the default Docker network. Those services were potentially reachable over the private Docker network from Coturn. Discussed in #120 (Github Pull Request)
This commit is contained in:
parent
c6858d2a08
commit
24cf27c60c
@ -90,6 +90,7 @@ matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registrati
|
||||
######################################################################
|
||||
|
||||
matrix_coturn_enabled: true
|
||||
|
||||
matrix_coturn_turn_external_ip_address: "{{ ansible_host }}"
|
||||
|
||||
######################################################################
|
||||
|
@ -2,6 +2,15 @@ matrix_coturn_enabled: true
|
||||
|
||||
matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.1"
|
||||
|
||||
# The Docker network that Coturn would be put into.
|
||||
#
|
||||
# Because Coturn relays traffic to unvalidated IP addresses,
|
||||
# using a dedicated network, isolated from other Docker (and local) services is preferrable.
|
||||
#
|
||||
# Setting up deny/allow rules with `matrix_coturn_allowed_peer_ips`/`matrix_coturn_denied_peer_ips` is also
|
||||
# possible for achieving such isolation, but is more complicated due to the dynamic nature of Docker networking.
|
||||
matrix_coturn_docker_network: "matrix-coturn"
|
||||
|
||||
matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn"
|
||||
matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf"
|
||||
|
||||
|
@ -25,6 +25,22 @@
|
||||
mode: 0644
|
||||
when: matrix_coturn_enabled
|
||||
|
||||
# `docker_network` doesn't work as expected when the given network
|
||||
# is a substring of a network that already exists.
|
||||
#
|
||||
# See our other comments in `roles/matrix-base/tasks/setup_matrix_base.yml`
|
||||
- name: Check existence of Coturn network in Docker
|
||||
shell:
|
||||
cmd: "docker network ls -q --filter='name=^{{ matrix_coturn_docker_network }}$'"
|
||||
register: matrix_coturn_result_docker_network
|
||||
changed_when: false
|
||||
when: matrix_coturn_enabled
|
||||
|
||||
- name: Create Coturn network in Docker
|
||||
shell:
|
||||
cmd: "docker network create --driver=bridge {{ matrix_coturn_docker_network }}"
|
||||
when: "matrix_coturn_enabled and matrix_coturn_result_docker_network.stdout == ''"
|
||||
|
||||
- name: Ensure matrix-coturn.service installed
|
||||
template:
|
||||
src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2"
|
||||
|
@ -15,6 +15,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-coturn \
|
||||
--cap-drop=ALL \
|
||||
--read-only \
|
||||
--tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \
|
||||
--network={{ matrix_coturn_docker_network }} \
|
||||
-p 3478:3478 \
|
||||
-p 3478:3478/udp \
|
||||
-p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \
|
||||
|
Loading…
Reference in New Issue
Block a user