update talk setup and ufw rules

update osuv target
update coturn dns
--- a/+ 4
+++ b/+ 4
@ -20,4 +20,7 @@ localhost: ## install localhost as workstation
 	ansible-galaxy collection install markuman.hetzner_dns
 	touch defaults.yml
 	sudo ls
 	ansible-playbook -i inventories/localhost.ini main.yml --tags workstation --extra-vars '{"CONFIG": {"USER": "$$(whoami)"}}'
 	ansible-playbook -i inventories/localhost.ini main.yml --tags workstation --extra-vars '{"CONFIG": {"USER": "$$(whoami)"}}'

 osuv: ## rollout osuv.de
 	ansible-playbook -i inventories/inventory.ini main.yml --tags osuvde
--- a/dns_records.yml
+++ b/dns_records.yml
@ -106,8 +106,13 @@ RECORDS:
    zone_id: jbKFKm7sUEf8DEj4HgHram
  - name: "coturn"
    type: A
    value: 78.47.44.230
    ttl: 300
    value: 78.47.76.92
    ttl: 60
    zone_id: jbKFKm7sUEf8DEj4HgHram
  - name: coturn
    type: AAAA
    value: 2a01:4f8:c2c:5a49::1
    ttl: 60
    zone_id: jbKFKm7sUEf8DEj4HgHram
  - name: "mail"
    type: A
--- a/roles/containers/tasks/coturn.yml
+++ b/roles/containers/tasks/coturn.yml
@ -10,6 +10,27 @@
  notify:
    - reload systemd

 - name: coturn config
  copy:
    dest: /mnt/data/coturn/turnserver.conf
    content: |
      listening-port=3478
      external-ip=78.47.76.92
      external-ip=2a01:4f8:c2c:5a49::1
      fingerprint
      use-auth-secret
      static-auth-secret={{ CONFIG.COTURN_STATIC_SECRET }}
      realm=coturn.osuv.de
      total-quota=0
      bps-capacity=0
      no-tls
      no-dtls
      stale-nonce
      no-loopback-peers
      no-multicast-peers
      proc-user=turnserver
      proc-group=turnserver

 - name: add coturn script
  copy:
    dest: "/opt/{{ THIS_SERVICE }}"
@ -17,13 +38,8 @@
      #!/bin/bash
      docker run --rm --name {{ THIS_SERVICE }} \
      --detach=false \
      --network osuv \
      -v {{ DOCKER_DATA }}/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/home.osuv.de/home.osuv.de.crt:/cert.pem:ro \
      -v {{ DOCKER_DATA }}/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/home.osuv.de/home.osuv.de.key:/privkey.pem:ro \
      -p 5349:5349/tcp \
      -p 5349:5349/udp \
      -e STATIC_SECRET="{{ CONFIG.COTURN_STATIC_SECRET }}" \
      -e REALM=home.osuv.de \
      --network host \
      -v {{ DOCKER_DATA }}/coturn/turnserver.conf:/etc/turnserver.conf:ro \
      coturn
    mode: +x
  register: myservice
--- a/roles/requirements/tasks/ufw.yml
+++ b/roles/requirements/tasks/ufw.yml
@ -29,6 +29,10 @@
      proto: tcp
    - port: "51820"
      proto: udp
    - port: "3478"
      proto: tcp
    - port: "3478"
      proto: udp

 - name: Allow all access from RFC1918 networks to this host
  community.general.ufw:
--- a/talk.yml
+++ b/talk.yml
@ -79,6 +79,8 @@
        - name: janus key
          command: openssl rand -base64 16
          register: J
          until: '"/" not in J.stdout'
          retries: 10

        - name: set fact
          set_fact:
@ -98,14 +100,21 @@
            port: ssh
            proto: tcp

        - name: allow 80 & 443
          community.general.ufw:
        - name: http, https and coturn tcp
          become: yes
          ufw:
            rule: allow
            port: "{{ item }}"
            proto: tcp
            port: "{{ item.port }}"
            proto: "{{ item.proto }}"
          with_items:
            - "80"
            - "443"
            - port: "80"
              proto: tcp
            - port: "443"
              proto: tcp
            - port: "3478"
              proto: tcp
            - port: "3478"
              proto: udp

        - name: hacker way to start ufw without reboot using ansible ftw
          shell: yes | ufw enable
@ -120,13 +129,16 @@
            deb: "{{ item }}"
            update_cache: yes
          with_items:
            - https://packaging.gitlab.io/janus/focal/pool/main/libs/libsrtp2/libsrtp2-1_2.3.0-4_amd64.deb
            - http://de.archive.ubuntu.com/ubuntu/pool/universe/libs/libsrtp2/libsrtp2-1_2.3.0-4_amd64.deb
            - https://packaging.gitlab.io/janus/focal/pool/main/p/paho.mqtt.c/libpaho-mqtt1.3_1.3.5-1_amd64.deb
            - https://packaging.gitlab.io/janus/focal/pool/main/j/janus/janus_0.10.9-1_amd64.deb
            - https://packaging.gitlab.io/nats-server/pool/main/n/nats-server/nats-server_2.1.9-p3_amd64.deb
            - https://packaging.gitlab.io/nextcloud-spreed-signaling/pool/main/n/nextcloud-spreed-signaling/nextcloud-spreed-signaling_0.2.0-p2_amd64.deb
            - https://github.com/caddyserver/caddy/releases/download/v2.3.0/caddy_2.3.0_linux_amd64.deb

        - name: janus
          apt:
            name: janus
            update_cache: yes

        - name: copy janus config
          copy: 
@ -134,7 +146,7 @@
            content: |
              nat: {
                      stun_server = "78.47.76.92"
                      stun_port = 5349
                      stun_port = 3478
                      nice_debug = false
                      full_trickle = true
                      turn_rest_api_key = "{{ JANUS_TALK_API }}"
Author	SHA1	Message	Date
Markus Bergholz	5b081d95e5	update talk setup and ufw rules	2 months ago
Markus Bergholz	0e6c22801f	update osuv target	2 months ago
Markus Bergholz	7bb33c2772	update coturn dns	2 months ago
Markus Bergholz	2a5836ea45	fix coturn setup	2 months ago