mirror of
https://github.com/freedombox/FreedomBox.git
synced 2026-01-21 07:55:00 +00:00
78d78d84a7
Fixes: #2069. Without a listening port, coturn will try to enumerate the non-local IP addresses and try to listen on them. If coturn is started before network is fully setup, it finds no usable IP addresses and fails. Furthermore, if IPs are added to the system, it does not automatically listen on them. A better approach as advised by systemd NetworkTarget documentation is to listen on a wildcard address. This does not require network to be online and works well for IP addresses being added/removed from the system. coturn is itself unable to make changes to its default listening behavior for backward compatibility. Tests: - Freshly install coturn. Observe that listening-ip is properly set in the configuration file. coturn is listening on 3478, 3479, 5349, 5350. coturn is listening on ::1 and * addresses instead of individual IP addresses. - Install coturn without the patch. Apply the patch and restart FreedomBox. coturn setup will run. listening-ips get added to the configuration file. The static-auth-secret is not changed from earlier. coturn will be restarted. coturn is listening on 3478, 3479, 5349, 5350. coturn is listening on ::1 and * addresses instead of individual IP addresses. - Install coturn without the patch. Disable coturn. Apply the patch and restart FreedomBox. coturn setup will run. coturn will not be enabled. coturn will be running after setup. - Functional tests pass. - All ports able to connect using netcat (nc command) with IPv4 (-4 option) and IPv6 (-6 option). Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org> Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
122 lines
3.4 KiB
Python
Executable File
122 lines
3.4 KiB
Python
Executable File
#!/usr/bin/python3
|
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
"""
|
|
Configuration helper for Coturn daemon.
|
|
"""
|
|
|
|
import argparse
|
|
import json
|
|
import pathlib
|
|
import random
|
|
import shutil
|
|
import string
|
|
|
|
import augeas
|
|
|
|
from plinth import action_utils
|
|
|
|
CONFIG_FILE = pathlib.Path('/etc/coturn/freedombox.conf')
|
|
|
|
|
|
def parse_arguments():
|
|
"""Return parsed command line arguments as dictionary."""
|
|
parser = argparse.ArgumentParser()
|
|
subparsers = parser.add_subparsers(dest='subcommand', help='Sub command')
|
|
|
|
subparsers.add_parser('setup', help='Setup Coturn server')
|
|
subparsers.add_parser('get-config',
|
|
help='Return the current configuration')
|
|
subparser = subparsers.add_parser('set-domain', help='Set the TLS domain')
|
|
subparser.add_argument('domain_name', help='TLS domain name to set')
|
|
|
|
subparsers.required = True
|
|
return parser.parse_args()
|
|
|
|
|
|
def _key_path(key):
|
|
"""Return the augeas path for a key."""
|
|
return '/files' + str(CONFIG_FILE) + '/' + key
|
|
|
|
|
|
def subcommand_setup(_):
|
|
"""Setup Coturn server."""
|
|
CONFIG_FILE.parent.mkdir(exist_ok=True)
|
|
if not CONFIG_FILE.exists():
|
|
CONFIG_FILE.touch(0o640)
|
|
shutil.chown(CONFIG_FILE, group='turnserver')
|
|
|
|
action_utils.service_daemon_reload()
|
|
|
|
aug = augeas_load()
|
|
|
|
# XXX: Should we set external-ip
|
|
aug.set(_key_path('min-port'), '49152')
|
|
aug.set(_key_path('max-port'), '50175')
|
|
aug.set(_key_path('use-auth-secret'), 'true')
|
|
if not aug.get(_key_path('static-auth-secret')):
|
|
secret = ''.join(
|
|
random.choice(string.ascii_letters + string.digits)
|
|
for _ in range(64))
|
|
aug.set(_key_path('static-auth-secret'), secret)
|
|
|
|
aug.set(_key_path('cert'), '/etc/coturn/certs/cert.pem')
|
|
aug.set(_key_path('pkey'), '/etc/coturn/certs/pkey.pem')
|
|
aug.set(_key_path('no-tlsv1'), 'true')
|
|
aug.set(_key_path('no-tlsv1_1'), 'true')
|
|
aug.set(_key_path('no-cli'), 'true')
|
|
aug.set(_key_path('listening-ip[1]'), '::')
|
|
# Keep ::1 because at least two IP addresses of same class are needed for
|
|
# enabling alternate port (port + 1). This is in turn needed for NAT
|
|
# Behavior Discovery (RFC 5780).
|
|
aug.set(_key_path('listening-ip[2]'), '::1')
|
|
|
|
aug.save()
|
|
|
|
action_utils.service_try_restart('coturn')
|
|
|
|
|
|
def subcommand_get_config(_):
|
|
"""Return the current configuration in JSON format."""
|
|
aug = augeas_load()
|
|
config = {
|
|
'static_auth_secret': aug.get(_key_path('static-auth-secret')),
|
|
'realm': aug.get(_key_path('realm')),
|
|
}
|
|
print(json.dumps(config))
|
|
|
|
|
|
def subcommand_set_domain(arguments):
|
|
"""Set the TLS domain.
|
|
|
|
This value is usually not stored. So, set realm value even though it is not
|
|
needed to set realm for REST API based authentication.
|
|
|
|
"""
|
|
aug = augeas_load()
|
|
aug.set(_key_path('realm'), arguments.domain_name)
|
|
aug.save()
|
|
|
|
|
|
def augeas_load():
|
|
"""Initialize Augeas."""
|
|
aug = augeas.Augeas(flags=augeas.Augeas.NO_LOAD +
|
|
augeas.Augeas.NO_MODL_AUTOLOAD)
|
|
aug.set('/augeas/load/Simplevars/lens', 'Simplevars.lns')
|
|
aug.set('/augeas/load/Simplevars/incl[last() + 1]', str(CONFIG_FILE))
|
|
aug.load()
|
|
|
|
return aug
|
|
|
|
|
|
def main():
|
|
"""Parse arguments and perform all duties."""
|
|
arguments = parse_arguments()
|
|
|
|
subcommand = arguments.subcommand.replace('-', '_')
|
|
subcommand_method = globals()['subcommand_' + subcommand]
|
|
subcommand_method(arguments)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
main()
|