srizan/archived-vdo.ninja
1
0
Fork 0
mirror of https://github.com/SrIzan10/vdo.ninja.git synced 2026-05-01 11:05:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

fine turning turnserver install script

Browse Source
This commit is contained in:
steveseguin
2025-01-12 19:20:02 -05:00
parent c1c4a0def1
commit 6f06a8a8e8
3 changed files with 55 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

80
turnserver_install.sh.sample
View File

@@ -5,14 +5,23 @@ if [ "$EUID" -ne 0 ]; then
exit 1
fi
configure_ssl() {
setup_permissions() {
local DOMAIN=$1
# Generate DH params first
if [ ! -f /etc/turnserver/dhparam.pem ]; then
mkdir -p /etc/turnserver
openssl dhparam -out /etc/turnserver/dhparam.pem 2066
fi
# Create secure directory for coturn certs
mkdir -p /etc/coturn/certs
# Copy certificates with proper permissions
cp /etc/letsencrypt/live/${DOMAIN}/fullchain.pem /etc/coturn/certs/
cp /etc/letsencrypt/live/${DOMAIN}/privkey.pem /etc/coturn/certs/
# Set proper ownership and permissions
chown -R turnserver:turnserver /etc/coturn/certs
chmod 600 /etc/coturn/certs/*.pem
}
configure_ssl() {
local DOMAIN=$1
# Check if port 80 is in use
if netstat -tuln | grep ':80 '; then
@@ -52,28 +61,22 @@ configure_ssl() {
# Update turnserver.conf with SSL settings
cat >> /etc/turnserver.conf << EOL
# SSL Configuration
cert=/etc/letsencrypt/live/${DOMAIN}/fullchain.pem
pkey=/etc/letsencrypt/live/${DOMAIN}/privkey.pem
dh-file=/etc/turnserver/dhparam.pem
# Cipher Suite
cipher-list="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
cert=/etc/coturn/certs/fullchain.pem
pkey=/etc/coturn/certs/privkey.pem
tls-listening-port=443
EOL
# Set proper permissions
chown -R turnserver:turnserver /etc/turnserver
chmod 700 /etc/turnserver
chmod 600 /etc/turnserver/dhparam.pem
# Setup permissions after getting certificates
setup_permissions "$DOMAIN"
# Also ensure proper permissions for SSL certs
chown -R turnserver:turnserver /etc/letsencrypt/live/${DOMAIN}/
chmod -R 700 /etc/letsencrypt/live/${DOMAIN}/
# Create renewal hook
# Update the renewal hook to copy new certs
mkdir -p /etc/letsencrypt/renewal-hooks/deploy
cat > /etc/letsencrypt/renewal-hooks/deploy/coturn-reload << EOL
#!/bin/bash
cp /etc/letsencrypt/live/${DOMAIN}/fullchain.pem /etc/coturn/certs/
cp /etc/letsencrypt/live/${DOMAIN}/privkey.pem /etc/coturn/certs/
chown turnserver:turnserver /etc/coturn/certs/*.pem
chmod 600 /etc/coturn/certs/*.pem
systemctl --signal=SIGUSR2 kill coturn
EOL
chmod +x /etc/letsencrypt/renewal-hooks/deploy/coturn-reload
@@ -89,7 +92,7 @@ install_coturn() {
# Install required packages
apt-get update
apt-get install coturn curl dnsutils openssl -y
apt-get install coturn curl dnsutils -y
# Configure system limits
echo "fs.file-max = 65535" >> /etc/sysctl.conf
@@ -101,30 +104,33 @@ install_coturn() {
# Generate base turnserver configuration
cat > /etc/turnserver.conf << EOL
# Listening Ports
listening-port=3478
alt-listening-port=3479
tls-listening-port=443
# Authentication
alt-listening-port=0
fingerprint
lt-cred-mech
user=${USERNAME}:${PASSWORD}
stale-nonce=600
# Server Configuration
realm=${DOMAIN}
server-name=${DOMAIN}
min-port=49152
max-port=65535
# Security
user=${USERNAME}:${PASSWORD}
stale-nonce=600
realm=${DOMAIN}
server-name=${DOMAIN}
no-multicast-peers
no-stdout-log
EOL
# Set proper permissions for binding to privileged ports
setcap cap_net_bind_service=+ep /usr/bin/turnserver
# Configure journald log limits
mkdir -p /etc/systemd/journald.conf.d/
cat > /etc/systemd/journald.conf.d/coturn.conf << EOL
[Journal]
SystemMaxUse=50M
RuntimeMaxUse=50M
EOL
# Restart journald to apply changes
systemctl restart systemd-journald
# Start services
systemctl daemon-reload
@@ -176,7 +182,7 @@ echo "Installation complete!"
echo "----------------------------------------"
echo "Domain: $DOMAIN"
echo "Username: $USERNAME"
echo "STUN/TURN ports: 3478 (default), 3479 (alt)"
echo "STUN/TURN ports: 3478 (default)"
if [ "${ENABLE_SSL,,}" = "y" ]; then
echo "TLS enabled on port 443"
echo "SSL certificates will automatically renew via certbot"