From 7910336c5d75d6b3ee99be424c58a66ed7d29355 Mon Sep 17 00:00:00 2001
From: kitoy
Date: Tue, 31 Oct 2023 02:11:43 +0100
Subject: [PATCH] add coturn service
---
Turnservice.yml | 20 ++++++
make_template.yml | 13 ++++
roles/common/tasks/main.yml | 2 +-
roles/coturn/files/certbot-cron | 4 ++
roles/coturn/files/turnserver.conf | 17 +++++
roles/coturn/tasks/main.yml | 107 +++++++++++++++++++++++++++++
roles/dnsdist/files/cetbot-cron | 5 ++
roles/dnsdist/tasks/main.yml | 11 ++-
roles/dnsdist/tasks/main.yml~ | 88 ++++++++++++++++++++++++
9 files changed, 265 insertions(+), 2 deletions(-)
create mode 100644 Turnservice.yml
create mode 100644 make_template.yml
create mode 100644 roles/coturn/files/certbot-cron
create mode 100644 roles/coturn/files/turnserver.conf
create mode 100644 roles/coturn/tasks/main.yml
create mode 100644 roles/dnsdist/files/cetbot-cron
create mode 100644 roles/dnsdist/tasks/main.yml~
diff --git a/Turnservice.yml b/Turnservice.yml
new file mode 100644
index 0000000..4ee9a20
--- /dev/null
+++ b/Turnservice.yml
@@ -0,0 +1,20 @@
+
+---
+- hosts: iloth
+ roles:
+ - common
+ - ssl-cert
+ - coturn
+ # déclarations des variables globales
+ vars:
+ ip_listen: 89.234.152.134
+ ip_public: 89.234.152.134
+ turnserver_port: 13780
+ passphrase: ILOTH # Va être afficher publiquement donc osef
+ cthostname: turn
+ domain: turn.iloth.net
+ create_user: False
+ installCertbot: True
+ email: contact@iloth.net # pour la certification avec certbot
+ mode: standalone # nginx or standalone
+ alt_domains: "" # -d sub.domain.told
diff --git a/make_template.yml b/make_template.yml
new file mode 100644
index 0000000..5247c49
--- /dev/null
+++ b/make_template.yml
@@ -0,0 +1,13 @@
+
+---
+- hosts: iloth
+ roles:
+ - common
+ # déclarations des variables globales
+ vars:
+ cthostname: tpl
+ domain: tpl.iloth.net
+ create_user: False
+ installCertbot: True
+ mode: standalone # nginx or standalone
+ alt_domains: "" # -d sub.domain.told
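Review bot: `create_user: False` and `installCertbot: True` in `vars:` are Python-style capitalised booleans that the tasks then compare with `== True` / `== False`; Ansible tolerates this, but the idiomatic form is `create_user: false` / `installCertbot: true` with `when: installCertbot | bool` on the consuming tasks (the same applies to make_template.yml in this commit). `passphrase: ILOTH` looks like dead configuration: the turnserver.conf added in this commit has no `__PASSPHRASE__` placeholder and its `use-auth-secret` / `static-auth-secret` lines are commented out, so nothing visible consumes the value, and the comment saying it will be shown publicly deserves a second look once the value is actually wired into the TURN credentials. The host-specific IPs and contact e-mail in a play-level `vars:` tie this playbook to one host; moving them to inventory `host_vars` would keep the play reusable.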
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 0a3d52f..df8bbf2 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -9,7 +9,7 @@ - name: Reload sshd service service: - name: sshd + name: ssh state: reloaded
diff --git a/roles/coturn/files/certbot-cron b/roles/coturn/files/certbot-cron
new file mode 100644
index 0000000..c05c153
--- /dev/null
+++ b/roles/coturn/files/certbot-cron
@@ -0,0 +1,4 @@
+SHELL=/bin/sh
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --no-random-sleep-on-renew; setfacl -R -m u:turnserver:rx /etc/letsencrypt/; systemctl restart coturn;
diff --git a/roles/coturn/files/turnserver.conf b/roles/coturn/files/turnserver.conf
new file mode 100644
index 0000000..d829dee
--- /dev/null
+++ b/roles/coturn/files/turnserver.conf
@@ -0,0 +1,17 @@
+tls-listening-port=__PORT__
+listening-ip=__IP_CONTAINER__
+relay-ip=__IP_CONTAINER__
+external-ip=__IP_EXT__
+server-name=__HOSTNAME__
+lt-cred-mech
+realm=__HOSTNAME__
+#use-auth-secret
+#static-auth-secret=""
+cert=__SSL_CRT__
+pkey=__SSL_KEY__
+no-stdout-log
+cipher-list="EECDH+AESGCM:EDH+AESGCM"
+ec-curve-name=secp384r1
+dh2066
+no-tlsv1
+no-tlsv1_1
diff --git a/roles/coturn/tasks/main.yml b/roles/coturn/tasks/main.yml
new file mode 100644
index 0000000..ba78b0a
--- /dev/null
+++ b/roles/coturn/tasks/main.yml
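Review bot: On the cron line, `setfacl -R -m u:turnserver:rx /etc/letsencrypt/` and `systemctl restart coturn` are joined to the renew command with `;`, so they run every 12 hours regardless of whether `certbot renew` did anything or even succeeded, which restarts coturn and drops active relay sessions twice a day for no reason. Tying both to an actual renewal with `certbot -q renew --no-random-sleep-on-renew --deploy-hook /usr/local/sbin/coturn-cert-hook` (constructed placeholder path; the hook script holds the setfacl and restart) keeps the service up between renewals. The recursive ACL on `/etc/letsencrypt/` also gives the turnserver user read access to every certificate and private key on the host; scoping it to `/etc/letsencrypt/live/<domain>` and `/etc/letsencrypt/archive/<domain>` for the turn domain only is the least-privilege form. The same pattern is in roles/dnsdist/files/cetbot-cron in this commit.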
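Review bot: `lt-cred-mech` is enabled but the file defines no credential source — `use-auth-secret` and `static-auth-secret` are commented out, there is no `user=` entry, and there is no `__PASSPHRASE__` placeholder for the role's replace task to fill — so as far as this file shows, clients have no credentials that the server would accept, and the `passphrase` variable the playbook defines never lands here. If the shared secret is meant to be that variable, `use-auth-secret` plus `static-auth-secret=__PASSPHRASE__` would let the existing replace task populate it. The relay also carries no peer restrictions; `no-multicast-peers` together with `denied-peer-ip=` ranges for loopback and the private address blocks is the standard way to keep a public TURN relay from being used to reach the host's own network, and `no-cli` disables the local admin CLI that coturn otherwise listens on.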
@@ -0,0 +1,107 @@
+- name: Install CoTurn
+ apt:
+ name:
+ - coturn
+ - acl
+ state: present
+
+- name: Allow Turnserver connexions
+ ufw:
+ rule: allow
+ port: "{{ turnserver_port }}"
+ proto: any
+
+- name: Copy Configuration file for coturn
+ ansible.builtin.copy:
+ src: turnserver.conf
+ dest: /etc/turnserver.conf
+ owner: root
+ group: root
+ mode: '0644'
+
+
+- name: Add port to listen on turnserver.conf
+ ansible.builtin.replace:
+ path: /etc/turnserver.conf
+ regexp: '__PORT__'
+ replace: '{{ turnserver_port }}'
+
+- name: Add hostname on turnserver.conf
+ ansible.builtin.replace:
+ path: /etc/turnserver.conf
+ regexp: '__HOSTNAME__'
+ replace: '{{ domain }}'
+
+- name: Add IP to listen on turnserver.conf
+ ansible.builtin.replace:
+ path: /etc/turnserver.conf
+ regexp: '__IP_CONTAINER__'
+ replace: '{{ ip_listen }}'
+
+- name: Add IP public on turnserver.conf
+ ansible.builtin.replace:
+ path: /etc/turnserver.conf
+ regexp: '__IP_EXT__'
+ replace: '{{ ip_public }}'
+
+- name: Add port to listen on turnserver.conf
+ ansible.builtin.replace:
+ path: /etc/turnserver.conf
+ regexp: '__PASSPHRASE__'
+ replace: '{{ passphrase }}'
+
+
+
+- name: Add SSL keys to turnserver.conf
+ ansible.builtin.replace:
+ path: /etc/turnserver.conf
+ regexp: '__SSL_CRT__'
+ replace: '/etc/ssl/{{ domain}}.crt'
+ when: installCertbot == False
+
+- name: Add SSL keys to turnserver.conf
+ ansible.builtin.replace:
+ path: /etc/turnserver.conf
+ regexp: '__SSL_KEY__'
+ replace: '/etc/ssl/{{ domain}}.key'
+ when: installCertbot == False
+
+- name: permission to ssl cert
+ shell: |
+ setfacl -R -m u:turnserver:rx /etc/ssl/"{{ domain }}".key
+ setfacl -R -m u:turnserver:rx /etc/ssl/"{{ domain }}".crt
+ when: installCertbot == False
+
+- name: Add SSL keys to turnserver.conf
+ ansible.builtin.replace:
+ path: /etc/turnserver.conf
+ regexp: '__SSL_CRT__'
+ replace: '/etc/letsencrypt/live/{{ domain }}/fullchain.pem'
+ when: installCertbot == True
+
+- name: Add SSL keys to turnserver.conf
+ ansible.builtin.replace:
+ path: /etc/turnserver.conf
+ regexp: '__SSL_KEY__'
+ replace: '/etc/letsencrypt/live/{{ domain }}/privkey.pem'
+ when: installCertbot == True
+
+- name: Set permission letsencrypt SSL keys
+ shell: setfacl -R -m u:turnserver:rx /etc/letsencrypt/
+ when: installCertbot == True
+
+- name: Start coturn service
+ shell: "systemctl start coturn"
+
+- name: Enable systemd service
+ shell: "systemctl enable coturn"
+
+- name: Copy Configuration file for coturn
+ ansible.builtin.copy:
+ src: certbot-cron
+ dest: /etc/cron.d/certbot
+ owner: root
+ group: root
+ mode: '0644'
+ when: installCertbot == True
+
\ No newline at end of file
diff --git a/roles/dnsdist/files/cetbot-cron b/roles/dnsdist/files/cetbot-cron
new file mode 100644
index 0000000..fd8e72b
--- /dev/null
+++ b/roles/dnsdist/files/cetbot-cron
@@ -0,0 +1,5 @@
+
+SHELL=/bin/sh
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew; setfacl -R -m u:_dnsdist:rx /etc/letsencrypt/; systemctl restart dnsdist;
diff --git a/roles/dnsdist/tasks/main.yml b/roles/dnsdist/tasks/main.yml
index 4026db2..f2932f7 100644
--- a/roles/dnsdist/tasks/main.yml
+++ b/roles/dnsdist/tasks/main.yml
@@ -85,4 +85,13 @@ - name: Enable systemd service
- shell: "systemctl enable dnsdist"
\ No newline at end of file
+ shell: "systemctl enable dnsdist"
+
+- name: Copy cron certbot service
+ ansible.builtin.copy:
+ src: certbot-cron
+ dest: /etc/cron.d/certbot
+ owner: root
+ group: root
+ mode: '0644'
+ when: installCertbot == True
diff --git a/roles/dnsdist/tasks/main.yml~ b/roles/dnsdist/tasks/main.yml~
new file mode 100644
index 0000000..4026db2
--- /dev/null
+++ b/roles/dnsdist/tasks/main.yml~
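Review bot: The fifth replace task (the second one named `Add port to listen on turnserver.conf`) targets `__PASSPHRASE__`, a placeholder the turnserver.conf shipped in this commit does not contain, so it is a silent no-op and the `passphrase` variable never reaches the config; either add the placeholder to the template or drop the task, and give it a distinct name (the `Add SSL keys to turnserver.conf` name is reused four times as well, which makes `--list-tasks` and failure output ambiguous). `shell: "systemctl start coturn"` / `shell: "systemctl enable coturn"` report changed on every run and never restart coturn after the replace tasks rewrite its config; the `ansible.builtin.systemd` task below replaces both idempotently, and the replace tasks could `notify` a restart handler. `when: installCertbot == True` works but `when: installCertbot | bool` is the idiomatic form, and `setfacl -R -m u:turnserver:rx /etc/letsencrypt/` grants the service user read access to every key under that tree rather than only `live/{{ domain }}` and `archive/{{ domain }}`.
```yaml
# … unchanged: install, ufw, copy and replace tasks …
- name: Start and enable coturn service
  ansible.builtin.systemd:
    name: coturn
    state: started
    enabled: true
# … unchanged: certbot cron copy …
```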
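Review bot: The new task copies `src: certbot-cron`, but the file this commit adds for the role is `roles/dnsdist/files/cetbot-cron`, so `ansible.builtin.copy` will fail with a missing-source error whenever `installCertbot` is true; rename the file to `roles/dnsdist/files/certbot-cron` or point `src:` at the existing name. The destination `/etc/cron.d/certbot` is also the path the coturn role in this commit writes, so a host that runs both roles keeps whichever file was copied last; a role-specific name such as `/etc/cron.d/certbot-dnsdist` avoids the clash. The command line mirrors what appears to be Debian's stock `/etc/cron.d/certbot`, which this copy would overwrite — probably intended, but worth a comment on the task.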
@@ -0,0 +1,88 @@
+---
+- name: Install dnsdist
+ apt:
+ name:
+ - dnsdist
+ - acl
+ state: present
+
+- name: Allow DoT connexions
+ ufw:
+ rule: allow
+ port: 853
+ proto: tcp
+
+- name: Allow DoH connexions
+ ufw:
+ rule: allow
+ port: 443
+ proto: tcp
+
+- name: Allow DNS connexions
+ ufw:
+ rule: allow
+ port: 53
+ proto: any
+
+- name: Copy Configuration file for DNSdist
+ ansible.builtin.copy:
+ src: dnsdist.conf
+ dest: /etc/dnsdist/dnsdist.conf
+ owner: root
+ group: root
+ mode: '0644'
+
+
+- name: Add SSL keys to dnsdist.conf
+ ansible.builtin.replace:
+ path: /etc/dnsdist/dnsdist.conf
+ regexp: '__SSL_CRT__'
+ replace: '/etc/ssl/{{ domain}}.crt'
+ when: installCertbot == False
+
+- name: Add SSL keys to dnsdist.conf
+ ansible.builtin.replace:
+ path: /etc/dnsdist/dnsdist.conf
+ regexp: '__SSL_KEY__'
+ replace: '/etc/ssl/{{ domain}}.key'
+ when: installCertbot == False
+
+- name: permission to ssl cert
+ shell: |
+ setfacl -R -m u:_dnsdist:rx /etc/ssl/"{{ domain }}".key
+ setfacl -R -m u:_dnsdist:rx /etc/ssl/"{{ domain }}".crt
+ when: installCertbot == False
+
+
+
+- name: Add SSL keys to dnsdist.conf
+ ansible.builtin.replace:
+ path: /etc/dnsdist/dnsdist.conf
+ regexp: '__SSL_CRT__'
+ replace: '/etc/letsencrypt/live/{{ domain}}/fullchain.pem'
+ when: installCertbot == True
+
+- name: Add SSL keys to dnsdist.conf
+ ansible.builtin.replace:
+ path: /etc/dnsdist/dnsdist.conf
+ regexp: '__SSL_KEY__'
+ replace: '/etc/letsencrypt/live/{{ domain}}/privkey.pem'
+ when: installCertbot == True
+
+- name: Set permission letsencrypt SSL keys
+ shell: setfacl -R -m u:_dnsdist:rx /etc/letsencrypt/
+ when: installCertbot == True
+
+
+- name: Disable and stop systemd-resolved
+ shell: |
+ systemctl disable systemd-resolved
+ systemctl stop systemd-resolved || echo "systemd-resolved is already stopped"
+
+- name: Start dnsdist service
+ shell: "systemctl start dnsdist"
+
+
+
+- name: Enable systemd service
+ shell: "systemctl enable dnsdist"
\ No newline at end of file
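Review bot: `roles/dnsdist/tasks/main.yml~` is an editor backup of the pre-change tasks file — its blob id `4026db2` is the old side of the roles/dnsdist/tasks/main.yml diff in this same commit — and should not be committed; drop it from the commit and add `*~` to `.gitignore` so it cannot come back. Ansible only loads `main.yml`, so the copy is inert, but it duplicates 88 lines that will silently drift from the real file.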