Merge 8da1bf2a26 into 72dd9ae25c

conf/coturn-pairdrop.service

@@ -0,0 +1,27 @@
+[Unit]
+Description=Coturn STUN/TURN Server for __APP__
+Documentation=man:coturn(1) man:turnadmin(1) man:turnserver(1)
+After=syslog.target network.target
+
+[Service]
+User=turnserver
+Group=turnserver
+Type=forking
+EnvironmentFile=/etc/default/coturn-__APP__
+PIDFile=/run/coturn-__APP__/turnserver.pid
+RuntimeDirectory=coturn-__APP__
+RuntimeDirectoryMode=0755
+ExecStart=/usr/bin/turnserver -o -c /etc/__APP__/coturn.conf $EXTRA_OPTIONS
+ExecStopPost=/bin/rm -f /run/coturn-__APP__/turnserver.pid
+Restart=on-abort
+
+LimitCORE=infinity
+LimitNOFILE=999999
+LimitNPROC=60000
+LimitRTPRIO=infinity
+LimitRTTIME=7000000
+CPUSchedulingPolicy=other
+UMask=0007
+
+[Install]
+WantedBy=multi-user.target

conf/coturn/default_coturn

@@ -0,0 +1,5 @@
+#
+# Uncomment it if you want to have the turnserver running as 
+# an automatic system service daemon
+#
+TURNSERVER_ENABLED=1

conf/coturn/turnserver.conf

@@ -0,0 +1,33 @@
+# TURN server name and realm
+realm=__DOMAIN__
+
+# Enable long-term credential mechanism
+lt-cred-mech
+
+# Specify the user for the TURN authentification
+user=__APP__:__TURNSERVER_PWD__
+
+# Main listening port
+listening-port=__PORT_TURNSERVER__
+
+# Further ports that are open for communication
+min-port=49152
+max-port=65535
+
+# SSL certificates
+cert=/etc/yunohost/certs/__DOMAIN__/crt.pem
+pkey=/etc/yunohost/certs/__DOMAIN__/key.pem
+dh-file=/etc/ssl/private/dh2048.pem
+
+# Log file path
+log-file=/var/log/__APP__/turnserver.log
+pidfile=/run/coturn-__APP__/turnserver.pid
+simple-log
+
+no-sslv2
+no-sslv3
+no-tlsv1
+no-tlsv1_1
+no-loopback-peers
+no-multicast-peers
+no-cli

conf/rtc_config.json

@@ -2,7 +2,9 @@
   "sdpSemantics": "unified-plan",
   "iceServers": [
     {
-      "urls": "stun:stun.l.google.com:19302"
+      "urls": "turn:__DOMAIN__:__PORT_TURNSERVER__",
+      "username": "__APP__",
+      "credential": "__TURNSERVER_PWD__"
     }
   ]
-}
+}

manifest.toml

@@ -57,3 +57,8 @@ ram.runtime = "50M"
     main.url = "/"
 
     [resources.ports]
+    turnserver.default = 1194
+    turnserver.exposed = "Both"
+
+    [resources.apt]
+    packages = "coturn"

scripts/backup

@@ -20,6 +20,7 @@ ynh_print_info --message="Declaring files to be backed up..."
 #=================================================
 
 ynh_backup --src_path="$install_dir"
+ynh_backup --src_path="/etc/$app"
 
 #=================================================
 # BACKUP THE NGINX CONFIGURATION
@@ -27,11 +28,21 @@ ynh_backup --src_path="$install_dir"
 
 ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 
+#=================================================
+# BACKUP LOGROTATE
+#=================================================
+
+ynh_backup --src_path="/var/log/$app"
+
+ynh_backup --src_path="/etc/logrotate.d/$app"
+
 #=================================================
 # BACKUP SYSTEMD
 #=================================================
 
 ynh_backup --src_path="/etc/systemd/system/$app.service"
+ynh_backup --src_path="/etc/default/coturn-$app"
+ynh_backup --src_path="/etc/systemd/system/coturn-$app.service"
 
 #=================================================
 # END OF SCRIPT

scripts/install

@@ -29,6 +29,15 @@ ynh_setup_source --dest_dir="$install_dir"
 
 chown -R $app:www-data "$install_dir"
 
+#=================================================
+# CREATE DEDICATED USER
+#=================================================
+ynh_script_progression --message="Configuring system user..." --weight=3
+
+# Create a system user
+ynh_system_user_create --username=turnserver
+adduser turnserver ssl-cert
+
 #=================================================
 # SYSTEM CONFIGURATION
 #=================================================
@@ -40,7 +49,58 @@ ynh_add_nginx_config
 # Create a dedicated systemd config
 ynh_add_systemd_config
 
+mkdir -p /etc/$app
+# Create systemd service for turnserver
+cp ../conf/coturn/default_coturn /etc/default/coturn-$app
+ynh_add_systemd_config --service=coturn-$app --template=coturn-pairdrop.service
+
 yunohost service add $app --description="Local file sharing in your browser" --log="/var/log/$app/$app.log"
+yunohost service add coturn-$app --description="Coturn TURN server" --log="/var/log/$app/turnserver.log" --needs_exposed_ports $port_turnserver
+
+#=================================================
+# SETUP LOGROTATE
+#=================================================
+ynh_script_progression --message="Configuring log rotation..." --weight=1
+
+# Create log directory
+mkdir -p /var/log/$app
+touch /var/log/$app/$app.log
+chown $app -R /var/log/$app
+
+# Setup logrotate
+ynh_use_logrotate --logfile "/var/log/$app"
+
+#=================================================
+# SET COTURN CONFIG
+#=================================================
+ynh_script_progression --message="Configuring Coturn..." --weight=1
+
+# Find password for turnserver
+turnserver_pwd=$(ynh_string_random --length=30)
+ynh_app_setting_set --app=$app --key=turnserver_pwd --value=$turnserver_pwd
+
+coturn_config_path="/etc/$app/coturn.conf"
+
+ynh_add_config --template="../conf/coturn/turnserver.conf" --destination="$coturn_config_path"
+
+# Get public IP and set as external IP for coturn
+# note: '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
+public_ip4="$(curl -s ip.yunohost.org)" || true
+public_ip6="$(curl -s ipv6.yunohost.org)" || true
+
+if ( [[ -n "$public_ip4" ]] && ynh_validate_ip4 --ip_address="$public_ip4" || [[ -n "$public_ip6" ]] && ynh_validate_ip6 --ip_address="$public_ip6" )
+then
+    echo "external-ip=${public_ip4}/${public_ip6}" >> "$coturn_config_path"
+fi
+
+ynh_store_file_checksum --file="$coturn_config_path"
+
+# Set permissions to app files
+chown -R $app:root /etc/$app
+chown turnserver:root /etc/$app/coturn.conf
+chmod -R u=rwX,g=rX,o= /etc/$app
+setfacl -R -m user:turnserver:rX  /etc/$app
+setfacl -R -m user:turnserver:rwX  /var/log/$app
 
 #=================================================
 # BUILD YARN DEPENDENCIES
@@ -73,6 +133,7 @@ ynh_script_progression --message="Starting a systemd service..." --weight=1
 
 # Start a systemd service
 ynh_systemd_action --service_name=$app --action="start" --log_path="systemd"
+ynh_systemd_action --service_name=coturn-$app.service --action=restart --log_path="/var/log/$app/turnserver.log"
 
 #=================================================
 # END OF SCRIPT

scripts/remove

@@ -25,13 +25,27 @@ then
 	yunohost service remove $app
 fi
 
+if ynh_exec_warn_less yunohost service status coturn-$app >/dev/null
+then
+	ynh_script_progression --message="Removing coturn-$app service integration..." --weight=1
+	yunohost service remove coturn-$app
+fi
+
+# Remove the app-specific logrotate config
+ynh_remove_logrotate
+
 ynh_remove_systemd_config
+ynh_remove_systemd_config --service=coturn-$app
 
 ynh_remove_nginx_config
 
 # Remove NodeJS
 ynh_remove_nodejs
 
+ynh_secure_remove --file=/etc/default/coturn-$app
+
+ynh_system_user_delete --username=turnserver
+
 #=================================================
 # END OF SCRIPT
 #=================================================

scripts/restore

@@ -34,12 +34,38 @@ chown -R $app:www-data "$install_dir"
 #=================================================
 ynh_script_progression --message="Restoring system configurations related to $app..." --weight=1
 
+ynh_system_user_create --username=turnserver
+adduser turnserver ssl-cert
+
+ynh_restore_file --origin_path="/etc/$app"
+
+ynh_restore_file --origin_path="/var/log/$app"
+
 ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 
 ynh_restore_file --origin_path="/etc/systemd/system/$app.service"
 systemctl enable $app.service --quiet
 
+ynh_restore_file --origin_path="/etc/default/coturn-$app"
+ynh_restore_file --origin_path="/etc/systemd/system/coturn-$app.service"
+systemctl enable coturn-$app.service --quiet
+
+ynh_restore_file --origin_path="/etc/logrotate.d/$app"
+
 yunohost service add $app --description="Local file sharing in your browser" --log="/var/log/$app/$app.log"
+yunohost service add coturn-$app --description="Coturn TURN server" --log="/var/log/$app/turnserver.log" --needs_exposed_ports $port_turnserver
+
+#=================================================
+# RESTORE USER RIGHTS
+#=================================================
+ynh_script_progression --message="Restoring permissions..." --weight=1
+
+chown -R $app:root /var/log/$app
+chown -R $app:root /etc/$app
+chown turnserver:root /etc/$app/coturn.conf
+chmod -R u=rwX,g=rX,o= /etc/$app
+setfacl -R -m user:turnserver:rX  /etc/$app
+setfacl -R -m user:turnserver:rwX  /var/log/$app
 
 #=================================================
 # GENERIC FINALIZATION

scripts/upgrade

@@ -34,6 +34,61 @@ fi
 
 chown -R $app:www-data "$install_dir"
 
+#=================================================
+# MULTINSTANCE SUPPORT
+#=================================================
+
+if [ ! -e /etc/$app/coturn.conf ]
+then
+    ynh_script_progression --message="Creating an independant service for Coturn..." --weight=1
+
+    #=================================================
+    # CREATE AN INDEPENDANT SERVICE FOR COTURN
+    #=================================================
+
+    # Disable default config for turnserver and create a new service
+    systemctl stop coturn.service
+
+    # Set by default the system config for coturn
+    echo "" > /etc/turnserver.conf
+    ynh_replace_string --match_string="TURNSERVER_ENABLED=1" --replace_string="TURNSERVER_ENABLED=0" --target_file=/etc/default/coturn
+
+    #=================================================
+    # MAKE A CLEAN LOGROTATE CONFIG
+    #=================================================
+
+    ynh_use_logrotate --logfile /var/log/$app --nonappend
+fi
+
+#=================================================
+# UPDATE COTURN CONFIG
+#=================================================
+ynh_script_progression --message="Updating Coturn config..." --weight=1
+
+ynh_add_config --template="../conf/coturn/turnserver.conf" --destination="/etc/$app/coturn.conf"
+
+# Get public IP and set as external IP for coturn
+# note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
+public_ip4="$(curl -s ip.yunohost.org)" || true
+public_ip6="$(curl -s ipv6.yunohost.org)" || true
+
+if ( [[ -n "$public_ip4" ]] && ynh_validate_ip4 --ip_address="$public_ip4" || [[ -n "$public_ip6" ]] && ynh_validate_ip6 --ip_address="$public_ip6" )
+then
+    echo "external-ip=${public_ip4}/${public_ip6}" >> "/etc/$app/coturn.conf"
+fi
+
+ynh_store_file_checksum --file="/etc/$app/coturn.conf"
+
+ynh_system_user_create --username=turnserver
+adduser turnserver ssl-cert
+
+# Set permissions on app files
+chown -R $app:root /etc/$app
+chown turnserver:root "/etc/$app/coturn.conf"
+chmod -R u=rwX,g=rX,o= /etc/$app
+setfacl -R -m user:turnserver:rX  /etc/$app
+setfacl -R -m user:turnserver:rwX  /var/log/$app
+
 #=================================================
 # UPGRADE DEPENDENCIES
 #=================================================
@@ -52,6 +107,7 @@ ynh_add_nginx_config
 ynh_add_systemd_config
 
 yunohost service add $app --description="Local file sharing in your browser" --log="/var/log/$app/$app.log"
+yunohost service add coturn-$app --description="Coturn TURN server" --log="/var/log/$app/turnserver.log" --needs_exposed_ports $port_turnserver
 
 #=================================================
 # BUILD YARN DEPENDENCIES
@@ -81,6 +137,7 @@ popd
 ynh_script_progression --message="Starting a systemd service..." --weight=1
 
 ynh_systemd_action --service_name=$app --action="start" --log_path="systemd"
+ynh_systemd_action --service_name=coturn-$app.service --action=restart --log_path="/var/log/$app/turnserver.log"
 
 #=================================================
 # END OF SCRIPT