move to eturnal

Signed-off-by: Zoey <zoey@z0ey.de>
2025-01-01 11:32:27 +08:00 · 2023-06-24 17:54:12 +02:00 · 2023-06-24 17:54:12 +02:00 · aeae72f5ba
commit aeae72f5ba
parent 7fb3e4c4fa
3 changed files with 53 additions and 52 deletions
--- a/Containers/talk/Dockerfile
+++ b/Containers/talk/Dockerfile
@ -1,4 +1,5 @@
 FROM nats:2.9.21-scratch as nats
+FROM eturnal/eturnal:1.11.1 AS eturnal
 FROM strukturag/nextcloud-spreed-signaling:1.1.3 as signaling
 FROM alpine:3.18.3 as janus

@ -32,8 +33,15 @@ RUN set -ex; \
    make configs; \
    rename -v ".jcfg.sample" ".jcfg" /usr/local/etc/janus/*.jcfg.sample

-FROM coturn/coturn:4.6.2-alpine3.18
-USER root
+FROM alpine:3.18.2
+
+COPY --from=janus     /usr/local                          /usr/local
+COPY --from=eturnal   /opt/eturnal                        /opt/eturnal
+COPY --from=nats      /nats-server                        /usr/local/bin/nats-server
+COPY --from=signaling /usr/bin/nextcloud-spreed-signaling /usr/local/bin/nextcloud-spreed-signaling
+
+COPY --chmod=775 start.sh /start.sh
+COPY --chmod=664 supervisord.conf /supervisord.conf

 RUN set -ex; \
    apk add --no-cache \
@ -57,7 +65,7 @@ RUN set -ex; \
        libwebsockets \
        \
        shadow; \
-    useradd --system talk; \
+    useradd --system eturnal; \
    apk del --no-cache \
        shadow; \
    \
@ -74,32 +82,22 @@ RUN set -ex; \
        /var/log/supervisord \
        /var/run/supervisord \
        /usr/local/lib/janus/loggers; \
-    chown talk:talk -R \
+    chown eturnal:eturnal -R \
        /usr \
+        /opt/eturnal \
        /etc/nats.conf \
-        /var/lib/turn \
        /var/log/supervisord \
        /var/run/supervisord; \
    chmod 777 -R \
        /tmp \
        /conf \
+        /opt/eturnal \
        /var/run/supervisord \
-        /var/lib/turn \
        /var/log/supervisord;

-COPY --from=janus /usr/local /usr/local
-COPY --from=nats /nats-server /usr/local/bin/nats-server
-COPY --from=signaling /usr/bin/nextcloud-spreed-signaling /usr/local/bin/nextcloud-spreed-signaling
-
-COPY --chmod=775 start.sh /start.sh
-COPY --chmod=664 supervisord.conf /supervisord.conf
-
-# Set default talk port https://github.com/nextcloud/all-in-one/issues/1011
-ENV TALK_PORT=3478
-
-USER talk
+USER eturnal
 ENTRYPOINT ["/start.sh"]
 CMD ["supervisord", "-c", "/supervisord.conf"]

-HEALTHCHECK CMD (nc -z localhost 8081 && nc -z localhost 8188 && nc -z localhost 4222 && nc -z localhost "$TALK_PORT" && nc -z "$NC_DOMAIN" "$TALK_PORT") || exit 1
+HEALTHCHECK CMD (nc -z localhost 8081 && nc -z localhost 8188 && nc -z localhost 4222 && nc -z localhost "$TALK_PORT" && nc -z "$NC_DOMAIN" "$TALK_PORT" && eturnalctl status) || exit 1
 LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/talk/start.sh
+++ b/Containers/talk/start.sh
@ -4,6 +4,9 @@
 if [ -z "$NC_DOMAIN" ]; then
    echo "You need to provide the NC_DOMAIN."
    exit 1
+elif [ -z "$TALK_PORT" ]; then
+    echo "You need to provide the TALK_PORT."
+    exit 1
 elif [ -z "$TURN_SECRET" ]; then
    echo "You need to provide the TURN_SECRET."
    exit 1
@ -16,43 +19,43 @@ elif [ -z "$INTERNAL_SECRET" ]; then
 fi

 set -x
-IPv4_ADDRESS_TALK="$(dig nextcloud-aio-talk A +short)"
+IPv4_ADDRESS_TALK="$(dig nextcloud-aio-talk A +short | grep -E "^[0-9.]+$" | sort | head -n1)"
+IPv6_ADDRESS_TALK="$(dig nextcloud-aio-talk AAAA +short | grep -E "^[0-9a-f:]+$" | sort | head -n1)"
+
+IPv4_ADDRESS_NC="$(dig "$NC_DOMAIN" A +short +https +tls-ca=/etc/ssl/certs/ca-certificates.crt @1.1.1.1 | grep "^[0-9.]\+$" | sort | head -n1)"
+IPv6_ADDRESS_NC="$(dig "$NC_DOMAIN" AAAA +short +https +tls-ca=/etc/ssl/certs/ca-certificates.crt @1.1.1.1 | grep "^[0-9a-f:]\+$" | sort | head -n1)"
+#if [ -z "$IPv4_ADDRESS_NC" ] && [ -z "$IPv6_ADDRESS_NC" ]; then
+#    export STUN_SERVICE="stun.nextcloud.com 443"
+#fi
 set +x

 # Turn
-cat << TURN_CONF > "/conf/turnserver.conf"
-listening-port=$TALK_PORT
-fingerprint
-use-auth-secret
-static-auth-secret=$TURN_SECRET
-realm=$NC_DOMAIN
-total-quota=0
-bps-capacity=0
-stale-nonce
-no-multicast-peers
-simple-log
-pidfile=/var/tmp/turnserver.pid
-no-tls
-no-dtls
-userdb=/var/lib/turn/turndb
-# Based on https://nextcloud-talk.readthedocs.io/en/latest/TURN/#turn-server-and-internal-networks
-allowed-peer-ip=$IPv4_ADDRESS_TALK
-denied-peer-ip=0.0.0.0-0.255.255.255
-denied-peer-ip=10.0.0.0-10.255.255.255
-denied-peer-ip=100.64.0.0-100.127.255.255
-denied-peer-ip=127.0.0.0-127.255.255.255
-denied-peer-ip=169.254.0.0-169.254.255.255
-denied-peer-ip=172.16.0.0-172.31.255.255
-denied-peer-ip=192.0.0.0-192.0.0.255
-denied-peer-ip=192.0.2.0-192.0.2.255
-denied-peer-ip=192.88.99.0-192.88.99.255
-denied-peer-ip=192.168.0.0-192.168.255.255
-denied-peer-ip=198.18.0.0-198.19.255.255
-denied-peer-ip=198.51.100.0-198.51.100.255
-denied-peer-ip=203.0.113.0-203.0.113.255
-denied-peer-ip=240.0.0.0-255.255.255.255
+cat << TURN_CONF > "/opt/eturnal/etc/eturnal.yml"
+eturnal:
+  listen:
+    - ip: "::"
+      port: $TALK_PORT
+      transport: udp
+    - ip: "::"
+      port: $TALK_PORT
+      transport: tcp
+  log_dir: stdout
+  log_level: warning
+  secret: "$TURN_SECRET"
+  relay_ipv4_addr: "$IPv4_ADDRESS_NC"
+  relay_ipv6_addr: "$IPv6_ADDRESS_NC"
+  blacklist:
+  - recommended
+  whitelist:
+  - 127.0.0.1
+  - ::1
+  - "$IPv4_ADDRESS_TALK"
+  - "$IPv6_ADDRESS_TALK"
 TURN_CONF

+# Remove empty lines so that the config is not invalid
+sed -i '/""/d' /opt/eturnal/etc/eturnal.yml
+
 # Signling
 cat << SIGNALING_CONF > "/conf/signaling.conf"
 [http]
--- a/Containers/talk/supervisord.conf
+++ b/Containers/talk/supervisord.conf
@ -7,12 +7,12 @@ logfile_maxbytes=50MB
 logfile_backups=10                              
 loglevel=error

-[program:turnserver]
+[program:eturnal]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=turnserver -c /conf/turnserver.conf
+command=eturnalctl foreground

 [program:nats-server]
 stdout_logfile=/dev/stdout