coturn: Enable and startup on health-checks

2023-10-29 14:05:16 +00:00 · 2023-10-29 14:05:16 +00:00 · 36e1e3039e
parent fcf9175060
commit 36e1e3039e
7 changed files with 23 additions and 1 deletions
--- a/host/base/spec.bu
+++ b/host/base/spec.bu
@ -18,3 +18,5 @@ systemd:
  units:
    - name: coreos-home-server-update.timer
      enabled: true
+    - name: podman-auto-update.timer
+      enabled: true
--- a/host/virtual/spec.bu
+++ b/host/virtual/spec.bu
@ -51,6 +51,8 @@ systemd:
      mask: true
    - name: coreos-home-server-update.timer
      mask: true
+    - name: podman-auto-update.timer
+      mask: true

    # Enable default web services.
    - name: container-build@static.localhost.service
--- a/service/coturn/Containerfile
+++ b/service/coturn/Containerfile
@ -6,6 +6,7 @@ RUN apt-get update -y && apt-get upgrade -y && \

 COPY container/config /etc/coturn
 COPY container/run-coturn /run-coturn
+COPY container/run-healthcheck /run-healthcheck

 # STUN/TURN ports.
 EXPOSE 3478 3478/udp 5349 5349/udp
--- a/service/coturn/container/config/turnserver.conf.template
+++ b/service/coturn/container/config/turnserver.conf.template
@ -628,6 +628,7 @@ denied-peer-ip=240.0.0.0-255.255.255.255
 # Examples:
 # denied-peer-ip=83.166.64.0-83.166.95.255
 # allowed-peer-ip=83.166.68.45
+allowed-peer-ip=${COTURN_EXTERNAL_IP}

 # File name to store the pid of the process.
 # Default is /var/run/turnserver.pid (if superuser account is used) or
--- a/service/coturn/container/run-coturn
+++ b/service/coturn/container/run-coturn
@ -1,4 +1,5 @@
 #!/bin/sh
+set -eu

 # Prepare configuration files for environment variable substitution.
 ENV_NAMES="$(env | awk -F= '{printf "$%s ", $1}')"
--- a/service/coturn/container/run-healthcheck
+++ b/service/coturn/container/run-healthcheck
@ -0,0 +1,13 @@
+#!/bin/sh
+set -eu
+
+external_ip="$1"
+auth_secret="$2"
+auth_expiry=86400
+
+username="$(( $(date +%s) + $auth_expiry ))"
+password="$(echo -n $username | openssl dgst -binary -sha1 -hmac "$auth_secret" | openssl base64)"
+
+if ! turnutils_uclient -T "$external_ip" -u "$username" -w "$password" 2>&1 > /dev/null; then
+    exit 1
+fi
--- a/service/coturn/quadlet/coturn.container
+++ b/service/coturn/quadlet/coturn.container
@ -4,8 +4,10 @@ Wants=container-build@%N.service container-volume@%N.service
 After=container-build@%N.service container-volume@%N.service

 [Container]
+AutoUpdate=local
 ContainerName=%N
 EnvironmentFile=%E/coreos-home-server/%N/%N.env
+HealthCmd=/run-healthcheck $COTURN_EXTERNAL_IP $COTURN_AUTH_SECRET
 Image=localhost/%N:latest
 PublishPort=3478:3478
 PublishPort=3478:3478/udp
@ -15,7 +17,7 @@ PublishPort=5349:5349
 PublishPort=5349:5349/udp
 PublishPort=5350:5350
 PublishPort=5350:5350/udp
-PodmanArgs=--publish ${COTURN_RELAY_PORT_MIN}-${COTURN_RELAY_PORT_MAX}:${COTURN_RELAY_PORT_MIN}-${COTURN_RELAY_PORT_MAX}/udp
+PodmanArgs=--publish ${COTURN_RELAY_PORT_MIN}-${COTURN_RELAY_PORT_MAX}:${COTURN_RELAY_PORT_MIN}-${COTURN_RELAY_PORT_MAX}/udp --sdnotify=healthy
 Volume=%N:/var/lib/%N:z
 Volume=letsencrypt:/etc/ssl/private:z,ro