Fix Coturn TURNS configuration and add blog deployment automation

Coturn improvements: - Enable TURNS-only mode (port 5349) for encrypted signaling - Disable unencrypted TURN (port 3478) for better security - Fix certificate permission issues for turnserver user - Remove incompatible config options (no-loopback-peers, lt-cred-mech) - Add automatic private key permission fixing on deploy - Configure firewall rules for TURNS port 5349 WireGuard improvements: - Add server key persistence via vault - Server keys now stored in vault (wireguard_server_private_key/public_key) - Keys persist across server rebuilds - Fallback to key generation if vault keys not defined Blog deployment automation: - Add blog_deploy role for automated deployment user setup - Creates blogdeploy user with SSH key pair - Sets up /var/www/blog directory structure - Configures authorized_keys for GitHub Actions deployment - Provides instructions for adding SSH key to GitHub secrets Configuration updates: - Comment out TURN port 3478 (using TURNS-only) - Add TURNS port 5349 to external ports - Update vault with WireGuard server keys
2025-12-12 18:42:49 +03:00 · 2025-12-12 18:42:49 +03:00 · 4b3e939891
commit 4b3e939891
parent e38a231159
8 changed files with 215 additions and 102 deletions
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -26,9 +26,12 @@ ports:
    ocserv_personal:
      port: 443
      type: udp
-    coturn:
-      port: 3478
-      type: both  # UDP and TCP
+    # coturn:
+    #   port: 3478
+    #   type: both  # UDP and TCP (TURN - disabled, using TURNS only)
+    coturn_tls:
+      port: 5349
+      type: both  # UDP and TCP (TURNS)
    coturn_relay_min:
      port: 49152
      type: udp
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@ -1,86 +1,94 @@
 $ANSIBLE_VAULT;1.1;AES256
-64386439353733366437613030616131643630626636326437336266633036393238383837316130
-3863383230643334666130616432653738306264303539320a633461653933626262616139303636
-65613661353566643733323633346331613738313263616166343739306534353765336430353237
-3064653034373730660a643263376532636639313134393432333833373566333337386564653263
-32633261643231353262383630346232353133643762363538313633666635663561356564653364
-38663630666232326230333731313064626463623939363933336132616536356236613630323331
-38383032333532333263643736653137646261316133393537333365623064363134393630326364
-31386536396362666237643263313933336431396662393832323764313435316532633563303133
-38343463626232663066333334613733633736353432393937373037643732343430653538326630
-37623635353166643761626465346537323034346165626436323764663536643461636338373830
-62346637343739313964313462646533616666616331623131656132333133343134656437636463
-37633839393831386136373933313432316666613135393839346431386666363239336331646632
-62313265343933316231373331306436656239303838666338653532316565303139623333353134
-39366362326362383833386562323538353864636265623237663438343764353537336432633339
-33356538373530646465343563376237326664363732653438613562323936653364663631333534
-37306538623566633063376562333037643930316465313432646333626364386565663566613463
-33343162646462346431643930383065306266643534616531343031656239376434613335383661
-37363232373633396466386433333834333334323462313736323265363438646435626137633734
-38353533323932663263623665313130623333613839303938306333343538313435636165373561
-35313164383030633231653030333935393338393364633136353761303665376531656232613163
-63373265303935306563613432613237343533623930323462306361613335386437303537613830
-36383637343961383730363039633037346639613935616537303636373830383364326633313932
-34353839646437663266326132316236613361626463363961616465333139333632356134323763
-39376639316234333962643865333531356435346136663736623038346664363361373865663863
-31316333323366633666373064373439613661653936356536396164346466393230333430626261
-66346136353632613632656533663032366230396533616530366465613139656136626136313663
-39336663623536393132356634336631326537386261613537343331356265623463383136336463
-38363461613731383165313933653230313737633731613262356437633866393433373633333233
-65306432653635646663643163653837373163376234316466646562386336666362633135396662
-61376633663465656365396466303330616435666436626131626665343764346139383230643662
-61376139373733323831666439373565386164623137653234643632623064646261303266633733
-34333031396266636232666334616162646136613737326432313964303530393536336566333439
-38663135306562376636373766373936333836363837623064303965376162656433653134356336
-62613230393537306136373635383234356638303362633739323236613333376532613136363737
-65313662653562393665333363353839656365346539633864313333386264393966613431343535
-38396633346532306664323466613139343639663235316339333132343965393365653030633231
-63366439613335363465613938383666626239323863613065643864633035616333623866343865
-64393038366136643839663364373930616535663761333632376166613739353337376166636136
-63633636396634366261303563643131373630636263336264306466373366653964376161383535
-62303236316162616430613238353465643837366463323132636332653131656539623761343236
-35633665643038396336346334326334326162363336366636326365333339343430306432633638
-37653537636432343066393965343164633438623431386632376538636135666533623438346265
-32626234343863336631336639376139633361313231373732646432303033313166343631653431
-33383137343866653665303263616138376630636530636235336463633938653538383935363963
-37303932353137636235666364623531393563363634313032373861366266396633326661323539
-65666161363064363537326330636339336236353436393761393330376162646638313437396635
-65656530626161326230353531393136356531346465663331356462316566323265313535666230
-63343263623533373464343564373062613832313861613166626632613366613162323832663232
-32666364333937343730303666643132363732626637633562633763343631343037633732323066
-62646132643261353965643365343638393061643936373864363330623332353035326364623663
-36666238663962646239343763366132643361646535646138653638353237346163656465386265
-39366433386434623335393931336331636163653161643839613566303131666265616566653630
-62643431636361613464373432666465623966333932396636363637383833343133353462363839
-35623865646538643464336262386135336539386637623466326665633137333162633765626334
-34346165373830656438313132366261383332626430356131316165396233306365343735663335
-31623832316130313837666431623930636366646631663334626637626365316130316231653134
-37346335326163306335366133346234386634376538386134363134623532663462663566616432
-65353630333337353464343536633161333635626363613136333064313731306431636133346163
-30643835656262353837356164616238616265363135353763616436373265653731306637663131
-62666666343730333134393731313636363238353962633131393533326563343234643938663431
-62363134333765316663633435353233616631626532363632336237653163323739646561313663
-33646432323030636165613130303036353038306135323231613639313635313931336532333836
-31633037313065643131336161376530656435643035613533363631323335626632386331336439
-33623337663765356633623165333135636331656230633831383462656665653936656462313961
-62386463376661343366653032316163626637316665366131643834356435623930616233383562
-33623761333466343233353666623631376334653834616130366230646164653465326331323030
-34366462383139323736313661633330306166373564333332653832363535386332383632383933
-65303762303631646634663661383365636130336163376236663764633265633633353836336431
-61653564396562656263623233306663616665626336333333376536613462633830313836336638
-30303964653966613832373539383539363038326563343736353139656536633761383230376263
-30666539633730386361366533396637333764306366353134323936623664653239393664313162
-64313233613065643232393232363032303335386534363864313733336638373231383362653662
-66336262356634666231643832623466626634616236363534663764333530326137653861363662
-38633837353630623661373338646633653133363438303666363830363830353238623662353337
-33393431366365616132643637613137643833623961363831366131616236383830393934303837
-37316562653132613261383336363434626465613132356535336463393238643866336566383837
-33666432636230313763663061343736353432343334623263353466353864356230616664396165
-30356230643466333062336665643930393631346630656237626561333963653932623332316331
-66343965333535376635653161316130313234666434383965623263346538386261393132356366
-34316431633034356166376164363039333533613234353166653038623863313930663663663430
-31386138353933643262613031336562306239313432666261306130613630346566636433633962
-36626139363631636635653339383534623463303266643335356338333562323061343939646633
-66393436323463636532343735363861633937366530613965623731653731323931333265663838
-38353261643636343866346562366136623563616437333863616362646139616637633664666633
-66316437343234313833623239343834313564636231643337343662663435346236
+37616639646365353962383166383464383166646361353664313839663032616630346234333236
+3063356338666530323863303964623164313134656165390a623466376562333634626234613137
+66663163643131343264353834346131633330346333313635666262343031363138653465643561
+3538363732316239660a376139346633326332353639333661623233303534306434643763356263
+34356265323663353231336133323931663436376264663130386330333535303965613062373636
+39643433316534333236313538316337343734316330343466363562666130643536396362333764
+35383532653637633339386164646464343031613035363037666336393139653765386561613536
+33643931383565356261356632633161386632653330326330386266303034343631633735306562
+38396634326231636531303239363261306239313230666131356430316136343136643633373933
+61663738393636326630663963343232323635313963333337383764343765386364326631353433
+61313464373238616361396262633164646230313530663364396266623633366565653939623262
+62323130663663373035636136666235346433663665653134353830643261393235623163393765
+33663834633434326663633439383639343733326437396561306438613036333264383236313366
+30356264396362353564366333343330333333333865366661623136393734326236616137353036
+61326237363335396538656264653132306235656164336132643031663735366663663961626535
+30333439306239626638616632653938323239373062366231366362306462386635333865353761
+32656339616632306365386436316137613364316462366137343166313064386434653463616237
+37313730323361323833326365333563393833386264343162383336303039333865643763656530
+37616565366135353332313362346362336334323636343132623135613266386161653839623366
+62636435396639663561306534653135383835306663303136393832366339303131386338613632
+32373565323732616138343338623236613635336364343361623334613339383830343061633261
+33303761633331323763616161303931613136343935616464383938333034613534663839326166
+62666566643230663966353765633664353364393664326438666637363966363936346335393931
+34623636666664386330343766653064623336623539623637323237666665653230303865633230
+35313234626339313033333366313639666534663762323334376231353162646432306434636266
+33373461346364333265353737623635306536326138646231626664366134393437363232653431
+36623332346537643738616130663562623564393732336538376531326265656164646166333765
+35626438636137386563333962623132626266366166643532396633633733323435353739613937
+36376366306339313864343638646636363862653834633464373764333766623931373035643164
+36363362343334313264626562393138626534323034343464323235343562386461326435613662
+61353036353131653034393861373138303864623435623931386133383934316433393732666338
+64663039376331643130353039353562376537313538663164343862353362643939643261326162
+35363730613165336265643561623539636530353037353838653938663962313665323233376237
+32356132366264633861343934353062653062623836666335386634626439633138663865343733
+33646238306238363332633238653136306333353634333831386337363238393062376231336231
+62326265623461343835303334343132366334623361343136306133343832343862636665343335
+38393130623137653035363630393432656132616434353431373736346662313166336565646236
+39616230363861643464386331323134353362643761633538326432623430373034396231303932
+30633438343337396432646364326566333539646533323066363266633261393237643833326435
+65316337316333363865306530666363333637386435323731663632646665333862336334313838
+30393362626463333537663834336265323031663433303164306435303930616631333466666631
+30383435396462323337613338393431623966333638393737373764363062343336353261396134
+38646261356465626361626363393133393165663139363536666132666130356563643432356433
+66373834336637363564613631353962343562326363303334346463643166613539373138303732
+38366533656337306630393061636130376231393135396334323365653162393438366234663236
+65643061376432646537653034626239393737363637393566313839356561353039393336313432
+36623264643234636164613832396237386434376561396634653461663235363936313764663262
+38336337663931366561323432613237306563323536616163656264376164656666646231666130
+63333636656135343338633563653864366136636631373734306531623930343263356134303830
+30653262656236366233353164623037363738616633363263373931393230326465366664666434
+31343132646339306364306430616261306165646661643965323431346339326439356332303038
+39376561623732656261363230663132393834373065623139333731373666623836303131653331
+33646334326161333161636463333734623338393939616432393864663861653237373561376531
+66646433323965663366323630353862386165333366363434323636613363666566343138646637
+66353939623362653835636561626666393535326633613136393736623632346635343261633633
+31303435633330393332633463633937333835306434323939376334396162636333653361663238
+38343634366265656535386334663266646466643831393735666339653062356636313939633833
+38636131376261613639363161613033633661373636323830343965373938393833613234643031
+36303337326639623431303334313864366265663032386339636136346439616534343266313663
+36333236303039373362376534373239623363336335383037633133616436393336613936366233
+31653138386261616332633565373935353666393263663265386266316364353335626437323530
+31346237653765326666616637363863303764633734656634363134663036653739656631313530
+63613765663037323239623734633632376339633430373933303437383765373334643638356561
+64316636663438353364623062643166613939356636386632303336663563343930613638333331
+35343639373437323034633234343430653765663830646164373563393233653438646464623365
+32346237363766666431323861396538656130333335366539646539313661623233656634353033
+30663962373533383030623663636232383766386338333130363536396439393065316635306436
+30326232353635363464343366623366383536316562623330363463323334313463323733623737
+30653938343630353033623934336566306337326334346637313235623236336331343739663762
+38663239336638623763613161646164303863313634646664643761363864326262386137356130
+34333965343134326166623363376134366661636637366336333461373330626366633637363337
+30363235623435303737363865663431343435366139343163353331373161613362333934653539
+33626565393738653364323632663339653732313261393339353864353365303138343065613931
+33356465303864386466663136623436623461656162653666333837623061656266323034316439
+38646565393733383766396263396234623531313962393333366136363066346132343066346266
+38653137323831393132383635346333343933613962396365303364623238376466376134666164
+66646435313935333162303964656362333832353934333363323233363938643866303365623663
+65356639633362656535653565616530636666343565366339303032666339666133373435386134
+39323134633433326437633138663438623336666564666634333330646339643939336162386265
+65346430393933336434666435303964643264366639323566313638663162306232396239373361
+66623539336232323236313965653364353263363831303965333462306538363938393939333236
+32396333323434613061613063633936653732643561633766643832303033396166613136313462
+39643739623666663464373663386630633730313963623537636562366132343135376538326332
+38653336353835656537626663373039323432363863396332303733366335663865326162633137
+31663462643765363230373563303762313139366437333536663663373330656337663436376466
+33303730323933396131323764613036386462356666396233613039336531663632663735306561
+31616531396663396536613039623439336635396336303831333561313230323437396162346132
+63323139383637653666346565633633333664306637656164653931646239333662373664356638
+38366364313832346439373762316335353961666534323134356164326365356437386131643535
+61646161333664646232613936323635653737396461323864316138353535366130393532336262
+33306230343930633836623964623131663130306437366339666666653139663064663361346531
+65333034663439373436646435353832326165383165626261353063393866373134316532363634
+3936
--- a/roles/blog_deploy/tasks/main.yml
+++ b/roles/blog_deploy/tasks/main.yml
@ -0,0 +1,82 @@
+---
+- name: Create blogdeploy user
+  user:
+    name: blogdeploy
+    shell: /bin/bash
+    create_home: yes
+    state: present
+
+- name: Create blog directory
+  file:
+    path: /var/www/blog
+    state: directory
+    owner: blogdeploy
+    group: blogdeploy
+    mode: '0755'
+
+- name: Create .ssh directory for blogdeploy
+  file:
+    path: /home/blogdeploy/.ssh
+    state: directory
+    owner: blogdeploy
+    group: blogdeploy
+    mode: '0700'
+
+- name: Check if SSH key exists
+  stat:
+    path: /home/blogdeploy/.ssh/deploy_key
+  register: deploy_key_stat
+
+- name: Generate SSH key pair for blog deployment
+  command: ssh-keygen -t ed25519 -f /home/blogdeploy/.ssh/deploy_key -N ""
+  args:
+    creates: /home/blogdeploy/.ssh/deploy_key
+  when: not deploy_key_stat.stat.exists
+
+- name: Set ownership on SSH keys
+  file:
+    path: "{{ item }}"
+    owner: blogdeploy
+    group: blogdeploy
+    mode: '0600'
+  loop:
+    - /home/blogdeploy/.ssh/deploy_key
+    - /home/blogdeploy/.ssh/deploy_key.pub
+
+- name: Read public key from remote server
+  slurp:
+    src: /home/blogdeploy/.ssh/deploy_key.pub
+  register: blog_deploy_public_key
+
+- name: Add public key to authorized_keys
+  authorized_key:
+    user: blogdeploy
+    key: "{{ blog_deploy_public_key.content | b64decode }}"
+    state: present
+
+- name: Display instructions for GitHub secrets setup
+  debug:
+    msg: |
+
+      ========================================
+      BLOG DEPLOYMENT SSH KEY GENERATED
+      ========================================
+
+      SSH key pair created at: /home/blogdeploy/.ssh/deploy_key
+
+      To add the private key to GitHub Secrets:
+
+      1. SSH to your server and read the private key:
+         ssh your-vps
+         sudo cat /home/blogdeploy/.ssh/deploy_key
+
+      2. Copy the entire output (including BEGIN/END lines)
+
+      3. Go to GitHub → Your repo → Settings → Secrets and variables → Actions
+         Create new secret:
+         Name: SSH_PRIVATE_KEY
+         Value: [paste the private key]
+
+      ========================================
+
+  when: not deploy_key_stat.stat.exists
--- a/roles/coturn/defaults/main.yml
+++ b/roles/coturn/defaults/main.yml
@ -1,4 +1,4 @@
-coturn_listening_port: "{{ ports.external.coturn.port }}"
+# coturn_listening_port: "{{ ports.external.coturn.port }}"  # Disabled - using TURNS only
 coturn_relay_min_port: "{{ ports.external.coturn_relay_min.port }}"
 coturn_relay_max_port: "{{ ports.external.coturn_relay_max.port }}"
 coturn_realm: "{{ domains.coturn }}"
--- a/roles/coturn/tasks/main.yml
+++ b/roles/coturn/tasks/main.yml
@ -54,6 +54,13 @@
    mode: '0755'
    state: directory

+- name: Fix private key permissions for coturn
+  shell: |
+    find /etc/letsencrypt/archive/{{ coturn_realm }}/ -name 'privkey*.pem' -exec chgrp ssl-cert {} \; -exec chmod 640 {} \;
+  args:
+    warn: false
+  changed_when: false
+
 - name: Enable and start coturn service
  systemd:
    name: coturn
--- a/roles/coturn/templates/turnserver.conf.j2
+++ b/roles/coturn/templates/turnserver.conf.j2
@ -1,8 +1,8 @@
 # Coturn TURN/STUN server configuration for Nextcloud Talk
 # {{ ansible_managed }}

-# Listening port for STUN/TURN
-listening-port={{ coturn_listening_port }}
+# Listening port for STUN/TURN (disabled - using TURNS only)
+# listening-port=3478

 # Listening IP (0.0.0.0 for all interfaces)
 listening-ip=0.0.0.0
@ -42,8 +42,8 @@ cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES
 # Disable TCP relay endpoints (optional, use only if needed)
 # no-tcp-relay

-# Enable TLS
-# tls-listening-port=5349
+# Enable TLS/TURNS
+tls-listening-port=5349

 # Disable TLS 1.0 and 1.1
 no-tlsv1
@ -55,15 +55,9 @@ mobility
 # Fingerprint in TURN messages
 fingerprint

-# Long-term credentials mechanism
-lt-cred-mech
-
 # No multicast peers
 no-multicast-peers

-# Deny peer access to private IP ranges
-no-loopback-peers
-
 # User quota (max 100 concurrent sessions per user)
 user-quota=100

--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@ -5,26 +5,44 @@
    state: present
    update_cache: yes

+- name: Write server private key from vault
+  copy:
+    content: "{{ wireguard_server_private_key }}"
+    dest: "{{ wireguard_private_key_path }}"
+    mode: '0600'
+  when: wireguard_server_private_key is defined
+  no_log: true
+
+- name: Write server public key from vault
+  copy:
+    content: "{{ wireguard_server_public_key }}"
+    dest: "{{ wireguard_public_key_path }}"
+    mode: '0600'
+  when: wireguard_server_public_key is defined
+
 - name: Check if private key exists
  stat:
    path: "{{ wireguard_private_key_path }}"
  register: private_key_file

- name: Generate private key if not exists
+- name: Generate private key if not exists and not in vault
  shell: wg genkey > {{ wireguard_private_key_path }}
  args:
    creates: "{{ wireguard_private_key_path }}"
-  when: not private_key_file.stat.exists
+  when:
+    - not private_key_file.stat.exists
+    - wireguard_server_private_key is not defined

 - name: Read private key
  slurp:
    src: "{{ wireguard_private_key_path }}"
  register: wireguard_private_key

- name: Generate public key
+- name: Generate public key if not exists and not in vault
  shell: echo "{{ wireguard_private_key.content | b64decode }}" | wg pubkey > {{ wireguard_public_key_path }}
  args:
    creates: "{{ wireguard_public_key_path }}"
+  when: wireguard_server_public_key is not defined

 - name: Read public key
  slurp:
--- a/site.yml
+++ b/site.yml
@ -24,6 +24,7 @@
    - certbot
    - haproxy
    - nginx
+    - blog_deploy
    - ocserv
    - coturn
    - certbot_renewal_config