From c4f27bfafeab82dd0d00b210d128792851820a12 Mon Sep 17 00:00:00 2001 From: goacid Date: Fri, 27 Nov 2020 15:57:41 +0100 Subject: [PATCH] Turn : Add Letsencrypt support. --- turn.yml | 5 ++ turn/Dockerfile | 2 + turn/rootfs/defaults/docker-entrypoint.sh | 42 ------------ turn/rootfs/defaults/letsencrypt-renew | 7 ++ turn/rootfs/docker-entrypoint.sh | 84 +++++++++++++++++++++++ 5 files changed, 98 insertions(+), 42 deletions(-) delete mode 100755 turn/rootfs/defaults/docker-entrypoint.sh create mode 100644 turn/rootfs/defaults/letsencrypt-renew create mode 100755 turn/rootfs/docker-entrypoint.sh
diff --git a/turn.yml b/turn.yml
index d52d44c2f9..46ee9a4d84 100644
--- a/turn.yml
+++ b/turn.yml
@@ -12,6 +12,7 @@ services:
 - '${TURN_PORT}:${TURN_PORT}/udp'
 - '${TURN_RTP_MIN}-${TURN_RTP_MAX}:${TURN_RTP_MIN}-${TURN_RTP_MAX}/udp'
 - '${TURN_ADMIN_PORT}:${TURN_ADMIN_PORT}/tcp'
+ - '80:80'
 environment:
 - DOCKER_HOST_ADDRESS
 - TURN_SECRET
@@ -25,6 +26,10 @@ services:
 - TURN_ADMIN_USER
 - TURN_ADMIN_SECRET
 - TURN_ADMIN_PORT
+ - DISABLE_HTTPS
+ - ENABLE_LETSENCRYPT
+ - LETSENCRYPT_DOMAIN
+ - LETSENCRYPT_EMAIL
 networks:
 meet.jitsi:
diff --git a/turn/Dockerfile b/turn/Dockerfile
index da62b7148a..365f0ab423 100644
--- a/turn/Dockerfile
+++ b/turn/Dockerfile
@@ -2,6 +2,8 @@ ARG VERSION
 FROM instrumentisto/coturn:${VERSION:-latest}
 RUN apk add --no-cache openssl
+RUN apk add --no-cache certbot
+RUN apk add --no-cache bash
 ADD ./rootfs/defaults/docker-entrypoint.sh /docker-entrypoint.sh
diff --git a/turn/rootfs/defaults/docker-entrypoint.sh b/turn/rootfs/defaults/docker-entrypoint.sh
deleted file mode 100755
index 28e397fb5a..0000000000
--- a/turn/rootfs/defaults/docker-entrypoint.sh
+++ /dev/null
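Review bot: `- '80:80'` publishes host port 80 unconditionally, although nothing in this change listens on it unless `ENABLE_LETSENCRYPT=1` (the new entrypoint's `certbot --standalone` HTTP-01 challenge and the weekly renewal). With Let's Encrypt disabled the mapping still claims host port 80 and may collide with a web front end bound there on the same host. Consider documenting the dependency on the line, `- '80:80' # HTTP-01 challenge for certbot --standalone (ENABLE_LETSENCRYPT=1)`, or moving the mapping to an optional override file so the port is only exposed when it is actually used.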
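Review bot: The surviving context line `ADD ./rootfs/defaults/docker-entrypoint.sh /docker-entrypoint.sh` still points at the entrypoint this patch deletes, while the replacement is created at `turn/rootfs/docker-entrypoint.sh`, so the image build fails at that step unless it becomes `ADD ./rootfs/docker-entrypoint.sh /docker-entrypoint.sh`. The new entrypoint also copies `/defaults/letsencrypt-renew` into `/etc/periodic/weekly/`, and nothing in this hunk places `rootfs/defaults/` in the image; if no line outside the hunk does, a `COPY ./rootfs/defaults /defaults` is needed as well. As a point of style, the three package installs can be one layer, `RUN apk add --no-cache openssl certbot bash`.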
@@ -1,42 +0,0 @@
-#!/bin/ash
-
-# make certs if not exist
-if [[ ! -f /config/cert.crt || ! -f /config/cert.key ]]; then
- openssl req -newkey rsa:2048 -nodes -keyout /config/cert.key -x509 -days 3650 -out /config/cert.crt -subj "/C=US/ST=NY/L=NY/O=IT/CN=${TURN_HOST}"
-fi
-
-# use non empty TURN_PUBLIC_IP variable, othervise set it dynamically.
-[ -z "${TURN_PUBLIC_IP}" ] && export TURN_PUBLIC_IP=$(curl -4ks https://icanhazip.com)
-[ -z "${TURN_PUBLIC_IP}" ] && echo "ERROR: variable TURN_PUBLIC_IP is not set and can not be set dynamically!" && kill 1
-
-# set coturn web-admin access
-if [[ "${TURN_ADMIN_ENABLE}" == "1" || "${TURN_ADMIN_ENABLE}" == "true" ]]; then
- turnadmin -A -u ${TURN_ADMIN_USER:-admin} -p ${TURN_ADMIN_SECRET:-changeme}
- export TURN_ADMIN_OPTIONS="--web-admin --web-admin-ip=$(hostname -i) --web-admin-port=${TURN_ADMIN_PORT:-8443}"
-fi
-
-# run coturn server with API auth method enabled.
-turnserver -n ${TURN_ADMIN_OPTIONS} \
---verbose \
---prod \
---no-tlsv1 \
---no-tlsv1_1 \
---log-file=stdout \
---listening-port=${TURN_PORT:-5349} \
---tls-listening-port=${TURN_PORT:-5349} \
---alt-listening-port=${TURN_PORT:-5349} \
---alt-tls-listening-port=${TURN_PORT:-5349} \
---cert=/config/cert.crt \
---pkey=/config/cert.key \
---min-port=${TURN_RTP_MIN:-10000} \
---max-port=${TURN_RTP_MAX:-11000} \
---no-stun \
---use-auth-secret \
---static-auth-secret=${TURN_SECRET:-keepthissecret} \
---no-multicast-peers \
---realm=${TURN_REALM:-realm} \
---listening-ip=$(hostname -i) \
---external-ip=${TURN_PUBLIC_IP} \
---cli-password=NotReallyCliUs3d \
---no-cli
-
diff --git a/turn/rootfs/defaults/letsencrypt-renew b/turn/rootfs/defaults/letsencrypt-renew
new file mode 100644
index 0000000000..62233dfb9c
--- /dev/null
+++ b/turn/rootfs/defaults/letsencrypt-renew
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+certbot --no-self-upgrade -n renew >> /config/le-renew.log
+
+# Not sur it reload the service ...
+/bin/kill -HUP `cat /var/run/turnserver.pid 2>/dev/null` 2> /dev/null || true
+exit 0
\ No newline at end of file
diff --git a/turn/rootfs/docker-entrypoint.sh b/turn/rootfs/docker-entrypoint.sh
new file mode 100755
index 0000000000..ad303a2696
--- /dev/null
+++ b/turn/rootfs/docker-entrypoint.sh
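Review bot: `certbot ... renew` refreshes the files under `/etc/letsencrypt/live/`, but turnserver is started with `--cert=/config/keys/cert.crt` and `--pkey=/config/keys/cert.key`, which the new entrypoint copies from the live directory only when the certificate is first issued, so a successful renewal never reaches the files coturn actually serves and the served certificate still expires. Pass a `--deploy-hook` to `certbot renew` that copies `$RENEWED_LINEAGE/fullchain.pem` and `$RENEWED_LINEAGE/privkey.pem` over `/config/keys/cert.crt` and `/config/keys/cert.key` and sends the signal from there, so the copy and the reload happen exactly when a renewal occurred. Redirect stderr as well, `>> /config/le-renew.log 2>&1`, so certbot failures are recorded instead of lost under cron. Whether coturn re-reads its certificate on SIGHUP at all is what the `# Not sur it reload the service ...` comment already doubts; confirm it against coturn's documented signal handling before relying on this line, and prefer `$(...)` over the backticks.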
@@ -0,0 +1,84 @@
+#!/bin/bash
+
+mkdir -p /config/keys
+# make certs if not exist
+# generate keys (maybe)
+if [[ $DISABLE_HTTPS -ne 1 ]]; then
+ if [[ $ENABLE_LETSENCRYPT -eq 1 ]]; then
+ if [[ ! -f /etc/letsencrypt/live/$LETSENCRYPT_DOMAIN/fullchain.pem ]]; then
+ if ! certbot \
+ certonly \
+ --no-self-upgrade \
+ --noninteractive \
+ --standalone \
+ --preferred-challenges http \
+ -d $LETSENCRYPT_DOMAIN \
+ --agree-tos \
+ --email $LETSENCRYPT_EMAIL; then
+
+ echo "Failed to obtain a certificate from the Let's Encrypt CA."
+ # this tries to get the user's attention and to spare the
+ # authority's rate limit:
+ sleep 15
+ echo "Exiting."
+ exit 1
+ else
+ echo "Let's Encrypt certificate generated."
+ cp -f /etc/letsencrypt/live/$LETSENCRYPT_DOMAIN/fullchain.pem /config/keys/cert.crt
+ cp -f /etc/letsencrypt/live/$LETSENCRYPT_DOMAIN/privkey.pem /config/keys/cert.key
+ fi
+ fi
+
+ # setup certbot renewal script
+ if [[ ! -f /etc/periodic/weekly/letencrypt-renew ]]; then
+ cp /defaults/letsencrypt-renew /etc/periodic/weekly/
+ fi
+ else
+ # use self-signed certs
+ if [[ -f /config/keys/cert.key && -f /config/keys/cert.crt ]]; then
+ echo "using keys found in /config/keys"
+ else
+ echo "generating self-signed keys in /config/keys, you can replace these with your own keys if required"
+ SUBJECT="/C=US/ST=TX/L=Austin/O=jitsi.org/OU=Jitsi Server/CN=*"
+ openssl req -new -x509 -days 3650 -nodes -out /config/keys/cert.crt -keyout /config/keys/cert.key -subj "$SUBJECT"
+ fi
+ fi
+fi
+
+# use non empty TURN_PUBLIC_IP variable, othervise set it dynamically.
+[ -z "${TURN_PUBLIC_IP}" ] && export TURN_PUBLIC_IP=$(curl -4ks https://icanhazip.com)
+[ -z "${TURN_PUBLIC_IP}" ] && echo "ERROR: variable TURN_PUBLIC_IP is not set and can not be set dynamically!" && kill 1
+
+# set coturn web-admin access
+if [[ "${TURN_ADMIN_ENABLE}" == "1" || "${TURN_ADMIN_ENABLE}" == "true" ]]; then
+ turnadmin -A -u ${TURN_ADMIN_USER:-admin} -p ${TURN_ADMIN_SECRET:-changeme}
+ export TURN_ADMIN_OPTIONS="--web-admin --web-admin-ip=$(hostname -i) --web-admin-port=${TURN_ADMIN_PORT:-8443}"
+fi
+
+#run cron
+crond
+
+# run coturn server with API auth method enabled.
+turnserver -n ${TURN_ADMIN_OPTIONS} \
+ --verbose \
+ --prod \
+ --no-tlsv1 \
+ --no-tlsv1_1 \
+ --log-file=stdout \
+ --listening-port=${TURN_PORT:-5349} \
+ --tls-listening-port=${TURN_PORT:-5349} \
+ --alt-listening-port=${TURN_PORT:-5349} \
+ --alt-tls-listening-port=${TURN_PORT:-5349} \
+ --cert=/config/keys/cert.crt \
+ --pkey=/config/keys/cert.key \
+ --min-port=${TURN_RTP_MIN:-10000} \
+ --max-port=${TURN_RTP_MAX:-11000} \
+ --no-stun \
+ --use-auth-secret \
+ --static-auth-secret=${TURN_SECRET:-keepthissecret} \
+ --no-multicast-peers \
+ --realm=${TURN_REALM:-realm} \
+ --listening-ip=$(hostname -i) \
+ --external-ip=${TURN_PUBLIC_IP} \
+ --cli-password=NotReallyCliUs3d \
+ --no-cli
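Review bot: The guard `if [[ ! -f /etc/periodic/weekly/letencrypt-renew ]]` tests a misspelled name (`letencrypt`, no `s`) while the `cp` installs `letsencrypt-renew`, so the condition is always true and the guard is dead; more importantly the script is committed with mode 100644 (see the `create mode` line in the diffstat), `cp` to a new destination keeps that mode, and `run-parts` only executes entries with the execute bit set, so the weekly renewal would never run. Replacing the three-line block with `install -m 755 /defaults/letsencrypt-renew /etc/periodic/weekly/letsencrypt-renew` fixes both, is idempotent, and no longer needs the guard. Separately, when `/etc/letsencrypt/live/$LETSENCRYPT_DOMAIN/fullchain.pem` already exists (any restart after a renewal) the two `cp -f` lines are skipped, so turnserver keeps serving whatever `/config/keys/cert.crt` held before; running those copies on every start whenever the live files exist keeps the served certificate current. Unless `/etc/letsencrypt` is on a persistent volume (not visible in this patch), recreating the container also re-requests a certificate each time, which is what the `sleep 15` comment about the authority's rate limit is trying to soften.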