move to eturnal

Signed-off-by: Zoey <zoey@z0ey.de>

Containers/talk/Dockerfile

@@ -1,18 +1,16 @@
 FROM nats:2.9.18-scratch as nats
 FROM strukturag/nextcloud-spreed-signaling:1.1.2 as signaling
-FROM coturn/coturn:4.6.2-r3-alpine
-USER root
-# Pin alpine version manually as long as https://github.com/coturn/coturn/issues/1226 is not done
-ENV ALPINE_VERSION=3.18
+FROM ghcr.io/processone/eturnal:x.x.x-otpxx AS eturnal
+FROM alpine:3.18.2
 
-COPY --from=nats /nats-server /usr/local/bin/nats-server
+COPY --from=eturnal   /opt/eturnal                        /opt/eturnal
+COPY --from=nats      /nats-server                        /usr/local/bin/nats-server
 COPY --from=signaling /usr/bin/nextcloud-spreed-signaling /usr/local/bin/nextcloud-spreed-signaling
 
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=664 supervisord.conf /supervisord.conf
 
 RUN set -ex; \
-    grep VERSION_ID /etc/os-release | grep -q "$ALPINE_VERSION.[0-9]\+$"; \
     apk add --no-cache \
         ca-certificates \
         tzdata \
@@ -28,9 +26,11 @@ RUN set -ex; \
         wget \
         lua5.3-dev \
         luarocks5.3; \
-    useradd --system talk; \
+    useradd --system eturnal; \
     luarocks-5.3 install luajson; \
     luarocks-5.3 install ansicolors; \
+    ln -s /opt/eturnal/bin/eturnalctl /usr/local/bin/eturnalctl; \
+    ln -s /opt/eturnal/bin/stun /usr/local/bin/stun; \
     rename -v ".jcfg.sample" ".jcfg" /etc/janus/*.sample; \
     apk del --no-cache \
         shadow \
@@ -45,30 +45,23 @@ RUN set -ex; \
     \
     touch \
         /etc/nats.conf \
-        /etc/signaling.conf \
-        /etc/turnserver.conf; \
+        /etc/signaling.conf; \
     echo "listen: 127.0.0.1:4222" | tee /etc/nats.conf; \
     mkdir -p \
-        /var/tmp \
-        /var/lib/turn \
         /var/log/supervisord \
         /var/run/supervisord; \
-    chown talk:talk -R \
+    chown eturnal:eturnal -R \
         /usr \
         /etc/janus \
+        /opt/eturnal \
         /etc/nats.conf \
         /etc/signaling.conf \
-        /etc/turnserver.conf \
-        /var/lib/turn \
         /var/log/supervisord \
         /var/run/supervisord;
 
-# Set default talk port https://github.com/nextcloud/all-in-one/issues/1011
-ENV TALK_PORT=3478
-
-USER talk
+USER eturnal
 ENTRYPOINT ["/start.sh"]
 CMD ["supervisord", "-c", "/supervisord.conf"]
 
-HEALTHCHECK CMD (nc -z localhost 8081 && nc -z localhost 8188 && nc -z localhost 4222 && nc -z localhost "$TALK_PORT" && nc -z "$NC_DOMAIN" "$TALK_PORT") || exit 1
+HEALTHCHECK CMD (nc -z localhost 8081 && nc -z localhost 8188 && nc -z localhost 4222 && nc -z localhost "$TALK_PORT" && nc -z "$NC_DOMAIN" "$TALK_PORT" && eturnalctl status) || exit 1
 LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/talk/start.sh

@@ -4,6 +4,9 @@
 if [ -z "$NC_DOMAIN" ]; then
     echo "You need to provide the NC_DOMAIN."
     exit 1
+elif [ -z "$TALK_PORT" ]; then
+    echo "You need to provide the TALK_PORT."
+    exit 1
 elif [ -z "$TURN_SECRET" ]; then
     echo "You need to provide the TURN_SECRET."
     exit 1
@@ -16,43 +19,48 @@ elif [ -z "$INTERNAL_SECRET" ]; then
 fi
 
 set -x
-IPv4_ADDRESS_TALK="$(dig nextcloud-aio-talk A +short)"
+if [ -n "$(dig nextcloud-aio-talk A +short | grep -E "^[0-9.]+$" | head -n1)" ]; then
+    IPv4_ADDRESS_TALK="$(dig nextcloud-aio-talk A +short | grep -E "^[0-9.]+$" | head -n1)"
+fi
+if [ -n "$(dig nextcloud-aio-talk AAAA +short | grep -E "^[0-9a-fA-F:]+$" | head -n1)" ]; then
+    IPv6_ADDRESS_TALK="$(dig nextcloud-aio-talk AAAA +short | grep -E "^[0-9a-fA-F:]+$" | head -n1)"
+fi
+
+if [ -n "$(dig "$NC_DOMAIN" A +short | grep -E "^[0-9.]+$" | head -n1)" ]; then
+    IPv4_ADDRESS_NC="$(dig "$NC_DOMAIN" A +short | grep -E "^[0-9.]+$" | head -n1)"
+fi
+if [ -n "$(dig "$NC_DOMAIN" AAAA +short | grep -E "^[0-9a-fA-F:]+$" | head -n1)" ]; then
+    IPv6_ADDRESS_NC="$(dig "$NC_DOMAIN" AAAA +short | grep -E "^[0-9a-fA-F:]+$" | head -n1)"
+fi
 set +x
 
 # Turn
-cat << TURN_CONF > "/etc/turnserver.conf"
-listening-port=$TALK_PORT
-fingerprint
-use-auth-secret
-static-auth-secret=$TURN_SECRET
-realm=$NC_DOMAIN
-total-quota=0
-bps-capacity=0
-stale-nonce
-no-multicast-peers
-simple-log
-pidfile=/var/tmp/turnserver.pid
-no-tls
-no-dtls
-userdb=/var/lib/turn/turndb
-# Based on https://nextcloud-talk.readthedocs.io/en/latest/TURN/#turn-server-and-internal-networks
-allowed-peer-ip=$IPv4_ADDRESS_TALK
-denied-peer-ip=0.0.0.0-0.255.255.255
-denied-peer-ip=10.0.0.0-10.255.255.255
-denied-peer-ip=100.64.0.0-100.127.255.255
-denied-peer-ip=127.0.0.0-127.255.255.255
-denied-peer-ip=169.254.0.0-169.254.255.255
-denied-peer-ip=172.16.0.0-172.31.255.255
-denied-peer-ip=192.0.0.0-192.0.0.255
-denied-peer-ip=192.0.2.0-192.0.2.255
-denied-peer-ip=192.88.99.0-192.88.99.255
-denied-peer-ip=192.168.0.0-192.168.255.255
-denied-peer-ip=198.18.0.0-198.19.255.255
-denied-peer-ip=198.51.100.0-198.51.100.255
-denied-peer-ip=203.0.113.0-203.0.113.255
-denied-peer-ip=240.0.0.0-255.255.255.255
+cat << TURN_CONF > "/opt/eturnal/etc/eturnal.yml"
+eturnal:
+  listen:
+    - ip: "::"
+      port: $TALK_PORT
+      transport: udp
+    - ip: "::"
+      port: $TALK_PORT
+      transport: tcp
+  log_dir: stdout
+  log_level: warning
+  secret: "$TURN_SECRET"
+  relay_ipv4_addr: "$IPv4_ADDRESS_NC"
+  relay_ipv6_addr: "$IPv6_ADDRESS_NC"
+  whitelist:
+  - 127.0.0.1
+  - ::1
+  - "$IPv4_ADDRESS_TALK"
+  - "$IPv6_ADDRESS_TALK"
+  blacklist:
+  - recommended
+  max_bps: unlimited
 TURN_CONF
 
+sed -i '/""/d' /opt/eturnal/etc/eturnal.yml
+
 # Signling
 cat << SIGNALING_CONF > "/etc/signaling.conf"
 [http]

Containers/talk/supervisord.conf

@@ -13,7 +13,7 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=turnserver -c /etc/turnserver.conf
+command=eturnalctl foreground
 
 [program:nats-server]
 stdout_logfile=/dev/stdout