24cf27c60c
Most (all?) of our Matrix services are running in the `matrix` network, so they were safe -- not accessible from Coturn to begin with. Isolating Coturn into its own network is a security improvement for people who were starting other services in the default Docker network. Those services were potentially reachable over the private Docker network from Coturn. Discussed in #120 (Github Pull Request)
35 lines
1.4 KiB
YAML
35 lines
1.4 KiB
YAML
matrix_coturn_enabled: true
|
|
|
|
matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.1"
|
|
|
|
# The Docker network that Coturn would be put into.
|
|
#
|
|
# Because Coturn relays traffic to unvalidated IP addresses,
|
|
# using a dedicated network, isolated from other Docker (and local) services is preferrable.
|
|
#
|
|
# Setting up deny/allow rules with `matrix_coturn_allowed_peer_ips`/`matrix_coturn_denied_peer_ips` is also
|
|
# possible for achieving such isolation, but is more complicated due to the dynamic nature of Docker networking.
|
|
matrix_coturn_docker_network: "matrix-coturn"
|
|
|
|
matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn"
|
|
matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf"
|
|
|
|
# List of systemd services that matrix-coturn.service depends on
|
|
matrix_coturn_systemd_required_services_list: ['docker.service']
|
|
|
|
# A shared secret (between Synapse and Coturn) used for authentication.
|
|
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
|
|
matrix_coturn_turn_static_auth_secret: ""
|
|
|
|
# UDP port-range to use for TURN
|
|
matrix_coturn_turn_udp_min_port: 49152
|
|
matrix_coturn_turn_udp_max_port: 49172
|
|
|
|
# The external IP address of the machine where Coturn is.
|
|
matrix_coturn_turn_external_ip_address: ''
|
|
|
|
matrix_coturn_allowed_peer_ips: []
|
|
matrix_coturn_denied_peer_ips: []
|
|
matrix_coturn_user_quota: null
|
|
matrix_coturn_total_quota: null
|