Merge pull request #65 from systemli/enh/debian12

Add support for debian12, remove debian10
systemli · Aug 5, 2023 · 02a22d2 · 02a22d2
2 parents f407945 + 903ba4e
commit 02a22d2
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 6 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -20,4 +20,4 @@ jobs:
     name: Integration
     uses: systemli/github-ansible-workflow/.github/workflows/ansible-integration-workflow.yaml@v1.2.0
     with:
-      distros: '[ "debian11", "debian10" ]'
+      distros: '[ "debian12", "debian11" ]'
diff --git a/meta/main.yml b/meta/main.yml
@@ -8,8 +8,8 @@ galaxy_info:
   platforms:
     - name: Debian
       versions:
+        - bookworm
         - bullseye
-        - buster
   galaxy_tags:
     - networking
     - nextcloud

diff --git a/templates/turnserver.conf.j2 b/templates/turnserver.conf.j2
@@ -207,7 +207,7 @@ fingerprint
 #
 # You can simply run the turnserver and access the port 9641 and path /metrics
 #
-# For mor info on the prometheus exporter and metrics
+# For more info on the prometheus exporter and metrics
 # https://prometheus.io/docs/introduction/overview/
 # https://prometheus.io/docs/concepts/data_model/
 #
@@ -518,7 +518,7 @@ stale-nonce
 #dh1066
 
 # Use custom DH TLS key, stored in PEM format in the file.
-# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
+# Flags --dh566 and --dh1066 are ignored when the DH key is taken from a file.
 #
 {% if not coturn_tls %}#{% endif %}dh-file=/etc/coturn-dh-{{ coturn_dhparam_length }}.pem
 
@@ -546,6 +546,11 @@ no-stdout-log
 #
 syslog
 
+# Set syslog facility for syslog messages
+# Default values is ''.
+#
+#syslog-facility="LOG_LOCAL1"
+
 # This flag means that no log file rollover will be used, and the log file
 # name will be constructed as-is, without PID and date appendage.
 # This option can be used, for example, together with the logrotate tool.
@@ -555,7 +560,7 @@ syslog
 # Enable full ISO-8601 timestamp in all logs.
 #new-log-timestamp
 
-# Set timestamp format (in strftime(1) format)
+# Set timestamp format (in strftime(1) format). Depends on new-log-timestamp to be enabled.
 #new-log-timestamp-format "%FT%T%z"
 
 # Disabled by default binding logging in verbose log mode to avoid DoS attacks.
@@ -682,14 +687,24 @@ allowed-peer-ip={{ ip }}
 #
 #mobility
 
-# Allocate Address Family according
+# Allocate Address Family according (DEPRECATED and will be removed in favour of allocation-default-address-family)
 # If enabled then TURN server allocates address family according  the TURN
 # Client <=> Server communication address family.
 # (By default Coturn works according RFC 6156.)
 # !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
 #
 #keep-address-family
 
+# TURN server allocates address family according TURN client requested address family.
+# If address family not requested explicitly by the client, then it falls back to this default.
+# The standard RFC explicitly define that this default must be IPv4, 
+# so use other option values with care! 
+# Possible values: "ipv4" or "ipv6" or "keep" 
+# "keep" sets the allocation default address family according to 
+# the TURN client allocation request connection address family.
+#allocation-default-address-family="ipv4"
+#allocation-default-address-family="ipv4"
+
 
 # User name to run the process. After the initialization, the turnserver process
 # will attempt to change the current user ID to that user.
@@ -773,3 +788,31 @@ no-cli
 no-tlsv1
 no-tlsv1_1
 #no-tlsv1_2
+
+# Disable RFC5780 (NAT behavior discovery).
+#
+# Originally, if there are more than one listener address from the same
+# address family, then by default the NAT behavior discovery feature enabled.
+# This option disables the original behavior, because the NAT behavior
+# discovery adds extra attributes to response, and this increase the
+# possibility of an amplification attack.
+#
+# Strongly encouraged to use this option to decrease gain factor in STUN
+# binding responses.
+#
+no-rfc5780
+
+# Disable handling old STUN Binding requests and disable MAPPED-ADDRESS
+# attribute in binding response (use only the XOR-MAPPED-ADDRESS).
+#
+# Strongly encouraged to use this option to decrease gain factor in STUN
+# binding responses.
+#
+no-stun-backward-compatibility
+
+# Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.
+#
+# Strongly encouraged to use this option to decrease gain factor in STUN
+# binding responses.
+#
+response-origin-only-with-rfc5780