#!/usr/bin/env bash
set -euo pipefail
# Shared helpers (log/info/ensure_pkg/issue_cert/...) and the .env loader.
source ./90_lib.sh
load_env
# The whole script is a no-op unless TURN is explicitly switched on in the env.
if [[ "${TURN_ENABLE}" != "true" ]]; then
  info "TURN disabled; skipping"
  exit 0
fi
# --- helpers: write/copy only if content changed --------------------------------
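write_if_changed() { # usage: write_if_changed <dest> [mode] [owner] [group] <<'EOF' ... EOF
  #######################################
  # Install stdin as <dest>, but only when the content differs from the file
  # already there (or the file is missing).
  # Globals:   changed_any (set to 1 when <dest> is rewritten)
  # Arguments: $1 dest; $2 mode (default 0644); $3 owner and $4 group, both
  #            optional - when omitted install(1) keeps its default ownership,
  #            exactly as the one-argument form always did.
  # Outputs:   "updated:<dest>" or "unchanged:<dest>" on stdout
  # Returns:   0 on success, otherwise the mktemp/cat/install status. The temp
  #            file is removed on every path (previously a failed install under
  #            set -e left it behind in /tmp).
  #######################################
  local dest="$1" mode="${2:-0644}" owner="${3:-}" group="${4:-}"
  local tmp rc=0
  tmp="$(mktemp)" || return 1
  local -a opts=(-D -m "$mode")
  if [[ -n "$owner" ]]; then opts+=(-o "$owner"); fi
  if [[ -n "$group" ]]; then opts+=(-g "$group"); fi
  cat > "$tmp" || rc=$?
  if (( rc == 0 )); then
    if [[ ! -f "$dest" ]] || ! cmp -s -- "$tmp" "$dest"; then
      if install "${opts[@]}" -- "$tmp" "$dest"; then
        echo "updated:$dest"
        changed_any=1
      else
        rc=$?
      fi
    else
      echo "unchanged:$dest"
    fi
  fi
  rm -f -- "$tmp"
  return "$rc"
}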
copy_if_changed() { # usage: copy_if_changed <src> <dest> <mode> <owner> <group>
  # Install <src> at <dest> with the requested mode/owner/group, but only when
  # <dest> is missing or its bytes differ from <src>. Prints
  # "updated:<dest>" or "unchanged:<dest>" and sets the global changed_any=1
  # when it installs. Defaults: mode 0644, owner root, group root.
  local src="$1" dest="$2"
  local mode="${3:-0644}" owner="${4:-root}" group="${5:-root}"
  local needs_install=0
  if [[ -f "$dest" ]]; then
    cmp -s "$src" "$dest" || needs_install=1
  else
    needs_install=1
  fi
  if (( needs_install )); then
    install -D -m "$mode" -o "$owner" -g "$group" "$src" "$dest"
    changed_any=1
    echo "updated:$dest"
  else
    echo "unchanged:$dest"
  fi
}
changed_any=0  # flipped to 1 by write_if_changed/copy_if_changed whenever a file is rewritten
# --- deps -----------------------------------------------------------------------
log "TURN: deps"
ensure_pkg coturn
ensure_snap_certbot_cf
# --- certs ----------------------------------------------------------------------
log "TURN: cert"
# DNS propagation wait: TURN-specific override first, then the CF-wide one, then 30s.
propagation="${TURN_PROPAGATION_SECONDS:-${CF_PROPAGATION_SECONDS:-30}}"
issue_cert "${TURN_DOMAIN}" "${propagation}"
# Coturn-readable copies of LE certs (owner: turnserver); the live/ directory
# itself is root-only, so the daemon gets its own 0640 copies.
le_live="/etc/letsencrypt/live/${TURN_DOMAIN}"
cert_dir=/etc/coturn/certs
install -d -m 0750 -o turnserver -g turnserver "${cert_dir}"
for pem in fullchain.pem privkey.pem; do
  copy_if_changed "${le_live}/${pem}" "${cert_dir}/${pem}" 0640 turnserver turnserver
done
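# --- config ---------------------------------------------------------------------
# Optional Prometheus metrics (Ubuntu 24.04 often supports this)
# Enable by setting TURN_PROM_ENABLE=true in your .env
PROM_LINE=""
if [[ "${TURN_PROM_ENABLE:-false}" == "true" ]]; then
  PROM_LINE=$'prometheus\n#prometheus-port=9641'
fi
log "TURN: config"
# The rendered config embeds the long-term credential (user=<name>:<password>),
# so it must not be world-readable. Render it into a private mktemp file
# (0600) and install it 0640 root:turnserver - coturn reads its files as the
# turnserver user (see the cert copies above), so group read is all it needs.
# The heredoc delimiter is deliberately unquoted: the TURN_* values expand here.
cfg_tmp="$(mktemp)"
cat > "$cfg_tmp" <<CFG
listening-port=3478
tls-listening-port=5349
realm=${TURN_REALM}
user=${TURN_USER}:${TURN_PASS}
cert=/etc/coturn/certs/fullchain.pem
pkey=/etc/coturn/certs/privkey.pem
min-port=${TURN_MIN_PORT}
max-port=${TURN_MAX_PORT}
no-sslv2
no-sslv3
no-tlsv1
fingerprint
lt-cred-mech
verbose
${PROM_LINE}
CFG
# Capture the status instead of relying on set -e so the temp copy of the
# credential is always removed, even when the install fails.
cfg_rc=0
copy_if_changed "$cfg_tmp" /etc/turnserver.conf 0640 root turnserver || cfg_rc=$?
rm -f -- "$cfg_tmp"
(( cfg_rc == 0 )) || exit "$cfg_rc"
# Enable service on boot in /etc/default/coturn without rewriting if already set.
# sed can only rewrite an existing (possibly commented) TURNSERVER_ENABLED line;
# when the file has no such line at all it is appended instead - previously the
# sed silently matched nothing and the script still reported "updated".
if grep -q '^TURNSERVER_ENABLED=1' /etc/default/coturn 2>/dev/null; then
  echo "unchanged:/etc/default/coturn"
else
  if grep -q '^#\?TURNSERVER_ENABLED=' /etc/default/coturn 2>/dev/null; then
    # Best-effort as before, but say so instead of swallowing the failure.
    if ! sed -i 's/^#\?TURNSERVER_ENABLED=.*/TURNSERVER_ENABLED=1/' /etc/default/coturn; then
      printf 'warn: could not rewrite TURNSERVER_ENABLED in /etc/default/coturn\n' >&2
    fi
  else
    printf 'TURNSERVER_ENABLED=1\n' >> /etc/default/coturn
  fi
  echo "updated:/etc/default/coturn"
  changed_any=1
fi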
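# Firewall rules (ufw is idempotent enough; "|| true" keeps the script going
# when ufw is absent or the rule already exists)
ufw allow 3478,5349/tcp || true
ufw allow 3478,5349/udp || true
# Quoted so the relay range is passed as a single argument (SC2086).
ufw allow "${TURN_MIN_PORT}:${TURN_MAX_PORT}/udp" || true
# (Do NOT open 9641; Prometheus can scrape locally if metrics are enabled)
# --- service --------------------------------------------------------------------
systemctl enable --now coturn
# Only bounce the daemon when one of the *_if_changed helpers rewrote a file.
if (( changed_any == 1 )); then
  systemctl try-restart coturn
  info "coturn restarted (changes applied)"
else
  info "No changes detected; coturn left running"
fi
# --- report ---------------------------------------------------------------------
log "TURN: report"
systemctl status coturn --no-pager --lines=0 || true
# Header line plus any listener on the two TURN ports.
ss -luntp | awk 'NR==1 || /:3478|:5349/' || true
# Quote the domain so an unexpected value cannot be split into extra openssl
# arguments; the probe stays best-effort (|| true), so a TLS failure only
# leaves the report line empty.
tls_info="$(openssl s_client -connect "${TURN_DOMAIN}:5349" -servername "${TURN_DOMAIN}" </dev/null 2>/dev/null \
  | openssl x509 -noout -subject -issuer -enddate || true)"
info "TLS: ${tls_info}"
# If Prometheus metrics were enabled, show a quick hint
if [[ "${TURN_PROM_ENABLE:-false}" == "true" ]]; then
  info "If supported by your coturn build, metrics at: http://127.0.0.1:9641/metrics"
fi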