From f67ccd17ea15dee30555c6d3d82ceffe07423f83 Mon Sep 17 00:00:00 2001
From: Felix Bartels <1257835+fbartels@users.noreply.github.com>
Date: Mon, 5 Oct 2020 08:53:36 +0200
Subject: [PATCH] add new option for kwmbridge dnat mode (#463)
* add new option for kwmbridge dnat mode
* add local config for test of nat functionality
* use variable instead of real ip
* move turn configuration to the right place
* update kwmbridge
* remove trivy
---
 .ci/setup-tools.sh | 8 +-------
 docker-compose.kwmbridge-dnat.yml | 31 +++++++++++++++++++++++++++++++
 docker-compose.yml | 4 ++--
 kwmbridge/Dockerfile | 2 +-
 kwmbridge/wrapper.sh | 20 +++++++++++++++-----
 5 files changed, 50 insertions(+), 15 deletions(-)
 create mode 100644 docker-compose.kwmbridge-dnat.yml

diff --git a/.ci/setup-tools.sh b/.ci/setup-tools.sh
index 0460c9c..d3c216b 100755
--- a/.ci/setup-tools.sh
+++ b/.ci/setup-tools.sh
@@ -9,7 +9,6 @@ GOSS_VERSION=0.3.11
 HADOLINT_VERSION=1.17.6
 REG_VERSION=0.16.1
 SHELLCHECK_VERSION=0.7.1
-TRIVY_VERSION=0.11.0
 progname=$(basename "$0")
 tempdir=$(mktemp -d "/tmp/$progname.XXXXXX")
@@ -30,11 +29,6 @@ if ! command -v docker-compose > /dev/null; then
 sudo chmod +rx /usr/local/bin/docker-compose
 fi
-if ! command -v trivy > /dev/null; then
-wget https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
-sudo tar zxvf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -C /usr/local/bin trivy
-fi
-
 if ! command -v goss > /dev/null; then
 sudo curl -L https://github.com/aelsabbahy/goss/releases/download/v$GOSS_VERSION/goss-linux-amd64 -o /usr/local/bin/goss
 sudo chmod +rx /usr/local/bin/goss
@@ -90,4 +84,4 @@ fi
 if ! command -v jq > /dev/null; then
 sudo apt install -y jq
-fi
\ No newline at end of file
+fi
diff --git a/docker-compose.kwmbridge-dnat.yml b/docker-compose.kwmbridge-dnat.yml
new file mode 100644
index 0000000..a432a92
--- /dev/null
+++ b/docker-compose.kwmbridge-dnat.yml
@@ -0,0 +1,31 @@
+version: "3.5"
+
+services:
+ kopano_kwmserver:
+ environment:
+ - enable_mcu_api=yes
+ - pipeline_forced_regexp=@conference/.*
+ #- pipeline_forced_regexp=@group/.*
+
+ kopano_kwmbridge:
+ image: ${docker_repo:-zokradonh}/kopano_kwmbridge:${KWMBRIDGE_VERSION:-latest}
+ read_only: true
+ restart: unless-stopped
+ depends_on:
+ - kopano_kwmserver
+ environment:
+ - INSECURE=${INSECURE}
+ - oidc_issuer_identifier=https://${FQDN}
+ - kwm_server_urls=https://${FQDN}
+ - use_nat_1to1_ips=${PUBLICIP}
+ - use_nat_1to1_candidate_type=host
+ - ice_udp_port_range=65435:65535
+ volumes:
+ - /etc/machine-id:/etc/machine-id
+ - /etc/machine-id:/var/lib/dbus/machine-id
+ - kopanossl/:/kopano/ssl
+ - /root/kopano-docker/kwmbridge/kwmbridged:/usr/local/bin/kwmbridged
+ ports:
+ - 65535:65535/udp
+ tmpfs:
+ - /tmp
diff --git a/docker-compose.yml b/docker-compose.yml
index 605910a..f3687b6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -465,6 +465,8 @@ services:
 - oidc_issuer_identifier=https://${FQDN}
 - public_guest_access_regexp=^group/public/.*
 - registration_conf=/kopano/ssl/konnectd-identifier-registration.yaml
+ - turn_service_credentials_password=${TURN_PASSWORD:-}
+ - turn_service_credentials_user=${TURN_USER:-}
 env_file:
 - kopano_kwmserver.env
 volumes:
@@ -485,8 +487,6 @@ services:
 - KCCONF_MEET_guests_enabled=true
 - KCCONF_MEET_minimumVersion=20200121 # can be used force updates of Meet
 - KCCONF_MEET_oidc_useImplicitFlow=true # workaround for guest login with meet https://stash.kopano.io/projects/KWM/repos/meet/pull-requests/102/overview
- - turn_service_credentials_password=${TURN_PASSWORD:-}
- - turn_service_credentials_user=${TURN_USER:-}
 env_file:
 - kopano_meet.env
 depends_on:
diff --git a/kwmbridge/Dockerfile b/kwmbridge/Dockerfile
index 2dada16..586eab0 100644
--- a/kwmbridge/Dockerfile
+++ b/kwmbridge/Dockerfile
@@ -1,4 +1,4 @@
-ARG CODE_VERSION=0.1.2
+ARG CODE_VERSION=0.1.3
 FROM kopano/kwmbridged:${CODE_VERSION}
 ARG CODE_VERSION
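Review bot: The published port does not cover the ICE range in the new kopano_kwmbridge service: `ice_udp_port_range=65435:65535` lets the bridge bind any of 101 UDP ports, but `ports:` forwards only `65535:65535/udp`, so with `use_nat_1to1_candidate_type=host` most advertised `${PUBLICIP}:<port>` candidates would be unreachable unless the base compose file (not visible here) puts this service on host networking; either publish the whole range, `- 65435-65535:65435-65535/udp`, or narrow the ICE range to the one port. The `/root/kopano-docker/kwmbridge/kwmbridged:/usr/local/bin/kwmbridged` bind mount replaces the image's pinned binary with an unversioned file from a hard-coded home directory, which sidesteps the image tag and, being a writable mount, also the `read_only: true` rootfs for the one file that matters; if it exists only for the NAT test the commit message mentions, say so in a comment, add `:ro`, and use a variable instead of `/root/...` so the override is usable on other hosts. The two `/etc/machine-id` mounts should likewise carry `:ro` so the container cannot rewrite the host's identity file.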
diff --git a/kwmbridge/wrapper.sh b/kwmbridge/wrapper.sh
index 19ba9dc..eeada3a 100755
--- a/kwmbridge/wrapper.sh
+++ b/kwmbridge/wrapper.sh
@@ -33,6 +33,16 @@ if [ -n "${ice_udp_port_range:-}" ]; then
 set -- "$@" --use-ice-udp-port-range="$ice_udp_port_range"
 fi
+if [ -n "${use_nat_1to1_ips:-}" ]; then
+ for use_nat_1to1_ip in $use_nat_1to1_ips; do
+ set -- "$@" --use-nat-1to1-ip="$use_nat_1to1_ip"
+ done
+fi
+
+if [ -n "${use_nat_1to1_candidate_type:-}" ]; then
+ set -- "$@" --use-nat-1to1-candidate-type="$use_nat_1to1_candidate_type"
+fi
+
 if [ "${with_metrics:-}" = "yes" ]; then
 set -- "$@" --with-metrics
 fi
@@ -48,13 +58,13 @@ fi
 if [ "${AUTOCONFIGURE}" = true ]; then
 if [ "$INSECURE" = "yes" ]; then
 dockerize \
- -skip-tls-verify \
- -wait "$oidc_issuer_identifier"/.well-known/openid-configuration \
- -timeout 360s
+ -skip-tls-verify \
+ -wait "$oidc_issuer_identifier"/.well-known/openid-configuration \
+ -timeout 360s
 else
 dockerize \
- -wait "$oidc_issuer_identifier"/.well-known/openid-configuration \
- -timeout 360s
+ -wait "$oidc_issuer_identifier"/.well-known/openid-configuration \
+ -timeout 360s
 fi
 # services need to be aware of the machine-id
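Review bot: `for use_nat_1to1_ip in $use_nat_1to1_ips; do` in the first hunk relies on unquoted expansion to split the list, which is intentional here but also subjects the value to pathname expansion and will be reported by the shellcheck the CI installs (SC2086); bracket the loop with `set -f` / `set +f`, or mark it `# shellcheck disable=SC2086  # intentional: whitespace-separated list`. The separator is documented nowhere in the hunk, and the compose override passes a single `${PUBLICIP}`, so a comma-separated value would silently become one bogus `--use-nat-1to1-ip` argument; a comment above the `if`, `# use_nat_1to1_ips: whitespace-separated public IPs, one --use-nat-1to1-ip flag each`, would pin that down. Passing each value through `set --` keeps it in its own argv word, so no further quoting is needed for the candidate-type branch. The option-building chain this hunk extends starts and continues outside the hunk.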