Merge branch 'next' into 'next'

Allow TURN secret to be read from file

See merge request famedly/conduit!719

docs/configuration.md

@@ -56,6 +56,7 @@ The `global` section contains the following fields:
 | `turn_password` | `string` | The TURN password | `""` |
 | `turn_uris` | `array` | The TURN URIs | `[]` |
 | `turn_secret` | `string` | The TURN secret | `""` |
+| `turn_secret_file` | `string` | Path to a file containing the TURN secret | `""` |
 | `turn_ttl` | `integer` | The TURN TTL in seconds | `86400` |
 | `emergency_password` | `string` | Set a password to login as the `conduit` user in case of emergency | N/A |
 | `well_known` | `table` | Used for [delegation](delegation.md) | See [delegation](delegation.md) |
@@ -94,7 +95,7 @@ An array of tables that contain the following fields:
 
 Both `include` and `exclude` allow for glob pattern matching.
 ##### Example
-In this example, all requests to domains ending in `.onion` and `matrix.secretly-an-onion-domain.xyz` 
+In this example, all requests to domains ending in `.onion` and `matrix.secretly-an-onion-domain.xyz`
 will be proxied via `socks://localhost:9050`, except for domains ending in `.myspecial.onion`. You can add as many `by_domain` tables as you need.
 ```toml
 [[global.proxy.by_domain]]

docs/turn.md

@@ -7,13 +7,17 @@
 ## Edit/Add a few settings to your existing conduit.toml
 
 ```
-# Refer to your Coturn settings. 
+# Refer to your Coturn settings.
 # `your.turn.url` has to match the REALM setting of your Coturn as well as `transport`.
 turn_uris = ["turn:your.turn.url?transport=udp", "turn:your.turn.url?transport=tcp"]
 
 # static-auth-secret of your turnserver
 turn_secret = "ADD SECRET HERE"
 
+# alternatively: read turn credentials from a file.
+# turn_secret overrides turn_secret_file if both are set.
+turn_secret_file = "/path/to/the/secret"
+
 # If you have your TURN server configured to use a username and password
 # you can provide these information too. In this case comment out `turn_secret above`!
 #turn_username = ""

src/config/mod.rs

@@ -80,6 +80,8 @@ pub struct Config {
     pub turn_uris: Vec<String>,
     #[serde(default)]
     pub turn_secret: String,
+    #[serde(default)]
+    pub turn_secret_file: String,
     #[serde(default = "default_turn_ttl")]
     pub turn_ttl: u64,
 
@@ -215,10 +217,12 @@ impl fmt::Display for Config {
                 }
             }),
             ("TURN secret", {
-                if self.turn_secret.is_empty() {
-                    "not set"
-                } else {
+                if !self.turn_secret.is_empty() {
                     "set"
+                } else if !self.turn_secret_file.is_empty() {
+                    &format!("set in {}", self.turn_secret_file)
+                } else {
+                    "not set"
                 }
             }),
             ("Turn TTL", &self.turn_ttl.to_string()),

src/service/globals/mod.rs

@@ -33,7 +33,7 @@ use std::{
 };
 use tokio::sync::{broadcast, watch::Receiver, Mutex, RwLock, Semaphore};
 use tower_service::Service as TowerService;
-use tracing::{error, info};
+use tracing::{error, info, warn};
 
 use base64::{engine::general_purpose, Engine as _};
 
@@ -372,8 +372,21 @@ impl Service {
         &self.config.turn_username
     }
 
-    pub fn turn_secret(&self) -> &String {
-        &self.config.turn_secret
+    pub fn turn_secret(&self) -> String {
+        if !self.config.turn_secret.is_empty() || self.config.turn_secret_file.is_empty() {
+            return self.config.turn_secret.clone();
+        }
+
+        match fs::read_to_string(&self.config.turn_secret_file) {
+            Ok(turn_secret) => turn_secret,
+            Err(e) => {
+                warn!(
+                    "Could not read from \"{}\": {e}",
+                    &self.config.turn_secret_file
+                );
+                String::default()
+            }
+        }
     }
 
     pub fn emergency_password(&self) -> &Option<String> {