support reading TURN secret from a file (turn_secret_file)

Signed-off-by: strawberry <strawberry@puppygock.gay>

src/api/client/voip.rs

@@ -24,7 +24,7 @@ pub(crate) async fn turn_server_route(
 		return Err!(Request(NotFound("Not Found")));
 	}
 
-	let turn_secret = services.globals.turn_secret().clone();
+	let turn_secret = services.globals.turn_secret.clone();
 
 	let (username, password) = if !turn_secret.is_empty() {
 		let expiry = SecondsSinceUnixEpoch::from_system_time(

src/core/config/mod.rs

@@ -194,6 +194,7 @@ pub struct Config {
 	pub turn_uris: Vec<String>,
 	#[serde(default)]
 	pub turn_secret: String,
+	pub turn_secret_file: Option<PathBuf>,
 	#[serde(default = "default_turn_ttl")]
 	pub turn_ttl: u64,
 
@@ -681,12 +682,17 @@ impl fmt::Display for Config {
 			}
 		});
 		line("TURN secret", {
-			if self.turn_secret.is_empty() {
+			if self.turn_secret.is_empty() && self.turn_secret_file.is_none() {
 				"not set"
 			} else {
 				"set"
 			}
 		});
+		line("TURN secret file path", {
+			self.turn_secret_file
+				.as_ref()
+				.map_or("", |path| path.to_str().unwrap_or_default())
+		});
 		line("Turn TTL", &self.turn_ttl.to_string());
 		line("Turn URIs", {
 			let mut lst = vec![];

src/service/globals/mod.rs

@@ -40,6 +40,7 @@ pub struct Service {
 	pub stateres_mutex: Arc<Mutex<()>>,
 	pub server_user: OwnedUserId,
 	pub admin_alias: OwnedRoomAliasId,
+	pub turn_secret: String,
 }
 
 type RateLimitState = (Instant, u32); // Time if last failed try, number of failed tries
@@ -84,6 +85,17 @@ impl crate::Service for Service {
 			.collect::<Result<_, String>>()
 			.map_err(|e| err!(Config("ip_range_denylist", e)))?;
 
+		let turn_secret = config
+			.turn_secret_file
+			.as_ref()
+			.map_or(config.turn_secret.clone(), |path| {
+				std::fs::read_to_string(path).unwrap_or_else(|e| {
+					error!("Failed to read the TURN secret file: {e}");
+
+					config.turn_secret.clone()
+				})
+			});
+
 		let mut s = Self {
 			db,
 			config: config.clone(),
@@ -99,6 +111,7 @@ impl crate::Service for Service {
 				.expect("#admins:server_name is valid alias name"),
 			server_user: UserId::parse_with_server_name(String::from("conduit"), &config.server_name)
 				.expect("@conduit:server_name is valid"),
+			turn_secret,
 		};
 
 		if !s
@@ -207,8 +220,6 @@ impl Service {
 
 	pub fn turn_username(&self) -> &String { &self.config.turn_username }
 
-	pub fn turn_secret(&self) -> &String { &self.config.turn_secret }
-
 	pub fn allow_profile_lookup_federation_requests(&self) -> bool {
 		self.config.allow_profile_lookup_federation_requests
 	}