Merge branch '10-installation-d-un-coturn-externe' into 'master'

Resolve "installation d'un coturn externe" Closes #10 See merge request 10031/visio!16
2021-04-27 10:19:54 +00:00
parent 7c4cf16d05 38c5dc95bf
commit 1c1dd147a9
14 changed files with 205 additions and 47 deletions
@@ -1,30 +1,33 @@
 $ANSIBLE_VAULT;1.1;AES256
-61333538356632383839336135343862353764643963663538313239376562666665613137353333
-3138326361613439353838396162653263383839376234390a643963343962313935373134313465
-66656662386135353434313935636135336336323833626666383931623665366264663438663134
-6237656662356632350a313232376331393031366330336363613963343366393338323366313338
-34626231356530646163623738356462646463646261383735633166316133653631613466323161
-65323438316165646263343566303336663261616333636231336632653662383935626165643331
-65643839303730313134643866313963613532623635653735643433396530653035336161393930
-33626338306561333461383036356235666130313635643864343831363237613066613138326633
-32343761663533323635363034666165393063653438336533333232663237316431333863336165
-34306565623337316433653531383731343366626666616233633630363736333234316565313436
-30616331626365656333646262633130336166353137333139303764363165346133393836626233
-64323962666263303263343535396266623966356439653833313139653838363866626365366434
-66633461636637373264633130313438383461613835646463663061653531306362633737376562
-61376536633162303337336266386465353139306265386365316434346462653464366663316663
-66323335393361613432313430653865356137663261643037303663663535346366383366626339
-36356332373631393464623566303832666638356134643738646138396631353434343436623036
-30313137656363303939613734646463333039343838303162333165613432393634356432386538
-34613566623436303632666566306462626438663739353432663265653237633661396132376331
-31636637333132396464353036313362623234386435366661656134336436373030623830643038
-38643862306332663831363935326361316661333737616230633961393261643261653364373731
-65336433656362663961636666326430363432353537316164643662343634306538376165666639
-65616135643438353738376665613561353663356466306633653266303738323830346330386334
-61386537333935376134373134383666616564636565343261303161303064656436363064666432
-34653737616161386265623164336137363663653264643239326337383139336336643063313434
-33326166633263616537613365306335626562303835643637323162383831333234613136643464
-61646531646332393032366362383538616636656261373036373164323531393430363837393066
-37663865646338393866653636326131316237613030663964663962313366666136633634633731
-32626263316633306363313031626666316139393735616236653031626166383434646166353366
-63303163626335333735626338306332333037366239646631393138316364313932
+66376665636436366538646536616266356136383562326135313565616137343661633066633838
+3766383364643637316661393762333639333335373835650a306239363535346436363930376665
+39643865613032386563323262313934353634633432333837613933663766303661363664333132
+3230326235373636380a663264376161616235636638383764343265373866323437393033633535
+66356235643963353265336633643438393136613630313339623764666339653934336631363664
+61623965396537326562326436346132613061326164353263376161313736323334373263623539
+64633136366632623138313066633664663739393236303862313236613333353730646462646433
+37393137313336313835343935633137663336373363663964353630353231643530336536326666
+63373833316337396166643465663966333037373863663533326133613830366631653561376631
+31386362343330313131366534613732396162343864623436646163613339383038303562353138
+37313334343363646639623161373339626365383034613432383335353261306130356465363066
+61626535306139393639643066653930646532336530653563393034353665366136363335353731
+65386439613331396339343630303031313565626264393532393739373531656436616634636630
+32376531323562653835396334306634623830336136313864653535323337346161363363376430
+34356133653631303138303337383238333835356238373261336465356538326439333537666533
+64383832353065383463643632343064663734613239613135663564343333373331623663326235
+62666362383962623833376331323930366361306132376131633066323935643763366336333036
+38323765383137663832613838353131353161336239656633373565333564316164376331393663
+62333565313531373539663932653530333663653431393333663436643363663433343266663064
+63373930343430393261343138363963663065393634663734636565616331343364666331313432
+66613931383765383766623662353831353538313932396332343030326137336438646432666534
+38626533386666373961363838636639323230316632626635323266626139313462386638343137
+36663864626166383861633765343432373539333237303364656338616233383934336365623132
+38623637383366643063616339636633653538303663303364366436396562323835386433383534
+34653132303465356464643966303032646331653162373130333730616439336438333930623236
+37393036636237306165626563643165346461303861396165333937313030653933643630336163
+38353533626531383239336539633238333139633034353437356234626565343863656634623734
+64366636633938663165666530386634363637396535656232363039383936623065303033643166
+32393631656362373566633230393436313138396430383130643339633432363765373539313230
+34393236346332366462623466383463626432613931653961643730643330666662333838366466
+36353439363565653436616236353830633763353236353331623333306239653835393034343237
+33393937303630616136
@@ -0,0 +1,2 @@
+---
+coturn_secret: "{{ vault_coturn_secret }}"
@@ -2,3 +2,5 @@
 ansible_user: root
 jitsi_logo: jitsi.komuniki.fr.svg
 jitsi_logo_url: https://komuniki.fr
+coturn_hostname: coturn.komuniki.fr
+coturn_secret: "{{ vault_coturn_secret }}"
@@ -1,6 +1,6 @@
 ---
-jitsi_user: imio
-jitsi_pass: logiciellibre
 jitsi_logo: visio.imio.be.svg
 jitsi_logo_url: https://imio.be
-jitsi_mutidomain_domain: ['visio-cpas.be']
+jitsi_multidomain_domain: ['visio-cpas.be']
+coturn_hostname: origan.champs-libres.be
+coturn_secret: "{{ vault_coturn_secret }}"
@@ -1,2 +1,3 @@
 pp.jitsi.komuniki.fr
-imio2.komuniki.fr ansible_user=root
+imio2.komuniki.fr ansible_user=root
+coturn.komuniki.fr ansible_user=root
@@ -7,6 +7,10 @@
    - role: jitsi-add-logo
    - role: jitsi-enable-video-optimisation
    - role: jitsi-enable-metrics
+    - role: jitsi-enable-prejoinPage
+    - role: jitsi-enable-external-coturn
+    - role: jitsi-enable-multidomain
+    - role: jitsi-enable-specific-imio
  tags:
    - imio

@@ -5,6 +5,7 @@
    - role: jitsi-pre-install
    - role: jitsi-install
    - role: jitsi-enable-prejoinPage
+    - role: jitsi-enable-external-coturn
    - role: jitsi-enable-metrics
    - role: jitsi-enable-fr-ln
    - role: jitsi-add-logo
@@ -22,3 +23,9 @@
    - role: jitsi-enable-specific-imio
  tags:
    - imio2
+
+- hosts: coturn.komuniki.fr
+  roles:
+    - role: coturn-install
+  tags:
+    - coturn.komki
@@ -0,0 +1,8 @@
+---
+- name: restart coturn
+  systemd:
+    name: coturn
+    state: restarted
+    daemon_reload: true
+    enabled: true
+
@@ -0,0 +1,15 @@
+- name: Installation de snapd
+  apt:
+    name:
+      - snapd
+    state: present
+
+- name: Initialisation de snap et installtion de certbot (prendre bien 5min, soyez patient)
+  command: "{{ item }}"
+  loop:
+    - snap install core
+    - snap refresh core
+    - snap install --classic certbot
+
+- name: Création du certificat SSL
+  command: /snap/bin/certbot certonly --standalone -d  {{ inventory_hostname }} -m supervision@nereide.fr --agree-tos --non-interactive
@@ -0,0 +1,49 @@
+---
+- name: vérification des variables obligatoire
+  fail:
+    msg: |
+      il faut définir la variable `coturn_secret` pour utiliser ce role
+  when: coturn_secret is not defined
+
+- name: Installation de coturn
+  apt:
+    name:
+      - coturn
+    update_cache: true
+
+- name: Y-a-t un certificat SSL dans l'avion?
+  stat:
+    path: /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem
+  register: ssl_file
+
+- include_tasks: letsencrypt.yml
+  when: not ssl_file.stat.exists
+
+
+- name: Donne les droits a coturn de lire les certificats SSL
+  file:
+    path: "{{ item }}"
+    owner: turnserver
+    group: turnserver
+    state: directory
+    recurse: yes
+  loop:
+    - /etc/letsencrypt/live
+    - /etc/letsencrypt/archive
+
+- name: set la config coturn
+  template:
+    src: ../templates/turnserver.conf.j2
+    dest: /etc/turnserver.conf
+  notify: restart coturn
+
+- name: Ajout des capabilities à coturn
+  lineinfile:
+    path: /etc/systemd/system/coturn.service.d/override.conf
+    create: yes
+    line: |
+      [Service]
+      AmbientCapabilities=CAP_NET_BIND_SERVICE
+  notify: restart coturn
+
+
@@ -0,0 +1,36 @@
+# jitsi-meet coturn config. Do not modify this line
+use-auth-secret
+keep-address-family
+static-auth-secret={{ coturn_secret }}
+realm={{ inventory_hostname }}
+server-name={{ inventory_hostname }}
+cert=/etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem
+pkey=/etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem
+no-multicast-peers
+no-cli
+no-loopback-peers
+no-tcp-relay
+no-tcp
+listening-port=3478
+tls-listening-port=443
+no-tlsv1
+no-tlsv1_1
+# https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
+cipher-list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+# jitsi-meet coturn relay disable config. Do not modify this line
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
+syslog
@@ -0,0 +1,7 @@
+---
+- name: restart prosody
+  systemd:
+    name: prosody
+    state: restarted
+    daemon_reload: true
+    enabled: true
@@ -0,0 +1,35 @@
+---
+- name: vérification des variables obligatoire
+  fail:
+    msg: |
+      il faut définir les variables `coturn_hostname` et
+      `coturn_secret` pour utiliser ce role
+  when: (coturn_secret is not defined) or
+        (coturn_hostname is not defined)
+
+# Attention doit etre joué toujours avant la tache d'après
+# Car commente le paramètre `turncredentials_secret`
+# qui est ensuite renseigné par la tache suivante
+- name: indique a jitsi d'utiliser un coturn externe
+  replace:
+    path: /etc/prosody/conf.d/{{ inventory_hostname }}.cfg.lua
+    regexp: '{{ item[0] }}'
+    replace: '{{ item[1] }}'
+  loop:
+    - ['host = "{{ inventory_hostname }}"','host = "{{ coturn_hostname }}"']
+    - ['-- https_ports = { };','https_ports = { };']
+    - ['^external_service_secret =', '-- external_service_secret =']
+    - ['port = 3478','port = 443']
+    - ['port = 5349','port = 443']
+  notify: restart prosody
+
+- name: indique a jitsi les règles d'échange des credentials pour le coturn externe
+  blockinfile:
+    path: /etc/prosody/conf.d/{{ inventory_hostname }}.cfg.lua
+    marker: "-- {mark} ANSIBLE MANAGED BLOCK"
+    insertbefore: 'external_services = {'
+    block: |
+      external_service_secret = "{{ coturn_secret }}";
+      external_service_port = 443;
+      external_service_ttl = 86400;
+  notify: restart prosody
@@ -1,21 +1,10 @@
 ---
 - name:  Conf Jitsi - webcam en qualité medium par defaut
-  blockinfile:
+  lineinfile:
    path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
    marker: "// {mark} ANSIBLE MANAGED BLOCK"
-    insertafter: "[^?]// Video"
-    block: |
-        resolution: 360,
-        constraints: {
-          video: {
-            aspectRatio: 16 / 9,
-            height: {
-              ideal: 360,
-              max: 360,
-              min: 240
-            }
-          }
-        },
+    insertafter: "[^?]// resolution: 720,"
+    line: "resolution: 360,"

 - name: Conf Jitsi - Désactive l'effet floutage d'arrière plan
  replace: