Merge branch '4-parametrage-multi-domaine' into 'master'

Resolve "migration Jitsi IMIO"

Closes #4 et #9

See merge request 10031/visio!6

README.md

@@ -1,13 +1,30 @@
-# Gestion du mot de passe principal ansible-vault
+# Depot ansible de gestion des configurations pour les jitsi et BBB géré par Néréide
+## Gestion du mot de passe principal ansible-vault
 
  * Demander-le via mattermost à Antoine ou Samuel de Néréide.
  * Puis copier le dans le fichier vault_passwd à la racine du projet `echo "motdepassevault" > vault-pass` et il sera pris automatiquement par ansible
 
-# Jitsi
+## TIPS
 
-## Installation
+### Installation d'un BBB
+Installé à l'aide du script officiel fournit ici : 
+https://docs.bigbluebutton.org/2.2/install.html#bbb-installsh
 
-## Connexion LDAP
+### Ajout d'un compte administrateur BBB
+`docker exec greenlight-v2 bundle exec rake user:create["LOGIN","MAIL","PASS","admin"]`
+
+### Modifier l'URL d'une room BBB
+``` sh
+docker exec -it greenlight-v2 bash
+bundle exec rails c
+Room.find_by(uid: "CURRENT_ROOM_ID").update_attribute(:uid, "NEW_CUSTOM_ID")
+```
+
+### Liens utiles
+Page qui liste différents paramétrages possible de BBB
+ * https://gitlab.com/MaadiX/bbb-tuning/-/wikis/Big-Blue-Button-Custom-settings
+
+### Connexion LDAP LE pour Jitsi
 
 On suit la solution 'ldap2' proposée par la communauté :
 https://github.com/jitsi/jitsi-meet/wiki/LDAP-Authentication
@@ -30,27 +47,4 @@ ldap = {
         namefield = 'cn',
     },
 }
-```
+```
-
-# BigBlueButton
-
-## Installation
-Installé à l'aide du script officiel fournit ici : 
-https://docs.bigbluebutton.org/2.2/install.html#bbb-installsh
-
-## Ajout d'un compte administrateur
-`docker exec greenlight-v2 bundle exec rake user:create["LOGIN","MAIL","PASS","admin"]`
-
-## Connexion LDAP
-utiliser le role `bbb-enable-ldap-LE` dans le fichier playbook_prod.yml pour votre machine
-
-## Modifier l'URL d'une room
-``` sh
-docker exec -it greenlight-v2 bash
-bundle exec rails c
-Room.find_by(uid: "CURRENT_ROOM_ID").update_attribute(:uid, "NEW_CUSTOM_ID")
-```
-
-## Liens utiles
-Page qui liste différents paramétrages possible de BBB
- * https://gitlab.com/MaadiX/bbb-tuning/-/wikis/Big-Blue-Button-Custom-settings

host_vars/imio2.komuniki.fr.yml

@@ -0,0 +1,4 @@
+---
+jitsi_logo: visio.imio.be.svg
+jitsi_logo_url: https://imio.be
+jitsi_multidomain_domain: ['imio2-cpas.komuniki.fr']

host_vars/visio.imio.be.yml

@@ -2,4 +2,5 @@
 jitsi_user: imio
 jitsi_pass: logiciellibre
 jitsi_logo: visio.imio.be.svg
-jitsi_logo_url: https://imio.be
+jitsi_logo_url: https://imio.be
+jitsi_mutidomain_domain: ['visio-cpas.be']

inventory_staging

@@ -1 +1,2 @@
 pp.jitsi.komuniki.fr
+imio2.komuniki.fr ansible_user=root

playbook_staging.yml

@@ -12,3 +12,13 @@
   tags:
     - ppkomki
 
+- hosts: imio2.komuniki.fr
+  roles:
+    - role: jitsi-pre-install
+    - role: jitsi-install
+    - role: jitsi-enable-fr-ln
+    - role: jitsi-add-logo
+    - role: jitsi-enable-multidomain
+    - role: jitsi-enable-specific-imio
+  tags:
+    - imio2

roles/jitsi-enable-multidomain/handlers/main.yml

@@ -0,0 +1,12 @@
+---
+- name: restart jitsi-videobridge2
+  systemd:
+    name: jitsi-videobridge2
+    state: restarted
+    enabled: true
+
+- name: restart nginx
+  systemd:
+    name: nginx
+    state: restarted
+    enabled: true

roles/jitsi-enable-multidomain/tasks/jitsi.yml

@@ -0,0 +1,9 @@
+---
+- name: Conf Jitsi MultiDomain - rend l'url bosh dynamique dans la conf js
+  replace:
+    path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
+    regexp: '[^?]{{ inventory_hostname }}/http-bind'
+    replace: '<!--# echo var="http_host" -->/<!--# echo var="subdir" default="" -->http-bind'
+  notify:
+    - restart jitsi-videobridge2
+    - restart nginx

roles/jitsi-enable-multidomain/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+- include_tasks: nginx.yml
+  loop: "{{ jitsi_multidomain_domain }}"
+  loop_control:
+    loop_var: hostname
+- include_tasks: ssl.yml
+- include_tasks: jitsi.yml

roles/jitsi-enable-multidomain/tasks/nginx.yml

@@ -0,0 +1,39 @@
+---
+- name: Check that the somefile.conf exists
+  stat:
+    path: /etc/nginx/sites-available/{{ hostname }}.conf
+  register: nginx_file
+
+- name: Conf Jitsi MultiDomain - Duplication de la conf nginx
+  copy:
+    src: /etc/nginx/sites-available/{{ inventory_hostname }}.conf
+    dest: /etc/nginx/sites-available/{{ hostname }}.conf
+    remote_src: yes
+  when: not nginx_file.stat.exists
+
+- name: Conf Jitsi MultiDomain - Change le ServerName des conf nginx
+  replace:
+    path: /etc/nginx/sites-available/{{ hostname }}.conf
+    regexp: "[^?]server_name {{ inventory_hostname }}"
+    replace: "server_name {{ hostname }}"
+
+- name: Conf Jitsi MultiDomain - surcharge le header proxy
+  replace:
+    path: /etc/nginx/sites-available/{{ hostname }}.conf
+    regexp: '[^?]\$http_host'
+    replace: ' {{ inventory_hostname }}'
+
+- name: Conf Jitsi MultiDomain - suppression du paramètre server_names_hash_bucket_size car génère une erreur si en doublon
+  lineinfile:
+    path: /etc/nginx/sites-available/{{ hostname }}.conf
+    state: absent
+    regexp: '^server_names_hash_bucket_size'
+
+- name: Activation des nouvelles conf nginx
+  file:
+    src: /etc/nginx/sites-available/{{ hostname }}.conf
+    dest: /etc/nginx/sites-enabled/{{ hostname }}.conf
+    state: link
+  notify:
+    - restart jitsi-videobridge2
+    - restart nginx

roles/jitsi-enable-multidomain/tasks/ssl.yml

@@ -0,0 +1,43 @@
+---
+- name: Check that the somefile.conf exists
+  stat:
+    path: /usr/share/jitsi-meet/scripts/install-letsencrypt-cert-with-param.sh
+  register: ssl_file
+
+- name: Conf SSL MultiDomain - Duplication du script Let's Encrypt d'origine
+  copy:
+    src: /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh
+    dest: /usr/share/jitsi-meet/scripts/install-letsencrypt-cert-with-param.sh
+    mode: u+x
+    remote_src: yes
+  when: not ssl_file.stat.exists
+
+- name: Conf SSL MultiDomain - rend le nom de domaine paramétrable dans le script certbot de jitsi
+  replace:
+    path: /usr/share/jitsi-meet/scripts/install-letsencrypt-cert-with-param.sh
+    regexp: '^DOMAIN="\${DEB_CONF_RESULT##\*:}"'
+    replace: "DOMAIN=$1"
+
+- name: Conf SSL MultiDomain - Exécution du script lets encrypt
+  shell:
+    cmd: "/usr/share/jitsi-meet/scripts/install-letsencrypt-cert-with-param.sh {{ item }}"
+    creates: /etc/letsencrypt/live/{{ item }}/fullchain.pem # Execute le script que si ce fichier n'existe pas
+  loop: "{{ jitsi_multidomain_domain }}"
+
+- name: Conf Jitsi MultiDomain - Change le ServerName des conf nginx
+  replace:
+    path: /etc/nginx/sites-available/{{ item }}.conf
+    regexp: "[^?]ssl_certificate /etc/letsencrypt/live/{{ inventory_hostname }}.*$"
+    replace: "ssl_certificate /etc/letsencrypt/live/{{ item }}/fullchain.pem;"
+  loop: "{{ jitsi_multidomain_domain }}"
+  notify:
+    - restart nginx
+
+- name: Conf Jitsi MultiDomain - Change le ServerName des conf nginx
+  replace:
+    path: /etc/nginx/sites-available/{{ item }}.conf
+    regexp: "[^?]ssl_certificate_key /etc/letsencrypt/live/{{ inventory_hostname }}.*$"
+    replace: "ssl_certificate_key /etc/letsencrypt/live/{{ item }}/privkey.pem;"
+  loop: "{{ jitsi_multidomain_domain }}"
+  notify:
+    - restart nginx

roles/jitsi-enable-specific-imio/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: reload nginx
+  systemd:
+    name: nginx
+    state: reloaded

roles/jitsi-enable-specific-imio/tasks/main.yml

@@ -0,0 +1,66 @@
+---
+- name: création du répertoire pour recevoir les fichiers statiques de IMIO
+  file:
+    path: /usr/share/jitsi-meet/static-imio
+    state: directory
+
+- name: personnalise la config nginx de l'accès jitsi principal
+  blockinfile:
+    path: /etc/nginx/sites-enabled/{{ inventory_hostname }}.conf
+    marker: "# {mark} ANSIBLE MANAGED BLOCK"
+    insertafter: "gzip_min_length 512;"
+    block: |
+      ### Pages static
+        location = /rgpd {
+            try_files /static-imio/imio-rgpd.html =404;
+        }
+
+        location ~ ^/$ {
+            try_files /static-imio/imio-index.html =404;
+        }
+
+        location ~ ^/static-imio/(.*)$ {
+          alias /usr/share/jitsi-meet/static-imio/$1;
+        }
+  notify:
+    - reload nginx
+
+- name: personnalise la config nginx de l'accès à cpas
+  blockinfile:
+    path: /etc/nginx/sites-enabled/{{ jitsi_multidomain_domain[0] }}.conf
+    marker: "# {mark} ANSIBLE MANAGED BLOCK"
+    insertafter: "gzip_min_length 512;"
+    block: |
+      #### Pages static
+          location = /cpas {
+            try_files /static-imio/cpas-cpas.html =404;
+          }
+
+          location = /rgpd {
+              try_files /static-imio/cpas-rgpd.html =404;
+          }
+
+          location ~ ^/$ {
+            try_files /static-imio/cpas-index.html =404;
+          }
+
+          location ~ ^/static-imio/(.*)$ {
+            alias /usr/share/jitsi-meet/static-imio/$1;
+          }
+  notify:
+    - reload nginx
+
+- name: gestion du cookie la config nginx
+  blockinfile:
+    path: /etc/nginx/sites-enabled/{{ item }}.conf
+    marker: "# {mark} ANSIBLE MANAGED COOKIE BLOCK"
+    insertbefore: 'try_files \$uri @root_path'
+    block: |
+        # Ajout du cookie
+        set $room $1;
+        if ($http_cookie !~* "rgpd") {
+           return 302 $scheme://$host/rgpd?room=$room;
+        }
+  loop: "{{ jitsi_multidomain_domain }}"
+  notify:
+    - reload nginx

roles/jitsi-install/tasks/main.yml

@@ -12,7 +12,7 @@
       EMAIL=supervision@nereide.fr
 
 - name: Exécution du script lets encrypt
-  shell: 
+  shell:
     cmd: /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh >> jitsi-le.log
     creates: /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem # Execute le script que si ce fichier n'existe pas