From 38c5dc95bf71bc02b47c914505ce570b0771ab5b Mon Sep 17 00:00:00 2001 From: Antoine Ouvrard Date: Tue, 27 Apr 2021 10:19:53 +0000 Subject: [PATCH] Resolve "installation d'un coturn externe" --- group_vars/all/vault | 61 ++++++++++--------- host_vars/coturn.komuniki.fr.yml | 2 + host_vars/pp.jitsi.komuniki.fr.yml | 2 + host_vars/visio.imio.be.yml | 6 +- inventory_staging | 3 +- playbook_prod.yml | 4 ++ playbook_staging.yml | 7 +++ roles/coturn-install/handlers/main.yml | 8 +++ roles/coturn-install/tasks/letsencrypt.yml | 15 +++++ roles/coturn-install/tasks/main.yml | 49 +++++++++++++++ .../templates/turnserver.conf.j2 | 36 +++++++++++ .../handlers/main.yml | 7 +++ .../tasks/main.yml | 35 +++++++++++ .../tasks/main.yml | 17 +----- 14 files changed, 205 insertions(+), 47 deletions(-) create mode 100644 host_vars/coturn.komuniki.fr.yml create mode 100644 roles/coturn-install/handlers/main.yml create mode 100644 roles/coturn-install/tasks/letsencrypt.yml create mode 100644 roles/coturn-install/tasks/main.yml create mode 100644 roles/coturn-install/templates/turnserver.conf.j2 create mode 100644 roles/jitsi-enable-external-coturn/handlers/main.yml create mode 100644 roles/jitsi-enable-external-coturn/tasks/main.yml diff --git a/group_vars/all/vault b/group_vars/all/vault index c834b83..ebd51d1 100644 --- a/group_vars/all/vault +++ b/group_vars/all/vault 
@@ -1,30 +1,33 @@ $ANSIBLE_VAULT;1.1;AES256 -61333538356632383839336135343862353764643963663538313239376562666665613137353333 -3138326361613439353838396162653263383839376234390a643963343962313935373134313465 -66656662386135353434313935636135336336323833626666383931623665366264663438663134 -6237656662356632350a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a306239363535346436363930376665 +39643865613032386563323262313934353634633432333837613933663766303661363664333132 +3230326235373636380a663264376161616235636638383764343265373866323437393033633535 +66356235643963353265336633643438393136613630313339623764666339653934336631363664 +61623965396537326562326436346132613061326164353263376161313736323334373263623539 +64633136366632623138313066633664663739393236303862313236613333353730646462646433 +37393137313336313835343935633137663336373363663964353630353231643530336536326666 +63373833316337396166643465663966333037373863663533326133613830366631653561376631 +31386362343330313131366534613732396162343864623436646163613339383038303562353138 +37313334343363646639623161373339626365383034613432383335353261306130356465363066 +61626535306139393639643066653930646532336530653563393034353665366136363335353731 +65386439613331396339343630303031313565626264393532393739373531656436616634636630 +32376531323562653835396334306634623830336136313864653535323337346161363363376430 +34356133653631303138303337383238333835356238373261336465356538326439333537666533 +64383832353065383463643632343064663734613239613135663564343333373331623663326235 +62666362383962623833376331323930366361306132376131633066323935643763366336333036 +38323765383137663832613838353131353161336239656633373565333564316164376331393663 +62333565313531373539663932653530333663653431393333663436643363663433343266663064 +63373930343430393261343138363963663065393634663734636565616331343364666331313432 +66613931383765383766623662353831353538313932396332343030326137336438646432666534 
+38626533386666373961363838636639323230316632626635323266626139313462386638343137 +36663864626166383861633765343432373539333237303364656338616233383934336365623132 +38623637383366643063616339636633653538303663303364366436396562323835386433383534 +34653132303465356464643966303032646331653162373130333730616439336438333930623236 +37393036636237306165626563643165346461303861396165333937313030653933643630336163 +38353533626531383239336539633238333139633034353437356234626565343863656634623734 +64366636633938663165666530386634363637396535656232363039383936623065303033643166 +32393631656362373566633230393436313138396430383130643339633432363765373539313230 +34393236346332366462623466383463626432613931653961643730643330666662333838366466 +36353439363565653436616236353830633763353236353331623333306239653835393034343237 +33393937303630616136 diff --git a/host_vars/coturn.komuniki.fr.yml b/host_vars/coturn.komuniki.fr.yml new file mode 100644 index 0000000..69b5aca --- /dev/null +++ b/host_vars/coturn.komuniki.fr.yml @@ -0,0 +1,2 @@ +--- +coturn_secret: "{{ vault_coturn_secret }}" \ No newline at end of file diff --git a/host_vars/pp.jitsi.komuniki.fr.yml b/host_vars/pp.jitsi.komuniki.fr.yml index 2aa503b..855c804 100644 --- a/host_vars/pp.jitsi.komuniki.fr.yml +++ b/host_vars/pp.jitsi.komuniki.fr.yml @@ -2,3 +2,5 @@ ansible_user: root jitsi_logo: jitsi.komuniki.fr.svg jitsi_logo_url: https://komuniki.fr +coturn_hostname: coturn.komuniki.fr +coturn_secret: "{{ vault_coturn_secret }}" \ No newline at end of file diff --git a/host_vars/visio.imio.be.yml b/host_vars/visio.imio.be.yml index 42063e5..ecfe371 100644 --- a/host_vars/visio.imio.be.yml +++ b/host_vars/visio.imio.be.yml 
@@ -1,6 +1,6 @@
 ---
-jitsi_user: imio
-jitsi_pass: logiciellibre
 jitsi_logo: visio.imio.be.svg
 jitsi_logo_url: https://imio.be
-jitsi_mutidomain_domain: ['visio-cpas.be']
\ No newline at end of file
+jitsi_multidomain_domain: ['visio-cpas.be']
+coturn_hostname: origan.champs-libres.be
+coturn_secret: "{{ vault_coturn_secret }}"
\ No newline at end of file
diff --git a/inventory_staging b/inventory_staging
index 1e074e0..3967dc9 100644
--- a/inventory_staging
+++ b/inventory_staging
@@ -1,2 +1,3 @@
 pp.jitsi.komuniki.fr
-imio2.komuniki.fr ansible_user=root
\ No newline at end of file
+imio2.komuniki.fr ansible_user=root
+coturn.komuniki.fr ansible_user=root
\ No newline at end of file
diff --git a/playbook_prod.yml b/playbook_prod.yml
index 2a7596b..f8f97b8 100644
--- a/playbook_prod.yml
+++ b/playbook_prod.yml
@@ -7,6 +7,10 @@
 - role: jitsi-add-logo
 - role: jitsi-enable-video-optimisation
 - role: jitsi-enable-metrics
+ - role: jitsi-enable-prejoinPage
+ - role: jitsi-enable-external-coturn
+ - role: jitsi-enable-multidomain
+ - role: jitsi-enable-specific-imio
 tags:
 - imio
diff --git a/playbook_staging.yml b/playbook_staging.yml
index dff60c6..45bc59b 100644
--- a/playbook_staging.yml
+++ b/playbook_staging.yml
@@ -5,6 +5,7 @@
 - role: jitsi-pre-install
 - role: jitsi-install
 - role: jitsi-enable-prejoinPage
+ - role: jitsi-enable-external-coturn
 - role: jitsi-enable-metrics
 - role: jitsi-enable-fr-ln
 - role: jitsi-add-logo
@@ -22,3 +23,9 @@
 - role: jitsi-enable-specific-imio
 tags:
 - imio2
+
+- hosts: coturn.komuniki.fr
+ roles:
+ - role: coturn-install
+ tags:
+ - coturn.komki
\ No newline at end of file
diff --git a/roles/coturn-install/handlers/main.yml b/roles/coturn-install/handlers/main.yml
new file mode 100644
index 0000000..4ac752d
--- /dev/null
+++ b/roles/coturn-install/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+- name: restart coturn
+ systemd:
+ name: coturn
+ state: restarted
+ daemon_reload: true
+ enabled: true
+
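Review bot: `jitsi_pass: logiciellibre` was kept in plain text in this host_vars file and is only removed here, so it stays readable in the repository history; if that credential is still valid anywhere it should be rotated rather than treated as withdrawn. The new `coturn_secret: "{{ vault_coturn_secret }}"` reuses the vault variable that `host_vars/pp.jitsi.komuniki.fr.yml` and `host_vars/coturn.komuniki.fr.yml` also bind, although this host points at `origan.champs-libres.be` while the staging host points at `coturn.komuniki.fr`, so one static-auth-secret is shared between a production TURN server and a staging one and a leak on either side exposes both; a per-host vault variable (for example `coturn_secret: "{{ vault_coturn_secret_imio }}"`) would scope it. The rename to `jitsi_multidomain_domain` is a typo fix, but it is worth confirming the role that reads this variable was not itself expecting the old misspelling.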
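Review bot: The tag `coturn.komki` on the new play looks like a truncated `coturn.komuniki`, and unlike `imio2` above it contains a dot, so a plain `coturn` tag (or the host's full name) would be easier to select with `--tags`. The play is also appended after the jitsi play, so on a first full run `jitsi-enable-external-coturn` reconfigures prosody to use `coturn.komuniki.fr` before that host has been provisioned; placing this play before the jitsi play avoids the window in which the staging instance has no working TURN server.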
diff --git a/roles/coturn-install/tasks/letsencrypt.yml b/roles/coturn-install/tasks/letsencrypt.yml
new file mode 100644
index 0000000..3b0228a
--- /dev/null
+++ b/roles/coturn-install/tasks/letsencrypt.yml
@@ -0,0 +1,15 @@
+- name: Installation de snapd
+ apt:
+ name:
+ - snapd
+ state: present
+
+- name: Initialisation de snap et installtion de certbot (prendre bien 5min, soyez patient)
+ command: "{{ item }}"
+ loop:
+ - snap install core
+ - snap refresh core
+ - snap install --classic certbot
+
+- name: Création du certificat SSL
+ command: /snap/bin/certbot certonly --standalone -d {{ inventory_hostname }} -m supervision@nereide.fr --agree-tos --non-interactive
\ No newline at end of file
diff --git a/roles/coturn-install/tasks/main.yml b/roles/coturn-install/tasks/main.yml
new file mode 100644
index 0000000..848d7de
--- /dev/null
+++ b/roles/coturn-install/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+- name: vérification des variables obligatoire
+ fail:
+ msg: |
+ il faut définir la variable `coturn_secret` pour utiliser ce role
+ when: coturn_secret is not defined
+
+- name: Installation de coturn
+ apt:
+ name:
+ - coturn
+ update_cache: true
+
+- name: Y-a-t un certificat SSL dans l'avion?
+ stat:
+ path: /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem
+ register: ssl_file
+
+- include_tasks: letsencrypt.yml
+ when: not ssl_file.stat.exists
+
+
+- name: Donne les droits a coturn de lire les certificats SSL
+ file:
+ path: "{{ item }}"
+ owner: turnserver
+ group: turnserver
+ state: directory
+ recurse: yes
+ loop:
+ - /etc/letsencrypt/live
+ - /etc/letsencrypt/archive
+
+- name: set la config coturn
+ template:
+ src: ../templates/turnserver.conf.j2
+ dest: /etc/turnserver.conf
+ notify: restart coturn
+
+- name: Ajout des capabilities à coturn
+ lineinfile:
+ path: /etc/systemd/system/coturn.service.d/override.conf
+ create: yes
+ line: |
+ [Service]
+ AmbientCapabilities=CAP_NET_BIND_SERVICE
+ notify: restart coturn
+
+
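Review bot: The `certbot certonly` task issues the certificate once, but nothing in this role reloads coturn when certbot's scheduled renewal replaces the files, so unless the installed coturn version reloads certificates by itself the service keeps serving the old certificate until its next restart and fails TLS once that expires; adding `--deploy-hook 'systemctl restart coturn'` to the command covers renewals, which will also need port 80 reachable for the standalone challenge. The three `command` tasks re-run on every play (the `snap install` loop has no `creates:`), which is only acceptable because `main.yml` gates this file on the absence of `fullchain.pem`; `creates: /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem` on the certbot task would make the file safe to include on its own. The contact address `-m supervision@nereide.fr` is hard-coded in a role that is otherwise parameterised by `coturn_secret`; a `coturn_letsencrypt_email` variable would keep it out of the task.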
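Review bot: The `template` task renders `static-auth-secret` into `/etc/turnserver.conf` without `owner`, `group` or `mode`, so the file takes the default umask and the TURN shared secret is typically world-readable on the host; `owner: root`, `group: turnserver`, `mode: "0640"` keeps it readable by the service account only. The task that recursively chowns `/etc/letsencrypt/live` and `/etc/letsencrypt/archive` to `turnserver` hands the private key to the service account and is one-shot: files certbot creates at renewal are likely root-owned again, so coturn may lose access to the renewed key; granting group read instead (`group: turnserver` with `mode: g+rX`) or copying the key pair into a coturn-owned directory from a renewal hook avoids both problems. The systemd override uses `lineinfile` with a multi-line `line:`, which never matches an existing single line, so every run appends another `[Service]` stanza; `copy` with `content:` (or `ini_file`) is idempotent here. `src: ../templates/turnserver.conf.j2` can be just `turnserver.conf.j2`, since the role's templates directory is searched by default.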
diff --git a/roles/coturn-install/templates/turnserver.conf.j2 b/roles/coturn-install/templates/turnserver.conf.j2
new file mode 100644
index 0000000..a8d82ce
--- /dev/null
+++ b/roles/coturn-install/templates/turnserver.conf.j2
@@ -0,0 +1,36 @@
+# jitsi-meet coturn config. Do not modify this line
+use-auth-secret
+keep-address-family
+static-auth-secret={{ coturn_secret }}
+realm={{ inventory_hostname }}
+server-name={{ inventory_hostname }}
+cert=/etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem
+pkey=/etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem
+no-multicast-peers
+no-cli
+no-loopback-peers
+no-tcp-relay
+no-tcp
+listening-port=3478
+tls-listening-port=443
+no-tlsv1
+no-tlsv1_1
+# https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
+cipher-list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+# jitsi-meet coturn relay disable config. Do not modify this line
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
+syslog
\ No newline at end of file
diff --git a/roles/jitsi-enable-external-coturn/handlers/main.yml b/roles/jitsi-enable-external-coturn/handlers/main.yml
new file mode 100644
index 0000000..8c25b12
--- /dev/null
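Review bot: `denied-peer-ip=127.0.0.0-127.255.255.255` appears twice in the relay deny list (after `100.64.0.0` and again after `169.254.0.0`); the duplicate is harmless but suggests the list was pasted rather than reviewed, and dropping the second copy makes later additions easier to check. The list is IPv4-only, so if the host has a global IPv6 address, relaying to IPv6 loopback, link-local or unique-local peers is not blocked by this file; adding the IPv6 equivalents (starting with `denied-peer-ip=::1`) would close that gap. The comment `Do not modify this line` is inherited from the upstream jitsi template, where it marks lines the jitsi packages manage; in a template this role fully owns, a short note saying the file is generated by `coturn-install` would be more useful to the next operator.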
+++ b/roles/jitsi-enable-external-coturn/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: restart prosody
+ systemd:
+ name: prosody
+ state: restarted
+ daemon_reload: true
+ enabled: true
\ No newline at end of file
diff --git a/roles/jitsi-enable-external-coturn/tasks/main.yml b/roles/jitsi-enable-external-coturn/tasks/main.yml
new file mode 100644
index 0000000..2ea64b2
--- /dev/null
+++ b/roles/jitsi-enable-external-coturn/tasks/main.yml
@@ -0,0 +1,35 @@
+---
+- name: vérification des variables obligatoire
+ fail:
+ msg: |
+ il faut définir les variables `coturn_hostname` et
+ `coturn_secret` pour utiliser ce role
+ when: (coturn_secret is not defined) or
+ (coturn_hostname is not defined)
+
+# Attention doit etre joué toujours avant la tache d'après
+# Car commente le paramètre `turncredentials_secret`
+# qui est ensuite renseigné par la tache suivante
+- name: indique a jitsi d'utiliser un coturn externe
+ replace:
+ path: /etc/prosody/conf.d/{{ inventory_hostname }}.cfg.lua
+ regexp: '{{ item[0] }}'
+ replace: '{{ item[1] }}'
+ loop:
+ - ['host = "{{ inventory_hostname }}"','host = "{{ coturn_hostname }}"']
+ - ['-- https_ports = { };','https_ports = { };']
+ - ['^external_service_secret =', '-- external_service_secret =']
+ - ['port = 3478','port = 443']
+ - ['port = 5349','port = 443']
+ notify: restart prosody
+
+- name: indique a jitsi les règles d'échange des credentials pour le coturn externe
+ blockinfile:
+ path: /etc/prosody/conf.d/{{ inventory_hostname }}.cfg.lua
+ marker: "-- {mark} ANSIBLE MANAGED BLOCK"
+ insertbefore: 'external_services = {'
+ block: |
+ external_service_secret = "{{ coturn_secret }}";
+ external_service_port = 443;
+ external_service_ttl = 86400;
+ notify: restart prosody
diff --git a/roles/jitsi-enable-video-optimisation/tasks/main.yml b/roles/jitsi-enable-video-optimisation/tasks/main.yml
index 03895e0..b86867d 100644
--- a/roles/jitsi-enable-video-optimisation/tasks/main.yml
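Review bot: The `replace` entry `^external_service_secret =` → `-- external_service_secret =` also matches the line the following `blockinfile` task inserts (its block starts at column 0 with `external_service_secret = "…";`), so on every run after the first the first task comments the managed line, the second restores it, and prosody is restarted each time; the comment above the task acknowledges the ordering coupling but not this re-run churn. Setting the secret in place with one `lineinfile` (`regexp: '^(-- )?external_service_secret ='`, `line: 'external_service_secret = "{{ coturn_secret }}";'`) removes both the ordering dependency and the churn, leaving `blockinfile` for the port and ttl lines. The entries `port = 3478` → `port = 443` and `port = 5349` → `port = 443` rewrite every matching port in the file, presumably including the STUN and UDP TURN entries, while the coturn template in this commit still serves UDP on `listening-port=3478`; only the `turns` entry should move to 443, so the regexps should be anchored on the entry they target (verify against the generated prosody config). The `host = "{{ inventory_hostname }}"` regexp interpolates the hostname unescaped; `{{ inventory_hostname | regex_escape }}` keeps the dots literal.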
+++ b/roles/jitsi-enable-video-optimisation/tasks/main.yml
@@ -1,21 +1,10 @@
 ---
 - name: Conf Jitsi - webcam en qualité medium par defaut
- blockinfile:
+ lineinfile:
 path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
 marker: "// {mark} ANSIBLE MANAGED BLOCK"
- insertafter: "[^?]// Video"
- block: |
- resolution: 360,
- constraints: {
- video: {
- aspectRatio: 16 / 9,
- height: {
- ideal: 360,
- max: 360,
- min: 240
- }
- }
- },
+ insertafter: "[^?]// resolution: 720,"
+ line: "resolution: 360,"
 - name: Conf Jitsi - Désactive l'effet floutage d'arrière plan
 replace:
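Review bot: `marker:` is a `blockinfile` option that survived the switch to `lineinfile`, which has no such parameter, so this task fails with an unsupported-parameter error before anything else in the role runs; drop the `marker: "// {mark} ANSIBLE MANAGED BLOCK"` line. Hosts already configured by the previous version still carry the old managed block (`resolution: 360,` plus the `constraints` object between the `// BEGIN` and `// END ANSIBLE MANAGED BLOCK` markers) and nothing here removes it, so those hosts end up with the block and the new line both present; a preceding `blockinfile` task with the same `marker` and `state: absent` would clean that up. Without `regexp:` the task only checks for the exact line `resolution: 360,` and otherwise inserts it again after the `// resolution: 720,` match, so an indented copy of the setting is not recognised; `regexp: '^\s*resolution: \d+,'` would make the task replace rather than append.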