Resolve "installation d'un coturn externe"

2021-04-27 10:19:53 +00:00
parent 7c4cf16d05
commit 38c5dc95bf
14 changed files with 205 additions and 47 deletions
@@ -0,0 +1,8 @@
+---
+- name: restart coturn
+  systemd:
+    name: coturn
+    state: restarted
+    daemon_reload: true
+    enabled: true
+
@@ -0,0 +1,15 @@
+- name: Installation de snapd
+  apt:
+    name:
+      - snapd
+    state: present
+
+- name: Initialisation de snap et installtion de certbot (prendre bien 5min, soyez patient)
+  command: "{{ item }}"
+  loop:
+    - snap install core
+    - snap refresh core
+    - snap install --classic certbot
+
+- name: Création du certificat SSL
+  command: /snap/bin/certbot certonly --standalone -d  {{ inventory_hostname }} -m supervision@nereide.fr --agree-tos --non-interactive
@@ -0,0 +1,49 @@
+---
+- name: vérification des variables obligatoire
+  fail:
+    msg: |
+      il faut définir la variable `coturn_secret` pour utiliser ce role
+  when: coturn_secret is not defined
+
+- name: Installation de coturn
+  apt:
+    name:
+      - coturn
+    update_cache: true
+
+- name: Y-a-t un certificat SSL dans l'avion?
+  stat:
+    path: /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem
+  register: ssl_file
+
+- include_tasks: letsencrypt.yml
+  when: not ssl_file.stat.exists
+
+
+- name: Donne les droits a coturn de lire les certificats SSL
+  file:
+    path: "{{ item }}"
+    owner: turnserver
+    group: turnserver
+    state: directory
+    recurse: yes
+  loop:
+    - /etc/letsencrypt/live
+    - /etc/letsencrypt/archive
+
+- name: set la config coturn
+  template:
+    src: ../templates/turnserver.conf.j2
+    dest: /etc/turnserver.conf
+  notify: restart coturn
+
+- name: Ajout des capabilities à coturn
+  lineinfile:
+    path: /etc/systemd/system/coturn.service.d/override.conf
+    create: yes
+    line: |
+      [Service]
+      AmbientCapabilities=CAP_NET_BIND_SERVICE
+  notify: restart coturn
+
+
@@ -0,0 +1,36 @@
+# jitsi-meet coturn config. Do not modify this line
+use-auth-secret
+keep-address-family
+static-auth-secret={{ coturn_secret }}
+realm={{ inventory_hostname }}
+server-name={{ inventory_hostname }}
+cert=/etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem
+pkey=/etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem
+no-multicast-peers
+no-cli
+no-loopback-peers
+no-tcp-relay
+no-tcp
+listening-port=3478
+tls-listening-port=443
+no-tlsv1
+no-tlsv1_1
+# https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
+cipher-list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+# jitsi-meet coturn relay disable config. Do not modify this line
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
+syslog
@@ -0,0 +1,7 @@
+---
+- name: restart prosody
+  systemd:
+    name: prosody
+    state: restarted
+    daemon_reload: true
+    enabled: true
@@ -0,0 +1,35 @@
+---
+- name: vérification des variables obligatoire
+  fail:
+    msg: |
+      il faut définir les variables `coturn_hostname` et
+      `coturn_secret` pour utiliser ce role
+  when: (coturn_secret is not defined) or
+        (coturn_hostname is not defined)
+
+# Attention doit etre joué toujours avant la tache d'après
+# Car commente le paramètre `turncredentials_secret`
+# qui est ensuite renseigné par la tache suivante
+- name: indique a jitsi d'utiliser un coturn externe
+  replace:
+    path: /etc/prosody/conf.d/{{ inventory_hostname }}.cfg.lua
+    regexp: '{{ item[0] }}'
+    replace: '{{ item[1] }}'
+  loop:
+    - ['host = "{{ inventory_hostname }}"','host = "{{ coturn_hostname }}"']
+    - ['-- https_ports = { };','https_ports = { };']
+    - ['^external_service_secret =', '-- external_service_secret =']
+    - ['port = 3478','port = 443']
+    - ['port = 5349','port = 443']
+  notify: restart prosody
+
+- name: indique a jitsi les règles d'échange des credentials pour le coturn externe
+  blockinfile:
+    path: /etc/prosody/conf.d/{{ inventory_hostname }}.cfg.lua
+    marker: "-- {mark} ANSIBLE MANAGED BLOCK"
+    insertbefore: 'external_services = {'
+    block: |
+      external_service_secret = "{{ coturn_secret }}";
+      external_service_port = 443;
+      external_service_ttl = 86400;
+  notify: restart prosody
@@ -1,21 +1,10 @@
 ---
 - name:  Conf Jitsi - webcam en qualité medium par defaut
-  blockinfile:
+  lineinfile:
    path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
    marker: "// {mark} ANSIBLE MANAGED BLOCK"
-    insertafter: "[^?]// Video"
-    block: |
-        resolution: 360,
-        constraints: {
-          video: {
-            aspectRatio: 16 / 9,
-            height: {
-              ideal: 360,
-              max: 360,
-              min: 240
-            }
-          }
-        },
+    insertafter: "[^?]// resolution: 720,"
+    line: "resolution: 360,"

 - name: Conf Jitsi - Désactive l'effet floutage d'arrière plan
  replace: