From 465876051e22fb7f986ff4ab7329c741382857bf Mon Sep 17 00:00:00 2001
From: Antoine Ouvrard
Date: Wed, 15 Apr 2020 12:16:23 +0200
Subject: [PATCH] ajout de la machine entrouvert

---
 inventory_prod | 1 +
 inventory_test | 2 -
 playbook_prod.yml | 6 +++
 roles/common/files/jitsi-letsencrypt.sh | 49 +++++++++----------------
 4 files changed, 24 insertions(+), 34 deletions(-)

diff --git a/inventory_prod b/inventory_prod
index 7408399..f757566 100644
--- a/inventory_prod
+++ b/inventory_prod
@@ -1,3 +1,4 @@
 visio2.nereide.fr ansible_user=root
 visio443.champs-libres.be ansible_user=debian ansible_become=true
 visio.imio.be ansible_user=debian ansible_become=true
+jitsi.entrouvert.com ansible_user=root
diff --git a/inventory_test b/inventory_test
index f9790ef..5b82a5a 100644
--- a/inventory_test
+++ b/inventory_test
@@ -1,4 +1,2 @@
-visio.imio.be
 visio.nereide.fr
-visio.entrouvert.com
 pp.visio.nereide.fr ansible_user=root
diff --git a/playbook_prod.yml b/playbook_prod.yml
index 82c0cac..6bbff89 100644
--- a/playbook_prod.yml
+++ b/playbook_prod.yml
@@ -19,3 +19,9 @@
 hostname: visio443.champs-libres.be
 tags:
 - cl
+
+- hosts: jitsi.entrouvert.com
+ roles:
+ - role: common
+ tags:
+ - eo
diff --git a/roles/common/files/jitsi-letsencrypt.sh b/roles/common/files/jitsi-letsencrypt.sh
index c05e089..13e2968 100644
--- a/roles/common/files/jitsi-letsencrypt.sh
+++ b/roles/common/files/jitsi-letsencrypt.sh
@@ -14,6 +14,8 @@ echo "- Download certbot-auto from https://dl.eff.org to /usr/local/sbin"
 echo "- Install additional dependencies in order to request Let’s Encrypt certificate"
 echo "- If running with jetty serving web content, will stop Jitsi Videobridge"
 echo "- Configure and reload nginx or apache2, whichever is used"
+echo "- Configure the coturn server to use Let's Encrypt certificate and add required deploy hooks"
+echo "- Add command in weekly cron job to renew certificates regularly"
 echo ""
 echo "You need to agree to the ACME server's Subscriber Agreement (https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf) "
 echo "by providing an email address for important account notifications"
@@ -41,10 +43,21 @@ CERT_CRT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
 if [ -f /etc/nginx/sites-enabled/$DOMAIN.conf ] ; then
+ TURN_CONFIG="/etc/turnserver.conf"
+ TURN_HOOK=/etc/letsencrypt/renewal-hooks/deploy/0000-coturn-certbot-deploy.sh
+ if [ -f $TURN_CONFIG ] && grep -q "jitsi-meet coturn config" "$TURN_CONFIG" ; then
+ mkdir -p $(dirname $TURN_HOOK)
+
+ cp /usr/share/jitsi-meet-turnserver/coturn-certbot-deploy.sh $TURN_HOOK
+ chmod u+x $TURN_HOOK
+ sed -i "s/jitsi-meet.example.com/$DOMAIN/g" $TURN_HOOK
+ fi
+
 ./certbot-auto certonly --noninteractive \
 --webroot --webroot-path /usr/share/jitsi-meet \
 -d $DOMAIN \
- --agree-tos --email $EMAIL
+ --agree-tos --email $EMAIL \
+ --deploy-hook $TURN_HOOK
 echo "Configuring nginx"
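Review bot: `--deploy-hook $TURN_HOOK` is passed to certbot-auto unconditionally, but the hook script is only created inside the `if [ -f $TURN_CONFIG ] && grep -q "jitsi-meet coturn config" ...` block, so on a host without the jitsi-meet coturn config certbot is handed a path to a file that does not exist and the request will most likely fail at hook validation or at deploy time. Make the option conditional: set `DEPLOY_HOOK_OPT=""` before the block, `DEPLOY_HOOK_OPT="--deploy-hook $TURN_HOOK"` inside it after the `chmod`, and end the certbot call with `--agree-tos --email $EMAIL $DEPLOY_HOOK_OPT` (left unquoted on purpose so it splits into two words, or empty). The `$TURN_HOOK` and `$TURN_CONFIG` expansions on the `mkdir`, `cp`, `chmod`, `sed` and `-f` lines are unquoted while the `grep` line already quotes `"$TURN_CONFIG"`; the paths contain no whitespace today, but quoting them consistently costs nothing. The enclosing `if [ -f /etc/nginx/sites-enabled/$DOMAIN.conf ]` branch continues past the end of this hunk.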
@@ -60,16 +73,6 @@ if [ -f /etc/nginx/sites-enabled/$DOMAIN.conf ] ; then
 echo "service nginx reload" >> $CRON_FILE
 service nginx reload
-
- TURN_CONFIG="/etc/turnserver.conf"
- if [ -f $TURN_CONFIG ] && grep -q "jitsi-meet coturn config" "$TURN_CONFIG" ; then
- echo "Configuring turnserver"
- sed -i "s/cert=\/etc\/jitsi\/meet\/.*crt/cert=$CERT_CRT_ESC/g" $TURN_CONFIG
- sed -i "s/pkey=\/etc\/jitsi\/meet\/.*key/pkey=$CERT_KEY_ESC/g" $TURN_CONFIG
-
- echo "service coturn restart" >> $CRON_FILE
- service coturn restart
- fi
 elif [ -f /etc/apache2/sites-enabled/$DOMAIN.conf ] ; then
 ./certbot-auto certonly --noninteractive \
@@ -91,25 +94,7 @@ elif [ -f /etc/apache2/sites-enabled/$DOMAIN.conf ] ; then
 echo "service apache2 reload" >> $CRON_FILE
 service apache2 reload
-else
- service jitsi-videobridge stop
-
- ./certbot-auto certonly --noninteractive \
- --standalone \
- -d $DOMAIN \
- --agree-tos --email $EMAIL
-
- echo "Configuring jetty"
-
- CERT_P12="/etc/jitsi/videobridge/$DOMAIN.p12"
- CERT_JKS="/etc/jitsi/videobridge/$DOMAIN.jks"
- # create jks from certs
- openssl pkcs12 -export \
- -in $CERT_CRT -inkey $CERT_KEY -passout pass:changeit > $CERT_P12
- keytool -importkeystore -destkeystore $CERT_JKS \
- -srckeystore $CERT_P12 -srcstoretype pkcs12 \
- -noprompt -storepass changeit -srcstorepass changeit
-
- service jitsi-videobridge start
-
 fi
+
+# the cron file that will renew certificates
+chmod a+x $CRON_FILE
\ No newline at end of file
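Review bot: With the `else` branch deleted, a host that has neither an nginx nor an apache2 site file for `$DOMAIN` now falls straight through the `if`/`elif` to `chmod a+x $CRON_FILE` without requesting any certificate, and the script exits successfully having done nothing. Replace the removed branch with a guard: `else`, `    echo "No nginx or apache2 site configuration found for $DOMAIN, aborting" >&2`, `    exit 1`. The usage text kept as context in the first hunk, `echo "- If running with jetty serving web content, will stop Jitsi Videobridge"`, describes exactly the standalone/jetty path this hunk removes and should be dropped with it. The file also loses its trailing newline (`\ No newline at end of file`), which is worth restoring. `CRON_FILE` is assigned outside this hunk, so whether the file exists when neither branch runs cannot be confirmed from here.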