antoine/visio_nrd
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fusion des role jitsi-install et jitsi-pre-install

Browse Source
This commit is contained in:
Antoine Ouvrard
2021-05-04 15:08:47 +02:00
parent 9dcdc63326
commit 5edcb56305
8 changed files with 53 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files
roles/jitsi-install/files/fail2ban-override.conf
+7
View File
@@ -0,0 +1,7 @@
[Unit]
After=nftables.service
PartOf=nftables.service
[Service]
ExecStartPre=nft add table inet filter
ExecStartPre=nft add chain inet filter input { type filter hook input priority 0; policy accept; }
roles/jitsi-install/files/jail.conf
+10
View File
@@ -0,0 +1,10 @@
[DEFAULT]
backend = systemd
banaction = nftables-multiport
# 92.154.111.181 - IP des bureaux de nereide
ignoreip = 127.0.0.1 92.154.111.181
findtime = 1h
bantime = 1d
maxretry = 3
roles/jitsi-install/files/nftables.conf
+35
View File
@@ -0,0 +1,35 @@
#!/usr/sbin/nftables -f
flush ruleset
# family `inet` c'est pour ipv4/ipv6
table inet myfilter {
chain myglobal {
# par défaut on accepte tous les paquets entrant
type filter hook input priority 0; policy accept;
# accepte les ping (mais pas plus de 1 par seconde)
ip protocol icmp icmp type { echo-request, echo-reply } limit rate 1/second accept
ip protocol icmp icmp type { echo-request, echo-reply } drop
ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply } limit rate 1/second accept
ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply } drop
# on accepte tout le reste du traffic icmp
ip protocol icmp accept
ip6 nexthdr icmpv6 accept
# accepte le traffic qui vient de nous
ct state established,related accept
ct state invalid drop
# accepte le traffic localhost
iif lo accept
# accepte tout le traffic ssh peut importe l'origine
tcp dport 22 accept
# accepte le traffic tcp depuis le reste du monde si la cible est un des ports http, https, smtp
tcp dport {80, 443} accept
# ouvre les port udp I/O 10000 et 44446 pour jitsi
udp dport {10000, 4446} accept
udp sport {10000, 4446} accept
# count and drop any other traffic
counter drop
}
}
roles/jitsi-install/handlers/main.yml
+13
View File
@@ -0,0 +1,13 @@
---
- name: restart fail2ban
systemd:
name: fail2ban
state: restarted
daemon_reload: true
enabled: true
- name: restart nftables
systemd:
name: nftables
state: restarted
enabled: true
roles/jitsi-install/tasks/main.yml
+52
View File
@@ -1,4 +1,56 @@
---
- name: Installation des prérequis
apt:
name:
- sshguard
- ufw
- gnupg2
- nginx-full
update_cache: true
state: present
- name: Mise en place des règle firewall tcp et udp
# source : https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart#setup-and-configure-your-firewall
ufw:
state: enabled
rule: allow
port: '{{ item[0] }}'
proto: '{{ item[1] }}'
loop:
- ['80', 'tcp']
- ['443', 'tcp']
- ['4443', 'tcp']
- ['22', 'tcp']
- ['10000', 'udp']
- ['3478', 'udp']
- ['5349', 'tcp']
- ['5222', 'tcp'] # XMPP port for recorder
- name: Import de la clé GPG # source: https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart#add-the-jitsi-package-repository
apt_key:
id: FFD65A0DA2BEBDEB73D44C8BB4D2D216F1FD7806
url: https://download.jitsi.org/jitsi-key.gpg.key
keyring: /etc/apt/trusted.gpg.d/jitsi.gpg
- name: Ajout du depot jitsi
apt_repository:
repo: deb [signed-by=/etc/apt/trusted.gpg.d/jitsi.gpg] https://download.jitsi.org stable/
update_cache: true
- name: Application du hostname avant installation
debconf:
name: jitsi-meet-web-config
question: jitsi-videobridge/jvb-hostname
value: '{{ inventory_hostname }}'
vtype: string
- name: On veut un certificat autogénéré
debconf:
name: jitsi-meet-web-config
question: jitsi-meet/cert-choice
value: "Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)"
vtype: string
- name: installation de jitsi
apt:
name: jitsi-meet