antoine/visio_nrd
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch '6-execution-des-roles-plus-flexible' into 'master'

Browse Source 
Resolve "execution des roles plus flexible"

Closes #6

See merge request 10031/visio!8
This commit is contained in:
Antoine Ouvrard
2020-04-20 21:00:39 +02:00
parent 465876051e dd883c8c1a
commit 6c43fa10e1
18 changed files with 106 additions and 170 deletions
Download Patch File Download Diff File Expand all files Collapse all files
inventory_test → inventory_staging
+1
View File
@@ -1,2 +1,3 @@
visio.nereide.fr
pp.visio.nereide.fr ansible_user=root
pp.imio.nereide.fr ansible_user=root
playbook_prod.yml
+19 -5
View File
@@ -1,20 +1,32 @@
---
- hosts: visio.imio.be
roles:
- role: common
- role: jitsi-pre-install
- role: jitsi-install
- role: jitsi-enable-LE
- role: jitsi-enable-UIandCamTricks
- role: jitsi-enable-stats
tags:
- imio
- hosts: visio2.nereide.fr
roles:
- role: common
- role: auth
- role: jitsi-pre-install
- role: jitsi-install
- role: jitsi-enable-LE
- role: jitsi-enable-UIandCamTricks
- role: jitsi-enable-stats
- role: jitsi-enable-auth
tags:
- nrd
- hosts: visio443.champs-libres.be
roles:
- role: common
- role: jitsi-pre-install
- role: jitsi-install
- role: jitsi-enable-LE
- role: jitsi-enable-UIandCamTricks
- role: jitsi-enable-stats
vars:
hostname: visio443.champs-libres.be
tags:
@@ -22,6 +34,8 @@
- hosts: jitsi.entrouvert.com
roles:
- role: common
- role: jitsi-pre-install
- role: jitsi-enable-LE
- role: jitsi-enable-UIandCamTricks
tags:
- eo
playbook_staging.yml
+36
View File
@@ -0,0 +1,36 @@
#Roles possible:
# - role: jitsi-pre-install
# - role: jitsi-install
# - role: jitsi-enable-LE
# - role: jitsi-enable-UIandCamTricks
# - role: jitsi-enable-stats
# - role: jitsi-enable-auth
---
- hosts: pp.visio.nereide.fr
roles:
- role: jitsi-pre-install
tags:
- ppnrd-pre-install
- hosts: pp.visio.nereide.fr
roles:
- role: jitsi-enable-LE
- role: jitsi-enable-UIandCamTricks
- role: jitsi-enable-stats
tags:
- ppnrd-post-install
- hosts: pp.imio.nereide.fr
roles:
- role: jitsi-pre-install
tags:
- ppimio-pre-install
- hosts: pp.imio.nereide.fr
roles:
- role: jitsi-enable-LE
- role: jitsi-enable-UIandCamTricks
- role: jitsi-enable-stats
tags:
- ppimio-post-install
playbook_test.yml
-7
View File
@@ -1,7 +0,0 @@
---
- hosts: pp.visio.nereide.fr
roles:
- role: common
- role: auth
tags:
- ppnrd
roles/common/files/jitsi-letsencrypt.sh
-100
View File
@@ -1,100 +0,0 @@
#!/bin/bash
set -e
DEB_CONF_RESULT=`debconf-show jitsi-meet-web-config | grep jvb-hostname`
DOMAIN="${DEB_CONF_RESULT##*:}"
# remove whitespace
DOMAIN="$(echo -e "${DOMAIN}" | tr -d '[:space:]')"
echo "-------------------------------------------------------------------------"
echo "This script will:"
echo "- Need a working DNS record pointing to this machine(for domain ${DOMAIN})"
echo "- Download certbot-auto from https://dl.eff.org to /usr/local/sbin"
echo "- Install additional dependencies in order to request Lets Encrypt certificate"
echo "- If running with jetty serving web content, will stop Jitsi Videobridge"
echo "- Configure and reload nginx or apache2, whichever is used"
echo "- Configure the coturn server to use Let's Encrypt certificate and add required deploy hooks"
echo "- Add command in weekly cron job to renew certificates regularly"
echo ""
echo "You need to agree to the ACME server's Subscriber Agreement (https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf) "
echo "by providing an email address for important account notifications"
#echo -n "Enter your email and press [ENTER]: "
#read EMAIL
EMAIL=supervision@nereide.fr
cd /usr/local/sbin
if [ ! -f certbot-auto ] ; then
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
fi
CRON_FILE="/etc/cron.weekly/letsencrypt-renew"
if [ ! -d "/etc/cron.weekly" ] ; then
mkdir "/etc/cron.weekly"
fi
echo "#!/bin/bash" > $CRON_FILE
echo "/usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log" >> $CRON_FILE
CERT_KEY="/etc/letsencrypt/live/$DOMAIN/privkey.pem"
CERT_CRT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
if [ -f /etc/nginx/sites-enabled/$DOMAIN.conf ] ; then
TURN_CONFIG="/etc/turnserver.conf"
TURN_HOOK=/etc/letsencrypt/renewal-hooks/deploy/0000-coturn-certbot-deploy.sh
if [ -f $TURN_CONFIG ] && grep -q "jitsi-meet coturn config" "$TURN_CONFIG" ; then
mkdir -p $(dirname $TURN_HOOK)
cp /usr/share/jitsi-meet-turnserver/coturn-certbot-deploy.sh $TURN_HOOK
chmod u+x $TURN_HOOK
sed -i "s/jitsi-meet.example.com/$DOMAIN/g" $TURN_HOOK
fi
./certbot-auto certonly --noninteractive \
--webroot --webroot-path /usr/share/jitsi-meet \
-d $DOMAIN \
--agree-tos --email $EMAIL \
--deploy-hook $TURN_HOOK
echo "Configuring nginx"
CONF_FILE="/etc/nginx/sites-available/$DOMAIN.conf"
CERT_KEY_ESC=$(echo $CERT_KEY | sed 's/\./\\\./g')
CERT_KEY_ESC=$(echo $CERT_KEY_ESC | sed 's/\//\\\//g')
sed -i "s/ssl_certificate_key\ \/etc\/jitsi\/meet\/.*key/ssl_certificate_key\ $CERT_KEY_ESC/g" \
$CONF_FILE
CERT_CRT_ESC=$(echo $CERT_CRT | sed 's/\./\\\./g')
CERT_CRT_ESC=$(echo $CERT_CRT_ESC | sed 's/\//\\\//g')
sed -i "s/ssl_certificate\ \/etc\/jitsi\/meet\/.*crt/ssl_certificate\ $CERT_CRT_ESC/g" \
$CONF_FILE
echo "service nginx reload" >> $CRON_FILE
service nginx reload
elif [ -f /etc/apache2/sites-enabled/$DOMAIN.conf ] ; then
./certbot-auto certonly --noninteractive \
--webroot --webroot-path /usr/share/jitsi-meet \
-d $DOMAIN \
--agree-tos --email $EMAIL
echo "Configuring apache2"
CONF_FILE="/etc/apache2/sites-available/$DOMAIN.conf"
CERT_KEY_ESC=$(echo $CERT_KEY | sed 's/\./\\\./g')
CERT_KEY_ESC=$(echo $CERT_KEY_ESC | sed 's/\//\\\//g')
sed -i "s/SSLCertificateKeyFile\ \/etc\/jitsi\/meet\/.*key/SSLCertificateKeyFile\ $CERT_KEY_ESC/g" \
$CONF_FILE
CERT_CRT_ESC=$(echo $CERT_CRT | sed 's/\./\\\./g')
CERT_CRT_ESC=$(echo $CERT_CRT_ESC | sed 's/\//\\\//g')
sed -i "s/SSLCertificateFile\ \/etc\/jitsi\/meet\/.*crt/SSLCertificateFile\ $CERT_CRT_ESC/g" \
$CONF_FILE
echo "service apache2 reload" >> $CRON_FILE
service apache2 reload
fi
# the cron file that will renew certificates
chmod a+x $CRON_FILE
roles/common/tasks/main.yml
-6
View File
@@ -1,6 +0,0 @@
---
- include_tasks: sys_conf.yml
- include_tasks: jitsi_install.yml
- include_tasks: jitsi_conf.yml
- include_tasks: jitsi_stats.yml
roles/common/tasks/sys_conf.yml
-35
View File
@@ -1,35 +0,0 @@
---
- name: Installation de fail2ban et nftables
apt:
pkg:
- fail2ban
- nftables
update_cache: true
state: present
- name: Appliquation des règles de ban ssh
template:
src: ../files/jail.conf
dest: /etc/fail2ban/jail.d/jail.conf
notify:
- restart fail2ban
- name: Création du répertoire pour la surcharge systemd
file:
name: /etc/systemd/system/fail2ban.service.d
state: directory
- name: Règle de base pour nftables
template:
src: ../files/service-override.conf
dest: /etc/systemd/system/fail2ban.service.d/override.conf
- name: Déploiement des règles nftables (base)
tags:
- nftables
template:
src: ../files/nftables.conf
dest: /etc/nftables.conf
notify:
- restart nftables
- restart fail2ban
roles/jitsi-enable-LE/tasks/main.yml
+11
View File
@@ -0,0 +1,11 @@
---
- name: Conf let's encrypt - désactivation de la demande du mail de supervision
replace:
path: /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh
regexp: "^read EMAIL"
replace: |
#read EMAIL
EMAIL=supervision@nereide.fr
- name: Exécution du script lets encrypt
shell: /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh >> jitsi-le.log
roles/common/tasks/jitsi_conf.yml → roles/jitsi-enable-UIandCamTricks/tasks/main.yml
+3 -11
View File
@@ -1,25 +1,17 @@
---
- name: Configuration de let's encrypt
script: files/jitsi-letsencrypt.sh > jitsi-letsencrypt.log
- name: Conf Jitsi - UI en fr
lineinfile:
path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
insertafter: "[^?]// defaultLanguage: 'en'"
line: " defaultLanguage: 'fr',"
- name: Conf Jitsi - webcam en qualité medium par defaut 1/2
lineinfile:
path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
insertafter: "[^?]// resolution: 720"
line: " resolution: 360,"
- name: Conf Jitsi - webcam en qualité medium par defaut 2/2
- name: Conf Jitsi - webcam en qualité medium par defaut
blockinfile:
path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
marker: "// {mark} ANSIBLE MANAGED BLOCK"
insertafter: "// ratio of 16:9 with an ideal resolution of 720."
insertafter: "[^?]// Video"
block: |
resolution: 360,
constraints: {
video: {
aspectRatio: 16 / 9,
roles/auth/handlers/main.yml → roles/jitsi-enable-auth/handlers/main.yml
View File
roles/auth/tasks/main.yml → roles/jitsi-enable-auth/tasks/main.yml
View File
roles/common/tasks/jitsi_stats.yml → roles/jitsi-enable-stats/tasks/main.yml
View File
roles/jitsi-install/tasks/main.yml
+4
View File
@@ -0,0 +1,4 @@
---
- name: installation de jitsi
apt:
name: jitsi-meet
roles/common/files/service-override.conf → roles/jitsi-pre-install/files/fail2ban-override.conf
View File
roles/common/files/jail.conf → roles/jitsi-pre-install/files/jail.conf
View File
roles/common/files/nftables.conf → roles/jitsi-pre-install/files/nftables.conf
+1 -1
View File
@@ -24,7 +24,7 @@ table inet myfilter {
# accepte tout le traffic ssh peut importe l'origine
tcp dport 22 accept
# accepte le traffic tcp depuis le reste du monde si la cible est un des ports http, https, smtp
tcp dport {25, 80, 443} accept
tcp dport {80, 443} accept
# ouvre les port udp I/O 10000 et 44446 pour jitsi
udp dport {10000, 4446} accept
udp sport {10000, 4446} accept
roles/common/handlers/main.yml → roles/jitsi-pre-install/handlers/main.yml
View File
roles/common/tasks/jitsi_install.yml → roles/jitsi-pre-install/tasks/main.yml
+31 -5
View File
@@ -1,11 +1,41 @@
---
- name: installation de gpg si requis
- name: Installation de fail2ban, nftables, gnupg2, apt-transport-https
apt:
name:
- fail2ban
- nftables
- gnupg2
- apt-transport-https
update_cache: true
state: present
- name: Appliquation des règles de ban ssh
template:
src: ../files/jail.conf
dest: /etc/fail2ban/jail.d/jail.conf
notify:
- restart fail2ban
- name: Création du répertoire pour la surcharge systemd
file:
name: /etc/systemd/system/fail2ban.service.d
state: directory
- name: Règle de base pour nftables
template:
src: ../files/fail2ban-override.conf
dest: /etc/systemd/system/fail2ban.service.d/override.conf
- name: Déploiement des règles nftables (base)
tags:
- nftables
template:
src: ../files/nftables.conf
dest: /etc/nftables.conf
notify:
- restart nftables
- restart fail2ban
- name: Ajout de la clé GPG pour le depot jitsi
apt_key:
url: http://download.jitsi.org/jitsi-key.gpg.key
@@ -31,7 +61,3 @@
question: jitsi-meet/cert-choice
value: "Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)"
vtype: string
- name: installation de jitsi
apt:
name: jitsi-meet