Merge branch '6-execution-des-roles-plus-flexible' into 'master'

Resolve "execution des roles plus flexible"

Closes #6

See merge request 10031/visio!8

inventory_staging

@@ -1,2 +1,3 @@
 visio.nereide.fr
 pp.visio.nereide.fr ansible_user=root
+pp.imio.nereide.fr ansible_user=root

playbook_prod.yml

@@ -1,20 +1,32 @@
 ---
 - hosts: visio.imio.be
   roles:
-    - role: common
+    - role: jitsi-pre-install
+    - role: jitsi-install
+    - role: jitsi-enable-LE
+    - role: jitsi-enable-UIandCamTricks
+    - role: jitsi-enable-stats
   tags:
     - imio
 
 - hosts: visio2.nereide.fr
   roles:
-    - role: common
+    - role: jitsi-pre-install
-    - role: auth
+    - role: jitsi-install
+    - role: jitsi-enable-LE
+    - role: jitsi-enable-UIandCamTricks
+    - role: jitsi-enable-stats
+    - role: jitsi-enable-auth
   tags:
     - nrd
 
 - hosts: visio443.champs-libres.be
   roles:
-    - role: common
+    - role: jitsi-pre-install
+    - role: jitsi-install
+    - role: jitsi-enable-LE
+    - role: jitsi-enable-UIandCamTricks
+    - role: jitsi-enable-stats
       vars:
         hostname: visio443.champs-libres.be
   tags:
@@ -22,6 +34,8 @@
 
 - hosts: jitsi.entrouvert.com
   roles:
-    - role: common
+    - role: jitsi-pre-install
+    - role: jitsi-enable-LE
+    - role: jitsi-enable-UIandCamTricks
   tags:
     - eo

playbook_staging.yml

@@ -0,0 +1,36 @@
+#Roles possible:
+#    - role: jitsi-pre-install
+#    - role: jitsi-install
+#    - role: jitsi-enable-LE
+#    - role: jitsi-enable-UIandCamTricks
+#    - role: jitsi-enable-stats
+#    - role: jitsi-enable-auth
+
+---
+- hosts: pp.visio.nereide.fr
+  roles:
+    - role: jitsi-pre-install
+  tags:
+    - ppnrd-pre-install
+
+- hosts: pp.visio.nereide.fr
+  roles:
+    - role: jitsi-enable-LE
+    - role: jitsi-enable-UIandCamTricks
+    - role: jitsi-enable-stats
+  tags:
+    - ppnrd-post-install
+
+- hosts: pp.imio.nereide.fr
+  roles:
+    - role: jitsi-pre-install
+  tags:
+    - ppimio-pre-install
+
+- hosts: pp.imio.nereide.fr
+  roles:
+    - role: jitsi-enable-LE
+    - role: jitsi-enable-UIandCamTricks
+    - role: jitsi-enable-stats
+  tags:
+    - ppimio-post-install

playbook_test.yml

@@ -1,7 +0,0 @@
----
-- hosts: pp.visio.nereide.fr
-  roles:
-    - role: common
-    - role: auth
-  tags:
-    - ppnrd

roles/common/files/jitsi-letsencrypt.sh

@@ -1,100 +0,0 @@
-#!/bin/bash
-
-set -e
-
-DEB_CONF_RESULT=`debconf-show jitsi-meet-web-config | grep jvb-hostname`
-DOMAIN="${DEB_CONF_RESULT##*:}"
-# remove whitespace
-DOMAIN="$(echo -e "${DOMAIN}" | tr -d '[:space:]')"
-
-echo "-------------------------------------------------------------------------"
-echo "This script will:"
-echo "- Need a working DNS record pointing to this machine(for domain ${DOMAIN})"
-echo "- Download certbot-auto from https://dl.eff.org to /usr/local/sbin"
-echo "- Install additional dependencies in order to request Let’s Encrypt certificate"
-echo "- If running with jetty serving web content, will stop Jitsi Videobridge"
-echo "- Configure and reload nginx or apache2, whichever is used"
-echo "- Configure the coturn server to use Let's Encrypt certificate and add required deploy hooks"
-echo "- Add command in weekly cron job to renew certificates regularly"
-echo ""
-echo "You need to agree to the ACME server's Subscriber Agreement (https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf) "
-echo "by providing an email address for important account notifications"
-
-#echo -n "Enter your email and press [ENTER]: "
-#read EMAIL
-EMAIL=supervision@nereide.fr
-
-cd /usr/local/sbin
-
-if [ ! -f certbot-auto ] ; then
-  wget https://dl.eff.org/certbot-auto
-  chmod a+x ./certbot-auto
-fi
-
-CRON_FILE="/etc/cron.weekly/letsencrypt-renew"
-if [ ! -d "/etc/cron.weekly" ] ; then
-    mkdir "/etc/cron.weekly"
-fi
-echo "#!/bin/bash" > $CRON_FILE
-echo "/usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log" >> $CRON_FILE
-
-CERT_KEY="/etc/letsencrypt/live/$DOMAIN/privkey.pem"
-CERT_CRT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
-
-if [ -f /etc/nginx/sites-enabled/$DOMAIN.conf ] ; then
-
-    TURN_CONFIG="/etc/turnserver.conf"
-    TURN_HOOK=/etc/letsencrypt/renewal-hooks/deploy/0000-coturn-certbot-deploy.sh
-    if [ -f $TURN_CONFIG ] && grep -q "jitsi-meet coturn config" "$TURN_CONFIG" ; then
-        mkdir -p $(dirname $TURN_HOOK)
-
-        cp /usr/share/jitsi-meet-turnserver/coturn-certbot-deploy.sh $TURN_HOOK
-        chmod u+x $TURN_HOOK
-        sed -i "s/jitsi-meet.example.com/$DOMAIN/g" $TURN_HOOK
-    fi
-
-    ./certbot-auto certonly --noninteractive \
-    --webroot --webroot-path /usr/share/jitsi-meet \
-    -d $DOMAIN \
-    --agree-tos --email $EMAIL \
-    --deploy-hook $TURN_HOOK
-
-    echo "Configuring nginx"
-
-    CONF_FILE="/etc/nginx/sites-available/$DOMAIN.conf"
-    CERT_KEY_ESC=$(echo $CERT_KEY | sed 's/\./\\\./g')
-    CERT_KEY_ESC=$(echo $CERT_KEY_ESC | sed 's/\//\\\//g')
-    sed -i "s/ssl_certificate_key\ \/etc\/jitsi\/meet\/.*key/ssl_certificate_key\ $CERT_KEY_ESC/g" \
-        $CONF_FILE
-    CERT_CRT_ESC=$(echo $CERT_CRT | sed 's/\./\\\./g')
-    CERT_CRT_ESC=$(echo $CERT_CRT_ESC | sed 's/\//\\\//g')
-    sed -i "s/ssl_certificate\ \/etc\/jitsi\/meet\/.*crt/ssl_certificate\ $CERT_CRT_ESC/g" \
-        $CONF_FILE
-
-    echo "service nginx reload" >> $CRON_FILE
-    service nginx reload
-elif [ -f /etc/apache2/sites-enabled/$DOMAIN.conf ] ; then
-
-    ./certbot-auto certonly --noninteractive \
-    --webroot --webroot-path /usr/share/jitsi-meet \
-    -d $DOMAIN \
-    --agree-tos --email $EMAIL
-
-    echo "Configuring apache2"
-
-    CONF_FILE="/etc/apache2/sites-available/$DOMAIN.conf"
-    CERT_KEY_ESC=$(echo $CERT_KEY | sed 's/\./\\\./g')
-    CERT_KEY_ESC=$(echo $CERT_KEY_ESC | sed 's/\//\\\//g')
-    sed -i "s/SSLCertificateKeyFile\ \/etc\/jitsi\/meet\/.*key/SSLCertificateKeyFile\ $CERT_KEY_ESC/g" \
-        $CONF_FILE
-    CERT_CRT_ESC=$(echo $CERT_CRT | sed 's/\./\\\./g')
-    CERT_CRT_ESC=$(echo $CERT_CRT_ESC | sed 's/\//\\\//g')
-    sed -i "s/SSLCertificateFile\ \/etc\/jitsi\/meet\/.*crt/SSLCertificateFile\ $CERT_CRT_ESC/g" \
-        $CONF_FILE
-
-    echo "service apache2 reload" >> $CRON_FILE
-    service apache2 reload
-fi
-
-# the cron file that will renew certificates
-chmod a+x $CRON_FILE

roles/common/tasks/main.yml

@@ -1,6 +0,0 @@
----
-- include_tasks: sys_conf.yml
-- include_tasks: jitsi_install.yml
-- include_tasks: jitsi_conf.yml
-- include_tasks: jitsi_stats.yml
-

roles/common/tasks/sys_conf.yml

@@ -1,35 +0,0 @@
----
-- name: Installation de fail2ban et nftables
-  apt:
-    pkg:
-      - fail2ban
-      - nftables
-    update_cache: true
-    state: present
-
-- name: Appliquation des règles de ban ssh
-  template:
-    src: ../files/jail.conf
-    dest: /etc/fail2ban/jail.d/jail.conf
-  notify:
-    - restart fail2ban
-
-- name: Création du répertoire pour la surcharge systemd
-  file:
-    name: /etc/systemd/system/fail2ban.service.d
-    state: directory
-
-- name: Règle de base pour nftables
-  template:
-    src: ../files/service-override.conf
-    dest: /etc/systemd/system/fail2ban.service.d/override.conf
-
-- name: Déploiement des règles nftables (base)
-  tags:
-    - nftables
-  template:
-    src: ../files/nftables.conf
-    dest: /etc/nftables.conf
-  notify:
-    - restart nftables
-    - restart fail2ban

roles/jitsi-enable-LE/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+- name: Conf let's encrypt - désactivation de la demande du mail de supervision
+  replace:
+    path: /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh
+    regexp: "^read EMAIL"
+    replace: |
+      #read EMAIL
+      EMAIL=supervision@nereide.fr
+
+- name: Exécution du script lets encrypt
+  shell: /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh >> jitsi-le.log

roles/jitsi-enable-UIandCamTricks/tasks/main.yml

@@ -1,25 +1,17 @@
 ---
-- name: Configuration de let's encrypt
-  script: files/jitsi-letsencrypt.sh > jitsi-letsencrypt.log
-
 - name: Conf Jitsi - UI en fr
   lineinfile:
     path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
     insertafter: "[^?]// defaultLanguage: 'en'"
     line: "    defaultLanguage: 'fr',"
 
-- name: Conf Jitsi - webcam en qualité medium par defaut 1/2
+- name:  Conf Jitsi - webcam en qualité medium par defaut
-  lineinfile:
-    path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
-    insertafter: "[^?]// resolution: 720"
-    line: "    resolution: 360,"
-
-- name:  Conf Jitsi - webcam en qualité medium par defaut 2/2
   blockinfile:
     path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
     marker: "// {mark} ANSIBLE MANAGED BLOCK"
-    insertafter: "// ratio of 16:9 with an ideal resolution of 720."
+    insertafter: "[^?]// Video"
     block: |
+        resolution: 360,
         constraints: {
           video: {
             aspectRatio: 16 / 9,

roles/jitsi-install/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+- name: installation de jitsi
+  apt:
+    name: jitsi-meet

roles/jitsi-pre-install/files/nftables.conf

@@ -24,7 +24,7 @@ table inet myfilter {
                 # accepte tout le traffic ssh peut importe l'origine
                 tcp dport 22 accept
                 # accepte le traffic tcp depuis le reste du monde si la cible est un des ports http, https, smtp
-                tcp dport {25, 80, 443} accept
+                tcp dport {80, 443} accept
                 # ouvre les port udp I/O 10000 et 44446 pour jitsi
                 udp dport {10000, 4446} accept
                 udp sport {10000, 4446} accept

roles/jitsi-pre-install/tasks/main.yml

@@ -1,11 +1,41 @@
 ---
-- name: installation de gpg si requis
+- name: Installation de fail2ban, nftables, gnupg2, apt-transport-https
   apt:
     name:
+      - fail2ban
+      - nftables
       - gnupg2
       - apt-transport-https
+    update_cache: true
     state: present
 
+- name: Appliquation des règles de ban ssh
+  template:
+    src: ../files/jail.conf
+    dest: /etc/fail2ban/jail.d/jail.conf
+  notify:
+    - restart fail2ban
+
+- name: Création du répertoire pour la surcharge systemd
+  file:
+    name: /etc/systemd/system/fail2ban.service.d
+    state: directory
+
+- name: Règle de base pour nftables
+  template:
+    src: ../files/fail2ban-override.conf
+    dest: /etc/systemd/system/fail2ban.service.d/override.conf
+
+- name: Déploiement des règles nftables (base)
+  tags:
+    - nftables
+  template:
+    src: ../files/nftables.conf
+    dest: /etc/nftables.conf
+  notify:
+    - restart nftables
+    - restart fail2ban
+
 - name: Ajout de la clé GPG pour le depot jitsi
   apt_key:
     url: http://download.jitsi.org/jitsi-key.gpg.key
@@ -31,7 +61,3 @@
     question: jitsi-meet/cert-choice
     value: "Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)"
     vtype: string
-
-- name: installation de jitsi
-  apt:
-    name: jitsi-meet