authorChristian Pointner <equinox@spreadspace.org>2021-03-21 15:55:10 +0100
committerChristian Pointner <equinox@spreadspace.org>2021-03-21 15:55:10 +0100
commit891c7dc3cd11bd3e8a11ed19672bb057787d36c2 (patch)
tree9f7b43b1421c9f3e71aa718c036c309fcd3ff4c5
parentadd some ssh keys for linuxtage (diff)
add mumble to glt-coturn
-rw-r--r--inventory/host_vars/glt-coturn.yml12
-rw-r--r--roles/apps/mumble/defaults/main.yml18
-rw-r--r--roles/apps/mumble/tasks/main.yml87
-rw-r--r--roles/apps/mumble/templates/acmetool-reload.sh.j231
-rw-r--r--roles/apps/mumble/templates/config.ini.j210
-rw-r--r--roles/apps/mumble/templates/pod-spec.yml.j231
-rw-r--r--spreadspace/glt-coturn.yml1
-rw-r--r--spreadspace/host_vars/glt-coturn.yml21
8 files changed, 202 insertions, 9 deletions
diff --git a/inventory/host_vars/glt-coturn.yml b/inventory/host_vars/glt-coturn.yml
index 5511d75a..859c1ccd 100644
--- a/inventory/host_vars/glt-coturn.yml
+++ b/inventory/host_vars/glt-coturn.yml
@@ -27,3 +27,15 @@ coturn_auth_secret: "{{ vault_coturn_auth_secret }}"
coturn_listening_port: 3478
coturn_tls_listening_port: 443
coturn_install_nginx_vhost: no
+
+
+mumble_version: 1.3.4
+mumble_instance: linuxtage.at
+mumble_hostnames:
+ - mumble.linuxtage.at
+
+mumble_superuser_password: "{{ vault_mumble_superuser_password }}"
+
+mumble_config_options:
+ bonjour: false
+ welcometext: "Willkommen im Mumble der Grazer Linuxtage <br>Intercom für Helfer und Orga während der GLT21"
diff --git a/roles/apps/mumble/defaults/main.yml b/roles/apps/mumble/defaults/main.yml
new file mode 100644
index 00000000..01f4ef94
--- /dev/null
+++ b/roles/apps/mumble/defaults/main.yml
@@ -0,0 +1,18 @@
+---
+mumble_uid: 910
+mumble_gid: 910
+mumble_base_path: /srv/mumble
+
+# mumble_version: 1.3.4
+# mumble_instance: example.com
+# mumble_hostnames:
+# - mumble.example.com
+
+# mumble_superuser_password: secret
+
+mumble_dhparam_size: 2048
+
+mumble_timezone: "Europe/Vienna"
+
+mumble_config_options:
+ bonjour: false
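Review bot: The commented-out examples for mumble_version, mumble_instance, mumble_hostnames and mumble_superuser_password leave it implicit that the role fails on an undefined variable if the host does not set them; a one-line comment above that group would make the contract explicit, e.g. `# required per host (no default): mumble_version, mumble_instance, mumble_hostnames, mumble_superuser_password`. Since mumble_superuser_password ends up as a container environment value in the pod manifest, the comment could also point to the vault-backed pattern the inventory already uses rather than the literal `secret` example.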
diff --git a/roles/apps/mumble/tasks/main.yml b/roles/apps/mumble/tasks/main.yml
new file mode 100644
index 00000000..0e16e54b
--- /dev/null
+++ b/roles/apps/mumble/tasks/main.yml
@@ -0,0 +1,87 @@
+---
+- name: add group for mumble
+ group:
+ name: mumble
+ gid: "{{ mumble_gid }}"
+
+- name: add user for mumble
+ user:
+ name: mumble
+ uid: "{{ mumble_uid }}"
+ group: mumble
+ password: "!"
+
+- name: create mumble config subdirectory
+ file:
+ path: "{{ mumble_base_path }}/{{ mumble_instance }}/config"
+ state: directory
+
+- name: create mumble config
+ template:
+ src: config.ini.j2
+ dest: "{{ mumble_base_path }}/{{ mumble_instance }}/config/config.ini"
+ group: mumble
+ mode: 0640
+
+- name: create mumble ssl subdirectory
+ file:
+ path: "{{ mumble_base_path }}/{{ mumble_instance }}/config/ssl"
+ state: directory
+ owner: root
+ group: mumble
+ mode: 0750
+
+- name: generate Diffie-Hellman parameters
+ openssl_dhparam:
+ path: "{{ mumble_base_path }}/{{ mumble_instance }}/config/ssl/dhparams.pem"
+ size: "{{ mumble_dhparam_size }}"
+ owner: root
+ group: mumble
+ mode: 0644
+
+- name: install acmetool hook script
+ template:
+ src: acmetool-reload.sh.j2
+ dest: "/etc/acme/hooks/mumble-{{ mumble_instance }}"
+ mode: 0755
+
+- name: install acmetool systemd unit snippet
+ copy:
+ dest: "/etc/systemd/system/acmetool.service.d/mumble-{{ mumble_instance }}.conf"
+ content: |
+ [Service]
+ ReadWritePaths={{ mumble_base_path }}/{{ mumble_instance }}/config/ssl
+ register: mumble_acmetool_snippet
+
+- name: reload systemd
+ when: mumble_acmetool_snippet is changed
+ systemd:
+ daemon_reload: yes
+
+- name: get certificate using acmetool
+ import_role:
+ name: acmetool/cert
+ vars:
+ acmetool_cert_name: "mumble-{{ mumble_instance }}"
+ acmetool_cert_hostnames: "{{ mumble_hostnames }}"
+
+- name: create mumble database directory
+ file:
+ path: "{{ mumble_base_path }}/{{ mumble_instance }}/db"
+ state: directory
+ owner: mumble
+ group: mumble
+ mode: 0750
+
+- name: install pod manifest
+ vars:
+ kubernetes_standalone_pod:
+ name: "mumble-{{ mumble_instance }}"
+ spec: "{{ lookup('template', 'pod-spec.yml.j2') }}"
+ mode: "0600"
+ config_hash_items:
+ - path: "{{ mumble_base_path }}/{{ mumble_instance }}/config/config.ini"
+ properties:
+ - checksum
+ include_role:
+ name: kubernetes/standalone/pod
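Review bot: File modes are written as bare octal literals (`mode: 0640`, `0750`, `0644`, `0755`) in the template, file and openssl_dhparam tasks, while the pod manifest task at the end of the same file uses the quoted form `mode: "0600"`; pick one style for the file, and the quoted form is the safer one because a leading-zero literal depends on the YAML parser treating it as octal. The same applies to `daemon_reload: yes` in the reload task, which should be `daemon_reload: true`. The config.ini template task sets `group: mumble` and a group-readable mode but no `owner`, so ownership presumably falls to the connecting user; stating `owner: root` explicitly would match the ssl subdirectory and dhparams tasks and keep the intent visible.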
diff --git a/roles/apps/mumble/templates/acmetool-reload.sh.j2 b/roles/apps/mumble/templates/acmetool-reload.sh.j2
new file mode 100644
index 00000000..e3b8dbb7
--- /dev/null
+++ b/roles/apps/mumble/templates/acmetool-reload.sh.j2
@@ -0,0 +1,31 @@
+#!/bin/sh
+set -e
+EVENT_NAME="$1"
+[ "$EVENT_NAME" = "live-updated" ] || exit 42
+
+MAIN_HOSTNAME="{{ mumble_hostnames[0] }}"
+SSL_D="{{ mumble_base_path }}/{{ mumble_instance }}/config/ssl"
+
+while read name; do
+ certdir="$ACME_STATE_DIR/live/$name"
+ if [ -z "$name" -o ! -e "$certdir" ]; then
+ continue
+ fi
+ if [ "$name" != "$MAIN_HOSTNAME" ]; then
+ continue
+ fi
+
+ install -m 0644 -o root -g mumble "$certdir/fullchain" "$SSL_D/cert.pem"
+ install -m 0640 -o root -g mumble "$certdir/privkey" "$SSL_D/privkey.pem"
+
+{% if kubernetes_cri_socket %}
+ export CONTAINER_RUNTIME_ENDPOINT="{{ kubernetes_cri_socket }}"
+{% endif %}
+ pod_id=$(crictl pods -q --state ready --name "^mumble-{{ mumble_instance }}-{{ ansible_nodename }}$")
+ [ -n "$pod_id" ] || exit 42
+ container_id=$(crictl ps -q --name '^mumble$' -p "$pod_id")
+ [ -n "$container_id" ] || exit 42
+ crictl exec "$container_id" kill -USR1 1
+
+ break
+done
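Review bot: `while read name; do` reads hostnames without `-r`, so a backslash in the input would be interpreted rather than kept, and the test `[ -z "$name" -o ! -e "$certdir" ]` uses the obsolescent `-o` operator; prefer `while read -r name; do` and `if [ -z "$name" ] || [ ! -e "$certdir" ]; then`. Under `set -e`, a failing `crictl pods` or `crictl ps` inside the command substitution terminates the script with crictl's own exit status rather than the `exit 42` used for the deliberate "nothing to do" paths, which may matter if the caller distinguishes those statuses — worth confirming against acmetool's hook contract. The `{% if kubernetes_cri_socket %}` block assumes that variable is always defined on hosts using this role; if it can be absent, a `is defined and` guard would be safer.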
diff --git a/roles/apps/mumble/templates/config.ini.j2 b/roles/apps/mumble/templates/config.ini.j2
new file mode 100644
index 00000000..c182492d
--- /dev/null
+++ b/roles/apps/mumble/templates/config.ini.j2
@@ -0,0 +1,10 @@
+database=/srv/mumble/db/murmur.sqlite
+
+sslCert=/etc/mumble/ssl/cert.pem
+sslKey=/etc/mumble/ssl/privkey.pem
+sslDHParams=/etc/mumble/ssl/dhparams.pem
+sslCiphers="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES128:!RSA:!ADH:!AECDH:!MD5"
+
+{% for opt, value in mumble_config_options.items() %}
+{{ opt }}={{ value }}
+{% endfor %}
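Review bot: The loop over mumble_config_options is rendered after the fixed `database`, `sslCert`, `sslKey`, `sslDHParams` and `sslCiphers` keys, so a host that sets one of those names in mumble_config_options presumably overrides the path that the pod's volume mounts depend on, silently; either document this above the loop, e.g. `{# options rendered here can override the fixed keys above #}`, or move the loop above the fixed keys so the mount-bound paths always win. Boolean values such as `bonjour: false` render as Python's `False`; murmur appears to accept that, but it is worth confirming rather than relying on lenient parsing.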
diff --git a/roles/apps/mumble/templates/pod-spec.yml.j2 b/roles/apps/mumble/templates/pod-spec.yml.j2
new file mode 100644
index 00000000..5308e72c
--- /dev/null
+++ b/roles/apps/mumble/templates/pod-spec.yml.j2
@@ -0,0 +1,31 @@
+securityContext:
+ allowPrivilegeEscalation: false
+ runAsUser: {{ mumble_uid }}
+ runAsGroup: {{ mumble_gid }}
+hostNetwork: true
+containers:
+- name: mumble
+ image: "phlak/mumble:{{ mumble_version }}"
+ env:
+ - name: TZ
+ value: "{{ mumble_timezone }}"
+ - name: SUPERUSER_PASSWORD
+ value: "{{ mumble_superuser_password }}"
+ resources:
+ limits:
+ memory: "512Mi"
+ volumeMounts:
+ - name: config
+ mountPath: /etc/mumble
+ readOnly: true
+ - name: db
+ mountPath: /srv/mumble/db
+volumes:
+- name: config
+ hostPath:
+ path: "{{ mumble_base_path }}/{{ mumble_instance }}/config"
+ type: Directory
+- name: db
+ hostPath:
+ path: "{{ mumble_base_path }}/{{ mumble_instance }}/db"
+ type: Directory
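Review bot: `allowPrivilegeEscalation: false` is placed in the pod-level securityContext, but in the Kubernetes API it is a container-level SecurityContext field, so here it is either rejected as an unknown field or silently ignored depending on how the consumer decodes the manifest — in both cases the intended hardening is not applied. Keep `runAsUser`/`runAsGroup` at pod level and move the flag under the `mumble` container: `securityContext:` / `  allowPrivilegeEscalation: false`. While there, `readOnlyRootFilesystem: true` and dropping all capabilities would be natural additions for a container that only needs its two mounts, if the image tolerates them. The pod runs with `hostNetwork: true` and carries the superuser password in `env`, so the `mode: "0600"` set on the manifest in the tasks file is what protects that value; a short comment on the `SUPERUSER_PASSWORD` entry noting that dependency would help the next maintainer.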
diff --git a/spreadspace/glt-coturn.yml b/spreadspace/glt-coturn.yml
index 4cb46213..3300c6ba 100644
--- a/spreadspace/glt-coturn.yml
+++ b/spreadspace/glt-coturn.yml
@@ -12,3 +12,4 @@
- role: apt-repo/spreadspace
- role: acmetool/base
- role: apps/coturn
+ - role: apps/mumble
diff --git a/spreadspace/host_vars/glt-coturn.yml b/spreadspace/host_vars/glt-coturn.yml
index 5a25939b..8db669d5 100644
--- a/spreadspace/host_vars/glt-coturn.yml
+++ b/spreadspace/host_vars/glt-coturn.yml
@@ -1,10 +1,13 @@
$ANSIBLE_VAULT;1.2;AES256;spreadspace
-66623933363135653535643038353239653765363938623335663961626538313036346263376636
-6634313836393163336339666639663233383564346363630a313136343838393366333765623130
-63613934363564626161653562623833323230393265613234616239333237373837356532363161
-6335306637396339610a363634343637613332393464623339333230666531343837323138393965
-62383266643466643430663030313531313063616666646439616330376537393137663234303761
-66646639643865376233366235383831383165656663666162383663356163363661383865656163
-36643163313634356239643435323137643861666139643834363539656465613539626637336634
-62643866613138613530316635316561616461346666623135313838663138313336323562623266
-62626536333832343931613064363231316637323462303037333234336563313135
+34643737663831333765666266333265633032346535306135383838643031633362343338393334
+6362383337353530346563316630313437313138633763370a613938353666646462316332353065
+66653436613537666465633263626632386263633734663330373430323865613733396463343363
+3837626238356534300a316361623361303430623863376661636233383436366131316338376230
+31326533353032666437643533633631333935643037636231333264386135646436383163663435
+33343838353534663932643630396236363636393131383539663536363738363539363238343965
+65633362636466623865366431623132366462386232653665393231646465323662663464356232
+30396239643238313734623461323366303961343463623433663133333761323933653534623037
+37313366636130366230343365393064396163313761626566366530613665306132656364623237
+65333239386435346465663234653339633930323766636631393134306235613636623339626638
+62313739346630343538366265336232646438306432353133393465333934376363653338373537
+66376330366533353937