author | Christian Pointner <equinox@spreadspace.org> | 2021-03-21 15:55:10 +0100 |
committer | Christian Pointner <equinox@spreadspace.org> | 2021-03-21 15:55:10 +0100 |
commit | 891c7dc3cd11bd3e8a11ed19672bb057787d36c2 (patch) | |
tree | 9f7b43b1421c9f3e71aa718c036c309fcd3ff4c5 /roles/apps/mumble | |
parent | add some ssh keys for linuxtage (diff) |
add mumble to glt-coturn
Diffstat (limited to 'roles/apps/mumble')
-rw-r--r-- | roles/apps/mumble/defaults/main.yml | 18 | ||||
-rw-r--r-- | roles/apps/mumble/tasks/main.yml | 87 | ||||
-rw-r--r-- | roles/apps/mumble/templates/acmetool-reload.sh.j2 | 31 | ||||
-rw-r--r-- | roles/apps/mumble/templates/config.ini.j2 | 10 | ||||
-rw-r--r-- | roles/apps/mumble/templates/pod-spec.yml.j2 | 31 |
5 files changed, 177 insertions, 0 deletions
diff --git a/roles/apps/mumble/defaults/main.yml b/roles/apps/mumble/defaults/main.yml
new file mode 100644
index 00000000..01f4ef94
--- /dev/null
+++ b/roles/apps/mumble/defaults/main.yml
@@ -0,0 +1,18 @@
+---
+mumble_uid: 910
+mumble_gid: 910
+mumble_base_path: /srv/mumble
+
+# mumble_version: 1.3.4
+# mumble_instance: example.com
+# mumble_hostnames:
+# - mumble.example.com
+
+# mumble_superuser_password: secret
+
+mumble_dhparam_size: 2048
+
+mumble_timezone: "Europe/Vienna"
+
+mumble_config_options:
+ bonjour: false
diff --git a/roles/apps/mumble/tasks/main.yml b/roles/apps/mumble/tasks/main.yml
new file mode 100644
index 00000000..0e16e54b
--- /dev/null
+++ b/roles/apps/mumble/tasks/main.yml
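Review bot: The four commented-out variables at the top of the file (`mumble_version`, `mumble_instance`, `mumble_hostnames`, `mumble_superuser_password`) are consumed unconditionally by the tasks and templates in this commit, yet nothing in the file distinguishes them from optional examples. A comment above that group such as `# required, no default: mumble_version, mumble_instance, mumble_hostnames, mumble_superuser_password` would make the role's contract explicit. Since `mumble_superuser_password` is rendered into the pod manifest, the same comment is the right place to state that it is expected to come from a vaulted inventory variable rather than a plain-text default.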
@@ -0,0 +1,87 @@
+---
+- name: add group for mumble
+ group:
+ name: mumble
+ gid: "{{ mumble_gid }}"
+
+- name: add user for mumble
+ user:
+ name: mumble
+ uid: "{{ mumble_uid }}"
+ group: mumble
+ password: "!"
+
+- name: create mumble config subdirectory
+ file:
+ path: "{{ mumble_base_path }}/{{ mumble_instance }}/config"
+ state: directory
+
+- name: create mumble config
+ template:
+ src: config.ini.j2
+ dest: "{{ mumble_base_path }}/{{ mumble_instance }}/config/config.ini"
+ group: mumble
+ mode: 0640
+
+- name: create mumble ssl subdirectory
+ file:
+ path: "{{ mumble_base_path }}/{{ mumble_instance }}/config/ssl"
+ state: directory
+ owner: root
+ group: mumble
+ mode: 0750
+
+- name: generate Diffie-Hellman parameters
+ openssl_dhparam:
+ path: "{{ mumble_base_path }}/{{ mumble_instance }}/config/ssl/dhparams.pem"
+ size: "{{ mumble_dhparam_size }}"
+ owner: root
+ group: mumble
+ mode: 0644
+
+- name: install acmetool hook script
+ template:
+ src: acmetool-reload.sh.j2
+ dest: "/etc/acme/hooks/mumble-{{ mumble_instance }}"
+ mode: 0755
+
+- name: install acmetool systemd unit snippet
+ copy:
+ dest: "/etc/systemd/system/acmetool.service.d/mumble-{{ mumble_instance }}.conf"
+ content: |
+ [Service]
+ ReadWritePaths={{ mumble_base_path }}/{{ mumble_instance }}/config/ssl
+ register: mumble_acmetool_snippet
+
+- name: reload systemd
+ when: mumble_acmetool_snippet is changed
+ systemd:
+ daemon_reload: yes
+
+- name: get certificate using acmetool
+ import_role:
+ name: acmetool/cert
+ vars:
+ acmetool_cert_name: "mumble-{{ mumble_instance }}"
+ acmetool_cert_hostnames: "{{ mumble_hostnames }}"
+
+- name: create mumble database directory
+ file:
+ path: "{{ mumble_base_path }}/{{ mumble_instance }}/db"
+ state: directory
+ owner: mumble
+ group: mumble
+ mode: 0750
+
+- name: install pod manifest
+ vars:
+ kubernetes_standalone_pod:
+ name: "mumble-{{ mumble_instance }}"
+ spec: "{{ lookup('template', 'pod-spec.yml.j2') }}"
+ mode: "0600"
+ config_hash_items:
+ - path: "{{ mumble_base_path }}/{{ mumble_instance }}/config/config.ini"
+ properties:
+ - checksum
+ include_role:
+ name: kubernetes/standalone/pod
diff --git a/roles/apps/mumble/templates/acmetool-reload.sh.j2 b/roles/apps/mumble/templates/acmetool-reload.sh.j2
new file mode 100644
index 00000000..e3b8dbb7
--- /dev/null
+++ b/roles/apps/mumble/templates/acmetool-reload.sh.j2
@@ -0,0 +1,31 @@
+#!/bin/sh
+set -e
+EVENT_NAME="$1"
+[ "$EVENT_NAME" = "live-updated" ] || exit 42
+
+MAIN_HOSTNAME="{{ mumble_hostnames[0] }}"
+SSL_D="{{ mumble_base_path }}/{{ mumble_instance }}/config/ssl"
+
+while read name; do
+ certdir="$ACME_STATE_DIR/live/$name"
+ if [ -z "$name" -o ! -e "$certdir" ]; then
+ continue
+ fi
+ if [ "$name" != "$MAIN_HOSTNAME" ]; then
+ continue
+ fi
+
+ install -m 0644 -o root -g mumble "$certdir/fullchain" "$SSL_D/cert.pem"
+ install -m 0640 -o root -g mumble "$certdir/privkey" "$SSL_D/privkey.pem"
+
+{% if kubernetes_cri_socket %}
+ export CONTAINER_RUNTIME_ENDPOINT="{{ kubernetes_cri_socket }}"
+{% endif %}
+ pod_id=$(crictl pods -q --state ready --name "^mumble-{{ mumble_instance }}-{{ ansible_nodename }}$")
+ [ -n "$pod_id" ] || exit 42
+ container_id=$(crictl ps -q --name '^mumble$' -p "$pod_id")
+ [ -n "$container_id" ] || exit 42
+ crictl exec "$container_id" kill -USR1 1
+
+ break
+done
diff --git a/roles/apps/mumble/templates/config.ini.j2 b/roles/apps/mumble/templates/config.ini.j2
new file mode 100644
index 00000000..c182492d
--- /dev/null
+++ b/roles/apps/mumble/templates/config.ini.j2
@@ -0,0 +1,10 @@
+database=/srv/mumble/db/murmur.sqlite
+
+sslCert=/etc/mumble/ssl/cert.pem
+sslKey=/etc/mumble/ssl/privkey.pem
+sslDHParams=/etc/mumble/ssl/dhparams.pem
+sslCiphers="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES128:!RSA:!ADH:!AECDH:!MD5"
+
+{% for opt, value in mumble_config_options.items() %}
+{{ opt }}={{ value }}
+{% endfor %}
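Review bot: The role creates the group, user, directories and the acmetool unit snippet before anything verifies that `mumble_instance`, `mumble_hostnames` and `mumble_superuser_password` are usable; an empty `mumble_hostnames` only fails when `acmetool-reload.sh.j2` dereferences `mumble_hostnames[0]` in the 'install acmetool hook script' task, and a missing `mumble_superuser_password` only when the pod manifest is rendered in the last task, leaving the host half-configured. An `assert` task at the top of the file fails before any state changes and with a readable message. Separately, the file modes are bare octal literals (`mode: 0640`, `0750`, `0644`, `0755`) while the pod manifest mode in the same file is quoted (`mode: "0600"`); quoting all of them removes the dependence on YAML-1.1 octal parsing and matches ansible-lint's risky-octal rule, and `daemon_reload: yes` reads better as `daemon_reload: true`.
```yaml
- name: check required mumble variables
  assert:
    that:
      - mumble_version is defined
      - mumble_instance is defined and mumble_instance | length > 0
      - mumble_hostnames is defined and mumble_hostnames | length > 0
      - mumble_superuser_password is defined

# … unchanged: add group for mumble and the remaining tasks …
```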
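Review bot: `while read name; do` and `[ -z "$name" -o ! -e "$certdir" ]` in the hook loop use two constructs POSIX marks as non-portable: `read` without `-r` mangles backslashes in the hostnames acmetool feeds on stdin, and the `-o` binary test operator is obsolescent and ambiguous for some argument values. `while read -r name; do` and `if [ -z "$name" ] || [ ! -e "$certdir" ]; then` keep the current behaviour under dash and make shellcheck happy. A smaller nit: `mumble_instance` is interpolated unescaped into the `crictl pods --name` regex, so a dot in an instance name like `example.com` matches any character; harmless with operator-controlled names, but a one-line comment noting the assumption would help the next reader.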
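Review bot: `{{ opt }}={{ value }}` in the `mumble_config_options` loop renders Python booleans with their repr, so the `bonjour: false` default from defaults/main.yml lands in config.ini as `bonjour=False`. Murmur's Qt-based ini parsing appears to accept that case-insensitively, but the rendered file then differs from the lowercase form Murmur's own documentation uses, and the same repr issue applies to any other boolean option an operator adds. Normalising booleans at render time, `{{ opt }}={{ 'true' if value is sameas true else ('false' if value is sameas false else value) }}`, keeps the output canonical without altering strings or numbers.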
diff --git a/roles/apps/mumble/templates/pod-spec.yml.j2 b/roles/apps/mumble/templates/pod-spec.yml.j2
new file mode 100644
index 00000000..5308e72c
--- /dev/null
+++ b/roles/apps/mumble/templates/pod-spec.yml.j2
@@ -0,0 +1,31 @@
+securityContext:
+ allowPrivilegeEscalation: false
+ runAsUser: {{ mumble_uid }}
+ runAsGroup: {{ mumble_gid }}
+hostNetwork: true
+containers:
+- name: mumble
+ image: "phlak/mumble:{{ mumble_version }}"
+ env:
+ - name: TZ
+ value: "{{ mumble_timezone }}"
+ - name: SUPERUSER_PASSWORD
+ value: "{{ mumble_superuser_password }}"
+ resources:
+ limits:
+ memory: "512Mi"
+ volumeMounts:
+ - name: config
+ mountPath: /etc/mumble
+ readOnly: true
+ - name: db
+ mountPath: /srv/mumble/db
+volumes:
+- name: config
+ hostPath:
+ path: "{{ mumble_base_path }}/{{ mumble_instance }}/config"
+ type: Directory
+- name: db
+ hostPath:
+ path: "{{ mumble_base_path }}/{{ mumble_instance }}/db"
+ type: Directory
|
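Review bot: `allowPrivilegeEscalation: false` is placed in the pod-level `securityContext`, but in the Kubernetes API that field exists only on a container's `securityContext` (PodSecurityContext carries `runAsUser`/`runAsGroup` but no `allowPrivilegeEscalation`), so it is dropped as an unknown field rather than applied and the `mumble` container keeps the default. Move it under the container, keep `runAsUser`/`runAsGroup` at pod level, and while there drop all capabilities, which a non-root process bound to a high port should not need. Also note that `SUPERUSER_PASSWORD` is delivered as a plain environment variable: the 0600 manifest mode protects the file on disk, but the value remains readable through `crictl inspect` and from `/proc/1/environ` inside the container, which deserves a comment next to the `env` entry so the trade-off is recorded.
```yaml
containers:
- name: mumble
  image: "phlak/mumble:{{ mumble_version }}"
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
  # … unchanged: env, resources, volumeMounts …
```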