From 189c36c66367a5312f6bb837a4fc7811c8b590ee Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Wed, 15 Apr 2020 13:00:05 +0200 Subject: [PATCH] Update to 2020-04-15 13:00 --- README.md | 20 ++++++++++++ roles/jitsi/defaults/main.yml | 28 ++++++++++++---- roles/jitsi/handlers/main.yml | 2 +- roles/jitsi/tasks/conf.yml | 4 +-- roles/jitsi/tasks/facts.yml | 16 +++++---- roles/jitsi/tasks/services.yml | 4 +++ roles/jitsi/templates/jicofo/jicofo.conf.j2 | 2 +- roles/jitsi/templates/jigasi/jigasi.conf.j2 | 2 +- .../jigasi/sip-communicator.properties.j2 | 38 +++++++++++++++++++--- roles/jitsi/templates/jitsi-jigasi.service.j2 | 10 ++++-- 10 files changed, 103 insertions(+), 23 deletions(-) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..e893add --- /dev/null +++ b/README.md 
@@ -0,0 +1,20 @@
+# ansible-roles
+
+At [Firewall Services](https://www.firewall-services.com), we use Ansible. And we use it **a lot**. Like, there's now nearly nothing we deploy manually, without it. As such we've written a lot of roles, to deploy and manage various applications. This include :
+
+* Basic system configuration
+* Authentication (eg, configure LDAP auth, or join an AD domain automatically)
+* Plumber layers (like deploy a MySQL server, a PHP stack etc.)
+* Authentication services (Samba4 in AD DC mode, Lemonldap::NG etc.)
+* Collaborative apps (like Zimbra, Matrix, Etherpad, Seafile, OnlyOffice, Jitsi etc.)
+* Monitoring tools (deploy Zabbix agent, proxy and server, Fusion Inventory agent, Graylog server)
+* Web applications (GLPI, Ampache, Kanboard, Wordpress, Dolibarr, Matomo, Framadate, Dokuwiki etc.)
+* Dev tools (Deploy a Gitea server)
+* Security tools (OpenXPKI, Bitwareden_RS, manage SSH keys etc.)
+* A lot more :-)
+
+Most of our roles and CentOS centric, and are made to be deployed on CentOS 7 servers. Basic roles (like basic system configuration, postfix etc.) also supports Debian systems, but are less tested.
+
+Our roles are often dependent on other roles. For example, if you deploy glpi, it'll first pull all the required web and PHP stack.
+
+All this is available on our GIT repo : https://git.fws.fr/fws/ansible-roles
diff --git a/roles/jitsi/defaults/main.yml b/roles/jitsi/defaults/main.yml
index e0c5fb5..5e2cf42 100644
--- a/roles/jitsi/defaults/main.yml
+++ b/roles/jitsi/defaults/main.yml
@@ -28,18 +28,22 @@ jitsi_stun_servers: [] jitsi_turn_secret: "{{ turnserver_auth_secret | default('p@ssw0rd') }}" -# Authentication. If set to sso, you'll have to protect /login and /logout -# with your sso, and pass email in the mail http header and displayName in the -# displayName http header. -# If set to False or 'none', no authentication will take place -jitsi_auth: sso +# Authentication. Can be set to +# * False : no authentication at all (can also be None) +# * sso : In this case, you have to protect /login with your SSO system (through a reverse proxy) +# And once authenticated, send the HTTP headers mail and displayName with the appropriate values +# Note that jitsi Android client does not support sso authentication, so mobile users will be able +# to join an existing conf, but not create one easily +# * ldap : Will use an LDAP server for authentication. Works on mobile, but is a bit less convinient +# than sso for desktop users. See all the jitsi_ldap_xxxx settings +jitsi_auth: False # Secret to register on the XMPP server. A random one will be generated if not defined # jitsi_videobridge_xmpp_secret: S3cr3t. # jitsi_jicofo_xmpp_secret: p@ssw0rd # Password for the focus user on the auth domain -# jitsi_jicofo_focus_pass: p@ssw0rd +# jitsi_jicofo_xmpp_pass: p@ssw0rd jitsi_domain: "{{ inventory_hostname }}" jitsi_auth_domain: auth.{{ jitsi_domain }} 
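Review bot: The new default `jitsi_auth: False` switches authentication off for every host that does not set the variable explicitly, where the removed line had `sso` as the default; on an internet-facing instance that means anyone reaching the web UI can create a conference. If no-auth is the intended default, state the consequence next to the value, e.g. `# Default: no authentication, any visitor can create a room; set sso or ldap for a public instance`, and flag in the commit that inventories relying on the old default must now set `jitsi_auth: sso` themselves. As a point of style, `false` is the canonical YAML boolean; `False` is a Python-style literal that yamllint's truthy rule rejects. The typo `convinient` in the new comment should read `convenient`.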
@@ -96,4 +100,16 @@ jitsi_ldap_bind_pass: "{{ prosody_ldap_bind_pass | default(None) }}" jitsi_ldap_filter: "{{ prosody_ldap_filter | default(ad_auth | default(False) | ternary('(&(objectClass=user)(sAMAccountName=%s))','(&(objectClass=inetOrgPerson)(uid=%s))')) }}" jitsi_ldap_starttls: "{{ prosody_ldap_starttls | default(True) }}" +# Jigasi settings +# Default room on which to connect inbound SIP calls +# if no Jitsi-Conference-Room SIP header is found +jitsi_jigasi_default_room: sip + +# SIP settings +#jitsi_jigasi_sip_user: +#jitsi_jigasi_sip_secret: +#jitsi_jigasi_sip_server: + +# Password to auth as an XMPP user. A random one will be created if missing +#jitsi_jigasi_xmpp_pass: diff --git a/roles/jitsi/handlers/main.yml b/roles/jitsi/handlers/main.yml index 01fd82d..ccf63ed 100644 --- a/roles/jitsi/handlers/main.yml +++ b/roles/jitsi/handlers/main.yml @@ -7,4 +7,4 @@ service: name=jitsi-jicofo state=restarted - name: restart jitsi-jigasi - service: name=jitsi-jigasi state=restarted + service: name=jitsi-jigasi state={{ jitsi_jigasi | ternary('restarted', 'stopped') }} diff --git a/roles/jitsi/tasks/conf.yml b/roles/jitsi/tasks/conf.yml index 2af23f0..9b35435 100644 --- a/roles/jitsi/tasks/conf.yml +++ b/roles/jitsi/tasks/conf.yml @@ -12,10 +12,10 @@ service: name=prosody state=restarted - name: Register the focus user - command: prosodyctl register focus {{ jitsi_auth_domain }} '{{ jitsi_jicofo_focus_pass }}' + command: prosodyctl register focus {{ jitsi_auth_domain }} '{{ jitsi_jicofo_xmpp_pass }}' - name: Register the jigasi user - command: prosodyctl register jigasi {{ jitsi_auth_domain }} '{{ jitsi_jicofo_pass }}' + command: prosodyctl register jigasi {{ jitsi_auth_domain }} '{{ jitsi_jigasi_xmpp_pass }}' when: jitsi_prosody_conf is defined and jitsi_prosody_conf.changed tags: jitsi diff --git a/roles/jitsi/tasks/facts.yml b/roles/jitsi/tasks/facts.yml index 42b02a7..2f8e551 100644 --- a/roles/jitsi/tasks/facts.yml +++ b/roles/jitsi/tasks/facts.yml 
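Review bot: Both `prosodyctl register` tasks in conf.yml put the XMPP password on the command line, so it is printed in the task result and in any Ansible log, and is readable in `ps` by every local user while prosodyctl runs; add `no_log: true` to both tasks. The hand-written single quotes around `'{{ jitsi_jicofo_xmpp_pass }}'` and `'{{ jitsi_jigasi_xmpp_pass }}'` also break as soon as an operator-supplied password contains a `'`; `{{ jitsi_jigasi_xmpp_pass | quote }}` without surrounding quotes handles any value. The jigasi user appears to be registered even when no SIP credentials are set (the `when:` shown only checks `jitsi_prosody_conf.changed`), so gating that task on the `jitsi_jigasi` fact would avoid creating an XMPP account that nothing uses.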
@@ -6,6 +6,10 @@ - set_fact: jitsi_videobridge_current_version='' tags: jitsi +- name: Set if jigasi is used + set_fact: jitsi_jigasi={{ (jitsi_jigasi_sip_user is defined and jitsi_jigasi_sip_secret is defined) | ternary(True, False) }} + tags: jitsi + - name: Check if videobridge is installed stat: path={{ jitsi_root_dir }}/meta/ansible_videobridge_version register: jitsi_videobridge_version_file @@ -53,9 +57,9 @@ block: - import_tasks: ../includes/get_rand_pass.yml vars: - - pass_file: "{{ jitsi_root_dir }}/meta/ansible_jicofo_focus_pass" - - set_fact: jitsi_jicofo_focus_pass={{ rand_pass }} - when: jitsi_jicofo_focus_pass is not defined + - pass_file: "{{ jitsi_root_dir }}/meta/ansible_jicofo_xmpp_pass" + - set_fact: jitsi_jicofo_xmpp_pass={{ rand_pass }} + when: jitsi_jicofo_xmpp_pass is not defined tags: jitsi - name: Generate a random secret for jigasi @@ -71,9 +75,9 @@ block: - import_tasks: ../includes/get_rand_pass.yml vars: - - pass_file: "{{ jitsi_root_dir }}/meta/ansible_jigasi_pass" - - set_fact: jitsi_jigasi_pass={{ rand_pass }} - when: jitsi_jigasi_pass is not defined + - pass_file: "{{ jitsi_root_dir }}/meta/ansible_jigasi_xmpp_pass" + - set_fact: jitsi_jigasi_xmpp_pass={{ rand_pass }} + when: jitsi_jigasi_xmpp_pass is not defined tags: jitsi - name: Set certificate path diff --git a/roles/jitsi/tasks/services.yml b/roles/jitsi/tasks/services.yml index 59b3690..3ab6d9b 100644 --- a/roles/jitsi/tasks/services.yml +++ b/roles/jitsi/tasks/services.yml @@ -6,3 +6,7 @@ - jitsi-videobridge - jitsi-jicofo tags: jitsi + +- name: Start and enable jigasi + service: name=jitsi-jigasi state={{ jitsi_jigasi | ternary('started', 'stopped') }} enabled={{ jitsi_jigasi }} + tags: jitsi diff --git a/roles/jitsi/templates/jicofo/jicofo.conf.j2 b/roles/jitsi/templates/jicofo/jicofo.conf.j2 index 4449a81..06d5022 100644 --- a/roles/jitsi/templates/jicofo/jicofo.conf.j2 +++ b/roles/jitsi/templates/jicofo/jicofo.conf.j2 
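Review bot: The new `jitsi_jigasi` fact is true whenever `jitsi_jigasi_sip_user` and `jitsi_jigasi_sip_secret` are defined, but the `{% if jitsi_jigasi %}` branch of sip-communicator.properties.j2 also renders `{{ jitsi_jigasi_sip_server }}`, so setting user and secret without the server makes the template task fail on an undefined variable instead of disabling jigasi. Either extend the test, `set_fact: jitsi_jigasi={{ jitsi_jigasi_sip_user is defined and jitsi_jigasi_sip_secret is defined and jitsi_jigasi_sip_server is defined }}`, or document in defaults that all three SIP settings must be provided together. The `| ternary(True, False)` adds nothing, since the `is defined and … is defined` expression already yields a boolean.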
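Review bot: Renaming the persisted password files from `ansible_jicofo_focus_pass` and `ansible_jigasi_pass` to the `…_xmpp_pass` names means an already-deployed host will no longer find its existing file; if get_rand_pass.yml (not shown) generates a fresh secret when the file is missing, jicofo and jigasi get a new password while prosody keeps the old one, because `prosodyctl register` in conf.yml only runs when `jitsi_prosody_conf.changed`. Add a one-off migration step that moves the old file to the new name when it exists, or trigger the register tasks whenever the password fact changes rather than only on prosody config changes. A short comment above the `pass_file` lines, such as `# file name changed on 2020-04-15; existing hosts need the old file renamed`, would keep the next maintainer from being surprised.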
@@ -4,6 +4,6 @@ JICOFO_DOMAIN={{ jitsi_domain }} JICOFO_USER=focus JICOFO_USERDOMAIN={{ jitsi_auth_domain }} JICOFO_SECRET='{{ jitsi_jicofo_xmpp_secret }}' -JICOFO_USER_PASS='{{ jitsi_jicofo_focus_pass }}' +JICOFO_USER_PASS='{{ jitsi_jicofo_xmpp_pass }}' JICOFO_OPTS='' JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION={{ jitsi_root_dir }}/etc -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=jicofo" diff --git a/roles/jitsi/templates/jigasi/jigasi.conf.j2 b/roles/jitsi/templates/jigasi/jigasi.conf.j2 index 1cee798..36f5e10 100644 --- a/roles/jitsi/templates/jigasi/jigasi.conf.j2 +++ b/roles/jitsi/templates/jigasi/jigasi.conf.j2 @@ -4,4 +4,4 @@ JIGASI_DOMAIN={{ jitsi_domain }} JIGASI_SUBDOMAIN=callcontrol JIGASI_SECRET='{{ jitsi_jigasi_xmpp_secret }}' JIGASI_OPTS='' -JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION={{ jitsi_root_dir }}/etc -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=jigasi" +JAVA_SYS_PROPS='' diff --git a/roles/jitsi/templates/jigasi/sip-communicator.properties.j2 b/roles/jitsi/templates/jigasi/sip-communicator.properties.j2 index bdbd312..6125a8f 100644 --- a/roles/jitsi/templates/jigasi/sip-communicator.properties.j2 +++ b/roles/jitsi/templates/jigasi/sip-communicator.properties.j2 
@@ -1,5 +1,35 @@ -{% if jitsi_auth == 'sso' %} -org.jitsi.jicofo.auth.URL=shibboleth:default -{% elif jitsi_auth == 'ldap' %} -org.jitsi.jicofo.auth.URL=XMPP:{{ jitsi_domain }} +# Default room to which inbound called without a Jitsi-Conference-Room header +org.jitsi.jigasi.DEFAULT_JVB_ROOM_NAME={{ jitsi_jigasi_default_room }} + +net.java.sip.communicator.impl.protocol.SingleCallInProgressPolicy.enabled=false + +# Disable packet capture +net.java.sip.communicator.packetlogging.PACKET_LOGGING_ENABLED=false + +{% if jitsi_jigasi %} +# SIP acount +net.java.sip.communicator.impl.protocol.sip.account=account +net.java.sip.communicator.impl.protocol.sip.account.ACCOUNT_UID=SIP\:{{ jitsi_jigasi_sip_user }} +net.java.sip.communicator.impl.protocol.sip.account.PASSWORD={{ jitsi_jigasi_sip_secret | b64encode }} +net.java.sip.communicator.impl.protocol.sip.account.PROTOCOL_NAME=SIP +net.java.sip.communicator.impl.protocol.sip.account.SERVER_ADDRESS={{ jitsi_jigasi_sip_server }} +net.java.sip.communicator.impl.protocol.sip.account.USER_ID={{ jitsi_jigasi_sip_user }} +net.java.sip.communicator.impl.protocol.sip.account.KEEP_ALIVE_INTERVAL=25 +net.java.sip.communicator.impl.protocol.sip.account.KEEP_ALIVE_METHOD=OPTIONS +net.java.sip.communicator.impl.protocol.sip.account.VOICEMAIL_ENABLED=false +net.java.sip.communicator.impl.protocol.sip.account.OVERRIDE_ENCODINGS=false +{% else %} +# No SIP account configured, jigasi will be disabled {% endif %} + +# XMPP account +org.jitsi.jigasi.xmpp.acc.USER_ID=jigasi@auth.{{ jitsi_domain }} +org.jitsi.jigasi.xmpp.acc.PASS={{ jitsi_jigasi_xmpp_pass }} +org.jitsi.jigasi.xmpp.acc.ANONYMOUS_AUTH=false +org.jitsi.jigasi.xmpp.acc.IS_SERVER_OVERRIDDEN=true +org.jitsi.jigasi.xmpp.acc.SERVER_ADDRESS={{ inventory_hostname }} +org.jitsi.jigasi.xmpp.acc.JINGLE_NODES_ENABLED=false +org.jitsi.jigasi.xmpp.acc.AUTO_DISCOVER_STUN=false +org.jitsi.jigasi.xmpp.acc.IM_DISABLED=true +org.jitsi.jigasi.xmpp.acc.SERVER_STORED_INFO_DISABLED=true 
+org.jitsi.jigasi.xmpp.acc.IS_FILE_TRANSFER_DISABLED=true diff --git a/roles/jitsi/templates/jitsi-jigasi.service.j2 b/roles/jitsi/templates/jitsi-jigasi.service.j2 index 8acf285..6ff1e65 100644 --- a/roles/jitsi/templates/jitsi-jigasi.service.j2 +++ b/roles/jitsi/templates/jitsi-jigasi.service.j2 @@ -12,11 +12,17 @@ PrivateTmp=true PrivateDevices=true ProtectHome=true ProtectSystem=full -ReadOnlyDirectories={{ jitsi_root_dir }}/etc {{ jitsi_root_dir }}/jigasi Restart=on-failure StartLimitInterval=0 RestartSec=30 -ExecStart=/opt/jitsi/jigasi/jigasi.sh --host=${JIGASI_HOST} --domain=${JIGASI_DOMAIN} --secret=${JIGASI_SECRET} ${JIGASI_OPT} +ExecStart=/opt/jitsi/jigasi/jigasi.sh \ + --configdir={{ jitsi_root_dir }}/etc \ + --configdirname=jigasi \ + --host=${JIGASI_HOST} \ + --domain=${JIGASI_DOMAIN} \ + --subdomain=callcontrol \ + --secret=${JIGASI_SECRET} \ + ${JIGASI_OPT} [Install] WantedBy=multi-user.target
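Review bot: `org.jitsi.jigasi.xmpp.acc.USER_ID=jigasi@auth.{{ jitsi_domain }}` hardcodes the `auth.` prefix while conf.yml registers the same user on `{{ jitsi_auth_domain }}`, which defaults to that value but is overridable, so an inventory that changes `jitsi_auth_domain` ends up with jigasi authenticating against a domain where it was never registered; use `jigasi@{{ jitsi_auth_domain }}`, and consider `{{ jitsi_domain }}` rather than `{{ inventory_hostname }}` for `SERVER_ADDRESS` for the same reason. `| b64encode` on the SIP password is presumably just the storage encoding jigasi's properties use, not protection: the rendered file holds the SIP secret and `org.jitsi.jigasi.xmpp.acc.PASS` in recoverable form, so the template task (outside this hunk) should set a restrictive mode such as `0640` owned by the jigasi user, and a comment `# Credentials below are stored in clear / base64; keep this file mode 0640` above the SIP block would make that expectation explicit. Minor wording in the new comments: `inbound called without` should read `inbound calls without`, and `SIP acount` `SIP account`.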
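Review bot: The rewritten `ExecStart` still expands `${JIGASI_OPT}` while jigasi.conf.j2 defines `JIGASI_OPTS`, so the variable is always empty and anything set there is silently ignored; change the last line to `${JIGASI_OPTS}`. Removing `ReadOnlyDirectories={{ jitsi_root_dir }}/etc {{ jitsi_root_dir }}/jigasi` drops the only write protection on the install and config trees, since `ProtectSystem=full` covers /usr, /boot and /etc but not `{{ jitsi_root_dir }}`; if jigasi has to rewrite its properties file at runtime, keep at least `ReadOnlyPaths={{ jitsi_root_dir }}/jigasi` (the non-deprecated spelling) and add a comment saying why etc/ must stay writable. `--secret=${JIGASI_SECRET}` exposes the XMPP component secret in the process command line, readable by any local user via `ps`; this predates the commit, but a comment noting it, or a file-based alternative if jigasi offers one, would be appropriate. The hardcoded `/opt/jitsi/jigasi/jigasi.sh` next to `--configdir={{ jitsi_root_dir }}/etc` also looks inconsistent if `jitsi_root_dir` is ever changed.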