Update to 2020-04-15 13:00

README.md

@@ -0,0 +1,20 @@
+# ansible-roles
+
+At [Firewall Services](https://www.firewall-services.com), we use Ansible. And we use it **a lot**. Like, there's now nearly nothing we deploy manually, without it. As such we've written a lot of roles, to deploy and manage various applications. This include :
+
+* Basic system configuration
+* Authentication (eg, configure LDAP auth, or join an AD domain automatically)
+* Plumber layers (like deploy a MySQL server, a PHP stack etc.)
+* Authentication services (Samba4 in AD DC mode, Lemonldap::NG etc.)
+* Collaborative apps (like Zimbra, Matrix, Etherpad, Seafile, OnlyOffice, Jitsi etc.)
+* Monitoring tools (deploy Zabbix agent, proxy and server, Fusion Inventory agent, Graylog server)
+* Web applications (GLPI, Ampache, Kanboard, Wordpress, Dolibarr, Matomo, Framadate, Dokuwiki etc.)
+* Dev tools (Deploy a Gitea server)
+* Security tools (OpenXPKI, Bitwareden_RS, manage SSH keys etc.)
+* A lot more :-)
+
+Most of our roles and CentOS centric, and are made to be deployed on CentOS 7 servers. Basic roles (like basic system configuration, postfix etc.) also supports Debian systems, but are less tested.
+
+Our roles are often dependent on other roles. For example, if you deploy glpi, it'll first pull all the required web and PHP stack. 
+
+All this is available on our GIT repo : https://git.fws.fr/fws/ansible-roles

roles/jitsi/defaults/main.yml

@@ -28,18 +28,22 @@ jitsi_stun_servers: []
 
 jitsi_turn_secret: "{{ turnserver_auth_secret | default('p@ssw0rd') }}"
 
-# Authentication. If set to sso, you'll have to protect /login and /logout
+# Authentication. Can be set to
-# with your sso, and pass email in the mail http header and displayName in the
+#  * False : no authentication at all (can also be None)
-# displayName http header.
+#  * sso : In this case, you have to protect /login with your SSO system (through a reverse proxy)
-# If set to False or 'none', no authentication will take place
+#    And once authenticated, send the HTTP headers mail and displayName with the appropriate values
-jitsi_auth: sso
+#    Note that jitsi Android client does not support sso authentication, so mobile users will be able
+#    to join an existing conf, but not create one easily
+#  * ldap : Will use an LDAP server for authentication. Works on mobile, but is a bit less convinient
+#    than sso for desktop users. See all the jitsi_ldap_xxxx settings
+jitsi_auth: False
 
 # Secret to register on the XMPP server. A random one will be generated if not defined
 # jitsi_videobridge_xmpp_secret: S3cr3t.
 # jitsi_jicofo_xmpp_secret: p@ssw0rd
 
 # Password for the focus user on the auth domain
-# jitsi_jicofo_focus_pass: p@ssw0rd
+# jitsi_jicofo_xmpp_pass: p@ssw0rd
 
 jitsi_domain: "{{ inventory_hostname }}"
 jitsi_auth_domain: auth.{{ jitsi_domain }}
@@ -96,4 +100,16 @@ jitsi_ldap_bind_pass: "{{ prosody_ldap_bind_pass | default(None) }}"
 jitsi_ldap_filter: "{{ prosody_ldap_filter | default(ad_auth | default(False) | ternary('(&(objectClass=user)(sAMAccountName=%s))','(&(objectClass=inetOrgPerson)(uid=%s))')) }}"
 jitsi_ldap_starttls: "{{ prosody_ldap_starttls | default(True) }}"
 
+# Jigasi settings
 
+# Default room on which to connect inbound SIP calls
+# if no Jitsi-Conference-Room SIP header is found
+jitsi_jigasi_default_room: sip
+
+# SIP settings
+#jitsi_jigasi_sip_user:
+#jitsi_jigasi_sip_secret:
+#jitsi_jigasi_sip_server:
+
+# Password to auth as an XMPP user. A random one will be created if missing
+#jitsi_jigasi_xmpp_pass:

roles/jitsi/handlers/main.yml

@@ -7,4 +7,4 @@
   service: name=jitsi-jicofo state=restarted
 
 - name: restart jitsi-jigasi
-  service: name=jitsi-jigasi state=restarted
+  service: name=jitsi-jigasi state={{ jitsi_jigasi | ternary('restarted', 'stopped') }}

roles/jitsi/tasks/conf.yml

@@ -12,10 +12,10 @@
       service: name=prosody state=restarted
 
     - name: Register the focus user
-      command: prosodyctl register focus {{ jitsi_auth_domain }} '{{ jitsi_jicofo_focus_pass }}'
+      command: prosodyctl register focus {{ jitsi_auth_domain }} '{{ jitsi_jicofo_xmpp_pass }}'
 
     - name: Register the jigasi user
-      command: prosodyctl register jigasi {{ jitsi_auth_domain }} '{{ jitsi_jicofo_pass }}'
+      command: prosodyctl register jigasi {{ jitsi_auth_domain }} '{{ jitsi_jigasi_xmpp_pass }}'
   when: jitsi_prosody_conf is defined and jitsi_prosody_conf.changed
   tags: jitsi
 

roles/jitsi/tasks/facts.yml

@@ -6,6 +6,10 @@
     - set_fact: jitsi_videobridge_current_version=''
   tags: jitsi
 
+- name: Set if jigasi is used
+  set_fact: jitsi_jigasi={{ (jitsi_jigasi_sip_user is defined and jitsi_jigasi_sip_secret is defined) | ternary(True, False) }}
+  tags: jitsi
+
 - name: Check if videobridge is installed
   stat: path={{ jitsi_root_dir }}/meta/ansible_videobridge_version
   register: jitsi_videobridge_version_file
@@ -53,9 +57,9 @@
   block:
     - import_tasks: ../includes/get_rand_pass.yml
       vars:
-        - pass_file: "{{ jitsi_root_dir }}/meta/ansible_jicofo_focus_pass"
+        - pass_file: "{{ jitsi_root_dir }}/meta/ansible_jicofo_xmpp_pass"
-    - set_fact: jitsi_jicofo_focus_pass={{ rand_pass }}
+    - set_fact: jitsi_jicofo_xmpp_pass={{ rand_pass }}
-  when: jitsi_jicofo_focus_pass is not defined
+  when: jitsi_jicofo_xmpp_pass is not defined
   tags: jitsi
 
 - name: Generate a random secret for jigasi
@@ -71,9 +75,9 @@
   block:
     - import_tasks: ../includes/get_rand_pass.yml
       vars:
-        - pass_file: "{{ jitsi_root_dir }}/meta/ansible_jigasi_pass"
+        - pass_file: "{{ jitsi_root_dir }}/meta/ansible_jigasi_xmpp_pass"
-    - set_fact: jitsi_jigasi_pass={{ rand_pass }}
+    - set_fact: jitsi_jigasi_xmpp_pass={{ rand_pass }}
-  when: jitsi_jigasi_pass is not defined
+  when: jitsi_jigasi_xmpp_pass is not defined
   tags: jitsi
 
 - name: Set certificate path

roles/jitsi/tasks/services.yml

@@ -6,3 +6,7 @@
     - jitsi-videobridge
     - jitsi-jicofo
   tags: jitsi
+
+- name: Start and enable jigasi
+  service: name=jitsi-jigasi state={{ jitsi_jigasi | ternary('started', 'stopped') }} enabled={{ jitsi_jigasi }}
+  tags: jitsi

roles/jitsi/templates/jicofo/jicofo.conf.j2

@@ -4,6 +4,6 @@ JICOFO_DOMAIN={{ jitsi_domain }}
 JICOFO_USER=focus
 JICOFO_USERDOMAIN={{ jitsi_auth_domain }}
 JICOFO_SECRET='{{ jitsi_jicofo_xmpp_secret }}'
-JICOFO_USER_PASS='{{ jitsi_jicofo_focus_pass }}'
+JICOFO_USER_PASS='{{ jitsi_jicofo_xmpp_pass }}'
 JICOFO_OPTS=''
 JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION={{ jitsi_root_dir }}/etc -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=jicofo"

roles/jitsi/templates/jigasi/jigasi.conf.j2

@@ -4,4 +4,4 @@ JIGASI_DOMAIN={{ jitsi_domain }}
 JIGASI_SUBDOMAIN=callcontrol
 JIGASI_SECRET='{{ jitsi_jigasi_xmpp_secret }}'
 JIGASI_OPTS=''
-JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION={{ jitsi_root_dir }}/etc -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=jigasi"
+JAVA_SYS_PROPS=''

roles/jitsi/templates/jigasi/sip-communicator.properties.j2

@@ -1,5 +1,35 @@
-{% if jitsi_auth == 'sso' %}
+# Default room to which inbound called without a Jitsi-Conference-Room header
-org.jitsi.jicofo.auth.URL=shibboleth:default
+org.jitsi.jigasi.DEFAULT_JVB_ROOM_NAME={{ jitsi_jigasi_default_room }}
-{% elif jitsi_auth == 'ldap' %}
+
-org.jitsi.jicofo.auth.URL=XMPP:{{ jitsi_domain }}
+net.java.sip.communicator.impl.protocol.SingleCallInProgressPolicy.enabled=false
+
+# Disable packet capture
+net.java.sip.communicator.packetlogging.PACKET_LOGGING_ENABLED=false
+
+{% if jitsi_jigasi %}
+# SIP acount
+net.java.sip.communicator.impl.protocol.sip.account=account
+net.java.sip.communicator.impl.protocol.sip.account.ACCOUNT_UID=SIP\:{{ jitsi_jigasi_sip_user }}
+net.java.sip.communicator.impl.protocol.sip.account.PASSWORD={{ jitsi_jigasi_sip_secret | b64encode }}
+net.java.sip.communicator.impl.protocol.sip.account.PROTOCOL_NAME=SIP
+net.java.sip.communicator.impl.protocol.sip.account.SERVER_ADDRESS={{ jitsi_jigasi_sip_server }}
+net.java.sip.communicator.impl.protocol.sip.account.USER_ID={{ jitsi_jigasi_sip_user }}
+net.java.sip.communicator.impl.protocol.sip.account.KEEP_ALIVE_INTERVAL=25
+net.java.sip.communicator.impl.protocol.sip.account.KEEP_ALIVE_METHOD=OPTIONS
+net.java.sip.communicator.impl.protocol.sip.account.VOICEMAIL_ENABLED=false
+net.java.sip.communicator.impl.protocol.sip.account.OVERRIDE_ENCODINGS=false
+{% else %}
+# No SIP account configured, jigasi will be disabled
 {% endif %}
+
+# XMPP account
+org.jitsi.jigasi.xmpp.acc.USER_ID=jigasi@auth.{{ jitsi_domain }}
+org.jitsi.jigasi.xmpp.acc.PASS={{ jitsi_jigasi_xmpp_pass }}
+org.jitsi.jigasi.xmpp.acc.ANONYMOUS_AUTH=false
+org.jitsi.jigasi.xmpp.acc.IS_SERVER_OVERRIDDEN=true
+org.jitsi.jigasi.xmpp.acc.SERVER_ADDRESS={{ inventory_hostname }}
+org.jitsi.jigasi.xmpp.acc.JINGLE_NODES_ENABLED=false
+org.jitsi.jigasi.xmpp.acc.AUTO_DISCOVER_STUN=false
+org.jitsi.jigasi.xmpp.acc.IM_DISABLED=true
+org.jitsi.jigasi.xmpp.acc.SERVER_STORED_INFO_DISABLED=true
+org.jitsi.jigasi.xmpp.acc.IS_FILE_TRANSFER_DISABLED=true

roles/jitsi/templates/jitsi-jigasi.service.j2

@@ -12,11 +12,17 @@ PrivateTmp=true
 PrivateDevices=true
 ProtectHome=true
 ProtectSystem=full
-ReadOnlyDirectories={{ jitsi_root_dir }}/etc {{ jitsi_root_dir }}/jigasi
 Restart=on-failure
 StartLimitInterval=0
 RestartSec=30
-ExecStart=/opt/jitsi/jigasi/jigasi.sh --host=${JIGASI_HOST} --domain=${JIGASI_DOMAIN} --secret=${JIGASI_SECRET} ${JIGASI_OPT}
+ExecStart=/opt/jitsi/jigasi/jigasi.sh \
+            --configdir={{ jitsi_root_dir }}/etc \
+            --configdirname=jigasi \
+            --host=${JIGASI_HOST} \
+            --domain=${JIGASI_DOMAIN} \
+            --subdomain=callcontrol \
+            --secret=${JIGASI_SECRET} \
+            ${JIGASI_OPT}
 
 [Install]
 WantedBy=multi-user.target