initial commit

2020-04-13 14:46:45 +02:00
commit 961498e32b
76 changed files with 2715 additions and 0 deletions
--- a/roles/mumble/templates/mumble-web.js.j2
+++ b/roles/mumble/templates/mumble-web.js.j2
@@ -0,0 +1,23 @@
+{{ ansible_managed | comment('c') }}
+// You can overwrite the default configuration values set in [config.js] here.
+// There should never be any required changes to this file and you can always
+// simply copy it over when updating to a new version.
+
+let config = window.mumbleWebConfig // eslint-disable-line no-unused-vars
+
+// E.g. changing default address and theme:
+// config.defaults.address = 'voice.example.com'
+// config.defaults.theme = 'MetroMumbleDark
+
+// Which fields to show on the Connect to Server dialog
+config.connectDialog.address = false
+config.connectDialog.port = false
+config.connectDialog.token = false
+config.connectDialog.password = {{ (umurmur_user_password != '') | lower }}
+
+// Default values for user settings
+// You can see your current value by typing `localStorage.getItem('mumble.$setting')` in the web console.
+config.settings.pttKey = 'shift'
+
+// Default values (can be changed by passing a query parameter of the same name)
+config.defaults.address = "{{ mumble_web_domain }}/mumble"
--- a/roles/mumble/templates/mumble-web.service.j2
+++ b/roles/mumble/templates/mumble-web.service.j2
@@ -0,0 +1,26 @@
+[Unit]
+Description=Mumble web client using websockets
+After=network.target
+
+[Service]
+Type=simple
+User=nobody
+Group=nogroup
+Restart=on-failure
+RestartSec=3
+PIDFile=/run/mumble-web.pid
+ExecStart=/usr/bin/websockify --ssl-target {{ mumble_web_websockify_port }} localhost:{{ umurmur_port }}
+ExecReload=/bin/kill -HUP $MAINPID
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectSystem=strict
+ProtectHome=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+NoNewPrivileges=yes
+LimitRTPRIO=1
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/mumble/templates/nginx.conf.j2
+++ b/roles/mumble/templates/nginx.conf.j2
@@ -0,0 +1,65 @@
+{{ ansible_managed | comment }}
+server {
+  listen 80;
+  listen [::]:80;
+  server_name {{ mumble_web_domain }};
+
+  location / {
+    return 301 https://$host$request_uri;
+  }
+  
+{% if acme_challenge_dir is defined %}
+  location ^~ /.well-known/acme-challenge/ {
+		allow all;
+		root {{ acme_challenge_dir }};
+		try_files $uri =404;
+	}
+{% endif %}
+}
+
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+
+  server_name {{ mumble_web_domain }};
+
+  ssl_certificate {{ mumble_web_certificate }};
+  ssl_certificate_key {{ mumble_web_private_key }};
+
+  ssl_session_timeout 1d;
+  ssl_session_cache shared:AnsibleSSL:10m;  # about 40000 sessions
+  ssl_session_tickets off;
+
+{% if mumble_web_dhparam is defined and mumble_web_dhparam != '' %}
+  ssl_dhparam {{ mumble_web_dhparam }};
+{% endif %}
+
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+  ssl_prefer_server_ciphers off;
+
+  add_header Strict-Transport-Security "max-age=63072000" always;
+
+  # OCSP stapling
+  ssl_stapling on;
+  ssl_stapling_verify on;
+
+  # Verify chain of trust of OCSP response using Root CA and Intermediate certs
+  ssl_trusted_certificate {{ mumble_web_trusted_certificate }};
+
+  location / {
+    root /var/www/mumble-web/dist/;
+  }
+
+  location /mumble {
+    proxy_pass http://127.0.0.1:{{ mumble_web_websockify_port }};
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+  }
+}
+
+map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+}
--- a/roles/mumble/templates/umurmur.conf.j2
+++ b/roles/mumble/templates/umurmur.conf.j2
@@ -0,0 +1,72 @@
+{{ ansible_managed | comment }}
+max_bandwidth = 48000;
+welcometext = {{ umurmur_welcome_text
+    if umurmur_welcome_text is string 
+    else (umurmur_welcome_text | join('<br />')) 
+  | to_json }};
+certificate = {{ umurmur_certificate | to_json }};
+private_key = {{ umurmur_private_key | to_json }};
+password = {{ umurmur_user_password | to_json }};
+{% if umurmur_admin_password is defined %}
+admin_password = {{ umurmur_admin_password | to_json }};   # Set to enable admin functionality.
+{% endif %}
+# ban_length = 0;            # Length in seconds for a ban. Default is 0. 0 = forever.
+# enable_ban = false;        # Default is false
+# banfile = "banfile.txt";   # File to save bans to. Default is to not save bans to file.
+# sync_banfile = false;      # Keep banfile synced. Default is false, which means it is saved to at shutdown only.
+allow_textmessage = true;  # Default is true
+# opus_threshold = 100;      # Percentage of users supporting Opus codec for it to be chosen. Default is 100.
+# show_addresses = true;     # Whether to show client's IP addresses under user information
+max_users = {{ umurmur_max_users }};
+
+bindport = {{ umurmur_port }};
+# bindaddr = "0.0.0.0";
+
+# username and groupname for privilege dropping.
+# Will attempt to switch user if set. 
+# username = "";
+# If groupname not set the user's default login group will be used
+# groupname = "";
+
+# Log to file option. Default is logging to syslog.
+# umurmurd will close and reopen the logfile if SIGHUP is received.
+logfile = "/var/log/umurmurd.log";
+
+# CA location for CA-signed certificates
+# ca_path = "/path/to/ca/certificates/";
+
+# Channel tree definition:
+# Root channel must always be defined first.
+# If a channel has a parent, the parent must be defined before the child channel(s).
+channels = (
+{% for channel in umurmur_channels %}
+  {
+    name = {{ channel.name | to_json }};
+    description = {{ channel.description | default('') | to_json }};
+    parent = {{ channel.parent | default('') | to_json }};
+    noenter = {{ channel.noenter | default(false) | string | lower }};
+    silent = {{ channel.silent | default(false) | string | lower }};
+{% if channel.position is defined %}
+    position = {{ channel.position }};
+{% endif %}
+{% if channel.password is defined %}
+    password = {{ channel.password | to_json }};
+{% endif %}
+  }{{ loop.last | ternary("", ",") }}
+{% endfor %}
+);
+# Channel links configuration.
+channel_links = (
+{% for channel in umurmur_channel_links %}
+{% for destination in channel.destinations %}
+  {
+    source = {{ channel.source | to_json }};
+    destination = {{ destination | to_json }};
+  }{{ loop.last | ternary('', ',') }}
+{% endfor %}
+{% endfor %}
+);
+
+# The channel in which users will appear in when connecting.
+# Note that default channel can't have 'noenter = true' or password set
+default_channel = {{ umurmur_default_channel | to_json }};
--- a/roles/mumble/templates/umurmur.service.j2
+++ b/roles/mumble/templates/umurmur.service.j2
@@ -0,0 +1,28 @@
+[Unit]
+Description=Minimalistic Mumble server
+After=network.target
+
+[Service]
+Type=simple
+User=nobody
+Group={{ umurmur_ssl_group }}
+Restart=on-failure
+RestartSec=3
+PIDFile=/run/umurmurd.pid
+ExecStartPre=/usr/local/bin/umurmurd -t -c /usr/local/etc/umurmur.conf
+ExecStart=/usr/local/bin/umurmurd -d -r -c /usr/local/etc/umurmur.conf
+ExecReload=/bin/kill -HUP $MAINPID
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectSystem=strict
+ReadWriteDirectories=/usr/local/etc/
+ProtectHome=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+NoNewPrivileges=yes
+LimitRTPRIO=1
+
+[Install]
+WantedBy=multi-user.target