extract mumble and acme roles into separate repos

master
HgO 2020-05-21 22:31:03 +02:00
parent 476746f999
commit bae636a391
24 changed files with 125 additions and 832 deletions

17
ansible.cfg 100644
View File

@ -0,0 +1,17 @@
[defaults]
vault_identity=62a40f49-7deb-45e3-8c17-639277033357
vault_password_file=scripts/gopass-client.py
host_key_checking = False
inventory = inventories/hosts.ini
roles_path = ~/.ansible/roles:./roles:/usr/share/ansible/roles:/etc/ansible/roles
[gopass]
key_path=ansible
[ssh_connection]
ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null
pipelining = True
scp_if_ssh = True
[persistent_connection]
connect_timeout = 300

View File

@ -4,7 +4,7 @@ umurmur_domain: mumble.parley.be
umurmur_welcome_text: umurmur_welcome_text:
- Welcome to Parley Talk! - Welcome to Parley Talk!
- You can talk to the people in the room you joined. - You can talk to the people in the room you joined.
- You start in the Welcome room, to join another channel right click the room name and choose "Join Channel" - You start in the Welcome room, to join another channel double click on the room name.
umurmur_admin_password: wC7yZ4vV2ocb7AkBfQ2RwuhRqYVyiwY42Rjpw3pfJ umurmur_admin_password: wC7yZ4vV2ocb7AkBfQ2RwuhRqYVyiwY42Rjpw3pfJ
umurmur_max_users: 100 umurmur_max_users: 100
@ -43,4 +43,4 @@ umurmur_channels:
umurmur_default_channel: Welcome umurmur_default_channel: Welcome
mumble_web_domain: talk.parley.be mumble_web_domain: talk.parley.be
mumble_web_version: c03b78d096eae69e1cec82e148f65e7a8541bd68 mumble_web_version: master

View File

@ -6,5 +6,4 @@
- "{{ umurmur_domain }}" - "{{ umurmur_domain }}"
- "{{ mumble_web_domain }}" - "{{ mumble_web_domain }}"
roles: roles:
- acme - ppbe.mumble
- mumble

8
requirements.yml 100644
View File

@ -0,0 +1,8 @@
- name: ppbe.acme
src: https://dev.parley.be/PPBe/ansible-role-acme.git
scm: git
version: master
- name: ppbe.mumble
src: https://dev.parley.be/PPBe/ansible-role-mumble.git
scm: git
version: master

View File

@ -1,9 +0,0 @@
acme_directory: https://acme-v02.api.letsencrypt.org/directory
acme_config_dir: /etc/ssl
acme_keys_dir: "{{ acme_config_dir }}/private"
acme_csr_dir: "{{ acme_config_dir }}/csr"
acme_certs_dir: "{{ acme_config_dir }}/certs"
acme_accounts_dir: "{{ acme_config_dir }}/accounts"
acme_account_key: "acme_account.key"
acme_ssl_group: ssl-cert
acme_challenge_dir: /var/www/acme

View File

@ -1,184 +0,0 @@
#!/usr/bin/python3
import logging
import os
import sys
from datetime import datetime
import josepy as jose
from OpenSSL import crypto
from acme import client, messages, challenges, crypto_util
SSL_CONFIG_DIR="/etc/ssl"
OPENSSL_DATE_FORMAT = '%Y%m%d%H%M%SZ'
USER_AGENT="python-acme"
def select_http01_challenge(order):
for auth in order.authorizations:
for challenge in auth.body.challenges:
if isinstance(challenge.chall, challenges.HTTP01):
return challenge
raise Exception("HTTP-01 challenge was not offered by the CA server.")
def perform_http01_challenge(client_acme, challenge, order, challenge_dir):
response, validation = challenge.response_and_validation(client_acme.net.key)
validation_filename, validation_content = validation.split('.')
challenge_path = os.path.join(challenge_dir, validation_filename)
with open(challenge_path, 'w') as f_out:
f_out.write(validation_content)
client_acme.answer_challenge(challenge, response)
fullchain_pem = client_acme.poll_and_finalize(order).fullchain_pem
os.remove(challenge_path)
return fullchain_pem
def renew_cert(domain,
account_key_path,
privkey_path,
csr_path,
certs_dir,
challenge_dir,
directory_url,
days_before_renewal,
force = False):
logging.info(f"Checking {domain} certificate's expiration date…")
now = datetime.now()
cert_expiration_date = now
fullchain_path = os.path.join(certs_dir, "fullchain.pem")
try:
with open(fullchain_path, 'rb') as pem_in:
fullchain_pem = crypto.load_certificate(crypto.FILETYPE_PEM, pem_in.read())
cert_expiration_date = datetime.strptime(fullchain_pem.get_notAfter().decode(), OPENSSL_DATE_FORMAT)
except IOError as e:
logging.warning(f"Unable to load {domain} certificate: {e}")
cert_expiration_days = (cert_expiration_date - now).days
if not force and cert_expiration_days >= days_before_renewal:
logging.info(f"Certificate expires in {cert_expiration_days} days. Nothing to do.")
return
logging.info(f"Certificate expires in {cert_expiration_days} days! Renewing certificate…")
logging.info(f"Loading account key from {account_key_path}")
with open(account_key_path, 'rb') as pem_in:
account_pem = crypto.load_privatekey(crypto.FILETYPE_PEM, pem_in.read())
account_jwk = jose.JWKRSA(key=account_pem.to_cryptography_key())
account_jwk_pub = account_jwk.public_key()
logging.info(f"Loading {domain} CSR file from {csr_path}")
try:
with open(csr_path, 'r') as pem_in:
csr_pem = pem_in.read()
except IOError as e:
logging.warning(f"Unable to load CSR file: {e}")
logging.info(f"Loading {domain} private key from {privkey_path}")
with open(privkey_path, 'r') as pem_in:
privkey_pem = pem_in.read()
csr_pem = crypto_util.make_csr(privkey_pem, [domain])
client_network = client.ClientNetwork(account_jwk, user_agent=USER_AGENT)
directory = messages.Directory.from_json(client_network.get(directory_url).json())
client_acme = client.ClientV2(directory, net=client_network)
logging.info("Registering with ACME account…")
# Here we assume we already have an account
registration_message = messages.NewRegistration(
key=account_jwk_pub,
only_return_existing=True)
registration_response = client_acme._post(directory["newAccount"], registration_message)
account = client_acme._regr_from_response(registration_response)
client_acme.net.account = account
logging.info("Ordering ACME challenge…")
order = client_acme.new_order(csr_pem)
logging.info("Selecting HTTP-01 ACME challenge…")
challenge = select_http01_challenge(order)
logging.info("Performing HTTP-01 ACME challenge…")
fullchain_pem = perform_http01_challenge(client_acme, challenge, order, challenge_dir)
logging.info(f"Writing {domain} certificates into {certs_dir}")
certs_pem = []
for line in fullchain_pem.split('\n'):
if 'BEGIN CERTIFICATE' in line:
cert_pem = ''
cert_pem += line + '\n'
if 'END CERTIFICATE' in line:
certs_pem.append(cert_pem)
cert_path = os.path.join(certs_dir, "cert.pem")
with open(cert_path, 'w') as pem_out:
pem_out.write(certs_pem[0])
chain_path = os.path.join(certs_dir, "chain.pem")
with open(chain_path, 'w') as pem_out:
pem_out.write(''.join(certs_pem[1:]))
with open(fullchain_path, 'w') as pem_out:
pem_out.write(fullchain_pem)
if __name__ == '__main__':
import argparse
parser = argparse.ArgumentParser(
description="Renew ACME certificates for a list of domains. This script assumes you already have an account on the CA server and a private key for each certificate.",
formatter_class=argparse.ArgumentDefaultsHelpFormatter)
parser.add_argument("domains", nargs='+',
help="List of domain names for which to renew the certificate.")
parser.add_argument("--account_key", "-a",
default=os.path.join(SSL_CONFIG_DIR, "accounts", "acme_account.key"),
help="Path to the account key.")
parser.add_argument("--privkey", "-p",
default=os.path.join(SSL_CONFIG_DIR, "private", "{domain}.pem"),
help="Path to the private certificate.")
parser.add_argument("--csr", "-r",
default=os.path.join(SSL_CONFIG_DIR, "csr", "{domain}.pem"),
help="Path to the CSR file. If the file doesn't exist, it will be generated from the private key and the domain name.")
parser.add_argument("--certs", "-o",
default=os.path.join(SSL_CONFIG_DIR, "certs", "{domain}.d"),
help="Path to the certificates directory.")
parser.add_argument("--challenge", "-c",
default="/var/www/html/.well-known/acme-challenge",
help="Path to the challenge directory.")
parser.add_argument("--directory_url", "-u",
default="https://acme-v02.api.letsencrypt.org/directory",
help="Directory URL on which performing ACME challenges. Only ACME v2 is supported.")
parser.add_argument("--days", "-d", type=int,
default=30,
help="Days before attempting to renew the certificates.")
parser.add_argument("--quiet", "-q",
action="store_true",
help="Quiet mode.")
parser.add_argument("--force", "-f",
action="store_true",
help="Force certificates renewal without checking their expiration date.")
args = parser.parse_args()
log_level = logging.WARN if args.quiet else logging.INFO
logging.basicConfig(stream=sys.stdout, level=log_level, format="%(levelname)s:%(message)s")
for domain in args.domains:
account_key = args.account_key.format(domain=domain)
privkey = args.privkey.format(domain=domain)
csr = args.csr.format(domain=domain)
certs_dir = args.certs.format(domain=domain)
challenge_dir = args.challenge.format(domain=domain)
renew_cert(domain,
account_key_path=account_key,
privkey_path=privkey,
csr_path=csr,
certs_dir=certs_dir,
challenge_dir=challenge_dir,
directory_url=args.directory_url,
days_before_renewal=args.days,
force=args.force)

View File

@ -1,76 +0,0 @@
- name: Install ACME dependencies
apt:
name: python3-acme
state: present
tags: acme_install
- name: Create Let's Encrypt config directories
file:
path: "{{ config_dir }}"
state: directory
owner: root
group: "{{ acme_ssl_group }}"
mode: "711"
loop:
- "{{ acme_config_dir }}"
- "{{ acme_keys_dir }}"
- "{{ acme_accounts_dir }}"
- "{{ acme_csr_dir }}"
loop_control:
loop_var: config_dir
tags: acme_install
- name: Create challenge directory
file:
path: "{{ acme_challenge_dir }}/.well-known/acme-challenge"
state: directory
owner: root
group: root
mode: "755"
tags: acme_install
- name: Perform ACME challenge for each domain
include_tasks:
file: challenge.yml
apply:
tags: acme_challenge
loop: "{{ acme_domains | unique }}"
loop_control:
loop_var: domain_name
tags: acme_challenge
- name: Create directory for certificate renewal tool
file:
path: /opt/acme
owner: root
group: root
mode: "755"
state: directory
tags: acme_renew
- name: Copy script to renew ACME certificates
copy:
src: acme_renew_cert.py
dest: /opt/acme/acme_renew_cert.py
owner: root
group: root
mode: "755"
tags: acme_renew
- name: Setup cron job for ACME certificates renewal of {{ domain_name }}
cron:
name: acme renew {{ domain_name }} cert
job: >-
sleep $((RANDOM % 3600)) && /opt/acme/acme_renew_cert.py {{ domain_name }} -q
-a {{ (acme_accounts_dir + '/' + acme_account_key) | quote }}
-p {{ acme_keys_dir | quote }}/{domain}.pem
-r {{ acme_csr_dir | quote }}/{domain}.csr
-o {{ acme_certs_dir | quote }}/{domain}.d
-c {{ acme_challenge_dir | quote }}/.well-known/acme-challenge
minute: "30"
hour: "2"
state: present
loop: "{{ acme_domains | unique }}"
loop_control:
loop_var: domain_name
tags: acme_renew

View File

@ -1,91 +0,0 @@
- name: Create {{ domain_name }} certificates directory
file:
path: "{{ acme_certs_dir }}/{{ domain_name }}.d"
state: directory
owner: root
group: "{{ acme_ssl_group }}"
mode: "755"
tags: acme_install
- name: Generate Let's Encrypt account key
openssl_privatekey:
path: "{{ acme_accounts_dir }}/{{ acme_account_key }}"
owner: root
group: root
mode: "600"
type: RSA
size: 4096
tags: acme_account
- name: Generate Let's Encrypt private key for {{ domain_name }}
openssl_privatekey:
path: "{{ acme_keys_dir }}/{{ domain_name }}.pem"
owner: root
group: "{{ acme_ssl_group }}"
mode: "640"
type: RSA
size: 4096
- name: Generate Let's Encrypt CSR for {{ domain_name }}
openssl_csr:
path: "{{ acme_csr_dir }}/{{ domain_name }}.csr"
owner: root
group: "{{ acme_ssl_group }}"
mode: "644"
privatekey_path: "{{ acme_keys_dir }}/{{ domain_name }}.pem"
common_name: "{{ domain_name }}"
# - name: Check if Let's Encrypt certificate already exists for {{ domain_name }}
# stat:
# path: "{{ acme_certs_dir }}/{{ domain_name }}.d/cert.pem"
# register: _acme_cert_file
# - name: Check Let's Encrypt certificate expiration date for {{ domain_name }}
# openssl_certificate_info:
# path: "{{ acme_certs_dir }}/{{ domain_name }}.d/cert.pem"
# valid_at:
# thirty_days: "+30d"
# register: _acme_cert_validity
# when: _acme_cert_file.stat.isreg is defined and _acme_cert_file.stat.isreg
- name: Begin Let's Encrypt challenges for {{ domain_name }}
acme_certificate:
acme_directory: "{{ acme_directory }}"
acme_version: "{{ acme_version }}"
account_key_src: "{{ acme_accounts_dir }}/{{ acme_account_key }}"
account_email: "{{ acme_email }}"
terms_agreed: yes
challenge: http-01
csr: "{{ acme_csr_dir }}/{{ domain_name }}.csr"
dest: "{{ acme_certs_dir }}/{{ domain_name }}.d/cert.pem"
fullchain_dest: "{{ acme_certs_dir }}/{{ domain_name }}.d/fullchain.pem"
remaining_days: 30
register: _acme_challenge
# when: _acme_cert_validity is skipped or not _acme_cert_validity.valid_at.thirty_days
- debug:
var: _acme_challenge
# - name: Implement and complete Let's Encrypt challenge for {{ domain_name }}
# when: _acme_challenge is not skipped
# block:
# - name: Implement http-01 challenge files for {{ domain_name }}
# copy:
# content: "{{ _acme_challenge.challenge_data[domain_name]['http-01'].resource_value }}"
# dest: "{{ acme_challenge_dir }}/{{ _acme_challenge.challenge_data[domain_name]['http-01'].resource }}"
# owner: root
# group: root
# mode: "644"
# - name: Complete Let's Encrypt challenges for {{ domain_name }}
# acme_certificate:
# acme_directory: "{{ acme_directory }}"
# acme_version: "{{ acme_version }}"
# account_key_src: "{{ acme_accounts_dir }}/{{ acme_account_key }}"
# account_email: "{{ acme_email }}"
# challenge: http-01
# csr: "{{ acme_csr_dir }}/{{ domain_name }}.csr"
# dest: "{{ acme_certs_dir }}/{{ domain_name }}.d/cert.pem"
# chain_dest: "{{ acme_certs_dir }}/{{ domain_name }}.d/chain.pem"
# fullchain_dest: "{{ acme_certs_dir }}/{{ domain_name }}.d/fullchain.pem"
# data: "{{ _acme_challenge }}"

View File

@ -1,2 +0,0 @@
- import_tasks: acme.yml
tags: acme

View File

@ -1 +0,0 @@
acme_version: 2

View File

@ -1,24 +0,0 @@
umurmur_user_password: ""
umurmur_channel_links:
- source: "{{ umurmur_default_channel }}"
destinations: >-
{{ umurmur_channels
| selectattr('parent', 'defined')
| selectattr('parent', '==', umurmur_default_channel)
| map(attribute='name')
| list
}}
umurmur_ssl_group: "{{ acme_ssl_group }}"
umurmur_certificate: "{{ acme_certs_dir }}/{{ umurmur_domain }}.d/fullchain.pem"
umurmur_private_key: "{{ acme_keys_dir }}/{{ umurmur_domain }}.pem"
umurmur_version: master
umurmur_ispublic: yes
umurmur_port: "64738"
mumble_web_certificate: "{{ acme_certs_dir }}/{{ mumble_web_domain }}.d/fullchain.pem"
mumble_web_trusted_certificate: "{{ acme_certs_dir }}/{{ mumble_web_domain }}.d/chain.pem"
mumble_web_private_key: "{{ acme_keys_dir }}/{{ mumble_web_domain }}.pem"
mumble_web_dhparam: "/etc/nginx/ssl/dhparam.pem"
mumble_web_www_dir: /var/www/mumble-web
mumble_web_version: master
mumble_web_websockify_port: "64737"

View File

@ -1,21 +0,0 @@
- name: reload systemd
systemd:
daemon_reload: yes
register: systemd_reloaded
- name: restart umurmur
service:
name: umurmur
state: restarted
when:
- not (umurmur_started.changed | default(false)) or (systemd_reloaded.changed | default(false))
- name: restart mumble-web
service:
name: mumble-web
state: restarted
when:
- not (mumble_web_started.changed | default(false)) or (systemd_reloaded.changed | default(false))
- name: reload nginx
include_tasks: ../handlers/nginx.yml

View File

@ -1,7 +0,0 @@
- name: Validate Nginx config
command: nginx -t
- name: Reload Nginx server
service:
name: nginx
state: reloaded

View File

@ -1,5 +0,0 @@
dependencies:
- role: geerlingguy.nodejs
vars:
nodejs_install_npm_user: root
tags: [nodejs,mumble_web]

View File

@ -1,11 +0,0 @@
- name: Install and configure umurmur server
import_tasks: umurmur.yml
tags: umurmur
- name: Install and configure mumble web client
import_tasks: mumble_web.yml
tags: mumble_web
- name: Configure Nginx for mumble web client
import_tasks: nginx.yml
tags: nginx

View File

@ -1,77 +0,0 @@
- name: Install websockify
apt:
name: websockify
state: present
notify: restart mumble-web
tags: mumble_web_install
- name: Clone mumble-web git repository
git:
repo: https://github.com/Johni0702/mumble-web.git
dest: "{{ mumble_web_www_dir }}"
version: "{{ mumble_web_version }}"
tags: mumble_web_install
- name: Change mumble-web git repository's permissions
file:
path: "{{ mumble_web_www_dir }}"
owner: root
group: www-data
mode: "755"
state: directory
tags: mumble_web_install
- name: Build mumble-web from sources
command: npm install
args:
chdir: "{{ mumble_web_www_dir }}"
register: _mumble_web_installed
changed_when: _mumble_web_installed.stdout is regex('(added|removed) [0-9]+ package')
tags: [mumble_web_install,mumble_web_build]
- name: Apply security suggestions
command: npm audit fix
args:
chdir: "{{ mumble_web_www_dir }}"
when: _mumble_web_installed is changed and _mumble_web_installed.stdout is search('npm audit fix')
tags: [mumble_web_install,mumble_web_build]
- name: Build mumble-web assets
command: npm run build
args:
chdir: "{{ mumble_web_www_dir }}"
register: _mumble_web_assets_built
when: _mumble_web_installed is changed
tags: [mumble_web_install,mumble_web_build]
- name: Copy mumble-web config file
template:
src: mumble-web.js.j2
dest: "{{ mumble_web_www_dir }}/dist/config.local.js"
owner: root
group: www-data
mode: "640"
tags: [mumble_web_install,mumble_web_config]
- name: Copy mumble-web systemd service
template:
src: mumble-web.service.j2
dest: /etc/systemd/system/mumble-web.service
owner: root
group: root
mode: "644"
notify:
- reload systemd
- restart mumble-web
tags: [mumble_web_install,mumble_web_config]
- name: Start mumble-web service
service:
name: mumble-web
state: started
enabled: yes
register: mumble_web_started
tags: mumble_web_run
- name: Trigger mumble-web handlers
meta: flush_handlers

View File

@ -1,18 +0,0 @@
- name: Copy Nginx config file
template:
src: nginx.conf.j2
dest: /etc/nginx/sites-available/mumble.conf
owner: root
group: www-data
mode: "755"
notify: reload nginx
- name: Enable Nginx config file
file:
src: /etc/nginx/sites-available/mumble.conf
path: /etc/nginx/sites-enabled/mumble.conf
state: link
notify: reload nginx
- name: Trigger Nginx handlers
meta: flush_handlers

View File

@ -1,88 +0,0 @@
- name: Install umurmur build dependencies
apt:
name:
- git
- build-essential
- cmake
- libconfig-dev
- libprotobuf-c-dev
- libmbedtls-dev
- ssl-cert
- name: Clone umurmur git repository
git:
repo: https://github.com/umurmur/umurmur.git
dest: /opt/umurmur
version: "{{ umurmur_version }}"
- name: Change umurmur git repository's permissions
file:
path: /opt/umurmur
owner: root
group: root
mode: "775"
state: directory
- name: Create the build directory
file:
path: /opt/umurmur/build
owner: root
group: root
mode: "775"
state: directory
- name: Generate the Makefile with cmake
shell: cd /opt/umurmur/build && cmake .. -DSSL=mbedtls
changed_when: no
- name: Build umurmur from source
make:
chdir: /opt/umurmur/build
changed_when: _umurmur_built.stdout_lines | length > 1
register: _umurmur_built
- name: Install umurmur
make:
chdir: /opt/umurmur/build
target: install
changed_when: "'Installing' in _umurmur_installed.stdout"
register: _umurmur_installed
notify: restart umurmur
- name: Copy umurmur config file
template:
src: umurmur.conf.j2
dest: /usr/local/etc/umurmur.conf
owner: root
group: "{{ umurmur_ssl_group }}"
mode: "640"
validate: /usr/local/bin/umurmurd -t -c %s
notify: restart umurmur
tags: umurmur_config
- name: Copy umurmur systemd service
template:
src: umurmur.service.j2
dest: /etc/systemd/system/umurmur.service
owner: root
group: root
mode: "644"
notify:
- reload systemd
- restart umurmur
- name: Start umurmur service
service:
name: umurmur
enabled: yes
state: started
register: umurmur_started
- name: Trigger umurmur handlers
meta: flush_handlers
- name: Open umurmur port with UFW
ufw:
rule: allow
port: "{{ umurmur_port }}"
when: umurmur_ispublic | bool

View File

@ -1,23 +0,0 @@
{{ ansible_managed | comment('c') }}
// You can overwrite the default configuration values set in [config.js] here.
// There should never be any required changes to this file and you can always
// simply copy it over when updating to a new version.
let config = window.mumbleWebConfig // eslint-disable-line no-unused-vars
// E.g. changing default address and theme:
// config.defaults.address = 'voice.example.com'
// config.defaults.theme = 'MetroMumbleDark
// Which fields to show on the Connect to Server dialog
config.connectDialog.address = false
config.connectDialog.port = false
config.connectDialog.token = false
config.connectDialog.password = {{ (umurmur_user_password != '') | lower }}
// Default values for user settings
// You can see your current value by typing `localStorage.getItem('mumble.$setting')` in the web console.
config.settings.pttKey = 'shift'
// Default values (can be changed by passing a query parameter of the same name)
config.defaults.address = "{{ mumble_web_domain }}/mumble"

View File

@ -1,26 +0,0 @@
[Unit]
Description=Mumble web client using websockets
After=network.target
[Service]
Type=simple
User=nobody
Group=nogroup
Restart=on-failure
RestartSec=3
PIDFile=/run/mumble-web.pid
ExecStart=/usr/bin/websockify --ssl-target {{ mumble_web_websockify_port }} localhost:{{ umurmur_port }}
ExecReload=/bin/kill -HUP $MAINPID
PrivateDevices=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
NoNewPrivileges=yes
LimitRTPRIO=1
[Install]
WantedBy=multi-user.target

View File

@ -1,65 +0,0 @@
{{ ansible_managed | comment }}
server {
listen 80;
listen [::]:80;
server_name {{ mumble_web_domain }};
location / {
return 301 https://$host$request_uri;
}
{% if acme_challenge_dir is defined %}
location ^~ /.well-known/acme-challenge/ {
allow all;
root {{ acme_challenge_dir }};
try_files $uri =404;
}
{% endif %}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ mumble_web_domain }};
ssl_certificate {{ mumble_web_certificate }};
ssl_certificate_key {{ mumble_web_private_key }};
ssl_session_timeout 1d;
ssl_session_cache shared:AnsibleSSL:10m; # about 40000 sessions
ssl_session_tickets off;
{% if mumble_web_dhparam is defined and mumble_web_dhparam != '' %}
ssl_dhparam {{ mumble_web_dhparam }};
{% endif %}
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# Verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate {{ mumble_web_trusted_certificate }};
location / {
root /var/www/mumble-web/dist/;
}
location /mumble {
proxy_pass http://127.0.0.1:{{ mumble_web_websockify_port }};
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}

View File

@ -1,72 +0,0 @@
{{ ansible_managed | comment }}
max_bandwidth = 48000;
welcometext = {{ umurmur_welcome_text
if umurmur_welcome_text is string
else (umurmur_welcome_text | join('<br />'))
| to_json }};
certificate = {{ umurmur_certificate | to_json }};
private_key = {{ umurmur_private_key | to_json }};
password = {{ umurmur_user_password | to_json }};
{% if umurmur_admin_password is defined %}
admin_password = {{ umurmur_admin_password | to_json }}; # Set to enable admin functionality.
{% endif %}
# ban_length = 0; # Length in seconds for a ban. Default is 0. 0 = forever.
# enable_ban = false; # Default is false
# banfile = "banfile.txt"; # File to save bans to. Default is to not save bans to file.
# sync_banfile = false; # Keep banfile synced. Default is false, which means it is saved to at shutdown only.
allow_textmessage = true; # Default is true
# opus_threshold = 100; # Percentage of users supporting Opus codec for it to be chosen. Default is 100.
# show_addresses = true; # Whether to show client's IP addresses under user information
max_users = {{ umurmur_max_users }};
bindport = {{ umurmur_port }};
# bindaddr = "0.0.0.0";
# username and groupname for privilege dropping.
# Will attempt to switch user if set.
# username = "";
# If groupname not set the user's default login group will be used
# groupname = "";
# Log to file option. Default is logging to syslog.
# umurmurd will close and reopen the logfile if SIGHUP is received.
logfile = "/var/log/umurmurd.log";
# CA location for CA-signed certificates
# ca_path = "/path/to/ca/certificates/";
# Channel tree definition:
# Root channel must always be defined first.
# If a channel has a parent, the parent must be defined before the child channel(s).
channels = (
{% for channel in umurmur_channels %}
{
name = {{ channel.name | to_json }};
description = {{ channel.description | default('') | to_json }};
parent = {{ channel.parent | default('') | to_json }};
noenter = {{ channel.noenter | default(false) | string | lower }};
silent = {{ channel.silent | default(false) | string | lower }};
{% if channel.position is defined %}
position = {{ channel.position }};
{% endif %}
{% if channel.password is defined %}
password = {{ channel.password | to_json }};
{% endif %}
}{{ loop.last | ternary("", ",") }}
{% endfor %}
);
# Channel links configuration.
channel_links = (
{% for channel in umurmur_channel_links %}
{% for destination in channel.destinations %}
{
source = {{ channel.source | to_json }};
destination = {{ destination | to_json }};
}{{ loop.last | ternary('', ',') }}
{% endfor %}
{% endfor %}
);
# The channel in which users will appear in when connecting.
# Note that default channel can't have 'noenter = true' or password set
default_channel = {{ umurmur_default_channel | to_json }};

View File

@ -1,28 +0,0 @@
[Unit]
Description=Minimalistic Mumble server
After=network.target
[Service]
Type=simple
User=nobody
Group={{ umurmur_ssl_group }}
Restart=on-failure
RestartSec=3
PIDFile=/run/umurmurd.pid
ExecStartPre=/usr/local/bin/umurmurd -t -c /usr/local/etc/umurmur.conf
ExecStart=/usr/local/bin/umurmurd -d -r -c /usr/local/etc/umurmur.conf
ExecReload=/bin/kill -HUP $MAINPID
PrivateDevices=yes
PrivateTmp=yes
ProtectSystem=strict
ReadWriteDirectories=/usr/local/etc/
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
NoNewPrivileges=yes
LimitRTPRIO=1
[Install]
WantedBy=multi-user.target

View File

@ -0,0 +1,97 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import argparse
import configparser
import logging
import os
import subprocess
import sys
ANSIBLE_ENV_DIR = os.getenv("ANSIBLE_CONFIG")
ANSIBLE_DIR = "/etc/ansible"
CURRENT_DIR = os.getcwd()
HOME_DIR = os.getenv("HOME")
ANSIBLE_CONFIG_SECTION = "gopass"
ANSIBLE_CONFIG_KEY = "key_path"
class ShutdownHandler(logging.Handler):
def emit(self, record):
logging.shutdown()
sys.exit(1)
def find_ansible_config_value(section, key):
config = configparser.ConfigParser()
ansible_config_dirs = [CURRENT_DIR, HOME_DIR, ANSIBLE_DIR]
if ANSIBLE_ENV_DIR:
ansible_config_dirs.insert(0, ANSIBLE_ENV_DIR)
for ansible_config_dir in ansible_config_dirs:
ansible_config_path = os.path.join(ansible_config_dir, "ansible.cfg")
config.read(ansible_config_path)
try:
return config[section][key]
except KeyError:
logging.debug(f"Cannot find '{key}' key in '{ansible_config_path}' config file")
ansible_config_paths = ':'.join(ansible_config_dirs)
raise RuntimeError(f"Cannot find key '{ANSIBLE_CONFIG_KEY}' in {ansible_config_paths}")
def build_arg_parser():
parser = argparse.ArgumentParser(description='Get a vault password from user keyring')
parser.add_argument('--vault-id', action='store', default='',
dest='vault_id',
help='Name of the vault secret to get from keyring')
return parser
def main():
logger = logging.getLogger()
logger.setLevel(logging.NOTSET)
formatter = logging.Formatter("%(levelname)s: %(message)s")
stdout_handler = logging.StreamHandler(sys.stdout)
stdout_handler.setLevel(logging.INFO)
stdout_handler.addFilter(lambda record: record.levelno <= logging.INFO)
stdout_handler.setFormatter(formatter)
logger.addHandler(stdout_handler)
stderr_handler = logging.StreamHandler(sys.stderr)
stderr_handler.setLevel(logging.WARNING)
stderr_handler.setFormatter(formatter)
logger.addHandler(stderr_handler)
logger.addHandler(ShutdownHandler(level=logging.ERROR))
try:
ansible_config_value = find_ansible_config_value(ANSIBLE_CONFIG_SECTION, ANSIBLE_CONFIG_KEY)
except RuntimeError as e:
logging.error(e)
arg_parser = build_arg_parser()
args = arg_parser.parse_args()
ansible_vault_id = args.vault_id
gopass_key_path = os.path.join(ansible_config_value, ansible_vault_id)
gopass_keys_cmd = subprocess.run(["gopass", "ls", "--flat"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
if gopass_keys_cmd.returncode != 0:
logging.error(gopass_keys_cmd.stderr.decode())
gopass_keys = map(bytes.decode, gopass_keys_cmd.stdout.splitlines())
try:
gopass_keyname = next(key for key in gopass_keys if key.endswith(gopass_key_path))
except StopIteration:
logging.error(f"Cannot find '{gopass_key_path}' entry in gopass")
ansible_vault_pass_cmd = subprocess.run(["gopass", "show", "-o", gopass_keyname], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
if ansible_vault_pass_cmd.returncode != 0:
logging.error(ansible_vault_pass_cmd.stderr.decode())
print(ansible_vault_pass_cmd.stdout.decode())
if __name__ == '__main__':
main()