create mumble role

defaults/main.yml

@@ -0,0 +1,26 @@
+umurmur_user_password: ""
+umurmur_channel_links:
+- source: "{{ umurmur_default_channel }}"
+  destinations: >-
+    {{ umurmur_channels
+      | selectattr('parent', 'defined')
+      | selectattr('parent', '==', umurmur_default_channel)
+      | map(attribute='name')
+      | list
+    }}
+umurmur_ssl_group: "{{ acme_ssl_group }}"
+umurmur_certificate: "{{ acme_certs_dir }}/{{ umurmur_domain }}.d/fullchain.pem"
+umurmur_private_key: "{{ acme_keys_dir }}/{{ umurmur_domain }}.pem"
+umurmur_version: master
+umurmur_ispublic: yes
+umurmur_port: "64738"
+
+mumble_web_owner: mumble-web
+mumble_web_group: "{{ mumble_web_owner }}"
+mumble_web_certificate: "{{ acme_certs_dir }}/{{ mumble_web_domain }}.d/fullchain.pem"
+mumble_web_trusted_certificate: "{{ acme_certs_dir }}/{{ mumble_web_domain }}.d/chain.pem"
+mumble_web_private_key: "{{ acme_keys_dir }}/{{ mumble_web_domain }}.pem"
+mumble_web_dhparam: "/etc/nginx/ssl/dhparam.pem"
+mumble_web_www_dir: /var/www/mumble-web
+mumble_web_version: master
+mumble_web_websockify_port: "64737"

handlers/main.yml

@@ -0,0 +1,23 @@
+- name: reload systemd
+  systemd:
+    daemon_reload: yes
+  register: systemd_reloaded
+
+# In order to take into account rooms config changes, umurmur must be restarted.
+# A simple reload won't work for rooms positionning, for instance.
+- name: restart umurmur
+  service:
+    name: umurmur
+    state: restarted
+  when:
+  - not (umurmur_started.changed | default(false))
+
+- name: reload mumble-web
+  service:
+    name: mumble-web
+    state: reloaded
+  when:
+  - not (mumble_web_started.changed | default(false))
+
+- name: reload nginx
+  include_tasks: ../handlers/nginx.yml

handlers/nginx.yml

@@ -0,0 +1,7 @@
+- name: Validate Nginx config
+  command: nginx -t
+
+- name: Reload Nginx server
+  service:
+    name: nginx
+    state: reloaded

meta/main.yml

@@ -0,0 +1,59 @@
+
+dependencies:
+- role: acme
+  tags: [acme]
+- role: geerlingguy.nodejs
+  vars:
+    nodejs_install_npm_user: root
+  tags: [nodejs,mumble_web]
+
+galaxy_info:
+  role_name: mumble
+  author: HgO
+  description: Ansible role to install umurmur, the minimalistic Mumble server, and mumble-web client.
+  company: PPBe
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Some suggested licenses:
+  # - BSD (default)
+  # - MIT
+  # - GPLv2
+  # - GPLv3
+  # - Apache
+  # - CC-BY
+  license: GPLv3
+
+  min_ansible_version: 2.9
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  # Optionally specify the branch Galaxy will use when accessing the GitHub
+  # repo for this role. During role install, if no tags are available,
+  # Galaxy will use this branch. During import Galaxy will access files on
+  # this branch. If Travis integration is configured, only notifications for this
+  # branch will be accepted. Otherwise, in all cases, the repo's default branch
+  # (usually master) will be used.
+  #github_branch:
+
+  #
+  # platforms is a list of platforms, and each platform has a name and a list of versions.
+  #
+  platforms:
+  - name: Ubuntu
+    versions:
+    - all
+  - name: Debian
+    versions:
+    - all
+
+  galaxy_tags: [mumble,voip,umurmur]
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.

tasks/main.yml

@@ -0,0 +1,11 @@
+- name: Install and configure umurmur server
+  import_tasks: umurmur.yml
+  tags: umurmur
+
+- name: Install and configure mumble web client
+  import_tasks: mumble_web.yml
+  tags: mumble_web
+
+- name: Configure Nginx for mumble web client
+  import_tasks: nginx.yml
+  tags: nginx

tasks/mumble_web.yml

@@ -0,0 +1,78 @@
+- name: Install websockify
+  apt:
+    name: websockify
+    state: present
+  notify: reload mumble-web
+  tags: mumble_web_install
+
+- name: Create mumble-web system user
+  user:
+    name: "{{ mumble_web_owner }}"
+    home: "{{ mumble_web_www_dir }}"
+    groups:
+    - www-data
+    shell: /sbin/nologin
+    password: '*'
+    state: present
+    system: yes
+    append: yes
+    create_home: no
+
+- name: Change mumble-web home directory's permissions
+  file:
+    path: "{{ mumble_web_www_dir }}"
+    owner: "{{ mumble_web_owner }}"
+    group: "{{ mumble_web_group }}"
+    mode: "755"
+    state: directory
+  tags: mumble_web_install
+
+- name: Clone mumble-web git repository
+  git:
+    repo: https://github.com/Johni0702/mumble-web.git
+    dest: "{{ mumble_web_www_dir }}"
+    version: "{{ mumble_web_version }}"
+  register: mumble_web_cloned
+  become_user: "{{ mumble_web_owner }}"
+  tags: mumble_web_install
+
+- name: Build mumble-web from sources
+  command: npm clean-install
+  args:
+    chdir: "{{ mumble_web_www_dir }}"
+  register: _mumble_web_installed
+  become_user: "{{ mumble_web_owner }}"
+  when: mumble_web_cloned is changed
+  tags: [mumble_web_install,mumble_web_build]
+
+- name: Copy mumble-web config file
+  template:
+    src: mumble-web.js.j2
+    dest: "{{ mumble_web_www_dir }}/dist/config.local.js"
+    owner: "{{ mumble_web_owner }}"
+    group: "{{ mumble_web_group }}"
+    mode: "644"
+  tags: [mumble_web_install,mumble_web_config]
+
+- name: Copy mumble-web systemd service
+  template:
+    src: mumble-web.service.j2
+    dest: /etc/systemd/system/mumble-web.service
+    owner: root
+    group: root
+    mode: "644"
+  notify:
+  - reload systemd
+  - reload mumble-web
+  tags: [mumble_web_install,mumble_web_config]
+
+- name: Start mumble-web service
+  service:
+    name: mumble-web
+    state: started
+    enabled: yes
+  register: mumble_web_started
+  tags: mumble_web_run
+
+- name: Trigger mumble-web handlers
+  meta: flush_handlers

tasks/nginx.yml

@@ -0,0 +1,18 @@
+- name: Copy Nginx config file
+  template:
+    src: nginx.conf.j2
+    dest: /etc/nginx/sites-available/mumble.conf
+    owner: root
+    group: www-data
+    mode: "755"
+  notify: reload nginx
+
+- name: Enable Nginx config file
+  file:
+    src: /etc/nginx/sites-available/mumble.conf
+    path: /etc/nginx/sites-enabled/mumble.conf
+    state: link
+  notify: reload nginx
+
+- name: Trigger Nginx handlers
+  meta: flush_handlers

tasks/umurmur.yml

@@ -0,0 +1,91 @@
+- name: Install umurmur build dependencies
+  apt:
+    name: "{{ package }}"
+  loop:
+  - git
+  - build-essential
+  - cmake
+  - libconfig-dev
+  - libprotobuf-c-dev
+  - libmbedtls-dev
+  - ssl-cert
+  loop_control:
+    loop_var: package
+
+- name: Clone umurmur git repository
+  git:
+    repo: https://github.com/umurmur/umurmur.git
+    dest: /opt/umurmur
+    version: "{{ umurmur_version }}"
+
+- name: Change umurmur git repository's permissions
+  file:
+    path: /opt/umurmur
+    owner: root
+    group: root
+    mode: "775"
+    state: directory
+
+- name: Create the build directory
+  file:
+    path: /opt/umurmur/build
+    owner: root
+    group: root
+    mode: "775"
+    state: directory
+
+- name: Generate the Makefile with cmake
+  shell: cd /opt/umurmur/build && cmake .. -DSSL=mbedtls
+  changed_when: no
+
+- name: Build umurmur from source
+  make:
+    chdir: /opt/umurmur/build
+  changed_when: _umurmur_built.stdout_lines | length > 1
+  register: _umurmur_built
+
+- name: Install umurmur
+  make:
+    chdir: /opt/umurmur/build
+    target: install
+  changed_when: "'Installing' in _umurmur_installed.stdout"
+  register: _umurmur_installed
+  notify: restart umurmur
+
+- name: Copy umurmur config file
+  template:
+    src: umurmur.conf.j2
+    dest: /usr/local/etc/umurmur.conf
+    owner: root
+    group: "{{ umurmur_ssl_group }}"
+    mode: "640"
+    validate: /usr/local/bin/umurmurd -t -c %s
+  notify: restart umurmur
+  tags: umurmur_config
+
+- name: Copy umurmur systemd service
+  template:
+    src: umurmur.service.j2
+    dest: /etc/systemd/system/umurmur.service
+    owner: root
+    group: root
+    mode: "644"
+  notify:
+  - reload systemd
+  - restart umurmur
+
+- name: Start umurmur service
+  service:
+    name: umurmur
+    enabled: yes
+    state: started
+  register: umurmur_started
+
+- name: Trigger umurmur handlers
+  meta: flush_handlers
+
+- name: Open umurmur port with UFW
+  ufw:
+    rule: allow
+    port: "{{ umurmur_port }}"
+  when: umurmur_ispublic | bool

templates/mumble-web.js.j2

@@ -0,0 +1,23 @@
+{{ ansible_managed | comment('c') }}
+// You can overwrite the default configuration values set in [config.js] here.
+// There should never be any required changes to this file and you can always
+// simply copy it over when updating to a new version.
+
+let config = window.mumbleWebConfig // eslint-disable-line no-unused-vars
+
+// E.g. changing default address and theme:
+// config.defaults.address = 'voice.example.com'
+// config.defaults.theme = 'MetroMumbleDark
+
+// Which fields to show on the Connect to Server dialog
+config.connectDialog.address = false
+config.connectDialog.port = false
+config.connectDialog.token = false
+config.connectDialog.password = {{ (umurmur_user_password != '') | lower }}
+
+// Default values for user settings
+// You can see your current value by typing `localStorage.getItem('mumble.$setting')` in the web console.
+config.settings.pttKey = 'shift'
+
+// Default values (can be changed by passing a query parameter of the same name)
+config.defaults.address = "{{ mumble_web_domain }}/mumble"

templates/mumble-web.service.j2

@@ -0,0 +1,16 @@
+[Unit]
+Description=Mumble web client using websockets
+After=network.target umurmur.service
+Wants=umurmur.service
+
+[Service]
+Type=simple
+User=nobody
+Group=nogroup
+Restart=always
+RestartSec=3
+ExecStart=/usr/bin/websockify --ssl-target {{ mumble_web_websockify_port }} localhost:{{ umurmur_port }}
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target

templates/nginx.conf.j2

@@ -0,0 +1,65 @@
+{{ ansible_managed | comment }}
+server {
+  listen 80;
+  listen [::]:80;
+  server_name {{ mumble_web_domain }};
+
+  location / {
+    return 301 https://$host$request_uri;
+  }
+  
+{% if acme_challenge_dir is defined %}
+  location ^~ /.well-known/acme-challenge/ {
+		allow all;
+		root {{ acme_challenge_dir }};
+		try_files $uri =404;
+	}
+{% endif %}
+}
+
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+
+  server_name {{ mumble_web_domain }};
+
+  ssl_certificate {{ mumble_web_certificate }};
+  ssl_certificate_key {{ mumble_web_private_key }};
+
+  ssl_session_timeout 1d;
+  ssl_session_cache shared:AnsibleSSL:10m;  # about 40000 sessions
+  ssl_session_tickets off;
+
+{% if mumble_web_dhparam is defined and mumble_web_dhparam != '' %}
+  ssl_dhparam {{ mumble_web_dhparam }};
+{% endif %}
+
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+  ssl_prefer_server_ciphers off;
+
+  add_header Strict-Transport-Security "max-age=63072000" always;
+
+  # OCSP stapling
+  ssl_stapling on;
+  ssl_stapling_verify on;
+
+  # Verify chain of trust of OCSP response using Root CA and Intermediate certs
+  ssl_trusted_certificate {{ mumble_web_trusted_certificate }};
+
+  location / {
+    root /var/www/mumble-web/dist/;
+  }
+
+  location /mumble {
+    proxy_pass http://127.0.0.1:{{ mumble_web_websockify_port }};
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+  }
+}
+
+map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+}

templates/umurmur.conf.j2

@@ -0,0 +1,72 @@
+{{ ansible_managed | comment }}
+max_bandwidth = 48000;
+welcometext = {{ umurmur_welcome_text
+    if umurmur_welcome_text is string 
+    else (umurmur_welcome_text | join('<br />')) 
+  | to_json }};
+certificate = {{ umurmur_certificate | to_json }};
+private_key = {{ umurmur_private_key | to_json }};
+password = {{ umurmur_user_password | to_json }};
+{% if umurmur_admin_password is defined %}
+admin_password = {{ umurmur_admin_password | to_json }};   # Set to enable admin functionality.
+{% endif %}
+# ban_length = 0;            # Length in seconds for a ban. Default is 0. 0 = forever.
+# enable_ban = false;        # Default is false
+# banfile = "banfile.txt";   # File to save bans to. Default is to not save bans to file.
+# sync_banfile = false;      # Keep banfile synced. Default is false, which means it is saved to at shutdown only.
+allow_textmessage = true;  # Default is true
+# opus_threshold = 100;      # Percentage of users supporting Opus codec for it to be chosen. Default is 100.
+# show_addresses = true;     # Whether to show client's IP addresses under user information
+max_users = {{ umurmur_max_users }};
+
+bindport = {{ umurmur_port }};
+# bindaddr = "0.0.0.0";
+
+# username and groupname for privilege dropping.
+# Will attempt to switch user if set. 
+# username = "";
+# If groupname not set the user's default login group will be used
+# groupname = "";
+
+# Log to file option. Default is logging to syslog.
+# umurmurd will close and reopen the logfile if SIGHUP is received.
+logfile = "/var/log/umurmurd.log";
+
+# CA location for CA-signed certificates
+# ca_path = "/path/to/ca/certificates/";
+
+# Channel tree definition:
+# Root channel must always be defined first.
+# If a channel has a parent, the parent must be defined before the child channel(s).
+channels = (
+{% for channel in umurmur_channels %}
+  {
+    name = {{ channel.name | to_json }};
+    description = {{ channel.description | default('') | to_json }};
+    parent = {{ channel.parent | default('') | to_json }};
+    noenter = {{ channel.noenter | default(false) | string | lower }};
+    silent = {{ channel.silent | default(false) | string | lower }};
+{% if channel.position is defined %}
+    position = {{ channel.position }};
+{% endif %}
+{% if channel.password is defined %}
+    password = {{ channel.password | to_json }};
+{% endif %}
+  }{{ loop.last | ternary("", ",") }}
+{% endfor %}
+);
+# Channel links configuration.
+channel_links = (
+{% for channel in umurmur_channel_links %}
+{% for destination in channel.destinations %}
+  {
+    source = {{ channel.source | to_json }};
+    destination = {{ destination | to_json }};
+  }{{ loop.last | ternary('', ',') }}
+{% endfor %}
+{% endfor %}
+);
+
+# The channel in which users will appear in when connecting.
+# Note that default channel can't have 'noenter = true' or password set
+default_channel = {{ umurmur_default_channel | to_json }};

templates/umurmur.service.j2

@@ -0,0 +1,16 @@
+[Unit]
+Description=Minimalistic Mumble server
+After=network.target
+
+[Service]
+Type=simple
+User=nobody
+Group={{ umurmur_ssl_group }}
+Restart=always
+RestartSec=3
+ExecStartPre=/usr/local/bin/umurmurd -t -c /usr/local/etc/umurmur.conf
+ExecStart=/usr/local/bin/umurmurd -d -r -c /usr/local/etc/umurmur.conf
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target