diff --git a/defaults/main.yml b/defaults/main.yml index 4e170b2..c9961be 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,4 +1,73 @@ -umurmur_user_password: "" +mumble_web_domain: "mumble.example.com" +mumble_web_owner: mumble-web +mumble_web_group: "{{ mumble_web_owner }}" +mumble_web_certificate: "{{ acme_certs_dir }}/{{ mumble_web_domain }}.d/fullchain.pem" +mumble_web_trusted_certificate: "{{ acme_certs_dir }}/{{ mumble_web_domain }}.d/chain.pem" +mumble_web_private_key: "{{ acme_keys_dir }}/{{ mumble_web_domain }}.pem" +mumble_web_dhparam: "/etc/nginx/ssl/dhparam.pem" +mumble_web_www_dir: /var/www/mumble-web +mumble_web_version: master +mumble_web_websockify_port: "64737" + +murmur_domain: "{{ mumble_web_domain }}" +murmur_enabled: yes +murmur_database: + path: "/var/lib/mumble-server/mumble-server.sqlite" + # driver: "QMYSQL" + # username: "mumble" + # password: "password" + # host: "localhost" + # port: 3306 + # prefix: "murmur_" +murmur_ice: "tcp -h 127.0.0.1 -p 6502" +# murmur_icesecret_read: "somesecret" +# murmur_ice_secret_write: "anothersecret" +murmur_autoban_attempts: 10 +murmur_autoban_timeframe: 120 +murmur_autoban_time: 300 +murmur_log_file: "/var/log/mumble-server/mumble-server.log" +murmur_pid_file: "/var/run/mumble-server/mumble-server.pid" +murmur_welcome_text: "Welcome on the {{ inventory_hostname }} Mumble server!" +murmur_port: 64738 +# Leave blank to let Murmur bind to all available addresses +murmur_host: "" +murmur_server_password: "" +murmur_max_bandwidth: 72000 +murmur_max_users: 100 +murmur_opusthreshold: 100 +murmur_channel_nesting_limit: 10 +murmur_channel_count_limit: 1000 +# Regex to validate channel or usernames +# murmur_channel_name_regex: "" +# murmur_username_regex: "" +murmur_text_message_max_length: 5000 +murmur_image_message_length: 131072 +murmur_allow_html: yes +# Set to 0 to keep logs forever, or -1 to disable logging to the DB. +murmur_log_days: -1 +# Name for root channel and entry in mumble main server list +# murmur_register: +# name: "MyMumbleServerRegisterName" +# password: "password" +# url: "https://mymumbleserverurl.org" +# hostname: "mymumblehostname.domain.org" +# Enable Bonjour for dev purpose +murmur_bonjour_enabled: no +murmur_certificate: "{{ acme_certs_dir }}/{{ murmur_domain }}.d/fullchain.pem" +murmur_trusted_certificate: "{{ acme_certs_dir }}/{{ murmur_domain }}.d/chain.pem" +murmur_private_key: "{{ acme_keys_dir }}/{{ murmur_domain }}.pem" +murmur_dhparam: "@ffdhe4096" +murmur_owner: "mumble-server" +murmur_group: "{{ murmur_owner }}" +murmur_client_certificate_required: no +murmur_send_server_version: yes +murmur_ice_warn_unknown_properties: 1 +murmur_ice_message_size_max: 65536 + +umurmur_domain: "{{ mumble_web_domain }}" +umurmur_enabled: yes +umurmur_max_bandwidth: 48000 +umurmur_server_password: "" umurmur_channel_links: - source: "{{ umurmur_default_channel }}" destinations: >- @@ -14,13 +83,3 @@ umurmur_private_key: "{{ acme_keys_dir }}/{{ umurmur_domain }}.pem" umurmur_version: master umurmur_ispublic: yes umurmur_port: "64738" - -mumble_web_owner: mumble-web -mumble_web_group: "{{ mumble_web_owner }}" -mumble_web_certificate: "{{ acme_certs_dir }}/{{ mumble_web_domain }}.d/fullchain.pem" -mumble_web_trusted_certificate: "{{ acme_certs_dir }}/{{ mumble_web_domain }}.d/chain.pem" -mumble_web_private_key: "{{ acme_keys_dir }}/{{ mumble_web_domain }}.pem" -mumble_web_dhparam: "/etc/nginx/ssl/dhparam.pem" -mumble_web_www_dir: /var/www/mumble-web -mumble_web_version: master -mumble_web_websockify_port: "64737" \ No newline at end of file diff --git a/handlers/main.yml b/handlers/main.yml index bb55ed2..8725e14 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -12,6 +12,13 @@ when: - not (umurmur_started.changed | default(false)) +- name: restart murmur + service: + name: mumble-server + state: restarted + when: + - not (murmur_started.changed | default(false)) + - name: reload mumble-web service: name: mumble-web diff --git a/tasks/main.yml b/tasks/main.yml index ead630d..b8d5753 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,11 +1,19 @@ -- name: Install and configure umurmur server +- name: Deploy uMurmur server import_tasks: umurmur.yml + when: umurmur_enabled tags: umurmur -- name: Install and configure mumble web client +- name: Deploy Murmur server + import_tasks: murmur.yml + when: murmur_enabled + tags: murmur + +- name: Deploy mumble web client import_tasks: mumble_web.yml + when: mumble_web_enabled tags: mumble_web - name: Configure Nginx for mumble web client import_tasks: nginx.yml + when: mumble_web_enabled tags: nginx \ No newline at end of file diff --git a/tasks/murmur.yml b/tasks/murmur.yml new file mode 100644 index 0000000..b52b5d2 --- /dev/null +++ b/tasks/murmur.yml @@ -0,0 +1,36 @@ +- name: Install mumble-server package + apt: + name: mumble-server + state: present + register: murmur_installed + +- name: Copy Murmur config file + template: + src: mumble-server.ini.j2 + dest: /etc/mumble-server.ini + owner: root + group: "{{ murmur_group }}" + mode: "640" + notify: restart murmur + +- name: Start mumble-server service + service: + name: mumble-server + enabled: yes + state: started + +# TODO: Handle superuser password + +# - name: Write superuser password to a file +# copy: +# content: "{{ murmur_superuser_password }}" +# dest: /etc/mumble-superuser +# owner: root +# group: root +# mode: "600" +# when: murmur_superuser_password is defined +# notify: set superuser password + +# - name: set superuser password +# command: murmurd -ini /etc/mumble-server.ini -supw "{{ murmur_superuser_password }}" +# failed_when: False \ No newline at end of file diff --git a/templates/mumble-server.ini.j2 b/templates/mumble-server.ini.j2 new file mode 100644 index 0000000..a4e1063 --- /dev/null +++ b/templates/mumble-server.ini.j2 @@ -0,0 +1,323 @@ +{{ ansible_managed | comment(decoration="; ") }} +; Murmur configuration file. +; +; General notes: +; * Settings in this file are default settings and many of them can be overridden +; with virtual server specific configuration via the Ice or DBus interface. +; * Due to the way this configuration file is read some rules have to be +; followed when specifying variable values (as in variable = value): +; * Make sure to quote the value when using commas in strings or passwords. +; NOT variable = super,secret BUT variable = "super,secret" +; * Make sure to escape special characters like '\' or '"' correctly +; NOT variable = """ BUT variable = "\"" +; NOT regex = \w* BUT regex = \\w* + +; Path to database. If blank, will search for +; murmur.sqlite in default locations or create it if not found. +database={{ murmur_database.path | to_json }} + +; Murmur defaults to using SQLite with its default rollback journal. +; In some situations, using SQLite's write-ahead log (WAL) can be +; advantageous. +; If you encounter slowdowns when moving between channels and similar +; operations, enabling the SQLite write-ahead log might help. +; +; To use SQLite's write-ahead log, set sqlite_wal to one of the following +; values: +; +; 0 - Use SQLite's default rollback journal. +; 1 - Use write-ahead log with synchronous=NORMAL. +; If Murmur crashes, the database will be in a consistent state, but +; the most recent changes might be lost if the operating system did +; not write them to disk yet. This option can improve Murmur's +; interactivity on busy servers, or servers with slow storage. +; 2 - Use write-ahead log with synchronous=FULL. +; All database writes are synchronized to disk when they are made. +; If Murmur crashes, the database will be include all completed writes. +;sqlite_wal=0 + +; If you wish to use something other than SQLite, you'll need to set the name +; of the database above, and also uncomment the below. +; Sticking with SQLite is strongly recommended, as it's the most well tested +; and by far the fastest solution. +; +;dbDriver=QMYSQL +;dbUsername= +;dbPassword= +;dbHost= +;dbPort= +;dbPrefix=murmur_ +;dbOpts= +{% if murmur_database.driver is defined %} +dbDriver={{ murmur_database.driver | to_json }} +dbUsername={{ murmur_database.username | to_json }} +dbPassword={{ murmur_database.password | to_json }} +dbHost={{ murmur_database.host | default('localhost') | to_json }} +dbPort={{ murmur_database.port }} +dbPrefix={{ murmur_database.prefix | default('') | to_json }} +dbOpts={{ murmur_database.opts | default('') | to_json }} +{% endif %} + +; Murmur defaults to not using D-Bus. If you wish to use dbus, which is one of the +; RPC methods available in Murmur, please specify so here. +; +;dbus=session + +; Alternate D-Bus service name. Only use if you are running distinct +; murmurd processes connected to the same D-Bus daemon. +;dbusservice=net.sourceforge.mumble.murmur + +; If you want to use ZeroC Ice to communicate with Murmur, you need +; to specify the endpoint to use. Since there is no authentication +; with ICE, you should only use it if you trust all the users who have +; shell access to your machine. +; Please see the ICE documentation on how to specify endpoints. +ice="{{ murmur_ice }}" + +; Ice primarily uses local sockets. This means anyone who has a +; user account on your machine can connect to the Ice services. +; You can set a plaintext "secret" on the Ice connection, and +; any script attempting to access must then have this secret +; (as context with name "secret"). +; Access is split in read (look only) and write (modify) +; operations. Write access always includes read access, +; unless read is explicitly denied (see note below). +; +; Note that if this is uncommented and with empty content, +; access will be denied. + +{% if murmur_ice_secret_read is defined %} +icesecretread={{ murmur_ice_secret_read | to_json }} +{% else %} +;icesecretread= +{% endif %} +{% if murmur_ice_secret_write is defined %} +icesecretwrite={{ murmur_ice_secret_write | to_json }} +{% else %} +icesecretwrite= +{% endif %} + +; If you want to expose Murmur's experimental gRPC API, you +; need to specify an address to bind on. +; Note: not all builds of Murmur support gRPC. If gRPC is not +; available, Murmur will warn you in its log output. +;grpc="127.0.0.1:50051" +; Specifying both a certificate and key file below will cause gRPC to use +; secured, TLS connections. +;grpccert="" +;grpckey="" + +; How many login attempts do we tolerate from one IP +; inside a given timeframe before we ban the connection? +; Note that this is global (shared between all virtual servers), and that +; it counts both successfull and unsuccessfull connection attempts. +; Set either Attempts or Timeframe to 0 to disable. +;autobanAttempts = 10 +;autobanTimeframe = 120 +;autobanTime = 300 +autobanAttempts={{ murmur_autoban_attempts }} +autobanTimeframe={{ murmur_autoban_timeframe }} +autobanTime={{ murmur_autoban_time }} + +; Specifies the file Murmur should log to. By default, Murmur +; logs to the file 'murmur.log'. If you leave this field blank +; on Unix-like systems, Murmur will force itself into foreground +; mode which logs to the console. +;logfile=murmur.log +logfile={{ murmur_log_file | to_json }} + +; If set, Murmur will write its process ID to this file +; when running in daemon mode (when the -fg flag is not +; specified on the command line). Only available on +; Unix-like systems. +;pidfile= +pidfile={{ murmur_pid_file | to_json }} + +; The below will be used as defaults for new configured servers. +; If you're just running one server (the default), it's easier to +; configure it here than through D-Bus or Ice. +; +; Welcome message sent to clients when they connect. +; If the welcome message is set to an empty string, +; no welcome message will be sent to clients. +welcometext={{ murmur_welcome_text | to_json }} + +; Port to bind TCP and UDP sockets to. +port={{ murmur_port }} + +; Specific IP or hostname to bind to. +; If this is left blank (default), Murmur will bind to all available addresses. +;host= +host={{ murmur_host | to_json }} + +; Password to join server. +serverpassword={{ murmur_server_password | to_json }} + +; Maximum bandwidth (in bits per second) clients are allowed +; to send speech at. +bandwidth={{ murmur_max_bandwidth }} + +; Maximum number of concurrent clients allowed. +users={{ murmur_max_users }} + +; Per-user rate limiting +; +; These two settings allow to configure the per-user rate limiter for some +; command messages sent from the client to the server. The messageburst setting +; specifies an amount of messages which are allowed in short bursts. The +; messagelimit setting specifies the number of messages per second allowed over +; a longer period. If a user hits the rate limit, his packages are then ignored +; for some time. Both of these settings have a minimum of 1 as setting either to +; 0 could render the server unusable. +messageburst=5 +messagelimit=1 + +; Respond to UDP ping packets. +; +; Setting to true exposes the current user count, the maximum user count, and +; the server's maximum bandwidth per client to unauthenticated users. In the +; Mumble client, this information is shown in the Connect dialog. +allowping=true + +; Amount of users with Opus support needed to force Opus usage, in percent. +; 0 = Always enable Opus, 100 = enable Opus if it's supported by all clients. +;opusthreshold=100 +opusthreshold={{ murmur_opus_threshold }} + +; Maximum depth of channel nesting. Note that some databases like MySQL using +; InnoDB will fail when operating on deeply nested channels. +;channelnestinglimit=10 +channelnestinglimit={{ murmur_channel_nesting_limit }} + +; Maximum number of channels per server. 0 for unlimited. Note that an +; excessive number of channels will impact server performance +;channelcountlimit=1000 +channelcountlimit={{ murmur_channel_count_limit }} + +; Regular expression used to validate channel names. +; (Note that you have to escape backslashes with \ ) +;channelname=[ \\-=\\w\\#\\[\\]\\{\\}\\(\\)\\@\\|]+ +{% if murmur_channel_name_regex is defined %} +channelname={{ murmur_channel_name_regex }} +{% endif %} + +; Regular expression used to validate user names. +; (Note that you have to escape backslashes with \ ) +;username=[-=\\w\\[\\]\\{\\}\\(\\)\\@\\|\\.]+ +{% if murmur_username_regex is defined %} +username={{ murmur_username_regex }} +{% endif %} + +; Maximum length of text messages in characters. 0 for no limit. +;textmessagelength=5000 +textmessagelength={{ murmur_text_message_max_length }} + +; Maximum length of text messages in characters, with image data. 0 for no limit. +;imagemessagelength=131072 +imagemessagelength={{ murmur_image_message_max_length }} + +; Allow clients to use HTML in messages, user comments and channel descriptions? +;allowhtml=true +allowhtml={{ murmur_allow_html }} + +; Murmur retains the per-server log entries in an internal database which +; allows it to be accessed over D-Bus/ICE. +; How many days should such entries be kept? +; Set to 0 to keep forever, or -1 to disable logging to the DB. +;logdays=31 +logdays={{ murmur_log_days }} + +{% if murmur_register.name is defined %} +; To enable public server registration, the serverpassword must be blank, and +; this must all be filled out. +; The password here is used to create a registry for the server name; subsequent +; updates will need the same password. Don't lose your password. +; The URL is your own website, and only set the registerHostname for static IP +; addresses. +; Only uncomment the 'registerName' parameter if you wish to give your "Root" channel a custom name. +; +registerName={{ murmur_register.name | to_json }} +registerPassword={{ murmur_register.password | to_json }} +registerUrl={{ murmur_register.url | to_json }} +registerHostname={{ murmur_register.hostname | to_json }} +{% endif %} + +; If this option is enabled, the server will announce its presence via the +; bonjour service discovery protocol. To change the name announced by bonjour +; adjust the registerName variable. +; See http://developer.apple.com/networking/bonjour/index.html for more information +; about bonjour. +;bonjour=True +bonjour={{ murmur_bonjour_enabled }} + +; If you have a proper SSL certificate, you can provide the filenames here. +; Otherwise, Murmur will create its own certificate automatically. +;sslCert= +;sslKey= +sslCert={{ murmur_certificate | to_json }} +sslKey={{ murmur_private_key | to_json }} +sslCa={{ murmur_trusted_certificate | to_json }} + +; The sslDHParams option allows you to specify a PEM-encoded file with +; Diffie-Hellman parameters, which will be used as the default Diffie- +; Hellman parameters for all virtual servers. +; +; Instead of pointing sslDHParams to a file, you can also use the option +; to specify a named set of Diffie-Hellman parameters for Murmur to use. +; Murmur comes bundled with the Diffie-Hellman parameters from RFC 7919. +; These parameters are available by using the following names: +; +; @ffdhe2048, @ffdhe3072, @ffdhe4096, @ffdhe6144, @ffdhe8192 +; +; By default, Murmur uses @ffdhe2048. +sslDHParams={{ murmur_dhparam | to_json }} + +; The sslCiphers option chooses the cipher suites to make available for use +; in SSL/TLS. This option is server-wide, and cannot be set on a +; per-virtual-server basis. +; +; This option is specified using OpenSSL cipher list notation (see +; https://www.openssl.org/docs/apps/ciphers.html#CIPHER-LIST-FORMAT). +; +; It is recommended that you try your cipher string using 'openssl ciphers ' +; before setting it here, to get a feel for which cipher suites you will get. +; +; After setting this option, it is recommend that you inspect your Murmur log +; to ensure that Murmur is using the cipher suites that you expected it to. +; +; Note: Changing this option may impact the backwards compatibility of your +; Murmur server, and can remove the ability for older Mumble clients to be able +; to connect to it. +;sslCiphers=EECDH+AESGCM:EDH+aRSA+AESGCM:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA + +; If Murmur is started as root, which user should it switch to? +; This option is ignored if Murmur isn't started with root privileges. +;uname= +uname={{ murmur_owner }} + +; If this options is enabled, only clients which have a certificate are allowed +; to connect. +;certrequired=False +certrequired={{ murmur_client_certificate_required }} + +; If enabled, clients are sent information about the servers version and operating +; system. +;sendversion=True +sendversion={{ murmur_send_server_version }} + +; This sets password hash storage to legacy mode (1.2.4 and before) +; (Note that setting this to true is insecure and should not be used unless absolutely necessary) +;legacyPasswordHash=false + +; By default a strong amount of PBKDF2 iterations are chosen automatically. If >0 this setting +; overrides the automatic benchmark and forces a specific number of iterations. +; (Note that you should only change this value if you know what you are doing) +;kdfIterations=-1 + +; You can configure any of the configuration options for Ice here. We recommend +; leave the defaults as they are. +; Please note that this section has to be last in the configuration file. +; +[Ice] +Ice.Warn.UnknownProperties={{ murmur_ice_warn_unknown_properties }} +Ice.MessageSizeMax={{ murmur_ice_message_size_max }} diff --git a/templates/mumble-web.js.j2 b/templates/mumble-web.js.j2 index b18d954..e118056 100644 --- a/templates/mumble-web.js.j2 +++ b/templates/mumble-web.js.j2 @@ -13,7 +13,7 @@ let config = window.mumbleWebConfig // eslint-disable-line no-unused-vars config.connectDialog.address = false config.connectDialog.port = false config.connectDialog.token = false -config.connectDialog.password = {{ (umurmur_user_password != '') | lower }} +config.connectDialog.password = {{ (umurmur_server_password != '') | lower }} // Default values for user settings // You can see your current value by typing `localStorage.getItem('mumble.$setting')` in the web console. diff --git a/templates/umurmur.conf.j2 b/templates/umurmur.conf.j2 index eeb63fa..e44907e 100644 --- a/templates/umurmur.conf.j2 +++ b/templates/umurmur.conf.j2 @@ -1,12 +1,12 @@ {{ ansible_managed | comment }} -max_bandwidth = 48000; +max_bandwidth = {{ umurmur_max_bandwidth }}; welcometext = {{ umurmur_welcome_text if umurmur_welcome_text is string else (umurmur_welcome_text | join('
')) | to_json }}; certificate = {{ umurmur_certificate | to_json }}; private_key = {{ umurmur_private_key | to_json }}; -password = {{ umurmur_user_password | to_json }}; +password = {{ umurmur_server_password | to_json }}; {% if umurmur_admin_password is defined %} admin_password = {{ umurmur_admin_password | to_json }}; # Set to enable admin functionality. {% endif %}