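---
# Provisions a Debian/Ubuntu host as a Jitsi Meet server: base packages,
# admin users with SSH hardening, an nftables firewall, the Jitsi apt
# repository with debconf pre-seeding, and finally the Nginx/Jitsi templates.
#
# Ansible fixes the order inside a play (roles -> tasks -> handlers) no matter
# how the keys are written, so the letsencrypt role has already issued the
# certificate by the time the jitsi-meet debconf answers reference it, and
# the handlers run once at the end of the play.
- hosts: all
  # NOTE(review): apt, user and lineinfile need root, but the play sets no
  # `become`; presumably the connection user is root or become comes from
  # ansible.cfg/inventory — confirm, since the SSH tasks below turn off root
  # login and password authentication.

  roles:
    - role: ansible-letsencrypt
      letsencrypt_email: "fnord@{{ jitsi_meet_server_name }}"
      letsencrypt_cert_domains:
        - "{{ jitsi_meet_server_name }}"
      tags: letsencrypt

  tasks:
    # General
    - name: Install packages
      apt:
        name: "{{ packages }}"
        # Refresh the index on a fresh host; skip it when it is under an hour old.
        update_cache: true
        cache_valid_time: 3600
      vars:
        packages:
          - unattended-upgrades
          - htop
          - screen
          - tmux
          - nftables
    - name: Remove useless packages from the cache
      apt:
        autoclean: true
    - name: Remove dependencies that are no longer required
      apt:
        autoremove: true

    # Users
    - name: Add users
      user:
        name: "{{ item.name }}"
        groups: "{{ item.groups }}"
        password: "{{ item.password }}"
        # Only seed the password on account creation; never reset it later.
        update_password: "on_create"
        shell: "/bin/bash"
      # Keep the password hashes out of the task output / log files.
      no_log: true
      # These are crypt(3) SHA-512 hashes committed to the repository; they
      # are crackable offline, so consider moving them into an ansible-vault
      # encrypted vars file.
      with_items:
        - name: markus
          groups: "sudo"
          password: "$6$ukExBdf1pxl30$j8PzbiSXFOEynLfWJnd7yXJjQ5FGvbl9mP0ysw6rUHjM2qOQd3sR.6l5ezYFAzboHeJNmIiXsgGmrXn/2n72J/"
        - name: neunr
          groups: "sudo"
          password: "$6$3Ppvwt/4vrHp55xb$a/DqR2DlJJ5LzUWTvSHw3.Wo.94dZuLawaN.2rK0gvliBxe4yTEyia3XwNrXQqkRVydQRnv3nJNzRft1X809G0"

    # SSH
    - name: Set up authorized keys for markus
      authorized_key:
        user: markus
        key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILUiwpETwMRVueebO8aC6fBv0uYvuByJPPnpczP8kAIP markus"
    - name: Set up authorized keys for neunr
      authorized_key:
        user: neunr
        key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyWcvk8smOkAtTBI0WDw+VmiGw4jOxvCt1LsCXJMrO+ 9R"
    - name: Disable Password Authentication
      lineinfile:
        dest: /etc/ssh/sshd_config
        # Match the directive whether or not it is still commented out: sshd
        # honours the first occurrence, so appending a second line would leave
        # an already-uncommented "PasswordAuthentication yes" in force.
        regexp: '^#?PasswordAuthentication'
        line: "PasswordAuthentication no"
        state: present
        # Refuse to write a config that sshd cannot parse, so the restart
        # handler never locks us out.
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - restart ssh
    - name: Disable Root Login
      lineinfile:
        dest: /etc/ssh/sshd_config
        # Same reasoning as above: cover "#PermitRootLogin" and "PermitRootLogin".
        regexp: '^#?PermitRootLogin'
        line: "PermitRootLogin no"
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - restart ssh

    # Networking
    - name: Create nftables config
      template:
        src: templates/nftables.conf.j2
        dest: /etc/nftables.conf
      notify:
        - reload nftables
    - name: Enable nftables service
      systemd:
        name: nftables
        enabled: true
        # Enabling alone leaves the host unfiltered until the next reboot.
        state: started

    # Jitsi
    - name: Configure signing key for Jitsi repository.
      apt_key:
        # Pinning the fingerprint means a swapped key at the URL is rejected.
        id: "66A9CD0595D6AFA247290D3BEF8B479E2DC1389C"
        url: "https://download.jitsi.org/jitsi-key.gpg.key"
        state: present
    - name: Install Jitsi apt repo.
      apt_repository:
        repo: "deb https://download.jitsi.org/ stable/"
        state: "present"
        # Ansible will automatically add the ".list" suffix.
        filename: /etc/apt/sources.list.d/jitsi_meet
    - name: Set debconf options for jitsi-meet.
      debconf:
        name: "{{ item.name }}"
        question: "{{ item.question }}"
        value: "{{ item.value }}"
        vtype: "{{ item.vtype }}"
      with_items:
        # Test if these three work as intended
        - name: jitsi-meet
          question: jitsi-meet/cert-choice
          value: "I want to use my own certificate"
          vtype: string
        - name: jitsi-meet
          question: jitsi-meet/cert-path-crt
          value: "/etc/letsencrypt/live/{{ jitsi_meet_server_name }}/fullchain.pem"
          vtype: string
        - name: jitsi-meet
          question: jitsi-meet/cert-path-key
          value: "/etc/letsencrypt/live/{{ jitsi_meet_server_name }}/privkey.pem"
          vtype: string

        - name: jitsi-videobridge
          question: jitsi-videobridge/jvb-hostname
          value: "{{ jitsi_meet_server_name }}"
          vtype: string
        - name: jicofo
          question: jitsi-videobridge/jvb-hostname
          value: "{{ jitsi_meet_server_name }}"
          vtype: string
        - name: jitsi-meet-prosody
          question: jitsi-videobridge/jvb-hostname
          value: "{{ jitsi_meet_server_name }}"
          vtype: string
        - name: jitsi-meet-prosody
          question: jitsi-meet-prosody/jvb-hostname
          value: "{{ jitsi_meet_server_name }}"
          vtype: string
        - name: jitsi-meet-web-config
          question: jitsi-videobridge/jvb-hostname
          value: "{{ jitsi_meet_server_name }}"
          vtype: string
        - name: jitsi-meet-web-config
          question: jitsi-meet/cert-choice
          value: "I want to use my own certificate"
          vtype: string

        # The following two do not seem to work as intended
        - name: jitsi-meet-web-config
          question: jitsi-meet/cert-path-crt
          value: "/etc/letsencrypt/live/{{ jitsi_meet_server_name }}/fullchain.pem"
          vtype: string
        - name: jitsi-meet-web-config
          question: jitsi-meet/cert-path-key
          value: "/etc/letsencrypt/live/{{ jitsi_meet_server_name }}/privkey.pem"
          vtype: string
    - name: Install Jitsi Meet
      apt:
        name: jitsi-meet
        # "latest" upgrades on every run; pin a version here if that is unwanted.
        state: latest
        update_cache: true
        cache_valid_time: 3600

    # Configuration
    - name: Overwrite Nginx Site Config
      template:
        src: templates/nginx_site_config.j2
        dest: "/etc/nginx/sites-available/{{ jitsi_meet_server_name }}.conf"
      notify:
        - restart nginx
    - name: Overwrite Nginx Config
      template:
        src: templates/nginx.conf.j2
        dest: "/etc/nginx/nginx.conf"
      notify:
        - restart nginx
    - name: Overwrite Jitsi Web Config
      template:
        src: templates/jitsi-config.js.j2
        dest: "/etc/jitsi/meet/{{ jitsi_meet_server_name }}-config.js"

  handlers:
    - name: restart ssh
      service:
        # NOTE(review): Debian/Ubuntu name the unit "ssh"; "sshd" presumably
        # resolves through the systemd alias — confirm on the target distro.
        name: sshd
        state: restarted
    - name: reload nftables
      service:
        name: nftables
        state: reloaded
    - name: restart nginx
      service:
        name: nginx
        state: restarted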