Commit 02848216 authored by markus's avatar markus

Initial commit

parents
[submodule "roles/ansible-letsencrypt"]
path = roles/ansible-letsencrypt
url = https://github.com/thefinn93/ansible-letsencrypt
88.99.191.193 jitsi_meet_server_name=meet.fnord.group
- hosts: all
tasks:
# General
- name: auto-upgrades
apt:
name: unattended-upgrades
- name: Install packages
apt:
name: "{{ packages }}"
vars:
packages:
- unattended-upgrades
- htop
- screen
- tmux
- nftables
- name: Remove useless packages from the cache
apt:
autoclean: yes
- name: Remove dependencies that are no longer required
apt:
autoremove: yes
# Users
- name: Add users
user:
name: "{{ item.name }}"
groups: "{{ item.groups }}"
password: "{{ item.password }}"
update_password: "on_create"
shell: "/bin/bash"
with_items:
- name: markus
groups: "sudo"
password: "$6$ukExBdf1pxl30$j8PzbiSXFOEynLfWJnd7yXJjQ5FGvbl9mP0ysw6rUHjM2qOQd3sR.6l5ezYFAzboHeJNmIiXsgGmrXn/2n72J/"
- name: neunr
groups: "sudo"
password: "$6$3Ppvwt/4vrHp55xb$a/DqR2DlJJ5LzUWTvSHw3.Wo.94dZuLawaN.2rK0gvliBxe4yTEyia3XwNrXQqkRVydQRnv3nJNzRft1X809G0"
# SSH
- name: Set up authorized keys for markus
authorized_key:
user: markus
key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILUiwpETwMRVueebO8aC6fBv0uYvuByJPPnpczP8kAIP markus"
- name: Set up authorized keys for neunr
authorized_key:
user: neunr
key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyWcvk8smOkAtTBI0WDw+VmiGw4jOxvCt1LsCXJMrO+ 9R"
- name: Disable Password Authentication
lineinfile:
dest=/etc/ssh/sshd_config
regexp='^#PasswordAuthentication'
line="PasswordAuthentication no"
state=present
notify:
- restart ssh
- name: Disable Root Login
lineinfile:
dest=/etc/ssh/sshd_config
regexp='^#PermitRootLogin'
line="PermitRootLogin no"
state=present
notify:
- restart ssh
# Networking
- name: Create nftables config
template:
src: templates/nftables.conf.j2
dest: /etc/nftables.conf
notify:
- reload nftables
- name: enable nftables service
systemd:
name: nftables
enabled: yes
# Jitsi
- name: Configure signing key for Jitsi repository.
apt_key:
id: "66A9CD0595D6AFA247290D3BEF8B479E2DC1389C"
url: "https://download.jitsi.org/jitsi-key.gpg.key"
state: present
- name: Install Jitsi apt repo.
apt_repository:
repo: "deb https://download.jitsi.org/ stable/"
state: "present"
# Ansible will automatically add the ".list" suffix.
filename: /etc/apt/sources.list.d/jitsi_meet
- name: Set debconf options for jitsi-meet.
debconf:
name: "{{ item.name }}"
question: "{{ item.question }}"
value: "{{ item.value }}"
vtype: "{{ item.vtype }}"
with_items:
# Test if these three work as intended
- name: jitsi-meet
question: jitsi-meet/cert-choice
value: "I want to use my own certificate"
vtype: string
- name: jitsi-meet
question: jitsi-meet/cert-path-crt
value: "/etc/letsencrypt/live/{{ jitsi_meet_server_name }}/fullchain.pem"
vtype: string
- name: jitsi-meet
question: jitsi-meet/cert-path-key
value: "/etc/letsencrypt/live/{{ jitsi_meet_server_name }}/privkey.pem"
vtype: string
- name: jitsi-videobridge
question: jitsi-videobridge/jvb-hostname
value: "{{ jitsi_meet_server_name }}"
vtype: string
- name: jicofo
question: jitsi-videobridge/jvb-hostname
value: "{{ jitsi_meet_server_name }}"
vtype: string
- name: jitsi-meet-prosody
question: jitsi-videobridge/jvb-hostname
value: "{{ jitsi_meet_server_name }}"
vtype: string
- name: jitsi-meet-prosody
question: jitsi-meet-prosody/jvb-hostname
value: "{{ jitsi_meet_server_name }}"
vtype: string
- name: jitsi-meet-web-config
question: jitsi-videobridge/jvb-hostname
value: "{{ jitsi_meet_server_name }}"
vtype: string
- name: jitsi-meet-web-config
question: jitsi-meet/cert-choice
value: "I want to use my own certificate"
vtype: string
# The following two do not seem to work as intended
- name: jitsi-meet-web-config
question: jitsi-meet/cert-path-crt
value: "/etc/letsencrypt/live/{{ jitsi_meet_server_name }}/fullchain.pem"
vtype: string
- name: jitsi-meet-web-config
question: jitsi-meet/cert-path-key
value: "/etc/letsencrypt/live/{{ jitsi_meet_server_name }}/privkey.pem"
vtype: string
- name: Install Jitsi Meet
apt:
name: jitsi-meet
state: latest
update_cache: yes
cache_valid_time: 3600
# Configuration
- name: Overwrite Nginx Site Config
template:
src: templates/nginx_site_config.j2
dest: "/etc/nginx/sites-available/{{ jitsi_meet_server_name }}.conf"
notify:
- restart nginx
- name: Overwrite Nginx Config
template:
src: templates/nginx.conf.j2
dest: "/etc/nginx/nginx.conf"
notify:
- restart nginx
- name: Overwrite Jitsi Web Config
template:
src: templates/jitsi-config.js.j2
dest: "/etc/jitsi/meet/{{ jitsi_meet_server_name }}-config.js"
roles:
- role: ansible-letsencrypt
letsencrypt_email: "fnord@{{ jitsi_meet_server_name }}"
letsencrypt_cert_domains:
- "{{ jitsi_meet_server_name }}"
tags: letsencrypt
handlers:
- name: restart ssh
service:
name=sshd
state=restarted
- name: reload nftables
service:
name=nftables
state=reloaded
- name: restart nginx
service:
name=nginx
state=restarted
Subproject commit f4b5687073a20e2a744115e97fa87ef278e4b2bf
/* eslint-disable no-unused-vars, no-var */
var config = {
// Connection
//
hosts: {
// XMPP domain.
domain: '{{ jitsi_meet_server_name }}',
// When using authentication, domain for guest users.
// anonymousdomain: 'guest.example.com',
// Domain for authenticated users. Defaults to <domain>.
// authdomain: '{{ jitsi_meet_server_name }}',
// Jirecon recording component domain.
// jirecon: 'jirecon.{{ jitsi_meet_server_name }}',
// Call control component (Jigasi).
// call_control: 'callcontrol.{{ jitsi_meet_server_name }}',
// Focus component domain. Defaults to focus.<domain>.
// focus: 'focus.{{ jitsi_meet_server_name }}',
// XMPP MUC domain. FIXME: use XEP-0030 to discover it.
muc: 'conference.{{ jitsi_meet_server_name }}'
},
// BOSH URL. FIXME: use XEP-0156 to discover it.
bosh: '//{{ jitsi_meet_server_name }}/http-bind',
// The name of client node advertised in XEP-0115 'c' stanza
clientNode: 'http://jitsi.org/jitsimeet',
// The real JID of focus participant - can be overridden here
// focusUserJid: 'focus@auth.{{ jitsi_meet_server_name }}',
// Testing / experimental features.
//
testing: {
// Enables experimental simulcast support on Firefox.
enableFirefoxSimulcast: false,
// P2P test mode disables automatic switching to P2P when there are 2
// participants in the conference.
p2pTestMode: false
// Enables the test specific features consumed by jitsi-meet-torture
// testMode: false
// Disables the auto-play behavior of *all* newly created video element.
// This is useful when the client runs on a host with limited resources.
// noAutoPlayVideo: false
},
// Disables ICE/UDP by filtering out local and remote UDP candidates in
// signalling.
// webrtcIceUdpDisable: false,
// Disables ICE/TCP by filtering out local and remote TCP candidates in
// signalling.
// webrtcIceTcpDisable: false,
// Media
//
// Audio
// Disable measuring of audio levels.
// disableAudioLevels: false,
// Start the conference in audio only mode (no video is being received nor
// sent).
startAudioOnly: true,
// Every participant after the Nth will start audio muted.
// startAudioMuted: 10,
// Start calls with audio muted. Unlike the option above, this one is only
// applied locally. FIXME: having these 2 options is confusing.
// startWithAudioMuted: false,
// Enabling it (with #params) will disable local audio output of remote
// participants and to enable it back a reload is needed.
// startSilent: false
// Video
// Sets the preferred resolution (height) for local video. Defaults to 720.
// resolution: 720,
// w3c spec-compliant video constraints to use for video capture. Currently
// used by browsers that return true from lib-jitsi-meet's
// util#browser#usesNewGumFlow. The constraints are independency from
// this config's resolution value. Defaults to requesting an ideal aspect
// ratio of 16:9 with an ideal resolution of 720.
// constraints: {
// video: {
// aspectRatio: 16 / 9,
// height: {
// ideal: 720,
// max: 720,
// min: 240
// }
// }
// },
// Enable / disable simulcast support.
// disableSimulcast: false,
// Enable / disable layer suspension. If enabled, endpoints whose HD
// layers are not in use will be suspended (no longer sent) until they
// are requested again.
// enableLayerSuspension: false,
// Every participant after the Nth will start video muted.
// startVideoMuted: 10,
// Start calls with video muted. Unlike the option above, this one is only
// applied locally. FIXME: having these 2 options is confusing.
// startWithVideoMuted: false,
// If set to true, prefer to use the H.264 video codec (if supported).
// Note that it's not recommended to do this because simulcast is not
// supported when using H.264. For 1-to-1 calls this setting is enabled by
// default and can be toggled in the p2p section.
// preferH264: true,
// If set to true, disable H.264 video codec by stripping it out of the
// SDP.
// disableH264: false,
// Desktop sharing
// The ID of the jidesha extension for Chrome.
desktopSharingChromeExtId: null,
// Whether desktop sharing should be disabled on Chrome.
// desktopSharingChromeDisabled: false,
// The media sources to use when using screen sharing with the Chrome
// extension.
desktopSharingChromeSources: [ 'screen', 'window', 'tab' ],
// Required version of Chrome extension
desktopSharingChromeMinExtVersion: '0.1',
// Whether desktop sharing should be disabled on Firefox.
// desktopSharingFirefoxDisabled: false,
// Optional desktop sharing frame rate options. Default value: min:5, max:5.
// desktopSharingFrameRate: {
// min: 5,
// max: 5
// },
// Try to start calls with screen-sharing instead of camera video.
// startScreenSharing: false,
// Recording
// Whether to enable file recording or not.
// fileRecordingsEnabled: false,
// Enable the dropbox integration.
// dropbox: {
// appKey: '<APP_KEY>' // Specify your app key here.
// // A URL to redirect the user to, after authenticating
// // by default uses:
// // 'https://{{ jitsi_meet_server_name }}/static/oauth.html'
// redirectURI:
// 'https://{{ jitsi_meet_server_name }}/subfolder/static/oauth.html'
// },
// When integrations like dropbox are enabled only that will be shown,
// by enabling fileRecordingsServiceEnabled, we show both the integrations
// and the generic recording service (its configuration and storage type
// depends on jibri configuration)
// fileRecordingsServiceEnabled: false,
// Whether to show the possibility to share file recording with other people
// (e.g. meeting participants), based on the actual implementation
// on the backend.
// fileRecordingsServiceSharingEnabled: false,
// Whether to enable live streaming or not.
// liveStreamingEnabled: false,
// Transcription (in interface_config,
// subtitles and buttons can be configured)
// transcribingEnabled: false,
// Enables automatic turning on captions when recording is started
// autoCaptionOnRecord: false,
// Misc
// Default value for the channel "last N" attribute. -1 for unlimited.
channelLastN: -1,
// Disables or enables RTX (RFC 4588) (defaults to false).
// disableRtx: false,
// Disables or enables TCC (the default is in Jicofo and set to true)
// (draft-holmer-rmcat-transport-wide-cc-extensions-01). This setting
// affects congestion control, it practically enables send-side bandwidth
// estimations.
// enableTcc: true,
// Disables or enables REMB (the default is in Jicofo and set to false)
// (draft-alvestrand-rmcat-remb-03). This setting affects congestion
// control, it practically enables recv-side bandwidth estimations. When
// both TCC and REMB are enabled, TCC takes precedence. When both are
// disabled, then bandwidth estimations are disabled.
// enableRemb: false,
// Defines the minimum number of participants to start a call (the default
// is set in Jicofo and set to 2).
// minParticipants: 2,
// Use XEP-0215 to fetch STUN and TURN servers.
// useStunTurn: true,
// Enable IPv6 support.
// useIPv6: true,
// Enables / disables a data communication channel with the Videobridge.
// Values can be 'datachannel', 'websocket', true (treat it as
// 'datachannel'), undefined (treat it as 'datachannel') and false (don't
// open any channel).
// openBridgeChannel: true,
// UI
//
// Use display name as XMPP nickname.
// useNicks: false,
// Require users to always specify a display name.
// requireDisplayName: true,
// Whether to use a welcome page or not. In case it's false a random room
// will be joined when no room is specified.
enableWelcomePage: true,
// Enabling the close page will ignore the welcome page redirection when
// a call is hangup.
// enableClosePage: false,
// Disable hiding of remote thumbnails when in a 1-on-1 conference call.
// disable1On1Mode: false,
// Default language for the user interface.
// defaultLanguage: 'en',
// If true all users without a token will be considered guests and all users
// with token will be considered non-guests. Only guests will be allowed to
// edit their profile.
enableUserRolesBasedOnToken: false,
// Whether or not some features are checked based on token.
// enableFeaturesBasedOnToken: false,
// Enable lock room for all moderators, even when userRolesBasedOnToken is enabled and participants are guests.
// lockRoomGuestEnabled: false,
// When enabled the password used for locking a room is restricted to up to the number of digits specified
// roomPasswordNumberOfDigits: 10,
// default: roomPasswordNumberOfDigits: false,
// Message to show the users. Example: 'The service will be down for
// maintenance at 01:00 AM GMT,
// noticeMessage: '',
// Enables calendar integration, depends on googleApiApplicationClientID
// and microsoftApiApplicationClientID
// enableCalendarIntegration: false,
// Stats
//
// Whether to enable stats collection or not in the TraceablePeerConnection.
// This can be useful for debugging purposes (post-processing/analysis of
// the webrtc stats) as it is done in the jitsi-meet-torture bandwidth
// estimation tests.
// gatherStats: false,
// To enable sending statistics to callstats.io you must provide the
// Application ID and Secret.
// callStatsID: '',
// callStatsSecret: '',
// enables sending participants display name to callstats
// enableDisplayNameInStats: false
// enables sending participants email if available to callstats and other analytics
// enableEmailInStats: false
// Privacy
//
// If third party requests are disabled, no other server will be contacted.
// This means avatars will be locally generated and callstats integration
// will not function.
disableThirdPartyRequests: true,
// Peer-To-Peer mode: used (if enabled) when there are just 2 participants.
//
p2p: {
// Enables peer to peer mode. When enabled the system will try to
// establish a direct connection when there are exactly 2 participants
// in the room. If that succeeds the conference will stop sending data
// through the JVB and use the peer to peer connection instead. When a
// 3rd participant joins the conference will be moved back to the JVB
// connection.
enabled: false,
// Use XEP-0215 to fetch STUN and TURN servers.
// useStunTurn: true,
// The STUN servers that will be used in the peer to peer connections
stunServers: [
{ urls: 'stun:stun.l.google.com:19302' },
{ urls: 'stun:stun1.l.google.com:19302' },
{ urls: 'stun:stun2.l.google.com:19302' }
],
// Sets the ICE transport policy for the p2p connection. At the time
// of this writing the list of possible values are 'all' and 'relay',
// but that is subject to change in the future. The enum is defined in
// the WebRTC standard:
// https://www.w3.org/TR/webrtc/#rtcicetransportpolicy-enum.
// If not set, the effective value is 'all'.
// iceTransportPolicy: 'all',
// If set to true, it will prefer to use H.264 for P2P calls (if H.264
// is supported).
preferH264: true
// If set to true, disable H.264 video codec by stripping it out of the
// SDP.
// disableH264: false,
// How long we're going to wait, before going back to P2P after the 3rd
// participant has left the conference (to filter out page reload).
// backToP2PDelay: 5
},
analytics: {
// The Google Analytics Tracking ID:
// googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1'
// The Amplitude APP Key:
// amplitudeAPPKey: '<APP_KEY>'
// Array of script URLs to load as lib-jitsi-meet "analytics handlers".
// scriptURLs: [
// "libs/analytics-ga.min.js", // google-analytics
// "https://example.com/my-custom-analytics.js"
// ],
},
// Information about the jitsi-meet instance we are connecting to, including
// the user region as seen by the server.
deploymentInfo: {
// shard: "shard1",
// region: "europe",
// userRegion: "asia"
}
// Local Recording
//
// localRecording: {
// Enables local recording.
// Additionally, 'localrecording' (all lowercase) needs to be added to
// TOOLBAR_BUTTONS in interface_config.js for the Local Recording
// button to show up on the toolbar.
//
// enabled: true,
//
// The recording format, can be one of 'ogg', 'flac' or 'wav'.
// format: 'flac'
//
// }
// Options related to end-to-end (participant to participant) ping.
// e2eping: {
// // The interval in milliseconds at which pings will be sent.
// // Defaults to 10000, set to <= 0 to disable.
// pingInterval: 10000,
//
// // The interval in milliseconds at which analytics events
// // with the measured RTT will be sent. Defaults to 60000, set
// // to <= 0 to disable.
// analyticsInterval: 60000,
// }
// If set, will attempt to use the provided video input device label when
// triggering a screenshare, instead of proceeding through the normal flow
// for obtaining a desktop stream.
// NOTE: This option is experimental and is currently intended for internal
// use only.
// _desktopSharingSourceDevice: 'sample-id-or-label'
// If true, any checks to handoff to another application will be prevented
// and instead the app will continue to display in the current browser.
// disableDeepLinking: false
// A property to disable the right click context menu for localVideo
// the menu has option to flip the locally seen video for local presentations
// disableLocalVideoFlip: false
// Deployment specific URLs.
// deploymentUrls: {
// // If specified a 'Help' button will be displayed in the overflow menu with a link to the specified URL for
// // user documentation.
// userDocumentationURL: 'https://docs.example.com/video-meetings.html',
// // If specified a 'Download our apps' button will be displayed in the overflow menu with a link
// // to the specified URL for an app download page.
// downloadAppsUrl: 'https://docs.example.com/our-apps.html'
// }
// List of undocumented settings used in jitsi-meet
/**
_immediateReloadThreshold
autoRecord
autoRecordToken
debug
debugAudioLevels
deploymentInfo
dialInConfCodeUrl
dialInNumbersUrl
dialOutAuthUrl
dialOutCodesUrl
disableRemoteControl
displayJids
etherpad_base
externalConnectUrl
firefox_fake_device
googleApiApplicationClientID
iAmRecorder
iAmSipGateway
microsoftApiApplicationClientID
peopleSearchQueryTypes
peopleSearchUrl
requireDisplayName
tokenAuthUrl
*/
// List of undocumented settings used in lib-jitsi-meet
/**
_peerConnStatusOutOfLastNTimeout
_peerConnStatusRtcMuteTimeout
abTesting
avgRtpStatsN
callStatsConfIDNamespace
callStatsCustomScriptUrl
desktopSharingSources
disableAEC
disableAGC
disableAP
disableHPF
disableNS