Commit fb14d09a authored by PizZaKatZe's avatar PizZaKatZe

Complete Jitsi playbook

parent d129ab7b
......@@ -36,6 +36,7 @@ Vagrant.configure("2") do |config|
ansible.host_vars = {
jitsi: {
addr: machines[:jitsi],
env: "staging",
},
}
end
......
......@@ -3,4 +3,5 @@
ansible_python_interpreter: /usr/bin/python3
addr: "{{ ansible_host }}"
env: production
fqdn: "{{ subdomain }}.{{ domain }}"
# vim: et sw=2 ts=2
---
domain: cyber4edu.org
domain: hasi.it
hostname: jitsi
subdomain: meet
# vim: et sw=2 ts=2 filetype=yaml
---
all:
hosts:
jitsi:
ansible_host: 144.76.44.83
ansible_user: root
vars:
env: production
---
# handlers file for jitsi
\ No newline at end of file
- name: Restart jitsi
systemd:
name: "{{ item }}.service"
state: restarted
with_items:
- jicofo
- jitsi-videobridge2
- prosody
- name: Restart nginx
systemd:
name: nginx.service
state: restarted
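Review bot: `Restart nginx` uses `state: restarted`, which drops every in-flight HTTPS connection; the tasks in this commit that notify it only rewrite the vhost config, for which `state: reloaded` applies the change without disconnecting users. `Restart jitsi` bounces prosody, jicofo and jitsi-videobridge2 together and so ends every running conference on each triggering change; that is acceptable for initial provisioning, but worth a comment such as `# Full backend restart — terminates active conferences` so the cost is visible to whoever adds the next `notify`.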
---
# tasks file for jitsi
# inspired by:
# * https://fatiherikci.com/en/install-jitsi-meet-on-debian-10/
# * https://github.com/UdelaRInterior/ansible-role-jitsi-meet
- name: Install dependencies
apt:
pkg:
- apt-transport-https
- debconf-utils
- gpg
- nginx
- ufw
- name: Import APT repository key
apt_key:
url: https://download.jitsi.org/jitsi-key.gpg.key
- name: Add APT repository key
- name: Add APT repository
apt_repository:
repo: deb https://download.jitsi.org stable/
......@@ -26,3 +33,121 @@
apt:
pkg: jitsi-meet
update_cache: yes
- name: Fix JVB TCP harvester port
lineinfile:
path: /etc/jitsi/videobridge/sip-communicator.properties
regex: 'org\.jitsi\.videobridge\.TCP_HARVESTER_PORT='
line: 'org.jitsi.videobridge.TCP_HARVESTER_PORT=4443'
notify: Restart jitsi
- name: Allow TCP ports 22, 80 and 443
ufw:
rule: allow
port: "{{ item }}"
proto: tcp
with_items:
- '22'
- '80'
- '443'
- '4443'
- name: Open UDP port 10000 for jitsi-videobridge
ufw:
rule: allow
port: '10000'
proto: udp
- name: Enable firewall
ufw:
state: enabled
- name: Disable p2p so we don't have to rely on external STUN servers
lineinfile:
path: "/etc/jitsi/meet/{{ fqdn }}-config.js"
insertafter: " *// connection\\."
regexp: " enabled: .*,"
line: " enabled: false,"
notify: Restart jitsi
- name: Disable third-party requests
lineinfile:
path: "/etc/jitsi/meet/{{ fqdn }}-config.js"
regexp: "disableThirdPartyRequests: .*,"
line: " disableThirdPartyRequests: true,"
notify: Restart jitsi
- name: Disable gathering statistics
lineinfile:
path: "/etc/jitsi/meet/{{ fqdn }}-config.js"
regexp: "gatherStats: .*,"
line: " gatherStats: false,"
notify: Restart jitsi
- name: Require users to specify a name
lineinfile:
path: "/etc/jitsi/meet/{{ fqdn }}-config.js"
regexp: "requireDisplayName: .*,"
line: " requireDisplayName: true,"
notify: Restart jitsi
- name: Mute microphone for new connections
lineinfile:
path: "/etc/jitsi/meet/{{ fqdn }}-config.js"
regexp: "startWithAudioMuted: .*,"
line: " startWithAudioMuted: true,"
notify: Restart jitsi
- name: Disable camera for new connections
lineinfile:
path: "/etc/jitsi/meet/{{ fqdn }}-config.js"
regexp: "startWithVideoMuted: .*,"
line: " startWithVideoMuted: true,"
notify: Restart jitsi
- name: Set default language to DE
lineinfile:
path: "/etc/jitsi/meet/{{ fqdn }}-config.js"
regexp: "defaultLanguage: .*,"
line: " defaultLanguage: 'de',"
notify: Restart jitsi
- name: Lock out incompatible browsers
lineinfile:
path: /usr/share/jitsi-meet/interface_config.js
regexp: "UNSUPPORTED_BROWSERS:"
line: " UNSUPPORTED_BROWSERS: ['edge'],"
notify: Restart jitsi
- name: "Force TLSv1.2 or better"
lineinfile:
path: "/etc/nginx/sites-available/{{ fqdn }}.conf"
regexp: "ssl_protocols .*;"
line: " ssl_protocols TLSv1.2 TLSv1.3;"
notify: Restart jitsi
- name: "Force strong TLS ciphers"
lineinfile:
path: "/etc/nginx/sites-available/{{ fqdn }}.conf"
regexp: "ssl_ciphers .*;"
line: " ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;"
notify: Restart jitsi
- name: Disable HSTS in staging environment
lineinfile:
path: "/etc/nginx/sites-available/{{ fqdn }}.conf"
regex: 'add_header Strict-Transport-Security'
line: ' #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;'
when: env == "staging"
notify: Restart nginx
- name: Enable HSTS in production environment
lineinfile:
path: "/etc/nginx/sites-available/{{ fqdn }}.conf"
regex: 'add_header Strict-Transport-Security'
line: ' add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;'
when: env != "staging"
notify: Restart nginx
- name: Issue TLS certificate
shell: "echo 'webmaster@{{ domain }}.conf' | /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh"
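Review bot: The `Force TLSv1.2 or better` and `Force strong TLS ciphers` tasks rewrite the nginx vhost but notify `Restart jitsi`, whose handler only restarts jicofo, jitsi-videobridge2 and prosody, so the hardened `ssl_protocols`/`ssl_ciphers` lines land on disk while nginx keeps serving the old settings until something else restarts it; both tasks should carry `notify: Restart nginx` like the HSTS tasks below them. The `Issue TLS certificate` step pipes `webmaster@{{ domain }}.conf` into the Let's Encrypt script, where the `.conf` suffix looks like a stray paste onto the contact address, and as far as the hunk shows the bare `shell:` has no `creates:` or `changed_when:` guard, so every playbook run re-requests a certificate and counts against Let's Encrypt's issuance limits. Less certain: `Disable p2p` matches `regexp: " enabled: .*,"` with no anchor to the `p2p` block, and `lineinfile` rewrites the last line matching anywhere in the file, so if `{{ fqdn }}-config.js` has more than one `enabled:` key this can flip a different option and leave p2p on.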