From 5a2b3559dbca992a00eeb636f344a71c455094ca Mon Sep 17 00:00:00 2001 From: Markus Hauschild Date: Wed, 20 May 2020 09:57:18 +0200 Subject: [PATCH] jitsi: new role (on host zirconium.binary-kitchen.net) --- group_vars/all/vars.yml | 2 ++ host_vars/zirconium.binary-kitchen.net | 4 ++++ hosts | 1 + roles/jitsi/handlers/main.yml | 7 +++++++ roles/jitsi/meta/main.yml | 5 +++++ roles/jitsi/tasks/main.yml | 17 ++++++++++++++++ roles/jitsi/templates/certs.j2 | 14 +++++++++++++ roles/jitsi/templates/vhost.j2 | 27 ++++++++++++++++++++++++++ site.yml | 7 ++++++- 9 files changed, 83 insertions(+), 1 deletion(-) create mode 100644 host_vars/zirconium.binary-kitchen.net create mode 100644 roles/jitsi/handlers/main.yml create mode 100644 roles/jitsi/meta/main.yml create mode 100644 roles/jitsi/tasks/main.yml create mode 100644 roles/jitsi/templates/certs.j2 create mode 100644 roles/jitsi/templates/vhost.j2 diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index b16afd5..71c0ba0 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -28,6 +28,8 @@ hackmd_dbuser: hackmd hackmd_dbpass: "{{ vault_hackmd_dbpass }}" hackmd_secret: "{{ vault_hackmd_secret }}" +jitsi_domain: jitsi.binary-kitchen.de + ldap_uri: ldaps://ldap.binary.kitchen ldap_host: ldap.binary.kitchen ldap_base: dc=binary-kitchen,dc=de diff --git a/host_vars/zirconium.binary-kitchen.net b/host_vars/zirconium.binary-kitchen.net new file mode 100644 index 0000000..a31468e --- /dev/null +++ b/host_vars/zirconium.binary-kitchen.net @@ -0,0 +1,4 @@ +--- + +root_keys_host: +- "ssh-rsa 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 exxess" diff --git a/hosts b/hosts index 05a1bdf..2e5e611 100644 --- a/hosts +++ b/hosts @@ -21,3 +21,4 @@ neon.binary-kitchen.net sodium.binary-kitchen.net krypton.binary-kitchen.net yttrium.binary-kitchen.net +zirconium.binary-kitchen.net diff --git a/roles/jitsi/handlers/main.yml b/roles/jitsi/handlers/main.yml new file mode 100644 index 0000000..2c3a4e3 
--- /dev/null +++ b/roles/jitsi/handlers/main.yml @@ -0,0 +1,7 @@ +--- + +- name: Restart nginx + service: name=nginx state=restarted + +- name: Run acertmgr + command: /opt/acertmgr/acertmgr.py diff --git a/roles/jitsi/meta/main.yml b/roles/jitsi/meta/main.yml new file mode 100644 index 0000000..8fcf724 --- /dev/null +++ b/roles/jitsi/meta/main.yml @@ -0,0 +1,5 @@ +--- + +dependencies: +- { role: acertmgr } +- { role: nginx, nginx_ssl: True } diff --git a/roles/jitsi/tasks/main.yml b/roles/jitsi/tasks/main.yml new file mode 100644 index 0000000..e715caf --- /dev/null +++ b/roles/jitsi/tasks/main.yml @@ -0,0 +1,17 @@ +--- + +- name: Ensure jitsi certificates are available + command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ jitsi_domain }}.key -out /etc/nginx/ssl/{{ jitsi_domain }}.crt -days 730 -subj "/CN={{ jitsi_domain }}" creates=/etc/nginx/ssl/{{ jitsi_domain }}.crt + notify: Restart nginx + +- name: Configure certificate manager + template: src=certs.j2 dest=/etc/acertmgr/{{ jitsi_domain }}.conf + notify: Run acertmgr + +- name: Configure vhosts + template: src=vhost.j2 dest=/etc/nginx/sites-available/jitsi + notify: Restart nginx + +- name: Enable vhosts + file: src=/etc/nginx/sites-available/jitsi dest=/etc/nginx/sites-enabled/jitsi state=link + notify: Restart nginx diff --git a/roles/jitsi/templates/certs.j2 b/roles/jitsi/templates/certs.j2 new file mode 100644 index 0000000..60b6040 --- /dev/null +++ b/roles/jitsi/templates/certs.j2 @@ -0,0 +1,14 @@ +--- +{{ jitsi_domain }}: +- path: /etc/nginx/ssl/{{ jitsi_domain }}.crt + user: root + group: root + perm: '400' + format: crt,ca + action: '/usr/sbin/service nginx restart' +- path: /etc/nginx/ssl/{{ jitsi_domain }}.key + user: root + group: root + perm: '400' + format: key + action: '/usr/sbin/service nginx restart' diff --git a/roles/jitsi/templates/vhost.j2 b/roles/jitsi/templates/vhost.j2 new file mode 100644 index 0000000..1d09dd2 --- /dev/null 
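Review bot: Both handlers in roles/jitsi/handlers/main.yml use inline `key=value` argument strings (`service: name=nginx state=restarted`), which the rest of Ansible's idiom and yamllint-friendly style avoids in favour of block YAML — `service:` followed by `name: nginx` and `state: restarted` on their own indented lines. Consider also whether a config-only change should trigger `state: reloaded` rather than a full restart, since a restart drops in-flight connections; a restart is still the right choice if nginx may not yet be running on first deploy, so this is a judgement call rather than a defect.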
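Review bot: The bootstrap private key written by the `openssl req -x509 ... -keyout /etc/nginx/ssl/{{ jitsi_domain }}.key` task in roles/jitsi/tasks/main.yml is created with whatever mode root's umask yields, and nothing in this role tightens it; the `perm: '400'` in certs.j2 only applies to files acertmgr later writes, so the self-signed key is presumably readable by other local users until the first successful acertmgr run. Add a follow-up task directly after it: `- name: Restrict jitsi private key permissions` with `file: path=/etc/nginx/ssl/{{ jitsi_domain }}.key owner=root group=root mode=0400`, matching the permissions acertmgr enforces. Note also that `creates=` checks only the `.crt`, so an existing certificate with a missing `.key` is never regenerated and nginx would then fail to start on restart; checking the key path (or both) would be safer.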
+++ b/roles/jitsi/templates/vhost.j2 @@ -0,0 +1,27 @@ +server { + listen 80; + listen [::]:80; + + server_name {{ jitsi_domain }}; + + location /.well-known/acme-challenge { + default_type "text/plain"; + alias /var/www/acme-challenge; + } + + location / { + return 301 https://{{ jitsi_domain }}$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ jitsi_domain }}; + + ssl_certificate_key /etc/nginx/ssl/{{ jitsi_domain }}.key; + ssl_certificate /etc/nginx/ssl/{{ jitsi_domain }}.crt; + + root /var/www/jitsi; +} diff --git a/site.yml b/site.yml index 448a8e1..e7ddebb 100644 --- a/site.yml +++ b/site.yml @@ -8,7 +8,7 @@ - root-keys - name: Setup unattended updates - hosts: [sulis.binary.kitchen, nabia.binary.kitchen, beryllium.binary-kitchen.net, boron.binary-kitchen.net, carbon.binary-kitchen.net, nitrogen.binary-kitchen.net, oxygen.binary-kitchen.net, fluorine.binary-kitchen.net, krypton.binary-kitchen.net, sodium.binary-kitchen.net, yttrium.binary-kitchen.net] + hosts: [sulis.binary.kitchen, nabia.binary.kitchen, beryllium.binary-kitchen.net, boron.binary-kitchen.net, carbon.binary-kitchen.net, nitrogen.binary-kitchen.net, oxygen.binary-kitchen.net, fluorine.binary-kitchen.net, krypton.binary-kitchen.net, sodium.binary-kitchen.net, yttrium.binary-kitchen.net, zirconium.binary-kitchen.net] roles: - uau @@ -88,3 +88,8 @@ hosts: krypton.binary-kitchen.net roles: - partdb + +- name: Setup jitsi server + hosts: zirconium.binary-kitchen.net + roles: + - jitsi
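Review bot: In the `location /.well-known/acme-challenge` block of vhost.j2 both the location prefix and the `alias /var/www/acme-challenge` target lack a trailing slash; as far as I can tell this is harmless today, but the pair is one edit away from nginx's well-known off-by-slash traversal (a slash-terminated alias under a non-slash-terminated location lets a request for `/.well-known/acme-challenge../` escape into `/var/www/`). Pin both consistently: `location /.well-known/acme-challenge/ {` and `alias /var/www/acme-challenge/;`. The HTTPS server block carries no `ssl_protocols`, `ssl_ciphers` or HSTS directives of its own; if the `nginx` role pulled in via `nginx_ssl: True` does not set these globally (not visible in this diff), they belong here before the host is exposed.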
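Review bot: The "Setup unattended updates" play in site.yml relies on a hand-maintained inline host list that must be edited every time a host is added to `hosts`; this commit remembered to add zirconium, but the pattern makes the update coverage opt-in and easy to miss. Consider defining an inventory group (e.g. `[uau]` in `hosts`) and using `hosts: uau`, or `hosts: all` with explicit exclusions, so new hosts receive unattended updates by default. This is a maintainability suggestion, not a defect in the lines added here.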