From 229d733e0963b894c257f08efc653f66fa61abb3 Mon Sep 17 00:00:00 2001
From: les <lesion@autistici.org>
Date: Wed, 6 Jan 2021 13:02:22 +0100
Subject: [PATCH] start with mumble role

---
 roles/stable/mumble/defaults/main.yml         |  65 ++++
 roles/stable/mumble/meta/main.yml             |  11 +
 roles/stable/mumble/tasks/main.yml            |   7 +
 roles/stable/mumble/tasks/mumble-web.yml      |  53 +++
 roles/stable/mumble/tasks/mumble.yml          |  29 ++
 .../mumble/templates/config.local.js.j2       |  11 +
 .../mumble/templates/mumle-server.ini.j2      | 328 ++++++++++++++++++
 .../mumble/templates/mumle-web.service.j2     |  27 ++
 8 files changed, 531 insertions(+)
 create mode 100644 roles/stable/mumble/defaults/main.yml
 create mode 100644 roles/stable/mumble/meta/main.yml
 create mode 100644 roles/stable/mumble/tasks/main.yml
 create mode 100644 roles/stable/mumble/tasks/mumble-web.yml
 create mode 100644 roles/stable/mumble/tasks/mumble.yml
 create mode 100644 roles/stable/mumble/templates/config.local.js.j2
 create mode 100644 roles/stable/mumble/templates/mumle-server.ini.j2
 create mode 100644 roles/stable/mumble/templates/mumle-web.service.j2

diff --git a/roles/stable/mumble/defaults/main.yml b/roles/stable/mumble/defaults/main.yml
new file mode 100644
index 0000000..de35356
--- /dev/null
+++ b/roles/stable/mumble/defaults/main.yml
@@ -0,0 +1,65 @@
+---
+
+murmur_database: "/var/lib/mumble-server/mumble-server.sqlite"
+murmur_dbdriver: ""
+murmur_ice: "tcp -h 127.0.0.1 -p 6502"
+murmur_icesecretread: ""
+murmur_icesecretwrite: ""
+murmur_autobanattempts: "10"
+murmur_autobantimeframe: "120"
+murmur_autobantime: "300"
+murmur_logfile: "/var/log/mumble-server/mumble-server.log"
+murmur_pidfile: "/var/run/mumble-server/mumble-server.pid"
+murmur_welcometext: "Welcome on my mumble server!"
+murmur_port: "64738"
+murmur_host: ""
+murmur_serverpassword: ""
+murmur_bandwidth: "72000"
+murmur_users: "500"
+murmur_opusthreshold: "100"
+murmur_channelcountlimit: "1000"
+murmur_channelnestinglimit: "10"
+
+# regexp to validate channel or usernames
+murmur_channelname: ""
+
+murmur_username: ""
+murmur_textmessagelength: "5000"
+murmur_imagemessagelength: "131072"
+murmur_allowhtml: "True"
+
+# murmur_logdays: "-1" to disable logging to db
+murmur_logdays: "-1"
+
+# name for root channel and entry in mumble main server list
+murmur_registername: "MyMumbleServerRegisterName"
+
+murmur_registerpassword: "password"
+
+murmur_registerurl: "https://mymumbleserverurl.org"
+murmur_registerhostname: "mymumblehostname.domain.org"
+
+# for dev
+# murmur_bonjour: "True"
+murmur_bonjour: "False"
+murmur_uname: "mumble-server"
+murmur_certrequired: "False"
+murmur_sendversion: "True"
+murmur_icewarnunknownproperties: "1"
+murmur_icemessagesizemax: "65536"
+
+murmur_sslcert: "/etc/ssl/mumble-server-cert.pem"
+murmur_sslkey: "/etc/ssl/mumble-server-key.pem"
+murmur_sslca: "/etc/ssl/letsencrypt_chain.pem"
+
+# mumble-web settings
+mumble_web: true
+mumble_web_path: /srv/mumble/mumble-web/
+# to define use yaml multiline string
+mumble_web_config: ""
+# mumble_web_supplementary_groups:
+#   - letsencrypt
+
+mumble_web_listen: "443"
+mumble_web_ssl_activated: True
+mumble_web_ssl_target: True
diff --git a/roles/stable/mumble/meta/main.yml b/roles/stable/mumble/meta/main.yml
new file mode 100644
index 0000000..ca4754a
--- /dev/null
+++ b/roles/stable/mumble/meta/main.yml
@@ -0,0 +1,11 @@
+---
+dependencies:
+
+  # install nodejs
+  - role: stable/nodejs
+
+  # backup sqlitedb, certs, etc
+  - role: stable/restic
+    when: with_backup | bool
+    vars:
+      restic_folders: ['/srv/murmur']
\ No newline at end of file
diff --git a/roles/stable/mumble/tasks/main.yml b/roles/stable/mumble/tasks/main.yml
new file mode 100644
index 0000000..67375cb
--- /dev/null
+++ b/roles/stable/mumble/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+
+- include: mumble.yml
+
+- include: mumble-web.yml
+  when: mumble_web | bool
+  tags: mumble-web
diff --git a/roles/stable/mumble/tasks/mumble-web.yml b/roles/stable/mumble/tasks/mumble-web.yml
new file mode 100644
index 0000000..d29c721
--- /dev/null
+++ b/roles/stable/mumble/tasks/mumble-web.yml
@@ -0,0 +1,53 @@
+---
+
+- name: install dependencies
+  apt:
+    pkg: websockify
+
+- name: ensure mumble user is present
+  user:
+    name: "mumble"
+    home: "/srv/mumble"
+    shell: "/bin/bash"
+    state: present
+
+
+- name: install mumble-web
+  git:
+    repo: "https://github.com/johni0702/mumble-web"
+    dest: "/srv/mumble/mumble-web"
+    force: true
+  become: true
+  become_user: "mumble"
+
+
+- name: copy mumble-web unit file
+  template:
+    src: mumble-web.service.j2
+    dest: /etc/systemd/system/mumble-web.service
+    owner: root
+    group: root
+    mode: 0644
+  register: servicefile
+  notify: restart mumble-web
+
+- name: Allow to python to inherit socket binding capability
+  capabilities:
+    path: /usr/bin/python2.7
+    capability: cap_net_bind_service=ei
+  when: servicefile.changed
+
+- name: configure mumble-web
+  template:
+    src: config.local.js.j2
+    dest: "{{ mumble_web_path }}/dist/config.local.js"
+    owner: root
+    group: root
+    mode: 0644
+
+- name: enable and start mumble-web
+  systemd:
+    name: mumble-web
+    daemon-reload: yes
+    enabled: True
+    state: started
\ No newline at end of file
diff --git a/roles/stable/mumble/tasks/mumble.yml b/roles/stable/mumble/tasks/mumble.yml
new file mode 100644
index 0000000..8d5f96f
--- /dev/null
+++ b/roles/stable/mumble/tasks/mumble.yml
@@ -0,0 +1,29 @@
+---
+- name: ensure required packages are present
+  apt:
+    pkg: mumble-server
+
+- name: generate the Murmur config file
+  template:
+    src: "mumble-server.ini.j2"
+    dest: "/etc/mumble-server.ini"
+    owner: root
+    group: mumble-server
+    mode: 0640
+  notify: restart murmur
+
+- name: always start service
+  service:
+    name: mumble-server
+    enabled: True
+    state: started
+
+- name: write superuser password to a file
+  copy:
+    content: "{{ murmur_superuser_password }}"
+    dest: /etc/mumble-superuser
+    owner: root
+    group: root
+    mode: 0600
+  when: murmur_superuser_password is defined
+  notify: set superuser password
\ No newline at end of file
diff --git a/roles/stable/mumble/templates/config.local.js.j2 b/roles/stable/mumble/templates/config.local.js.j2
new file mode 100644
index 0000000..b781675
--- /dev/null
+++ b/roles/stable/mumble/templates/config.local.js.j2
@@ -0,0 +1,11 @@
+// You can overwrite the default configuration values set in [config.js] here.
+// There should never be any required changes to this file and you can always
+// simply copy it over when updating to a new version.
+
+let config = window.mumbleWebConfig // eslint-disable-line no-unused-vars
+
+// E.g. changing default address and theme:
+// config.defaults.address = 'voice.example.com'
+// config.defaults.theme = 'MetroMumbleDark'
+
+{{ mumble_web_config }}
\ No newline at end of file
diff --git a/roles/stable/mumble/templates/mumle-server.ini.j2 b/roles/stable/mumble/templates/mumle-server.ini.j2
new file mode 100644
index 0000000..0e0a78f
--- /dev/null
+++ b/roles/stable/mumble/templates/mumle-server.ini.j2
@@ -0,0 +1,328 @@
+; Murmur configuration file.
+;
+; General notes:
+; * Settings in this file are default settings and many of them can be overridden
+;   with virtual server specific configuration via the Ice or DBus interface.
+; * Due to the way this configuration file is read some rules have to be
+;   followed when specifying variable values (as in variable = value):
+;     * Make sure to quote the value when using commas in strings or passwords.
+;        NOT variable = super,secret BUT variable = "super,secret"
+;     * Make sure to escape special characters like '\' or '"' correctly
+;        NOT variable = """ BUT variable = "\""
+;        NOT regex = \w* BUT regex = \\w*
+
+; Path to database. If blank, will search for
+; murmur.sqlite in default locations or create it if not found.
+database={{ murmur_database }}
+
+; Murmur defaults to using SQLite with its default rollback journal.
+; In some situations, using SQLite's write-ahead log (WAL) can be
+; advantageous.
+; If you encounter slowdowns when moving between channels and similar
+; operations, enabling the SQLite write-ahead log might help.
+;
+; To use SQLite's write-ahead log, set sqlite_wal to one of the following
+; values:
+;
+; 0 - Use SQLite's default rollback journal.
+; 1 - Use write-ahead log with synchronous=NORMAL.
+;     If Murmur crashes, the database will be in a consistent state, but
+;     the most recent changes might be lost if the operating system did
+;     not write them to disk yet. This option can improve Murmur's
+;     interactivity on busy servers, or servers with slow storage.
+; 2 - Use write-ahead log with synchronous=FULL.
+;     All database writes are synchronized to disk when they are made.
+;     If Murmur crashes, the database will be include all completed writes.
+;sqlite_wal=0
+
+; If you wish to use something other than SQLite, you'll need to set the name
+; of the database above, and also uncomment the below.
+; Sticking with SQLite is strongly recommended, as it's the most well tested
+; and by far the fastest solution.
+;
+;dbDriver=QMYSQL
+;dbUsername=
+;dbPassword=
+;dbHost=
+;dbPort=
+;dbPrefix=murmur_
+;dbOpts=
+{% if murmur_dbdriver %}
+dbDriver={{ murmur_dbdriver }}
+dbUsername={{ murmur_dbusername }}
+dbPassword={{ murmur_dbpassword }}
+dbHost={{ murmur_dbhost }}
+dbPort={{ murmur_dbport }}
+dbPrefix={{ murmur_dbprefix }}
+dbOpts={{ murmur_dbopts }}
+{% endif %}
+
+; Murmur defaults to not using D-Bus. If you wish to use dbus, which is one of the
+; RPC methods available in Murmur, please specify so here.
+;
+;dbus=session
+
+; Alternate D-Bus service name. Only use if you are running distinct
+; murmurd processes connected to the same D-Bus daemon.
+;dbusservice=net.sourceforge.mumble.murmur
+
+; If you want to use ZeroC Ice to communicate with Murmur, you need
+; to specify the endpoint to use. Since there is no authentication
+; with ICE, you should only use it if you trust all the users who have
+; shell access to your machine.
+; Please see the ICE documentation on how to specify endpoints.
+ice="{{ murmur_ice }}"
+
+; Ice primarily uses local sockets. This means anyone who has a
+; user account on your machine can connect to the Ice services.
+; You can set a plaintext "secret" on the Ice connection, and
+; any script attempting to access must then have this secret
+; (as context with name "secret").
+; Access is split in read (look only) and write (modify)
+; operations. Write access always includes read access,
+; unless read is explicitly denied (see note below).
+;
+; Note that if this is uncommented and with empty content,
+; access will be denied.
+
+{% if murmur_icesecretread %}
+icesecretread={{ murmur_icesecretread }}
+{% else %}
+;icesecretread=
+{% endif %}
+{% if murmur_icesecretwrite %}
+icesecretwrite={{ murmur_icesecretwrite }}
+{% else %}
+icesecretwrite=
+{% endif %}
+
+; If you want to expose Murmur's experimental gRPC API, you
+; need to specify an address to bind on.
+; Note: not all builds of Murmur support gRPC. If gRPC is not
+; available, Murmur will warn you in its log output.
+;grpc="127.0.0.1:50051"
+; Specifying both a certificate and key file below will cause gRPC to use
+; secured, TLS connections.
+;grpccert=""
+;grpckey=""
+
+; How many login attempts do we tolerate from one IP
+; inside a given timeframe before we ban the connection?
+; Note that this is global (shared between all virtual servers), and that
+; it counts both successfull and unsuccessfull connection attempts.
+; Set either Attempts or Timeframe to 0 to disable.
+;autobanAttempts = 10
+;autobanTimeframe = 120
+;autobanTime = 300
+autobanAttempts={{ murmur_autobanattempts }}
+autobanTimeframe={{ murmur_autobantimeframe }}
+autobanTime={{ murmur_autobantime }}
+
+; Specifies the file Murmur should log to. By default, Murmur
+; logs to the file 'murmur.log'. If you leave this field blank
+; on Unix-like systems, Murmur will force itself into foreground
+; mode which logs to the console.
+;logfile=murmur.log
+logfile={{ murmur_logfile }}
+
+; If set, Murmur will write its process ID to this file
+; when running in daemon mode (when the -fg flag is not
+; specified on the command line). Only available on
+; Unix-like systems.
+;pidfile=
+pidfile={{ murmur_pidfile }}
+
+; The below will be used as defaults for new configured servers.
+; If you're just running one server (the default), it's easier to
+; configure it here than through D-Bus or Ice.
+;
+; Welcome message sent to clients when they connect.
+; If the welcome message is set to an empty string,
+; no welcome message will be sent to clients.
+welcometext="{{ murmur_welcometext }}"
+
+; Port to bind TCP and UDP sockets to.
+port={{ murmur_port }}
+
+; Specific IP or hostname to bind to.
+; If this is left blank (default), Murmur will bind to all available addresses.
+;host=
+{% if murmur_host %}
+host={{ murmur_host }}
+{% endif %}
+
+; Password to join server.
+serverpassword={{ murmur_serverpassword }}
+
+; Maximum bandwidth (in bits per second) clients are allowed
+; to send speech at.
+bandwidth={{ murmur_bandwidth }}
+
+; Maximum number of concurrent clients allowed.
+users={{ murmur_users }}
+
+; Per-user rate limiting
+;
+; These two settings allow to configure the per-user rate limiter for some
+; command messages sent from the client to the server. The messageburst setting
+; specifies an amount of messages which are allowed in short bursts. The
+; messagelimit setting specifies the number of messages per second allowed over
+; a longer period. If a user hits the rate limit, his packages are then ignored
+; for some time. Both of these settings have a minimum of 1 as setting either to
+; 0 could render the server unusable.
+messageburst=5
+messagelimit=1
+
+; Respond to UDP ping packets.
+;
+; Setting to true exposes the current user count, the maximum user count, and
+; the server's maximum bandwidth per client to unauthenticated users. In the
+; Mumble client, this information is shown in the Connect dialog.
+allowping=true
+
+; Amount of users with Opus support needed to force Opus usage, in percent.
+; 0 = Always enable Opus, 100 = enable Opus if it's supported by all clients.
+;opusthreshold=100
+opusthreshold={{ murmur_opusthreshold }}
+
+; Maximum depth of channel nesting. Note that some databases like MySQL using
+; InnoDB will fail when operating on deeply nested channels.
+;channelnestinglimit=10
+channelnestinglimit={{ murmur_channelnestinglimit }}
+
+; Maximum number of channels per server. 0 for unlimited. Note that an
+; excessive number of channels will impact server performance
+;channelcountlimit=1000
+{% if murmur_channelcountlimit %}
+channelcountlimit={{ murmur_channelcountlimit }}
+{% endif %}
+
+; Regular expression used to validate channel names.
+; (Note that you have to escape backslashes with \ )
+;channelname=[ \\-=\\w\\#\\[\\]\\{\\}\\(\\)\\@\\|]+
+{% if murmur_channelname %}
+channelname={{ murmur_channelname }}
+{% endif %}
+
+; Regular expression used to validate user names.
+; (Note that you have to escape backslashes with \ )
+;username=[-=\\w\\[\\]\\{\\}\\(\\)\\@\\|\\.]+
+{% if murmur_username %}
+username={{ murmur_username }}
+{% endif %}
+
+; Maximum length of text messages in characters. 0 for no limit.
+;textmessagelength=5000
+textmessagelength={{ murmur_textmessagelength }}
+
+; Maximum length of text messages in characters, with image data. 0 for no limit.
+;imagemessagelength=131072
+imagemessagelength={{ murmur_imagemessagelength }}
+
+; Allow clients to use HTML in messages, user comments and channel descriptions?
+;allowhtml=true
+allowhtml={{ murmur_allowhtml }}
+
+; Murmur retains the per-server log entries in an internal database which
+; allows it to be accessed over D-Bus/ICE.
+; How many days should such entries be kept?
+; Set to 0 to keep forever, or -1 to disable logging to the DB.
+;logdays=31
+logdays={{ murmur_logdays }}
+
+{% if murmur_registername %}
+; To enable public server registration, the serverpassword must be blank, and
+; this must all be filled out.
+; The password here is used to create a registry for the server name; subsequent
+; updates will need the same password. Don't lose your password.
+; The URL is your own website, and only set the registerHostname for static IP
+; addresses.
+; Only uncomment the 'registerName' parameter if you wish to give your "Root" channel a custom name.
+;
+registerName={{ murmur_registername }}
+registerPassword={{ murmur_registerpassword }}
+registerUrl={{ murmur_registerurl }}
+registerHostname={{ murmur_registerhostname }}
+{% endif %}
+
+; If this option is enabled, the server will announce its presence via the
+; bonjour service discovery protocol. To change the name announced by bonjour
+; adjust the registerName variable.
+; See http://developer.apple.com/networking/bonjour/index.html for more information
+; about bonjour.
+;bonjour=True
+bonjour={{ murmur_bonjour }}
+
+; If you have a proper SSL certificate, you can provide the filenames here.
+; Otherwise, Murmur will create its own certificate automatically.
+;sslCert=
+;sslKey=
+{% if murmur_sslcert %}
+sslCert={{ murmur_sslcert }}
+sslKey={{ murmur_sslkey }}
+sslCa={{ murmur_sslca }}
+{% endif %}
+
+; The sslDHParams option allows you to specify a PEM-encoded file with
+; Diffie-Hellman parameters, which will be used as the default Diffie-
+; Hellman parameters for all virtual servers.
+;
+; Instead of pointing sslDHParams to a file, you can also use the option
+; to specify a named set of Diffie-Hellman parameters for Murmur to use.
+; Murmur comes bundled with the Diffie-Hellman parameters from RFC 7919.
+; These parameters are available by using the following names:
+;
+; @ffdhe2048, @ffdhe3072, @ffdhe4096, @ffdhe6144, @ffdhe8192
+;
+; By default, Murmur uses @ffdhe2048.
+;sslDHParams=@ffdhe2048
+
+; The sslCiphers option chooses the cipher suites to make available for use
+; in SSL/TLS. This option is server-wide, and cannot be set on a
+; per-virtual-server basis.
+;
+; This option is specified using OpenSSL cipher list notation (see
+; https://www.openssl.org/docs/apps/ciphers.html#CIPHER-LIST-FORMAT).
+;
+; It is recommended that you try your cipher string using 'openssl ciphers <string>'
+; before setting it here, to get a feel for which cipher suites you will get.
+;
+; After setting this option, it is recommend that you inspect your Murmur log
+; to ensure that Murmur is using the cipher suites that you expected it to.
+;
+; Note: Changing this option may impact the backwards compatibility of your
+; Murmur server, and can remove the ability for older Mumble clients to be able
+; to connect to it.
+;sslCiphers=EECDH+AESGCM:EDH+aRSA+AESGCM:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA
+
+; If Murmur is started as root, which user should it switch to?
+; This option is ignored if Murmur isn't started with root privileges.
+;uname=
+uname={{ murmur_uname }}
+
+; If this options is enabled, only clients which have a certificate are allowed
+; to connect.
+;certrequired=False
+certrequired={{ murmur_certrequired }}
+
+; If enabled, clients are sent information about the servers version and operating
+; system.
+;sendversion=True
+sendversion={{ murmur_sendversion }}
+
+; This sets password hash storage to legacy mode (1.2.4 and before)
+; (Note that setting this to true is insecure and should not be used unless absolutely necessary)
+;legacyPasswordHash=false
+
+; By default a strong amount of PBKDF2 iterations are chosen automatically. If >0 this setting
+; overrides the automatic benchmark and forces a specific number of iterations.
+; (Note that you should only change this value if you know what you are doing)
+;kdfIterations=-1
+
+; You can configure any of the configuration options for Ice here. We recommend
+; leave the defaults as they are.
+; Please note that this section has to be last in the configuration file.
+;
+[Ice]
+Ice.Warn.UnknownProperties={{ murmur_icewarnunknownproperties }}
+Ice.MessageSizeMax={{ murmur_icemessagesizemax }}
diff --git a/roles/stable/mumble/templates/mumle-web.service.j2 b/roles/stable/mumble/templates/mumle-web.service.j2
new file mode 100644
index 0000000..7a1cb9b
--- /dev/null
+++ b/roles/stable/mumble/templates/mumle-web.service.j2
@@ -0,0 +1,27 @@
+[Unit]
+Description=Mumble-web
+
+[Service]
+SyslogIdentifier=mumble-web
+ExecStart=/usr/bin/python2.7 /usr/bin/python2-websockify \
+{% if mumble_web_ssl_activated %}
+  --cert={{ murmur_sslcert }} --key={{ murmur_sslkey }} --ssl-only \
+{% endif %}
+{% if mumble_web_ssl_target %}
+  --ssl-target \
+{% endif %}
+  --web={{ mumble_web_path }}/dist {{ mumble_web_listen }} localhost:{{ murmur_port }}
+DynamicUser=true
+; we need access to the certs
+{% if mumble_web_supplementary_groups is defined %}
+SupplementaryGroups={{ mumble_web_supplementary_groups }}
+{% endif %}
+; The following additional security directives only work with systemd v229 or later.
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+; Always run
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file