commit
fe49830515
@ -0,0 +1,66 @@ |
||||
## Creating the database |
||||
On coffee, login as the `postgres` user, run `psql`, then run the following: |
||||
```sql |
||||
CREATE USER greenlight WITH PASSWORD 'replace_this_password'; |
||||
CREATE DATABASE greenlight; |
||||
ALTER DATABASE greenlight OWNER TO greenlight; |
||||
``` |
||||
|
||||
## Running the playbook |
||||
Just the usual: |
||||
``` |
||||
ansible-playbook playbook.yml |
||||
``` |
||||
Once the playbook has finished, open `/opt/greenlight/.env` and set the |
||||
value of `DB_PASSWORD`. |
||||
|
||||
Also, place copies of `csclub-wildcard-chain.crt` and `csclub-wildcard.key` |
||||
(the wildcard CSC SSL certificate and key, respectively) in the directory |
||||
`/etc/nginx/ssl`. The key file must have permissions 0600. |
||||
|
||||
Then, restart BBB: |
||||
```sh |
||||
bbb-conf --restart |
||||
``` |
||||
|
||||
## Running as the greenlight user |
||||
Add the following lines to `/opt/greenlight/.profile`: |
||||
``` |
||||
export PATH=$HOME/.gem/ruby/2.5.0/bin:$PATH |
||||
export $(grep -v '^#' ~/.env) |
||||
export RAILS_ENV=production |
||||
export BUNDLE_APP_CONFIG=~/.bundle |
||||
``` |
||||
This will allow you to use the `bundle` command after running |
||||
`su - greenlight`, if you need to do so. |
||||
|
||||
## Running Greenlight |
||||
Enable and run the systemd service: |
||||
```sh |
||||
systemctl enable greenlight |
||||
systemctl start greenlight |
||||
``` |
||||
|
||||
## Creating an administrator account |
||||
Theoretically, there is a [bundle command](https://docs.bigbluebutton.org/greenlight/gl-admin.html#creating-an-administrator-account) |
||||
which should be able to create an administrator account. However, when |
||||
I did this, I found that I was unable to login using the new admin |
||||
credentials. Might be because of LDAP. Here's my workaround: |
||||
|
||||
1. Login once using your CSC credentials. |
||||
2. Log out. |
||||
3. On coffee, login as `postgres`, run `psql`, and run the following: |
||||
```sql |
||||
\c greenlight |
||||
UPDATE users SET role_id = 2 WHERE username = 'my_csc_username'; |
||||
``` |
||||
|
||||
When you log back in, you should now be an admin. |
||||
|
||||
## Greenlight customization |
||||
To ensure that future sysadmins automatically become Greenlight admins, |
||||
create a new role called "sysadmin" from the org settings in Greenlight. |
||||
|
||||
To set a custom logo in the top left corner, go to 'Site Settings', |
||||
and replace the branding image URL. I'm using a small CSC logo hosted |
||||
on our git server in the csc-propaganda repo. |
@ -0,0 +1,86 @@ |
||||
server { |
||||
listen 80; |
||||
listen [::]:80; |
||||
server_name bbb.csclub.uwaterloo.ca; |
||||
# Redirect all HTTP requests to HTTPS |
||||
return 301 https://$server_name$request_uri; |
||||
} |
||||
|
||||
server { |
||||
server_name bbb.csclub.uwaterloo.ca; |
||||
|
||||
listen 443 ssl; |
||||
listen [::]:443 ssl; |
||||
|
||||
ssl_certificate /etc/nginx/ssl/csclub-wildcard-chain.crt; |
||||
ssl_certificate_key /etc/nginx/ssl/csclub-wildcard.key; |
||||
ssl_session_cache shared:SSL:10m; |
||||
ssl_session_timeout 10m; |
||||
ssl_protocols TLSv1.2; |
||||
ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256"; |
||||
ssl_prefer_server_ciphers on; |
||||
ssl_dhparam /etc/nginx/ssl/dhp-4096.pem; |
||||
|
||||
access_log /var/log/nginx/bigbluebutton.access.log; |
||||
|
||||
# Handle RTMPT (RTMP Tunneling). Forwards requests |
||||
# to Red5 on port 5080 |
||||
location ~ (/open/|/close/|/idle/|/send/|/fcs/) { |
||||
proxy_pass http://127.0.0.1:5080; |
||||
proxy_redirect off; |
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
||||
|
||||
client_max_body_size 10m; |
||||
client_body_buffer_size 128k; |
||||
|
||||
proxy_connect_timeout 90; |
||||
proxy_send_timeout 90; |
||||
proxy_read_timeout 90; |
||||
|
||||
proxy_buffering off; |
||||
keepalive_requests 1000000000; |
||||
} |
||||
|
||||
# Handle desktop sharing tunneling. Forwards |
||||
# requests to Red5 on port 5080. |
||||
location /deskshare { |
||||
proxy_pass http://127.0.0.1:5080; |
||||
proxy_redirect default; |
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
||||
client_max_body_size 10m; |
||||
client_body_buffer_size 128k; |
||||
proxy_connect_timeout 90; |
||||
proxy_send_timeout 90; |
||||
proxy_read_timeout 90; |
||||
proxy_buffer_size 4k; |
||||
proxy_buffers 4 32k; |
||||
proxy_busy_buffers_size 64k; |
||||
proxy_temp_file_write_size 64k; |
||||
include fastcgi_params; |
||||
} |
||||
|
||||
# BigBlueButton landing page. |
||||
location / { |
||||
root /var/www/bigbluebutton-default; |
||||
index index.html index.htm; |
||||
expires 1m; |
||||
} |
||||
|
||||
# Include specific rules for record and playback |
||||
include /etc/bigbluebutton/nginx/*.nginx; |
||||
|
||||
#error_page 404 /404.html; |
||||
|
||||
# Redirect server error pages to the static page /50x.html |
||||
# |
||||
error_page 500 502 503 504 /50x.html; |
||||
location = /50x.html { |
||||
root /var/www/nginx-default; |
||||
} |
||||
|
||||
# Set Greenlight to be the default landing page |
||||
location = / { |
||||
return 307 /b; |
||||
} |
||||
} |
||||
|
@ -0,0 +1,270 @@ |
||||
--- |
||||
- hosts: 127.0.0.1 |
||||
connection: local |
||||
vars: |
||||
bundle: /opt/greenlight/.gem/ruby/2.5.0/bin/bundle |
||||
tasks: |
||||
- name: add PPA for bigbluebutton support packages |
||||
apt_repository: |
||||
repo: ppa:bigbluebutton/support |
||||
- name: add PPA for yq |
||||
apt_repository: |
||||
repo: ppa:rmescandon/yq |
||||
- name: add PPA for libreoffice |
||||
apt_repository: |
||||
repo: ppa:libreoffice/ppa |
||||
- name: add GPG key for MongoDB |
||||
apt_key: |
||||
url: https://www.mongodb.org/static/pgp/server-3.4.asc |
||||
- name: add repo for MongoDB |
||||
apt_repository: |
||||
repo: "deb [arch=amd64] http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 multiverse" |
||||
filename: mongodb-org-3.4 |
||||
- name: add GPG key for Nodesource |
||||
apt_key: |
||||
url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key |
||||
- name: add repo for Nodesource |
||||
apt_repository: |
||||
repo: deb https://deb.nodesource.com/node_8.x xenial main |
||||
filename: nodesource |
||||
- name: add GPG key for bigbluebutton |
||||
apt_key: |
||||
url: https://ubuntu.bigbluebutton.org/repo/bigbluebutton.asc |
||||
- name: add repo for bigbluebutton |
||||
apt_repository: |
||||
repo: deb https://ubuntu.bigbluebutton.org/xenial-22/ bigbluebutton-xenial main |
||||
filename: bigbluebutton |
||||
- name: add GPG key for Brightbox ruby-ng |
||||
apt_key: |
||||
keyserver: keyserver.ubuntu.com |
||||
id: 80F70E11F0F0D5F10CB20E62F5DA5F09C3173AA6 |
||||
- name: add repo for Brightbox ruby-ng |
||||
apt_repository: |
||||
repo: deb http://ppa.launchpad.net/brightbox/ruby-ng/ubuntu xenial main |
||||
filename: brightbox.ruby-ng |
||||
- name: add GPG key for CSC |
||||
apt_key: |
||||
url: http://debian.csclub.uwaterloo.ca/csclub.asc |
||||
- name: add CSC Debian repo |
||||
apt_repository: |
||||
repo: deb http://debian.csclub.uwaterloo.ca xenial main |
||||
filename: csclub |
||||
- name: update apt cache |
||||
apt: |
||||
update_cache: true |
||||
- name: install apt-transport-https |
||||
apt: |
||||
name: apt-transport-https |
||||
state: latest |
||||
- name: install curl |
||||
apt: |
||||
name: curl |
||||
state: latest |
||||
- name: install MongoDB |
||||
apt: |
||||
name: mongodb-org |
||||
state: latest |
||||
- name: install nodejs |
||||
apt: |
||||
# consider apt pinning this to version 8 |
||||
name: nodejs |
||||
state: latest |
||||
- name: install bigbluebutton |
||||
apt: |
||||
name: bigbluebutton |
||||
state: latest |
||||
- name: install bbb-html5 |
||||
apt: |
||||
name: bbb-html5 |
||||
state: latest |
||||
- name: install ruby2.5 |
||||
apt: |
||||
name: ruby2.5 |
||||
state: latest |
||||
- name: install greenlight |
||||
apt: |
||||
name: greenlight |
||||
state: latest |
||||
- name: set BBB hostname |
||||
# We should only need to do this once. Make sure to remove |
||||
# /tmp/bbb-setip-done if the FQDN changes for whatever reason. |
||||
shell: 'bbb-conf --setip {{ ansible_fqdn }} && touch /tmp/bbb-setip-done' |
||||
args: |
||||
creates: /tmp/bbb-setip-done |
||||
# Make sure to place the certificate and key in this directory, |
||||
# and run `chmod 0600` on the key |
||||
- name: create SSL directory |
||||
file: |
||||
path: /etc/nginx/ssl |
||||
state: directory |
||||
- name: create Diffie-Hellman params |
||||
command: |
||||
cmd: openssl dhparam -out /etc/nginx/ssl/dhp-4096.pem 4096 |
||||
creates: /etc/nginx/ssl/dhp-4096.pem |
||||
- name: update NGINX config |
||||
copy: |
||||
src: '{{ playbook_dir }}/bigbluebutton.nginx' |
||||
dest: /etc/nginx/sites-available/bigbluebutton |
||||
- name: update SIP config to use HTTPS |
||||
replace: |
||||
path: /etc/bigbluebutton/nginx/sip.nginx |
||||
regexp: '^(\s*)proxy_pass http://(.*):5066;$' |
||||
replace: '\1proxy_pass https://\2:7443;' |
||||
- name: configure BBB to load session via HTTPS (1) |
||||
replace: |
||||
path: /usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties |
||||
regexp: 'http://' |
||||
replace: 'https://' |
||||
- name: configure BBB to load session via HTTPS (2) |
||||
replace: |
||||
path: /usr/share/red5/webapps/screenshare/WEB-INF/screenshare.properties |
||||
regexp: 'http://' |
||||
replace: 'https://' |
||||
- name: configure BBB to load session via HTTPS (3) |
||||
replace: |
||||
path: /usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml |
||||
regexp: 'ws://' |
||||
replace: 'wss://' |
||||
- name: configure BBB to load session via HTTPS (4) |
||||
replace: |
||||
path: /usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml |
||||
regexp: 'http://' |
||||
replace: 'https://' |
||||
- name: configure BBB to load session via HTTPS (5) |
||||
replace: |
||||
path: /usr/local/bigbluebutton/core/scripts/bigbluebutton.yml |
||||
regexp: '^playback_protocol: http$' |
||||
replace: 'playback_protocol: https' |
||||
- name: configure BBB to support IPv6 |
||||
copy: |
||||
dest: /etc/nginx/conf.d/bigbluebutton_sip_addr_map.conf |
||||
content: | |
||||
map $remote_addr $freeswitch_addr { |
||||
"~:" [{{ ansible_default_ipv6.address }}]; |
||||
default {{ ansible_default_ipv4.address }}; |
||||
} |
||||
- name: update SIP config to support IPv6 (1) |
||||
replace: |
||||
path: /etc/bigbluebutton/nginx/sip.nginx |
||||
regexp: '^(\s*)proxy_pass https://(.*):7443;$' |
||||
replace: '\1proxy_pass https://$freeswitch_addr:7443;' |
||||
- name: update SIP config to support IPv6 (2) |
||||
replace: |
||||
path: /opt/freeswitch/etc/freeswitch/sip_profiles/external-ipv6.xml |
||||
regexp: '^(\s*)<!--\s*<param name="enable-3pcc" value="true"/>\s*-->$' |
||||
replace: '\1<param name="enable-3pcc" value="true"/>' |
||||
- name: increase file number limit for bbb-web |
||||
replace: |
||||
path: /lib/systemd/system/bbb-web.service |
||||
regexp: '^LimitNOFILE=\d+$' |
||||
replace: 'LimitNOFILE=8192' |
||||
notify: |
||||
- reload systemd |
||||
- name: disable recording |
||||
replace: |
||||
path: /usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties |
||||
regexp: '^{{ item.key }}=.*$' |
||||
replace: '{{ item.key }}={{ item.value }}' |
||||
with_dict: |
||||
disableRecordingDefault: 'true' |
||||
allowStartStopRecording: 'false' |
||||
- name: turn off certain sound effects |
||||
replace: |
||||
path: /opt/freeswitch/etc/freeswitch/autoload_configs/conference.conf.xml |
||||
regexp: '^(\s*){{ item }}$' |
||||
replace: '\1<!-- {{ item }} -->' |
||||
loop: |
||||
- '<param name="muted-sound" value="conference/conf-muted.wav"/>' |
||||
- '<param name="unmuted-sound" value="conference/conf-unmuted.wav"/>' |
||||
- '<param name="alone-sound" value="conference/conf-alone.wav"/>' |
||||
- name: skip echo test |
||||
replace: |
||||
path: /usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml |
||||
regexp: '^(\s*)skipCheck: false$' |
||||
replace: '\1skipCheck: true' |
||||
- name: increase maximum number of breakout rooms |
||||
replace: |
||||
path: /usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml |
||||
regexp: '^(\s*)breakoutRoomLimit: \d+$' |
||||
replace: '\1breakoutRoomLimit: 16' |
||||
- name: use custom STUN servers |
||||
copy: |
||||
src: '{{ playbook_dir }}/turn-stun-servers.xml' |
||||
dest: /usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml |
||||
- name: update FreeSWITCH to listen for connections on external IP (1) |
||||
replace: |
||||
path: /opt/freeswitch/conf/vars.xml |
||||
regexp: '^(\s*)<X-PRE-PROCESS cmd="set" data="external_{{ item }}_ip=.*"/>$' |
||||
replace: '\1<X-PRE-PROCESS cmd="set" data="external_{{ item }}_ip={{ ansible_default_ipv4.address }}"/>' |
||||
loop: |
||||
- 'rtp' |
||||
- 'sip' |
||||
- name: update FreeSWITCH to listen for connections on external IP (2) |
||||
replace: |
||||
path: /opt/freeswitch/conf/sip_profiles/external.xml |
||||
regexp: '^(\s*)<param name="ext-{{ item }}-ip" value=".*"/>$' |
||||
replace: '\1<param name="ext-{{ item }}-ip" value="$${external_{{ item }}_ip}"/>' |
||||
loop: |
||||
- 'rtp' |
||||
- 'sip' |
||||
- name: install bundler for greenlight |
||||
become: yes |
||||
become_user: greenlight |
||||
command: gem install --user-install bundler |
||||
args: |
||||
creates: '{{ bundle }}' |
||||
- name: configure NGINX to route to Greenlight |
||||
copy: |
||||
src: /opt/greenlight/greenlight.nginx |
||||
dest: /etc/bigbluebutton/nginx/greenlight.nginx |
||||
- name: create secret key for Rails |
||||
become: yes |
||||
become_user: greenlight |
||||
shell: '{{ bundle }} exec rake secret | tee /opt/greenlight/rake_secret' |
||||
args: |
||||
creates: /opt/greenlight/rake_secret |
||||
- name: obtain BBB API secret |
||||
shell: "bbb-conf --secret | grep -oP 'Secret: \\K[[:alnum:]]+'" |
||||
register: api_secret |
||||
- name: create .env file for greenlight |
||||
copy: |
||||
src: /opt/greenlight/sample.env |
||||
dest: /opt/greenlight/.env |
||||
force: no |
||||
owner: greenlight |
||||
group: greenlight |
||||
- name: update .env file for greenlight |
||||
replace: |
||||
path: /opt/greenlight/.env |
||||
regexp: '^{{ item.key }}=.*$' |
||||
replace: '{{ item.key }}={{ item.value }}' |
||||
with_dict: |
||||
SECRET_KEY_BASE: "{{ lookup('file', '/opt/greenlight/rake_secret') }}" |
||||
BIGBLUEBUTTON_ENDPOINT: 'https://{{ ansible_fqdn }}/bigbluebutton/' |
||||
BIGBLUEBUTTON_SECRET: '{{ api_secret.stdout }}' |
||||
SAFE_HOSTS: '{{ ansible_fqdn }}' |
||||
LDAP_SERVER: auth1.csclub.uwaterloo.ca |
||||
LDAP_PORT: '636' |
||||
LDAP_METHOD: 'ssl' |
||||
LDAP_UID: 'uid' |
||||
LDAP_BASE: 'dc=csclub,dc=uwaterloo,dc=ca' |
||||
LDAP_AUTH: 'user' |
||||
# make sure to create a role in Greenlight called "sysadmin" |
||||
LDAP_ROLE_FIELD: 'position' |
||||
ALLOW_GREENLIGHT_ACCOUNTS: 'false' |
||||
DEFAULT_REGISTRATION: open |
||||
ROOM_FEATURES: 'mute-on-join,require-moderator-approval' |
||||
DB_ADAPTER: postgresql |
||||
DB_HOST: coffee.csclub.uwaterloo.ca |
||||
DB_PORT: 5432 |
||||
DB_NAME: greenlight |
||||
DB_USERNAME: greenlight |
||||
- name: reminder for DB credentials |
||||
debug: |
||||
msg: >- |
||||
Make sure to create a database and user for greenlight and |
||||
update /opt/greenlight/.env with the Postgres credentials. |
||||
|
||||
handlers: |
||||
- name: reload systemd |
||||
command: systemctl daemon-reload |
@ -0,0 +1,78 @@ |
||||
<?xml version="1.0" encoding="UTF-8"?> |
||||
<!-- |
||||
|
||||
BigBlueButton open source conferencing system - http://www.bigbluebutton.org/ |
||||
|
||||
Copyright (c) 2012 BigBlueButton Inc. and by respective authors (see below). |
||||
|
||||
This program is free software; you can redistribute it and/or modify it under the |
||||
terms of the GNU Lesser General Public License as published by the Free Software |
||||
Foundation; either version 3.0 of the License, or (at your option) any later |
||||
version. |
||||
|
||||
BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY |
||||
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A |
||||
PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. |
||||
|
||||
You should have received a copy of the GNU Lesser General Public License along |
||||
with BigBlueButton; if not, see <http://www.gnu.org/licenses/>. |
||||
|
||||
--> |
||||
<beans xmlns="http://www.springframework.org/schema/beans" |
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" |
||||
xsi:schemaLocation="http://www.springframework.org/schema/beans |
||||
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd |
||||
"> |
||||
|
||||
<bean id="stun1" class="org.bigbluebutton.web.services.turn.StunServer"> |
||||
<constructor-arg index="0" value="stun:stun.l.google.com:19302"/> |
||||
</bean> |
||||
|
||||
<bean id="stun2" class="org.bigbluebutton.web.services.turn.StunServer"> |
||||
<constructor-arg index="0" value="stun:stun.freeswitch.org"/> |
||||
</bean> |
||||
|
||||
<!--bean id="iceCandidate1" class="org.bigbluebutton.web.services.turn.RemoteIceCandidate"> |
||||
<constructor-arg index="0" value="192.168.0.1"/> |
||||
</bean--> |
||||
|
||||
<!-- Turn servers are configured with a secret that's compatible with |
||||
http://tools.ietf.org/html/draft-uberti-behave-turn-rest-00 |
||||
as supported by the coturn and rfc5766-turn-server turn servers --> |
||||
|
||||
<!--bean id="turn1" class="org.bigbluebutton.web.services.turn.TurnServer"> |
||||
Secret: |
||||
<constructor-arg index="0" value="secret"/> |
||||
TURN server URL, use turn: or turns: |
||||
<constructor-arg index="1" value="turn:turn1.example.com"/> |
||||
TTL in seconds for shared secret |
||||
<constructor-arg index="2" value="86400"/> |
||||
</bean--> |
||||
|
||||
<!--bean id="turn2" class="org.bigbluebutton.web.services.turn.TurnServer"> |
||||
<constructor-arg index="0" value="secret"/> |
||||
<constructor-arg index="1" value="turns:turn2.example.com:443"/> |
||||
<constructor-arg index="2" value="86400"/> |
||||
</bean--> |
||||
|
||||
<bean id="stunTurnService" class="org.bigbluebutton.web.services.turn.StunTurnService"> |
||||
<property name="stunServers"> |
||||
<set> |
||||
<ref bean="stun1" /> |
||||
<!-- <ref bean="stun2" /> --> |
||||
</set> |
||||
</property> |
||||
<property name="turnServers"> |
||||
<set> |
||||
<!--ref bean="turn1" /--> |
||||
<!--ref bean="turn2" /--> |
||||
</set> |
||||
</property> |
||||
<property name="remoteIceCandidates"> |
||||
<set> |
||||
<!--ref bean="iceCandidate1" /--> |
||||
<!--ref bean="iceCandidate2" /--> |
||||
</set> |
||||
</property> |
||||
</bean> |
||||
</beans> |
Loading…
Reference in new issue