merenber
/
bbb-setup
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

initial commit

Browse Source
master
Max Erenberg 2 years ago committed by root
commit fe49830515
4 changed files with 500 additions and 0 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 66
      README.md
  2. 86
      bigbluebutton.nginx
  3. 270
      playbook.yml
  4. 78
      turn-stun-servers.xml

66
README.md
Unescape View File

@ -0,0 +1,66 @@
## Creating the database
On coffee, login as the `postgres` user, run `psql`, then run the following:
```sql
CREATE USER greenlight WITH PASSWORD 'replace_this_password';
CREATE DATABASE greenlight;
ALTER DATABASE greenlight OWNER TO greenlight;
```
## Running the playbook
Just the usual:
```
ansible-playbook playbook.yml
```
Once the playbook has finished, open `/opt/greenlight/.env` and set the
value of `DB_PASSWORD`.
Also, place copies of `csclub-wildcard-chain.crt` and `csclub-wildcard.key`
(the wildcard CSC SSL certificate and key, respectively) in the directory
`/etc/nginx/ssl`. The key file must have permissions 0600.
Then, restart BBB:
```sh
bbb-conf --restart
```
## Running as the greenlight user
Add the following lines to `/opt/greenlight/.profile`:
```
export PATH=$HOME/.gem/ruby/2.5.0/bin:$PATH
export $(grep -v '^#' ~/.env)
export RAILS_ENV=production
export BUNDLE_APP_CONFIG=~/.bundle
```
This will allow you to use the `bundle` command after running
`su - greenlight`, if you need to do so.
## Running Greenlight
Enable and run the systemd service:
```sh
systemctl enable greenlight
systemctl start greenlight
```
## Creating an administrator account
Theoretically, there is a [bundle command](https://docs.bigbluebutton.org/greenlight/gl-admin.html#creating-an-administrator-account)
which should be able to create an administrator account. However, when
I did this, I found that I was unable to login using the new admin
credentials. Might be because of LDAP. Here's my workaround:
1. Login once using your CSC credentials.
2. Log out.
3. On coffee, login as `postgres`, run `psql`, and run the following:
```sql
\c greenlight
UPDATE users SET role_id = 2 WHERE username = 'my_csc_username';
```
When you log back in, you should now be an admin.
## Greenlight customization
To ensure that future sysadmins automatically become Greenlight admins,
create a new role called "sysadmin" from the org settings in Greenlight.
To set a custom logo in the top left corner, go to 'Site Settings',
and replace the branding image URL. I'm using a small CSC logo hosted
on our git server in the csc-propaganda repo.

86
bigbluebutton.nginx
Unescape View File

@ -0,0 +1,86 @@
server {
listen 80;
listen [::]:80;
server_name bbb.csclub.uwaterloo.ca;
# Redirect all HTTP requests to HTTPS
return 301 https://$server_name$request_uri;
}
server {
server_name bbb.csclub.uwaterloo.ca;
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/nginx/ssl/csclub-wildcard-chain.crt;
ssl_certificate_key /etc/nginx/ssl/csclub-wildcard.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1.2;
ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256";
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dhp-4096.pem;
access_log /var/log/nginx/bigbluebutton.access.log;
# Handle RTMPT (RTMP Tunneling). Forwards requests
# to Red5 on port 5080
location ~ (/open/|/close/|/idle/|/send/|/fcs/) {
proxy_pass http://127.0.0.1:5080;
proxy_redirect off;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffering off;
keepalive_requests 1000000000;
}
# Handle desktop sharing tunneling. Forwards
# requests to Red5 on port 5080.
location /deskshare {
proxy_pass http://127.0.0.1:5080;
proxy_redirect default;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
include fastcgi_params;
}
# BigBlueButton landing page.
location / {
root /var/www/bigbluebutton-default;
index index.html index.htm;
expires 1m;
}
# Include specific rules for record and playback
include /etc/bigbluebutton/nginx/*.nginx;
#error_page 404 /404.html;
# Redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /var/www/nginx-default;
}
# Set Greenlight to be the default landing page
location = / {
return 307 /b;
}
}

270
playbook.yml
Unescape View File

@ -0,0 +1,270 @@
---
- hosts: 127.0.0.1
connection: local
vars:
bundle: /opt/greenlight/.gem/ruby/2.5.0/bin/bundle
tasks:
- name: add PPA for bigbluebutton support packages
apt_repository:
repo: ppa:bigbluebutton/support
- name: add PPA for yq
apt_repository:
repo: ppa:rmescandon/yq
- name: add PPA for libreoffice
apt_repository:
repo: ppa:libreoffice/ppa
- name: add GPG key for MongoDB
apt_key:
url: https://www.mongodb.org/static/pgp/server-3.4.asc
- name: add repo for MongoDB
apt_repository:
repo: "deb [arch=amd64] http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 multiverse"
filename: mongodb-org-3.4
- name: add GPG key for Nodesource
apt_key:
url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key
- name: add repo for Nodesource
apt_repository:
repo: deb https://deb.nodesource.com/node_8.x xenial main
filename: nodesource
- name: add GPG key for bigbluebutton
apt_key:
url: https://ubuntu.bigbluebutton.org/repo/bigbluebutton.asc
- name: add repo for bigbluebutton
apt_repository:
repo: deb https://ubuntu.bigbluebutton.org/xenial-22/ bigbluebutton-xenial main
filename: bigbluebutton
- name: add GPG key for Brightbox ruby-ng
apt_key:
keyserver: keyserver.ubuntu.com
id: 80F70E11F0F0D5F10CB20E62F5DA5F09C3173AA6
- name: add repo for Brightbox ruby-ng
apt_repository:
repo: deb http://ppa.launchpad.net/brightbox/ruby-ng/ubuntu xenial main
filename: brightbox.ruby-ng
- name: add GPG key for CSC
apt_key:
url: http://debian.csclub.uwaterloo.ca/csclub.asc
- name: add CSC Debian repo
apt_repository:
repo: deb http://debian.csclub.uwaterloo.ca xenial main
filename: csclub
- name: update apt cache
apt:
update_cache: true
- name: install apt-transport-https
apt:
name: apt-transport-https
state: latest
- name: install curl
apt:
name: curl
state: latest
- name: install MongoDB
apt:
name: mongodb-org
state: latest
- name: install nodejs
apt:
# consider apt pinning this to version 8
name: nodejs
state: latest
- name: install bigbluebutton
apt:
name: bigbluebutton
state: latest
- name: install bbb-html5
apt:
name: bbb-html5
state: latest
- name: install ruby2.5
apt:
name: ruby2.5
state: latest
- name: install greenlight
apt:
name: greenlight
state: latest
- name: set BBB hostname
# We should only need to do this once. Make sure to remove
# /tmp/bbb-setip-done if the FQDN changes for whatever reason.
shell: 'bbb-conf --setip {{ ansible_fqdn }} && touch /tmp/bbb-setip-done'
args:
creates: /tmp/bbb-setip-done
# Make sure to place the certificate and key in this directory,
# and run `chmod 0600` on the key
- name: create SSL directory
file:
path: /etc/nginx/ssl
state: directory
- name: create Diffie-Hellman params
command:
cmd: openssl dhparam -out /etc/nginx/ssl/dhp-4096.pem 4096
creates: /etc/nginx/ssl/dhp-4096.pem
- name: update NGINX config
copy:
src: '{{ playbook_dir }}/bigbluebutton.nginx'
dest: /etc/nginx/sites-available/bigbluebutton
- name: update SIP config to use HTTPS
replace:
path: /etc/bigbluebutton/nginx/sip.nginx
regexp: '^(\s*)proxy_pass http://(.*):5066;$'
replace: '\1proxy_pass https://\2:7443;'
- name: configure BBB to load session via HTTPS (1)
replace:
path: /usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties
regexp: 'http://'
replace: 'https://'
- name: configure BBB to load session via HTTPS (2)
replace:
path: /usr/share/red5/webapps/screenshare/WEB-INF/screenshare.properties
regexp: 'http://'
replace: 'https://'
- name: configure BBB to load session via HTTPS (3)
replace:
path: /usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml
regexp: 'ws://'
replace: 'wss://'
- name: configure BBB to load session via HTTPS (4)
replace:
path: /usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml
regexp: 'http://'
replace: 'https://'
- name: configure BBB to load session via HTTPS (5)
replace:
path: /usr/local/bigbluebutton/core/scripts/bigbluebutton.yml
regexp: '^playback_protocol: http$'
replace: 'playback_protocol: https'
- name: configure BBB to support IPv6
copy:
dest: /etc/nginx/conf.d/bigbluebutton_sip_addr_map.conf
content: |
map $remote_addr $freeswitch_addr {
"~:" [{{ ansible_default_ipv6.address }}];
default {{ ansible_default_ipv4.address }};
}
- name: update SIP config to support IPv6 (1)
replace:
path: /etc/bigbluebutton/nginx/sip.nginx
regexp: '^(\s*)proxy_pass https://(.*):7443;$'
replace: '\1proxy_pass https://$freeswitch_addr:7443;'
- name: update SIP config to support IPv6 (2)
replace:
path: /opt/freeswitch/etc/freeswitch/sip_profiles/external-ipv6.xml
regexp: '^(\s*)<!--\s*<param name="enable-3pcc" value="true"/>\s*-->$'
replace: '\1<param name="enable-3pcc" value="true"/>'
- name: increase file number limit for bbb-web
replace:
path: /lib/systemd/system/bbb-web.service
regexp: '^LimitNOFILE=\d+$'
replace: 'LimitNOFILE=8192'
notify:
- reload systemd
- name: disable recording
replace:
path: /usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties
regexp: '^{{ item.key }}=.*$'
replace: '{{ item.key }}={{ item.value }}'
with_dict:
disableRecordingDefault: 'true'
allowStartStopRecording: 'false'
- name: turn off certain sound effects
replace:
path: /opt/freeswitch/etc/freeswitch/autoload_configs/conference.conf.xml
regexp: '^(\s*){{ item }}$'
replace: '\1<!-- {{ item }} -->'
loop:
- '<param name="muted-sound" value="conference/conf-muted.wav"/>'
- '<param name="unmuted-sound" value="conference/conf-unmuted.wav"/>'
- '<param name="alone-sound" value="conference/conf-alone.wav"/>'
- name: skip echo test
replace:
path: /usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml
regexp: '^(\s*)skipCheck: false$'
replace: '\1skipCheck: true'
- name: increase maximum number of breakout rooms
replace:
path: /usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml
regexp: '^(\s*)breakoutRoomLimit: \d+$'
replace: '\1breakoutRoomLimit: 16'
- name: use custom STUN servers
copy:
src: '{{ playbook_dir }}/turn-stun-servers.xml'
dest: /usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml
- name: update FreeSWITCH to listen for connections on external IP (1)
replace:
path: /opt/freeswitch/conf/vars.xml
regexp: '^(\s*)<X-PRE-PROCESS cmd="set" data="external_{{ item }}_ip=.*"/>$'
replace: '\1<X-PRE-PROCESS cmd="set" data="external_{{ item }}_ip={{ ansible_default_ipv4.address }}"/>'
loop:
- 'rtp'
- 'sip'
- name: update FreeSWITCH to listen for connections on external IP (2)
replace:
path: /opt/freeswitch/conf/sip_profiles/external.xml
regexp: '^(\s*)<param name="ext-{{ item }}-ip" value=".*"/>$'
replace: '\1<param name="ext-{{ item }}-ip" value="$${external_{{ item }}_ip}"/>'
loop:
- 'rtp'
- 'sip'
- name: install bundler for greenlight
become: yes
become_user: greenlight
command: gem install --user-install bundler
args:
creates: '{{ bundle }}'
- name: configure NGINX to route to Greenlight
copy:
src: /opt/greenlight/greenlight.nginx
dest: /etc/bigbluebutton/nginx/greenlight.nginx
- name: create secret key for Rails
become: yes
become_user: greenlight
shell: '{{ bundle }} exec rake secret | tee /opt/greenlight/rake_secret'
args:
creates: /opt/greenlight/rake_secret
- name: obtain BBB API secret
shell: "bbb-conf --secret | grep -oP 'Secret: \\K[[:alnum:]]+'"
register: api_secret
- name: create .env file for greenlight
copy:
src: /opt/greenlight/sample.env
dest: /opt/greenlight/.env
force: no
owner: greenlight
group: greenlight
- name: update .env file for greenlight
replace:
path: /opt/greenlight/.env
regexp: '^{{ item.key }}=.*$'
replace: '{{ item.key }}={{ item.value }}'
with_dict:
SECRET_KEY_BASE: "{{ lookup('file', '/opt/greenlight/rake_secret') }}"
BIGBLUEBUTTON_ENDPOINT: 'https://{{ ansible_fqdn }}/bigbluebutton/'
BIGBLUEBUTTON_SECRET: '{{ api_secret.stdout }}'
SAFE_HOSTS: '{{ ansible_fqdn }}'
LDAP_SERVER: auth1.csclub.uwaterloo.ca
LDAP_PORT: '636'
LDAP_METHOD: 'ssl'
LDAP_UID: 'uid'
LDAP_BASE: 'dc=csclub,dc=uwaterloo,dc=ca'
LDAP_AUTH: 'user'
# make sure to create a role in Greenlight called "sysadmin"
LDAP_ROLE_FIELD: 'position'
ALLOW_GREENLIGHT_ACCOUNTS: 'false'
DEFAULT_REGISTRATION: open
ROOM_FEATURES: 'mute-on-join,require-moderator-approval'
DB_ADAPTER: postgresql
DB_HOST: coffee.csclub.uwaterloo.ca
DB_PORT: 5432
DB_NAME: greenlight
DB_USERNAME: greenlight
- name: reminder for DB credentials
debug:
msg: >-
Make sure to create a database and user for greenlight and
update /opt/greenlight/.env with the Postgres credentials.
handlers:
- name: reload systemd
command: systemctl daemon-reload

78
turn-stun-servers.xml
Unescape View File

@ -0,0 +1,78 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
BigBlueButton open source conferencing system - http://www.bigbluebutton.org/
Copyright (c) 2012 BigBlueButton Inc. and by respective authors (see below).
This program is free software; you can redistribute it and/or modify it under the
terms of the GNU Lesser General Public License as published by the Free Software
Foundation; either version 3.0 of the License, or (at your option) any later
version.
BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License along
with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
">
<bean id="stun1" class="org.bigbluebutton.web.services.turn.StunServer">
<constructor-arg index="0" value="stun:stun.l.google.com:19302"/>
</bean>
<bean id="stun2" class="org.bigbluebutton.web.services.turn.StunServer">
<constructor-arg index="0" value="stun:stun.freeswitch.org"/>
</bean>
<!--bean id="iceCandidate1" class="org.bigbluebutton.web.services.turn.RemoteIceCandidate">
<constructor-arg index="0" value="192.168.0.1"/>
</bean-->
<!-- Turn servers are configured with a secret that's compatible with
http://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
as supported by the coturn and rfc5766-turn-server turn servers -->
<!--bean id="turn1" class="org.bigbluebutton.web.services.turn.TurnServer">
Secret:
<constructor-arg index="0" value="secret"/>
TURN server URL, use turn: or turns:
<constructor-arg index="1" value="turn:turn1.example.com"/>
TTL in seconds for shared secret
<constructor-arg index="2" value="86400"/>
</bean-->
<!--bean id="turn2" class="org.bigbluebutton.web.services.turn.TurnServer">
<constructor-arg index="0" value="secret"/>
<constructor-arg index="1" value="turns:turn2.example.com:443"/>
<constructor-arg index="2" value="86400"/>
</bean-->
<bean id="stunTurnService" class="org.bigbluebutton.web.services.turn.StunTurnService">
<property name="stunServers">
<set>
<ref bean="stun1" />
<!-- <ref bean="stun2" /> -->
</set>
</property>
<property name="turnServers">
<set>
<!--ref bean="turn1" /-->
<!--ref bean="turn2" /-->
</set>
</property>
<property name="remoteIceCandidates">
<set>
<!--ref bean="iceCandidate1" /-->
<!--ref bean="iceCandidate2" /-->
</set>
</property>
</bean>
</beans>
Write Preview
Loading…
Cancel
Save