initial commit

master
Max Erenberg 2 years ago committed by root
commit fe49830515
  1. 66
      README.md
  2. 86
      bigbluebutton.nginx
  3. 270
      playbook.yml
  4. 78
      turn-stun-servers.xml

@ -0,0 +1,66 @@
## Creating the database
On coffee, login as the `postgres` user, run `psql`, then run the following:
```sql
CREATE USER greenlight WITH PASSWORD 'replace_this_password';
CREATE DATABASE greenlight;
ALTER DATABASE greenlight OWNER TO greenlight;
```
## Running the playbook
Just the usual:
```
ansible-playbook playbook.yml
```
Once the playbook has finished, open `/opt/greenlight/.env` and set the
value of `DB_PASSWORD`.
Also, place copies of `csclub-wildcard-chain.crt` and `csclub-wildcard.key`
(the wildcard CSC SSL certificate and key, respectively) in the directory
`/etc/nginx/ssl`. The key file must have permissions 0600.
Then, restart BBB:
```sh
bbb-conf --restart
```
## Running as the greenlight user
Add the following lines to `/opt/greenlight/.profile`:
```
export PATH=$HOME/.gem/ruby/2.5.0/bin:$PATH
export $(grep -v '^#' ~/.env)
export RAILS_ENV=production
export BUNDLE_APP_CONFIG=~/.bundle
```
This will allow you to use the `bundle` command after running
`su - greenlight`, if you need to do so.
## Running Greenlight
Enable and run the systemd service:
```sh
systemctl enable greenlight
systemctl start greenlight
```
## Creating an administrator account
Theoretically, there is a [bundle command](https://docs.bigbluebutton.org/greenlight/gl-admin.html#creating-an-administrator-account)
which should be able to create an administrator account. However, when
I did this, I found that I was unable to login using the new admin
credentials. Might be because of LDAP. Here's my workaround:
1. Login once using your CSC credentials.
2. Log out.
3. On coffee, login as `postgres`, run `psql`, and run the following:
```sql
\c greenlight
UPDATE users SET role_id = 2 WHERE username = 'my_csc_username';
```
When you log back in, you should now be an admin.
## Greenlight customization
To ensure that future sysadmins automatically become Greenlight admins,
create a new role called "sysadmin" from the org settings in Greenlight.
To set a custom logo in the top left corner, go to 'Site Settings',
and replace the branding image URL. I'm using a small CSC logo hosted
on our git server in the csc-propaganda repo.

@ -0,0 +1,86 @@
server {
listen 80;
listen [::]:80;
server_name bbb.csclub.uwaterloo.ca;
# Redirect all HTTP requests to HTTPS
return 301 https://$server_name$request_uri;
}
server {
server_name bbb.csclub.uwaterloo.ca;
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/nginx/ssl/csclub-wildcard-chain.crt;
ssl_certificate_key /etc/nginx/ssl/csclub-wildcard.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1.2;
ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256";
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dhp-4096.pem;
access_log /var/log/nginx/bigbluebutton.access.log;
# Handle RTMPT (RTMP Tunneling). Forwards requests
# to Red5 on port 5080
location ~ (/open/|/close/|/idle/|/send/|/fcs/) {
proxy_pass http://127.0.0.1:5080;
proxy_redirect off;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffering off;
keepalive_requests 1000000000;
}
# Handle desktop sharing tunneling. Forwards
# requests to Red5 on port 5080.
location /deskshare {
proxy_pass http://127.0.0.1:5080;
proxy_redirect default;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
include fastcgi_params;
}
# BigBlueButton landing page.
location / {
root /var/www/bigbluebutton-default;
index index.html index.htm;
expires 1m;
}
# Include specific rules for record and playback
include /etc/bigbluebutton/nginx/*.nginx;
#error_page 404 /404.html;
# Redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /var/www/nginx-default;
}
# Set Greenlight to be the default landing page
location = / {
return 307 /b;
}
}

@ -0,0 +1,270 @@
---
- hosts: 127.0.0.1
connection: local
vars:
bundle: /opt/greenlight/.gem/ruby/2.5.0/bin/bundle
tasks:
- name: add PPA for bigbluebutton support packages
apt_repository:
repo: ppa:bigbluebutton/support
- name: add PPA for yq
apt_repository:
repo: ppa:rmescandon/yq
- name: add PPA for libreoffice
apt_repository:
repo: ppa:libreoffice/ppa
- name: add GPG key for MongoDB
apt_key:
url: https://www.mongodb.org/static/pgp/server-3.4.asc
- name: add repo for MongoDB
apt_repository:
repo: "deb [arch=amd64] http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 multiverse"
filename: mongodb-org-3.4
- name: add GPG key for Nodesource
apt_key:
url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key
- name: add repo for Nodesource
apt_repository:
repo: deb https://deb.nodesource.com/node_8.x xenial main
filename: nodesource
- name: add GPG key for bigbluebutton
apt_key:
url: https://ubuntu.bigbluebutton.org/repo/bigbluebutton.asc
- name: add repo for bigbluebutton
apt_repository:
repo: deb https://ubuntu.bigbluebutton.org/xenial-22/ bigbluebutton-xenial main
filename: bigbluebutton
- name: add GPG key for Brightbox ruby-ng
apt_key:
keyserver: keyserver.ubuntu.com
id: 80F70E11F0F0D5F10CB20E62F5DA5F09C3173AA6
- name: add repo for Brightbox ruby-ng
apt_repository:
repo: deb http://ppa.launchpad.net/brightbox/ruby-ng/ubuntu xenial main
filename: brightbox.ruby-ng
- name: add GPG key for CSC
apt_key:
url: http://debian.csclub.uwaterloo.ca/csclub.asc
- name: add CSC Debian repo
apt_repository:
repo: deb http://debian.csclub.uwaterloo.ca xenial main
filename: csclub
- name: update apt cache
apt:
update_cache: true
- name: install apt-transport-https
apt:
name: apt-transport-https
state: latest
- name: install curl
apt:
name: curl
state: latest
- name: install MongoDB
apt:
name: mongodb-org
state: latest
- name: install nodejs
apt:
# consider apt pinning this to version 8
name: nodejs
state: latest
- name: install bigbluebutton
apt:
name: bigbluebutton
state: latest
- name: install bbb-html5
apt:
name: bbb-html5
state: latest
- name: install ruby2.5
apt:
name: ruby2.5
state: latest
- name: install greenlight
apt:
name: greenlight
state: latest
- name: set BBB hostname
# We should only need to do this once. Make sure to remove
# /tmp/bbb-setip-done if the FQDN changes for whatever reason.
shell: 'bbb-conf --setip {{ ansible_fqdn }} && touch /tmp/bbb-setip-done'
args:
creates: /tmp/bbb-setip-done
# Make sure to place the certificate and key in this directory,
# and run `chmod 0600` on the key
- name: create SSL directory
file:
path: /etc/nginx/ssl
state: directory
- name: create Diffie-Hellman params
command:
cmd: openssl dhparam -out /etc/nginx/ssl/dhp-4096.pem 4096
creates: /etc/nginx/ssl/dhp-4096.pem
- name: update NGINX config
copy:
src: '{{ playbook_dir }}/bigbluebutton.nginx'
dest: /etc/nginx/sites-available/bigbluebutton
- name: update SIP config to use HTTPS
replace:
path: /etc/bigbluebutton/nginx/sip.nginx
regexp: '^(\s*)proxy_pass http://(.*):5066;$'
replace: '\1proxy_pass https://\2:7443;'
- name: configure BBB to load session via HTTPS (1)
replace:
path: /usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties
regexp: 'http://'
replace: 'https://'
- name: configure BBB to load session via HTTPS (2)
replace:
path: /usr/share/red5/webapps/screenshare/WEB-INF/screenshare.properties
regexp: 'http://'
replace: 'https://'
- name: configure BBB to load session via HTTPS (3)
replace:
path: /usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml
regexp: 'ws://'
replace: 'wss://'
- name: configure BBB to load session via HTTPS (4)
replace:
path: /usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml
regexp: 'http://'
replace: 'https://'
- name: configure BBB to load session via HTTPS (5)
replace:
path: /usr/local/bigbluebutton/core/scripts/bigbluebutton.yml
regexp: '^playback_protocol: http$'
replace: 'playback_protocol: https'
- name: configure BBB to support IPv6
copy:
dest: /etc/nginx/conf.d/bigbluebutton_sip_addr_map.conf
content: |
map $remote_addr $freeswitch_addr {
"~:" [{{ ansible_default_ipv6.address }}];
default {{ ansible_default_ipv4.address }};
}
- name: update SIP config to support IPv6 (1)
replace:
path: /etc/bigbluebutton/nginx/sip.nginx
regexp: '^(\s*)proxy_pass https://(.*):7443;$'
replace: '\1proxy_pass https://$freeswitch_addr:7443;'
- name: update SIP config to support IPv6 (2)
replace:
path: /opt/freeswitch/etc/freeswitch/sip_profiles/external-ipv6.xml
regexp: '^(\s*)<!--\s*<param name="enable-3pcc" value="true"/>\s*-->$'
replace: '\1<param name="enable-3pcc" value="true"/>'
- name: increase file number limit for bbb-web
replace:
path: /lib/systemd/system/bbb-web.service
regexp: '^LimitNOFILE=\d+$'
replace: 'LimitNOFILE=8192'
notify:
- reload systemd
- name: disable recording
replace:
path: /usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties
regexp: '^{{ item.key }}=.*$'
replace: '{{ item.key }}={{ item.value }}'
with_dict:
disableRecordingDefault: 'true'
allowStartStopRecording: 'false'
- name: turn off certain sound effects
replace:
path: /opt/freeswitch/etc/freeswitch/autoload_configs/conference.conf.xml
regexp: '^(\s*){{ item }}$'
replace: '\1<!-- {{ item }} -->'
loop:
- '<param name="muted-sound" value="conference/conf-muted.wav"/>'
- '<param name="unmuted-sound" value="conference/conf-unmuted.wav"/>'
- '<param name="alone-sound" value="conference/conf-alone.wav"/>'
- name: skip echo test
replace:
path: /usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml
regexp: '^(\s*)skipCheck: false$'
replace: '\1skipCheck: true'
- name: increase maximum number of breakout rooms
replace:
path: /usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml
regexp: '^(\s*)breakoutRoomLimit: \d+$'
replace: '\1breakoutRoomLimit: 16'
- name: use custom STUN servers
copy:
src: '{{ playbook_dir }}/turn-stun-servers.xml'
dest: /usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml
- name: update FreeSWITCH to listen for connections on external IP (1)
replace:
path: /opt/freeswitch/conf/vars.xml
regexp: '^(\s*)<X-PRE-PROCESS cmd="set" data="external_{{ item }}_ip=.*"/>$'
replace: '\1<X-PRE-PROCESS cmd="set" data="external_{{ item }}_ip={{ ansible_default_ipv4.address }}"/>'
loop:
- 'rtp'
- 'sip'
- name: update FreeSWITCH to listen for connections on external IP (2)
replace:
path: /opt/freeswitch/conf/sip_profiles/external.xml
regexp: '^(\s*)<param name="ext-{{ item }}-ip" value=".*"/>$'
replace: '\1<param name="ext-{{ item }}-ip" value="$${external_{{ item }}_ip}"/>'
loop:
- 'rtp'
- 'sip'
- name: install bundler for greenlight
become: yes
become_user: greenlight
command: gem install --user-install bundler
args:
creates: '{{ bundle }}'
- name: configure NGINX to route to Greenlight
copy:
src: /opt/greenlight/greenlight.nginx
dest: /etc/bigbluebutton/nginx/greenlight.nginx
- name: create secret key for Rails
become: yes
become_user: greenlight
shell: '{{ bundle }} exec rake secret | tee /opt/greenlight/rake_secret'
args:
creates: /opt/greenlight/rake_secret
- name: obtain BBB API secret
shell: "bbb-conf --secret | grep -oP 'Secret: \\K[[:alnum:]]+'"
register: api_secret
- name: create .env file for greenlight
copy:
src: /opt/greenlight/sample.env
dest: /opt/greenlight/.env
force: no
owner: greenlight
group: greenlight
- name: update .env file for greenlight
replace:
path: /opt/greenlight/.env
regexp: '^{{ item.key }}=.*$'
replace: '{{ item.key }}={{ item.value }}'
with_dict:
SECRET_KEY_BASE: "{{ lookup('file', '/opt/greenlight/rake_secret') }}"
BIGBLUEBUTTON_ENDPOINT: 'https://{{ ansible_fqdn }}/bigbluebutton/'
BIGBLUEBUTTON_SECRET: '{{ api_secret.stdout }}'
SAFE_HOSTS: '{{ ansible_fqdn }}'
LDAP_SERVER: auth1.csclub.uwaterloo.ca
LDAP_PORT: '636'
LDAP_METHOD: 'ssl'
LDAP_UID: 'uid'
LDAP_BASE: 'dc=csclub,dc=uwaterloo,dc=ca'
LDAP_AUTH: 'user'
# make sure to create a role in Greenlight called "sysadmin"
LDAP_ROLE_FIELD: 'position'
ALLOW_GREENLIGHT_ACCOUNTS: 'false'
DEFAULT_REGISTRATION: open
ROOM_FEATURES: 'mute-on-join,require-moderator-approval'
DB_ADAPTER: postgresql
DB_HOST: coffee.csclub.uwaterloo.ca
DB_PORT: 5432
DB_NAME: greenlight
DB_USERNAME: greenlight
- name: reminder for DB credentials
debug:
msg: >-
Make sure to create a database and user for greenlight and
update /opt/greenlight/.env with the Postgres credentials.
handlers:
- name: reload systemd
command: systemctl daemon-reload

@ -0,0 +1,78 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
BigBlueButton open source conferencing system - http://www.bigbluebutton.org/
Copyright (c) 2012 BigBlueButton Inc. and by respective authors (see below).
This program is free software; you can redistribute it and/or modify it under the
terms of the GNU Lesser General Public License as published by the Free Software
Foundation; either version 3.0 of the License, or (at your option) any later
version.
BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License along
with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
">
<bean id="stun1" class="org.bigbluebutton.web.services.turn.StunServer">
<constructor-arg index="0" value="stun:stun.l.google.com:19302"/>
</bean>
<bean id="stun2" class="org.bigbluebutton.web.services.turn.StunServer">
<constructor-arg index="0" value="stun:stun.freeswitch.org"/>
</bean>
<!--bean id="iceCandidate1" class="org.bigbluebutton.web.services.turn.RemoteIceCandidate">
<constructor-arg index="0" value="192.168.0.1"/>
</bean-->
<!-- Turn servers are configured with a secret that's compatible with
http://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
as supported by the coturn and rfc5766-turn-server turn servers -->
<!--bean id="turn1" class="org.bigbluebutton.web.services.turn.TurnServer">
Secret:
<constructor-arg index="0" value="secret"/>
TURN server URL, use turn: or turns:
<constructor-arg index="1" value="turn:turn1.example.com"/>
TTL in seconds for shared secret
<constructor-arg index="2" value="86400"/>
</bean-->
<!--bean id="turn2" class="org.bigbluebutton.web.services.turn.TurnServer">
<constructor-arg index="0" value="secret"/>
<constructor-arg index="1" value="turns:turn2.example.com:443"/>
<constructor-arg index="2" value="86400"/>
</bean-->
<bean id="stunTurnService" class="org.bigbluebutton.web.services.turn.StunTurnService">
<property name="stunServers">
<set>
<ref bean="stun1" />
<!-- <ref bean="stun2" /> -->
</set>
</property>
<property name="turnServers">
<set>
<!--ref bean="turn1" /-->
<!--ref bean="turn2" /-->
</set>
</property>
<property name="remoteIceCandidates">
<set>
<!--ref bean="iceCandidate1" /-->
<!--ref bean="iceCandidate2" /-->
</set>
</property>
</bean>
</beans>
Loading…
Cancel
Save