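---
# Ansible playbook: installs and configures BigBlueButton plus Greenlight on
# the machine it runs on (Ubuntu bionic). The play targets 127.0.0.1 with a
# local connection, so every `lookup('file', ...)` below reads the same
# filesystem the tasks write to.
- hosts: 127.0.0.1
  connection: local
  vars:
    ruby_version: '2.7.0'
    gem: gem2.7
    bundle: "/opt/greenlight/.gem/ruby/{{ ruby_version }}/bin/bundle"
  tasks:
    - name: install prerequisites
      apt:
        name:
          - software-properties-common
          - apt-transport-https
          - sudo
          - net-tools
          - openjdk-8-jre
          - curl
          - wget
          - gpg-agent
          - dirmngr
    - name: update-java-alternatives
      # Selecting the default JRE has the same effect every run; report it as
      # unchanged so the play does not show a spurious change each time.
      command: update-java-alternatives -s java-1.8.0-openjdk-amd64
      changed_when: false
    - name: add PPA for bigbluebutton support packages
      apt_repository:
        repo: ppa:bigbluebutton/support
    - name: add PPA for yq
      apt_repository:
        repo: ppa:rmescandon/yq
    - name: add PPA for libreoffice
      apt_repository:
        repo: ppa:libreoffice/ppa
    - name: add GPG key for MongoDB
      apt_key:
        url: https://www.mongodb.org/static/pgp/server-4.2.asc
    - name: add repo for MongoDB
      apt_repository:
        repo: "deb [arch=amd64] http://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.2 multiverse"
        filename: mongodb-org-4.2
    - name: add GPG key for Nodesource
      apt_key:
        url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key
    - name: add repo for Nodesource
      apt_repository:
        repo: deb https://deb.nodesource.com/node_14.x bionic main
        filename: nodesource
    - name: add GPG key for bigbluebutton
      apt_key:
        url: https://ubuntu.bigbluebutton.org/repo/bigbluebutton.asc
    - name: add repo for bigbluebutton
      apt_repository:
        repo: deb https://ubuntu.bigbluebutton.org/bionic-23/ bigbluebutton-bionic main
        filename: bigbluebutton
    - name: add repo for Brightbox ruby-ng
      apt_repository:
        repo: ppa:brightbox/ruby-ng
    - name: add GPG key for CSC
      # NOTE(review): this repository signing key is fetched over plain HTTP,
      # so its integrity depends entirely on the network path. Prefer an HTTPS
      # URL if the mirror offers one, or ship the key file with the playbook
      # and pass it via `file:` instead of `url:`.
      apt_key:
        url: http://debian.csclub.uwaterloo.ca/csclub.asc
    - name: add CSC Debian repo
      apt_repository:
        repo: deb http://debian.csclub.uwaterloo.ca bionic main
        filename: csclub
    - name: update apt cache
      apt:
        update_cache: true
    - name: install packages
      apt:
        name:
          - mongodb-org
          - nodejs
          - bigbluebutton
          - bbb-html5
          - greenlight
    - name: set BBB hostname
      # We should only need to do this once. Make sure to remove
      # /tmp/bbb-setip-done if the FQDN changes for whatever reason.
      # NOTE(review): the marker lives in /tmp, which is world-writable and
      # usually cleared on reboot; a root-owned location under /var/lib would
      # make the "already done" check more trustworthy.
      shell: 'bbb-conf --setip {{ ansible_fqdn }} && touch /tmp/bbb-setip-done'
      args:
        creates: /tmp/bbb-setip-done
    - name: disable CPUSchedulingPolicy for Freeswitch
      replace:
        path: /lib/systemd/system/freeswitch.service
        regexp: "^CPUSchedulingPolicy=rr"
        replace: "#CPUSchedulingPolicy=rr"
      notify: reload systemd
    - name: disable IOSchedulingClass for Freeswitch
      replace:
        path: /lib/systemd/system/freeswitch.service
        regexp: "^IOSchedulingClass=realtime"
        replace: "#IOSchedulingClass=realtime"
      notify: reload systemd
    - name: disable CPUSchedulingPolicy for bbb-html5
      replace:
        path: /usr/lib/systemd/system/bbb-html5-backend@.service
        regexp: "^CPUSchedulingPolicy=fifo"
        replace: "#CPUSchedulingPolicy=fifo"
      notify: reload systemd
    # Make sure to place the certificate and key in this directory,
    # and run `chmod 0600` on the key
    - name: create SSL directory
      file:
        path: /etc/nginx/ssl
        state: directory
    - name: create Diffie-Hellman params
      # Generating 4096-bit DH parameters can take many minutes; `creates`
      # keeps this to a one-time cost.
      command:
        cmd: openssl dhparam -out /etc/nginx/ssl/dhp-4096.pem 4096
        creates: /etc/nginx/ssl/dhp-4096.pem
    - name: update NGINX config
      copy:
        src: '{{ playbook_dir }}/bigbluebutton.nginx'
        dest: /etc/nginx/sites-available/bigbluebutton
    - name: update SIP config to use HTTPS
      replace:
        path: /etc/bigbluebutton/nginx/sip.nginx
        regexp: '^(\s*)proxy_pass http://(.*):5066;$'
        replace: '\1proxy_pass https://\2:7443;'
    - name: configure BBB to load session via HTTPS (1)
      replace:
        path: /usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties
        regexp: 'http://'
        replace: 'https://'
    #- name: configure BBB to load session via HTTPS (2)
    #  replace:
    #    path: /usr/share/red5/webapps/screenshare/WEB-INF/screenshare.properties
    #    regexp: 'http://'
    #    replace: 'https://'
    - name: configure BBB to load session via HTTPS (3)
      replace:
        path: /usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml
        regexp: 'ws://'
        replace: 'wss://'
    - name: configure BBB to load session via HTTPS (4)
      replace:
        path: /usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml
        regexp: 'http://'
        replace: 'https://'
    - name: configure BBB to load session via HTTPS (5)
      replace:
        path: /usr/local/bigbluebutton/core/scripts/bigbluebutton.yml
        regexp: '^playback_protocol: http$'
        replace: 'playback_protocol: https'
    - name: configure BBB to support IPv6
      # NOTE(review): this template fails with an undefined variable when the
      # host has no default IPv6 address -- confirm that is the intended
      # behaviour on IPv4-only machines.
      copy:
        dest: /etc/nginx/conf.d/bigbluebutton_sip_addr_map.conf
        content: |
          map $remote_addr $freeswitch_addr {
            "~:" [{{ ansible_default_ipv6.address }}];
            default {{ ansible_default_ipv4.address }};
          }
    - name: update SIP config to support IPv6 (1)
      # Relies on the "update SIP config to use HTTPS" task above having
      # already rewritten the proxy_pass line to https://...:7443.
      replace:
        path: /etc/bigbluebutton/nginx/sip.nginx
        regexp: '^(\s*)proxy_pass https://(.*):7443;$'
        replace: '\1proxy_pass https://$freeswitch_addr:7443;'
    - name: update SIP config to support IPv6 (2)
      # NOTE(review): in this copy of the playbook the regexp below contains
      # nothing but the indent capture, so it only rewrites blank lines; the
      # XML element it was meant to match appears to have been lost when the
      # file was copied. Restore the intended pattern before relying on it.
      # The same applies to "turn off certain sound effects" (empty loop
      # items) and both "update FreeSWITCH to listen for connections on
      # external IP" tasks (loop items that the regexp never references).
      replace:
        path: /opt/freeswitch/etc/freeswitch/sip_profiles/external-ipv6.xml
        regexp: '^(\s*)$'
        replace: '\1'
    - name: increase file number limit for bbb-web
      replace:
        path: /lib/systemd/system/bbb-web.service
        regexp: '^LimitNOFILE=\d+$'
        replace: 'LimitNOFILE=8192'
      notify:
        - reload systemd
    - name: disable recording
      replace:
        path: /usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties
        regexp: '^{{ item.key }}=.*$'
        replace: '{{ item.key }}={{ item.value }}'
      with_dict:
        disableRecordingDefault: 'true'
        allowStartStopRecording: 'false'
    - name: turn off certain sound effects
      replace:
        path: /opt/freeswitch/etc/freeswitch/autoload_configs/conference.conf.xml
        regexp: '^(\s*){{ item }}$'
        replace: '\1'
      loop:
        - ''
        - ''
        - ''
    - name: skip echo test
      replace:
        path: /usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml
        regexp: '^(\s*)skipCheck: false$'
        replace: '\1skipCheck: true'
    - name: increase maximum number of breakout rooms
      replace:
        path: /usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml
        regexp: '^(\s*)breakoutRoomLimit: \d+$'
        replace: '\1breakoutRoomLimit: 32'
    - name: use custom STUN servers
      copy:
        src: '{{ playbook_dir }}/turn-stun-servers.xml'
        dest: /etc/bigbluebutton/turn-stun-servers.xml
    - name: update FreeSWITCH to listen for connections on external IP (1)
      replace:
        path: /opt/freeswitch/conf/vars.xml
        regexp: '^(\s*)$'
        replace: '\1'
      loop:
        - 'rtp'
        - 'sip'
    - name: update FreeSWITCH to listen for connections on external IP (2)
      replace:
        path: /opt/freeswitch/conf/sip_profiles/external.xml
        regexp: '^(\s*)$'
        replace: '\1'
      loop:
        - 'rtp'
        - 'sip'
    - name: install bundler for greenlight
      become: true
      become_user: greenlight
      command: '{{ gem }} install --user-install bundler'
      args:
        creates: '{{ bundle }}'
    - name: configure NGINX to route to Greenlight
      copy:
        src: /opt/greenlight/greenlight.nginx
        dest: /etc/bigbluebutton/nginx/greenlight.nginx
    - name: create secret key for Rails
      # The generated value is read back into SECRET_KEY_BASE below. `tee`
      # echoes it to stdout, so keep the task output out of the logs.
      become: true
      become_user: greenlight
      shell: '{{ bundle }} exec rake secret | tee /opt/greenlight/rake_secret'
      args:
        creates: /opt/greenlight/rake_secret
      no_log: true
    - name: restrict permissions on the Rails secret
      # `tee` creates the file with the caller's umask; the secret only needs
      # to be readable by its owner (greenlight) and root.
      file:
        path: /opt/greenlight/rake_secret
        owner: greenlight
        group: greenlight
        mode: '0600'
    - name: assert rake secret was created
      # lookup() runs on the controller; this is correct here only because
      # the play targets localhost with connection: local.
      assert:
        that:
          - lookup('file', '/opt/greenlight/rake_secret') != ''
    - name: obtain BBB API secret
      # Read-only query; the secret is registered for the .env update below
      # and must not be echoed into the play output.
      shell: "bbb-conf --secret | grep -oP 'Secret: \\K[[:alnum:]]+'"
      register: api_secret
      changed_when: false
      no_log: true
    - name: create .env file for greenlight
      # force: false keeps an existing .env (and any manual edits) intact;
      # the file holds secrets, so it is owner-readable only.
      copy:
        src: /opt/greenlight/sample.env
        dest: /opt/greenlight/.env
        force: false
        owner: greenlight
        group: greenlight
        mode: '0600'
    - name: update .env file for greenlight
      # `replace` only rewrites keys that already appear in the file; a key
      # missing from sample.env is silently left unset.
      replace:
        path: /opt/greenlight/.env
        regexp: '^{{ item.key }}=.*$'
        replace: '{{ item.key }}={{ item.value }}'
      with_dict:
        SECRET_KEY_BASE: "{{ lookup('file', '/opt/greenlight/rake_secret') }}"
        BIGBLUEBUTTON_ENDPOINT: 'https://{{ ansible_fqdn }}/bigbluebutton/'
        BIGBLUEBUTTON_SECRET: '{{ api_secret.stdout }}'
        SAFE_HOSTS: '{{ ansible_fqdn }}'
        LDAP_SERVER: auth1.csclub.uwaterloo.ca
        LDAP_PORT: '636'
        LDAP_METHOD: 'ssl'
        LDAP_UID: 'uid'
        LDAP_BASE: 'dc=csclub,dc=uwaterloo,dc=ca'
        LDAP_AUTH: 'user'
        # make sure to create a role in Greenlight called "sysadmin"
        LDAP_ROLE_FIELD: 'position'
        ALLOW_GREENLIGHT_ACCOUNTS: 'false'
        DEFAULT_REGISTRATION: open
        ROOM_FEATURES: 'mute-on-join,require-moderator-approval'
        DB_ADAPTER: postgresql
        DB_HOST: coffee.csclub.uwaterloo.ca
        DB_PORT: '5432'
        DB_NAME: greenlight
        DB_USERNAME: greenlight
      # The loop items include SECRET_KEY_BASE and BIGBLUEBUTTON_SECRET.
      no_log: true
    - name: reminder for DB credentials
      debug:
        msg: >-
          Make sure to create a database and user for greenlight
          and update /opt/greenlight/.env with the Postgres credentials.
  handlers:
    - name: reload systemd
      command: systemctl daemon-reload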