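---
# Single-host BigBlueButton + Greenlight install for Ubuntu bionic, wired for
# HTTPS, IPv6 and LDAP login. The play targets the local machine
# (connection: local); the apt/systemd tasks have no `become`, so the play
# itself has to be run with root privileges.
- hosts: 127.0.0.1
  connection: local

  vars:
    # Quoted so no YAML parser ever re-types the version string.
    ruby_version: '2.7.0'
    gem: gem2.7
    bundle: "/opt/greenlight/.gem/ruby/{{ ruby_version }}/bin/bundle"

  tasks:
    - name: install prerequisites
      apt:
        name:
          - software-properties-common
          - apt-transport-https
          - sudo
          - net-tools
          - openjdk-8-jre
          - curl
          - wget
          - gpg-agent
          - dirmngr

    # Plain command with no `creates`/`changed_when`: reports "changed" on
    # every run, but is harmless to repeat.
    - name: update-java-alternatives
      command: update-java-alternatives -s java-1.8.0-openjdk-amd64

    - name: add PPA for bigbluebutton support packages
      apt_repository:
        repo: ppa:bigbluebutton/support

    - name: add PPA for yq
      apt_repository:
        repo: ppa:rmescandon/yq

    - name: add PPA for libreoffice
      apt_repository:
        repo: ppa:libreoffice/ppa

    - name: add GPG key for MongoDB
      apt_key:
        url: https://www.mongodb.org/static/pgp/server-4.2.asc

    # Package content is fetched over plain HTTP; apt still verifies the
    # Release signature against the key fetched over HTTPS above.
    - name: add repo for MongoDB
      apt_repository:
        repo: "deb [arch=amd64] http://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.2 multiverse"
        filename: mongodb-org-4.2

    - name: add GPG key for Nodesource
      apt_key:
        url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key

    - name: add repo for Nodesource
      apt_repository:
        repo: deb https://deb.nodesource.com/node_14.x bionic main
        filename: nodesource

    - name: add GPG key for bigbluebutton
      apt_key:
        url: https://ubuntu.bigbluebutton.org/repo/bigbluebutton.asc

    - name: add repo for bigbluebutton
      apt_repository:
        repo: deb https://ubuntu.bigbluebutton.org/bionic-23/ bigbluebutton-bionic main
        filename: bigbluebutton

    - name: add repo for Brightbox ruby-ng
      apt_repository:
        repo: ppa:brightbox/ruby-ng

    # NOTE(review): the signing key itself is downloaded over plain HTTP, so
    # the signature check on the CSC repo below is only as trustworthy as
    # this one download. Prefer an HTTPS URL, or pin the key id, if the
    # mirror offers either.
    - name: add GPG key for CSC
      apt_key:
        url: http://debian.csclub.uwaterloo.ca/csclub.asc

    - name: add CSC Debian repo
      apt_repository:
        repo: deb http://debian.csclub.uwaterloo.ca bionic main
        filename: csclub

    - name: update apt cache
      apt:
        update_cache: true

    - name: install packages
      apt:
        name:
          - mongodb-org
          - nodejs
          - bigbluebutton
          - bbb-html5
          - greenlight

    # We should only need to do this once. Make sure to remove
    # /tmp/bbb-setip-done if the FQDN changes for whatever reason.
    - name: set BBB hostname
      shell: 'bbb-conf --setip {{ ansible_fqdn }} && touch /tmp/bbb-setip-done'
      args:
        creates: /tmp/bbb-setip-done

    # The three tasks below comment out realtime scheduling directives in the
    # shipped unit files; each one notifies the daemon-reload handler.
    - name: disable CPUSchedulingPolicy for Freeswitch
      replace:
        path: /lib/systemd/system/freeswitch.service
        regexp: "^CPUSchedulingPolicy=rr"
        replace: "#CPUSchedulingPolicy=rr"
      notify: reload systemd

    - name: disable IOSchedulingClass for Freeswitch
      replace:
        path: /lib/systemd/system/freeswitch.service
        regexp: "^IOSchedulingClass=realtime"
        replace: "#IOSchedulingClass=realtime"
      notify: reload systemd

    - name: disable CPUSchedulingPolicy for bbb-html5
      replace:
        path: /usr/lib/systemd/system/bbb-html5-backend@.service
        regexp: "^CPUSchedulingPolicy=fifo"
        replace: "#CPUSchedulingPolicy=fifo"
      notify: reload systemd

    # Make sure to place the certificate and key in this directory,
    # and run `chmod 0600` on the key
    - name: create SSL directory
      file:
        path: /etc/nginx/ssl
        state: directory

    # Generating 4096-bit DH parameters can take many minutes; `creates`
    # makes this a one-time cost.
    - name: create Diffie-Hellman params
      command:
        cmd: openssl dhparam -out /etc/nginx/ssl/dhp-4096.pem 4096
        creates: /etc/nginx/ssl/dhp-4096.pem

    - name: update NGINX config
      copy:
        src: '{{ playbook_dir }}/bigbluebutton.nginx'
        dest: /etc/nginx/sites-available/bigbluebutton

    - name: update SIP config to use HTTPS
      replace:
        path: /etc/bigbluebutton/nginx/sip.nginx
        regexp: '^(\s*)proxy_pass http://(.*):5066;$'
        replace: '\1proxy_pass https://\2:7443;'

    # Unanchored pattern: rewrites every http:// occurrence in the file.
    - name: configure BBB to load session via HTTPS (1)
      replace:
        path: /usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties
        regexp: 'http://'
        replace: 'https://'

    # - name: configure BBB to load session via HTTPS (2)
    #   replace:
    #     path: /usr/share/red5/webapps/screenshare/WEB-INF/screenshare.properties
    #     regexp: 'http://'
    #     replace: 'https://'

    - name: configure BBB to load session via HTTPS (3)
      replace:
        path: /usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml
        regexp: 'ws://'
        replace: 'wss://'

    - name: configure BBB to load session via HTTPS (4)
      replace:
        path: /usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml
        regexp: 'http://'
        replace: 'https://'

    - name: configure BBB to load session via HTTPS (5)
      replace:
        path: /usr/local/bigbluebutton/core/scripts/bigbluebutton.yml
        regexp: '^playback_protocol: http$'
        replace: 'playback_protocol: https'

    # NOTE(review): templating ansible_default_ipv6.address fails on a host
    # that has no default IPv6 route; confirm the fact is set on every target.
    - name: configure BBB to support IPv6
      copy:
        dest: /etc/nginx/conf.d/bigbluebutton_sip_addr_map.conf
        content: |
          map $remote_addr $freeswitch_addr {
            "~:" [{{ ansible_default_ipv6.address }}];
            default {{ ansible_default_ipv4.address }};
          }

    # Depends on "update SIP config to use HTTPS" having already rewritten
    # the proxy_pass line to https/7443.
    - name: update SIP config to support IPv6 (1)
      replace:
        path: /etc/bigbluebutton/nginx/sip.nginx
        regexp: '^(\s*)proxy_pass https://(.*):7443;$'
        replace: '\1proxy_pass https://$freeswitch_addr:7443;'

    - name: update SIP config to support IPv6 (2)
      replace:
        path: /opt/freeswitch/etc/freeswitch/sip_profiles/external-ipv6.xml
        regexp: '^(\s*)<!--\s*<param name="enable-3pcc" value="true"/>\s*-->$'
        replace: '\1<param name="enable-3pcc" value="true"/>'

    - name: increase file number limit for bbb-web
      replace:
        path: /lib/systemd/system/bbb-web.service
        regexp: '^LimitNOFILE=\d+$'
        replace: 'LimitNOFILE=8192'
      notify:
        - reload systemd

    - name: disable recording
      replace:
        path: /usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties
        regexp: '^{{ item.key }}=.*$'
        replace: '{{ item.key }}={{ item.value }}'
      with_dict:
        disableRecordingDefault: 'true'
        allowStartStopRecording: 'false'

    - name: turn off certain sound effects
      replace:
        path: /opt/freeswitch/etc/freeswitch/autoload_configs/conference.conf.xml
        regexp: '^(\s*){{ item }}$'
        replace: '\1<!-- {{ item }} -->'
      loop:
        - '<param name="muted-sound" value="conference/conf-muted.wav"/>'
        - '<param name="unmuted-sound" value="conference/conf-unmuted.wav"/>'
        - '<param name="alone-sound" value="conference/conf-alone.wav"/>'

    - name: skip echo test
      replace:
        path: /usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml
        regexp: '^(\s*)skipCheck: false$'
        replace: '\1skipCheck: true'

    - name: increase maximum number of breakout rooms
      replace:
        path: /usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml
        regexp: '^(\s*)breakoutRoomLimit: \d+$'
        replace: '\1breakoutRoomLimit: 32'

    - name: use custom STUN servers
      copy:
        src: '{{ playbook_dir }}/turn-stun-servers.xml'
        dest: /etc/bigbluebutton/turn-stun-servers.xml

    - name: update FreeSWITCH to listen for connections on external IP (1)
      replace:
        path: /opt/freeswitch/conf/vars.xml
        regexp: '^(\s*)<X-PRE-PROCESS cmd="set" data="external_{{ item }}_ip=.*"/>$'
        replace: '\1<X-PRE-PROCESS cmd="set" data="external_{{ item }}_ip={{ ansible_default_ipv4.address }}"/>'
      loop:
        - 'rtp'
        - 'sip'

    - name: update FreeSWITCH to listen for connections on external IP (2)
      replace:
        path: /opt/freeswitch/conf/sip_profiles/external.xml
        regexp: '^(\s*)<param name="ext-{{ item }}-ip" value=".*"/>$'
        replace: '\1<param name="ext-{{ item }}-ip" value="$${external_{{ item }}_ip}"/>'
      loop:
        - 'rtp'
        - 'sip'

    - name: install bundler for greenlight
      become: true
      become_user: greenlight
      command: '{{ gem }} install --user-install bundler'
      args:
        creates: '{{ bundle }}'

    - name: configure NGINX to route to Greenlight
      copy:
        src: /opt/greenlight/greenlight.nginx
        dest: /etc/bigbluebutton/nginx/greenlight.nginx

    # NOTE(review): tee creates rake_secret with the greenlight user's default
    # umask, so the file may be group/world-readable; consider tightening its
    # mode once created. no_log keeps the secret out of verbose task output.
    - name: create secret key for Rails
      become: true
      become_user: greenlight
      shell: '{{ bundle }} exec rake secret | tee /opt/greenlight/rake_secret'
      args:
        creates: /opt/greenlight/rake_secret
      no_log: true

    # `creates` above would skip a rerun even if rake failed and tee left an
    # empty file behind; this catches that case. The lookup runs on the
    # controller, which is the same machine here (connection: local).
    - name: assert rake secret was created
      assert:
        that:
          - lookup('file', '/opt/greenlight/rake_secret') != ''

    # The registered result holds the API secret; no_log keeps it out of logs.
    - name: obtain BBB API secret
      shell: "bbb-conf --secret | grep -oP 'Secret: \\K[[:alnum:]]+'"
      register: api_secret
      no_log: true

    # force: false — only seed the file once so manual edits (e.g. the DB
    # password) survive reruns. mode 0600 assumes the app runs as the
    # greenlight user, as the bundler/rake tasks above do.
    - name: create .env file for greenlight
      copy:
        src: /opt/greenlight/sample.env
        dest: /opt/greenlight/.env
        force: false
        owner: greenlight
        group: greenlight
        mode: '0600'

    # Loop items carry SECRET_KEY_BASE and the BBB secret, hence no_log.
    - name: update .env file for greenlight
      replace:
        path: /opt/greenlight/.env
        regexp: '^{{ item.key }}=.*$'
        replace: '{{ item.key }}={{ item.value }}'
      with_dict:
        SECRET_KEY_BASE: "{{ lookup('file', '/opt/greenlight/rake_secret') }}"
        BIGBLUEBUTTON_ENDPOINT: 'https://{{ ansible_fqdn }}/bigbluebutton/'
        BIGBLUEBUTTON_SECRET: '{{ api_secret.stdout }}'
        SAFE_HOSTS: '{{ ansible_fqdn }}'
        LDAP_SERVER: auth1.csclub.uwaterloo.ca
        LDAP_PORT: '636'
        LDAP_METHOD: 'ssl'
        LDAP_UID: 'uid'
        LDAP_BASE: 'dc=csclub,dc=uwaterloo,dc=ca'
        LDAP_AUTH: 'user'
        # make sure to create a role in Greenlight called "sysadmin"
        LDAP_ROLE_FIELD: 'position'
        ALLOW_GREENLIGHT_ACCOUNTS: 'false'
        DEFAULT_REGISTRATION: open
        ROOM_FEATURES: 'mute-on-join,require-moderator-approval'
        DB_ADAPTER: postgresql
        DB_HOST: coffee.csclub.uwaterloo.ca
        # Quoted for consistency with LDAP_PORT; the value is written as text.
        DB_PORT: '5432'
        DB_NAME: greenlight
        DB_USERNAME: greenlight
      no_log: true

    - name: reminder for DB credentials
      debug:
        msg: >-
          Make sure to create a database and user for greenlight and
          update /opt/greenlight/.env with the Postgres credentials.

  handlers:
    - name: reload systemd
      command: systemctl daemon-reload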