Ajout des serveurs de voix

VC
2019-09-05 22:40:23 +02:00
parent 84afea328a
commit d43e55e20a
13 changed files with 391 additions and 18 deletions

3
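--- a/icecast2.yml
+++ b/icecast2.yml
@@ -0,0 +1,3 @@
+- hosts: icecastservers
+roles:
+- icecast2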

3
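--- a/mumble.yml
+++ b/mumble.yml
@@ -0,0 +1,3 @@
+- hosts: mumbleservers
+roles:
+- mumble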


@@ -24,6 +24,7 @@ web1.dmz.mateu.be
web2.dmz.mateu.be web2.dmz.mateu.be
mail.dmz.mateu.be borg_backup_path="['/home', '/etc', '/var/lib/mailman']" mail.dmz.mateu.be borg_backup_path="['/home', '/etc', '/var/lib/mailman']"
jabber.dmz.mateu.be borg_backup_path="['/etc', '/var/lib/prosody']" jabber.dmz.mateu.be borg_backup_path="['/etc', '/var/lib/prosody']"
voice1.dmz.mateu.be borg_backup_path="['/etc', '/var/lib/mumble-server']"
ror.dmz.mateu.be ror.dmz.mateu.be
[nut:children] [nut:children]
@@ -45,6 +46,7 @@ web1.dmz.mateu.be web_hostname="['fav.libertus.eu', 'rss.libertus.eu', 'o.libert
web2.dmz.mateu.be web_hostname="['analyse.nintendojo.fr', 'nintendojo.fr', 'www.nintendojo.fr', 'forum.nintendojo.fr', 'intendo.fr', 'www.intendo.fr']" web2.dmz.mateu.be web_hostname="['analyse.nintendojo.fr', 'nintendojo.fr', 'www.nintendojo.fr', 'forum.nintendojo.fr', 'intendo.fr', 'www.intendo.fr']"
ror.dmz.mateu.be web_hostname="['m.nintendojo.fr']" ror.dmz.mateu.be web_hostname="['m.nintendojo.fr']"
jabber.dmz.mateu.be web_hostname="['libertus.eu', 'upload.libertus.eu', 'xmpp.libertus.eu']" jabber.dmz.mateu.be web_hostname="['libertus.eu', 'upload.libertus.eu', 'xmpp.libertus.eu']"
voice3.dmz.mateu.be web_hostname="['radio.nintendojo.fr']"
#mail.dmz.mateu.be #mail.dmz.mateu.be
[phpservers] [phpservers]
@@ -73,3 +75,8 @@ haproxy.dmz.mateu.be
[transmission] [transmission]
bt.dmz.mateu.be bt.dmz.mateu.be
[mumbleservers]
voice1.dmz.mateu.be
[icecastservers]
voice3.dmz.mateu.be


@@ -142,15 +142,15 @@ config rule
# option target 'ACCEPT' # option target 'ACCEPT'
# option family 'ipv6' # option family 'ipv6'
config rule #config rule
option name 'n0box2-mumble' # option name 'n0box2-mumble'
option src 'wan' # option src 'wan'
option proto 'tcpudp' # option proto 'tcpudp'
option dest 'lan' # option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}' # option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '64738' # option dest_port '64738'
option target 'ACCEPT' # option target 'ACCEPT'
option family 'ipv6' # option family 'ipv6'
config redirect config redirect
option name 'n0box2-SMTP' option name 'n0box2-SMTP'
@@ -232,15 +232,15 @@ config redirect
# option dest_port '9987' # option dest_port '9987'
# option target 'DNAT' # option target 'DNAT'
config redirect #config redirect
option name 'n0box2-mumble' # option name 'n0box2-mumble'
option src 'wan' # option src 'wan'
option src_dport '64738' # option src_dport '64738'
option proto 'tcpudp' # option proto 'tcpudp'
option dest 'lan' # option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}' # option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '64738' # option dest_port '64738'
option target 'DNAT' # option target 'DNAT'
### DMZ Rules ### DMZ Rules
## General Rules ## General Rules
@@ -488,6 +488,27 @@ config rule
option target 'ACCEPT' option target 'ACCEPT'
option family 'ipv6' option family 'ipv6'
# Allow Mumble traffic
config rule
option name 'Allow-INPUT-mumble'
option src 'wan'
option proto 'tcpudp'
option dest 'dmz'
option dest_ip '{{ hostvars['voice1.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '64738'
option target 'ACCEPT'
option family 'ipv6'
config redirect
option name 'Allow-INPUT-mumble'
option src 'wan'
option src_dport '64738'
option proto 'tcpudp'
option dest 'dmz'
option dest_ip '{{ hostvars['voice1.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '64738'
option target 'DNAT'
## Default configuration ## Default configuration
config defaults config defaults
option syn_flood '1' option syn_flood '1'
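Review bot: The new `config rule` and `config redirect` in the last hunk are both named 'Allow-INPUT-mumble', although they forward wan traffic to a dmz host rather than accept input on the router. Distinct host-based names in the style of the entries they replace (for example `option name 'voice1-mumble-v6'` and `option name 'voice1-mumble-dnat'`) would keep firewall logs and later audits unambiguous. The old n0box2 entries in the first two hunks are commented out rather than deleted, which leaves dead rules in the template. Since these two sections open 64738 tcp/udp from wan, a comment such as `# Mumble is intentionally reachable from the Internet; access control is in mumble-server.ini` above them would record that the exposure is deliberate.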


@@ -0,0 +1,28 @@
source_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
36383738646636353839616365316537653865666335353136666166336137636635663062626265
6464633337633063326632303332623264336462383635360a336362623464623061666230366366
32366135323936386430333735666362303132623764646439316330666334333739306432616538
3836323434303637370a643864666439373934306439353030613266303139333732353138653238
6531
relay_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
61663166303239323862656262303332313365616132633765666264376234316630656330356333
6264646531643936616466653832656537316533303161630a393763303536356631666631393161
32393762366231386665633962613332333163323530313032343430383335643962336535366639
3366316330326363660a643664626461623833323531336134353233343235346631303765333066
6366
admin_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
62353032653634373261396231393539393530313639613730386163383933313863306561336164
3632663966353336353330356230373038623037663665380a393038633039326261353266633331
63383237636536663036346335613933356161346166396331323863643731656661643934313835
6565303963393631310a666131313933623834313732633261633932326266376462333637356439
6238
admin_user: !vault |
$ANSIBLE_VAULT;1.1;AES256
39306532623732636431353461353062346464343630303438373935666338356566373538336264
6662376439323937663565353636343865366132623230620a336130313131656332313864383434
36643430616330363235373139333935383133376439353535363739376131303432333266626263
3638646466316361350a333533313134633762383535646164663364633633336439656538343333
3964
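Review bot: The four variable names (`source_pass`, `relay_pass`, `admin_pass`, `admin_user`) are generic. Ansible variables for a host share one namespace, so another role or vars file that defines `admin_pass` could silently override these or be overridden by them. Prefixing them with the role name, e.g. `icecast_admin_pass`, and updating the four references in icecast.xml.j2 removes that ambiguity. The path of this vars file is not visible in the section, so how widely the names are scoped should be checked.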


@@ -0,0 +1,4 @@
- name: restart icecast2
service:
name: icecast2
state: restarted


@@ -0,0 +1,12 @@
- name: install icecast2
package:
name: icecast2
state: present
- name: configuration file
template:
src: icecast.xml.j2
dest: /etc/icecast2/icecast.xml
notify:
- restart icecast2
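Review bot: The `configuration file` task renders /etc/icecast2/icecast.xml, which carries the source, relay and admin passwords in clear text, without setting `owner`, `group` or `mode`. The resulting permissions therefore depend on whatever file already exists on the host. Pin them on the task, e.g. `owner: root`, `group: icecast` (the group the packaged service runs under; confirm on the target) and `mode: '0640'`. Adding `no_log: true` would also keep the rendered secrets out of `--diff` output. The `configuration files` copy task in the mumble role has the same gap for /etc/mumble-server.ini.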


@@ -0,0 +1,174 @@
<icecast>
<limits>
<clients>200</clients>
<sources>2</sources>
<threadpool>5</threadpool>
<queue-size>8192</queue-size>
<client-timeout>30</client-timeout>
<header-timeout>15</header-timeout>
<source-timeout>10</source-timeout>
<!-- If enabled, this will provide a burst of data when a client
first connects, thereby significantly reducing the startup
time for listeners that do substantial buffering. However,
it also significantly increases latency between the source
client and listening client. For low-latency setups, you
might want to disable this. -->
<burst-on-connect>0</burst-on-connect>
<!-- same as burst-on-connect, but this allows for being more
specific on how much to burst. Most people won't need to
change from the default 64k. Applies to all mountpoints -->
<burst-size>8192</burst-size>
</limits>
<authentication>
<!-- Sources log in with username 'source' -->
<source-password>{{ source_pass }}</source-password>
<!-- Relays log in username 'relay' -->
<relay-password>{{ relay_pass }}</relay-password>
<!-- Admin logs in with the username given below -->
<admin-user>{{ admin_user }}</admin-user>
<admin-password>{{ admin_pass }}</admin-password>
</authentication>
<!-- set the mountpoint for a shoutcast source to use, the default if not
specified is /stream but you can change it here if an alternative is
wanted or an extension is required
<shoutcast-mount>/live.nsv</shoutcast-mount>
-->
<!-- Uncomment this if you want directory listings -->
<!--
<directory>
<yp-url-timeout>15</yp-url-timeout>
<yp-url>http://dir.xiph.org/cgi-bin/yp-cgi</yp-url>
</directory>
-->
<!-- This is the hostname other people will use to connect to your server.
It affects mainly the urls generated by Icecast for playlists and yp
listings. -->
<hostname>localhost</hostname>
<!-- You may have multiple <listener> elements -->
<listen-socket>
<port>8000</port>
<!-- <bind-address>127.0.0.1</bind-address> -->
<!-- <shoutcast-mount>/stream</shoutcast-mount> -->
</listen-socket>
<!--
<listen-socket>
<port>8001</port>
</listen-socket>
-->
<!--<master-server>127.0.0.1</master-server>-->
<!--<master-server-port>8001</master-server-port>-->
<!--<master-update-interval>120</master-update-interval>-->
<!--<master-password>hackme</master-password>-->
<!-- setting this makes all relays on-demand unless overridden, this is
useful for master relays which do not have <relay> definitions here.
The default is 0 -->
<!--<relays-on-demand>1</relays-on-demand>-->
<!--
<relay>
<server>127.0.0.1</server>
<port>8001</port>
<mount>/example.ogg</mount>
<local-mount>/different.ogg</local-mount>
<on-demand>0</on-demand>
<relay-shoutcast-metadata>0</relay-shoutcast-metadata>
</relay>
-->
<!-- Only define a <mount> section if you want to use advanced options,
like alternative usernames or passwords
<mount>
<mount-name>/example-complex.ogg</mount-name>
<username>othersource</username>
<password>hackmemore</password>
<max-listeners>1</max-listeners>
<dump-file>/tmp/dump-example1.ogg</dump-file>
<burst-size>65536</burst-size>
<fallback-mount>/example2.ogg</fallback-mount>
<fallback-override>1</fallback-override>
<fallback-when-full>1</fallback-when-full>
<intro>/example_intro.ogg</intro>
<hidden>1</hidden>
<no-yp>1</no-yp>
<authentication type="htpasswd">
<option name="filename" value="myauth"/>
<option name="allow_duplicate_users" value="0"/>
</authentication>
<on-connect>/home/icecast/bin/stream-start</on-connect>
<on-disconnect>/home/icecast/bin/stream-stop</on-disconnect>
</mount>
<mount>
<mount-name>/auth_example.ogg</mount-name>
<authentication type="url">
<option name="mount_add" value="http://myauthserver.net/notify_mount.php"/>
<option name="mount_remove" value="http://myauthserver.net/notify_mount.php"/>
<option name="listener_add" value="http://myauthserver.net/notify_listener.php"/>
<option name="listener_remove" value="http://myauthserver.net/notify_listener.php"/>
</authentication>
</mount>
-->
<fileserve>1</fileserve>
<paths>
<!-- basedir is only used if chroot is enabled -->
<basedir>/usr/share/icecast2</basedir>
<!-- Note that if <chroot> is turned on below, these paths must both
be relative to the new root, not the original root -->
<logdir>/var/log/icecast2</logdir>
<webroot>/usr/share/icecast2/web</webroot>
<adminroot>/usr/share/icecast2/admin</adminroot>
<!-- <pidfile>/usr/share/icecast2/icecast.pid</pidfile> -->
<!-- Aliases: treat requests for 'source' path as being for 'dest' path
May be made specific to a port or bound address using the "port"
and "bind-address" attributes.
-->
<!--
<alias source="/foo" dest="/bar"/>
-->
<!-- Aliases: can also be used for simple redirections as well,
this example will redirect all requests for http://server:port/ to
the status page
-->
<alias source="/" dest="/status.xsl"/>
</paths>
<logging>
<accesslog>access.log</accesslog>
<errorlog>error.log</errorlog>
<!-- <playlistlog>playlist.log</playlistlog> -->
<loglevel>3</loglevel> <!-- 4 Debug, 3 Info, 2 Warn, 1 Error -->
<logsize>10000</logsize> <!-- Max size of a logfile -->
<!-- If logarchive is enabled (1), then when logsize is reached
the logfile will be moved to [error|access|playlist].log.DATESTAMP,
otherwise it will be moved to [error|access|playlist].log.old.
Default is non-archive mode (i.e. overwrite)
-->
<!-- <logarchive>1</logarchive> -->
</logging>
<security>
<chroot>0</chroot>
<!--
<changeowner>
<user>nobody</user>
<group>nogroup</group>
</changeowner>
-->
</security>
</icecast>
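Review bot: The `<listen-socket>` leaves `<bind-address>` commented out, so Icecast accepts connections on port 8000 on every interface even though the nginx vhost added in this commit reaches it over 127.0.0.1:8000. Unless source clients are meant to connect directly, `<bind-address>127.0.0.1</bind-address>` keeps the source and admin logins off the DMZ network. The four credentials are interpolated raw into XML, so a value containing `&` or `<` yields an invalid file; `{{ source_pass | escape }}` (and likewise for the other three) avoids that. `<hostname>` is still `localhost` while the inventory publishes the service as radio.nintendojo.fr, which per the comment above it affects the URLs Icecast generates.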


@@ -0,0 +1,97 @@
# Path to database. If blank, will search for
# murmur.sqlite in default locations or create it if not found.
# If you wish to use something other than SQLite, you'll need to set the name
# of the database above, and also uncomment the below.
#
database=/var/lib/mumble-server/mumble-server.sqlite
# Murmur defaults to not using D-Bus. If you wish to use dbus, which is one of the
# RPC methods available in murmur, please specify so here.
#
#dbus=system
# Alternate service name. Only use if you are running distinct
# murmurd processes connected to the same D-Bus daemon.
#dbusservice=net.sourceforge.mumble.murmur
# If you want to use ZeroC ICE to communicate with Murmur, you need
# to specify the endpoint to use. Since there is no authentication
# with ICE, you should only use it if you trust all the users who have
# shell access to your machine.
# Please see the ICE documentation on how to specify endpoints.
#ice="tcp -h 127.0.0.1 -p 6502"
# How many login attempts do we tolerate from one IP
# inside a given timeframe before we ban the connection?
# Note that this is global (shared between all virtual servers), and that
# it counts both successfull and unsuccessfull connection attempts.
# Set either Attempts or Timeframe to 0 to disable.
#autobanAttempts = 10
#autobanTimeframe = 120
#autobanTime = 300
# Murmur default to logging to murmur.log. If you leave this blank,
# murmur will log to the console (linux) or through message boxes (win32).
logfile=/var/log/mumble-server/mumble-server.log
# Where Murmur should store it's .pid file. Leave blank to use current
# directory. This option does nothing on Win32.
pidfile=/var/run/mumble-server/mumble-server.pid
# The below will be used as defaults for new configured servers.
# If you're just running one server (the default), it's easier to
# configure it here than through D-Bus or Ice.
#
# Welcome message sent to clients when they connect
welcometext="<br />Welcome to this server running <b>Murmur</b>.<br />Enjoy your stay!<br />"
# Port to bind TCP and UDP sockets to
port=64738
# Specific IP or hostname to bind to.
# If this is left blank (default), murmur will bind to all available addresses.
host=
# Password to join server
serverpassword=
# Maximum bandwidth (in bytes per second) clients are allowed
# to send speech at.
bandwidth=100000
# Maximum number of concurrent clients allowed.
users=100
# Murmur retains the per-server log entries in an internal database which
# allows it to be accessed over D-Bus/ICE.
# How many days should such entries be kept?
#logdays=31
# To enable public server registration, the serverpassword must be blank, and
# this must all be filled out.
# The password here is used to create a registry for the server name; subsequent
# updates will need the same password. Don't lose your password.
# The URL is your own website, and only set the registerHostname for static IP
# addresses.
#
#registerName=Mumble Server
#registerPassword=secret
#registerUrl=http://mumble.sourceforge.net/
#registerHostname=
# If you have a proper SSL certificate, you can provide the filenames here.
#sslCert=
#sslKey=
# To enable username registration through
# http://webserver/cgi-bin/mumble-server/register.cgi
# then this value must be set to a valid email
# and you must be running a SMTP server on this
# machine.
# This option is only used for a pre-packaged system-wide installation,
# and does nothing if you just start murmurd yourself.
#emailfrom =
# If murmur is started as root, which user should it switch to?
# This option is ignored if murmur isn't started with root privileges.
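Review bot: `serverpassword=` is left empty while the firewall change in this commit forwards 64738 tcp/udp from wan to voice1, so anyone who can reach the port can join unless access is restricted elsewhere (channel ACLs, registered certificates). If the server is not meant to be public, set the password from a vaulted variable, which means deploying this file with `template` instead of `copy`. As rendered here the file also ends on the comment that introduces the user-switch option, with no `uname=` line after it. If that is the real end of the file, add the option explicitly (the Debian package normally uses the `mumble-server` account; confirm on the target) rather than relying on the default.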


@@ -0,0 +1,4 @@
- name: restart mumble
service:
name: mumble-server
state: restarted


@@ -0,0 +1,11 @@
- name: install mumble
package:
name: mumble-server
state: present
- name: configuration files
copy:
src: ./files/mumble-server.ini
dest: /etc/mumble-server.ini
notify:
- restart mumble
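Review bot: `src: ./files/mumble-server.ini` spells out the role's files directory, whereas the icecast2 role's template task in this commit uses the bare name `src: icecast.xml.j2`. Inside a role `copy` already searches the role's files/ directory, so `src: mumble-server.ini` is the conventional form and keeps the two roles consistent.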


@@ -0,0 +1,7 @@
server {
{% include './templates/header.conf.j2' %}
location / {
proxy_pass http://127.0.0.1:8000;
}
}
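Review bot: `location /` proxies every path to Icecast, which includes its `/admin/` interface, so the admin login becomes reachable through the public vhost. Add a separate `location /admin/` block that restricts clients with `allow`/`deny all` (or simply returns 403) before its own `proxy_pass http://127.0.0.1:8000;`. Whether the included header.conf.j2 enforces TLS is not visible from this section; if it does not, the admin and source credentials would cross the network unencrypted.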


@@ -12,3 +12,5 @@
- import_playbook: mariadb.yml - import_playbook: mariadb.yml
- import_playbook: pgsql.yml - import_playbook: pgsql.yml
- import_playbook: bittorrent.yml - import_playbook: bittorrent.yml
- import_playbook: mumble.yml
- import_playbook: icecast2.yml