Move handwritten things to a playbook.
This commit is contained in:
parent
194c4c1296
commit
c4843a33cf
55
README.md
55
README.md
|
@ -77,7 +77,13 @@ C’est un VPS `V-R8 4 CPUs · 8 GB RAM`.
|
|||
|
||||
C’est une Ubuntu 18.04 (c’est imposé par BBB).
|
||||
|
||||
Elle n’est **pas** gérée par Ansible, c’est un peu particulier BBB.
|
||||
Elle n’est **pas** gérée par Ansible, c’est un peu particulier BBB,
|
||||
mais le serveur `turn` l'est, et le playbook `turn.yml` configure
|
||||
quand même un fichier sur BBB.
|
||||
|
||||
D'ailleurs pour tester la configurtion turn/stun:
|
||||
|
||||
https://docs.bigbluebutton.org/administration/turn-server#test-your-turn-server
|
||||
|
||||
J’y ai appliqué un poil de ssh-hardening :
|
||||
|
||||
|
@ -151,53 +157,6 @@ Il faut configurer le `.env` tel que:
|
|||
Puis vérifier qu’exim et le firewall (attention c’est peut-être `ufw`)
|
||||
les acceptent.
|
||||
|
||||
|
||||
### Configuration TURN/STUN
|
||||
|
||||
L’installation de BBB n’étant pas gérée par Ansible, pour le moment la
|
||||
conf TURN/STUN est faite à la main, c’est la seule chose à faire, elle
|
||||
ressemble à :
|
||||
|
||||
```xml
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<beans xmlns="http://www.springframework.org/schema/beans"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://www.springframework.org/schema/beans
|
||||
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
|
||||
">
|
||||
|
||||
<bean id="stun0" class="org.bigbluebutton.web.services.turn.StunServer">
|
||||
<constructor-arg index="0" value="stun:turn.afpy.org"/>
|
||||
</bean>
|
||||
|
||||
<bean id="turn0" class="org.bigbluebutton.web.services.turn.TurnServer">
|
||||
<constructor-arg index="0" value="[redacte]"/>
|
||||
<constructor-arg index="1" value="turns:turn.afpy.org:443?transport=tcp"/>
|
||||
<constructor-arg index="2" value="86400"/>
|
||||
</bean>
|
||||
|
||||
<bean id="stunTurnService" class="org.bigbluebutton.web.services.turn.StunTurnService">
|
||||
<property name="stunServers">
|
||||
<set>
|
||||
<ref bean="stun0" />
|
||||
</set>
|
||||
</property>
|
||||
<property name="turnServers">
|
||||
<set>
|
||||
<ref bean="turn0" />
|
||||
</set>
|
||||
</property>
|
||||
<property name="remoteIceCandidates">
|
||||
<set>
|
||||
</set>
|
||||
</property>
|
||||
</bean>
|
||||
</beans>
|
||||
```
|
||||
|
||||
dans `/usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml`.
|
||||
|
||||
|
||||
## backup1.afpy.org
|
||||
|
||||
♥ Machine sponsorisée par Gandi ♥
|
||||
|
|
|
@ -22,6 +22,9 @@ turn1.afpy.org
|
|||
[dl]
|
||||
deb2.afpy.org
|
||||
|
||||
[bbb]
|
||||
bbb2.afpy.org
|
||||
|
||||
[rsnapshotted]
|
||||
deb2.afpy.org
|
||||
bbb2.afpy.org
|
||||
|
|
111
turn.yml
111
turn.yml
|
@ -48,20 +48,64 @@
|
|||
blockinfile:
|
||||
path: /etc/turnserver.conf
|
||||
block: |
|
||||
listening-port=3478
|
||||
tls-listening-port=443
|
||||
|
||||
listening-ip={{ansible_default_ipv4.address}}
|
||||
relay-ip={{ansible_default_ipv4.address}}
|
||||
|
||||
min-port=32769
|
||||
max-port=65535
|
||||
verbose
|
||||
|
||||
fingerprint
|
||||
lt-cred-mech
|
||||
use-auth-secret
|
||||
static-auth-secret={{turnserver_secret}}
|
||||
|
||||
realm=afpy.org
|
||||
|
||||
cert=/etc/turnserver/fullchain.pem
|
||||
pkey=/etc/turnserver/privkey.pem
|
||||
# From https://ssl-config.mozilla.org/ Intermediate, openssl 1.1.0g, 2020-01
|
||||
cipher-list="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
|
||||
dh-file=/etc/turnserver/dhp.pem
|
||||
|
||||
keep-address-family
|
||||
|
||||
no-cli
|
||||
no-tlsv1
|
||||
no-tlsv1_1
|
||||
|
||||
# Block connections to IP ranges which shouldn't be reachable
|
||||
no-loopback-peers
|
||||
no-multicast-peers
|
||||
|
||||
# Private (LAN) addresses
|
||||
# If you are running BigBlueButton within a LAN, you might need to add an "allow" rule for your address range.
|
||||
# IPv4 Private-Use
|
||||
denied-peer-ip=10.0.0.0-10.255.255.255
|
||||
denied-peer-ip=172.16.0.0-172.31.255.255
|
||||
denied-peer-ip=192.168.0.0-192.168.255.255
|
||||
# Other IPv4 Special-Purpose addresses
|
||||
denied-peer-ip=100.64.0.0-100.127.255.255
|
||||
denied-peer-ip=169.254.0.0-169.254.255.255
|
||||
denied-peer-ip=192.0.0.0-192.0.0.255
|
||||
denied-peer-ip=192.0.2.0-192.0.2.255
|
||||
denied-peer-ip=198.18.0.0-198.19.255.255
|
||||
denied-peer-ip=198.51.100.0-198.51.100.255
|
||||
denied-peer-ip=203.0.113.0-203.0.113.255
|
||||
# IPv6 Unique-Local
|
||||
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||
# IPv6 Link-Local Unicast
|
||||
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||
# Other IPv6 Special-Purpose assignments
|
||||
denied-peer-ip=::ffff:0:0-::ffff:ffff:ffff
|
||||
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
|
||||
denied-peer-ip=64:ff9b:1::-64:ff9b:1:ffff:ffff:ffff:ffff:ffff
|
||||
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||
denied-peer-ip=2001:db8::-2001:db8:ffff:ffff:ffff:ffff:ffff:ffff
|
||||
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||
notify: restart coturn
|
||||
|
||||
- name: Create dph.pem file directory
|
||||
|
@ -97,3 +141,70 @@
|
|||
name: coturn
|
||||
state: restarted
|
||||
daemon_reload: true
|
||||
|
||||
- hosts: bbb
|
||||
tasks:
|
||||
- name: configure turn host
|
||||
notify: restart bbb
|
||||
copy:
|
||||
dest: /usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
content: |
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!--
|
||||
|
||||
BigBlueButton open source conferencing system - http://www.bigbluebutton.org/
|
||||
|
||||
Copyright (c) 2012 BigBlueButton Inc. and by respective authors (see below).
|
||||
|
||||
This program is free software; you can redistribute it and/or modify it under the
|
||||
terms of the GNU Lesser General Public License as published by the Free Software
|
||||
Foundation; either version 3.0 of the License, or (at your option) any later
|
||||
version.
|
||||
|
||||
BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY
|
||||
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
|
||||
PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU Lesser General Public License along
|
||||
with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
-->
|
||||
<beans xmlns="http://www.springframework.org/schema/beans"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://www.springframework.org/schema/beans
|
||||
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
|
||||
">
|
||||
|
||||
<bean id="stun0" class="org.bigbluebutton.web.services.turn.StunServer">
|
||||
<constructor-arg index="0" value="stun:turn.afpy.org"/>
|
||||
</bean>
|
||||
|
||||
<bean id="turn0" class="org.bigbluebutton.web.services.turn.TurnServer">
|
||||
<constructor-arg index="0" value="d24028cadb57a2029b6baab40c5a2e92"/>
|
||||
<constructor-arg index="1" value="turn:turn.afpy.org:443?transport=tcp"/>
|
||||
<constructor-arg index="2" value="86400"/>
|
||||
</bean>
|
||||
|
||||
<bean id="stunTurnService" class="org.bigbluebutton.web.services.turn.StunTurnService">
|
||||
<property name="stunServers">
|
||||
<set>
|
||||
<ref bean="stun0" />
|
||||
</set>
|
||||
</property>
|
||||
<property name="turnServers">
|
||||
<set>
|
||||
<ref bean="turn0" />
|
||||
</set>
|
||||
</property>
|
||||
<property name="remoteIceCandidates">
|
||||
<set>
|
||||
</set>
|
||||
</property>
|
||||
</bean>
|
||||
</beans>
|
||||
handlers:
|
||||
- name: restart bbb
|
||||
command: bbb-conf --restart
|
||||
|
|
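Review bot: The BBB-side TURN secret is committed in clear as the literal `d24028cadb57a2029b6baab40c5a2e92` in `<constructor-arg index="0" …/>`, while the coturn side of the same playbook reads it from `{{turnserver_secret}}` (`static-auth-secret=` in the first hunk); since `copy: content:` is templated, the line should become `<constructor-arg index="0" value="{{ turnserver_secret }}"/>` so the two sides cannot drift, and a value that has already been pushed should be treated as exposed and rotated. Both rendered files are then world-readable: the XML is copied with `mode: 0644` (write it as `mode: "0644"` to avoid the YAML octal trap, and consider a tighter mode if bbb-web does not need world access — the account it runs as is not visible here), and the `blockinfile` task on `/etc/turnserver.conf` in the first hunk sets no `owner`/`group`/`mode` at all, so that file keeps whatever permissions the package left. The URI `turn:turn.afpy.org:443?transport=tcp` also differs from the `turns:` form in the README snippet this commit removes; with `tls-listening-port=443` configured, confirm which scheme is intended. The `- hosts: bbb` play is complete within this hunk; the `blockinfile` task in the first hunk starts before its hunk.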