From a639c7b9ea1a97941dafd537b4d289a7e4a8d551 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thorben=20G=C3=BCnther?=
Date: Mon, 6 Feb 2023 16:54:04 +0100
Subject: [PATCH] Mumble: Migrate from murmur to mumble-server

Closes: https://todo.xenrox.net/~xenrox/infrastructure/15
---
 playbooks/avalon.yml | 2 +-
 .../files/mumble-server.hook} | 4 +-
 .../files/mumble-server.ini} | 106 ++++++++----------
 roles/mumble-server/handlers/main.yml | 10 ++
 .../{murmur => mumble-server}/tasks/main.yml | 32 ++----
 roles/murmur/handlers/main.yml | 8 --
 6 files changed, 70 insertions(+), 92 deletions(-)
 rename roles/{murmur/files/murmur.hook => mumble-server/files/mumble-server.hook} (53%)
 rename roles/{murmur/files/murmur.ini => mumble-server/files/mumble-server.ini} (82%)
 create mode 100644 roles/mumble-server/handlers/main.yml
 rename roles/{murmur => mumble-server}/tasks/main.yml (59%)
 delete mode 100644 roles/murmur/handlers/main.yml
diff --git a/playbooks/avalon.yml b/playbooks/avalon.yml
index 77427b4..f83b73a 100644
--- a/playbooks/avalon.yml
+++ b/playbooks/avalon.yml
@@ -38,7 +38,7 @@
 - { role: vault }
 - { role: keycloak }
 - { role: grafana }
- - { role: murmur }
+ - { role: mumble-server }
 - { role: borg }
 - { role: navidrome }
 # - { role: screego } # docker
diff --git a/roles/murmur/files/murmur.hook b/roles/mumble-server/files/mumble-server.hook
similarity index 53%
rename from roles/murmur/files/murmur.hook
rename to roles/mumble-server/files/mumble-server.hook
index b3ecf09..ef468e1 100644
--- a/roles/murmur/files/murmur.hook
+++ b/roles/mumble-server/files/mumble-server.hook
@@ -3,6 +3,6 @@
 test "$1" = renew || exit 0
 for pem in /etc/letsencrypt/live/xenrox.net/{privkey,fullchain,cert}.pem; do
- install -o murmur -g murmur -m 400 $pem /etc/murmur/
+ install -o _mumble-server -g _mumble-server -m 400 $pem /etc/mumble/
 done
-/usr/bin/killall -SIGUSR1 murmurd
+systemctl restart mumble-server
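Review bot: The new `install` line's exit status is not checked, so a failed copy still falls through to `systemctl restart mumble-server` and restarts the service on whatever files already sit in /etc/mumble/; `install -o _mumble-server -g _mumble-server -m 400 "$pem" /etc/mumble/ || exit 1` (quoting `$pem` while at it) stops the restart from masking the failure. Replacing `killall -SIGUSR1 murmurd` with a full restart also drops every connected client on each renewal; if the renamed daemon still honours SIGUSR1 for certificate reload, `killall -SIGUSR1 mumble-server` would keep the previous no-downtime behaviour, so that is worth confirming before settling on a restart. The script's first lines (shebang and any `set -e`) are outside the hunk, so it is not visible whether an errexit option already covers the install call.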
diff --git a/roles/murmur/files/murmur.ini b/roles/mumble-server/files/mumble-server.ini
similarity index 82%
rename from roles/murmur/files/murmur.ini
rename to roles/mumble-server/files/mumble-server.ini
index 8d3b90f..7243bbd 100644
--- a/roles/murmur/files/murmur.ini
+++ b/roles/mumble-server/files/mumble-server.ini
@@ -1,4 +1,4 @@
-; Murmur configuration file.
+; Mumble server configuration file.
 ;
 ; General notes:
 ; * Settings in this file are default settings and many of them can be overridden
@@ -12,10 +12,10 @@
 ; NOT regex = \w* BUT regex = \\w*
 ; Path to database. If blank, will search for
-; murmur.sqlite in default locations or create it if not found.
-database=/var/db/murmur/murmur.sqlite
+; mumble-server.sqlite in default locations or create it if not found.
+database=/var/lib/mumble-server/mumble-server.sqlite
-; Murmur defaults to using SQLite with its default rollback journal.
+; The server defaults to using SQLite with its default rollback journal.
 ; In some situations, using SQLite's write-ahead log (WAL) can be
 ; advantageous.
 ; If you encounter slowdowns when moving between channels and similar
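Review bot: The database path moves from `/var/db/murmur/murmur.sqlite` to `/var/lib/mumble-server/mumble-server.sqlite`, but nothing in the visible hunks copies the existing database across, so registered users, channels, ACLs and bans stay in a file the new server never opens, and the `Set supw` handler will initialise a fresh database at the new path instead. Unless the move is done by hand or in a task outside these hunks, a one-time copy of the old SQLite file (owned by `_mumble-server`, mode matching the new directory) to the new location belongs in the role, and the old path should be mentioned as retired in the commit message.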
@@ -26,13 +26,13 @@ database=/var/db/murmur/murmur.sqlite
 ;
 ; 0 - Use SQLite's default rollback journal.
 ; 1 - Use write-ahead log with synchronous=NORMAL.
-; If Murmur crashes, the database will be in a consistent state, but
+; If the server crashes, the database will be in a consistent state, but
 ; the most recent changes might be lost if the operating system did
-; not write them to disk yet. This option can improve Murmur's
+; not write them to disk yet. This option can improve the server's
 ; interactivity on busy servers, or servers with slow storage.
 ; 2 - Use write-ahead log with synchronous=FULL.
 ; All database writes are synchronized to disk when they are made.
-; If Murmur crashes, the database will be include all completed writes.
+; If the server crashes, the database will be include all completed writes.
 ;sqlite_wal=0
 ; If you wish to use something other than SQLite, you'll need to set the name
@@ -45,19 +45,19 @@ database=/var/db/murmur/murmur.sqlite
 ;dbPassword=
 ;dbHost=
 ;dbPort=
-;dbPrefix=murmur_
+;dbPrefix=mumble-server_
 ;dbOpts=
-; Murmur defaults to not using D-Bus. If you wish to use dbus, which is one of the
-; RPC methods available in Murmur, please specify so here.
+; The server defaults to not using D-Bus. If you wish to use dbus, which is one of the
+; RPC methods available in the server, please specify so here.
 ;
 ;dbus=session
 ; Alternate D-Bus service name. Only use if you are running distinct
-; murmurd processes connected to the same D-Bus daemon.
+; mumble server processes connected to the same D-Bus daemon.
 ;dbusservice=net.sourceforge.mumble.murmur
-; If you want to use ZeroC Ice to communicate with Murmur, you need
+; If you want to use ZeroC Ice to communicate with the server, you need
 ; to specify the endpoint to use. Since there is no authentication
 ; with ICE, you should only use it if you trust all the users who have
 ; shell access to your machine.
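Review bot: `;dbPrefix=mumble-server_` changes the commented-out default table prefix away from `murmur_`, which is the prefix an existing database created by the previous server uses; if this line is ever uncommented the server will look for (or create) tables under a different prefix and appear to have lost all data, and a hyphen in an unquoted table name may also need quoting on other SQL backends. Keeping the upstream `;dbPrefix=murmur_`, or adding `; must match the prefix of the existing schema` above it, avoids that trap. The hunk also keeps the note that Ice has no authentication of its own; with `ice=` active on 127.0.0.1 and an empty `icesecretwrite=` later in the file, any local account can issue write RPCs, so setting `icesecretwrite` is worth doing in the same migration.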
@@ -79,29 +79,13 @@ ice="tcp -h 127.0.0.1 -p 6502"
 ;icesecretread=
 icesecretwrite=
-; If you want to expose Murmur's experimental gRPC API, you
-; need to specify an address to bind on.
-; Note: not all builds of Murmur support gRPC. If gRPC is not
-; available, Murmur will warn you in its log output.
-;grpc="127.0.0.1:50051"
-; Specifying both a certificate and key file below will cause gRPC to use
-; secured, TLS connections.
-; When using secured connections you need to also set the list of authorized
-; clients. grpcauthorized is a space delimited list of SHA256 fingerprints
-; for authorized client certificates.
-; Get this from the command line:
-; openssl x509 -in cert.pem -SHA256 -noout -fingerprint
-;grpccert=""
-;grpckey=""
-;grpcauthorized=""
-
-; Specifies the file Murmur should log to. By default, Murmur
-; logs to the file 'murmur.log'. If you leave this field blank
-; on Unix-like systems, Murmur will force itself into foreground
+; Specifies the file the server should log to. By default the server
+; logs to the file 'mumble-server.log'. If you leave this field blank
+; on Unix-like systems, the server will force itself into foreground
 ; mode which logs to the console.
 logfile=
-; If set, Murmur will write its process ID to this file
+; If set, the server will write its process ID to this file
 ; when running in daemon mode (when the -fg flag is not
 ; specified on the command line). Only available on
 ; Unix-like systems.
@@ -125,7 +109,7 @@ welcometext="
Welcome to xenrox's Mumble server
" port=64738 ; Specific IP or hostname to bind to. -; If this is left blank (default), Murmur will bind to all available addresses. +; If this is left blank (default), the server will bind to all available addresses. ;host= ; Password to join server. @@ -135,8 +119,8 @@ serverpassword= ; to send speech at. bandwidth=558000 -; Murmur and Mumble are usually pretty good about cleaning up hung clients, but -; occasionally one will get stuck on the server. The timeout setting will cause +; The Mumble client and server are usually pretty good about cleaning up hung clients, +; but occasionally one will get stuck on the server. The timeout setting will cause ; a periodic check of all clients who haven't communicated with the server in ; this many seconds - causing zombie clients to be disconnected. ; @@ -209,7 +193,7 @@ opusthreshold=0 ; moved into that channel instead. Note that this is the numeric ID of the ; channel, which can be a little tricky to get (you'll either need to use an ; RPC mechanism, watch the console of a debug client, or root around through -; the Murmur Database to get it). +; the server database to get it). ; ;defaultchannel=0 @@ -233,7 +217,7 @@ opusthreshold=0 ; Allow clients to use HTML in messages, user comments and channel descriptions? ;allowhtml=true -; Murmur retains the per-server log entries in an internal database which +; The server retains the per-server log entries in an internal database which ; allows it to be accessed over D-Bus/ICE. ; How many days should such entries be kept? ; Set to 0 to keep forever, or -1 to disable logging to the DB. 
@@ -265,34 +249,34 @@ registerName=xenrox Mumble
 ;bonjour=true
 ; If you have a proper SSL certificate, you can provide the filenames here.
-; Otherwise, Murmur will create its own certificate automatically.
-sslCert=/etc/murmur/cert.pem
-sslKey=/etc/murmur/privkey.pem
+; Otherwise, the server will create its own certificate automatically.
+sslCert=/etc/mumble/cert.pem
+sslKey=/etc/mumble/privkey.pem
 ; If the keyfile specified above is encrypted with a passphrase, you can enter
 ; it in this setting. It must be plaintext, so you may wish to adjust the
-; permissions on your murmur.ini file accordingly.
+; permissions on your mumble-server.ini file accordingly.
 ;sslPassPhrase=
 ; If your certificate is signed by an authority that uses a sub-signed or
 ; "intermediate" certificate, you probably need to bundle it with your
-; certificate in order to get Murmur to accept it. You can either concatenate
+; certificate in order to get the server to accept it. You can either concatenate
 ; the two certificates into one file, or you can put it in a file by itself and
 ; put the path to that PEM-file in sslCA.
-sslCA=/etc/murmur/fullchain.pem
+sslCA=/etc/mumble/fullchain.pem
 ; The sslDHParams option allows you to specify a PEM-encoded file with
 ; Diffie-Hellman parameters, which will be used as the default Diffie-
 ; Hellman parameters for all virtual servers.
 ;
 ; Instead of pointing sslDHParams to a file, you can also use the option
-; to specify a named set of Diffie-Hellman parameters for Murmur to use.
-; Murmur comes bundled with the Diffie-Hellman parameters from RFC 7919.
+; to specify a named set of Diffie-Hellman parameters for the server to use.
+; The server comes bundled with the Diffie-Hellman parameters from RFC 7919.
 ; These parameters are available by using the following names:
 ;
 ; @ffdhe2048, @ffdhe3072, @ffdhe4096, @ffdhe6144, @ffdhe8192
 ;
-; By default, Murmur uses @ffdhe2048.
+; By default, the server uses @ffdhe2048.
;sslDHParams=@ffdhe2048
 ; The sslCiphers option chooses the cipher suites to make available for use
@@ -305,21 +289,21 @@ sslCA=/etc/murmur/fullchain.pem
 ; It is recommended that you try your cipher string using 'openssl ciphers '
 ; before setting it here, to get a feel for which cipher suites you will get.
 ;
-; After setting this option, it is recommend that you inspect your Murmur log
-; to ensure that Murmur is using the cipher suites that you expected it to.
+; After setting this option, it is recommend that you inspect your server log
+; to ensure that the server is using the cipher suites that you expected it to.
 ;
 ; Note: Changing this option may impact the backwards compatibility of your
-; Murmur server, and can remove the ability for older Mumble clients to be able
+; server, and can remove the ability for older Mumble clients to be able
 ; to connect to it.
 ;sslCiphers=EECDH+AESGCM:EDH+aRSA+AESGCM:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA
-; If Murmur is started as root, which user should it switch to?
-; This option is ignored if Murmur isn't started with root privileges.
+; If the server is started as root, which user should it switch to?
+; This option is ignored if the server isn't started with root privileges.
 ;uname=
 ; By default, in log files and in the user status window for privileged users,
 ; Mumble will show IP addresses - in some situations you may find this unwanted
-; behavior. If obfuscate is set to true, Murmur will randomize the IP addresses
+; behavior. If obfuscate is set to true, the server will randomize the IP addresses
 ; of connecting users.
 ;
 ; The obfuscate function only affects the log file and DOES NOT effect the user
@@ -377,19 +361,19 @@ sslCA=/etc/murmur/fullchain.pem
 ;kdfiterations=-1
 ; In order to prevent misconfigured, impolite or malicious clients from
-; affecting the low-latency of other users, Murmur has a rudimentary global-ban
+; affecting the low-latency of other users, the server has a rudimentary global-ban
 ; system. It's configured using the autobanAttempts, autobanTimeframe and
 ; autobanTime settings.
 ;
 ; If a client attempts autobanAttempts connections in autobanTimeframe seconds,
 ; they will be banned for autobanTime seconds. This is a global ban, from all
-; virtual servers on the Murmur process. It will not show up in any of the
+; virtual servers on the server process. It will not show up in any of the
 ; ban-lists on the server, and they can't be removed without restarting the
-; Murmur process - just let them expire. A single, properly functioning client
+; server process - just let them expire. A single, properly functioning client
 ; should not trip these bans.
 ;
 ; To disable, set autobanAttempts or autobanTimeframe to 0. Commenting these
-; settings out will cause Murmur to use the defaults:
+; settings out will cause the server to use the defaults:
 ;
 ; To avoid autobanning successful connection attempts from the same IP address,
 ; set autobanSuccessfulConnections=false.
@@ -401,15 +385,15 @@ sslCA=/etc/murmur/fullchain.pem
 ; Enables logging of group changes. This means that every time a group in a
 ; channel changes, the server will log all groups and their members from before
-; the change and after the change. Deault is false. This option was introduced
-; with Murmur 1.4.0.
+; the change and after the change. Default is false. This option was introduced
+; with Mumble server 1.4.0.
 ;
 ;loggroupchanges=false
 ; Enables logging of ACL changes. This means that every time the ACL in a
 ; channel changes, the server will log all ACLs from before the change and
-; after the change. Default is false. This option was introduced with Murmur
-; 1.4.0.
+; after the change. Default is false. This option was introduced with
+; Mumble server 1.4.0.
 ;
 ;logaclchanges=false
@@ -417,7 +401,7 @@ sslCA=/etc/murmur/fullchain.pem
 ; clients will respect this option in the UI (e.g. disable the recording feature
 ; in the UI). Additionally any client that tries to start a recording is kicked
 ; from the server with a corresponding message, if recording is disabled.
-; Default is true. This option was introduced with Murmur 1.5.0.
+; Default is true. This option was introduced with Mumble server 1.5.0.
 ;
 ; allowRecording=true
diff --git a/roles/mumble-server/handlers/main.yml b/roles/mumble-server/handlers/main.yml
new file mode 100644
index 0000000..523998a
--- /dev/null
+++ b/roles/mumble-server/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Set supw
+ ansible.builtin.command: mumble-server -ini /etc/mumble/mumble-server.ini -supw "{{ mumble_secrets['su_password'] }}"
+ become: true
+ become_user: _mumble-server
+
+- name: Restart mumble-server
+ ansible.builtin.systemd:
+ name: mumble-server
+ state: restarted
diff --git a/roles/murmur/tasks/main.yml b/roles/mumble-server/tasks/main.yml
similarity index 59%
rename from roles/murmur/tasks/main.yml
rename to roles/mumble-server/tasks/main.yml
index 18d9b98..375197b 100644
--- a/roles/murmur/tasks/main.yml
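Review bot: The new `Set supw` handler passes the superuser password as a command-line argument, so it is visible in the process list of every local user while the command runs and, since the task is not marked `no_log: true`, also in Ansible's output and any log collected from it. The daemon's `-readsupw` option reads the password from standard input instead (check `mumble-server -h` on the installed build), which `ansible.builtin.command` can feed through its `stdin` argument, keeping the secret out of argv altogether; the rewritten handler below keeps `become`/`become_user` so the database it initialises stays owned by `_mumble-server`.
```yaml
- name: Set supw
  ansible.builtin.command: mumble-server -ini /etc/mumble/mumble-server.ini -readsupw
  args:
    stdin: "{{ mumble_secrets['su_password'] }}"
  no_log: true
  become: true
  become_user: _mumble-server
# … unchanged: Restart mumble-server handler …
```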
+++ b/roles/mumble-server/tasks/main.yml
@@ -1,38 +1,30 @@
 ---
 - name: Get secrets
 ansible.builtin.set_fact:
- murmur_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/murmur') }}"
+ mumble_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/mumble') }}"
 - name: Install
 community.general.pacman:
- name: murmur
+ name: mumble-server
 state: present
 notify: Set supw
 - name: Configure
 ansible.builtin.copy:
- src: murmur.ini
- dest: /etc/murmur.ini
+ src: mumble-server.ini
+ dest: /etc/mumble/mumble-server.ini
 owner: root
- group: murmur
+ group: _mumble-server
 mode: 0640
- notify: Restart murmur
-
-- name: Create certificate dir
- ansible.builtin.file:
- path: /etc/murmur
- state: directory
- owner: murmur
- group: murmur
- mode: 0700
+ notify: Restart mumble-server
 - name: Copy certificate
 ansible.builtin.copy:
 src: /etc/letsencrypt/live/xenrox.net/{{ item }}
- dest: /etc/murmur/{{ item }}
+ dest: /etc/mumble/{{ item }}
 remote_src: true
- owner: murmur
- group: murmur
+ owner: _mumble-server
+ group: _mumble-server
 mode: 0400
 with_items:
 - fullchain.pem
@@ -41,7 +33,7 @@
 - name: Start and enable
 ansible.builtin.systemd:
- name: murmur
+ name: mumble-server
 enabled: true
 state: started
@@ -54,8 +46,8 @@
 - name: Install certificate hook
 ansible.builtin.copy:
- src: murmur.hook
- dest: /etc/letsencrypt/hook.d/murmur
+ src: mumble-server.hook
+ dest: /etc/letsencrypt/hook.d/mumble-server
 owner: root
 group: root
 mode: 0755
diff --git a/roles/murmur/handlers/main.yml b/roles/murmur/handlers/main.yml
deleted file mode 100644
index 6ab6fd2..0000000
--- a/roles/murmur/handlers/main.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-- name: Set supw
- ansible.builtin.command: murmurd -ini /etc/murmur.ini -supw "{{ murmur_secrets['su_password'] }}"
-
-- name: Restart murmur
- ansible.builtin.systemd:
- name: murmur
- state: restarted
-- 2.44.0
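Review bot: The role only installs the new hook at `/etc/letsencrypt/hook.d/mumble-server`; the hook the previous revision placed at `/etc/letsencrypt/hook.d/murmur` stays on the host, and on the next renewal whatever runs that directory will execute it, `install -o murmur` files for a user that may no longer exist and signal a `murmurd` that is gone, so a task using `ansible.builtin.file` with `path: /etc/letsencrypt/hook.d/murmur` and `state: absent` should accompany the rename (likewise for `/etc/murmur.ini` and the `/etc/murmur/` tree if they are not wanted as leftovers). Dropping the `Create certificate dir` task also means `/etc/mumble`, its owner and its mode now come entirely from the package; `Configure` and `Copy certificate` both write into it without creating it, so a comment on `Configure` such as `# /etc/mumble is created by the mumble-server package` would record that assumption, and a `state: directory` task would make the role self-sufficient if the package ever stops providing it. The rest of the `with_items` list and the tasks between the hunks are outside this view.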