Merge pull request 'Ansible should use libssh for persistent connections' (#5) from feature/ansible-use-libssh-for-persistent-connections into master

Reviewed-on: #5

README.md

@@ -25,8 +25,7 @@ The main goals of this project are:
 - [ONLYOFFICE Document Server](https://www.onlyoffice.com/) (integrates with Nextcloud)
 - [Collabora Online Development Edition](https://www.collaboraoffice.com/code/) (integrates with Nextcloud)
 - [Cryptpad](https://cryptpad.fr/)
-
-For hosting several isolated instances of these services on the same server, see the section on [multitenancy](#multitenancy).
+- [Coturn TURN/STUN server](https://github.com/coturn/coturn)
 
 ### WIP
 
@@ -159,21 +158,6 @@ Restic assumes untrusted environments, hence backups are always encrypted using
 
 The `common` role comes with a [firewall](https://galaxy.ansible.com/geerlingguy/firewall) based on iptables. If you don't allow SSH (usually port 22) then you might lock yourself out. Have a look at `group_vars/vagrant.yml` for an example config. Add the corresponding [firewall parameters](https://galaxy.ansible.com/geerlingguy/firewall) to your `host_vars` and adapt them according to your needs.
 
-## Multitenancy
-
-The roles used to provide the above services support multitenancy setups by offering the possibility to specify the installation path and further variables for proper routing of requests to the individual instances. 
-Note that in this setup, Traefik serves as the central entry point (and is not running multiple times!) and routes the request by the domain they were issued from.
-
-An example how to structure variables related to the individual instances and how to write an according inventory can be found under [examples/multitenancy](examples/multitenancy).
-The main idea is to define **multiple hosts targeting the same machine** and providing a different set of service variables for each. 
-
-Most importantly, to configure multiple instances for the same service, a unique `<service>_install_path` and `<service>_multitenant_label` need to be specified identifying the instance towards Traefik.
-Also, exposed ports **must** differ per instance as docker maps container port to the host's network (even if the containers reside in a user-defined network).
-
-In the examples you'll find additional `group_vars` that can be used to ease up setting up individual install paths by introducting `tenant_name`s and deploying services into a unified directory structure depending on that.
-For each individual host, all variables will be concatenated so that they are available in the service roles.
-
-
 ## Alternatives
 
 - [HomelabOS](https://gitlab.com/NickBusey/HomelabOS)

ansible.cfg

@@ -19,3 +19,6 @@ ssh_args = -o ControlMaster=auto -o ControlPersist=600s -o ServerAliveInterval=6
 control_path = %(directory)s/%%h-%%r
 pipelining = True
 timeout = 10
+
+[persistent_connection]
+ssh_type = libssh

coturn.yml

@@ -0,0 +1,7 @@
+---
+# coturn TURN server
+
+- hosts: coturn
+  become: true
+  roles:
+    - jotbe.coturn-docker

docker.yml

@@ -3,7 +3,9 @@
 
 - hosts: docker
   become: true
+  pre_tasks:
+    - name: Install pip packages for Docker
+      ansible.builtin.pip: 
+        name: "{{ pip_install_packages }}"
   roles:
-    - geerlingguy.pip
-    - geerlingguy.docker
     - jotbe.traefik-docker

examples/multitenancy/group_vars/all.yml

@@ -1,8 +0,0 @@
-# Deployment users and paths
-default_user: '{{ ansible_user }}'
-default_install_path: "/home/{{ default_user }}"
-default_services_path: "{{ default_install_path }}/services"
-
-# Defaults for multitenant setups
-tenant_name: ''
-tenant_install_path: "{{ default_services_path }}{{ '/' + tenant_name if (tenant_name) else '' }}"

examples/multitenancy/host_vars/server1/firewall.yml

@@ -1,16 +0,0 @@
-# Firewall
-firewall_disable_ufw: true
-firewall_flush_rules_and_chains: true
-firewall_additional_rules:
-  - "iptables --policy INPUT DENY"
-firewall_allowed_tcp_ports:
-  - "22"
-  - "80"
-  - "443"
-  # Jitsi
-  - "4443" # tenant_a
-  - "4543" # tenant_b
-firewall_allowed_udp_ports:
-  # Jitsi
-  - "10000" # tenant_a
-  - "11000" # tenant_b

examples/multitenancy/host_vars/server1/server1.yml

@@ -1,6 +0,0 @@
-# General settings
-ansible_user: deploy
-update_hostname: yes
-hostname: "multitenant-server1"
-users: []
-sudoers: []

examples/multitenancy/host_vars/server1/traefik.yml

@@ -1,8 +0,0 @@
-# Traefik proxy
-traefik_letsencrypt_email: max@example.com
-traefik_install_user: "{{ default_user }}"
-traefik_expose_internally: True
-traefik_expose_externally: False
-traefik_enable_acme: True
-traefik_use_acme_staging: False
-traefik_dns_challenge_provider: False

examples/multitenancy/host_vars/server1_tenant_a/jitsi_docker.yml

@@ -1,26 +0,0 @@
-jitsi_install_user: "{{ default_user }}"
-jitsi_install_path: "{{ tenant_install_path }}"
-jitsi_multitenant_label: "tenant_a"
-jitsi_docker_image_tag: 'latest'
-jitsi_public_url: https://tenant-a.example.com
-jitsi_docker_host_address: "{{ ansible_host }}"
-jitsi_exposed_http_port: 8010
-jitsi_exposed_https_port: 8453
-jitsi_bridge_udp_port: 11000
-jitsi_bridge_tcp_port: 4543
-jitsi_timezone: Europe/Amsterdam
-jitsi_enable_letsencrypt: False
-jitsi_virtual_host: tenant-a.example.com
-jitsi_jvb_stun_servers: meet-jit-si-turnrelay.jitsi.net:443
-# Passwords
-jitsi_jibri_recorder_password: secret1-CHANGE-ME
-jitsi_jibri_recorder_user: recorder
-jitsi_jibri_xmpp_password: secret2-CHANGE-ME
-jitsi_jibri_xmpp_user: jibri
-jitsi_jicofo_auth_password: secret3-CHANGE-ME
-jitsi_jicofo_auth_user: focus
-jitsi_jicofo_component_secret: secret4-CHANGE-ME
-jitsi_jigasi_xmpp_password: secret5-CHANGE-ME
-jitsi_jigasi_xmpp_user: jigasi
-jitsi_jvb_auth_user: jvb
-jitsi_jvb_auth_password: secret6-CHANGE-ME

examples/multitenancy/host_vars/server1_tenant_a/server1_tenant_a.yml

@@ -1,3 +0,0 @@
-ansible_user: deploy
-# Multitenant setup for tenant_a
-tenant_name: "tenant_a"

examples/multitenancy/host_vars/server1_tenant_b/jitsi_docker.yml

@@ -1,26 +0,0 @@
-jitsi_install_user: "{{ default_user }}"
-jitsi_install_path: "{{ tenant_install_path }}"
-jitsi_multitenant_label: "tenant_b"
-jitsi_docker_image_tag: 'latest'
-jitsi_public_url: https://tenant-b.example.com
-jitsi_docker_host_address: "{{ ansible_host }}"
-jitsi_exposed_http_port: 8010
-jitsi_exposed_https_port: 8453
-jitsi_bridge_udp_port: 11000
-jitsi_bridge_tcp_port: 4543
-jitsi_timezone: Europe/Amsterdam
-jitsi_enable_letsencrypt: False
-jitsi_virtual_host: tenant-b.example.com
-jitsi_jvb_stun_servers: meet-jit-si-turnrelay.jitsi.net:443
-# Passwords
-jitsi_jibri_recorder_password: secret1-CHANGE-ME
-jitsi_jibri_recorder_user: recorder
-jitsi_jibri_xmpp_password: secret2-CHANGE-ME
-jitsi_jibri_xmpp_user: jibri
-jitsi_jicofo_auth_password: secret3-CHANGE-ME
-jitsi_jicofo_auth_user: focus
-jitsi_jicofo_component_secret: secret4-CHANGE-ME
-jitsi_jigasi_xmpp_password: secret5-CHANGE-ME
-jitsi_jigasi_xmpp_user: jigasi
-jitsi_jvb_auth_user: jvb
-jitsi_jvb_auth_password: secret6-CHANGE-ME

examples/multitenancy/host_vars/server1_tenant_b/server1_tenant_b.yml

@@ -1,3 +0,0 @@
-ansible_user: deploy
-# Multitenant setup for tenant_b
-tenant_name: "tenant_b"

examples/multitenancy/inventory.ini.sample

@@ -1,35 +0,0 @@
-[server1_hosts]
-# Main host
-server1
-# Tenants
-server1_tenant_a
-server1_tenant_b
-
-[server1_hosts:vars]
-ansible_host=1.2.3.4
-ansible_ssh_host=1.2.3.4
-
-[common]
-server1
-
-[docker]
-server1
-
-[traefik]
-server1 # Must only be running on the main host
-
-[nextcloud]
-tenant_a
-
-[jitsi_docker]
-tenant_a
-tenant_b # Tenant B might only use Jitsi service
-
-[collabora]
-tenant_a
-
-[onlyoffice]
-tenant_a
-
-[cryptpad]
-tenant_a

group_vars/docker.yml

@@ -1,11 +1,6 @@
-pip_package: python3-pip
+#pip_package: python3-pip
 pip_install_packages:
-  - name: docker
-  - name: docker-compose
-docker_edition: "ce"
-docker_version: "19.03.5"
-docker_package: "docker-{{ docker_edition }}"
-docker_package_state: present
-docker_compose_version: "1.25.0"
+  - docker
+  - docker-compose
 docker_users:
   - deploy

group_vars/vagrant.yml

@@ -16,14 +16,11 @@ firewall_allowed_udp_ports:
 users:
   - deploy
 sudoers: []
-docker_user: deploy
-cryptpad_install_user: "{{ docker_user }}"
 cryptpad_virtual_host: pad.satt.local
 cryptpad_safe_virtual_host: pad-sandbox.satt.local
 cryptpad_admin_email: admin@example.tld
 cryptpad_block_daily_check: yes
-nextcloud_install_user: "{{ docker_user }}"
-nextcloud_mariadb_root_password: password
+mariadb_root_password: password
 nextcloud_mariadb_user: nextcloud
 nextcloud_mariadb_password: password
 nextcloud_admin_user: admin
@@ -34,18 +31,15 @@ nextcloud_overwrite_host: nextcloud.satt.local
 nextcloud_overwrite_protocol: http
 nextcloud_enable_restic_compose_backup: False
 nextcloud_virtual_host: nextcloud.satt.local
-collabora_install_user: "{{ docker_user }}"
 collabora_virtual_host: collabora.satt.local
 collabora_domain_regex_pattern: nextcloud\.satt\.local
 collabora_admin_user: admin
 collabora_admin_password: password
-onlyoffice_install_user: "{{ docker_user }}"
 onlyoffice_virtual_host: documentserver.satt.local
 onlyoffice_allow_origin_list: "{{ nextcloud_overwrite_cli_url }}"
 onlyoffice_jwt_enabled: "true"
 onlyoffice_jwt_secret: topsecrettoken
 onlyoffice_jwt_header: Authorization
-jitsi_install_user: "{{ docker_user }}"
 jitsi_public_url: https://jitsi.satt.local
 jitsi_docker_host_address: "{{ ansible_host }}"
 jitsi_exposed_http_port: 8000
@@ -55,10 +49,11 @@ jitsi_enable_letsencrypt: False
 jitsi_virtual_host: jitsi.satt.local
 jitsi_jvb_stun_servers: meet-jit-si-turnrelay.jitsi.net:443
 jitsi_web_channel_last_n: 2
-traefik_install_user: "{{ docker_user }}"
-traefik_expose_internally: True
-traefik_expose_externally: False
-traefik_enable_acme: False
-traefik_use_acme_staging: False
-traefik_dns_challenge_provider: False
+docker_user: deploy
+traefik:
+  expose_internally: True
+  expose_externally: False
+  enable_acme: False
+  use_acme_staging: False
+  dns_challenge_provider: False
 

requirements.yml

@@ -1,25 +1,35 @@
-- geerlingguy.firewall
-- geerlingguy.pip
-- geerlingguy.docker
+collections:
+  - community.docker
 
-- name: jotbe.common
+roles:
+  - geerlingguy.firewall
+  - geerlingguy.pip
+  # - geerlingguy.docker
+
+  - name: jotbe.common
     src: https://git.jotbe.io/jotbe/ansible-role-common.git
     scm: git
-- name: jotbe.traefik-docker
+  - name: jotbe.traefik-docker
     src: https://git.jotbe.io/jotbe/ansible-role-traefik-docker.git
     scm: git
-- name: jotbe.nextcloud-docker
+  - name: jotbe.nextcloud-docker
+    version: v1.0.2
     src: https://git.jotbe.io/jotbe/ansible-role-nextcloud-docker.git
     scm: git
-- name: jotbe.jitsi-docker
+  - name: jotbe.coturn-docker
+    src: https://git.jotbe.io/jotbe/ansible-role-coturn-docker.git
+    scm: git
+  - name: jotbe.jitsi-docker
+    version: v1.0.0
     src: https://git.jotbe.io/jotbe/ansible-role-jitsi-docker.git
     scm: git
-- name: jotbe.collabora-online-docker
+  - name: jotbe.collabora-online-docker
+    version: v1.0.0
     src: https://git.jotbe.io/jotbe/ansible-role-collabora-online-docker.git
     scm: git
-- name: jotbe.onlyoffice-document-server-docker
+  - name: jotbe.onlyoffice-document-server-docker
     src: https://git.jotbe.io/jotbe/ansible-role-onlyoffice-document-server-docker.git
     scm: git
-- name: jotbe.cryptpad-docker
+  - name: jotbe.cryptpad-docker
     src: https://git.jotbe.io/jotbe/ansible-role-cryptpad-docker.git
     scm: git

site.yml

@@ -5,5 +5,6 @@
 - import_playbook: docker.yml
 - import_playbook: nextcloud.yml
 - import_playbook: collabora-online.yml
+- import_playbook: coturn.yml
 - import_playbook: jitsi.yml
 - import_playbook: cryptpad.yml