Initial commit

Alex 2020-05-21 20:05:46 +02:00
commit 385fda1e1b
Signed by: caskd
GPG Key ID: F92BA85F61F4C173
4 changed files with 68 additions and 0 deletions

1
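--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+vault/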

23
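--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,23 @@
+- name: Include sensitive info
+include_vars:
+dir: '/vault/main.yml'
+tags:
+- vault
+- name: Copy configuration
+template:
+follow: yes
+src: 'murmur.ini.j2'
+dest: '{{ murmur.configpath }}/mumble-server.ini'
+tags:
+- murmur
+- vault
+notify: Run service actions
+- name: Copy systemd service file
+template:
+follow: yes
+src: 'murmur.service.j2'
+dest: '/etc/systemd/system/murmur.service'
+notify: Run service actions
+tags:
+- murmur
+- systemd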
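Review bot: The "Copy configuration" task renders `dbPassword` and `registerPassword` into `{{ murmur.configpath }}/mumble-server.ini` without `owner`, `group` or `mode`, so the file gets whatever the umask allows, which is typically world-readable. Set them explicitly, for example `owner: root`, `group: <service group>`, `mode: '0640'`, and consider `no_log: true` on this task so a `--diff` run does not print the rendered secrets. Separately, `include_vars` is given `dir: '/vault/main.yml'`, which names what looks like a file under the filesystem root. Since `.gitignore` excludes a relative `vault/`, `file:` with a role-relative path is probably what was intended; worth confirming.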

18
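--- a/templates/murmur.ini.j2
+++ b/templates/murmur.ini.j2
@@ -0,0 +1,18 @@
+database={{ murmur.database.dbname|default("murmur") }}
+dbDriver={{ murmur.database.driver|default("QPSQL") }}
+dbUsername={{ murmur.database.username|default("murmur") }}
+dbPassword={{ murmur.database.password }}
+dbHost={{ murmur.database.host|default("localhost") }}
+dbPort={{ murmur.database.port|default(5432) }}
+registerName="{{ murmur.database.name }}"
+registerPassword={{ murmur.register.password }}
+registerUrl=https://{{ murmur.register.url }}/
+registerHostname={{ murmur.register.host }}
+host={{ murmur.listen.host|default("0.0.0.0 ::") }}
+uname={{ murmur.username|default("nobody") }}
+opusthreshold=10
+port={{ murmur.listen.port|default(51413) }}
+defaultchannel={{ murmur.defaultchan|default(0) }}
+welcometext="
+{{ murmur.motd }}
+"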
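Review bot: `dbPassword` and `registerPassword` are rendered unquoted, so a secret containing a comma, semicolon, backslash or quote will be parsed as something other than what the vault holds; Murmur's ini format expects such values to be quoted and escaped. Write them as `dbPassword="{{ murmur.database.password }}"` (likewise `registerPassword`) and document that `"` and `\` in the value must be escaped. `welcometext` has the same problem when `murmur.motd` contains a `"`. `registerName` reads `murmur.database.name` while every other register setting reads `murmur.register.*`, which looks like the wrong key and should be confirmed.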


@ -0,0 +1,26 @@
[Unit]
Description=Murmur Voice server
After=network-online.target
[Service]
ExecStart=/usr/sbin/murmurd -fg -ini {{ murmur.configpath }}/mumble-server.ini
Restart=always
ProtectSystem=strict
PrivateUsers=true
NoNewPrivileges=yes
TemporaryFileSystem=/:ro
BindReadOnlyPaths={{ murmur.configpath }} /usr /lib /lib64
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
PrivateTmp=yes
PrivateDevices=yes
[Install]
WantedBy=multi-user.target
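Review bot: The `[Service]` section has no `User=`/`Group=`, so murmurd starts as root and the privilege drop depends entirely on `uname=` in the rendered ini, whose default `nobody` is an account shared with unrelated processes. With `PrivateUsers=true` only root and the unit's own user are mapped, so switching to another account inside the service may not behave as expected and should be tested. Setting `User=<service account>` and `Group=<service group>` in the unit, plus an empty `CapabilityBoundingSet=` when the listen port is above 1024, keeps the process unprivileged from the start. `BindReadOnlyPaths=` lists `/lib64` without a `-` prefix, so the unit will fail to start on hosts where that path does not exist. `After=network-online.target` is normally paired with `Wants=network-online.target`.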