commit 385fda1e1b093c0478865238b6778d5cee85a8e1
Author: Alex
Date: Thu May 21 20:05:46 2020 +0200
Initial commit
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4dc51e8
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+vault/
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..e4e9db3
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,23 @@
+- name: Include sensitive info
+ include_vars:
+ dir: '/vault/main.yml'
+ tags:
+ - vault
+- name: Copy configuration
+ template:
+ follow: yes
+ src: 'murmur.ini.j2'
+ dest: '{{ murmur.configpath }}/mumble-server.ini'
+ tags:
+ - murmur
+ - vault
+ notify: Run service actions
+- name: Copy systemd service file
+ template:
+ follow: yes
+ src: 'murmur.service.j2'
+ dest: '/etc/systemd/system/murmur.service'
+ notify: Run service actions
+ tags:
+ - murmur
+ - systemd
diff --git a/templates/murmur.ini.j2 b/templates/murmur.ini.j2
new file mode 100644
index 0000000..5a5729e
--- /dev/null
+++ b/templates/murmur.ini.j2
@@ -0,0 +1,18 @@
+database={{ murmur.database.dbname|default("murmur") }}
+dbDriver={{ murmur.database.driver|default("QPSQL") }}
+dbUsername={{ murmur.database.username|default("murmur") }}
+dbPassword={{ murmur.database.password }}
+dbHost={{ murmur.database.host|default("localhost") }}
+dbPort={{ murmur.database.port|default(5432) }}
+registerName="{{ murmur.database.name }}"
+registerPassword={{ murmur.register.password }}
+registerUrl=https://{{ murmur.register.url }}/
+registerHostname={{ murmur.register.host }}
+host={{ murmur.listen.host|default("0.0.0.0 ::") }}
+uname={{ murmur.username|default("nobody") }}
+opusthreshold=10
+port={{ murmur.listen.port|default(51413) }}
+defaultchannel={{ murmur.defaultchan|default(0) }}
+welcometext="
+{{ murmur.motd }}
+"
diff --git a/templates/murmur.service.j2 b/templates/murmur.service.j2
new file mode 100644
index 0000000..e9a6086
--- /dev/null
+++ b/templates/murmur.service.j2
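Review bot: The "Copy configuration" template task in tasks/main.yml sets no `mode`, `owner` or `group`, yet the rendered `mumble-server.ini` carries `dbPassword` and `registerPassword`, so its permissions fall to the remote umask and the file may end up world-readable. Add `mode: '0640'` with an explicit `owner`/`group` matching the account murmurd reads the config as (or `'0600'` if that account owns the file). In the first task, `include_vars` is given `dir:` but the value names a file; something like `file: 'vault/main.yml'` looks intended, and the leading `/` makes the path absolute, which does not match the repo-relative `vault/` entry in `.gitignore` — worth confirming. Consider `no_log: true` on that task so the loaded secrets do not appear in verbose run output.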
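Review bot: In templates/murmur.ini.j2, `registerName` is rendered from `murmur.database.name` while every other `register*` key reads from `murmur.register.*`; this looks like a copy-paste slip and probably should be `registerName="{{ murmur.register.name }}"`. `dbPassword` and `registerPassword` are emitted unquoted, so a secret containing characters the ini parser treats specially (for example `;`, `,`, `\` or `"`) may be truncated or misparsed, which can silently configure a weaker password than intended; wrapping the values in double quotes and escaping embedded quotes and backslashes avoids that. The template also sets no `serverpassword` and `host` defaults to all interfaces, so confirm that an open, publicly reachable server is the intent.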
@@ -0,0 +1,26 @@
+[Unit]
+Description=Murmur Voice server
+After=network-online.target
+
+[Service]
+ExecStart=/usr/sbin/murmurd -fg -ini {{ murmur.configpath }}/mumble-server.ini
+Restart=always
+ProtectSystem=strict
+PrivateUsers=true
+NoNewPrivileges=yes
+TemporaryFileSystem=/:ro
+BindReadOnlyPaths={{ murmur.configpath }} /usr /lib /lib64
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+PrivateTmp=yes
+PrivateDevices=yes
+
+[Install]
+WantedBy=multi-user.target
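Review bot: The `[Service]` section has no `User=`/`Group=`, so murmurd starts as root inside the sandbox and the move to an unprivileged account depends entirely on `uname` in the ini, which defaults to the shared `nobody` account. Running the unit under a dedicated service account, e.g. `User=murmur` and `Group=murmur` (example name), or `DynamicUser=yes`, removes the reliance on the in-process privilege drop and keeps the daemon from sharing a UID with unrelated software. With `TemporaryFileSystem=/:ro`, `/etc` is visible only if `murmur.configpath` lies beneath it, and then only that directory, so account lookups, resolver configuration and CA certificates may be missing at runtime; test this and bind the specific files needed rather than all of `/etc`. `After=network-online.target` only orders the unit, so add `Wants=network-online.target` to have the target actually pulled in.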