Initial commit

2020-05-21 20:05:46 +02:00 · 2020-05-21 20:05:46 +02:00 · 385fda1e1b
commit 385fda1e1b
4 changed files with 68 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+vault/
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,23 @@
+- name: Include sensitive info
+  include_vars:
+        dir: '/vault/main.yml'
+  tags:
+        - vault
+- name: Copy configuration
+  template:
+        follow: yes
+        src: 'murmur.ini.j2'
+        dest: '{{ murmur.configpath }}/mumble-server.ini'
+  tags:
+        - murmur
+        - vault
+  notify: Run service actions
+- name: Copy systemd service file
+  template:
+        follow: yes
+        src: 'murmur.service.j2'
+        dest: '/etc/systemd/system/murmur.service'
+  notify: Run service actions
+  tags:
+        - murmur
+        - systemd
--- a/templates/murmur.ini.j2
+++ b/templates/murmur.ini.j2
@ -0,0 +1,18 @@
+database={{ murmur.database.dbname|default("murmur") }}
+dbDriver={{ murmur.database.driver|default("QPSQL") }}
+dbUsername={{ murmur.database.username|default("murmur") }}
+dbPassword={{ murmur.database.password }}
+dbHost={{ murmur.database.host|default("localhost") }}
+dbPort={{ murmur.database.port|default(5432) }}
+registerName="{{ murmur.database.name }}"
+registerPassword={{ murmur.register.password }}
+registerUrl=https://{{ murmur.register.url }}/
+registerHostname={{ murmur.register.host }}
+host={{ murmur.listen.host|default("0.0.0.0 ::") }}
+uname={{ murmur.username|default("nobody") }}
+opusthreshold=10
+port={{ murmur.listen.port|default(51413) }}
+defaultchannel={{ murmur.defaultchan|default(0) }}
+welcometext="
+{{ murmur.motd }}
+"
--- a/templates/murmur.service.j2
+++ b/templates/murmur.service.j2
@ -0,0 +1,26 @@
+[Unit]
+Description=Murmur Voice server
+After=network-online.target
+
+[Service]
+ExecStart=/usr/sbin/murmurd -fg -ini {{ murmur.configpath }}/mumble-server.ini
+Restart=always
+ProtectSystem=strict
+PrivateUsers=true
+NoNewPrivileges=yes
+TemporaryFileSystem=/:ro
+BindReadOnlyPaths={{ murmur.configpath }} /usr /lib /lib64
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+PrivateTmp=yes
+PrivateDevices=yes
+
+[Install]
+WantedBy=multi-user.target