ITSquad/Mumble

From Pirate Party Belgium
Jump to: navigation, search
Mumble Toicon-icon-avocado-build.svg
Workgroup ITSquad
Start date Sun 22 March 2020
Contact it [at] pirateparty (point) be
Status In progress

Description

Mumble is a server for holding audio conferences.

Since March 2020, the PPBe is hosting a Mumble server together with a web client on https://talk.parley.be.

It is also possible to connect through another Mumble client at mumble.parley.be with port 64738.

To connect you can give the username you wish. No password is needed, although we could decide to setup a password if we see that there are too much spam.

As we are using umurmur, a lightweight Mumble server, there are some limitations. For instance, the number of rooms is fixed on server startup, and we cannot grant permissions for certain users. There is only one admin password, which gives the right to silent people.

Install

Note: We are using two separate domain names, one for the mumble server and another for the web interface. However, you can as well use a single domain name for both applications. Indeed, the mumble server listens on port 64738, while the client listens on ports 80 and 443, so they won't conflict ;) Just reuse the same certificate for both applications and you should be fine.

Server

Install dependencies:

apt install git build-essential cmake libconfig-dev libprotobuf-c-dev libmbedtls-dev ssl-cert

Create the directory for the server sources:

mkdir /opt/umurmur
cd /opt/umurmur

Clone the umurmur git repository:

git clone https://github.com/umurmur/umurmur.git .

Checkout to the latest version (see the releases list):

git checkout 0.2.17

Create the build directory:

mkdir ./build
cd ./build

Build the sources:

cmake .. -DSSL=mbedtls
make

Install the umurmur binary on the system:

make install

You can now edit the configuration file at /usr/local/etc/umurmur.conf. Check the doc for an example. We will define the certificates later on. You can setup a password if you wish.

Generate a random password for the admin:

pwgen -s 42 1

And copy/paste this password to the umurmur config file.

Create the systemd service unit (just copy/paste this block):

cat > /etc/systemd/system/umurmur.service << EOF
[Unit]
Description=Minimalistic Mumble server
After=network.target

[Service]
Type=simple
User=nobody
Group=ssl-cert
Restart=on-failure
RestartSec=3
PIDFile=/run/umurmurd.pid
ExecStartPre=/usr/local/bin/umurmurd -t -c /usr/local/etc/umurmur.conf
ExecStart=/usr/local/bin/umurmurd -d -r -c /usr/local/etc/umurmur.conf
ExecReload=/bin/kill -HUP $MAINPID
PrivateDevices=yes
PrivateTmp=yes
ProtectSystem=strict
ReadWriteDirectories=/usr/local/etc/
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
NoNewPrivileges=yes
LimitRTPRIO=1

[Install]
WantedBy=multi-user.target
EOF

Reload the systemd service unit config:

systemctl daemon-reload

Web client

Install nodejs repository (LTS is v0.12.x):

curl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash -

Install nodejs and websockify:

apt install nodejs websockify

Create the directory for mumble-web:

mkdir /var/www/mumble-web
cd /var/www/mumble-web

Clone the mumble-web git repository:

git clone https://github.com/Johni0702/mumble-web.git .

Build the sources:

npm install
npm audit fix

Build the assets and config:

npm run build

Edit the configuration file at ./dist/config.local.js. Add the following options in the config file:

// Which fields to show on the Connect to Server dialog
config.connectDialog.address = false
config.connectDialog.port = false
config.connectDialog.token = false
config.connectDialog.password = false

// Default values for user settings
config.settings.pttKey = 'shift'

// Default values (can be changed by passing a query parameter of the same name)
config.defaults.address = 'talk.parley.be/mumble'

This will tell the client to only ask for an username. If you setup a password for the server, you can set it to true.

The config also indicates to which address the client should connect. The /mumble path will be defined later in the Nginx section, but basically we will create a websocket proxy to the mumble server.

Create the systemd service unit (just copy paste this block):

cat > /etc/systemd/system/mumble-web.service << EOF
[Unit]
Description=Mumble web client using websockets
After=network.target

[Service]
Type=simple
User=nobody
Group=nogroup
Restart=on-failure
RestartSec=3
PIDFile=/run/mumble-web.pid
ExecStart=/usr/bin/websockify --ssl-target 64737 localhost:64738
ExecReload=/bin/kill -HUP $MAINPID
PrivateDevices=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
NoNewPrivileges=yes
LimitRTPRIO=1

[Install]
WantedBy=multi-user.target
EOF

Reload the systemd service unit config:

systemctl daemon-reload

Nginx

Install nginx:

apt install nginx

Create the config for your web client (just copy/paste this block):

cat > /etc/nginx/sites-available/mumble.conf << EOF
server {
  listen 80;
  listen [::]:80;
  server_name talk.parley.be mumble.parley.be;
  
  # Useful for Let's Encrypt
  location /.well-known/acme-challenge/ {
    allow all;
  }
  
  location / {
    return 301 https://$host$request_uri;
  }
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name talk.parley.be;

  ssl_certificate /etc/letsencrypt/live/talk.parley.be/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/talk.parley.be/privkey.pem;

  include /etc/letsencrypt/options-ssl-nginx.conf;

  location / {
    root /var/www/mumble-web/dist/;
  }

  location /mumble {
    proxy_pass http://127.0.0.1:64737;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
  }
}

map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
}
EOF

Install certbot for managing the certificates (check on their website if you need to install the certbot repository):

apt install certbot python-certbot-nginx

Add the following hook in /etc/letsencrypt/cli.ini:

post-hook = chmod 0640 /etc/letsencrypt/archive/*/privkey*.pem && chmod g+rx /etc/letsencrypt/live /etc/letsencrypt/archive && chown -R root:ssl-cert /etc/letsencrypt/live /etc/letsencrypt/archive

This will give the read permissions for the group ssl-certs. It is required for the umurmur server which will be run as member of that group.

Generate two certificates, one for the client and one for the server:

certbot certonly --nginx -d talk.parley.be
certbot certonly --nginx -d mumble.parley.be

Enable the nginx configuration:

ln -s /etc/nginx/sites-available/mumble.conf /etc/nginx/sites-enabled/

Check that everything is fine:

nginx -t

Reload the nginx server:

systemctl reload nginx

Change the certificates for umurmur in the config file /usr/local/etc/umurmur.conf. The paths should be something like:

certificate = "/etc/letsencrypt/live/mumble.parley.be/fullchain.pem";
private_key = "/etc/letsencrypt/live/mumble.parley.be/privkey.pem";

You can finally start the client and server:

systemctl start umurmur
systemctl start mumble-web

Don't forget to open the port 64738 of your firewall if you want to allow people connecting from the desktop Mumble client!

When everything looks good, enable the services:

systemctl enable umurmur mumble-web

Enjoy!