ITSquad/Mumble

From Pirate Party Belgium
Mumble
Workgroup ITSquad
Start date Sun 22 March 2020
Contact it [at] pirateparty (point) be
Status In progress

Description

Mumble is a server for holding audio conferences.

Since March 2020, the PPBe is hosting a Mumble server together with a web client on https://talk.parley.be.

It is also possible to connect with another Mumble client at mumble.parley.be on port 64738.

To connect, you can enter any username you wish. No password is needed, although we could decide to set up a password if we see that there is too much spam.

As we are using umurmur, a lightweight Mumble server, there are some limitations. For instance, the number of rooms is fixed on server startup, and we cannot grant permissions to specific users. There is only one admin password, which gives the right to silence people.

Install

Note: We are using two separate domain names, one for the Mumble server and another for the web interface. However, you can just as well use a single domain name for both applications. Indeed, the Mumble server listens on port 64738, while the client listens on ports 80 and 443, so they won't conflict ;) Just reuse the same certificate for both applications and you should be fine.

Server

Install dependencies:

apt install git build-essential cmake libconfig-dev libprotobuf-c-dev libmbedtls-dev ssl-cert

Create the directory for the server sources:

mkdir /opt/umurmur
cd /opt/umurmur

Clone the umurmur git repository:

git clone https://github.com/umurmur/umurmur.git .

Check out the latest version (see the releases list):

git checkout 0.2.17

Create the build directory:

mkdir ./build
cd ./build

Build the sources:

cmake .. -DSSL=mbedtls
make

Install the umurmur binary on the system:

make install

You can now edit the configuration file at /usr/local/etc/umurmur.conf. Check the doc for an example. We will define the certificates later on. You can set up a password if you wish.

Generate a random password for the admin:

pwgen -s 42 1

And copy/paste this password to the umurmur config file.

Create the systemd service unit (just copy/paste this block; the quoted 'EOF' keeps the shell from expanding $MAINPID before the file is written):

cat > /etc/systemd/system/umurmur.service << 'EOF'
[Unit]
Description=Minimalistic Mumble server
After=network.target

[Service]
Type=simple
User=nobody
Group=ssl-cert
Restart=on-failure
RestartSec=3
PIDFile=/run/umurmurd.pid
ExecStartPre=/usr/local/bin/umurmurd -t -c /usr/local/etc/umurmur.conf
ExecStart=/usr/local/bin/umurmurd -d -r -c /usr/local/etc/umurmur.conf
ExecReload=/bin/kill -HUP $MAINPID
PrivateDevices=yes
PrivateTmp=yes
ProtectSystem=strict
ReadWriteDirectories=/usr/local/etc/
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
NoNewPrivileges=yes
LimitRTPRIO=1

[Install]
WantedBy=multi-user.target
EOF

Reload the systemd service unit config:

systemctl daemon-reload

Web client

Install the Node.js repository (LTS is v12.x):

curl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash -

Install nodejs and websockify:

apt install nodejs websockify

Create the directory for mumble-web:

mkdir /var/www/mumble-web
cd /var/www/mumble-web

Clone the mumble-web git repository:

git clone https://github.com/Johni0702/mumble-web.git .

Install the dependencies and apply the available audit fixes:

npm install
npm audit fix

Build the assets and config:

npm run build

Edit the configuration file at ./dist/config.local.js. Change the following options, starting with the connectDialog section:

// Which fields to show on the Connect to Server dialog
config.connectDialog.address = false
config.connectDialog.port = false
config.connectDialog.token = false
config.connectDialog.password = false

// Default values for user settings
config.settings.pttKey = 'shift'

// Default values (can be changed by passing a query parameter of the same name)
config.defaults.address = 'talk.parley.be/mumble'

This will tell the client to only ask for a username. If you set up a password for the server, you can set config.connectDialog.password to true.

The config also indicates to which address the client should connect. The /mumble path will be defined later in the Nginx section, but basically we will create a websocket proxy to the mumble server.

Create the systemd service unit (just copy/paste this block; the quoted 'EOF' keeps the shell from expanding $MAINPID before the file is written):

cat > /etc/systemd/system/mumble-web.service << 'EOF'
[Unit]
Description=Mumble web client using websockets
After=network.target

[Service]
Type=simple
User=nobody
Group=nogroup
Restart=on-failure
RestartSec=3
PIDFile=/run/mumble-web.pid
ExecStart=/usr/bin/websockify --ssl-target 64737 localhost:64738
ExecReload=/bin/kill -HUP $MAINPID
PrivateDevices=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
NoNewPrivileges=yes
LimitRTPRIO=1

[Install]
WantedBy=multi-user.target
EOF

Reload the systemd service unit config:

systemctl daemon-reload

Nginx

Install nginx:

apt install nginx

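Create the config for your web client (just copy/paste this block; the quoted 'EOF' keeps the shell from expanding nginx variables such as $host and $http_upgrade before the file is written):

cat > /etc/nginx/sites-available/mumble.conf << 'EOF'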
server {
  listen 80;
  listen [::]:80;
  server_name talk.parley.be mumble.parley.be;
  
  # Useful for Let's Encrypt
  location /.well-known/acme-challenge/ {
    allow all;
  }
  
  location / {
    return 301 https://$host$request_uri;
  }
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name talk.parley.be;

  ssl_certificate /etc/letsencrypt/live/talk.parley.be/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/talk.parley.be/privkey.pem;

  include /etc/letsencrypt/options-ssl-nginx.conf;

  location / {
    root /var/www/mumble-web/dist/;
  }

  location /mumble {
    proxy_pass http://127.0.0.1:64737;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
  }
}

map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
}
EOF

Install certbot for managing the certificates (check on their website if you need to install the certbot repository):

apt install certbot python-certbot-nginx

Add the following hook in /etc/letsencrypt/cli.ini:

post-hook = chmod 0640 /etc/letsencrypt/archive/*/privkey*.pem && chmod g+rx /etc/letsencrypt/live /etc/letsencrypt/archive && chown -R root:ssl-cert /etc/letsencrypt/live /etc/letsencrypt/archive

This gives read permission to the group ssl-cert. It is required for the umurmur server, which runs as a member of that group.
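
One way to confirm that the hook left the keys in the intended state, as an added example that is not part of the original guide. It assumes GNU stat; check_secret and audit_secrets are names introduced here.

```shell
#!/bin/sh
# Added example (not from the original page): audit the key permissions
# that the certbot post-hook is supposed to leave behind.

# check_secret GROUP FILE
# Returns 0 when FILE belongs to GROUP, grants nothing to "other" and is not
# group-writable; prints one finding per problem and returns 1 otherwise.
check_secret() {
    want_group=$1 file=$2 rc=0
    if [ ! -e "$file" ]; then
        echo "MISSING        $file"
        return 1
    fi
    # GNU stat: %a = octal mode, %G = group name; -L follows the live/ symlinks
    mode=$(stat -L -c '%a' "$file")
    group=$(stat -L -c '%G' "$file")
    case $mode in
        *[1-7]) echo "OTHER-ACCESS   $file (mode $mode)"; rc=1 ;;
    esac
    case $mode in
        *[2367]?) echo "GROUP-WRITABLE $file (mode $mode)"; rc=1 ;;
    esac
    if [ "$group" != "$want_group" ]; then
        echo "WRONG-GROUP    $file (group $group, expected $want_group)"
        rc=1
    fi
    return $rc
}

# audit_secrets GROUP FILE...
# Checks every FILE and returns the number of files with findings.
audit_secrets() {
    want=$1; shift
    bad=0
    for f in "$@"; do
        check_secret "$want" "$f" || bad=$((bad + 1))
    done
    return $bad
}

# Paths and group are the ones used on this page; skipped when absent.
if [ -d /etc/letsencrypt/live ]; then
    audit_secrets ssl-cert /etc/letsencrypt/live/*/privkey.pem || true
fi
```

The same function can be pointed at /usr/local/etc/umurmur.conf, which holds the admin password.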

Generate two certificates, one for the client and one for the server:

certbot certonly --nginx -d talk.parley.be
certbot certonly --nginx -d mumble.parley.be

Enable the nginx configuration:

ln -s /etc/nginx/sites-available/mumble.conf /etc/nginx/sites-enabled/

Check that everything is fine:

nginx -t

Reload the nginx server:

systemctl reload nginx

Change the certificates for umurmur in the config file /usr/local/etc/umurmur.conf. The paths should be something like:

certificate = "/etc/letsencrypt/live/mumble.parley.be/fullchain.pem";
private_key = "/etc/letsencrypt/live/mumble.parley.be/privkey.pem";

You can finally start the client and server:

systemctl start umurmur
systemctl start mumble-web

Don't forget to open port 64738 in your firewall if you want to allow people to connect from the desktop Mumble client!
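
Before opening the firewall, it helps to confirm what is actually listening. The check below is an added example, not part of the original guide: it reads `ss -Hltn` output and reports when the websockify port 64737, which nginx only reaches through 127.0.0.1, is bound to a non-loopback address, or when nothing listens on 64738. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): check listener addresses
# for the two ports used in this guide. Input is `ss -Hltn` output on stdin.

# audit_listeners [PROXY_PORT] [MUMBLE_PORT]
# Returns 0 when PROXY_PORT is bound to loopback only and MUMBLE_PORT has a
# TCP listener; prints one finding per problem and returns 1 otherwise.
audit_listeners() {
    awk -v proxy="${1:-64737}" -v mumble="${2:-64738}" '
        $1 != "LISTEN" { next }
        {
            # $4 is "Local Address:Port"; the port follows the last colon,
            # which also works for bracketed IPv6 addresses such as [::]
            n = split($4, part, ":")
            port = part[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
        }
        port == proxy && addr !~ /^127\./ && addr != "[::1]" {
            print "EXPOSED " proxy " on " addr
            bad = 1
        }
        port == mumble { up = 1 }
        END {
            if (!up) { print "DOWN    " mumble " has no listener"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample of `ss -Hltn` output (not captured from a real host):
# websockify is reachable on every interface, not only through nginx.
sample_ss() {
    cat <<'EOF'
LISTEN 0 128    0.0.0.0:64738 0.0.0.0:*
LISTEN 0 100    0.0.0.0:64737 0.0.0.0:*
LISTEN 0 511       [::]:443      [::]:*
EOF
}

# Demo on the constructed sample; on the server run: ss -Hltn | audit_listeners
sample_ss | audit_listeners || true
```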

When everything looks good, enable the services:

systemctl enable umurmur mumble-web

Enjoy!