diff --git a/roles/murmur/defaults/main.json b/roles/murmur/defaults/main.json
index 33156cb..2f81b61 100644
--- a/roles/murmur/defaults/main.json
+++ b/roles/murmur/defaults/main.json
@@ -1,6 +1,8 @@
{
"var_murmur_database_path": "/var/lib/mumble-server/mumble-server.sqlite",
+ "var_murmur_domain": "murmur.example.org",
"var_murmur_port": 64738,
"var_murmur_welcome_text": "
Welcome to this server running Murmur.
Enjoy your stay!
",
- "var_murmur_admin_password": "REPLACE_ME"
+ "var_murmur_admin_password": "REPLACE_ME",
+ "var_murmur_tls": true
}
diff --git a/roles/murmur/tasks/main.json b/roles/murmur/tasks/main.json
index 1b9ed12..5b61756 100644
--- a/roles/murmur/tasks/main.json
+++ b/roles/murmur/tasks/main.json
@@ -9,6 +9,31 @@
]
}
},
+ {
+ "name": "tls | directory",
+ "when": "var_murmur_tls",
+ "become": true,
+ "ansible.builtin.file": {
+ "state": "directory",
+ "path": "/var/murmur"
+ }
+ },
+ {
+ "name": "tls | files",
+ "when": "var_murmur_tls",
+ "become": true,
+ "loop": [
+ {"from": "/etc/ssl/private/{{var_murmur_domain}}.pem", "to": "/var/murmur/tls-key.pem"},
+ {"from": "/etc/ssl/fullchains/{{var_murmur_domain}}.pem", "to": "/var/murmur/tls-fullchain.pem"}
+ ],
+ "ansible.builtin.copy": {
+ "state": "directory",
+ "remote_src": true,
+ "src": "{{item.from}}",
+ "dest": "{{item.to}}",
+ "mode": "0444"
+ }
+ },
{
"name": "configuration",
"become": true,
diff --git a/roles/murmur/templates/mumble-server.ini.j2 b/roles/murmur/templates/mumble-server.ini.j2
index 4db3508..37ea8ce 100644
--- a/roles/murmur/templates/mumble-server.ini.j2
+++ b/roles/murmur/templates/mumble-server.ini.j2
@@ -242,8 +242,13 @@ allowping=true
; If you have a proper SSL certificate, you can provide the filenames here.
; Otherwise, Murmur will create its own certificate automatically.
-;sslCert=
+{% if var_murmur_tls %}
+sslKey=/var/murmurd/tls-key.pem
+sslCert=/var/murmurd/tls-fullchain.pem
+{% else %}
;sslKey=
+;sslCert=
+{% endif %}
; If the keyfile specified above is encrypted with a passphrase, you can enter
; it in this setting. It must be plaintext, so you may wish to adjust the