[mod] role:murmur:tls

roles/murmur/defaults/main.json

@@ -1,6 +1,8 @@
 {
 	"var_murmur_database_path": "/var/lib/mumble-server/mumble-server.sqlite",
+	"var_murmur_domain": "murmur.example.org",
 	"var_murmur_port": 64738,
 	"var_murmur_welcome_text": "<br />Welcome to this server running <b>Murmur</b>.<br />Enjoy your stay!<br />",
-	"var_murmur_admin_password": "REPLACE_ME"
+	"var_murmur_admin_password": "REPLACE_ME",
+	"var_murmur_tls": true
 }

roles/murmur/tasks/main.json

@@ -9,6 +9,31 @@
 			]
 		}
 	},
+	{
+		"name": "tls | directory",
+		"when": "{{var_murmur_tls}}",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "directory",
+			"path": "/var/murmur"
+		}
+	},
+	{
+		"name": "tls | files",
+		"when": "{{var_murmur_tls}}",
+		"become": true,
+		"loop": [
+			{"from": "/etc/ssl/private/{{var_murmur_domain}}.pem", "to": "/var/murmur/tls-key.pem"},
+			{"from": "/etc/ssl/fullchains/{{var_murmur_domain}}.pem", "to": "/var/murmur/tls-fullchain.pem"}
+		],
+		"ansible.builtin.copy": {
+			"state": "directory",
+			"remote_src": true,
+			"src": "{{item.from}}",
+			"dest": "{{item.to}}",
+			"mode": "0444"
+		}
+	},
 	{
 		"name": "configuration",
 		"become": true,

roles/murmur/templates/mumble-server.ini.j2

@@ -242,8 +242,13 @@ allowping=true
 
 ; If you have a proper SSL certificate, you can provide the filenames here.
 ; Otherwise, Murmur will create its own certificate automatically.
-;sslCert=
+{% if var_murmur_tls %}
+sslKey=/var/murmurd/tls-key.pem
+sslCert=/var/murmurd/tls-fullchain.pem
+{% else %}
 ;sslKey=
+;sslCert=
+{% endif %}
 
 ; If the keyfile specified above is encrypted with a passphrase, you can enter
 ; it in this setting. It must be plaintext, so you may wish to adjust the