Mathis/allianceauth
1
0
Fork 0
mirror of https://gitlab.com/allianceauth/allianceauth.git synced 2025-07-09 12:30:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

generate some basic docker install guides for services

Browse Source
This commit is contained in:
Ariel Rin 2023-12-26 20:41:53 +10:00
parent 8184461b48
commit 51b86f88b9
No known key found for this signature in database
5 changed files with 573 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
docs/features/services/index.md
View File

@ -10,10 +10,13 @@
discord
discourse
mumble
mumble-docker
openfire
openfire-docker
phpbb3
smf
teamspeak3
teamspeak3-docker
xenforo
:::

207
docs/features/services/mumble-docker.md Normal file
View File

@ -0,0 +1,207 @@
# Mumble
An alternate install guide for Mumble using Docker, better suited to an Alliance Auth Docker install
Mumble is a free voice chat server. While not as flashy as TeamSpeak, it has all the functionality and is easier to customize. And is better. I may be slightly biased.
## Configuring Auth
In your auth project's settings file (`aa-docker/conf/local.py`), do the following:
- Add `'allianceauth.services.modules.mumble',` to your `INSTALLED_APPS` list
- Append the following to your auth project's settings file:
```python
# Mumble Configuration
MUMBLE_URL = "mumble.example.com"
```
Add the following lines to your `.env` file
```env
# Mumble
MUMBLE_SUPERUSER_PASSWORD = superuser_password
MUMBLE_ICESECRETWRITE = icesecretwrite
MUMBLE_SERVERPASSWORD = serverpassword
```
Finally, restart your stack and run migrations
```shell
docker compose --env-file=.env up -d
docker compose exec allianceauth_gunicorn bash
auth migrate
```
## Docker Installations
### Installing Mumble and Authenticator
Inside your `aa-docker` directory, clone the authenticator to a sub directory as follows
```shell
git clone https://gitlab.com/allianceauth/mumble-authenticator.git
```
Add the following to your `docker-compose.yml` under the `services:` section
```docker
mumble-server:
image: mumblevoip/mumble-server:latest
restart: always
environment:
- MUMBLE_SUPERUSER_PASSWORD=${MUMBLE_SUPERUSER_PASSWORD}
- MUMBLE_CONFIG_ice="tcp -h 127.0.0.1 -p 6502"
- MUMBLE_CONFIG_icesecretwrite=${MUMBLE_ICESECRETWRITE}
- MUMBLE_CONFIG_serverpassword=${MUMBLE_SERVERPASSWORD}
- MUMBLE_CONFIG_opusthreshold=0
- MUMBLE_CONFIG_suggestPushToTalk=true
- MUMBLE_CONFIG_suggestVersion=1.4.0
ports:
- 64738:64738
- 64738:64738/udp
logging:
driver: "json-file"
options:
max-size: "10Mb"
max-file: "5"
mumble-authenticator:
build
context: .
dockerfile: ./mumble-authenticator/Dockerfile
restart: always
volumes:
- ./mumble-authenticator/authenticator.py:/authenticator.py
- ./mumble-authenticator/authenticator.ini.docker:/authenticator.ini
environment:
- MUMBLE_SUPERUSER_PASSWORD=${MUMBLE_SUPERUSER_PASSWORD}
- MUMBLE_CONFIG_ice="tcp -h 127.0.0.1 -p 6502"
- MUMBLE_CONFIG_icesecretwrite=${MUMBLE_ICESECRETWRITE}
- MUMBLE_CONFIG_serverpassword=${MUMBLE_SERVERPASSWORD}
depends_on:
- mumble-server
- auth_mysql
logging:
driver: "json-file"
options:
max-size: "10Mb"
max-file: "5"
```
## Permissions
To use this service, users will require some of the following.
```{eval-rst}
+---------------------------------------+------------------+--------------------------------------------------------------------------+
| Permission | Admin Site | Auth Site |
+=======================================+==================+==========================================================================+
| mumble.access_mumble | None | Can Access the Mumble Service |
+---------------------------------------+------------------+--------------------------------------------------------------------------+
```
## ACL configuration
On a freshly installed mumble server only your superuser has the right to configure ACLs and create channels. The credentials for logging in with your superuser are:
- user: `SuperUser`
- password: *what you defined when configuring your mumble server*
## Optimizing a Mumble Server
The needs and available resources will vary between Alliance Auth installations. Consider yours when applying these settings.
### Bandwidth
<https://wiki.mumble.info/wiki/Murmur.ini#bandwidth>
This is likely the most important setting for scaling a Mumble install, The default maximum Bandwidth is 72000bps Per User. Reducing this value will cause your clients to automatically scale back their bandwidth transmitted, while causing a reduction in voice quality. A value thats still high may cause robotic voices or users with bad connections to drop due entirely due to network load.
Please tune this value to your individual needs, the below scale may provide a rough starting point.
72000 - Superior voice quality - Less than 50 users.
54000 - No noticeable reduction in quality - 50+ Users or many channels with active audio.
36000 - Mild reduction in quality - 100+ Users
30000 - Noticeable reduction in quality but not function - 250+ Users
### Forcing Opus
<https://wiki.mumble.info/wiki/Murmur.ini#opusthreshold>
A Mumble server by default, will fall back to the older CELT codec as soon as a single user connects with an old client. This will significantly reduce your audio quality and likely place higher load on your server. We *highly* reccommend setting this to Zero, to force OPUS to be used at all times. Be aware any users with Mumble clients prior to 1.2.4 (From 2013...) Will not hear any audio.
Our default config sets this as follows
```docker
mumble-authenticator:
environment:
`MUMBLE_CONFIG_opusthreshold=0`
```
### AutoBan and Rate Limiting
<https://wiki.mumble.info/wiki/Murmur.ini#autobanAttempts.2C_autobanTimeframe_and_autobanTime>
The AutoBan feature has some sensible settings by default, You may wish to tune these if your users keep locking themselves out by opening two clients by mistake, or if you are receiving unwanted attention
<https://wiki.mumble.info/wiki/Murmur.ini#messagelimit_and_messageburst>
This too, is set to a sensible configuration by default. Take note on upgrading older installs, as this may actually be set too restrictively and will rate-limit your admins accidentally, take note of the configuration in <https://github.com/mumble-voip/mumble/blob/master/scripts/murmur.ini#L156>
```docker
mumble-authenticator:
environment:
MUMBLE_CONFIG_messagelimit=
MUMBLE_CONFIG_messageburst=
MUMBLE_CONFIG_autobanAttempts=10
MUMBLE_CONFIG_autobanTimeframe=120
MUMBLE_CONFIG_autobanTime=30
MUMBLE_CONFIG_autobanSuccessfulConnections=false
```
### "Suggest" Options
There is no way to force your users to update their clients or use Push to Talk, but these options will throw an error into their Mumble Client.
<https://wiki.mumble.info/wiki/Murmur.ini#Miscellany>
We suggest using Mumble 1.4.0+ for your server and Clients, you can tune this to the latest Patch version.
If Push to Talk is to your tastes, configure the suggestion as follows
```docker
mumble-authenticator:
environment:
MUMBLE_CONFIG_suggestVersion=s1.4.287
MUMBLE_CONFIG_suggestPushToTalk=true
```
## General notes
### Server password
With the default Mumble configuration your mumble server is public. Meaning that everyone who has the address can at least connect to it and might also be able join all channels that don't have any permissions set (Depending on your ACL configured for the root channel).
We have changed this behaviour by setting a Server Password by default, to change this password modify `MUMBLE_SERVERPASSWORD` in `.env`.
Restart the container to apply the change.
```shell
docker compose restart mumble-server
```
It is not reccommended to share/use this password, instead use the Mumble Authenticator whenever possible.
As only registered member can join your mumble server. If you still want to allow guests to join you have 2 options.
- Allow the "Guest" state to activate the Mumble service in your Auth instance
- Use [Mumble temporary links](https://github.com/pvyParts/allianceauth-mumble-temp)
### Enabling Avatars in Overlay (V1.0.0+)
Ensure you have an up to date Mumble-Authenticator, this feature was added in V1.0.0
Edit `authenticator.ini` and change (or add for older installs) This code block.
```ini
;If enabled, textures are automatically set as player's EvE avatar for use on overlay.
avatar_enable = True
;Get EvE avatar images from this location. {charid} will be filled in.
ccp_avatar_url = https://images.evetech.net/characters/{charid}/portrait?size=32
```

8
docs/features/services/mumble.md
View File

@ -9,7 +9,8 @@ Note that this guide assumes that you have installed Auth with the official :doc
:::{warning}
This guide is currently for Ubuntu only.
:::
## Installations
## Bare Metal Installations
### Installing Mumble Server
@ -35,7 +36,6 @@ sudo apt-get install python-software-properties mumble-server libqt5sql5-mysql
:::
::::
### Installing Mumble Authenticator
Next, we need to download the latest authenticator release from the [authenticator repository](https://gitlab.com/allianceauth/mumble-authenticator).
@ -236,7 +236,7 @@ Please tune this value to your individual needs, the below scale may provide a r
### Forcing Opus
<https://wiki.mumble.info/wiki/Murmur.ini#opusthreshold>
A Mumble server by default, will fall back to the older CELT codec as soon as a single user connects with an old client. This will significantly reduce your audio quality and likely place higher load on your server. We _highly_ reccommend setting this to Zero, to force OPUS to be used at all times. Be aware any users with Mumble clients prior to 1.2.4 (From 2013...) Will not hear any audio.
A Mumble server by default, will fall back to the older CELT codec as soon as a single user connects with an old client. This will significantly reduce your audio quality and likely place higher load on your server. We *highly* reccommend setting this to Zero, to force OPUS to be used at all times. Be aware any users with Mumble clients prior to 1.2.4 (From 2013...) Will not hear any audio.
`opusthreshold=0`
@ -255,7 +255,7 @@ There is no way to force your users to update their clients or use Push to Talk,
<https://wiki.mumble.info/wiki/Murmur.ini#Miscellany>
We suggest using Mumble 1.4.0+ for your server and Clients, you can tune this to the latest Patch version.
`suggestVersion=1.4.230`
`suggestVersion=1.4.287`
If Push to Talk is to your tastes, configure the suggestion as follows
`suggestPushToTalk=true`

180
docs/features/services/openfire-docker.md Normal file
View File

@ -0,0 +1,180 @@
# Openfire
An alternate install guide for Openfire using Docker, better suited to an Alliance Auth Docker install
Openfire is a Jabber (XMPP) server.
## Configuring Auth
In your auth project's settings file (`aa-docker/conf/local.py`), do the following:
- Add `'allianceauth.services.modules.openfire',` to your `INSTALLED_APPS` list
- Append the following to your auth project's settings file:
```python
# Jabber Configuration
JABBER_URL = SITE_URL
JABBER_PORT = os.environ.get('JABBER_PORT', 5223)
JABBER_SERVER = SITE_URL
OPENFIRE_ADDRESS = SITE_URL
OPENFIRE_SECRET_KEY = os.environ.get('OPENFIRE_SECRET_KEY', '')
BROADCAST_USER = ""
BROADCAST_USER_PASSWORD = os.environ.get('BROADCAST_USER_PASSWORD', '127.0.0.1')
BROADCAST_SERVICE_NAME = "broadcast"
```
Add the following lines to your `.env` file
```env
# Openfire
OPENFIRE_SECRET_KEY = superuser_password
BROADCAST_USER_PASSWORD = icesecretwrite
```
Finally, restart your stack and run migrations
```shell
docker compose --env-file=.env up -d
docker compose exec allianceauth_gunicorn bash
auth migrate
```
## Docker Installation
Add the following to your `docker-compose.yml` under the `services:` section
```docker
openfire:
image: nasqueron/openfire:4.7.5
ports:
- "5222:5222/tcp"
- "5223:5223/tcp"
- "7777:7777/tcp"
volumes:
- openfire-data:/var/lib/openfire
depends_on:
- auth_mysql
logging:
driver: "json-file"
options:
max-size: "50Mb"
max-file: "5"
```
### Create Database
We have a Mariadb container already as part of the Alliance Auth stack, enter it and create a database for it.
```shell
docker exec -it auth_mysql
mysql -u root -p $AA_DB_ROOT_PASSWORD
```
```sql
create database alliance_jabber;
grant all privileges on alliance_jabber . * to 'aauth'@'localhost';
exit;
exit
```
### Configure Webserver
In Nginx Proxy Manager `http://yourdomain:81/`, go to `Proxy Hosts`, Click `Add Proxy Host`. You can refer to :doc:`/installation-containerized/docker`
Domain Name: `jabber.yourdomain`
Forward Hostname `openfire`
forward port `9090` for http, `9091` for https
### Web Configuration
The remainder of the setup occurs through Openfires web interface. Navigate to <http://jabber.yourdomain.com>
Select your language, our guide will assume English
Under Server Settings, set the Domain to `jabber.yourdomain.com` replacing it with your actual domain. Dont touch the rest.
Under Database Settings, select `Standard Database Connection`
On the next page, select `MySQL` from the dropdown list and change the following:
- `[server]`: `auth_mysql`
- `[database]`: `alliance_jabber`
- `[user]`: `aauth`
- `[password]: Your database users password
If Openfire returns with a failed to connect error, re-check these settings. Note the lack of square brackets.
Under Profile Settings, leave `Default` selected.
Create an administrator account. The actual name is irrelevant, just dont lose this login information.
Finally, log in to the console with your admin account.
Edit your auth project's settings file (`aa-docker/conf/local.py`) and enter the values you just set:
- `JABBER_URL` is the pubic address of your jabber server
- `JABBER_PORT` is the port for clients to connect to (usually 5223)
- `JABBER_SERVER` is the name of the jabber server. If you didn't alter it during install it'll usually be your domain (eg `jabber.example.com`)
- `OPENFIRE_ADDRESS` is the web address of Openfire's web interface. Use http:// with port 9090 or https:// with port 9091 if you configure SSL in Openfire and Nginx Proxy Manager
### REST API Setup
Navigate to the `plugins` tab, and then `Available Plugins` on the left navigation bar. Youll need to fetch the list of available plugins by clicking the link.
Once loaded, press the green plus on the right for `REST API`.
Navigate the `Server` tab, `Sever Settings` subtab. At the bottom of the left navigation bar select `REST API`.
Select `Enabled`, and `Secret Key Auth`. Update your auth project's settings with this secret key as `OPENFIRE_SECRET_KEY`.
### Broadcast Plugin Setup
Navigate to the `Users/Groups` tab and select `Create New User` from the left navigation bar.
Pick a username (e.g. `broadcast`) and password for your ping user. Enter these in your auth project's settings file as `BROADCAST_USER` and `BROADCAST_USER_PASSWORD`. Note that `BROADCAST_USER` needs to be in the format `user@example.com` matching your jabber server name. Press `Create User` to save this user.
Broadcasting requires a plugin. Navigate to the `plugins` tab, press the green plus for the `Broadcast` plugin.
Navigate to the `Server` tab, `Server Manager` subtab, and select `System Properties`. Enter the following:
- Name: `plugin.broadcast.disableGroupPermissions`
- Value: `True`
- Do not encrypt this property value
- Name: `plugin.broadcast.allowedUsers`
- Value: `broadcast@example.com`, replacing the domain name with yours
- Do not encrypt this property value
If you have troubles getting broadcasts to work, you can try setting the optional (you will need to add it) `BROADCAST_IGNORE_INVALID_CERT` setting to `True`. This will allow invalid certificates to be used when connecting to the Openfire server to send a broadcast.
### Preparing Auth
Once all settings are entered, run migrations and restart Gunicorn and Celery.
### Group Chat
Channels are available which function like a chat room. Access can be controlled either by password or ACL (not unlike mumble).
Navigate to the `Group Chat` tab and select `Create New Room` from the left navigation bar.
- Room ID is a short, easy-to-type version of the rooms name users will connect to
- Room Name is the full name for the room
- Description is short text describing the rooms purpose
- Set a password if you want password authentication
- Every other setting is optional. Save changes.
Now select your new room. On the left navigation bar, select `Permissions`.
ACL is achieved by assigning groups to each of the three tiers: `Owners`, `Admins` and `Members`. `Outcast` is the blacklist. Youll usually only be assigning groups to the `Member` category.
## Permissions
To use this service, users will require some of the following.
```{eval-rst}
+---------------------------------------+------------------+--------------------------------------------------------------------------+
| Permission | Admin Site | Auth Site |
+=======================================+==================+==========================================================================+
| openfire.access_openfire | None | Can Access the Openfire Service |
+---------------------------------------+------------------+--------------------------------------------------------------------------+
```

179
docs/features/services/teamspeak3-docker.md Normal file
View File

@ -0,0 +1,179 @@
# TeamSpeak 3
## Overview
TeamSpeak3 is the most popular VOIP program for gamers.
But have you considered using Mumble? Not only is it free, but it has features and performance far superior to Teamspeak3.
## Setup
Sticking with TS3? Alright, I tried.
## Configuring Auth
In your auth project's settings file (`aa-docker/conf/local.py`), do the following:
- Add `'allianceauth.services.modules.teamspeak',` to your `INSTALLED_APPS` list
- Append the following to your auth project's settings file:
```python
# Teamspeak3 Configuration
TEAMSPEAK3_SERVER_IP = os.environ.get('TEAMSPEAK3_SERVER_IP', '127.0.0.1')
TEAMSPEAK3_SERVER_PORT = os.environ.get('TEAMSPEAK3_SERVER_PORT', 10011)
TEAMSPEAK3_SERVERQUERY_USER = os.environ.get('TEAMSPEAK3_SERVERQUERY_USER', "serverquery")
TEAMSPEAK3_SERVERQUERY_PASSWORD = os.environ.get('TEAMSPEAK3_SERVERQUERY_PASSWORD', "")
TEAMSPEAK3_VIRTUAL_SERVER = os.environ.get('TEAMSPEAK3_VIRTUAL_SERVER', 1)
TEAMSPEAK3_PUBLIC_URL = SITE_URL
CELERYBEAT_SCHEDULE['run_ts3_group_update'] = {
'task': 'allianceauth.services.modules.teamspeak3.tasks.run_ts3_group_update',"
'schedule': crontab(minute='*/30'),
}
```
Add the following lines to your `.env` file
```env
# Temspeak
TEAMSPEAK3_SERVERQUERY_USER = "serverquery"
TEAMSPEAK3_SERVERQUERY_PASSWORD = ""
```
## Docker Installation
Add the following to your `docker-compose.yml` under the `services:` section
```docker
teamspeak:
image: teamspeak:3.13
restart: always
environment:
TS3SERVER_LICENSE: accept
ports:
- 9987:9987/udp
- 30033:30033
volumes:
- teamspeak-data:/var/ts3server/
logging:
driver: "json-file"
options:
max-size: "10Mb"
max-file: "5"
```
### Update Settings
In (`aa-docker/conf/local.py`), update the following
- `TEAMSPEAK_VIRTUAL_SERVER` is the virtual server ID of the server to be managed - it will only ever not be 1 if your server is hosted by a professional company
- `TEAMSPEAK3_PUBLIC_URL` is the public address of your TeamSpeak server. Do not include any leading http:// or teamspeak://
In your `.env` file, update the following, obtained from the logs of the Teamspeak server initaliztion `docker compose logs teamspeak`
- `TEAMSPEAK3_SERVERQUERY_USER` is `loginname` from the above bash command (usually `serveradmin`)
- `TEAMSPEAK3_SERVERQUERY_PASSWORD` is `password` following the equals in `serveradmin_password=`
Once settings are entered, run migrations and restart your stack
```shell
docker compose --env-file=.env up -d
docker compose exec allianceauth_gunicorn bash
auth migrate
```
### Generate User Account
And now we can generate ourselves a user account. Navigate to the services in Alliance Auth for your user account and press the checkmark for TeamSpeak 3.
Click the URL provided to automatically connect to our server. It will prompt you to redeem the serveradmin token, enter the `token` from startup.
### Groups
Now we need to make groups. AllianceAuth handles groups in teamspeak differently: instead of creating groups it creates an association between groups in TeamSpeak and groups in AllianceAuth. Go ahead and make the groups you want to associate with auth groups, keeping in mind multiple TeamSpeak groups can be associated with a single auth group.
Navigate back to the AllianceAuth admin interface (example.com/admin) and under `Teamspeak3`, select `Auth / TS Groups`.
In the top-right corner click, first click on `Update TS3 Groups` to fetch the newly created server groups from TS3 (this may take a minute to complete). Then click on `Add Auth / TS Group` to link Auth groups with TS3 server groups.
The dropdown box provides all auth groups. Select one and assign TeamSpeak groups from the panels below. If these panels are empty, wait a minute for the database update to run, or see the [troubleshooting section](#ts-group-models-not-populating-on-admin-site) below.
## Troubleshooting
### `Insufficient client permissions (failed on Invalid permission: 0x26)`
Using the advanced permissions editor, ensure the `Guest` group has the permission `Use Privilege Keys to gain permissions` (under `Virtual Server` expand the `Administration` section)
To enable advanced permissions, on your client go to the `Tools` menu, `Application`, and under the `Misc` section, tick `Advanced permission system`
### TS group models not populating on admin site
The method which populates these runs every 30 minutes. To populate manually you start the process from the admin site or from the Django shell.
#### Admin Site
Navigate to the AllianceAuth admin interface and under `Teamspeak3`, select `Auth / TS Groups`.
Then, in the top-right corner click, click on `Update TS3 Groups` to start the process of fetching the server groups from TS3 (this may take a minute to complete).
#### Django Shell
Start a django shell with:
```shell
docker compose exec allianceauth_gunicorn bash
auth shell
```
And execute the update as follows:
```python
from allianceauth.services.modules.teamspeak3.tasks import Teamspeak3Tasks
Teamspeak3Tasks.run_ts3_group_update()
```
Ensure that command does not return an error.
### `2564 access to default group is forbidden`
This usually occurs because auth is trying to remove a user from the `Guest` group (group ID 8). The guest group is only assigned to a user when they have no other groups, unless you have changed the default teamspeak server config.
Teamspeak servers v3.0.13 and up are especially susceptible to this. Ensure the Channel Admin Group is not set to `Guest (8)`. Check by right clicking on the server name, `Edit virtual server`, and in the middle of the panel select the `Misc` tab.
### `TypeError: string indices must be integers, not str`
This error generally means teamspeak returned an error message that went unhandled. The full traceback is required for proper debugging, which the logs do not record. Please check the superuser notifications for this record and get in touch with a developer.
### `3331 flood ban`
This most commonly happens when your teamspeak server is externally hosted. You need to add the auth server IP to the teamspeak serverquery whitelist. This varies by provider.
If you have SSH access to the server hosting it, you need to locate the teamspeak server folder and add the auth server IP on a new line in `query_ip_allowlist.txt` (named `query_ip_whitelist.txt` on older teamspeak versions).
### `520 invalid loginname or password`
The serverquery account login specified in local.py is incorrect. Please verify `TEAMSPEAK3_SERVERQUERY_USER` and `TEAMSPEAK3_SERVERQUERY_PASSWORD`. The [installation section](#update-settings) describes where to get them.
### `2568 insufficient client permissions`
This usually occurs if you've created a separate serverquery user to use with auth. It has not been assigned sufficient permissions to complete all the tasks required of it. The full list of required permissions is not known, so assign liberally.
## Permissions
To use and configure this service, users will require some of the following.
```{eval-rst}
+---------------------------------------+------------------+--------------------------------------------------------------------------+
| Permission | Admin Site | Auth Site |
+=======================================+==================+==========================================================================+
| teamspeak.access_teamspeak | None | Can Access the TeamSpeak Service |
+---------------------------------------+------------------+--------------------------------------------------------------------------+
| teamspeak.add_authts | Can Add Model | None |
+---------------------------------------+------------------+--------------------------------------------------------------------------+
| teamspeak.change_authts | Can Change Model | None |
+---------------------------------------+------------------+--------------------------------------------------------------------------+
| teamspeak.delete_authts | Can Delete Model | None |
+---------------------------------------+------------------+--------------------------------------------------------------------------+
| teamspeak.view_authts | Can View Model | None |
+---------------------------------------+------------------+--------------------------------------------------------------------------+
```