author | Quentin Dufour <quentin@deuxfleurs.fr> | 2020-03-27 09:03:39 +0100 |
---|---|---|
committer | Quentin Dufour <quentin@deuxfleurs.fr> | 2020-03-27 09:03:39 +0100 |
commit | fd6e6aa1413602fc11bf79f7cf08120d996b8b3a (patch) | |
tree | 5e3b2e7f6ad788ef8a0f785056400442bb4d1cc7 | |
parent | 08101b82621457195c9a080237913d2c5a30208e (diff) | |
parent | a95017cf1e1761fef1ec029105d1c25f954741d4 (diff) | |
Merge branch 'feature/jitsi'
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | consul/configuration/traefik/traefik.toml | 4 | ||||
-rw-r--r-- | docker/jitsi/01_gen_certs.yml | 8 | ||||
-rw-r--r-- | docker/jitsi/02_run.yml | 36 | ||||
-rw-r--r-- | docker/jitsi/README.md | 26 | ||||
-rw-r--r-- | docker/jitsi/dev.env | 9 | ||||
-rw-r--r-- | docker/jitsi/jitsi-certs/.gitignore | 2 | ||||
-rw-r--r-- | docker/jitsi/jitsi-conference-focus/Dockerfile | 22 | ||||
-rwxr-xr-x | docker/jitsi/jitsi-conference-focus/jicofo | 16 | ||||
-rw-r--r-- | docker/jitsi/jitsi-front/Dockerfile | 20 | ||||
-rw-r--r-- | docker/jitsi/jitsi-front/config.js | 517 | ||||
-rwxr-xr-x | docker/jitsi/jitsi-front/entrypoint.sh | 38 | ||||
-rw-r--r-- | docker/jitsi/jitsi-videobridge/Dockerfile | 21 | ||||
-rwxr-xr-x | docker/jitsi/jitsi-videobridge/jvb_run | 23 | ||||
-rw-r--r-- | docker/jitsi/jitsi-xmpp/Dockerfile | 11 | ||||
-rw-r--r-- | docker/jitsi/jitsi-xmpp/external_components.cfg.lua | 2 | ||||
-rwxr-xr-x | docker/jitsi/jitsi-xmpp/xmpp_conf | 42 | ||||
-rwxr-xr-x | docker/jitsi/jitsi-xmpp/xmpp_gen | 9 | ||||
-rwxr-xr-x | docker/jitsi/jitsi-xmpp/xmpp_run | 19 | ||||
-rw-r--r-- | nomad/traefik.hcl | 5 |
20 files changed, 824 insertions, 7 deletions
@@ -1,3 +1,4 @@ *.retry .git_old/ debug/gladdrinfo +*.swp diff --git a/consul/configuration/traefik/traefik.toml b/consul/configuration/traefik/traefik.toml index ce50532..6145ffb 100644 --- a/consul/configuration/traefik/traefik.toml +++ b/consul/configuration/traefik/traefik.toml @@ -36,12 +36,12 @@ defaultEntryPoints = ["http", "https"] dashboard = true [consul] - endpoint = "consul.service.2.cluster.deuxfleurs.fr:8500" + endpoint = "172.17.0.1:8500" watch = true prefix = "traefik" [consulCatalog] - endpoint = "consul.service.2.cluster.deuxfleurs.fr:8500" + endpoint = "172.17.0.1:8500" prefix = "traefik" domain = "web.deuxfleurs.fr" exposedByDefault = false diff --git a/docker/jitsi/01_gen_certs.yml b/docker/jitsi/01_gen_certs.yml new file mode 100644 index 0000000..8c97384 --- /dev/null +++ b/docker/jitsi/01_gen_certs.yml @@ -0,0 +1,8 @@ +version: '3' +services: + jitsi-xmpp: + build: ./jitsi-xmpp + command: ["/usr/local/bin/xmpp_gen"] + volumes: [ './jitsi-certs/:/certs:rw' ] + env_file: [ 'dev.env' ] + diff --git a/docker/jitsi/02_run.yml b/docker/jitsi/02_run.yml new file mode 100644 index 0000000..af615a9 --- /dev/null +++ b/docker/jitsi/02_run.yml 
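Review bot: Both `endpoint` values, in `[consul]` and `[consulCatalog]`, now hard-code `172.17.0.1:8500` with no comment; the address looks like the default Docker bridge gateway. If that is the intent, Consul's HTTP API has to listen on the bridge interface, where every container attached to that bridge can reach it. The hunk shows no token or TLS setting, so whether ACLs protect the API cannot be told from here. I would add a comment above each line such as `# docker0 gateway: Consul agent on the local host; access restricted by <ACL_OR_FIREWALL_RULE>` and confirm that the restriction exists.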
@@ -0,0 +1,36 @@
+version: '3'
+services:
+ jitsi-xmpp:
+ build: ./jitsi-xmpp
+ image: superboum/amd64_jitsi_xmpp:v1
+ network_mode: host
+ ports:
+ - "5222:5222"
+ - "5347:5347"
+ - "5280:5280"
+ env_file: [ 'dev.env' ]
+ volumes: [ './jitsi-certs/:/certs:ro' ]
+ jitsi-front:
+ build: ./jitsi-front
+ image: superboum/amd64_jitsi_front:v1
+ network_mode: host
+ ports:
+ - "443:443"
+ env_file: [ 'dev.env' ]
+ volumes: [ './jitsi-certs/:/certs:ro' ]
+ jitsi-conference-focus:
+ build: ./jitsi-conference-focus
+ image: superboum/amd64_jitsi_conference_focus:v1
+ network_mode: host
+ env_file: [ 'dev.env' ]
+ volumes: [ './jitsi-certs/:/certs:ro' ]
+ jitsi-videobridge:
+ build: ./jitsi-videobridge
+ image: superboum/amd64_jitsi_videobridge:v1
+ network_mode: host
+ ports:
+ - "4443:4443"
+ - "10000:10000/udp"
+ env_file: [ 'dev.env' ]
+ volumes: [ './jitsi-certs/:/certs:ro' ]
+
diff --git a/docker/jitsi/README.md b/docker/jitsi/README.md
new file mode 100644
index 0000000..70b59fc
--- /dev/null
+++ b/docker/jitsi/README.md
@@ -0,0 +1,26 @@
+This installation is inspired by: https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-install.md
+
+To build images:
+
+```
+docker-compose -f 02_run.yml build
+```
+
+To gen the certs:
+
+```
+docker-compose -f 01_gen_certs.yml up --force-recreate
+```
+
+To run the stack:
+
+
+```
+docker-compose -f 02_run.yml up --force-recreate
+```
+
+To push the stack on the docker registry:
+
+```
+docker-compose -f 02_run.yml push
+```
diff --git a/docker/jitsi/dev.env b/docker/jitsi/dev.env
new file mode 100644
index 0000000..722ca1d
--- /dev/null
+++ b/docker/jitsi/dev.env
@@ -0,0 +1,9 @@
+JITSI_SECRET_VIDEOBRIDGE=S3CR3T01
+JITSI_SECRET_JICOFO_COMPONENT=S3CR3T02
+JITSI_SECRET_JICOFO_USER=S3CR3T03
+JITSI_PROSODY_BOSH_PORT=5280
+JITSI_PROSODY_BOSH_HOST=127.0.0.1
+JITSI_PROSODY_HOST=127.0.0.1
+JITSI_CERTS_FOLDER=/certs/
+JITSI_NAT_PUBLIC_IP=77.204.7.239
+JITSI_NAT_LOCAL_IP=192.168.0.18
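Review bot: Every service in `02_run.yml` sets `network_mode: host`, and three of them also list `ports:`, but Compose does not apply port mappings under host networking, so those entries document intent without restricting anything. Each listener a container opens is then reachable on the host's interfaces according to the daemon's own bind address, which here includes the Prosody component port 5347 and BOSH on 5280. I would either drop `network_mode: host` where it is not needed and let `ports:` publish only what must be public (this also means `JITSI_PROSODY_HOST` can no longer be `127.0.0.1`), or delete the `ports:` blocks and add a comment such as `# host networking: exposure is controlled by each daemon's bind address and the host firewall`.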
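Review bot: `dev.env` commits the three `JITSI_SECRET_*` values as guessable placeholders (`S3CR3T01` to `S3CR3T03`), and `02_run.yml` loads this file for every service, so a stack started the way the README describes authenticates its XMPP components and focus user with publicly known secrets. The file also records a specific public address in `JITSI_NAT_PUBLIC_IP`. I would add a header comment like `# Development placeholders only: generate fresh secrets and keep the real env file out of git`, and have the run file reference an untracked env file for anything reachable from outside.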
diff --git a/docker/jitsi/jitsi-certs/.gitignore b/docker/jitsi/jitsi-certs/.gitignore
new file mode 100644
index 0000000..d6b7ef3
--- /dev/null
+++ b/docker/jitsi/jitsi-certs/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
diff --git a/docker/jitsi/jitsi-conference-focus/Dockerfile b/docker/jitsi/jitsi-conference-focus/Dockerfile
new file mode 100644
index 0000000..190010e
--- /dev/null
+++ b/docker/jitsi/jitsi-conference-focus/Dockerfile
@@ -0,0 +1,22 @@
+FROM debian:buster AS builder
+
+RUN apt-get update && \
+ apt-get install -y openjdk-11-jdk maven git unzip && \
+ git clone --depth=1 https://github.com/jitsi/jicofo.git && \
+ cd jicofo && \
+ mvn package -DskipTests -Dassembly.skipAssembly=false
+
+RUN cd jicofo && \
+ unzip target/jicofo-1.1-SNAPSHOT-archive.zip && \
+ mv jicofo-1.1-SNAPSHOT /srv/jicofo
+
+
+FROM debian:buster
+
+RUN apt-get update && \
+ apt-get install -y openjdk-11-jdk ca-certificates
+
+COPY --from=builder /srv/jicofo /srv/jicofo
+COPY jicofo /usr/local/bin/jicofo
+
+CMD ["/usr/local/bin/jicofo"]
diff --git a/docker/jitsi/jitsi-conference-focus/jicofo b/docker/jitsi/jitsi-conference-focus/jicofo
new file mode 100755
index 0000000..2bc6e3f
--- /dev/null
+++ b/docker/jitsi/jitsi-conference-focus/jicofo
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+cp ${JITSI_CERTS_FOLDER}/auth.jitsi.deuxfleurs.fr.crt /usr/local/share/ca-certificates/auth.jitsi.deuxfleurs.fr.crt
+update-ca-certificates -f
+
+cat >> /etc/hosts <<EOF
+${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr
+127.0.0.1 `hostname`
+EOF
+
+/srv/jicofo/jicofo.sh \
+ --host=${JITSI_PROSODY_HOST} \
+ --domain=jitsi.deuxfleurs.fr \
+ --secret=${JITSI_SECRET_JICOFO_COMPONENT} \
+ --user_domain=auth.jitsi.deuxfleurs.fr \
+ --user_password=${JITSI_SECRET_JICOFO_USER}
diff --git a/docker/jitsi/jitsi-front/Dockerfile b/docker/jitsi/jitsi-front/Dockerfile
new file mode 100644
index 0000000..239372e
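Review bot: The builder stage of the conference-focus Dockerfile runs `git clone --depth=1 https://github.com/jitsi/jicofo.git` with no tag or commit, so each build packages whatever the default branch holds at that moment, while `02_run.yml` publishes the result under the fixed tag `v1`. Pinning the checkout, for example `git clone --depth=1 --branch <RELEASE_TAG> https://github.com/jitsi/jicofo.git` with the tag held in an `ARG`, makes the image reproducible and ties it to code that was reviewed. The hard-coded `jicofo-1.1-SNAPSHOT` archive name will also stop matching as soon as upstream changes its version, which pinning avoids. The `jitsi-front` Dockerfile clones `jitsi-meet` the same way and then runs `npm install` on it.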
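Review bot: The `jicofo` launcher passes the component secret and the focus user's password as `--secret=${JITSI_SECRET_JICOFO_COMPONENT}` and `--user_password=${JITSI_SECRET_JICOFO_USER}`, so both end up in the process's argument list, which is readable through `/proc` by other local users on a default Linux host. `jvb_run` does the same with `--secret=${JITSI_SECRET_VIDEOBRIDGE}`, and `xmpp_run` with the password argument to `prosodyctl register`. If the launcher in use accepts these values from the environment or a config file, prefer that; otherwise add a comment recording the exposure. Separately, the script has no `set -euo pipefail` and leaves `${JITSI_CERTS_FOLDER}` unquoted, so a failed `cp` of the auth certificate does not stop jicofo from starting.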
--- /dev/null
+++ b/docker/jitsi/jitsi-front/Dockerfile
@@ -0,0 +1,20 @@
+FROM debian:buster AS builder
+
+RUN apt-get update && \
+ apt-get install -y npm git nodejs make && \
+ git clone --depth=1 https://github.com/jitsi/jitsi-meet.git && \
+ cd jitsi-meet && \
+ npm install && \
+ make
+
+FROM debian:buster
+
+COPY --from=builder /jitsi-meet /srv/jitsi-meet
+RUN apt-get update && \
+ apt-get install -y nginx && \
+ rm /etc/nginx/sites-enabled/*
+
+COPY config.js /srv/jitsi-meet/config.js
+COPY entrypoint.sh /usr/local/bin/entrypoint
+ENTRYPOINT ["/usr/local/bin/entrypoint"]
+CMD ["/usr/sbin/nginx", "-g", "daemon off;"]
diff --git a/docker/jitsi/jitsi-front/config.js b/docker/jitsi/jitsi-front/config.js
new file mode 100644
index 0000000..34f0662
--- /dev/null
+++ b/docker/jitsi/jitsi-front/config.js
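Review bot: `COPY --from=builder /jitsi-meet /srv/jitsi-meet` in the jitsi-front Dockerfile copies the entire build checkout into the runtime image, and `entrypoint.sh` sets that same directory as the nginx `root`. The tree includes the `.git` directory from the clone, `node_modules` and the package manifests, none of which a browser needs and which would presumably be served as static files. I would end the builder's `RUN` with `&& rm -rf .git`, remove `node_modules` as well once it is confirmed the page loads without it, and add a `location ~ /\. { deny all; }` block to the generated nginx config.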
@@ -0,0 +1,517 @@ +/* eslint-disable no-unused-vars, no-var */ + +var config = { + // Connection + // + + hosts: { + // XMPP domain. + domain: 'jitsi.deuxfleurs.fr', + + // When using authentication, domain for guest users. + // anonymousdomain: 'guest.example.com', + + // Domain for authenticated users. Defaults to <domain>. + // authdomain: 'jitsi-meet.example.com', + + // Jirecon recording component domain. + // jirecon: 'jirecon.jitsi-meet.example.com', + + // Call control component (Jigasi). + // call_control: 'callcontrol.jitsi-meet.example.com', + + // Focus component domain. Defaults to focus.<domain>. + // focus: 'focus.jitsi-meet.example.com', + + // XMPP MUC domain. FIXME: use XEP-0030 to discover it. + muc: 'conference.jitsi.deuxfleurs.fr' + }, + + // BOSH URL. FIXME: use XEP-0156 to discover it. + bosh: '//jitsi.deuxfleurs.fr/http-bind', + + // Websocket URL + // websocket: 'wss://jitsi-meet.example.com/xmpp-websocket', + + // The name of client node advertised in XEP-0115 'c' stanza + clientNode: 'http://jitsi.org/jitsimeet', + + // The real JID of focus participant - can be overridden here + // focusUserJid: 'focus@auth.jitsi-meet.example.com', + + + // Testing / experimental features. + // + + testing: { + // Enables experimental simulcast support on Firefox. + enableFirefoxSimulcast: false, + + // P2P test mode disables automatic switching to P2P when there are 2 + // participants in the conference. + p2pTestMode: false + + // Enables the test specific features consumed by jitsi-meet-torture + // testMode: false + + // Disables the auto-play behavior of *all* newly created video element. + // This is useful when the client runs on a host with limited resources. + // noAutoPlayVideo: false + }, + + // Disables ICE/UDP by filtering out local and remote UDP candidates in + // signalling. + // webrtcIceUdpDisable: false, + + // Disables ICE/TCP by filtering out local and remote TCP candidates in + // signalling. 
+ // webrtcIceTcpDisable: false, + + + // Media + // + + // Audio + + // Disable measuring of audio levels. + // disableAudioLevels: false, + // audioLevelsInterval: 200, + + // Enabling this will run the lib-jitsi-meet no audio detection module which + // will notify the user if the current selected microphone has no audio + // input and will suggest another valid device if one is present. + enableNoAudioDetection: true, + + // Enabling this will run the lib-jitsi-meet noise detection module which will + // notify the user if there is noise, other than voice, coming from the current + // selected microphone. The purpose it to let the user know that the input could + // be potentially unpleasant for other meeting participants. + enableNoisyMicDetection: true, + + // Start the conference in audio only mode (no video is being received nor + // sent). + // startAudioOnly: false, + + // Every participant after the Nth will start audio muted. + // startAudioMuted: 10, + + // Start calls with audio muted. Unlike the option above, this one is only + // applied locally. FIXME: having these 2 options is confusing. + // startWithAudioMuted: false, + + // Enabling it (with #params) will disable local audio output of remote + // participants and to enable it back a reload is needed. + // startSilent: false + + // Video + + // Sets the preferred resolution (height) for local video. Defaults to 720. + // resolution: 720, + + // w3c spec-compliant video constraints to use for video capture. Currently + // used by browsers that return true from lib-jitsi-meet's + // util#browser#usesNewGumFlow. The constraints are independency from + // this config's resolution value. Defaults to requesting an ideal aspect + // ratio of 16:9 with an ideal resolution of 720. + // constraints: { + // video: { + // aspectRatio: 16 / 9, + // height: { + // ideal: 720, + // max: 720, + // min: 240 + // } + // } + // }, + + // Enable / disable simulcast support. 
+ // disableSimulcast: false, + + // Enable / disable layer suspension. If enabled, endpoints whose HD + // layers are not in use will be suspended (no longer sent) until they + // are requested again. + // enableLayerSuspension: false, + + // Every participant after the Nth will start video muted. + // startVideoMuted: 10, + + // Start calls with video muted. Unlike the option above, this one is only + // applied locally. FIXME: having these 2 options is confusing. + // startWithVideoMuted: false, + + // If set to true, prefer to use the H.264 video codec (if supported). + // Note that it's not recommended to do this because simulcast is not + // supported when using H.264. For 1-to-1 calls this setting is enabled by + // default and can be toggled in the p2p section. + // preferH264: true, + + // If set to true, disable H.264 video codec by stripping it out of the + // SDP. + // disableH264: false, + + // Desktop sharing + + // The ID of the jidesha extension for Chrome. + desktopSharingChromeExtId: null, + + // Whether desktop sharing should be disabled on Chrome. + // desktopSharingChromeDisabled: false, + + // The media sources to use when using screen sharing with the Chrome + // extension. + desktopSharingChromeSources: [ 'screen', 'window', 'tab' ], + + // Required version of Chrome extension + desktopSharingChromeMinExtVersion: '0.1', + + // Whether desktop sharing should be disabled on Firefox. + // desktopSharingFirefoxDisabled: false, + + // Optional desktop sharing frame rate options. Default value: min:5, max:5. + // desktopSharingFrameRate: { + // min: 5, + // max: 5 + // }, + + // Try to start calls with screen-sharing instead of camera video. + // startScreenSharing: false, + + // Recording + + // Whether to enable file recording or not. + // fileRecordingsEnabled: false, + // Enable the dropbox integration. + // dropbox: { + // appKey: '<APP_KEY>' // Specify your app key here. 
+ // // A URL to redirect the user to, after authenticating + // // by default uses: + // // 'https://jitsi-meet.example.com/static/oauth.html' + // redirectURI: + // 'https://jitsi-meet.example.com/subfolder/static/oauth.html' + // }, + // When integrations like dropbox are enabled only that will be shown, + // by enabling fileRecordingsServiceEnabled, we show both the integrations + // and the generic recording service (its configuration and storage type + // depends on jibri configuration) + // fileRecordingsServiceEnabled: false, + // Whether to show the possibility to share file recording with other people + // (e.g. meeting participants), based on the actual implementation + // on the backend. + // fileRecordingsServiceSharingEnabled: false, + + // Whether to enable live streaming or not. + // liveStreamingEnabled: false, + + // Transcription (in interface_config, + // subtitles and buttons can be configured) + // transcribingEnabled: false, + + // Enables automatic turning on captions when recording is started + // autoCaptionOnRecord: false, + + // Misc + + // Default value for the channel "last N" attribute. -1 for unlimited. + channelLastN: -1, + + // Disables or enables RTX (RFC 4588) (defaults to false). + // disableRtx: false, + + // Disables or enables TCC (the default is in Jicofo and set to true) + // (draft-holmer-rmcat-transport-wide-cc-extensions-01). This setting + // affects congestion control, it practically enables send-side bandwidth + // estimations. + // enableTcc: true, + + // Disables or enables REMB (the default is in Jicofo and set to false) + // (draft-alvestrand-rmcat-remb-03). This setting affects congestion + // control, it practically enables recv-side bandwidth estimations. When + // both TCC and REMB are enabled, TCC takes precedence. When both are + // disabled, then bandwidth estimations are disabled. 
+ // enableRemb: false, + + // Defines the minimum number of participants to start a call (the default + // is set in Jicofo and set to 2). + // minParticipants: 2, + + // Use XEP-0215 to fetch STUN and TURN servers. + // useStunTurn: true, + + // Enable IPv6 support. + // useIPv6: true, + + // Enables / disables a data communication channel with the Videobridge. + // Values can be 'datachannel', 'websocket', true (treat it as + // 'datachannel'), undefined (treat it as 'datachannel') and false (don't + // open any channel). + // openBridgeChannel: true, + + + // UI + // + + // Use display name as XMPP nickname. + // useNicks: false, + + // Require users to always specify a display name. + // requireDisplayName: true, + + // Whether to use a welcome page or not. In case it's false a random room + // will be joined when no room is specified. + enableWelcomePage: true, + + // Enabling the close page will ignore the welcome page redirection when + // a call is hangup. + // enableClosePage: false, + + // Disable hiding of remote thumbnails when in a 1-on-1 conference call. + // disable1On1Mode: false, + + // Default language for the user interface. + // defaultLanguage: 'en', + + // If true all users without a token will be considered guests and all users + // with token will be considered non-guests. Only guests will be allowed to + // edit their profile. + enableUserRolesBasedOnToken: false, + + // Whether or not some features are checked based on token. + // enableFeaturesBasedOnToken: false, + + // Enable lock room for all moderators, even when userRolesBasedOnToken is enabled and participants are guests. + // lockRoomGuestEnabled: false, + + // When enabled the password used for locking a room is restricted to up to the number of digits specified + // roomPasswordNumberOfDigits: 10, + // default: roomPasswordNumberOfDigits: false, + + // Message to show the users. 
Example: 'The service will be down for + // maintenance at 01:00 AM GMT, + // noticeMessage: '', + + // Enables calendar integration, depends on googleApiApplicationClientID + // and microsoftApiApplicationClientID + // enableCalendarIntegration: false, + + // Stats + // + + // Whether to enable stats collection or not in the TraceablePeerConnection. + // This can be useful for debugging purposes (post-processing/analysis of + // the webrtc stats) as it is done in the jitsi-meet-torture bandwidth + // estimation tests. + // gatherStats: false, + + // The interval at which PeerConnection.getStats() is called. Defaults to 10000 + // pcStatsInterval: 10000, + + // To enable sending statistics to callstats.io you must provide the + // Application ID and Secret. + // callStatsID: '', + // callStatsSecret: '', + + // enables sending participants display name to callstats + // enableDisplayNameInStats: false + + // enables sending participants email if available to callstats and other analytics + // enableEmailInStats: false + + // Privacy + // + + // If third party requests are disabled, no other server will be contacted. + // This means avatars will be locally generated and callstats integration + // will not function. + // disableThirdPartyRequests: false, + + + // Peer-To-Peer mode: used (if enabled) when there are just 2 participants. + // + + p2p: { + // Enables peer to peer mode. When enabled the system will try to + // establish a direct connection when there are exactly 2 participants + // in the room. If that succeeds the conference will stop sending data + // through the JVB and use the peer to peer connection instead. When a + // 3rd participant joins the conference will be moved back to the JVB + // connection. + enabled: true, + + // Use XEP-0215 to fetch STUN and TURN servers. 
+ // useStunTurn: true, + + // The STUN servers that will be used in the peer to peer connections + stunServers: [ + + // { urls: 'stun:jitsi-meet.example.com:443' }, + { urls: 'stun:stun.l.google.com:19302' }, + { urls: 'stun:stun1.l.google.com:19302' }, + { urls: 'stun:stun2.l.google.com:19302' } + ], + + // Sets the ICE transport policy for the p2p connection. At the time + // of this writing the list of possible values are 'all' and 'relay', + // but that is subject to change in the future. The enum is defined in + // the WebRTC standard: + // https://www.w3.org/TR/webrtc/#rtcicetransportpolicy-enum. + // If not set, the effective value is 'all'. + // iceTransportPolicy: 'all', + + // If set to true, it will prefer to use H.264 for P2P calls (if H.264 + // is supported). + preferH264: true + + // If set to true, disable H.264 video codec by stripping it out of the + // SDP. + // disableH264: false, + + // How long we're going to wait, before going back to P2P after the 3rd + // participant has left the conference (to filter out page reload). + // backToP2PDelay: 5 + }, + + analytics: { + // The Google Analytics Tracking ID: + // googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1' + + // The Amplitude APP Key: + // amplitudeAPPKey: '<APP_KEY>' + + // Array of script URLs to load as lib-jitsi-meet "analytics handlers". + // scriptURLs: [ + // "libs/analytics-ga.min.js", // google-analytics + // "https://example.com/my-custom-analytics.js" + // ], + }, + + // Information about the jitsi-meet instance we are connecting to, including + // the user region as seen by the server. 
+ deploymentInfo: { + // shard: "shard1", + // region: "europe", + // userRegion: "asia" + } + + // Information for the chrome extension banner + // chromeExtensionBanner: { + // // The chrome extension to be installed address + // url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb', + + // // Extensions info which allows checking if they are installed or not + // chromeExtensionsInfo: [ + // { + // id: 'kglhbbefdnlheedjiejgomgmfplipfeb', + // path: 'jitsi-logo-48x48.png' + // } + // ] + // } + + // Local Recording + // + + // localRecording: { + // Enables local recording. + // Additionally, 'localrecording' (all lowercase) needs to be added to + // TOOLBAR_BUTTONS in interface_config.js for the Local Recording + // button to show up on the toolbar. + // + // enabled: true, + // + + // The recording format, can be one of 'ogg', 'flac' or 'wav'. + // format: 'flac' + // + + // } + + // Options related to end-to-end (participant to participant) ping. + // e2eping: { + // // The interval in milliseconds at which pings will be sent. + // // Defaults to 10000, set to <= 0 to disable. + // pingInterval: 10000, + // + // // The interval in milliseconds at which analytics events + // // with the measured RTT will be sent. Defaults to 60000, set + // // to <= 0 to disable. + // analyticsInterval: 60000, + // } + + // If set, will attempt to use the provided video input device label when + // triggering a screenshare, instead of proceeding through the normal flow + // for obtaining a desktop stream. + // NOTE: This option is experimental and is currently intended for internal + // use only. + // _desktopSharingSourceDevice: 'sample-id-or-label' + + // If true, any checks to handoff to another application will be prevented + // and instead the app will continue to display in the current browser. 
+ // disableDeepLinking: false + + // A property to disable the right click context menu for localVideo + // the menu has option to flip the locally seen video for local presentations + // disableLocalVideoFlip: false + + // Deployment specific URLs. + // deploymentUrls: { + // // If specified a 'Help' button will be displayed in the overflow menu with a link to the specified URL for + // // user documentation. + // userDocumentationURL: 'https://docs.example.com/video-meetings.html', + // // If specified a 'Download our apps' button will be displayed in the overflow menu with a link + // // to the specified URL for an app download page. + // downloadAppsUrl: 'https://docs.example.com/our-apps.html' + // } + + // List of undocumented settings used in jitsi-meet + /** + _immediateReloadThreshold + autoRecord + autoRecordToken + debug + debugAudioLevels + deploymentInfo + dialInConfCodeUrl + dialInNumbersUrl + dialOutAuthUrl + dialOutCodesUrl + disableRemoteControl + displayJids + etherpad_base + externalConnectUrl + firefox_fake_device + googleApiApplicationClientID + iAmRecorder + iAmSipGateway + microsoftApiApplicationClientID + peopleSearchQueryTypes + peopleSearchUrl + requireDisplayName + tokenAuthUrl + */ + + // List of undocumented settings used in lib-jitsi-meet + /** + _peerConnStatusOutOfLastNTimeout + _peerConnStatusRtcMuteTimeout + abTesting + avgRtpStatsN + callStatsConfIDNamespace + callStatsCustomScriptUrl + desktopSharingSources + disableAEC + disableAGC + disableAP + disableHPF + disableNS + enableLipSync + enableTalkWhileMuted + forceJVB121Ratio + hiddenDomain + ignoreStartMuted + nick + startBitrate + */ + +}; + +/* eslint-enable no-unused-vars, no-var */ + diff --git a/docker/jitsi/jitsi-front/entrypoint.sh b/docker/jitsi/jitsi-front/entrypoint.sh new file mode 100755 index 0000000..1e18bd1 --- /dev/null +++ b/docker/jitsi/jitsi-front/entrypoint.sh 
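Review bot: In the `p2p` block of `config.js`, `stunServers` lists three `stun.l.google.com` hosts, so in two-party calls each client contacts a third party to discover its address and reveals its IP in doing so; `disableThirdPartyRequests` is also left commented out in the Privacy section. The file appears to be the upstream sample with only `domain`, `muc` and `bosh` changed, so these look like inherited defaults rather than decisions. If the deployment is meant to be self-contained, point `stunServers` at a STUN/TURN service you operate and set `disableThirdPartyRequests: true`, or add a comment recording that the defaults were kept on purpose.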
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+cat > /etc/nginx/sites-available/jitsi <<EOF
+server_names_hash_bucket_size 64;
+
+server {
+ listen 0.0.0.0:443 ssl http2 default_server;
+ listen [::]:443 ssl http2 default_server;
+ server_name _;
+ ssl_certificate ${JITSI_CERTS_FOLDER}/jitsi.deuxfleurs.fr.crt;
+ ssl_certificate_key ${JITSI_CERTS_FOLDER}/jitsi.deuxfleurs.fr.key;
+ root /srv/jitsi-meet;
+ index index.html;
+ location ~ ^/([a-zA-Z0-9=\?]+)$ {
+ rewrite ^/(.*)$ / break;
+ }
+ location / {
+ ssi on;
+ }
+ # BOSH, Bidirectional-streams Over Synchronous HTTP
+ # https://en.wikipedia.org/wiki/BOSH_(protocol)
+ location /http-bind {
+ proxy_pass http://${JITSI_PROSODY_BOSH_HOST}:${JITSI_PROSODY_BOSH_PORT}/http-bind;
+ proxy_set_header X-Forwarded-For \$remote_addr;
+ proxy_set_header Host \$http_host;
+ }
+ # external_api.js must be accessible from the root of the
+ # installation for the electron version of Jitsi Meet to work
+ # https://github.com/jitsi/jitsi-meet-electron
+ location /external_api.js {
+ alias /srv/jitsi-meet/libs/external_api.min.js;
+ }
+}
+EOF
+
+ln -sf /etc/nginx/sites-available/jitsi /etc/nginx/sites-enabled/jitsi
+
+exec "$@"
diff --git a/docker/jitsi/jitsi-videobridge/Dockerfile b/docker/jitsi/jitsi-videobridge/Dockerfile
new file mode 100644
index 0000000..e34d000
--- /dev/null
+++ b/docker/jitsi/jitsi-videobridge/Dockerfile
@@ -0,0 +1,21 @@
+FROM debian:buster AS builder
+
+RUN apt-get update && \
+ apt-get install -y wget unzip
+
+ENV VERSION=1132
+RUN wget https://download.jitsi.org/jitsi-videobridge/linux/jitsi-videobridge-linux-x64-${VERSION}.zip -O jvb.zip && \
+ unzip jvb.zip && \
+ mv jitsi-videobridge-linux-x64-${VERSION} jvb
+
+FROM debian:buster
+
+RUN apt-get update && \
+ apt-get install -y openjdk-11-jdk
+
+COPY --from=builder /jvb /srv/jvb
+ENV HOME=/srv/jvb
+WORKDIR /srv/jvb
+COPY jvb_run /usr/local/bin/jvb_run
+
+CMD ["/usr/local/bin/jvb_run"]
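Review bot: The heredoc in `entrypoint.sh` writes `${JITSI_CERTS_FOLDER}`, `${JITSI_PROSODY_BOSH_HOST}` and `${JITSI_PROSODY_BOSH_PORT}` into the nginx config without checking that they are set, and the script has no `set -e`, so a missing variable yields `proxy_pass http://:/http-bind;` and the error only surfaces when nginx starts. Adding `set -euo pipefail` at the top and expansions of the form `${JITSI_PROSODY_BOSH_HOST:?must be set}` makes the container fail early with a clear message. The `server` block also sets no `ssl_protocols`, so the accepted TLS versions are whatever the packaged nginx defaults to; `ssl_protocols TLSv1.2 TLSv1.3;` is worth adding. The other launcher scripts in this commit (`jvb_run`, `xmpp_conf`, `xmpp_gen`, `xmpp_run`) lack the same fail-fast setup.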
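Review bot: The videobridge builder downloads `jitsi-videobridge-linux-x64-${VERSION}.zip` with `wget` and unpacks it without any integrity check, so the image trusts whatever the download host returns for build 1132. Recording the expected digest and verifying it before `unzip`, e.g. `echo "<SHA256_OF_ZIP>  jvb.zip" | sha256sum -c -`, ties the image to the artifact that was reviewed. The final stage installs `openjdk-11-jdk`, where a headless JRE package would be enough to run the bridge and leaves fewer tools in the image.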
diff --git a/docker/jitsi/jitsi-videobridge/jvb_run b/docker/jitsi/jitsi-videobridge/jvb_run
new file mode 100755
index 0000000..2431081
--- /dev/null
+++ b/docker/jitsi/jitsi-videobridge/jvb_run
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+cat >> /etc/hosts <<EOF
+${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr
+127.0.0.1 `hostname`
+EOF
+
+cd /srv/jvb
+
+cat > ~/.sip-communicator/sip-communicator.properties <<EOF
+org.jitsi.impl.neomedia.transform.srtp.SRTPCryptoContext.checkReplay=false
+# The videobridge uses 443 by default with 4443 as a fallback, but since we're already
+# running nginx on 443 in this example doc, we specify 4443 manually to avoid a race condition
+org.jitsi.videobridge.TCP_HARVESTER_PORT=4443
+org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=${JITSI_NAT_LOCAL_IP}
+org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=${JITSI_NAT_PUBLIC_IP}
+EOF
+
+./jvb.sh \
+ --host=${JITSI_PROSODY_HOST} \
+ --domain=jitsi.deuxfleurs.fr \
+ --port=5347 \
+ --secret=${JITSI_SECRET_VIDEOBRIDGE}
diff --git a/docker/jitsi/jitsi-xmpp/Dockerfile b/docker/jitsi/jitsi-xmpp/Dockerfile
new file mode 100644
index 0000000..3733d49
--- /dev/null
+++ b/docker/jitsi/jitsi-xmpp/Dockerfile
@@ -0,0 +1,11 @@
+FROM debian:buster
+
+RUN apt-get update && \
+ apt-get install -y prosody
+
+COPY external_components.cfg.lua /etc/prosody/conf.d/external_components.cfg.lua
+COPY xmpp_conf /usr/local/bin/xmpp_conf
+COPY xmpp_gen /usr/local/bin/xmpp_gen
+COPY xmpp_run /usr/local/bin/xmpp_run
+
+CMD ["/usr/local/bin/xmpp_run"]
diff --git a/docker/jitsi/jitsi-xmpp/external_components.cfg.lua b/docker/jitsi/jitsi-xmpp/external_components.cfg.lua
new file mode 100644
index 0000000..beaaa87
--- /dev/null
+++ b/docker/jitsi/jitsi-xmpp/external_components.cfg.lua
@@ -0,0 +1,2 @@
+component_ports = { 5347 }
+component_interface = "0.0.0.0"
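Review bot: The `sip-communicator.properties` file generated by `jvb_run` sets `org.jitsi.impl.neomedia.transform.srtp.SRTPCryptoContext.checkReplay=false`, which by its name turns off SRTP replay checking, and nothing in the script says why. If the line was carried over from the upstream install notes, add a comment such as `# replay check disabled as in the upstream manual-install doc; revisit`, or remove it and test. The script also writes to `~/.sip-communicator/` without creating it; unless the unpacked archive ships that directory, add `mkdir -p ~/.sip-communicator` before the `cat`.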
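Review bot: `component_interface = "0.0.0.0"` in `external_components.cfg.lua` makes Prosody accept component connections on every interface, and because `02_run.yml` runs the container with host networking that means port 5347 on the host itself. `dev.env` sets `JITSI_PROSODY_HOST=127.0.0.1`, so jicofo and the videobridge connect over loopback and the only thing protecting the port from other machines is the component secret. Unless a remote component is planned, use `component_interface = "127.0.0.1"`.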
diff --git a/docker/jitsi/jitsi-xmpp/xmpp_conf b/docker/jitsi/jitsi-xmpp/xmpp_conf
new file mode 100755
index 0000000..2a9278e
--- /dev/null
+++ b/docker/jitsi/jitsi-xmpp/xmpp_conf
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+cat >> /etc/hosts <<EOF
+${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr
+127.0.0.1 `hostname`
+EOF
+
+mkdir -p /etc/prosody/conf.{d,avail}/
+cat > /etc/prosody/conf.avail/jitsi.deuxfleurs.fr.cfg.lua <<EOF
+VirtualHost "jitsi.deuxfleurs.fr"
+ authentication = "anonymous"
+ ssl = {
+ key = "/var/lib/prosody/jitsi.deuxfleurs.fr.key";
+ certificate = "/var/lib/prosody/jitsi.deuxfleurs.fr.crt";
+ }
+ modules_enabled = {
+ "bosh";
+ "pubsub";
+ }
+ c2s_require_encryption = false
+
+VirtualHost "auth.jitsi.deuxfleurs.fr"
+ ssl = {
+ key = "/var/lib/prosody/auth.jitsi.deuxfleurs.fr.key";
+ certificate = "/var/lib/prosody/auth.jitsi.deuxfleurs.fr.crt";
+ }
+ authentication = "internal_plain"
+
+admins = { "focus@auth.jitsi.deuxfleurs.fr" }
+
+Component "conference.jitsi.deuxfleurs.fr" "muc"
+Component "jitsi-videobridge.jitsi.deuxfleurs.fr"
+ component_secret = "${JITSI_SECRET_VIDEOBRIDGE}"
+Component "focus.jitsi.deuxfleurs.fr"
+ component_secret = "${JITSI_SECRET_JICOFO_COMPONENT}"
+EOF
+
+ln -sf \
+ /etc/prosody/conf.avail/jitsi.deuxfleurs.fr.cfg.lua \
+ /etc/prosody/conf.d/jitsi.deuxfleurs.fr.cfg.lua
+
+
diff --git a/docker/jitsi/jitsi-xmpp/xmpp_gen b/docker/jitsi/jitsi-xmpp/xmpp_gen
new file mode 100755
index 0000000..3a2e04a
--- /dev/null
+++ b/docker/jitsi/jitsi-xmpp/xmpp_gen
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+/usr/local/bin/xmpp_conf
+
+prosodyctl cert generate jitsi.deuxfleurs.fr
+prosodyctl cert generate auth.jitsi.deuxfleurs.fr
+
+cp /var/lib/prosody/*.crt ${JITSI_CERTS_FOLDER}
+cp /var/lib/prosody/*.key ${JITSI_CERTS_FOLDER}
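Review bot: The anonymous `VirtualHost "jitsi.deuxfleurs.fr"` written by `xmpp_conf` sets `c2s_require_encryption = false`, and `02_run.yml` runs Prosody with host networking, so the client port 5222 would accept unencrypted sessions from the network and not only from the local nginx BOSH proxy. If the setting exists only for the loopback BOSH hop, say so in a comment and restrict where c2s listens, for example `c2s_interfaces = { "127.0.0.1" }`; otherwise set it to `true`. The two `component_secret` lines also interpolate environment values straight into Lua string literals, so a secret containing `"` or `\` would corrupt the generated config.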
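Review bot: `cp /var/lib/prosody/*.key ${JITSI_CERTS_FOLDER}` in `xmpp_gen` puts both private keys into the shared certificate folder, which `02_run.yml` mounts into all four containers. Going by the scripts in this commit, jicofo reads only `auth.jitsi.deuxfleurs.fr.crt` and the videobridge reads nothing from `/certs`, so both receive key material they do not use. I would write keys and certificates to separate directories, or mount individual files, so that only Prosody and nginx get the `.key` files, and add `umask 077` before the copy in case the keys would otherwise land world-readable on the host.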
diff --git a/docker/jitsi/jitsi-xmpp/xmpp_run b/docker/jitsi/jitsi-xmpp/xmpp_run new file mode 100755 index 0000000..8dfdf86 --- /dev/null +++ b/docker/jitsi/jitsi-xmpp/xmpp_run @@ -0,0 +1,19 @@ +#!/bin/bash + +/usr/local/bin/xmpp_conf +cp ${JITSI_CERTS_FOLDER}/* /var/lib/prosody/ +chown -R prosody:prosody /var/lib/prosody + +mkdir -p /usr/local/share/ca-certificates/ +ln -sf \ + /var/lib/prosody/auth.jitsi.deuxfleurs.fr.crt \ + /usr/local/share/ca-certificates/auth.jitsi.deuxfleurs.fr.crt + +prosodyctl register focus auth.jitsi.deuxfleurs.fr ${JITSI_SECRET_JICOFO_USER} + +mkdir /run/prosody +touch /run/prosody/prosody.pid +chown -R prosody:prosody /run/prosody + +cd /var/lib/prosody +su - prosody -s /bin/bash -c prosody diff --git a/nomad/traefik.hcl b/nomad/traefik.hcl index 8b9788e..3796c2d 100644 --- a/nomad/traefik.hcl +++ b/nomad/traefik.hcl @@ -60,11 +60,6 @@ job "frontend" { data = "{{ key \"configuration/traefik/traefik.toml\" }}" destination = "secrets/traefik.toml" } - template { - data = "{{ key \"configuration/traefik/cloudflare.env\" }}" - destination = "secrets/cloudflare.env" - env = true - } } } } |
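Review bot: `mkdir /run/prosody` in `xmpp_run` has no `-p`, so it fails when the container is restarted rather than recreated, and because the script has no `set -e` the failure goes unnoticed; `mkdir -p /run/prosody` is the simple fix. `cp ${JITSI_CERTS_FOLDER}/* /var/lib/prosody/` copies everything found in the mounted folder, and that unquoted glob would be better limited to the `.crt` and `.key` files Prosody needs. With `authentication = "internal_plain"` from `xmpp_conf`, the focus password registered here is stored by Prosody in clear text; `internal_hashed` avoids that, provided the focus login still works with it.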