authorQuentin Dufour <quentin@dufour.io>2021-02-01 09:50:38 +0100
committerQuentin Dufour <quentin@dufour.io>2021-02-01 09:50:38 +0100
commit088c9df20ce62019244b71120edef9b9bded9523 (patch)
tree2ba4a73e5e5fdc62e48017f81a692cc3907edabf
parent0a87d26e47646fb0a3e9a9399ea83b39640583b1 (diff)
downloadinfrastructure-088c9df20ce62019244b71120edef9b9bded9523.tar.gz
infrastructure-088c9df20ce62019244b71120edef9b9bded9523.zip
Prepare Nomad deployment
-rw-r--r--app/jitsi/config/config.js773
-rw-r--r--app/jitsi/config/global_env.tpl10
-rw-r--r--app/jitsi/config/jicofo.conf273
-rw-r--r--app/jitsi/config/nginx.conf42
-rw-r--r--app/jitsi/config/prosody.cfg.lua135
-rw-r--r--app/jitsi/config/videobridge.conf290
-rw-r--r--app/jitsi/deploy/jitsi.hcl155
-rw-r--r--app/jitsi/integration/jvb/videobridge.conf1
-rw-r--r--app/jitsi/secrets/jitsi/auth.jitsi.crt1
-rw-r--r--app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt1
-rw-r--r--app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key1
-rw-r--r--app/jitsi/secrets/jitsi/auth.jitsi.key1
-rw-r--r--app/jitsi/secrets/jitsi/jicofo_pass1
-rw-r--r--app/jitsi/secrets/jitsi/jitsi.crt1
-rw-r--r--app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt1
-rw-r--r--app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key1
-rw-r--r--app/jitsi/secrets/jitsi/jitsi.key1
-rw-r--r--app/jitsi/secrets/jitsi/jvb_pass1
18 files changed, 1611 insertions, 78 deletions
diff --git a/app/jitsi/config/config.js b/app/jitsi/config/config.js
new file mode 100644
index 0000000..9464f37
--- /dev/null
+++ b/app/jitsi/config/config.js
@@ -0,0 +1,773 @@
+/* eslint-disable no-unused-vars, no-var */
+
+var config = {
+ // Connection
+ //
+
+ hosts: {
+ // XMPP domain.
+ domain: 'jitsi',
+
+ // When using authentication, domain for guest users.
+ // anonymousdomain: 'guest.example.com',
+
+ // Domain for authenticated users. Defaults to <domain>.
+ // authdomain: 'jitsi-meet.example.com',
+
+ // Focus component domain. Defaults to focus.<domain>.
+ // focus: 'focus.jitsi-meet.example.com',
+
+ // XMPP MUC domain. FIXME: use XEP-0030 to discover it.
+ muc: 'conference.jitsi'
+ },
+
+ // BOSH URL. FIXME: use XEP-0156 to discover it.
+ bosh: '//jitsi.deuxfleurs.fr/http-bind',
+
+ // Websocket URL
+ // websocket: 'wss://jitsi-meet.example.com/xmpp-websocket',
+
+ // The name of client node advertised in XEP-0115 'c' stanza
+ clientNode: 'http://jitsi.org/jitsimeet',
+
+ // The real JID of focus participant - can be overridden here
+ // Do not change username - FIXME: Make focus username configurable
+ // https://github.com/jitsi/jitsi-meet/issues/7376
+ // focusUserJid: 'focus@auth.jitsi-meet.example.com',
+
+
+ // Testing / experimental features.
+ //
+
+ testing: {
+ // Disables the End to End Encryption feature. Useful for debugging
+ // issues related to insertable streams.
+ // disableE2EE: false,
+
+ // P2P test mode disables automatic switching to P2P when there are 2
+ // participants in the conference.
+ p2pTestMode: false
+
+ // Enables the test specific features consumed by jitsi-meet-torture
+ // testMode: false
+
+ // Disables the auto-play behavior of *all* newly created video element.
+ // This is useful when the client runs on a host with limited resources.
+ // noAutoPlayVideo: false
+
+ // Enable / disable 500 Kbps bitrate cap on desktop tracks. When enabled,
+ // simulcast is turned off for the desktop share. If presenter is turned
+ // on while screensharing is in progress, the max bitrate is automatically
+ // adjusted to 2.5 Mbps. This takes a value between 0 and 1 which determines
+ // the probability for this to be enabled.
+ // capScreenshareBitrate: 1 // 0 to disable
+
+ // Enable callstats only for a percentage of users.
+ // This takes a value between 0 and 100 which determines the probability for
+ // the callstats to be enabled.
+ // callStatsThreshold: 5 // enable callstats for 5% of the users.
+ },
+
+ // Disables ICE/UDP by filtering out local and remote UDP candidates in
+ // signalling.
+ // webrtcIceUdpDisable: false,
+
+ // Disables ICE/TCP by filtering out local and remote TCP candidates in
+ // signalling.
+ // webrtcIceTcpDisable: false,
+
+
+ // Media
+ //
+
+ // Audio
+
+ // Disable measuring of audio levels.
+ // disableAudioLevels: false,
+ // audioLevelsInterval: 200,
+
+ // Enabling this will run the lib-jitsi-meet no audio detection module which
+ // will notify the user if the current selected microphone has no audio
+ // input and will suggest another valid device if one is present.
+ enableNoAudioDetection: true,
+
+ // Enabling this will show a "Save Logs" link in the GSM popover that can be
+ // used to collect debug information (XMPP IQs, SDP offer/answer cycles)
+ // about the call.
+ // enableSaveLogs: false,
+
+ // Enabling this will run the lib-jitsi-meet noise detection module which will
+ // notify the user if there is noise, other than voice, coming from the current
+ // selected microphone. The purpose it to let the user know that the input could
+ // be potentially unpleasant for other meeting participants.
+ enableNoisyMicDetection: false,
+
+ // Start the conference in audio only mode (no video is being received nor
+ // sent).
+ startAudioOnly: false,
+
+ // Every participant after the Nth will start audio muted.
+ startAudioMuted: 5,
+
+ // Start calls with audio muted. Unlike the option above, this one is only
+ // applied locally. FIXME: having these 2 options is confusing.
+ // startWithAudioMuted: false,
+
+ // Enabling it (with #params) will disable local audio output of remote
+ // participants and to enable it back a reload is needed.
+ // startSilent: false
+
+ // Sets the preferred target bitrate for the Opus audio codec by setting its
+ // 'maxaveragebitrate' parameter. Currently not available in p2p mode.
+ // Valid values are in the range 6000 to 510000
+ // opusMaxAverageBitrate: 20000,
+
+ // Enables support for opus-red (redundancy for Opus).
+ // enableOpusRed: false
+
+ // Video
+
+ // Sets the preferred resolution (height) for local video. Defaults to 720.
+ // resolution: 720,
+
+ // How many participants while in the tile view mode, before the receiving video quality is reduced from HD to SD.
+ // Use -1 to disable.
+ // maxFullResolutionParticipants: 2,
+
+ // w3c spec-compliant video constraints to use for video capture. Currently
+ // used by browsers that return true from lib-jitsi-meet's
+ // util#browser#usesNewGumFlow. The constraints are independent from
+ // this config's resolution value. Defaults to requesting an ideal
+ // resolution of 720p.
+ // constraints: {
+ // video: {
+ // height: {
+ // ideal: 720,
+ // max: 720,
+ // min: 240
+ // }
+ // }
+ // },
+
+ // Enable / disable simulcast support.
+ // disableSimulcast: false,
+
+ // Enable / disable layer suspension. If enabled, endpoints whose HD
+ // layers are not in use will be suspended (no longer sent) until they
+ // are requested again.
+ // enableLayerSuspension: false,
+
+ // Every participant after the Nth will start video muted.
+ startVideoMuted: 5,
+
+ // Start calls with video muted. Unlike the option above, this one is only
+ // applied locally. FIXME: having these 2 options is confusing.
+ // startWithVideoMuted: false,
+
+ // If set to true, prefer to use the H.264 video codec (if supported).
+ // Note that it's not recommended to do this because simulcast is not
+ // supported when using H.264. For 1-to-1 calls this setting is enabled by
+ // default and can be toggled in the p2p section.
+ // This option has been deprecated, use preferredCodec under videoQuality section instead.
+ // preferH264: true,
+
+ // If set to true, disable H.264 video codec by stripping it out of the
+ // SDP.
+ // disableH264: false,
+
+ // Desktop sharing
+
+ // Optional desktop sharing frame rate options. Default value: min:5, max:5.
+ // desktopSharingFrameRate: {
+ // min: 5,
+ // max: 5
+ // },
+
+ // Try to start calls with screen-sharing instead of camera video.
+ // startScreenSharing: false,
+
+ // Recording
+
+ // Whether to enable file recording or not.
+ // fileRecordingsEnabled: false,
+ // Enable the dropbox integration.
+ // dropbox: {
+ // appKey: '<APP_KEY>' // Specify your app key here.
+ // // A URL to redirect the user to, after authenticating
+ // // by default uses:
+ // // 'https://jitsi-meet.example.com/static/oauth.html'
+ // redirectURI:
+ // 'https://jitsi-meet.example.com/subfolder/static/oauth.html'
+ // },
+ // When integrations like dropbox are enabled only that will be shown,
+ // by enabling fileRecordingsServiceEnabled, we show both the integrations
+ // and the generic recording service (its configuration and storage type
+ // depends on jibri configuration)
+ // fileRecordingsServiceEnabled: false,
+ // Whether to show the possibility to share file recording with other people
+ // (e.g. meeting participants), based on the actual implementation
+ // on the backend.
+ // fileRecordingsServiceSharingEnabled: false,
+
+ // Whether to enable live streaming or not.
+ // liveStreamingEnabled: false,
+
+ // Transcription (in interface_config,
+ // subtitles and buttons can be configured)
+ // transcribingEnabled: false,
+
+ // Enables automatic turning on captions when recording is started
+ // autoCaptionOnRecord: false,
+
+ // Misc
+
+ // Default value for the channel "last N" attribute. -1 for unlimited.
+ channelLastN: -1,
+
+ // Provides a way to use different "last N" values based on the number of participants in the conference.
+ // The keys in an Object represent number of participants and the values are "last N" to be used when number of
+ // participants gets to or above the number.
+ //
+ // For the given example mapping, "last N" will be set to 20 as long as there are at least 5, but less than
+ // 29 participants in the call and it will be lowered to 15 when the 30th participant joins. The 'channelLastN'
+ // will be used as default until the first threshold is reached.
+ //
+ // lastNLimits: {
+ // 5: 20,
+ // 30: 15,
+ // 50: 10,
+ // 70: 5,
+ // 90: 2
+ // },
+
+ // Specify the settings for video quality optimizations on the client.
+ // videoQuality: {
+ // // Provides a way to prevent a video codec from being negotiated on the JVB connection. The codec specified
+ // // here will be removed from the list of codecs present in the SDP answer generated by the client. If the
+ // // same codec is specified for both the disabled and preferred option, the disable settings will prevail.
+ // // Note that 'VP8' cannot be disabled since it's a mandatory codec, the setting will be ignored in this case.
+ // disabledCodec: 'H264',
+ //
+ // // Provides a way to set a preferred video codec for the JVB connection. If 'H264' is specified here,
+ // // simulcast will be automatically disabled since JVB doesn't support H264 simulcast yet. This will only
+ // // rearrange the the preference order of the codecs in the SDP answer generated by the browser only if the
+ // // preferred codec specified here is present. Please ensure that the JVB offers the specified codec for this
+ // // to take effect.
+ // preferredCodec: 'VP8',
+ //
+ // // Provides a way to configure the maximum bitrates that will be enforced on the simulcast streams for
+ // // video tracks. The keys in the object represent the type of the stream (LD, SD or HD) and the values
+ // // are the max.bitrates to be set on that particular type of stream. The actual send may vary based on
+ // // the available bandwidth calculated by the browser, but it will be capped by the values specified here.
+ // // This is currently not implemented on app based clients on mobile.
+ // maxBitratesVideo: {
+ // low: 200000,
+ // standard: 500000,
+ // high: 1500000
+ // },
+ //
+ // // The options can be used to override default thresholds of video thumbnail heights corresponding to
+ // // the video quality levels used in the application. At the time of this writing the allowed levels are:
+ // // 'low' - for the low quality level (180p at the time of this writing)
+ // // 'standard' - for the medium quality level (360p)
+ // // 'high' - for the high quality level (720p)
+ // // The keys should be positive numbers which represent the minimal thumbnail height for the quality level.
+ // //
+ // // With the default config value below the application will use 'low' quality until the thumbnails are
+ // // at least 360 pixels tall. If the thumbnail height reaches 720 pixels then the application will switch to
+ // // the high quality.
+ // minHeightForQualityLvl: {
+ // 360: 'standard',
+ // 720: 'high'
+ // },
+ //
+ // // Provides a way to resize the desktop track to 720p (if it is greater than 720p) before creating a canvas
+ // // for the presenter mode (camera picture-in-picture mode with screenshare).
+ // resizeDesktopForPresenter: false
+ // },
+
+ // // Options for the recording limit notification.
+ // recordingLimit: {
+ //
+ // // The recording limit in minutes. Note: This number appears in the notification text
+ // // but doesn't enforce the actual recording time limit. This should be configured in
+ // // jibri!
+ // limit: 60,
+ //
+ // // The name of the app with unlimited recordings.
+ // appName: 'Unlimited recordings APP',
+ //
+ // // The URL of the app with unlimited recordings.
+ // appURL: 'https://unlimited.recordings.app.com/'
+ // },
+
+ // Disables or enables RTX (RFC 4588) (defaults to false).
+ // disableRtx: false,
+
+ // Disables or enables TCC support in this client (default: enabled).
+ // enableTcc: true,
+
+ // Disables or enables REMB support in this client (default: enabled).
+ // enableRemb: true,
+
+ // Enables ICE restart logic in LJM and displays the page reload overlay on
+ // ICE failure. Current disabled by default because it's causing issues with
+ // signaling when Octo is enabled. Also when we do an "ICE restart"(which is
+ // not a real ICE restart), the client maintains the TCC sequence number
+ // counter, but the bridge resets it. The bridge sends media packets with
+ // TCC sequence numbers starting from 0.
+ // enableIceRestart: false,
+
+ // Use TURN/UDP servers for the jitsi-videobridge connection (by default
+ // we filter out TURN/UDP because it is usually not needed since the
+ // bridge itself is reachable via UDP)
+ // useTurnUdp: false
+
+ // UI
+ //
+
+ // Disables responsive tiles.
+ // disableResponsiveTiles: false,
+
+ // Hides lobby button
+ // hideLobbyButton: false,
+
+ // Require users to always specify a display name.
+ // requireDisplayName: true,
+
+ // Whether to use a welcome page or not. In case it's false a random room
+ // will be joined when no room is specified.
+ enableWelcomePage: true,
+
+ // Disable app shortcuts that are registered upon joining a conference
+ // disableShortcuts: false,
+
+ // Disable initial browser getUserMedia requests.
+ // This is useful for scenarios where users might want to start a conference for screensharing only
+ // disableInitialGUM: false,
+
+ // Enabling the close page will ignore the welcome page redirection when
+ // a call is hangup.
+ // enableClosePage: false,
+
+ // Disable hiding of remote thumbnails when in a 1-on-1 conference call.
+ // disable1On1Mode: false,
+
+ // Default language for the user interface.
+ defaultLanguage: 'fr',
+
+ // Disables profile and the edit of all fields from the profile settings (display name and email)
+ // disableProfile: false,
+
+ // Whether or not some features are checked based on token.
+ // enableFeaturesBasedOnToken: false,
+
+ // When enabled the password used for locking a room is restricted to up to the number of digits specified
+ // roomPasswordNumberOfDigits: 10,
+ // default: roomPasswordNumberOfDigits: false,
+
+ // Message to show the users. Example: 'The service will be down for
+ // maintenance at 01:00 AM GMT,
+ // noticeMessage: '',
+
+ // Enables calendar integration, depends on googleApiApplicationClientID
+ // and microsoftApiApplicationClientID
+ // enableCalendarIntegration: false,
+
+ // When 'true', it shows an intermediate page before joining, where the user can configure their devices.
+ prejoinPageEnabled: true,
+
+ // If etherpad integration is enabled, setting this to true will
+ // automatically open the etherpad when a participant joins. This
+ // does not affect the mobile app since opening an etherpad
+ // obscures the conference controls -- it's better to let users
+ // choose to open the pad on their own in that case.
+ // openSharedDocumentOnJoin: false,
+
+ // If true, shows the unsafe room name warning label when a room name is
+ // deemed unsafe (due to the simplicity in the name) and a password is not
+ // set or the lobby is not enabled.
+ // enableInsecureRoomNameWarning: false,
+
+ // Whether to automatically copy invitation URL after creating a room.
+ // Document should be focused for this option to work
+ // enableAutomaticUrlCopy: false,
+
+ // Base URL for a Gravatar-compatible service. Defaults to libravatar.
+ // gravatarBaseURL: 'https://seccdn.libravatar.org/avatar/';
+
+ // Stats
+ //
+
+ // Whether to enable stats collection or not in the TraceablePeerConnection.
+ // This can be useful for debugging purposes (post-processing/analysis of
+ // the webrtc stats) as it is done in the jitsi-meet-torture bandwidth
+ // estimation tests.
+ // gatherStats: false,
+
+ // The interval at which PeerConnection.getStats() is called. Defaults to 10000
+ // pcStatsInterval: 10000,
+
+ // To enable sending statistics to callstats.io you must provide the
+ // Application ID and Secret.
+ // callStatsID: '',
+ // callStatsSecret: '',
+
+ // Enables sending participants' display names to callstats
+ // enableDisplayNameInStats: false,
+
+ // Enables sending participants' emails (if available) to callstats and other analytics
+ // enableEmailInStats: false,
+
+ // Privacy
+ //
+
+ // If third party requests are disabled, no other server will be contacted.
+ // This means avatars will be locally generated and callstats integration
+ // will not function.
+ // disableThirdPartyRequests: false,
+
+
+ // Peer-To-Peer mode: used (if enabled) when there are just 2 participants.
+ //
+
+ p2p: {
+ // Enables peer to peer mode. When enabled the system will try to
+ // establish a direct connection when there are exactly 2 participants
+ // in the room. If that succeeds the conference will stop sending data
+ // through the JVB and use the peer to peer connection instead. When a
+ // 3rd participant joins the conference will be moved back to the JVB
+ // connection.
+ enabled: true,
+
+ // The STUN servers that will be used in the peer to peer connections
+ stunServers: [
+
+ // { urls: 'stun:jitsi-meet.example.com:3478' },
+ { urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' }
+ ]
+
+ // Sets the ICE transport policy for the p2p connection. At the time
+ // of this writing the list of possible values are 'all' and 'relay',
+ // but that is subject to change in the future. The enum is defined in
+ // the WebRTC standard:
+ // https://www.w3.org/TR/webrtc/#rtcicetransportpolicy-enum.
+ // If not set, the effective value is 'all'.
+ // iceTransportPolicy: 'all',
+
+ // If set to true, it will prefer to use H.264 for P2P calls (if H.264
+ // is supported). This setting is deprecated, use preferredCodec instead.
+ // preferH264: true
+
+ // Provides a way to set the video codec preference on the p2p connection. Acceptable
+ // codec values are 'VP8', 'VP9' and 'H264'.
+ // preferredCodec: 'H264',
+
+ // If set to true, disable H.264 video codec by stripping it out of the
+ // SDP. This setting is deprecated, use disabledCodec instead.
+ // disableH264: false,
+
+ // Provides a way to prevent a video codec from being negotiated on the p2p connection.
+ // disabledCodec: '',
+
+ // How long we're going to wait, before going back to P2P after the 3rd
+ // participant has left the conference (to filter out page reload).
+ // backToP2PDelay: 5
+ },
+
+ analytics: {
+ // The Google Analytics Tracking ID:
+ // googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1'
+
+ // Matomo configuration:
+ // matomoEndpoint: 'https://your-matomo-endpoint/',
+ // matomoSiteID: '42',
+
+ // The Amplitude APP Key:
+ // amplitudeAPPKey: '<APP_KEY>'
+
+ // Configuration for the rtcstats server:
+ // By enabling rtcstats server every time a conference is joined the rtcstats
+ // module connects to the provided rtcstatsEndpoint and sends statistics regarding
+ // PeerConnection states along with getStats metrics polled at the specified
+ // interval.
+ // rtcstatsEnabled: true,
+
+ // In order to enable rtcstats one needs to provide a endpoint url.
+ // rtcstatsEndpoint: wss://rtcstats-server-pilot.jitsi.net/,
+
+ // The interval at which rtcstats will poll getStats, defaults to 1000ms.
+ // If the value is set to 0 getStats won't be polled and the rtcstats client
+ // will only send data related to RTCPeerConnection events.
+ // rtcstatsPolIInterval: 1000
+
+ // Array of script URLs to load as lib-jitsi-meet "analytics handlers".
+ // scriptURLs: [
+ // "libs/analytics-ga.min.js", // google-analytics
+ // "https://example.com/my-custom-analytics.js"
+ // ],
+ },
+
+ // Logs that should go be passed through the 'log' event if a handler is defined for it
+ // apiLogLevels: ['warn', 'log', 'error', 'info', 'debug'],
+
+ // Information about the jitsi-meet instance we are connecting to, including
+ // the user region as seen by the server.
+ deploymentInfo: {
+ // shard: "shard1",
+ // region: "europe",
+ // userRegion: "asia"
+ },
+
+ // Decides whether the start/stop recording audio notifications should play on record.
+ // disableRecordAudioNotification: false,
+
+ // Information for the chrome extension banner
+ // chromeExtensionBanner: {
+ // // The chrome extension to be installed address
+ // url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb',
+
+ // // Extensions info which allows checking if they are installed or not
+ // chromeExtensionsInfo: [
+ // {
+ // id: 'kglhbbefdnlheedjiejgomgmfplipfeb',
+ // path: 'jitsi-logo-48x48.png'
+ // }
+ // ]
+ // },
+
+ // Local Recording
+ //
+
+ // localRecording: {
+ // Enables local recording.
+ // Additionally, 'localrecording' (all lowercase) needs to be added to
+ // TOOLBAR_BUTTONS in interface_config.js for the Local Recording
+ // button to show up on the toolbar.
+ //
+ // enabled: true,
+ //
+
+ // The recording format, can be one of 'ogg', 'flac' or 'wav'.
+ // format: 'flac'
+ //
+
+ // },
+
+ // Options related to end-to-end (participant to participant) ping.
+ // e2eping: {
+ // // The interval in milliseconds at which pings will be sent.
+ // // Defaults to 10000, set to <= 0 to disable.
+ // pingInterval: 10000,
+ //
+ // // The interval in milliseconds at which analytics events
+ // // with the measured RTT will be sent. Defaults to 60000, set
+ // // to <= 0 to disable.
+ // analyticsInterval: 60000,
+ // },
+
+ // If set, will attempt to use the provided video input device label when
+ // triggering a screenshare, instead of proceeding through the normal flow
+ // for obtaining a desktop stream.
+ // NOTE: This option is experimental and is currently intended for internal
+ // use only.
+ // _desktopSharingSourceDevice: 'sample-id-or-label',
+
+ // If true, any checks to handoff to another application will be prevented
+ // and instead the app will continue to display in the current browser.
+ // disableDeepLinking: false,
+
+ // A property to disable the right click context menu for localVideo
+ // the menu has option to flip the locally seen video for local presentations
+ // disableLocalVideoFlip: false,
+
+ // Mainly privacy related settings
+
+ // Disables all invite functions from the app (share, invite, dial out...etc)
+ // disableInviteFunctions: true,
+
+ // Disables storing the room name to the recents list
+ // doNotStoreRoom: true,
+
+ // Deployment specific URLs.
+ // deploymentUrls: {
+ // // If specified a 'Help' button will be displayed in the overflow menu with a link to the specified URL for
+ // // user documentation.
+ // userDocumentationURL: 'https://docs.example.com/video-meetings.html',
+ // // If specified a 'Download our apps' button will be displayed in the overflow menu with a link
+ // // to the specified URL for an app download page.
+ // downloadAppsUrl: 'https://docs.example.com/our-apps.html'
+ // },
+
+ // Options related to the remote participant menu.
+ // remoteVideoMenu: {
+ // // If set to true the 'Kick out' button will be disabled.
+ // disableKick: true
+ // },
+
+ // If set to true all muting operations of remote participants will be disabled.
+ // disableRemoteMute: true,
+
+ // Enables support for lip-sync for this client (if the browser supports it).
+ // enableLipSync: false
+
+ /**
+ External API url used to receive branding specific information.
+ If there is no url set or there are missing fields, the defaults are applied.
+ None of the fields are mandatory and the response must have the shape:
+ {
+ // The hex value for the colour used as background
+ backgroundColor: '#fff',
+ // The url for the image used as background
+ backgroundImageUrl: 'https://example.com/background-img.png',
+ // The anchor url used when clicking the logo image
+ logoClickUrl: 'https://example-company.org',
+ // The url used for the image used as logo
+ logoImageUrl: 'https://example.com/logo-img.png'
+ }
+ */
+ // dynamicBrandingUrl: '',
+
+ // The URL of the moderated rooms microservice, if available. If it
+ // is present, a link to the service will be rendered on the welcome page,
+ // otherwise the app doesn't render it.
+ // moderatedRoomServiceUrl: 'https://moderated.jitsi-meet.example.com',
+
+ // If true, tile view will not be enabled automatically when the participants count threshold is reached.
+ // disableTileView: true,
+
+ // Hides the conference subject
+ // hideConferenceSubject: true
+
+ // Hides the conference timer.
+ // hideConferenceTimer: true,
+
+ // Hides the participants stats
+ // hideParticipantsStats: true
+
+ // Sets the conference subject
+ // subject: 'Conference Subject',
+
+ // List of undocumented settings used in jitsi-meet
+ /**
+ _immediateReloadThreshold
+ debug
+ debugAudioLevels
+ deploymentInfo
+ dialInConfCodeUrl
+ dialInNumbersUrl
+ dialOutAuthUrl
+ dialOutCodesUrl
+ disableRemoteControl
+ displayJids
+ etherpad_base
+ externalConnectUrl
+ firefox_fake_device
+ googleApiApplicationClientID
+ iAmRecorder
+ iAmSipGateway
+ microsoftApiApplicationClientID
+ peopleSearchQueryTypes
+ peopleSearchUrl
+ requireDisplayName
+ tokenAuthUrl
+ */
+
+ /**
+ * This property can be used to alter the generated meeting invite links (in combination with a branding domain
+ * which is retrieved internally by jitsi meet) (e.g. https://meet.jit.si/someMeeting
+ * can become https://brandedDomain/roomAlias)
+ */
+ // brandingRoomAlias: null,
+
+ // List of undocumented settings used in lib-jitsi-meet
+ /**
+ _peerConnStatusOutOfLastNTimeout
+ _peerConnStatusRtcMuteTimeout
+ abTesting
+ avgRtpStatsN
+ callStatsConfIDNamespace
+ callStatsCustomScriptUrl
+ desktopSharingSources
+ disableAEC
+ disableAGC
+ disableAP
+ disableHPF
+ disableNS
+ enableTalkWhileMuted
+ forceJVB121Ratio
+ forceTurnRelay
+ hiddenDomain
+ ignoreStartMuted
+ websocketKeepAlive
+ websocketKeepAliveUrl
+ */
+
+ /**
+ Use this array to configure which notifications will be shown to the user
+ The items correspond to the title or description key of that notification
+ Some of these notifications also depend on some other internal logic to be displayed or not,
+ so adding them here will not ensure they will always be displayed
+
+ A falsy value for this prop will result in having all notifications enabled (e.g null, undefined, false)
+ */
+ // notifications: [
+ // 'connection.CONNFAIL', // shown when the connection fails,
+ // 'dialog.cameraNotSendingData', // shown when there's no feed from user's camera
+ // 'dialog.kickTitle', // shown when user has been kicked
+ // 'dialog.liveStreaming', // livestreaming notifications (pending, on, off, limits)
+ // 'dialog.lockTitle', // shown when setting conference password fails
+ // 'dialog.maxUsersLimitReached', // shown when maximmum users limit has been reached
+ // 'dialog.micNotSendingData', // shown when user's mic is not sending any audio
+ // 'dialog.passwordNotSupportedTitle', // shown when setting conference password fails due to password format
+ // 'dialog.recording', // recording notifications (pending, on, off, limits)
+ // 'dialog.remoteControlTitle', // remote control notifications (allowed, denied, start, stop, error)
+ // 'dialog.reservationError',
+ // 'dialog.serviceUnavailable', // shown when server is not reachable
+ // 'dialog.sessTerminated', // shown when there is a failed conference session
+ // 'dialog.tokenAuthFailed', // show when an invalid jwt is used
+ // 'dialog.transcribing', // transcribing notifications (pending, off)
+ // 'dialOut.statusMessage', // shown when dial out status is updated.
+ // 'liveStreaming.busy', // shown when livestreaming service is busy
+ // 'liveStreaming.failedToStart', // shown when livestreaming fails to start
+ // 'liveStreaming.unavailableTitle', // shown when livestreaming service is not reachable
+ // 'lobby.joinRejectedMessage', // shown when while in a lobby, user's request to join is rejected
+ // 'lobby.notificationTitle', // shown when lobby is toggled and when join requests are allowed / denied
+ // 'localRecording.localRecording', // shown when a local recording is started
+ // 'notify.disconnected', // shown when a participant has left
+ // 'notify.grantedTo', // shown when moderator rights were granted to a participant
+ // 'notify.invitedOneMember', // shown when 1 participant has been invited
+ // 'notify.invitedThreePlusMembers', // shown when 3+ participants have been invited
+ // 'notify.invitedTwoMembers', // shown when 2 participants have been invited
+ // 'notify.kickParticipant', // shown when a participant is kicked
+ // 'notify.mutedRemotelyTitle', // shown when user is muted by a remote party
+ // 'notify.mutedTitle', // shown when user has been muted upon joining,
+ // 'notify.newDeviceAudioTitle', // prompts the user to use a newly detected audio device
+ // 'notify.newDeviceCameraTitle', // prompts the user to use a newly detected camera
+ // 'notify.passwordRemovedRemotely', // shown when a password has been removed remotely
+ // 'notify.passwordSetRemotely', // shown when a password has been set remotely
+ // 'notify.raisedHand', // shown when a partcipant used raise hand,
+ // 'notify.startSilentTitle', // shown when user joined with no audio
+ // 'prejoin.errorDialOut',
+ // 'prejoin.errorDialOutDisconnected',
+ // 'prejoin.errorDialOutFailed',
+ // 'prejoin.errorDialOutStatus',
+ // 'prejoin.errorStatusCode',
+ // 'prejoin.errorValidation',
+ // 'recording.busy', // shown when recording service is busy
+ // 'recording.failedToStart', // shown when recording fails to start
+ // 'recording.unavailableTitle', // shown when recording service is not reachable
+ // 'toolbar.noAudioSignalTitle', // shown when a broken mic is detected
+ // 'toolbar.noisyAudioInputTitle', // shown when noise is detected for the current microphone
+ // 'toolbar.talkWhileMutedPopup', // shown when user tries to speak while muted
+ // 'transcribing.failedToStart' // shown when transcribing fails to start
+ // ]
+
+ // Allow all above example options to include a trailing comma and
+ // prevent fear when commenting out the last value.
+ makeJsonParserHappy: 'even if last key had a trailing comma'
+
+ // no configuration value should follow this line.
+};
+
+/* eslint-enable no-unused-vars, no-var */
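Review bot: The p2p.stunServers entry `{ urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' }` keeps the upstream default, so every two-party call on this deployment discloses participant addresses to a third-party relay and depends on that host's availability, even though the rest of the file points at jitsi.deuxfleurs.fr. If the deployment runs its own STUN/TURN, point the entry there (e.g. `{ urls: 'stun:<own-stun-host>:3478' }`, placeholder host) and say so in the comment above the array; if it does not, a comment recording that the external dependency is intentional would help the next reader. With `enableWelcomePage: true` on a public instance, the commented-out `enableInsecureRoomNameWarning: true` and `requireDisplayName: true` options are worth enabling, since guessable room names are the usual way uninvited visitors end up in unlocked rooms. The bosh URL `'//jitsi.deuxfleurs.fr/http-bind'` is scheme-relative, which is only safe as long as the page itself is always served over HTTPS — presumably guaranteed by the nginx config added in this same commit, but worth a one-line comment here.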
diff --git a/app/jitsi/config/global_env.tpl b/app/jitsi/config/global_env.tpl
deleted file mode 100644
index d78975d..0000000
--- a/app/jitsi/config/global_env.tpl
+++ /dev/null
@@ -1,10 +0,0 @@
-JITSI_SECRET_VIDEOBRIDGE={{ key "secrets/jitsi/jitsi_secret_videobridge" }}
-JITSI_SECRET_JICOFO_COMPONENT={{ key "secrets/jitsi/jitsi_secret_jicofo_component" }}
-JITSI_SECRET_JICOFO_USER={{ key "secrets/jitsi/jitsi_secret_jicofo_user" }}
-JITSI_PROSODY_BOSH_PORT={{ env "NOMAD_PORT_bosh_port" }}
-JITSI_PROSODY_BOSH_HOST=127.0.0.1
-JITSI_PROSODY_HOST=127.0.0.1
-JITSI_CERTS_FOLDER=/secrets/certs/
-JITSI_NAT_PUBLIC_IP=78.197.205.190
-JITSI_NAT_LOCAL_IP={{ env "NOMAD_IP_video1_port" }}
-NGINX_PORT={{ env "NOMAD_PORT_https_port" }}
diff --git a/app/jitsi/config/jicofo.conf b/app/jitsi/config/jicofo.conf
new file mode 100644
index 0000000..1d33b9c
--- /dev/null
+++ b/app/jitsi/config/jicofo.conf
@@ -0,0 +1,273 @@
+jicofo {
+ // Authentication with external services
+ authentication {
+ enabled = false
+ // The type of authentication. Supported values are XMPP, JWT or SHIBBOLETH (default).
+ type = SHIBBOLETH
+
+ // The pattern of authentication URL. See ShibbolethAuthAuthority for more information.
+ # login-url =
+
+ # logout-url =
+
+ authentication-lifetime = 24 hours
+ enable-auto-login = true
+ }
+ // Configuration related to jitsi-videobridge
+ bridge {
+ // The maximum number of participants in a single conference to put on one bridge (use -1 for no maximum).
+ max-bridge-participants = -1
+ // The assumed maximum packet rate that a bridge can handle.
+ max-bridge-packet-rate = 50000
+ // The assumed average packet rate per participant.
+ average-participant-packet-rate-pps = 500
+ // The assumed average stress per participant.
+ average-participant-stress = 0.01
+ // The assumed time that an endpoint takes to start contributing fully to the load on a bridge. To avoid allocating
+ // a burst of endpoints to the same bridge, the bridge stress is adjusted by adding the number of new endpoints
+ // in the last [participant-rampup-time] multiplied by [average-participant-stress].
+ participant-rampup-interval = 20 seconds
+ // The stress level above which a bridge is considered overstressed.
+ stress-threshold = 0.8
+ // The amount of to wait before retrying using a failed bridge.
+ failure-reset-threshold = 1 minute
+ // The bridge selection strategy. The built-in strategies are:
+ // SingleBridgeSelectionStrategy: Use the least loaded bridge, do not split a conference between bridges (Octo).
+ // SplitBridgeSelectionStrategy: Use a separate bridge for each participant (for testing).
+ // RegionBasedBridgeSelectionStrategy: Attempt to put each participant in a bridge in their local region (i.e. use
+ // Octo for geo-location).
+ // IntraRegionBridgeSelectionStrategy: Use additional bridges when a bridge becomes overloaded (i.e. use Octo for
+ // load balancing).
+ //
+ // Additionally, you can use the fully qualified class name for custom BridgeSelectionStrategy implementations.
+ selection-strategy = SingleBridgeSelectionStrategy
+ health-checks {
+ // Whether jicofo should perform periodic health checks to the connected bridges.
+ enabled = true
+ // The interval at which to perform health checks.
+ interval = 10 seconds
+ // When a health checks times out, jicofo will retry and only consider it fail after the retry fails. This
+ // configures the delay between the original health check timing out and the second health check being sent.
+ // It is a duration and defaults to half the [interval].
+ # retry-delay = 5 seconds
+ }
+
+ // The JID of the MUC to be used as a brewery for bridge instances.
+ brewery-jid = "jvbbrewery@internal.auth.jitsi"
+ }
+ // Configure the codecs and RTP extensions to be used in the offer sent to clients.
+ codec {
+ video {
+ vp8 {
+ enabled = true
+ pt = 100
+ // Payload type for the associated RTX stream. Set to -1 to disable RTX.
+ rtx-pt = 96
+ }
+ vp9 {
+ enabled = true
+ pt = 101
+ // Payload type for the associated RTX stream. Set to -1 to disable RTX.
+ rtx-pt = 97
+ }
+ h264 {
+ enabled = true
+ pt = 107
+ // Payload type for the associated RTX stream. Set to -1 to disable RTX.
+ rtx-pt = 99
+ }
+ }
+
+ audio {
+ isac-16000 {
+ enabled = true
+ pt = 103
+ }
+ isac-32000 {
+ enabled = true
+ pt = 104
+ }
+ opus {
+ enabled = true
+ pt = 111
+ minptime = 10
+ use-inband-fec = true
+ red {
+ enabled = false
+ pt = 112
+ }
+ }
+ telephone-event {
+ enabled = true
+ pt = 126
+ }
+ }
+
+ // RTP header extensions
+ rtp-extensions {
+ audio-level {
+ enabled = true
+ id = 1
+ }
+ tof {
+ // TOF is currently disabled, because we don't support it in the bridge
+ // (and currently clients seem to not use it when abs-send-time is
+ // available).
+ enabled = false
+ id = 2
+ }
+ abs-send-time {
+ enabled = true
+ id = 3
+ }
+ rid {
+ enabled = false
+ id = 4
+ }
+ tcc {
+ enabled = true
+ id = 5
+ }
+ video-content-type {
+ enabled = false
+ id = 7
+ }
+ framemarking {
+ enabled = false
+ id = 9
+ }
+ }
+ }
+
+ conference {
+ // Whether to automatically grant the 'owner' role to the first participant in the conference (and subsequently to
+ // the next in line when the current owner leaves).
+ enable-auto-owner = true
+
+ // How long to wait for the initial participant in a conference.
+ initial-timeout = 15 seconds
+
+ // Whether jicofo should inject a random SSRC for endpoints which don't advertise any SSRCs. This is a temporary
+ // workaround for an issue with signaling endpoints for Octo.
+ inject-ssrc-for-recv-only-endpoints = false
+
+ max-ssrcs-per-user = 20
+
+ // How long a participant's media session will be kept alive once it remains the only participant in the room.
+ single-participant-timeout = 20 seconds
+
+ // The minimum number of participants required for the conference to be started.
+ min-participants = 2
+
+ // Experimental.
+ enable-lip-sync = false
+
+ shared-document {
+ // If `true` the shared document uses a random name. Otherwise, it uses the conference name.
+ use-random-name = false
+ }
+ }
+
+ // Configuration for the internal health checks performed by jicofo.
+ health {
+ // Whether to perform health checks.
+ enabled = false
+
+ // The interval between health checks. If set to 0, periodic health checks will not be performed.
+ interval = 10 seconds
+
+ # The timeout for a health check
+ timeout = 30 seconds
+
+ # If performing a health check takes longer than this, it is considered unsuccessful.
+ max-check-duration = 20 seconds
+
+ # The prefix to use when creating MUC rooms for the purpose of health checks.
+ room-name-prefix = "__jicofo-health-check"
+ }
+
+ jibri {
+ // The JID of the MUC to be used as a brewery for jibri instances for streaming.
+ # brewery-jid = "jibribrewery@example.com"
+
+ // How many times to retry a given Jibri request before giving up. Set to -1 to allow infinite retries.
+ num-retries = 5
+
+ // How long to wait for Jibri to start recording from the time it accepts a START request.
+ pending-timeout = 90 seconds
+ }
+
+ jibri-sip {
+ // The JID of the MUC to be used as a brewery for jibri instances for SIP.
+ # brewery-jid = "jibrisipbrewery@example.com"
+ }
+
+ jigasi {
+ // The JID of the MUC to be used as a brewery for jigasi instances.
+ # brewery-jid = "jigasibrewery@example.com"
+ }
+
+ // The region in which the machine is running.
+ #local-region="us-east-1"
+
+ octo {
+ // Whether or not to use Octo. Note that when enabled, its use will be determined by
+ // $jicofo.bridge.selection-strategy.
+ enabled = false
+
+ // An identifier of the Jicofo instance, used for the purpose of generating conference IDs unique across a set of
+ // Jicofo instances. Valid values are [1, 65535]. The value 0 is used when none is explicitly configured.
+ id = 1
+ }
+
+ rest {
+ port = 8888
+ tls-port = 8843
+ }
+
+ sctp {
+ // Whether to allocate SCTP channels on the bridge (only when the client advertises support, and SCTP is
+ // enabled in the per-conference configuration).
+ enabled = true
+ }
+
+ task-pools {
+ shared-pool-max-threads = 1500
+ }
+
+ xmpp {
+ // The separate XMPP connection used for communication with clients (endpoints).
+ client {
+ enabled = true
+ hostname = "{{ env "NOMAD_IP_xmpp_port" }}"
+ port = {{ env "NOMAD_PORT_xmpp_port" }}
+ domain = "auth.jitsi"
+ username = "focus"
+ password = {{ key "secrets/jitsi/jitsi_secret_jicofo_user" }}
+
+ // How long to wait for a response to a stanza before giving up.
+ reply-timeout = 15 seconds
+
+ // The JID/domain of the MUC service used for conferencing.
+ conference-muc-jid = conference.jitsi
+
+ // A flag to suppress the TLS certificate verification.
+ disable-certificate-verification = false
+ }
+ // The separate XMPP connection used for internal services (currently only jitsi-videobridge).
+ service {
+ enabled = false
+ hostname = "jitsi-xmpp"
+ port = 5222
+ domain = "auth.jitsi"
+ username = "focus"
+ password = "jicofopass"
+
+ // How long to wait for a response to a stanza before giving up.
+ reply-timeout = 15 seconds
+
+ // A flag to suppress the TLS certificate verification.
+ disable-certificate-verification = false
+ }
+ }
+}
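Review bot: The client password at `password = {{ key "secrets/jitsi/jitsi_secret_jicofo_user" }}` reads a different Consul key from the one this commit provisions and hands to prosody as `JICOFO_AUTH_PASSWORD` (`secrets/jitsi/jicofo_pass`), so jicofo and prosody would end up with different secrets unless the old key still happens to exist in Consul. The value is also unquoted, while the secret is generated with `openssl rand -base64 24`, whose output can contain `+`, `/` and `=`; `+` and `=` are not allowed in an unquoted HOCON string, so the file would fail to parse for some generated values. I would write `password = "{{ key "secrets/jitsi/jicofo_pass" }}"`, matching the quoted form already used in videobridge.conf. The hard-coded `password = "jicofopass"` in the disabled `service` block is inert as long as `enabled = false` stays, but I would not leave a default credential in a deployed config.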
diff --git a/app/jitsi/config/nginx.conf b/app/jitsi/config/nginx.conf
new file mode 100644
index 0000000..b2213e9
--- /dev/null
+++ b/app/jitsi/config/nginx.conf
@@ -0,0 +1,42 @@
+# some doc: https://www.nginx.com/resources/wiki/start/topics/examples/full/
+error_log /dev/stderr;
+
+events {}
+
+http {
+ access_log /dev/stdout;
+ server_names_hash_bucket_size 64;
+
+ server {
+ listen 0.0.0.0:{{ env "NOMAD_PORT_https_port" }} ssl http2 default_server;
+ listen [::]:{{ env "NOMAD_PORT_https_port" }} ssl http2 default_server;
+ server_name _;
+ ssl_certificate /etc/nginx/jitsi.crt;
+ ssl_certificate_key /etc/nginx/jitsi.key;
+ root /srv/jitsi-meet;
+ index index.html;
+
+ # lot of work would be needed to improve location rules
+ # - in order to allow - and _ in the URL, even space
+ # - while not shadowing other files (.js and following locations)
+ # - passed some times twice on the problem, not as easy as it seems
+ location ~ ^/([a-zA-Z0-9=\?]+)$ {
+ rewrite ^/(.*)$ / break;
+ }
+ location / {
+ ssi on;
+ }
+
+ location /external_api.js {
+ alias /srv/jitsi-meet/libs/external_api.min.js;
+ }
+
+ location /http-bind {
+ proxy_pass http://{{ env "NOMAD_ADDR_xmpp_port" }}/http-bind;
+ proxy_set_header X-Forwarded-For \$remote_addr;
+ proxy_set_header Host \$http_host;
+ }
+
+
+ }
+}
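Review bot: `proxy_set_header X-Forwarded-For \$remote_addr;` and `proxy_set_header Host \$http_host;` escape the dollar sign, which nginx's config grammar does not support (there is no `\$` escape), so the BOSH upstream most likely receives a backslash-prefixed or literal value instead of the client address and Host; since prosody is configured with `consider_bosh_secure = true` and trusts what this proxy forwards, both lines should read `proxy_set_header X-Forwarded-For $remote_addr;` and `proxy_set_header Host $http_host;` (the `\$` looks like a leftover from a shell heredoc). The `proxy_pass` target is `NOMAD_ADDR_xmpp_port`, i.e. the c2s port, while prosody serves BOSH on its `http_ports` and the job allocates a separate `bosh_port`; unless the image rewires this, `/http-bind` should point at the BOSH address. I would also add `ssl_protocols TLSv1.2 TLSv1.3;` to the server block so the TLS floor matches the `tlsv1_2+` policy in prosody.cfg.lua rather than depending on the nginx build default.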
diff --git a/app/jitsi/config/prosody.cfg.lua b/app/jitsi/config/prosody.cfg.lua
new file mode 100644
index 0000000..65dabf6
--- /dev/null
+++ b/app/jitsi/config/prosody.cfg.lua
@@ -0,0 +1,135 @@
+modules_enabled = {
+ "roster"; -- Allow users to have a roster. Recommended ;)
+ "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+ "tls"; -- Add support for secure TLS on c2s/s2s connections
+ "dialback"; -- s2s dialback support
+ "disco"; -- Service discovery
+ "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+ "version"; -- Replies to server version requests
+ "uptime"; -- Report how long server has been running
+ "time"; -- Let others know the time here on this server
+ "ping"; -- Replies to XMPP pings with pongs
+ "pep"; -- Enables users to publish their mood, activity, playing music and more
+ -- jitsi
+ --"smacks"; -- not shipped with prosody
+ "carbons";
+ "mam";
+ "lastactivity";
+ "offline";
+ "pubsub";
+ "adhoc";
+ "websocket";
+ --"http_altconnect"; -- not shipped with prosody
+}
+modules_disabled = { "s2s" }
+
+plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
+
+log = {
+ --log less on console with warn="*console"; or err="*console" or more with debug="*console"
+ info="*console";
+}
+daemonize = false
+use_libevent = true
+
+-- domain mapper options, must at least have domain base set to use the mapper
+muc_mapper_domain_base = "jitsi.deuxfleurs.fr";
+
+--@FIXME would be great to configure it
+--turncredentials_secret = "__turnSecret__";
+
+--turncredentials = {
+-- { type = "stun", host = "jitmeet.example.com", port = "3478" },
+-- { type = "turn", host = "jitmeet.example.com", port = "3478", transport = "udp" },
+-- { type = "turns", host = "jitmeet.example.com", port = "5349", transport = "tcp" }
+--};
+
+cross_domain_bosh = false;
+consider_bosh_secure = true;
+component_ports = { } -- it seems we don't need external components for now...
+https_ports = { } -- we don't need https
+http_ports = { 5280 }
+c2s_ports = { 5222 }
+
+
+-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
+ssl = {
+ protocol = "tlsv1_2+";
+ ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
+}
+
+VirtualHost "jitsi"
+ enabled = true -- Remove this line to enable this host
+ authentication = "anonymous"
+ -- Properties below are modified by jitsi-meet-tokens package config
+ -- and authentication above is switched to "token"
+ --app_id="example_app_id"
+ --app_secret="example_app_secret"
+ -- Assign this host a certificate for TLS, otherwise it would use the one
+ -- set in the global section (if any).
+ -- Note that old-style SSL on port 5223 only supports one certificate, and will always
+ -- use the global one.
+ ssl = {
+ key = "/var/lib/prosody/jitsi.key";
+ certificate = "/var/lib/prosody/jitsi.crt";
+ }
+ speakerstats_component = "speakerstats.jitsi"
+ conference_duration_component = "conferenceduration.jitsi"
+ -- we need bosh
+ modules_enabled = {
+ "bosh";
+ "pubsub";
+ "ping"; -- Enable mod_ping
+ "speakerstats";
+ --"turncredentials"; not supported yet
+ "conference_duration";
+ "muc_lobby_rooms";
+ }
+ c2s_require_encryption = false
+ lobby_muc = "lobby.jitsi"
+ main_muc = "conference.jitsi"
+ -- muc_lobby_whitelist = { "recorder.jitmeet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
+
+Component "conference.jitsi" "muc"
+ storage = "memory"
+ modules_enabled = {
+ "muc_meeting_id";
+ "muc_domain_mapper";
+ --"token_verification";
+ }
+ admins = { "focus@auth.jitsi" }
+ muc_room_locking = false
+ muc_room_default_public_jids = true
+
+-- internal muc component
+Component "internal.auth.jitsi" "muc"
+ storage = "memory"
+ modules_enabled = {
+ "ping";
+ }
+ admins = { "focus@auth.jitsi", "jvb@auth.jitsi" }
+ muc_room_locking = false
+ muc_room_default_public_jids = true
+
+VirtualHost "auth.jitsi"
+ ssl = {
+ key = "/var/lib/prosody/auth.jitsi.key";
+ certificate = "/var/lib/prosody/auth.jitsi.crt";
+ }
+ authentication = "internal_plain"
+
+Component "focus.jitsi" "client_proxy"
+ target_address = "focus@auth.jitsi"
+
+Component "speakerstats.jitsi" "speakerstats_component"
+ muc_component = "conference.jitsi"
+
+Component "conferenceduration.jitsi" "conference_duration_component"
+ muc_component = "conference.jitsi"
+
+Component "lobby.jitsi" "muc"
+ storage = "memory"
+ restrict_room_creation = true
+ muc_room_locking = false
+ muc_room_default_public_jids = true
+
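Review bot: `c2s_ports = { 5222 }` and `http_ports = { 5280 }` are fixed, but in the job file `xmpp_port` is no longer static and `bosh_port` was already dynamic, and jicofo.conf / videobridge.conf connect to `NOMAD_PORT_xmpp_port`; unless the image's entrypoint rewrites the mounted config, prosody listens on ports nothing else is told about. I would template them, `c2s_ports = { {{ env "NOMAD_PORT_xmpp_port" }} }` and `http_ports = { {{ env "NOMAD_PORT_bosh_port" }} }`, or restore the static port allocations in the job. On the security side, `VirtualHost "auth.jitsi"` carries the focus and jvb credentials with `authentication = "internal_plain"` but inherits the global `c2s_require_encryption`, which this file never sets (Prosody's built-in default is false as far as I know), so a client that skips STARTTLS can send those passwords in clear; I would add `c2s_require_encryption = true` under that host (jicofo and jvb verify certificates, so they can meet it) and switch to `internal_hashed` so the passwords are not stored in plaintext. `modules_enabled` also still includes `"version"`, which answers version queries from anonymous guests and can be dropped.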
diff --git a/app/jitsi/config/videobridge.conf b/app/jitsi/config/videobridge.conf
new file mode 100644
index 0000000..9307945
--- /dev/null
+++ b/app/jitsi/config/videobridge.conf
@@ -0,0 +1,290 @@
+videobridge {
+ entity-expiration {
+ # If an entity has no activity after this timeout, it is expired
+ timeout=1 minute
+
+ # The interval at which the videobridge will check for expired entities
+ check-interval=${videobridge.entity-expiration.timeout}
+ }
+ health {
+ # The interval between health checks
+ interval=10 seconds
+
+ # The timeout for a health check
+ timeout=30 seconds
+
+ # If performing a health check takes longer than this, it is considered unsuccessful.
+ max-check-duration=3 seconds
+
+ # Whether or not health check failures should be 'sticky'
+ # (i.e. once the bridge becomes unhealthy, it will never
+ # go back to a healthy state)
+ sticky-failures=false
+ }
+ ep-connection-status {
+ # How long we'll wait for an endpoint to *start* sending
+ # data before we consider it 'inactive'
+ first-transfer-timeout=15 seconds
+
+ # How long an endpoint can be 'inactive' before it will
+ # be considered disconnected
+ max-inactivity-limit=3 seconds
+
+ # How often we check endpoint's connectivity status
+ check-interval=500 milliseconds
+ }
+ cc {
+ bwe-change-threshold=0.15
+ thumbnail-max-height-px=180
+ onstage-ideal-height-px=1080
+ onstage-preferred-height-px=360
+ onstage-preferred-framerate=30
+ enable-onstage-video-suspend=false
+ trust-bwe=true
+
+ # How often we check to send probing data
+ padding-period=15ms
+
+ # How often we'll force recalculations of forwarded
+ # streams
+ max-time-between-calculations = 15 seconds
+
+ # A JVB-wide last-n value, observed by all endpoints. Endpoints
+ # will take the minimum of their setting and this one (-1 implies
+ # no last-n limit)
+ jvb-last-n = -1
+ }
+ # The APIs by which the JVB can be controlled
+ apis {
+ xmpp-client {
+ # The interval at which presence is published in the configured MUCs.
+ presence-interval = ${videobridge.stats.interval}
+
+ configs {
+ unique-xmpp-server {
+ hostname="{{ env "NOMAD_IP_xmpp_port" }}"
+ port = {{ env "NOMAD_PORT_xmpp_port" }}
+ domain = "auth.jitsi"
+ username = "jvb"
+ password = "{{ key "secrets/jitsi/jitsi_secret_jvb_user" }}"
+ muc_jids = "jvbbrewery@internal.auth.jitsi"
+ # The muc_nickname must be unique across all jitsi-videobridge instances
+ muc_nickname = "unique-jvb-server"
+ disable_certificate_verification = false
+ }
+ # example-connection-id {
+ # For the properties which should be
+ # filled out here, see MucClientConfiguration
+ # }
+ }
+ }
+ # The COLIBRI REST API
+ rest {
+ enabled = true
+ }
+ jvb-api {
+ enabled = true
+ }
+ }
+ # Configuration of the different REST APIs.
+ # Note that the COLIBRI REST API is configured under videobridge.apis.rest instead.
+ rest {
+ debug {
+ enabled = true
+ }
+ health {
+ enabled = true
+ }
+ shutdown {
+ # Note that the shutdown API requires the COLIBRI API to also be enabled.
+ enabled = false
+ }
+ version {
+ enabled = true
+ }
+ }
+ http-servers {
+ # The HTTP server which hosts services intended for 'public' use
+ # (e.g. websockets for the bridge channel connection)
+ public {
+ # See JettyBundleActivatorConfig in Jicoco for values
+ port = -1
+ tls-port = -1
+ }
+ # The HTTP server which hosts services intended for 'private' use
+ # (e.g. health or debug stats)
+ private {
+ # See JettyBundleActivatorConfig in Jicoco for values
+ host = 127.0.0.1
+ }
+ }
+ octo {
+ # Whether or not Octo is enabled
+ enabled=false
+
+ # A string denoting the 'region' of this JVB. This region
+ # will be used by Jicofo in the selection of a bridge for
+ # a client by comparing it to the client's region.
+ # Must be set when 'enabled' is true
+ #region="us-west-1"
+
+ # The address on which the Octo relay should bind
+ # Must be set when 'enabled' is true
+ #bind-address=198.51.100.1
+
+ # The port to which the Octo relay should bind
+ bind-port=4096
+
+ # The address which controls the public address which
+ # will be part of the Octo relayId
+ #public-address=198.51.100.1
+
+ # The size of the incoming octo queue. This queue is per-remote-endpoint,
+ # so it matches what we use for local endpoints
+ recv-queue-size=1024
+
+ # The size of the outgoing octo queue. This is a per-originating-endpoint
+ # queue, so assuming all packets are routed (as they currently are for Octo)
+ # it should be the same size as the transceiver recv queue in
+ # jitsi-media-transform. Repeating the description from there:
+ # Assuming 300pps for high-definition, 200pps for standard-definition,
+ # 100pps for low-definition and 50pps for audio, this queue is fed
+ # 650pps, so its size in terms of millis is 1024/650*1000 ~= 1575ms.
+ send-queue-size=1024
+ }
+ load-management {
+ # Whether or not the reducer will be enabled to take actions to mitigate load
+ reducer-enabled = false
+ load-measurements {
+ packet-rate {
+ # The packet rate at which we'll consider the bridge overloaded
+ load-threshold = 50000
+ # The packet rate at which we'll consider the bridge 'underloaded' enough
+ # to start recovery
+ recovery-threshold = 40000
+ }
+ }
+ load-reducers {
+ last-n {
+ # The factor by which we'll reduce the current last-n when trying to reduce load
+ reduction-scale = .75
+ # The factor by which we'll increase the current last-n when trying to recover
+ recover-scale = 1.25
+ # The minimum time in between runs of the last-n reducer to reduce or recover from
+ # load
+ impact-time = 1 minute
+ # The lowest value we'll set for last-n
+ minimum-last-n-value = 0
+ # The highest last-n value we'll enforce. Once the enforced last-n exceeds this value
+ # we'll remove the limit entirely
+ maximum-enforced-last-n-value = 40
+ }
+ }
+ }
+ sctp {
+ # Whether SCTP data channels are enabled.
+ enabled=true
+ }
+ stats {
+ # Whether periodic collection of statistics is enabled or not. When enabled they are accessible through the REST
+ # API (at `/colibri/stats`), and are available to other modules (e.g. to be pushed to callstats or in a MUC).
+ enabled = true
+
+ # The interval at which stats are gathered.
+ interval = 5 seconds
+
+ # Configuration related to pushing statistics to callstats.io.
+ callstats {
+ # An integer application ID (use 0 to disable pushing stats to callstats).
+ app-id = 0
+
+ # The shared secred to authentication with callstats.io.
+ //app-secret = "s3cret"
+
+ # ID of the key that was used to generate token.
+ //key-id = "abcd"
+
+ # The path to private key file.
+ //key-path = "/etc/jitsi/videobridge/ecpriv.jwk"
+
+ # The ID of the server instance to be used when reporting to callstats.
+ bridge-id = "jitsi"
+
+ # TODO: document
+ //conference-id-prefix = "abcd"
+
+ # The interval at which statististics will be published to callstats. This affects both per-conference and global
+ # statistics.
+ # Note that this value will be overriden if a "callstatsio" transport is defined in the parent "stats" section.
+ interval = ${videobridge.stats.interval}
+ }
+ }
+ websockets {
+ enabled=false
+ server-id="default-id"
+
+ # Optional, even when 'enabled' is set to true
+ # tls=true
+ # Must be set when enabled = true
+ #domain="some-domain"
+ }
+ ice {
+ tcp {
+ # Whether ICE/TCP is enabled.
+ enabled = true
+
+ # The port to bind to for ICE/TCP.
+ port = {{ env "NOMAD_PORT_video_port" }}
+
+ # An optional additional port to advertise.
+ # mapped-port = 8443
+ # Whether to use "ssltcp" or plain "tcp".
+ ssltcp = true
+ }
+
+ udp {
+ # The port for ICE/UDP.
+ port = {{ env "NOMAD_PORT_video_port" }}
+ }
+
+ # An optional prefix to include in STUN username fragments generated by the bridge.
+ #ufrag-prefix = "jvb-123:"
+
+ # Which candidate pairs to keep alive. The accepted values are defined in ice4j's KeepAliveStrategy:
+ # "selected_and_tcp", "selected_only", or "all_succeeded".
+ keep-alive-strategy = "selected_and_tcp"
+
+ # Whether to use the "component socket" feature of ice4j.
+ use-component-socket = true
+
+ # Whether to attempt DNS resolution for remote candidates that contain a non-literal address. When set to 'false'
+ # such candidates will be ignored.
+ resolve-remote-candidates = false
+
+ # The nomination strategy to use for ICE. THe accepted values are defined in ice4j's NominationStrategy:
+ # "NominateFirstValid", "NominateHighestPriority", "NominateFirstHostOrReflexiveValid", or "NominateBestRTT".
+ nomination-strategy = "NominateFirstValid"
+ }
+
+ transport {
+ send {
+ # The size of the dtls-transport outgoing queue. This is a per-participant
+ # queue. Packets from the egress end-up in this queue right before
+ # transmission by the outgoing srtp pipeline (which mainly consists of the
+ # packet sender).
+ #
+ # Its size needs to be of the same order of magnitude as the rtp sender
+ # queue. In a 100 participant call, assuming 300pps for the on-stage and
+ # 100pps for low-definition, last-n 20 and 2 participants talking, so
+ # 2*50pps for audio, this queue is fed 300+19*100+2*50 = 2300pps, so its
+ # size in terms of millis is 1024/2300*1000 ~= 445ms.
+ queue-size=1024
+ }
+ }
+
+ version {
+ // Wheather to announe the jitsi-videobridge version to clients in the ServerHello message.
+ announce = false
+ }
+}
+
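Review bot: `password = "{{ key "secrets/jitsi/jitsi_secret_jvb_user" }}"` reads a different Consul key from the one this commit creates and passes to prosody as `JVB_AUTH_PASSWORD` (`secrets/jitsi/jvb_pass`), so unless the old key is still in Consul the bridge authenticates with a secret prosody does not know; the line should read `password = "{{ key "secrets/jitsi/jvb_pass" }}"`. `rest { debug { enabled = true } }` turns on the debug endpoints (conference and endpoint state dumps) on the private Jetty server; binding it to `127.0.0.1` limits exposure, but with `network_mode = "host"` any process on the node can read it, so I would set `debug { enabled = false }` for production and keep only `health`. If the private server keeps its default port 8080, it also overlaps with the static `video_port = 8080` that the job file now hands to `ice.tcp.port` and `ice.udp.port`; worth confirming the bridge starts cleanly, or giving the private server an explicit `port`.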
diff --git a/app/jitsi/deploy/jitsi.hcl b/app/jitsi/deploy/jitsi.hcl
index 1e625bb..82fdfcd 100644
--- a/app/jitsi/deploy/jitsi.hcl
+++ b/app/jitsi/deploy/jitsi.hcl
@@ -11,46 +11,59 @@ job "jitsi" {
network {
port "bosh_port" { }
- port "ext_port" { static = 5347 }
- port "xmpp_port" { static = 5222 }
+ port "xmpp_port" { }
port "https_port" { }
- port "video1_port" { static = 8081 }
- port "video2_port" { static = 10000 }
+ port "video_port" { static = 8080 }
}
task "xmpp" {
driver = "docker"
config {
- image = "superboum/amd64_jitsi_xmpp:v8"
- ports = [ "bosh_port", "ext_port", "xmpp_port" ]
+ image = "superboum/amd64_jitsi_xmpp:v9"
+ ports = [ "bosh_port", "xmpp_port" ]
network_mode = "host"
+ volumes = [
+ "secrets/prosody.cfg.lua:/etc/prosody/prosody.cfg.lua"
+ "secrets/certs/auth.jitsi.crt:/var/lib/prosody/auth.jitsi.crt"
+ "secrets/certs/auth.jitsi.key:/var/lib/prosody/auth.jitsi.key"
+ "secrets/certs/jitsi.crt:/var/lib/prosody/jitsi.crt"
+ "secrets/certs/jitsi.key:/var/lib/prosody/jitsi.key"
+ ]
}
template {
- data = file("../config/global_env.tpl")
+ data = <<EOF
+JICOFO_AUTH_PASSWORD={{ key "secrets/jitsi/jicofo_pass" }}
+JVB_AUTH_PASSWORD={{ key "secrets/jitsi/jvb_pass" }}
+EOF
destination = "secrets/global_env"
env = true
}
+ template {
+ data = file("../config/prosody.cfg.lua")
+ destination = "secrets/prosody.cfg.lua"
+ }
+
# --- secrets ---
template {
- data = "{{ key \"secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt\" }}"
- destination = "secrets/certs/auth.jitsi.deuxfleurs.fr.crt"
+ data = "{{ key \"secrets/jitsi/auth.jitsi.crt\" }}"
+ destination = "secrets/certs/auth.jitsi.crt"
}
template {
- data = "{{ key \"secrets/jitsi/auth.jitsi.deuxfleurs.fr.key\" }}"
- destination = "secrets/certs/auth.jitsi.deuxfleurs.fr.key"
+ data = "{{ key \"secrets/jitsi/auth.jitsi.key\" }}"
+ destination = "secrets/certs/auth.jitsi.key"
}
template {
- data = "{{ key \"secrets/jitsi/jitsi.deuxfleurs.fr.crt\" }}"
- destination = "secrets/certs/jitsi.deuxfleurs.fr.crt"
+ data = "{{ key \"secrets/jitsi/jitsi.crt\" }}"
+ destination = "secrets/certs/jitsi.crt"
}
template {
- data = "{{ key \"secrets/jitsi/jitsi.deuxfleurs.fr.key\" }}"
- destination = "secrets/certs/jitsi.deuxfleurs.fr.key"
+ data = "{{ key \"secrets/jitsi/jitsi.key\" }}"
+ destination = "secrets/certs/jitsi.key"
}
resources {
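Review bot: The new `volumes = [ ... ]` list separates its four mount strings with newlines only, with no commas between them; HCL list elements must be comma-separated, so I would expect `nomad job validate` to reject this (the same pattern recurs in the front, jicofo and videobridge tasks). Each entry should end with `,`, e.g. `"secrets/prosody.cfg.lua:/etc/prosody/prosody.cfg.lua",`. Separately, the inline `secrets/global_env` template provisions `secrets/jitsi/jicofo_pass` and `secrets/jitsi/jvb_pass`, while jicofo.conf and videobridge.conf in this same commit read `secrets/jitsi/jitsi_secret_jicofo_user` and `secrets/jitsi/jitsi_secret_jvb_user`; the key names need to agree or the components cannot log in to prosody.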
@@ -62,7 +75,7 @@ job "jitsi" {
tags = [ "jitsi", "bosh" ]
port = "bosh_port"
address_mode = "host"
- name = "jitsi-xmpp-bosh"
+ name = "bosh-jitsi"
check {
type = "tcp"
port = "bosh_port"
@@ -77,42 +90,47 @@ job "jitsi" {
}
service {
- tags = [ "jitsi", "ext" ]
- port = "ext_port"
- address_mode = "host"
- name = "jitsi-ext"
- }
-
- service {
tags = [ "jitsi", "xmpp" ]
port = "xmpp_port"
address_mode = "host"
- name = "jitsi-xmpp"
+ name = "xmpp-jitsi"
}
}
task "front" {
driver = "docker"
config {
- image = "superboum/amd64_jitsi_meet:v3"
+ image = "superboum/amd64_jitsi_meet:v4"
network_mode = "host"
ports = [ "https_port" ]
+ volumes = [
+ "secrets/certs/jitsi.crt:/etc/nginx/jitsi.crt"
+ "secrets/certs/jitsi.key:/etc/nginx/jitsi.key"
+ "secrets/config.js:/srv/jitsi-meet/config.js"
+ "secrets/nginx.conf:/etc/nginx/nginx.conf"
+ ]
}
template {
- data = file("../config/global_env.tpl")
- destination = "secrets/global_env"
+ data = file("../config/config.js")
+ destination = "secrets/config.js"
+ env = true
+ }
+
+ template {
+ data = file("../config/nginx.conf")
+ destination = "secrets/nginx.conf"
env = true
}
# --- secrets ---
template {
- data = "{{ key \"secrets/jitsi/jitsi.deuxfleurs.fr.crt\" }}"
- destination = "secrets/certs/jitsi.deuxfleurs.fr.crt"
+ data = "{{ key \"secrets/jitsi/jitsi.crt\" }}"
+ destination = "secrets/certs/jitsi.crt"
}
template {
- data = "{{ key \"secrets/jitsi/jitsi.deuxfleurs.fr.key\" }}"
- destination = "secrets/certs/jitsi.deuxfleurs.fr.key"
+ data = "{{ key \"secrets/jitsi/jitsi.key\" }}"
+ destination = "secrets/certs/jitsi.key"
}
resources {
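Review bot: Both new templates in the front task set `env = true` — `secrets/config.js` and `secrets/nginx.conf` — but that flag tells Nomad to parse the rendered file as `KEY=VALUE` environment lines, which a JavaScript config and an nginx config are not; depending on the Nomad version this either fails the allocation or injects junk variables into the container environment. Only the `global_env` template in the xmpp task is a real env file, so I would drop `env = true` from these two, as the jicofo task in this commit already does for jicofo.conf.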
@@ -130,7 +148,7 @@ job "jitsi" {
]
port = "https_port"
address_mode = "host"
- name = "jitsi-front-https"
+ name = "https-jitsi"
check {
type = "tcp"
port = "https_port"
@@ -148,25 +166,29 @@ job "jitsi" {
task "jicofo" {
driver = "docker"
config {
- image = "superboum/amd64_jitsi_conference_focus:v6"
+ image = "superboum/amd64_jitsi_conference_focus:v7"
network_mode = "host"
+ volumes = [
+ "secrets/certs/jitsi.crt:/usr/local/share/ca-certificates/jitsi.crt"
+ "secrets/certs/auth.jitsi.crt:/usr/local/share/ca-certificates/auth.jitsi.crt"
+ "secrets/jicofo.conf:/etc/jitsi/jicofo.conf"
+ ]
}
template {
- data = file("../config/global_env.tpl")
- destination = "secrets/global_env"
- env = true
+ data = file("../config/jicofo.conf")
+ destination = "secrets/jicofo.conf"
}
#--- secrets ---
template {
- data = "{{ key \"secrets/jitsi/jitsi.deuxfleurs.fr.crt\" }}"
- destination = "secrets/certs/jitsi.deuxfleurs.fr.crt"
+ data = "{{ key \"secrets/jitsi/jitsi.crt\" }}"
+ destination = "secrets/certs/jitsi.crt"
}
template {
- data = "{{ key \"secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt\" }}"
- destination = "secrets/certs/auth.jitsi.deuxfleurs.fr.crt"
+ data = "{{ key \"secrets/jitsi/auth.jitsi.crt\" }}"
+ destination = "secrets/certs/auth.jitsi.crt"
}
resources {
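Review bot: Mounting the two certificates into `/usr/local/share/ca-certificates/` only makes them trusted if the container runs `update-ca-certificates` at start and jicofo's JVM is pointed at the system trust store rather than its own cacerts; with `disable-certificate-verification = false` in jicofo.conf, the XMPP connection to `auth.jitsi` fails if that chain is missing. Worth confirming the v7 image does this, or recording the assumption next to the volumes block: `# image entrypoint must run update-ca-certificates and import into the JVM truststore`.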
@@ -178,56 +200,61 @@ job "jitsi" {
task "videobridge" {
driver = "docker"
config {
- image = "superboum/amd64_jitsi_videobridge:v16"
+ image = "superboum/amd64_jitsi_videobridge:v17"
network_mode = "host"
- ports = [ "video1_port", "video2_port" ]
+ ports = [ "video_port" ]
ulimit {
nofile = "1048576:1048576"
nproc = "65536:65536"
}
+ volumes = [
+ "secrets/certs/jitsi.crt:/usr/local/share/ca-certificates/jitsi.crt"
+ "secrets/certs/auth.jitsi.crt:/usr/local/share/ca-certificates/auth.jitsi.crt"
+ "secrets/videobridge.conf:/etc/jitsi/videobridge.conf"
+ ]
}
env {
- #JITSI_DEBUG = 1
- JITSI_VIDEO_TCP = 8081
- VIDEOBRIDGE_MAX_MEMORY = "1450m"
+ # Our container can autodetect the public IP with the ifconfig.me service
+ # However we would like to avoid relying on a 3rd party service for production use
+ # That's why I am setting the public IP address statically here VVVV
+ JITSI_NAT_PUBLIC_IP = "78.197.205.190"
}
template {
- data = file("../config/global_env.tpl")
- destination = "secrets/global_env"
+ data = file("../config/videobridge.conf")
+ destination = "secrets/videobridge.conf"
env = true
}
+ # --- secrets ---
+ template {
+ data = "{{ key \"secrets/jitsi/jitsi.crt\" }}"
+ destination = "secrets/certs/jitsi.crt"
+ }
+
+ template {
+ data = "{{ key \"secrets/jitsi/auth.jitsi.crt\" }}"
+ destination = "secrets/certs/auth.jitsi.crt"
+ }
+
resources {
cpu = 900
- memory = 1500
+ memory = 3000
}
service {
- tags = [ "jitsi", "(diplonat (tcp_port 8081))" ]
- port = "video1_port"
+ tags = [ "jitsi", "(diplonat (tcp_port 8080) (udp_port 8080))" ]
+ port = "video_port"
address_mode = "host"
- name = "jitsi-videobridge-video1"
+ name = "video-jitsi"
check {
type = "tcp"
- port = "video1_port"
+ port = "video_port"
interval = "60s"
timeout = "5s"
- check_restart {
- limit = 3
- grace = "90s"
- ignore_warnings = false
- }
}
}
-
- service {
- tags = [ "jitsi", "(diplonat (udp_port 10000))" ]
- port = "video2_port"
- address_mode = "host"
- name = "jitsi-videobridge-video2"
- }
}
}
}
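Review bot: The `videobridge.conf` template keeps `env = true`, so Nomad will try to parse a HOCON file as `KEY=VALUE` environment lines; that flag belongs only on real env files and should be removed here, as was done for jicofo.conf in this commit. `video_port` is now pinned to static 8080 for both ICE/TCP and UDP; if the bridge's private HTTP server stays at its default port 8080 on 127.0.0.1, the two TCP bindings overlap, so either give the private server an explicit port in videobridge.conf or choose a different static media port. Dropping the `check_restart` block means a bridge whose ICE/TCP listener dies stays in the allocation as unhealthy instead of being restarted; if that is intentional, a one-line comment on the service block saying why would help the next reader.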
diff --git a/app/jitsi/integration/jvb/videobridge.conf b/app/jitsi/integration/jvb/videobridge.conf
index 418be5e..a11edc6 100644
--- a/app/jitsi/integration/jvb/videobridge.conf
+++ b/app/jitsi/integration/jvb/videobridge.conf
@@ -66,6 +66,7 @@ videobridge {
domain = "auth.jitsi"
username = "jvb"
password = "jvbpass"
+ port = 5222
muc_jids = "jvbbrewery@internal.auth.jitsi"
# The muc_nickname must be unique across all jitsi-videobridge instances
muc_nickname = "unique-jvb-server"
diff --git a/app/jitsi/secrets/jitsi/auth.jitsi.crt b/app/jitsi/secrets/jitsi/auth.jitsi.crt
new file mode 100644
index 0000000..f4ab925
--- /dev/null
+++ b/app/jitsi/secrets/jitsi/auth.jitsi.crt
@@ -0,0 +1 @@
+SSL_CERT jitsi_auth auth.jitsi
diff --git a/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt b/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt
deleted file mode 100644
index f2c4d4b..0000000
--- a/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt
+++ /dev/null
@@ -1 +0,0 @@
-SSL_CERT jitsi_auth autj.jitsi.deuxfleurs.fr
diff --git a/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key b/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key
deleted file mode 100644
index 4a332f8..0000000
--- a/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key
+++ /dev/null
@@ -1 +0,0 @@
-SSL_KEY jitsi_auth autj.jitsi.deuxfleurs.fr
diff --git a/app/jitsi/secrets/jitsi/auth.jitsi.key b/app/jitsi/secrets/jitsi/auth.jitsi.key
new file mode 100644
index 0000000..82e7b6b
--- /dev/null
+++ b/app/jitsi/secrets/jitsi/auth.jitsi.key
@@ -0,0 +1 @@
+SSL_KEY jitsi_auth auth.jitsi
diff --git a/app/jitsi/secrets/jitsi/jicofo_pass b/app/jitsi/secrets/jitsi/jicofo_pass
new file mode 100644
index 0000000..6a0f5fc
--- /dev/null
+++ b/app/jitsi/secrets/jitsi/jicofo_pass
@@ -0,0 +1 @@
+CMD openssl rand -base64 24
diff --git a/app/jitsi/secrets/jitsi/jitsi.crt b/app/jitsi/secrets/jitsi/jitsi.crt
new file mode 100644
index 0000000..2eed97c
--- /dev/null
+++ b/app/jitsi/secrets/jitsi/jitsi.crt
@@ -0,0 +1 @@
+SSL_CERT jitsi jitsi
diff --git a/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt b/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt
deleted file mode 100644
index 32750d3..0000000
--- a/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt
+++ /dev/null
@@ -1 +0,0 @@
-SSL_CERT jitsi jitsi.deuxfleurs.fr
diff --git a/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key b/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key
deleted file mode 100644
index 7676132..0000000
--- a/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key
+++ /dev/null
@@ -1 +0,0 @@
-SSL_KEY jitsi
diff --git a/app/jitsi/secrets/jitsi/jitsi.key b/app/jitsi/secrets/jitsi/jitsi.key
new file mode 100644
index 0000000..af53ca0
--- /dev/null
+++ b/app/jitsi/secrets/jitsi/jitsi.key
@@ -0,0 +1 @@
+SSL_KEY jitsi jitsi
diff --git a/app/jitsi/secrets/jitsi/jvb_pass b/app/jitsi/secrets/jitsi/jvb_pass
new file mode 100644
index 0000000..6a0f5fc
--- /dev/null
+++ b/app/jitsi/secrets/jitsi/jvb_pass
@@ -0,0 +1 @@
+CMD openssl rand -base64 24