Rework prosody's configuration

5 files changed, 177 insertions, 67 deletions

diff --git a/app/jitsi/integration/README.md b/app/jitsi/integration/README.md
index 7f334af..82fa91d 100644
--- a/app/jitsi/integration/README.md
+++ b/app/jitsi/integration/README.md
@@ -56,6 +56,12 @@ prosodyctl cert generate jitsi
 
 https://github.com/jitsi/jitsi-meet/blob/master/doc/example-config-files/prosody.cfg.lua.example
 
+but this one is not the one used by the [debian postinst script](https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet-prosody.postinst)
+instead, we should look at this one: https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example
+
+Jitsi can be configured to authenticated through tokens,
+the postinst file is here: https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet-tokens.postinst
+
 ## Resources to understand jitsi
 
   - [jicofo/debian/postinst](https://github.com/jitsi/jicofo/blob/master/debian/postinst)
diff --git a/app/jitsi/integration/docker-compose.yml b/app/jitsi/integration/docker-compose.yml
index 64cd82d..70bb41a 100644
--- a/app/jitsi/integration/docker-compose.yml
+++ b/app/jitsi/integration/docker-compose.yml
@@ -9,14 +9,17 @@ services:
       - "./prosody/certs/jitsi.key:/var/lib/prosody/jitsi.key:ro"
       - "./prosody/certs/auth.jitsi.crt:/var/lib/prosody/auth.jitsi.crt:ro"
       - "./prosody/certs/auth.jitsi.key:/var/lib/prosody/auth.jitsi.key:ro"
-  jitsi-meet:
-    image: superboum/amd64_jitsi_meet:v1
-    ports:
-      - "443:443"
   jitsi-conference-focus:
-    image: superboum/amd64_jitsi_conference_focus:v4
-  jitsi-videobridge:
-    image: superboum/amd64_jitsi_videobridge:v14
-    ports:
-      - "8080:8080/tcp"
-      - "10000:10000/udp"
+    image: superboum/amd64_jitsi_conference_focus:v7
+    volumes:
+      - "./prosody/certs/auth.jitsi.crt:/usr/local/share/ca-certificates/auth.jitsi.crt:ro"
+      - "./jicofo/jicofo.conf:/etc/jitsi/jicofo.conf:ro"
+#  jitsi-meet:
+#    image: superboum/amd64_jitsi_meet:v1
+#    ports:
+#      - "443:443"
+#  jitsi-videobridge:
+#    image: superboum/amd64_jitsi_videobridge:v14
+#    ports:
+#      - "8080:8080/tcp"
+#      - "10000:10000/udp"
diff --git a/app/jitsi/integration/jicofo/jicofo.conf b/app/jitsi/integration/jicofo/jicofo.conf
index 203cd15..c4fe5e4 100644
--- a/app/jitsi/integration/jicofo/jicofo.conf
+++ b/app/jitsi/integration/jicofo/jicofo.conf
@@ -53,7 +53,7 @@ jicofo {
     }
 
     // The JID of the MUC to be used as a brewery for bridge instances.
-    brewery-jid = "jvbbrewery@example.com"
+    brewery-jid = "jvbbrewery@jitsi"
   }
   // Configure the codecs and RTP extensions to be used in the offer sent to clients.
   codec {
@@ -256,12 +256,12 @@ jicofo {
     }
     // The separate XMPP connection used for internal services (currently only jitsi-videobridge).
     service {
-      enabled = false
-      hostname = "localhost"
-      port = 6222
-      #domain =
-      #username =
-      #password =
+      enabled = true
+      hostname = "jitsi-xmpp"
+      port = 5222
+      domain = "auth.jitsi"
+      username = "focus"
+      password = "xxx"
 
       // How long to wait for a response to a stanza before giving up.
       reply-timeout = 15 seconds
diff --git a/app/jitsi/integration/prosody/prosody.cfg.lua b/app/jitsi/integration/prosody/prosody.cfg.lua
index 2f75d83..da38be9 100644
--- a/app/jitsi/integration/prosody/prosody.cfg.lua
+++ b/app/jitsi/integration/prosody/prosody.cfg.lua
@@ -1,64 +1,101 @@
+plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
 daemonize = false
-allow_registration = false
 use_libevent = true
+
+-- domain mapper options, must at least have domain base set to use the mapper
+muc_mapper_domain_base = "jitsi.deuxfleurs.fr";
+
+--@FIXME would be great to configure it
+--turncredentials_secret = "__turnSecret__";
+
+--turncredentials = {
+--    { type = "stun", host = "jitmeet.example.com", port = "3478" },
+--    { type = "turn", host = "jitmeet.example.com", port = "3478", transport = "udp" },
+--    { type = "turns", host = "jitmeet.example.com", port = "5349", transport = "tcp" }
+--};
+
+cross_domain_bosh = false;
+consider_bosh_secure = true;
+https_ports = { }; -- Remove this line to prevent listening on port 5284
 component_interface = "0.0.0.0"
 component_ports = { 5347 }
 http_ports = { 5280 }
-https_ports = {}
 
--- Not sure all modules are required
-modules_enabled = {
-  "roster"; -- Allow users to have a roster. Recommended ;)
-  "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
-  "tls"; -- Add support for secure TLS on c2s/s2s connections
-  "dialback"; -- s2s dialback support
-  "disco"; -- Service discovery
-  "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
-  "version"; -- Replies to server version requests
-  "uptime"; -- Report how long server has been running
-  "time"; -- Let others know the time here on this server
-  "ping"; -- Replies to XMPP pings with pongs
-  "pep"; -- Enables users to publish their mood, activity, playing music and more
-  -- jitsi
-  --"smacks"; -- not shipped with prosody
-  "carbons";
-  "mam";
-  "lastactivity";
-  "offline";
-  "pubsub";
-  "adhoc";
-  "websocket";
-  --"http_altconnect"; -- not shipped with prosody
-}
 
-log = {
-  --log less on console with warn="*console"; or err="*console" or more with debug="*console"
-  info="*console";
+-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
+ssl = {
+    protocol = "tlsv1_2+";
+    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
 }
 
 VirtualHost "jitsi"
-  authentication = "anonymous"
-  ssl = {
-    key = "/var/lib/prosody/jitsi.key";
-    certificate = "/var/lib/prosody/jitsi.crt";
-  }
-  modules_enabled = {
-    "bosh";
-    "pubsub";
-  }
-  c2s_require_encryption = false
-
-VirtualHost "auth.jitsi"
-  ssl = {
-    key = "/var/lib/prosody/auth.jitsi.key";
-    certificate = "/var/lib/prosody/auth.jitsi.crt";
-  }
-  authentication = "internal_plain"
-  admins = { "focus@auth.jitsi"}
+    -- enabled = false -- Remove this line to enable this host
+    authentication = "anonymous"
+    -- Properties below are modified by jitsi-meet-tokens package config
+    -- and authentication above is switched to "token"
+    --app_id="example_app_id"
+    --app_secret="example_app_secret"
+    -- Assign this host a certificate for TLS, otherwise it would use the one
+    -- set in the global section (if any).
+    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
+    -- use the global one.
+    ssl = {
+        key = "/var/lib/prosody/jitsi.key";
+        certificate = "/var/lib/prosody/jitsi.crt";
+    }
+    speakerstats_component = "speakerstats.jitsi"
+    conference_duration_component = "conferenceduration.jitsi"
+    -- we need bosh
+    modules_enabled = {
+        "bosh";
+        "pubsub";
+        "ping"; -- Enable mod_ping
+        "speakerstats";
+        --"turncredentials"; not supported yet
+        "conference_duration";
+        "muc_lobby_rooms";
+    }
+    c2s_require_encryption = false
+    lobby_muc = "lobby.jitsi"
+    main_muc = "conference.jitsi"
+    -- muc_lobby_whitelist = { "recorder.jitmeet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
 
 Component "conference.jitsi" "muc"
+    storage = "memory"
+    modules_enabled = {
+        "muc_meeting_id";
+        "muc_domain_mapper";
+        --"token_verification";
+    }
+    admins = { "focusUser@auth.jitsi" }
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+
+-- internal muc component
 Component "internal.auth.jitsi" "muc"
-  storage = "memory"
-  modules_enabled = { "ping"; }
-  admins = { "focus@auth.jitsi", "jvb@auth.jitsi" }
+    storage = "memory"
+    modules_enabled = {
+        "ping";
+    }
+    admins = { "focusUser@auth.jitsi", "jvb@auth.jitsi" }
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+
+VirtualHost "auth.jitsi"
+    authentication = "internal_plain"
+
+Component "focus.jitsi"
+    component_secret = "focusSecret"
+
+Component "speakerstats.jitsi" "speakerstats_component"
+    muc_component = "conference.jitsi"
+
+Component "conferenceduration.jitsi" "conference_duration_component"
+    muc_component = "conference.jitsi"
+
+Component "lobby.jitsi" "muc"
+    storage = "memory"
+    restrict_room_creation = true
+    muc_room_locking = false
+    muc_room_default_public_jids = true
 
diff --git a/app/jitsi/integration/prosody/prosody.cfg.lua.back b/app/jitsi/integration/prosody/prosody.cfg.lua.back
new file mode 100644
index 0000000..d03d7c9
--- /dev/null
+++ b/app/jitsi/integration/prosody/prosody.cfg.lua.back
@@ -0,0 +1,64 @@
+daemonize = false
+allow_registration = false
+use_libevent = true
+component_interface = "0.0.0.0"
+component_ports = { 5347 }
+http_ports = { 5280 }
+https_ports = {}
+
+-- Not sure all modules are required
+modules_enabled = {
+  "roster"; -- Allow users to have a roster. Recommended ;)
+  "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+  "tls"; -- Add support for secure TLS on c2s/s2s connections
+  "dialback"; -- s2s dialback support
+  "disco"; -- Service discovery
+  "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+  "version"; -- Replies to server version requests
+  "uptime"; -- Report how long server has been running
+  "time"; -- Let others know the time here on this server
+  "ping"; -- Replies to XMPP pings with pongs
+  "pep"; -- Enables users to publish their mood, activity, playing music and more
+  -- jitsi
+  --"smacks"; -- not shipped with prosody
+  "carbons";
+  "mam";
+  "lastactivity";
+  "offline";
+  "pubsub";
+  "adhoc";
+  "websocket";
+  --"http_altconnect"; -- not shipped with prosody
+}
+
+log = {
+  --log less on console with warn="*console"; or err="*console" or more with debug="*console"
+  debug="*console";
+}
+
+VirtualHost "jitsi"
+  authentication = "anonymous"
+  ssl = {
+    key = "/var/lib/prosody/jitsi.key";
+    certificate = "/var/lib/prosody/jitsi.crt";
+  }
+  modules_enabled = {
+    "bosh";
+    "pubsub";
+  }
+  c2s_require_encryption = false
+
+VirtualHost "auth.jitsi"
+  ssl = {
+    key = "/var/lib/prosody/auth.jitsi.key";
+    certificate = "/var/lib/prosody/auth.jitsi.crt";
+  }
+  authentication = "internal_plain"
+  admins = { "focus@auth.jitsi"}
+
+Component "conference.jitsi" "muc"
+Component "internal.auth.jitsi" "muc"
+  storage = "memory"
+  modules_enabled = { "ping"; }
+  admins = { "focus@auth.jitsi", "jvb@auth.jitsi" }
+