author | Quentin Dufour <quentin@deuxfleurs.fr> | 2021-01-28 21:05:10 +0100 |
---|---|---|
committer | Quentin Dufour <quentin@deuxfleurs.fr> | 2021-01-28 21:05:10 +0100 |
commit | 47bcdaaf0dc6d8caaaa8bd30055420ae90cc73eb (patch) | |
tree | fb4aef2d82b4a95c3f18b62765f7fa0c90f87ac7 /app/jitsi | |
parent | 0e848bb2d0e705e5e0858fe8f2c02a3c9c8f45e5 (diff) | |
download | infrastructure-47bcdaaf0dc6d8caaaa8bd30055420ae90cc73eb.tar.gz infrastructure-47bcdaaf0dc6d8caaaa8bd30055420ae90cc73eb.zip |
Rework prosody's configuration
Diffstat (limited to 'app/jitsi')
-rwxr-xr-x | app/jitsi/build/jitsi-conference-focus/jicofo | 6 | ||||
-rw-r--r-- | app/jitsi/build/jitsi-xmpp/Dockerfile | 16 | ||||
-rw-r--r-- | app/jitsi/integration/README.md | 6 | ||||
-rw-r--r-- | app/jitsi/integration/docker-compose.yml | 23 | ||||
-rw-r--r-- | app/jitsi/integration/jicofo/jicofo.conf | 14 | ||||
-rw-r--r-- | app/jitsi/integration/prosody/prosody.cfg.lua | 137 | ||||
-rw-r--r-- | app/jitsi/integration/prosody/prosody.cfg.lua.back | 64 |
7 files changed, 190 insertions, 76 deletions
diff --git a/app/jitsi/build/jitsi-conference-focus/jicofo b/app/jitsi/build/jitsi-conference-focus/jicofo index 31cd9c4..2225e98 100755 --- a/app/jitsi/build/jitsi-conference-focus/jicofo +++ b/app/jitsi/build/jitsi-conference-focus/jicofo @@ -1,13 +1,7 @@ #!/bin/bash -cp ${JITSI_CERTS_FOLDER}/auth.jitsi.deuxfleurs.fr.crt /usr/local/share/ca-certificates/auth.jitsi.deuxfleurs.fr.crt update-ca-certificates -f -cat >> /etc/hosts <<EOF -${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr -127.0.0.1 `hostname` -EOF - exec java \ -Xmx400m \ -XX:+HeapDumpOnOutOfMemoryError \ diff --git a/app/jitsi/build/jitsi-xmpp/Dockerfile b/app/jitsi/build/jitsi-xmpp/Dockerfile index 6357cc6..e3a8f8f 100644 --- a/app/jitsi/build/jitsi-xmpp/Dockerfile +++ b/app/jitsi/build/jitsi-xmpp/Dockerfile @@ -1,7 +1,16 @@ -FROM debian:buster +FROM debian:buster as builder + +ARG MEET_VERSION +WORKDIR /tmp +RUN apt-get update && \ + apt-get install -y wget unzip && \ + wget https://github.com/jitsi/jitsi-meet/archive/stable/jitsi-meet_${MEET_VERSION}.zip -O meet.zip && \ + unzip meet.zip && \ + mv jitsi-meet-* jitsi-meet -ARG VERSION +FROM debian:buster +ARG PROSODY_VERSION RUN apt-get update && \ apt-get install -y wget gnupg2 && \ echo deb http://packages.prosody.im/debian buster main \ @@ -9,7 +18,7 @@ RUN apt-get update && \ wget https://prosody.im/files/prosody-debian-packages.key -O - \ | apt-key add - && \ apt-get update && \ - apt-get install -y prosody=${VERSION} lua-event + apt-get install -y prosody=${PROSODY_VERSION} lua-event RUN mkdir -p /usr/local/share/ca-certificates/ && \ ln -sf \ 
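Review bot: The kept `update-ca-certificates -f` now depends on the CA certificate reaching /usr/local/share/ca-certificates/ by some other route, since the `cp` from ${JITSI_CERTS_FOLDER} is removed; the docker-compose hunk in this commit bind-mounts auth.jitsi.crt there, but nothing in the script says so. A comment above it, `# auth.jitsi.crt is expected to be bind-mounted into /usr/local/share/ca-certificates/ (see docker-compose.yml)`, would make that dependency visible. With the /etc/hosts block gone, resolution of the prosody host names now has to come from the container network, which is worth confirming for deployments that do not use the compose file. The `exec java` command continues past the end of the hunk.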
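Review bot: The builder stage fetches jitsi-meet_${MEET_VERSION}.zip with `wget` and unpacks it without checking a digest, so the prosody plugins later copied into the final image (`COPY --from=builder` in the third hunk) are whatever the download returned at build time. Pinning the archive with a known checksum before `unzip`, e.g. `echo "<expected-sha256-placeholder>  meet.zip" | sha256sum -c -`, makes the build reproducible and fails it on a changed or tampered archive. `mv jitsi-meet-* jitsi-meet` also relies on exactly one directory matching the glob; a stricter `mv "jitsi-meet-${MEET_VERSION}" jitsi-meet` would fail loudly instead of picking an arbitrary match, if that is the directory name the archive produces.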
@@ -20,6 +29,7 @@ RUN mkdir -p /usr/local/share/ca-certificates/ && \ mkdir -p /var/lib/prosody && \ chown -R prosody:prosody /var/lib/prosody /run/prosody +COPY --from=builder /tmp/jitsi-meet/resources/prosody-plugins /usr/share/jitsi-meet/prosody-plugins/ COPY xmpp_prosody /usr/local/bin/xmpp_prosody WORKDIR /var/lib/prosody diff --git a/app/jitsi/integration/README.md b/app/jitsi/integration/README.md index 7f334af..82fa91d 100644 --- a/app/jitsi/integration/README.md +++ b/app/jitsi/integration/README.md @@ -56,6 +56,12 @@ prosodyctl cert generate jitsi https://github.com/jitsi/jitsi-meet/blob/master/doc/example-config-files/prosody.cfg.lua.example +but this one is not the one used by the [debian postinst script](https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet-prosody.postinst) +instead, we should look at this one: https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example + +Jitsi can be configured to authenticated through tokens, +the postinst file is here: https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet-tokens.postinst + ## Resources to understand jitsi - [jicofo/debian/postinst](https://github.com/jitsi/jicofo/blob/master/debian/postinst) diff --git a/app/jitsi/integration/docker-compose.yml b/app/jitsi/integration/docker-compose.yml index 64cd82d..70bb41a 100644 --- a/app/jitsi/integration/docker-compose.yml +++ b/app/jitsi/integration/docker-compose.yml 
@@ -9,14 +9,17 @@ services: - "./prosody/certs/jitsi.key:/var/lib/prosody/jitsi.key:ro" - "./prosody/certs/auth.jitsi.crt:/var/lib/prosody/auth.jitsi.crt:ro" - "./prosody/certs/auth.jitsi.key:/var/lib/prosody/auth.jitsi.key:ro" - jitsi-meet: - image: superboum/amd64_jitsi_meet:v1 - ports: - - "443:443" jitsi-conference-focus: - image: superboum/amd64_jitsi_conference_focus:v4 - jitsi-videobridge: - image: superboum/amd64_jitsi_videobridge:v14 - ports: - - "8080:8080/tcp" - - "10000:10000/udp" + image: superboum/amd64_jitsi_conference_focus:v7 + volumes: + - "./prosody/certs/auth.jitsi.crt:/usr/local/share/ca-certificates/auth.jitsi.crt:ro" + - "./jicofo/jicofo.conf:/etc/jitsi/jicofo.conf:ro" +# jitsi-meet: +# image: superboum/amd64_jitsi_meet:v1 +# ports: +# - "443:443" +# jitsi-videobridge: +# image: superboum/amd64_jitsi_videobridge:v14 +# ports: +# - "8080:8080/tcp" +# - "10000:10000/udp" diff --git a/app/jitsi/integration/jicofo/jicofo.conf b/app/jitsi/integration/jicofo/jicofo.conf index 203cd15..c4fe5e4 100644 --- a/app/jitsi/integration/jicofo/jicofo.conf +++ b/app/jitsi/integration/jicofo/jicofo.conf @@ -53,7 +53,7 @@ jicofo { } // The JID of the MUC to be used as a brewery for bridge instances. - brewery-jid = "jvbbrewery@example.com" + brewery-jid = "jvbbrewery@jitsi" } // Configure the codecs and RTP extensions to be used in the offer sent to clients. codec { @@ -256,12 +256,12 @@ jicofo { } // The separate XMPP connection used for internal services (currently only jitsi-videobridge). service { - enabled = false - hostname = "localhost" - port = 6222 - #domain = - #username = - #password = + enabled = true + hostname = "jitsi-xmpp" + port = 5222 + domain = "auth.jitsi" + username = "focus" + password = "xxx" // How long to wait for a response to a stanza before giving up. reply-timeout = 15 seconds diff --git a/app/jitsi/integration/prosody/prosody.cfg.lua b/app/jitsi/integration/prosody/prosody.cfg.lua index 2f75d83..da38be9 100644 
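Review bot: `brewery-jid = "jvbbrewery@jitsi"` places the bridge brewery MUC on the `jitsi` VirtualHost, while the prosody config in this commit declares the MUC component the jvb account is admin of as `Component "internal.auth.jitsi" "muc"`; a MUC room JID has to live on a MUC component, so this looks like it should read `brewery-jid = "jvbbrewery@internal.auth.jitsi"` unless the bridges are configured elsewhere to join rooms on the `jitsi` host. The enclosing jicofo block starts and ends outside the hunk.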
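Review bot: `password = "xxx"` commits the credential of the focus@auth.jitsi service account in a file that the docker-compose hunk bind-mounts read-only into the jicofo container, so the placeholder is deployed as-is unless someone remembers to edit it. Prefer loading the value from the environment or a separately mounted secret, or at minimum mark the line `password = "xxx" // placeholder, must be replaced before deployment`. The matching account on the `auth.jitsi` VirtualHost (`authentication = "internal_plain"` in the prosody hunk) has to be registered in prosody with the same password, and nothing in this commit shows where that happens; a pointer to the provisioning step would help. The `service` block continues outside the hunk.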
--- a/app/jitsi/integration/prosody/prosody.cfg.lua +++ b/app/jitsi/integration/prosody/prosody.cfg.lua 
@@ -1,64 +1,101 @@ +plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" } daemonize = false -allow_registration = false use_libevent = true + +-- domain mapper options, must at least have domain base set to use the mapper +muc_mapper_domain_base = "jitsi.deuxfleurs.fr"; + +--@FIXME would be great to configure it +--turncredentials_secret = "__turnSecret__"; + +--turncredentials = { +-- { type = "stun", host = "jitmeet.example.com", port = "3478" }, +-- { type = "turn", host = "jitmeet.example.com", port = "3478", transport = "udp" }, +-- { type = "turns", host = "jitmeet.example.com", port = "5349", transport = "tcp" } +--}; + +cross_domain_bosh = false; +consider_bosh_secure = true; +https_ports = { }; -- Remove this line to prevent listening on port 5284 component_interface = "0.0.0.0" component_ports = { 5347 } http_ports = { 5280 } -https_ports = {} --- Not sure all modules are required -modules_enabled = { - "roster"; -- Allow users to have a roster. Recommended ;) - "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in. - "tls"; -- Add support for secure TLS on c2s/s2s connections - "dialback"; -- s2s dialback support - "disco"; -- Service discovery - "posix"; -- POSIX functionality, sends server to background, enables syslog, etc. 
- "version"; -- Replies to server version requests - "uptime"; -- Report how long server has been running - "time"; -- Let others know the time here on this server - "ping"; -- Replies to XMPP pings with pongs - "pep"; -- Enables users to publish their mood, activity, playing music and more - -- jitsi - --"smacks"; -- not shipped with prosody - "carbons"; - "mam"; - "lastactivity"; - "offline"; - "pubsub"; - "adhoc"; - "websocket"; - --"http_altconnect"; -- not shipped with prosody -} -log = { - --log less on console with warn="*console"; or err="*console" or more with debug="*console" - info="*console"; +-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4 +ssl = { + protocol = "tlsv1_2+"; + ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" } VirtualHost "jitsi" - authentication = "anonymous" - ssl = { - key = "/var/lib/prosody/jitsi.key"; - certificate = "/var/lib/prosody/jitsi.crt"; - } - modules_enabled = { - "bosh"; - "pubsub"; - } - c2s_require_encryption = false - -VirtualHost "auth.jitsi" - ssl = { - key = "/var/lib/prosody/auth.jitsi.key"; - certificate = "/var/lib/prosody/auth.jitsi.crt"; - } - authentication = "internal_plain" - admins = { "focus@auth.jitsi"} + -- enabled = false -- Remove this line to enable this host + authentication = "anonymous" + -- Properties below are modified by jitsi-meet-tokens package config + -- and authentication above is switched to "token" + --app_id="example_app_id" + --app_secret="example_app_secret" + -- Assign this host a certificate for TLS, otherwise it would use the one + -- set in the global section (if any). + -- Note that old-style SSL on port 5223 only supports one certificate, and will always + -- use the global one. 
+ ssl = { + key = "/var/lib/prosody/jitsi.key"; + certificate = "/var/lib/prosody/jitsi.crt"; + } + speakerstats_component = "speakerstats.jitsi" + conference_duration_component = "conferenceduration.jitsi" + -- we need bosh + modules_enabled = { + "bosh"; + "pubsub"; + "ping"; -- Enable mod_ping + "speakerstats"; + --"turncredentials"; not supported yet + "conference_duration"; + "muc_lobby_rooms"; + } + c2s_require_encryption = false + lobby_muc = "lobby.jitsi" + main_muc = "conference.jitsi" + -- muc_lobby_whitelist = { "recorder.jitmeet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms Component "conference.jitsi" "muc" + storage = "memory" + modules_enabled = { + "muc_meeting_id"; + "muc_domain_mapper"; + --"token_verification"; + } + admins = { "focusUser@auth.jitsi" } + muc_room_locking = false + muc_room_default_public_jids = true + +-- internal muc component Component "internal.auth.jitsi" "muc" - storage = "memory" - modules_enabled = { "ping"; } - admins = { "focus@auth.jitsi", "jvb@auth.jitsi" } + storage = "memory" + modules_enabled = { + "ping"; + } + admins = { "focusUser@auth.jitsi", "jvb@auth.jitsi" } + muc_room_locking = false + muc_room_default_public_jids = true + +VirtualHost "auth.jitsi" + authentication = "internal_plain" + +Component "focus.jitsi" + component_secret = "focusSecret" + +Component "speakerstats.jitsi" "speakerstats_component" + muc_component = "conference.jitsi" + +Component "conferenceduration.jitsi" "conference_duration_component" + muc_component = "conference.jitsi" + +Component "lobby.jitsi" "muc" + storage = "memory" + restrict_room_creation = true + muc_room_locking = false + muc_room_default_public_jids = true diff --git a/app/jitsi/integration/prosody/prosody.cfg.lua.back b/app/jitsi/integration/prosody/prosody.cfg.lua.back new file mode 100644 index 0000000..d03d7c9 --- /dev/null +++ b/app/jitsi/integration/prosody/prosody.cfg.lua.back 
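Review bot: `admins = { "focusUser@auth.jitsi" }` on the conference.jitsi and internal.auth.jitsi components does not match the account jicofo.conf in this commit uses (`username = "focus"`, `domain = "auth.jitsi"`, i.e. focus@auth.jitsi), and the removed lines listed focus@auth.jitsi; `focusUser` looks like the unsubstituted placeholder from the upstream jitsi-meet template, so both lists should probably read `admins = { "focus@auth.jitsi", ... }` for jicofo to get MUC admin rights. `component_secret = "focusSecret"` is likewise a literal from the template and is the shared secret the focus.jitsi component authenticates with, so it should be generated per deployment rather than committed. `consider_bosh_secure = true` next to `c2s_require_encryption = false` and plain `http_ports = { 5280 }` is only sound when a TLS-terminating proxy sits in front of prosody; a comment stating that assumption beside it, `-- BOSH on 5280 is plain HTTP; a TLS-terminating proxy in front is assumed`, would keep the next reader from exposing it directly.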
@@ -0,0 +1,64 @@
+daemonize = false
+allow_registration = false
+use_libevent = true
+component_interface = "0.0.0.0"
+component_ports = { 5347 }
+http_ports = { 5280 }
+https_ports = {}
+
+-- Not sure all modules are required
+modules_enabled = {
+ "roster"; -- Allow users to have a roster. Recommended ;)
+ "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+ "tls"; -- Add support for secure TLS on c2s/s2s connections
+ "dialback"; -- s2s dialback support
+ "disco"; -- Service discovery
+ "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+ "version"; -- Replies to server version requests
+ "uptime"; -- Report how long server has been running
+ "time"; -- Let others know the time here on this server
+ "ping"; -- Replies to XMPP pings with pongs
+ "pep"; -- Enables users to publish their mood, activity, playing music and more
+ -- jitsi
+ --"smacks"; -- not shipped with prosody
+ "carbons";
+ "mam";
+ "lastactivity";
+ "offline";
+ "pubsub";
+ "adhoc";
+ "websocket";
+ --"http_altconnect"; -- not shipped with prosody
+}
+
+log = {
+ --log less on console with warn="*console"; or err="*console" or more with debug="*console"
+ debug="*console";
+}
+
+VirtualHost "jitsi"
+ authentication = "anonymous"
+ ssl = {
+ key = "/var/lib/prosody/jitsi.key";
+ certificate = "/var/lib/prosody/jitsi.crt";
+ }
+ modules_enabled = {
+ "bosh";
+ "pubsub";
+ }
+ c2s_require_encryption = false
+
+VirtualHost "auth.jitsi"
+ ssl = {
+ key = "/var/lib/prosody/auth.jitsi.key";
+ certificate = "/var/lib/prosody/auth.jitsi.crt";
+ }
+ authentication = "internal_plain"
+ admins = { "focus@auth.jitsi"}
+
+Component "conference.jitsi" "muc"
+Component "internal.auth.jitsi" "muc"
+ storage = "memory"
+ modules_enabled = { "ping"; }
+ admins = { "focus@auth.jitsi", "jvb@auth.jitsi" }
+
|
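Review bot: prosody.cfg.lua.back appears to be a near-copy of the configuration this same commit replaces (the removed side of the prosody.cfg.lua hunk, apart from the console log level), and git history already preserves that version, so committing it adds 64 lines that will drift from the live file. If it is kept as a reference, a header comment such as `-- pre-rework configuration kept for comparison; not loaded by prosody` would say why it exists, and it is worth noting that it still carries `debug="*console"` logging and `c2s_require_encryption = false` should anyone copy it back into place.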