aboutsummaryrefslogtreecommitdiff
path: root/app/jitsi
diff options
context:
space:
mode:
authorQuentin Dufour <quentin@deuxfleurs.fr>2021-01-28 21:05:10 +0100
committerQuentin Dufour <quentin@deuxfleurs.fr>2021-01-28 21:05:10 +0100
commit47bcdaaf0dc6d8caaaa8bd30055420ae90cc73eb (patch)
treefb4aef2d82b4a95c3f18b62765f7fa0c90f87ac7 /app/jitsi
parent0e848bb2d0e705e5e0858fe8f2c02a3c9c8f45e5 (diff)
downloadinfrastructure-47bcdaaf0dc6d8caaaa8bd30055420ae90cc73eb.tar.gz
infrastructure-47bcdaaf0dc6d8caaaa8bd30055420ae90cc73eb.zip
Rework prosody's configuration
Diffstat (limited to 'app/jitsi')
-rwxr-xr-xapp/jitsi/build/jitsi-conference-focus/jicofo6
-rw-r--r--app/jitsi/build/jitsi-xmpp/Dockerfile16
-rw-r--r--app/jitsi/integration/README.md6
-rw-r--r--app/jitsi/integration/docker-compose.yml23
-rw-r--r--app/jitsi/integration/jicofo/jicofo.conf14
-rw-r--r--app/jitsi/integration/prosody/prosody.cfg.lua137
-rw-r--r--app/jitsi/integration/prosody/prosody.cfg.lua.back64
7 files changed, 190 insertions, 76 deletions
diff --git a/app/jitsi/build/jitsi-conference-focus/jicofo b/app/jitsi/build/jitsi-conference-focus/jicofo
index 31cd9c4..2225e98 100755
--- a/app/jitsi/build/jitsi-conference-focus/jicofo
+++ b/app/jitsi/build/jitsi-conference-focus/jicofo
@@ -1,13 +1,7 @@
#!/bin/bash
-cp ${JITSI_CERTS_FOLDER}/auth.jitsi.deuxfleurs.fr.crt /usr/local/share/ca-certificates/auth.jitsi.deuxfleurs.fr.crt
update-ca-certificates -f
-cat >> /etc/hosts <<EOF
-${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr
-127.0.0.1 `hostname`
-EOF
-
exec java \
-Xmx400m \
-XX:+HeapDumpOnOutOfMemoryError \
diff --git a/app/jitsi/build/jitsi-xmpp/Dockerfile b/app/jitsi/build/jitsi-xmpp/Dockerfile
index 6357cc6..e3a8f8f 100644
--- a/app/jitsi/build/jitsi-xmpp/Dockerfile
+++ b/app/jitsi/build/jitsi-xmpp/Dockerfile
@@ -1,7 +1,16 @@
-FROM debian:buster
+FROM debian:buster as builder
+
+ARG MEET_VERSION
+WORKDIR /tmp
+RUN apt-get update && \
+ apt-get install -y wget unzip && \
+ wget https://github.com/jitsi/jitsi-meet/archive/stable/jitsi-meet_${MEET_VERSION}.zip -O meet.zip && \
+ unzip meet.zip && \
+ mv jitsi-meet-* jitsi-meet
-ARG VERSION
+FROM debian:buster
+ARG PROSODY_VERSION
RUN apt-get update && \
apt-get install -y wget gnupg2 && \
echo deb http://packages.prosody.im/debian buster main \
@@ -9,7 +18,7 @@ RUN apt-get update && \
wget https://prosody.im/files/prosody-debian-packages.key -O - \
| apt-key add - && \
apt-get update && \
- apt-get install -y prosody=${VERSION} lua-event
+ apt-get install -y prosody=${PROSODY_VERSION} lua-event
RUN mkdir -p /usr/local/share/ca-certificates/ && \
ln -sf \
@@ -20,6 +29,7 @@ RUN mkdir -p /usr/local/share/ca-certificates/ && \
mkdir -p /var/lib/prosody && \
chown -R prosody:prosody /var/lib/prosody /run/prosody
+COPY --from=builder /tmp/jitsi-meet/resources/prosody-plugins /usr/share/jitsi-meet/prosody-plugins/
COPY xmpp_prosody /usr/local/bin/xmpp_prosody
WORKDIR /var/lib/prosody
diff --git a/app/jitsi/integration/README.md b/app/jitsi/integration/README.md
index 7f334af..82fa91d 100644
--- a/app/jitsi/integration/README.md
+++ b/app/jitsi/integration/README.md
@@ -56,6 +56,12 @@ prosodyctl cert generate jitsi
https://github.com/jitsi/jitsi-meet/blob/master/doc/example-config-files/prosody.cfg.lua.example
+but this one is not the one used by the [debian postinst script](https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet-prosody.postinst)
+instead, we should look at this one: https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example
+
+Jitsi can be configured to authenticated through tokens,
+the postinst file is here: https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet-tokens.postinst
+
## Resources to understand jitsi
- [jicofo/debian/postinst](https://github.com/jitsi/jicofo/blob/master/debian/postinst)
diff --git a/app/jitsi/integration/docker-compose.yml b/app/jitsi/integration/docker-compose.yml
index 64cd82d..70bb41a 100644
--- a/app/jitsi/integration/docker-compose.yml
+++ b/app/jitsi/integration/docker-compose.yml
@@ -9,14 +9,17 @@ services:
- "./prosody/certs/jitsi.key:/var/lib/prosody/jitsi.key:ro"
- "./prosody/certs/auth.jitsi.crt:/var/lib/prosody/auth.jitsi.crt:ro"
- "./prosody/certs/auth.jitsi.key:/var/lib/prosody/auth.jitsi.key:ro"
- jitsi-meet:
- image: superboum/amd64_jitsi_meet:v1
- ports:
- - "443:443"
jitsi-conference-focus:
- image: superboum/amd64_jitsi_conference_focus:v4
- jitsi-videobridge:
- image: superboum/amd64_jitsi_videobridge:v14
- ports:
- - "8080:8080/tcp"
- - "10000:10000/udp"
+ image: superboum/amd64_jitsi_conference_focus:v7
+ volumes:
+ - "./prosody/certs/auth.jitsi.crt:/usr/local/share/ca-certificates/auth.jitsi.crt:ro"
+ - "./jicofo/jicofo.conf:/etc/jitsi/jicofo.conf:ro"
+# jitsi-meet:
+# image: superboum/amd64_jitsi_meet:v1
+# ports:
+# - "443:443"
+# jitsi-videobridge:
+# image: superboum/amd64_jitsi_videobridge:v14
+# ports:
+# - "8080:8080/tcp"
+# - "10000:10000/udp"
diff --git a/app/jitsi/integration/jicofo/jicofo.conf b/app/jitsi/integration/jicofo/jicofo.conf
index 203cd15..c4fe5e4 100644
--- a/app/jitsi/integration/jicofo/jicofo.conf
+++ b/app/jitsi/integration/jicofo/jicofo.conf
@@ -53,7 +53,7 @@ jicofo {
}
// The JID of the MUC to be used as a brewery for bridge instances.
- brewery-jid = "jvbbrewery@example.com"
+ brewery-jid = "jvbbrewery@jitsi"
}
// Configure the codecs and RTP extensions to be used in the offer sent to clients.
codec {
@@ -256,12 +256,12 @@ jicofo {
}
// The separate XMPP connection used for internal services (currently only jitsi-videobridge).
service {
- enabled = false
- hostname = "localhost"
- port = 6222
- #domain =
- #username =
- #password =
+ enabled = true
+ hostname = "jitsi-xmpp"
+ port = 5222
+ domain = "auth.jitsi"
+ username = "focus"
+ password = "xxx"
// How long to wait for a response to a stanza before giving up.
reply-timeout = 15 seconds
diff --git a/app/jitsi/integration/prosody/prosody.cfg.lua b/app/jitsi/integration/prosody/prosody.cfg.lua
index 2f75d83..da38be9 100644
--- a/app/jitsi/integration/prosody/prosody.cfg.lua
+++ b/app/jitsi/integration/prosody/prosody.cfg.lua
@@ -1,64 +1,101 @@
+plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
daemonize = false
-allow_registration = false
use_libevent = true
+
+-- domain mapper options, must at least have domain base set to use the mapper
+muc_mapper_domain_base = "jitsi.deuxfleurs.fr";
+
+--@FIXME would be great to configure it
+--turncredentials_secret = "__turnSecret__";
+
+--turncredentials = {
+-- { type = "stun", host = "jitmeet.example.com", port = "3478" },
+-- { type = "turn", host = "jitmeet.example.com", port = "3478", transport = "udp" },
+-- { type = "turns", host = "jitmeet.example.com", port = "5349", transport = "tcp" }
+--};
+
+cross_domain_bosh = false;
+consider_bosh_secure = true;
+https_ports = { }; -- Remove this line to prevent listening on port 5284
component_interface = "0.0.0.0"
component_ports = { 5347 }
http_ports = { 5280 }
-https_ports = {}
--- Not sure all modules are required
-modules_enabled = {
- "roster"; -- Allow users to have a roster. Recommended ;)
- "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
- "tls"; -- Add support for secure TLS on c2s/s2s connections
- "dialback"; -- s2s dialback support
- "disco"; -- Service discovery
- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
- "version"; -- Replies to server version requests
- "uptime"; -- Report how long server has been running
- "time"; -- Let others know the time here on this server
- "ping"; -- Replies to XMPP pings with pongs
- "pep"; -- Enables users to publish their mood, activity, playing music and more
- -- jitsi
- --"smacks"; -- not shipped with prosody
- "carbons";
- "mam";
- "lastactivity";
- "offline";
- "pubsub";
- "adhoc";
- "websocket";
- --"http_altconnect"; -- not shipped with prosody
-}
-log = {
- --log less on console with warn="*console"; or err="*console" or more with debug="*console"
- info="*console";
+-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
+ssl = {
+ protocol = "tlsv1_2+";
+ ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}
VirtualHost "jitsi"
- authentication = "anonymous"
- ssl = {
- key = "/var/lib/prosody/jitsi.key";
- certificate = "/var/lib/prosody/jitsi.crt";
- }
- modules_enabled = {
- "bosh";
- "pubsub";
- }
- c2s_require_encryption = false
-
-VirtualHost "auth.jitsi"
- ssl = {
- key = "/var/lib/prosody/auth.jitsi.key";
- certificate = "/var/lib/prosody/auth.jitsi.crt";
- }
- authentication = "internal_plain"
- admins = { "focus@auth.jitsi"}
+ -- enabled = false -- Remove this line to enable this host
+ authentication = "anonymous"
+ -- Properties below are modified by jitsi-meet-tokens package config
+ -- and authentication above is switched to "token"
+ --app_id="example_app_id"
+ --app_secret="example_app_secret"
+ -- Assign this host a certificate for TLS, otherwise it would use the one
+ -- set in the global section (if any).
+ -- Note that old-style SSL on port 5223 only supports one certificate, and will always
+ -- use the global one.
+ ssl = {
+ key = "/var/lib/prosody/jitsi.key";
+ certificate = "/var/lib/prosody/jitsi.crt";
+ }
+ speakerstats_component = "speakerstats.jitsi"
+ conference_duration_component = "conferenceduration.jitsi"
+ -- we need bosh
+ modules_enabled = {
+ "bosh";
+ "pubsub";
+ "ping"; -- Enable mod_ping
+ "speakerstats";
+ --"turncredentials"; not supported yet
+ "conference_duration";
+ "muc_lobby_rooms";
+ }
+ c2s_require_encryption = false
+ lobby_muc = "lobby.jitsi"
+ main_muc = "conference.jitsi"
+ -- muc_lobby_whitelist = { "recorder.jitmeet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
Component "conference.jitsi" "muc"
+ storage = "memory"
+ modules_enabled = {
+ "muc_meeting_id";
+ "muc_domain_mapper";
+ --"token_verification";
+ }
+ admins = { "focusUser@auth.jitsi" }
+ muc_room_locking = false
+ muc_room_default_public_jids = true
+
+-- internal muc component
Component "internal.auth.jitsi" "muc"
- storage = "memory"
- modules_enabled = { "ping"; }
- admins = { "focus@auth.jitsi", "jvb@auth.jitsi" }
+ storage = "memory"
+ modules_enabled = {
+ "ping";
+ }
+ admins = { "focusUser@auth.jitsi", "jvb@auth.jitsi" }
+ muc_room_locking = false
+ muc_room_default_public_jids = true
+
+VirtualHost "auth.jitsi"
+ authentication = "internal_plain"
+
+Component "focus.jitsi"
+ component_secret = "focusSecret"
+
+Component "speakerstats.jitsi" "speakerstats_component"
+ muc_component = "conference.jitsi"
+
+Component "conferenceduration.jitsi" "conference_duration_component"
+ muc_component = "conference.jitsi"
+
+Component "lobby.jitsi" "muc"
+ storage = "memory"
+ restrict_room_creation = true
+ muc_room_locking = false
+ muc_room_default_public_jids = true
diff --git a/app/jitsi/integration/prosody/prosody.cfg.lua.back b/app/jitsi/integration/prosody/prosody.cfg.lua.back
new file mode 100644
index 0000000..d03d7c9
--- /dev/null
+++ b/app/jitsi/integration/prosody/prosody.cfg.lua.back
@@ -0,0 +1,64 @@
+daemonize = false
+allow_registration = false
+use_libevent = true
+component_interface = "0.0.0.0"
+component_ports = { 5347 }
+http_ports = { 5280 }
+https_ports = {}
+
+-- Not sure all modules are required
+modules_enabled = {
+ "roster"; -- Allow users to have a roster. Recommended ;)
+ "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+ "tls"; -- Add support for secure TLS on c2s/s2s connections
+ "dialback"; -- s2s dialback support
+ "disco"; -- Service discovery
+ "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+ "version"; -- Replies to server version requests
+ "uptime"; -- Report how long server has been running
+ "time"; -- Let others know the time here on this server
+ "ping"; -- Replies to XMPP pings with pongs
+ "pep"; -- Enables users to publish their mood, activity, playing music and more
+ -- jitsi
+ --"smacks"; -- not shipped with prosody
+ "carbons";
+ "mam";
+ "lastactivity";
+ "offline";
+ "pubsub";
+ "adhoc";
+ "websocket";
+ --"http_altconnect"; -- not shipped with prosody
+}
+
+log = {
+ --log less on console with warn="*console"; or err="*console" or more with debug="*console"
+ debug="*console";
+}
+
+VirtualHost "jitsi"
+ authentication = "anonymous"
+ ssl = {
+ key = "/var/lib/prosody/jitsi.key";
+ certificate = "/var/lib/prosody/jitsi.crt";
+ }
+ modules_enabled = {
+ "bosh";
+ "pubsub";
+ }
+ c2s_require_encryption = false
+
+VirtualHost "auth.jitsi"
+ ssl = {
+ key = "/var/lib/prosody/auth.jitsi.key";
+ certificate = "/var/lib/prosody/auth.jitsi.crt";
+ }
+ authentication = "internal_plain"
+ admins = { "focus@auth.jitsi"}
+
+Component "conference.jitsi" "muc"
+Component "internal.auth.jitsi" "muc"
+ storage = "memory"
+ modules_enabled = { "ping"; }
+ admins = { "focus@auth.jitsi", "jvb@auth.jitsi" }
+