diff options
author | Quentin <quentin@dufour.io> | 2021-01-18 08:18:21 +0100 |
---|---|---|
committer | Quentin <quentin@dufour.io> | 2021-01-18 08:18:21 +0100 |
commit | ad6017eea058f7cb6fdf078783f992a4f45a3e15 (patch) | |
tree | 6620bcc9e1ea61a5689b763b9ad8280275e35e76 /app/jitsi | |
parent | 79b7273ff2a487d6721d393682c8ad3927467a75 (diff) | |
parent | c642370def01f09d966b3b9c643cfe416ea115cf (diff) | |
download | infrastructure-ad6017eea058f7cb6fdf078783f992a4f45a3e15.tar.gz infrastructure-ad6017eea058f7cb6fdf078783f992a4f45a3e15.zip |
Merge pull request 'Reorganize app/ and add script for secret management' (#29) from test_reorganize into master
Reviewed-on: https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/pulls/29
Diffstat (limited to 'app/jitsi')
24 files changed, 1126 insertions, 0 deletions
diff --git a/app/jitsi/build/jitsi-conference-focus/Dockerfile b/app/jitsi/build/jitsi-conference-focus/Dockerfile new file mode 100644 index 0000000..e2c459c --- /dev/null +++ b/app/jitsi/build/jitsi-conference-focus/Dockerfile @@ -0,0 +1,27 @@ +FROM debian:buster AS builder + +ARG PREFIXV +ARG VERSION +RUN apt-get update && \ + apt-get install -y openjdk-11-jdk maven wget unzip && \ + wget https://github.com/jitsi/jicofo/archive/${PREFIXV}${VERSION}.zip -O jicofo.zip + +RUN unzip jicofo.zip && \ + mv jicofo*${VERSION} jicofo && \ + cd jicofo && \ + mvn package -DskipTests -Dassembly.skipAssembly=false && \ + unzip target/jicofo-1.1-SNAPSHOT-archive.zip && \ + mv jicofo-1.1-SNAPSHOT /srv/build + +FROM debian:buster + +RUN apt-get update && \ + apt-get install -y openjdk-11-jre-headless ca-certificates + +ENV JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/root -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=.sip-communicator -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi" + +COPY --from=builder /srv/build /srv/jicofo +COPY jicofo /usr/local/bin/jicofo +COPY sip-communicator.properties /root/.sip-communicator/sip-communicator.properties + +CMD ["/usr/local/bin/jicofo"] diff --git a/app/jitsi/build/jitsi-conference-focus/jicofo b/app/jitsi/build/jitsi-conference-focus/jicofo new file mode 100755 index 0000000..2bc6e3f --- /dev/null +++ b/app/jitsi/build/jitsi-conference-focus/jicofo @@ -0,0 +1,16 @@ +#!/bin/bash + +cp ${JITSI_CERTS_FOLDER}/auth.jitsi.deuxfleurs.fr.crt /usr/local/share/ca-certificates/auth.jitsi.deuxfleurs.fr.crt +update-ca-certificates -f + +cat >> /etc/hosts <<EOF +${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr +127.0.0.1 `hostname` +EOF + +/srv/jicofo/jicofo.sh \ + --host=${JITSI_PROSODY_HOST} \ + --domain=jitsi.deuxfleurs.fr \ + --secret=${JITSI_SECRET_JICOFO_COMPONENT} \ + --user_domain=auth.jitsi.deuxfleurs.fr \ + --user_password=${JITSI_SECRET_JICOFO_USER} diff --git a/app/jitsi/build/jitsi-conference-focus/sip-communicator.properties b/app/jitsi/build/jitsi-conference-focus/sip-communicator.properties new file mode 100644 index 0000000..53c32e2 --- /dev/null +++ b/app/jitsi/build/jitsi-conference-focus/sip-communicator.properties @@ -0,0 +1,2 @@ +org.jitsi.jicofo.SHORT_ID=1 +org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.jitsi.deuxfleurs.fr diff --git a/app/jitsi/build/jitsi-meet/Dockerfile b/app/jitsi/build/jitsi-meet/Dockerfile new file mode 100644 index 0000000..feef115 --- /dev/null +++ b/app/jitsi/build/jitsi-meet/Dockerfile @@ -0,0 +1,28 @@ +FROM debian:buster AS builder + +ARG PREFIXV +ARG VERSION + +RUN apt-get update && \ + apt-get install -y curl && \ + curl -sL https://deb.nodesource.com/setup_14.x | bash - && \ + apt-get install -y git nodejs make wget unzip && \ + wget https://github.com/jitsi/jitsi-meet/archive/${PREFIXV}${VERSION}.zip -O jitsi-meet.zip + +RUN unzip jitsi-meet.zip && \ + mv jitsi-meet-*${VERSION} jitsi-meet && \ + cd jitsi-meet && \ + npm install && \ + make + +FROM debian:buster + +COPY --from=builder /jitsi-meet /srv/jitsi-meet +RUN apt-get update && \ + apt-get install -y nginx && \ + rm /etc/nginx/sites-enabled/* + +COPY config.js /srv/jitsi-meet/config.js +COPY entrypoint.sh /usr/local/bin/entrypoint +ENTRYPOINT ["/usr/local/bin/entrypoint"] +CMD ["/usr/sbin/nginx", "-g", "daemon off;"] diff --git a/app/jitsi/build/jitsi-meet/config.js b/app/jitsi/build/jitsi-meet/config.js new file mode 100644 index 0000000..18ff319 --- /dev/null +++ b/app/jitsi/build/jitsi-meet/config.js @@ -0,0 +1,517 @@ +/* eslint-disable no-unused-vars, no-var */ + +var config = { + // Connection + // + + hosts: { + // XMPP domain. + domain: 'jitsi.deuxfleurs.fr', + + // When using authentication, domain for guest users. + // anonymousdomain: 'guest.example.com', + + // Domain for authenticated users. Defaults to <domain>. + // authdomain: 'jitsi-meet.example.com', + + // Jirecon recording component domain. + // jirecon: 'jirecon.jitsi-meet.example.com', + + // Call control component (Jigasi). + // call_control: 'callcontrol.jitsi-meet.example.com', + + // Focus component domain. Defaults to focus.<domain>. + // focus: 'focus.jitsi-meet.example.com', + + // XMPP MUC domain. FIXME: use XEP-0030 to discover it. + muc: 'conference.jitsi.deuxfleurs.fr' + }, + + // BOSH URL. FIXME: use XEP-0156 to discover it. + bosh: '//jitsi.deuxfleurs.fr/http-bind', + + // Websocket URL + // websocket: 'wss://jitsi-meet.example.com/xmpp-websocket', + + // The name of client node advertised in XEP-0115 'c' stanza + clientNode: 'http://jitsi.org/jitsimeet', + + // The real JID of focus participant - can be overridden here + // focusUserJid: 'focus@auth.jitsi-meet.example.com', + + + // Testing / experimental features. + // + + testing: { + // Enables experimental simulcast support on Firefox. + enableFirefoxSimulcast: false, + + // P2P test mode disables automatic switching to P2P when there are 2 + // participants in the conference. + p2pTestMode: false + + // Enables the test specific features consumed by jitsi-meet-torture + // testMode: false + + // Disables the auto-play behavior of *all* newly created video element. + // This is useful when the client runs on a host with limited resources. + // noAutoPlayVideo: false + }, + + // Disables ICE/UDP by filtering out local and remote UDP candidates in + // signalling. + // webrtcIceUdpDisable: false, + + // Disables ICE/TCP by filtering out local and remote TCP candidates in + // signalling. + // webrtcIceTcpDisable: false, + + + // Media + // + + // Audio + + // Disable measuring of audio levels. + // disableAudioLevels: false, + // audioLevelsInterval: 200, + + // Enabling this will run the lib-jitsi-meet no audio detection module which + // will notify the user if the current selected microphone has no audio + // input and will suggest another valid device if one is present. + enableNoAudioDetection: true, + + // Enabling this will run the lib-jitsi-meet noise detection module which will + // notify the user if there is noise, other than voice, coming from the current + // selected microphone. The purpose it to let the user know that the input could + // be potentially unpleasant for other meeting participants. + enableNoisyMicDetection: true, + + // Start the conference in audio only mode (no video is being received nor + // sent). + // startAudioOnly: false, + + // Every participant after the Nth will start audio muted. + // startAudioMuted: 10, + + // Start calls with audio muted. Unlike the option above, this one is only + // applied locally. FIXME: having these 2 options is confusing. + // startWithAudioMuted: false, + + // Enabling it (with #params) will disable local audio output of remote + // participants and to enable it back a reload is needed. + // startSilent: false + + // Video + + // Sets the preferred resolution (height) for local video. Defaults to 720. + resolution: 480, + + // w3c spec-compliant video constraints to use for video capture. Currently + // used by browsers that return true from lib-jitsi-meet's + // util#browser#usesNewGumFlow. The constraints are independency from + // this config's resolution value. Defaults to requesting an ideal aspect + // ratio of 16:9 with an ideal resolution of 720. + constraints: { + video: { + aspectRatio: 16 / 9, + height: { + ideal: 480, + max: 720, + min: 240 + } + } + }, + + // Enable / disable simulcast support. + // disableSimulcast: false, + + // Enable / disable layer suspension. If enabled, endpoints whose HD + // layers are not in use will be suspended (no longer sent) until they + // are requested again. + // enableLayerSuspension: false, + + // Every participant after the Nth will start video muted. + // startVideoMuted: 10, + + // Start calls with video muted. Unlike the option above, this one is only + // applied locally. FIXME: having these 2 options is confusing. + // startWithVideoMuted: false, + + // If set to true, prefer to use the H.264 video codec (if supported). + // Note that it's not recommended to do this because simulcast is not + // supported when using H.264. For 1-to-1 calls this setting is enabled by + // default and can be toggled in the p2p section. + // preferH264: true, + + // If set to true, disable H.264 video codec by stripping it out of the + // SDP. + // disableH264: false, + + // Desktop sharing + + // The ID of the jidesha extension for Chrome. + desktopSharingChromeExtId: null, + + // Whether desktop sharing should be disabled on Chrome. + // desktopSharingChromeDisabled: false, + + // The media sources to use when using screen sharing with the Chrome + // extension. + desktopSharingChromeSources: [ 'screen', 'window', 'tab' ], + + // Required version of Chrome extension + desktopSharingChromeMinExtVersion: '0.1', + + // Whether desktop sharing should be disabled on Firefox. + // desktopSharingFirefoxDisabled: false, + + // Optional desktop sharing frame rate options. Default value: min:5, max:5. + // desktopSharingFrameRate: { + // min: 5, + // max: 5 + // }, + + // Try to start calls with screen-sharing instead of camera video. + // startScreenSharing: false, + + // Recording + + // Whether to enable file recording or not. + // fileRecordingsEnabled: false, + // Enable the dropbox integration. + // dropbox: { + // appKey: '<APP_KEY>' // Specify your app key here. + // // A URL to redirect the user to, after authenticating + // // by default uses: + // // 'https://jitsi-meet.example.com/static/oauth.html' + // redirectURI: + // 'https://jitsi-meet.example.com/subfolder/static/oauth.html' + // }, + // When integrations like dropbox are enabled only that will be shown, + // by enabling fileRecordingsServiceEnabled, we show both the integrations + // and the generic recording service (its configuration and storage type + // depends on jibri configuration) + // fileRecordingsServiceEnabled: false, + // Whether to show the possibility to share file recording with other people + // (e.g. meeting participants), based on the actual implementation + // on the backend. + // fileRecordingsServiceSharingEnabled: false, + + // Whether to enable live streaming or not. + // liveStreamingEnabled: false, + + // Transcription (in interface_config, + // subtitles and buttons can be configured) + // transcribingEnabled: false, + + // Enables automatic turning on captions when recording is started + // autoCaptionOnRecord: false, + + // Misc + + // Default value for the channel "last N" attribute. -1 for unlimited. + channelLastN: -1, + + // Disables or enables RTX (RFC 4588) (defaults to false). + // disableRtx: false, + + // Disables or enables TCC (the default is in Jicofo and set to true) + // (draft-holmer-rmcat-transport-wide-cc-extensions-01). This setting + // affects congestion control, it practically enables send-side bandwidth + // estimations. + // enableTcc: true, + + // Disables or enables REMB (the default is in Jicofo and set to false) + // (draft-alvestrand-rmcat-remb-03). This setting affects congestion + // control, it practically enables recv-side bandwidth estimations. When + // both TCC and REMB are enabled, TCC takes precedence. When both are + // disabled, then bandwidth estimations are disabled. + // enableRemb: false, + + // Defines the minimum number of participants to start a call (the default + // is set in Jicofo and set to 2). + // minParticipants: 2, + + // Use XEP-0215 to fetch STUN and TURN servers. + // useStunTurn: true, + + // Enable IPv6 support. + // useIPv6: true, + + // Enables / disables a data communication channel with the Videobridge. + // Values can be 'datachannel', 'websocket', true (treat it as + // 'datachannel'), undefined (treat it as 'datachannel') and false (don't + // open any channel). + // openBridgeChannel: true, + + + // UI + // + + // Use display name as XMPP nickname. + // useNicks: false, + + // Require users to always specify a display name. + // requireDisplayName: true, + + // Whether to use a welcome page or not. In case it's false a random room + // will be joined when no room is specified. + enableWelcomePage: true, + + // Enabling the close page will ignore the welcome page redirection when + // a call is hangup. + // enableClosePage: false, + + // Disable hiding of remote thumbnails when in a 1-on-1 conference call. + // disable1On1Mode: false, + + // Default language for the user interface. + defaultLanguage: 'fr', + + // If true all users without a token will be considered guests and all users + // with token will be considered non-guests. Only guests will be allowed to + // edit their profile. + enableUserRolesBasedOnToken: false, + + // Whether or not some features are checked based on token. + // enableFeaturesBasedOnToken: false, + + // Enable lock room for all moderators, even when userRolesBasedOnToken is enabled and participants are guests. + // lockRoomGuestEnabled: false, + + // When enabled the password used for locking a room is restricted to up to the number of digits specified + // roomPasswordNumberOfDigits: 10, + // default: roomPasswordNumberOfDigits: false, + + // Message to show the users. Example: 'The service will be down for + // maintenance at 01:00 AM GMT, + // noticeMessage: '', + + // Enables calendar integration, depends on googleApiApplicationClientID + // and microsoftApiApplicationClientID + // enableCalendarIntegration: false, + + // Stats + // + + // Whether to enable stats collection or not in the TraceablePeerConnection. + // This can be useful for debugging purposes (post-processing/analysis of + // the webrtc stats) as it is done in the jitsi-meet-torture bandwidth + // estimation tests. + // gatherStats: false, + + // The interval at which PeerConnection.getStats() is called. Defaults to 10000 + // pcStatsInterval: 10000, + + // To enable sending statistics to callstats.io you must provide the + // Application ID and Secret. + // callStatsID: '', + // callStatsSecret: '', + + // enables sending participants display name to callstats + // enableDisplayNameInStats: false + + // enables sending participants email if available to callstats and other analytics + // enableEmailInStats: false + + // Privacy + // + + // If third party requests are disabled, no other server will be contacted. + // This means avatars will be locally generated and callstats integration + // will not function. + // disableThirdPartyRequests: false, + + + // Peer-To-Peer mode: used (if enabled) when there are just 2 participants. + // + + p2p: { + // Enables peer to peer mode. When enabled the system will try to + // establish a direct connection when there are exactly 2 participants + // in the room. If that succeeds the conference will stop sending data + // through the JVB and use the peer to peer connection instead. When a + // 3rd participant joins the conference will be moved back to the JVB + // connection. + enabled: true, + + // Use XEP-0215 to fetch STUN and TURN servers. + // useStunTurn: true, + + // The STUN servers that will be used in the peer to peer connections + stunServers: [ + + // { urls: 'stun:jitsi-meet.example.com:443' }, + { urls: 'stun:stun.l.google.com:19302' }, + { urls: 'stun:stun1.l.google.com:19302' }, + { urls: 'stun:stun2.l.google.com:19302' } + ], + + // Sets the ICE transport policy for the p2p connection. At the time + // of this writing the list of possible values are 'all' and 'relay', + // but that is subject to change in the future. The enum is defined in + // the WebRTC standard: + // https://www.w3.org/TR/webrtc/#rtcicetransportpolicy-enum. + // If not set, the effective value is 'all'. + // iceTransportPolicy: 'all', + + // If set to true, it will prefer to use H.264 for P2P calls (if H.264 + // is supported). + preferH264: true, + + // If set to true, disable H.264 video codec by stripping it out of the + // SDP. + // disableH264: false, + + // How long we're going to wait, before going back to P2P after the 3rd + // participant has left the conference (to filter out page reload). + backToP2PDelay: 60 + }, + + analytics: { + // The Google Analytics Tracking ID: + // googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1' + + // The Amplitude APP Key: + // amplitudeAPPKey: '<APP_KEY>' + + // Array of script URLs to load as lib-jitsi-meet "analytics handlers". + // scriptURLs: [ + // "libs/analytics-ga.min.js", // google-analytics + // "https://example.com/my-custom-analytics.js" + // ], + }, + + // Information about the jitsi-meet instance we are connecting to, including + // the user region as seen by the server. + deploymentInfo: { + // shard: "shard1", + // region: "europe", + // userRegion: "asia" + } + + // Information for the chrome extension banner + // chromeExtensionBanner: { + // // The chrome extension to be installed address + // url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb', + + // // Extensions info which allows checking if they are installed or not + // chromeExtensionsInfo: [ + // { + // id: 'kglhbbefdnlheedjiejgomgmfplipfeb', + // path: 'jitsi-logo-48x48.png' + // } + // ] + // } + + // Local Recording + // + + // localRecording: { + // Enables local recording. + // Additionally, 'localrecording' (all lowercase) needs to be added to + // TOOLBAR_BUTTONS in interface_config.js for the Local Recording + // button to show up on the toolbar. + // + // enabled: true, + // + + // The recording format, can be one of 'ogg', 'flac' or 'wav'. + // format: 'flac' + // + + // } + + // Options related to end-to-end (participant to participant) ping. + // e2eping: { + // // The interval in milliseconds at which pings will be sent. + // // Defaults to 10000, set to <= 0 to disable. + // pingInterval: 10000, + // + // // The interval in milliseconds at which analytics events + // // with the measured RTT will be sent. Defaults to 60000, set + // // to <= 0 to disable. + // analyticsInterval: 60000, + // } + + // If set, will attempt to use the provided video input device label when + // triggering a screenshare, instead of proceeding through the normal flow + // for obtaining a desktop stream. + // NOTE: This option is experimental and is currently intended for internal + // use only. + // _desktopSharingSourceDevice: 'sample-id-or-label' + + // If true, any checks to handoff to another application will be prevented + // and instead the app will continue to display in the current browser. + // disableDeepLinking: false + + // A property to disable the right click context menu for localVideo + // the menu has option to flip the locally seen video for local presentations + // disableLocalVideoFlip: false + + // Deployment specific URLs. + // deploymentUrls: { + // // If specified a 'Help' button will be displayed in the overflow menu with a link to the specified URL for + // // user documentation. + // userDocumentationURL: 'https://docs.example.com/video-meetings.html', + // // If specified a 'Download our apps' button will be displayed in the overflow menu with a link + // // to the specified URL for an app download page. + // downloadAppsUrl: 'https://docs.example.com/our-apps.html' + // } + + // List of undocumented settings used in jitsi-meet + /** + _immediateReloadThreshold + autoRecord + autoRecordToken + debug + debugAudioLevels + deploymentInfo + dialInConfCodeUrl + dialInNumbersUrl + dialOutAuthUrl + dialOutCodesUrl + disableRemoteControl + displayJids + etherpad_base + externalConnectUrl + firefox_fake_device + googleApiApplicationClientID + iAmRecorder + iAmSipGateway + microsoftApiApplicationClientID + peopleSearchQueryTypes + peopleSearchUrl + requireDisplayName + tokenAuthUrl + */ + + // List of undocumented settings used in lib-jitsi-meet + /** + _peerConnStatusOutOfLastNTimeout + _peerConnStatusRtcMuteTimeout + abTesting + avgRtpStatsN + callStatsConfIDNamespace + callStatsCustomScriptUrl + desktopSharingSources + disableAEC + disableAGC + disableAP + disableHPF + disableNS + enableLipSync + enableTalkWhileMuted + forceJVB121Ratio + hiddenDomain + ignoreStartMuted + nick + startBitrate + */ + +}; + +/* eslint-enable no-unused-vars, no-var */ + diff --git a/app/jitsi/build/jitsi-meet/entrypoint.sh b/app/jitsi/build/jitsi-meet/entrypoint.sh new file mode 100755 index 0000000..1cd96dc --- /dev/null +++ b/app/jitsi/build/jitsi-meet/entrypoint.sh @@ -0,0 +1,38 @@ +#!/bin/bash + +cat > /etc/nginx/sites-available/jitsi <<EOF +server_names_hash_bucket_size 64; + +server { + listen 0.0.0.0:${NGINX_PORT} ssl http2 default_server; + listen [::]:${NGINX_PORT} ssl http2 default_server; + server_name _; + ssl_certificate ${JITSI_CERTS_FOLDER}/jitsi.deuxfleurs.fr.crt; + ssl_certificate_key ${JITSI_CERTS_FOLDER}/jitsi.deuxfleurs.fr.key; + root /srv/jitsi-meet; + index index.html; + location ~ ^/([a-zA-Z0-9=\?]+)$ { + rewrite ^/(.*)$ / break; + } + location / { + ssi on; + } + # BOSH, Bidirectional-streams Over Synchronous HTTP + # https://en.wikipedia.org/wiki/BOSH_(protocol) + location /http-bind { + proxy_pass http://${JITSI_PROSODY_BOSH_HOST}:${JITSI_PROSODY_BOSH_PORT}/http-bind; + proxy_set_header X-Forwarded-For \$remote_addr; + proxy_set_header Host \$http_host; + } + # external_api.js must be accessible from the root of the + # installation for the electron version of Jitsi Meet to work + # https://github.com/jitsi/jitsi-meet-electron + location /external_api.js { + alias /srv/jitsi-meet/libs/external_api.min.js; + } +} +EOF + +ln -sf /etc/nginx/sites-available/jitsi /etc/nginx/sites-enabled/jitsi + +exec "$@" diff --git a/app/jitsi/build/jitsi-videobridge/Dockerfile b/app/jitsi/build/jitsi-videobridge/Dockerfile new file mode 100644 index 0000000..c17fb4f --- /dev/null +++ b/app/jitsi/build/jitsi-videobridge/Dockerfile @@ -0,0 +1,30 @@ +FROM debian:buster AS builder + +ARG PREFIXV +ARG VERSION + +RUN apt-get update && \ + apt-get install -y wget unzip maven openjdk-11-jdk && \ + wget https://github.com/jitsi/jitsi-videobridge/archive/${PREFIXV}${VERSION}.zip -O jvb.zip + +RUN unzip jvb.zip && \ + mv jitsi-videobridge*${VERSION} jvb && \ + cd jvb && \ + mvn package -DskipTests && \ + ls jvb/target && \ + unzip jvb/target/jitsi-videobridge*.zip && \ + mv jitsi-videobridge-*-SNAPSHOT build + +FROM debian:buster + +RUN apt-get update && \ + apt-get install -y openjdk-11-jre-headless + +COPY --from=builder /jvb/build /srv/jvb +ENV HOME=/root +WORKDIR /root +COPY jvb_run /usr/local/bin/jvb_run + +ENV JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/root -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=.sip-communicator -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi" + +CMD ["/usr/local/bin/jvb_run"] diff --git a/app/jitsi/build/jitsi-videobridge/jvb_run b/app/jitsi/build/jitsi-videobridge/jvb_run new file mode 100755 index 0000000..b86c911 --- /dev/null +++ b/app/jitsi/build/jitsi-videobridge/jvb_run @@ -0,0 +1,54 @@ +#!/bin/bash + +cat >> /etc/hosts <<EOF +${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr +127.0.0.1 `hostname` +EOF + +mkdir -p /root/.sip-communicator + +cat > /root/.sip-communicator/sip-communicator.properties <<EOF +# Enable broadcasting stats/presence in a MUC +org.jitsi.videobridge.ENABLE_STATISTICS=true +org.jitsi.videobridge.STATISTICS_TRANSPORT=muc + +# Connect to the first XMPP server +org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=jitsi.deuxfleurs.fr +org.jitsi.videobridge.xmpp.user.shard.DOMAIN=auth.jitsi.deuxfleurs.fr +org.jitsi.videobridge.xmpp.user.shard.USERNAME=jvb +org.jitsi.videobridge.xmpp.user.shard.PASSWORD=${JITSI_SECRET_VIDEOBRIDGE} +org.jitsi.videobridge.xmpp.user.shard.MUC_JIDS=JvbBrewery@internal.auth.jitsi.deuxfleurs.fr +org.jitsi.videobridge.xmpp.user.shard.MUC=JvbBrewery@internal.auth.jitsi.deuxfleurs.fr +org.jitsi.videobridge.xmpp.user.shard.MUC_NICKNAME=singleton +org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true + +# Do we need it? @FIXME +org.jitsi.impl.neomedia.transform.srtp.SRTPCryptoContext.checkReplay=false + +# NAT things, two times just in case... +org.ice4j.ice.harvest.TCP_HARVESTER_PORT=${JITSI_VIDEO_TCP} +org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=${JITSI_NAT_LOCAL_IP} +org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=${JITSI_NAT_PUBLIC_IP} +org.jitsi.videobridge.TCP_HARVESTER_PORT=${JITSI_VIDEO_TCP} +org.jitsi.videobridge.NAT_HARVESTER_LOCAL_ADDRESS=${JITSI_NAT_LOCAL_IP} +org.jitsi.videobridge.NAT_HARVESTER_PUBLIC_ADDRESS=${JITSI_NAT_PUBLIC_IP} +org.jitsi.videobridge.DISABLE_TCP_HARVESTER=false +EOF + +[ -v JITSI_DEBUG ] && cat >> /root/.sip-communicator/sip-communicator.properties <<EOF +net.java.sip.communicator.packetlogging.PACKET_LOGGING_ENABLED=true +net.java.sip.communicator.packetlogging.PACKET_LOGGING_ARBITRARY_ENABLED=true +net.java.sip.communicator.packetlogging.PACKET_LOGGING_SIP_ENABLED=true +net.java.sip.communicator.packetlogging.PACKET_LOGGING_JABBER_ENABLED=true +net.java.sip.communicator.packetlogging.PACKET_LOGGING_RTP_ENABLED=true +net.java.sip.communicator.packetlogging.PACKET_LOGGING_ICE4j_ENABLED=true +net.java.sip.communicator.packetlogging.PACKET_LOGGING_FILE_COUNT=1 +net.java.sip.communicator.packetlogging.PACKET_LOGGING_FILE_SIZE=-1 +EOF + +/srv/jvb/jvb.sh \ + --host=${JITSI_PROSODY_HOST} \ + --domain=jitsi.deuxfleurs.fr \ + --port=5347 \ + --secret=${JITSI_SECRET_VIDEOBRIDGE} \ + --apis=xmpp,rest diff --git a/app/jitsi/build/jitsi-xmpp/Dockerfile b/app/jitsi/build/jitsi-xmpp/Dockerfile new file mode 100644 index 0000000..f3dcd36 --- /dev/null +++ b/app/jitsi/build/jitsi-xmpp/Dockerfile @@ -0,0 +1,13 @@ +FROM debian:buster + +ARG VERSION + +RUN apt-get update && \ + apt-get install -y prosody=${VERSION} + +COPY external_components.cfg.lua /etc/prosody/conf.d/external_components.cfg.lua +COPY xmpp_conf /usr/local/bin/xmpp_conf +COPY xmpp_gen /usr/local/bin/xmpp_gen +COPY xmpp_run /usr/local/bin/xmpp_run + +CMD ["/usr/local/bin/xmpp_run"] diff --git a/app/jitsi/build/jitsi-xmpp/external_components.cfg.lua b/app/jitsi/build/jitsi-xmpp/external_components.cfg.lua new file mode 100644 index 0000000..beaaa87 --- /dev/null +++ b/app/jitsi/build/jitsi-xmpp/external_components.cfg.lua @@ -0,0 +1,2 @@ +component_ports = { 5347 } +component_interface = "0.0.0.0" diff --git a/app/jitsi/build/jitsi-xmpp/xmpp_conf b/app/jitsi/build/jitsi-xmpp/xmpp_conf new file mode 100755 index 0000000..34b2cb3 --- /dev/null +++ b/app/jitsi/build/jitsi-xmpp/xmpp_conf @@ -0,0 +1,49 @@ +#!/bin/bash + +cat >> /etc/hosts <<EOF +${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr +127.0.0.1 `hostname` +EOF + +mkdir -p /etc/prosody/conf.{d,avail}/ +cat > /etc/prosody/conf.avail/jitsi.deuxfleurs.fr.cfg.lua <<EOF +http_ports = { ${JITSI_PROSODY_BOSH_PORT} } + +VirtualHost "jitsi.deuxfleurs.fr" + authentication = "anonymous" + ssl = { + key = "/var/lib/prosody/jitsi.deuxfleurs.fr.key"; + certificate = "/var/lib/prosody/jitsi.deuxfleurs.fr.crt"; + } + modules_enabled = { + "bosh"; + "pubsub"; + } + c2s_require_encryption = false + +VirtualHost "auth.jitsi.deuxfleurs.fr" + ssl = { + key = "/var/lib/prosody/auth.jitsi.deuxfleurs.fr.key"; + certificate = "/var/lib/prosody/auth.jitsi.deuxfleurs.fr.crt"; + } + authentication = "internal_plain" + admins = { "focus@auth.jitsi.deuxfleurs.fr"} + +Component "conference.jitsi.deuxfleurs.fr" "muc" +Component "internal.auth.jitsi.deuxfleurs.fr" "muc" + storage = "memory" + modules_enabled = { "ping"; } + admins = { "focus@auth.jitsi.deuxfleurs.fr", "jvb@auth.jitsi.deuxfleurs.fr" } + +Component "jitsi-videobridge.jitsi.deuxfleurs.fr" + component_secret = "${JITSI_SECRET_VIDEOBRIDGE}" +Component "focus.jitsi.deuxfleurs.fr" + component_secret = "${JITSI_SECRET_JICOFO_COMPONENT}" + +EOF + +ln -sf \ + /etc/prosody/conf.avail/jitsi.deuxfleurs.fr.cfg.lua \ + /etc/prosody/conf.d/jitsi.deuxfleurs.fr.cfg.lua + + diff --git a/app/jitsi/build/jitsi-xmpp/xmpp_gen b/app/jitsi/build/jitsi-xmpp/xmpp_gen new file mode 100755 index 0000000..3a2e04a --- /dev/null +++ b/app/jitsi/build/jitsi-xmpp/xmpp_gen @@ -0,0 +1,9 @@ +#!/bin/bash + +/usr/local/bin/xmpp_conf + +prosodyctl cert generate jitsi.deuxfleurs.fr +prosodyctl cert generate auth.jitsi.deuxfleurs.fr + +cp /var/lib/prosody/*.crt ${JITSI_CERTS_FOLDER} +cp /var/lib/prosody/*.key ${JITSI_CERTS_FOLDER} diff --git a/app/jitsi/build/jitsi-xmpp/xmpp_run b/app/jitsi/build/jitsi-xmpp/xmpp_run new file mode 100755 index 0000000..6383b65 --- /dev/null +++ b/app/jitsi/build/jitsi-xmpp/xmpp_run @@ -0,0 +1,20 @@ +#!/bin/bash + +/usr/local/bin/xmpp_conf +cp ${JITSI_CERTS_FOLDER}/* /var/lib/prosody/ +chown -R prosody:prosody /var/lib/prosody + +mkdir -p /usr/local/share/ca-certificates/ +ln -sf \ + /var/lib/prosody/auth.jitsi.deuxfleurs.fr.crt \ + /usr/local/share/ca-certificates/auth.jitsi.deuxfleurs.fr.crt + +prosodyctl register focus auth.jitsi.deuxfleurs.fr ${JITSI_SECRET_JICOFO_USER} +prosodyctl register jvb auth.jitsi.deuxfleurs.fr ${JITSI_SECRET_VIDEOBRIDGE} + +mkdir /run/prosody +touch /run/prosody/prosody.pid +chown -R prosody:prosody /run/prosody + +cd /var/lib/prosody +su - prosody -s /bin/bash -c prosody diff --git a/app/jitsi/config/global_env.tpl b/app/jitsi/config/global_env.tpl new file mode 100644 index 0000000..836a131 --- /dev/null +++ b/app/jitsi/config/global_env.tpl @@ -0,0 +1,10 @@ +JITSI_SECRET_VIDEOBRIDGE={{ key "secrets/jitsi/jitsi_secret_videobridge" }} +JITSI_SECRET_JICOFO_COMPONENT={{ key "secrets/jitsi/jitsi_secret_jicofo_component" }} +JITSI_SECRET_JICOFO_USER={{ key "secrets/jitsi/jitsi_secret_jicofo_user" }} +JITSI_PROSODY_BOSH_PORT={{ env "NOMAD_PORT_bosh_port" }} +JITSI_PROSODY_BOSH_HOST=127.0.0.1 +JITSI_PROSODY_HOST=127.0.0.1 +JITSI_CERTS_FOLDER=/secrets/certs/ +JITSI_NAT_PUBLIC_IP=82.253.205.190 +JITSI_NAT_LOCAL_IP={{ env "NOMAD_IP_video1_port" }} +NGINX_PORT={{ env "NOMAD_PORT_https_port" }} diff --git a/app/jitsi/deploy/jitsi.hcl b/app/jitsi/deploy/jitsi.hcl new file mode 100644 index 0000000..852e1e6 --- /dev/null +++ b/app/jitsi/deploy/jitsi.hcl @@ -0,0 +1,234 @@ +job "jitsi" { + datacenters = ["dc1"] + type = "service" + + constraint { + attribute = "${attr.cpu.arch}" + value = "amd64" + } + + group "core" { + + network { + port "bosh_port" { } + port "ext_port" { static = 5347 } + port "xmpp_port" { static = 5222 } + port "https_port" { } + port "video1_port" { static = 8080 } + port "video2_port" { static = 10000 } + } + + task "xmpp" { + driver = "docker" + config { + image = "superboum/amd64_jitsi_xmpp:v8" + ports = [ "bosh_port", "ext_port", "xmpp_port" ] + network_mode = "host" + } + + template { + data = file("../config/global_env.tpl") + destination = "secrets/global_env" + env = true + } + + # --- secrets --- + template { + data = "{{ key \"secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt\" }}" + destination = "secrets/certs/auth.jitsi.deuxfleurs.fr.crt" + } + + template { + data = "{{ key \"secrets/jitsi/auth.jitsi.deuxfleurs.fr.key\" }}" + destination = "secrets/certs/auth.jitsi.deuxfleurs.fr.key" + } + + template { + data = "{{ key \"secrets/jitsi/jitsi.deuxfleurs.fr.crt\" }}" + destination = "secrets/certs/jitsi.deuxfleurs.fr.crt" + } + + template { + data = "{{ key \"secrets/jitsi/jitsi.deuxfleurs.fr.key\" }}" + destination = "secrets/certs/jitsi.deuxfleurs.fr.key" + } + + resources { + cpu = 300 + memory = 200 + } + + service { + tags = [ "jitsi", "bosh" ] + port = "bosh_port" + address_mode = "host" + name = "jitsi-xmpp-bosh" + check { + type = "tcp" + port = "bosh_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + service { + tags = [ "jitsi", "ext" ] + port = "ext_port" + address_mode = "host" + name = "jitsi-ext" + } + + service { + tags = [ "jitsi", "xmpp" ] + port = "xmpp_port" + address_mode = "host" + name = "jitsi-xmpp" + } + } + + task "front" { + driver = "docker" + config { + image = "superboum/amd64_jitsi_meet:v3" + network_mode = "host" + ports = [ "https_port" ] + } + + template { + data = file("../config/global_env.tpl") + destination = "secrets/global_env" + env = true + } + + # --- secrets --- + template { + data = "{{ key \"secrets/jitsi/jitsi.deuxfleurs.fr.crt\" }}" + destination = "secrets/certs/jitsi.deuxfleurs.fr.crt" + } + template { + data = "{{ key \"secrets/jitsi/jitsi.deuxfleurs.fr.key\" }}" + destination = "secrets/certs/jitsi.deuxfleurs.fr.key" + } + + resources { + cpu = 300 + memory = 200 + } + + service { + tags = [ + "jitsi", + "traefik.enable=true", + "traefik.frontend.entryPoints=https,http", + "traefik.frontend.rule=Host:jitsi.deuxfleurs.fr;PathPrefix:/", + "traefik.protocol=https" + ] + port = "https_port" + address_mode = "host" + name = "jitsi-front-https" + check { + type = "tcp" + port = "https_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + + task "jicofo" { + driver = "docker" + config { + image = "superboum/amd64_jitsi_conference_focus:v6" + network_mode = "host" + } + + template { + data = file("../config/global_env.tpl") + destination = "secrets/global_env" + env = true + } + + #--- secrets --- + template { + data = "{{ key \"secrets/jitsi/jitsi.deuxfleurs.fr.crt\" }}" + destination = "secrets/certs/jitsi.deuxfleurs.fr.crt" + } + + template { + data = "{{ key \"secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt\" }}" + destination = "secrets/certs/auth.jitsi.deuxfleurs.fr.crt" + } + + resources { + cpu = 300 + memory = 400 + } + } + + task "videobridge" { + driver = "docker" + config { + image = "superboum/amd64_jitsi_videobridge:v16" + network_mode = "host" + ports = [ "video1_port", "video2_port" ] + ulimit { + nofile = "1048576:1048576" + nproc = "65536:65536" + } + } + + env { + #JITSI_DEBUG = 1 + JITSI_VIDEO_TCP = 8080 + VIDEOBRIDGE_MAX_MEMORY = "1450m" + } + + template { + data = file("../config/global_env.tpl") + destination = "secrets/global_env" + env = true + } + + resources { + cpu = 900 + memory = 1500 + } + + service { + tags = [ "jitsi", "(diplonat (tcp_port 8080))" ] + port = "video1_port" + address_mode = "host" + name = "jitsi-videobridge-video1" + check { + type = "tcp" + port = "video1_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + service { + tags = [ "jitsi", "(diplonat (udp_port 10000))" ] + port = "video2_port" + address_mode = "host" + name = "jitsi-videobridge-video2" + } + } + } +} + diff --git a/app/jitsi/integratio/01_gen_certs.yml b/app/jitsi/integratio/01_gen_certs.yml new file mode 100644 index 0000000..bf73291 --- /dev/null +++ b/app/jitsi/integratio/01_gen_certs.yml @@ -0,0 +1,8 @@ +version: '3' +services: + jitsi-xmpp: + image: superboum/amd64_jitsi_xmpp:v2 + command: ["/usr/local/bin/xmpp_gen"] + volumes: [ './jitsi-certs/:/certs:rw' ] + env_file: [ 'dev.env' ] + diff --git a/app/jitsi/integratio/02_run.yml b/app/jitsi/integratio/02_run.yml new file mode 100644 index 0000000..73eefad --- /dev/null +++ b/app/jitsi/integratio/02_run.yml @@ -0,0 +1,27 @@ +version: '3.4' +services: + jitsi-xmpp: + image: superboum/amd64_jitsi_xmpp:v3 + ports: + - "5222:5222" + - "5347:5347" + - "5280:5280" + env_file: [ 'dev.env' ] + volumes: [ './jitsi-certs/:/certs:ro' ] + jitsi-meet: + image: superboum/amd64_jitsi_meet:v1 + ports: + - "443:443" + env_file: [ 'dev.env' ] + volumes: [ './jitsi-certs/:/certs:ro' ] + jitsi-conference-focus: + image: superboum/amd64_jitsi_conference_focus:v4 + env_file: [ 'dev.env' ] + volumes: [ './jitsi-certs/:/certs:ro' ] + jitsi-videobridge: + image: superboum/amd64_jitsi_videobridge:v14 + ports: + - "8080:8080/tcp" + - "10000:10000/udp" + env_file: [ 'dev.env' ] + volumes: [ './jitsi-certs/:/certs:ro' ] diff --git a/app/jitsi/integratio/README.md b/app/jitsi/integratio/README.md new file mode 100644 index 0000000..70b59fc --- /dev/null +++ b/app/jitsi/integratio/README.md @@ -0,0 +1,26 @@ +This installation is inspired by: https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-install.md + +To build images: + +``` +docker-compose -f 02_run.yml build +``` + +To gen the certs: + +``` +docker-compose -f 01_gen_certs.yml up --force-recreate +``` + +To run the stack: + + +``` +docker-compose -f 02_run.yml up --force-recreate +``` + +To push the stack on the docker registry: + +``` +docker-compose -f 02_run.yml push +``` diff --git a/app/jitsi/integratio/dev.env b/app/jitsi/integratio/dev.env new file mode 100644 index 0000000..1dd2122 --- /dev/null +++ b/app/jitsi/integratio/dev.env @@ -0,0 +1,10 @@ +JITSI_SECRET_VIDEOBRIDGE=S3CR3T01 +JITSI_SECRET_JICOFO_COMPONENT=S3CR3T02 +JITSI_SECRET_JICOFO_USER=S3CR3T03 +JITSI_PROSODY_BOSH_PORT=5280 +JITSI_PROSODY_BOSH_HOST=172.17.0.1 +JITSI_PROSODY_HOST=172.17.0.1 +JITSI_CERTS_FOLDER=/certs/ +JITSI_NAT_PUBLIC_IP=37.164.35.154 +JITSI_NAT_LOCAL_IP=192.168.0.231 +JITSI_VIDEO_TCP=8080 diff --git a/app/jitsi/integratio/jitsi-certs/.gitignore b/app/jitsi/integratio/jitsi-certs/.gitignore new file mode 100644 index 0000000..d6b7ef3 --- /dev/null +++ b/app/jitsi/integratio/jitsi-certs/.gitignore @@ -0,0 +1,2 @@ +* +!.gitignore diff --git a/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt b/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt new file mode 100644 index 0000000..f2c4d4b --- /dev/null +++ b/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt @@ -0,0 +1 @@ +SSL_CERT jitsi_auth autj.jitsi.deuxfleurs.fr diff --git a/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key b/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key new file mode 100644 index 0000000..4a332f8 --- /dev/null +++ b/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key @@ -0,0 +1 @@ +SSL_KEY jitsi_auth autj.jitsi.deuxfleurs.fr diff --git a/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt b/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt new file mode 100644 index 0000000..32750d3 --- /dev/null +++ b/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt @@ -0,0 +1 @@ +SSL_CERT jitsi jitsi.deuxfleurs.fr diff --git a/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key b/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key new file mode 100644 index 0000000..7676132 --- /dev/null +++ b/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key @@ -0,0 +1 @@ +SSL_KEY jitsi |