Merge branch 'master' of git.deuxfleurs.fr:Deuxfleurs/infrastructure

45 files changed, 930 insertions, 206 deletions

diff --git a/app/backup/secrets/backup/id_ed25519 b/app/backup/secrets/backup/id_ed25519
new file mode 100644
index 0000000..9d7fd46
--- /dev/null
+++ b/app/backup/secrets/backup/id_ed25519
@@ -0,0 +1 @@
+USER_LONG Private ed25519 key of the container doing the backup
diff --git a/app/backup/secrets/backup/id_ed25519.pub b/app/backup/secrets/backup/id_ed25519.pub
new file mode 100644
index 0000000..0a2ab35
--- /dev/null
+++ b/app/backup/secrets/backup/id_ed25519.pub
@@ -0,0 +1 @@
+USER Public ed25519 key of the container doing the backup (this key must be in authorized_keys on the backup target host)
diff --git a/app/backup/secrets/backup/target_ssh_dir b/app/backup/secrets/backup/target_ssh_dir
new file mode 100644
index 0000000..3b2a4da
--- /dev/null
+++ b/app/backup/secrets/backup/target_ssh_dir
@@ -0,0 +1 @@
+USER Directory where to store backups on target host
diff --git a/app/backup/secrets/backup/target_ssh_fingerprint b/app/backup/secrets/backup/target_ssh_fingerprint
new file mode 100644
index 0000000..608f3ec
--- /dev/null
+++ b/app/backup/secrets/backup/target_ssh_fingerprint
@@ -0,0 +1 @@
+USER SSH fingerprint of the target machine (format: copy here the corresponding line from your known_hosts file)
diff --git a/app/backup/secrets/backup/target_ssh_host b/app/backup/secrets/backup/target_ssh_host
new file mode 100644
index 0000000..6268f87
--- /dev/null
+++ b/app/backup/secrets/backup/target_ssh_host
@@ -0,0 +1 @@
+USER Hostname of the backup target host
diff --git a/app/backup/secrets/backup/target_ssh_port b/app/backup/secrets/backup/target_ssh_port
new file mode 100644
index 0000000..309dd38
--- /dev/null
+++ b/app/backup/secrets/backup/target_ssh_port
@@ -0,0 +1 @@
+USER SSH port number to connect to the target host
diff --git a/app/backup/secrets/backup/target_ssh_user b/app/backup/secrets/backup/target_ssh_user
new file mode 100644
index 0000000..98b3046
--- /dev/null
+++ b/app/backup/secrets/backup/target_ssh_user
@@ -0,0 +1 @@
+USER SSH username to log in as on the target host
diff --git a/app/docker-compose.yml b/app/docker-compose.yml
index df7fee4..717e8ce 100644
--- a/app/docker-compose.yml
+++ b/app/docker-compose.yml
@@ -48,33 +48,35 @@ services:
       args:
         # https://github.com/jitsi/jitsi-meet
         PREFIXV: stable/jitsi-meet_
-        VERSION: 5390
-    image: superboum/amd64_jitsi_meet:v3
+        VERSION: 5463
+    image: superboum/amd64_jitsi_meet:v4
 
   jitsi-conference-focus:
     build:
       context: ./jitsi/build/jitsi-conference-focus
       args:
         # https://github.com/jitsi/jicofo
-        PREFIXV: stable/jitsi-meet_
-        VERSION: 5390
-    image: superboum/amd64_jitsi_conference_focus:v6
+        PREFIXV: jitsi-meet_
+        VERSION: 5463
+    image: superboum/amd64_jitsi_conference_focus:v7
 
   jitsi-videobridge:
     build:
       context: ./jitsi/build/jitsi-videobridge
       args:
         # https://github.com/jitsi/jitsi-videobridge
-        PREFIXV: stable/jitsi-meet_
-        VERSION: 5390
-    image: superboum/amd64_jitsi_videobridge:v16
+        PREFIXV: jitsi-meet_
+        VERSION: 5463
+    image: superboum/amd64_jitsi_videobridge:v17
 
   jitsi-xmpp:
     build:
       context: ./jitsi/build/jitsi-xmpp
       args:
-        VERSION: 0.11.2-1
-    image: superboum/amd64_jitsi_xmpp:v8
+        PREFIXV: jitsi-meet_
+        MEET_VERSION: 5463
+        PROSODY_VERSION: 0.11.7-1~buster4
+    image: superboum/amd64_jitsi_xmpp:v9
 
   plume:
     build:
diff --git a/app/garage/secrets/garage/garage-ca.crt b/app/garage/secrets/garage/garage-ca.crt
new file mode 100644
index 0000000..8488ab6
--- /dev/null
+++ b/app/garage/secrets/garage/garage-ca.crt
@@ -0,0 +1 @@
+USER_LONG garage-ca.crt (generated with Garage's genkeys.sh script)
diff --git a/app/garage/secrets/garage/garage-ca.key b/app/garage/secrets/garage/garage-ca.key
new file mode 100644
index 0000000..ca3e90c
--- /dev/null
+++ b/app/garage/secrets/garage/garage-ca.key
@@ -0,0 +1 @@
+USER_LONG garage-ca.key (generated with Garage's genkeys.sh script)
diff --git a/app/garage/secrets/garage/garage.crt b/app/garage/secrets/garage/garage.crt
new file mode 100644
index 0000000..6044ab8
--- /dev/null
+++ b/app/garage/secrets/garage/garage.crt
@@ -0,0 +1 @@
+USER_LONG garage.crt (generated with Garage's genkeys.sh script)
diff --git a/app/garage/secrets/garage/garage.key b/app/garage/secrets/garage/garage.key
new file mode 100644
index 0000000..db3cb0e
--- /dev/null
+++ b/app/garage/secrets/garage/garage.key
@@ -0,0 +1 @@
+USER_LONG garage.key (generated with Garage's genkeys.sh script)
diff --git a/app/im/secrets/chat/easybridge/as_token b/app/im/secrets/chat/easybridge/as_token
new file mode 100644
index 0000000..5fa4e3c
--- /dev/null
+++ b/app/im/secrets/chat/easybridge/as_token
@@ -0,0 +1 @@
+CMD openssl rand -hex 32
diff --git a/app/im/secrets/chat/easybridge/db_pass b/app/im/secrets/chat/easybridge/db_pass
new file mode 100644
index 0000000..7e1f94b
--- /dev/null
+++ b/app/im/secrets/chat/easybridge/db_pass
@@ -0,0 +1 @@
+SERVICE_PASSWORD easybridge
diff --git a/app/im/secrets/chat/easybridge/db_user b/app/im/secrets/chat/easybridge/db_user
new file mode 100644
index 0000000..436267c
--- /dev/null
+++ b/app/im/secrets/chat/easybridge/db_user
@@ -0,0 +1 @@
+CONST easybridge
diff --git a/app/im/secrets/chat/easybridge/hs_token b/app/im/secrets/chat/easybridge/hs_token
new file mode 100644
index 0000000..5fa4e3c
--- /dev/null
+++ b/app/im/secrets/chat/easybridge/hs_token
@@ -0,0 +1 @@
+CMD openssl rand -hex 32
diff --git a/app/im/secrets/chat/easybridge/web_session_key b/app/im/secrets/chat/easybridge/web_session_key
new file mode 100644
index 0000000..614bed7
--- /dev/null
+++ b/app/im/secrets/chat/easybridge/web_session_key
@@ -0,0 +1,2 @@
+CMD openssl rand -hex 32
+
diff --git a/app/im/secrets/chat/fb2mx/as_token b/app/im/secrets/chat/fb2mx/as_token
index 20b76d4..5fa4e3c 100644
--- a/app/im/secrets/chat/fb2mx/as_token
+++ b/app/im/secrets/chat/fb2mx/as_token
@@ -1 +1 @@
-USER fb2mx API server token
+CMD openssl rand -hex 32
diff --git a/app/im/secrets/chat/fb2mx/hs_token b/app/im/secrets/chat/fb2mx/hs_token
index 8808f8f..5fa4e3c 100644
--- a/app/im/secrets/chat/fb2mx/hs_token
+++ b/app/im/secrets/chat/fb2mx/hs_token
@@ -1 +1 @@
-USER fb2mx homeserver token
+CMD openssl rand -hex 32
diff --git a/app/im/secrets/chat/synapse/homeserver.signing.key b/app/im/secrets/chat/synapse/homeserver.signing.key
new file mode 100644
index 0000000..099bd18
--- /dev/null
+++ b/app/im/secrets/chat/synapse/homeserver.signing.key
@@ -0,0 +1 @@
+USER Synapse homeserver ed25519 signing key
diff --git a/app/im/secrets/chat/synapse/registration_shared_secret b/app/im/secrets/chat/synapse/registration_shared_secret
index 395cccc..b82f191 100644
--- a/app/im/secrets/chat/synapse/registration_shared_secret
+++ b/app/im/secrets/chat/synapse/registration_shared_secret
@@ -1 +1 @@
-USER Shared secret for homeserver registrations (?)
+CMD head -c 32 /dev/urandom | base64
diff --git a/app/jitsi/build/jitsi-conference-focus/Dockerfile b/app/jitsi/build/jitsi-conference-focus/Dockerfile
index e2c459c..db50746 100644
--- a/app/jitsi/build/jitsi-conference-focus/Dockerfile
+++ b/app/jitsi/build/jitsi-conference-focus/Dockerfile
@@ -1,11 +1,10 @@
-FROM debian:buster AS builder
+FROM fedora:33 AS builder
+
+RUN dnf install -y java-latest-openjdk-headless maven wget unzip
 
 ARG PREFIXV
 ARG VERSION
-RUN apt-get update && \
-    apt-get install -y openjdk-11-jdk maven wget unzip && \
-    wget https://github.com/jitsi/jicofo/archive/${PREFIXV}${VERSION}.zip -O jicofo.zip
-
+RUN wget https://github.com/jitsi/jicofo/archive/${PREFIXV}${VERSION}.zip -O jicofo.zip
 RUN unzip jicofo.zip && \
     mv jicofo*${VERSION} jicofo && \
     cd jicofo && \
@@ -13,15 +12,12 @@ RUN unzip jicofo.zip && \
     unzip target/jicofo-1.1-SNAPSHOT-archive.zip && \
     mv jicofo-1.1-SNAPSHOT /srv/build
 
-FROM debian:buster
+FROM debian:bullseye
 
 RUN apt-get update && \
     apt-get install -y openjdk-11-jre-headless ca-certificates
 
-ENV JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/root -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=.sip-communicator -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi"
-
-COPY --from=builder /srv/build /srv/jicofo
-COPY jicofo /usr/local/bin/jicofo
-COPY sip-communicator.properties /root/.sip-communicator/sip-communicator.properties
+COPY --from=builder /srv/build /usr/share/jicofo
+COPY jicofo /usr/local/bin
 
 CMD ["/usr/local/bin/jicofo"]
diff --git a/app/jitsi/build/jitsi-conference-focus/jicofo b/app/jitsi/build/jitsi-conference-focus/jicofo
index 2bc6e3f..2225e98 100755
--- a/app/jitsi/build/jitsi-conference-focus/jicofo
+++ b/app/jitsi/build/jitsi-conference-focus/jicofo
@@ -1,16 +1,13 @@
 #!/bin/bash
 
-cp ${JITSI_CERTS_FOLDER}/auth.jitsi.deuxfleurs.fr.crt /usr/local/share/ca-certificates/auth.jitsi.deuxfleurs.fr.crt
 update-ca-certificates -f
 
-cat >> /etc/hosts <<EOF
-${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr
-127.0.0.1 `hostname`
-EOF
-
-/srv/jicofo/jicofo.sh \
-  --host=${JITSI_PROSODY_HOST} \
-  --domain=jitsi.deuxfleurs.fr \
-  --secret=${JITSI_SECRET_JICOFO_COMPONENT} \
-  --user_domain=auth.jitsi.deuxfleurs.fr \
-  --user_password=${JITSI_SECRET_JICOFO_USER}
+exec java \
+  -Xmx400m \
+  -XX:+HeapDumpOnOutOfMemoryError \
+  -XX:HeapDumpPath=/tmp \
+  -Djdk.tls.ephemeralDHKeySize=2048 \
+  -Djava.util.logging.config.file=/usr/share/jicofo/lib/logging.properties \
+  -Dconfig.file=/etc/jitsi/jicofo.conf \
+  -cp "/usr/share/jicofo/*:/usr/share/jicofo/lib/*" \
+  org.jitsi.jicofo.Main
diff --git a/app/jitsi/build/jitsi-conference-focus/sip-communicator.properties b/app/jitsi/build/jitsi-conference-focus/sip-communicator.properties
deleted file mode 100644
index 53c32e2..0000000
--- a/app/jitsi/build/jitsi-conference-focus/sip-communicator.properties
+++ /dev/null
@@ -1,2 +0,0 @@
-org.jitsi.jicofo.SHORT_ID=1
-org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.jitsi.deuxfleurs.fr
diff --git a/app/jitsi/build/jitsi-xmpp/Dockerfile b/app/jitsi/build/jitsi-xmpp/Dockerfile
index f3dcd36..90aae76 100644
--- a/app/jitsi/build/jitsi-xmpp/Dockerfile
+++ b/app/jitsi/build/jitsi-xmpp/Dockerfile
@@ -1,13 +1,38 @@
-FROM debian:buster
+FROM debian:buster as builder
 
-ARG VERSION
+WORKDIR /tmp
+ARG MEET_VERSION
+ARG PREFIXV
+RUN apt-get update && \
+    apt-get install -y wget unzip
+RUN wget https://github.com/jitsi/jitsi-meet/archive/${PREFIXV}${MEET_VERSION}.zip -O meet.zip
+RUN unzip meet.zip && \
+    mv jitsi-meet-* jitsi-meet
 
+FROM debian:buster
+
+ARG PROSODY_VERSION
 RUN apt-get update && \
-    apt-get install -y prosody=${VERSION}
+    apt-get install -y wget gnupg2 && \
+    echo deb http://packages.prosody.im/debian buster main \
+    | tee -a /etc/apt/sources.list && \
+    wget https://prosody.im/files/prosody-debian-packages.key -O - \
+    | apt-key add - && \
+    apt-get update && \
+    apt-get install -y prosody=${PROSODY_VERSION} lua-event
+
+RUN mkdir -p /usr/local/share/ca-certificates/ && \
+    ln -sf \
+      /var/lib/prosody/certs/auth.jitsi.crt \
+      /usr/local/share/ca-certificates/auth.jitsi.crt && \
+    mkdir /run/prosody && \
+    touch /run/prosody/prosody.pid && \
+    mkdir -p /var/lib/prosody && \
+    chown -R prosody:prosody /var/lib/prosody /run/prosody
 
-COPY external_components.cfg.lua /etc/prosody/conf.d/external_components.cfg.lua
-COPY xmpp_conf /usr/local/bin/xmpp_conf
-COPY xmpp_gen /usr/local/bin/xmpp_gen
-COPY xmpp_run /usr/local/bin/xmpp_run
+COPY --from=builder /tmp/jitsi-meet/resources/prosody-plugins /usr/share/jitsi-meet/prosody-plugins/
+COPY xmpp_prosody /usr/local/bin/xmpp_prosody
 
-CMD ["/usr/local/bin/xmpp_run"]
+WORKDIR /var/lib/prosody
+USER prosody
+CMD ["/usr/local/bin/xmpp_prosody"]
diff --git a/app/jitsi/build/jitsi-xmpp/external_components.cfg.lua b/app/jitsi/build/jitsi-xmpp/external_components.cfg.lua
deleted file mode 100644
index beaaa87..0000000
--- a/app/jitsi/build/jitsi-xmpp/external_components.cfg.lua
+++ /dev/null
@@ -1,2 +0,0 @@
-component_ports = { 5347 }
-component_interface = "0.0.0.0"
diff --git a/app/jitsi/build/jitsi-xmpp/xmpp_conf b/app/jitsi/build/jitsi-xmpp/xmpp_conf
deleted file mode 100755
index 34b2cb3..0000000
--- a/app/jitsi/build/jitsi-xmpp/xmpp_conf
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/bin/bash
-
-cat >> /etc/hosts <<EOF
-${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr
-127.0.0.1 `hostname`
-EOF
-
-mkdir -p /etc/prosody/conf.{d,avail}/
-cat > /etc/prosody/conf.avail/jitsi.deuxfleurs.fr.cfg.lua <<EOF
-http_ports = { ${JITSI_PROSODY_BOSH_PORT} }
-
-VirtualHost "jitsi.deuxfleurs.fr"
-  authentication = "anonymous"
-  ssl = {
-    key = "/var/lib/prosody/jitsi.deuxfleurs.fr.key";
-    certificate = "/var/lib/prosody/jitsi.deuxfleurs.fr.crt";
-  }
-  modules_enabled = {
-    "bosh";
-    "pubsub";
-  }
-  c2s_require_encryption = false
-
-VirtualHost "auth.jitsi.deuxfleurs.fr"
-  ssl = {
-    key = "/var/lib/prosody/auth.jitsi.deuxfleurs.fr.key";
-    certificate = "/var/lib/prosody/auth.jitsi.deuxfleurs.fr.crt";
-  }
-  authentication = "internal_plain"
-  admins = { "focus@auth.jitsi.deuxfleurs.fr"}
-
-Component "conference.jitsi.deuxfleurs.fr" "muc"
-Component "internal.auth.jitsi.deuxfleurs.fr" "muc"
-  storage = "memory"
-  modules_enabled = { "ping"; }
-  admins = { "focus@auth.jitsi.deuxfleurs.fr", "jvb@auth.jitsi.deuxfleurs.fr" }
-
-Component "jitsi-videobridge.jitsi.deuxfleurs.fr"
-    component_secret = "${JITSI_SECRET_VIDEOBRIDGE}"
-Component "focus.jitsi.deuxfleurs.fr"
-    component_secret = "${JITSI_SECRET_JICOFO_COMPONENT}"
-
-EOF
-
-ln -sf \
-  /etc/prosody/conf.avail/jitsi.deuxfleurs.fr.cfg.lua \
-  /etc/prosody/conf.d/jitsi.deuxfleurs.fr.cfg.lua
-
-
diff --git a/app/jitsi/build/jitsi-xmpp/xmpp_gen b/app/jitsi/build/jitsi-xmpp/xmpp_gen
deleted file mode 100755
index 3a2e04a..0000000
--- a/app/jitsi/build/jitsi-xmpp/xmpp_gen
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-/usr/local/bin/xmpp_conf
-
-prosodyctl cert generate jitsi.deuxfleurs.fr
-prosodyctl cert generate auth.jitsi.deuxfleurs.fr
-
-cp /var/lib/prosody/*.crt ${JITSI_CERTS_FOLDER}
-cp /var/lib/prosody/*.key ${JITSI_CERTS_FOLDER}
diff --git a/app/jitsi/build/jitsi-xmpp/xmpp_prosody b/app/jitsi/build/jitsi-xmpp/xmpp_prosody
new file mode 100755
index 0000000..af179e5
--- /dev/null
+++ b/app/jitsi/build/jitsi-xmpp/xmpp_prosody
@@ -0,0 +1,9 @@
+#!/bin/bash
+prosodyctl register focus auth.jitsi ${JICOFO_AUTH_PASSWORD}
+prosodyctl register jvb auth.jitsi ${JVB_AUTH_PASSWORD}
+
+# copied from jitsi-meet.postinst
+# Make sure the focus@auth user's roster includes the proxy component (this is idempotent)
+prosodyctl mod_roster_command subscribe focus.jitsi focus@auth.jitsi
+
+exec prosody
diff --git a/app/jitsi/build/jitsi-xmpp/xmpp_run b/app/jitsi/build/jitsi-xmpp/xmpp_run
deleted file mode 100755
index 6383b65..0000000
--- a/app/jitsi/build/jitsi-xmpp/xmpp_run
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-
-/usr/local/bin/xmpp_conf
-cp ${JITSI_CERTS_FOLDER}/* /var/lib/prosody/
-chown -R prosody:prosody /var/lib/prosody
-
-mkdir -p /usr/local/share/ca-certificates/
-ln -sf \
-  /var/lib/prosody/auth.jitsi.deuxfleurs.fr.crt \
-  /usr/local/share/ca-certificates/auth.jitsi.deuxfleurs.fr.crt
-
-prosodyctl register focus auth.jitsi.deuxfleurs.fr ${JITSI_SECRET_JICOFO_USER}
-prosodyctl register jvb auth.jitsi.deuxfleurs.fr ${JITSI_SECRET_VIDEOBRIDGE}
-
-mkdir /run/prosody
-touch /run/prosody/prosody.pid
-chown -R prosody:prosody /run/prosody
-
-cd /var/lib/prosody
-su - prosody -s /bin/bash -c prosody
diff --git a/app/jitsi/config/global_env.tpl b/app/jitsi/config/global_env.tpl
index 836a131..d78975d 100644
--- a/app/jitsi/config/global_env.tpl
+++ b/app/jitsi/config/global_env.tpl
@@ -5,6 +5,6 @@ JITSI_PROSODY_BOSH_PORT={{ env "NOMAD_PORT_bosh_port" }}
 JITSI_PROSODY_BOSH_HOST=127.0.0.1
 JITSI_PROSODY_HOST=127.0.0.1
 JITSI_CERTS_FOLDER=/secrets/certs/
-JITSI_NAT_PUBLIC_IP=82.253.205.190
+JITSI_NAT_PUBLIC_IP=78.197.205.190
 JITSI_NAT_LOCAL_IP={{ env "NOMAD_IP_video1_port" }}
 NGINX_PORT={{ env "NOMAD_PORT_https_port" }}
diff --git a/app/jitsi/deploy/jitsi.hcl b/app/jitsi/deploy/jitsi.hcl
index 852e1e6..1e625bb 100644
--- a/app/jitsi/deploy/jitsi.hcl
+++ b/app/jitsi/deploy/jitsi.hcl
@@ -14,7 +14,7 @@ job "jitsi" {
       port "ext_port" { static = 5347 }
       port "xmpp_port" { static = 5222 }
       port "https_port" { }
-      port "video1_port" { static = 8080 }
+      port "video1_port" { static = 8081 }
       port "video2_port" { static = 10000 }
     }
 
@@ -189,7 +189,7 @@ job "jitsi" {
 
       env {
         #JITSI_DEBUG = 1
-        JITSI_VIDEO_TCP = 8080
+        JITSI_VIDEO_TCP = 8081
         VIDEOBRIDGE_MAX_MEMORY = "1450m"
       }
 
@@ -205,7 +205,7 @@ job "jitsi" {
       } 
 
       service {
-        tags = [ "jitsi", "(diplonat (tcp_port 8080))" ]
+        tags = [ "jitsi", "(diplonat (tcp_port 8081))" ]
         port = "video1_port"
         address_mode = "host"
         name = "jitsi-videobridge-video1"
diff --git a/app/jitsi/integratio/01_gen_certs.yml b/app/jitsi/integratio/01_gen_certs.yml
deleted file mode 100644
index bf73291..0000000
--- a/app/jitsi/integratio/01_gen_certs.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-version: '3'
-services:
-  jitsi-xmpp:
-    image: superboum/amd64_jitsi_xmpp:v2
-    command: ["/usr/local/bin/xmpp_gen"]
-    volumes: [ './jitsi-certs/:/certs:rw' ]
-    env_file: [ 'dev.env' ]
-
diff --git a/app/jitsi/integratio/02_run.yml b/app/jitsi/integratio/02_run.yml
deleted file mode 100644
index 73eefad..0000000
--- a/app/jitsi/integratio/02_run.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-version: '3.4'
-services:
-  jitsi-xmpp:
-    image: superboum/amd64_jitsi_xmpp:v3
-    ports:
-      - "5222:5222"
-      - "5347:5347"
-      - "5280:5280"
-    env_file: [ 'dev.env' ]
-    volumes: [ './jitsi-certs/:/certs:ro' ]
-  jitsi-meet:
-    image: superboum/amd64_jitsi_meet:v1
-    ports:
-      - "443:443"
-    env_file: [ 'dev.env' ]
-    volumes: [ './jitsi-certs/:/certs:ro' ]
-  jitsi-conference-focus:
-    image: superboum/amd64_jitsi_conference_focus:v4
-    env_file: [ 'dev.env' ]
-    volumes: [ './jitsi-certs/:/certs:ro' ]
-  jitsi-videobridge:
-    image: superboum/amd64_jitsi_videobridge:v14
-    ports:
-      - "8080:8080/tcp"
-      - "10000:10000/udp"
-    env_file: [ 'dev.env' ]
-    volumes: [ './jitsi-certs/:/certs:ro' ]
diff --git a/app/jitsi/integratio/README.md b/app/jitsi/integratio/README.md
deleted file mode 100644
index 70b59fc..0000000
--- a/app/jitsi/integratio/README.md
+++ /dev/null
@@ -1,26 +0,0 @@
-This installation is inspired by: https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-install.md
-
-To build images:
-
-```
-docker-compose -f 02_run.yml build
-```
-
-To gen the certs:
-
-```
-docker-compose -f 01_gen_certs.yml up --force-recreate
-```
-
-To run the stack:
-
-
-```
-docker-compose -f 02_run.yml up --force-recreate
-```
-
-To push the stack on the docker registry:
-
-```
-docker-compose -f 02_run.yml push
-```
diff --git a/app/jitsi/integratio/dev.env b/app/jitsi/integratio/dev.env
deleted file mode 100644
index 1dd2122..0000000
--- a/app/jitsi/integratio/dev.env
+++ /dev/null
@@ -1,10 +0,0 @@
-JITSI_SECRET_VIDEOBRIDGE=S3CR3T01
-JITSI_SECRET_JICOFO_COMPONENT=S3CR3T02
-JITSI_SECRET_JICOFO_USER=S3CR3T03
-JITSI_PROSODY_BOSH_PORT=5280
-JITSI_PROSODY_BOSH_HOST=172.17.0.1
-JITSI_PROSODY_HOST=172.17.0.1
-JITSI_CERTS_FOLDER=/certs/
-JITSI_NAT_PUBLIC_IP=37.164.35.154
-JITSI_NAT_LOCAL_IP=192.168.0.231
-JITSI_VIDEO_TCP=8080
diff --git a/app/jitsi/integratio/jitsi-certs/.gitignore b/app/jitsi/integratio/jitsi-certs/.gitignore
deleted file mode 100644
index d6b7ef3..0000000
--- a/app/jitsi/integratio/jitsi-certs/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-*
-!.gitignore
diff --git a/app/jitsi/integration/README.md b/app/jitsi/integration/README.md
new file mode 100644
index 0000000..82fa91d
--- /dev/null
+++ b/app/jitsi/integration/README.md
@@ -0,0 +1,68 @@
+## About Jitsi
+
+Several server components:
+  - prosody XMPP (ext)
+  - jitsi videobridge aka JVB
+  - jitsi conference focus aka jicofo aka focus
+  - jitsi meet
+  - octo
+  - jigasi
+  - jibri
+  - etc.
+
+Some libs:
+  - libjitsi
+  - jicoco
+  - jitsi-utils
+  - etc.
+
+Client components:
+  - jitsi meet electron
+  - jitsi android/ios
+  - etc.
+
+## Conf
+
+Base conf:
+
+  - [videobridge.conf](https://github.com/jitsi/jitsi-videobridge/blob/master/jvb/src/main/resources/reference.conf)
+  - [jicofo.conf](https://github.com/jitsi/jicofo/blob/master/src/main/resources/reference.conf)
+
+the following is used in videobridge.conf:
+[jicoco/MucClientConfiguration](https://github.com/jitsi/jicoco/blob/master/jicoco/src/main/java/org/jitsi/xmpp/mucclient/MucClientConfiguration.java)
+
+How the new configuration is read in jicoco:
+https://github.com/jitsi/jicoco/blob/master/jicoco-config/src/main/kotlin/org/jitsi/config/JitsiConfig.kt#L83-L91
+They use this library: https://github.com/lightbend/config
+We are particularly interested by: https://github.com/lightbend/config#standard-behavior
+Using 'application.conf' with classpath does not seem to work.
+But, specifying the file path as `-Dconfig.file=/etc/jitsi/jicofo.conf` works!
+
+Some parameters are also set independently of lightbend hocon config.
+They are seen in jicofo entrypoint:
+https://github.com/jitsi/jicofo/blob/master/src/main/java/org/jitsi/jicofo/Main.java
+Many of these parameters can be in fact read from the HOCON file except one: the `--secret` parameter or the `JICOFO_SECRET` env variable.
+But we can see this is a deprecated thing, it has been already removed from master: https://github.com/jitsi/jicofo/commit/c9e5b50a8b4e77f8b8cb8831a4a044a53edfcf48
+For now (as per v5390) we will keep `JICOFO_SECRET` environment variable but will assume no other environment variable is set
+But maybe this value is deprecated: the check is still here but it is not used anymore?!
+
+## Generate certs with prosody
+```
+prosodyctl cert generate auth.jitsi
+prosodyctl cert generate jitsi
+```
+
+## An example prosody configuration file
+
+https://github.com/jitsi/jitsi-meet/blob/master/doc/example-config-files/prosody.cfg.lua.example
+
+but this one is not the one used by the [debian postinst script](https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet-prosody.postinst)
+instead, we should look at this one: https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example
+
+Jitsi can be configured to authenticated through tokens,
+the postinst file is here: https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet-tokens.postinst
+
+## Resources to understand jitsi
+
+  - [jicofo/debian/postinst](https://github.com/jitsi/jicofo/blob/master/debian/postinst)
+  - [videobridge/debian/postinst](https://github.com/jitsi/jitsi-videobridge/blob/master/debian/postinst)
diff --git a/app/jitsi/integration/docker-compose.yml b/app/jitsi/integration/docker-compose.yml
new file mode 100644
index 0000000..2f8141a
--- /dev/null
+++ b/app/jitsi/integration/docker-compose.yml
@@ -0,0 +1,37 @@
+version: '3.4'
+services:
+  jitsi-xmpp:
+    image: superboum/amd64_jitsi_xmpp:v9
+    volumes:
+      - "./prosody/prosody.cfg.lua:/etc/prosody/prosody.cfg.lua:ro"
+      - "./prosody/certs/jitsi.crt:/var/lib/prosody/jitsi.crt:ro"
+      - "./prosody/certs/jitsi.key:/var/lib/prosody/jitsi.key:ro"
+      - "./prosody/certs/auth.jitsi.crt:/var/lib/prosody/auth.jitsi.crt:ro"
+      - "./prosody/certs/auth.jitsi.key:/var/lib/prosody/auth.jitsi.key:ro"
+    environment:
+      - JICOFO_AUTH_PASSWORD=jicofopass
+      - JVB_AUTH_PASSWORD=jvbpass
+ 
+  jitsi-conference-focus:
+    image: superboum/amd64_jitsi_conference_focus:v7
+    volumes:
+      - "./prosody/certs/auth.jitsi.crt:/usr/local/share/ca-certificates/auth.jitsi.crt:ro"
+      - "./jicofo/jicofo.conf:/etc/jitsi/jicofo.conf:ro"
+    environment:
+      - JDOMAIN=jitsi
+      - JHOST=jitsi-xmpp
+      - JPORT=5347
+      - JSUBDOMAIN=focus
+      - JICOFO_SECRET=jicofosecretpass
+      - JUSERDOMAIN=auth.jitsi
+      - JUSERNAME=focus
+      - JICOFO_AUTH_PASSWORD=jicofopass
+#  jitsi-meet:
+#    image: superboum/amd64_jitsi_meet:v1
+#    ports:
+#      - "443:443"
+#  jitsi-videobridge:
+#    image: superboum/amd64_jitsi_videobridge:v14
+#    ports:
+#      - "8080:8080/tcp"
+#      - "10000:10000/udp"
diff --git a/app/jitsi/integration/jicofo/jicofo.conf b/app/jitsi/integration/jicofo/jicofo.conf
new file mode 100644
index 0000000..4ef175f
--- /dev/null
+++ b/app/jitsi/integration/jicofo/jicofo.conf
@@ -0,0 +1,273 @@
+jicofo {
+  // Authentication with external services
+  authentication {
+    enabled = false
+    // The type of authentication. Supported values are XMPP, JWT or SHIBBOLETH (default).
+    type = SHIBBOLETH
+
+    // The pattern of authentication URL. See ShibbolethAuthAuthority for more information.
+    # login-url =
+
+    # logout-url =
+
+    authentication-lifetime = 24 hours
+    enable-auto-login = true
+  }
+  // Configuration related to jitsi-videobridge
+  bridge {
+    // The maximum number of participants in a single conference to put on one bridge (use -1 for no maximum).
+    max-bridge-participants = -1
+    // The assumed maximum packet rate that a bridge can handle.
+    max-bridge-packet-rate = 50000
+    // The assumed average packet rate per participant.
+    average-participant-packet-rate-pps = 500
+    // The assumed average stress per participant.
+    average-participant-stress = 0.01
+    // The assumed time that an endpoint takes to start contributing fully to the load on a bridge. To avoid allocating
+    // a burst of endpoints to the same bridge, the bridge stress is adjusted by adding the number of new endpoints
+    // in the last [participant-rampup-time] multiplied by [average-participant-stress].
+    participant-rampup-interval = 20 seconds
+    // The stress level above which a bridge is considered overstressed.
+    stress-threshold = 0.8
+    // The amount of to wait before retrying using a failed bridge.
+    failure-reset-threshold = 1 minute
+    // The bridge selection strategy. The built-in strategies are:
+    // SingleBridgeSelectionStrategy: Use the least loaded bridge, do not split a conference between bridges (Octo).
+    // SplitBridgeSelectionStrategy: Use a separate bridge for each participant (for testing).
+    // RegionBasedBridgeSelectionStrategy: Attempt to put each participant in a bridge in their local region (i.e. use
+    //    Octo for geo-location).
+    // IntraRegionBridgeSelectionStrategy: Use additional bridges when a bridge becomes overloaded (i.e. use Octo for
+    //    load balancing).
+    //
+    // Additionally, you can use the fully qualified class name for custom BridgeSelectionStrategy implementations.
+    selection-strategy = SingleBridgeSelectionStrategy
+    health-checks {
+      // Whether jicofo should perform periodic health checks to the connected bridges.
+      enabled = true
+      // The interval at which to perform health checks.
+      interval = 10 seconds
+      // When a health checks times out, jicofo will retry and only consider it fail after the retry fails. This
+      // configures the delay between the original health check timing out and the second health check being sent.
+      // It is a duration and defaults to half the [interval].
+      # retry-delay = 5 seconds
+    }
+
+    // The JID of the MUC to be used as a brewery for bridge instances.
+    brewery-jid = "jvbbrewery@jitsi"
+  }
+  // Configure the codecs and RTP extensions to be used in the offer sent to clients.
+  codec {
+    video {
+      vp8 {
+        enabled = true
+        pt = 100
+        // Payload type for the associated RTX stream. Set to -1 to disable RTX.
+        rtx-pt = 96
+      }
+      vp9 {
+        enabled = true
+        pt = 101
+        // Payload type for the associated RTX stream. Set to -1 to disable RTX.
+        rtx-pt = 97
+      }
+      h264 {
+        enabled = true
+        pt = 107
+        // Payload type for the associated RTX stream. Set to -1 to disable RTX.
+        rtx-pt = 99
+      }
+    }
+
+    audio {
+      isac-16000 {
+        enabled = true
+        pt = 103
+      }
+      isac-32000 {
+        enabled = true
+        pt = 104
+      }
+      opus {
+        enabled = true
+        pt = 111
+        minptime = 10
+        use-inband-fec = true
+        red {
+          enabled = false
+          pt = 112
+        }
+      }
+      telephone-event {
+        enabled = true
+        pt = 126
+      }
+    }
+
+    // RTP header extensions
+    rtp-extensions {
+      audio-level {
+        enabled = true
+        id = 1
+      }
+      tof {
+        // TOF is currently disabled, because we don't support it in the bridge
+        // (and currently clients seem to not use it when abs-send-time is
+        // available).
+        enabled = false
+        id = 2
+      }
+      abs-send-time {
+        enabled = true
+        id = 3
+      }
+      rid {
+        enabled = false
+        id = 4
+      }
+      tcc {
+        enabled = true
+        id = 5
+      }
+      video-content-type {
+        enabled = false
+        id = 7
+      }
+      framemarking {
+        enabled = false
+        id = 9
+      }
+    }
+  }
+
+  conference {
+    // Whether to automatically grant the 'owner' role to the first participant in the conference (and subsequently to
+    // the next in line when the current owner leaves).
+    enable-auto-owner = true
+
+    // How long to wait for the initial participant in a conference.
+    initial-timeout = 15 seconds
+
+    // Whether jicofo should inject a random SSRC for endpoints which don't advertise any SSRCs. This is a temporary
+    // workaround for an issue with signaling endpoints for Octo.
+    inject-ssrc-for-recv-only-endpoints = false
+
+    max-ssrcs-per-user = 20
+
+    // How long a participant's media session will be kept alive once it remains the only participant in the room.
+    single-participant-timeout = 20 seconds
+
+    // The minimum number of participants required for the conference to be started.
+    min-participants = 2
+
+    // Experimental.
+    enable-lip-sync = false
+
+    shared-document {
+      // If `true` the shared document uses a random name. Otherwise, it uses the conference name.
+      use-random-name = false
+    }
+  }
+
+  // Configuration for the internal health checks performed by jicofo.
+  health {
+    // Whether to perform health checks.
+    enabled = false
+
+    // The interval between health checks. If set to 0, periodic health checks will not be performed.
+    interval = 10 seconds
+
+    # The timeout for a health check
+    timeout = 30 seconds
+
+    # If performing a health check takes longer than this, it is considered unsuccessful.
+    max-check-duration = 20 seconds
+
+    # The prefix to use when creating MUC rooms for the purpose of health checks.
+    room-name-prefix = "__jicofo-health-check"
+  }
+
+  jibri {
+    // The JID of the MUC to be used as a brewery for jibri instances for streaming.
+    # brewery-jid = "jibribrewery@example.com"
+
+    // How many times to retry a given Jibri request before giving up. Set to -1 to allow infinite retries.
+    num-retries = 5
+
+    // How long to wait for Jibri to start recording from the time it accepts a START request.
+    pending-timeout = 90 seconds
+  }
+
+  jibri-sip {
+    // The JID of the MUC to be used as a brewery for jibri instances for SIP.
+    # brewery-jid = "jibrisipbrewery@example.com"
+  }
+
+  jigasi {
+    // The JID of the MUC to be used as a brewery for jigasi instances.
+    # brewery-jid = "jigasibrewery@example.com"
+  }
+
+  // The region in which the machine is running.
+  #local-region="us-east-1"
+
+  octo {
+    // Whether or not to use Octo. Note that when enabled, its use will be determined by
+    // $jicofo.bridge.selection-strategy.
+    enabled = false
+
+    // An identifier of the Jicofo instance, used for the purpose of generating conference IDs unique across a set of
+    // Jicofo instances. Valid values are [1, 65535]. The value 0 is used when none is explicitly configured.
+    id = 1
+  }
+
+  rest {
+    port = 8888
+    tls-port = 8843
+  }
+
+  sctp {
+    // Whether to allocate SCTP channels on the bridge (only when the client advertises support, and SCTP is
+    // enabled in the per-conference configuration).
+    enabled = true
+  }
+
+  task-pools {
+    shared-pool-max-threads = 1500
+  }
+
+  xmpp {
+    // The separate XMPP connection used for communication with clients (endpoints).
+    client {
+      enabled = true
+      hostname = "jitsi-xmpp"
+      port = 5222
+      domain = "auth.jitsi"
+      username = "focus"
+      password = "jicofopass"
+
+      // How long to wait for a response to a stanza before giving up.
+      reply-timeout = 15 seconds
+
+      // The JID/domain of the MUC service used for conferencing.
+      conference-muc-jid = conference.jitsi
+
+      // A flag to suppress the TLS certificate verification.
+      disable-certificate-verification = false
+    }
+    // The separate XMPP connection used for internal services (currently only jitsi-videobridge).
+    service {
+      enabled = true
+      hostname = "jitsi-xmpp"
+      port = 5222
+      domain = "auth.jitsi"
+      username = "focus"
+      password = "jicofopass"
+
+      // How long to wait for a response to a stanza before giving up.
+      reply-timeout = 15 seconds
+
+      // A flag to suppress the TLS certificate verification.
+      disable-certificate-verification = false
+    }
+  }
+}
diff --git a/app/jitsi/integration/jvb/videobridge.conf b/app/jitsi/integration/jvb/videobridge.conf
new file mode 100644
index 0000000..e9bded0
--- /dev/null
+++ b/app/jitsi/integration/jvb/videobridge.conf
@@ -0,0 +1,279 @@
+videobridge {
+  entity-expiration {
+    # If an entity has no activity after this timeout, it is expired
+    timeout=1 minute
+
+    # The interval at which the videobridge will check for expired entities
+    check-interval=${videobridge.entity-expiration.timeout}
+  }
+  health {
+    # The interval between health checks
+    interval=10 seconds
+
+    # The timeout for a health check
+    timeout=30 seconds
+
+    # If performing a health check takes longer than this, it is considered unsuccessful.
+    max-check-duration=3 seconds
+
+    # Whether or not health check failures should be 'sticky'
+    # (i.e. once the bridge becomes unhealthy, it will never
+    # go back to a healthy state)
+    sticky-failures=false
+  }
+  ep-connection-status {
+    # How long we'll wait for an endpoint to *start* sending
+    # data before we consider it 'inactive'
+    first-transfer-timeout=15 seconds
+
+    # How long an endpoint can be 'inactive' before it will
+    # be considered disconnected
+    max-inactivity-limit=3 seconds
+
+    # How often we check endpoint's connectivity status
+    check-interval=500 milliseconds
+  }
+  cc {
+    bwe-change-threshold=0.15
+    thumbnail-max-height-px=180
+    onstage-ideal-height-px=1080
+    onstage-preferred-height-px=360
+    onstage-preferred-framerate=30
+    enable-onstage-video-suspend=false
+    trust-bwe=true
+
+    # How often we check to send probing data
+    padding-period=15ms
+
+    # How often we'll force recalculations of forwarded
+    # streams
+    max-time-between-calculations = 15 seconds
+
+    # A JVB-wide last-n value, observed by all endpoints.  Endpoints
+    # will take the minimum of their setting and this one (-1 implies
+    # no last-n limit)
+    jvb-last-n = -1
+  }
+  # The APIs by which the JVB can be controlled
+  apis {
+    xmpp-client {
+      # The interval at which presence is published in the configured MUCs.
+      presence-interval = ${videobridge.stats.interval}
+
+      configs {
+        # example-connection-id {
+        #   For the properties which should be
+        #   filled out here, see MucClientConfiguration
+        # }
+      }
+    }
+    # The COLIBRI REST API
+    rest {
+      enabled = false
+    }
+    jvb-api {
+      enabled = false
+    }
+  }
+  # Configuration of the different REST APIs.
+  # Note that the COLIBRI REST API is configured under videobridge.apis.rest instead.
+  rest {
+    debug {
+      enabled = true
+    }
+    health {
+      enabled = true
+    }
+    shutdown {
+      # Note that the shutdown API requires the COLIBRI API to also be enabled.
+      enabled = false
+    }
+    version {
+      enabled = true
+    }
+  }
+  http-servers {
+    # The HTTP server which hosts services intended for 'public' use
+    # (e.g. websockets for the bridge channel connection)
+    public {
+      # See JettyBundleActivatorConfig in Jicoco for values
+      port = -1
+      tls-port = -1
+    }
+    # The HTTP server which hosts services intended for 'private' use
+    # (e.g. health or debug stats)
+    private {
+      # See JettyBundleActivatorConfig in Jicoco for values
+      host = 127.0.0.1
+    }
+  }
+  octo {
+    # Whether or not Octo is enabled
+    enabled=false
+
+    # A string denoting the 'region' of this JVB.  This region
+    # will be used by Jicofo in the selection of a bridge for
+    # a client by comparing it to the client's region.
+    # Must be set when 'enabled' is true
+    #region="us-west-1"
+
+    # The address on which the Octo relay should bind
+    # Must be set when 'enabled' is true
+    #bind-address=198.51.100.1
+
+    # The port to which the Octo relay should bind
+    bind-port=4096
+
+    # The address which controls the public address which
+    # will be part of the Octo relayId
+    #public-address=198.51.100.1
+
+    # The size of the incoming octo queue. This queue is per-remote-endpoint,
+    # so it matches what we use for local endpoints
+    recv-queue-size=1024
+
+    # The size of the outgoing octo queue.  This is a per-originating-endpoint
+    # queue, so assuming all packets are routed (as they currently are for Octo)
+    # it should be the same size as the transceiver recv queue in
+    # jitsi-media-transform.  Repeating the description from there:
+    #   Assuming 300pps for high-definition, 200pps for standard-definition,
+    #   100pps for low-definition and 50pps for audio, this queue is fed
+    #   650pps, so its size in terms of millis is 1024/650*1000 ~= 1575ms.
+    send-queue-size=1024
+  }
+  load-management {
+    # Whether or not the reducer will be enabled to take actions to mitigate load
+    reducer-enabled = false
+    load-measurements {
+      packet-rate {
+        # The packet rate at which we'll consider the bridge overloaded
+        load-threshold = 50000
+        # The packet rate at which we'll consider the bridge 'underloaded' enough
+        # to start recovery
+        recovery-threshold = 40000
+      }
+    }
+    load-reducers {
+      last-n {
+        # The factor by which we'll reduce the current last-n when trying to reduce load
+        reduction-scale = .75
+        # The factor by which we'll increase the current last-n when trying to recover
+        recover-scale = 1.25
+        # The minimum time in between runs of the last-n reducer to reduce or recover from
+        # load
+        impact-time = 1 minute
+        # The lowest value we'll set for last-n
+        minimum-last-n-value = 0
+        # The highest last-n value we'll enforce.  Once the enforced last-n exceeds this value
+        # we'll remove the limit entirely
+        maximum-enforced-last-n-value = 40
+      }
+    }
+  }
+  sctp {
+    # Whether SCTP data channels are enabled.
+    enabled=true
+  }
+  stats {
+    # Whether periodic collection of statistics is enabled or not. When enabled they are accessible through the REST
+    # API (at `/colibri/stats`), and are available to other modules (e.g. to be pushed to callstats or in a MUC).
+    enabled = false
+
+    # The interval at which stats are gathered.
+    interval = 5 seconds
+
+    # Configuration related to pushing statistics to callstats.io.
+    callstats {
+      # An integer application ID (use 0 to disable pushing stats to callstats).
+      app-id = 0
+
+      # The shared secred to authentication with callstats.io.
+      //app-secret = "s3cret"
+
+      # ID of the key that was used to generate token.
+      //key-id = "abcd"
+
+      # The path to private key file.
+      //key-path = "/etc/jitsi/videobridge/ecpriv.jwk"
+
+      # The ID of the server instance to be used when reporting to callstats.
+      bridge-id = "jitsi"
+
+      # TODO: document
+      //conference-id-prefix = "abcd"
+
+      # The interval at which statististics will be published to callstats. This affects both per-conference and global
+      # statistics.
+      # Note that this value will be overriden if a "callstatsio" transport is defined in the parent "stats" section.
+      interval = ${videobridge.stats.interval}
+    }
+  }
+  websockets {
+    enabled=false
+    server-id="default-id"
+
+    # Optional, even when 'enabled' is set to true
+    # tls=true
+    # Must be set when enabled = true
+    #domain="some-domain"
+  }
+  ice {
+    tcp {
+      # Whether ICE/TCP is enabled.
+      enabled = true
+
+      # The port to bind to for ICE/TCP.
+      port = 8080
+
+      # An optional additional port to advertise.
+      # mapped-port = 8443
+      # Whether to use "ssltcp" or plain "tcp".
+      ssltcp = true
+    }
+
+    udp {
+        # The port for ICE/UDP.
+        port = 10000
+    }
+
+    # An optional prefix to include in STUN username fragments generated by the bridge.
+    #ufrag-prefix = "jvb-123:"
+
+    # Which candidate pairs to keep alive. The accepted values are defined in ice4j's KeepAliveStrategy:
+    # "selected_and_tcp", "selected_only", or "all_succeeded".
+    keep-alive-strategy = "selected_and_tcp"
+
+    # Whether to use the "component socket" feature of ice4j.
+    use-component-socket = true
+
+    # Whether to attempt DNS resolution for remote candidates that contain a non-literal address. When set to 'false'
+    # such candidates will be ignored.
+    resolve-remote-candidates = false
+
+    # The nomination strategy to use for ICE.  THe accepted values are defined in ice4j's NominationStrategy:
+    # "NominateFirstValid", "NominateHighestPriority", "NominateFirstHostOrReflexiveValid", or "NominateBestRTT".
+    nomination-strategy = "NominateFirstValid"
+  }
+
+  transport {
+    send {
+      # The size of the dtls-transport outgoing queue. This is a per-participant
+      # queue. Packets from the egress end-up in this queue right before
+      # transmission by the outgoing srtp pipeline (which mainly consists of the
+      # packet sender).
+      #
+      # Its size needs to be of the same order of magnitude as the rtp sender
+      # queue. In a 100 participant call, assuming 300pps for the on-stage and
+      # 100pps for low-definition, last-n 20 and 2 participants talking, so
+      # 2*50pps for audio, this queue is fed 300+19*100+2*50 = 2300pps, so its
+      # size in terms of millis is 1024/2300*1000 ~= 445ms.
+      queue-size=1024
+    }
+  }
+
+  version {
+    // Wheather to announe the jitsi-videobridge version to clients in the ServerHello message.
+    announce = false
+  }
+}
+
diff --git a/app/jitsi/integration/prosody/prosody.cfg.lua b/app/jitsi/integration/prosody/prosody.cfg.lua
new file mode 100644
index 0000000..215bb5b
--- /dev/null
+++ b/app/jitsi/integration/prosody/prosody.cfg.lua
@@ -0,0 +1,106 @@
+plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
+
+log = {
+  --log less on console with warn="*console"; or err="*console" or more with debug="*console"
+  debug="*console";
+}
+daemonize = false
+use_libevent = true
+
+-- domain mapper options, must at least have domain base set to use the mapper
+muc_mapper_domain_base = "jitsi.deuxfleurs.fr";
+
+--@FIXME would be great to configure it
+--turncredentials_secret = "__turnSecret__";
+
+--turncredentials = {
+--    { type = "stun", host = "jitmeet.example.com", port = "3478" },
+--    { type = "turn", host = "jitmeet.example.com", port = "3478", transport = "udp" },
+--    { type = "turns", host = "jitmeet.example.com", port = "5349", transport = "tcp" }
+--};
+
+cross_domain_bosh = false;
+consider_bosh_secure = true;
+https_ports = { }; -- Remove this line to prevent listening on port 5284
+component_interface = "0.0.0.0"
+component_ports = { 5347 }
+http_ports = { 5280 }
+
+
+-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
+ssl = {
+    protocol = "tlsv1_2+";
+    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
+}
+
+VirtualHost "jitsi"
+    enabled = true -- Remove this line to enable this host
+    authentication = "anonymous"
+    -- Properties below are modified by jitsi-meet-tokens package config
+    -- and authentication above is switched to "token"
+    --app_id="example_app_id"
+    --app_secret="example_app_secret"
+    -- Assign this host a certificate for TLS, otherwise it would use the one
+    -- set in the global section (if any).
+    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
+    -- use the global one.
+    ssl = {
+        key = "/var/lib/prosody/jitsi.key";
+        certificate = "/var/lib/prosody/jitsi.crt";
+    }
+    speakerstats_component = "speakerstats.jitsi"
+    conference_duration_component = "conferenceduration.jitsi"
+    -- we need bosh
+    modules_enabled = {
+        "bosh";
+        "pubsub";
+        "ping"; -- Enable mod_ping
+        "speakerstats";
+        --"turncredentials"; not supported yet
+        "conference_duration";
+        "muc_lobby_rooms";
+    }
+    c2s_require_encryption = false
+    lobby_muc = "lobby.jitsi"
+    main_muc = "conference.jitsi"
+    -- muc_lobby_whitelist = { "recorder.jitmeet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
+
+Component "conference.jitsi" "muc"
+    storage = "memory"
+    modules_enabled = {
+        "muc_meeting_id";
+        "muc_domain_mapper";
+        --"token_verification";
+    }
+    admins = { "focus@auth.jitsi" }
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+
+-- internal muc component
+Component "internal.auth.jitsi" "muc"
+    storage = "memory"
+    modules_enabled = {
+        "ping";
+    }
+    admins = { "focus@auth.jitsi", "jvb@auth.jitsi" }
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+
+VirtualHost "auth.jitsi"
+    authentication = "internal_plain"
+
+Component "focus.jitsi"
+    component_secret = "jicofosecretpass"
+
+Component "speakerstats.jitsi" "speakerstats_component"
+    muc_component = "conference.jitsi"
+
+Component "conferenceduration.jitsi" "conference_duration_component"
+    muc_component = "conference.jitsi"
+
+Component "lobby.jitsi" "muc"
+    storage = "memory"
+    restrict_room_creation = true
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+
diff --git a/app/jitsi/integration/prosody/prosody.cfg.lua.back b/app/jitsi/integration/prosody/prosody.cfg.lua.back
new file mode 100644
index 0000000..d03d7c9
--- /dev/null
+++ b/app/jitsi/integration/prosody/prosody.cfg.lua.back
@@ -0,0 +1,64 @@
+daemonize = false
+allow_registration = false
+use_libevent = true
+component_interface = "0.0.0.0"
+component_ports = { 5347 }
+http_ports = { 5280 }
+https_ports = {}
+
+-- Not sure all modules are required
+modules_enabled = {
+  "roster"; -- Allow users to have a roster. Recommended ;)
+  "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+  "tls"; -- Add support for secure TLS on c2s/s2s connections
+  "dialback"; -- s2s dialback support
+  "disco"; -- Service discovery
+  "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+  "version"; -- Replies to server version requests
+  "uptime"; -- Report how long server has been running
+  "time"; -- Let others know the time here on this server
+  "ping"; -- Replies to XMPP pings with pongs
+  "pep"; -- Enables users to publish their mood, activity, playing music and more
+  -- jitsi
+  --"smacks"; -- not shipped with prosody
+  "carbons";
+  "mam";
+  "lastactivity";
+  "offline";
+  "pubsub";
+  "adhoc";
+  "websocket";
+  --"http_altconnect"; -- not shipped with prosody
+}
+
+log = {
+  --log less on console with warn="*console"; or err="*console" or more with debug="*console"
+  debug="*console";
+}
+
+VirtualHost "jitsi"
+  authentication = "anonymous"
+  ssl = {
+    key = "/var/lib/prosody/jitsi.key";
+    certificate = "/var/lib/prosody/jitsi.crt";
+  }
+  modules_enabled = {
+    "bosh";
+    "pubsub";
+  }
+  c2s_require_encryption = false
+
+VirtualHost "auth.jitsi"
+  ssl = {
+    key = "/var/lib/prosody/auth.jitsi.key";
+    certificate = "/var/lib/prosody/auth.jitsi.crt";
+  }
+  authentication = "internal_plain"
+  admins = { "focus@auth.jitsi"}
+
+Component "conference.jitsi" "muc"
+Component "internal.auth.jitsi" "muc"
+  storage = "memory"
+  modules_enabled = { "ping"; }
+  admins = { "focus@auth.jitsi", "jvb@auth.jitsi" }
+
diff --git a/app/plume/secrets/plume/pgsql_pw b/app/plume/secrets/plume/pgsql_pw
index 978be54..0f831bb 100644
--- a/app/plume/secrets/plume/pgsql_pw
+++ b/app/plume/secrets/plume/pgsql_pw
@@ -1 +1 @@
-CMD openssl rand -base64 32
+SERVICE_PASSWORD plume
diff --git a/app/secretmgr.py b/app/secretmgr.py
index 950e5c0..62eb93a 100755
--- a/app/secretmgr.py
+++ b/app/secretmgr.py
@@ -43,6 +43,9 @@ USER_LONG <description>
 CMD <command>
 (a secret that is generated by running this command)
 
+CMD_ONCE <command>
+(same, but value is not changed when doing a regen)
+
 CONST <constant value>
 (the secret has a constant value set here)
 
@@ -81,6 +84,7 @@ consul_server = consul.Consul()
 USER             = "USER"
 USER_LONG        = "USER_LONG"
 CMD              = "CMD"
+CMD_ONCE         = "CMD_ONCE"
 CONST            = "CONST"
 CONST_LONG       = "CONST_LONG"
 SERVICE_DN       = "SERVICE_DN"
@@ -111,7 +115,7 @@ def read_secret(key, file_path):
     secret = {"type": stype, "key": key}
     if stype in [USER, USER_LONG]:
         secret["desc"] = " ".join(l0[1:])
-    elif stype == CMD:
+    elif stype in [CMD, CMD_ONCE]:
         secret["cmd"] = " ".join(l0[1:])
     elif stype == CONST:
         secret["value"] = " ".join(l0[1:])
@@ -154,6 +158,7 @@ def get_secrets_services(secrets):
         if svc not in services:
             services[svc] = {
                 "dn": "cn=%s,%s"%(svc, SERVICE_DN_SUFFIX),
+                "desc": "(not provided)",
                 "pass": None,
                 "dn_at": [],
                 "pass_at": [],
@@ -292,7 +297,7 @@ def gen_secrets_base(secrets, regen):
             consul_server.kv.put(key, secret["value"])
             print(bcolors.OKCYAN, "Value set.", bcolors.ENDC)
 
-        if secret["type"] == CMD:
+        if secret["type"] == CMD or (secret["type"] == CMD_ONCE and data is None):
             print("----")
             print(key)
             print("Executing command:", secret["cmd"])