aboutsummaryrefslogtreecommitdiff
path: root/app
diff options
context:
space:
mode:
Diffstat (limited to 'app')
-rw-r--r--app/jitsi/config/config.js773
-rw-r--r--app/jitsi/config/global_env.tpl10
-rw-r--r--app/jitsi/config/jicofo.conf273
-rw-r--r--app/jitsi/config/nginx.conf42
-rw-r--r--app/jitsi/config/prosody.cfg.lua135
-rw-r--r--app/jitsi/config/videobridge.conf290
-rw-r--r--app/jitsi/deploy/jitsi.hcl155
-rw-r--r--app/jitsi/integration/jvb/videobridge.conf1
-rw-r--r--app/jitsi/secrets/jitsi/auth.jitsi.crt1
-rw-r--r--app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt1
-rw-r--r--app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key1
-rw-r--r--app/jitsi/secrets/jitsi/auth.jitsi.key1
-rw-r--r--app/jitsi/secrets/jitsi/jicofo_pass1
-rw-r--r--app/jitsi/secrets/jitsi/jitsi.crt1
-rw-r--r--app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt1
-rw-r--r--app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key1
-rw-r--r--app/jitsi/secrets/jitsi/jitsi.key1
-rw-r--r--app/jitsi/secrets/jitsi/jvb_pass1
18 files changed, 1611 insertions, 78 deletions
diff --git a/app/jitsi/config/config.js b/app/jitsi/config/config.js
new file mode 100644
index 0000000..9464f37
--- /dev/null
+++ b/app/jitsi/config/config.js
@@ -0,0 +1,773 @@
+/* eslint-disable no-unused-vars, no-var */
+
+var config = {
+ // Connection
+ //
+
+ hosts: {
+ // XMPP domain.
+ domain: 'jitsi',
+
+ // When using authentication, domain for guest users.
+ // anonymousdomain: 'guest.example.com',
+
+ // Domain for authenticated users. Defaults to <domain>.
+ // authdomain: 'jitsi-meet.example.com',
+
+ // Focus component domain. Defaults to focus.<domain>.
+ // focus: 'focus.jitsi-meet.example.com',
+
+ // XMPP MUC domain. FIXME: use XEP-0030 to discover it.
+ muc: 'conference.jitsi'
+ },
+
+ // BOSH URL. FIXME: use XEP-0156 to discover it.
+ bosh: '//jitsi.deuxfleurs.fr/http-bind',
+
+ // Websocket URL
+ // websocket: 'wss://jitsi-meet.example.com/xmpp-websocket',
+
+ // The name of client node advertised in XEP-0115 'c' stanza
+ clientNode: 'http://jitsi.org/jitsimeet',
+
+ // The real JID of focus participant - can be overridden here
+ // Do not change username - FIXME: Make focus username configurable
+ // https://github.com/jitsi/jitsi-meet/issues/7376
+ // focusUserJid: 'focus@auth.jitsi-meet.example.com',
+
+
+ // Testing / experimental features.
+ //
+
+ testing: {
+ // Disables the End to End Encryption feature. Useful for debugging
+ // issues related to insertable streams.
+ // disableE2EE: false,
+
+ // P2P test mode disables automatic switching to P2P when there are 2
+ // participants in the conference.
+ p2pTestMode: false
+
+ // Enables the test specific features consumed by jitsi-meet-torture
+ // testMode: false
+
+ // Disables the auto-play behavior of *all* newly created video element.
+ // This is useful when the client runs on a host with limited resources.
+ // noAutoPlayVideo: false
+
+ // Enable / disable 500 Kbps bitrate cap on desktop tracks. When enabled,
+ // simulcast is turned off for the desktop share. If presenter is turned
+ // on while screensharing is in progress, the max bitrate is automatically
+ // adjusted to 2.5 Mbps. This takes a value between 0 and 1 which determines
+ // the probability for this to be enabled.
+ // capScreenshareBitrate: 1 // 0 to disable
+
+ // Enable callstats only for a percentage of users.
+ // This takes a value between 0 and 100 which determines the probability for
+ // the callstats to be enabled.
+ // callStatsThreshold: 5 // enable callstats for 5% of the users.
+ },
+
+ // Disables ICE/UDP by filtering out local and remote UDP candidates in
+ // signalling.
+ // webrtcIceUdpDisable: false,
+
+ // Disables ICE/TCP by filtering out local and remote TCP candidates in
+ // signalling.
+ // webrtcIceTcpDisable: false,
+
+
+ // Media
+ //
+
+ // Audio
+
+ // Disable measuring of audio levels.
+ // disableAudioLevels: false,
+ // audioLevelsInterval: 200,
+
+ // Enabling this will run the lib-jitsi-meet no audio detection module which
+ // will notify the user if the current selected microphone has no audio
+ // input and will suggest another valid device if one is present.
+ enableNoAudioDetection: true,
+
+ // Enabling this will show a "Save Logs" link in the GSM popover that can be
+ // used to collect debug information (XMPP IQs, SDP offer/answer cycles)
+ // about the call.
+ // enableSaveLogs: false,
+
+ // Enabling this will run the lib-jitsi-meet noise detection module which will
+ // notify the user if there is noise, other than voice, coming from the current
+ // selected microphone. The purpose it to let the user know that the input could
+ // be potentially unpleasant for other meeting participants.
+ enableNoisyMicDetection: false,
+
+ // Start the conference in audio only mode (no video is being received nor
+ // sent).
+ startAudioOnly: false,
+
+ // Every participant after the Nth will start audio muted.
+ startAudioMuted: 5,
+
+ // Start calls with audio muted. Unlike the option above, this one is only
+ // applied locally. FIXME: having these 2 options is confusing.
+ // startWithAudioMuted: false,
+
+ // Enabling it (with #params) will disable local audio output of remote
+ // participants and to enable it back a reload is needed.
+ // startSilent: false
+
+ // Sets the preferred target bitrate for the Opus audio codec by setting its
+ // 'maxaveragebitrate' parameter. Currently not available in p2p mode.
+ // Valid values are in the range 6000 to 510000
+ // opusMaxAverageBitrate: 20000,
+
+ // Enables support for opus-red (redundancy for Opus).
+ // enableOpusRed: false
+
+ // Video
+
+ // Sets the preferred resolution (height) for local video. Defaults to 720.
+ // resolution: 720,
+
+ // How many participants while in the tile view mode, before the receiving video quality is reduced from HD to SD.
+ // Use -1 to disable.
+ // maxFullResolutionParticipants: 2,
+
+ // w3c spec-compliant video constraints to use for video capture. Currently
+ // used by browsers that return true from lib-jitsi-meet's
+ // util#browser#usesNewGumFlow. The constraints are independent from
+ // this config's resolution value. Defaults to requesting an ideal
+ // resolution of 720p.
+ // constraints: {
+ // video: {
+ // height: {
+ // ideal: 720,
+ // max: 720,
+ // min: 240
+ // }
+ // }
+ // },
+
+ // Enable / disable simulcast support.
+ // disableSimulcast: false,
+
+ // Enable / disable layer suspension. If enabled, endpoints whose HD
+ // layers are not in use will be suspended (no longer sent) until they
+ // are requested again.
+ // enableLayerSuspension: false,
+
+ // Every participant after the Nth will start video muted.
+ startVideoMuted: 5,
+
+ // Start calls with video muted. Unlike the option above, this one is only
+ // applied locally. FIXME: having these 2 options is confusing.
+ // startWithVideoMuted: false,
+
+ // If set to true, prefer to use the H.264 video codec (if supported).
+ // Note that it's not recommended to do this because simulcast is not
+ // supported when using H.264. For 1-to-1 calls this setting is enabled by
+ // default and can be toggled in the p2p section.
+ // This option has been deprecated, use preferredCodec under videoQuality section instead.
+ // preferH264: true,
+
+ // If set to true, disable H.264 video codec by stripping it out of the
+ // SDP.
+ // disableH264: false,
+
+ // Desktop sharing
+
+ // Optional desktop sharing frame rate options. Default value: min:5, max:5.
+ // desktopSharingFrameRate: {
+ // min: 5,
+ // max: 5
+ // },
+
+ // Try to start calls with screen-sharing instead of camera video.
+ // startScreenSharing: false,
+
+ // Recording
+
+ // Whether to enable file recording or not.
+ // fileRecordingsEnabled: false,
+ // Enable the dropbox integration.
+ // dropbox: {
+ // appKey: '<APP_KEY>' // Specify your app key here.
+ // // A URL to redirect the user to, after authenticating
+ // // by default uses:
+ // // 'https://jitsi-meet.example.com/static/oauth.html'
+ // redirectURI:
+ // 'https://jitsi-meet.example.com/subfolder/static/oauth.html'
+ // },
+ // When integrations like dropbox are enabled only that will be shown,
+ // by enabling fileRecordingsServiceEnabled, we show both the integrations
+ // and the generic recording service (its configuration and storage type
+ // depends on jibri configuration)
+ // fileRecordingsServiceEnabled: false,
+ // Whether to show the possibility to share file recording with other people
+ // (e.g. meeting participants), based on the actual implementation
+ // on the backend.
+ // fileRecordingsServiceSharingEnabled: false,
+
+ // Whether to enable live streaming or not.
+ // liveStreamingEnabled: false,
+
+ // Transcription (in interface_config,
+ // subtitles and buttons can be configured)
+ // transcribingEnabled: false,
+
+ // Enables automatic turning on captions when recording is started
+ // autoCaptionOnRecord: false,
+
+ // Misc
+
+ // Default value for the channel "last N" attribute. -1 for unlimited.
+ channelLastN: -1,
+
+ // Provides a way to use different "last N" values based on the number of participants in the conference.
+ // The keys in an Object represent number of participants and the values are "last N" to be used when number of
+ // participants gets to or above the number.
+ //
+ // For the given example mapping, "last N" will be set to 20 as long as there are at least 5, but less than
+ // 29 participants in the call and it will be lowered to 15 when the 30th participant joins. The 'channelLastN'
+ // will be used as default until the first threshold is reached.
+ //
+ // lastNLimits: {
+ // 5: 20,
+ // 30: 15,
+ // 50: 10,
+ // 70: 5,
+ // 90: 2
+ // },
+
+ // Specify the settings for video quality optimizations on the client.
+ // videoQuality: {
+ // // Provides a way to prevent a video codec from being negotiated on the JVB connection. The codec specified
+ // // here will be removed from the list of codecs present in the SDP answer generated by the client. If the
+ // // same codec is specified for both the disabled and preferred option, the disable settings will prevail.
+ // // Note that 'VP8' cannot be disabled since it's a mandatory codec, the setting will be ignored in this case.
+ // disabledCodec: 'H264',
+ //
+ // // Provides a way to set a preferred video codec for the JVB connection. If 'H264' is specified here,
+ // // simulcast will be automatically disabled since JVB doesn't support H264 simulcast yet. This will only
+ // // rearrange the the preference order of the codecs in the SDP answer generated by the browser only if the
+ // // preferred codec specified here is present. Please ensure that the JVB offers the specified codec for this
+ // // to take effect.
+ // preferredCodec: 'VP8',
+ //
+ // // Provides a way to configure the maximum bitrates that will be enforced on the simulcast streams for
+ // // video tracks. The keys in the object represent the type of the stream (LD, SD or HD) and the values
+ // // are the max.bitrates to be set on that particular type of stream. The actual send may vary based on
+ // // the available bandwidth calculated by the browser, but it will be capped by the values specified here.
+ // // This is currently not implemented on app based clients on mobile.
+ // maxBitratesVideo: {
+ // low: 200000,
+ // standard: 500000,
+ // high: 1500000
+ // },
+ //
+ // // The options can be used to override default thresholds of video thumbnail heights corresponding to
+ // // the video quality levels used in the application. At the time of this writing the allowed levels are:
+ // // 'low' - for the low quality level (180p at the time of this writing)
+ // // 'standard' - for the medium quality level (360p)
+ // // 'high' - for the high quality level (720p)
+ // // The keys should be positive numbers which represent the minimal thumbnail height for the quality level.
+ // //
+ // // With the default config value below the application will use 'low' quality until the thumbnails are
+ // // at least 360 pixels tall. If the thumbnail height reaches 720 pixels then the application will switch to
+ // // the high quality.
+ // minHeightForQualityLvl: {
+ // 360: 'standard',
+ // 720: 'high'
+ // },
+ //
+ // // Provides a way to resize the desktop track to 720p (if it is greater than 720p) before creating a canvas
+ // // for the presenter mode (camera picture-in-picture mode with screenshare).
+ // resizeDesktopForPresenter: false
+ // },
+
+ // // Options for the recording limit notification.
+ // recordingLimit: {
+ //
+ // // The recording limit in minutes. Note: This number appears in the notification text
+ // // but doesn't enforce the actual recording time limit. This should be configured in
+ // // jibri!
+ // limit: 60,
+ //
+ // // The name of the app with unlimited recordings.
+ // appName: 'Unlimited recordings APP',
+ //
+ // // The URL of the app with unlimited recordings.
+ // appURL: 'https://unlimited.recordings.app.com/'
+ // },
+
+ // Disables or enables RTX (RFC 4588) (defaults to false).
+ // disableRtx: false,
+
+ // Disables or enables TCC support in this client (default: enabled).
+ // enableTcc: true,
+
+ // Disables or enables REMB support in this client (default: enabled).
+ // enableRemb: true,
+
+ // Enables ICE restart logic in LJM and displays the page reload overlay on
+ // ICE failure. Current disabled by default because it's causing issues with
+ // signaling when Octo is enabled. Also when we do an "ICE restart"(which is
+ // not a real ICE restart), the client maintains the TCC sequence number
+ // counter, but the bridge resets it. The bridge sends media packets with
+ // TCC sequence numbers starting from 0.
+ // enableIceRestart: false,
+
+ // Use TURN/UDP servers for the jitsi-videobridge connection (by default
+ // we filter out TURN/UDP because it is usually not needed since the
+ // bridge itself is reachable via UDP)
+ // useTurnUdp: false
+
+ // UI
+ //
+
+ // Disables responsive tiles.
+ // disableResponsiveTiles: false,
+
+ // Hides lobby button
+ // hideLobbyButton: false,
+
+ // Require users to always specify a display name.
+ // requireDisplayName: true,
+
+ // Whether to use a welcome page or not. In case it's false a random room
+ // will be joined when no room is specified.
+ enableWelcomePage: true,
+
+ // Disable app shortcuts that are registered upon joining a conference
+ // disableShortcuts: false,
+
+ // Disable initial browser getUserMedia requests.
+ // This is useful for scenarios where users might want to start a conference for screensharing only
+ // disableInitialGUM: false,
+
+ // Enabling the close page will ignore the welcome page redirection when
+ // a call is hangup.
+ // enableClosePage: false,
+
+ // Disable hiding of remote thumbnails when in a 1-on-1 conference call.
+ // disable1On1Mode: false,
+
+ // Default language for the user interface.
+ defaultLanguage: 'fr',
+
+ // Disables profile and the edit of all fields from the profile settings (display name and email)
+ // disableProfile: false,
+
+ // Whether or not some features are checked based on token.
+ // enableFeaturesBasedOnToken: false,
+
+ // When enabled the password used for locking a room is restricted to up to the number of digits specified
+ // roomPasswordNumberOfDigits: 10,
+ // default: roomPasswordNumberOfDigits: false,
+
+ // Message to show the users. Example: 'The service will be down for
+ // maintenance at 01:00 AM GMT,
+ // noticeMessage: '',
+
+ // Enables calendar integration, depends on googleApiApplicationClientID
+ // and microsoftApiApplicationClientID
+ // enableCalendarIntegration: false,
+
+ // When 'true', it shows an intermediate page before joining, where the user can configure their devices.
+ prejoinPageEnabled: true,
+
+ // If etherpad integration is enabled, setting this to true will
+ // automatically open the etherpad when a participant joins. This
+ // does not affect the mobile app since opening an etherpad
+ // obscures the conference controls -- it's better to let users
+ // choose to open the pad on their own in that case.
+ // openSharedDocumentOnJoin: false,
+
+ // If true, shows the unsafe room name warning label when a room name is
+ // deemed unsafe (due to the simplicity in the name) and a password is not
+ // set or the lobby is not enabled.
+ // enableInsecureRoomNameWarning: false,
+
+ // Whether to automatically copy invitation URL after creating a room.
+ // Document should be focused for this option to work
+ // enableAutomaticUrlCopy: false,
+
+ // Base URL for a Gravatar-compatible service. Defaults to libravatar.
+ // gravatarBaseURL: 'https://seccdn.libravatar.org/avatar/';
+
+ // Stats
+ //
+
+ // Whether to enable stats collection or not in the TraceablePeerConnection.
+ // This can be useful for debugging purposes (post-processing/analysis of
+ // the webrtc stats) as it is done in the jitsi-meet-torture bandwidth
+ // estimation tests.
+ // gatherStats: false,
+
+ // The interval at which PeerConnection.getStats() is called. Defaults to 10000
+ // pcStatsInterval: 10000,
+
+ // To enable sending statistics to callstats.io you must provide the
+ // Application ID and Secret.
+ // callStatsID: '',
+ // callStatsSecret: '',
+
+ // Enables sending participants' display names to callstats
+ // enableDisplayNameInStats: false,
+
+ // Enables sending participants' emails (if available) to callstats and other analytics
+ // enableEmailInStats: false,
+
+ // Privacy
+ //
+
+ // If third party requests are disabled, no other server will be contacted.
+ // This means avatars will be locally generated and callstats integration
+ // will not function.
+ // disableThirdPartyRequests: false,
+
+
+ // Peer-To-Peer mode: used (if enabled) when there are just 2 participants.
+ //
+
+ p2p: {
+ // Enables peer to peer mode. When enabled the system will try to
+ // establish a direct connection when there are exactly 2 participants
+ // in the room. If that succeeds the conference will stop sending data
+ // through the JVB and use the peer to peer connection instead. When a
+ // 3rd participant joins the conference will be moved back to the JVB
+ // connection.
+ enabled: true,
+
+ // The STUN servers that will be used in the peer to peer connections
+ stunServers: [
+
+ // { urls: 'stun:jitsi-meet.example.com:3478' },
+ { urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' }
+ ]
+
+ // Sets the ICE transport policy for the p2p connection. At the time
+ // of this writing the list of possible values are 'all' and 'relay',
+ // but that is subject to change in the future. The enum is defined in
+ // the WebRTC standard:
+ // https://www.w3.org/TR/webrtc/#rtcicetransportpolicy-enum.
+ // If not set, the effective value is 'all'.
+ // iceTransportPolicy: 'all',
+
+ // If set to true, it will prefer to use H.264 for P2P calls (if H.264
+ // is supported). This setting is deprecated, use preferredCodec instead.
+ // preferH264: true
+
+ // Provides a way to set the video codec preference on the p2p connection. Acceptable
+ // codec values are 'VP8', 'VP9' and 'H264'.
+ // preferredCodec: 'H264',
+
+ // If set to true, disable H.264 video codec by stripping it out of the
+ // SDP. This setting is deprecated, use disabledCodec instead.
+ // disableH264: false,
+
+ // Provides a way to prevent a video codec from being negotiated on the p2p connection.
+ // disabledCodec: '',
+
+ // How long we're going to wait, before going back to P2P after the 3rd
+ // participant has left the conference (to filter out page reload).
+ // backToP2PDelay: 5
+ },
+
+ analytics: {
+ // The Google Analytics Tracking ID:
+ // googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1'
+
+ // Matomo configuration:
+ // matomoEndpoint: 'https://your-matomo-endpoint/',
+ // matomoSiteID: '42',
+
+ // The Amplitude APP Key:
+ // amplitudeAPPKey: '<APP_KEY>'
+
+ // Configuration for the rtcstats server:
+ // By enabling rtcstats server every time a conference is joined the rtcstats
+ // module connects to the provided rtcstatsEndpoint and sends statistics regarding
+ // PeerConnection states along with getStats metrics polled at the specified
+ // interval.
+ // rtcstatsEnabled: true,
+
+ // In order to enable rtcstats one needs to provide a endpoint url.
+ // rtcstatsEndpoint: wss://rtcstats-server-pilot.jitsi.net/,
+
+ // The interval at which rtcstats will poll getStats, defaults to 1000ms.
+ // If the value is set to 0 getStats won't be polled and the rtcstats client
+ // will only send data related to RTCPeerConnection events.
+ // rtcstatsPolIInterval: 1000
+
+ // Array of script URLs to load as lib-jitsi-meet "analytics handlers".
+ // scriptURLs: [
+ // "libs/analytics-ga.min.js", // google-analytics
+ // "https://example.com/my-custom-analytics.js"
+ // ],
+ },
+
+ // Logs that should go be passed through the 'log' event if a handler is defined for it
+ // apiLogLevels: ['warn', 'log', 'error', 'info', 'debug'],
+
+ // Information about the jitsi-meet instance we are connecting to, including
+ // the user region as seen by the server.
+ deploymentInfo: {
+ // shard: "shard1",
+ // region: "europe",
+ // userRegion: "asia"
+ },
+
+ // Decides whether the start/stop recording audio notifications should play on record.
+ // disableRecordAudioNotification: false,
+
+ // Information for the chrome extension banner
+ // chromeExtensionBanner: {
+ // // The chrome extension to be installed address
+ // url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb',
+
+ // // Extensions info which allows checking if they are installed or not
+ // chromeExtensionsInfo: [
+ // {
+ // id: 'kglhbbefdnlheedjiejgomgmfplipfeb',
+ // path: 'jitsi-logo-48x48.png'
+ // }
+ // ]
+ // },
+
+ // Local Recording
+ //
+
+ // localRecording: {
+ // Enables local recording.
+ // Additionally, 'localrecording' (all lowercase) needs to be added to
+ // TOOLBAR_BUTTONS in interface_config.js for the Local Recording
+ // button to show up on the toolbar.
+ //
+ // enabled: true,
+ //
+
+ // The recording format, can be one of 'ogg', 'flac' or 'wav'.
+ // format: 'flac'
+ //
+
+ // },
+
+ // Options related to end-to-end (participant to participant) ping.
+ // e2eping: {
+ // // The interval in milliseconds at which pings will be sent.
+ // // Defaults to 10000, set to <= 0 to disable.
+ // pingInterval: 10000,
+ //
+ // // The interval in milliseconds at which analytics events
+ // // with the measured RTT will be sent. Defaults to 60000, set
+ // // to <= 0 to disable.
+ // analyticsInterval: 60000,
+ // },
+
+ // If set, will attempt to use the provided video input device label when
+ // triggering a screenshare, instead of proceeding through the normal flow
+ // for obtaining a desktop stream.
+ // NOTE: This option is experimental and is currently intended for internal
+ // use only.
+ // _desktopSharingSourceDevice: 'sample-id-or-label',
+
+ // If true, any checks to handoff to another application will be prevented
+ // and instead the app will continue to display in the current browser.
+ // disableDeepLinking: false,
+
+ // A property to disable the right click context menu for localVideo
+ // the menu has option to flip the locally seen video for local presentations
+ // disableLocalVideoFlip: false,
+
+ // Mainly privacy related settings
+
+ // Disables all invite functions from the app (share, invite, dial out...etc)
+ // disableInviteFunctions: true,
+
+ // Disables storing the room name to the recents list
+ // doNotStoreRoom: true,
+
+ // Deployment specific URLs.
+ // deploymentUrls: {
+ // // If specified a 'Help' button will be displayed in the overflow menu with a link to the specified URL for
+ // // user documentation.
+ // userDocumentationURL: 'https://docs.example.com/video-meetings.html',
+ // // If specified a 'Download our apps' button will be displayed in the overflow menu with a link
+ // // to the specified URL for an app download page.
+ // downloadAppsUrl: 'https://docs.example.com/our-apps.html'
+ // },
+
+ // Options related to the remote participant menu.
+ // remoteVideoMenu: {
+ // // If set to true the 'Kick out' button will be disabled.
+ // disableKick: true
+ // },
+
+ // If set to true all muting operations of remote participants will be disabled.
+ // disableRemoteMute: true,
+
+ // Enables support for lip-sync for this client (if the browser supports it).
+ // enableLipSync: false
+
+ /**
+ External API url used to receive branding specific information.
+ If there is no url set or there are missing fields, the defaults are applied.
+ None of the fields are mandatory and the response must have the shape:
+ {
+ // The hex value for the colour used as background
+ backgroundColor: '#fff',
+ // The url for the image used as background
+ backgroundImageUrl: 'https://example.com/background-img.png',
+ // The anchor url used when clicking the logo image
+ logoClickUrl: 'https://example-company.org',
+ // The url used for the image used as logo
+ logoImageUrl: 'https://example.com/logo-img.png'
+ }
+ */
+ // dynamicBrandingUrl: '',
+
+ // The URL of the moderated rooms microservice, if available. If it
+ // is present, a link to the service will be rendered on the welcome page,
+ // otherwise the app doesn't render it.
+ // moderatedRoomServiceUrl: 'https://moderated.jitsi-meet.example.com',
+
+ // If true, tile view will not be enabled automatically when the participants count threshold is reached.
+ // disableTileView: true,
+
+ // Hides the conference subject
+ // hideConferenceSubject: true
+
+ // Hides the conference timer.
+ // hideConferenceTimer: true,
+
+ // Hides the participants stats
+ // hideParticipantsStats: true
+
+ // Sets the conference subject
+ // subject: 'Conference Subject',
+
+ // List of undocumented settings used in jitsi-meet
+ /**
+ _immediateReloadThreshold
+ debug
+ debugAudioLevels
+ deploymentInfo
+ dialInConfCodeUrl
+ dialInNumbersUrl
+ dialOutAuthUrl
+ dialOutCodesUrl
+ disableRemoteControl
+ displayJids
+ etherpad_base
+ externalConnectUrl
+ firefox_fake_device
+ googleApiApplicationClientID
+ iAmRecorder
+ iAmSipGateway
+ microsoftApiApplicationClientID
+ peopleSearchQueryTypes
+ peopleSearchUrl
+ requireDisplayName
+ tokenAuthUrl
+ */
+
+ /**
+ * This property can be used to alter the generated meeting invite links (in combination with a branding domain
+ * which is retrieved internally by jitsi meet) (e.g. https://meet.jit.si/someMeeting
+ * can become https://brandedDomain/roomAlias)
+ */
+ // brandingRoomAlias: null,
+
+ // List of undocumented settings used in lib-jitsi-meet
+ /**
+ _peerConnStatusOutOfLastNTimeout
+ _peerConnStatusRtcMuteTimeout
+ abTesting
+ avgRtpStatsN
+ callStatsConfIDNamespace
+ callStatsCustomScriptUrl
+ desktopSharingSources
+ disableAEC
+ disableAGC
+ disableAP
+ disableHPF
+ disableNS
+ enableTalkWhileMuted
+ forceJVB121Ratio
+ forceTurnRelay
+ hiddenDomain
+ ignoreStartMuted
+ websocketKeepAlive
+ websocketKeepAliveUrl
+ */
+
+ /**
+ Use this array to configure which notifications will be shown to the user
+ The items correspond to the title or description key of that notification
+ Some of these notifications also depend on some other internal logic to be displayed or not,
+ so adding them here will not ensure they will always be displayed
+
+ A falsy value for this prop will result in having all notifications enabled (e.g null, undefined, false)
+ */
+ // notifications: [
+ // 'connection.CONNFAIL', // shown when the connection fails,
+ // 'dialog.cameraNotSendingData', // shown when there's no feed from user's camera
+ // 'dialog.kickTitle', // shown when user has been kicked
+ // 'dialog.liveStreaming', // livestreaming notifications (pending, on, off, limits)
+ // 'dialog.lockTitle', // shown when setting conference password fails
+ // 'dialog.maxUsersLimitReached', // shown when maximmum users limit has been reached
+ // 'dialog.micNotSendingData', // shown when user's mic is not sending any audio
+ // 'dialog.passwordNotSupportedTitle', // shown when setting conference password fails due to password format
+ // 'dialog.recording', // recording notifications (pending, on, off, limits)
+ // 'dialog.remoteControlTitle', // remote control notifications (allowed, denied, start, stop, error)
+ // 'dialog.reservationError',
+ // 'dialog.serviceUnavailable', // shown when server is not reachable
+ // 'dialog.sessTerminated', // shown when there is a failed conference session
+ // 'dialog.tokenAuthFailed', // show when an invalid jwt is used
+ // 'dialog.transcribing', // transcribing notifications (pending, off)
+ // 'dialOut.statusMessage', // shown when dial out status is updated.
+ // 'liveStreaming.busy', // shown when livestreaming service is busy
+ // 'liveStreaming.failedToStart', // shown when livestreaming fails to start
+ // 'liveStreaming.unavailableTitle', // shown when livestreaming service is not reachable
+ // 'lobby.joinRejectedMessage', // shown when while in a lobby, user's request to join is rejected
+ // 'lobby.notificationTitle', // shown when lobby is toggled and when join requests are allowed / denied
+ // 'localRecording.localRecording', // shown when a local recording is started
+ // 'notify.disconnected', // shown when a participant has left
+ // 'notify.grantedTo', // shown when moderator rights were granted to a participant
+ // 'notify.invitedOneMember', // shown when 1 participant has been invited
+ // 'notify.invitedThreePlusMembers', // shown when 3+ participants have been invited
+ // 'notify.invitedTwoMembers', // shown when 2 participants have been invited
+ // 'notify.kickParticipant', // shown when a participant is kicked
+ // 'notify.mutedRemotelyTitle', // shown when user is muted by a remote party
+ // 'notify.mutedTitle', // shown when user has been muted upon joining,
+ // 'notify.newDeviceAudioTitle', // prompts the user to use a newly detected audio device
+ // 'notify.newDeviceCameraTitle', // prompts the user to use a newly detected camera
+ // 'notify.passwordRemovedRemotely', // shown when a password has been removed remotely
+ // 'notify.passwordSetRemotely', // shown when a password has been set remotely
+ // 'notify.raisedHand', // shown when a partcipant used raise hand,
+ // 'notify.startSilentTitle', // shown when user joined with no audio
+ // 'prejoin.errorDialOut',
+ // 'prejoin.errorDialOutDisconnected',
+ // 'prejoin.errorDialOutFailed',
+ // 'prejoin.errorDialOutStatus',
+ // 'prejoin.errorStatusCode',
+ // 'prejoin.errorValidation',
+ // 'recording.busy', // shown when recording service is busy
+ // 'recording.failedToStart', // shown when recording fails to start
+ // 'recording.unavailableTitle', // shown when recording service is not reachable
+ // 'toolbar.noAudioSignalTitle', // shown when a broken mic is detected
+ // 'toolbar.noisyAudioInputTitle', // shown when noise is detected for the current microphone
+ // 'toolbar.talkWhileMutedPopup', // shown when user tries to speak while muted
+ // 'transcribing.failedToStart' // shown when transcribing fails to start
+ // ]
+
+ // Allow all above example options to include a trailing comma and
+ // prevent fear when commenting out the last value.
+ makeJsonParserHappy: 'even if last key had a trailing comma'
+
+ // no configuration value should follow this line.
+};
+
+/* eslint-enable no-unused-vars, no-var */
diff --git a/app/jitsi/config/global_env.tpl b/app/jitsi/config/global_env.tpl
deleted file mode 100644
index d78975d..0000000
--- a/app/jitsi/config/global_env.tpl
+++ /dev/null
@@ -1,10 +0,0 @@
-JITSI_SECRET_VIDEOBRIDGE={{ key "secrets/jitsi/jitsi_secret_videobridge" }}
-JITSI_SECRET_JICOFO_COMPONENT={{ key "secrets/jitsi/jitsi_secret_jicofo_component" }}
-JITSI_SECRET_JICOFO_USER={{ key "secrets/jitsi/jitsi_secret_jicofo_user" }}
-JITSI_PROSODY_BOSH_PORT={{ env "NOMAD_PORT_bosh_port" }}
-JITSI_PROSODY_BOSH_HOST=127.0.0.1
-JITSI_PROSODY_HOST=127.0.0.1
-JITSI_CERTS_FOLDER=/secrets/certs/
-JITSI_NAT_PUBLIC_IP=78.197.205.190
-JITSI_NAT_LOCAL_IP={{ env "NOMAD_IP_video1_port" }}
-NGINX_PORT={{ env "NOMAD_PORT_https_port" }}
diff --git a/app/jitsi/config/jicofo.conf b/app/jitsi/config/jicofo.conf
new file mode 100644
index 0000000..1d33b9c
--- /dev/null
+++ b/app/jitsi/config/jicofo.conf
@@ -0,0 +1,273 @@
+jicofo {
+ // Authentication with external services
+ authentication {
+ enabled = false
+ // The type of authentication. Supported values are XMPP, JWT or SHIBBOLETH (default).
+ type = SHIBBOLETH
+
+ // The pattern of authentication URL. See ShibbolethAuthAuthority for more information.
+ # login-url =
+
+ # logout-url =
+
+ authentication-lifetime = 24 hours
+ enable-auto-login = true
+ }
+ // Configuration related to jitsi-videobridge
+ bridge {
+ // The maximum number of participants in a single conference to put on one bridge (use -1 for no maximum).
+ max-bridge-participants = -1
+ // The assumed maximum packet rate that a bridge can handle.
+ max-bridge-packet-rate = 50000
+ // The assumed average packet rate per participant.
+ average-participant-packet-rate-pps = 500
+ // The assumed average stress per participant.
+ average-participant-stress = 0.01
+ // The assumed time that an endpoint takes to start contributing fully to the load on a bridge. To avoid allocating
+ // a burst of endpoints to the same bridge, the bridge stress is adjusted by adding the number of new endpoints
+ // in the last [participant-rampup-time] multiplied by [average-participant-stress].
+ participant-rampup-interval = 20 seconds
+ // The stress level above which a bridge is considered overstressed.
+ stress-threshold = 0.8
+ // The amount of to wait before retrying using a failed bridge.
+ failure-reset-threshold = 1 minute
+ // The bridge selection strategy. The built-in strategies are:
+ // SingleBridgeSelectionStrategy: Use the least loaded bridge, do not split a conference between bridges (Octo).
+ // SplitBridgeSelectionStrategy: Use a separate bridge for each participant (for testing).
+ // RegionBasedBridgeSelectionStrategy: Attempt to put each participant in a bridge in their local region (i.e. use
+ // Octo for geo-location).
+ // IntraRegionBridgeSelectionStrategy: Use additional bridges when a bridge becomes overloaded (i.e. use Octo for
+ // load balancing).
+ //
+ // Additionally, you can use the fully qualified class name for custom BridgeSelectionStrategy implementations.
+ selection-strategy = SingleBridgeSelectionStrategy
+ health-checks {
+ // Whether jicofo should perform periodic health checks to the connected bridges.
+ enabled = true
+ // The interval at which to perform health checks.
+ interval = 10 seconds
+ // When a health checks times out, jicofo will retry and only consider it fail after the retry fails. This
+ // configures the delay between the original health check timing out and the second health check being sent.
+ // It is a duration and defaults to half the [interval].
+ # retry-delay = 5 seconds
+ }
+
+ // The JID of the MUC to be used as a brewery for bridge instances.
+ brewery-jid = "jvbbrewery@internal.auth.jitsi"
+ }
+ // Configure the codecs and RTP extensions to be used in the offer sent to clients.
+ codec {
+ video {
+ vp8 {
+ enabled = true
+ pt = 100
+ // Payload type for the associated RTX stream. Set to -1 to disable RTX.
+ rtx-pt = 96
+ }
+ vp9 {
+ enabled = true
+ pt = 101
+ // Payload type for the associated RTX stream. Set to -1 to disable RTX.
+ rtx-pt = 97
+ }
+ h264 {
+ enabled = true
+ pt = 107
+ // Payload type for the associated RTX stream. Set to -1 to disable RTX.
+ rtx-pt = 99
+ }
+ }
+
+ audio {
+ isac-16000 {
+ enabled = true
+ pt = 103
+ }
+ isac-32000 {
+ enabled = true
+ pt = 104
+ }
+ opus {
+ enabled = true
+ pt = 111
+ minptime = 10
+ use-inband-fec = true
+ red {
+ enabled = false
+ pt = 112
+ }
+ }
+ telephone-event {
+ enabled = true
+ pt = 126
+ }
+ }
+
+ // RTP header extensions
+ rtp-extensions {
+ audio-level {
+ enabled = true
+ id = 1
+ }
+ tof {
+ // TOF is currently disabled, because we don't support it in the bridge
+ // (and currently clients seem to not use it when abs-send-time is
+ // available).
+ enabled = false
+ id = 2
+ }
+ abs-send-time {
+ enabled = true
+ id = 3
+ }
+ rid {
+ enabled = false
+ id = 4
+ }
+ tcc {
+ enabled = true
+ id = 5
+ }
+ video-content-type {
+ enabled = false
+ id = 7
+ }
+ framemarking {
+ enabled = false
+ id = 9
+ }
+ }
+ }
+
+ conference {
+ // Whether to automatically grant the 'owner' role to the first participant in the conference (and subsequently to
+ // the next in line when the current owner leaves).
+ enable-auto-owner = true
+
+ // How long to wait for the initial participant in a conference.
+ initial-timeout = 15 seconds
+
+ // Whether jicofo should inject a random SSRC for endpoints which don't advertise any SSRCs. This is a temporary
+ // workaround for an issue with signaling endpoints for Octo.
+ inject-ssrc-for-recv-only-endpoints = false
+
+ max-ssrcs-per-user = 20
+
+ // How long a participant's media session will be kept alive once it remains the only participant in the room.
+ single-participant-timeout = 20 seconds
+
+ // The minimum number of participants required for the conference to be started.
+ min-participants = 2
+
+ // Experimental.
+ enable-lip-sync = false
+
+ shared-document {
+ // If `true` the shared document uses a random name. Otherwise, it uses the conference name.
+ use-random-name = false
+ }
+ }
+
+ // Configuration for the internal health checks performed by jicofo.
+ health {
+ // Whether to perform health checks.
+ enabled = false
+
+ // The interval between health checks. If set to 0, periodic health checks will not be performed.
+ interval = 10 seconds
+
+ # The timeout for a health check
+ timeout = 30 seconds
+
+ # If performing a health check takes longer than this, it is considered unsuccessful.
+ max-check-duration = 20 seconds
+
+ # The prefix to use when creating MUC rooms for the purpose of health checks.
+ room-name-prefix = "__jicofo-health-check"
+ }
+
+ jibri {
+ // The JID of the MUC to be used as a brewery for jibri instances for streaming.
+ # brewery-jid = "jibribrewery@example.com"
+
+ // How many times to retry a given Jibri request before giving up. Set to -1 to allow infinite retries.
+ num-retries = 5
+
+ // How long to wait for Jibri to start recording from the time it accepts a START request.
+ pending-timeout = 90 seconds
+ }
+
+ jibri-sip {
+ // The JID of the MUC to be used as a brewery for jibri instances for SIP.
+ # brewery-jid = "jibrisipbrewery@example.com"
+ }
+
+ jigasi {
+ // The JID of the MUC to be used as a brewery for jigasi instances.
+ # brewery-jid = "jigasibrewery@example.com"
+ }
+
+ // The region in which the machine is running.
+ #local-region="us-east-1"
+
+ octo {
+ // Whether or not to use Octo. Note that when enabled, its use will be determined by
+ // $jicofo.bridge.selection-strategy.
+ enabled = false
+
+ // An identifier of the Jicofo instance, used for the purpose of generating conference IDs unique across a set of
+ // Jicofo instances. Valid values are [1, 65535]. The value 0 is used when none is explicitly configured.
+ id = 1
+ }
+
+ rest {
+ port = 8888
+ tls-port = 8843
+ }
+
+ sctp {
+ // Whether to allocate SCTP channels on the bridge (only when the client advertises support, and SCTP is
+ // enabled in the per-conference configuration).
+ enabled = true
+ }
+
+ task-pools {
+ shared-pool-max-threads = 1500
+ }
+
+ xmpp {
+ // The separate XMPP connection used for communication with clients (endpoints).
+ client {
+ enabled = true
+ hostname = "{{ env "NOMAD_IP_xmpp_port" }}"
+ port = {{ env "NOMAD_PORT_xmpp_port" }}
+ domain = "auth.jitsi"
+ username = "focus"
+ password = {{ key "secrets/jitsi/jitsi_secret_jicofo_user" }}
+
+ // How long to wait for a response to a stanza before giving up.
+ reply-timeout = 15 seconds
+
+ // The JID/domain of the MUC service used for conferencing.
+ conference-muc-jid = conference.jitsi
+
+ // A flag to suppress the TLS certificate verification.
+ disable-certificate-verification = false
+ }
+ // The separate XMPP connection used for internal services (currently only jitsi-videobridge).
+ service {
+ enabled = false
+ hostname = "jitsi-xmpp"
+ port = 5222
+ domain = "auth.jitsi"
+ username = "focus"
+ password = "jicofopass"
+
+ // How long to wait for a response to a stanza before giving up.
+ reply-timeout = 15 seconds
+
+ // A flag to suppress the TLS certificate verification.
+ disable-certificate-verification = false
+ }
+ }
+}
diff --git a/app/jitsi/config/nginx.conf b/app/jitsi/config/nginx.conf
new file mode 100644
index 0000000..b2213e9
--- /dev/null
+++ b/app/jitsi/config/nginx.conf
@@ -0,0 +1,42 @@
+# some doc: https://www.nginx.com/resources/wiki/start/topics/examples/full/
+error_log /dev/stderr;
+
+events {}
+
+http {
+ access_log /dev/stdout;
+ server_names_hash_bucket_size 64;
+
+ server {
+ listen 0.0.0.0:{{ env "NOMAD_PORT_https_port" }} ssl http2 default_server;
+ listen [::]:{{ env "NOMAD_PORT_https_port" }} ssl http2 default_server;
+ server_name _;
+ ssl_certificate /etc/nginx/jitsi.crt;
+ ssl_certificate_key /etc/nginx/jitsi.key;
+ root /srv/jitsi-meet;
+ index index.html;
+
+ # lot of work would be needed to improve location rules
+ # - in order to allow - and _ in the URL, even space
+ # - while not shadowing other files (.js and following locations)
+ # - passed some times twice on the problem, not as easy as it seems
+ location ~ ^/([a-zA-Z0-9=\?]+)$ {
+ rewrite ^/(.*)$ / break;
+ }
+ location / {
+ ssi on;
+ }
+
+ location /external_api.js {
+ alias /srv/jitsi-meet/libs/external_api.min.js;
+ }
+
+ location /http-bind {
+ proxy_pass http://{{ env "NOMAD_ADDR_xmpp_port" }}/http-bind;
+ proxy_set_header X-Forwarded-For \$remote_addr;
+ proxy_set_header Host \$http_host;
+ }
+
+
+ }
+}
diff --git a/app/jitsi/config/prosody.cfg.lua b/app/jitsi/config/prosody.cfg.lua
new file mode 100644
index 0000000..65dabf6
--- /dev/null
+++ b/app/jitsi/config/prosody.cfg.lua
@@ -0,0 +1,135 @@
+modules_enabled = {
+ "roster"; -- Allow users to have a roster. Recommended ;)
+ "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+ "tls"; -- Add support for secure TLS on c2s/s2s connections
+ "dialback"; -- s2s dialback support
+ "disco"; -- Service discovery
+ "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+ "version"; -- Replies to server version requests
+ "uptime"; -- Report how long server has been running
+ "time"; -- Let others know the time here on this server
+ "ping"; -- Replies to XMPP pings with pongs
+ "pep"; -- Enables users to publish their mood, activity, playing music and more
+ -- jitsi
+ --"smacks"; -- not shipped with prosody
+ "carbons";
+ "mam";
+ "lastactivity";
+ "offline";
+ "pubsub";
+ "adhoc";
+ "websocket";
+ --"http_altconnect"; -- not shipped with prosody
+}
+modules_disabled = { "s2s" }
+
+plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
+
+log = {
+ --log less on console with warn="*console"; or err="*console" or more with debug="*console"
+ info="*console";
+}
+daemonize = false
+use_libevent = true
+
+-- domain mapper options, must at least have domain base set to use the mapper
+muc_mapper_domain_base = "jitsi.deuxfleurs.fr";
+
+--@FIXME would be great to configure it
+--turncredentials_secret = "__turnSecret__";
+
+--turncredentials = {
+-- { type = "stun", host = "jitmeet.example.com", port = "3478" },
+-- { type = "turn", host = "jitmeet.example.com", port = "3478", transport = "udp" },
+-- { type = "turns", host = "jitmeet.example.com", port = "5349", transport = "tcp" }
+--};
+
+cross_domain_bosh = false;
+consider_bosh_secure = true;
+component_ports = { } -- it seems we don't need external components for now...
+https_ports = { } -- we don't need https
+http_ports = { 5280 }
+c2s_ports = { 5222 }
+
+
+-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
+ssl = {
+ protocol = "tlsv1_2+";
+ ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
+}
+
+VirtualHost "jitsi"
+ enabled = true -- Remove this line to enable this host
+ authentication = "anonymous"
+ -- Properties below are modified by jitsi-meet-tokens package config
+ -- and authentication above is switched to "token"
+ --app_id="example_app_id"
+ --app_secret="example_app_secret"
+ -- Assign this host a certificate for TLS, otherwise it would use the one
+ -- set in the global section (if any).
+ -- Note that old-style SSL on port 5223 only supports one certificate, and will always
+ -- use the global one.
+ ssl = {
+ key = "/var/lib/prosody/jitsi.key";
+ certificate = "/var/lib/prosody/jitsi.crt";
+ }
+ speakerstats_component = "speakerstats.jitsi"
+ conference_duration_component = "conferenceduration.jitsi"
+ -- we need bosh
+ modules_enabled = {
+ "bosh";
+ "pubsub";
+ "ping"; -- Enable mod_ping
+ "speakerstats";
+ --"turncredentials"; not supported yet
+ "conference_duration";
+ "muc_lobby_rooms";
+ }
+ c2s_require_encryption = false
+ lobby_muc = "lobby.jitsi"
+ main_muc = "conference.jitsi"
+ -- muc_lobby_whitelist = { "recorder.jitmeet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
+
+Component "conference.jitsi" "muc"
+ storage = "memory"
+ modules_enabled = {
+ "muc_meeting_id";
+ "muc_domain_mapper";
+ --"token_verification";
+ }
+ admins = { "focus@auth.jitsi" }
+ muc_room_locking = false
+ muc_room_default_public_jids = true
+
+-- internal muc component
+Component "internal.auth.jitsi" "muc"
+ storage = "memory"
+ modules_enabled = {
+ "ping";
+ }
+ admins = { "focus@auth.jitsi", "jvb@auth.jitsi" }
+ muc_room_locking = false
+ muc_room_default_public_jids = true
+
+VirtualHost "auth.jitsi"
+ ssl = {
+ key = "/var/lib/prosody/auth.jitsi.key";
+ certificate = "/var/lib/prosody/auth.jitsi.crt";
+ }
+ authentication = "internal_plain"
+
+Component "focus.jitsi" "client_proxy"
+ target_address = "focus@auth.jitsi"
+
+Component "speakerstats.jitsi" "speakerstats_component"
+ muc_component = "conference.jitsi"
+
+Component "conferenceduration.jitsi" "conference_duration_component"
+ muc_component = "conference.jitsi"
+
+Component "lobby.jitsi" "muc"
+ storage = "memory"
+ restrict_room_creation = true
+ muc_room_locking = false
+ muc_room_default_public_jids = true
+
diff --git a/app/jitsi/config/videobridge.conf b/app/jitsi/config/videobridge.conf
new file mode 100644
index 0000000..9307945
--- /dev/null
+++ b/app/jitsi/config/videobridge.conf
@@ -0,0 +1,290 @@
+videobridge {
+ entity-expiration {
+ # If an entity has no activity after this timeout, it is expired
+ timeout=1 minute
+
+ # The interval at which the videobridge will check for expired entities
+ check-interval=${videobridge.entity-expiration.timeout}
+ }
+ health {
+ # The interval between health checks
+ interval=10 seconds
+
+ # The timeout for a health check
+ timeout=30 seconds
+
+ # If performing a health check takes longer than this, it is considered unsuccessful.
+ max-check-duration=3 seconds
+
+ # Whether or not health check failures should be 'sticky'
+ # (i.e. once the bridge becomes unhealthy, it will never
+ # go back to a healthy state)
+ sticky-failures=false
+ }
+ ep-connection-status {
+ # How long we'll wait for an endpoint to *start* sending
+ # data before we consider it 'inactive'
+ first-transfer-timeout=15 seconds
+
+ # How long an endpoint can be 'inactive' before it will
+ # be considered disconnected
+ max-inactivity-limit=3 seconds
+
+ # How often we check endpoint's connectivity status
+ check-interval=500 milliseconds
+ }
+ cc {
+ bwe-change-threshold=0.15
+ thumbnail-max-height-px=180
+ onstage-ideal-height-px=1080
+ onstage-preferred-height-px=360
+ onstage-preferred-framerate=30
+ enable-onstage-video-suspend=false
+ trust-bwe=true
+
+ # How often we check to send probing data
+ padding-period=15ms
+
+ # How often we'll force recalculations of forwarded
+ # streams
+ max-time-between-calculations = 15 seconds
+
+ # A JVB-wide last-n value, observed by all endpoints. Endpoints
+ # will take the minimum of their setting and this one (-1 implies
+ # no last-n limit)
+ jvb-last-n = -1
+ }
+ # The APIs by which the JVB can be controlled
+ apis {
+ xmpp-client {
+ # The interval at which presence is published in the configured MUCs.
+ presence-interval = ${videobridge.stats.interval}
+
+ configs {
+ unique-xmpp-server {
+ hostname="{{ env "NOMAD_IP_xmpp_port" }}"
+ port = {{ env "NOMAD_PORT_xmpp_port" }}
+ domain = "auth.jitsi"
+ username = "jvb"
+ password = "{{ key "secrets/jitsi/jitsi_secret_jvb_user" }}"
+ muc_jids = "jvbbrewery@internal.auth.jitsi"
+ # The muc_nickname must be unique across all jitsi-videobridge instances
+ muc_nickname = "unique-jvb-server"
+ disable_certificate_verification = false
+ }
+ # example-connection-id {
+ # For the properties which should be
+ # filled out here, see MucClientConfiguration
+ # }
+ }
+ }
+ # The COLIBRI REST API
+ rest {
+ enabled = true
+ }
+ jvb-api {
+ enabled = true
+ }
+ }
+ # Configuration of the different REST APIs.
+ # Note that the COLIBRI REST API is configured under videobridge.apis.rest instead.
+ rest {
+ debug {
+ enabled = true
+ }
+ health {
+ enabled = true
+ }
+ shutdown {
+ # Note that the shutdown API requires the COLIBRI API to also be enabled.
+ enabled = false
+ }
+ version {
+ enabled = true
+ }
+ }
+ http-servers {
+ # The HTTP server which hosts services intended for 'public' use
+ # (e.g. websockets for the bridge channel connection)
+ public {
+ # See JettyBundleActivatorConfig in Jicoco for values
+ port = -1
+ tls-port = -1
+ }
+ # The HTTP server which hosts services intended for 'private' use
+ # (e.g. health or debug stats)
+ private {
+ # See JettyBundleActivatorConfig in Jicoco for values
+ host = 127.0.0.1
+ }
+ }
+ octo {
+ # Whether or not Octo is enabled
+ enabled=false
+
+ # A string denoting the 'region' of this JVB. This region
+ # will be used by Jicofo in the selection of a bridge for
+ # a client by comparing it to the client's region.
+ # Must be set when 'enabled' is true
+ #region="us-west-1"
+
+ # The address on which the Octo relay should bind
+ # Must be set when 'enabled' is true
+ #bind-address=198.51.100.1
+
+ # The port to which the Octo relay should bind
+ bind-port=4096
+
+ # The address which controls the public address which
+ # will be part of the Octo relayId
+ #public-address=198.51.100.1
+
+ # The size of the incoming octo queue. This queue is per-remote-endpoint,
+ # so it matches what we use for local endpoints
+ recv-queue-size=1024
+
+ # The size of the outgoing octo queue. This is a per-originating-endpoint
+ # queue, so assuming all packets are routed (as they currently are for Octo)
+ # it should be the same size as the transceiver recv queue in
+ # jitsi-media-transform. Repeating the description from there:
+ # Assuming 300pps for high-definition, 200pps for standard-definition,
+ # 100pps for low-definition and 50pps for audio, this queue is fed
+ # 650pps, so its size in terms of millis is 1024/650*1000 ~= 1575ms.
+ send-queue-size=1024
+ }
+ load-management {
+ # Whether or not the reducer will be enabled to take actions to mitigate load
+ reducer-enabled = false
+ load-measurements {
+ packet-rate {
+ # The packet rate at which we'll consider the bridge overloaded
+ load-threshold = 50000
+ # The packet rate at which we'll consider the bridge 'underloaded' enough
+ # to start recovery
+ recovery-threshold = 40000
+ }
+ }
+ load-reducers {
+ last-n {
+ # The factor by which we'll reduce the current last-n when trying to reduce load
+ reduction-scale = .75
+ # The factor by which we'll increase the current last-n when trying to recover
+ recover-scale = 1.25
+ # The minimum time in between runs of the last-n reducer to reduce or recover from
+ # load
+ impact-time = 1 minute
+ # The lowest value we'll set for last-n
+ minimum-last-n-value = 0
+ # The highest last-n value we'll enforce. Once the enforced last-n exceeds this value
+ # we'll remove the limit entirely
+ maximum-enforced-last-n-value = 40
+ }
+ }
+ }
+ sctp {
+ # Whether SCTP data channels are enabled.
+ enabled=true
+ }
+ stats {
+ # Whether periodic collection of statistics is enabled or not. When enabled they are accessible through the REST
+ # API (at `/colibri/stats`), and are available to other modules (e.g. to be pushed to callstats or in a MUC).
+ enabled = true
+
+ # The interval at which stats are gathered.
+ interval = 5 seconds
+
+ # Configuration related to pushing statistics to callstats.io.
+ callstats {
+ # An integer application ID (use 0 to disable pushing stats to callstats).
+ app-id = 0
+
+ # The shared secred to authentication with callstats.io.
+ //app-secret = "s3cret"
+
+ # ID of the key that was used to generate token.
+ //key-id = "abcd"
+
+ # The path to private key file.
+ //key-path = "/etc/jitsi/videobridge/ecpriv.jwk"
+
+ # The ID of the server instance to be used when reporting to callstats.
+ bridge-id = "jitsi"
+
+ # TODO: document
+ //conference-id-prefix = "abcd"
+
+ # The interval at which statististics will be published to callstats. This affects both per-conference and global
+ # statistics.
+ # Note that this value will be overriden if a "callstatsio" transport is defined in the parent "stats" section.
+ interval = ${videobridge.stats.interval}
+ }
+ }
+ websockets {
+ enabled=false
+ server-id="default-id"
+
+ # Optional, even when 'enabled' is set to true
+ # tls=true
+ # Must be set when enabled = true
+ #domain="some-domain"
+ }
+ ice {
+ tcp {
+ # Whether ICE/TCP is enabled.
+ enabled = true
+
+ # The port to bind to for ICE/TCP.
+ port = {{ env "NOMAD_PORT_video_port" }}
+
+ # An optional additional port to advertise.
+ # mapped-port = 8443
+ # Whether to use "ssltcp" or plain "tcp".
+ ssltcp = true
+ }
+
+ udp {
+ # The port for ICE/UDP.
+ port = {{ env "NOMAD_PORT_video_port" }}
+ }
+
+ # An optional prefix to include in STUN username fragments generated by the bridge.
+ #ufrag-prefix = "jvb-123:"
+
+ # Which candidate pairs to keep alive. The accepted values are defined in ice4j's KeepAliveStrategy:
+ # "selected_and_tcp", "selected_only", or "all_succeeded".
+ keep-alive-strategy = "selected_and_tcp"
+
+ # Whether to use the "component socket" feature of ice4j.
+ use-component-socket = true
+
+ # Whether to attempt DNS resolution for remote candidates that contain a non-literal address. When set to 'false'
+ # such candidates will be ignored.
+ resolve-remote-candidates = false
+
+ # The nomination strategy to use for ICE. THe accepted values are defined in ice4j's NominationStrategy:
+ # "NominateFirstValid", "NominateHighestPriority", "NominateFirstHostOrReflexiveValid", or "NominateBestRTT".
+ nomination-strategy = "NominateFirstValid"
+ }
+
+ transport {
+ send {
+ # The size of the dtls-transport outgoing queue. This is a per-participant
+ # queue. Packets from the egress end-up in this queue right before
+ # transmission by the outgoing srtp pipeline (which mainly consists of the
+ # packet sender).
+ #
+ # Its size needs to be of the same order of magnitude as the rtp sender
+ # queue. In a 100 participant call, assuming 300pps for the on-stage and
+ # 100pps for low-definition, last-n 20 and 2 participants talking, so
+ # 2*50pps for audio, this queue is fed 300+19*100+2*50 = 2300pps, so its
+ # size in terms of millis is 1024/2300*1000 ~= 445ms.
+ queue-size=1024
+ }
+ }
+
+ version {
+ // Wheather to announe the jitsi-videobridge version to clients in the ServerHello message.
+ announce = false
+ }
+}
+
diff --git a/app/jitsi/deploy/jitsi.hcl b/app/jitsi/deploy/jitsi.hcl
index 1e625bb..82fdfcd 100644
--- a/app/jitsi/deploy/jitsi.hcl
+++ b/app/jitsi/deploy/jitsi.hcl
@@ -11,46 +11,59 @@ job "jitsi" {
network {
port "bosh_port" { }
- port "ext_port" { static = 5347 }
- port "xmpp_port" { static = 5222 }
+ port "xmpp_port" { }
port "https_port" { }
- port "video1_port" { static = 8081 }
- port "video2_port" { static = 10000 }
+ port "video_port" { static = 8080 }
}
task "xmpp" {
driver = "docker"
config {
- image = "superboum/amd64_jitsi_xmpp:v8"
- ports = [ "bosh_port", "ext_port", "xmpp_port" ]
+ image = "superboum/amd64_jitsi_xmpp:v9"
+ ports = [ "bosh_port", "xmpp_port" ]
network_mode = "host"
+ volumes = [
+ "secrets/prosody.cfg.lua:/etc/prosody/prosody.cfg.lua"
+ "secrets/certs/auth.jitsi.crt:/var/lib/prosody/auth.jitsi.crt"
+ "secrets/certs/auth.jitsi.key:/var/lib/prosody/auth.jitsi.key"
+ "secrets/certs/jitsi.crt:/var/lib/prosody/jitsi.crt"
+ "secrets/certs/jitsi.key:/var/lib/prosody/jitsi.key"
+ ]
}
template {
- data = file("../config/global_env.tpl")
+ data = <<EOF
+JICOFO_AUTH_PASSWORD={{ key "secrets/jitsi/jicofo_pass" }}
+JVB_AUTH_PASSWORD={{ key "secrets/jitsi/jvb_pass" }}
+EOF
destination = "secrets/global_env"
env = true
}
+ template {
+ data = file("../config/prosody.cfg.lua")
+ destination = "secrets/prosody.cfg.lua"
+ }
+
# --- secrets ---
template {
- data = "{{ key \"secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt\" }}"
- destination = "secrets/certs/auth.jitsi.deuxfleurs.fr.crt"
+ data = "{{ key \"secrets/jitsi/auth.jitsi.crt\" }}"
+ destination = "secrets/certs/auth.jitsi.crt"
}
template {
- data = "{{ key \"secrets/jitsi/auth.jitsi.deuxfleurs.fr.key\" }}"
- destination = "secrets/certs/auth.jitsi.deuxfleurs.fr.key"
+ data = "{{ key \"secrets/jitsi/auth.jitsi.key\" }}"
+ destination = "secrets/certs/auth.jitsi.key"
}
template {
- data = "{{ key \"secrets/jitsi/jitsi.deuxfleurs.fr.crt\" }}"
- destination = "secrets/certs/jitsi.deuxfleurs.fr.crt"
+ data = "{{ key \"secrets/jitsi/jitsi.crt\" }}"
+ destination = "secrets/certs/jitsi.crt"
}
template {
- data = "{{ key \"secrets/jitsi/jitsi.deuxfleurs.fr.key\" }}"
- destination = "secrets/certs/jitsi.deuxfleurs.fr.key"
+ data = "{{ key \"secrets/jitsi/jitsi.key\" }}"
+ destination = "secrets/certs/jitsi.key"
}
resources {
@@ -62,7 +75,7 @@ job "jitsi" {
tags = [ "jitsi", "bosh" ]
port = "bosh_port"
address_mode = "host"
- name = "jitsi-xmpp-bosh"
+ name = "bosh-jitsi"
check {
type = "tcp"
port = "bosh_port"
@@ -77,42 +90,47 @@ job "jitsi" {
}
service {
- tags = [ "jitsi", "ext" ]
- port = "ext_port"
- address_mode = "host"
- name = "jitsi-ext"
- }
-
- service {
tags = [ "jitsi", "xmpp" ]
port = "xmpp_port"
address_mode = "host"
- name = "jitsi-xmpp"
+ name = "xmpp-jitsi"
}
}
task "front" {
driver = "docker"
config {
- image = "superboum/amd64_jitsi_meet:v3"
+ image = "superboum/amd64_jitsi_meet:v4"
network_mode = "host"
ports = [ "https_port" ]
+ volumes = [
+ "secrets/certs/jitsi.crt:/etc/nginx/jitsi.crt"
+ "secrets/certs/jitsi.key:/etc/nginx/jitsi.key"
+ "secrets/config.js:/srv/jitsi-meet/config.js"
+ "secrets/nginx.conf:/etc/nginx/nginx.conf"
+ ]
}
template {
- data = file("../config/global_env.tpl")
- destination = "secrets/global_env"
+ data = file("../config/config.js")
+ destination = "secrets/config.js"
+ env = true
+ }
+
+ template {
+ data = file("../config/nginx.conf")
+ destination = "secrets/nginx.conf"
env = true
}
# --- secrets ---
template {
- data = "{{ key \"secrets/jitsi/jitsi.deuxfleurs.fr.crt\" }}"
- destination = "secrets/certs/jitsi.deuxfleurs.fr.crt"
+ data = "{{ key \"secrets/jitsi/jitsi.crt\" }}"
+ destination = "secrets/certs/jitsi.crt"
}
template {
- data = "{{ key \"secrets/jitsi/jitsi.deuxfleurs.fr.key\" }}"
- destination = "secrets/certs/jitsi.deuxfleurs.fr.key"
+ data = "{{ key \"secrets/jitsi/jitsi.key\" }}"
+ destination = "secrets/certs/jitsi.key"
}
resources {
@@ -130,7 +148,7 @@ job "jitsi" {
]
port = "https_port"
address_mode = "host"
- name = "jitsi-front-https"
+ name = "https-jitsi"
check {
type = "tcp"
port = "https_port"
@@ -148,25 +166,29 @@ job "jitsi" {
task "jicofo" {
driver = "docker"
config {
- image = "superboum/amd64_jitsi_conference_focus:v6"
+ image = "superboum/amd64_jitsi_conference_focus:v7"
network_mode = "host"
+ volumes = [
+ "secrets/certs/jitsi.crt:/usr/local/share/ca-certificates/jitsi.crt"
+ "secrets/certs/auth.jitsi.crt:/usr/local/share/ca-certificates/auth.jitsi.crt"
+ "secrets/jicofo.conf:/etc/jitsi/jicofo.conf"
+ ]
}
template {
- data = file("../config/global_env.tpl")
- destination = "secrets/global_env"
- env = true
+ data = file("../config/jicofo.conf")
+ destination = "secrets/jicofo.conf"
}
#--- secrets ---
template {
- data = "{{ key \"secrets/jitsi/jitsi.deuxfleurs.fr.crt\" }}"
- destination = "secrets/certs/jitsi.deuxfleurs.fr.crt"
+ data = "{{ key \"secrets/jitsi/jitsi.crt\" }}"
+ destination = "secrets/certs/jitsi.crt"
}
template {
- data = "{{ key \"secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt\" }}"
- destination = "secrets/certs/auth.jitsi.deuxfleurs.fr.crt"
+ data = "{{ key \"secrets/jitsi/auth.jitsi.crt\" }}"
+ destination = "secrets/certs/auth.jitsi.crt"
}
resources {
@@ -178,56 +200,61 @@ job "jitsi" {
task "videobridge" {
driver = "docker"
config {
- image = "superboum/amd64_jitsi_videobridge:v16"
+ image = "superboum/amd64_jitsi_videobridge:v17"
network_mode = "host"
- ports = [ "video1_port", "video2_port" ]
+ ports = [ "video_port" ]
ulimit {
nofile = "1048576:1048576"
nproc = "65536:65536"
}
+ volumes = [
+ "secrets/certs/jitsi.crt:/usr/local/share/ca-certificates/jitsi.crt"
+ "secrets/certs/auth.jitsi.crt:/usr/local/share/ca-certificates/auth.jitsi.crt"
+ "secrets/videobridge.conf:/etc/jitsi/videobridge.conf"
+ ]
}
env {
- #JITSI_DEBUG = 1
- JITSI_VIDEO_TCP = 8081
- VIDEOBRIDGE_MAX_MEMORY = "1450m"
+ # Our container can autodetect the public IP with the ifconfig.me service
+ # However we would like to avoid relying on a 3rd party service for production use
+ # That's why I am setting the public IP address statically here VVVV
+ JITSI_NAT_PUBLIC_IP = "78.197.205.190"
}
template {
- data = file("../config/global_env.tpl")
- destination = "secrets/global_env"
+ data = file("../config/videobridge.conf")
+ destination = "secrets/videobridge.conf"
env = true
}
+ # --- secrets ---
+ template {
+ data = "{{ key \"secrets/jitsi/jitsi.crt\" }}"
+ destination = "secrets/certs/jitsi.crt"
+ }
+
+ template {
+ data = "{{ key \"secrets/jitsi/auth.jitsi.crt\" }}"
+ destination = "secrets/certs/auth.jitsi.crt"
+ }
+
resources {
cpu = 900
- memory = 1500
+ memory = 3000
}
service {
- tags = [ "jitsi", "(diplonat (tcp_port 8081))" ]
- port = "video1_port"
+ tags = [ "jitsi", "(diplonat (tcp_port 8080) (udp_port 8080))" ]
+ port = "video_port"
address_mode = "host"
- name = "jitsi-videobridge-video1"
+ name = "video-jitsi"
check {
type = "tcp"
- port = "video1_port"
+ port = "video_port"
interval = "60s"
timeout = "5s"
- check_restart {
- limit = 3
- grace = "90s"
- ignore_warnings = false
- }
}
}
-
- service {
- tags = [ "jitsi", "(diplonat (udp_port 10000))" ]
- port = "video2_port"
- address_mode = "host"
- name = "jitsi-videobridge-video2"
- }
}
}
}
diff --git a/app/jitsi/integration/jvb/videobridge.conf b/app/jitsi/integration/jvb/videobridge.conf
index 418be5e..a11edc6 100644
--- a/app/jitsi/integration/jvb/videobridge.conf
+++ b/app/jitsi/integration/jvb/videobridge.conf
@@ -66,6 +66,7 @@ videobridge {
domain = "auth.jitsi"
username = "jvb"
password = "jvbpass"
+ port = 5222
muc_jids = "jvbbrewery@internal.auth.jitsi"
# The muc_nickname must be unique across all jitsi-videobridge instances
muc_nickname = "unique-jvb-server"
diff --git a/app/jitsi/secrets/jitsi/auth.jitsi.crt b/app/jitsi/secrets/jitsi/auth.jitsi.crt
new file mode 100644
index 0000000..f4ab925
--- /dev/null
+++ b/app/jitsi/secrets/jitsi/auth.jitsi.crt
@@ -0,0 +1 @@
+SSL_CERT jitsi_auth auth.jitsi
diff --git a/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt b/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt
deleted file mode 100644
index f2c4d4b..0000000
--- a/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt
+++ /dev/null
@@ -1 +0,0 @@
-SSL_CERT jitsi_auth autj.jitsi.deuxfleurs.fr
diff --git a/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key b/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key
deleted file mode 100644
index 4a332f8..0000000
--- a/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key
+++ /dev/null
@@ -1 +0,0 @@
-SSL_KEY jitsi_auth autj.jitsi.deuxfleurs.fr
diff --git a/app/jitsi/secrets/jitsi/auth.jitsi.key b/app/jitsi/secrets/jitsi/auth.jitsi.key
new file mode 100644
index 0000000..82e7b6b
--- /dev/null
+++ b/app/jitsi/secrets/jitsi/auth.jitsi.key
@@ -0,0 +1 @@
+SSL_KEY jitsi_auth auth.jitsi
diff --git a/app/jitsi/secrets/jitsi/jicofo_pass b/app/jitsi/secrets/jitsi/jicofo_pass
new file mode 100644
index 0000000..6a0f5fc
--- /dev/null
+++ b/app/jitsi/secrets/jitsi/jicofo_pass
@@ -0,0 +1 @@
+CMD openssl rand -base64 24
diff --git a/app/jitsi/secrets/jitsi/jitsi.crt b/app/jitsi/secrets/jitsi/jitsi.crt
new file mode 100644
index 0000000..2eed97c
--- /dev/null
+++ b/app/jitsi/secrets/jitsi/jitsi.crt
@@ -0,0 +1 @@
+SSL_CERT jitsi jitsi
diff --git a/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt b/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt
deleted file mode 100644
index 32750d3..0000000
--- a/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt
+++ /dev/null
@@ -1 +0,0 @@
-SSL_CERT jitsi jitsi.deuxfleurs.fr
diff --git a/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key b/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key
deleted file mode 100644
index 7676132..0000000
--- a/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key
+++ /dev/null
@@ -1 +0,0 @@
-SSL_KEY jitsi
diff --git a/app/jitsi/secrets/jitsi/jitsi.key b/app/jitsi/secrets/jitsi/jitsi.key
new file mode 100644
index 0000000..af53ca0
--- /dev/null
+++ b/app/jitsi/secrets/jitsi/jitsi.key
@@ -0,0 +1 @@
+SSL_KEY jitsi jitsi
diff --git a/app/jitsi/secrets/jitsi/jvb_pass b/app/jitsi/secrets/jitsi/jvb_pass
new file mode 100644
index 0000000..6a0f5fc
--- /dev/null
+++ b/app/jitsi/secrets/jitsi/jvb_pass
@@ -0,0 +1 @@
+CMD openssl rand -base64 24