First iteration to sort out and clean the mess of the official docker-compose multi-container stack

4 years ago · 3e9e6f8b53
commit 3e9e6f8b53
8 changed files with 501 additions and 0 deletions
--- a/.env.example
+++ b/.env.example
@ -0,0 +1,92 @@
+# Global Settings
+LOCAL_STACK_DIR=/srv/docker/volumes/jitsi-meet
+TZ=Europe/Berlin
+
+# Jitsi Web Frontend
+WEB_IMG=
+WEB_TAG=
+WEB_CONTAINER_NAME=
+WEB_RESTART=
+
+# Prosody (XMPP Server)
+PRS_IMG=
+PRS_TAG=
+PRS_CONTAINER_NAME=
+PRS_RESTART=
+
+# Jicofo (Focus Component)
+JCF_IMG=
+JCF_TAG=
+JCF_CONTAINER_NAME=
+JCF_RESTART=
+
+# Jvb (Video Bridge)
+JVB_IMG=
+JVB_TAG=
+JVB_CONTAINER_NAME=
+JVB_RESTART=
+# Media port
+JVB_PORT=10000
+
+# Public URL for the web service (required)
+PUBLIC_URL=https://sub.domain.tld
+
+#
+# Security
+#
+# - Set these to strong passwords to avoid intruders from impersonating a
+#   service account.
+# - The service(s) won't start unless these are specified.
+# - Running ./gen-passwords.sh will update .env with strong passwords.
+# - You may skip the Jigasi and Jibri passwords if you are not using those.
+# - DO NOT reuse passwords.
+#
+# Prosody (XMPP Server) and Jicofo (Focus Component)
+#
+# XMPP component password for Jicofo
+JICOFO_COMPONENT_SECRET=
+# XMPP password for Jicofo client connections
+JICOFO_AUTH_PASSWORD=
+#
+# Prosody (XMPP Server) and Jvb (Video Bridge)
+#
+# XMPP password for JVB client connections
+JVB_AUTH_PASSWORD=
+
+#
+# Authentication configuration (see handbook for details)
+#
+# Enable authentication
+ENABLE_AUTH=1
+# Enable guest access
+ENABLE_GUESTS=1
+# Select authentication type: internal, jwt or ldap
+AUTH_TYPE=internal
+
+#
+# Advanced configuration options (you generally don't need to change these)
+#
+# Internal XMPP domain
+XMPP_DOMAIN=meet.jitsi
+# Internal XMPP server
+XMPP_SERVER=xmpp.meet.jitsi
+# Internal XMPP domain for authenticated services
+XMPP_AUTH_DOMAIN=auth.meet.jitsi
+# XMPP domain for the MUC
+XMPP_MUC_DOMAIN=muc.meet.jitsi
+# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools
+XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi
+# XMPP domain for unauthenticated users
+XMPP_GUEST_DOMAIN=guest.meet.jitsi
+
+# MUC for the JVB pool
+JVB_BREWERY_MUC=jvbbrewery
+# XMPP user for JVB client connections
+JVB_AUTH_USER=jvb
+
+# XMPP user for Jicofo client connections.
+# NOTE: this option doesn't currently work due to a bug
+JICOFO_AUTH_USER=focus
+
+# XMPP domain for the jibri recorder
+XMPP_RECORDER_DOMAIN=recorder.meet.jitsi
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+*.env
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,131 @@
+version: "3"
+
+services:
+  web:
+    image: ${WEB_IMG:-jitsi/web}:${WEB_TAG:-latest}
+    container_name: ${WEB_CONTAINER_NAME:-jitsi-web}
+    restart: ${WEB_RESTART:-unless-stopped}
+    expose:
+      - "80"
+      - "8443"
+    networks:
+      meet.jitsi:
+        aliases:
+          - ${XMPP_DOMAIN}
+      webservices:
+    volumes:
+      - ${LOCAL_STACK_DIR}/web:/config:Z
+      - ${LOCAL_STACK_DIR}/transcripts:/usr/share/jitsi-meet/transcripts:Z
+      - ${LOCAL_STACK_DIR}/web/custom/images:/usr/share/jitsi-meet/images:ro
+      - ${LOCAL_STACK_DIR}/web/custom/title.html:/usr/share/jitsi-meet/title.html:ro
+    env_file:
+      - web.env
+    environment:
+      - TZ
+      - ENABLE_XMPP_WEBSOCKET
+      - PUBLIC_URL
+      - ENABLE_AUTH
+      - ENABLE_GUESTS
+      - JICOFO_AUTH_USER
+      - XMPP_AUTH_DOMAIN
+      - XMPP_DOMAIN
+      - XMPP_GUEST_DOMAIN
+      - XMPP_MUC_DOMAIN
+      - XMPP_RECORDER_DOMAIN
+
+  prosody:
+    image: ${PRS_IMG:-jitsi/prosody}:${PRS_TAG:-latest}
+    container_name: ${PRS_CONTAINER_NAME:-jitsi-prosody}
+    restart: ${PRS_RESTART:-unless-stopped}
+    expose:
+      - "5222"
+      - "5347"
+      - "5280"
+    networks:
+      meet.jitsi:
+        aliases:
+          - ${XMPP_SERVER}
+    volumes:
+      - ${LOCAL_STACK_DIR}/prosody/config:/config:Z
+      - ${LOCAL_STACK_DIR}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z
+    env_file:
+      - prosody.env
+    environment:
+      - TZ
+      - JICOFO_COMPONENT_SECRET
+      - JICOFO_AUTH_PASSWORD
+      - JVB_AUTH_PASSWORD
+      - AUTH_TYPE
+      - ENABLE_AUTH
+      - ENABLE_GUESTS
+      - ENABLE_XMPP_WEBSOCKET
+      - XMPP_DOMAIN
+      - XMPP_AUTH_DOMAIN
+      - XMPP_GUEST_DOMAIN
+      - XMPP_MUC_DOMAIN
+      - XMPP_INTERNAL_MUC_DOMAIN
+      - XMPP_RECORDER_DOMAIN
+      - JICOFO_AUTH_USER
+      - JVB_AUTH_USER
+      - PUBLIC_URL
+
+  jicofo:
+    image: ${JCF_IMG:-jitsi/jicofo}:${JCF_TAG:-latest}
+    container_name: ${JCF_CONTAINER_NAME:-jitsi-jicofo}
+    restart: ${JCF_RESTART:-unless-stopped}
+    networks:
+      meet.jitsi:
+    volumes:
+      - ${LOCAL_STACK_DIR}/jicofo:/config:Z
+    env_file:
+      - jicofo.env
+    environment:
+      - TZ
+      - JICOFO_COMPONENT_SECRET
+      - JICOFO_AUTH_PASSWORD
+      - AUTH_TYPE
+      - ENABLE_AUTH
+      - XMPP_DOMAIN
+      - XMPP_AUTH_DOMAIN
+      - XMPP_INTERNAL_MUC_DOMAIN
+      - XMPP_MUC_DOMAIN
+      - XMPP_SERVER
+      - JICOFO_AUTH_USER
+      - JVB_BREWERY_MUC
+    depends_on:
+      - prosody
+
+  jvb:
+    image: ${JVB_IMG:-jitsi/jvb}:${JVB_TAG:-latest}
+    container_name: ${JVB_CONTAINER_NAME:-jitsi-jvb}
+    restart: ${JVB_RESTART:-unless-stopped}
+    ports:
+      - "${JVB_PORT}:${JVB_PORT}/udp"
+      - "${JVB_TCP_PORT}:${JVB_TCP_PORT}"
+    networks:
+      meet.jitsi:
+        aliases:
+          - jvb.meet.jitsi
+    volumes:
+      - ${LOCAL_STACK_DIR}/jvb:/config:Z
+    env_file:
+      - jvb.env
+    environment:
+      - TZ
+      - JVB_AUTH_PASSWORD
+      - XMPP_AUTH_DOMAIN
+      - XMPP_INTERNAL_MUC_DOMAIN
+      - XMPP_SERVER
+      - JVB_AUTH_USER
+      - JVB_BREWERY_MUC
+      - JVB_PORT
+      - PUBLIC_URL
+    depends_on:
+      - prosody
+
+# Custom network so all services can communicate using a FQDN
+networks:
+  meet.jitsi:
+  webservices:
+    external:
+      name: webservices
--- a/gen-passwords.sh
+++ b/gen-passwords.sh
@ -0,0 +1,21 @@
+#!/bin/bash
+
+function generatePassword() {
+    openssl rand -hex 16
+}
+
+JICOFO_COMPONENT_SECRET=$(generatePassword)
+JICOFO_AUTH_PASSWORD=$(generatePassword)
+JVB_AUTH_PASSWORD=$(generatePassword)
+JIGASI_XMPP_PASSWORD=$(generatePassword)
+JIBRI_RECORDER_PASSWORD=$(generatePassword)
+JIBRI_XMPP_PASSWORD=$(generatePassword)
+
+sed -i.bak \
+    -e "s#JICOFO_COMPONENT_SECRET=.*#JICOFO_COMPONENT_SECRET=${JICOFO_COMPONENT_SECRET}#g" \
+    -e "s#JICOFO_AUTH_PASSWORD=.*#JICOFO_AUTH_PASSWORD=${JICOFO_AUTH_PASSWORD}#g" \
+    -e "s#JVB_AUTH_PASSWORD=.*#JVB_AUTH_PASSWORD=${JVB_AUTH_PASSWORD}#g" \
+    -e "s#JIGASI_XMPP_PASSWORD=.*#JIGASI_XMPP_PASSWORD=${JIGASI_XMPP_PASSWORD}#g" \
+    -e "s#JIBRI_RECORDER_PASSWORD=.*#JIBRI_RECORDER_PASSWORD=${JIBRI_RECORDER_PASSWORD}#g" \
+    -e "s#JIBRI_XMPP_PASSWORD=.*#JIBRI_XMPP_PASSWORD=${JIBRI_XMPP_PASSWORD}#g" \
+    "$(dirname "$0")/*.env"
--- a/jicofo.env.example
+++ b/jicofo.env.example
@ -0,0 +1,19 @@
+
+# Base URL of Jicofo's reservation REST API
+#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com
+# MUC name for the Jigasi pool
+JIGASI_BREWERY_MUC=jigasibrewery
+
+# SIP URI for incoming / outgoing calls
+#JIGASI_SIP_URI=test@sip2sip.info
+
+# MUC name for the Jibri pool
+JIBRI_BREWERY_MUC=jibribrewery
+
+# MUC connection timeout
+JIBRI_PENDING_TIMEOUT=90
+
+# Enable Jicofo's health check REST API (http://<jicofo_base_url>:8888/about/health)
+#JICOFO_ENABLE_HEALTH_CHECKS=true
+
+JICOFO_MAX_MEMORY=500m
--- a/jvb.env.example
+++ b/jvb.env.example
@ -0,0 +1,19 @@
+
+# IP address of the Docker host
+# See the "Running behind NAT or on a LAN environment" section in the Handbook:
+# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment
+#DOCKER_HOST_ADDRESS=192.168.1.1
+# TCP Fallback for Jitsi Videobridge for when UDP isn't available
+JVB_TCP_HARVESTER_DISABLED=true
+JVB_TCP_PORT=4443
+JVB_TCP_MAPPED_PORT=4443
+# STUN servers used to discover the server's public IP
+JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443
+# A comma separated list of APIs to enable when the JVB is started [default: none]
+# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information
+#JVB_ENABLE_APIS=rest,colibri
+
+JVB_WS_DOMAIN
+JVB_WS_SERVER_ID
+
+VIDEOBRIDGE_MAX_MEMORY=500m
--- a/prosody.env.example
+++ b/prosody.env.example
@ -0,0 +1,116 @@
+
+
+# Control whether the lobby feature should be enabled or not
+ENABLE_LOBBY=1
+
+GLOBAL_MODULES
+GLOBAL_CONFIG
+# LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page)
+#
+
+# LDAP url for connection
+#LDAP_URL=ldaps://ldap.domain.com/
+
+# LDAP base DN. Can be empty
+#LDAP_BASE=DC=example,DC=domain,DC=com
+
+# LDAP user DN. Do not specify this parameter for the anonymous bind
+#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
+
+# LDAP user password. Do not specify this parameter for the anonymous bind
+#LDAP_BINDPW=LdapUserPassw0rd
+
+# LDAP filter. Tokens example:
+# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail
+# %s - %s is replaced by the complete service string
+# %r - %r is replaced by the complete realm string
+#LDAP_FILTER=(sAMAccountName=%u)
+
+# LDAP authentication method
+#LDAP_AUTH_METHOD=bind
+
+# LDAP version
+#LDAP_VERSION=3
+
+# LDAP TLS using
+#LDAP_USE_TLS=1
+
+# List of SSL/TLS ciphers to allow
+#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
+
+# Require and verify server certificate
+#LDAP_TLS_CHECK_PEER=1
+
+# Path to CA cert file. Used when server certificate verify is enabled
+#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt
+
+# Path to CA certs directory. Used when server certificate verify is enabled
+#LDAP_TLS_CACERT_DIR=/etc/ssl/certs
+
+# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps://
+# LDAP_START_TLS=1
+
+# Custom Prosody modules for XMPP_DOMAIN (comma separated)
+XMPP_MODULES=
+
+# Custom Prosody modules for MUC component (comma separated)
+XMPP_MUC_MODULES=
+
+# Custom Prosody modules for internal MUC component (comma separated)
+XMPP_INTERNAL_MUC_MODULES=
+
+# XMPP user for Jigasi MUC client connections
+JIGASI_XMPP_USER=jigasi
+
+# XMPP password for Jigasi MUC client connections
+JIGASI_XMPP_PASSWORD=
+
+
+# XMPP user for Jibri client connections
+JIBRI_XMPP_USER=jibri
+# XMPP password for Jibri client connections
+JIBRI_XMPP_PASSWORD=
+# XMPP recorder user for Jibri client connections
+JIBRI_RECORDER_USER=recorder
+# XMPP recorder password for Jibri client connections
+JIBRI_RECORDER_PASSWORD=
+
+# Directory for recordings inside Jibri container
+JIBRI_RECORDING_DIR=/config/recordings
+
+# The finalizing script. Will run after recording is complete
+JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh
+
+# When jibri gets a request to start a service for a room, the room
+# jid will look like: roomName@optional.prefixes.subdomain.xmpp_domain
+# We'll build the url for the call by transforming that into:
+# https://xmpp_domain/subdomain/roomName
+# So if there are any prefixes in the jid (like jitsi meet, which
+# has its participants join a muc at conference.xmpp_domain) then
+# list that prefix here so it can be stripped out to generate
+# the call url correctly
+#JIBRI_STRIP_DOMAIN_JID=muc
+
+# Directory for logs inside Jibri container
+#JIBRI_LOGS_DIR=/config/logs
+
+# JWT authentication
+#
+
+# Application identifier
+#JWT_APP_ID=my_jitsi_app_id
+
+# Application secret known only to your token
+#JWT_APP_SECRET=my_jitsi_app_secret
+
+# (Optional) Set asap_accepted_issuers as a comma separated list
+#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client
+
+# (Optional) Set asap_accepted_audiences as a comma separated list
+#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2
+
+JWT_ASAP_KEYSERVER
+JWT_ALLOW_EMPTY
+JWT_AUTH_TYPE
+JWT_TOKEN_AUTH_MODULE
+LOG_LEVEL
--- a/web.env.example
+++ b/web.env.example
@ -0,0 +1,102 @@
+APP_NAME="Jitsi Meet"
+
+# Enable Let's Encrypt certificate generation
+ENABLE_LETSENCRYPT=0
+
+# Redirect HTTP traffic to HTTPS
+# Necessary for Let's Encrypt, relies on standard HTTPS port (443)
+#ENABLE_HTTP_REDIRECT=1
+
+# Disable HTTPS: handle TLS connections outside of this setup
+#DISABLE_HTTPS=1
+
+# Domain for which to generate the certificate
+#LETSENCRYPT_DOMAIN=meet.example.com
+
+# Use the staging server (for avoiding rate limits while testing)
+#LETSENCRYPT_USE_STAGING=1
+
+# Reverse-proxy and certbot
+VIRTUAL_HOST=sub.domain.tld
+VIRTUAL_PORT=80
+LETSENCRYPT_HOST=sub.domain.tld
+LETSENCRYPT_EMAIL=account@domain.tld
+
+#
+# Stuff to sort out
+#
+AMPLITUDE_ID
+ANALYTICS_SCRIPT_URLS
+ANALYTICS_WHITELISTED_EVENTS
+BRIDGE_CHANNEL
+BRANDING_DATA_URL
+CALLSTATS_CUSTOM_SCRIPT_URL
+CALLSTATS_ID
+CALLSTATS_SECRET
+CHROME_EXTENSION_BANNER_JSON
+CONFCODE_URL
+CONFIG_EXTERNAL_CONNECT
+DEPLOYMENTINFO_ENVIRONMENT
+DEPLOYMENTINFO_ENVIRONMENT_TYPE
+DEPLOYMENTINFO_USERREGION
+DIALIN_NUMBERS_URL
+DIALOUT_AUTH_URL
+DIALOUT_CODES_URL
+DROPBOX_APPKEY
+DROPBOX_REDIRECT_URI
+ENABLE_AUDIO_PROCESSING
+ENABLE_CALENDAR
+ENABLE_FILE_RECORDING_SERVICE
+ENABLE_FILE_RECORDING_SERVICE_SHARING
+ENABLE_IPV6
+ENABLE_LIPSYNC
+ENABLE_NO_AUDIO_DETECTION
+ENABLE_P2P
+
+# Show a prejoin page before entering a conference
+ENABLE_PREJOIN_PAGE=1
+# Enable recording
+ENABLE_RECORDING=0
+
+ENABLE_REMB
+ENABLE_REQUIRE_DISPLAY_NAME
+ENABLE_SIMULCAST
+ENABLE_STATS_ID
+ENABLE_STEREO
+ENABLE_SUBDOMAINS
+ENABLE_TALK_WHILE_MUTED
+ENABLE_TCC
+
+# Enable Jigasi transcription
+ENABLE_TRANSCRIPTIONS=0
+
+# Set etherpad-lite public URL (uncomment to enable)
+#ETHERPAD_PUBLIC_URL=https://etherpad.my.domain
+
+# Set etherpad-lite URL in docker local network (uncomment to enable)
+#ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001
+GOOGLE_ANALYTICS_ID
+GOOGLE_API_APP_CLIENT_ID
+INVITE_SERVICE_URL
+
+MATOMO_ENDPOINT
+MATOMO_SITE_ID
+MICROSOFT_API_APP_CLIENT_ID
+NGINX_RESOLVER
+PEOPLE_SEARCH_URL
+RESOLUTION
+RESOLUTION_MIN
+RESOLUTION_WIDTH
+RESOLUTION_WIDTH_MIN
+START_AUDIO_ONLY
+START_AUDIO_MUTED
+START_BITRATE
+START_VIDEO_MUTED
+TESTING_CAP_SCREENSHARE_BITRATE
+TESTING_OCTO_PROBABILITY
+
+# Internal XMPP server URL
+XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280
+
+# Authenticate using external service or just focus external auth window if there is one already.
+# TOKEN_AUTH_URL=https://auth.meet.example.com/{room}