commit 3e9e6f8b53fa753c54a876ecd8cc8bdfbc33da00 Author: meliurwen Date: Fri May 28 12:40:21 2021 +0200 First iteration to sort out and clean the mess of the official docker-compose multi-container stack diff --git a/.env.example b/.env.example new file mode 100644 index 0000000..376d4ac --- /dev/null +++ b/.env.example @@ -0,0 +1,92 @@ +# Global Settings +LOCAL_STACK_DIR=/srv/docker/volumes/jitsi-meet +TZ=Europe/Berlin + +# Jitsi Web Frontend +WEB_IMG= +WEB_TAG= +WEB_CONTAINER_NAME= +WEB_RESTART= + +# Prosody (XMPP Server) +PRS_IMG= +PRS_TAG= +PRS_CONTAINER_NAME= +PRS_RESTART= + +# Jicofo (Focus Component) +JCF_IMG= +JCF_TAG= +JCF_CONTAINER_NAME= +JCF_RESTART= + +# Jvb (Video Bridge) +JVB_IMG= +JVB_TAG= +JVB_CONTAINER_NAME= +JVB_RESTART= +# Media port +JVB_PORT=10000 + +# Public URL for the web service (required) +PUBLIC_URL=https://sub.domain.tld + +# +# Security +# +# - Set these to strong passwords to avoid intruders from impersonating a +# service account. +# - The service(s) won't start unless these are specified. +# - Running ./gen-passwords.sh will update .env with strong passwords. +# - You may skip the Jigasi and Jibri passwords if you are not using those. +# - DO NOT reuse passwords. +# +# Prosody (XMPP Server) and Jicofo (Focus Component) +# +# XMPP component password for Jicofo +JICOFO_COMPONENT_SECRET= +# XMPP password for Jicofo client connections +JICOFO_AUTH_PASSWORD= +# +# Prosody (XMPP Server) and Jvb (Video Bridge) +# +# XMPP password for JVB client connections +JVB_AUTH_PASSWORD= + +# +# Authentication configuration (see handbook for details) +# +# Enable authentication +ENABLE_AUTH=1 +# Enable guest access +ENABLE_GUESTS=1 +# Select authentication type: internal, jwt or ldap +AUTH_TYPE=internal + +# +# Advanced configuration options (you generally don't need to change these) +# +# Internal XMPP domain +XMPP_DOMAIN=meet.jitsi +# Internal XMPP server +XMPP_SERVER=xmpp.meet.jitsi +# Internal XMPP domain for authenticated services +XMPP_AUTH_DOMAIN=auth.meet.jitsi +# XMPP domain for the MUC +XMPP_MUC_DOMAIN=muc.meet.jitsi +# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools +XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi +# XMPP domain for unauthenticated users +XMPP_GUEST_DOMAIN=guest.meet.jitsi + +# MUC for the JVB pool +JVB_BREWERY_MUC=jvbbrewery +# XMPP user for JVB client connections +JVB_AUTH_USER=jvb + +# XMPP user for Jicofo client connections. +# NOTE: this option doesn't currently work due to a bug +JICOFO_AUTH_USER=focus + +# XMPP domain for the jibri recorder +XMPP_RECORDER_DOMAIN=recorder.meet.jitsi diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..03bd412 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +*.env diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..4776867 --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,131 @@ +version: "3" + +services: + web: + image: ${WEB_IMG:-jitsi/web}:${WEB_TAG:-latest} + container_name: ${WEB_CONTAINER_NAME:-jitsi-web} + restart: ${WEB_RESTART:-unless-stopped} + expose: + - "80" + - "8443" + networks: + meet.jitsi: + aliases: + - ${XMPP_DOMAIN} + webservices: + volumes: + - ${LOCAL_STACK_DIR}/web:/config:Z + - ${LOCAL_STACK_DIR}/transcripts:/usr/share/jitsi-meet/transcripts:Z + - ${LOCAL_STACK_DIR}/web/custom/images:/usr/share/jitsi-meet/images:ro + - ${LOCAL_STACK_DIR}/web/custom/title.html:/usr/share/jitsi-meet/title.html:ro + env_file: + - web.env + environment: + - TZ + - ENABLE_XMPP_WEBSOCKET + - PUBLIC_URL + - ENABLE_AUTH + - ENABLE_GUESTS + - JICOFO_AUTH_USER + - XMPP_AUTH_DOMAIN + - XMPP_DOMAIN + - XMPP_GUEST_DOMAIN + - XMPP_MUC_DOMAIN + - XMPP_RECORDER_DOMAIN + + prosody: + image: ${PRS_IMG:-jitsi/prosody}:${PRS_TAG:-latest} + container_name: ${PRS_CONTAINER_NAME:-jitsi-prosody} + restart: ${PRS_RESTART:-unless-stopped} + expose: + - "5222" + - "5347" + - "5280" + networks: + meet.jitsi: + aliases: + - ${XMPP_SERVER} + volumes: + - ${LOCAL_STACK_DIR}/prosody/config:/config:Z + - ${LOCAL_STACK_DIR}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z + env_file: + - prosody.env + environment: + - TZ + - JICOFO_COMPONENT_SECRET + - JICOFO_AUTH_PASSWORD + - JVB_AUTH_PASSWORD + - AUTH_TYPE + - ENABLE_AUTH + - ENABLE_GUESTS + - ENABLE_XMPP_WEBSOCKET + - XMPP_DOMAIN + - XMPP_AUTH_DOMAIN + - XMPP_GUEST_DOMAIN + - XMPP_MUC_DOMAIN + - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_RECORDER_DOMAIN + - JICOFO_AUTH_USER + - JVB_AUTH_USER + - PUBLIC_URL + + jicofo: + image: ${JCF_IMG:-jitsi/jicofo}:${JCF_TAG:-latest} + container_name: ${JCF_CONTAINER_NAME:-jitsi-jicofo} + restart: ${JCF_RESTART:-unless-stopped} + networks: + meet.jitsi: + volumes: + - ${LOCAL_STACK_DIR}/jicofo:/config:Z + env_file: + - jicofo.env + environment: + - TZ + - JICOFO_COMPONENT_SECRET + - JICOFO_AUTH_PASSWORD + - AUTH_TYPE + - ENABLE_AUTH + - XMPP_DOMAIN + - XMPP_AUTH_DOMAIN + - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_MUC_DOMAIN + - XMPP_SERVER + - JICOFO_AUTH_USER + - JVB_BREWERY_MUC + depends_on: + - prosody + + jvb: + image: ${JVB_IMG:-jitsi/jvb}:${JVB_TAG:-latest} + container_name: ${JVB_CONTAINER_NAME:-jitsi-jvb} + restart: ${JVB_RESTART:-unless-stopped} + ports: + - "${JVB_PORT}:${JVB_PORT}/udp" + - "${JVB_TCP_PORT}:${JVB_TCP_PORT}" + networks: + meet.jitsi: + aliases: + - jvb.meet.jitsi + volumes: + - ${LOCAL_STACK_DIR}/jvb:/config:Z + env_file: + - jvb.env + environment: + - TZ + - JVB_AUTH_PASSWORD + - XMPP_AUTH_DOMAIN + - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_SERVER + - JVB_AUTH_USER + - JVB_BREWERY_MUC + - JVB_PORT + - PUBLIC_URL + depends_on: + - prosody + +# Custom network so all services can communicate using a FQDN +networks: + meet.jitsi: + webservices: + external: + name: webservices diff --git a/gen-passwords.sh b/gen-passwords.sh new file mode 100755 index 0000000..43d5b95 --- /dev/null +++ b/gen-passwords.sh @@ -0,0 +1,21 @@ +#!/bin/bash + +function generatePassword() { + openssl rand -hex 16 +} + +JICOFO_COMPONENT_SECRET=$(generatePassword) +JICOFO_AUTH_PASSWORD=$(generatePassword) +JVB_AUTH_PASSWORD=$(generatePassword) +JIGASI_XMPP_PASSWORD=$(generatePassword) +JIBRI_RECORDER_PASSWORD=$(generatePassword) +JIBRI_XMPP_PASSWORD=$(generatePassword) + +sed -i.bak \ + -e "s#JICOFO_COMPONENT_SECRET=.*#JICOFO_COMPONENT_SECRET=${JICOFO_COMPONENT_SECRET}#g" \ + -e "s#JICOFO_AUTH_PASSWORD=.*#JICOFO_AUTH_PASSWORD=${JICOFO_AUTH_PASSWORD}#g" \ + -e "s#JVB_AUTH_PASSWORD=.*#JVB_AUTH_PASSWORD=${JVB_AUTH_PASSWORD}#g" \ + -e "s#JIGASI_XMPP_PASSWORD=.*#JIGASI_XMPP_PASSWORD=${JIGASI_XMPP_PASSWORD}#g" \ + -e "s#JIBRI_RECORDER_PASSWORD=.*#JIBRI_RECORDER_PASSWORD=${JIBRI_RECORDER_PASSWORD}#g" \ + -e "s#JIBRI_XMPP_PASSWORD=.*#JIBRI_XMPP_PASSWORD=${JIBRI_XMPP_PASSWORD}#g" \ + "$(dirname "$0")/*.env" diff --git a/jicofo.env.example b/jicofo.env.example new file mode 100644 index 0000000..39065d8 --- /dev/null +++ b/jicofo.env.example @@ -0,0 +1,19 @@ + +# Base URL of Jicofo's reservation REST API +#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com +# MUC name for the Jigasi pool +JIGASI_BREWERY_MUC=jigasibrewery + +# SIP URI for incoming / outgoing calls +#JIGASI_SIP_URI=test@sip2sip.info + +# MUC name for the Jibri pool +JIBRI_BREWERY_MUC=jibribrewery + +# MUC connection timeout +JIBRI_PENDING_TIMEOUT=90 + +# Enable Jicofo's health check REST API (http://:8888/about/health) +#JICOFO_ENABLE_HEALTH_CHECKS=true + +JICOFO_MAX_MEMORY=500m diff --git a/jvb.env.example b/jvb.env.example new file mode 100644 index 0000000..2d17fe8 --- /dev/null +++ b/jvb.env.example @@ -0,0 +1,19 @@ + +# IP address of the Docker host +# See the "Running behind NAT or on a LAN environment" section in the Handbook: +# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment +#DOCKER_HOST_ADDRESS=192.168.1.1 +# TCP Fallback for Jitsi Videobridge for when UDP isn't available +JVB_TCP_HARVESTER_DISABLED=true +JVB_TCP_PORT=4443 +JVB_TCP_MAPPED_PORT=4443 +# STUN servers used to discover the server's public IP +JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443 +# A comma separated list of APIs to enable when the JVB is started [default: none] +# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information +#JVB_ENABLE_APIS=rest,colibri + +JVB_WS_DOMAIN +JVB_WS_SERVER_ID + +VIDEOBRIDGE_MAX_MEMORY=500m diff --git a/prosody.env.example b/prosody.env.example new file mode 100644 index 0000000..1ebf6a1 --- /dev/null +++ b/prosody.env.example @@ -0,0 +1,116 @@ + + +# Control whether the lobby feature should be enabled or not +ENABLE_LOBBY=1 + +GLOBAL_MODULES +GLOBAL_CONFIG +# LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page) +# + +# LDAP url for connection +#LDAP_URL=ldaps://ldap.domain.com/ + +# LDAP base DN. Can be empty +#LDAP_BASE=DC=example,DC=domain,DC=com + +# LDAP user DN. Do not specify this parameter for the anonymous bind +#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com + +# LDAP user password. Do not specify this parameter for the anonymous bind +#LDAP_BINDPW=LdapUserPassw0rd + +# LDAP filter. Tokens example: +# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail +# %s - %s is replaced by the complete service string +# %r - %r is replaced by the complete realm string +#LDAP_FILTER=(sAMAccountName=%u) + +# LDAP authentication method +#LDAP_AUTH_METHOD=bind + +# LDAP version +#LDAP_VERSION=3 + +# LDAP TLS using +#LDAP_USE_TLS=1 + +# List of SSL/TLS ciphers to allow +#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC + +# Require and verify server certificate +#LDAP_TLS_CHECK_PEER=1 + +# Path to CA cert file. Used when server certificate verify is enabled +#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt + +# Path to CA certs directory. Used when server certificate verify is enabled +#LDAP_TLS_CACERT_DIR=/etc/ssl/certs + +# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps:// +# LDAP_START_TLS=1 + +# Custom Prosody modules for XMPP_DOMAIN (comma separated) +XMPP_MODULES= + +# Custom Prosody modules for MUC component (comma separated) +XMPP_MUC_MODULES= + +# Custom Prosody modules for internal MUC component (comma separated) +XMPP_INTERNAL_MUC_MODULES= + +# XMPP user for Jigasi MUC client connections +JIGASI_XMPP_USER=jigasi + +# XMPP password for Jigasi MUC client connections +JIGASI_XMPP_PASSWORD= + + +# XMPP user for Jibri client connections +JIBRI_XMPP_USER=jibri +# XMPP password for Jibri client connections +JIBRI_XMPP_PASSWORD= +# XMPP recorder user for Jibri client connections +JIBRI_RECORDER_USER=recorder +# XMPP recorder password for Jibri client connections +JIBRI_RECORDER_PASSWORD= + +# Directory for recordings inside Jibri container +JIBRI_RECORDING_DIR=/config/recordings + +# The finalizing script. Will run after recording is complete +JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh + +# When jibri gets a request to start a service for a room, the room +# jid will look like: roomName@optional.prefixes.subdomain.xmpp_domain +# We'll build the url for the call by transforming that into: +# https://xmpp_domain/subdomain/roomName +# So if there are any prefixes in the jid (like jitsi meet, which +# has its participants join a muc at conference.xmpp_domain) then +# list that prefix here so it can be stripped out to generate +# the call url correctly +#JIBRI_STRIP_DOMAIN_JID=muc + +# Directory for logs inside Jibri container +#JIBRI_LOGS_DIR=/config/logs + +# JWT authentication +# + +# Application identifier +#JWT_APP_ID=my_jitsi_app_id + +# Application secret known only to your token +#JWT_APP_SECRET=my_jitsi_app_secret + +# (Optional) Set asap_accepted_issuers as a comma separated list +#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client + +# (Optional) Set asap_accepted_audiences as a comma separated list +#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2 + +JWT_ASAP_KEYSERVER +JWT_ALLOW_EMPTY +JWT_AUTH_TYPE +JWT_TOKEN_AUTH_MODULE +LOG_LEVEL diff --git a/web.env.example b/web.env.example new file mode 100644 index 0000000..47c7a31 --- /dev/null +++ b/web.env.example @@ -0,0 +1,102 @@ +APP_NAME="Jitsi Meet" + +# Enable Let's Encrypt certificate generation +ENABLE_LETSENCRYPT=0 + +# Redirect HTTP traffic to HTTPS +# Necessary for Let's Encrypt, relies on standard HTTPS port (443) +#ENABLE_HTTP_REDIRECT=1 + +# Disable HTTPS: handle TLS connections outside of this setup +#DISABLE_HTTPS=1 + +# Domain for which to generate the certificate +#LETSENCRYPT_DOMAIN=meet.example.com + +# Use the staging server (for avoiding rate limits while testing) +#LETSENCRYPT_USE_STAGING=1 + +# Reverse-proxy and certbot +VIRTUAL_HOST=sub.domain.tld +VIRTUAL_PORT=80 +LETSENCRYPT_HOST=sub.domain.tld +LETSENCRYPT_EMAIL=account@domain.tld + +# +# Stuff to sort out +# +AMPLITUDE_ID +ANALYTICS_SCRIPT_URLS +ANALYTICS_WHITELISTED_EVENTS +BRIDGE_CHANNEL +BRANDING_DATA_URL +CALLSTATS_CUSTOM_SCRIPT_URL +CALLSTATS_ID +CALLSTATS_SECRET +CHROME_EXTENSION_BANNER_JSON +CONFCODE_URL +CONFIG_EXTERNAL_CONNECT +DEPLOYMENTINFO_ENVIRONMENT +DEPLOYMENTINFO_ENVIRONMENT_TYPE +DEPLOYMENTINFO_USERREGION +DIALIN_NUMBERS_URL +DIALOUT_AUTH_URL +DIALOUT_CODES_URL +DROPBOX_APPKEY +DROPBOX_REDIRECT_URI +ENABLE_AUDIO_PROCESSING +ENABLE_CALENDAR +ENABLE_FILE_RECORDING_SERVICE +ENABLE_FILE_RECORDING_SERVICE_SHARING +ENABLE_IPV6 +ENABLE_LIPSYNC +ENABLE_NO_AUDIO_DETECTION +ENABLE_P2P + +# Show a prejoin page before entering a conference +ENABLE_PREJOIN_PAGE=1 +# Enable recording +ENABLE_RECORDING=0 + +ENABLE_REMB +ENABLE_REQUIRE_DISPLAY_NAME +ENABLE_SIMULCAST +ENABLE_STATS_ID +ENABLE_STEREO +ENABLE_SUBDOMAINS +ENABLE_TALK_WHILE_MUTED +ENABLE_TCC + +# Enable Jigasi transcription +ENABLE_TRANSCRIPTIONS=0 + +# Set etherpad-lite public URL (uncomment to enable) +#ETHERPAD_PUBLIC_URL=https://etherpad.my.domain + +# Set etherpad-lite URL in docker local network (uncomment to enable) +#ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001 +GOOGLE_ANALYTICS_ID +GOOGLE_API_APP_CLIENT_ID +INVITE_SERVICE_URL + +MATOMO_ENDPOINT +MATOMO_SITE_ID +MICROSOFT_API_APP_CLIENT_ID +NGINX_RESOLVER +PEOPLE_SEARCH_URL +RESOLUTION +RESOLUTION_MIN +RESOLUTION_WIDTH +RESOLUTION_WIDTH_MIN +START_AUDIO_ONLY +START_AUDIO_MUTED +START_BITRATE +START_VIDEO_MUTED +TESTING_CAP_SCREENSHARE_BITRATE +TESTING_OCTO_PROBABILITY + +# Internal XMPP server URL +XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280 + +# Authenticate using external service or just focus external auth window if there is one already. +# TOKEN_AUTH_URL=https://auth.meet.example.com/{room}