First iteration to sort out and clean the mess of the official docker-compose multi-container stack

master
Meliurwen 3 years ago
commit 3e9e6f8b53
Signed by: meliurwen
GPG Key ID: 818A8B35E9F1CE10
  1. 92
      .env.example
  2. 1
      .gitignore
  3. 131
      docker-compose.yml
  4. 21
      gen-passwords.sh
  5. 19
      jicofo.env.example
  6. 19
      jvb.env.example
  7. 116
      prosody.env.example
  8. 102
      web.env.example

@ -0,0 +1,92 @@
# Global Settings
LOCAL_STACK_DIR=/srv/docker/volumes/jitsi-meet
TZ=Europe/Berlin
# Jitsi Web Frontend
WEB_IMG=
WEB_TAG=
WEB_CONTAINER_NAME=
WEB_RESTART=
# Prosody (XMPP Server)
PRS_IMG=
PRS_TAG=
PRS_CONTAINER_NAME=
PRS_RESTART=
# Jicofo (Focus Component)
JCF_IMG=
JCF_TAG=
JCF_CONTAINER_NAME=
JCF_RESTART=
# Jvb (Video Bridge)
JVB_IMG=
JVB_TAG=
JVB_CONTAINER_NAME=
JVB_RESTART=
# Media port
JVB_PORT=10000
# Public URL for the web service (required)
PUBLIC_URL=https://sub.domain.tld
#
# Security
#
# - Set these to strong passwords to avoid intruders from impersonating a
# service account.
# - The service(s) won't start unless these are specified.
# - Running ./gen-passwords.sh will update .env with strong passwords.
# - You may skip the Jigasi and Jibri passwords if you are not using those.
# - DO NOT reuse passwords.
#
# Prosody (XMPP Server) and Jicofo (Focus Component)
#
# XMPP component password for Jicofo
JICOFO_COMPONENT_SECRET=
# XMPP password for Jicofo client connections
JICOFO_AUTH_PASSWORD=
#
# Prosody (XMPP Server) and Jvb (Video Bridge)
#
# XMPP password for JVB client connections
JVB_AUTH_PASSWORD=
#
# Authentication configuration (see handbook for details)
#
# Enable authentication
ENABLE_AUTH=1
# Enable guest access
ENABLE_GUESTS=1
# Select authentication type: internal, jwt or ldap
AUTH_TYPE=internal
#
# Advanced configuration options (you generally don't need to change these)
#
# Internal XMPP domain
XMPP_DOMAIN=meet.jitsi
# Internal XMPP server
XMPP_SERVER=xmpp.meet.jitsi
# Internal XMPP domain for authenticated services
XMPP_AUTH_DOMAIN=auth.meet.jitsi
# XMPP domain for the MUC
XMPP_MUC_DOMAIN=muc.meet.jitsi
# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools
XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi
# XMPP domain for unauthenticated users
XMPP_GUEST_DOMAIN=guest.meet.jitsi
# MUC for the JVB pool
JVB_BREWERY_MUC=jvbbrewery
# XMPP user for JVB client connections
JVB_AUTH_USER=jvb
# XMPP user for Jicofo client connections.
# NOTE: this option doesn't currently work due to a bug
JICOFO_AUTH_USER=focus
# XMPP domain for the jibri recorder
XMPP_RECORDER_DOMAIN=recorder.meet.jitsi

1
.gitignore vendored

@ -0,0 +1 @@
*.env

@ -0,0 +1,131 @@
version: "3"
services:
web:
image: ${WEB_IMG:-jitsi/web}:${WEB_TAG:-latest}
container_name: ${WEB_CONTAINER_NAME:-jitsi-web}
restart: ${WEB_RESTART:-unless-stopped}
expose:
- "80"
- "8443"
networks:
meet.jitsi:
aliases:
- ${XMPP_DOMAIN}
webservices:
volumes:
- ${LOCAL_STACK_DIR}/web:/config:Z
- ${LOCAL_STACK_DIR}/transcripts:/usr/share/jitsi-meet/transcripts:Z
- ${LOCAL_STACK_DIR}/web/custom/images:/usr/share/jitsi-meet/images:ro
- ${LOCAL_STACK_DIR}/web/custom/title.html:/usr/share/jitsi-meet/title.html:ro
env_file:
- web.env
environment:
- TZ
- ENABLE_XMPP_WEBSOCKET
- PUBLIC_URL
- ENABLE_AUTH
- ENABLE_GUESTS
- JICOFO_AUTH_USER
- XMPP_AUTH_DOMAIN
- XMPP_DOMAIN
- XMPP_GUEST_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_RECORDER_DOMAIN
prosody:
image: ${PRS_IMG:-jitsi/prosody}:${PRS_TAG:-latest}
container_name: ${PRS_CONTAINER_NAME:-jitsi-prosody}
restart: ${PRS_RESTART:-unless-stopped}
expose:
- "5222"
- "5347"
- "5280"
networks:
meet.jitsi:
aliases:
- ${XMPP_SERVER}
volumes:
- ${LOCAL_STACK_DIR}/prosody/config:/config:Z
- ${LOCAL_STACK_DIR}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z
env_file:
- prosody.env
environment:
- TZ
- JICOFO_COMPONENT_SECRET
- JICOFO_AUTH_PASSWORD
- JVB_AUTH_PASSWORD
- AUTH_TYPE
- ENABLE_AUTH
- ENABLE_GUESTS
- ENABLE_XMPP_WEBSOCKET
- XMPP_DOMAIN
- XMPP_AUTH_DOMAIN
- XMPP_GUEST_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_RECORDER_DOMAIN
- JICOFO_AUTH_USER
- JVB_AUTH_USER
- PUBLIC_URL
jicofo:
image: ${JCF_IMG:-jitsi/jicofo}:${JCF_TAG:-latest}
container_name: ${JCF_CONTAINER_NAME:-jitsi-jicofo}
restart: ${JCF_RESTART:-unless-stopped}
networks:
meet.jitsi:
volumes:
- ${LOCAL_STACK_DIR}/jicofo:/config:Z
env_file:
- jicofo.env
environment:
- TZ
- JICOFO_COMPONENT_SECRET
- JICOFO_AUTH_PASSWORD
- AUTH_TYPE
- ENABLE_AUTH
- XMPP_DOMAIN
- XMPP_AUTH_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_SERVER
- JICOFO_AUTH_USER
- JVB_BREWERY_MUC
depends_on:
- prosody
jvb:
image: ${JVB_IMG:-jitsi/jvb}:${JVB_TAG:-latest}
container_name: ${JVB_CONTAINER_NAME:-jitsi-jvb}
restart: ${JVB_RESTART:-unless-stopped}
ports:
- "${JVB_PORT}:${JVB_PORT}/udp"
- "${JVB_TCP_PORT}:${JVB_TCP_PORT}"
networks:
meet.jitsi:
aliases:
- jvb.meet.jitsi
volumes:
- ${LOCAL_STACK_DIR}/jvb:/config:Z
env_file:
- jvb.env
environment:
- TZ
- JVB_AUTH_PASSWORD
- XMPP_AUTH_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_SERVER
- JVB_AUTH_USER
- JVB_BREWERY_MUC
- JVB_PORT
- PUBLIC_URL
depends_on:
- prosody
# Custom network so all services can communicate using a FQDN
networks:
meet.jitsi:
webservices:
external:
name: webservices

@ -0,0 +1,21 @@
#!/bin/bash
function generatePassword() {
openssl rand -hex 16
}
JICOFO_COMPONENT_SECRET=$(generatePassword)
JICOFO_AUTH_PASSWORD=$(generatePassword)
JVB_AUTH_PASSWORD=$(generatePassword)
JIGASI_XMPP_PASSWORD=$(generatePassword)
JIBRI_RECORDER_PASSWORD=$(generatePassword)
JIBRI_XMPP_PASSWORD=$(generatePassword)
sed -i.bak \
-e "s#JICOFO_COMPONENT_SECRET=.*#JICOFO_COMPONENT_SECRET=${JICOFO_COMPONENT_SECRET}#g" \
-e "s#JICOFO_AUTH_PASSWORD=.*#JICOFO_AUTH_PASSWORD=${JICOFO_AUTH_PASSWORD}#g" \
-e "s#JVB_AUTH_PASSWORD=.*#JVB_AUTH_PASSWORD=${JVB_AUTH_PASSWORD}#g" \
-e "s#JIGASI_XMPP_PASSWORD=.*#JIGASI_XMPP_PASSWORD=${JIGASI_XMPP_PASSWORD}#g" \
-e "s#JIBRI_RECORDER_PASSWORD=.*#JIBRI_RECORDER_PASSWORD=${JIBRI_RECORDER_PASSWORD}#g" \
-e "s#JIBRI_XMPP_PASSWORD=.*#JIBRI_XMPP_PASSWORD=${JIBRI_XMPP_PASSWORD}#g" \
"$(dirname "$0")/*.env"

@ -0,0 +1,19 @@
# Base URL of Jicofo's reservation REST API
#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com
# MUC name for the Jigasi pool
JIGASI_BREWERY_MUC=jigasibrewery
# SIP URI for incoming / outgoing calls
#JIGASI_SIP_URI=test@sip2sip.info
# MUC name for the Jibri pool
JIBRI_BREWERY_MUC=jibribrewery
# MUC connection timeout
JIBRI_PENDING_TIMEOUT=90
# Enable Jicofo's health check REST API (http://<jicofo_base_url>:8888/about/health)
#JICOFO_ENABLE_HEALTH_CHECKS=true
JICOFO_MAX_MEMORY=500m

@ -0,0 +1,19 @@
# IP address of the Docker host
# See the "Running behind NAT or on a LAN environment" section in the Handbook:
# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment
#DOCKER_HOST_ADDRESS=192.168.1.1
# TCP Fallback for Jitsi Videobridge for when UDP isn't available
JVB_TCP_HARVESTER_DISABLED=true
JVB_TCP_PORT=4443
JVB_TCP_MAPPED_PORT=4443
# STUN servers used to discover the server's public IP
JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443
# A comma separated list of APIs to enable when the JVB is started [default: none]
# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information
#JVB_ENABLE_APIS=rest,colibri
JVB_WS_DOMAIN
JVB_WS_SERVER_ID
VIDEOBRIDGE_MAX_MEMORY=500m

@ -0,0 +1,116 @@
# Control whether the lobby feature should be enabled or not
ENABLE_LOBBY=1
GLOBAL_MODULES
GLOBAL_CONFIG
# LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page)
#
# LDAP url for connection
#LDAP_URL=ldaps://ldap.domain.com/
# LDAP base DN. Can be empty
#LDAP_BASE=DC=example,DC=domain,DC=com
# LDAP user DN. Do not specify this parameter for the anonymous bind
#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
# LDAP user password. Do not specify this parameter for the anonymous bind
#LDAP_BINDPW=LdapUserPassw0rd
# LDAP filter. Tokens example:
# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail
# %s - %s is replaced by the complete service string
# %r - %r is replaced by the complete realm string
#LDAP_FILTER=(sAMAccountName=%u)
# LDAP authentication method
#LDAP_AUTH_METHOD=bind
# LDAP version
#LDAP_VERSION=3
# LDAP TLS using
#LDAP_USE_TLS=1
# List of SSL/TLS ciphers to allow
#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
# Require and verify server certificate
#LDAP_TLS_CHECK_PEER=1
# Path to CA cert file. Used when server certificate verify is enabled
#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt
# Path to CA certs directory. Used when server certificate verify is enabled
#LDAP_TLS_CACERT_DIR=/etc/ssl/certs
# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps://
# LDAP_START_TLS=1
# Custom Prosody modules for XMPP_DOMAIN (comma separated)
XMPP_MODULES=
# Custom Prosody modules for MUC component (comma separated)
XMPP_MUC_MODULES=
# Custom Prosody modules for internal MUC component (comma separated)
XMPP_INTERNAL_MUC_MODULES=
# XMPP user for Jigasi MUC client connections
JIGASI_XMPP_USER=jigasi
# XMPP password for Jigasi MUC client connections
JIGASI_XMPP_PASSWORD=
# XMPP user for Jibri client connections
JIBRI_XMPP_USER=jibri
# XMPP password for Jibri client connections
JIBRI_XMPP_PASSWORD=
# XMPP recorder user for Jibri client connections
JIBRI_RECORDER_USER=recorder
# XMPP recorder password for Jibri client connections
JIBRI_RECORDER_PASSWORD=
# Directory for recordings inside Jibri container
JIBRI_RECORDING_DIR=/config/recordings
# The finalizing script. Will run after recording is complete
JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh
# When jibri gets a request to start a service for a room, the room
# jid will look like: roomName@optional.prefixes.subdomain.xmpp_domain
# We'll build the url for the call by transforming that into:
# https://xmpp_domain/subdomain/roomName
# So if there are any prefixes in the jid (like jitsi meet, which
# has its participants join a muc at conference.xmpp_domain) then
# list that prefix here so it can be stripped out to generate
# the call url correctly
#JIBRI_STRIP_DOMAIN_JID=muc
# Directory for logs inside Jibri container
#JIBRI_LOGS_DIR=/config/logs
# JWT authentication
#
# Application identifier
#JWT_APP_ID=my_jitsi_app_id
# Application secret known only to your token
#JWT_APP_SECRET=my_jitsi_app_secret
# (Optional) Set asap_accepted_issuers as a comma separated list
#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client
# (Optional) Set asap_accepted_audiences as a comma separated list
#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2
JWT_ASAP_KEYSERVER
JWT_ALLOW_EMPTY
JWT_AUTH_TYPE
JWT_TOKEN_AUTH_MODULE
LOG_LEVEL

@ -0,0 +1,102 @@
APP_NAME="Jitsi Meet"
# Enable Let's Encrypt certificate generation
ENABLE_LETSENCRYPT=0
# Redirect HTTP traffic to HTTPS
# Necessary for Let's Encrypt, relies on standard HTTPS port (443)
#ENABLE_HTTP_REDIRECT=1
# Disable HTTPS: handle TLS connections outside of this setup
#DISABLE_HTTPS=1
# Domain for which to generate the certificate
#LETSENCRYPT_DOMAIN=meet.example.com
# Use the staging server (for avoiding rate limits while testing)
#LETSENCRYPT_USE_STAGING=1
# Reverse-proxy and certbot
VIRTUAL_HOST=sub.domain.tld
VIRTUAL_PORT=80
LETSENCRYPT_HOST=sub.domain.tld
LETSENCRYPT_EMAIL=account@domain.tld
#
# Stuff to sort out
#
AMPLITUDE_ID
ANALYTICS_SCRIPT_URLS
ANALYTICS_WHITELISTED_EVENTS
BRIDGE_CHANNEL
BRANDING_DATA_URL
CALLSTATS_CUSTOM_SCRIPT_URL
CALLSTATS_ID
CALLSTATS_SECRET
CHROME_EXTENSION_BANNER_JSON
CONFCODE_URL
CONFIG_EXTERNAL_CONNECT
DEPLOYMENTINFO_ENVIRONMENT
DEPLOYMENTINFO_ENVIRONMENT_TYPE
DEPLOYMENTINFO_USERREGION
DIALIN_NUMBERS_URL
DIALOUT_AUTH_URL
DIALOUT_CODES_URL
DROPBOX_APPKEY
DROPBOX_REDIRECT_URI
ENABLE_AUDIO_PROCESSING
ENABLE_CALENDAR
ENABLE_FILE_RECORDING_SERVICE
ENABLE_FILE_RECORDING_SERVICE_SHARING
ENABLE_IPV6
ENABLE_LIPSYNC
ENABLE_NO_AUDIO_DETECTION
ENABLE_P2P
# Show a prejoin page before entering a conference
ENABLE_PREJOIN_PAGE=1
# Enable recording
ENABLE_RECORDING=0
ENABLE_REMB
ENABLE_REQUIRE_DISPLAY_NAME
ENABLE_SIMULCAST
ENABLE_STATS_ID
ENABLE_STEREO
ENABLE_SUBDOMAINS
ENABLE_TALK_WHILE_MUTED
ENABLE_TCC
# Enable Jigasi transcription
ENABLE_TRANSCRIPTIONS=0
# Set etherpad-lite public URL (uncomment to enable)
#ETHERPAD_PUBLIC_URL=https://etherpad.my.domain
# Set etherpad-lite URL in docker local network (uncomment to enable)
#ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001
GOOGLE_ANALYTICS_ID
GOOGLE_API_APP_CLIENT_ID
INVITE_SERVICE_URL
MATOMO_ENDPOINT
MATOMO_SITE_ID
MICROSOFT_API_APP_CLIENT_ID
NGINX_RESOLVER
PEOPLE_SEARCH_URL
RESOLUTION
RESOLUTION_MIN
RESOLUTION_WIDTH
RESOLUTION_WIDTH_MIN
START_AUDIO_ONLY
START_AUDIO_MUTED
START_BITRATE
START_VIDEO_MUTED
TESTING_CAP_SCREENSHARE_BITRATE
TESTING_OCTO_PROBABILITY
# Internal XMPP server URL
XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280
# Authenticate using external service or just focus external auth window if there is one already.
# TOKEN_AUTH_URL=https://auth.meet.example.com/{room}
Loading…
Cancel
Save