From fe8736a48fa9e6ae2360212049a9d832d2e12a39 Mon Sep 17 00:00:00 2001
From: meliurwen
Date: Tue, 22 Feb 2022 12:15:08 +0100
Subject: [PATCH] More sane jitsi config
---
 .env.example | 61 ++-----------------
 .gitignore | 1 +
 docker-compose.yml | 104 +++++++++++++--------------
 jicofo-jvb.env.example | 2 +
 prosody-jicofo-jvb.env.example | 2 +
 prosody-jicofo.env.example | 9 +++
 prosody-jvb.env.example | 7 +++
 web-prosody-jicofo.env.example | 12 ++++
 web-prosody.env.example | 10 ++++
 web.env.example | 5 +-
 10 files changed, 88 insertions(+), 125 deletions(-)
 create mode 100644 jicofo-jvb.env.example
 create mode 100644 prosody-jicofo-jvb.env.example
 create mode 100644 prosody-jicofo.env.example
 create mode 100644 prosody-jvb.env.example
 create mode 100644 web-prosody-jicofo.env.example
 create mode 100644 web-prosody.env.example
diff --git a/.env.example b/.env.example
index 577f8ac..581855d 100644
--- a/.env.example
+++ b/.env.example
@@ -26,68 +26,17 @@ JVB_TAG=
 JVB_CONTAINER_NAME=
 JVB_RESTART=
 # Media port
-JVB_PORT=10000
-JVB_TCP_PORT=4443
+JVB_PORT=
 # Public URL for the web service (required)
 PUBLIC_URL=https://sub.domain.tld
-#
-# Security
-#
-# - Set these to strong passwords to avoid intruders from impersonating a
-# service account.
-# - The service(s) won't start unless these are specified.
-# - Running ./gen-passwords.sh will update .env with strong passwords.
-# - You may skip the Jigasi and Jibri passwords if you are not using those.
-# - DO NOT reuse passwords.
-#
-# Prosody (XMPP Server) and Jicofo (Focus Component)
-#
-# XMPP component password for Jicofo
-JICOFO_COMPONENT_SECRET=
-# XMPP password for Jicofo client connections
-JICOFO_AUTH_PASSWORD=
-#
-# Prosody (XMPP Server) and Jvb (Video Bridge)
-#
-# XMPP password for JVB client connections
-JVB_AUTH_PASSWORD=
-
-#
-# Authentication configuration (see handbook for details)
-#
-# Enable authentication
-ENABLE_AUTH=1
-# Enable guest access
-ENABLE_GUESTS=1
-# Select authentication type: internal, jwt or ldap
-AUTH_TYPE=internal
-
 #
 # Advanced configuration options (you generally don't need to change these)
 #
-# Internal XMPP domain
-XMPP_DOMAIN=meet.jitsi
 # Internal XMPP server
-XMPP_SERVER=xmpp.meet.jitsi
+XMPP_SERVER=
 # Internal XMPP domain for authenticated services
-XMPP_AUTH_DOMAIN=auth.meet.jitsi
-# XMPP domain for the MUC
-XMPP_MUC_DOMAIN=muc.meet.jitsi
-# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools
-XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi
-# XMPP domain for unauthenticated users
-XMPP_GUEST_DOMAIN=guest.meet.jitsi
-
-# MUC for the JVB pool
-JVB_BREWERY_MUC=jvbbrewery
-# XMPP user for JVB client connections
-JVB_AUTH_USER=jvb
-
-# XMPP user for Jicofo client connections.
-# NOTE: this option doesn't currently work due to a bug
-JICOFO_AUTH_USER=focus
-
-# XMPP domain for the jibri recorder
-XMPP_RECORDER_DOMAIN=recorder.meet.jitsi
+XMPP_AUTH_DOMAIN=
+# Internal XMPP server URL
+XMPP_BOSH_URL_BASE=
diff --git a/.gitignore b/.gitignore
index 03bd412..908ca92 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 *.env
+vol/
diff --git a/docker-compose.yml b/docker-compose.yml
index 2045ed0..ee9e316 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
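Review bot: The removed "Security" comment block (strong unique passwords, `./gen-passwords.sh` updating `.env`, `DO NOT reuse passwords`) is not carried into any of the files that now hold those variables, so the only guidance about the XMPP service credentials leaves the repository with this hunk. The hunk also leaves `JVB_PORT=`, `XMPP_SERVER=` and `XMPP_AUTH_DOMAIN=` empty without saying that an empty value falls back to the default written in docker-compose.yml. I would add a short comment above the advanced section stating that the service secrets now live in `prosody-jicofo.env` and `prosody-jvb.env` and must be set to strong, distinct values, and that an empty value here means "use the compose default". If `gen-passwords.sh` still writes into `.env`, it presumably needs to follow the new file split; the script is not visible here.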
@@ -7,33 +7,26 @@ services:
 restart: ${WEB_RESTART:-unless-stopped}
 expose:
 - "80"
- - "8443"
+ - "443"
 networks:
 meet.jitsi:
- aliases:
- - ${XMPP_DOMAIN}
 webservices:
 volumes:
- - ${LOCAL_STACK_DIR}/web:/config:Z
- - ${LOCAL_STACK_DIR}/transcripts:/usr/share/jitsi-meet/transcripts:Z
- - ${LOCAL_STACK_DIR}/web/custom/images:/usr/share/jitsi-meet/images:ro
- - ${LOCAL_STACK_DIR}/web/custom/title.html:/usr/share/jitsi-meet/title.html:ro
- - ${LOCAL_STACK_DIR}/web/custom/body.html:/usr/share/jitsi-meet/body.html:ro
- - ${LOCAL_STACK_DIR}/web/custom/css/custom.css:/usr/share/jitsi-meet/css/custom.css:ro
+ - ${LOCAL_STACK_DIR:-./vol}/web:/config:Z
+ - ${LOCAL_STACK_DIR:-./vol}/transcripts:/usr/share/jitsi-meet/transcripts:Z
+ - ${LOCAL_STACK_DIR:-./vol}/web/custom/images:/usr/share/jitsi-meet/images:ro
+ - ${LOCAL_STACK_DIR:-./vol}/web/custom/title.html:/usr/share/jitsi-meet/title.html:ro
+ - ${LOCAL_STACK_DIR:-./vol}/web/custom/body.html:/usr/share/jitsi-meet/body.html:ro
+ - ${LOCAL_STACK_DIR:-./vol}/web/custom/css/custom.css:/usr/share/jitsi-meet/css/custom.css:ro
 env_file:
 - web.env
+ - web-prosody-jicofo.env
+ - web-prosody.env
 environment:
- - TZ
- - ENABLE_XMPP_WEBSOCKET
+ - TZ=${TZ:-Etc/UTC}
 - PUBLIC_URL
- - ENABLE_AUTH
- - ENABLE_GUESTS
- - JICOFO_AUTH_USER
- - XMPP_AUTH_DOMAIN
- - XMPP_DOMAIN
- - XMPP_GUEST_DOMAIN
- - XMPP_MUC_DOMAIN
- - XMPP_RECORDER_DOMAIN
+ - XMPP_AUTH_DOMAIN=${XMPP_AUTH_DOMAIN:-auth.meet.jitsi}
+ - XMPP_BOSH_URL_BASE=${XMPP_BOSH_URL_BASE:-http://xmpp.meet.jitsi:5280}
 prosody:
 image: ${PRS_IMG:-jitsi/prosody}:${PRS_TAG:-latest}
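Review bot: `expose` now lists `443` while the companion change in `web.env.example` turns on `DISABLE_HTTPS=1`, so the container presumably serves plain HTTP on `80` only and the `443` entry is exposed for nothing; either drop it or record why it stays, e.g. `# 443 is only served when DISABLE_HTTPS is unset`. A point of style: the fallback values `auth.meet.jitsi`, `xmpp.meet.jitsi` and `./vol` are now repeated inline in every service (this hunk and the prosody, jicofo and jvb hunks below), so editing one occurrence can silently diverge from the others; since `.env.example` is the documented place for these settings, giving them their value there once, or via a YAML anchor at the top of the file, keeps a single source of truth. The `XMPP_BOSH_URL_BASE` default is plain `http://`, which is fine on the internal `meet.jitsi` network but deserves a one-line comment saying it must never be pointed at a public host.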
@@ -46,30 +39,21 @@ services:
 networks:
 meet.jitsi:
 aliases:
- - ${XMPP_SERVER}
+ - ${XMPP_SERVER:-xmpp.meet.jitsi}
 volumes:
- - ${LOCAL_STACK_DIR}/prosody/config:/config:Z
- - ${LOCAL_STACK_DIR}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z
+ - ${LOCAL_STACK_DIR:-./vol}/prosody/config:/config:Z
+ - ${LOCAL_STACK_DIR:-./vol}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z
 env_file:
 - prosody.env
+ - prosody-jicofo.env
+ - prosody-jvb.env
+ - web-prosody-jicofo.env
+ - web-prosody.env
+ - prosody-jicofo-jvb.env
 environment:
- - TZ
- - JICOFO_COMPONENT_SECRET
- - JICOFO_AUTH_PASSWORD
- - JVB_AUTH_PASSWORD
- - AUTH_TYPE
- - ENABLE_AUTH
- - ENABLE_GUESTS
- - ENABLE_XMPP_WEBSOCKET
- - XMPP_DOMAIN
- - XMPP_AUTH_DOMAIN
- - XMPP_GUEST_DOMAIN
- - XMPP_MUC_DOMAIN
- - XMPP_INTERNAL_MUC_DOMAIN
- - XMPP_RECORDER_DOMAIN
- - JICOFO_AUTH_USER
- - JVB_AUTH_USER
+ - TZ=${TZ:-Etc/UTC}
 - PUBLIC_URL
+ - XMPP_AUTH_DOMAIN=${XMPP_AUTH_DOMAIN:-auth.meet.jitsi}
 jicofo:
 image: ${JCF_IMG:-jitsi/jicofo}:${JCF_TAG:-latest}
@@ -78,22 +62,17 @@ services:
 networks:
 meet.jitsi:
 volumes:
- - ${LOCAL_STACK_DIR}/jicofo:/config:Z
+ - ${LOCAL_STACK_DIR:-./vol}/jicofo:/config:Z
 env_file:
 - jicofo.env
+ - prosody-jicofo.env
+ - web-prosody-jicofo.env
+ - prosody-jicofo-jvb.env
+ - jicofo-jvb.env
 environment:
- - TZ
- - JICOFO_COMPONENT_SECRET
- - JICOFO_AUTH_PASSWORD
- - AUTH_TYPE
- - ENABLE_AUTH
- - XMPP_DOMAIN
- - XMPP_AUTH_DOMAIN
- - XMPP_INTERNAL_MUC_DOMAIN
- - XMPP_MUC_DOMAIN
- - XMPP_SERVER
- - JICOFO_AUTH_USER
- - JVB_BREWERY_MUC
+ - TZ=${TZ:-Etc/UTC}
+ - XMPP_AUTH_DOMAIN=${XMPP_AUTH_DOMAIN:-auth.meet.jitsi}
+ - XMPP_SERVER=${XMPP_SERVER:-xmpp.meet.jitsi}
 depends_on:
 - prosody
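Review bot: `env_file` now names six files for prosody (and four for jicofo in the next hunk), and compose refuses to start a service whose env_file is missing, so a fresh clone — where `*.env` is gitignored — fails until every `*.env.example` has been copied, and nothing visible in this commit documents that. I would add a comment above the first `env_file:` such as `# each *.env is created from its *.env.example; every listed file must exist`. Note also that a key in `environment:` overrides the same key from `env_file`, so an `XMPP_AUTH_DOMAIN` someone sets in `prosody.env` would be silently shadowed by the inline `${XMPP_AUTH_DOMAIN:-auth.meet.jitsi}`, which is interpolated from the shell/`.env` rather than from the env files; a comment stating that these keys must be set in `.env` avoids that surprise.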
@@ -102,27 +81,22 @@ services:
 container_name: ${JVB_CONTAINER_NAME:-jitsi-jvb}
 restart: ${JVB_RESTART:-unless-stopped}
 ports:
- - ${JVB_PORT}:${JVB_PORT}/udp
- - ${JVB_TCP_PORT}:${JVB_TCP_PORT}
+ - ${JVB_PORT:-10000}:${JVB_PORT:-10000}/udp
 networks:
 meet.jitsi:
- aliases:
- - jvb.meet.jitsi
 volumes:
- - ${LOCAL_STACK_DIR}/jvb:/config:Z
+ - ${LOCAL_STACK_DIR:-./vol}/jvb:/config:Z
 env_file:
 - jvb.env
+ - prosody-jvb.env
+ - prosody-jicofo-jvb.env
+ - jicofo-jvb.env
 environment:
- - TZ
- - JVB_AUTH_PASSWORD
- - XMPP_AUTH_DOMAIN
- - XMPP_INTERNAL_MUC_DOMAIN
- - XMPP_SERVER
- - JVB_AUTH_USER
- - JVB_BREWERY_MUC
- - JVB_TCP_PORT
- - JVB_PORT
+ - TZ=${TZ:-Etc/UTC}
 - PUBLIC_URL
+ - XMPP_AUTH_DOMAIN=${XMPP_AUTH_DOMAIN:-auth.meet.jitsi}
+ - XMPP_SERVER=${XMPP_SERVER:-xmpp.meet.jitsi}
+ - JVB_PORT=${JVB_PORT:-10000}
 depends_on:
 - prosody
diff --git a/jicofo-jvb.env.example b/jicofo-jvb.env.example
new file mode 100644
index 0000000..f5b02d3
--- /dev/null
+++ b/jicofo-jvb.env.example
@@ -0,0 +1,2 @@
+# MUC for the JVB pool
+JVB_BREWERY_MUC=jvbbrewery
diff --git a/prosody-jicofo-jvb.env.example b/prosody-jicofo-jvb.env.example
new file mode 100644
index 0000000..7199110
--- /dev/null
+++ b/prosody-jicofo-jvb.env.example
@@ -0,0 +1,2 @@
+# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools
+XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi
diff --git a/prosody-jicofo.env.example b/prosody-jicofo.env.example
new file mode 100644
index 0000000..82c7b73
--- /dev/null
+++ b/prosody-jicofo.env.example
@@ -0,0 +1,9 @@
+# Prosody (XMPP Server) and Jicofo (Focus Component)
+#
+# XMPP component password for Jicofo
+JICOFO_COMPONENT_SECRET=q9jw8pt7v7dplm548yg8uksz0gylemg5
+# XMPP password for Jicofo client connections
+JICOFO_AUTH_PASSWORD=q9jw8pt7v7dplm548yg8uksz0gylemg5
+
+# Select authentication type: internal, jwt or ldap
+AUTH_TYPE=internal
diff --git a/prosody-jvb.env.example b/prosody-jvb.env.example
new file mode 100644
index 0000000..1d85a90
--- /dev/null
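Review bot: Dropping `JVB_TCP_PORT` removes the published TCP media port (`4443` in the old `.env.example`) and leaves only UDP `${JVB_PORT:-10000}`, a functional change that the commit message ("More sane jitsi config") does not explain; participants on networks that block UDP would presumably lose the bridge-side TCP fallback. If that is intended, a comment on the `ports:` entry records the decision: `# UDP media only; the TCP fallback port (JVB_TCP_PORT) is deliberately not published`.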
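Review bot: `JICOFO_COMPONENT_SECRET` and `JICOFO_AUTH_PASSWORD` are committed with a concrete value, and the same string is used for both, which the `.env.example` guidance removed in this commit explicitly warned against (`DO NOT reuse passwords`); the same applies to `JVB_AUTH_PASSWORD` in the `prosody-jvb.env.example` hunk that follows. Because `*.env` is gitignored but `*.env.example` is not, these values are now permanent in git history, and any deployment that copies the example files unchanged runs Prosody with XMPP service credentials that anyone with the repository can read. Keep the example values empty as the old file did (`JICOFO_COMPONENT_SECRET=` and `JICOFO_AUTH_PASSWORD=`), restore the strong-and-distinct-passwords note above them, and, if `gen-passwords.sh` still exists, point it at these files. The removed comment states the services will not start with empty secrets, which is the safer failure mode than starting with a known one.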
+++ b/prosody-jvb.env.example
@@ -0,0 +1,7 @@
+# Prosody (XMPP Server) and Jvb (Video Bridge)
+#
+# XMPP password for JVB client connections
+JVB_AUTH_PASSWORD=9m0elmhpkblm5pwiixdnpkviu0u7slpd
+
+# XMPP user for JVB client connections
+JVB_AUTH_USER=jvb
diff --git a/web-prosody-jicofo.env.example b/web-prosody-jicofo.env.example
new file mode 100644
index 0000000..a5c76f7
--- /dev/null
+++ b/web-prosody-jicofo.env.example
@@ -0,0 +1,12 @@
+# Enable authentication
+ENABLE_AUTH=1
+
+# Internal XMPP domain
+XMPP_DOMAIN=meet.jitsi
+
+# XMPP domain for the MUC
+XMPP_MUC_DOMAIN=muc.meet.jitsi
+
+# XMPP user for Jicofo client connections.
+# NOTE: this option doesn't currently work due to a bug
+JICOFO_AUTH_USER=focus
diff --git a/web-prosody.env.example b/web-prosody.env.example
new file mode 100644
index 0000000..90949bf
--- /dev/null
+++ b/web-prosody.env.example
@@ -0,0 +1,10 @@
+# Enable guest access
+ENABLE_GUESTS=1
+
+# XMPP domain for unauthenticated users
+XMPP_GUEST_DOMAIN=guest.meet.jitsi
+
+# XMPP domain for the jibri recorder
+XMPP_RECORDER_DOMAIN=recorder.meet.jitsi
+
+ENABLE_XMPP_WEBSOCKET=1
diff --git a/web.env.example b/web.env.example
index 47c7a31..b571faf 100644
--- a/web.env.example
+++ b/web.env.example
@@ -8,7 +8,7 @@ ENABLE_LETSENCRYPT=0
 #ENABLE_HTTP_REDIRECT=1
 # Disable HTTPS: handle TLS connections outside of this setup
-#DISABLE_HTTPS=1
+DISABLE_HTTPS=1
 # Domain for which to generate the certificate
 #LETSENCRYPT_DOMAIN=meet.example.com
@@ -95,8 +95,5 @@ START_VIDEO_MUTED
 TESTING_CAP_SCREENSHARE_BITRATE
 TESTING_OCTO_PROBABILITY
-# Internal XMPP server URL
-XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280
-
 # Authenticate using external service or just focus external auth window if there is one already.
 # TOKEN_AUTH_URL=https://auth.meet.example.com/{room}
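Review bot: `ENABLE_XMPP_WEBSOCKET=1` is the only entry in `web-prosody.env.example` without the explanatory comment every other line in the new env files carries, so a reader cannot tell what it switches on or why it is shared by `web` and `prosody`. Matching the file's style, `# Enable XMPP over WebSocket (read by both the web and prosody services)` above it is enough.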
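Review bot: Uncommenting `DISABLE_HTTPS=1` makes plain HTTP the example default for the `web` container while `PUBLIC_URL` in `.env.example` stays `https://`, so the stack now depends on a TLS-terminating reverse proxy on the `webservices` network that nothing in the commit names; without one the deployment does not merely downgrade, it stops working, because browsers only grant camera and microphone access on a secure origin. The existing comment `# Disable HTTPS: handle TLS connections outside of this setup` should say that this is now the default and that a proxy must terminate TLS for `PUBLIC_URL` and forward to the container's port `80`. The second hunk of this file only moves `XMPP_BOSH_URL_BASE` to the compose default and needs nothing further.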