From b8a2ca2af368e33e98e4298fa79c9e44b04389f6 Mon Sep 17 00:00:00 2001 From: Joschka Seydell Date: Sun, 29 Nov 2020 03:21:22 -0800 Subject: [PATCH 1/4] Added install path and consolidated var usage. --- README.md | 3 ++- defaults/main.yml | 3 ++- tasks/main.yml | 40 ++++++++++++++++++++-------------------- 3 files changed, 24 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index a10e2d9..87bfe81 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,8 @@ Role Variables | Variable | Description | Default | | --------------------------- | ------------------------------------------------------------------------------- | ------------------ | -| docker_user | The user who is going to manage/run the Docker Compose services | deploy | +| jitsi_install_user | The user who is going to manage/run the Docker Compose services | {{ ansible_user }} | +| jitsi_install_path | The location where the service should be deployed | /home/{{ jitsi_install_user }} | | jitsi_build_latest_image_from_source | Will fetch the master of `jitsi_docker_upstream_repo_url` and build the docker image as sometimes the latest available images in the Docker Hub are too old | yes | | jitsi_docker_upstream_repo_url | Git repo of docker-jitsi-meet required by `jitsi_build_latest_image_from_source` | https://github.com/jitsi/docker-jitsi-meet.git | | *jitsi_letsencrypt_email* | E-Mail adress used for requesting certificates | Not set | diff --git a/defaults/main.yml b/defaults/main.yml index 66d322e..3d60f34 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,7 @@ --- # defaults file for jitsi -docker_user: deploy +jitsi_install_user: '{{ ansible_user }}' # This user must be present on the host +jitsi_install_path: '/home/{{ jitsi_install_user }}' #jitsi_letsencrypt_email:alice@host.tld jitsi_enable_letsencrypt: no jitsi_exposed_http_port: 8000 diff --git a/tasks/main.yml b/tasks/main.yml index 1ef8919..3fcbaa0 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
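Review bot: The new default `jitsi_install_user: '{{ ansible_user }}'` is undefined whenever the play does not set `ansible_user` explicitly (Ansible then logs in as the invoking user without populating that variable), so the first `file:` task in `tasks/main.yml` aborts with an undefined-variable error rather than the documented fallback. A default that survives both cases is `jitsi_install_user: "{{ ansible_user | default(ansible_user_id) }}"`, which falls back to the gathered login name (this needs fact gathering, worth noting in the README row). `jitsi_install_path: '/home/{{ jitsi_install_user }}'` additionally assumes home directories live under `/home`; that assumption should be stated next to the variable, e.g. `# assumes the user's home is /home/<user>; override on hosts that differ`. The comment `# This user must be present on the host` names a precondition the role never checks; an early `assert` or `getent` lookup would turn a mid-run failure into a clear message.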
@@ -2,51 +2,51 @@ # tasks file for jitsi - name: Ensure jitsi Docker Compose config directory exists file: - path: /home/{{ docker_user }}/jitsi + path: "{{ jitsi_install_path }}/jitsi" state: directory - owner: '{{ docker_user }}' - group: '{{ docker_user }}' + owner: '{{ jitsi_install_user }}' + group: '{{ jitsi_install_user }}' tags: config - name: "Teardown: Remove Jitsi runtime config" file: - path: /home/{{ docker_user }}/jitsi/conf + path: "{{ jitsi_install_path }}/jitsi/conf" state: absent tags: ['never', 'teardown'] - name: Ensure jitsi config directory exists file: - path: /home/{{ docker_user }}/jitsi/conf + path: "{{ jitsi_install_path }}/jitsi/conf" state: directory - owner: '{{ docker_user }}' - group: '{{ docker_user }}' + owner: '{{ jitsi_install_user }}' + group: '{{ jitsi_install_user }}' tags: config - name: "Git: Pull latest upstream docker-jitsi-meet sources (master)" git: repo: "{{ jitsi_docker_upstream_repo_url }}" - dest: /home/{{ docker_user }}/jitsi/docker-jitsi-meet-src + dest: "{{ jitsi_install_path }}/jitsi/docker-jitsi-meet-src" version: master register: git_pull_jitsi_docker_upstream_repo when: jitsi_build_latest_image_from_source == True - name: "Build Jitsi Docker images" shell: - chdir: /home/{{ docker_user }}/jitsi/docker-jitsi-meet-src + chdir: "{{ jitsi_install_path }}/jitsi/docker-jitsi-meet-src" cmd: make when: git_pull_jitsi_docker_upstream_repo.changed - name: Provide docker-compose.yml template: src: templates/docker-compose.jitsi.yml.j2 - dest: /home/{{ docker_user }}/jitsi/docker-compose.yml - owner: "{{ docker_user }}" - group: "{{ docker_user }}" + dest: "{{ jitsi_install_path }}/jitsi/docker-compose.yml" + owner: "{{ jitsi_install_user }}" + group: "{{ jitsi_install_user }}" mode: '0644' tags: config - name: Output docker-compose.yml - shell: cat /home/{{ docker_user }}/jitsi/docker-compose.yml + shell: cat {{ jitsi_install_path }}/jitsi/docker-compose.yml register: output tags: config 
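Review bot: The `Output docker-compose.yml` task now interpolates `jitsi_install_path` into an unquoted `shell:` command, so an install path containing whitespace or shell metacharacters either breaks the task or has part of it executed by the shell; the other tasks in this hunk hand the path to a module argument and are not affected. Since only the file content is wanted, `ansible.builtin.slurp:` with `src: "{{ jitsi_install_path }}/jitsi/docker-compose.yml"` avoids the shell entirely (the consumer of `output` then reads `output.content | b64decode` instead of `output.stdout`); failing that, `command: cat {{ (jitsi_install_path ~ '/jitsi/docker-compose.yml') | quote }}` at least quotes the argument. The `Build Jitsi Docker images` task likewise runs a plain `make` through `shell:` where `command:` would do and removes the shell from the path. The tasks after `Output docker-compose.yml` continue outside this hunk.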
@@ -56,21 +56,21 @@ - name: Provide Jitsi env vars template: src: templates/env.jitsi.j2 - dest: /home/{{ docker_user }}/jitsi/.env - owner: "{{ docker_user }}" - group: "{{ docker_user }}" + dest: "{{ jitsi_install_path }}/jitsi/.env" + owner: "{{ jitsi_install_user }}" + group: "{{ jitsi_install_user }}" mode: '0640' tags: config - name: "docker-compose: Teardown existing Jitsi service" docker_compose: - project_src: "/home/{{ docker_user }}/jitsi/" + project_src: "{{ jitsi_install_path }}/jitsi/" state: absent tags: ['never', 'teardown'] - name: "docker-compose: Bootstrap Jitsi service" docker_compose: - project_src: "/home/{{ docker_user }}/jitsi/" + project_src: "{{ jitsi_install_path }}/jitsi/" pull: yes register: output @@ -98,7 +98,7 @@ - name: "Config: Set channelLastN" lineinfile: - path: /home/{{ docker_user }}/jitsi/conf/web/config.js + path: "{{ jitsi_install_path }}/jitsi/conf/web/config.js" regexp: '(\s*)channelLastN:\s*[^,]+,' line: '\1channelLastN: {{jitsi_web_channel_last_n|default("-1")}},' backrefs: yes @@ -106,7 +106,7 @@ - name: "Config: Disable third party requests" lineinfile: - path: /home/{{ docker_user }}/jitsi/conf/web/config.js + path: "{{ jitsi_install_path }}/jitsi/conf/web/config.js" regexp: '(\s*)(//\s*)?disableThirdPartyRequests:\s*false,' line: '\1disableThirdPartyRequests: true,' backrefs: yes From 87d2cd58ec47058859a8ef74660ed6151de7c7a3 Mon Sep 17 00:00:00 2001 From: Joschka Seydell Date: Mon, 30 Nov 2020 13:38:06 -0800 Subject: [PATCH 2/4] Adjusted variables and docker-compose file to account for multitenancy setups. --- README.md | 3 +++ defaults/main.yml | 7 ++++++- tasks/main.yml | 2 +- templates/docker-compose.jitsi.yml.j2 | 28 +++++++++++++-------------- templates/env.jitsi.j2 | 10 ++++++++-- templates/etherpad.yml | 1 + templates/jibri.yml | 1 + templates/jigasi.yml | 1 + 8 files changed, 35 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 87bfe81..04c23cd 100644 --- a/README.md +++ b/README.md 
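Review bot: `group: "{{ jitsi_install_user }}"` on the `.env` template (and on the other file tasks this series renames) assumes a group named after the install user exists; on hosts where the user's primary group is `users` or `staff` the task fails with a missing-group error although the file could have been written. Omitting `group:` lets Ansible keep the user's primary group, or a `jitsi_install_group` variable defaulting to `"{{ jitsi_install_user }}"` keeps today's behaviour overridable. The `.env` rendered here carries the XMPP/JVB secrets from `env.jitsi.j2`, and as far as this diff shows only the compose user reads it, so `mode: '0600'` would be the least-privilege choice over the group-readable `'0640'`.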
@@ -18,6 +18,7 @@ Role Variables | --------------------------- | ------------------------------------------------------------------------------- | ------------------ | | jitsi_install_user | The user who is going to manage/run the Docker Compose services | {{ ansible_user }} | | jitsi_install_path | The location where the service should be deployed | /home/{{ jitsi_install_user }} | +| jitsi_multitenant_label | A label (unique accross all instances on this host) identifying the tenant | | | jitsi_build_latest_image_from_source | Will fetch the master of `jitsi_docker_upstream_repo_url` and build the docker image as sometimes the latest available images in the Docker Hub are too old | yes | | jitsi_docker_upstream_repo_url | Git repo of docker-jitsi-meet required by `jitsi_build_latest_image_from_source` | https://github.com/jitsi/docker-jitsi-meet.git | | *jitsi_letsencrypt_email* | E-Mail adress used for requesting certificates | Not set | @@ -26,6 +27,8 @@ Role Variables | jitsi_enable_third_party_requests | Whether to allow third party requests, e.g. to Gravatar (if a user sets her email address) | no | | jitsi_exposed_http_port | Exposed container port for HTTP | 8000 | | jitsi_exposed_https_port | Exposed container port for HTTPS | 8443 | +| jitsi_bridge_udp_port | Port for this instance's Jitsi Video Bridge | 10000 | +| jitsi_bridge_tcp_port | TCP fallback port for the Jitsi Video Bridge | 4443 | | jitsi_jibri_recorder_password | Provide a secure password\* | | | jitsi_jibri_recorder_user | | | | jitsi_jibri_xmpp_password | | | diff --git a/defaults/main.yml b/defaults/main.yml index 3d60f34..053e9e6 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -2,10 +2,13 @@ # defaults file for jitsi jitsi_install_user: '{{ ansible_user }}' # This user must be present on the host jitsi_install_path: '/home/{{ jitsi_install_user }}' +jitsi_multitenant_label: #jitsi_letsencrypt_email:alice@host.tld jitsi_enable_letsencrypt: no jitsi_exposed_http_port: 8000 jitsi_exposed_https_port: 8443 +jitsi_bridge_udp_port: 10000 +jitsi_bridge_tcp_port: 4443 jitsi_virtual_host: localhost jitsi_public_url: http://{{ jitsi_virtual_host }} jitsi_timezone: Europe/Amsterdam @@ -13,4 +16,6 @@ jitsi_jvb_stun_servers: meet-jit-si-turnrelay.jitsi.net:443 jitsi_web_channel_last_n: 3 jitsi_build_latest_image_from_source: yes jitsi_docker_upstream_repo_url: https://github.com/jitsi/docker-jitsi-meet.git -jitsi_enable_third_party_requests: no \ No newline at end of file +jitsi_enable_third_party_requests: no +# Internal variables +jitsi_multitenant_postfix: "{{ '_' + jitsi_multitenant_label if (jitsi_multitenant_label) else '' }}" \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index 3fcbaa0..fc79769 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -79,7 +79,7 @@ - assert: that: - - "output.ansible_facts['web']['jitsi_web_1'].state.running" + - "output.ansible_facts['web']['jitsi{{ jitsi_multitenant_postfix }}_web_1'].state.running" - name: "Test whether Jitsi is healthy from the outside" when: not ansible_check_mode diff --git a/templates/docker-compose.jitsi.yml.j2 b/templates/docker-compose.jitsi.yml.j2 index 86fba7f..1273131 100644 --- a/templates/docker-compose.jitsi.yml.j2 +++ b/templates/docker-compose.jitsi.yml.j2 
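Review bot: `jitsi_multitenant_postfix` splices `jitsi_multitenant_label` verbatim into `COMPOSE_PROJECT_NAME`, the container name checked by the assert in `tasks/main.yml`, and the Traefik router/middleware names, but nothing validates the label. Compose normalises project names to lower-case `[a-z0-9_-]` (older versions by stripping other characters, newer ones by refusing the name) and Traefik's label parser treats `.` as a key separator, so a label such as `Customer.A` silently yields a project the later `jitsi{{ postfix }}_web_1` assert cannot find. An early task such as `- assert:` / `that: not jitsi_multitenant_label or jitsi_multitenant_label is match('^[a-z0-9_-]+$')` fails fast with a clear message. The bare `jitsi_multitenant_label:` default is a YAML null; `jitsi_multitenant_label: ''` with a comment stating the allowed characters reads more deliberately and still disables the postfix.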
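Review bot: The assert key `jitsi{{ jitsi_multitenant_postfix }}_web_1` hard-codes docker-compose v1's `<project>_<service>_<index>` container naming; under Compose v2 the separator is `-` (`jitsi-web-1`) and the check fails although the stack is healthy. The `docker_compose` module used here wraps the v1 Python library as far as I know, so it works today, but a comment on the assert, `# container name follows compose v1 "<project>_<service>_<index>" naming`, would make the dependency explicit for whoever migrates the module. The assert's surrounding task list continues outside this hunk.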
@@ -38,20 +38,20 @@ services: labels: - "traefik.enable=true" - "traefik.docker.network=traefik_public" - - "traefik.http.routers.jitsi.rule=Host(`{{ jitsi_virtual_host }}`)" - - "traefik.http.routers.jitsi.entrypoints=websecure" - - "traefik.http.routers.jitsi.tls=true" - - "traefik.http.routers.jitsi.tls.certresolver=defaultresolver" - - "traefik.http.middlewares.jitsi-headers.headers.SSLRedirect=true" - - "traefik.http.middlewares.jitsi-headers.headers.browserXSSFilter=true" - - "traefik.http.middlewares.jitsi-headers.headers.contentTypeNosniff=true" - - "traefik.http.middlewares.jitsi-headers.headers.forceSTSHeader=true" - - "traefik.http.middlewares.jitsi-headers.headers.STSSeconds=315360000" - - "traefik.http.middlewares.jitsi-headers.headers.STSIncludeSubdomains=true" - - "traefik.http.middlewares.jitsi-headers.headers.STSPreload=true" - - "traefik.http.middlewares.jitsi-headers.headers.featurePolicy=geolocation 'none'; payment 'none'" - - "traefik.http.middlewares.jitsi-headers.headers.contentSecurityPolicy=default-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'; block-all-mixed-content" - - "traefik.http.routers.jitsi.middlewares=jitsi-headers" + - "traefik.http.routers.jitsi{{ jitsi_multitenant_postfix }}.rule=Host(`{{ jitsi_virtual_host }}`)" + - "traefik.http.routers.jitsi{{ jitsi_multitenant_postfix }}.entrypoints=websecure" + - "traefik.http.routers.jitsi{{ jitsi_multitenant_postfix }}.tls=true" + - "traefik.http.routers.jitsi{{ jitsi_multitenant_postfix }}.tls.certresolver=defaultresolver" + - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.SSLRedirect=true" + - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.browserXSSFilter=true" + - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.contentTypeNosniff=true" + - 
"traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.forceSTSHeader=true" + - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.STSSeconds=315360000" + - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.STSIncludeSubdomains=true" + - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.STSPreload=true" + - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.featurePolicy=geolocation 'none'; payment 'none'" + - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.contentSecurityPolicy=default-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'; block-all-mixed-content" + - "traefik.http.routers.jitsi{{ jitsi_multitenant_postfix }}.middlewares=jitsi{{ jitsi_multitenant_postfix }}-headers" networks: public: meet.jitsi: diff --git a/templates/env.jitsi.j2 b/templates/env.jitsi.j2 index e023c0a..5f017ed 100644 --- a/templates/env.jitsi.j2 +++ b/templates/env.jitsi.j2 @@ -1,3 +1,9 @@ +# +# Docker Compose configuration +# +# Project name for this Docker Compose setup +COMPOSE_PROJECT_NAME=jitsi{{ jitsi_multitenant_postfix }} + # # Basic configuration options # @@ -187,11 +193,11 @@ JVB_AUTH_PASSWORD={{ jitsi_jvb_auth_password }} JVB_STUN_SERVERS={{ jitsi_jvb_stun_servers }} # Media port for the Jitsi Videobridge -JVB_PORT=10000 +JVB_PORT={{ jitsi_bridge_udp_port }} # TCP Fallback for Jitsi Videobridge for when UDP isn't available JVB_TCP_HARVESTER_DISABLED=true -JVB_TCP_PORT=4443 +JVB_TCP_PORT={{ jitsi_bridge_tcp_port }} # A comma separated list of APIs to enable when the JVB is started. The default is none. # See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information 
diff --git a/templates/etherpad.yml b/templates/etherpad.yml index e033a99..200f669 100644 --- a/templates/etherpad.yml +++ b/templates/etherpad.yml @@ -4,6 +4,7 @@ services: # Etherpad: real-time collaborative document editing etherpad: image: jitsi/etherpad + restart: unless-stopped networks: meet.jitsi: aliases: diff --git a/templates/jibri.yml b/templates/jibri.yml index 2f5a3e7..3efbc8b 100644 --- a/templates/jibri.yml +++ b/templates/jibri.yml @@ -3,6 +3,7 @@ version: '3' services: jibri: image: jitsi/jibri + restart: unless-stopped volumes: - ${CONFIG}/jibri:/config - /dev/shm:/dev/shm diff --git a/templates/jigasi.yml b/templates/jigasi.yml index 46f1584..0bcf1d2 100644 --- a/templates/jigasi.yml +++ b/templates/jigasi.yml @@ -4,6 +4,7 @@ services: # SIP gateway (audio) jigasi: image: jitsi/jigasi + restart: unless-stopped ports: - '${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}:${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}/udp' volumes: From 89a5c3571052fe00d60f5cde39df959e20d11ffb Mon Sep 17 00:00:00 2001 From: Joschka Seydell Date: Sat, 12 Dec 2020 06:59:14 -0800 Subject: [PATCH 3/4] Add PUBLIC_URL to all Jitsi containers to allow for proper routing by Traefik. --- templates/docker-compose.jitsi.yml.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/docker-compose.jitsi.yml.j2 b/templates/docker-compose.jitsi.yml.j2 index 1273131..2c1a6ae 100644 --- a/templates/docker-compose.jitsi.yml.j2 +++ b/templates/docker-compose.jitsi.yml.j2 @@ -87,6 +87,7 @@ services: - LDAP_TLS_CACERT_FILE - LDAP_TLS_CACERT_DIR - LDAP_START_TLS + - PUBLIC_URL - XMPP_DOMAIN - XMPP_AUTH_DOMAIN - XMPP_GUEST_DOMAIN @@ -130,6 +131,7 @@ services: - ${CONFIG}/jicofo:/config environment: - ENABLE_AUTH + - PUBLIC_URL - XMPP_DOMAIN - XMPP_AUTH_DOMAIN - XMPP_INTERNAL_MUC_DOMAIN @@ -159,6 +161,7 @@ services: - ${CONFIG}/jvb:/config environment: - DOCKER_HOST_ADDRESS + - PUBLIC_URL - XMPP_AUTH_DOMAIN - XMPP_INTERNAL_MUC_DOMAIN - XMPP_SERVER 
From 63f8b543024d98e74bd8cd6d2fb0dd21ae3d8a70 Mon Sep 17 00:00:00 2001 From: Joschka Seydell Date: Sat, 13 Nov 2021 12:31:39 -0800 Subject: [PATCH 4/4] Add exporter container if metrics shall be exposed. --- README.md | 1 + defaults/main.yml | 1 + src | 2 +- tasks/main.yml | 10 ++++++++++ templates/docker-compose.jitsi.yml.j2 | 14 ++++++++++++++ templates/exporter.env.j2 | 6 ++++++ 6 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 templates/exporter.env.j2 diff --git a/README.md b/README.md index 04c23cd..e2ae4fd 100644 --- a/README.md +++ b/README.md @@ -45,6 +45,7 @@ Role Variables | jitsi_public_url | The public URL under which Jitsi Meet can be accessed | http://localhost | | jitsi_timezone | | Europe/Amsterdam | | jitsi_virtual_host | The virtual host that is e.g. used by Traefik, usually part of the public url | localhost | +| jitsi_expose_metrics | Determine whether an additional expoerter for the Jitsi metrics shall be run | False | \* It is important to provide a dedicated secure password for each service. Generate passwords with e.g. `openssl rand -hex 16` diff --git a/defaults/main.yml b/defaults/main.yml index 053e9e6..f339808 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -17,5 +17,6 @@ jitsi_web_channel_last_n: 3 jitsi_build_latest_image_from_source: yes jitsi_docker_upstream_repo_url: https://github.com/jitsi/docker-jitsi-meet.git jitsi_enable_third_party_requests: no +jitsi_expose_metrics: False # Internal variables jitsi_multitenant_postfix: "{{ '_' + jitsi_multitenant_label if (jitsi_multitenant_label) else '' }}" \ No newline at end of file diff --git a/src b/src index eae3f5c..9b686c6 160000 --- a/src +++ b/src @@ -1 +1 @@ -Subproject commit eae3f5ce2d7627afe4115f52a61cc7ae3e3e8a31 +Subproject commit 9b686c6f4aa74cd33ddcd4dd35decc76a9470e1e diff --git a/tasks/main.yml b/tasks/main.yml index fc79769..1912265 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
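Review bot: `jitsi_expose_metrics: False` uses a capitalised Python-style boolean while the rest of this file uses `yes`/`no`; PyYAML accepts both, but YAML 1.2 parsers and yamllint's `truthy` rule only recognise `true`/`false`, and mixing spellings in one defaults file is a point of style worth settling. Write `jitsi_expose_metrics: false` here (the README row can say `false` as well) and consider moving the `yes`/`no` values to the same form in a follow-up. A one-line comment, `# Also starts the Prometheus exporter container (templates/docker-compose.jitsi.yml.j2)`, would tell the reader what the flag actually deploys.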
@@ -62,6 +62,16 @@ mode: '0640' tags: config +- name: Provide metric exporter environment + template: + src: templates/exporter.env.j2 + dest: "{{ jitsi_install_path }}/jitsi/exporter.env" + owner: "{{ jitsi_install_user }}" + group: "{{ jitsi_install_user }}" + mode: '0640' + tags: config + when: jitsi_expose_metrics + - name: "docker-compose: Teardown existing Jitsi service" docker_compose: project_src: "{{ jitsi_install_path }}/jitsi/" diff --git a/templates/docker-compose.jitsi.yml.j2 b/templates/docker-compose.jitsi.yml.j2 index 2c1a6ae..7f5a8c8 100644 --- a/templates/docker-compose.jitsi.yml.j2 +++ b/templates/docker-compose.jitsi.yml.j2 @@ -179,6 +179,20 @@ services: networks: meet.jitsi: + {% if jitsi_expose_metrics %} + # Data exporter + exporter: + image: goberle/jitsi-prom-exporter + restart: unless-stopped + env_file: exporter.env + depends_on: + - jicofo + networks: + # Expose the data exporter to the public network managed by traefik + public: + meet.jitsi: + {% endif %} + # Custom network so all services can communicate using a FQDN networks: meet.jitsi: diff --git a/templates/exporter.env.j2 b/templates/exporter.env.j2 new file mode 100644 index 0000000..fdc04ff --- /dev/null +++ b/templates/exporter.env.j2 @@ -0,0 +1,6 @@ +XMPP_USER={{ jitsi_jicofo_auth_user }} +XMPP_PW={{ jitsi_jicofo_auth_password }} +XMPP_SERVER=xmpp.meet.jitsi +XMPP_PORT=5222 +XMPP_AUTH_DOMAIN=auth.meet.jitsi +XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi \ No newline at end of file
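Review bot: `exporter.env` is rendered only while `jitsi_expose_metrics` is true and holds an XMPP password, but nothing removes it when the flag is later switched off and the `teardown` tag does not cover it either, so the credential file outlives the service. A counterpart `file:` task with `path: "{{ jitsi_install_path }}/jitsi/exporter.env"`, `state: absent` and `when: not jitsi_expose_metrics` (plus the `teardown` tag) keeps the on-disk state in step with the variable.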
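Review bot: The new `exporter` service joins the `public` network ("managed by traefik") yet carries no `traefik.*` labels, so the practical effect is that every container on that shared network, and Traefik itself if it runs with `exposedByDefault` on, can reach the exporter's unauthenticated metrics port; presumably Prometheus scrapes it over the same network, but the template does not say so. If the scraper lives on `public`, add explicit labels (`traefik.enable=false`, or a router with an auth middleware) so the exposure is deliberate; if it does not, drop `public:` and let the scraper join `meet.jitsi` instead. `image: goberle/jitsi-prom-exporter` is an unpinned third-party image (`:latest`) that the `pull: yes` bootstrap refreshes on every run; pin a tag or digest.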
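Review bot: The exporter authenticates with `jitsi_jicofo_auth_user`/`jitsi_jicofo_auth_password`, the same XMPP account as the conference focus, so a compromise of the third-party exporter container yields credentials that can act as jicofo. A dedicated account (`jitsi_exporter_auth_user`/`jitsi_exporter_auth_password`, listed in the README with the same secure-password note as the other accounts) would keep the blast radius to metrics; if the exporter genuinely needs jicofo's account to join `internal-muc.meet.jitsi`, say so in a comment on the `XMPP_USER` line. The file is rendered with mode `0640`, consistent with `.env`; `0600` is tighter since only the compose user reads it.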