diff --git a/CHANGELOG.md b/CHANGELOG.md
deleted file mode 100644
index 674c3d8..0000000
--- a/CHANGELOG.md
+++ /dev/null
@@ -1,8 +0,0 @@
-## Changelog
-
-### 0.9.0
-
-* Updated to [Jitsi stable-7830](https://github.com/jitsi/docker-jitsi-meet/tree/stable-7830)
-* Adds `jitsi_jvb_advertise_ips`, which supports a comma separated list of IPs
-* Content-Security-Policy now allows `base-uri 'self'` (instead of `none`)
-* Fixed `jitsi_enable_letsencrypt` handling (please note: you will still have to uncomment `LETSENCRYPT_USE_STAGING=1` in the .env file/template if you only want to test Let's Encrypt)
diff --git a/README.md b/README.md
index 16b5f10..e2ae4fd 100644
--- a/README.md
+++ b/README.md
@@ -16,16 +16,19 @@ Role Variables | Variable | Description | Default | | --------------------------- | ------------------------------------------------------------------------------- | ------------------ | -| docker_user | The user who is going to manage/run the Docker Compose services | deploy | +| jitsi_install_user | The user who is going to manage/run the Docker Compose services | {{ ansible_user }} | +| jitsi_install_path | The location where the service should be deployed | /home/{{ jitsi_install_user }} | +| jitsi_multitenant_label | A label (unique accross all instances on this host) identifying the tenant | | | jitsi_build_latest_image_from_source | Will fetch the master of `jitsi_docker_upstream_repo_url` and build the docker image as sometimes the latest available images in the Docker Hub are too old | yes | | jitsi_docker_upstream_repo_url | Git repo of docker-jitsi-meet required by `jitsi_build_latest_image_from_source` | https://github.com/jitsi/docker-jitsi-meet.git | | *jitsi_letsencrypt_email* | E-Mail adress used for requesting certificates | Not set | -| jitsi_docker_host_address | | -| jitsi_jvb_advertise_ips | supports a comma separated list of IPs | | | +| jitsi_docker_host_address | | | | jitsi_enable_letsencrypt | Jitsi will take care of Let's Encrypt certificates | 0 | | jitsi_enable_third_party_requests | Whether to allow third party requests, e.g. to Gravatar (if a user sets her email address) | no | | jitsi_exposed_http_port | Exposed container port for HTTP | 8000 | | jitsi_exposed_https_port | Exposed container port for HTTPS | 8443 | +| jitsi_bridge_udp_port | Port for this instance's Jitsi Video Bridge | 10000 | +| jitsi_bridge_tcp_port | TCP fallback port for the Jitsi Video Bridge | 4443 | | jitsi_jibri_recorder_password | Provide a secure password\* | | | jitsi_jibri_recorder_user | | | | jitsi_jibri_xmpp_password | | | 
@@ -42,6 +45,7 @@ Role Variables | jitsi_public_url | The public URL under which Jitsi Meet can be accessed | http://localhost | | jitsi_timezone | | Europe/Amsterdam | | jitsi_virtual_host | The virtual host that is e.g. used by Traefik, usually part of the public url | localhost | +| jitsi_expose_metrics | Determine whether an additional expoerter for the Jitsi metrics shall be run | False | \* It is important to provide a dedicated secure password for each service. Generate passwords with e.g. `openssl rand -hex 16` diff --git a/defaults/main.yml b/defaults/main.yml index 4c4bea9..f339808 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,28 +1,22 @@ --- # defaults file for jitsi -docker_user: deploy -jitsi_image_version: stable-8960-1 +jitsi_install_user: '{{ ansible_user }}' # This user must be present on the host +jitsi_install_path: '/home/{{ jitsi_install_user }}' +jitsi_multitenant_label: #jitsi_letsencrypt_email:alice@host.tld jitsi_enable_letsencrypt: no jitsi_exposed_http_port: 8000 jitsi_exposed_https_port: 8443 +jitsi_bridge_udp_port: 10000 +jitsi_bridge_tcp_port: 4443 jitsi_virtual_host: localhost jitsi_public_url: http://{{ jitsi_virtual_host }} jitsi_timezone: Europe/Amsterdam +jitsi_jvb_stun_servers: meet-jit-si-turnrelay.jitsi.net:443 jitsi_web_channel_last_n: 3 jitsi_build_latest_image_from_source: yes jitsi_docker_upstream_repo_url: https://github.com/jitsi/docker-jitsi-meet.git jitsi_enable_third_party_requests: no -jitsi_jvb_advertise_ips: "{{ jitsi_docker_host_address }}" - -jitsi_jvb_stun_servers: meet-jit-si-turnrelay.jitsi.net:443 -jitsi_jvb_port: 10000 -jitsi_jvb_tcp_port: 4443 -jitsi_jvb_tcp_mapped_port: 4443 - - -# jitsi_turn_credentials: -# jitsi_turn_host: -jitsi_turn_port: 3478 -# jitsi_turns_host: -jitsi_turns_port: 5349 \ No newline at end of file +jitsi_expose_metrics: False +# Internal variables +jitsi_multitenant_postfix: "{{ '_' + jitsi_multitenant_label if (jitsi_multitenant_label) else '' }}" \ No newline at end of file diff --git a/src b/src index fe5dea3..9b686c6 160000 --- a/src +++ b/src @@ -1 +1 @@ -Subproject commit fe5dea34021da7048492f93e6fb90bfd59763153 +Subproject commit 9b686c6f4aa74cd33ddcd4dd35decc76a9470e1e diff --git a/tasks/main.yml b/tasks/main.yml index 4cb9289..1912265 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
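Review bot: `jitsi_multitenant_label:` in defaults/main.yml is a bare key, which YAML loads as null rather than an empty string; writing `jitsi_multitenant_label: ''` makes the "no tenant" case explicit. The label is also copied unchecked into `jitsi_multitenant_postfix`, and from there into the Compose project name, the Traefik router and middleware names, and the container name that the assert in tasks/main.yml looks up. A comment such as `# lowercase letters, digits and '-' only; ends up in container and Traefik router names` would tell users which values are safe to set. Separately, `jitsi_expose_metrics: False` is better written `false`, in line with the lowercase booleans Ansible recommends.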
@@ -2,51 +2,51 @@ # tasks file for jitsi - name: Ensure jitsi Docker Compose config directory exists file: - path: /home/{{ docker_user }}/jitsi + path: "{{ jitsi_install_path }}/jitsi" state: directory - owner: '{{ docker_user }}' - group: '{{ docker_user }}' + owner: '{{ jitsi_install_user }}' + group: '{{ jitsi_install_user }}' tags: config - name: "Teardown: Remove Jitsi runtime config" file: - path: /home/{{ docker_user }}/jitsi/conf + path: "{{ jitsi_install_path }}/jitsi/conf" state: absent tags: ['never', 'teardown'] - name: Ensure jitsi config directory exists file: - path: /home/{{ docker_user }}/jitsi/conf + path: "{{ jitsi_install_path }}/jitsi/conf" state: directory - owner: '{{ docker_user }}' - group: '{{ docker_user }}' + owner: '{{ jitsi_install_user }}' + group: '{{ jitsi_install_user }}' tags: config - name: "Git: Pull latest upstream docker-jitsi-meet sources (master)" git: repo: "{{ jitsi_docker_upstream_repo_url }}" - dest: /home/{{ docker_user }}/jitsi/docker-jitsi-meet-src + dest: "{{ jitsi_install_path }}/jitsi/docker-jitsi-meet-src" version: master register: git_pull_jitsi_docker_upstream_repo when: jitsi_build_latest_image_from_source == True - name: "Build Jitsi Docker images" shell: - chdir: /home/{{ docker_user }}/jitsi/docker-jitsi-meet-src + chdir: "{{ jitsi_install_path }}/jitsi/docker-jitsi-meet-src" cmd: make when: git_pull_jitsi_docker_upstream_repo.changed - name: Provide docker-compose.yml template: src: templates/docker-compose.jitsi.yml.j2 - dest: /home/{{ docker_user }}/jitsi/docker-compose.yml - owner: "{{ docker_user }}" - group: "{{ docker_user }}" + dest: "{{ jitsi_install_path }}/jitsi/docker-compose.yml" + owner: "{{ jitsi_install_user }}" + group: "{{ jitsi_install_user }}" mode: '0644' tags: config - name: Output docker-compose.yml - shell: cat /home/{{ docker_user }}/jitsi/docker-compose.yml + shell: cat {{ jitsi_install_path }}/jitsi/docker-compose.yml register: output tags: config 
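Review bot: The "Output docker-compose.yml" task interpolates the now user-configurable `jitsi_install_path` unquoted into a shell command line, so a path containing spaces or shell metacharacters is interpreted by the shell instead of being passed to `cat`. Quote it at the point of use, for example `shell: cat {{ (jitsi_install_path ~ '/jitsi/docker-compose.yml') | quote }}`, or switch to the `command` module, since no shell feature is needed. The two `state: directory` tasks set owner and group but no `mode`, so the directory that later holds `.env` gets whatever the umask yields; `mode: '0750'` would pin it. The rest of the output task (after `tags: config`) lies outside this hunk.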
@@ -56,21 +56,31 @@ - name: Provide Jitsi env vars template: src: templates/env.jitsi.j2 - dest: /home/{{ docker_user }}/jitsi/.env - owner: "{{ docker_user }}" - group: "{{ docker_user }}" + dest: "{{ jitsi_install_path }}/jitsi/.env" + owner: "{{ jitsi_install_user }}" + group: "{{ jitsi_install_user }}" mode: '0640' tags: config +- name: Provide metric exporter environment + template: + src: templates/exporter.env.j2 + dest: "{{ jitsi_install_path }}/jitsi/exporter.env" + owner: "{{ jitsi_install_user }}" + group: "{{ jitsi_install_user }}" + mode: '0640' + tags: config + when: jitsi_expose_metrics + - name: "docker-compose: Teardown existing Jitsi service" docker_compose: - project_src: "/home/{{ docker_user }}/jitsi/" + project_src: "{{ jitsi_install_path }}/jitsi/" state: absent tags: ['never', 'teardown'] - name: "docker-compose: Bootstrap Jitsi service" docker_compose: - project_src: "/home/{{ docker_user }}/jitsi/" + project_src: "{{ jitsi_install_path }}/jitsi/" pull: yes register: output @@ -79,30 +89,13 @@ - assert: that: - - "output.services['web']['jitsi_web_1'].state.running" - -- name: "Config: Set channelLastN" - lineinfile: - path: /home/{{ docker_user }}/jitsi/conf/web/config.js - regexp: '(\s*)channelLastN:\s*[^,]+,' - line: '\1channelLastN: {{jitsi_web_channel_last_n|default("-1")}},' - backrefs: yes - tags: config - -- name: "Config: Disable third party requests" - lineinfile: - path: /home/{{ docker_user }}/jitsi/conf/web/config.js - regexp: '(\s*)(//\s*)?disableThirdPartyRequests:\s*false,' - line: '\1disableThirdPartyRequests: true,' - backrefs: yes - when: jitsi_enable_third_party_requests == False - tags: config + - "output.ansible_facts['web']['jitsi{{ jitsi_multitenant_postfix }}_web_1'].state.running" - name: "Test whether Jitsi is healthy from the outside" when: not ansible_check_mode become: false uri: - url: "{{ jitsi_public_url }}" + url: https://{{ jitsi_virtual_host }} return_content: yes timeout: 300 validate_certs: no 
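Review bot: `exporter.env` is only written when `jitsi_expose_metrics` is true, and nothing removes it when the flag is later switched off, so a file from an earlier run stays on disk. The template (templates/exporter.env.j2) is not part of this diff; if it carries XMPP credentials, as exporter configurations usually do, the leftover file keeps them readable to the install group. A cleanup task next to the new one would close that gap.

```yaml
# … unchanged: "Provide metric exporter environment" task …

- name: Remove metric exporter environment when metrics are disabled
  file:
    path: "{{ jitsi_install_path }}/jitsi/exporter.env"
    state: absent
  tags: config
  when: not jitsi_expose_metrics
```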
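Review bot: The health check now requests a hard-coded `https://{{ jitsi_virtual_host }}` while the unchanged `validate_certs: no` stays in place, so it passes even when Traefik serves a self-signed or wrong certificate, and it no longer tests the documented `jitsi_public_url`. Consider making verification the default and overridable, e.g. `validate_certs: "{{ jitsi_healthcheck_validate_certs | default(true) }}"` (a new variable, the name is only a suggestion). The assert above it embeds `{{ … }}` inside a conditional, which Ansible warns about; `"output.ansible_facts['web']['jitsi' ~ jitsi_multitenant_postfix ~ '_web_1'].state.running"` expresses the same lookup without nested templating. The `uri` task continues past the end of this hunk.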
@@ -112,3 +105,21 @@ retries: 5 delay: 10 tags: health + +- name: "Config: Set channelLastN" + lineinfile: + path: "{{ jitsi_install_path }}/jitsi/conf/web/config.js" + regexp: '(\s*)channelLastN:\s*[^,]+,' + line: '\1channelLastN: {{jitsi_web_channel_last_n|default("-1")}},' + backrefs: yes + tags: config + +- name: "Config: Disable third party requests" + lineinfile: + path: "{{ jitsi_install_path }}/jitsi/conf/web/config.js" + regexp: '(\s*)(//\s*)?disableThirdPartyRequests:\s*false,' + line: '\1disableThirdPartyRequests: true,' + backrefs: yes + when: jitsi_enable_third_party_requests == False + tags: config + diff --git a/templates/docker-compose.jitsi.yml.j2 b/templates/docker-compose.jitsi.yml.j2 index f576462..7f5a8c8 100644 --- a/templates/docker-compose.jitsi.yml.j2 +++ b/templates/docker-compose.jitsi.yml.j2 
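Review bot: Moving the two `lineinfile` tasks behind the health check means `disableThirdPartyRequests: true` is written only after the stack is up and reachable, and not at all if the health check fails and stops the play. Keeping them between the bootstrap and the health check, as before, shortens the window in which the instance is reachable with third-party requests allowed. Both tasks use `backrefs: yes`, so a `config.js` whose format no longer matches the regexp is left unchanged without an error; that is plausible here because the images can be built from upstream `master`. A comment like `# backrefs: a non-matching regexp leaves config.js untouched and the task still reports ok` plus a follow-up check of the file content would make that failure visible.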
@@ -1,266 +1,93 @@ -version: '3.5' +version: '3' services: # Frontend web: - image: jitsi/web:${JITSI_IMAGE_VERSION:-unstable} - restart: ${RESTART_POLICY:-unless-stopped} - ports: - - '${HTTP_PORT}:80' - - '${HTTPS_PORT}:443' + image: jitsi/web + restart: unless-stopped volumes: - - ${CONFIG}/web:/config:Z - - ${CONFIG}/web/crontabs:/var/spool/cron/crontabs:Z - - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z + - ${CONFIG}/web:/config + - ${CONFIG}/web/letsencrypt:/etc/letsencrypt + - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts environment: - - AMPLITUDE_ID - - ANALYTICS_SCRIPT_URLS - - ANALYTICS_WHITELISTED_EVENTS - - AUDIO_QUALITY_OPUS_BITRATE - - AUTO_CAPTION_ON_RECORD - - BRANDING_DATA_URL - - CALLSTATS_CUSTOM_SCRIPT_URL - - CALLSTATS_ID - - CALLSTATS_SECRET - - CHROME_EXTENSION_BANNER_JSON - - COLIBRI_WEBSOCKET_PORT - - CONFCODE_URL - - CONFIG_EXTERNAL_CONNECT - - DEFAULT_LANGUAGE - - DEPLOYMENTINFO_ENVIRONMENT - - DEPLOYMENTINFO_ENVIRONMENT_TYPE - - DEPLOYMENTINFO_REGION - - DEPLOYMENTINFO_SHARD - - DEPLOYMENTINFO_USERREGION - - DESKTOP_SHARING_FRAMERATE_MIN - - DESKTOP_SHARING_FRAMERATE_MAX - - DIALIN_NUMBERS_URL - - DIALOUT_AUTH_URL - - DIALOUT_CODES_URL - - DISABLE_AUDIO_LEVELS - - DISABLE_DEEP_LINKING - - DISABLE_GRANT_MODERATOR - - DISABLE_HTTPS - - DISABLE_KICKOUT - - DISABLE_LOCAL_RECORDING - - DISABLE_POLLS - - DISABLE_PRIVATE_CHAT - - DISABLE_PROFILE - - DISABLE_REACTIONS - - DISABLE_REMOTE_VIDEO_MENU - - DISABLE_START_FOR_ALL - - DROPBOX_APPKEY - - DROPBOX_REDIRECT_URI - - DYNAMIC_BRANDING_URL - - ENABLE_AUDIO_PROCESSING - ENABLE_AUTH - - ENABLE_BREAKOUT_ROOMS - - ENABLE_CALENDAR - - ENABLE_COLIBRI_WEBSOCKET - - ENABLE_E2EPING - - ENABLE_FILE_RECORDING_SHARING - ENABLE_GUESTS - - ENABLE_HSTS - - ENABLE_HTTP_REDIRECT - - ENABLE_IPV6 - ENABLE_LETSENCRYPT - - ENABLE_LIPSYNC - - ENABLE_NO_AUDIO_DETECTION - - ENABLE_NOISY_MIC_DETECTION - - ENABLE_OCTO - - ENABLE_OPUS_RED - - ENABLE_PREJOIN_PAGE - - ENABLE_P2P - - 
ENABLE_WELCOME_PAGE - - ENABLE_CLOSE_PAGE - - ENABLE_LIVESTREAMING - - ENABLE_LIVESTREAMING_DATA_PRIVACY_LINK - - ENABLE_LIVESTREAMING_HELP_LINK - - ENABLE_LIVESTREAMING_TERMS_LINK - - ENABLE_LIVESTREAMING_VALIDATOR_REGEXP_STRING - - ENABLE_LOCAL_RECORDING_NOTIFY_ALL_PARTICIPANT - - ENABLE_LOCAL_RECORDING_SELF_START - - ENABLE_RECORDING - - ENABLE_REMB - - ENABLE_REQUIRE_DISPLAY_NAME - - ENABLE_SERVICE_RECORDING - - ENABLE_SIMULCAST - - ENABLE_STATS_ID - - ENABLE_STEREO - - ENABLE_SUBDOMAINS - - ENABLE_TALK_WHILE_MUTED - - ENABLE_TCC + - ENABLE_HTTP_REDIRECT - ENABLE_TRANSCRIPTIONS - - ENABLE_XMPP_WEBSOCKET - - ENABLE_JAAS_COMPONENTS - - ETHERPAD_PUBLIC_URL - - ETHERPAD_URL_BASE - - E2EPING_NUM_REQUESTS - - E2EPING_MAX_CONFERENCE_SIZE - - E2EPING_MAX_MESSAGE_PER_SECOND - - GOOGLE_ANALYTICS_ID - - GOOGLE_API_APP_CLIENT_ID - - HIDE_PREMEETING_BUTTONS - - HIDE_PREJOIN_DISPLAY_NAME - - HIDE_PREJOIN_EXTRA_BUTTONS - - INVITE_SERVICE_URL - - MATOMO_ENDPOINT - - MATOMO_SITE_ID - - MICROSOFT_API_APP_CLIENT_ID - - NGINX_RESOLVER - - NGINX_WORKER_PROCESSES - - NGINX_WORKER_CONNECTIONS - - PEOPLE_SEARCH_URL - - PREFERRED_LANGUAGE + - DISABLE_HTTPS + - JICOFO_AUTH_USER + - LETSENCRYPT_DOMAIN + - LETSENCRYPT_EMAIL - PUBLIC_URL - - P2P_PREFERRED_CODEC - - RESOLUTION - - RESOLUTION_MIN - - RESOLUTION_WIDTH - - RESOLUTION_WIDTH_MIN - - START_AUDIO_MUTED - - START_AUDIO_ONLY - - START_BITRATE - - START_SILENT - - START_WITH_AUDIO_MUTED - - START_VIDEO_MUTED - - START_WITH_VIDEO_MUTED - - TESTING_CAP_SCREENSHARE_BITRATE - - TESTING_OCTO_PROBABILITY - - TOKEN_AUTH_URL - - TOOLBAR_BUTTONS - - TRANSLATION_LANGUAGES - - TRANSLATION_LANGUAGES_HEAD - - TZ - - USE_APP_LANGUAGE - - VIDEOQUALITY_BITRATE_H264_LOW - - VIDEOQUALITY_BITRATE_H264_STANDARD - - VIDEOQUALITY_BITRATE_H264_HIGH - - VIDEOQUALITY_BITRATE_VP8_LOW - - VIDEOQUALITY_BITRATE_VP8_STANDARD - - VIDEOQUALITY_BITRATE_VP8_HIGH - - VIDEOQUALITY_BITRATE_VP9_LOW - - VIDEOQUALITY_BITRATE_VP9_STANDARD - - VIDEOQUALITY_BITRATE_VP9_HIGH - 
- VIDEOQUALITY_ENFORCE_PREFERRED_CODEC - - VIDEOQUALITY_PREFERRED_CODEC + - XMPP_DOMAIN - XMPP_AUTH_DOMAIN - XMPP_BOSH_URL_BASE - - XMPP_DOMAIN - XMPP_GUEST_DOMAIN - XMPP_MUC_DOMAIN - XMPP_RECORDER_DOMAIN - - XMPP_PORT - - WHITEBOARD_ENABLED - - WHITEBOARD_COLLAB_SERVER_PUBLIC_URL + - ETHERPAD_URL_BASE + - TZ + - JIBRI_BREWERY_MUC + - JIBRI_PENDING_TIMEOUT + - JIBRI_XMPP_USER + - JIBRI_XMPP_PASSWORD + - JIBRI_RECORDER_USER + - JIBRI_RECORDER_PASSWORD + - ENABLE_RECORDING labels: - traefik.enable: true - traefik.docker.network: traefik_public - traefik.http.routers.jitsi.rule: Host(`{{ jitsi_virtual_host }}`) - traefik.http.routers.jitsi.entrypoints: websecure - traefik.http.routers.jitsi.tls: true - traefik.http.routers.jitsi.tls.certresolver: defaultresolver - traefik.http.middlewares.jitsi-headers.headers.SSLRedirect: true - traefik.http.middlewares.jitsi-headers.headers.browserXSSFilter: true - traefik.http.middlewares.jitsi-headers.headers.contentTypeNosniff: true - traefik.http.middlewares.jitsi-headers.headers.forceSTSHeader: true - traefik.http.middlewares.jitsi-headers.headers.STSSeconds: 315360000 - traefik.http.middlewares.jitsi-headers.headers.STSIncludeSubdomains: true - traefik.http.middlewares.jitsi-headers.headers.STSPreload: true - traefik.http.middlewares.jitsi-headers.headers.featurePolicy: geolocation 'none'; payment 'none' - traefik.http.middlewares.jitsi-headers.headers.contentSecurityPolicy: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; worker-src 'self' blob:; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'none'; block-all-mixed-content - traefik.http.routers.jitsi.middlewares: jitsi-headers + - "traefik.enable=true" + - "traefik.docker.network=traefik_public" + - "traefik.http.routers.jitsi{{ jitsi_multitenant_postfix }}.rule=Host(`{{ jitsi_virtual_host }}`)" + - "traefik.http.routers.jitsi{{ jitsi_multitenant_postfix 
}}.entrypoints=websecure" + - "traefik.http.routers.jitsi{{ jitsi_multitenant_postfix }}.tls=true" + - "traefik.http.routers.jitsi{{ jitsi_multitenant_postfix }}.tls.certresolver=defaultresolver" + - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.SSLRedirect=true" + - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.browserXSSFilter=true" + - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.contentTypeNosniff=true" + - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.forceSTSHeader=true" + - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.STSSeconds=315360000" + - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.STSIncludeSubdomains=true" + - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.STSPreload=true" + - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.featurePolicy=geolocation 'none'; payment 'none'" + - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.contentSecurityPolicy=default-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'; block-all-mixed-content" + - "traefik.http.routers.jitsi{{ jitsi_multitenant_postfix }}.middlewares=jitsi{{ jitsi_multitenant_postfix }}-headers" networks: public: meet.jitsi: + aliases: + - ${XMPP_DOMAIN} # XMPP server prosody: - image: jitsi/prosody:${JITSI_IMAGE_VERSION:-unstable} - restart: ${RESTART_POLICY:-unless-stopped} + image: jitsi/prosody + restart: unless-stopped expose: - - '${XMPP_PORT:-5222}' + - '5222' - '5347' - '5280' volumes: - - ${CONFIG}/prosody/config:/config:Z - - ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z + - ${CONFIG}/prosody:/config environment: - AUTH_TYPE - - 
DISABLE_POLLS - ENABLE_AUTH - - ENABLE_AV_MODERATION - - ENABLE_BREAKOUT_ROOMS - - ENABLE_END_CONFERENCE - ENABLE_GUESTS - - ENABLE_IPV6 - - ENABLE_LOBBY - - ENABLE_RECORDING - - ENABLE_XMPP_WEBSOCKET - - ENABLE_JAAS_COMPONENTS - - GC_TYPE - - GC_INC_TH - - GC_INC_SPEED - - GC_INC_STEP_SIZE - - GC_GEN_MIN_TH - - GC_GEN_MAX_TH - - GLOBAL_CONFIG - GLOBAL_MODULES - - JIBRI_RECORDER_USER - - JIBRI_RECORDER_PASSWORD - - JIBRI_XMPP_USER - - JIBRI_XMPP_PASSWORD - - JICOFO_AUTH_PASSWORD - - JICOFO_COMPONENT_SECRET - - JIGASI_XMPP_USER - - JIGASI_XMPP_PASSWORD - - JVB_AUTH_USER - - JVB_AUTH_PASSWORD - - JWT_APP_ID - - JWT_APP_SECRET - - JWT_ACCEPTED_ISSUERS - - JWT_ACCEPTED_AUDIENCES - - JWT_ASAP_KEYSERVER - - JWT_ALLOW_EMPTY - - JWT_AUTH_TYPE - - JWT_ENABLE_DOMAIN_VERIFICATION - - JWT_TOKEN_AUTH_MODULE - - MATRIX_UVS_URL - - MATRIX_UVS_ISSUER - - MATRIX_UVS_AUTH_TOKEN - - MATRIX_UVS_SYNC_POWER_LEVELS - - LOG_LEVEL - - LDAP_AUTH_METHOD + - GLOBAL_CONFIG + - LDAP_URL - LDAP_BASE - LDAP_BINDDN - LDAP_BINDPW - LDAP_FILTER + - LDAP_AUTH_METHOD - LDAP_VERSION + - LDAP_USE_TLS - LDAP_TLS_CIPHERS - LDAP_TLS_CHECK_PEER - LDAP_TLS_CACERT_FILE - LDAP_TLS_CACERT_DIR - LDAP_START_TLS - - LDAP_URL - - LDAP_USE_TLS - - MAX_PARTICIPANTS - - PROSODY_AUTH_TYPE - - PROSODY_RESERVATION_ENABLED - - PROSODY_RESERVATION_REST_BASE_URL - - PROSODY_ENABLE_RATE_LIMITS - - PROSODY_RATE_LIMIT_LOGIN_RATE - - PROSODY_RATE_LIMIT_SESSION_RATE - - PROSODY_RATE_LIMIT_TIMEOUT - - PROSODY_RATE_LIMIT_ALLOW_RANGES - - PROSODY_RATE_LIMIT_CACHE_SIZE - PUBLIC_URL - - TURN_CREDENTIALS - - TURN_HOST - - TURNS_HOST - - TURN_PORT - - TURNS_PORT - - TURN_TRANSPORT - - TZ - XMPP_DOMAIN - XMPP_AUTH_DOMAIN - XMPP_GUEST_DOMAIN 
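Review bot: None of the service images is pinned any more: `image: jitsi/web` and `image: jitsi/prosody` here, and `jitsi/jicofo` and `jitsi/jvb` in the following hunks, resolve to `latest` at pull time, and tasks/main.yml bootstraps with `pull: yes`. Restore a fixed reference such as `image: jitsi/web:{{ jitsi_image_version }}` (keeping the default that this commit deletes from defaults/main.yml) or pin by digest, so a deploy is reproducible and an upstream tag change cannot roll out unreviewed. The bind mounts also lose their `:Z` suffix in all four services, which on SELinux-enforcing hosts can deny the containers access to `${CONFIG}`; confirm the target hosts or keep the suffix. The web service's environment list now passes `JIBRI_XMPP_PASSWORD` and `JIBRI_RECORDER_PASSWORD`; unless the frontend image reads them, drop them so the internet-facing container does not hold recorder credentials.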
@@ -268,79 +95,56 @@ services: - XMPP_INTERNAL_MUC_DOMAIN - XMPP_MODULES - XMPP_MUC_MODULES - - XMPP_MUC_CONFIGURATION - XMPP_INTERNAL_MUC_MODULES - XMPP_RECORDER_DOMAIN - - XMPP_PORT + - JICOFO_COMPONENT_SECRET + - JICOFO_AUTH_USER + - JICOFO_AUTH_PASSWORD + - JVB_AUTH_USER + - JVB_AUTH_PASSWORD + - JIGASI_XMPP_USER + - JIGASI_XMPP_PASSWORD + - JIBRI_XMPP_USER + - JIBRI_XMPP_PASSWORD + - JIBRI_RECORDER_USER + - JIBRI_RECORDER_PASSWORD + - JWT_APP_ID + - JWT_APP_SECRET + - JWT_ACCEPTED_ISSUERS + - JWT_ACCEPTED_AUDIENCES + - JWT_ASAP_KEYSERVER + - JWT_ALLOW_EMPTY + - JWT_AUTH_TYPE + - JWT_TOKEN_AUTH_MODULE + - LOG_LEVEL + - TZ networks: meet.jitsi: aliases: - - ${XMPP_SERVER:-xmpp.meet.jitsi} + - ${XMPP_SERVER} # Focus component jicofo: - image: jitsi/jicofo:${JITSI_IMAGE_VERSION:-unstable} - restart: ${RESTART_POLICY:-unless-stopped} - ports: - - '127.0.0.1:${JICOFO_REST_PORT:-8888}:8888' + image: jitsi/jicofo + restart: unless-stopped volumes: - - ${CONFIG}/jicofo:/config:Z + - ${CONFIG}/jicofo:/config environment: - - AUTH_TYPE - - BRIDGE_AVG_PARTICIPANT_STRESS - - BRIDGE_STRESS_THRESHOLD - ENABLE_AUTH - - ENABLE_AUTO_OWNER - - ENABLE_CODEC_VP8 - - ENABLE_CODEC_VP9 - - ENABLE_CODEC_H264 - - ENABLE_CODEC_OPUS_RED - - ENABLE_JVB_XMPP_SERVER - - ENABLE_OCTO - - ENABLE_RECORDING - - ENABLE_SCTP - - ENABLE_AUTO_LOGIN - - JICOFO_AUTH_LIFETIME - - JICOFO_AUTH_PASSWORD - - JICOFO_AUTH_TYPE - - JICOFO_BRIDGE_REGION_GROUPS - - JICOFO_ENABLE_AUTH - - JICOFO_ENABLE_BRIDGE_HEALTH_CHECKS - - JICOFO_CONF_INITIAL_PARTICIPANT_WAIT_TIMEOUT - - JICOFO_CONF_SINGLE_PARTICIPANT_TIMEOUT - - JICOFO_CONF_SOURCE_SIGNALING_DELAYS - - JICOFO_CONF_MAX_AUDIO_SENDERS - - JICOFO_CONF_MAX_VIDEO_SENDERS - - JICOFO_CONF_STRIP_SIMULCAST - - JICOFO_CONF_SSRC_REWRITING - - JICOFO_ENABLE_HEALTH_CHECKS - - JICOFO_ENABLE_REST - - JICOFO_HEALTH_CHECKS_USE_PRESENCE - - JICOFO_MULTI_STREAM_BACKWARD_COMPAT - - JICOFO_OCTO_REGION - - JIBRI_BREWERY_MUC - - JIBRI_REQUEST_RETRIES - - JIBRI_PENDING_TIMEOUT - - 
JIGASI_BREWERY_MUC - - JIGASI_SIP_URI - - JVB_BREWERY_MUC - - JVB_XMPP_AUTH_DOMAIN - - JVB_XMPP_INTERNAL_MUC_DOMAIN - - JVB_XMPP_PORT - - JVB_XMPP_SERVER - - MAX_BRIDGE_PARTICIPANTS - - OCTO_BRIDGE_SELECTION_STRATEGY - - SENTRY_DSN="${JICOFO_SENTRY_DSN:-0}" - - SENTRY_ENVIRONMENT - - SENTRY_RELEASE - - TZ + - PUBLIC_URL - XMPP_DOMAIN - XMPP_AUTH_DOMAIN - XMPP_INTERNAL_MUC_DOMAIN - - XMPP_MUC_DOMAIN - - XMPP_RECORDER_DOMAIN - XMPP_SERVER - - XMPP_PORT + - JICOFO_COMPONENT_SECRET + - JICOFO_AUTH_USER + - JICOFO_AUTH_PASSWORD + - JICOFO_RESERVATION_REST_BASE_URL + - JVB_BREWERY_MUC + - JIGASI_BREWERY_MUC + - JIBRI_BREWERY_MUC + - JIBRI_PENDING_TIMEOUT + - TZ depends_on: - prosody networks: 
@@ -348,56 +152,46 @@ services: # Video bridge jvb: - image: jitsi/jvb:${JITSI_IMAGE_VERSION:-unstable} - restart: ${RESTART_POLICY:-unless-stopped} + image: jitsi/jvb + restart: unless-stopped ports: - - '${JVB_PORT:-10000}:${JVB_PORT:-10000}/udp' - - '${JVB_TCP_MAPPED_PORT:-4443}:${JVB_TCP_PORT:-4443}' - - '127.0.0.1:${JVB_COLIBRI_PORT:-8080}:8080' + - '${JVB_PORT}:${JVB_PORT}/udp' + - '${JVB_TCP_PORT}:${JVB_TCP_PORT}' volumes: - - ${CONFIG}/jvb:/config:Z + - ${CONFIG}/jvb:/config environment: - DOCKER_HOST_ADDRESS - - ENABLE_COLIBRI_WEBSOCKET - - ENABLE_JVB_XMPP_SERVER - - ENABLE_OCTO - - JVB_ADVERTISE_IPS - - JVB_ADVERTISE_PRIVATE_CANDIDATES - - JVB_AUTH_USER - - JVB_AUTH_PASSWORD - - JVB_BREWERY_MUC - - JVB_DISABLE_STUN - - JVB_PORT - - JVB_MUC_NICKNAME - - JVB_STUN_SERVERS - - JVB_OCTO_BIND_ADDRESS - - JVB_OCTO_REGION - - JVB_OCTO_RELAY_ID - - JVB_WS_DOMAIN - - JVB_WS_SERVER_ID - - JVB_XMPP_AUTH_DOMAIN - - JVB_XMPP_INTERNAL_MUC_DOMAIN - - JVB_XMPP_PORT - - JVB_XMPP_SERVER - PUBLIC_URL - - SENTRY_DSN="${JVB_SENTRY_DSN:-0}" - - SENTRY_ENVIRONMENT - - SENTRY_RELEASE - - COLIBRI_REST_ENABLED - - SHUTDOWN_REST_ENABLED - - TZ - XMPP_AUTH_DOMAIN - XMPP_INTERNAL_MUC_DOMAIN - XMPP_SERVER - - XMPP_PORT + - JVB_AUTH_USER + - JVB_AUTH_PASSWORD + - JVB_BREWERY_MUC + - JVB_PORT + - JVB_TCP_HARVESTER_DISABLED + - JVB_TCP_PORT + - JVB_STUN_SERVERS + - JVB_ENABLE_APIS + - TZ depends_on: - prosody networks: meet.jitsi: - labels: - traefik.udp.routers.jvb.entrypoints: video - traefik.udp.routers.jvb.service: jvb - traefik.udp.services.jvb.loadbalancer.server.port: '10000' + + {% if jitsi_expose_metrics %} + # Data exporter + exporter: + image: goberle/jitsi-prom-exporter + restart: unless-stopped + env_file: exporter.env + depends_on: + - jicofo + networks: + # Expose the data exporter to the public network managed by traefik + public: + meet.jitsi: + {% endif %} # Custom network so all services can communicate using a FQDN networks: 
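Review bot: The new `exporter` service runs an untagged third-party image (`goberle/jitsi-prom-exporter`) attached to both `meet.jitsi` and `public`, so an image from outside the Jitsi project sits on the internal XMPP network and is reachable from every container on the Traefik network. Pin it by digest, e.g. `image: goberle/jitsi-prom-exporter@sha256:<digest-placeholder>`, and attach it to `public` only if the scraper really lives there; no Traefik labels or authentication are defined for it in this hunk. The jvb service publishes `'${JVB_TCP_PORT}:${JVB_TCP_PORT}'` although the env template sets `JVB_TCP_HARVESTER_DISABLED=true`; an unused published port is better removed. The `networks:` section at the end of the hunk continues outside it.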
diff --git a/templates/env.jitsi.j2 b/templates/env.jitsi.j2 index 0f30bf2..5f017ed 100644 --- a/templates/env.jitsi.j2 +++ b/templates/env.jitsi.j2 @@ -1,33 +1,26 @@ -# shellcheck disable=SC2034 - -################################################################################ -################################################################################ -# Welcome to the Jitsi Meet Docker setup! # -# This sample .env file contains some basic options to get you started. -# The full options reference can be found here: -# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker -################################################################################ -################################################################################ - +# Docker Compose configuration +# +# Project name for this Docker Compose setup +COMPOSE_PROJECT_NAME=jitsi{{ jitsi_multitenant_postfix }} # # Basic configuration options # -# Directory where all configuration will be stored +# Directory where all configuration will be stored. CONFIG=./conf -# Exposed HTTP port +# Exposed HTTP port. HTTP_PORT={{ jitsi_exposed_http_port }} -# Exposed HTTPS port +# Exposed HTTPS port. HTTPS_PORT={{ jitsi_exposed_https_port }} -# System time zone +# System time zone. TZ={{ jitsi_timezone }} -# Public URL for the web service (required) +# Public URL for the web service. PUBLIC_URL={{ jitsi_public_url }} VIRTUAL_HOST={{ jitsi_virtual_host }} 
@@ -35,48 +28,13 @@ VIRTUAL_HOST={{ jitsi_virtual_host }} # in the README. DOCKER_HOST_ADDRESS={{ jitsi_docker_host_address }} -# Media IP addresses to advertise by the JVB -# This setting deprecates DOCKER_HOST_ADDRESS, and supports a comma separated list of IPs -# See the "Running behind NAT or on a LAN environment" section in the Handbook: -# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment -JVB_ADVERTISE_IPS={{ jitsi_jvb_advertise_ips }} - -JVB_STUN_SERVERS={{ jitsi_jvb_stun_servers }} - -# Media port for the Jitsi Videobridge -JVB_PORT={{ jitsi_jvb_port }} - -# TCP Fallback for Jitsi Videobridge for when UDP isn't available -JVB_TCP_HARVESTER_DISABLED=true -JVB_TCP_PORT={{ jitsi_jvb_tcp_port }} -JVB_TCP_MAPPED_PORT={{ jitsi_jvb_tcp_mapped_port }} - -# A comma separated list of APIs to enable when the JVB is started [default: none] -# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information -JVB_ENABLE_APIS=rest,colibri - -TURN_CREDENTIALS={{ jitsi_turn_credentials }} -TURNS_HOST={{ jitsi_turns_host }} -TURNS_PORT={{ jitsi_turns_port }} -TURN_HOST={{ jitsi_turn_host }} -TURN_PORT={{ jitsi_turn_port }} - -# -# JaaS Components (beta) -# https://jaas.8x8.vc -# - -# Enable JaaS Components (hosted Jigasi) -# NOTE: if Let's Encrypt is enabled a JaaS account will be automatically created, using the provided email in LETSENCRYPT_EMAIL -#ENABLE_JAAS_COMPONENTS=0 - {% if jitsi_enable_letsencrypt %} # # Let's Encrypt configuration # # Enable Let's Encrypt certificate generation. -ENABLE_LETSENCRYPT=1 +ENABLE_LETSENCRYPT=0 # Domain for which to generate the certificate. LETSENCRYPT_DOMAIN={{ jitsi_virtual_host }} 
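Review bot: Inside the `{% if jitsi_enable_letsencrypt %}` block the template now writes `ENABLE_LETSENCRYPT=0`, so switching the role variable on renders the domain and e-mail settings but leaves certificate generation off. If TLS is meant to be terminated only by Traefik (the compose labels configure a `certresolver`), state that in a comment and drop the block and the README entry; otherwise restore `ENABLE_LETSENCRYPT=1`. The conditional is closed outside this hunk.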
@@ -84,45 +42,27 @@ LETSENCRYPT_DOMAIN={{ jitsi_virtual_host }} # E-Mail for receiving important account notifications (mandatory). LETSENCRYPT_EMAIL={{ jitsi_letsencrypt_email }} -# Use the staging server (for avoiding rate limits while testing) -#LETSENCRYPT_USE_STAGING=1 - {% endif -%} # # Etherpad integration (for document sharing) # -# Set etherpad-lite URL in docker local network (uncomment to enable) +# Set etherpad-lite URL (uncomment to enable). #ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001 -# Set etherpad-lite public URL, including /p/ pad path fragment (uncomment to enable) -#ETHERPAD_PUBLIC_URL=https://etherpad.my.domain/p/ - -# Name your etherpad instance! -ETHERPAD_TITLE=Video Chat - -# The default text of a pad -ETHERPAD_DEFAULT_PAD_TEXT="Welcome to Web Chat!\n\n" - -# Name of the skin for etherpad -ETHERPAD_SKIN_NAME=colibris - -# Skin variants for etherpad -ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background full-width-editor" - # # Basic Jigasi configuration options (needed for SIP gateway support) # -# SIP URI for incoming / outgoing calls +# SIP URI for incoming / outgoing calls. #JIGASI_SIP_URI=test@sip2sip.info # Password for the specified SIP account as a clear text #JIGASI_SIP_PASSWORD=passw0rd -# SIP server (use the SIP account domain if in doubt) +# SIP server (use the SIP account domain if in doubt). #JIGASI_SIP_SERVER=sip2sip.info # SIP server port 
@@ -131,54 +71,54 @@ ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background # SIP server transport #JIGASI_SIP_TRANSPORT=UDP - # -# Authentication configuration (see handbook for details) +# Authentication configuration (see README for details) # -# Enable authentication +# Enable authentication. #ENABLE_AUTH=1 -# Enable guest access +# Enable guest access. #ENABLE_GUESTS=1 -# Select authentication type: internal, jwt, ldap or matrix +# Select authentication type: internal, jwt or ldap #AUTH_TYPE=internal -# JWT authentication +# JWT auuthentication # -# Application identifier +# Application identifier. #JWT_APP_ID=my_jitsi_app_id -# Application secret known only to your token generator +# Application secret known only to your token. #JWT_APP_SECRET=my_jitsi_app_secret -# (Optional) Set asap_accepted_issuers as a comma separated list +# (Optional) Set asap_accepted_issuers as a comma separated list. #JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client -# (Optional) Set asap_accepted_audiences as a comma separated list +# (Optional) Set asap_accepted_audiences as a comma separated list. #JWT_ACCEPTED_AUDIENCES=my_server1,my_server2 + # LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page) # -# LDAP url for connection +# LDAP url for connection. #LDAP_URL=ldaps://ldap.domain.com/ # LDAP base DN. Can be empty #LDAP_BASE=DC=example,DC=domain,DC=com -# LDAP user DN. Do not specify this parameter for the anonymous bind +# LDAP user DN. Do not specify this parameter for the anonymous bind. #LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com -# LDAP user password. Do not specify this parameter for the anonymous bind +# LDAP user password. Do not specify this parameter for the anonymous bind. #LDAP_BINDPW=LdapUserPassw0rd # LDAP filter. 
Tokens example: -# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail -# %s - %s is replaced by the complete service string -# %r - %r is replaced by the complete realm string +# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail. +# %s - %s is replaced by the complete service string. +# %r - %r is replaced by the complete realm string. #LDAP_FILTER=(sAMAccountName=%u) # LDAP authentication method @@ -190,16 +130,16 @@ ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background # LDAP TLS using #LDAP_USE_TLS=1 -# List of SSL/TLS ciphers to allow +# List of SSL/TLS ciphers to allow. #LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC # Require and verify server certificate #LDAP_TLS_CHECK_PEER=1 -# Path to CA cert file. Used when server certificate verify is enabled +# Path to CA cert file. Used when server sertificate verify is enabled. #LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt -# Path to CA certs directory. Used when server certificate verify is enabled +# Path to CA certs directory. Used when server sertificate verify is enabled. #LDAP_TLS_CACERT_DIR=/etc/ssl/certs # Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps:// 
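Review bot: Several of the reworded comments in this hunk and the next are less accurate than the lines they replace. `# JWT auuthentication` and `server sertificate verify` (twice, in the `LDAP_TLS_CACERT_*` comments) are misspelled, and `# Application secret known only to your token.` loses the word "generator", which is the part that says who may hold `JWT_APP_SECRET`. I would keep the previous wording `# Application secret known only to your token generator` and correct the spellings to "authentication" and "certificate".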
@@ -207,40 +147,164 @@ ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background # -# Security -# -# Set these to strong passwords to avoid intruders from impersonating a service account -# The service(s) won't start unless these are specified -# Running ./gen-passwords.sh will update .env with strong passwords -# You may skip the Jigasi and Jibri passwords if you are not using those -# DO NOT reuse passwords +# Advanced configuration options (you generally don't need to change these) # -# XMPP password for Jicofo client connections -JICOFO_AUTH_PASSWORD={{ jitsi_jicofo_auth_password }} +# Internal XMPP domain. +XMPP_DOMAIN=meet.jitsi -# XMPP password for JVB client connections +# Internal XMPP server +XMPP_SERVER=xmpp.meet.jitsi + +# Internal XMPP server URL +XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280 + +# Internal XMPP domain for authenticated services. +XMPP_AUTH_DOMAIN=auth.meet.jitsi + +# XMPP domain for the MUC. +XMPP_MUC_DOMAIN=muc.meet.jitsi + +# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools. +XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi + +# XMPP domain for unauthenticated users. +XMPP_GUEST_DOMAIN=guest.meet.jitsi + +# Custom Prosody modules for XMPP_DOMAIN (comma separated) +XMPP_MODULES= + +# Custom Prosody modules for MUC component (comma separated) +XMPP_MUC_MODULES= + +# Custom Prosody modules for internal MUC component (comma separated) +XMPP_INTERNAL_MUC_MODULES= + +# MUC for the JVB pool. +JVB_BREWERY_MUC=jvbbrewery + +# XMPP user for JVB client connections. +JVB_AUTH_USER={{ jitsi_jvb_auth_user }} + +# XMPP password for JVB client connections. JVB_AUTH_PASSWORD={{ jitsi_jvb_auth_password }} -# XMPP password for Jigasi MUC client connections +# STUN servers used to discover the server's public IP. 
+JVB_STUN_SERVERS={{ jitsi_jvb_stun_servers }} + +# Media port for the Jitsi Videobridge +JVB_PORT={{ jitsi_bridge_udp_port }} + +# TCP Fallback for Jitsi Videobridge for when UDP isn't available +JVB_TCP_HARVESTER_DISABLED=true +JVB_TCP_PORT={{ jitsi_bridge_tcp_port }} + +# A comma separated list of APIs to enable when the JVB is started. The default is none. +# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information +#JVB_ENABLE_APIS=rest,colibri + +# XMPP component password for Jicofo. +JICOFO_COMPONENT_SECRET={{ jitsi_jicofo_component_secret }} + +# XMPP user for Jicofo client connections. NOTE: this option doesn't currently work due to a bug. +JICOFO_AUTH_USER={{ jitsi_jicofo_auth_user }} + +# XMPP password for Jicofo client connections. +JICOFO_AUTH_PASSWORD={{ jitsi_jicofo_auth_password }} + +# Base URL of Jicofo's reservation REST API +#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com + +# XMPP user for Jigasi MUC client connections. +JIGASI_XMPP_USER={{ jitsi_jigasi_xmpp_user }} + +# XMPP password for Jigasi MUC client connections. JIGASI_XMPP_PASSWORD={{ jitsi_jigasi_xmpp_password }} -# XMPP recorder password for Jibri client connections +# MUC name for the Jigasi pool. +JIGASI_BREWERY_MUC=jigasibrewery + +# Minimum port for media used by Jigasi. +JIGASI_PORT_MIN=20000 + +# Maximum port for media used by Jigasi. +JIGASI_PORT_MAX=20050 + +# Enable SDES srtp +#JIGASI_ENABLE_SDES_SRTP=1 + +# Keepalive method +#JIGASI_SIP_KEEP_ALIVE_METHOD=OPTIONS + +# Health-check extension +#JIGASI_HEALTH_CHECK_SIP_URI=keepalive + +# Health-check interval +#JIGASI_HEALTH_CHECK_INTERVAL=300000 +# +# Enable Jigasi transcription. +#ENABLE_TRANSCRIPTIONS=1 + +# Jigasi will recordord an audio when transcriber is on. Default false. +#JIGASI_TRANSCRIBER_RECORD_AUDIO=true + +# Jigasi will send transcribed text to the chat when transcriber is on. Default false. 
+#JIGASI_TRANSCRIBER_SEND_TXT=true + +# Jigasi post to the chat an url with transcription file. Default false. +#JIGASI_TRANSCRIBER_ADVERTISE_URL=true + +# Credentials for connect to Cloud Google API from Jigasi. Path located inside the container. +# Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol +# section "Before you begin" from 1 to 5 paragraph. Copy the key on +# the docker host to ${CONFIG}/jigasi/key.json and to enable this setting: +#GOOGLE_APPLICATION_CREDENTIALS=/config/key.json + +# Enable recording +#ENABLE_RECORDING=1 + +# XMPP domain for the jibri recorder +XMPP_RECORDER_DOMAIN=recorder.meet.jitsi + +# XMPP recorder user for Jibri client connections. +JIBRI_RECORDER_USER={{ jitsi_jibri_recorder_user }} + +# XMPP recorder password for Jibri client connections. JIBRI_RECORDER_PASSWORD={{ jitsi_jibri_recorder_password }} -# XMPP password for Jibri client connections +# Directory for recordings inside Jibri container. +JIBRI_RECORDING_DIR=/config/recordings + +# The finalizing script. Will run after recording is complete. +JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh + +# XMPP user for Jibri client connections. +JIBRI_XMPP_USER={{ jitsi_jibri_xmpp_user }} + +# XMPP password for Jibri client connections. JIBRI_XMPP_PASSWORD={{ jitsi_jibri_xmpp_password }} -# -# Docker Compose options -# +# MUC name for the Jibri pool. 
+JIBRI_BREWERY_MUC=jibribrewery -# Container restart policy -# Defaults to unless-stopped -RESTART_POLICY=unless-stopped +# MUC connection timeout +JIBRI_PENDING_TIMEOUT=90 -# Jitsi image version (useful for local development) -JITSI_IMAGE_VERSION={{ jitsi_image_version }} +# When jibri gets a request to start a service for a room, the room +# jid will look like: roomName@optional.prefixes.subdomain.xmpp_domain +# We'll build the url for the call by transforming that into: +# https://xmpp_domain/subdomain/roomName +# So if there are any prefixes in the jid (like jitsi meet, which +# has its participants join a muc at conference.xmpp_domain) then +# list that prefix here so it can be stripped out to generate +# the call url correctly. +JIBRI_STRIP_DOMAIN_JID=muc -# https://github.com/jitsi/docker-jitsi-meet/issues/1566#issuecomment-1609404560 -JVB_DISABLE_STUN=true \ No newline at end of file +# Directory for logs inside Jibri container. +JIBRI_LOGS_DIR=/config/logs + +# Disable HTTPS. This can be useful if TLS connections are going to be handled outside of this setup. +#DISABLE_HTTPS=1 + +# Redirects HTTP traffic to HTTPS. Only works with the standard HTTPS port (443). +#ENABLE_HTTP_REDIRECT=1 diff --git a/templates/etherpad.yml b/templates/etherpad.yml index 49f9be0..200f669 100644 --- a/templates/etherpad.yml +++ b/templates/etherpad.yml @@ -1,17 +1,11 @@ -version: '3.5' +version: '3' services: # Etherpad: real-time collaborative document editing etherpad: - image: etherpad/etherpad:1.8.6 - restart: ${RESTART_POLICY:-unless-stopped} - environment: - - TITLE=${ETHERPAD_TITLE} - - DEFAULT_PAD_TEXT=${ETHERPAD_DEFAULT_PAD_TEXT} - - SKIN_NAME=${ETHERPAD_SKIN_NAME} - - SKIN_VARIANTS=${ETHERPAD_SKIN_VARIANTS} + image: jitsi/etherpad + restart: unless-stopped networks: meet.jitsi: aliases: - etherpad.meet.jitsi - diff --git a/templates/exporter.env.j2 b/templates/exporter.env.j2 new file mode 100644 index 0000000..fdc04ff --- /dev/null +++ b/templates/exporter.env.j2 
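Review bot: The service credentials (JVB_AUTH_PASSWORD, JICOFO_COMPONENT_SECRET, JICOFO_AUTH_PASSWORD, JIGASI_XMPP_PASSWORD, JIBRI_RECORDER_PASSWORD, JIBRI_XMPP_PASSWORD) now sit under "Advanced configuration options (you generally don't need to change these)", and the removed guidance on strong, non-reused passwords has no replacement on the new side. I would keep a comment above them such as `# Service-account secrets: set each to a strong, unique value; do not reuse passwords`. The values are rendered unquoted, so a secret containing whitespace or `#` may be read differently by the env-file parser than intended, depending on the Compose version in use; restricting generated secrets to a safe alphabet avoids that. The README table in this commit lists no default for the Jibri passwords, so a check in the role that these variables are non-empty would be worth adding outside this hunk.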
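Review bot: `image: jitsi/etherpad` carries no tag, so every pull resolves to whatever `latest` points at and the deployed version is neither reproducible nor reviewable; the same applies to `image: jitsi/jibri` and `image: jitsi/jigasi` in the jibri.yml and jigasi.yml hunks. Pinning a tag, or better a digest, keeps an unexpected or tampered upstream push from reaching hosts on the next deploy, e.g. `image: jitsi/etherpad:<PINNED_TAG>` or `image: jitsi/etherpad@sha256:<DIGEST>`. The hunk also drops the four `ETHERPAD_*` environment entries, so values set for them in the .env file no longer reach the container.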
@@ -0,0 +1,6 @@ +XMPP_USER={{ jitsi_jicofo_auth_user }} +XMPP_PW={{ jitsi_jicofo_auth_password }} +XMPP_SERVER=xmpp.meet.jitsi +XMPP_PORT=5222 +XMPP_AUTH_DOMAIN=auth.meet.jitsi +XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi \ No newline at end of file diff --git a/templates/jibri.yml b/templates/jibri.yml index 826797d..3efbc8b 100644 --- a/templates/jibri.yml +++ b/templates/jibri.yml @@ -1,22 +1,23 @@ -version: '3.5' +version: '3' services: jibri: - image: jitsi/jibri:${JITSI_IMAGE_VERSION:-stable-7830} - restart: ${RESTART_POLICY:-unless-stopped} + image: jitsi/jibri + restart: unless-stopped volumes: - - ${CONFIG}/jibri:/config:Z - shm_size: '2gb' + - ${CONFIG}/jibri:/config + - /dev/shm:/dev/shm cap_add: - SYS_ADMIN + - NET_BIND_SERVICE + devices: + - /dev/snd:/dev/snd environment: - - CHROMIUM_FLAGS - - DISPLAY=:0 - - ENABLE_STATS_D - - JIBRI_HTTP_API_EXTERNAL_PORT - - JIBRI_HTTP_API_INTERNAL_PORT - - JIBRI_RECORDING_RESOLUTION - - JIBRI_USAGE_TIMEOUT + - XMPP_AUTH_DOMAIN + - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_RECORDER_DOMAIN + - XMPP_SERVER + - XMPP_DOMAIN - JIBRI_XMPP_USER - JIBRI_XMPP_PASSWORD - JIBRI_BREWERY_MUC @@ -25,18 +26,9 @@ services: - JIBRI_RECORDING_DIR - JIBRI_FINALIZE_RECORDING_SCRIPT_PATH - JIBRI_STRIP_DOMAIN_JID - - PUBLIC_URL + - JIBRI_LOGS_DIR + - DISPLAY=:0 - TZ - - XMPP_AUTH_DOMAIN - - XMPP_DOMAIN - - XMPP_INTERNAL_MUC_DOMAIN - - XMPP_MUC_DOMAIN - - XMPP_RECORDER_DOMAIN - - XMPP_SERVER - - XMPP_PORT - - XMPP_TRUST_ALL_CERTS - depends_on: - - jicofo networks: meet.jitsi: diff --git a/templates/jigasi.yml b/templates/jigasi.yml index d6cb0e2..0bcf1d2 100644 --- a/templates/jigasi.yml +++ b/templates/jigasi.yml 
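Review bot: `XMPP_USER` and `XMPP_PW` hand the exporter Jicofo's own XMPP account, so a compromise of the metrics container also exposes the credentials of the conference focus. A dedicated account with only the access the exporter needs would contain that, e.g. `XMPP_USER={{ <exporter_xmpp_user_var> }}` and `XMPP_PW={{ <exporter_xmpp_password_var> }}` (placeholder variable names; the role would have to define and register them). What the exporter does with the account is not visible in this diff, so the required privileges need confirming. Because the rendered file holds a secret, the task that writes it should set a restrictive mode such as `mode: "0600"`.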
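Review bot: `- /dev/shm:/dev/shm` in the first jibri.yml hunk replaces the private `shm_size: '2gb'` with a bind mount of the host's shared-memory filesystem into a container that also keeps `SYS_ADMIN`, so the recorder can read and write shared-memory files belonging to other processes on the host. Keeping `shm_size: '2gb'` gives the browser the space it needs without that exposure. The added `NET_BIND_SERVICE` capability and the `/dev/snd:/dev/snd` device widen the container's privileges further; if the image in use does not require them, they are better left out. The config volume also loses its `:Z` label, which on SELinux-enforcing hosts can leave /config inaccessible to the container, and the same applies to the two volumes in jigasi.yml. The service definition continues in the next hunk.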
@@ -3,31 +3,25 @@ version: '3' services: # SIP gateway (audio) jigasi: - image: jitsi/jigasi:${JITSI_IMAGE_VERSION:-stable-7830} - restart: ${RESTART_POLICY:-unless-stopped} + image: jitsi/jigasi + restart: unless-stopped ports: - - '${JIGASI_PORT_MIN:-20000}-${JIGASI_PORT_MAX:-20050}:${JIGASI_PORT_MIN:-20000}-${JIGASI_PORT_MAX:-20050}/udp' + - '${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}:${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}/udp' volumes: - - ${CONFIG}/jigasi:/config:Z - - ${CONFIG}/transcripts:/tmp/transcripts:Z + - ${CONFIG}/jigasi:/config + - ${CONFIG}/transcripts:/tmp/transcripts environment: - ENABLE_AUTH - - ENABLE_GUESTS - XMPP_AUTH_DOMAIN - - XMPP_GUEST_DOMAIN - - XMPP_MUC_DOMAIN - XMPP_INTERNAL_MUC_DOMAIN - XMPP_SERVER - - XMPP_PORT - XMPP_DOMAIN - PUBLIC_URL - - JIGASI_DISABLE_SIP - JIGASI_SIP_URI - JIGASI_SIP_PASSWORD - JIGASI_SIP_SERVER - JIGASI_SIP_PORT - JIGASI_SIP_TRANSPORT - - JIGASI_SIP_DEFAULT_ROOM - JIGASI_XMPP_USER - JIGASI_XMPP_PASSWORD - JIGASI_BREWERY_MUC @@ -41,18 +35,9 @@ services: - JIGASI_TRANSCRIBER_ADVERTISE_URL - JIGASI_TRANSCRIBER_RECORD_AUDIO - JIGASI_TRANSCRIBER_SEND_TXT - - GC_PROJECT_ID - - GC_PRIVATE_KEY_ID - - GC_PRIVATE_KEY - - GC_CLIENT_EMAIL - - GC_CLIENT_ID - - GC_CLIENT_CERT_URL - - SENTRY_DSN="${JIGASI_SENTRY_DSN:-0}" - - SENTRY_ENVIRONMENT - - SENTRY_RELEASE + - GOOGLE_APPLICATION_CREDENTIALS - TZ depends_on: - prosody networks: meet.jitsi: -
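Review bot: `GOOGLE_APPLICATION_CREDENTIALS` in the second jigasi.yml hunk replaces the individual `GC_*` variables, and the env template in this commit tells operators to copy the key to `${CONFIG}/jigasi/key.json`, so a service-account private key now lives inside the read-write `/config` volume declared in the previous hunk. A comment next to the entry would make the handling explicit, for example `# key.json is a service-account private key: keep it readable only by the deploying user on the host`. Scoping that service account to the speech API alone limits what a leaked key can be used for.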