From b8a2ca2af368e33e98e4298fa79c9e44b04389f6 Mon Sep 17 00:00:00 2001 From: Joschka Seydell Date: Sun, 29 Nov 2020 03:21:22 -0800 Subject: [PATCH 01/18] Added install path and consolidated var usage. --- README.md | 3 ++- defaults/main.yml | 3 ++- tasks/main.yml | 40 ++++++++++++++++++++-------------------- 3 files changed, 24 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index a10e2d9..87bfe81 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,8 @@ Role Variables | Variable | Description | Default | | --------------------------- | ------------------------------------------------------------------------------- | ------------------ | -| docker_user | The user who is going to manage/run the Docker Compose services | deploy | +| jitsi_install_user | The user who is going to manage/run the Docker Compose services | {{ ansible_user }} | +| jitsi_install_path | The location where the service should be deployed | /home/{{ jitsi_install_user }} | | jitsi_build_latest_image_from_source | Will fetch the master of `jitsi_docker_upstream_repo_url` and build the docker image as sometimes the latest available images in the Docker Hub are too old | yes | | jitsi_docker_upstream_repo_url | Git repo of docker-jitsi-meet required by `jitsi_build_latest_image_from_source` | https://github.com/jitsi/docker-jitsi-meet.git | | *jitsi_letsencrypt_email* | E-Mail adress used for requesting certificates | Not set | diff --git a/defaults/main.yml b/defaults/main.yml index 66d322e..3d60f34 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,7 @@ --- # defaults file for jitsi -docker_user: deploy +jitsi_install_user: '{{ ansible_user }}' # This user must be present on the host +jitsi_install_path: '/home/{{ jitsi_install_user }}' #jitsi_letsencrypt_email:alice@host.tld jitsi_enable_letsencrypt: no jitsi_exposed_http_port: 8000 diff --git a/tasks/main.yml b/tasks/main.yml index 1ef8919..3fcbaa0 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
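Review bot: `jitsi_install_user: '{{ ansible_user }}'` is undefined whenever the inventory or play does not set `ansible_user` explicitly, so every task that consumes it (`owner:`/`group:` in tasks/main.yml) would fail with an undefined-variable error instead of falling back to the connecting user. Consider `jitsi_install_user: "{{ ansible_user | default(ansible_user_id) }}"` (which needs fact gathering) or extend the existing inline comment to say the variable must be set in inventory. `jitsi_install_path: '/home/{{ jitsi_install_user }}'` additionally assumes the home directory lives under `/home`, which the role never verifies.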
@@ -2,51 +2,51 @@ # tasks file for jitsi - name: Ensure jitsi Docker Compose config directory exists file: - path: /home/{{ docker_user }}/jitsi + path: "{{ jitsi_install_path }}/jitsi" state: directory - owner: '{{ docker_user }}' - group: '{{ docker_user }}' + owner: '{{ jitsi_install_user }}' + group: '{{ jitsi_install_user }}' tags: config - name: "Teardown: Remove Jitsi runtime config" file: - path: /home/{{ docker_user }}/jitsi/conf + path: "{{ jitsi_install_path }}/jitsi/conf" state: absent tags: ['never', 'teardown'] - name: Ensure jitsi config directory exists file: - path: /home/{{ docker_user }}/jitsi/conf + path: "{{ jitsi_install_path }}/jitsi/conf" state: directory - owner: '{{ docker_user }}' - group: '{{ docker_user }}' + owner: '{{ jitsi_install_user }}' + group: '{{ jitsi_install_user }}' tags: config - name: "Git: Pull latest upstream docker-jitsi-meet sources (master)" git: repo: "{{ jitsi_docker_upstream_repo_url }}" - dest: /home/{{ docker_user }}/jitsi/docker-jitsi-meet-src + dest: "{{ jitsi_install_path }}/jitsi/docker-jitsi-meet-src" version: master register: git_pull_jitsi_docker_upstream_repo when: jitsi_build_latest_image_from_source == True - name: "Build Jitsi Docker images" shell: - chdir: /home/{{ docker_user }}/jitsi/docker-jitsi-meet-src + chdir: "{{ jitsi_install_path }}/jitsi/docker-jitsi-meet-src" cmd: make when: git_pull_jitsi_docker_upstream_repo.changed - name: Provide docker-compose.yml template: src: templates/docker-compose.jitsi.yml.j2 - dest: /home/{{ docker_user }}/jitsi/docker-compose.yml - owner: "{{ docker_user }}" - group: "{{ docker_user }}" + dest: "{{ jitsi_install_path }}/jitsi/docker-compose.yml" + owner: "{{ jitsi_install_user }}" + group: "{{ jitsi_install_user }}" mode: '0644' tags: config - name: Output docker-compose.yml - shell: cat /home/{{ docker_user }}/jitsi/docker-compose.yml + shell: cat {{ jitsi_install_path }}/jitsi/docker-compose.yml register: output tags: config 
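Review bot: `shell: cat {{ jitsi_install_path }}/jitsi/docker-compose.yml` interpolates the now user-configurable install path into an unquoted shell command line, so a path containing whitespace or shell metacharacters breaks the command or changes its meaning; the other tasks in this hunk pass the same path as a quoted module argument and are fine. Because the task only captures file content, `ansible.builtin.slurp` avoids the shell entirely, or at minimum `command: cat "{{ jitsi_install_path }}/jitsi/docker-compose.yml"`. Separately, the git task still checks out `version: master` and the next task runs `make` on whatever that resolves to, so the locally built images track an unpinned upstream head; a role variable holding a tag or commit (defaulting to `master` for compatibility) would make the build reproducible and reviewable.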
@@ -56,21 +56,21 @@ - name: Provide Jitsi env vars template: src: templates/env.jitsi.j2 - dest: /home/{{ docker_user }}/jitsi/.env - owner: "{{ docker_user }}" - group: "{{ docker_user }}" + dest: "{{ jitsi_install_path }}/jitsi/.env" + owner: "{{ jitsi_install_user }}" + group: "{{ jitsi_install_user }}" mode: '0640' tags: config - name: "docker-compose: Teardown existing Jitsi service" docker_compose: - project_src: "/home/{{ docker_user }}/jitsi/" + project_src: "{{ jitsi_install_path }}/jitsi/" state: absent tags: ['never', 'teardown'] - name: "docker-compose: Bootstrap Jitsi service" docker_compose: - project_src: "/home/{{ docker_user }}/jitsi/" + project_src: "{{ jitsi_install_path }}/jitsi/" pull: yes register: output @@ -98,7 +98,7 @@ - name: "Config: Set channelLastN" lineinfile: - path: /home/{{ docker_user }}/jitsi/conf/web/config.js + path: "{{ jitsi_install_path }}/jitsi/conf/web/config.js" regexp: '(\s*)channelLastN:\s*[^,]+,' line: '\1channelLastN: {{jitsi_web_channel_last_n|default("-1")}},' backrefs: yes @@ -106,7 +106,7 @@ - name: "Config: Disable third party requests" lineinfile: - path: /home/{{ docker_user }}/jitsi/conf/web/config.js + path: "{{ jitsi_install_path }}/jitsi/conf/web/config.js" regexp: '(\s*)(//\s*)?disableThirdPartyRequests:\s*false,' line: '\1disableThirdPartyRequests: true,' backrefs: yes From 87d2cd58ec47058859a8ef74660ed6151de7c7a3 Mon Sep 17 00:00:00 2001 From: Joschka Seydell Date: Mon, 30 Nov 2020 13:38:06 -0800 Subject: [PATCH 02/18] Adjusted variables and docker-compose file to account for multitenancy setups. --- README.md | 3 +++ defaults/main.yml | 7 ++++++- tasks/main.yml | 2 +- templates/docker-compose.jitsi.yml.j2 | 28 +++++++++++++-------------- templates/env.jitsi.j2 | 10 ++++++++-- templates/etherpad.yml | 1 + templates/jibri.yml | 1 + templates/jigasi.yml | 1 + 8 files changed, 35 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 87bfe81..04c23cd 100644 --- a/README.md +++ b/README.md 
@@ -18,6 +18,7 @@ Role Variables | --------------------------- | ------------------------------------------------------------------------------- | ------------------ | | jitsi_install_user | The user who is going to manage/run the Docker Compose services | {{ ansible_user }} | | jitsi_install_path | The location where the service should be deployed | /home/{{ jitsi_install_user }} | +| jitsi_multitenant_label | A label (unique accross all instances on this host) identifying the tenant | | | jitsi_build_latest_image_from_source | Will fetch the master of `jitsi_docker_upstream_repo_url` and build the docker image as sometimes the latest available images in the Docker Hub are too old | yes | | jitsi_docker_upstream_repo_url | Git repo of docker-jitsi-meet required by `jitsi_build_latest_image_from_source` | https://github.com/jitsi/docker-jitsi-meet.git | | *jitsi_letsencrypt_email* | E-Mail adress used for requesting certificates | Not set | @@ -26,6 +27,8 @@ Role Variables | jitsi_enable_third_party_requests | Whether to allow third party requests, e.g. to Gravatar (if a user sets her email address) | no | | jitsi_exposed_http_port | Exposed container port for HTTP | 8000 | | jitsi_exposed_https_port | Exposed container port for HTTPS | 8443 | +| jitsi_bridge_udp_port | Port for this instance's Jitsi Video Bridge | 10000 | +| jitsi_bridge_tcp_port | TCP fallback port for the Jitsi Video Bridge | 4443 | | jitsi_jibri_recorder_password | Provide a secure password\* | | | jitsi_jibri_recorder_user | | | | jitsi_jibri_xmpp_password | | | diff --git a/defaults/main.yml b/defaults/main.yml index 3d60f34..053e9e6 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -2,10 +2,13 @@ # defaults file for jitsi jitsi_install_user: '{{ ansible_user }}' # This user must be present on the host jitsi_install_path: '/home/{{ jitsi_install_user }}' +jitsi_multitenant_label: #jitsi_letsencrypt_email:alice@host.tld jitsi_enable_letsencrypt: no jitsi_exposed_http_port: 8000 jitsi_exposed_https_port: 8443 +jitsi_bridge_udp_port: 10000 +jitsi_bridge_tcp_port: 4443 jitsi_virtual_host: localhost jitsi_public_url: http://{{ jitsi_virtual_host }} jitsi_timezone: Europe/Amsterdam @@ -13,4 +16,6 @@ jitsi_jvb_stun_servers: meet-jit-si-turnrelay.jitsi.net:443 jitsi_web_channel_last_n: 3 jitsi_build_latest_image_from_source: yes jitsi_docker_upstream_repo_url: https://github.com/jitsi/docker-jitsi-meet.git -jitsi_enable_third_party_requests: no \ No newline at end of file +jitsi_enable_third_party_requests: no +# Internal variables +jitsi_multitenant_postfix: "{{ '_' + jitsi_multitenant_label if (jitsi_multitenant_label) else '' }}" \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index 3fcbaa0..fc79769 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -79,7 +79,7 @@ - assert: that: - - "output.ansible_facts['web']['jitsi_web_1'].state.running" + - "output.ansible_facts['web']['jitsi{{ jitsi_multitenant_postfix }}_web_1'].state.running" - name: "Test whether Jitsi is healthy from the outside" when: not ansible_check_mode diff --git a/templates/docker-compose.jitsi.yml.j2 b/templates/docker-compose.jitsi.yml.j2 index 86fba7f..1273131 100644 --- a/templates/docker-compose.jitsi.yml.j2 +++ b/templates/docker-compose.jitsi.yml.j2 
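Review bot: `jitsi_multitenant_label:` with no value parses as null, which the `jitsi_multitenant_postfix` expression tolerates through its truthiness test, but it reads as a forgotten value and trips yamllint's `empty-values` check; `jitsi_multitenant_label: ''` states the intent. The label is spliced unvalidated into the Compose project name and the Traefik router and middleware names, so a value with spaces, dots or uppercase characters only surfaces as an invalid name at deploy time; an early `assert` such as `that: (jitsi_multitenant_label | default('', true)) is match('^[a-z0-9_-]*$')` in tasks/main.yml would catch it up front. The file also still ends without a trailing newline, as the `\ No newline at end of file` marker shows.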
@@ -38,20 +38,20 @@ services: labels: - "traefik.enable=true" - "traefik.docker.network=traefik_public" - - "traefik.http.routers.jitsi.rule=Host(`{{ jitsi_virtual_host }}`)" - - "traefik.http.routers.jitsi.entrypoints=websecure" - - "traefik.http.routers.jitsi.tls=true" - - "traefik.http.routers.jitsi.tls.certresolver=defaultresolver" - - "traefik.http.middlewares.jitsi-headers.headers.SSLRedirect=true" - - "traefik.http.middlewares.jitsi-headers.headers.browserXSSFilter=true" - - "traefik.http.middlewares.jitsi-headers.headers.contentTypeNosniff=true" - - "traefik.http.middlewares.jitsi-headers.headers.forceSTSHeader=true" - - "traefik.http.middlewares.jitsi-headers.headers.STSSeconds=315360000" - - "traefik.http.middlewares.jitsi-headers.headers.STSIncludeSubdomains=true" - - "traefik.http.middlewares.jitsi-headers.headers.STSPreload=true" - - "traefik.http.middlewares.jitsi-headers.headers.featurePolicy=geolocation 'none'; payment 'none'" - - "traefik.http.middlewares.jitsi-headers.headers.contentSecurityPolicy=default-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'; block-all-mixed-content" - - "traefik.http.routers.jitsi.middlewares=jitsi-headers" + - "traefik.http.routers.jitsi{{ jitsi_multitenant_postfix }}.rule=Host(`{{ jitsi_virtual_host }}`)" + - "traefik.http.routers.jitsi{{ jitsi_multitenant_postfix }}.entrypoints=websecure" + - "traefik.http.routers.jitsi{{ jitsi_multitenant_postfix }}.tls=true" + - "traefik.http.routers.jitsi{{ jitsi_multitenant_postfix }}.tls.certresolver=defaultresolver" + - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.SSLRedirect=true" + - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.browserXSSFilter=true" + - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.contentTypeNosniff=true" + - 
"traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.forceSTSHeader=true" + - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.STSSeconds=315360000" + - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.STSIncludeSubdomains=true" + - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.STSPreload=true" + - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.featurePolicy=geolocation 'none'; payment 'none'" + - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.contentSecurityPolicy=default-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'; block-all-mixed-content" + - "traefik.http.routers.jitsi{{ jitsi_multitenant_postfix }}.middlewares=jitsi{{ jitsi_multitenant_postfix }}-headers" networks: public: meet.jitsi: diff --git a/templates/env.jitsi.j2 b/templates/env.jitsi.j2 index e023c0a..5f017ed 100644 --- a/templates/env.jitsi.j2 +++ b/templates/env.jitsi.j2 @@ -1,3 +1,9 @@ +# +# Docker Compose configuration +# +# Project name for this Docker Compose setup +COMPOSE_PROJECT_NAME=jitsi{{ jitsi_multitenant_postfix }} + # # Basic configuration options # @@ -187,11 +193,11 @@ JVB_AUTH_PASSWORD={{ jitsi_jvb_auth_password }} JVB_STUN_SERVERS={{ jitsi_jvb_stun_servers }} # Media port for the Jitsi Videobridge -JVB_PORT=10000 +JVB_PORT={{ jitsi_bridge_udp_port }} # TCP Fallback for Jitsi Videobridge for when UDP isn't available JVB_TCP_HARVESTER_DISABLED=true -JVB_TCP_PORT=4443 +JVB_TCP_PORT={{ jitsi_bridge_tcp_port }} # A comma separated list of APIs to enable when the JVB is started. The default is none. # See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information 
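Review bot: The router and middleware names now carry the tenant postfix, but the rule stays `Host(`{{ jitsi_virtual_host }}`)` for every tenant, so two instances on one host configured with the same `jitsi_virtual_host` register two Traefik routers with identical rules and only one of them can serve the request; nothing in the role checks that the virtual hosts differ. An `assert` on `jitsi_virtual_host`, or a sentence in the new `jitsi_multitenant_label` README row stating that the virtual host must be unique per tenant, would make the constraint explicit.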
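Review bot: `COMPOSE_PROJECT_NAME=jitsi{{ jitsi_multitenant_postfix }}` keeps the containers apart per tenant, but the project directory itself is still the unsuffixed `{{ jitsi_install_path }}/jitsi` (the `dest:` of the `.env` and docker-compose.yml tasks in patch 01), so two tenants deployed under the same `jitsi_install_path` overwrite each other's `.env` and compose file. Either suffix that directory with the same postfix or document that `jitsi_install_path` must differ per tenant. Templating `JVB_PORT` and `JVB_TCP_PORT` from the new variables in the second hunk is consistent with the defaults added in the same patch.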
diff --git a/templates/etherpad.yml b/templates/etherpad.yml index e033a99..200f669 100644 --- a/templates/etherpad.yml +++ b/templates/etherpad.yml @@ -4,6 +4,7 @@ services: # Etherpad: real-time collaborative document editing etherpad: image: jitsi/etherpad + restart: unless-stopped networks: meet.jitsi: aliases: diff --git a/templates/jibri.yml b/templates/jibri.yml index 2f5a3e7..3efbc8b 100644 --- a/templates/jibri.yml +++ b/templates/jibri.yml @@ -3,6 +3,7 @@ version: '3' services: jibri: image: jitsi/jibri + restart: unless-stopped volumes: - ${CONFIG}/jibri:/config - /dev/shm:/dev/shm diff --git a/templates/jigasi.yml b/templates/jigasi.yml index 46f1584..0bcf1d2 100644 --- a/templates/jigasi.yml +++ b/templates/jigasi.yml @@ -4,6 +4,7 @@ services: # SIP gateway (audio) jigasi: image: jitsi/jigasi + restart: unless-stopped ports: - '${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}:${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}/udp' volumes: From 59f4cd124b87a4c1d259eca89e21c74c6444c442 Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Sat, 12 Dec 2020 18:44:18 +0100 Subject: [PATCH 03/18] Added PUBLIC_URL to Prosody --- templates/docker-compose.jitsi.yml.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/docker-compose.jitsi.yml.j2 b/templates/docker-compose.jitsi.yml.j2 index 86fba7f..fc89e20 100644 --- a/templates/docker-compose.jitsi.yml.j2 +++ b/templates/docker-compose.jitsi.yml.j2 @@ -116,6 +116,7 @@ services: - JWT_AUTH_TYPE - JWT_TOKEN_AUTH_MODULE - LOG_LEVEL + - PUBLIC_URL - TZ networks: meet.jitsi: From c636d5bfb5c3a8826c71b55d74a4040482c64853 Mon Sep 17 00:00:00 2001 
From: Jan Beilicke Date: Sun, 13 Dec 2020 00:30:57 +0100 Subject: [PATCH 04/18] Updated Docker-Compose config and env to reflect upstream changes from PR810 See "update example for Traefik2": https://github.com/jitsi/docker-jitsi-meet/pull/810 --- templates/docker-compose.jitsi.yml.j2 | 90 ++++++++++++++++++++++----- templates/env.jitsi.j2 | 28 +++++++++ 2 files changed, 102 insertions(+), 16 deletions(-) diff --git a/templates/docker-compose.jitsi.yml.j2 b/templates/docker-compose.jitsi.yml.j2 index fc89e20..15b8fd6 100644 --- a/templates/docker-compose.jitsi.yml.j2 +++ b/templates/docker-compose.jitsi.yml.j2 
@@ -10,31 +10,79 @@ services: - ${CONFIG}/web/letsencrypt:/etc/letsencrypt - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts environment: - - ENABLE_AUTH - - ENABLE_GUESTS - ENABLE_LETSENCRYPT - ENABLE_HTTP_REDIRECT - - ENABLE_TRANSCRIPTIONS + - ENABLE_XMPP_WEBSOCKET - DISABLE_HTTPS - - JICOFO_AUTH_USER - - LETSENCRYPT_DOMAIN - - LETSENCRYPT_EMAIL - PUBLIC_URL - - XMPP_DOMAIN + - TZ + - AMPLITUDE_ID + - ANALYTICS_SCRIPT_URLS + - ANALYTICS_WHITELISTED_EVENTS + - BRIDGE_CHANNEL + - BRANDING_DATA_URL + - CALLSTATS_CUSTOM_SCRIPT_URL + - CALLSTATS_ID + - CALLSTATS_SECRET + - CHROME_EXTENSION_BANNER_JSON + - CONFCODE_URL + - CONFIG_EXTERNAL_CONNECT + - DEPLOYMENTINFO_ENVIRONMENT + - DEPLOYMENTINFO_ENVIRONMENT_TYPE + - DEPLOYMENTINFO_USERREGION + - DIALIN_NUMBERS_URL + - DIALOUT_AUTH_URL + - DIALOUT_CODES_URL + - DROPBOX_APPKEY + - DROPBOX_REDIRECT_URI + - ENABLE_AUDIO_PROCESSING + - ENABLE_AUTH + - ENABLE_CALENDAR + - ENABLE_FILE_RECORDING_SERVICE + - ENABLE_FILE_RECORDING_SERVICE_SHARING + - ENABLE_GUESTS + - ENABLE_IPV6 + - ENABLE_LIPSYNC + - ENABLE_NO_AUDIO_DETECTION + - ENABLE_P2P + - ENABLE_PREJOIN_PAGE + - ENABLE_RECORDING + - ENABLE_REMB + - ENABLE_REQUIRE_DISPLAY_NAME + - ENABLE_SIMULCAST + - ENABLE_STATS_ID + - ENABLE_STEREO + - ENABLE_SUBDOMAINS + - ENABLE_TALK_WHILE_MUTED + - ENABLE_TCC + - ENABLE_TRANSCRIPTIONS + - ETHERPAD_PUBLIC_URL + - ETHERPAD_URL_BASE + - GOOGLE_ANALYTICS_ID + - GOOGLE_API_APP_CLIENT_ID + - INVITE_SERVICE_URL + - JICOFO_AUTH_USER + - MATOMO_ENDPOINT + - MATOMO_SITE_ID + - MICROSOFT_API_APP_CLIENT_ID + - NGINX_RESOLVER + - PEOPLE_SEARCH_URL + - RESOLUTION + - RESOLUTION_MIN + - RESOLUTION_WIDTH + - RESOLUTION_WIDTH_MIN + - START_AUDIO_ONLY + - START_AUDIO_MUTED + - START_BITRATE + - START_VIDEO_MUTED + - TESTING_CAP_SCREENSHARE_BITRATE + - TESTING_OCTO_PROBABILITY - XMPP_AUTH_DOMAIN - XMPP_BOSH_URL_BASE + - XMPP_DOMAIN - XMPP_GUEST_DOMAIN - XMPP_MUC_DOMAIN - XMPP_RECORDER_DOMAIN - - ETHERPAD_URL_BASE - - TZ - - JIBRI_BREWERY_MUC - 
- JIBRI_PENDING_TIMEOUT - - JIBRI_XMPP_USER - - JIBRI_XMPP_PASSWORD - - JIBRI_RECORDER_USER - - JIBRI_RECORDER_PASSWORD - - ENABLE_RECORDING labels: - "traefik.enable=true" - "traefik.docker.network=traefik_public" @@ -72,6 +120,8 @@ services: - AUTH_TYPE - ENABLE_AUTH - ENABLE_GUESTS + - ENABLE_LOBBY + - ENABLE_XMPP_WEBSOCKET - GLOBAL_MODULES - GLOBAL_CONFIG - LDAP_URL @@ -169,13 +219,21 @@ services: - JVB_PORT - JVB_TCP_HARVESTER_DISABLED - JVB_TCP_PORT + - JVB_TCP_MAPPED_PORT - JVB_STUN_SERVERS - JVB_ENABLE_APIS + - JVB_WS_DOMAIN + - JVB_WS_SERVER_ID + - PUBLIC_URL - TZ depends_on: - prosody networks: meet.jitsi: + labels: + traefik.udp.routers.jvb.entrypoints: video + traefik.udp.routers.jvb.service: jvb + traefik.udp.services.jvb.loadbalancer.server.port: '10000' # Custom network so all services can communicate using a FQDN networks: diff --git a/templates/env.jitsi.j2 b/templates/env.jitsi.j2 index e023c0a..8bcb9f1 100644 --- a/templates/env.jitsi.j2 +++ b/templates/env.jitsi.j2 @@ -45,6 +45,18 @@ LETSENCRYPT_EMAIL={{ jitsi_letsencrypt_email }} # Set etherpad-lite URL (uncomment to enable). #ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001 +# Name your etherpad instance! +ETHERPAD_TITLE="Video Chat" + +# The default text of a pad +ETHERPAD_DEFAULT_PAD_TEXT="Welcome to Web Chat!\n\n" + +# Name of the skin for etherpad +ETHERPAD_SKIN_NAME="colibris" + +# Skin variants for etherpad +ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background full-width-editor" + # # Basic Jigasi configuration options (needed for SIP gateway support) @@ -165,6 +177,10 @@ XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi # XMPP domain for unauthenticated users. XMPP_GUEST_DOMAIN=guest.meet.jitsi +# Comma separated list of domains for cross domain policy or "true" to allow all +# The PUBLIC_URL is always allowed +#XMPP_CROSS_DOMAIN=true + # Custom Prosody modules for XMPP_DOMAIN (comma separated) XMPP_MODULES= 
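Review bot: `LETSENCRYPT_DOMAIN` and `LETSENCRYPT_EMAIL` are removed from the web service environment while `ENABLE_LETSENCRYPT` is kept, yet env.jitsi.j2 still renders `LETSENCRYPT_EMAIL={{ jitsi_letsencrypt_email }}` and the role still exposes `jitsi_enable_letsencrypt`; with the flag on, the container no longer receives the domain or e-mail it needs to request a certificate. Patch 09 later in this series re-adds both names, so the regression lives only between patches 04 and 09, but restoring the two lines here keeps every commit deployable on its own.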
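Review bot: `traefik.udp.services.jvb.loadbalancer.server.port: '10000'` hard-codes the media port although the same service takes it from `JVB_PORT` a few lines above, so changing the port in the env file silently desynchronises the Traefik UDP service from the bridge; rendering the label from the same value keeps the two aligned. These labels are written as a mapping while the web service in this file still uses the list-of-strings form, which is worth unifying (patch 06 later converts the web labels). `entrypoints: video` presumably requires a UDP entrypoint of that name in the external Traefik configuration — worth stating in the README.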
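Review bot: `ETHERPAD_TITLE="Video Chat"` and the three assignments after it carry double quotes inside a `.env` file; docker-compose releases that do not strip quotes from `.env` values pass them through as part of the value, while newer ones strip them, so the rendered title and pad text depend on the compose version the `docker_compose` module finds on the host — worth checking against the version the role targets. `ETHERPAD_DEFAULT_PAD_TEXT="Welcome to Web Chat!\n\n"` additionally relies on `\n` being interpreted, which plain key=value parsing does not do. A comment above these lines naming the compose version they were verified with would help the next maintainer.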
@@ -192,6 +208,7 @@ JVB_PORT=10000 # TCP Fallback for Jitsi Videobridge for when UDP isn't available JVB_TCP_HARVESTER_DISABLED=true JVB_TCP_PORT=4443 +JVB_TCP_MAPPED_PORT=4443 # A comma separated list of APIs to enable when the JVB is started. The default is none. # See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information @@ -302,3 +319,14 @@ JIBRI_LOGS_DIR=/config/logs # Redirects HTTP traffic to HTTPS. Only works with the standard HTTPS port (443). #ENABLE_HTTP_REDIRECT=1 + +# Enable IPv6 +# Provides means to disable IPv6 in environments that don't support it (get with the times, people!) +#ENABLE_IPV6=1 + +# Container restart policy +# Defaults to unless-stopped +RESTART_POLICY=unless-stopped + +# Authenticate using external service or just focus external auth window if there is one already. +# TOKEN_AUTH_URL=https://auth.meet.example.com/{room} From fb6cb0c52db49dde3f7cc266466d4a2a18406989 Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Sun, 13 Dec 2020 00:32:38 +0100 Subject: [PATCH 05/18] Sorted ENV vars --- templates/docker-compose.jitsi.yml.j2 | 128 +++++++++++++------------- 1 file changed, 64 insertions(+), 64 deletions(-) diff --git a/templates/docker-compose.jitsi.yml.j2 b/templates/docker-compose.jitsi.yml.j2 index 15b8fd6..f2d68ae 100644 --- a/templates/docker-compose.jitsi.yml.j2 +++ b/templates/docker-compose.jitsi.yml.j2 @@ -10,17 +10,11 @@ services: - ${CONFIG}/web/letsencrypt:/etc/letsencrypt - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts environment: - - ENABLE_LETSENCRYPT - - ENABLE_HTTP_REDIRECT - - ENABLE_XMPP_WEBSOCKET - - DISABLE_HTTPS - - PUBLIC_URL - - TZ - AMPLITUDE_ID - ANALYTICS_SCRIPT_URLS - ANALYTICS_WHITELISTED_EVENTS - - BRIDGE_CHANNEL - BRANDING_DATA_URL + - BRIDGE_CHANNEL - CALLSTATS_CUSTOM_SCRIPT_URL - CALLSTATS_ID - CALLSTATS_SECRET 
@@ -33,6 +27,7 @@ services: - DIALIN_NUMBERS_URL - DIALOUT_AUTH_URL - DIALOUT_CODES_URL + - DISABLE_HTTPS - DROPBOX_APPKEY - DROPBOX_REDIRECT_URI - ENABLE_AUDIO_PROCESSING @@ -41,7 +36,9 @@ services: - ENABLE_FILE_RECORDING_SERVICE - ENABLE_FILE_RECORDING_SERVICE_SHARING - ENABLE_GUESTS + - ENABLE_HTTP_REDIRECT - ENABLE_IPV6 + - ENABLE_LETSENCRYPT - ENABLE_LIPSYNC - ENABLE_NO_AUDIO_DETECTION - ENABLE_P2P @@ -56,6 +53,7 @@ services: - ENABLE_TALK_WHILE_MUTED - ENABLE_TCC - ENABLE_TRANSCRIPTIONS + - ENABLE_XMPP_WEBSOCKET - ETHERPAD_PUBLIC_URL - ETHERPAD_URL_BASE - GOOGLE_ANALYTICS_ID @@ -67,16 +65,18 @@ services: - MICROSOFT_API_APP_CLIENT_ID - NGINX_RESOLVER - PEOPLE_SEARCH_URL + - PUBLIC_URL - RESOLUTION - RESOLUTION_MIN - RESOLUTION_WIDTH - RESOLUTION_WIDTH_MIN - - START_AUDIO_ONLY - START_AUDIO_MUTED + - START_AUDIO_ONLY - START_BITRATE - START_VIDEO_MUTED - TESTING_CAP_SCREENSHARE_BITRATE - TESTING_OCTO_PROBABILITY + - TZ - XMPP_AUTH_DOMAIN - XMPP_BOSH_URL_BASE - XMPP_DOMAIN 
@@ -122,52 +122,52 @@ services: - ENABLE_GUESTS - ENABLE_LOBBY - ENABLE_XMPP_WEBSOCKET - - GLOBAL_MODULES - GLOBAL_CONFIG - - LDAP_URL + - GLOBAL_MODULES + - JIBRI_RECORDER_PASSWORD + - JIBRI_RECORDER_USER + - JIBRI_XMPP_PASSWORD + - JIBRI_XMPP_USER + - JICOFO_AUTH_PASSWORD + - JICOFO_AUTH_USER + - JICOFO_COMPONENT_SECRET + - JIGASI_XMPP_PASSWORD + - JIGASI_XMPP_USER + - JVB_AUTH_PASSWORD + - JVB_AUTH_USER + - JWT_ACCEPTED_AUDIENCES + - JWT_ACCEPTED_ISSUERS + - JWT_ALLOW_EMPTY + - JWT_APP_ID + - JWT_APP_SECRET + - JWT_ASAP_KEYSERVER + - JWT_AUTH_TYPE + - JWT_TOKEN_AUTH_MODULE + - LDAP_AUTH_METHOD - LDAP_BASE - LDAP_BINDDN - LDAP_BINDPW - LDAP_FILTER - - LDAP_AUTH_METHOD - - LDAP_VERSION - - LDAP_USE_TLS - - LDAP_TLS_CIPHERS - - LDAP_TLS_CHECK_PEER - - LDAP_TLS_CACERT_FILE - - LDAP_TLS_CACERT_DIR - LDAP_START_TLS - - XMPP_DOMAIN - - XMPP_AUTH_DOMAIN - - XMPP_GUEST_DOMAIN - - XMPP_MUC_DOMAIN - - XMPP_INTERNAL_MUC_DOMAIN - - XMPP_MODULES - - XMPP_MUC_MODULES - - XMPP_INTERNAL_MUC_MODULES - - XMPP_RECORDER_DOMAIN - - JICOFO_COMPONENT_SECRET - - JICOFO_AUTH_USER - - JICOFO_AUTH_PASSWORD - - JVB_AUTH_USER - - JVB_AUTH_PASSWORD - - JIGASI_XMPP_USER - - JIGASI_XMPP_PASSWORD - - JIBRI_XMPP_USER - - JIBRI_XMPP_PASSWORD - - JIBRI_RECORDER_USER - - JIBRI_RECORDER_PASSWORD - - JWT_APP_ID - - JWT_APP_SECRET - - JWT_ACCEPTED_ISSUERS - - JWT_ACCEPTED_AUDIENCES - - JWT_ASAP_KEYSERVER - - JWT_ALLOW_EMPTY - - JWT_AUTH_TYPE - - JWT_TOKEN_AUTH_MODULE + - LDAP_TLS_CACERT_DIR + - LDAP_TLS_CACERT_FILE + - LDAP_TLS_CHECK_PEER + - LDAP_TLS_CIPHERS + - LDAP_URL + - LDAP_USE_TLS + - LDAP_VERSION - LOG_LEVEL - PUBLIC_URL - TZ + - XMPP_AUTH_DOMAIN + - XMPP_DOMAIN + - XMPP_GUEST_DOMAIN + - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_INTERNAL_MUC_MODULES + - XMPP_MODULES + - XMPP_MUC_DOMAIN + - XMPP_MUC_MODULES + - XMPP_RECORDER_DOMAIN networks: meet.jitsi: aliases: 
@@ -181,19 +181,19 @@ services: - ${CONFIG}/jicofo:/config environment: - ENABLE_AUTH - - XMPP_DOMAIN - - XMPP_AUTH_DOMAIN - - XMPP_INTERNAL_MUC_DOMAIN - - XMPP_SERVER - - JICOFO_COMPONENT_SECRET - - JICOFO_AUTH_USER - - JICOFO_AUTH_PASSWORD - - JICOFO_RESERVATION_REST_BASE_URL - - JVB_BREWERY_MUC - - JIGASI_BREWERY_MUC - JIBRI_BREWERY_MUC - JIBRI_PENDING_TIMEOUT + - JICOFO_AUTH_PASSWORD + - JICOFO_AUTH_USER + - JICOFO_COMPONENT_SECRET + - JICOFO_RESERVATION_REST_BASE_URL + - JIGASI_BREWERY_MUC + - JVB_BREWERY_MUC - TZ + - XMPP_AUTH_DOMAIN + - XMPP_DOMAIN + - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_SERVER depends_on: - prosody networks: @@ -210,22 +210,22 @@ services: - ${CONFIG}/jvb:/config environment: - DOCKER_HOST_ADDRESS - - XMPP_AUTH_DOMAIN - - XMPP_INTERNAL_MUC_DOMAIN - - XMPP_SERVER - - JVB_AUTH_USER - JVB_AUTH_PASSWORD + - JVB_AUTH_USER - JVB_BREWERY_MUC - - JVB_PORT - - JVB_TCP_HARVESTER_DISABLED - - JVB_TCP_PORT - - JVB_TCP_MAPPED_PORT - - JVB_STUN_SERVERS - JVB_ENABLE_APIS + - JVB_PORT + - JVB_STUN_SERVERS + - JVB_TCP_HARVESTER_DISABLED + - JVB_TCP_MAPPED_PORT + - JVB_TCP_PORT - JVB_WS_DOMAIN - JVB_WS_SERVER_ID - PUBLIC_URL - TZ + - XMPP_AUTH_DOMAIN + - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_SERVER depends_on: - prosody networks: From 14ecfa184df66092bf46f3a6c6730097a08867b1 Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Sun, 13 Dec 2020 00:46:27 +0100 Subject: [PATCH 06/18] Changed label syntax to improve readability --- templates/docker-compose.jitsi.yml.j2 | 32 +++++++++++++-------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/templates/docker-compose.jitsi.yml.j2 b/templates/docker-compose.jitsi.yml.j2 index f2d68ae..3277c95 100644 --- a/templates/docker-compose.jitsi.yml.j2 +++ b/templates/docker-compose.jitsi.yml.j2 
@@ -84,22 +84,22 @@ services: - XMPP_MUC_DOMAIN - XMPP_RECORDER_DOMAIN labels: - - "traefik.enable=true" - - "traefik.docker.network=traefik_public" - - "traefik.http.routers.jitsi.rule=Host(`{{ jitsi_virtual_host }}`)" - - "traefik.http.routers.jitsi.entrypoints=websecure" - - "traefik.http.routers.jitsi.tls=true" - - "traefik.http.routers.jitsi.tls.certresolver=defaultresolver" - - "traefik.http.middlewares.jitsi-headers.headers.SSLRedirect=true" - - "traefik.http.middlewares.jitsi-headers.headers.browserXSSFilter=true" - - "traefik.http.middlewares.jitsi-headers.headers.contentTypeNosniff=true" - - "traefik.http.middlewares.jitsi-headers.headers.forceSTSHeader=true" - - "traefik.http.middlewares.jitsi-headers.headers.STSSeconds=315360000" - - "traefik.http.middlewares.jitsi-headers.headers.STSIncludeSubdomains=true" - - "traefik.http.middlewares.jitsi-headers.headers.STSPreload=true" - - "traefik.http.middlewares.jitsi-headers.headers.featurePolicy=geolocation 'none'; payment 'none'" - - "traefik.http.middlewares.jitsi-headers.headers.contentSecurityPolicy=default-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'; block-all-mixed-content" - - "traefik.http.routers.jitsi.middlewares=jitsi-headers" + traefik.enable: true + traefik.docker.network: traefik_public + traefik.http.routers.jitsi.rule: Host(`{{ jitsi_virtual_host }}`) + traefik.http.routers.jitsi.entrypoints: websecure + traefik.http.routers.jitsi.tls: true + traefik.http.routers.jitsi.tls.certresolver: defaultresolver + traefik.http.middlewares.jitsi-headers.headers.SSLRedirect: true + traefik.http.middlewares.jitsi-headers.headers.browserXSSFilter: true + traefik.http.middlewares.jitsi-headers.headers.contentTypeNosniff: true + traefik.http.middlewares.jitsi-headers.headers.forceSTSHeader: true + traefik.http.middlewares.jitsi-headers.headers.STSSeconds: 
315360000 + traefik.http.middlewares.jitsi-headers.headers.STSIncludeSubdomains: true + traefik.http.middlewares.jitsi-headers.headers.STSPreload: true + traefik.http.middlewares.jitsi-headers.headers.featurePolicy: geolocation 'none'; payment 'none' + traefik.http.middlewares.jitsi-headers.headers.contentSecurityPolicy: default-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'; block-all-mixed-content + traefik.http.routers.jitsi.middlewares: jitsi-headers networks: public: meet.jitsi: From d2091d4b97b33a90469334c6189e6b4347ad2074 Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Sun, 13 Dec 2020 00:52:40 +0100 Subject: [PATCH 07/18] Added label loadbalancer.server.port --- templates/docker-compose.jitsi.yml.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/docker-compose.jitsi.yml.j2 b/templates/docker-compose.jitsi.yml.j2 index 3277c95..8f123f3 100644 --- a/templates/docker-compose.jitsi.yml.j2 +++ b/templates/docker-compose.jitsi.yml.j2 @@ -90,6 +90,7 @@ services: traefik.http.routers.jitsi.entrypoints: websecure traefik.http.routers.jitsi.tls: true traefik.http.routers.jitsi.tls.certresolver: defaultresolver + traefik.http.routers.jitsi.loadbalancer.server.port: '80' traefik.http.middlewares.jitsi-headers.headers.SSLRedirect: true traefik.http.middlewares.jitsi-headers.headers.browserXSSFilter: true traefik.http.middlewares.jitsi-headers.headers.contentTypeNosniff: true From 5ed074e4691fbe31d07e3026e7c802e78270513c Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Sun, 13 Dec 2020 00:57:52 +0100 Subject: [PATCH 08/18] Revert "Added label loadbalancer.server.port" This reverts commit d2091d4b97b33a90469334c6189e6b4347ad2074. --- templates/docker-compose.jitsi.yml.j2 | 1 - 1 file changed, 1 deletion(-) 
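Review bot: In the mapping form, `traefik.enable: true`, `traefik.http.routers.jitsi.tls: true` and the seven `...-headers.headers.*: true` entries become YAML booleans rather than the strings the previous list form produced; the compose file schema used by docker-compose (which the role's `docker_compose` tasks depend on) accepts strings, numbers and null for label values and rejects booleans with a type error — worth verifying against the compose version in use before merging. Quoting preserves the previous behaviour: `traefik.enable: 'true'`. The `contentSecurityPolicy` and `featurePolicy` values are plain scalars containing `;` and `'`, which is valid, but a `: ` or ` #` introduced by a future edit would silently change the parse, so quoting those two as well is cheap insurance.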
diff --git a/templates/docker-compose.jitsi.yml.j2 b/templates/docker-compose.jitsi.yml.j2 index 8f123f3..3277c95 100644 --- a/templates/docker-compose.jitsi.yml.j2 +++ b/templates/docker-compose.jitsi.yml.j2 @@ -90,7 +90,6 @@ services: traefik.http.routers.jitsi.entrypoints: websecure traefik.http.routers.jitsi.tls: true traefik.http.routers.jitsi.tls.certresolver: defaultresolver - traefik.http.routers.jitsi.loadbalancer.server.port: '80' traefik.http.middlewares.jitsi-headers.headers.SSLRedirect: true traefik.http.middlewares.jitsi-headers.headers.browserXSSFilter: true traefik.http.middlewares.jitsi-headers.headers.contentTypeNosniff: true From d3077f101c8294b321da0a263e7122c8b2e08c11 Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Fri, 18 Feb 2022 21:57:07 +0100 Subject: [PATCH 09/18] Updates Jitsi to stable-6865 --- tasks/main.yml | 2 +- templates/docker-compose.jitsi.yml.j2 | 176 +++++++++++++----- templates/env.jitsi.j2 | 246 +++++++++++++++++--------- templates/etherpad.yml | 8 +- templates/jibri.yml | 29 ++- templates/jigasi.yml | 21 ++- 6 files changed, 344 insertions(+), 138 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 1ef8919..df582f2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -79,7 +79,7 @@ - assert: that: - - "output.ansible_facts['web']['jitsi_web_1'].state.running" + - "output.services['web']['jitsi_web_1'].state.running" - name: "Test whether Jitsi is healthy from the outside" when: not ansible_check_mode diff --git a/templates/docker-compose.jitsi.yml.j2 b/templates/docker-compose.jitsi.yml.j2 index 3277c95..b8c6d7c 100644 --- a/templates/docker-compose.jitsi.yml.j2 +++ b/templates/docker-compose.jitsi.yml.j2 
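Review bot: The `index 1ef8919..df582f2` header shows this hunk is based on the tasks/main.yml blob from before patch 01, and its context line `output.ansible_facts['web']['jitsi_web_1']` is the one patch 02 already rewrote to `jitsi{{ jitsi_multitenant_postfix }}_web_1`, so applying the series in order conflicts here; the docker-compose template in this patch has the same problem, since patch 03's old blob `86fba7f` is patch 02's old blob, i.e. patches 03–09 branch from the pre-02 tree. Rebased onto patch 02 the line should read `- "output.services['web']['jitsi{{ jitsi_multitenant_postfix }}_web_1'].state.running"`. The hard-coded `_web_1` presumably matches the compose v1 container naming scheme; compose v2 uses `-` separators, which would make the assertion fail there.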
@@ -3,12 +3,15 @@ version: '3' services: # Frontend web: - image: jitsi/web - restart: unless-stopped + image: jitsi/web:stable-6865 + restart: ${RESTART_POLICY} + ports: + - '${HTTP_PORT}:80' + - '${HTTPS_PORT}:443' volumes: - - ${CONFIG}/web:/config - - ${CONFIG}/web/letsencrypt:/etc/letsencrypt - - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts + - ${CONFIG}/web:/config:Z + - ${CONFIG}/web/crontabs:/var/spool/cron/crontabs:Z + - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z environment: - AMPLITUDE_ID - ANALYTICS_SCRIPT_URLS @@ -21,28 +24,47 @@ services: - CHROME_EXTENSION_BANNER_JSON - CONFCODE_URL - CONFIG_EXTERNAL_CONNECT + - DEFAULT_LANGUAGE - DEPLOYMENTINFO_ENVIRONMENT - DEPLOYMENTINFO_ENVIRONMENT_TYPE + - DEPLOYMENTINFO_REGION + - DEPLOYMENTINFO_SHARD - DEPLOYMENTINFO_USERREGION + - DESKTOP_SHARING_FRAMERATE_MIN + - DESKTOP_SHARING_FRAMERATE_MAX - DIALIN_NUMBERS_URL - DIALOUT_AUTH_URL - DIALOUT_CODES_URL + - DISABLE_AUDIO_LEVELS + - DISABLE_DEEP_LINKING + - DISABLE_GRANT_MODERATOR - DISABLE_HTTPS + - DISABLE_KICKOUT + - DISABLE_POLLS + - DISABLE_REACTIONS - DROPBOX_APPKEY - DROPBOX_REDIRECT_URI + - DYNAMIC_BRANDING_URL - ENABLE_AUDIO_PROCESSING - ENABLE_AUTH + - ENABLE_BREAKOUT_ROOMS - ENABLE_CALENDAR + - ENABLE_COLIBRI_WEBSOCKET - ENABLE_FILE_RECORDING_SERVICE - ENABLE_FILE_RECORDING_SERVICE_SHARING + - ENABLE_FLOC - ENABLE_GUESTS + - ENABLE_HSTS - ENABLE_HTTP_REDIRECT - ENABLE_IPV6 - ENABLE_LETSENCRYPT - ENABLE_LIPSYNC - ENABLE_NO_AUDIO_DETECTION - - ENABLE_P2P + - ENABLE_NOISY_MIC_DETECTION - ENABLE_PREJOIN_PAGE + - ENABLE_P2P + - ENABLE_WELCOME_PAGE + - ENABLE_CLOSE_PAGE - ENABLE_RECORDING - ENABLE_REMB - ENABLE_REQUIRE_DISPLAY_NAME 
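Review bot: `'${HTTP_PORT}:80'` and `'${HTTPS_PORT}:443'` publish the web container directly on the host, which opens a second path to it that bypasses the Traefik router and the `jitsi-headers` middleware (SSLRedirect, HSTS, CSP, frame-ancestors) defined in this file's labels; unless the host firewall closes those ports, the hardening only covers requests that happen to arrive via Traefik. Binding to loopback, `'127.0.0.1:${HTTP_PORT}:80'`, or dropping `ports:` in favour of `expose:` keeps Traefik as the only ingress. Whether `HTTP_PORT` and `HTTPS_PORT` are rendered into env.jitsi.j2 is not visible in this chunk — worth confirming they are defined there, since the role's own defaults use `jitsi_exposed_http_port`/`jitsi_exposed_https_port`.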
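Review bot: The new entries break the alphabetical order that patch 05 established for this environment list — `ENABLE_NOISY_MIC_DETECTION` is inserted before `ENABLE_PREJOIN_PAGE`, `ENABLE_P2P` is moved after it, and `ENABLE_WELCOME_PAGE`/`ENABLE_CLOSE_PAGE` land before `ENABLE_RECORDING`. The same applies to the two web hunks that follow (`P2P_PREFERRED_CODEC` after `PUBLIC_URL`, `START_WITH_AUDIO_MUTED` before `START_VIDEO_MUTED`) and to the prosody hunk, which shuffles the JWT, LDAP and XMPP entries back out of order. Keeping the list sorted is what makes the next upstream sync reviewable line by line.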
@@ -58,14 +80,21 @@ services: - ETHERPAD_URL_BASE - GOOGLE_ANALYTICS_ID - GOOGLE_API_APP_CLIENT_ID + - HIDE_PREMEETING_BUTTONS - INVITE_SERVICE_URL - JICOFO_AUTH_USER + - LETSENCRYPT_DOMAIN + - LETSENCRYPT_EMAIL + - LETSENCRYPT_USE_STAGING - MATOMO_ENDPOINT - MATOMO_SITE_ID - MICROSOFT_API_APP_CLIENT_ID - NGINX_RESOLVER + - NGINX_WORKER_PROCESSES + - NGINX_WORKER_CONNECTIONS - PEOPLE_SEARCH_URL - PUBLIC_URL + - P2P_PREFERRED_CODEC - RESOLUTION - RESOLUTION_MIN - RESOLUTION_WIDTH @@ -73,10 +102,26 @@ services: - START_AUDIO_MUTED - START_AUDIO_ONLY - START_BITRATE + - START_SILENT + - START_WITH_AUDIO_MUTED - START_VIDEO_MUTED + - START_WITH_VIDEO_MUTED - TESTING_CAP_SCREENSHARE_BITRATE - TESTING_OCTO_PROBABILITY + - TOKEN_AUTH_URL + - TOOLBAR_BUTTONS - TZ + - VIDEOQUALITY_BITRATE_H264_LOW + - VIDEOQUALITY_BITRATE_H264_STANDARD + - VIDEOQUALITY_BITRATE_H264_HIGH + - VIDEOQUALITY_BITRATE_VP8_LOW + - VIDEOQUALITY_BITRATE_VP8_STANDARD + - VIDEOQUALITY_BITRATE_VP8_HIGH + - VIDEOQUALITY_BITRATE_VP9_LOW + - VIDEOQUALITY_BITRATE_VP9_STANDARD + - VIDEOQUALITY_BITRATE_VP9_HIGH + - VIDEOQUALITY_ENFORCE_PREFERRED_CODEC + - VIDEOQUALITY_PREFERRED_CODEC - XMPP_AUTH_DOMAIN - XMPP_BOSH_URL_BASE - XMPP_DOMAIN 
@@ -108,66 +153,76 @@ services: # XMPP server prosody: - image: jitsi/prosody - restart: unless-stopped + image: jitsi/prosody:stable-6865 + restart: ${RESTART_POLICY} expose: - '5222' - '5347' - '5280' volumes: - - ${CONFIG}/prosody:/config + - ${CONFIG}/prosody/config:/config:Z + - ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z environment: - AUTH_TYPE + - DISABLE_POLLS - ENABLE_AUTH + - ENABLE_AV_MODERATION + - ENABLE_BREAKOUT_ROOMS - ENABLE_GUESTS - ENABLE_LOBBY - ENABLE_XMPP_WEBSOCKET - GLOBAL_CONFIG - GLOBAL_MODULES - - JIBRI_RECORDER_PASSWORD - JIBRI_RECORDER_USER - - JIBRI_XMPP_PASSWORD + - JIBRI_RECORDER_PASSWORD - JIBRI_XMPP_USER - - JICOFO_AUTH_PASSWORD + - JIBRI_XMPP_PASSWORD - JICOFO_AUTH_USER + - JICOFO_AUTH_PASSWORD - JICOFO_COMPONENT_SECRET - - JIGASI_XMPP_PASSWORD - JIGASI_XMPP_USER - - JVB_AUTH_PASSWORD + - JIGASI_XMPP_PASSWORD - JVB_AUTH_USER - - JWT_ACCEPTED_AUDIENCES - - JWT_ACCEPTED_ISSUERS - - JWT_ALLOW_EMPTY + - JVB_AUTH_PASSWORD - JWT_APP_ID - JWT_APP_SECRET + - JWT_ACCEPTED_ISSUERS + - JWT_ACCEPTED_AUDIENCES - JWT_ASAP_KEYSERVER + - JWT_ALLOW_EMPTY - JWT_AUTH_TYPE - JWT_TOKEN_AUTH_MODULE + - LOG_LEVEL - LDAP_AUTH_METHOD - LDAP_BASE - LDAP_BINDDN - LDAP_BINDPW - LDAP_FILTER - - LDAP_START_TLS - - LDAP_TLS_CACERT_DIR - - LDAP_TLS_CACERT_FILE - - LDAP_TLS_CHECK_PEER + - LDAP_VERSION - LDAP_TLS_CIPHERS + - LDAP_TLS_CHECK_PEER + - LDAP_TLS_CACERT_FILE + - LDAP_TLS_CACERT_DIR + - LDAP_START_TLS - LDAP_URL - LDAP_USE_TLS - - LDAP_VERSION - - LOG_LEVEL - PUBLIC_URL + - TURN_CREDENTIALS + - TURN_HOST + - TURNS_HOST + - TURN_PORT + - TURNS_PORT - TZ - - XMPP_AUTH_DOMAIN - XMPP_DOMAIN + - XMPP_AUTH_DOMAIN - XMPP_GUEST_DOMAIN - - XMPP_INTERNAL_MUC_DOMAIN - - XMPP_INTERNAL_MUC_MODULES - - XMPP_MODULES - XMPP_MUC_DOMAIN + - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_MODULES - XMPP_MUC_MODULES + - XMPP_INTERNAL_MUC_MODULES - XMPP_RECORDER_DOMAIN + - XMPP_CROSS_DOMAIN networks: meet.jitsi: aliases: 
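Review bot: The prosody mount changes from `${CONFIG}/prosody:/config` to `${CONFIG}/prosody/config:/config`, so on an existing deployment whatever Prosody has written under `${CONFIG}/prosody` (presumably registered service accounts and generated certificates) is no longer visible to the container and will be recreated on the next start; neither the commit message nor the tasks in this patch mention a migration. A one-off task moving the old directory into the new `config/` subdirectory, or at least a CHANGELOG note that upgrading resets Prosody state, would avoid a silent credential reset — please confirm against what the image actually keeps under `/config`.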
@@ -175,24 +230,49 @@ services: # Focus component jicofo: - image: jitsi/jicofo - restart: unless-stopped + image: jitsi/jicofo:stable-6865 + restart: ${RESTART_POLICY} volumes: - - ${CONFIG}/jicofo:/config + - ${CONFIG}/jicofo:/config:Z environment: + - AUTH_TYPE + - BRIDGE_AVG_PARTICIPANT_STRESS + - BRIDGE_STRESS_THRESHOLD - ENABLE_AUTH - - JIBRI_BREWERY_MUC - - JIBRI_PENDING_TIMEOUT - - JICOFO_AUTH_PASSWORD + - ENABLE_AUTO_OWNER + - ENABLE_CODEC_VP8 + - ENABLE_CODEC_VP9 + - ENABLE_CODEC_H264 + - ENABLE_OCTO + - ENABLE_RECORDING + - ENABLE_SCTP + - ENABLE_AUTO_LOGIN - JICOFO_AUTH_USER - - JICOFO_COMPONENT_SECRET + - JICOFO_AUTH_PASSWORD + - JICOFO_ENABLE_BRIDGE_HEALTH_CHECKS + - JICOFO_CONF_INITIAL_PARTICIPANT_WAIT_TIMEOUT + - JICOFO_CONF_SINGLE_PARTICIPANT_TIMEOUT + - JICOFO_ENABLE_HEALTH_CHECKS + - JICOFO_SHORT_ID + - JICOFO_RESERVATION_ENABLED - JICOFO_RESERVATION_REST_BASE_URL + - JIBRI_BREWERY_MUC + - JIBRI_REQUEST_RETRIES + - JIBRI_PENDING_TIMEOUT - JIGASI_BREWERY_MUC + - JIGASI_SIP_URI - JVB_BREWERY_MUC + - MAX_BRIDGE_PARTICIPANTS + - OCTO_BRIDGE_SELECTION_STRATEGY + - SENTRY_DSN="${JICOFO_SENTRY_DSN:-0}" + - SENTRY_ENVIRONMENT + - SENTRY_RELEASE - TZ - - XMPP_AUTH_DOMAIN - XMPP_DOMAIN + - XMPP_AUTH_DOMAIN - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_MUC_DOMAIN + - XMPP_RECORDER_DOMAIN - XMPP_SERVER depends_on: - prosody 
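Review bot: `- SENTRY_DSN="${JICOFO_SENTRY_DSN:-0}"` is written in list-form `environment`, where Compose does not strip quotes, so the container most likely receives the literal string `"0"` (quotes included) rather than `0`; the same line is added for jvb in the next hunk and for jigasi in templates/jigasi.yml. If the image's startup script compares the value against `0`, that comparison fails and Sentry initialisation is attempted with an invalid DSN. Check with `docker compose config` and, if confirmed, drop the quotes: `- SENTRY_DSN=${JICOFO_SENTRY_DSN:-0}`.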
@@ -201,27 +281,39 @@ services: # Video bridge jvb: - image: jitsi/jvb - restart: unless-stopped + image: jitsi/jvb:stable-6865 + restart: ${RESTART_POLICY} ports: - '${JVB_PORT}:${JVB_PORT}/udp' - '${JVB_TCP_PORT}:${JVB_TCP_PORT}' volumes: - - ${CONFIG}/jvb:/config + - ${CONFIG}/jvb:/config:Z environment: - DOCKER_HOST_ADDRESS - - JVB_AUTH_PASSWORD + - ENABLE_COLIBRI_WEBSOCKET + - ENABLE_OCTO - JVB_AUTH_USER + - JVB_AUTH_PASSWORD - JVB_BREWERY_MUC - - JVB_ENABLE_APIS + #- JVB_ENABLE_APIS - JVB_PORT - - JVB_STUN_SERVERS + - JVB_MUC_NICKNAME - JVB_TCP_HARVESTER_DISABLED - - JVB_TCP_MAPPED_PORT - JVB_TCP_PORT + - JVB_TCP_MAPPED_PORT + - JVB_STUN_SERVERS + - JVB_OCTO_BIND_ADDRESS + - JVB_OCTO_PUBLIC_ADDRESS + - JVB_OCTO_BIND_PORT + - JVB_OCTO_REGION - JVB_WS_DOMAIN - JVB_WS_SERVER_ID - PUBLIC_URL + - SENTRY_DSN="${JVB_SENTRY_DSN:-0}" + - SENTRY_ENVIRONMENT + - SENTRY_RELEASE + - COLIBRI_REST_ENABLED + - SHUTDOWN_REST_ENABLED - TZ - XMPP_AUTH_DOMAIN - XMPP_INTERNAL_MUC_DOMAIN diff --git a/templates/env.jitsi.j2 b/templates/env.jitsi.j2 index 8bcb9f1..ebbec30 100644 --- a/templates/env.jitsi.j2 +++ b/templates/env.jitsi.j2 
@@ -1,27 +1,79 @@ +# shellcheck disable=SC2034 + +# Security +# +# Set these to strong passwords to avoid intruders from impersonating a service account +# The service(s) won't start unless these are specified +# Running ./gen-passwords.sh will update .env with strong passwords +# You may skip the Jigasi and Jibri passwords if you are not using those +# DO NOT reuse passwords +# + +# XMPP password for Jicofo client connections +JICOFO_AUTH_PASSWORD={{ jitsi_jicofo_auth_password }} + +# XMPP password for JVB client connections +JVB_AUTH_PASSWORD={{ jitsi_jvb_auth_password }} + +# XMPP password for Jigasi MUC client connections +JIGASI_XMPP_PASSWORD={{ jitsi_jigasi_xmpp_password }} + +# XMPP recorder password for Jibri client connections +JIBRI_RECORDER_PASSWORD={{ jitsi_jibri_recorder_password }} + +# XMPP password for Jibri client connections +JIBRI_XMPP_PASSWORD={{ jitsi_jibri_xmpp_password }} + + # # Basic configuration options # -# Directory where all configuration will be stored. +# Directory where all configuration will be stored CONFIG=./conf -# Exposed HTTP port. +# Exposed HTTP port HTTP_PORT={{ jitsi_exposed_http_port }} -# Exposed HTTPS port. +# Exposed HTTPS port HTTPS_PORT={{ jitsi_exposed_https_port }} -# System time zone. +# System time zone TZ={{ jitsi_timezone }} -# Public URL for the web service. +# Public URL for the web service (required) PUBLIC_URL={{ jitsi_public_url }} VIRTUAL_HOST={{ jitsi_virtual_host }} -# IP address of the Docker host. See the "Running on a LAN environment" section -# in the README. 
+# IP address of the Docker host +# See the "Running behind NAT or on a LAN environment" section in the Handbook: +# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment DOCKER_HOST_ADDRESS={{ jitsi_docker_host_address }} +# Control whether the lobby feature should be enabled or not +#ENABLE_LOBBY=1 + +# Control whether the A/V moderation should be enabled or not +#ENABLE_AV_MODERATION=1 + +# Show a prejoin page before entering a conference +#ENABLE_PREJOIN_PAGE=0 + +# Enable the welcome page +#ENABLE_WELCOME_PAGE=1 + +# Enable the close page +#ENABLE_CLOSE_PAGE=0 + +# Disable measuring of audio levels +#DISABLE_AUDIO_LEVELS=0 + +# Enable noisy mic detection +#ENABLE_NOISY_MIC_DETECTION=1 + +# Enable breakout rooms +#ENABLE_BREAKOUT_ROOMS=1 + {% if jitsi_enable_letsencrypt %} # # Let's Encrypt configuration @@ -42,17 +94,20 @@ LETSENCRYPT_EMAIL={{ jitsi_letsencrypt_email }} # Etherpad integration (for document sharing) # -# Set etherpad-lite URL (uncomment to enable). +# Set etherpad-lite URL in docker local network (uncomment to enable) #ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001 +# Set etherpad-lite public URL, including /p/ pad path fragment (uncomment to enable) +#ETHERPAD_PUBLIC_URL=https://etherpad.my.domain/p/ + # Name your etherpad instance! -ETHERPAD_TITLE="Video Chat" +ETHERPAD_TITLE=Video Chat # The default text of a pad ETHERPAD_DEFAULT_PAD_TEXT="Welcome to Web Chat!\n\n" # Name of the skin for etherpad -ETHERPAD_SKIN_NAME="colibris" +ETHERPAD_SKIN_NAME=colibris # Skin variants for etherpad ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background full-width-editor" 
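Review bot: The new "Security" header copied from upstream says `Running ./gen-passwords.sh will update .env with strong passwords`, but in this template every password is rendered from a role variable (`JICOFO_AUTH_PASSWORD={{ jitsi_jicofo_auth_password }}` and the four below it), so anything that script writes is overwritten on the next run of the role; the comment should say where the values really come from, e.g. `# Rendered from the jitsi_*_password role variables; generate them once (openssl rand -hex 32) and keep them in Ansible Vault`. Since the rendered .env now concentrates all five XMPP secrets at the top of the file, the task that templates it should set `mode: '0600'` with the install user as owner — that task is not part of this patch, so please confirm it does.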
@@ -62,13 +117,13 @@ ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background # Basic Jigasi configuration options (needed for SIP gateway support) # -# SIP URI for incoming / outgoing calls. +# SIP URI for incoming / outgoing calls #JIGASI_SIP_URI=test@sip2sip.info # Password for the specified SIP account as a clear text #JIGASI_SIP_PASSWORD=passw0rd -# SIP server (use the SIP account domain if in doubt). +# SIP server (use the SIP account domain if in doubt) #JIGASI_SIP_SERVER=sip2sip.info # SIP server port 
@@ -78,53 +133,53 @@ ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background #JIGASI_SIP_TRANSPORT=UDP # -# Authentication configuration (see README for details) +# Authentication configuration (see handbook for details) # -# Enable authentication. +# Enable authentication #ENABLE_AUTH=1 -# Enable guest access. +# Enable guest access #ENABLE_GUESTS=1 # Select authentication type: internal, jwt or ldap #AUTH_TYPE=internal -# JWT auuthentication +# JWT authentication # -# Application identifier. +# Application identifier #JWT_APP_ID=my_jitsi_app_id -# Application secret known only to your token. +# Application secret known only to your token generator #JWT_APP_SECRET=my_jitsi_app_secret -# (Optional) Set asap_accepted_issuers as a comma separated list. +# (Optional) Set asap_accepted_issuers as a comma separated list #JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client -# (Optional) Set asap_accepted_audiences as a comma separated list. +# (Optional) Set asap_accepted_audiences as a comma separated list #JWT_ACCEPTED_AUDIENCES=my_server1,my_server2 # LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page) # -# LDAP url for connection. +# LDAP url for connection #LDAP_URL=ldaps://ldap.domain.com/ # LDAP base DN. Can be empty #LDAP_BASE=DC=example,DC=domain,DC=com -# LDAP user DN. Do not specify this parameter for the anonymous bind. +# LDAP user DN. Do not specify this parameter for the anonymous bind #LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com -# LDAP user password. Do not specify this parameter for the anonymous bind. +# LDAP user password. Do not specify this parameter for the anonymous bind #LDAP_BINDPW=LdapUserPassw0rd # LDAP filter. Tokens example: -# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail. -# %s - %s is replaced by the complete service string. -# %r - %r is replaced by the complete realm string. 
+# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail +# %s - %s is replaced by the complete service string +# %r - %r is replaced by the complete realm string #LDAP_FILTER=(sAMAccountName=%u) # LDAP authentication method @@ -136,16 +191,16 @@ ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background # LDAP TLS using #LDAP_USE_TLS=1 -# List of SSL/TLS ciphers to allow. +# List of SSL/TLS ciphers to allow #LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC # Require and verify server certificate #LDAP_TLS_CHECK_PEER=1 -# Path to CA cert file. Used when server sertificate verify is enabled. +# Path to CA cert file. Used when server certificate verify is enabled #LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt -# Path to CA certs directory. Used when server sertificate verify is enabled. +# Path to CA certs directory. Used when server certificate verify is enabled #LDAP_TLS_CACERT_DIR=/etc/ssl/certs # Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps:// @@ -156,7 +211,7 @@ ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background # Advanced configuration options (you generally don't need to change these) # -# Internal XMPP domain. +# Internal XMPP domain XMPP_DOMAIN=meet.jitsi # Internal XMPP server 
@@ -165,16 +220,16 @@ XMPP_SERVER=xmpp.meet.jitsi # Internal XMPP server URL XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280 -# Internal XMPP domain for authenticated services. +# Internal XMPP domain for authenticated services XMPP_AUTH_DOMAIN=auth.meet.jitsi -# XMPP domain for the MUC. +# XMPP domain for the MUC XMPP_MUC_DOMAIN=muc.meet.jitsi -# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools. +# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi -# XMPP domain for unauthenticated users. +# XMPP domain for unauthenticated users XMPP_GUEST_DOMAIN=guest.meet.jitsi # Comma separated list of domains for cross domain policy or "true" to allow all @@ -190,16 +245,13 @@ XMPP_MUC_MODULES= # Custom Prosody modules for internal MUC component (comma separated) XMPP_INTERNAL_MUC_MODULES= -# MUC for the JVB pool. +# MUC for the JVB pool JVB_BREWERY_MUC=jvbbrewery -# XMPP user for JVB client connections. +# XMPP user for JVB client connections JVB_AUTH_USER={{ jitsi_jvb_auth_user }} -# XMPP password for JVB client connections. -JVB_AUTH_PASSWORD={{ jitsi_jvb_auth_password }} - -# STUN servers used to discover the server's public IP. +# STUN servers used to discover the server's public IP JVB_STUN_SERVERS={{ jitsi_jvb_stun_servers }} # Media port for the Jitsi Videobridge 
@@ -210,35 +262,26 @@ JVB_TCP_HARVESTER_DISABLED=true JVB_TCP_PORT=4443 JVB_TCP_MAPPED_PORT=4443 -# A comma separated list of APIs to enable when the JVB is started. The default is none. -# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information -#JVB_ENABLE_APIS=rest,colibri - -# XMPP component password for Jicofo. -JICOFO_COMPONENT_SECRET={{ jitsi_jicofo_component_secret }} - -# XMPP user for Jicofo client connections. NOTE: this option doesn't currently work due to a bug. +# XMPP user for Jicofo client connections. +# NOTE: this option doesn't currently work due to a bug JICOFO_AUTH_USER={{ jitsi_jicofo_auth_user }} -# XMPP password for Jicofo client connections. -JICOFO_AUTH_PASSWORD={{ jitsi_jicofo_auth_password }} - # Base URL of Jicofo's reservation REST API #JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com -# XMPP user for Jigasi MUC client connections. +# Enable Jicofo's health check REST API (http://:8888/about/health) +#JICOFO_ENABLE_HEALTH_CHECKS=true + +# XMPP user for Jigasi MUC client connections JIGASI_XMPP_USER={{ jitsi_jigasi_xmpp_user }} -# XMPP password for Jigasi MUC client connections. -JIGASI_XMPP_PASSWORD={{ jitsi_jigasi_xmpp_password }} - -# MUC name for the Jigasi pool. +# MUC name for the Jigasi pool JIGASI_BREWERY_MUC=jigasibrewery -# Minimum port for media used by Jigasi. +# Minimum port for media used by Jigasi JIGASI_PORT_MIN=20000 -# Maximum port for media used by Jigasi. +# Maximum port for media used by Jigasi JIGASI_PORT_MAX=20050 # Enable SDES srtp 
@@ -253,23 +296,28 @@ JIGASI_PORT_MAX=20050 # Health-check interval #JIGASI_HEALTH_CHECK_INTERVAL=300000 # -# Enable Jigasi transcription. +# Enable Jigasi transcription #ENABLE_TRANSCRIPTIONS=1 -# Jigasi will recordord an audio when transcriber is on. Default false. +# Jigasi will record audio when transcriber is on [default: false] #JIGASI_TRANSCRIBER_RECORD_AUDIO=true -# Jigasi will send transcribed text to the chat when transcriber is on. Default false. +# Jigasi will send transcribed text to the chat when transcriber is on [default: false] #JIGASI_TRANSCRIBER_SEND_TXT=true -# Jigasi post to the chat an url with transcription file. Default false. +# Jigasi will post an url to the chat with transcription file [default: false] #JIGASI_TRANSCRIBER_ADVERTISE_URL=true -# Credentials for connect to Cloud Google API from Jigasi. Path located inside the container. +# Credentials for connect to Cloud Google API from Jigasi # Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol -# section "Before you begin" from 1 to 5 paragraph. Copy the key on -# the docker host to ${CONFIG}/jigasi/key.json and to enable this setting: -#GOOGLE_APPLICATION_CREDENTIALS=/config/key.json +# section "Before you begin" paragraph 1 to 5 +# Copy the values from the json to the related env vars +#GC_PROJECT_ID= +#GC_PRIVATE_KEY_ID= +#GC_PRIVATE_KEY= +#GC_CLIENT_EMAIL= +#GC_CLIENT_ID= +#GC_CLIENT_CERT_URL= # Enable recording #ENABLE_RECORDING=1 
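Review bot: Replacing the mounted `key.json` with `#GC_PRIVATE_KEY=` and the sibling `GC_*` entries moves the Google service-account private key out of `${CONFIG}/jigasi` and into the rendered .env and the jigasi container environment, where it is readable via `docker inspect` by anyone with access to the Docker socket. A comment next to `#GC_PRIVATE_KEY=` such as `# Secret: source from a vaulted variable, never commit a rendered value` would flag that, and it is one more reason for the templated .env to stay owner-only.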
@@ -277,25 +325,19 @@ JIGASI_PORT_MAX=20050 # XMPP domain for the jibri recorder XMPP_RECORDER_DOMAIN=recorder.meet.jitsi -# XMPP recorder user for Jibri client connections. +# XMPP recorder user for Jibri client connections JIBRI_RECORDER_USER={{ jitsi_jibri_recorder_user }} -# XMPP recorder password for Jibri client connections. -JIBRI_RECORDER_PASSWORD={{ jitsi_jibri_recorder_password }} - -# Directory for recordings inside Jibri container. +# Directory for recordings inside Jibri container JIBRI_RECORDING_DIR=/config/recordings -# The finalizing script. Will run after recording is complete. -JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh +# The finalizing script. Will run after recording is complete +#JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh -# XMPP user for Jibri client connections. +# XMPP user for Jibri client connections JIBRI_XMPP_USER={{ jitsi_jibri_xmpp_user }} -# XMPP password for Jibri client connections. -JIBRI_XMPP_PASSWORD={{ jitsi_jibri_xmpp_password }} - -# MUC name for the Jibri pool. +# MUC name for the Jibri pool JIBRI_BREWERY_MUC=jibribrewery # MUC connection timeout 
@@ -308,18 +350,35 @@ JIBRI_PENDING_TIMEOUT=90 # So if there are any prefixes in the jid (like jitsi meet, which # has its participants join a muc at conference.xmpp_domain) then # list that prefix here so it can be stripped out to generate -# the call url correctly. +# the call url correctly JIBRI_STRIP_DOMAIN_JID=muc -# Directory for logs inside Jibri container. +# Directory for logs inside Jibri container JIBRI_LOGS_DIR=/config/logs -# Disable HTTPS. This can be useful if TLS connections are going to be handled outside of this setup. +# Configure an external TURN server +# TURN_CREDENTIALS=secret +# TURN_HOST=turnserver.example.com +# TURN_PORT=443 +# TURNS_HOST=turnserver.example.com +# TURNS_PORT=443 + +# Disable HTTPS: handle TLS connections outside of this setup #DISABLE_HTTPS=1 -# Redirects HTTP traffic to HTTPS. Only works with the standard HTTPS port (443). +# Enable FLoC +# Opt-In to Federated Learning of Cohorts tracking +#ENABLE_FLOC=0 + +# Redirect HTTP traffic to HTTPS +# Necessary for Let's Encrypt, relies on standard HTTPS port (443) #ENABLE_HTTP_REDIRECT=1 +# Send a `strict-transport-security` header to force browsers to use +# a secure and trusted connection. Recommended for production use. +# Defaults to 1 (send the header). +# ENABLE_HSTS=1 + # Enable IPv6 # Provides means to disable IPv6 in environments that don't support it (get with the times, people!) #ENABLE_IPV6=1 
@@ -330,3 +389,26 @@ RESTART_POLICY=unless-stopped # Authenticate using external service or just focus external auth window if there is one already. # TOKEN_AUTH_URL=https://auth.meet.example.com/{room} + +# Sentry Error Tracking +# Sentry Data Source Name (Endpoint for Sentry project) +# Example: https://public:private@host:port/1 +#JVB_SENTRY_DSN= +#JICOFO_SENTRY_DSN= +#JIGASI_SENTRY_DSN= + +# Optional environment info to filter events +#SENTRY_ENVIRONMENT=production + +# Optional release info to filter events +#SENTRY_RELEASE=1.0.0 + +# Optional properties for shutdown api +#COLIBRI_REST_ENABLED=true +#SHUTDOWN_REST_ENABLED=true + +# Configure toolbar buttons. Add the buttons name separated with comma(no spaces between comma) +#TOOLBAR_BUTTONS= + +# Hide the buttons at pre-join screen. Add the buttons name separated with comma +#HIDE_PREMEETING_BUTTONS= diff --git a/templates/etherpad.yml b/templates/etherpad.yml index e033a99..bab9378 100644 --- a/templates/etherpad.yml +++ b/templates/etherpad.yml @@ -3,7 +3,13 @@ version: '3' services: # Etherpad: real-time collaborative document editing etherpad: - image: jitsi/etherpad + image: etherpad/etherpad:1.8.6 + restart: ${RESTART_POLICY} + environment: + - TITLE=${ETHERPAD_TITLE} + - DEFAULT_PAD_TEXT=${ETHERPAD_DEFAULT_PAD_TEXT} + - SKIN_NAME=${ETHERPAD_SKIN_NAME} + - SKIN_VARIANTS=${ETHERPAD_SKIN_VARIANTS} networks: meet.jitsi: aliases: diff --git a/templates/jibri.yml b/templates/jibri.yml index 2f5a3e7..e51af2a 100644 --- a/templates/jibri.yml +++ b/templates/jibri.yml @@ -2,9 +2,10 @@ version: '3' services: jibri: - image: jitsi/jibri + image: jitsi/jibri:stable-6865 + restart: ${RESTART_POLICY} volumes: - - ${CONFIG}/jibri:/config + - ${CONFIG}/jibri:/config:Z - /dev/shm:/dev/shm cap_add: - SYS_ADMIN 
@@ -12,11 +13,15 @@ services: devices: - /dev/snd:/dev/snd environment: - - XMPP_AUTH_DOMAIN - - XMPP_INTERNAL_MUC_DOMAIN - - XMPP_RECORDER_DOMAIN - - XMPP_SERVER - - XMPP_DOMAIN + - CHROMIUM_FLAGS + - DISPLAY=:0 + - ENABLE_STATS_D + - JIBRI_FFMPEG_AUDIO_SOURCE + - JIBRI_FFMPEG_AUDIO_DEVICE + - JIBRI_HTTP_API_EXTERNAL_PORT + - JIBRI_HTTP_API_INTERNAL_PORT + - JIBRI_RECORDING_RESOLUTION + - JIBRI_USAGE_TIMEOUT - JIBRI_XMPP_USER - JIBRI_XMPP_PASSWORD - JIBRI_BREWERY_MUC @@ -26,8 +31,16 @@ services: - JIBRI_FINALIZE_RECORDING_SCRIPT_PATH - JIBRI_STRIP_DOMAIN_JID - JIBRI_LOGS_DIR - - DISPLAY=:0 + - PUBLIC_URL - TZ + - XMPP_AUTH_DOMAIN + - XMPP_DOMAIN + - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_RECORDER_DOMAIN + - XMPP_SERVER + - XMPP_TRUST_ALL_CERTS + depends_on: + - jicofo networks: meet.jitsi: diff --git a/templates/jigasi.yml b/templates/jigasi.yml index 46f1584..ef8f0d6 100644 --- a/templates/jigasi.yml +++ b/templates/jigasi.yml @@ -3,15 +3,19 @@ version: '3' services: # SIP gateway (audio) jigasi: - image: jitsi/jigasi + image: jitsi/jigasi:stable-6865 + restart: ${RESTART_POLICY} ports: - '${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}:${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}/udp' volumes: - - ${CONFIG}/jigasi:/config - - ${CONFIG}/transcripts:/tmp/transcripts + - ${CONFIG}/jigasi:/config:Z + - ${CONFIG}/transcripts:/tmp/transcripts:Z environment: - ENABLE_AUTH + - ENABLE_GUESTS - XMPP_AUTH_DOMAIN + - XMPP_GUEST_DOMAIN + - XMPP_MUC_DOMAIN - XMPP_INTERNAL_MUC_DOMAIN - XMPP_SERVER - XMPP_DOMAIN @@ -21,6 +25,7 @@ services: - JIGASI_SIP_SERVER - JIGASI_SIP_PORT - JIGASI_SIP_TRANSPORT + - JIGASI_SIP_DEFAULT_ROOM - JIGASI_XMPP_USER - JIGASI_XMPP_PASSWORD - JIGASI_BREWERY_MUC 
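Review bot: The jibri service now passes through `XMPP_TRUST_ALL_CERTS`, which from its name disables certificate verification on Jibri's XMPP connection, yet none of the env.jitsi.j2 hunks in this patch add a matching entry or comment, so operators get no hint of its effect or default. A commented pair in the template, `# Accept any XMPP server certificate (disables verification; leave unset unless prosody uses self-signed certificates)` followed by `#XMPP_TRUST_ALL_CERTS=`, would document it — please confirm the image's default before describing it.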
@@ -34,7 +39,15 @@ services: - JIGASI_TRANSCRIBER_ADVERTISE_URL - JIGASI_TRANSCRIBER_RECORD_AUDIO - JIGASI_TRANSCRIBER_SEND_TXT - - GOOGLE_APPLICATION_CREDENTIALS + - GC_PROJECT_ID + - GC_PRIVATE_KEY_ID + - GC_PRIVATE_KEY + - GC_CLIENT_EMAIL + - GC_CLIENT_ID + - GC_CLIENT_CERT_URL + - SENTRY_DSN="${JIGASI_SENTRY_DSN:-0}" + - SENTRY_ENVIRONMENT + - SENTRY_RELEASE - TZ depends_on: - prosody From 80cd68a5c4815b3fdf4ce96382cc325d021ab74f Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Fri, 18 Feb 2022 22:05:58 +0100 Subject: [PATCH 10/18] CSP: Allow 'data' schema in img-src --- templates/docker-compose.jitsi.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/docker-compose.jitsi.yml.j2 b/templates/docker-compose.jitsi.yml.j2 index b8c6d7c..a6dcd48 100644 --- a/templates/docker-compose.jitsi.yml.j2 +++ b/templates/docker-compose.jitsi.yml.j2 @@ -143,7 +143,7 @@ services: traefik.http.middlewares.jitsi-headers.headers.STSIncludeSubdomains: true traefik.http.middlewares.jitsi-headers.headers.STSPreload: true traefik.http.middlewares.jitsi-headers.headers.featurePolicy: geolocation 'none'; payment 'none' - traefik.http.middlewares.jitsi-headers.headers.contentSecurityPolicy: default-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'; block-all-mixed-content + traefik.http.middlewares.jitsi-headers.headers.contentSecurityPolicy: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'; block-all-mixed-content traefik.http.routers.jitsi.middlewares: jitsi-headers networks: public: From 9183e360d8e0b1516af53f8d97b679bc2f0cbc7d Mon Sep 17 00:00:00 2001 
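Review bot: Adding `data:` to `img-src` is a small and common relaxation, but the rewritten label gives no hint which Jitsi asset needed it, and the neighbouring `script-src 'self' 'unsafe-inline'` and `style-src 'self' 'unsafe-inline'` remain the parts of this policy that matter most against injected content. A one-line comment above the `contentSecurityPolicy` label naming the asset that requires `data:` images (the commit message only names the scheme) would keep future edits to this very long line reviewable.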
From: Jan Beilicke Date: Sun, 2 Oct 2022 22:27:12 +0200 Subject: [PATCH 11/18] Updated Jitsi to stable-7830; Addressed some config issues --- CHANGELOG.md | 8 + README.md | 3 +- defaults/main.yml | 3 +- templates/docker-compose.jitsi.yml.j2 | 89 +++++--- templates/env.jitsi.j2 | 288 +++++--------------------- templates/etherpad.yml | 5 +- templates/jibri.yml | 16 +- templates/jigasi.yml | 9 +- 8 files changed, 138 insertions(+), 283 deletions(-) create mode 100644 CHANGELOG.md diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..75f3e79 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,8 @@ +## Changelog + +### stable-7830 + +* Updates all Docker Compose templates +* Adds `jitsi_jvb_advertise_ips`, which supports a comma separated list of IPs +* Content-Security-Policy now allows `base-uri 'self'` (instead of `none`) +* Fixed `jitsi_enable_letsencrypt` handling (please note: you will still have to uncomment `LETSENCRYPT_USE_STAGING=1` in the .env file/template if you only want to test Let's Encrypt) diff --git a/README.md b/README.md index a10e2d9..16b5f10 100644 --- a/README.md +++ b/README.md 
@@ -20,7 +20,8 @@ Role Variables | jitsi_build_latest_image_from_source | Will fetch the master of `jitsi_docker_upstream_repo_url` and build the docker image as sometimes the latest available images in the Docker Hub are too old | yes | | jitsi_docker_upstream_repo_url | Git repo of docker-jitsi-meet required by `jitsi_build_latest_image_from_source` | https://github.com/jitsi/docker-jitsi-meet.git | | *jitsi_letsencrypt_email* | E-Mail adress used for requesting certificates | Not set | -| jitsi_docker_host_address | | | +| jitsi_docker_host_address | | +| jitsi_jvb_advertise_ips | supports a comma separated list of IPs | | | | jitsi_enable_letsencrypt | Jitsi will take care of Let's Encrypt certificates | 0 | | jitsi_enable_third_party_requests | Whether to allow third party requests, e.g. to Gravatar (if a user sets her email address) | no | | jitsi_exposed_http_port | Exposed container port for HTTP | 8000 | diff --git a/defaults/main.yml b/defaults/main.yml index 66d322e..bbc459b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -12,4 +12,5 @@ jitsi_jvb_stun_servers: meet-jit-si-turnrelay.jitsi.net:443 jitsi_web_channel_last_n: 3 jitsi_build_latest_image_from_source: yes jitsi_docker_upstream_repo_url: https://github.com/jitsi/docker-jitsi-meet.git -jitsi_enable_third_party_requests: no \ No newline at end of file +jitsi_enable_third_party_requests: no +jitsi_jvb_advertise_ips: "{{ jitsi_docker_host_address }}" \ No newline at end of file diff --git a/templates/docker-compose.jitsi.yml.j2 b/templates/docker-compose.jitsi.yml.j2 index a6dcd48..a6ce02c 100644 --- a/templates/docker-compose.jitsi.yml.j2 +++ b/templates/docker-compose.jitsi.yml.j2 @@ -1,10 +1,10 @@ -version: '3' +version: '3.5' services: # Frontend web: - image: jitsi/web:stable-6865 - restart: ${RESTART_POLICY} + image: jitsi/web:${JITSI_IMAGE_VERSION:-stable-7830} + restart: ${RESTART_POLICY:-unless-stopped} ports: - '${HTTP_PORT}:80' - '${HTTPS_PORT}:443' 
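Review bot: The new default `jitsi_jvb_advertise_ips: "{{ jitsi_docker_host_address }}"` in defaults/main.yml is derived from a variable that the README row in the same patch lists with no default, so a host that never sets `jitsi_docker_host_address` fails at template time with an undefined variable instead of falling back to STUN discovery. Either document that one of the two must be set, or default it as `"{{ jitsi_docker_host_address | default('') }}"` and confirm how the image treats an empty `JVB_ADVERTISE_IPS`. The file also still ends with `\ No newline at end of file` after the edit, and the README row `| jitsi_docker_host_address | |` has one column fewer than the rows around it.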
@@ -16,8 +16,8 @@ services: - AMPLITUDE_ID - ANALYTICS_SCRIPT_URLS - ANALYTICS_WHITELISTED_EVENTS + - AUDIO_QUALITY_OPUS_BITRATE - BRANDING_DATA_URL - - BRIDGE_CHANNEL - CALLSTATS_CUSTOM_SCRIPT_URL - CALLSTATS_ID - CALLSTATS_SECRET @@ -40,8 +40,12 @@ services: - DISABLE_GRANT_MODERATOR - DISABLE_HTTPS - DISABLE_KICKOUT + - DISABLE_LOCAL_RECORDING - DISABLE_POLLS + - DISABLE_PRIVATE_CHAT + - DISABLE_PROFILE - DISABLE_REACTIONS + - DISABLE_REMOTE_VIDEO_MENU - DROPBOX_APPKEY - DROPBOX_REDIRECT_URI - DYNAMIC_BRANDING_URL @@ -50,9 +54,8 @@ services: - ENABLE_BREAKOUT_ROOMS - ENABLE_CALENDAR - ENABLE_COLIBRI_WEBSOCKET - - ENABLE_FILE_RECORDING_SERVICE - - ENABLE_FILE_RECORDING_SERVICE_SHARING - - ENABLE_FLOC + - ENABLE_E2EPING + - ENABLE_FILE_RECORDING_SHARING - ENABLE_GUESTS - ENABLE_HSTS - ENABLE_HTTP_REDIRECT @@ -61,13 +64,19 @@ services: - ENABLE_LIPSYNC - ENABLE_NO_AUDIO_DETECTION - ENABLE_NOISY_MIC_DETECTION + - ENABLE_OCTO + - ENABLE_OPUS_RED - ENABLE_PREJOIN_PAGE - ENABLE_P2P - ENABLE_WELCOME_PAGE - ENABLE_CLOSE_PAGE + - ENABLE_LIVESTREAMING + - ENABLE_LOCAL_RECORDING_NOTIFY_ALL_PARTICIPANT + - ENABLE_LOCAL_RECORDING_SELF_START - ENABLE_RECORDING - ENABLE_REMB - ENABLE_REQUIRE_DISPLAY_NAME + - ENABLE_SERVICE_RECORDING - ENABLE_SIMULCAST - ENABLE_STATS_ID - ENABLE_STEREO @@ -76,11 +85,18 @@ services: - ENABLE_TCC - ENABLE_TRANSCRIPTIONS - ENABLE_XMPP_WEBSOCKET + - ENABLE_JAAS_COMPONENTS + - ENABLE_MULTI_STREAM - ETHERPAD_PUBLIC_URL - ETHERPAD_URL_BASE + - E2EPING_NUM_REQUESTS + - E2EPING_MAX_CONFERENCE_SIZE + - E2EPING_MAX_MESSAGE_PER_SECOND - GOOGLE_ANALYTICS_ID - GOOGLE_API_APP_CLIENT_ID - HIDE_PREMEETING_BUTTONS + - HIDE_PREJOIN_DISPLAY_NAME + - HIDE_PREJOIN_EXTRA_BUTTONS - INVITE_SERVICE_URL - JICOFO_AUTH_USER - LETSENCRYPT_DOMAIN @@ -128,6 +144,7 @@ services: - XMPP_GUEST_DOMAIN - XMPP_MUC_DOMAIN - XMPP_RECORDER_DOMAIN + - XMPP_PORT labels: traefik.enable: true traefik.docker.network: traefik_public 
@@ -143,7 +160,7 @@ services: traefik.http.middlewares.jitsi-headers.headers.STSIncludeSubdomains: true traefik.http.middlewares.jitsi-headers.headers.STSPreload: true traefik.http.middlewares.jitsi-headers.headers.featurePolicy: geolocation 'none'; payment 'none' - traefik.http.middlewares.jitsi-headers.headers.contentSecurityPolicy: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'; block-all-mixed-content + traefik.http.middlewares.jitsi-headers.headers.contentSecurityPolicy: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'none'; block-all-mixed-content traefik.http.routers.jitsi.middlewares: jitsi-headers networks: public: @@ -153,10 +170,10 @@ services: # XMPP server prosody: - image: jitsi/prosody:stable-6865 - restart: ${RESTART_POLICY} + image: jitsi/prosody:${JITSI_IMAGE_VERSION:-stable-7830} + restart: ${RESTART_POLICY:-unless-stopped} expose: - - '5222' + - '${XMPP_PORT:-5222}' - '5347' - '5280' volumes: @@ -168,9 +185,19 @@ services: - ENABLE_AUTH - ENABLE_AV_MODERATION - ENABLE_BREAKOUT_ROOMS + - ENABLE_END_CONFERENCE - ENABLE_GUESTS + - ENABLE_IPV6 - ENABLE_LOBBY + - ENABLE_RECORDING - ENABLE_XMPP_WEBSOCKET + - ENABLE_JAAS_COMPONENTS + - GC_TYPE + - GC_INC_TH + - GC_INC_SPEED + - GC_INC_STEP_SIZE + - GC_GEN_MIN_TH + - GC_GEN_MAX_TH - GLOBAL_CONFIG - GLOBAL_MODULES - JIBRI_RECORDER_USER @@ -191,7 +218,12 @@ services: - JWT_ASAP_KEYSERVER - JWT_ALLOW_EMPTY - JWT_AUTH_TYPE + - JWT_ENABLE_DOMAIN_VERIFICATION - JWT_TOKEN_AUTH_MODULE + - MATRIX_UVS_URL + - MATRIX_UVS_ISSUER + - MATRIX_UVS_AUTH_TOKEN + - MATRIX_UVS_SYNC_POWER_LEVELS - LOG_LEVEL - LDAP_AUTH_METHOD - LDAP_BASE 
@@ -206,6 +238,9 @@ services: - LDAP_START_TLS - LDAP_URL - LDAP_USE_TLS + - MAX_PARTICIPANTS + - PROSODY_RESERVATION_ENABLED + - PROSODY_RESERVATION_REST_BASE_URL - PUBLIC_URL - TURN_CREDENTIALS - TURN_HOST @@ -220,18 +255,19 @@ services: - XMPP_INTERNAL_MUC_DOMAIN - XMPP_MODULES - XMPP_MUC_MODULES + - XMPP_MUC_CONFIGURATION - XMPP_INTERNAL_MUC_MODULES - XMPP_RECORDER_DOMAIN - - XMPP_CROSS_DOMAIN + - XMPP_PORT networks: meet.jitsi: aliases: - - ${XMPP_SERVER} + - ${XMPP_SERVER:-xmpp.meet.jitsi} # Focus component jicofo: - image: jitsi/jicofo:stable-6865 - restart: ${RESTART_POLICY} + image: jitsi/jicofo:${JITSI_IMAGE_VERSION:-stable-7830} + restart: ${RESTART_POLICY:-unless-stopped} volumes: - ${CONFIG}/jicofo:/config:Z environment: @@ -254,8 +290,6 @@ services: - JICOFO_CONF_SINGLE_PARTICIPANT_TIMEOUT - JICOFO_ENABLE_HEALTH_CHECKS - JICOFO_SHORT_ID - - JICOFO_RESERVATION_ENABLED - - JICOFO_RESERVATION_REST_BASE_URL - JIBRI_BREWERY_MUC - JIBRI_REQUEST_RETRIES - JIBRI_PENDING_TIMEOUT @@ -274,6 +308,7 @@ services: - XMPP_MUC_DOMAIN - XMPP_RECORDER_DOMAIN - XMPP_SERVER + - XMPP_PORT depends_on: - prosody networks: 
@@ -281,31 +316,30 @@ services: # Video bridge jvb: - image: jitsi/jvb:stable-6865 - restart: ${RESTART_POLICY} + image: jitsi/jvb:${JITSI_IMAGE_VERSION:-stable-7830} + restart: ${RESTART_POLICY:-unless-stopped} ports: - - '${JVB_PORT}:${JVB_PORT}/udp' - - '${JVB_TCP_PORT}:${JVB_TCP_PORT}' + - '${JVB_PORT:-10000}:${JVB_PORT:-10000}/udp' + - '127.0.0.1:${JVB_COLIBRI_PORT:-8080}:8080' volumes: - ${CONFIG}/jvb:/config:Z environment: - DOCKER_HOST_ADDRESS - ENABLE_COLIBRI_WEBSOCKET - ENABLE_OCTO + - ENABLE_MULTI_STREAM + - JVB_ADVERTISE_IPS + - JVB_ADVERTISE_PRIVATE_CANDIDATES - JVB_AUTH_USER - JVB_AUTH_PASSWORD - JVB_BREWERY_MUC - #- JVB_ENABLE_APIS + - JVB_DISABLE_STUN - JVB_PORT - JVB_MUC_NICKNAME - - JVB_TCP_HARVESTER_DISABLED - - JVB_TCP_PORT - - JVB_TCP_MAPPED_PORT - JVB_STUN_SERVERS - JVB_OCTO_BIND_ADDRESS - - JVB_OCTO_PUBLIC_ADDRESS - - JVB_OCTO_BIND_PORT - JVB_OCTO_REGION + - JVB_OCTO_RELAY_ID - JVB_WS_DOMAIN - JVB_WS_SERVER_ID - PUBLIC_URL @@ -318,6 +352,7 @@ services: - XMPP_AUTH_DOMAIN - XMPP_INTERNAL_MUC_DOMAIN - XMPP_SERVER + - XMPP_PORT depends_on: - prosody networks: diff --git a/templates/env.jitsi.j2 b/templates/env.jitsi.j2 index ebbec30..b0a2292 100644 --- a/templates/env.jitsi.j2 +++ b/templates/env.jitsi.j2 
@@ -1,28 +1,14 @@ # shellcheck disable=SC2034 -# Security +################################################################################ +################################################################################ +# Welcome to the Jitsi Meet Docker setup! # -# Set these to strong passwords to avoid intruders from impersonating a service account -# The service(s) won't start unless these are specified -# Running ./gen-passwords.sh will update .env with strong passwords -# You may skip the Jigasi and Jibri passwords if you are not using those -# DO NOT reuse passwords -# - -# XMPP password for Jicofo client connections -JICOFO_AUTH_PASSWORD={{ jitsi_jicofo_auth_password }} - -# XMPP password for JVB client connections -JVB_AUTH_PASSWORD={{ jitsi_jvb_auth_password }} - -# XMPP password for Jigasi MUC client connections -JIGASI_XMPP_PASSWORD={{ jitsi_jigasi_xmpp_password }} - -# XMPP recorder password for Jibri client connections -JIBRI_RECORDER_PASSWORD={{ jitsi_jibri_recorder_password }} - -# XMPP password for Jibri client connections -JIBRI_XMPP_PASSWORD={{ jitsi_jibri_xmpp_password }} +# This sample .env file contains some basic options to get you started. +# The full options reference can be found here: +# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker +################################################################################ +################################################################################ # 
@@ -45,34 +31,25 @@ TZ={{ jitsi_timezone }} PUBLIC_URL={{ jitsi_public_url }} VIRTUAL_HOST={{ jitsi_virtual_host }} -# IP address of the Docker host -# See the "Running behind NAT or on a LAN environment" section in the Handbook: -# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment +# IP address of the Docker host. See the "Running on a LAN environment" section +# in the README. DOCKER_HOST_ADDRESS={{ jitsi_docker_host_address }} -# Control whether the lobby feature should be enabled or not -#ENABLE_LOBBY=1 +# Media IP addresses to advertise by the JVB +# This setting deprecates DOCKER_HOST_ADDRESS, and supports a comma separated list of IPs +# See the "Running behind NAT or on a LAN environment" section in the Handbook: +# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment +#JVB_ADVERTISE_IPS={{ jitsi_jvb_advertise_ips }} -# Control whether the A/V moderation should be enabled or not -#ENABLE_AV_MODERATION=1 +JVB_STUN_SERVERS={{ jitsi_jvb_stun_servers }} -# Show a prejoin page before entering a conference -#ENABLE_PREJOIN_PAGE=0 +# +# JaaS Components (beta) +# https://jaas.8x8.vc +# -# Enable the welcome page -#ENABLE_WELCOME_PAGE=1 - -# Enable the close page -#ENABLE_CLOSE_PAGE=0 - -# Disable measuring of audio levels -#DISABLE_AUDIO_LEVELS=0 - -# Enable noisy mic detection -#ENABLE_NOISY_MIC_DETECTION=1 - -# Enable breakout rooms -#ENABLE_BREAKOUT_ROOMS=1 +# Enable JaaS Components (hosted Jigasi) +#ENABLE_JAAS_COMPONENTS=0 {% if jitsi_enable_letsencrypt %} # @@ -80,7 +57,7 @@ DOCKER_HOST_ADDRESS={{ jitsi_docker_host_address }} # # Enable Let's Encrypt certificate generation. -ENABLE_LETSENCRYPT=0 +ENABLE_LETSENCRYPT=1 # Domain for which to generate the certificate. LETSENCRYPT_DOMAIN={{ jitsi_virtual_host }} 
@@ -88,6 +65,9 @@ LETSENCRYPT_DOMAIN={{ jitsi_virtual_host }} # E-Mail for receiving important account notifications (mandatory). LETSENCRYPT_EMAIL={{ jitsi_letsencrypt_email }} +# Use the staging server (for avoiding rate limits while testing) +#LETSENCRYPT_USE_STAGING=1 + {% endif -%} # @@ -132,6 +112,7 @@ ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background # SIP server transport #JIGASI_SIP_TRANSPORT=UDP + # # Authentication configuration (see handbook for details) # @@ -142,7 +123,7 @@ ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background # Enable guest access #ENABLE_GUESTS=1 -# Select authentication type: internal, jwt or ldap +# Select authentication type: internal, jwt, ldap or matrix #AUTH_TYPE=internal # JWT authentication @@ -160,7 +141,6 @@ ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background # (Optional) Set asap_accepted_audiences as a comma separated list #JWT_ACCEPTED_AUDIENCES=my_server1,my_server2 - # LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page) # 
@@ -208,207 +188,37 @@ ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background # -# Advanced configuration options (you generally don't need to change these) +# Security +# +# Set these to strong passwords to avoid intruders from impersonating a service account +# The service(s) won't start unless these are specified +# Running ./gen-passwords.sh will update .env with strong passwords +# You may skip the Jigasi and Jibri passwords if you are not using those +# DO NOT reuse passwords # -# Internal XMPP domain -XMPP_DOMAIN=meet.jitsi +# XMPP password for Jicofo client connections +JICOFO_AUTH_PASSWORD={{ jitsi_jicofo_auth_password }} -# Internal XMPP server -XMPP_SERVER=xmpp.meet.jitsi +# XMPP password for JVB client connections +JVB_AUTH_PASSWORD={{ jitsi_jvb_auth_password }} -# Internal XMPP server URL -XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280 +# XMPP password for Jigasi MUC client connections +JIGASI_XMPP_PASSWORD={{ jitsi_jigasi_xmpp_password }} -# Internal XMPP domain for authenticated services -XMPP_AUTH_DOMAIN=auth.meet.jitsi +# XMPP recorder password for Jibri client connections +JIBRI_RECORDER_PASSWORD={{ jitsi_jibri_recorder_password }} -# XMPP domain for the MUC -XMPP_MUC_DOMAIN=muc.meet.jitsi +# XMPP password for Jibri client connections +JIBRI_XMPP_PASSWORD={{ jitsi_jibri_xmpp_password }} -# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools -XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi - -# XMPP domain for unauthenticated users -XMPP_GUEST_DOMAIN=guest.meet.jitsi - -# Comma separated list of domains for cross domain policy or "true" to allow all -# The PUBLIC_URL is always allowed -#XMPP_CROSS_DOMAIN=true - -# Custom Prosody modules for XMPP_DOMAIN (comma separated) -XMPP_MODULES= - -# Custom Prosody modules for MUC component (comma separated) -XMPP_MUC_MODULES= - -# Custom Prosody modules for internal MUC component (comma separated) -XMPP_INTERNAL_MUC_MODULES= - -# MUC for the JVB pool 
-JVB_BREWERY_MUC=jvbbrewery - -# XMPP user for JVB client connections -JVB_AUTH_USER={{ jitsi_jvb_auth_user }} - -# STUN servers used to discover the server's public IP -JVB_STUN_SERVERS={{ jitsi_jvb_stun_servers }} - -# Media port for the Jitsi Videobridge -JVB_PORT=10000 - -# TCP Fallback for Jitsi Videobridge for when UDP isn't available -JVB_TCP_HARVESTER_DISABLED=true -JVB_TCP_PORT=4443 -JVB_TCP_MAPPED_PORT=4443 - -# XMPP user for Jicofo client connections. -# NOTE: this option doesn't currently work due to a bug -JICOFO_AUTH_USER={{ jitsi_jicofo_auth_user }} - -# Base URL of Jicofo's reservation REST API -#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com - -# Enable Jicofo's health check REST API (http://:8888/about/health) -#JICOFO_ENABLE_HEALTH_CHECKS=true - -# XMPP user for Jigasi MUC client connections -JIGASI_XMPP_USER={{ jitsi_jigasi_xmpp_user }} - -# MUC name for the Jigasi pool -JIGASI_BREWERY_MUC=jigasibrewery - -# Minimum port for media used by Jigasi -JIGASI_PORT_MIN=20000 - -# Maximum port for media used by Jigasi -JIGASI_PORT_MAX=20050 - -# Enable SDES srtp -#JIGASI_ENABLE_SDES_SRTP=1 - -# Keepalive method -#JIGASI_SIP_KEEP_ALIVE_METHOD=OPTIONS - -# Health-check extension -#JIGASI_HEALTH_CHECK_SIP_URI=keepalive - -# Health-check interval -#JIGASI_HEALTH_CHECK_INTERVAL=300000 # -# Enable Jigasi transcription -#ENABLE_TRANSCRIPTIONS=1 - -# Jigasi will record audio when transcriber is on [default: false] -#JIGASI_TRANSCRIBER_RECORD_AUDIO=true - -# Jigasi will send transcribed text to the chat when transcriber is on [default: false] -#JIGASI_TRANSCRIBER_SEND_TXT=true - -# Jigasi will post an url to the chat with transcription file [default: false] -#JIGASI_TRANSCRIBER_ADVERTISE_URL=true - -# Credentials for connect to Cloud Google API from Jigasi -# Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol -# section "Before you begin" paragraph 1 to 5 -# Copy the values from the json to the related env vars 
-#GC_PROJECT_ID= -#GC_PRIVATE_KEY_ID= -#GC_PRIVATE_KEY= -#GC_CLIENT_EMAIL= -#GC_CLIENT_ID= -#GC_CLIENT_CERT_URL= - -# Enable recording -#ENABLE_RECORDING=1 - -# XMPP domain for the jibri recorder -XMPP_RECORDER_DOMAIN=recorder.meet.jitsi - -# XMPP recorder user for Jibri client connections -JIBRI_RECORDER_USER={{ jitsi_jibri_recorder_user }} - -# Directory for recordings inside Jibri container -JIBRI_RECORDING_DIR=/config/recordings - -# The finalizing script. Will run after recording is complete -#JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh - -# XMPP user for Jibri client connections -JIBRI_XMPP_USER={{ jitsi_jibri_xmpp_user }} - -# MUC name for the Jibri pool -JIBRI_BREWERY_MUC=jibribrewery - -# MUC connection timeout -JIBRI_PENDING_TIMEOUT=90 - -# When jibri gets a request to start a service for a room, the room -# jid will look like: roomName@optional.prefixes.subdomain.xmpp_domain -# We'll build the url for the call by transforming that into: -# https://xmpp_domain/subdomain/roomName -# So if there are any prefixes in the jid (like jitsi meet, which -# has its participants join a muc at conference.xmpp_domain) then -# list that prefix here so it can be stripped out to generate -# the call url correctly -JIBRI_STRIP_DOMAIN_JID=muc - -# Directory for logs inside Jibri container -JIBRI_LOGS_DIR=/config/logs - -# Configure an external TURN server -# TURN_CREDENTIALS=secret -# TURN_HOST=turnserver.example.com -# TURN_PORT=443 -# TURNS_HOST=turnserver.example.com -# TURNS_PORT=443 - -# Disable HTTPS: handle TLS connections outside of this setup -#DISABLE_HTTPS=1 - -# Enable FLoC -# Opt-In to Federated Learning of Cohorts tracking -#ENABLE_FLOC=0 - -# Redirect HTTP traffic to HTTPS -# Necessary for Let's Encrypt, relies on standard HTTPS port (443) -#ENABLE_HTTP_REDIRECT=1 - -# Send a `strict-transport-security` header to force browsers to use -# a secure and trusted connection. Recommended for production use. -# Defaults to 1 (send the header). 
-# ENABLE_HSTS=1 - -# Enable IPv6 -# Provides means to disable IPv6 in environments that don't support it (get with the times, people!) -#ENABLE_IPV6=1 +# Docker Compose options +# # Container restart policy # Defaults to unless-stopped RESTART_POLICY=unless-stopped -# Authenticate using external service or just focus external auth window if there is one already. -# TOKEN_AUTH_URL=https://auth.meet.example.com/{room} - -# Sentry Error Tracking -# Sentry Data Source Name (Endpoint for Sentry project) -# Example: https://public:private@host:port/1 -#JVB_SENTRY_DSN= -#JICOFO_SENTRY_DSN= -#JIGASI_SENTRY_DSN= - -# Optional environment info to filter events -#SENTRY_ENVIRONMENT=production - -# Optional release info to filter events -#SENTRY_RELEASE=1.0.0 - -# Optional properties for shutdown api -#COLIBRI_REST_ENABLED=true -#SHUTDOWN_REST_ENABLED=true - -# Configure toolbar buttons. Add the buttons name separated with comma(no spaces between comma) -#TOOLBAR_BUTTONS= - -# Hide the buttons at pre-join screen. Add the buttons name separated with comma -#HIDE_PREMEETING_BUTTONS= +# Jitsi image version (useful for local development) +#JITSI_IMAGE_VERSION=latest diff --git a/templates/etherpad.yml b/templates/etherpad.yml index bab9378..49f9be0 100644 --- a/templates/etherpad.yml +++ b/templates/etherpad.yml @@ -1,10 +1,10 @@ -version: '3' +version: '3.5' services: # Etherpad: real-time collaborative document editing etherpad: image: etherpad/etherpad:1.8.6 - restart: ${RESTART_POLICY} + restart: ${RESTART_POLICY:-unless-stopped} environment: - TITLE=${ETHERPAD_TITLE} - DEFAULT_PAD_TEXT=${ETHERPAD_DEFAULT_PAD_TEXT} @@ -14,3 +14,4 @@ services: meet.jitsi: aliases: - etherpad.meet.jitsi + diff --git a/templates/jibri.yml b/templates/jibri.yml index e51af2a..826797d 100644 --- a/templates/jibri.yml +++ b/templates/jibri.yml 
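Review bot: The deleted block in this hunk removes the only lines that consumed `jitsi_jvb_auth_user`, `jitsi_jicofo_auth_user`, `jitsi_jigasi_xmpp_user`, `jitsi_jibri_recorder_user` and `jitsi_jibri_xmpp_user` (`JVB_AUTH_USER=…`, `JICOFO_AUTH_USER=…`, `JIGASI_XMPP_USER=…`, `JIBRI_RECORDER_USER=…`, `JIBRI_XMPP_USER=…`), while the matching `*_PASSWORD` lines are kept in the relocated Security section. The account names therefore fall back to whatever the images default to and the role variables silently stop having any effect; if that is intended, drop them from defaults and the README, otherwise keep each user line next to its password, e.g. `JVB_AUTH_USER={{ jitsi_jvb_auth_user }}` above `JVB_AUTH_PASSWORD`. The same deletion drops the commented `TURN_*` template, `ENABLE_HSTS` and the `XMPP_*` domain overrides, so any inventory that relied on them being present in the rendered .env now has to re-add them explicitly.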
@@ -1,23 +1,18 @@ -version: '3' +version: '3.5' services: jibri: - image: jitsi/jibri:stable-6865 - restart: ${RESTART_POLICY} + image: jitsi/jibri:${JITSI_IMAGE_VERSION:-stable-7830} + restart: ${RESTART_POLICY:-unless-stopped} volumes: - ${CONFIG}/jibri:/config:Z - - /dev/shm:/dev/shm + shm_size: '2gb' cap_add: - SYS_ADMIN - - NET_BIND_SERVICE - devices: - - /dev/snd:/dev/snd environment: - CHROMIUM_FLAGS - DISPLAY=:0 - ENABLE_STATS_D - - JIBRI_FFMPEG_AUDIO_SOURCE - - JIBRI_FFMPEG_AUDIO_DEVICE - JIBRI_HTTP_API_EXTERNAL_PORT - JIBRI_HTTP_API_INTERNAL_PORT - JIBRI_RECORDING_RESOLUTION @@ -30,14 +25,15 @@ services: - JIBRI_RECORDING_DIR - JIBRI_FINALIZE_RECORDING_SCRIPT_PATH - JIBRI_STRIP_DOMAIN_JID - - JIBRI_LOGS_DIR - PUBLIC_URL - TZ - XMPP_AUTH_DOMAIN - XMPP_DOMAIN - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_MUC_DOMAIN - XMPP_RECORDER_DOMAIN - XMPP_SERVER + - XMPP_PORT - XMPP_TRUST_ALL_CERTS depends_on: - jicofo diff --git a/templates/jigasi.yml b/templates/jigasi.yml index ef8f0d6..d6cb0e2 100644 --- a/templates/jigasi.yml +++ b/templates/jigasi.yml @@ -3,10 +3,10 @@ version: '3' services: # SIP gateway (audio) jigasi: - image: jitsi/jigasi:stable-6865 - restart: ${RESTART_POLICY} + image: jitsi/jigasi:${JITSI_IMAGE_VERSION:-stable-7830} + restart: ${RESTART_POLICY:-unless-stopped} ports: - - '${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}:${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}/udp' + - '${JIGASI_PORT_MIN:-20000}-${JIGASI_PORT_MAX:-20050}:${JIGASI_PORT_MIN:-20000}-${JIGASI_PORT_MAX:-20050}/udp' volumes: - ${CONFIG}/jigasi:/config:Z - ${CONFIG}/transcripts:/tmp/transcripts:Z @@ -18,8 +18,10 @@ services: - XMPP_MUC_DOMAIN - XMPP_INTERNAL_MUC_DOMAIN - XMPP_SERVER + - XMPP_PORT - XMPP_DOMAIN - PUBLIC_URL + - JIGASI_DISABLE_SIP - JIGASI_SIP_URI - JIGASI_SIP_PASSWORD - JIGASI_SIP_SERVER @@ -53,3 +55,4 @@ services: - prosody networks: meet.jitsi: + From f25cf1e12e0b267410bda4f0be3cc38d371ab13d Mon Sep 17 00:00:00 2001 
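Review bot: `cap_add: - SYS_ADMIN` survives this hunk while `NET_BIND_SERVICE` and the `/dev/snd` device are dropped, and nothing records why the broadest of the three is still needed; CAP_SYS_ADMIN is close to root on the host kernel (mounts, namespaces, many privileged ioctls), so it should carry a justification. Presumably it is for the headless Chromium inside the jibri image — confirm against the upstream jibri documentation and add `# SYS_ADMIN: required by jibri's headless Chromium (sandbox/namespaces) — run this container only on a host you trust fully` above `cap_add`. The context also keeps `XMPP_TRUST_ALL_CERTS` in the passthrough; if it is set to 1 in the .env, jibri accepts any certificate from prosody, which is tolerable only because that hop stays inside the `meet.jitsi` network.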
From: Jan Beilicke Date: Sun, 2 Oct 2022 23:06:36 +0000 Subject: [PATCH 12/18] Update 'CHANGELOG.md' --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 75f3e79..674c3d8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,8 +1,8 @@ ## Changelog -### stable-7830 +### 0.9.0 -* Updates all Docker Compose templates +* Updated to [Jitsi stable-7830](https://github.com/jitsi/docker-jitsi-meet/tree/stable-7830) * Adds `jitsi_jvb_advertise_ips`, which supports a comma separated list of IPs * Content-Security-Policy now allows `base-uri 'self'` (instead of `none`) * Fixed `jitsi_enable_letsencrypt` handling (please note: you will still have to uncomment `LETSENCRYPT_USE_STAGING=1` in the .env file/template if you only want to test Let's Encrypt) From 99f7dced9e74acf69bc5de0d498c4ca312de5e0c Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Mon, 3 Oct 2022 12:54:09 +0200 Subject: [PATCH 13/18] Updated src to stable-7830 --- src | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src b/src index eae3f5c..aec6021 160000 --- a/src +++ b/src @@ -1 +1 @@ -Subproject commit eae3f5ce2d7627afe4115f52a61cc7ae3e3e8a31 +Subproject commit aec6021f2098435650c19ba85b27de114dd8bde0 From 04fc0023df5dc2ef40205a4e344b4961c9416907 Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Mon, 30 Oct 2023 00:56:32 +0100 Subject: [PATCH 14/18] Updates Jitsi to stable-8960-1 --- defaults/main.yml | 16 ++++++- tasks/main.yml | 29 ++++++------ templates/docker-compose.jitsi.yml.j2 | 67 +++++++++++++++++++++------ templates/env.jitsi.j2 | 26 ++++++++++- 4 files changed, 104 insertions(+), 34 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index bbc459b..4c4bea9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,6 +1,7 @@ --- # defaults file for jitsi docker_user: deploy +jitsi_image_version: stable-8960-1 #jitsi_letsencrypt_email:alice@host.tld jitsi_enable_letsencrypt: no jitsi_exposed_http_port: 8000 @@ -8,9 +9,20 @@ jitsi_exposed_https_port: 8443 jitsi_virtual_host: localhost jitsi_public_url: http://{{ jitsi_virtual_host }} jitsi_timezone: Europe/Amsterdam -jitsi_jvb_stun_servers: meet-jit-si-turnrelay.jitsi.net:443 jitsi_web_channel_last_n: 3 jitsi_build_latest_image_from_source: yes jitsi_docker_upstream_repo_url: https://github.com/jitsi/docker-jitsi-meet.git jitsi_enable_third_party_requests: no -jitsi_jvb_advertise_ips: "{{ jitsi_docker_host_address }}" \ No newline at end of file +jitsi_jvb_advertise_ips: "{{ jitsi_docker_host_address }}" + +jitsi_jvb_stun_servers: meet-jit-si-turnrelay.jitsi.net:443 +jitsi_jvb_port: 10000 +jitsi_jvb_tcp_port: 4443 +jitsi_jvb_tcp_mapped_port: 4443 + + +# jitsi_turn_credentials: +# jitsi_turn_host: +jitsi_turn_port: 3478 +# jitsi_turns_host: +jitsi_turns_port: 5349 \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index df582f2..4cb9289 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -81,21 +81,6 @@ that: - "output.services['web']['jitsi_web_1'].state.running" -- name: "Test whether Jitsi is healthy from the outside" - when: not ansible_check_mode - become: false - uri: - url: https://{{ jitsi_virtual_host }} - return_content: yes - timeout: 300 - validate_certs: no - register: url_check - delegate_to: localhost - until: "'Jitsi Meet' in url_check.content" - retries: 5 - delay: 10 - tags: health - - name: "Config: Set channelLastN" lineinfile: path: /home/{{ docker_user }}/jitsi/conf/web/config.js 
@@ -113,3 +98,17 @@ when: jitsi_enable_third_party_requests == False tags: config +- name: "Test whether Jitsi is healthy from the outside" + when: not ansible_check_mode + become: false + uri: + url: "{{ jitsi_public_url }}" + return_content: yes + timeout: 300 + validate_certs: no + register: url_check + delegate_to: localhost + until: "'<title>Jitsi Meet' in url_check.content" + retries: 5 + delay: 10 + tags: health diff --git a/templates/docker-compose.jitsi.yml.j2 b/templates/docker-compose.jitsi.yml.j2 index a6ce02c..e63e39e 100644 --- a/templates/docker-compose.jitsi.yml.j2 +++ b/templates/docker-compose.jitsi.yml.j2 @@ -3,7 +3,7 @@ version: '3.5' services: # Frontend web: - image: jitsi/web:${JITSI_IMAGE_VERSION:-stable-7830} + image: jitsi/web:${JITSI_IMAGE_VERSION:-unstable} restart: ${RESTART_POLICY:-unless-stopped} ports: - '${HTTP_PORT}:80' @@ -17,11 +17,13 @@ services: - ANALYTICS_SCRIPT_URLS - ANALYTICS_WHITELISTED_EVENTS - AUDIO_QUALITY_OPUS_BITRATE + - AUTO_CAPTION_ON_RECORD - BRANDING_DATA_URL - CALLSTATS_CUSTOM_SCRIPT_URL - CALLSTATS_ID - CALLSTATS_SECRET - CHROME_EXTENSION_BANNER_JSON + - COLIBRI_WEBSOCKET_PORT - CONFCODE_URL - CONFIG_EXTERNAL_CONNECT - DEFAULT_LANGUAGE @@ -46,6 +48,7 @@ services: - DISABLE_PROFILE - DISABLE_REACTIONS - DISABLE_REMOTE_VIDEO_MENU + - DISABLE_START_FOR_ALL - DROPBOX_APPKEY - DROPBOX_REDIRECT_URI - DYNAMIC_BRANDING_URL @@ -71,6 +74,10 @@ services: - ENABLE_WELCOME_PAGE - ENABLE_CLOSE_PAGE - ENABLE_LIVESTREAMING + - ENABLE_LIVESTREAMING_DATA_PRIVACY_LINK + - ENABLE_LIVESTREAMING_HELP_LINK + - ENABLE_LIVESTREAMING_TERMS_LINK + - ENABLE_LIVESTREAMING_VALIDATOR_REGEXP_STRING - ENABLE_LOCAL_RECORDING_NOTIFY_ALL_PARTICIPANT - ENABLE_LOCAL_RECORDING_SELF_START - ENABLE_RECORDING @@ -86,7 +93,6 @@ services: - ENABLE_TRANSCRIPTIONS - ENABLE_XMPP_WEBSOCKET - ENABLE_JAAS_COMPONENTS - - ENABLE_MULTI_STREAM - ETHERPAD_PUBLIC_URL - ETHERPAD_URL_BASE - E2EPING_NUM_REQUESTS 
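Review bot: The re-added health check sets `validate_certs: no` on the `uri` call to `{{ jitsi_public_url }}`, so when `jitsi_enable_letsencrypt` is on the role declares the deployment healthy even if the served certificate is self-signed, expired or for another host. Tie it to the TLS setting instead, e.g. `validate_certs: "{{ jitsi_enable_letsencrypt | bool }}"`, with a comment that it must be overridden to false while the Let's Encrypt staging CA is in use. The `until: "'<title>Jitsi Meet' in url_check.content"` match is stricter than the old `'Jitsi Meet'`, which is fine, but a `# matches the <title> of the upstream index page; custom branding will need a different marker` note would save the next person a confusing failure.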
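Review bot: The web service's image tag now falls back to `${JITSI_IMAGE_VERSION:-unstable}`, so if the rendered .env is missing or the variable is empty, Compose pulls the mutable `unstable` tag rather than the `stable-8960-1` this commit targets (defaults/main.yml sets `jitsi_image_version: stable-8960-1`). Make the fallback the pinned release, `image: jitsi/web:${JITSI_IMAGE_VERSION:-stable-8960-1}`, or template it as `{{ jitsi_image_version }}` so the compose file never carries a floating default. The same `:-unstable` fallback is applied to the prosody, jicofo and jvb services in this commit.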
@@ -98,10 +104,6 @@ services: - HIDE_PREJOIN_DISPLAY_NAME - HIDE_PREJOIN_EXTRA_BUTTONS - INVITE_SERVICE_URL - - JICOFO_AUTH_USER - - LETSENCRYPT_DOMAIN - - LETSENCRYPT_EMAIL - - LETSENCRYPT_USE_STAGING - MATOMO_ENDPOINT - MATOMO_SITE_ID - MICROSOFT_API_APP_CLIENT_ID @@ -109,6 +111,7 @@ services: - NGINX_WORKER_PROCESSES - NGINX_WORKER_CONNECTIONS - PEOPLE_SEARCH_URL + - PREFERRED_LANGUAGE - PUBLIC_URL - P2P_PREFERRED_CODEC - RESOLUTION @@ -126,7 +129,10 @@ services: - TESTING_OCTO_PROBABILITY - TOKEN_AUTH_URL - TOOLBAR_BUTTONS + - TRANSLATION_LANGUAGES + - TRANSLATION_LANGUAGES_HEAD - TZ + - USE_APP_LANGUAGE - VIDEOQUALITY_BITRATE_H264_LOW - VIDEOQUALITY_BITRATE_H264_STANDARD - VIDEOQUALITY_BITRATE_H264_HIGH @@ -145,6 +151,8 @@ services: - XMPP_MUC_DOMAIN - XMPP_RECORDER_DOMAIN - XMPP_PORT + - WHITEBOARD_ENABLED + - WHITEBOARD_COLLAB_SERVER_PUBLIC_URL labels: traefik.enable: true traefik.docker.network: traefik_public @@ -165,12 +173,10 @@ services: networks: public: meet.jitsi: - aliases: - - ${XMPP_DOMAIN} # XMPP server prosody: - image: jitsi/prosody:${JITSI_IMAGE_VERSION:-stable-7830} + image: jitsi/prosody:${JITSI_IMAGE_VERSION:-unstable} restart: ${RESTART_POLICY:-unless-stopped} expose: - '${XMPP_PORT:-5222}' @@ -204,7 +210,6 @@ services: - JIBRI_RECORDER_PASSWORD - JIBRI_XMPP_USER - JIBRI_XMPP_PASSWORD - - JICOFO_AUTH_USER - JICOFO_AUTH_PASSWORD - JICOFO_COMPONENT_SECRET - JIGASI_XMPP_USER @@ -239,14 +244,22 @@ services: - LDAP_URL - LDAP_USE_TLS - MAX_PARTICIPANTS + - PROSODY_AUTH_TYPE - PROSODY_RESERVATION_ENABLED - PROSODY_RESERVATION_REST_BASE_URL + - PROSODY_ENABLE_RATE_LIMITS + - PROSODY_RATE_LIMIT_LOGIN_RATE + - PROSODY_RATE_LIMIT_SESSION_RATE + - PROSODY_RATE_LIMIT_TIMEOUT + - PROSODY_RATE_LIMIT_ALLOW_RANGES + - PROSODY_RATE_LIMIT_CACHE_SIZE - PUBLIC_URL - TURN_CREDENTIALS - TURN_HOST - TURNS_HOST - TURN_PORT - TURNS_PORT + - TURN_TRANSPORT - TZ - XMPP_DOMAIN - XMPP_AUTH_DOMAIN 
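Review bot: This hunk removes `LETSENCRYPT_DOMAIN`, `LETSENCRYPT_EMAIL` and `LETSENCRYPT_USE_STAGING` from the web container's environment passthrough, but env.jitsi.j2 still renders them inside the `{% if jitsi_enable_letsencrypt %}` block and the web image is what requests the certificate. Unless they are re-listed elsewhere in the file (not visible here), the container never receives them and issuance fails while `ENABLE_LETSENCRYPT=1` is set; confirm against the upstream stable-8960-1 compose before dropping them, or keep the three lines. `JICOFO_AUTH_USER` is removed from the same list, which is consistent with the upstream move, but `templates/exporter.env.j2` in this series still reads `jitsi_jicofo_auth_user`, so the variable cannot be retired yet.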
@@ -266,8 +279,10 @@ services: # Focus component jicofo: - image: jitsi/jicofo:${JITSI_IMAGE_VERSION:-stable-7830} + image: jitsi/jicofo:${JITSI_IMAGE_VERSION:-unstable} restart: ${RESTART_POLICY:-unless-stopped} + ports: + - '127.0.0.1:${JICOFO_REST_PORT:-8888}:8888' volumes: - ${CONFIG}/jicofo:/config:Z environment: @@ -279,23 +294,40 @@ services: - ENABLE_CODEC_VP8 - ENABLE_CODEC_VP9 - ENABLE_CODEC_H264 + - ENABLE_CODEC_OPUS_RED + - ENABLE_JVB_XMPP_SERVER - ENABLE_OCTO - ENABLE_RECORDING - ENABLE_SCTP - ENABLE_AUTO_LOGIN - - JICOFO_AUTH_USER + - JICOFO_AUTH_LIFETIME - JICOFO_AUTH_PASSWORD + - JICOFO_AUTH_TYPE + - JICOFO_BRIDGE_REGION_GROUPS + - JICOFO_ENABLE_AUTH - JICOFO_ENABLE_BRIDGE_HEALTH_CHECKS - JICOFO_CONF_INITIAL_PARTICIPANT_WAIT_TIMEOUT - JICOFO_CONF_SINGLE_PARTICIPANT_TIMEOUT + - JICOFO_CONF_SOURCE_SIGNALING_DELAYS + - JICOFO_CONF_MAX_AUDIO_SENDERS + - JICOFO_CONF_MAX_VIDEO_SENDERS + - JICOFO_CONF_STRIP_SIMULCAST + - JICOFO_CONF_SSRC_REWRITING - JICOFO_ENABLE_HEALTH_CHECKS - - JICOFO_SHORT_ID + - JICOFO_ENABLE_REST + - JICOFO_HEALTH_CHECKS_USE_PRESENCE + - JICOFO_MULTI_STREAM_BACKWARD_COMPAT + - JICOFO_OCTO_REGION - JIBRI_BREWERY_MUC - JIBRI_REQUEST_RETRIES - JIBRI_PENDING_TIMEOUT - JIGASI_BREWERY_MUC - JIGASI_SIP_URI - JVB_BREWERY_MUC + - JVB_XMPP_AUTH_DOMAIN + - JVB_XMPP_INTERNAL_MUC_DOMAIN + - JVB_XMPP_PORT + - JVB_XMPP_SERVER - MAX_BRIDGE_PARTICIPANTS - OCTO_BRIDGE_SELECTION_STRATEGY - SENTRY_DSN="${JICOFO_SENTRY_DSN:-0}" 
@@ -316,18 +348,19 @@ services: # Video bridge jvb: - image: jitsi/jvb:${JITSI_IMAGE_VERSION:-stable-7830} + image: jitsi/jvb:${JITSI_IMAGE_VERSION:-unstable} restart: ${RESTART_POLICY:-unless-stopped} ports: - '${JVB_PORT:-10000}:${JVB_PORT:-10000}/udp' + - '${JVB_TCP_MAPPED_PORT:-4443}:${JVB_TCP_PORT:-4443}' - '127.0.0.1:${JVB_COLIBRI_PORT:-8080}:8080' volumes: - ${CONFIG}/jvb:/config:Z environment: - DOCKER_HOST_ADDRESS - ENABLE_COLIBRI_WEBSOCKET + - ENABLE_JVB_XMPP_SERVER - ENABLE_OCTO - - ENABLE_MULTI_STREAM - JVB_ADVERTISE_IPS - JVB_ADVERTISE_PRIVATE_CANDIDATES - JVB_AUTH_USER @@ -342,6 +375,10 @@ services: - JVB_OCTO_RELAY_ID - JVB_WS_DOMAIN - JVB_WS_SERVER_ID + - JVB_XMPP_AUTH_DOMAIN + - JVB_XMPP_INTERNAL_MUC_DOMAIN + - JVB_XMPP_PORT + - JVB_XMPP_SERVER - PUBLIC_URL - SENTRY_DSN="${JVB_SENTRY_DSN:-0}" - SENTRY_ENVIRONMENT diff --git a/templates/env.jitsi.j2 b/templates/env.jitsi.j2 index b0a2292..0f30bf2 100644 --- a/templates/env.jitsi.j2 +++ b/templates/env.jitsi.j2 
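Review bot: The jvb service now publishes `'${JVB_TCP_MAPPED_PORT:-4443}:${JVB_TCP_PORT:-4443}'` on every host interface, yet env.jitsi.j2 in the same commit sets `JVB_TCP_HARVESTER_DISABLED=true`, and the earlier stable-7830 update dropped `JVB_TCP_PORT`/`JVB_TCP_HARVESTER_DISABLED` from the jvb environment list; unless that list is restored outside this hunk, the container neither listens on 4443 nor receives the setting, and the mapping is an open port with nothing behind it. Either drop the mapping or re-enable the harvester and pass the variables through, and make the intent explicit, e.g. `- '${JVB_TCP_MAPPED_PORT:-4443}:${JVB_TCP_PORT:-4443}/tcp'  # TCP fallback; requires JVB_TCP_HARVESTER_DISABLED=false`. Keeping `127.0.0.1:${JVB_COLIBRI_PORT:-8080}:8080` loopback-only is right, since the bridge does not authenticate its REST/COLIBRI API itself.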
@@ -39,16 +39,35 @@ DOCKER_HOST_ADDRESS={{ jitsi_docker_host_address }} # This setting deprecates DOCKER_HOST_ADDRESS, and supports a comma separated list of IPs # See the "Running behind NAT or on a LAN environment" section in the Handbook: # https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment -#JVB_ADVERTISE_IPS={{ jitsi_jvb_advertise_ips }} +JVB_ADVERTISE_IPS={{ jitsi_jvb_advertise_ips }} JVB_STUN_SERVERS={{ jitsi_jvb_stun_servers }} +# Media port for the Jitsi Videobridge +JVB_PORT={{ jitsi_jvb_port }} + +# TCP Fallback for Jitsi Videobridge for when UDP isn't available +JVB_TCP_HARVESTER_DISABLED=true +JVB_TCP_PORT={{ jitsi_jvb_tcp_port }} +JVB_TCP_MAPPED_PORT={{ jitsi_jvb_tcp_mapped_port }} + +# A comma separated list of APIs to enable when the JVB is started [default: none] +# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information +JVB_ENABLE_APIS=rest,colibri + +TURN_CREDENTIALS={{ jitsi_turn_credentials }} +TURNS_HOST={{ jitsi_turns_host }} +TURNS_PORT={{ jitsi_turns_port }} +TURN_HOST={{ jitsi_turn_host }} +TURN_PORT={{ jitsi_turn_port }} + # # JaaS Components (beta) # https://jaas.8x8.vc # # Enable JaaS Components (hosted Jigasi) +# NOTE: if Let's Encrypt is enabled a JaaS account will be automatically created, using the provided email in LETSENCRYPT_EMAIL #ENABLE_JAAS_COMPONENTS=0 {% if jitsi_enable_letsencrypt %} @@ -221,4 +240,7 @@ JIBRI_XMPP_PASSWORD={{ jitsi_jibri_xmpp_password }} RESTART_POLICY=unless-stopped # Jitsi image version (useful for local development) -#JITSI_IMAGE_VERSION=latest +JITSI_IMAGE_VERSION={{ jitsi_image_version }} + +# https://github.com/jitsi/docker-jitsi-meet/issues/1566#issuecomment-1609404560 +JVB_DISABLE_STUN=true \ No newline at end of file From 85d00d96fe073972ca56dc356c8ac514401f9255 Mon Sep 17 00:00:00 2001 
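Review bot: `TURN_CREDENTIALS={{ jitsi_turn_credentials }}`, `TURNS_HOST={{ jitsi_turns_host }}` and `TURN_HOST={{ jitsi_turn_host }}` are rendered unconditionally, but defaults/main.yml in this commit leaves `jitsi_turn_credentials`, `jitsi_turn_host` and `jitsi_turns_host` commented out, so with Ansible's default undefined-variable handling the template task fails for every inventory that does not configure TURN. Guard the block with `{% if jitsi_turn_host is defined %} … {% endif %}` (or append `| default('')` to each), and note in a comment that `TURN_CREDENTIALS` is the coturn shared secret — anyone who can read the rendered .env can mint relay credentials, so its file mode must be as tight as the passwords section. `JVB_ENABLE_APIS=rest,colibri` switches on the bridge's control API; it is reachable from the host loopback mapping and from every container on `meet.jitsi`, which deserves a one-line comment here.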
From: Jan Beilicke <dev@jotbe.io> Date: Fri, 8 Dec 2023 22:00:15 +0100 Subject: [PATCH 15/18] Fixes CSP webworker-src --- templates/docker-compose.jitsi.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/docker-compose.jitsi.yml.j2 b/templates/docker-compose.jitsi.yml.j2 index e63e39e..f576462 100644 --- a/templates/docker-compose.jitsi.yml.j2 +++ b/templates/docker-compose.jitsi.yml.j2 @@ -168,7 +168,7 @@ services: traefik.http.middlewares.jitsi-headers.headers.STSIncludeSubdomains: true traefik.http.middlewares.jitsi-headers.headers.STSPreload: true traefik.http.middlewares.jitsi-headers.headers.featurePolicy: geolocation 'none'; payment 'none' - traefik.http.middlewares.jitsi-headers.headers.contentSecurityPolicy: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'none'; block-all-mixed-content + traefik.http.middlewares.jitsi-headers.headers.contentSecurityPolicy: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; worker-src 'self' blob:; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'none'; block-all-mixed-content traefik.http.routers.jitsi.middlewares: jitsi-headers networks: public: From 89a5c3571052fe00d60f5cde39df959e20d11ffb Mon Sep 17 00:00:00 2001 From: Joschka Seydell <joschka@seydell.org> Date: Sat, 12 Dec 2020 06:59:14 -0800 Subject: [PATCH 16/18] Add PUBLIC_URL to all Jitsi containers to allow for proper routing by Traefik. --- templates/docker-compose.jitsi.yml.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/docker-compose.jitsi.yml.j2 b/templates/docker-compose.jitsi.yml.j2 index 1273131..2c1a6ae 100644 --- a/templates/docker-compose.jitsi.yml.j2 +++ b/templates/docker-compose.jitsi.yml.j2 
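Review bot: The changed CSP adds `worker-src 'self' blob:` but still ends with `block-all-mixed-content`, a directive that is marked deprecated (browsers now block or auto-upgrade mixed content on their own), so it adds little and gives a false sense of coverage. Prefer `upgrade-insecure-requests`, the supported way to force https subresources alongside the STS* labels already set here, e.g. `…; form-action 'none'; upgrade-insecure-requests`. `script-src 'unsafe-inline'` remains, so the policy mostly limits exfiltration and framing rather than blocking injected script — a comment saying so would keep the next maintainer from assuming otherwise.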
@@ -87,6 +87,7 @@ services: - LDAP_TLS_CACERT_FILE - LDAP_TLS_CACERT_DIR - LDAP_START_TLS + - PUBLIC_URL - XMPP_DOMAIN - XMPP_AUTH_DOMAIN - XMPP_GUEST_DOMAIN @@ -130,6 +131,7 @@ services: - ${CONFIG}/jicofo:/config environment: - ENABLE_AUTH + - PUBLIC_URL - XMPP_DOMAIN - XMPP_AUTH_DOMAIN - XMPP_INTERNAL_MUC_DOMAIN @@ -159,6 +161,7 @@ services: - ${CONFIG}/jvb:/config environment: - DOCKER_HOST_ADDRESS + - PUBLIC_URL - XMPP_AUTH_DOMAIN - XMPP_INTERNAL_MUC_DOMAIN - XMPP_SERVER From 63f8b543024d98e74bd8cd6d2fb0dd21ae3d8a70 Mon Sep 17 00:00:00 2001 From: Joschka Seydell <joschka@seydell.org> Date: Sat, 13 Nov 2021 12:31:39 -0800 Subject: [PATCH 17/18] Add exporter container if metrics shall be exposed. --- README.md | 1 + defaults/main.yml | 1 + src | 2 +- tasks/main.yml | 10 ++++++++++ templates/docker-compose.jitsi.yml.j2 | 14 ++++++++++++++ templates/exporter.env.j2 | 6 ++++++ 6 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 templates/exporter.env.j2 diff --git a/README.md b/README.md index 04c23cd..e2ae4fd 100644 --- a/README.md +++ b/README.md @@ -45,6 +45,7 @@ Role Variables | jitsi_public_url | The public URL under which Jitsi Meet can be accessed | http://localhost | | jitsi_timezone | | Europe/Amsterdam | | jitsi_virtual_host | The virtual host that is e.g. used by Traefik, usually part of the public url | localhost | +| jitsi_expose_metrics | Determine whether an additional expoerter for the Jitsi metrics shall be run | False | \* It is important to provide a dedicated secure password for each service. Generate passwords with e.g. `openssl rand -hex 16` diff --git a/defaults/main.yml b/defaults/main.yml index 053e9e6..f339808 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -17,5 +17,6 @@ jitsi_web_channel_last_n: 3 jitsi_build_latest_image_from_source: yes jitsi_docker_upstream_repo_url: https://github.com/jitsi/docker-jitsi-meet.git jitsi_enable_third_party_requests: no +jitsi_expose_metrics: False # Internal variables jitsi_multitenant_postfix: "{{ '_' + jitsi_multitenant_label if (jitsi_multitenant_label) else '' }}" \ No newline at end of file diff --git a/src b/src index eae3f5c..9b686c6 160000 --- a/src +++ b/src @@ -1 +1 @@ -Subproject commit eae3f5ce2d7627afe4115f52a61cc7ae3e3e8a31 +Subproject commit 9b686c6f4aa74cd33ddcd4dd35decc76a9470e1e diff --git a/tasks/main.yml b/tasks/main.yml index fc79769..1912265 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -62,6 +62,16 @@ mode: '0640' tags: config +- name: Provide metric exporter environment + template: + src: templates/exporter.env.j2 + dest: "{{ jitsi_install_path }}/jitsi/exporter.env" + owner: "{{ jitsi_install_user }}" + group: "{{ jitsi_install_user }}" + mode: '0640' + tags: config + when: jitsi_expose_metrics + - name: "docker-compose: Teardown existing Jitsi service" docker_compose: project_src: "{{ jitsi_install_path }}/jitsi/" diff --git a/templates/docker-compose.jitsi.yml.j2 b/templates/docker-compose.jitsi.yml.j2 index 2c1a6ae..7f5a8c8 100644 --- a/templates/docker-compose.jitsi.yml.j2 +++ b/templates/docker-compose.jitsi.yml.j2 @@ -179,6 +179,20 @@ services: networks: meet.jitsi: + {% if jitsi_expose_metrics %} + # Data exporter + exporter: + image: goberle/jitsi-prom-exporter + restart: unless-stopped + env_file: exporter.env + depends_on: + - jicofo + networks: + # Expose the data exporter to the public network managed by traefik + public: + meet.jitsi: + {% endif %} + # Custom network so all services can communicate using a FQDN networks: meet.jitsi: diff --git a/templates/exporter.env.j2 b/templates/exporter.env.j2 new file mode 100644 index 0000000..fdc04ff --- /dev/null +++ b/templates/exporter.env.j2 
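Review bot: The new `exporter` service uses `image: goberle/jitsi-prom-exporter` with no tag or digest, so each `docker-compose up` may pull a different third-party build, and that build receives a Jitsi service-account password via `exporter.env` while sitting on the Traefik-managed `public` network with no router or auth labels in this hunk. Pin the image (`image: goberle/jitsi-prom-exporter:<tag>@sha256:<digest>`), and either keep it on `meet.jitsi` only and scrape it over an internal network, or add a Traefik router with basic-auth/IP-allowlist middleware plus a comment stating who is meant to reach `/metrics`. If Traefik runs with `exposedByDefault`, `traefik.enable` should be set explicitly for this service so exposure is a decision rather than an accident; `jitsi_expose_metrics: False` in defaults should also be lowercase `false` to match the yamllint truthy rule.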
@@ -0,0 +1,6 @@ +XMPP_USER={{ jitsi_jicofo_auth_user }} +XMPP_PW={{ jitsi_jicofo_auth_password }} +XMPP_SERVER=xmpp.meet.jitsi +XMPP_PORT=5222 +XMPP_AUTH_DOMAIN=auth.meet.jitsi +XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi \ No newline at end of file From 3b0af814638f1b567feac42a65d36784c75fdd78 Mon Sep 17 00:00:00 2001 From: Jan Beilicke <dev@jotbe.io> Date: Wed, 22 May 2024 22:22:34 +0200 Subject: [PATCH 18/18] Updates src --- src | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src b/src index aec6021..fe5dea3 160000 --- a/src +++ b/src @@ -1 +1 @@ -Subproject commit aec6021f2098435650c19ba85b27de114dd8bde0 +Subproject commit fe5dea34021da7048492f93e6fb90bfd59763153
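Review bot: `XMPP_PW={{ jitsi_jicofo_auth_password }}` logs the exporter in as the Jicofo service account, so the monitoring container holds the focus component's credential, contradicting the `DO NOT reuse passwords` guidance in env.jitsi.j2; a compromised or malicious exporter image could then act as Jicofo on the internal MUC. Give the exporter its own account — e.g. `XMPP_USER={{ jitsi_exporter_xmpp_user }}` / `XMPP_PW={{ jitsi_exporter_xmpp_password }}` — registered in prosody with only the rights it needs, which is a prosody-side registration step this role would have to add. The remaining values (`xmpp.meet.jitsi`, `5222`, `auth.meet.jitsi`, `internal-muc.meet.jitsi`) are hard-coded while the compose templates take them from `XMPP_SERVER`, `XMPP_PORT` and friends, so an inventory that overrides those breaks the exporter silently; the file is also missing its trailing newline.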