diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..75f3e79 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,8 @@ +## Changelog + +### stable-7830 + +* Updates all Docker Compose templates +* Adds `jitsi_jvb_advertise_ips`, which supports a comma separated list of IPs +* Content-Security-Policy now allows `base-uri 'self'` (instead of `none`) +* Fixed `jitsi_enable_letsencrypt` handling (please note: you will still have to uncomment `LETSENCRYPT_USE_STAGING=1` in the .env file/template if you only want to test Let's Encrypt) diff --git a/README.md b/README.md index a10e2d9..16b5f10 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,8 @@ Role Variables | jitsi_build_latest_image_from_source | Will fetch the master of `jitsi_docker_upstream_repo_url` and build the docker image as sometimes the latest available images in the Docker Hub are too old | yes | | jitsi_docker_upstream_repo_url | Git repo of docker-jitsi-meet required by `jitsi_build_latest_image_from_source` | https://github.com/jitsi/docker-jitsi-meet.git | | *jitsi_letsencrypt_email* | E-Mail adress used for requesting certificates | Not set | -| jitsi_docker_host_address | | | +| jitsi_docker_host_address | | +| jitsi_jvb_advertise_ips | supports a comma separated list of IPs | | | | jitsi_enable_letsencrypt | Jitsi will take care of Let's Encrypt certificates | 0 | | jitsi_enable_third_party_requests | Whether to allow third party requests, e.g. to Gravatar (if a user sets her email address) | no | | jitsi_exposed_http_port | Exposed container port for HTTP | 8000 | diff --git a/defaults/main.yml b/defaults/main.yml index 66d322e..bbc459b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -12,4 +12,5 @@ jitsi_jvb_stun_servers: meet-jit-si-turnrelay.jitsi.net:443 jitsi_web_channel_last_n: 3 jitsi_build_latest_image_from_source: yes jitsi_docker_upstream_repo_url: https://github.com/jitsi/docker-jitsi-meet.git -jitsi_enable_third_party_requests: no \ No newline at end of file +jitsi_enable_third_party_requests: no +jitsi_jvb_advertise_ips: "{{ jitsi_docker_host_address }}" \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index 1ef8919..df582f2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -79,7 +79,7 @@ - assert: that: - - "output.ansible_facts['web']['jitsi_web_1'].state.running" + - "output.services['web']['jitsi_web_1'].state.running" - name: "Test whether Jitsi is healthy from the outside" when: not ansible_check_mode diff --git a/templates/docker-compose.jitsi.yml.j2 b/templates/docker-compose.jitsi.yml.j2 index 86fba7f..a6ce02c 100644 --- a/templates/docker-compose.jitsi.yml.j2 +++ b/templates/docker-compose.jitsi.yml.j2 
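Review bot: The assertion now keys on the literal container name `jitsi_web_1`, which only matches when the Compose project is named `jitsi`, the service is not scaled, and the Compose implementation uses v1-style underscore names; in any other setup the lookup fails with an undefined-key error inside the assert rather than a readable "web is not running". Give the assert a `fail_msg` and guard the lookup, e.g. `- "'jitsi_web_1' in output.services['web']"` ahead of the `.state.running` check, so the role reports the real condition. The enclosing task list continues outside this hunk.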
@@ -1,57 +1,167 @@ -version: '3' +version: '3.5' services: # Frontend web: - image: jitsi/web - restart: unless-stopped + image: jitsi/web:${JITSI_IMAGE_VERSION:-stable-7830} + restart: ${RESTART_POLICY:-unless-stopped} + ports: + - '${HTTP_PORT}:80' + - '${HTTPS_PORT}:443' volumes: - - ${CONFIG}/web:/config - - ${CONFIG}/web/letsencrypt:/etc/letsencrypt - - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts + - ${CONFIG}/web:/config:Z + - ${CONFIG}/web/crontabs:/var/spool/cron/crontabs:Z + - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z environment: - - ENABLE_AUTH - - ENABLE_GUESTS - - ENABLE_LETSENCRYPT - - ENABLE_HTTP_REDIRECT - - ENABLE_TRANSCRIPTIONS + - AMPLITUDE_ID + - ANALYTICS_SCRIPT_URLS + - ANALYTICS_WHITELISTED_EVENTS + - AUDIO_QUALITY_OPUS_BITRATE + - BRANDING_DATA_URL + - CALLSTATS_CUSTOM_SCRIPT_URL + - CALLSTATS_ID + - CALLSTATS_SECRET + - CHROME_EXTENSION_BANNER_JSON + - CONFCODE_URL + - CONFIG_EXTERNAL_CONNECT + - DEFAULT_LANGUAGE + - DEPLOYMENTINFO_ENVIRONMENT + - DEPLOYMENTINFO_ENVIRONMENT_TYPE + - DEPLOYMENTINFO_REGION + - DEPLOYMENTINFO_SHARD + - DEPLOYMENTINFO_USERREGION + - DESKTOP_SHARING_FRAMERATE_MIN + - DESKTOP_SHARING_FRAMERATE_MAX + - DIALIN_NUMBERS_URL + - DIALOUT_AUTH_URL + - DIALOUT_CODES_URL + - DISABLE_AUDIO_LEVELS + - DISABLE_DEEP_LINKING + - DISABLE_GRANT_MODERATOR - DISABLE_HTTPS + - DISABLE_KICKOUT + - DISABLE_LOCAL_RECORDING + - DISABLE_POLLS + - DISABLE_PRIVATE_CHAT + - DISABLE_PROFILE + - DISABLE_REACTIONS + - DISABLE_REMOTE_VIDEO_MENU + - DROPBOX_APPKEY + - DROPBOX_REDIRECT_URI + - DYNAMIC_BRANDING_URL + - ENABLE_AUDIO_PROCESSING + - ENABLE_AUTH + - ENABLE_BREAKOUT_ROOMS + - ENABLE_CALENDAR + - ENABLE_COLIBRI_WEBSOCKET + - ENABLE_E2EPING + - ENABLE_FILE_RECORDING_SHARING + - ENABLE_GUESTS + - ENABLE_HSTS + - ENABLE_HTTP_REDIRECT + - ENABLE_IPV6 + - ENABLE_LETSENCRYPT + - ENABLE_LIPSYNC + - ENABLE_NO_AUDIO_DETECTION + - ENABLE_NOISY_MIC_DETECTION + - ENABLE_OCTO + - ENABLE_OPUS_RED + - ENABLE_PREJOIN_PAGE + 
- ENABLE_P2P + - ENABLE_WELCOME_PAGE + - ENABLE_CLOSE_PAGE + - ENABLE_LIVESTREAMING + - ENABLE_LOCAL_RECORDING_NOTIFY_ALL_PARTICIPANT + - ENABLE_LOCAL_RECORDING_SELF_START + - ENABLE_RECORDING + - ENABLE_REMB + - ENABLE_REQUIRE_DISPLAY_NAME + - ENABLE_SERVICE_RECORDING + - ENABLE_SIMULCAST + - ENABLE_STATS_ID + - ENABLE_STEREO + - ENABLE_SUBDOMAINS + - ENABLE_TALK_WHILE_MUTED + - ENABLE_TCC + - ENABLE_TRANSCRIPTIONS + - ENABLE_XMPP_WEBSOCKET + - ENABLE_JAAS_COMPONENTS + - ENABLE_MULTI_STREAM + - ETHERPAD_PUBLIC_URL + - ETHERPAD_URL_BASE + - E2EPING_NUM_REQUESTS + - E2EPING_MAX_CONFERENCE_SIZE + - E2EPING_MAX_MESSAGE_PER_SECOND + - GOOGLE_ANALYTICS_ID + - GOOGLE_API_APP_CLIENT_ID + - HIDE_PREMEETING_BUTTONS + - HIDE_PREJOIN_DISPLAY_NAME + - HIDE_PREJOIN_EXTRA_BUTTONS + - INVITE_SERVICE_URL - JICOFO_AUTH_USER - LETSENCRYPT_DOMAIN - LETSENCRYPT_EMAIL + - LETSENCRYPT_USE_STAGING + - MATOMO_ENDPOINT + - MATOMO_SITE_ID + - MICROSOFT_API_APP_CLIENT_ID + - NGINX_RESOLVER + - NGINX_WORKER_PROCESSES + - NGINX_WORKER_CONNECTIONS + - PEOPLE_SEARCH_URL - PUBLIC_URL - - XMPP_DOMAIN + - P2P_PREFERRED_CODEC + - RESOLUTION + - RESOLUTION_MIN + - RESOLUTION_WIDTH + - RESOLUTION_WIDTH_MIN + - START_AUDIO_MUTED + - START_AUDIO_ONLY + - START_BITRATE + - START_SILENT + - START_WITH_AUDIO_MUTED + - START_VIDEO_MUTED + - START_WITH_VIDEO_MUTED + - TESTING_CAP_SCREENSHARE_BITRATE + - TESTING_OCTO_PROBABILITY + - TOKEN_AUTH_URL + - TOOLBAR_BUTTONS + - TZ + - VIDEOQUALITY_BITRATE_H264_LOW + - VIDEOQUALITY_BITRATE_H264_STANDARD + - VIDEOQUALITY_BITRATE_H264_HIGH + - VIDEOQUALITY_BITRATE_VP8_LOW + - VIDEOQUALITY_BITRATE_VP8_STANDARD + - VIDEOQUALITY_BITRATE_VP8_HIGH + - VIDEOQUALITY_BITRATE_VP9_LOW + - VIDEOQUALITY_BITRATE_VP9_STANDARD + - VIDEOQUALITY_BITRATE_VP9_HIGH + - VIDEOQUALITY_ENFORCE_PREFERRED_CODEC + - VIDEOQUALITY_PREFERRED_CODEC - XMPP_AUTH_DOMAIN - XMPP_BOSH_URL_BASE + - XMPP_DOMAIN - XMPP_GUEST_DOMAIN - XMPP_MUC_DOMAIN - XMPP_RECORDER_DOMAIN - - ETHERPAD_URL_BASE - - TZ - - 
JIBRI_BREWERY_MUC - - JIBRI_PENDING_TIMEOUT - - JIBRI_XMPP_USER - - JIBRI_XMPP_PASSWORD - - JIBRI_RECORDER_USER - - JIBRI_RECORDER_PASSWORD - - ENABLE_RECORDING + - XMPP_PORT labels: - - "traefik.enable=true" - - "traefik.docker.network=traefik_public" - - "traefik.http.routers.jitsi.rule=Host(`{{ jitsi_virtual_host }}`)" - - "traefik.http.routers.jitsi.entrypoints=websecure" - - "traefik.http.routers.jitsi.tls=true" - - "traefik.http.routers.jitsi.tls.certresolver=defaultresolver" - - "traefik.http.middlewares.jitsi-headers.headers.SSLRedirect=true" - - "traefik.http.middlewares.jitsi-headers.headers.browserXSSFilter=true" - - "traefik.http.middlewares.jitsi-headers.headers.contentTypeNosniff=true" - - "traefik.http.middlewares.jitsi-headers.headers.forceSTSHeader=true" - - "traefik.http.middlewares.jitsi-headers.headers.STSSeconds=315360000" - - "traefik.http.middlewares.jitsi-headers.headers.STSIncludeSubdomains=true" - - "traefik.http.middlewares.jitsi-headers.headers.STSPreload=true" - - "traefik.http.middlewares.jitsi-headers.headers.featurePolicy=geolocation 'none'; payment 'none'" - - "traefik.http.middlewares.jitsi-headers.headers.contentSecurityPolicy=default-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'; block-all-mixed-content" - - "traefik.http.routers.jitsi.middlewares=jitsi-headers" + traefik.enable: true + traefik.docker.network: traefik_public + traefik.http.routers.jitsi.rule: Host(`{{ jitsi_virtual_host }}`) + traefik.http.routers.jitsi.entrypoints: websecure + traefik.http.routers.jitsi.tls: true + traefik.http.routers.jitsi.tls.certresolver: defaultresolver + traefik.http.middlewares.jitsi-headers.headers.SSLRedirect: true + traefik.http.middlewares.jitsi-headers.headers.browserXSSFilter: true + traefik.http.middlewares.jitsi-headers.headers.contentTypeNosniff: true + 
traefik.http.middlewares.jitsi-headers.headers.forceSTSHeader: true + traefik.http.middlewares.jitsi-headers.headers.STSSeconds: 315360000 + traefik.http.middlewares.jitsi-headers.headers.STSIncludeSubdomains: true + traefik.http.middlewares.jitsi-headers.headers.STSPreload: true + traefik.http.middlewares.jitsi-headers.headers.featurePolicy: geolocation 'none'; payment 'none' + traefik.http.middlewares.jitsi-headers.headers.contentSecurityPolicy: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'none'; block-all-mixed-content + traefik.http.routers.jitsi.middlewares: jitsi-headers networks: public: meet.jitsi: 
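Review bot: The new `ports:` block publishes the web container's nginx on `${HTTP_PORT}` and `${HTTPS_PORT}` on every host interface, while the service is also fronted by Traefik, which is the only place the CSP/HSTS/nosniff headers of the `jitsi-headers` middleware are added; the old compose file published nothing. Anyone reaching those host ports (8000 for HTTP per the README default) talks to nginx directly and gets none of those headers, and container-side Let's Encrypt would compete with Traefik's `certresolver`. If Traefik is the intended edge, drop `ports:` or bind to loopback: `- '127.0.0.1:${HTTP_PORT}:80'` and `- '127.0.0.1:${HTTPS_PORT}:443'`. Separately, the label values `true` and `315360000` are bare YAML booleans/integers in the new mapping form; Compose v1's schema rejects boolean label values, so quote them (`traefik.enable: 'true'`).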
@@ -60,53 +170,47 @@ services: # XMPP server prosody: - image: jitsi/prosody - restart: unless-stopped + image: jitsi/prosody:${JITSI_IMAGE_VERSION:-stable-7830} + restart: ${RESTART_POLICY:-unless-stopped} expose: - - '5222' + - '${XMPP_PORT:-5222}' - '5347' - '5280' volumes: - - ${CONFIG}/prosody:/config + - ${CONFIG}/prosody/config:/config:Z + - ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z environment: - AUTH_TYPE + - DISABLE_POLLS - ENABLE_AUTH + - ENABLE_AV_MODERATION + - ENABLE_BREAKOUT_ROOMS + - ENABLE_END_CONFERENCE - ENABLE_GUESTS - - GLOBAL_MODULES + - ENABLE_IPV6 + - ENABLE_LOBBY + - ENABLE_RECORDING + - ENABLE_XMPP_WEBSOCKET + - ENABLE_JAAS_COMPONENTS + - GC_TYPE + - GC_INC_TH + - GC_INC_SPEED + - GC_INC_STEP_SIZE + - GC_GEN_MIN_TH + - GC_GEN_MAX_TH - GLOBAL_CONFIG - - LDAP_URL - - LDAP_BASE - - LDAP_BINDDN - - LDAP_BINDPW - - LDAP_FILTER - - LDAP_AUTH_METHOD - - LDAP_VERSION - - LDAP_USE_TLS - - LDAP_TLS_CIPHERS - - LDAP_TLS_CHECK_PEER - - LDAP_TLS_CACERT_FILE - - LDAP_TLS_CACERT_DIR - - LDAP_START_TLS - - XMPP_DOMAIN - - XMPP_AUTH_DOMAIN - - XMPP_GUEST_DOMAIN - - XMPP_MUC_DOMAIN - - XMPP_INTERNAL_MUC_DOMAIN - - XMPP_MODULES - - XMPP_MUC_MODULES - - XMPP_INTERNAL_MUC_MODULES - - XMPP_RECORDER_DOMAIN - - JICOFO_COMPONENT_SECRET - - JICOFO_AUTH_USER - - JICOFO_AUTH_PASSWORD - - JVB_AUTH_USER - - JVB_AUTH_PASSWORD - - JIGASI_XMPP_USER - - JIGASI_XMPP_PASSWORD - - JIBRI_XMPP_USER - - JIBRI_XMPP_PASSWORD + - GLOBAL_MODULES - JIBRI_RECORDER_USER - JIBRI_RECORDER_PASSWORD + - JIBRI_XMPP_USER + - JIBRI_XMPP_PASSWORD + - JICOFO_AUTH_USER + - JICOFO_AUTH_PASSWORD + - JICOFO_COMPONENT_SECRET + - JIGASI_XMPP_USER + - JIGASI_XMPP_PASSWORD + - JVB_AUTH_USER + - JVB_AUTH_PASSWORD - JWT_APP_ID - JWT_APP_SECRET - JWT_ACCEPTED_ISSUERS 
@@ -114,35 +218,97 @@ services: - JWT_ASAP_KEYSERVER - JWT_ALLOW_EMPTY - JWT_AUTH_TYPE + - JWT_ENABLE_DOMAIN_VERIFICATION - JWT_TOKEN_AUTH_MODULE + - MATRIX_UVS_URL + - MATRIX_UVS_ISSUER + - MATRIX_UVS_AUTH_TOKEN + - MATRIX_UVS_SYNC_POWER_LEVELS - LOG_LEVEL + - LDAP_AUTH_METHOD + - LDAP_BASE + - LDAP_BINDDN + - LDAP_BINDPW + - LDAP_FILTER + - LDAP_VERSION + - LDAP_TLS_CIPHERS + - LDAP_TLS_CHECK_PEER + - LDAP_TLS_CACERT_FILE + - LDAP_TLS_CACERT_DIR + - LDAP_START_TLS + - LDAP_URL + - LDAP_USE_TLS + - MAX_PARTICIPANTS + - PROSODY_RESERVATION_ENABLED + - PROSODY_RESERVATION_REST_BASE_URL + - PUBLIC_URL + - TURN_CREDENTIALS + - TURN_HOST + - TURNS_HOST + - TURN_PORT + - TURNS_PORT - TZ + - XMPP_DOMAIN + - XMPP_AUTH_DOMAIN + - XMPP_GUEST_DOMAIN + - XMPP_MUC_DOMAIN + - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_MODULES + - XMPP_MUC_MODULES + - XMPP_MUC_CONFIGURATION + - XMPP_INTERNAL_MUC_MODULES + - XMPP_RECORDER_DOMAIN + - XMPP_PORT networks: meet.jitsi: aliases: - - ${XMPP_SERVER} + - ${XMPP_SERVER:-xmpp.meet.jitsi} # Focus component jicofo: - image: jitsi/jicofo - restart: unless-stopped + image: jitsi/jicofo:${JITSI_IMAGE_VERSION:-stable-7830} + restart: ${RESTART_POLICY:-unless-stopped} volumes: - - ${CONFIG}/jicofo:/config + - ${CONFIG}/jicofo:/config:Z environment: + - AUTH_TYPE + - BRIDGE_AVG_PARTICIPANT_STRESS + - BRIDGE_STRESS_THRESHOLD - ENABLE_AUTH + - ENABLE_AUTO_OWNER + - ENABLE_CODEC_VP8 + - ENABLE_CODEC_VP9 + - ENABLE_CODEC_H264 + - ENABLE_OCTO + - ENABLE_RECORDING + - ENABLE_SCTP + - ENABLE_AUTO_LOGIN + - JICOFO_AUTH_USER + - JICOFO_AUTH_PASSWORD + - JICOFO_ENABLE_BRIDGE_HEALTH_CHECKS + - JICOFO_CONF_INITIAL_PARTICIPANT_WAIT_TIMEOUT + - JICOFO_CONF_SINGLE_PARTICIPANT_TIMEOUT + - JICOFO_ENABLE_HEALTH_CHECKS + - JICOFO_SHORT_ID + - JIBRI_BREWERY_MUC + - JIBRI_REQUEST_RETRIES + - JIBRI_PENDING_TIMEOUT + - JIGASI_BREWERY_MUC + - JIGASI_SIP_URI + - JVB_BREWERY_MUC + - MAX_BRIDGE_PARTICIPANTS + - OCTO_BRIDGE_SELECTION_STRATEGY + - SENTRY_DSN="${JICOFO_SENTRY_DSN:-0}" + 
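Review bot: The prosody bind mount moves from `${CONFIG}/prosody` to `${CONFIG}/prosody/config`, so whatever an existing deployment has accumulated in the old directory — presumably the generated prosody config and, with `AUTH_TYPE=internal`, the account store — is no longer visible to the container, which starts from an empty `/config`. That is a silent data loss on upgrade rather than a loud failure. The role should move the old directory in a task before `docker-compose up`, or at least the CHANGELOG entry "Updates all Docker Compose templates" should spell out the migration; I can't see the role's tasks from this diff, so treat the exact contents of the old directory as something to confirm.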
- SENTRY_ENVIRONMENT + - SENTRY_RELEASE + - TZ - XMPP_DOMAIN - XMPP_AUTH_DOMAIN - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_MUC_DOMAIN + - XMPP_RECORDER_DOMAIN - XMPP_SERVER - - JICOFO_COMPONENT_SECRET - - JICOFO_AUTH_USER - - JICOFO_AUTH_PASSWORD - - JICOFO_RESERVATION_REST_BASE_URL - - JVB_BREWERY_MUC - - JIGASI_BREWERY_MUC - - JIBRI_BREWERY_MUC - - JIBRI_PENDING_TIMEOUT - - TZ + - XMPP_PORT depends_on: - prosody networks: @@ -150,31 +316,51 @@ services: # Video bridge jvb: - image: jitsi/jvb - restart: unless-stopped + image: jitsi/jvb:${JITSI_IMAGE_VERSION:-stable-7830} + restart: ${RESTART_POLICY:-unless-stopped} ports: - - '${JVB_PORT}:${JVB_PORT}/udp' - - '${JVB_TCP_PORT}:${JVB_TCP_PORT}' + - '${JVB_PORT:-10000}:${JVB_PORT:-10000}/udp' + - '127.0.0.1:${JVB_COLIBRI_PORT:-8080}:8080' volumes: - - ${CONFIG}/jvb:/config + - ${CONFIG}/jvb:/config:Z environment: - DOCKER_HOST_ADDRESS - - XMPP_AUTH_DOMAIN - - XMPP_INTERNAL_MUC_DOMAIN - - XMPP_SERVER + - ENABLE_COLIBRI_WEBSOCKET + - ENABLE_OCTO + - ENABLE_MULTI_STREAM + - JVB_ADVERTISE_IPS + - JVB_ADVERTISE_PRIVATE_CANDIDATES - JVB_AUTH_USER - JVB_AUTH_PASSWORD - JVB_BREWERY_MUC + - JVB_DISABLE_STUN - JVB_PORT - - JVB_TCP_HARVESTER_DISABLED - - JVB_TCP_PORT + - JVB_MUC_NICKNAME - JVB_STUN_SERVERS - - JVB_ENABLE_APIS + - JVB_OCTO_BIND_ADDRESS + - JVB_OCTO_REGION + - JVB_OCTO_RELAY_ID + - JVB_WS_DOMAIN + - JVB_WS_SERVER_ID + - PUBLIC_URL + - SENTRY_DSN="${JVB_SENTRY_DSN:-0}" + - SENTRY_ENVIRONMENT + - SENTRY_RELEASE + - COLIBRI_REST_ENABLED + - SHUTDOWN_REST_ENABLED - TZ + - XMPP_AUTH_DOMAIN + - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_SERVER + - XMPP_PORT depends_on: - prosody networks: meet.jitsi: + labels: + traefik.udp.routers.jvb.entrypoints: video + traefik.udp.routers.jvb.service: jvb + traefik.udp.services.jvb.loadbalancer.server.port: '10000' # Custom network so all services can communicate using a FQDN networks: diff --git a/templates/env.jitsi.j2 b/templates/env.jitsi.j2 index e023c0a..b0a2292 100644 
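Review bot: `- SENTRY_DSN="${JICOFO_SENTRY_DSN:-0}"` is a list-form environment entry, where Compose keeps the text after `=` literally once `${…}` is interpolated, so the container most likely receives `"0"` with the double quotes rather than `0`. If the image's entrypoint compares against `0` to disable Sentry, the quoted value would instead be treated as a DSN; confirm against the upstream template and, if the quotes are not needed, write `- SENTRY_DSN=${JICOFO_SENTRY_DSN:-0}`. The same pattern is added for the jvb and jigasi services.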
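Review bot: The new `traefik.udp.routers.jvb.*` labels route a Traefik UDP entrypoint named `video` to port 10000, but the jvb service is attached only to `meet.jitsi`, carries no `traefik.enable`/`traefik.docker.network` label, and already publishes `${JVB_PORT:-10000}/udp` directly on the host; if Traefik binds 10000/udp too the two collide, and if it does not, the labels are dead configuration. Pick one path and say which in the env template. On the other hand, binding the COLIBRI/shutdown REST port to `127.0.0.1` is the right call — with `COLIBRI_REST_ENABLED` and `SHUTDOWN_REST_ENABLED` now passed through, that loopback binding is what keeps those control endpoints off the network, so it deserves a comment: `# control API: loopback only, never publish on 0.0.0.0`.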
--- a/templates/env.jitsi.j2 +++ b/templates/env.jitsi.j2 @@ -1,20 +1,33 @@ +# shellcheck disable=SC2034 + +################################################################################ +################################################################################ +# Welcome to the Jitsi Meet Docker setup! +# +# This sample .env file contains some basic options to get you started. +# The full options reference can be found here: +# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker +################################################################################ +################################################################################ + + # # Basic configuration options # -# Directory where all configuration will be stored. +# Directory where all configuration will be stored CONFIG=./conf -# Exposed HTTP port. +# Exposed HTTP port HTTP_PORT={{ jitsi_exposed_http_port }} -# Exposed HTTPS port. +# Exposed HTTPS port HTTPS_PORT={{ jitsi_exposed_https_port }} -# System time zone. +# System time zone TZ={{ jitsi_timezone }} -# Public URL for the web service. +# Public URL for the web service (required) PUBLIC_URL={{ jitsi_public_url }} VIRTUAL_HOST={{ jitsi_virtual_host }} 
@@ -22,13 +35,29 @@ VIRTUAL_HOST={{ jitsi_virtual_host }} # in the README. DOCKER_HOST_ADDRESS={{ jitsi_docker_host_address }} +# Media IP addresses to advertise by the JVB +# This setting deprecates DOCKER_HOST_ADDRESS, and supports a comma separated list of IPs +# See the "Running behind NAT or on a LAN environment" section in the Handbook: +# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment +#JVB_ADVERTISE_IPS={{ jitsi_jvb_advertise_ips }} + +JVB_STUN_SERVERS={{ jitsi_jvb_stun_servers }} + +# +# JaaS Components (beta) +# https://jaas.8x8.vc +# + +# Enable JaaS Components (hosted Jigasi) +#ENABLE_JAAS_COMPONENTS=0 + {% if jitsi_enable_letsencrypt %} # # Let's Encrypt configuration # # Enable Let's Encrypt certificate generation. -ENABLE_LETSENCRYPT=0 +ENABLE_LETSENCRYPT=1 # Domain for which to generate the certificate. LETSENCRYPT_DOMAIN={{ jitsi_virtual_host }} 
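Review bot: `#JVB_ADVERTISE_IPS={{ jitsi_jvb_advertise_ips }}` is rendered commented out, so the new `jitsi_jvb_advertise_ips` variable announced in the README and CHANGELOG never reaches the container and the JVB keeps advertising only `DOCKER_HOST_ADDRESS`. Render it conditionally instead: `{% if jitsi_jvb_advertise_ips %}JVB_ADVERTISE_IPS={{ jitsi_jvb_advertise_ips }}{% endif %}` (the default already falls back to `jitsi_docker_host_address`). A caveat is also due next to `ENABLE_LETSENCRYPT=1`: the web container then requests the certificate itself, which only works if the challenge for `{{ jitsi_virtual_host }}` reaches that container rather than the Traefik front end in the compose template — which one owns ports 80/443 is not visible in this diff, so document the assumption.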
@@ -36,27 +65,45 @@ LETSENCRYPT_DOMAIN={{ jitsi_virtual_host }} # E-Mail for receiving important account notifications (mandatory). LETSENCRYPT_EMAIL={{ jitsi_letsencrypt_email }} +# Use the staging server (for avoiding rate limits while testing) +#LETSENCRYPT_USE_STAGING=1 + {% endif -%} # # Etherpad integration (for document sharing) # -# Set etherpad-lite URL (uncomment to enable). +# Set etherpad-lite URL in docker local network (uncomment to enable) #ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001 +# Set etherpad-lite public URL, including /p/ pad path fragment (uncomment to enable) +#ETHERPAD_PUBLIC_URL=https://etherpad.my.domain/p/ + +# Name your etherpad instance! +ETHERPAD_TITLE=Video Chat + +# The default text of a pad +ETHERPAD_DEFAULT_PAD_TEXT="Welcome to Web Chat!\n\n" + +# Name of the skin for etherpad +ETHERPAD_SKIN_NAME=colibris + +# Skin variants for etherpad +ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background full-width-editor" + # # Basic Jigasi configuration options (needed for SIP gateway support) # -# SIP URI for incoming / outgoing calls. +# SIP URI for incoming / outgoing calls #JIGASI_SIP_URI=test@sip2sip.info # Password for the specified SIP account as a clear text #JIGASI_SIP_PASSWORD=passw0rd -# SIP server (use the SIP account domain if in doubt). +# SIP server (use the SIP account domain if in doubt) #JIGASI_SIP_SERVER=sip2sip.info # SIP server port 
@@ -65,54 +112,54 @@ LETSENCRYPT_EMAIL={{ jitsi_letsencrypt_email }} # SIP server transport #JIGASI_SIP_TRANSPORT=UDP + # -# Authentication configuration (see README for details) +# Authentication configuration (see handbook for details) # -# Enable authentication. +# Enable authentication #ENABLE_AUTH=1 -# Enable guest access. +# Enable guest access #ENABLE_GUESTS=1 -# Select authentication type: internal, jwt or ldap +# Select authentication type: internal, jwt, ldap or matrix #AUTH_TYPE=internal -# JWT auuthentication +# JWT authentication # -# Application identifier. +# Application identifier #JWT_APP_ID=my_jitsi_app_id -# Application secret known only to your token. +# Application secret known only to your token generator #JWT_APP_SECRET=my_jitsi_app_secret -# (Optional) Set asap_accepted_issuers as a comma separated list. +# (Optional) Set asap_accepted_issuers as a comma separated list #JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client -# (Optional) Set asap_accepted_audiences as a comma separated list. +# (Optional) Set asap_accepted_audiences as a comma separated list #JWT_ACCEPTED_AUDIENCES=my_server1,my_server2 - # LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page) # -# LDAP url for connection. +# LDAP url for connection #LDAP_URL=ldaps://ldap.domain.com/ # LDAP base DN. Can be empty #LDAP_BASE=DC=example,DC=domain,DC=com -# LDAP user DN. Do not specify this parameter for the anonymous bind. +# LDAP user DN. Do not specify this parameter for the anonymous bind #LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com -# LDAP user password. Do not specify this parameter for the anonymous bind. +# LDAP user password. Do not specify this parameter for the anonymous bind #LDAP_BINDPW=LdapUserPassw0rd # LDAP filter. Tokens example: -# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail. -# %s - %s is replaced by the complete service string. 
-# %r - %r is replaced by the complete realm string. +# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail +# %s - %s is replaced by the complete service string +# %r - %r is replaced by the complete realm string #LDAP_FILTER=(sAMAccountName=%u) # LDAP authentication method @@ -124,16 +171,16 @@ LETSENCRYPT_EMAIL={{ jitsi_letsencrypt_email }} # LDAP TLS using #LDAP_USE_TLS=1 -# List of SSL/TLS ciphers to allow. +# List of SSL/TLS ciphers to allow #LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC # Require and verify server certificate #LDAP_TLS_CHECK_PEER=1 -# Path to CA cert file. Used when server sertificate verify is enabled. +# Path to CA cert file. Used when server certificate verify is enabled #LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt -# Path to CA certs directory. Used when server sertificate verify is enabled. +# Path to CA certs directory. Used when server certificate verify is enabled #LDAP_TLS_CACERT_DIR=/etc/ssl/certs # Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps:// 
@@ -141,164 +188,37 @@ LETSENCRYPT_EMAIL={{ jitsi_letsencrypt_email }} # -# Advanced configuration options (you generally don't need to change these) +# Security +# +# Set these to strong passwords to avoid intruders from impersonating a service account +# The service(s) won't start unless these are specified +# Running ./gen-passwords.sh will update .env with strong passwords +# You may skip the Jigasi and Jibri passwords if you are not using those +# DO NOT reuse passwords # -# Internal XMPP domain. -XMPP_DOMAIN=meet.jitsi - -# Internal XMPP server -XMPP_SERVER=xmpp.meet.jitsi - -# Internal XMPP server URL -XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280 - -# Internal XMPP domain for authenticated services. -XMPP_AUTH_DOMAIN=auth.meet.jitsi - -# XMPP domain for the MUC. -XMPP_MUC_DOMAIN=muc.meet.jitsi - -# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools. -XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi - -# XMPP domain for unauthenticated users. -XMPP_GUEST_DOMAIN=guest.meet.jitsi - -# Custom Prosody modules for XMPP_DOMAIN (comma separated) -XMPP_MODULES= - -# Custom Prosody modules for MUC component (comma separated) -XMPP_MUC_MODULES= - -# Custom Prosody modules for internal MUC component (comma separated) -XMPP_INTERNAL_MUC_MODULES= - -# MUC for the JVB pool. -JVB_BREWERY_MUC=jvbbrewery - -# XMPP user for JVB client connections. -JVB_AUTH_USER={{ jitsi_jvb_auth_user }} - -# XMPP password for JVB client connections. -JVB_AUTH_PASSWORD={{ jitsi_jvb_auth_password }} - -# STUN servers used to discover the server's public IP. -JVB_STUN_SERVERS={{ jitsi_jvb_stun_servers }} - -# Media port for the Jitsi Videobridge -JVB_PORT=10000 - -# TCP Fallback for Jitsi Videobridge for when UDP isn't available -JVB_TCP_HARVESTER_DISABLED=true -JVB_TCP_PORT=4443 - -# A comma separated list of APIs to enable when the JVB is started. The default is none. 
-# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information -#JVB_ENABLE_APIS=rest,colibri - -# XMPP component password for Jicofo. -JICOFO_COMPONENT_SECRET={{ jitsi_jicofo_component_secret }} - -# XMPP user for Jicofo client connections. NOTE: this option doesn't currently work due to a bug. -JICOFO_AUTH_USER={{ jitsi_jicofo_auth_user }} - -# XMPP password for Jicofo client connections. +# XMPP password for Jicofo client connections JICOFO_AUTH_PASSWORD={{ jitsi_jicofo_auth_password }} -# Base URL of Jicofo's reservation REST API -#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com +# XMPP password for JVB client connections +JVB_AUTH_PASSWORD={{ jitsi_jvb_auth_password }} -# XMPP user for Jigasi MUC client connections. -JIGASI_XMPP_USER={{ jitsi_jigasi_xmpp_user }} - -# XMPP password for Jigasi MUC client connections. +# XMPP password for Jigasi MUC client connections JIGASI_XMPP_PASSWORD={{ jitsi_jigasi_xmpp_password }} -# MUC name for the Jigasi pool. -JIGASI_BREWERY_MUC=jigasibrewery - -# Minimum port for media used by Jigasi. -JIGASI_PORT_MIN=20000 - -# Maximum port for media used by Jigasi. -JIGASI_PORT_MAX=20050 - -# Enable SDES srtp -#JIGASI_ENABLE_SDES_SRTP=1 - -# Keepalive method -#JIGASI_SIP_KEEP_ALIVE_METHOD=OPTIONS - -# Health-check extension -#JIGASI_HEALTH_CHECK_SIP_URI=keepalive - -# Health-check interval -#JIGASI_HEALTH_CHECK_INTERVAL=300000 -# -# Enable Jigasi transcription. -#ENABLE_TRANSCRIPTIONS=1 - -# Jigasi will recordord an audio when transcriber is on. Default false. -#JIGASI_TRANSCRIBER_RECORD_AUDIO=true - -# Jigasi will send transcribed text to the chat when transcriber is on. Default false. -#JIGASI_TRANSCRIBER_SEND_TXT=true - -# Jigasi post to the chat an url with transcription file. Default false. -#JIGASI_TRANSCRIBER_ADVERTISE_URL=true - -# Credentials for connect to Cloud Google API from Jigasi. Path located inside the container. 
-# Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol -# section "Before you begin" from 1 to 5 paragraph. Copy the key on -# the docker host to ${CONFIG}/jigasi/key.json and to enable this setting: -#GOOGLE_APPLICATION_CREDENTIALS=/config/key.json - -# Enable recording -#ENABLE_RECORDING=1 - -# XMPP domain for the jibri recorder -XMPP_RECORDER_DOMAIN=recorder.meet.jitsi - -# XMPP recorder user for Jibri client connections. -JIBRI_RECORDER_USER={{ jitsi_jibri_recorder_user }} - -# XMPP recorder password for Jibri client connections. +# XMPP recorder password for Jibri client connections JIBRI_RECORDER_PASSWORD={{ jitsi_jibri_recorder_password }} -# Directory for recordings inside Jibri container. -JIBRI_RECORDING_DIR=/config/recordings - -# The finalizing script. Will run after recording is complete. -JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh - -# XMPP user for Jibri client connections. -JIBRI_XMPP_USER={{ jitsi_jibri_xmpp_user }} - -# XMPP password for Jibri client connections. +# XMPP password for Jibri client connections JIBRI_XMPP_PASSWORD={{ jitsi_jibri_xmpp_password }} -# MUC name for the Jibri pool. -JIBRI_BREWERY_MUC=jibribrewery +# +# Docker Compose options +# -# MUC connection timeout -JIBRI_PENDING_TIMEOUT=90 +# Container restart policy +# Defaults to unless-stopped +RESTART_POLICY=unless-stopped -# When jibri gets a request to start a service for a room, the room -# jid will look like: roomName@optional.prefixes.subdomain.xmpp_domain -# We'll build the url for the call by transforming that into: -# https://xmpp_domain/subdomain/roomName -# So if there are any prefixes in the jid (like jitsi meet, which -# has its participants join a muc at conference.xmpp_domain) then -# list that prefix here so it can be stripped out to generate -# the call url correctly. -JIBRI_STRIP_DOMAIN_JID=muc - -# Directory for logs inside Jibri container. -JIBRI_LOGS_DIR=/config/logs - -# Disable HTTPS. 
This can be useful if TLS connections are going to be handled outside of this setup. -#DISABLE_HTTPS=1 - -# Redirects HTTP traffic to HTTPS. Only works with the standard HTTPS port (443). -#ENABLE_HTTP_REDIRECT=1 +# Jitsi image version (useful for local development) +#JITSI_IMAGE_VERSION=latest diff --git a/templates/etherpad.yml b/templates/etherpad.yml index e033a99..49f9be0 100644 --- a/templates/etherpad.yml +++ b/templates/etherpad.yml @@ -1,10 +1,17 @@ -version: '3' +version: '3.5' services: # Etherpad: real-time collaborative document editing etherpad: - image: jitsi/etherpad + image: etherpad/etherpad:1.8.6 + restart: ${RESTART_POLICY:-unless-stopped} + environment: + - TITLE=${ETHERPAD_TITLE} + - DEFAULT_PAD_TEXT=${ETHERPAD_DEFAULT_PAD_TEXT} + - SKIN_NAME=${ETHERPAD_SKIN_NAME} + - SKIN_VARIANTS=${ETHERPAD_SKIN_VARIANTS} networks: meet.jitsi: aliases: - etherpad.meet.jitsi + diff --git a/templates/jibri.yml b/templates/jibri.yml index 2f5a3e7..826797d 100644 --- a/templates/jibri.yml +++ b/templates/jibri.yml @@ -1,22 +1,22 @@ -version: '3' +version: '3.5' services: jibri: - image: jitsi/jibri + image: jitsi/jibri:${JITSI_IMAGE_VERSION:-stable-7830} + restart: ${RESTART_POLICY:-unless-stopped} volumes: - - ${CONFIG}/jibri:/config - - /dev/shm:/dev/shm + - ${CONFIG}/jibri:/config:Z + shm_size: '2gb' cap_add: - SYS_ADMIN - - NET_BIND_SERVICE - devices: - - /dev/snd:/dev/snd environment: - - XMPP_AUTH_DOMAIN - - XMPP_INTERNAL_MUC_DOMAIN - - XMPP_RECORDER_DOMAIN - - XMPP_SERVER - - XMPP_DOMAIN + - CHROMIUM_FLAGS + - DISPLAY=:0 + - ENABLE_STATS_D + - JIBRI_HTTP_API_EXTERNAL_PORT + - JIBRI_HTTP_API_INTERNAL_PORT + - JIBRI_RECORDING_RESOLUTION + - JIBRI_USAGE_TIMEOUT - JIBRI_XMPP_USER - JIBRI_XMPP_PASSWORD - JIBRI_BREWERY_MUC 
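Review bot: This hunk drops `JICOFO_AUTH_USER`, `JVB_AUTH_USER`, `JIGASI_XMPP_USER`, `JIBRI_XMPP_USER`, `JIBRI_RECORDER_USER` and `JICOFO_COMPONENT_SECRET` from the rendered .env, so the `jitsi_*_user` / `jitsi_jicofo_component_secret` role variables that fed them are now silently ignored and the images fall back to whatever account names they ship with; if those variables are still declared in defaults/README (not visible here), remove them or restore the lines, and record it in the CHANGELOG. The imported "Security" comment block also claims `./gen-passwords.sh` will update .env, but in this role the file is regenerated from this Jinja template on every run, so a locally generated password set would be overwritten; reword it to `# Set the jitsi_*_password role variables (ideally from Ansible Vault); this file is regenerated on every run`.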
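Review bot: The etherpad image is now the exact tag `etherpad/etherpad:1.8.6`, unlike the other services which take `${JITSI_IMAGE_VERSION:-stable-7830}`; an exact tag never picks up upstream fixes unless someone edits this template, and 1.8.6 is several releases old, so it needs tracking like any other pinned dependency. Make it overridable the same way, `image: etherpad/etherpad:${ETHERPAD_IMAGE_VERSION:-1.8.6}`, and add the variable to the env template. Since this image is a different upstream than the previous `jitsi/etherpad`, it is worth one sentence in the CHANGELOG noting the swap and that configuration now comes from the `ETHERPAD_*` env values.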
@@ -25,9 +25,18 @@ services: - JIBRI_RECORDING_DIR - JIBRI_FINALIZE_RECORDING_SCRIPT_PATH - JIBRI_STRIP_DOMAIN_JID - - JIBRI_LOGS_DIR - - DISPLAY=:0 + - PUBLIC_URL - TZ + - XMPP_AUTH_DOMAIN + - XMPP_DOMAIN + - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_MUC_DOMAIN + - XMPP_RECORDER_DOMAIN + - XMPP_SERVER + - XMPP_PORT + - XMPP_TRUST_ALL_CERTS + depends_on: + - jicofo networks: meet.jitsi: diff --git a/templates/jigasi.yml b/templates/jigasi.yml index 46f1584..d6cb0e2 100644 --- a/templates/jigasi.yml +++ b/templates/jigasi.yml @@ -3,24 +3,31 @@ version: '3' services: # SIP gateway (audio) jigasi: - image: jitsi/jigasi + image: jitsi/jigasi:${JITSI_IMAGE_VERSION:-stable-7830} + restart: ${RESTART_POLICY:-unless-stopped} ports: - - '${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}:${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}/udp' + - '${JIGASI_PORT_MIN:-20000}-${JIGASI_PORT_MAX:-20050}:${JIGASI_PORT_MIN:-20000}-${JIGASI_PORT_MAX:-20050}/udp' volumes: - - ${CONFIG}/jigasi:/config - - ${CONFIG}/transcripts:/tmp/transcripts + - ${CONFIG}/jigasi:/config:Z + - ${CONFIG}/transcripts:/tmp/transcripts:Z environment: - ENABLE_AUTH + - ENABLE_GUESTS - XMPP_AUTH_DOMAIN + - XMPP_GUEST_DOMAIN + - XMPP_MUC_DOMAIN - XMPP_INTERNAL_MUC_DOMAIN - XMPP_SERVER + - XMPP_PORT - XMPP_DOMAIN - PUBLIC_URL + - JIGASI_DISABLE_SIP - JIGASI_SIP_URI - JIGASI_SIP_PASSWORD - JIGASI_SIP_SERVER - JIGASI_SIP_PORT - JIGASI_SIP_TRANSPORT + - JIGASI_SIP_DEFAULT_ROOM - JIGASI_XMPP_USER - JIGASI_XMPP_PASSWORD - JIGASI_BREWERY_MUC @@ -34,9 +41,18 @@ services: - JIGASI_TRANSCRIBER_ADVERTISE_URL - JIGASI_TRANSCRIBER_RECORD_AUDIO - JIGASI_TRANSCRIBER_SEND_TXT - - GOOGLE_APPLICATION_CREDENTIALS + - GC_PROJECT_ID + - GC_PRIVATE_KEY_ID + - GC_PRIVATE_KEY + - GC_CLIENT_EMAIL + - GC_CLIENT_ID + - GC_CLIENT_CERT_URL + - SENTRY_DSN="${JIGASI_SENTRY_DSN:-0}" + - SENTRY_ENVIRONMENT + - SENTRY_RELEASE - TZ depends_on: - prosody networks: meet.jitsi: +
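Review bot: `cap_add: SYS_ADMIN` survives while `NET_BIND_SERVICE` and the `/dev/snd` device are dropped; `SYS_ADMIN` is close to full root inside the container (mount, namespace and other privileged operations), so it should not be left as an unexplained remaining capability. Add a comment stating the reason — presumably the browser sandbox used for recording, but confirm with the upstream image docs — e.g. `# SYS_ADMIN is required by the Jibri recording sandbox; add no further capabilities`, and consider pairing it with `security_opt: ['no-new-privileges:true']` if the image tolerates it. The `shm_size: '2gb'` replacement for the host `/dev/shm` bind is an improvement: the container no longer shares the host's shared memory.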
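Review bot: `XMPP_TRUST_ALL_CERTS` is now passed through to Jibri without any mention in the env template; its name suggests it disables certificate verification on Jibri's XMPP connection, which is tolerable only because that connection stays on the internal `meet.jitsi` network. Either document it with that caveat — `# Disables TLS verification for Jibri's XMPP connection; only acceptable on the internal network` — or leave it out of the passthrough list so it cannot be set by accident. Note also that `depends_on: jicofo` only orders container start, not jicofo readiness.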
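Review bot: The Google Cloud service-account key is now injected as `GC_PRIVATE_KEY` (plus the id/email fields) through the environment instead of a mounted `GOOGLE_APPLICATION_CREDENTIALS` file; container environment variables are readable via `docker inspect`, `/proc/<pid>/environ` and every child process, and tend to end up in logs and crash reports, so this widens the exposure of a long-lived private key. If transcription is used, prefer keeping a file mount and pointing `GOOGLE_APPLICATION_CREDENTIALS` at it, or use Docker secrets; at minimum the env template should say `GC_PRIVATE_KEY` must come from a vault and never be committed. Whether the upstream image still honours the file-based variable I can't verify from this diff.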