jotbe/ansible-role-jitsi-docker
1
0
Fork 0
Code Issues 1 Pull requests 1 Releases Wiki Activity

feature/latest-upstream-docker-compose #2

Merged
jotbe merged 9 commits from feature/latest-upstream-docker-compose into master 2022-10-03 00:59:35 +02:00
Conversation 1 Commits 9 Files changed 9 +445 -297
9 changed files with 445 additions and 297 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
CHANGELOG.md Normal file
View file

@ -0,0 +1,8 @@
## Changelog
### stable-7830
* Updates all Docker Compose templates
* Adds `jitsi_jvb_advertise_ips`, which supports a comma separated list of IPs
* Content-Security-Policy now allows `base-uri 'self'` (instead of `none`)
* Fixed `jitsi_enable_letsencrypt` handling (please note: you will still have to uncomment `LETSENCRYPT_USE_STAGING=1` in the .env file/template if you only want to test Let's Encrypt)

3
README.md
View file

@ -20,7 +20,8 @@ Role Variables
| jitsi_build_latest_image_from_source | Will fetch the master of `jitsi_docker_upstream_repo_url` and build the docker image as sometimes the latest available images in the Docker Hub are too old | yes |
| jitsi_docker_upstream_repo_url | Git repo of docker-jitsi-meet required by `jitsi_build_latest_image_from_source` | https://github.com/jitsi/docker-jitsi-meet.git |
| *jitsi_letsencrypt_email* | E-Mail adress used for requesting certificates | Not set |
| jitsi_docker_host_address | | |
| jitsi_docker_host_address | |
| jitsi_jvb_advertise_ips | supports a comma separated list of IPs | | |
| jitsi_enable_letsencrypt | Jitsi will take care of Let's Encrypt certificates | 0 |
| jitsi_enable_third_party_requests | Whether to allow third party requests, e.g. to Gravatar (if a user sets her email address) | no |
| jitsi_exposed_http_port | Exposed container port for HTTP | 8000 |

3
defaults/main.yml
View file

@ -12,4 +12,5 @@ jitsi_jvb_stun_servers: meet-jit-si-turnrelay.jitsi.net:443
jitsi_web_channel_last_n: 3
jitsi_build_latest_image_from_source: yes
jitsi_docker_upstream_repo_url: https://github.com/jitsi/docker-jitsi-meet.git
jitsi_enable_third_party_requests: no
jitsi_enable_third_party_requests: no
jitsi_jvb_advertise_ips: "{{ jitsi_docker_host_address }}"

2
tasks/main.yml
View file

@ -79,7 +79,7 @@
- assert:
that:
- "output.ansible_facts['web']['jitsi_web_1'].state.running"
- "output.services['web']['jitsi_web_1'].state.running"
- name: "Test whether Jitsi is healthy from the outside"
when: not ansible_check_mode

380
templates/docker-compose.jitsi.yml.j2
View file

@ -1,57 +1,167 @@
version: '3'
version: '3.5'
services:
# Frontend
web:
image: jitsi/web
restart: unless-stopped
image: jitsi/web:${JITSI_IMAGE_VERSION:-stable-7830}
restart: ${RESTART_POLICY:-unless-stopped}
ports:
- '${HTTP_PORT}:80'
- '${HTTPS_PORT}:443'
volumes:
- ${CONFIG}/web:/config
- ${CONFIG}/web/letsencrypt:/etc/letsencrypt
- ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts
- ${CONFIG}/web:/config:Z
- ${CONFIG}/web/crontabs:/var/spool/cron/crontabs:Z
- ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
environment:
- ENABLE_AUTH
- ENABLE_GUESTS
- ENABLE_LETSENCRYPT
- ENABLE_HTTP_REDIRECT
- ENABLE_TRANSCRIPTIONS
- AMPLITUDE_ID
- ANALYTICS_SCRIPT_URLS
- ANALYTICS_WHITELISTED_EVENTS
- AUDIO_QUALITY_OPUS_BITRATE
- BRANDING_DATA_URL
- CALLSTATS_CUSTOM_SCRIPT_URL
- CALLSTATS_ID
- CALLSTATS_SECRET
- CHROME_EXTENSION_BANNER_JSON
- CONFCODE_URL
- CONFIG_EXTERNAL_CONNECT
- DEFAULT_LANGUAGE
- DEPLOYMENTINFO_ENVIRONMENT
- DEPLOYMENTINFO_ENVIRONMENT_TYPE
- DEPLOYMENTINFO_REGION
- DEPLOYMENTINFO_SHARD
- DEPLOYMENTINFO_USERREGION
- DESKTOP_SHARING_FRAMERATE_MIN
- DESKTOP_SHARING_FRAMERATE_MAX
- DIALIN_NUMBERS_URL
- DIALOUT_AUTH_URL
- DIALOUT_CODES_URL
- DISABLE_AUDIO_LEVELS
- DISABLE_DEEP_LINKING
- DISABLE_GRANT_MODERATOR
- DISABLE_HTTPS
- DISABLE_KICKOUT
- DISABLE_LOCAL_RECORDING
- DISABLE_POLLS
- DISABLE_PRIVATE_CHAT
- DISABLE_PROFILE
- DISABLE_REACTIONS
- DISABLE_REMOTE_VIDEO_MENU
- DROPBOX_APPKEY
- DROPBOX_REDIRECT_URI
- DYNAMIC_BRANDING_URL
- ENABLE_AUDIO_PROCESSING
- ENABLE_AUTH
- ENABLE_BREAKOUT_ROOMS
- ENABLE_CALENDAR
- ENABLE_COLIBRI_WEBSOCKET
jotbe marked this conversation as resolved Outdated
jsydll commented 2020-12-13 13:21:14 +01:00
Outdated
Review
Copy link

For some env vars like this one, there are no entries/descriptions in the env.example from upstream Jitsi repo. Using the existing .env file will lead to default values here - but I like this preparatory step.

For some env vars like this one, there are no entries/descriptions in the `env.example` from upstream Jitsi repo. Using the existing `.env` file will lead to default values here - but I like this preparatory step.
- ENABLE_E2EPING
- ENABLE_FILE_RECORDING_SHARING
- ENABLE_GUESTS
- ENABLE_HSTS
- ENABLE_HTTP_REDIRECT
- ENABLE_IPV6
- ENABLE_LETSENCRYPT
- ENABLE_LIPSYNC
- ENABLE_NO_AUDIO_DETECTION
- ENABLE_NOISY_MIC_DETECTION
- ENABLE_OCTO
- ENABLE_OPUS_RED
- ENABLE_PREJOIN_PAGE
- ENABLE_P2P
- ENABLE_WELCOME_PAGE
- ENABLE_CLOSE_PAGE
- ENABLE_LIVESTREAMING
- ENABLE_LOCAL_RECORDING_NOTIFY_ALL_PARTICIPANT
- ENABLE_LOCAL_RECORDING_SELF_START
- ENABLE_RECORDING
- ENABLE_REMB
- ENABLE_REQUIRE_DISPLAY_NAME
- ENABLE_SERVICE_RECORDING
- ENABLE_SIMULCAST
- ENABLE_STATS_ID
- ENABLE_STEREO
- ENABLE_SUBDOMAINS
- ENABLE_TALK_WHILE_MUTED
- ENABLE_TCC
- ENABLE_TRANSCRIPTIONS
- ENABLE_XMPP_WEBSOCKET
- ENABLE_JAAS_COMPONENTS
- ENABLE_MULTI_STREAM
- ETHERPAD_PUBLIC_URL
- ETHERPAD_URL_BASE
- E2EPING_NUM_REQUESTS
- E2EPING_MAX_CONFERENCE_SIZE
- E2EPING_MAX_MESSAGE_PER_SECOND
- GOOGLE_ANALYTICS_ID
- GOOGLE_API_APP_CLIENT_ID
- HIDE_PREMEETING_BUTTONS
- HIDE_PREJOIN_DISPLAY_NAME
- HIDE_PREJOIN_EXTRA_BUTTONS
- INVITE_SERVICE_URL
- JICOFO_AUTH_USER
- LETSENCRYPT_DOMAIN
- LETSENCRYPT_EMAIL
- LETSENCRYPT_USE_STAGING
- MATOMO_ENDPOINT
- MATOMO_SITE_ID
- MICROSOFT_API_APP_CLIENT_ID
- NGINX_RESOLVER
- NGINX_WORKER_PROCESSES
- NGINX_WORKER_CONNECTIONS
- PEOPLE_SEARCH_URL
- PUBLIC_URL
- XMPP_DOMAIN
- P2P_PREFERRED_CODEC
- RESOLUTION
- RESOLUTION_MIN
- RESOLUTION_WIDTH
- RESOLUTION_WIDTH_MIN
- START_AUDIO_MUTED
- START_AUDIO_ONLY
- START_BITRATE
- START_SILENT
- START_WITH_AUDIO_MUTED
- START_VIDEO_MUTED
- START_WITH_VIDEO_MUTED
- TESTING_CAP_SCREENSHARE_BITRATE
- TESTING_OCTO_PROBABILITY
- TOKEN_AUTH_URL
- TOOLBAR_BUTTONS
- TZ
- VIDEOQUALITY_BITRATE_H264_LOW
- VIDEOQUALITY_BITRATE_H264_STANDARD
- VIDEOQUALITY_BITRATE_H264_HIGH
- VIDEOQUALITY_BITRATE_VP8_LOW
- VIDEOQUALITY_BITRATE_VP8_STANDARD
- VIDEOQUALITY_BITRATE_VP8_HIGH
- VIDEOQUALITY_BITRATE_VP9_LOW
- VIDEOQUALITY_BITRATE_VP9_STANDARD
- VIDEOQUALITY_BITRATE_VP9_HIGH
- VIDEOQUALITY_ENFORCE_PREFERRED_CODEC
- VIDEOQUALITY_PREFERRED_CODEC
- XMPP_AUTH_DOMAIN
- XMPP_BOSH_URL_BASE
- XMPP_DOMAIN
- XMPP_GUEST_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_RECORDER_DOMAIN
- ETHERPAD_URL_BASE
- TZ
- JIBRI_BREWERY_MUC
- JIBRI_PENDING_TIMEOUT
- JIBRI_XMPP_USER
- JIBRI_XMPP_PASSWORD
- JIBRI_RECORDER_USER
- JIBRI_RECORDER_PASSWORD
- ENABLE_RECORDING
- XMPP_PORT
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik_public"
- "traefik.http.routers.jitsi.rule=Host(`{{ jitsi_virtual_host }}`)"
- "traefik.http.routers.jitsi.entrypoints=websecure"
- "traefik.http.routers.jitsi.tls=true"
- "traefik.http.routers.jitsi.tls.certresolver=defaultresolver"
- "traefik.http.middlewares.jitsi-headers.headers.SSLRedirect=true"
- "traefik.http.middlewares.jitsi-headers.headers.browserXSSFilter=true"
- "traefik.http.middlewares.jitsi-headers.headers.contentTypeNosniff=true"
- "traefik.http.middlewares.jitsi-headers.headers.forceSTSHeader=true"
- "traefik.http.middlewares.jitsi-headers.headers.STSSeconds=315360000"
- "traefik.http.middlewares.jitsi-headers.headers.STSIncludeSubdomains=true"
- "traefik.http.middlewares.jitsi-headers.headers.STSPreload=true"
- "traefik.http.middlewares.jitsi-headers.headers.featurePolicy=geolocation 'none'; payment 'none'"
- "traefik.http.middlewares.jitsi-headers.headers.contentSecurityPolicy=default-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'; block-all-mixed-content"
- "traefik.http.routers.jitsi.middlewares=jitsi-headers"
traefik.enable: true
traefik.docker.network: traefik_public
traefik.http.routers.jitsi.rule: Host(`{{ jitsi_virtual_host }}`)
traefik.http.routers.jitsi.entrypoints: websecure
traefik.http.routers.jitsi.tls: true
traefik.http.routers.jitsi.tls.certresolver: defaultresolver
traefik.http.middlewares.jitsi-headers.headers.SSLRedirect: true
traefik.http.middlewares.jitsi-headers.headers.browserXSSFilter: true
traefik.http.middlewares.jitsi-headers.headers.contentTypeNosniff: true
traefik.http.middlewares.jitsi-headers.headers.forceSTSHeader: true
traefik.http.middlewares.jitsi-headers.headers.STSSeconds: 315360000
traefik.http.middlewares.jitsi-headers.headers.STSIncludeSubdomains: true
traefik.http.middlewares.jitsi-headers.headers.STSPreload: true
traefik.http.middlewares.jitsi-headers.headers.featurePolicy: geolocation 'none'; payment 'none'
traefik.http.middlewares.jitsi-headers.headers.contentSecurityPolicy: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'none'; block-all-mixed-content
traefik.http.routers.jitsi.middlewares: jitsi-headers
networks:
public:
meet.jitsi:
@ -60,53 +170,47 @@ services:
# XMPP server
prosody:
image: jitsi/prosody
restart: unless-stopped
image: jitsi/prosody:${JITSI_IMAGE_VERSION:-stable-7830}
restart: ${RESTART_POLICY:-unless-stopped}
expose:
- '5222'
- '${XMPP_PORT:-5222}'
- '5347'
- '5280'
volumes:
- ${CONFIG}/prosody:/config
- ${CONFIG}/prosody/config:/config:Z
- ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z
environment:
- AUTH_TYPE
- DISABLE_POLLS
- ENABLE_AUTH
- ENABLE_AV_MODERATION
- ENABLE_BREAKOUT_ROOMS
- ENABLE_END_CONFERENCE
- ENABLE_GUESTS
- GLOBAL_MODULES
- ENABLE_IPV6
- ENABLE_LOBBY
- ENABLE_RECORDING
- ENABLE_XMPP_WEBSOCKET
- ENABLE_JAAS_COMPONENTS
- GC_TYPE
- GC_INC_TH
- GC_INC_SPEED
- GC_INC_STEP_SIZE
- GC_GEN_MIN_TH
- GC_GEN_MAX_TH
- GLOBAL_CONFIG
- LDAP_URL
- LDAP_BASE
- LDAP_BINDDN
- LDAP_BINDPW
- LDAP_FILTER
- LDAP_AUTH_METHOD
- LDAP_VERSION
- LDAP_USE_TLS
- LDAP_TLS_CIPHERS
- LDAP_TLS_CHECK_PEER
- LDAP_TLS_CACERT_FILE
- LDAP_TLS_CACERT_DIR
- LDAP_START_TLS
- XMPP_DOMAIN
- XMPP_AUTH_DOMAIN
- XMPP_GUEST_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_MODULES
- XMPP_MUC_MODULES
- XMPP_INTERNAL_MUC_MODULES
- XMPP_RECORDER_DOMAIN
- JICOFO_COMPONENT_SECRET
- JICOFO_AUTH_USER
- JICOFO_AUTH_PASSWORD
- JVB_AUTH_USER
- JVB_AUTH_PASSWORD
- JIGASI_XMPP_USER
- JIGASI_XMPP_PASSWORD
- JIBRI_XMPP_USER
- JIBRI_XMPP_PASSWORD
- GLOBAL_MODULES
- JIBRI_RECORDER_USER
- JIBRI_RECORDER_PASSWORD
- JIBRI_XMPP_USER
- JIBRI_XMPP_PASSWORD
- JICOFO_AUTH_USER
- JICOFO_AUTH_PASSWORD
- JICOFO_COMPONENT_SECRET
- JIGASI_XMPP_USER
- JIGASI_XMPP_PASSWORD
- JVB_AUTH_USER
- JVB_AUTH_PASSWORD
- JWT_APP_ID
- JWT_APP_SECRET
- JWT_ACCEPTED_ISSUERS
@ -114,35 +218,97 @@ services:
- JWT_ASAP_KEYSERVER
- JWT_ALLOW_EMPTY
- JWT_AUTH_TYPE
- JWT_ENABLE_DOMAIN_VERIFICATION
- JWT_TOKEN_AUTH_MODULE
- MATRIX_UVS_URL
- MATRIX_UVS_ISSUER
- MATRIX_UVS_AUTH_TOKEN
- MATRIX_UVS_SYNC_POWER_LEVELS
- LOG_LEVEL
- LDAP_AUTH_METHOD
- LDAP_BASE
- LDAP_BINDDN
- LDAP_BINDPW
- LDAP_FILTER
- LDAP_VERSION
- LDAP_TLS_CIPHERS
- LDAP_TLS_CHECK_PEER
jotbe marked this conversation as resolved Outdated
jsydll commented 2020-12-13 13:27:35 +01:00
Outdated
Review
Copy link

What's the purpose of the service dict var?

What's the purpose of the service dict var?
jotbe commented 2020-12-13 14:16:29 +01:00
Outdated
Review
Copy link

This should define a service entity for traefik which allows e.g. for loadbalancing. I haven't tried the loadbalancing yet. On the other hand, that entrypoint video is not further defined here. I am not sure whether other configuration is missing here.

This should define a service entity for traefik which allows e.g. for loadbalancing. I haven't tried the loadbalancing yet. On the other hand, that entrypoint `video` is not further defined here. I am not sure whether other configuration is missing here.
jsydll commented 2020-12-13 14:31:23 +01:00
Outdated
Review
Copy link

As long as this does not break our current setup, I'm fine with having the new labels here.

As long as this does not break our current setup, I'm fine with having the new labels here.
- LDAP_TLS_CACERT_FILE
jotbe marked this conversation as resolved Outdated
jsydll commented 2020-12-13 13:28:08 +01:00
Outdated
Review
Copy link

Could that be parameterized with ${JVB_PORT}?

Could that be parameterized with `${JVB_PORT}`?
jotbe commented 2020-12-13 14:22:09 +01:00
Outdated
Review
Copy link

Good point! Yes, could be, but it makes sense to create an Ansible var to allow a config of that JVB_PORT which is still more or less hardcoded in the env file.

Good point! Yes, could be, but it makes sense to create an Ansible var to allow a config of that `JVB_PORT` which is still more or less hardcoded in the env file.
jsydll commented 2020-12-13 14:29:56 +01:00
Outdated
Review
Copy link

To my knowledge, this variable already exists: jitsi_bridge_udp_port. Or do I mix up things here?

To my knowledge, this variable already exists: `jitsi_bridge_udp_port`. Or do I mix up things here?
jotbe commented 2020-12-13 17:50:29 +01:00
Outdated
Review
Copy link

Where is that? I cannot find that string in the code.

Where is that? I cannot find that string in the code.
jsydll commented 2020-12-14 07:34:25 +01:00
Outdated
Review
Copy link

I'm sorry, got that mixed up with one of my branches where I also needed to introduce such a variable :D

I'm sorry, got that mixed up with one of my branches where I also needed to introduce such a variable :D
- LDAP_TLS_CACERT_DIR
- LDAP_START_TLS
- LDAP_URL
- LDAP_USE_TLS
- MAX_PARTICIPANTS
- PROSODY_RESERVATION_ENABLED
- PROSODY_RESERVATION_REST_BASE_URL
- PUBLIC_URL
- TURN_CREDENTIALS
- TURN_HOST
- TURNS_HOST
- TURN_PORT
- TURNS_PORT
- TZ
- XMPP_DOMAIN
- XMPP_AUTH_DOMAIN
- XMPP_GUEST_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_MODULES
- XMPP_MUC_MODULES
- XMPP_MUC_CONFIGURATION
- XMPP_INTERNAL_MUC_MODULES
- XMPP_RECORDER_DOMAIN
- XMPP_PORT
networks:
meet.jitsi:
aliases:
- ${XMPP_SERVER}
- ${XMPP_SERVER:-xmpp.meet.jitsi}
# Focus component
jicofo:
image: jitsi/jicofo
restart: unless-stopped
image: jitsi/jicofo:${JITSI_IMAGE_VERSION:-stable-7830}
restart: ${RESTART_POLICY:-unless-stopped}
volumes:
- ${CONFIG}/jicofo:/config
- ${CONFIG}/jicofo:/config:Z
environment:
- AUTH_TYPE
- BRIDGE_AVG_PARTICIPANT_STRESS
- BRIDGE_STRESS_THRESHOLD
- ENABLE_AUTH
- ENABLE_AUTO_OWNER
- ENABLE_CODEC_VP8
- ENABLE_CODEC_VP9
- ENABLE_CODEC_H264
- ENABLE_OCTO
- ENABLE_RECORDING
- ENABLE_SCTP
- ENABLE_AUTO_LOGIN
- JICOFO_AUTH_USER
- JICOFO_AUTH_PASSWORD
- JICOFO_ENABLE_BRIDGE_HEALTH_CHECKS
- JICOFO_CONF_INITIAL_PARTICIPANT_WAIT_TIMEOUT
- JICOFO_CONF_SINGLE_PARTICIPANT_TIMEOUT
- JICOFO_ENABLE_HEALTH_CHECKS
- JICOFO_SHORT_ID
- JIBRI_BREWERY_MUC
- JIBRI_REQUEST_RETRIES
- JIBRI_PENDING_TIMEOUT
- JIGASI_BREWERY_MUC
- JIGASI_SIP_URI
- JVB_BREWERY_MUC
- MAX_BRIDGE_PARTICIPANTS
- OCTO_BRIDGE_SELECTION_STRATEGY
- SENTRY_DSN="${JICOFO_SENTRY_DSN:-0}"
- SENTRY_ENVIRONMENT
- SENTRY_RELEASE
- TZ
- XMPP_DOMAIN
- XMPP_AUTH_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_RECORDER_DOMAIN
- XMPP_SERVER
- JICOFO_COMPONENT_SECRET
- JICOFO_AUTH_USER
- JICOFO_AUTH_PASSWORD
- JICOFO_RESERVATION_REST_BASE_URL
- JVB_BREWERY_MUC
- JIGASI_BREWERY_MUC
- JIBRI_BREWERY_MUC
- JIBRI_PENDING_TIMEOUT
- TZ
- XMPP_PORT
depends_on:
- prosody
networks:
@ -150,31 +316,51 @@ services:
# Video bridge
jvb:
image: jitsi/jvb
restart: unless-stopped
image: jitsi/jvb:${JITSI_IMAGE_VERSION:-stable-7830}
restart: ${RESTART_POLICY:-unless-stopped}
ports:
- '${JVB_PORT}:${JVB_PORT}/udp'
- '${JVB_TCP_PORT}:${JVB_TCP_PORT}'
- '${JVB_PORT:-10000}:${JVB_PORT:-10000}/udp'
- '127.0.0.1:${JVB_COLIBRI_PORT:-8080}:8080'
volumes:
- ${CONFIG}/jvb:/config
- ${CONFIG}/jvb:/config:Z
environment:
- DOCKER_HOST_ADDRESS
- XMPP_AUTH_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_SERVER
- ENABLE_COLIBRI_WEBSOCKET
- ENABLE_OCTO
- ENABLE_MULTI_STREAM
- JVB_ADVERTISE_IPS
- JVB_ADVERTISE_PRIVATE_CANDIDATES
- JVB_AUTH_USER
- JVB_AUTH_PASSWORD
- JVB_BREWERY_MUC
- JVB_DISABLE_STUN
- JVB_PORT
- JVB_TCP_HARVESTER_DISABLED
- JVB_TCP_PORT
- JVB_MUC_NICKNAME
- JVB_STUN_SERVERS
- JVB_ENABLE_APIS
- JVB_OCTO_BIND_ADDRESS
- JVB_OCTO_REGION
- JVB_OCTO_RELAY_ID
- JVB_WS_DOMAIN
- JVB_WS_SERVER_ID
- PUBLIC_URL
- SENTRY_DSN="${JVB_SENTRY_DSN:-0}"
- SENTRY_ENVIRONMENT
- SENTRY_RELEASE
- COLIBRI_REST_ENABLED
- SHUTDOWN_REST_ENABLED
- TZ
- XMPP_AUTH_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_SERVER
- XMPP_PORT
depends_on:
- prosody
networks:
meet.jitsi:
labels:
traefik.udp.routers.jvb.entrypoints: video
traefik.udp.routers.jvb.service: jvb
traefik.udp.services.jvb.loadbalancer.server.port: '10000'
# Custom network so all services can communicate using a FQDN
networks:

272
templates/env.jitsi.j2
View file

@ -1,20 +1,33 @@
# shellcheck disable=SC2034
################################################################################
################################################################################
# Welcome to the Jitsi Meet Docker setup!
#
# This sample .env file contains some basic options to get you started.
# The full options reference can be found here:
# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker
################################################################################
################################################################################
#
# Basic configuration options
#
# Directory where all configuration will be stored.
# Directory where all configuration will be stored
CONFIG=./conf
# Exposed HTTP port.
# Exposed HTTP port
HTTP_PORT={{ jitsi_exposed_http_port }}
# Exposed HTTPS port.
# Exposed HTTPS port
HTTPS_PORT={{ jitsi_exposed_https_port }}
# System time zone.
# System time zone
TZ={{ jitsi_timezone }}
# Public URL for the web service.
# Public URL for the web service (required)
PUBLIC_URL={{ jitsi_public_url }}
VIRTUAL_HOST={{ jitsi_virtual_host }}
@ -22,13 +35,29 @@ VIRTUAL_HOST={{ jitsi_virtual_host }}
# in the README.
DOCKER_HOST_ADDRESS={{ jitsi_docker_host_address }}
# Media IP addresses to advertise by the JVB
# This setting deprecates DOCKER_HOST_ADDRESS, and supports a comma separated list of IPs
# See the "Running behind NAT or on a LAN environment" section in the Handbook:
# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment
#JVB_ADVERTISE_IPS={{ jitsi_jvb_advertise_ips }}
JVB_STUN_SERVERS={{ jitsi_jvb_stun_servers }}
#
# JaaS Components (beta)
# https://jaas.8x8.vc
#
# Enable JaaS Components (hosted Jigasi)
#ENABLE_JAAS_COMPONENTS=0
{% if jitsi_enable_letsencrypt %}
#
# Let's Encrypt configuration
#
# Enable Let's Encrypt certificate generation.
ENABLE_LETSENCRYPT=0
ENABLE_LETSENCRYPT=1
# Domain for which to generate the certificate.
LETSENCRYPT_DOMAIN={{ jitsi_virtual_host }}
@ -36,27 +65,45 @@ LETSENCRYPT_DOMAIN={{ jitsi_virtual_host }}
# E-Mail for receiving important account notifications (mandatory).
LETSENCRYPT_EMAIL={{ jitsi_letsencrypt_email }}
# Use the staging server (for avoiding rate limits while testing)
#LETSENCRYPT_USE_STAGING=1
{% endif -%}
#
# Etherpad integration (for document sharing)
#
# Set etherpad-lite URL (uncomment to enable).
# Set etherpad-lite URL in docker local network (uncomment to enable)
#ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001
# Set etherpad-lite public URL, including /p/ pad path fragment (uncomment to enable)
#ETHERPAD_PUBLIC_URL=https://etherpad.my.domain/p/
# Name your etherpad instance!
ETHERPAD_TITLE=Video Chat
# The default text of a pad
ETHERPAD_DEFAULT_PAD_TEXT="Welcome to Web Chat!\n\n"
# Name of the skin for etherpad
ETHERPAD_SKIN_NAME=colibris
# Skin variants for etherpad
ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background full-width-editor"
#
# Basic Jigasi configuration options (needed for SIP gateway support)
#
# SIP URI for incoming / outgoing calls.
# SIP URI for incoming / outgoing calls
#JIGASI_SIP_URI=test@sip2sip.info
# Password for the specified SIP account as a clear text
#JIGASI_SIP_PASSWORD=passw0rd
# SIP server (use the SIP account domain if in doubt).
# SIP server (use the SIP account domain if in doubt)
#JIGASI_SIP_SERVER=sip2sip.info
# SIP server port
@ -65,54 +112,54 @@ LETSENCRYPT_EMAIL={{ jitsi_letsencrypt_email }}
# SIP server transport
#JIGASI_SIP_TRANSPORT=UDP
#
# Authentication configuration (see README for details)
# Authentication configuration (see handbook for details)
#
# Enable authentication.
# Enable authentication
#ENABLE_AUTH=1
# Enable guest access.
# Enable guest access
#ENABLE_GUESTS=1
# Select authentication type: internal, jwt or ldap
# Select authentication type: internal, jwt, ldap or matrix
#AUTH_TYPE=internal
# JWT auuthentication
# JWT authentication
#
# Application identifier.
# Application identifier
#JWT_APP_ID=my_jitsi_app_id
# Application secret known only to your token.
# Application secret known only to your token generator
#JWT_APP_SECRET=my_jitsi_app_secret
# (Optional) Set asap_accepted_issuers as a comma separated list.
# (Optional) Set asap_accepted_issuers as a comma separated list
#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client
# (Optional) Set asap_accepted_audiences as a comma separated list.
# (Optional) Set asap_accepted_audiences as a comma separated list
#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2
# LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page)
#
# LDAP url for connection.
# LDAP url for connection
#LDAP_URL=ldaps://ldap.domain.com/
# LDAP base DN. Can be empty
#LDAP_BASE=DC=example,DC=domain,DC=com
# LDAP user DN. Do not specify this parameter for the anonymous bind.
# LDAP user DN. Do not specify this parameter for the anonymous bind
#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
# LDAP user password. Do not specify this parameter for the anonymous bind.
# LDAP user password. Do not specify this parameter for the anonymous bind
#LDAP_BINDPW=LdapUserPassw0rd
# LDAP filter. Tokens example:
# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail.
# %s - %s is replaced by the complete service string.
# %r - %r is replaced by the complete realm string.
# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail
# %s - %s is replaced by the complete service string
# %r - %r is replaced by the complete realm string
#LDAP_FILTER=(sAMAccountName=%u)
# LDAP authentication method
@ -124,16 +171,16 @@ LETSENCRYPT_EMAIL={{ jitsi_letsencrypt_email }}
# LDAP TLS using
#LDAP_USE_TLS=1
# List of SSL/TLS ciphers to allow.
# List of SSL/TLS ciphers to allow
#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
# Require and verify server certificate
#LDAP_TLS_CHECK_PEER=1
# Path to CA cert file. Used when server sertificate verify is enabled.
# Path to CA cert file. Used when server certificate verify is enabled
#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt
# Path to CA certs directory. Used when server sertificate verify is enabled.
# Path to CA certs directory. Used when server certificate verify is enabled
#LDAP_TLS_CACERT_DIR=/etc/ssl/certs
# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps://
@ -141,164 +188,37 @@ LETSENCRYPT_EMAIL={{ jitsi_letsencrypt_email }}
#
# Advanced configuration options (you generally don't need to change these)
# Security
#
# Set these to strong passwords to avoid intruders from impersonating a service account
# The service(s) won't start unless these are specified
# Running ./gen-passwords.sh will update .env with strong passwords
# You may skip the Jigasi and Jibri passwords if you are not using those
# DO NOT reuse passwords
#
# Internal XMPP domain.
XMPP_DOMAIN=meet.jitsi
# Internal XMPP server
XMPP_SERVER=xmpp.meet.jitsi
# Internal XMPP server URL
XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280
# Internal XMPP domain for authenticated services.
XMPP_AUTH_DOMAIN=auth.meet.jitsi
# XMPP domain for the MUC.
XMPP_MUC_DOMAIN=muc.meet.jitsi
# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools.
XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi
# XMPP domain for unauthenticated users.
XMPP_GUEST_DOMAIN=guest.meet.jitsi
# Custom Prosody modules for XMPP_DOMAIN (comma separated)
XMPP_MODULES=
# Custom Prosody modules for MUC component (comma separated)
XMPP_MUC_MODULES=
# Custom Prosody modules for internal MUC component (comma separated)
XMPP_INTERNAL_MUC_MODULES=
# MUC for the JVB pool.
JVB_BREWERY_MUC=jvbbrewery
# XMPP user for JVB client connections.
JVB_AUTH_USER={{ jitsi_jvb_auth_user }}
# XMPP password for JVB client connections.
JVB_AUTH_PASSWORD={{ jitsi_jvb_auth_password }}
# STUN servers used to discover the server's public IP.
JVB_STUN_SERVERS={{ jitsi_jvb_stun_servers }}
# Media port for the Jitsi Videobridge
JVB_PORT=10000
# TCP Fallback for Jitsi Videobridge for when UDP isn't available
JVB_TCP_HARVESTER_DISABLED=true
JVB_TCP_PORT=4443
# A comma separated list of APIs to enable when the JVB is started. The default is none.
# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information
#JVB_ENABLE_APIS=rest,colibri
# XMPP component password for Jicofo.
JICOFO_COMPONENT_SECRET={{ jitsi_jicofo_component_secret }}
# XMPP user for Jicofo client connections. NOTE: this option doesn't currently work due to a bug.
JICOFO_AUTH_USER={{ jitsi_jicofo_auth_user }}
# XMPP password for Jicofo client connections.
# XMPP password for Jicofo client connections
JICOFO_AUTH_PASSWORD={{ jitsi_jicofo_auth_password }}
# Base URL of Jicofo's reservation REST API
#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com
# XMPP password for JVB client connections
JVB_AUTH_PASSWORD={{ jitsi_jvb_auth_password }}
# XMPP user for Jigasi MUC client connections.
JIGASI_XMPP_USER={{ jitsi_jigasi_xmpp_user }}
# XMPP password for Jigasi MUC client connections.
# XMPP password for Jigasi MUC client connections
JIGASI_XMPP_PASSWORD={{ jitsi_jigasi_xmpp_password }}
# MUC name for the Jigasi pool.
JIGASI_BREWERY_MUC=jigasibrewery
# Minimum port for media used by Jigasi.
JIGASI_PORT_MIN=20000
# Maximum port for media used by Jigasi.
JIGASI_PORT_MAX=20050
# Enable SDES srtp
#JIGASI_ENABLE_SDES_SRTP=1
# Keepalive method
#JIGASI_SIP_KEEP_ALIVE_METHOD=OPTIONS
# Health-check extension
#JIGASI_HEALTH_CHECK_SIP_URI=keepalive
# Health-check interval
#JIGASI_HEALTH_CHECK_INTERVAL=300000
#
# Enable Jigasi transcription.
#ENABLE_TRANSCRIPTIONS=1
# Jigasi will recordord an audio when transcriber is on. Default false.
#JIGASI_TRANSCRIBER_RECORD_AUDIO=true
# Jigasi will send transcribed text to the chat when transcriber is on. Default false.
#JIGASI_TRANSCRIBER_SEND_TXT=true
# Jigasi post to the chat an url with transcription file. Default false.
#JIGASI_TRANSCRIBER_ADVERTISE_URL=true
# Credentials for connect to Cloud Google API from Jigasi. Path located inside the container.
# Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol
# section "Before you begin" from 1 to 5 paragraph. Copy the key on
# the docker host to ${CONFIG}/jigasi/key.json and to enable this setting:
#GOOGLE_APPLICATION_CREDENTIALS=/config/key.json
# Enable recording
#ENABLE_RECORDING=1
# XMPP domain for the jibri recorder
XMPP_RECORDER_DOMAIN=recorder.meet.jitsi
# XMPP recorder user for Jibri client connections.
JIBRI_RECORDER_USER={{ jitsi_jibri_recorder_user }}
# XMPP recorder password for Jibri client connections.
# XMPP recorder password for Jibri client connections
JIBRI_RECORDER_PASSWORD={{ jitsi_jibri_recorder_password }}
# Directory for recordings inside Jibri container.
JIBRI_RECORDING_DIR=/config/recordings
# The finalizing script. Will run after recording is complete.
JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh
# XMPP user for Jibri client connections.
JIBRI_XMPP_USER={{ jitsi_jibri_xmpp_user }}
# XMPP password for Jibri client connections.
# XMPP password for Jibri client connections
JIBRI_XMPP_PASSWORD={{ jitsi_jibri_xmpp_password }}
# MUC name for the Jibri pool.
JIBRI_BREWERY_MUC=jibribrewery
#
# Docker Compose options
#
# MUC connection timeout
JIBRI_PENDING_TIMEOUT=90
# Container restart policy
# Defaults to unless-stopped
RESTART_POLICY=unless-stopped
# When jibri gets a request to start a service for a room, the room
# jid will look like: roomName@optional.prefixes.subdomain.xmpp_domain
# We'll build the url for the call by transforming that into:
# https://xmpp_domain/subdomain/roomName
# So if there are any prefixes in the jid (like jitsi meet, which
# has its participants join a muc at conference.xmpp_domain) then
# list that prefix here so it can be stripped out to generate
# the call url correctly.
JIBRI_STRIP_DOMAIN_JID=muc
# Directory for logs inside Jibri container.
JIBRI_LOGS_DIR=/config/logs
# Disable HTTPS. This can be useful if TLS connections are going to be handled outside of this setup.
#DISABLE_HTTPS=1
# Redirects HTTP traffic to HTTPS. Only works with the standard HTTPS port (443).
#ENABLE_HTTP_REDIRECT=1
# Jitsi image version (useful for local development)
#JITSI_IMAGE_VERSION=latest

11
templates/etherpad.yml
View file

@ -1,10 +1,17 @@
version: '3'
version: '3.5'
services:
# Etherpad: real-time collaborative document editing
etherpad:
image: jitsi/etherpad
image: etherpad/etherpad:1.8.6
restart: ${RESTART_POLICY:-unless-stopped}
environment:
- TITLE=${ETHERPAD_TITLE}
- DEFAULT_PAD_TEXT=${ETHERPAD_DEFAULT_PAD_TEXT}
- SKIN_NAME=${ETHERPAD_SKIN_NAME}
- SKIN_VARIANTS=${ETHERPAD_SKIN_VARIANTS}
networks:
meet.jitsi:
aliases:
- etherpad.meet.jitsi

37
templates/jibri.yml
View file

@ -1,22 +1,22 @@
version: '3'
version: '3.5'
services:
jibri:
image: jitsi/jibri
image: jitsi/jibri:${JITSI_IMAGE_VERSION:-stable-7830}
restart: ${RESTART_POLICY:-unless-stopped}
volumes:
- ${CONFIG}/jibri:/config
- /dev/shm:/dev/shm
- ${CONFIG}/jibri:/config:Z
shm_size: '2gb'
cap_add:
- SYS_ADMIN
- NET_BIND_SERVICE
devices:
- /dev/snd:/dev/snd
environment:
- XMPP_AUTH_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_RECORDER_DOMAIN
- XMPP_SERVER
- XMPP_DOMAIN
- CHROMIUM_FLAGS
- DISPLAY=:0
- ENABLE_STATS_D
- JIBRI_HTTP_API_EXTERNAL_PORT
- JIBRI_HTTP_API_INTERNAL_PORT
- JIBRI_RECORDING_RESOLUTION
- JIBRI_USAGE_TIMEOUT
- JIBRI_XMPP_USER
- JIBRI_XMPP_PASSWORD
- JIBRI_BREWERY_MUC
@ -25,9 +25,18 @@ services:
- JIBRI_RECORDING_DIR
- JIBRI_FINALIZE_RECORDING_SCRIPT_PATH
- JIBRI_STRIP_DOMAIN_JID
- JIBRI_LOGS_DIR
- DISPLAY=:0
- PUBLIC_URL
- TZ
- XMPP_AUTH_DOMAIN
- XMPP_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_RECORDER_DOMAIN
- XMPP_SERVER
- XMPP_PORT
- XMPP_TRUST_ALL_CERTS
depends_on:
- jicofo
networks:
meet.jitsi:

26
templates/jigasi.yml
View file

@ -3,24 +3,31 @@ version: '3'
services:
# SIP gateway (audio)
jigasi:
image: jitsi/jigasi
image: jitsi/jigasi:${JITSI_IMAGE_VERSION:-stable-7830}
restart: ${RESTART_POLICY:-unless-stopped}
ports:
- '${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}:${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}/udp'
- '${JIGASI_PORT_MIN:-20000}-${JIGASI_PORT_MAX:-20050}:${JIGASI_PORT_MIN:-20000}-${JIGASI_PORT_MAX:-20050}/udp'
volumes:
- ${CONFIG}/jigasi:/config
- ${CONFIG}/transcripts:/tmp/transcripts
- ${CONFIG}/jigasi:/config:Z
- ${CONFIG}/transcripts:/tmp/transcripts:Z
environment:
- ENABLE_AUTH
- ENABLE_GUESTS
- XMPP_AUTH_DOMAIN
- XMPP_GUEST_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_SERVER
- XMPP_PORT
- XMPP_DOMAIN
- PUBLIC_URL
- JIGASI_DISABLE_SIP
- JIGASI_SIP_URI
- JIGASI_SIP_PASSWORD
- JIGASI_SIP_SERVER
- JIGASI_SIP_PORT
- JIGASI_SIP_TRANSPORT
- JIGASI_SIP_DEFAULT_ROOM
- JIGASI_XMPP_USER
- JIGASI_XMPP_PASSWORD
- JIGASI_BREWERY_MUC
@ -34,9 +41,18 @@ services:
- JIGASI_TRANSCRIBER_ADVERTISE_URL
- JIGASI_TRANSCRIBER_RECORD_AUDIO
- JIGASI_TRANSCRIBER_SEND_TXT
- GOOGLE_APPLICATION_CREDENTIALS
- GC_PROJECT_ID
- GC_PRIVATE_KEY_ID
- GC_PRIVATE_KEY
- GC_CLIENT_EMAIL
- GC_CLIENT_ID
- GC_CLIENT_CERT_URL
- SENTRY_DSN="${JIGASI_SENTRY_DSN:-0}"
- SENTRY_ENVIRONMENT
- SENTRY_RELEASE
- TZ
depends_on:
- prosody
networks:
meet.jitsi: