diff --git a/coturn/coturn.container b/coturn/coturn.container
new file mode 100644
index 0000000..d0e4a58
--- /dev/null
+++ b/coturn/coturn.container
@@ -0,0 +1,17 @@
+[Unit]
+Description=Coturn Container
+
+[Container]
+Pod=nginx-proxy.pod
+ContainerName=coturn
+Image=docker.io/coturn/coturn:alpine
+
+# Enable auto-update container
+AutoUpdate=registry
+
+[Service]
+Restart=always
+TimeoutStartSec=300
+
+[Install]
+WantedBy=default.target
diff --git a/jitsi/env.example b/jitsi/env.example
new file mode 100644
index 0000000..07eae6a
--- /dev/null
+++ b/jitsi/env.example
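Review bot: The unit mounts no configuration and passes no environment, so `turnserver` runs with whatever defaults the `coturn/coturn:alpine` image ships — there is no `Volume=` for a turnserver.conf and no `Environment=`/`EnvironmentFile=` carrying a realm or auth secret, and `nginx-proxy.pod` is not part of this commit, so it cannot be seen whether a config reaches the container some other way. A TURN relay reachable without credentials lets anyone proxy traffic through the host, so I would add a `Volume=` line bind-mounting your turnserver.conf read-only at the path the image documents, with `lt-cred-mech`/`static-auth-secret` set, before this pod publishes the relay ports. Separately, `AutoUpdate=registry` on the floating `:alpine` tag means any new push to that tag is pulled and restarted with no review; pin a versioned tag (`Image=docker.io/coturn/coturn:<version>-alpine`) so that updates are deliberate.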
@@ -0,0 +1,227 @@
+# shellcheck disable=SC2034
+
+################################################################################
+################################################################################
+# Welcome to the Jitsi Meet Docker setup!
+#
+# This sample .env file contains some basic options to get you started.
+# The full options reference can be found here:
+# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker
+################################################################################
+################################################################################
+
+
+#
+# Basic configuration options
+#
+
+# Directory where all configuration will be stored
+CONFIG=~/.jitsi-meet-cfg
+
+# Exposed HTTP port (will redirect to HTTPS port)
+HTTP_PORT=8000
+
+# Exposed HTTPS port
+HTTPS_PORT=8443
+
+# System time zone
+TZ=UTC
+
+# Public URL for the web service (required)
+# Keep in mind that if you use a non-standard HTTPS port, it has to appear in the public URL
+#PUBLIC_URL=https://meet.example.com:${HTTPS_PORT}
+
+# Media IP addresses to advertise by the JVB
+# This setting deprecates DOCKER_HOST_ADDRESS, and supports a comma separated list of IPs
+# See the "Running behind NAT or on a LAN environment" section in the Handbook:
+# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment
+#JVB_ADVERTISE_IPS=192.168.1.1,1.2.3.4
+
+#
+# Memory limits for Java components
+#
+
+#JICOFO_MAX_MEMORY=3072m
+#VIDEOBRIDGE_MAX_MEMORY=3072m
+
+#
+# JaaS Components (beta)
+# https://jaas.8x8.vc
+#
+
+# Enable JaaS Components (hosted Jigasi)
+# NOTE: if Let's Encrypt is enabled a JaaS account will be automatically created, using the provided email in LETSENCRYPT_EMAIL
+#ENABLE_JAAS_COMPONENTS=0
+
+#
+# Let's Encrypt configuration
+#
+
+# Enable Let's Encrypt certificate generation
+#ENABLE_LETSENCRYPT=1
+
+# Domain for which to generate the certificate 
+#LETSENCRYPT_DOMAIN=meet.example.com
+
+# E-Mail for receiving important account notifications (mandatory)
+#LETSENCRYPT_EMAIL=alice@atlanta.net
+
+# Use the staging server (for avoiding rate limits while testing)
+#LETSENCRYPT_USE_STAGING=1
+
+# Set ACME server. Default is zerossl, you can peek one at https://github.com/acmesh-official/acme.sh/wiki/Server
+#LETSENCRYPT_ACME_SERVER="letsencrypt"
+
+#
+# Etherpad integration (for document sharing)
+#
+
+# Set the etherpad-lite URL in the docker local network (uncomment to enable)
+#ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001
+
+# Set etherpad-lite public URL, including /p/ pad path fragment (uncomment to enable)
+#ETHERPAD_PUBLIC_URL=https://etherpad.my.domain/p/
+
+
+#
+# Whiteboard integration
+#
+
+# Set the excalidraw-backend URL in the docker local network (uncomment to enable)
+#WHITEBOARD_COLLAB_SERVER_URL_BASE=http://whiteboard.meet.jitsi
+
+# Set the excalidraw-backend public URL (uncomment to enable)
+#WHITEBOARD_COLLAB_SERVER_PUBLIC_URL=https://whiteboard.meet.my.domain
+
+
+#
+# Basic Jigasi configuration options (needed for SIP gateway support)
+#
+
+# SIP URI for incoming / outgoing calls
+#JIGASI_SIP_URI=test@sip2sip.info
+
+# Password for the specified SIP account as a clear text
+#JIGASI_SIP_PASSWORD=passw0rd
+
+# SIP server (use the SIP account domain if in doubt)
+#JIGASI_SIP_SERVER=sip2sip.info
+
+# SIP server port
+#JIGASI_SIP_PORT=5060
+
+# SIP server transport
+#JIGASI_SIP_TRANSPORT=UDP
+
+
+#
+# Authentication configuration (see handbook for details)
+#
+
+# Enable authentication (will ask for login and password to join the meeting)
+#ENABLE_AUTH=1
+
+# Enable guest access (if authentication is enabled, this allows for users to be held in lobby until registered user lets them in)
+#ENABLE_GUESTS=1
+
+# Select authentication type: internal, jwt, ldap or matrix
+#AUTH_TYPE=internal
+
+# JWT authentication
+#
+
+# Application identifier
+#JWT_APP_ID=my_jitsi_app_id
+
+# Application secret 
known only to your token generator
+#JWT_APP_SECRET=my_jitsi_app_secret
+
+# (Optional) Set asap_accepted_issuers as a comma separated list
+#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client
+
+# (Optional) Set asap_accepted_audiences as a comma separated list
+#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2
+
+# LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page)
+#
+
+# LDAP url for connection
+#LDAP_URL=ldaps://ldap.domain.com/
+
+# LDAP base DN. Can be empty
+#LDAP_BASE=DC=example,DC=domain,DC=com
+
+# LDAP user DN. Do not specify this parameter for the anonymous bind
+#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
+
+# LDAP user password. Do not specify this parameter for the anonymous bind
+#LDAP_BINDPW=LdapUserPassw0rd
+
+# LDAP filter. Tokens example:
+# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail
+# %s - %s is replaced by the complete service string
+# %r - %r is replaced by the complete realm string
+#LDAP_FILTER=(sAMAccountName=%u)
+
+# LDAP authentication method
+#LDAP_AUTH_METHOD=bind
+
+# LDAP version
+#LDAP_VERSION=3
+
+# LDAP TLS using
+#LDAP_USE_TLS=1
+
+# List of SSL/TLS ciphers to allow
+#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
+
+# Require and verify server certificate
+#LDAP_TLS_CHECK_PEER=1
+
+# Path to CA cert file. Used when server certificate verify is enabled
+#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt
+
+# Path to CA certs directory. 
Used when server certificate verify is enabled
+#LDAP_TLS_CACERT_DIR=/etc/ssl/certs
+
+# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps://
+# LDAP_START_TLS=1
+
+
+#
+# Security
+#
+# Set these to strong passwords to avoid intruders from impersonating a service account
+# The service(s) won't start unless these are specified
+# Running ./gen-passwords.sh will update .env with strong passwords
+# You may skip the Jigasi and Jibri passwords if you are not using those
+# DO NOT reuse passwords
+#
+
+# XMPP password for Jicofo client connections
+JICOFO_AUTH_PASSWORD=
+
+# XMPP password for JVB client connections
+JVB_AUTH_PASSWORD=
+
+# XMPP password for Jigasi MUC client connections
+JIGASI_XMPP_PASSWORD=
+
+# XMPP password for Jigasi transcriber client connections
+JIGASI_TRANSCRIBER_PASSWORD=
+
+# XMPP recorder password for Jibri client connections
+JIBRI_RECORDER_PASSWORD=
+
+# XMPP password for Jibri client connections
+JIBRI_XMPP_PASSWORD=
+
+#
+# Docker Compose options
+#
+
+# Container restart policy
+#RESTART_POLICY=unless-stopped
+
+# Jitsi image version (useful for local development)
+#JITSI_IMAGE_VERSION=latest
diff --git a/jitsi/gen-passwords.sh b/jitsi/gen-passwords.sh
new file mode 100755
index 0000000..a499e55
--- /dev/null
+++ b/jitsi/gen-passwords.sh
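Review bot: The authentication block leaves `ENABLE_AUTH`, `ENABLE_GUESTS` and `AUTH_TYPE` commented out, so a `.env` copied from this template brings the stack up in whatever the images' default mode is, and the file's own comment says the login prompt only appears once `ENABLE_AUTH` is set — for anything reachable beyond a LAN that means anyone with the URL can create rooms. I would make the template fail safe by shipping `ENABLE_AUTH=1` and `AUTH_TYPE=internal` uncommented, so an operator has to opt out of authentication rather than into it. The Security section also says nothing about the file itself, which after `gen-passwords.sh` holds six live XMPP secrets; add `# .env is a secrets file once populated: keep it out of version control and chmod 600 it` next to the `DO NOT reuse passwords` line.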
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+function generatePassword() {
+ openssl rand -hex 16
+}
+
+JICOFO_AUTH_PASSWORD=$(generatePassword)
+JVB_AUTH_PASSWORD=$(generatePassword)
+JIGASI_XMPP_PASSWORD=$(generatePassword)
+JIBRI_RECORDER_PASSWORD=$(generatePassword)
+JIBRI_XMPP_PASSWORD=$(generatePassword)
+JIGASI_TRANSCRIBER_PASSWORD=$(generatePassword)
+
+sed -i.bak \
+ -e "s#JICOFO_AUTH_PASSWORD=.*#JICOFO_AUTH_PASSWORD=${JICOFO_AUTH_PASSWORD}#g" \
+ -e "s#JVB_AUTH_PASSWORD=.*#JVB_AUTH_PASSWORD=${JVB_AUTH_PASSWORD}#g" \
+ -e "s#JIGASI_XMPP_PASSWORD=.*#JIGASI_XMPP_PASSWORD=${JIGASI_XMPP_PASSWORD}#g" \
+ -e "s#JIBRI_RECORDER_PASSWORD=.*#JIBRI_RECORDER_PASSWORD=${JIBRI_RECORDER_PASSWORD}#g" \
+ -e "s#JIBRI_XMPP_PASSWORD=.*#JIBRI_XMPP_PASSWORD=${JIBRI_XMPP_PASSWORD}#g" \
+ -e "s#JIGASI_TRANSCRIBER_PASSWORD=.*#JIGASI_TRANSCRIBER_PASSWORD=${JIGASI_TRANSCRIBER_PASSWORD}#g" \
+ "$(dirname "$0")/.env"
diff --git a/jitsi/jitsi-jicofo.container b/jitsi/jitsi-jicofo.container
new file mode 100644
index 0000000..726539a
--- /dev/null
+++ b/jitsi/jitsi-jicofo.container
@@ -0,0 +1,21 @@
+[Unit]
+Description=Jitsi Jicofo
+Requires=jitsi-prosody.service
+After=jitsi-prosody.service
+
+[Container]
+Pod=jitsi.pod
+ContainerName=jitsi-jicofo
+Image=docker.io/jitsi/jicofo:stable
+EnvironmentFile=./.env
+AutoUpdate=registry
+Volume=${CONFIG}/jicofo:/config
+
+[Service]
+EnvironmentFile=%h/.config/containers/systemd/jitsi/.env
+Restart=always
+TimeoutStartSec=300
+
+[Install]
+WantedBy=default.target
+
diff --git a/jitsi/jitsi-jvb.container b/jitsi/jitsi-jvb.container
new file mode 100644
index 0000000..06ce7cb
--- /dev/null
+++ b/jitsi/jitsi-jvb.container
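Review bot: `sed -i.bak` on the `.env` leaves a `.env.bak` beside the live file that still holds the previous set of XMPP passwords, so every re-run of the script doubles the places a secret lives and the old copy is never cleaned up; drop the suffix and `chmod 600` the result. There is also no `set -euo pipefail` and no check that `openssl` exists: if `openssl rand` fails, `generatePassword` prints nothing, the `sed` lines happily write `JICOFO_AUTH_PASSWORD=` and the script exits 0, leaving the operator with exactly the empty values the env template warns will stop the services. The fence shows the guards; the six `-e` substitutions are unchanged apart from the `-i` flag and the target variable.
```shell
#!/usr/bin/env bash
set -euo pipefail

# Abort rather than silently write empty passwords when openssl is missing.
command -v openssl >/dev/null || { printf 'openssl not found\n' >&2; exit 1; }

env_file="$(dirname "$0")/.env"
[[ -f "$env_file" ]] || { printf 'missing %s\n' "$env_file" >&2; exit 1; }

# … unchanged: generatePassword and the six *_PASSWORD=$(generatePassword) lines …

# -i with no suffix: a .env.bak would leave the previous secrets readable on disk.
sed -i \
  # … unchanged: the six -e substitutions …
  "$env_file"
chmod 600 "$env_file"
```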
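Review bot: `Volume=${CONFIG}/jicofo:/config` only works because the `[Service] EnvironmentFile=` line loads `.env` into the unit's environment so systemd can expand `${CONFIG}` in the generated ExecStart, yet the `env.example` in this same commit sets `CONFIG=~/.jitsi-meet-cfg`, and systemd performs no tilde expansion on EnvironmentFile values; unless the real `.env` uses an absolute path, podman receives a literal `~/.jitsi-meet-cfg/jicofo` as the bind source. Either document that in the unit (`# CONFIG must be an absolute path: systemd does not expand ~ in EnvironmentFile`) or write `Volume=%h/.jitsi-meet-cfg/jicofo:/config` and drop the `[Service]` EnvironmentFile, since systemd expands specifiers in ExecStart anyway. Loading the whole `.env` into the service environment also exposes every component's XMPP password — JVB, Jibri, Jigasi, not just jicofo's — via `systemctl --user show jitsi-jicofo -p Environment`, which is more than this container needs.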
@@ -0,0 +1,21 @@
+[Unit]
+Description=Jitsi VideoBridge
+Requires=jitsi-prosody.service
+After=jitsi-prosody.service
+
+[Container]
+Pod=jitsi.pod
+ContainerName=jitsi-jvb
+Image=docker.io/jitsi/jvb:stable
+EnvironmentFile=./.env
+AutoUpdate=registry
+Volume=${CONFIG}/jvb:/config
+
+[Service]
+EnvironmentFile=%h/.config/containers/systemd/jitsi/.env
+Restart=always
+TimeoutStartSec=300
+
+[Install]
+WantedBy=default.target
+
diff --git a/jitsi/jitsi-prosody.container b/jitsi/jitsi-prosody.container
new file mode 100644
index 0000000..88382a3
--- /dev/null
+++ b/jitsi/jitsi-prosody.container
@@ -0,0 +1,20 @@
+[Unit]
+Description=Jitsi Prosody XMPP Server
+
+[Container]
+Pod=jitsi.pod
+ContainerName=jitsi-prosody
+Image=docker.io/jitsi/prosody:stable
+EnvironmentFile=./.env
+AutoUpdate=registry
+Volume=${CONFIG}/prosody/config:/config
+Volume=${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom
+
+[Service]
+EnvironmentFile=%h/.config/containers/systemd/jitsi/.env
+Restart=always
+TimeoutStartSec=300
+
+[Install]
+WantedBy=default.target
+
diff --git a/jitsi/jitsi-web.container b/jitsi/jitsi-web.container
new file mode 100644
index 0000000..1fc385e
--- /dev/null
+++ b/jitsi/jitsi-web.container
@@ -0,0 +1,24 @@
+[Unit]
+Description=Jitsi Web UI
+Requires=jitsi-jvb.container
+After=jitsi-jvb.container
+
+[Container]
+Pod=jitsi.pod
+ContainerName=jitsi-web
+Image=docker.io/jitsi/web:stable
+EnvironmentFile=./.env
+AutoUpdate=registry
+Volume=${CONFIG}/web:/config
+Volume=${CONFIG}/web/crontabs:/var/spool/cron/crontabs
+Volume=${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts
+Volume=${CONFIG}/web/load-test:/usr/share/jitsi-meet/load-test
+
+[Service]
+EnvironmentFile=%h/.config/containers/systemd/jitsi/.env
+Restart=always
+TimeoutStartSec=300
+
+[Install]
+WantedBy=default.target
+
diff --git a/jitsi/jitsi.pod b/jitsi/jitsi.pod
new file mode 100644
index 0000000..1d02534
--- /dev/null
+++ b/jitsi/jitsi.pod
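Review bot: `Image=docker.io/jitsi/jvb:stable` together with `AutoUpdate=registry` lets this bridge be upgraded on its own whenever the `stable` tag moves, while prosody, jicofo and web sit in separate units with their own auto-update; jitsi publishes the four images as a matched set, and a bridge that moves ahead of or behind jicofo/prosody mid-rollout is a compatibility failure that `Restart=always` will then loop on. Pin one build tag in all four units, e.g. `Image=docker.io/jitsi/jvb:stable-<build>`, and bump them together so an upgrade is a single deliberate change. Worth a comment here as well: `JVB_ADVERTISE_IPS` in `env.example` is commented out, and a bridge inside a pod that advertises its container-side address will most likely not get media through from outside the host.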
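Review bot: `Volume=${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom` turns a host directory into a module load path for the XMPP server that holds every service account from `.env`: whatever Lua lands there runs inside the container on the next restart, so that directory must be owned by the service user and writable by nobody else — the readme's `mkdir -p` creates it with whatever the umask allows. Add `# anything in prosody-plugins-custom is loaded as code by prosody: keep it 0700 and review additions` above the line, and mount it read-only (`Volume=${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:ro`) since the unit gives prosody no reason to write there. The same tilde/absolute-path caveat for `${CONFIG}` that applies to the other units applies to both `Volume=` lines here.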
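Review bot: `Requires=jitsi-jvb.container` / `After=jitsi-jvb.container` name the Quadlet source file, whereas the jicofo and jvb units in this commit depend on `jitsi-prosody.service`, the name systemd actually knows; unless your podman's Quadlet rewrites `.container` references in `[Unit]` (recent releases do), systemd sees an unknown unit and the ordering is silently lost or the start fails. Use `Requires=jitsi-jvb.service` / `After=jitsi-jvb.service` for consistency with the sibling units. Note also `Volume=${CONFIG}/transcripts:...` while the readme's `mkdir -p` creates `web/transcripts`: one of the two is wrong, and because podman creates a missing bind source as an empty directory the mismatch will go unnoticed until transcripts end up somewhere nobody is looking.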
@@ -0,0 +1,10 @@
+[Unit]
+Description=Jitsi Pod
+
+[Pod]
+PodName=jitsi
+PublishPort=8000:80
+PublishPort=10000:10000
+AddHost=meet.jitsi:127.0.0.1
+AddHost=xmpp.meet.jitsi:127.0.0.1
+AddHost=jvb.meet.jitsi:127.0.0.1
diff --git a/jitsi/readme.md b/jitsi/readme.md
new file mode 100644
index 0000000..126b739
--- /dev/null
+++ b/jitsi/readme.md
@@ -0,0 +1,18 @@
+# Jitsi
+
+This directory contains all the stack required to setup Jitsi
+
+## Instructions
+
+- Create folders in directory specified in .env
+ ```sh
+ mkdir -p ${CONFIG}/{jicofo,jvb,prosody/config,prosody/prosody-plugins-custom,web/crontabs,web/transcripts,web/load-test}
+ ```
+
+- Add this line in /etc/hosts to make the nginx in pod not shitting itself out
+ ```sh
+ 127.0.0.1 xmpp.meet.jitsi
+ ```
+
+## Major Problem
+- None, this is the only service that deployed painlessly. 😭
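Review bot: `PublishPort=10000:10000` publishes TCP only — a port with no `/udp` suffix defaults to TCP — but 10000 is the bridge's media port and WebRTC media is carried over UDP, so with this pod definition no media reaches JVB from outside the host; it should read `PublishPort=10000:10000/udp` (add a TCP line only if you enable the bridge's TCP fallback). `PublishPort=8000:80` also binds a plain-HTTP listener on every interface while `HTTPS_PORT=8443` from `env.example` is never published; if the intent is that the `nginx-proxy.pod` referenced by the coturn unit terminates TLS in front, bind to loopback (`PublishPort=127.0.0.1:8000:80`) so the unencrypted listener is not reachable directly. The `AddHost=` entries pointing at 127.0.0.1 are fine inside a pod, since all four containers share its network namespace.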