feat: jitsi and coturn

2025-12-20 03:45:16 +05:30 · 2025-05-04 02:04:30 +05:30
parent d4688d519c
commit d3aca449d2
9 changed files with 379 additions and 0 deletions
--- a/jitsi/env.example
+++ b/jitsi/env.example
@@ -0,0 +1,227 @@
+# shellcheck disable=SC2034
+
+################################################################################
+################################################################################
+# Welcome to the Jitsi Meet Docker setup!
+#
+# This sample .env file contains some basic options to get you started.
+# The full options reference can be found here:
+# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker
+################################################################################
+################################################################################
+
+
+#
+# Basic configuration options
+#
+
+# Directory where all configuration will be stored
+CONFIG=~/.jitsi-meet-cfg
+
+# Exposed HTTP port (will redirect to HTTPS port)
+HTTP_PORT=8000
+
+# Exposed HTTPS port
+HTTPS_PORT=8443
+
+# System time zone
+TZ=UTC
+
+# Public URL for the web service (required)
+# Keep in mind that if you use a non-standard HTTPS port, it has to appear in the public URL
+#PUBLIC_URL=https://meet.example.com:${HTTPS_PORT}
+
+# Media IP addresses to advertise by the JVB
+# This setting deprecates DOCKER_HOST_ADDRESS, and supports a comma separated list of IPs
+# See the "Running behind NAT or on a LAN environment" section in the Handbook:
+# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment
+#JVB_ADVERTISE_IPS=192.168.1.1,1.2.3.4
+
+#
+# Memory limits for Java components
+#
+
+#JICOFO_MAX_MEMORY=3072m
+#VIDEOBRIDGE_MAX_MEMORY=3072m
+
+#
+# JaaS Components (beta)
+# https://jaas.8x8.vc
+#
+
+# Enable JaaS Components (hosted Jigasi)
+# NOTE: if Let's Encrypt is enabled a JaaS account will be automatically created, using the provided email in LETSENCRYPT_EMAIL
+#ENABLE_JAAS_COMPONENTS=0
+
+#
+# Let's Encrypt configuration
+#
+
+# Enable Let's Encrypt certificate generation
+#ENABLE_LETSENCRYPT=1
+
+# Domain for which to generate the certificate
+#LETSENCRYPT_DOMAIN=meet.example.com
+
+# E-Mail for receiving important account notifications (mandatory)
+#LETSENCRYPT_EMAIL=alice@atlanta.net
+
+# Use the staging server (for avoiding rate limits while testing)
+#LETSENCRYPT_USE_STAGING=1
+
+# Set ACME server. Default is zerossl, you can peek one at https://github.com/acmesh-official/acme.sh/wiki/Server
+#LETSENCRYPT_ACME_SERVER="letsencrypt"
+
+#
+# Etherpad integration (for document sharing)
+#
+
+# Set the etherpad-lite URL in the docker local network (uncomment to enable)
+#ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001
+
+# Set etherpad-lite public URL, including /p/ pad path fragment (uncomment to enable)
+#ETHERPAD_PUBLIC_URL=https://etherpad.my.domain/p/
+
+
+#
+# Whiteboard integration
+#
+
+# Set the excalidraw-backend URL in the docker local network (uncomment to enable)
+#WHITEBOARD_COLLAB_SERVER_URL_BASE=http://whiteboard.meet.jitsi
+
+# Set the excalidraw-backend public URL (uncomment to enable)
+#WHITEBOARD_COLLAB_SERVER_PUBLIC_URL=https://whiteboard.meet.my.domain
+
+
+#
+# Basic Jigasi configuration options (needed for SIP gateway support)
+#
+
+# SIP URI for incoming / outgoing calls
+#JIGASI_SIP_URI=test@sip2sip.info
+
+# Password for the specified SIP account as a clear text
+#JIGASI_SIP_PASSWORD=passw0rd
+
+# SIP server (use the SIP account domain if in doubt)
+#JIGASI_SIP_SERVER=sip2sip.info
+
+# SIP server port
+#JIGASI_SIP_PORT=5060
+
+# SIP server transport
+#JIGASI_SIP_TRANSPORT=UDP
+
+
+#
+# Authentication configuration (see handbook for details)
+#
+
+# Enable authentication (will ask for login and password to join the meeting)
+#ENABLE_AUTH=1
+
+# Enable guest access (if authentication is enabled, this allows for users to be held in lobby until registered user lets them in)
+#ENABLE_GUESTS=1
+
+# Select authentication type: internal, jwt, ldap or matrix
+#AUTH_TYPE=internal
+
+# JWT authentication
+#
+
+# Application identifier
+#JWT_APP_ID=my_jitsi_app_id
+
+# Application secret known only to your token generator
+#JWT_APP_SECRET=my_jitsi_app_secret
+
+# (Optional) Set asap_accepted_issuers as a comma separated list
+#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client
+
+# (Optional) Set asap_accepted_audiences as a comma separated list
+#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2
+
+# LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page)
+#
+
+# LDAP url for connection
+#LDAP_URL=ldaps://ldap.domain.com/
+
+# LDAP base DN. Can be empty
+#LDAP_BASE=DC=example,DC=domain,DC=com
+
+# LDAP user DN. Do not specify this parameter for the anonymous bind
+#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
+
+# LDAP user password. Do not specify this parameter for the anonymous bind
+#LDAP_BINDPW=LdapUserPassw0rd
+
+# LDAP filter. Tokens example:
+# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail
+# %s - %s is replaced by the complete service string
+# %r - %r is replaced by the complete realm string
+#LDAP_FILTER=(sAMAccountName=%u)
+
+# LDAP authentication method
+#LDAP_AUTH_METHOD=bind
+
+# LDAP version
+#LDAP_VERSION=3
+
+# LDAP TLS using
+#LDAP_USE_TLS=1
+
+# List of SSL/TLS ciphers to allow
+#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
+
+# Require and verify server certificate
+#LDAP_TLS_CHECK_PEER=1
+
+# Path to CA cert file. Used when server certificate verify is enabled
+#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt
+
+# Path to CA certs directory. Used when server certificate verify is enabled
+#LDAP_TLS_CACERT_DIR=/etc/ssl/certs
+
+# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps://
+# LDAP_START_TLS=1
+
+
+#
+# Security
+#
+# Set these to strong passwords to avoid intruders from impersonating a service account
+# The service(s) won't start unless these are specified
+# Running ./gen-passwords.sh will update .env with strong passwords
+# You may skip the Jigasi and Jibri passwords if you are not using those
+# DO NOT reuse passwords
+#
+
+# XMPP password for Jicofo client connections
+JICOFO_AUTH_PASSWORD=
+
+# XMPP password for JVB client connections
+JVB_AUTH_PASSWORD=
+
+# XMPP password for Jigasi MUC client connections
+JIGASI_XMPP_PASSWORD=
+
+# XMPP password for Jigasi transcriber client connections
+JIGASI_TRANSCRIBER_PASSWORD=
+
+# XMPP recorder password for Jibri client connections
+JIBRI_RECORDER_PASSWORD=
+
+# XMPP password for Jibri client connections
+JIBRI_XMPP_PASSWORD=
+
+#
+# Docker Compose options
+#
+
+# Container restart policy
+#RESTART_POLICY=unless-stopped
+
+# Jitsi image version (useful for local development)
+#JITSI_IMAGE_VERSION=latest
--- a/jitsi/gen-passwords.sh
+++ b/jitsi/gen-passwords.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+function generatePassword() {
+    openssl rand -hex 16
+}
+
+JICOFO_AUTH_PASSWORD=$(generatePassword)
+JVB_AUTH_PASSWORD=$(generatePassword)
+JIGASI_XMPP_PASSWORD=$(generatePassword)
+JIBRI_RECORDER_PASSWORD=$(generatePassword)
+JIBRI_XMPP_PASSWORD=$(generatePassword)
+JIGASI_TRANSCRIBER_PASSWORD=$(generatePassword)
+
+sed -i.bak \
+    -e "s#JICOFO_AUTH_PASSWORD=.*#JICOFO_AUTH_PASSWORD=${JICOFO_AUTH_PASSWORD}#g" \
+    -e "s#JVB_AUTH_PASSWORD=.*#JVB_AUTH_PASSWORD=${JVB_AUTH_PASSWORD}#g" \
+    -e "s#JIGASI_XMPP_PASSWORD=.*#JIGASI_XMPP_PASSWORD=${JIGASI_XMPP_PASSWORD}#g" \
+    -e "s#JIBRI_RECORDER_PASSWORD=.*#JIBRI_RECORDER_PASSWORD=${JIBRI_RECORDER_PASSWORD}#g" \
+    -e "s#JIBRI_XMPP_PASSWORD=.*#JIBRI_XMPP_PASSWORD=${JIBRI_XMPP_PASSWORD}#g" \
+    -e "s#JIGASI_TRANSCRIBER_PASSWORD=.*#JIGASI_TRANSCRIBER_PASSWORD=${JIGASI_TRANSCRIBER_PASSWORD}#g" \
+    "$(dirname "$0")/.env"
--- a/jitsi/jitsi-jicofo.container
+++ b/jitsi/jitsi-jicofo.container
@@ -0,0 +1,21 @@
+[Unit]
+Description=Jitsi Jicofo
+Requires=jitsi-prosody.service
+After=jitsi-prosody.service
+
+[Container]
+Pod=jitsi.pod
+ContainerName=jitsi-jicofo
+Image=docker.io/jitsi/jicofo:stable
+EnvironmentFile=./.env
+AutoUpdate=registry
+Volume=${CONFIG}/jicofo:/config
+
+[Service]
+EnvironmentFile=%h/.config/containers/systemd/jitsi/.env
+Restart=always
+TimeoutStartSec=300
+
+[Install]
+WantedBy=default.target
+
--- a/jitsi/jitsi-jvb.container
+++ b/jitsi/jitsi-jvb.container
@@ -0,0 +1,21 @@
+[Unit]
+Description=Jitsi VideoBridge
+Requires=jitsi-prosody.service
+After=jitsi-prosody.service
+
+[Container]
+Pod=jitsi.pod
+ContainerName=jitsi-jvb
+Image=docker.io/jitsi/jvb:stable
+EnvironmentFile=./.env
+AutoUpdate=registry
+Volume=${CONFIG}/jvb:/config
+
+[Service]
+EnvironmentFile=%h/.config/containers/systemd/jitsi/.env
+Restart=always
+TimeoutStartSec=300
+
+[Install]
+WantedBy=default.target
+
--- a/jitsi/jitsi-prosody.container
+++ b/jitsi/jitsi-prosody.container
@@ -0,0 +1,20 @@
+[Unit]
+Description=Jitsi Prosody XMPP Server
+
+[Container]
+Pod=jitsi.pod
+ContainerName=jitsi-prosody
+Image=docker.io/jitsi/prosody:stable
+EnvironmentFile=./.env
+AutoUpdate=registry
+Volume=${CONFIG}/prosody/config:/config
+Volume=${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom
+
+[Service]
+EnvironmentFile=%h/.config/containers/systemd/jitsi/.env
+Restart=always
+TimeoutStartSec=300
+
+[Install]
+WantedBy=default.target
+
--- a/jitsi/jitsi-web.container
+++ b/jitsi/jitsi-web.container
@@ -0,0 +1,24 @@
+[Unit]
+Description=Jitsi Web UI
+Requires=jitsi-jvb.container
+After=jitsi-jvb.container
+
+[Container]
+Pod=jitsi.pod
+ContainerName=jitsi-web
+Image=docker.io/jitsi/web:stable
+EnvironmentFile=./.env
+AutoUpdate=registry
+Volume=${CONFIG}/web:/config
+Volume=${CONFIG}/web/crontabs:/var/spool/cron/crontabs
+Volume=${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts
+Volume=${CONFIG}/web/load-test:/usr/share/jitsi-meet/load-test
+
+[Service]
+EnvironmentFile=%h/.config/containers/systemd/jitsi/.env
+Restart=always
+TimeoutStartSec=300
+
+[Install]
+WantedBy=default.target
+
--- a/jitsi/jitsi.pod
+++ b/jitsi/jitsi.pod
@@ -0,0 +1,10 @@
+[Unit]
+Description=Jitsi Pod
+
+[Pod]
+PodName=jitsi
+PublishPort=8000:80
+PublishPort=10000:10000
+AddHost=meet.jitsi:127.0.0.1
+AddHost=xmpp.meet.jitsi:127.0.0.1
+AddHost=jvb.meet.jitsi:127.0.0.1
--- a/jitsi/readme.md
+++ b/jitsi/readme.md
@@ -0,0 +1,18 @@
+# Jitsi
+
+This directory contains all the stack required to setup Jitsi
+
+## Instructions
+
+- Create folders in directory specified in .env
+    ```sh
+        mkdir -p ${CONFIG}/{jicofo,jvb,prosody/config,prosody/prosody-plugins-custom,web/crontabs,web/transcripts,web/load-test}
+    ```
+
+- Add this line in /etc/hosts to make the nginx in pod not shitting itself out
+    ```sh
+        127.0.0.1 xmpp.meet.jitsi
+    ```
+
+## Major Problem
+- None, this is the only service that deployed painlessly. 😭