add jitsi role, remove xmpp role (prosody conflicting)

README.md

@@ -103,6 +103,7 @@ Create `A` and `AAAA` or `CNAME` records which point to your server's IP address
 * `comments.example.com` (for commento)
 * `iot.example.com` (for grafana)
 * `wiki.example.com` (for dokuwiki)
+* `jitsi.example.com` (for jitsi)
 
 #### Run the Ansible Playbooks
 

roles/jitsi/DESIGN.md

@@ -0,0 +1,12 @@
+# Design Description for Jitsi Role
+
+This role installs Jitsi using the official upstream Debian packages.
+
+Setup as described in:
+https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart
+
+Authentication according to:
+https://jitsi.github.io/handbook/docs/devops-guide/secure-domain
+
+This was used for the Apache config:
+https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet/jitsi-meet.example-apache

roles/jitsi/defaults/main.yml

@@ -0,0 +1,6 @@
+jitsi_subdomain: "jitsi"
+jitsi_domain: "{{ jitsi_subdomain }}.{{ domain }}"
+
+jitsi_accounts:
+  - name: "{{ main_user_name }}"
+    password: "{{ lookup('password', secret + '/' + 'jitsi_main_user_password length=32') }}"

roles/jitsi/handlers/main.yml

@@ -0,0 +1,9 @@
+- name: restart jitsi
+  command: systemctl restart {{ item }}
+  with_items:
+    - prosody
+    - jicofo
+    - jitsi-videobridge2
+
+- name: restart apache
+  service: name=apache2 state=restarted

roles/jitsi/tasks/jitsi.yml

@@ -0,0 +1,111 @@
+- name: Ensure repository key for Jitsi is in place
+  apt_key: url=https://download.jitsi.org/jitsi-key.gpg.key state=present
+  tags:
+    - dependencies
+
+- name: Add Jitsi repository
+  apt_repository: repo="deb https://download.jitsi.org stable/"
+  tags:
+    - dependencies
+
+- name: Set firewall rules for Jitsi TCP
+  ufw: rule=allow port={{ item }} proto=tcp
+  with_items:
+    - 80
+    - 443
+    - 22
+    - 5349
+  tags: ufw
+
+- name: Set firewall rules for Jitsi UDP
+  ufw: rule=allow port={{ item }} proto=udp
+  with_items:
+    - 10000
+    - 3478
+  tags: ufw
+
+- name: Set Jitsi Certificate Selection
+  debconf:
+    name: jitsi-meet
+    question: jitsi-meet/cert-choice
+    value: I want to use my own certificate
+    vtype: select
+
+- name: Set Jitsi Certificate Key
+  debconf:
+    name: jitsi-meet
+    question: jitsi-meet/cert-path-key
+    value: "/etc/letsencrypt/live/{{ domain }}/privkey.pem"
+    vtype: string
+
+- name: Set Jitsi Certificate
+  debconf:
+    name: jitsi-meet
+    question: jitsi-meet/cert-path-crt
+    value: "/etc/letsencrypt/live/{{ domain }}/fullchain.pem"
+    vtype: string
+
+- name: Set Jitsi Hostname
+  debconf:
+    name: "{{ item }}"
+    question: "{{ item }}/jvb-hostname"
+    value: "{{ jitsi_domain }}"
+    vtype: string
+  with_items:
+    - jitsi-meet
+    - jitsi-meet-prosody
+    - jitsi-videobridge
+
+- name: Install Jitsi and dependencies from official repository
+  apt:
+    name: "{{ packages }}"
+    state: present
+    update_cache: yes
+  vars:
+    packages:
+    - jitsi-meet
+  tags:
+    - dependencies
+
+- name: Create the Jitsi Prosody Config
+  template:
+    src=etc_prosody_conf.avail_jitsi_domain.cfg.lua.j2
+    dest=/etc/prosody/conf.avail/{{ jitsi_domain }}.cfg.lua
+    owner=root
+    group=root
+  notify: restart jitsi
+
+- name: Create the Jitsi Config
+  template:
+    src=etc_jitsi_meet_jitsi_domain-config.js.j2
+    dest=/etc/jitsi/meet/{{ jitsi_domain }}-config.js
+    owner=root
+    group=root
+  notify: restart jitsi
+
+- name: Create the Jicofo Config
+  template:
+    src=etc_jitsi_jicofo_sip-communicator.properties.j2
+    dest=/etc/jitsi/jicofo/sip-communicator.properties
+    owner=root
+    group=root
+  notify: restart jitsi
+
+- name: Create the Apache Jitsi sites config files
+  template:
+    src=etc_apache2_sites-available_jitsi.j2
+    dest=/etc/apache2/sites-available/jitsi_{{ item.name }}.conf
+    owner=root
+    group=root
+  with_items: "{{ virtual_domains }}"
+  notify: restart apache
+
+- name: Enable Apache sites (creates new sites-enabled symlinks)
+  command: a2ensite jitsi_{{ item }}.conf creates=/etc/apache2/sites-enabled/jitsi_{{ item }}.conf
+  notify: restart apache
+  with_items: "{{ virtual_domains | json_query('[*].name') }}"
+
+- name: Create Jitsi accounts
+  command: prosodyctl register {{ item.name }} {{ jitsi_domain }} {{ item.password }}
+  with_items: "{{ jitsi_accounts }}"
+  ignore_errors: True

roles/jitsi/tasks/main.yml

@@ -0,0 +1,2 @@
+---
+- include: jitsi.yml tags=jitsi

roles/jitsi/templates/etc_apache2_sites-available_jitsi.j2

@@ -0,0 +1,53 @@
+<VirtualHost *:80>
+    ServerName {{ jitsi_subdomain }}.{{ item.name }}
+
+    Redirect temp / https://{{ jitsi_subdomain }}.{{ item.name }}/
+</VirtualHost>
+
+<VirtualHost *:443>
+    ServerName {{ jitsi_subdomain }}.{{ item.name }}
+
+    # enable HTTP/2, if available
+    Protocols h2 http/1.1
+
+    SSLEngine               On
+    SSLProxyEngine          On
+
+    Header always set Strict-Transport-Security "max-age=63072000"
+
+    DocumentRoot "/usr/share/jitsi-meet"
+    <Directory "/usr/share/jitsi-meet">
+        Options Indexes MultiViews Includes FollowSymLinks
+        AddOutputFilter Includes html
+        AllowOverride All
+        Order allow,deny
+        Allow from all
+    </Directory>
+
+    ErrorDocument 404 /static/404.html
+
+    Alias "/config.js" "/etc/jitsi/meet/{{ jitsi_domain }}-config.js"
+    <Location /config.js>
+        Require all granted
+    </Location>
+
+    Alias "/external_api.js" "/usr/share/jitsi-meet/libs/external_api.min.js"
+    <Location /external_api.js>
+        Require all granted
+    </Location>
+
+    ProxyPreserveHost on
+    ProxyPass /http-bind http://localhost:5280/http-bind
+    ProxyPassReverse /http-bind http://localhost:5280/http-bind
+    ProxyPass /xmpp-websocket ws://localhost:5280/xmpp-websocket
+    ProxyPassReverse /xmpp-websocket ws://localhost:5280/xmpp-websocket
+    ProxyPass /colibri-ws/default-id ws://localhost:9090/colibri-ws/default-id
+    ProxyPassReverse /colibri-ws/default-id ws://localhost:9090/colibri-ws/default-id
+
+    RewriteEngine on
+    RewriteRule ^/([a-zA-Z0-9]+)$ /index.html
+
+    LogLevel                warn
+    ErrorLog                /var/log/apache2/jitsi.info-error_log
+    CustomLog               /var/log/apache2/jitsi.info-access_log common
+</VirtualHost>

roles/jitsi/templates/etc_jitsi_jicofo_sip-communicator.properties.j2

@@ -0,0 +1,2 @@
+org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.{{ jitsi_domain }}
+org.jitsi.jicofo.auth.URL=XMPP:{{ jitsi_domain }}

roles/jitsi/templates/etc_jitsi_meet_jitsi_domain-config.js.j2

@@ -0,0 +1,854 @@
+/* eslint-disable no-unused-vars, no-var */
+
+var config = {
+    // Connection
+    //
+
+    hosts: {
+        // XMPP domain.
+        domain: '{{ jitsi_domain }}',
+        anonymousdomain: 'guest.{{ jitsi_domain }}',
+
+        // When using authentication, domain for guest users.
+        // anonymousdomain: 'guest.example.com',
+
+        // Domain for authenticated users. Defaults to <domain>.
+        // authdomain: '{{ jitsi_domain }}',
+
+        // Focus component domain. Defaults to focus.<domain>.
+        // focus: 'focus.{{ jitsi_domain }}',
+
+        // XMPP MUC domain. FIXME: use XEP-0030 to discover it.
+        muc: 'conference.{{ jitsi_domain }}'
+    },
+
+    // BOSH URL. FIXME: use XEP-0156 to discover it.
+    bosh: '//{{ jitsi_domain }}/http-bind',
+
+    // Websocket URL
+    // websocket: 'wss://{{ jitsi_domain }}/xmpp-websocket',
+
+    // The name of client node advertised in XEP-0115 'c' stanza
+    clientNode: 'http://jitsi.org/jitsimeet',
+
+    // The real JID of focus participant - can be overridden here
+    // Do not change username - FIXME: Make focus username configurable
+    // https://github.com/jitsi/jitsi-meet/issues/7376
+    // focusUserJid: 'focus@auth.{{ jitsi_domain }}',
+
+
+    // Testing / experimental features.
+    //
+
+    testing: {
+        // Disables the End to End Encryption feature. Useful for debugging
+        // issues related to insertable streams.
+        // disableE2EE: false,
+
+        // P2P test mode disables automatic switching to P2P when there are 2
+        // participants in the conference.
+        p2pTestMode: false
+
+        // Enables the test specific features consumed by jitsi-meet-torture
+        // testMode: false
+
+        // Disables the auto-play behavior of *all* newly created video element.
+        // This is useful when the client runs on a host with limited resources.
+        // noAutoPlayVideo: false
+
+        // Enable / disable 500 Kbps bitrate cap on desktop tracks. When enabled,
+        // simulcast is turned off for the desktop share. If presenter is turned
+        // on while screensharing is in progress, the max bitrate is automatically
+        // adjusted to 2.5 Mbps. This takes a value between 0 and 1 which determines
+        // the probability for this to be enabled. This setting has been deprecated.
+        // desktopSharingFrameRate.max now determines whether simulcast will be enabled
+        // or disabled for the screenshare.
+        // capScreenshareBitrate: 1 // 0 to disable - deprecated.
+
+        // Enable callstats only for a percentage of users.
+        // This takes a value between 0 and 100 which determines the probability for
+        // the callstats to be enabled.
+        // callStatsThreshold: 5 // enable callstats for 5% of the users.
+    },
+
+    // Disables ICE/UDP by filtering out local and remote UDP candidates in
+    // signalling.
+    // webrtcIceUdpDisable: false,
+
+    // Disables ICE/TCP by filtering out local and remote TCP candidates in
+    // signalling.
+    // webrtcIceTcpDisable: false,
+
+
+    // Media
+    //
+
+    // Audio
+
+    // Disable measuring of audio levels.
+    // disableAudioLevels: false,
+    // audioLevelsInterval: 200,
+
+    // Enabling this will run the lib-jitsi-meet no audio detection module which
+    // will notify the user if the current selected microphone has no audio
+    // input and will suggest another valid device if one is present.
+    enableNoAudioDetection: true,
+
+    // Enabling this will show a "Save Logs" link in the GSM popover that can be
+    // used to collect debug information (XMPP IQs, SDP offer/answer cycles)
+    // about the call.
+    // enableSaveLogs: false,
+
+    // Enabling this will run the lib-jitsi-meet noise detection module which will
+    // notify the user if there is noise, other than voice, coming from the current
+    // selected microphone. The purpose it to let the user know that the input could
+    // be potentially unpleasant for other meeting participants.
+    enableNoisyMicDetection: true,
+
+    // Start the conference in audio only mode (no video is being received nor
+    // sent).
+    // startAudioOnly: false,
+
+    // Every participant after the Nth will start audio muted.
+    // startAudioMuted: 10,
+
+    // Start calls with audio muted. Unlike the option above, this one is only
+    // applied locally. FIXME: having these 2 options is confusing.
+    // startWithAudioMuted: false,
+
+    // Enabling it (with #params) will disable local audio output of remote
+    // participants and to enable it back a reload is needed.
+    // startSilent: false
+
+    // Enables support for opus-red (redundancy for Opus).
+    // enableOpusRed: false,
+
+    // Specify audio quality stereo and opusMaxAverageBitrate values in order to enable HD audio.
+    // Beware, by doing so, you are disabling echo cancellation, noise suppression and AGC.
+    // audioQuality: {
+    //     stereo: false,
+    //     opusMaxAverageBitrate: null // Value to fit the 6000 to 510000 range.
+    // },
+
+    // Video
+
+    // Sets the preferred resolution (height) for local video. Defaults to 720.
+    // resolution: 720,
+
+    // How many participants while in the tile view mode, before the receiving video quality is reduced from HD to SD.
+    // Use -1 to disable.
+    // maxFullResolutionParticipants: 2,
+
+    // w3c spec-compliant video constraints to use for video capture. Currently
+    // used by browsers that return true from lib-jitsi-meet's
+    // util#browser#usesNewGumFlow. The constraints are independent from
+    // this config's resolution value. Defaults to requesting an ideal
+    // resolution of 720p.
+    // constraints: {
+    //     video: {
+    //         height: {
+    //             ideal: 720,
+    //             max: 720,
+    //             min: 240
+    //         }
+    //     }
+    // },
+
+    // Enable / disable simulcast support.
+    // disableSimulcast: false,
+
+    // Enable / disable layer suspension.  If enabled, endpoints whose HD
+    // layers are not in use will be suspended (no longer sent) until they
+    // are requested again.
+    // enableLayerSuspension: false,
+
+    // Every participant after the Nth will start video muted.
+    // startVideoMuted: 10,
+
+    // Start calls with video muted. Unlike the option above, this one is only
+    // applied locally. FIXME: having these 2 options is confusing.
+    // startWithVideoMuted: false,
+
+    // If set to true, prefer to use the H.264 video codec (if supported).
+    // Note that it's not recommended to do this because simulcast is not
+    // supported when  using H.264. For 1-to-1 calls this setting is enabled by
+    // default and can be toggled in the p2p section.
+    // This option has been deprecated, use preferredCodec under videoQuality section instead.
+    // preferH264: true,
+
+    // If set to true, disable H.264 video codec by stripping it out of the
+    // SDP.
+    // disableH264: false,
+
+    // Desktop sharing
+
+    // Optional desktop sharing frame rate options. Default value: min:5, max:5.
+    // desktopSharingFrameRate: {
+    //     min: 5,
+    //     max: 5
+    // },
+
+    // Try to start calls with screen-sharing instead of camera video.
+    // startScreenSharing: false,
+
+    // Recording
+
+    // Whether to enable file recording or not.
+    // fileRecordingsEnabled: false,
+    // Enable the dropbox integration.
+    // dropbox: {
+    //     appKey: '<APP_KEY>' // Specify your app key here.
+    //     // A URL to redirect the user to, after authenticating
+    //     // by default uses:
+    //     // 'https://{{ jitsi_domain }}/static/oauth.html'
+    //     redirectURI:
+    //          'https://{{ jitsi_domain }}/subfolder/static/oauth.html'
+    // },
+    // When integrations like dropbox are enabled only that will be shown,
+    // by enabling fileRecordingsServiceEnabled, we show both the integrations
+    // and the generic recording service (its configuration and storage type
+    // depends on jibri configuration)
+    // fileRecordingsServiceEnabled: false,
+    // Whether to show the possibility to share file recording with other people
+    // (e.g. meeting participants), based on the actual implementation
+    // on the backend.
+    // fileRecordingsServiceSharingEnabled: false,
+
+    // Whether to enable live streaming or not.
+    // liveStreamingEnabled: false,
+
+    // Transcription (in interface_config,
+    // subtitles and buttons can be configured)
+    // transcribingEnabled: false,
+
+    // Enables automatic turning on captions when recording is started
+    // autoCaptionOnRecord: false,
+
+    // Misc
+
+    // Default value for the channel "last N" attribute. -1 for unlimited.
+    channelLastN: -1,
+
+    // Provides a way for the lastN value to be controlled through the UI.
+    // When startLastN is present, conference starts with a last-n value of startLastN and channelLastN
+    // value will be used when the quality level is selected using "Manage Video Quality" slider.
+    // startLastN: 1,
+
+    // Provides a way to use different "last N" values based on the number of participants in the conference.
+    // The keys in an Object represent number of participants and the values are "last N" to be used when number of
+    // participants gets to or above the number.
+    //
+    // For the given example mapping, "last N" will be set to 20 as long as there are at least 5, but less than
+    // 29 participants in the call and it will be lowered to 15 when the 30th participant joins. The 'channelLastN'
+    // will be used as default until the first threshold is reached.
+    //
+    // lastNLimits: {
+    //     5: 20,
+    //     30: 15,
+    //     50: 10,
+    //     70: 5,
+    //     90: 2
+    // },
+
+    // Provides a way to translate the legacy bridge signaling messages, 'LastNChangedEvent',
+    // 'SelectedEndpointsChangedEvent' and 'ReceiverVideoConstraint' into the new 'ReceiverVideoConstraints' message
+    // that invokes the new bandwidth allocation algorithm in the bridge which is described here
+    // - https://github.com/jitsi/jitsi-videobridge/blob/master/doc/allocation.md.
+    // useNewBandwidthAllocationStrategy: false,
+
+    // Specify the settings for video quality optimizations on the client.
+    // videoQuality: {
+    //    // Provides a way to prevent a video codec from being negotiated on the JVB connection. The codec specified
+    //    // here will be removed from the list of codecs present in the SDP answer generated by the client. If the
+    //    // same codec is specified for both the disabled and preferred option, the disable settings will prevail.
+    //    // Note that 'VP8' cannot be disabled since it's a mandatory codec, the setting will be ignored in this case.
+    //    disabledCodec: 'H264',
+    //
+    //    // Provides a way to set a preferred video codec for the JVB connection. If 'H264' is specified here,
+    //    // simulcast will be automatically disabled since JVB doesn't support H264 simulcast yet. This will only
+    //    // rearrange the the preference order of the codecs in the SDP answer generated by the browser only if the
+    //    // preferred codec specified here is present. Please ensure that the JVB offers the specified codec for this
+    //    // to take effect.
+    //    preferredCodec: 'VP8',
+    //
+    //    // Provides a way to enforce the preferred codec for the conference even when the conference has endpoints
+    //    // that do not support the preferred codec. For example, older versions of Safari do not support VP9 yet.
+    //    // This will result in Safari not being able to decode video from endpoints sending VP9 video.
+    //    // When set to false, the conference falls back to VP8 whenever there is an endpoint that doesn't support the
+    //    // preferred codec and goes back to the preferred codec when that endpoint leaves.
+    //    // enforcePreferredCodec: false,
+    //
+    //    // Provides a way to configure the maximum bitrates that will be enforced on the simulcast streams for
+    //    // video tracks. The keys in the object represent the type of the stream (LD, SD or HD) and the values
+    //    // are the max.bitrates to be set on that particular type of stream. The actual send may vary based on
+    //    // the available bandwidth calculated by the browser, but it will be capped by the values specified here.
+    //    // This is currently not implemented on app based clients on mobile.
+    //    maxBitratesVideo: {
+    //          H264: {
+    //              low: 200000,
+    //              standard: 500000,
+    //              high: 1500000
+    //          },
+    //          VP8 : {
+    //              low: 200000,
+    //              standard: 500000,
+    //              high: 1500000
+    //          },
+    //          VP9: {
+    //              low: 100000,
+    //              standard: 300000,
+    //              high:  1200000
+    //          }
+    //    },
+    //
+    //    // The options can be used to override default thresholds of video thumbnail heights corresponding to
+    //    // the video quality levels used in the application. At the time of this writing the allowed levels are:
+    //    //     'low' - for the low quality level (180p at the time of this writing)
+    //    //     'standard' - for the medium quality level (360p)
+    //    //     'high' - for the high quality level (720p)
+    //    // The keys should be positive numbers which represent the minimal thumbnail height for the quality level.
+    //    //
+    //    // With the default config value below the application will use 'low' quality until the thumbnails are
+    //    // at least 360 pixels tall. If the thumbnail height reaches 720 pixels then the application will switch to
+    //    // the high quality.
+    //    minHeightForQualityLvl: {
+    //        360: 'standard',
+    //        720: 'high'
+    //    },
+    //
+    //    // Provides a way to resize the desktop track to 720p (if it is greater than 720p) before creating a canvas
+    //    // for the presenter mode (camera picture-in-picture mode with screenshare).
+    //    resizeDesktopForPresenter: false
+    // },
+
+    // // Options for the recording limit notification.
+    // recordingLimit: {
+    //
+    //    // The recording limit in minutes. Note: This number appears in the notification text
+    //    // but doesn't enforce the actual recording time limit. This should be configured in
+    //    // jibri!
+    //    limit: 60,
+    //
+    //    // The name of the app with unlimited recordings.
+    //    appName: 'Unlimited recordings APP',
+    //
+    //    // The URL of the app with unlimited recordings.
+    //    appURL: 'https://unlimited.recordings.app.com/'
+    // },
+
+    // Disables or enables RTX (RFC 4588) (defaults to false).
+    // disableRtx: false,
+
+    // Disables or enables TCC support in this client (default: enabled).
+    // enableTcc: true,
+
+    // Disables or enables REMB support in this client (default: enabled).
+    // enableRemb: true,
+
+    // Enables ICE restart logic in LJM and displays the page reload overlay on
+    // ICE failure. Current disabled by default because it's causing issues with
+    // signaling when Octo is enabled. Also when we do an "ICE restart"(which is
+    // not a real ICE restart), the client maintains the TCC sequence number
+    // counter, but the bridge resets it. The bridge sends media packets with
+    // TCC sequence numbers starting from 0.
+    // enableIceRestart: false,
+
+    // Enables forced reload of the client when the call is migrated as a result of
+    // the bridge going down.
+    // enableForcedReload: true,
+
+    // Use TURN/UDP servers for the jitsi-videobridge connection (by default
+    // we filter out TURN/UDP because it is usually not needed since the
+    // bridge itself is reachable via UDP)
+    // useTurnUdp: false
+
+    // UI
+    //
+
+    // Disables responsive tiles.
+    // disableResponsiveTiles: false,
+
+    // Hides lobby button
+    // hideLobbyButton: false,
+
+    // Require users to always specify a display name.
+    // requireDisplayName: true,
+
+    // Whether to use a welcome page or not. In case it's false a random room
+    // will be joined when no room is specified.
+    enableWelcomePage: true,
+
+    // Disable app shortcuts that are registered upon joining a conference
+    // disableShortcuts: false,
+
+    // Disable initial browser getUserMedia requests.
+    // This is useful for scenarios where users might want to start a conference for screensharing only
+    // disableInitialGUM: false,
+
+    // Enabling the close page will ignore the welcome page redirection when
+    // a call is hangup.
+    // enableClosePage: false,
+
+    // Disable hiding of remote thumbnails when in a 1-on-1 conference call.
+    // disable1On1Mode: false,
+
+    // Default language for the user interface.
+    // defaultLanguage: 'en',
+
+    // Disables profile and the edit of all fields from the profile settings (display name and email)
+    // disableProfile: false,
+
+    // Whether or not some features are checked based on token.
+    // enableFeaturesBasedOnToken: false,
+
+    // When enabled the password used for locking a room is restricted to up to the number of digits specified
+    // roomPasswordNumberOfDigits: 10,
+    // default: roomPasswordNumberOfDigits: false,
+
+    // Message to show the users. Example: 'The service will be down for
+    // maintenance at 01:00 AM GMT,
+    // noticeMessage: '',
+
+    // Enables calendar integration, depends on googleApiApplicationClientID
+    // and microsoftApiApplicationClientID
+    // enableCalendarIntegration: false,
+
+    // When 'true', it shows an intermediate page before joining, where the user can configure their devices.
+    // prejoinPageEnabled: false,
+
+    // If etherpad integration is enabled, setting this to true will
+    // automatically open the etherpad when a participant joins.  This
+    // does not affect the mobile app since opening an etherpad
+    // obscures the conference controls -- it's better to let users
+    // choose to open the pad on their own in that case.
+    // openSharedDocumentOnJoin: false,
+
+    // If true, shows the unsafe room name warning label when a room name is
+    // deemed unsafe (due to the simplicity in the name) and a password is not
+    // set or the lobby is not enabled.
+    // enableInsecureRoomNameWarning: false,
+
+    // Whether to automatically copy invitation URL after creating a room.
+    // Document should be focused for this option to work
+    // enableAutomaticUrlCopy: false,
+
+    // Base URL for a Gravatar-compatible service. Defaults to libravatar.
+    // gravatarBaseURL: 'https://seccdn.libravatar.org/avatar/',
+
+    // Moved from interfaceConfig(TOOLBAR_BUTTONS).
+    // The name of the toolbar buttons to display in the toolbar, including the
+    // "More actions" menu. If present, the button will display. Exceptions are
+    // "livestreaming" and "recording" which also require being a moderator and
+    // some other values in config.js to be enabled. Also, the "profile" button will
+    // not display for users with a JWT.
+    // Notes:
+    // - it's impossible to choose which buttons go in the "More actions" menu
+    // - it's impossible to control the placement of buttons
+    // - 'desktop' controls the "Share your screen" button
+    // - if `toolbarButtons` is undefined, we fallback to enabling all buttons on the UI
+    // toolbarButtons: [
+    //    'microphone', 'camera', 'closedcaptions', 'desktop', 'embedmeeting', 'fullscreen',
+    //    'fodeviceselection', 'hangup', 'profile', 'chat', 'recording',
+    //    'livestreaming', 'etherpad', 'sharedvideo', 'shareaudio', 'settings', 'raisehand',
+    //    'videoquality', 'filmstrip', 'invite', 'feedback', 'stats', 'shortcuts',
+    //    'tileview', 'select-background', 'download', 'help', 'mute-everyone', 'mute-video-everyone', 'security'
+    // ],
+
+    // Stats
+    //
+
+    // Whether to enable stats collection or not in the TraceablePeerConnection.
+    // This can be useful for debugging purposes (post-processing/analysis of
+    // the webrtc stats) as it is done in the jitsi-meet-torture bandwidth
+    // estimation tests.
+    // gatherStats: false,
+
+    // The interval at which PeerConnection.getStats() is called. Defaults to 10000
+    // pcStatsInterval: 10000,
+
+    // To enable sending statistics to callstats.io you must provide the
+    // Application ID and Secret.
+    // callStatsID: '',
+    // callStatsSecret: '',
+
+    // Enables sending participants' display names to callstats
+    // enableDisplayNameInStats: false,
+
+    // Enables sending participants' emails (if available) to callstats and other analytics
+    // enableEmailInStats: false,
+
+    // Controls the percentage of automatic feedback shown to participants when callstats is enabled.
+    // The default value is 100%. If set to 0, no automatic feedback will be requested
+    // feedbackPercentage: 100,
+
+    // Privacy
+    //
+
+    // If third party requests are disabled, no other server will be contacted.
+    // This means avatars will be locally generated and callstats integration
+    // will not function.
+    // disableThirdPartyRequests: false,
+
+
+    // Peer-To-Peer mode: used (if enabled) when there are just 2 participants.
+    //
+
+    p2p: {
+        // Enables peer to peer mode. When enabled the system will try to
+        // establish a direct connection when there are exactly 2 participants
+        // in the room. If that succeeds the conference will stop sending data
+        // through the JVB and use the peer to peer connection instead. When a
+        // 3rd participant joins the conference will be moved back to the JVB
+        // connection.
+        enabled: true,
+
+        // Sets the ICE transport policy for the p2p connection. At the time
+        // of this writing the list of possible values are 'all' and 'relay',
+        // but that is subject to change in the future. The enum is defined in
+        // the WebRTC standard:
+        // https://www.w3.org/TR/webrtc/#rtcicetransportpolicy-enum.
+        // If not set, the effective value is 'all'.
+        // iceTransportPolicy: 'all',
+
+        // If set to true, it will prefer to use H.264 for P2P calls (if H.264
+        // is supported). This setting is deprecated, use preferredCodec instead.
+        // preferH264: true,
+
+        // Provides a way to set the video codec preference on the p2p connection. Acceptable
+        // codec values are 'VP8', 'VP9' and 'H264'.
+        // preferredCodec: 'H264',
+
+        // If set to true, disable H.264 video codec by stripping it out of the
+        // SDP. This setting is deprecated, use disabledCodec instead.
+        // disableH264: false,
+
+        // Provides a way to prevent a video codec from being negotiated on the p2p connection.
+        // disabledCodec: '',
+
+        // How long we're going to wait, before going back to P2P after the 3rd
+        // participant has left the conference (to filter out page reload).
+        // backToP2PDelay: 5,
+
+        // The STUN servers that will be used in the peer to peer connections
+        stunServers: [
+
+            // { urls: 'stun:{{ jitsi_domain }}:3478' },
+            { urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' }
+        ]
+    },
+
+    analytics: {
+        // The Google Analytics Tracking ID:
+        // googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1'
+
+        // Matomo configuration:
+        // matomoEndpoint: 'https://your-matomo-endpoint/',
+        // matomoSiteID: '42',
+
+        // The Amplitude APP Key:
+        // amplitudeAPPKey: '<APP_KEY>'
+
+        // Configuration for the rtcstats server:
+        // By enabling rtcstats server every time a conference is joined the rtcstats
+        // module connects to the provided rtcstatsEndpoint and sends statistics regarding
+        // PeerConnection states along with getStats metrics polled at the specified
+        // interval.
+        // rtcstatsEnabled: true,
+
+        // In order to enable rtcstats one needs to provide a endpoint url.
+        // rtcstatsEndpoint: wss://rtcstats-server-pilot.jitsi.net/,
+
+        // The interval at which rtcstats will poll getStats, defaults to 1000ms.
+        // If the value is set to 0 getStats won't be polled and the rtcstats client
+        // will only send data related to RTCPeerConnection events.
+        // rtcstatsPolIInterval: 1000,
+
+        // Array of script URLs to load as lib-jitsi-meet "analytics handlers".
+        // scriptURLs: [
+        //      "libs/analytics-ga.min.js", // google-analytics
+        //      "https://example.com/my-custom-analytics.js"
+        // ],
+    },
+
+    // Logs that should go be passed through the 'log' event if a handler is defined for it
+    // apiLogLevels: ['warn', 'log', 'error', 'info', 'debug'],
+
+    // Information about the jitsi-meet instance we are connecting to, including
+    // the user region as seen by the server.
+    deploymentInfo: {
+        // shard: "shard1",
+        // region: "europe",
+        // userRegion: "asia"
+    },
+
+    // Decides whether the start/stop recording audio notifications should play on record.
+    // disableRecordAudioNotification: false,
+
+    // Disables the sounds that play when other participants join or leave the
+    // conference (if set to true, these sounds will not be played).
+    // disableJoinLeaveSounds: false,
+
+    // Information for the chrome extension banner
+    // chromeExtensionBanner: {
+    //     // The chrome extension to be installed address
+    //     url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb',
+
+    //     // Extensions info which allows checking if they are installed or not
+    //     chromeExtensionsInfo: [
+    //         {
+    //             id: 'kglhbbefdnlheedjiejgomgmfplipfeb',
+    //             path: 'jitsi-logo-48x48.png'
+    //         }
+    //     ]
+    // },
+
+    // Local Recording
+    //
+
+    // localRecording: {
+    // Enables local recording.
+    // Additionally, 'localrecording' (all lowercase) needs to be added to
+    // TOOLBAR_BUTTONS in interface_config.js for the Local Recording
+    // button to show up on the toolbar.
+    //
+    //     enabled: true,
+    //
+
+    // The recording format, can be one of 'ogg', 'flac' or 'wav'.
+    //     format: 'flac'
+    //
+
+    // },
+
+    // Options related to end-to-end (participant to participant) ping.
+    // e2eping: {
+    //   // The interval in milliseconds at which pings will be sent.
+    //   // Defaults to 10000, set to <= 0 to disable.
+    //   pingInterval: 10000,
+    //
+    //   // The interval in milliseconds at which analytics events
+    //   // with the measured RTT will be sent. Defaults to 60000, set
+    //   // to <= 0 to disable.
+    //   analyticsInterval: 60000,
+    //   },
+
+    // If set, will attempt to use the provided video input device label when
+    // triggering a screenshare, instead of proceeding through the normal flow
+    // for obtaining a desktop stream.
+    // NOTE: This option is experimental and is currently intended for internal
+    // use only.
+    // _desktopSharingSourceDevice: 'sample-id-or-label',
+
+    // If true, any checks to handoff to another application will be prevented
+    // and instead the app will continue to display in the current browser.
+    // disableDeepLinking: false,
+
+    // A property to disable the right click context menu for localVideo
+    // the menu has option to flip the locally seen video for local presentations
+    // disableLocalVideoFlip: false,
+
+    // A property used to unset the default flip state of the local video.
+    // When it is set to 'true', the local(self) video will not be mirrored anymore.
+    // doNotFlipLocalVideo: false,
+
+    // Mainly privacy related settings
+
+    // Disables all invite functions from the app (share, invite, dial out...etc)
+    // disableInviteFunctions: true,
+
+    // Disables storing the room name to the recents list
+    // doNotStoreRoom: true,
+
+    // Deployment specific URLs.
+    // deploymentUrls: {
+    //    // If specified a 'Help' button will be displayed in the overflow menu with a link to the specified URL for
+    //    // user documentation.
+    //    userDocumentationURL: 'https://docs.example.com/video-meetings.html',
+    //    // If specified a 'Download our apps' button will be displayed in the overflow menu with a link
+    //    // to the specified URL for an app download page.
+    //    downloadAppsUrl: 'https://docs.example.com/our-apps.html'
+    // },
+
+    // Options related to the remote participant menu.
+    // remoteVideoMenu: {
+    //     // If set to true the 'Kick out' button will be disabled.
+    //     disableKick: true,
+    //     // If set to true the 'Grant moderator' button will be disabled.
+    //     disableGrantModerator: true
+    // },
+
+    // If set to true all muting operations of remote participants will be disabled.
+    // disableRemoteMute: true,
+
+    // Enables support for lip-sync for this client (if the browser supports it).
+    // enableLipSync: false
+
+    /**
+     External API url used to receive branding specific information.
+     If there is no url set or there are missing fields, the defaults are applied.
+     None of the fields are mandatory and the response must have the shape:
+     {
+         // The hex value for the colour used as background
+         backgroundColor: '#fff',
+         // The url for the image used as background
+         backgroundImageUrl: 'https://example.com/background-img.png',
+         // The anchor url used when clicking the logo image
+         logoClickUrl: 'https://example-company.org',
+         // The url used for the image used as logo
+         logoImageUrl: 'https://example.com/logo-img.png'
+     }
+    */
+    // dynamicBrandingUrl: '',
+
+    // Sets the background transparency level. '0' is fully transparent, '1' is opaque.
+    // backgroundAlpha: 1,
+
+    // The URL of the moderated rooms microservice, if available. If it
+    // is present, a link to the service will be rendered on the welcome page,
+    // otherwise the app doesn't render it.
+    // moderatedRoomServiceUrl: 'https://moderated.{{ jitsi_domain }}',
+
+    // If true, tile view will not be enabled automatically when the participants count threshold is reached.
+    // disableTileView: true,
+
+    // Hides the conference subject
+    // hideConferenceSubject: true,
+
+    // Hides the conference timer.
+    // hideConferenceTimer: true,
+
+    // Hides the participants stats
+    // hideParticipantsStats: true,
+
+    // Sets the conference subject
+    // subject: 'Conference Subject',
+
+    // This property is related to the use case when jitsi-meet is used via the IFrame API. When the property is true
+    // jitsi-meet will use the local storage of the host page instead of its own. This option is useful if the browser
+    // is not persisting the local storage inside the iframe.
+    // useHostPageLocalStorage: true,
+
+    // List of undocumented settings used in jitsi-meet
+    /**
+     _immediateReloadThreshold
+     debug
+     debugAudioLevels
+     deploymentInfo
+     dialInConfCodeUrl
+     dialInNumbersUrl
+     dialOutAuthUrl
+     dialOutCodesUrl
+     disableRemoteControl
+     displayJids
+     etherpad_base
+     externalConnectUrl
+     firefox_fake_device
+     googleApiApplicationClientID
+     iAmRecorder
+     iAmSipGateway
+     microsoftApiApplicationClientID
+     peopleSearchQueryTypes
+     peopleSearchUrl
+     requireDisplayName
+     tokenAuthUrl
+     */
+
+    /**
+     * This property can be used to alter the generated meeting invite links (in combination with a branding domain
+     * which is retrieved internally by jitsi meet) (e.g. https://meet.jit.si/someMeeting
+     * can become https://brandedDomain/roomAlias)
+     */
+    // brandingRoomAlias: null,
+
+    // List of undocumented settings used in lib-jitsi-meet
+    /**
+     _peerConnStatusOutOfLastNTimeout
+     _peerConnStatusRtcMuteTimeout
+     abTesting
+     avgRtpStatsN
+     callStatsConfIDNamespace
+     callStatsCustomScriptUrl
+     desktopSharingSources
+     disableAEC
+     disableAGC
+     disableAP
+     disableHPF
+     disableNS
+     enableTalkWhileMuted
+     forceJVB121Ratio
+     forceTurnRelay
+     hiddenDomain
+     ignoreStartMuted
+     websocketKeepAlive
+     websocketKeepAliveUrl
+     */
+
+    /**
+        Use this array to configure which notifications will be shown to the user
+        The items correspond to the title or description key of that notification
+        Some of these notifications also depend on some other internal logic to be displayed or not,
+        so adding them here will not ensure they will always be displayed
+
+        A falsy value for this prop will result in having all notifications enabled (e.g null, undefined, false)
+    */
+    // notifications: [
+    //     'connection.CONNFAIL', // shown when the connection fails,
+    //     'dialog.cameraNotSendingData', // shown when there's no feed from user's camera
+    //     'dialog.kickTitle', // shown when user has been kicked
+    //     'dialog.liveStreaming', // livestreaming notifications (pending, on, off, limits)
+    //     'dialog.lockTitle', // shown when setting conference password fails
+    //     'dialog.maxUsersLimitReached', // shown when maximmum users limit has been reached
+    //     'dialog.micNotSendingData', // shown when user's mic is not sending any audio
+    //     'dialog.passwordNotSupportedTitle', // shown when setting conference password fails due to password format
+    //     'dialog.recording', // recording notifications (pending, on, off, limits)
+    //     'dialog.remoteControlTitle', // remote control notifications (allowed, denied, start, stop, error)
+    //     'dialog.reservationError',
+    //     'dialog.serviceUnavailable', // shown when server is not reachable
+    //     'dialog.sessTerminated', // shown when there is a failed conference session
+    //     'dialog.sessionRestarted', // show when a client reload is initiated because of bridge migration
+    //     'dialog.tokenAuthFailed', // show when an invalid jwt is used
+    //     'dialog.transcribing', // transcribing notifications (pending, off)
+    //     'dialOut.statusMessage', // shown when dial out status is updated.
+    //     'liveStreaming.busy', // shown when livestreaming service is busy
+    //     'liveStreaming.failedToStart', // shown when livestreaming fails to start
+    //     'liveStreaming.unavailableTitle', // shown when livestreaming service is not reachable
+    //     'lobby.joinRejectedMessage', // shown when while in a lobby, user's request to join is rejected
+    //     'lobby.notificationTitle', // shown when lobby is toggled and when join requests are allowed / denied
+    //     'localRecording.localRecording', // shown when a local recording is started
+    //     'notify.disconnected', // shown when a participant has left
+    //     'notify.grantedTo', // shown when moderator rights were granted to a participant
+    //     'notify.invitedOneMember', // shown when 1 participant has been invited
+    //     'notify.invitedThreePlusMembers', // shown when 3+ participants have been invited
+    //     'notify.invitedTwoMembers', // shown when 2 participants have been invited
+    //     'notify.kickParticipant', // shown when a participant is kicked
+    //     'notify.mutedRemotelyTitle', // shown when user is muted by a remote party
+    //     'notify.mutedTitle', // shown when user has been muted upon joining,
+    //     'notify.newDeviceAudioTitle', // prompts the user to use a newly detected audio device
+    //     'notify.newDeviceCameraTitle', // prompts the user to use a newly detected camera
+    //     'notify.passwordRemovedRemotely', // shown when a password has been removed remotely
+    //     'notify.passwordSetRemotely', // shown when a password has been set remotely
+    //     'notify.raisedHand', // shown when a partcipant used raise hand,
+    //     'notify.startSilentTitle', // shown when user joined with no audio
+    //     'prejoin.errorDialOut',
+    //     'prejoin.errorDialOutDisconnected',
+    //     'prejoin.errorDialOutFailed',
+    //     'prejoin.errorDialOutStatus',
+    //     'prejoin.errorStatusCode',
+    //     'prejoin.errorValidation',
+    //     'recording.busy', // shown when recording service is busy
+    //     'recording.failedToStart', // shown when recording fails to start
+    //     'recording.unavailableTitle', // shown when recording service is not reachable
+    //     'toolbar.noAudioSignalTitle', // shown when a broken mic is detected
+    //     'toolbar.noisyAudioInputTitle', // shown when noise is detected for the current microphone
+    //     'toolbar.talkWhileMutedPopup', // shown when user tries to speak while muted
+    //     'transcribing.failedToStart' // shown when transcribing fails to start
+    // ]
+
+    // Allow all above example options to include a trailing comma and
+    // prevent fear when commenting out the last value.
+    makeJsonParserHappy: 'even if last key had a trailing comma'
+
+    // no configuration value should follow this line.
+};
+
+/* eslint-enable no-unused-vars, no-var */

roles/jitsi/templates/etc_prosody_conf.avail_jitsi_domain.cfg.lua.j2

@@ -0,0 +1,102 @@
+plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
+
+-- domain mapper options, must at least have domain base set to use the mapper
+muc_mapper_domain_base = "{{ jitsi_domain }}";
+
+external_service_secret = "6XhEs5NEtN735NXh";
+external_services = {
+     { type = "stun", host = "{{ jitsi_domain }}", port = 3478 },
+     { type = "turn", host = "{{ jitsi_domain }}", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
+     { type = "turns", host = "{{ jitsi_domain }}", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
+};
+
+cross_domain_bosh = false;
+consider_bosh_secure = true;
+-- https_ports = { }; -- Remove this line to prevent listening on port 5284
+
+-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
+ssl = {
+    protocol = "tlsv1_2+";
+    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
+}
+
+VirtualHost "{{ jitsi_domain }}"
+    -- enabled = false -- Remove this line to enable this host
+    -- authentication = "anonymous"
+    authentication = "internal_hashed"
+    -- Properties below are modified by jitsi-meet-tokens package config
+    -- and authentication above is switched to "token"
+    --app_id="example_app_id"
+    --app_secret="example_app_secret"
+    -- Assign this host a certificate for TLS, otherwise it would use the one
+    -- set in the global section (if any).
+    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
+    -- use the global one.
+    ssl = {
+        key = "/etc/prosody/certs/{{ jitsi_domain }}.key";
+        certificate = "/etc/prosody/certs/{{ jitsi_domain }}.crt";
+    }
+    speakerstats_component = "speakerstats.{{ jitsi_domain }}"
+    conference_duration_component = "conferenceduration.{{ jitsi_domain }}"
+    -- we need bosh
+    modules_enabled = {
+        "bosh";
+        "pubsub";
+        "ping"; -- Enable mod_ping
+        "speakerstats";
+        "external_services";
+        "conference_duration";
+        "muc_lobby_rooms";
+    }
+    c2s_require_encryption = false
+    lobby_muc = "lobby.{{ jitsi_domain }}"
+    main_muc = "conference.{{ jitsi_domain }}"
+    -- muc_lobby_whitelist = { "recorder.{{ jitsi_domain }}" } -- Here we can whitelist jibri to enter lobby enabled rooms
+
+VirtualHost "guest.{{ jitsi_domain }}"
+    authentication = "anonymous"
+    c2s_require_encryption = false
+
+Component "conference.{{ jitsi_domain }}" "muc"
+    storage = "memory"
+    modules_enabled = {
+        "muc_meeting_id";
+        "muc_domain_mapper";
+        --"token_verification";
+    }
+    admins = { "focus@auth.{{ jitsi_domain }}" }
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+
+-- internal muc component
+Component "internal.auth.{{ jitsi_domain }}" "muc"
+    storage = "memory"
+    modules_enabled = {
+        "ping";
+    }
+    admins = { "focus@auth.{{ jitsi_domain }}", "jvb@auth.{{ jitsi_domain }}" }
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+
+VirtualHost "auth.{{ jitsi_domain }}"
+    ssl = {
+        key = "/etc/prosody/certs/auth.{{ jitsi_domain }}.key";
+        certificate = "/etc/prosody/certs/auth.{{ jitsi_domain }}.crt";
+    }
+    authentication = "internal_hashed"
+
+-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
+Component "focus.{{ jitsi_domain }}" "client_proxy"
+    target_address = "focus@auth.{{ jitsi_domain }}"
+
+Component "speakerstats.{{ jitsi_domain }}" "speakerstats_component"
+    muc_component = "conference.{{ jitsi_domain }}"
+
+Component "conferenceduration.{{ jitsi_domain }}" "conference_duration_component"
+    muc_component = "conference.{{ jitsi_domain }}"
+
+Component "lobby.{{ jitsi_domain }}" "muc"
+    storage = "memory"
+    restrict_room_creation = true
+    muc_room_locking = false
+    muc_room_default_public_jids = true

roles/monitoring/files/etc_monit_conf.d_jitsi

@@ -0,0 +1,13 @@
+check process jicofo matching jicofo
+  group social
+  start program = "/bin/systemctl start jicofo"
+  stop program = "/bin/systemctl stop jicofo"
+  if does not exist then restart
+  if 5 restarts within 5 cycles then timeout
+
+check process jitsi-videobridge2 matching jitsi-videobridge
+  group social
+  start program = "/bin/systemctl start jitsi-videobridge2"
+  stop program = "/bin/systemctl stop jitsi-videobridge2"
+  if does not exist then restart
+  if 5 restarts within 5 cycles then timeout

roles/monitoring/tasks/monit.yml

@@ -72,6 +72,10 @@
   stat: path=/etc/openvpn/server.conf
   register: openvpn_config_file
 
+- name: Determine if Jitsi is installed
+  stat: path=/etc/jitsi/jicofo/config
+  register: jitsi_config_file
+
 - name: Copy ZNC monit service config files into place
   copy: src=etc_monit_conf.d_znc dest=/etc/monit/conf.d/znc
   notify: restart monit
@@ -82,6 +86,11 @@
   notify: restart monit
   when: prosody_config_file.stat.exists == True
 
+- name: Copy Jitsi monit service config files into place
+  copy: src=etc_monit_conf.d_jitsi dest=/etc/monit/conf.d/jitsi
+  notify: restart monit
+  when: jitsi_config_file.stat.exists == True
+
 - name: Copy Fathom monit service config files into place
   copy: src=etc_monit_conf.d_fathom dest=/etc/monit/conf.d/fathom
   notify: restart monit

roles/sslletsencrypt/files/letsencrypt-gencert

@@ -18,7 +18,7 @@ for domain in "$@"; do
 
   # subdomains - www.foo.com mail.foo.com ...
   # TODO includes servername (eddie / stage)!
-  for sub in stage www mail autoconfig stats news cloud git matrix status social comments iot wiki; do
+  for sub in stage www mail autoconfig stats news cloud git matrix status social comments iot wiki jitsi; do
     # only add if the DNS entry for the subdomain does actually exist
     if (getent hosts $sub.$domain > /dev/null); then
       if [ -z "$d" ]; then

roles/xmpp/defaults/main.yml

@@ -1,5 +0,0 @@
-prosody_admin: "{{ admin_email }}"
-prosody_accounts:
-  - name: "{{ main_user_name }}"
-    domain: "{{ domain }}"
-    password: "{{ lookup('password', secret + '/' + 'xmpp_main_user_password length=32') }}"

roles/xmpp/files/etc_letsencrypt_postrenew_prosody.sh

@@ -1,3 +0,0 @@
-#!/bin/bash
-
-systemctl restart prosody.service

roles/xmpp/handlers/main.yml

@@ -1,2 +0,0 @@
-- name: restart prosody
-  command: systemctl restart prosody

roles/xmpp/tasks/main.yml

@@ -1,4 +0,0 @@
----
-# Provides the Prosody Jabber/XMPP server.
-
-- include: prosody.yml tags=prosody

roles/xmpp/tasks/prosody.yml

@@ -1,45 +0,0 @@
-- name: Ensure repository key for Prosody is in place
-  apt_key: url=https://prosody.im/files/prosody-debian-packages.key state=present
-  tags:
-    - dependencies
-
-- name: Add Prosody repository
-  apt_repository: repo="deb http://packages.prosody.im/debian {{ ansible_distribution_release }} main"
-  tags:
-    - dependencies
-
-- name: Install Prosody and dependencies from official repository
-  apt:
-    name: "{{ packages }}"
-    state: present
-    update_cache: yes
-  vars:
-    packages:
-    - prosody
-    - lua-sec
-  tags:
-    - dependencies
-
-- name: Add prosody user to ssl-cert group
-  user: name=prosody group=ssl-cert
-
-- name: Add cert postrenew task
-  copy: src=etc_letsencrypt_postrenew_prosody.sh dest=/etc/letsencrypt/postrenew/prosody.sh mode=0755
-
-- name: Create Prosody data directory
-  file: state=directory path=/data/prosody owner=prosody group=prosody
-
-- name: Configure Prosody
-  template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua group=prosody owner=root mode=0644
-  notify: restart prosody
-
-- name: Create Prosody accounts
-  command: prosodyctl register {{ item.name }} {{ item.domain }} "{{ item.password }}"
-  with_items: "{{ prosody_accounts }}"
-
-- name: Set firewall rules for Prosody
-  ufw: rule=allow port={{ item }} proto=tcp
-  with_items:
-    - 5222  # xmpp c2s
-    - 5269  # xmpp s2s
-  tags: ufw

roles/xmpp/templates/prosody.cfg.lua.j2

@@ -1,177 +0,0 @@
---
---
---
-
-
----------- Server-wide settings ----------
-
-admins = { "{{ prosody_admin }}" }
-
---use_libevent = true;
-
-modules_enabled = {
-
-	-- Generally required
-		"roster"; -- Allow users to have a roster. Recommended ;)
-		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
-		"tls"; -- Add support for secure TLS on c2s/s2s connections
-		"dialback"; -- s2s dialback support
-		"disco"; -- Service discovery
-		"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
-
-	-- Not essential, but recommended
-		"private"; -- Private XML storage (for room bookmarks, etc.)
-		"vcard"; -- Allow users to set vCards
-
-	-- These are commented by default as they have a performance impact
-                "blocklist"; -- Support blocking users
-		--"compression"; -- Stream compression (requires the lua-zlib package installed)
-
-	-- Nice to have
-		"version"; -- Replies to server version requests
-		"uptime"; -- Report how long server has been running
-		"time"; -- Let others know the time here on this server
-		"ping"; -- Replies to XMPP pings with pongs
-		-- "pep"; -- Enables users to publish their mood, activity, playing music and more
-		"register"; -- Allow users to register on this server using a client and change passwords
-
-	-- Admin interfaces
-		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
-		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
-
-	-- HTTP modules
-		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
-		--"http_files"; -- Serve static files from a directory over HTTP
-
-	-- Other specific functionality
-		--"groups"; -- Shared roster support
-		--"announce"; -- Send announcement to all online users
-		--"welcome"; -- Welcome users who register accounts
-		--"watchregistrations"; -- Alert admins of registrations
-		--"motd"; -- Send a message to users when they log in
-		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
-};
-
-modules_disabled = {
-	-- "offline"; -- Store offline messages
-	-- "c2s"; -- Handle client connections
-	-- "s2s"; -- Handle server-to-server connections
-};
-
-allow_registration = false;
-
-ssl = {
-	key = "/etc/letsencrypt/live/{{ domain }}/privkey.pem";
-	certificate = "/etc/letsencrypt/live/{{ domain }}/cert.pem";
-}
-
-
-c2s_require_encryption = true
-
-
-s2s_secure_auth = false
-
-
---s2s_insecure_domains = { "gmail.com" }
-
-
---s2s_secure_domains = { "jabber.org" }
-
-pidfile = "/var/run/prosody/prosody.pid"
-
-
-authentication = "internal_hashed"
-
-
---storage = "sql" -- Default is "internal"
-
---sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
---sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
---sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
-
-log = {
-	info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
-	error = "/var/log/prosody/prosody.err";
-	"*syslog";
-}
-
-data_path = "/data/prosody"
-
------------ Virtual hosts -----------
-
-{% for vd in virtual_domains %}
-VirtualHost "{{ vd.name }}"
-{% endfor %}
-
------- Components ------
-
----Set up a MUC (multi-user chat) room server on conference.example.com:
---Component "conference.example.com" "muc"
-
---Component "proxy.example.com" "proxy65"
-
----Set up an external component (default component port is 5347)
---
---
---Component "gateway.example.com"
---	component_secret = "password"