Переглянути джерело

add jitsi role, remove xmpp role (prosody conflicting)

Thomas Buck 3 роки тому
джерело
коміт
a1614fe810

+ 1
- 0
README.md Переглянути файл

@@ -103,6 +103,7 @@ Create `A` and `AAAA` or `CNAME` records which point to your server's IP address
103 103
 * `comments.example.com` (for commento)
104 104
 * `iot.example.com` (for grafana)
105 105
 * `wiki.example.com` (for dokuwiki)
106
+* `jitsi.example.com` (for jitsi)
106 107
 
107 108
 #### Run the Ansible Playbooks
108 109
 

+ 12
- 0
roles/jitsi/DESIGN.md Переглянути файл

@@ -0,0 +1,12 @@
1
+# Design Description for Jitsi Role
2
+
3
+This role installs Jitsi using the official upstream Debian packages.
4
+
5
+Setup as described in:
6
+https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart
7
+
8
+Authentication according to:
9
+https://jitsi.github.io/handbook/docs/devops-guide/secure-domain
10
+
11
+This was used for the Apache config:
12
+https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet/jitsi-meet.example-apache

+ 6
- 0
roles/jitsi/defaults/main.yml Переглянути файл

@@ -0,0 +1,6 @@
1
+jitsi_subdomain: "jitsi"
2
+jitsi_domain: "{{ jitsi_subdomain }}.{{ domain }}"
3
+
4
+jitsi_accounts:
5
+  - name: "{{ main_user_name }}"
6
+    password: "{{ lookup('password', secret + '/' + 'jitsi_main_user_password length=32') }}"

+ 9
- 0
roles/jitsi/handlers/main.yml Переглянути файл

@@ -0,0 +1,9 @@
1
+- name: restart jitsi
2
+  command: systemctl restart {{ item }}
3
+  with_items:
4
+    - prosody
5
+    - jicofo
6
+    - jitsi-videobridge2
7
+
8
+- name: restart apache
9
+  service: name=apache2 state=restarted

+ 111
- 0
roles/jitsi/tasks/jitsi.yml Переглянути файл

@@ -0,0 +1,111 @@
1
+- name: Ensure repository key for Jitsi is in place
2
+  apt_key: url=https://download.jitsi.org/jitsi-key.gpg.key state=present
3
+  tags:
4
+    - dependencies
5
+
6
+- name: Add Jitsi repository
7
+  apt_repository: repo="deb https://download.jitsi.org stable/"
8
+  tags:
9
+    - dependencies
10
+
11
+- name: Set firewall rules for Jitsi TCP
12
+  ufw: rule=allow port={{ item }} proto=tcp
13
+  with_items:
14
+    - 80
15
+    - 443
16
+    - 22
17
+    - 5349
18
+  tags: ufw
19
+
20
+- name: Set firewall rules for Jitsi UDP
21
+  ufw: rule=allow port={{ item }} proto=udp
22
+  with_items:
23
+    - 10000
24
+    - 3478
25
+  tags: ufw
26
+
27
+- name: Set Jitsi Certificate Selection
28
+  debconf:
29
+    name: jitsi-meet
30
+    question: jitsi-meet/cert-choice
31
+    value: I want to use my own certificate
32
+    vtype: select
33
+
34
+- name: Set Jitsi Certificate Key
35
+  debconf:
36
+    name: jitsi-meet
37
+    question: jitsi-meet/cert-path-key
38
+    value: "/etc/letsencrypt/live/{{ domain }}/privkey.pem"
39
+    vtype: string
40
+
41
+- name: Set Jitsi Certificate
42
+  debconf:
43
+    name: jitsi-meet
44
+    question: jitsi-meet/cert-path-crt
45
+    value: "/etc/letsencrypt/live/{{ domain }}/fullchain.pem"
46
+    vtype: string
47
+
48
+- name: Set Jitsi Hostname
49
+  debconf:
50
+    name: "{{ item }}"
51
+    question: "{{ item }}/jvb-hostname"
52
+    value: "{{ jitsi_domain }}"
53
+    vtype: string
54
+  with_items:
55
+    - jitsi-meet
56
+    - jitsi-meet-prosody
57
+    - jitsi-videobridge
58
+
59
+- name: Install Jitsi and dependencies from official repository
60
+  apt:
61
+    name: "{{ packages }}"
62
+    state: present
63
+    update_cache: yes
64
+  vars:
65
+    packages:
66
+    - jitsi-meet
67
+  tags:
68
+    - dependencies
69
+
70
+- name: Create the Jitsi Prosody Config
71
+  template:
72
+    src=etc_prosody_conf.avail_jitsi_domain.cfg.lua.j2
73
+    dest=/etc/prosody/conf.avail/{{ jitsi_domain }}.cfg.lua
74
+    owner=root
75
+    group=root
76
+  notify: restart jitsi
77
+
78
+- name: Create the Jitsi Config
79
+  template:
80
+    src=etc_jitsi_meet_jitsi_domain-config.js.j2
81
+    dest=/etc/jitsi/meet/{{ jitsi_domain }}-config.js
82
+    owner=root
83
+    group=root
84
+  notify: restart jitsi
85
+
86
+- name: Create the Jicofo Config
87
+  template:
88
+    src=etc_jitsi_jicofo_sip-communicator.properties.j2
89
+    dest=/etc/jitsi/jicofo/sip-communicator.properties
90
+    owner=root
91
+    group=root
92
+  notify: restart jitsi
93
+
94
+- name: Create the Apache Jitsi sites config files
95
+  template:
96
+    src=etc_apache2_sites-available_jitsi.j2
97
+    dest=/etc/apache2/sites-available/jitsi_{{ item.name }}.conf
98
+    owner=root
99
+    group=root
100
+  with_items: "{{ virtual_domains }}"
101
+  notify: restart apache
102
+
103
+- name: Enable Apache sites (creates new sites-enabled symlinks)
104
+  command: a2ensite jitsi_{{ item }}.conf creates=/etc/apache2/sites-enabled/jitsi_{{ item }}.conf
105
+  notify: restart apache
106
+  with_items: "{{ virtual_domains | json_query('[*].name') }}"
107
+
108
+- name: Create Jitsi accounts
109
+  command: prosodyctl register {{ item.name }} {{ jitsi_domain }} {{ item.password }}
110
+  with_items: "{{ jitsi_accounts }}"
111
+  ignore_errors: True

+ 2
- 0
roles/jitsi/tasks/main.yml Переглянути файл

@@ -0,0 +1,2 @@
1
+---
2
+- include: jitsi.yml tags=jitsi

+ 53
- 0
roles/jitsi/templates/etc_apache2_sites-available_jitsi.j2 Переглянути файл

@@ -0,0 +1,53 @@
1
+<VirtualHost *:80>
2
+    ServerName {{ jitsi_subdomain }}.{{ item.name }}
3
+
4
+    Redirect temp / https://{{ jitsi_subdomain }}.{{ item.name }}/
5
+</VirtualHost>
6
+
7
+<VirtualHost *:443>
8
+    ServerName {{ jitsi_subdomain }}.{{ item.name }}
9
+
10
+    # enable HTTP/2, if available
11
+    Protocols h2 http/1.1
12
+
13
+    SSLEngine               On
14
+    SSLProxyEngine          On
15
+
16
+    Header always set Strict-Transport-Security "max-age=63072000"
17
+
18
+    DocumentRoot "/usr/share/jitsi-meet"
19
+    <Directory "/usr/share/jitsi-meet">
20
+        Options Indexes MultiViews Includes FollowSymLinks
21
+        AddOutputFilter Includes html
22
+        AllowOverride All
23
+        Order allow,deny
24
+        Allow from all
25
+    </Directory>
26
+
27
+    ErrorDocument 404 /static/404.html
28
+
29
+    Alias "/config.js" "/etc/jitsi/meet/{{ jitsi_domain }}-config.js"
30
+    <Location /config.js>
31
+        Require all granted
32
+    </Location>
33
+
34
+    Alias "/external_api.js" "/usr/share/jitsi-meet/libs/external_api.min.js"
35
+    <Location /external_api.js>
36
+        Require all granted
37
+    </Location>
38
+
39
+    ProxyPreserveHost on
40
+    ProxyPass /http-bind http://localhost:5280/http-bind
41
+    ProxyPassReverse /http-bind http://localhost:5280/http-bind
42
+    ProxyPass /xmpp-websocket ws://localhost:5280/xmpp-websocket
43
+    ProxyPassReverse /xmpp-websocket ws://localhost:5280/xmpp-websocket
44
+    ProxyPass /colibri-ws/default-id ws://localhost:9090/colibri-ws/default-id
45
+    ProxyPassReverse /colibri-ws/default-id ws://localhost:9090/colibri-ws/default-id
46
+
47
+    RewriteEngine on
48
+    RewriteRule ^/([a-zA-Z0-9]+)$ /index.html
49
+
50
+    LogLevel                warn
51
+    ErrorLog                /var/log/apache2/jitsi.info-error_log
52
+    CustomLog               /var/log/apache2/jitsi.info-access_log common
53
+</VirtualHost>

+ 2
- 0
roles/jitsi/templates/etc_jitsi_jicofo_sip-communicator.properties.j2 Переглянути файл

@@ -0,0 +1,2 @@
1
+org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.{{ jitsi_domain }}
2
+org.jitsi.jicofo.auth.URL=XMPP:{{ jitsi_domain }}

+ 854
- 0
roles/jitsi/templates/etc_jitsi_meet_jitsi_domain-config.js.j2 Переглянути файл

@@ -0,0 +1,854 @@
1
+/* eslint-disable no-unused-vars, no-var */
2
+
3
+var config = {
4
+    // Connection
5
+    //
6
+
7
+    hosts: {
8
+        // XMPP domain.
9
+        domain: '{{ jitsi_domain }}',
10
+        anonymousdomain: 'guest.{{ jitsi_domain }}',
11
+
12
+        // When using authentication, domain for guest users.
13
+        // anonymousdomain: 'guest.example.com',
14
+
15
+        // Domain for authenticated users. Defaults to <domain>.
16
+        // authdomain: '{{ jitsi_domain }}',
17
+
18
+        // Focus component domain. Defaults to focus.<domain>.
19
+        // focus: 'focus.{{ jitsi_domain }}',
20
+
21
+        // XMPP MUC domain. FIXME: use XEP-0030 to discover it.
22
+        muc: 'conference.{{ jitsi_domain }}'
23
+    },
24
+
25
+    // BOSH URL. FIXME: use XEP-0156 to discover it.
26
+    bosh: '//{{ jitsi_domain }}/http-bind',
27
+
28
+    // Websocket URL
29
+    // websocket: 'wss://{{ jitsi_domain }}/xmpp-websocket',
30
+
31
+    // The name of client node advertised in XEP-0115 'c' stanza
32
+    clientNode: 'http://jitsi.org/jitsimeet',
33
+
34
+    // The real JID of focus participant - can be overridden here
35
+    // Do not change username - FIXME: Make focus username configurable
36
+    // https://github.com/jitsi/jitsi-meet/issues/7376
37
+    // focusUserJid: 'focus@auth.{{ jitsi_domain }}',
38
+
39
+
40
+    // Testing / experimental features.
41
+    //
42
+
43
+    testing: {
44
+        // Disables the End to End Encryption feature. Useful for debugging
45
+        // issues related to insertable streams.
46
+        // disableE2EE: false,
47
+
48
+        // P2P test mode disables automatic switching to P2P when there are 2
49
+        // participants in the conference.
50
+        p2pTestMode: false
51
+
52
+        // Enables the test specific features consumed by jitsi-meet-torture
53
+        // testMode: false
54
+
55
+        // Disables the auto-play behavior of *all* newly created video element.
56
+        // This is useful when the client runs on a host with limited resources.
57
+        // noAutoPlayVideo: false
58
+
59
+        // Enable / disable 500 Kbps bitrate cap on desktop tracks. When enabled,
60
+        // simulcast is turned off for the desktop share. If presenter is turned
61
+        // on while screensharing is in progress, the max bitrate is automatically
62
+        // adjusted to 2.5 Mbps. This takes a value between 0 and 1 which determines
63
+        // the probability for this to be enabled. This setting has been deprecated.
64
+        // desktopSharingFrameRate.max now determines whether simulcast will be enabled
65
+        // or disabled for the screenshare.
66
+        // capScreenshareBitrate: 1 // 0 to disable - deprecated.
67
+
68
+        // Enable callstats only for a percentage of users.
69
+        // This takes a value between 0 and 100 which determines the probability for
70
+        // the callstats to be enabled.
71
+        // callStatsThreshold: 5 // enable callstats for 5% of the users.
72
+    },
73
+
74
+    // Disables ICE/UDP by filtering out local and remote UDP candidates in
75
+    // signalling.
76
+    // webrtcIceUdpDisable: false,
77
+
78
+    // Disables ICE/TCP by filtering out local and remote TCP candidates in
79
+    // signalling.
80
+    // webrtcIceTcpDisable: false,
81
+
82
+
83
+    // Media
84
+    //
85
+
86
+    // Audio
87
+
88
+    // Disable measuring of audio levels.
89
+    // disableAudioLevels: false,
90
+    // audioLevelsInterval: 200,
91
+
92
+    // Enabling this will run the lib-jitsi-meet no audio detection module which
93
+    // will notify the user if the current selected microphone has no audio
94
+    // input and will suggest another valid device if one is present.
95
+    enableNoAudioDetection: true,
96
+
97
+    // Enabling this will show a "Save Logs" link in the GSM popover that can be
98
+    // used to collect debug information (XMPP IQs, SDP offer/answer cycles)
99
+    // about the call.
100
+    // enableSaveLogs: false,
101
+
102
+    // Enabling this will run the lib-jitsi-meet noise detection module which will
103
+    // notify the user if there is noise, other than voice, coming from the current
104
+    // selected microphone. The purpose it to let the user know that the input could
105
+    // be potentially unpleasant for other meeting participants.
106
+    enableNoisyMicDetection: true,
107
+
108
+    // Start the conference in audio only mode (no video is being received nor
109
+    // sent).
110
+    // startAudioOnly: false,
111
+
112
+    // Every participant after the Nth will start audio muted.
113
+    // startAudioMuted: 10,
114
+
115
+    // Start calls with audio muted. Unlike the option above, this one is only
116
+    // applied locally. FIXME: having these 2 options is confusing.
117
+    // startWithAudioMuted: false,
118
+
119
+    // Enabling it (with #params) will disable local audio output of remote
120
+    // participants and to enable it back a reload is needed.
121
+    // startSilent: false
122
+
123
+    // Enables support for opus-red (redundancy for Opus).
124
+    // enableOpusRed: false,
125
+
126
+    // Specify audio quality stereo and opusMaxAverageBitrate values in order to enable HD audio.
127
+    // Beware, by doing so, you are disabling echo cancellation, noise suppression and AGC.
128
+    // audioQuality: {
129
+    //     stereo: false,
130
+    //     opusMaxAverageBitrate: null // Value to fit the 6000 to 510000 range.
131
+    // },
132
+
133
+    // Video
134
+
135
+    // Sets the preferred resolution (height) for local video. Defaults to 720.
136
+    // resolution: 720,
137
+
138
+    // How many participants while in the tile view mode, before the receiving video quality is reduced from HD to SD.
139
+    // Use -1 to disable.
140
+    // maxFullResolutionParticipants: 2,
141
+
142
+    // w3c spec-compliant video constraints to use for video capture. Currently
143
+    // used by browsers that return true from lib-jitsi-meet's
144
+    // util#browser#usesNewGumFlow. The constraints are independent from
145
+    // this config's resolution value. Defaults to requesting an ideal
146
+    // resolution of 720p.
147
+    // constraints: {
148
+    //     video: {
149
+    //         height: {
150
+    //             ideal: 720,
151
+    //             max: 720,
152
+    //             min: 240
153
+    //         }
154
+    //     }
155
+    // },
156
+
157
+    // Enable / disable simulcast support.
158
+    // disableSimulcast: false,
159
+
160
+    // Enable / disable layer suspension.  If enabled, endpoints whose HD
161
+    // layers are not in use will be suspended (no longer sent) until they
162
+    // are requested again.
163
+    // enableLayerSuspension: false,
164
+
165
+    // Every participant after the Nth will start video muted.
166
+    // startVideoMuted: 10,
167
+
168
+    // Start calls with video muted. Unlike the option above, this one is only
169
+    // applied locally. FIXME: having these 2 options is confusing.
170
+    // startWithVideoMuted: false,
171
+
172
+    // If set to true, prefer to use the H.264 video codec (if supported).
173
+    // Note that it's not recommended to do this because simulcast is not
174
+    // supported when  using H.264. For 1-to-1 calls this setting is enabled by
175
+    // default and can be toggled in the p2p section.
176
+    // This option has been deprecated, use preferredCodec under videoQuality section instead.
177
+    // preferH264: true,
178
+
179
+    // If set to true, disable H.264 video codec by stripping it out of the
180
+    // SDP.
181
+    // disableH264: false,
182
+
183
+    // Desktop sharing
184
+
185
+    // Optional desktop sharing frame rate options. Default value: min:5, max:5.
186
+    // desktopSharingFrameRate: {
187
+    //     min: 5,
188
+    //     max: 5
189
+    // },
190
+
191
+    // Try to start calls with screen-sharing instead of camera video.
192
+    // startScreenSharing: false,
193
+
194
+    // Recording
195
+
196
+    // Whether to enable file recording or not.
197
+    // fileRecordingsEnabled: false,
198
+    // Enable the dropbox integration.
199
+    // dropbox: {
200
+    //     appKey: '<APP_KEY>' // Specify your app key here.
201
+    //     // A URL to redirect the user to, after authenticating
202
+    //     // by default uses:
203
+    //     // 'https://{{ jitsi_domain }}/static/oauth.html'
204
+    //     redirectURI:
205
+    //          'https://{{ jitsi_domain }}/subfolder/static/oauth.html'
206
+    // },
207
+    // When integrations like dropbox are enabled only that will be shown,
208
+    // by enabling fileRecordingsServiceEnabled, we show both the integrations
209
+    // and the generic recording service (its configuration and storage type
210
+    // depends on jibri configuration)
211
+    // fileRecordingsServiceEnabled: false,
212
+    // Whether to show the possibility to share file recording with other people
213
+    // (e.g. meeting participants), based on the actual implementation
214
+    // on the backend.
215
+    // fileRecordingsServiceSharingEnabled: false,
216
+
217
+    // Whether to enable live streaming or not.
218
+    // liveStreamingEnabled: false,
219
+
220
+    // Transcription (in interface_config,
221
+    // subtitles and buttons can be configured)
222
+    // transcribingEnabled: false,
223
+
224
+    // Enables automatic turning on captions when recording is started
225
+    // autoCaptionOnRecord: false,
226
+
227
+    // Misc
228
+
229
+    // Default value for the channel "last N" attribute. -1 for unlimited.
230
+    channelLastN: -1,
231
+
232
+    // Provides a way for the lastN value to be controlled through the UI.
233
+    // When startLastN is present, conference starts with a last-n value of startLastN and channelLastN
234
+    // value will be used when the quality level is selected using "Manage Video Quality" slider.
235
+    // startLastN: 1,
236
+
237
+    // Provides a way to use different "last N" values based on the number of participants in the conference.
238
+    // The keys in an Object represent number of participants and the values are "last N" to be used when number of
239
+    // participants gets to or above the number.
240
+    //
241
+    // For the given example mapping, "last N" will be set to 20 as long as there are at least 5, but less than
242
+    // 29 participants in the call and it will be lowered to 15 when the 30th participant joins. The 'channelLastN'
243
+    // will be used as default until the first threshold is reached.
244
+    //
245
+    // lastNLimits: {
246
+    //     5: 20,
247
+    //     30: 15,
248
+    //     50: 10,
249
+    //     70: 5,
250
+    //     90: 2
251
+    // },
252
+
253
+    // Provides a way to translate the legacy bridge signaling messages, 'LastNChangedEvent',
254
+    // 'SelectedEndpointsChangedEvent' and 'ReceiverVideoConstraint' into the new 'ReceiverVideoConstraints' message
255
+    // that invokes the new bandwidth allocation algorithm in the bridge which is described here
256
+    // - https://github.com/jitsi/jitsi-videobridge/blob/master/doc/allocation.md.
257
+    // useNewBandwidthAllocationStrategy: false,
258
+
259
+    // Specify the settings for video quality optimizations on the client.
260
+    // videoQuality: {
261
+    //    // Provides a way to prevent a video codec from being negotiated on the JVB connection. The codec specified
262
+    //    // here will be removed from the list of codecs present in the SDP answer generated by the client. If the
263
+    //    // same codec is specified for both the disabled and preferred option, the disable settings will prevail.
264
+    //    // Note that 'VP8' cannot be disabled since it's a mandatory codec, the setting will be ignored in this case.
265
+    //    disabledCodec: 'H264',
266
+    //
267
+    //    // Provides a way to set a preferred video codec for the JVB connection. If 'H264' is specified here,
268
+    //    // simulcast will be automatically disabled since JVB doesn't support H264 simulcast yet. This will only
269
+    //    // rearrange the the preference order of the codecs in the SDP answer generated by the browser only if the
270
+    //    // preferred codec specified here is present. Please ensure that the JVB offers the specified codec for this
271
+    //    // to take effect.
272
+    //    preferredCodec: 'VP8',
273
+    //
274
+    //    // Provides a way to enforce the preferred codec for the conference even when the conference has endpoints
275
+    //    // that do not support the preferred codec. For example, older versions of Safari do not support VP9 yet.
276
+    //    // This will result in Safari not being able to decode video from endpoints sending VP9 video.
277
+    //    // When set to false, the conference falls back to VP8 whenever there is an endpoint that doesn't support the
278
+    //    // preferred codec and goes back to the preferred codec when that endpoint leaves.
279
+    //    // enforcePreferredCodec: false,
280
+    //
281
+    //    // Provides a way to configure the maximum bitrates that will be enforced on the simulcast streams for
282
+    //    // video tracks. The keys in the object represent the type of the stream (LD, SD or HD) and the values
283
+    //    // are the max.bitrates to be set on that particular type of stream. The actual send may vary based on
284
+    //    // the available bandwidth calculated by the browser, but it will be capped by the values specified here.
285
+    //    // This is currently not implemented on app based clients on mobile.
286
+    //    maxBitratesVideo: {
287
+    //          H264: {
288
+    //              low: 200000,
289
+    //              standard: 500000,
290
+    //              high: 1500000
291
+    //          },
292
+    //          VP8 : {
293
+    //              low: 200000,
294
+    //              standard: 500000,
295
+    //              high: 1500000
296
+    //          },
297
+    //          VP9: {
298
+    //              low: 100000,
299
+    //              standard: 300000,
300
+    //              high:  1200000
301
+    //          }
302
+    //    },
303
+    //
304
+    //    // The options can be used to override default thresholds of video thumbnail heights corresponding to
305
+    //    // the video quality levels used in the application. At the time of this writing the allowed levels are:
306
+    //    //     'low' - for the low quality level (180p at the time of this writing)
307
+    //    //     'standard' - for the medium quality level (360p)
308
+    //    //     'high' - for the high quality level (720p)
309
+    //    // The keys should be positive numbers which represent the minimal thumbnail height for the quality level.
310
+    //    //
311
+    //    // With the default config value below the application will use 'low' quality until the thumbnails are
312
+    //    // at least 360 pixels tall. If the thumbnail height reaches 720 pixels then the application will switch to
313
+    //    // the high quality.
314
+    //    minHeightForQualityLvl: {
315
+    //        360: 'standard',
316
+    //        720: 'high'
317
+    //    },
318
+    //
319
+    //    // Provides a way to resize the desktop track to 720p (if it is greater than 720p) before creating a canvas
320
+    //    // for the presenter mode (camera picture-in-picture mode with screenshare).
321
+    //    resizeDesktopForPresenter: false
322
+    // },
323
+
324
+    // // Options for the recording limit notification.
325
+    // recordingLimit: {
326
+    //
327
+    //    // The recording limit in minutes. Note: This number appears in the notification text
328
+    //    // but doesn't enforce the actual recording time limit. This should be configured in
329
+    //    // jibri!
330
+    //    limit: 60,
331
+    //
332
+    //    // The name of the app with unlimited recordings.
333
+    //    appName: 'Unlimited recordings APP',
334
+    //
335
+    //    // The URL of the app with unlimited recordings.
336
+    //    appURL: 'https://unlimited.recordings.app.com/'
337
+    // },
338
+
339
+    // Disables or enables RTX (RFC 4588) (defaults to false).
340
+    // disableRtx: false,
341
+
342
+    // Disables or enables TCC support in this client (default: enabled).
343
+    // enableTcc: true,
344
+
345
+    // Disables or enables REMB support in this client (default: enabled).
346
+    // enableRemb: true,
347
+
348
+    // Enables ICE restart logic in LJM and displays the page reload overlay on
349
+    // ICE failure. Current disabled by default because it's causing issues with
350
+    // signaling when Octo is enabled. Also when we do an "ICE restart"(which is
351
+    // not a real ICE restart), the client maintains the TCC sequence number
352
+    // counter, but the bridge resets it. The bridge sends media packets with
353
+    // TCC sequence numbers starting from 0.
354
+    // enableIceRestart: false,
355
+
356
+    // Enables forced reload of the client when the call is migrated as a result of
357
+    // the bridge going down.
358
+    // enableForcedReload: true,
359
+
360
+    // Use TURN/UDP servers for the jitsi-videobridge connection (by default
361
+    // we filter out TURN/UDP because it is usually not needed since the
362
+    // bridge itself is reachable via UDP)
363
+    // useTurnUdp: false
364
+
365
+    // UI
366
+    //
367
+
368
+    // Disables responsive tiles.
369
+    // disableResponsiveTiles: false,
370
+
371
+    // Hides lobby button
372
+    // hideLobbyButton: false,
373
+
374
+    // Require users to always specify a display name.
375
+    // requireDisplayName: true,
376
+
377
+    // Whether to use a welcome page or not. In case it's false a random room
378
+    // will be joined when no room is specified.
379
+    enableWelcomePage: true,
380
+
381
+    // Disable app shortcuts that are registered upon joining a conference
382
+    // disableShortcuts: false,
383
+
384
+    // Disable initial browser getUserMedia requests.
385
+    // This is useful for scenarios where users might want to start a conference for screensharing only
386
+    // disableInitialGUM: false,
387
+
388
+    // Enabling the close page will ignore the welcome page redirection when
389
+    // a call is hangup.
390
+    // enableClosePage: false,
391
+
392
+    // Disable hiding of remote thumbnails when in a 1-on-1 conference call.
393
+    // disable1On1Mode: false,
394
+
395
+    // Default language for the user interface.
396
+    // defaultLanguage: 'en',
397
+
398
+    // Disables profile and the edit of all fields from the profile settings (display name and email)
399
+    // disableProfile: false,
400
+
401
+    // Whether or not some features are checked based on token.
402
+    // enableFeaturesBasedOnToken: false,
403
+
404
+    // When enabled the password used for locking a room is restricted to up to the number of digits specified
405
+    // roomPasswordNumberOfDigits: 10,
406
+    // default: roomPasswordNumberOfDigits: false,
407
+
408
+    // Message to show the users. Example: 'The service will be down for
409
+    // maintenance at 01:00 AM GMT,
410
+    // noticeMessage: '',
411
+
412
+    // Enables calendar integration, depends on googleApiApplicationClientID
413
+    // and microsoftApiApplicationClientID
414
+    // enableCalendarIntegration: false,
415
+
416
+    // When 'true', it shows an intermediate page before joining, where the user can configure their devices.
417
+    // prejoinPageEnabled: false,
418
+
419
+    // If etherpad integration is enabled, setting this to true will
420
+    // automatically open the etherpad when a participant joins.  This
421
+    // does not affect the mobile app since opening an etherpad
422
+    // obscures the conference controls -- it's better to let users
423
+    // choose to open the pad on their own in that case.
424
+    // openSharedDocumentOnJoin: false,
425
+
426
+    // If true, shows the unsafe room name warning label when a room name is
427
+    // deemed unsafe (due to the simplicity in the name) and a password is not
428
+    // set or the lobby is not enabled.
429
+    // enableInsecureRoomNameWarning: false,
430
+
431
+    // Whether to automatically copy invitation URL after creating a room.
432
+    // Document should be focused for this option to work
433
+    // enableAutomaticUrlCopy: false,
434
+
435
+    // Base URL for a Gravatar-compatible service. Defaults to libravatar.
436
+    // gravatarBaseURL: 'https://seccdn.libravatar.org/avatar/',
437
+
438
+    // Moved from interfaceConfig(TOOLBAR_BUTTONS).
439
+    // The name of the toolbar buttons to display in the toolbar, including the
440
+    // "More actions" menu. If present, the button will display. Exceptions are
441
+    // "livestreaming" and "recording" which also require being a moderator and
442
+    // some other values in config.js to be enabled. Also, the "profile" button will
443
+    // not display for users with a JWT.
444
+    // Notes:
445
+    // - it's impossible to choose which buttons go in the "More actions" menu
446
+    // - it's impossible to control the placement of buttons
447
+    // - 'desktop' controls the "Share your screen" button
448
+    // - if `toolbarButtons` is undefined, we fallback to enabling all buttons on the UI
449
+    // toolbarButtons: [
450
+    //    'microphone', 'camera', 'closedcaptions', 'desktop', 'embedmeeting', 'fullscreen',
451
+    //    'fodeviceselection', 'hangup', 'profile', 'chat', 'recording',
452
+    //    'livestreaming', 'etherpad', 'sharedvideo', 'shareaudio', 'settings', 'raisehand',
453
+    //    'videoquality', 'filmstrip', 'invite', 'feedback', 'stats', 'shortcuts',
454
+    //    'tileview', 'select-background', 'download', 'help', 'mute-everyone', 'mute-video-everyone', 'security'
455
+    // ],
456
+
457
+    // Stats
458
+    //
459
+
460
+    // Whether to enable stats collection or not in the TraceablePeerConnection.
461
+    // This can be useful for debugging purposes (post-processing/analysis of
462
+    // the webrtc stats) as it is done in the jitsi-meet-torture bandwidth
463
+    // estimation tests.
464
+    // gatherStats: false,
465
+
466
+    // The interval at which PeerConnection.getStats() is called. Defaults to 10000
467
+    // pcStatsInterval: 10000,
468
+
469
+    // To enable sending statistics to callstats.io you must provide the
470
+    // Application ID and Secret.
471
+    // callStatsID: '',
472
+    // callStatsSecret: '',
473
+
474
+    // Enables sending participants' display names to callstats
475
+    // enableDisplayNameInStats: false,
476
+
477
+    // Enables sending participants' emails (if available) to callstats and other analytics
478
+    // enableEmailInStats: false,
479
+
480
+    // Controls the percentage of automatic feedback shown to participants when callstats is enabled.
481
+    // The default value is 100%. If set to 0, no automatic feedback will be requested
482
+    // feedbackPercentage: 100,
483
+
484
+    // Privacy
485
+    //
486
+
487
+    // If third party requests are disabled, no other server will be contacted.
488
+    // This means avatars will be locally generated and callstats integration
489
+    // will not function.
490
+    // disableThirdPartyRequests: false,
491
+
492
+
493
+    // Peer-To-Peer mode: used (if enabled) when there are just 2 participants.
494
+    //
495
+
496
+    p2p: {
497
+        // Enables peer to peer mode. When enabled the system will try to
498
+        // establish a direct connection when there are exactly 2 participants
499
+        // in the room. If that succeeds the conference will stop sending data
500
+        // through the JVB and use the peer to peer connection instead. When a
501
+        // 3rd participant joins the conference will be moved back to the JVB
502
+        // connection.
503
+        enabled: true,
504
+
505
+        // Sets the ICE transport policy for the p2p connection. At the time
506
+        // of this writing the list of possible values are 'all' and 'relay',
507
+        // but that is subject to change in the future. The enum is defined in
508
+        // the WebRTC standard:
509
+        // https://www.w3.org/TR/webrtc/#rtcicetransportpolicy-enum.
510
+        // If not set, the effective value is 'all'.
511
+        // iceTransportPolicy: 'all',
512
+
513
+        // If set to true, it will prefer to use H.264 for P2P calls (if H.264
514
+        // is supported). This setting is deprecated, use preferredCodec instead.
515
+        // preferH264: true,
516
+
517
+        // Provides a way to set the video codec preference on the p2p connection. Acceptable
518
+        // codec values are 'VP8', 'VP9' and 'H264'.
519
+        // preferredCodec: 'H264',
520
+
521
+        // If set to true, disable H.264 video codec by stripping it out of the
522
+        // SDP. This setting is deprecated, use disabledCodec instead.
523
+        // disableH264: false,
524
+
525
+        // Provides a way to prevent a video codec from being negotiated on the p2p connection.
526
+        // disabledCodec: '',
527
+
528
+        // How long we're going to wait, before going back to P2P after the 3rd
529
+        // participant has left the conference (to filter out page reload).
530
+        // backToP2PDelay: 5,
531
+
532
+        // The STUN servers that will be used in the peer to peer connections
533
+        stunServers: [
534
+
535
+            // { urls: 'stun:{{ jitsi_domain }}:3478' },
536
+            { urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' }
537
+        ]
538
+    },
539
+
540
+    analytics: {
541
+        // The Google Analytics Tracking ID:
542
+        // googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1'
543
+
544
+        // Matomo configuration:
545
+        // matomoEndpoint: 'https://your-matomo-endpoint/',
546
+        // matomoSiteID: '42',
547
+
548
+        // The Amplitude APP Key:
549
+        // amplitudeAPPKey: '<APP_KEY>'
550
+
551
+        // Configuration for the rtcstats server:
552
+        // By enabling rtcstats server every time a conference is joined the rtcstats
553
+        // module connects to the provided rtcstatsEndpoint and sends statistics regarding
554
+        // PeerConnection states along with getStats metrics polled at the specified
555
+        // interval.
556
+        // rtcstatsEnabled: true,
557
+
558
+        // In order to enable rtcstats one needs to provide a endpoint url.
559
+        // rtcstatsEndpoint: wss://rtcstats-server-pilot.jitsi.net/,
560
+
561
+        // The interval at which rtcstats will poll getStats, defaults to 1000ms.
562
+        // If the value is set to 0 getStats won't be polled and the rtcstats client
563
+        // will only send data related to RTCPeerConnection events.
564
+        // rtcstatsPolIInterval: 1000,
565
+
566
+        // Array of script URLs to load as lib-jitsi-meet "analytics handlers".
567
+        // scriptURLs: [
568
+        //      "libs/analytics-ga.min.js", // google-analytics
569
+        //      "https://example.com/my-custom-analytics.js"
570
+        // ],
571
+    },
572
+
573
+    // Logs that should go be passed through the 'log' event if a handler is defined for it
574
+    // apiLogLevels: ['warn', 'log', 'error', 'info', 'debug'],
575
+
576
+    // Information about the jitsi-meet instance we are connecting to, including
577
+    // the user region as seen by the server.
578
+    deploymentInfo: {
579
+        // shard: "shard1",
580
+        // region: "europe",
581
+        // userRegion: "asia"
582
+    },
583
+
584
+    // Decides whether the start/stop recording audio notifications should play on record.
585
+    // disableRecordAudioNotification: false,
586
+
587
+    // Disables the sounds that play when other participants join or leave the
588
+    // conference (if set to true, these sounds will not be played).
589
+    // disableJoinLeaveSounds: false,
590
+
591
+    // Information for the chrome extension banner
592
+    // chromeExtensionBanner: {
593
+    //     // The chrome extension to be installed address
594
+    //     url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb',
595
+
596
+    //     // Extensions info which allows checking if they are installed or not
597
+    //     chromeExtensionsInfo: [
598
+    //         {
599
+    //             id: 'kglhbbefdnlheedjiejgomgmfplipfeb',
600
+    //             path: 'jitsi-logo-48x48.png'
601
+    //         }
602
+    //     ]
603
+    // },
604
+
605
+    // Local Recording
606
+    //
607
+
608
+    // localRecording: {
609
+    // Enables local recording.
610
+    // Additionally, 'localrecording' (all lowercase) needs to be added to
611
+    // TOOLBAR_BUTTONS in interface_config.js for the Local Recording
612
+    // button to show up on the toolbar.
613
+    //
614
+    //     enabled: true,
615
+    //
616
+
617
+    // The recording format, can be one of 'ogg', 'flac' or 'wav'.
618
+    //     format: 'flac'
619
+    //
620
+
621
+    // },
622
+
623
+    // Options related to end-to-end (participant to participant) ping.
624
+    // e2eping: {
625
+    //   // The interval in milliseconds at which pings will be sent.
626
+    //   // Defaults to 10000, set to <= 0 to disable.
627
+    //   pingInterval: 10000,
628
+    //
629
+    //   // The interval in milliseconds at which analytics events
630
+    //   // with the measured RTT will be sent. Defaults to 60000, set
631
+    //   // to <= 0 to disable.
632
+    //   analyticsInterval: 60000,
633
+    //   },
634
+
635
+    // If set, will attempt to use the provided video input device label when
636
+    // triggering a screenshare, instead of proceeding through the normal flow
637
+    // for obtaining a desktop stream.
638
+    // NOTE: This option is experimental and is currently intended for internal
639
+    // use only.
640
+    // _desktopSharingSourceDevice: 'sample-id-or-label',
641
+
642
+    // If true, any checks to handoff to another application will be prevented
643
+    // and instead the app will continue to display in the current browser.
644
+    // disableDeepLinking: false,
645
+
646
+    // A property to disable the right click context menu for localVideo
647
+    // the menu has option to flip the locally seen video for local presentations
648
+    // disableLocalVideoFlip: false,
649
+
650
+    // A property used to unset the default flip state of the local video.
651
+    // When it is set to 'true', the local(self) video will not be mirrored anymore.
652
+    // doNotFlipLocalVideo: false,
653
+
654
+    // Mainly privacy related settings
655
+
656
+    // Disables all invite functions from the app (share, invite, dial out...etc)
657
+    // disableInviteFunctions: true,
658
+
659
+    // Disables storing the room name to the recents list
660
+    // doNotStoreRoom: true,
661
+
662
+    // Deployment specific URLs.
663
+    // deploymentUrls: {
664
+    //    // If specified a 'Help' button will be displayed in the overflow menu with a link to the specified URL for
665
+    //    // user documentation.
666
+    //    userDocumentationURL: 'https://docs.example.com/video-meetings.html',
667
+    //    // If specified a 'Download our apps' button will be displayed in the overflow menu with a link
668
+    //    // to the specified URL for an app download page.
669
+    //    downloadAppsUrl: 'https://docs.example.com/our-apps.html'
670
+    // },
671
+
672
+    // Options related to the remote participant menu.
673
+    // remoteVideoMenu: {
674
+    //     // If set to true the 'Kick out' button will be disabled.
675
+    //     disableKick: true,
676
+    //     // If set to true the 'Grant moderator' button will be disabled.
677
+    //     disableGrantModerator: true
678
+    // },
679
+
680
+    // If set to true all muting operations of remote participants will be disabled.
681
+    // disableRemoteMute: true,
682
+
683
+    // Enables support for lip-sync for this client (if the browser supports it).
684
+    // enableLipSync: false
685
+
686
+    /**
687
+     External API url used to receive branding specific information.
688
+     If there is no url set or there are missing fields, the defaults are applied.
689
+     None of the fields are mandatory and the response must have the shape:
690
+     {
691
+         // The hex value for the colour used as background
692
+         backgroundColor: '#fff',
693
+         // The url for the image used as background
694
+         backgroundImageUrl: 'https://example.com/background-img.png',
695
+         // The anchor url used when clicking the logo image
696
+         logoClickUrl: 'https://example-company.org',
697
+         // The url used for the image used as logo
698
+         logoImageUrl: 'https://example.com/logo-img.png'
699
+     }
700
+    */
701
+    // dynamicBrandingUrl: '',
702
+
703
+    // Sets the background transparency level. '0' is fully transparent, '1' is opaque.
704
+    // backgroundAlpha: 1,
705
+
706
+    // The URL of the moderated rooms microservice, if available. If it
707
+    // is present, a link to the service will be rendered on the welcome page,
708
+    // otherwise the app doesn't render it.
709
+    // moderatedRoomServiceUrl: 'https://moderated.{{ jitsi_domain }}',
710
+
711
+    // If true, tile view will not be enabled automatically when the participants count threshold is reached.
712
+    // disableTileView: true,
713
+
714
+    // Hides the conference subject
715
+    // hideConferenceSubject: true,
716
+
717
+    // Hides the conference timer.
718
+    // hideConferenceTimer: true,
719
+
720
+    // Hides the participants stats
721
+    // hideParticipantsStats: true,
722
+
723
+    // Sets the conference subject
724
+    // subject: 'Conference Subject',
725
+
726
+    // This property is related to the use case when jitsi-meet is used via the IFrame API. When the property is true
727
+    // jitsi-meet will use the local storage of the host page instead of its own. This option is useful if the browser
728
+    // is not persisting the local storage inside the iframe.
729
+    // useHostPageLocalStorage: true,
730
+
731
+    // List of undocumented settings used in jitsi-meet
732
+    /**
733
+     _immediateReloadThreshold
734
+     debug
735
+     debugAudioLevels
736
+     deploymentInfo
737
+     dialInConfCodeUrl
738
+     dialInNumbersUrl
739
+     dialOutAuthUrl
740
+     dialOutCodesUrl
741
+     disableRemoteControl
742
+     displayJids
743
+     etherpad_base
744
+     externalConnectUrl
745
+     firefox_fake_device
746
+     googleApiApplicationClientID
747
+     iAmRecorder
748
+     iAmSipGateway
749
+     microsoftApiApplicationClientID
750
+     peopleSearchQueryTypes
751
+     peopleSearchUrl
752
+     requireDisplayName
753
+     tokenAuthUrl
754
+     */
755
+
756
+    /**
757
+     * This property can be used to alter the generated meeting invite links (in combination with a branding domain
758
+     * which is retrieved internally by jitsi meet) (e.g. https://meet.jit.si/someMeeting
759
+     * can become https://brandedDomain/roomAlias)
760
+     */
761
+    // brandingRoomAlias: null,
762
+
763
+    // List of undocumented settings used in lib-jitsi-meet
764
+    /**
765
+     _peerConnStatusOutOfLastNTimeout
766
+     _peerConnStatusRtcMuteTimeout
767
+     abTesting
768
+     avgRtpStatsN
769
+     callStatsConfIDNamespace
770
+     callStatsCustomScriptUrl
771
+     desktopSharingSources
772
+     disableAEC
773
+     disableAGC
774
+     disableAP
775
+     disableHPF
776
+     disableNS
777
+     enableTalkWhileMuted
778
+     forceJVB121Ratio
779
+     forceTurnRelay
780
+     hiddenDomain
781
+     ignoreStartMuted
782
+     websocketKeepAlive
783
+     websocketKeepAliveUrl
784
+     */
785
+
786
+    /**
787
+        Use this array to configure which notifications will be shown to the user
788
+        The items correspond to the title or description key of that notification
789
+        Some of these notifications also depend on some other internal logic to be displayed or not,
790
+        so adding them here will not ensure they will always be displayed
791
+
792
+        A falsy value for this prop will result in having all notifications enabled (e.g null, undefined, false)
793
+    */
794
+    // notifications: [
795
+    //     'connection.CONNFAIL', // shown when the connection fails,
796
+    //     'dialog.cameraNotSendingData', // shown when there's no feed from user's camera
797
+    //     'dialog.kickTitle', // shown when user has been kicked
798
+    //     'dialog.liveStreaming', // livestreaming notifications (pending, on, off, limits)
799
+    //     'dialog.lockTitle', // shown when setting conference password fails
800
+    //     'dialog.maxUsersLimitReached', // shown when maximmum users limit has been reached
801
+    //     'dialog.micNotSendingData', // shown when user's mic is not sending any audio
802
+    //     'dialog.passwordNotSupportedTitle', // shown when setting conference password fails due to password format
803
+    //     'dialog.recording', // recording notifications (pending, on, off, limits)
804
+    //     'dialog.remoteControlTitle', // remote control notifications (allowed, denied, start, stop, error)
805
+    //     'dialog.reservationError',
806
+    //     'dialog.serviceUnavailable', // shown when server is not reachable
807
+    //     'dialog.sessTerminated', // shown when there is a failed conference session
808
+    //     'dialog.sessionRestarted', // show when a client reload is initiated because of bridge migration
809
+    //     'dialog.tokenAuthFailed', // show when an invalid jwt is used
810
+    //     'dialog.transcribing', // transcribing notifications (pending, off)
811
+    //     'dialOut.statusMessage', // shown when dial out status is updated.
812
+    //     'liveStreaming.busy', // shown when livestreaming service is busy
813
+    //     'liveStreaming.failedToStart', // shown when livestreaming fails to start
814
+    //     'liveStreaming.unavailableTitle', // shown when livestreaming service is not reachable
815
+    //     'lobby.joinRejectedMessage', // shown when while in a lobby, user's request to join is rejected
816
+    //     'lobby.notificationTitle', // shown when lobby is toggled and when join requests are allowed / denied
817
+    //     'localRecording.localRecording', // shown when a local recording is started
818
+    //     'notify.disconnected', // shown when a participant has left
819
+    //     'notify.grantedTo', // shown when moderator rights were granted to a participant
820
+    //     'notify.invitedOneMember', // shown when 1 participant has been invited
821
+    //     'notify.invitedThreePlusMembers', // shown when 3+ participants have been invited
822
+    //     'notify.invitedTwoMembers', // shown when 2 participants have been invited
823
+    //     'notify.kickParticipant', // shown when a participant is kicked
824
+    //     'notify.mutedRemotelyTitle', // shown when user is muted by a remote party
825
+    //     'notify.mutedTitle', // shown when user has been muted upon joining,
826
+    //     'notify.newDeviceAudioTitle', // prompts the user to use a newly detected audio device
827
+    //     'notify.newDeviceCameraTitle', // prompts the user to use a newly detected camera
828
+    //     'notify.passwordRemovedRemotely', // shown when a password has been removed remotely
829
+    //     'notify.passwordSetRemotely', // shown when a password has been set remotely
830
+    //     'notify.raisedHand', // shown when a partcipant used raise hand,
831
+    //     'notify.startSilentTitle', // shown when user joined with no audio
832
+    //     'prejoin.errorDialOut',
833
+    //     'prejoin.errorDialOutDisconnected',
834
+    //     'prejoin.errorDialOutFailed',
835
+    //     'prejoin.errorDialOutStatus',
836
+    //     'prejoin.errorStatusCode',
837
+    //     'prejoin.errorValidation',
838
+    //     'recording.busy', // shown when recording service is busy
839
+    //     'recording.failedToStart', // shown when recording fails to start
840
+    //     'recording.unavailableTitle', // shown when recording service is not reachable
841
+    //     'toolbar.noAudioSignalTitle', // shown when a broken mic is detected
842
+    //     'toolbar.noisyAudioInputTitle', // shown when noise is detected for the current microphone
843
+    //     'toolbar.talkWhileMutedPopup', // shown when user tries to speak while muted
844
+    //     'transcribing.failedToStart' // shown when transcribing fails to start
845
+    // ]
846
+
847
+    // Allow all above example options to include a trailing comma and
848
+    // prevent fear when commenting out the last value.
849
+    makeJsonParserHappy: 'even if last key had a trailing comma'
850
+
851
+    // no configuration value should follow this line.
852
+};
853
+
854
+/* eslint-enable no-unused-vars, no-var */

+ 102
- 0
roles/jitsi/templates/etc_prosody_conf.avail_jitsi_domain.cfg.lua.j2 Переглянути файл

@@ -0,0 +1,102 @@
1
+plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
2
+
3
+-- domain mapper options, must at least have domain base set to use the mapper
4
+muc_mapper_domain_base = "{{ jitsi_domain }}";
5
+
6
+external_service_secret = "6XhEs5NEtN735NXh";
7
+external_services = {
8
+     { type = "stun", host = "{{ jitsi_domain }}", port = 3478 },
9
+     { type = "turn", host = "{{ jitsi_domain }}", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
10
+     { type = "turns", host = "{{ jitsi_domain }}", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
11
+};
12
+
13
+cross_domain_bosh = false;
14
+consider_bosh_secure = true;
15
+-- https_ports = { }; -- Remove this line to prevent listening on port 5284
16
+
17
+-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
18
+ssl = {
19
+    protocol = "tlsv1_2+";
20
+    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
21
+}
22
+
23
+VirtualHost "{{ jitsi_domain }}"
24
+    -- enabled = false -- Remove this line to enable this host
25
+    -- authentication = "anonymous"
26
+    authentication = "internal_hashed"
27
+    -- Properties below are modified by jitsi-meet-tokens package config
28
+    -- and authentication above is switched to "token"
29
+    --app_id="example_app_id"
30
+    --app_secret="example_app_secret"
31
+    -- Assign this host a certificate for TLS, otherwise it would use the one
32
+    -- set in the global section (if any).
33
+    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
34
+    -- use the global one.
35
+    ssl = {
36
+        key = "/etc/prosody/certs/{{ jitsi_domain }}.key";
37
+        certificate = "/etc/prosody/certs/{{ jitsi_domain }}.crt";
38
+    }
39
+    speakerstats_component = "speakerstats.{{ jitsi_domain }}"
40
+    conference_duration_component = "conferenceduration.{{ jitsi_domain }}"
41
+    -- we need bosh
42
+    modules_enabled = {
43
+        "bosh";
44
+        "pubsub";
45
+        "ping"; -- Enable mod_ping
46
+        "speakerstats";
47
+        "external_services";
48
+        "conference_duration";
49
+        "muc_lobby_rooms";
50
+    }
51
+    c2s_require_encryption = false
52
+    lobby_muc = "lobby.{{ jitsi_domain }}"
53
+    main_muc = "conference.{{ jitsi_domain }}"
54
+    -- muc_lobby_whitelist = { "recorder.{{ jitsi_domain }}" } -- Here we can whitelist jibri to enter lobby enabled rooms
55
+
56
+VirtualHost "guest.{{ jitsi_domain }}"
57
+    authentication = "anonymous"
58
+    c2s_require_encryption = false
59
+
60
+Component "conference.{{ jitsi_domain }}" "muc"
61
+    storage = "memory"
62
+    modules_enabled = {
63
+        "muc_meeting_id";
64
+        "muc_domain_mapper";
65
+        --"token_verification";
66
+    }
67
+    admins = { "focus@auth.{{ jitsi_domain }}" }
68
+    muc_room_locking = false
69
+    muc_room_default_public_jids = true
70
+
71
+-- internal muc component
72
+Component "internal.auth.{{ jitsi_domain }}" "muc"
73
+    storage = "memory"
74
+    modules_enabled = {
75
+        "ping";
76
+    }
77
+    admins = { "focus@auth.{{ jitsi_domain }}", "jvb@auth.{{ jitsi_domain }}" }
78
+    muc_room_locking = false
79
+    muc_room_default_public_jids = true
80
+
81
+VirtualHost "auth.{{ jitsi_domain }}"
82
+    ssl = {
83
+        key = "/etc/prosody/certs/auth.{{ jitsi_domain }}.key";
84
+        certificate = "/etc/prosody/certs/auth.{{ jitsi_domain }}.crt";
85
+    }
86
+    authentication = "internal_hashed"
87
+
88
+-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
89
+Component "focus.{{ jitsi_domain }}" "client_proxy"
90
+    target_address = "focus@auth.{{ jitsi_domain }}"
91
+
92
+Component "speakerstats.{{ jitsi_domain }}" "speakerstats_component"
93
+    muc_component = "conference.{{ jitsi_domain }}"
94
+
95
+Component "conferenceduration.{{ jitsi_domain }}" "conference_duration_component"
96
+    muc_component = "conference.{{ jitsi_domain }}"
97
+
98
+Component "lobby.{{ jitsi_domain }}" "muc"
99
+    storage = "memory"
100
+    restrict_room_creation = true
101
+    muc_room_locking = false
102
+    muc_room_default_public_jids = true

+ 13
- 0
roles/monitoring/files/etc_monit_conf.d_jitsi Переглянути файл

@@ -0,0 +1,13 @@
1
+check process jicofo matching jicofo
2
+  group social
3
+  start program = "/bin/systemctl start jicofo"
4
+  stop program = "/bin/systemctl stop jicofo"
5
+  if does not exist then restart
6
+  if 5 restarts within 5 cycles then timeout
7
+
8
+check process jitsi-videobridge2 matching jitsi-videobridge
9
+  group social
10
+  start program = "/bin/systemctl start jitsi-videobridge2"
11
+  stop program = "/bin/systemctl stop jitsi-videobridge2"
12
+  if does not exist then restart
13
+  if 5 restarts within 5 cycles then timeout

+ 9
- 0
roles/monitoring/tasks/monit.yml Переглянути файл

@@ -72,6 +72,10 @@
72 72
   stat: path=/etc/openvpn/server.conf
73 73
   register: openvpn_config_file
74 74
 
75
+- name: Determine if Jitsi is installed
76
+  stat: path=/etc/jitsi/jicofo/config
77
+  register: jitsi_config_file
78
+
75 79
 - name: Copy ZNC monit service config files into place
76 80
   copy: src=etc_monit_conf.d_znc dest=/etc/monit/conf.d/znc
77 81
   notify: restart monit
@@ -82,6 +86,11 @@
82 86
   notify: restart monit
83 87
   when: prosody_config_file.stat.exists == True
84 88
 
89
+- name: Copy Jitsi monit service config files into place
90
+  copy: src=etc_monit_conf.d_jitsi dest=/etc/monit/conf.d/jitsi
91
+  notify: restart monit
92
+  when: jitsi_config_file.stat.exists == True
93
+
85 94
 - name: Copy Fathom monit service config files into place
86 95
   copy: src=etc_monit_conf.d_fathom dest=/etc/monit/conf.d/fathom
87 96
   notify: restart monit

+ 1
- 1
roles/sslletsencrypt/files/letsencrypt-gencert Переглянути файл

@@ -18,7 +18,7 @@ for domain in "$@"; do
18 18
 
19 19
   # subdomains - www.foo.com mail.foo.com ...
20 20
   # TODO includes servername (eddie / stage)!
21
-  for sub in stage www mail autoconfig stats news cloud git matrix status social comments iot wiki; do
21
+  for sub in stage www mail autoconfig stats news cloud git matrix status social comments iot wiki jitsi; do
22 22
     # only add if the DNS entry for the subdomain does actually exist
23 23
     if (getent hosts $sub.$domain > /dev/null); then
24 24
       if [ -z "$d" ]; then

+ 0
- 5
roles/xmpp/defaults/main.yml Переглянути файл

@@ -1,5 +0,0 @@
1
-prosody_admin: "{{ admin_email }}"
2
-prosody_accounts:
3
-  - name: "{{ main_user_name }}"
4
-    domain: "{{ domain }}"
5
-    password: "{{ lookup('password', secret + '/' + 'xmpp_main_user_password length=32') }}"

+ 0
- 3
roles/xmpp/files/etc_letsencrypt_postrenew_prosody.sh Переглянути файл

@@ -1,3 +0,0 @@
1
-#!/bin/bash
2
-
3
-systemctl restart prosody.service

+ 0
- 2
roles/xmpp/handlers/main.yml Переглянути файл

@@ -1,2 +0,0 @@
1
-- name: restart prosody
2
-  command: systemctl restart prosody

+ 0
- 4
roles/xmpp/tasks/main.yml Переглянути файл

@@ -1,4 +0,0 @@
1
----
2
-# Provides the Prosody Jabber/XMPP server.
3
-
4
-- include: prosody.yml tags=prosody

+ 0
- 45
roles/xmpp/tasks/prosody.yml Переглянути файл

@@ -1,45 +0,0 @@
1
-- name: Ensure repository key for Prosody is in place
2
-  apt_key: url=https://prosody.im/files/prosody-debian-packages.key state=present
3
-  tags:
4
-    - dependencies
5
-
6
-- name: Add Prosody repository
7
-  apt_repository: repo="deb http://packages.prosody.im/debian {{ ansible_distribution_release }} main"
8
-  tags:
9
-    - dependencies
10
-
11
-- name: Install Prosody and dependencies from official repository
12
-  apt:
13
-    name: "{{ packages }}"
14
-    state: present
15
-    update_cache: yes
16
-  vars:
17
-    packages:
18
-    - prosody
19
-    - lua-sec
20
-  tags:
21
-    - dependencies
22
-
23
-- name: Add prosody user to ssl-cert group
24
-  user: name=prosody group=ssl-cert
25
-
26
-- name: Add cert postrenew task
27
-  copy: src=etc_letsencrypt_postrenew_prosody.sh dest=/etc/letsencrypt/postrenew/prosody.sh mode=0755
28
-
29
-- name: Create Prosody data directory
30
-  file: state=directory path=/data/prosody owner=prosody group=prosody
31
-
32
-- name: Configure Prosody
33
-  template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua group=prosody owner=root mode=0644
34
-  notify: restart prosody
35
-
36
-- name: Create Prosody accounts
37
-  command: prosodyctl register {{ item.name }} {{ item.domain }} "{{ item.password }}"
38
-  with_items: "{{ prosody_accounts }}"
39
-
40
-- name: Set firewall rules for Prosody
41
-  ufw: rule=allow port={{ item }} proto=tcp
42
-  with_items:
43
-    - 5222  # xmpp c2s
44
-    - 5269  # xmpp s2s
45
-  tags: ufw

+ 0
- 117
roles/xmpp/templates/prosody.cfg.lua.j2 Переглянути файл

@@ -1,177 +0,0 @@
1
---
2
---
3
---
4
-
5
-
6
----------- Server-wide settings ----------
7
-
8
-admins = { "{{ prosody_admin }}" }
9
-
10
---use_libevent = true;
11
-
12
-modules_enabled = {
13
-
14
-	-- Generally required
15
-		"roster"; -- Allow users to have a roster. Recommended ;)
16
-		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
17
-		"tls"; -- Add support for secure TLS on c2s/s2s connections
18
-		"dialback"; -- s2s dialback support
19
-		"disco"; -- Service discovery
20
-		"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
21
-
22
-	-- Not essential, but recommended
23
-		"private"; -- Private XML storage (for room bookmarks, etc.)
24
-		"vcard"; -- Allow users to set vCards
25
-
26
-	-- These are commented by default as they have a performance impact
27
-                "blocklist"; -- Support blocking users
28
-		--"compression"; -- Stream compression (requires the lua-zlib package installed)
29
-
30
-	-- Nice to have
31
-		"version"; -- Replies to server version requests
32
-		"uptime"; -- Report how long server has been running
33
-		"time"; -- Let others know the time here on this server
34
-		"ping"; -- Replies to XMPP pings with pongs
35
-		-- "pep"; -- Enables users to publish their mood, activity, playing music and more
36
-		"register"; -- Allow users to register on this server using a client and change passwords
37
-
38
-	-- Admin interfaces
39
-		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
40
-		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
41
-
42
-	-- HTTP modules
43
-		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
44
-		--"http_files"; -- Serve static files from a directory over HTTP
45
-
46
-	-- Other specific functionality
47
-		--"groups"; -- Shared roster support
48
-		--"announce"; -- Send announcement to all online users
49
-		--"welcome"; -- Welcome users who register accounts
50
-		--"watchregistrations"; -- Alert admins of registrations
51
-		--"motd"; -- Send a message to users when they log in
52
-		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
53
-};
54
-
55
-modules_disabled = {
56
-	-- "offline"; -- Store offline messages
57
-	-- "c2s"; -- Handle client connections
58
-	-- "s2s"; -- Handle server-to-server connections
59
-};
60
-
61
-allow_registration = false;
62
-
63
-ssl = {
64
-	key = "/etc/letsencrypt/live/{{ domain }}/privkey.pem";
65
-	certificate = "/etc/letsencrypt/live/{{ domain }}/cert.pem";
66
-}
67
-
68
-
69
-c2s_require_encryption = true
70
-
71
-
72
-s2s_secure_auth = false
73
-
74
-
75
---s2s_insecure_domains = { "gmail.com" }
76
-
77
-
78
---s2s_secure_domains = { "jabber.org" }
79
-
80
-pidfile = "/var/run/prosody/prosody.pid"
81
-
82
-
83
-authentication = "internal_hashed"
84
-
85
-
86
---storage = "sql" -- Default is "internal"
87
-
88
---sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
89
---sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
90
---sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
91
-
92
-log = {
93
-	info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
94
-	error = "/var/log/prosody/prosody.err";
95
-	"*syslog";
96
-}
97
-
98
-data_path = "/data/prosody"
99
-
100
------------ Virtual hosts -----------
101
-
102
-{% for vd in virtual_domains %}
103
-VirtualHost "{{ vd.name }}"
104
-{% endfor %}
105
-
106
------- Components ------
107
-
108
----Set up a MUC (multi-user chat) room server on conference.example.com:
109
---Component "conference.example.com" "muc"
110
-
111
---Component "proxy.example.com" "proxy65"
112
-
113
----Set up an external component (default component port is 5347)
114
---
115
---
116
---Component "gateway.example.com"
117
---	component_secret = "password"

Завантаження…
Відмінити
Зберегти