Rework prosody's configuration
This commit is contained in:
parent
0e848bb2d0
commit
47bcdaaf0d
8 changed files with 193 additions and 78 deletions
|
@ -73,7 +73,8 @@ services:
|
||||||
build:
|
build:
|
||||||
context: ./jitsi/build/jitsi-xmpp
|
context: ./jitsi/build/jitsi-xmpp
|
||||||
args:
|
args:
|
||||||
VERSION: 0.11.7-1~buster4
|
MEET_VERSION: 5390
|
||||||
|
PROSODY_VERSION: 0.11.7-1~buster4
|
||||||
image: superboum/amd64_jitsi_xmpp:v9
|
image: superboum/amd64_jitsi_xmpp:v9
|
||||||
|
|
||||||
plume:
|
plume:
|
||||||
|
|
|
@ -1,13 +1,7 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
cp ${JITSI_CERTS_FOLDER}/auth.jitsi.deuxfleurs.fr.crt /usr/local/share/ca-certificates/auth.jitsi.deuxfleurs.fr.crt
|
|
||||||
update-ca-certificates -f
|
update-ca-certificates -f
|
||||||
|
|
||||||
cat >> /etc/hosts <<EOF
|
|
||||||
${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr
|
|
||||||
127.0.0.1 `hostname`
|
|
||||||
EOF
|
|
||||||
|
|
||||||
exec java \
|
exec java \
|
||||||
-Xmx400m \
|
-Xmx400m \
|
||||||
-XX:+HeapDumpOnOutOfMemoryError \
|
-XX:+HeapDumpOnOutOfMemoryError \
|
||||||
|
|
|
@ -1,7 +1,16 @@
|
||||||
|
FROM debian:buster as builder
|
||||||
|
|
||||||
|
ARG MEET_VERSION
|
||||||
|
WORKDIR /tmp
|
||||||
|
RUN apt-get update && \
|
||||||
|
apt-get install -y wget unzip && \
|
||||||
|
wget https://github.com/jitsi/jitsi-meet/archive/stable/jitsi-meet_${MEET_VERSION}.zip -O meet.zip && \
|
||||||
|
unzip meet.zip && \
|
||||||
|
mv jitsi-meet-* jitsi-meet
|
||||||
|
|
||||||
FROM debian:buster
|
FROM debian:buster
|
||||||
|
|
||||||
ARG VERSION
|
ARG PROSODY_VERSION
|
||||||
|
|
||||||
RUN apt-get update && \
|
RUN apt-get update && \
|
||||||
apt-get install -y wget gnupg2 && \
|
apt-get install -y wget gnupg2 && \
|
||||||
echo deb http://packages.prosody.im/debian buster main \
|
echo deb http://packages.prosody.im/debian buster main \
|
||||||
|
@ -9,7 +18,7 @@ RUN apt-get update && \
|
||||||
wget https://prosody.im/files/prosody-debian-packages.key -O - \
|
wget https://prosody.im/files/prosody-debian-packages.key -O - \
|
||||||
| apt-key add - && \
|
| apt-key add - && \
|
||||||
apt-get update && \
|
apt-get update && \
|
||||||
apt-get install -y prosody=${VERSION} lua-event
|
apt-get install -y prosody=${PROSODY_VERSION} lua-event
|
||||||
|
|
||||||
RUN mkdir -p /usr/local/share/ca-certificates/ && \
|
RUN mkdir -p /usr/local/share/ca-certificates/ && \
|
||||||
ln -sf \
|
ln -sf \
|
||||||
|
@ -20,6 +29,7 @@ RUN mkdir -p /usr/local/share/ca-certificates/ && \
|
||||||
mkdir -p /var/lib/prosody && \
|
mkdir -p /var/lib/prosody && \
|
||||||
chown -R prosody:prosody /var/lib/prosody /run/prosody
|
chown -R prosody:prosody /var/lib/prosody /run/prosody
|
||||||
|
|
||||||
|
COPY --from=builder /tmp/jitsi-meet/resources/prosody-plugins /usr/share/jitsi-meet/prosody-plugins/
|
||||||
COPY xmpp_prosody /usr/local/bin/xmpp_prosody
|
COPY xmpp_prosody /usr/local/bin/xmpp_prosody
|
||||||
|
|
||||||
WORKDIR /var/lib/prosody
|
WORKDIR /var/lib/prosody
|
||||||
|
|
|
@ -56,6 +56,12 @@ prosodyctl cert generate jitsi
|
||||||
|
|
||||||
https://github.com/jitsi/jitsi-meet/blob/master/doc/example-config-files/prosody.cfg.lua.example
|
https://github.com/jitsi/jitsi-meet/blob/master/doc/example-config-files/prosody.cfg.lua.example
|
||||||
|
|
||||||
|
but this one is not the one used by the [debian postinst script](https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet-prosody.postinst)
|
||||||
|
instead, we should look at this one: https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example
|
||||||
|
|
||||||
|
Jitsi can be configured to authenticated through tokens,
|
||||||
|
the postinst file is here: https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet-tokens.postinst
|
||||||
|
|
||||||
## Resources to understand jitsi
|
## Resources to understand jitsi
|
||||||
|
|
||||||
- [jicofo/debian/postinst](https://github.com/jitsi/jicofo/blob/master/debian/postinst)
|
- [jicofo/debian/postinst](https://github.com/jitsi/jicofo/blob/master/debian/postinst)
|
||||||
|
|
|
@ -9,14 +9,17 @@ services:
|
||||||
- "./prosody/certs/jitsi.key:/var/lib/prosody/jitsi.key:ro"
|
- "./prosody/certs/jitsi.key:/var/lib/prosody/jitsi.key:ro"
|
||||||
- "./prosody/certs/auth.jitsi.crt:/var/lib/prosody/auth.jitsi.crt:ro"
|
- "./prosody/certs/auth.jitsi.crt:/var/lib/prosody/auth.jitsi.crt:ro"
|
||||||
- "./prosody/certs/auth.jitsi.key:/var/lib/prosody/auth.jitsi.key:ro"
|
- "./prosody/certs/auth.jitsi.key:/var/lib/prosody/auth.jitsi.key:ro"
|
||||||
jitsi-meet:
|
|
||||||
image: superboum/amd64_jitsi_meet:v1
|
|
||||||
ports:
|
|
||||||
- "443:443"
|
|
||||||
jitsi-conference-focus:
|
jitsi-conference-focus:
|
||||||
image: superboum/amd64_jitsi_conference_focus:v4
|
image: superboum/amd64_jitsi_conference_focus:v7
|
||||||
jitsi-videobridge:
|
volumes:
|
||||||
image: superboum/amd64_jitsi_videobridge:v14
|
- "./prosody/certs/auth.jitsi.crt:/usr/local/share/ca-certificates/auth.jitsi.crt:ro"
|
||||||
ports:
|
- "./jicofo/jicofo.conf:/etc/jitsi/jicofo.conf:ro"
|
||||||
- "8080:8080/tcp"
|
# jitsi-meet:
|
||||||
- "10000:10000/udp"
|
# image: superboum/amd64_jitsi_meet:v1
|
||||||
|
# ports:
|
||||||
|
# - "443:443"
|
||||||
|
# jitsi-videobridge:
|
||||||
|
# image: superboum/amd64_jitsi_videobridge:v14
|
||||||
|
# ports:
|
||||||
|
# - "8080:8080/tcp"
|
||||||
|
# - "10000:10000/udp"
|
||||||
|
|
|
@ -53,7 +53,7 @@ jicofo {
|
||||||
}
|
}
|
||||||
|
|
||||||
// The JID of the MUC to be used as a brewery for bridge instances.
|
// The JID of the MUC to be used as a brewery for bridge instances.
|
||||||
brewery-jid = "jvbbrewery@example.com"
|
brewery-jid = "jvbbrewery@jitsi"
|
||||||
}
|
}
|
||||||
// Configure the codecs and RTP extensions to be used in the offer sent to clients.
|
// Configure the codecs and RTP extensions to be used in the offer sent to clients.
|
||||||
codec {
|
codec {
|
||||||
|
@ -256,12 +256,12 @@ jicofo {
|
||||||
}
|
}
|
||||||
// The separate XMPP connection used for internal services (currently only jitsi-videobridge).
|
// The separate XMPP connection used for internal services (currently only jitsi-videobridge).
|
||||||
service {
|
service {
|
||||||
enabled = false
|
enabled = true
|
||||||
hostname = "localhost"
|
hostname = "jitsi-xmpp"
|
||||||
port = 6222
|
port = 5222
|
||||||
#domain =
|
domain = "auth.jitsi"
|
||||||
#username =
|
username = "focus"
|
||||||
#password =
|
password = "xxx"
|
||||||
|
|
||||||
// How long to wait for a response to a stanza before giving up.
|
// How long to wait for a response to a stanza before giving up.
|
||||||
reply-timeout = 15 seconds
|
reply-timeout = 15 seconds
|
||||||
|
|
|
@ -1,64 +1,101 @@
|
||||||
|
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
|
||||||
daemonize = false
|
daemonize = false
|
||||||
allow_registration = false
|
|
||||||
use_libevent = true
|
use_libevent = true
|
||||||
|
|
||||||
|
-- domain mapper options, must at least have domain base set to use the mapper
|
||||||
|
muc_mapper_domain_base = "jitsi.deuxfleurs.fr";
|
||||||
|
|
||||||
|
--@FIXME would be great to configure it
|
||||||
|
--turncredentials_secret = "__turnSecret__";
|
||||||
|
|
||||||
|
--turncredentials = {
|
||||||
|
-- { type = "stun", host = "jitmeet.example.com", port = "3478" },
|
||||||
|
-- { type = "turn", host = "jitmeet.example.com", port = "3478", transport = "udp" },
|
||||||
|
-- { type = "turns", host = "jitmeet.example.com", port = "5349", transport = "tcp" }
|
||||||
|
--};
|
||||||
|
|
||||||
|
cross_domain_bosh = false;
|
||||||
|
consider_bosh_secure = true;
|
||||||
|
https_ports = { }; -- Remove this line to prevent listening on port 5284
|
||||||
component_interface = "0.0.0.0"
|
component_interface = "0.0.0.0"
|
||||||
component_ports = { 5347 }
|
component_ports = { 5347 }
|
||||||
http_ports = { 5280 }
|
http_ports = { 5280 }
|
||||||
https_ports = {}
|
|
||||||
|
|
||||||
-- Not sure all modules are required
|
|
||||||
modules_enabled = {
|
|
||||||
"roster"; -- Allow users to have a roster. Recommended ;)
|
|
||||||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
|
||||||
"tls"; -- Add support for secure TLS on c2s/s2s connections
|
|
||||||
"dialback"; -- s2s dialback support
|
|
||||||
"disco"; -- Service discovery
|
|
||||||
"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
|
||||||
"version"; -- Replies to server version requests
|
|
||||||
"uptime"; -- Report how long server has been running
|
|
||||||
"time"; -- Let others know the time here on this server
|
|
||||||
"ping"; -- Replies to XMPP pings with pongs
|
|
||||||
"pep"; -- Enables users to publish their mood, activity, playing music and more
|
|
||||||
-- jitsi
|
|
||||||
--"smacks"; -- not shipped with prosody
|
|
||||||
"carbons";
|
|
||||||
"mam";
|
|
||||||
"lastactivity";
|
|
||||||
"offline";
|
|
||||||
"pubsub";
|
|
||||||
"adhoc";
|
|
||||||
"websocket";
|
|
||||||
--"http_altconnect"; -- not shipped with prosody
|
|
||||||
}
|
|
||||||
|
|
||||||
log = {
|
-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
|
||||||
--log less on console with warn="*console"; or err="*console" or more with debug="*console"
|
ssl = {
|
||||||
info="*console";
|
protocol = "tlsv1_2+";
|
||||||
|
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
|
||||||
}
|
}
|
||||||
|
|
||||||
VirtualHost "jitsi"
|
VirtualHost "jitsi"
|
||||||
authentication = "anonymous"
|
-- enabled = false -- Remove this line to enable this host
|
||||||
ssl = {
|
authentication = "anonymous"
|
||||||
key = "/var/lib/prosody/jitsi.key";
|
-- Properties below are modified by jitsi-meet-tokens package config
|
||||||
certificate = "/var/lib/prosody/jitsi.crt";
|
-- and authentication above is switched to "token"
|
||||||
}
|
--app_id="example_app_id"
|
||||||
modules_enabled = {
|
--app_secret="example_app_secret"
|
||||||
"bosh";
|
-- Assign this host a certificate for TLS, otherwise it would use the one
|
||||||
"pubsub";
|
-- set in the global section (if any).
|
||||||
}
|
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
|
||||||
c2s_require_encryption = false
|
-- use the global one.
|
||||||
|
ssl = {
|
||||||
VirtualHost "auth.jitsi"
|
key = "/var/lib/prosody/jitsi.key";
|
||||||
ssl = {
|
certificate = "/var/lib/prosody/jitsi.crt";
|
||||||
key = "/var/lib/prosody/auth.jitsi.key";
|
}
|
||||||
certificate = "/var/lib/prosody/auth.jitsi.crt";
|
speakerstats_component = "speakerstats.jitsi"
|
||||||
}
|
conference_duration_component = "conferenceduration.jitsi"
|
||||||
authentication = "internal_plain"
|
-- we need bosh
|
||||||
admins = { "focus@auth.jitsi"}
|
modules_enabled = {
|
||||||
|
"bosh";
|
||||||
|
"pubsub";
|
||||||
|
"ping"; -- Enable mod_ping
|
||||||
|
"speakerstats";
|
||||||
|
--"turncredentials"; not supported yet
|
||||||
|
"conference_duration";
|
||||||
|
"muc_lobby_rooms";
|
||||||
|
}
|
||||||
|
c2s_require_encryption = false
|
||||||
|
lobby_muc = "lobby.jitsi"
|
||||||
|
main_muc = "conference.jitsi"
|
||||||
|
-- muc_lobby_whitelist = { "recorder.jitmeet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
|
||||||
|
|
||||||
Component "conference.jitsi" "muc"
|
Component "conference.jitsi" "muc"
|
||||||
Component "internal.auth.jitsi" "muc"
|
storage = "memory"
|
||||||
storage = "memory"
|
modules_enabled = {
|
||||||
modules_enabled = { "ping"; }
|
"muc_meeting_id";
|
||||||
admins = { "focus@auth.jitsi", "jvb@auth.jitsi" }
|
"muc_domain_mapper";
|
||||||
|
--"token_verification";
|
||||||
|
}
|
||||||
|
admins = { "focusUser@auth.jitsi" }
|
||||||
|
muc_room_locking = false
|
||||||
|
muc_room_default_public_jids = true
|
||||||
|
|
||||||
|
-- internal muc component
|
||||||
|
Component "internal.auth.jitsi" "muc"
|
||||||
|
storage = "memory"
|
||||||
|
modules_enabled = {
|
||||||
|
"ping";
|
||||||
|
}
|
||||||
|
admins = { "focusUser@auth.jitsi", "jvb@auth.jitsi" }
|
||||||
|
muc_room_locking = false
|
||||||
|
muc_room_default_public_jids = true
|
||||||
|
|
||||||
|
VirtualHost "auth.jitsi"
|
||||||
|
authentication = "internal_plain"
|
||||||
|
|
||||||
|
Component "focus.jitsi"
|
||||||
|
component_secret = "focusSecret"
|
||||||
|
|
||||||
|
Component "speakerstats.jitsi" "speakerstats_component"
|
||||||
|
muc_component = "conference.jitsi"
|
||||||
|
|
||||||
|
Component "conferenceduration.jitsi" "conference_duration_component"
|
||||||
|
muc_component = "conference.jitsi"
|
||||||
|
|
||||||
|
Component "lobby.jitsi" "muc"
|
||||||
|
storage = "memory"
|
||||||
|
restrict_room_creation = true
|
||||||
|
muc_room_locking = false
|
||||||
|
muc_room_default_public_jids = true
|
||||||
|
|
||||||
|
|
64
app/jitsi/integration/prosody/prosody.cfg.lua.back
Normal file
64
app/jitsi/integration/prosody/prosody.cfg.lua.back
Normal file
|
@ -0,0 +1,64 @@
|
||||||
|
daemonize = false
|
||||||
|
allow_registration = false
|
||||||
|
use_libevent = true
|
||||||
|
component_interface = "0.0.0.0"
|
||||||
|
component_ports = { 5347 }
|
||||||
|
http_ports = { 5280 }
|
||||||
|
https_ports = {}
|
||||||
|
|
||||||
|
-- Not sure all modules are required
|
||||||
|
modules_enabled = {
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"pep"; -- Enables users to publish their mood, activity, playing music and more
|
||||||
|
-- jitsi
|
||||||
|
--"smacks"; -- not shipped with prosody
|
||||||
|
"carbons";
|
||||||
|
"mam";
|
||||||
|
"lastactivity";
|
||||||
|
"offline";
|
||||||
|
"pubsub";
|
||||||
|
"adhoc";
|
||||||
|
"websocket";
|
||||||
|
--"http_altconnect"; -- not shipped with prosody
|
||||||
|
}
|
||||||
|
|
||||||
|
log = {
|
||||||
|
--log less on console with warn="*console"; or err="*console" or more with debug="*console"
|
||||||
|
debug="*console";
|
||||||
|
}
|
||||||
|
|
||||||
|
VirtualHost "jitsi"
|
||||||
|
authentication = "anonymous"
|
||||||
|
ssl = {
|
||||||
|
key = "/var/lib/prosody/jitsi.key";
|
||||||
|
certificate = "/var/lib/prosody/jitsi.crt";
|
||||||
|
}
|
||||||
|
modules_enabled = {
|
||||||
|
"bosh";
|
||||||
|
"pubsub";
|
||||||
|
}
|
||||||
|
c2s_require_encryption = false
|
||||||
|
|
||||||
|
VirtualHost "auth.jitsi"
|
||||||
|
ssl = {
|
||||||
|
key = "/var/lib/prosody/auth.jitsi.key";
|
||||||
|
certificate = "/var/lib/prosody/auth.jitsi.crt";
|
||||||
|
}
|
||||||
|
authentication = "internal_plain"
|
||||||
|
admins = { "focus@auth.jitsi"}
|
||||||
|
|
||||||
|
Component "conference.jitsi" "muc"
|
||||||
|
Component "internal.auth.jitsi" "muc"
|
||||||
|
storage = "memory"
|
||||||
|
modules_enabled = { "ping"; }
|
||||||
|
admins = { "focus@auth.jitsi", "jvb@auth.jitsi" }
|
||||||
|
|
Reference in a new issue