Rework prosody's configuration

app/docker-compose.yml

@@ -73,7 +73,8 @@ services:
     build:
       context: ./jitsi/build/jitsi-xmpp
       args:
-        VERSION: 0.11.7-1~buster4
+        MEET_VERSION: 5390
+        PROSODY_VERSION: 0.11.7-1~buster4
     image: superboum/amd64_jitsi_xmpp:v9
 
   plume:

app/jitsi/build/jitsi-conference-focus/jicofo

@@ -1,13 +1,7 @@
 #!/bin/bash
 
-cp ${JITSI_CERTS_FOLDER}/auth.jitsi.deuxfleurs.fr.crt /usr/local/share/ca-certificates/auth.jitsi.deuxfleurs.fr.crt
 update-ca-certificates -f
 
-cat >> /etc/hosts <<EOF
-${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr
-127.0.0.1 `hostname`
-EOF
-
 exec java \
   -Xmx400m \
   -XX:+HeapDumpOnOutOfMemoryError \

app/jitsi/build/jitsi-xmpp/Dockerfile

@@ -1,7 +1,16 @@
+FROM debian:buster as builder
+
+ARG MEET_VERSION
+WORKDIR /tmp
+RUN apt-get update && \
+    apt-get install -y wget unzip && \
+    wget https://github.com/jitsi/jitsi-meet/archive/stable/jitsi-meet_${MEET_VERSION}.zip -O meet.zip && \
+    unzip meet.zip && \
+    mv jitsi-meet-* jitsi-meet
+
 FROM debian:buster
 
-ARG VERSION
-
+ARG PROSODY_VERSION
 RUN apt-get update && \
     apt-get install -y wget gnupg2 && \
     echo deb http://packages.prosody.im/debian buster main \
@@ -9,7 +18,7 @@ RUN apt-get update && \
     wget https://prosody.im/files/prosody-debian-packages.key -O - \
     | apt-key add - && \
     apt-get update && \
-    apt-get install -y prosody=${VERSION} lua-event
+    apt-get install -y prosody=${PROSODY_VERSION} lua-event
 
 RUN mkdir -p /usr/local/share/ca-certificates/ && \
     ln -sf \
@@ -20,6 +29,7 @@ RUN mkdir -p /usr/local/share/ca-certificates/ && \
     mkdir -p /var/lib/prosody && \
     chown -R prosody:prosody /var/lib/prosody /run/prosody
 
+COPY --from=builder /tmp/jitsi-meet/resources/prosody-plugins /usr/share/jitsi-meet/prosody-plugins/
 COPY xmpp_prosody /usr/local/bin/xmpp_prosody
 
 WORKDIR /var/lib/prosody

app/jitsi/integration/README.md

@@ -56,6 +56,12 @@ prosodyctl cert generate jitsi
 
 https://github.com/jitsi/jitsi-meet/blob/master/doc/example-config-files/prosody.cfg.lua.example
 
+but this one is not the one used by the [debian postinst script](https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet-prosody.postinst)
+instead, we should look at this one: https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example
+
+Jitsi can be configured to authenticated through tokens,
+the postinst file is here: https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet-tokens.postinst
+
 ## Resources to understand jitsi
 
   - [jicofo/debian/postinst](https://github.com/jitsi/jicofo/blob/master/debian/postinst)

app/jitsi/integration/docker-compose.yml

@@ -9,14 +9,17 @@ services:
       - "./prosody/certs/jitsi.key:/var/lib/prosody/jitsi.key:ro"
       - "./prosody/certs/auth.jitsi.crt:/var/lib/prosody/auth.jitsi.crt:ro"
       - "./prosody/certs/auth.jitsi.key:/var/lib/prosody/auth.jitsi.key:ro"
-  jitsi-meet:
-    image: superboum/amd64_jitsi_meet:v1
-    ports:
-      - "443:443"
   jitsi-conference-focus:
-    image: superboum/amd64_jitsi_conference_focus:v4
-  jitsi-videobridge:
-    image: superboum/amd64_jitsi_videobridge:v14
-    ports:
-      - "8080:8080/tcp"
-      - "10000:10000/udp"
+    image: superboum/amd64_jitsi_conference_focus:v7
+    volumes:
+      - "./prosody/certs/auth.jitsi.crt:/usr/local/share/ca-certificates/auth.jitsi.crt:ro"
+      - "./jicofo/jicofo.conf:/etc/jitsi/jicofo.conf:ro"
+#  jitsi-meet:
+#    image: superboum/amd64_jitsi_meet:v1
+#    ports:
+#      - "443:443"
+#  jitsi-videobridge:
+#    image: superboum/amd64_jitsi_videobridge:v14
+#    ports:
+#      - "8080:8080/tcp"
+#      - "10000:10000/udp"

app/jitsi/integration/jicofo/jicofo.conf

@@ -53,7 +53,7 @@ jicofo {
     }
 
     // The JID of the MUC to be used as a brewery for bridge instances.
-    brewery-jid = "jvbbrewery@example.com"
+    brewery-jid = "jvbbrewery@jitsi"
   }
   // Configure the codecs and RTP extensions to be used in the offer sent to clients.
   codec {
@@ -256,12 +256,12 @@ jicofo {
     }
     // The separate XMPP connection used for internal services (currently only jitsi-videobridge).
     service {
-      enabled = false
-      hostname = "localhost"
-      port = 6222
-      #domain =
-      #username =
-      #password =
+      enabled = true
+      hostname = "jitsi-xmpp"
+      port = 5222
+      domain = "auth.jitsi"
+      username = "focus"
+      password = "xxx"
 
       // How long to wait for a response to a stanza before giving up.
       reply-timeout = 15 seconds

app/jitsi/integration/prosody/prosody.cfg.lua

@@ -1,64 +1,101 @@
+plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
 daemonize = false
-allow_registration = false
 use_libevent = true
+
+-- domain mapper options, must at least have domain base set to use the mapper
+muc_mapper_domain_base = "jitsi.deuxfleurs.fr";
+
+--@FIXME would be great to configure it
+--turncredentials_secret = "__turnSecret__";
+
+--turncredentials = {
+--    { type = "stun", host = "jitmeet.example.com", port = "3478" },
+--    { type = "turn", host = "jitmeet.example.com", port = "3478", transport = "udp" },
+--    { type = "turns", host = "jitmeet.example.com", port = "5349", transport = "tcp" }
+--};
+
+cross_domain_bosh = false;
+consider_bosh_secure = true;
+https_ports = { }; -- Remove this line to prevent listening on port 5284
 component_interface = "0.0.0.0"
 component_ports = { 5347 }
 http_ports = { 5280 }
-https_ports = {}
 
--- Not sure all modules are required
-modules_enabled = {
-  "roster"; -- Allow users to have a roster. Recommended ;)
-  "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
-  "tls"; -- Add support for secure TLS on c2s/s2s connections
-  "dialback"; -- s2s dialback support
-  "disco"; -- Service discovery
-  "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
-  "version"; -- Replies to server version requests
-  "uptime"; -- Report how long server has been running
-  "time"; -- Let others know the time here on this server
-  "ping"; -- Replies to XMPP pings with pongs
-  "pep"; -- Enables users to publish their mood, activity, playing music and more
-  -- jitsi
-  --"smacks"; -- not shipped with prosody
-  "carbons";
-  "mam";
-  "lastactivity";
-  "offline";
-  "pubsub";
-  "adhoc";
-  "websocket";
-  --"http_altconnect"; -- not shipped with prosody
-}
 
-log = {
-  --log less on console with warn="*console"; or err="*console" or more with debug="*console"
-  info="*console";
+-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
+ssl = {
+    protocol = "tlsv1_2+";
+    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
 }
 
 VirtualHost "jitsi"
-  authentication = "anonymous"
-  ssl = {
-    key = "/var/lib/prosody/jitsi.key";
-    certificate = "/var/lib/prosody/jitsi.crt";
-  }
-  modules_enabled = {
-    "bosh";
-    "pubsub";
-  }
-  c2s_require_encryption = false
-
-VirtualHost "auth.jitsi"
-  ssl = {
-    key = "/var/lib/prosody/auth.jitsi.key";
-    certificate = "/var/lib/prosody/auth.jitsi.crt";
-  }
-  authentication = "internal_plain"
-  admins = { "focus@auth.jitsi"}
+    -- enabled = false -- Remove this line to enable this host
+    authentication = "anonymous"
+    -- Properties below are modified by jitsi-meet-tokens package config
+    -- and authentication above is switched to "token"
+    --app_id="example_app_id"
+    --app_secret="example_app_secret"
+    -- Assign this host a certificate for TLS, otherwise it would use the one
+    -- set in the global section (if any).
+    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
+    -- use the global one.
+    ssl = {
+        key = "/var/lib/prosody/jitsi.key";
+        certificate = "/var/lib/prosody/jitsi.crt";
+    }
+    speakerstats_component = "speakerstats.jitsi"
+    conference_duration_component = "conferenceduration.jitsi"
+    -- we need bosh
+    modules_enabled = {
+        "bosh";
+        "pubsub";
+        "ping"; -- Enable mod_ping
+        "speakerstats";
+        --"turncredentials"; not supported yet
+        "conference_duration";
+        "muc_lobby_rooms";
+    }
+    c2s_require_encryption = false
+    lobby_muc = "lobby.jitsi"
+    main_muc = "conference.jitsi"
+    -- muc_lobby_whitelist = { "recorder.jitmeet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
 
 Component "conference.jitsi" "muc"
-Component "internal.auth.jitsi" "muc"
-  storage = "memory"
-  modules_enabled = { "ping"; }
-  admins = { "focus@auth.jitsi", "jvb@auth.jitsi" }
+    storage = "memory"
+    modules_enabled = {
+        "muc_meeting_id";
+        "muc_domain_mapper";
+        --"token_verification";
+    }
+    admins = { "focusUser@auth.jitsi" }
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+
+-- internal muc component
+Component "internal.auth.jitsi" "muc"
+    storage = "memory"
+    modules_enabled = {
+        "ping";
+    }
+    admins = { "focusUser@auth.jitsi", "jvb@auth.jitsi" }
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+
+VirtualHost "auth.jitsi"
+    authentication = "internal_plain"
+
+Component "focus.jitsi"
+    component_secret = "focusSecret"
+
+Component "speakerstats.jitsi" "speakerstats_component"
+    muc_component = "conference.jitsi"
+
+Component "conferenceduration.jitsi" "conference_duration_component"
+    muc_component = "conference.jitsi"
+
+Component "lobby.jitsi" "muc"
+    storage = "memory"
+    restrict_room_creation = true
+    muc_room_locking = false
+    muc_room_default_public_jids = true
 

app/jitsi/integration/prosody/prosody.cfg.lua.back

@@ -0,0 +1,64 @@
+daemonize = false
+allow_registration = false
+use_libevent = true
+component_interface = "0.0.0.0"
+component_ports = { 5347 }
+http_ports = { 5280 }
+https_ports = {}
+
+-- Not sure all modules are required
+modules_enabled = {
+  "roster"; -- Allow users to have a roster. Recommended ;)
+  "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+  "tls"; -- Add support for secure TLS on c2s/s2s connections
+  "dialback"; -- s2s dialback support
+  "disco"; -- Service discovery
+  "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+  "version"; -- Replies to server version requests
+  "uptime"; -- Report how long server has been running
+  "time"; -- Let others know the time here on this server
+  "ping"; -- Replies to XMPP pings with pongs
+  "pep"; -- Enables users to publish their mood, activity, playing music and more
+  -- jitsi
+  --"smacks"; -- not shipped with prosody
+  "carbons";
+  "mam";
+  "lastactivity";
+  "offline";
+  "pubsub";
+  "adhoc";
+  "websocket";
+  --"http_altconnect"; -- not shipped with prosody
+}
+
+log = {
+  --log less on console with warn="*console"; or err="*console" or more with debug="*console"
+  debug="*console";
+}
+
+VirtualHost "jitsi"
+  authentication = "anonymous"
+  ssl = {
+    key = "/var/lib/prosody/jitsi.key";
+    certificate = "/var/lib/prosody/jitsi.crt";
+  }
+  modules_enabled = {
+    "bosh";
+    "pubsub";
+  }
+  c2s_require_encryption = false
+
+VirtualHost "auth.jitsi"
+  ssl = {
+    key = "/var/lib/prosody/auth.jitsi.key";
+    certificate = "/var/lib/prosody/auth.jitsi.crt";
+  }
+  authentication = "internal_plain"
+  admins = { "focus@auth.jitsi"}
+
+Component "conference.jitsi" "muc"
+Component "internal.auth.jitsi" "muc"
+  storage = "memory"
+  modules_enabled = { "ping"; }
+  admins = { "focus@auth.jitsi", "jvb@auth.jitsi" }
+