Rework prosody's configuration

Quentin 2021-01-28 21:05:10 +01:00
parent 0e848bb2d0
commit 47bcdaaf0d
8 changed files with 193 additions and 78 deletions


@ -73,7 +73,8 @@ services:
build: build:
context: ./jitsi/build/jitsi-xmpp context: ./jitsi/build/jitsi-xmpp
args: args:
VERSION: 0.11.7-1~buster4 MEET_VERSION: 5390
PROSODY_VERSION: 0.11.7-1~buster4
image: superboum/amd64_jitsi_xmpp:v9 image: superboum/amd64_jitsi_xmpp:v9
plume: plume:


@ -1,13 +1,7 @@
#!/bin/bash #!/bin/bash
cp ${JITSI_CERTS_FOLDER}/auth.jitsi.deuxfleurs.fr.crt /usr/local/share/ca-certificates/auth.jitsi.deuxfleurs.fr.crt
update-ca-certificates -f update-ca-certificates -f
cat >> /etc/hosts <<EOF
${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr
127.0.0.1 `hostname`
EOF
exec java \ exec java \
-Xmx400m \ -Xmx400m \
-XX:+HeapDumpOnOutOfMemoryError \ -XX:+HeapDumpOnOutOfMemoryError \


@ -1,7 +1,16 @@
FROM debian:buster as builder
ARG MEET_VERSION
WORKDIR /tmp
RUN apt-get update && \
apt-get install -y wget unzip && \
wget https://github.com/jitsi/jitsi-meet/archive/stable/jitsi-meet_${MEET_VERSION}.zip -O meet.zip && \
unzip meet.zip && \
mv jitsi-meet-* jitsi-meet
FROM debian:buster FROM debian:buster
ARG VERSION ARG PROSODY_VERSION
RUN apt-get update && \ RUN apt-get update && \
apt-get install -y wget gnupg2 && \ apt-get install -y wget gnupg2 && \
echo deb http://packages.prosody.im/debian buster main \ echo deb http://packages.prosody.im/debian buster main \
@ -9,7 +18,7 @@ RUN apt-get update && \
wget https://prosody.im/files/prosody-debian-packages.key -O - \ wget https://prosody.im/files/prosody-debian-packages.key -O - \
| apt-key add - && \ | apt-key add - && \
apt-get update && \ apt-get update && \
apt-get install -y prosody=${VERSION} lua-event apt-get install -y prosody=${PROSODY_VERSION} lua-event
RUN mkdir -p /usr/local/share/ca-certificates/ && \ RUN mkdir -p /usr/local/share/ca-certificates/ && \
ln -sf \ ln -sf \
@ -20,6 +29,7 @@ RUN mkdir -p /usr/local/share/ca-certificates/ && \
mkdir -p /var/lib/prosody && \ mkdir -p /var/lib/prosody && \
chown -R prosody:prosody /var/lib/prosody /run/prosody chown -R prosody:prosody /var/lib/prosody /run/prosody
COPY --from=builder /tmp/jitsi-meet/resources/prosody-plugins /usr/share/jitsi-meet/prosody-plugins/
COPY xmpp_prosody /usr/local/bin/xmpp_prosody COPY xmpp_prosody /usr/local/bin/xmpp_prosody
WORKDIR /var/lib/prosody WORKDIR /var/lib/prosody
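Review bot: The builder stage in the first hunk fetches `jitsi-meet_${MEET_VERSION}.zip` from GitHub and unzips it with no integrity check, so the prosody plugins the third hunk copies into the final image are whatever that archive contained at build time. Pin a digest next to the version and verify before unzipping, e.g. add `ARG MEET_SHA256` and `echo "${MEET_SHA256}  meet.zip" | sha256sum -c - && \` after the wget line. The `mv jitsi-meet-* jitsi-meet` glob will also silently match anything if the archive layout changes; naming the expected directory explicitly fails loudly instead. The `RUN apt-get update` that starts in the first hunk continues into the second, where the `apt-key add -` step predates this commit and is left as is.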


@ -56,6 +56,12 @@ prosodyctl cert generate jitsi
https://github.com/jitsi/jitsi-meet/blob/master/doc/example-config-files/prosody.cfg.lua.example https://github.com/jitsi/jitsi-meet/blob/master/doc/example-config-files/prosody.cfg.lua.example
but this one is not the one used by the [debian postinst script](https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet-prosody.postinst)
instead, we should look at this one: https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example
Jitsi can be configured to authenticated through tokens,
the postinst file is here: https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet-tokens.postinst
## Resources to understand jitsi ## Resources to understand jitsi
- [jicofo/debian/postinst](https://github.com/jitsi/jicofo/blob/master/debian/postinst) - [jicofo/debian/postinst](https://github.com/jitsi/jicofo/blob/master/debian/postinst)


@ -9,14 +9,17 @@ services:
- "./prosody/certs/jitsi.key:/var/lib/prosody/jitsi.key:ro" - "./prosody/certs/jitsi.key:/var/lib/prosody/jitsi.key:ro"
- "./prosody/certs/auth.jitsi.crt:/var/lib/prosody/auth.jitsi.crt:ro" - "./prosody/certs/auth.jitsi.crt:/var/lib/prosody/auth.jitsi.crt:ro"
- "./prosody/certs/auth.jitsi.key:/var/lib/prosody/auth.jitsi.key:ro" - "./prosody/certs/auth.jitsi.key:/var/lib/prosody/auth.jitsi.key:ro"
jitsi-meet:
image: superboum/amd64_jitsi_meet:v1
ports:
- "443:443"
jitsi-conference-focus: jitsi-conference-focus:
image: superboum/amd64_jitsi_conference_focus:v4 image: superboum/amd64_jitsi_conference_focus:v7
jitsi-videobridge: volumes:
image: superboum/amd64_jitsi_videobridge:v14 - "./prosody/certs/auth.jitsi.crt:/usr/local/share/ca-certificates/auth.jitsi.crt:ro"
ports: - "./jicofo/jicofo.conf:/etc/jitsi/jicofo.conf:ro"
- "8080:8080/tcp" # jitsi-meet:
- "10000:10000/udp" # image: superboum/amd64_jitsi_meet:v1
# ports:
# - "443:443"
# jitsi-videobridge:
# image: superboum/amd64_jitsi_videobridge:v14
# ports:
# - "8080:8080/tcp"
# - "10000:10000/udp"
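Review bot: The jitsi-meet and jitsi-videobridge services at the end of the hunk are commented out rather than removed, with their image tags (`v1`, `v14`) still pinned inside the dead block; that will drift from whatever replaces them and read as current to the next maintainer. Delete them (history keeps the old definition) or add a one-line comment stating why they are retained and where those services now run. The new `./jicofo/jicofo.conf:/etc/jitsi/jicofo.conf:ro` mount is read-only, which is good, but the jicofo.conf diff in this commit puts the focus account `password` in that file, so it needs the same handling as the key material mounted next to it rather than being a tracked repository file.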


@ -53,7 +53,7 @@ jicofo {
} }
// The JID of the MUC to be used as a brewery for bridge instances. // The JID of the MUC to be used as a brewery for bridge instances.
brewery-jid = "jvbbrewery@example.com" brewery-jid = "jvbbrewery@jitsi"
} }
// Configure the codecs and RTP extensions to be used in the offer sent to clients. // Configure the codecs and RTP extensions to be used in the offer sent to clients.
codec { codec {
@ -256,12 +256,12 @@ jicofo {
} }
// The separate XMPP connection used for internal services (currently only jitsi-videobridge). // The separate XMPP connection used for internal services (currently only jitsi-videobridge).
service { service {
enabled = false enabled = true
hostname = "localhost" hostname = "jitsi-xmpp"
port = 6222 port = 5222
#domain = domain = "auth.jitsi"
#username = username = "focus"
#password = password = "xxx"
// How long to wait for a response to a stanza before giving up. // How long to wait for a response to a stanza before giving up.
reply-timeout = 15 seconds reply-timeout = 15 seconds
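Review bot: The `service` block now carries the XMPP account password inline (`password = "xxx"`) in a file this commit also bind-mounts from the repository, so whatever real value ends up there is committed and visible to everyone who can read the repo. Jicofo reads this file as HOCON, so the secret can be supplied at deploy time instead, e.g. `password = ${?JICOFO_AUTH_PASSWORD}` with the value injected through the container environment and no placeholder in the tracked file. The `username`/`domain` lines make this account `focus@auth.jitsi`, while the prosody MUC `admins` lists in this commit name `focusUser@auth.jitsi`; unless that is intentional the focus JID will not be an admin of the conference and internal MUCs. The enclosing `jicofo {` block starts and ends outside the hunk.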


@ -1,64 +1,101 @@
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
daemonize = false daemonize = false
allow_registration = false
use_libevent = true use_libevent = true
-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "jitsi.deuxfleurs.fr";
--@FIXME would be great to configure it
--turncredentials_secret = "__turnSecret__";
--turncredentials = {
-- { type = "stun", host = "jitmeet.example.com", port = "3478" },
-- { type = "turn", host = "jitmeet.example.com", port = "3478", transport = "udp" },
-- { type = "turns", host = "jitmeet.example.com", port = "5349", transport = "tcp" }
--};
cross_domain_bosh = false;
consider_bosh_secure = true;
https_ports = { }; -- Remove this line to prevent listening on port 5284
component_interface = "0.0.0.0" component_interface = "0.0.0.0"
component_ports = { 5347 } component_ports = { 5347 }
http_ports = { 5280 } http_ports = { 5280 }
https_ports = {}
-- Not sure all modules are required
modules_enabled = {
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
"tls"; -- Add support for secure TLS on c2s/s2s connections
"dialback"; -- s2s dialback support
"disco"; -- Service discovery
"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
"pep"; -- Enables users to publish their mood, activity, playing music and more
-- jitsi
--"smacks"; -- not shipped with prosody
"carbons";
"mam";
"lastactivity";
"offline";
"pubsub";
"adhoc";
"websocket";
--"http_altconnect"; -- not shipped with prosody
}
log = { -- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
--log less on console with warn="*console"; or err="*console" or more with debug="*console" ssl = {
info="*console"; protocol = "tlsv1_2+";
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
} }
VirtualHost "jitsi" VirtualHost "jitsi"
authentication = "anonymous" -- enabled = false -- Remove this line to enable this host
ssl = { authentication = "anonymous"
key = "/var/lib/prosody/jitsi.key"; -- Properties below are modified by jitsi-meet-tokens package config
certificate = "/var/lib/prosody/jitsi.crt"; -- and authentication above is switched to "token"
} --app_id="example_app_id"
modules_enabled = { --app_secret="example_app_secret"
"bosh"; -- Assign this host a certificate for TLS, otherwise it would use the one
"pubsub"; -- set in the global section (if any).
} -- Note that old-style SSL on port 5223 only supports one certificate, and will always
c2s_require_encryption = false -- use the global one.
ssl = {
VirtualHost "auth.jitsi" key = "/var/lib/prosody/jitsi.key";
ssl = { certificate = "/var/lib/prosody/jitsi.crt";
key = "/var/lib/prosody/auth.jitsi.key"; }
certificate = "/var/lib/prosody/auth.jitsi.crt"; speakerstats_component = "speakerstats.jitsi"
} conference_duration_component = "conferenceduration.jitsi"
authentication = "internal_plain" -- we need bosh
admins = { "focus@auth.jitsi"} modules_enabled = {
"bosh";
"pubsub";
"ping"; -- Enable mod_ping
"speakerstats";
--"turncredentials"; not supported yet
"conference_duration";
"muc_lobby_rooms";
}
c2s_require_encryption = false
lobby_muc = "lobby.jitsi"
main_muc = "conference.jitsi"
-- muc_lobby_whitelist = { "recorder.jitmeet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
Component "conference.jitsi" "muc" Component "conference.jitsi" "muc"
Component "internal.auth.jitsi" "muc" storage = "memory"
storage = "memory" modules_enabled = {
modules_enabled = { "ping"; } "muc_meeting_id";
admins = { "focus@auth.jitsi", "jvb@auth.jitsi" } "muc_domain_mapper";
--"token_verification";
}
admins = { "focusUser@auth.jitsi" }
muc_room_locking = false
muc_room_default_public_jids = true
-- internal muc component
Component "internal.auth.jitsi" "muc"
storage = "memory"
modules_enabled = {
"ping";
}
admins = { "focusUser@auth.jitsi", "jvb@auth.jitsi" }
muc_room_locking = false
muc_room_default_public_jids = true
VirtualHost "auth.jitsi"
authentication = "internal_plain"
Component "focus.jitsi"
component_secret = "focusSecret"
Component "speakerstats.jitsi" "speakerstats_component"
muc_component = "conference.jitsi"
Component "conferenceduration.jitsi" "conference_duration_component"
muc_component = "conference.jitsi"
Component "lobby.jitsi" "muc"
storage = "memory"
restrict_room_creation = true
muc_room_locking = false
muc_room_default_public_jids = true
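Review bot: `component_secret = "focusSecret"` on `Component "focus.jitsi"` is a shared credential committed into the tracked config, and the `admins = { "focusUser@auth.jitsi" ... }` entries on both MUC components do not match the `focus` account that the jicofo.conf in this commit authenticates with. Move the secret out of the tracked file (an `Include` of an untracked file, or rendering it from the environment at start) and settle on one focus JID in both files. The `auth.jitsi` VirtualHost appears to have lost its per-host `ssl = { key = ...; certificate = ... }` block while the compose file still mounts `auth.jitsi.key`/`auth.jitsi.crt`, and the new global `ssl` table only sets `protocol` and `ciphers`, so it looks like that host has no certificate to serve — worth confirming. `c2s_require_encryption = false` is kept alongside `authentication = "internal_plain"`, so the focus login can cross the compose network in clear; setting it to `true` is the safer default unless jicofo's connection is known not to negotiate STARTTLS.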


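--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,64 @@
+daemonize = false
+allow_registration = false
+use_libevent = true
+component_interface = "0.0.0.0"
+component_ports = { 5347 }
+http_ports = { 5280 }
+https_ports = {}
+-- Not sure all modules are required
+modules_enabled = {
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+"tls"; -- Add support for secure TLS on c2s/s2s connections
+"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"pep"; -- Enables users to publish their mood, activity, playing music and more
+-- jitsi
+--"smacks"; -- not shipped with prosody
+"carbons";
+"mam";
+"lastactivity";
+"offline";
+"pubsub";
+"adhoc";
+"websocket";
+--"http_altconnect"; -- not shipped with prosody
+}
+log = {
+--log less on console with warn="*console"; or err="*console" or more with debug="*console"
+debug="*console";
+}
+VirtualHost "jitsi"
+authentication = "anonymous"
+ssl = {
+key = "/var/lib/prosody/jitsi.key";
+certificate = "/var/lib/prosody/jitsi.crt";
+}
+modules_enabled = {
+"bosh";
+"pubsub";
+}
+c2s_require_encryption = false
+VirtualHost "auth.jitsi"
+ssl = {
+key = "/var/lib/prosody/auth.jitsi.key";
+certificate = "/var/lib/prosody/auth.jitsi.crt";
+}
+authentication = "internal_plain"
+admins = { "focus@auth.jitsi"}
+Component "conference.jitsi" "muc"
+Component "internal.auth.jitsi" "muc"
+storage = "memory"
+modules_enabled = { "ping"; }
+admins = { "focus@auth.jitsi", "jvb@auth.jitsi" }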
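Review bot: `log = { debug="*console"; }` turns on debug-level console logging in a committed config; the previous prosody.cfg.lua this file appears to mirror used `info="*console";`, so this copy ships noisier output than the one it was taken from, and `info="*console";` keeps them consistent. Apart from that line the file looks like a verbatim copy of the pre-change prosody.cfg.lua (same module list, hosts, `c2s_require_encryption = false` and `focus@auth.jitsi` admin), so if it is kept as a reference rather than loaded by a running prosody, a header comment saying so would stop it being edited in step with the live config. The file's name is not shown on this page, so which prosody instance reads it cannot be told from the diff.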