forked from Deuxfleurs/infrastructure
Rework prosody's configuration
This commit is contained in:
parent
0e848bb2d0
commit
47bcdaaf0d
8 changed files with 193 additions and 78 deletions
|
@ -73,7 +73,8 @@ services:
|
|||
build:
|
||||
context: ./jitsi/build/jitsi-xmpp
|
||||
args:
|
||||
VERSION: 0.11.7-1~buster4
|
||||
MEET_VERSION: 5390
|
||||
PROSODY_VERSION: 0.11.7-1~buster4
|
||||
image: superboum/amd64_jitsi_xmpp:v9
|
||||
|
||||
plume:
|
||||
|
|
|
@ -1,13 +1,7 @@
|
|||
#!/bin/bash
|
||||
|
||||
cp ${JITSI_CERTS_FOLDER}/auth.jitsi.deuxfleurs.fr.crt /usr/local/share/ca-certificates/auth.jitsi.deuxfleurs.fr.crt
|
||||
update-ca-certificates -f
|
||||
|
||||
cat >> /etc/hosts <<EOF
|
||||
${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr
|
||||
127.0.0.1 `hostname`
|
||||
EOF
|
||||
|
||||
exec java \
|
||||
-Xmx400m \
|
||||
-XX:+HeapDumpOnOutOfMemoryError \
|
||||
|
|
|
@ -1,7 +1,16 @@
|
|||
FROM debian:buster as builder
|
||||
|
||||
ARG MEET_VERSION
|
||||
WORKDIR /tmp
|
||||
RUN apt-get update && \
|
||||
apt-get install -y wget unzip && \
|
||||
wget https://github.com/jitsi/jitsi-meet/archive/stable/jitsi-meet_${MEET_VERSION}.zip -O meet.zip && \
|
||||
unzip meet.zip && \
|
||||
mv jitsi-meet-* jitsi-meet
|
||||
|
||||
FROM debian:buster
|
||||
|
||||
ARG VERSION
|
||||
|
||||
ARG PROSODY_VERSION
|
||||
RUN apt-get update && \
|
||||
apt-get install -y wget gnupg2 && \
|
||||
echo deb http://packages.prosody.im/debian buster main \
|
||||
|
@ -9,7 +18,7 @@ RUN apt-get update && \
|
|||
wget https://prosody.im/files/prosody-debian-packages.key -O - \
|
||||
| apt-key add - && \
|
||||
apt-get update && \
|
||||
apt-get install -y prosody=${VERSION} lua-event
|
||||
apt-get install -y prosody=${PROSODY_VERSION} lua-event
|
||||
|
||||
RUN mkdir -p /usr/local/share/ca-certificates/ && \
|
||||
ln -sf \
|
||||
|
@ -20,6 +29,7 @@ RUN mkdir -p /usr/local/share/ca-certificates/ && \
|
|||
mkdir -p /var/lib/prosody && \
|
||||
chown -R prosody:prosody /var/lib/prosody /run/prosody
|
||||
|
||||
COPY --from=builder /tmp/jitsi-meet/resources/prosody-plugins /usr/share/jitsi-meet/prosody-plugins/
|
||||
COPY xmpp_prosody /usr/local/bin/xmpp_prosody
|
||||
|
||||
WORKDIR /var/lib/prosody
|
||||
|
|
|
@ -56,6 +56,12 @@ prosodyctl cert generate jitsi
|
|||
|
||||
https://github.com/jitsi/jitsi-meet/blob/master/doc/example-config-files/prosody.cfg.lua.example
|
||||
|
||||
but this one is not the one used by the [debian postinst script](https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet-prosody.postinst)
|
||||
instead, we should look at this one: https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example
|
||||
|
||||
Jitsi can be configured to authenticated through tokens,
|
||||
the postinst file is here: https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet-tokens.postinst
|
||||
|
||||
## Resources to understand jitsi
|
||||
|
||||
- [jicofo/debian/postinst](https://github.com/jitsi/jicofo/blob/master/debian/postinst)
|
||||
|
|
|
@ -9,14 +9,17 @@ services:
|
|||
- "./prosody/certs/jitsi.key:/var/lib/prosody/jitsi.key:ro"
|
||||
- "./prosody/certs/auth.jitsi.crt:/var/lib/prosody/auth.jitsi.crt:ro"
|
||||
- "./prosody/certs/auth.jitsi.key:/var/lib/prosody/auth.jitsi.key:ro"
|
||||
jitsi-meet:
|
||||
image: superboum/amd64_jitsi_meet:v1
|
||||
ports:
|
||||
- "443:443"
|
||||
jitsi-conference-focus:
|
||||
image: superboum/amd64_jitsi_conference_focus:v4
|
||||
jitsi-videobridge:
|
||||
image: superboum/amd64_jitsi_videobridge:v14
|
||||
ports:
|
||||
- "8080:8080/tcp"
|
||||
- "10000:10000/udp"
|
||||
image: superboum/amd64_jitsi_conference_focus:v7
|
||||
volumes:
|
||||
- "./prosody/certs/auth.jitsi.crt:/usr/local/share/ca-certificates/auth.jitsi.crt:ro"
|
||||
- "./jicofo/jicofo.conf:/etc/jitsi/jicofo.conf:ro"
|
||||
# jitsi-meet:
|
||||
# image: superboum/amd64_jitsi_meet:v1
|
||||
# ports:
|
||||
# - "443:443"
|
||||
# jitsi-videobridge:
|
||||
# image: superboum/amd64_jitsi_videobridge:v14
|
||||
# ports:
|
||||
# - "8080:8080/tcp"
|
||||
# - "10000:10000/udp"
|
||||
|
|
|
@ -53,7 +53,7 @@ jicofo {
|
|||
}
|
||||
|
||||
// The JID of the MUC to be used as a brewery for bridge instances.
|
||||
brewery-jid = "jvbbrewery@example.com"
|
||||
brewery-jid = "jvbbrewery@jitsi"
|
||||
}
|
||||
// Configure the codecs and RTP extensions to be used in the offer sent to clients.
|
||||
codec {
|
||||
|
@ -256,12 +256,12 @@ jicofo {
|
|||
}
|
||||
// The separate XMPP connection used for internal services (currently only jitsi-videobridge).
|
||||
service {
|
||||
enabled = false
|
||||
hostname = "localhost"
|
||||
port = 6222
|
||||
#domain =
|
||||
#username =
|
||||
#password =
|
||||
enabled = true
|
||||
hostname = "jitsi-xmpp"
|
||||
port = 5222
|
||||
domain = "auth.jitsi"
|
||||
username = "focus"
|
||||
password = "xxx"
|
||||
|
||||
// How long to wait for a response to a stanza before giving up.
|
||||
reply-timeout = 15 seconds
|
||||
|
|
|
@ -1,64 +1,101 @@
|
|||
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
|
||||
daemonize = false
|
||||
allow_registration = false
|
||||
use_libevent = true
|
||||
|
||||
-- domain mapper options, must at least have domain base set to use the mapper
|
||||
muc_mapper_domain_base = "jitsi.deuxfleurs.fr";
|
||||
|
||||
--@FIXME would be great to configure it
|
||||
--turncredentials_secret = "__turnSecret__";
|
||||
|
||||
--turncredentials = {
|
||||
-- { type = "stun", host = "jitmeet.example.com", port = "3478" },
|
||||
-- { type = "turn", host = "jitmeet.example.com", port = "3478", transport = "udp" },
|
||||
-- { type = "turns", host = "jitmeet.example.com", port = "5349", transport = "tcp" }
|
||||
--};
|
||||
|
||||
cross_domain_bosh = false;
|
||||
consider_bosh_secure = true;
|
||||
https_ports = { }; -- Remove this line to prevent listening on port 5284
|
||||
component_interface = "0.0.0.0"
|
||||
component_ports = { 5347 }
|
||||
http_ports = { 5280 }
|
||||
https_ports = {}
|
||||
|
||||
-- Not sure all modules are required
|
||||
modules_enabled = {
|
||||
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||
"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||
"dialback"; -- s2s dialback support
|
||||
"disco"; -- Service discovery
|
||||
"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||
"version"; -- Replies to server version requests
|
||||
"uptime"; -- Report how long server has been running
|
||||
"time"; -- Let others know the time here on this server
|
||||
"ping"; -- Replies to XMPP pings with pongs
|
||||
"pep"; -- Enables users to publish their mood, activity, playing music and more
|
||||
-- jitsi
|
||||
--"smacks"; -- not shipped with prosody
|
||||
"carbons";
|
||||
"mam";
|
||||
"lastactivity";
|
||||
"offline";
|
||||
"pubsub";
|
||||
"adhoc";
|
||||
"websocket";
|
||||
--"http_altconnect"; -- not shipped with prosody
|
||||
}
|
||||
|
||||
log = {
|
||||
--log less on console with warn="*console"; or err="*console" or more with debug="*console"
|
||||
info="*console";
|
||||
-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
|
||||
ssl = {
|
||||
protocol = "tlsv1_2+";
|
||||
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
|
||||
}
|
||||
|
||||
VirtualHost "jitsi"
|
||||
-- enabled = false -- Remove this line to enable this host
|
||||
authentication = "anonymous"
|
||||
-- Properties below are modified by jitsi-meet-tokens package config
|
||||
-- and authentication above is switched to "token"
|
||||
--app_id="example_app_id"
|
||||
--app_secret="example_app_secret"
|
||||
-- Assign this host a certificate for TLS, otherwise it would use the one
|
||||
-- set in the global section (if any).
|
||||
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
|
||||
-- use the global one.
|
||||
ssl = {
|
||||
key = "/var/lib/prosody/jitsi.key";
|
||||
certificate = "/var/lib/prosody/jitsi.crt";
|
||||
}
|
||||
speakerstats_component = "speakerstats.jitsi"
|
||||
conference_duration_component = "conferenceduration.jitsi"
|
||||
-- we need bosh
|
||||
modules_enabled = {
|
||||
"bosh";
|
||||
"pubsub";
|
||||
"ping"; -- Enable mod_ping
|
||||
"speakerstats";
|
||||
--"turncredentials"; not supported yet
|
||||
"conference_duration";
|
||||
"muc_lobby_rooms";
|
||||
}
|
||||
c2s_require_encryption = false
|
||||
|
||||
VirtualHost "auth.jitsi"
|
||||
ssl = {
|
||||
key = "/var/lib/prosody/auth.jitsi.key";
|
||||
certificate = "/var/lib/prosody/auth.jitsi.crt";
|
||||
}
|
||||
authentication = "internal_plain"
|
||||
admins = { "focus@auth.jitsi"}
|
||||
lobby_muc = "lobby.jitsi"
|
||||
main_muc = "conference.jitsi"
|
||||
-- muc_lobby_whitelist = { "recorder.jitmeet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
|
||||
|
||||
Component "conference.jitsi" "muc"
|
||||
storage = "memory"
|
||||
modules_enabled = {
|
||||
"muc_meeting_id";
|
||||
"muc_domain_mapper";
|
||||
--"token_verification";
|
||||
}
|
||||
admins = { "focusUser@auth.jitsi" }
|
||||
muc_room_locking = false
|
||||
muc_room_default_public_jids = true
|
||||
|
||||
-- internal muc component
|
||||
Component "internal.auth.jitsi" "muc"
|
||||
storage = "memory"
|
||||
modules_enabled = { "ping"; }
|
||||
admins = { "focus@auth.jitsi", "jvb@auth.jitsi" }
|
||||
modules_enabled = {
|
||||
"ping";
|
||||
}
|
||||
admins = { "focusUser@auth.jitsi", "jvb@auth.jitsi" }
|
||||
muc_room_locking = false
|
||||
muc_room_default_public_jids = true
|
||||
|
||||
VirtualHost "auth.jitsi"
|
||||
authentication = "internal_plain"
|
||||
|
||||
Component "focus.jitsi"
|
||||
component_secret = "focusSecret"
|
||||
|
||||
Component "speakerstats.jitsi" "speakerstats_component"
|
||||
muc_component = "conference.jitsi"
|
||||
|
||||
Component "conferenceduration.jitsi" "conference_duration_component"
|
||||
muc_component = "conference.jitsi"
|
||||
|
||||
Component "lobby.jitsi" "muc"
|
||||
storage = "memory"
|
||||
restrict_room_creation = true
|
||||
muc_room_locking = false
|
||||
muc_room_default_public_jids = true
|
||||
|
||||
|
|
64
app/jitsi/integration/prosody/prosody.cfg.lua.back
Normal file
64
app/jitsi/integration/prosody/prosody.cfg.lua.back
Normal file
|
@ -0,0 +1,64 @@
|
|||
daemonize = false
|
||||
allow_registration = false
|
||||
use_libevent = true
|
||||
component_interface = "0.0.0.0"
|
||||
component_ports = { 5347 }
|
||||
http_ports = { 5280 }
|
||||
https_ports = {}
|
||||
|
||||
-- Not sure all modules are required
|
||||
modules_enabled = {
|
||||
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||
"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||
"dialback"; -- s2s dialback support
|
||||
"disco"; -- Service discovery
|
||||
"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||
"version"; -- Replies to server version requests
|
||||
"uptime"; -- Report how long server has been running
|
||||
"time"; -- Let others know the time here on this server
|
||||
"ping"; -- Replies to XMPP pings with pongs
|
||||
"pep"; -- Enables users to publish their mood, activity, playing music and more
|
||||
-- jitsi
|
||||
--"smacks"; -- not shipped with prosody
|
||||
"carbons";
|
||||
"mam";
|
||||
"lastactivity";
|
||||
"offline";
|
||||
"pubsub";
|
||||
"adhoc";
|
||||
"websocket";
|
||||
--"http_altconnect"; -- not shipped with prosody
|
||||
}
|
||||
|
||||
log = {
|
||||
--log less on console with warn="*console"; or err="*console" or more with debug="*console"
|
||||
debug="*console";
|
||||
}
|
||||
|
||||
VirtualHost "jitsi"
|
||||
authentication = "anonymous"
|
||||
ssl = {
|
||||
key = "/var/lib/prosody/jitsi.key";
|
||||
certificate = "/var/lib/prosody/jitsi.crt";
|
||||
}
|
||||
modules_enabled = {
|
||||
"bosh";
|
||||
"pubsub";
|
||||
}
|
||||
c2s_require_encryption = false
|
||||
|
||||
VirtualHost "auth.jitsi"
|
||||
ssl = {
|
||||
key = "/var/lib/prosody/auth.jitsi.key";
|
||||
certificate = "/var/lib/prosody/auth.jitsi.crt";
|
||||
}
|
||||
authentication = "internal_plain"
|
||||
admins = { "focus@auth.jitsi"}
|
||||
|
||||
Component "conference.jitsi" "muc"
|
||||
Component "internal.auth.jitsi" "muc"
|
||||
storage = "memory"
|
||||
modules_enabled = { "ping"; }
|
||||
admins = { "focus@auth.jitsi", "jvb@auth.jitsi" }
|
||||
|
Loading…
Reference in a new issue