diff --git a/.env.sample b/.env.sample index c88d965..34dae1e 100644 --- a/.env.sample +++ b/.env.sample @@ -1,8 +1,235 @@ TYPE=jitsi +TIMEOUT=900 +ENABLE_AUTO_UPDATE=true -DOMAIN=jitsi.example.com - +DOMAIN=meet.example.com ## Domain aliases -#EXTRA_DOMAINS=', `www.jitsi.example.com`' - +#EXTRA_DOMAINS=', `www.meet.example.com`' LETS_ENCRYPT_ENV=production + +COMPOSE_FILE="compose.yml" +#COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml" + +ADMIN_USER=admin + +SECRET_JICOFO_AUTH_PASSWORD_VERSION=v1 +SECRET_JVB_AUTH_PASSWORD_VERSION=v1 + +EXTRA_VOLUME=/dev/null:/tmp/.dummy + +# shellcheck disable=SC2034 + +################################################################################ +################################################################################ +# Welcome to the Jitsi Meet Docker setup! +# +# This sample .env file contains some basic options to get you started. +# The full options reference can be found here: +# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker +################################################################################ +################################################################################ + + +# +# Basic configuration options +# + +# Directory where all configuration will be stored +CONFIG=~/.jitsi-meet-cfg + +# Exposed HTTP port +HTTP_PORT=80 + +# Exposed HTTPS port +HTTPS_PORT=443 + +# System time zone +TZ=UTC + +# Public URL for the web service (required) +PUBLIC_URL=https://meet.example.com + +# Media IP addresses to advertise by the JVB +# This setting deprecates DOCKER_HOST_ADDRESS, and supports a comma separated list of IPs +# See the "Running behind NAT or on a LAN environment" section in the Handbook: +# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment +#JVB_ADVERTISE_IPS=192.168.1.1,1.2.3.4 + + +# +# JaaS Components (beta) +# https://jaas.8x8.vc +# + +# Enable JaaS Components (hosted Jigasi) +# NOTE: if Let's Encrypt is enabled a JaaS account will be automatically created, using the provided email in LETSENCRYPT_EMAIL +#ENABLE_JAAS_COMPONENTS=0 + +# +# Let's Encrypt configuration +# + +# Enable Let's Encrypt certificate generation +#ENABLE_LETSENCRYPT=1 + +# Domain for which to generate the certificate +#LETSENCRYPT_DOMAIN=meet.example.com + +# E-Mail for receiving important account notifications (mandatory) +#LETSENCRYPT_EMAIL=alice@atlanta.net + +# Use the staging server (for avoiding rate limits while testing) +#LETSENCRYPT_USE_STAGING=1 + + +# +# Etherpad integration (for document sharing) +# + +# Set etherpad-lite URL in docker local network (uncomment to enable) +#ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001 + +# Set etherpad-lite public URL, including /p/ pad path fragment (uncomment to enable) +#ETHERPAD_PUBLIC_URL=https://etherpad.my.domain/p/ + +# Name your etherpad instance! +ETHERPAD_TITLE=Video Chat + +# The default text of a pad +ETHERPAD_DEFAULT_PAD_TEXT="Welcome to Web Chat!\n\n" + +# Name of the skin for etherpad +ETHERPAD_SKIN_NAME=colibris + +# Skin variants for etherpad +ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background full-width-editor" + + +# +# Basic Jigasi configuration options (needed for SIP gateway support) +# + +# SIP URI for incoming / outgoing calls +#JIGASI_SIP_URI=test@sip2sip.info + +# Password for the specified SIP account as a clear text +#JIGASI_SIP_PASSWORD=passw0rd + +# SIP server (use the SIP account domain if in doubt) +#JIGASI_SIP_SERVER=sip2sip.info + +# SIP server port +#JIGASI_SIP_PORT=5060 + +# SIP server transport +#JIGASI_SIP_TRANSPORT=UDP + + +# +# Authentication configuration (see handbook for details) +# + +# Enable authentication +#ENABLE_AUTH=1 + +# Enable guest access +#ENABLE_GUESTS=1 + +# Select authentication type: internal, jwt, ldap or matrix +#AUTH_TYPE=internal + +# JWT authentication +# + +# Application identifier +#JWT_APP_ID=my_jitsi_app_id + +# Application secret known only to your token generator +#JWT_APP_SECRET=my_jitsi_app_secret + +# (Optional) Set asap_accepted_issuers as a comma separated list +#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client + +# (Optional) Set asap_accepted_audiences as a comma separated list +#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2 + +# LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page) +# + +# LDAP url for connection +#LDAP_URL=ldaps://ldap.domain.com/ + +# LDAP base DN. Can be empty +#LDAP_BASE=DC=example,DC=domain,DC=com + +# LDAP user DN. Do not specify this parameter for the anonymous bind +#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com + +# LDAP user password. Do not specify this parameter for the anonymous bind +#LDAP_BINDPW=LdapUserPassw0rd + +# LDAP filter. Tokens example: +# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail +# %s - %s is replaced by the complete service string +# %r - %r is replaced by the complete realm string +#LDAP_FILTER=(sAMAccountName=%u) + +# LDAP authentication method +#LDAP_AUTH_METHOD=bind + +# LDAP version +#LDAP_VERSION=3 + +# LDAP TLS using +#LDAP_USE_TLS=1 + +# List of SSL/TLS ciphers to allow +#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC + +# Require and verify server certificate +#LDAP_TLS_CHECK_PEER=1 + +# Path to CA cert file. Used when server certificate verify is enabled +#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt + +# Path to CA certs directory. Used when server certificate verify is enabled +#LDAP_TLS_CACERT_DIR=/etc/ssl/certs + +# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps:// +# LDAP_START_TLS=1 + + +# +# Security +# +# Set these to strong passwords to avoid intruders from impersonating a service account +# The service(s) won't start unless these are specified +# Running ./gen-passwords.sh will update .env with strong passwords +# You may skip the Jigasi and Jibri passwords if you are not using those +# DO NOT reuse passwords +# + +# XMPP password for Jicofo client connections +#JICOFO_AUTH_PASSWORD= + +# XMPP password for JVB client connections +#JVB_AUTH_PASSWORD= + +# XMPP password for Jigasi MUC client connections +#JIGASI_XMPP_PASSWORD= + +# XMPP recorder password for Jibri client connections +#JIBRI_RECORDER_PASSWORD= + +# XMPP password for Jibri client connections +#JIBRI_XMPP_PASSWORD= + +# +# Docker Compose options +# + +# Container restart policy +#RESTART_POLICY=unless-stopped + +# Jitsi image version (useful for local development) +#JITSI_IMAGE_VERSION=latest diff --git a/abra.sh b/abra.sh new file mode 100644 index 0000000..a4ea66f --- /dev/null +++ b/abra.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +export ENTRYPOINT_VERSION=v1 + +#example_command() { +# ls +#} \ No newline at end of file diff --git a/compose.yml b/compose.yml index a2c3805..d9aff99 100644 --- a/compose.yml +++ b/compose.yml @@ -2,31 +2,148 @@ version: "3.8" services: - app: - image: nginx:1.20.0 + jitsi-web: + image: jitsi/web:stable-8719 + volumes: + - jitsiconfig:/config + - jitsicrontabs:/var/spool/cron/crontabs + - jitsitranscripts:/usr/share/jitsi-meet/transcripts + - ${EXTRA_VOLUME} + environment: + - CONFIG + - HTTP_PORT + - HTTPS_PORT + - TZ + - PUBLIC_URL networks: - proxy + - internal deploy: - restart_policy: - condition: on-failure + update_config: + failure_action: rollback + order: start-first labels: - "traefik.enable=true" + - "traefik.docker.network=proxy" - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80" - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})" - - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" - ## Redirect from EXTRA_DOMAINS to DOMAIN - #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect" - #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true" - #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}" - - "coop-cloud.${STACK_NAME}.version=" - healthcheck: - test: ["CMD", "curl", "-f", "http://localhost"] - interval: 30s - timeout: 10s - retries: 10 - start_period: 1m + - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" +# - "backupbot.backup=true" +# - "backupbot.backup.path=/var/www/html/config/,/var/www/html/data/,/var/www/html/custom_apps/" + - "caddy=${DOMAIN}" + - "caddy.reverse_proxy={{upstreams 80}}" + - "caddy.tls.on_demand=" + - "coop-cloud.${STACK_NAME}.version=0.0.1+8719" +# healthcheck: +# test: ["CMD-SHELL", 'curl -s -N curl -Ns localhost/status.php | grep "installed\":true"'] +# interval: 30s +# timeout: 10s +# retries: 10 +# start_period: 5m + + prosody: + image: jitsi/prosody:stable-8719 + volumes: + - jitsiprosodyconfig:/config + - jitsiprosody:/prosody-plugins-custom + environment: + - JICOFO_AUTH_PASSWORD_FILE=/run/secrets/jicofo_auth_password + - JVB_AUTH_PASSWORD_FILE=/run/secrets/jvb_auth_password + configs: + - source: entrypoint + target: /custom-entrypoint.sh + mode: 555 + entrypoint: /custom-entrypoint.sh + secrets: + - jicofo_auth_password + - jvb_auth_password + networks: + internal: + aliases: + - ${XMPP_SERVER:-xmpp.meet.jitsi} + deploy: + update_config: + failure_action: rollback + order: start-first + + jicofo: + image: jitsi/jicofo:stable-8719 + volumes: + - jitsijicofoconfig:/config + environment: + - JICOFO_AUTH_PASSWORD_FILE=/run/secrets/jicofo_auth_password + configs: + - source: entrypoint + target: /custom-entrypoint.sh + mode: 555 + entrypoint: /custom-entrypoint.sh + secrets: + - jicofo_auth_password + depends_on: + - prosody + networks: + internal: + deploy: + update_config: + failure_action: rollback + order: start-first + + jvb: + image: jitsi/jvb:stable-8719 + volumes: + - jitsijvbconfig:/config + environment: + - JVB_AUTH_PASSWORD_FILE=/run/secrets/jvb_auth_password + configs: + - source: entrypoint + target: /custom-entrypoint.sh + mode: 555 + entrypoint: /custom-entrypoint.sh + secrets: + - jvb_auth_password + depends_on: + - prosody + networks: + internal: + deploy: + update_config: + failure_action: rollback + order: start-first + +secrets: + jicofo_auth_password: + external: true + name: ${STACK_NAME}_jicofo_auth_password_${SECRET_JICOFO_AUTH_PASSWORD_VERSION} + jvb_auth_password: + external: true + name: ${STACK_NAME}_jvb_auth_password_${SECRET_JVB_AUTH_PASSWORD_VERSION} + # jigasi_xmpp_password: + # external: true + # name: ${STACK_NAME}_jigasi_xmpp_password_${SECRET_JIGASI_XMPP_PASSWORD_VERSION} + # jibri_recorder_password: + # external: true + # name: ${STACK_NAME}_jibri_recorder_password_${SECRET_JIBRI_RECORDER_PASSWORD_VERSION} + # jibri_xmpp_password: + # external: true + # name: ${STACK_NAME}_jibri_xmpp_password_${SECRET_JIBRI_XMPP_PASSWORD_VERSION} + +volumes: + jitsiconfig: + jitsicrontabs: + jitsitranscripts: + jitsiprosodyconfig: + jitsiprosody: + jitsijicofoconfig: + jitsijvbconfig: + +configs: + entrypoint: + name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION} + file: entrypoint.sh.tmpl + template_driver: golang networks: proxy: external: true + internal: \ No newline at end of file diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl new file mode 100644 index 0000000..8c24027 --- /dev/null +++ b/entrypoint.sh.tmpl @@ -0,0 +1,29 @@ +#!/bin/bash + +set -eu + +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + + if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then + echo >&2 "error: both $var and $fileVar are set (but are exclusive)" + exit 1 + fi + + local val="$def" + if [ "${!var:-}" ]; then + val="${!var}" + elif [ "${!fileVar:-}" ]; then + val="$(< "${!fileVar}")" + fi + + export "$var"="$val" + unset "$fileVar" +} + +file_env "JICOFO_AUTH_PASSWORD" +file_env "JVB_AUTH_PASSWORD" + +/init \ No newline at end of file