initial

.env.sample

@@ -1,8 +1,235 @@
 TYPE=jitsi
+TIMEOUT=900
+ENABLE_AUTO_UPDATE=true
 
-DOMAIN=jitsi.example.com
+DOMAIN=meet.example.com
-
 ## Domain aliases
-#EXTRA_DOMAINS=', `www.jitsi.example.com`'
+#EXTRA_DOMAINS=', `www.meet.example.com`'
-
 LETS_ENCRYPT_ENV=production
+
+COMPOSE_FILE="compose.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml"
+
+ADMIN_USER=admin
+
+SECRET_JICOFO_AUTH_PASSWORD_VERSION=v1
+SECRET_JVB_AUTH_PASSWORD_VERSION=v1
+
+EXTRA_VOLUME=/dev/null:/tmp/.dummy
+
+# shellcheck disable=SC2034
+
+################################################################################
+################################################################################
+# Welcome to the Jitsi Meet Docker setup!
+#
+# This sample .env file contains some basic options to get you started.
+# The full options reference can be found here:
+# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker
+################################################################################
+################################################################################
+
+
+#
+# Basic configuration options
+#
+
+# Directory where all configuration will be stored
+CONFIG=~/.jitsi-meet-cfg
+
+# Exposed HTTP port
+HTTP_PORT=80
+
+# Exposed HTTPS port
+HTTPS_PORT=443
+
+# System time zone
+TZ=UTC
+
+# Public URL for the web service (required)
+PUBLIC_URL=https://meet.example.com
+
+# Media IP addresses to advertise by the JVB
+# This setting deprecates DOCKER_HOST_ADDRESS, and supports a comma separated list of IPs
+# See the "Running behind NAT or on a LAN environment" section in the Handbook:
+# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment
+#JVB_ADVERTISE_IPS=192.168.1.1,1.2.3.4
+
+
+#
+# JaaS Components (beta)
+# https://jaas.8x8.vc
+#
+
+# Enable JaaS Components (hosted Jigasi)
+# NOTE: if Let's Encrypt is enabled a JaaS account will be automatically created, using the provided email in LETSENCRYPT_EMAIL
+#ENABLE_JAAS_COMPONENTS=0
+
+#
+# Let's Encrypt configuration
+#
+
+# Enable Let's Encrypt certificate generation
+#ENABLE_LETSENCRYPT=1
+
+# Domain for which to generate the certificate
+#LETSENCRYPT_DOMAIN=meet.example.com
+
+# E-Mail for receiving important account notifications (mandatory)
+#LETSENCRYPT_EMAIL=alice@atlanta.net
+
+# Use the staging server (for avoiding rate limits while testing)
+#LETSENCRYPT_USE_STAGING=1
+
+
+#
+# Etherpad integration (for document sharing)
+#
+
+# Set etherpad-lite URL in docker local network (uncomment to enable)
+#ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001
+
+# Set etherpad-lite public URL, including /p/ pad path fragment (uncomment to enable)
+#ETHERPAD_PUBLIC_URL=https://etherpad.my.domain/p/
+
+# Name your etherpad instance!
+ETHERPAD_TITLE=Video Chat
+
+# The default text of a pad
+ETHERPAD_DEFAULT_PAD_TEXT="Welcome to Web Chat!\n\n"
+
+# Name of the skin for etherpad
+ETHERPAD_SKIN_NAME=colibris
+
+# Skin variants for etherpad
+ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background full-width-editor"
+
+
+#
+# Basic Jigasi configuration options (needed for SIP gateway support)
+#
+
+# SIP URI for incoming / outgoing calls
+#JIGASI_SIP_URI=test@sip2sip.info
+
+# Password for the specified SIP account as a clear text
+#JIGASI_SIP_PASSWORD=passw0rd
+
+# SIP server (use the SIP account domain if in doubt)
+#JIGASI_SIP_SERVER=sip2sip.info
+
+# SIP server port
+#JIGASI_SIP_PORT=5060
+
+# SIP server transport
+#JIGASI_SIP_TRANSPORT=UDP
+
+
+#
+# Authentication configuration (see handbook for details)
+#
+
+# Enable authentication
+#ENABLE_AUTH=1
+
+# Enable guest access
+#ENABLE_GUESTS=1
+
+# Select authentication type: internal, jwt, ldap or matrix
+#AUTH_TYPE=internal
+
+# JWT authentication
+#
+
+# Application identifier
+#JWT_APP_ID=my_jitsi_app_id
+
+# Application secret known only to your token generator
+#JWT_APP_SECRET=my_jitsi_app_secret
+
+# (Optional) Set asap_accepted_issuers as a comma separated list
+#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client
+
+# (Optional) Set asap_accepted_audiences as a comma separated list
+#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2
+
+# LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page)
+#
+
+# LDAP url for connection
+#LDAP_URL=ldaps://ldap.domain.com/
+
+# LDAP base DN. Can be empty
+#LDAP_BASE=DC=example,DC=domain,DC=com
+
+# LDAP user DN. Do not specify this parameter for the anonymous bind
+#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
+
+# LDAP user password. Do not specify this parameter for the anonymous bind
+#LDAP_BINDPW=LdapUserPassw0rd
+
+# LDAP filter. Tokens example:
+# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail
+# %s - %s is replaced by the complete service string
+# %r - %r is replaced by the complete realm string
+#LDAP_FILTER=(sAMAccountName=%u)
+
+# LDAP authentication method
+#LDAP_AUTH_METHOD=bind
+
+# LDAP version
+#LDAP_VERSION=3
+
+# LDAP TLS using
+#LDAP_USE_TLS=1
+
+# List of SSL/TLS ciphers to allow
+#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
+
+# Require and verify server certificate
+#LDAP_TLS_CHECK_PEER=1
+
+# Path to CA cert file. Used when server certificate verify is enabled
+#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt
+
+# Path to CA certs directory. Used when server certificate verify is enabled
+#LDAP_TLS_CACERT_DIR=/etc/ssl/certs
+
+# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps://
+# LDAP_START_TLS=1
+
+
+#
+# Security
+#
+# Set these to strong passwords to avoid intruders from impersonating a service account
+# The service(s) won't start unless these are specified
+# Running ./gen-passwords.sh will update .env with strong passwords
+# You may skip the Jigasi and Jibri passwords if you are not using those
+# DO NOT reuse passwords
+#
+
+# XMPP password for Jicofo client connections
+#JICOFO_AUTH_PASSWORD=
+
+# XMPP password for JVB client connections
+#JVB_AUTH_PASSWORD=
+
+# XMPP password for Jigasi MUC client connections
+#JIGASI_XMPP_PASSWORD=
+
+# XMPP recorder password for Jibri client connections
+#JIBRI_RECORDER_PASSWORD=
+
+# XMPP password for Jibri client connections
+#JIBRI_XMPP_PASSWORD=
+
+#
+# Docker Compose options
+#
+
+# Container restart policy
+#RESTART_POLICY=unless-stopped
+
+# Jitsi image version (useful for local development)
+#JITSI_IMAGE_VERSION=latest

abra.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+export ENTRYPOINT_VERSION=v1
+
+#example_command() {
+#    ls
+#}

compose.yml

@@ -2,31 +2,148 @@
 version: "3.8"
 
 services:
-  app:
+  jitsi-web:
-    image: nginx:1.20.0
+    image: jitsi/web:stable-8719
+    volumes:
+      - jitsiconfig:/config
+      - jitsicrontabs:/var/spool/cron/crontabs
+      - jitsitranscripts:/usr/share/jitsi-meet/transcripts
+      - ${EXTRA_VOLUME}
+    environment:
+      - CONFIG
+      - HTTP_PORT
+      - HTTPS_PORT
+      - TZ
+      - PUBLIC_URL
     networks:
       - proxy
+      - internal
     deploy:
-      restart_policy:
+      update_config:
-        condition: on-failure
+        failure_action: rollback
+        order: start-first
       labels:
         - "traefik.enable=true"
+        - "traefik.docker.network=proxy"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
-        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        ## Redirect from EXTRA_DOMAINS to DOMAIN
+        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
-        #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
+#        - "backupbot.backup=true"
-        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
+#        - "backupbot.backup.path=/var/www/html/config/,/var/www/html/data/,/var/www/html/custom_apps/"
-        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
+        - "caddy=${DOMAIN}"
-        - "coop-cloud.${STACK_NAME}.version="
+        - "caddy.reverse_proxy={{upstreams 80}}"
-    healthcheck:
+        - "caddy.tls.on_demand="
-      test: ["CMD", "curl", "-f", "http://localhost"]
+        - "coop-cloud.${STACK_NAME}.version=0.0.1+8719"
-      interval: 30s
+#    healthcheck:
-      timeout: 10s
+#      test: ["CMD-SHELL", 'curl -s -N curl -Ns localhost/status.php |  grep "installed\":true"']
-      retries: 10
+#      interval: 30s
-      start_period: 1m
+#      timeout: 10s
+#      retries: 10
+#      start_period: 5m
+
+  prosody:
+    image: jitsi/prosody:stable-8719
+    volumes:
+      - jitsiprosodyconfig:/config
+      - jitsiprosody:/prosody-plugins-custom
+    environment:
+      - JICOFO_AUTH_PASSWORD_FILE=/run/secrets/jicofo_auth_password
+      - JVB_AUTH_PASSWORD_FILE=/run/secrets/jvb_auth_password
+    configs:
+      - source: entrypoint
+        target: /custom-entrypoint.sh
+        mode: 555
+    entrypoint: /custom-entrypoint.sh
+    secrets:
+      - jicofo_auth_password
+      - jvb_auth_password
+    networks:
+      internal:
+        aliases:
+          - ${XMPP_SERVER:-xmpp.meet.jitsi}
+    deploy:
+      update_config:
+        failure_action: rollback
+        order: start-first
+
+  jicofo:
+    image: jitsi/jicofo:stable-8719
+    volumes:
+      - jitsijicofoconfig:/config
+    environment:
+      - JICOFO_AUTH_PASSWORD_FILE=/run/secrets/jicofo_auth_password
+    configs:
+      - source: entrypoint
+        target: /custom-entrypoint.sh
+        mode: 555
+    entrypoint: /custom-entrypoint.sh
+    secrets:
+      - jicofo_auth_password
+    depends_on:
+        - prosody      
+    networks:
+      internal:
+    deploy:
+      update_config:
+        failure_action: rollback
+        order: start-first
+
+  jvb:
+    image: jitsi/jvb:stable-8719
+    volumes:
+      - jitsijvbconfig:/config
+    environment:
+    - JVB_AUTH_PASSWORD_FILE=/run/secrets/jvb_auth_password
+    configs:
+      - source: entrypoint
+        target: /custom-entrypoint.sh
+        mode: 555
+    entrypoint: /custom-entrypoint.sh
+    secrets:
+      - jvb_auth_password
+    depends_on:
+        - prosody
+    networks:
+      internal:
+    deploy:
+      update_config:
+        failure_action: rollback
+        order: start-first
+
+secrets:
+  jicofo_auth_password:
+    external: true
+    name: ${STACK_NAME}_jicofo_auth_password_${SECRET_JICOFO_AUTH_PASSWORD_VERSION}
+  jvb_auth_password:
+    external: true
+    name: ${STACK_NAME}_jvb_auth_password_${SECRET_JVB_AUTH_PASSWORD_VERSION}
+  # jigasi_xmpp_password:
+  #   external: true
+  #   name: ${STACK_NAME}_jigasi_xmpp_password_${SECRET_JIGASI_XMPP_PASSWORD_VERSION}
+  # jibri_recorder_password:
+  #   external: true
+  #   name: ${STACK_NAME}_jibri_recorder_password_${SECRET_JIBRI_RECORDER_PASSWORD_VERSION}
+  # jibri_xmpp_password:
+  #   external: true
+  #   name: ${STACK_NAME}_jibri_xmpp_password_${SECRET_JIBRI_XMPP_PASSWORD_VERSION}
+
+volumes:
+  jitsiconfig:
+  jitsicrontabs:
+  jitsitranscripts:
+  jitsiprosodyconfig:
+  jitsiprosody:
+  jitsijicofoconfig:
+  jitsijvbconfig:
+
+configs:
+  entrypoint:
+    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
+    file: entrypoint.sh.tmpl
+    template_driver: golang
 
 networks:
   proxy:
     external: true
+  internal:

entrypoint.sh.tmpl

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -eu
+
+file_env() {
+  local var="$1"
+  local fileVar="${var}_FILE"
+  local def="${2:-}"
+
+  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    exit 1
+  fi
+
+  local val="$def"
+  if [ "${!var:-}" ]; then
+    val="${!var}"
+  elif [ "${!fileVar:-}" ]; then
+    val="$(< "${!fileVar}")"
+  fi
+
+  export "$var"="$val"
+  unset "$fileVar"
+}
+
+file_env "JICOFO_AUTH_PASSWORD"
+file_env "JVB_AUTH_PASSWORD"
+
+/init