matze/cdist-contrib
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Compare commits

base: matze:master
Branches Tags
matze:master
matze:netbox
matze:__matrix_synapse
matze:root-mail-dma
..
compare: matze:__matrix_synapse
Branches Tags
matze:netbox
matze:master
matze:__matrix_synapse
matze:root-mail-dma

2 commits
master ... __matrix_s

Author SHA1 Message Date
Timothée Floure
716b4de8e1 __matrix_synapse: make shellcheck happy! 2020-07-28 14:44:37 +02:00
Timothée Floure
451f09d746 Import __matrix_synapse type from ungleich's dot-cdist 2020-06-25 11:16:20 +02:00
211 changed files with 2468 additions and 7540 deletions
Download patch file Download diff file Expand all files Collapse all files

21
.gitlab-ci.yml
View file

@ -1,29 +1,14 @@
stages:
- test
- doc
image: code.ungleich.ch:5050/ungleich-public/cdist-contrib/ci-container:latest
image: code.ungleich.ch:5050/ungleich-public/cdist/cdist-ci:latest
shellcheck:
stage: test
script:
- make lint
- ./scripts/run-shellcheck.sh
manpages:
stage: test
script:
- make check-manpages
docs:
stage: doc
only:
- master
before_script:
- eval $(ssh-agent -s)
- echo "$CD_SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null
- mkdir -p ~/.ssh
- echo "$CD_SSH_SERVER_HOSTKEYS" > ~/.ssh/known_hosts
- chmod 644 ~/.ssh/known_hosts
script:
- make html
- sftp fnux@staticwebhosting.ungleich.ch:public_html/cdist-contrib <<< "put -r docs/dist/html/*"
- ./scripts/run-manpage-checks.sh

4
CHANGELOG.md Normal file
View file

@ -0,0 +1,4 @@
# cdist-contrib changes
* 2020-06-03: New type: __unbound (Timothée Floure)
* 2020-04-28: New type: __find_exec (Ander Punnar)

70
Makefile
View file

@ -1,70 +0,0 @@
.PHONY: help
help:
@echo "Please use \`make <target>' where <target> is one of"
@echo "man build only man user documentation"
@echo "html build only html user documentation"
@echo "docs build both man and html user documentation"
@echo "check-manpages check for manpage in types"
@echo "lint run shellcheck on types"
@echo "check run both type manpage checks and linting"
@echo "clean clean"
DOCS_SRC_DIR=./docs/src
TYPEDIR=./type
SPHINXM=make -C $(DOCS_SRC_DIR) man
SPHINXH=make -C $(DOCS_SRC_DIR) html
SPHINXC=make -C $(DOCS_SRC_DIR) clean
################################################################################
# Manpages
#
MAN7DSTDIR=$(DOCS_SRC_DIR)/man7
# Use shell / ls to get complete list - $(TYPEDIR)/*/man.rst does not work
# Using ls does not work if no file with given pattern exist, so use wildcard
MANTYPESRC=$(wildcard $(TYPEDIR)/*/man.rst)
MANTYPEPREFIX=$(subst $(TYPEDIR)/,$(MAN7DSTDIR)/cdist-type,$(MANTYPESRC))
MANTYPES=$(subst /man.rst,.rst,$(MANTYPEPREFIX))
# Link manpage: do not create man.html but correct named file
$(MAN7DSTDIR)/cdist-type%.rst: $(TYPEDIR)/%/man.rst
mkdir -p $(MAN7DSTDIR)
ln -sf "../../../$^" $@
DOCSINDEX=$(MAN7DSTDIR)/index.rst
DOCSINDEXH=$(DOCS_SRC_DIR)/index.rst.sh
$(DOCSINDEX): $(DOCSINDEXH)
$(DOCSINDEXH)
# Manpages: .cdist Types
DOT_CDIST_PATH=${HOME}/.cdist
DOTMAN7DSTDIR=$(MAN7DSTDIR)
DOTTYPEDIR=$(DOT_CDIST_PATH)/type
# Link manpage: do not create man.html but correct named file
$(DOTMAN7DSTDIR)/cdist-type%.rst: $(DOTTYPEDIR)/%/man.rst
ln -sf "$^" $@
man: $(MANTYPES) $(DOCSINDEX)
$(SPHINXM)
html: $(MANTYPES) $(DOCSINDEX)
$(SPHINXH)
docs: man html
check-manpages:
./scripts/run-manpage-checks.sh
lint:
./scripts/run-shellcheck.sh
check: check-manpages lint
clean:
$(SPHINXC)
rm -f docs/src/index.rst
rm -rf docs/src/man7/
rm -rf docs/src/__pycache__/

18
README.md
View file

@ -5,9 +5,8 @@ tool with community-maitained types which are either too specific to fit/be
maintained in cdist itself or were not accepted in code cdist but could still
be useful.
This project does not have releases and is continously updated: see git history
for change log. You will find HTML documentation at
[contrib.cdi.st](https://contrib.cdi.st).
This project does not have releases and is continously updated: see
`CHANGELOG.md` for details.
## Using cdist-contrib
@ -33,11 +32,14 @@ And you would run [cdist][cdist] from the same directory as follows:
## Participating in the [cdist][cdist] community
Join us on [#cdist:ungleich.ch][cdistmatrix] on matrix!
Join us on [#cdist:ungleich.ch][cdistmatrix] on matrix or on
[#cdist over mattermost][cdistmattermost].
[cdist]: https://www.cdi.st/
[cdistconfig]: https://www.cdi.st/manual/latest/cdist-configuration.html
[cdistmatrix]: https://matrix.to/#/#cdist:ungleich.ch
[cdistmattermost]: https://chat.ungleich.ch/ungleich/channels/cdist
## Contributing
@ -51,11 +53,3 @@ Every type in cdist-contrib must:
* Have a `man.rst` documentation page.
* Pass [shellcheck](http://shellcheck.net/) without errors.
## Other resources
Some people/organizations are known to keep some cdist types that might be of
interest to others:
* [cdist-evilham](https://git.sr.ht/~evilham/cdist-evilham): Evilham's cdist-types
* [cdist-recycledcloud](https://code.recycled.cloud/e-Durable/cdist-recycledcloud): e-Durable SA / Recycled Cloud public types

235
docs/src/Makefile
View file

@ -1,235 +0,0 @@
# Makefile for Sphinx documentation
#
# You can set these variables from the command line.
SPHINXOPTS ?=
SPHINXBUILD ?= sphinx-build
PAPER ?=
BUILDDIR ?= ../dist
# for cache, etc.
_BUILDDIR = _build
# User-friendly check for sphinx-build
ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1)
$(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don\'t have Sphinx installed, grab it from http://sphinx-doc.org/)
endif
# Internal variables.
PAPEROPT_a4 = -D latex_paper_size=a4
PAPEROPT_letter = -D latex_paper_size=letter
ALLSPHINXOPTS = -d $(_BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
# the i18n builder cannot share the environment and doctrees with the others
I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
.PHONY: help
help:
@echo "Please use \`make <target>' where <target> is one of"
@echo " html to make standalone HTML files"
@echo " dirhtml to make HTML files named index.html in directories"
@echo " singlehtml to make a single large HTML file"
@echo " pickle to make pickle files"
@echo " json to make JSON files"
@echo " htmlhelp to make HTML files and a HTML help project"
@echo " qthelp to make HTML files and a qthelp project"
@echo " applehelp to make an Apple Help Book"
@echo " devhelp to make HTML files and a Devhelp project"
@echo " epub to make an epub"
@echo " epub3 to make an epub3"
@echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
@echo " latexpdf to make LaTeX files and run them through pdflatex"
@echo " latexpdfja to make LaTeX files and run them through platex/dvipdfmx"
@echo " text to make text files"
@echo " man to make manual pages"
@echo " texinfo to make Texinfo files"
@echo " info to make Texinfo files and run them through makeinfo"
@echo " gettext to make PO message catalogs"
@echo " changes to make an overview of all changed/added/deprecated items"
@echo " xml to make Docutils-native XML files"
@echo " pseudoxml to make pseudoxml-XML files for display purposes"
@echo " linkcheck to check all external links for integrity"
@echo " doctest to run all doctests embedded in the documentation (if enabled)"
@echo " coverage to run coverage check of the documentation (if enabled)"
@echo " dummy to check syntax errors of document sources"
.PHONY: clean
clean:
rm -rf $(BUILDDIR)/*
rm -rf $(_BUILDDIR)/*
.PHONY: html
html:
$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
@echo
@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
.PHONY: dirhtml
dirhtml:
$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
@echo
@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
.PHONY: singlehtml
singlehtml:
$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
@echo
@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
.PHONY: pickle
pickle:
$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
@echo
@echo "Build finished; now you can process the pickle files."
.PHONY: json
json:
$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
@echo
@echo "Build finished; now you can process the JSON files."
.PHONY: htmlhelp
htmlhelp:
$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
@echo
@echo "Build finished; now you can run HTML Help Workshop with the" \
".hhp project file in $(BUILDDIR)/htmlhelp."
.PHONY: qthelp
qthelp:
$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
@echo
@echo "Build finished; now you can run "qcollectiongenerator" with the" \
".qhcp project file in $(BUILDDIR)/qthelp, like this:"
@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/cdist-docs.qhcp"
@echo "To view the help file:"
@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/cdist-docs.qhc"
.PHONY: applehelp
applehelp:
$(SPHINXBUILD) -b applehelp $(ALLSPHINXOPTS) $(BUILDDIR)/applehelp
@echo
@echo "Build finished. The help book is in $(BUILDDIR)/applehelp."
@echo "N.B. You won't be able to view it unless you put it in" \
"~/Library/Documentation/Help or install it in your application" \
"bundle."
.PHONY: devhelp
devhelp:
$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
@echo
@echo "Build finished."
@echo "To view the help file:"
@echo "# mkdir -p $$HOME/.local/share/devhelp/cdist-docs"
@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/cdist-docs"
@echo "# devhelp"
.PHONY: epub
epub:
$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
@echo
@echo "Build finished. The epub file is in $(BUILDDIR)/epub."
.PHONY: epub3
epub3:
$(SPHINXBUILD) -b epub3 $(ALLSPHINXOPTS) $(BUILDDIR)/epub3
@echo
@echo "Build finished. The epub3 file is in $(BUILDDIR)/epub3."
.PHONY: latex
latex:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo
@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
@echo "Run \`make' in that directory to run these through (pdf)latex" \
"(use \`make latexpdf' here to do that automatically)."
.PHONY: latexpdf
latexpdf:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo "Running LaTeX files through pdflatex..."
$(MAKE) -C $(BUILDDIR)/latex all-pdf
@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
.PHONY: latexpdfja
latexpdfja:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo "Running LaTeX files through platex and dvipdfmx..."
$(MAKE) -C $(BUILDDIR)/latex all-pdf-ja
@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
.PHONY: text
text:
$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
@echo
@echo "Build finished. The text files are in $(BUILDDIR)/text."
.PHONY: man
man:
$(SPHINXBUILD) -b cman $(ALLSPHINXOPTS) $(BUILDDIR)/man
mkdir -p $(BUILDDIR)/man/man7
mv -f $(BUILDDIR)/man/*.7 $(BUILDDIR)/man/man7/
@echo
@echo "Build finished. The manual pages are in $(BUILDDIR)/man."
.PHONY: texinfo
texinfo:
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
@echo
@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
@echo "Run \`make' in that directory to run these through makeinfo" \
"(use \`make info' here to do that automatically)."
.PHONY: info
info:
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
@echo "Running Texinfo files through makeinfo..."
make -C $(BUILDDIR)/texinfo info
@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
.PHONY: gettext
gettext:
$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
@echo
@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
.PHONY: changes
changes:
$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
@echo
@echo "The overview file is in $(BUILDDIR)/changes."
.PHONY: linkcheck
linkcheck:
$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
@echo
@echo "Link check complete; look for any errors in the above output " \
"or in $(BUILDDIR)/linkcheck/output.txt."
.PHONY: doctest
doctest:
$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
@echo "Testing of doctests in the sources finished, look at the " \
"results in $(BUILDDIR)/doctest/output.txt."
.PHONY: coverage
coverage:
$(SPHINXBUILD) -b coverage $(ALLSPHINXOPTS) $(BUILDDIR)/coverage
@echo "Testing of coverage in the sources finished, look at the " \
"results in $(BUILDDIR)/coverage/python.txt."
.PHONY: xml
xml:
$(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml
@echo
@echo "Build finished. The XML files are in $(BUILDDIR)/xml."
.PHONY: pseudoxml
pseudoxml:
$(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml
@echo
@echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml."
.PHONY: dummy
dummy:
$(SPHINXBUILD) -b dummy $(ALLSPHINXOPTS) $(BUILDDIR)/dummy
@echo
@echo "Build finished. Dummy builder generates no files."

101
docs/src/conf.py
View file

@ -1,101 +0,0 @@
#!/usr/bin/env python3
import sys
import os
import sphinx_rtd_theme
from datetime import date
# If extensions (or modules to document with autodoc) are in another directory,
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
# sys.path.insert(0, os.path.abspath('.'))
sys.path.insert(0, os.path.abspath(os.path.join(
os.path.dirname(os.path.realpath(__file__)), "..", "..")))
# -- General configuration ------------------------------------------------
# If your documentation needs a minimal Sphinx version, state it here.
# needs_sphinx = '1.0'
# Add any Sphinx extension module names here, as strings. They can be
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
# ones.
extensions = [
'docs.src.manpage',
'sphinx.ext.extlinks',
]
# The suffix(es) of source filenames.
# You can specify multiple suffix as a list of string:
source_suffix = ['.rst']
# The encoding of source files.
# source_encoding = 'utf-8-sig'
# The master toctree document.
master_doc = 'index'
# General information about the project.
project = 'cdist-contrib'
copyright = 'cdist-contrib contributors'
# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
# built documents.
version = str(date.today())
release = os.popen('git rev-parse HEAD').read()
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
#
# This is also used if you do content translation via gettext catalogs.
# Usually you set "language" from the command line for these cases.
language = None
# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'sphinx'
# If true, `todo` and `todoList` produce output, else they produce nothing.
todo_include_todos = False
# -- Options for HTML output ----------------------------------------------
# The theme to use for HTML and HTML Help pages. See the documentation for
# a list of builtin themes.
html_theme = 'sphinx_rtd_theme'
html_theme_path = [sphinx_rtd_theme.get_html_theme_path()]
# Output file base name for HTML help builder.
htmlhelp_basename = 'cdistcontribdoc'
# -- Options for manual page output ---------------------------------------
# One entry per manual page. List of tuples
# (source start file, name, description, authors, manual section).
root_mandir = os.path.dirname(os.path.realpath(__file__))
mandirs = []
for mansubdir in ('man7',):
mandirs.append((os.path.join(root_mandir, mansubdir), mansubdir[-1]))
man_pages = []
for mandir, section in mandirs:
for root, dirs, files in os.walk(mandir):
for fname in files:
froot, fext = os.path.splitext(fname)
if fext == '.rst':
man_page = (os.path.join('man' + str(section), froot),
froot, '', [], section)
man_pages.append(man_page)
# man_pages = [
# ('cdist-type', 'cdist-type', 'cdist-type documentation',
# [author], 1),
# ('man7/cdist-type__file', 'cdist-type__file',
# '', [], 1),
# ('cdist-type__directory', 'cdist-type__directory',
# 'cdist-type__directory documentation', [author], 1),
# ]
# If true, show URL addresses after external links.
# man_show_urls = False

40
docs/src/index.rst.sh
View file

@ -1,40 +0,0 @@
#!/bin/sh
__cdist_pwd="$(pwd -P)"
__cdist_mydir="${0%/*}";
__cdist_abs_mydir="$(cd "$__cdist_mydir" && pwd -P)"
__cdist_myname=${0##*/};
__cdist_abs_myname="$__cdist_abs_mydir/$__cdist_myname"
filename="${__cdist_myname%.sh}"
dest="$__cdist_abs_mydir/$filename"
if ! command -v pandoc > /dev/null; then
echo "Pandoc is required to generate HTML index from README." >&2
exit 1
fi
cd "$__cdist_abs_mydir"
exec > "$dest"
pandoc -f markdown -t rst ../../README.md
cat << EOF
.. toctree::
:hidden:
EOF
# If there is no such file then ls prints error to stderr,
# so redirect stderr to /dev/null.
for type in $(ls man7/cdist-type__*.rst 2>/dev/null | LC_ALL=C sort); do
no_dir="${type#man7/}";
no_type="${no_dir#cdist-type}";
name="${no_type%.rst}";
manref="${no_dir%.rst}"
man="${manref}(7)"
echo " $name" "<man7/${manref}>"
done

87
docs/src/manpage.py
View file

@ -1,87 +0,0 @@
import sphinx.builders.manpage
import sphinx.writers.manpage
from docutils.frontend import OptionParser
from sphinx.util.console import bold, darkgreen
from six import string_types
from docutils.io import FileOutput
from os import path
from sphinx.util.nodes import inline_all_toctrees
from sphinx import addnodes
from sphinx.util import logging
"""
Extension based on sphinx builtin manpage.
It does not write its own .SH NAME based on config,
but leaves everything to actual reStructuredText file content.
"""
logger = logging.getLogger(__name__)
class ManualPageTranslator(sphinx.writers.manpage.ManualPageTranslator):
def header(self):
tmpl = (".TH \"%(title_upper)s\" \"%(manual_section)s\""
" \"%(date)s\" \"%(version)s\" \"%(manual_group)s\"\n")
return tmpl % self._docinfo
class ManualPageWriter(sphinx.writers.manpage.ManualPageWriter):
def __init__(self, builder):
super().__init__(builder)
self.translator_class = (
self.builder.get_translator_class() or ManualPageTranslator)
class ManualPageBuilder(sphinx.builders.manpage.ManualPageBuilder):
name = 'cman'
default_translator_class = ManualPageTranslator
def write(self, *ignored):
docwriter = ManualPageWriter(self)
docsettings = OptionParser(
defaults=self.env.settings,
components=(docwriter,),
read_config_files=True).get_default_values()
logger.info(bold('writing... '), nonl=True)
for info in self.config.man_pages:
docname, name, description, authors, section = info
if isinstance(authors, string_types):
if authors:
authors = [authors]
else:
authors = []
targetname = '%s.%s' % (name, section)
logger.info(darkgreen(targetname) + ' { ', nonl=True)
destination = FileOutput(
destination_path=path.join(self.outdir, targetname),
encoding='utf-8')
tree = self.env.get_doctree(docname)
docnames = set()
largetree = inline_all_toctrees(self, docnames, docname, tree,
darkgreen, [docname])
logger.info('} ', nonl=True)
self.env.resolve_references(largetree, docname, self)
# remove pending_xref nodes
for pendingnode in largetree.traverse(addnodes.pending_xref):
pendingnode.replace_self(pendingnode.children)
largetree.settings = docsettings
largetree.settings.title = name
largetree.settings.subtitle = description
largetree.settings.authors = authors
largetree.settings.section = section
docwriter.write(largetree, destination)
logger.info("")
def setup(app):
app.add_builder(ManualPageBuilder)

7
scripts/ci-container/Dockerfile
View file

@ -1,7 +0,0 @@
# This image is used in the cdist-contrib CI for linting and generating the
# documentation.
FROM fedora:latest
MAINTAINER Timothée Floure <fnux@ungleich.ch>
RUN dnf install -y git findutils make python3-sphinx python3-sphinx_rtd_theme \
ShellCheck openssh-clients pandoc

26
scripts/run-shellcheck.sh
View file

@ -1,29 +1,21 @@
#!/bin/sh -eu
#!/bin/sh
SHELLCHECKCMD='shellcheck -s sh -f gcc -x'
SHELLCHECKCMD="shellcheck -s sh -f gcc -x"
# Skip SC2154 for variables starting with __ since such variables are cdist
# environment variables.
SHELLCHECK_SKIP=': __.*is referenced but not assigned.*\[SC2154\]'
SHELLCHECKTMP='.shellcheck.tmp'
SHELLCHECKTMP=".shellcheck.tmp"
# Move to top-level cdist-contrib directory.
cd "$(dirname $0)"/..
cd $(dirname $0)/..
check() {
find type/ -type f "$@" -exec ${SHELLCHECKCMD} {} + \
| grep -v "${SHELLCHECK_SKIP}" >>"${SHELLCHECKTMP}" || true
check () {
find type/ -type f $1 $2 -exec ${SHELLCHECKCMD} {} + | grep -v "${SHELLCHECK_SKIP}" > "${SHELLCHECKTMP}"
test ! -s "${SHELLCHECKTMP}" || { cat "${SHELLCHECKTMP}"; exit 1; }
}
rm -f "${SHELLCHECKTMP}"
check -path '*/explorer/*'
check -path '*/files/*' -name '*.sh'
check -path "*/explorer/*"
check -path "*/files/*"
check -name manifest
check -name gencode-local
check -name gencode-remote
if test -s "${SHELLCHECKTMP}"
then
cat "${SHELLCHECKTMP}" >&2
exit 1
fi

36
type/__borg_repo/gencode-remote
View file

@ -1,36 +0,0 @@
#!/bin/sh
passphrase=
appendonly=
case "$(cat "${__object:?}/parameter/encryption")" in
none)
enc=none
;;
repokey)
enc=repokey
if [ -f "${__object:?}/parameter/passphrase" ];
then
passphrase="$(cat "${__object:?}/parameter/passphrase")"
else
echo "__borg_repo cannot use repokey encryption with no passphrase. Aborting." >&2;
exit 1;
fi
;;
*)
echo "$enc is not a known encryption mode for __borg_repo. Aborting." >&2
exit 1;
esac
if [ -f "${__object:?}/parameter/append-only" ];
then
appendonly='--append-only'
fi
cat <<- EOF
if ! borg check --repository-only 1>&2 2>/dev/null "/${__object_id:?}";
then
BORG_NEW_PASSPHRASE=$passphrase borg init -e ${enc:?} $appendonly /${__object_id:?}
fi
EOF

43
type/__borg_repo/man.rst
View file

@ -1,43 +0,0 @@
cdist-type__borg_repo(7)
========================
NAME
----
cdist-type__borg_repo - Configure a borg repository on host
DESCRIPTION
-----------
Initializes a borg repository at the location specified in the
`${__object_id}`. Nothing is done if the repository already exists.
Currently, only `none` and `repokey` are supported as encryption modes;
`repokey` requires the `passphrase` argument to be given. The default is
`none`.
REQUIRED PARAMETERS
-------------------
encryption
The encryption to use.
OPTIONAL PARAMETERS
-------------------
passphrase
The passphrase to encrypt the keyfile with.
BOOLEAN PARAMETERS
------------------
append-only
If the repository is append-only
AUTHORS
-------
Joachim Desroches <joachim.desroches@epfl.ch>
COPYING
-------
Copyright \(C) 2020 Joachim Desroches. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

14
type/__borg_repo/manifest
View file

@ -1,14 +0,0 @@
#!/bin/sh
os="$(cat "${__global:?}"/explorer/os)"
case "$os" in
"alpine")
borg_package=borgbackup
;;
*)
echo "__borg_repo is not yet implemented for os $os. Aborting." >&2;
exit 1;
esac
__package "$borg_package"

1
type/__borg_repo/parameter/boolean
View file

@ -1 +0,0 @@
append-only

1
type/__borg_repo/parameter/default/encryption
View file

@ -1 +0,0 @@
none

1
type/__borg_repo/parameter/optional
View file

@ -1 +0,0 @@
passphrase

1
type/__borg_repo/parameter/required
View file

@ -1 +0,0 @@
encryption

49
type/__dma/explorer/auth_conf
View file

@ -1,49 +0,0 @@
#!/bin/sh -e
#
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# This explorer determines the path of dma's auth.conf file
# No dma.conf -> use default
test -f /etc/dma/dma.conf || {
echo /etc/dma/auth.conf
exit 0
}
test -r /etc/dma/dma.conf || {
echo 'Cannot read /etc/dma/dma.conf' >&2
exit 1
}
# Get AUTHPATH from dma.conf
awk -F'[ \t]' '
{
sub(/#.*$/, "", $0) # remove comments
if (!$0) next # ignore empty lines
}
$1 == "AUTHPATH" {
# Store authpath. In dma conf parsing last wins.
if ($2) authpath = substr($0, index($0, " ") + 1)
}
END {
if (authpath) {
print authpath
exit 0
} else exit 1
}
' /etc/dma/dma.conf \
|| echo /etc/dma/auth.conf # default

34
type/__dma/explorer/conf
View file

@ -1,34 +0,0 @@
#!/bin/sh -e
#
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# This explorer returns a sorted list of "active" (= non-commented) lines
# in the dma.conf file.
# "Trailing" line comments are stripped off.
#
# NOTE: This explorer assumes that the sort(1) utility supports the non-POXIX
# -s (stable sort) option.
CONF_PATH=/etc/dma # set in Makefile
dma_conf="${CONF_PATH:?}/dma.conf"
test -f "${dma_conf}" || exit 0
grep -v -e '^[ \t]*#\|^$' "${dma_conf}" \
| sed -e 's/[ \t]*#.*$//' \
| sort -s -k 1,1

178
type/__dma/files/update_dma_conf.awk
View file

@ -1,178 +0,0 @@
#!/usr/bin/awk -f
#
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
function comment_line(line) {
# returns the position in line at which the comment's text starts
# (0 if the line is not a comment)
match(line, /^[ \t]*\#+[ \t]*/)
return RSTART ? (RLENGTH + 1) : 0
}
function empty_line(line) { return line ~ /^[ \t]*$/ }
function is_word(s) { return s ~ /^[A-Z_]+$/ } # "looks like a plausible word"
function first(line, sep_re) {
# returns the part of the line until sep is found
# (or the whole line if sep is not found)
if (!sep_re) sep_re = "[" SUBSEP "]"
match(line, sep_re)
return RSTART ? substr(line, 1, RSTART - 1) : line
}
function rest(line, sep_re) {
# returns the part of the line after the first occurrence of sep is found.
# (or nothing if sep is not found)
if (!sep_re) sep_re = "[" SUBSEP "]"
if (match(line, sep_re))
return substr(line, RSTART + RLENGTH)
}
function conf_pop(word, value) {
# returns the next value for the config `word` and delete it from the list.
# if value is set, this function will only return value if it is the first
# option in the list, otherwise it returns 0.
if (!(word in conf)) return 0
if (!value) {
if (index(conf[word], SUBSEP)) # more than one element?
value = substr(conf[word], 1, index(conf[word], SUBSEP) - 1)
else
value = conf[word]
}
if (index(conf[word], SUBSEP)) {
if (index(conf[word], value SUBSEP) != 1) return 0
conf[word] = substr(conf[word], length(value) + 2)
} else {
if (conf[word] != value) return 0
delete conf[word]
}
return value
}
function print_conf(word, value) {
# print a config line with the given parameters
printf "%s", word
if (value) printf " %s", value
printf "\n"
}
function print_confs(word, value) {
# print config lines for all values stored in conf[word].
if (!(word in conf)) return
if (conf[word]) {
while (value = conf_pop(word))
print_conf(word, value)
} else {
print_conf(word)
delete conf[word]
}
}
BEGIN {
FS = "\n"
EQS = "[ \t]" # copied from dma/conf.c
if (ARGV[2]) exit (e=1)
# Loop over file twice!
ARGV[2] = ARGV[1]
ARGC++
# read the "should" state into the `conf` array.
while (getline < "/dev/stdin") {
word = first($0, EQS)
if ((word in conf))
conf[word] = conf[word] SUBSEP rest($0, EQS)
else
conf[word] = rest($0, EQS)
}
}
# first pass, gather information about where which information is stored in the
# current config file. This information will be used in the second pass.
NR == FNR {
if (comment_line($0)) {
# comment line
word = first(substr($0, comment_line($0)), " ")
if (is_word(word)) last_occ["#" word] = FNR
} else {
word = first($0, EQS)
if (is_word(word)) last_occ[word] = FNR
}
}
# before second pass prepare hashes containing location information to be used
# in the second pass.
NR > FNR && FNR == 1 {
# First we drop the locations of commented-out options if a non-commented
# option is available. If a non-commented option is available, we will
# append new config options there to have them all at one place.
for (k in last_occ)
if (k ~ /^\#/ && (substr(k, 2) in last_occ))
delete last_occ[k]
# Reverse the option => line mapping. The line_map allows for easier lookups
# in the second pass.
for (k in last_occ) line_map[last_occ[k]] = k
}
# second pass, generate and output new config
NR > FNR {
if (comment_line($0) || empty_line($0)) {
# comment or empty line
print
if ((FNR in line_map)) {
if (line_map[FNR] ~ /^\#/) {
# This line contains a commented config option. If the conf hash
# contains options to be set, we output them here because this
# option is not used in the current config.
k = substr(line_map[FNR], 2)
if ((k in conf)) print_confs(k)
}
if (("INSECURE" in conf) && line_map[FNR] ~ /^\#?SECURE$/) {
# INSECURE goes where SECURE comment is.
print_confs("INSECURE")
}
}
} else {
word = first($0, EQS)
value = rest($0, EQS)
sub(/[ \t]*\#.*$/, "", value) # ignore comments in value
if ((word in conf) && value == first(conf[word])) {
# keep config options we want
conf_pop(word)
print
}
if ((FNR in line_map) && line_map[FNR] == word) {
# rest of config options should be here
print_confs(word)
}
}
}
END {
if (e) exit
# print rest of config options (
for (word in conf) print_confs(word)
}

177
type/__dma/gencode-remote
View file

@ -1,177 +0,0 @@
#!/bin/sh -e
#
# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
quote() { printf "'%s'" "$(printf '%s' "$*" | sed -e "s/'/'\\\\''/g")"; }
drop_awk_comments() { quote "$(sed '/^[[:blank:]]*#.*$/d;/^$/d' "$@")"; }
CONF_PATH=/etc/dma # set in Makefile
# Determine mailname
if test -f "${__object:?}/parameter/mailname"
then
mailname=$(cat "${__object:?}/parameter/mailname")
else
case $(cat "${__global:?}/explorer/os")
in
(debian|devuan|ubuntu)
# On Debian-like systems use /etc/mailname unless --mailname is used
mailname='/etc/mailname'
;;
(*)
mailname=${__target_fqdn:?}
;;
esac
fi
# Generate "should" values for config
conf_should=$(
if test -s "${__object:?}/parameter/smarthost"
then
printf 'SMARTHOST %s\n' "$(cat "${__object:?}/parameter/smarthost")"
fi
printf 'MAILNAME %s\n' "${mailname}"
if test -s "${__object:?}/explorer/auth_conf"
then
printf "AUTHPATH %s\n" "$(cat "${__object:?}/explorer/auth_conf")"
fi
case $(cat "${__object:?}/parameter/security")
in
(ssl|tls)
default_smtp_port=465
echo 'SECURETRANSFER'
;;
(starttls)
default_smtp_port=587
echo 'SECURETRANSFER'
echo 'STARTTLS'
;;
(opportunistic)
default_smtp_port=25
echo 'SECURETRANSFER'
echo 'STARTTLS'
echo 'OPPORTUNISTIC_TLS'
;;
(insecure)
default_smtp_port=25
echo 'INSECURE'
;;
esac
if test -s "${__object:?}/parameter/port"
then
printf 'PORT %u\n' "$(cat "${__object:?}/parameter/port")"
elif test "${default_smtp_port}" -ne 25 # DMA uses port 25 by default
then
printf 'PORT %u\n' "${default_smtp_port}"
fi
if test -f "${__object:?}/parameter/masquerade"
then
while read -r line
do
printf 'MASQUERADE %s\n' "${line}"
done <"${__object:?}/parameter/masquerade"
fi
if test -f "${__object:?}/parameter/defer"
then
echo 'DEFER'
fi
if test -f "${__object:?}/parameter/fullbounce"
then
echo 'FULLBOUNCE'
fi
if test -f "${__object:?}/parameter/nullclient"
then
test -s "${__object:?}/parameter/smarthost" || {
echo '--nullclient requires a --smarthost to be defined' >&2
exit 1
}
echo 'NULLCLIENT'
fi
)
# Sort conf_should to compare against "conf_is"
conf_should=$(echo "${conf_should}" | sort -s -k 1,1)
config_updated=false
if ! echo "${conf_should}" | cmp -s "${__object:?}/explorer/conf" -
then
# config needs to be updated
dma_conf="${CONF_PATH:?}/dma.conf"
# The following AWK script will output the new config file to be stored on
# disk. To do so it reads the current dma.conf file and the config options
# that should be set (from stdin).
# Note that the path to the current dma.conf is passed to AWK twice, because
# the new file cannot be generated in one pass.
# The logic tries to place options at a sensible location, that is:
# a) if the option is already used in the config file:
# group all similar options (e.g. MASQUERADE) at one place in the order
# they are listed in stdin.
# b) if it is a new option and a "default comment" (e.g. "#PORT 25") exists:
# place options grouped directly after the comment (the comment is left
# alone)
# c) otherwise:
# options are grouped by word (the first word in the line) and appended
# at the end of the file.
cat <<-CODE
awk $(drop_awk_comments "${__type:?}/files/update_dma_conf.awk") $(quote "${dma_conf}") <<'EOF' >$(quote "${dma_conf}.tmp") \
&& cat $(quote "${dma_conf}.tmp") >$(quote "${dma_conf}")
${conf_should}
EOF
rm $(quote "${dma_conf}.tmp")
CODE
config_updated=true
echo 'config updated' >>"${__messages_out:?}"
fi
# Send a test email if enabled and necessary (=configuration changed)
if test -f "${__object:?}/parameter/send-test-mail"
then
if grep -q '^__mail_alias/root:' "${__messages_in:?}" \
|| grep -q '^__dma_auth/' "${__messages_in:?}" \
|| ${config_updated}
then
cat <<-CODE
sendmail root <<'EOF'
Subject: [cdist] Test mail from '${__target_fqdn:?}'
Hi,
you can ignore this message.
Its sole purpose is to notify you that root mail on ${__target_fqdn:?}
will be redirected to you.
Enjoy!
EOF
CODE
fi
fi

112
type/__dma/man.rst
View file

@ -1,112 +0,0 @@
cdist-type__dma(7)
============================
NAME
----
cdist-type__dma - Setup the DragonFly Mail Agent as the MTA.
DESCRIPTION
-----------
This (singleton) type uses DMA, a small Mail Transport Agent (MTA), to accept
mails from locally installed Mail User Agents (MUA) and either deliver the mails
to a remote smart host for delivery or communicate with remote SMTP servers
directly.
REQUIRED PARAMETERS
-------------------
None.
BOOLEAN PARAMETERS
------------------
defer
If enabled, mail will not be sent immediately, but stored in a queue.
To flush the queue and send the mails, ```dma -q`` has to be run
periodically (e.g. using a cron job.)
This type does not manage such a cron job, but some operating systems ship
such a cron job with the package.
fullbounce
Enable if bounce messages should include the complete original message,
not just the headers.
nullclient
Enable to bypass aliases and local delivery, and instead forward all mails
to the defined ``--smarthost``.
send-test-mail
If set, this type will send a test email to root after setup, to check if
the configured settings work.
OPTIONAL PARAMETERS
-------------------
mailname
If present, this will be the hostname used to identify this host and the
remote part of the sender addresses.
If not defined, it defaults to ``/etc/mailname`` on Debian derivatives and
to ``__target_fqdn`` otherwise.
See `dma(8)` for more information.
Note: on Debian derivatives the ``/etc/mailname`` file should be updated
instead of using this parameter.
masquerade
Masquerade the envelope-from addresses with this address/hostname.
Use this setting if mails are not accepted by destination mail servers
because your sender domain is invalid.
This option can be used multiple times.
For more information see the `dma(8)` man page.
port
The port on which to deliver email.
If not provided, a sensible default port will be used based on the
``--security`` argument.
security
Configures whether and how DMA should use secure connections.
ssl/tls
Enable TLS/SSL secured transfer.
starttls
Use STARTTLS to establish a secure connection.
opportunistic (default)
Will try to establish a secure connection using STARTTLS, but allow
unencrypted transfer if STARTTLS fails.
Most useful when dma is used without a smarthost, delivering remote
messages directly to the outside mail exchangers.
insecure
allow plain text SMTP login over an insecure connection.
Should really *not* be used anymore!
smarthost
The mail server used to send email.
It must be configured to act as a relay for the host being configured by
this type so that mail can be sent to users non-local to the smarthost.
EXAMPLES
--------
.. code-block:: sh
# Install DMA and use the smarthost mx1.domain.tld to send mail.
__dma --smarthost mx1.domain.tld --send-test-mail
# Install DMA in a default configuration.
__dma
SEE ALSO
--------
- `DragonFly Mail Agent <https://github.com/corecode/dma>`_
- `DragonFly Handbook MTA <https://www.dragonflybsd.org/handbook/mta/>`_
AUTHORS
-------
Evilham <contact@evilham.com>
Dennis Camera <dennis.camera@ssrq-sds-fds.ch>
COPYING
-------
Copyright \(C) 2020 Evilham and Dennis Camera. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

66
type/__dma/manifest
View file

@ -1,66 +0,0 @@
#!/bin/sh -e
#
# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
os=$(cat "${__global:?}/explorer/os")
# Install DMA
case ${os}
in
(alpine)
__package dma --state present
export require='__package/dma'
;;
(debian|devuan|ubuntu)
__package dma --state present
export require='__package/dma'
;;
(freebsd)
# Stop sendmail if necessary
__process 'sendmail' --name 'sendmail.*' --state absent \
--stop '/etc/rc.d/sendmail onestop'
# ... and disable it
__key_value 'rcconf-sendmail-enable' --file '/etc/rc.conf' \
--key 'sendmail_enable' --delimiter '=' --value '"NONE"' \
--exact_delimiter
# Setup mailwrapper accordingly
__file '/etc/mail/mailer.conf' --mode 0644 --source - <<-'EOF'
#
# Execute the "real" sendmail program, named /usr/libexec/sendmail/sendmail
#
sendmail /usr/libexec/dma
send-mail /usr/libexec/dma
mailq /usr/libexec/dma
newaliases /usr/libexec/dma
rmail /usr/libexec/dma
EOF
;;
(*)
cat <<EOF >&2
Your OS (${os}) is not supported yet.
Maybe adding support is as simple as adapting the packages or allowing it,
we highly encourage you to open a PR with the necessary changes.
See: https://code.ungleich.ch/ungleich-public/cdist-contrib/
EOF
exit 1
;;
esac

4
type/__dma/parameter/boolean
View file

@ -1,4 +0,0 @@
defer
fullbounce
nullclient
send-test-mail

1
type/__dma/parameter/default/security
View file

@ -1 +0,0 @@
opportunistic

4
type/__dma/parameter/optional
View file

@ -1,4 +0,0 @@
mailname
port
security
smarthost

1
type/__dma/parameter/optional_multiple
View file

@ -1 +0,0 @@
masquerade

1
type/__dma_auth/explorer/auth_conf
View file

@ -1 +0,0 @@
../../__dma/explorer/auth_conf

91
type/__dma_auth/explorer/state
View file

@ -1,91 +0,0 @@
#!/bin/sh -e
#
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# This explorer looks for a line matching the server parameter
# in dma's auth.conf and reports:
# present: a line matching login + host + password exists
# absent: no line matching login + host exists
# different_login: a line exists but with a different login user
# different_password: a line exists but with a different password
# multiple: multiple lines matching host exist (should not happen)
auth_conf=$("${__type_explorer:?}/auth_conf")
test -r "${auth_conf}" || exit 0
awk -F'\n' '
function getvalue(path) {
# Reads the first line of the file located at path and returns it.
getline < path
close(path)
return $0
}
BEGIN {
DP = "[: \t]" # copied from dma/conf.c
parameter_dir = ENVIRON["__object"] "/parameter/"
# Read the parameters of this object
host_param = ENVIRON["__object_id"]
login_param = getvalue(parameter_dir "login")
passwd_param = getvalue(parameter_dir "password")
state = "absent"
}
/^#/ || /^$/ {
# skip comments and empty lines
next
}
{
# parse line
login = substr($0, 1, index($0, "|") - 1)
if (!login) { login = $0 } # if no "|" found
host = substr($0, length(login) + 2)
if (match(host, DP)) {
passwd = substr(host, RSTART + 1)
host = substr(host, 1, RSTART - 1)
} else {
passwd = ""
}
}
host == host_param {
# a match…
if (state == "absent") {
if (login != login_param)
state = "different_login"
else if (passwd != passwd_param)
state = "different_password"
else
state = "present"
} else {
# report "multiple" to that the type can remove the duplicates.
state = "multiple"
}
}
END {
print state
}
' "${auth_conf}"

93
type/__dma_auth/files/update_dma_auth.awk
View file

@ -1,93 +0,0 @@
#!/usr/bin/awk -f
#
# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
function getvalue(path) {
# Reads the first line of the file located at path and returns it.
getline < path
close(path)
return $0
}
function print_should() {
printf "%s|%s:%s\n", login_param, host_param, passwd_param
}
BEGIN {
FS = "\n"
DP = "[: \t]" # copied from dma/conf.c
parameter_dir = ENVIRON["__object"] "/parameter/"
mode = (getvalue(parameter_dir "state") != "absent")
host_param = ENVIRON["__object_id"]
login_param = getvalue(parameter_dir "login")
passwd_param = getvalue(parameter_dir "password")
}
# skip comments and empty lines
/^#/ || /^$/ {
print
next
}
{
# parse line (like dma/conf.c would)
login = substr($0, 1, index($0, "|") - 1)
if (!login) { login = $0 } # if no "|" found
host = substr($0, length(login) + 2)
if (match(host, DP)) {
passwd = substr(host, RSTART + 1)
host = substr(host, 1, RSTART - 1)
} else {
passwd = ""
}
}
host == host_param {
if (mode) {
# state_should == present
if (!written) {
# replace first line if host matches (but only if no line has
# been written already -> no duplicates)
print_should()
written = 1
}
next
} else {
# state_should == absent
next
}
}
# leave other lines alone
{
print
}
END {
if (mode && !written) {
# append line if no match to replace was found
print_should()
}
}

72
type/__dma_auth/gencode-remote
View file

@ -1,72 +0,0 @@
#!/bin/sh -e
#
# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
quote() { printf "'%s'" "$(printf '%s' "$*" | sed -e "s/'/'\\\\''/g")"; }
drop_awk_comments() { quote "$(sed '/^[[:blank:]]*#.*$/d;/^$/d' "$@")"; }
state_is=$(cat "${__object:?}/explorer/state")
state_should=$(cat "${__object:?}/parameter/state")
server=${__object_id:?}
login=$(cat "${__object:?}/parameter/login")
auth_conf=$(cat "${__object:?}/explorer/auth_conf")
test -n "${auth_conf}" || {
echo 'Cannot determine path of dma auth.conf' >&2
exit 1
}
if test "${state_is}" = "${state_should}"
then
# state is as it should
exit 0
fi
case ${state_should}
in
(present)
test -n "${login}" || { echo '--login must be non-empty' >&2; exit 1; }
if test "${state_is}" = 'absent'
then
printf 'add authuser %s on %s\n' "${login}" "${server}" >>"${__messages_out:?}"
else
printf 'set authuser %s on %s\n' "${login}" "${server}" >>"${__messages_out:?}"
fi
;;
(absent)
printf 'delete authuser %s on %s\n' "${login}" "${server}" >>"${__messages_out:?}"
;;
(*)
printf 'Invalid --state: %s.\n' "${state_should}" >&2
printf 'Acceptable values are: present, absent.\n' >&2
exit 1
;;
esac
cat <<EOF
test -f $(quote "${auth_conf}") || touch $(quote "${auth_conf}")
awk $(drop_awk_comments "${__type:?}/files/update_dma_auth.awk") <$(quote "${auth_conf}") >$(quote "${auth_conf}.tmp") \
&& cat $(quote "${auth_conf}.tmp") >$(quote "${auth_conf}")
rm -f $(quote "${auth_conf}.tmp")
EOF

66
type/__dma_auth/man.rst
View file

@ -1,66 +0,0 @@
cdist-type__dma_auth(7)
=======================
NAME
----
cdist-type__dma_auth - Configure SMTP logins for the DragonFly Mail Agent MTA.
DESCRIPTION
-----------
This cdist type allows you to set up credentials to log in to remote SMTP
servers.
NB: dma currently (v0.13) does not differentiate between users on a host.
It will use whatever user it finds in the ``auth.conf`` first.
Thus, this type will use the ``__object_id`` as the host specifier.
REQUIRED PARAMETERS
-------------------
login
The user's LOGIN name on the SMTP server.
password
The user's password (in plain text.)
OPTIONAL PARAMETERS
-------------------
state
Either ``present`` or ``absent``. Defaults to ``present``.
BOOLEAN PARAMETERS
------------------
None.
EXAMPLES
--------
.. code-block:: sh
# Set the password for smarthost
__dma_auth smarthost.example.com --login joe --password hunter2
# Set credentials for user at an external provider
__dma_auth mail.provider.com --login paul@example.com --password letmein
# Delete credentials for example.com (for all users)
__dma_auth example.com --login '' --password '' --state absent
SEE ALSO
--------
:strong:`cdist-type__dma`\ (7), :strong:`dma`\ (8)
AUTHORS
-------
Dennis Camera <dennis.camera@ssrq-sds-fds.ch>
COPYING
-------
Copyright \(C) 2020 Dennis Camera. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

1
type/__dma_auth/parameter/default/state
View file

@ -1 +0,0 @@
present

1
type/__dma_auth/parameter/optional
View file

@ -1 +0,0 @@
state

2
type/__dma_auth/parameter/required
View file

@ -1,2 +0,0 @@
login
password

7
type/__jitsi_meet/explorer/prometheus-jitsi-meet-explorer-version
View file

@ -1,7 +0,0 @@
#!/bin/sh -e
EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version"
if [ -f "${EXPORTER_VERSION_FILE}" ]; then
cat "${EXPORTER_VERSION_FILE}"
fi

56
type/__jitsi_meet/files/debconf_settings.sh
View file

@ -1,56 +0,0 @@
#!/bin/sh -e
# This can be obtained with debconf-get-selections on a host with jitsi
# (and also analysing the deb-src)
if false; then
# We are currently not using these, just here as documentation
DEBCONF_SETTINGS="$(cat <<EOF
# Jicofo user password:
jicofo jicofo/jicofo-authpassword password STH
jitsi-meet-prosody jicofo/jicofo-authpassword password STH
# The secret used to connect to xmpp server as component
jitsi-meet-prosody jitsi-videobridge/jvbsecret password STH
jitsi-videobridge jitsi-videobridge/jvbsecret password STH
jitsi-videobridge2 jitsi-videobridge/jvbsecret password STH
# Jicofo Component secret:
jicofo jicofo/jicofosecret password STH
jitsi-meet-prosody jicofo/jicofosecret password STH
# Jicofo username:
jicofo jicofo/jicofo-authuser string focus
jitsi-meet-prosody jicofo/jicofo-authuser string focus
# The hostname of the current installation:
jitsi-meet-turnserver jitsi-meet-turnserver/jvb-hostname string ${JITSI_HOST}
# Full local server path to the SSL certificate file:
jitsi-meet-web-config jitsi-meet/cert-path-crt string
# Full local server path to the SSL key file:
jitsi-meet-web-config jitsi-meet/cert-path-key string
EOF
)"
fi
DEBCONF_SETTINGS="$(cat <<EOF
# The hostname of the current installation:
jitsi-meet-web-config jitsi-meet/jvb-hostname string ${JITSI_HOST}
# Hostname:
jicofo jitsi-videobridge/jvb-hostname string ${JITSI_HOST}
jitsi-meet-prosody jitsi-videobridge/jvb-hostname string ${JITSI_HOST}
jitsi-meet-turnserver jitsi-videobridge/jvb-hostname string ${TURN_SERVER}
jitsi-meet-web-config jitsi-videobridge/jvb-hostname string ${JITSI_HOST}
jitsi-videobridge jitsi-videobridge/jvb-hostname string ${JITSI_HOST}
jitsi-videobridge2 jitsi-videobridge/jvb-hostname string ${JITSI_HOST}
# The hostname of the current installation:
jitsi-meet-prosody jitsi-meet-prosody/jvb-hostname string ${JITSI_HOST}
# SSL certificate for the Jitsi Meet instance
# Choices: Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate), I want to use my own certificate
jitsi-meet-web-config jitsi-meet/cert-choice select Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)
EOF
)"
if [ -n "${TURN_SECRET}" ]; then
DEBCONF_SETTINGS="$(cat <<EOF
${DEBCONF_SETTINGS}
# The turn server secret
jitsi-meet-prosody jitsi-meet-prosody/turn-secret string ${TURN_SECRET}
EOF
)"
fi

10
type/__jitsi_meet/files/ufw
View file

@ -1,10 +0,0 @@
#!/bin/sh -e
# Setup firewall
__ufw
# Allow jitsi ports
require="__ufw" __ufw_rule http --rule 'allow 80/tcp'
require="__ufw" __ufw_rule https --rule 'allow 443/tcp'
require="__ufw" __ufw_rule jitsi_prom --rule 'allow 9888/tcp'
require="__ufw" __ufw_rule avfallback --rule 'allow 4443/tcp'
require="__ufw" __ufw_rule avdefault --rule 'allow 10000/udp'

5
type/__jitsi_meet/gencode-remote
View file

@ -1,5 +0,0 @@
#!/bin/sh -e
if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
echo "service nginx reload"
fi

84
type/__jitsi_meet/man.rst
View file

@ -1,84 +0,0 @@
cdist-type__jitsi_meet(7)
=================================
NAME
----
cdist-type__jitsi_meet - Setup the server-side of Jitsi-Meet.
DESCRIPTION
-----------
This (singleton) type installs and configures jitsi-meet automatically.
It does so by following loosely the official quick-install instructions and
eXO's notes for installing and managing Jitsi Meet instances.
This type also sets up nginx in a way that is compatible with
`__letsencrypt_cert` and assumes that it will only serve Jitsi instances.
You will also need the `__jitsi_meet_domain` type in order to finish setting up
the web frontend (including TLS certificates) and its settings.
You may want to use the `files/ufw` example manifest for a `__ufw`-based
firewall compatible with this type.
This file does not include rules for TCP port 9888, which exposes the
prometheus exporter if not disabled.
You should apply your own rules here.
This type only works on De{bi,vu}an systems.
NOTE: This type currently does not deal with setting up coturn.
For that, you might want to check `__coturn` in
https://code.ungleich.ch/ungleich-public/cdist-contrib
In that case, this type should run *after* `__coturn`.
OPTIONAL PARAMETERS
-------------------
turn-secret
The shared secret for the TURN server.
turn-server
The hostname of the TURN server.
This will assume that it is listening with TLS on port 443.
BOOLEAN PARAMETERS
------------------
disable-prometheus-exporter
This type enables a prometheus exporter for jitsi by default, if you would
rather not have that, pass this parameter.
The explorer is based on:
https://github.com/systemli/prometheus-jitsi-meet-exporter
EXAMPLES
--------
.. code-block:: sh
# Setup the firewall
. "${__global}/type/__jitsi_meet/files/ufw"
export require="__ufw"
# Setup Jitsi on this host
__jitsi_meet \
--turn-server "turn.exo.cat" \
--turn-secret "WeNeedGoodSecurity"
SEE ALSO
--------
- `__jitsi_meet_domain`
AUTHORS
-------
Evilham <contact@evilham.com>
COPYING
-------
Copyright \(C) 2020 Evilham.

197
type/__jitsi_meet/manifest
View file

@ -1,197 +0,0 @@
#!/bin/sh -e
os="$(cat "${__global}/explorer/os")"
init="$(cat "${__global}/explorer/init")"
case "${os}" in
devuan|debian)
;;
*)
echo "Your OS '${os}' is currently not supported." > /dev/stderr
exit 1
;;
esac
JITSI_HOST="${__target_host}"
TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
TURN_SECRET="$(cat "${__object}/parameter/turn-secret")"
if [ -z "${TURN_SERVER}" ]; then
TURN_SERVER="${JITSI_HOST}"
fi
PROMETHEUS_JITSI_EXPORTER_IS_VERSION="$(cat "${__object}/explorer/prometheus-jitsi-meet-explorer-version")"
# The rest is loosely based on Jitsi's documentation
# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart
# Setup repositories
## First the signing keys
__package gnupg2
require="__package/gnupg2" __apt_key_uri jitsi_meet \
--name 'Jitsi <dev@jitsi.org>' \
--uri https://download.jitsi.org/jitsi-key.gpg.key \
--state present
## Now the repositories (they are a tad weird, so distribution is 'stable/')
require="__apt_key_uri/jitsi_meet" __apt_source jitsi_meet \
--uri 'https://download.jitsi.org' \
--distribution 'stable/' \
--state present
## Ensure apt cache is up-to-date
require="__apt_source/jitsi_meet" __apt_update_index
export require="${require} __apt_source/jitsi_meet __apt_update_index"
# Pre-feed debconf settings, so Jitsi's installation has a good config
# shellcheck source=type/__jitsi_meet/files/debconf_settings.sh
. "${__type}/files/debconf_settings.sh" # This defines DEBCONF_SETTINGS
__debconf_set_selections jitsi_meet --file - <<EOF
${DEBCONF_SETTINGS}
EOF
export require="${require} __debconf_set_selections/jitsi_meet"
# Install and upgrade packages as needed
__package jitsi-meet
# Proceed only after installation/upgrade has finished
export require="__package/jitsi-meet"
# TODO: generalise and move out
# Prep nginx for acme settings
NGINX_ETC="/etc/nginx"
#
# Setup the acme-challenge snippet
#
__directory "${NGINX_ETC}/snippets" --state present
require="__directory${NGINX_ETC}/snippets" __file "${NGINX_ETC}/snippets/acme-challenge.conf" \
--mode 644 \
--source - << EOF
# This file is managed remotely, all changes will be lost
# This was heavily inspired by debops.org.
# Automatic Certificate Management Environment (ACME) support.
# https://tools.ietf.org/html/draft-ietf-acme-acme-01
# https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment
# Return the ACME challenge present in the server public root.
# If not found, switch to global web server root.
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
try_files \$uri @well-known-acme-challenge;
}
# Return the ACME challenge present in the global server public root.
# If not present, redirect request to a specified domain.
location @well-known-acme-challenge {
root /usr/share/jitsi-meet;
default_type "text/plain";
try_files \$uri @redirect-acme-challenge;
}
# Redirect the ACME challenge to a different host. If a redirect loop is
# detected, return 404.
location @redirect-acme-challenge {
if (\$arg_redirect) {
return 404;
}
return 307 \$scheme://${ACME_DOMAIN}\$request_uri?redirect=yes;
}
# Return 404 if ACME challenge well known path is accessed directly.
location = /.well-known/acme-challenge/ {
return 404;
}
EOF
__directory "${NGINX_ETC}/sites-available" --state present
require="__directory${NGINX_ETC}/sites-available" __file "${NGINX_ETC}/sites-available/default" \
--mode 644 \
--source - << EOF
# This file is managed remotely, all changes will be lost
# nginx server configuration for:
server {
# Listen on IPv4
listen 80;
# Note: there is an ipv6only=off flag, but it is Linux-only
# incidentally, that defaults to "on", which is what causes
# not having the double listen to listen on IPv6-only
listen [::]:80;
server_name welcome;
root /srv/www/sites/welcome/public;
include snippets/acme-challenge.conf;
location / {
return 301 https://\$host\$request_uri;
}
}
EOF
# These two should be changed on new release
PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.2"
PROMETHEUS_JITSI_EXPORTER_CHECKSUM="sha256:c64852b1cf63efd1632ec07ac9fcead09baccc1bd8c7b21ca830a0d82d00fb3d"
PROMETHEUS_JITSI_EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${PROMETHEUS_JITSI_EXPORTER_VERSION}/prometheus-jitsi-meet-exporter-linux-amd64"
PROMETHEUS_JITSI_EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version"
if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then
case "${init}" in
init|sysvinit)
__runit
require="__runit" __runit_service \
prometheus-jitsi-meet-exporter --log --source - <<EOF
#!/bin/sh -e
cd /tmp
exec chpst -u "nobody:nogroup" env HOME="/tmp" \\
prometheus-jitsi-meet-exporter \\
-videobridge-url 'http://localhost:8888/stats' \\
-web.listen-address ':9888' 2>&1
EOF
export require="__runit_service/prometheus-jitsi-meet-exporter"
JITSI_MEET_EXPORTER_SERVICE="sv %s prometheus-jitsi-meet-exporter"
;;
systemd)
__systemd_unit prometheus-jitsi-meet-exporter.service \
--source "-" \
--enablement-state "enabled" <<EOF
[Unit]
Description=Metrics Exporter for Jitsi Meet
After=network.target
[Service]
Type=simple
DynamicUser=yes
ExecStart=/usr/local/bin/prometheus-jitsi-meet-exporter -videobridge-url 'http://localhost:8888/stats' -web.listen-address ':9888'
Restart=always
[Install]
WantedBy=multi-user.target
EOF
export require="__systemd_unit/prometheus-jitsi-meet-exporter.service"
JITSI_MEET_EXPORTER_SERVICE="service prometheus-jitsi-meet-exporter %s"
;;
esac
if [ "${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}" != \
"${PROMETHEUS_JITSI_EXPORTER_IS_VERSION}" ]; then
# shellcheck disable=SC2059
__download \
/tmp/prometheus-jitsi-meet-exporter \
--url "${PROMETHEUS_JITSI_EXPORTER_URL}" \
--download remote \
--sum "${PROMETHEUS_JITSI_EXPORTER_CHECKSUM}" \
--onchange "$(printf "${JITSI_MEET_EXPORTER_SERVICE}" "stop") || true; chmod 555 /tmp/prometheus-jitsi-meet-exporter && mv /tmp/prometheus-jitsi-meet-exporter /usr/local/bin/prometheus-jitsi-meet-exporter && $(printf "${JITSI_MEET_EXPORTER_SERVICE}" "restart")"
printf "%s" "${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}" | \
require="${require} __download/tmp/prometheus-jitsi-meet-exporter" __file \
"${PROMETHEUS_JITSI_EXPORTER_VERSION_FILE}" \
--source "-"
fi
fi
# TODO: disable the exporter if it is deployed and then admin changes their mind

1
type/__jitsi_meet/parameter/boolean
View file

@ -1 +0,0 @@
disable-prometheus-exporter

2
type/__jitsi_meet/parameter/optional
View file

@ -1,2 +0,0 @@
turn-secret
turn-server

700
type/__jitsi_meet_domain/files/config.js.sh
View file

@ -1,700 +0,0 @@
#!/bin/sh -e
# shellcheck disable=SC2034 # This is intended to be included
JITSI_CONFIG_JS="$(cat <<EOF
/* eslint-disable no-unused-vars, no-var */
var config = {
// Connection
//
hosts: {
// XMPP domain.
domain: '${JITSI_HOST}',
// When using authentication, domain for guest users.
// anonymousdomain: 'guest.example.com',
// Domain for authenticated users. Defaults to <domain>.
// authdomain: '${JITSI_HOST}',
// Call control component (Jigasi).
// call_control: 'callcontrol.${JITSI_HOST}',
// Focus component domain. Defaults to focus.<domain>.
// focus: 'focus.${JITSI_HOST}',
// XMPP MUC domain. FIXME: use XEP-0030 to discover it.
muc: 'conference.<!--# echo var="subdomain" default="" -->${JITSI_HOST}'
},
// BOSH URL. FIXME: use XEP-0156 to discover it.
bosh: '//${JITSI_HOST}/http-bind',
// Websocket URL
// websocket: 'wss://${JITSI_HOST}/xmpp-websocket',
// The name of client node advertised in XEP-0115 'c' stanza
clientNode: 'http://jitsi.org/jitsimeet',
// The real JID of focus participant - can be overridden here
// Do not change username - FIXME: Make focus username configurable
// https://github.com/jitsi/jitsi-meet/issues/7376
// focusUserJid: 'focus@auth.${JITSI_HOST}',
// Testing / experimental features.
//
testing: {
// Disables the End to End Encryption feature. Useful for debugging
// issues related to insertable streams.
// disableE2EE: false,
// P2P test mode disables automatic switching to P2P when there are 2
// participants in the conference.
p2pTestMode: false
// Enables the test specific features consumed by jitsi-meet-torture
// testMode: false
// Disables the auto-play behavior of *all* newly created video element.
// This is useful when the client runs on a host with limited resources.
// noAutoPlayVideo: false
// Enable / disable 500 Kbps bitrate cap on desktop tracks. When enabled,
// simulcast is turned off for the desktop share. If presenter is turned
// on while screensharing is in progress, the max bitrate is automatically
// adjusted to 2.5 Mbps. This takes a value between 0 and 1 which determines
// the probability for this to be enabled.
// capScreenshareBitrate: 1 // 0 to disable
// Enable callstats only for a percentage of users.
// This takes a value between 0 and 100 which determines the probability for
// the callstats to be enabled.
// callStatsThreshold: 5 // enable callstats for 5% of the users.
},
// Disables ICE/UDP by filtering out local and remote UDP candidates in
// signalling.
// webrtcIceUdpDisable: false,
// Disables ICE/TCP by filtering out local and remote TCP candidates in
// signalling.
// webrtcIceTcpDisable: false,
// Media
//
// Audio
// Disable measuring of audio levels.
disableAudioLevels: $(if [ -n "${DISABLE_AUDIO_LEVELS}" ]; then printf "true"; else printf "false"; fi),
// audioLevelsInterval: 200,
// Enabling this will run the lib-jitsi-meet no audio detection module which
// will notify the user if the current selected microphone has no audio
// input and will suggest another valid device if one is present.
enableNoAudioDetection: true,
// Enabling this will run the lib-jitsi-meet noise detection module which will
// notify the user if there is noise, other than voice, coming from the current
// selected microphone. The purpose it to let the user know that the input could
// be potentially unpleasant for other meeting participants.
enableNoisyMicDetection: true,
// Start the conference in audio only mode (no video is being received nor
// sent).
// startAudioOnly: false,
// Every participant after the Nth will start audio muted.
// startAudioMuted: 10,
// Start calls with audio muted. Unlike the option above, this one is only
// applied locally. FIXME: having these 2 options is confusing.
// startWithAudioMuted: false,
// Enabling it (with #params) will disable local audio output of remote
// participants and to enable it back a reload is needed.
// startSilent: false
// Sets the preferred target bitrate for the Opus audio codec by setting its
// 'maxaveragebitrate' parameter. Currently not available in p2p mode.
// Valid values are in the range 6000 to 510000
// opusMaxAverageBitrate: 20000,
// Enables redundancy for Opus
// enableOpusRed: false
// Video
// Sets the preferred resolution (height) for local video. Defaults to 720.
// resolution: 720,
// How many participants while in the tile view mode, before the receiving video quality is reduced from HD to SD.
// Use -1 to disable.
// maxFullResolutionParticipants: 2,
// w3c spec-compliant video constraints to use for video capture. Currently
// used by browsers that return true from lib-jitsi-meet's
// util#browser#usesNewGumFlow. The constraints are independent from
// this config's resolution value. Defaults to requesting an ideal
// resolution of 720p.
// constraints: {
// video: {
// height: {
// ideal: 720,
// max: 720,
// min: 240
// }
// }
// },
$(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// Enable / disable simulcast support.
// disableSimulcast: false,
// Enable / disable layer suspension. If enabled, endpoints whose HD
// layers are not in use will be suspended (no longer sent) until they
// are requested again.
// enableLayerSuspension: false,
// Every participant after the Nth will start video muted.
startVideoMuted: ${START_VIDEO_MUTED},
// Start calls with video muted. Unlike the option above, this one is only
// applied locally. FIXME: having these 2 options is confusing.
// startWithVideoMuted: false,
// If set to true, prefer to use the H.264 video codec (if supported).
// Note that it's not recommended to do this because simulcast is not
// supported when using H.264. For 1-to-1 calls this setting is enabled by
// default and can be toggled in the p2p section.
// This option has been deprecated, use preferredCodec under videoQuality section instead.
// preferH264: true,
// If set to true, disable H.264 video codec by stripping it out of the
// SDP.
// disableH264: false,
// Desktop sharing
// Optional desktop sharing frame rate options. Default value: min:5, max:5.
// desktopSharingFrameRate: {
// min: 5,
// max: 5
// },
// Try to start calls with screen-sharing instead of camera video.
// startScreenSharing: false,
// Recording
// Whether to enable file recording or not.
// fileRecordingsEnabled: false,
// Enable the dropbox integration.
// dropbox: {
// appKey: '<APP_KEY>' // Specify your app key here.
// // A URL to redirect the user to, after authenticating
// // by default uses:
// // 'https://${JITSI_HOST}/static/oauth.html'
// redirectURI:
// 'https://${JITSI_HOST}/subfolder/static/oauth.html'
// },
// When integrations like dropbox are enabled only that will be shown,
// by enabling fileRecordingsServiceEnabled, we show both the integrations
// and the generic recording service (its configuration and storage type
// depends on jibri configuration)
// fileRecordingsServiceEnabled: false,
// Whether to show the possibility to share file recording with other people
// (e.g. meeting participants), based on the actual implementation
// on the backend.
// fileRecordingsServiceSharingEnabled: false,
// Whether to enable live streaming or not.
// liveStreamingEnabled: false,
// Transcription (in interface_config,
// subtitles and buttons can be configured)
// transcribingEnabled: false,
// Enables automatic turning on captions when recording is started
// autoCaptionOnRecord: false,
// Misc
// Default value for the channel "last N" attribute. -1 for unlimited.
channelLastN: ${CHANNEL_LAST_N},
// Provides a way to use different "last N" values based on the number of participants in the conference.
// The keys in an Object represent number of participants and the values are "last N" to be used when number of
// participants gets to or above the number.
//
// For the given example mapping, "last N" will be set to 20 as long as there are at least 5, but less than
// 29 participants in the call and it will be lowered to 15 when the 30th participant joins. The 'channelLastN'
// will be used as default until the first threshold is reached.
//
// lastNLimits: {
// 5: 20,
// 30: 15,
// 50: 10,
// 70: 5,
// 90: 2
// },
// Specify the settings for video quality optimizations on the client.
// videoQuality: {
// // Provides a way to prevent a video codec from being negotiated on the JVB connection. The codec specified
// // here will be removed from the list of codecs present in the SDP answer generated by the client. If the
// // same codec is specified for both the disabled and preferred option, the disable settings will prevail.
// // Note that 'VP8' cannot be disabled since it's a mandatory codec, the setting will be ignored in this case.
// disabledCodec: 'H264',
//
// // Provides a way to set a preferred video codec for the JVB connection. If 'H264' is specified here,
// // simulcast will be automatically disabled since JVB doesn't support H264 simulcast yet. This will only
// // rearrange the the preference order of the codecs in the SDP answer generated by the browser only if the
// // preferred codec specified here is present. Please ensure that the JVB offers the specified codec for this
// // to take effect.
// preferredCodec: 'VP8',
//
// // Provides a way to configure the maximum bitrates that will be enforced on the simulcast streams for
// // video tracks. The keys in the object represent the type of the stream (LD, SD or HD) and the values
// // are the max.bitrates to be set on that particular type of stream. The actual send may vary based on
// // the available bandwidth calculated by the browser, but it will be capped by the values specified here.
// // This is currently not implemented on app based clients on mobile.
// maxBitratesVideo: {
// low: 200000,
// standard: 500000,
// high: 1500000
// },
//
// // The options can be used to override default thresholds of video thumbnail heights corresponding to
// // the video quality levels used in the application. At the time of this writing the allowed levels are:
// // 'low' - for the low quality level (180p at the time of this writing)
// // 'standard' - for the medium quality level (360p)
// // 'high' - for the high quality level (720p)
// // The keys should be positive numbers which represent the minimal thumbnail height for the quality level.
// //
// // With the default config value below the application will use 'low' quality until the thumbnails are
// // at least 360 pixels tall. If the thumbnail height reaches 720 pixels then the application will switch to
// // the high quality.
// minHeightForQualityLvl: {
// 360: 'standard,
// 720: 'high'
// }
// },
// // Options for the recording limit notification.
// recordingLimit: {
//
// // The recording limit in minutes. Note: This number appears in the notification text
// // but doesn't enforce the actual recording time limit. This should be configured in
// // jibri!
// limit: 60,
//
// // The name of the app with unlimited recordings.
// appName: 'Unlimited recordings APP',
//
// // The URL of the app with unlimited recordings.
// appURL: 'https://unlimited.recordings.app.com/'
// },
// Disables or enables RTX (RFC 4588) (defaults to false).
// disableRtx: false,
// Disables or enables TCC (the default is in Jicofo and set to true)
// (draft-holmer-rmcat-transport-wide-cc-extensions-01). This setting
// affects congestion control, it practically enables send-side bandwidth
// estimations.
// enableTcc: true,
// Disables or enables REMB (the default is in Jicofo and set to false)
// (draft-alvestrand-rmcat-remb-03). This setting affects congestion
// control, it practically enables recv-side bandwidth estimations. When
// both TCC and REMB are enabled, TCC takes precedence. When both are
// disabled, then bandwidth estimations are disabled.
// enableRemb: false,
// Enables ICE restart logic in LJM and displays the page reload overlay on
// ICE failure. Current disabled by default because it's causing issues with
// signaling when Octo is enabled. Also when we do an "ICE restart"(which is
// not a real ICE restart), the client maintains the TCC sequence number
// counter, but the bridge resets it. The bridge sends media packets with
// TCC sequence numbers starting from 0.
// enableIceRestart: false,
// Defines the minimum number of participants to start a call (the default
// is set in Jicofo and set to 2).
// minParticipants: 2,
// Use TURN/UDP servers for the jitsi-videobridge connection (by default
// we filter out TURN/UDP because it is usually not needed since the
// bridge itself is reachable via UDP)
// useTurnUdp: false
// Enables / disables a data communication channel with the Videobridge.
// Values can be 'datachannel', 'websocket', true (treat it as
// 'datachannel'), undefined (treat it as 'datachannel') and false (don't
// open any channel).
// openBridgeChannel: true,
openBridgeChannel: 'websocket',
// UI
//
// Hides lobby button
// hideLobbyButton: false,
// Require users to always specify a display name.
// requireDisplayName: true,
// Whether to use a welcome page or not. In case it's false a random room
// will be joined when no room is specified.
enableWelcomePage: true,
// Enabling the close page will ignore the welcome page redirection when
// a call is hangup.
// enableClosePage: false,
// Disable hiding of remote thumbnails when in a 1-on-1 conference call.
// disable1On1Mode: false,
// Default language for the user interface.
defaultLanguage: '${DEFAULT_LANGUAGE}',
// If true all users without a token will be considered guests and all users
// with token will be considered non-guests. Only guests will be allowed to
// edit their profile.
enableUserRolesBasedOnToken: false,
// Whether or not some features are checked based on token.
// enableFeaturesBasedOnToken: false,
// Enable lock room for all moderators, even when userRolesBasedOnToken is enabled and participants are guests.
// lockRoomGuestEnabled: false,
// When enabled the password used for locking a room is restricted to up to the number of digits specified
// roomPasswordNumberOfDigits: 10,
// default: roomPasswordNumberOfDigits: false,
// Message to show the users. Example: 'The service will be down for
// maintenance at 01:00 AM GMT,
noticeMessage: '${NOTICE_MESSAGE}',
// Enables calendar integration, depends on googleApiApplicationClientID
// and microsoftApiApplicationClientID
// enableCalendarIntegration: false,
// When 'true', it shows an intermediate page before joining, where the user can configure their devices.
// prejoinPageEnabled: false,
// If true, shows the unsafe room name warning label when a room name is
// deemed unsafe (due to the simplicity in the name) and a password is not
// set or the lobby is not enabled.
// enableInsecureRoomNameWarning: false,
// Whether to automatically copy invitation URL after creating a room.
// Document should be focused for this option to work
// enableAutomaticUrlCopy: false,
// Stats
//
// Whether to enable stats collection or not in the TraceablePeerConnection.
// This can be useful for debugging purposes (post-processing/analysis of
// the webrtc stats) as it is done in the jitsi-meet-torture bandwidth
// estimation tests.
// gatherStats: false,
// The interval at which PeerConnection.getStats() is called. Defaults to 10000
// pcStatsInterval: 10000,
// To enable sending statistics to callstats.io you must provide the
// Application ID and Secret.
// callStatsID: '',
// callStatsSecret: '',
// Enables sending participants' display names to callstats
// enableDisplayNameInStats: false,
// Enables sending participants' emails (if available) to callstats and other analytics
// enableEmailInStats: false,
// Privacy
//
// If third party requests are disabled, no other server will be contacted.
// This means avatars will be locally generated and callstats integration
// will not function.
disableThirdPartyRequests: $(if [ -z "${ENABLE_THIRD_PARTY_REQUESTS}" ]; then printf "true"; else printf "false"; fi),
// Peer-To-Peer mode: used (if enabled) when there are just 2 participants.
//
p2p: {
// Enables peer to peer mode. When enabled the system will try to
// establish a direct connection when there are exactly 2 participants
// in the room. If that succeeds the conference will stop sending data
// through the JVB and use the peer to peer connection instead. When a
// 3rd participant joins the conference will be moved back to the JVB
// connection.
enabled: true,
// The STUN servers that will be used in the peer to peer connections
stunServers: [
{ urls: 'stun:${TURN_SERVER}:443' }
]
// Sets the ICE transport policy for the p2p connection. At the time
// of this writing the list of possible values are 'all' and 'relay',
// but that is subject to change in the future. The enum is defined in
// the WebRTC standard:
// https://www.w3.org/TR/webrtc/#rtcicetransportpolicy-enum.
// If not set, the effective value is 'all'.
// iceTransportPolicy: 'all',
// If set to true, it will prefer to use H.264 for P2P calls (if H.264
// is supported). This setting is deprecated, use preferredCodec instead.
// preferH264: true
// Provides a way to set the video codec preference on the p2p connection. Acceptable
// codec values are 'VP8', 'VP9' and 'H264'.
// preferredCodec: 'H264',
// If set to true, disable H.264 video codec by stripping it out of the
// SDP. This setting is deprecated, use disabledCodec instead.
// disableH264: false,
// Provides a way to prevent a video codec from being negotiated on the p2p connection.
// disabledCodec: '',
// How long we're going to wait, before going back to P2P after the 3rd
// participant has left the conference (to filter out page reload).
// backToP2PDelay: 5
},
analytics: {
// The Google Analytics Tracking ID:
// googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1'
// Matomo configuration:
// matomoEndpoint: 'https://your-matomo-endpoint/',
// matomoSiteID: '42',
// The Amplitude APP Key:
// amplitudeAPPKey: '<APP_KEY>'
// Configuration for the rtcstats server:
// By enabling rtcstats server every time a conference is joined the rtcstats
// module connects to the provided rtcstatsEndpoint and sends statistics regarding
// PeerConnection states along with getStats metrics polled at the specified
// interval.
// rtcstatsEnabled: true,
// In order to enable rtcstats one needs to provide a endpoint url.
// rtcstatsEndpoint: wss://rtcstats-server-pilot.jitsi.net/,
// The interval at which rtcstats will poll getStats, defaults to 1000ms.
// If the value is set to 0 getStats won't be polled and the rtcstats client
// will only send data related to RTCPeerConnection events.
// rtcstatsPolIInterval: 1000
// Array of script URLs to load as lib-jitsi-meet "analytics handlers".
// scriptURLs: [
// "libs/analytics-ga.min.js", // google-analytics
// "https://example.com/my-custom-analytics.js"
// ],
},
// Logs that should go be passed through the 'log' event if a handler is defined for it
// apiLogLevels: ['warn', 'log', 'error', 'info', 'debug'],
// Information about the jitsi-meet instance we are connecting to, including
// the user region as seen by the server.
deploymentInfo: {
// shard: "shard1",
// region: "europe",
// userRegion: "asia"
},
// Decides whether the start/stop recording audio notifications should play on record.
// disableRecordAudioNotification: false,
// Information for the chrome extension banner
// chromeExtensionBanner: {
// // The chrome extension to be installed address
// url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb',
// // Extensions info which allows checking if they are installed or not
// chromeExtensionsInfo: [
// {
// id: 'kglhbbefdnlheedjiejgomgmfplipfeb',
// path: 'jitsi-logo-48x48.png'
// }
// ]
// },
// Local Recording
//
// localRecording: {
// Enables local recording.
// Additionally, 'localrecording' (all lowercase) needs to be added to
// TOOLBAR_BUTTONS in interface_config.js for the Local Recording
// button to show up on the toolbar.
//
// enabled: true,
//
// The recording format, can be one of 'ogg', 'flac' or 'wav'.
// format: 'flac'
//
// },
// Options related to end-to-end (participant to participant) ping.
// e2eping: {
// // The interval in milliseconds at which pings will be sent.
// // Defaults to 10000, set to <= 0 to disable.
// pingInterval: 10000,
//
// // The interval in milliseconds at which analytics events
// // with the measured RTT will be sent. Defaults to 60000, set
// // to <= 0 to disable.
// analyticsInterval: 60000,
// },
// If set, will attempt to use the provided video input device label when
// triggering a screenshare, instead of proceeding through the normal flow
// for obtaining a desktop stream.
// NOTE: This option is experimental and is currently intended for internal
// use only.
// _desktopSharingSourceDevice: 'sample-id-or-label',
// If true, any checks to handoff to another application will be prevented
// and instead the app will continue to display in the current browser.
// disableDeepLinking: false,
// A property to disable the right click context menu for localVideo
// the menu has option to flip the locally seen video for local presentations
// disableLocalVideoFlip: false,
// Mainly privacy related settings
// Disables all invite functions from the app (share, invite, dial out...etc)
// disableInviteFunctions: true,
// Disables storing the room name to the recents list
// doNotStoreRoom: true,
// Deployment specific URLs.
// deploymentUrls: {
// // If specified a 'Help' button will be displayed in the overflow menu with a link to the specified URL for
// // user documentation.
// userDocumentationURL: 'https://docs.example.com/video-meetings.html',
// // If specified a 'Download our apps' button will be displayed in the overflow menu with a link
// // to the specified URL for an app download page.
// downloadAppsUrl: 'https://docs.example.com/our-apps.html'
// },
// Options related to the remote participant menu.
// remoteVideoMenu: {
// // If set to true the 'Kick out' button will be disabled.
// disableKick: true
// },
// If set to true all muting operations of remote participants will be disabled.
// disableRemoteMute: true,
/**
External API url used to receive branding specific information.
If there is no url set or there are missing fields, the defaults are applied.
None of the fields are mandatory and the response must have the shape:
{
// The hex value for the colour used as background
backgroundColor: '#fff',
// The url for the image used as background
backgroundImageUrl: 'https://example.com/background-img.png',
// The anchor url used when clicking the logo image
logoClickUrl: 'https://example-company.org',
// The url used for the image used as logo
logoImageUrl: 'https://example.com/logo-img.png'
}
*/
brandingDataUrl: "$(if [ -n "${BRANDING_JSON}" ]; then printf "/branding.json"; fi)",
// The URL of the moderated rooms microservice, if available. If it
// is present, a link to the service will be rendered on the welcome page,
// otherwise the app doesn't render it.
// moderatedRoomServiceUrl: 'https://moderated.${JITSI_HOST}',
// List of undocumented settings used in jitsi-meet
/**
_immediateReloadThreshold
debug
debugAudioLevels
deploymentInfo
dialInConfCodeUrl
dialInNumbersUrl
dialOutAuthUrl
dialOutCodesUrl
disableRemoteControl
displayJids
etherpad_base
externalConnectUrl
firefox_fake_device
googleApiApplicationClientID
iAmRecorder
iAmSipGateway
microsoftApiApplicationClientID
peopleSearchQueryTypes
peopleSearchUrl
requireDisplayName
tokenAuthUrl
*/
/**
* This property can be used to alter the generated meeting invite links (in combination with a branding domain
* which is retrieved internally by jitsi meet) (e.g. https://meet.jit.si/someMeeting
* can become https://brandedDomain/roomAlias)
*/
// brandingRoomAlias: null,
// List of undocumented settings used in lib-jitsi-meet
/**
_peerConnStatusOutOfLastNTimeout
_peerConnStatusRtcMuteTimeout
abTesting
avgRtpStatsN
callStatsConfIDNamespace
callStatsCustomScriptUrl
desktopSharingSources
disableAEC
disableAGC
disableAP
disableHPF
disableNS
enableLipSync
enableTalkWhileMuted
forceJVB121Ratio
hiddenDomain
ignoreStartMuted
nick
startBitrate
*/
// Allow all above example options to include a trailing comma and
// prevent fear when commenting out the last value.
makeJsonParserHappy: 'even if last key had a trailing comma'
// no configuration value should follow this line.
};
/* eslint-enable no-unused-vars, no-var */
EOF
)"

694
type/__jitsi_meet_domain/files/config.js.sh.orig
View file

@ -1,694 +0,0 @@
/* eslint-disable no-unused-vars, no-var */
var config = {
// Connection
//
hosts: {
// XMPP domain.
domain: 'jitsi-meet.example.org',
// When using authentication, domain for guest users.
// anonymousdomain: 'guest.example.com',
// Domain for authenticated users. Defaults to <domain>.
// authdomain: 'jitsi-meet.example.org',
// Call control component (Jigasi).
// call_control: 'callcontrol.jitsi-meet.example.org',
// Focus component domain. Defaults to focus.<domain>.
// focus: 'focus.jitsi-meet.example.org',
// XMPP MUC domain. FIXME: use XEP-0030 to discover it.
muc: 'conference.<!--# echo var="subdomain" default="" -->jitsi-meet.example.org'
},
// BOSH URL. FIXME: use XEP-0156 to discover it.
bosh: '//jitsi-meet.example.org/http-bind',
// Websocket URL
// websocket: 'wss://jitsi-meet.example.org/xmpp-websocket',
// The name of client node advertised in XEP-0115 'c' stanza
clientNode: 'http://jitsi.org/jitsimeet',
// The real JID of focus participant - can be overridden here
// Do not change username - FIXME: Make focus username configurable
// https://github.com/jitsi/jitsi-meet/issues/7376
// focusUserJid: 'focus@auth.jitsi-meet.example.org',
// Testing / experimental features.
//
testing: {
// Disables the End to End Encryption feature. Useful for debugging
// issues related to insertable streams.
// disableE2EE: false,
// P2P test mode disables automatic switching to P2P when there are 2
// participants in the conference.
p2pTestMode: false
// Enables the test specific features consumed by jitsi-meet-torture
// testMode: false
// Disables the auto-play behavior of *all* newly created video element.
// This is useful when the client runs on a host with limited resources.
// noAutoPlayVideo: false
// Enable / disable 500 Kbps bitrate cap on desktop tracks. When enabled,
// simulcast is turned off for the desktop share. If presenter is turned
// on while screensharing is in progress, the max bitrate is automatically
// adjusted to 2.5 Mbps. This takes a value between 0 and 1 which determines
// the probability for this to be enabled.
// capScreenshareBitrate: 1 // 0 to disable
// Enable callstats only for a percentage of users.
// This takes a value between 0 and 100 which determines the probability for
// the callstats to be enabled.
// callStatsThreshold: 5 // enable callstats for 5% of the users.
},
// Disables ICE/UDP by filtering out local and remote UDP candidates in
// signalling.
// webrtcIceUdpDisable: false,
// Disables ICE/TCP by filtering out local and remote TCP candidates in
// signalling.
// webrtcIceTcpDisable: false,
// Media
//
// Audio
// Disable measuring of audio levels.
// disableAudioLevels: false,
// audioLevelsInterval: 200,
// Enabling this will run the lib-jitsi-meet no audio detection module which
// will notify the user if the current selected microphone has no audio
// input and will suggest another valid device if one is present.
enableNoAudioDetection: true,
// Enabling this will run the lib-jitsi-meet noise detection module which will
// notify the user if there is noise, other than voice, coming from the current
// selected microphone. The purpose it to let the user know that the input could
// be potentially unpleasant for other meeting participants.
enableNoisyMicDetection: true,
// Start the conference in audio only mode (no video is being received nor
// sent).
// startAudioOnly: false,
// Every participant after the Nth will start audio muted.
// startAudioMuted: 10,
// Start calls with audio muted. Unlike the option above, this one is only
// applied locally. FIXME: having these 2 options is confusing.
// startWithAudioMuted: false,
// Enabling it (with #params) will disable local audio output of remote
// participants and to enable it back a reload is needed.
// startSilent: false
// Sets the preferred target bitrate for the Opus audio codec by setting its
// 'maxaveragebitrate' parameter. Currently not available in p2p mode.
// Valid values are in the range 6000 to 510000
// opusMaxAverageBitrate: 20000,
// Enables redundancy for Opus
// enableOpusRed: false
// Video
// Sets the preferred resolution (height) for local video. Defaults to 720.
// resolution: 720,
// How many participants while in the tile view mode, before the receiving video quality is reduced from HD to SD.
// Use -1 to disable.
// maxFullResolutionParticipants: 2,
// w3c spec-compliant video constraints to use for video capture. Currently
// used by browsers that return true from lib-jitsi-meet's
// util#browser#usesNewGumFlow. The constraints are independent from
// this config's resolution value. Defaults to requesting an ideal
// resolution of 720p.
// constraints: {
// video: {
// height: {
// ideal: 720,
// max: 720,
// min: 240
// }
// }
// },
// Enable / disable simulcast support.
// disableSimulcast: false,
// Enable / disable layer suspension. If enabled, endpoints whose HD
// layers are not in use will be suspended (no longer sent) until they
// are requested again.
// enableLayerSuspension: false,
// Every participant after the Nth will start video muted.
// startVideoMuted: 10,
// Start calls with video muted. Unlike the option above, this one is only
// applied locally. FIXME: having these 2 options is confusing.
// startWithVideoMuted: false,
// If set to true, prefer to use the H.264 video codec (if supported).
// Note that it's not recommended to do this because simulcast is not
// supported when using H.264. For 1-to-1 calls this setting is enabled by
// default and can be toggled in the p2p section.
// This option has been deprecated, use preferredCodec under videoQuality section instead.
// preferH264: true,
// If set to true, disable H.264 video codec by stripping it out of the
// SDP.
// disableH264: false,
// Desktop sharing
// Optional desktop sharing frame rate options. Default value: min:5, max:5.
// desktopSharingFrameRate: {
// min: 5,
// max: 5
// },
// Try to start calls with screen-sharing instead of camera video.
// startScreenSharing: false,
// Recording
// Whether to enable file recording or not.
// fileRecordingsEnabled: false,
// Enable the dropbox integration.
// dropbox: {
// appKey: '<APP_KEY>' // Specify your app key here.
// // A URL to redirect the user to, after authenticating
// // by default uses:
// // 'https://jitsi-meet.example.org/static/oauth.html'
// redirectURI:
// 'https://jitsi-meet.example.org/subfolder/static/oauth.html'
// },
// When integrations like dropbox are enabled only that will be shown,
// by enabling fileRecordingsServiceEnabled, we show both the integrations
// and the generic recording service (its configuration and storage type
// depends on jibri configuration)
// fileRecordingsServiceEnabled: false,
// Whether to show the possibility to share file recording with other people
// (e.g. meeting participants), based on the actual implementation
// on the backend.
// fileRecordingsServiceSharingEnabled: false,
// Whether to enable live streaming or not.
// liveStreamingEnabled: false,
// Transcription (in interface_config,
// subtitles and buttons can be configured)
// transcribingEnabled: false,
// Enables automatic turning on captions when recording is started
// autoCaptionOnRecord: false,
// Misc
// Default value for the channel "last N" attribute. -1 for unlimited.
channelLastN: -1,
// Provides a way to use different "last N" values based on the number of participants in the conference.
// The keys in an Object represent number of participants and the values are "last N" to be used when number of
// participants gets to or above the number.
//
// For the given example mapping, "last N" will be set to 20 as long as there are at least 5, but less than
// 29 participants in the call and it will be lowered to 15 when the 30th participant joins. The 'channelLastN'
// will be used as default until the first threshold is reached.
//
// lastNLimits: {
// 5: 20,
// 30: 15,
// 50: 10,
// 70: 5,
// 90: 2
// },
// Specify the settings for video quality optimizations on the client.
// videoQuality: {
// // Provides a way to prevent a video codec from being negotiated on the JVB connection. The codec specified
// // here will be removed from the list of codecs present in the SDP answer generated by the client. If the
// // same codec is specified for both the disabled and preferred option, the disable settings will prevail.
// // Note that 'VP8' cannot be disabled since it's a mandatory codec, the setting will be ignored in this case.
// disabledCodec: 'H264',
//
// // Provides a way to set a preferred video codec for the JVB connection. If 'H264' is specified here,
// // simulcast will be automatically disabled since JVB doesn't support H264 simulcast yet. This will only
// // rearrange the the preference order of the codecs in the SDP answer generated by the browser only if the
// // preferred codec specified here is present. Please ensure that the JVB offers the specified codec for this
// // to take effect.
// preferredCodec: 'VP8',
//
// // Provides a way to configure the maximum bitrates that will be enforced on the simulcast streams for
// // video tracks. The keys in the object represent the type of the stream (LD, SD or HD) and the values
// // are the max.bitrates to be set on that particular type of stream. The actual send may vary based on
// // the available bandwidth calculated by the browser, but it will be capped by the values specified here.
// // This is currently not implemented on app based clients on mobile.
// maxBitratesVideo: {
// low: 200000,
// standard: 500000,
// high: 1500000
// },
//
// // The options can be used to override default thresholds of video thumbnail heights corresponding to
// // the video quality levels used in the application. At the time of this writing the allowed levels are:
// // 'low' - for the low quality level (180p at the time of this writing)
// // 'standard' - for the medium quality level (360p)
// // 'high' - for the high quality level (720p)
// // The keys should be positive numbers which represent the minimal thumbnail height for the quality level.
// //
// // With the default config value below the application will use 'low' quality until the thumbnails are
// // at least 360 pixels tall. If the thumbnail height reaches 720 pixels then the application will switch to
// // the high quality.
// minHeightForQualityLvl: {
// 360: 'standard,
// 720: 'high'
// }
// },
// // Options for the recording limit notification.
// recordingLimit: {
//
// // The recording limit in minutes. Note: This number appears in the notification text
// // but doesn't enforce the actual recording time limit. This should be configured in
// // jibri!
// limit: 60,
//
// // The name of the app with unlimited recordings.
// appName: 'Unlimited recordings APP',
//
// // The URL of the app with unlimited recordings.
// appURL: 'https://unlimited.recordings.app.com/'
// },
// Disables or enables RTX (RFC 4588) (defaults to false).
// disableRtx: false,
// Disables or enables TCC (the default is in Jicofo and set to true)
// (draft-holmer-rmcat-transport-wide-cc-extensions-01). This setting
// affects congestion control, it practically enables send-side bandwidth
// estimations.
// enableTcc: true,
// Disables or enables REMB (the default is in Jicofo and set to false)
// (draft-alvestrand-rmcat-remb-03). This setting affects congestion
// control, it practically enables recv-side bandwidth estimations. When
// both TCC and REMB are enabled, TCC takes precedence. When both are
// disabled, then bandwidth estimations are disabled.
// enableRemb: false,
// Enables ICE restart logic in LJM and displays the page reload overlay on
// ICE failure. Current disabled by default because it's causing issues with
// signaling when Octo is enabled. Also when we do an "ICE restart"(which is
// not a real ICE restart), the client maintains the TCC sequence number
// counter, but the bridge resets it. The bridge sends media packets with
// TCC sequence numbers starting from 0.
// enableIceRestart: false,
// Defines the minimum number of participants to start a call (the default
// is set in Jicofo and set to 2).
// minParticipants: 2,
// Use TURN/UDP servers for the jitsi-videobridge connection (by default
// we filter out TURN/UDP because it is usually not needed since the
// bridge itself is reachable via UDP)
// useTurnUdp: false
// Enables / disables a data communication channel with the Videobridge.
// Values can be 'datachannel', 'websocket', true (treat it as
// 'datachannel'), undefined (treat it as 'datachannel') and false (don't
// open any channel).
// openBridgeChannel: true,
openBridgeChannel: 'websocket',
// UI
//
// Hides lobby button
// hideLobbyButton: false,
// Require users to always specify a display name.
// requireDisplayName: true,
// Whether to use a welcome page or not. In case it's false a random room
// will be joined when no room is specified.
enableWelcomePage: true,
// Enabling the close page will ignore the welcome page redirection when
// a call is hangup.
// enableClosePage: false,
// Disable hiding of remote thumbnails when in a 1-on-1 conference call.
// disable1On1Mode: false,
// Default language for the user interface.
// defaultLanguage: 'en',
// If true all users without a token will be considered guests and all users
// with token will be considered non-guests. Only guests will be allowed to
// edit their profile.
enableUserRolesBasedOnToken: false,
// Whether or not some features are checked based on token.
// enableFeaturesBasedOnToken: false,
// Enable lock room for all moderators, even when userRolesBasedOnToken is enabled and participants are guests.
// lockRoomGuestEnabled: false,
// When enabled the password used for locking a room is restricted to up to the number of digits specified
// roomPasswordNumberOfDigits: 10,
// default: roomPasswordNumberOfDigits: false,
// Message to show the users. Example: 'The service will be down for
// maintenance at 01:00 AM GMT,
// noticeMessage: '',
// Enables calendar integration, depends on googleApiApplicationClientID
// and microsoftApiApplicationClientID
// enableCalendarIntegration: false,
// When 'true', it shows an intermediate page before joining, where the user can configure their devices.
// prejoinPageEnabled: false,
// If true, shows the unsafe room name warning label when a room name is
// deemed unsafe (due to the simplicity in the name) and a password is not
// set or the lobby is not enabled.
// enableInsecureRoomNameWarning: false,
// Whether to automatically copy invitation URL after creating a room.
// Document should be focused for this option to work
// enableAutomaticUrlCopy: false,
// Stats
//
// Whether to enable stats collection or not in the TraceablePeerConnection.
// This can be useful for debugging purposes (post-processing/analysis of
// the webrtc stats) as it is done in the jitsi-meet-torture bandwidth
// estimation tests.
// gatherStats: false,
// The interval at which PeerConnection.getStats() is called. Defaults to 10000
// pcStatsInterval: 10000,
// To enable sending statistics to callstats.io you must provide the
// Application ID and Secret.
// callStatsID: '',
// callStatsSecret: '',
// Enables sending participants' display names to callstats
// enableDisplayNameInStats: false,
// Enables sending participants' emails (if available) to callstats and other analytics
// enableEmailInStats: false,
// Privacy
//
// If third party requests are disabled, no other server will be contacted.
// This means avatars will be locally generated and callstats integration
// will not function.
// disableThirdPartyRequests: false,
// Peer-To-Peer mode: used (if enabled) when there are just 2 participants.
//
p2p: {
// Enables peer to peer mode. When enabled the system will try to
// establish a direct connection when there are exactly 2 participants
// in the room. If that succeeds the conference will stop sending data
// through the JVB and use the peer to peer connection instead. When a
// 3rd participant joins the conference will be moved back to the JVB
// connection.
enabled: true,
// The STUN servers that will be used in the peer to peer connections
stunServers: [
// { urls: 'stun:jitsi-meet.example.org:3478' },
{ urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' }
]
// Sets the ICE transport policy for the p2p connection. At the time
// of this writing the list of possible values are 'all' and 'relay',
// but that is subject to change in the future. The enum is defined in
// the WebRTC standard:
// https://www.w3.org/TR/webrtc/#rtcicetransportpolicy-enum.
// If not set, the effective value is 'all'.
// iceTransportPolicy: 'all',
// If set to true, it will prefer to use H.264 for P2P calls (if H.264
// is supported). This setting is deprecated, use preferredCodec instead.
// preferH264: true
// Provides a way to set the video codec preference on the p2p connection. Acceptable
// codec values are 'VP8', 'VP9' and 'H264'.
// preferredCodec: 'H264',
// If set to true, disable H.264 video codec by stripping it out of the
// SDP. This setting is deprecated, use disabledCodec instead.
// disableH264: false,
// Provides a way to prevent a video codec from being negotiated on the p2p connection.
// disabledCodec: '',
// How long we're going to wait, before going back to P2P after the 3rd
// participant has left the conference (to filter out page reload).
// backToP2PDelay: 5
},
analytics: {
// The Google Analytics Tracking ID:
// googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1'
// Matomo configuration:
// matomoEndpoint: 'https://your-matomo-endpoint/',
// matomoSiteID: '42',
// The Amplitude APP Key:
// amplitudeAPPKey: '<APP_KEY>'
// Configuration for the rtcstats server:
// By enabling rtcstats server every time a conference is joined the rtcstats
// module connects to the provided rtcstatsEndpoint and sends statistics regarding
// PeerConnection states along with getStats metrics polled at the specified
// interval.
// rtcstatsEnabled: true,
// In order to enable rtcstats one needs to provide a endpoint url.
// rtcstatsEndpoint: wss://rtcstats-server-pilot.jitsi.net/,
// The interval at which rtcstats will poll getStats, defaults to 1000ms.
// If the value is set to 0 getStats won't be polled and the rtcstats client
// will only send data related to RTCPeerConnection events.
// rtcstatsPolIInterval: 1000
// Array of script URLs to load as lib-jitsi-meet "analytics handlers".
// scriptURLs: [
// "libs/analytics-ga.min.js", // google-analytics
// "https://example.com/my-custom-analytics.js"
// ],
},
// Logs that should go be passed through the 'log' event if a handler is defined for it
// apiLogLevels: ['warn', 'log', 'error', 'info', 'debug'],
// Information about the jitsi-meet instance we are connecting to, including
// the user region as seen by the server.
deploymentInfo: {
// shard: "shard1",
// region: "europe",
// userRegion: "asia"
},
// Decides whether the start/stop recording audio notifications should play on record.
// disableRecordAudioNotification: false,
// Information for the chrome extension banner
// chromeExtensionBanner: {
// // The chrome extension to be installed address
// url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb',
// // Extensions info which allows checking if they are installed or not
// chromeExtensionsInfo: [
// {
// id: 'kglhbbefdnlheedjiejgomgmfplipfeb',
// path: 'jitsi-logo-48x48.png'
// }
// ]
// },
// Local Recording
//
// localRecording: {
// Enables local recording.
// Additionally, 'localrecording' (all lowercase) needs to be added to
// TOOLBAR_BUTTONS in interface_config.js for the Local Recording
// button to show up on the toolbar.
//
// enabled: true,
//
// The recording format, can be one of 'ogg', 'flac' or 'wav'.
// format: 'flac'
//
// },
// Options related to end-to-end (participant to participant) ping.
// e2eping: {
// // The interval in milliseconds at which pings will be sent.
// // Defaults to 10000, set to <= 0 to disable.
// pingInterval: 10000,
//
// // The interval in milliseconds at which analytics events
// // with the measured RTT will be sent. Defaults to 60000, set
// // to <= 0 to disable.
// analyticsInterval: 60000,
// },
// If set, will attempt to use the provided video input device label when
// triggering a screenshare, instead of proceeding through the normal flow
// for obtaining a desktop stream.
// NOTE: This option is experimental and is currently intended for internal
// use only.
// _desktopSharingSourceDevice: 'sample-id-or-label',
// If true, any checks to handoff to another application will be prevented
// and instead the app will continue to display in the current browser.
// disableDeepLinking: false,
// A property to disable the right click context menu for localVideo
// the menu has option to flip the locally seen video for local presentations
// disableLocalVideoFlip: false,
// Mainly privacy related settings
// Disables all invite functions from the app (share, invite, dial out...etc)
// disableInviteFunctions: true,
// Disables storing the room name to the recents list
// doNotStoreRoom: true,
// Deployment specific URLs.
// deploymentUrls: {
// // If specified a 'Help' button will be displayed in the overflow menu with a link to the specified URL for
// // user documentation.
// userDocumentationURL: 'https://docs.example.com/video-meetings.html',
// // If specified a 'Download our apps' button will be displayed in the overflow menu with a link
// // to the specified URL for an app download page.
// downloadAppsUrl: 'https://docs.example.com/our-apps.html'
// },
// Options related to the remote participant menu.
// remoteVideoMenu: {
// // If set to true the 'Kick out' button will be disabled.
// disableKick: true
// },
// If set to true all muting operations of remote participants will be disabled.
// disableRemoteMute: true,
/**
External API url used to receive branding specific information.
If there is no url set or there are missing fields, the defaults are applied.
None of the fields are mandatory and the response must have the shape:
{
// The hex value for the colour used as background
backgroundColor: '#fff',
// The url for the image used as background
backgroundImageUrl: 'https://example.com/background-img.png',
// The anchor url used when clicking the logo image
logoClickUrl: 'https://example-company.org',
// The url used for the image used as logo
logoImageUrl: 'https://example.com/logo-img.png'
}
*/
// brandingDataUrl: '',
// The URL of the moderated rooms microservice, if available. If it
// is present, a link to the service will be rendered on the welcome page,
// otherwise the app doesn't render it.
// moderatedRoomServiceUrl: 'https://moderated.jitsi-meet.example.org',
// List of undocumented settings used in jitsi-meet
/**
_immediateReloadThreshold
debug
debugAudioLevels
deploymentInfo
dialInConfCodeUrl
dialInNumbersUrl
dialOutAuthUrl
dialOutCodesUrl
disableRemoteControl
displayJids
etherpad_base
externalConnectUrl
firefox_fake_device
googleApiApplicationClientID
iAmRecorder
iAmSipGateway
microsoftApiApplicationClientID
peopleSearchQueryTypes
peopleSearchUrl
requireDisplayName
tokenAuthUrl
*/
/**
* This property can be used to alter the generated meeting invite links (in combination with a branding domain
* which is retrieved internally by jitsi meet) (e.g. https://meet.jit.si/someMeeting
* can become https://brandedDomain/roomAlias)
*/
// brandingRoomAlias: null,
// List of undocumented settings used in lib-jitsi-meet
/**
_peerConnStatusOutOfLastNTimeout
_peerConnStatusRtcMuteTimeout
abTesting
avgRtpStatsN
callStatsConfIDNamespace
callStatsCustomScriptUrl
desktopSharingSources
disableAEC
disableAGC
disableAP
disableHPF
disableNS
enableLipSync
enableTalkWhileMuted
forceJVB121Ratio
hiddenDomain
ignoreStartMuted
nick
startBitrate
*/
// Allow all above example options to include a trailing comma and
// prevent fear when commenting out the last value.
makeJsonParserHappy: 'even if last key had a trailing comma'
// no configuration value should follow this line.
};
/* eslint-enable no-unused-vars, no-var */

156
type/__jitsi_meet_domain/files/nginx.sh
View file

@ -1,156 +0,0 @@
#!/bin/sh -e
# shellcheck disable=SC2034 # This is intended to be included
JITSI_NGINX_CONFIG="$(cat <<EOF
server_names_hash_bucket_size 64;
server {
listen 80;
listen [::]:80;
server_name ${DOMAIN};
include snippets/acme-challenge.conf;
location / {
return 301 https://\$host\$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name ${DOMAIN};
include snippets/acme-challenge.conf;
# Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m; # about 40000 sessions
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
root /usr/share/jitsi-meet;
# ssi on with javascript for multidomain variables in config.js
ssi on;
ssi_types application/x-javascript application/javascript;
# Try the custom page for this domain, fallback to default page
index index-${DOMAIN}.html index.html index.htm;
error_page 404 /static/404.html;
gzip on;
gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm;
gzip_vary on;
gzip_proxied no-cache no-store private expired auth;
gzip_min_length 512;
# We expect this domain to be properly configured, the file should exist
location = /config.js {
alias /etc/jitsi/meet/${DOMAIN}-config.js;
}
# This may or may not exist; it will be set up in config.js if needed
location = /branding.json {
alias /etc/jitsi/meet/${DOMAIN}-branding.json;
}
# Try custom image and fallback to default
location = /images/watermark.png {
try_files /images/watermark-${DOMAIN}.png \$uri;
}
location = /external_api.js {
alias /usr/share/jitsi-meet/libs/external_api.min.js;
}
#ensure all static content can always be found first
location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)\$
{
add_header 'Access-Control-Allow-Origin' '*';
alias /usr/share/jitsi-meet/\$1/\$2;
# cache all versioned files
if (\$arg_v) {
expires 1y;
}
}
# BOSH
location = /http-bind {
proxy_pass http://localhost:5280/http-bind;
proxy_set_header X-Forwarded-For \$remote_addr;
# Prevision for 'multi-domain' jitsi instances
# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
proxy_set_header Host ${JITSI_HOST};
}
# xmpp websockets
location = /xmpp-websocket {
proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=\$prefix&\$args;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";
# Prevision for 'multi-domain' jitsi instances
# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
proxy_set_header Host ${JITSI_HOST};
tcp_nodelay on;
}
# colibri (JVB) websockets for jvb1
location ~ ^/colibri-ws/default-id/(.*) {
proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/\$1\$is_args\$args;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";
tcp_nodelay on;
}
location ~ ^/([^/?&:'"]+)\$ {
try_files \$uri @root_path;
}
location @root_path {
rewrite ^/(.*)\$ / break;
}
location ~ ^/([^/?&:'"]+)/config.js\$
{
set \$subdomain "\$1.";
set \$subdir "\$1/";
alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
}
#Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
location ~ ^/([^/?&:'"]+)/(.*)\$ {
set \$subdomain "\$1.";
set \$subdir "\$1/";
rewrite ^/([^/?&:'"]+)/(.*)\$ /\$2;
}
# BOSH for subdomains
location ~ ^/([^/?&:'"]+)/http-bind {
set \$subdomain "\$1.";
set \$subdir "\$1/";
set \$prefix "\$1";
rewrite ^/(.*)\$ /http-bind;
}
# websockets for subdomains
location ~ ^/([^/?&:'"]+)/xmpp-websocket {
set \$subdomain "\$1.";
set \$subdir "\$1/";
set \$prefix "\$1";
rewrite ^/(.*)\$ /xmpp-websocket;
}
}
EOF
)"

139
type/__jitsi_meet_domain/files/nginx.sh.orig
View file

@ -1,139 +0,0 @@
server_names_hash_bucket_size 64;
server {
listen 80;
listen [::]:80;
server_name jitsi-meet.example.com;
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /usr/share/jitsi-meet;
}
location = /.well-known/acme-challenge/ {
return 404;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name jitsi-meet.example.com;
# Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m; # about 40000 sessions
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_certificate /etc/jitsi/meet/jitsi-meet.example.com.crt;
ssl_certificate_key /etc/jitsi/meet/jitsi-meet.example.com.key;
root /usr/share/jitsi-meet;
# ssi on with javascript for multidomain variables in config.js
ssi on;
ssi_types application/x-javascript application/javascript;
index index.html index.htm;
error_page 404 /static/404.html;
gzip on;
gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm;
gzip_vary on;
gzip_proxied no-cache no-store private expired auth;
gzip_min_length 512;
location = /config.js {
alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
}
location = /external_api.js {
alias /usr/share/jitsi-meet/libs/external_api.min.js;
}
#ensure all static content can always be found first
location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
{
add_header 'Access-Control-Allow-Origin' '*';
alias /usr/share/jitsi-meet/$1/$2;
# cache all versioned files
if ($arg_v) {
expires 1y;
}
}
# BOSH
location = /http-bind {
proxy_pass http://localhost:5280/http-bind;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
}
# xmpp websockets
location = /xmpp-websocket {
proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
tcp_nodelay on;
}
# colibri (JVB) websockets for jvb1
location ~ ^/colibri-ws/default-id/(.*) {
proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/$1$is_args$args;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
tcp_nodelay on;
}
location ~ ^/([^/?&:'"]+)$ {
try_files $uri @root_path;
}
location @root_path {
rewrite ^/(.*)$ / break;
}
location ~ ^/([^/?&:'"]+)/config.js$
{
set $subdomain "$1.";
set $subdir "$1/";
alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
}
#Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
location ~ ^/([^/?&:'"]+)/(.*)$ {
set $subdomain "$1.";
set $subdir "$1/";
rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
}
# BOSH for subdomains
location ~ ^/([^/?&:'"]+)/http-bind {
set $subdomain "$1.";
set $subdir "$1/";
set $prefix "$1";
rewrite ^/(.*)$ /http-bind;
}
# websockets for subdomains
location ~ ^/([^/?&:'"]+)/xmpp-websocket {
set $subdomain "$1.";
set $subdir "$1/";
set $prefix "$1";
rewrite ^/(.*)$ /xmpp-websocket;
}
}

5
type/__jitsi_meet_domain/gencode-remote
View file

@ -1,5 +0,0 @@
#!/bin/sh -e
if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
echo "service nginx reload"
fi

150
type/__jitsi_meet_domain/man.rst
View file

@ -1,150 +0,0 @@
cdist-type__jitsi_meet_domain(7)
========================================
NAME
----
cdist-type__jitsi_meet_domain - Setup a frontend for Jitsi-Meet.
DESCRIPTION
-----------
This type installs and configures the frontend for Jitsi-Meet.
This supports "multi-domain" installations, notice that in such a setup, all
rooms are shared across the different URLs, e.g.
https://jitsi1.example.org/room1 and https://jitsi2.example.org/room1 are
equivalent.
This is due to the underlying XMPP and signaling rooms being common.
There might be a way to perform tricks on the Nginx-side to avoid this, but
time is lacking :-).
This assumes `__jitsi_meet` has already been ran on the target host, and,
amongst others, that Jitsi was set up with `__target_host` as the Jitsi domain.
This type will take care of TLS settings, branding and client-side
configuration for Jitsi.
This type only works on De{bi,vu}an systems.
REQUIRED PARAMETERS
-------------------
object id
The domain that will be configured as a Jitsi-Meet instance.
admin-email
Where to send Let's Encrypt emails like "certificate needs renewal".
OPTIONAL PARAMETERS
-------------------
channel-last-n
Default value for the "last N" attribute.
Defaults to 20. Set to -1 for unlimited.
default-language
Default language for the user interface.
Defaults to 'en'.
notice-message
Message to show the users when they join a room.
start-video-muted
Every participant after the Nth will start video muted.
Defaults to 10.
turn-server
The TURN server to be used.
Defaults to `__target_host`.
video-constraints
w3c spec-compliant video constraints to use for video capture. Currently
used by browsers that return true from lib-jitsi-meet's
util#browser#usesNewGumFlow. The constraints are independent from
this config's resolution value. Defaults to requesting an ideal
resolution of 720p.
It must not have a trailing comma, see `constraints` in
`__jitsi_meet_domain/files/config.js.sh`.
branding-json
Path to a JSON file that will be served as the `brandingDataUrl`.
For information on the format see `brandingDataUrl` in
`__jitsi_meet_domain/files/config.js.sh`.
If not set, no branding will be set up.
branding-index
Path to an HTML file that will be served instead of Jitsi-Meet's default
one.
If not set, the default index file will be used.
branding-watermark
Path to a png file that will be served instead of Jitsi-Meet's default
one.
If not set, the default watermark will be used.
BOOLEAN PARAMETERS
------------------
disable-audio-levels
Disable measuring of audio levels.
This has been reported to improve performance on clients.
enable-third-party-requests
This type disables third-party requests by default, this flag re-enables
them, restoring Jitsi-Meet's defaults.
This affects things like avatars, callstats, ...
EXAMPLES
--------
.. code-block:: sh
# Setup a Jitsi frontend for jitsi.exo.cat
__jitsi_meet_domain "jitsi.exo.cat" \
--admin-email "info@exo.cat" \
--turn-server "turn.exo.cat" \
--notice-message "Hola!" \
--disable-audio-levels \
--turn-secret "WeNeedGoodSecurity" \
--video-constraints "$(cat <<EOF
constraints: {
video: {
height: {
ideal: 320,
max: 320,
min: 180
}
}
}
EOF
)"
SEE ALSO
--------
- `__jitsi_meet`
AUTHORS
-------
Evilham <contact@evilham.com>
COPYING
-------
Copyright \(C) 2020 Evilham.

90
type/__jitsi_meet_domain/manifest
View file

@ -1,90 +0,0 @@
#!/bin/sh -e
os="$(cat "${__global}/explorer/os")"
case "${os}" in
devuan|debian)
;;
*)
echo "Your OS '${os}' is currently not supported." > /dev/stderr
exit 1
;;
esac
DOMAIN="${__object_id}"
ADMIN_EMAIL="$(cat "${__object}/parameter/admin-email")"
CHANNEL_LAST_N="$(cat "${__object}/parameter/channel-last-n")"
DEFAULT_LANGUAGE="$(cat "${__object}/parameter/default-language")"
NOTICE_MESSAGE="$(cat "${__object}/parameter/notice-message")"
START_VIDEO_MUTED="$(cat "${__object}/parameter/start-video-muted")"
TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
VIDEO_CONSTRAINTS="$(cat "${__object}/parameter/video-constraints")"
BRANDING_INDEX="$(cat "${__object}/parameter/branding-index")"
BRANDING_JSON="$(cat "${__object}/parameter/branding-json")"
BRANDING_WATERMARK="$(cat "${__object}/parameter/branding-watermark")"
if [ -f "${__object}/parameter/enable-third-party-requests" ]; then
ENABLE_THIRD_PARTY_REQUESTS="YES"
fi
if [ -f "${__object}/parameter/disable-audio-levels" ]; then
DISABLE_AUDIO_LEVELS="YES"
fi
if [ -z "${TURN_SERVER}" ]; then
TURN_SERVER="${__target_host}"
fi
if [ -z "${JITSI_HOST}" ]; then
JITSI_HOST="${__target_host}"
fi
#
# Deal with certbot
#
# use object id as domain
__letsencrypt_cert "${DOMAIN}" \
--admin-email "${ADMIN_EMAIL}" \
--automatic-renewal \
--renew-hook "service nginx reload" \
--webroot /usr/share/jitsi-meet
# Create virtualhost for nginx
# shellcheck source=type/__jitsi_meet_domain/files/nginx.sh
. "${__type}/files/nginx.sh" # This defines JITSI_NGINX_CONFIG
require="__letsencrypt_cert/${DOMAIN}" __file \
"/etc/nginx/sites-enabled/${DOMAIN}.conf" \
--mode 0644 --source "-" <<EOF
${JITSI_NGINX_CONFIG}
EOF
# Setup jitsi config
# shellcheck source=type/__jitsi_meet_domain/files/config.js.sh
. "${__type}/files/config.js.sh" # This defines JITSI_CONFIG_JS
__file "/etc/jitsi/meet/${DOMAIN}-config.js" \
--mode 0644 --source "-" <<EOF
${JITSI_CONFIG_JS}
EOF
#
# Deal with branding as requested
#
# Helper function to manage the state of the target branding file
_var_state() {
if [ -n "${1}" ]; then
echo "present"
else
echo "absent"
fi
}
__file "/usr/share/jitsi-meet/index-${DOMAIN}.html" \
--mode 0644 \
--state "$(_var_state "${BRANDING_INDEX}")" \
--source "${BRANDING_INDEX}"
__file "/etc/jitsi/meet/${DOMAIN}-branding.json" \
--mode 0644 \
--state "$(_var_state "${BRANDING_JSON}")" \
--source "${BRANDING_JSON}"
__file "/usr/share/jitsi-meet/images/watermark-${DOMAIN}.png" \
--mode 0644 \
--state "$(_var_state "${BRANDING_WATERMARK}")" \
--source "${BRANDING_WATERMARK}"

2
type/__jitsi_meet_domain/parameter/boolean
View file

@ -1,2 +0,0 @@
disable-audio-levels
enable-third-party-requests

1
type/__jitsi_meet_domain/parameter/default/channel-last-n
View file

@ -1 +0,0 @@
20

1
type/__jitsi_meet_domain/parameter/default/default-language
View file

@ -1 +0,0 @@
en

1
type/__jitsi_meet_domain/parameter/default/start-video-muted
View file

@ -1 +0,0 @@
10

0
type/__jitsi_meet_domain/parameter/default/video-constraints
View file

9
type/__jitsi_meet_domain/parameter/optional
View file

@ -1,9 +0,0 @@
channel-last-n
default-language
notice-message
start-video-muted
turn-server
video-constraints
branding-json
branding-index
branding-watermark

1
type/__jitsi_meet_domain/parameter/required
View file

@ -1 +0,0 @@
admin-email

73
type/__mail_alias/explorer/aliases
View file

@ -1,73 +0,0 @@
#!/bin/sh -e
#
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# Find aliases for a given user name and print the aliases (each one on a
# separate line)
aliases_file=$("${__type_explorer:?}/aliases_file")
test -r "${aliases_file}" || exit 0
: "${__object_id:?}" # assert __object_id is set, because it is used in AWK
awk -F ':[ \t]*' '
function print_aliases(aliases, matches) {
# prints comma-separated aliases (one per line)
split(aliases, matches, /,[ \t]*/)
for (i in matches) {
gsub(/^[ \t]*|[ \t]*$/, "", matches[i])
if (matches[i]) print matches[i]
}
}
/^#/ {
# comment line (ignore)
select = 0; cont = 0 # comments terminate alias lists and continuations
next
}
{
# is this line a continuation line?
# (the prev. line ended in a backslash or the line starts with whitespace)
is_cont = /^[ \t]/ || cont
# detect if the line is a line to be continued (ends with a backslash)
cont = /\\$/
# if it is, we drop the backslash from the line
if (cont) sub(/[ \t]*\\$/, "", $0)
}
is_cont {
# if in the alias list of the "target" user, we also print these aliases.
if (select) print_aliases($0)
next
}
$1 == ENVIRON["__object_id"] {
# "target" user -> print alias list
select = 1
print_aliases($2)
next
}
{
# other user
select = 0
}
' "${aliases_file}"

52
type/__mail_alias/explorer/aliases_file
View file

@ -1,52 +0,0 @@
#!/bin/sh -e
#
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# This explorer finds the aliases file to modify.
found() { echo "$*"; exit 0; }
check_file() {
if test -f "$1"
then
found "$1"
fi
}
case $("${__explorer:?}/os")
in
(freebsd|openbsd|solaris)
check_file /etc/mail/aliases
# default
found /etc/mail/aliases
;;
(alpine|debian|devuan|ubuntu)
check_file /etc/aliases
# default
found /etc/aliases
;;
(*)
check_file /etc/mail/aliases
check_file /etc/aliases
# default
found /etc/aliases
;;
esac

96
type/__mail_alias/files/update_aliases.awk
View file

@ -1,96 +0,0 @@
#!/usr/bin/awk -f
#
# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
function getvalue(path, line) {
# Reads the first line of the file located at path and returns it.
getline line < path
close(path)
return line
}
function sepafter(f, def, _) {
# finds the separator between field $f and $(f+1)
_ = substr($0, length($f)+1, index(substr($0, length($f)+1), $(f+1))-1)
return _ ? _ : def
}
function write_aliases( line) {
if (aliases_written) return
# print aliases line
printf "%s%s", ENVIRON["__object_id"], sepafter(1, ": ")
while ((getline line < aliases_should_file) > 0) {
if (aliases_written) printf ", "
printf "%s", line
aliases_written = 1
}
printf "\n"
close(aliases_should_file)
}
BEGIN {
FS = ":[ \t]*"
parameter_dir = ENVIRON["__object"] "/parameter/"
mode = (getvalue(parameter_dir "state") != "absent")
aliases_should_file = (parameter_dir "/alias")
}
/^[ \t]*\#/ {
# comment line (leave alone)
select = 0; cont = 0 # comments terminate alias lists and continuations
print
next
}
{
# is this line a continuation line?
# (the prev. line ended in a backslash or the line starts with whitespace)
is_cont = /^[ \t]/ || cont
# detect if the line is a line to be continued (ends with a backslash)
cont = /\\$/
}
is_cont {
# we only print the line if it has not been rewritten (select)
if (!select) print
next
}
$1 == ENVIRON["__object_id"] {
# "target" user -> rewrite aliases list
select = 1
if (mode) write_aliases()
next
}
{
# other user
select = 0
print
}
END {
# if the last line was an alias, the separator will be reused (looks better)
if (mode && !aliases_written)
write_aliases()
}

87
type/__mail_alias/gencode-remote
View file

@ -1,87 +0,0 @@
#!/bin/sh -e
#
# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
quote() { printf "'%s'" "$(printf '%s' "$*" | sed -e "s/'/'\\\\''/g")"; }
drop_awk_comments() { quote "$(sed '/^[[:blank:]]*#.*$/d;/^$/d' "$@")"; }
aliases_file=$(cat "${__object:?}/explorer/aliases_file")
test -n "${aliases_file}" || {
echo 'Could not determine aliases file path.' >&2
exit 1
}
state_should=$(cat "${__object:?}/parameter/state")
case ${state_should}
in
(present)
if cmp -s "${__object:?}/explorer/aliases" "${__object:?}/parameter/alias"
then
# all good!
exit 0
fi
test -s "${__object:?}/parameter/alias" || {
printf 'The --alias parameter is required if --state present.\n' >&2
printf 'Use --state absent to remove all aliases.\n' >&2
exit 1
}
if test -s "${__object:?}/explorer/aliases"
then
echo "update aliases" >>"${__messages_out:?}"
else
echo "add aliases" >>"${__messages_out:?}"
fi
;;
(absent)
# nothing to do if no aliases found.
test -s "${__object:?}/explorer/aliases" || exit 0
echo "delete aliases" >>"${__messages_out:?}"
;;
(*)
printf 'Invalid --state: %s.\n' "${state_should}" >&2
printf 'Acceptable values are: present, absent.\n' >&2
exit 1
esac
cat <<EOF
test -f $(quote "${aliases_file}") || touch $(quote "${aliases_file}")
awk $(drop_awk_comments "${__type:?}/files/update_aliases.awk") <$(quote "${aliases_file}") >$(quote "${aliases_file}.tmp") \
|| {
rm -f $(quote "${aliases_file}.tmp")
echo 'Generating new aliases file failed!' >&2
exit 1
}
if ! cmp -s $(quote "${aliases_file}") $(quote "${aliases_file}.tmp")
then
# aliases file was modified, replace:
cat $(quote "${aliases_file}.tmp") >$(quote "${aliases_file}")
# then, run newaliases if present ("missing" on Alpine Linux because of typo)
command -v newaliases >/dev/null 2>&1 && newaliases || true
fi
rm -f $(quote "${aliases_file}.tmp")
EOF

76
type/__mail_alias/man.rst
View file

@ -1,76 +0,0 @@
cdist-type__mail_alias(7)
=========================
NAME
----
cdist-type__mail_alias - Manage mail aliases.
DESCRIPTION
-----------
This cdist type allows you to configure mail aliases (/etc/aliases).
REQUIRED PARAMETERS
-------------------
None.
OPTIONAL PARAMETERS
-------------------
state
'present' or 'absent', defaults to 'present'
alias
an alias, i.e. a mail address where mail for the user should be redirected
to.
This parameter can be specified multiple times to redirect to multiple
recipients.
If ``--state`` is ``present`` this parameter is required.
See `aliases(5)` for the different forms this parameter can take.
BOOLEAN PARAMETERS
------------------
None.
EXAMPLES
--------
.. code-block:: sh
# Redirect root mail to a "real" email address
__mail_alias root --alias admin@example.com
# Disable redirection of mail for joe
__mail_alias joe --state absent
BUGS
----
- Quoted strings are not parsed by this type. As a result, aliases
containing ``,`` (commas) are treated incorrectly (they are treated as
separate aliases.)
Make sure that email addresses, file names, and pipe commands do not contain
commas.
- ``:include:`` directives in the aliases file are not evaluated by this type.
They are treated like a regular alias, the values of the included file are
not expanded.
SEE ALSO
--------
:strong:`aliases`\ (5)
AUTHORS
-------
Dennis Camera <dennis.camera@ssrq-sds-fds.ch>
COPYING
-------
Copyright \(C) 2020 Dennis Camera. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

0
type/__mail_alias/nonparallel
View file

1
type/__mail_alias/parameter/default/state
View file

@ -1 +0,0 @@
present

1
type/__mail_alias/parameter/optional
View file

@ -1 +0,0 @@
state

1
type/__mail_alias/parameter/optional_multiple
View file

@ -1 +0,0 @@
alias

90
type/__matrix_element/files/config.json.sh
View file

@ -1,90 +0,0 @@
#!/bin/sh
#
# Upstream configuration guide/documentation:
# https://github.com/vector-im/riot-web/blob/develop/docs/config.md
generate_embedded_pages () {
if [ "$EMBED_HOMEPAGE" != "" ]; then
cat << EOF
"embeddedPages": {
"homeUrl": "home.html"
},
EOF
fi
}
generate_jitsi_config () {
if [ "$JITSI_DOMAIN" != "" ]; then
cat << EOF
"jitsi": {
"preferredDomain": "$JITSI_DOMAIN"
},
EOF
fi
}
generate_branding () {
echo '"branding": {'
if [ "$BRANDING_AUTH_HEADER_LOGO_URL" != "" ]; then
cat << EOF
"authHeaderLogoUrl": "$BRANDING_AUTH_HEADER_LOGO_URL",
EOF
fi
if [ "$BRANDING_AUTH_FOOTER_LINKS" != "" ]; then
cat << EOF
"authFooterLinks": "$BRANDING_AUTH_FOOTER_LINKS",
EOF
fi
cat << EOF
"welcomeBackgroundUrl": "themes/element/img/backgrounds/lake.jpg"
EOF
echo '},'
}
cat << EOF
{
"default_server_config": {
"m.homeserver": {
"base_url": "$DEFAULT_SERVER_URL",
"server_name": "$DEFAULT_SERVER_NAME"
},
"m.identity_server": {
"base_url": "https://vector.im"
}
},
"brand": "$BRAND",
$(generate_branding)
"defaultCountryCode": "$DEFAULT_COUNTRY_CODE",
"integrations_ui_url": "https://scalar.vector.im/",
"integrations_rest_url": "https://scalar.vector.im/api",
"integrations_widgets_urls": [
"https://scalar.vector.im/_matrix/integrations/v1",
"https://scalar.vector.im/api",
"https://scalar-staging.vector.im/_matrix/integrations/v1",
"https://scalar-staging.vector.im/api",
"https://scalar-staging.riot.im/scalar/api"
],
"bug_report_endpoint_url": "https://riot.im/bugreports/submit",
"roomDirectory": {
"servers": [
$ROOM_DIRECTORY_SERVERS
]
},
"disable_custom_urls": "$DISABLE_CUSTOM_URLS",
$(generate_embedded_pages)
$(generate_jitsi_config)
"terms_and_conditions_links": [
{
"url": "$PRIVACY_POLICY_URL",
"text": "Privacy Policy"
},
{
"url": "$COOKIE_POLICY_URL",
"text": "Cookie Policy"
}
]
}
EOF

95
type/__matrix_element/gencode-remote
View file

@ -1,95 +0,0 @@
#!/bin/sh -e
#
# 2019 Timothée Floure (timothee.floure@ungleich.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# Function to compare version strings. Returns success (0) if the version
# given by stdin is higher than the version provided by the argument.
#
# Taken from the cdist core type __sensible_editor.
version_ge() {
awk -F '[^0-9.]' -v target="${1:?}" '
function max(x, y) { return x > y ? x : y; }
BEGIN {
getline;
nx = split($1, x, ".");
ny = split(target, y, ".");
for (i = 1; i <= max(nx, ny); ++i) {
diff = int(x[i]) - int(y[i]);
if (diff < 0) exit 1;
else if (diff > 0) exit 0;
else continue;
}
}'
}
VERSION=$(cat "$__object/parameter/version")
INSTALL_DIR=$(cat "$__object/parameter/install_dir")
OWNER=$(cat "$__object/parameter/owner")
# tarball name changed due to application renaming
if echo "$VERSION" | version_ge 1.7.14; then
src="element-v$VERSION"
else
src="riot-v$VERSION"
fi
archive="$src.tar.gz"
url="https://github.com/vector-im/riot-web/releases/download/v$VERSION/$archive"
# tar and curl are installed by the __matrix-riot manifest. mktemp is usually
# provided by coreutils and assumed installed.
cat << EOF
set -e
# Ensure that coreutils is installed.
if [ ! -x \$(which mktemp) ]; then
echo "mktemp is not available on the remote host." >&2
exit 1
fi
# Create temporary working directory.
tmpdir=\$(mktemp -d)
custom_files_dir="\$tmpdir/custom_files"
cd \$tmpdir
# Download and extract sources.
curl -L '$url' > $archive
tar xf $archive
# Backup files deployed by __matrix_element.
mkdir -p \$custom_files_dir
for file in $INSTALL_DIR/cdist/*; do
cp "\$file" "\$custom_files_dir"
done
# Deploy sources and restore configuration.
rm -r '$INSTALL_DIR'
mv '$src' '$INSTALL_DIR'
for file in \$custom_files_dir/*; do
cp "\$file" '$INSTALL_DIR'
done
# Chown deployed files to requested owner.
chown -R '$OWNER' '$INSTALL_DIR'
# Remove temporary working directory.
cd /
rm -r \$tmpdir
EOF

87
type/__matrix_element/man.rst
View file

@ -1,87 +0,0 @@
cdist-type__matrix_element(7)
=============================
NAME
----
cdist-type__matrix_element - Install and configure Element, a web Matrix client.
DESCRIPTION
-----------
This type install and configure the Element web client.
REQUIRED PARAMETERS
-------------------
install_dir
Root directory of Element's static files.
version
Release of Element to install.
OPTIONAL PARAMETERS
-------------------
default_server_name
Name of matrix homeserver to connect to, defaults to 'matrix.org'.
default_server_url
URL of matrix homeserver to connect to, defaults to 'https://matrix-client.matrix.org'.
owner
Owner of the deployed files, passed to `chown`. Defaults to 'root'.
brand
Web UI branding, defaults to 'Element'.
default_country_code
ISO 3166 alpha2 country code to use when showing country selectors, such as
phone number inputs. Defaults to GB.
privacy_policy_url
Defaults to 'https://element.io/privacy'.
cookie_policy_url
Defaults to 'https://matrix.org/docs/guides/element_im_cookie_policy'.
jitsi_domain
Domain name of preferred Jitsi instance (default is jitsi.element.im). This is
used whenever a user clicks on the voice/video call buttons.
homepage
Path to custom homepage, displayed once logged in.
welcomepage
Path to custom welcome (= login) page.
custom_asset
Serve a file a the top-level directory (e.g. /my-custom-logo.svg). Can be specified multiple times.
BOOLEAN PARAMETERS
-------------------
disable_custom_urls
Disallow the user to change the default homeserver when signing up or logging in.
EXAMPLES
--------
.. code-block:: sh
__matrix_element my-element --install_dir /var/www/element-web --version 1.5.6
SEE ALSO
--------
- `cdist-type__matrix_synapse(7) <cdist-type__matrix_synapse.html>`_
AUTHORS
-------
Timothée Floure <timothee.floure@ungleich.ch>
COPYING
-------
Copyright \(C) 2019 Timothée Floure. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

106
type/__matrix_element/manifest
View file

@ -1,106 +0,0 @@
#!/bin/sh -e
#
# 2019 Timothée Floure (timothee.floure@ungleich.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
# Ignore "Declare and assign separately to avoid masking return values. [SC2155]"
# => not relevant for the type arguments.
# shellcheck disable=SC2155
INSTALL_DIR=$(cat "$__object/parameter/install_dir")
export DEFAULT_SERVER_NAME=$(cat "$__object/parameter/default_server_name")
export DEFAULT_SERVER_URL=$(cat "$__object/parameter/default_server_url")
export BRAND=$(cat "$__object/parameter/brand")
export DEFAULT_COUNTRY_CODE=$(cat "$__object/parameter/default_country_code")
export ROOM_DIRECTORY_SERVERS=$(cat "$__object/parameter/room_directory_servers")
export PRIVACY_POLICY_URL=$(cat "$__object/parameter/privacy_policy_url")
export COOKIE_POLICY_URL=$(cat "$__object/parameter/cookie_policy_url")
if [ -f "$__object/parameter/jitsi_domain" ]; then
export JITSI_DOMAIN=$(cat "$__object/parameter/jitsi_domain")
fi
if [ -f "$__object/parameter/branding_auth_header_logo_url" ]; then
export BRANDING_AUTH_HEADER_LOGO_URL=$(cat "$__object/parameter/branding_auth_header_logo_url")
fi
if [ -f "$__object/parameter/branding_auth_footer_links" ]; then
export BRANDING_AUTH_FOOTER_LINKS=$(cat "$__object/parameter/branding_auth_footer_links")
fi
if [ -f "$__object/parameter/homepage" ]; then
export EMBED_HOMEPAGE=1
homepage=$(cat "$__object/parameter/homepage")
fi
if [ -f "$__object/parameter/welcomepage" ]; then
export EMBED_WELCOMEPAGE=1
welcomepage=$(cat "$__object/parameter/welcomepage")
fi
if [ -f "$__object/parameter/custom_asset" ]; then
"$__object/parameter/custom_asset" | while IFS= read -r file; do
require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/$(basename "$file")" \
--source "$file" \
--mode 0664 \
--state present
done
fi
if [ -f "$__object/parameter/disable_custom_urls" ]; then
export DISABLE_CUSTOM_URLS='true'
else
export DISABLE_CUSTOM_URLS='false'
fi
# Owner of the uploaded files.
owner=$(cat "$__object/parameter/owner")
# Ensure that curl and tar are installed, as they will be required by the
# gencode-remote script.
__package curl --state present
__package tar --state present
# Generate and deploy configuration file.
mkdir -p "$__object/files"
"$__type/files/config.json.sh" > "$__object/files/config.json"
# Install the config.json configuration file. The application's sources are
# downloaded and deployed by gencode-remote.
__directory "$INSTALL_DIR/cdist" \
--owner "$owner" --mode 0755 --parents \
--state present
require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/config.json" \
--source "$__object/files/config.json" \
--mode 0664 \
--state present
if [ $EMBED_HOMEPAGE ]; then
require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/home.html" \
--source "$homepage" \
--mode 0664 \
--state present
fi
if [ $EMBED_WELCOMEPAGE ]; then
require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/welcome.html" \
--source "$welcomepage" \
--mode 0664 \
--state present
fi

1
type/__matrix_element/parameter/boolean
View file

@ -1 +0,0 @@
disable_custom_urls

1
type/__matrix_element/parameter/default/brand
View file

@ -1 +0,0 @@
Element

1
type/__matrix_element/parameter/default/cookie_policy_url
View file

@ -1 +0,0 @@
https://matrix.org/docs/guides/riot_im_cookie_policy

1
type/__matrix_element/parameter/default/default_country_code
View file

@ -1 +0,0 @@
GB

1
type/__matrix_element/parameter/default/default_server_name
View file

@ -1 +0,0 @@
matrix.org

1
type/__matrix_element/parameter/default/default_server_url
View file

@ -1 +0,0 @@
https://matrix-client.matrix.org

1
type/__matrix_element/parameter/default/owner
View file

@ -1 +0,0 @@
root

1
type/__matrix_element/parameter/default/privacy_policy_url
View file

@ -1 +0,0 @@
https://element.io/privacy

1
type/__matrix_element/parameter/default/room_directory_servers
View file

@ -1 +0,0 @@
"matrix.org"

13
type/__matrix_element/parameter/optional
View file

@ -1,13 +0,0 @@
default_server_url
default_server_name
brand
default_country_code
privacy_policy_url
cookie_policy_url
room_directory_servers
owner
homepage
welcomepage
jitsi_domain
branding_auth_header_logo_url
branding_auth_footer_links

1
type/__matrix_element/parameter/optional_multiple
View file

@ -1 +0,0 @@
custom_asset

2
type/__matrix_element/parameter/required
View file

@ -1,2 +0,0 @@
version
install_dir

6
type/__matrix_synapse/files/environment.sh Normal file
View file

@ -0,0 +1,6 @@
#!/bin/sh
cat << EOF
# Specify environment variables used when running Synapse
SYNAPSE_CACHE_FACTOR=$CACHE_FACTOR
EOF

1785
type/__matrix_synapse/files/homeserver.yaml.sh Executable file
View file

File diff suppressed because it is too large Load diff

60
type/__matrix_synapse/files/log.config.sh Executable file
View file

@ -0,0 +1,60 @@
#!/bin/sh
cat << EOF
version: 1
formatters:
precise:
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
journal_fmt:
format: '%(name)s: [%(request)s] %(message)s'
filters:
context:
(): synapse.util.logcontext.LoggingContextFilter
request: ""
handlers:
file:
class: logging.handlers.WatchedFileHandler
formatter: precise
filename: $LOG_DIR/homeserver.log
filters: [context]
level: DEBUG
encoding: utf8
console:
class: logging.StreamHandler
formatter: precise
level: WARN
journal:
class: systemd.journal.JournalHandler
formatter: journal_fmt
filters: [context]
SYSLOG_IDENTIFIER: synapse
loggers:
twisted:
level: WARN
synapse:
level: INFO
# the following levels are more verbose than most users want
# set them to INFO if you need more logging
synapse.metrics:
level: WARN
synapse.http.federation.well_known_resolver:
level: WARN
synapse.storage.TIME:
level: WARN
synapse.http.matrixfederationclient:
level: WARN
root:
level: INFO
handlers: [file, journal]
EOF

180
type/__matrix_synapse/man.rst Normal file
View file

@ -0,0 +1,180 @@
cdist-type__matrix_synapse(7)
======================
NAME
----
cdist-type__matrix_synapse - Install and configure Synapse, a Matrix homeserver
DESCRIPTION
-----------
This type install and configure the Synapse Matrix homeserver. This is a
signleton type.
REQUIRED PARAMETERS
-------------------
server_name
Name of your homeserver (e.g. ungleich.ch) used as part of your MXIDs. This
value cannot be changed without meddling with the database once the server is
being used.
base_url
Public URL of your homeserver (e.g. http://matrix.ungleich.ch).
database_engine
'sqlite3' or 'postgresql'
database_name
Path to the database if SQLite3 is used or database name if PostgresSQL is
used.
OPTIONAL PARAMETERS
-------------------
database_host
Database node address, only used with PostgresSQL.
database_user
Database user, only used with PostgresSQL.
database_password
Database password, only used with PostgresSQL.
ldap_uri
Address of your LDAP server.
ldap_base_dn
Base DN of your LDAP tree.
ldap_uid_attribute
LDAP attriute mapping to Synapse's uid field, default to uid.
ldap_mail_attribute
LDAP attriute mapping to Synapse's mail field, default to mail.
ldap_name_attribute
LDAP attriute mapping to Synapse's name field, default to givenName.
ldap_bind_dn
User used to authenticate against your LDAP server in 'search' mode.
ldap_bind_password
Password used to authenticate against your LDAP server in 'search' mode.
ldap_filter
LDAP user filter, defaulting to `(objectClass=posixAccount)`.
turn_uri
URI to TURN server, can be provided multiple times if there is more than one
server.
turn_shared_secret
Shared secret used to access the TURN REST API.
turn_user_lifetime
Lifetime of TURN credentials. Defaults to 1h.
max_upload_size
Maximum size for user-uploaded files. Defaults to 10M.
rc_message_per_second
Message rate-limiting (per second). Defaults to 0.17.
rc_message_burst
Message rate-limiting (burst). Defaults to 3.
rc_login_per_second
Login rate-limiting (per-second). Defaults to 0.17.
rc_login_burst
Login rate-limiting (burst). Defaults to 3.
branding_auth_header_logo_url
A logo that is shown in the header during authentication flows.
branding_auth_footer_links
A list of links to show in the authentication page footer: `[{"text": "Link text", "url": "https://link.target"}, {"text": "Other link", ...}]`
registration_allows_email_pattern
Only allow email addresses matching specified filter. Can be specified multiple times. A pattern must look like `.*@vector\.im`.
auto_join_room
Room where newly-registered users are automatically added. Can be specified multiple times.
app_service_config_file
Path (on remote) of an application service configuration file to load. Can be specified multiple times.
extra_setting
Arbitrary string to be added to the configuration file. Can be specified multiple times.
BOOLEAN PARAMETERS
------------------
allow_registration
Enables user registration on the homeserver.
enable_ldap_auth
Enables ldap-backed authentication.
ldap_search_mode
Enables 'search' mode for LDAP auth backend.
report_stats
Whether or not to report anonymized homeserver usage statistics.
expose_metrics
Expose metrics endpoint for Prometheus.
disable_federation
Disable federation to the broader matrix network.
registration_require_email
Make email a required field on registration.
allow_public_rooms_over_federation
Allow other homeservers to fetch this server's public room directory.
allow_public_rooms_without_auth
If set to 'false', requires authentication to access the server's public rooms directory through the client API.
enable_server_notices
Enable the server notices room.
global_cache_factor
Controls the global cache factor, which is the default cache factor
for all caches if a specific factor for that cache is not otherwise
set. Defaults to 0.5.
event_cache_size
Number of events to cache in memory. Defaults to 10K.
allow_guest_access
Allows users to register as guests without a password/email/etc, and
participate in rooms hosted on this server which have been made accessible to
anonymous users.
EXAMPLES
--------
.. code-block:: sh
__matrix_synapse --server_name ungleich.ch \
--base_url https://matrix.ungleich.ch \
--database_engine sqlite3 \
--database_name /var/lib/matrix-syanpse/homeserver.db
SEE ALSO
--------
- `cdist-type__matrix_riot(7) <cdist-type__matrix_riot.html>`_
AUTHORS
-------
Timothée Floure <timothee.floure@ungleich.ch>
COPYING
-------
Copyright \(C) 2019 Timothée Floure. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

320
type/__matrix_synapse/manifest Executable file
View file

@ -0,0 +1,320 @@
#!/bin/sh -e
#
# 2019 Timothée Floure (timothee.floure@ungleich.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# OS-specific configuration.
os=$(cat "$__global/explorer/os")
distribution=$(cat "$__global/explorer/lsb_codename")
case "$os" in
debian)
synapse_user=matrix-synapse
synapse_pkg=matrix-synapse
synapse_service=matrix-synapse
ldap_auth_provider_pkg=matrix-synapse-ldap3
psycopg2_pkg=python3-psycopg2
synapse_conf_dir='/etc/matrix-synapse'
synapse_data_dir='/var/lib/matrix-synapse'
if [ ! -f "$__global/explorer/lsb_codename" ]; then
ls "$__global/explorer" >&2
echo "Could not determine Debian release, ensure that lsb-release is installed on the target." >&2
exit 1
fi
;;
fedora)
synapse_user=synapse
synapse_pkg=matrix-synapse
synapse_service=synapse
ldap_auth_provider_pkg=python-matrix-synapse-ldap3
synapse_conf_dir='/etc/synapse'
synapse_data_dir='/var/lib/synapse'
;;
freebsd)
synapse_user=synapse
synapse_pkg=py36-matrix-synapse
synapse_service=synapse
ldap_auth_provider_pkg=py36-matrix-synapse-ldap3
synapse_conf_dir='/usr/local/etc/matrix-synapse'
synapse_data_dir='/var/matrix-synapse'
;;
alpine)
echo "As of 2019-12-19 matrix-synapse is not in alpine stable. Exiting."
exit 1
;;
*)
printf "Your operating system (%s) is currently not supported by this type (%s)\n" "$os" "${__type##*/}" >&2
printf "Please contribute an implementation for it if you can.\n" >&2
exit 1
;;
esac
# Required parameters:
SERVER_NAME=$(cat "$__object/parameter/server_name")
export SERVER_NAME
BASE_URL=$(cat "$__object/parameter/base_url")
export BASE_URL
export DATA_DIR=$synapse_data_dir
export LOG_DIR='/var/log/matrix-synapse'
export PIDFILE='/var/run/matrix/homeserver.pid'
export LOG_CONFIG_PATH="$synapse_conf_dir/log.yaml"
export SIGNING_KEY_PATH="$synapse_conf_dir/signin.key"
DATABASE_ENGINE=$(cat "$__object/parameter/database_engine")
export DATABASE_ENGINE
DATABASE_NAME=$(cat "$__object/parameter/database_name")
export DATABASE_NAME
# Optional parameters:
DATABASE_HOST=$(cat "$__object/parameter/database_host")
export DATABASE_HOST
DATABASE_USER=$(cat "$__object/parameter/database_user")
export DATABASE_USER
DATABASE_PASSWORD=$(cat "$__object/parameter/database_password")
export DATABASE_PASSWORD
GLOBAL_CACHE_FACTOR=$(cat "$__object/parameter/global_cache_factor")
export GLOBAL_CACHE_FACTOR
EVENT_CACHE_SIZE=$(cat "$__object/parameter/event_cache_size")
export EVENT_CACHE_SIZE
LDAP_FILTER=$(cat "$__object/parameter/ldap_filter")
export LDAP_FILTER
LDAP_UID_ATTRIBUTE=$(cat "$__object/parameter/ldap_uid_attribute")
export LDAP_UID_ATTRIBUTE
LDAP_MAIL_ATTRIBUTE=$(cat "$__object/parameter/ldap_mail_attribute")
export LDAP_MAIL_ATTRIBUTE
LDAP_NAME_ATTRIBUTE=$(cat "$__object/parameter/ldap_name_attribute")
export LDAP_NAME_ATTRIBUTE
LDAP_URI=$(cat "$__object/parameter/ldap_uri")
export LDAP_URI
LDAP_BASE_DN=$(cat "$__object/parameter/ldap_base_dn")
export LDAP_BASE_DN
LDAP_BIND_DN=$(cat "$__object/parameter/ldap_bind_dn")
export LDAP_BIND_DN
LDAP_BIND_PASSWORD=$(cat "$__object/parameter/ldap_bind_password")
export LDAP_BIND_PASSWORD
TURN_USER_LIFETIME=$(cat "$__object/parameter/turn_user_lifetime")
export TURN_USER_LIFETIME
if [ -f "$__object/parameter/turn_shared_secret" ]; then
TURN_SHARED_SECRET=$(cat "$__object/parameter/turn_shared_secret")
export TURN_SHARED_SECRET
fi
if [ -f "$__object/parameter/turn_uri" ]; then
uris=$(tr "\n" "," < "$__object/parameter/turn_uri" | sed 's/,$//')
export TURN_URIS="[$uris]"
fi
if [ -f "$__object/parameter/registration_allows_email_pattern" ]; then
RESGISTRATION_ALLOWS_EMAIL_PATTERN=$(cat "$__object/parameter/registration_allows_email_pattern")
export RESGISTRATION_ALLOWS_EMAIL_PATTERN
fi
if [ -f "$__object/parameter/auto_join_room" ]; then
AUTO_JOIN_ROOMS="$(cat "$__object/parameter/auto_join_room")"
export AUTO_JOIN_ROOMS
fi
if [ -f "$__object/parameter/app_service_config_file" ]; then
APP_SERVICE_CONFIG_FILES=$(cat "$__object/parameter/app_service_config_file")
export APP_SERVICE_CONFIG_FILES
fi
MAX_UPLOAD_SIZE=$(cat "$__object/parameter/max_upload_size")
export MAX_UPLOAD_SIZE
RIOT_BASE_URL=$(cat "$__object/parameter/riot_base_url")
export RIOT_BASE_URL
SMTP_HOST=$(cat "$__object/parameter/smtp_host")
export SMTP_HOST
SMTP_PORT=$(cat "$__object/parameter/smtp_port")
export SMTP_PORT
SMTP_USER=$(cat "$__object/parameter/smtp_user")
export SMTP_USER
SMTP_PASS=$(cat "$__object/parameter/smtp_pass")
export SMTP_PASS
RC_MESSAGE_PER_SECOND=$(cat "$__object/parameter/rc_message_per_second")
export RC_MESSAGE_PER_SECOND
RC_MESSAGE_BURST=$(cat "$__object/parameter/rc_message_burst")
export RC_MESSAGE_BURST
RC_LOGIN_PER_SECOND=$(cat "$__object/parameter/rc_login_per_second")
export RC_LOGIN_PER_SECOND
RC_LOGIN_BURST=$(cat "$__object/parameter/rc_login_burst")
export RC_LOGIN_BURST
if [ -f "$__object/parameter/extra_setting" ]; then
EXTRA_SETTINGS=$(cat "$__object/parameter/extra_setting")
export EXTRA_SETTINGS
fi
# Boolean parameters:
if [ -f "$__object/parameter/report_stats" ]; then
export REPORT_STATS='true'
else
export REPORT_STATS='false'
fi
if [ -f "$__object/parameter/allow_registration" ]; then
export ALLOW_REGISTRATION='true'
else
export ALLOW_REGISTRATION='false'
fi
if [ -f "$__object/parameter/enable_ldap_auth" ]; then
export ENABLE_LDAP_AUTH='true'
else
export ENABLE_LDAP_AUTH='false'
fi
if [ -f "$__object/parameter/ldap_search_mode" ]; then
export LDAP_SEARCH_MODE=1
fi
if [ -f "$__object/parameter/expose_metrics" ]; then
export EXPOSE_METRICS='true'
else
export EXPOSE_METRICS='false'
fi
if [ -f "$__object/parameter/enable_notifications" ]; then
export ENABLE_NOTIFICATIONS='true'
else
export ENABLE_NOTIFICATIONS='false'
fi
if [ -f "$__object/parameter/enable_notifications_by_default" ]; then
export ENABLE_NOTIFICATIONS_BY_DEFAULT='true'
else
export ENABLE_NOTIFICATIONS_BY_DEFAULT='false'
fi
if [ -f "$__object/parameter/smtp_requires_tls" ]; then
export SMTP_TLS='true'
else
export SMTP_TLS='false'
fi
if [ -f "$__object/parameter/disable_federation" ]; then
export DISABLE_FEDERATION='true'
else
export DISABLE_FEDERATION='false'
fi
if [ -f "$__object/parameter/allow_guest_access" ]; then
export ALLOW_GUEST_ACCESS='true'
else
export ALLOW_GUEST_ACCESS='false'
fi
if [ -f "$__object/parameter/registration_requires_email" ]; then
export REGISTRATION_REQUIRES_EMAIL=1
fi
if [ -f "$__object/parameter/allow_public_rooms_over_federation" ]; then
export ALLOW_PUBLIC_ROOMS_OVER_FEDERATION='true'
else
export ALLOW_PUBLIC_ROOMS_OVER_FEDERATION='false'
fi
if [ -f "$__object/parameter/allow_public_rooms_without_auth" ]; then
export ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH='true'
else
export ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH='false'
fi
if [ -f "$__object/parameter/enable_server_notices" ]; then
export ENABLE_SERVER_NOTICES=1
fi
# Specific case for debian-buster, boilerplate but there's not much I can do
# about it.
installation_reqs=""
if [ "$os" = "debian" ] && [ "$distribution" = "buster" ]; then
# Enable debian-backports for debian Buster, as the 'stable'
# matrix-synapse package is ways too old (< 1.0).
__apt_source debian-backports \
--uri http://deb.debian.org/debian/ \
--distribution "$distribution-backports" \
--component main
require="__apt_source/debian-backports" __apt_update_index
# Install base matrix-synapse package.
require="__apt_update_index" __package_apt $synapse_pkg \
--state present \
--target-release "$distribution-backports"
# Install LdapAuthProvider module if LDAP auth is enabled.
if [ "$ENABLE_LDAP_AUTH" = "true" ]; then
require="__package_apt/$synapse_pkg" __package_apt $ldap_auth_provider_pkg \
--state present \
--target-release "$distribution-backports"
installation_reqs="$installation_reqs __package_apt/$ldap_auth_provider_pkg"
fi
# For some reason, psycopg2 is not considered a dependency of
# matrix-synapse in matrix.org's APT repository.
if [ "$DATABASE_ENGINE" = "psycopg2" ]; then
require="__package_apt/$synapse_pkg" __package_apt $psycopg2_pkg \
--state present
installation_reqs="$installation_reqs __package_apt/$psycopg2_pkg"
fi
# Used for dependency order resolution.
installation_reqs="$installation_reqs __package_apt/$synapse_pkg"
else
# Install base matrix-synapse package.
__package $synapse_pkg --state present
# Install LdapAuthProvider module if LDAP auth is enabled.
if [ "$ENABLE_LDAP_AUTH" = "true" ]; then
require="__package/$synapse_pkg" __package $ldap_auth_provider_pkg \
--state present
fi
# Used for dependency order resolution.
installation_reqs="__package/$synapse_pkg"
fi
# Generate and deploy configuration files.
mkdir -p "$__object/files"
"$__type/files/homeserver.yaml.sh" > "$__object/files/homeserver.yaml"
"$__type/files/log.config.sh" > "$__object/files/log.config"
require="$installation_reqs" __file "$synapse_conf_dir/homeserver.yaml" \
--state present \
--owner $synapse_user \
--mode 600 \
--source "$__object/files/homeserver.yaml"
require="$installation_reqs" __file "$LOG_CONFIG_PATH" \
--state present \
--owner $synapse_user \
--mode 600 \
--source "$__object/files/log.config"
require="$installation_reqs" __directory $DATA_DIR --state present --owner $synapse_user
require="$installation_reqs" __directory $LOG_DIR --state present --owner $synapse_user
# Work around dpkg-reconfigure for Debian package.
RESTART_REQUIRES="__file/$synapse_conf_dir/homeserver.yaml"
if [ "$os" = "debian" ]; then
require="$installation_reqs" __file "$synapse_conf_dir/conf.d/server_name.yaml" \
--state present --owner $synapse_user --source - << EOF
server_name: "$SERVER_NAME"
EOF
require="$installation_reqs" __file "$synapse_conf_dir/conf.d/report_stats.yaml" \
--state present --owner $synapse_user --source - << EOF
report_stats: $REPORT_STATS
EOF
RESTART_REQUIRES="$RESTART_REQUIRES __file/$synapse_conf_dir/conf.d/server_name.yaml \
__file/$synapse_conf_dir/conf.d/report_stats.yaml"
fi
# Restart synapse homeserver to reload configuration.
require="$RESTART_REQUIRES" __service $synapse_service --action restart

14
type/__matrix_synapse/parameter/boolean Normal file
View file

@ -0,0 +1,14 @@
allow_registration
enable_ldap_auth
ldap_search_mode
report_stats
expose_metrics
enable_notifications
enable_notifications_by_default
smtp_requires_tls
disable_federation
registration_requires_email
allow_public_rooms_over_federation
enable_server_notices
allow_guest_access
allow_public_rooms_without_auth

0
type/__dma/singleton → type/__matrix_synapse/parameter/default/database_host
View file

0
type/__dma_auth/nonparallel → type/__matrix_synapse/parameter/default/database_password
View file

0
type/__jitsi_meet/parameter/default/turn-server → type/__matrix_synapse/parameter/default/database_user
View file

1
type/__matrix_synapse/parameter/default/event_cache_size Normal file
View file

@ -0,0 +1 @@
10K

1
type/__matrix_synapse/parameter/default/global_cache_factor Normal file
View file

@ -0,0 +1 @@
0.5

0
type/__jitsi_meet/singleton → type/__matrix_synapse/parameter/default/ldap_base_dn
View file

0
type/__jitsi_meet_domain/parameter/default/branding-index → type/__matrix_synapse/parameter/default/ldap_bind_dn
View file

0
type/__jitsi_meet_domain/parameter/default/branding-json → type/__matrix_synapse/parameter/default/ldap_bind_password
View file

1
type/__matrix_synapse/parameter/default/ldap_filter Normal file
View file

@ -0,0 +1 @@
(objectClass=posixAccount)

1
type/__matrix_synapse/parameter/default/ldap_mail_attribute Normal file
View file

@ -0,0 +1 @@
mail

1
type/__matrix_synapse/parameter/default/ldap_name_attribute Normal file
View file

@ -0,0 +1 @@
givenName

1
type/__matrix_synapse/parameter/default/ldap_uid_attribute Normal file
View file

@ -0,0 +1 @@
uid

Some files were not shown because too many files have changed in this diff Show more