2022-04-21 11:20:30 +00:00
|
|
|
#!/bin/sh -eu
|
|
|
|
|
|
|
|
# Source:
|
|
|
|
# https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example
|
|
|
|
FOCUS_USER="focus"
|
|
|
|
JITSI_DOMAIN="${JITSI_DOMAIN:-${JITSI_HOST:?}}"
|
|
|
|
# PROSODY_MAIN_CONFIG: defined in __jitsi_meet, empty in __jitsi_meet_domain
|
|
|
|
PROSODY_SECUREDOMAIN_START="--[["
|
|
|
|
PROSODY_SECUREDOMAIN_END="--]]"
|
|
|
|
if [ -n "${PROSODY_MAIN_CONFIG}" ]; then
|
|
|
|
PROSODY_MAIN_START=""
|
|
|
|
PROSODY_MAIN_END=""
|
|
|
|
PROSODY_DOMAIN_START="--[["
|
|
|
|
PROSODY_DOMAIN_END="--]]"
|
|
|
|
else
|
|
|
|
PROSODY_MAIN_START="--[["
|
|
|
|
PROSODY_MAIN_END="--]]"
|
|
|
|
PROSODY_DOMAIN_START=""
|
|
|
|
PROSODY_DOMAIN_END=""
|
|
|
|
if [ -n "${SECURED_DOMAINS}" ]; then
|
|
|
|
PROSODY_SECUREDOMAIN_START=""
|
|
|
|
PROSODY_SECUREDOMAIN_END=""
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
# Websockets haven't been fully tested in this type and don't work reliably
|
|
|
|
PROSODY_WEBSOCKET="-- "
|
|
|
|
|
|
|
|
# shellcheck disable=SC2034 # This is intended to be included
|
|
|
|
PROSODY_CONFIG="$(cat <<EOFPROSODY
|
|
|
|
-- Managed remotely, changes will be lost
|
|
|
|
${PROSODY_MAIN_START}
|
|
|
|
-- This will be managed by __jitsi_meet
|
|
|
|
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
|
|
|
|
|
|
|
|
-- domain mapper options, must at least have domain base set to use the mapper
|
|
|
|
muc_mapper_domain_base = "${JITSI_HOST:?}";
|
|
|
|
|
|
|
|
external_service_secret = "${TURN_SECRET:-TurnSecret}";
|
|
|
|
external_services = {
|
|
|
|
{ type = "stun", host = "${JITSI_HOST:?}", port = 3478 },
|
|
|
|
{ type = "turn", host = "${JITSI_HOST:?}", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
|
|
|
|
{ type = "turns", host = "${JITSI_HOST:?}", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
|
|
|
|
};
|
|
|
|
|
|
|
|
cross_domain_bosh = false;
|
|
|
|
consider_bosh_secure = true;
|
|
|
|
-- Use websockets
|
|
|
|
-- https://community.jitsi.org/t/how-to-how-to-enable-websockets-xmpp-websocket-and-smacks-for-prosody/87920
|
|
|
|
${PROSODY_WEBSOCKET}consider_websocket_secure = true;
|
|
|
|
|
|
|
|
-- https_ports = { }; -- Remove this line to prevent listening on port 5284
|
|
|
|
|
2022-04-21 13:52:47 +00:00
|
|
|
-- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
|
|
|
|
--http_cors_override = {
|
|
|
|
-- bosh = {
|
|
|
|
-- enabled = false;
|
|
|
|
-- };
|
|
|
|
-- websocket = {
|
|
|
|
-- enabled = false;
|
|
|
|
-- };
|
|
|
|
--}
|
|
|
|
|
2022-04-21 11:20:30 +00:00
|
|
|
-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
|
|
|
|
ssl = {
|
|
|
|
protocol = "tlsv1_2+";
|
|
|
|
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
|
|
|
|
}
|
|
|
|
|
|
|
|
unlimited_jids = {
|
|
|
|
"${FOCUS_USER:?}@auth.${JITSI_HOST:?}",
|
|
|
|
"jvb@auth.${JITSI_HOST:?}"
|
|
|
|
}
|
|
|
|
${PROSODY_MAIN_END}
|
|
|
|
|
|
|
|
${PROSODY_DOMAIN_START}
|
|
|
|
-- This will be managed by __jitsi_meet_domain
|
|
|
|
VirtualHost "${JITSI_DOMAIN:?}"
|
|
|
|
-- enabled = false -- Remove this line to enable this host
|
|
|
|
authentication = "anonymous"
|
|
|
|
-- Properties below are modified by jitsi-meet-tokens package config
|
|
|
|
-- and authentication above is switched to "token"
|
|
|
|
--app_id="example_app_id"
|
|
|
|
--app_secret="example_app_secret"
|
|
|
|
-- Assign this host a certificate for TLS, otherwise it would use the one
|
|
|
|
-- set in the global section (if any).
|
|
|
|
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
|
|
|
|
-- use the global one.
|
|
|
|
ssl = {
|
|
|
|
key = "/etc/prosody/certs/${JITSI_DOMAIN:?}.key";
|
|
|
|
certificate = "/etc/prosody/certs/${JITSI_DOMAIN:?}.crt";
|
|
|
|
}
|
|
|
|
av_moderation_component = "avmoderation.${JITSI_DOMAIN:?}"
|
|
|
|
speakerstats_component = "speakerstats.${JITSI_DOMAIN:?}"
|
|
|
|
conference_duration_component = "conferenceduration.${JITSI_DOMAIN:?}"
|
|
|
|
-- we need bosh
|
|
|
|
modules_enabled = {
|
|
|
|
"bosh";
|
|
|
|
"pubsub";
|
|
|
|
"ping"; -- Enable mod_ping
|
|
|
|
"speakerstats";
|
|
|
|
"external_services";
|
|
|
|
"conference_duration";
|
|
|
|
"muc_lobby_rooms";
|
|
|
|
"muc_breakout_rooms";
|
|
|
|
"av_moderation";
|
|
|
|
${PROSODY_WEBSOCKET} "websocket";
|
|
|
|
${PROSODY_WEBSOCKET} "smacks";
|
|
|
|
}
|
|
|
|
smacks_max_unacked_stanzas = 5;
|
|
|
|
smacks_hibernation_time = 60;
|
|
|
|
smacks_max_hibernated_sessions = 1;
|
|
|
|
smacks_max_old_sessions = 1;
|
|
|
|
c2s_require_encryption = false
|
|
|
|
lobby_muc = "lobby.${JITSI_DOMAIN:?}"
|
|
|
|
breakout_rooms_muc = "breakout.${JITSI_DOMAIN:?}"
|
|
|
|
main_muc = "conference.${JITSI_DOMAIN:?}"
|
|
|
|
-- muc_lobby_whitelist = { "recorder.${JITSI_DOMAIN:?}" } -- Here we can whitelist jibri to enter lobby enabled rooms
|
|
|
|
|
|
|
|
Component "conference.${JITSI_DOMAIN:?}" "muc"
|
|
|
|
restrict_room_creation = true
|
|
|
|
storage = "memory"
|
|
|
|
modules_enabled = {
|
|
|
|
"muc_meeting_id";
|
|
|
|
"muc_domain_mapper";
|
|
|
|
"polls";
|
|
|
|
--"token_verification";
|
|
|
|
"muc_rate_limit";
|
|
|
|
}
|
|
|
|
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
|
|
|
|
muc_room_locking = false
|
|
|
|
muc_room_default_public_jids = true
|
|
|
|
|
|
|
|
Component "breakout.${JITSI_DOMAIN:?}" "muc"
|
|
|
|
restrict_room_creation = true
|
|
|
|
storage = "memory"
|
|
|
|
modules_enabled = {
|
|
|
|
"muc_meeting_id";
|
|
|
|
"muc_domain_mapper";
|
|
|
|
--"token_verification";
|
|
|
|
"muc_rate_limit";
|
|
|
|
"polls";
|
|
|
|
}
|
|
|
|
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
|
|
|
|
muc_room_locking = false
|
|
|
|
muc_room_default_public_jids = true
|
|
|
|
|
|
|
|
-- internal muc component
|
|
|
|
Component "internal.auth.${JITSI_DOMAIN:?}" "muc"
|
|
|
|
storage = "memory"
|
|
|
|
modules_enabled = {
|
|
|
|
"ping";
|
|
|
|
}
|
|
|
|
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}", "jvb@auth.${JITSI_HOST:?}" }
|
|
|
|
muc_room_locking = false
|
|
|
|
muc_room_default_public_jids = true
|
|
|
|
${PROSODY_DOMAIN_END}
|
|
|
|
${PROSODY_MAIN_START}
|
|
|
|
-- This will be managed by __jitsi_meet
|
|
|
|
|
|
|
|
VirtualHost "auth.${JITSI_DOMAIN:?}"
|
|
|
|
ssl = {
|
|
|
|
key = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.key";
|
|
|
|
certificate = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.crt";
|
|
|
|
}
|
|
|
|
|
|
|
|
modules_enabled = {
|
|
|
|
"limits_exception";
|
|
|
|
}
|
|
|
|
authentication = "internal_hashed"
|
|
|
|
${PROSODY_MAIN_END}
|
|
|
|
${PROSODY_DOMAIN_START}
|
|
|
|
-- This will be managed by __jitsi_meet_domain
|
|
|
|
|
|
|
|
-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
|
|
|
|
Component "focus.${JITSI_DOMAIN:?}" "client_proxy"
|
|
|
|
-- Single focus user for the whole instance
|
|
|
|
target_address = "${FOCUS_USER:?}@auth.${JITSI_HOST:?}"
|
|
|
|
|
|
|
|
Component "speakerstats.${JITSI_DOMAIN:?}" "speakerstats_component"
|
|
|
|
muc_component = "conference.${JITSI_DOMAIN:?}"
|
|
|
|
|
|
|
|
Component "conferenceduration.${JITSI_DOMAIN:?}" "conference_duration_component"
|
|
|
|
muc_component = "conference.${JITSI_DOMAIN:?}"
|
|
|
|
|
|
|
|
Component "avmoderation.${JITSI_DOMAIN:?}" "av_moderation_component"
|
|
|
|
muc_component = "conference.${JITSI_DOMAIN:?}"
|
|
|
|
|
|
|
|
Component "lobby.${JITSI_DOMAIN:?}" "muc"
|
|
|
|
storage = "memory"
|
|
|
|
restrict_room_creation = true
|
|
|
|
muc_room_locking = false
|
|
|
|
muc_room_default_public_jids = true
|
|
|
|
modules_enabled = {
|
|
|
|
"muc_rate_limit";
|
|
|
|
"polls";
|
|
|
|
}
|
|
|
|
${PROSODY_DOMAIN_END}
|
|
|
|
|
|
|
|
${PROSODY_SECUREDOMAIN_START}
|
|
|
|
-- Only used on secured domains
|
|
|
|
VirtualHost "${JITSI_DOMAIN}"
|
|
|
|
authentication = "internal_plain"
|
|
|
|
|
|
|
|
VirtualHost "guest.${JITSI_DOMAIN}"
|
|
|
|
authentication = "anonymous"
|
|
|
|
c2s_require_encryption = false
|
|
|
|
${PROSODY_SECUREDOMAIN_END}
|
|
|
|
EOFPROSODY
|
|
|
|
)"
|