From 1d867f4778e415cc8f39e01df54570e055089af6 Mon Sep 17 00:00:00 2001
From: Evilham
Date: Sat, 30 Oct 2021 12:34:14 +0200
Subject: [PATCH 01/24] [__haproxy_dualstack] New type with PROXY protocol support

This is backwards compatible with what is already used internally @ungleich, but adds on top of that the ability to customise ports and, most importantly, it adds PROXY protocol support.

---
type/__haproxy_dualstack/files/http | 8 +
type/__haproxy_dualstack/files/https | 10 ++
type/__haproxy_dualstack/files/imaps | 12 ++
type/__haproxy_dualstack/files/smtps | 12 ++
type/__haproxy_dualstack/man.rst | 122 ++++++++++++++
type/__haproxy_dualstack/manifest | 155 ++++++++++++++++++
.../parameter/default/protocol | 1 +
.../parameter/optional_multiple | 3 +
type/__haproxy_dualstack/singleton | 0
9 files changed, 323 insertions(+)
create mode 100644 type/__haproxy_dualstack/files/http
create mode 100644 type/__haproxy_dualstack/files/https
create mode 100644 type/__haproxy_dualstack/files/imaps
create mode 100644 type/__haproxy_dualstack/files/smtps
create mode 100644 type/__haproxy_dualstack/man.rst
create mode 100644 type/__haproxy_dualstack/manifest
create mode 100644 type/__haproxy_dualstack/parameter/default/protocol
create mode 100644 type/__haproxy_dualstack/parameter/optional_multiple
create mode 100644 type/__haproxy_dualstack/singleton

diff --git a/type/__haproxy_dualstack/files/http b/type/__haproxy_dualstack/files/http
new file mode 100644
index 0000000..0508a46
--- /dev/null
+++ b/type/__haproxy_dualstack/files/http
@@ -0,0 +1,8 @@
+frontend http
+ bind BIND@:80
+ mode http
+ option httplog
+ default_backend http
+
+backend http
+ mode http
diff --git a/type/__haproxy_dualstack/files/https b/type/__haproxy_dualstack/files/https
new file mode 100644
index 0000000..73deac4
--- /dev/null
+++ b/type/__haproxy_dualstack/files/https
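Review bot: The `frontend http` block runs in `mode http` but sets no `option forwardfor`, so the one protocol where HAProxy already parses the request still hides the client address from the backend; the man page in this patch presents the PROXY protocol as the only remedy, which for plain HTTP it is not. Adding `option forwardfor` next to `mode http` passes the client IP in X-Forwarded-For without any change on the backend port. Note also that the routing rule the manifest appends for this protocol is an exact `hdr(host) -i NAME` match, so a request whose Host header carries an explicit port would match no `use-server` line and fall to the backend's default balancing.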
@@ -0,0 +1,10 @@
+frontend https
+ bind BIND@:443
+ mode tcp
+ option tcplog
+ tcp-request inspect-delay 5s
+ tcp-request content accept if { req_ssl_hello_type 1 }
+ default_backend https
+
+backend https
+ mode tcp
diff --git a/type/__haproxy_dualstack/files/imaps b/type/__haproxy_dualstack/files/imaps
new file mode 100644
index 0000000..b1ec379
--- /dev/null
+++ b/type/__haproxy_dualstack/files/imaps
@@ -0,0 +1,12 @@
+frontend imaps
+ bind BIND@:143
+ bind BIND@:993
+
+ mode tcp
+ option tcplog
+ tcp-request inspect-delay 5s
+ tcp-request content accept if { req_ssl_hello_type 1 }
+ default_backend imaps
+
+backend imaps
+ mode tcp
diff --git a/type/__haproxy_dualstack/files/smtps b/type/__haproxy_dualstack/files/smtps
new file mode 100644
index 0000000..dce6ed4
--- /dev/null
+++ b/type/__haproxy_dualstack/files/smtps
@@ -0,0 +1,12 @@
+frontend smtps
+ bind BIND@:25
+ bind BIND@:465
+
+ mode tcp
+ option tcplog
+ tcp-request inspect-delay 5s
+ tcp-request content accept if { req_ssl_hello_type 1 }
+ default_backend smtps
+
+backend smtps
+ mode tcp
diff --git a/type/__haproxy_dualstack/man.rst b/type/__haproxy_dualstack/man.rst
new file mode 100644
index 0000000..901eeda
--- /dev/null
+++ b/type/__haproxy_dualstack/man.rst
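Review bot: The imaps and smtps frontends also bind the STARTTLS/plaintext ports 143 and 25, yet the manifest routes every non-http protocol solely on `req_ssl_sni`, which is empty for a connection that does not open with a TLS ClientHello. Such a connection never satisfies the `accept if { req_ssl_hello_type 1 }` rule, is let through anyway once `inspect-delay 5s` expires because no `reject` rule exists, matches no `use-server` line and is then spread over all configured servers by the backend's default balancing, so mail or IMAP meant for one name can reach another backend. Either drop the 143/25 binds and document that only implicit-TLS ports are supported, or add `tcp-request content reject if !{ req_ssl_hello_type 1 }` after the accept line; the https frontend has the same fallback for a non-TLS client on 443, and the smtps hunk is identical to the imaps one.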
@@ -0,0 +1,122 @@
+cdist-type__haproxy_dualstack(7)
+================================
+
+
+NAME
+----
+cdist-type__haproxy_dualstack - Proxy services from a dual-stack server
+
+
+DESCRIPTION
+-----------
+This (singleton) type installs and configures haproxy to act as a dual-stack
+proxy for single-stack services.
+
+This can be useful to add IPv4 support to IPv6-only services while only using
+one IPv4 for many such services.
+
+By default this type uses the plain TCP proxy mode, which means that there is no
+need for TLS termination on this host when SNI is supported.
+This also means that proxied service will not receive the client's IP address,
+but will see the proxy's IP address instead (that of `$__target_host`).
+
+This can be solved by using the PROXY protocol, but do take into account that,
+e.g. nginx cannot serve both regular HTTP(S) and PROXY protocols on the same
+port, so you will need to use other ports for that.
+
+As a recommendation in this type: use TCP ports 8080 and 591 respectively to
+serve HTTP and HTTPS using the PROXY protocol.
+
+See the EXAMPLES for more details.
+
+
+
+OPTIONAL PARAMETERS
+-------------------
+v4proxy
+ Proxy incoming IPv4 connections to the equivalent IPv6 endpoint.
+ In its simplest use, it must be a NAME with an `AAAA` DNS entry, which is
+ the IP address actually providing the proxied services.
+ The full format of this argument is:
+ `[proxy:]NAME[[:PROTOCOL_1=PORT_1]...[:PROTOCOL_N=PORT_N]]`
+ Where starting with `proxy:` determines that the PROXY protocol must be
+ used and each `:PROTOCOL=PORT` (e.g. `:http=8080` or `:https=591`) is a PORT
+ override for the given PROTOCOL (see `--protocol`), if not present the
+ PROTOCOL's default port will be used.
+
+
+v6proxy
+ Proxy incoming IPv6 connections to the equivalent IPv4 endpoint.
+ In its simplest use, it must be a NAME with an `A` DNS entry, which is
+ the IP address actually providing the proxied services.
+ See `--v4proxy` for more options and details.
+
+protocol
+ Can be passed multiple times or as a space-separated list of protocols.
+ Currently supported protocols are: `http`, `https`, `imaps`, `smtps`.
+ This defaults to: `http https imaps smtps`.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+ # Proxy the IPv6-only services so IPv4-only clients can access them
+ # This uses HAProxy's TCP mode for http, https, imaps and smtps
+ __haproxy_dualstack \
+ --v4proxy ipv6.chat \
+ --v4proxy matrix.ungleich.ch
+
+ # Proxy the IPv6-only HTTP(S) services so IPv4-only clients can access them
+ # Note this means that the backend IPv6-only server will only see
+ # the IPv6 address of the haproxy host managed by cdist, which can be
+ # troublesome if this information is relevant for analytics/security/...
+ # See the PROXY example below
+ __haproxy_dualstack \
+ --protocol http --protocol https \
+ --v4proxy ipv6.chat \
+ --v4proxy matrix.ungleich.ch
+
+ # Use the PROXY protocol to proxy the IPv6-only HTTP(S) services enabling
+ # IPv4-only clients to access them while maintaining the client's IP address
+ __haproxy_dualstack \
+ --protocol http --protocol https \
+ --v4proxy proxy:ipv6.chat:http=8080:https=591 \
+ --v4proxy proxy:matrix.ungleich.ch:http=8080:https=591
+ # Note however that the PROXY protocol is not compatible with regular
+ # HTTP(S) protocols, so your nginx will have to listen on different ports
+ # with the PROXY settings.
+ # Note that you will need to restrict access to the 8080 port to prevent
+ # Client IP spoofing.
+ # This can be something like:
+ # server {
+ # # listen for regular HTTP connections
+ # listen [::]:80 default_server;
+ # listen 80 default_server;
+ # # listen for PROXY HTTP connections
+ # listen [::]:8080 proxy_protocol;
+ # # Accept the Client's IP from the PROXY protocol
+ # real_ip_header proxy_protocol;
+ # }
+
+
+SEE ALSO
+--------
+- https://www.haproxy.com/blog/haproxy/proxy-protocol/
+- https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
+- https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
+
+
+AUTHORS
+-------
+ungleich
+Evilham
+
+
+COPYING
+-------
+Copyright \(C) 2021 ungleich glarus ag. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
diff --git a/type/__haproxy_dualstack/manifest b/type/__haproxy_dualstack/manifest
new file mode 100644
index 0000000..d110eea
--- /dev/null
+++ b/type/__haproxy_dualstack/manifest
@@ -0,0 +1,155 @@
+#!/bin/sh -eu
+
+__package haproxy
+require="__package/haproxy" __start_on_boot haproxy
+
+tmpdir="$__object/files"
+mkdir "$tmpdir"
+configtmp="$__object/files/haproxy.cfg"
+
+os=$(cat "$__global/explorer/os")
+case $os in
+ freebsd)
+ CONFIG_FILE="/usr/local/etc/haproxy.conf"
+ cat < "$configtmp"
+global
+ maxconn 4000
+ user nobody
+ group nogroup
+ daemon
+
+EOF
+
+ ;;
+ *)
+ CONFIG_FILE="/etc/haproxy/haproxy.cfg"
+ cat < "$configtmp"
+global
+ log [::1] local2
+ chroot /var/lib/haproxy
+ pidfile /var/run/haproxy.pid
+ maxconn 4000
+ user haproxy
+ group haproxy
+ daemon
+
+ # turn on stats unix socket
+ stats socket /var/lib/haproxy/stats
+
+EOF
+ ;;
+esac
+
+cat <> "$configtmp"
+defaults
+ retries 3
+ log global
+ timeout http-request 10s
+ timeout queue 1m
+ timeout connect 10s
+ timeout client 1m
+ timeout server 1m
+ timeout http-keep-alive 10s
+ timeout check 10s
+EOF
+
+dig_cmd="$(command -v dig || true)"
+get_ip() {
+ # Usage: get_ip (ipv4|ipv6) NAME
+ # uses "dig" if available, else fallback to "host"
+ case $1 in
+ ipv4)
+ if [ -n "${dig_cmd}" ]; then
+ ${dig_cmd} +short A "$2"
+ else
+ host -t A "$2" | cut -d ' ' -f 4 | grep -v 'found:'
+ fi
+ ;;
+ ipv6)
+ if [ -n "${dig_cmd}" ]; then
+ ${dig_cmd} +short AAAA "$2"
+ else
+ host -t AAAA "$2" | cut -d ' ' -f 5 | grep -v 'NXDOMAIN'
+ fi
+ ;;
+ esac
+}
+
+PROTOCOLS="$(cat "$__object/parameter/protocol")"
+
+for proxy in v4proxy v6proxy; do
+ param=$__object/parameter/$proxy
+ # no backend? skip generating code
+ if [ ! -f "$param" ]; then
+ continue
+ fi
+
+ # turn backend name into bind parameter: v4backend -> ipv4@
+ bind=$(echo $proxy | sed -e 's/^/ip/' -e 's/proxy//')
+
+ case $bind in
+ ipv4)
+ backendproto=ipv6
+ ;;
+ ipv6)
+ backendproto=ipv4
+ ;;
+ esac
+
+ for proto in ${PROTOCOLS}; do
+ # Add protocol "header"
+ printf "\n# %s %s \n" "${bind}" "${proto}" >> "$configtmp"
+
+ sed -e "s/BIND/$bind/" \
+ -e "s/\(frontend[[:space:]].*\)/\1$bind/" \
+ -e "s/\(backend[[:space:]].*\)/\\1$bind/" \
+ "$__type/files/$proto" >> "$configtmp"
+
+ while read -r hostdefinition; do
+ if echo "$hostdefinition" | grep -qE '^proxy:'; then
+ # Proxy protocol was requested
+ host="$(echo "$hostdefinition" | sed -E 's/^proxy:([^:]+).*$/\1/')"
+ send_proxy=" send-proxy"
+ else
+ # Just use tcp proxy mode
+ host="$hostdefinition"
+ send_proxy=""
+ fi
+ if echo "$hostdefinition" | grep -qE ":${proto}="; then
+ # Use custom port definition if requested
+ port="$(echo "$hostdefinition" | sed -E "s/^(.*:)?${proto}=([0-9]+).*$/:\2/")"
+ else
+ # Else use the default
+ port=""
+ fi
+ servername=$host
+
+ res=$(get_ip "$bind" "$servername")
+
+ if [ -z "$res" ]; then
+ echo "$servername does not resolve - aborting config" >&2
+ exit 1
+ fi
+
+ # Treat protocols without TLS+SNI specially
+ if [ "$proto" = http ]; then
+ echo " use-server $servername if { hdr(host) -i $host }" >> "$configtmp"
+ else
+ echo " use-server $servername if { req_ssl_sni -i $host }" >> "$configtmp"
+ fi
+
+ # Create the "server" itself.
+ # Note that port and send_proxy will be empty unless
+ # they were requested by the type user
+ echo " server $servername ${backendproto}@${host}${port}${send_proxy}" >> "$configtmp"
+
+ done < "$param"
+ done
+done
+
+# Create config file
+require="__package/haproxy" __file ${CONFIG_FILE} --source "$configtmp" --mode 0644
+
+require="__file${CONFIG_FILE}" __check_messages "haproxy_reload" \
+ --pattern "^__file${CONFIG_FILE}" \
+ --execute "service haproxy reload || service haproxy restart"
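Review bot: For a `v4proxy`/`v6proxy` entry that uses a port override without the `proxy:` prefix, the `else` branch sets `host="$hostdefinition"`, so `host` keeps the `:PROTOCOL=PORT` suffix that the man page allows (`NAME[[:PROTOCOL=PORT]...]`) and the manifest then asks `get_ip` to resolve that suffixed string and aborts with "does not resolve"; had it passed, the suffix would have landed verbatim in both `use-server ... -i $host` and `server ... ${backendproto}@${host}${port}`. Extract the name the same way in both branches, e.g. `host="$(echo "$hostdefinition" | sed -E 's/^(proxy:)?([^:]+).*$/\2/')"` placed before the `grep -qE '^proxy:'` test, and keep that test only for setting `send_proxy`. Separately, `--execute "service haproxy reload || service haproxy restart"` applies the freshly generated file without validating it; since the user-supplied names are interpolated unchecked into ACL and server lines, a syntactically bad entry would fail both reload and restart and leave the proxy down, so prefixing `haproxy -c -f ${CONFIG_FILE} &&` is cheap insurance.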
diff --git a/type/__haproxy_dualstack/parameter/default/protocol b/type/__haproxy_dualstack/parameter/default/protocol new file mode 100644 index 0000000..dc8bb7b --- /dev/null +++ b/type/__haproxy_dualstack/parameter/default/protocol @@ -0,0 +1 @@ +http https imaps smtps diff --git a/type/__haproxy_dualstack/parameter/optional_multiple b/type/__haproxy_dualstack/parameter/optional_multiple new file mode 100644 index 0000000..8c482bd --- /dev/null +++ b/type/__haproxy_dualstack/parameter/optional_multiple @@ -0,0 +1,3 @@ +protocol +v4proxy +v6proxy diff --git a/type/__haproxy_dualstack/singleton b/type/__haproxy_dualstack/singleton new file mode 100644 index 0000000..e69de29 From f9515def9288651a6c1817f0f2d042d9078205a0 Mon Sep 17 00:00:00 2001 From: Evilham Date: Sat, 30 Oct 2021 12:49:00 +0200 Subject: [PATCH 02/24] [__haproxy_dualstack] Improve manpage --- type/__haproxy_dualstack/man.rst | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/type/__haproxy_dualstack/man.rst b/type/__haproxy_dualstack/man.rst index 901eeda..6c131cb 100644 --- a/type/__haproxy_dualstack/man.rst +++ b/type/__haproxy_dualstack/man.rst @@ -17,7 +17,7 @@ one IPv4 for many such services. By default this type uses the plain TCP proxy mode, which means that there is no need for TLS termination on this host when SNI is supported. -This also means that proxied service will not receive the client's IP address, +This also means that proxied services will not receive the client's IP address, but will see the proxy's IP address instead (that of `$__target_host`). This can be solved by using the PROXY protocol, but do take into account that, @@ -30,7 +30,6 @@ serve HTTP and HTTPS using the PROXY protocol. See the EXAMPLES for more details. - OPTIONAL PARAMETERS ------------------- v4proxy 
@@ -103,9 +102,9 @@ EXAMPLES SEE ALSO -------- +- https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/ - https://www.haproxy.com/blog/haproxy/proxy-protocol/ - https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/ -- https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/ AUTHORS From 18f02e24aa0170b71515013bac2a4975c02c06bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Tue, 16 Nov 2021 14:16:16 +0100 Subject: [PATCH 03/24] __matrix_synapse: use upstream matrix.org APT repository on debian --- type/__matrix_synapse/manifest | 48 ++++++++++------------------------ 1 file changed, 14 insertions(+), 34 deletions(-) diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index 4650a17..40ce138 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest 
@@ -25,29 +25,22 @@ distribution=$(cat "$__global/explorer/lsb_codename") case "$os" in debian) synapse_user=matrix-synapse - synapse_pkg=matrix-synapse + synapse_pkg=matrix-synapse-py3 synapse_service=matrix-synapse ldap_auth_provider_pkg=matrix-synapse-ldap3 synapse_conf_dir='/etc/matrix-synapse' synapse_data_dir='/var/lib/matrix-synapse' - # See https://packages.debian.org/bullseye/matrix-synapse for state of - # synapse packaging in debian. + # We use upstream's APT repository in order to stay up-to-date: upstream + # moves fast and downstream debian package is necessarily delayed. case "$distribution" in - stretch) - echo "The matrix-synapse package in debian stretch is outdated and unusable." >&2 - exit 1 - ;; - buster) - # Enable debian-backports for debian Buster, as the 'stable' - # matrix-synapse package is ways too old (< 1.0). - apt_target_release=buster-backports - __apt_backports - ;; - bullseye|sid) - # As of writting (2021-02), the default matrix-synapse of those - # release is perfectly usable. - : + buster|bulleye|bookworm|sid) + __apt_key matrix-org \ + --uri https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg + require="__apt_key/matrix-org" __apt_source matrix-org \ + --uri https://packages.matrix.org/debian/ \ + --component main + package_req="__apt_source/matrix-org" ;; *) echo "Unknown debian release '$distribution'. Exiting" >&2 
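Review bot: The new case pattern `buster|bulleye|bookworm|sid)` misspells `bullseye`, so hosts on that release fall through to the `*)` branch and the manifest exits with "Unknown debian release", even though the commit message says the upstream repository is meant to serve them. The pattern should read `buster|bullseye|bookworm|sid)`. A later patch in this series removes the codename `case` entirely, which makes the issue moot there, but this commit on its own is broken for bullseye.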
@@ -309,25 +302,12 @@ case "$DATABASE_ENGINE" in esac -# Install OS packages. We have a bit of boilerplate to handle the debian -# backports situation. -synapse_req= -if [ -n "$apt_target_release" ]; then - require="__apt_backports" __package_apt "$synapse_pkg" \ - --target-release "$apt_target_release" - synapse_req="__package_apt/$synapse_pkg" -else - __package "$synapse_pkg" - synapse_req="__package/$synapse_pkg" -fi +# Install OS packages. +require="$package_req" __package "$synapse_pkg" +synapse_req="__package/$synapse_pkg" if [ -n "$ENABLE_LDAP_AUTH" ]; then - if [ -n "$apt_target_release" ]; then - require="__package_apt/$synapse_pkg" __package_apt "$ldap_auth_provider_pkg" \ - --target-release "$apt_target_release" - else - __package "$ldap_auth_provider_pkg" - fi + require="$package_req" __package "$ldap_auth_provider_pkg" fi # Generate and deploy configuration files. From fc6764be449ef81cd0fed10d8cffd8163df2eab3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Tue, 16 Nov 2021 15:13:16 +0100 Subject: [PATCH 04/24] __matrix_synapse_worker: change synapse call to fit matrix.org packaging --- .../files/matrix-synapse-worker@.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/type/__matrix_synapse_worker/files/matrix-synapse-worker@.service b/type/__matrix_synapse_worker/files/matrix-synapse-worker@.service index 6352b00..6f89cd8 100644 --- a/type/__matrix_synapse_worker/files/matrix-synapse-worker@.service +++ b/type/__matrix_synapse_worker/files/matrix-synapse-worker@.service 
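Review bot: `require="$package_req" __package "$synapse_pkg"` (and the same `require="$package_req"` on the LDAP package below it) depends on `package_req`, which the first hunk assigns only inside the `debian)` branch; on the other OS branches the `case "$os"` block handles (alpine is visible in a later hunk of this series) it is never set. With `sh -e` alone that silently degrades to an empty `require=`, and if the manifest runs under `set -u` it aborts with an unbound-variable error instead. Initialise it once, `package_req=`, next to the other variables before the `case "$os" in` block so both paths are well defined.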
@@ -15,7 +15,7 @@ NotifyAccess=main User=matrix-synapse WorkingDirectory=/var/lib/matrix-synapse EnvironmentFile=/etc/default/matrix-synapse -ExecStart=/usr/bin/python3 -m synapse.app.generic_worker --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --config-path=/etc/matrix-synapse/workers/%i.yaml +ExecStart=/opt/venvs/matrix-synapse/bin/python -m synapse.app.generic_worker --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --config-path=/etc/matrix-synapse/workers/%i.yaml ExecReload=/bin/kill -HUP $MAINPID Restart=on-failure RestartSec=3 From 25406ea3a09cd6bad51b44246b77905198a75384 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Tue, 30 Nov 2021 13:32:03 +0100 Subject: [PATCH 05/24] __matrix_synapse: add support for Ubuntu --- type/__matrix_synapse/gencode-remote | 2 +- type/__matrix_synapse/manifest | 30 ++++++++++------------------ 2 files changed, 11 insertions(+), 21 deletions(-) diff --git a/type/__matrix_synapse/gencode-remote b/type/__matrix_synapse/gencode-remote index cf7c648..30770ed 100755 --- a/type/__matrix_synapse/gencode-remote +++ b/type/__matrix_synapse/gencode-remote @@ -8,7 +8,7 @@ case "$os" in synapse_conf_dir=/etc/synapse synapse_service=synapse ;; - debian) + debian|ubuntu) synapse_conf_dir=/etc/matrix-synapse synapse_service=matrix-synapse ;; diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index 40ce138..04ccd42 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest @@ -20,10 +20,9 @@ # OS-specific configuration. os=$(cat "$__global/explorer/os") -distribution=$(cat "$__global/explorer/lsb_codename") case "$os" in - debian) + debian|ubuntu) synapse_user=matrix-synapse synapse_pkg=matrix-synapse-py3 synapse_service=matrix-synapse 
@@ -31,22 +30,13 @@ case "$os" in synapse_conf_dir='/etc/matrix-synapse' synapse_data_dir='/var/lib/matrix-synapse' - # We use upstream's APT repository in order to stay up-to-date: upstream - # moves fast and downstream debian package is necessarily delayed. - case "$distribution" in - buster|bulleye|bookworm|sid) - __apt_key matrix-org \ - --uri https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg - require="__apt_key/matrix-org" __apt_source matrix-org \ - --uri https://packages.matrix.org/debian/ \ - --component main - package_req="__apt_source/matrix-org" - ;; - *) - echo "Unknown debian release '$distribution'. Exiting" >&2 - exit 1 - ;; - esac + __apt_key matrix-org \ + --uri https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg + + require="__apt_key/matrix-org" __apt_source matrix-org \ + --uri https://packages.matrix.org/debian/ \ + --component main + package_req="__apt_source/matrix-org" ;; alpine) synapse_user=synapse @@ -330,8 +320,8 @@ for directory in $DATA_DIR $LOG_DIR; do --owner $synapse_user done -# Make dpkg-reconfigure happy on debian systems. -if [ "$os" = "debian" ]; then +# Make dpkg-reconfigure happy on debian-based systems. +if [ "$os" = "debian" ] || [ "$os" = "ubuntu" ]; then require="$synapse_req" __file "$synapse_conf_dir/conf.d/server_name.yaml" \ --owner $synapse_user \ --source - <<- EOF From 08e81d1e978e293ceb10585edfca29729782448c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Wed, 1 Dec 2021 08:32:37 +0100 Subject: [PATCH 06/24] __matrix_synapse: fixe ignored registration-shared-secret parameter --- type/__matrix_synapse/files/homeserver.yaml.sh | 3 +++ type/__matrix_synapse/manifest | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh index bc94391..2952919 100755 --- a/type/__matrix_synapse/files/homeserver.yaml.sh +++ b/type/__matrix_synapse/files/homeserver.yaml.sh 
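Review bot: The `debian|ubuntu)` branch now unconditionally imports the repository signing key with `__apt_key matrix-org --uri https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg`, which trusts whatever key that URL serves at run time; if `__apt_key` supports pinning an expected key id or fingerprint, pass it so a replaced download cannot silently re-key the APT trust for every host using this type, and otherwise record the expected fingerprint in a comment next to the call so operators can verify it. The `__apt_source` call also points Ubuntu hosts at the same `.../debian/` path with no explicit distribution, so it presumably picks the host codename; a short comment stating that matrix.org publishes Ubuntu suites under that path would tell the next reader why this is expected to work.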
@@ -1330,9 +1330,12 @@ EOF if [ -n "$REGISTRATION_SHARED_SECRET" ]; then echo "registration_shared_secret: '$REGISTRATION_SHARED_SECRET'" +else + echo "# registration_shared_secret: 'secret'" fi cat << EOF + # Set the number of bcrypt rounds used to generate password hash. # Larger numbers increase the work factor needed to generate the hash. # The default number is 12 (which equates to 2^12 rounds). diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index 04ccd42..d2bb9fd 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest @@ -172,7 +172,7 @@ ENABLE_REGISTRATIONS=$(get_boolean_for 'enable-registrations') USER_DIRECTORY_SEARCH_ALL_USERS=$(get_boolean_for 'user-directory-search-all-users') export ALLOW_GUEST_ACCESS ENABLE_REGISTRATIONS USER_DIRECTORY_SEARCH_ALL_USERS -if [ -f "$__object/parameter/registration-shared-token" ]; then +if [ -f "$__object/parameter/registration-shared-secret" ]; then REGISTRATION_SHARED_SECRET=$(cat "$__object/parameter/registration-shared-secret") export REGISTRATION_SHARED_SECRET fi From d872f1d4f069717ca3f746b572a2c9e35ced02f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Wed, 1 Dec 2021 15:55:34 +0100 Subject: [PATCH 07/24] __matrix_synapse: add --turn-username and --turn-password flags --- type/__matrix_synapse/files/homeserver.yaml.sh | 18 +++++++++++++++--- type/__matrix_synapse/man.rst | 8 ++++++++ type/__matrix_synapse/manifest | 10 ++++++++++ type/__matrix_synapse/parameter/optional | 2 ++ 4 files changed, 35 insertions(+), 3 deletions(-) diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh index 2952919..5ba7d1a 100755 --- a/type/__matrix_synapse/files/homeserver.yaml.sh +++ b/type/__matrix_synapse/files/homeserver.yaml.sh 
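Review bot: `echo "registration_shared_secret: '$REGISTRATION_SHARED_SECRET'"` interpolates the secret into a single-quoted YAML scalar, so a secret containing a `'` yields an invalid or truncated value and Synapse will refuse the config or register with the wrong secret. Escape it for YAML before emitting, e.g. `secret=$(printf '%s' "$REGISTRATION_SHARED_SECRET" | sed "s/'/''/g")` and use `'$secret'`, or document in the man page which characters the parameter may contain. The enclosing `if` starts inside the hunk but the surrounding heredoc structure continues outside it.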
@@ -1175,14 +1175,26 @@ fi cat << EOF # The shared secret used to compute passwords for the TURN server # -turn_shared_secret: "$TURN_SHARED_SECRET" +EOF +if [ -n "$TURN_SHARED_SECRET" ]; then + echo "turn_shared_secret: \"$TURN_SHARED_SECRET\"" +fi + +cat << EOF # The Username and password if the TURN server needs them and # does not use a token # -#turn_username: "TURNSERVER_USERNAME" -#turn_password: "TURNSERVER_PASSWORD" +EOF +if [ -n "$TURN_USERNAME" ] || [ "$TURN_PASSWORD" ]; then + cat <<- EOF + turn_username: "$TURN_USERNAME" + turn_password: "$TURN_PASSWORD" + EOF +fi + +cat << EOF # How long generated TURN credentials last # turn_user_lifetime: ${TURN_USER_LIFETIME:?} diff --git a/type/__matrix_synapse/man.rst b/type/__matrix_synapse/man.rst index 4eb23bb..c3de79d 100644 --- a/type/__matrix_synapse/man.rst +++ b/type/__matrix_synapse/man.rst @@ -133,6 +133,14 @@ turn-uri turn-shared-secret Shared secret used to access the TURN REST API. +turn-username + Username used to authenticate against the TURN server if needed / a shared + secret token is not used. + +turn-password + Password used to authenticate against the TURN server if needed / a shared + secret token is not used. + turn-user-lifetime Lifetime of TURN credentials. Defaults to 1h. diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index d2bb9fd..dbf318f 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest @@ -246,6 +246,16 @@ if [ -f "$__object/parameter/turn-uri" ]; then export TURN_URIS fi +if [ -f "$__object/parameter/turn-username" ]; then + TURN_USERNAME=$(cat "$__object/parameter/turn-username") + export TURN_USERNAME +fi + +if [ -f "$__object/parameter/turn-password" ]; then + TURN_PASSWORD=$(cat "$__object/parameter/turn-password") + export TURN_PASSWORD +fi + # Worker-mode configuration. export MAIN_LISTENER_PORT=8008 export ENABLE_MEDIA_REPO='true' 
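Review bot: The guard `if [ -n "$TURN_USERNAME" ] || [ "$TURN_PASSWORD" ]; then` mixes two test styles and emits both `turn_username` and `turn_password` as soon as either is set, so a host given only one parameter gets the other written as the empty string rather than omitted. Use `[ -n "$TURN_USERNAME" ] || [ -n "$TURN_PASSWORD" ]` for consistency and consider either requiring both parameters together or emitting each key under its own `-n` test. The block is written with `cat <<- EOF`, which strips leading tabs only; if those two lines are indented with spaces they stay indented under the previous top-level key and the YAML becomes invalid — the collapsed diff does not let me confirm which whitespace is used.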
diff --git a/type/__matrix_synapse/parameter/optional b/type/__matrix_synapse/parameter/optional index 1378365..67250d7 100644 --- a/type/__matrix_synapse/parameter/optional +++ b/type/__matrix_synapse/parameter/optional @@ -13,6 +13,8 @@ ldap-bind-password ldap-filter turn-shared-secret turn-user-lifetime +turn-username +turn-password max-upload-size smtp-host smtp-port From 96beae4c2fe0525cf8141ac2bbd791195d289697 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Thu, 2 Dec 2021 11:38:26 +0100 Subject: [PATCH 08/24] __matrix_synapse:add --smal2-idp-metadata-uri flag --- type/__matrix_synapse/files/homeserver.yaml.sh | 10 ++++++++++ type/__matrix_synapse/manifest | 9 +++++++++ type/__matrix_synapse/parameter/optional | 1 + 3 files changed, 20 insertions(+) diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh index 5ba7d1a..caf259b 100755 --- a/type/__matrix_synapse/files/homeserver.yaml.sh +++ b/type/__matrix_synapse/files/homeserver.yaml.sh @@ -1711,7 +1711,17 @@ saml2_config: # local: ["saml2/idp.xml"] # remote: # - url: https://our_idp/metadata.xml +EOF +if [ -n "$SAML2_IDP_METADATA_URL" ]; then + cat << EOF + metadata: + remote: + - url: "$SAML2_IDP_METADATA_URL" +EOF +fi + +cat << EOF # Allowed clock difference in seconds between the homeserver and IdP. # # Uncomment the below to increase the accepted time difference from 0 to 3 seconds. diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index dbf318f..c85e4fc 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest 
@@ -191,6 +191,15 @@ if [ -f "$__object/parameter/registration-allows-email-pattern" ]; then export RESGISTRATION_ALLOWS_EMAIL_PATTERN fi +if [ -f "$__object/parameter/saml2-idp-metadata-url" ]; then + # Synapse fails to start while trying to parse IDP metadata if this package + # is not installed. + __package xmlsec1 + + SAML2_IDP_METADATA_URL=$(cat "$__object/parameter/saml2-idp-metadata-url") + export SAML2_IDP_METADATA_URL +fi + # Federation. ALLOW_PUBLIC_ROOMS_OVER_FEDERATION=$(get_boolean_for 'allow-public-room-over-federation') ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH=$(get_boolean_for 'allow-public-rooms-without-auth') diff --git a/type/__matrix_synapse/parameter/optional b/type/__matrix_synapse/parameter/optional index 67250d7..0547e1a 100644 --- a/type/__matrix_synapse/parameter/optional +++ b/type/__matrix_synapse/parameter/optional @@ -36,3 +36,4 @@ background-tasks-worker tls-cert tls-private-key registration-shared-secret +saml2-idp-metadata-url From 7b27eb5445a363043a68ed8fb332d6d668b76da3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Thu, 2 Dec 2021 13:07:06 +0100 Subject: [PATCH 09/24] __matrix_synapse: add --default-identity-server flag --- type/__matrix_synapse/files/homeserver.yaml.sh | 6 ++++++ type/__matrix_synapse/manifest | 5 +++++ type/__matrix_synapse/parameter/optional | 1 + 3 files changed, 12 insertions(+) diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh index caf259b..2e7670e 100755 --- a/type/__matrix_synapse/files/homeserver.yaml.sh +++ b/type/__matrix_synapse/files/homeserver.yaml.sh 
@@ -1368,7 +1368,13 @@ allow_guest_access: ${ALLOW_GUEST_ACCESS:?} # (By default, no suggestion is made, so it is left up to the client.) # #default_identity_server: https://matrix.org +EOF +if [ -n "$DEFAULT_IDENTITY_SERVER" ]; then + echo "default_identity_server: \"$DEFAULT_IDENTITY_SERVER\"" +fi + +cat << EOF # Handle threepid (email/phone etc) registration and password resets through a set of # *trusted* identity servers. Note that this allows the configured identity server to # reset passwords for accounts! diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index c85e4fc..8ba9152 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest @@ -200,6 +200,11 @@ if [ -f "$__object/parameter/saml2-idp-metadata-url" ]; then export SAML2_IDP_METADATA_URL fi +if [ -f "$__object/parameter/default-identity-server" ]; then + DEFAULT_IDENTITY_SERVER=$(cat "$__object/parameter/default-identity-server") + export DEFAULT_IDENTITY_SERVER +fi + # Federation. ALLOW_PUBLIC_ROOMS_OVER_FEDERATION=$(get_boolean_for 'allow-public-room-over-federation') ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH=$(get_boolean_for 'allow-public-rooms-without-auth') diff --git a/type/__matrix_synapse/parameter/optional b/type/__matrix_synapse/parameter/optional index 0547e1a..599e00b 100644 --- a/type/__matrix_synapse/parameter/optional +++ b/type/__matrix_synapse/parameter/optional @@ -37,3 +37,4 @@ tls-cert tls-private-key registration-shared-secret saml2-idp-metadata-url +default-identity-server From 698525fcd224bf2051578aa3b9e32b1fea7d0cc7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Mon, 6 Dec 2021 08:41:13 +0100 Subject: [PATCH 10/24] __matrix_synapse: add saml2-idp-medatada-url flag to manpage --- type/__matrix_synapse/man.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/type/__matrix_synapse/man.rst b/type/__matrix_synapse/man.rst index c3de79d..c368755 100644 --- a/type/__matrix_synapse/man.rst 
+++ b/type/__matrix_synapse/man.rst @@ -189,6 +189,9 @@ bind-address Address used to bind the synapse listeners. Can be specified multiple times. Defaults to '::1' and '127.0.0.1'. +saml2-idp-metadata-url + HTTP(S) url to SAML2 Identity Provider (IdP), used for Single Sign On (SSO) logic. + extra-setting Arbitrary string to be added to the configuration file. Can be specified multiple times. From a38275f6d7b051ff6186603b9ad594c6b0d85c1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Tue, 14 Dec 2021 12:37:18 +0100 Subject: [PATCH 11/24] __uacme*, __nginx: allow external ACME provider, EAB authentication --- type/__nginx/man.rst | 10 ++++++++++ type/__nginx/manifest | 22 +++++++++++++++++++++- type/__nginx/parameter/optional | 2 ++ type/__uacme_account/gencode-remote | 17 ++++++++++++++++- type/__uacme_account/man.rst | 11 +++++++++++ type/__uacme_account/parameter/optional | 2 ++ type/__uacme_obtain/files/renew.sh.sh | 4 ++-- type/__uacme_obtain/manifest | 16 ++++++++++++++++ type/__uacme_obtain/parameter/optional | 2 ++ 9 files changed, 82 insertions(+), 4 deletions(-) diff --git a/type/__nginx/man.rst b/type/__nginx/man.rst index 71d47e7..c1827c0 100644 --- a/type/__nginx/man.rst +++ b/type/__nginx/man.rst @@ -28,6 +28,16 @@ uacme-hookscript Custom hook passed to the __uacme_obtain type: useful to integrate the dns-01 challenge with third-party DNS providers. +acme-url + ACMEv2 server directory object URL. Lets'Encrypt is used by default. + +acme-eab-credentials + Specify RFC8555 External Account Binding credentials according to + https://tools.ietf.org/html/rfc8555#section-7.3.4, in order to associate a new + ACME account with an existing account in a non-ACME system such as a CA + customer database. KEYID must be an ASCII string. KEY must be + base64url-encoded. + EXAMPLES -------- diff --git a/type/__nginx/manifest b/type/__nginx/manifest index b552319..cdd483a 100644 --- a/type/__nginx/manifest +++ b/type/__nginx/manifest 
@@ -36,6 +36,20 @@ then set_custom_uacme_hookscript="--hookscript $uacme_hookscript" fi +set_custom_acme_url= +if [ -f "${__object:?}/parameter/acme-url" ]; +then + custom_acme_url=$(cat "${__object:?}/parameter/acme-url") + set_custom_acme_url="--acme-url $custom_acme_url" +fi + +set_acme_eab_credentials= +if [ -f "${__object:?}/parameter/acme-eab-credentials" ]; +then + acme_eab_credentials=$(cat "${__object:?}/parameter/acme-eab-credentials") + set_acme_eab_credentials="--eab-credentials $acme_eab_credentials" +fi + # Deploy simple HTTP vhost, allowing to serve ACME challenges. __nginx_vhost "301-to-https-$domain" \ --domain "$domain" --altdomains "$altdomains" --to-https @@ -46,12 +60,18 @@ if [ -f "${__object:?}/parameter/force-cert-ownership-to" ]; then cert_ownership=$(cat "${__object:?}/parameter/force-cert-ownership-to") fi -__uacme_account +# shellcheck disable=SC2086 +__uacme_account \ + $set_custom_acme_url \ + $set_acme_eab_credentials \ + # shellcheck disable=SC2086 require="__nginx_vhost/301-to-https-$domain __uacme_account" \ __uacme_obtain "$domain" \ --altdomains "$altdomains" \ $set_custom_uacme_hookscript \ + $set_custom_acme_url \ + $set_acme_eab_credentials \ --owner "$cert_ownership" \ --install-key-to "$nginx_certdir/$domain/privkey.pem" \ --install-cert-to "/$nginx_certdir/$domain/fullchain.pem" \ diff --git a/type/__nginx/parameter/optional b/type/__nginx/parameter/optional index 1a5fb95..8d6fae6 100644 --- a/type/__nginx/parameter/optional +++ b/type/__nginx/parameter/optional @@ -2,4 +2,6 @@ config domain altdomains uacme-hookscript +acme-url +acme-eab-credentials force-cert-ownership-to diff --git a/type/__uacme_account/gencode-remote b/type/__uacme_account/gencode-remote index e1d9551..b75d2d7 100644 --- a/type/__uacme_account/gencode-remote +++ b/type/__uacme_account/gencode-remote 
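Review bot: `set_acme_eab_credentials="--eab-credentials $acme_eab_credentials"` carries the EAB KEYID:KEY pair through cdist object arguments and, via `__uacme_account` and `__uacme_obtain`, onto `uacme` command lines, so the HMAC key is visible in process listings on the target and in cdist's verbose output; the man page hunk for `acme-eab-credentials` should say so, and the value deserves the same handling as the other secrets this repository already passes around. In the second hunk the call `__uacme_account \ $set_custom_acme_url \ $set_acme_eab_credentials \` ends on a dangling backslash and only terminates because the next line is blank; drop the trailing `\` so the command boundary does not depend on that blank line surviving a future edit ahead of the `require="..." __uacme_obtain` call.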
@@ -18,6 +18,21 @@ then
 admin_mail="$(cat "${__object:?}/parameter/admin-mail")";
 fi
+# Autoaccept ACME server terms (if any) upon new account creation.
+uacme_opts="--yes"
+
+# Non-default ACMEv2 server directory object URL.
+if [ -f "${__object:?}/parameter/acme-url" ]; then
+ custom_acme_url=$(cat "${__object:?}/parameter/acme-url")
+ uacme_opts="$uacme_opts --acme-url $custom_acme_url"
+fi
+
+# Specify RFC8555 External Account Binding credentials.
+if [ -f "${__object:?}/parameter/eab-credentials" ]; then
+ eab_credentials=$(cat "${__object:?}/parameter/eab-credentials")
+ uacme_opts="$uacme_opts --eab $eab_credentials"
+fi
+
 confdir="${default_confdir:?}"
 if [ -f "${__object:?}/parameter/confdir" ]; then
@@ -27,6 +42,6 @@ fi
 cat << EOF
 if ! [ -f "${confdir}/private/key.pem" ]; then
-    uacme -y new ${admin_mail}
+    uacme $uacme_opts new ${admin_mail}
 fi
 EOF
diff --git a/type/__uacme_account/man.rst b/type/__uacme_account/man.rst
index be5efc6..c18bb40 100644
--- a/type/__uacme_account/man.rst
+++ b/type/__uacme_account/man.rst
@@ -23,6 +23,16 @@ confdir
 admin-mail
 Administrative contact email to register the account with.
+acme-url
+ ACMEv2 server directory object URL. Lets'Encrypt is used by default.
+
+eab-credentials
+ Specify RFC8555 External Account Binding credentials according to
+ https://tools.ietf.org/html/rfc8555#section-7.3.4, in order to associate a new
+ ACME account with an existing account in a non-ACME system such as a CA
+ customer database. KEYID must be an ASCII string. KEY must be
+ base64url-encoded. This is parameter is not supported by uacme < 1.6.
+
 EXAMPLES
 --------
@@ -43,6 +53,7 @@ SEE ALSO
 AUTHORS
 -------
 Joachim Desroches
+Timothée Floure
 COPYING
 -------
diff --git a/type/__uacme_account/parameter/optional b/type/__uacme_account/parameter/optional
index 0eaba67..dff247c 100644
--- a/type/__uacme_account/parameter/optional
+++ b/type/__uacme_account/parameter/optional
@@ -1,2 +1,4 @@
 confdir
 admin-mail
+acme-url
+eab-credentials
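Review bot: `uacme $uacme_opts new ${admin_mail}` now places the EAB HMAC key on the uacme command line, where every local user on the target can read it from `ps` or `/proc/<pid>/cmdline` for as long as `new` runs, and the generated code-remote with the key inline is, if I remember cdist's layout right, also kept in the local object cache. As far as I know uacme only accepts the credentials as a `KEYID:KEY` argument, so this cannot be avoided in the type, but it should be stated next to the option, e.g. `# NOTE: the EAB key is visible in the process list while 'uacme new' runs; the key is only used once, at registration.` A second point: the whole command is guarded by `if ! [ -f "${confdir}/private/key.pem" ]`, so `--acme-url` and `--eab` take effect only on first registration; changing `acme-url` on a host that already has an account key silently keeps the account at the old CA, which is worth a sentence in man.rst.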
diff --git a/type/__uacme_obtain/files/renew.sh.sh b/type/__uacme_obtain/files/renew.sh.sh
index 18bf061..dc82fd9 100755
--- a/type/__uacme_obtain/files/renew.sh.sh
+++ b/type/__uacme_obtain/files/renew.sh.sh
@@ -7,8 +7,8 @@ UACME_CHALLENGE_PATH=${CHALLENGEDIR:?}
 export UACME_CHALLENGE_PATH
 # Issue certificate.
-uacme -c ${CONFDIR:?} -h ${HOOKSCRIPT:?} ${DISABLE_OCSP?} ${MUST_STAPLE?} ${KEYTYPE?} \\
- issue -- ${DOMAIN:?}
+uacme -c ${CONFDIR:?} -h ${HOOKSCRIPT:?} ${DISABLE_OCSP?} ${ACME_URL?} \\
+ ${EAB_CREDENTIALS?} ${MUST_STAPLE?} ${KEYTYPE?} issue -- ${DOMAIN:?}
 # Note: exit code 0 means that certificate was issued.
 # Note: exit code 1 means that certificate was still valid, hence not renewed.
diff --git a/type/__uacme_obtain/manifest b/type/__uacme_obtain/manifest
index f41e881..b41ddde 100644
--- a/type/__uacme_obtain/manifest
+++ b/type/__uacme_obtain/manifest
@@ -69,6 +69,22 @@ then
 fi
 export MUST_STAPLE
+# Non-default ACMEv2 server directory object URL.
+ACME_URL=
+if [ -f "${__object:?}/parameter/acme-url" ]; then
+ custom_acme_url=$(cat "${__object:?}/parameter/acme-url")
+ ACME_URL="--acme-url $custom_acme_url"
+fi
+export ACME_URL
+
+# Specify RFC8555 External Account Binding credentials.
+EAB_CREDENTIALS=
+if [ -f "${__object:?}/parameter/eab-credentials" ]; then
+ eab_credentials_param=$(cat "${__object:?}/parameter/eab-credentials")
+ EAB_CREDENTIALS="--eab $eab_credentials_param"
+fi
+export EAB_CREDENTIALS
+
 OWNER=root
 if [ -f "${__object:?}/parameter/owner" ]; then
diff --git a/type/__uacme_obtain/parameter/optional b/type/__uacme_obtain/parameter/optional
index fd721af..9fa9846 100644
--- a/type/__uacme_obtain/parameter/optional
+++ b/type/__uacme_obtain/parameter/optional
@@ -5,3 +5,5 @@ owner
 install-cert-to
 install-key-to
 renew-hook
+acme-url
+eab-credentials
From e052178122d565e4fcc2a651b93a83587e10d73e Mon Sep 17 00:00:00 2001
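Review bot: The rendered renew script now carries `${EAB_CREDENTIALS?}` on the `issue` command, so the EAB HMAC key is written into every `renew.sh` installed on disk and is re-exposed in the process list on every cron run, although, as far as I can tell, uacme consumes the external account binding only when the account is registered (`new`) and `issue` authenticates with the account key already in `${CONFDIR}`. Unless a CA is known to require EAB at issuance, drop `${EAB_CREDENTIALS?}` from the `issue` line and keep the credentials in `__uacme_account` only; if it has to stay, the installed renew.sh must be root-only (mode 0700), which this hunk does not let me verify. `${ACME_URL?}`, by contrast, is genuinely needed at issue time and is fine where it is.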
From: Evilham
Date: Wed, 22 Dec 2021 20:05:37 +0100
Subject: [PATCH 12/24] [__jitsi*] Update to 2.0.6726

Sponsored by: plataformess.org
---
 type/__jitsi_meet/manifest | 5 +-
 .../files/_update_jitsi_configurations.sh | 30 ++
 type/__jitsi_meet_domain/files/config.js.sh | 461 +++++++++++++++-
 .../files/config.js.sh.orig | 462 ++++++++++++++++--
 .../files/interface_config.js.sh | 83 ++--
 .../files/interface_config.js.sh.orig | 83 ++--
 type/__jitsi_meet_domain/files/nginx.sh | 58 ++-
 type/__jitsi_meet_domain/files/nginx.sh.orig | 58 ++-
 8 files changed, 1001 insertions(+), 239 deletions(-)
 create mode 100755 type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh

diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest
index 1cae2be..0364db6 100755
--- a/type/__jitsi_meet/manifest
+++ b/type/__jitsi_meet/manifest
@@ -125,7 +125,10 @@ require="__directory${NGINX_ETC}/sites-available" __file "${NGINX_ETC}/sites-ava
 server_names_hash_bucket_size 64;
-# nginx server configuration for:
+types {
+# nginx's default mime.types doesn't include a mapping for wasm
+ application/wasm wasm;
+}
 server {
diff --git a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
new file mode 100755
index 0000000..295bdf0
--- /dev/null
+++ b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
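Review bot: The new `types { application/wasm wasm; }` is emitted next to `server_names_hash_bucket_size`, i.e. at nginx's `http` level, where it merges with the table that `include mime.types` fills in the same context; nginx only inherits the parent's `types` table when a child context declares none, so if this snippet is ever moved into the `server {}` that follows, every extension except `.wasm` would fall back to `default_type`. A comment on the line, e.g. `# keep at http level: a types{} block inside server/location replaces the inherited mime table`, would prevent that regression when the file is reorganised. The heredoc this is written into starts before the hunk, so I cannot see whether `include mime.types` happens in the same file or is relied on from nginx.conf.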
@@ -0,0 +1,30 @@
+#!/bin/sh -eu
+
+# This is a helper to update the '.sh.orig' files for jitsi's
+# configuration files.
+# Then the changes must be propagated to their corresponding .sh
+# files by the type maintainer or a contributor
+
+# We could automate this, but are using it as an indicator for the
+# latest branch with which we conciliated changes.
+BRANCH="jitsi-meet_6726"
+REPO="https://github.com/jitsi/jitsi-meet"
+
+get_url() {
+ file="${1}"
+ printf "%s/raw/stable/%s/%s" "${REPO}" "${BRANCH}" "${file}"
+
+}
+
+download_file() {
+ file="${1}"
+ destination="${2:-${file}.sh.orig}"
+ url="$(get_url "${file}")"
+ echo "Downloading ${destination}"
+ curl -L "${url}" > "${destination}"
+ echo
+}
+
+download_file config.js
+download_file interface_config.js
+download_file doc/debian/jitsi-meet/jitsi-meet.example nginx.sh.orig
diff --git a/type/__jitsi_meet_domain/files/config.js.sh b/type/__jitsi_meet_domain/files/config.js.sh
index f825761..4532ba6 100644
--- a/type/__jitsi_meet_domain/files/config.js.sh
+++ b/type/__jitsi_meet_domain/files/config.js.sh
@@ -39,9 +39,6 @@ fi
 // Websocket URL
 // websocket: 'wss://${JITSI_HOST}/xmpp-websocket',
-    // The name of client node advertised in XEP-0115 'c' stanza
-    clientNode: 'http://jitsi.org/jitsimeet',
-
 // The real JID of focus participant - can be overridden here
 // Do not change username - FIXME: Make focus username configurable
 // https://github.com/jitsi/jitsi-meet/issues/7376
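Review bot: `curl -L "${url}" > "${destination}"` in `download_file` succeeds on an HTTP error: without `-f`/`--fail` curl exits 0 on a 404, so a mistyped `BRANCH` would write GitHub's error page into `config.js.sh.orig` and the script's `set -e` never fires, and the redirection truncates the existing `.orig` before the fetch is known to be good. Use `curl -fsSL "${url}" -o "${destination}.tmp" && mv "${destination}.tmp" "${destination}"`. Separately, `BRANCH` names a mutable tag (`raw/stable/jitsi-meet_6726`) and nothing checks what comes back, so a moved tag or a bad mirror would silently change the baseline the maintainer diffs the deployed templates against; pinning to the commit hash, or recording a sha256 per `.orig` next to `BRANCH`, would make the refresh reproducible. There is also a stray blank line before the closing brace of `get_url`.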
@@ -56,9 +53,16 @@ fi // issues related to insertable streams. // disableE2EE: false, + // Enables/disables thumbnail reordering in the filmstrip. It is enabled by default unless explicitly + // disabled by the below option. + // enableThumbnailReordering: true, + + // Enables XMPP WebSocket (as opposed to BOSH) for the given amount of users. + // mobileXmppWsThreshold: 10 // enable XMPP WebSockets on mobile for 10% of the users + // P2P test mode disables automatic switching to P2P when there are 2 // participants in the conference. - p2pTestMode: false + // p2pTestMode: false, // Enables the test specific features consumed by jitsi-meet-torture // testMode: false @@ -71,8 +75,10 @@ fi // simulcast is turned off for the desktop share. If presenter is turned // on while screensharing is in progress, the max bitrate is automatically // adjusted to 2.5 Mbps. This takes a value between 0 and 1 which determines - // the probability for this to be enabled. - // capScreenshareBitrate: 1 // 0 to disable + // the probability for this to be enabled. This setting has been deprecated. + // desktopSharingFrameRate.max now determines whether simulcast will be enabled + // or disabled for the screenshare. + // capScreenshareBitrate: 1 // 0 to disable - deprecated. // Enable callstats only for a percentage of users. // This takes a value between 0 and 100 which determines the probability for @@ -80,6 +86,18 @@ fi // callStatsThreshold: 5 // enable callstats for 5% of the users. }, + // Disables moderator indicators. + // disableModeratorIndicator: false, + + // Disables the reactions feature. + // disableReactions: true, + + // Disables polls feature. + // disablePolls: false, + + // Disables self-view tile. (hides it from tile view and from filmstrip) + // disableSelfView: false, + // Disables ICE/UDP by filtering out local and remote UDP candidates in // signalling. // webrtcIceUdpDisable: false, 
@@ -92,6 +110,9 @@ fi // Media // + // Enable unified plan implementation support on Chromium based browsers. + // enableUnifiedOnChrome: false, + // Audio // Disable measuring of audio levels. @@ -108,6 +129,10 @@ fi // about the call. // enableSaveLogs: false, + // Enabling this will hide the "Show More" link in the GSM popover that can be + // used to display more statistics about the connection (IP, Port, protocol, etc). + // disableShowMoreStats: true, + // Enabling this will run the lib-jitsi-meet noise detection module which will // notify the user if there is noise, other than voice, coming from the current // selected microphone. The purpose it to let the user know that the input could 
@@ -129,19 +154,34 @@ fi // participants and to enable it back a reload is needed. // startSilent: false - // Sets the preferred target bitrate for the Opus audio codec by setting its - // 'maxaveragebitrate' parameter. Currently not available in p2p mode. - // Valid values are in the range 6000 to 510000 - // opusMaxAverageBitrate: 20000, - // Enables support for opus-red (redundancy for Opus). // enableOpusRed: false, + // Specify audio quality stereo and opusMaxAverageBitrate values in order to enable HD audio. + // Beware, by doing so, you are disabling echo cancellation, noise suppression and AGC. + // audioQuality: { + // stereo: false, + // opusMaxAverageBitrate: null // Value to fit the 6000 to 510000 range. + // }, + // Video // Sets the preferred resolution (height) for local video. Defaults to 720. // resolution: 720, + // Specifies whether the raised hand will hide when someone becomes a dominant speaker or not + // disableRemoveRaisedHandOnFocus: false, + + // Specifies whether there will be a search field in speaker stats or not + // disableSpeakerStatsSearch: false, + + // Specifies whether participants in speaker stats should be ordered or not, and with what priority + // speakerStatsOrder: [ + // 'role', <- Moderators on top + // 'name', <- Alphabetically by name + // 'hasLeft', <- The ones that have left in the bottom + // ] <- the order of the array elements determines priority + // How many participants while in the tile view mode, before the receiving video quality is reduced from HD to SD. // Use -1 to disable. // maxFullResolutionParticipants: 2, 
@@ -165,9 +205,10 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Enable / disable simulcast support. // disableSimulcast: false, - // Enable / disable layer suspension. If enabled, endpoints whose HD - // layers are not in use will be suspended (no longer sent) until they - // are requested again. + // Enable / disable layer suspension. If enabled, endpoints whose HD layers are not in use will be suspended + // (no longer sent) until they are requested again. This is enabled by default. This must be enabled for screen + // sharing to work as expected on Chrome. Disabling this might result in low resolution screenshare being sent + // by the client. // enableLayerSuspension: false, // Every participant after the Nth will start video muted. @@ -229,6 +270,18 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // subtitles and buttons can be configured) // transcribingEnabled: false, + // If true transcriber will use the application language. + // The application language is either explicitly set by participants in their settings or automatically + // detected based on the environment, e.g. if the app is opened in a chrome instance which is using french as its + // default language then transcriptions for that participant will be in french. + // Defaults to true. + // transcribeWithAppLanguage: true, + + // Transcriber language. This settings will only work if "transcribeWithAppLanguage" is explicitly set to false. + // Available languages can be found in + // ./src/react/features/transcribing/transcriber-langs.json. + // preferredTranscribeLanguage: 'en-US', + // Enables automatic turning on captions when recording is started // autoCaptionOnRecord: false, 
@@ -237,6 +290,20 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Default value for the channel "last N" attribute. -1 for unlimited. channelLastN: ${CHANNEL_LAST_N}, + // Connection indicators + // connectionIndicators: { + // autoHide: true, + // autoHideTimeout: 5000, + // disabled: false, + // disableDetails: false, + // inactiveDisabled: false + // }, + + // Provides a way for the lastN value to be controlled through the UI. + // When startLastN is present, conference starts with a last-n value of startLastN and channelLastN + // value will be used when the quality level is selected using "Manage Video Quality" slider. + // startLastN: 1, + // Provides a way to use different "last N" values based on the number of participants in the conference. // The keys in an Object represent number of participants and the values are "last N" to be used when number of // participants gets to or above the number. 
@@ -274,12 +341,24 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // // to take effect. // preferredCodec: 'VP8', // + // // Provides a way to enforce the preferred codec for the conference even when the conference has endpoints + // // that do not support the preferred codec. For example, older versions of Safari do not support VP9 yet. + // // This will result in Safari not being able to decode video from endpoints sending VP9 video. + // // When set to false, the conference falls back to VP8 whenever there is an endpoint that doesn't support the + // // preferred codec and goes back to the preferred codec when that endpoint leaves. + // // enforcePreferredCodec: false, + // // // Provides a way to configure the maximum bitrates that will be enforced on the simulcast streams for // // video tracks. The keys in the object represent the type of the stream (LD, SD or HD) and the values // // are the max.bitrates to be set on that particular type of stream. The actual send may vary based on // // the available bandwidth calculated by the browser, but it will be capped by the values specified here. // // This is currently not implemented on app based clients on mobile. // maxBitratesVideo: { + // H264: { + // low: 200000, + // standard: 500000, + // high: 1500000 + // }, // VP8 : { // low: 200000, // standard: 500000, @@ -288,7 +367,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // VP9: { // low: 100000, // standard: 300000, - // high: 1200000 + // high: 1200000 // } // }, // @@ -312,6 +391,13 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // resizeDesktopForPresenter: false // }, + // Notification timeouts + // notificationTimeouts: { + // short: 2500, + // medium: 5000, + // long: 10000 + // }, + // // Options for the recording limit notification. // recordingLimit: { // 
@@ -330,6 +416,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Disables or enables RTX (RFC 4588) (defaults to false). // disableRtx: false, + // Moves all Jitsi Meet 'beforeunload' logic (cleanup, leaving, disconnecting, etc) to the 'unload' event. + // disableBeforeUnloadHandlers: true, + // Disables or enables TCC support in this client (default: enabled). // enableTcc: true, @@ -345,8 +434,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // enableIceRestart: false, // Enables forced reload of the client when the call is migrated as a result of - // the bridge going down. Currently enabled by default as call migration through - // session-terminate is causing siganling issues when Octo is enabled. + // the bridge going down. // enableForcedReload: true, // Use TURN/UDP servers for the jitsi-videobridge connection (by default @@ -354,6 +442,11 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // bridge itself is reachable via UDP) // useTurnUdp: false + // Enable support for encoded transform in supported browsers. This allows + // E2EE to work in Safari if the corresponding flag is enabled in the browser. + // Experimental. + // enableEncodedTransformSupport: false, + // UI // @@ -363,6 +456,12 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Hides lobby button // hideLobbyButton: false, + // If Lobby is enabled starts knocking automatically. + // autoKnockLobby: false, + + // Hides add breakout room button + // hideAddRoomButton: false, + // Require users to always specify a display name. // requireDisplayName: true, 
@@ -382,7 +481,15 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // enableClosePage: false, // Disable hiding of remote thumbnails when in a 1-on-1 conference call. - // disable1On1Mode: false, + // Setting this to null, will also disable showing the remote videos + // when the toolbar is shown on mouse movements + // disable1On1Mode: null | false | true, + + // Default local name to be displayed + // defaultLocalDisplayName: 'me', + + // Default remote name to be displayed + // defaultRemoteDisplayName: 'Fellow Jitster', // Default language for the user interface. defaultLanguage: '${DEFAULT_LANGUAGE}', @@ -405,8 +512,18 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // and microsoftApiApplicationClientID // enableCalendarIntegration: false, - // When 'true', it shows an intermediate page before joining, where the user can configure their devices. - // prejoinPageEnabled: false, + // Configs for prejoin page. + // prejoinConfig: { + // // When 'true', it shows an intermediate page before joining, where the user can configure their devices. + // // This replaces \`prejoinPageEnabled\`. + // enabled: true, + // // List of buttons to hide from the extra join options dropdown. + // hideExtraJoinButtons: ['no-audio', 'by-phone'] + // }, + + // When 'true', the user cannot edit the display name. + // (Mainly useful when used in conjuction with the JWT so the JWT name becomes read only.) + // readOnlyName: false, // If etherpad integration is enabled, setting this to true will // automatically open the etherpad when a participant joins. This 
@@ -427,6 +544,10 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Base URL for a Gravatar-compatible service. Defaults to libravatar. // gravatarBaseURL: 'https://seccdn.libravatar.org/avatar/', + // App name to be displayed in the invitation email subject, as an alternative to + // interfaceConfig.APP_NAME. + // inviteAppName: null, + // Moved from interfaceConfig(TOOLBAR_BUTTONS). // The name of the toolbar buttons to display in the toolbar, including the // "More actions" menu. If present, the button will display. Exceptions are 
@@ -439,13 +560,94 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // - 'desktop' controls the "Share your screen" button // - if \`toolbarButtons\` is undefined, we fallback to enabling all buttons on the UI // toolbarButtons: [ - // 'microphone', 'camera', 'closedcaptions', 'desktop', 'embedmeeting', 'fullscreen', - // 'fodeviceselection', 'hangup', 'profile', 'chat', 'recording', - // 'livestreaming', 'etherpad', 'sharedvideo', 'shareaudio', 'settings', 'raisehand', - // 'videoquality', 'filmstrip', 'invite', 'feedback', 'stats', 'shortcuts', - // 'tileview', 'select-background', 'download', 'help', 'mute-everyone', 'mute-video-everyone', 'security' + // 'camera', + // 'chat', + // 'closedcaptions', + // 'desktop', + // 'download', + // 'embedmeeting', + // 'etherpad', + // 'feedback', + // 'filmstrip', + // 'fullscreen', + // 'hangup', + // 'help', + // 'invite', + // 'livestreaming', + // 'microphone', + // 'mute-everyone', + // 'mute-video-everyone', + // 'participants-pane', + // 'profile', + // 'raisehand', + // 'recording', + // 'security', + // 'select-background', + // 'settings', + // 'shareaudio', + // 'sharedvideo', + // 'shortcuts', + // 'stats', + // 'tileview', + // 'toggle-camera', + // 'videoquality', + // '__end' // ], + // Holds values related to toolbar visibility control. + // toolbarConfig: { + // // Moved from interfaceConfig.INITIAL_TOOLBAR_TIMEOUT + // // The initial numer of miliseconds for the toolbar buttons to be visible on screen. + // initialTimeout: 20000, + // // Moved from interfaceConfig.TOOLBAR_TIMEOUT + // // Number of miliseconds for the toolbar buttons to be visible on screen. + // timeout: 4000, + // // Moved from interfaceConfig.TOOLBAR_ALWAYS_VISIBLE + // // Whether toolbar should be always visible or should hide after x miliseconds. 
+ // alwaysVisible: false + // }, + + // Toolbar buttons which have their click event exposed through the API on + // \`toolbarButtonClicked\` event instead of executing the normal click routine. + // buttonsWithNotifyClick: [ + // 'camera', + // 'chat', + // 'closedcaptions', + // 'desktop', + // 'download', + // 'embedmeeting', + // 'etherpad', + // 'feedback', + // 'filmstrip', + // 'fullscreen', + // 'hangup', + // 'help', + // 'invite', + // 'livestreaming', + // 'microphone', + // 'mute-everyone', + // 'mute-video-everyone', + // 'participants-pane', + // 'profile', + // 'raisehand', + // 'recording', + // 'security', + // 'select-background', + // 'settings', + // 'shareaudio', + // 'sharedvideo', + // 'shortcuts', + // 'stats', + // 'tileview', + // 'toggle-camera', + // 'videoquality', + // '__end' + // ], + + // List of pre meeting screens buttons to hide. The values must be one or more of the 5 allowed buttons: + // 'microphone', 'camera', 'select-background', 'invite', 'settings' + // hiddenPremeetingButtons: [], + // Stats // 
@@ -463,12 +665,37 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // callStatsID: '', // callStatsSecret: '', + // The callstats initialize config params as described in the API: + // https://docs.callstats.io/docs/javascript#callstatsinitialize-with-app-secret + // callStatsConfigParams: { + // disableBeforeUnloadHandler: true, // disables callstats.js's window.onbeforeunload parameter. + // applicationVersion: "app_version", // Application version specified by the developer. + // disablePrecalltest: true, // disables the pre-call test, it is enabled by default. + // siteID: "siteID", // The name/ID of the site/campus from where the call/pre-call test is made. + // additionalIDs: { // additionalIDs object, contains application related IDs. + // customerID: "Customer Identifier. Example, walmart.", + // tenantID: "Tenant Identifier. Example, monster.", + // productName: "Product Name. Example, Jitsi.", + // meetingsName: "Meeting Name. Example, Jitsi loves callstats.", + // serverName: "Server/MiddleBox Name. Example, jvb-prod-us-east-mlkncws12.", + // pbxID: "PBX Identifier. Example, walmart.", + // pbxExtensionID: "PBX Extension Identifier. Example, 5625.", + // fqExtensionID: "Fully qualified Extension Identifier. Example, +71 (US) +5625.", + // sessionID: "Session Identifier. Example, session-12-34" + // }, + // collectLegacyStats: true, //enables the collection of legacy stats in chrome browser + // collectIP: true //enables the collection localIP address + // }, + // Enables sending participants' display names to callstats // enableDisplayNameInStats: false, // Enables sending participants' emails (if available) to callstats and other analytics // enableEmailInStats: false, + // Enables detecting faces of participants and get their expression and send it to other participants + // enableFacialRecognition: true, + // Controls the percentage of automatic feedback shown to participants when callstats is enabled. 
// The default value is 100%. If set to 0, no automatic feedback will be requested // feedbackPercentage: 100, @@ -494,11 +721,8 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // connection. enabled: true, - // The STUN servers that will be used in the peer to peer connections - stunServers: [ - - { urls: 'stun:${TURN_SERVER}:443' } - ] + // Enable unified plan implementation support on Chromium for p2p connection. + // enableUnifiedOnChrome: false, // Sets the ICE transport policy for the p2p connection. At the time // of this writing the list of possible values are 'all' and 'relay', @@ -525,10 +749,20 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // How long we're going to wait, before going back to P2P after the 3rd // participant has left the conference (to filter out page reload). - // backToP2PDelay: 5 + // backToP2PDelay: 5, + + // The STUN servers that will be used in the peer to peer connections + stunServers: [ + + // { urls: 'stun:jitsi-meet.example.com:3478' }, + { urls: 'stun:${TURN_SERVER}:443' } + ] }, analytics: { + // True if the analytics should be disabled + // disabled: false, + // The Google Analytics Tracking ID: // googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1' @@ -544,7 +778,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // module connects to the provided rtcstatsEndpoint and sends statistics regarding // PeerConnection states along with getStats metrics polled at the specified // interval. - // rtcstatsEnabled: true, + // rtcstatsEnabled: false, // In order to enable rtcstats one needs to provide a endpoint url. // rtcstatsEndpoint: wss://rtcstats-server-pilot.jitsi.net/, 
@@ -572,13 +806,43 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // userRegion: "asia" }, + // Array of disabled sounds. + // Possible values: + // - 'ASKED_TO_UNMUTE_SOUND' + // - 'E2EE_OFF_SOUND' + // - 'E2EE_ON_SOUND' + // - 'INCOMING_MSG_SOUND' + // - 'KNOCKING_PARTICIPANT_SOUND' + // - 'LIVE_STREAMING_OFF_SOUND' + // - 'LIVE_STREAMING_ON_SOUND' + // - 'NO_AUDIO_SIGNAL_SOUND' + // - 'NOISY_AUDIO_INPUT_SOUND' + // - 'OUTGOING_CALL_EXPIRED_SOUND' + // - 'OUTGOING_CALL_REJECTED_SOUND' + // - 'OUTGOING_CALL_RINGING_SOUND' + // - 'OUTGOING_CALL_START_SOUND' + // - 'PARTICIPANT_JOINED_SOUND' + // - 'PARTICIPANT_LEFT_SOUND' + // - 'RAISE_HAND_SOUND' + // - 'REACTION_SOUND' + // - 'RECORDING_OFF_SOUND' + // - 'RECORDING_ON_SOUND' + // - 'TALK_WHILE_MUTED_SOUND' + // disabledSounds: [], + + // DEPRECATED! Use \`disabledSounds\` instead. // Decides whether the start/stop recording audio notifications should play on record. // disableRecordAudioNotification: false, + // DEPRECATED! Use \`disabledSounds\` instead. // Disables the sounds that play when other participants join or leave the // conference (if set to true, these sounds will not be played). // disableJoinLeaveSounds: false, + // DEPRECATED! Use \`disabledSounds\` instead. + // Disables the sounds that play when a chat message is received. + // disableIncomingMessageSound: false, + // Information for the chrome extension banner // chromeExtensionBanner: { // // The chrome extension to be installed address @@ -599,8 +863,8 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // localRecording: { // Enables local recording. // Additionally, 'localrecording' (all lowercase) needs to be added to - // TOOLBAR_BUTTONS in interface_config.js for the Local Recording - // button to show up on the toolbar. + // the \`toolbarButtons\`-array for the Local Recording button to show up + // on the toolbar. // // enabled: true, // 
@@ -609,6 +873,10 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // format: 'flac' // + // }, + // e2ee: { + // labels, + // externallyManagedKey: false // }, // Options related to end-to-end (participant to participant) ping. @@ -663,7 +931,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Options related to the remote participant menu. // remoteVideoMenu: { // // If set to true the 'Kick out' button will be disabled. - // disableKick: true + // disableKick: true, + // // If set to true the 'Grant moderator' button will be disabled. + // disableGrantModerator: true // }, // If set to true all muting operations of remote participants will be disabled. 
@@ -675,20 +945,67 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) /** External API url used to receive branding specific information. If there is no url set or there are missing fields, the defaults are applied. + The config file should be in JSON. None of the fields are mandatory and the response must have the shape: - { - // The hex value for the colour used as background - backgroundColor: '#fff', - // The url for the image used as background - backgroundImageUrl: 'https://example.com/background-img.png', - // The anchor url used when clicking the logo image - logoClickUrl: 'https://example-company.org', - // The url used for the image used as logo - logoImageUrl: 'https://example.com/logo-img.png' - } + { + // The domain url to apply (will replace the domain in the sharing conference link/embed section) + inviteDomain: 'example-company.org, + // The hex value for the colour used as background + backgroundColor: '#fff', + // The url for the image used as background + backgroundImageUrl: 'https://example.com/background-img.png', + // The anchor url used when clicking the logo image + logoClickUrl: 'https://example-company.org', + // The url used for the image used as logo + logoImageUrl: 'https://example.com/logo-img.png', + // Overwrite for pool of background images for avatars + avatarBackgrounds: ['url(https://example.com/avatar-background-1.png)', '#FFF'], + // The lobby/prejoin screen background + premeetingBackground: 'url(https://example.com/premeeting-background.png)', + // A list of images that can be used as video backgrounds. + // When this field is present, the default images will be replaced with those provided. + virtualBackgrounds: ['https://example.com/img.jpg'], + // Object containing a theme's properties. It also supports partial overwrites of the main theme. 
+ // For a list of all possible theme tokens and their current defaults, please check: + // https://github.com/jitsi/jitsi-meet/tree/master/resources/custom-theme/custom-theme.json + // For a short explanations on each of the tokens, please check: + // https://github.com/jitsi/jitsi-meet/blob/master/react/features/base/ui/Tokens.js + // IMPORTANT!: This is work in progress so many of the various tokens are not yet applied in code + // or they are partially applied. + customTheme: { + palette: { + ui01: "orange !important", + ui02: "maroon", + surface02: 'darkgreen', + ui03: "violet", + ui04: "magenta", + ui05: "blueviolet", + field02Hover: 'red', + action01: 'green', + action01Hover: 'lightgreen', + action02Disabled: 'beige', + success02: 'cadetblue', + action02Hover: 'aliceblue' + }, + typography: { + labelRegular: { + fontSize: 25, + lineHeight: 30, + fontWeight: 500 + } + } + } + } */ dynamicBrandingUrl: "${DYNAMIC_BRANDING_URL}", + // When true the user cannot add more images to be used as virtual background. + // Only the default ones from will be available. + // disableAddingBackgroundImages: false, + + // Disables using screensharing as virtual background. + // disableScreensharingVirtualBackground: false, + // Sets the background transparency level. '0' is fully transparent, '1' is opaque. // backgroundAlpha: 1, 
@@ -700,12 +1017,35 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // If true, tile view will not be enabled automatically when the participants count threshold is reached. // disableTileView: true, + // If true, the tiles will be displayed contained within the available space rather than enlarged to cover it. + // disableTileEnlargement: true, + + // Controls the visibility and behavior of the top header conference info labels. + // If a label's id is not in any of the 2 arrays, it will not be visible at all on the header. + // conferenceInfo: { + // // those labels will not be hidden in tandem with the toolbox. + // alwaysVisible: ['recording', 'local-recording'], + // // those labels will be auto-hidden in tandem with the toolbox buttons. + // autoHide: [ + // 'subject', + // 'conference-timer', + // 'participants-count', + // 'e2ee', + // 'transcribing', + // 'video-quality', + // 'insecure-room' + // ] + // }, + // Hides the conference subject // hideConferenceSubject: true, // Hides the conference timer. // hideConferenceTimer: true, + // Hides the recording label + // hideRecordingLabel: false, + // Hides the participants stats // hideParticipantsStats: true, @@ -717,6 +1057,13 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // is not persisting the local storage inside the iframe. // useHostPageLocalStorage: true, + // etherpad ("shared document") integration. + // + + // If set, add a "Open shared document" link to the bottom right menu that + // will open an etherpad document. + // etherpad_base: 'https://your-etherpad-installati.on/p/', + // List of undocumented settings used in jitsi-meet /** _immediateReloadThreshold @@ -729,8 +1076,8 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) dialOutCodesUrl disableRemoteControl displayJids - etherpad_base externalConnectUrl + e2eeLabels firefox_fake_device googleApiApplicationClientID iAmRecorder 
@@ -772,6 +1119,11 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) websocketKeepAliveUrl */ + /** + * Default interval (milliseconds) for triggering mouseMoved iframe API event + */ + mouseMoveCallbackInterval: 1000, + /** Use this array to configure which notifications will be shown to the user The items correspond to the title or description key of that notification 
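Review bot: `mouseMoveCallbackInterval: 1000,` in this hunk is an active assignment, unlike the surrounding options, which are commented-out examples; since the template appears to be shell-expanded (`$(if ...)` in the hunk context), it will be emitted verbatim into every generated config. If the intent is only to mirror the upstream default, `// mouseMoveCallbackInterval: 1000,` leaves the generated file unchanged; otherwise a one-line comment such as `// Set deliberately for this deployment; adjust or comment out on the next upstream sync.` would tell the next maintainer it is intentional.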
@@ -805,11 +1157,19 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // 'lobby.notificationTitle', // shown when lobby is toggled and when join requests are allowed / denied // 'localRecording.localRecording', // shown when a local recording is started // 'notify.disconnected', // shown when a participant has left + // 'notify.connectedOneMember', // show when a participant joined + // 'notify.connectedTwoMembers', // show when two participants joined simultaneously + // 'notify.connectedThreePlusMembers', // show when more than 2 participants joined simultaneously // 'notify.grantedTo', // shown when moderator rights were granted to a participant // 'notify.invitedOneMember', // shown when 1 participant has been invited // 'notify.invitedThreePlusMembers', // shown when 3+ participants have been invited // 'notify.invitedTwoMembers', // shown when 2 participants have been invited // 'notify.kickParticipant', // shown when a participant is kicked + // 'notify.moderationStartedTitle', // shown when AV moderation is activated + // 'notify.moderationStoppedTitle', // shown when AV moderation is deactivated + // 'notify.moderationInEffectTitle', // shown when user attempts to unmute audio during AV moderation + // 'notify.moderationInEffectVideoTitle', // shown when user attempts to enable video during AV moderation + // 'notify.moderationInEffectCSTitle', // shown when user attempts to share content during AV moderation // 'notify.mutedRemotelyTitle', // shown when user is muted by a remote party // 'notify.mutedTitle', // shown when user has been muted upon joining, // 'notify.newDeviceAudioTitle', // prompts the user to use a newly detected audio device 
@@ -818,6 +1178,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // 'notify.passwordSetRemotely', // shown when a password has been set remotely // 'notify.raisedHand', // shown when a partcipant used raise hand, // 'notify.startSilentTitle', // shown when user joined with no audio + // 'notify.unmute', // shown to moderator when user raises hand during AV moderation // 'prejoin.errorDialOut', // 'prejoin.errorDialOutDisconnected', // 'prejoin.errorDialOutFailed', @@ -831,7 +1192,13 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // 'toolbar.noisyAudioInputTitle', // shown when noise is detected for the current microphone // 'toolbar.talkWhileMutedPopup', // shown when user tries to speak while muted // 'transcribing.failedToStart' // shown when transcribing fails to start - // ] + // ], + + // Prevent the filmstrip from autohiding when screen width is under a certain threshold + // disableFilmstripAutohiding: false, + + // Specifies whether the chat emoticons are disabled or not + // disableChatSmileys: false, // Allow all above example options to include a trailing comma and // prevent fear when commenting out the last value. diff --git a/type/__jitsi_meet_domain/files/config.js.sh.orig b/type/__jitsi_meet_domain/files/config.js.sh.orig index 9d49d52..eb30636 100644 --- a/type/__jitsi_meet_domain/files/config.js.sh.orig +++ b/type/__jitsi_meet_domain/files/config.js.sh.orig @@ -27,9 +27,6 @@ var config = { // Websocket URL // websocket: 'wss://jitsi-meet.example.com/xmpp-websocket', - // The name of client node advertised in XEP-0115 'c' stanza - clientNode: 'http://jitsi.org/jitsimeet', - // The real JID of focus participant - can be overridden here // Do not change username - FIXME: Make focus username configurable // https://github.com/jitsi/jitsi-meet/issues/7376 
@@ -44,9 +41,16 @@ var config = { // issues related to insertable streams. // disableE2EE: false, + // Enables/disables thumbnail reordering in the filmstrip. It is enabled by default unless explicitly + // disabled by the below option. + // enableThumbnailReordering: true, + + // Enables XMPP WebSocket (as opposed to BOSH) for the given amount of users. + // mobileXmppWsThreshold: 10 // enable XMPP WebSockets on mobile for 10% of the users + // P2P test mode disables automatic switching to P2P when there are 2 // participants in the conference. - p2pTestMode: false + // p2pTestMode: false, // Enables the test specific features consumed by jitsi-meet-torture // testMode: false @@ -59,8 +63,10 @@ var config = { // simulcast is turned off for the desktop share. If presenter is turned // on while screensharing is in progress, the max bitrate is automatically // adjusted to 2.5 Mbps. This takes a value between 0 and 1 which determines - // the probability for this to be enabled. - // capScreenshareBitrate: 1 // 0 to disable + // the probability for this to be enabled. This setting has been deprecated. + // desktopSharingFrameRate.max now determines whether simulcast will be enabled + // or disabled for the screenshare. + // capScreenshareBitrate: 1 // 0 to disable - deprecated. // Enable callstats only for a percentage of users. // This takes a value between 0 and 100 which determines the probability for @@ -68,6 +74,18 @@ var config = { // callStatsThreshold: 5 // enable callstats for 5% of the users. }, + // Disables moderator indicators. + // disableModeratorIndicator: false, + + // Disables the reactions feature. + // disableReactions: true, + + // Disables polls feature. + // disablePolls: false, + + // Disables self-view tile. (hides it from tile view and from filmstrip) + // disableSelfView: false, + // Disables ICE/UDP by filtering out local and remote UDP candidates in // signalling. // webrtcIceUdpDisable: false, 
@@ -80,6 +98,9 @@ var config = { // Media // + // Enable unified plan implementation support on Chromium based browsers. + // enableUnifiedOnChrome: false, + // Audio // Disable measuring of audio levels. @@ -96,6 +117,10 @@ var config = { // about the call. // enableSaveLogs: false, + // Enabling this will hide the "Show More" link in the GSM popover that can be + // used to display more statistics about the connection (IP, Port, protocol, etc). + // disableShowMoreStats: true, + // Enabling this will run the lib-jitsi-meet noise detection module which will // notify the user if there is noise, other than voice, coming from the current // selected microphone. The purpose it to let the user know that the input could 
@@ -117,19 +142,34 @@ var config = { // participants and to enable it back a reload is needed. // startSilent: false - // Sets the preferred target bitrate for the Opus audio codec by setting its - // 'maxaveragebitrate' parameter. Currently not available in p2p mode. - // Valid values are in the range 6000 to 510000 - // opusMaxAverageBitrate: 20000, - // Enables support for opus-red (redundancy for Opus). // enableOpusRed: false, + // Specify audio quality stereo and opusMaxAverageBitrate values in order to enable HD audio. + // Beware, by doing so, you are disabling echo cancellation, noise suppression and AGC. + // audioQuality: { + // stereo: false, + // opusMaxAverageBitrate: null // Value to fit the 6000 to 510000 range. + // }, + // Video // Sets the preferred resolution (height) for local video. Defaults to 720. // resolution: 720, + // Specifies whether the raised hand will hide when someone becomes a dominant speaker or not + // disableRemoveRaisedHandOnFocus: false, + + // Specifies whether there will be a search field in speaker stats or not + // disableSpeakerStatsSearch: false, + + // Specifies whether participants in speaker stats should be ordered or not, and with what priority + // speakerStatsOrder: [ + // 'role', <- Moderators on top + // 'name', <- Alphabetically by name + // 'hasLeft', <- The ones that have left in the bottom + // ] <- the order of the array elements determines priority + // How many participants while in the tile view mode, before the receiving video quality is reduced from HD to SD. // Use -1 to disable. // maxFullResolutionParticipants: 2, 
@@ -152,9 +192,10 @@ var config = { // Enable / disable simulcast support. // disableSimulcast: false, - // Enable / disable layer suspension. If enabled, endpoints whose HD - // layers are not in use will be suspended (no longer sent) until they - // are requested again. + // Enable / disable layer suspension. If enabled, endpoints whose HD layers are not in use will be suspended + // (no longer sent) until they are requested again. This is enabled by default. This must be enabled for screen + // sharing to work as expected on Chrome. Disabling this might result in low resolution screenshare being sent + // by the client. // enableLayerSuspension: false, // Every participant after the Nth will start video muted. @@ -216,6 +257,18 @@ var config = { // subtitles and buttons can be configured) // transcribingEnabled: false, + // If true transcriber will use the application language. + // The application language is either explicitly set by participants in their settings or automatically + // detected based on the environment, e.g. if the app is opened in a chrome instance which is using french as its + // default language then transcriptions for that participant will be in french. + // Defaults to true. + // transcribeWithAppLanguage: true, + + // Transcriber language. This settings will only work if "transcribeWithAppLanguage" is explicitly set to false. + // Available languages can be found in + // ./src/react/features/transcribing/transcriber-langs.json. + // preferredTranscribeLanguage: 'en-US', + // Enables automatic turning on captions when recording is started // autoCaptionOnRecord: false, 
@@ -224,6 +277,20 @@ var config = { // Default value for the channel "last N" attribute. -1 for unlimited. channelLastN: -1, + // Connection indicators + // connectionIndicators: { + // autoHide: true, + // autoHideTimeout: 5000, + // disabled: false, + // disableDetails: false, + // inactiveDisabled: false + // }, + + // Provides a way for the lastN value to be controlled through the UI. + // When startLastN is present, conference starts with a last-n value of startLastN and channelLastN + // value will be used when the quality level is selected using "Manage Video Quality" slider. + // startLastN: 1, + // Provides a way to use different "last N" values based on the number of participants in the conference. // The keys in an Object represent number of participants and the values are "last N" to be used when number of // participants gets to or above the number. 
@@ -261,12 +328,24 @@ var config = { // // to take effect. // preferredCodec: 'VP8', // + // // Provides a way to enforce the preferred codec for the conference even when the conference has endpoints + // // that do not support the preferred codec. For example, older versions of Safari do not support VP9 yet. + // // This will result in Safari not being able to decode video from endpoints sending VP9 video. + // // When set to false, the conference falls back to VP8 whenever there is an endpoint that doesn't support the + // // preferred codec and goes back to the preferred codec when that endpoint leaves. + // // enforcePreferredCodec: false, + // // // Provides a way to configure the maximum bitrates that will be enforced on the simulcast streams for // // video tracks. The keys in the object represent the type of the stream (LD, SD or HD) and the values // // are the max.bitrates to be set on that particular type of stream. The actual send may vary based on // // the available bandwidth calculated by the browser, but it will be capped by the values specified here. // // This is currently not implemented on app based clients on mobile. // maxBitratesVideo: { + // H264: { + // low: 200000, + // standard: 500000, + // high: 1500000 + // }, // VP8 : { // low: 200000, // standard: 500000, @@ -275,7 +354,7 @@ var config = { // VP9: { // low: 100000, // standard: 300000, - // high: 1200000 + // high: 1200000 // } // }, // @@ -299,6 +378,13 @@ var config = { // resizeDesktopForPresenter: false // }, + // Notification timeouts + // notificationTimeouts: { + // short: 2500, + // medium: 5000, + // long: 10000 + // }, + // // Options for the recording limit notification. // recordingLimit: { // 
@@ -317,6 +403,9 @@ var config = { // Disables or enables RTX (RFC 4588) (defaults to false). // disableRtx: false, + // Moves all Jitsi Meet 'beforeunload' logic (cleanup, leaving, disconnecting, etc) to the 'unload' event. + // disableBeforeUnloadHandlers: true, + // Disables or enables TCC support in this client (default: enabled). // enableTcc: true, @@ -332,8 +421,7 @@ var config = { // enableIceRestart: false, // Enables forced reload of the client when the call is migrated as a result of - // the bridge going down. Currently enabled by default as call migration through - // session-terminate is causing siganling issues when Octo is enabled. + // the bridge going down. // enableForcedReload: true, // Use TURN/UDP servers for the jitsi-videobridge connection (by default @@ -341,6 +429,11 @@ var config = { // bridge itself is reachable via UDP) // useTurnUdp: false + // Enable support for encoded transform in supported browsers. This allows + // E2EE to work in Safari if the corresponding flag is enabled in the browser. + // Experimental. + // enableEncodedTransformSupport: false, + // UI // @@ -350,6 +443,12 @@ var config = { // Hides lobby button // hideLobbyButton: false, + // If Lobby is enabled starts knocking automatically. + // autoKnockLobby: false, + + // Hides add breakout room button + // hideAddRoomButton: false, + // Require users to always specify a display name. // requireDisplayName: true, 
@@ -369,7 +468,15 @@ var config = { // enableClosePage: false, // Disable hiding of remote thumbnails when in a 1-on-1 conference call. - // disable1On1Mode: false, + // Setting this to null, will also disable showing the remote videos + // when the toolbar is shown on mouse movements + // disable1On1Mode: null | false | true, + + // Default local name to be displayed + // defaultLocalDisplayName: 'me', + + // Default remote name to be displayed + // defaultRemoteDisplayName: 'Fellow Jitster', // Default language for the user interface. // defaultLanguage: 'en', @@ -392,8 +499,18 @@ var config = { // and microsoftApiApplicationClientID // enableCalendarIntegration: false, - // When 'true', it shows an intermediate page before joining, where the user can configure their devices. - // prejoinPageEnabled: false, + // Configs for prejoin page. + // prejoinConfig: { + // // When 'true', it shows an intermediate page before joining, where the user can configure their devices. + // // This replaces `prejoinPageEnabled`. + // enabled: true, + // // List of buttons to hide from the extra join options dropdown. + // hideExtraJoinButtons: ['no-audio', 'by-phone'] + // }, + + // When 'true', the user cannot edit the display name. + // (Mainly useful when used in conjuction with the JWT so the JWT name becomes read only.) + // readOnlyName: false, // If etherpad integration is enabled, setting this to true will // automatically open the etherpad when a participant joins. This @@ -414,6 +531,10 @@ var config = { // Base URL for a Gravatar-compatible service. Defaults to libravatar. // gravatarBaseURL: 'https://seccdn.libravatar.org/avatar/', + // App name to be displayed in the invitation email subject, as an alternative to + // interfaceConfig.APP_NAME. + // inviteAppName: null, + // Moved from interfaceConfig(TOOLBAR_BUTTONS). // The name of the toolbar buttons to display in the toolbar, including the // "More actions" menu. If present, the button will display. Exceptions are 
@@ -426,13 +547,94 @@ var config = { // - 'desktop' controls the "Share your screen" button // - if `toolbarButtons` is undefined, we fallback to enabling all buttons on the UI // toolbarButtons: [ - // 'microphone', 'camera', 'closedcaptions', 'desktop', 'embedmeeting', 'fullscreen', - // 'fodeviceselection', 'hangup', 'profile', 'chat', 'recording', - // 'livestreaming', 'etherpad', 'sharedvideo', 'shareaudio', 'settings', 'raisehand', - // 'videoquality', 'filmstrip', 'invite', 'feedback', 'stats', 'shortcuts', - // 'tileview', 'select-background', 'download', 'help', 'mute-everyone', 'mute-video-everyone', 'security' + // 'camera', + // 'chat', + // 'closedcaptions', + // 'desktop', + // 'download', + // 'embedmeeting', + // 'etherpad', + // 'feedback', + // 'filmstrip', + // 'fullscreen', + // 'hangup', + // 'help', + // 'invite', + // 'livestreaming', + // 'microphone', + // 'mute-everyone', + // 'mute-video-everyone', + // 'participants-pane', + // 'profile', + // 'raisehand', + // 'recording', + // 'security', + // 'select-background', + // 'settings', + // 'shareaudio', + // 'sharedvideo', + // 'shortcuts', + // 'stats', + // 'tileview', + // 'toggle-camera', + // 'videoquality', + // '__end' // ], + // Holds values related to toolbar visibility control. + // toolbarConfig: { + // // Moved from interfaceConfig.INITIAL_TOOLBAR_TIMEOUT + // // The initial numer of miliseconds for the toolbar buttons to be visible on screen. + // initialTimeout: 20000, + // // Moved from interfaceConfig.TOOLBAR_TIMEOUT + // // Number of miliseconds for the toolbar buttons to be visible on screen. + // timeout: 4000, + // // Moved from interfaceConfig.TOOLBAR_ALWAYS_VISIBLE + // // Whether toolbar should be always visible or should hide after x miliseconds. + // alwaysVisible: false + // }, + + // Toolbar buttons which have their click event exposed through the API on + // `toolbarButtonClicked` event instead of executing the normal click routine. 
+ // buttonsWithNotifyClick: [ + // 'camera', + // 'chat', + // 'closedcaptions', + // 'desktop', + // 'download', + // 'embedmeeting', + // 'etherpad', + // 'feedback', + // 'filmstrip', + // 'fullscreen', + // 'hangup', + // 'help', + // 'invite', + // 'livestreaming', + // 'microphone', + // 'mute-everyone', + // 'mute-video-everyone', + // 'participants-pane', + // 'profile', + // 'raisehand', + // 'recording', + // 'security', + // 'select-background', + // 'settings', + // 'shareaudio', + // 'sharedvideo', + // 'shortcuts', + // 'stats', + // 'tileview', + // 'toggle-camera', + // 'videoquality', + // '__end' + // ], + + // List of pre meeting screens buttons to hide. The values must be one or more of the 5 allowed buttons: + // 'microphone', 'camera', 'select-background', 'invite', 'settings' + // hiddenPremeetingButtons: [], + // Stats // 
@@ -450,12 +652,37 @@ var config = { // callStatsID: '', // callStatsSecret: '', + // The callstats initialize config params as described in the API: + // https://docs.callstats.io/docs/javascript#callstatsinitialize-with-app-secret + // callStatsConfigParams: { + // disableBeforeUnloadHandler: true, // disables callstats.js's window.onbeforeunload parameter. + // applicationVersion: "app_version", // Application version specified by the developer. + // disablePrecalltest: true, // disables the pre-call test, it is enabled by default. + // siteID: "siteID", // The name/ID of the site/campus from where the call/pre-call test is made. + // additionalIDs: { // additionalIDs object, contains application related IDs. + // customerID: "Customer Identifier. Example, walmart.", + // tenantID: "Tenant Identifier. Example, monster.", + // productName: "Product Name. Example, Jitsi.", + // meetingsName: "Meeting Name. Example, Jitsi loves callstats.", + // serverName: "Server/MiddleBox Name. Example, jvb-prod-us-east-mlkncws12.", + // pbxID: "PBX Identifier. Example, walmart.", + // pbxExtensionID: "PBX Extension Identifier. Example, 5625.", + // fqExtensionID: "Fully qualified Extension Identifier. Example, +71 (US) +5625.", + // sessionID: "Session Identifier. Example, session-12-34" + // }, + // collectLegacyStats: true, //enables the collection of legacy stats in chrome browser + // collectIP: true //enables the collection localIP address + // }, + // Enables sending participants' display names to callstats // enableDisplayNameInStats: false, // Enables sending participants' emails (if available) to callstats and other analytics // enableEmailInStats: false, + // Enables detecting faces of participants and get their expression and send it to other participants + // enableFacialRecognition: true, + // Controls the percentage of automatic feedback shown to participants when callstats is enabled. // The default value is 100%. 
If set to 0, no automatic feedback will be requested // feedbackPercentage: 100, @@ -481,12 +708,8 @@ var config = { // connection. enabled: true, - // The STUN servers that will be used in the peer to peer connections - stunServers: [ - - // { urls: 'stun:jitsi-meet.example.com:3478' }, - { urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' } - ] + // Enable unified plan implementation support on Chromium for p2p connection. + // enableUnifiedOnChrome: false, // Sets the ICE transport policy for the p2p connection. At the time // of this writing the list of possible values are 'all' and 'relay', @@ -513,10 +736,20 @@ var config = { // How long we're going to wait, before going back to P2P after the 3rd // participant has left the conference (to filter out page reload). - // backToP2PDelay: 5 + // backToP2PDelay: 5, + + // The STUN servers that will be used in the peer to peer connections + stunServers: [ + + // { urls: 'stun:jitsi-meet.example.com:3478' }, + { urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' } + ] }, analytics: { + // True if the analytics should be disabled + // disabled: false, + // The Google Analytics Tracking ID: // googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1' @@ -532,7 +765,7 @@ var config = { // module connects to the provided rtcstatsEndpoint and sends statistics regarding // PeerConnection states along with getStats metrics polled at the specified // interval. - // rtcstatsEnabled: true, + // rtcstatsEnabled: false, // In order to enable rtcstats one needs to provide a endpoint url. // rtcstatsEndpoint: wss://rtcstats-server-pilot.jitsi.net/, 
@@ -560,13 +793,43 @@ var config = { // userRegion: "asia" }, + // Array of disabled sounds. + // Possible values: + // - 'ASKED_TO_UNMUTE_SOUND' + // - 'E2EE_OFF_SOUND' + // - 'E2EE_ON_SOUND' + // - 'INCOMING_MSG_SOUND' + // - 'KNOCKING_PARTICIPANT_SOUND' + // - 'LIVE_STREAMING_OFF_SOUND' + // - 'LIVE_STREAMING_ON_SOUND' + // - 'NO_AUDIO_SIGNAL_SOUND' + // - 'NOISY_AUDIO_INPUT_SOUND' + // - 'OUTGOING_CALL_EXPIRED_SOUND' + // - 'OUTGOING_CALL_REJECTED_SOUND' + // - 'OUTGOING_CALL_RINGING_SOUND' + // - 'OUTGOING_CALL_START_SOUND' + // - 'PARTICIPANT_JOINED_SOUND' + // - 'PARTICIPANT_LEFT_SOUND' + // - 'RAISE_HAND_SOUND' + // - 'REACTION_SOUND' + // - 'RECORDING_OFF_SOUND' + // - 'RECORDING_ON_SOUND' + // - 'TALK_WHILE_MUTED_SOUND' + // disabledSounds: [], + + // DEPRECATED! Use `disabledSounds` instead. // Decides whether the start/stop recording audio notifications should play on record. // disableRecordAudioNotification: false, + // DEPRECATED! Use `disabledSounds` instead. // Disables the sounds that play when other participants join or leave the // conference (if set to true, these sounds will not be played). // disableJoinLeaveSounds: false, + // DEPRECATED! Use `disabledSounds` instead. + // Disables the sounds that play when a chat message is received. + // disableIncomingMessageSound: false, + // Information for the chrome extension banner // chromeExtensionBanner: { // // The chrome extension to be installed address @@ -587,8 +850,8 @@ var config = { // localRecording: { // Enables local recording. // Additionally, 'localrecording' (all lowercase) needs to be added to - // TOOLBAR_BUTTONS in interface_config.js for the Local Recording - // button to show up on the toolbar. + // the `toolbarButtons`-array for the Local Recording button to show up + // on the toolbar. // // enabled: true, // 
@@ -597,6 +860,10 @@ var config = { // format: 'flac' // + // }, + // e2ee: { + // labels, + // externallyManagedKey: false // }, // Options related to end-to-end (participant to participant) ping. @@ -651,7 +918,9 @@ var config = { // Options related to the remote participant menu. // remoteVideoMenu: { // // If set to true the 'Kick out' button will be disabled. - // disableKick: true + // disableKick: true, + // // If set to true the 'Grant moderator' button will be disabled. + // disableGrantModerator: true // }, // If set to true all muting operations of remote participants will be disabled. 
@@ -663,20 +932,67 @@ var config = { /** External API url used to receive branding specific information. If there is no url set or there are missing fields, the defaults are applied. + The config file should be in JSON. None of the fields are mandatory and the response must have the shape: - { - // The hex value for the colour used as background - backgroundColor: '#fff', - // The url for the image used as background - backgroundImageUrl: 'https://example.com/background-img.png', - // The anchor url used when clicking the logo image - logoClickUrl: 'https://example-company.org', - // The url used for the image used as logo - logoImageUrl: 'https://example.com/logo-img.png' - } + { + // The domain url to apply (will replace the domain in the sharing conference link/embed section) + inviteDomain: 'example-company.org, + // The hex value for the colour used as background + backgroundColor: '#fff', + // The url for the image used as background + backgroundImageUrl: 'https://example.com/background-img.png', + // The anchor url used when clicking the logo image + logoClickUrl: 'https://example-company.org', + // The url used for the image used as logo + logoImageUrl: 'https://example.com/logo-img.png', + // Overwrite for pool of background images for avatars + avatarBackgrounds: ['url(https://example.com/avatar-background-1.png)', '#FFF'], + // The lobby/prejoin screen background + premeetingBackground: 'url(https://example.com/premeeting-background.png)', + // A list of images that can be used as video backgrounds. + // When this field is present, the default images will be replaced with those provided. + virtualBackgrounds: ['https://example.com/img.jpg'], + // Object containing a theme's properties. It also supports partial overwrites of the main theme. 
+ // For a list of all possible theme tokens and their current defaults, please check: + // https://github.com/jitsi/jitsi-meet/tree/master/resources/custom-theme/custom-theme.json + // For a short explanations on each of the tokens, please check: + // https://github.com/jitsi/jitsi-meet/blob/master/react/features/base/ui/Tokens.js + // IMPORTANT!: This is work in progress so many of the various tokens are not yet applied in code + // or they are partially applied. + customTheme: { + palette: { + ui01: "orange !important", + ui02: "maroon", + surface02: 'darkgreen', + ui03: "violet", + ui04: "magenta", + ui05: "blueviolet", + field02Hover: 'red', + action01: 'green', + action01Hover: 'lightgreen', + action02Disabled: 'beige', + success02: 'cadetblue', + action02Hover: 'aliceblue' + }, + typography: { + labelRegular: { + fontSize: 25, + lineHeight: 30, + fontWeight: 500 + } + } + } + } */ // dynamicBrandingUrl: '', + // When true the user cannot add more images to be used as virtual background. + // Only the default ones from will be available. + // disableAddingBackgroundImages: false, + + // Disables using screensharing as virtual background. + // disableScreensharingVirtualBackground: false, + // Sets the background transparency level. '0' is fully transparent, '1' is opaque. // backgroundAlpha: 1, 
@@ -688,12 +1004,35 @@ var config = { // If true, tile view will not be enabled automatically when the participants count threshold is reached. // disableTileView: true, + // If true, the tiles will be displayed contained within the available space rather than enlarged to cover it. + // disableTileEnlargement: true, + + // Controls the visibility and behavior of the top header conference info labels. + // If a label's id is not in any of the 2 arrays, it will not be visible at all on the header. + // conferenceInfo: { + // // those labels will not be hidden in tandem with the toolbox. + // alwaysVisible: ['recording', 'local-recording'], + // // those labels will be auto-hidden in tandem with the toolbox buttons. + // autoHide: [ + // 'subject', + // 'conference-timer', + // 'participants-count', + // 'e2ee', + // 'transcribing', + // 'video-quality', + // 'insecure-room' + // ] + // }, + // Hides the conference subject // hideConferenceSubject: true, // Hides the conference timer. // hideConferenceTimer: true, + // Hides the recording label + // hideRecordingLabel: false, + // Hides the participants stats // hideParticipantsStats: true, @@ -705,6 +1044,13 @@ var config = { // is not persisting the local storage inside the iframe. // useHostPageLocalStorage: true, + // etherpad ("shared document") integration. + // + + // If set, add a "Open shared document" link to the bottom right menu that + // will open an etherpad document. + // etherpad_base: 'https://your-etherpad-installati.on/p/', + // List of undocumented settings used in jitsi-meet /** _immediateReloadThreshold @@ -717,8 +1063,8 @@ var config = { dialOutCodesUrl disableRemoteControl displayJids - etherpad_base externalConnectUrl + e2eeLabels firefox_fake_device googleApiApplicationClientID iAmRecorder 
@@ -760,6 +1106,11 @@ var config = { websocketKeepAliveUrl */ + /** + * Default interval (milliseconds) for triggering mouseMoved iframe API event + */ + mouseMoveCallbackInterval: 1000, + /** Use this array to configure which notifications will be shown to the user The items correspond to the title or description key of that notification @@ -793,11 +1144,19 @@ var config = { // 'lobby.notificationTitle', // shown when lobby is toggled and when join requests are allowed / denied // 'localRecording.localRecording', // shown when a local recording is started // 'notify.disconnected', // shown when a participant has left + // 'notify.connectedOneMember', // show when a participant joined + // 'notify.connectedTwoMembers', // show when two participants joined simultaneously + // 'notify.connectedThreePlusMembers', // show when more than 2 participants joined simultaneously // 'notify.grantedTo', // shown when moderator rights were granted to a participant // 'notify.invitedOneMember', // shown when 1 participant has been invited // 'notify.invitedThreePlusMembers', // shown when 3+ participants have been invited // 'notify.invitedTwoMembers', // shown when 2 participants have been invited // 'notify.kickParticipant', // shown when a participant is kicked + // 'notify.moderationStartedTitle', // shown when AV moderation is activated + // 'notify.moderationStoppedTitle', // shown when AV moderation is deactivated + // 'notify.moderationInEffectTitle', // shown when user attempts to unmute audio during AV moderation + // 'notify.moderationInEffectVideoTitle', // shown when user attempts to enable video during AV moderation + // 'notify.moderationInEffectCSTitle', // shown when user attempts to share content during AV moderation // 'notify.mutedRemotelyTitle', // shown when user is muted by a remote party // 'notify.mutedTitle', // shown when user has been muted upon joining, // 'notify.newDeviceAudioTitle', // prompts the user to use a newly detected audio device 
@@ -806,6 +1165,7 @@ var config = { // 'notify.passwordSetRemotely', // shown when a password has been set remotely // 'notify.raisedHand', // shown when a partcipant used raise hand, // 'notify.startSilentTitle', // shown when user joined with no audio + // 'notify.unmute', // shown to moderator when user raises hand during AV moderation // 'prejoin.errorDialOut', // 'prejoin.errorDialOutDisconnected', // 'prejoin.errorDialOutFailed', @@ -819,7 +1179,13 @@ var config = { // 'toolbar.noisyAudioInputTitle', // shown when noise is detected for the current microphone // 'toolbar.talkWhileMutedPopup', // shown when user tries to speak while muted // 'transcribing.failedToStart' // shown when transcribing fails to start - // ] + // ], + + // Prevent the filmstrip from autohiding when screen width is under a certain threshold + // disableFilmstripAutohiding: false, + + // Specifies whether the chat emoticons are disabled or not + // disableChatSmileys: false, // Allow all above example options to include a trailing comma and // prevent fear when commenting out the last value. diff --git a/type/__jitsi_meet_domain/files/interface_config.js.sh b/type/__jitsi_meet_domain/files/interface_config.js.sh index 2a65bfc..abcf68b 100644 --- a/type/__jitsi_meet_domain/files/interface_config.js.sh +++ b/type/__jitsi_meet_domain/files/interface_config.js.sh 
@@ -36,42 +36,13 @@ var interfaceConfig = { BRAND_WATERMARK_LINK: '', CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it - /** - * Whether the connection indicator icon should hide itself based on - * connection strength. If true, the connection indicator will remain - * displayed while the participant has a weak connection and will hide - * itself after the CONNECTION_INDICATOR_HIDE_TIMEOUT when the connection is - * strong. - * - * @type {boolean} - */ - CONNECTION_INDICATOR_AUTO_HIDE_ENABLED: true, - - /** - * How long the connection indicator should remain displayed before hiding. - * Used in conjunction with CONNECTION_INDICATOR_AUTOHIDE_ENABLED. - * - * @type {number} - */ - CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT: 5000, - - /** - * If true, hides the connection indicators completely. - * - * @type {boolean} - */ - CONNECTION_INDICATOR_DISABLED: false, DEFAULT_BACKGROUND: '#474747', - DEFAULT_LOCAL_DISPLAY_NAME: 'me', DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}', - DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster', DEFAULT_WELCOME_PAGE_LOGO_URL: '${BRANDING_WATERMARK_PATH}', DISABLE_DOMINANT_SPEAKER_INDICATOR: false, - DISABLE_FOCUS_INDICATOR: false, - /** * If true, notifications regarding joining/leaving are no longer displayed. */ @@ -127,7 +98,6 @@ var interfaceConfig = { */ HIDE_INVITE_MORE_HEADER: false, - INITIAL_TOOLBAR_TIMEOUT: 20000, JITSI_WATERMARK_LINK: 'https://jitsi.org', LANG_DETECTION: true, // Allow i18n to detect the system language 
@@ -196,10 +166,10 @@ var interfaceConfig = { SHOW_BRAND_WATERMARK: false, /** - * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting. - * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s) - * being already installed is done before rendering. - */ + * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting. + * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s) + * being already installed is done before rendering. + */ SHOW_CHROME_EXTENSION_BANNER: false, SHOW_DEEP_LINKING_IMAGE: false, @@ -213,16 +183,6 @@ var interfaceConfig = { */ SUPPORT_URL: 'https://community.jitsi.org/', - TOOLBAR_ALWAYS_VISIBLE: false, - - /** - * DEPRECATED! - * This config was moved to config.js as \`toolbarButtons\`. - */ - // TOOLBAR_BUTTONS: [], - - TOOLBAR_TIMEOUT: 4000, - // Browsers, in addition to those which do not fully support WebRTC, that // are not supported and should show the unsupported browser page. UNSUPPORTED_BROWSERS: [], 
@@ -274,19 +234,40 @@ var interfaceConfig = { */ // ANDROID_APP_PACKAGE: 'org.jitsi.meet', - /** - * Override the behavior of some notifications to remain displayed until - * explicitly dismissed through a user action. The value is how long, in - * milliseconds, those notifications should remain displayed. - */ - // ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000, - // List of undocumented settings /** INDICATOR_FONT_SIZES PHONE_NUMBER_REGEX */ + // -----------------DEPRECATED CONFIGS BELOW THIS LINE----------------------------- + + // Connection indicators ( + // CONNECTION_INDICATOR_AUTO_HIDE_ENABLED, + // CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT, + // CONNECTION_INDICATOR_DISABLED) got moved to config.js. + + // Please use disableModeratorIndicator from config.js + // DISABLE_FOCUS_INDICATOR: false, + + // Please use defaultLocalDisplayName from config.js + // DEFAULT_LOCAL_DISPLAY_NAME: 'me', + + // Please use defaultRemoteDisplayName from config.js + // DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster', + + // Moved to config.js as \`toolbarConfig.initialTimeout\`. + // INITIAL_TOOLBAR_TIMEOUT: 20000, + + // Moved to config.js as \`toolbarConfig.alwaysVisible\`. + // TOOLBAR_ALWAYS_VISIBLE: false, + + // This config was moved to config.js as \`toolbarButtons\`. + // TOOLBAR_BUTTONS: [], + + // Moved to config.js as \`toolbarConfig.timeout\`. + // TOOLBAR_TIMEOUT: 4000, + // Allow all above example options to include a trailing comma and // prevent fear when commenting out the last value. // eslint-disable-next-line sort-keys diff --git a/type/__jitsi_meet_domain/files/interface_config.js.sh.orig b/type/__jitsi_meet_domain/files/interface_config.js.sh.orig index fb8dd48..c3a76af 100644 --- a/type/__jitsi_meet_domain/files/interface_config.js.sh.orig +++ b/type/__jitsi_meet_domain/files/interface_config.js.sh.orig 
@@ -25,42 +25,13 @@ var interfaceConfig = { BRAND_WATERMARK_LINK: '', CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it - /** - * Whether the connection indicator icon should hide itself based on - * connection strength. If true, the connection indicator will remain - * displayed while the participant has a weak connection and will hide - * itself after the CONNECTION_INDICATOR_HIDE_TIMEOUT when the connection is - * strong. - * - * @type {boolean} - */ - CONNECTION_INDICATOR_AUTO_HIDE_ENABLED: true, - - /** - * How long the connection indicator should remain displayed before hiding. - * Used in conjunction with CONNECTION_INDICATOR_AUTOHIDE_ENABLED. - * - * @type {number} - */ - CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT: 5000, - - /** - * If true, hides the connection indicators completely. - * - * @type {boolean} - */ - CONNECTION_INDICATOR_DISABLED: false, DEFAULT_BACKGROUND: '#474747', - DEFAULT_LOCAL_DISPLAY_NAME: 'me', DEFAULT_LOGO_URL: 'images/watermark.svg', - DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster', DEFAULT_WELCOME_PAGE_LOGO_URL: 'images/watermark.svg', DISABLE_DOMINANT_SPEAKER_INDICATOR: false, - DISABLE_FOCUS_INDICATOR: false, - /** * If true, notifications regarding joining/leaving are no longer displayed. */ @@ -116,7 +87,6 @@ var interfaceConfig = { */ HIDE_INVITE_MORE_HEADER: false, - INITIAL_TOOLBAR_TIMEOUT: 20000, JITSI_WATERMARK_LINK: 'https://jitsi.org', LANG_DETECTION: true, // Allow i18n to detect the system language 
@@ -185,10 +155,10 @@ var interfaceConfig = { SHOW_BRAND_WATERMARK: false, /** - * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting. - * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s) - * being already installed is done before rendering. - */ + * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting. + * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s) + * being already installed is done before rendering. + */ SHOW_CHROME_EXTENSION_BANNER: false, SHOW_DEEP_LINKING_IMAGE: false, @@ -202,16 +172,6 @@ var interfaceConfig = { */ SUPPORT_URL: 'https://community.jitsi.org/', - TOOLBAR_ALWAYS_VISIBLE: false, - - /** - * DEPRECATED! - * This config was moved to config.js as `toolbarButtons`. - */ - // TOOLBAR_BUTTONS: [], - - TOOLBAR_TIMEOUT: 4000, - // Browsers, in addition to those which do not fully support WebRTC, that // are not supported and should show the unsupported browser page. UNSUPPORTED_BROWSERS: [], 
@@ -263,19 +223,40 @@ var interfaceConfig = { */ // ANDROID_APP_PACKAGE: 'org.jitsi.meet', - /** - * Override the behavior of some notifications to remain displayed until - * explicitly dismissed through a user action. The value is how long, in - * milliseconds, those notifications should remain displayed. - */ - // ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000, - // List of undocumented settings /** INDICATOR_FONT_SIZES PHONE_NUMBER_REGEX */ + // -----------------DEPRECATED CONFIGS BELOW THIS LINE----------------------------- + + // Connection indicators ( + // CONNECTION_INDICATOR_AUTO_HIDE_ENABLED, + // CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT, + // CONNECTION_INDICATOR_DISABLED) got moved to config.js. + + // Please use disableModeratorIndicator from config.js + // DISABLE_FOCUS_INDICATOR: false, + + // Please use defaultLocalDisplayName from config.js + // DEFAULT_LOCAL_DISPLAY_NAME: 'me', + + // Please use defaultRemoteDisplayName from config.js + // DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster', + + // Moved to config.js as `toolbarConfig.initialTimeout`. + // INITIAL_TOOLBAR_TIMEOUT: 20000, + + // Moved to config.js as `toolbarConfig.alwaysVisible`. + // TOOLBAR_ALWAYS_VISIBLE: false, + + // This config was moved to config.js as `toolbarButtons`. + // TOOLBAR_BUTTONS: [], + + // Moved to config.js as `toolbarConfig.timeout`. + // TOOLBAR_TIMEOUT: 4000, + // Allow all above example options to include a trailing comma and // prevent fear when commenting out the last value. // eslint-disable-next-line sort-keys diff --git a/type/__jitsi_meet_domain/files/nginx.sh b/type/__jitsi_meet_domain/files/nginx.sh index 8b124e2..6e874c1 100644 --- a/type/__jitsi_meet_domain/files/nginx.sh +++ b/type/__jitsi_meet_domain/files/nginx.sh 
@@ -2,6 +2,14 @@ # shellcheck disable=SC2034 # This is intended to be included JITSI_NGINX_CONFIG="$(cat < Date: Thu, 23 Dec 2021 10:46:21 +0100 Subject: [PATCH 13/24] __matrix_synapse: add --saml2-sp-key and --saml2-sp-cert flags --- type/__matrix_synapse/files/homeserver.yaml.sh | 7 +++++++ type/__matrix_synapse/man.rst | 6 ++++++ type/__matrix_synapse/manifest | 18 ++++++++++++++++++ type/__matrix_synapse/parameter/optional | 2 ++ 4 files changed, 33 insertions(+) diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh index 2e7670e..f0df206 100755 --- a/type/__matrix_synapse/files/homeserver.yaml.sh +++ b/type/__matrix_synapse/files/homeserver.yaml.sh @@ -1727,6 +1727,13 @@ if [ -n "$SAML2_IDP_METADATA_URL" ]; then EOF fi +if [ -n "$SAML2_SP_CERT" ] || [ -n "$SAML2_SP_KEY" ]; then + cat << EOF + key_file: "$SAML2_SP_KEY" + cert_file: "$SAML2_SP_CERT" +EOF +fi + cat << EOF # Allowed clock difference in seconds between the homeserver and IdP. # diff --git a/type/__matrix_synapse/man.rst b/type/__matrix_synapse/man.rst index c368755..125a9ac 100644 --- a/type/__matrix_synapse/man.rst +++ b/type/__matrix_synapse/man.rst @@ -192,6 +192,12 @@ bind-address saml2-idp-metadata-url HTTP(S) url to SAML2 Identity Provider (IdP), used for Single Sign On (SSO) logic. +saml2-sp-key + Path to PEM-formatted key file for use by PySAML2. + +saml2-sp-cert + Path to PEM-formatted cert file for use by PySAML2. + extra-setting Arbitrary string to be added to the configuration file. Can be specified multiple times. diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index 8ba9152..078d395 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest 
@@ -200,6 +200,24 @@ if [ -f "$__object/parameter/saml2-idp-metadata-url" ]; then
 export SAML2_IDP_METADATA_URL
 fi
+if [ -f "$__object/parameter/saml2-sp-key" ]; then
+ SAML2_SP_KEY=$(cat "$__object/parameter/saml2-sp-key")
+ export SAML2_SP_KEY
+fi
+
+if [ -f "$__object/parameter/saml2-sp-cert" ]; then
+ SAML2_SP_CERT=$(cat "$__object/parameter/saml2-sp-cert")
+ export SAML2_SP_CERT
+fi
+
+if [ -n "$SAML2_SP_KEY" ] && [ -z "$SAML2_SP_CERT" ]; then
+ echo "--saml2-sp-cert must be set if --saml2-sp-key is provided." >&2
+ exit 1
+elif [ -n "$SAML2_SP_CERT" ] && [ -z "$SAML2_SP_KEY" ]; then
+ echo "--saml2-sp-key must be set if --saml2-sp-cert is provided." >&2
+ exit 1
+fi
+
 if [ -f "$__object/parameter/default-identity-server" ]; then
 DEFAULT_IDENTITY_SERVER=$(cat "$__object/parameter/default-identity-server")
 export DEFAULT_IDENTITY_SERVER
diff --git a/type/__matrix_synapse/parameter/optional b/type/__matrix_synapse/parameter/optional
index 599e00b..be44ca7 100644
--- a/type/__matrix_synapse/parameter/optional
+++ b/type/__matrix_synapse/parameter/optional
@@ -37,4 +37,6 @@ tls-cert
 tls-private-key
 registration-shared-secret
 saml2-idp-metadata-url
+saml2-sp-key
+saml2-sp-cert
 default-identity-server
From afe76af6792d260edc8f082188550a5431a36ed8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?=
Date: Thu, 23 Dec 2021 12:30:58 +0100
Subject: [PATCH 14/24] __matterbridge: add support for ubuntu, fix configuration via STDIN
---
 type/__matterbridge/manifest | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/type/__matterbridge/manifest b/type/__matterbridge/manifest
index ef02112..2b5738b 100755
--- a/type/__matterbridge/manifest
+++ b/type/__matterbridge/manifest
@@ -20,7 +20,7 @@ os=$(cat "$__global/explorer/os")
 case "$os" in
- debian)
+ debian|ubuntu)
 # This type assume systemd for service installation.
 ;;
 *)
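Review bot: The new `saml2-sp-key`/`saml2-sp-cert` blocks only forward paths; nothing checks that the files exist on the target or that the private key is readable by the synapse user alone, so a missing or world-readable key surfaces only when Synapse starts, or not at all. Since this is the SP's private key, man.rst should state the contract, e.g. `Path to PEM-formatted key file for use by PySAML2. The file must already exist on the target and should be readable only by the synapse user; this type does not deploy it.` The matching `key_file:`/`cert_file:` lines in the homeserver.yaml.sh hunk interpolate these paths into double-quoted YAML scalars without escaping, so the same entry should say the paths may not contain `"` or `\`. The both-or-neither check here is good; because it guarantees the two are set together, the `||` in homeserver.yaml.sh could be `&&` to state that intent.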
@@ -31,11 +31,13 @@ case "$os" in esac # Required parameters. -VERSION=$(cat "$__object/parameter/version") +version=$(cat "$__object/parameter/version") if [ -f "$__object/parameter/config" ]; then - CONFIG="$(cat "$__object/parameter/config")" - if [ "$CONFIG" = "-" ]; then - CONFIG=$(cat "$__object/stdin") + config="$(cat "$__object/parameter/config")" + if [ "$config" = "-" ]; then + mkdir -p "$__object/files" + config="$__object/files/matterbridge.toml" + cat "$__object/stdin" > "$config" fi fi @@ -46,11 +48,11 @@ export USER=matterbridge export GROUP=$USER # Internal variables. -artefact="matterbridge-$VERSION-linux-64bit" +artefact="matterbridge-$version-linux-64bit" checksum_file="checksums.txt" release_download_url=https://github.com/42wim/matterbridge/releases/download -binary_url="$release_download_url/v$VERSION/$artefact" -checksum_file_url="$release_download_url/v$VERSION/$checksum_file" +binary_url="$release_download_url/v$version/$artefact" +checksum_file_url="$release_download_url/v$version/$checksum_file" config_dir=$(dirname $CONFIG_PATH) systemd_unit_path='/etc/systemd/system/matterbridge.service' @@ -88,7 +90,7 @@ require="__user/$USER" __directory "$config_dir" \ require="__directory/$config_dir" __file "$CONFIG_PATH" \ --owner "$USER" \ --mode 0640 \ - --source "$CONFIG" + --source "$config" __file "$systemd_unit_path" \ --source "$__object/files/matterbridge.service" From c4667331118807df4adb47de8ff87bdae7cbff43 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Fri, 7 Jan 2022 11:42:13 +0100 Subject: [PATCH 15/24] __matrix_synapse: add --enable-3pid-lookups flag, normalize indentation --- .../__matrix_synapse/files/homeserver.yaml.sh | 2 +- type/__matrix_synapse/man.rst | 3 + type/__matrix_synapse/manifest | 68 ++++++++++--------- type/__matrix_synapse/parameter/boolean | 1 + 4 files changed, 42 insertions(+), 32 deletions(-) 
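Review bot: The STDIN branch now materialises the configuration as `$__object/files/matterbridge.toml` and the `__file "$CONFIG_PATH"` call in the last hunk deploys it with `--mode 0640 --owner "$USER"` but no `--group`, so which group can read a file that normally carries bridge tokens is left to `__file`'s default; adding `--group "$GROUP"` (the `GROUP=$USER` export already exists) pins it. `config` is still unset when `--config` is omitted, so `--source "$config"` passes an empty path exactly as `$CONFIG` did before the rename; if `config` is optional, the `__file` call needs a guard, otherwise the parameter should be declared required.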
diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh index f0df206..6437f1b 100755 --- a/type/__matrix_synapse/files/homeserver.yaml.sh +++ b/type/__matrix_synapse/files/homeserver.yaml.sh @@ -1334,7 +1334,7 @@ fi cat << EOF # Enable 3PIDs lookup requests to identity servers from this server. # -#enable_3pid_lookup: true +enable_3pid_lookup: ${ENABLE_3PID_LOOKUPS:?} # If set, allows registration of standard or admin accounts by anyone who # has the shared secret, even if registration is otherwise disabled. diff --git a/type/__matrix_synapse/man.rst b/type/__matrix_synapse/man.rst index 125a9ac..dbcc993 100644 --- a/type/__matrix_synapse/man.rst +++ b/type/__matrix_synapse/man.rst @@ -239,6 +239,9 @@ allow-public-rooms-without-auth enable-server-notices Enable the server notices room. +enable-3pid-lookups + Enable 3PIDs lookup requests to identity servers from this server. + allow-guest-access Allows users to register as guests without a password/email/etc, and participate in rooms hosted on this server which have been made accessible diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index 078d395..70232a8 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest @@ -37,7 +37,7 @@ case "$os" in --uri https://packages.matrix.org/debian/ \ --component main package_req="__apt_source/matrix-org" - ;; + ;; alpine) synapse_user=synapse synapse_pkg=synapse @@ -96,7 +96,7 @@ export SERVER_NAME BASE_URL REPORT_STATS MAX_UPLOAD_SIZE EXPOSE_METRICS \ WEB_CLIENT_URL ROOM_ENCRYPTION_POLICY BIND_ADDRESSES if [ -f "$__object/parameter/enable-server-notices" ]; then - export ENABLE_SERVER_NOTICES=1 + export ENABLE_SERVER_NOTICES=1 fi # TLS. 
@@ -178,51 +178,57 @@ if [ -f "$__object/parameter/registration-shared-secret" ]; then fi if [ -f "$__object/parameter/registration-requires-email" ]; then - export REGISTRATION_REQUIRES_EMAIL=1 + export REGISTRATION_REQUIRES_EMAIL=1 fi if [ -f "$__object/parameter/auto-join-room" ]; then - AUTO_JOIN_ROOMS="$(cat "$__object/parameter/auto-join-room")" - export AUTO_JOIN_ROOMS + AUTO_JOIN_ROOMS="$(cat "$__object/parameter/auto-join-room")" + export AUTO_JOIN_ROOMS fi if [ -f "$__object/parameter/registration-allows-email-pattern" ]; then - RESGISTRATION_ALLOWS_EMAIL_PATTERN=$(cat "$__object/parameter/registration-allows-email-pattern") - export RESGISTRATION_ALLOWS_EMAIL_PATTERN + RESGISTRATION_ALLOWS_EMAIL_PATTERN=$(cat "$__object/parameter/registration-allows-email-pattern") + export RESGISTRATION_ALLOWS_EMAIL_PATTERN fi if [ -f "$__object/parameter/saml2-idp-metadata-url" ]; then - # Synapse fails to start while trying to parse IDP metadata if this package - # is not installed. - __package xmlsec1 + # Synapse fails to start while trying to parse IDP metadata if this package + # is not installed. + __package xmlsec1 - SAML2_IDP_METADATA_URL=$(cat "$__object/parameter/saml2-idp-metadata-url") - export SAML2_IDP_METADATA_URL + SAML2_IDP_METADATA_URL=$(cat "$__object/parameter/saml2-idp-metadata-url") + export SAML2_IDP_METADATA_URL fi if [ -f "$__object/parameter/saml2-sp-key" ]; then - SAML2_SP_KEY=$(cat "$__object/parameter/saml2-sp-key") - export SAML2_SP_KEY + SAML2_SP_KEY=$(cat "$__object/parameter/saml2-sp-key") + export SAML2_SP_KEY fi if [ -f "$__object/parameter/saml2-sp-cert" ]; then - SAML2_SP_CERT=$(cat "$__object/parameter/saml2-sp-cert") - export SAML2_SP_CERT + SAML2_SP_CERT=$(cat "$__object/parameter/saml2-sp-cert") + export SAML2_SP_CERT fi if [ -n "$SAML2_SP_KEY" ] && [ -z "$SAML2_SP_CERT" ]; then - echo "--saml2-sp-cert must be set if --saml2-sp-key is provided." >&2 - exit 1 + echo "--saml2-sp-cert must be set if --saml2-sp-key is provided." 
>&2 + exit 1 elif [ -n "$SAML2_SP_CERT" ] && [ -z "$SAML2_SP_KEY" ]; then - echo "--saml2-sp-key must be set if --saml2-sp-cert is provided." >&2 - exit 1 + echo "--saml2-sp-key must be set if --saml2-sp-cert is provided." >&2 + exit 1 fi if [ -f "$__object/parameter/default-identity-server" ]; then - DEFAULT_IDENTITY_SERVER=$(cat "$__object/parameter/default-identity-server") - export DEFAULT_IDENTITY_SERVER + DEFAULT_IDENTITY_SERVER=$(cat "$__object/parameter/default-identity-server") + export DEFAULT_IDENTITY_SERVER fi +ENABLE_3PID_LOOKUPS='false' +if [ -f "$__object/parameter/enable-3pid-lookup" ]; then + ENABLE_3PID_LOOKUPS='true' +fi +export ENABLE_3PID_LOOKUPS + # Federation. ALLOW_PUBLIC_ROOMS_OVER_FEDERATION=$(get_boolean_for 'allow-public-room-over-federation') ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH=$(get_boolean_for 'allow-public-rooms-without-auth') @@ -321,16 +327,16 @@ export ENABLE_REPLICATION ENABLE_REDIS_SUPPORT WORKER_REPLICATION_SECRET \ case "$DATABASE_ENGINE" in sqlite3) : - ;; + ;; psycopg2) when='database engine is psycopg2' is_required_when "$DATABASE_HOST" '--database-host' "$when" is_required_when "$DATABASE_USER" '--database-user' "$when" - ;; + ;; *) echo "Invalid database engine: $DATABASE_ENGINE." >&2 exit 1 - ;; + ;; esac @@ -348,13 +354,13 @@ mkdir -p "$__object/files" "$__type/files/log.config.sh" > "$__object/files/log.config" require="$synapse_req" __file "$synapse_conf_dir/homeserver.yaml" \ - --owner $synapse_user \ - --mode 600 \ - --source "$__object/files/homeserver.yaml" + --owner $synapse_user \ + --mode 600 \ + --source "$__object/files/homeserver.yaml" require="$synapse_req" __file "$LOG_CONFIG_PATH" \ - --owner $synapse_user \ - --mode 600 \ - --source "$__object/files/log.config" + --owner $synapse_user \ + --mode 600 \ + --source "$__object/files/log.config" for directory in $DATA_DIR $LOG_DIR; do require="$synapse_req" __directory $directory \ 
diff --git a/type/__matrix_synapse/parameter/boolean b/type/__matrix_synapse/parameter/boolean
index 7ff48de..ac87271 100644
--- a/type/__matrix_synapse/parameter/boolean
+++ b/type/__matrix_synapse/parameter/boolean
@@ -17,3 +17,4 @@ user-directory-search-all-users
 enable-message-retention-policy
 worker-mode
 enable-url-preview
+enable-3pid-lookups
From 023206d3d920e3f12de4a57816977c6f38dc6f28 Mon Sep 17 00:00:00 2001
From: Joachim Desroches
Date: Mon, 4 Oct 2021 11:47:19 +0200
Subject: [PATCH 16/24] borg-repo: add ubuntu as supported OS.
---
 type/__borg_repo/manifest | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/type/__borg_repo/manifest b/type/__borg_repo/manifest
index 968066d..4e4d35e 100644
--- a/type/__borg_repo/manifest
+++ b/type/__borg_repo/manifest
@@ -3,7 +3,7 @@ os="$(cat "${__global:?}"/explorer/os)"
 case "$os" in
- "alpine")
+ "alpine"|"ubuntu")
 borg_package=borgbackup
 ;;
 *)
@@ -17,3 +17,4 @@ if [ -f "${__object:?}/parameter/owner" ]; then
 __package sudo
 fi
+
From eecb2b4629d36fd971aa5456df8dedbddf3f19e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?=
Date: Tue, 11 Jan 2022 16:12:06 +0100
Subject: [PATCH 17/24] __bird_ospf: ass -extra-area-configuration parameter
---
 type/__bird_ospf/man.rst | 13 +++++++------
 type/__bird_ospf/manifest | 17 +++++++++++++++++
 type/__bird_ospf/parameter/optional | 1 +
 type/__bird_ospf/parameter/optional_multiple | 1 +
 type/__bird_ospf/parameter/required_multiple | 1 -
 5 files changed, 26 insertions(+), 7 deletions(-)
 delete mode 100644 type/__bird_ospf/parameter/required_multiple
diff --git a/type/__bird_ospf/man.rst b/type/__bird_ospf/man.rst
index f3f4c9a..66c2e4a 100644
--- a/type/__bird_ospf/man.rst
+++ b/type/__bird_ospf/man.rst
@@ -24,12 +24,6 @@ import export The keyword or filter to decide what to export in the above channel. - -REQUIRED MULTIPLE PARAMETERS ----------------------------- -interface - An interface to include in OSPF area 0. - OPTIONAL PARAMETERS ------------------- description @@ -39,12 +33,19 @@ instance-id An OSPF instance ID, allowing several OSPF instances to run on the same links. +extra-area-configuration + Configuration string added to the `area` section of the OSPF configuration. + OPTIONAL MULTIPLE PARAMETERS ---------------------------- stubnet Add an optionless stubnet definition to the configuration. +interface + An interface to include in OSPF area 0. Is required unless + extra-area-configuration is set. + SEE ALSO -------- cdist-type__bird_core(7) diff --git a/type/__bird_ospf/manifest b/type/__bird_ospf/manifest index 211e91d..68d9c16 100755 --- a/type/__bird_ospf/manifest +++ b/type/__bird_ospf/manifest @@ -44,6 +44,21 @@ then instance_id="$(cat "${__object:?}/parameter/instance-id")" fi +extra_area_configuration= +if [ -f "${__object:?}/parameter/extra-area-configuration" ]; +then + extra_area_configuration="$(cat "${__object:?}/parameter/extra-area-configuration")" + + if [ "$extra_area_configuration" = "-" ]; then + extra_area_configuration=$(cat "$__object/stdin") + fi +fi + +if [ ! -f "${__object:?}/parameter/interface" ] && [ -z "$extra_area_configuration" ]; then + echo "Either --interface or --extra-area-configuration must be set." >&2 + exit 1 +fi + __file "${confdir:?}/ospf-${__object_id:?}.conf" \ --mode 0640 --owner root --group bird \ --source - << EOF @@ -59,6 +74,8 @@ $([ -n "${instance_id?}" ] && printf "\tinstance id %s;\n" "${instance_id?}") area 0 { $(sed -e 's/^/\t\tinterface "/' -e 's/$/";/' "${__object:?}/parameter/interface") $(sed -e 's/^/\t\tsubnet /' -e 's/$/;/' "${__object:?}/parameter/subnet") + + $extra_area_configuration }; } EOF 
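Review bot: Making `interface` optional leaves `$(sed -e 's/^/\t\tinterface "/' -e 's/$/";/' "${__object:?}/parameter/interface")` in the `area 0 {` block unconditional, so an object that relies on `--extra-area-configuration` alone makes `sed` fail on a missing file and print an error to stderr on every run. Guard it the way the `instance_id` line above does, e.g. `$([ -f "${__object:?}/parameter/interface" ] && sed -e 's/^/\t\tinterface "/' -e 's/$/";/' "${__object:?}/parameter/interface")`. The adjacent `parameter/subnet` line appears to have the same problem and does not match the `stubnet` parameter documented in man.rst, although that predates this change. In the first manifest hunk, `$(cat "$__object/stdin")` is the one place that does not use the `${__object:?}` form the rest of this manifest relies on.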
diff --git a/type/__bird_ospf/parameter/optional b/type/__bird_ospf/parameter/optional index cf6dd53..880f228 100644 --- a/type/__bird_ospf/parameter/optional +++ b/type/__bird_ospf/parameter/optional @@ -1,2 +1,3 @@ description instance-id +extra-area-configuration diff --git a/type/__bird_ospf/parameter/optional_multiple b/type/__bird_ospf/parameter/optional_multiple index ed3f25a..8e5902d 100644 --- a/type/__bird_ospf/parameter/optional_multiple +++ b/type/__bird_ospf/parameter/optional_multiple @@ -1 +1,2 @@ stubnet +interface diff --git a/type/__bird_ospf/parameter/required_multiple b/type/__bird_ospf/parameter/required_multiple deleted file mode 100644 index b529896..0000000 --- a/type/__bird_ospf/parameter/required_multiple +++ /dev/null @@ -1 +0,0 @@ -interface From b2c1fee672f3246963341e90ebf47888a46bbde0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Wed, 12 Jan 2022 16:21:17 +0100 Subject: [PATCH 18/24] __matrix_synapse: add --saml2-mapping-provider-module flag --- type/__matrix_synapse/files/homeserver.yaml.sh | 8 ++++++++ type/__matrix_synapse/man.rst | 3 +++ type/__matrix_synapse/manifest | 5 +++++ type/__matrix_synapse/parameter/optional | 1 + 4 files changed, 17 insertions(+) diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh index 6437f1b..be924d3 100755 --- a/type/__matrix_synapse/files/homeserver.yaml.sh +++ b/type/__matrix_synapse/files/homeserver.yaml.sh @@ -1808,7 +1808,15 @@ cat << EOF # The custom module's class. Uncomment to use a custom module. # #module: mapping_provider.SamlMappingProvider +EOF +if [ -n "$SAML2_MAPPING_PROVIDER_MODULE" ]; then + cat << EOF + module: "$SAML2_MAPPING_PROVIDER_MODULE" +EOF +fi + +cat << EOF # Custom configuration values for the module. Below options are # intended for the built-in provider, they should be changed if # using a custom module. This section will be passed as a Python 
diff --git a/type/__matrix_synapse/man.rst b/type/__matrix_synapse/man.rst index dbcc993..ace5ce0 100644 --- a/type/__matrix_synapse/man.rst +++ b/type/__matrix_synapse/man.rst @@ -198,6 +198,9 @@ saml2-sp-key saml2-sp-cert Path to PEM-formatted cert file for use by PySAML2. +saml2-mapping-provider-module + Name of custom Python module used to map SAML2 attributes to synapse internals. + extra-setting Arbitrary string to be added to the configuration file. Can be specified multiple times. diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index 70232a8..12f27ff 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest @@ -210,6 +210,11 @@ if [ -f "$__object/parameter/saml2-sp-cert" ]; then export SAML2_SP_CERT fi +if [ -f "$__object/parameter/saml2-mapping-provider-module" ]; then + SAML2_MAPPING_PROVIDER_MODULE=$(cat "$__object/parameter/saml2-mapping-provider-module") + export SAML2_MAPPING_PROVIDER_MODULE +fi + if [ -n "$SAML2_SP_KEY" ] && [ -z "$SAML2_SP_CERT" ]; then echo "--saml2-sp-cert must be set if --saml2-sp-key is provided." >&2 exit 1 diff --git a/type/__matrix_synapse/parameter/optional b/type/__matrix_synapse/parameter/optional index be44ca7..2e265e9 100644 --- a/type/__matrix_synapse/parameter/optional +++ b/type/__matrix_synapse/parameter/optional @@ -40,3 +40,4 @@ saml2-idp-metadata-url saml2-sp-key saml2-sp-cert default-identity-server +saml2-mapping-provider-module From 35e147752135e97f2e1873ba49c8d6d1aed5470a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Wed, 12 Jan 2022 16:21:46 +0100 Subject: [PATCH 19/24] __matrix_synapse: fix ignored --enable-3pid-lookups flag --- type/__matrix_synapse/manifest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index 12f27ff..3d62a13 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest 
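Review bot: `--saml2-mapping-provider-module` selects a Python class that Synapse imports and runs at start-up, so the value is code selection rather than plain configuration, and the man.rst entry should say so and give the expected form, e.g. `Dotted Python path (module.Class) of a custom SAML2 mapping provider, as in the sample config's mapping_provider.SamlMappingProvider. The package must already be installed in Synapse's Python environment and runs with Synapse's privileges; this type does not install or verify it.` In homeserver.yaml.sh the value is emitted as `module: "$SAML2_MAPPING_PROVIDER_MODULE"` without YAML escaping and directly beneath the commented `#module:` example; a one-line comment such as `# set from --saml2-mapping-provider-module; not YAML-escaped` would keep the two from reading as a leftover.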
@@ -229,7 +229,7 @@ if [ -f "$__object/parameter/default-identity-server" ]; then
 fi
 ENABLE_3PID_LOOKUPS='false'
-if [ -f "$__object/parameter/enable-3pid-lookup" ]; then
+if [ -f "$__object/parameter/enable-3pid-lookups" ]; then
 ENABLE_3PID_LOOKUPS='true'
 fi
 export ENABLE_3PID_LOOKUPS
From c198a74a34e7307426b80e91186d4668d8da7d87 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?=
Date: Wed, 12 Jan 2022 16:22:21 +0100
Subject: [PATCH 20/24] __matrix_element: add --identity_server_url flag
---
 type/__matrix_element/files/config.json.sh | 2 +-
 type/__matrix_element/man.rst | 6 ++++++
 type/__matrix_element/manifest | 1 +
 type/__matrix_element/parameter/optional | 1 +
 4 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/type/__matrix_element/files/config.json.sh b/type/__matrix_element/files/config.json.sh
index 9791f38..30ba9e7 100755
--- a/type/__matrix_element/files/config.json.sh
+++ b/type/__matrix_element/files/config.json.sh
@@ -52,7 +52,7 @@ cat << EOF
 "server_name": "$DEFAULT_SERVER_NAME"
 },
 "m.identity_server": {
- "base_url": "https://vector.im"
+ "base_url": "$IDENTITY_SERVER_URL"
 }
 },
 "brand": "$BRAND",
diff --git a/type/__matrix_element/man.rst b/type/__matrix_element/man.rst
index 05f0685..c91379f 100644
--- a/type/__matrix_element/man.rst
+++ b/type/__matrix_element/man.rst
@@ -27,6 +27,12 @@ default_server_name
 default_server_url
 URL of matrix homeserver to connect to, defaults to 'https://matrix-client.matrix.org'.
+identity_server_url
+ URL of matrix identity server to connect to, defaults to 'https://vector.im'.
+ See element documentation
+ `_`
+ for details.
+
 owner
 Owner of the deployed files, passed to `chown`. Defaults to 'root'.
diff --git a/type/__matrix_element/manifest b/type/__matrix_element/manifest
index 544bd96..292cefd 100755
--- a/type/__matrix_element/manifest
+++ b/type/__matrix_element/manifest
@@ -25,6 +25,7 @@ INSTALL_DIR=$(cat "$__object/parameter/install_dir")
 export DEFAULT_SERVER_NAME=$(cat "$__object/parameter/default_server_name")
 export DEFAULT_SERVER_URL=$(cat "$__object/parameter/default_server_url")
+export IDENTITY_SERVER_URL=$(cat "$__object/parameter/identity_server_url")
 export BRAND=$(cat "$__object/parameter/brand")
 export DEFAULT_COUNTRY_CODE=$(cat "$__object/parameter/default_country_code")
 export ROOM_DIRECTORY_SERVERS=$(cat "$__object/parameter/room_directory_servers")
diff --git a/type/__matrix_element/parameter/optional b/type/__matrix_element/parameter/optional
index 21a2faf..65a142b 100644
--- a/type/__matrix_element/parameter/optional
+++ b/type/__matrix_element/parameter/optional
@@ -1,5 +1,6 @@
 default_server_url
 default_server_name
+identity_server_url
 brand
 default_country_code
 privacy_policy_url
From 974e42e20e00a7e1dcf26d40aef5cc1aa34365df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?=
Date: Sun, 16 Jan 2022 12:41:03 +0100
Subject: [PATCH 21/24] __matrix_synapse: add --saml2-mapping-provider-extra-settings flag
---
 type/__matrix_synapse/files/homeserver.yaml.sh | 11 +++++++++++
 type/__matrix_synapse/man.rst | 4 ++++
 type/__matrix_synapse/manifest | 5 +++++
 type/__matrix_synapse/parameter/optional_multiple | 1 +
 4 files changed, 21 insertions(+)
diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh
index be924d3..d8e6653 100755
--- a/type/__matrix_synapse/files/homeserver.yaml.sh
+++ b/type/__matrix_synapse/files/homeserver.yaml.sh
@@ -1846,6 +1846,17 @@ cat << EOF
 # value will be used instead.
 #
 #mxid_mapping: dotreplace
+EOF
+
+if [ -n "$SAML2_MAPPING_PROVIDER_EXTRA_CONFIG" ]; then
+ echo "$SAML2_MAPPING_PROVIDER_EXTRA_CONFIG" | while IFS= read -r entry; do
+ cat << EOF
+ $entry
+EOF
+ done
+fi
+
+cat << EOF
 # In previous versions of synapse, the mapping from SAML attribute to
 # MXID was always calculated dynamically rather than stored in a
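Review bot: `export IDENTITY_SERVER_URL=$(cat "$__object/parameter/identity_server_url")` reads the parameter unconditionally, but this patch adds no `parameter/default/identity_server_url`, so when the flag is omitted `cat` fails and config.json.sh emits `"base_url": ""` — contradicting the man.rst text `defaults to 'https://vector.im'` and silently changing which identity server the client sends 3PID lookups to. Either add `type/__matrix_element/parameter/default/identity_server_url` containing `https://vector.im`, or guard the read like the `jitsi_domain` block that follows. The later PATCH 22/24 creates an empty `parameter/default/identity_server`, whose name does not match this parameter, so it does not close the gap.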
diff --git a/type/__matrix_synapse/man.rst b/type/__matrix_synapse/man.rst index ace5ce0..7da9282 100644 --- a/type/__matrix_synapse/man.rst +++ b/type/__matrix_synapse/man.rst @@ -201,6 +201,10 @@ saml2-sp-cert saml2-mapping-provider-module Name of custom Python module used to map SAML2 attributes to synapse internals. +saml2-mapping-provider-extra-settings + Extra YAML-formatted key/pair values provided as configuration to the SAML2 + mapping provider module (e.g. 'key: value'). Can be specified multiple times. + extra-setting Arbitrary string to be added to the configuration file. Can be specified multiple times. diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index 3d62a13..5a9871d 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest @@ -215,6 +215,11 @@ if [ -f "$__object/parameter/saml2-mapping-provider-module" ]; then export SAML2_MAPPING_PROVIDER_MODULE fi +if [ -f "$__object/parameter/saml2-mapping-provider-extra-config" ]; then + SAML2_MAPPING_PROVIDER_EXTRA_CONFIG=$(cat "$__object/parameter/saml2-mapping-provider-extra-config") + export SAML2_MAPPING_PROVIDER_EXTRA_CONFIG +fi + if [ -n "$SAML2_SP_KEY" ] && [ -z "$SAML2_SP_CERT" ]; then echo "--saml2-sp-cert must be set if --saml2-sp-key is provided." >&2 exit 1 diff --git a/type/__matrix_synapse/parameter/optional_multiple b/type/__matrix_synapse/parameter/optional_multiple index 8871dd6..dfd69cb 100644 --- a/type/__matrix_synapse/parameter/optional_multiple +++ b/type/__matrix_synapse/parameter/optional_multiple @@ -5,3 +5,4 @@ app-service-config-file extra-setting bind-address outbound-federation-worker +saml2-mapping-provider-extra-config From 723d7ed2508d386fc4605fafbcec6843d98d07d1 Mon Sep 17 00:00:00 2001 
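Review bot: The parameter is wired up as `saml2-mapping-provider-extra-config` in this manifest block and in parameter/optional_multiple, but man.rst and the commit subject document it as `saml2-mapping-provider-extra-settings`, so the documented flag does not exist and the working one is undocumented; one name should be used in all four files. The values are copied verbatim into homeserver.yaml next to the `#mxid_mapping:` example with no validation, so a malformed entry only fails when Synapse parses the file; the man.rst wording 'key: value' is the right constraint and is worth repeating as a comment above the `while IFS= read -r entry` loop.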
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Sun, 16 Jan 2022 14:14:42 +0100 Subject: [PATCH 22/24] __matrix_element: add more branding parameters --- type/__matrix_element/files/config.json.sh | 10 +++++++--- type/__matrix_element/man.rst | 10 ++++++++++ type/__matrix_element/manifest | 19 +++++++++++++++---- .../default/branding_welcome_background_url | 1 + .../parameter/default/identity_server | 0 type/__matrix_element/parameter/optional | 1 + 6 files changed, 34 insertions(+), 7 deletions(-) create mode 100644 type/__matrix_element/parameter/default/branding_welcome_background_url create mode 100644 type/__matrix_element/parameter/default/identity_server diff --git a/type/__matrix_element/files/config.json.sh b/type/__matrix_element/files/config.json.sh index 30ba9e7..fa30cda 100755 --- a/type/__matrix_element/files/config.json.sh +++ b/type/__matrix_element/files/config.json.sh @@ -34,12 +34,12 @@ EOF if [ "$BRANDING_AUTH_FOOTER_LINKS" != "" ]; then cat << EOF - "authFooterLinks": "$BRANDING_AUTH_FOOTER_LINKS", + "authFooterLinks": $BRANDING_AUTH_FOOTER_LINKS, EOF fi cat << EOF - "welcomeBackgroundUrl": "themes/element/img/backgrounds/lake.jpg" + "welcomeBackgroundUrl": "$BRANDING_WELCOME_BACKGROUND_URL" EOF echo '},' } @@ -85,6 +85,10 @@ cat << EOF "url": "$COOKIE_POLICY_URL", "text": "Cookie Policy" } - ] + ], + "embeddedPages": { + "welcomeUrl": "$WELCOME_PAGE_URL", + "homeUrl": "$HOME_PAGE_URL" + } } EOF diff --git a/type/__matrix_element/man.rst b/type/__matrix_element/man.rst index c91379f..0d748a3 100644 --- a/type/__matrix_element/man.rst +++ b/type/__matrix_element/man.rst 
@@ -39,6 +39,16 @@ owner brand Web UI branding, defaults to 'Element'. +branding_auth_header_logo_url + A logo image that is shown in the header during authentication flows. + +branding_welcome_background_url + An image to use as a wallpaper outside the app during authentication flows. If an array is passed, an image is chosen randomly for each visit. + +branding_auth_footer_links + a list of links to show in the authentication page footer: `[{"text": "Link + text", "url": "https://link.target"}, {"text": "Other link", ...}]` + default_country_code ISO 3166 alpha2 country code to use when showing country selectors, such as phone number inputs. Defaults to GB. diff --git a/type/__matrix_element/manifest b/type/__matrix_element/manifest index 292cefd..fe937c5 100755 --- a/type/__matrix_element/manifest +++ b/type/__matrix_element/manifest @@ -31,6 +31,7 @@ export DEFAULT_COUNTRY_CODE=$(cat "$__object/parameter/default_country_code") export ROOM_DIRECTORY_SERVERS=$(cat "$__object/parameter/room_directory_servers") export PRIVACY_POLICY_URL=$(cat "$__object/parameter/privacy_policy_url") export COOKIE_POLICY_URL=$(cat "$__object/parameter/cookie_policy_url") +export BRANDING_WELCOME_BACKGROUND_URL=$(cat "$__object/parameter/branding_welcome_background_url") if [ -f "$__object/parameter/jitsi_domain" ]; then export JITSI_DOMAIN=$(cat "$__object/parameter/jitsi_domain") 
@@ -45,14 +46,24 @@ if [ -f "$__object/parameter/branding_auth_footer_links" ]; then fi if [ -f "$__object/parameter/homepage" ]; then - export EMBED_HOMEPAGE=1 homepage=$(cat "$__object/parameter/homepage") + if [ -f "$homepage" ]; then + upload_homepage=1 + else + export HOME_PAGE_URL=$homepage + fi fi +WELCOME_PAGE_URL="welcome.html" if [ -f "$__object/parameter/welcomepage" ]; then - export EMBED_WELCOMEPAGE=1 welcomepage=$(cat "$__object/parameter/welcomepage") + if [ -f welcomepage ]; then + export UPLOAD_WELCOMEPAGE=1 + else + WELCOME_PAGE_URL=$welcomepage + fi fi +export WELCOME_PAGE_URL if [ -f "$__object/parameter/custom_asset" ]; then "$__object/parameter/custom_asset" | while IFS= read -r file; do @@ -92,14 +103,14 @@ require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/config.json" --mode 0664 \ --state present -if [ $EMBED_HOMEPAGE ]; then +if [ $upload_homepage ]; then require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/home.html" \ --source "$homepage" \ --mode 0664 \ --state present fi -if [ $EMBED_WELCOMEPAGE ]; then +if [ $upload_welcomepage ]; then require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/welcome.html" \ --source "$welcomepage" \ --mode 0664 \ diff --git a/type/__matrix_element/parameter/default/branding_welcome_background_url b/type/__matrix_element/parameter/default/branding_welcome_background_url new file mode 100644 index 0000000..5f5acef --- /dev/null +++ b/type/__matrix_element/parameter/default/branding_welcome_background_url @@ -0,0 +1 @@ +themes/element/img/backgrounds/lake.jpg diff --git a/type/__matrix_element/parameter/default/identity_server b/type/__matrix_element/parameter/default/identity_server new file mode 100644 index 0000000..e69de29 diff --git a/type/__matrix_element/parameter/optional b/type/__matrix_element/parameter/optional index 65a142b..2830f81 100644 --- a/type/__matrix_element/parameter/optional +++ b/type/__matrix_element/parameter/optional 
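Review bot: `if [ -f welcomepage ]` tests for a file literally named `welcomepage` in the current directory instead of `"$welcomepage"`, so the upload branch is practically never taken and every `--welcomepage` value is treated as a URL; on top of that the branch sets `UPLOAD_WELCOMEPAGE`, while the later hunk tests `$upload_welcomepage`, so even when the branch is taken the file is not uploaded. The homepage branch has the mirror-image gap: `upload_homepage=1` is set but `HOME_PAGE_URL` is never pointed at the uploaded `home.html`, unlike `WELCOME_PAGE_URL="welcome.html"`. The `[ -f ... ]` checks run on the cdist host, which is where `__file --source` reads from, so the check is on the right machine and deserves a comment saying so. Suggested rewrite of both branches:
```shell
if [ -f "$__object/parameter/homepage" ]; then
    homepage=$(cat "$__object/parameter/homepage")
    # Existence is checked on the cdist host, which is where __file --source reads.
    if [ -f "$homepage" ]; then
        upload_homepage=1
        HOME_PAGE_URL="home.html"
    else
        HOME_PAGE_URL=$homepage
    fi
fi
export HOME_PAGE_URL

WELCOME_PAGE_URL="welcome.html"
if [ -f "$__object/parameter/welcomepage" ]; then
    welcomepage=$(cat "$__object/parameter/welcomepage")
    if [ -f "$welcomepage" ]; then
        upload_welcomepage=1
    else
        WELCOME_PAGE_URL=$welcomepage
    fi
fi
export WELCOME_PAGE_URL
# … unchanged: custom_asset handling …
```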
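Review bot: `if [ $upload_homepage ]` and `if [ $upload_welcomepage ]` rely on word-splitting an unquoted, possibly unset variable; `[ -n "$upload_homepage" ]` states the intent and keeps working under `set -u`. Separately, `$upload_welcomepage` is never assigned anywhere in this patch (the earlier hunk sets `UPLOAD_WELCOMEPAGE` in upper case), so the `welcome.html` upload below is dead code until the two names agree.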
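Review bot: `parameter/default/identity_server` is created as an empty file although nothing in the subject, the man.rst hunk or the `parameter/optional` hunk of this commit mentions it. If `identity_server` is read with `cat` elsewhere in the manifest, an empty default makes it expand to `""` instead of leaving the parameter unset, which is a behaviour change worth confirming against that code. If it is intentional, document the parameter and its empty default in man.rst; otherwise it belongs in a separate commit.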
@@ -12,3 +12,4 @@ welcomepage
 jitsi_domain
 branding_auth_header_logo_url
 branding_auth_footer_links
+branding_welcome_background_url
From 287d8df9bd1682e4bc1f0bdd5d39c05a5b58271c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?=
Date: Mon, 24 Jan 2022 08:56:12 +0100
Subject: [PATCH 23/24] __matrix_synapse: set message min lifetime (although currently ignored by synapse)
---
 type/__matrix_synapse/files/homeserver.yaml.sh | 2 +-
 type/__matrix_synapse/manifest | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh
index d8e6653..bc8cff0 100755
--- a/type/__matrix_synapse/files/homeserver.yaml.sh
+++ b/type/__matrix_synapse/files/homeserver.yaml.sh
@@ -448,7 +448,7 @@ retention:
 # matter much because Synapse doesn't take it into account yet.
 #
 default_policy:
- min_lifetime: 1d
+ min_lifetime: ${MESSAGE_RETENTION_POLICY_MIN_LIFETIME:?}
 max_lifetime: ${MESSAGE_RETENTION_POLICY_MAX_LIFETIME:?}

 # Retention policy limits. If set, and the state of a room contains a
diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest
index 5a9871d..9e1a07c 100755
--- a/type/__matrix_synapse/manifest
+++ b/type/__matrix_synapse/manifest
@@ -254,7 +254,8 @@ fi
 # Message retention.
 ENABLE_MESSAGE_RETENTION_POLICY=$(get_boolean_for 'enable-message-retention-policy')
 MESSAGE_RETENTION_POLICY_MAX_LIFETIME=$(cat "$__object/parameter/message-max-lifetime")
-export ENABLE_MESSAGE_RETENTION_POLICY MESSAGE_RETENTION_POLICY_MAX_LIFETIME
+MESSAGE_RETENTION_POLICY_MIN_LIFETIME=$MESSAGE_RETENTION_POLICY_MAX_LIFETIME
+export ENABLE_MESSAGE_RETENTION_POLICY MESSAGE_RETENTION_POLICY_MAX_LIFETIME MESSAGE_RETENTION_POLICY_MIN_LIFETIME

 # Previews.
 ENABLE_URL_PREVIEW=$(get_boolean_for 'enable-url-preview')
From c32a1836aa0e2eb203392b9d4c3598a4da43eb9c Mon Sep 17 00:00:00 2001
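Review bot: `MESSAGE_RETENTION_POLICY_MIN_LIFETIME=$MESSAGE_RETENTION_POLICY_MAX_LIFETIME` hard-wires the minimum to the maximum, so the new `min_lifetime` is not configurable despite the commit title, and the day Synapse starts honouring the value (the template comment says it is ignored today) an operator cannot lower it without editing the type. A `--message-min-lifetime` optional parameter that falls back to the maximum keeps today's output for existing users and removes the surprise; it needs an entry in `parameter/optional` and man.rst alongside the lines below. A one-line comment on the fallback, `# Synapse ignores min_lifetime for now; mirror max_lifetime so the emitted policy stays self-consistent`, records why the two are equal.
```shell
# … unchanged: ENABLE_MESSAGE_RETENTION_POLICY / MAX_LIFETIME …
if [ -f "$__object/parameter/message-min-lifetime" ]; then
    MESSAGE_RETENTION_POLICY_MIN_LIFETIME=$(cat "$__object/parameter/message-min-lifetime")
else
    # Synapse ignores min_lifetime for now; mirror max_lifetime so the emitted policy stays self-consistent.
    MESSAGE_RETENTION_POLICY_MIN_LIFETIME=$MESSAGE_RETENTION_POLICY_MAX_LIFETIME
fi
export ENABLE_MESSAGE_RETENTION_POLICY MESSAGE_RETENTION_POLICY_MAX_LIFETIME MESSAGE_RETENTION_POLICY_MIN_LIFETIME
```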
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Mon, 24 Jan 2022 11:23:38 +0100 Subject: [PATCH 24/24] __matrix_synapse: add --sso-template-dir parameter --- type/__matrix_synapse/files/homeserver.yaml.sh | 2 +- type/__matrix_synapse/man.rst | 3 +++ type/__matrix_synapse/manifest | 3 +++ type/__matrix_synapse/parameter/default/sso-template-dir | 1 + type/__matrix_synapse/parameter/optional | 1 + 5 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 type/__matrix_synapse/parameter/default/sso-template-dir diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh index bc8cff0..d719d3f 100755 --- a/type/__matrix_synapse/files/homeserver.yaml.sh +++ b/type/__matrix_synapse/files/homeserver.yaml.sh @@ -2191,7 +2191,7 @@ sso: # You can see the default templates at: # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates # - #template_dir: "res/templates" + template_dir: "${SSO_TEMPLATE_DIR:?}" # JSON web token integration. The following settings can be used to make diff --git a/type/__matrix_synapse/man.rst b/type/__matrix_synapse/man.rst index 7da9282..0589a5e 100644 --- a/type/__matrix_synapse/man.rst +++ b/type/__matrix_synapse/man.rst @@ -205,6 +205,9 @@ saml2-mapping-provider-extra-settings Extra YAML-formatted key/pair values provided as configuration to the SAML2 mapping provider module (e.g. 'key: value'). Can be specified multiple times. +sso-template-dir + Directory used to source SSO-related HTML templates. + extra-setting Arbitrary string to be added to the configuration file. Can be specified multiple times. diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index 9e1a07c..6a89de6 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest 
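Review bot: `template_dir: "${SSO_TEMPLATE_DIR:?}"` is now emitted for every deployment, whereas the commented-out line it replaces left Synapse on its built-in templates, so a wrong default in this series (the sample above says `res/templates`, the new default file says `res/template`) hits everyone who does not pass `--sso-template-dir`. The value is also substituted inside YAML double quotes without escaping, so a path containing `"` or `\` yields an invalid homeserver.yaml; the `:?` guard only catches an empty string. A safer shape is to emit the key only when the parameter was given and otherwise keep the line commented out, and to note next to it `# Path on the synapse host, inserted verbatim; must not contain '"' or '\'.`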
@@ -220,6 +220,9 @@ if [ -f "$__object/parameter/saml2-mapping-provider-extra-config" ]; then export SAML2_MAPPING_PROVIDER_EXTRA_CONFIG fi +SSO_TEMPLATE_DIR=$(cat "$__object/parameter/sso-template-dir") +export SSO_TEMPLATE_DIR + if [ -n "$SAML2_SP_KEY" ] && [ -z "$SAML2_SP_CERT" ]; then echo "--saml2-sp-cert must be set if --saml2-sp-key is provided." >&2 exit 1 diff --git a/type/__matrix_synapse/parameter/default/sso-template-dir b/type/__matrix_synapse/parameter/default/sso-template-dir new file mode 100644 index 0000000..b51bcdc --- /dev/null +++ b/type/__matrix_synapse/parameter/default/sso-template-dir @@ -0,0 +1 @@ +res/template diff --git a/type/__matrix_synapse/parameter/optional b/type/__matrix_synapse/parameter/optional index 2e265e9..1786dd1 100644 --- a/type/__matrix_synapse/parameter/optional +++ b/type/__matrix_synapse/parameter/optional @@ -41,3 +41,4 @@ saml2-sp-key saml2-sp-cert default-identity-server saml2-mapping-provider-module +sso-template-dir
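Review bot: The default `res/template` does not match the Synapse sample value `res/templates` quoted on the comment line directly above the new `template_dir:` entry in this series, and because `template_dir` is now always emitted, every deployment that omits `--sso-template-dir` points Synapse at a directory name that, as far as the visible text shows, does not exist. Change the default to `res/templates`, or better keep `template_dir` unset unless the parameter is given, since SSO templates render login-completion pages and a wrong or attacker-writable directory is a credential-exposure risk. man.rst should also say whether the path is resolved on the target host or relative to Synapse's package resources, because that decides what the operator has to deploy and protect there.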