Commit graph

354 commits

Author SHA1 Message Date
fe523fe993
__opendkim: fix start_on_boot on FreeBSD
There was a bit of an oddity with this, it is implemented in a way
that should not be an issue for other systems.

Reviewed at:	ungleich-public/cdist-contrib#31
2024-05-24 13:32:22 +02:00
0f281d4118 __jitsi_meet: improve screensharing in certain situations
We had been noticing issues when sharing screen that required
refreshing (sometimes from presentors, sometimes from receivers), or
else people would get a shared black screen or hanging screen after
some time.

This somewhat undocumented jitsi-videobridge setting appears to have
fixed the issue on all instances tested:

    videobridge.cc.trust-bwe = false

Announcement: https://agora.exo.cat/t/exofasia-3/276#meetexocatguifinet-4

Relevant links:
- https://community.jitsi.org/t/jitsi-users-video-turned-off-to-save-bandwidth-on-meet-jit-si/12735/2
- https://github.com/jitsi/jitsi-videobridge/blob/master/CONFIG.md#migrating-from-old-config

Sponsored by:	camilion.eu, eXO.cat
2024-05-24 07:29:52 +00:00
624bf996f6 [__jitsi_meet*] Update to 2.0.9457
Changelog:	https://github.com/jitsi/jitsi-meet-release-notes/blob/master/CHANGELOG-WEB.md#209457-2024-04-23

Sponsored by:	camilion.eu, eXO.cat
2024-05-24 07:29:52 +00:00
b7ba43553b
[__php_fpm*] add support for Debian and Ubuntu 2024-05-16 17:05:45 +02:00
116acebd10
[__opendkim] Deprecate --userid
The parameter could produce inconsistencies permissions-wise.

Users of the type that need this functionality can still use:
--custom-config 'UserId $USERID'

Closes #17
2024-05-15 13:48:38 +02:00
79baaf02b1 [__opendkim_genkey] Improve error text for unsupported OS
It was not listing FreeBSD, which is currently supported.
2024-05-15 11:45:51 +00:00
cc2b1af653 [__opendkim_key] Overall improvements in key management
While developing this, I noticed that the type was handling inconsistently the
expectation that a cdist object with the same __object_id gets *modified*.
Instead more and more lines were added to, e.g. SigningTable and KeyTable.

In order to solve this, some backwards compatibility breaking is necessary.

This is probably not too terrible since:

- the `--selector` parameter was mandatory, therefore the fallback for the key
location is triggered.
- OpenDKIM uses the first match in `SigningTable` and `KeyTable`
- __line and __block respectively append if they do not match

Closes #19 and #20.
2024-05-15 11:45:51 +00:00
f2850de5eb [__php_fpm_pool] remove mention to recycledcloud / e-Durable SA 2024-05-15 10:18:03 +00:00
3bc9a9ff4a __php_fpm{,_pool}: initial implementation. 2024-05-15 10:18:03 +00:00
f01f110463
[__bird_radv] add --default-lifetime parameter 2024-02-21 13:38:08 +01:00
f101ea4afa
[__bird_radv] fix MTU setting, link routing tables to __object_id, add preference parameters 2024-02-19 12:41:05 +01:00
2511218dd6
__runit_service: move logs out of etc
Some systems use etckeeper and having the logs there was not a great
idea to begin with :-).
2023-04-21 14:48:09 +02:00
7cd606a52f
__single_binary_service: envvars and user-reuse support
The new --env flag allows type users to pass env files that will be
used to setup environment variables on both sytemd and runit.

While there, also solve a minor issue where users managed by this type
could not be re-used for multiple services.
2023-04-21 14:47:49 +02:00
239a1f20cf
[__runit] Add support for older Devuan systems 2023-03-06 15:17:21 +01:00
c07487ea69
[__jitsi_meet*] Update to 2.0.8319-1
Changelog:      https://github.com/jitsi/jitsi-meet-release-notes/blob/master/CHANGELOG-WEB.md#208319-2023-02-21

Sponsored by:   camilion.eu, eXO.cat
2023-03-06 15:06:46 +01:00
11ecb37dd9
[__jitsi_meet] Add --abort-conference-count parameter
Only has an effect if the prometheus exporter is enabled and if it is not
empty (default).
If at least this many conferences are active on the server, the type will
bail out before making any changes.
This is useful if you want to avoid service disruptions due to e.g. an SLA.

Sponsored by:	camilion.eu
2022-06-21 11:19:11 +02:00
03a9b8b333
[__jitsi_meet*] Update to 2.0.7439-1
Changelog:	https://github.com/jitsi/jitsi-meet-release-notes/blob/master/CHANGELOG-WEB.md#207439-2022-06-17

Sponsored by:	camilion.eu, eXO.cat
2022-06-21 11:12:27 +02:00
7a3b706b16
[__jitsi_meet*] Update to 2.0.7416-1
Changelog:	https://github.com/jitsi/jitsi-meet-release-notes/blob/master/CHANGELOG-WEB.md#207416-2022-06-16

Sponsored by:	camilion.eu, eXO.cat
2022-06-16 17:43:30 +02:00
756e5b17c6
[__jitsi_meet*] Update to 2.0.7287-1
Sponsored by:	camilion.eu, eXO.cat
2022-06-07 15:00:00 +02:00
797f7c8648
[__jitsi_meet] Improve manpage regarding ufw and SSH
This documents the fact that this type does not make decisions about anything
other than Jitsi-Meet itself and therefore care should be taken with the SSH
port.

Related to:	ungleich-public/cdist-contrib#23
Reported by:	@pedro
2022-05-08 21:47:26 +02:00
1791d35f84
[__jitsi_meet_domain] Add a muc_room_cache_size for jibri
@pedro is working on this and this change matched my workflow better :-)
2022-04-28 17:43:33 +02:00
8e1d0b68f1
[__jitsi_meet*] Add new parameters for heavier branding
This uses nginx' server-side includes, so each domain configured by
`__jitsi_meet_domain` can have its own customisation.

Note that the file customisation file must exist for each domain,
`__jitsi_meet_domain` takes care of that already.

Sponsored by:   camilion.eu, eXO.cat
2022-04-28 17:42:30 +02:00
aa3f2eeb00
[__jitsi_meet_domain] Make shellcheck happy and fix escaping issue
The escaping issue was overlooked because it was in a comment block; it wasn't
relevant.

No functional changes intended.

Sponsored by:   camilion.eu, eXO.cat
2022-04-28 17:34:32 +02:00
a63d9ec458
[__jitsi_meet] Configure jicofo so metrics are more useful
By default the REST API provided by jicofo is less useful than desired.
This is a tad under-documented, so finding the right settings was tricky :-).

Sponsored by:   camilion.eu, eXO.cat
2022-04-28 17:32:15 +02:00
0cff414884
[__jitsi_meet] Simplify exporter logic and update it to 1.2.0
This uses the newly merged __single_binary_service and:

- Fixes the bug where once added, the exporter could not be removed
- Simplifies keeping it up to date

Sponsored by:   camilion.eu, eXO.cat
2022-04-28 17:28:46 +02:00
977b530dab
[__single_binary_service] Update manpage to remove __evilham prefix 2022-04-28 17:22:19 +02:00
1865ff9dce Add 'type/__single_binary_service/' from commit '1af7e960fa882efc7202cad5cc01d3136886fa0a'
git-subtree-dir: type/__single_binary_service
git-subtree-mainline: 67bc8aa02b
git-subtree-split: 1af7e960fa
2022-04-28 17:20:02 +02:00
67bc8aa02b
__uacme_obtain: allow use of stdin with the --renew-hook parameter 2022-04-25 17:10:50 +02:00
151dc32fb5
[__jitsi_meet*] Add support for simultaneous interpretations
By using https://gitlab.com/mfmt/jsi which consists of very small and simple
static files, we enable interpretations by default.

With this commit, any DOMAIN created with __jitsi_meet_domain will serve jsi on
https://DOMAIN/i/ and any ROOM can be used with simultaneous interpretation on
https://DOMAIN/i/ROOM

Sponsored by:   camilion.eu, eXO.cat
2022-04-21 19:46:03 +02:00
7e2ba98d36
[__jitsi_meet] Fix issue with jicofo memory adaptation
That was being a bit of a mess.

Sponsored by:   camilion.eu, eXO.cat
2022-04-21 17:52:49 +02:00
1658121549
[__jitsi_meet*] Update to 2.0.7210
While there, make things a tad easier to maintain.

Note that in this version, jitsi switches to using nginx upstreams; it shouldn't
be relevant for instances fully managed with these types.

Sponsored by:   camilion.eu, eXO.cat
2022-04-21 15:52:47 +02:00
c5070a3a33
[__jitsi_meet] Fix adjustment of jicofo's max memory
Leftover from last commit >,<

Sponsored by:   camilion.eu, eXO.cat
2022-04-21 14:44:10 +02:00
80bbbd3aa8
[__jitsi_meet] Adapt jicofo and videobridge memory usage
This enables us to setup smaller jitsi instances that work reliably.

We set 3 threshholds:
- < 3G RAM: use 0.75G max memory
- < 5G RAM: use 1G max memory
- < 8G RAM: use 2G max memory
- >= 8G RAM: use 3G max memory (jitsi's default)

For more information as to why and how this is done, see:
https://gitlab.com/guifi-exo/projectes/-/issues/318
https://github.com/jitsi/jitsi-meet/issues/6589
as investigated back in the day by @pedro

Sponsored by:   camilion.eu, eXO.cat
2022-04-21 14:37:08 +02:00
87cc109bf1
[__jitsi_meet*] Make rooms on different domains not equivalent
This is a backwards-compatible change.

We switch the approach from "treat all domains as if they were the main domain"
to: "each domain has its own prosody settings".

This works perfectly fine, even with secured domains.

There is a caveat with secured domains, in that they use the main domain to log
in; this means that users are shared across all domains (as they were before
this commit).

This is due to jicofo refusing to start meetings from a domain that is not
configured, and it only accepting one domain.

Right now, this is acceptable, however we could want to authenticate against
e.g. different LDAP / IMAP servers in the future, so this would need addressing
at that stage.

Probably the best way to solve it is by patching jicofo, so it accepts starting
conferences from multiple domains and getting that patch upstream.

Sponsored by:   camilion.eu, eXO.cat
2022-04-21 13:20:30 +02:00
a12b343660
[__jitsi_meet_domain] Add analytics settings parameter
with this, admins can take advantage of e.g. matomo to have some usage
statistics.

The parameter defaults to `disabled: true`, which is the most privacy-friendly!

Sponsored by:   camilion.eu
2022-04-21 13:13:12 +02:00
29cafd4f9a
[__jitsi_meet_domain] Simplify logic for secured domains 2022-04-16 13:22:16 +02:00
fa37ede84f
[__jitsi_meet] Unconfuse jitsi-version and secured domains
Closes #14 by committing to keeping the package up to date as promptly as
possible; else weird  things happen and there are no real good solutions for
this.  E.g. we have seen in the past that due to security issues, a jitsi
dependency  needs to be upgraded, but some package that jitsi-meet depends upon
also has an upper limit on that package's version.

A note was added to the manpage in order make it explicit that maintenance of
this type can be sponsored to ensure its proper functioning.

Closes #15 by using `__file`. This will also allow us to have more control over
jicofo's settings, which might be important when we start doing recordings.

Sponsored by:	lafede.cat
2022-04-10 19:45:08 +02:00
af04f7464b
[__nginx_vhost]: follow Alpine vhost default directory change.
Since nginx package version v1.10.1-r3, Alpine packagers have changed
the default vhost directory from conf.d to http.d [0]. This reflects
this change.

[0]: alpine package commit 383ba9c0a200ed1f4b11d7db74207526ad90bbe3
2022-03-14 16:15:58 +01:00
a6f6a7fba8
[__jitsi_meet]: Fix deprecated usage of __debconf_set_selections.
Replace the --file parameter with the --line parameter, as recommended
since cdist 6.9.6.
2022-03-14 15:30:11 +01:00
a1b3a034c7
[__jitsi_meet_domain] Support the --state parameter
This enables removing domains in a simple fashion.

Closes #3.
2022-03-10 21:28:28 +01:00
ac99cd8d84
[__jitsi_meet_domain] Update to 2.0.7001-1
Obsoletes #13
2022-03-10 21:23:45 +01:00
ac03f05766 [__jitsi_meet] Fix bug with secured domains
This is a leftover from when we were using __line instead of __block.

Closes #15

Reported by:  @pedro
2022-03-10 21:20:52 +01:00
ecd10de2d3
[__opendkim*] FreeBSD support and minor fixes
While adding FreeBSD support to the type I noticed various issues:

- We were making sure that the KeyTable and SigningTable were created in
  __opendkim_genkey, but that was being done with the default cdist permissions
  (0400) which could result in issues when reloading the service after privilege
  drop.
  This is addressed by checking that it exists/creating it in __opendkim (just
  once, not once per __opendkim_genkey call) with laxer permissions (0444).
- In __opendkim, the service was being started after the config file was
  installed. This is insufficient as OpenDKIM will refuse to start with the
  generated config if either SigningTable or KeyTable do not exist yet.
- __opendkim_genkey had the implicit assumption that the --directory parameter
  always ended in a slash. This was not documented and error-prone; we are now
  a bit laxer and add the trailing slash if it is missing.
- __opendkim_genkey was not changing permissions for the resulting .txt file.
  This was not critical for it to function, but it was inconsistent.
- As documented in #17, __opendkim allows for a --userid parameter that might
  cause issues with keys generated by __opendkim_genkey.
  This issue has not been addressed yet, but I recommend deprecating the
  --userid parameter.
2022-03-10 20:08:51 +01:00
422b97bc1b
[systemd_resolved]: make singleton. 2022-02-28 16:18:51 +01:00
f6d0cbbeb7
__systemd_resolved: initial implementation. 2022-02-28 16:18:49 +01:00
9a779aafa3
__matrix_synapse: add --disable-{displayname,3pid}-changes flag 2022-02-08 13:45:29 +01:00
727fbd55fb
[bird_radv] Add option to include MTU in RAs. 2022-02-07 13:46:08 +01:00
6310db7301
[bird_bgp]: minor cleanup. 2022-02-07 13:33:57 +01:00
3f52e758fc
__systemd-network: initial implementation. 2022-02-02 14:09:16 +01:00
4fdba43dd6
[__matrix_synapse]: typos in manpage. 2022-02-02 11:49:50 +01:00