From 51d0b817fe0e56a733cd1b445b81321831b0c4f3 Mon Sep 17 00:00:00 2001
From: Evilham
Date: Fri, 18 Jun 2021 20:52:58 +0200
Subject: [PATCH 01/81] [__single_binary_service] Type to manage very simple services.
---
 explorer/explorer-version | 10 +++
 manifest | 158 +++++++++++++++++++++++++++++++++
 parameter/boolean | 1 +
 parameter/default/service-args | 0
 parameter/default/state | 1 +
 parameter/default/user | 1 +
 parameter/optional | 8 ++
 parameter/optional_multiple | 1 +
 parameter/required | 3 +
 9 files changed, 183 insertions(+)
 create mode 100755 explorer/explorer-version
 create mode 100755 manifest
 create mode 100644 parameter/boolean
 create mode 100644 parameter/default/service-args
 create mode 100644 parameter/default/state
 create mode 100644 parameter/default/user
 create mode 100644 parameter/optional
 create mode 100644 parameter/optional_multiple
 create mode 100644 parameter/required
diff --git a/explorer/explorer-version b/explorer/explorer-version
new file mode 100755
index 0000000..690cc5f
--- /dev/null
+++ b/explorer/explorer-version
@@ -0,0 +1,10 @@
+#!/bin/sh -e
+
+BIN_PREFIX="/usr/local/bin"
+SERVICE_NAME="${__object_id}"
+
+VERSION_FILE="${BIN_PREFIX}/.${SERVICE_NAME}.cdist.version"
+
+if [ -f "${VERSION_FILE}" ]; then
+ cat "${VERSION_FILE}"
+fi
diff --git a/manifest b/manifest
new file mode 100755
index 0000000..d5df410
--- /dev/null
+++ b/manifest
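Review bot: The explorer calls the install directory `BIN_PREFIX` while the manifest in the same patch names the identical path `BIN_DIR`; the tombstone path `${BIN_PREFIX}/.${SERVICE_NAME}.cdist.version` only works as long as both files agree, so use one name in both (e.g. `BIN_DIR="/usr/local/bin"` here too) and say so in a comment. A short header such as `# Prints the version tombstone the manifest writes; empty output means "not installed"` would also make the explorer's contract with the manifest explicit, since an absent file and an empty file are currently indistinguishable to the caller.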
@@ -0,0 +1,158 @@
+#!/bin/sh -e
+
+BIN_DIR="/usr/local/bin"
+
+# Ensure the target bin dir exists
+__directory "${BIN_DIR}" \
+ --mode 0755
+export require="${require} __directory${BIN_DIR}"
+
+STATE="$(cat "${__object}/parameter/state")"
+USER="$(cat "${__object}/parameter/user")"
+GROUP="$(cat "${__object}/parameter/group" 2>/dev/null || true)"
+if [ -z "${GROUP}" ]; then
+ GROUP="${USER}"
+fi
+
+SERVICE_NAME="${__object_id}"
+
+BINARY="$(cat "${__object}/parameter/binary" 2>/dev/null || true)"
+if [ -z "${BINARY}" ]; then
+ BINARY="${SERVICE_NAME}"
+fi
+EXTRA_BINARIES="$(cat "${__object}/parameter/extra-binary" 2>/dev/null || true)"
+# This only makes sense for file archives
+if [ -n "${EXTRA_BINARIES}" ] && [ -f "${__object}/parameter/unpack" ]; then
+ cat >> /dev/stderr <<-EOF
+ You cannot specify extra binaries without the --unpack argument.
+ Make sure that the --url argument points to a file archive.
+EOF
+fi
+
+SERVICE_EXEC="$(cat "${__object}/parameter/service-exec" 2>/dev/null || true)"
+if [ -z "${SERVICE_EXEC}" ]; then
+ SERVICE_EXEC="${BIN_DIR}/${BINARY}"
+fi
+SERVICE_EXEC="${SERVICE_EXEC} $(cat "${__object}/parameter/service-args")"
+
+SERVICE_DESCRIPTION="$(cat "${__object}/parameter/service-description" \
+ 2>/dev/null || true)"
+if [ -z "${SERVICE_DESCRIPTION}" ]; then
+ SERVICE_DESCRIPTION="cdist-managed '${SERVICE_NAME}' service"
+fi
+
+DOWNLOAD_URL="$(cat "${__object}/parameter/url")"
+CHECKSUM="$(cat "${__object}/parameter/checksum")"
+SHOULD_VERSION="$(cat "${__object}/parameter/version")"
+
+# Create a user for the service if it is not root
+if [ "${USER}" != "root" ]; then
+ __user "${USER}" \
+ --system \
+ --state "${STATE}" \
+ --home /nonexistent \
+ --comment "cdist-managed ${SERVICE_NAME} user"
+ # Track dependencies
+ service_require="${service_require} __user/${USER}"
+fi
+
+# TODO: Support non-systemd
+__systemd_unit "${SERVICE_NAME}.service" \
+ --source "-" \
+ --state "${STATE}" \
+ --enablement-state "enabled" </dev/null || 
true)" + # Download packed file + __download "${TMP_PATH}.tar.gz" \ + --url "${DOWNLOAD_URL}" \ + --download remote \ + --sum "${CHECKSUM}" + + # Unpack file and also perform service upgrade + # shellcheck disable=SC2086 + require="__download${TMP_PATH}.tar.gz" \ + __unpack "${TMP_PATH}.tar.gz" \ + ${UNPACK_ARGS} \ + --destination "${TMP_PATH}" \ + --onchange "$(cat < Date: Fri, 18 Jun 2021 22:01:45 +0200 Subject: [PATCH 02/81] [__single_binary_service] Add manpage, config-file and better absent With these changes the type is good for general consumption (modulo the limitations mentioned in the manpage under TODO). --- man.rst | 169 +++++++++++++++++++++++++++++++++++++++++++++ manifest | 39 ++++++++++- parameter/boolean | 1 + parameter/optional | 1 + 4 files changed, 208 insertions(+), 2 deletions(-) create mode 100644 man.rst diff --git a/man.rst b/man.rst new file mode 100644 index 0000000..8f384bf --- /dev/null +++ b/man.rst 
@@ -0,0 +1,169 @@ +cdist-type__evilham_single_binary_service(7) +============================================ + +NAME +---- +cdist-type__evilham_single_binary_service - Setup a single-binary service + + +DESCRIPTION +----------- +This type is designed to easily deploy and configure a single-binary service +named `${__object_id}`. + +A good example of this are Prometheus exporters. + +This type makes certain assumptions that might not be correct on your system. +If you need more flexibility, please get in touch and provide a use-case +(and hopefully a backwards-compatible patch). + +This type will place the downloaded binary and, if requested, other extra +binaries in `/usr/local/bin`. + +If a `--config-file-source` is provided, it will be placed under: +`/etc/${__object_id}.conf`. + +TODO (patches welcome!): +- It currently only supports `.tar.gz` archives. +- It currently only supports systemd units. +- Does not handle properly BSD-systems (wheel group, /usr/local/etc, systemd) + + +REQUIRED PARAMETERS +------------------- +checksum + This will be passed verbatim to `__download(7)`. + Use something like `sha256:...`. + +url + This will be passed verbatim to `__download(7)`. + +version + This type will use a thumbstone file with a "version" number to track + whether or not a service must be updated. + This thumbstone file is placed under + `/usr/local/bin/.${__object_id}.cdist.version`. + + +BOOLEAN PARAMETERS +------------------ +unpack + If present, the contents of `--url` will be treated as an archive to be + unpacked with `__unpack(7)`. + See also `--unpack-args` and `--extra-binary`. + +do-not-manage-user + Always considered present when `--user` is `root`. + If present, the user in `--user` will not be managed by this type with + `__user`, this means it *must* exist beforehand when installing the service + and it will not be removed by this type. 
+ + +OPTIONAL PARAMETERS +------------------- +config-file-source + If present, this file's contents will be placed under + `/etc/${__object_id}.conf` with permissions `0440` and ownership assigned to + `--user` and `--group`. + If `-` is passed, this type's `stdin` will be used. + +user + The user under which the service will run. Defaults to `root`. + If this user is not `root` and `--do-not-manage-user` is not present, + this user will be created or removed as per the `--state` parameter. + +group + The group under which the service will run. Defaults to `--user`. + +state + Whether the service is to be `present` (default) or `absent`. + When `absent`, this type will clean any binaries listed in `--extra-binary` + and also the config file as described in `--config-file-source`. + +binary + This will be the binary name. Defaults to `${__object_id}`. + If `--unpack` is used, a binary with this name must be unpacked. + Otherwise, the contents of `--url` will be placed under this binary name. + +service-args + Any extra arguments to pass along with `--service-exec`. + +service-exec + The executable to use for this service. + Defaults to `/usr/local/bin/BINARY_NAME` where `BINARY_NAME` is the + resulting value of `--binary`. + +service-description + The service description to be used in, e.g. the systemd unit file. + Defaults to `cdist-managed '${__object_id}' service`. + +unpack-args + Only has an effect if `--unpack` is used. + These arguments will be passed verbatim to `__unpack(7)`. + Very useful as this type assumes the archive does not have the binaries in + subdirectories; that can be worked around with + `--unpack-args '--tar-strip 1'`. + + +OPTIONAL MULTIPLE PARAMETERS +---------------------------- +extra-binary + Only useful with `--unpack`. + If passed, these binaries will also be installed when `--state` is `present` + and removed when `--state` is `absent`. + Handle with care :-). + + +EXAMPLES +-------- + +.. 
code-block:: sh + + # Install and enable the ipmi_exporter service + # The variables are defined in the manifest previously + __evilham_single_binary_service ipmi_exporter \ + --user "${USER}" \ + --service-args ' --config.file=/etc/ipmi_exporter.conf' \ + --version "${SHOULD_VERSION}" \ + --checksum "${CHECKSUM}" \ + --url "${DOWNLOAD_URL}" \ + --state "present" \ + --unpack \ + --unpack-args "--tar-strip 1" \ + --config-file-source '-' <<-EOF + # Remotely managed, changes will be lost + # [...] config contents goes here + EOF + + # Remove the ipmi_exporter service along with the user and its config + __evilham_single_binary_service ipmi_exporter \ + --user "${USER}" \ + --version "${SHOULD_VERSION}" \ + --checksum "${CHECKSUM}" \ + --url "${DOWNLOAD_URL}" \ + --state "absent" + + # Same, but the service was using my user! Let's not delete that! + __evilham_single_binary_service ipmi_exporter \ + --user "evilham" \ + --do-not-manage-user \ + --version "${SHOULD_VERSION}" \ + --checksum "${CHECKSUM}" \ + --url "${DOWNLOAD_URL}" \ + --state "absent" + + +SEE ALSO +-------- +- `__download(7)` +- `__unpack(7)` + + +AUTHORS +------- +Evilham + + +COPYING +------- +Copyright \(C) 2021 Evilham. diff --git a/manifest b/manifest index d5df410..e279a05 100755 --- a/manifest +++ b/manifest @@ -1,9 +1,12 @@ #!/bin/sh -e BIN_DIR="/usr/local/bin" +ETC_DIR="/etc" # Ensure the target bin dir exists +# Care, we never want to remove it :-D __directory "${BIN_DIR}" \ + --state "exists" \ --mode 0755 export require="${require} __directory${BIN_DIR}" 
@@ -46,8 +49,13 @@ CHECKSUM="$(cat "${__object}/parameter/checksum")" SHOULD_VERSION="$(cat "${__object}/parameter/version")" # Create a user for the service if it is not root -if [ "${USER}" != "root" ]; then - __user "${USER}" \ +if [ "${USER}" != "root" ] && \ + [ ! -f "${__object}/parameter/do-not-manage-user" ]; then + if [ "${STATE}" = "absent" ]; then + # When removing, ensure user is not being used + user_require="__systemd_unit/${SERVICE_NAME}.service" + fi + require="${require} ${user_require}" __user "${USER}" \ --system \ --state "${STATE}" \ --home /nonexistent \ 
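Review bot: On the `absent` path this hunk orders `__user` only after the systemd unit (`user_require="__systemd_unit/${SERVICE_NAME}.service"`), not after the removal of the files that user owns; the man page promises that the config file (installed with `--owner "${USER}"`, mode 0440) and extra binaries are cleaned on absent, so deleting the account first leaves files owned by a freed system UID that the next `--system` account can inherit. Add the cleanup objects to the same dependency, e.g. `user_require="__systemd_unit/${SERVICE_NAME}.service __file/etc/${SERVICE_NAME}.conf"`, unless that ordering is already handled in the absent-path code that lies outside this hunk. Initialising `user_require=` before the `if` would keep `require="${require} ${user_require}"` well-defined on the present path should `set -u` ever be added. Relatedly, the following hunk appends the config-file dependency to `service_required`, whereas the existing code after this hunk accumulates `service_require` (`# Track dependencies`); if the unit's `require` is built from `service_require`, the config file is never ordered before the unit.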
@@ -56,10 +64,29 @@ if [ "${USER}" != "root" ]; then service_require="${service_require} __user/${USER}" fi +# Place config file if necessary +CONFIG_FILE_DEST="${ETC_DIR}/${SERVICE_NAME}.conf" +CONFIG_FILE_SOURCE="$(cat "${__object}/parameter/config-file-source" 2>/dev/null || true)" +if [ "${CONFIG_FILE_SOURCE}" = "-" ]; then + CONFIG_FILE_SOURCE="${__object}/stdin" +fi +if [ -n "${CONFIG_FILE_SOURCE}" ] && [ "${STATE}" = "present" ]; then + require="${require} __user/${USER}" __file \ + "${CONFIG_FILE_DEST}" \ + --owner "${USER}" \ + --group "${GROUP}" \ + --mode "0440" \ + --source "${CONFIG_FILE_SOURCE}" + service_required="${service_required} __file${CONFIG_FILE_DEST}" +fi + + + # TODO: Support non-systemd __systemd_unit "${SERVICE_NAME}.service" \ --source "-" \ --state "${STATE}" \ + --restart \ --enablement-state "enabled" < Date: Tue, 22 Jun 2021 13:46:32 +0200 Subject: [PATCH 03/81] Import nginx types from e-Durable's cdist repositories --- type/__recycledcloud_nginx/man.rst | 40 +++++ type/__recycledcloud_nginx/manifest | 76 ++++++++ .../parameter/default/http-port | 1 + .../parameter/default/https-port | 1 + type/__recycledcloud_nginx/parameter/optional | 5 + .../files/301-to-https | 4 + .../files/generic.conf.sh | 37 ++++ type/__recycledcloud_nginx_vhost/files/hsts | 1 + .../files/index.html | 12 ++ .../files/static.conf.sh | 13 ++ .../files/to-https.conf.sh | 25 +++ .../gencode-remote | 26 +++ type/__recycledcloud_nginx_vhost/man.rst | 83 +++++++++ type/__recycledcloud_nginx_vhost/manifest | 162 ++++++++++++++++++ .../parameter/boolean | 4 + .../parameter/default/index | 1 + .../parameter/optional | 4 + 17 files changed, 495 insertions(+) create mode 100644 type/__recycledcloud_nginx/man.rst create mode 100644 type/__recycledcloud_nginx/manifest create mode 100644 type/__recycledcloud_nginx/parameter/default/http-port create mode 100644 type/__recycledcloud_nginx/parameter/default/https-port create mode 100644 
type/__recycledcloud_nginx/parameter/optional create mode 100644 type/__recycledcloud_nginx_vhost/files/301-to-https create mode 100755 type/__recycledcloud_nginx_vhost/files/generic.conf.sh create mode 100644 type/__recycledcloud_nginx_vhost/files/hsts create mode 100644 type/__recycledcloud_nginx_vhost/files/index.html create mode 100755 type/__recycledcloud_nginx_vhost/files/static.conf.sh create mode 100755 type/__recycledcloud_nginx_vhost/files/to-https.conf.sh create mode 100644 type/__recycledcloud_nginx_vhost/gencode-remote create mode 100644 type/__recycledcloud_nginx_vhost/man.rst create mode 100644 type/__recycledcloud_nginx_vhost/manifest create mode 100644 type/__recycledcloud_nginx_vhost/parameter/boolean create mode 100644 type/__recycledcloud_nginx_vhost/parameter/default/index create mode 100644 type/__recycledcloud_nginx_vhost/parameter/optional diff --git a/type/__recycledcloud_nginx/man.rst b/type/__recycledcloud_nginx/man.rst new file mode 100644 index 0000000..b1de718 --- /dev/null +++ b/type/__recycledcloud_nginx/man.rst 
@@ -0,0 +1,40 @@ +cdist-type__recycledcloud_nginx(7) +=================================== + +NAME +---- +cdist-type__recycledcloud_nginx - Serve web content with NGINX + + +DESCRIPTION +----------- +Leverages `__recycledcloud_nginx_vhost` to serve web content. + +REQUIRED PARAMETERS +------------------- +domain + Domain name to be served. + +OPTIONAL PARAMETERS +------------------- +config + Custom NGINX logic, templated within a standard `server` section with + `server_name` and TLS parameters set. Defaults to simple static hosting. + +altdomains + Alternative domain names for this vhost and related TLS certificate. + +uacme-hookscript + Custom hook passed to the __uacme_obtain type: useful to integrate the + dns-01 challenge with third-party DNS providers. + +AUTHORS +------- +Timothée Floure + +COPYING +------- +Copyright \(C) 2020 Joachim Desroches. You can redistribute it +and/or modify it under the terms of the GNU General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. diff --git a/type/__recycledcloud_nginx/manifest b/type/__recycledcloud_nginx/manifest new file mode 100644 index 0000000..75db7cd --- /dev/null +++ b/type/__recycledcloud_nginx/manifest 
@@ -0,0 +1,76 @@
+#!/bin/sh
+
+os="$(cat "${__global:?}"/explorer/os)"
+case "$os" in
+ alpine)
+ nginx_user=nginx
+ nginx_certdir=/etc/nginx/ssl
+ ;;
+ debian|ubuntu)
+ nginx_user=www-data
+ nginx_certdir=/etc/nginx/ssl
+ ;;
+ *)
+ echo "This type does not support $os yet. Aborting." >&2;
+ exit 1;
+ ;;
+esac
+
+if [ -f "${__object:?}/parameter/domain" ];
+then
+ domain="$(cat "${__object:?}/parameter/domain")"
+else
+ domain="${__object_id:?}"
+fi
+
+altdomains=
+if [ -f "${__object:?}/parameter/altdomains" ];
+then
+ altdomains="$(cat "${__object:?}/parameter/altdomains")"
+fi
+
+set_custom_uacme_hookscript=
+if [ -f "${__object:?}/parameter/uacme-hookscript" ];
+then
+ uacme_hookscript="$(cat "${__object:?}/parameter/uacme-hookscript")"
+ set_custom_uacme_hookscript="--hookscript $uacme_hookscript"
+fi
+
+# Deploy simple HTTP vhost, allowing to serve ACME challenges.
+__recycledcloud_nginx_vhost "301-to-https-$domain" \
+ --domain "$domain" --altdomains "$altdomains" --to-https
+
+# Obtaining TLS cert.
+cert_ownership=$nginx_user
+if [ -f "${__object:?}/parameter/force-cert-ownership-to" ]; then
+ cert_ownership=$(cat "${__object:?}/parameter/force-cert-ownership-to")
+fi
+
+__uacme_account
+# shellcheck disable=SC2086
+require="__recycledcloud_nginx_vhost/301-to-https-$domain __uacme_account" \
+ __uacme_obtain "$domain" \
+ --altdomains "$altdomains" \
+ $set_custom_uacme_hookscript \
+ --owner "$cert_ownership" \
+ --install-key-to "$nginx_certdir/$domain/privkey.pem" \
+ --install-cert-to "/$nginx_certdir/$domain/fullchain.pem" \
+ --renew-hook "service nginx reload"
+
+# Deploy HTTPS nginx vhost.
+if [ -f "${__object:?}/parameter/config" ]; then
+ if [ "$(cat "${__object:?}/parameter/config")" = "-" ]; then
+ nginx_logic="${__object:?}/stdin"
+ else
+ nginx_logic="${__object:?}/parameter/config"
+ fi
+
+ mkdir -p "${__object:?}/files"
+ cat "$nginx_logic" > "${__object:?}/files/config"
+
+ require="__uacme_obtain/$domain" __recycledcloud_nginx_vhost "$domain" \
+ --altdomains "$altdomains" --config "${__object:?}/files/config"
+else
+ require="__uacme_obtain/$domain" __recycledcloud_nginx_vhost "$domain" \
+ --altdomains "$altdomains"
+fi
diff --git a/type/__recycledcloud_nginx/parameter/default/http-port b/type/__recycledcloud_nginx/parameter/default/http-port
new file mode 100644
index 0000000..d15a2cc
--- /dev/null
+++ b/type/__recycledcloud_nginx/parameter/default/http-port
@@ -0,0 +1 @@
+80
diff --git a/type/__recycledcloud_nginx/parameter/default/https-port b/type/__recycledcloud_nginx/parameter/default/https-port
new file mode 100644
index 0000000..6a13cf6
--- /dev/null
+++ b/type/__recycledcloud_nginx/parameter/default/https-port
@@ -0,0 +1 @@
+443
diff --git a/type/__recycledcloud_nginx/parameter/optional b/type/__recycledcloud_nginx/parameter/optional
new file mode 100644
index 0000000..1a5fb95
--- /dev/null
+++ b/type/__recycledcloud_nginx/parameter/optional
@@ -0,0 +1,5 @@
+config
+domain
+altdomains
+uacme-hookscript
+force-cert-ownership-to
diff --git a/type/__recycledcloud_nginx_vhost/files/301-to-https b/type/__recycledcloud_nginx_vhost/files/301-to-https
new file mode 100644
index 0000000..2675732
--- /dev/null
+++ b/type/__recycledcloud_nginx_vhost/files/301-to-https
@@ -0,0 +1,4 @@
+# Redirect request to this page in HTTPS.
+location / {
+ return 301 https://$host$request_uri;
+}
diff --git a/type/__recycledcloud_nginx_vhost/files/generic.conf.sh b/type/__recycledcloud_nginx_vhost/files/generic.conf.sh
new file mode 100755
index 0000000..13e36aa
--- /dev/null
+++ b/type/__recycledcloud_nginx_vhost/files/generic.conf.sh
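Review bot: `--owner "$cert_ownership"` defaults to the nginx worker user (`nginx` / `www-data`) and is passed alongside `--install-key-to`, so the private key ends up readable by the unprivileged worker; nginx's master process runs as root and loads keys itself, so the usual layout is a root-owned `privkey.pem` with mode 0600, and a compromised application running as `www-data` should not be able to read it. Unless `__uacme_obtain` needs that owner for renewal, consider `cert_ownership=root` as the default and document `force-cert-ownership-to`, which `parameter/optional` declares but the man page omits. Minor: `--install-cert-to "/$nginx_certdir/$domain/fullchain.pem"` carries a stray leading slash that `--install-key-to` does not; the doubled `//etc/...` is tolerated but the two paths should be spelled the same way.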
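Review bot: `return 301 https://$host$request_uri;` copies the client-supplied Host header into the redirect target; nothing in this series declares a `default_server` for port 80 and `301-to-https-<domain>.conf` sorts before the other vhost files, so this block is likely the catch-all for requests with an unknown Host and then acts as an open redirect to any host an attacker names. Either redirect to a configured name with `return 301 https://$server_name$request_uri;` (acceptable when `--altdomains` is unused, since it collapses alt names onto the primary) or add a separate `default_server` block that returns 444, so `$host` is always one of the configured `server_name` values.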
@@ -0,0 +1,37 @@ +#!/bin/sh +# Template for static NGINX hosting. + +echo 'server {' + +# Listen +cat <<- EOF + listen ${LPORT:?} $TLS; + listen [::]:${LPORT:?} $TLS; +EOF + +# Name +echo "server_name ${DOMAIN:?} $ALTDOMAINS;" + +# ACME challenges. +cat << EOF +location /.well-known/acme-challenge/ { + alias ${ACME_CHALLENGE_DIR:?}; +} +EOF + +if [ -n "$TLS" ]; +then + if [ -n "$HSTS" ]; + then + echo 'include snippets/hsts;' + fi + + cat <<- EOF + ssl_certificate ${NGINX_CERTDIR:?}/${DOMAIN:?}/fullchain.pem; + ssl_certificate_key ${NGINX_CERTDIR:?}/${DOMAIN:?}/privkey.pem; + EOF +fi + +echo "${NGINX_LOGIC:?}" + +echo '}' diff --git a/type/__recycledcloud_nginx_vhost/files/hsts b/type/__recycledcloud_nginx_vhost/files/hsts new file mode 100644 index 0000000..7e4a854 --- /dev/null +++ b/type/__recycledcloud_nginx_vhost/files/hsts @@ -0,0 +1 @@ +add_header Strict-Transport-Security "max-age=31536000" always; diff --git a/type/__recycledcloud_nginx_vhost/files/index.html b/type/__recycledcloud_nginx_vhost/files/index.html new file mode 100644 index 0000000..bcadf4d --- /dev/null +++ b/type/__recycledcloud_nginx_vhost/files/index.html @@ -0,0 +1,12 @@ + + + + + + cdist configured! + + + You have successfully configured a vhost with + cdist. You can now upload content! + + diff --git a/type/__recycledcloud_nginx_vhost/files/static.conf.sh b/type/__recycledcloud_nginx_vhost/files/static.conf.sh new file mode 100755 index 0000000..363f228 --- /dev/null +++ b/type/__recycledcloud_nginx_vhost/files/static.conf.sh @@ -0,0 +1,13 @@ +#!/bin/sh +# Template for static NGINX hosting. + +NGINX_LOGIC="$(cat << EOF + location / { + root ${NGINX_WEBROOT:?}/${DOMAIN:?}; + index index.html; + } +EOF +)" +export NGINX_LOGIC + +"${__type:?}/files/generic.conf.sh" diff --git a/type/__recycledcloud_nginx_vhost/files/to-https.conf.sh b/type/__recycledcloud_nginx_vhost/files/to-https.conf.sh new file mode 100755 index 0000000..77dd45b --- /dev/null 
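Review bot: `echo "${NGINX_LOGIC:?}"` writes the operator's custom vhost configuration through `echo`, and under dash (Debian's `/bin/sh`, which runs these templates on the cdist host) the builtin echo interprets backslash escapes unconditionally, so regex locations containing `\b`, `\t` or `\\` are corrupted before they reach the remote file; use `printf '%s\n' "${NGINX_LOGIC:?}"` instead. The TLS branch only emits `listen ... ssl` and the two certificate paths, leaving protocol and cipher selection to whatever the distribution's `nginx.conf` or build defaults provide (some shipped `nginx.conf` files still enable TLSv1 and TLSv1.1); either add `ssl_protocols TLSv1.2 TLSv1.3;` next to `ssl_certificate_key`, or document that the operator's `nginx.conf` is expected to pin it.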
+++ b/type/__recycledcloud_nginx_vhost/files/to-https.conf.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+# Template for HTTPS redirection.
+
+echo 'server {'
+
+# Listen
+cat <<- EOF
+ listen ${LPORT:?};
+ listen [::]:${LPORT:?};
+EOF
+
+# Name
+echo "server_name ${DOMAIN:?} $ALTDOMAINS;"
+
+# ACME challenges.
+cat << EOF
+location /.well-known/acme-challenge/ {
+ alias ${ACME_CHALLENGE_DIR:?};
+}
+EOF
+
+# HTTPS redirection.
+echo 'include snippets/301-to-https;'
+
+echo '}'
diff --git a/type/__recycledcloud_nginx_vhost/gencode-remote b/type/__recycledcloud_nginx_vhost/gencode-remote
new file mode 100644
index 0000000..d634d83
--- /dev/null
+++ b/type/__recycledcloud_nginx_vhost/gencode-remote
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+os="$(cat "${__global:?}"/explorer/os)"
+
+case "$os" in
+ alpine)
+ reload_hook="service nginx --ifstopped start;\
+ service nginx --ifstarted reload"
+ ;;
+ debian|ubuntu|*)
+ reload_hook="systemctl reload-or-restart nginx"
+ ;;
+esac
+
+# Check configuration and reload if valid.
+# TODO: only check if configuration was changed (= listen for __file's
+# messages).
+cat << EOF
+if nginx -t; then
+ $reload_hook
+else
+ echo "NGINX configuration is invalid. Exiting." >2&
+ nginx -t >2&
+ exit 1
+fi
+EOF
diff --git a/type/__recycledcloud_nginx_vhost/man.rst b/type/__recycledcloud_nginx_vhost/man.rst
new file mode 100644
index 0000000..28767d7
--- /dev/null
+++ b/type/__recycledcloud_nginx_vhost/man.rst
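Review bot: `>2&` on the two lines of the `else` branch is not a stderr redirection: it sends stdout to a file literally named `2` in the remote working directory and backgrounds the command, so the error never reaches cdist's output and the second `nginx -t` runs detached while `exit 1` proceeds regardless. Change them to `echo "NGINX configuration is invalid. Exiting." >&2` and `nginx -t >&2` (the second invocation only repeats the diagnostic that the first `nginx -t` already printed to stderr, so it could be dropped). Since this gencode-remote runs `nginx -t` and the reload hook on every cdist run, a comment stating that the reload is unconditional until the `__file` message check in the TODO lands would help the next reader; the `debian|ubuntu|*)` arm also makes the explicit names redundant and could simply be `*)`.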
@@ -0,0 +1,83 @@ +cdist-type__nginx_vhost(7) +=================================== + +NAME +---- +cdist-type__nginx_vhost - Have nginx serve content for a virtual host + + +DESCRIPTION +----------- +This type setups up nginx with reasonable defaults and creates a vhost to be +served, optionally with TLS certificates obtained from the Let's Encrypt CA +through the ACME HTTP-01 challenge-response mechanism. + +By default, if no rules are specified, then the vhost will serve as-is the +contents of the `WEBROOT/foo.com` directory, where WEBROOT is +determined depending on the OS, adhering as close to `hier(7)` as possible. + +NGINX expects files in the vhost to be served to be at least readable by the +`USER` group, that it creates if it does not exist. It is recommended to have +the user owning the files to be someone else, and the files beeing +group-readable but not writeable. + +Finally, if TLS is not disabled, then this type makes nginx expect the +fullchain certificate and the private key in +`CERTDIR/domain/{fullchain,privkey}.pem`. + ++------------------+---------+-------------------+-----------------------------+ +| Operating System | USER | WEBROOT | CERTDIR | ++==================+=========+===================+=============================+ +| Alpine Linux | `nginx` | `/srv/www/` | `/etc/nginx/ssl/` | ++------------------+---------+-------------------+-----------------------------+ +| Arch Linux | `www` | `/srv/www/` | `/etc/nginx/ssl/` | ++------------------+---------+-------------------+-----------------------------+ +| FreeBSD | `www` | `/usr/local/www/` | `/usr/local/etc/nginx/ssl/` | ++------------------+---------+-------------------+-----------------------------+ + +OPTIONAL PARAMETERS +------------------- + +config + A custom configuration file for the vhost, inserted in a server section + populated with `server_name` and TLS parameters unless `--standalone-config` + is specified. 
Can be specified either as a file path, or if the value of this + flag is '-', then the configuration is read from stdin. + +domain + The domain this server will respond to. If this is omitted, then the + `__object_id` is used. + +lport + The port to which we listen. If this is omitted, the defaults of `80` for + HTTP and `443` for HTTPS are used. + +altdomains + Alternative domain names for this vhost. + +BOOLEAN PARAMETERS +------------------ + +no-hsts + Do not use HSTS pinning. + +no-tls + Do not serve over HTTPS. + +to-https + Ignore --config flag and redirect to HTTPS. Implies --no-tls. + +standalone-config + Insert the content of + +AUTHORS +------- +Joachim Desroches +Timothée Floure + +COPYING +------- +Copyright \(C) 2020 Joachim Desroches. You can redistribute it +and/or modify it under the terms of the GNU General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. diff --git a/type/__recycledcloud_nginx_vhost/manifest b/type/__recycledcloud_nginx_vhost/manifest new file mode 100644 index 0000000..3e7b913 --- /dev/null +++ b/type/__recycledcloud_nginx_vhost/manifest 
@@ -0,0 +1,162 @@
+#!/bin/sh
+#
+# 2020 Joachim Desroches
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+# Create NGINX vhosts
+
+os="$(cat "${__global:?}"/explorer/os)"
+mkdir -p "${__object:?}/files"
+
+case "$os" in
+ alpine)
+ __package nginx
+
+ nginx_confdir="/etc/nginx"
+ install_reqs="__package/nginx"
+
+ require="$install_reqs" __start_on_boot nginx
+
+ export NGINX_SITEDIR="$nginx_confdir/conf.d"
+ export NGINX_CERTDIR="$nginx_confdir/ssl"
+ export NGINX_SNIPPETSDIR="$nginx_confdir/snippets"
+ export NGINX_WEBROOT="/var/www"
+ export ACME_CHALLENGE_DIR="$NGINX_WEBROOT/.well-known/acme-challenge/"
+ ;;
+ debian|ubuntu)
+ __package nginx
+
+ nginx_confdir="/etc/nginx"
+ install_reqs="__package/nginx"
+
+ export NGINX_SITEDIR="$nginx_confdir/sites-enabled"
+ export NGINX_CERTDIR="$nginx_confdir/ssl"
+ export NGINX_SNIPPETSDIR="$nginx_confdir/snippets"
+ export NGINX_WEBROOT="/var/www"
+ export ACME_CHALLENGE_DIR="$NGINX_WEBROOT/.well-known/acme-challenge/"
+ ;;
+ *)
+ echo "This type does not support $os yet. Aborting." >&2;
+ exit 1;
+esac
+
+# Domain
+if [ -f "${__object:?}/parameter/domain" ];
+then
+ DOMAIN="$(cat "${__object:?}/parameter/domain")"
+else
+ DOMAIN="${__object_id:?}"
+fi
+export DOMAIN
+
+ALTDOMAINS=
+if [ -f "${__object:?}/parameter/altdomains" ];
+then
+ ALTDOMAINS="$(cat "${__object:?}/parameter/altdomains")"
+fi
+export ALTDOMAINS
+
+# Use TLS ?
+if [ -f "${__object:?}/parameter/no-tls" ];
+then
+ TLS=
+ echo "WARNING: you have disabled TLS for vhost $DOMAIN" >&2
+else
+ TLS=ssl
+fi
+export TLS
+
+# Use HSTS ?
+if [ -f "${__object:?}/parameter/no-hsts" ];
+then
+ HSTS=
+else
+ HSTS=true
+fi
+export HSTS
+
+# Redirect to HTTPS ?
+if [ -f "${__object:?}/parameter/to-https" ];
+then
+ TO_HTTPS=true
+else
+ TO_HTTPS=
+fi
+export HSTS
+
+# Port to listen on
+if [ -f "${__object:?}/parameter/lport" ];
+then
+ LPORT="$(cat "${__object:?}/parameter/lport")"
+else
+ if [ -n "$TLS" ] && [ -z "$TO_HTTPS" ];
+ then
+ LPORT=443
+ else
+ LPORT=80
+ fi
+fi
+export LPORT
+
+# Server definition
+if [ -n "$TO_HTTPS" ];
+then
+ # Ignore configuration, simply serve ACME challenge and redirect to HTTPS.
+ "${__type:?}/files/to-https.conf.sh" > "${__object:?}/files/vhost.conf"
+ vhost_conf="${__object:?}/files/vhost.conf"
+elif [ -f "${__object:?}/parameter/config" ];
+then
+ # Extract nginx config from type parameter.
+ if [ "$(cat "${__object:?}/parameter/config")" = "-" ];
+ then
+ vhost_partial="${__object:?}/stdin"
+ else
+ vhost_partial=$(cat "${__object:?}/parameter/config")
+ fi
+
+ # Either use config as-in or template it in generic vhost structure.
+ if [ -f "${__object:?}/parameter/standalone-config" ]; then
+ vhost_conf=$vhost_partial
+ else
+ NGINX_LOGIC=$(cat "$vhost_partial") "${__type:?}/files/generic.conf.sh" \
+ > "${__object:?}/files/vhost.conf"
+
+ vhost_conf="${__object:?}/files/vhost.conf"
+ fi
+else
+ # Default to simple static configuration.
+ "${__type:?}/files/static.conf.sh" > "${__object:?}/files/vhost.conf"
+ vhost_conf="${__object:?}/files/vhost.conf"
+
+ require="$install_reqs" __directory "$NGINX_WEBROOT/$DOMAIN"
+ require="__directory$NGINX_WEBROOT/$DOMAIN" \
+ __file "$NGINX_WEBROOT/$DOMAIN/index.html" --state exists \
+ --source "${__type:?}/files/index.html" \
+ --mode 0644
+fi
+
+# Install snippets.
+require="$install_reqs" __directory "$NGINX_SNIPPETSDIR"
+for snippet in hsts 301-to-https; do
+ require="__directory/$NGINX_SNIPPETSDIR" __file \
+ "$NGINX_SNIPPETSDIR/$snippet" --source "${__type:?}/files/$snippet"
+done
+
+# Install vhost.
+require="$install_reqs" __file "$NGINX_SITEDIR/$__object_id.conf" \
+ --source "$vhost_conf" \
+ --mode 0644
diff --git a/type/__recycledcloud_nginx_vhost/parameter/boolean b/type/__recycledcloud_nginx_vhost/parameter/boolean
new file mode 100644
index 0000000..aa06036
--- /dev/null
+++ b/type/__recycledcloud_nginx_vhost/parameter/boolean
@@ -0,0 +1,4 @@
+no-tls
+no-hsts
+to-https
+standalone-config
diff --git a/type/__recycledcloud_nginx_vhost/parameter/default/index b/type/__recycledcloud_nginx_vhost/parameter/default/index
new file mode 100644
index 0000000..d5b7a40
--- /dev/null
+++ b/type/__recycledcloud_nginx_vhost/parameter/default/index
@@ -0,0 +1 @@
+index.html index.htm
diff --git a/type/__recycledcloud_nginx_vhost/parameter/optional b/type/__recycledcloud_nginx_vhost/parameter/optional
new file mode 100644
index 0000000..9c47616
--- /dev/null
+++ b/type/__recycledcloud_nginx_vhost/parameter/optional
@@ -0,0 +1,4 @@
+domain
+config
+altdomains
+lport
From 8db890deb4f4293e30e166a3bb77977440103783 Mon Sep 17 00:00:00 2001
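Review bot: The `TO_HTTPS` block ends with a second `export HSTS` where `export TO_HTTPS` was clearly intended; it is harmless today because `$TO_HTTPS` is only read inside this manifest, but it will silently bite the first template that reads it, so change that line to `export TO_HTTPS`. `parameter/default/index` declares `index.html index.htm`, yet nothing in the manifest reads `parameter/index` (and `index` is not listed in `parameter/optional`), while `static.conf.sh` hard-codes `index index.html;`; either export an `INDEX` variable from the parameter and use `index ${INDEX:?};` in the template, or drop the dead default file. Note also that `$__object_id` is spliced unsanitised into `"$NGINX_SITEDIR/$__object_id.conf"`; an id containing `/` would place the vhost file outside the site directory, so using `"$DOMAIN"` for the file name or rejecting ids with slashes would be safer.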
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Tue, 22 Jun 2021 13:50:48 +0200 Subject: [PATCH 04/81] Unbrand nginx types from e-Durable --- type/{__recycledcloud_nginx => __nginx}/man.rst | 7 ++++--- type/{__recycledcloud_nginx => __nginx}/manifest | 8 ++++---- .../parameter/default/http-port | 0 .../parameter/default/https-port | 0 .../{__recycledcloud_nginx => __nginx}/parameter/optional | 0 .../files/301-to-https | 0 .../files/generic.conf.sh | 0 .../files/hsts | 0 .../files/index.html | 0 .../files/static.conf.sh | 0 .../files/to-https.conf.sh | 0 .../gencode-remote | 0 .../man.rst | 0 .../manifest | 1 + .../parameter/boolean | 0 .../parameter/default/index | 0 .../parameter/optional | 0 17 files changed, 9 insertions(+), 7 deletions(-) rename type/{__recycledcloud_nginx => __nginx}/man.rst (84%) rename type/{__recycledcloud_nginx => __nginx}/manifest (86%) rename type/{__recycledcloud_nginx => __nginx}/parameter/default/http-port (100%) rename type/{__recycledcloud_nginx => __nginx}/parameter/default/https-port (100%) rename type/{__recycledcloud_nginx => __nginx}/parameter/optional (100%) rename type/{__recycledcloud_nginx_vhost => __nginx_vhost}/files/301-to-https (100%) rename type/{__recycledcloud_nginx_vhost => __nginx_vhost}/files/generic.conf.sh (100%) rename type/{__recycledcloud_nginx_vhost => __nginx_vhost}/files/hsts (100%) rename type/{__recycledcloud_nginx_vhost => __nginx_vhost}/files/index.html (100%) rename type/{__recycledcloud_nginx_vhost => __nginx_vhost}/files/static.conf.sh (100%) rename type/{__recycledcloud_nginx_vhost => __nginx_vhost}/files/to-https.conf.sh (100%) rename type/{__recycledcloud_nginx_vhost => __nginx_vhost}/gencode-remote (100%) rename type/{__recycledcloud_nginx_vhost => __nginx_vhost}/man.rst (100%) rename type/{__recycledcloud_nginx_vhost => __nginx_vhost}/manifest (98%) rename type/{__recycledcloud_nginx_vhost => __nginx_vhost}/parameter/boolean (100%) rename type/{__recycledcloud_nginx_vhost => 
__nginx_vhost}/parameter/default/index (100%) rename type/{__recycledcloud_nginx_vhost => __nginx_vhost}/parameter/optional (100%) diff --git a/type/__recycledcloud_nginx/man.rst b/type/__nginx/man.rst similarity index 84% rename from type/__recycledcloud_nginx/man.rst rename to type/__nginx/man.rst index b1de718..fa4c5db 100644 --- a/type/__recycledcloud_nginx/man.rst +++ b/type/__nginx/man.rst @@ -1,14 +1,14 @@ -cdist-type__recycledcloud_nginx(7) +cdist-type__nginx(7) =================================== NAME ---- -cdist-type__recycledcloud_nginx - Serve web content with NGINX +cdist-type__nginx - Serve web content with NGINX DESCRIPTION ----------- -Leverages `__recycledcloud_nginx_vhost` to serve web content. +Leverages `__nginx_vhost` to serve web content. REQUIRED PARAMETERS ------------------- @@ -31,6 +31,7 @@ uacme-hookscript AUTHORS ------- Timothée Floure +Joachim Desroches COPYING ------- diff --git a/type/__recycledcloud_nginx/manifest b/type/__nginx/manifest similarity index 86% rename from type/__recycledcloud_nginx/manifest rename to type/__nginx/manifest index 75db7cd..b552319 100644 --- a/type/__recycledcloud_nginx/manifest +++ b/type/__nginx/manifest @@ -37,7 +37,7 @@ then fi # Deploy simple HTTP vhost, allowing to serve ACME challenges. -__recycledcloud_nginx_vhost "301-to-https-$domain" \ +__nginx_vhost "301-to-https-$domain" \ --domain "$domain" --altdomains "$altdomains" --to-https # Obtaining TLS cert. @@ -48,7 +48,7 @@ fi __uacme_account # shellcheck disable=SC2086 -require="__recycledcloud_nginx_vhost/301-to-https-$domain __uacme_account" \ +require="__nginx_vhost/301-to-https-$domain __uacme_account" \ __uacme_obtain "$domain" \ --altdomains "$altdomains" \ $set_custom_uacme_hookscript \ 
@@ -68,9 +68,9 @@ if [ -f "${__object:?}/parameter/config" ]; then mkdir -p "${__object:?}/files" cat "$nginx_logic" > "${__object:?}/files/config" - require="__uacme_obtain/$domain" __recycledcloud_nginx_vhost "$domain" \ + require="__uacme_obtain/$domain" __nginx_vhost "$domain" \ --altdomains "$altdomains" --config "${__object:?}/files/config" else - require="__uacme_obtain/$domain" __recycledcloud_nginx_vhost "$domain" \ + require="__uacme_obtain/$domain" __nginx_vhost "$domain" \ --altdomains "$altdomains" fi diff --git a/type/__recycledcloud_nginx/parameter/default/http-port b/type/__nginx/parameter/default/http-port similarity index 100% rename from type/__recycledcloud_nginx/parameter/default/http-port rename to type/__nginx/parameter/default/http-port diff --git a/type/__recycledcloud_nginx/parameter/default/https-port b/type/__nginx/parameter/default/https-port similarity index 100% rename from type/__recycledcloud_nginx/parameter/default/https-port rename to type/__nginx/parameter/default/https-port diff --git a/type/__recycledcloud_nginx/parameter/optional b/type/__nginx/parameter/optional similarity index 100% rename from type/__recycledcloud_nginx/parameter/optional rename to type/__nginx/parameter/optional diff --git a/type/__recycledcloud_nginx_vhost/files/301-to-https b/type/__nginx_vhost/files/301-to-https similarity index 100% rename from type/__recycledcloud_nginx_vhost/files/301-to-https rename to type/__nginx_vhost/files/301-to-https diff --git a/type/__recycledcloud_nginx_vhost/files/generic.conf.sh b/type/__nginx_vhost/files/generic.conf.sh similarity index 100% rename from type/__recycledcloud_nginx_vhost/files/generic.conf.sh rename to type/__nginx_vhost/files/generic.conf.sh diff --git a/type/__recycledcloud_nginx_vhost/files/hsts b/type/__nginx_vhost/files/hsts similarity index 100% rename from type/__recycledcloud_nginx_vhost/files/hsts rename to type/__nginx_vhost/files/hsts 
diff --git a/type/__recycledcloud_nginx_vhost/files/index.html b/type/__nginx_vhost/files/index.html similarity index 100% rename from type/__recycledcloud_nginx_vhost/files/index.html rename to type/__nginx_vhost/files/index.html diff --git a/type/__recycledcloud_nginx_vhost/files/static.conf.sh b/type/__nginx_vhost/files/static.conf.sh similarity index 100% rename from type/__recycledcloud_nginx_vhost/files/static.conf.sh rename to type/__nginx_vhost/files/static.conf.sh diff --git a/type/__recycledcloud_nginx_vhost/files/to-https.conf.sh b/type/__nginx_vhost/files/to-https.conf.sh similarity index 100% rename from type/__recycledcloud_nginx_vhost/files/to-https.conf.sh rename to type/__nginx_vhost/files/to-https.conf.sh diff --git a/type/__recycledcloud_nginx_vhost/gencode-remote b/type/__nginx_vhost/gencode-remote similarity index 100% rename from type/__recycledcloud_nginx_vhost/gencode-remote rename to type/__nginx_vhost/gencode-remote diff --git a/type/__recycledcloud_nginx_vhost/man.rst b/type/__nginx_vhost/man.rst similarity index 100% rename from type/__recycledcloud_nginx_vhost/man.rst rename to type/__nginx_vhost/man.rst diff --git a/type/__recycledcloud_nginx_vhost/manifest b/type/__nginx_vhost/manifest similarity index 98% rename from type/__recycledcloud_nginx_vhost/manifest rename to type/__nginx_vhost/manifest index 3e7b913..f9ad84d 100644 --- a/type/__recycledcloud_nginx_vhost/manifest +++ b/type/__nginx_vhost/manifest @@ -1,6 +1,7 @@ #!/bin/sh # # 2020 Joachim Desroches +# 2021 Timothée Floure # # This file is part of cdist. # diff --git a/type/__recycledcloud_nginx_vhost/parameter/boolean b/type/__nginx_vhost/parameter/boolean similarity index 100% rename from type/__recycledcloud_nginx_vhost/parameter/boolean rename to type/__nginx_vhost/parameter/boolean 
diff --git a/type/__recycledcloud_nginx_vhost/parameter/default/index b/type/__nginx_vhost/parameter/default/index similarity index 100% rename from type/__recycledcloud_nginx_vhost/parameter/default/index rename to type/__nginx_vhost/parameter/default/index diff --git a/type/__recycledcloud_nginx_vhost/parameter/optional b/type/__nginx_vhost/parameter/optional similarity index 100% rename from type/__recycledcloud_nginx_vhost/parameter/optional rename to type/__nginx_vhost/parameter/optional From 502cb54ce2593aad3deba111639cbaef78a16cc3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Wed, 23 Jun 2021 10:24:27 +0200 Subject: [PATCH 05/81] __nginx_vhost: make configuration reload more robust --- type/__nginx_vhost/gencode-remote | 51 ++++++++++++++++++------------- 1 file changed, 30 insertions(+), 21 deletions(-) diff --git a/type/__nginx_vhost/gencode-remote b/type/__nginx_vhost/gencode-remote index d634d83..dd6539d 100644 --- a/type/__nginx_vhost/gencode-remote +++ b/type/__nginx_vhost/gencode-remote 
@@ -1,26 +1,35 @@ #!/bin/sh os="$(cat "${__global:?}"/explorer/os)" +init=$(cat "$__global/explorer/init") +nginx_confdir="/etc/nginx" -case "$os" in - alpine) - reload_hook="service nginx --ifstopped start;\ - service nginx --ifstarted reload" - ;; - debian|ubuntu|*) - reload_hook="systemctl reload-or-restart nginx" - ;; -esac - -# Check configuration and reload if valid. -# TODO: only check if configuration was changed (= listen for __file's -# messages). -cat << EOF -if nginx -t; then - $reload_hook -else - echo "NGINX configuration is invalid. Exiting." >2& - nginx -t >2& - exit 1 +# The nginx service is not automatically started on alpine. +if [ "$os" = "alpine" ]; then + echo "service nginx --ifstopped start" +fi + +if grep -qE "^__file$nginx_confdir" "${__messages_in:?}"; then + case "$init" in + systemd) + reload_hook="systemctl reload-or-restart nginx" + ;; + busybox-init+openrc) + reload_hook="service nginx reload" + ;; + *) + echo "Unknown init $init." >&2 + exit 1 + ;; + esac + + cat <<- EOF + if nginx -t; then + $reload_hook + else + echo "NGINX configuration is invalid. Exiting." >2& + nginx -t >2& + exit 1 + fi + EOF fi -EOF From f116272f9216981656e4e5ab94c63f0b44212b1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Wed, 23 Jun 2021 10:47:21 +0200 Subject: [PATCH 06/81] __nginx_vhost: drop mention of unsupported FreeBSD from manpage --- type/__nginx_vhost/man.rst | 2 -- 1 file changed, 2 deletions(-) diff --git a/type/__nginx_vhost/man.rst b/type/__nginx_vhost/man.rst index 28767d7..8aa63ca 100644 --- a/type/__nginx_vhost/man.rst +++ b/type/__nginx_vhost/man.rst 
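Review bot: The two diagnostic lines inside the generated heredoc still use `>2&`, which redirects stdout to a file named `2` in the target's working directory and backgrounds the command, so the validity error never reaches stderr and `exit 1` can run before `nginx -t` has finished; they should read `echo "NGINX configuration is invalid. Exiting." >&2` and `nginx -t >&2`. The new `init=$(cat "$__global/explorer/init")` also drops the `${__global:?}` guard that the `os` line just above uses; `init=$(cat "${__global:?}/explorer/init")` keeps the two consistent. Since the generated block is emitted with `cat <<- EOF`, the body and the `EOF` terminator are only de-indented when the indentation is tabs; the patch text does not show whether tabs or spaces were used, so that is worth confirming before merging.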
@@ -32,8 +32,6 @@ fullchain certificate and the private key in +------------------+---------+-------------------+-----------------------------+ | Arch Linux | `www` | `/srv/www/` | `/etc/nginx/ssl/` | +------------------+---------+-------------------+-----------------------------+ -| FreeBSD | `www` | `/usr/local/www/` | `/usr/local/etc/nginx/ssl/` | -+------------------+---------+-------------------+-----------------------------+ OPTIONAL PARAMETERS ------------------- From 5102fe466ef71f99d6b2d2199531698de284fdac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Wed, 23 Jun 2021 11:23:30 +0200 Subject: [PATCH 07/81] __matrix_synapse: use matrix.org APT repository for Debian --- type/__matrix_synapse/manifest | 50 ++++++++++------------------------ 1 file changed, 15 insertions(+), 35 deletions(-) diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index 4650a17..bbe0461 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest 
@@ -20,40 +20,22 @@ # OS-specific configuration. os=$(cat "$__global/explorer/os") -distribution=$(cat "$__global/explorer/lsb_codename") case "$os" in debian) synapse_user=matrix-synapse - synapse_pkg=matrix-synapse + synapse_pkg=matrix-synapse-py3 synapse_service=matrix-synapse ldap_auth_provider_pkg=matrix-synapse-ldap3 synapse_conf_dir='/etc/matrix-synapse' synapse_data_dir='/var/lib/matrix-synapse' - # See https://packages.debian.org/bullseye/matrix-synapse for state of - # synapse packaging in debian. - case "$distribution" in - stretch) - echo "The matrix-synapse package in debian stretch is outdated and unusable." >&2 - exit 1 - ;; - buster) - # Enable debian-backports for debian Buster, as the 'stable' - # matrix-synapse package is ways too old (< 1.0). - apt_target_release=buster-backports - __apt_backports - ;; - bullseye|sid) - # As of writting (2021-02), the default matrix-synapse of those - # release is perfectly usable. - : - ;; - *) - echo "Unknown debian release '$distribution'. Exiting" >&2 - exit 1 - ;; - esac + # We directly use upstream's APT repository. + # See https://code.ungleich.ch/ungleich-public/cdist-contrib/-/issues/11 for details. + __apt_key matrix-org --uri https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg + require="__apt_key/matrix-org" __apt_source matrix-org \ + --uri https://packages.matrix.org/debian/ \ + --component main ;; alpine) synapse_user=synapse @@ -309,12 +291,10 @@ case "$DATABASE_ENGINE" in esac -# Install OS packages. We have a bit of boilerplate to handle the debian -# backports situation. +# Install OS packages. We have a bit of boilerplate to handle the debian case. synapse_req= -if [ -n "$apt_target_release" ]; then - require="__apt_backports" __package_apt "$synapse_pkg" \ - --target-release "$apt_target_release" +if [ "$os" = "Debian" ]; then + require="__apt_source/matrix-org" __package_apt "$synapse_pkg" synapse_req="__package_apt/$synapse_pkg" else __package "$synapse_pkg" 
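Review bot: The keyring fetched by `__apt_key matrix-org --uri https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg` becomes the trust anchor for every package installed from that source, and nothing in the manifest records what the downloaded key is expected to be, so a maintainer has no reference to compare against if the URL or its content changes. If `__apt_key` offers no fingerprint check for `--uri`, a comment above the call such as `# Trust anchor for packages.matrix.org; expected keyring fingerprint: <FINGERPRINT-FROM-UPSTREAM-DOCS> (verify before changing this URL)` at least documents the assumption. The `__apt_source` call names no `--distribution`, so it presumably relies on the type's default; stating that in the same comment avoids surprises on a non-default codename.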
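Review bot: The new `if [ "$os" = "Debian" ]; then` never matches, because the first hunk's `case "$os" in debian)` shows the explorer reports the lowercase name; on Debian the apt source prepared above is bypassed and the `else` branch's `__package "$synapse_pkg"` installs `matrix-synapse-py3` from whatever sources are already configured, without the `__apt_source/matrix-org` requirement. Change it to `if [ "$os" = "debian" ]; then`; the `ENABLE_LDAP_AUTH` block in the next hunk has the same comparison. The `else` branch of this conditional continues outside the hunk.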
@@ -322,12 +302,12 @@ else fi if [ -n "$ENABLE_LDAP_AUTH" ]; then - if [ -n "$apt_target_release" ]; then - require="__package_apt/$synapse_pkg" __package_apt "$ldap_auth_provider_pkg" \ - --target-release "$apt_target_release" - else - __package "$ldap_auth_provider_pkg" + if [ "$os" = "Debian" ]; then + require="__apt_source/matrix-org" __package_apt "$ldap_auth_provider_pkg" + else + __package "$ldap_auth_provider_pkg" fi + synapse_req="$synapse_req __package_apt/$ldap_auth_provider_pkg" fi # Generate and deploy configuration files. From 55d832851d5172cdf8266841b95cf27143c8bc7c Mon Sep 17 00:00:00 2001 From: Joachim Desroches Date: Tue, 6 Jul 2021 14:44:07 +0200 Subject: [PATCH 08/81] Add __networktime type. --- type/__networktime/man.rst | 50 +++++++++++++ type/__networktime/manifest | 74 +++++++++++++++++++ .../__networktime/parameter/required_multiple | 1 + type/__networktime/singleton | 0 4 files changed, 125 insertions(+) create mode 100644 type/__networktime/man.rst create mode 100755 type/__networktime/manifest create mode 100644 type/__networktime/parameter/required_multiple create mode 100644 type/__networktime/singleton diff --git a/type/__networktime/man.rst b/type/__networktime/man.rst new file mode 100644 index 0000000..41beeb6 --- /dev/null +++ b/type/__networktime/man.rst 
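Review bot: `synapse_req="$synapse_req __package_apt/$ldap_auth_provider_pkg"` is appended after the `if`/`else`, so on alpine, where the package object is created by `__package "$ldap_auth_provider_pkg"`, the requirement names a `__package_apt/...` object that does not exist and whatever later consumes `$synapse_req` (outside this hunk) will fail to resolve it. Move the assignment into each branch with the matching type name: `synapse_req="$synapse_req __package_apt/$ldap_auth_provider_pkg"` under `__package_apt` and `synapse_req="$synapse_req __package/$ldap_auth_provider_pkg"` under `__package`. The `"Debian"` comparison here has the same lowercase problem as the earlier hunk.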
@@ -0,0 +1,50 @@ +cdist-type__networktime(7) +========================== + +NAME +---- +cdist-type__networktime - Generic time synchronization type + + +DESCRIPTION +----------- + +This type is intended to be a simple abstraction over the various backends and +programs available for network time synchronization. This type only takes a +list of peers to synchronize to as argument, and then chooses an appropriate +backend depending on the operating system, configures, starts and enables it to +start on boot. + +Currently, the following OSes are supported with the following backends: + +- Alpine Linux: builtin busybox NTPd +- Debian/Ubuntu: systemd-timesyncd + + +REQUIRED MULTIPLE PARAMETERS +------------------- +peer: + The name or IP address of a peer to synchronize to. + + +EXAMPLES +-------- + +.. code-block:: sh + + # 2.XXX.ntp.org are IPv6-enabled pools + __networktime --peer 2.ch.pool.ntp.org \ + --peer 2.europe.pool.ntp.org + + +AUTHORS +------- +Joachim Desroches + + +COPYING +------- +Copyright \(C) 2021 Joachim Desroches. You can redistribute it +and/or modify it under the terms of the GNU General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. diff --git a/type/__networktime/manifest b/type/__networktime/manifest new file mode 100755 index 0000000..1febf66 --- /dev/null +++ b/type/__networktime/manifest 
@@ -0,0 +1,74 @@ +#!/bin/sh -e +# +# 2021 Joachim Desroches (joachim.desroches@epfl.ch) +# +# This file is part of cdist. +# +# cdist is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# cdist is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with cdist. If not, see . +# + +os=$(cat "${__global:?}/explorer/os") + +case "$os" in +'alpine') + backend=busybox-openrc + ;; +'debian' | 'ubuntu') + backend=systemd-timesyncd + ;; +*) + printf "__networktime is not yet implemented for %s.\n" "$os" >&2 + printf "Please contribute an implementation for it if you can.\n" >&2 + exit 1 + ;; +esac + +case "$backend" in +'busybox-openrc') + argstring="-N" + while read -r peer; + do + argstring="$argstring -p $peer" + done < "${__object:?}/parameter/peer" + + __start_on_boot ntpd + + __file /etc/conf.d/ntpd \ + --mode 0644 --onchange "service ntpd restart"\ + --source - <<- EOF + # NTPd OpenRC configuration file. Managed by cdist. + NTPD_OPTS="$argstring" + EOF + ;; + +'systemd-timesyncd') + peers="$(tr '\n' ' ' < "${__object:?}/parameter/peer")" + + __package ntp --state absent + require="__package/ntp" __systemd_unit systemd-timesyncd \ + --enablement-state enabled --restart + + __file /etc/systemd/timesyncd.conf \ + --mode 0644 --onchange "systemctl restart systemd-timesyncd" \ + --source - <<- EOF + # timesyncd(8) configuration file. Managed by cdist. + [Time] + NTP=$peers + EOF + ;; +*) + printf "Unkown backend in __networktime. This is a bug.\n" >&2 + exit 1 + ;; +esac 
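Review bot: The `--peer` values are spliced unquoted into `NTPD_OPTS="$argstring"` in `/etc/conf.d/ntpd`, a file OpenRC sources as shell, and into `NTP=$peers` in `timesyncd.conf`, so a peer containing a double quote, whitespace or `$` breaks the generated assignment instead of failing clearly. A cheap check in the `while read -r peer` loop, for instance `case "$peer" in *[!A-Za-z0-9.:-]*) printf 'invalid peer: %s\n' "$peer" >&2; exit 1 ;; esac`, rejects such values before they reach the file. The last arm's message also has a typo: `printf "Unknown backend in __networktime. This is a bug.\n" >&2`. Both `__file --source -` heredocs use `<<- EOF`, which strips leading tabs only; the patch text does not show whether the indentation is tabs, and with spaces the `EOF` terminator would not be recognised, so that is worth confirming.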
diff --git a/type/__networktime/parameter/required_multiple b/type/__networktime/parameter/required_multiple new file mode 100644 index 0000000..c9f6d41 --- /dev/null +++ b/type/__networktime/parameter/required_multiple @@ -0,0 +1 @@ +peer diff --git a/type/__networktime/singleton b/type/__networktime/singleton new file mode 100644 index 0000000..e69de29 From 2ce8223fa793588d1e5f3e6a9a03ee4d52bfdc54 Mon Sep 17 00:00:00 2001 From: Joachim Desroches Date: Tue, 6 Jul 2021 14:59:30 +0200 Subject: [PATCH 09/81] [matrix-synapse] Fix typo in `$os` matches. --- type/__matrix_synapse/manifest | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index bbe0461..64c7c85 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest @@ -19,7 +19,7 @@ # # OS-specific configuration. -os=$(cat "$__global/explorer/os") +os=$(cat "${__global:?}/explorer/os") case "$os" in debian) @@ -56,7 +56,7 @@ esac # Small helper used to get boolean values which can be used as-is in the # configuration template. get_boolean_for () { - if [ -f "$__object/parameter/${1:?}" ]; then + if [ -f "${__object:?}/parameter/${1:?}" ]; then echo 'true' else echo 'false' @@ -293,7 +293,7 @@ esac # Install OS packages. We have a bit of boilerplate to handle the debian case. synapse_req= -if [ "$os" = "Debian" ]; then +if [ "$os" = "debian" ]; then require="__apt_source/matrix-org" __package_apt "$synapse_pkg" synapse_req="__package_apt/$synapse_pkg" else @@ -302,7 +302,7 @@ else fi if [ -n "$ENABLE_LDAP_AUTH" ]; then - if [ "$os" = "Debian" ]; then + if [ "$os" = "debian" ]; then require="__apt_source/matrix-org" __package_apt "$ldap_auth_provider_pkg" else __package "$ldap_auth_provider_pkg" From 653c85e948197b48dac2b090f585fad7d3cb5398 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Tue, 6 Jul 2021 16:43:16 +0200 Subject: [PATCH 10/81] __nginx_vhost: complete truncated sentence in manpage --- type/__nginx_vhost/man.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/type/__nginx_vhost/man.rst b/type/__nginx_vhost/man.rst index 8aa63ca..c078b10 100644 --- a/type/__nginx_vhost/man.rst +++ b/type/__nginx_vhost/man.rst @@ -66,7 +66,8 @@ to-https Ignore --config flag and redirect to HTTPS. Implies --no-tls. standalone-config - Insert the content of + Use as-in the vhost configuration (= do not wrap in generic server section) + the content of the `config` parameter. AUTHORS ------- From 735a1dddca4912bfafeda4e8478adc23942dffac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Tue, 6 Jul 2021 16:43:52 +0200 Subject: [PATCH 11/81] __nginx: add minimal usage example --- type/__nginx/man.rst | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/type/__nginx/man.rst b/type/__nginx/man.rst index fa4c5db..71d47e7 100644 --- a/type/__nginx/man.rst +++ b/type/__nginx/man.rst @@ -28,6 +28,22 @@ uacme-hookscript Custom hook passed to the __uacme_obtain type: useful to integrate the dns-01 challenge with third-party DNS providers. +EXAMPLES +-------- + +.. code-block:: sh + + # TLS-enabled vhost serving static files in $WEBROOT/domain.tld (OS-specific, + # usually `/var/www` on GNU/Linux systemd). + __nginx domain.tld + + # TLS-enabled vhost with custom configuration. + __nginx files.domain.tld \ + --config - <<- EOF + root /var/www/files.domain.tld/; + autoindex on; + EOF + AUTHORS ------- Timothée Floure From c5929f397db9107e8cbf82e03912f6fae34e948b Mon Sep 17 00:00:00 2001 
From: Evilham Date: Wed, 4 Aug 2021 20:27:08 +0200 Subject: [PATCH 12/81] [__single_binary_service] Adapt bug fixes proposed by pedro there are several typos, some style issues and now there is at most one service restart in all cases. Submitted by: pedro --- gencode-remote | 21 ++++++++++++++++ man.rst | 4 ++- manifest | 68 +++++++++++++++++++++++++++++--------------------- 3 files changed, 64 insertions(+), 29 deletions(-) create mode 100644 gencode-remote diff --git a/gencode-remote b/gencode-remote new file mode 100644 index 0000000..fe769fa --- /dev/null +++ b/gencode-remote @@ -0,0 +1,21 @@ +#!/bin/sh -e + +STATE="$(cat "${__object}/parameter/state")" +if [ "${STATE}" != "present" ]; then + exit +fi + +ETC_DIR="/etc" +SERVICE_NAME="${__object_id}" +CONFIG_FILE_DEST="${ETC_DIR}/${SERVICE_NAME}.conf" + +BIN_DIR="/usr/local/bin" +VERSION_FILE="${BIN_DIR}/.${SERVICE_NAME}.cdist.version" + +# We only restart here if there was a config change +# but there was not a version change +if grep -qE "^__file${CONFIG_FILE_DEST}" "${__messages_in}" && \ + grep -qvE "^__file${VERSION_FILE}" "${__messages_in}"; then + echo "service ${SERVICE_NAME} restart" +fi + diff --git a/man.rst b/man.rst index 8f384bf..804b465 100644 --- a/man.rst +++ b/man.rst @@ -86,7 +86,9 @@ binary Otherwise, the contents of `--url` will be placed under this binary name. service-args - Any extra arguments to pass along with `--service-exec`. + Any extra arguments to pass along with `--service-exec`. Beware that any + service-args having the format `--config=/etc/foo.cfg` should be + represented in the following way `--service-exec='--config=/etc/foo.cfg'` service-exec The executable to use for this service. diff --git a/manifest b/manifest index e279a05..be967eb 100755 --- a/manifest +++ b/manifest 
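Review bot: `grep -qvE "^__file${VERSION_FILE}" "${__messages_in}"` in the new gencode-remote does not test that no version message exists: with `-v`, grep succeeds as soon as any line fails to match, so whenever the config message is present the condition is true regardless of the version file, and the restart this commit means to suppress on upgrades is issued in addition to the install path. Negate the second test instead: `! grep -qE "^__file${VERSION_FILE}" "${__messages_in}"`. The dots in `${VERSION_FILE}` are also regex metacharacters; harmless for this fixed path, but a short comment such as `# path dots are regex wildcards here; fine for a fixed path` makes the assumption explicit.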
@@ -1,5 +1,20 @@ #!/bin/sh -e +OS="$(cat "${__global}/explorer/os")" + +case "${OS}" in + debian) + SUPER_USER_GROUP=root + ;; + *bsd) + SUPER_USER_GROUP=wheel + ;; + *) + echo "Your OS '${OS}' is currently not supported." >&2 + exit 1 + ;; +esac + BIN_DIR="/usr/local/bin" ETC_DIR="/etc" @@ -26,7 +41,7 @@ fi EXTRA_BINARIES="$(cat "${__object}/parameter/extra-binary" 2>/dev/null || true)" # This only makes sense for file archives if [ -n "${EXTRA_BINARIES}" ] && [ -f "${__object}/parameter/unpack" ]; then - cat >> /dev/stderr <<-EOF + cat >&2 <<-EOF You cannot specify extra binaries without the --unpack argument. Make sure that the --url argument points to a file archive. EOF @@ -36,7 +51,8 @@ SERVICE_EXEC="$(cat "${__object}/parameter/service-exec" 2>/dev/null || true)" if [ -z "${SERVICE_EXEC}" ]; then SERVICE_EXEC="${BIN_DIR}/${BINARY}" fi -SERVICE_EXEC="${SERVICE_EXEC} $(cat "${__object}/parameter/service-args")" +SERVICE_ARGS="$(cat "${__object}/parameter/service-args")" +SERVICE_EXEC="${SERVICE_EXEC} ${SERVICE_ARGS}" SERVICE_DESCRIPTION="$(cat "${__object}/parameter/service-description" \ 2>/dev/null || true)" 
@@ -77,17 +93,19 @@ if [ -n "${CONFIG_FILE_SOURCE}" ] && [ "${STATE}" = "present" ]; then --group "${GROUP}" \ --mode "0440" \ --source "${CONFIG_FILE_SOURCE}" - service_required="${service_required} __file${CONFIG_FILE_DEST}" + service_require="${service_require} __file${CONFIG_FILE_DEST}" fi +INIT="$(cat "${__global}/explorer/init")" # TODO: Support non-systemd -__systemd_unit "${SERVICE_NAME}.service" \ - --source "-" \ - --state "${STATE}" \ - --restart \ - --enablement-state "enabled" <&2 + exit 1 + ;; +esac # Proceed after user and service description have been prepared export require="${require} ${service_require}" -# Perform a service restart if config has changed -if [ "${STATE}" = "present" ]; then - __check_messages "${SERVICE_NAME}_config" \ - --pattern "^__file${CONFIG_FILE_DEST}" \ - --execute "service ${SERVICE_NAME} restart" -fi - VERSION_FILE="${BIN_DIR}/.${SERVICE_NAME}.cdist.version" IS_VERSION="$(cat "${__object}/explorer/explorer-version")" @@ -130,8 +148,7 @@ if [ "${SHOULD_VERSION}" != "${IS_VERSION}" ] && \ service ${SERVICE_NAME} stop || true for bin_file in ${BINARY} ${EXTRA_BINARIES}; do bin_path="${TMP_PATH}/\${bin_file}" - # TODO: on the BSDs, the super user group is wheel - chown root:root "\${bin_path}" + chown root:${SUPER_USER_GROUP} "\${bin_path}" chmod 0555 "\${bin_path}" cp -af "\${bin_path}" "${BIN_DIR}/\${bin_file}" done @@ -154,39 +171,34 @@ EOF require="__download${TMP_PATH}.tar.gz" \ __unpack "${TMP_PATH}.tar.gz" \ ${UNPACK_ARGS} \ - --destination "${TMP_PATH}" \ - --onchange "$(cat < Date: Wed, 4 Aug 2021 21:00:52 +0200 Subject: [PATCH 13/81] [__single_binary_service] Support customisation of systemd units Requested by pedro --- manifest | 14 ++++++++++---- parameter/optional | 1 + 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/manifest b/manifest index be967eb..fe9ef74 100755 --- a/manifest +++ b/manifest 
@@ -60,6 +60,8 @@ if [ -z "${SERVICE_DESCRIPTION}" ]; then SERVICE_DESCRIPTION="cdist-managed '${SERVICE_NAME}' service" fi +SERVICE_DEFINITION="$(cat "${__object}/parameter/service-definition" 2>/dev/null || true)" + DOWNLOAD_URL="$(cat "${__object}/parameter/url")" CHECKSUM="$(cat "${__object}/parameter/checksum")" SHOULD_VERSION="$(cat "${__object}/parameter/version")" @@ -102,10 +104,8 @@ INIT="$(cat "${__global}/explorer/init")" # TODO: Support non-systemd case "${INIT}" in systemd) - __systemd_unit "${SERVICE_NAME}.service" \ - --source "-" \ - --state "${STATE}" \ - --enablement-state "enabled" < Date: Wed, 4 Aug 2021 21:02:37 +0200 Subject: [PATCH 14/81] [__single_binary_service] Do not use echo echo echo --- manifest | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/manifest b/manifest index fe9ef74..e05b630 100755 --- a/manifest +++ b/manifest @@ -123,10 +123,12 @@ WantedBy=multi-user.target EOF )" fi - echo ${SERVICE_DEFINITION} | __systemd_unit "${SERVICE_NAME}.service" \ + __systemd_unit "${SERVICE_NAME}.service" \ --source "-" \ --state "${STATE}" \ - --enablement-state "enabled" + --enablement-state "enabled" < Date: Wed, 15 Sep 2021 16:59:32 +0200 Subject: [PATCH 15/81] __bird_ospf: add stubnets option This commit adds the ability for the bird OSPF type to use stubnets. --- type/__bird_ospf/man.rst | 6 ++++++ type/__bird_ospf/manifest | 1 + type/__bird_ospf/parameter/optional_multiple | 1 + 3 files changed, 8 insertions(+) create mode 100644 type/__bird_ospf/parameter/optional_multiple diff --git a/type/__bird_ospf/man.rst b/type/__bird_ospf/man.rst index 9b9a20f..f3f4c9a 100644 --- a/type/__bird_ospf/man.rst +++ b/type/__bird_ospf/man.rst @@ -39,6 +39,12 @@ instance-id An OSPF instance ID, allowing several OSPF instances to run on the same links. +OPTIONAL MULTIPLE PARAMETERS +---------------------------- + +stubnet + Add an optionless stubnet definition to the configuration. + SEE ALSO -------- cdist-type__bird_core(7) 
diff --git a/type/__bird_ospf/manifest b/type/__bird_ospf/manifest index 0e219ae..211e91d 100755 --- a/type/__bird_ospf/manifest +++ b/type/__bird_ospf/manifest @@ -58,6 +58,7 @@ $([ -n "${instance_id?}" ] && printf "\tinstance id %s;\n" "${instance_id?}") area 0 { $(sed -e 's/^/\t\tinterface "/' -e 's/$/";/' "${__object:?}/parameter/interface") +$(sed -e 's/^/\t\tsubnet /' -e 's/$/;/' "${__object:?}/parameter/subnet") }; } EOF diff --git a/type/__bird_ospf/parameter/optional_multiple b/type/__bird_ospf/parameter/optional_multiple new file mode 100644 index 0000000..ed3f25a --- /dev/null +++ b/type/__bird_ospf/parameter/optional_multiple @@ -0,0 +1 @@ +stubnet From affd398cff8d61126f77bad67d73b6e1109eba31 Mon Sep 17 00:00:00 2001 From: Evilham Date: Fri, 1 Oct 2021 11:51:50 +0200 Subject: [PATCH 16/81] [__jitsi*] Update to 2.0.6293 --- type/__jitsi_meet/manifest | 24 ++++++++++++++----- .../files/interface_config.js.sh | 13 ++++------ .../files/interface_config.js.sh.orig | 13 ++++------ 3 files changed, 26 insertions(+), 24 deletions(-) diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest index 26d7528..54bd204 100755 --- a/type/__jitsi_meet/manifest +++ b/type/__jitsi_meet/manifest @@ -13,6 +13,7 @@ esac JITSI_HOST="${__target_host}" +# Currently unused, see below JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")" TURN_SERVER="$(cat "${__object}/parameter/turn-server")" TURN_SECRET="$(cat "${__object}/parameter/turn-secret")" @@ -56,7 +57,11 @@ EOF export require="${require} __debconf_set_selections/jitsi_meet" # Install and upgrade packages as needed -__package_apt jitsi-meet --version "${JITSI_VERSION}" +__package_apt jitsi-meet +# We are not doing version pinning anymore because it breaks when +# the version is not the latest. +# This happens because dependencies cannot be properly resolved. +# --version "${JITSI_VERSION}" # Proceed only after installation/upgrade has finished export require="__package_apt/jitsi-meet" 
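Review bot: The added line reads `"${__object:?}/parameter/subnet"` and emits `subnet ...;`, but the parameter this commit declares in `parameter/optional_multiple` and documents in man.rst is `stubnet`, which is also the BIRD OSPF keyword; as written the file never exists, `sed` prints an error and no stubnet lines are generated, and the `$(...)` inside the heredoc does not abort the manifest. Because the parameter is optional, the file is also absent whenever no `--stubnet` is given, so guard the read as well: `$([ -f "${__object:?}/parameter/stubnet" ] && sed -e 's/^/\t\tstubnet /' -e 's/$/;/' "${__object:?}/parameter/stubnet")`. The enclosing heredoc starts outside the hunk.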
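Review bot: With `--version "${JITSI_VERSION}"` commented out, the `jitsi-version` parameter is still read a few lines above but no longer affects what `__package_apt jitsi-meet` installs, so a user passing `--jitsi-version` gets whatever the configured repository currently serves with no indication that the pin was ignored. Either document in the type's man page that the parameter currently has no effect, or, if the parameter has no default value, emit `echo "Warning: --jitsi-version is ignored, version pinning is disabled" >&2` when it is set so the silent upgrade path stays visible in the run output. The explanatory comment is good; it would be clearer as a single sentence above the call rather than trailing the command it describes.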
@@ -163,11 +168,18 @@ VirtualHost "guest.${JITSI_HOST}" c2s_require_encryption = false EOF -__line jitsi_jicofo_secured_domains \ - --file /etc/jitsi/jicofo/sip-communicator.properties \ - --line "org.jitsi.jicofo.auth.URL=XMPP:${JITSI_HOST}" \ - --regex "org.jitsi.jicofo.auth.URL=" \ - --state ${SECURED_DOMAINS_STATE_JICOFO} +__block jitsi_jicofo_secured_domains \ + --prefix "// begin cdist: jicofo_secured_domains" \ + --suffix "// end cdist: jicofo_secured_domains" \ + --file /etc/jitsi/jicofo/jicofo.conf \ + --state "${SECURED_DOMAINS_STATE_JICOFO}" \ + --text '-' < Date: Fri, 1 Oct 2021 12:00:50 +0200 Subject: [PATCH 17/81] [__jitsi_meet] Fix shellchek of unused variable --- type/__jitsi_meet/manifest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest index 54bd204..1cae2be 100755 --- a/type/__jitsi_meet/manifest +++ b/type/__jitsi_meet/manifest @@ -14,7 +14,7 @@ esac JITSI_HOST="${__target_host}" # Currently unused, see below -JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")" +# JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")" TURN_SERVER="$(cat "${__object}/parameter/turn-server")" TURN_SECRET="$(cat "${__object}/parameter/turn-secret")" From 2038244ec4de3497fda1ffb430cf206991150002 Mon Sep 17 00:00:00 2001 
From: Evilham Date: Sat, 30 Oct 2021 10:40:01 +0200 Subject: [PATCH 18/81] [__runit*] Add support for Debian/Devuan Apparently these types were only supporting FreeBSD, this brings in support for Debian and Devuan by taking advantage of https://packages.debian.org/bullseye/runit-run --- type/__runit/gencode-remote | 7 ++++++ type/__runit/manifest | 25 +++++++++++++++----- type/__runit_service/man.rst | 5 ++++ type/__runit_service/manifest | 21 ++++++++++++++-- type/__runit_service/parameter/default/state | 1 + type/__runit_service/parameter/optional | 1 + 6 files changed, 52 insertions(+), 8 deletions(-) create mode 100644 type/__runit_service/parameter/default/state create mode 100644 type/__runit_service/parameter/optional diff --git a/type/__runit/gencode-remote b/type/__runit/gencode-remote index fd2a3e0..d4e4fe8 100755 --- a/type/__runit/gencode-remote +++ b/type/__runit/gencode-remote @@ -1,5 +1,12 @@ #!/bin/sh -e + +os="$(cat "${__global}/explorer/os")" +if [ "${os}" != "freebsd" ]; then + exit +fi + +# FreeBSD-specific svdir="/var/service" svdir_exists="$(cat "${__object}/explorer/svdir-exists")" runit_etc="$(cat "${__object}/explorer/runit-etc")" diff --git a/type/__runit/manifest b/type/__runit/manifest index 195a70e..6ba174c 100755 --- a/type/__runit/manifest +++ b/type/__runit/manifest @@ -2,9 +2,22 @@ __package "runit" -__key_value \ - --file "/etc/rc.conf" \ - --key "runsvdir_enable" \ - --delimiter "=" \ - --value "yes" \ - "runsvdir_enable" +os="$(cat "${__global}/explorer/os")" +case "${os}" in + debian|devuan) + # zero-config sysvinit and systemd compatibility + __package runit-run + ;; + freebsd) + __key_value \ + --file "/etc/rc.conf" \ + --key "runsvdir_enable" \ + --delimiter "=" \ + --value "yes" \ + "runsvdir_enable" + ;; + *) + echo "Your OS '${os}' is currently not supported." >&2 + exit 1 + ;; +esac diff --git a/type/__runit_service/man.rst b/type/__runit_service/man.rst index 7b1db84..edd19e3 100644 --- a/type/__runit_service/man.rst 
+++ b/type/__runit_service/man.rst @@ -27,6 +27,11 @@ BOOLEAN PARAMETERS log Setup logging with `svlogd -tt ./main`. +OPTIONAL PARAMETERS +------------------- +state + Whether this service is to be 'present' (default) or 'absent'. + EXAMPLES -------- diff --git a/type/__runit_service/manifest b/type/__runit_service/manifest index 29f3312..83114fd 100755 --- a/type/__runit_service/manifest +++ b/type/__runit_service/manifest @@ -1,8 +1,21 @@ #!/bin/sh -e -svdir="/var/service" +os="$(cat "${__global}/explorer/os")" +case "${os}" in + debian|devuan) + svdir="/etc/service" + ;; + *bsd) + svdir="/var/service" + ;; + *) + echo "Your OS '${OS}' is currently not supported." >&2 + exit 1 + ;; +esac + sv="${__object_id}" -state="present" +state="$(cat "${__object}/parameter/state")" run_file="${svdir}/${sv}/run" source="$(cat "$__object/parameter/source")" @@ -15,6 +28,10 @@ __directory --state "${state}" "${svdir}/${sv}" export require="__directory${svdir}/${sv}" +if [ "${state}" != "present" ]; then + # We are done here, the service gets removed + exit +fi if [ -f "${__object}/parameter/log" ]; then # Setup logger if requested diff --git a/type/__runit_service/parameter/default/state b/type/__runit_service/parameter/default/state new file mode 100644 index 0000000..568612b --- /dev/null +++ b/type/__runit_service/parameter/default/state @@ -0,0 +1 @@ +present \ No newline at end of file diff --git a/type/__runit_service/parameter/optional b/type/__runit_service/parameter/optional new file mode 100644 index 0000000..ff72b5c --- /dev/null +++ b/type/__runit_service/parameter/optional @@ -0,0 +1 @@ +state From 1af7e960fa882efc7202cad5cc01d3136886fa0a Mon Sep 17 00:00:00 2001 
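Review bot: In the new `case "${os}"` fallback of `type/__runit_service/manifest` the message interpolates `${OS}`, while the variable assigned two lines earlier is `os`, so an unsupported system prints `Your OS '' is currently not supported.`; it should be `echo "Your OS '${os}' is currently not supported." >&2`, as the `__runit/manifest` hunk in this commit already has it. The `*bsd)` arm here also accepts any BSD, whereas the `__runit/gencode-remote` change exits for everything but `freebsd`, so on another BSD the service directory would be created under `/var/service` without runsvdir ever being configured — presumably unintended; narrowing the arm to `freebsd)` keeps the two types in step.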
From: Evilham Date: Sat, 30 Oct 2021 15:36:49 +0200 Subject: [PATCH 19/81] [__single_binary_service] Many improvements + runit support Amongst other things compressed files can be of a type other than .tar.gz (it remains the default) and we now properly support runit services, FreeBSD and Devuan. --- gencode-remote | 21 ---- man.rst | 27 ++++- manifest | 173 +++++++++++++++++++++-------- parameter/default/unpack-extension | 1 + parameter/default/user-home-dir | 1 + parameter/optional | 3 + 6 files changed, 152 insertions(+), 74 deletions(-) delete mode 100644 gencode-remote create mode 100644 parameter/default/unpack-extension create mode 100644 parameter/default/user-home-dir diff --git a/gencode-remote b/gencode-remote deleted file mode 100644 index fe769fa..0000000 --- a/gencode-remote +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/sh -e - -STATE="$(cat "${__object}/parameter/state")" -if [ "${STATE}" != "present" ]; then - exit -fi - -ETC_DIR="/etc" -SERVICE_NAME="${__object_id}" -CONFIG_FILE_DEST="${ETC_DIR}/${SERVICE_NAME}.conf" - -BIN_DIR="/usr/local/bin" -VERSION_FILE="${BIN_DIR}/.${SERVICE_NAME}.cdist.version" - -# We only restart here if there was a config change -# but there was not a version change -if grep -qE "^__file${CONFIG_FILE_DEST}" "${__messages_in}" && \ - grep -qvE "^__file${VERSION_FILE}" "${__messages_in}"; then - echo "service ${SERVICE_NAME} restart" -fi - diff --git a/man.rst b/man.rst index 804b465..cb40330 100644 --- a/man.rst +++ b/man.rst @@ -23,10 +23,8 @@ binaries in `/usr/local/bin`. If a `--config-file-source` is provided, it will be placed under: `/etc/${__object_id}.conf`. -TODO (patches welcome!): -- It currently only supports `.tar.gz` archives. -- It currently only supports systemd units. -- Does not handle properly BSD-systems (wheel group, /usr/local/etc, systemd) +This type supports services managed by `__runit(7)` when `systemd` is not +the init system being used. REQUIRED PARAMETERS 
@@ -72,6 +70,13 @@ user If this user is not `root` and `--do-not-manage-user` is not present, this user will be created or removed as per the `--state` parameter. +user-home-dir + Does not have an effect if `--do-not-manage-user` is used or `--user` is + `root`. + The home directory of the service user. It will be created. + Defaults to `/nonexistent`, in this case the home directory will not be + created. + group The group under which the service will run. Defaults to `--user`. @@ -95,6 +100,13 @@ service-exec Defaults to `/usr/local/bin/BINARY_NAME` where `BINARY_NAME` is the resulting value of `--binary`. +service-definition + The service definition to be used as an override. + Note that this type decides dinammically between runit and systemd, and + you can currently only define either a systemd unit or a runit script here. + Use this parameter only for testing and get in touch to discuss how your + particular use-case can be supported by the type. + service-description The service description to be used in, e.g. the systemd unit file. Defaults to `cdist-managed '${__object_id}' service`. @@ -106,6 +118,13 @@ unpack-args subdirectories; that can be worked around with `--unpack-args '--tar-strip 1'`. +unpack-extension + Only has an effect if `--unpack` is used. + The file extension of the file to unpack, defaults to `.tar.gz`. + +working-directory + If set, the working directory with which the service will be started. + OPTIONAL MULTIPLE PARAMETERS ---------------------------- diff --git a/manifest b/manifest index e05b630..8288b94 100755 --- a/manifest +++ b/manifest 
@@ -1,22 +1,43 @@ #!/bin/sh -e +SERVICE_NAME="${__object_id}" OS="$(cat "${__global}/explorer/os")" case "${OS}" in - debian) - SUPER_USER_GROUP=root - ;; - *bsd) - SUPER_USER_GROUP=wheel - ;; - *) - echo "Your OS '${OS}' is currently not supported." >&2 - exit 1 - ;; + debian|devuan) + SUPER_USER_GROUP=root + ETC_DIR="/etc" + ;; + *bsd) + SUPER_USER_GROUP=wheel + ETC_DIR="/usr/local/etc" + ;; + *) + echo "Your OS '${OS}' is currently not supported." >&2 + exit 1 + ;; +esac +INIT="$(cat "${__global}/explorer/init")" + +case "${INIT}" in + systemd) + service_definition_require="__systemd_unit/${SERVICE_NAME}.service" + service_command="service ${SERVICE_NAME} %s" + ;; + runit|sysvinit) + # We will use runit to manage these services + __runit + export require="__runit" + service_definition_require="__runit_service/${SERVICE_NAME}" + service_command="sv %s ${SERVICE_NAME}" + ;; + *) + echo "Init system ${INIT}' is currently not supported." >&2 + exit 1 + ;; esac BIN_DIR="/usr/local/bin" -ETC_DIR="/etc" # Ensure the target bin dir exists # Care, we never want to remove it :-D @@ -29,10 +50,13 @@ STATE="$(cat "${__object}/parameter/state")" USER="$(cat "${__object}/parameter/user")" GROUP="$(cat "${__object}/parameter/group" 2>/dev/null || true)" if [ -z "${GROUP}" ]; then - GROUP="${USER}" + if [ "${USER}" != "root" ]; then + GROUP="${USER}" + else + GROUP="${SUPER_USER_GROUP}" + fi fi -SERVICE_NAME="${__object_id}" BINARY="$(cat "${__object}/parameter/binary" 2>/dev/null || true)" if [ -z "${BINARY}" ]; then 
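Review bot: The error message in the new init-system `case` is missing its opening quote: `echo "Init system ${INIT}' is currently not supported." >&2` should read `echo "Init system '${INIT}' is currently not supported." >&2`. Note also that `export require="__runit"` in the runit branch sets a manifest-wide `require`, so every object declared after it (the `__directory "${BIN_DIR}"` that follows, and anything that later appends to `${require}`) inherits a dependency on `__runit`; if that ordering is intended a one-line comment such as `# All objects below must be ordered after __runit` would make it explicit, otherwise scope it to the single object that needs it.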
@@ -62,22 +86,34 @@ fi SERVICE_DEFINITION="$(cat "${__object}/parameter/service-definition" 2>/dev/null || true)" +WORKING_DIRECTORY_PATH="$(cat "${__object}/parameter/working-directory" 2>/dev/null || true)" +if [ -n "${WORKING_DIRECTORY_PATH}" ]; then + WORKING_DIRECTORY_SYSTEMD="WorkingDirectory=${WORKING_DIRECTORY_PATH}" + WORKING_DIRECTORY_RUNIT="cd '${WORKING_DIRECTORY_PATH}'" +fi + DOWNLOAD_URL="$(cat "${__object}/parameter/url")" CHECKSUM="$(cat "${__object}/parameter/checksum")" SHOULD_VERSION="$(cat "${__object}/parameter/version")" # Create a user for the service if it is not root +USER_HOME_DIR="/root" if [ "${USER}" != "root" ] && \ [ ! -f "${__object}/parameter/do-not-manage-user" ]; then if [ "${STATE}" = "absent" ]; then # When removing, ensure user is not being used - user_require="__systemd_unit/${SERVICE_NAME}.service" + user_require="${service_definition_require}" + fi + USER_HOME_DIR="$(cat "${__object}/parameter/user-home-dir")" + if [ "${USER_HOME_DIR}" != "/nonexistent" ]; then + USER_CREATE_HOME="--create-home" fi require="${require} ${user_require}" __user "${USER}" \ --system \ --state "${STATE}" \ - --home /nonexistent \ - --comment "cdist-managed ${SERVICE_NAME} user" + --home "${USER_HOME_DIR}" \ + --comment "cdist-managed ${SERVICE_NAME} user" \ + ${USER_CREATE_HOME} # Track dependencies service_require="${service_require} __user/${USER}" fi @@ -100,8 +136,8 @@ fi -INIT="$(cat "${__global}/explorer/init")" -# TODO: Support non-systemd +# This should setup the object in $service_definition_require +# See above. case "${INIT}" in systemd) if [ -z "${SERVICE_DEFINITION}" ]; then @@ -117,6 +153,7 @@ User=${USER} Group=${GROUP} ExecStart=${SERVICE_EXEC} Restart=always +${WORKING_DIRECTORY_SYSTEMD} [Install] WantedBy=multi-user.target 
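Review bot: `WORKING_DIRECTORY_RUNIT="cd '${WORKING_DIRECTORY_PATH}'"` interpolates the `--working-directory` value into a shell script that will run on the target, inside single quotes with no escaping, and the systemd `WorkingDirectory=${WORKING_DIRECTORY_PATH}` line likewise takes the raw value; a path containing `'` or a newline breaks out of the quoting. The value comes from the cdist operator, so this is a robustness rather than an exposure issue, but it is cheap to reject bad input where the variable is read: `case "${WORKING_DIRECTORY_PATH}" in /*) ;; *) echo "--working-directory must be an absolute path" >&2; exit 1 ;; esac` plus a check that it contains no quote or whitespace characters. The `if [ "${USER}" != "root" ]` block that the hunk edits continues outside the hunk.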
@@ -129,14 +166,28 @@ EOF --enablement-state "enabled" <&2 - exit 1 - ;; + ;; + runit|sysvinit) + if [ -z "${SERVICE_DEFINITION}" ]; then + SERVICE_DEFINITION="$(cat </dev/null || true)" # Download packed file - __download "${TMP_PATH}.tar.gz" \ + __download "${TMP_PATH}${UNPACK_EXTENSION}" \ --url "${DOWNLOAD_URL}" \ --download remote \ --sum "${CHECKSUM}" # Unpack file and also perform service upgrade # shellcheck disable=SC2086 - require="__download${TMP_PATH}.tar.gz" \ - __unpack "${TMP_PATH}.tar.gz" \ + require="__download${TMP_PATH}${UNPACK_EXTENSION}" \ + __unpack "${TMP_PATH}${UNPACK_EXTENSION}" \ ${UNPACK_ARGS} \ --destination "${TMP_PATH}" - version_bump_require="__unpack${TMP_PATH}.tar.gz" + version_bump_require="__unpack${TMP_PATH}${UNPACK_EXTENSION}" else # Create temp directory __directory "${TMP_PATH}" @@ -196,18 +272,17 @@ EOF # Perform update of cdist-managed version file # And also perform service upgrade + # This is a bug if service_upgrade fails >,< printf "%s" "${SHOULD_VERSION}" | \ require="${version_bump_require}" __file \ "${VERSION_FILE}" \ --onchange "${perform_service_upgrade}" \ --source "-" -fi - -if [ "${STATE}" = "absent" ]; then - # Perform cleanup of generated files - for bin_file in ${BINARY} ${EXTRA_BINARIES}; do - __file "${BIN_DIR}/${bin_file}" --state "absent" - done - __file "${VERSION_FILE}" --state "absent" - __file "${CONFIG_FILE_DEST}" --state "absent" +else + # We only restart here if there was a config change + # but there was not a version change + require="${service_require}" __check_messages \ + "single_binary_service_${__object_id}" \ + --pattern "^__file${CONFIG_FILE_DEST}" \ + --execute "$(sv_cmd restart)" fi diff --git a/parameter/default/unpack-extension b/parameter/default/unpack-extension new file mode 100644 index 0000000..c95e2e9 --- /dev/null +++ b/parameter/default/unpack-extension @@ -0,0 +1 @@ +.tar.gz \ No newline at end of file 
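Review bot: In the `@@ -196,18 +272,17 @@` hunk the version marker is written by `__file "${VERSION_FILE}"` and the upgrade only runs from its `--onchange`, so when `${perform_service_upgrade}` fails the new version is already recorded and the next cdist run will not retry, which the added `# This is a bug if service_upgrade fails` comment acknowledges. Assuming `perform_service_upgrade` is a plain shell command string (it is defined outside this hunk), the marker can be rolled back on failure with `--onchange "{ ${perform_service_upgrade}; } || rm -f -- '${VERSION_FILE}'"`, so a failed upgrade is re-attempted on the next run. The `if`/`else` that this hunk closes opens outside the hunk.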
diff --git a/parameter/default/user-home-dir b/parameter/default/user-home-dir new file mode 100644 index 0000000..4d21ca6 --- /dev/null +++ b/parameter/default/user-home-dir @@ -0,0 +1 @@ +/nonexistent diff --git a/parameter/optional b/parameter/optional index 7c2ca06..7c88cb4 100644 --- a/parameter/optional +++ b/parameter/optional @@ -7,4 +7,7 @@ service-args service-exec service-description service-definition +unpack-extension unpack-args +user-home-dir +working-directory From 18f02e24aa0170b71515013bac2a4975c02c06bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Tue, 16 Nov 2021 14:16:16 +0100 Subject: [PATCH 20/81] __matrix_synapse: use upstream matrix.org APT repository on debian --- type/__matrix_synapse/manifest | 48 ++++++++++------------------------ 1 file changed, 14 insertions(+), 34 deletions(-) diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index 4650a17..40ce138 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest 
@@ -25,29 +25,22 @@ distribution=$(cat "$__global/explorer/lsb_codename") case "$os" in debian) synapse_user=matrix-synapse - synapse_pkg=matrix-synapse + synapse_pkg=matrix-synapse-py3 synapse_service=matrix-synapse ldap_auth_provider_pkg=matrix-synapse-ldap3 synapse_conf_dir='/etc/matrix-synapse' synapse_data_dir='/var/lib/matrix-synapse' - # See https://packages.debian.org/bullseye/matrix-synapse for state of - # synapse packaging in debian. + # We use upstream's APT repository in order to stay up-to-date: upstream + # moves fast and downstream debian package is necessarily delayed. case "$distribution" in - stretch) - echo "The matrix-synapse package in debian stretch is outdated and unusable." >&2 - exit 1 - ;; - buster) - # Enable debian-backports for debian Buster, as the 'stable' - # matrix-synapse package is ways too old (< 1.0). - apt_target_release=buster-backports - __apt_backports - ;; - bullseye|sid) - # As of writting (2021-02), the default matrix-synapse of those - # release is perfectly usable. - : + buster|bulleye|bookworm|sid) + __apt_key matrix-org \ + --uri https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg + require="__apt_key/matrix-org" __apt_source matrix-org \ + --uri https://packages.matrix.org/debian/ \ + --component main + package_req="__apt_source/matrix-org" ;; *) echo "Unknown debian release '$distribution'. Exiting" >&2 
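Review bot: The release pattern `buster|bulleye|bookworm|sid)` misspells bullseye, so on a Debian 11 host the manifest falls through to the `*)` branch and exits with "Unknown debian release"; the line should be `buster|bullseye|bookworm|sid)`. Separately, the trust in packages.matrix.org now rests only on the keyring downloaded over HTTPS from the same host as the packages; if `__apt_key` accepts a fingerprint or the type can ship the keyring under its `files/` directory, pinning it there means a compromised or mis-served download cannot swap in a different signing key.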
@@ -309,25 +302,12 @@ case "$DATABASE_ENGINE" in esac -# Install OS packages. We have a bit of boilerplate to handle the debian -# backports situation. -synapse_req= -if [ -n "$apt_target_release" ]; then - require="__apt_backports" __package_apt "$synapse_pkg" \ - --target-release "$apt_target_release" - synapse_req="__package_apt/$synapse_pkg" -else - __package "$synapse_pkg" - synapse_req="__package/$synapse_pkg" -fi +# Install OS packages. +require="$package_req" __package "$synapse_pkg" +synapse_req="__package/$synapse_pkg" if [ -n "$ENABLE_LDAP_AUTH" ]; then - if [ -n "$apt_target_release" ]; then - require="__package_apt/$synapse_pkg" __package_apt "$ldap_auth_provider_pkg" \ - --target-release "$apt_target_release" - else - __package "$ldap_auth_provider_pkg" - fi + require="$package_req" __package "$ldap_auth_provider_pkg" fi # Generate and deploy configuration files. From fc6764be449ef81cd0fed10d8cffd8163df2eab3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Tue, 16 Nov 2021 15:13:16 +0100 Subject: [PATCH 21/81] __matrix_synapse_worker: change synapse call to fit matrix.org packaging --- .../files/matrix-synapse-worker@.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/type/__matrix_synapse_worker/files/matrix-synapse-worker@.service b/type/__matrix_synapse_worker/files/matrix-synapse-worker@.service index 6352b00..6f89cd8 100644 --- a/type/__matrix_synapse_worker/files/matrix-synapse-worker@.service +++ b/type/__matrix_synapse_worker/files/matrix-synapse-worker@.service 
@@ -15,7 +15,7 @@ NotifyAccess=main User=matrix-synapse WorkingDirectory=/var/lib/matrix-synapse EnvironmentFile=/etc/default/matrix-synapse -ExecStart=/usr/bin/python3 -m synapse.app.generic_worker --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --config-path=/etc/matrix-synapse/workers/%i.yaml +ExecStart=/opt/venvs/matrix-synapse/bin/python -m synapse.app.generic_worker --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --config-path=/etc/matrix-synapse/workers/%i.yaml ExecReload=/bin/kill -HUP $MAINPID Restart=on-failure RestartSec=3 From 25406ea3a09cd6bad51b44246b77905198a75384 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Tue, 30 Nov 2021 13:32:03 +0100 Subject: [PATCH 22/81] __matrix_synapse: add support for Ubuntu --- type/__matrix_synapse/gencode-remote | 2 +- type/__matrix_synapse/manifest | 30 ++++++++++------------------ 2 files changed, 11 insertions(+), 21 deletions(-) diff --git a/type/__matrix_synapse/gencode-remote b/type/__matrix_synapse/gencode-remote index cf7c648..30770ed 100755 --- a/type/__matrix_synapse/gencode-remote +++ b/type/__matrix_synapse/gencode-remote @@ -8,7 +8,7 @@ case "$os" in synapse_conf_dir=/etc/synapse synapse_service=synapse ;; - debian) + debian|ubuntu) synapse_conf_dir=/etc/matrix-synapse synapse_service=matrix-synapse ;; diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index 40ce138..04ccd42 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest @@ -20,10 +20,9 @@ # OS-specific configuration. os=$(cat "$__global/explorer/os") -distribution=$(cat "$__global/explorer/lsb_codename") case "$os" in - debian) + debian|ubuntu) synapse_user=matrix-synapse synapse_pkg=matrix-synapse-py3 synapse_service=matrix-synapse 
@@ -31,22 +30,13 @@ case "$os" in synapse_conf_dir='/etc/matrix-synapse' synapse_data_dir='/var/lib/matrix-synapse' - # We use upstream's APT repository in order to stay up-to-date: upstream - # moves fast and downstream debian package is necessarily delayed. - case "$distribution" in - buster|bulleye|bookworm|sid) - __apt_key matrix-org \ - --uri https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg - require="__apt_key/matrix-org" __apt_source matrix-org \ - --uri https://packages.matrix.org/debian/ \ - --component main - package_req="__apt_source/matrix-org" - ;; - *) - echo "Unknown debian release '$distribution'. Exiting" >&2 - exit 1 - ;; - esac + __apt_key matrix-org \ + --uri https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg + + require="__apt_key/matrix-org" __apt_source matrix-org \ + --uri https://packages.matrix.org/debian/ \ + --component main + package_req="__apt_source/matrix-org" ;; alpine) synapse_user=synapse @@ -330,8 +320,8 @@ for directory in $DATA_DIR $LOG_DIR; do --owner $synapse_user done -# Make dpkg-reconfigure happy on debian systems. -if [ "$os" = "debian" ]; then +# Make dpkg-reconfigure happy on debian-based systems. +if [ "$os" = "debian" ] || [ "$os" = "ubuntu" ]; then require="$synapse_req" __file "$synapse_conf_dir/conf.d/server_name.yaml" \ --owner $synapse_user \ --source - <<- EOF From 08e81d1e978e293ceb10585edfca29729782448c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Wed, 1 Dec 2021 08:32:37 +0100 Subject: [PATCH 23/81] __matrix_synapse: fixe ignored registration-shared-secret parameter --- type/__matrix_synapse/files/homeserver.yaml.sh | 3 +++ type/__matrix_synapse/manifest | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh index bc94391..2952919 100755 --- a/type/__matrix_synapse/files/homeserver.yaml.sh +++ b/type/__matrix_synapse/files/homeserver.yaml.sh 
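Review bot: Removing the codename whitelist means every Debian or Ubuntu codename the explorer reports is now wired to packages.matrix.org without any check; if `__apt_source` derives the distribution from the host codename (not visible here), an unsupported release only fails later at `apt-get update` instead of at manifest time, so a short `case` on the codename with a clear error message is still worth keeping. As in the previous commit, the repository signing key is fetched over HTTPS from the same origin as the packages with nothing pinned; shipping the keyring with the type or passing a fingerprint to `__apt_key`, if it supports one, anchors trust in something the operator controls.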
@@ -1330,9 +1330,12 @@ EOF if [ -n "$REGISTRATION_SHARED_SECRET" ]; then echo "registration_shared_secret: '$REGISTRATION_SHARED_SECRET'" +else + echo "# registration_shared_secret: 'secret'" fi cat << EOF + # Set the number of bcrypt rounds used to generate password hash. # Larger numbers increase the work factor needed to generate the hash. # The default number is 12 (which equates to 2^12 rounds). diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index 04ccd42..d2bb9fd 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest @@ -172,7 +172,7 @@ ENABLE_REGISTRATIONS=$(get_boolean_for 'enable-registrations') USER_DIRECTORY_SEARCH_ALL_USERS=$(get_boolean_for 'user-directory-search-all-users') export ALLOW_GUEST_ACCESS ENABLE_REGISTRATIONS USER_DIRECTORY_SEARCH_ALL_USERS -if [ -f "$__object/parameter/registration-shared-token" ]; then +if [ -f "$__object/parameter/registration-shared-secret" ]; then REGISTRATION_SHARED_SECRET=$(cat "$__object/parameter/registration-shared-secret") export REGISTRATION_SHARED_SECRET fi From d872f1d4f069717ca3f746b572a2c9e35ced02f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Wed, 1 Dec 2021 15:55:34 +0100 Subject: [PATCH 24/81] __matrix_synapse: add --turn-username and --turn-password flags --- type/__matrix_synapse/files/homeserver.yaml.sh | 18 +++++++++++++++--- type/__matrix_synapse/man.rst | 8 ++++++++ type/__matrix_synapse/manifest | 10 ++++++++++ type/__matrix_synapse/parameter/optional | 2 ++ 4 files changed, 35 insertions(+), 3 deletions(-) diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh index 2952919..5ba7d1a 100755 --- a/type/__matrix_synapse/files/homeserver.yaml.sh +++ b/type/__matrix_synapse/files/homeserver.yaml.sh 
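Review bot: `echo "registration_shared_secret: '$REGISTRATION_SHARED_SECRET'"` writes the secret into a single-quoted YAML scalar without escaping, so a secret containing `'` produces an unparsable homeserver.yaml and synapse fails to start. In YAML single-quoted scalars a quote is escaped by doubling it, so emit it as `escaped=$(printf '%s' "$REGISTRATION_SHARED_SECRET" | sed "s/'/''/g")` followed by `printf "registration_shared_secret: '%s'\n" "$escaped"`; `printf` also avoids `echo` reinterpreting a value that happens to begin with `-`.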
@@ -1175,14 +1175,26 @@ fi cat << EOF # The shared secret used to compute passwords for the TURN server # -turn_shared_secret: "$TURN_SHARED_SECRET" +EOF +if [ -n "$TURN_SHARED_SECRET" ]; then + echo "turn_shared_secret: \"$TURN_SHARED_SECRET\"" +fi + +cat << EOF # The Username and password if the TURN server needs them and # does not use a token # -#turn_username: "TURNSERVER_USERNAME" -#turn_password: "TURNSERVER_PASSWORD" +EOF +if [ -n "$TURN_USERNAME" ] || [ "$TURN_PASSWORD" ]; then + cat <<- EOF + turn_username: "$TURN_USERNAME" + turn_password: "$TURN_PASSWORD" + EOF +fi + +cat << EOF # How long generated TURN credentials last # turn_user_lifetime: ${TURN_USER_LIFETIME:?} diff --git a/type/__matrix_synapse/man.rst b/type/__matrix_synapse/man.rst index 4eb23bb..c3de79d 100644 --- a/type/__matrix_synapse/man.rst +++ b/type/__matrix_synapse/man.rst @@ -133,6 +133,14 @@ turn-uri turn-shared-secret Shared secret used to access the TURN REST API. +turn-username + Username used to authenticate against the TURN server if needed / a shared + secret token is not used. + +turn-password + Password used to authenticate against the TURN server if needed / a shared + secret token is not used. + turn-user-lifetime Lifetime of TURN credentials. Defaults to 1h. diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index d2bb9fd..dbf318f 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest @@ -246,6 +246,16 @@ if [ -f "$__object/parameter/turn-uri" ]; then export TURN_URIS fi +if [ -f "$__object/parameter/turn-username" ]; then + TURN_USERNAME=$(cat "$__object/parameter/turn-username") + export TURN_USERNAME +fi + +if [ -f "$__object/parameter/turn-password" ]; then + TURN_PASSWORD=$(cat "$__object/parameter/turn-password") + export TURN_PASSWORD +fi + # Worker-mode configuration. export MAIN_LISTENER_PORT=8008 export ENABLE_MEDIA_REPO='true' 
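Review bot: The condition `if [ -n "$TURN_USERNAME" ] || [ "$TURN_PASSWORD" ]` drops the `-n` on the second test; it still behaves as a non-empty check, but it should read `[ -n "$TURN_PASSWORD" ]` for consistency, and because the branch always emits both keys, a username without a password yields `turn_password: ""` rather than leaving the key unset. The body of the `cat <<- EOF` must be indented with tabs for `<<-` to strip the indentation; if it is indented with spaces (the diff does not show which), both keys end up indented under the preceding top-level key and the YAML is wrong, so please confirm. Both values are also interpolated unescaped inside YAML double quotes, so a password containing `"` or `\` breaks the file.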
diff --git a/type/__matrix_synapse/parameter/optional b/type/__matrix_synapse/parameter/optional index 1378365..67250d7 100644 --- a/type/__matrix_synapse/parameter/optional +++ b/type/__matrix_synapse/parameter/optional @@ -13,6 +13,8 @@ ldap-bind-password ldap-filter turn-shared-secret turn-user-lifetime +turn-username +turn-password max-upload-size smtp-host smtp-port From 96beae4c2fe0525cf8141ac2bbd791195d289697 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Thu, 2 Dec 2021 11:38:26 +0100 Subject: [PATCH 25/81] __matrix_synapse:add --smal2-idp-metadata-uri flag --- type/__matrix_synapse/files/homeserver.yaml.sh | 10 ++++++++++ type/__matrix_synapse/manifest | 9 +++++++++ type/__matrix_synapse/parameter/optional | 1 + 3 files changed, 20 insertions(+) diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh index 5ba7d1a..caf259b 100755 --- a/type/__matrix_synapse/files/homeserver.yaml.sh +++ b/type/__matrix_synapse/files/homeserver.yaml.sh @@ -1711,7 +1711,17 @@ saml2_config: # local: ["saml2/idp.xml"] # remote: # - url: https://our_idp/metadata.xml +EOF +if [ -n "$SAML2_IDP_METADATA_URL" ]; then + cat << EOF + metadata: + remote: + - url: "$SAML2_IDP_METADATA_URL" +EOF +fi + +cat << EOF # Allowed clock difference in seconds between the homeserver and IdP. # # Uncomment the below to increase the accepted time difference from 0 to 3 seconds. diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index dbf318f..c85e4fc 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest 
@@ -191,6 +191,15 @@ if [ -f "$__object/parameter/registration-allows-email-pattern" ]; then export RESGISTRATION_ALLOWS_EMAIL_PATTERN fi +if [ -f "$__object/parameter/saml2-idp-metadata-url" ]; then + # Synapse fails to start while trying to parse IDP metadata if this package + # is not installed. + __package xmlsec1 + + SAML2_IDP_METADATA_URL=$(cat "$__object/parameter/saml2-idp-metadata-url") + export SAML2_IDP_METADATA_URL +fi + # Federation. ALLOW_PUBLIC_ROOMS_OVER_FEDERATION=$(get_boolean_for 'allow-public-room-over-federation') ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH=$(get_boolean_for 'allow-public-rooms-without-auth') diff --git a/type/__matrix_synapse/parameter/optional b/type/__matrix_synapse/parameter/optional index 67250d7..0547e1a 100644 --- a/type/__matrix_synapse/parameter/optional +++ b/type/__matrix_synapse/parameter/optional @@ -36,3 +36,4 @@ background-tasks-worker tls-cert tls-private-key registration-shared-secret +saml2-idp-metadata-url From 7b27eb5445a363043a68ed8fb332d6d668b76da3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Thu, 2 Dec 2021 13:07:06 +0100 Subject: [PATCH 26/81] __matrix_synapse: add --default-identity-server flag --- type/__matrix_synapse/files/homeserver.yaml.sh | 6 ++++++ type/__matrix_synapse/manifest | 5 +++++ type/__matrix_synapse/parameter/optional | 1 + 3 files changed, 12 insertions(+) diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh index caf259b..2e7670e 100755 --- a/type/__matrix_synapse/files/homeserver.yaml.sh +++ b/type/__matrix_synapse/files/homeserver.yaml.sh 
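Review bot: `SAML2_IDP_METADATA_URL` is accepted verbatim and the man page in the next commit advertises it as an "HTTP(S) url"; presumably synapse takes the IdP signing certificate from that metadata, in which case a plain-HTTP URL lets an on-path attacker substitute the certificate and forge SSO logins. Reject anything but HTTPS where the parameter is read: `case "$SAML2_IDP_METADATA_URL" in https://*) ;; *) echo "saml2-idp-metadata-url must be an https:// URL" >&2; exit 1 ;; esac`.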
@@ -1368,7 +1368,13 @@ allow_guest_access: ${ALLOW_GUEST_ACCESS:?} # (By default, no suggestion is made, so it is left up to the client.) # #default_identity_server: https://matrix.org +EOF +if [ -n "$DEFAULT_IDENTITY_SERVER" ]; then + echo "default_identity_server: \"$DEFAULT_IDENTITY_SERVER\"" +fi + +cat << EOF # Handle threepid (email/phone etc) registration and password resets through a set of # *trusted* identity servers. Note that this allows the configured identity server to # reset passwords for accounts! diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index c85e4fc..8ba9152 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest @@ -200,6 +200,11 @@ if [ -f "$__object/parameter/saml2-idp-metadata-url" ]; then export SAML2_IDP_METADATA_URL fi +if [ -f "$__object/parameter/default-identity-server" ]; then + DEFAULT_IDENTITY_SERVER=$(cat "$__object/parameter/default-identity-server") + export DEFAULT_IDENTITY_SERVER +fi + # Federation. ALLOW_PUBLIC_ROOMS_OVER_FEDERATION=$(get_boolean_for 'allow-public-room-over-federation') ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH=$(get_boolean_for 'allow-public-rooms-without-auth') diff --git a/type/__matrix_synapse/parameter/optional b/type/__matrix_synapse/parameter/optional index 0547e1a..599e00b 100644 --- a/type/__matrix_synapse/parameter/optional +++ b/type/__matrix_synapse/parameter/optional @@ -37,3 +37,4 @@ tls-cert tls-private-key registration-shared-secret saml2-idp-metadata-url +default-identity-server From 698525fcd224bf2051578aa3b9e32b1fea7d0cc7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Mon, 6 Dec 2021 08:41:13 +0100 Subject: [PATCH 27/81] __matrix_synapse: add saml2-idp-medatada-url flag to manpage --- type/__matrix_synapse/man.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/type/__matrix_synapse/man.rst b/type/__matrix_synapse/man.rst index c3de79d..c368755 100644 --- a/type/__matrix_synapse/man.rst 
+++ b/type/__matrix_synapse/man.rst @@ -189,6 +189,9 @@ bind-address Address used to bind the synapse listeners. Can be specified multiple times. Defaults to '::1' and '127.0.0.1'. +saml2-idp-metadata-url + HTTP(S) url to SAML2 Identity Provider (IdP), used for Single Sign On (SSO) logic. + extra-setting Arbitrary string to be added to the configuration file. Can be specified multiple times. From a38275f6d7b051ff6186603b9ad594c6b0d85c1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Tue, 14 Dec 2021 12:37:18 +0100 Subject: [PATCH 28/81] __uacme*, __nginx: allow external ACME provider, EAB authentication --- type/__nginx/man.rst | 10 ++++++++++ type/__nginx/manifest | 22 +++++++++++++++++++++- type/__nginx/parameter/optional | 2 ++ type/__uacme_account/gencode-remote | 17 ++++++++++++++++- type/__uacme_account/man.rst | 11 +++++++++++ type/__uacme_account/parameter/optional | 2 ++ type/__uacme_obtain/files/renew.sh.sh | 4 ++-- type/__uacme_obtain/manifest | 16 ++++++++++++++++ type/__uacme_obtain/parameter/optional | 2 ++ 9 files changed, 82 insertions(+), 4 deletions(-) diff --git a/type/__nginx/man.rst b/type/__nginx/man.rst index 71d47e7..c1827c0 100644 --- a/type/__nginx/man.rst +++ b/type/__nginx/man.rst @@ -28,6 +28,16 @@ uacme-hookscript Custom hook passed to the __uacme_obtain type: useful to integrate the dns-01 challenge with third-party DNS providers. +acme-url + ACMEv2 server directory object URL. Lets'Encrypt is used by default. + +acme-eab-credentials + Specify RFC8555 External Account Binding credentials according to + https://tools.ietf.org/html/rfc8555#section-7.3.4, in order to associate a new + ACME account with an existing account in a non-ACME system such as a CA + customer database. KEYID must be an ASCII string. KEY must be + base64url-encoded. + EXAMPLES -------- diff --git a/type/__nginx/manifest b/type/__nginx/manifest index b552319..cdd483a 100644 --- a/type/__nginx/manifest +++ b/type/__nginx/manifest 
@@ -36,6 +36,20 @@ then set_custom_uacme_hookscript="--hookscript $uacme_hookscript" fi +set_custom_acme_url= +if [ -f "${__object:?}/parameter/acme-url" ]; +then + custom_acme_url=$(cat "${__object:?}/parameter/acme-url") + set_custom_acme_url="--acme-url $custom_acme_url" +fi + +set_acme_eab_credentials= +if [ -f "${__object:?}/parameter/acme-eab-credentials" ]; +then + acme_eab_credentials=$(cat "${__object:?}/parameter/acme-eab-credentials") + set_acme_eab_credentials="--eab-credentials $acme_eab_credentials" +fi + # Deploy simple HTTP vhost, allowing to serve ACME challenges. __nginx_vhost "301-to-https-$domain" \ --domain "$domain" --altdomains "$altdomains" --to-https @@ -46,12 +60,18 @@ if [ -f "${__object:?}/parameter/force-cert-ownership-to" ]; then cert_ownership=$(cat "${__object:?}/parameter/force-cert-ownership-to") fi -__uacme_account +# shellcheck disable=SC2086 +__uacme_account \ + $set_custom_acme_url \ + $set_acme_eab_credentials \ + # shellcheck disable=SC2086 require="__nginx_vhost/301-to-https-$domain __uacme_account" \ __uacme_obtain "$domain" \ --altdomains "$altdomains" \ $set_custom_uacme_hookscript \ + $set_custom_acme_url \ + $set_acme_eab_credentials \ --owner "$cert_ownership" \ --install-key-to "$nginx_certdir/$domain/privkey.pem" \ --install-cert-to "/$nginx_certdir/$domain/fullchain.pem" \ diff --git a/type/__nginx/parameter/optional b/type/__nginx/parameter/optional index 1a5fb95..8d6fae6 100644 --- a/type/__nginx/parameter/optional +++ b/type/__nginx/parameter/optional @@ -2,4 +2,6 @@ config domain altdomains uacme-hookscript +acme-url +acme-eab-credentials force-cert-ownership-to diff --git a/type/__uacme_account/gencode-remote b/type/__uacme_account/gencode-remote index e1d9551..b75d2d7 100644 --- a/type/__uacme_account/gencode-remote +++ b/type/__uacme_account/gencode-remote 
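Review bot: The `__uacme_account` call ends with `$set_acme_eab_credentials \`, so the command continues onto the following line; with the blank line and `# shellcheck` comment there today this is harmless, but a later edit that adds code below it will silently become an argument, so drop the trailing backslash. `$acme_eab_credentials` is split unquoted on purpose (SC2086), which also means a `KEYID:KEY` value containing whitespace would be broken into several arguments; reading the parameter into a `--eab-credentials "$value"` pair instead would be safer if the downstream types accept it.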
@@ -18,6 +18,21 @@ then admin_mail="$(cat "${__object:?}/parameter/admin-mail")"; fi +# Autoaccept ACME server terms (if any) upon new account creation. +uacme_opts="--yes" + +# Non-default ACMEv2 server directory object URL. +if [ -f "${__object:?}/parameter/acme-url" ]; then + custom_acme_url=$(cat "${__object:?}/parameter/acme-url") + uacme_opts="$uacme_opts --acme-url $custom_acme_url" +fi + +# Specify RFC8555 External Account Binding credentials. +if [ -f "${__object:?}/parameter/eab-credentials" ]; then + eab_credentials=$(cat "${__object:?}/parameter/eab-credentials") + uacme_opts="$uacme_opts --eab $eab_credentials" +fi + confdir="${default_confdir:?}" if [ -f "${__object:?}/parameter/confdir" ]; then @@ -27,6 +42,6 @@ fi cat << EOF if ! [ -f "${confdir}/private/key.pem" ]; then - uacme -y new ${admin_mail} + uacme $uacme_opts new ${admin_mail} fi EOF diff --git a/type/__uacme_account/man.rst b/type/__uacme_account/man.rst index be5efc6..c18bb40 100644 --- a/type/__uacme_account/man.rst +++ b/type/__uacme_account/man.rst @@ -23,6 +23,16 @@ confdir admin-mail Administrative contact email to register the account with. +acme-url + ACMEv2 server directory object URL. Lets'Encrypt is used by default. + +eab-credentials + Specify RFC8555 External Account Binding credentials according to + https://tools.ietf.org/html/rfc8555#section-7.3.4, in order to associate a new + ACME account with an existing account in a non-ACME system such as a CA + customer database. KEYID must be an ASCII string. KEY must be + base64url-encoded. This is parameter is not supported by uacme < 1.6. + EXAMPLES -------- @@ -43,6 +53,7 @@ SEE ALSO AUTHORS ------- Joachim Desroches +Timothée Floure COPYING ------- diff --git a/type/__uacme_account/parameter/optional b/type/__uacme_account/parameter/optional index 0eaba67..dff247c 100644 --- a/type/__uacme_account/parameter/optional +++ b/type/__uacme_account/parameter/optional @@ -1,2 +1,4 @@ confdir admin-mail +acme-url +eab-credentials 
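Review bot: `uacme $uacme_opts new ${admin_mail}` places the EAB `KEYID:KEY` pair, which is an HMAC secret, in uacme's argv on the target, where it is readable by every local user through `ps` or `/proc` while registration runs. I am not aware of a file or environment alternative for uacme's `--eab`, so if none exists this should at least be documented in `man.rst` next to the "not supported by uacme < 1.6" remark, and the generated code should never run under `set -x`. `${admin_mail}` is also expanded unquoted; `"${admin_mail}"` is safer.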
diff --git a/type/__uacme_obtain/files/renew.sh.sh b/type/__uacme_obtain/files/renew.sh.sh index 18bf061..dc82fd9 100755 --- a/type/__uacme_obtain/files/renew.sh.sh +++ b/type/__uacme_obtain/files/renew.sh.sh @@ -7,8 +7,8 @@ UACME_CHALLENGE_PATH=${CHALLENGEDIR:?} export UACME_CHALLENGE_PATH # Issue certificate. -uacme -c ${CONFDIR:?} -h ${HOOKSCRIPT:?} ${DISABLE_OCSP?} ${MUST_STAPLE?} ${KEYTYPE?} \\ - issue -- ${DOMAIN:?} +uacme -c ${CONFDIR:?} -h ${HOOKSCRIPT:?} ${DISABLE_OCSP?} ${ACME_URL?} \\ + ${EAB_CREDENTIALS?} ${MUST_STAPLE?} ${KEYTYPE?} issue -- ${DOMAIN:?} # Note: exit code 0 means that certificate was issued. # Note: exit code 1 means that certificate was still valid, hence not renewed. diff --git a/type/__uacme_obtain/manifest b/type/__uacme_obtain/manifest index f41e881..b41ddde 100644 --- a/type/__uacme_obtain/manifest +++ b/type/__uacme_obtain/manifest @@ -69,6 +69,22 @@ then fi export MUST_STAPLE +# Non-default ACMEv2 server directory object URL. +ACME_URL= +if [ -f "${__object:?}/parameter/acme-url" ]; then + custom_acme_url=$(cat "${__object:?}/parameter/acme-url") + ACME_URL="--acme-url $custom_acme_url" +fi +export ACME_URL + +# Specify RFC8555 External Account Binding credentials. +EAB_CREDENTIALS= +if [ -f "${__object:?}/parameter/eab-credentials" ]; then + eab_credentials_param=$(cat "${__object:?}/parameter/eab-credentials") + EAB_CREDENTIALS="--eab $eab_credentials_param" +fi +export EAB_CREDENTIALS + OWNER=root if [ -f "${__object:?}/parameter/owner" ]; then diff --git a/type/__uacme_obtain/parameter/optional b/type/__uacme_obtain/parameter/optional index fd721af..9fa9846 100644 --- a/type/__uacme_obtain/parameter/optional +++ b/type/__uacme_obtain/parameter/optional @@ -5,3 +5,5 @@ owner install-cert-to install-key-to renew-hook +acme-url +eab-credentials From e052178122d565e4fcc2a651b93a83587e10d73e Mon Sep 17 00:00:00 2001 
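Review bot: In `renew.sh.sh` the new `${EAB_CREDENTIALS?}` is expanded at generation time, so the EAB secret is written in plaintext into the renew script on the target and also appears in argv on every renewal; the mode the script is installed with is outside this hunk, so please confirm it is owner-only (0700 or 0600, root). RFC 8555 binds an external account at `newAccount` time, so if uacme only consumes `--eab` for the `new` command, passing it to `issue` is unnecessary and dropping `${EAB_CREDENTIALS?}` from the renew script keeps the secret off disk entirely. The `?` (rather than `:?`) expansion is correct since the parameter is optional.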
From: Evilham Date: Wed, 22 Dec 2021 20:05:37 +0100 Subject: [PATCH 29/81] [__jitsi*] Update to 2.0.6726 Sponsored by: plataformess.org --- type/__jitsi_meet/manifest | 5 +- .../files/_update_jitsi_configurations.sh | 30 ++ type/__jitsi_meet_domain/files/config.js.sh | 461 +++++++++++++++-- .../files/config.js.sh.orig | 462 ++++++++++++++++-- .../files/interface_config.js.sh | 83 ++-- .../files/interface_config.js.sh.orig | 83 ++-- type/__jitsi_meet_domain/files/nginx.sh | 58 ++- type/__jitsi_meet_domain/files/nginx.sh.orig | 58 ++- 8 files changed, 1001 insertions(+), 239 deletions(-) create mode 100755 type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest index 1cae2be..0364db6 100755 --- a/type/__jitsi_meet/manifest +++ b/type/__jitsi_meet/manifest @@ -125,7 +125,10 @@ require="__directory${NGINX_ETC}/sites-available" __file "${NGINX_ETC}/sites-ava server_names_hash_bucket_size 64; -# nginx server configuration for: +types { +# nginx's default mime.types doesn't include a mapping for wasm + application/wasm wasm; +} server { diff --git a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh new file mode 100755 index 0000000..295bdf0 --- /dev/null +++ b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh 
@@ -0,0 +1,30 @@ +#!/bin/sh -eu + +# This is a helper to update the '.sh.orig' files for jitsi's +# configuration files. +# Then the changes must be propagated to their corresponding .sh +# files by the type maintainer or a contributor + +# We could automate this, but are using it as an indicator for the +# latest branch with which we conciliated changes. +BRANCH="jitsi-meet_6726" +REPO="https://github.com/jitsi/jitsi-meet" + +get_url() { + file="${1}" + printf "%s/raw/stable/%s/%s" "${REPO}" "${BRANCH}" "${file}" + +} + +download_file() { + file="${1}" + destination="${2:-${file}.sh.orig}" + url="$(get_url "${file}")" + echo "Downloading ${destination}" + curl -L "${url}" > "${destination}" + echo +} + +download_file config.js +download_file interface_config.js +download_file doc/debian/jitsi-meet/jitsi-meet.example nginx.sh.orig diff --git a/type/__jitsi_meet_domain/files/config.js.sh b/type/__jitsi_meet_domain/files/config.js.sh index f825761..4532ba6 100644 --- a/type/__jitsi_meet_domain/files/config.js.sh +++ b/type/__jitsi_meet_domain/files/config.js.sh @@ -39,9 +39,6 @@ fi // Websocket URL // websocket: 'wss://${JITSI_HOST}/xmpp-websocket', - // The name of client node advertised in XEP-0115 'c' stanza - clientNode: 'http://jitsi.org/jitsimeet', - // The real JID of focus participant - can be overridden here // Do not change username - FIXME: Make focus username configurable // https://github.com/jitsi/jitsi-meet/issues/7376 
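Review bot: `curl -L "${url}" > "${destination}"` in download_file treats an HTTP error as success: without `-f`, a 404 for a tag that does not exist yet (for instance right after bumping BRANCH) is written into the `.sh.orig` file with exit status 0, so `set -e` does not stop the script and the error page is what gets diffed against the real configuration afterwards. Using `curl -fL "${url}" -o "${destination}"` makes the failure fatal, and with `-f` curl writes no body on an HTTP error, which on current versions also avoids clobbering the existing file. The blank line before the closing brace of get_url looks accidental, and `printf '%s\n'` would be the safer replacement for the two `echo` calls.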
@@ -56,9 +53,16 @@ fi // issues related to insertable streams. // disableE2EE: false, + // Enables/disables thumbnail reordering in the filmstrip. It is enabled by default unless explicitly + // disabled by the below option. + // enableThumbnailReordering: true, + + // Enables XMPP WebSocket (as opposed to BOSH) for the given amount of users. + // mobileXmppWsThreshold: 10 // enable XMPP WebSockets on mobile for 10% of the users + // P2P test mode disables automatic switching to P2P when there are 2 // participants in the conference. - p2pTestMode: false + // p2pTestMode: false, // Enables the test specific features consumed by jitsi-meet-torture // testMode: false @@ -71,8 +75,10 @@ fi // simulcast is turned off for the desktop share. If presenter is turned // on while screensharing is in progress, the max bitrate is automatically // adjusted to 2.5 Mbps. This takes a value between 0 and 1 which determines - // the probability for this to be enabled. - // capScreenshareBitrate: 1 // 0 to disable + // the probability for this to be enabled. This setting has been deprecated. + // desktopSharingFrameRate.max now determines whether simulcast will be enabled + // or disabled for the screenshare. + // capScreenshareBitrate: 1 // 0 to disable - deprecated. // Enable callstats only for a percentage of users. // This takes a value between 0 and 100 which determines the probability for @@ -80,6 +86,18 @@ fi // callStatsThreshold: 5 // enable callstats for 5% of the users. }, + // Disables moderator indicators. + // disableModeratorIndicator: false, + + // Disables the reactions feature. + // disableReactions: true, + + // Disables polls feature. + // disablePolls: false, + + // Disables self-view tile. (hides it from tile view and from filmstrip) + // disableSelfView: false, + // Disables ICE/UDP by filtering out local and remote UDP candidates in // signalling. // webrtcIceUdpDisable: false, 
@@ -92,6 +110,9 @@ fi // Media // + // Enable unified plan implementation support on Chromium based browsers. + // enableUnifiedOnChrome: false, + // Audio // Disable measuring of audio levels. @@ -108,6 +129,10 @@ fi // about the call. // enableSaveLogs: false, + // Enabling this will hide the "Show More" link in the GSM popover that can be + // used to display more statistics about the connection (IP, Port, protocol, etc). + // disableShowMoreStats: true, + // Enabling this will run the lib-jitsi-meet noise detection module which will // notify the user if there is noise, other than voice, coming from the current // selected microphone. The purpose it to let the user know that the input could 
@@ -129,19 +154,34 @@ fi // participants and to enable it back a reload is needed. // startSilent: false - // Sets the preferred target bitrate for the Opus audio codec by setting its - // 'maxaveragebitrate' parameter. Currently not available in p2p mode. - // Valid values are in the range 6000 to 510000 - // opusMaxAverageBitrate: 20000, - // Enables support for opus-red (redundancy for Opus). // enableOpusRed: false, + // Specify audio quality stereo and opusMaxAverageBitrate values in order to enable HD audio. + // Beware, by doing so, you are disabling echo cancellation, noise suppression and AGC. + // audioQuality: { + // stereo: false, + // opusMaxAverageBitrate: null // Value to fit the 6000 to 510000 range. + // }, + // Video // Sets the preferred resolution (height) for local video. Defaults to 720. // resolution: 720, + // Specifies whether the raised hand will hide when someone becomes a dominant speaker or not + // disableRemoveRaisedHandOnFocus: false, + + // Specifies whether there will be a search field in speaker stats or not + // disableSpeakerStatsSearch: false, + + // Specifies whether participants in speaker stats should be ordered or not, and with what priority + // speakerStatsOrder: [ + // 'role', <- Moderators on top + // 'name', <- Alphabetically by name + // 'hasLeft', <- The ones that have left in the bottom + // ] <- the order of the array elements determines priority + // How many participants while in the tile view mode, before the receiving video quality is reduced from HD to SD. // Use -1 to disable. // maxFullResolutionParticipants: 2, 
@@ -165,9 +205,10 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Enable / disable simulcast support. // disableSimulcast: false, - // Enable / disable layer suspension. If enabled, endpoints whose HD - // layers are not in use will be suspended (no longer sent) until they - // are requested again. + // Enable / disable layer suspension. If enabled, endpoints whose HD layers are not in use will be suspended + // (no longer sent) until they are requested again. This is enabled by default. This must be enabled for screen + // sharing to work as expected on Chrome. Disabling this might result in low resolution screenshare being sent + // by the client. // enableLayerSuspension: false, // Every participant after the Nth will start video muted. @@ -229,6 +270,18 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // subtitles and buttons can be configured) // transcribingEnabled: false, + // If true transcriber will use the application language. + // The application language is either explicitly set by participants in their settings or automatically + // detected based on the environment, e.g. if the app is opened in a chrome instance which is using french as its + // default language then transcriptions for that participant will be in french. + // Defaults to true. + // transcribeWithAppLanguage: true, + + // Transcriber language. This settings will only work if "transcribeWithAppLanguage" is explicitly set to false. + // Available languages can be found in + // ./src/react/features/transcribing/transcriber-langs.json. + // preferredTranscribeLanguage: 'en-US', + // Enables automatic turning on captions when recording is started // autoCaptionOnRecord: false, 
@@ -237,6 +290,20 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Default value for the channel "last N" attribute. -1 for unlimited. channelLastN: ${CHANNEL_LAST_N}, + // Connection indicators + // connectionIndicators: { + // autoHide: true, + // autoHideTimeout: 5000, + // disabled: false, + // disableDetails: false, + // inactiveDisabled: false + // }, + + // Provides a way for the lastN value to be controlled through the UI. + // When startLastN is present, conference starts with a last-n value of startLastN and channelLastN + // value will be used when the quality level is selected using "Manage Video Quality" slider. + // startLastN: 1, + // Provides a way to use different "last N" values based on the number of participants in the conference. // The keys in an Object represent number of participants and the values are "last N" to be used when number of // participants gets to or above the number. 
@@ -274,12 +341,24 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // // to take effect. // preferredCodec: 'VP8', // + // // Provides a way to enforce the preferred codec for the conference even when the conference has endpoints + // // that do not support the preferred codec. For example, older versions of Safari do not support VP9 yet. + // // This will result in Safari not being able to decode video from endpoints sending VP9 video. + // // When set to false, the conference falls back to VP8 whenever there is an endpoint that doesn't support the + // // preferred codec and goes back to the preferred codec when that endpoint leaves. + // // enforcePreferredCodec: false, + // // // Provides a way to configure the maximum bitrates that will be enforced on the simulcast streams for // // video tracks. The keys in the object represent the type of the stream (LD, SD or HD) and the values // // are the max.bitrates to be set on that particular type of stream. The actual send may vary based on // // the available bandwidth calculated by the browser, but it will be capped by the values specified here. // // This is currently not implemented on app based clients on mobile. // maxBitratesVideo: { + // H264: { + // low: 200000, + // standard: 500000, + // high: 1500000 + // }, // VP8 : { // low: 200000, // standard: 500000, @@ -288,7 +367,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // VP9: { // low: 100000, // standard: 300000, - // high: 1200000 + // high: 1200000 // } // }, // @@ -312,6 +391,13 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // resizeDesktopForPresenter: false // }, + // Notification timeouts + // notificationTimeouts: { + // short: 2500, + // medium: 5000, + // long: 10000 + // }, + // // Options for the recording limit notification. // recordingLimit: { // 
@@ -330,6 +416,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Disables or enables RTX (RFC 4588) (defaults to false). // disableRtx: false, + // Moves all Jitsi Meet 'beforeunload' logic (cleanup, leaving, disconnecting, etc) to the 'unload' event. + // disableBeforeUnloadHandlers: true, + // Disables or enables TCC support in this client (default: enabled). // enableTcc: true, @@ -345,8 +434,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // enableIceRestart: false, // Enables forced reload of the client when the call is migrated as a result of - // the bridge going down. Currently enabled by default as call migration through - // session-terminate is causing siganling issues when Octo is enabled. + // the bridge going down. // enableForcedReload: true, // Use TURN/UDP servers for the jitsi-videobridge connection (by default @@ -354,6 +442,11 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // bridge itself is reachable via UDP) // useTurnUdp: false + // Enable support for encoded transform in supported browsers. This allows + // E2EE to work in Safari if the corresponding flag is enabled in the browser. + // Experimental. + // enableEncodedTransformSupport: false, + // UI // @@ -363,6 +456,12 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Hides lobby button // hideLobbyButton: false, + // If Lobby is enabled starts knocking automatically. + // autoKnockLobby: false, + + // Hides add breakout room button + // hideAddRoomButton: false, + // Require users to always specify a display name. // requireDisplayName: true, 
@@ -382,7 +481,15 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // enableClosePage: false, // Disable hiding of remote thumbnails when in a 1-on-1 conference call. - // disable1On1Mode: false, + // Setting this to null, will also disable showing the remote videos + // when the toolbar is shown on mouse movements + // disable1On1Mode: null | false | true, + + // Default local name to be displayed + // defaultLocalDisplayName: 'me', + + // Default remote name to be displayed + // defaultRemoteDisplayName: 'Fellow Jitster', // Default language for the user interface. defaultLanguage: '${DEFAULT_LANGUAGE}', @@ -405,8 +512,18 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // and microsoftApiApplicationClientID // enableCalendarIntegration: false, - // When 'true', it shows an intermediate page before joining, where the user can configure their devices. - // prejoinPageEnabled: false, + // Configs for prejoin page. + // prejoinConfig: { + // // When 'true', it shows an intermediate page before joining, where the user can configure their devices. + // // This replaces \`prejoinPageEnabled\`. + // enabled: true, + // // List of buttons to hide from the extra join options dropdown. + // hideExtraJoinButtons: ['no-audio', 'by-phone'] + // }, + + // When 'true', the user cannot edit the display name. + // (Mainly useful when used in conjuction with the JWT so the JWT name becomes read only.) + // readOnlyName: false, // If etherpad integration is enabled, setting this to true will // automatically open the etherpad when a participant joins. This 
@@ -427,6 +544,10 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Base URL for a Gravatar-compatible service. Defaults to libravatar. // gravatarBaseURL: 'https://seccdn.libravatar.org/avatar/', + // App name to be displayed in the invitation email subject, as an alternative to + // interfaceConfig.APP_NAME. + // inviteAppName: null, + // Moved from interfaceConfig(TOOLBAR_BUTTONS). // The name of the toolbar buttons to display in the toolbar, including the // "More actions" menu. If present, the button will display. Exceptions are 
@@ -439,13 +560,94 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // - 'desktop' controls the "Share your screen" button // - if \`toolbarButtons\` is undefined, we fallback to enabling all buttons on the UI // toolbarButtons: [ - // 'microphone', 'camera', 'closedcaptions', 'desktop', 'embedmeeting', 'fullscreen', - // 'fodeviceselection', 'hangup', 'profile', 'chat', 'recording', - // 'livestreaming', 'etherpad', 'sharedvideo', 'shareaudio', 'settings', 'raisehand', - // 'videoquality', 'filmstrip', 'invite', 'feedback', 'stats', 'shortcuts', - // 'tileview', 'select-background', 'download', 'help', 'mute-everyone', 'mute-video-everyone', 'security' + // 'camera', + // 'chat', + // 'closedcaptions', + // 'desktop', + // 'download', + // 'embedmeeting', + // 'etherpad', + // 'feedback', + // 'filmstrip', + // 'fullscreen', + // 'hangup', + // 'help', + // 'invite', + // 'livestreaming', + // 'microphone', + // 'mute-everyone', + // 'mute-video-everyone', + // 'participants-pane', + // 'profile', + // 'raisehand', + // 'recording', + // 'security', + // 'select-background', + // 'settings', + // 'shareaudio', + // 'sharedvideo', + // 'shortcuts', + // 'stats', + // 'tileview', + // 'toggle-camera', + // 'videoquality', + // '__end' // ], + // Holds values related to toolbar visibility control. + // toolbarConfig: { + // // Moved from interfaceConfig.INITIAL_TOOLBAR_TIMEOUT + // // The initial numer of miliseconds for the toolbar buttons to be visible on screen. + // initialTimeout: 20000, + // // Moved from interfaceConfig.TOOLBAR_TIMEOUT + // // Number of miliseconds for the toolbar buttons to be visible on screen. + // timeout: 4000, + // // Moved from interfaceConfig.TOOLBAR_ALWAYS_VISIBLE + // // Whether toolbar should be always visible or should hide after x miliseconds. 
+ // alwaysVisible: false + // }, + + // Toolbar buttons which have their click event exposed through the API on + // \`toolbarButtonClicked\` event instead of executing the normal click routine. + // buttonsWithNotifyClick: [ + // 'camera', + // 'chat', + // 'closedcaptions', + // 'desktop', + // 'download', + // 'embedmeeting', + // 'etherpad', + // 'feedback', + // 'filmstrip', + // 'fullscreen', + // 'hangup', + // 'help', + // 'invite', + // 'livestreaming', + // 'microphone', + // 'mute-everyone', + // 'mute-video-everyone', + // 'participants-pane', + // 'profile', + // 'raisehand', + // 'recording', + // 'security', + // 'select-background', + // 'settings', + // 'shareaudio', + // 'sharedvideo', + // 'shortcuts', + // 'stats', + // 'tileview', + // 'toggle-camera', + // 'videoquality', + // '__end' + // ], + + // List of pre meeting screens buttons to hide. The values must be one or more of the 5 allowed buttons: + // 'microphone', 'camera', 'select-background', 'invite', 'settings' + // hiddenPremeetingButtons: [], + // Stats // 
@@ -463,12 +665,37 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // callStatsID: '', // callStatsSecret: '', + // The callstats initialize config params as described in the API: + // https://docs.callstats.io/docs/javascript#callstatsinitialize-with-app-secret + // callStatsConfigParams: { + // disableBeforeUnloadHandler: true, // disables callstats.js's window.onbeforeunload parameter. + // applicationVersion: "app_version", // Application version specified by the developer. + // disablePrecalltest: true, // disables the pre-call test, it is enabled by default. + // siteID: "siteID", // The name/ID of the site/campus from where the call/pre-call test is made. + // additionalIDs: { // additionalIDs object, contains application related IDs. + // customerID: "Customer Identifier. Example, walmart.", + // tenantID: "Tenant Identifier. Example, monster.", + // productName: "Product Name. Example, Jitsi.", + // meetingsName: "Meeting Name. Example, Jitsi loves callstats.", + // serverName: "Server/MiddleBox Name. Example, jvb-prod-us-east-mlkncws12.", + // pbxID: "PBX Identifier. Example, walmart.", + // pbxExtensionID: "PBX Extension Identifier. Example, 5625.", + // fqExtensionID: "Fully qualified Extension Identifier. Example, +71 (US) +5625.", + // sessionID: "Session Identifier. Example, session-12-34" + // }, + // collectLegacyStats: true, //enables the collection of legacy stats in chrome browser + // collectIP: true //enables the collection localIP address + // }, + // Enables sending participants' display names to callstats // enableDisplayNameInStats: false, // Enables sending participants' emails (if available) to callstats and other analytics // enableEmailInStats: false, + // Enables detecting faces of participants and get their expression and send it to other participants + // enableFacialRecognition: true, + // Controls the percentage of automatic feedback shown to participants when callstats is enabled. 
// The default value is 100%. If set to 0, no automatic feedback will be requested // feedbackPercentage: 100, @@ -494,11 +721,8 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // connection. enabled: true, - // The STUN servers that will be used in the peer to peer connections - stunServers: [ - - { urls: 'stun:${TURN_SERVER}:443' } - ] + // Enable unified plan implementation support on Chromium for p2p connection. + // enableUnifiedOnChrome: false, // Sets the ICE transport policy for the p2p connection. At the time // of this writing the list of possible values are 'all' and 'relay', @@ -525,10 +749,20 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // How long we're going to wait, before going back to P2P after the 3rd // participant has left the conference (to filter out page reload). - // backToP2PDelay: 5 + // backToP2PDelay: 5, + + // The STUN servers that will be used in the peer to peer connections + stunServers: [ + + // { urls: 'stun:jitsi-meet.example.com:3478' }, + { urls: 'stun:${TURN_SERVER}:443' } + ] }, analytics: { + // True if the analytics should be disabled + // disabled: false, + // The Google Analytics Tracking ID: // googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1' @@ -544,7 +778,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // module connects to the provided rtcstatsEndpoint and sends statistics regarding // PeerConnection states along with getStats metrics polled at the specified // interval. - // rtcstatsEnabled: true, + // rtcstatsEnabled: false, // In order to enable rtcstats one needs to provide a endpoint url. // rtcstatsEndpoint: wss://rtcstats-server-pilot.jitsi.net/, 
@@ -572,13 +806,43 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // userRegion: "asia" }, + // Array of disabled sounds. + // Possible values: + // - 'ASKED_TO_UNMUTE_SOUND' + // - 'E2EE_OFF_SOUND' + // - 'E2EE_ON_SOUND' + // - 'INCOMING_MSG_SOUND' + // - 'KNOCKING_PARTICIPANT_SOUND' + // - 'LIVE_STREAMING_OFF_SOUND' + // - 'LIVE_STREAMING_ON_SOUND' + // - 'NO_AUDIO_SIGNAL_SOUND' + // - 'NOISY_AUDIO_INPUT_SOUND' + // - 'OUTGOING_CALL_EXPIRED_SOUND' + // - 'OUTGOING_CALL_REJECTED_SOUND' + // - 'OUTGOING_CALL_RINGING_SOUND' + // - 'OUTGOING_CALL_START_SOUND' + // - 'PARTICIPANT_JOINED_SOUND' + // - 'PARTICIPANT_LEFT_SOUND' + // - 'RAISE_HAND_SOUND' + // - 'REACTION_SOUND' + // - 'RECORDING_OFF_SOUND' + // - 'RECORDING_ON_SOUND' + // - 'TALK_WHILE_MUTED_SOUND' + // disabledSounds: [], + + // DEPRECATED! Use \`disabledSounds\` instead. // Decides whether the start/stop recording audio notifications should play on record. // disableRecordAudioNotification: false, + // DEPRECATED! Use \`disabledSounds\` instead. // Disables the sounds that play when other participants join or leave the // conference (if set to true, these sounds will not be played). // disableJoinLeaveSounds: false, + // DEPRECATED! Use \`disabledSounds\` instead. + // Disables the sounds that play when a chat message is received. + // disableIncomingMessageSound: false, + // Information for the chrome extension banner // chromeExtensionBanner: { // // The chrome extension to be installed address @@ -599,8 +863,8 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // localRecording: { // Enables local recording. // Additionally, 'localrecording' (all lowercase) needs to be added to - // TOOLBAR_BUTTONS in interface_config.js for the Local Recording - // button to show up on the toolbar. + // the \`toolbarButtons\`-array for the Local Recording button to show up + // on the toolbar. // // enabled: true, // 
@@ -609,6 +873,10 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // format: 'flac' // + // }, + // e2ee: { + // labels, + // externallyManagedKey: false // }, // Options related to end-to-end (participant to participant) ping. @@ -663,7 +931,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Options related to the remote participant menu. // remoteVideoMenu: { // // If set to true the 'Kick out' button will be disabled. - // disableKick: true + // disableKick: true, + // // If set to true the 'Grant moderator' button will be disabled. + // disableGrantModerator: true // }, // If set to true all muting operations of remote participants will be disabled. 
@@ -675,20 +945,67 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) /** External API url used to receive branding specific information. If there is no url set or there are missing fields, the defaults are applied. + The config file should be in JSON. None of the fields are mandatory and the response must have the shape: - { - // The hex value for the colour used as background - backgroundColor: '#fff', - // The url for the image used as background - backgroundImageUrl: 'https://example.com/background-img.png', - // The anchor url used when clicking the logo image - logoClickUrl: 'https://example-company.org', - // The url used for the image used as logo - logoImageUrl: 'https://example.com/logo-img.png' - } + { + // The domain url to apply (will replace the domain in the sharing conference link/embed section) + inviteDomain: 'example-company.org, + // The hex value for the colour used as background + backgroundColor: '#fff', + // The url for the image used as background + backgroundImageUrl: 'https://example.com/background-img.png', + // The anchor url used when clicking the logo image + logoClickUrl: 'https://example-company.org', + // The url used for the image used as logo + logoImageUrl: 'https://example.com/logo-img.png', + // Overwrite for pool of background images for avatars + avatarBackgrounds: ['url(https://example.com/avatar-background-1.png)', '#FFF'], + // The lobby/prejoin screen background + premeetingBackground: 'url(https://example.com/premeeting-background.png)', + // A list of images that can be used as video backgrounds. + // When this field is present, the default images will be replaced with those provided. + virtualBackgrounds: ['https://example.com/img.jpg'], + // Object containing a theme's properties. It also supports partial overwrites of the main theme. 
+ // For a list of all possible theme tokens and their current defaults, please check: + // https://github.com/jitsi/jitsi-meet/tree/master/resources/custom-theme/custom-theme.json + // For a short explanations on each of the tokens, please check: + // https://github.com/jitsi/jitsi-meet/blob/master/react/features/base/ui/Tokens.js + // IMPORTANT!: This is work in progress so many of the various tokens are not yet applied in code + // or they are partially applied. + customTheme: { + palette: { + ui01: "orange !important", + ui02: "maroon", + surface02: 'darkgreen', + ui03: "violet", + ui04: "magenta", + ui05: "blueviolet", + field02Hover: 'red', + action01: 'green', + action01Hover: 'lightgreen', + action02Disabled: 'beige', + success02: 'cadetblue', + action02Hover: 'aliceblue' + }, + typography: { + labelRegular: { + fontSize: 25, + lineHeight: 30, + fontWeight: 500 + } + } + } + } */ dynamicBrandingUrl: "${DYNAMIC_BRANDING_URL}", + // When true the user cannot add more images to be used as virtual background. + // Only the default ones from will be available. + // disableAddingBackgroundImages: false, + + // Disables using screensharing as virtual background. + // disableScreensharingVirtualBackground: false, + // Sets the background transparency level. '0' is fully transparent, '1' is opaque. // backgroundAlpha: 1, 
@@ -700,12 +1017,35 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // If true, tile view will not be enabled automatically when the participants count threshold is reached. // disableTileView: true, + // If true, the tiles will be displayed contained within the available space rather than enlarged to cover it. + // disableTileEnlargement: true, + + // Controls the visibility and behavior of the top header conference info labels. + // If a label's id is not in any of the 2 arrays, it will not be visible at all on the header. + // conferenceInfo: { + // // those labels will not be hidden in tandem with the toolbox. + // alwaysVisible: ['recording', 'local-recording'], + // // those labels will be auto-hidden in tandem with the toolbox buttons. + // autoHide: [ + // 'subject', + // 'conference-timer', + // 'participants-count', + // 'e2ee', + // 'transcribing', + // 'video-quality', + // 'insecure-room' + // ] + // }, + // Hides the conference subject // hideConferenceSubject: true, // Hides the conference timer. // hideConferenceTimer: true, + // Hides the recording label + // hideRecordingLabel: false, + // Hides the participants stats // hideParticipantsStats: true, @@ -717,6 +1057,13 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // is not persisting the local storage inside the iframe. // useHostPageLocalStorage: true, + // etherpad ("shared document") integration. + // + + // If set, add a "Open shared document" link to the bottom right menu that + // will open an etherpad document. + // etherpad_base: 'https://your-etherpad-installati.on/p/', + // List of undocumented settings used in jitsi-meet /** _immediateReloadThreshold @@ -729,8 +1076,8 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) dialOutCodesUrl disableRemoteControl displayJids - etherpad_base externalConnectUrl + e2eeLabels firefox_fake_device googleApiApplicationClientID iAmRecorder 
@@ -772,6 +1119,11 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) websocketKeepAliveUrl */ + /** + * Default interval (milliseconds) for triggering mouseMoved iframe API event + */ + mouseMoveCallbackInterval: 1000, + /** Use this array to configure which notifications will be shown to the user The items correspond to the title or description key of that notification 
@@ -805,11 +1157,19 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // 'lobby.notificationTitle', // shown when lobby is toggled and when join requests are allowed / denied // 'localRecording.localRecording', // shown when a local recording is started // 'notify.disconnected', // shown when a participant has left + // 'notify.connectedOneMember', // show when a participant joined + // 'notify.connectedTwoMembers', // show when two participants joined simultaneously + // 'notify.connectedThreePlusMembers', // show when more than 2 participants joined simultaneously // 'notify.grantedTo', // shown when moderator rights were granted to a participant // 'notify.invitedOneMember', // shown when 1 participant has been invited // 'notify.invitedThreePlusMembers', // shown when 3+ participants have been invited // 'notify.invitedTwoMembers', // shown when 2 participants have been invited // 'notify.kickParticipant', // shown when a participant is kicked + // 'notify.moderationStartedTitle', // shown when AV moderation is activated + // 'notify.moderationStoppedTitle', // shown when AV moderation is deactivated + // 'notify.moderationInEffectTitle', // shown when user attempts to unmute audio during AV moderation + // 'notify.moderationInEffectVideoTitle', // shown when user attempts to enable video during AV moderation + // 'notify.moderationInEffectCSTitle', // shown when user attempts to share content during AV moderation // 'notify.mutedRemotelyTitle', // shown when user is muted by a remote party // 'notify.mutedTitle', // shown when user has been muted upon joining, // 'notify.newDeviceAudioTitle', // prompts the user to use a newly detected audio device 
@@ -818,6 +1178,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // 'notify.passwordSetRemotely', // shown when a password has been set remotely // 'notify.raisedHand', // shown when a partcipant used raise hand, // 'notify.startSilentTitle', // shown when user joined with no audio + // 'notify.unmute', // shown to moderator when user raises hand during AV moderation // 'prejoin.errorDialOut', // 'prejoin.errorDialOutDisconnected', // 'prejoin.errorDialOutFailed', @@ -831,7 +1192,13 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // 'toolbar.noisyAudioInputTitle', // shown when noise is detected for the current microphone // 'toolbar.talkWhileMutedPopup', // shown when user tries to speak while muted // 'transcribing.failedToStart' // shown when transcribing fails to start - // ] + // ], + + // Prevent the filmstrip from autohiding when screen width is under a certain threshold + // disableFilmstripAutohiding: false, + + // Specifies whether the chat emoticons are disabled or not + // disableChatSmileys: false, // Allow all above example options to include a trailing comma and // prevent fear when commenting out the last value. diff --git a/type/__jitsi_meet_domain/files/config.js.sh.orig b/type/__jitsi_meet_domain/files/config.js.sh.orig index 9d49d52..eb30636 100644 --- a/type/__jitsi_meet_domain/files/config.js.sh.orig +++ b/type/__jitsi_meet_domain/files/config.js.sh.orig @@ -27,9 +27,6 @@ var config = { // Websocket URL // websocket: 'wss://jitsi-meet.example.com/xmpp-websocket', - // The name of client node advertised in XEP-0115 'c' stanza - clientNode: 'http://jitsi.org/jitsimeet', - // The real JID of focus participant - can be overridden here // Do not change username - FIXME: Make focus username configurable // https://github.com/jitsi/jitsi-meet/issues/7376 
@@ -44,9 +41,16 @@ var config = { // issues related to insertable streams. // disableE2EE: false, + // Enables/disables thumbnail reordering in the filmstrip. It is enabled by default unless explicitly + // disabled by the below option. + // enableThumbnailReordering: true, + + // Enables XMPP WebSocket (as opposed to BOSH) for the given amount of users. + // mobileXmppWsThreshold: 10 // enable XMPP WebSockets on mobile for 10% of the users + // P2P test mode disables automatic switching to P2P when there are 2 // participants in the conference. - p2pTestMode: false + // p2pTestMode: false, // Enables the test specific features consumed by jitsi-meet-torture // testMode: false @@ -59,8 +63,10 @@ var config = { // simulcast is turned off for the desktop share. If presenter is turned // on while screensharing is in progress, the max bitrate is automatically // adjusted to 2.5 Mbps. This takes a value between 0 and 1 which determines - // the probability for this to be enabled. - // capScreenshareBitrate: 1 // 0 to disable + // the probability for this to be enabled. This setting has been deprecated. + // desktopSharingFrameRate.max now determines whether simulcast will be enabled + // or disabled for the screenshare. + // capScreenshareBitrate: 1 // 0 to disable - deprecated. // Enable callstats only for a percentage of users. // This takes a value between 0 and 100 which determines the probability for @@ -68,6 +74,18 @@ var config = { // callStatsThreshold: 5 // enable callstats for 5% of the users. }, + // Disables moderator indicators. + // disableModeratorIndicator: false, + + // Disables the reactions feature. + // disableReactions: true, + + // Disables polls feature. + // disablePolls: false, + + // Disables self-view tile. (hides it from tile view and from filmstrip) + // disableSelfView: false, + // Disables ICE/UDP by filtering out local and remote UDP candidates in // signalling. // webrtcIceUdpDisable: false, 
@@ -80,6 +98,9 @@ var config = { // Media // + // Enable unified plan implementation support on Chromium based browsers. + // enableUnifiedOnChrome: false, + // Audio // Disable measuring of audio levels. @@ -96,6 +117,10 @@ var config = { // about the call. // enableSaveLogs: false, + // Enabling this will hide the "Show More" link in the GSM popover that can be + // used to display more statistics about the connection (IP, Port, protocol, etc). + // disableShowMoreStats: true, + // Enabling this will run the lib-jitsi-meet noise detection module which will // notify the user if there is noise, other than voice, coming from the current // selected microphone. The purpose it to let the user know that the input could 
@@ -117,19 +142,34 @@ var config = { // participants and to enable it back a reload is needed. // startSilent: false - // Sets the preferred target bitrate for the Opus audio codec by setting its - // 'maxaveragebitrate' parameter. Currently not available in p2p mode. - // Valid values are in the range 6000 to 510000 - // opusMaxAverageBitrate: 20000, - // Enables support for opus-red (redundancy for Opus). // enableOpusRed: false, + // Specify audio quality stereo and opusMaxAverageBitrate values in order to enable HD audio. + // Beware, by doing so, you are disabling echo cancellation, noise suppression and AGC. + // audioQuality: { + // stereo: false, + // opusMaxAverageBitrate: null // Value to fit the 6000 to 510000 range. + // }, + // Video // Sets the preferred resolution (height) for local video. Defaults to 720. // resolution: 720, + // Specifies whether the raised hand will hide when someone becomes a dominant speaker or not + // disableRemoveRaisedHandOnFocus: false, + + // Specifies whether there will be a search field in speaker stats or not + // disableSpeakerStatsSearch: false, + + // Specifies whether participants in speaker stats should be ordered or not, and with what priority + // speakerStatsOrder: [ + // 'role', <- Moderators on top + // 'name', <- Alphabetically by name + // 'hasLeft', <- The ones that have left in the bottom + // ] <- the order of the array elements determines priority + // How many participants while in the tile view mode, before the receiving video quality is reduced from HD to SD. // Use -1 to disable. // maxFullResolutionParticipants: 2, 
@@ -152,9 +192,10 @@ var config = { // Enable / disable simulcast support. // disableSimulcast: false, - // Enable / disable layer suspension. If enabled, endpoints whose HD - // layers are not in use will be suspended (no longer sent) until they - // are requested again. + // Enable / disable layer suspension. If enabled, endpoints whose HD layers are not in use will be suspended + // (no longer sent) until they are requested again. This is enabled by default. This must be enabled for screen + // sharing to work as expected on Chrome. Disabling this might result in low resolution screenshare being sent + // by the client. // enableLayerSuspension: false, // Every participant after the Nth will start video muted. @@ -216,6 +257,18 @@ var config = { // subtitles and buttons can be configured) // transcribingEnabled: false, + // If true transcriber will use the application language. + // The application language is either explicitly set by participants in their settings or automatically + // detected based on the environment, e.g. if the app is opened in a chrome instance which is using french as its + // default language then transcriptions for that participant will be in french. + // Defaults to true. + // transcribeWithAppLanguage: true, + + // Transcriber language. This settings will only work if "transcribeWithAppLanguage" is explicitly set to false. + // Available languages can be found in + // ./src/react/features/transcribing/transcriber-langs.json. + // preferredTranscribeLanguage: 'en-US', + // Enables automatic turning on captions when recording is started // autoCaptionOnRecord: false, 
@@ -224,6 +277,20 @@ var config = { // Default value for the channel "last N" attribute. -1 for unlimited. channelLastN: -1, + // Connection indicators + // connectionIndicators: { + // autoHide: true, + // autoHideTimeout: 5000, + // disabled: false, + // disableDetails: false, + // inactiveDisabled: false + // }, + + // Provides a way for the lastN value to be controlled through the UI. + // When startLastN is present, conference starts with a last-n value of startLastN and channelLastN + // value will be used when the quality level is selected using "Manage Video Quality" slider. + // startLastN: 1, + // Provides a way to use different "last N" values based on the number of participants in the conference. // The keys in an Object represent number of participants and the values are "last N" to be used when number of // participants gets to or above the number. 
@@ -261,12 +328,24 @@ var config = { // // to take effect. // preferredCodec: 'VP8', // + // // Provides a way to enforce the preferred codec for the conference even when the conference has endpoints + // // that do not support the preferred codec. For example, older versions of Safari do not support VP9 yet. + // // This will result in Safari not being able to decode video from endpoints sending VP9 video. + // // When set to false, the conference falls back to VP8 whenever there is an endpoint that doesn't support the + // // preferred codec and goes back to the preferred codec when that endpoint leaves. + // // enforcePreferredCodec: false, + // // // Provides a way to configure the maximum bitrates that will be enforced on the simulcast streams for // // video tracks. The keys in the object represent the type of the stream (LD, SD or HD) and the values // // are the max.bitrates to be set on that particular type of stream. The actual send may vary based on // // the available bandwidth calculated by the browser, but it will be capped by the values specified here. // // This is currently not implemented on app based clients on mobile. // maxBitratesVideo: { + // H264: { + // low: 200000, + // standard: 500000, + // high: 1500000 + // }, // VP8 : { // low: 200000, // standard: 500000, @@ -275,7 +354,7 @@ var config = { // VP9: { // low: 100000, // standard: 300000, - // high: 1200000 + // high: 1200000 // } // }, // @@ -299,6 +378,13 @@ var config = { // resizeDesktopForPresenter: false // }, + // Notification timeouts + // notificationTimeouts: { + // short: 2500, + // medium: 5000, + // long: 10000 + // }, + // // Options for the recording limit notification. // recordingLimit: { // 
@@ -317,6 +403,9 @@ var config = { // Disables or enables RTX (RFC 4588) (defaults to false). // disableRtx: false, + // Moves all Jitsi Meet 'beforeunload' logic (cleanup, leaving, disconnecting, etc) to the 'unload' event. + // disableBeforeUnloadHandlers: true, + // Disables or enables TCC support in this client (default: enabled). // enableTcc: true, @@ -332,8 +421,7 @@ var config = { // enableIceRestart: false, // Enables forced reload of the client when the call is migrated as a result of - // the bridge going down. Currently enabled by default as call migration through - // session-terminate is causing siganling issues when Octo is enabled. + // the bridge going down. // enableForcedReload: true, // Use TURN/UDP servers for the jitsi-videobridge connection (by default @@ -341,6 +429,11 @@ var config = { // bridge itself is reachable via UDP) // useTurnUdp: false + // Enable support for encoded transform in supported browsers. This allows + // E2EE to work in Safari if the corresponding flag is enabled in the browser. + // Experimental. + // enableEncodedTransformSupport: false, + // UI // @@ -350,6 +443,12 @@ var config = { // Hides lobby button // hideLobbyButton: false, + // If Lobby is enabled starts knocking automatically. + // autoKnockLobby: false, + + // Hides add breakout room button + // hideAddRoomButton: false, + // Require users to always specify a display name. // requireDisplayName: true, 
@@ -369,7 +468,15 @@ var config = { // enableClosePage: false, // Disable hiding of remote thumbnails when in a 1-on-1 conference call. - // disable1On1Mode: false, + // Setting this to null, will also disable showing the remote videos + // when the toolbar is shown on mouse movements + // disable1On1Mode: null | false | true, + + // Default local name to be displayed + // defaultLocalDisplayName: 'me', + + // Default remote name to be displayed + // defaultRemoteDisplayName: 'Fellow Jitster', // Default language for the user interface. // defaultLanguage: 'en', @@ -392,8 +499,18 @@ var config = { // and microsoftApiApplicationClientID // enableCalendarIntegration: false, - // When 'true', it shows an intermediate page before joining, where the user can configure their devices. - // prejoinPageEnabled: false, + // Configs for prejoin page. + // prejoinConfig: { + // // When 'true', it shows an intermediate page before joining, where the user can configure their devices. + // // This replaces `prejoinPageEnabled`. + // enabled: true, + // // List of buttons to hide from the extra join options dropdown. + // hideExtraJoinButtons: ['no-audio', 'by-phone'] + // }, + + // When 'true', the user cannot edit the display name. + // (Mainly useful when used in conjuction with the JWT so the JWT name becomes read only.) + // readOnlyName: false, // If etherpad integration is enabled, setting this to true will // automatically open the etherpad when a participant joins. This @@ -414,6 +531,10 @@ var config = { // Base URL for a Gravatar-compatible service. Defaults to libravatar. // gravatarBaseURL: 'https://seccdn.libravatar.org/avatar/', + // App name to be displayed in the invitation email subject, as an alternative to + // interfaceConfig.APP_NAME. + // inviteAppName: null, + // Moved from interfaceConfig(TOOLBAR_BUTTONS). // The name of the toolbar buttons to display in the toolbar, including the // "More actions" menu. If present, the button will display. Exceptions are 
@@ -426,13 +547,94 @@ var config = { // - 'desktop' controls the "Share your screen" button // - if `toolbarButtons` is undefined, we fallback to enabling all buttons on the UI // toolbarButtons: [ - // 'microphone', 'camera', 'closedcaptions', 'desktop', 'embedmeeting', 'fullscreen', - // 'fodeviceselection', 'hangup', 'profile', 'chat', 'recording', - // 'livestreaming', 'etherpad', 'sharedvideo', 'shareaudio', 'settings', 'raisehand', - // 'videoquality', 'filmstrip', 'invite', 'feedback', 'stats', 'shortcuts', - // 'tileview', 'select-background', 'download', 'help', 'mute-everyone', 'mute-video-everyone', 'security' + // 'camera', + // 'chat', + // 'closedcaptions', + // 'desktop', + // 'download', + // 'embedmeeting', + // 'etherpad', + // 'feedback', + // 'filmstrip', + // 'fullscreen', + // 'hangup', + // 'help', + // 'invite', + // 'livestreaming', + // 'microphone', + // 'mute-everyone', + // 'mute-video-everyone', + // 'participants-pane', + // 'profile', + // 'raisehand', + // 'recording', + // 'security', + // 'select-background', + // 'settings', + // 'shareaudio', + // 'sharedvideo', + // 'shortcuts', + // 'stats', + // 'tileview', + // 'toggle-camera', + // 'videoquality', + // '__end' // ], + // Holds values related to toolbar visibility control. + // toolbarConfig: { + // // Moved from interfaceConfig.INITIAL_TOOLBAR_TIMEOUT + // // The initial numer of miliseconds for the toolbar buttons to be visible on screen. + // initialTimeout: 20000, + // // Moved from interfaceConfig.TOOLBAR_TIMEOUT + // // Number of miliseconds for the toolbar buttons to be visible on screen. + // timeout: 4000, + // // Moved from interfaceConfig.TOOLBAR_ALWAYS_VISIBLE + // // Whether toolbar should be always visible or should hide after x miliseconds. + // alwaysVisible: false + // }, + + // Toolbar buttons which have their click event exposed through the API on + // `toolbarButtonClicked` event instead of executing the normal click routine. 
+ // buttonsWithNotifyClick: [ + // 'camera', + // 'chat', + // 'closedcaptions', + // 'desktop', + // 'download', + // 'embedmeeting', + // 'etherpad', + // 'feedback', + // 'filmstrip', + // 'fullscreen', + // 'hangup', + // 'help', + // 'invite', + // 'livestreaming', + // 'microphone', + // 'mute-everyone', + // 'mute-video-everyone', + // 'participants-pane', + // 'profile', + // 'raisehand', + // 'recording', + // 'security', + // 'select-background', + // 'settings', + // 'shareaudio', + // 'sharedvideo', + // 'shortcuts', + // 'stats', + // 'tileview', + // 'toggle-camera', + // 'videoquality', + // '__end' + // ], + + // List of pre meeting screens buttons to hide. The values must be one or more of the 5 allowed buttons: + // 'microphone', 'camera', 'select-background', 'invite', 'settings' + // hiddenPremeetingButtons: [], + // Stats // 
@@ -450,12 +652,37 @@ var config = { // callStatsID: '', // callStatsSecret: '', + // The callstats initialize config params as described in the API: + // https://docs.callstats.io/docs/javascript#callstatsinitialize-with-app-secret + // callStatsConfigParams: { + // disableBeforeUnloadHandler: true, // disables callstats.js's window.onbeforeunload parameter. + // applicationVersion: "app_version", // Application version specified by the developer. + // disablePrecalltest: true, // disables the pre-call test, it is enabled by default. + // siteID: "siteID", // The name/ID of the site/campus from where the call/pre-call test is made. + // additionalIDs: { // additionalIDs object, contains application related IDs. + // customerID: "Customer Identifier. Example, walmart.", + // tenantID: "Tenant Identifier. Example, monster.", + // productName: "Product Name. Example, Jitsi.", + // meetingsName: "Meeting Name. Example, Jitsi loves callstats.", + // serverName: "Server/MiddleBox Name. Example, jvb-prod-us-east-mlkncws12.", + // pbxID: "PBX Identifier. Example, walmart.", + // pbxExtensionID: "PBX Extension Identifier. Example, 5625.", + // fqExtensionID: "Fully qualified Extension Identifier. Example, +71 (US) +5625.", + // sessionID: "Session Identifier. Example, session-12-34" + // }, + // collectLegacyStats: true, //enables the collection of legacy stats in chrome browser + // collectIP: true //enables the collection localIP address + // }, + // Enables sending participants' display names to callstats // enableDisplayNameInStats: false, // Enables sending participants' emails (if available) to callstats and other analytics // enableEmailInStats: false, + // Enables detecting faces of participants and get their expression and send it to other participants + // enableFacialRecognition: true, + // Controls the percentage of automatic feedback shown to participants when callstats is enabled. // The default value is 100%. 
If set to 0, no automatic feedback will be requested // feedbackPercentage: 100, @@ -481,12 +708,8 @@ var config = { // connection. enabled: true, - // The STUN servers that will be used in the peer to peer connections - stunServers: [ - - // { urls: 'stun:jitsi-meet.example.com:3478' }, - { urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' } - ] + // Enable unified plan implementation support on Chromium for p2p connection. + // enableUnifiedOnChrome: false, // Sets the ICE transport policy for the p2p connection. At the time // of this writing the list of possible values are 'all' and 'relay', @@ -513,10 +736,20 @@ var config = { // How long we're going to wait, before going back to P2P after the 3rd // participant has left the conference (to filter out page reload). - // backToP2PDelay: 5 + // backToP2PDelay: 5, + + // The STUN servers that will be used in the peer to peer connections + stunServers: [ + + // { urls: 'stun:jitsi-meet.example.com:3478' }, + { urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' } + ] }, analytics: { + // True if the analytics should be disabled + // disabled: false, + // The Google Analytics Tracking ID: // googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1' @@ -532,7 +765,7 @@ var config = { // module connects to the provided rtcstatsEndpoint and sends statistics regarding // PeerConnection states along with getStats metrics polled at the specified // interval. - // rtcstatsEnabled: true, + // rtcstatsEnabled: false, // In order to enable rtcstats one needs to provide a endpoint url. // rtcstatsEndpoint: wss://rtcstats-server-pilot.jitsi.net/, 
@@ -560,13 +793,43 @@ var config = { // userRegion: "asia" }, + // Array of disabled sounds. + // Possible values: + // - 'ASKED_TO_UNMUTE_SOUND' + // - 'E2EE_OFF_SOUND' + // - 'E2EE_ON_SOUND' + // - 'INCOMING_MSG_SOUND' + // - 'KNOCKING_PARTICIPANT_SOUND' + // - 'LIVE_STREAMING_OFF_SOUND' + // - 'LIVE_STREAMING_ON_SOUND' + // - 'NO_AUDIO_SIGNAL_SOUND' + // - 'NOISY_AUDIO_INPUT_SOUND' + // - 'OUTGOING_CALL_EXPIRED_SOUND' + // - 'OUTGOING_CALL_REJECTED_SOUND' + // - 'OUTGOING_CALL_RINGING_SOUND' + // - 'OUTGOING_CALL_START_SOUND' + // - 'PARTICIPANT_JOINED_SOUND' + // - 'PARTICIPANT_LEFT_SOUND' + // - 'RAISE_HAND_SOUND' + // - 'REACTION_SOUND' + // - 'RECORDING_OFF_SOUND' + // - 'RECORDING_ON_SOUND' + // - 'TALK_WHILE_MUTED_SOUND' + // disabledSounds: [], + + // DEPRECATED! Use `disabledSounds` instead. // Decides whether the start/stop recording audio notifications should play on record. // disableRecordAudioNotification: false, + // DEPRECATED! Use `disabledSounds` instead. // Disables the sounds that play when other participants join or leave the // conference (if set to true, these sounds will not be played). // disableJoinLeaveSounds: false, + // DEPRECATED! Use `disabledSounds` instead. + // Disables the sounds that play when a chat message is received. + // disableIncomingMessageSound: false, + // Information for the chrome extension banner // chromeExtensionBanner: { // // The chrome extension to be installed address @@ -587,8 +850,8 @@ var config = { // localRecording: { // Enables local recording. // Additionally, 'localrecording' (all lowercase) needs to be added to - // TOOLBAR_BUTTONS in interface_config.js for the Local Recording - // button to show up on the toolbar. + // the `toolbarButtons`-array for the Local Recording button to show up + // on the toolbar. // // enabled: true, // 
@@ -597,6 +860,10 @@ var config = { // format: 'flac' // + // }, + // e2ee: { + // labels, + // externallyManagedKey: false // }, // Options related to end-to-end (participant to participant) ping. @@ -651,7 +918,9 @@ var config = { // Options related to the remote participant menu. // remoteVideoMenu: { // // If set to true the 'Kick out' button will be disabled. - // disableKick: true + // disableKick: true, + // // If set to true the 'Grant moderator' button will be disabled. + // disableGrantModerator: true // }, // If set to true all muting operations of remote participants will be disabled. 
@@ -663,20 +932,67 @@ var config = { /** External API url used to receive branding specific information. If there is no url set or there are missing fields, the defaults are applied. + The config file should be in JSON. None of the fields are mandatory and the response must have the shape: - { - // The hex value for the colour used as background - backgroundColor: '#fff', - // The url for the image used as background - backgroundImageUrl: 'https://example.com/background-img.png', - // The anchor url used when clicking the logo image - logoClickUrl: 'https://example-company.org', - // The url used for the image used as logo - logoImageUrl: 'https://example.com/logo-img.png' - } + { + // The domain url to apply (will replace the domain in the sharing conference link/embed section) + inviteDomain: 'example-company.org, + // The hex value for the colour used as background + backgroundColor: '#fff', + // The url for the image used as background + backgroundImageUrl: 'https://example.com/background-img.png', + // The anchor url used when clicking the logo image + logoClickUrl: 'https://example-company.org', + // The url used for the image used as logo + logoImageUrl: 'https://example.com/logo-img.png', + // Overwrite for pool of background images for avatars + avatarBackgrounds: ['url(https://example.com/avatar-background-1.png)', '#FFF'], + // The lobby/prejoin screen background + premeetingBackground: 'url(https://example.com/premeeting-background.png)', + // A list of images that can be used as video backgrounds. + // When this field is present, the default images will be replaced with those provided. + virtualBackgrounds: ['https://example.com/img.jpg'], + // Object containing a theme's properties. It also supports partial overwrites of the main theme. 
+ // For a list of all possible theme tokens and their current defaults, please check: + // https://github.com/jitsi/jitsi-meet/tree/master/resources/custom-theme/custom-theme.json + // For a short explanations on each of the tokens, please check: + // https://github.com/jitsi/jitsi-meet/blob/master/react/features/base/ui/Tokens.js + // IMPORTANT!: This is work in progress so many of the various tokens are not yet applied in code + // or they are partially applied. + customTheme: { + palette: { + ui01: "orange !important", + ui02: "maroon", + surface02: 'darkgreen', + ui03: "violet", + ui04: "magenta", + ui05: "blueviolet", + field02Hover: 'red', + action01: 'green', + action01Hover: 'lightgreen', + action02Disabled: 'beige', + success02: 'cadetblue', + action02Hover: 'aliceblue' + }, + typography: { + labelRegular: { + fontSize: 25, + lineHeight: 30, + fontWeight: 500 + } + } + } + } */ // dynamicBrandingUrl: '', + // When true the user cannot add more images to be used as virtual background. + // Only the default ones from will be available. + // disableAddingBackgroundImages: false, + + // Disables using screensharing as virtual background. + // disableScreensharingVirtualBackground: false, + // Sets the background transparency level. '0' is fully transparent, '1' is opaque. // backgroundAlpha: 1, 
@@ -688,12 +1004,35 @@ var config = { // If true, tile view will not be enabled automatically when the participants count threshold is reached. // disableTileView: true, + // If true, the tiles will be displayed contained within the available space rather than enlarged to cover it. + // disableTileEnlargement: true, + + // Controls the visibility and behavior of the top header conference info labels. + // If a label's id is not in any of the 2 arrays, it will not be visible at all on the header. + // conferenceInfo: { + // // those labels will not be hidden in tandem with the toolbox. + // alwaysVisible: ['recording', 'local-recording'], + // // those labels will be auto-hidden in tandem with the toolbox buttons. + // autoHide: [ + // 'subject', + // 'conference-timer', + // 'participants-count', + // 'e2ee', + // 'transcribing', + // 'video-quality', + // 'insecure-room' + // ] + // }, + // Hides the conference subject // hideConferenceSubject: true, // Hides the conference timer. // hideConferenceTimer: true, + // Hides the recording label + // hideRecordingLabel: false, + // Hides the participants stats // hideParticipantsStats: true, @@ -705,6 +1044,13 @@ var config = { // is not persisting the local storage inside the iframe. // useHostPageLocalStorage: true, + // etherpad ("shared document") integration. + // + + // If set, add a "Open shared document" link to the bottom right menu that + // will open an etherpad document. + // etherpad_base: 'https://your-etherpad-installati.on/p/', + // List of undocumented settings used in jitsi-meet /** _immediateReloadThreshold @@ -717,8 +1063,8 @@ var config = { dialOutCodesUrl disableRemoteControl displayJids - etherpad_base externalConnectUrl + e2eeLabels firefox_fake_device googleApiApplicationClientID iAmRecorder 
@@ -760,6 +1106,11 @@ var config = { websocketKeepAliveUrl */ + /** + * Default interval (milliseconds) for triggering mouseMoved iframe API event + */ + mouseMoveCallbackInterval: 1000, + /** Use this array to configure which notifications will be shown to the user The items correspond to the title or description key of that notification @@ -793,11 +1144,19 @@ var config = { // 'lobby.notificationTitle', // shown when lobby is toggled and when join requests are allowed / denied // 'localRecording.localRecording', // shown when a local recording is started // 'notify.disconnected', // shown when a participant has left + // 'notify.connectedOneMember', // show when a participant joined + // 'notify.connectedTwoMembers', // show when two participants joined simultaneously + // 'notify.connectedThreePlusMembers', // show when more than 2 participants joined simultaneously // 'notify.grantedTo', // shown when moderator rights were granted to a participant // 'notify.invitedOneMember', // shown when 1 participant has been invited // 'notify.invitedThreePlusMembers', // shown when 3+ participants have been invited // 'notify.invitedTwoMembers', // shown when 2 participants have been invited // 'notify.kickParticipant', // shown when a participant is kicked + // 'notify.moderationStartedTitle', // shown when AV moderation is activated + // 'notify.moderationStoppedTitle', // shown when AV moderation is deactivated + // 'notify.moderationInEffectTitle', // shown when user attempts to unmute audio during AV moderation + // 'notify.moderationInEffectVideoTitle', // shown when user attempts to enable video during AV moderation + // 'notify.moderationInEffectCSTitle', // shown when user attempts to share content during AV moderation // 'notify.mutedRemotelyTitle', // shown when user is muted by a remote party // 'notify.mutedTitle', // shown when user has been muted upon joining, // 'notify.newDeviceAudioTitle', // prompts the user to use a newly detected audio device 
@@ -806,6 +1165,7 @@ var config = { // 'notify.passwordSetRemotely', // shown when a password has been set remotely // 'notify.raisedHand', // shown when a partcipant used raise hand, // 'notify.startSilentTitle', // shown when user joined with no audio + // 'notify.unmute', // shown to moderator when user raises hand during AV moderation // 'prejoin.errorDialOut', // 'prejoin.errorDialOutDisconnected', // 'prejoin.errorDialOutFailed', @@ -819,7 +1179,13 @@ var config = { // 'toolbar.noisyAudioInputTitle', // shown when noise is detected for the current microphone // 'toolbar.talkWhileMutedPopup', // shown when user tries to speak while muted // 'transcribing.failedToStart' // shown when transcribing fails to start - // ] + // ], + + // Prevent the filmstrip from autohiding when screen width is under a certain threshold + // disableFilmstripAutohiding: false, + + // Specifies whether the chat emoticons are disabled or not + // disableChatSmileys: false, // Allow all above example options to include a trailing comma and // prevent fear when commenting out the last value. diff --git a/type/__jitsi_meet_domain/files/interface_config.js.sh b/type/__jitsi_meet_domain/files/interface_config.js.sh index 2a65bfc..abcf68b 100644 --- a/type/__jitsi_meet_domain/files/interface_config.js.sh +++ b/type/__jitsi_meet_domain/files/interface_config.js.sh 
@@ -36,42 +36,13 @@ var interfaceConfig = { BRAND_WATERMARK_LINK: '', CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it - /** - * Whether the connection indicator icon should hide itself based on - * connection strength. If true, the connection indicator will remain - * displayed while the participant has a weak connection and will hide - * itself after the CONNECTION_INDICATOR_HIDE_TIMEOUT when the connection is - * strong. - * - * @type {boolean} - */ - CONNECTION_INDICATOR_AUTO_HIDE_ENABLED: true, - - /** - * How long the connection indicator should remain displayed before hiding. - * Used in conjunction with CONNECTION_INDICATOR_AUTOHIDE_ENABLED. - * - * @type {number} - */ - CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT: 5000, - - /** - * If true, hides the connection indicators completely. - * - * @type {boolean} - */ - CONNECTION_INDICATOR_DISABLED: false, DEFAULT_BACKGROUND: '#474747', - DEFAULT_LOCAL_DISPLAY_NAME: 'me', DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}', - DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster', DEFAULT_WELCOME_PAGE_LOGO_URL: '${BRANDING_WATERMARK_PATH}', DISABLE_DOMINANT_SPEAKER_INDICATOR: false, - DISABLE_FOCUS_INDICATOR: false, - /** * If true, notifications regarding joining/leaving are no longer displayed. */ @@ -127,7 +98,6 @@ var interfaceConfig = { */ HIDE_INVITE_MORE_HEADER: false, - INITIAL_TOOLBAR_TIMEOUT: 20000, JITSI_WATERMARK_LINK: 'https://jitsi.org', LANG_DETECTION: true, // Allow i18n to detect the system language 
@@ -196,10 +166,10 @@ var interfaceConfig = { SHOW_BRAND_WATERMARK: false, /** - * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting. - * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s) - * being already installed is done before rendering. - */ + * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting. + * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s) + * being already installed is done before rendering. + */ SHOW_CHROME_EXTENSION_BANNER: false, SHOW_DEEP_LINKING_IMAGE: false, @@ -213,16 +183,6 @@ var interfaceConfig = { */ SUPPORT_URL: 'https://community.jitsi.org/', - TOOLBAR_ALWAYS_VISIBLE: false, - - /** - * DEPRECATED! - * This config was moved to config.js as \`toolbarButtons\`. - */ - // TOOLBAR_BUTTONS: [], - - TOOLBAR_TIMEOUT: 4000, - // Browsers, in addition to those which do not fully support WebRTC, that // are not supported and should show the unsupported browser page. UNSUPPORTED_BROWSERS: [], 
@@ -274,19 +234,40 @@ var interfaceConfig = { */ // ANDROID_APP_PACKAGE: 'org.jitsi.meet', - /** - * Override the behavior of some notifications to remain displayed until - * explicitly dismissed through a user action. The value is how long, in - * milliseconds, those notifications should remain displayed. - */ - // ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000, - // List of undocumented settings /** INDICATOR_FONT_SIZES PHONE_NUMBER_REGEX */ + // -----------------DEPRECATED CONFIGS BELOW THIS LINE----------------------------- + + // Connection indicators ( + // CONNECTION_INDICATOR_AUTO_HIDE_ENABLED, + // CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT, + // CONNECTION_INDICATOR_DISABLED) got moved to config.js. + + // Please use disableModeratorIndicator from config.js + // DISABLE_FOCUS_INDICATOR: false, + + // Please use defaultLocalDisplayName from config.js + // DEFAULT_LOCAL_DISPLAY_NAME: 'me', + + // Please use defaultRemoteDisplayName from config.js + // DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster', + + // Moved to config.js as \`toolbarConfig.initialTimeout\`. + // INITIAL_TOOLBAR_TIMEOUT: 20000, + + // Moved to config.js as \`toolbarConfig.alwaysVisible\`. + // TOOLBAR_ALWAYS_VISIBLE: false, + + // This config was moved to config.js as \`toolbarButtons\`. + // TOOLBAR_BUTTONS: [], + + // Moved to config.js as \`toolbarConfig.timeout\`. + // TOOLBAR_TIMEOUT: 4000, + // Allow all above example options to include a trailing comma and // prevent fear when commenting out the last value. // eslint-disable-next-line sort-keys diff --git a/type/__jitsi_meet_domain/files/interface_config.js.sh.orig b/type/__jitsi_meet_domain/files/interface_config.js.sh.orig index fb8dd48..c3a76af 100644 --- a/type/__jitsi_meet_domain/files/interface_config.js.sh.orig +++ b/type/__jitsi_meet_domain/files/interface_config.js.sh.orig 
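Review bot: The removed `ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT` is the only key deleted from this generated interface_config.js that gets no entry in the new `DEPRECATED CONFIGS BELOW THIS LINE` section, so an operator who had set it is left with no pointer to a replacement, while every other dropped key (connection indicators, display names, toolbar timeouts) gets one. Judging from the `config.js.sh.orig` hunk in this same commit, its upstream successor appears to be the `notificationTimeouts` object in config.js; I would add, next to the other entries, `// Please use notificationTimeouts from config.js` followed by `// ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000,`. It would also help to state in this section which jitsi-meet release the template now tracks, since a deployment running an older release still reads the interfaceConfig keys and ignores the config.js equivalents, so these settings would be silently lost after the update rather than migrated. The `interfaceConfig` object this hunk belongs to starts and ends outside the hunk.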
@@ -25,42 +25,13 @@ var interfaceConfig = { BRAND_WATERMARK_LINK: '', CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it - /** - * Whether the connection indicator icon should hide itself based on - * connection strength. If true, the connection indicator will remain - * displayed while the participant has a weak connection and will hide - * itself after the CONNECTION_INDICATOR_HIDE_TIMEOUT when the connection is - * strong. - * - * @type {boolean} - */ - CONNECTION_INDICATOR_AUTO_HIDE_ENABLED: true, - - /** - * How long the connection indicator should remain displayed before hiding. - * Used in conjunction with CONNECTION_INDICATOR_AUTOHIDE_ENABLED. - * - * @type {number} - */ - CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT: 5000, - - /** - * If true, hides the connection indicators completely. - * - * @type {boolean} - */ - CONNECTION_INDICATOR_DISABLED: false, DEFAULT_BACKGROUND: '#474747', - DEFAULT_LOCAL_DISPLAY_NAME: 'me', DEFAULT_LOGO_URL: 'images/watermark.svg', - DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster', DEFAULT_WELCOME_PAGE_LOGO_URL: 'images/watermark.svg', DISABLE_DOMINANT_SPEAKER_INDICATOR: false, - DISABLE_FOCUS_INDICATOR: false, - /** * If true, notifications regarding joining/leaving are no longer displayed. */ @@ -116,7 +87,6 @@ var interfaceConfig = { */ HIDE_INVITE_MORE_HEADER: false, - INITIAL_TOOLBAR_TIMEOUT: 20000, JITSI_WATERMARK_LINK: 'https://jitsi.org', LANG_DETECTION: true, // Allow i18n to detect the system language 
@@ -185,10 +155,10 @@ var interfaceConfig = { SHOW_BRAND_WATERMARK: false, /** - * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting. - * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s) - * being already installed is done before rendering. - */ + * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting. + * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s) + * being already installed is done before rendering. + */ SHOW_CHROME_EXTENSION_BANNER: false, SHOW_DEEP_LINKING_IMAGE: false, @@ -202,16 +172,6 @@ var interfaceConfig = { */ SUPPORT_URL: 'https://community.jitsi.org/', - TOOLBAR_ALWAYS_VISIBLE: false, - - /** - * DEPRECATED! - * This config was moved to config.js as `toolbarButtons`. - */ - // TOOLBAR_BUTTONS: [], - - TOOLBAR_TIMEOUT: 4000, - // Browsers, in addition to those which do not fully support WebRTC, that // are not supported and should show the unsupported browser page. UNSUPPORTED_BROWSERS: [], 
@@ -263,19 +223,40 @@ var interfaceConfig = { */ // ANDROID_APP_PACKAGE: 'org.jitsi.meet', - /** - * Override the behavior of some notifications to remain displayed until - * explicitly dismissed through a user action. The value is how long, in - * milliseconds, those notifications should remain displayed. - */ - // ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000, - // List of undocumented settings /** INDICATOR_FONT_SIZES PHONE_NUMBER_REGEX */ + // -----------------DEPRECATED CONFIGS BELOW THIS LINE----------------------------- + + // Connection indicators ( + // CONNECTION_INDICATOR_AUTO_HIDE_ENABLED, + // CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT, + // CONNECTION_INDICATOR_DISABLED) got moved to config.js. + + // Please use disableModeratorIndicator from config.js + // DISABLE_FOCUS_INDICATOR: false, + + // Please use defaultLocalDisplayName from config.js + // DEFAULT_LOCAL_DISPLAY_NAME: 'me', + + // Please use defaultRemoteDisplayName from config.js + // DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster', + + // Moved to config.js as `toolbarConfig.initialTimeout`. + // INITIAL_TOOLBAR_TIMEOUT: 20000, + + // Moved to config.js as `toolbarConfig.alwaysVisible`. + // TOOLBAR_ALWAYS_VISIBLE: false, + + // This config was moved to config.js as `toolbarButtons`. + // TOOLBAR_BUTTONS: [], + + // Moved to config.js as `toolbarConfig.timeout`. + // TOOLBAR_TIMEOUT: 4000, + // Allow all above example options to include a trailing comma and // prevent fear when commenting out the last value. // eslint-disable-next-line sort-keys diff --git a/type/__jitsi_meet_domain/files/nginx.sh b/type/__jitsi_meet_domain/files/nginx.sh index 8b124e2..6e874c1 100644 --- a/type/__jitsi_meet_domain/files/nginx.sh +++ b/type/__jitsi_meet_domain/files/nginx.sh 
@@ -2,6 +2,14 @@ # shellcheck disable=SC2034 # This is intended to be included JITSI_NGINX_CONFIG="$(cat < Date: Thu, 23 Dec 2021 10:46:21 +0100 Subject: [PATCH 30/81] __matrix_synapse: add --saml2-sp-key and --saml2-sp-cert flags --- type/__matrix_synapse/files/homeserver.yaml.sh | 7 +++++++ type/__matrix_synapse/man.rst | 6 ++++++ type/__matrix_synapse/manifest | 18 ++++++++++++++++++ type/__matrix_synapse/parameter/optional | 2 ++ 4 files changed, 33 insertions(+) diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh index 2e7670e..f0df206 100755 --- a/type/__matrix_synapse/files/homeserver.yaml.sh +++ b/type/__matrix_synapse/files/homeserver.yaml.sh @@ -1727,6 +1727,13 @@ if [ -n "$SAML2_IDP_METADATA_URL" ]; then EOF fi +if [ -n "$SAML2_SP_CERT" ] || [ -n "$SAML2_SP_KEY" ]; then + cat << EOF + key_file: "$SAML2_SP_KEY" + cert_file: "$SAML2_SP_CERT" +EOF +fi + cat << EOF # Allowed clock difference in seconds between the homeserver and IdP. # diff --git a/type/__matrix_synapse/man.rst b/type/__matrix_synapse/man.rst index c368755..125a9ac 100644 --- a/type/__matrix_synapse/man.rst +++ b/type/__matrix_synapse/man.rst @@ -192,6 +192,12 @@ bind-address saml2-idp-metadata-url HTTP(S) url to SAML2 Identity Provider (IdP), used for Single Sign On (SSO) logic. +saml2-sp-key + Path to PEM-formatted key file for use by PySAML2. + +saml2-sp-cert + Path to PEM-formatted cert file for use by PySAML2. + extra-setting Arbitrary string to be added to the configuration file. Can be specified multiple times. diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index 8ba9152..078d395 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest 
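Review bot: `if [ -n "$SAML2_SP_CERT" ] || [ -n "$SAML2_SP_KEY" ]` emits both `key_file` and `cert_file` as soon as either variable is set, so a run where only one of them is exported writes an empty path for the other. The manifest in this commit rejects that combination, but the template should not depend on it; `if [ -n "$SAML2_SP_CERT" ] && [ -n "$SAML2_SP_KEY" ]; then` keeps the two keys in step with the manifest's contract. The values are interpolated inside YAML double quotes, so a path containing `"` or `\` would break the generated file; that is operator-controlled, but a one-line comment above the block saying the paths are written verbatim would help.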
@@ -200,6 +200,24 @@ if [ -f "$__object/parameter/saml2-idp-metadata-url" ]; then
     export SAML2_IDP_METADATA_URL
 fi
 
+if [ -f "$__object/parameter/saml2-sp-key" ]; then
+    SAML2_SP_KEY=$(cat "$__object/parameter/saml2-sp-key")
+    export SAML2_SP_KEY
+fi
+
+if [ -f "$__object/parameter/saml2-sp-cert" ]; then
+    SAML2_SP_CERT=$(cat "$__object/parameter/saml2-sp-cert")
+    export SAML2_SP_CERT
+fi
+
+if [ -n "$SAML2_SP_KEY" ] && [ -z "$SAML2_SP_CERT" ]; then
+    echo "--saml2-sp-cert must be set if --saml2-sp-key is provided." >&2
+    exit 1
+elif [ -n "$SAML2_SP_CERT" ] && [ -z "$SAML2_SP_KEY" ]; then
+    echo "--saml2-sp-key must be set if --saml2-sp-cert is provided." >&2
+    exit 1
+fi
+
 if [ -f "$__object/parameter/default-identity-server" ]; then
     DEFAULT_IDENTITY_SERVER=$(cat "$__object/parameter/default-identity-server")
     export DEFAULT_IDENTITY_SERVER
diff --git a/type/__matrix_synapse/parameter/optional b/type/__matrix_synapse/parameter/optional
index 599e00b..be44ca7 100644
--- a/type/__matrix_synapse/parameter/optional
+++ b/type/__matrix_synapse/parameter/optional
@@ -37,4 +37,6 @@ tls-cert
 tls-private-key
 registration-shared-secret
 saml2-idp-metadata-url
+saml2-sp-key
+saml2-sp-cert
 default-identity-server

From afe76af6792d260edc8f082188550a5431a36ed8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?=
Date: Thu, 23 Dec 2021 12:30:58 +0100
Subject: [PATCH 31/81] __matterbridge: add support for ubuntu, fix configuration via STDIN

---
 type/__matterbridge/manifest | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/type/__matterbridge/manifest b/type/__matterbridge/manifest
index ef02112..2b5738b 100755
--- a/type/__matterbridge/manifest
+++ b/type/__matterbridge/manifest
@@ -20,7 +20,7 @@ os=$(cat "$__global/explorer/os")
 case "$os" in
-    debian)
+    debian|ubuntu)
         # This type assume systemd for service installation.
         ;;
     *)
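Review bot: The new `--saml2-sp-key` / `--saml2-sp-cert` handling only checks that both values are present; the paths are written into homeserver.yaml and never checked on the target, so a missing or unreadable key file surfaces only when synapse fails to start. Because `key_file` is a private key, the man.rst entries added in this commit should state that the files must already exist on the target and be readable by the synapse user only, e.g. `Path to PEM-formatted key file for use by PySAML2. The file must already exist on the target, owned by the synapse user with mode 0600; this type does not deploy it.` The `-n` tests also mean `--saml2-sp-key ''` is treated as not given, which is acceptable but worth a short comment next to the check.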
@@ -31,11 +31,13 @@ case "$os" in esac # Required parameters. -VERSION=$(cat "$__object/parameter/version") +version=$(cat "$__object/parameter/version") if [ -f "$__object/parameter/config" ]; then - CONFIG="$(cat "$__object/parameter/config")" - if [ "$CONFIG" = "-" ]; then - CONFIG=$(cat "$__object/stdin") + config="$(cat "$__object/parameter/config")" + if [ "$config" = "-" ]; then + mkdir -p "$__object/files" + config="$__object/files/matterbridge.toml" + cat "$__object/stdin" > "$config" fi fi @@ -46,11 +48,11 @@ export USER=matterbridge export GROUP=$USER # Internal variables. -artefact="matterbridge-$VERSION-linux-64bit" +artefact="matterbridge-$version-linux-64bit" checksum_file="checksums.txt" release_download_url=https://github.com/42wim/matterbridge/releases/download -binary_url="$release_download_url/v$VERSION/$artefact" -checksum_file_url="$release_download_url/v$VERSION/$checksum_file" +binary_url="$release_download_url/v$version/$artefact" +checksum_file_url="$release_download_url/v$version/$checksum_file" config_dir=$(dirname $CONFIG_PATH) systemd_unit_path='/etc/systemd/system/matterbridge.service' @@ -88,7 +90,7 @@ require="__user/$USER" __directory "$config_dir" \ require="__directory/$config_dir" __file "$CONFIG_PATH" \ --owner "$USER" \ --mode 0640 \ - --source "$CONFIG" + --source "$config" __file "$systemd_unit_path" \ --source "$__object/files/matterbridge.service" From c4667331118807df4adb47de8ff87bdae7cbff43 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Fri, 7 Jan 2022 11:42:13 +0100 Subject: [PATCH 32/81] __matrix_synapse: add --enable-3pid-lookups flag, normalize indentation --- .../__matrix_synapse/files/homeserver.yaml.sh | 2 +- type/__matrix_synapse/man.rst | 3 + type/__matrix_synapse/manifest | 68 ++++++++++--------- type/__matrix_synapse/parameter/boolean | 1 + 4 files changed, 42 insertions(+), 32 deletions(-) 
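Review bot: `cat "$__object/stdin" > "$config"` stages the configuration under `$__object/files` with whatever mode the umask yields, while the same content is installed on the target with `--mode 0640` in the last hunk, which indicates it is not meant to be world-readable; add `umask 077` before the redirect or `chmod 0600 "$config"` after it so the local copy gets the same protection. If `--config -` is given but `$__object/stdin` is absent, `cat` fails with a generic message; a guard such as `[ -f "$__object/stdin" ] || { echo "--config - requires the configuration on stdin." >&2; exit 1; }` is clearer. `$config` is only assigned inside the `if [ -f "$__object/parameter/config" ]` block, so `--source "$config"` in the last hunk expands to an empty string when the parameter is absent; this was already the case with `$CONFIG` before the rename, but it deserves a comment or a default.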
diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh index f0df206..6437f1b 100755 --- a/type/__matrix_synapse/files/homeserver.yaml.sh +++ b/type/__matrix_synapse/files/homeserver.yaml.sh @@ -1334,7 +1334,7 @@ fi cat << EOF # Enable 3PIDs lookup requests to identity servers from this server. # -#enable_3pid_lookup: true +enable_3pid_lookup: ${ENABLE_3PID_LOOKUPS:?} # If set, allows registration of standard or admin accounts by anyone who # has the shared secret, even if registration is otherwise disabled. diff --git a/type/__matrix_synapse/man.rst b/type/__matrix_synapse/man.rst index 125a9ac..dbcc993 100644 --- a/type/__matrix_synapse/man.rst +++ b/type/__matrix_synapse/man.rst @@ -239,6 +239,9 @@ allow-public-rooms-without-auth enable-server-notices Enable the server notices room. +enable-3pid-lookups + Enable 3PIDs lookup requests to identity servers from this server. + allow-guest-access Allows users to register as guests without a password/email/etc, and participate in rooms hosted on this server which have been made accessible diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index 078d395..70232a8 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest @@ -37,7 +37,7 @@ case "$os" in --uri https://packages.matrix.org/debian/ \ --component main package_req="__apt_source/matrix-org" - ;; + ;; alpine) synapse_user=synapse synapse_pkg=synapse @@ -96,7 +96,7 @@ export SERVER_NAME BASE_URL REPORT_STATS MAX_UPLOAD_SIZE EXPOSE_METRICS \ WEB_CLIENT_URL ROOM_ENCRYPTION_POLICY BIND_ADDRESSES if [ -f "$__object/parameter/enable-server-notices" ]; then - export ENABLE_SERVER_NOTICES=1 + export ENABLE_SERVER_NOTICES=1 fi # TLS. 
@@ -178,51 +178,57 @@ if [ -f "$__object/parameter/registration-shared-secret" ]; then fi if [ -f "$__object/parameter/registration-requires-email" ]; then - export REGISTRATION_REQUIRES_EMAIL=1 + export REGISTRATION_REQUIRES_EMAIL=1 fi if [ -f "$__object/parameter/auto-join-room" ]; then - AUTO_JOIN_ROOMS="$(cat "$__object/parameter/auto-join-room")" - export AUTO_JOIN_ROOMS + AUTO_JOIN_ROOMS="$(cat "$__object/parameter/auto-join-room")" + export AUTO_JOIN_ROOMS fi if [ -f "$__object/parameter/registration-allows-email-pattern" ]; then - RESGISTRATION_ALLOWS_EMAIL_PATTERN=$(cat "$__object/parameter/registration-allows-email-pattern") - export RESGISTRATION_ALLOWS_EMAIL_PATTERN + RESGISTRATION_ALLOWS_EMAIL_PATTERN=$(cat "$__object/parameter/registration-allows-email-pattern") + export RESGISTRATION_ALLOWS_EMAIL_PATTERN fi if [ -f "$__object/parameter/saml2-idp-metadata-url" ]; then - # Synapse fails to start while trying to parse IDP metadata if this package - # is not installed. - __package xmlsec1 + # Synapse fails to start while trying to parse IDP metadata if this package + # is not installed. + __package xmlsec1 - SAML2_IDP_METADATA_URL=$(cat "$__object/parameter/saml2-idp-metadata-url") - export SAML2_IDP_METADATA_URL + SAML2_IDP_METADATA_URL=$(cat "$__object/parameter/saml2-idp-metadata-url") + export SAML2_IDP_METADATA_URL fi if [ -f "$__object/parameter/saml2-sp-key" ]; then - SAML2_SP_KEY=$(cat "$__object/parameter/saml2-sp-key") - export SAML2_SP_KEY + SAML2_SP_KEY=$(cat "$__object/parameter/saml2-sp-key") + export SAML2_SP_KEY fi if [ -f "$__object/parameter/saml2-sp-cert" ]; then - SAML2_SP_CERT=$(cat "$__object/parameter/saml2-sp-cert") - export SAML2_SP_CERT + SAML2_SP_CERT=$(cat "$__object/parameter/saml2-sp-cert") + export SAML2_SP_CERT fi if [ -n "$SAML2_SP_KEY" ] && [ -z "$SAML2_SP_CERT" ]; then - echo "--saml2-sp-cert must be set if --saml2-sp-key is provided." >&2 - exit 1 + echo "--saml2-sp-cert must be set if --saml2-sp-key is provided." 
>&2 + exit 1 elif [ -n "$SAML2_SP_CERT" ] && [ -z "$SAML2_SP_KEY" ]; then - echo "--saml2-sp-key must be set if --saml2-sp-cert is provided." >&2 - exit 1 + echo "--saml2-sp-key must be set if --saml2-sp-cert is provided." >&2 + exit 1 fi if [ -f "$__object/parameter/default-identity-server" ]; then - DEFAULT_IDENTITY_SERVER=$(cat "$__object/parameter/default-identity-server") - export DEFAULT_IDENTITY_SERVER + DEFAULT_IDENTITY_SERVER=$(cat "$__object/parameter/default-identity-server") + export DEFAULT_IDENTITY_SERVER fi +ENABLE_3PID_LOOKUPS='false' +if [ -f "$__object/parameter/enable-3pid-lookup" ]; then + ENABLE_3PID_LOOKUPS='true' +fi +export ENABLE_3PID_LOOKUPS + # Federation. ALLOW_PUBLIC_ROOMS_OVER_FEDERATION=$(get_boolean_for 'allow-public-room-over-federation') ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH=$(get_boolean_for 'allow-public-rooms-without-auth') @@ -321,16 +327,16 @@ export ENABLE_REPLICATION ENABLE_REDIS_SUPPORT WORKER_REPLICATION_SECRET \ case "$DATABASE_ENGINE" in sqlite3) : - ;; + ;; psycopg2) when='database engine is psycopg2' is_required_when "$DATABASE_HOST" '--database-host' "$when" is_required_when "$DATABASE_USER" '--database-user' "$when" - ;; + ;; *) echo "Invalid database engine: $DATABASE_ENGINE." >&2 exit 1 - ;; + ;; esac @@ -348,13 +354,13 @@ mkdir -p "$__object/files" "$__type/files/log.config.sh" > "$__object/files/log.config" require="$synapse_req" __file "$synapse_conf_dir/homeserver.yaml" \ - --owner $synapse_user \ - --mode 600 \ - --source "$__object/files/homeserver.yaml" + --owner $synapse_user \ + --mode 600 \ + --source "$__object/files/homeserver.yaml" require="$synapse_req" __file "$LOG_CONFIG_PATH" \ - --owner $synapse_user \ - --mode 600 \ - --source "$__object/files/log.config" + --owner $synapse_user \ + --mode 600 \ + --source "$__object/files/log.config" for directory in $DATA_DIR $LOG_DIR; do require="$synapse_req" __directory $directory \ 
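Review bot: The new `ENABLE_3PID_LOOKUPS` block hand-rolls a `'false'`/`'true'` string although the manifest already has a helper for this, visible a few lines below as `ALLOW_PUBLIC_ROOMS_OVER_FEDERATION=$(get_boolean_for 'allow-public-room-over-federation')`; assuming the helper yields the same strings, `ENABLE_3PID_LOOKUPS=$(get_boolean_for 'enable-3pid-lookups')` followed by `export ENABLE_3PID_LOOKUPS` keeps the style consistent. The file tested here is `parameter/enable-3pid-lookup`, while the boolean registered in parameter/boolean in the same commit is `enable-3pid-lookups`, so the flag is not honoured by this commit; calling the helper with the registered name avoids that class of typo. The remainder of this hunk, and the two hunks that follow it, are indentation-only changes. The hunk begins on the previous line.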
diff --git a/type/__matrix_synapse/parameter/boolean b/type/__matrix_synapse/parameter/boolean index 7ff48de..ac87271 100644 --- a/type/__matrix_synapse/parameter/boolean +++ b/type/__matrix_synapse/parameter/boolean @@ -17,3 +17,4 @@ user-directory-search-all-users enable-message-retention-policy worker-mode enable-url-preview +enable-3pid-lookups From 023206d3d920e3f12de4a57816977c6f38dc6f28 Mon Sep 17 00:00:00 2001 From: Joachim Desroches Date: Mon, 4 Oct 2021 11:47:19 +0200 Subject: [PATCH 33/81] borg-repo: add ubuntu as supported OS. --- type/__borg_repo/manifest | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/type/__borg_repo/manifest b/type/__borg_repo/manifest index 968066d..4e4d35e 100644 --- a/type/__borg_repo/manifest +++ b/type/__borg_repo/manifest @@ -3,7 +3,7 @@ os="$(cat "${__global:?}"/explorer/os)" case "$os" in - "alpine") + "alpine"|"ubuntu") borg_package=borgbackup ;; *) @@ -17,3 +17,4 @@ if [ -f "${__object:?}/parameter/owner" ]; then __package sudo fi + From eecb2b4629d36fd971aa5456df8dedbddf3f19e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Tue, 11 Jan 2022 16:12:06 +0100 Subject: [PATCH 34/81] __bird_ospf: ass -extra-area-configuration parameter --- type/__bird_ospf/man.rst | 13 +++++++------ type/__bird_ospf/manifest | 17 +++++++++++++++++ type/__bird_ospf/parameter/optional | 1 + type/__bird_ospf/parameter/optional_multiple | 1 + type/__bird_ospf/parameter/required_multiple | 1 - 5 files changed, 26 insertions(+), 7 deletions(-) delete mode 100644 type/__bird_ospf/parameter/required_multiple diff --git a/type/__bird_ospf/man.rst b/type/__bird_ospf/man.rst index f3f4c9a..66c2e4a 100644 --- a/type/__bird_ospf/man.rst +++ b/type/__bird_ospf/man.rst 
@@ -24,12 +24,6 @@ import export The keyword or filter to decide what to export in the above channel. - -REQUIRED MULTIPLE PARAMETERS ----------------------------- -interface - An interface to include in OSPF area 0. - OPTIONAL PARAMETERS ------------------- description @@ -39,12 +33,19 @@ instance-id An OSPF instance ID, allowing several OSPF instances to run on the same links. +extra-area-configuration + Configuration string added to the `area` section of the OSPF configuration. + OPTIONAL MULTIPLE PARAMETERS ---------------------------- stubnet Add an optionless stubnet definition to the configuration. +interface + An interface to include in OSPF area 0. Is required unless + extra-area-configuration is set. + SEE ALSO -------- cdist-type__bird_core(7) diff --git a/type/__bird_ospf/manifest b/type/__bird_ospf/manifest index 211e91d..68d9c16 100755 --- a/type/__bird_ospf/manifest +++ b/type/__bird_ospf/manifest @@ -44,6 +44,21 @@ then instance_id="$(cat "${__object:?}/parameter/instance-id")" fi +extra_area_configuration= +if [ -f "${__object:?}/parameter/extra-area-configuration" ]; +then + extra_area_configuration="$(cat "${__object:?}/parameter/extra-area-configuration")" + + if [ "$extra_area_configuration" = "-" ]; then + extra_area_configuration=$(cat "$__object/stdin") + fi +fi + +if [ ! -f "${__object:?}/parameter/interface" ] && [ -z "$extra_area_configuration" ]; then + echo "Either --interface or --extra-area-configuration must be set." >&2 + exit 1 +fi + __file "${confdir:?}/ospf-${__object_id:?}.conf" \ --mode 0640 --owner root --group bird \ --source - << EOF @@ -59,6 +74,8 @@ $([ -n "${instance_id?}" ] && printf "\tinstance id %s;\n" "${instance_id?}") area 0 { $(sed -e 's/^/\t\tinterface "/' -e 's/$/";/' "${__object:?}/parameter/interface") $(sed -e 's/^/\t\tsubnet /' -e 's/$/;/' "${__object:?}/parameter/subnet") + + $extra_area_configuration }; } EOF 
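Review bot: `--interface` becomes optional in this commit, but the second manifest hunk still runs `sed ... "${__object:?}/parameter/interface"` unconditionally inside the heredoc; when only `--extra-area-configuration` is given the file does not exist, sed prints an error, and since a failing command substitution inside a heredoc does not abort the script even under `sh -e`, the config is written while a spurious error is logged. Guard it: `$([ -f "${__object:?}/parameter/interface" ] && sed -e 's/^/\t\tinterface "/' -e 's/$/";/' "${__object:?}/parameter/interface")`. The stdin read in the first hunk uses bare `$__object` while every other reference in the file uses `${__object:?}`; `$(cat "${__object:?}/stdin")` keeps it consistent. The extra configuration is interpolated verbatim into the generated bird config, which is the intent, and a one-line comment above the assignment saying so would help the next reader.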
diff --git a/type/__bird_ospf/parameter/optional b/type/__bird_ospf/parameter/optional index cf6dd53..880f228 100644 --- a/type/__bird_ospf/parameter/optional +++ b/type/__bird_ospf/parameter/optional @@ -1,2 +1,3 @@ description instance-id +extra-area-configuration diff --git a/type/__bird_ospf/parameter/optional_multiple b/type/__bird_ospf/parameter/optional_multiple index ed3f25a..8e5902d 100644 --- a/type/__bird_ospf/parameter/optional_multiple +++ b/type/__bird_ospf/parameter/optional_multiple @@ -1 +1,2 @@ stubnet +interface diff --git a/type/__bird_ospf/parameter/required_multiple b/type/__bird_ospf/parameter/required_multiple deleted file mode 100644 index b529896..0000000 --- a/type/__bird_ospf/parameter/required_multiple +++ /dev/null @@ -1 +0,0 @@ -interface From b2c1fee672f3246963341e90ebf47888a46bbde0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Wed, 12 Jan 2022 16:21:17 +0100 Subject: [PATCH 35/81] __matrix_synapse: add --saml2-mapping-provider-module flag --- type/__matrix_synapse/files/homeserver.yaml.sh | 8 ++++++++ type/__matrix_synapse/man.rst | 3 +++ type/__matrix_synapse/manifest | 5 +++++ type/__matrix_synapse/parameter/optional | 1 + 4 files changed, 17 insertions(+) diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh index 6437f1b..be924d3 100755 --- a/type/__matrix_synapse/files/homeserver.yaml.sh +++ b/type/__matrix_synapse/files/homeserver.yaml.sh @@ -1808,7 +1808,15 @@ cat << EOF # The custom module's class. Uncomment to use a custom module. # #module: mapping_provider.SamlMappingProvider +EOF +if [ -n "$SAML2_MAPPING_PROVIDER_MODULE" ]; then + cat << EOF + module: "$SAML2_MAPPING_PROVIDER_MODULE" +EOF +fi + +cat << EOF # Custom configuration values for the module. Below options are # intended for the built-in provider, they should be changed if # using a custom module. This section will be passed as a Python 
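Review bot: The added `module:` line is emitted with a two-space indent next to the column-0 `#module:` example inside the same heredoc; YAML nesting is significant and the hunk does not show the enclosing `user_mapping_provider:` key, so please confirm the indent places it under that key rather than at the `saml2_config` level. Since synapse imports whatever module name is given here and executes it in-process, the man.rst entry added in this commit should say the module must already be installed on the target and importable by the synapse user, as this type does not deploy it; suggested wording: `Name of a custom Python module used to map SAML2 attributes to synapse internals. It must be installed on the target and importable by synapse; it runs with synapse's privileges.`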
diff --git a/type/__matrix_synapse/man.rst b/type/__matrix_synapse/man.rst index dbcc993..ace5ce0 100644 --- a/type/__matrix_synapse/man.rst +++ b/type/__matrix_synapse/man.rst @@ -198,6 +198,9 @@ saml2-sp-key saml2-sp-cert Path to PEM-formatted cert file for use by PySAML2. +saml2-mapping-provider-module + Name of custom Python module used to map SAML2 attributes to synapse internals. + extra-setting Arbitrary string to be added to the configuration file. Can be specified multiple times. diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index 70232a8..12f27ff 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest @@ -210,6 +210,11 @@ if [ -f "$__object/parameter/saml2-sp-cert" ]; then export SAML2_SP_CERT fi +if [ -f "$__object/parameter/saml2-mapping-provider-module" ]; then + SAML2_MAPPING_PROVIDER_MODULE=$(cat "$__object/parameter/saml2-mapping-provider-module") + export SAML2_MAPPING_PROVIDER_MODULE +fi + if [ -n "$SAML2_SP_KEY" ] && [ -z "$SAML2_SP_CERT" ]; then echo "--saml2-sp-cert must be set if --saml2-sp-key is provided." >&2 exit 1 diff --git a/type/__matrix_synapse/parameter/optional b/type/__matrix_synapse/parameter/optional index be44ca7..2e265e9 100644 --- a/type/__matrix_synapse/parameter/optional +++ b/type/__matrix_synapse/parameter/optional @@ -40,3 +40,4 @@ saml2-idp-metadata-url saml2-sp-key saml2-sp-cert default-identity-server +saml2-mapping-provider-module From 35e147752135e97f2e1873ba49c8d6d1aed5470a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Wed, 12 Jan 2022 16:21:46 +0100 Subject: [PATCH 36/81] __matrix_synapse: fix ignored --enable-3pid-lookups flag --- type/__matrix_synapse/manifest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index 12f27ff..3d62a13 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest 
@@ -229,7 +229,7 @@ if [ -f "$__object/parameter/default-identity-server" ]; then
 fi
 ENABLE_3PID_LOOKUPS='false'
-if [ -f "$__object/parameter/enable-3pid-lookup" ]; then
+if [ -f "$__object/parameter/enable-3pid-lookups" ]; then
     ENABLE_3PID_LOOKUPS='true'
 fi
 export ENABLE_3PID_LOOKUPS
 

From c198a74a34e7307426b80e91186d4668d8da7d87 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?=
Date: Wed, 12 Jan 2022 16:22:21 +0100
Subject: [PATCH 37/81] __matrix_element: add --identity_server_url flag

---
 type/__matrix_element/files/config.json.sh | 2 +-
 type/__matrix_element/man.rst              | 6 ++++++
 type/__matrix_element/manifest             | 1 +
 type/__matrix_element/parameter/optional   | 1 +
 4 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/type/__matrix_element/files/config.json.sh b/type/__matrix_element/files/config.json.sh
index 9791f38..30ba9e7 100755
--- a/type/__matrix_element/files/config.json.sh
+++ b/type/__matrix_element/files/config.json.sh
@@ -52,7 +52,7 @@ cat << EOF
             "server_name": "$DEFAULT_SERVER_NAME"
         },
         "m.identity_server": {
-            "base_url": "https://vector.im"
+            "base_url": "$IDENTITY_SERVER_URL"
         }
     },
     "brand": "$BRAND",
diff --git a/type/__matrix_element/man.rst b/type/__matrix_element/man.rst
index 05f0685..c91379f 100644
--- a/type/__matrix_element/man.rst
+++ b/type/__matrix_element/man.rst
@@ -27,6 +27,12 @@ default_server_name
 default_server_url
   URL of matrix homeserver to connect to, defaults to 'https://matrix-client.matrix.org'.
 
+identity_server_url
+  URL of matrix identity server to connect to, defaults to 'https://vector.im'.
+  See element documentation
+  `_`
+  for details.
+
 owner
   Owner of the deployed files, passed to `chown`. Defaults to 'root'.
 
diff --git a/type/__matrix_element/manifest b/type/__matrix_element/manifest
index 544bd96..292cefd 100755
--- a/type/__matrix_element/manifest
+++ b/type/__matrix_element/manifest
@@ -25,6 +25,7 @@ INSTALL_DIR=$(cat "$__object/parameter/install_dir") export DEFAULT_SERVER_NAME=$(cat "$__object/parameter/default_server_name") export DEFAULT_SERVER_URL=$(cat "$__object/parameter/default_server_url") +export IDENTITY_SERVER_URL=$(cat "$__object/parameter/identity_server_url") export BRAND=$(cat "$__object/parameter/brand") export DEFAULT_COUNTRY_CODE=$(cat "$__object/parameter/default_country_code") export ROOM_DIRECTORY_SERVERS=$(cat "$__object/parameter/room_directory_servers") diff --git a/type/__matrix_element/parameter/optional b/type/__matrix_element/parameter/optional index 21a2faf..65a142b 100644 --- a/type/__matrix_element/parameter/optional +++ b/type/__matrix_element/parameter/optional @@ -1,5 +1,6 @@ default_server_url default_server_name +identity_server_url brand default_country_code privacy_policy_url From 974e42e20e00a7e1dcf26d40aef5cc1aa34365df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Sun, 16 Jan 2022 12:41:03 +0100 Subject: [PATCH 38/81] __matrix_synapse: add --saml2-mapping-provider-extra-settings flag --- type/__matrix_synapse/files/homeserver.yaml.sh | 11 +++++++++++ type/__matrix_synapse/man.rst | 4 ++++ type/__matrix_synapse/manifest | 5 +++++ type/__matrix_synapse/parameter/optional_multiple | 1 + 4 files changed, 21 insertions(+) diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh index be924d3..d8e6653 100755 --- a/type/__matrix_synapse/files/homeserver.yaml.sh +++ b/type/__matrix_synapse/files/homeserver.yaml.sh @@ -1846,6 +1846,17 @@ cat << EOF # value will be used instead. # #mxid_mapping: dotreplace +EOF + +if [ -n "$SAML2_MAPPING_PROVIDER_EXTRA_CONFIG" ]; then + echo "$SAML2_MAPPING_PROVIDER_EXTRA_CONFIG" | while IFS= read -r entry; do + cat << EOF + $entry +EOF + done +fi + +cat << EOF # In previous versions of synapse, the mapping from SAML attribute to # MXID was always calculated dynamically rather than stored in a 
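Review bot: `export IDENTITY_SERVER_URL=$(cat "$__object/parameter/identity_server_url")` reads the parameter unconditionally, but this commit registers `identity_server_url` as optional without adding a `parameter/default/identity_server_url` file, and `export VAR=$(cmd)` masks the exit status of `cat`, so when the flag is absent the manifest continues and config.json gets `"base_url": ""` instead of the `https://vector.im` default promised in man.rst. Add `parameter/default/identity_server_url` containing `https://vector.im`, or guard the read with `[ -f "$__object/parameter/identity_server_url" ]` and fall back to that value. The empty `parameter/default/identity_server` file added later in this series does not fix it, since the name differs. Assigning first and exporting on a separate line, `IDENTITY_SERVER_URL=$(cat ...)` then `export IDENTITY_SERVER_URL`, would also stop hiding a failed `cat`; the surrounding context lines have the same pattern.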
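Review bot: `echo "$SAML2_MAPPING_PROVIDER_EXTRA_CONFIG" | while ...` passes operator-supplied text as the argument of `echo`, whose treatment of backslashes and of a leading `-n`/`-e` differs between shells (dash expands `\n`); `printf '%s\n' "$SAML2_MAPPING_PROVIDER_EXTRA_CONFIG" | while IFS= read -r entry; do` reproduces the value byte-for-byte. Each entry is then written verbatim under a fixed two-space indent, so any value that is not a single-line `key: value` pair silently corrupts the generated YAML; a comment stating that expectation next to the loop, mirrored in man.rst, would make the contract explicit. The per-line `cat << EOF` can be replaced by one `printf '%s\n' "$SAML2_MAPPING_PROVIDER_EXTRA_CONFIG" | sed 's/^/  /'`, which is shorter and avoids a heredoc per entry.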
diff --git a/type/__matrix_synapse/man.rst b/type/__matrix_synapse/man.rst index ace5ce0..7da9282 100644 --- a/type/__matrix_synapse/man.rst +++ b/type/__matrix_synapse/man.rst @@ -201,6 +201,10 @@ saml2-sp-cert saml2-mapping-provider-module Name of custom Python module used to map SAML2 attributes to synapse internals. +saml2-mapping-provider-extra-settings + Extra YAML-formatted key/pair values provided as configuration to the SAML2 + mapping provider module (e.g. 'key: value'). Can be specified multiple times. + extra-setting Arbitrary string to be added to the configuration file. Can be specified multiple times. diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index 3d62a13..5a9871d 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest @@ -215,6 +215,11 @@ if [ -f "$__object/parameter/saml2-mapping-provider-module" ]; then export SAML2_MAPPING_PROVIDER_MODULE fi +if [ -f "$__object/parameter/saml2-mapping-provider-extra-config" ]; then + SAML2_MAPPING_PROVIDER_EXTRA_CONFIG=$(cat "$__object/parameter/saml2-mapping-provider-extra-config") + export SAML2_MAPPING_PROVIDER_EXTRA_CONFIG +fi + if [ -n "$SAML2_SP_KEY" ] && [ -z "$SAML2_SP_CERT" ]; then echo "--saml2-sp-cert must be set if --saml2-sp-key is provided." >&2 exit 1 diff --git a/type/__matrix_synapse/parameter/optional_multiple b/type/__matrix_synapse/parameter/optional_multiple index 8871dd6..dfd69cb 100644 --- a/type/__matrix_synapse/parameter/optional_multiple +++ b/type/__matrix_synapse/parameter/optional_multiple @@ -5,3 +5,4 @@ app-service-config-file extra-setting bind-address outbound-federation-worker +saml2-mapping-provider-extra-config From 723d7ed2508d386fc4605fafbcec6843d98d07d1 Mon Sep 17 00:00:00 2001 
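Review bot: The parameter read here, `parameter/saml2-mapping-provider-extra-config`, matches the name registered in parameter/optional_multiple, but man.rst in the same commit documents the flag as `saml2-mapping-provider-extra-settings` (the commit title uses that spelling too), so the documented option does not exist; align one side or the other. The multiple-value parameter file holds one entry per line, which the template relies on when it loops over lines, and a comment such as `# One YAML key/value pair per line; interpolated verbatim into the mapping provider config.` above the `if` would record that contract where the value is read.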
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Sun, 16 Jan 2022 14:14:42 +0100 Subject: [PATCH 39/81] __matrix_element: add more branding parameters --- type/__matrix_element/files/config.json.sh | 10 +++++++--- type/__matrix_element/man.rst | 10 ++++++++++ type/__matrix_element/manifest | 19 +++++++++++++++---- .../default/branding_welcome_background_url | 1 + .../parameter/default/identity_server | 0 type/__matrix_element/parameter/optional | 1 + 6 files changed, 34 insertions(+), 7 deletions(-) create mode 100644 type/__matrix_element/parameter/default/branding_welcome_background_url create mode 100644 type/__matrix_element/parameter/default/identity_server diff --git a/type/__matrix_element/files/config.json.sh b/type/__matrix_element/files/config.json.sh index 30ba9e7..fa30cda 100755 --- a/type/__matrix_element/files/config.json.sh +++ b/type/__matrix_element/files/config.json.sh @@ -34,12 +34,12 @@ EOF if [ "$BRANDING_AUTH_FOOTER_LINKS" != "" ]; then cat << EOF - "authFooterLinks": "$BRANDING_AUTH_FOOTER_LINKS", + "authFooterLinks": $BRANDING_AUTH_FOOTER_LINKS, EOF fi cat << EOF - "welcomeBackgroundUrl": "themes/element/img/backgrounds/lake.jpg" + "welcomeBackgroundUrl": "$BRANDING_WELCOME_BACKGROUND_URL" EOF echo '},' } @@ -85,6 +85,10 @@ cat << EOF "url": "$COOKIE_POLICY_URL", "text": "Cookie Policy" } - ] + ], + "embeddedPages": { + "welcomeUrl": "$WELCOME_PAGE_URL", + "homeUrl": "$HOME_PAGE_URL" + } } EOF diff --git a/type/__matrix_element/man.rst b/type/__matrix_element/man.rst index c91379f..0d748a3 100644 --- a/type/__matrix_element/man.rst +++ b/type/__matrix_element/man.rst 
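Review bot: `"authFooterLinks": $BRANDING_AUTH_FOOTER_LINKS,` now interpolates the parameter as raw JSON (the surrounding quotes were dropped), so any value that is not a valid JSON array breaks the whole config.json that Element loads; man.rst already shows the expected array form, and since the manifest runs on the host it could validate the value with a JSON parser before use, or at least a comment here should say the value is inserted verbatim as JSON. In the second hunk `"homeUrl": "$HOME_PAGE_URL"` is always emitted, but the manifest only exports `HOME_PAGE_URL` when `--homepage` is given with a non-file value, so the common case writes `"homeUrl": ""`; emit the key only when the variable is non-empty, as this file already does for `authFooterLinks`.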
@@ -39,6 +39,16 @@ owner brand Web UI branding, defaults to 'Element'. +branding_auth_header_logo_url + A logo image that is shown in the header during authentication flows. + +branding_welcome_background_url + An image to use as a wallpaper outside the app during authentication flows. If an array is passed, an image is chosen randomly for each visit. + +branding_auth_footer_links + a list of links to show in the authentication page footer: `[{"text": "Link + text", "url": "https://link.target"}, {"text": "Other link", ...}]` + default_country_code ISO 3166 alpha2 country code to use when showing country selectors, such as phone number inputs. Defaults to GB. diff --git a/type/__matrix_element/manifest b/type/__matrix_element/manifest index 292cefd..fe937c5 100755 --- a/type/__matrix_element/manifest +++ b/type/__matrix_element/manifest @@ -31,6 +31,7 @@ export DEFAULT_COUNTRY_CODE=$(cat "$__object/parameter/default_country_code") export ROOM_DIRECTORY_SERVERS=$(cat "$__object/parameter/room_directory_servers") export PRIVACY_POLICY_URL=$(cat "$__object/parameter/privacy_policy_url") export COOKIE_POLICY_URL=$(cat "$__object/parameter/cookie_policy_url") +export BRANDING_WELCOME_BACKGROUND_URL=$(cat "$__object/parameter/branding_welcome_background_url") if [ -f "$__object/parameter/jitsi_domain" ]; then export JITSI_DOMAIN=$(cat "$__object/parameter/jitsi_domain") 
@@ -45,14 +46,24 @@ if [ -f "$__object/parameter/branding_auth_footer_links" ]; then fi if [ -f "$__object/parameter/homepage" ]; then - export EMBED_HOMEPAGE=1 homepage=$(cat "$__object/parameter/homepage") + if [ -f "$homepage" ]; then + upload_homepage=1 + else + export HOME_PAGE_URL=$homepage + fi fi +WELCOME_PAGE_URL="welcome.html" if [ -f "$__object/parameter/welcomepage" ]; then - export EMBED_WELCOMEPAGE=1 welcomepage=$(cat "$__object/parameter/welcomepage") + if [ -f welcomepage ]; then + export UPLOAD_WELCOMEPAGE=1 + else + WELCOME_PAGE_URL=$welcomepage + fi fi +export WELCOME_PAGE_URL if [ -f "$__object/parameter/custom_asset" ]; then "$__object/parameter/custom_asset" | while IFS= read -r file; do @@ -92,14 +103,14 @@ require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/config.json" --mode 0664 \ --state present -if [ $EMBED_HOMEPAGE ]; then +if [ $upload_homepage ]; then require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/home.html" \ --source "$homepage" \ --mode 0664 \ --state present fi -if [ $EMBED_WELCOMEPAGE ]; then +if [ $upload_welcomepage ]; then require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/welcome.html" \ --source "$welcomepage" \ --mode 0664 \ diff --git a/type/__matrix_element/parameter/default/branding_welcome_background_url b/type/__matrix_element/parameter/default/branding_welcome_background_url new file mode 100644 index 0000000..5f5acef --- /dev/null +++ b/type/__matrix_element/parameter/default/branding_welcome_background_url @@ -0,0 +1 @@ +themes/element/img/backgrounds/lake.jpg diff --git a/type/__matrix_element/parameter/default/identity_server b/type/__matrix_element/parameter/default/identity_server new file mode 100644 index 0000000..e69de29 diff --git a/type/__matrix_element/parameter/optional b/type/__matrix_element/parameter/optional index 65a142b..2830f81 100644 --- a/type/__matrix_element/parameter/optional +++ b/type/__matrix_element/parameter/optional 
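Review bot: `if [ -f welcomepage ]; then` tests a literal file named `welcomepage` in the current directory rather than the parameter value; it should be `if [ -f "$welcomepage" ]; then`, mirroring the homepage branch just above it. That branch then sets `export UPLOAD_WELCOMEPAGE=1`, but the second hunk tests `if [ $upload_welcomepage ]`, so the welcome page is never uploaded even once the path test is fixed; use `upload_welcomepage=1` to match `upload_homepage=1`. Both `[ $upload_homepage ]` and `[ $upload_welcomepage ]` are unquoted and the variables are unset when the flag is absent; `[ -n "${upload_homepage:-}" ]` is the robust form. `[ -f "$homepage" ]` checks for the file on the host running the manifest, which is what `--source` expects, and a short comment saying so would avoid confusion with paths on the target.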
@@ -12,3 +12,4 @@ welcomepage jitsi_domain branding_auth_header_logo_url branding_auth_footer_links +branding_welcome_background_url From 287d8df9bd1682e4bc1f0bdd5d39c05a5b58271c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Mon, 24 Jan 2022 08:56:12 +0100 Subject: [PATCH 40/81] __matrix_synapse: set message min lifetime (although currently ignored by synapse) --- type/__matrix_synapse/files/homeserver.yaml.sh | 2 +- type/__matrix_synapse/manifest | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh index d8e6653..bc8cff0 100755 --- a/type/__matrix_synapse/files/homeserver.yaml.sh +++ b/type/__matrix_synapse/files/homeserver.yaml.sh @@ -448,7 +448,7 @@ retention: # matter much because Synapse doesn't take it into account yet. # default_policy: - min_lifetime: 1d + min_lifetime: ${MESSAGE_RETENTION_POLICY_MIN_LIFETIME:?} max_lifetime: ${MESSAGE_RETENTION_POLICY_MAX_LIFETIME:?} # Retention policy limits. If set, and the state of a room contains a diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index 5a9871d..9e1a07c 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest @@ -254,7 +254,8 @@ fi # Message retention. ENABLE_MESSAGE_RETENTION_POLICY=$(get_boolean_for 'enable-message-retention-policy') MESSAGE_RETENTION_POLICY_MAX_LIFETIME=$(cat "$__object/parameter/message-max-lifetime") -export ENABLE_MESSAGE_RETENTION_POLICY MESSAGE_RETENTION_POLICY_MAX_LIFETIME +MESSAGE_RETENTION_POLICY_MIN_LIFETIME=$MESSAGE_RETENTION_POLICY_MAX_LIFETIME +export ENABLE_MESSAGE_RETENTION_POLICY MESSAGE_RETENTION_POLICY_MAX_LIFETIME MESSAGE_RETENTION_POLICY_MIN_LIFETIME # Previews. ENABLE_URL_PREVIEW=$(get_boolean_for 'enable-url-preview') From c32a1836aa0e2eb203392b9d4c3598a4da43eb9c Mon Sep 17 00:00:00 2001 
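Review bot: `MESSAGE_RETENTION_POLICY_MIN_LIFETIME=$MESSAGE_RETENTION_POLICY_MAX_LIFETIME` pins the minimum lifetime to the maximum with no explanation in the manifest; only the commit title records that Synapse currently ignores the value. A comment on that line, `# Synapse does not honour min_lifetime yet; mirror max_lifetime so the template's ${…:?} expansion is satisfied`, keeps that reasoning next to the code. The `homeserver.yaml.sh` hunk on this line already consumes the variable through `${MESSAGE_RETENTION_POLICY_MIN_LIFETIME:?}`, so a future `--message-min-lifetime` parameter only needs to replace this one assignment.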
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Mon, 24 Jan 2022 11:23:38 +0100 Subject: [PATCH 41/81] __matrix_synapse: add --sso-template-dir parameter --- type/__matrix_synapse/files/homeserver.yaml.sh | 2 +- type/__matrix_synapse/man.rst | 3 +++ type/__matrix_synapse/manifest | 3 +++ type/__matrix_synapse/parameter/default/sso-template-dir | 1 + type/__matrix_synapse/parameter/optional | 1 + 5 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 type/__matrix_synapse/parameter/default/sso-template-dir diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh index bc8cff0..d719d3f 100755 --- a/type/__matrix_synapse/files/homeserver.yaml.sh +++ b/type/__matrix_synapse/files/homeserver.yaml.sh @@ -2191,7 +2191,7 @@ sso: # You can see the default templates at: # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates # - #template_dir: "res/templates" + template_dir: "${SSO_TEMPLATE_DIR:?}" # JSON web token integration. The following settings can be used to make diff --git a/type/__matrix_synapse/man.rst b/type/__matrix_synapse/man.rst index 7da9282..0589a5e 100644 --- a/type/__matrix_synapse/man.rst +++ b/type/__matrix_synapse/man.rst @@ -205,6 +205,9 @@ saml2-mapping-provider-extra-settings Extra YAML-formatted key/pair values provided as configuration to the SAML2 mapping provider module (e.g. 'key: value'). Can be specified multiple times. +sso-template-dir + Directory used to source SSO-related HTML templates. + extra-setting Arbitrary string to be added to the configuration file. Can be specified multiple times. diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index 9e1a07c..6a89de6 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest 
@@ -220,6 +220,9 @@ if [ -f "$__object/parameter/saml2-mapping-provider-extra-config" ]; then export SAML2_MAPPING_PROVIDER_EXTRA_CONFIG fi +SSO_TEMPLATE_DIR=$(cat "$__object/parameter/sso-template-dir") +export SSO_TEMPLATE_DIR + if [ -n "$SAML2_SP_KEY" ] && [ -z "$SAML2_SP_CERT" ]; then echo "--saml2-sp-cert must be set if --saml2-sp-key is provided." >&2 exit 1 diff --git a/type/__matrix_synapse/parameter/default/sso-template-dir b/type/__matrix_synapse/parameter/default/sso-template-dir new file mode 100644 index 0000000..b51bcdc --- /dev/null +++ b/type/__matrix_synapse/parameter/default/sso-template-dir @@ -0,0 +1 @@ +res/template diff --git a/type/__matrix_synapse/parameter/optional b/type/__matrix_synapse/parameter/optional index 2e265e9..1786dd1 100644 --- a/type/__matrix_synapse/parameter/optional +++ b/type/__matrix_synapse/parameter/optional @@ -41,3 +41,4 @@ saml2-sp-key saml2-sp-cert default-identity-server saml2-mapping-provider-module +sso-template-dir From 4fdba43dd65b785601372c31ba76f5eb80df1aea Mon Sep 17 00:00:00 2001 From: Joachim Desroches Date: Thu, 20 Jan 2022 12:39:55 +0100 Subject: [PATCH 42/81] [__matrix_synapse]: typos in manpage. --- type/__matrix_synapse/man.rst | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/type/__matrix_synapse/man.rst b/type/__matrix_synapse/man.rst index 0589a5e..d13e80a 100644 --- a/type/__matrix_synapse/man.rst +++ b/type/__matrix_synapse/man.rst @@ -1,5 +1,5 @@ cdist-type__matrix_synapse(7) -====================== +============================= NAME ---- @@ -8,7 +8,7 @@ cdist-type__matrix_synapse - Install and configure Synapse, a Matrix homeserver DESCRIPTION ----------- -This type install and configure the Synapse Matrix homeserver. This is a +This type installs and configures the Synapse Matrix homeserver. This is a signleton type. 
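Review bot: The default shipped for the new parameter on this line is `res/template`, while the comment this commit replaces in `homeserver.yaml.sh` (`#template_dir: "res/templates"`, hunk on the previous line) gives Synapse's own default as `res/templates`; because `template_dir` is now always emitted, the out-of-the-box configuration names a directory that differs from the upstream default by one letter. Either change the default file to `res/templates` or confirm that Synapse resolves the shorter name. The manifest part itself is sound: `SSO_TEMPLATE_DIR=$(cat "$__object/parameter/sso-template-dir")` followed by `export SSO_TEMPLATE_DIR` lets `sh -e` catch a missing parameter file.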
@@ -52,13 +52,13 @@ ldap-base-dn Base DN of your LDAP tree. ldap-uid-attribute - LDAP attriute mapping to Synapse's uid field, default to uid. + LDAP attribute mapping to Synapse's uid field, default to uid. ldap-mail-attribute - LDAP attriute mapping to Synapse's mail field, default to mail. + LDAP attribute mapping to Synapse's mail field, default to mail. ldap-name-attribute - LDAP attriute mapping to Synapse's name field, default to givenName. + LDAP attribute mapping to Synapse's name field, default to givenName. ldap-bind-dn User used to authenticate against your LDAP server in 'search' mode. @@ -81,7 +81,7 @@ smtp-host The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. smtp-port - # The port on the mail server for outgoing SMTP. Defaults to 25. + The port on the mail server for outgoing SMTP. Defaults to 25. smtp-user Username for authentication to the SMTP server. By From 3f52e758fc298974604875f596b9e4fb2cb7af95 Mon Sep 17 00:00:00 2001 From: Joachim Desroches Date: Wed, 2 Feb 2022 14:01:47 +0100 Subject: [PATCH 43/81] __systemd-network: initial implementation. --- type/__systemd_network/gencode-remote | 20 +++++ type/__systemd_network/man.rst | 68 +++++++++++++++ type/__systemd_network/manifest | 84 +++++++++++++++++++ type/__systemd_network/parameter/boolean | 1 + type/__systemd_network/parameter/optional | 1 + .../parameter/optional_multiple | 1 + 6 files changed, 175 insertions(+) create mode 100755 type/__systemd_network/gencode-remote create mode 100644 type/__systemd_network/man.rst create mode 100755 type/__systemd_network/manifest create mode 100644 type/__systemd_network/parameter/boolean create mode 100644 type/__systemd_network/parameter/optional create mode 100644 type/__systemd_network/parameter/optional_multiple diff --git a/type/__systemd_network/gencode-remote b/type/__systemd_network/gencode-remote new file mode 100755 index 0000000..af16ca6 --- /dev/null +++ b/type/__systemd_network/gencode-remote 
@@ -0,0 +1,20 @@
+#!/bin/sh -e
+#
+# 2022 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+
+systemctl enable systemd-networkd
diff --git a/type/__systemd_network/man.rst b/type/__systemd_network/man.rst
new file mode 100644
index 0000000..1b7b7a6
--- /dev/null
+++ b/type/__systemd_network/man.rst
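Review bot: `systemctl enable systemd-networkd` is executed by the gencode-remote script itself instead of being written to stdout; cdist runs gencode-remote locally and executes its output on the target, so as written the unit is enabled on the host running cdist and the target is left untouched. It should be `echo "systemctl enable systemd-networkd"`, which is exactly what the later `[bird_radv] Add option to include MTU in RAs.` patch in this series changes it to, and what `__systemd_resolved`'s gencode-remote does from the start.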
@@ -0,0 +1,68 @@ +cdist-type__systemd-network(7) +============================== + +NAME +---- +cdist-type__systemd-network - Configure systemd.network(5) file. + + +DESCRIPTION +----------- + +This type allows you to configure network interfaces by generating a +systemd.network(5) file. It will enable systemd-networkd, so be sure to remove +any conflicting network configuration tool if appropriate! + +Note that the systemd.network(5) system is very complete, and this type does +not aim at providing every possible option. Are currently available only the +most common options: feel free to add anything you need to this type which +hopefully will grow over time. + + +REQUIRED PARAMETERS +------------------- +None. + + +OPTIONAL PARAMETERS +------------------- +description + A text field used when displaying details about this network. + +OPTIONAL MULTIPLE PARAMETERS +---------------------------- +match-name + A text field that will be set in the `Name` option of the `[Match]` section. + + +BOOLEAN PARAMETERS +------------------ +ipv6ra-usedomains + Set the `UseDomains` option of the `[IPv6AcceptRA]` section to `True`. + + +EXAMPLES +-------- + +.. code-block:: sh + + # TODO + __systemd-network + + +SEE ALSO +-------- +`cdist-type_systemd-resolved`\ (7) +`systemd.network`\ (5) + +AUTHORS +------- +Joachim Desroches + + +COPYING +------- +Copyright \(C) 2022 Joachim Desroches. You can redistribute it +and/or modify it under the terms of the GNU General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. diff --git a/type/__systemd_network/manifest b/type/__systemd_network/manifest new file mode 100755 index 0000000..a2c1805 --- /dev/null +++ b/type/__systemd_network/manifest 
@@ -0,0 +1,84 @@ +#!/bin/sh -e +# +# 2022 Joachim Desroches (joachim.desroches@epfl.ch) +# +# This file is part of cdist. +# +# cdist is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# cdist is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with cdist. If not, see . +# + +os=$(cat "${__global:?}/explorer/os") + +case "$os" in +'debian' | 'ubuntu' | 'archlinux') + : + ;; +*) + printf "Your operating system (%s) is currently not supported by systemd-network\n" "$os" >&2 + printf "Please contribute an implementation for it if you can.\n" >&2 + exit 1 + ;; +esac + +# XXX: Please keep the option parsing organized in order per-section, with +# sections in the same order as they are in the manpage. This will make hacking +# and maintaining this type much easier. + +output_file="${__object:?}/files/${__object_id:?}.network" + +cat << EOF > "$output_file" +# This file is managed by cdist. Do not edit by hand! +EOF + +# Match section +# Ensure section is needed, OR existence of optional params. +if [ -f "${__object:?}/parameter/match-name" ]; +then + printf "\n[Match]\n" >> "$output_file" + + if [ -f "${__object:?}/parameter/match-name" ]; + then + sed -e 's/^/Name=/' \ + "${__object:?}/parameter/match-name" >> "$output_file" + fi +fi + +# Network section +# Ensure section is needed, OR existence of optional params. 
+if [ -f "${__object:?}/parameter/description" ]; +then + printf "\n[Network]\n" >> "$output_file" + + if [ -f "${__object:?}/parameter/description" ]; + then + sed -e 's/^/Description=/' \ + "${__object:?}/parameter/description" >> "$output_file" + fi +fi + +# IPv6AcceptRA section +# Ensure section is needed, OR existence of optional params. +if [ -f "${__object:?}/parameter/ipv6ra-usedomains" ]; +then + printf "\n[IPv6AcceptRA]\n" >> "$output_file" + + if [ -f "${__object:?}/parameter/ipv6ra-usedomains" ]; + then + printf "UseDomains=True\n" >> "$output_file" + fi + +fi + +__file "/etc/systemd/network/${__object_id:?}.network" \ + --source "$output_file" diff --git a/type/__systemd_network/parameter/boolean b/type/__systemd_network/parameter/boolean new file mode 100644 index 0000000..b23dcdc --- /dev/null +++ b/type/__systemd_network/parameter/boolean @@ -0,0 +1 @@ +ipv6ra-usedomains diff --git a/type/__systemd_network/parameter/optional b/type/__systemd_network/parameter/optional new file mode 100644 index 0000000..e1b39b0 --- /dev/null +++ b/type/__systemd_network/parameter/optional @@ -0,0 +1 @@ +description diff --git a/type/__systemd_network/parameter/optional_multiple b/type/__systemd_network/parameter/optional_multiple new file mode 100644 index 0000000..c97c387 --- /dev/null +++ b/type/__systemd_network/parameter/optional_multiple @@ -0,0 +1 @@ +match-name From 6310db73011dea428700be033fc46359b176267d Mon Sep 17 00:00:00 2001 From: Joachim Desroches Date: Mon, 7 Feb 2022 13:33:57 +0100 Subject: [PATCH 44/81] [bird_bgp]: minor cleanup. --- type/__bird_bgp/manifest | 1 - 1 file changed, 1 deletion(-) diff --git a/type/__bird_bgp/manifest b/type/__bird_bgp/manifest index a1d79f2..7525bb5 100755 --- a/type/__bird_bgp/manifest +++ b/type/__bird_bgp/manifest @@ -89,7 +89,6 @@ ipv4_import= if [ -f "${__object:?}"/parameter/ipv4-import ]; then ipv4_import="$(cat "${__object:?}"/parameter/ipv4-import)" - echo "FOO" >&2 fi export ipv4_import 
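Review bot: The hunk redirects into `output_file="${__object:?}/files/${__object_id:?}.network"` without creating `${__object:?}/files`, so `cat << EOF > "$output_file"` on the previous line fails under `sh -e` unless cdist pre-creates that directory; the `[bird_radv]` patch later in this series adds a `mkdir` for it, and `mkdir -p "${__object:?}/files"` (the form `__opendkim`'s manifest uses) is the idempotent spelling. Each section guard repeats its only inner test (`[ -f "${__object:?}/parameter/match-name" ]` twice, likewise for `description` and `ipv6ra-usedomains`), which is harmless but hides the "section needed if any of its options is set" intent that the comments describe; a comment such as `# outer test: OR of every option in this section; inner tests: one per option` would make the structure self-explaining once more options exist. The final `__file "/etc/systemd/network/${__object_id:?}.network"` installs the unit without `--mode`, leaving the mode to `__file`'s default; the same later patch adds `--mode 0644`. The hunk starts on the previous line.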
From 727fbd55fb0ff47b4453727ad24bd48068aee64b Mon Sep 17 00:00:00 2001 From: Joachim Desroches Date: Mon, 7 Feb 2022 13:44:10 +0100 Subject: [PATCH 45/81] [bird_radv] Add option to include MTU in RAs. --- type/__bird_radv/man.rst | 10 ++++++++-- type/__bird_radv/manifest | 10 +++++++++- type/__bird_radv/parameter/optional | 1 + .../parameter/{required_multiple => required} | 0 type/__systemd_network/gencode-remote | 2 +- type/__systemd_network/manifest | 4 +++- 6 files changed, 22 insertions(+), 5 deletions(-) create mode 100644 type/__bird_radv/parameter/optional rename type/__bird_radv/parameter/{required_multiple => required} (100%) diff --git a/type/__bird_radv/man.rst b/type/__bird_radv/man.rst index 118fd60..819b213 100644 --- a/type/__bird_radv/man.rst +++ b/type/__bird_radv/man.rst @@ -15,12 +15,17 @@ autoconfigure IPv6 hosts, this type is a rudimentary implementation to generate configuration for Bird to do so. -REQUIRED MULTIPLE PARAMETERS ----------------------------- +REQUIRED PARAMETERS +------------------- interface The interfaces to activate the protocol on. RAs will be sent using the prefixes configured on these interfaces. +OPTIONAL PARAMETERS +------------------- +mtu + An optional MTU setting to include in the router advertisements. + OPTIONAL MULTIPLE PARAMETERS ---------------------------- @@ -41,6 +46,7 @@ EXAMPLES __bird_radv datacenter \ --interface eth1 \ + --mtu 9000 \ --route ::/0 \ --ns 2001:DB8:cafe::4 \ --ns 2001:DB8:cafe::14 \ diff --git a/type/__bird_radv/manifest b/type/__bird_radv/manifest index a95e88e..aee8690 100755 --- a/type/__bird_radv/manifest +++ b/type/__bird_radv/manifest @@ -55,6 +55,12 @@ then DNSSL=$(sed -e 's/^/\tdnssl "/' -e 's/$/";/' "${__object:?}/parameter/dnssl") fi +MTU= +if [ -f "${__object:?}/parameter/mtu" ]; +then + MTU="link mtu $(cat "${__object:?}/parameter/mtu")" +fi + __file "${confdir:?}/radv-${__object_id:?}.conf" \ --mode 0640 --owner root --group bird \ --source - << EOF 
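Review bot: `MTU="link mtu $(cat "${__object:?}/parameter/mtu")"` interpolates the parameter into the Bird configuration with no validation and, unlike the generated `dnssl "…";` lines just above it, without a terminating `;`, so the `interface "…" { $MTU };` block in the `@@ -71,7 +77,9 @@` hunk on the next line emits `link mtu 9000` with no statement terminator. Reject anything that is not a positive integer before building the fragment: `mtu=$(cat "${__object:?}/parameter/mtu")`, `case "$mtu" in ''|*[!0-9]*) printf 'mtu must be a positive integer\n' >&2; exit 1 ;; esac`, `MTU="link mtu ${mtu};"`. That also keeps a stray value from reaching the `--source -` here-document unescaped.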
@@ -71,7 +77,9 @@ protocol radv ${__object_id:?} { propagate routes ${have_routes:?}; ipv6 { table radv_routes; export all; }; -$(sed -e 's/^/\tinterface "/' -e 's/$/";/' "${__object:?}/parameter/interface") + interface "$(cat "${__object:?}/parameter/interface")" { + $MTU + }; $RDNS diff --git a/type/__bird_radv/parameter/optional b/type/__bird_radv/parameter/optional new file mode 100644 index 0000000..ee48c5c --- /dev/null +++ b/type/__bird_radv/parameter/optional @@ -0,0 +1 @@ +mtu diff --git a/type/__bird_radv/parameter/required_multiple b/type/__bird_radv/parameter/required similarity index 100% rename from type/__bird_radv/parameter/required_multiple rename to type/__bird_radv/parameter/required diff --git a/type/__systemd_network/gencode-remote b/type/__systemd_network/gencode-remote index af16ca6..13c16c9 100755 --- a/type/__systemd_network/gencode-remote +++ b/type/__systemd_network/gencode-remote @@ -17,4 +17,4 @@ # You should have received a copy of the GNU General Public License # along with cdist. If not, see . -systemctl enable systemd-networkd +echo "systemctl enable systemd-networkd" diff --git a/type/__systemd_network/manifest b/type/__systemd_network/manifest index a2c1805..49eb792 100755 --- a/type/__systemd_network/manifest +++ b/type/__systemd_network/manifest @@ -35,6 +35,7 @@ esac # sections in the same order as they are in the manpage. This will make hacking # and maintaining this type much easier. +mkdir "${__object:?}/files" output_file="${__object:?}/files/${__object_id:?}.network" cat << EOF > "$output_file" @@ -81,4 +82,5 @@ then fi __file "/etc/systemd/network/${__object_id:?}.network" \ - --source "$output_file" + --source "$output_file" \ + --mode 0644 From 9a779aafa3a2ae1d2f92058b8eda2202db96e00b Mon Sep 17 00:00:00 2001 
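Review bot: `mkdir "${__object:?}/files"` in the `__systemd_network` manifest hunk fails if the directory already exists, which aborts the manifest under `sh -e` should cdist reuse the object directory; `mkdir -p "${__object:?}/files"` is the idempotent form and is what `__opendkim`'s manifest in this series uses. The `--mode 0644` added in the second hunk of that file and the `echo "systemctl enable systemd-networkd"` change in gencode-remote both resolve issues present in the type's initial commit, so no further change is needed there.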
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Tue, 8 Feb 2022 13:45:03 +0100 Subject: [PATCH 46/81] __matrix_synapse: add --disable-{displayname,3pid}-changes flag --- type/__matrix_synapse/files/homeserver.yaml.sh | 4 ++-- type/__matrix_synapse/man.rst | 6 ++++++ type/__matrix_synapse/manifest | 12 ++++++++++++ type/__matrix_synapse/parameter/boolean | 2 ++ 4 files changed, 22 insertions(+), 2 deletions(-) diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh index d719d3f..64b40ee 100755 --- a/type/__matrix_synapse/files/homeserver.yaml.sh +++ b/type/__matrix_synapse/files/homeserver.yaml.sh @@ -1406,7 +1406,7 @@ account_threepid_delegates: # # Does not apply to server administrators. Defaults to 'true' # -#enable_set_displayname: false +enable_set_displayname: ${ENABLE_SET_DISPLAYNAME:?} # Whether users are allowed to change their avatar after it has been # initially set. Useful when provisioning users based on the contents @@ -1421,7 +1421,7 @@ account_threepid_delegates: # # Defaults to 'true' # -#enable_3pid_changes: false +enable_3pid_changes: ${ENABLE_3PID_CHANGES:?} # Users who register on this homeserver will automatically be joined # to these rooms. diff --git a/type/__matrix_synapse/man.rst b/type/__matrix_synapse/man.rst index d13e80a..0ec7a94 100644 --- a/type/__matrix_synapse/man.rst +++ b/type/__matrix_synapse/man.rst @@ -162,6 +162,12 @@ rc-login-burst registration-allows-email-pattern Only allow email addresses matching specified filter. Can be specified multiple times. A pattern must look like `.*@vector\.im`. +disable-displayname-changes + Whether users are allowed to change their displayname after it has been initially set. + +disable-3pid-changes + Whether users can change the 3PIDs associated with their accounts (email address and msisdn). + auto-join-room Room where newly-registered users are automatically added. Can be specified multiple times. 
diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index 6a89de6..bc76143 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest @@ -181,6 +181,18 @@ if [ -f "$__object/parameter/registration-requires-email" ]; then export REGISTRATION_REQUIRES_EMAIL=1 fi +ENABLE_SET_DISPLAYNAME='true' +if [ -f "$__object/parameter/disable-displayname-changes" ]; then + ENABLE_SET_DISPLAYNAME='false' +fi +export ENABLE_SET_DISPLAYNAME + +ENABLE_3PID_CHANGES='true' +if [ -f "$__object/parameter/disable-3pid-changes" ]; then + ENABLE_3PID_CHANGES='false' +fi +export ENABLE_3PID_CHANGES + if [ -f "$__object/parameter/auto-join-room" ]; then AUTO_JOIN_ROOMS="$(cat "$__object/parameter/auto-join-room")" export AUTO_JOIN_ROOMS diff --git a/type/__matrix_synapse/parameter/boolean b/type/__matrix_synapse/parameter/boolean index ac87271..54c383a 100644 --- a/type/__matrix_synapse/parameter/boolean +++ b/type/__matrix_synapse/parameter/boolean @@ -18,3 +18,5 @@ enable-message-retention-policy worker-mode enable-url-preview enable-3pid-lookups +disable-3pid-changes +disable-displayname-changes From f6d0cbbeb7c043150d603297710325d2e1433a9a Mon Sep 17 00:00:00 2001 From: Joachim Desroches Date: Mon, 7 Feb 2022 14:15:05 +0100 Subject: [PATCH 47/81] __systemd_resolved: initial implementation. --- type/__systemd_resolved/gencode-remote | 21 ++++++++++++ type/__systemd_resolved/man.rst | 47 ++++++++++++++++++++++++++ type/__systemd_resolved/manifest | 42 +++++++++++++++++++++++ 3 files changed, 110 insertions(+) create mode 100755 type/__systemd_resolved/gencode-remote create mode 100644 type/__systemd_resolved/man.rst create mode 100755 type/__systemd_resolved/manifest diff --git a/type/__systemd_resolved/gencode-remote b/type/__systemd_resolved/gencode-remote new file mode 100755 index 0000000..115b99b --- /dev/null +++ b/type/__systemd_resolved/gencode-remote 
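Review bot: The manifest logic is correct, but the man.rst entries added on the previous line describe `disable-displayname-changes` and `disable-3pid-changes` as "Whether users are allowed to change…", which is the inverse of what this hunk implements (`ENABLE_SET_DISPLAYNAME='false'` and `ENABLE_3PID_CHANGES='false'` when the flag is present). Suggested wording: `Forbid users from changing their displayname after it has been initially set.` and `Forbid users from changing the 3PIDs (email address and msisdn) associated with their accounts.`. Both values default to `'true'`, matching the "Defaults to 'true'" comments kept in the template hunks.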
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+#
+# 2022 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+
+echo "systemctl enable systemd-resolved"
diff --git a/type/__systemd_resolved/man.rst b/type/__systemd_resolved/man.rst
new file mode 100644
index 0000000..213c725
--- /dev/null
+++ b/type/__systemd_resolved/man.rst
@@ -0,0 +1,47 @@ +cdist-type__systemd_resolved(7) +=============================== + +NAME +---- +cdist-type__systemd_resolved - Configure system to use systemd-resolved. + + +DESCRIPTION +----------- +*systemd-resolved* is a systemd service that provides network name resolution +to local applications via a D-Bus interface, the resolve NSS service +(nss-resolve(8)), and a local DNS stub listener on 127.0.0.53. + +This type enables and starts this type, and helps with some minimal +configuration. In particular, systemd-resolved has four modes of handling the +`/etc/resolv.conf` file: stub, static, uplink and foreign. See the +systemd-resolved(8) manpage for details. By default, this type uses stub mode: +if you need another one, please provide an implementation in this type! + + +EXAMPLES +-------- + +.. code-block:: sh + + __systemd_resolved + + +SEE ALSO +-------- +`systemd.network`\ (5) +`systemd-resolved`\ (8) +`nss-resolve`\ (8) + + +AUTHORS +------- +Joachim Desroches + + +COPYING +------- +Copyright \(C) 2022 Joachim Desroches. You can redistribute it +and/or modify it under the terms of the GNU General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. diff --git a/type/__systemd_resolved/manifest b/type/__systemd_resolved/manifest new file mode 100755 index 0000000..3b99592 --- /dev/null +++ b/type/__systemd_resolved/manifest 
@@ -0,0 +1,42 @@
+#!/bin/sh -e
+#
+# 2022 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+
+os=$(cat "${__global:?}/explorer/os")
+
+case "$os" in
+'debian')
+ :
+ ;;
+*)
+ printf "Your operating system (%s) is currently not supported by __systemd_resolved\n" "$os" >&2
+ printf "Please contribute an implementation for it if you can.\n" >&2
+ exit 1
+ ;;
+esac
+
+__link /etc/resolv.conf \
+ --type symbolic \
+ --source ../run/systemd/resolve/stub-resolv.conf
+
+require=__link/etc/resolv.conf \
+ __systemd_service systemd-resolved \
+ --state running \
+ --action restart \
+ --if-required
From 422b97bc1b310c8f3515f3911794d2d674eb964a Mon Sep 17 00:00:00 2001
From: Joachim Desroches
Date: Mon, 7 Feb 2022 15:12:23 +0100
Subject: [PATCH 48/81] [systemd_resolved]: make singleton.

---
 type/__systemd_resolved/singleton | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 type/__systemd_resolved/singleton

diff --git a/type/__systemd_resolved/singleton b/type/__systemd_resolved/singleton
new file mode 100644
index 0000000..e69de29

From ecd10de2d3517be874ac5b54b4c03214afe12672 Mon Sep 17 00:00:00 2001
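Review bot: `case "$os"` accepts only `'debian'`, whereas `__systemd_network` from the same series, whose man page cross-references this type, accepts `'debian' | 'ubuntu' | 'archlinux'`; nothing after the `case` is Debian-specific (a `/etc/resolv.conf` symlink and a `__systemd_service` call), so the narrower list looks unintended and prevents the two types from being used together on the other two distributions. Replacing `/etc/resolv.conf` with the stub symlink before `systemd-resolved` is running leaves the host without name resolution until the daemon starts, since `../run/systemd/resolve/stub-resolv.conf` is only present while it runs; whether `__systemd_service … --if-required` tolerates that ordering is not visible here, so confirm it or order the `__link` after the service rather than the reverse as `require=__link/etc/resolv.conf` currently does.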
From: Evilham Date: Thu, 10 Mar 2022 20:08:51 +0100 Subject: [PATCH 49/81] [__opendkim*] FreeBSD support and minor fixes While adding FreeBSD support to the type I noticed various issues: - We were making sure that the KeyTable and SigningTable were created in __opendkim_genkey, but that was being done with the default cdist permissions (0400) which could result in issues when reloading the service after privilege drop. This is addressed by checking that it exists/creating it in __opendkim (just once, not once per __opendkim_genkey call) with laxer permissions (0444). - In __opendkim, the service was being started after the config file was installed. This is insufficient as OpenDKIM will refuse to start with the generated config if either SigningTable or KeyTable do not exist yet. - __opendkim_genkey had the implicit assumption that the --directory parameter always ended in a slash. This was not documented and error-prone; we are now a bit laxer and add the trailing slash if it is missing. - __opendkim_genkey was not changing permissions for the resulting .txt file. This was not critical for it to function, but it was inconsistent. - As documented in #17, __opendkim allows for a --userid parameter that might cause issues with keys generated by __opendkim_genkey. This issue has not been addressed yet, but I recommend deprecating the --userid parameter. --- type/__opendkim/files/opendkim.conf.sh | 5 +-- type/__opendkim/man.rst | 12 ++++--- type/__opendkim/manifest | 28 ++++++++++++--- type/__opendkim_genkey/gencode-remote | 10 ++++-- type/__opendkim_genkey/man.rst | 7 ++-- type/__opendkim_genkey/manifest | 47 ++++++++++++++++++-------- 6 files changed, 79 insertions(+), 30 deletions(-) diff --git a/type/__opendkim/files/opendkim.conf.sh b/type/__opendkim/files/opendkim.conf.sh index a21eecc..468b262 100755 --- a/type/__opendkim/files/opendkim.conf.sh +++ b/type/__opendkim/files/opendkim.conf.sh 
@@ -1,6 +1,7 @@ #!/bin/sh -e # Generate an opendkim.conf(5) file for opendkim(8). +echo "# Managed remotely, manual changes will be lost." # Optional chdir(2) if [ "$BASEDIR" ]; @@ -33,8 +34,8 @@ then fi # Key and Domain tables -echo 'KeyTable /etc/opendkim/KeyTable' -echo 'SigningTable /etc/opendkim/SigningTable' +echo "KeyTable ${CFG_DIR}/KeyTable" +echo "SigningTable ${CFG_DIR}/SigningTable" # Required socket to listen on printf "Socket %s\n" "${SOCKET:?}" diff --git a/type/__opendkim/man.rst b/type/__opendkim/man.rst index 205ca65..e3f3e7a 100644 --- a/type/__opendkim/man.rst +++ b/type/__opendkim/man.rst @@ -14,8 +14,8 @@ installation and basic configuration of an instance of OpenDKIM. Note that this type does not generate or ensure that a key is present: use `cdist-type__opendkim-genkey(7)` for that. -Note that this type is currently only implemented for Alpine Linux. Please -contribute an implementation if you can. +Note that this type is currently only implemented for Alpine Linux and FreeBSD. +Please contribute an implementation if you can. REQUIRED PARAMETERS @@ -42,8 +42,9 @@ umask Set the umask for the socket and PID file. userid - Change the user the opendkim program is to run as. By default, Alpine Linux's - OpenRC service will set this to `opendkim` on the command-line. + Change the user the opendkim program is to run as. + By default, Alpine Linux's OpenRC service will set this to `opendkim` on the + command-line and FreeBSD's rc will set it to `mailnull`. custom-config The string following this parameter is appended as-is in the configuration, to @@ -86,11 +87,12 @@ SEE ALSO AUTHORS ------- Joachim Desroches +Evilham COPYING ------- -Copyright \(C) 2021 Joachim Desroches. You can redistribute it +Copyright \(C) 2022 Joachim Desroches, Evilham. You can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. 
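Review bot: `echo "KeyTable ${CFG_DIR}/KeyTable"` and the matching `SigningTable` line expand `CFG_DIR` without the `:?` guard that the same file applies to `${SOCKET:?}`, so if the manifest's `export CFG_DIR` is ever missing the generated configuration silently points OpenDKIM at `/KeyTable` and `/SigningTable`; write `${CFG_DIR:?}` in both lines. The new `# Managed remotely, manual changes will be lost.` header is emitted before the optional `BaseDirectory` block, so it stays the first line of the file as intended.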
diff --git a/type/__opendkim/manifest b/type/__opendkim/manifest index e3325b4..dbd9fc0 100755 --- a/type/__opendkim/manifest +++ b/type/__opendkim/manifest @@ -20,16 +20,23 @@ os=$(cat "${__global:?}/explorer/os") +CFG_DIR="/etc/opendkim" +service="opendkim" case "$os" in 'alpine') : ;; +'freebsd') + CFG_DIR="/usr/local/etc/mail" + service="milter-opendkim" + ;; *) printf "__opendkim does not yet support %s.\n" "$os" >&2 printf "Please contribute an implementation if you can.\n" >&2 exit 1 ;; esac +export CFG_DIR __package opendkim @@ -68,7 +75,7 @@ fi # Generate and deploy configuration file. source_file="${__object:?}/files/opendkim.conf" -target_file="/etc/opendkim/opendkim.conf" +target_file="${CFG_DIR}/opendkim.conf" mkdir -p "${__object:?}/files" @@ -83,9 +90,22 @@ fi require="__package/opendkim" __file "$target_file" \ --source "$source_file" --mode 0644 -require="__package/opendkim" __start_on_boot opendkim +require="__package/opendkim" __start_on_boot "${service}" -require="__file${target_file}" \ +# Ensure Key and Signing tables exist and have proper permissions +key_table="${CFG_DIR}/KeyTable" +signing_table="${CFG_DIR}/SigningTable" + +require="__package/opendkim" \ + __file "${key_table}" \ + --mode 444 + +require="__package/opendkim" \ + __file "${signing_table}" \ + --mode 444 + +require="__file${target_file} __file${key_table} + __file${signing_table} __start_on_boot/${service}" \ __check_messages opendkim \ --pattern "^__file${target_file}" \ - --execute "service opendkim restart" + --execute "service ${service} restart" diff --git a/type/__opendkim_genkey/gencode-remote b/type/__opendkim_genkey/gencode-remote index 65ce934..d8dfb4d 100755 --- a/type/__opendkim_genkey/gencode-remote +++ b/type/__opendkim_genkey/gencode-remote 
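Review bot: The `require` value for `__check_messages` is a double-quoted string broken across two source lines (`require="__file${target_file} __file${key_table}` / ` __file${signing_table} __start_on_boot/${service}"`), which only works because cdist splits the value on whitespace; ending the first line with `\` makes the continuation explicit and keeps the dependency list on one logical line. The two new `__file` calls use `--mode 444` while the configuration file two lines earlier uses `--mode 0644`; use the four-digit form in all three for consistency. World-readable tables are acceptable here because, per the `__opendkim_genkey` man page, their entries are `domain:selector:keyfile` references rather than key material.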
@@ -30,7 +30,8 @@ fi DIRECTORY="/var/db/dkim/" if [ -f "${__object:?}/parameter/directory" ]; then - DIRECTORY="$(cat "${__object:?}/parameter/directory")" + # Be forgiving about a lack of trailing slash + DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")" fi # Boolean parameters @@ -44,7 +45,12 @@ if [ -f "${__object:?}/parameters/unrestricted" ]; then RESTRICTED= fi +user="$(cat "${__object:?}/user")" +group="$(cat "${__object:?}/group")" + if ! [ -f "${DIRECTORY}${SELECTOR}.private" ]; then echo "opendkim-genkey $BITS --domain=$DOMAIN --directory=$DIRECTORY $RESTRICTED --selector=$SELECTOR $SUBDOMAINS" - echo "chown opendkim:opendkim ${DIRECTORY}${SELECTOR}.private" + echo "chown ${user}:${group} ${DIRECTORY}${SELECTOR}.private" + # This is usually generated, if it weren't we do not want to fail + echo "chown ${user}:${group} ${DIRECTORY}${SELECTOR}.txt || true" fi diff --git a/type/__opendkim_genkey/man.rst b/type/__opendkim_genkey/man.rst index 46e6505..b3fd013 100644 --- a/type/__opendkim_genkey/man.rst +++ b/type/__opendkim_genkey/man.rst @@ -17,8 +17,8 @@ will be added to the OpenDKIM signing table, using either the domain or the provided key for the `domain:selector:keyfile` value in the table. An existing key will not be overwritten. -Currently, this type is only implemented for Alpine Linux. Please contribute an -implementation if you can. +Currently, this type is only implemented for Alpine Linux and FreeBSD. +Please contribute an implementation if you can. REQUIRED PARAMETERS ------------------- @@ -85,11 +85,12 @@ SEE ALSO AUTHORS ------- Joachim Desroches +Evilham COPYING ------- -Copyright \(C) 2021 Joachim Desroches. You can redistribute it +Copyright \(C) 2022 Joachim Desroches, Evilham. You can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. 
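Review bot: The `chown ${user}:${group}` in the second hunk is emitted only inside the `if ! [ -f "${DIRECTORY}${SELECTOR}.private" ]` branch, so on a host whose runtime user changes (for example from `opendkim` to `mailnull`) an existing private key keeps its old owner and may become unreadable by the signer; consider emitting the `chown` for an already existing `.private` file as well, outside the generation branch. The `sed -E 's!([^/])$!\1/!'` normalisation of `DIRECTORY` in the first hunk is repeated verbatim in the manifest's `@@ -39,7 +50,8 @@` hunk; doing it once in the manifest and persisting the result next to `user` and `group` would keep the two copies from drifting. An empty `directory` parameter also passes through `sed` unchanged and turns the key path into a relative `${SELECTOR}.private`; `"${DIRECTORY:?}"` would catch that, as the manifest's `__line` already does.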
diff --git a/type/__opendkim_genkey/manifest b/type/__opendkim_genkey/manifest index 7c506e9..50dcee5 100755 --- a/type/__opendkim_genkey/manifest +++ b/type/__opendkim_genkey/manifest @@ -21,10 +21,18 @@ os=$(cat "${__global:?}/explorer/os") +CFG_DIR="/etc/opendkim" +user="opendkim" +group="opendkim" case "$os" in 'alpine') : ;; +'freebsd') + CFG_DIR="/usr/local/etc/mail" + user="mailnull" + group="mailnull" +;; *) cat <<- EOF >&2 __opendkim_genkey currently only supports Alpine Linux. Please @@ -32,6 +40,9 @@ case "$os" in EOF ;; esac +# Persist user and group for gencode-remote +printf '%s' "${user}" > "${__object:?}/user" +printf '%s' "${group}" > "${__object:?}/group" SELECTOR="$(cat "${__object:?}/parameter/selector")" DOMAIN="$(cat "${__object:?}/parameter/domain")" @@ -39,7 +50,8 @@ DOMAIN="$(cat "${__object:?}/parameter/domain")" DIRECTORY="/var/db/dkim/" if [ -f "${__object:?}/parameter/directory" ]; then - DIRECTORY="$(cat "${__object:?}/parameter/directory")" + # Be forgiving about a lack of trailing slash + DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")" fi SIGKEY="${DOMAIN:?}" 
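Review bot: The fallback `*)` arm still prints `__opendkim_genkey currently only supports Alpine Linux.` although the first hunk adds a `'freebsd'` arm; update the message to name both systems as the sibling `__opendkim` manifest does. The `;;` closing the new arm sits at column 0 while the `'alpine'` arm indents it. The second hunk shows `EOF` followed directly by `;;`, which suggests the unsupported-OS arm only warns and the manifest then goes on to create `__directory` and `__line` objects for that host; `__opendkim`'s manifest exits 1 at the same point, and if that is not intentional an `exit 1` after the heredoc would match it (the heredoc body itself lies outside the hunk, so I cannot see the lines in between).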
@@ -48,19 +60,26 @@ then SIGKEY="$(cat "${__object:?}/parameter/sigkey")" fi -__package opendkim-utils +# Ensure the key-container directory exists with the proper permissions +__directory "${DIRECTORY}" \ + --mode 0750 \ + --owner "${user}" --group "${group}" -require='__package/opendkim-utils' \ - __file /etc/opendkim/KeyTable -require='__package/opendkim-utils' \ - __file /etc/opendkim/SigningTable +# OS-specific code +case "$os" in +'alpine') + # This is needed for opendkim-genkey + __package opendkim-utils +;; +esac -require='__file/etc/opendkim/KeyTable' \ - __line "line-key-${__object_id:?}" \ - --file /etc/opendkim/KeyTable \ - --line "${SELECTOR:?}._domainkey.${DOMAIN:?} ${DOMAIN:?}:${SELECTOR:?}:${DIRECTORY:?}${SELECTOR:?}.private" +key_table="${CFG_DIR}/KeyTable" +signing_table="${CFG_DIR}/SigningTable" -require='__file/etc/opendkim/SigningTable' \ - __line "line-sig-${__object_id:?}" \ - --file /etc/opendkim/SigningTable \ - --line "${SIGKEY:?} ${SELECTOR:?}._domainkey.${DOMAIN:?}" +__line "line-key-${__object_id:?}" \ + --file "${key_table}" \ + --line "${SELECTOR:?}._domainkey.${DOMAIN:?} ${DOMAIN:?}:${SELECTOR:?}:${DIRECTORY:?}${SELECTOR:?}.private" + +__line "line-sig-${__object_id:?}" \ + --file "${signing_table}" \ + --line "${SIGKEY:?} ${SELECTOR:?}._domainkey.${DOMAIN:?}" From ac03f05766f2ef12b893918b6d206b281d32e263 Mon Sep 17 00:00:00 2001 From: Evilham Date: Thu, 10 Mar 2022 21:20:52 +0100 Subject: [PATCH 50/81] [__jitsi_meet] Fix bug with secured domains This is a leftover from when we were using __line instead of __block. Closes #15 Reported by: @pedro --- type/__jitsi_meet/manifest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest index 0364db6..279444a 100755 --- a/type/__jitsi_meet/manifest +++ b/type/__jitsi_meet/manifest 
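Review bot: `__directory "${DIRECTORY}" --owner "${user}" --group "${group}"` carries no `require`, and the `'alpine'` arm's `__package opendkim-utils` is now emitted after it, so the directory may be created before the package that presumably provides the `opendkim` user is installed and the ownership step fails; the removed code chained everything behind `__package/opendkim-utils`. If the user is actually created by the `opendkim` package that `__opendkim` installs, add a comment such as `# Requires __opendkim to have been applied first (creates the service user and the tables)`; otherwise put `require="__package/opendkim-utils"` (or the relevant `__user`) in front of the `__directory`. Likewise the two `__line` objects dropped their dependency on the `__file` objects for `${key_table}`/`${signing_table}`, which now live in `__opendkim`'s manifest, so their ordering relies on `__line` being able to create a missing file; a `require="__file${key_table}"` would make that explicit when both types are applied together.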
@@ -153,7 +153,7 @@ EOF if [ -f "${__object}/parameter/secured-domains" ]; then SECURED_DOMAINS_STATE='present' - SECURED_DOMAINS_STATE_JICOFO='replace' + SECURED_DOMAINS_STATE_JICOFO='present' else SECURED_DOMAINS_STATE='absent' SECURED_DOMAINS_STATE_JICOFO='absent' From ac99cd8d84af340188a7e10a97ab829d540572bc Mon Sep 17 00:00:00 2001 From: Evilham Date: Thu, 10 Mar 2022 21:23:45 +0100 Subject: [PATCH 51/81] [__jitsi_meet_domain] Update to 2.0.7001-1 Obsoletes #13 --- .../parameter/default/jitsi-version | 2 +- .../files/_update_jitsi_configurations.sh | 2 +- type/__jitsi_meet_domain/files/config.js.sh | 166 ++++++++++++++---- .../files/config.js.sh.orig | 166 ++++++++++++++---- .../files/interface_config.js.sh | 2 +- .../files/interface_config.js.sh.orig | 2 +- 6 files changed, 258 insertions(+), 82 deletions(-) diff --git a/type/__jitsi_meet/parameter/default/jitsi-version b/type/__jitsi_meet/parameter/default/jitsi-version index 9fe8252..4b02224 100644 --- a/type/__jitsi_meet/parameter/default/jitsi-version +++ b/type/__jitsi_meet/parameter/default/jitsi-version @@ -1 +1 @@ -2.0.5765-1 +2.0.7001-1 diff --git a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh index 295bdf0..6029cf7 100755 --- a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh +++ b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh @@ -7,7 +7,7 @@ # We could automate this, but are using it as an indicator for the # latest branch with which we conciliated changes. -BRANCH="jitsi-meet_6726" +BRANCH="jitsi-meet_7001" REPO="https://github.com/jitsi/jitsi-meet" get_url() { diff --git a/type/__jitsi_meet_domain/files/config.js.sh b/type/__jitsi_meet_domain/files/config.js.sh index 4532ba6..58df3fc 100644 --- a/type/__jitsi_meet_domain/files/config.js.sh +++ b/type/__jitsi_meet_domain/files/config.js.sh 
@@ -86,18 +86,41 @@ fi // callStatsThreshold: 5 // enable callstats for 5% of the users. }, + // Feature Flags. + flags: { + // Enables source names in the signaling. + // sourceNameSignaling: false, + }, + // Disables moderator indicators. // disableModeratorIndicator: false, // Disables the reactions feature. // disableReactions: true, + // Disables the reactions moderation feature. + // disableReactionsModeration: false, + // Disables polls feature. // disablePolls: false, // Disables self-view tile. (hides it from tile view and from filmstrip) // disableSelfView: false, + // Disables self-view settings in UI + // disableSelfViewSettings: false, + + // screenshotCapture : { + // Enables the screensharing capture feature. + // enabled: false, + // + // The mode for the screenshot capture feature. + // Can be either 'recording' - screensharing screenshots are taken + // only when the recording is also on, + // or 'always' - screensharing screenshots are always taken. + // mode: 'recording' + // } + // Disables ICE/UDP by filtering out local and remote UDP candidates in // signalling. // webrtcIceUdpDisable: false, @@ -237,7 +260,11 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // max: 5 // }, - // Try to start calls with screen-sharing instead of camera video. + // This option has been deprecated since it is no longer supported as per the w3c spec. + // https://w3c.github.io/mediacapture-screen-share/#dom-mediadevices-getdisplaymedia. If the user has not + // interacted with the webpage before the getDisplayMedia call, the promise will be rejected by the browser. This + // has already been implemented in Firefox and Safari and will be implemented in Chrome soon. + // https://bugs.chromium.org/p/chromium/issues/detail?id=1198918 // startScreenSharing: false, // Recording 
@@ -459,6 +486,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // If Lobby is enabled starts knocking automatically. // autoKnockLobby: false, + // DEPRECATED! Use \`breakoutRooms.hideAddRoomButton\` instead. // Hides add breakout room button // hideAddRoomButton: false, @@ -491,12 +519,21 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Default remote name to be displayed // defaultRemoteDisplayName: 'Fellow Jitster', + // Hides the display name from the participant thumbnail + // hideDisplayName: false, + + // Hides the dominant speaker name badge that hovers above the toolbox + // hideDominantSpeakerBadge: false, + // Default language for the user interface. defaultLanguage: '${DEFAULT_LANGUAGE}', // Disables profile and the edit of all fields from the profile settings (display name and email) // disableProfile: false, + // Hides the email section under profile settings. + // hideEmailInSettings: false, + // Whether or not some features are checked based on token. // enableFeaturesBasedOnToken: false, @@ -541,6 +578,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Document should be focused for this option to work // enableAutomaticUrlCopy: false, + // Array with avatar URL prefixes that need to use CORS. + // corsAvatarURLs: [ 'https://www.gravatar.com/avatar/' ], + // Base URL for a Gravatar-compatible service. Defaults to libravatar. // gravatarBaseURL: 'https://seccdn.libravatar.org/avatar/', 
@@ -607,41 +647,61 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // alwaysVisible: false // }, - // Toolbar buttons which have their click event exposed through the API on - // \`toolbarButtonClicked\` event instead of executing the normal click routine. + // Toolbar buttons which have their click/tap event exposed through the API on + // \`toolbarButtonClicked\`. Passing a string for the button key will + // prevent execution of the click/tap routine; passing an object with \`key\` and + // \`preventExecution\` flag on false will not prevent execution of the click/tap + // routine. Below array with mixed mode for passing the buttons. // buttonsWithNotifyClick: [ - // 'camera', - // 'chat', - // 'closedcaptions', - // 'desktop', - // 'download', - // 'embedmeeting', - // 'etherpad', - // 'feedback', - // 'filmstrip', - // 'fullscreen', - // 'hangup', - // 'help', - // 'invite', - // 'livestreaming', - // 'microphone', - // 'mute-everyone', - // 'mute-video-everyone', - // 'participants-pane', - // 'profile', - // 'raisehand', - // 'recording', - // 'security', - // 'select-background', - // 'settings', - // 'shareaudio', - // 'sharedvideo', - // 'shortcuts', - // 'stats', - // 'tileview', - // 'toggle-camera', - // 'videoquality', - // '__end' + // 'camera', + // { + // key: 'chat', + // preventExecution: false + // }, + // { + // key: 'closedcaptions', + // preventExecution: true + // }, + // 'desktop', + // 'download', + // 'embedmeeting', + // 'etherpad', + // 'feedback', + // 'filmstrip', + // 'fullscreen', + // 'hangup', + // 'help', + // { + // key: 'invite', + // preventExecution: false + // }, + // 'livestreaming', + // 'microphone', + // 'mute-everyone', + // 'mute-video-everyone', + // 'participants-pane', + // 'profile', + // { + // key: 'raisehand', + // preventExecution: true + // }, + // 'recording', + // 'security', + // 'select-background', + // 'settings', + // 'shareaudio', + // 'sharedvideo', + // 'shortcuts', + // 
'stats', + // 'tileview', + // 'toggle-camera', + // 'videoquality', + // // The add passcode button from the security dialog. + // { + // key: 'add-passcode', + // preventExecution: false + // } + // '__end' // ], // List of pre meeting screens buttons to hide. The values must be one or more of the 5 allowed buttons: @@ -696,6 +756,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Enables detecting faces of participants and get their expression and send it to other participants // enableFacialRecognition: true, + // Enables displaying facial expressions in speaker stats + // enableDisplayFacialExpressions: true, + // Controls the percentage of automatic feedback shown to participants when callstats is enabled. // The default value is 100%. If set to 0, no automatic feedback will be requested // feedbackPercentage: 100, @@ -999,6 +1062,14 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) */ dynamicBrandingUrl: "${DYNAMIC_BRANDING_URL}", + // Options related to the breakout rooms feature. + // breakoutRooms: { + // // Hides the add breakout room button. This replaces \`hideAddRoomButton\`. + // hideAddRoomButton: false, + // // Hides the join breakout room button. + // hideJoinRoomButton: false + // }, + // When true the user cannot add more images to be used as virtual background. // Only the default ones from will be available. // disableAddingBackgroundImages: false, 
@@ -1017,14 +1088,15 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // If true, tile view will not be enabled automatically when the participants count threshold is reached. // disableTileView: true, - // If true, the tiles will be displayed contained within the available space rather than enlarged to cover it. + // If true, the tiles will be displayed contained within the available space rather than enlarged to cover it, + // with a 16:9 aspect ratio (old behaviour). // disableTileEnlargement: true, // Controls the visibility and behavior of the top header conference info labels. // If a label's id is not in any of the 2 arrays, it will not be visible at all on the header. // conferenceInfo: { // // those labels will not be hidden in tandem with the toolbox. - // alwaysVisible: ['recording', 'local-recording'], + // alwaysVisible: ['recording', 'local-recording', 'raised-hands-count'], // // those labels will be auto-hidden in tandem with the toolbox buttons. // autoHide: [ // 'subject', @@ -1038,10 +1110,10 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // }, // Hides the conference subject - // hideConferenceSubject: true, + // hideConferenceSubject: false, // Hides the conference timer. - // hideConferenceTimer: true, + // hideConferenceTimer: false, // Hides the recording label // hideRecordingLabel: false, @@ -1052,6 +1124,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Sets the conference subject // subject: 'Conference Subject', + // Sets the conference local subject + // localSubject: 'Conference Local Subject', + // This property is related to the use case when jitsi-meet is used via the IFrame API. When the property is true // jitsi-meet will use the local storage of the host page instead of its own. This option is useful if the browser // is not persisting the local storage inside the iframe. 
@@ -1114,6 +1189,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) forceJVB121Ratio forceTurnRelay hiddenDomain + hiddenFromRecorderFeatureEnabled ignoreStartMuted websocketKeepAlive websocketKeepAliveUrl @@ -1156,10 +1232,14 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // 'lobby.joinRejectedMessage', // shown when while in a lobby, user's request to join is rejected // 'lobby.notificationTitle', // shown when lobby is toggled and when join requests are allowed / denied // 'localRecording.localRecording', // shown when a local recording is started + // 'notify.chatMessages', // shown when receiving chat messages while the chat window is closed // 'notify.disconnected', // shown when a participant has left // 'notify.connectedOneMember', // show when a participant joined // 'notify.connectedTwoMembers', // show when two participants joined simultaneously // 'notify.connectedThreePlusMembers', // show when more than 2 participants joined simultaneously + // 'notify.leftOneMember', // show when a participant left + // 'notify.leftTwoMembers', // show when two participants left simultaneously + // 'notify.leftThreePlusMembers', // show when more than 2 participants left simultaneously // 'notify.grantedTo', // shown when moderator rights were granted to a participant // 'notify.invitedOneMember', // shown when 1 participant has been invited // 'notify.invitedThreePlusMembers', // shown when 3+ participants have been invited 
@@ -1174,6 +1254,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // 'notify.mutedTitle', // shown when user has been muted upon joining, // 'notify.newDeviceAudioTitle', // prompts the user to use a newly detected audio device // 'notify.newDeviceCameraTitle', // prompts the user to use a newly detected camera + // 'notify.participantWantsToJoin', // shown when lobby is enabled and participant requests to join meeting // 'notify.passwordRemovedRemotely', // shown when a password has been removed remotely // 'notify.passwordSetRemotely', // shown when a password has been set remotely // 'notify.raisedHand', // shown when a partcipant used raise hand, @@ -1197,6 +1278,13 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Prevent the filmstrip from autohiding when screen width is under a certain threshold // disableFilmstripAutohiding: false, + // filmstrip: { + // // Disables user resizable filmstrip. Also, allows configuration of the filmstrip + // // (width, tiles aspect ratios) through the interfaceConfig options. + // disableResizable: false, + // } + + // Specifies whether the chat emoticons are disabled or not // disableChatSmileys: false, diff --git a/type/__jitsi_meet_domain/files/config.js.sh.orig b/type/__jitsi_meet_domain/files/config.js.sh.orig index eb30636..0976642 100644 --- a/type/__jitsi_meet_domain/files/config.js.sh.orig +++ b/type/__jitsi_meet_domain/files/config.js.sh.orig 
@@ -74,18 +74,41 @@ var config = { // callStatsThreshold: 5 // enable callstats for 5% of the users. }, + // Feature Flags. + flags: { + // Enables source names in the signaling. + // sourceNameSignaling: false, + }, + // Disables moderator indicators. // disableModeratorIndicator: false, // Disables the reactions feature. // disableReactions: true, + // Disables the reactions moderation feature. + // disableReactionsModeration: false, + // Disables polls feature. // disablePolls: false, // Disables self-view tile. (hides it from tile view and from filmstrip) // disableSelfView: false, + // Disables self-view settings in UI + // disableSelfViewSettings: false, + + // screenshotCapture : { + // Enables the screensharing capture feature. + // enabled: false, + // + // The mode for the screenshot capture feature. + // Can be either 'recording' - screensharing screenshots are taken + // only when the recording is also on, + // or 'always' - screensharing screenshots are always taken. + // mode: 'recording' + // } + // Disables ICE/UDP by filtering out local and remote UDP candidates in // signalling. // webrtcIceUdpDisable: false, @@ -224,7 +247,11 @@ var config = { // max: 5 // }, - // Try to start calls with screen-sharing instead of camera video. + // This option has been deprecated since it is no longer supported as per the w3c spec. + // https://w3c.github.io/mediacapture-screen-share/#dom-mediadevices-getdisplaymedia. If the user has not + // interacted with the webpage before the getDisplayMedia call, the promise will be rejected by the browser. This + // has already been implemented in Firefox and Safari and will be implemented in Chrome soon. + // https://bugs.chromium.org/p/chromium/issues/detail?id=1198918 // startScreenSharing: false, // Recording 
@@ -446,6 +473,7 @@ var config = { // If Lobby is enabled starts knocking automatically. // autoKnockLobby: false, + // DEPRECATED! Use `breakoutRooms.hideAddRoomButton` instead. // Hides add breakout room button // hideAddRoomButton: false, @@ -478,12 +506,21 @@ var config = { // Default remote name to be displayed // defaultRemoteDisplayName: 'Fellow Jitster', + // Hides the display name from the participant thumbnail + // hideDisplayName: false, + + // Hides the dominant speaker name badge that hovers above the toolbox + // hideDominantSpeakerBadge: false, + // Default language for the user interface. // defaultLanguage: 'en', // Disables profile and the edit of all fields from the profile settings (display name and email) // disableProfile: false, + // Hides the email section under profile settings. + // hideEmailInSettings: false, + // Whether or not some features are checked based on token. // enableFeaturesBasedOnToken: false, @@ -528,6 +565,9 @@ var config = { // Document should be focused for this option to work // enableAutomaticUrlCopy: false, + // Array with avatar URL prefixes that need to use CORS. + // corsAvatarURLs: [ 'https://www.gravatar.com/avatar/' ], + // Base URL for a Gravatar-compatible service. Defaults to libravatar. // gravatarBaseURL: 'https://seccdn.libravatar.org/avatar/', 
@@ -594,41 +634,61 @@ var config = { // alwaysVisible: false // }, - // Toolbar buttons which have their click event exposed through the API on - // `toolbarButtonClicked` event instead of executing the normal click routine. + // Toolbar buttons which have their click/tap event exposed through the API on + // `toolbarButtonClicked`. Passing a string for the button key will + // prevent execution of the click/tap routine; passing an object with `key` and + // `preventExecution` flag on false will not prevent execution of the click/tap + // routine. Below array with mixed mode for passing the buttons. // buttonsWithNotifyClick: [ - // 'camera', - // 'chat', - // 'closedcaptions', - // 'desktop', - // 'download', - // 'embedmeeting', - // 'etherpad', - // 'feedback', - // 'filmstrip', - // 'fullscreen', - // 'hangup', - // 'help', - // 'invite', - // 'livestreaming', - // 'microphone', - // 'mute-everyone', - // 'mute-video-everyone', - // 'participants-pane', - // 'profile', - // 'raisehand', - // 'recording', - // 'security', - // 'select-background', - // 'settings', - // 'shareaudio', - // 'sharedvideo', - // 'shortcuts', - // 'stats', - // 'tileview', - // 'toggle-camera', - // 'videoquality', - // '__end' + // 'camera', + // { + // key: 'chat', + // preventExecution: false + // }, + // { + // key: 'closedcaptions', + // preventExecution: true + // }, + // 'desktop', + // 'download', + // 'embedmeeting', + // 'etherpad', + // 'feedback', + // 'filmstrip', + // 'fullscreen', + // 'hangup', + // 'help', + // { + // key: 'invite', + // preventExecution: false + // }, + // 'livestreaming', + // 'microphone', + // 'mute-everyone', + // 'mute-video-everyone', + // 'participants-pane', + // 'profile', + // { + // key: 'raisehand', + // preventExecution: true + // }, + // 'recording', + // 'security', + // 'select-background', + // 'settings', + // 'shareaudio', + // 'sharedvideo', + // 'shortcuts', + // 'stats', + // 'tileview', + // 'toggle-camera', + // 
'videoquality', + // // The add passcode button from the security dialog. + // { + // key: 'add-passcode', + // preventExecution: false + // } + // '__end' // ], // List of pre meeting screens buttons to hide. The values must be one or more of the 5 allowed buttons: @@ -683,6 +743,9 @@ var config = { // Enables detecting faces of participants and get their expression and send it to other participants // enableFacialRecognition: true, + // Enables displaying facial expressions in speaker stats + // enableDisplayFacialExpressions: true, + // Controls the percentage of automatic feedback shown to participants when callstats is enabled. // The default value is 100%. If set to 0, no automatic feedback will be requested // feedbackPercentage: 100, @@ -986,6 +1049,14 @@ var config = { */ // dynamicBrandingUrl: '', + // Options related to the breakout rooms feature. + // breakoutRooms: { + // // Hides the add breakout room button. This replaces `hideAddRoomButton`. + // hideAddRoomButton: false, + // // Hides the join breakout room button. + // hideJoinRoomButton: false + // }, + // When true the user cannot add more images to be used as virtual background. // Only the default ones from will be available. // disableAddingBackgroundImages: false, 
@@ -1004,14 +1075,15 @@ var config = { // If true, tile view will not be enabled automatically when the participants count threshold is reached. // disableTileView: true, - // If true, the tiles will be displayed contained within the available space rather than enlarged to cover it. + // If true, the tiles will be displayed contained within the available space rather than enlarged to cover it, + // with a 16:9 aspect ratio (old behaviour). // disableTileEnlargement: true, // Controls the visibility and behavior of the top header conference info labels. // If a label's id is not in any of the 2 arrays, it will not be visible at all on the header. // conferenceInfo: { // // those labels will not be hidden in tandem with the toolbox. - // alwaysVisible: ['recording', 'local-recording'], + // alwaysVisible: ['recording', 'local-recording', 'raised-hands-count'], // // those labels will be auto-hidden in tandem with the toolbox buttons. // autoHide: [ // 'subject', @@ -1025,10 +1097,10 @@ var config = { // }, // Hides the conference subject - // hideConferenceSubject: true, + // hideConferenceSubject: false, // Hides the conference timer. - // hideConferenceTimer: true, + // hideConferenceTimer: false, // Hides the recording label // hideRecordingLabel: false, @@ -1039,6 +1111,9 @@ var config = { // Sets the conference subject // subject: 'Conference Subject', + // Sets the conference local subject + // localSubject: 'Conference Local Subject', + // This property is related to the use case when jitsi-meet is used via the IFrame API. When the property is true // jitsi-meet will use the local storage of the host page instead of its own. This option is useful if the browser // is not persisting the local storage inside the iframe. @@ -1101,6 +1176,7 @@ var config = { forceJVB121Ratio forceTurnRelay hiddenDomain + hiddenFromRecorderFeatureEnabled ignoreStartMuted websocketKeepAlive websocketKeepAliveUrl 
@@ -1143,10 +1219,14 @@ var config = { // 'lobby.joinRejectedMessage', // shown when while in a lobby, user's request to join is rejected // 'lobby.notificationTitle', // shown when lobby is toggled and when join requests are allowed / denied // 'localRecording.localRecording', // shown when a local recording is started + // 'notify.chatMessages', // shown when receiving chat messages while the chat window is closed // 'notify.disconnected', // shown when a participant has left // 'notify.connectedOneMember', // show when a participant joined // 'notify.connectedTwoMembers', // show when two participants joined simultaneously // 'notify.connectedThreePlusMembers', // show when more than 2 participants joined simultaneously + // 'notify.leftOneMember', // show when a participant left + // 'notify.leftTwoMembers', // show when two participants left simultaneously + // 'notify.leftThreePlusMembers', // show when more than 2 participants left simultaneously // 'notify.grantedTo', // shown when moderator rights were granted to a participant // 'notify.invitedOneMember', // shown when 1 participant has been invited // 'notify.invitedThreePlusMembers', // shown when 3+ participants have been invited @@ -1161,6 +1241,7 @@ var config = { // 'notify.mutedTitle', // shown when user has been muted upon joining, // 'notify.newDeviceAudioTitle', // prompts the user to use a newly detected audio device // 'notify.newDeviceCameraTitle', // prompts the user to use a newly detected camera + // 'notify.participantWantsToJoin', // shown when lobby is enabled and participant requests to join meeting // 'notify.passwordRemovedRemotely', // shown when a password has been removed remotely // 'notify.passwordSetRemotely', // shown when a password has been set remotely // 'notify.raisedHand', // shown when a partcipant used raise hand, 
@@ -1184,6 +1265,13 @@ var config = { // Prevent the filmstrip from autohiding when screen width is under a certain threshold // disableFilmstripAutohiding: false, + // filmstrip: { + // // Disables user resizable filmstrip. Also, allows configuration of the filmstrip + // // (width, tiles aspect ratios) through the interfaceConfig options. + // disableResizable: false, + // } + + // Specifies whether the chat emoticons are disabled or not // disableChatSmileys: false, diff --git a/type/__jitsi_meet_domain/files/interface_config.js.sh b/type/__jitsi_meet_domain/files/interface_config.js.sh index abcf68b..094cc6e 100644 --- a/type/__jitsi_meet_domain/files/interface_config.js.sh +++ b/type/__jitsi_meet_domain/files/interface_config.js.sh @@ -37,7 +37,7 @@ var interfaceConfig = { CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it - DEFAULT_BACKGROUND: '#474747', + DEFAULT_BACKGROUND: '#040404', DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}', DEFAULT_WELCOME_PAGE_LOGO_URL: '${BRANDING_WATERMARK_PATH}', diff --git a/type/__jitsi_meet_domain/files/interface_config.js.sh.orig b/type/__jitsi_meet_domain/files/interface_config.js.sh.orig index c3a76af..cf97296 100644 --- a/type/__jitsi_meet_domain/files/interface_config.js.sh.orig +++ b/type/__jitsi_meet_domain/files/interface_config.js.sh.orig @@ -26,7 +26,7 @@ var interfaceConfig = { CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it - DEFAULT_BACKGROUND: '#474747', + DEFAULT_BACKGROUND: '#040404', DEFAULT_LOGO_URL: 'images/watermark.svg', DEFAULT_WELCOME_PAGE_LOGO_URL: 'images/watermark.svg', From a1b3a034c729d557e3e2d601000a74abbbcdbdf7 Mon Sep 17 00:00:00 2001 
From: Evilham Date: Thu, 10 Mar 2022 21:28:28 +0100 Subject: [PATCH 52/81] [__jitsi_meet_domain] Support the --state parameter This enables removing domains in a simple fashion. Closes #3. --- type/__jitsi_meet_domain/man.rst | 4 +++ type/__jitsi_meet_domain/manifest | 30 +++++++++++++++++-- .../parameter/default/state | 1 + type/__jitsi_meet_domain/parameter/optional | 1 + 4 files changed, 33 insertions(+), 3 deletions(-) create mode 100644 type/__jitsi_meet_domain/parameter/default/state diff --git a/type/__jitsi_meet_domain/man.rst b/type/__jitsi_meet_domain/man.rst index ff78287..b035555 100644 --- a/type/__jitsi_meet_domain/man.rst +++ b/type/__jitsi_meet_domain/man.rst @@ -60,6 +60,10 @@ start-video-muted Defaults to 10. +state + Whether the domain is 'present' or 'absent', defaults to 'present'. + + turn-server The TURN server to be used. Defaults to `__target_host`. diff --git a/type/__jitsi_meet_domain/manifest b/type/__jitsi_meet_domain/manifest index 5c92c1c..87af1b9 100755 --- a/type/__jitsi_meet_domain/manifest +++ b/type/__jitsi_meet_domain/manifest @@ -21,6 +21,7 @@ VIDEO_CONSTRAINTS="$(cat "${__object}/parameter/video-constraints")" BRANDING_INDEX="$(cat "${__object}/parameter/branding-index")" BRANDING_JSON="$(cat "${__object}/parameter/branding-json")" BRANDING_WATERMARK="$(cat "${__object}/parameter/branding-watermark")" +STATE="$(cat "${__object}/parameter/state")" if [ "${BRANDING_INDEX}" = "-" ]; then BRANDING_INDEX="${__object}/stdin" 
@@ -47,11 +48,31 @@ if [ -n "${BRANDING_JSON}" ]; then DYNAMIC_BRANDING_URL="/branding.json" fi +case "${STATE}" in + present) + # When adding the domain, Let's Encrypt must come before nginx + le_require="" + nginx_require="__letsencrypt_cert/${DOMAIN}" + ;; + absent) + # When removing, nginx must come before Let's Encrypt + le_require="__file/etc/nginx/sites-enabled/${DOMAIN}.conf" + nginx_require="" + ;; + *) + cat >> /dev/stderr <<-EOM + Unsupported state '${STATE}', must be 'present' or 'absent'. + EOM + exit 1 + ;; +esac + # # Deal with certbot # # use object id as domain -__letsencrypt_cert "${DOMAIN}" \ +require="${le_require}" __letsencrypt_cert "${DOMAIN}" \ + --state "${STATE}" \ --admin-email "${ADMIN_EMAIL}" \ --deploy-hook "service nginx reload" \ --webroot /usr/share/jitsi-meet @@ -59,8 +80,9 @@ __letsencrypt_cert "${DOMAIN}" \ # Create virtualhost for nginx # shellcheck source=type/__jitsi_meet_domain/files/nginx.sh . "${__type}/files/nginx.sh" # This defines JITSI_NGINX_CONFIG -require="__letsencrypt_cert/${DOMAIN}" __file \ +require="${nginx_require}" __file \ "/etc/nginx/sites-enabled/${DOMAIN}.conf" \ + --state "${STATE}" \ --mode 0644 --source "-" < Date: Mon, 14 Mar 2022 15:30:11 +0100 Subject: [PATCH 53/81] [__jitsi_meet]: Fix deprecated usage of __debconf_set_selections. Replace the --file parameter with the --line parameter, as recommended since cdist 6.9.6. --- type/__jitsi_meet/manifest | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest index 279444a..599af18 100755 --- a/type/__jitsi_meet/manifest +++ b/type/__jitsi_meet/manifest 
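Review bot: The error heredoc in the `*)` arm uses `<<-EOM`, which strips leading tabs only; if the body and the `EOM` terminator are indented with spaces (the indentation is not recoverable in this rendering) `sh` never finds the terminator and the whole manifest fails to parse, not just the unsupported-state path. Either indent that block with tabs or write it unindented as `cat <<EOM >&2` with `EOM` at column 0. The `absent` branch correctly reverses the dependency so the nginx vhost is removed before the certificate, matching the comments.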
@@ -51,9 +51,7 @@ export require="${require} __apt_source/jitsi_meet __apt_update_index" # Pre-feed debconf settings, so Jitsi's installation has a good config # shellcheck source=type/__jitsi_meet/files/debconf_settings.sh . "${__type}/files/debconf_settings.sh" # This defines DEBCONF_SETTINGS -__debconf_set_selections jitsi_meet --file - < Date: Mon, 14 Mar 2022 16:15:58 +0100 Subject: [PATCH 54/81] [__nginx_vhost]: follow Alpine vhost default directory change. Since nginx package version v1.10.1-r3, Alpine packagers have changed the default vhost directory from conf.d to http.d [0]. This reflects this change. [0]: alpine package commit 383ba9c0a200ed1f4b11d7db74207526ad90bbe3 --- type/__nginx_vhost/manifest | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/type/__nginx_vhost/manifest b/type/__nginx_vhost/manifest index f9ad84d..8b010f8 100644 --- a/type/__nginx_vhost/manifest +++ b/type/__nginx_vhost/manifest @@ -32,7 +32,7 @@ case "$os" in require="$install_reqs" __start_on_boot nginx - export NGINX_SITEDIR="$nginx_confdir/conf.d" + export NGINX_SITEDIR="$nginx_confdir/http.d" export NGINX_CERTDIR="$nginx_confdir/ssl" export NGINX_SNIPPETSDIR="$nginx_confdir/snippets" export NGINX_WEBROOT="/var/www" @@ -158,6 +158,7 @@ for snippet in hsts 301-to-https; do done # Install vhost. -require="$install_reqs" __file "$NGINX_SITEDIR/$__object_id.conf" \ +require="$install_reqs" __directory "$NGINX_SITEDIR" +require="__directory/$NGINX_SITEDIR" __file "$NGINX_SITEDIR/$__object_id.conf" \ --source "$vhost_conf" \ --mode 0644 From fa37ede84fd53fa0902cb74ab13dae5989cb5494 Mon Sep 17 00:00:00 2001 
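Review bot: The switch to `http.d` at the `export NGINX_SITEDIR="$nginx_confdir/http.d"` line is unconditional for the Alpine arm of `case "$os"`, while the commit message scopes it to nginx package 1.10.1-r3 and later; a host whose nginx.conf still includes `conf.d` would get a vhost file nginx never reads. A comment such as `# Alpine nginx >= 1.10.1-r3 includes http.d instead of conf.d` at that line would record the assumption. In the second hunk the new `__directory "$NGINX_SITEDIR"` object creates the directory but nothing removes a vhost previously installed under `conf.d`, so an in-place upgrade may leave a second copy of `$__object_id.conf` behind; whether it is still loaded depends on the target's nginx.conf, so a `__file "$nginx_confdir/conf.d/$__object_id.conf" --state absent` may be warranted. The enclosing `case "$os"` block begins outside the hunk.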
From: Evilham Date: Sun, 10 Apr 2022 19:45:08 +0200 Subject: [PATCH 55/81] [__jitsi_meet] Unconfuse jitsi-version and secured domains Closes #14 by committing to keeping the package up to date as promptly as possible; else weird things happen and there are no real good solutions for this. E.g. we have seen in the past that due to security issues, a jitsi dependency needs to be upgraded, but some package that jitsi-meet depends upon also has an upper limit on that package's version. A note was added to the manpage in order make it explicit that maintenance of this type can be sponsored to ensure its proper functioning. Closes #15 by using `__file`. This will also allow us to have more control over jicofo's settings, which might be important when we start doing recordings. Sponsored by: lafede.cat --- type/__jitsi_meet/files/jicofo.conf.sh | 34 +++++++++++++++++ .../default => files}/jitsi-version | 0 type/__jitsi_meet/gencode-remote | 2 +- type/__jitsi_meet/man.rst | 18 +++++---- type/__jitsi_meet/manifest | 38 +++++++++---------- .../parameter/deprecated/jitsi-version | 4 ++ 6 files changed, 67 insertions(+), 29 deletions(-) create mode 100755 type/__jitsi_meet/files/jicofo.conf.sh rename type/__jitsi_meet/{parameter/default => files}/jitsi-version (100%) create mode 100644 type/__jitsi_meet/parameter/deprecated/jitsi-version diff --git a/type/__jitsi_meet/files/jicofo.conf.sh b/type/__jitsi_meet/files/jicofo.conf.sh new file mode 100755 index 0000000..61a782a --- /dev/null +++ b/type/__jitsi_meet/files/jicofo.conf.sh @@ -0,0 +1,34 @@ +#!/bin/sh -eu + +# Start +cat < COPYING ------- -Copyright \(C) 2021 Evilham. +Copyright \(C) 2022 Evilham. diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest index 599af18..e9ed5c6 100755 --- a/type/__jitsi_meet/manifest +++ b/type/__jitsi_meet/manifest 
@@ -13,8 +13,13 @@ esac JITSI_HOST="${__target_host}" -# Currently unused, see below -# JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")" +if [ -f "${__object}/parameter/jitsi-version" ]; then + # This has been deprecated and will be removed 'soon' + JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")" +else + # Note this won't be a parameter anymore, we won't let users stay behind + JITSI_VERSION="$(cat "${__type}/files/jitsi-version")" +fi TURN_SERVER="$(cat "${__object}/parameter/turn-server")" TURN_SECRET="$(cat "${__object}/parameter/turn-secret")" @@ -55,11 +60,12 @@ __debconf_set_selections jitsi_meet --line "${DEBCONF_SETTINGS}" export require="${require} __debconf_set_selections/jitsi_meet" # Install and upgrade packages as needed -__package_apt jitsi-meet -# We are not doing version pinning anymore because it breaks when -# the version is not the latest. -# This happens because dependencies cannot be properly resolved. -# --version "${JITSI_VERSION}" +# NOTE: we are doing version pinning again, but it breaks sometimes when +# the version is not the latest. +# This happens because dependencies might not be properly resolved. +# To avoid this, this type must be maintained up to date. +# If we don't use this, keeping Jitsi's up to date is very difficult. +__package_apt jitsi-meet --version "${JITSI_VERSION}" # Proceed only after installation/upgrade has finished export require="__package_apt/jitsi-meet" @@ -151,10 +157,8 @@ EOF if [ -f "${__object}/parameter/secured-domains" ]; then SECURED_DOMAINS_STATE='present' - SECURED_DOMAINS_STATE_JICOFO='present' else SECURED_DOMAINS_STATE='absent' - SECURED_DOMAINS_STATE_JICOFO='absent' fi __file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \ 
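Review bot: The new `__package_apt jitsi-meet --version "${JITSI_VERSION}"` pin means a target no longer receives jitsi-meet updates from the apt repository, security fixes included, until `files/jitsi-version` in this type is bumped; the NOTE comment above it explains the dependency-resolution motive but not this consequence. Consider extending it with `# The pin also holds back security updates: bump files/jitsi-version promptly.` so the maintenance commitment from the commit message is visible where the pin lives. The deprecated `parameter/jitsi-version` branch in the first hunk still honours a user-chosen version; the diffstat shows a `parameter/deprecated/jitsi-version` file, which I believe makes cdist emit a deprecation warning on use, so that branch only needs the removal plan the comment already mentions.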
@@ -169,18 +173,10 @@ VirtualHost "guest.${JITSI_HOST}" c2s_require_encryption = false EOF -__block jitsi_jicofo_secured_domains \ - --prefix "// begin cdist: jicofo_secured_domains" \ - --suffix "// end cdist: jicofo_secured_domains" \ - --file /etc/jitsi/jicofo/jicofo.conf \ - --state "${SECURED_DOMAINS_STATE_JICOFO}" \ - --text '-' < Date: Sat, 16 Apr 2022 13:22:16 +0200 Subject: [PATCH 56/81] [__jitsi_meet_domain] Simplify logic for secured domains --- type/__jitsi_meet_domain/files/config.js.sh | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/type/__jitsi_meet_domain/files/config.js.sh b/type/__jitsi_meet_domain/files/config.js.sh index 58df3fc..7fec422 100644 --- a/type/__jitsi_meet_domain/files/config.js.sh +++ b/type/__jitsi_meet_domain/files/config.js.sh @@ -13,14 +13,8 @@ var config = { domain: '${JITSI_HOST}', // When using authentication, domain for guest users. -$( if [ -n "${SECURED_DOMAINS}" ]; then cat<. // authdomain: '${JITSI_HOST}', From a12b343660254f5135aba81013d8ad80f161c21d Mon Sep 17 00:00:00 2001 From: Evilham Date: Thu, 21 Apr 2022 13:13:12 +0200 Subject: [PATCH 57/81] [__jitsi_meet_domain] Add analytics settings parameter with this, admins can take advantage of e.g. matomo to have some usage statistics. The parameter defaults to `disabled: true`, which is the most privacy-friendly! Sponsored by: camilion.eu --- type/__jitsi_meet_domain/files/config.js.sh | 1 + type/__jitsi_meet_domain/man.rst | 5 +++++ type/__jitsi_meet_domain/manifest | 1 + .../__jitsi_meet_domain/parameter/default/analytics-settings | 1 + type/__jitsi_meet_domain/parameter/optional | 1 + 5 files changed, 9 insertions(+) create mode 100644 type/__jitsi_meet_domain/parameter/default/analytics-settings diff --git a/type/__jitsi_meet_domain/files/config.js.sh b/type/__jitsi_meet_domain/files/config.js.sh index 7fec422..506e62d 100644 --- a/type/__jitsi_meet_domain/files/config.js.sh +++ b/type/__jitsi_meet_domain/files/config.js.sh 
@@ -817,6 +817,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) }, analytics: { +${ANALYTICS_SETTINGS} // True if the analytics should be disabled // disabled: false, diff --git a/type/__jitsi_meet_domain/man.rst b/type/__jitsi_meet_domain/man.rst index b035555..dd8c852 100644 --- a/type/__jitsi_meet_domain/man.rst +++ b/type/__jitsi_meet_domain/man.rst @@ -41,6 +41,11 @@ admin-email OPTIONAL PARAMETERS ------------------- +analytics-settings + This goes inside the `analytics` part of `config.js`. + Defaults to: `disabled: true`. + See: https://github.com/jitsi/jitsi-meet/blob/master/config.js + channel-last-n Default value for the "last N" attribute. Defaults to 20. Set to -1 for unlimited. diff --git a/type/__jitsi_meet_domain/manifest b/type/__jitsi_meet_domain/manifest index 87af1b9..abc8a1a 100755 --- a/type/__jitsi_meet_domain/manifest +++ b/type/__jitsi_meet_domain/manifest @@ -18,6 +18,7 @@ NOTICE_MESSAGE="$(cat "${__object}/parameter/notice-message")" START_VIDEO_MUTED="$(cat "${__object}/parameter/start-video-muted")" TURN_SERVER="$(cat "${__object}/parameter/turn-server")" VIDEO_CONSTRAINTS="$(cat "${__object}/parameter/video-constraints")" +ANALYTICS_SETTINGS="$(cat "${__object}/parameter/analytics-settings")" BRANDING_INDEX="$(cat "${__object}/parameter/branding-index")" BRANDING_JSON="$(cat "${__object}/parameter/branding-json")" BRANDING_WATERMARK="$(cat "${__object}/parameter/branding-watermark")" diff --git a/type/__jitsi_meet_domain/parameter/default/analytics-settings b/type/__jitsi_meet_domain/parameter/default/analytics-settings new file mode 100644 index 0000000..561a7d6 --- /dev/null +++ b/type/__jitsi_meet_domain/parameter/default/analytics-settings @@ -0,0 +1 @@ + disabled: true diff --git a/type/__jitsi_meet_domain/parameter/optional b/type/__jitsi_meet_domain/parameter/optional index ce50f0d..1289b85 100644 --- a/type/__jitsi_meet_domain/parameter/optional +++ b/type/__jitsi_meet_domain/parameter/optional 
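Review bot: `${ANALYTICS_SETTINGS}` is emitted verbatim into the `analytics: {` object of config.js with no trailing comma appended; the lines following it in the hunk are comments, so whether a value without a trailing comma (the default ` disabled: true` has none) still yields valid JavaScript depends on the first uncommented member after this hunk, which is outside the view. Because the parameter is injected unescaped into a file served to every browser, the man.rst entry should state that the value must be a JavaScript object-member fragment and that only the cdist operator is expected to set it; a template comment such as `// cdist: ANALYTICS_SETTINGS is inserted verbatim and must be valid JS members` would help the next maintainer. The enclosing `var config = {` literal starts and ends outside the hunk.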
@@ -1,3 +1,4 @@
+analytics-settings
 channel-last-n
 default-language
 notice-message
From 87cc109bf1753d4a10ca7b9143b6a655cd4d1baa Mon Sep 17 00:00:00 2001
From: Evilham
Date: Thu, 21 Apr 2022 13:20:30 +0200
Subject: [PATCH 58/81] [__jitsi_meet*] Make rooms on different domains not equivalent This is a backwards-compatible change. We switch the approach from "treat all domains as if they were the main domain" to: "each domain has its own prosody settings". This works perfectly fine, even with secured domains. There is a caveat with secured domains, in that they use the main domain to log in; this means that users are shared across all domains (as they were before this commit). This is due to jicofo refusing to start meetings from a domain that is not configured, and it only accepting one domain. Right now, this is acceptable, however we could want to authenticate against e.g. different LDAP / IMAP servers in the future, so this would need addressing at that stage. Probably the best way to solve it is by patching jicofo, so it accepts starting conferences from multiple domains and getting that patch upstream. Sponsored by: camilion.eu, eXO.cat
---
 type/__jitsi_meet/files/prosody.cfg.lua.sh | 1 +
 type/__jitsi_meet/gencode-remote | 3 +-
 type/__jitsi_meet/manifest | 24 ++-
 .../files/_update_jitsi_configurations.sh | 1 +
 type/__jitsi_meet_domain/files/config.js.sh | 19 +-
 type/__jitsi_meet_domain/files/nginx.sh | 4 +-
 .../files/prosody.cfg.lua.sh | 199 ++++++++++++++++++
 .../files/prosody.cfg.lua.sh.orig | 129 ++++++++++++
 type/__jitsi_meet_domain/man.rst | 18 +-
 type/__jitsi_meet_domain/manifest | 35 +++
 10 files changed, 403 insertions(+), 30 deletions(-)
 create mode 120000 type/__jitsi_meet/files/prosody.cfg.lua.sh
 create mode 100644 type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
 create mode 100644 type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig
diff --git a/type/__jitsi_meet/files/prosody.cfg.lua.sh b/type/__jitsi_meet/files/prosody.cfg.lua.sh new file mode 120000 index 0000000..93678b9 --- /dev/null +++ b/type/__jitsi_meet/files/prosody.cfg.lua.sh @@ -0,0 +1 @@ +../../__jitsi_meet_domain/files/prosody.cfg.lua.sh \ No newline at end of file diff --git a/type/__jitsi_meet/gencode-remote b/type/__jitsi_meet/gencode-remote index 7d181b7..670c7be 100755 --- a/type/__jitsi_meet/gencode-remote +++ b/type/__jitsi_meet/gencode-remote @@ -4,8 +4,7 @@ if grep -qE "^__file/etc/nginx" "${__messages_in}"; then echo "service nginx reload" fi -JITSI_HOST="${__object_id}" -if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua|__file/etc/jitsi/jicofo/jicofo.conf)" "${__messages_in}"; then +if grep -qE "^(__line/jitsi_jicofo_secured_domains|(__file|__link)/etc/prosody/conf.d/|__file/etc/jitsi/jicofo/jicofo.conf)" "${__messages_in}"; then echo "systemctl restart prosody" echo "systemctl restart jicofo" echo "systemctl restart jitsi-videobridge2" diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest index e9ed5c6..02716a0 100755 --- a/type/__jitsi_meet/manifest +++ b/type/__jitsi_meet/manifest @@ -161,18 +161,22 @@ else SECURED_DOMAINS_STATE='absent' fi -__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \ - --owner prosody --group prosody --mode 0440 \ - --state ${SECURED_DOMAINS_STATE} \ - --source - <. - // authdomain: '${JITSI_HOST}', + // NOTE [cdist]: if we use '${DOMAIN}', jicofo won't start the meeting + authdomain: '${JITSI_HOST}', // Focus component domain. Defaults to focus.. - // focus: 'focus.${JITSI_HOST}', + focus: 'focus.${JITSI_HOST}', // XMPP MUC domain. FIXME: use XEP-0030 to discover it. - muc: 'conference.${JITSI_HOST}' + muc: 'conference.${DOMAIN}' }, // BOSH URL. FIXME: use XEP-0156 to discover it. 
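Review bot: The rewritten `grep -qE` pattern in `gencode-remote` keeps the `__line/jitsi_jicofo_secured_domains` alternative, but the earlier patch in this series removed the `__block jitsi_jicofo_secured_domains` object in favour of `__file /etc/jitsi/jicofo/jicofo.conf`, which this pattern already matches; the `__line/...` branch appears to be dead. Dropping it, or annotating it with `# legacy: only matches objects from older versions of this type`, keeps the restart trigger readable. The broadened `(__file|__link)/etc/prosody/conf.d/` branch now restarts prosody, jicofo and the videobridge for any change under that directory, which looks intended for the per-domain files but deserves a one-line comment so it is not narrowed back by accident.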
@@ -31,12 +32,12 @@ var config = { bosh: '///http-bind', // Websocket URL - // websocket: 'wss://${JITSI_HOST}/xmpp-websocket', + // websocket: 'wss://${DOMAIN}/xmpp-websocket', // The real JID of focus participant - can be overridden here // Do not change username - FIXME: Make focus username configurable // https://github.com/jitsi/jitsi-meet/issues/7376 - // focusUserJid: 'focus@auth.${JITSI_HOST}', + focusUserJid: 'focus@auth.${JITSI_HOST}', // Testing / experimental features. @@ -270,9 +271,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // appKey: '' // Specify your app key here. // // A URL to redirect the user to, after authenticating // // by default uses: - // // 'https://${JITSI_HOST}/static/oauth.html' + // // 'https://${DOMAIN}/static/oauth.html' // redirectURI: - // 'https://${JITSI_HOST}/subfolder/static/oauth.html' + // 'https://${DOMAIN}/subfolder/static/oauth.html' // }, // When integrations like dropbox are enabled only that will be shown, // by enabling fileRecordingsServiceEnabled, we show both the integrations diff --git a/type/__jitsi_meet_domain/files/nginx.sh b/type/__jitsi_meet_domain/files/nginx.sh index 6e874c1..e678dce 100644 --- a/type/__jitsi_meet_domain/files/nginx.sh +++ b/type/__jitsi_meet_domain/files/nginx.sh @@ -100,7 +100,7 @@ server { proxy_set_header X-Forwarded-For \$remote_addr; # Prevision for 'multi-domain' jitsi instances # https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391 - proxy_set_header Host ${JITSI_HOST}; + proxy_set_header Host ${DOMAIN}; } # xmpp websockets @@ -111,7 +111,7 @@ server { proxy_set_header Connection "upgrade"; # Prevision for 'multi-domain' jitsi instances # https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391 - proxy_set_header Host ${JITSI_HOST}; + proxy_set_header Host ${DOMAIN}; tcp_nodelay on; } 
diff --git a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh new file mode 100644 index 0000000..928ce32 --- /dev/null +++ b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh @@ -0,0 +1,199 @@ +#!/bin/sh -eu + +# Source: +# https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example +FOCUS_USER="focus" +JITSI_DOMAIN="${JITSI_DOMAIN:-${JITSI_HOST:?}}" +# PROSODY_MAIN_CONFIG: defined in __jitsi_meet, empty in __jitsi_meet_domain +PROSODY_SECUREDOMAIN_START="--[[" +PROSODY_SECUREDOMAIN_END="--]]" +if [ -n "${PROSODY_MAIN_CONFIG}" ]; then + PROSODY_MAIN_START="" + PROSODY_MAIN_END="" + PROSODY_DOMAIN_START="--[[" + PROSODY_DOMAIN_END="--]]" +else + PROSODY_MAIN_START="--[[" + PROSODY_MAIN_END="--]]" + PROSODY_DOMAIN_START="" + PROSODY_DOMAIN_END="" + if [ -n "${SECURED_DOMAINS}" ]; then + PROSODY_SECUREDOMAIN_START="" + PROSODY_SECUREDOMAIN_END="" + fi +fi +# Websockets haven't been fully tested in this type and don't work reliably +PROSODY_WEBSOCKET="-- " + +# shellcheck disable=SC2034 # This is intended to be included +PROSODY_CONFIG="$(cat < Date: Thu, 21 Apr 2022 14:34:33 +0200 Subject: [PATCH 59/81] [__jitsi_meet] Adapt jicofo and videobridge memory usage This enables us to setup smaller jitsi instances that work reliably. We set 3 threshholds: - < 3G RAM: use 0.75G max memory - < 5G RAM: use 1G max memory - < 8G RAM: use 2G max memory - >= 8G RAM: use 3G max memory (jitsi's default) For more information as to why and how this is done, see: https://gitlab.com/guifi-exo/projectes/-/issues/318 https://github.com/jitsi/jitsi-meet/issues/6589 as investigated back in the day by @pedro Sponsored by: camilion.eu, eXO.cat --- type/__jitsi_meet/explorer/configured-memory | 15 +++++++++ type/__jitsi_meet/gencode-remote | 33 ++++++++++++++++++++ type/__jitsi_meet/man.rst | 2 ++ 3 files changed, 50 insertions(+) create mode 100755 type/__jitsi_meet/explorer/configured-memory 
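Review bot: Under the file's `#!/bin/sh -eu`, the `if [ -n "${PROSODY_MAIN_CONFIG}" ]` test and the nested `if [ -n "${SECURED_DOMAINS}" ]` test abort the whole script when the including manifest leaves either variable unset rather than empty; the comment says `PROSODY_MAIN_CONFIG` is "empty in __jitsi_meet_domain", which only holds if that manifest actually assigns it. Writing `${PROSODY_MAIN_CONFIG:-}` and `${SECURED_DOMAINS:-}` makes the documented empty case explicit while keeping `-u` protection for everything else, and matches the `JITSI_DOMAIN="${JITSI_DOMAIN:-${JITSI_HOST:?}}"` line already in the hunk. The generated configuration after `PROSODY_CONFIG="$(cat <` is cut off in this view, so I cannot tell whether the comment-fence variables are used consistently there.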
diff --git a/type/__jitsi_meet/explorer/configured-memory b/type/__jitsi_meet/explorer/configured-memory new file mode 100755 index 0000000..658f94b --- /dev/null +++ b/type/__jitsi_meet/explorer/configured-memory @@ -0,0 +1,15 @@ +#!/bin/sh -eu + +JICOFO="/usr/share/jicofo/jicofo.sh" +VIDEOBRIDGE="/usr/share/jitsi-videobridge/lib/videobridge.rc" + +if [ -f "${JICOFO:?}" ]; then + jicofo_memory="$(grep JICOFO_MAX_MEMORY= "${JICOFO:?}" | cut -d= -f 2 | cut -d ";" -f 1)" +fi +if [ -f "${VIDEOBRIDGE:?}" ]; then + vb_memory="$(grep VIDEOBRIDGE_MAX_MEMORY= "${VIDEOBRIDGE:?}" | cut -d= -f 2)" +fi +cat < Date: Thu, 21 Apr 2022 14:44:10 +0200 Subject: [PATCH 60/81] [__jitsi_meet] Fix adjustment of jicofo's max memory Leftover from last commit >,< Sponsored by: camilion.eu, eXO.cat --- type/__jitsi_meet/gencode-remote | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/type/__jitsi_meet/gencode-remote b/type/__jitsi_meet/gencode-remote index d939347..435bbf4 100755 --- a/type/__jitsi_meet/gencode-remote +++ b/type/__jitsi_meet/gencode-remote @@ -24,7 +24,7 @@ if cut -f 2 "${__object}/explorer/configured-memory" | grep -qvE "^${MAX_MEMORY} -e 's!^(#[[:space:]]*)?(VIDEOBRIDGE_MAX_MEMORY)=.*\$!\2=${MAX_MEMORY}!' \ /usr/share/jitsi-videobridge/lib/videobridge.rc sed -i.tmp -E \ - -e 's!^(JICOFO_MAX_MEMORY)[^;]+;!\1=${MAX_MEMORY};!' \ + -e 's!(JICOFO_MAX_MEMORY)[^;]+;!\1=${MAX_MEMORY};!' \ /usr/share/jicofo/jicofo.sh EOF fi From 1658121549dd902714cc0751758e95b0830dc592 Mon Sep 17 00:00:00 2001 
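Review bot: In `explorer/configured-memory`, `jicofo_memory` and `vb_memory` are only assigned inside the `if [ -f ... ]` guards, so on a target where either file is missing the variable stays unset; with `#!/bin/sh -eu`, a reference in the final `cat` heredoc (cut off in this view, but presumably where the values are printed) then aborts the explorer instead of reporting an empty value. Initialising `jicofo_memory=""` and `vb_memory=""` before the guards gives the manifest a stable result in both the missing-file and missing-line cases, since the `grep ... | cut` pipelines already yield an empty string when the line is absent.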
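Review bot: Dropping the `^` anchor in the `sed` expression for `/usr/share/jicofo/jicofo.sh` makes `(JICOFO_MAX_MEMORY)[^;]+;` match the name anywhere on a line, so any other occurrence followed by a `;` on the same line — a `$JICOFO_MAX_MEMORY` use, for instance — would be rewritten into an assignment as well. If the exact upstream form is known, a comment above `sed -i.tmp -E` naming it, e.g. `# rewrites the 'JICOFO_MAX_MEMORY=...;' fragment of the upstream launcher`, would make the regex reviewable, and a tighter left boundary than "anywhere" would be safer. Note that `sed -i.tmp` also leaves `jicofo.sh.tmp` beside the launcher on every run that changes it. The enclosing `if cut -f 2 ...; then` and the heredoc begin outside the hunk.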
From: Evilham Date: Thu, 21 Apr 2022 15:52:47 +0200 Subject: [PATCH 61/81] [__jitsi_meet*] Update to 2.0.7210 While there, make things a tad easier to maintain. Note that in this version, jitsi switches to using nginx upstreams; it shouldn't be relevant for instances fully managed with these types. Sponsored by: camilion.eu, eXO.cat --- type/__jitsi_meet/files/jitsi-version | 2 +- type/__jitsi_meet/manifest | 21 ++++ .../files/_update_jitsi_configurations.sh | 6 +- type/__jitsi_meet_domain/files/config.js.sh | 99 ++++++++++++++--- .../files/config.js.sh.orig | 100 +++++++++++++++--- type/__jitsi_meet_domain/files/jitsi-version | 1 + type/__jitsi_meet_domain/files/nginx.sh | 21 +++- type/__jitsi_meet_domain/files/nginx.sh.orig | 18 +++- .../files/prosody.cfg.lua.sh | 10 ++ .../files/prosody.cfg.lua.sh.orig | 10 ++ 10 files changed, 246 insertions(+), 42 deletions(-) mode change 100644 => 120000 type/__jitsi_meet/files/jitsi-version create mode 100644 type/__jitsi_meet_domain/files/jitsi-version diff --git a/type/__jitsi_meet/files/jitsi-version b/type/__jitsi_meet/files/jitsi-version deleted file mode 100644 index 4b02224..0000000 --- a/type/__jitsi_meet/files/jitsi-version +++ /dev/null @@ -1 +0,0 @@ -2.0.7001-1 diff --git a/type/__jitsi_meet/files/jitsi-version b/type/__jitsi_meet/files/jitsi-version new file mode 120000 index 0000000..179d1a4 --- /dev/null +++ b/type/__jitsi_meet/files/jitsi-version @@ -0,0 +1 @@ +../../__jitsi_meet_domain/files/jitsi-version \ No newline at end of file diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest index 02716a0..6a9d962 100755 --- a/type/__jitsi_meet/manifest +++ b/type/__jitsi_meet/manifest 
@@ -155,6 +155,27 @@ server { } EOF +# Starting from 2.0.7210, jitsi defines following nginx upstreams +__directory "${NGINX_ETC}/conf.d" --state present +require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/prosody.conf" \ + --mode 644 \ + --source - << EOF +upstream prosody { + zone upstreams 64K; + server 127.0.0.1:5280; + keepalive 2; +} +EOF +require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/jvb1.conf" \ + --mode 644 \ + --source - << EOF +upstream jvb1 { + zone upstreams 64K; + server 127.0.0.1:9090; + keepalive 2; +} +EOF + if [ -f "${__object}/parameter/secured-domains" ]; then SECURED_DOMAINS_STATE='present' else diff --git a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh index 1b40768..12c405b 100755 --- a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh +++ b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh @@ -7,7 +7,7 @@ # We could automate this, but are using it as an indicator for the # latest branch with which we conciliated changes. -BRANCH="jitsi-meet_7001" +BRANCH="jitsi-meet_7210" REPO="https://github.com/jitsi/jitsi-meet" get_url() { @@ -29,3 +29,7 @@ download_file config.js download_file interface_config.js download_file doc/debian/jitsi-meet/jitsi-meet.example nginx.sh.orig download_file doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example prosody.cfg.lua.sh.orig + +# Change the version file, maintainers should check that it matches +# the deb version +printf "2.0.${BRANCH#*_}-1" > jitsi-version diff --git a/type/__jitsi_meet_domain/files/config.js.sh b/type/__jitsi_meet_domain/files/config.js.sh index 357d720..0eca916 100644 --- a/type/__jitsi_meet_domain/files/config.js.sh +++ b/type/__jitsi_meet_domain/files/config.js.sh 
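Review bot: The two new `__file` objects for `conf.d/prosody.conf` and `conf.d/jvb1.conf` use `--mode 644`, while the other manifests in this series write `--mode 0644`; both reach chmod unchanged, but a single spelling avoids a spurious diff later. In `_update_jitsi_configurations.sh`, `printf "2.0.${BRANCH#*_}-1" > jitsi-version` passes the expanded value as the format string; `printf '%s' "2.0.${BRANCH#*_}-1" > jitsi-version` is the idiomatic form and produces the same bytes for the current value. The `# Change the version file` comment could also state why no trailing newline is written, presumably because the manifest uses the file's content verbatim via `cat`.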
@@ -85,6 +85,10 @@ var config = { flags: { // Enables source names in the signaling. // sourceNameSignaling: false, + + // Enables sending multiple video streams, i.e., camera and desktop tracks can be shared in the conference + // separately as two different streams instead of one composite stream. + // sendMultipleVideoStreams: false }, // Disables moderator indicators. @@ -481,6 +485,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // If Lobby is enabled starts knocking automatically. // autoKnockLobby: false, + // Enable lobby chat. + // enableLobbyChat: true, + // DEPRECATED! Use \`breakoutRooms.hideAddRoomButton\` instead. // Hides add breakout room button // hideAddRoomButton: false, @@ -520,7 +527,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Hides the dominant speaker name badge that hovers above the toolbox // hideDominantSpeakerBadge: false, - // Default language for the user interface. + // Default language for the user interface. Cannot be overwritten. defaultLanguage: '${DEFAULT_LANGUAGE}', // Disables profile and the edit of all fields from the profile settings (display name and email) @@ -607,7 +614,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // 'fullscreen', // 'hangup', // 'help', + // 'highlight', // 'invite', + // 'linktosalesforce', // 'livestreaming', // 'microphone', // 'mute-everyone', @@ -639,7 +648,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // timeout: 4000, // // Moved from interfaceConfig.TOOLBAR_ALWAYS_VISIBLE // // Whether toolbar should be always visible or should hide after x miliseconds. - // alwaysVisible: false + // alwaysVisible: false, + // // Indicates whether the toolbar should still autohide when chat is open + // autoHideWhileChatIsOpen: false // }, // Toolbar buttons which have their click/tap event exposed through the API on 
@@ -748,11 +759,22 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Enables sending participants' emails (if available) to callstats and other analytics // enableEmailInStats: false, - // Enables detecting faces of participants and get their expression and send it to other participants - // enableFacialRecognition: true, + // faceLandmarks: { + // // Enables sharing your face cordinates. Used for centering faces within a video. + // enableFaceCentering: false, - // Enables displaying facial expressions in speaker stats - // enableDisplayFacialExpressions: true, + // // Enables detecting face expressions and sharing data with other participants + // enableFaceExpressionsDetection: false, + + // // Enables displaying face expressions in speaker stats + // enableDisplayFaceExpressions: false, + + // // Minimum required face movement percentage threshold for sending new face centering coordinates data. + // faceCenteringThreshold: 10, + + // // Miliseconds for processing a new image capture in order to detect face coordinates if they exist. + // captureInterval: 100 + // }, // Controls the percentage of automatic feedback shown to participants when callstats is enabled. // The default value is 100%. If set to 0, no automatic feedback will be requested 
@@ -940,14 +962,18 @@ ${ANALYTICS_SETTINGS} // Options related to end-to-end (participant to participant) ping. // e2eping: { - // // The interval in milliseconds at which pings will be sent. - // // Defaults to 10000, set to <= 0 to disable. - // pingInterval: 10000, + // // Whether ene-to-end pings should be enabled. + // enabled: false, // - // // The interval in milliseconds at which analytics events - // // with the measured RTT will be sent. Defaults to 60000, set - // // to <= 0 to disable. - // analyticsInterval: 60000, + // // The number of responses to wait for. + // numRequests: 5, + // + // // The max conference size in which e2e pings will be sent. + // maxConferenceSize: 200, + // + // // The maximum number of e2e ping messages per second for the whole conference to aim for. + // // This is used to contol the pacing of messages in order to reduce the load on the backend. + // maxMessagesPerSecond: 250 // }, // If set, will attempt to use the provided video input device label when 
@@ -989,12 +1015,25 @@ ${ANALYTICS_SETTINGS} // Options related to the remote participant menu. // remoteVideoMenu: { + // // Whether the remote video context menu to be rendered or not. + // disabled: true, // // If set to true the 'Kick out' button will be disabled. // disableKick: true, // // If set to true the 'Grant moderator' button will be disabled. - // disableGrantModerator: true + // disableGrantModerator: true, + // // If set to true the 'Send private message' button will be disabled. + // disablePrivateChat: true // }, + // Endpoint that enables support for salesforce integration with in-meeting resource linking + // This is required for: + // listing the most recent records - salesforceUrl/records/recents + // searching records - salesforceUrl/records?text=${text} + // retrieving record details - salesforceUrl/records/${id}?type=${type} + // and linking the meeting - salesforceUrl/sessions/${sessionId}/records/${id} + // + // salesforceUrl: 'https://api.example.com/', + // If set to true all muting operations of remote participants will be disabled. // disableRemoteMute: true, @@ -1101,7 +1140,8 @@ ${ANALYTICS_SETTINGS} // 'e2ee', // 'transcribing', // 'video-quality', - // 'insecure-room' + // 'insecure-room', + // 'highlight-moment' // ] // }, @@ -1241,6 +1281,7 @@ ${ANALYTICS_SETTINGS} // 'notify.invitedThreePlusMembers', // shown when 3+ participants have been invited // 'notify.invitedTwoMembers', // shown when 2 participants have been invited // 'notify.kickParticipant', // shown when a participant is kicked + // 'notify.linkToSalesforce', // shown when joining a meeting with salesforce integration // 'notify.moderationStartedTitle', // shown when AV moderation is activated // 'notify.moderationStoppedTitle', // shown when AV moderation is deactivated // 'notify.moderationInEffectTitle', // shown when user attempts to unmute audio during AV moderation 
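Review bot: The new `salesforceUrl` comment block in `config.js.sh` contains `${text}`, `${id}`, `${type}` and `${sessionId}` unescaped; this file is an expanding template (the hunk context shows `${ANALYTICS_SETTINGS}` and the file escapes backticks as `\`breakoutRooms.hideAddRoomButton\`` elsewhere in this diff), so the shell will expand these four references — to empty strings, or to an abort if the template runs under `set -u` — and the generated config.js will not carry the upstream text. Escape them as `\${text}`, `\${id}`, `\${type}` and `\${sessionId}`, which is how this file is meant to mirror the `.orig` copy. The same check applies to the other hunks of this file in case they carry further `${...}` sequences.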
@@ -1256,6 +1297,7 @@ ${ANALYTICS_SETTINGS} // 'notify.raisedHand', // shown when a partcipant used raise hand, // 'notify.startSilentTitle', // shown when user joined with no audio // 'notify.unmute', // shown to moderator when user raises hand during AV moderation + // 'notify.hostAskedUnmute', // shown to participant when host asks them to unmute // 'prejoin.errorDialOut', // 'prejoin.errorDialOutDisconnected', // 'prejoin.errorDialOutFailed', @@ -1278,12 +1320,37 @@ ${ANALYTICS_SETTINGS} // // Disables user resizable filmstrip. Also, allows configuration of the filmstrip // // (width, tiles aspect ratios) through the interfaceConfig options. // disableResizable: false, - // } + // // Disables the stage filmstrip + // // (displaying multiple participants on stage besides the vertical filmstrip) + // disableStageFilmstrip: false + // }, + + // Tile view related config options. + // tileView: { + // // The optimal number of tiles that are going to be shown in tile view. Depending on the screen size it may + // // not be possible to show the exact number of participants specified here. + // numberOfVisibleTiles: 25 + // }, // Specifies whether the chat emoticons are disabled or not // disableChatSmileys: false, + // Settings for the GIPHY integration. + // giphy: { + // // Whether the feature is enabled or not. + // enabled: false, + // // SDK API Key from Giphy. + // sdkKey: '', + // // Display mode can be one of: + // // - tile: show the GIF on the tile of the participant that sent it. + // // - chat: show the GIF as a message in chat + // // - all: all of the above. This is the default option + // displayMode: 'all', + // // How long the GIF should be displayed on the tile (in miliseconds). + // tileTime: 5000 + // }, + // Allow all above example options to include a trailing comma and // prevent fear when commenting out the last value. makeJsonParserHappy: 'even if last key had a trailing comma' 
diff --git a/type/__jitsi_meet_domain/files/config.js.sh.orig b/type/__jitsi_meet_domain/files/config.js.sh.orig index 0976642..8e4c5bc 100644 --- a/type/__jitsi_meet_domain/files/config.js.sh.orig +++ b/type/__jitsi_meet_domain/files/config.js.sh.orig @@ -1,3 +1,4 @@ + /* eslint-disable no-unused-vars, no-var */ var config = { @@ -78,6 +79,10 @@ var config = { flags: { // Enables source names in the signaling. // sourceNameSignaling: false, + + // Enables sending multiple video streams, i.e., camera and desktop tracks can be shared in the conference + // separately as two different streams instead of one composite stream. + // sendMultipleVideoStreams: false }, // Disables moderator indicators. @@ -473,6 +478,9 @@ var config = { // If Lobby is enabled starts knocking automatically. // autoKnockLobby: false, + // Enable lobby chat. + // enableLobbyChat: true, + // DEPRECATED! Use `breakoutRooms.hideAddRoomButton` instead. // Hides add breakout room button // hideAddRoomButton: false, @@ -512,7 +520,7 @@ var config = { // Hides the dominant speaker name badge that hovers above the toolbox // hideDominantSpeakerBadge: false, - // Default language for the user interface. + // Default language for the user interface. Cannot be overwritten. // defaultLanguage: 'en', // Disables profile and the edit of all fields from the profile settings (display name and email) @@ -599,7 +607,9 @@ var config = { // 'fullscreen', // 'hangup', // 'help', + // 'highlight', // 'invite', + // 'linktosalesforce', // 'livestreaming', // 'microphone', // 'mute-everyone', 
@@ -631,7 +641,9 @@ var config = { // timeout: 4000, // // Moved from interfaceConfig.TOOLBAR_ALWAYS_VISIBLE // // Whether toolbar should be always visible or should hide after x miliseconds. - // alwaysVisible: false + // alwaysVisible: false, + // // Indicates whether the toolbar should still autohide when chat is open + // autoHideWhileChatIsOpen: false // }, // Toolbar buttons which have their click/tap event exposed through the API on @@ -740,11 +752,22 @@ var config = { // Enables sending participants' emails (if available) to callstats and other analytics // enableEmailInStats: false, - // Enables detecting faces of participants and get their expression and send it to other participants - // enableFacialRecognition: true, + // faceLandmarks: { + // // Enables sharing your face cordinates. Used for centering faces within a video. + // enableFaceCentering: false, - // Enables displaying facial expressions in speaker stats - // enableDisplayFacialExpressions: true, + // // Enables detecting face expressions and sharing data with other participants + // enableFaceExpressionsDetection: false, + + // // Enables displaying face expressions in speaker stats + // enableDisplayFaceExpressions: false, + + // // Minimum required face movement percentage threshold for sending new face centering coordinates data. + // faceCenteringThreshold: 10, + + // // Miliseconds for processing a new image capture in order to detect face coordinates if they exist. + // captureInterval: 100 + // }, // Controls the percentage of automatic feedback shown to participants when callstats is enabled. // The default value is 100%. If set to 0, no automatic feedback will be requested 
@@ -931,14 +954,18 @@ var config = { // Options related to end-to-end (participant to participant) ping. // e2eping: { - // // The interval in milliseconds at which pings will be sent. - // // Defaults to 10000, set to <= 0 to disable. - // pingInterval: 10000, + // // Whether ene-to-end pings should be enabled. + // enabled: false, // - // // The interval in milliseconds at which analytics events - // // with the measured RTT will be sent. Defaults to 60000, set - // // to <= 0 to disable. - // analyticsInterval: 60000, + // // The number of responses to wait for. + // numRequests: 5, + // + // // The max conference size in which e2e pings will be sent. + // maxConferenceSize: 200, + // + // // The maximum number of e2e ping messages per second for the whole conference to aim for. + // // This is used to contol the pacing of messages in order to reduce the load on the backend. + // maxMessagesPerSecond: 250 // }, // If set, will attempt to use the provided video input device label when 
@@ -980,12 +1007,25 @@ var config = { // Options related to the remote participant menu. // remoteVideoMenu: { + // // Whether the remote video context menu to be rendered or not. + // disabled: true, // // If set to true the 'Kick out' button will be disabled. // disableKick: true, // // If set to true the 'Grant moderator' button will be disabled. - // disableGrantModerator: true + // disableGrantModerator: true, + // // If set to true the 'Send private message' button will be disabled. + // disablePrivateChat: true // }, + // Endpoint that enables support for salesforce integration with in-meeting resource linking + // This is required for: + // listing the most recent records - salesforceUrl/records/recents + // searching records - salesforceUrl/records?text=${text} + // retrieving record details - salesforceUrl/records/${id}?type=${type} + // and linking the meeting - salesforceUrl/sessions/${sessionId}/records/${id} + // + // salesforceUrl: 'https://api.example.com/', + // If set to true all muting operations of remote participants will be disabled. // disableRemoteMute: true, @@ -1092,7 +1132,8 @@ var config = { // 'e2ee', // 'transcribing', // 'video-quality', - // 'insecure-room' + // 'insecure-room', + // 'highlight-moment' // ] // }, @@ -1232,6 +1273,7 @@ var config = { // 'notify.invitedThreePlusMembers', // shown when 3+ participants have been invited // 'notify.invitedTwoMembers', // shown when 2 participants have been invited // 'notify.kickParticipant', // shown when a participant is kicked + // 'notify.linkToSalesforce', // shown when joining a meeting with salesforce integration // 'notify.moderationStartedTitle', // shown when AV moderation is activated // 'notify.moderationStoppedTitle', // shown when AV moderation is deactivated // 'notify.moderationInEffectTitle', // shown when user attempts to unmute audio during AV moderation 
@@ -1247,6 +1289,7 @@ var config = { // 'notify.raisedHand', // shown when a partcipant used raise hand, // 'notify.startSilentTitle', // shown when user joined with no audio // 'notify.unmute', // shown to moderator when user raises hand during AV moderation + // 'notify.hostAskedUnmute', // shown to participant when host asks them to unmute // 'prejoin.errorDialOut', // 'prejoin.errorDialOutDisconnected', // 'prejoin.errorDialOutFailed', @@ -1269,12 +1312,37 @@ var config = { // // Disables user resizable filmstrip. Also, allows configuration of the filmstrip // // (width, tiles aspect ratios) through the interfaceConfig options. // disableResizable: false, - // } + // // Disables the stage filmstrip + // // (displaying multiple participants on stage besides the vertical filmstrip) + // disableStageFilmstrip: false + // }, + + // Tile view related config options. + // tileView: { + // // The optimal number of tiles that are going to be shown in tile view. Depending on the screen size it may + // // not be possible to show the exact number of participants specified here. + // numberOfVisibleTiles: 25 + // }, // Specifies whether the chat emoticons are disabled or not // disableChatSmileys: false, + // Settings for the GIPHY integration. + // giphy: { + // // Whether the feature is enabled or not. + // enabled: false, + // // SDK API Key from Giphy. + // sdkKey: '', + // // Display mode can be one of: + // // - tile: show the GIF on the tile of the participant that sent it. + // // - chat: show the GIF as a message in chat + // // - all: all of the above. This is the default option + // displayMode: 'all', + // // How long the GIF should be displayed on the tile (in miliseconds). + // tileTime: 5000 + // }, + // Allow all above example options to include a trailing comma and // prevent fear when commenting out the last value. makeJsonParserHappy: 'even if last key had a trailing comma' 
diff --git a/type/__jitsi_meet_domain/files/jitsi-version b/type/__jitsi_meet_domain/files/jitsi-version new file mode 100644 index 0000000..f2cc6dd --- /dev/null +++ b/type/__jitsi_meet_domain/files/jitsi-version @@ -0,0 +1 @@ +2.0.7210-1 \ No newline at end of file diff --git a/type/__jitsi_meet_domain/files/nginx.sh b/type/__jitsi_meet_domain/files/nginx.sh index e678dce..ad1b41a 100644 --- a/type/__jitsi_meet_domain/files/nginx.sh +++ b/type/__jitsi_meet_domain/files/nginx.sh @@ -10,6 +10,17 @@ JITSI_NGINX_CONFIG="$(cat < Date: Thu, 21 Apr 2022 17:52:49 +0200 Subject: [PATCH 62/81] [__jitsi_meet] Fix issue with jicofo memory adaptation That was being a bit of a mess. Sponsored by: camilion.eu, eXO.cat --- type/__jitsi_meet/gencode-remote | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/type/__jitsi_meet/gencode-remote b/type/__jitsi_meet/gencode-remote index 435bbf4..fd782a4 100755 --- a/type/__jitsi_meet/gencode-remote +++ b/type/__jitsi_meet/gencode-remote @@ -24,7 +24,7 @@ if cut -f 2 "${__object}/explorer/configured-memory" | grep -qvE "^${MAX_MEMORY} -e 's!^(#[[:space:]]*)?(VIDEOBRIDGE_MAX_MEMORY)=.*\$!\2=${MAX_MEMORY}!' \ /usr/share/jitsi-videobridge/lib/videobridge.rc sed -i.tmp -E \ - -e 's!(JICOFO_MAX_MEMORY)[^;]+;!\1=${MAX_MEMORY};!' \ + -e 's!(JICOFO_MAX_MEMORY)[^";]+;!\1=${MAX_MEMORY};!' \ /usr/share/jicofo/jicofo.sh EOF fi From 151dc32fb52f695b101369032a0bdad1a9b20916 Mon Sep 17 00:00:00 2001 
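Review bot: `${MAX_MEMORY}` is still expanded unescaped into the new sed expression (and into the `grep -qvE "^${MAX_MEMORY}` test on the enclosing `if` line), so a value containing `!`, `&`, `\` or `;` would corrupt the substitution rather than be rejected; the tightened `[^";]+` class does not cover that. MAX_MEMORY is defined outside the hunk, so I cannot see whether it is validated; if it is not, a guard before the heredoc such as `case "${MAX_MEMORY}" in ''|*[!0-9kmgKMG]*) echo "invalid MAX_MEMORY: ${MAX_MEMORY}" >&2; exit 1 ;; esac` keeps both the grep pattern and the sed replacement well-formed. The enclosing `if` starts before the hunk; only the tail of its heredoc is visible here.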
From: Evilham Date: Thu, 21 Apr 2022 19:43:32 +0200 Subject: [PATCH 63/81] [__jitsi_meet*] Add support for simultaneous interpretations By using https://gitlab.com/mfmt/jsi which consists of very small and simple static files, we enable interpretations by default. With this commit, any DOMAIN created with __jitsi_meet_domain will serve jsi on https://DOMAIN/i/ and any ROOM can be used with simultaneous interpretation on https://DOMAIN/i/ROOM Sponsored by: camilion.eu, eXO.cat --- type/__jitsi_meet/manifest | 43 +++++++++++++++++++++++++ type/__jitsi_meet_domain/files/nginx.sh | 15 +++++++++ type/__jitsi_meet_domain/man.rst | 9 +++++- 3 files changed, 66 insertions(+), 1 deletion(-) diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest index 6a9d962..0b728c7 100755 --- a/type/__jitsi_meet/manifest +++ b/type/__jitsi_meet/manifest @@ -262,3 +262,46 @@ EOF fi fi # TODO: disable the exporter if it is deployed and then admin changes their mind + +# +# Setup interpreter assets if requested +# See: https://gitlab.com/mfmt/jsi/ +# +jsi_updated_on="2022-04-21" +__link "/usr/share/jitsi-meet/interpreters.html" \ + --type symbolic \ + --source "/opt/jsi/static/index.html.sample" +__directory /opt/jsi --mode 0755 +export require="__directory/opt/jsi" +__download /opt/jsi/jsi.tar.gz \ + --url 'https://gitlab.com/mfmt/jsi/-/archive/1d2cceaf615ee61c0bba80e5bddc61c5d1018303/jsi-1d2cceaf615ee61c0bba80e5bddc61c5d1018303.tar.gz' \ + --sum "sha256:b020141093daa9937507b098f358d0be994834c3e23866a457fc5140415a0c53" +export require="__download/opt/jsi/jsi.tar.gz" +__unpack /opt/jsi/jsi.tar.gz \ + --preserve-archive \ + --tar-strip 1 \ + --destination /opt/jsi/static \ + --onchange "$(cat <]*(/external_api.js).!src='\1'!" \ + -e "s!

[^<]*

!

Jitsi Meetings with interpreter

!" \ + -e "s!https://meet.mayfirst.org!/!" \ + -e "s!(style.css|jsi.js)([^?])!\1?v=${jsi_updated_on:?}\2!" \ + /opt/jsi/static/index.html.sample +EOF +)" diff --git a/type/__jitsi_meet_domain/files/nginx.sh b/type/__jitsi_meet_domain/files/nginx.sh index ad1b41a..64467d9 100644 --- a/type/__jitsi_meet_domain/files/nginx.sh +++ b/type/__jitsi_meet_domain/files/nginx.sh @@ -102,6 +102,21 @@ server { expires 1y; } } + # Paths for jsi / interpreters + location ~ ^/i/(img/[^./]*.png|jsi.js|style.css)$ + { + add_header 'Access-Control-Allow-Origin' '*'; + alias /opt/jsi/static/\$1; + + # cache all versioned files + if (\$arg_v) { + expires 1y; + } + } + location ~ ^/i/ + { + try_files /${DOMAIN}-interpreters.html /interpreters.html \$uri; + } # BOSH location = /http-bind { diff --git a/type/__jitsi_meet_domain/man.rst b/type/__jitsi_meet_domain/man.rst index 0bef146..97d670b 100644 --- a/type/__jitsi_meet_domain/man.rst +++ b/type/__jitsi_meet_domain/man.rst @@ -11,7 +11,13 @@ DESCRIPTION ----------- This type installs and configures the frontend for Jitsi-Meet. -This supports "multi-domain" installations. +Additionally to regular Jitsi-Meet, users can load `DOMAIN/i/` and +`DOMAIN/i/ROOM` for an interpreter-enabled interface; this is done with a +patched version of Jitsi Simultaneous Interpretation (jsi; see references). +At least a user with `interpreter` in their name must be present. + + +This type supports "multi-domain" installations. New in April 2022: rooms are independent for each domain, that is: https://jitsi1.example.org/room1 and https://jitsi2.example.org/room1 are @@ -156,6 +162,7 @@ SEE ALSO -------- - `__jitsi_meet(7)` - `__jitsi_meet_user(7)` +- Jitsi Meet Simultaneous Interpretation: https://gitlab.com/mfmt/jsi AUTHORS From 67bc8aa02bd9512b98f1850dff3d4ad38f056273 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Mon, 25 Apr 2022 17:10:50 +0200 Subject: [PATCH 64/81] __uacme_obtain: allow use of stdin with the --renew-hook parameter --- type/__uacme_obtain/man.rst | 3 ++- type/__uacme_obtain/manifest | 6 +++++- 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/type/__uacme_obtain/man.rst b/type/__uacme_obtain/man.rst
index f1db899..16ebe87 100644
--- a/type/__uacme_obtain/man.rst
+++ b/type/__uacme_obtain/man.rst
@@ -38,7 +38,8 @@ install-key-to
 Installation path of the certificate's private key. renew-hook
- Renew hook executed on certificate renewal (e.g. `service nginx reload`).
+ Renew hook executed on certificate renewal (e.g. `service nginx reload`, `-`
+ for the standard input). force-cert-ownership-to Override default ownership for TLS certificate, passed as argument to chown.
diff --git a/type/__uacme_obtain/manifest b/type/__uacme_obtain/manifest
index b41ddde..a40119b 100644
--- a/type/__uacme_obtain/manifest
+++ b/type/__uacme_obtain/manifest
@@ -109,7 +109,11 @@ export CERT_TARGET
 RENEW_HOOK=
 if [ -f "${__object:?}/parameter/renew-hook" ]; then
- RENEW_HOOK="$(cat "${__object:?}/parameter/renew-hook")"
+ if [ "$(cat "${__object:?}/parameter/renew-hook")" = "-" ]; then
+ RENEW_HOOK="$(cat ${__object:?}/stdin)"
+ else
+ RENEW_HOOK="$(cat "${__object:?}/parameter/renew-hook")"
+ fi
 fi
 export RENEW_HOOK
From 977b530dab44061cdae171e7c3c31d78b74191df Mon Sep 17 00:00:00 2001 From: Evilham Date: Thu, 28 Apr 2022 17:22:19 +0200 Subject: [PATCH 65/81] [__single_binary_service] Update manpage to remove __evilham prefix --- type/__single_binary_service/man.rst | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/type/__single_binary_service/man.rst b/type/__single_binary_service/man.rst
index cb40330..65b4fc0 100644
--- a/type/__single_binary_service/man.rst
+++ b/type/__single_binary_service/man.rst
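Review bot: `RENEW_HOOK="$(cat ${__object:?}/stdin)"` leaves the path unquoted, unlike every other `cat "${__object:?}/..."` in the same hunk; `RENEW_HOOK="$(cat "${__object:?}/stdin")"` keeps it consistent and safe against whitespace or globbing characters in the object path. The parameter file is also read twice; reading it once, e.g. `renew_hook_param="$(cat "${__object:?}/parameter/renew-hook")"`, and testing that variable avoids the duplicate `cat`. If the caller passes `-` but pipes nothing in, RENEW_HOOK ends up empty (or `cat` fails if no stdin file was captured) and is still exported; a `[ -n "${RENEW_HOOK}" ]` check with a clear error would surface that misuse early. Whether a failing `cat` aborts the manifest depends on the shebang, which is outside the hunk.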
@@ -1,9 +1,9 @@ -cdist-type__evilham_single_binary_service(7) -============================================ +cdist-type__single_binary_service(7) +==================================== NAME ---- -cdist-type__evilham_single_binary_service - Setup a single-binary service +cdist-type__single_binary_service - Setup a single-binary service DESCRIPTION @@ -142,7 +142,7 @@ EXAMPLES # Install and enable the ipmi_exporter service # The variables are defined in the manifest previously - __evilham_single_binary_service ipmi_exporter \ + __single_binary_service ipmi_exporter \ --user "${USER}" \ --service-args ' --config.file=/etc/ipmi_exporter.conf' \ --version "${SHOULD_VERSION}" \ @@ -157,7 +157,7 @@ EXAMPLES EOF # Remove the ipmi_exporter service along with the user and its config - __evilham_single_binary_service ipmi_exporter \ + __single_binary_service ipmi_exporter \ --user "${USER}" \ --version "${SHOULD_VERSION}" \ --checksum "${CHECKSUM}" \ @@ -165,7 +165,7 @@ EXAMPLES --state "absent" # Same, but the service was using my user! Let's not delete that! - __evilham_single_binary_service ipmi_exporter \ + __single_binary_service ipmi_exporter \ --user "evilham" \ --do-not-manage-user \ --version "${SHOULD_VERSION}" \ @@ -187,4 +187,4 @@ Evilham COPYING ------- -Copyright \(C) 2021 Evilham. +Copyright \(C) 2022 Evilham. From 0cff41488436c7e9f8aa083e5974ba2537fca41e Mon Sep 17 00:00:00 2001 From: Evilham Date: Thu, 28 Apr 2022 17:28:46 +0200 Subject: [PATCH 66/81] [__jitsi_meet] Simplify exporter logic and update it to 1.2.0 This uses the newly merged __single_binary_service and: - Fixes the bug where once added, the exporter could not be removed - Simplifies keeping it up to date Sponsored by: camilion.eu, eXO.cat --- .../prometheus-jitsi-meet-explorer-version | 7 -- type/__jitsi_meet/manifest | 78 +++++-------------- 2 files changed, 18 insertions(+), 67 deletions(-) delete mode 100755 type/__jitsi_meet/explorer/prometheus-jitsi-meet-explorer-version 
diff --git a/type/__jitsi_meet/explorer/prometheus-jitsi-meet-explorer-version b/type/__jitsi_meet/explorer/prometheus-jitsi-meet-explorer-version
deleted file mode 100755
index b1cec48..0000000
--- a/type/__jitsi_meet/explorer/prometheus-jitsi-meet-explorer-version
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh -e
-
-EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version"
-
-if [ -f "${EXPORTER_VERSION_FILE}" ]; then
- cat "${EXPORTER_VERSION_FILE}"
-fi
diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest
index 0b728c7..815d039 100755
--- a/type/__jitsi_meet/manifest
+++ b/type/__jitsi_meet/manifest
@@ -1,7 +1,6 @@
 #!/bin/sh -e
 os="$(cat "${__global}/explorer/os")"
-init="$(cat "${__global}/explorer/init")"
 case "${os}" in
 devuan|debian) ;;
@@ -27,8 +26,6 @@ if [ -z "${TURN_SERVER}" ]; then
 TURN_SERVER="${JITSI_HOST}"
 fi
-PROMETHEUS_JITSI_EXPORTER_IS_VERSION="$(cat "${__object}/explorer/prometheus-jitsi-meet-explorer-version")"
-
 # The rest is loosely based on Jitsi's documentation
 # https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart
@@ -203,65 +200,26 @@ export JITSI_HOST "${__type}/files/jicofo.conf.sh" | \ __file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-' + # These two should be changed on new release -PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5" -PROMETHEUS_JITSI_EXPORTER_CHECKSUM="sha256:3ddf43a48d9a2f62be1bc6db9e7ba75d61994f9423e5c5b28be019f41f06f745" -PROMETHEUS_JITSI_EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}/prometheus-jitsi-meet-exporter-linux-amd64" -PROMETHEUS_JITSI_EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version" -if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then - case "${init}" in - init|sysvinit) - __runit - require="__runit" __runit_service \ - prometheus-jitsi-meet-exporter --log --source - <&1 -EOF - - export require="__runit_service/prometheus-jitsi-meet-exporter" - JITSI_MEET_EXPORTER_SERVICE="sv %s prometheus-jitsi-meet-exporter" - ;; - systemd) - __systemd_unit prometheus-jitsi-meet-exporter.service \ - --source "-" \ - --enablement-state "enabled" < Date: Thu, 28 Apr 2022 17:32:15 +0200 Subject: [PATCH 67/81] [__jitsi_meet] Configure jicofo so metrics are more useful By default the REST API provided by jicofo is less useful than desired. This is a tad under-documented, so finding the right settings was tricky :-). Sponsored by: camilion.eu, eXO.cat --- type/__jitsi_meet/gencode-remote | 2 +- type/__jitsi_meet/manifest | 23 +++++++++++++++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/type/__jitsi_meet/gencode-remote b/type/__jitsi_meet/gencode-remote index fd782a4..c29d20e 100755 --- a/type/__jitsi_meet/gencode-remote +++ b/type/__jitsi_meet/gencode-remote 
@@ -33,7 +33,7 @@ if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
 echo "service nginx reload"
 fi
-if grep -qE "^(__line/jitsi_jicofo_secured_domains|(__file|__link)/etc/prosody/conf.d/|__file/etc/jitsi/jicofo/jicofo.conf)" "${__messages_in}"; then
+if grep -qE "^(__line/jitsi_jicofo_secured_domains|(__file|__link)/etc/prosody/conf.d/|__file/etc/jitsi/(jicofo/jicofo.conf|videobridge/jvb.conf))" "${__messages_in}"; then
 RESTART_SERVICES="YES"
 fi
diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest
index 815d039..fb22821 100755
--- a/type/__jitsi_meet/manifest
+++ b/type/__jitsi_meet/manifest
@@ -200,6 +200,29 @@ export JITSI_HOST
 "${__type}/files/jicofo.conf.sh" | \
 __file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-'
+# Enable the private colibri REST API end point for better stats
+__file "/etc/jitsi/videobridge/jvb.conf" --mode 0444 --source '-' < Date: Thu, 28 Apr 2022 17:34:32 +0200 Subject: [PATCH 68/81] [__jitsi_meet_domain] Make shellcheck happy and fix escaping issue The escaping issue was overlooked because it was in a comment block; it wasn't relevant. No functional changes intended. Sponsored by: camilion.eu, eXO.cat --- .../files/_update_jitsi_configurations.sh | 2 +- type/__jitsi_meet_domain/files/config.js.sh | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
index 12c405b..0d9f53a 100755
--- a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
+++ b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
@@ -32,4 +32,4 @@ download_file doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example prosody.
 # Change the version file, maintainers should check that it matches
 # the deb version
-printf "2.0.${BRANCH#*_}-1" > jitsi-version
+printf "2.0.%s-1" "${BRANCH#*_}" > jitsi-version
diff --git a/type/__jitsi_meet_domain/files/config.js.sh b/type/__jitsi_meet_domain/files/config.js.sh
index 0eca916..6836dd1 100644
--- a/type/__jitsi_meet_domain/files/config.js.sh
+++ b/type/__jitsi_meet_domain/files/config.js.sh
@@ -1028,9 +1028,9 @@ ${ANALYTICS_SETTINGS}
 // Endpoint that enables support for salesforce integration with in-meeting resource linking
 // This is required for:
 // listing the most recent records - salesforceUrl/records/recents
- // searching records - salesforceUrl/records?text=${text}
- // retrieving record details - salesforceUrl/records/${id}?type=${type}
- // and linking the meeting - salesforceUrl/sessions/${sessionId}/records/${id}
+ // searching records - salesforceUrl/records?text=\${text}
+ // retrieving record details - salesforceUrl/records/\${id}?type=\${type}
+ // and linking the meeting - salesforceUrl/sessions/\${sessionId}/records/\${id}
 //
 // salesforceUrl: 'https://api.example.com/',
From 8e1d0b68f1473bd78aea44811c8b977c07af9466 Mon Sep 17 00:00:00 2001 From: Evilham Date: Thu, 28 Apr 2022 17:40:09 +0200 Subject: [PATCH 69/81] [__jitsi_meet*] Add new parameters for heavier branding This uses nginx' server-side includes, so each domain configured by `__jitsi_meet_domain` can have its own customisation. Note that the file customisation file must exist for each domain, `__jitsi_meet_domain` takes care of that already. Sponsored by: camilion.eu, eXO.cat --- type/__jitsi_meet/manifest | 7 +++++++ type/__jitsi_meet_domain/files/interface_config.js.sh | 2 +- type/__jitsi_meet_domain/man.rst | 11 +++++++++-- type/__jitsi_meet_domain/manifest | 6 ++++++ .../parameter/default/branding-app-name | 1 + .../parameter/default/branding-extra-body | 0 type/__jitsi_meet_domain/parameter/optional | 2 ++ 7 files changed, 26 insertions(+), 3 deletions(-) create mode 100644 type/__jitsi_meet_domain/parameter/default/branding-app-name create mode 100644 type/__jitsi_meet_domain/parameter/default/branding-extra-body
diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest index fb22821..20e91a7 100755 --- a/type/__jitsi_meet/manifest +++ b/type/__jitsi_meet/manifest @@ -224,6 +224,13 @@ videobridge { } EOFJVB +# Enable simple per-domain body customisation +__file "/usr/share/jitsi-meet/body.html" \ + --mode 0644 \ + --source '-' < +EOF + # These two should be changed on new release EXPORTER_VERSION="1.2.0" EXPORTER_CHECKSUM="sha256:6377ffa7be0c7deb66545616add7245da96f8b7746d6712f41cfa9fe72c935ce" diff --git a/type/__jitsi_meet_domain/files/interface_config.js.sh b/type/__jitsi_meet_domain/files/interface_config.js.sh index 094cc6e..0589ced 100644 --- a/type/__jitsi_meet_domain/files/interface_config.js.sh +++ b/type/__jitsi_meet_domain/files/interface_config.js.sh @@ -20,7 +20,7 @@ JITSI_INTERFACE_CONFIG_JS="$(cat < Date: Thu, 28 Apr 2022 17:43:33 +0200 Subject: [PATCH 70/81] [__jitsi_meet_domain] Add a muc_room_cache_size for jibri @pedro is working on this and this change matched my workflow better :-) --- type/__jitsi_meet_domain/files/prosody.cfg.lua.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh index ea243c1..5bb93b5 100644 --- a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh +++ b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh @@ -153,6 +153,8 @@ Component "internal.auth.${JITSI_DOMAIN:?}" "muc" admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}", "jvb@auth.${JITSI_HOST:?}" } muc_room_locking = false muc_room_default_public_jids = true + -- https://prosody.im/doc/modules/mod_muc + muc_room_cache_size = 1000 ${PROSODY_DOMAIN_END} ${PROSODY_MAIN_START} -- This will be managed by __jitsi_meet From 797f7c864814f69d0a138b3f415acfd4ca539121 Mon Sep 17 00:00:00 2001 
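Review bot: The new `muc_room_cache_size = 1000` in the prosody template carries only a link to the module documentation, not the reason for this value; the commit title ties it to jibri, so a one-line rationale next to the link, e.g. `-- Raised from the default so jibri's room lookups do not evict active rooms (see commit history)`, or whatever symptom actually motivated it, would save the next maintainer from guessing. The `Component "internal.auth..."` block it is added to starts outside the hunk.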
From: Evilham Date: Sun, 8 May 2022 21:47:26 +0200 Subject: [PATCH 71/81] [__jitsi_meet] Improve manpage regarding ufw and SSH This documents the fact that this type does not make decisions about anything other than Jitsi-Meet itself and therefore care should be taken with the SSH port. Related to: https://code.ungleich.ch/ungleich-public/cdist-contrib/pulls/23 Reported by: @pedro --- type/__jitsi_meet/man.rst | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/type/__jitsi_meet/man.rst b/type/__jitsi_meet/man.rst index 876c218..03a4a35 100644 --- a/type/__jitsi_meet/man.rst +++ b/type/__jitsi_meet/man.rst @@ -21,10 +21,10 @@ You will also need the `__jitsi_meet_domain` type in order to finish setting up the web frontend (including TLS certificates) and its settings. You may want to use the `files/ufw` example manifest for a `__ufw`-based -firewall compatible with this type. -This file does not include rules for TCP port 9888, which exposes the -prometheus exporter if not disabled. -You should apply your own rules here. +firewall compatible with this type that allows all ports needed by Jitsi-Meet. +Note however that this will not deal with rules for SSH or for TCP port 9888, +which exposes the prometheus exporter if not disabled. +Remember to apply your own rules here, particularly regarding SSH. This type only works on De{bi,vu}an systems. @@ -76,9 +76,11 @@ EXAMPLES .. code-block:: sh - # Setup the firewall + # Setup the firewall for Jitsi-Meet . "${__global}/type/__jitsi_meet/files/ufw" export require="__ufw" + # Setup firewall SSH rules as necessary + __ufw_rule ssh --rule 'allow 22/tcp from 10.0.0.0/24' # Setup Jitsi on this host __jitsi_meet \ --turn-server "turn.exo.cat" \ From 756e5b17c63d641ac35ffad513d3ed15188b87ca Mon Sep 17 00:00:00 2001 
From: Evilham Date: Tue, 7 Jun 2022 15:00:00 +0200 Subject: [PATCH 72/81] [__jitsi_meet*] Update to 2.0.7287-1 Sponsored by: camilion.eu, eXO.cat --- .../files/_update_jitsi_configurations.sh | 2 +- type/__jitsi_meet_domain/files/config.js.sh | 38 +++++++++++++++++-- .../files/config.js.sh.orig | 38 +++++++++++++++++-- type/__jitsi_meet_domain/files/jitsi-version | 2 +- .../files/prosody.cfg.lua.sh | 17 +++++++++ .../files/prosody.cfg.lua.sh.orig | 15 ++++++++ 6 files changed, 102 insertions(+), 10 deletions(-) diff --git a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh index 0d9f53a..8b14e5c 100755 --- a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh +++ b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh @@ -7,7 +7,7 @@ # We could automate this, but are using it as an indicator for the # latest branch with which we conciliated changes. -BRANCH="jitsi-meet_7210" +BRANCH="jitsi-meet_7287" REPO="https://github.com/jitsi/jitsi-meet" get_url() { diff --git a/type/__jitsi_meet_domain/files/config.js.sh b/type/__jitsi_meet_domain/files/config.js.sh index 6836dd1..e52ed32 100644 --- a/type/__jitsi_meet_domain/files/config.js.sh +++ b/type/__jitsi_meet_domain/files/config.js.sh @@ -4,6 +4,11 @@ JITSI_CONFIG_JS="$(cat <