From 51d0b817fe0e56a733cd1b445b81321831b0c4f3 Mon Sep 17 00:00:00 2001
From: Evilham <cvs@evilham.com>
Date: Fri, 18 Jun 2021 20:52:58 +0200
Subject: [PATCH 01/34] [__single_binary_service] Type to manage very simple
 services.

---
 explorer/explorer-version      |  10 +++
 manifest                       | 158 +++++++++++++++++++++++++++++++++
 parameter/boolean              |   1 +
 parameter/default/service-args |   0
 parameter/default/state        |   1 +
 parameter/default/user         |   1 +
 parameter/optional             |   8 ++
 parameter/optional_multiple    |   1 +
 parameter/required             |   3 +
 9 files changed, 183 insertions(+)
 create mode 100755 explorer/explorer-version
 create mode 100755 manifest
 create mode 100644 parameter/boolean
 create mode 100644 parameter/default/service-args
 create mode 100644 parameter/default/state
 create mode 100644 parameter/default/user
 create mode 100644 parameter/optional
 create mode 100644 parameter/optional_multiple
 create mode 100644 parameter/required

diff --git a/explorer/explorer-version b/explorer/explorer-version
new file mode 100755
index 0000000..690cc5f
--- /dev/null
+++ b/explorer/explorer-version
@@ -0,0 +1,10 @@
+#!/bin/sh -e
+
+BIN_PREFIX="/usr/local/bin"
+SERVICE_NAME="${__object_id}"
+
+VERSION_FILE="${BIN_PREFIX}/.${SERVICE_NAME}.cdist.version"
+
+if [ -f "${VERSION_FILE}" ]; then
+	cat "${VERSION_FILE}"
+fi
diff --git a/manifest b/manifest
new file mode 100755
index 0000000..d5df410
--- /dev/null
+++ b/manifest
@@ -0,0 +1,158 @@
+#!/bin/sh -e
+
+BIN_DIR="/usr/local/bin"
+
+# Ensure the target bin dir exists
+__directory "${BIN_DIR}" \
+	--mode 0755
+export require="${require} __directory${BIN_DIR}"
+
+STATE="$(cat "${__object}/parameter/state")"
+USER="$(cat "${__object}/parameter/user")"
+GROUP="$(cat "${__object}/parameter/group" 2>/dev/null || true)"
+if [ -z "${GROUP}" ]; then
+	GROUP="${USER}"
+fi
+
+SERVICE_NAME="${__object_id}"
+
+BINARY="$(cat "${__object}/parameter/binary" 2>/dev/null || true)"
+if [ -z "${BINARY}" ]; then
+	BINARY="${SERVICE_NAME}"
+fi
+EXTRA_BINARIES="$(cat "${__object}/parameter/extra-binary" 2>/dev/null || true)"
+# This only makes sense for file archives
+if [ -n "${EXTRA_BINARIES}" ] && [ -f "${__object}/parameter/unpack" ]; then
+	cat >> /dev/stderr <<-EOF
+	You cannot specify extra binaries without the --unpack argument.
+	Make sure that the --url argument points to a file archive.
+EOF
+fi
+
+SERVICE_EXEC="$(cat "${__object}/parameter/service-exec" 2>/dev/null || true)"
+if [ -z "${SERVICE_EXEC}" ]; then
+	SERVICE_EXEC="${BIN_DIR}/${BINARY}"
+fi
+SERVICE_EXEC="${SERVICE_EXEC} $(cat "${__object}/parameter/service-args")"
+
+SERVICE_DESCRIPTION="$(cat "${__object}/parameter/service-description" \
+	2>/dev/null || true)"
+if [ -z "${SERVICE_DESCRIPTION}" ]; then
+	SERVICE_DESCRIPTION="cdist-managed '${SERVICE_NAME}' service"
+fi
+
+DOWNLOAD_URL="$(cat "${__object}/parameter/url")"
+CHECKSUM="$(cat "${__object}/parameter/checksum")"
+SHOULD_VERSION="$(cat "${__object}/parameter/version")"
+
+# Create a user for the service if it is not root
+if [ "${USER}" != "root" ]; then
+	__user "${USER}" \
+		--system \
+		--state "${STATE}" \
+		--home /nonexistent \
+		--comment "cdist-managed ${SERVICE_NAME} user"
+	# Track dependencies
+	service_require="${service_require} __user/${USER}"
+fi
+
+# TODO: Support non-systemd
+__systemd_unit "${SERVICE_NAME}.service" \
+	--source "-" \
+	--state "${STATE}" \
+	--enablement-state "enabled" <<EOF
+[Unit]
+Description=${SERVICE_DESCRIPTION}
+After=network.target
+
+[Service]
+Type=simple
+
+User=${USER}
+Group=${GROUP}
+ExecStart=${SERVICE_EXEC}
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+EOF
+service_require="${service_require} __systemd_unit/${SERVICE_NAME}.service"
+
+# Proceed after user and service description have been prepared
+export require="${require} ${service_require}"
+
+
+VERSION_FILE="${BIN_DIR}/.${SERVICE_NAME}.cdist.version"
+IS_VERSION="$(cat "${__object}/explorer/explorer-version")"
+
+if [ "${SHOULD_VERSION}" != "${IS_VERSION}" ] && \
+		[ "${STATE}" = "present" ]; then
+	# We are installing the service and there has been a version change
+	# (or it is first-time install)
+	TMP_PATH="/tmp/${SERVICE_NAME}-${SHOULD_VERSION}"
+
+	# This is what will stop the service, replace the binaries and
+	# start the service again
+	perform_service_upgrade="$(cat <<EOF
+service ${SERVICE_NAME} stop || true
+for bin_file in ${BINARY} ${EXTRA_BINARIES}; do
+	bin_path="${TMP_PATH}/\${bin_file}"
+	# TODO: on the BSDs, the super user group is wheel
+	chown root:root "\${bin_path}"
+	chmod 0555 "\${bin_path}"
+	cp -af "\${bin_path}" "${BIN_DIR}/\${bin_file}"
+done
+service ${SERVICE_NAME} start || true
+EOF
+)"
+
+	if [ -f "${__object}/parameter/unpack" ]; then
+		# TODO: Support files other than .tar.gz
+		UNPACK_ARGS="$(cat "${__object}/parameter/unpack-args" \
+			2>/dev/null || true)"
+		# Download packed file
+		__download "${TMP_PATH}.tar.gz" \
+			--url "${DOWNLOAD_URL}" \
+			--download remote \
+			--sum "${CHECKSUM}"
+
+		# Unpack file and also perform service upgrade
+		# shellcheck disable=SC2086
+		require="__download${TMP_PATH}.tar.gz" \
+			__unpack "${TMP_PATH}.tar.gz" \
+			${UNPACK_ARGS} \
+			--destination "${TMP_PATH}" \
+			--onchange "$(cat <<EOF
+${perform_service_upgrade}
+EOF
+)"
+		version_bump_require="__unpack${TMP_PATH}.tar.gz"
+	else
+		# Create temp directory
+		__directory "${TMP_PATH}"
+		# Download binary directoy to the temp directory with the
+		# specified binary name
+		# And also perform service upgrade
+		require="__directory${TMP_PATH}" __download \
+			"${TMP_PATH}/${BINARY}" \
+			--url "${DOWNLOAD_URL}" \
+			--download remote \
+			--sum "${CHECKSUM}" \
+			--onchange "${perform_service_upgrade}"
+		version_bump_require="__download${TMP_PATH}/${BINARY}"
+	fi
+
+	# Perform update of cdist-managed version file
+	# only after binaries have been upgraded
+	printf "%s" "${SHOULD_VERSION}" | \
+		require="${version_bump_require}" __file \
+			"${VERSION_FILE}" \
+			--source "-"
+fi
+if [ "${STATE}" = "absent" ]; then
+	# Perform cleanup of generated files
+	for bin_file in ${BINARY} ${EXTRA_BINARIES}; do
+		__file "${BINARY_PREFIX}/${bin_file}" --state "absent"
+	done
+	__file "${VERSION_FILE}" --state "absent"
+fi
diff --git a/parameter/boolean b/parameter/boolean
new file mode 100644
index 0000000..f5f0902
--- /dev/null
+++ b/parameter/boolean
@@ -0,0 +1 @@
+unpack
diff --git a/parameter/default/service-args b/parameter/default/service-args
new file mode 100644
index 0000000..e69de29
diff --git a/parameter/default/state b/parameter/default/state
new file mode 100644
index 0000000..e7f6134
--- /dev/null
+++ b/parameter/default/state
@@ -0,0 +1 @@
+present
diff --git a/parameter/default/user b/parameter/default/user
new file mode 100644
index 0000000..d8649da
--- /dev/null
+++ b/parameter/default/user
@@ -0,0 +1 @@
+root
diff --git a/parameter/optional b/parameter/optional
new file mode 100644
index 0000000..6751e9c
--- /dev/null
+++ b/parameter/optional
@@ -0,0 +1,8 @@
+user
+group
+state
+binary
+service-args
+service-exec
+service-description
+unpack-args
diff --git a/parameter/optional_multiple b/parameter/optional_multiple
new file mode 100644
index 0000000..e1ca562
--- /dev/null
+++ b/parameter/optional_multiple
@@ -0,0 +1 @@
+extra-binary
diff --git a/parameter/required b/parameter/required
new file mode 100644
index 0000000..b1e8d01
--- /dev/null
+++ b/parameter/required
@@ -0,0 +1,3 @@
+url
+checksum
+version

From d5b552ddb4b6289581ffad0bdc4a474aac9e8d90 Mon Sep 17 00:00:00 2001
From: Evilham <cvs@evilham.com>
Date: Fri, 18 Jun 2021 22:01:45 +0200
Subject: [PATCH 02/34] [__single_binary_service] Add manpage, config-file and
 better absent

With these changes the type is good for general consumption (modulo the
limitations mentioned in the manpage under TODO).
---
 man.rst            | 169 +++++++++++++++++++++++++++++++++++++++++++++
 manifest           |  39 ++++++++++-
 parameter/boolean  |   1 +
 parameter/optional |   1 +
 4 files changed, 208 insertions(+), 2 deletions(-)
 create mode 100644 man.rst

diff --git a/man.rst b/man.rst
new file mode 100644
index 0000000..8f384bf
--- /dev/null
+++ b/man.rst
@@ -0,0 +1,169 @@
+cdist-type__evilham_single_binary_service(7)
+============================================
+
+NAME
+----
+cdist-type__evilham_single_binary_service - Setup a single-binary service
+
+
+DESCRIPTION
+-----------
+This type is designed to easily deploy and configure a single-binary service
+named `${__object_id}`.
+
+A good example of this are Prometheus exporters.
+
+This type makes certain assumptions that might not be correct on your system.
+If you need more flexibility, please get in touch and provide a use-case
+(and hopefully a backwards-compatible patch).
+
+This type will place the downloaded binary and, if requested, other extra
+binaries in `/usr/local/bin`.
+
+If a `--config-file-source` is provided, it will be placed under:
+`/etc/${__object_id}.conf`.
+
+TODO (patches welcome!):
+- It currently only supports `.tar.gz` archives.
+- It currently only supports systemd units.
+- Does not handle properly BSD-systems (wheel group, /usr/local/etc, systemd)
+
+
+REQUIRED PARAMETERS
+-------------------
+checksum
+    This will be passed verbatim to `__download(7)`.
+    Use something like `sha256:...`.
+
+url
+    This will be passed verbatim to `__download(7)`.
+
+version
+    This type will use a thumbstone file with a "version" number to track
+    whether or not a service must be updated.
+    This thumbstone file is placed under
+    `/usr/local/bin/.${__object_id}.cdist.version`.
+
+
+BOOLEAN PARAMETERS
+------------------
+unpack
+    If present, the contents of `--url` will be treated as an archive to be
+    unpacked with `__unpack(7)`.
+    See also `--unpack-args` and `--extra-binary`.
+
+do-not-manage-user
+    Always considered present when `--user` is `root`.
+    If present, the user in `--user` will not be managed by this type with
+    `__user`, this means it *must* exist beforehand when installing the service
+    and it will not be removed by this type.
+
+
+OPTIONAL PARAMETERS
+-------------------
+config-file-source
+    If present, this file's contents will be placed under
+    `/etc/${__object_id}.conf` with permissions `0440` and ownership assigned to
+    `--user` and `--group`.
+    If `-` is passed, this type's `stdin` will be used.
+
+user
+    The user under which the service will run. Defaults to `root`.
+    If this user is not `root` and `--do-not-manage-user` is not present,
+    this user will be created or removed as per the `--state` parameter.
+
+group
+    The group under which the service will run. Defaults to `--user`.
+
+state
+    Whether the service is to be `present` (default) or `absent`.
+    When `absent`, this type will clean any binaries listed in `--extra-binary`
+    and also the config file as described in `--config-file-source`.
+
+binary
+    This will be the binary name. Defaults to `${__object_id}`.
+    If `--unpack` is used, a binary with this name must be unpacked.
+    Otherwise, the contents of `--url` will be placed under this binary name.
+
+service-args
+    Any extra arguments to pass along with `--service-exec`.
+
+service-exec
+    The executable to use for this service.
+    Defaults to `/usr/local/bin/BINARY_NAME` where `BINARY_NAME` is the
+    resulting value of `--binary`.
+
+service-description
+    The service description to be used in, e.g. the systemd unit file.
+    Defaults to `cdist-managed '${__object_id}' service`.
+
+unpack-args
+    Only has an effect if `--unpack` is used.
+    These arguments will be passed verbatim to `__unpack(7)`.
+    Very useful as this type assumes the archive does not have the binaries in
+    subdirectories; that can be worked around with
+    `--unpack-args '--tar-strip 1'`.
+
+
+OPTIONAL MULTIPLE PARAMETERS
+----------------------------
+extra-binary
+    Only useful with `--unpack`.
+    If passed, these binaries will also be installed when `--state` is `present`
+    and removed when `--state` is `absent`.
+    Handle with care :-).
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+	# Install and enable the ipmi_exporter service
+	#   The variables are defined in the manifest previously
+	__evilham_single_binary_service ipmi_exporter \
+		--user "${USER}" \
+		--service-args ' --config.file=/etc/ipmi_exporter.conf' \
+		--version "${SHOULD_VERSION}" \
+		--checksum "${CHECKSUM}" \
+		--url "${DOWNLOAD_URL}" \
+		--state "present" \
+		--unpack \
+		--unpack-args "--tar-strip 1" \
+		--config-file-source '-' <<-EOF
+	# Remotely managed, changes will be lost
+	# [...] config contents goes here
+	EOF
+
+	# Remove the ipmi_exporter service along with the user and its config
+	__evilham_single_binary_service ipmi_exporter \
+		--user "${USER}" \
+		--version "${SHOULD_VERSION}" \
+		--checksum "${CHECKSUM}" \
+		--url "${DOWNLOAD_URL}" \
+		--state "absent"
+
+	# Same, but the service was using my user! Let's not delete that!
+	__evilham_single_binary_service ipmi_exporter \
+		--user "evilham" \
+		--do-not-manage-user \
+		--version "${SHOULD_VERSION}" \
+		--checksum "${CHECKSUM}" \
+		--url "${DOWNLOAD_URL}" \
+		--state "absent"
+
+
+SEE ALSO
+--------
+- `__download(7)`
+- `__unpack(7)`
+
+
+AUTHORS
+-------
+Evilham <contact@evilham.com>
+
+
+COPYING
+-------
+Copyright \(C) 2021 Evilham.
diff --git a/manifest b/manifest
index d5df410..e279a05 100755
--- a/manifest
+++ b/manifest
@@ -1,9 +1,12 @@
 #!/bin/sh -e
 
 BIN_DIR="/usr/local/bin"
+ETC_DIR="/etc"
 
 # Ensure the target bin dir exists
+#   Care, we never want to remove it :-D
 __directory "${BIN_DIR}" \
+	--state "exists" \
 	--mode 0755
 export require="${require} __directory${BIN_DIR}"
 
@@ -46,8 +49,13 @@ CHECKSUM="$(cat "${__object}/parameter/checksum")"
 SHOULD_VERSION="$(cat "${__object}/parameter/version")"
 
 # Create a user for the service if it is not root
-if [ "${USER}" != "root" ]; then
-	__user "${USER}" \
+if [ "${USER}" != "root" ] && \
+		[ ! -f "${__object}/parameter/do-not-manage-user" ]; then
+	if [ "${STATE}" = "absent" ]; then
+		# When removing, ensure user is not being used
+		user_require="__systemd_unit/${SERVICE_NAME}.service"
+	fi
+	require="${require} ${user_require}" __user "${USER}" \
 		--system \
 		--state "${STATE}" \
 		--home /nonexistent \
@@ -56,10 +64,29 @@ if [ "${USER}" != "root" ]; then
 	service_require="${service_require} __user/${USER}"
 fi
 
+# Place config file if necessary
+CONFIG_FILE_DEST="${ETC_DIR}/${SERVICE_NAME}.conf"
+CONFIG_FILE_SOURCE="$(cat "${__object}/parameter/config-file-source" 2>/dev/null || true)"
+if [ "${CONFIG_FILE_SOURCE}" = "-" ]; then
+	CONFIG_FILE_SOURCE="${__object}/stdin"
+fi
+if [ -n "${CONFIG_FILE_SOURCE}" ] && [ "${STATE}" = "present" ]; then
+	require="${require} __user/${USER}" __file \
+		"${CONFIG_FILE_DEST}" \
+		--owner "${USER}" \
+		--group "${GROUP}" \
+		--mode "0440" \
+		--source "${CONFIG_FILE_SOURCE}"
+	service_required="${service_required} __file${CONFIG_FILE_DEST}"
+fi
+
+
+
 # TODO: Support non-systemd
 __systemd_unit "${SERVICE_NAME}.service" \
 	--source "-" \
 	--state "${STATE}" \
+	--restart \
 	--enablement-state "enabled" <<EOF
 [Unit]
 Description=${SERVICE_DESCRIPTION}
@@ -81,6 +108,12 @@ service_require="${service_require} __systemd_unit/${SERVICE_NAME}.service"
 # Proceed after user and service description have been prepared
 export require="${require} ${service_require}"
 
+# Perform a service restart if config has changed
+if [ "${STATE}" = "present" ]; then
+	__check_messages "${SERVICE_NAME}_config" \
+		--pattern "^__file${CONFIG_FILE_DEST}" \
+		--execute "service ${SERVICE_NAME} restart"
+fi
 
 VERSION_FILE="${BIN_DIR}/.${SERVICE_NAME}.cdist.version"
 IS_VERSION="$(cat "${__object}/explorer/explorer-version")"
@@ -149,10 +182,12 @@ EOF
 			"${VERSION_FILE}" \
 			--source "-"
 fi
+
 if [ "${STATE}" = "absent" ]; then
 	# Perform cleanup of generated files
 	for bin_file in ${BINARY} ${EXTRA_BINARIES}; do
 		__file "${BINARY_PREFIX}/${bin_file}" --state "absent"
 	done
 	__file "${VERSION_FILE}" --state "absent"
+	__file "${CONFIG_FILE_DEST}" --state "absent"
 fi
diff --git a/parameter/boolean b/parameter/boolean
index f5f0902..a779fd5 100644
--- a/parameter/boolean
+++ b/parameter/boolean
@@ -1 +1,2 @@
+do-not-manage-user
 unpack
diff --git a/parameter/optional b/parameter/optional
index 6751e9c..7669591 100644
--- a/parameter/optional
+++ b/parameter/optional
@@ -1,3 +1,4 @@
+config-file-source
 user
 group
 state

From c5929f397db9107e8cbf82e03912f6fae34e948b Mon Sep 17 00:00:00 2001
From: Evilham <cvs@evilham.com>
Date: Wed, 4 Aug 2021 20:27:08 +0200
Subject: [PATCH 03/34] [__single_binary_service] Adapt bug fixes proposed by
 pedro

there are several typos, some style issues and now there is at most one service
restart in all cases.

Submitted by:   pedro <git2021@cas.cat>
---
 gencode-remote | 21 ++++++++++++++++
 man.rst        |  4 ++-
 manifest       | 68 +++++++++++++++++++++++++++++---------------------
 3 files changed, 64 insertions(+), 29 deletions(-)
 create mode 100644 gencode-remote

diff --git a/gencode-remote b/gencode-remote
new file mode 100644
index 0000000..fe769fa
--- /dev/null
+++ b/gencode-remote
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+
+STATE="$(cat "${__object}/parameter/state")"
+if [ "${STATE}" != "present" ]; then
+	exit
+fi
+
+ETC_DIR="/etc"
+SERVICE_NAME="${__object_id}"
+CONFIG_FILE_DEST="${ETC_DIR}/${SERVICE_NAME}.conf"
+
+BIN_DIR="/usr/local/bin"
+VERSION_FILE="${BIN_DIR}/.${SERVICE_NAME}.cdist.version"
+
+# We only restart here if there was a config change
+# but there was not a version change
+if grep -qE "^__file${CONFIG_FILE_DEST}" "${__messages_in}" && \
+	grep -qvE "^__file${VERSION_FILE}" "${__messages_in}"; then
+	echo "service ${SERVICE_NAME} restart"
+fi
+
diff --git a/man.rst b/man.rst
index 8f384bf..804b465 100644
--- a/man.rst
+++ b/man.rst
@@ -86,7 +86,9 @@ binary
     Otherwise, the contents of `--url` will be placed under this binary name.
 
 service-args
-    Any extra arguments to pass along with `--service-exec`.
+    Any extra arguments to pass along with `--service-exec`. Beware that any
+    service-args having the format `--config=/etc/foo.cfg` should be
+    represented in the following way `--service-exec='--config=/etc/foo.cfg'`
 
 service-exec
     The executable to use for this service.
diff --git a/manifest b/manifest
index e279a05..be967eb 100755
--- a/manifest
+++ b/manifest
@@ -1,5 +1,20 @@
 #!/bin/sh -e
 
+OS="$(cat "${__global}/explorer/os")"
+
+case "${OS}" in
+  debian)
+    SUPER_USER_GROUP=root
+  ;;
+  *bsd)
+    SUPER_USER_GROUP=wheel
+  ;;
+  *)
+    echo "Your OS '${OS}' is currently not supported." >&2
+    exit 1
+  ;;
+esac
+
 BIN_DIR="/usr/local/bin"
 ETC_DIR="/etc"
 
@@ -26,7 +41,7 @@ fi
 EXTRA_BINARIES="$(cat "${__object}/parameter/extra-binary" 2>/dev/null || true)"
 # This only makes sense for file archives
 if [ -n "${EXTRA_BINARIES}" ] && [ -f "${__object}/parameter/unpack" ]; then
-	cat >> /dev/stderr <<-EOF
+	cat >&2 <<-EOF
 	You cannot specify extra binaries without the --unpack argument.
 	Make sure that the --url argument points to a file archive.
 EOF
@@ -36,7 +51,8 @@ SERVICE_EXEC="$(cat "${__object}/parameter/service-exec" 2>/dev/null || true)"
 if [ -z "${SERVICE_EXEC}" ]; then
 	SERVICE_EXEC="${BIN_DIR}/${BINARY}"
 fi
-SERVICE_EXEC="${SERVICE_EXEC} $(cat "${__object}/parameter/service-args")"
+SERVICE_ARGS="$(cat "${__object}/parameter/service-args")"
+SERVICE_EXEC="${SERVICE_EXEC} ${SERVICE_ARGS}"
 
 SERVICE_DESCRIPTION="$(cat "${__object}/parameter/service-description" \
 	2>/dev/null || true)"
@@ -77,17 +93,19 @@ if [ -n "${CONFIG_FILE_SOURCE}" ] && [ "${STATE}" = "present" ]; then
 		--group "${GROUP}" \
 		--mode "0440" \
 		--source "${CONFIG_FILE_SOURCE}"
-	service_required="${service_required} __file${CONFIG_FILE_DEST}"
+	service_require="${service_require} __file${CONFIG_FILE_DEST}"
 fi
 
 
 
+INIT="$(cat "${__global}/explorer/init")"
 # TODO: Support non-systemd
-__systemd_unit "${SERVICE_NAME}.service" \
-	--source "-" \
-	--state "${STATE}" \
-	--restart \
-	--enablement-state "enabled" <<EOF
+case "${INIT}" in
+	systemd)
+		__systemd_unit "${SERVICE_NAME}.service" \
+			--source "-" \
+			--state "${STATE}" \
+			--enablement-state "enabled" <<EOF
 [Unit]
 Description=${SERVICE_DESCRIPTION}
 After=network.target
@@ -103,18 +121,18 @@ Restart=always
 [Install]
 WantedBy=multi-user.target
 EOF
-service_require="${service_require} __systemd_unit/${SERVICE_NAME}.service"
+	service_require="${service_require} __systemd_unit/${SERVICE_NAME}.service"
+
+  ;;
+  *)
+    echo "Init system ${INIT}' is currently not supported." >&2
+    exit 1
+  ;;
+esac
 
 # Proceed after user and service description have been prepared
 export require="${require} ${service_require}"
 
-# Perform a service restart if config has changed
-if [ "${STATE}" = "present" ]; then
-	__check_messages "${SERVICE_NAME}_config" \
-		--pattern "^__file${CONFIG_FILE_DEST}" \
-		--execute "service ${SERVICE_NAME} restart"
-fi
-
 VERSION_FILE="${BIN_DIR}/.${SERVICE_NAME}.cdist.version"
 IS_VERSION="$(cat "${__object}/explorer/explorer-version")"
 
@@ -130,8 +148,7 @@ if [ "${SHOULD_VERSION}" != "${IS_VERSION}" ] && \
 service ${SERVICE_NAME} stop || true
 for bin_file in ${BINARY} ${EXTRA_BINARIES}; do
 	bin_path="${TMP_PATH}/\${bin_file}"
-	# TODO: on the BSDs, the super user group is wheel
-	chown root:root "\${bin_path}"
+	chown root:${SUPER_USER_GROUP} "\${bin_path}"
 	chmod 0555 "\${bin_path}"
 	cp -af "\${bin_path}" "${BIN_DIR}/\${bin_file}"
 done
@@ -154,39 +171,34 @@ EOF
 		require="__download${TMP_PATH}.tar.gz" \
 			__unpack "${TMP_PATH}.tar.gz" \
 			${UNPACK_ARGS} \
-			--destination "${TMP_PATH}" \
-			--onchange "$(cat <<EOF
-${perform_service_upgrade}
-EOF
-)"
+			--destination "${TMP_PATH}"
 		version_bump_require="__unpack${TMP_PATH}.tar.gz"
 	else
 		# Create temp directory
 		__directory "${TMP_PATH}"
 		# Download binary directoy to the temp directory with the
 		# specified binary name
-		# And also perform service upgrade
 		require="__directory${TMP_PATH}" __download \
 			"${TMP_PATH}/${BINARY}" \
 			--url "${DOWNLOAD_URL}" \
 			--download remote \
-			--sum "${CHECKSUM}" \
-			--onchange "${perform_service_upgrade}"
+			--sum "${CHECKSUM}"
 		version_bump_require="__download${TMP_PATH}/${BINARY}"
 	fi
 
 	# Perform update of cdist-managed version file
-	# only after binaries have been upgraded
+	# And also perform service upgrade
 	printf "%s" "${SHOULD_VERSION}" | \
 		require="${version_bump_require}" __file \
 			"${VERSION_FILE}" \
+			--onchange "${perform_service_upgrade}" \
 			--source "-"
 fi
 
 if [ "${STATE}" = "absent" ]; then
 	# Perform cleanup of generated files
 	for bin_file in ${BINARY} ${EXTRA_BINARIES}; do
-		__file "${BINARY_PREFIX}/${bin_file}" --state "absent"
+		__file "${BIN_DIR}/${bin_file}" --state "absent"
 	done
 	__file "${VERSION_FILE}" --state "absent"
 	__file "${CONFIG_FILE_DEST}" --state "absent"

From afa48b1028a228ae6cfde130a17d28f0eb0ce180 Mon Sep 17 00:00:00 2001
From: Evilham <cvs@evilham.com>
Date: Wed, 4 Aug 2021 21:00:52 +0200
Subject: [PATCH 04/34] [__single_binary_service] Support customisation of
 systemd units

Requested by pedro
---
 manifest           | 14 ++++++++++----
 parameter/optional |  1 +
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/manifest b/manifest
index be967eb..fe9ef74 100755
--- a/manifest
+++ b/manifest
@@ -60,6 +60,8 @@ if [ -z "${SERVICE_DESCRIPTION}" ]; then
 	SERVICE_DESCRIPTION="cdist-managed '${SERVICE_NAME}' service"
 fi
 
+SERVICE_DEFINITION="$(cat "${__object}/parameter/service-definition" 2>/dev/null || true)"
+
 DOWNLOAD_URL="$(cat "${__object}/parameter/url")"
 CHECKSUM="$(cat "${__object}/parameter/checksum")"
 SHOULD_VERSION="$(cat "${__object}/parameter/version")"
@@ -102,10 +104,8 @@ INIT="$(cat "${__global}/explorer/init")"
 # TODO: Support non-systemd
 case "${INIT}" in
 	systemd)
-		__systemd_unit "${SERVICE_NAME}.service" \
-			--source "-" \
-			--state "${STATE}" \
-			--enablement-state "enabled" <<EOF
+		if [ -z "${SERVICE_DEFINITION}" ]; then
+			SERVICE_DEFINITION="$(cat <<EOF
 [Unit]
 Description=${SERVICE_DESCRIPTION}
 After=network.target
@@ -121,6 +121,12 @@ Restart=always
 [Install]
 WantedBy=multi-user.target
 EOF
+)"
+		fi
+		echo ${SERVICE_DEFINITION} | __systemd_unit "${SERVICE_NAME}.service" \
+			--source "-" \
+			--state "${STATE}" \
+			--enablement-state "enabled"
 	service_require="${service_require} __systemd_unit/${SERVICE_NAME}.service"
 
   ;;
diff --git a/parameter/optional b/parameter/optional
index 7669591..7c2ca06 100644
--- a/parameter/optional
+++ b/parameter/optional
@@ -6,4 +6,5 @@ binary
 service-args
 service-exec
 service-description
+service-definition
 unpack-args

From 3e77fbbb436fa3e6c62465218162436625c0e288 Mon Sep 17 00:00:00 2001
From: Evilham <cvs@evilham.com>
Date: Wed, 4 Aug 2021 21:02:37 +0200
Subject: [PATCH 05/34] [__single_binary_service] Do not use echo echo echo

---
 manifest | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/manifest b/manifest
index fe9ef74..e05b630 100755
--- a/manifest
+++ b/manifest
@@ -123,10 +123,12 @@ WantedBy=multi-user.target
 EOF
 )"
 		fi
-		echo ${SERVICE_DEFINITION} | __systemd_unit "${SERVICE_NAME}.service" \
+		__systemd_unit "${SERVICE_NAME}.service" \
 			--source "-" \
 			--state "${STATE}" \
-			--enablement-state "enabled"
+			--enablement-state "enabled" <<EOF
+${SERVICE_DEFINITION}
+EOF
 	service_require="${service_require} __systemd_unit/${SERVICE_NAME}.service"
 
   ;;

From 1af7e960fa882efc7202cad5cc01d3136886fa0a Mon Sep 17 00:00:00 2001
From: Evilham <cvs@evilham.com>
Date: Sat, 30 Oct 2021 15:36:49 +0200
Subject: [PATCH 06/34] [__single_binary_service] Many improvements + runit
 support

Amongst other things compressed files can be of a type other than .tar.gz (it
remains the default) and we now properly support runit services, FreeBSD and
Devuan.
---
 gencode-remote                     |  21 ----
 man.rst                            |  27 ++++-
 manifest                           | 173 +++++++++++++++++++++--------
 parameter/default/unpack-extension |   1 +
 parameter/default/user-home-dir    |   1 +
 parameter/optional                 |   3 +
 6 files changed, 152 insertions(+), 74 deletions(-)
 delete mode 100644 gencode-remote
 create mode 100644 parameter/default/unpack-extension
 create mode 100644 parameter/default/user-home-dir

diff --git a/gencode-remote b/gencode-remote
deleted file mode 100644
index fe769fa..0000000
--- a/gencode-remote
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/sh -e
-
-STATE="$(cat "${__object}/parameter/state")"
-if [ "${STATE}" != "present" ]; then
-	exit
-fi
-
-ETC_DIR="/etc"
-SERVICE_NAME="${__object_id}"
-CONFIG_FILE_DEST="${ETC_DIR}/${SERVICE_NAME}.conf"
-
-BIN_DIR="/usr/local/bin"
-VERSION_FILE="${BIN_DIR}/.${SERVICE_NAME}.cdist.version"
-
-# We only restart here if there was a config change
-# but there was not a version change
-if grep -qE "^__file${CONFIG_FILE_DEST}" "${__messages_in}" && \
-	grep -qvE "^__file${VERSION_FILE}" "${__messages_in}"; then
-	echo "service ${SERVICE_NAME} restart"
-fi
-
diff --git a/man.rst b/man.rst
index 804b465..cb40330 100644
--- a/man.rst
+++ b/man.rst
@@ -23,10 +23,8 @@ binaries in `/usr/local/bin`.
 If a `--config-file-source` is provided, it will be placed under:
 `/etc/${__object_id}.conf`.
 
-TODO (patches welcome!):
-- It currently only supports `.tar.gz` archives.
-- It currently only supports systemd units.
-- Does not handle properly BSD-systems (wheel group, /usr/local/etc, systemd)
+This type supports services managed by `__runit(7)` when `systemd` is not
+the init system being used.
 
 
 REQUIRED PARAMETERS
@@ -72,6 +70,13 @@ user
     If this user is not `root` and `--do-not-manage-user` is not present,
     this user will be created or removed as per the `--state` parameter.
 
+user-home-dir
+    Does not have an effect if `--do-not-manage-user` is used or `--user` is
+    `root`.
+    The home directory of the service user. It will be created.
+    Defaults to `/nonexistent`, in this case the home directory will not be
+    created.
+
 group
     The group under which the service will run. Defaults to `--user`.
 
@@ -95,6 +100,13 @@ service-exec
     Defaults to `/usr/local/bin/BINARY_NAME` where `BINARY_NAME` is the
     resulting value of `--binary`.
 
+service-definition
+    The service definition to be used as an override.
+    Note that this type decides dinammically between runit and systemd, and
+    you can currently only define either a systemd unit or a runit script here.
+    Use this parameter only for testing and get in touch to discuss how your
+    particular use-case can be supported by the type.
+
 service-description
     The service description to be used in, e.g. the systemd unit file.
     Defaults to `cdist-managed '${__object_id}' service`.
@@ -106,6 +118,13 @@ unpack-args
     subdirectories; that can be worked around with
     `--unpack-args '--tar-strip 1'`.
 
+unpack-extension
+    Only has an effect if `--unpack` is used.
+    The file extension of the file to unpack, defaults to `.tar.gz`.
+
+working-directory
+    If set, the working directory with which the service will be started.
+
 
 OPTIONAL MULTIPLE PARAMETERS
 ----------------------------
diff --git a/manifest b/manifest
index e05b630..8288b94 100755
--- a/manifest
+++ b/manifest
@@ -1,22 +1,43 @@
 #!/bin/sh -e
+SERVICE_NAME="${__object_id}"
 
 OS="$(cat "${__global}/explorer/os")"
 
 case "${OS}" in
-  debian)
-    SUPER_USER_GROUP=root
-  ;;
-  *bsd)
-    SUPER_USER_GROUP=wheel
-  ;;
-  *)
-    echo "Your OS '${OS}' is currently not supported." >&2
-    exit 1
-  ;;
+	debian|devuan)
+		SUPER_USER_GROUP=root
+		ETC_DIR="/etc"
+	;;
+	*bsd)
+		SUPER_USER_GROUP=wheel
+		ETC_DIR="/usr/local/etc"
+	;;
+	*)
+		echo "Your OS '${OS}' is currently not supported." >&2
+		exit 1
+	;;
+esac
+INIT="$(cat "${__global}/explorer/init")"
+
+case "${INIT}" in
+	systemd)
+		service_definition_require="__systemd_unit/${SERVICE_NAME}.service"
+		service_command="service ${SERVICE_NAME} %s"
+	;;
+	runit|sysvinit)
+		# We will use runit to manage these services
+		__runit
+		export require="__runit"
+		service_definition_require="__runit_service/${SERVICE_NAME}"
+		service_command="sv %s ${SERVICE_NAME}"
+	;;
+	*)
+		echo "Init system ${INIT}' is currently not supported." >&2
+		exit 1
+	;;
 esac
 
 BIN_DIR="/usr/local/bin"
-ETC_DIR="/etc"
 
 # Ensure the target bin dir exists
 #   Care, we never want to remove it :-D
@@ -29,10 +50,13 @@ STATE="$(cat "${__object}/parameter/state")"
 USER="$(cat "${__object}/parameter/user")"
 GROUP="$(cat "${__object}/parameter/group" 2>/dev/null || true)"
 if [ -z "${GROUP}" ]; then
-	GROUP="${USER}"
+	if [ "${USER}" != "root" ]; then
+		GROUP="${USER}"
+	else
+		GROUP="${SUPER_USER_GROUP}"
+	fi
 fi
 
-SERVICE_NAME="${__object_id}"
 
 BINARY="$(cat "${__object}/parameter/binary" 2>/dev/null || true)"
 if [ -z "${BINARY}" ]; then
@@ -62,22 +86,34 @@ fi
 
 SERVICE_DEFINITION="$(cat "${__object}/parameter/service-definition" 2>/dev/null || true)"
 
+WORKING_DIRECTORY_PATH="$(cat "${__object}/parameter/working-directory" 2>/dev/null || true)"
+if [ -n "${WORKING_DIRECTORY_PATH}" ]; then
+	WORKING_DIRECTORY_SYSTEMD="WorkingDirectory=${WORKING_DIRECTORY_PATH}"
+	WORKING_DIRECTORY_RUNIT="cd '${WORKING_DIRECTORY_PATH}'"
+fi
+
 DOWNLOAD_URL="$(cat "${__object}/parameter/url")"
 CHECKSUM="$(cat "${__object}/parameter/checksum")"
 SHOULD_VERSION="$(cat "${__object}/parameter/version")"
 
 # Create a user for the service if it is not root
+USER_HOME_DIR="/root"
 if [ "${USER}" != "root" ] && \
 		[ ! -f "${__object}/parameter/do-not-manage-user" ]; then
 	if [ "${STATE}" = "absent" ]; then
 		# When removing, ensure user is not being used
-		user_require="__systemd_unit/${SERVICE_NAME}.service"
+		user_require="${service_definition_require}"
+	fi
+	USER_HOME_DIR="$(cat "${__object}/parameter/user-home-dir")"
+	if [ "${USER_HOME_DIR}" != "/nonexistent" ]; then
+		USER_CREATE_HOME="--create-home"
 	fi
 	require="${require} ${user_require}" __user "${USER}" \
 		--system \
 		--state "${STATE}" \
-		--home /nonexistent \
-		--comment "cdist-managed ${SERVICE_NAME} user"
+		--home "${USER_HOME_DIR}" \
+		--comment "cdist-managed ${SERVICE_NAME} user" \
+		${USER_CREATE_HOME}
 	# Track dependencies
 	service_require="${service_require} __user/${USER}"
 fi
@@ -100,8 +136,8 @@ fi
 
 
 
-INIT="$(cat "${__global}/explorer/init")"
-# TODO: Support non-systemd
+# This should setup the object in $service_definition_require
+# See above.
 case "${INIT}" in
 	systemd)
 		if [ -z "${SERVICE_DEFINITION}" ]; then
@@ -117,6 +153,7 @@ User=${USER}
 Group=${GROUP}
 ExecStart=${SERVICE_EXEC}
 Restart=always
+${WORKING_DIRECTORY_SYSTEMD}
 
 [Install]
 WantedBy=multi-user.target
@@ -129,14 +166,28 @@ EOF
 			--enablement-state "enabled" <<EOF
 ${SERVICE_DEFINITION}
 EOF
-	service_require="${service_require} __systemd_unit/${SERVICE_NAME}.service"
-
-  ;;
-  *)
-    echo "Init system ${INIT}' is currently not supported." >&2
-    exit 1
-  ;;
+	;;
+	runit|sysvinit)
+		if [ -z "${SERVICE_DEFINITION}" ]; then
+			SERVICE_DEFINITION="$(cat <<EOF
+#!/bin/sh -e
+${WORKING_DIRECTORY_RUNIT}
+export HOME="\$(getent passwd '${USER}' | cut -d: -f6)"
+export USER="${USER}"
+export GROUP="${GROUP}"
+exec chpst -u "${USER}:${GROUP}" ${SERVICE_EXEC}
+EOF
+)"
+		fi
+		__runit_service "${SERVICE_NAME}" \
+			--state "${STATE}" \
+			--log \
+			--source - <<EOF
+${SERVICE_DEFINITION}
+EOF
+	;;
 esac
+service_require="${service_require} ${service_definition_require}"
 
 # Proceed after user and service description have been prepared
 export require="${require} ${service_require}"
@@ -144,8 +195,27 @@ export require="${require} ${service_require}"
 VERSION_FILE="${BIN_DIR}/.${SERVICE_NAME}.cdist.version"
 IS_VERSION="$(cat "${__object}/explorer/explorer-version")"
 
-if [ "${SHOULD_VERSION}" != "${IS_VERSION}" ] && \
-		[ "${STATE}" = "present" ]; then
+
+if [ "${STATE}" = "absent" ]; then
+	# Perform cleanup of generated files
+	for bin_file in ${BINARY} ${EXTRA_BINARIES}; do
+		__file "${BIN_DIR}/${bin_file}" --state "absent"
+	done
+	__file "${VERSION_FILE}" --state "absent"
+	__file "${CONFIG_FILE_DEST}" --state "absent"
+fi
+
+if [ "${STATE}" != "present" ]; then
+	exit
+fi
+
+sv_cmd() {
+	# This is intentional
+	# shellcheck disable=SC2059
+	printf "${service_command}" "$1"
+}
+
+if [ "${SHOULD_VERSION}" != "${IS_VERSION}" ]; then
 	# We are installing the service and there has been a version change
 	# (or it is first-time install)
 	TMP_PATH="/tmp/${SERVICE_NAME}-${SHOULD_VERSION}"
@@ -153,34 +223,40 @@ if [ "${SHOULD_VERSION}" != "${IS_VERSION}" ] && \
 	# This is what will stop the service, replace the binaries and
 	# start the service again
 	perform_service_upgrade="$(cat <<EOF
-service ${SERVICE_NAME} stop || true
-for bin_file in ${BINARY} ${EXTRA_BINARIES}; do
-	bin_path="${TMP_PATH}/\${bin_file}"
-	chown root:${SUPER_USER_GROUP} "\${bin_path}"
-	chmod 0555 "\${bin_path}"
-	cp -af "\${bin_path}" "${BIN_DIR}/\${bin_file}"
-done
-service ${SERVICE_NAME} start || true
+$(sv_cmd stop) || true
+if [ -f '${TMP_PATH}' ]; then
+	chown root:${SUPER_USER_GROUP} '${TMP_PATH}'
+	chmod 0555 '${TMP_PATH}'
+	cp -af '${TMP_PATH}' '${BIN_DIR}/${BINARY}'
+else
+	for bin_file in ${BINARY} ${EXTRA_BINARIES}; do
+		bin_path="${TMP_PATH}/\${bin_file}"
+		chown root:${SUPER_USER_GROUP} "\${bin_path}"
+		chmod 0555 "\${bin_path}"
+		cp -af "\${bin_path}" "${BIN_DIR}/\${bin_file}"
+	done
+fi
+$(sv_cmd start) || true
 EOF
 )"
 
 	if [ -f "${__object}/parameter/unpack" ]; then
-		# TODO: Support files other than .tar.gz
+		UNPACK_EXTENSION="$(cat "${__object}/parameter/unpack-extension")"
 		UNPACK_ARGS="$(cat "${__object}/parameter/unpack-args" \
 			2>/dev/null || true)"
 		# Download packed file
-		__download "${TMP_PATH}.tar.gz" \
+		__download "${TMP_PATH}${UNPACK_EXTENSION}" \
 			--url "${DOWNLOAD_URL}" \
 			--download remote \
 			--sum "${CHECKSUM}"
 
 		# Unpack file and also perform service upgrade
 		# shellcheck disable=SC2086
-		require="__download${TMP_PATH}.tar.gz" \
-			__unpack "${TMP_PATH}.tar.gz" \
+		require="__download${TMP_PATH}${UNPACK_EXTENSION}" \
+			__unpack "${TMP_PATH}${UNPACK_EXTENSION}" \
 			${UNPACK_ARGS} \
 			--destination "${TMP_PATH}"
-		version_bump_require="__unpack${TMP_PATH}.tar.gz"
+		version_bump_require="__unpack${TMP_PATH}${UNPACK_EXTENSION}"
 	else
 		# Create temp directory
 		__directory "${TMP_PATH}"
@@ -196,18 +272,17 @@ EOF
 
 	# Perform update of cdist-managed version file
 	# And also perform service upgrade
+	# This is a bug if service_upgrade fails >,<
 	printf "%s" "${SHOULD_VERSION}" | \
 		require="${version_bump_require}" __file \
 			"${VERSION_FILE}" \
 			--onchange "${perform_service_upgrade}" \
 			--source "-"
-fi
-
-if [ "${STATE}" = "absent" ]; then
-	# Perform cleanup of generated files
-	for bin_file in ${BINARY} ${EXTRA_BINARIES}; do
-		__file "${BIN_DIR}/${bin_file}" --state "absent"
-	done
-	__file "${VERSION_FILE}" --state "absent"
-	__file "${CONFIG_FILE_DEST}" --state "absent"
+else
+	# We only restart here if there was a config change
+	# but there was not a version change
+	require="${service_require}" __check_messages \
+		"single_binary_service_${__object_id}" \
+		--pattern "^__file${CONFIG_FILE_DEST}" \
+		--execute "$(sv_cmd restart)"
 fi
diff --git a/parameter/default/unpack-extension b/parameter/default/unpack-extension
new file mode 100644
index 0000000..c95e2e9
--- /dev/null
+++ b/parameter/default/unpack-extension
@@ -0,0 +1 @@
+.tar.gz
\ No newline at end of file
diff --git a/parameter/default/user-home-dir b/parameter/default/user-home-dir
new file mode 100644
index 0000000..4d21ca6
--- /dev/null
+++ b/parameter/default/user-home-dir
@@ -0,0 +1 @@
+/nonexistent
diff --git a/parameter/optional b/parameter/optional
index 7c2ca06..7c88cb4 100644
--- a/parameter/optional
+++ b/parameter/optional
@@ -7,4 +7,7 @@ service-args
 service-exec
 service-description
 service-definition
+unpack-extension
 unpack-args
+user-home-dir
+working-directory

From 9b6788f29a1301773cabd42f1bdd108d6f967716 Mon Sep 17 00:00:00 2001
From: Joachim Desroches <joachim.desroches@epfl.ch>
Date: Tue, 22 Mar 2022 16:24:00 +0100
Subject: [PATCH 07/34] __php_fpm{,_pool}: initial implementation.

---
 type/__php_fpm/files/php.ini.sh               | 45 +++++++++++
 type/__php_fpm/man.rst                        | 75 ++++++++++++++++++
 type/__php_fpm/manifest                       | 47 +++++++++++
 type/__php_fpm/parameter/boolean              |  2 +
 type/__php_fpm/parameter/default/memory-limit |  1 +
 .../parameter/default/upload-max-filesize     |  1 +
 type/__php_fpm/parameter/optional             |  2 +
 type/__php_fpm/parameter/required             |  1 +
 type/__php_fpm/singleton                      |  0
 type/__php_fpm_pool/files/www.conf.sh         | 34 ++++++++
 type/__php_fpm_pool/man.rst                   | 79 +++++++++++++++++++
 type/__php_fpm_pool/manifest                  | 37 +++++++++
 type/__php_fpm_pool/parameter/optional        |  2 +
 type/__php_fpm_pool/parameter/required        |  5 ++
 14 files changed, 331 insertions(+)
 create mode 100755 type/__php_fpm/files/php.ini.sh
 create mode 100644 type/__php_fpm/man.rst
 create mode 100644 type/__php_fpm/manifest
 create mode 100644 type/__php_fpm/parameter/boolean
 create mode 100644 type/__php_fpm/parameter/default/memory-limit
 create mode 100644 type/__php_fpm/parameter/default/upload-max-filesize
 create mode 100644 type/__php_fpm/parameter/optional
 create mode 100644 type/__php_fpm/parameter/required
 create mode 100644 type/__php_fpm/singleton
 create mode 100755 type/__php_fpm_pool/files/www.conf.sh
 create mode 100644 type/__php_fpm_pool/man.rst
 create mode 100644 type/__php_fpm_pool/manifest
 create mode 100644 type/__php_fpm_pool/parameter/optional
 create mode 100644 type/__php_fpm_pool/parameter/required

diff --git a/type/__php_fpm/files/php.ini.sh b/type/__php_fpm/files/php.ini.sh
new file mode 100755
index 0000000..8fbc4ac
--- /dev/null
+++ b/type/__php_fpm/files/php.ini.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+cat <<EOF
+; This file is managed by cdist, and has been shortened for readability.
+; The fine manual is at http://php.net/configuration.file.
+
+[PHP]
+
+; Production recommended defaults
+display_errors = Off
+display_startup_errors = Off
+enable_dl = Off
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+log_errors = On
+output_buffering = 4096
+register_argc_argv = Off
+request_order = "GP"
+short_open_tag = Off
+variables_order = "GPCS"
+zend.assertions = -1
+
+; Local custom variations
+include_path = ".:/usr/share/php${PHPVER:?}"
+memory_limit = ${MEMORY_LIMIT:?}
+post_max_size = ${UPLOAD_MAX_FILESIZE:?}
+upload_max_filesize = ${UPLOAD_MAX_FILESIZE:?}
+
+EOF
+
+if [ -f "${__object:?}/parameter/enable-opcache" ]; then
+	cat <<-EOF
+		; opcache enabled by type flag
+		opcache.enable=1
+		opcache.enable_cli=1
+	EOF
+fi
+
+if [ -f "${__object:?}/parameter/enable-apcu" ]; then
+	cat <<-EOF
+		; acpu enabled by type flag
+		apc.enabled=1
+		apc.enable_cli=1
+		apc.shm_size=512M
+	EOF
+fi
diff --git a/type/__php_fpm/man.rst b/type/__php_fpm/man.rst
new file mode 100644
index 0000000..08b479e
--- /dev/null
+++ b/type/__php_fpm/man.rst
@@ -0,0 +1,75 @@
+cdist-type__php_fpm(7)
+======================
+
+NAME
+----
+cdist-type__php_fpm - Setup and configure PHP-FPM
+
+
+DESCRIPTION
+-----------
+This type installs and configures PHP-FPM for a given version of PHP. It is
+expected to be used in combination with cdist-type__php_fpm_pool, which
+configures specific pools.
+
+Note that currently, this type is only implemented for Alpine Linux.
+
+
+REQUIRED PARAMETERS
+-------------------
+php-version
+        The PHP version for which the type is working. Will impact installed
+        packages, configuration files, &c
+
+
+OPTIONAL PARAMETERS
+-------------------
+memory-limit
+        The system-wide memory limit for PHP-FPM. Can be overriden per-pool.
+        Default is 512M.
+
+upload-max-filesize
+        The maximum filesize accepted by PHP-FPM for file uploads. Default is
+        2M.
+
+BOOLEAN PARAMETERS
+------------------
+enable-opcache
+        Enable PHP opcache.
+
+enable-apcu
+        Enable PHP APCu.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Dead simple setup
+    __php_fpm --php-version 8.1
+
+    # Custom setup
+    __php_fpm \
+        --php-version 8.1 \
+        --memory-limit 768M \
+        --upload-max-filesize 200M \
+        --enable-opcache \
+        --enable-apcu
+
+SEE ALSO
+--------
+cdist-type__php_fpm_pool(7)
+
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2022 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
diff --git a/type/__php_fpm/manifest b/type/__php_fpm/manifest
new file mode 100644
index 0000000..84c4383
--- /dev/null
+++ b/type/__php_fpm/manifest
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+os=$(cat "${__global:?}/explorer/os")
+
+PHPVER=$(cat "${__object:?}/parameter/php-version")
+export PHPVER
+
+case "$os" in
+'alpine')
+	package="php${PHPVER}-fpm"
+	service="php-fpm${PHPVER}"
+	opcache_package="php${PHPVER}-opcache"
+	apcu_package="php${PHPVER}-pecl-apcu"
+	;;
+
+*)
+	printf "Your operating system is currently not supported by this type\n" >&2
+	printf "Please contribute an implementation for it if you can.\n" >&2
+	exit 1
+	;;
+esac
+
+__package "$package"
+require="__package/$package" __start_on_boot "$service"
+
+if [ -f "${__object:?}/parameter/enable-opcache" ]; then
+	__package "$opcache_package"
+fi
+
+if [ -f "${__object:?}/parameter/enable-apcu" ]; then
+	__package "$apcu_package"
+fi
+
+MEMORY_LIMIT=$(cat "${__object:?}/parameter/memory-limit")
+export MEMORY_LIMIT
+
+UPLOAD_MAX_FILESIZE=$(cat "${__object:?}/parameter/upload-max-filesize")
+export UPLOAD_MAX_FILESIZE
+
+mkdir -p "${__object:?}/files"
+"${__type:?}/files/php.ini.sh" >"${__object:?}/files/php.ini"
+
+require="__package/$package" __file "/etc/php${PHPVER}/php.ini" \
+	--mode 644 --source "${__object:?}/files/php.ini" \
+	--onchange "service $service restart"
+
+require="__file/etc/php${PHPVER}/php.ini" __service "$service" --action start
diff --git a/type/__php_fpm/parameter/boolean b/type/__php_fpm/parameter/boolean
new file mode 100644
index 0000000..9964486
--- /dev/null
+++ b/type/__php_fpm/parameter/boolean
@@ -0,0 +1,2 @@
+enable-opcache
+enable-apcu
diff --git a/type/__php_fpm/parameter/default/memory-limit b/type/__php_fpm/parameter/default/memory-limit
new file mode 100644
index 0000000..d95fe12
--- /dev/null
+++ b/type/__php_fpm/parameter/default/memory-limit
@@ -0,0 +1 @@
+512M
diff --git a/type/__php_fpm/parameter/default/upload-max-filesize b/type/__php_fpm/parameter/default/upload-max-filesize
new file mode 100644
index 0000000..5fbcf1c
--- /dev/null
+++ b/type/__php_fpm/parameter/default/upload-max-filesize
@@ -0,0 +1 @@
+2M
diff --git a/type/__php_fpm/parameter/optional b/type/__php_fpm/parameter/optional
new file mode 100644
index 0000000..a41a87c
--- /dev/null
+++ b/type/__php_fpm/parameter/optional
@@ -0,0 +1,2 @@
+upload-max-filesize
+memory-limit
diff --git a/type/__php_fpm/parameter/required b/type/__php_fpm/parameter/required
new file mode 100644
index 0000000..173609d
--- /dev/null
+++ b/type/__php_fpm/parameter/required
@@ -0,0 +1 @@
+php-version
diff --git a/type/__php_fpm/singleton b/type/__php_fpm/singleton
new file mode 100644
index 0000000..e69de29
diff --git a/type/__php_fpm_pool/files/www.conf.sh b/type/__php_fpm_pool/files/www.conf.sh
new file mode 100755
index 0000000..aa8fa7c
--- /dev/null
+++ b/type/__php_fpm_pool/files/www.conf.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+cat <<EOF
+; PHP-FPM configuration file for $POOL_NAME, PHP version $PHPVER.
+; This file is managed by cdist, do not edit by hand!
+[$POOL_NAME]
+
+; Local non-default configuration
+user = $POOL_USER
+group = $POOL_GROUP
+listen = $POOL_LISTEN_ADDR
+listen.owner = $POOL_LISTEN_OWNER
+
+; Mandatory configuration options with default production values
+pm = dynamic
+pm.max_children = 10
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+
+env[HOSTNAME] = \$HOSTNAME
+env[PATH] = /usr/local/bin:/usr/bin:/bin
+env[TMP] = /tmp
+env[TMPDIR] = /tmp
+env[TEMP] = /tmp
+
+EOF
+
+if [ -f "${__object:?}/parameter/memory-limit" ]; then
+	echo "php_admin_value[memory_limit] = $(cat "$__object/parameter/memory-limit")"
+fi
+
+if [ -f "${__object:?}/parameter/open-basedir" ]; then
+	echo "php_admin_value[open_basedir] = $(cat "${__object:?}/parameter/open-basedir")"
+fi
diff --git a/type/__php_fpm_pool/man.rst b/type/__php_fpm_pool/man.rst
new file mode 100644
index 0000000..cd96175
--- /dev/null
+++ b/type/__php_fpm_pool/man.rst
@@ -0,0 +1,79 @@
+cdist-type__php_fpm_pool(7)
+===========================
+
+NAME
+----
+cdist-type__php_fpm_pool - Setup and configure a PHP-FPM pool
+
+
+DESCRIPTION
+-----------
+
+This type configures a pool named after the `__object_id` for a specified PHP
+version. Note that this types expects a same-version cdist-type__php_fpm type
+to have been run first: the user is responsible for doing so.
+
+Note that currently, this type is only implemented for Alpine Linux.
+
+
+REQUIRED PARAMETERS
+-------------------
+php-version
+        The PHP version for which the type is working. Will impact installed
+        packages, configuration files, &c
+
+pool-user
+        The local user under which the pool processes should run.
+
+pool-group
+        The local group under which the pool processes should run.
+
+pool-listen-addr
+        The socket or address to which the pool should bind for listening.
+
+pool-listen-owner
+        The owner of the socket if a socket is used.
+
+OPTIONAL PARAMETERS
+-------------------
+memory-limit
+        The pool memory limit for PHP-FPM. Will default to the setting in the
+        system-wide php.ini file.
+
+openbasedir
+        Limit the files that can be accessed by PHP to the specified
+        directory-tree, including the file itself.
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Setup PHP-FPM
+    __php_fpm --php-version 8
+
+    # Setup the pool
+    __php_fpm_pool www \
+        --php-version 8 \
+        --pool-user nextcloud \
+        --pool-group www-data \
+        --pool-listen-addr "/run/php8/php-fpm.sock" \
+        --pool-listen-owner nginx \
+        --memory-limit 1G
+
+SEE ALSO
+--------
+cdist-type__php_fpm(7)
+
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2022 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
diff --git a/type/__php_fpm_pool/manifest b/type/__php_fpm_pool/manifest
new file mode 100644
index 0000000..b090c9d
--- /dev/null
+++ b/type/__php_fpm_pool/manifest
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+# XXX: this type does not configure or install php-fpm: it expects the
+# __recycledcloud_php_fpm type to be used first before pools are configured.
+
+os=$(cat "${__global:?}/explorer/os")
+name=${__object_id:?}
+
+PHPVER=$(cat "${__object:?}/parameter/php-version")
+export PHPVER
+
+case "$os" in
+'alpine')
+	service="php-fpm${PHPVER}"
+	:
+	;;
+
+*)
+	printf "Your operating system is currently not supported by this type\n" >&2
+	printf "Please contribute an implementation for it if you can.\n" >&2
+	exit 1
+	;;
+esac
+
+POOL_NAME="$name"
+POOL_USER=$(cat "${__object:?}/parameter/pool-user")
+POOL_GROUP=$(cat "${__object:?}/parameter/pool-group")
+POOL_LISTEN_ADDR=$(cat "${__object:?}/parameter/pool-listen-addr")
+POOL_LISTEN_OWNER=$(cat "${__object:?}/parameter/pool-listen-owner")
+export POOL_USER POOL_GROUP POOL_LISTEN_ADDR POOL_LISTEN_OWNER POOL_NAME
+
+mkdir -p "${__object:?}/files"
+"${__type:?}/files/www.conf.sh" >"${__object:?}/files/www.conf"
+
+__file "/etc/php${PHPVER:?}/php-fpm.d/${name}.conf" \
+	--mode 644 --source "${__object:?}/files/www.conf" \
+	--onchange "service $service reload"
diff --git a/type/__php_fpm_pool/parameter/optional b/type/__php_fpm_pool/parameter/optional
new file mode 100644
index 0000000..7adc0a3
--- /dev/null
+++ b/type/__php_fpm_pool/parameter/optional
@@ -0,0 +1,2 @@
+memory-limit
+open-basedir
diff --git a/type/__php_fpm_pool/parameter/required b/type/__php_fpm_pool/parameter/required
new file mode 100644
index 0000000..d247290
--- /dev/null
+++ b/type/__php_fpm_pool/parameter/required
@@ -0,0 +1,5 @@
+php-version
+pool-user
+pool-group
+pool-listen-addr
+pool-listen-owner

From fa37ede84fd53fa0902cb74ab13dae5989cb5494 Mon Sep 17 00:00:00 2001
From: Evilham <contact@evilham.com>
Date: Sun, 10 Apr 2022 19:45:08 +0200
Subject: [PATCH 08/34] [__jitsi_meet] Unconfuse jitsi-version and secured
 domains

Closes #14 by committing to keeping the package up to date as promptly as
possible; else weird  things happen and there are no real good solutions for
this.  E.g. we have seen in the past that due to security issues, a jitsi
dependency  needs to be upgraded, but some package that jitsi-meet depends upon
also has an upper limit on that package's version.

A note was added to the manpage in order make it explicit that maintenance of
this type can be sponsored to ensure its proper functioning.

Closes #15 by using `__file`. This will also allow us to have more control over
jicofo's settings, which might be important when we start doing recordings.

Sponsored by:	lafede.cat
---
 type/__jitsi_meet/files/jicofo.conf.sh        | 34 +++++++++++++++++
 .../default => files}/jitsi-version           |  0
 type/__jitsi_meet/gencode-remote              |  2 +-
 type/__jitsi_meet/man.rst                     | 18 +++++----
 type/__jitsi_meet/manifest                    | 38 +++++++++----------
 .../parameter/deprecated/jitsi-version        |  4 ++
 6 files changed, 67 insertions(+), 29 deletions(-)
 create mode 100755 type/__jitsi_meet/files/jicofo.conf.sh
 rename type/__jitsi_meet/{parameter/default => files}/jitsi-version (100%)
 create mode 100644 type/__jitsi_meet/parameter/deprecated/jitsi-version

diff --git a/type/__jitsi_meet/files/jicofo.conf.sh b/type/__jitsi_meet/files/jicofo.conf.sh
new file mode 100755
index 0000000..61a782a
--- /dev/null
+++ b/type/__jitsi_meet/files/jicofo.conf.sh
@@ -0,0 +1,34 @@
+#!/bin/sh -eu
+
+# Start
+cat <<EOF
+# Managed remotely, changes will be lost
+
+# Jicofo HOCON configuration. See /usr/share/jicofo/jicofo.jar/reference.conf for
+#available options, syntax, and default values.
+jicofo {
+  xmpp: {
+    client: {
+      client-proxy: focus.${JITSI_HOST:?}
+    }
+    trusted-domains: [ "recorder.${JITSI_HOST:?}" ]
+  }
+  bridge: {
+    brewery-jid: "JvbBrewery@internal.auth.${JITSI_HOST:?}"
+  }
+EOF
+
+# Secured domains if needed
+if [ "${SECURED_DOMAINS_STATE:?}" = "present" ]; then
+cat <<EOF
+
+  authentication: {
+    enabled: true
+    type: XMPP
+    login-url: ${JITSI_HOST:?}
+  }
+EOF
+fi
+
+# End
+echo '}'
diff --git a/type/__jitsi_meet/parameter/default/jitsi-version b/type/__jitsi_meet/files/jitsi-version
similarity index 100%
rename from type/__jitsi_meet/parameter/default/jitsi-version
rename to type/__jitsi_meet/files/jitsi-version
diff --git a/type/__jitsi_meet/gencode-remote b/type/__jitsi_meet/gencode-remote
index ae91f53..7d181b7 100755
--- a/type/__jitsi_meet/gencode-remote
+++ b/type/__jitsi_meet/gencode-remote
@@ -5,7 +5,7 @@ if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
 fi
 
 JITSI_HOST="${__object_id}"
-if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua)" "${__messages_in}"; then
+if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua|__file/etc/jitsi/jicofo/jicofo.conf)" "${__messages_in}"; then
   echo "systemctl restart prosody"
   echo "systemctl restart jicofo"
   echo "systemctl restart jitsi-videobridge2"
diff --git a/type/__jitsi_meet/man.rst b/type/__jitsi_meet/man.rst
index bf7cd86..b11fdc9 100644
--- a/type/__jitsi_meet/man.rst
+++ b/type/__jitsi_meet/man.rst
@@ -28,6 +28,15 @@ You should apply your own rules here.
 
 This type only works on De{bi,vu}an systems.
 
+It is very important for this type to stay up to date with the software, as
+otherwise new deployments or maintenance of existing instances might be
+negatively affected.
+If you can, please contribute updates to `__jitsi_meet` and
+`__jitsi_meet_domain` promptly and regularly.
+Alternatively, you can help finance that work; get in touch with the type
+authors for that (see below).
+
+
 NOTE: This type currently does not deal with setting up coturn.
       For that, you might want to check `__coturn` in
       https://code.ungleich.ch/ungleich-public/cdist-contrib
@@ -43,11 +52,6 @@ turn-server
     The hostname of the TURN server.
     This will assume that it is listening with TLS on port 443.
 
-jitsi-version
-    The jitsi-meet version of the Debian package to be installed.
-    While this can be specified, only the default value is known to work
-    properly with this type.
-
 
 BOOLEAN PARAMETERS
 ------------------
@@ -70,7 +74,7 @@ EXAMPLES
 
 .. code-block:: sh
 
-    # Setup the firewall 
+    # Setup the firewall
     . "${__global}/type/__jitsi_meet/files/ufw"
     export require="__ufw"
     # Setup Jitsi on this host
@@ -92,4 +96,4 @@ Evilham <contact@evilham.com>
 
 COPYING
 -------
-Copyright \(C) 2021 Evilham.
+Copyright \(C) 2022 Evilham.
diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest
index 599af18..e9ed5c6 100755
--- a/type/__jitsi_meet/manifest
+++ b/type/__jitsi_meet/manifest
@@ -13,8 +13,13 @@ esac
 
 
 JITSI_HOST="${__target_host}"
-# Currently unused, see below
-# JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
+if [ -f "${__object}/parameter/jitsi-version" ]; then
+	# This has been deprecated and will be removed 'soon'
+	JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
+else
+	# Note this won't be a parameter anymore, we won't let users stay behind
+	JITSI_VERSION="$(cat "${__type}/files/jitsi-version")"
+fi
 TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
 TURN_SECRET="$(cat "${__object}/parameter/turn-secret")"
 
@@ -55,11 +60,12 @@ __debconf_set_selections jitsi_meet --line "${DEBCONF_SETTINGS}"
 export require="${require} __debconf_set_selections/jitsi_meet"
 
 # Install and upgrade packages as needed
-__package_apt jitsi-meet
-# We are not doing version pinning anymore because it breaks when
-# the version is not the latest.
-# This happens because dependencies cannot be properly resolved.
-# --version "${JITSI_VERSION}"
+#   NOTE: we are doing version pinning again, but it breaks sometimes when
+#         the version is not the latest.
+#         This happens because dependencies might not be properly resolved.
+#         To avoid this, this type must be maintained up to date.
+#         If we don't use this, keeping Jitsi's up to date is very difficult.
+__package_apt jitsi-meet --version "${JITSI_VERSION}"
 
 # Proceed only after installation/upgrade has finished
 export require="__package_apt/jitsi-meet"
@@ -151,10 +157,8 @@ EOF
 
 if [ -f "${__object}/parameter/secured-domains" ]; then
   SECURED_DOMAINS_STATE='present'
-  SECURED_DOMAINS_STATE_JICOFO='present'
 else
   SECURED_DOMAINS_STATE='absent'
-  SECURED_DOMAINS_STATE_JICOFO='absent'
 fi
 
 __file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
@@ -169,18 +173,10 @@ VirtualHost "guest.${JITSI_HOST}"
     c2s_require_encryption = false
 EOF
 
-__block jitsi_jicofo_secured_domains \
-  --prefix "// begin cdist: jicofo_secured_domains" \
-  --suffix "// end   cdist: jicofo_secured_domains" \
-  --file /etc/jitsi/jicofo/jicofo.conf \
-  --state "${SECURED_DOMAINS_STATE_JICOFO}" \
-  --text '-' <<EOF
-  authentication: {
-    enabled: true
-    type: XMPP
-    login-url: ${JITSI_HOST}
-  }
-EOF
+export SECURED_DOMAINS_STATE
+export JITSI_HOST
+"${__type}/files/jicofo.conf.sh" | \
+	__file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-'
 
 # These two should be changed on new release
 PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5"
diff --git a/type/__jitsi_meet/parameter/deprecated/jitsi-version b/type/__jitsi_meet/parameter/deprecated/jitsi-version
new file mode 100644
index 0000000..288d647
--- /dev/null
+++ b/type/__jitsi_meet/parameter/deprecated/jitsi-version
@@ -0,0 +1,4 @@
+Supporting different versions lead to strange issues in the life-time of a
+Jitsi instance. Chiefly: difficulties upgrading.
+
+If you are specifying this for a valid reason, please get in touch.

From 29cafd4f9a6f55009a781cef74216a128be2c1f4 Mon Sep 17 00:00:00 2001
From: Evilham <contact@evilham.com>
Date: Sat, 16 Apr 2022 13:22:16 +0200
Subject: [PATCH 09/34] [__jitsi_meet_domain] Simplify logic for secured
 domains

---
 type/__jitsi_meet_domain/files/config.js.sh | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/type/__jitsi_meet_domain/files/config.js.sh b/type/__jitsi_meet_domain/files/config.js.sh
index 58df3fc..7fec422 100644
--- a/type/__jitsi_meet_domain/files/config.js.sh
+++ b/type/__jitsi_meet_domain/files/config.js.sh
@@ -13,14 +13,8 @@ var config = {
         domain: '${JITSI_HOST}',
 
         // When using authentication, domain for guest users.
-$( if [ -n "${SECURED_DOMAINS}" ]; then cat<<EOF2
-        anonymousdomain: 'guest.${JITSI_HOST}',
-EOF2
-else cat <<EOF2
-        // anonymousdomain: 'guest.example.com',
-EOF2
-fi
-)
+        $( if [ -z "${SECURED_DOMAINS}" ]; then printf "// "
+	fi)anonymousdomain: 'guest.${JITSI_HOST}',
 
         // Domain for authenticated users. Defaults to <domain>.
         // authdomain: '${JITSI_HOST}',

From a12b343660254f5135aba81013d8ad80f161c21d Mon Sep 17 00:00:00 2001
From: Evilham <contact@evilham.com>
Date: Thu, 21 Apr 2022 13:13:12 +0200
Subject: [PATCH 10/34] [__jitsi_meet_domain] Add analytics settings parameter

with this, admins can take advantage of e.g. matomo to have some usage
statistics.

The parameter defaults to `disabled: true`, which is the most privacy-friendly!

Sponsored by:   camilion.eu
---
 type/__jitsi_meet_domain/files/config.js.sh                  | 1 +
 type/__jitsi_meet_domain/man.rst                             | 5 +++++
 type/__jitsi_meet_domain/manifest                            | 1 +
 .../__jitsi_meet_domain/parameter/default/analytics-settings | 1 +
 type/__jitsi_meet_domain/parameter/optional                  | 1 +
 5 files changed, 9 insertions(+)
 create mode 100644 type/__jitsi_meet_domain/parameter/default/analytics-settings

diff --git a/type/__jitsi_meet_domain/files/config.js.sh b/type/__jitsi_meet_domain/files/config.js.sh
index 7fec422..506e62d 100644
--- a/type/__jitsi_meet_domain/files/config.js.sh
+++ b/type/__jitsi_meet_domain/files/config.js.sh
@@ -817,6 +817,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     },
 
     analytics: {
+${ANALYTICS_SETTINGS}
         // True if the analytics should be disabled
         // disabled: false,
 
diff --git a/type/__jitsi_meet_domain/man.rst b/type/__jitsi_meet_domain/man.rst
index b035555..dd8c852 100644
--- a/type/__jitsi_meet_domain/man.rst
+++ b/type/__jitsi_meet_domain/man.rst
@@ -41,6 +41,11 @@ admin-email
 
 OPTIONAL PARAMETERS
 -------------------
+analytics-settings
+    This goes inside the `analytics` part of `config.js`.
+    Defaults to: `disabled: true`.
+    See: https://github.com/jitsi/jitsi-meet/blob/master/config.js
+
 channel-last-n
     Default value for the "last N" attribute.
     Defaults to 20. Set to -1 for unlimited.
diff --git a/type/__jitsi_meet_domain/manifest b/type/__jitsi_meet_domain/manifest
index 87af1b9..abc8a1a 100755
--- a/type/__jitsi_meet_domain/manifest
+++ b/type/__jitsi_meet_domain/manifest
@@ -18,6 +18,7 @@ NOTICE_MESSAGE="$(cat "${__object}/parameter/notice-message")"
 START_VIDEO_MUTED="$(cat "${__object}/parameter/start-video-muted")"
 TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
 VIDEO_CONSTRAINTS="$(cat "${__object}/parameter/video-constraints")"
+ANALYTICS_SETTINGS="$(cat "${__object}/parameter/analytics-settings")"
 BRANDING_INDEX="$(cat "${__object}/parameter/branding-index")"
 BRANDING_JSON="$(cat "${__object}/parameter/branding-json")"
 BRANDING_WATERMARK="$(cat "${__object}/parameter/branding-watermark")"
diff --git a/type/__jitsi_meet_domain/parameter/default/analytics-settings b/type/__jitsi_meet_domain/parameter/default/analytics-settings
new file mode 100644
index 0000000..561a7d6
--- /dev/null
+++ b/type/__jitsi_meet_domain/parameter/default/analytics-settings
@@ -0,0 +1 @@
+        disabled: true
diff --git a/type/__jitsi_meet_domain/parameter/optional b/type/__jitsi_meet_domain/parameter/optional
index ce50f0d..1289b85 100644
--- a/type/__jitsi_meet_domain/parameter/optional
+++ b/type/__jitsi_meet_domain/parameter/optional
@@ -1,3 +1,4 @@
+analytics-settings
 channel-last-n
 default-language
 notice-message

From 87cc109bf1753d4a10ca7b9143b6a655cd4d1baa Mon Sep 17 00:00:00 2001
From: Evilham <contact@evilham.com>
Date: Thu, 21 Apr 2022 13:20:30 +0200
Subject: [PATCH 11/34] [__jitsi_meet*] Make rooms on different domains not
 equivalent

This is a backwards-compatible change.

We switch the approach from "treat all domains as if they were the main domain"
to: "each domain has its own prosody settings".

This works perfectly fine, even with secured domains.

There is a caveat with secured domains, in that they use the main domain to log
in; this means that users are shared across all domains (as they were before
this commit).

This is due to jicofo refusing to start meetings from a domain that is not
configured, and it only accepting one domain.

Right now, this is acceptable, however we could want to authenticate against
e.g. different LDAP / IMAP servers in the future, so this would need addressing
at that stage.

Probably the best way to solve it is by patching jicofo, so it accepts starting
conferences from multiple domains and getting that patch upstream.

Sponsored by:   camilion.eu, eXO.cat
---
 type/__jitsi_meet/files/prosody.cfg.lua.sh    |   1 +
 type/__jitsi_meet/gencode-remote              |   3 +-
 type/__jitsi_meet/manifest                    |  24 ++-
 .../files/_update_jitsi_configurations.sh     |   1 +
 type/__jitsi_meet_domain/files/config.js.sh   |  19 +-
 type/__jitsi_meet_domain/files/nginx.sh       |   4 +-
 .../files/prosody.cfg.lua.sh                  | 199 ++++++++++++++++++
 .../files/prosody.cfg.lua.sh.orig             | 129 ++++++++++++
 type/__jitsi_meet_domain/man.rst              |  18 +-
 type/__jitsi_meet_domain/manifest             |  35 +++
 10 files changed, 403 insertions(+), 30 deletions(-)
 create mode 120000 type/__jitsi_meet/files/prosody.cfg.lua.sh
 create mode 100644 type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
 create mode 100644 type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig

diff --git a/type/__jitsi_meet/files/prosody.cfg.lua.sh b/type/__jitsi_meet/files/prosody.cfg.lua.sh
new file mode 120000
index 0000000..93678b9
--- /dev/null
+++ b/type/__jitsi_meet/files/prosody.cfg.lua.sh
@@ -0,0 +1 @@
+../../__jitsi_meet_domain/files/prosody.cfg.lua.sh
\ No newline at end of file
diff --git a/type/__jitsi_meet/gencode-remote b/type/__jitsi_meet/gencode-remote
index 7d181b7..670c7be 100755
--- a/type/__jitsi_meet/gencode-remote
+++ b/type/__jitsi_meet/gencode-remote
@@ -4,8 +4,7 @@ if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
 	echo "service nginx reload"
 fi
 
-JITSI_HOST="${__object_id}"
-if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua|__file/etc/jitsi/jicofo/jicofo.conf)" "${__messages_in}"; then
+if grep -qE "^(__line/jitsi_jicofo_secured_domains|(__file|__link)/etc/prosody/conf.d/|__file/etc/jitsi/jicofo/jicofo.conf)" "${__messages_in}"; then
   echo "systemctl restart prosody"
   echo "systemctl restart jicofo"
   echo "systemctl restart jitsi-videobridge2"
diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest
index e9ed5c6..02716a0 100755
--- a/type/__jitsi_meet/manifest
+++ b/type/__jitsi_meet/manifest
@@ -161,18 +161,22 @@ else
   SECURED_DOMAINS_STATE='absent'
 fi
 
-__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
-  --owner prosody --group prosody --mode 0440 \
-  --state ${SECURED_DOMAINS_STATE} \
-  --source - <<EOF
-VirtualHost "${JITSI_HOST}"
-    authentication = "internal_plain"
-
-VirtualHost "guest.${JITSI_HOST}"
-    authentication = "anonymous"
-    c2s_require_encryption = false
+# This is the main host config
+PROSODY_MAIN_CONFIG="YES"
+# Prosody settings for common components (jvb, focus, ...)
+# shellcheck source=type/__jitsi_meet/files/prosody.cfg.lua.sh
+. "${__type}/files/prosody.cfg.lua.sh"  # This defines PROSODY_CONFIG
+__file "/etc/prosody/conf.d/00_jitsi_base.cfg.lua" \
+	--group prosody \
+	--mode 0440 \
+	--source - <<EOF
+${PROSODY_CONFIG}
 EOF
 
+# Clean up zauth.cfg.lua file, which we don't use now
+__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
+  --state absent
+
 export SECURED_DOMAINS_STATE
 export JITSI_HOST
 "${__type}/files/jicofo.conf.sh" | \
diff --git a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
index 6029cf7..1b40768 100755
--- a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
+++ b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
@@ -28,3 +28,4 @@ download_file() {
 download_file config.js
 download_file interface_config.js
 download_file doc/debian/jitsi-meet/jitsi-meet.example nginx.sh.orig
+download_file doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example prosody.cfg.lua.sh.orig
diff --git a/type/__jitsi_meet_domain/files/config.js.sh b/type/__jitsi_meet_domain/files/config.js.sh
index 506e62d..357d720 100644
--- a/type/__jitsi_meet_domain/files/config.js.sh
+++ b/type/__jitsi_meet_domain/files/config.js.sh
@@ -10,20 +10,21 @@ var config = {
 
     hosts: {
         // XMPP domain.
-        domain: '${JITSI_HOST}',
+        domain: '${DOMAIN}',
 
         // When using authentication, domain for guest users.
         $( if [ -z "${SECURED_DOMAINS}" ]; then printf "// "
-	fi)anonymousdomain: 'guest.${JITSI_HOST}',
+        fi)anonymousdomain: 'guest.${DOMAIN}',
 
         // Domain for authenticated users. Defaults to <domain>.
-        // authdomain: '${JITSI_HOST}',
+        // NOTE [cdist]: if we use '${DOMAIN}', jicofo won't start the meeting
+        authdomain: '${JITSI_HOST}',
 
         // Focus component domain. Defaults to focus.<domain>.
-        // focus: 'focus.${JITSI_HOST}',
+        focus: 'focus.${JITSI_HOST}',
 
         // XMPP MUC domain. FIXME: use XEP-0030 to discover it.
-        muc: 'conference.${JITSI_HOST}'
+        muc: 'conference.${DOMAIN}'
     },
 
     // BOSH URL. FIXME: use XEP-0156 to discover it.
@@ -31,12 +32,12 @@ var config = {
     bosh: '//<!--# echo var="http_host" -->/<!--# echo var="subdir" default="" -->http-bind',
 
     // Websocket URL
-    // websocket: 'wss://${JITSI_HOST}/xmpp-websocket',
+    // websocket: 'wss://${DOMAIN}/xmpp-websocket',
 
     // The real JID of focus participant - can be overridden here
     // Do not change username - FIXME: Make focus username configurable
     // https://github.com/jitsi/jitsi-meet/issues/7376
-    // focusUserJid: 'focus@auth.${JITSI_HOST}',
+    focusUserJid: 'focus@auth.${JITSI_HOST}',
 
 
     // Testing / experimental features.
@@ -270,9 +271,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     //     appKey: '<APP_KEY>' // Specify your app key here.
     //     // A URL to redirect the user to, after authenticating
     //     // by default uses:
-    //     // 'https://${JITSI_HOST}/static/oauth.html'
+    //     // 'https://${DOMAIN}/static/oauth.html'
     //     redirectURI:
-    //          'https://${JITSI_HOST}/subfolder/static/oauth.html'
+    //          'https://${DOMAIN}/subfolder/static/oauth.html'
     // },
     // When integrations like dropbox are enabled only that will be shown,
     // by enabling fileRecordingsServiceEnabled, we show both the integrations
diff --git a/type/__jitsi_meet_domain/files/nginx.sh b/type/__jitsi_meet_domain/files/nginx.sh
index 6e874c1..e678dce 100644
--- a/type/__jitsi_meet_domain/files/nginx.sh
+++ b/type/__jitsi_meet_domain/files/nginx.sh
@@ -100,7 +100,7 @@ server {
         proxy_set_header X-Forwarded-For \$remote_addr;
 	# Prevision for 'multi-domain' jitsi instances
 	# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
-        proxy_set_header Host ${JITSI_HOST};
+        proxy_set_header Host ${DOMAIN};
     }
 
     # xmpp websockets
@@ -111,7 +111,7 @@ server {
         proxy_set_header Connection "upgrade";
 	# Prevision for 'multi-domain' jitsi instances
 	# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
-        proxy_set_header Host ${JITSI_HOST};
+        proxy_set_header Host ${DOMAIN};
         tcp_nodelay on;
     }
 
diff --git a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
new file mode 100644
index 0000000..928ce32
--- /dev/null
+++ b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
@@ -0,0 +1,199 @@
+#!/bin/sh -eu
+
+# Source:
+# https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example
+FOCUS_USER="focus"
+JITSI_DOMAIN="${JITSI_DOMAIN:-${JITSI_HOST:?}}"
+# PROSODY_MAIN_CONFIG: defined in __jitsi_meet, empty in __jitsi_meet_domain
+PROSODY_SECUREDOMAIN_START="--[["
+PROSODY_SECUREDOMAIN_END="--]]"
+if [ -n "${PROSODY_MAIN_CONFIG}" ]; then
+	PROSODY_MAIN_START=""
+	PROSODY_MAIN_END=""
+	PROSODY_DOMAIN_START="--[["
+	PROSODY_DOMAIN_END="--]]"
+else
+	PROSODY_MAIN_START="--[["
+	PROSODY_MAIN_END="--]]"
+	PROSODY_DOMAIN_START=""
+	PROSODY_DOMAIN_END=""
+	if [ -n "${SECURED_DOMAINS}" ]; then
+		PROSODY_SECUREDOMAIN_START=""
+		PROSODY_SECUREDOMAIN_END=""
+	fi
+fi
+# Websockets haven't been fully tested in this type and don't work reliably
+PROSODY_WEBSOCKET="-- "
+
+# shellcheck disable=SC2034  # This is intended to be included
+PROSODY_CONFIG="$(cat <<EOFPROSODY
+-- Managed remotely, changes will be lost
+${PROSODY_MAIN_START}
+-- This will be managed by __jitsi_meet
+plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
+
+-- domain mapper options, must at least have domain base set to use the mapper
+muc_mapper_domain_base = "${JITSI_HOST:?}";
+
+external_service_secret = "${TURN_SECRET:-TurnSecret}";
+external_services = {
+     { type = "stun", host = "${JITSI_HOST:?}", port = 3478 },
+     { type = "turn", host = "${JITSI_HOST:?}", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
+     { type = "turns", host = "${JITSI_HOST:?}", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
+};
+
+cross_domain_bosh = false;
+consider_bosh_secure = true;
+-- Use websockets
+-- https://community.jitsi.org/t/how-to-how-to-enable-websockets-xmpp-websocket-and-smacks-for-prosody/87920
+${PROSODY_WEBSOCKET}consider_websocket_secure = true;
+
+-- https_ports = { }; -- Remove this line to prevent listening on port 5284
+
+-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
+ssl = {
+    protocol = "tlsv1_2+";
+    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
+}
+
+unlimited_jids = {
+    "${FOCUS_USER:?}@auth.${JITSI_HOST:?}",
+    "jvb@auth.${JITSI_HOST:?}"
+}
+${PROSODY_MAIN_END}
+
+${PROSODY_DOMAIN_START}
+-- This will be managed by __jitsi_meet_domain
+VirtualHost "${JITSI_DOMAIN:?}"
+    -- enabled = false -- Remove this line to enable this host
+    authentication = "anonymous"
+    -- Properties below are modified by jitsi-meet-tokens package config
+    -- and authentication above is switched to "token"
+    --app_id="example_app_id"
+    --app_secret="example_app_secret"
+    -- Assign this host a certificate for TLS, otherwise it would use the one
+    -- set in the global section (if any).
+    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
+    -- use the global one.
+    ssl = {
+        key = "/etc/prosody/certs/${JITSI_DOMAIN:?}.key";
+        certificate = "/etc/prosody/certs/${JITSI_DOMAIN:?}.crt";
+    }
+    av_moderation_component = "avmoderation.${JITSI_DOMAIN:?}"
+    speakerstats_component = "speakerstats.${JITSI_DOMAIN:?}"
+    conference_duration_component = "conferenceduration.${JITSI_DOMAIN:?}"
+    -- we need bosh
+    modules_enabled = {
+        "bosh";
+        "pubsub";
+        "ping"; -- Enable mod_ping
+        "speakerstats";
+        "external_services";
+        "conference_duration";
+        "muc_lobby_rooms";
+        "muc_breakout_rooms";
+        "av_moderation";
+${PROSODY_WEBSOCKET}        "websocket";
+${PROSODY_WEBSOCKET}        "smacks";
+    }
+    smacks_max_unacked_stanzas = 5;
+    smacks_hibernation_time = 60;
+    smacks_max_hibernated_sessions = 1;
+    smacks_max_old_sessions = 1;
+    c2s_require_encryption = false
+    lobby_muc = "lobby.${JITSI_DOMAIN:?}"
+    breakout_rooms_muc = "breakout.${JITSI_DOMAIN:?}"
+    main_muc = "conference.${JITSI_DOMAIN:?}"
+    -- muc_lobby_whitelist = { "recorder.${JITSI_DOMAIN:?}" } -- Here we can whitelist jibri to enter lobby enabled rooms
+
+Component "conference.${JITSI_DOMAIN:?}" "muc"
+    restrict_room_creation = true
+    storage = "memory"
+    modules_enabled = {
+        "muc_meeting_id";
+        "muc_domain_mapper";
+        "polls";
+        --"token_verification";
+        "muc_rate_limit";
+    }
+    admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+
+Component "breakout.${JITSI_DOMAIN:?}" "muc"
+    restrict_room_creation = true
+    storage = "memory"
+    modules_enabled = {
+        "muc_meeting_id";
+        "muc_domain_mapper";
+        --"token_verification";
+        "muc_rate_limit";
+        "polls";
+    }
+    admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+
+-- internal muc component
+Component "internal.auth.${JITSI_DOMAIN:?}" "muc"
+    storage = "memory"
+    modules_enabled = {
+        "ping";
+    }
+    admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}", "jvb@auth.${JITSI_HOST:?}" }
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+${PROSODY_DOMAIN_END}
+${PROSODY_MAIN_START}
+-- This will be managed by __jitsi_meet
+
+VirtualHost "auth.${JITSI_DOMAIN:?}"
+    ssl = {
+       key = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.key";
+       certificate = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.crt";
+    }
+
+    modules_enabled = {
+        "limits_exception";
+    }
+    authentication = "internal_hashed"
+${PROSODY_MAIN_END}
+${PROSODY_DOMAIN_START}
+-- This will be managed by __jitsi_meet_domain
+
+-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
+Component "focus.${JITSI_DOMAIN:?}" "client_proxy"
+    -- Single focus user for the whole instance
+    target_address = "${FOCUS_USER:?}@auth.${JITSI_HOST:?}"
+
+Component "speakerstats.${JITSI_DOMAIN:?}" "speakerstats_component"
+    muc_component = "conference.${JITSI_DOMAIN:?}"
+
+Component "conferenceduration.${JITSI_DOMAIN:?}" "conference_duration_component"
+    muc_component = "conference.${JITSI_DOMAIN:?}"
+
+Component "avmoderation.${JITSI_DOMAIN:?}" "av_moderation_component"
+    muc_component = "conference.${JITSI_DOMAIN:?}"
+
+Component "lobby.${JITSI_DOMAIN:?}" "muc"
+    storage = "memory"
+    restrict_room_creation = true
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+    modules_enabled = {
+        "muc_rate_limit";
+        "polls";
+    }
+${PROSODY_DOMAIN_END}
+
+${PROSODY_SECUREDOMAIN_START}
+-- Only used on secured domains
+VirtualHost "${JITSI_DOMAIN}"
+    authentication = "internal_plain"
+
+VirtualHost "guest.${JITSI_DOMAIN}"
+    authentication = "anonymous"
+    c2s_require_encryption = false
+${PROSODY_SECUREDOMAIN_END}
+EOFPROSODY
+)"
diff --git a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig
new file mode 100644
index 0000000..a169eb4
--- /dev/null
+++ b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig
@@ -0,0 +1,129 @@
+plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
+
+-- domain mapper options, must at least have domain base set to use the mapper
+muc_mapper_domain_base = "jitmeet.example.com";
+
+external_service_secret = "__turnSecret__";
+external_services = {
+     { type = "stun", host = "jitmeet.example.com", port = 3478 },
+     { type = "turn", host = "jitmeet.example.com", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
+     { type = "turns", host = "jitmeet.example.com", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
+};
+
+cross_domain_bosh = false;
+consider_bosh_secure = true;
+-- https_ports = { }; -- Remove this line to prevent listening on port 5284
+
+-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
+ssl = {
+    protocol = "tlsv1_2+";
+    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
+}
+
+unlimited_jids = {
+    "focusUser@auth.jitmeet.example.com",
+    "jvb@auth.jitmeet.example.com"
+}
+
+VirtualHost "jitmeet.example.com"
+    -- enabled = false -- Remove this line to enable this host
+    authentication = "anonymous"
+    -- Properties below are modified by jitsi-meet-tokens package config
+    -- and authentication above is switched to "token"
+    --app_id="example_app_id"
+    --app_secret="example_app_secret"
+    -- Assign this host a certificate for TLS, otherwise it would use the one
+    -- set in the global section (if any).
+    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
+    -- use the global one.
+    ssl = {
+        key = "/etc/prosody/certs/jitmeet.example.com.key";
+        certificate = "/etc/prosody/certs/jitmeet.example.com.crt";
+    }
+    av_moderation_component = "avmoderation.jitmeet.example.com"
+    speakerstats_component = "speakerstats.jitmeet.example.com"
+    conference_duration_component = "conferenceduration.jitmeet.example.com"
+    -- we need bosh
+    modules_enabled = {
+        "bosh";
+        "pubsub";
+        "ping"; -- Enable mod_ping
+        "speakerstats";
+        "external_services";
+        "conference_duration";
+        "muc_lobby_rooms";
+        "muc_breakout_rooms";
+        "av_moderation";
+    }
+    c2s_require_encryption = false
+    lobby_muc = "lobby.jitmeet.example.com"
+    breakout_rooms_muc = "breakout.jitmeet.example.com"
+    main_muc = "conference.jitmeet.example.com"
+    -- muc_lobby_whitelist = { "recorder.jitmeet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
+
+Component "conference.jitmeet.example.com" "muc"
+    restrict_room_creation = true
+    storage = "memory"
+    modules_enabled = {
+        "muc_meeting_id";
+        "muc_domain_mapper";
+        "polls";
+        --"token_verification";
+        "muc_rate_limit";
+    }
+    admins = { "focusUser@auth.jitmeet.example.com" }
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+
+Component "breakout.jitmeet.example.com" "muc"
+    restrict_room_creation = true
+    storage = "memory"
+    modules_enabled = {
+        "muc_meeting_id";
+        "muc_domain_mapper";
+        --"token_verification";
+        "muc_rate_limit";
+        "polls";
+    }
+    admins = { "focusUser@auth.jitmeet.example.com" }
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+
+-- internal muc component
+Component "internal.auth.jitmeet.example.com" "muc"
+    storage = "memory"
+    modules_enabled = {
+        "ping";
+    }
+    admins = { "focusUser@auth.jitmeet.example.com", "jvb@auth.jitmeet.example.com" }
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+
+VirtualHost "auth.jitmeet.example.com"
+    modules_enabled = {
+        "limits_exception";
+    }
+    authentication = "internal_hashed"
+
+-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
+Component "focus.jitmeet.example.com" "client_proxy"
+    target_address = "focusUser@auth.jitmeet.example.com"
+
+Component "speakerstats.jitmeet.example.com" "speakerstats_component"
+    muc_component = "conference.jitmeet.example.com"
+
+Component "conferenceduration.jitmeet.example.com" "conference_duration_component"
+    muc_component = "conference.jitmeet.example.com"
+
+Component "avmoderation.jitmeet.example.com" "av_moderation_component"
+    muc_component = "conference.jitmeet.example.com"
+
+Component "lobby.jitmeet.example.com" "muc"
+    storage = "memory"
+    restrict_room_creation = true
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+    modules_enabled = {
+        "muc_rate_limit";
+        "polls";
+    }
diff --git a/type/__jitsi_meet_domain/man.rst b/type/__jitsi_meet_domain/man.rst
index dd8c852..0bef146 100644
--- a/type/__jitsi_meet_domain/man.rst
+++ b/type/__jitsi_meet_domain/man.rst
@@ -11,14 +11,18 @@ DESCRIPTION
 -----------
 This type installs and configures the frontend for Jitsi-Meet.
 
-This supports "multi-domain" installations, notice that in such a setup, all
-rooms are shared across the different URLs, e.g.
-https://jitsi1.example.org/room1 and https://jitsi2.example.org/room1 are
-equivalent.
+This supports "multi-domain" installations.
+
+New in April 2022: rooms are independent for each domain, that is:
+https://jitsi1.example.org/room1 and https://jitsi2.example.org/room1 are
+different rooms.
+Note however, that right now if using secured domains, users are still shared
+across any domains hosted in the same instance.
+One way to work around that could be to run multiple jicofos, but we do not
+want to bloat the servers.
+A better way is to patch jicofo, get in touch with the type authors if you want
+the gory details.
 
-This is due to the underlying XMPP and signaling rooms being common.
-There might be a way to perform tricks on the Nginx-side to avoid this, but
-time is lacking :-).
 
 This assumes `__jitsi_meet` has already been ran on the target host, and,
 amongst others, that Jitsi was set up with `__target_host` as the Jitsi domain.
diff --git a/type/__jitsi_meet_domain/manifest b/type/__jitsi_meet_domain/manifest
index abc8a1a..f449414 100755
--- a/type/__jitsi_meet_domain/manifest
+++ b/type/__jitsi_meet_domain/manifest
@@ -131,3 +131,38 @@ __file "/usr/share/jitsi-meet/images/watermark-${DOMAIN}.png" \
 	--mode 0644 \
 	--state "$(_var_state "${BRANDING_WATERMARK}")" \
 	--source "${BRANDING_WATERMARK}"
+
+#
+# Take care of prosody settings for the domain
+#
+JITSI_DOMAIN="${DOMAIN}"
+# Prosody settings for common components (jvb, focus, ...)
+# shellcheck source=type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
+. "${__type}/files/prosody.cfg.lua.sh"  # This defines PROSODY_CONFIG
+__file "/etc/prosody/conf.avail/${DOMAIN}.cfg.lua" \
+	--group prosody \
+	--mode 0440 \
+	--state "${STATE}" \
+	--source '-' <<EOF
+${PROSODY_CONFIG}
+EOF
+__link "/etc/prosody/conf.d/${DOMAIN}.cfg.lua" \
+	--source "/etc/prosody/conf.avail/${DOMAIN}.cfg.lua" \
+	--state "${STATE}" \
+	--type symbolic
+
+if [ "${STATE}" = "present" ]; then
+	export require="${require} __file/etc/prosody/conf.avail/${DOMAIN}.cfg.lua __link/etc/prosody/conf.d/${DOMAIN}.cfg.lua"
+	__check_messages "prosody/${DOMAIN}" \
+		--pattern '^(__file|__link)/etc/prosody/conf[.](avail|d)/' \
+		--execute "$(cat <<EOF
+if [ ! -f "/var/lib/prosody/${DOMAIN}.crt" ]; then
+	echo | prosodyctl cert generate '${DOMAIN}';
+	ln -sf '/var/lib/prosody/${DOMAIN}.key' '/etc/prosody/certs/${DOMAIN}.key'
+	ln -sf '/var/lib/prosody/${DOMAIN}.crt' '/etc/prosody/certs/${DOMAIN}.crt'
+fi
+# Surprisingly, a reload is not enough
+service prosody restart
+EOF
+)"
+fi

From 80bbbd3aa8cb694121566a600eaa92eda385c7fc Mon Sep 17 00:00:00 2001
From: Evilham <contact@evilham.com>
Date: Thu, 21 Apr 2022 14:34:33 +0200
Subject: [PATCH 12/34] [__jitsi_meet] Adapt jicofo and videobridge memory
 usage

This enables us to setup smaller jitsi instances that work reliably.

We set 3 threshholds:
- < 3G RAM: use 0.75G max memory
- < 5G RAM: use 1G max memory
- < 8G RAM: use 2G max memory
- >= 8G RAM: use 3G max memory (jitsi's default)

For more information as to why and how this is done, see:
https://gitlab.com/guifi-exo/projectes/-/issues/318
https://github.com/jitsi/jitsi-meet/issues/6589
as investigated back in the day by @pedro

Sponsored by:   camilion.eu, eXO.cat
---
 type/__jitsi_meet/explorer/configured-memory | 15 +++++++++
 type/__jitsi_meet/gencode-remote             | 33 ++++++++++++++++++++
 type/__jitsi_meet/man.rst                    |  2 ++
 3 files changed, 50 insertions(+)
 create mode 100755 type/__jitsi_meet/explorer/configured-memory

diff --git a/type/__jitsi_meet/explorer/configured-memory b/type/__jitsi_meet/explorer/configured-memory
new file mode 100755
index 0000000..658f94b
--- /dev/null
+++ b/type/__jitsi_meet/explorer/configured-memory
@@ -0,0 +1,15 @@
+#!/bin/sh -eu
+
+JICOFO="/usr/share/jicofo/jicofo.sh"
+VIDEOBRIDGE="/usr/share/jitsi-videobridge/lib/videobridge.rc"
+
+if [ -f "${JICOFO:?}" ]; then
+	jicofo_memory="$(grep JICOFO_MAX_MEMORY= "${JICOFO:?}" | cut -d= -f 2 | cut -d ";" -f 1)"
+fi
+if [ -f "${VIDEOBRIDGE:?}" ]; then
+	vb_memory="$(grep VIDEOBRIDGE_MAX_MEMORY= "${VIDEOBRIDGE:?}" | cut -d= -f 2)"
+fi
+cat <<EOF
+jicofo	${jicofo_memory:-n/a}
+videobridge	${vb_memory:-n/a}
+EOF
diff --git a/type/__jitsi_meet/gencode-remote b/type/__jitsi_meet/gencode-remote
index 670c7be..d939347 100755
--- a/type/__jitsi_meet/gencode-remote
+++ b/type/__jitsi_meet/gencode-remote
@@ -1,10 +1,43 @@
 #!/bin/sh -e
 
+memory="$(cat "${__global}/explorer/memory")"
+G="000000"  # Will totally eff up the zero-count otherwise
+# MAX_MEMORY will affect jicofo and videobridge
+#  As a rule of thumb, the machine's RAM should be more than 2.5 * MAX_MEMORY
+if [ "${memory}" -lt "3${G}" ]; then
+	# If you use this, let us know how it works!
+	MAX_MEMORY="768m"
+elif [ "${memory}" -lt "5${G}" ]; then
+	MAX_MEMORY="1024m"
+elif [ "${memory}" -lt "8${G}" ]; then
+	MAX_MEMORY="2048m"
+else
+	# Jitsi recommends running on 8G RAM and these are the defaults
+	MAX_MEMORY="3072m"
+fi
+
+if cut -f 2 "${__object}/explorer/configured-memory" | grep -qvE "^${MAX_MEMORY}$"; then
+	# At least one service has different memory settings
+	RESTART_SERVICES="YES"
+	cat <<-EOF
+	sed -i.tmp -E \
+		-e 's!^(#[[:space:]]*)?(VIDEOBRIDGE_MAX_MEMORY)=.*\$!\2=${MAX_MEMORY}!' \
+		/usr/share/jitsi-videobridge/lib/videobridge.rc
+	sed -i.tmp -E \
+		-e 's!^(JICOFO_MAX_MEMORY)[^;]+;!\1=${MAX_MEMORY};!' \
+		/usr/share/jicofo/jicofo.sh
+	EOF
+fi
+
 if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
 	echo "service nginx reload"
 fi
 
 if grep -qE "^(__line/jitsi_jicofo_secured_domains|(__file|__link)/etc/prosody/conf.d/|__file/etc/jitsi/jicofo/jicofo.conf)" "${__messages_in}"; then
+	RESTART_SERVICES="YES"
+fi
+
+if [ -n "${RESTART_SERVICES}" ]; then
   echo "systemctl restart prosody"
   echo "systemctl restart jicofo"
   echo "systemctl restart jitsi-videobridge2"
diff --git a/type/__jitsi_meet/man.rst b/type/__jitsi_meet/man.rst
index b11fdc9..876c218 100644
--- a/type/__jitsi_meet/man.rst
+++ b/type/__jitsi_meet/man.rst
@@ -36,6 +36,8 @@ If you can, please contribute updates to `__jitsi_meet` and
 Alternatively, you can help finance that work; get in touch with the type
 authors for that (see below).
 
+This type takes care of adapting the maximum memory used by jicofo and
+videobridge in function of the hosts installed memory.
 
 NOTE: This type currently does not deal with setting up coturn.
       For that, you might want to check `__coturn` in

From c5070a3a3305602cf354823967c07f7dcd07635f Mon Sep 17 00:00:00 2001
From: Evilham <contact@evilham.com>
Date: Thu, 21 Apr 2022 14:44:10 +0200
Subject: [PATCH 13/34] [__jitsi_meet] Fix adjustment of jicofo's max memory

Leftover from last commit >,<

Sponsored by:   camilion.eu, eXO.cat
---
 type/__jitsi_meet/gencode-remote | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/type/__jitsi_meet/gencode-remote b/type/__jitsi_meet/gencode-remote
index d939347..435bbf4 100755
--- a/type/__jitsi_meet/gencode-remote
+++ b/type/__jitsi_meet/gencode-remote
@@ -24,7 +24,7 @@ if cut -f 2 "${__object}/explorer/configured-memory" | grep -qvE "^${MAX_MEMORY}
 		-e 's!^(#[[:space:]]*)?(VIDEOBRIDGE_MAX_MEMORY)=.*\$!\2=${MAX_MEMORY}!' \
 		/usr/share/jitsi-videobridge/lib/videobridge.rc
 	sed -i.tmp -E \
-		-e 's!^(JICOFO_MAX_MEMORY)[^;]+;!\1=${MAX_MEMORY};!' \
+		-e 's!(JICOFO_MAX_MEMORY)[^;]+;!\1=${MAX_MEMORY};!' \
 		/usr/share/jicofo/jicofo.sh
 	EOF
 fi

From 1658121549dd902714cc0751758e95b0830dc592 Mon Sep 17 00:00:00 2001
From: Evilham <contact@evilham.com>
Date: Thu, 21 Apr 2022 15:52:47 +0200
Subject: [PATCH 14/34] [__jitsi_meet*] Update to 2.0.7210

While there, make things a tad easier to maintain.

Note that in this version, jitsi switches to using nginx upstreams; it shouldn't
be relevant for instances fully managed with these types.

Sponsored by:   camilion.eu, eXO.cat
---
 type/__jitsi_meet/files/jitsi-version         |   2 +-
 type/__jitsi_meet/manifest                    |  21 ++++
 .../files/_update_jitsi_configurations.sh     |   6 +-
 type/__jitsi_meet_domain/files/config.js.sh   |  99 ++++++++++++++---
 .../files/config.js.sh.orig                   | 100 +++++++++++++++---
 type/__jitsi_meet_domain/files/jitsi-version  |   1 +
 type/__jitsi_meet_domain/files/nginx.sh       |  21 +++-
 type/__jitsi_meet_domain/files/nginx.sh.orig  |  18 +++-
 .../files/prosody.cfg.lua.sh                  |  10 ++
 .../files/prosody.cfg.lua.sh.orig             |  10 ++
 10 files changed, 246 insertions(+), 42 deletions(-)
 mode change 100644 => 120000 type/__jitsi_meet/files/jitsi-version
 create mode 100644 type/__jitsi_meet_domain/files/jitsi-version

diff --git a/type/__jitsi_meet/files/jitsi-version b/type/__jitsi_meet/files/jitsi-version
deleted file mode 100644
index 4b02224..0000000
--- a/type/__jitsi_meet/files/jitsi-version
+++ /dev/null
@@ -1 +0,0 @@
-2.0.7001-1
diff --git a/type/__jitsi_meet/files/jitsi-version b/type/__jitsi_meet/files/jitsi-version
new file mode 120000
index 0000000..179d1a4
--- /dev/null
+++ b/type/__jitsi_meet/files/jitsi-version
@@ -0,0 +1 @@
+../../__jitsi_meet_domain/files/jitsi-version
\ No newline at end of file
diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest
index 02716a0..6a9d962 100755
--- a/type/__jitsi_meet/manifest
+++ b/type/__jitsi_meet/manifest
@@ -155,6 +155,27 @@ server {
 }
 EOF
 
+# Starting from 2.0.7210, jitsi defines following nginx upstreams
+__directory "${NGINX_ETC}/conf.d" --state present
+require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/prosody.conf" \
+  --mode 644 \
+  --source - << EOF
+upstream prosody {
+    zone upstreams 64K;
+    server 127.0.0.1:5280;
+    keepalive 2;
+}
+EOF
+require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/jvb1.conf" \
+  --mode 644 \
+  --source - << EOF
+upstream jvb1 {
+    zone upstreams 64K;
+    server 127.0.0.1:9090;
+    keepalive 2;
+}
+EOF
+
 if [ -f "${__object}/parameter/secured-domains" ]; then
   SECURED_DOMAINS_STATE='present'
 else
diff --git a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
index 1b40768..12c405b 100755
--- a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
+++ b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
@@ -7,7 +7,7 @@
 
 # We could automate this, but are using it as an indicator for the
 # latest branch with which we conciliated changes.
-BRANCH="jitsi-meet_7001"
+BRANCH="jitsi-meet_7210"
 REPO="https://github.com/jitsi/jitsi-meet"
 
 get_url() {
@@ -29,3 +29,7 @@ download_file config.js
 download_file interface_config.js
 download_file doc/debian/jitsi-meet/jitsi-meet.example nginx.sh.orig
 download_file doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example prosody.cfg.lua.sh.orig
+
+# Change the version file, maintainers should check that it matches
+# the deb version
+printf "2.0.${BRANCH#*_}-1" > jitsi-version
diff --git a/type/__jitsi_meet_domain/files/config.js.sh b/type/__jitsi_meet_domain/files/config.js.sh
index 357d720..0eca916 100644
--- a/type/__jitsi_meet_domain/files/config.js.sh
+++ b/type/__jitsi_meet_domain/files/config.js.sh
@@ -85,6 +85,10 @@ var config = {
     flags: {
         // Enables source names in the signaling.
         // sourceNameSignaling: false,
+
+        // Enables sending multiple video streams, i.e., camera and desktop tracks can be shared in the conference
+        // separately as two different streams instead of one composite stream.
+        // sendMultipleVideoStreams: false
     },
 
     // Disables moderator indicators.
@@ -481,6 +485,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     // If Lobby is enabled starts knocking automatically.
     // autoKnockLobby: false,
 
+    // Enable lobby chat.
+    // enableLobbyChat: true,
+
     // DEPRECATED! Use \`breakoutRooms.hideAddRoomButton\` instead.
     // Hides add breakout room button
     // hideAddRoomButton: false,
@@ -520,7 +527,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     // Hides the dominant speaker name badge that hovers above the toolbox
     // hideDominantSpeakerBadge: false,
 
-    // Default language for the user interface.
+    // Default language for the user interface. Cannot be overwritten.
     defaultLanguage: '${DEFAULT_LANGUAGE}',
 
     // Disables profile and the edit of all fields from the profile settings (display name and email)
@@ -607,7 +614,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     //    'fullscreen',
     //    'hangup',
     //    'help',
+    //    'highlight',
     //    'invite',
+    //    'linktosalesforce',
     //    'livestreaming',
     //    'microphone',
     //    'mute-everyone',
@@ -639,7 +648,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     //     timeout: 4000,
     //     // Moved from interfaceConfig.TOOLBAR_ALWAYS_VISIBLE
     //     // Whether toolbar should be always visible or should hide after x miliseconds.
-    //     alwaysVisible: false
+    //     alwaysVisible: false,
+    //     // Indicates whether the toolbar should still autohide when chat is open
+    //     autoHideWhileChatIsOpen: false
     // },
 
     // Toolbar buttons which have their click/tap event exposed through the API on
@@ -748,11 +759,22 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     // Enables sending participants' emails (if available) to callstats and other analytics
     // enableEmailInStats: false,
 
-    // Enables detecting faces of participants and get their expression and send it to other participants
-    // enableFacialRecognition: true,
+    // faceLandmarks: {
+    //     // Enables sharing your face cordinates. Used for centering faces within a video.
+    //     enableFaceCentering: false,
 
-    // Enables displaying facial expressions in speaker stats
-    // enableDisplayFacialExpressions: true,
+    //     // Enables detecting face expressions and sharing data with other participants
+    //     enableFaceExpressionsDetection: false,
+
+    //     // Enables displaying face expressions in speaker stats
+    //     enableDisplayFaceExpressions: false,
+
+    //     // Minimum required face movement percentage threshold for sending new face centering coordinates data.
+    //     faceCenteringThreshold: 10,
+
+    //     // Miliseconds for processing a new image capture in order to detect face coordinates if they exist.
+    //     captureInterval: 100
+    // },
 
     // Controls the percentage of automatic feedback shown to participants when callstats is enabled.
     // The default value is 100%. If set to 0, no automatic feedback will be requested
@@ -940,14 +962,18 @@ ${ANALYTICS_SETTINGS}
 
     // Options related to end-to-end (participant to participant) ping.
     // e2eping: {
-    //   // The interval in milliseconds at which pings will be sent.
-    //   // Defaults to 10000, set to <= 0 to disable.
-    //   pingInterval: 10000,
+    //   // Whether ene-to-end pings should be enabled.
+    //   enabled: false,
     //
-    //   // The interval in milliseconds at which analytics events
-    //   // with the measured RTT will be sent. Defaults to 60000, set
-    //   // to <= 0 to disable.
-    //   analyticsInterval: 60000,
+    //   // The number of responses to wait for.
+    //   numRequests: 5,
+    //
+    //   // The max conference size in which e2e pings will be sent.
+    //   maxConferenceSize: 200,
+    //
+    //   // The maximum number of e2e ping messages per second for the whole conference to aim for.
+    //   // This is used to contol the pacing of messages in order to reduce the load on the backend.
+    //   maxMessagesPerSecond: 250
     //   },
 
     // If set, will attempt to use the provided video input device label when
@@ -989,12 +1015,25 @@ ${ANALYTICS_SETTINGS}
 
     // Options related to the remote participant menu.
     // remoteVideoMenu: {
+    //     // Whether the remote video context menu to be rendered or not.
+    //     disabled: true,
     //     // If set to true the 'Kick out' button will be disabled.
     //     disableKick: true,
     //     // If set to true the 'Grant moderator' button will be disabled.
-    //     disableGrantModerator: true
+    //     disableGrantModerator: true,
+    //     // If set to true the 'Send private message' button will be disabled.
+    //     disablePrivateChat: true
     // },
 
+    // Endpoint that enables support for salesforce integration with in-meeting resource linking
+    // This is required for:
+    // listing the most recent records - salesforceUrl/records/recents
+    // searching records - salesforceUrl/records?text=${text}
+    // retrieving record details - salesforceUrl/records/${id}?type=${type}
+    // and linking the meeting - salesforceUrl/sessions/${sessionId}/records/${id}
+    //
+    // salesforceUrl: 'https://api.example.com/',
+
     // If set to true all muting operations of remote participants will be disabled.
     // disableRemoteMute: true,
 
@@ -1101,7 +1140,8 @@ ${ANALYTICS_SETTINGS}
     //         'e2ee',
     //         'transcribing',
     //         'video-quality',
-    //         'insecure-room'
+    //         'insecure-room',
+    //         'highlight-moment'
     //     ]
     // },
 
@@ -1241,6 +1281,7 @@ ${ANALYTICS_SETTINGS}
     //     'notify.invitedThreePlusMembers', // shown when 3+ participants have been invited
     //     'notify.invitedTwoMembers', // shown when 2 participants have been invited
     //     'notify.kickParticipant', // shown when a participant is kicked
+    //     'notify.linkToSalesforce', // shown when joining a meeting with salesforce integration
     //     'notify.moderationStartedTitle', // shown when AV moderation is activated
     //     'notify.moderationStoppedTitle', // shown when AV moderation is deactivated
     //     'notify.moderationInEffectTitle', // shown when user attempts to unmute audio during AV moderation
@@ -1256,6 +1297,7 @@ ${ANALYTICS_SETTINGS}
     //     'notify.raisedHand', // shown when a partcipant used raise hand,
     //     'notify.startSilentTitle', // shown when user joined with no audio
     //     'notify.unmute', // shown to moderator when user raises hand during AV moderation
+    //     'notify.hostAskedUnmute', // shown to participant when host asks them to unmute
     //     'prejoin.errorDialOut',
     //     'prejoin.errorDialOutDisconnected',
     //     'prejoin.errorDialOutFailed',
@@ -1278,12 +1320,37 @@ ${ANALYTICS_SETTINGS}
     //     // Disables user resizable filmstrip. Also, allows configuration of the filmstrip
     //     // (width, tiles aspect ratios) through the interfaceConfig options.
     //     disableResizable: false,
-    // }
 
+    //     // Disables the stage filmstrip
+    //     // (displaying multiple participants on stage besides the vertical filmstrip)
+    //     disableStageFilmstrip: false
+    // },
+
+    // Tile view related config options.
+    // tileView: {
+    //     // The optimal number of tiles that are going to be shown in tile view. Depending on the screen size it may
+    //     // not be possible to show the exact number of participants specified here.
+    //     numberOfVisibleTiles: 25
+    // },
 
     // Specifies whether the chat emoticons are disabled or not
     // disableChatSmileys: false,
 
+    // Settings for the GIPHY integration.
+    // giphy: {
+    //     // Whether the feature is enabled or not.
+    //     enabled: false,
+    //     // SDK API Key from Giphy.
+    //     sdkKey: '',
+    //     // Display mode can be one of:
+    //     // - tile: show the GIF on the tile of the participant that sent it.
+    //     // - chat: show the GIF as a message in chat
+    //     // - all: all of the above. This is the default option
+    //     displayMode: 'all',
+    //     // How long the GIF should be displayed on the tile (in miliseconds).
+    //     tileTime: 5000
+    // },
+
     // Allow all above example options to include a trailing comma and
     // prevent fear when commenting out the last value.
     makeJsonParserHappy: 'even if last key had a trailing comma'
diff --git a/type/__jitsi_meet_domain/files/config.js.sh.orig b/type/__jitsi_meet_domain/files/config.js.sh.orig
index 0976642..8e4c5bc 100644
--- a/type/__jitsi_meet_domain/files/config.js.sh.orig
+++ b/type/__jitsi_meet_domain/files/config.js.sh.orig
@@ -1,3 +1,4 @@
+
 /* eslint-disable no-unused-vars, no-var */
 
 var config = {
@@ -78,6 +79,10 @@ var config = {
     flags: {
         // Enables source names in the signaling.
         // sourceNameSignaling: false,
+
+        // Enables sending multiple video streams, i.e., camera and desktop tracks can be shared in the conference
+        // separately as two different streams instead of one composite stream.
+        // sendMultipleVideoStreams: false
     },
 
     // Disables moderator indicators.
@@ -473,6 +478,9 @@ var config = {
     // If Lobby is enabled starts knocking automatically.
     // autoKnockLobby: false,
 
+    // Enable lobby chat.
+    // enableLobbyChat: true,
+
     // DEPRECATED! Use `breakoutRooms.hideAddRoomButton` instead.
     // Hides add breakout room button
     // hideAddRoomButton: false,
@@ -512,7 +520,7 @@ var config = {
     // Hides the dominant speaker name badge that hovers above the toolbox
     // hideDominantSpeakerBadge: false,
 
-    // Default language for the user interface.
+    // Default language for the user interface. Cannot be overwritten.
     // defaultLanguage: 'en',
 
     // Disables profile and the edit of all fields from the profile settings (display name and email)
@@ -599,7 +607,9 @@ var config = {
     //    'fullscreen',
     //    'hangup',
     //    'help',
+    //    'highlight',
     //    'invite',
+    //    'linktosalesforce',
     //    'livestreaming',
     //    'microphone',
     //    'mute-everyone',
@@ -631,7 +641,9 @@ var config = {
     //     timeout: 4000,
     //     // Moved from interfaceConfig.TOOLBAR_ALWAYS_VISIBLE
     //     // Whether toolbar should be always visible or should hide after x miliseconds.
-    //     alwaysVisible: false
+    //     alwaysVisible: false,
+    //     // Indicates whether the toolbar should still autohide when chat is open
+    //     autoHideWhileChatIsOpen: false
     // },
 
     // Toolbar buttons which have their click/tap event exposed through the API on
@@ -740,11 +752,22 @@ var config = {
     // Enables sending participants' emails (if available) to callstats and other analytics
     // enableEmailInStats: false,
 
-    // Enables detecting faces of participants and get their expression and send it to other participants
-    // enableFacialRecognition: true,
+    // faceLandmarks: {
+    //     // Enables sharing your face cordinates. Used for centering faces within a video.
+    //     enableFaceCentering: false,
 
-    // Enables displaying facial expressions in speaker stats
-    // enableDisplayFacialExpressions: true,
+    //     // Enables detecting face expressions and sharing data with other participants
+    //     enableFaceExpressionsDetection: false,
+
+    //     // Enables displaying face expressions in speaker stats
+    //     enableDisplayFaceExpressions: false,
+
+    //     // Minimum required face movement percentage threshold for sending new face centering coordinates data.
+    //     faceCenteringThreshold: 10,
+
+    //     // Miliseconds for processing a new image capture in order to detect face coordinates if they exist.
+    //     captureInterval: 100
+    // },
 
     // Controls the percentage of automatic feedback shown to participants when callstats is enabled.
     // The default value is 100%. If set to 0, no automatic feedback will be requested
@@ -931,14 +954,18 @@ var config = {
 
     // Options related to end-to-end (participant to participant) ping.
     // e2eping: {
-    //   // The interval in milliseconds at which pings will be sent.
-    //   // Defaults to 10000, set to <= 0 to disable.
-    //   pingInterval: 10000,
+    //   // Whether ene-to-end pings should be enabled.
+    //   enabled: false,
     //
-    //   // The interval in milliseconds at which analytics events
-    //   // with the measured RTT will be sent. Defaults to 60000, set
-    //   // to <= 0 to disable.
-    //   analyticsInterval: 60000,
+    //   // The number of responses to wait for.
+    //   numRequests: 5,
+    //
+    //   // The max conference size in which e2e pings will be sent.
+    //   maxConferenceSize: 200,
+    //
+    //   // The maximum number of e2e ping messages per second for the whole conference to aim for.
+    //   // This is used to contol the pacing of messages in order to reduce the load on the backend.
+    //   maxMessagesPerSecond: 250
     //   },
 
     // If set, will attempt to use the provided video input device label when
@@ -980,12 +1007,25 @@ var config = {
 
     // Options related to the remote participant menu.
     // remoteVideoMenu: {
+    //     // Whether the remote video context menu to be rendered or not.
+    //     disabled: true,
     //     // If set to true the 'Kick out' button will be disabled.
     //     disableKick: true,
     //     // If set to true the 'Grant moderator' button will be disabled.
-    //     disableGrantModerator: true
+    //     disableGrantModerator: true,
+    //     // If set to true the 'Send private message' button will be disabled.
+    //     disablePrivateChat: true
     // },
 
+    // Endpoint that enables support for salesforce integration with in-meeting resource linking
+    // This is required for:
+    // listing the most recent records - salesforceUrl/records/recents
+    // searching records - salesforceUrl/records?text=${text}
+    // retrieving record details - salesforceUrl/records/${id}?type=${type}
+    // and linking the meeting - salesforceUrl/sessions/${sessionId}/records/${id}
+    //
+    // salesforceUrl: 'https://api.example.com/',
+
     // If set to true all muting operations of remote participants will be disabled.
     // disableRemoteMute: true,
 
@@ -1092,7 +1132,8 @@ var config = {
     //         'e2ee',
     //         'transcribing',
     //         'video-quality',
-    //         'insecure-room'
+    //         'insecure-room',
+    //         'highlight-moment'
     //     ]
     // },
 
@@ -1232,6 +1273,7 @@ var config = {
     //     'notify.invitedThreePlusMembers', // shown when 3+ participants have been invited
     //     'notify.invitedTwoMembers', // shown when 2 participants have been invited
     //     'notify.kickParticipant', // shown when a participant is kicked
+    //     'notify.linkToSalesforce', // shown when joining a meeting with salesforce integration
     //     'notify.moderationStartedTitle', // shown when AV moderation is activated
     //     'notify.moderationStoppedTitle', // shown when AV moderation is deactivated
     //     'notify.moderationInEffectTitle', // shown when user attempts to unmute audio during AV moderation
@@ -1247,6 +1289,7 @@ var config = {
     //     'notify.raisedHand', // shown when a partcipant used raise hand,
     //     'notify.startSilentTitle', // shown when user joined with no audio
     //     'notify.unmute', // shown to moderator when user raises hand during AV moderation
+    //     'notify.hostAskedUnmute', // shown to participant when host asks them to unmute
     //     'prejoin.errorDialOut',
     //     'prejoin.errorDialOutDisconnected',
     //     'prejoin.errorDialOutFailed',
@@ -1269,12 +1312,37 @@ var config = {
     //     // Disables user resizable filmstrip. Also, allows configuration of the filmstrip
     //     // (width, tiles aspect ratios) through the interfaceConfig options.
     //     disableResizable: false,
-    // }
 
+    //     // Disables the stage filmstrip
+    //     // (displaying multiple participants on stage besides the vertical filmstrip)
+    //     disableStageFilmstrip: false
+    // },
+
+    // Tile view related config options.
+    // tileView: {
+    //     // The optimal number of tiles that are going to be shown in tile view. Depending on the screen size it may
+    //     // not be possible to show the exact number of participants specified here.
+    //     numberOfVisibleTiles: 25
+    // },
 
     // Specifies whether the chat emoticons are disabled or not
     // disableChatSmileys: false,
 
+    // Settings for the GIPHY integration.
+    // giphy: {
+    //     // Whether the feature is enabled or not.
+    //     enabled: false,
+    //     // SDK API Key from Giphy.
+    //     sdkKey: '',
+    //     // Display mode can be one of:
+    //     // - tile: show the GIF on the tile of the participant that sent it.
+    //     // - chat: show the GIF as a message in chat
+    //     // - all: all of the above. This is the default option
+    //     displayMode: 'all',
+    //     // How long the GIF should be displayed on the tile (in miliseconds).
+    //     tileTime: 5000
+    // },
+
     // Allow all above example options to include a trailing comma and
     // prevent fear when commenting out the last value.
     makeJsonParserHappy: 'even if last key had a trailing comma'
diff --git a/type/__jitsi_meet_domain/files/jitsi-version b/type/__jitsi_meet_domain/files/jitsi-version
new file mode 100644
index 0000000..f2cc6dd
--- /dev/null
+++ b/type/__jitsi_meet_domain/files/jitsi-version
@@ -0,0 +1 @@
+2.0.7210-1
\ No newline at end of file
diff --git a/type/__jitsi_meet_domain/files/nginx.sh b/type/__jitsi_meet_domain/files/nginx.sh
index e678dce..ad1b41a 100644
--- a/type/__jitsi_meet_domain/files/nginx.sh
+++ b/type/__jitsi_meet_domain/files/nginx.sh
@@ -10,6 +10,17 @@ JITSI_NGINX_CONFIG="$(cat <<EOF
 ## nginx's default mime.types doesn't include a mapping for wasm
 #    application/wasm     wasm;
 #}
+# These upstreams are managed by __jitsi_meet
+#upstream prosody {
+#    zone upstreams 64K;
+#    server 127.0.0.1:5280;
+#    keepalive 2;
+#}
+#upstream jvb1 {
+#    zone upstreams 64K;
+#    server 127.0.0.1:9090;
+#    keepalive 2;
+#}
 server {
     listen 80;
     listen [::]:80;
@@ -94,18 +105,18 @@ server {
 
     # BOSH
     location = /http-bind {
-	# We are using 127.0.0.1, because we are not specifying a resolver
-	# otherwise nginx will fail to resolve 'localhost'
-        proxy_pass http://127.0.0.1:5280/http-bind?prefix=\$prefix&\$args;
+        proxy_pass http://prosody/http-bind?prefix=\$prefix&\$args;
+        proxy_http_version 1.1;
         proxy_set_header X-Forwarded-For \$remote_addr;
 	# Prevision for 'multi-domain' jitsi instances
 	# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
         proxy_set_header Host ${DOMAIN};
+        proxy_set_header Connection "";
     }
 
     # xmpp websockets
     location = /xmpp-websocket {
-        proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=\$prefix&\$args;
+        proxy_pass http://prosody/xmpp-websocket?prefix=\$prefix&\$args;
         proxy_http_version 1.1;
         proxy_set_header Upgrade \$http_upgrade;
         proxy_set_header Connection "upgrade";
@@ -117,7 +128,7 @@ server {
 
     # colibri (JVB) websockets for jvb1
     location ~ ^/colibri-ws/default-id/(.*) {
-        proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/\$1\$is_args\$args;
+        proxy_pass http://jvb1/colibri-ws/default-id/\$1\$is_args\$args;
         proxy_http_version 1.1;
         proxy_set_header Upgrade \$http_upgrade;
         proxy_set_header Connection "upgrade";
diff --git a/type/__jitsi_meet_domain/files/nginx.sh.orig b/type/__jitsi_meet_domain/files/nginx.sh.orig
index 0d1d9be..66f0eca 100644
--- a/type/__jitsi_meet_domain/files/nginx.sh.orig
+++ b/type/__jitsi_meet_domain/files/nginx.sh.orig
@@ -4,6 +4,16 @@ types {
 # nginx's default mime.types doesn't include a mapping for wasm
     application/wasm     wasm;
 }
+upstream prosody {
+    zone upstreams 64K;
+    server 127.0.0.1:5280;
+    keepalive 2;
+}
+upstream jvb1 {
+    zone upstreams 64K;
+    server 127.0.0.1:9090;
+    keepalive 2;
+}
 server {
     listen 80;
     listen [::]:80;
@@ -77,14 +87,16 @@ server {
 
     # BOSH
     location = /http-bind {
-        proxy_pass http://127.0.0.1:5280/http-bind?prefix=$prefix&$args;
+        proxy_pass http://prosody/http-bind?prefix=$prefix&$args;
+        proxy_http_version 1.1;
         proxy_set_header X-Forwarded-For $remote_addr;
         proxy_set_header Host $http_host;
+        proxy_set_header Connection "";
     }
 
     # xmpp websockets
     location = /xmpp-websocket {
-        proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
+        proxy_pass http://prosody/xmpp-websocket?prefix=$prefix&$args;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
@@ -94,7 +106,7 @@ server {
 
     # colibri (JVB) websockets for jvb1
     location ~ ^/colibri-ws/default-id/(.*) {
-        proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/$1$is_args$args;
+        proxy_pass http://jvb1/colibri-ws/default-id/$1$is_args$args;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
diff --git a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
index 928ce32..ea243c1 100644
--- a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
+++ b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
@@ -50,6 +50,16 @@ ${PROSODY_WEBSOCKET}consider_websocket_secure = true;
 
 -- https_ports = { }; -- Remove this line to prevent listening on port 5284
 
+-- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
+--http_cors_override = {
+--    bosh = {
+--        enabled = false;
+--    };
+--    websocket = {
+--        enabled = false;
+--    };
+--}
+
 -- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
 ssl = {
     protocol = "tlsv1_2+";
diff --git a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig
index a169eb4..be23aba 100644
--- a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig
+++ b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig
@@ -14,6 +14,16 @@ cross_domain_bosh = false;
 consider_bosh_secure = true;
 -- https_ports = { }; -- Remove this line to prevent listening on port 5284
 
+-- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
+--http_cors_override = {
+--    bosh = {
+--        enabled = false;
+--    };
+--    websocket = {
+--        enabled = false;
+--    };
+--}
+
 -- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
 ssl = {
     protocol = "tlsv1_2+";

From 7e2ba98d36f29ee087dac57a8985e2abe715f7dd Mon Sep 17 00:00:00 2001
From: Evilham <contact@evilham.com>
Date: Thu, 21 Apr 2022 17:52:49 +0200
Subject: [PATCH 15/34] [__jitsi_meet] Fix issue with jicofo memory adaptation

That was being a bit of a mess.

Sponsored by:   camilion.eu, eXO.cat
---
 type/__jitsi_meet/gencode-remote | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/type/__jitsi_meet/gencode-remote b/type/__jitsi_meet/gencode-remote
index 435bbf4..fd782a4 100755
--- a/type/__jitsi_meet/gencode-remote
+++ b/type/__jitsi_meet/gencode-remote
@@ -24,7 +24,7 @@ if cut -f 2 "${__object}/explorer/configured-memory" | grep -qvE "^${MAX_MEMORY}
 		-e 's!^(#[[:space:]]*)?(VIDEOBRIDGE_MAX_MEMORY)=.*\$!\2=${MAX_MEMORY}!' \
 		/usr/share/jitsi-videobridge/lib/videobridge.rc
 	sed -i.tmp -E \
-		-e 's!(JICOFO_MAX_MEMORY)[^;]+;!\1=${MAX_MEMORY};!' \
+		-e 's!(JICOFO_MAX_MEMORY)[^";]+;!\1=${MAX_MEMORY};!' \
 		/usr/share/jicofo/jicofo.sh
 	EOF
 fi

From 151dc32fb52f695b101369032a0bdad1a9b20916 Mon Sep 17 00:00:00 2001
From: Evilham <contact@evilham.com>
Date: Thu, 21 Apr 2022 19:43:32 +0200
Subject: [PATCH 16/34] [__jitsi_meet*] Add support for simultaneous
 interpretations

By using https://gitlab.com/mfmt/jsi which consists of very small and simple
static files, we enable interpretations by default.

With this commit, any DOMAIN created with __jitsi_meet_domain will serve jsi on
https://DOMAIN/i/ and any ROOM can be used with simultaneous interpretation on
https://DOMAIN/i/ROOM

Sponsored by:   camilion.eu, eXO.cat
---
 type/__jitsi_meet/manifest              | 43 +++++++++++++++++++++++++
 type/__jitsi_meet_domain/files/nginx.sh | 15 +++++++++
 type/__jitsi_meet_domain/man.rst        |  9 +++++-
 3 files changed, 66 insertions(+), 1 deletion(-)

diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest
index 6a9d962..0b728c7 100755
--- a/type/__jitsi_meet/manifest
+++ b/type/__jitsi_meet/manifest
@@ -262,3 +262,46 @@ EOF
 	fi
 fi
 # TODO: disable the exporter if it is deployed and then admin changes their mind
+
+#
+# Setup interpreter assets if requested
+# See: https://gitlab.com/mfmt/jsi/
+#
+jsi_updated_on="2022-04-21"
+__link "/usr/share/jitsi-meet/interpreters.html" \
+	--type symbolic \
+	--source "/opt/jsi/static/index.html.sample"
+__directory /opt/jsi --mode 0755
+export require="__directory/opt/jsi"
+__download /opt/jsi/jsi.tar.gz \
+	--url 'https://gitlab.com/mfmt/jsi/-/archive/1d2cceaf615ee61c0bba80e5bddc61c5d1018303/jsi-1d2cceaf615ee61c0bba80e5bddc61c5d1018303.tar.gz' \
+	--sum "sha256:b020141093daa9937507b098f358d0be994834c3e23866a457fc5140415a0c53"
+export require="__download/opt/jsi/jsi.tar.gz"
+__unpack /opt/jsi/jsi.tar.gz \
+	--preserve-archive \
+	--tar-strip 1 \
+	--destination /opt/jsi/static \
+	--onchange "$(cat <<EOF
+# Patch style.css to be served on /i/
+sed -i.tmp -E \
+	-e 's!url[(]/img/welcome-background.png[)]!url(/i/img/welcome-background.png)!' \
+	/opt/jsi/static/style.css
+# Patch jsi.js to be served on /i/
+#   and so it always uses the domain it's served from
+#   and so it uses /i/ROOM for the form
+sed -i.tmp -E \
+	-e 's!substr[(][0-9]+[)]!substr(3)!' \
+	-e 's!config[.]jitsimeet_url!url.host!' \
+	-e 's!(window[.]location[.]href)[[:space:]]*=[[:space:]]*"/"!\1 = "/i/"!' \
+	/opt/jsi/static/jsi.js
+# Patch the sample index.html, so it loads external_api.js from same host
+#   and to easen up on the branding
+#   and to enable browser cache
+sed -i.tmp -E \
+	-e "s!src=[^>]*(/external_api.js).!src='\1'!" \
+	-e "s!<h1>[^<]*</h1>!<h1>Jitsi Meetings with interpreter</h1>!" \
+	-e "s!https://meet.mayfirst.org!/!" \
+	-e "s!(style.css|jsi.js)([^?])!\1?v=${jsi_updated_on:?}\2!" \
+	/opt/jsi/static/index.html.sample
+EOF
+)"
diff --git a/type/__jitsi_meet_domain/files/nginx.sh b/type/__jitsi_meet_domain/files/nginx.sh
index ad1b41a..64467d9 100644
--- a/type/__jitsi_meet_domain/files/nginx.sh
+++ b/type/__jitsi_meet_domain/files/nginx.sh
@@ -102,6 +102,21 @@ server {
             expires 1y;
         }
     }
+    # Paths for jsi / interpreters
+    location ~ ^/i/(img/[^./]*.png|jsi.js|style.css)$
+    {
+        add_header 'Access-Control-Allow-Origin' '*';
+        alias /opt/jsi/static/\$1;
+
+        # cache all versioned files
+        if (\$arg_v) {
+            expires 1y;
+        }
+    }
+    location ~ ^/i/
+    {
+        try_files /${DOMAIN}-interpreters.html /interpreters.html \$uri;
+    }
 
     # BOSH
     location = /http-bind {
diff --git a/type/__jitsi_meet_domain/man.rst b/type/__jitsi_meet_domain/man.rst
index 0bef146..97d670b 100644
--- a/type/__jitsi_meet_domain/man.rst
+++ b/type/__jitsi_meet_domain/man.rst
@@ -11,7 +11,13 @@ DESCRIPTION
 -----------
 This type installs and configures the frontend for Jitsi-Meet.
 
-This supports "multi-domain" installations.
+Additionally to regular Jitsi-Meet, users can load `DOMAIN/i/` and
+`DOMAIN/i/ROOM` for an interpreter-enabled interface; this is done with a
+patched version of Jitsi Simultaneous Interpretation (jsi; see references).
+At least a user with `interpreter` in their name must be present.
+
+
+This type supports "multi-domain" installations.
 
 New in April 2022: rooms are independent for each domain, that is:
 https://jitsi1.example.org/room1 and https://jitsi2.example.org/room1 are
@@ -156,6 +162,7 @@ SEE ALSO
 --------
 - `__jitsi_meet(7)`
 - `__jitsi_meet_user(7)`
+- Jitsi Meet Simultaneous Interpretation: https://gitlab.com/mfmt/jsi
 
 
 AUTHORS

From 67bc8aa02bd9512b98f1850dff3d4ad38f056273 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= <timothee.floure@posteo.net>
Date: Mon, 25 Apr 2022 17:10:50 +0200
Subject: [PATCH 17/34] __uacme_obtain: allow use of stdin with the
 --renew-hook parameter

---
 type/__uacme_obtain/man.rst  | 3 ++-
 type/__uacme_obtain/manifest | 6 +++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/type/__uacme_obtain/man.rst b/type/__uacme_obtain/man.rst
index f1db899..16ebe87 100644
--- a/type/__uacme_obtain/man.rst
+++ b/type/__uacme_obtain/man.rst
@@ -38,7 +38,8 @@ install-key-to
   Installation path of the certificate's private key.
 
 renew-hook
-  Renew hook executed on certificate renewal (e.g. `service nginx reload`).
+  Renew hook executed on certificate renewal (e.g. `service nginx reload`, `-`
+  for the standard input).
 
 force-cert-ownership-to
   Override default ownership for TLS certificate, passed as argument to chown.
diff --git a/type/__uacme_obtain/manifest b/type/__uacme_obtain/manifest
index b41ddde..a40119b 100644
--- a/type/__uacme_obtain/manifest
+++ b/type/__uacme_obtain/manifest
@@ -109,7 +109,11 @@ export CERT_TARGET
 RENEW_HOOK=
 if [ -f "${__object:?}/parameter/renew-hook" ];
 then
-	RENEW_HOOK="$(cat "${__object:?}/parameter/renew-hook")"
+	if [ "$(cat "${__object:?}/parameter/renew-hook")" = "-" ]; then
+		RENEW_HOOK="$(cat ${__object:?}/stdin)"
+	else
+		RENEW_HOOK="$(cat "${__object:?}/parameter/renew-hook")"
+	fi
 fi
 export RENEW_HOOK
 

From 977b530dab44061cdae171e7c3c31d78b74191df Mon Sep 17 00:00:00 2001
From: Evilham <contact@evilham.com>
Date: Thu, 28 Apr 2022 17:22:19 +0200
Subject: [PATCH 18/34] [__single_binary_service] Update manpage to remove
 __evilham prefix

---
 type/__single_binary_service/man.rst | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/type/__single_binary_service/man.rst b/type/__single_binary_service/man.rst
index cb40330..65b4fc0 100644
--- a/type/__single_binary_service/man.rst
+++ b/type/__single_binary_service/man.rst
@@ -1,9 +1,9 @@
-cdist-type__evilham_single_binary_service(7)
-============================================
+cdist-type__single_binary_service(7)
+====================================
 
 NAME
 ----
-cdist-type__evilham_single_binary_service - Setup a single-binary service
+cdist-type__single_binary_service - Setup a single-binary service
 
 
 DESCRIPTION
@@ -142,7 +142,7 @@ EXAMPLES
 
 	# Install and enable the ipmi_exporter service
 	#   The variables are defined in the manifest previously
-	__evilham_single_binary_service ipmi_exporter \
+	__single_binary_service ipmi_exporter \
 		--user "${USER}" \
 		--service-args ' --config.file=/etc/ipmi_exporter.conf' \
 		--version "${SHOULD_VERSION}" \
@@ -157,7 +157,7 @@ EXAMPLES
 	EOF
 
 	# Remove the ipmi_exporter service along with the user and its config
-	__evilham_single_binary_service ipmi_exporter \
+	__single_binary_service ipmi_exporter \
 		--user "${USER}" \
 		--version "${SHOULD_VERSION}" \
 		--checksum "${CHECKSUM}" \
@@ -165,7 +165,7 @@ EXAMPLES
 		--state "absent"
 
 	# Same, but the service was using my user! Let's not delete that!
-	__evilham_single_binary_service ipmi_exporter \
+	__single_binary_service ipmi_exporter \
 		--user "evilham" \
 		--do-not-manage-user \
 		--version "${SHOULD_VERSION}" \
@@ -187,4 +187,4 @@ Evilham <contact@evilham.com>
 
 COPYING
 -------
-Copyright \(C) 2021 Evilham.
+Copyright \(C) 2022 Evilham.

From 0cff41488436c7e9f8aa083e5974ba2537fca41e Mon Sep 17 00:00:00 2001
From: Evilham <contact@evilham.com>
Date: Thu, 28 Apr 2022 17:28:46 +0200
Subject: [PATCH 19/34] [__jitsi_meet] Simplify exporter logic and update it to
 1.2.0

This uses the newly merged __single_binary_service and:

- Fixes the bug where once added, the exporter could not be removed
- Simplifies keeping it up to date

Sponsored by:   camilion.eu, eXO.cat
---
 .../prometheus-jitsi-meet-explorer-version    |  7 --
 type/__jitsi_meet/manifest                    | 78 +++++--------------
 2 files changed, 18 insertions(+), 67 deletions(-)
 delete mode 100755 type/__jitsi_meet/explorer/prometheus-jitsi-meet-explorer-version

diff --git a/type/__jitsi_meet/explorer/prometheus-jitsi-meet-explorer-version b/type/__jitsi_meet/explorer/prometheus-jitsi-meet-explorer-version
deleted file mode 100755
index b1cec48..0000000
--- a/type/__jitsi_meet/explorer/prometheus-jitsi-meet-explorer-version
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh -e
-
-EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version"
-
-if [ -f "${EXPORTER_VERSION_FILE}" ]; then
-	cat "${EXPORTER_VERSION_FILE}"
-fi
diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest
index 0b728c7..815d039 100755
--- a/type/__jitsi_meet/manifest
+++ b/type/__jitsi_meet/manifest
@@ -1,7 +1,6 @@
 #!/bin/sh -e
 
 os="$(cat "${__global}/explorer/os")"
-init="$(cat "${__global}/explorer/init")"
 case "${os}" in
 	devuan|debian)
 	;;
@@ -27,8 +26,6 @@ if [ -z "${TURN_SERVER}" ]; then
 	TURN_SERVER="${JITSI_HOST}"
 fi
 
-PROMETHEUS_JITSI_EXPORTER_IS_VERSION="$(cat "${__object}/explorer/prometheus-jitsi-meet-explorer-version")"
-
 # The rest is loosely based on Jitsi's documentation
 # https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart
 
@@ -203,65 +200,26 @@ export JITSI_HOST
 "${__type}/files/jicofo.conf.sh" | \
 	__file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-'
 
+
 # These two should be changed on new release
-PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5"
-PROMETHEUS_JITSI_EXPORTER_CHECKSUM="sha256:3ddf43a48d9a2f62be1bc6db9e7ba75d61994f9423e5c5b28be019f41f06f745"
-PROMETHEUS_JITSI_EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}/prometheus-jitsi-meet-exporter-linux-amd64"
-PROMETHEUS_JITSI_EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version"
-if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then
-	case "${init}" in
-		init|sysvinit)
-			__runit
-			require="__runit" __runit_service \
-				prometheus-jitsi-meet-exporter --log --source - <<EOF
-			#!/bin/sh -e
-			cd /tmp
-			exec chpst -u "nobody:nogroup" env HOME="/tmp" \\
-			     prometheus-jitsi-meet-exporter \\
-				-videobridge-url 'http://localhost:8888/stats' \\
-				-web.listen-address ':9888' 2>&1
-EOF
-
-			export require="__runit_service/prometheus-jitsi-meet-exporter"
-			JITSI_MEET_EXPORTER_SERVICE="sv %s prometheus-jitsi-meet-exporter"
-		;;
-		systemd)
-			__systemd_unit prometheus-jitsi-meet-exporter.service \
-				--source "-" \
-				--enablement-state "enabled" <<EOF
-[Unit]
-Description=Metrics Exporter for Jitsi Meet
-After=network.target
-
-[Service]
-Type=simple
-DynamicUser=yes
-ExecStart=/usr/local/bin/prometheus-jitsi-meet-exporter -videobridge-url 'http://localhost:8888/stats' -web.listen-address ':9888'
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
-EOF
-			export require="__systemd_unit/prometheus-jitsi-meet-exporter.service"
-			JITSI_MEET_EXPORTER_SERVICE="service prometheus-jitsi-meet-exporter %s"
-		;;
-	esac
-	if [ "${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}" != \
-		"${PROMETHEUS_JITSI_EXPORTER_IS_VERSION}" ]; then
-		# shellcheck disable=SC2059
-		__download \
-			/tmp/prometheus-jitsi-meet-exporter \
-			--url "${PROMETHEUS_JITSI_EXPORTER_URL}" \
-			--download remote \
-			--sum "${PROMETHEUS_JITSI_EXPORTER_CHECKSUM}" \
-			--onchange "$(printf "${JITSI_MEET_EXPORTER_SERVICE}" "stop") || true; chmod 555 /tmp/prometheus-jitsi-meet-exporter && mv /tmp/prometheus-jitsi-meet-exporter /usr/local/bin/prometheus-jitsi-meet-exporter && $(printf "${JITSI_MEET_EXPORTER_SERVICE}" "restart")"
-		printf "%s" "${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}" | \
-			require="${require} __download/tmp/prometheus-jitsi-meet-exporter" __file \
-			"${PROMETHEUS_JITSI_EXPORTER_VERSION_FILE}" \
-			--source "-"
-	fi
+EXPORTER_VERSION="1.2.0"
+EXPORTER_CHECKSUM="sha256:6377ffa7be0c7deb66545616add7245da96f8b7746d6712f41cfa9fe72c935ce"
+EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${EXPORTER_VERSION}/prometheus-jitsi-meet-exporter_${EXPORTER_VERSION}_linux_amd64.tar.gz"
+if [ -f "${__object}/parameter/disable-prometheus-exporter" ]; then
+	EXPORTER_STATE="absent"
+else
+	EXPORTER_STATE="present"
 fi
-# TODO: disable the exporter if it is deployed and then admin changes their mind
+__evilham_single_binary_service prometheus-jitsi-meet-exporter \
+	--state "${EXPORTER_STATE}" \
+	--do-not-manage-user \
+	--user "nobody" \
+	--group "nogroup" \
+	--version "${EXPORTER_VERSION}" \
+	--checksum "${EXPORTER_CHECKSUM}" \
+	--url "${EXPORTER_URL}" \
+	--unpack \
+	--service-args "-videobridge-url 'http://localhost:8080/colibri/stats' -web.listen-address ':9888'"
 
 #
 # Setup interpreter assets if requested

From a63d9ec458076e01372612d56a974aaaf1ca1d8d Mon Sep 17 00:00:00 2001
From: Evilham <contact@evilham.com>
Date: Thu, 28 Apr 2022 17:32:15 +0200
Subject: [PATCH 20/34] [__jitsi_meet] Configure jicofo so metrics are more
 useful

By default the REST API provided by jicofo is less useful than desired.
This is a tad under-documented, so finding the right settings was tricky :-).

Sponsored by:   camilion.eu, eXO.cat
---
 type/__jitsi_meet/gencode-remote |  2 +-
 type/__jitsi_meet/manifest       | 23 +++++++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/type/__jitsi_meet/gencode-remote b/type/__jitsi_meet/gencode-remote
index fd782a4..c29d20e 100755
--- a/type/__jitsi_meet/gencode-remote
+++ b/type/__jitsi_meet/gencode-remote
@@ -33,7 +33,7 @@ if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
 	echo "service nginx reload"
 fi
 
-if grep -qE "^(__line/jitsi_jicofo_secured_domains|(__file|__link)/etc/prosody/conf.d/|__file/etc/jitsi/jicofo/jicofo.conf)" "${__messages_in}"; then
+if grep -qE "^(__line/jitsi_jicofo_secured_domains|(__file|__link)/etc/prosody/conf.d/|__file/etc/jitsi/(jicofo/jicofo.conf|videobridge/jvb.conf))" "${__messages_in}"; then
 	RESTART_SERVICES="YES"
 fi
 
diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest
index 815d039..fb22821 100755
--- a/type/__jitsi_meet/manifest
+++ b/type/__jitsi_meet/manifest
@@ -200,6 +200,29 @@ export JITSI_HOST
 "${__type}/files/jicofo.conf.sh" | \
 	__file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-'
 
+# Enable the private colibri REST API end point for better stats
+__file "/etc/jitsi/videobridge/jvb.conf" --mode 0444 --source '-' <<EOFJVB
+videobridge {
+    http-servers {
+        public {
+            port = 9090
+        }
+        private {
+            port = 8080
+        }
+    }
+    websockets {
+        enabled = true
+        domain = "${JITSI_HOST}:443"
+        tls = true
+    }
+    apis {
+        rest {
+            enabled = true
+        }
+    }
+}
+EOFJVB
 
 # These two should be changed on new release
 EXPORTER_VERSION="1.2.0"

From aa3f2eeb00a3e89db9a1a7e1453df39423ede9bb Mon Sep 17 00:00:00 2001
From: Evilham <contact@evilham.com>
Date: Thu, 28 Apr 2022 17:34:32 +0200
Subject: [PATCH 21/34] [__jitsi_meet_domain] Make shellcheck happy and fix
 escaping issue

The escaping issue was overlooked because it was in a comment block; it wasn't
relevant.

No functional changes intended.

Sponsored by:   camilion.eu, eXO.cat
---
 .../files/_update_jitsi_configurations.sh                   | 2 +-
 type/__jitsi_meet_domain/files/config.js.sh                 | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
index 12c405b..0d9f53a 100755
--- a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
+++ b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
@@ -32,4 +32,4 @@ download_file doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example prosody.
 
 # Change the version file, maintainers should check that it matches
 # the deb version
-printf "2.0.${BRANCH#*_}-1" > jitsi-version
+printf "2.0.%s-1" "${BRANCH#*_}" > jitsi-version
diff --git a/type/__jitsi_meet_domain/files/config.js.sh b/type/__jitsi_meet_domain/files/config.js.sh
index 0eca916..6836dd1 100644
--- a/type/__jitsi_meet_domain/files/config.js.sh
+++ b/type/__jitsi_meet_domain/files/config.js.sh
@@ -1028,9 +1028,9 @@ ${ANALYTICS_SETTINGS}
     // Endpoint that enables support for salesforce integration with in-meeting resource linking
     // This is required for:
     // listing the most recent records - salesforceUrl/records/recents
-    // searching records - salesforceUrl/records?text=${text}
-    // retrieving record details - salesforceUrl/records/${id}?type=${type}
-    // and linking the meeting - salesforceUrl/sessions/${sessionId}/records/${id}
+    // searching records - salesforceUrl/records?text=\${text}
+    // retrieving record details - salesforceUrl/records/\${id}?type=\${type}
+    // and linking the meeting - salesforceUrl/sessions/\${sessionId}/records/\${id}
     //
     // salesforceUrl: 'https://api.example.com/',
 

From 8e1d0b68f1473bd78aea44811c8b977c07af9466 Mon Sep 17 00:00:00 2001
From: Evilham <contact@evilham.com>
Date: Thu, 28 Apr 2022 17:40:09 +0200
Subject: [PATCH 22/34] [__jitsi_meet*] Add new parameters for heavier branding

This uses nginx' server-side includes, so each domain configured by
`__jitsi_meet_domain` can have its own customisation.

Note that the file customisation file must exist for each domain,
`__jitsi_meet_domain` takes care of that already.

Sponsored by:   camilion.eu, eXO.cat
---
 type/__jitsi_meet/manifest                            |  7 +++++++
 type/__jitsi_meet_domain/files/interface_config.js.sh |  2 +-
 type/__jitsi_meet_domain/man.rst                      | 11 +++++++++--
 type/__jitsi_meet_domain/manifest                     |  6 ++++++
 .../parameter/default/branding-app-name               |  1 +
 .../parameter/default/branding-extra-body             |  0
 type/__jitsi_meet_domain/parameter/optional           |  2 ++
 7 files changed, 26 insertions(+), 3 deletions(-)
 create mode 100644 type/__jitsi_meet_domain/parameter/default/branding-app-name
 create mode 100644 type/__jitsi_meet_domain/parameter/default/branding-extra-body

diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest
index fb22821..20e91a7 100755
--- a/type/__jitsi_meet/manifest
+++ b/type/__jitsi_meet/manifest
@@ -224,6 +224,13 @@ videobridge {
 }
 EOFJVB
 
+# Enable simple per-domain body customisation
+__file "/usr/share/jitsi-meet/body.html" \
+	--mode 0644 \
+	--source '-' <<EOF
+<!--#include virtual="body-\${host}.html" -->
+EOF
+
 # These two should be changed on new release
 EXPORTER_VERSION="1.2.0"
 EXPORTER_CHECKSUM="sha256:6377ffa7be0c7deb66545616add7245da96f8b7746d6712f41cfa9fe72c935ce"
diff --git a/type/__jitsi_meet_domain/files/interface_config.js.sh b/type/__jitsi_meet_domain/files/interface_config.js.sh
index 094cc6e..0589ced 100644
--- a/type/__jitsi_meet_domain/files/interface_config.js.sh
+++ b/type/__jitsi_meet_domain/files/interface_config.js.sh
@@ -20,7 +20,7 @@ JITSI_INTERFACE_CONFIG_JS="$(cat <<EOF
  */
 
 var interfaceConfig = {
-    APP_NAME: 'Jitsi Meet',
+    APP_NAME: '${BRANDING_APP_NAME}',
     AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)',
     AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)',
 
diff --git a/type/__jitsi_meet_domain/man.rst b/type/__jitsi_meet_domain/man.rst
index 97d670b..0a6e488 100644
--- a/type/__jitsi_meet_domain/man.rst
+++ b/type/__jitsi_meet_domain/man.rst
@@ -93,6 +93,15 @@ video-constraints
     It must not have a trailing comma, see `constraints` in
     `__jitsi_meet_domain/files/config.js.sh`.
 
+branding-app-name
+    This will change `Jitsi Meet` in many places to the brand you desire.
+    Defaults to `Jitsi Meet`.
+
+branding-extra-body
+    This must be valid HTML, it will be included server-side and delivered to
+    clients alongside the default `index.html`.
+    This is useful if you would rather not replace the whole `index`, but
+    still want the chance to do some heavier branding / add instructions / etc.
 
 branding-json
     Path to a JSON file that will be served as the `dynamicBrandingUrl`.
@@ -100,14 +109,12 @@ branding-json
     `__jitsi_meet_domain/files/config.js.sh`.
     If not set, no branding will be set up.
 
-
 branding-index
     Path to an HTML file that will be served instead of Jitsi-Meet's default
     one.
     If not set, the default index file will be used.
     If set to `-`, the type's standard input will be used.
 
-
 branding-watermark
     Path to a png file that will be served instead of Jitsi-Meet's default
     one.
diff --git a/type/__jitsi_meet_domain/manifest b/type/__jitsi_meet_domain/manifest
index f449414..755fe32 100755
--- a/type/__jitsi_meet_domain/manifest
+++ b/type/__jitsi_meet_domain/manifest
@@ -19,6 +19,7 @@ START_VIDEO_MUTED="$(cat "${__object}/parameter/start-video-muted")"
 TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
 VIDEO_CONSTRAINTS="$(cat "${__object}/parameter/video-constraints")"
 ANALYTICS_SETTINGS="$(cat "${__object}/parameter/analytics-settings")"
+BRANDING_APP_NAME="$(cat "${__object}/parameter/branding-app-name")"
 BRANDING_INDEX="$(cat "${__object}/parameter/branding-index")"
 BRANDING_JSON="$(cat "${__object}/parameter/branding-json")"
 BRANDING_WATERMARK="$(cat "${__object}/parameter/branding-watermark")"
@@ -131,6 +132,11 @@ __file "/usr/share/jitsi-meet/images/watermark-${DOMAIN}.png" \
 	--mode 0644 \
 	--state "$(_var_state "${BRANDING_WATERMARK}")" \
 	--source "${BRANDING_WATERMARK}"
+# Simple body customisation
+__file "/usr/share/jitsi-meet/body-${DOMAIN}.html" \
+	--mode 0644 \
+	--state "$(_var_state "${STATE}")" \
+	--source "${__object}/parameter/branding-extra-body"
 
 #
 # Take care of prosody settings for the domain
diff --git a/type/__jitsi_meet_domain/parameter/default/branding-app-name b/type/__jitsi_meet_domain/parameter/default/branding-app-name
new file mode 100644
index 0000000..50236b5
--- /dev/null
+++ b/type/__jitsi_meet_domain/parameter/default/branding-app-name
@@ -0,0 +1 @@
+Jitsi Meet
diff --git a/type/__jitsi_meet_domain/parameter/default/branding-extra-body b/type/__jitsi_meet_domain/parameter/default/branding-extra-body
new file mode 100644
index 0000000..e69de29
diff --git a/type/__jitsi_meet_domain/parameter/optional b/type/__jitsi_meet_domain/parameter/optional
index 1289b85..f9f51eb 100644
--- a/type/__jitsi_meet_domain/parameter/optional
+++ b/type/__jitsi_meet_domain/parameter/optional
@@ -5,7 +5,9 @@ notice-message
 start-video-muted
 turn-server
 video-constraints
+branding-app-name
 branding-json
 branding-index
+branding-extra-body
 branding-watermark
 state

From 1791d35f84eb97d239a8905145c744f72b992094 Mon Sep 17 00:00:00 2001
From: Evilham <contact@evilham.com>
Date: Thu, 28 Apr 2022 17:43:33 +0200
Subject: [PATCH 23/34] [__jitsi_meet_domain] Add a muc_room_cache_size for
 jibri

@pedro is working on this and this change matched my workflow better :-)
---
 type/__jitsi_meet_domain/files/prosody.cfg.lua.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
index ea243c1..5bb93b5 100644
--- a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
+++ b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
@@ -153,6 +153,8 @@ Component "internal.auth.${JITSI_DOMAIN:?}" "muc"
     admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}", "jvb@auth.${JITSI_HOST:?}" }
     muc_room_locking = false
     muc_room_default_public_jids = true
+    -- https://prosody.im/doc/modules/mod_muc
+    muc_room_cache_size = 1000
 ${PROSODY_DOMAIN_END}
 ${PROSODY_MAIN_START}
 -- This will be managed by __jitsi_meet

From 797f7c864814f69d0a138b3f415acfd4ca539121 Mon Sep 17 00:00:00 2001
From: Evilham <contact@evilham.com>
Date: Sun, 8 May 2022 21:47:26 +0200
Subject: [PATCH 24/34] [__jitsi_meet] Improve manpage regarding ufw and SSH

This documents the fact that this type does not make decisions about anything
other than Jitsi-Meet itself and therefore care should be taken with the SSH
port.

Related to:	https://code.ungleich.ch/ungleich-public/cdist-contrib/pulls/23
Reported by:	@pedro
---
 type/__jitsi_meet/man.rst | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/type/__jitsi_meet/man.rst b/type/__jitsi_meet/man.rst
index 876c218..03a4a35 100644
--- a/type/__jitsi_meet/man.rst
+++ b/type/__jitsi_meet/man.rst
@@ -21,10 +21,10 @@ You will also need the `__jitsi_meet_domain` type in order to finish setting up
 the web frontend (including TLS certificates) and its settings.
 
 You may want to use the `files/ufw` example manifest for a `__ufw`-based
-firewall compatible with this type.
-This file does not include rules for TCP port 9888, which exposes the
-prometheus exporter if not disabled.
-You should apply your own rules here.
+firewall compatible with this type that allows all ports needed by Jitsi-Meet.
+Note however that this will not deal with rules for SSH or for TCP port 9888,
+which exposes the prometheus exporter if not disabled.
+Remember to apply your own rules here, particularly regarding SSH.
 
 This type only works on De{bi,vu}an systems.
 
@@ -76,9 +76,11 @@ EXAMPLES
 
 .. code-block:: sh
 
-    # Setup the firewall
+    # Setup the firewall for Jitsi-Meet
     . "${__global}/type/__jitsi_meet/files/ufw"
     export require="__ufw"
+    # Setup firewall SSH rules as necessary
+    __ufw_rule ssh --rule 'allow 22/tcp from 10.0.0.0/24'
     # Setup Jitsi on this host
     __jitsi_meet \
       --turn-server "turn.exo.cat" \

From 756e5b17c63d641ac35ffad513d3ed15188b87ca Mon Sep 17 00:00:00 2001
From: Evilham <contact@evilham.com>
Date: Tue, 7 Jun 2022 15:00:00 +0200
Subject: [PATCH 25/34] [__jitsi_meet*] Update to 2.0.7287-1

Sponsored by:	camilion.eu, eXO.cat
---
 .../files/_update_jitsi_configurations.sh     |  2 +-
 type/__jitsi_meet_domain/files/config.js.sh   | 38 +++++++++++++++++--
 .../files/config.js.sh.orig                   | 38 +++++++++++++++++--
 type/__jitsi_meet_domain/files/jitsi-version  |  2 +-
 .../files/prosody.cfg.lua.sh                  | 17 +++++++++
 .../files/prosody.cfg.lua.sh.orig             | 15 ++++++++
 6 files changed, 102 insertions(+), 10 deletions(-)

diff --git a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
index 0d9f53a..8b14e5c 100755
--- a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
+++ b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
@@ -7,7 +7,7 @@
 
 # We could automate this, but are using it as an indicator for the
 # latest branch with which we conciliated changes.
-BRANCH="jitsi-meet_7210"
+BRANCH="jitsi-meet_7287"
 REPO="https://github.com/jitsi/jitsi-meet"
 
 get_url() {
diff --git a/type/__jitsi_meet_domain/files/config.js.sh b/type/__jitsi_meet_domain/files/config.js.sh
index 6836dd1..e52ed32 100644
--- a/type/__jitsi_meet_domain/files/config.js.sh
+++ b/type/__jitsi_meet_domain/files/config.js.sh
@@ -4,6 +4,11 @@
 JITSI_CONFIG_JS="$(cat <<EOF
 /* eslint-disable no-unused-vars, no-var */
 
+/*
+ * NOTE: If you add a new option please remember to document it here:
+ * https://jitsi.github.io/handbook/docs/dev-guide/dev-guide-configuration
+ */
+
 var config = {
     // Connection
     //
@@ -75,6 +80,11 @@ var config = {
         // or disabled for the screenshare.
         // capScreenshareBitrate: 1 // 0 to disable - deprecated.
 
+        // Whether to use fake constraints (height: 99999, width: 99999) when calling getDisplayMedia on
+        // Chromium based browsers. This is intended as a workaround for
+        // https://bugs.chromium.org/p/chromium/issues/detail?id=1056311
+        // setScreenSharingResolutionConstraints: true
+
         // Enable callstats only for a percentage of users.
         // This takes a value between 0 and 100 which determines the probability for
         // the callstats to be enabled.
@@ -1101,8 +1111,18 @@ ${ANALYTICS_SETTINGS}
     // breakoutRooms: {
     //     // Hides the add breakout room button. This replaces \`hideAddRoomButton\`.
     //     hideAddRoomButton: false,
+    //     // Hides the auto assign participants button.
+    //     hideAutoAssignButton: false,
+    //     // Hides the participants pane footer menu.
+    //     hideFooterMenu: false,
     //     // Hides the join breakout room button.
-    //     hideJoinRoomButton: false
+    //     hideJoinRoomButton: false,
+    //     // Hides the moderator settings tab.
+    //     hideModeratorSettingsTab: false,
+    //     // Hides the more actions button.
+    //     hideMoreActionsButton: false,
+    //     // Hides the mute all button.
+    //     hideMuteAllButton: false
     // },
 
     // When true the user cannot add more images to be used as virtual background.
@@ -1131,7 +1151,7 @@ ${ANALYTICS_SETTINGS}
     // If a label's id is not in any of the 2 arrays, it will not be visible at all on the header.
     // conferenceInfo: {
     //     // those labels will not be hidden in tandem with the toolbox.
-    //     alwaysVisible: ['recording', 'local-recording', 'raised-hands-count'],
+    //     alwaysVisible: ['recording', 'raised-hands-count'],
     //     // those labels will be auto-hidden in tandem with the toolbox buttons.
     //     autoHide: [
     //         'subject',
@@ -1175,14 +1195,24 @@ ${ANALYTICS_SETTINGS}
     // will open an etherpad document.
     // etherpad_base: 'https://your-etherpad-installati.on/p/',
 
+    // To enable information about dial-in access to meetings you need to provide
+    // dialInNumbersUrl and dialInConfCodeUrl.
+    // dialInNumbersUrl returns a json array of numbers that can be used for dial-in.
+    // {"countryCode":"US","tollFree":false,"formattedNumber":"+1 123-456-7890"}
+    // dialInConfCodeUrl is the conference mapper converting a meeting id to a PIN used for dial-in
+    // or the other way around (more info in resources/cloud-api.swagger)
+    //
+    // For JaaS customers the default values are:
+    // dialInNumbersUrl: 'https://conference-mapper.jitsi.net/v1/access/dids',
+    // dialInConfCodeUrl: 'https://conference-mapper.jitsi.net/v1/access',
+    //
+
     // List of undocumented settings used in jitsi-meet
     /**
      _immediateReloadThreshold
      debug
      debugAudioLevels
      deploymentInfo
-     dialInConfCodeUrl
-     dialInNumbersUrl
      dialOutAuthUrl
      dialOutCodesUrl
      disableRemoteControl
diff --git a/type/__jitsi_meet_domain/files/config.js.sh.orig b/type/__jitsi_meet_domain/files/config.js.sh.orig
index 8e4c5bc..2833e4d 100644
--- a/type/__jitsi_meet_domain/files/config.js.sh.orig
+++ b/type/__jitsi_meet_domain/files/config.js.sh.orig
@@ -1,6 +1,11 @@
 
 /* eslint-disable no-unused-vars, no-var */
 
+/*
+ * NOTE: If you add a new option please remember to document it here:
+ * https://jitsi.github.io/handbook/docs/dev-guide/dev-guide-configuration
+ */
+
 var config = {
     // Connection
     //
@@ -69,6 +74,11 @@ var config = {
         // or disabled for the screenshare.
         // capScreenshareBitrate: 1 // 0 to disable - deprecated.
 
+        // Whether to use fake constraints (height: 99999, width: 99999) when calling getDisplayMedia on
+        // Chromium based browsers. This is intended as a workaround for
+        // https://bugs.chromium.org/p/chromium/issues/detail?id=1056311
+        // setScreenSharingResolutionConstraints: true
+
         // Enable callstats only for a percentage of users.
         // This takes a value between 0 and 100 which determines the probability for
         // the callstats to be enabled.
@@ -1093,8 +1103,18 @@ var config = {
     // breakoutRooms: {
     //     // Hides the add breakout room button. This replaces `hideAddRoomButton`.
     //     hideAddRoomButton: false,
+    //     // Hides the auto assign participants button.
+    //     hideAutoAssignButton: false,
+    //     // Hides the participants pane footer menu.
+    //     hideFooterMenu: false,
     //     // Hides the join breakout room button.
-    //     hideJoinRoomButton: false
+    //     hideJoinRoomButton: false,
+    //     // Hides the moderator settings tab.
+    //     hideModeratorSettingsTab: false,
+    //     // Hides the more actions button.
+    //     hideMoreActionsButton: false,
+    //     // Hides the mute all button.
+    //     hideMuteAllButton: false
     // },
 
     // When true the user cannot add more images to be used as virtual background.
@@ -1123,7 +1143,7 @@ var config = {
     // If a label's id is not in any of the 2 arrays, it will not be visible at all on the header.
     // conferenceInfo: {
     //     // those labels will not be hidden in tandem with the toolbox.
-    //     alwaysVisible: ['recording', 'local-recording', 'raised-hands-count'],
+    //     alwaysVisible: ['recording', 'raised-hands-count'],
     //     // those labels will be auto-hidden in tandem with the toolbox buttons.
     //     autoHide: [
     //         'subject',
@@ -1167,14 +1187,24 @@ var config = {
     // will open an etherpad document.
     // etherpad_base: 'https://your-etherpad-installati.on/p/',
 
+    // To enable information about dial-in access to meetings you need to provide
+    // dialInNumbersUrl and dialInConfCodeUrl.
+    // dialInNumbersUrl returns a json array of numbers that can be used for dial-in.
+    // {"countryCode":"US","tollFree":false,"formattedNumber":"+1 123-456-7890"}
+    // dialInConfCodeUrl is the conference mapper converting a meeting id to a PIN used for dial-in
+    // or the other way around (more info in resources/cloud-api.swagger)
+    //
+    // For JaaS customers the default values are:
+    // dialInNumbersUrl: 'https://conference-mapper.jitsi.net/v1/access/dids',
+    // dialInConfCodeUrl: 'https://conference-mapper.jitsi.net/v1/access',
+    //
+
     // List of undocumented settings used in jitsi-meet
     /**
      _immediateReloadThreshold
      debug
      debugAudioLevels
      deploymentInfo
-     dialInConfCodeUrl
-     dialInNumbersUrl
      dialOutAuthUrl
      dialOutCodesUrl
      disableRemoteControl
diff --git a/type/__jitsi_meet_domain/files/jitsi-version b/type/__jitsi_meet_domain/files/jitsi-version
index f2cc6dd..b88c39d 100644
--- a/type/__jitsi_meet_domain/files/jitsi-version
+++ b/type/__jitsi_meet_domain/files/jitsi-version
@@ -1 +1 @@
-2.0.7210-1
\ No newline at end of file
+2.0.7287-1
\ No newline at end of file
diff --git a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
index 5bb93b5..b223246 100644
--- a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
+++ b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
@@ -198,6 +198,23 @@ Component "lobby.${JITSI_DOMAIN:?}" "muc"
     }
 ${PROSODY_DOMAIN_END}
 
+--[[
+-- Enabled dial-in for JaaS customers
+-- Note: make sure you have the following packages installed: lua-basexx, liblua5.3-dev, libssl-dev, luarocks
+-- and execute $ sudo luarocks install luajwtjitsi 3.0-0
+VirtualHost "jigasi.meet.jitsi"
+    enabled = false -- JaaS customers remove this line
+    modules_enabled = {
+      "ping";
+      "bosh";
+    }
+    authentication = "token"
+    app_id = "jitsi";
+    asap_key_server = "https://jaas-public-keys.jitsi.net/jitsi-components/prod-8x8"
+    asap_accepted_issuers = { "jaas-components" }
+    asap_accepted_audiences = { "jigasi.jitmeet.example.com" }
+--]]
+
 ${PROSODY_SECUREDOMAIN_START}
 -- Only used on secured domains
 VirtualHost "${JITSI_DOMAIN}"
diff --git a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig
index be23aba..6814c3b 100644
--- a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig
+++ b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig
@@ -137,3 +137,18 @@ Component "lobby.jitmeet.example.com" "muc"
         "muc_rate_limit";
         "polls";
     }
+
+-- Enabled dial-in for JaaS customers
+-- Note: make sure you have the following packages installed: lua-basexx, liblua5.3-dev, libssl-dev, luarocks
+-- and execute $ sudo luarocks install luajwtjitsi 3.0-0
+VirtualHost "jigasi.meet.jitsi"
+    enabled = false -- JaaS customers remove this line
+    modules_enabled = {
+      "ping";
+      "bosh";
+    }
+    authentication = "token"
+    app_id = "jitsi";
+    asap_key_server = "https://jaas-public-keys.jitsi.net/jitsi-components/prod-8x8"
+    asap_accepted_issuers = { "jaas-components" }
+    asap_accepted_audiences = { "jigasi.jitmeet.example.com" }

From 7a3b706b161e7c9c9d7f1d365c9b652758e6118f Mon Sep 17 00:00:00 2001
From: Evilham <contact@evilham.com>
Date: Thu, 16 Jun 2022 17:43:30 +0200
Subject: [PATCH 26/34] [__jitsi_meet*] Update to 2.0.7416-1

Changelog:	https://github.com/jitsi/jitsi-meet-release-notes/blob/master/CHANGELOG-WEB.md#207416-2022-06-16

Sponsored by:	camilion.eu, eXO.cat
---
 .../files/_update_jitsi_configurations.sh     |  2 +-
 type/__jitsi_meet_domain/files/config.js.sh   | 79 ++++++++++---------
 .../files/config.js.sh.orig                   | 79 ++++++++++---------
 type/__jitsi_meet_domain/files/jitsi-version  |  2 +-
 .../files/prosody.cfg.lua.sh                  |  4 +-
 .../files/prosody.cfg.lua.sh.orig             |  4 +-
 6 files changed, 92 insertions(+), 78 deletions(-)

diff --git a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
index 8b14e5c..5c320ce 100755
--- a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
+++ b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
@@ -7,7 +7,7 @@
 
 # We could automate this, but are using it as an indicator for the
 # latest branch with which we conciliated changes.
-BRANCH="jitsi-meet_7287"
+BRANCH="jitsi-meet_7416"
 REPO="https://github.com/jitsi/jitsi-meet"
 
 get_url() {
diff --git a/type/__jitsi_meet_domain/files/config.js.sh b/type/__jitsi_meet_domain/files/config.js.sh
index e52ed32..5be5dbe 100644
--- a/type/__jitsi_meet_domain/files/config.js.sh
+++ b/type/__jitsi_meet_domain/files/config.js.sh
@@ -302,6 +302,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     // Whether to enable live streaming or not.
     // liveStreamingEnabled: false,
 
+    // Whether to enable local recording or not.
+    // enableLocalRecording: false,
+
     // Transcription (in interface_config,
     // subtitles and buttons can be configured)
     // transcribingEnabled: false,
@@ -566,6 +569,10 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     //     // When 'true', it shows an intermediate page before joining, where the user can configure their devices.
     //     // This replaces \`prejoinPageEnabled\`.
     //     enabled: true,
+    //     // Hides the participant name editing field in the prejoin screen.
+    //     // If requireDisplayName is also set as true, a name should still be provided through
+    //     // either the jwt or the userInfo from the iframe api init object in order for this to have an effect.
+    //     hideDisplayName: false,
     //     // List of buttons to hide from the extra join options dropdown.
     //     hideExtraJoinButtons: ['no-audio', 'by-phone']
     // },
@@ -593,8 +600,17 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     // Array with avatar URL prefixes that need to use CORS.
     // corsAvatarURLs: [ 'https://www.gravatar.com/avatar/' ],
 
-    // Base URL for a Gravatar-compatible service. Defaults to libravatar.
-    // gravatarBaseURL: 'https://seccdn.libravatar.org/avatar/',
+    // Base URL for a Gravatar-compatible service. Defaults to Gravatar.
+    // DEPRECATED! Use \`gravatar.baseUrl\` instead.
+    // gravatarBaseURL: 'https://www.gravatar.com/avatar/',
+
+    // Setup for Gravatar-compatible services.
+    // gravatar: {
+    //     // Defaults to Gravatar.
+    //     baseUrl: 'https://www.gravatar.com/avatar/',
+    //     // True if Gravatar should be disabled.
+    //     disabled: false
+    // },
 
     // App name to be displayed in the invitation email subject, as an alternative to
     // interfaceConfig.APP_NAME.
@@ -616,6 +632,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     //    'chat',
     //    'closedcaptions',
     //    'desktop',
+    //    'dock-iframe'
     //    'download',
     //    'embedmeeting',
     //    'etherpad',
@@ -629,8 +646,6 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     //    'linktosalesforce',
     //    'livestreaming',
     //    'microphone',
-    //    'mute-everyone',
-    //    'mute-video-everyone',
     //    'participants-pane',
     //    'profile',
     //    'raisehand',
@@ -644,6 +659,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     //    'stats',
     //    'tileview',
     //    'toggle-camera',
+    //    'undock-iframe',
     //    'videoquality',
     //    '__end'
     // ],
@@ -770,7 +786,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     // enableEmailInStats: false,
 
     // faceLandmarks: {
-    //     // Enables sharing your face cordinates. Used for centering faces within a video.
+    //     // Enables sharing your face coordinates. Used for centering faces within a video.
     //     enableFaceCentering: false,
 
     //     // Enables detecting face expressions and sharing data with other participants
@@ -782,8 +798,11 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     //     // Minimum required face movement percentage threshold for sending new face centering coordinates data.
     //     faceCenteringThreshold: 10,
 
-    //     // Miliseconds for processing a new image capture in order to detect face coordinates if they exist.
-    //     captureInterval: 100
+    //     // Milliseconds for processing a new image capture in order to detect face coordinates if they exist.
+    //     captureInterval: 1000,
+
+    //     // Maximum number of faces that can be detected from a video track.
+    //     maxFacesDetected: 4
     // },
 
     // Controls the percentage of automatic feedback shown to participants when callstats is enabled.
@@ -948,23 +967,6 @@ ${ANALYTICS_SETTINGS}
     //     ]
     // },
 
-    // Local Recording
-    //
-
-    // localRecording: {
-    // Enables local recording.
-    // Additionally, 'localrecording' (all lowercase) needs to be added to
-    // the \`toolbarButtons\`-array for the Local Recording button to show up
-    // on the toolbar.
-    //
-    //     enabled: true,
-    //
-
-    // The recording format, can be one of 'ogg', 'flac' or 'wav'.
-    //     format: 'flac'
-    //
-
-    // },
     // e2ee: {
     //   labels,
     //   externallyManagedKey: false
@@ -1010,7 +1012,8 @@ ${ANALYTICS_SETTINGS}
     // Disables all invite functions from the app (share, invite, dial out...etc)
     // disableInviteFunctions: true,
 
-    // Disables storing the room name to the recents list
+    // Disables storing the room name to the recents list. When in an iframe this is ignored and
+    // the room is never stored in the recents list.
     // doNotStoreRoom: true,
 
     // Deployment specific URLs.
@@ -1107,16 +1110,8 @@ ${ANALYTICS_SETTINGS}
     */
     dynamicBrandingUrl: "${DYNAMIC_BRANDING_URL}",
 
-    // Options related to the breakout rooms feature.
-    // breakoutRooms: {
-    //     // Hides the add breakout room button. This replaces \`hideAddRoomButton\`.
-    //     hideAddRoomButton: false,
-    //     // Hides the auto assign participants button.
-    //     hideAutoAssignButton: false,
-    //     // Hides the participants pane footer menu.
-    //     hideFooterMenu: false,
-    //     // Hides the join breakout room button.
-    //     hideJoinRoomButton: false,
+    // Options related to the participants pane.
+    // participantsPane: {
     //     // Hides the moderator settings tab.
     //     hideModeratorSettingsTab: false,
     //     // Hides the more actions button.
@@ -1125,6 +1120,16 @@ ${ANALYTICS_SETTINGS}
     //     hideMuteAllButton: false
     // },
 
+    // Options related to the breakout rooms feature.
+    // breakoutRooms: {
+    //     // Hides the add breakout room button. This replaces \`hideAddRoomButton\`.
+    //     hideAddRoomButton: false,
+    //     // Hides the auto assign participants button.
+    //     hideAutoAssignButton: false,
+    //     // Hides the join breakout room button.
+    //     hideJoinRoomButton: false
+    // },
+
     // When true the user cannot add more images to be used as virtual background.
     // Only the default ones from will be available.
     // disableAddingBackgroundImages: false,
@@ -1297,7 +1302,6 @@ ${ANALYTICS_SETTINGS}
     //     'liveStreaming.unavailableTitle', // shown when livestreaming service is not reachable
     //     'lobby.joinRejectedMessage', // shown when while in a lobby, user's request to join is rejected
     //     'lobby.notificationTitle', // shown when lobby is toggled and when join requests are allowed / denied
-    //     'localRecording.localRecording', // shown when a local recording is started
     //     'notify.chatMessages', // shown when receiving chat messages while the chat window is closed
     //     'notify.disconnected', // shown when a participant has left
     //     'notify.connectedOneMember', // show when a participant joined
@@ -1343,6 +1347,9 @@ ${ANALYTICS_SETTINGS}
     //     'transcribing.failedToStart' // shown when transcribing fails to start
     // ],
 
+    // List of notifications to be disabled. Works in tandem with the above setting.
+    // disabledNotifications: [],
+
     // Prevent the filmstrip from autohiding when screen width is under a certain threshold
     // disableFilmstripAutohiding: false,
 
diff --git a/type/__jitsi_meet_domain/files/config.js.sh.orig b/type/__jitsi_meet_domain/files/config.js.sh.orig
index 2833e4d..7949818 100644
--- a/type/__jitsi_meet_domain/files/config.js.sh.orig
+++ b/type/__jitsi_meet_domain/files/config.js.sh.orig
@@ -295,6 +295,9 @@ var config = {
     // Whether to enable live streaming or not.
     // liveStreamingEnabled: false,
 
+    // Whether to enable local recording or not.
+    // enableLocalRecording: false,
+
     // Transcription (in interface_config,
     // subtitles and buttons can be configured)
     // transcribingEnabled: false,
@@ -559,6 +562,10 @@ var config = {
     //     // When 'true', it shows an intermediate page before joining, where the user can configure their devices.
     //     // This replaces `prejoinPageEnabled`.
     //     enabled: true,
+    //     // Hides the participant name editing field in the prejoin screen.
+    //     // If requireDisplayName is also set as true, a name should still be provided through
+    //     // either the jwt or the userInfo from the iframe api init object in order for this to have an effect.
+    //     hideDisplayName: false,
     //     // List of buttons to hide from the extra join options dropdown.
     //     hideExtraJoinButtons: ['no-audio', 'by-phone']
     // },
@@ -586,8 +593,17 @@ var config = {
     // Array with avatar URL prefixes that need to use CORS.
     // corsAvatarURLs: [ 'https://www.gravatar.com/avatar/' ],
 
-    // Base URL for a Gravatar-compatible service. Defaults to libravatar.
-    // gravatarBaseURL: 'https://seccdn.libravatar.org/avatar/',
+    // Base URL for a Gravatar-compatible service. Defaults to Gravatar.
+    // DEPRECATED! Use `gravatar.baseUrl` instead.
+    // gravatarBaseURL: 'https://www.gravatar.com/avatar/',
+
+    // Setup for Gravatar-compatible services.
+    // gravatar: {
+    //     // Defaults to Gravatar.
+    //     baseUrl: 'https://www.gravatar.com/avatar/',
+    //     // True if Gravatar should be disabled.
+    //     disabled: false
+    // },
 
     // App name to be displayed in the invitation email subject, as an alternative to
     // interfaceConfig.APP_NAME.
@@ -609,6 +625,7 @@ var config = {
     //    'chat',
     //    'closedcaptions',
     //    'desktop',
+    //    'dock-iframe'
     //    'download',
     //    'embedmeeting',
     //    'etherpad',
@@ -622,8 +639,6 @@ var config = {
     //    'linktosalesforce',
     //    'livestreaming',
     //    'microphone',
-    //    'mute-everyone',
-    //    'mute-video-everyone',
     //    'participants-pane',
     //    'profile',
     //    'raisehand',
@@ -637,6 +652,7 @@ var config = {
     //    'stats',
     //    'tileview',
     //    'toggle-camera',
+    //    'undock-iframe',
     //    'videoquality',
     //    '__end'
     // ],
@@ -763,7 +779,7 @@ var config = {
     // enableEmailInStats: false,
 
     // faceLandmarks: {
-    //     // Enables sharing your face cordinates. Used for centering faces within a video.
+    //     // Enables sharing your face coordinates. Used for centering faces within a video.
     //     enableFaceCentering: false,
 
     //     // Enables detecting face expressions and sharing data with other participants
@@ -775,8 +791,11 @@ var config = {
     //     // Minimum required face movement percentage threshold for sending new face centering coordinates data.
     //     faceCenteringThreshold: 10,
 
-    //     // Miliseconds for processing a new image capture in order to detect face coordinates if they exist.
-    //     captureInterval: 100
+    //     // Milliseconds for processing a new image capture in order to detect face coordinates if they exist.
+    //     captureInterval: 1000,
+
+    //     // Maximum number of faces that can be detected from a video track.
+    //     maxFacesDetected: 4
     // },
 
     // Controls the percentage of automatic feedback shown to participants when callstats is enabled.
@@ -940,23 +959,6 @@ var config = {
     //     ]
     // },
 
-    // Local Recording
-    //
-
-    // localRecording: {
-    // Enables local recording.
-    // Additionally, 'localrecording' (all lowercase) needs to be added to
-    // the `toolbarButtons`-array for the Local Recording button to show up
-    // on the toolbar.
-    //
-    //     enabled: true,
-    //
-
-    // The recording format, can be one of 'ogg', 'flac' or 'wav'.
-    //     format: 'flac'
-    //
-
-    // },
     // e2ee: {
     //   labels,
     //   externallyManagedKey: false
@@ -1002,7 +1004,8 @@ var config = {
     // Disables all invite functions from the app (share, invite, dial out...etc)
     // disableInviteFunctions: true,
 
-    // Disables storing the room name to the recents list
+    // Disables storing the room name to the recents list. When in an iframe this is ignored and
+    // the room is never stored in the recents list.
     // doNotStoreRoom: true,
 
     // Deployment specific URLs.
@@ -1099,16 +1102,8 @@ var config = {
     */
     // dynamicBrandingUrl: '',
 
-    // Options related to the breakout rooms feature.
-    // breakoutRooms: {
-    //     // Hides the add breakout room button. This replaces `hideAddRoomButton`.
-    //     hideAddRoomButton: false,
-    //     // Hides the auto assign participants button.
-    //     hideAutoAssignButton: false,
-    //     // Hides the participants pane footer menu.
-    //     hideFooterMenu: false,
-    //     // Hides the join breakout room button.
-    //     hideJoinRoomButton: false,
+    // Options related to the participants pane.
+    // participantsPane: {
     //     // Hides the moderator settings tab.
     //     hideModeratorSettingsTab: false,
     //     // Hides the more actions button.
@@ -1117,6 +1112,16 @@ var config = {
     //     hideMuteAllButton: false
     // },
 
+    // Options related to the breakout rooms feature.
+    // breakoutRooms: {
+    //     // Hides the add breakout room button. This replaces `hideAddRoomButton`.
+    //     hideAddRoomButton: false,
+    //     // Hides the auto assign participants button.
+    //     hideAutoAssignButton: false,
+    //     // Hides the join breakout room button.
+    //     hideJoinRoomButton: false
+    // },
+
     // When true the user cannot add more images to be used as virtual background.
     // Only the default ones from will be available.
     // disableAddingBackgroundImages: false,
@@ -1289,7 +1294,6 @@ var config = {
     //     'liveStreaming.unavailableTitle', // shown when livestreaming service is not reachable
     //     'lobby.joinRejectedMessage', // shown when while in a lobby, user's request to join is rejected
     //     'lobby.notificationTitle', // shown when lobby is toggled and when join requests are allowed / denied
-    //     'localRecording.localRecording', // shown when a local recording is started
     //     'notify.chatMessages', // shown when receiving chat messages while the chat window is closed
     //     'notify.disconnected', // shown when a participant has left
     //     'notify.connectedOneMember', // show when a participant joined
@@ -1335,6 +1339,9 @@ var config = {
     //     'transcribing.failedToStart' // shown when transcribing fails to start
     // ],
 
+    // List of notifications to be disabled. Works in tandem with the above setting.
+    // disabledNotifications: [],
+
     // Prevent the filmstrip from autohiding when screen width is under a certain threshold
     // disableFilmstripAutohiding: false,
 
diff --git a/type/__jitsi_meet_domain/files/jitsi-version b/type/__jitsi_meet_domain/files/jitsi-version
index b88c39d..43f9789 100644
--- a/type/__jitsi_meet_domain/files/jitsi-version
+++ b/type/__jitsi_meet_domain/files/jitsi-version
@@ -1 +1 @@
-2.0.7287-1
\ No newline at end of file
+2.0.7416-1
\ No newline at end of file
diff --git a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
index b223246..41a6f5f 100644
--- a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
+++ b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
@@ -199,11 +199,11 @@ Component "lobby.${JITSI_DOMAIN:?}" "muc"
 ${PROSODY_DOMAIN_END}
 
 --[[
--- Enabled dial-in for JaaS customers
+-- Enables dial-in for Jitsi meet components customers
 -- Note: make sure you have the following packages installed: lua-basexx, liblua5.3-dev, libssl-dev, luarocks
 -- and execute $ sudo luarocks install luajwtjitsi 3.0-0
 VirtualHost "jigasi.meet.jitsi"
-    enabled = false -- JaaS customers remove this line
+    enabled = false -- Jitsi meet components customers remove this line
     modules_enabled = {
       "ping";
       "bosh";
diff --git a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig
index 6814c3b..6193b04 100644
--- a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig
+++ b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig
@@ -138,11 +138,11 @@ Component "lobby.jitmeet.example.com" "muc"
         "polls";
     }
 
--- Enabled dial-in for JaaS customers
+-- Enables dial-in for Jitsi meet components customers
 -- Note: make sure you have the following packages installed: lua-basexx, liblua5.3-dev, libssl-dev, luarocks
 -- and execute $ sudo luarocks install luajwtjitsi 3.0-0
 VirtualHost "jigasi.meet.jitsi"
-    enabled = false -- JaaS customers remove this line
+    enabled = false -- Jitsi meet components customers remove this line
     modules_enabled = {
       "ping";
       "bosh";

From 03a9b8b3339485dfa4e6ad89e54c83b5d2c86df2 Mon Sep 17 00:00:00 2001
From: Evilham <contact@evilham.com>
Date: Tue, 21 Jun 2022 11:10:34 +0200
Subject: [PATCH 27/34] [__jitsi_meet*] Update to 2.0.7439-1

Changelog:	https://github.com/jitsi/jitsi-meet-release-notes/blob/master/CHANGELOG-WEB.md#207439-2022-06-17

Sponsored by:	camilion.eu, eXO.cat
---
 .../files/_update_jitsi_configurations.sh          |  2 +-
 type/__jitsi_meet_domain/files/config.js.sh        | 14 ++++++++++----
 type/__jitsi_meet_domain/files/config.js.sh.orig   | 14 ++++++++++----
 type/__jitsi_meet_domain/files/jitsi-version       |  2 +-
 4 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
index 5c320ce..836a2e0 100755
--- a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
+++ b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
@@ -7,7 +7,7 @@
 
 # We could automate this, but are using it as an indicator for the
 # latest branch with which we conciliated changes.
-BRANCH="jitsi-meet_7416"
+BRANCH="jitsi-meet_7439"
 REPO="https://github.com/jitsi/jitsi-meet"
 
 get_url() {
diff --git a/type/__jitsi_meet_domain/files/config.js.sh b/type/__jitsi_meet_domain/files/config.js.sh
index 5be5dbe..43e1e29 100644
--- a/type/__jitsi_meet_domain/files/config.js.sh
+++ b/type/__jitsi_meet_domain/files/config.js.sh
@@ -795,14 +795,14 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     //     // Enables displaying face expressions in speaker stats
     //     enableDisplayFaceExpressions: false,
 
+    //     // Enable rtc stats for face landmarks
+    //     enableRTCStats: false,
+
     //     // Minimum required face movement percentage threshold for sending new face centering coordinates data.
     //     faceCenteringThreshold: 10,
 
     //     // Milliseconds for processing a new image capture in order to detect face coordinates if they exist.
-    //     captureInterval: 1000,
-
-    //     // Maximum number of faces that can be detected from a video track.
-    //     maxFacesDetected: 4
+    //     captureInterval: 1000
     // },
 
     // Controls the percentage of automatic feedback shown to participants when callstats is enabled.
@@ -957,12 +957,18 @@ ${ANALYTICS_SETTINGS}
     // chromeExtensionBanner: {
     //     // The chrome extension to be installed address
     //     url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb',
+    //     edgeUrl: 'https://microsoftedge.microsoft.com/addons/detail/jitsi-meetings/eeecajlpbgjppibfledfihobcabccihn',
 
     //     // Extensions info which allows checking if they are installed or not
     //     chromeExtensionsInfo: [
     //         {
     //             id: 'kglhbbefdnlheedjiejgomgmfplipfeb',
     //             path: 'jitsi-logo-48x48.png'
+    //         },
+    //         // Edge extension info
+    //         {
+    //             id: 'eeecajlpbgjppibfledfihobcabccihn',
+    //             path: 'jitsi-logo-48x48.png'
     //         }
     //     ]
     // },
diff --git a/type/__jitsi_meet_domain/files/config.js.sh.orig b/type/__jitsi_meet_domain/files/config.js.sh.orig
index 7949818..a61a591 100644
--- a/type/__jitsi_meet_domain/files/config.js.sh.orig
+++ b/type/__jitsi_meet_domain/files/config.js.sh.orig
@@ -788,14 +788,14 @@ var config = {
     //     // Enables displaying face expressions in speaker stats
     //     enableDisplayFaceExpressions: false,
 
+    //     // Enable rtc stats for face landmarks
+    //     enableRTCStats: false,
+
     //     // Minimum required face movement percentage threshold for sending new face centering coordinates data.
     //     faceCenteringThreshold: 10,
 
     //     // Milliseconds for processing a new image capture in order to detect face coordinates if they exist.
-    //     captureInterval: 1000,
-
-    //     // Maximum number of faces that can be detected from a video track.
-    //     maxFacesDetected: 4
+    //     captureInterval: 1000
     // },
 
     // Controls the percentage of automatic feedback shown to participants when callstats is enabled.
@@ -949,12 +949,18 @@ var config = {
     // chromeExtensionBanner: {
     //     // The chrome extension to be installed address
     //     url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb',
+    //     edgeUrl: 'https://microsoftedge.microsoft.com/addons/detail/jitsi-meetings/eeecajlpbgjppibfledfihobcabccihn',
 
     //     // Extensions info which allows checking if they are installed or not
     //     chromeExtensionsInfo: [
     //         {
     //             id: 'kglhbbefdnlheedjiejgomgmfplipfeb',
     //             path: 'jitsi-logo-48x48.png'
+    //         },
+    //         // Edge extension info
+    //         {
+    //             id: 'eeecajlpbgjppibfledfihobcabccihn',
+    //             path: 'jitsi-logo-48x48.png'
     //         }
     //     ]
     // },
diff --git a/type/__jitsi_meet_domain/files/jitsi-version b/type/__jitsi_meet_domain/files/jitsi-version
index 43f9789..a716598 100644
--- a/type/__jitsi_meet_domain/files/jitsi-version
+++ b/type/__jitsi_meet_domain/files/jitsi-version
@@ -1 +1 @@
-2.0.7416-1
\ No newline at end of file
+2.0.7439-1
\ No newline at end of file

From 11ecb37dd97b3042fd60392def225e92b64f9071 Mon Sep 17 00:00:00 2001
From: Evilham <contact@evilham.com>
Date: Tue, 21 Jun 2022 11:19:11 +0200
Subject: [PATCH 28/34] [__jitsi_meet] Add --abort-conference-count parameter

Only has an effect if the prometheus exporter is enabled and if it is not
empty (default).
If at least this many conferences are active on the server, the type will
bail out before making any changes.
This is useful if you want to avoid service disruptions due to e.g. an SLA.

Sponsored by:	camilion.eu
---
 type/__jitsi_meet/explorer/jitsi-status            |  6 ++++++
 type/__jitsi_meet/man.rst                          |  8 ++++++++
 type/__jitsi_meet/manifest                         | 14 ++++++++++++++
 .../parameter/default/abort-conference-count       |  0
 type/__jitsi_meet/parameter/optional               |  1 +
 5 files changed, 29 insertions(+)
 create mode 100755 type/__jitsi_meet/explorer/jitsi-status
 create mode 100644 type/__jitsi_meet/parameter/default/abort-conference-count

diff --git a/type/__jitsi_meet/explorer/jitsi-status b/type/__jitsi_meet/explorer/jitsi-status
new file mode 100755
index 0000000..ce3d9f7
--- /dev/null
+++ b/type/__jitsi_meet/explorer/jitsi-status
@@ -0,0 +1,6 @@
+#!/bin/sh -eu
+
+if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then
+	# TODO: detect curl / depend on it?
+	curl -s localhost:9888/metrics
+fi
diff --git a/type/__jitsi_meet/man.rst b/type/__jitsi_meet/man.rst
index 03a4a35..e69275b 100644
--- a/type/__jitsi_meet/man.rst
+++ b/type/__jitsi_meet/man.rst
@@ -47,6 +47,14 @@ NOTE: This type currently does not deal with setting up coturn.
 
 OPTIONAL PARAMETERS
 -------------------
+abort-conference-count
+    Only has an effect if the prometheus exporter is enabled and if it is not
+    empty (default).
+    If at least this many conferences are active on the server, the type will
+    bail out before making any changes.
+    This is useful if you want to avoid service disruptions due to e.g. an SLA.
+
+
 turn-secret
     The shared secret for the TURN server.
 
diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest
index 20e91a7..78b3524 100755
--- a/type/__jitsi_meet/manifest
+++ b/type/__jitsi_meet/manifest
@@ -10,6 +10,20 @@ case "${os}" in
 	;;
 esac
 
+current_conferences="$(cat "${__object}/explorer/jitsi-status" | grep -E "^jitsi_conferences[[:space:]]" | cut -d ' ' -f 2)"
+
+ABORT_CONFERENCE_COUNT="$(cat "${__object}/parameter/abort-conference-count")"
+
+if [ -n "${current_conferences}" ] && [ -n "${ABORT_CONFERENCE_COUNT}" ] && \
+	[ "${ABORT_CONFERENCE_COUNT}" -le "${current_conferences}" ]; then
+	cat <<-EOF
+Early bail out was requested when at least ${ABORT_CONFERENCE_COUNT} conferences are taking place.
+There are currently ${current_conferences} active conferences.
+
+Try again at a later time or remove or increase --abort-conference-count
+	EOF
+	exit 1
+fi
 
 JITSI_HOST="${__target_host}"
 if [ -f "${__object}/parameter/jitsi-version" ]; then
diff --git a/type/__jitsi_meet/parameter/default/abort-conference-count b/type/__jitsi_meet/parameter/default/abort-conference-count
new file mode 100644
index 0000000..e69de29
diff --git a/type/__jitsi_meet/parameter/optional b/type/__jitsi_meet/parameter/optional
index e7581af..e18bd6a 100644
--- a/type/__jitsi_meet/parameter/optional
+++ b/type/__jitsi_meet/parameter/optional
@@ -1,3 +1,4 @@
+abort-conference-count
 jitsi-version
 turn-secret
 turn-server

From c07487ea691ad0b3824e43a6ab0e271dc73f3e47 Mon Sep 17 00:00:00 2001
From: Evilham <contact@evilham.com>
Date: Mon, 6 Mar 2023 15:05:07 +0100
Subject: [PATCH 29/34] [__jitsi_meet*] Update to 2.0.8319-1

Changelog:      https://github.com/jitsi/jitsi-meet-release-notes/blob/master/CHANGELOG-WEB.md#208319-2023-02-21

Sponsored by:   camilion.eu, eXO.cat
---
 .../__jitsi_meet/explorer/jicofo-authpassword |  26 +
 type/__jitsi_meet/files/debconf_settings.sh   |   6 +-
 type/__jitsi_meet/files/jicofo.conf.sh        |   4 +
 type/__jitsi_meet/manifest                    |  16 +-
 .../files/_update_jitsi_configurations.sh     |   2 +-
 type/__jitsi_meet_domain/files/config.js.sh   | 535 +++++++++++------
 .../files/config.js.sh.orig                   | 542 ++++++++++++------
 .../files/interface_config.js.sh              |  72 +--
 .../files/interface_config.js.sh.orig         |  72 +--
 type/__jitsi_meet_domain/files/jitsi-version  |   2 +-
 type/__jitsi_meet_domain/files/nginx.sh       |  30 +-
 type/__jitsi_meet_domain/files/nginx.sh.orig  |  33 +-
 .../files/prosody.cfg.lua.sh                  |  32 +-
 .../files/prosody.cfg.lua.sh.orig             |  28 +-
 14 files changed, 937 insertions(+), 463 deletions(-)
 create mode 100755 type/__jitsi_meet/explorer/jicofo-authpassword

diff --git a/type/__jitsi_meet/explorer/jicofo-authpassword b/type/__jitsi_meet/explorer/jicofo-authpassword
new file mode 100755
index 0000000..c71a969
--- /dev/null
+++ b/type/__jitsi_meet/explorer/jicofo-authpassword
@@ -0,0 +1,26 @@
+#!/bin/sh -eu
+
+JICOFO_AUTHPASSWORD=""
+# We need this to properly configure jicofo
+
+# Default to reading debconf
+DEBCONF_PASS_FILE="/var/cache/debconf/passwords.dat"
+if [ -f "${DEBCONF_PASS_FILE}" ]; then
+	JICOFO_AUTHPASSWORD="$(grep -A1 'Template: jicofo/jicofo-authpassword' "${DEBCONF_PASS_FILE}" | tail -n 1 | cut -d ' ' -f 2-)"
+fi
+
+# Try jicofo.conf if necessary
+JICOFO_CONF_FILE="/etc/jitsi/jicofo/jicofo.conf"
+if [ -z "${JICOFO_AUTHPASSWORD}" ] && [ -f "${JICOFO_CONF_FILE}" ]; then
+	JICOFO_AUTHPASSWORD="$(grep -E '^[[:space:]]*password:' "${JICOFO_CONF_FILE}" | sed -E 's!^[^:]*:[[:space:]]*"(.*)"$!\1!')"
+fi
+
+# And fallback to config file if necessary
+JICOFO_CONFIG_FILE="/etc/jitsi/jicofo/config"
+if [ -z "${JICOFO_AUTHPASSWORD}" ] && [ -f "${JICOFO_CONFIG_FILE}" ]; then
+	JICOFO_AUTHPASSWORD="$(grep -E '^JICOFO_AUTH_PASSWORD=' "${JICOFO_CONFIG_FILE}" | cut -d '=' -f 2-)"
+fi
+
+# If we didn't find it, this is likely a new installation and we'll generate
+# the password on the manifest
+echo "${JICOFO_AUTHPASSWORD:-}"
diff --git a/type/__jitsi_meet/files/debconf_settings.sh b/type/__jitsi_meet/files/debconf_settings.sh
index 9e358f0..f246c07 100644
--- a/type/__jitsi_meet/files/debconf_settings.sh
+++ b/type/__jitsi_meet/files/debconf_settings.sh
@@ -5,9 +5,6 @@
 if false; then
 	# We are currently not using these, just here as documentation
 	DEBCONF_SETTINGS="$(cat <<EOF
-# Jicofo user password:
-jicofo	jicofo/jicofo-authpassword	password	STH
-jitsi-meet-prosody	jicofo/jicofo-authpassword	password	STH
 # The secret used to connect to xmpp server as component
 jitsi-meet-prosody	jitsi-videobridge/jvbsecret	password	STH
 jitsi-videobridge	jitsi-videobridge/jvbsecret	password	STH
@@ -40,6 +37,9 @@ jitsi-videobridge	jitsi-videobridge/jvb-hostname	string	${JITSI_HOST}
 jitsi-videobridge2	jitsi-videobridge/jvb-hostname	string	${JITSI_HOST}
 # The hostname of the current installation:
 jitsi-meet-prosody	jitsi-meet-prosody/jvb-hostname string	${JITSI_HOST}
+# Jicofo user password:
+jicofo	jicofo/jicofo-authpassword	password	${JICOFO_AUTHPASSWORD}
+jitsi-meet-prosody	jicofo/jicofo-authpassword	password	${JICOFO_AUTHPASSWORD}
 # SSL certificate for the Jitsi Meet instance
 # Choices: Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate), I want to use my own certificate
 jitsi-meet-web-config	jitsi-meet/cert-choice	select	Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)
diff --git a/type/__jitsi_meet/files/jicofo.conf.sh b/type/__jitsi_meet/files/jicofo.conf.sh
index 61a782a..87f83b7 100755
--- a/type/__jitsi_meet/files/jicofo.conf.sh
+++ b/type/__jitsi_meet/files/jicofo.conf.sh
@@ -10,6 +10,10 @@ jicofo {
   xmpp: {
     client: {
       client-proxy: focus.${JITSI_HOST:?}
+      xmpp-domain: "${JITSI_HOST:?}"
+      domain: "auth.${JITSI_HOST:?}"
+      username: "focus"
+      password: "${JICOFO_AUTHPASSWORD:?}"
     }
     trusted-domains: [ "recorder.${JITSI_HOST:?}" ]
   }
diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest
index 78b3524..5b5a11e 100755
--- a/type/__jitsi_meet/manifest
+++ b/type/__jitsi_meet/manifest
@@ -12,6 +12,14 @@ esac
 
 current_conferences="$(cat "${__object}/explorer/jitsi-status" | grep -E "^jitsi_conferences[[:space:]]" | cut -d ' ' -f 2)"
 
+JICOFO_AUTHPASSWORD="$(cat "${__object}/explorer/jicofo-authpassword")"
+if [ -z "${JICOFO_AUTHPASSWORD}" ]; then
+	# This is probably a first time installation, we'll generate the
+	# password which will be set in debconf by this type
+	# https://github.com/jitsi/jicofo/blob/aafb61b5363a1c4abdbf08e1444a6276b807993e/debian/postinst#L43
+	JICOFO_AUTHPASSWORD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 16)"
+fi
+
 ABORT_CONFERENCE_COUNT="$(cat "${__object}/parameter/abort-conference-count")"
 
 if [ -n "${current_conferences}" ] && [ -n "${ABORT_CONFERENCE_COUNT}" ] && \
@@ -141,8 +149,9 @@ require="__directory${NGINX_ETC}/sites-available" __file "${NGINX_ETC}/sites-ava
 server_names_hash_bucket_size 64;
 
 types {
-# nginx's default mime.types doesn't include a mapping for wasm
+# nginx's default mime.types doesn't include a mapping for wasm or wav.
     application/wasm     wasm;
+    audio/wav            wav;
 }
 
 server {
@@ -211,6 +220,7 @@ __file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
 
 export SECURED_DOMAINS_STATE
 export JITSI_HOST
+export JICOFO_AUTHPASSWORD
 "${__type}/files/jicofo.conf.sh" | \
 	__file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-'
 
@@ -246,8 +256,8 @@ __file "/usr/share/jitsi-meet/body.html" \
 EOF
 
 # These two should be changed on new release
-EXPORTER_VERSION="1.2.0"
-EXPORTER_CHECKSUM="sha256:6377ffa7be0c7deb66545616add7245da96f8b7746d6712f41cfa9fe72c935ce"
+EXPORTER_VERSION="1.2.1"
+EXPORTER_CHECKSUM="sha256:46d4b8475b72fd7632a5203f1cc3c7067bed4629902b7780a1da85e4e06c2129"
 EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${EXPORTER_VERSION}/prometheus-jitsi-meet-exporter_${EXPORTER_VERSION}_linux_amd64.tar.gz"
 if [ -f "${__object}/parameter/disable-prometheus-exporter" ]; then
 	EXPORTER_STATE="absent"
diff --git a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
index 836a2e0..334d843 100755
--- a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
+++ b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
@@ -7,7 +7,7 @@
 
 # We could automate this, but are using it as an indicator for the
 # latest branch with which we conciliated changes.
-BRANCH="jitsi-meet_7439"
+BRANCH="jitsi-meet_8319"
 REPO="https://github.com/jitsi/jitsi-meet"
 
 get_url() {
diff --git a/type/__jitsi_meet_domain/files/config.js.sh b/type/__jitsi_meet_domain/files/config.js.sh
index 43e1e29..3c1cf1a 100644
--- a/type/__jitsi_meet_domain/files/config.js.sh
+++ b/type/__jitsi_meet_domain/files/config.js.sh
@@ -2,13 +2,32 @@
 
 # shellcheck disable=SC2034  # This is intended to be included
 JITSI_CONFIG_JS="$(cat <<EOF
-/* eslint-disable no-unused-vars, no-var */
+/* eslint-disable comma-dangle, no-unused-vars, no-var, prefer-template, vars-on-top */
 
 /*
  * NOTE: If you add a new option please remember to document it here:
  * https://jitsi.github.io/handbook/docs/dev-guide/dev-guide-configuration
  */
 
+var subdir = '<!--# echo var="subdir" default="" -->';
+var subdomain = '<!--# echo var="subdomain" default="" -->';
+
+if (subdomain) {
+    subdomain = subdomain.substr(0, subdomain.length - 1).split('.')
+        .join('_')
+        .toLowerCase() + '.';
+}
+
+// In case of no ssi provided by the webserver, use empty strings
+if (subdir.startsWith('<!--')) {
+    subdir = '';
+}
+if (subdomain.startsWith('<!--')) {
+    subdomain = '';
+}
+
+var enableJaaS = false;
+
 var config = {
     // Connection
     //
@@ -53,52 +72,24 @@ var config = {
         // issues related to insertable streams.
         // disableE2EE: false,
 
-        // Enables/disables thumbnail reordering in the filmstrip. It is enabled by default unless explicitly
-        // disabled by the below option.
-        // enableThumbnailReordering: true,
-
         // Enables XMPP WebSocket (as opposed to BOSH) for the given amount of users.
-        // mobileXmppWsThreshold: 10 // enable XMPP WebSockets on mobile for 10% of the users
+        // mobileXmppWsThreshold: 10, // enable XMPP WebSockets on mobile for 10% of the users
 
         // P2P test mode disables automatic switching to P2P when there are 2
         // participants in the conference.
         // p2pTestMode: false,
 
         // Enables the test specific features consumed by jitsi-meet-torture
-        // testMode: false
+        // testMode: false,
 
         // Disables the auto-play behavior of *all* newly created video element.
         // This is useful when the client runs on a host with limited resources.
-        // noAutoPlayVideo: false
-
-        // Enable / disable 500 Kbps bitrate cap on desktop tracks. When enabled,
-        // simulcast is turned off for the desktop share. If presenter is turned
-        // on while screensharing is in progress, the max bitrate is automatically
-        // adjusted to 2.5 Mbps. This takes a value between 0 and 1 which determines
-        // the probability for this to be enabled. This setting has been deprecated.
-        // desktopSharingFrameRate.max now determines whether simulcast will be enabled
-        // or disabled for the screenshare.
-        // capScreenshareBitrate: 1 // 0 to disable - deprecated.
-
-        // Whether to use fake constraints (height: 99999, width: 99999) when calling getDisplayMedia on
-        // Chromium based browsers. This is intended as a workaround for
-        // https://bugs.chromium.org/p/chromium/issues/detail?id=1056311
-        // setScreenSharingResolutionConstraints: true
+        // noAutoPlayVideo: false,
 
         // Enable callstats only for a percentage of users.
         // This takes a value between 0 and 100 which determines the probability for
         // the callstats to be enabled.
-        // callStatsThreshold: 5 // enable callstats for 5% of the users.
-    },
-
-    // Feature Flags.
-    flags: {
-        // Enables source names in the signaling.
-        // sourceNameSignaling: false,
-
-        // Enables sending multiple video streams, i.e., camera and desktop tracks can be shared in the conference
-        // separately as two different streams instead of one composite stream.
-        // sendMultipleVideoStreams: false
+        // callStatsThreshold: 5, // enable callstats for 5% of the users.
     },
 
     // Disables moderator indicators.
@@ -127,7 +118,7 @@ var config = {
     //      Can be either 'recording' - screensharing screenshots are taken
     //      only when the recording is also on,
     //      or 'always' - screensharing screenshots are always taken.
-    //      mode: 'recording'
+    //      mode: 'recording',
     // }
 
     // Disables ICE/UDP by filtering out local and remote UDP candidates in
@@ -149,6 +140,7 @@ var config = {
 
     // Disable measuring of audio levels.
     disableAudioLevels: $(if [ -n "${DISABLE_AUDIO_LEVELS}" ]; then printf "true"; else printf "false"; fi),
+
     // audioLevelsInterval: 200,
 
     // Enabling this will run the lib-jitsi-meet no audio detection module which
@@ -184,16 +176,19 @@ var config = {
 
     // Enabling it (with #params) will disable local audio output of remote
     // participants and to enable it back a reload is needed.
-    // startSilent: false
+    // startSilent: false,
 
     // Enables support for opus-red (redundancy for Opus).
     // enableOpusRed: false,
 
     // Specify audio quality stereo and opusMaxAverageBitrate values in order to enable HD audio.
     // Beware, by doing so, you are disabling echo cancellation, noise suppression and AGC.
+    // Specify enableOpusDtx to enable support for opus-dtx where
+    // audio packets won’t be transmitted while participant is silent or muted.
     // audioQuality: {
     //     stereo: false,
-    //     opusMaxAverageBitrate: null // Value to fit the 6000 to 510000 range.
+    //     opusMaxAverageBitrate: null, // Value to fit the 6000 to 510000 range.
+    //     enableOpusDtx: false,
     // },
 
     // Video
@@ -204,15 +199,35 @@ var config = {
     // Specifies whether the raised hand will hide when someone becomes a dominant speaker or not
     // disableRemoveRaisedHandOnFocus: false,
 
+    // speakerStats: {
+    //     // Specifies whether the speaker stats is enable or not.
+    //     disabled: false,
+
+    //     // Specifies whether there will be a search field in speaker stats or not.
+    //     disableSearch: false,
+
+    //     // Specifies whether participants in speaker stats should be ordered or not, and with what priority.
+    //     // 'role', <- Moderators on top.
+    //     // 'name', <- Alphabetically by name.
+    //     // 'hasLeft', <- The ones that have left in the bottom.
+    //     order: [
+    //         'role',
+    //         'name',
+    //         'hasLeft',
+    //     ],
+    // },
+
+    // DEPRECATED. Please use speakerStats.disableSearch instead.
     // Specifies whether there will be a search field in speaker stats or not
     // disableSpeakerStatsSearch: false,
 
+    // DEPRECATED. Please use speakerStats.order .
     // Specifies whether participants in speaker stats should be ordered or not, and with what priority
     // speakerStatsOrder: [
     //  'role', <- Moderators on top
     //  'name', <- Alphabetically by name
     //  'hasLeft', <- The ones that have left in the bottom
-    // ] <- the order of the array elements determines priority
+    // ], <- the order of the array elements determines priority
 
     // How many participants while in the tile view mode, before the receiving video quality is reduced from HD to SD.
     // Use -1 to disable.
@@ -228,9 +243,9 @@ var config = {
     //         height: {
     //             ideal: 720,
     //             max: 720,
-    //             min: 240
-    //         }
-    //     }
+    //             min: 240,
+    //         },
+    //     },
     // },
 $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
 
@@ -250,23 +265,12 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     // applied locally. FIXME: having these 2 options is confusing.
     // startWithVideoMuted: false,
 
-    // If set to true, prefer to use the H.264 video codec (if supported).
-    // Note that it's not recommended to do this because simulcast is not
-    // supported when  using H.264. For 1-to-1 calls this setting is enabled by
-    // default and can be toggled in the p2p section.
-    // This option has been deprecated, use preferredCodec under videoQuality section instead.
-    // preferH264: true,
-
-    // If set to true, disable H.264 video codec by stripping it out of the
-    // SDP.
-    // disableH264: false,
-
     // Desktop sharing
 
     // Optional desktop sharing frame rate options. Default value: min:5, max:5.
     // desktopSharingFrameRate: {
     //     min: 5,
-    //     max: 5
+    //     max: 5,
     // },
 
     // This option has been deprecated since it is no longer supported as per the w3c spec.
@@ -278,52 +282,115 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
 
     // Recording
 
-    // Whether to enable file recording or not.
+    // DEPRECATED. Use recordingService.enabled instead.
     // fileRecordingsEnabled: false,
+
     // Enable the dropbox integration.
     // dropbox: {
-    //     appKey: '<APP_KEY>' // Specify your app key here.
+    //     appKey: '<APP_KEY>', // Specify your app key here.
     //     // A URL to redirect the user to, after authenticating
     //     // by default uses:
     //     // 'https://${DOMAIN}/static/oauth.html'
     //     redirectURI:
-    //          'https://${DOMAIN}/subfolder/static/oauth.html'
+    //          'https://${DOMAIN}/subfolder/static/oauth.html',
     // },
-    // When integrations like dropbox are enabled only that will be shown,
-    // by enabling fileRecordingsServiceEnabled, we show both the integrations
-    // and the generic recording service (its configuration and storage type
-    // depends on jibri configuration)
+
+    // recordingService: {
+    //     // When integrations like dropbox are enabled only that will be shown,
+    //     // by enabling fileRecordingsServiceEnabled, we show both the integrations
+    //     // and the generic recording service (its configuration and storage type
+    //     // depends on jibri configuration)
+    //     enabled: false,
+
+    //     // Whether to show the possibility to share file recording with other people
+    //     // (e.g. meeting participants), based on the actual implementation
+    //     // on the backend.
+    //     sharingEnabled: false,
+
+    //     // Hide the warning that says we only store the recording for 24 hours.
+    //     hideStorageWarning: false,
+    // },
+
+    // DEPRECATED. Use recordingService.enabled instead.
     // fileRecordingsServiceEnabled: false,
-    // Whether to show the possibility to share file recording with other people
-    // (e.g. meeting participants), based on the actual implementation
-    // on the backend.
+
+    // DEPRECATED. Use recordingService.sharingEnabled instead.
     // fileRecordingsServiceSharingEnabled: false,
 
-    // Whether to enable live streaming or not.
+    // Local recording configuration.
+    // localRecording: {
+    //     // Whether to disable local recording or not.
+    //     disable: false,
+
+    //     // Whether to notify all participants when a participant is recording locally.
+    //     notifyAllParticipants: false,
+
+    //     // Whether to disable the self recording feature (only local participant streams).
+    //     disableSelfRecording: false,
+    // },
+
+    // Customize the Live Streaming dialog. Can be modified for a non-YouTube provider.
+    // liveStreaming: {
+    //    // Whether to enable live streaming or not.
+    //    enabled: false,
+    //    // Terms link
+    //    termsLink: 'https://www.youtube.com/t/terms',
+    //    // Data privacy link
+    //    dataPrivacyLink: 'https://policies.google.com/privacy',
+    //    // RegExp string that validates the stream key input field
+    //    validatorRegExpString: '^(?:[a-zA-Z0-9]{4}(?:-(?!$)|$)){4}',
+    //    // Documentation reference for the live streaming feature.
+    //    helpLink: 'https://jitsi.org/live'
+    // },
+
+    // DEPRECATED. Use liveStreaming.enabled instead.
     // liveStreamingEnabled: false,
 
-    // Whether to enable local recording or not.
-    // enableLocalRecording: false,
-
-    // Transcription (in interface_config,
-    // subtitles and buttons can be configured)
+    // DEPRECATED. Use transcription.enabled instead.
     // transcribingEnabled: false,
 
-    // If true transcriber will use the application language.
-    // The application language is either explicitly set by participants in their settings or automatically
-    // detected based on the environment, e.g. if the app is opened in a chrome instance which is using french as its
-    // default language then transcriptions for that participant will be in french.
-    // Defaults to true.
+    // DEPRECATED. Use transcription.useAppLanguage instead.
     // transcribeWithAppLanguage: true,
 
-    // Transcriber language. This settings will only work if "transcribeWithAppLanguage" is explicitly set to false.
-    // Available languages can be found in
-    // ./src/react/features/transcribing/transcriber-langs.json.
+    // DEPRECATED. Use transcription.preferredLanguage instead.
     // preferredTranscribeLanguage: 'en-US',
 
-    // Enables automatic turning on captions when recording is started
+    // DEPRECATED. Use transcription.autoCaptionOnRecord instead.
     // autoCaptionOnRecord: false,
 
+    // Transcription options.
+    // transcription: {
+    //     // Whether the feature should be enabled or not.
+    //     enabled: false,
+
+    //     // Translation languages.
+    //     // Available languages can be found in
+    //     // ./src/react/features/transcribing/translation-languages.json.
+    //     translationLanguages: ['en', 'es', 'fr', 'ro'],
+
+    //     // Important languages to show on the top of the language list.
+    //     translationLanguagesHead: ['en'],
+
+    //     // If true transcriber will use the application language.
+    //     // The application language is either explicitly set by participants in their settings or automatically
+    //     // detected based on the environment, e.g. if the app is opened in a chrome instance which
+    //     // is using french as its default language then transcriptions for that participant will be in french.
+    //     // Defaults to true.
+    //     useAppLanguage: true,
+
+    //     // Transcriber language. This settings will only work if "useAppLanguage"
+    //     // is explicitly set to false.
+    //     // Available languages can be found in
+    //     // ./src/react/features/transcribing/transcriber-langs.json.
+    //     preferredLanguage: 'en-US',
+
+    //     // Disable start transcription for all participants.
+    //     disableStartForAll: false,
+
+    //     // Enables automatic turning on captions when recording is started
+    //     autoCaptionOnRecord: false,
+    // },
+
     // Misc
 
     // Default value for the channel "last N" attribute. -1 for unlimited.
@@ -356,15 +423,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     //     30: 15,
     //     50: 10,
     //     70: 5,
-    //     90: 2
+    //     90: 2,
     // },
 
-    // Provides a way to translate the legacy bridge signaling messages, 'LastNChangedEvent',
-    // 'SelectedEndpointsChangedEvent' and 'ReceiverVideoConstraint' into the new 'ReceiverVideoConstraints' message
-    // that invokes the new bandwidth allocation algorithm in the bridge which is described here
-    // - https://github.com/jitsi/jitsi-videobridge/blob/master/doc/allocation.md.
-    // useNewBandwidthAllocationStrategy: false,
-
     // Specify the settings for video quality optimizations on the client.
     // videoQuality: {
     //    // Provides a way to prevent a video codec from being negotiated on the JVB connection. The codec specified
@@ -385,7 +446,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     //    // This will result in Safari not being able to decode video from endpoints sending VP9 video.
     //    // When set to false, the conference falls back to VP8 whenever there is an endpoint that doesn't support the
     //    // preferred codec and goes back to the preferred codec when that endpoint leaves.
-    //    // enforcePreferredCodec: false,
+    //    enforcePreferredCodec: false,
     //
     //    // Provides a way to configure the maximum bitrates that will be enforced on the simulcast streams for
     //    // video tracks. The keys in the object represent the type of the stream (LD, SD or HD) and the values
@@ -396,18 +457,18 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     //          H264: {
     //              low: 200000,
     //              standard: 500000,
-    //              high: 1500000
+    //              high: 1500000,
     //          },
     //          VP8 : {
     //              low: 200000,
     //              standard: 500000,
-    //              high: 1500000
+    //              high: 1500000,
     //          },
     //          VP9: {
     //              low: 100000,
     //              standard: 300000,
-    //              high: 1200000
-    //          }
+    //              high: 1200000,
+    //          },
     //    },
     //
     //    // The options can be used to override default thresholds of video thumbnail heights corresponding to
@@ -422,19 +483,16 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     //    // the high quality.
     //    minHeightForQualityLvl: {
     //        360: 'standard',
-    //        720: 'high'
+    //        720: 'high',
     //    },
     //
-    //    // Provides a way to resize the desktop track to 720p (if it is greater than 720p) before creating a canvas
-    //    // for the presenter mode (camera picture-in-picture mode with screenshare).
-    //    resizeDesktopForPresenter: false
     // },
 
     // Notification timeouts
     // notificationTimeouts: {
     //     short: 2500,
     //     medium: 5000,
-    //     long: 10000
+    //     long: 10000,
     // },
 
     // // Options for the recording limit notification.
@@ -449,7 +507,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     //    appName: 'Unlimited recordings APP',
     //
     //    // The URL of the app with unlimited recordings.
-    //    appURL: 'https://unlimited.recordings.app.com/'
+    //    appURL: 'https://unlimited.recordings.app.com/',
     // },
 
     // Disables or enables RTX (RFC 4588) (defaults to false).
@@ -492,12 +550,15 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     // Disables responsive tiles.
     // disableResponsiveTiles: false,
 
-    // Hides lobby button
+    // DEPRECATED. Please use \`securityUi?.hideLobbyButton\` instead.
+    // Hides lobby button.
     // hideLobbyButton: false,
 
+    // DEPRECATED. Please use \`lobby?.autoKnock\` instead.
     // If Lobby is enabled starts knocking automatically.
     // autoKnockLobby: false,
 
+    // DEPRECATED. Please use \`lobby?.enableChat\` instead.
     // Enable lobby chat.
     // enableLobbyChat: true,
 
@@ -508,9 +569,35 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     // Require users to always specify a display name.
     // requireDisplayName: true,
 
+    // DEPRECATED! Use 'welcomePage.disabled' instead.
     // Whether to use a welcome page or not. In case it's false a random room
     // will be joined when no room is specified.
-    enableWelcomePage: true,
+    // enableWelcomePage: true,
+
+    // Configs for welcome page.
+    // welcomePage: {
+    //     // Whether to disable welcome page. In case it's disabled a random room
+    //     // will be joined when no room is specified.
+    //     disabled: false,
+    //     // If set,landing page will redirect to this URL.
+    //     customUrl: ''
+    // },
+
+    // Configs for the lobby screen.
+    // lobby {
+    //     // If Lobby is enabled, it starts knocking automatically. Replaces \`autoKnockLobby\`.
+    //     autoKnock: false,
+    //     // Enables the lobby chat. Replaces \`enableLobbyChat\`.
+    //     enableChat: true,
+    // },
+
+    // Configs for the security related UI elements.
+    // securityUi: {
+    //     // Hides the lobby button. Replaces \`hideLobbyButton\`.
+    //     hideLobbyButton: false,
+    //     // Hides the possibility to set and enter a lobby password.
+    //     disableLobbyPassword: false,
+    // },
 
     // Disable app shortcuts that are registered upon joining a conference
     // disableShortcuts: false,
@@ -549,12 +636,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     // Hides the email section under profile settings.
     // hideEmailInSettings: false,
 
-    // Whether or not some features are checked based on token.
-    // enableFeaturesBasedOnToken: false,
-
     // When enabled the password used for locking a room is restricted to up to the number of digits specified
-    // roomPasswordNumberOfDigits: 10,
     // default: roomPasswordNumberOfDigits: false,
+    // roomPasswordNumberOfDigits: 10,
 
     // Message to show the users. Example: 'The service will be down for
     // maintenance at 01:00 AM GMT,
@@ -574,11 +658,11 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     //     // either the jwt or the userInfo from the iframe api init object in order for this to have an effect.
     //     hideDisplayName: false,
     //     // List of buttons to hide from the extra join options dropdown.
-    //     hideExtraJoinButtons: ['no-audio', 'by-phone']
+    //     hideExtraJoinButtons: ['no-audio', 'by-phone'],
     // },
 
     // When 'true', the user cannot edit the display name.
-    // (Mainly useful when used in conjuction with the JWT so the JWT name becomes read only.)
+    // (Mainly useful when used in conjunction with the JWT so the JWT name becomes read only.)
     // readOnlyName: false,
 
     // If etherpad integration is enabled, setting this to true will
@@ -609,7 +693,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     //     // Defaults to Gravatar.
     //     baseUrl: 'https://www.gravatar.com/avatar/',
     //     // True if Gravatar should be disabled.
-    //     disabled: false
+    //     disabled: false,
     // },
 
     // App name to be displayed in the invitation email subject, as an alternative to
@@ -632,7 +716,6 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     //    'chat',
     //    'closedcaptions',
     //    'desktop',
-    //    'dock-iframe'
     //    'download',
     //    'embedmeeting',
     //    'etherpad',
@@ -646,6 +729,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     //    'linktosalesforce',
     //    'livestreaming',
     //    'microphone',
+    //    'noisesuppression',
     //    'participants-pane',
     //    'profile',
     //    'raisehand',
@@ -659,24 +743,23 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     //    'stats',
     //    'tileview',
     //    'toggle-camera',
-    //    'undock-iframe',
     //    'videoquality',
-    //    '__end'
+    //    'whiteboard',
     // ],
 
     // Holds values related to toolbar visibility control.
     // toolbarConfig: {
     //     // Moved from interfaceConfig.INITIAL_TOOLBAR_TIMEOUT
-    //     // The initial numer of miliseconds for the toolbar buttons to be visible on screen.
+    //     // The initial number of milliseconds for the toolbar buttons to be visible on screen.
     //     initialTimeout: 20000,
     //     // Moved from interfaceConfig.TOOLBAR_TIMEOUT
-    //     // Number of miliseconds for the toolbar buttons to be visible on screen.
+    //     // Number of milliseconds for the toolbar buttons to be visible on screen.
     //     timeout: 4000,
     //     // Moved from interfaceConfig.TOOLBAR_ALWAYS_VISIBLE
-    //     // Whether toolbar should be always visible or should hide after x miliseconds.
+    //     // Whether toolbar should be always visible or should hide after x milliseconds.
     //     alwaysVisible: false,
     //     // Indicates whether the toolbar should still autohide when chat is open
-    //     autoHideWhileChatIsOpen: false
+    //     autoHideWhileChatIsOpen: false,
     // },
 
     // Toolbar buttons which have their click/tap event exposed through the API on
@@ -697,11 +780,13 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     //     'desktop',
     //     'download',
     //     'embedmeeting',
+    //     'end-meeting',
     //     'etherpad',
     //     'feedback',
     //     'filmstrip',
     //     'fullscreen',
     //     'hangup',
+    //     'hangup-menu',
     //     'help',
     //     {
     //         key: 'invite',
@@ -711,6 +796,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     //     'microphone',
     //     'mute-everyone',
     //     'mute-video-everyone',
+    //     'noisesuppression',
     //     'participants-pane',
     //     'profile',
     //     {
@@ -732,14 +818,22 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     //     {
     //         key: 'add-passcode',
     //         preventExecution: false
-    //     }
-    //     '__end'
+    //     },
+    //     'whiteboard',
     // ],
 
     // List of pre meeting screens buttons to hide. The values must be one or more of the 5 allowed buttons:
     // 'microphone', 'camera', 'select-background', 'invite', 'settings'
     // hiddenPremeetingButtons: [],
 
+    // An array with custom option buttons for the participant context menu
+    // type:  Array<{ icon: string; id: string; text: string; }>
+    // customParticipantMenuButtons: [],
+
+    // An array with custom option buttons for the toolbar
+    // type:  Array<{ icon: string; id: string; text: string; }>
+    // customToolbarButtons: [],
+
     // Stats
     //
 
@@ -756,6 +850,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     // Application ID and Secret.
     // callStatsID: '',
     // callStatsSecret: '',
+    // callStatsApplicationLogsDisabled: false,
 
     // The callstats initialize config params as described in the API:
     // https://docs.callstats.io/docs/javascript#callstatsinitialize-with-app-secret
@@ -773,10 +868,10 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     //         pbxID: "PBX Identifier. Example, walmart.",
     //         pbxExtensionID: "PBX Extension Identifier. Example, 5625.",
     //         fqExtensionID: "Fully qualified Extension Identifier. Example, +71 (US) +5625.",
-    //         sessionID: "Session Identifier. Example, session-12-34"
+    //         sessionID: "Session Identifier. Example, session-12-34",
     //     },
     //     collectLegacyStats: true, //enables the collection of legacy stats in chrome browser
-    //     collectIP: true //enables the collection localIP address
+    //     collectIP: true, //enables the collection localIP address
     // },
 
     // Enables sending participants' display names to callstats
@@ -802,7 +897,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
     //     faceCenteringThreshold: 10,
 
     //     // Milliseconds for processing a new image capture in order to detect face coordinates if they exist.
-    //     captureInterval: 1000
+    //     captureInterval: 1000,
     // },
 
     // Controls the percentage of automatic feedback shown to participants when callstats is enabled.
@@ -841,18 +936,10 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
         // If not set, the effective value is 'all'.
         // iceTransportPolicy: 'all',
 
-        // If set to true, it will prefer to use H.264 for P2P calls (if H.264
-        // is supported). This setting is deprecated, use preferredCodec instead.
-        // preferH264: true,
-
         // Provides a way to set the video codec preference on the p2p connection. Acceptable
         // codec values are 'VP8', 'VP9' and 'H264'.
         // preferredCodec: 'H264',
 
-        // If set to true, disable H.264 video codec by stripping it out of the
-        // SDP. This setting is deprecated, use disabledCodec instead.
-        // disableH264: false,
-
         // Provides a way to prevent a video codec from being negotiated on the p2p connection.
         // disabledCodec: '',
 
@@ -864,8 +951,8 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
         stunServers: [
 
             // { urls: 'stun:jitsi-meet.example.com:3478' },
-            { urls: 'stun:${TURN_SERVER}:443' }
-        ]
+            { urls: 'stun:${TURN_SERVER}:443' },
+        ],
     },
 
     analytics: {
@@ -874,14 +961,18 @@ ${ANALYTICS_SETTINGS}
         // disabled: false,
 
         // The Google Analytics Tracking ID:
-        // googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1'
+        // googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1',
 
         // Matomo configuration:
         // matomoEndpoint: 'https://your-matomo-endpoint/',
         // matomoSiteID: '42',
 
         // The Amplitude APP Key:
-        // amplitudeAPPKey: '<APP_KEY>'
+        // amplitudeAPPKey: '<APP_KEY>',
+
+        // Obfuscates room name sent to analytics (amplitude, rtcstats)
+        // Default value is false.
+        // obfuscateRoomName: false,
 
         // Configuration for the rtcstats server:
         // By enabling rtcstats server every time a conference is joined the rtcstats
@@ -889,19 +980,24 @@ ${ANALYTICS_SETTINGS}
         // PeerConnection states along with getStats metrics polled at the specified
         // interval.
         // rtcstatsEnabled: false,
+        // rtcstatsStoreLogs: false,
 
         // In order to enable rtcstats one needs to provide a endpoint url.
         // rtcstatsEndpoint: wss://rtcstats-server-pilot.jitsi.net/,
 
-        // The interval at which rtcstats will poll getStats, defaults to 1000ms.
+        // The interval at which rtcstats will poll getStats, defaults to 10000ms.
         // If the value is set to 0 getStats won't be polled and the rtcstats client
         // will only send data related to RTCPeerConnection events.
-        // rtcstatsPolIInterval: 1000,
+        // rtcstatsPollInterval: 10000,
+
+        // This determines if rtcstats sends the SDP to the rtcstats server or replaces
+        // all SDPs with an empty string instead.
+        // rtcstatsSendSdp: false,
 
         // Array of script URLs to load as lib-jitsi-meet "analytics handlers".
         // scriptURLs: [
         //      "libs/analytics-ga.min.js", // google-analytics
-        //      "https://example.com/my-custom-analytics.js"
+        //      "https://example.com/my-custom-analytics.js",
         // ],
     },
 
@@ -910,11 +1006,11 @@ ${ANALYTICS_SETTINGS}
 
     // Information about the jitsi-meet instance we are connecting to, including
     // the user region as seen by the server.
-    deploymentInfo: {
-        // shard: "shard1",
-        // region: "europe",
-        // userRegion: "asia"
-    },
+    // deploymentInfo: {
+    //     shard: "shard1",
+    //     region: "europe",
+    //     userRegion: "asia",
+    // },
 
     // Array<string> of disabled sounds.
     // Possible values:
@@ -963,19 +1059,19 @@ ${ANALYTICS_SETTINGS}
     //     chromeExtensionsInfo: [
     //         {
     //             id: 'kglhbbefdnlheedjiejgomgmfplipfeb',
-    //             path: 'jitsi-logo-48x48.png'
+    //             path: 'jitsi-logo-48x48.png',
     //         },
     //         // Edge extension info
     //         {
     //             id: 'eeecajlpbgjppibfledfihobcabccihn',
-    //             path: 'jitsi-logo-48x48.png'
-    //         }
+    //             path: 'jitsi-logo-48x48.png',
+    //         },
     //     ]
     // },
 
     // e2ee: {
     //   labels,
-    //   externallyManagedKey: false
+    //   externallyManagedKey: false,
     // },
 
     // Options related to end-to-end (participant to participant) ping.
@@ -990,9 +1086,9 @@ ${ANALYTICS_SETTINGS}
     //   maxConferenceSize: 200,
     //
     //   // The maximum number of e2e ping messages per second for the whole conference to aim for.
-    //   // This is used to contol the pacing of messages in order to reduce the load on the backend.
-    //   maxMessagesPerSecond: 250
-    //   },
+    //   // This is used to control the pacing of messages in order to reduce the load on the backend.
+    //   maxMessagesPerSecond: 250,
+    // },
 
     // If set, will attempt to use the provided video input device label when
     // triggering a screenshare, instead of proceeding through the normal flow
@@ -1001,10 +1097,64 @@ ${ANALYTICS_SETTINGS}
     // use only.
     // _desktopSharingSourceDevice: 'sample-id-or-label',
 
+    // DEPRECATED! Use deeplinking.disabled instead.
     // If true, any checks to handoff to another application will be prevented
     // and instead the app will continue to display in the current browser.
     // disableDeepLinking: false,
 
+    // The deeplinking config.
+    // For information about the properties of
+    // deeplinking.[ios/android].dynamicLink check:
+    // https://firebase.google.com/docs/dynamic-links/create-manually
+    // deeplinking: {
+    //
+    //     // The desktop deeplinking config.
+    //     desktop: {
+    //         appName: 'Jitsi Meet'
+    //     },
+    //     // If true, any checks to handoff to another application will be prevented
+    //     // and instead the app will continue to display in the current browser.
+    //     disabled: false,
+
+    //     // whether to hide the logo on the deep linking pages.
+    //     hideLogo: false,
+
+    //     // The ios deeplinking config.
+    //     ios: {
+    //         appName: 'Jitsi Meet',
+    //         // Specify mobile app scheme for opening the app from the mobile browser.
+    //         appScheme: 'org.jitsi.meet',
+    //         // Custom URL for downloading ios mobile app.
+    //         downloadLink: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
+    //         dynamicLink: {
+    //             apn: 'org.jitsi.meet',
+    //             appCode: 'w2atb',
+    //             customDomain: undefined,
+    //             ibi: 'com.atlassian.JitsiMeet.ios',
+    //             isi: '1165103905'
+    //         }
+    //     },
+
+    //     // The android deeplinking config.
+    //     android: {
+    //         appName: 'Jitsi Meet',
+    //         // Specify mobile app scheme for opening the app from the mobile browser.
+    //         appScheme: 'org.jitsi.meet',
+    //         // Custom URL for downloading android mobile app.
+    //         downloadLink: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
+    //         // Android app package name.
+    //         appPackage: 'org.jitsi.meet',
+    //         fDroidUrl: 'https://f-droid.org/en/packages/org.jitsi.meet/',
+    //         dynamicLink: {
+    //             apn: 'org.jitsi.meet',
+    //             appCode: 'w2atb',
+    //             customDomain: undefined,
+    //             ibi: 'com.atlassian.JitsiMeet.ios',
+    //             isi: '1165103905'
+    //         }
+    //     }
+    // },
+
     // A property to disable the right click context menu for localVideo
     // the menu has option to flip the locally seen video for local presentations
     // disableLocalVideoFlip: false,
@@ -1029,7 +1179,7 @@ ${ANALYTICS_SETTINGS}
     //    userDocumentationURL: 'https://docs.example.com/video-meetings.html',
     //    // If specified a 'Download our apps' button will be displayed in the overflow menu with a link
     //    // to the specified URL for an app download page.
-    //    downloadAppsUrl: 'https://docs.example.com/our-apps.html'
+    //    downloadAppsUrl: 'https://docs.example.com/our-apps.html',
     // },
 
     // Options related to the remote participant menu.
@@ -1041,7 +1191,7 @@ ${ANALYTICS_SETTINGS}
     //     // If set to true the 'Grant moderator' button will be disabled.
     //     disableGrantModerator: true,
     //     // If set to true the 'Send private message' button will be disabled.
-    //     disablePrivateChat: true
+    //     disablePrivateChat: true,
     // },
 
     // Endpoint that enables support for salesforce integration with in-meeting resource linking
@@ -1057,7 +1207,7 @@ ${ANALYTICS_SETTINGS}
     // disableRemoteMute: true,
 
     // Enables support for lip-sync for this client (if the browser supports it).
-    // enableLipSync: false
+    // enableLipSync: false,
 
     /**
      External API url used to receive branding specific information.
@@ -1086,7 +1236,7 @@ ${ANALYTICS_SETTINGS}
         // For a list of all possible theme tokens and their current defaults, please check:
         // https://github.com/jitsi/jitsi-meet/tree/master/resources/custom-theme/custom-theme.json
         // For a short explanations on each of the tokens, please check:
-        // https://github.com/jitsi/jitsi-meet/blob/master/react/features/base/ui/Tokens.js
+        // https://github.com/jitsi/jitsi-meet/blob/master/react/features/base/ui/Tokens.ts
         // IMPORTANT!: This is work in progress so many of the various tokens are not yet applied in code
         // or they are partially applied.
         customTheme: {
@@ -1100,15 +1250,15 @@ ${ANALYTICS_SETTINGS}
                 field02Hover: 'red',
                 action01: 'green',
                 action01Hover: 'lightgreen',
-                action02Disabled: 'beige',
+                disabled01: 'beige',
                 success02: 'cadetblue',
-                action02Hover: 'aliceblue'
+                action02Hover: 'aliceblue',
             },
             typography: {
                 labelRegular: {
                     fontSize: 25,
                     lineHeight: 30,
-                    fontWeight: 500
+                    fontWeight: 500,
                 }
             }
         }
@@ -1123,7 +1273,7 @@ ${ANALYTICS_SETTINGS}
     //     // Hides the more actions button.
     //     hideMoreActionsButton: false,
     //     // Hides the mute all button.
-    //     hideMuteAllButton: false
+    //     hideMuteAllButton: false,
     // },
 
     // Options related to the breakout rooms feature.
@@ -1133,7 +1283,7 @@ ${ANALYTICS_SETTINGS}
     //     // Hides the auto assign participants button.
     //     hideAutoAssignButton: false,
     //     // Hides the join breakout room button.
-    //     hideJoinRoomButton: false
+    //     hideJoinRoomButton: false,
     // },
 
     // When true the user cannot add more images to be used as virtual background.
@@ -1172,7 +1322,8 @@ ${ANALYTICS_SETTINGS}
     //         'transcribing',
     //         'video-quality',
     //         'insecure-room',
-    //         'highlight-moment'
+    //         'highlight-moment',
+    //         'top-panel-toggle',
     //     ]
     // },
 
@@ -1199,9 +1350,8 @@ ${ANALYTICS_SETTINGS}
     // is not persisting the local storage inside the iframe.
     // useHostPageLocalStorage: true,
 
-    // etherpad ("shared document") integration.
+    // Etherpad ("shared document") integration.
     //
-
     // If set, add a "Open shared document" link to the bottom right menu that
     // will open an etherpad document.
     // etherpad_base: 'https://your-etherpad-installati.on/p/',
@@ -1212,11 +1362,6 @@ ${ANALYTICS_SETTINGS}
     // {"countryCode":"US","tollFree":false,"formattedNumber":"+1 123-456-7890"}
     // dialInConfCodeUrl is the conference mapper converting a meeting id to a PIN used for dial-in
     // or the other way around (more info in resources/cloud-api.swagger)
-    //
-    // For JaaS customers the default values are:
-    // dialInNumbersUrl: 'https://conference-mapper.jitsi.net/v1/access/dids',
-    // dialInConfCodeUrl: 'https://conference-mapper.jitsi.net/v1/access',
-    //
 
     // List of undocumented settings used in jitsi-meet
     /**
@@ -1226,6 +1371,7 @@ ${ANALYTICS_SETTINGS}
      deploymentInfo
      dialOutAuthUrl
      dialOutCodesUrl
+     dialOutRegionUrl
      disableRemoteControl
      displayJids
      externalConnectUrl
@@ -1317,6 +1463,7 @@ ${ANALYTICS_SETTINGS}
     //     'notify.leftTwoMembers', // show when two participants left simultaneously
     //     'notify.leftThreePlusMembers', // show when more than 2 participants left simultaneously
     //     'notify.grantedTo', // shown when moderator rights were granted to a participant
+    //     'notify.hostAskedUnmute', // shown to participant when host asks them to unmute
     //     'notify.invitedOneMember', // shown when 1 participant has been invited
     //     'notify.invitedThreePlusMembers', // shown when 3+ participants have been invited
     //     'notify.invitedTwoMembers', // shown when 2 participants have been invited
@@ -1337,7 +1484,7 @@ ${ANALYTICS_SETTINGS}
     //     'notify.raisedHand', // shown when a partcipant used raise hand,
     //     'notify.startSilentTitle', // shown when user joined with no audio
     //     'notify.unmute', // shown to moderator when user raises hand during AV moderation
-    //     'notify.hostAskedUnmute', // shown to participant when host asks them to unmute
+    //     'notify.videoMutedRemotelyTitle', // shown when user's video is muted by a remote party,
     //     'prejoin.errorDialOut',
     //     'prejoin.errorDialOutDisconnected',
     //     'prejoin.errorDialOutFailed',
@@ -1350,7 +1497,7 @@ ${ANALYTICS_SETTINGS}
     //     'toolbar.noAudioSignalTitle', // shown when a broken mic is detected
     //     'toolbar.noisyAudioInputTitle', // shown when noise is detected for the current microphone
     //     'toolbar.talkWhileMutedPopup', // shown when user tries to speak while muted
-    //     'transcribing.failedToStart' // shown when transcribing fails to start
+    //     'transcribing.failedToStart', // shown when transcribing fails to start
     // ],
 
     // List of notifications to be disabled. Works in tandem with the above setting.
@@ -1366,14 +1513,25 @@ ${ANALYTICS_SETTINGS}
 
     //     // Disables the stage filmstrip
     //     // (displaying multiple participants on stage besides the vertical filmstrip)
-    //     disableStageFilmstrip: false
+    //     disableStageFilmstrip: false,
+
+    //     // Default number of participants that can be displayed on stage.
+    //     // The user can change this in settings. Number must be between 1 and 6.
+    //     stageFilmstripParticipants: 1,
+
+    //     // Disables the top panel (only shown when a user is sharing their screen).
+    //     disableTopPanel: false,
+
+    //     // The minimum number of participants that must be in the call for
+    //     // the top panel layout to be used.
+    //     minParticipantCountForTopPanel: 50,
     // },
 
     // Tile view related config options.
     // tileView: {
     //     // The optimal number of tiles that are going to be shown in tile view. Depending on the screen size it may
     //     // not be possible to show the exact number of participants specified here.
-    //     numberOfVisibleTiles: 25
+    //     numberOfVisibleTiles: 25,
     // },
 
     // Specifies whether the chat emoticons are disabled or not
@@ -1390,17 +1548,52 @@ ${ANALYTICS_SETTINGS}
     //     // - chat: show the GIF as a message in chat
     //     // - all: all of the above. This is the default option
     //     displayMode: 'all',
-    //     // How long the GIF should be displayed on the tile (in miliseconds).
-    //     tileTime: 5000
+    //     // How long the GIF should be displayed on the tile (in milliseconds).
+    //     tileTime: 5000,
+    //     // Limit results by rating: g, pg, pg-13, r. Default value: g.
+    //     rating: 'pg',
+    //     // The proxy server url for giphy requests in the web app.
+    //     proxyUrl: 'https://giphy-proxy.example.com',
     // },
 
-    // Allow all above example options to include a trailing comma and
-    // prevent fear when commenting out the last value.
-    makeJsonParserHappy: 'even if last key had a trailing comma'
+    // Logging
+    // logging: {
+    //      // Default log level for the app and lib-jitsi-meet.
+    //      defaultLogLevel: 'trace',
+    //      // Option to disable LogCollector (which stores the logs on CallStats).
+    //      //disableLogCollector: true,
+    //      // Individual loggers are customizable.
+    //      loggers: {
+    //      // The following are too verbose in their logging with the default level.
+    //      'modules/RTC/TraceablePeerConnection.js': 'info',
+    //      'modules/statistics/CallStats.js': 'info',
+    //      'modules/xmpp/strophe.util.js': 'log',
+    // },
 
-    // no configuration value should follow this line.
+    // Application logo url
+    // defaultLogoUrl: 'images/watermark.svg',
+
+    // Settings for the Excalidraw whiteboard integration.
+    // whiteboard: {
+    //     // Whether the feature is enabled or not.
+    //     enabled: true,
+    //     // The server used to support whiteboard collaboration.
+    //     // https://github.com/jitsi/excalidraw-backend
+    //     collabServerBaseUrl: 'https://excalidraw-backend.example.com',
+    // },
 };
 
-/* eslint-enable no-unused-vars, no-var */
+// Temporary backwards compatibility with old mobile clients.
+config.flags = config.flags || {};
+config.flags.sourceNameSignaling = true;
+config.flags.sendMultipleVideoStreams = true;
+config.flags.receiveMultipleVideoStreams = true;
+
+// Set the default values for JaaS customers
+if (enableJaaS) {
+    config.dialInNumbersUrl = 'https://conference-mapper.jitsi.net/v1/access/dids';
+    config.dialInConfCodeUrl = 'https://conference-mapper.jitsi.net/v1/access';
+    config.roomPasswordNumberOfDigits = 10; // skip re-adding it (do not remove comment)
+}
 EOF
 )"
diff --git a/type/__jitsi_meet_domain/files/config.js.sh.orig b/type/__jitsi_meet_domain/files/config.js.sh.orig
index a61a591..422d2f1 100644
--- a/type/__jitsi_meet_domain/files/config.js.sh.orig
+++ b/type/__jitsi_meet_domain/files/config.js.sh.orig
@@ -1,11 +1,29 @@
-
-/* eslint-disable no-unused-vars, no-var */
+/* eslint-disable comma-dangle, no-unused-vars, no-var, prefer-template, vars-on-top */
 
 /*
  * NOTE: If you add a new option please remember to document it here:
  * https://jitsi.github.io/handbook/docs/dev-guide/dev-guide-configuration
  */
 
+var subdir = '<!--# echo var="subdir" default="" -->';
+var subdomain = '<!--# echo var="subdomain" default="" -->';
+
+if (subdomain) {
+    subdomain = subdomain.substr(0, subdomain.length - 1).split('.')
+        .join('_')
+        .toLowerCase() + '.';
+}
+
+// In case of no ssi provided by the webserver, use empty strings
+if (subdir.startsWith('<!--')) {
+    subdir = '';
+}
+if (subdomain.startsWith('<!--')) {
+    subdomain = '';
+}
+
+var enableJaaS = false;
+
 var config = {
     // Connection
     //
@@ -24,14 +42,14 @@ var config = {
         // focus: 'focus.jitsi-meet.example.com',
 
         // XMPP MUC domain. FIXME: use XEP-0030 to discover it.
-        muc: 'conference.jitsi-meet.example.com'
+        muc: 'conference.' + subdomain + 'jitsi-meet.example.com',
     },
 
     // BOSH URL. FIXME: use XEP-0156 to discover it.
-    bosh: '//jitsi-meet.example.com/http-bind',
+    bosh: '//jitsi-meet.example.com/' + subdir + 'http-bind',
 
     // Websocket URL
-    // websocket: 'wss://jitsi-meet.example.com/xmpp-websocket',
+    // websocket: 'wss://jitsi-meet.example.com/' + subdir + 'xmpp-websocket',
 
     // The real JID of focus participant - can be overridden here
     // Do not change username - FIXME: Make focus username configurable
@@ -47,52 +65,24 @@ var config = {
         // issues related to insertable streams.
         // disableE2EE: false,
 
-        // Enables/disables thumbnail reordering in the filmstrip. It is enabled by default unless explicitly
-        // disabled by the below option.
-        // enableThumbnailReordering: true,
-
         // Enables XMPP WebSocket (as opposed to BOSH) for the given amount of users.
-        // mobileXmppWsThreshold: 10 // enable XMPP WebSockets on mobile for 10% of the users
+        // mobileXmppWsThreshold: 10, // enable XMPP WebSockets on mobile for 10% of the users
 
         // P2P test mode disables automatic switching to P2P when there are 2
         // participants in the conference.
         // p2pTestMode: false,
 
         // Enables the test specific features consumed by jitsi-meet-torture
-        // testMode: false
+        // testMode: false,
 
         // Disables the auto-play behavior of *all* newly created video element.
         // This is useful when the client runs on a host with limited resources.
-        // noAutoPlayVideo: false
-
-        // Enable / disable 500 Kbps bitrate cap on desktop tracks. When enabled,
-        // simulcast is turned off for the desktop share. If presenter is turned
-        // on while screensharing is in progress, the max bitrate is automatically
-        // adjusted to 2.5 Mbps. This takes a value between 0 and 1 which determines
-        // the probability for this to be enabled. This setting has been deprecated.
-        // desktopSharingFrameRate.max now determines whether simulcast will be enabled
-        // or disabled for the screenshare.
-        // capScreenshareBitrate: 1 // 0 to disable - deprecated.
-
-        // Whether to use fake constraints (height: 99999, width: 99999) when calling getDisplayMedia on
-        // Chromium based browsers. This is intended as a workaround for
-        // https://bugs.chromium.org/p/chromium/issues/detail?id=1056311
-        // setScreenSharingResolutionConstraints: true
+        // noAutoPlayVideo: false,
 
         // Enable callstats only for a percentage of users.
         // This takes a value between 0 and 100 which determines the probability for
         // the callstats to be enabled.
-        // callStatsThreshold: 5 // enable callstats for 5% of the users.
-    },
-
-    // Feature Flags.
-    flags: {
-        // Enables source names in the signaling.
-        // sourceNameSignaling: false,
-
-        // Enables sending multiple video streams, i.e., camera and desktop tracks can be shared in the conference
-        // separately as two different streams instead of one composite stream.
-        // sendMultipleVideoStreams: false
+        // callStatsThreshold: 5, // enable callstats for 5% of the users.
     },
 
     // Disables moderator indicators.
@@ -121,7 +111,7 @@ var config = {
     //      Can be either 'recording' - screensharing screenshots are taken
     //      only when the recording is also on,
     //      or 'always' - screensharing screenshots are always taken.
-    //      mode: 'recording'
+    //      mode: 'recording',
     // }
 
     // Disables ICE/UDP by filtering out local and remote UDP candidates in
@@ -143,6 +133,7 @@ var config = {
 
     // Disable measuring of audio levels.
     // disableAudioLevels: false,
+
     // audioLevelsInterval: 200,
 
     // Enabling this will run the lib-jitsi-meet no audio detection module which
@@ -178,16 +169,19 @@ var config = {
 
     // Enabling it (with #params) will disable local audio output of remote
     // participants and to enable it back a reload is needed.
-    // startSilent: false
+    // startSilent: false,
 
     // Enables support for opus-red (redundancy for Opus).
     // enableOpusRed: false,
 
     // Specify audio quality stereo and opusMaxAverageBitrate values in order to enable HD audio.
     // Beware, by doing so, you are disabling echo cancellation, noise suppression and AGC.
+    // Specify enableOpusDtx to enable support for opus-dtx where
+    // audio packets won’t be transmitted while participant is silent or muted.
     // audioQuality: {
     //     stereo: false,
-    //     opusMaxAverageBitrate: null // Value to fit the 6000 to 510000 range.
+    //     opusMaxAverageBitrate: null, // Value to fit the 6000 to 510000 range.
+    //     enableOpusDtx: false,
     // },
 
     // Video
@@ -198,15 +192,35 @@ var config = {
     // Specifies whether the raised hand will hide when someone becomes a dominant speaker or not
     // disableRemoveRaisedHandOnFocus: false,
 
+    // speakerStats: {
+    //     // Specifies whether the speaker stats is enable or not.
+    //     disabled: false,
+
+    //     // Specifies whether there will be a search field in speaker stats or not.
+    //     disableSearch: false,
+
+    //     // Specifies whether participants in speaker stats should be ordered or not, and with what priority.
+    //     // 'role', <- Moderators on top.
+    //     // 'name', <- Alphabetically by name.
+    //     // 'hasLeft', <- The ones that have left in the bottom.
+    //     order: [
+    //         'role',
+    //         'name',
+    //         'hasLeft',
+    //     ],
+    // },
+
+    // DEPRECATED. Please use speakerStats.disableSearch instead.
     // Specifies whether there will be a search field in speaker stats or not
     // disableSpeakerStatsSearch: false,
 
+    // DEPRECATED. Please use speakerStats.order .
     // Specifies whether participants in speaker stats should be ordered or not, and with what priority
     // speakerStatsOrder: [
     //  'role', <- Moderators on top
     //  'name', <- Alphabetically by name
     //  'hasLeft', <- The ones that have left in the bottom
-    // ] <- the order of the array elements determines priority
+    // ], <- the order of the array elements determines priority
 
     // How many participants while in the tile view mode, before the receiving video quality is reduced from HD to SD.
     // Use -1 to disable.
@@ -222,9 +236,9 @@ var config = {
     //         height: {
     //             ideal: 720,
     //             max: 720,
-    //             min: 240
-    //         }
-    //     }
+    //             min: 240,
+    //         },
+    //     },
     // },
 
     // Enable / disable simulcast support.
@@ -243,23 +257,12 @@ var config = {
     // applied locally. FIXME: having these 2 options is confusing.
     // startWithVideoMuted: false,
 
-    // If set to true, prefer to use the H.264 video codec (if supported).
-    // Note that it's not recommended to do this because simulcast is not
-    // supported when  using H.264. For 1-to-1 calls this setting is enabled by
-    // default and can be toggled in the p2p section.
-    // This option has been deprecated, use preferredCodec under videoQuality section instead.
-    // preferH264: true,
-
-    // If set to true, disable H.264 video codec by stripping it out of the
-    // SDP.
-    // disableH264: false,
-
     // Desktop sharing
 
     // Optional desktop sharing frame rate options. Default value: min:5, max:5.
     // desktopSharingFrameRate: {
     //     min: 5,
-    //     max: 5
+    //     max: 5,
     // },
 
     // This option has been deprecated since it is no longer supported as per the w3c spec.
@@ -271,52 +274,115 @@ var config = {
 
     // Recording
 
-    // Whether to enable file recording or not.
+    // DEPRECATED. Use recordingService.enabled instead.
     // fileRecordingsEnabled: false,
+
     // Enable the dropbox integration.
     // dropbox: {
-    //     appKey: '<APP_KEY>' // Specify your app key here.
+    //     appKey: '<APP_KEY>', // Specify your app key here.
     //     // A URL to redirect the user to, after authenticating
     //     // by default uses:
     //     // 'https://jitsi-meet.example.com/static/oauth.html'
     //     redirectURI:
-    //          'https://jitsi-meet.example.com/subfolder/static/oauth.html'
+    //          'https://jitsi-meet.example.com/subfolder/static/oauth.html',
     // },
-    // When integrations like dropbox are enabled only that will be shown,
-    // by enabling fileRecordingsServiceEnabled, we show both the integrations
-    // and the generic recording service (its configuration and storage type
-    // depends on jibri configuration)
+
+    // recordingService: {
+    //     // When integrations like dropbox are enabled only that will be shown,
+    //     // by enabling fileRecordingsServiceEnabled, we show both the integrations
+    //     // and the generic recording service (its configuration and storage type
+    //     // depends on jibri configuration)
+    //     enabled: false,
+
+    //     // Whether to show the possibility to share file recording with other people
+    //     // (e.g. meeting participants), based on the actual implementation
+    //     // on the backend.
+    //     sharingEnabled: false,
+
+    //     // Hide the warning that says we only store the recording for 24 hours.
+    //     hideStorageWarning: false,
+    // },
+
+    // DEPRECATED. Use recordingService.enabled instead.
     // fileRecordingsServiceEnabled: false,
-    // Whether to show the possibility to share file recording with other people
-    // (e.g. meeting participants), based on the actual implementation
-    // on the backend.
+
+    // DEPRECATED. Use recordingService.sharingEnabled instead.
     // fileRecordingsServiceSharingEnabled: false,
 
-    // Whether to enable live streaming or not.
+    // Local recording configuration.
+    // localRecording: {
+    //     // Whether to disable local recording or not.
+    //     disable: false,
+
+    //     // Whether to notify all participants when a participant is recording locally.
+    //     notifyAllParticipants: false,
+
+    //     // Whether to disable the self recording feature (only local participant streams).
+    //     disableSelfRecording: false,
+    // },
+
+    // Customize the Live Streaming dialog. Can be modified for a non-YouTube provider.
+    // liveStreaming: {
+    //    // Whether to enable live streaming or not.
+    //    enabled: false,
+    //    // Terms link
+    //    termsLink: 'https://www.youtube.com/t/terms',
+    //    // Data privacy link
+    //    dataPrivacyLink: 'https://policies.google.com/privacy',
+    //    // RegExp string that validates the stream key input field
+    //    validatorRegExpString: '^(?:[a-zA-Z0-9]{4}(?:-(?!$)|$)){4}',
+    //    // Documentation reference for the live streaming feature.
+    //    helpLink: 'https://jitsi.org/live'
+    // },
+
+    // DEPRECATED. Use liveStreaming.enabled instead.
     // liveStreamingEnabled: false,
 
-    // Whether to enable local recording or not.
-    // enableLocalRecording: false,
-
-    // Transcription (in interface_config,
-    // subtitles and buttons can be configured)
+    // DEPRECATED. Use transcription.enabled instead.
     // transcribingEnabled: false,
 
-    // If true transcriber will use the application language.
-    // The application language is either explicitly set by participants in their settings or automatically
-    // detected based on the environment, e.g. if the app is opened in a chrome instance which is using french as its
-    // default language then transcriptions for that participant will be in french.
-    // Defaults to true.
+    // DEPRECATED. Use transcription.useAppLanguage instead.
     // transcribeWithAppLanguage: true,
 
-    // Transcriber language. This settings will only work if "transcribeWithAppLanguage" is explicitly set to false.
-    // Available languages can be found in
-    // ./src/react/features/transcribing/transcriber-langs.json.
+    // DEPRECATED. Use transcription.preferredLanguage instead.
     // preferredTranscribeLanguage: 'en-US',
 
-    // Enables automatic turning on captions when recording is started
+    // DEPRECATED. Use transcription.autoCaptionOnRecord instead.
     // autoCaptionOnRecord: false,
 
+    // Transcription options.
+    // transcription: {
+    //     // Whether the feature should be enabled or not.
+    //     enabled: false,
+
+    //     // Translation languages.
+    //     // Available languages can be found in
+    //     // ./src/react/features/transcribing/translation-languages.json.
+    //     translationLanguages: ['en', 'es', 'fr', 'ro'],
+
+    //     // Important languages to show on the top of the language list.
+    //     translationLanguagesHead: ['en'],
+
+    //     // If true transcriber will use the application language.
+    //     // The application language is either explicitly set by participants in their settings or automatically
+    //     // detected based on the environment, e.g. if the app is opened in a chrome instance which
+    //     // is using french as its default language then transcriptions for that participant will be in french.
+    //     // Defaults to true.
+    //     useAppLanguage: true,
+
+    //     // Transcriber language. This settings will only work if "useAppLanguage"
+    //     // is explicitly set to false.
+    //     // Available languages can be found in
+    //     // ./src/react/features/transcribing/transcriber-langs.json.
+    //     preferredLanguage: 'en-US',
+
+    //     // Disable start transcription for all participants.
+    //     disableStartForAll: false,
+
+    //     // Enables automatic turning on captions when recording is started
+    //     autoCaptionOnRecord: false,
+    // },
+
     // Misc
 
     // Default value for the channel "last N" attribute. -1 for unlimited.
@@ -349,15 +415,9 @@ var config = {
     //     30: 15,
     //     50: 10,
     //     70: 5,
-    //     90: 2
+    //     90: 2,
     // },
 
-    // Provides a way to translate the legacy bridge signaling messages, 'LastNChangedEvent',
-    // 'SelectedEndpointsChangedEvent' and 'ReceiverVideoConstraint' into the new 'ReceiverVideoConstraints' message
-    // that invokes the new bandwidth allocation algorithm in the bridge which is described here
-    // - https://github.com/jitsi/jitsi-videobridge/blob/master/doc/allocation.md.
-    // useNewBandwidthAllocationStrategy: false,
-
     // Specify the settings for video quality optimizations on the client.
     // videoQuality: {
     //    // Provides a way to prevent a video codec from being negotiated on the JVB connection. The codec specified
@@ -378,7 +438,7 @@ var config = {
     //    // This will result in Safari not being able to decode video from endpoints sending VP9 video.
     //    // When set to false, the conference falls back to VP8 whenever there is an endpoint that doesn't support the
     //    // preferred codec and goes back to the preferred codec when that endpoint leaves.
-    //    // enforcePreferredCodec: false,
+    //    enforcePreferredCodec: false,
     //
     //    // Provides a way to configure the maximum bitrates that will be enforced on the simulcast streams for
     //    // video tracks. The keys in the object represent the type of the stream (LD, SD or HD) and the values
@@ -389,18 +449,18 @@ var config = {
     //          H264: {
     //              low: 200000,
     //              standard: 500000,
-    //              high: 1500000
+    //              high: 1500000,
     //          },
     //          VP8 : {
     //              low: 200000,
     //              standard: 500000,
-    //              high: 1500000
+    //              high: 1500000,
     //          },
     //          VP9: {
     //              low: 100000,
     //              standard: 300000,
-    //              high: 1200000
-    //          }
+    //              high: 1200000,
+    //          },
     //    },
     //
     //    // The options can be used to override default thresholds of video thumbnail heights corresponding to
@@ -415,19 +475,16 @@ var config = {
     //    // the high quality.
     //    minHeightForQualityLvl: {
     //        360: 'standard',
-    //        720: 'high'
+    //        720: 'high',
     //    },
     //
-    //    // Provides a way to resize the desktop track to 720p (if it is greater than 720p) before creating a canvas
-    //    // for the presenter mode (camera picture-in-picture mode with screenshare).
-    //    resizeDesktopForPresenter: false
     // },
 
     // Notification timeouts
     // notificationTimeouts: {
     //     short: 2500,
     //     medium: 5000,
-    //     long: 10000
+    //     long: 10000,
     // },
 
     // // Options for the recording limit notification.
@@ -442,7 +499,7 @@ var config = {
     //    appName: 'Unlimited recordings APP',
     //
     //    // The URL of the app with unlimited recordings.
-    //    appURL: 'https://unlimited.recordings.app.com/'
+    //    appURL: 'https://unlimited.recordings.app.com/',
     // },
 
     // Disables or enables RTX (RFC 4588) (defaults to false).
@@ -485,12 +542,15 @@ var config = {
     // Disables responsive tiles.
     // disableResponsiveTiles: false,
 
-    // Hides lobby button
+    // DEPRECATED. Please use `securityUi?.hideLobbyButton` instead.
+    // Hides lobby button.
     // hideLobbyButton: false,
 
+    // DEPRECATED. Please use `lobby?.autoKnock` instead.
     // If Lobby is enabled starts knocking automatically.
     // autoKnockLobby: false,
 
+    // DEPRECATED. Please use `lobby?.enableChat` instead.
     // Enable lobby chat.
     // enableLobbyChat: true,
 
@@ -501,9 +561,35 @@ var config = {
     // Require users to always specify a display name.
     // requireDisplayName: true,
 
+    // DEPRECATED! Use 'welcomePage.disabled' instead.
     // Whether to use a welcome page or not. In case it's false a random room
     // will be joined when no room is specified.
-    enableWelcomePage: true,
+    // enableWelcomePage: true,
+
+    // Configs for welcome page.
+    // welcomePage: {
+    //     // Whether to disable welcome page. In case it's disabled a random room
+    //     // will be joined when no room is specified.
+    //     disabled: false,
+    //     // If set,landing page will redirect to this URL.
+    //     customUrl: ''
+    // },
+
+    // Configs for the lobby screen.
+    // lobby {
+    //     // If Lobby is enabled, it starts knocking automatically. Replaces `autoKnockLobby`.
+    //     autoKnock: false,
+    //     // Enables the lobby chat. Replaces `enableLobbyChat`.
+    //     enableChat: true,
+    // },
+
+    // Configs for the security related UI elements.
+    // securityUi: {
+    //     // Hides the lobby button. Replaces `hideLobbyButton`.
+    //     hideLobbyButton: false,
+    //     // Hides the possibility to set and enter a lobby password.
+    //     disableLobbyPassword: false,
+    // },
 
     // Disable app shortcuts that are registered upon joining a conference
     // disableShortcuts: false,
@@ -542,12 +628,9 @@ var config = {
     // Hides the email section under profile settings.
     // hideEmailInSettings: false,
 
-    // Whether or not some features are checked based on token.
-    // enableFeaturesBasedOnToken: false,
-
     // When enabled the password used for locking a room is restricted to up to the number of digits specified
-    // roomPasswordNumberOfDigits: 10,
     // default: roomPasswordNumberOfDigits: false,
+    // roomPasswordNumberOfDigits: 10,
 
     // Message to show the users. Example: 'The service will be down for
     // maintenance at 01:00 AM GMT,
@@ -567,11 +650,11 @@ var config = {
     //     // either the jwt or the userInfo from the iframe api init object in order for this to have an effect.
     //     hideDisplayName: false,
     //     // List of buttons to hide from the extra join options dropdown.
-    //     hideExtraJoinButtons: ['no-audio', 'by-phone']
+    //     hideExtraJoinButtons: ['no-audio', 'by-phone'],
     // },
 
     // When 'true', the user cannot edit the display name.
-    // (Mainly useful when used in conjuction with the JWT so the JWT name becomes read only.)
+    // (Mainly useful when used in conjunction with the JWT so the JWT name becomes read only.)
     // readOnlyName: false,
 
     // If etherpad integration is enabled, setting this to true will
@@ -602,7 +685,7 @@ var config = {
     //     // Defaults to Gravatar.
     //     baseUrl: 'https://www.gravatar.com/avatar/',
     //     // True if Gravatar should be disabled.
-    //     disabled: false
+    //     disabled: false,
     // },
 
     // App name to be displayed in the invitation email subject, as an alternative to
@@ -625,7 +708,6 @@ var config = {
     //    'chat',
     //    'closedcaptions',
     //    'desktop',
-    //    'dock-iframe'
     //    'download',
     //    'embedmeeting',
     //    'etherpad',
@@ -639,6 +721,7 @@ var config = {
     //    'linktosalesforce',
     //    'livestreaming',
     //    'microphone',
+    //    'noisesuppression',
     //    'participants-pane',
     //    'profile',
     //    'raisehand',
@@ -652,24 +735,23 @@ var config = {
     //    'stats',
     //    'tileview',
     //    'toggle-camera',
-    //    'undock-iframe',
     //    'videoquality',
-    //    '__end'
+    //    'whiteboard',
     // ],
 
     // Holds values related to toolbar visibility control.
     // toolbarConfig: {
     //     // Moved from interfaceConfig.INITIAL_TOOLBAR_TIMEOUT
-    //     // The initial numer of miliseconds for the toolbar buttons to be visible on screen.
+    //     // The initial number of milliseconds for the toolbar buttons to be visible on screen.
     //     initialTimeout: 20000,
     //     // Moved from interfaceConfig.TOOLBAR_TIMEOUT
-    //     // Number of miliseconds for the toolbar buttons to be visible on screen.
+    //     // Number of milliseconds for the toolbar buttons to be visible on screen.
     //     timeout: 4000,
     //     // Moved from interfaceConfig.TOOLBAR_ALWAYS_VISIBLE
-    //     // Whether toolbar should be always visible or should hide after x miliseconds.
+    //     // Whether toolbar should be always visible or should hide after x milliseconds.
     //     alwaysVisible: false,
     //     // Indicates whether the toolbar should still autohide when chat is open
-    //     autoHideWhileChatIsOpen: false
+    //     autoHideWhileChatIsOpen: false,
     // },
 
     // Toolbar buttons which have their click/tap event exposed through the API on
@@ -690,11 +772,13 @@ var config = {
     //     'desktop',
     //     'download',
     //     'embedmeeting',
+    //     'end-meeting',
     //     'etherpad',
     //     'feedback',
     //     'filmstrip',
     //     'fullscreen',
     //     'hangup',
+    //     'hangup-menu',
     //     'help',
     //     {
     //         key: 'invite',
@@ -704,6 +788,7 @@ var config = {
     //     'microphone',
     //     'mute-everyone',
     //     'mute-video-everyone',
+    //     'noisesuppression',
     //     'participants-pane',
     //     'profile',
     //     {
@@ -725,14 +810,22 @@ var config = {
     //     {
     //         key: 'add-passcode',
     //         preventExecution: false
-    //     }
-    //     '__end'
+    //     },
+    //     'whiteboard',
     // ],
 
     // List of pre meeting screens buttons to hide. The values must be one or more of the 5 allowed buttons:
     // 'microphone', 'camera', 'select-background', 'invite', 'settings'
     // hiddenPremeetingButtons: [],
 
+    // An array with custom option buttons for the participant context menu
+    // type:  Array<{ icon: string; id: string; text: string; }>
+    // customParticipantMenuButtons: [],
+
+    // An array with custom option buttons for the toolbar
+    // type:  Array<{ icon: string; id: string; text: string; }>
+    // customToolbarButtons: [],
+
     // Stats
     //
 
@@ -749,6 +842,7 @@ var config = {
     // Application ID and Secret.
     // callStatsID: '',
     // callStatsSecret: '',
+    // callStatsApplicationLogsDisabled: false,
 
     // The callstats initialize config params as described in the API:
     // https://docs.callstats.io/docs/javascript#callstatsinitialize-with-app-secret
@@ -766,10 +860,10 @@ var config = {
     //         pbxID: "PBX Identifier. Example, walmart.",
     //         pbxExtensionID: "PBX Extension Identifier. Example, 5625.",
     //         fqExtensionID: "Fully qualified Extension Identifier. Example, +71 (US) +5625.",
-    //         sessionID: "Session Identifier. Example, session-12-34"
+    //         sessionID: "Session Identifier. Example, session-12-34",
     //     },
     //     collectLegacyStats: true, //enables the collection of legacy stats in chrome browser
-    //     collectIP: true //enables the collection localIP address
+    //     collectIP: true, //enables the collection localIP address
     // },
 
     // Enables sending participants' display names to callstats
@@ -795,7 +889,7 @@ var config = {
     //     faceCenteringThreshold: 10,
 
     //     // Milliseconds for processing a new image capture in order to detect face coordinates if they exist.
-    //     captureInterval: 1000
+    //     captureInterval: 1000,
     // },
 
     // Controls the percentage of automatic feedback shown to participants when callstats is enabled.
@@ -834,18 +928,10 @@ var config = {
         // If not set, the effective value is 'all'.
         // iceTransportPolicy: 'all',
 
-        // If set to true, it will prefer to use H.264 for P2P calls (if H.264
-        // is supported). This setting is deprecated, use preferredCodec instead.
-        // preferH264: true,
-
         // Provides a way to set the video codec preference on the p2p connection. Acceptable
         // codec values are 'VP8', 'VP9' and 'H264'.
         // preferredCodec: 'H264',
 
-        // If set to true, disable H.264 video codec by stripping it out of the
-        // SDP. This setting is deprecated, use disabledCodec instead.
-        // disableH264: false,
-
         // Provides a way to prevent a video codec from being negotiated on the p2p connection.
         // disabledCodec: '',
 
@@ -857,8 +943,8 @@ var config = {
         stunServers: [
 
             // { urls: 'stun:jitsi-meet.example.com:3478' },
-            { urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' }
-        ]
+            { urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' },
+        ],
     },
 
     analytics: {
@@ -866,14 +952,18 @@ var config = {
         // disabled: false,
 
         // The Google Analytics Tracking ID:
-        // googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1'
+        // googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1',
 
         // Matomo configuration:
         // matomoEndpoint: 'https://your-matomo-endpoint/',
         // matomoSiteID: '42',
 
         // The Amplitude APP Key:
-        // amplitudeAPPKey: '<APP_KEY>'
+        // amplitudeAPPKey: '<APP_KEY>',
+
+        // Obfuscates room name sent to analytics (amplitude, rtcstats)
+        // Default value is false.
+        // obfuscateRoomName: false,
 
         // Configuration for the rtcstats server:
         // By enabling rtcstats server every time a conference is joined the rtcstats
@@ -881,19 +971,24 @@ var config = {
         // PeerConnection states along with getStats metrics polled at the specified
         // interval.
         // rtcstatsEnabled: false,
+        // rtcstatsStoreLogs: false,
 
         // In order to enable rtcstats one needs to provide a endpoint url.
         // rtcstatsEndpoint: wss://rtcstats-server-pilot.jitsi.net/,
 
-        // The interval at which rtcstats will poll getStats, defaults to 1000ms.
+        // The interval at which rtcstats will poll getStats, defaults to 10000ms.
         // If the value is set to 0 getStats won't be polled and the rtcstats client
         // will only send data related to RTCPeerConnection events.
-        // rtcstatsPolIInterval: 1000,
+        // rtcstatsPollInterval: 10000,
+
+        // This determines if rtcstats sends the SDP to the rtcstats server or replaces
+        // all SDPs with an empty string instead.
+        // rtcstatsSendSdp: false,
 
         // Array of script URLs to load as lib-jitsi-meet "analytics handlers".
         // scriptURLs: [
         //      "libs/analytics-ga.min.js", // google-analytics
-        //      "https://example.com/my-custom-analytics.js"
+        //      "https://example.com/my-custom-analytics.js",
         // ],
     },
 
@@ -902,11 +997,11 @@ var config = {
 
     // Information about the jitsi-meet instance we are connecting to, including
     // the user region as seen by the server.
-    deploymentInfo: {
-        // shard: "shard1",
-        // region: "europe",
-        // userRegion: "asia"
-    },
+    // deploymentInfo: {
+    //     shard: "shard1",
+    //     region: "europe",
+    //     userRegion: "asia",
+    // },
 
     // Array<string> of disabled sounds.
     // Possible values:
@@ -955,19 +1050,19 @@ var config = {
     //     chromeExtensionsInfo: [
     //         {
     //             id: 'kglhbbefdnlheedjiejgomgmfplipfeb',
-    //             path: 'jitsi-logo-48x48.png'
+    //             path: 'jitsi-logo-48x48.png',
     //         },
     //         // Edge extension info
     //         {
     //             id: 'eeecajlpbgjppibfledfihobcabccihn',
-    //             path: 'jitsi-logo-48x48.png'
-    //         }
+    //             path: 'jitsi-logo-48x48.png',
+    //         },
     //     ]
     // },
 
     // e2ee: {
     //   labels,
-    //   externallyManagedKey: false
+    //   externallyManagedKey: false,
     // },
 
     // Options related to end-to-end (participant to participant) ping.
@@ -982,9 +1077,9 @@ var config = {
     //   maxConferenceSize: 200,
     //
     //   // The maximum number of e2e ping messages per second for the whole conference to aim for.
-    //   // This is used to contol the pacing of messages in order to reduce the load on the backend.
-    //   maxMessagesPerSecond: 250
-    //   },
+    //   // This is used to control the pacing of messages in order to reduce the load on the backend.
+    //   maxMessagesPerSecond: 250,
+    // },
 
     // If set, will attempt to use the provided video input device label when
     // triggering a screenshare, instead of proceeding through the normal flow
@@ -993,10 +1088,64 @@ var config = {
     // use only.
     // _desktopSharingSourceDevice: 'sample-id-or-label',
 
+    // DEPRECATED! Use deeplinking.disabled instead.
     // If true, any checks to handoff to another application will be prevented
     // and instead the app will continue to display in the current browser.
     // disableDeepLinking: false,
 
+    // The deeplinking config.
+    // For information about the properties of
+    // deeplinking.[ios/android].dynamicLink check:
+    // https://firebase.google.com/docs/dynamic-links/create-manually
+    // deeplinking: {
+    //
+    //     // The desktop deeplinking config.
+    //     desktop: {
+    //         appName: 'Jitsi Meet'
+    //     },
+    //     // If true, any checks to handoff to another application will be prevented
+    //     // and instead the app will continue to display in the current browser.
+    //     disabled: false,
+
+    //     // whether to hide the logo on the deep linking pages.
+    //     hideLogo: false,
+
+    //     // The ios deeplinking config.
+    //     ios: {
+    //         appName: 'Jitsi Meet',
+    //         // Specify mobile app scheme for opening the app from the mobile browser.
+    //         appScheme: 'org.jitsi.meet',
+    //         // Custom URL for downloading ios mobile app.
+    //         downloadLink: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
+    //         dynamicLink: {
+    //             apn: 'org.jitsi.meet',
+    //             appCode: 'w2atb',
+    //             customDomain: undefined,
+    //             ibi: 'com.atlassian.JitsiMeet.ios',
+    //             isi: '1165103905'
+    //         }
+    //     },
+
+    //     // The android deeplinking config.
+    //     android: {
+    //         appName: 'Jitsi Meet',
+    //         // Specify mobile app scheme for opening the app from the mobile browser.
+    //         appScheme: 'org.jitsi.meet',
+    //         // Custom URL for downloading android mobile app.
+    //         downloadLink: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
+    //         // Android app package name.
+    //         appPackage: 'org.jitsi.meet',
+    //         fDroidUrl: 'https://f-droid.org/en/packages/org.jitsi.meet/',
+    //         dynamicLink: {
+    //             apn: 'org.jitsi.meet',
+    //             appCode: 'w2atb',
+    //             customDomain: undefined,
+    //             ibi: 'com.atlassian.JitsiMeet.ios',
+    //             isi: '1165103905'
+    //         }
+    //     }
+    // },
+
     // A property to disable the right click context menu for localVideo
     // the menu has option to flip the locally seen video for local presentations
     // disableLocalVideoFlip: false,
@@ -1021,7 +1170,7 @@ var config = {
     //    userDocumentationURL: 'https://docs.example.com/video-meetings.html',
     //    // If specified a 'Download our apps' button will be displayed in the overflow menu with a link
     //    // to the specified URL for an app download page.
-    //    downloadAppsUrl: 'https://docs.example.com/our-apps.html'
+    //    downloadAppsUrl: 'https://docs.example.com/our-apps.html',
     // },
 
     // Options related to the remote participant menu.
@@ -1033,7 +1182,7 @@ var config = {
     //     // If set to true the 'Grant moderator' button will be disabled.
     //     disableGrantModerator: true,
     //     // If set to true the 'Send private message' button will be disabled.
-    //     disablePrivateChat: true
+    //     disablePrivateChat: true,
     // },
 
     // Endpoint that enables support for salesforce integration with in-meeting resource linking
@@ -1049,7 +1198,7 @@ var config = {
     // disableRemoteMute: true,
 
     // Enables support for lip-sync for this client (if the browser supports it).
-    // enableLipSync: false
+    // enableLipSync: false,
 
     /**
      External API url used to receive branding specific information.
@@ -1078,7 +1227,7 @@ var config = {
         // For a list of all possible theme tokens and their current defaults, please check:
         // https://github.com/jitsi/jitsi-meet/tree/master/resources/custom-theme/custom-theme.json
         // For a short explanations on each of the tokens, please check:
-        // https://github.com/jitsi/jitsi-meet/blob/master/react/features/base/ui/Tokens.js
+        // https://github.com/jitsi/jitsi-meet/blob/master/react/features/base/ui/Tokens.ts
         // IMPORTANT!: This is work in progress so many of the various tokens are not yet applied in code
         // or they are partially applied.
         customTheme: {
@@ -1092,15 +1241,15 @@ var config = {
                 field02Hover: 'red',
                 action01: 'green',
                 action01Hover: 'lightgreen',
-                action02Disabled: 'beige',
+                disabled01: 'beige',
                 success02: 'cadetblue',
-                action02Hover: 'aliceblue'
+                action02Hover: 'aliceblue',
             },
             typography: {
                 labelRegular: {
                     fontSize: 25,
                     lineHeight: 30,
-                    fontWeight: 500
+                    fontWeight: 500,
                 }
             }
         }
@@ -1115,7 +1264,7 @@ var config = {
     //     // Hides the more actions button.
     //     hideMoreActionsButton: false,
     //     // Hides the mute all button.
-    //     hideMuteAllButton: false
+    //     hideMuteAllButton: false,
     // },
 
     // Options related to the breakout rooms feature.
@@ -1125,7 +1274,7 @@ var config = {
     //     // Hides the auto assign participants button.
     //     hideAutoAssignButton: false,
     //     // Hides the join breakout room button.
-    //     hideJoinRoomButton: false
+    //     hideJoinRoomButton: false,
     // },
 
     // When true the user cannot add more images to be used as virtual background.
@@ -1164,7 +1313,8 @@ var config = {
     //         'transcribing',
     //         'video-quality',
     //         'insecure-room',
-    //         'highlight-moment'
+    //         'highlight-moment',
+    //         'top-panel-toggle',
     //     ]
     // },
 
@@ -1191,9 +1341,8 @@ var config = {
     // is not persisting the local storage inside the iframe.
     // useHostPageLocalStorage: true,
 
-    // etherpad ("shared document") integration.
+    // Etherpad ("shared document") integration.
     //
-
     // If set, add a "Open shared document" link to the bottom right menu that
     // will open an etherpad document.
     // etherpad_base: 'https://your-etherpad-installati.on/p/',
@@ -1204,11 +1353,6 @@ var config = {
     // {"countryCode":"US","tollFree":false,"formattedNumber":"+1 123-456-7890"}
     // dialInConfCodeUrl is the conference mapper converting a meeting id to a PIN used for dial-in
     // or the other way around (more info in resources/cloud-api.swagger)
-    //
-    // For JaaS customers the default values are:
-    // dialInNumbersUrl: 'https://conference-mapper.jitsi.net/v1/access/dids',
-    // dialInConfCodeUrl: 'https://conference-mapper.jitsi.net/v1/access',
-    //
 
     // List of undocumented settings used in jitsi-meet
     /**
@@ -1218,6 +1362,7 @@ var config = {
      deploymentInfo
      dialOutAuthUrl
      dialOutCodesUrl
+     dialOutRegionUrl
      disableRemoteControl
      displayJids
      externalConnectUrl
@@ -1309,6 +1454,7 @@ var config = {
     //     'notify.leftTwoMembers', // show when two participants left simultaneously
     //     'notify.leftThreePlusMembers', // show when more than 2 participants left simultaneously
     //     'notify.grantedTo', // shown when moderator rights were granted to a participant
+    //     'notify.hostAskedUnmute', // shown to participant when host asks them to unmute
     //     'notify.invitedOneMember', // shown when 1 participant has been invited
     //     'notify.invitedThreePlusMembers', // shown when 3+ participants have been invited
     //     'notify.invitedTwoMembers', // shown when 2 participants have been invited
@@ -1329,7 +1475,7 @@ var config = {
     //     'notify.raisedHand', // shown when a partcipant used raise hand,
     //     'notify.startSilentTitle', // shown when user joined with no audio
     //     'notify.unmute', // shown to moderator when user raises hand during AV moderation
-    //     'notify.hostAskedUnmute', // shown to participant when host asks them to unmute
+    //     'notify.videoMutedRemotelyTitle', // shown when user's video is muted by a remote party,
     //     'prejoin.errorDialOut',
     //     'prejoin.errorDialOutDisconnected',
     //     'prejoin.errorDialOutFailed',
@@ -1342,7 +1488,7 @@ var config = {
     //     'toolbar.noAudioSignalTitle', // shown when a broken mic is detected
     //     'toolbar.noisyAudioInputTitle', // shown when noise is detected for the current microphone
     //     'toolbar.talkWhileMutedPopup', // shown when user tries to speak while muted
-    //     'transcribing.failedToStart' // shown when transcribing fails to start
+    //     'transcribing.failedToStart', // shown when transcribing fails to start
     // ],
 
     // List of notifications to be disabled. Works in tandem with the above setting.
@@ -1358,14 +1504,25 @@ var config = {
 
     //     // Disables the stage filmstrip
     //     // (displaying multiple participants on stage besides the vertical filmstrip)
-    //     disableStageFilmstrip: false
+    //     disableStageFilmstrip: false,
+
+    //     // Default number of participants that can be displayed on stage.
+    //     // The user can change this in settings. Number must be between 1 and 6.
+    //     stageFilmstripParticipants: 1,
+
+    //     // Disables the top panel (only shown when a user is sharing their screen).
+    //     disableTopPanel: false,
+
+    //     // The minimum number of participants that must be in the call for
+    //     // the top panel layout to be used.
+    //     minParticipantCountForTopPanel: 50,
     // },
 
     // Tile view related config options.
     // tileView: {
     //     // The optimal number of tiles that are going to be shown in tile view. Depending on the screen size it may
     //     // not be possible to show the exact number of participants specified here.
-    //     numberOfVisibleTiles: 25
+    //     numberOfVisibleTiles: 25,
     // },
 
     // Specifies whether the chat emoticons are disabled or not
@@ -1382,15 +1539,50 @@ var config = {
     //     // - chat: show the GIF as a message in chat
     //     // - all: all of the above. This is the default option
     //     displayMode: 'all',
-    //     // How long the GIF should be displayed on the tile (in miliseconds).
-    //     tileTime: 5000
+    //     // How long the GIF should be displayed on the tile (in milliseconds).
+    //     tileTime: 5000,
+    //     // Limit results by rating: g, pg, pg-13, r. Default value: g.
+    //     rating: 'pg',
+    //     // The proxy server url for giphy requests in the web app.
+    //     proxyUrl: 'https://giphy-proxy.example.com',
     // },
 
-    // Allow all above example options to include a trailing comma and
-    // prevent fear when commenting out the last value.
-    makeJsonParserHappy: 'even if last key had a trailing comma'
+    // Logging
+    // logging: {
+    //      // Default log level for the app and lib-jitsi-meet.
+    //      defaultLogLevel: 'trace',
+    //      // Option to disable LogCollector (which stores the logs on CallStats).
+    //      //disableLogCollector: true,
+    //      // Individual loggers are customizable.
+    //      loggers: {
+    //      // The following are too verbose in their logging with the default level.
+    //      'modules/RTC/TraceablePeerConnection.js': 'info',
+    //      'modules/statistics/CallStats.js': 'info',
+    //      'modules/xmpp/strophe.util.js': 'log',
+    // },
 
-    // no configuration value should follow this line.
+    // Application logo url
+    // defaultLogoUrl: 'images/watermark.svg',
+
+    // Settings for the Excalidraw whiteboard integration.
+    // whiteboard: {
+    //     // Whether the feature is enabled or not.
+    //     enabled: true,
+    //     // The server used to support whiteboard collaboration.
+    //     // https://github.com/jitsi/excalidraw-backend
+    //     collabServerBaseUrl: 'https://excalidraw-backend.example.com',
+    // },
 };
 
-/* eslint-enable no-unused-vars, no-var */
+// Temporary backwards compatibility with old mobile clients.
+config.flags = config.flags || {};
+config.flags.sourceNameSignaling = true;
+config.flags.sendMultipleVideoStreams = true;
+config.flags.receiveMultipleVideoStreams = true;
+
+// Set the default values for JaaS customers
+if (enableJaaS) {
+    config.dialInNumbersUrl = 'https://conference-mapper.jitsi.net/v1/access/dids';
+    config.dialInConfCodeUrl = 'https://conference-mapper.jitsi.net/v1/access';
+    config.roomPasswordNumberOfDigits = 10; // skip re-adding it (do not remove comment)
+}
diff --git a/type/__jitsi_meet_domain/files/interface_config.js.sh b/type/__jitsi_meet_domain/files/interface_config.js.sh
index 0589ced..1aad856 100644
--- a/type/__jitsi_meet_domain/files/interface_config.js.sh
+++ b/type/__jitsi_meet_domain/files/interface_config.js.sh
@@ -38,7 +38,6 @@ var interfaceConfig = {
     CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
 
     DEFAULT_BACKGROUND: '#040404',
-    DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
     DEFAULT_WELCOME_PAGE_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
 
     DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
@@ -88,11 +87,6 @@ var interfaceConfig = {
 
     GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
 
-    /**
-     * Hide the logo on the deep linking pages.
-     */
-    HIDE_DEEP_LINKING_LOGO: false,
-
     /**
      * Hide the invite prompt in the header when alone in the meeting.
      */
@@ -101,7 +95,6 @@ var interfaceConfig = {
     JITSI_WATERMARK_LINK: 'https://jitsi.org',
 
     LANG_DETECTION: true, // Allow i18n to detect the system language
-    LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature.
     LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
 
     /**
@@ -121,23 +114,6 @@ var interfaceConfig = {
      */
     MOBILE_APP_PROMO: true,
 
-    /**
-     * Specify custom URL for downloading android mobile app.
-     */
-    MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
-
-    /**
-     * Specify custom URL for downloading f droid app.
-     */
-    MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
-
-    /**
-     * Specify URL for downloading ios mobile app.
-     */
-    MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
-
-    NATIVE_APP_NAME: 'Jitsi Meet',
-
     // Names of browsers which should show a warning stating the current browser
     // has a suboptimal experience. Browsers which are not listed as optimal or
     // unsupported are considered suboptimal. Valid values are:
@@ -155,7 +131,7 @@ var interfaceConfig = {
     RECENT_LIST_ENABLED: true,
     REMOTE_THUMBNAIL_RATIO: 1, // 1:1
 
-    SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds' ],
+    SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds', 'more' ],
 
     /**
      * Specify which sharing features should be displayed. If the value is not set
@@ -172,7 +148,6 @@ var interfaceConfig = {
      */
     SHOW_CHROME_EXTENSION_BANNER: false,
 
-    SHOW_DEEP_LINKING_IMAGE: false,
     SHOW_JITSI_WATERMARK: true,
     SHOW_POWERED_BY: false,
     SHOW_PROMOTIONAL_CLOSE_PAGE: false,
@@ -213,6 +188,31 @@ var interfaceConfig = {
      */
     // TILE_VIEW_MAX_COLUMNS: 5,
 
+    // List of undocumented settings
+    /**
+     INDICATOR_FONT_SIZES
+     PHONE_NUMBER_REGEX
+    */
+
+    // -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
+
+    /**
+     * Specify URL for downloading ios mobile app.
+     */
+    // MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
+
+    /**
+     * Specify custom URL for downloading android mobile app.
+     */
+    // MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
+
+    /**
+     * Specify mobile app scheme for opening the app from the mobile browser.
+     */
+    // APP_SCHEME: 'org.jitsi.meet',
+
+    // NATIVE_APP_NAME: 'Jitsi Meet',
+
     /**
      * Specify Firebase dynamic link properties for the mobile apps.
      */
@@ -225,22 +225,19 @@ var interfaceConfig = {
     // },
 
     /**
-     * Specify mobile app scheme for opening the app from the mobile browser.
+     * Hide the logo on the deep linking pages.
      */
-    // APP_SCHEME: 'org.jitsi.meet',
+    // HIDE_DEEP_LINKING_LOGO: false,
 
     /**
      * Specify the Android app package name.
      */
     // ANDROID_APP_PACKAGE: 'org.jitsi.meet',
 
-    // List of undocumented settings
     /**
-     INDICATOR_FONT_SIZES
-     PHONE_NUMBER_REGEX
-    */
-
-    // -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
+     * Specify custom URL for downloading f droid app.
+     */
+    // MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
 
     // Connection indicators (
     // CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,
@@ -253,12 +250,19 @@ var interfaceConfig = {
     // Please use defaultLocalDisplayName from config.js
     // DEFAULT_LOCAL_DISPLAY_NAME: 'me',
 
+    // Please use defaultLogoUrl from config.js
+    DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
+
     // Please use defaultRemoteDisplayName from config.js
     // DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
 
     // Moved to config.js as \`toolbarConfig.initialTimeout\`.
     // INITIAL_TOOLBAR_TIMEOUT: 20000,
 
+    // Moved to config.js as \`toolbarConfig.alwaysVisible\`.
+    // Documentation reference for the live streaming feature.
+    // LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live',
+
     // Moved to config.js as \`toolbarConfig.alwaysVisible\`.
     // TOOLBAR_ALWAYS_VISIBLE: false,
 
diff --git a/type/__jitsi_meet_domain/files/interface_config.js.sh.orig b/type/__jitsi_meet_domain/files/interface_config.js.sh.orig
index cf97296..2f8591c 100644
--- a/type/__jitsi_meet_domain/files/interface_config.js.sh.orig
+++ b/type/__jitsi_meet_domain/files/interface_config.js.sh.orig
@@ -27,7 +27,6 @@ var interfaceConfig = {
     CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
 
     DEFAULT_BACKGROUND: '#040404',
-    DEFAULT_LOGO_URL: 'images/watermark.svg',
     DEFAULT_WELCOME_PAGE_LOGO_URL: 'images/watermark.svg',
 
     DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
@@ -77,11 +76,6 @@ var interfaceConfig = {
 
     GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
 
-    /**
-     * Hide the logo on the deep linking pages.
-     */
-    HIDE_DEEP_LINKING_LOGO: false,
-
     /**
      * Hide the invite prompt in the header when alone in the meeting.
      */
@@ -90,7 +84,6 @@ var interfaceConfig = {
     JITSI_WATERMARK_LINK: 'https://jitsi.org',
 
     LANG_DETECTION: true, // Allow i18n to detect the system language
-    LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature.
     LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
 
     /**
@@ -110,23 +103,6 @@ var interfaceConfig = {
      */
     MOBILE_APP_PROMO: true,
 
-    /**
-     * Specify custom URL for downloading android mobile app.
-     */
-    MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
-
-    /**
-     * Specify custom URL for downloading f droid app.
-     */
-    MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
-
-    /**
-     * Specify URL for downloading ios mobile app.
-     */
-    MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
-
-    NATIVE_APP_NAME: 'Jitsi Meet',
-
     // Names of browsers which should show a warning stating the current browser
     // has a suboptimal experience. Browsers which are not listed as optimal or
     // unsupported are considered suboptimal. Valid values are:
@@ -144,7 +120,7 @@ var interfaceConfig = {
     RECENT_LIST_ENABLED: true,
     REMOTE_THUMBNAIL_RATIO: 1, // 1:1
 
-    SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds' ],
+    SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds', 'more' ],
 
     /**
      * Specify which sharing features should be displayed. If the value is not set
@@ -161,7 +137,6 @@ var interfaceConfig = {
      */
     SHOW_CHROME_EXTENSION_BANNER: false,
 
-    SHOW_DEEP_LINKING_IMAGE: false,
     SHOW_JITSI_WATERMARK: true,
     SHOW_POWERED_BY: false,
     SHOW_PROMOTIONAL_CLOSE_PAGE: false,
@@ -202,6 +177,31 @@ var interfaceConfig = {
      */
     // TILE_VIEW_MAX_COLUMNS: 5,
 
+    // List of undocumented settings
+    /**
+     INDICATOR_FONT_SIZES
+     PHONE_NUMBER_REGEX
+    */
+
+    // -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
+
+    /**
+     * Specify URL for downloading ios mobile app.
+     */
+    // MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
+
+    /**
+     * Specify custom URL for downloading android mobile app.
+     */
+    // MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
+
+    /**
+     * Specify mobile app scheme for opening the app from the mobile browser.
+     */
+    // APP_SCHEME: 'org.jitsi.meet',
+
+    // NATIVE_APP_NAME: 'Jitsi Meet',
+
     /**
      * Specify Firebase dynamic link properties for the mobile apps.
      */
@@ -214,22 +214,19 @@ var interfaceConfig = {
     // },
 
     /**
-     * Specify mobile app scheme for opening the app from the mobile browser.
+     * Hide the logo on the deep linking pages.
      */
-    // APP_SCHEME: 'org.jitsi.meet',
+    // HIDE_DEEP_LINKING_LOGO: false,
 
     /**
      * Specify the Android app package name.
      */
     // ANDROID_APP_PACKAGE: 'org.jitsi.meet',
 
-    // List of undocumented settings
     /**
-     INDICATOR_FONT_SIZES
-     PHONE_NUMBER_REGEX
-    */
-
-    // -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
+     * Specify custom URL for downloading f droid app.
+     */
+    // MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
 
     // Connection indicators (
     // CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,
@@ -242,12 +239,19 @@ var interfaceConfig = {
     // Please use defaultLocalDisplayName from config.js
     // DEFAULT_LOCAL_DISPLAY_NAME: 'me',
 
+    // Please use defaultLogoUrl from config.js
+    // DEFAULT_LOGO_URL: 'images/watermark.svg',
+
     // Please use defaultRemoteDisplayName from config.js
     // DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
 
     // Moved to config.js as `toolbarConfig.initialTimeout`.
     // INITIAL_TOOLBAR_TIMEOUT: 20000,
 
+    // Please use `liveStreaming.helpLink` from config.js
+    // Documentation reference for the live streaming feature.
+    // LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live',
+
     // Moved to config.js as `toolbarConfig.alwaysVisible`.
     // TOOLBAR_ALWAYS_VISIBLE: false,
 
diff --git a/type/__jitsi_meet_domain/files/jitsi-version b/type/__jitsi_meet_domain/files/jitsi-version
index a716598..d64455b 100644
--- a/type/__jitsi_meet_domain/files/jitsi-version
+++ b/type/__jitsi_meet_domain/files/jitsi-version
@@ -1 +1 @@
-2.0.7439-1
\ No newline at end of file
+2.0.8319-1
\ No newline at end of file
diff --git a/type/__jitsi_meet_domain/files/nginx.sh b/type/__jitsi_meet_domain/files/nginx.sh
index 64467d9..249aa93 100644
--- a/type/__jitsi_meet_domain/files/nginx.sh
+++ b/type/__jitsi_meet_domain/files/nginx.sh
@@ -7,8 +7,9 @@ JITSI_NGINX_CONFIG="$(cat <<EOF
 #server_names_hash_bucket_size 64;
 #
 #types {
-## nginx's default mime.types doesn't include a mapping for wasm
+## nginx's default mime.types doesn't include a mapping for wasm or wav.
 #    application/wasm     wasm;
+#    audio/wav            wav;
 #}
 # These upstreams are managed by __jitsi_meet
 #upstream prosody {
@@ -21,6 +22,17 @@ JITSI_NGINX_CONFIG="$(cat <<EOF
 #    server 127.0.0.1:9090;
 #    keepalive 2;
 #}
+#map \$arg_vnode \$prosody_node {
+#    default prosody;
+#    v1 v1;
+#    v2 v2;
+#    v3 v3;
+#    v4 v4;
+#    v5 v5;
+#    v6 v6;
+#    v7 v7;
+#    v8 v8;
+#}
 server {
     listen 80;
     listen [::]:80;
@@ -91,6 +103,13 @@ server {
         alias /usr/share/jitsi-meet/libs/external_api.min.js;
     }
 
+    location = /_api/room-info {
+        proxy_pass http://prosody/room-info?prefix=\$prefix&\$args;
+        proxy_http_version 1.1;
+        proxy_set_header X-Forwarded-For \$remote_addr;
+        proxy_set_header Host \$http_host;
+    }
+
     # ensure all static content can always be found first
     location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)\$
     {
@@ -102,6 +121,7 @@ server {
             expires 1y;
         }
     }
+
     # Paths for jsi / interpreters
     location ~ ^/i/(img/[^./]*.png|jsi.js|style.css)$
     {
@@ -193,6 +213,14 @@ server {
         rewrite ^/(.*)\$ /xmpp-websocket;
     }
 
+    location ~ ^/([^/?&:'"]+)/_api/room-info {
+        set \$subdomain "\$1.";
+        set \$subdir "\$1/";
+        set \$prefix "\$1";
+
+        rewrite ^/(.*)\$ /_api/room-info;
+    }
+
     # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
     location ~ ^/([^/?&:'"]+)/(.*)\$ {
         set \$subdomain "\$1.";
diff --git a/type/__jitsi_meet_domain/files/nginx.sh.orig b/type/__jitsi_meet_domain/files/nginx.sh.orig
index 66f0eca..fd3914e 100644
--- a/type/__jitsi_meet_domain/files/nginx.sh.orig
+++ b/type/__jitsi_meet_domain/files/nginx.sh.orig
@@ -1,8 +1,9 @@
 server_names_hash_bucket_size 64;
 
 types {
-# nginx's default mime.types doesn't include a mapping for wasm
+# nginx's default mime.types doesn't include a mapping for wasm or wav.
     application/wasm     wasm;
+    audio/wav            wav;
 }
 upstream prosody {
     zone upstreams 64K;
@@ -14,6 +15,17 @@ upstream jvb1 {
     server 127.0.0.1:9090;
     keepalive 2;
 }
+map $arg_vnode $prosody_node {
+    default prosody;
+    v1 v1;
+    v2 v2;
+    v3 v3;
+    v4 v4;
+    v5 v5;
+    v6 v6;
+    v7 v7;
+    v8 v8;
+}
 server {
     listen 80;
     listen [::]:80;
@@ -73,6 +85,13 @@ server {
         alias /usr/share/jitsi-meet/libs/external_api.min.js;
     }
 
+    location = /_api/room-info {
+        proxy_pass http://prosody/room-info?prefix=$prefix&$args;
+        proxy_http_version 1.1;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header Host $http_host;
+    }
+
     # ensure all static content can always be found first
     location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
     {
@@ -87,7 +106,7 @@ server {
 
     # BOSH
     location = /http-bind {
-        proxy_pass http://prosody/http-bind?prefix=$prefix&$args;
+        proxy_pass http://$prosody_node/http-bind?prefix=$prefix&$args;
         proxy_http_version 1.1;
         proxy_set_header X-Forwarded-For $remote_addr;
         proxy_set_header Host $http_host;
@@ -96,7 +115,7 @@ server {
 
     # xmpp websockets
     location = /xmpp-websocket {
-        proxy_pass http://prosody/xmpp-websocket?prefix=$prefix&$args;
+        proxy_pass http://$prosody_node/xmpp-websocket?prefix=$prefix&$args;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
@@ -156,6 +175,14 @@ server {
         rewrite ^/(.*)$ /xmpp-websocket;
     }
 
+    location ~ ^/([^/?&:'"]+)/_api/room-info {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+        set $prefix "$1";
+
+        rewrite ^/(.*)$ /_api/room-info;
+    }
+
     # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
     location ~ ^/([^/?&:'"]+)/(.*)$ {
         set $subdomain "$1.";
diff --git a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
index 41a6f5f..ed2cd54 100644
--- a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
+++ b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
@@ -75,8 +75,7 @@ ${PROSODY_MAIN_END}
 ${PROSODY_DOMAIN_START}
 -- This will be managed by __jitsi_meet_domain
 VirtualHost "${JITSI_DOMAIN:?}"
-    -- enabled = false -- Remove this line to enable this host
-    authentication = "anonymous"
+    authentication = "jitsi-anonymous" -- do not delete me
     -- Properties below are modified by jitsi-meet-tokens package config
     -- and authentication above is switched to "token"
     --app_id="example_app_id"
@@ -92,6 +91,7 @@ VirtualHost "${JITSI_DOMAIN:?}"
     av_moderation_component = "avmoderation.${JITSI_DOMAIN:?}"
     speakerstats_component = "speakerstats.${JITSI_DOMAIN:?}"
     conference_duration_component = "conferenceduration.${JITSI_DOMAIN:?}"
+    end_conference_component = "endconference.${JITSI_DOMAIN:?}"
     -- we need bosh
     modules_enabled = {
         "bosh";
@@ -100,9 +100,11 @@ VirtualHost "${JITSI_DOMAIN:?}"
         "speakerstats";
         "external_services";
         "conference_duration";
+        "end_conference";
         "muc_lobby_rooms";
         "muc_breakout_rooms";
         "av_moderation";
+        "room_metadata";
 ${PROSODY_WEBSOCKET}        "websocket";
 ${PROSODY_WEBSOCKET}        "smacks";
     }
@@ -113,6 +115,7 @@ ${PROSODY_WEBSOCKET}        "smacks";
     c2s_require_encryption = false
     lobby_muc = "lobby.${JITSI_DOMAIN:?}"
     breakout_rooms_muc = "breakout.${JITSI_DOMAIN:?}"
+    room_metadata_component = "metadata.${JITSI_DOMAIN:?}"
     main_muc = "conference.${JITSI_DOMAIN:?}"
     -- muc_lobby_whitelist = { "recorder.${JITSI_DOMAIN:?}" } -- Here we can whitelist jibri to enter lobby enabled rooms
 
@@ -136,7 +139,6 @@ Component "breakout.${JITSI_DOMAIN:?}" "muc"
     modules_enabled = {
         "muc_meeting_id";
         "muc_domain_mapper";
-        --"token_verification";
         "muc_rate_limit";
         "polls";
     }
@@ -184,6 +186,9 @@ Component "speakerstats.${JITSI_DOMAIN:?}" "speakerstats_component"
 Component "conferenceduration.${JITSI_DOMAIN:?}" "conference_duration_component"
     muc_component = "conference.${JITSI_DOMAIN:?}"
 
+Component "endconference.${JITSI_DOMAIN:?}" "end_conference"
+    muc_component = "conference.${JITSI_DOMAIN:?}"
+
 Component "avmoderation.${JITSI_DOMAIN:?}" "av_moderation_component"
     muc_component = "conference.${JITSI_DOMAIN:?}"
 
@@ -196,24 +201,11 @@ Component "lobby.${JITSI_DOMAIN:?}" "muc"
         "muc_rate_limit";
         "polls";
     }
-${PROSODY_DOMAIN_END}
 
---[[
--- Enables dial-in for Jitsi meet components customers
--- Note: make sure you have the following packages installed: lua-basexx, liblua5.3-dev, libssl-dev, luarocks
--- and execute $ sudo luarocks install luajwtjitsi 3.0-0
-VirtualHost "jigasi.meet.jitsi"
-    enabled = false -- Jitsi meet components customers remove this line
-    modules_enabled = {
-      "ping";
-      "bosh";
-    }
-    authentication = "token"
-    app_id = "jitsi";
-    asap_key_server = "https://jaas-public-keys.jitsi.net/jitsi-components/prod-8x8"
-    asap_accepted_issuers = { "jaas-components" }
-    asap_accepted_audiences = { "jigasi.jitmeet.example.com" }
---]]
+Component "metadata.${JITSI_DOMAIN:?}" "room_metadata_component"
+    muc_component = "conference.${JITSI_DOMAIN:?}"
+    breakout_rooms_component = "breakout.${JITSI_DOMAIN:?}"
+${PROSODY_DOMAIN_END}
 
 ${PROSODY_SECUREDOMAIN_START}
 -- Only used on secured domains
diff --git a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig
index 6193b04..f651088 100644
--- a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig
+++ b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig
@@ -36,8 +36,7 @@ unlimited_jids = {
 }
 
 VirtualHost "jitmeet.example.com"
-    -- enabled = false -- Remove this line to enable this host
-    authentication = "anonymous"
+    authentication = "jitsi-anonymous" -- do not delete me
     -- Properties below are modified by jitsi-meet-tokens package config
     -- and authentication above is switched to "token"
     --app_id="example_app_id"
@@ -53,6 +52,7 @@ VirtualHost "jitmeet.example.com"
     av_moderation_component = "avmoderation.jitmeet.example.com"
     speakerstats_component = "speakerstats.jitmeet.example.com"
     conference_duration_component = "conferenceduration.jitmeet.example.com"
+    end_conference_component = "endconference.jitmeet.example.com"
     -- we need bosh
     modules_enabled = {
         "bosh";
@@ -61,13 +61,16 @@ VirtualHost "jitmeet.example.com"
         "speakerstats";
         "external_services";
         "conference_duration";
+        "end_conference";
         "muc_lobby_rooms";
         "muc_breakout_rooms";
         "av_moderation";
+        "room_metadata";
     }
     c2s_require_encryption = false
     lobby_muc = "lobby.jitmeet.example.com"
     breakout_rooms_muc = "breakout.jitmeet.example.com"
+    room_metadata_component = "metadata.jitmeet.example.com"
     main_muc = "conference.jitmeet.example.com"
     -- muc_lobby_whitelist = { "recorder.jitmeet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
 
@@ -91,7 +94,6 @@ Component "breakout.jitmeet.example.com" "muc"
     modules_enabled = {
         "muc_meeting_id";
         "muc_domain_mapper";
-        --"token_verification";
         "muc_rate_limit";
         "polls";
     }
@@ -125,6 +127,9 @@ Component "speakerstats.jitmeet.example.com" "speakerstats_component"
 Component "conferenceduration.jitmeet.example.com" "conference_duration_component"
     muc_component = "conference.jitmeet.example.com"
 
+Component "endconference.jitmeet.example.com" "end_conference"
+    muc_component = "conference.jitmeet.example.com"
+
 Component "avmoderation.jitmeet.example.com" "av_moderation_component"
     muc_component = "conference.jitmeet.example.com"
 
@@ -138,17 +143,6 @@ Component "lobby.jitmeet.example.com" "muc"
         "polls";
     }
 
--- Enables dial-in for Jitsi meet components customers
--- Note: make sure you have the following packages installed: lua-basexx, liblua5.3-dev, libssl-dev, luarocks
--- and execute $ sudo luarocks install luajwtjitsi 3.0-0
-VirtualHost "jigasi.meet.jitsi"
-    enabled = false -- Jitsi meet components customers remove this line
-    modules_enabled = {
-      "ping";
-      "bosh";
-    }
-    authentication = "token"
-    app_id = "jitsi";
-    asap_key_server = "https://jaas-public-keys.jitsi.net/jitsi-components/prod-8x8"
-    asap_accepted_issuers = { "jaas-components" }
-    asap_accepted_audiences = { "jigasi.jitmeet.example.com" }
+Component "metadata.jitmeet.example.com" "room_metadata_component"
+    muc_component = "conference.jitmeet.example.com"
+    breakout_rooms_component = "breakout.jitmeet.example.com"

From 239a1f20cf65837cb0ab6ef39d2f3fcc79f0936f Mon Sep 17 00:00:00 2001
From: Evilham <contact@evilham.com>
Date: Tue, 21 Feb 2023 17:07:07 +0100
Subject: [PATCH 30/34] [__runit] Add support for older Devuan systems

---
 type/__runit/manifest | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/type/__runit/manifest b/type/__runit/manifest
index 6ba174c..6e5feca 100755
--- a/type/__runit/manifest
+++ b/type/__runit/manifest
@@ -6,7 +6,14 @@ os="$(cat "${__global}/explorer/os")"
 case "${os}" in
 	debian|devuan)
 		# zero-config sysvinit and systemd compatibility
-		__package runit-run
+		os_version="$(cat "${__global}/explorer/os_version")"
+		debian_package="runit-run"
+		case "${os_version}" in
+			beowulf)
+				debian_package="runit"
+			;;
+		esac
+		__package "${debian_package}"
 	;;
 	freebsd)
 		__key_value \

From 7cd606a52f595f77e39bcffd28da0b0bca1c1079 Mon Sep 17 00:00:00 2001
From: Evilham <contact@evilham.com>
Date: Fri, 21 Apr 2023 11:07:25 +0200
Subject: [PATCH 31/34] __single_binary_service: envvars and user-reuse support

The new --env flag allows type users to pass env files that will be
used to setup environment variables on both sytemd and runit.

While there, also solve a minor issue where users managed by this type
could not be re-used for multiple services.
---
 type/__single_binary_service/man.rst          |  5 ++++
 type/__single_binary_service/manifest         | 23 ++++++++++++++++---
 .../parameter/default/env                     |  0
 .../parameter/optional                        |  1 +
 4 files changed, 26 insertions(+), 3 deletions(-)
 create mode 100644 type/__single_binary_service/parameter/default/env

diff --git a/type/__single_binary_service/man.rst b/type/__single_binary_service/man.rst
index 65b4fc0..464785f 100644
--- a/type/__single_binary_service/man.rst
+++ b/type/__single_binary_service/man.rst
@@ -90,6 +90,11 @@ binary
     If `--unpack` is used, a binary with this name must be unpacked.
     Otherwise, the contents of `--url` will be placed under this binary name.
 
+env
+    An `env` file consiting of `ENVIRONMENT_VARIABLE=VALUE`, one variable per
+    line.
+    Empty lines and those starting with `#` are ignored.
+
 service-args
     Any extra arguments to pass along with `--service-exec`. Beware that any
     service-args having the format `--config=/etc/foo.cfg` should be
diff --git a/type/__single_binary_service/manifest b/type/__single_binary_service/manifest
index 8288b94..e9d1691 100755
--- a/type/__single_binary_service/manifest
+++ b/type/__single_binary_service/manifest
@@ -112,7 +112,7 @@ if [ "${USER}" != "root" ] && \
 		--system \
 		--state "${STATE}" \
 		--home "${USER_HOME_DIR}" \
-		--comment "cdist-managed ${SERVICE_NAME} user" \
+		--comment "cdist-managed service user" \
 		${USER_CREATE_HOME}
 	# Track dependencies
 	service_require="${service_require} __user/${USER}"
@@ -136,11 +136,21 @@ fi
 
 
 
+# These messages will trigger a service restart (overridden for systemd)
+service_config_reload_pattern="^__file${CONFIG_FILE_DEST}"
+
 # This should setup the object in $service_definition_require
 # See above.
 case "${INIT}" in
 	systemd)
 		if [ -z "${SERVICE_DEFINITION}" ]; then
+			SYSTEMD_ENV_FILE="/etc/systemd/system/${SERVICE_NAME}.env"
+			__file "${SYSTEMD_ENV_FILE}" \
+				--mode 0400 \
+				--source "${__object}/parameter/env"
+			# We need to take into account the envionment file for systemd too
+			service_config_reload_pattern="(${service_config_reload_pattern}|^__file${SYSTEMD_ENV_FILE})"
+
 			SERVICE_DEFINITION="$(cat <<EOF
 [Unit]
 Description=${SERVICE_DESCRIPTION}
@@ -153,6 +163,7 @@ User=${USER}
 Group=${GROUP}
 ExecStart=${SERVICE_EXEC}
 Restart=always
+EnvironmentFile=${SYSTEMD_ENV_FILE}
 ${WORKING_DIRECTORY_SYSTEMD}
 
 [Install]
@@ -169,12 +180,18 @@ EOF
 	;;
 	runit|sysvinit)
 		if [ -z "${SERVICE_DEFINITION}" ]; then
+			RUNIT_ENV="$(sed -Ee 's!^([[:alnum:]_]+)=(.*)$!export \1=\2!' "${__object}/parameter/env")"
 			SERVICE_DEFINITION="$(cat <<EOF
 #!/bin/sh -e
 ${WORKING_DIRECTORY_RUNIT}
+# User-provided environment
+${RUNIT_ENV}
+# System vars
 export HOME="\$(getent passwd '${USER}' | cut -d: -f6)"
 export USER="${USER}"
 export GROUP="${GROUP}"
+
+exec 2>&1
 exec chpst -u "${USER}:${GROUP}" ${SERVICE_EXEC}
 EOF
 )"
@@ -279,10 +296,10 @@ EOF
 			--onchange "${perform_service_upgrade}" \
 			--source "-"
 else
-	# We only restart here if there was a config change
+	# We only restart here if there was a config or env change
 	# but there was not a version change
 	require="${service_require}" __check_messages \
 		"single_binary_service_${__object_id}" \
-		--pattern "^__file${CONFIG_FILE_DEST}" \
+		--pattern "${service_config_reload_pattern}" \
 		--execute "$(sv_cmd restart)"
 fi
diff --git a/type/__single_binary_service/parameter/default/env b/type/__single_binary_service/parameter/default/env
new file mode 100644
index 0000000..e69de29
diff --git a/type/__single_binary_service/parameter/optional b/type/__single_binary_service/parameter/optional
index 7c88cb4..e51681b 100644
--- a/type/__single_binary_service/parameter/optional
+++ b/type/__single_binary_service/parameter/optional
@@ -1,4 +1,5 @@
 config-file-source
+env
 user
 group
 state

From 2511218dd6615c6acdddff451a6c2207178f7490 Mon Sep 17 00:00:00 2001
From: Evilham <contact@evilham.com>
Date: Fri, 21 Apr 2023 11:11:03 +0200
Subject: [PATCH 32/34] __runit_service: move logs out of etc

Some systems use etckeeper and having the logs there was not a great
idea to begin with :-).
---
 type/__runit_service/manifest | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/type/__runit_service/manifest b/type/__runit_service/manifest
index 83114fd..548a1de 100755
--- a/type/__runit_service/manifest
+++ b/type/__runit_service/manifest
@@ -33,18 +33,25 @@ if [ "${state}" != "present" ]; then
 	exit
 fi
 
+# Setup run file
+__file --state "${state}" --mode 0550 --source "${source}" \
+	--onchange "sv restart '${sv}' || true" \
+	"${run_file}"
+export require="${require} __file${run_file}"
+
 if [ -f "${__object}/parameter/log" ]; then
 	# Setup logger if requested
-	__directory --parents "${svdir}/${sv}/log/main"
-	export require="${require} __directory${svdir}/${sv}/log/main"
+	logdir="/var/log/runit"
+	__directory --parents "${svdir}/${sv}/log"
+	__directory --state absent "${svdir}/${sv}/log/main"  # Remove lingering old fashioned log
+	__directory --parents "${logdir}/${sv}"
+	export require="${require} __directory${svdir}/${sv}/log __directory${logdir}/${sv}"
 	__file "${svdir}/${sv}/log/run" \
 		--state "${state}" \
 		--mode 0755 \
+		--onchange "sv restart '${sv}/log' || true" \
 		--source "-" <<EOF
 #!/bin/sh
-exec svlogd -tt ./main
+exec svlogd -tt '${logdir}/${sv}'
 EOF
 fi
-
-# Setup run file
-__file --state "${state}" --mode 0755 --source "${source}" "${run_file}"

From f101ea4afa4c3020bda3079e193d963ec4526d43 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= <work@tfloure.ch>
Date: Mon, 19 Feb 2024 12:41:05 +0100
Subject: [PATCH 33/34] [__bird_radv] fix MTU setting, link routing tables to
 __object_id, add preference parameters

---
 type/__bird_radv/man.rst            |  7 +++++++
 type/__bird_radv/manifest           | 22 ++++++++++++++++++----
 type/__bird_radv/parameter/optional |  2 ++
 3 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/type/__bird_radv/man.rst b/type/__bird_radv/man.rst
index 819b213..1448f1d 100644
--- a/type/__bird_radv/man.rst
+++ b/type/__bird_radv/man.rst
@@ -26,6 +26,13 @@ OPTIONAL PARAMETERS
 mtu
   An optional MTU setting to include in the router advertisements.
 
+default-preference
+  This option specifies the Default Router Preference value to advertise to
+  hosts. Default: medium.
+
+route-preference
+  This option specifies the default value of advertised route preference for
+  specific routes. Default: medium.
 
 OPTIONAL MULTIPLE PARAMETERS
 ----------------------------
diff --git a/type/__bird_radv/manifest b/type/__bird_radv/manifest
index aee8690..6c27be0 100755
--- a/type/__bird_radv/manifest
+++ b/type/__bird_radv/manifest
@@ -58,27 +58,41 @@ fi
 MTU=
 if [ -f "${__object:?}/parameter/mtu" ];
 then
-	MTU="link mtu $(cat "${__object:?}/parameter/mtu")"
+	MTU="link mtu $(cat "${__object:?}/parameter/mtu");"
+fi
+
+DEFAULT_PREFERENCE=
+if [ -f "${__object:?}/parameter/default-preference" ];
+then
+	DEFAULT_PREFERENCE="default preference $(cat "${__object:?}/parameter/default-preference");"
+fi
+
+ROUTE_PREFERENCE=
+if [ -f "${__object:?}/parameter/route-preference" ];
+then
+	ROUTE_PREFERENCE="route preference $(cat "${__object:?}/parameter/route-preference");"
 fi
 
 __file "${confdir:?}/radv-${__object_id:?}.conf" \
 	--mode 0640 --owner root --group bird \
 	--source - << EOF
-ipv6 table radv_routes;
+ipv6 table radv_routes_${__object_id};
 
 protocol static {
 	description "Routes advertised via RAs";
-	ipv6 { table radv_routes; };
+	ipv6 { table radv_routes_${__object_id}; };
 
 $(sed -e 's/^/\troute /' -e 's/$/ unreachable;/' "${__object:?}/parameter/route")
 }
 
 protocol radv ${__object_id:?} {
 	propagate routes ${have_routes:?};
-	ipv6 { table radv_routes; export all; };
+	ipv6 { table radv_routes_${__object_id}; export all; };
 
 	interface "$(cat "${__object:?}/parameter/interface")" {
 	$MTU
+	$DEFAULT_PREFERENCE
+	$ROUTE_PREFERENCE
 	};
 
 $RDNS
diff --git a/type/__bird_radv/parameter/optional b/type/__bird_radv/parameter/optional
index ee48c5c..87494d7 100644
--- a/type/__bird_radv/parameter/optional
+++ b/type/__bird_radv/parameter/optional
@@ -1 +1,3 @@
 mtu
+default-preference
+route-preference

From f01f110463da30ed3ff87d9aea448fc4f472433a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= <work@tfloure.ch>
Date: Wed, 21 Feb 2024 13:38:08 +0100
Subject: [PATCH 34/34] [__bird_radv] add --default-lifetime parameter

---
 type/__bird_radv/man.rst            | 5 +++++
 type/__bird_radv/manifest           | 7 +++++++
 type/__bird_radv/parameter/optional | 1 +
 3 files changed, 13 insertions(+)

diff --git a/type/__bird_radv/man.rst b/type/__bird_radv/man.rst
index 1448f1d..27362aa 100644
--- a/type/__bird_radv/man.rst
+++ b/type/__bird_radv/man.rst
@@ -34,6 +34,11 @@ route-preference
   This option specifies the default value of advertised route preference for
   specific routes. Default: medium.
 
+default-lifetime
+  This option specifies the time (in seconds) how long (since the receipt of RA)
+  hosts may use the router as a default router. 0 means do not use as a default
+  router. Default: 3.
+
 OPTIONAL MULTIPLE PARAMETERS
 ----------------------------
 route
diff --git a/type/__bird_radv/manifest b/type/__bird_radv/manifest
index 6c27be0..ed04028 100755
--- a/type/__bird_radv/manifest
+++ b/type/__bird_radv/manifest
@@ -73,6 +73,12 @@ then
 	ROUTE_PREFERENCE="route preference $(cat "${__object:?}/parameter/route-preference");"
 fi
 
+DEFAULT_LIFETIME=
+if [ -f "${__object:?}/parameter/default-lifetime" ];
+then
+	DEFAULT_LIFETIME="default lifetime $(cat "${__object:?}/parameter/default-lifetime");"
+fi
+
 __file "${confdir:?}/radv-${__object_id:?}.conf" \
 	--mode 0640 --owner root --group bird \
 	--source - << EOF
@@ -91,6 +97,7 @@ protocol radv ${__object_id:?} {
 
 	interface "$(cat "${__object:?}/parameter/interface")" {
 	$MTU
+	$DEFAULT_LIFETIME
 	$DEFAULT_PREFERENCE
 	$ROUTE_PREFERENCE
 	};
diff --git a/type/__bird_radv/parameter/optional b/type/__bird_radv/parameter/optional
index 87494d7..51058a7 100644
--- a/type/__bird_radv/parameter/optional
+++ b/type/__bird_radv/parameter/optional
@@ -1,3 +1,4 @@
 mtu
 default-preference
 route-preference
+default-lifetime