From 51d0b817fe0e56a733cd1b445b81321831b0c4f3 Mon Sep 17 00:00:00 2001 From: Evilham Date: Fri, 18 Jun 2021 20:52:58 +0200 Subject: [PATCH 01/47] [__single_binary_service] Type to manage very simple services. --- explorer/explorer-version | 10 +++ manifest | 158 +++++++++++++++++++++++++++++++++ parameter/boolean | 1 + parameter/default/service-args | 0 parameter/default/state | 1 + parameter/default/user | 1 + parameter/optional | 8 ++ parameter/optional_multiple | 1 + parameter/required | 3 + 9 files changed, 183 insertions(+) create mode 100755 explorer/explorer-version create mode 100755 manifest create mode 100644 parameter/boolean create mode 100644 parameter/default/service-args create mode 100644 parameter/default/state create mode 100644 parameter/default/user create mode 100644 parameter/optional create mode 100644 parameter/optional_multiple create mode 100644 parameter/required diff --git a/explorer/explorer-version b/explorer/explorer-version new file mode 100755 index 0000000..690cc5f --- /dev/null +++ b/explorer/explorer-version @@ -0,0 +1,10 @@ +#!/bin/sh -e + +BIN_PREFIX="/usr/local/bin" +SERVICE_NAME="${__object_id}" + +VERSION_FILE="${BIN_PREFIX}/.${SERVICE_NAME}.cdist.version" + +if [ -f "${VERSION_FILE}" ]; then + cat "${VERSION_FILE}" +fi diff --git a/manifest b/manifest new file mode 100755 index 0000000..d5df410 --- /dev/null +++ b/manifest 
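Review bot: `VERSION_FILE` is assembled here from a hard-coded `BIN_PREFIX` plus `.${SERVICE_NAME}.cdist.version`, and the manifest in the same commit builds the identical path on its own (`BIN_DIR`, `VERSION_FILE`); if either copy drifts the explorer prints nothing, the version comparison mismatches forever, and every cdist run re-downloads and reinstalls the service. Name the constant the same on both sides and mark the coupling, e.g. `BIN_DIR="/usr/local/bin"  # must match VERSION_FILE in the manifest`. `__object_id` is also used unvalidated as a path component; if an id containing `/` can reach this type the tombstone lands in an unexpected directory, so a cheap `case "${__object_id}" in */*) echo "invalid service name" >&2; exit 1;; esac` guard in the manifest would be worth it.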
@@ -0,0 +1,158 @@ +#!/bin/sh -e + +BIN_DIR="/usr/local/bin" + +# Ensure the target bin dir exists +__directory "${BIN_DIR}" \ + --mode 0755 +export require="${require} __directory${BIN_DIR}" + +STATE="$(cat "${__object}/parameter/state")" +USER="$(cat "${__object}/parameter/user")" +GROUP="$(cat "${__object}/parameter/group" 2>/dev/null || true)" +if [ -z "${GROUP}" ]; then + GROUP="${USER}" +fi + +SERVICE_NAME="${__object_id}" + +BINARY="$(cat "${__object}/parameter/binary" 2>/dev/null || true)" +if [ -z "${BINARY}" ]; then + BINARY="${SERVICE_NAME}" +fi +EXTRA_BINARIES="$(cat "${__object}/parameter/extra-binary" 2>/dev/null || true)" +# This only makes sense for file archives +if [ -n "${EXTRA_BINARIES}" ] && [ -f "${__object}/parameter/unpack" ]; then + cat >> /dev/stderr <<-EOF + You cannot specify extra binaries without the --unpack argument. + Make sure that the --url argument points to a file archive. +EOF +fi + +SERVICE_EXEC="$(cat "${__object}/parameter/service-exec" 2>/dev/null || true)" +if [ -z "${SERVICE_EXEC}" ]; then + SERVICE_EXEC="${BIN_DIR}/${BINARY}" +fi +SERVICE_EXEC="${SERVICE_EXEC} $(cat "${__object}/parameter/service-args")" + +SERVICE_DESCRIPTION="$(cat "${__object}/parameter/service-description" \ + 2>/dev/null || true)" +if [ -z "${SERVICE_DESCRIPTION}" ]; then + SERVICE_DESCRIPTION="cdist-managed '${SERVICE_NAME}' service" +fi + +DOWNLOAD_URL="$(cat "${__object}/parameter/url")" +CHECKSUM="$(cat "${__object}/parameter/checksum")" +SHOULD_VERSION="$(cat "${__object}/parameter/version")" + +# Create a user for the service if it is not root +if [ "${USER}" != "root" ]; then + __user "${USER}" \ + --system \ + --state "${STATE}" \ + --home /nonexistent \ + --comment "cdist-managed ${SERVICE_NAME} user" + # Track dependencies + service_require="${service_require} __user/${USER}" +fi + +# TODO: Support non-systemd +__systemd_unit "${SERVICE_NAME}.service" \ + --source "-" \ + --state "${STATE}" \ + --enablement-state "enabled" </dev/null || 
true)" + # Download packed file + __download "${TMP_PATH}.tar.gz" \ + --url "${DOWNLOAD_URL}" \ + --download remote \ + --sum "${CHECKSUM}" + + # Unpack file and also perform service upgrade + # shellcheck disable=SC2086 + require="__download${TMP_PATH}.tar.gz" \ + __unpack "${TMP_PATH}.tar.gz" \ + ${UNPACK_ARGS} \ + --destination "${TMP_PATH}" \ + --onchange "$(cat < Date: Fri, 18 Jun 2021 22:01:45 +0200 Subject: [PATCH 02/47] [__single_binary_service] Add manpage, config-file and better absent With these changes the type is good for general consumption (modulo the limitations mentioned in the manpage under TODO). --- man.rst | 169 +++++++++++++++++++++++++++++++++++++++++++++ manifest | 39 ++++++++++- parameter/boolean | 1 + parameter/optional | 1 + 4 files changed, 208 insertions(+), 2 deletions(-) create mode 100644 man.rst diff --git a/man.rst b/man.rst new file mode 100644 index 0000000..8f384bf --- /dev/null +++ b/man.rst 
@@ -0,0 +1,169 @@ +cdist-type__evilham_single_binary_service(7) +============================================ + +NAME +---- +cdist-type__evilham_single_binary_service - Setup a single-binary service + + +DESCRIPTION +----------- +This type is designed to easily deploy and configure a single-binary service +named `${__object_id}`. + +A good example of this are Prometheus exporters. + +This type makes certain assumptions that might not be correct on your system. +If you need more flexibility, please get in touch and provide a use-case +(and hopefully a backwards-compatible patch). + +This type will place the downloaded binary and, if requested, other extra +binaries in `/usr/local/bin`. + +If a `--config-file-source` is provided, it will be placed under: +`/etc/${__object_id}.conf`. + +TODO (patches welcome!): +- It currently only supports `.tar.gz` archives. +- It currently only supports systemd units. +- Does not handle properly BSD-systems (wheel group, /usr/local/etc, systemd) + + +REQUIRED PARAMETERS +------------------- +checksum + This will be passed verbatim to `__download(7)`. + Use something like `sha256:...`. + +url + This will be passed verbatim to `__download(7)`. + +version + This type will use a thumbstone file with a "version" number to track + whether or not a service must be updated. + This thumbstone file is placed under + `/usr/local/bin/.${__object_id}.cdist.version`. + + +BOOLEAN PARAMETERS +------------------ +unpack + If present, the contents of `--url` will be treated as an archive to be + unpacked with `__unpack(7)`. + See also `--unpack-args` and `--extra-binary`. + +do-not-manage-user + Always considered present when `--user` is `root`. + If present, the user in `--user` will not be managed by this type with + `__user`, this means it *must* exist beforehand when installing the service + and it will not be removed by this type. 
+ + +OPTIONAL PARAMETERS +------------------- +config-file-source + If present, this file's contents will be placed under + `/etc/${__object_id}.conf` with permissions `0440` and ownership assigned to + `--user` and `--group`. + If `-` is passed, this type's `stdin` will be used. + +user + The user under which the service will run. Defaults to `root`. + If this user is not `root` and `--do-not-manage-user` is not present, + this user will be created or removed as per the `--state` parameter. + +group + The group under which the service will run. Defaults to `--user`. + +state + Whether the service is to be `present` (default) or `absent`. + When `absent`, this type will clean any binaries listed in `--extra-binary` + and also the config file as described in `--config-file-source`. + +binary + This will be the binary name. Defaults to `${__object_id}`. + If `--unpack` is used, a binary with this name must be unpacked. + Otherwise, the contents of `--url` will be placed under this binary name. + +service-args + Any extra arguments to pass along with `--service-exec`. + +service-exec + The executable to use for this service. + Defaults to `/usr/local/bin/BINARY_NAME` where `BINARY_NAME` is the + resulting value of `--binary`. + +service-description + The service description to be used in, e.g. the systemd unit file. + Defaults to `cdist-managed '${__object_id}' service`. + +unpack-args + Only has an effect if `--unpack` is used. + These arguments will be passed verbatim to `__unpack(7)`. + Very useful as this type assumes the archive does not have the binaries in + subdirectories; that can be worked around with + `--unpack-args '--tar-strip 1'`. + + +OPTIONAL MULTIPLE PARAMETERS +---------------------------- +extra-binary + Only useful with `--unpack`. + If passed, these binaries will also be installed when `--state` is `present` + and removed when `--state` is `absent`. + Handle with care :-). + + +EXAMPLES +-------- + +.. 
code-block:: sh + + # Install and enable the ipmi_exporter service + # The variables are defined in the manifest previously + __evilham_single_binary_service ipmi_exporter \ + --user "${USER}" \ + --service-args ' --config.file=/etc/ipmi_exporter.conf' \ + --version "${SHOULD_VERSION}" \ + --checksum "${CHECKSUM}" \ + --url "${DOWNLOAD_URL}" \ + --state "present" \ + --unpack \ + --unpack-args "--tar-strip 1" \ + --config-file-source '-' <<-EOF + # Remotely managed, changes will be lost + # [...] config contents goes here + EOF + + # Remove the ipmi_exporter service along with the user and its config + __evilham_single_binary_service ipmi_exporter \ + --user "${USER}" \ + --version "${SHOULD_VERSION}" \ + --checksum "${CHECKSUM}" \ + --url "${DOWNLOAD_URL}" \ + --state "absent" + + # Same, but the service was using my user! Let's not delete that! + __evilham_single_binary_service ipmi_exporter \ + --user "evilham" \ + --do-not-manage-user \ + --version "${SHOULD_VERSION}" \ + --checksum "${CHECKSUM}" \ + --url "${DOWNLOAD_URL}" \ + --state "absent" + + +SEE ALSO +-------- +- `__download(7)` +- `__unpack(7)` + + +AUTHORS +------- +Evilham + + +COPYING +------- +Copyright \(C) 2021 Evilham. diff --git a/manifest b/manifest index d5df410..e279a05 100755 --- a/manifest +++ b/manifest @@ -1,9 +1,12 @@ #!/bin/sh -e BIN_DIR="/usr/local/bin" +ETC_DIR="/etc" # Ensure the target bin dir exists +# Care, we never want to remove it :-D __directory "${BIN_DIR}" \ + --state "exists" \ --mode 0755 export require="${require} __directory${BIN_DIR}" 
@@ -46,8 +49,13 @@ CHECKSUM="$(cat "${__object}/parameter/checksum")" SHOULD_VERSION="$(cat "${__object}/parameter/version")" # Create a user for the service if it is not root -if [ "${USER}" != "root" ]; then - __user "${USER}" \ +if [ "${USER}" != "root" ] && \ + [ ! -f "${__object}/parameter/do-not-manage-user" ]; then + if [ "${STATE}" = "absent" ]; then + # When removing, ensure user is not being used + user_require="__systemd_unit/${SERVICE_NAME}.service" + fi + require="${require} ${user_require}" __user "${USER}" \ --system \ --state "${STATE}" \ --home /nonexistent \ @@ -56,10 +64,29 @@ if [ "${USER}" != "root" ]; then service_require="${service_require} __user/${USER}" fi +# Place config file if necessary +CONFIG_FILE_DEST="${ETC_DIR}/${SERVICE_NAME}.conf" +CONFIG_FILE_SOURCE="$(cat "${__object}/parameter/config-file-source" 2>/dev/null || true)" +if [ "${CONFIG_FILE_SOURCE}" = "-" ]; then + CONFIG_FILE_SOURCE="${__object}/stdin" +fi +if [ -n "${CONFIG_FILE_SOURCE}" ] && [ "${STATE}" = "present" ]; then + require="${require} __user/${USER}" __file \ + "${CONFIG_FILE_DEST}" \ + --owner "${USER}" \ + --group "${GROUP}" \ + --mode "0440" \ + --source "${CONFIG_FILE_SOURCE}" + service_required="${service_required} __file${CONFIG_FILE_DEST}" +fi + + + # TODO: Support non-systemd __systemd_unit "${SERVICE_NAME}.service" \ --source "-" \ --state "${STATE}" \ + --restart \ --enablement-state "enabled" < Date: Wed, 4 Aug 2021 20:27:08 +0200 Subject: [PATCH 03/47] [__single_binary_service] Adapt bug fixes proposed by pedro there are several typos, some style issues and now there is at most one service restart in all cases. Submitted by: pedro --- gencode-remote | 21 ++++++++++++++++ man.rst | 4 ++- manifest | 68 +++++++++++++++++++++++++++++--------------------- 3 files changed, 64 insertions(+), 29 deletions(-) create mode 100644 gencode-remote diff --git a/gencode-remote b/gencode-remote new file mode 100644 index 0000000..fe769fa --- /dev/null 
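Review bot: The new condition skips `__user` when `--do-not-manage-user` is given (or the user is root), but the config-file block added further down in this same commit still names `__user/${USER}` as a hard dependency (`require="${require} __user/${USER}" __file`), which would then reference an object that was never created; make that require conditional on the user actually being managed, for instance by reusing `${service_require}`, which is only extended inside this `if`. `user_require` is assigned only on the absent path and otherwise relied on being unset, which works under `sh -e` but breaks the moment `-u` is added; initialise it with `user_require=""` above the `if`.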
+++ b/gencode-remote @@ -0,0 +1,21 @@ +#!/bin/sh -e + +STATE="$(cat "${__object}/parameter/state")" +if [ "${STATE}" != "present" ]; then + exit +fi + +ETC_DIR="/etc" +SERVICE_NAME="${__object_id}" +CONFIG_FILE_DEST="${ETC_DIR}/${SERVICE_NAME}.conf" + +BIN_DIR="/usr/local/bin" +VERSION_FILE="${BIN_DIR}/.${SERVICE_NAME}.cdist.version" + +# We only restart here if there was a config change +# but there was not a version change +if grep -qE "^__file${CONFIG_FILE_DEST}" "${__messages_in}" && \ + grep -qvE "^__file${VERSION_FILE}" "${__messages_in}"; then + echo "service ${SERVICE_NAME} restart" +fi + diff --git a/man.rst b/man.rst index 8f384bf..804b465 100644 --- a/man.rst +++ b/man.rst @@ -86,7 +86,9 @@ binary Otherwise, the contents of `--url` will be placed under this binary name. service-args - Any extra arguments to pass along with `--service-exec`. + Any extra arguments to pass along with `--service-exec`. Beware that any + service-args having the format `--config=/etc/foo.cfg` should be + represented in the following way `--service-exec='--config=/etc/foo.cfg'` service-exec The executable to use for this service. diff --git a/manifest b/manifest index e279a05..be967eb 100755 --- a/manifest +++ b/manifest @@ -1,5 +1,20 @@ #!/bin/sh -e +OS="$(cat "${__global}/explorer/os")" + +case "${OS}" in + debian) + SUPER_USER_GROUP=root + ;; + *bsd) + SUPER_USER_GROUP=wheel + ;; + *) + echo "Your OS '${OS}' is currently not supported." >&2 + exit 1 + ;; +esac + BIN_DIR="/usr/local/bin" ETC_DIR="/etc" @@ -26,7 +41,7 @@ fi EXTRA_BINARIES="$(cat "${__object}/parameter/extra-binary" 2>/dev/null || true)" # This only makes sense for file archives if [ -n "${EXTRA_BINARIES}" ] && [ -f "${__object}/parameter/unpack" ]; then - cat >> /dev/stderr <<-EOF + cat >&2 <<-EOF You cannot specify extra binaries without the --unpack argument. Make sure that the --url argument points to a file archive. EOF 
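Review bot: The "no version change" test at `grep -qvE "^__file${VERSION_FILE}" "${__messages_in}"` does not do what the comment above it says: `grep -v -q` succeeds as soon as any line fails to match, so whenever the first `grep` found the config message this condition is true as well and the service is restarted even on a version bump, which is exactly the double restart the commit message says it removes. It should be `! grep -qE "^__file${VERSION_FILE}" "${__messages_in}"`. The file also re-declares `ETC_DIR`, `BIN_DIR`, `CONFIG_FILE_DEST` and `VERSION_FILE` from the manifest; a comment such as `# keep in sync with manifest` on those lines would at least flag the coupling.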
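Review bot: The redirect fix is fine, but the check it sits in is inverted: `if [ -n "${EXTRA_BINARIES}" ] && [ -f "${__object}/parameter/unpack" ]` fires for the valid combination (extra binaries with `--unpack`), while the invalid one the message describes passes silently and, presumably, only fails later in the remote copy loop when the files do not exist. The test should be `[ ! -f "${__object}/parameter/unpack" ]`, and since the text says "cannot", the block should end with `exit 1` after the `EOF` line rather than carrying on.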
@@ -36,7 +51,8 @@ SERVICE_EXEC="$(cat "${__object}/parameter/service-exec" 2>/dev/null || true)" if [ -z "${SERVICE_EXEC}" ]; then SERVICE_EXEC="${BIN_DIR}/${BINARY}" fi -SERVICE_EXEC="${SERVICE_EXEC} $(cat "${__object}/parameter/service-args")" +SERVICE_ARGS="$(cat "${__object}/parameter/service-args")" +SERVICE_EXEC="${SERVICE_EXEC} ${SERVICE_ARGS}" SERVICE_DESCRIPTION="$(cat "${__object}/parameter/service-description" \ 2>/dev/null || true)" @@ -77,17 +93,19 @@ if [ -n "${CONFIG_FILE_SOURCE}" ] && [ "${STATE}" = "present" ]; then --group "${GROUP}" \ --mode "0440" \ --source "${CONFIG_FILE_SOURCE}" - service_required="${service_required} __file${CONFIG_FILE_DEST}" + service_require="${service_require} __file${CONFIG_FILE_DEST}" fi +INIT="$(cat "${__global}/explorer/init")" # TODO: Support non-systemd -__systemd_unit "${SERVICE_NAME}.service" \ - --source "-" \ - --state "${STATE}" \ - --restart \ - --enablement-state "enabled" <&2 + exit 1 + ;; +esac # Proceed after user and service description have been prepared export require="${require} ${service_require}" -# Perform a service restart if config has changed -if [ "${STATE}" = "present" ]; then - __check_messages "${SERVICE_NAME}_config" \ - --pattern "^__file${CONFIG_FILE_DEST}" \ - --execute "service ${SERVICE_NAME} restart" -fi - VERSION_FILE="${BIN_DIR}/.${SERVICE_NAME}.cdist.version" IS_VERSION="$(cat "${__object}/explorer/explorer-version")" @@ -130,8 +148,7 @@ if [ "${SHOULD_VERSION}" != "${IS_VERSION}" ] && \ service ${SERVICE_NAME} stop || true for bin_file in ${BINARY} ${EXTRA_BINARIES}; do bin_path="${TMP_PATH}/\${bin_file}" - # TODO: on the BSDs, the super user group is wheel - chown root:root "\${bin_path}" + chown root:${SUPER_USER_GROUP} "\${bin_path}" chmod 0555 "\${bin_path}" cp -af "\${bin_path}" "${BIN_DIR}/\${bin_file}" done 
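Review bot: In the remote upgrade loop the `chown` change is correct, but the surrounding sequence `service ${SERVICE_NAME} stop || true` followed by `cp -af "\${bin_path}" "${BIN_DIR}/\${bin_file}"` has a failure mode the `|| true` hides: if the stop did not actually take effect, copying over a running executable fails with "Text file busy" on Linux and the loop aborts half-way, leaving a mixed set of old and new binaries in `BIN_DIR`. Renaming into place, `mv -f "\${bin_path}" "${BIN_DIR}/\${bin_file}"`, replaces the directory entry atomically and works even while the old binary is still executing; the `chmod 0555` and `chown` already happen on the staged copy so nothing else changes. The heredoc that generates this script starts and ends outside the hunk.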
@@ -154,39 +171,34 @@ EOF require="__download${TMP_PATH}.tar.gz" \ __unpack "${TMP_PATH}.tar.gz" \ ${UNPACK_ARGS} \ - --destination "${TMP_PATH}" \ - --onchange "$(cat < Date: Wed, 4 Aug 2021 21:00:52 +0200 Subject: [PATCH 04/47] [__single_binary_service] Support customisation of systemd units Requested by pedro --- manifest | 14 ++++++++++---- parameter/optional | 1 + 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/manifest b/manifest index be967eb..fe9ef74 100755 --- a/manifest +++ b/manifest @@ -60,6 +60,8 @@ if [ -z "${SERVICE_DESCRIPTION}" ]; then SERVICE_DESCRIPTION="cdist-managed '${SERVICE_NAME}' service" fi +SERVICE_DEFINITION="$(cat "${__object}/parameter/service-definition" 2>/dev/null || true)" + DOWNLOAD_URL="$(cat "${__object}/parameter/url")" CHECKSUM="$(cat "${__object}/parameter/checksum")" SHOULD_VERSION="$(cat "${__object}/parameter/version")" @@ -102,10 +104,8 @@ INIT="$(cat "${__global}/explorer/init")" # TODO: Support non-systemd case "${INIT}" in systemd) - __systemd_unit "${SERVICE_NAME}.service" \ - --source "-" \ - --state "${STATE}" \ - --enablement-state "enabled" < Date: Wed, 4 Aug 2021 21:02:37 +0200 Subject: [PATCH 05/47] [__single_binary_service] Do not use echo echo echo --- manifest | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/manifest b/manifest index fe9ef74..e05b630 100755 --- a/manifest +++ b/manifest 
@@ -123,10 +123,12 @@ WantedBy=multi-user.target EOF )" fi - echo ${SERVICE_DEFINITION} | __systemd_unit "${SERVICE_NAME}.service" \ + __systemd_unit "${SERVICE_NAME}.service" \ --source "-" \ --state "${STATE}" \ - --enablement-state "enabled" + --enablement-state "enabled" < Date: Sat, 30 Oct 2021 15:36:49 +0200 Subject: [PATCH 06/47] [__single_binary_service] Many improvements + runit support Amongst other things compressed files can be of a type other than .tar.gz (it remains the default) and we now properly support runit services, FreeBSD and Devuan. --- gencode-remote | 21 ---- man.rst | 27 ++++- manifest | 173 +++++++++++++++++++++-------- parameter/default/unpack-extension | 1 + parameter/default/user-home-dir | 1 + parameter/optional | 3 + 6 files changed, 152 insertions(+), 74 deletions(-) delete mode 100644 gencode-remote create mode 100644 parameter/default/unpack-extension create mode 100644 parameter/default/user-home-dir diff --git a/gencode-remote b/gencode-remote deleted file mode 100644 index fe769fa..0000000 --- a/gencode-remote +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/sh -e - -STATE="$(cat "${__object}/parameter/state")" -if [ "${STATE}" != "present" ]; then - exit -fi - -ETC_DIR="/etc" -SERVICE_NAME="${__object_id}" -CONFIG_FILE_DEST="${ETC_DIR}/${SERVICE_NAME}.conf" - -BIN_DIR="/usr/local/bin" -VERSION_FILE="${BIN_DIR}/.${SERVICE_NAME}.cdist.version" - -# We only restart here if there was a config change -# but there was not a version change -if grep -qE "^__file${CONFIG_FILE_DEST}" "${__messages_in}" && \ - grep -qvE "^__file${VERSION_FILE}" "${__messages_in}"; then - echo "service ${SERVICE_NAME} restart" -fi - diff --git a/man.rst b/man.rst index 804b465..cb40330 100644 --- a/man.rst +++ b/man.rst 
@@ -23,10 +23,8 @@ binaries in `/usr/local/bin`. If a `--config-file-source` is provided, it will be placed under: `/etc/${__object_id}.conf`. -TODO (patches welcome!): -- It currently only supports `.tar.gz` archives. -- It currently only supports systemd units. -- Does not handle properly BSD-systems (wheel group, /usr/local/etc, systemd) +This type supports services managed by `__runit(7)` when `systemd` is not +the init system being used. REQUIRED PARAMETERS @@ -72,6 +70,13 @@ user If this user is not `root` and `--do-not-manage-user` is not present, this user will be created or removed as per the `--state` parameter. +user-home-dir + Does not have an effect if `--do-not-manage-user` is used or `--user` is + `root`. + The home directory of the service user. It will be created. + Defaults to `/nonexistent`, in this case the home directory will not be + created. + group The group under which the service will run. Defaults to `--user`. @@ -95,6 +100,13 @@ service-exec Defaults to `/usr/local/bin/BINARY_NAME` where `BINARY_NAME` is the resulting value of `--binary`. +service-definition + The service definition to be used as an override. + Note that this type decides dinammically between runit and systemd, and + you can currently only define either a systemd unit or a runit script here. + Use this parameter only for testing and get in touch to discuss how your + particular use-case can be supported by the type. + service-description The service description to be used in, e.g. the systemd unit file. Defaults to `cdist-managed '${__object_id}' service`. @@ -106,6 +118,13 @@ unpack-args subdirectories; that can be worked around with `--unpack-args '--tar-strip 1'`. +unpack-extension + Only has an effect if `--unpack` is used. + The file extension of the file to unpack, defaults to `.tar.gz`. + +working-directory + If set, the working directory with which the service will be started. + OPTIONAL MULTIPLE PARAMETERS ---------------------------- 
diff --git a/manifest b/manifest index e05b630..8288b94 100755 --- a/manifest +++ b/manifest @@ -1,22 +1,43 @@ #!/bin/sh -e +SERVICE_NAME="${__object_id}" OS="$(cat "${__global}/explorer/os")" case "${OS}" in - debian) - SUPER_USER_GROUP=root - ;; - *bsd) - SUPER_USER_GROUP=wheel - ;; - *) - echo "Your OS '${OS}' is currently not supported." >&2 - exit 1 - ;; + debian|devuan) + SUPER_USER_GROUP=root + ETC_DIR="/etc" + ;; + *bsd) + SUPER_USER_GROUP=wheel + ETC_DIR="/usr/local/etc" + ;; + *) + echo "Your OS '${OS}' is currently not supported." >&2 + exit 1 + ;; +esac +INIT="$(cat "${__global}/explorer/init")" + +case "${INIT}" in + systemd) + service_definition_require="__systemd_unit/${SERVICE_NAME}.service" + service_command="service ${SERVICE_NAME} %s" + ;; + runit|sysvinit) + # We will use runit to manage these services + __runit + export require="__runit" + service_definition_require="__runit_service/${SERVICE_NAME}" + service_command="sv %s ${SERVICE_NAME}" + ;; + *) + echo "Init system ${INIT}' is currently not supported." >&2 + exit 1 + ;; esac BIN_DIR="/usr/local/bin" -ETC_DIR="/etc" # Ensure the target bin dir exists # Care, we never want to remove it :-D @@ -29,10 +50,13 @@ STATE="$(cat "${__object}/parameter/state")" USER="$(cat "${__object}/parameter/user")" GROUP="$(cat "${__object}/parameter/group" 2>/dev/null || true)" if [ -z "${GROUP}" ]; then - GROUP="${USER}" + if [ "${USER}" != "root" ]; then + GROUP="${USER}" + else + GROUP="${SUPER_USER_GROUP}" + fi fi -SERVICE_NAME="${__object_id}" BINARY="$(cat "${__object}/parameter/binary" 2>/dev/null || true)" if [ -z "${BINARY}" ]; then 
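Review bot: The new error path `echo "Init system ${INIT}' is currently not supported." >&2` is missing its opening quote; it should read `echo "Init system '${INIT}' is currently not supported." >&2` to match the OS message above it. `service_command` carries a `%s` placeholder, which suggests it is later expanded with `printf` (the helper is not in this hunk); a service name containing `%` would then corrupt the generated command, and the same `SERVICE_NAME` is embedded unquoted in the remote upgrade loop, so a guard near the top rejecting `%`, whitespace and `/` in `${__object_id}` is worth adding. `export require="__runit"` replaces rather than extends any `require` already in the environment — presumably intended for the first object in this type, but worth a comment.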
@@ -62,22 +86,34 @@ fi SERVICE_DEFINITION="$(cat "${__object}/parameter/service-definition" 2>/dev/null || true)" +WORKING_DIRECTORY_PATH="$(cat "${__object}/parameter/working-directory" 2>/dev/null || true)" +if [ -n "${WORKING_DIRECTORY_PATH}" ]; then + WORKING_DIRECTORY_SYSTEMD="WorkingDirectory=${WORKING_DIRECTORY_PATH}" + WORKING_DIRECTORY_RUNIT="cd '${WORKING_DIRECTORY_PATH}'" +fi + DOWNLOAD_URL="$(cat "${__object}/parameter/url")" CHECKSUM="$(cat "${__object}/parameter/checksum")" SHOULD_VERSION="$(cat "${__object}/parameter/version")" # Create a user for the service if it is not root +USER_HOME_DIR="/root" if [ "${USER}" != "root" ] && \ [ ! -f "${__object}/parameter/do-not-manage-user" ]; then if [ "${STATE}" = "absent" ]; then # When removing, ensure user is not being used - user_require="__systemd_unit/${SERVICE_NAME}.service" + user_require="${service_definition_require}" + fi + USER_HOME_DIR="$(cat "${__object}/parameter/user-home-dir")" + if [ "${USER_HOME_DIR}" != "/nonexistent" ]; then + USER_CREATE_HOME="--create-home" fi require="${require} ${user_require}" __user "${USER}" \ --system \ --state "${STATE}" \ - --home /nonexistent \ - --comment "cdist-managed ${SERVICE_NAME} user" + --home "${USER_HOME_DIR}" \ + --comment "cdist-managed ${SERVICE_NAME} user" \ + ${USER_CREATE_HOME} # Track dependencies service_require="${service_require} __user/${USER}" fi @@ -100,8 +136,8 @@ fi -INIT="$(cat "${__global}/explorer/init")" -# TODO: Support non-systemd +# This should setup the object in $service_definition_require +# See above. case "${INIT}" in systemd) if [ -z "${SERVICE_DEFINITION}" ]; then @@ -117,6 +153,7 @@ User=${USER} Group=${GROUP} ExecStart=${SERVICE_EXEC} Restart=always +${WORKING_DIRECTORY_SYSTEMD} [Install] WantedBy=multi-user.target 
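Review bot: `WORKING_DIRECTORY_RUNIT="cd '${WORKING_DIRECTORY_PATH}'"` splices the operator-supplied path into generated shell inside single quotes, so a path containing `'` yields a run script that is syntactically broken or behaves differently from what was requested; reject it up front with `case "${WORKING_DIRECTORY_PATH}" in *\'*) echo "--working-directory must not contain a single quote" >&2; exit 1;; esac`, and make the generated `cd` fail closed (`cd '...' || exit 1`) so the service never starts in the wrong directory — the run script itself is outside this hunk. `USER_HOME_DIR` is preset to `/root` and only read from the parameter inside the managed-user branch; if that value is consumed by the generated service elsewhere, a non-root service with `--do-not-manage-user` would inherit `/root`, which looks unintended — confirm.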
@@ -129,14 +166,28 @@ EOF --enablement-state "enabled" <&2 - exit 1 - ;; + ;; + runit|sysvinit) + if [ -z "${SERVICE_DEFINITION}" ]; then + SERVICE_DEFINITION="$(cat </dev/null || true)" # Download packed file - __download "${TMP_PATH}.tar.gz" \ + __download "${TMP_PATH}${UNPACK_EXTENSION}" \ --url "${DOWNLOAD_URL}" \ --download remote \ --sum "${CHECKSUM}" # Unpack file and also perform service upgrade # shellcheck disable=SC2086 - require="__download${TMP_PATH}.tar.gz" \ - __unpack "${TMP_PATH}.tar.gz" \ + require="__download${TMP_PATH}${UNPACK_EXTENSION}" \ + __unpack "${TMP_PATH}${UNPACK_EXTENSION}" \ ${UNPACK_ARGS} \ --destination "${TMP_PATH}" - version_bump_require="__unpack${TMP_PATH}.tar.gz" + version_bump_require="__unpack${TMP_PATH}${UNPACK_EXTENSION}" else # Create temp directory __directory "${TMP_PATH}" @@ -196,18 +272,17 @@ EOF # Perform update of cdist-managed version file # And also perform service upgrade + # This is a bug if service_upgrade fails >,< printf "%s" "${SHOULD_VERSION}" | \ require="${version_bump_require}" __file \ "${VERSION_FILE}" \ --onchange "${perform_service_upgrade}" \ --source "-" -fi - -if [ "${STATE}" = "absent" ]; then - # Perform cleanup of generated files - for bin_file in ${BINARY} ${EXTRA_BINARIES}; do - __file "${BIN_DIR}/${bin_file}" --state "absent" - done - __file "${VERSION_FILE}" --state "absent" - __file "${CONFIG_FILE_DEST}" --state "absent" +else + # We only restart here if there was a config change + # but there was not a version change + require="${service_require}" __check_messages \ + "single_binary_service_${__object_id}" \ + --pattern "^__file${CONFIG_FILE_DEST}" \ + --execute "$(sv_cmd restart)" fi diff --git a/parameter/default/unpack-extension b/parameter/default/unpack-extension new file mode 100644 index 0000000..c95e2e9 --- /dev/null +++ b/parameter/default/unpack-extension @@ -0,0 +1 @@ +.tar.gz \ No newline at end of file 
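Review bot: The comment `# This is a bug if service_upgrade fails >,<` records a real ordering problem instead of fixing it: `__file "${VERSION_FILE}"` writes the new version first and only then runs `${perform_service_upgrade}` via `--onchange`, so a failed upgrade leaves the tombstone claiming the new version and the next run takes the new `else` branch and never retries. Since the upgrade script (defined above, outside this hunk) is the only place that knows whether the copy succeeded, have it remove the tombstone when it fails — wrap its steps so that failure ends in `rm -f '${VERSION_FILE}'; exit 1` — or let it write the version file itself as its last step and drop the `__file`-driven bump. `sv_cmd` used in `--execute "$(sv_cmd restart)"` is also defined outside the hunk.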
diff --git a/parameter/default/user-home-dir b/parameter/default/user-home-dir new file mode 100644 index 0000000..4d21ca6 --- /dev/null +++ b/parameter/default/user-home-dir @@ -0,0 +1 @@ +/nonexistent diff --git a/parameter/optional b/parameter/optional index 7c2ca06..7c88cb4 100644 --- a/parameter/optional +++ b/parameter/optional @@ -7,4 +7,7 @@ service-args service-exec service-description service-definition +unpack-extension unpack-args +user-home-dir +working-directory From de2449bfc42fe168f4e2730a66e831b80760403f Mon Sep 17 00:00:00 2001 From: "jinguk.kwon" Date: Sat, 29 Jan 2022 19:07:12 +0900 Subject: [PATCH 07/47] [matrix] update password config when it login --- type/__matrix_synapse/files/homeserver.yaml.sh | 2 ++ type/__matrix_synapse/man.rst | 5 +++++ type/__matrix_synapse/manifest | 1 + type/__matrix_synapse/parameter/boolean | 1 + .../__matrix_synapse/parameter/default/enable-passwordconfig | 1 + 5 files changed, 10 insertions(+) create mode 100644 type/__matrix_synapse/parameter/default/enable-passwordconfig diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh index d719d3f..74ac69c 100755 --- a/type/__matrix_synapse/files/homeserver.yaml.sh +++ b/type/__matrix_synapse/files/homeserver.yaml.sh @@ -2254,6 +2254,8 @@ password_config: # Uncomment to disable password login # #enabled: false + enableed: ${ENABLE_PASSWORDCONFIG:?} + # Uncomment to disable authentication against the local password # database. This is ignored if \`enabled\` is false, and is only useful diff --git a/type/__matrix_synapse/man.rst b/type/__matrix_synapse/man.rst index 0589a5e..d7b5a32 100644 --- a/type/__matrix_synapse/man.rst +++ b/type/__matrix_synapse/man.rst 
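Review bot: The key added as `enableed: ${ENABLE_PASSWORDCONFIG:?}` is misspelled, so it is not read as `password_config.enabled` and password login stays at its default no matter what `--enable-passwordconfig` says; for the SAML2 deployments this commit targets that means the local password form is not actually turned off. It should be `  enabled: ${ENABLE_PASSWORDCONFIG:?}`, and the now-misleading `#enabled: false` example just above it can go.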
@@ -286,6 +286,11 @@ worker-mode processes are called 'workers'. Please read the WORKER MODE section of this manpage before enabling, as extra work and considerations are required. +enable-passwordconfig + For removing user/password tab on login screen. + when it set saml2-login, it remove user/password tab on login-screen. + default is true. + PERFORMANCE ----------- diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index 6a89de6..42ced0d 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest @@ -169,6 +169,7 @@ fi # Registrations and users. ALLOW_GUEST_ACCESS=$(get_boolean_for 'allow-guest-access') ENABLE_REGISTRATIONS=$(get_boolean_for 'enable-registrations') +ENABLE_PASSWORDCONFIG=$(get_boolean_for 'enable-passwordconfig') USER_DIRECTORY_SEARCH_ALL_USERS=$(get_boolean_for 'user-directory-search-all-users') export ALLOW_GUEST_ACCESS ENABLE_REGISTRATIONS USER_DIRECTORY_SEARCH_ALL_USERS diff --git a/type/__matrix_synapse/parameter/boolean b/type/__matrix_synapse/parameter/boolean index ac87271..1bd2dc7 100644 --- a/type/__matrix_synapse/parameter/boolean +++ b/type/__matrix_synapse/parameter/boolean @@ -18,3 +18,4 @@ enable-message-retention-policy worker-mode enable-url-preview enable-3pid-lookups +enable-passwordconfig diff --git a/type/__matrix_synapse/parameter/default/enable-passwordconfig b/type/__matrix_synapse/parameter/default/enable-passwordconfig new file mode 100644 index 0000000..27ba77d --- /dev/null +++ b/type/__matrix_synapse/parameter/default/enable-passwordconfig @@ -0,0 +1 @@ +true From 4fdba43dd65b785601372c31ba76f5eb80df1aea Mon Sep 17 00:00:00 2001 From: Joachim Desroches Date: Thu, 20 Jan 2022 12:39:55 +0100 Subject: [PATCH 08/47] [__matrix_synapse]: typos in manpage. --- type/__matrix_synapse/man.rst | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/type/__matrix_synapse/man.rst b/type/__matrix_synapse/man.rst index 0589a5e..d13e80a 100644 
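Review bot: `ENABLE_PASSWORDCONFIG=$(get_boolean_for 'enable-passwordconfig')` is added, but the `export ALLOW_GUEST_ACCESS ENABLE_REGISTRATIONS USER_DIRECTORY_SEARCH_ALL_USERS` line directly below it is unchanged, so if homeserver.yaml.sh runs as a child process like the other exported flags suggest, its `${ENABLE_PASSWORDCONFIG:?}` aborts with an unset-variable error; append the name to that export line. Separately, the parameter is listed in `parameter/boolean` yet also given a `parameter/default/enable-passwordconfig` of `true` — cdist boolean parameters are presence flags, so that default is presumably ignored; if the intended default is "password login on", invert the flag (e.g. `disable-passwordconfig`) so that existing deployments that never pass the option keep their current behaviour — confirm against `get_boolean_for`.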
--- a/type/__matrix_synapse/man.rst +++ b/type/__matrix_synapse/man.rst @@ -1,5 +1,5 @@ cdist-type__matrix_synapse(7) -====================== +============================= NAME ---- @@ -8,7 +8,7 @@ cdist-type__matrix_synapse - Install and configure Synapse, a Matrix homeserver DESCRIPTION ----------- -This type install and configure the Synapse Matrix homeserver. This is a +This type installs and configures the Synapse Matrix homeserver. This is a signleton type. @@ -52,13 +52,13 @@ ldap-base-dn Base DN of your LDAP tree. ldap-uid-attribute - LDAP attriute mapping to Synapse's uid field, default to uid. + LDAP attribute mapping to Synapse's uid field, default to uid. ldap-mail-attribute - LDAP attriute mapping to Synapse's mail field, default to mail. + LDAP attribute mapping to Synapse's mail field, default to mail. ldap-name-attribute - LDAP attriute mapping to Synapse's name field, default to givenName. + LDAP attribute mapping to Synapse's name field, default to givenName. ldap-bind-dn User used to authenticate against your LDAP server in 'search' mode. @@ -81,7 +81,7 @@ smtp-host The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. smtp-port - # The port on the mail server for outgoing SMTP. Defaults to 25. + The port on the mail server for outgoing SMTP. Defaults to 25. smtp-user Username for authentication to the SMTP server. By From 3f52e758fc298974604875f596b9e4fb2cb7af95 Mon Sep 17 00:00:00 2001 
From: Joachim Desroches Date: Wed, 2 Feb 2022 14:01:47 +0100 Subject: [PATCH 09/47] __systemd-network: initial implementation. --- type/__systemd_network/gencode-remote | 20 +++++ type/__systemd_network/man.rst | 68 +++++++++++++++ type/__systemd_network/manifest | 84 +++++++++++++++++++ type/__systemd_network/parameter/boolean | 1 + type/__systemd_network/parameter/optional | 1 + .../parameter/optional_multiple | 1 + 6 files changed, 175 insertions(+) create mode 100755 type/__systemd_network/gencode-remote create mode 100644 type/__systemd_network/man.rst create mode 100755 type/__systemd_network/manifest create mode 100644 type/__systemd_network/parameter/boolean create mode 100644 type/__systemd_network/parameter/optional create mode 100644 type/__systemd_network/parameter/optional_multiple diff --git a/type/__systemd_network/gencode-remote b/type/__systemd_network/gencode-remote new file mode 100755 index 0000000..af16ca6 --- /dev/null +++ b/type/__systemd_network/gencode-remote @@ -0,0 +1,20 @@ +#!/bin/sh -e +# +# 2022 Joachim Desroches (joachim.desroches@epfl.ch) +# +# This file is part of cdist. +# +# cdist is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# cdist is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with cdist. If not, see . + +systemctl enable systemd-networkd diff --git a/type/__systemd_network/man.rst b/type/__systemd_network/man.rst new file mode 100644 index 0000000..1b7b7a6 --- /dev/null +++ b/type/__systemd_network/man.rst 
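Review bot: gencode-remote runs `systemctl enable systemd-networkd` directly, but in cdist a gencode-remote script is executed on the machine running cdist and only its standard output is executed on the target, so this enables networkd on the wrong host (or fails there) and does nothing remotely. It should emit the command instead, `echo "systemctl enable systemd-networkd"`, and since gencode-remote output is logged as a change on every run, guarding it with `is-enabled` would keep runs idempotent: `echo "systemctl is-enabled -q systemd-networkd || systemctl enable systemd-networkd"`. Whether the generated `.network` file is also installed and networkd reloaded is not visible here.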
@@ -0,0 +1,68 @@ +cdist-type__systemd-network(7) +============================== + +NAME +---- +cdist-type__systemd-network - Configure systemd.network(5) file. + + +DESCRIPTION +----------- + +This type allows you to configure network interfaces by generating a +systemd.network(5) file. It will enable systemd-networkd, so be sure to remove +any conflicting network configuration tool if appropriate! + +Note that the systemd.network(5) system is very complete, and this type does +not aim at providing every possible option. Are currently available only the +most common options: feel free to add anything you need to this type which +hopefully will grow over time. + + +REQUIRED PARAMETERS +------------------- +None. + + +OPTIONAL PARAMETERS +------------------- +description + A text field used when displaying details about this network. + +OPTIONAL MULTIPLE PARAMETERS +---------------------------- +match-name + A text field that will be set in the `Name` option of the `[Match]` section. + + +BOOLEAN PARAMETERS +------------------ +ipv6ra-usedomains + Set the `UseDomains` option of the `[IPv6AcceptRA]` section to `True`. + + +EXAMPLES +-------- + +.. code-block:: sh + + # TODO + __systemd-network + + +SEE ALSO +-------- +`cdist-type_systemd-resolved`\ (7) +`systemd.network`\ (5) + +AUTHORS +------- +Joachim Desroches + + +COPYING +------- +Copyright \(C) 2022 Joachim Desroches. You can redistribute it +and/or modify it under the terms of the GNU General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. diff --git a/type/__systemd_network/manifest b/type/__systemd_network/manifest new file mode 100755 index 0000000..a2c1805 --- /dev/null +++ b/type/__systemd_network/manifest 
@@ -0,0 +1,84 @@
+#!/bin/sh -e
+#
+# 2022 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+
+os=$(cat "${__global:?}/explorer/os")
+
+case "$os" in
+'debian' | 'ubuntu' | 'archlinux')
+ :
+ ;;
+*)
+ printf "Your operating system (%s) is currently not supported by systemd-network\n" "$os" >&2
+ printf "Please contribute an implementation for it if you can.\n" >&2
+ exit 1
+ ;;
+esac
+
+# XXX: Please keep the option parsing organized in order per-section, with
+# sections in the same order as they are in the manpage. This will make hacking
+# and maintaining this type much easier.
+
+output_file="${__object:?}/files/${__object_id:?}.network"
+
+cat << EOF > "$output_file"
+# This file is managed by cdist. Do not edit by hand!
+EOF
+
+# Match section
+# Ensure section is needed, OR existence of optional params.
+if [ -f "${__object:?}/parameter/match-name" ];
+then
+ printf "\n[Match]\n" >> "$output_file"
+
+ if [ -f "${__object:?}/parameter/match-name" ];
+ then
+ sed -e 's/^/Name=/' \
+ "${__object:?}/parameter/match-name" >> "$output_file"
+ fi
+fi
+
+# Network section
+# Ensure section is needed, OR existence of optional params.
+if [ -f "${__object:?}/parameter/description" ]; +then + printf "\n[Network]\n" >> "$output_file" + + if [ -f "${__object:?}/parameter/description" ]; + then + sed -e 's/^/Description=/' \ + "${__object:?}/parameter/description" >> "$output_file" + fi +fi + +# IPv6AcceptRA section +# Ensure section is needed, OR existence of optional params. +if [ -f "${__object:?}/parameter/ipv6ra-usedomains" ]; +then + printf "\n[IPv6AcceptRA]\n" >> "$output_file" + + if [ -f "${__object:?}/parameter/ipv6ra-usedomains" ]; + then + printf "UseDomains=True\n" >> "$output_file" + fi + +fi + +__file "/etc/systemd/network/${__object_id:?}.network" \ + --source "$output_file" diff --git a/type/__systemd_network/parameter/boolean b/type/__systemd_network/parameter/boolean new file mode 100644 index 0000000..b23dcdc --- /dev/null +++ b/type/__systemd_network/parameter/boolean @@ -0,0 +1 @@ +ipv6ra-usedomains diff --git a/type/__systemd_network/parameter/optional b/type/__systemd_network/parameter/optional new file mode 100644 index 0000000..e1b39b0 --- /dev/null +++ b/type/__systemd_network/parameter/optional @@ -0,0 +1 @@ +description diff --git a/type/__systemd_network/parameter/optional_multiple b/type/__systemd_network/parameter/optional_multiple new file mode 100644 index 0000000..c97c387 --- /dev/null +++ b/type/__systemd_network/parameter/optional_multiple @@ -0,0 +1 @@ +match-name From 6310db73011dea428700be033fc46359b176267d Mon Sep 17 00:00:00 2001 From: Joachim Desroches Date: Mon, 7 Feb 2022 13:33:57 +0100 Subject: [PATCH 10/47] [bird_bgp]: minor cleanup. --- type/__bird_bgp/manifest | 1 - 1 file changed, 1 deletion(-) diff --git a/type/__bird_bgp/manifest b/type/__bird_bgp/manifest index a1d79f2..7525bb5 100755 --- a/type/__bird_bgp/manifest +++ b/type/__bird_bgp/manifest @@ -89,7 +89,6 @@ ipv4_import= if [ -f "${__object:?}"/parameter/ipv4-import ]; then ipv4_import="$(cat "${__object:?}"/parameter/ipv4-import)" - echo "FOO" >&2 fi export ipv4_import 
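Review bot: Each section guard tests the same parameter file twice — `if [ -f "${__object:?}/parameter/match-name" ]` on both the outer and the inner `if` — so the inner checks are dead code; either drop them or make the outer condition the OR over all of that section's parameters, which is what the comment `Ensure section is needed, OR existence of optional params.` promises. The same doubled test appears in the `[Network]` and `[IPv6AcceptRA]` sections. `cat << EOF > "$output_file"` also assumes `${__object:?}/files` exists, which nothing in this hunk creates (PATCH 11 adds a `mkdir`; `__opendkim`'s manifest on this page uses `mkdir -p "${__object:?}/files"` for the same purpose).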
From 727fbd55fb0ff47b4453727ad24bd48068aee64b Mon Sep 17 00:00:00 2001 From: Joachim Desroches Date: Mon, 7 Feb 2022 13:44:10 +0100 Subject: [PATCH 11/47] [bird_radv] Add option to include MTU in RAs. --- type/__bird_radv/man.rst | 10 ++++++++-- type/__bird_radv/manifest | 10 +++++++++- type/__bird_radv/parameter/optional | 1 + .../parameter/{required_multiple => required} | 0 type/__systemd_network/gencode-remote | 2 +- type/__systemd_network/manifest | 4 +++- 6 files changed, 22 insertions(+), 5 deletions(-) create mode 100644 type/__bird_radv/parameter/optional rename type/__bird_radv/parameter/{required_multiple => required} (100%) diff --git a/type/__bird_radv/man.rst b/type/__bird_radv/man.rst index 118fd60..819b213 100644 --- a/type/__bird_radv/man.rst +++ b/type/__bird_radv/man.rst @@ -15,12 +15,17 @@ autoconfigure IPv6 hosts, this type is a rudimentary implementation to generate configuration for Bird to do so. -REQUIRED MULTIPLE PARAMETERS ----------------------------- +REQUIRED PARAMETERS +------------------- interface The interfaces to activate the protocol on. RAs will be sent using the prefixes configured on these interfaces. +OPTIONAL PARAMETERS +------------------- +mtu + An optional MTU setting to include in the router advertisements. + OPTIONAL MULTIPLE PARAMETERS ---------------------------- @@ -41,6 +46,7 @@ EXAMPLES __bird_radv datacenter \ --interface eth1 \ + --mtu 9000 \ --route ::/0 \ --ns 2001:DB8:cafe::4 \ --ns 2001:DB8:cafe::14 \ diff --git a/type/__bird_radv/manifest b/type/__bird_radv/manifest index a95e88e..aee8690 100755 --- a/type/__bird_radv/manifest +++ b/type/__bird_radv/manifest @@ -55,6 +55,12 @@ then DNSSL=$(sed -e 's/^/\tdnssl "/' -e 's/$/";/' "${__object:?}/parameter/dnssl") fi +MTU= +if [ -f "${__object:?}/parameter/mtu" ]; +then + MTU="link mtu $(cat "${__object:?}/parameter/mtu")" +fi + __file "${confdir:?}/radv-${__object_id:?}.conf" \ --mode 0640 --owner root --group bird \ --source - << EOF 
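Review bot: `MTU="link mtu $(cat "${__object:?}/parameter/mtu")"` interpolates the parameter unvalidated into the Bird configuration and, unlike the DNSSL lines produced just above with `-e 's/$/";/'`, carries no terminating `;` when it is placed inside the `interface` block in the `@@ -71,7 +77,9 @@` hunk. I would reject anything but a positive integer before emitting it, e.g. `mtu="$(cat "${__object:?}/parameter/mtu")"; case "$mtu" in ''|*[!0-9]*) printf 'mtu must be an integer\n' >&2; exit 1;; esac`, and write `MTU="link mtu ${mtu};"` so the generated statement is complete, assuming Bird wants the terminator here as it does for the other options in this file.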
@@ -71,7 +77,9 @@ protocol radv ${__object_id:?} { propagate routes ${have_routes:?}; ipv6 { table radv_routes; export all; }; -$(sed -e 's/^/\tinterface "/' -e 's/$/";/' "${__object:?}/parameter/interface") + interface "$(cat "${__object:?}/parameter/interface")" { + $MTU + }; $RDNS diff --git a/type/__bird_radv/parameter/optional b/type/__bird_radv/parameter/optional new file mode 100644 index 0000000..ee48c5c --- /dev/null +++ b/type/__bird_radv/parameter/optional @@ -0,0 +1 @@ +mtu diff --git a/type/__bird_radv/parameter/required_multiple b/type/__bird_radv/parameter/required similarity index 100% rename from type/__bird_radv/parameter/required_multiple rename to type/__bird_radv/parameter/required diff --git a/type/__systemd_network/gencode-remote b/type/__systemd_network/gencode-remote index af16ca6..13c16c9 100755 --- a/type/__systemd_network/gencode-remote +++ b/type/__systemd_network/gencode-remote @@ -17,4 +17,4 @@ # You should have received a copy of the GNU General Public License # along with cdist. If not, see . -systemctl enable systemd-networkd +echo "systemctl enable systemd-networkd" diff --git a/type/__systemd_network/manifest b/type/__systemd_network/manifest index a2c1805..49eb792 100755 --- a/type/__systemd_network/manifest +++ b/type/__systemd_network/manifest @@ -35,6 +35,7 @@ esac # sections in the same order as they are in the manpage. This will make hacking # and maintaining this type much easier. +mkdir "${__object:?}/files" output_file="${__object:?}/files/${__object_id:?}.network" cat << EOF > "$output_file" @@ -81,4 +82,5 @@ then fi __file "/etc/systemd/network/${__object_id:?}.network" \ - --source "$output_file" + --source "$output_file" \ + --mode 0644 From 9a779aafa3a2ae1d2f92058b8eda2202db96e00b Mon Sep 17 00:00:00 2001 
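Review bot: `interface "$(cat "${__object:?}/parameter/interface")"` reads the parameter as a single value, consistent with the rename of `parameter/required_multiple` to `parameter/required` in this commit, but the man.rst hunk in the same commit still says "The interfaces to activate the protocol on ... these interfaces"; the description should be reworded to one interface, or the per-line loop kept. The enclosing heredoc starts outside the hunk.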
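Review bot: `mkdir "${__object:?}/files"` aborts under `#!/bin/sh -e` if the directory already exists, whereas `__opendkim`'s manifest on this page uses `mkdir -p "${__object:?}/files"` for the same purpose; use `mkdir -p` here too so the manifest does not depend on cdist always handing it a fresh object directory.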
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Tue, 8 Feb 2022 13:45:03 +0100 Subject: [PATCH 12/47] __matrix_synapse: add --disable-{displayname,3pid}-changes flag --- type/__matrix_synapse/files/homeserver.yaml.sh | 4 ++-- type/__matrix_synapse/man.rst | 6 ++++++ type/__matrix_synapse/manifest | 12 ++++++++++++ type/__matrix_synapse/parameter/boolean | 2 ++ 4 files changed, 22 insertions(+), 2 deletions(-) diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh index d719d3f..64b40ee 100755 --- a/type/__matrix_synapse/files/homeserver.yaml.sh +++ b/type/__matrix_synapse/files/homeserver.yaml.sh @@ -1406,7 +1406,7 @@ account_threepid_delegates: # # Does not apply to server administrators. Defaults to 'true' # -#enable_set_displayname: false +enable_set_displayname: ${ENABLE_SET_DISPLAYNAME:?} # Whether users are allowed to change their avatar after it has been # initially set. Useful when provisioning users based on the contents @@ -1421,7 +1421,7 @@ account_threepid_delegates: # # Defaults to 'true' # -#enable_3pid_changes: false +enable_3pid_changes: ${ENABLE_3PID_CHANGES:?} # Users who register on this homeserver will automatically be joined # to these rooms. diff --git a/type/__matrix_synapse/man.rst b/type/__matrix_synapse/man.rst index d13e80a..0ec7a94 100644 --- a/type/__matrix_synapse/man.rst +++ b/type/__matrix_synapse/man.rst @@ -162,6 +162,12 @@ rc-login-burst registration-allows-email-pattern Only allow email addresses matching specified filter. Can be specified multiple times. A pattern must look like `.*@vector\.im`. +disable-displayname-changes + Whether users are allowed to change their displayname after it has been initially set. + +disable-3pid-changes + Whether users can change the 3PIDs associated with their accounts (email address and msisdn). + auto-join-room Room where newly-registered users are automatically added. Can be specified multiple times. 
diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index 6a89de6..bc76143 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest @@ -181,6 +181,18 @@ if [ -f "$__object/parameter/registration-requires-email" ]; then export REGISTRATION_REQUIRES_EMAIL=1 fi +ENABLE_SET_DISPLAYNAME='true' +if [ -f "$__object/parameter/disable-displayname-changes" ]; then + ENABLE_SET_DISPLAYNAME='false' +fi +export ENABLE_SET_DISPLAYNAME + +ENABLE_3PID_CHANGES='true' +if [ -f "$__object/parameter/disable-3pid-changes" ]; then + ENABLE_3PID_CHANGES='false' +fi +export ENABLE_3PID_CHANGES + if [ -f "$__object/parameter/auto-join-room" ]; then AUTO_JOIN_ROOMS="$(cat "$__object/parameter/auto-join-room")" export AUTO_JOIN_ROOMS diff --git a/type/__matrix_synapse/parameter/boolean b/type/__matrix_synapse/parameter/boolean index ac87271..54c383a 100644 --- a/type/__matrix_synapse/parameter/boolean +++ b/type/__matrix_synapse/parameter/boolean @@ -18,3 +18,5 @@ enable-message-retention-policy worker-mode enable-url-preview enable-3pid-lookups +disable-3pid-changes +disable-displayname-changes From f6d0cbbeb7c043150d603297710325d2e1433a9a Mon Sep 17 00:00:00 2001 From: Joachim Desroches Date: Mon, 7 Feb 2022 14:15:05 +0100 Subject: [PATCH 13/47] __systemd_resolved: initial implementation. --- type/__systemd_resolved/gencode-remote | 21 ++++++++++++ type/__systemd_resolved/man.rst | 47 ++++++++++++++++++++++++++ type/__systemd_resolved/manifest | 42 +++++++++++++++++++++++ 3 files changed, 110 insertions(+) create mode 100755 type/__systemd_resolved/gencode-remote create mode 100644 type/__systemd_resolved/man.rst create mode 100755 type/__systemd_resolved/manifest diff --git a/type/__systemd_resolved/gencode-remote b/type/__systemd_resolved/gencode-remote new file mode 100755 index 0000000..115b99b --- /dev/null +++ b/type/__systemd_resolved/gencode-remote 
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+#
+# 2022 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+
+echo "systemctl enable systemd-resolved"
diff --git a/type/__systemd_resolved/man.rst b/type/__systemd_resolved/man.rst
new file mode 100644
index 0000000..213c725
--- /dev/null
+++ b/type/__systemd_resolved/man.rst
@@ -0,0 +1,47 @@ +cdist-type__systemd_resolved(7) +=============================== + +NAME +---- +cdist-type__systemd_resolved - Configure system to use systemd-resolved. + + +DESCRIPTION +----------- +*systemd-resolved* is a systemd service that provides network name resolution +to local applications via a D-Bus interface, the resolve NSS service +(nss-resolve(8)), and a local DNS stub listener on 127.0.0.53. + +This type enables and starts this type, and helps with some minimal +configuration. In particular, systemd-resolved has four modes of handling the +`/etc/resolv.conf` file: stub, static, uplink and foreign. See the +systemd-resolved(8) manpage for details. By default, this type uses stub mode: +if you need another one, please provide an implementation in this type! + + +EXAMPLES +-------- + +.. code-block:: sh + + __systemd_resolved + + +SEE ALSO +-------- +`systemd.network`\ (5) +`systemd-resolved`\ (8) +`nss-resolve`\ (8) + + +AUTHORS +------- +Joachim Desroches + + +COPYING +------- +Copyright \(C) 2022 Joachim Desroches. You can redistribute it +and/or modify it under the terms of the GNU General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. diff --git a/type/__systemd_resolved/manifest b/type/__systemd_resolved/manifest new file mode 100755 index 0000000..3b99592 --- /dev/null +++ b/type/__systemd_resolved/manifest 
@@ -0,0 +1,42 @@ +#!/bin/sh -e +# +# 2022 Joachim Desroches (joachim.desroches@epfl.ch) +# +# This file is part of cdist. +# +# cdist is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# cdist is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with cdist. If not, see . +# + +os=$(cat "${__global:?}/explorer/os") + +case "$os" in +'debian') + : + ;; +*) + printf "Your operating system (%s) is currently not supported by __systemd_resolved\n" "$os" >&2 + printf "Please contribute an implementation for it if you can.\n" >&2 + exit 1 + ;; +esac + +__link /etc/resolv.conf \ + --type symbolic \ + --source ../run/systemd/resolve/stub-resolv.conf + +require=__link/etc/resolv.conf \ + __systemd_service systemd-resolved \ + --state running \ + --action restart \ + --if-required From 422b97bc1b310c8f3515f3911794d2d674eb964a Mon Sep 17 00:00:00 2001 From: Joachim Desroches Date: Mon, 7 Feb 2022 15:12:23 +0100 Subject: [PATCH 14/47] [systemd_resolved]: make singleton. --- type/__systemd_resolved/singleton | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 type/__systemd_resolved/singleton diff --git a/type/__systemd_resolved/singleton b/type/__systemd_resolved/singleton new file mode 100644 index 0000000..e69de29 From ecd10de2d3517be874ac5b54b4c03214afe12672 Mon Sep 17 00:00:00 2001 
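Review bot: `__link /etc/resolv.conf` is created before `__systemd_service systemd-resolved --state running` (the service object requires the link, not the reverse), so between the two steps /etc/resolv.conf points at `../run/systemd/resolve/stub-resolv.conf`, which presumably does not exist until resolved has started, and if the service step fails the host is left without working name resolution. Starting the service first and having the `__link` object require `__systemd_service/systemd-resolved` closes that window; `--action restart --if-required` is then probably unnecessary, since the link is consumed by clients rather than by resolved itself. The `'debian')` case also means the type refuses Ubuntu and Arch, which `__systemd_network` in the same series accepts; worth aligning or documenting the difference.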
From: Evilham Date: Thu, 10 Mar 2022 20:08:51 +0100 Subject: [PATCH 15/47] [__opendkim*] FreeBSD support and minor fixes While adding FreeBSD support to the type I noticed various issues: - We were making sure that the KeyTable and SigningTable were created in __opendkim_genkey, but that was being done with the default cdist permissions (0400) which could result in issues when reloading the service after privilege drop. This is addressed by checking that it exists/creating it in __opendkim (just once, not once per __opendkim_genkey call) with laxer permissions (0444). - In __opendkim, the service was being started after the config file was installed. This is insufficient as OpenDKIM will refuse to start with the generated config if either SigningTable or KeyTable do not exist yet. - __opendkim_genkey had the implicit assumption that the --directory parameter always ended in a slash. This was not documented and error-prone; we are now a bit laxer and add the trailing slash if it is missing. - __opendkim_genkey was not changing permissions for the resulting .txt file. This was not critical for it to function, but it was inconsistent. - As documented in #17, __opendkim allows for a --userid parameter that might cause issues with keys generated by __opendkim_genkey. This issue has not been addressed yet, but I recommend deprecating the --userid parameter. --- type/__opendkim/files/opendkim.conf.sh | 5 +-- type/__opendkim/man.rst | 12 ++++--- type/__opendkim/manifest | 28 ++++++++++++--- type/__opendkim_genkey/gencode-remote | 10 ++++-- type/__opendkim_genkey/man.rst | 7 ++-- type/__opendkim_genkey/manifest | 47 ++++++++++++++++++-------- 6 files changed, 79 insertions(+), 30 deletions(-) diff --git a/type/__opendkim/files/opendkim.conf.sh b/type/__opendkim/files/opendkim.conf.sh index a21eecc..468b262 100755 --- a/type/__opendkim/files/opendkim.conf.sh +++ b/type/__opendkim/files/opendkim.conf.sh 
@@ -1,6 +1,7 @@ #!/bin/sh -e # Generate an opendkim.conf(5) file for opendkim(8). +echo "# Managed remotely, manual changes will be lost." # Optional chdir(2) if [ "$BASEDIR" ]; @@ -33,8 +34,8 @@ then fi # Key and Domain tables -echo 'KeyTable /etc/opendkim/KeyTable' -echo 'SigningTable /etc/opendkim/SigningTable' +echo "KeyTable ${CFG_DIR}/KeyTable" +echo "SigningTable ${CFG_DIR}/SigningTable" # Required socket to listen on printf "Socket %s\n" "${SOCKET:?}" diff --git a/type/__opendkim/man.rst b/type/__opendkim/man.rst index 205ca65..e3f3e7a 100644 --- a/type/__opendkim/man.rst +++ b/type/__opendkim/man.rst @@ -14,8 +14,8 @@ installation and basic configuration of an instance of OpenDKIM. Note that this type does not generate or ensure that a key is present: use `cdist-type__opendkim-genkey(7)` for that. -Note that this type is currently only implemented for Alpine Linux. Please -contribute an implementation if you can. +Note that this type is currently only implemented for Alpine Linux and FreeBSD. +Please contribute an implementation if you can. REQUIRED PARAMETERS @@ -42,8 +42,9 @@ umask Set the umask for the socket and PID file. userid - Change the user the opendkim program is to run as. By default, Alpine Linux's - OpenRC service will set this to `opendkim` on the command-line. + Change the user the opendkim program is to run as. + By default, Alpine Linux's OpenRC service will set this to `opendkim` on the + command-line and FreeBSD's rc will set it to `mailnull`. custom-config The string following this parameter is appended as-is in the configuration, to @@ -86,11 +87,12 @@ SEE ALSO AUTHORS ------- Joachim Desroches +Evilham COPYING ------- -Copyright \(C) 2021 Joachim Desroches. You can redistribute it +Copyright \(C) 2022 Joachim Desroches, Evilham. You can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. 
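Review bot: `echo "KeyTable ${CFG_DIR}/KeyTable"` and the SigningTable line expand `CFG_DIR` without the `:?` guard that the same hunk applies to `${SOCKET:?}`, so if the generator is run without the manifest's `export CFG_DIR` it silently emits `KeyTable /KeyTable`. Use `${CFG_DIR:?}` in both lines so a missing variable fails the generation step instead of producing a configuration that points at the filesystem root.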
diff --git a/type/__opendkim/manifest b/type/__opendkim/manifest index e3325b4..dbd9fc0 100755 --- a/type/__opendkim/manifest +++ b/type/__opendkim/manifest @@ -20,16 +20,23 @@ os=$(cat "${__global:?}/explorer/os") +CFG_DIR="/etc/opendkim" +service="opendkim" case "$os" in 'alpine') : ;; +'freebsd') + CFG_DIR="/usr/local/etc/mail" + service="milter-opendkim" + ;; *) printf "__opendkim does not yet support %s.\n" "$os" >&2 printf "Please contribute an implementation if you can.\n" >&2 exit 1 ;; esac +export CFG_DIR __package opendkim @@ -68,7 +75,7 @@ fi # Generate and deploy configuration file. source_file="${__object:?}/files/opendkim.conf" -target_file="/etc/opendkim/opendkim.conf" +target_file="${CFG_DIR}/opendkim.conf" mkdir -p "${__object:?}/files" @@ -83,9 +90,22 @@ fi require="__package/opendkim" __file "$target_file" \ --source "$source_file" --mode 0644 -require="__package/opendkim" __start_on_boot opendkim +require="__package/opendkim" __start_on_boot "${service}" -require="__file${target_file}" \ +# Ensure Key and Signing tables exist and have proper permissions +key_table="${CFG_DIR}/KeyTable" +signing_table="${CFG_DIR}/SigningTable" + +require="__package/opendkim" \ + __file "${key_table}" \ + --mode 444 + +require="__package/opendkim" \ + __file "${signing_table}" \ + --mode 444 + +require="__file${target_file} __file${key_table} + __file${signing_table} __start_on_boot/${service}" \ __check_messages opendkim \ --pattern "^__file${target_file}" \ - --execute "service opendkim restart" + --execute "service ${service} restart" diff --git a/type/__opendkim_genkey/gencode-remote b/type/__opendkim_genkey/gencode-remote index 65ce934..d8dfb4d 100755 --- a/type/__opendkim_genkey/gencode-remote +++ b/type/__opendkim_genkey/gencode-remote 
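Review bot: The new `require="__file${target_file} __file${key_table}` string continues onto the next line, so the value handed to `__check_messages` contains an embedded newline; that is only correct if cdist splits `require` on arbitrary whitespace, and keeping the list on one line (or using `\` continuation outside the quotes) avoids relying on it. `--mode 444` for the two tables is also written without the leading zero used by `--mode 0644` on the config file a few lines earlier; `--mode 0444` keeps the style consistent.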
@@ -30,7 +30,8 @@ fi DIRECTORY="/var/db/dkim/" if [ -f "${__object:?}/parameter/directory" ]; then - DIRECTORY="$(cat "${__object:?}/parameter/directory")" + # Be forgiving about a lack of trailing slash + DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")" fi # Boolean parameters @@ -44,7 +45,12 @@ if [ -f "${__object:?}/parameters/unrestricted" ]; then RESTRICTED= fi +user="$(cat "${__object:?}/user")" +group="$(cat "${__object:?}/group")" + if ! [ -f "${DIRECTORY}${SELECTOR}.private" ]; then echo "opendkim-genkey $BITS --domain=$DOMAIN --directory=$DIRECTORY $RESTRICTED --selector=$SELECTOR $SUBDOMAINS" - echo "chown opendkim:opendkim ${DIRECTORY}${SELECTOR}.private" + echo "chown ${user}:${group} ${DIRECTORY}${SELECTOR}.private" + # This is usually generated, if it weren't we do not want to fail + echo "chown ${user}:${group} ${DIRECTORY}${SELECTOR}.txt || true" fi diff --git a/type/__opendkim_genkey/man.rst b/type/__opendkim_genkey/man.rst index 46e6505..b3fd013 100644 --- a/type/__opendkim_genkey/man.rst +++ b/type/__opendkim_genkey/man.rst @@ -17,8 +17,8 @@ will be added to the OpenDKIM signing table, using either the domain or the provided key for the `domain:selector:keyfile` value in the table. An existing key will not be overwritten. -Currently, this type is only implemented for Alpine Linux. Please contribute an -implementation if you can. +Currently, this type is only implemented for Alpine Linux and FreeBSD. +Please contribute an implementation if you can. REQUIRED PARAMETERS ------------------- @@ -85,11 +85,12 @@ SEE ALSO AUTHORS ------- Joachim Desroches +Evilham COPYING ------- -Copyright \(C) 2021 Joachim Desroches. You can redistribute it +Copyright \(C) 2022 Joachim Desroches, Evilham. You can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. 
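Review bot: The context line `if [ -f "${__object:?}/parameters/unrestricted" ]` tests a `parameters/` directory while every other lookup in this series uses `${__object:?}/parameter/`, so the boolean can never clear `RESTRICTED`; since this commit edits the surrounding lines it should fix the path to `"${__object:?}/parameter/unrestricted"`. The new `chown ${user}:${group}` lines only run inside `if ! [ -f "${DIRECTORY}${SELECTOR}.private" ]`, so a key generated earlier under a different owner is never re-owned when the OS-specific user changes; chowning unconditionally, or driving it from an explorer that reports the current owner, would make the ownership idempotent. The emitted commands also interpolate `${DIRECTORY}` and `${SELECTOR}` unquoted into the remote shell line, so a directory containing a space breaks the chown.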
diff --git a/type/__opendkim_genkey/manifest b/type/__opendkim_genkey/manifest index 7c506e9..50dcee5 100755 --- a/type/__opendkim_genkey/manifest +++ b/type/__opendkim_genkey/manifest @@ -21,10 +21,18 @@ os=$(cat "${__global:?}/explorer/os") +CFG_DIR="/etc/opendkim" +user="opendkim" +group="opendkim" case "$os" in 'alpine') : ;; +'freebsd') + CFG_DIR="/usr/local/etc/mail" + user="mailnull" + group="mailnull" +;; *) cat <<- EOF >&2 __opendkim_genkey currently only supports Alpine Linux. Please @@ -32,6 +40,9 @@ case "$os" in EOF ;; esac +# Persist user and group for gencode-remote +printf '%s' "${user}" > "${__object:?}/user" +printf '%s' "${group}" > "${__object:?}/group" SELECTOR="$(cat "${__object:?}/parameter/selector")" DOMAIN="$(cat "${__object:?}/parameter/domain")" @@ -39,7 +50,8 @@ DOMAIN="$(cat "${__object:?}/parameter/domain")" DIRECTORY="/var/db/dkim/" if [ -f "${__object:?}/parameter/directory" ]; then - DIRECTORY="$(cat "${__object:?}/parameter/directory")" + # Be forgiving about a lack of trailing slash + DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")" fi SIGKEY="${DOMAIN:?}" 
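Review bot: The `*)` branch of `case "$os"` still tells the user that `__opendkim_genkey currently only supports Alpine Linux` although this commit adds `'freebsd')`, and unlike `__opendkim`'s manifest it does not `exit 1` after the message (nothing between `Please` and the `EOF` context line appears to), so the manifest carries on and persists `user`/`group` for an unsupported OS. Update the message to mention FreeBSD and add `exit 1` after the heredoc, matching the `__opendkim` manifest.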
@@ -48,19 +60,26 @@ then SIGKEY="$(cat "${__object:?}/parameter/sigkey")" fi -__package opendkim-utils +# Ensure the key-container directory exists with the proper permissions +__directory "${DIRECTORY}" \ + --mode 0750 \ + --owner "${user}" --group "${group}" -require='__package/opendkim-utils' \ - __file /etc/opendkim/KeyTable -require='__package/opendkim-utils' \ - __file /etc/opendkim/SigningTable +# OS-specific code +case "$os" in +'alpine') + # This is needed for opendkim-genkey + __package opendkim-utils +;; +esac -require='__file/etc/opendkim/KeyTable' \ - __line "line-key-${__object_id:?}" \ - --file /etc/opendkim/KeyTable \ - --line "${SELECTOR:?}._domainkey.${DOMAIN:?} ${DOMAIN:?}:${SELECTOR:?}:${DIRECTORY:?}${SELECTOR:?}.private" +key_table="${CFG_DIR}/KeyTable" +signing_table="${CFG_DIR}/SigningTable" -require='__file/etc/opendkim/SigningTable' \ - __line "line-sig-${__object_id:?}" \ - --file /etc/opendkim/SigningTable \ - --line "${SIGKEY:?} ${SELECTOR:?}._domainkey.${DOMAIN:?}" +__line "line-key-${__object_id:?}" \ + --file "${key_table}" \ + --line "${SELECTOR:?}._domainkey.${DOMAIN:?} ${DOMAIN:?}:${SELECTOR:?}:${DIRECTORY:?}${SELECTOR:?}.private" + +__line "line-sig-${__object_id:?}" \ + --file "${signing_table}" \ + --line "${SIGKEY:?} ${SELECTOR:?}._domainkey.${DOMAIN:?}" From ac03f05766f2ef12b893918b6d206b281d32e263 Mon Sep 17 00:00:00 2001 From: Evilham Date: Thu, 10 Mar 2022 21:20:52 +0100 Subject: [PATCH 16/47] [__jitsi_meet] Fix bug with secured domains This is a leftover from when we were using __line instead of __block. Closes #15 Reported by: @pedro --- type/__jitsi_meet/manifest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest index 0364db6..279444a 100755 --- a/type/__jitsi_meet/manifest +++ b/type/__jitsi_meet/manifest 
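Review bot: The removed `require='__file/etc/opendkim/KeyTable'` and SigningTable requirements have no replacement, so the two `__line` objects now run in no defined order relative to the `__file "${key_table}"` / `__file "${signing_table}"` objects this commit moves into `__opendkim`; whether that works depends on `__line` tolerating a missing file and on the operator always applying `__opendkim` first. At minimum the man page should state that `__opendkim` must be required before `__opendkim_genkey`, or the manifest could declare that requirement itself. The `__directory "${DIRECTORY}" --mode 0750 --owner "${user}" --group "${group}"` addition is the right place for that, since the private keys live there.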
@@ -153,7 +153,7 @@ EOF if [ -f "${__object}/parameter/secured-domains" ]; then SECURED_DOMAINS_STATE='present' - SECURED_DOMAINS_STATE_JICOFO='replace' + SECURED_DOMAINS_STATE_JICOFO='present' else SECURED_DOMAINS_STATE='absent' SECURED_DOMAINS_STATE_JICOFO='absent' From ac99cd8d84af340188a7e10a97ab829d540572bc Mon Sep 17 00:00:00 2001 From: Evilham Date: Thu, 10 Mar 2022 21:23:45 +0100 Subject: [PATCH 17/47] [__jitsi_meet_domain] Update to 2.0.7001-1 Obsoletes #13 --- .../parameter/default/jitsi-version | 2 +- .../files/_update_jitsi_configurations.sh | 2 +- type/__jitsi_meet_domain/files/config.js.sh | 166 ++++++++++++++---- .../files/config.js.sh.orig | 166 ++++++++++++++---- .../files/interface_config.js.sh | 2 +- .../files/interface_config.js.sh.orig | 2 +- 6 files changed, 258 insertions(+), 82 deletions(-) diff --git a/type/__jitsi_meet/parameter/default/jitsi-version b/type/__jitsi_meet/parameter/default/jitsi-version index 9fe8252..4b02224 100644 --- a/type/__jitsi_meet/parameter/default/jitsi-version +++ b/type/__jitsi_meet/parameter/default/jitsi-version @@ -1 +1 @@ -2.0.5765-1 +2.0.7001-1 diff --git a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh index 295bdf0..6029cf7 100755 --- a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh +++ b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh @@ -7,7 +7,7 @@ # We could automate this, but are using it as an indicator for the # latest branch with which we conciliated changes. -BRANCH="jitsi-meet_6726" +BRANCH="jitsi-meet_7001" REPO="https://github.com/jitsi/jitsi-meet" get_url() { diff --git a/type/__jitsi_meet_domain/files/config.js.sh b/type/__jitsi_meet_domain/files/config.js.sh index 4532ba6..58df3fc 100644 --- a/type/__jitsi_meet_domain/files/config.js.sh +++ b/type/__jitsi_meet_domain/files/config.js.sh 
@@ -86,18 +86,41 @@ fi // callStatsThreshold: 5 // enable callstats for 5% of the users. }, + // Feature Flags. + flags: { + // Enables source names in the signaling. + // sourceNameSignaling: false, + }, + // Disables moderator indicators. // disableModeratorIndicator: false, // Disables the reactions feature. // disableReactions: true, + // Disables the reactions moderation feature. + // disableReactionsModeration: false, + // Disables polls feature. // disablePolls: false, // Disables self-view tile. (hides it from tile view and from filmstrip) // disableSelfView: false, + // Disables self-view settings in UI + // disableSelfViewSettings: false, + + // screenshotCapture : { + // Enables the screensharing capture feature. + // enabled: false, + // + // The mode for the screenshot capture feature. + // Can be either 'recording' - screensharing screenshots are taken + // only when the recording is also on, + // or 'always' - screensharing screenshots are always taken. + // mode: 'recording' + // } + // Disables ICE/UDP by filtering out local and remote UDP candidates in // signalling. // webrtcIceUdpDisable: false, @@ -237,7 +260,11 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // max: 5 // }, - // Try to start calls with screen-sharing instead of camera video. + // This option has been deprecated since it is no longer supported as per the w3c spec. + // https://w3c.github.io/mediacapture-screen-share/#dom-mediadevices-getdisplaymedia. If the user has not + // interacted with the webpage before the getDisplayMedia call, the promise will be rejected by the browser. This + // has already been implemented in Firefox and Safari and will be implemented in Chrome soon. + // https://bugs.chromium.org/p/chromium/issues/detail?id=1198918 // startScreenSharing: false, // Recording 
@@ -459,6 +486,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // If Lobby is enabled starts knocking automatically. // autoKnockLobby: false, + // DEPRECATED! Use \`breakoutRooms.hideAddRoomButton\` instead. // Hides add breakout room button // hideAddRoomButton: false, @@ -491,12 +519,21 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Default remote name to be displayed // defaultRemoteDisplayName: 'Fellow Jitster', + // Hides the display name from the participant thumbnail + // hideDisplayName: false, + + // Hides the dominant speaker name badge that hovers above the toolbox + // hideDominantSpeakerBadge: false, + // Default language for the user interface. defaultLanguage: '${DEFAULT_LANGUAGE}', // Disables profile and the edit of all fields from the profile settings (display name and email) // disableProfile: false, + // Hides the email section under profile settings. + // hideEmailInSettings: false, + // Whether or not some features are checked based on token. // enableFeaturesBasedOnToken: false, @@ -541,6 +578,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Document should be focused for this option to work // enableAutomaticUrlCopy: false, + // Array with avatar URL prefixes that need to use CORS. + // corsAvatarURLs: [ 'https://www.gravatar.com/avatar/' ], + // Base URL for a Gravatar-compatible service. Defaults to libravatar. // gravatarBaseURL: 'https://seccdn.libravatar.org/avatar/', 
@@ -607,41 +647,61 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // alwaysVisible: false // }, - // Toolbar buttons which have their click event exposed through the API on - // \`toolbarButtonClicked\` event instead of executing the normal click routine. + // Toolbar buttons which have their click/tap event exposed through the API on + // \`toolbarButtonClicked\`. Passing a string for the button key will + // prevent execution of the click/tap routine; passing an object with \`key\` and + // \`preventExecution\` flag on false will not prevent execution of the click/tap + // routine. Below array with mixed mode for passing the buttons. // buttonsWithNotifyClick: [ - // 'camera', - // 'chat', - // 'closedcaptions', - // 'desktop', - // 'download', - // 'embedmeeting', - // 'etherpad', - // 'feedback', - // 'filmstrip', - // 'fullscreen', - // 'hangup', - // 'help', - // 'invite', - // 'livestreaming', - // 'microphone', - // 'mute-everyone', - // 'mute-video-everyone', - // 'participants-pane', - // 'profile', - // 'raisehand', - // 'recording', - // 'security', - // 'select-background', - // 'settings', - // 'shareaudio', - // 'sharedvideo', - // 'shortcuts', - // 'stats', - // 'tileview', - // 'toggle-camera', - // 'videoquality', - // '__end' + // 'camera', + // { + // key: 'chat', + // preventExecution: false + // }, + // { + // key: 'closedcaptions', + // preventExecution: true + // }, + // 'desktop', + // 'download', + // 'embedmeeting', + // 'etherpad', + // 'feedback', + // 'filmstrip', + // 'fullscreen', + // 'hangup', + // 'help', + // { + // key: 'invite', + // preventExecution: false + // }, + // 'livestreaming', + // 'microphone', + // 'mute-everyone', + // 'mute-video-everyone', + // 'participants-pane', + // 'profile', + // { + // key: 'raisehand', + // preventExecution: true + // }, + // 'recording', + // 'security', + // 'select-background', + // 'settings', + // 'shareaudio', + // 'sharedvideo', + // 'shortcuts', + // 
'stats', + // 'tileview', + // 'toggle-camera', + // 'videoquality', + // // The add passcode button from the security dialog. + // { + // key: 'add-passcode', + // preventExecution: false + // } + // '__end' // ], // List of pre meeting screens buttons to hide. The values must be one or more of the 5 allowed buttons: @@ -696,6 +756,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Enables detecting faces of participants and get their expression and send it to other participants // enableFacialRecognition: true, + // Enables displaying facial expressions in speaker stats + // enableDisplayFacialExpressions: true, + // Controls the percentage of automatic feedback shown to participants when callstats is enabled. // The default value is 100%. If set to 0, no automatic feedback will be requested // feedbackPercentage: 100, @@ -999,6 +1062,14 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) */ dynamicBrandingUrl: "${DYNAMIC_BRANDING_URL}", + // Options related to the breakout rooms feature. + // breakoutRooms: { + // // Hides the add breakout room button. This replaces \`hideAddRoomButton\`. + // hideAddRoomButton: false, + // // Hides the join breakout room button. + // hideJoinRoomButton: false + // }, + // When true the user cannot add more images to be used as virtual background. // Only the default ones from will be available. // disableAddingBackgroundImages: false, 
@@ -1017,14 +1088,15 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // If true, tile view will not be enabled automatically when the participants count threshold is reached. // disableTileView: true, - // If true, the tiles will be displayed contained within the available space rather than enlarged to cover it. + // If true, the tiles will be displayed contained within the available space rather than enlarged to cover it, + // with a 16:9 aspect ratio (old behaviour). // disableTileEnlargement: true, // Controls the visibility and behavior of the top header conference info labels. // If a label's id is not in any of the 2 arrays, it will not be visible at all on the header. // conferenceInfo: { // // those labels will not be hidden in tandem with the toolbox. - // alwaysVisible: ['recording', 'local-recording'], + // alwaysVisible: ['recording', 'local-recording', 'raised-hands-count'], // // those labels will be auto-hidden in tandem with the toolbox buttons. // autoHide: [ // 'subject', @@ -1038,10 +1110,10 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // }, // Hides the conference subject - // hideConferenceSubject: true, + // hideConferenceSubject: false, // Hides the conference timer. - // hideConferenceTimer: true, + // hideConferenceTimer: false, // Hides the recording label // hideRecordingLabel: false, @@ -1052,6 +1124,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Sets the conference subject // subject: 'Conference Subject', + // Sets the conference local subject + // localSubject: 'Conference Local Subject', + // This property is related to the use case when jitsi-meet is used via the IFrame API. When the property is true // jitsi-meet will use the local storage of the host page instead of its own. This option is useful if the browser // is not persisting the local storage inside the iframe. 
@@ -1114,6 +1189,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) forceJVB121Ratio forceTurnRelay hiddenDomain + hiddenFromRecorderFeatureEnabled ignoreStartMuted websocketKeepAlive websocketKeepAliveUrl @@ -1156,10 +1232,14 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // 'lobby.joinRejectedMessage', // shown when while in a lobby, user's request to join is rejected // 'lobby.notificationTitle', // shown when lobby is toggled and when join requests are allowed / denied // 'localRecording.localRecording', // shown when a local recording is started + // 'notify.chatMessages', // shown when receiving chat messages while the chat window is closed // 'notify.disconnected', // shown when a participant has left // 'notify.connectedOneMember', // show when a participant joined // 'notify.connectedTwoMembers', // show when two participants joined simultaneously // 'notify.connectedThreePlusMembers', // show when more than 2 participants joined simultaneously + // 'notify.leftOneMember', // show when a participant left + // 'notify.leftTwoMembers', // show when two participants left simultaneously + // 'notify.leftThreePlusMembers', // show when more than 2 participants left simultaneously // 'notify.grantedTo', // shown when moderator rights were granted to a participant // 'notify.invitedOneMember', // shown when 1 participant has been invited // 'notify.invitedThreePlusMembers', // shown when 3+ participants have been invited 
@@ -1174,6 +1254,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // 'notify.mutedTitle', // shown when user has been muted upon joining, // 'notify.newDeviceAudioTitle', // prompts the user to use a newly detected audio device // 'notify.newDeviceCameraTitle', // prompts the user to use a newly detected camera + // 'notify.participantWantsToJoin', // shown when lobby is enabled and participant requests to join meeting // 'notify.passwordRemovedRemotely', // shown when a password has been removed remotely // 'notify.passwordSetRemotely', // shown when a password has been set remotely // 'notify.raisedHand', // shown when a partcipant used raise hand, @@ -1197,6 +1278,13 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Prevent the filmstrip from autohiding when screen width is under a certain threshold // disableFilmstripAutohiding: false, + // filmstrip: { + // // Disables user resizable filmstrip. Also, allows configuration of the filmstrip + // // (width, tiles aspect ratios) through the interfaceConfig options. + // disableResizable: false, + // } + + // Specifies whether the chat emoticons are disabled or not // disableChatSmileys: false, diff --git a/type/__jitsi_meet_domain/files/config.js.sh.orig b/type/__jitsi_meet_domain/files/config.js.sh.orig index eb30636..0976642 100644 --- a/type/__jitsi_meet_domain/files/config.js.sh.orig +++ b/type/__jitsi_meet_domain/files/config.js.sh.orig 
@@ -74,18 +74,41 @@ var config = { // callStatsThreshold: 5 // enable callstats for 5% of the users. }, + // Feature Flags. + flags: { + // Enables source names in the signaling. + // sourceNameSignaling: false, + }, + // Disables moderator indicators. // disableModeratorIndicator: false, // Disables the reactions feature. // disableReactions: true, + // Disables the reactions moderation feature. + // disableReactionsModeration: false, + // Disables polls feature. // disablePolls: false, // Disables self-view tile. (hides it from tile view and from filmstrip) // disableSelfView: false, + // Disables self-view settings in UI + // disableSelfViewSettings: false, + + // screenshotCapture : { + // Enables the screensharing capture feature. + // enabled: false, + // + // The mode for the screenshot capture feature. + // Can be either 'recording' - screensharing screenshots are taken + // only when the recording is also on, + // or 'always' - screensharing screenshots are always taken. + // mode: 'recording' + // } + // Disables ICE/UDP by filtering out local and remote UDP candidates in // signalling. // webrtcIceUdpDisable: false, @@ -224,7 +247,11 @@ var config = { // max: 5 // }, - // Try to start calls with screen-sharing instead of camera video. + // This option has been deprecated since it is no longer supported as per the w3c spec. + // https://w3c.github.io/mediacapture-screen-share/#dom-mediadevices-getdisplaymedia. If the user has not + // interacted with the webpage before the getDisplayMedia call, the promise will be rejected by the browser. This + // has already been implemented in Firefox and Safari and will be implemented in Chrome soon. + // https://bugs.chromium.org/p/chromium/issues/detail?id=1198918 // startScreenSharing: false, // Recording 
@@ -446,6 +473,7 @@ var config = { // If Lobby is enabled starts knocking automatically. // autoKnockLobby: false, + // DEPRECATED! Use `breakoutRooms.hideAddRoomButton` instead. // Hides add breakout room button // hideAddRoomButton: false, @@ -478,12 +506,21 @@ var config = { // Default remote name to be displayed // defaultRemoteDisplayName: 'Fellow Jitster', + // Hides the display name from the participant thumbnail + // hideDisplayName: false, + + // Hides the dominant speaker name badge that hovers above the toolbox + // hideDominantSpeakerBadge: false, + // Default language for the user interface. // defaultLanguage: 'en', // Disables profile and the edit of all fields from the profile settings (display name and email) // disableProfile: false, + // Hides the email section under profile settings. + // hideEmailInSettings: false, + // Whether or not some features are checked based on token. // enableFeaturesBasedOnToken: false, @@ -528,6 +565,9 @@ var config = { // Document should be focused for this option to work // enableAutomaticUrlCopy: false, + // Array with avatar URL prefixes that need to use CORS. + // corsAvatarURLs: [ 'https://www.gravatar.com/avatar/' ], + // Base URL for a Gravatar-compatible service. Defaults to libravatar. // gravatarBaseURL: 'https://seccdn.libravatar.org/avatar/', 
@@ -594,41 +634,61 @@ var config = { // alwaysVisible: false // }, - // Toolbar buttons which have their click event exposed through the API on - // `toolbarButtonClicked` event instead of executing the normal click routine. + // Toolbar buttons which have their click/tap event exposed through the API on + // `toolbarButtonClicked`. Passing a string for the button key will + // prevent execution of the click/tap routine; passing an object with `key` and + // `preventExecution` flag on false will not prevent execution of the click/tap + // routine. Below array with mixed mode for passing the buttons. // buttonsWithNotifyClick: [ - // 'camera', - // 'chat', - // 'closedcaptions', - // 'desktop', - // 'download', - // 'embedmeeting', - // 'etherpad', - // 'feedback', - // 'filmstrip', - // 'fullscreen', - // 'hangup', - // 'help', - // 'invite', - // 'livestreaming', - // 'microphone', - // 'mute-everyone', - // 'mute-video-everyone', - // 'participants-pane', - // 'profile', - // 'raisehand', - // 'recording', - // 'security', - // 'select-background', - // 'settings', - // 'shareaudio', - // 'sharedvideo', - // 'shortcuts', - // 'stats', - // 'tileview', - // 'toggle-camera', - // 'videoquality', - // '__end' + // 'camera', + // { + // key: 'chat', + // preventExecution: false + // }, + // { + // key: 'closedcaptions', + // preventExecution: true + // }, + // 'desktop', + // 'download', + // 'embedmeeting', + // 'etherpad', + // 'feedback', + // 'filmstrip', + // 'fullscreen', + // 'hangup', + // 'help', + // { + // key: 'invite', + // preventExecution: false + // }, + // 'livestreaming', + // 'microphone', + // 'mute-everyone', + // 'mute-video-everyone', + // 'participants-pane', + // 'profile', + // { + // key: 'raisehand', + // preventExecution: true + // }, + // 'recording', + // 'security', + // 'select-background', + // 'settings', + // 'shareaudio', + // 'sharedvideo', + // 'shortcuts', + // 'stats', + // 'tileview', + // 'toggle-camera', + // 
'videoquality', + // // The add passcode button from the security dialog. + // { + // key: 'add-passcode', + // preventExecution: false + // } + // '__end' // ], // List of pre meeting screens buttons to hide. The values must be one or more of the 5 allowed buttons: @@ -683,6 +743,9 @@ var config = { // Enables detecting faces of participants and get their expression and send it to other participants // enableFacialRecognition: true, + // Enables displaying facial expressions in speaker stats + // enableDisplayFacialExpressions: true, + // Controls the percentage of automatic feedback shown to participants when callstats is enabled. // The default value is 100%. If set to 0, no automatic feedback will be requested // feedbackPercentage: 100, @@ -986,6 +1049,14 @@ var config = { */ // dynamicBrandingUrl: '', + // Options related to the breakout rooms feature. + // breakoutRooms: { + // // Hides the add breakout room button. This replaces `hideAddRoomButton`. + // hideAddRoomButton: false, + // // Hides the join breakout room button. + // hideJoinRoomButton: false + // }, + // When true the user cannot add more images to be used as virtual background. // Only the default ones from will be available. // disableAddingBackgroundImages: false, 
@@ -1004,14 +1075,15 @@ var config = { // If true, tile view will not be enabled automatically when the participants count threshold is reached. // disableTileView: true, - // If true, the tiles will be displayed contained within the available space rather than enlarged to cover it. + // If true, the tiles will be displayed contained within the available space rather than enlarged to cover it, + // with a 16:9 aspect ratio (old behaviour). // disableTileEnlargement: true, // Controls the visibility and behavior of the top header conference info labels. // If a label's id is not in any of the 2 arrays, it will not be visible at all on the header. // conferenceInfo: { // // those labels will not be hidden in tandem with the toolbox. - // alwaysVisible: ['recording', 'local-recording'], + // alwaysVisible: ['recording', 'local-recording', 'raised-hands-count'], // // those labels will be auto-hidden in tandem with the toolbox buttons. // autoHide: [ // 'subject', @@ -1025,10 +1097,10 @@ var config = { // }, // Hides the conference subject - // hideConferenceSubject: true, + // hideConferenceSubject: false, // Hides the conference timer. - // hideConferenceTimer: true, + // hideConferenceTimer: false, // Hides the recording label // hideRecordingLabel: false, @@ -1039,6 +1111,9 @@ var config = { // Sets the conference subject // subject: 'Conference Subject', + // Sets the conference local subject + // localSubject: 'Conference Local Subject', + // This property is related to the use case when jitsi-meet is used via the IFrame API. When the property is true // jitsi-meet will use the local storage of the host page instead of its own. This option is useful if the browser // is not persisting the local storage inside the iframe. @@ -1101,6 +1176,7 @@ var config = { forceJVB121Ratio forceTurnRelay hiddenDomain + hiddenFromRecorderFeatureEnabled ignoreStartMuted websocketKeepAlive websocketKeepAliveUrl 
@@ -1143,10 +1219,14 @@ var config = { // 'lobby.joinRejectedMessage', // shown when while in a lobby, user's request to join is rejected // 'lobby.notificationTitle', // shown when lobby is toggled and when join requests are allowed / denied // 'localRecording.localRecording', // shown when a local recording is started + // 'notify.chatMessages', // shown when receiving chat messages while the chat window is closed // 'notify.disconnected', // shown when a participant has left // 'notify.connectedOneMember', // show when a participant joined // 'notify.connectedTwoMembers', // show when two participants joined simultaneously // 'notify.connectedThreePlusMembers', // show when more than 2 participants joined simultaneously + // 'notify.leftOneMember', // show when a participant left + // 'notify.leftTwoMembers', // show when two participants left simultaneously + // 'notify.leftThreePlusMembers', // show when more than 2 participants left simultaneously // 'notify.grantedTo', // shown when moderator rights were granted to a participant // 'notify.invitedOneMember', // shown when 1 participant has been invited // 'notify.invitedThreePlusMembers', // shown when 3+ participants have been invited @@ -1161,6 +1241,7 @@ var config = { // 'notify.mutedTitle', // shown when user has been muted upon joining, // 'notify.newDeviceAudioTitle', // prompts the user to use a newly detected audio device // 'notify.newDeviceCameraTitle', // prompts the user to use a newly detected camera + // 'notify.participantWantsToJoin', // shown when lobby is enabled and participant requests to join meeting // 'notify.passwordRemovedRemotely', // shown when a password has been removed remotely // 'notify.passwordSetRemotely', // shown when a password has been set remotely // 'notify.raisedHand', // shown when a partcipant used raise hand, 
@@ -1184,6 +1265,13 @@ var config = { // Prevent the filmstrip from autohiding when screen width is under a certain threshold // disableFilmstripAutohiding: false, + // filmstrip: { + // // Disables user resizable filmstrip. Also, allows configuration of the filmstrip + // // (width, tiles aspect ratios) through the interfaceConfig options. + // disableResizable: false, + // } + + // Specifies whether the chat emoticons are disabled or not // disableChatSmileys: false, diff --git a/type/__jitsi_meet_domain/files/interface_config.js.sh b/type/__jitsi_meet_domain/files/interface_config.js.sh index abcf68b..094cc6e 100644 --- a/type/__jitsi_meet_domain/files/interface_config.js.sh +++ b/type/__jitsi_meet_domain/files/interface_config.js.sh @@ -37,7 +37,7 @@ var interfaceConfig = { CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it - DEFAULT_BACKGROUND: '#474747', + DEFAULT_BACKGROUND: '#040404', DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}', DEFAULT_WELCOME_PAGE_LOGO_URL: '${BRANDING_WATERMARK_PATH}', diff --git a/type/__jitsi_meet_domain/files/interface_config.js.sh.orig b/type/__jitsi_meet_domain/files/interface_config.js.sh.orig index c3a76af..cf97296 100644 --- a/type/__jitsi_meet_domain/files/interface_config.js.sh.orig +++ b/type/__jitsi_meet_domain/files/interface_config.js.sh.orig @@ -26,7 +26,7 @@ var interfaceConfig = { CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it - DEFAULT_BACKGROUND: '#474747', + DEFAULT_BACKGROUND: '#040404', DEFAULT_LOGO_URL: 'images/watermark.svg', DEFAULT_WELCOME_PAGE_LOGO_URL: 'images/watermark.svg', From a1b3a034c729d557e3e2d601000a74abbbcdbdf7 Mon Sep 17 00:00:00 2001 
From: Evilham Date: Thu, 10 Mar 2022 21:28:28 +0100 Subject: [PATCH 18/47] [__jitsi_meet_domain] Support the --state parameter This enables removing domains in a simple fashion. Closes #3. --- type/__jitsi_meet_domain/man.rst | 4 +++ type/__jitsi_meet_domain/manifest | 30 +++++++++++++++++-- .../parameter/default/state | 1 + type/__jitsi_meet_domain/parameter/optional | 1 + 4 files changed, 33 insertions(+), 3 deletions(-) create mode 100644 type/__jitsi_meet_domain/parameter/default/state diff --git a/type/__jitsi_meet_domain/man.rst b/type/__jitsi_meet_domain/man.rst index ff78287..b035555 100644 --- a/type/__jitsi_meet_domain/man.rst +++ b/type/__jitsi_meet_domain/man.rst @@ -60,6 +60,10 @@ start-video-muted Defaults to 10. +state + Whether the domain is 'present' or 'absent', defaults to 'present'. + + turn-server The TURN server to be used. Defaults to `__target_host`. diff --git a/type/__jitsi_meet_domain/manifest b/type/__jitsi_meet_domain/manifest index 5c92c1c..87af1b9 100755 --- a/type/__jitsi_meet_domain/manifest +++ b/type/__jitsi_meet_domain/manifest @@ -21,6 +21,7 @@ VIDEO_CONSTRAINTS="$(cat "${__object}/parameter/video-constraints")" BRANDING_INDEX="$(cat "${__object}/parameter/branding-index")" BRANDING_JSON="$(cat "${__object}/parameter/branding-json")" BRANDING_WATERMARK="$(cat "${__object}/parameter/branding-watermark")" +STATE="$(cat "${__object}/parameter/state")" if [ "${BRANDING_INDEX}" = "-" ]; then BRANDING_INDEX="${__object}/stdin" 
@@ -47,11 +48,31 @@ if [ -n "${BRANDING_JSON}" ]; then DYNAMIC_BRANDING_URL="/branding.json" fi +case "${STATE}" in + present) + # When adding the domain, Let's Encrypt must come before nginx + le_require="" + nginx_require="__letsencrypt_cert/${DOMAIN}" + ;; + absent) + # When removing, nginx must come before Let's Encrypt + le_require="__file/etc/nginx/sites-enabled/${DOMAIN}.conf" + nginx_require="" + ;; + *) + cat >> /dev/stderr <<-EOM + Unsupported state '${STATE}', must be 'present' or 'absent'. + EOM + exit 1 + ;; +esac + # # Deal with certbot # # use object id as domain -__letsencrypt_cert "${DOMAIN}" \ +require="${le_require}" __letsencrypt_cert "${DOMAIN}" \ + --state "${STATE}" \ --admin-email "${ADMIN_EMAIL}" \ --deploy-hook "service nginx reload" \ --webroot /usr/share/jitsi-meet @@ -59,8 +80,9 @@ __letsencrypt_cert "${DOMAIN}" \ # Create virtualhost for nginx # shellcheck source=type/__jitsi_meet_domain/files/nginx.sh . "${__type}/files/nginx.sh" # This defines JITSI_NGINX_CONFIG -require="__letsencrypt_cert/${DOMAIN}" __file \ +require="${nginx_require}" __file \ "/etc/nginx/sites-enabled/${DOMAIN}.conf" \ + --state "${STATE}" \ --mode 0644 --source "-" < Date: Mon, 14 Mar 2022 15:30:11 +0100 Subject: [PATCH 19/47] [__jitsi_meet]: Fix deprecated usage of __debconf_set_selections. Replace the --file parameter with the --line parameter, as recommended since cdist 6.9.6. --- type/__jitsi_meet/manifest | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest index 279444a..599af18 100755 --- a/type/__jitsi_meet/manifest +++ b/type/__jitsi_meet/manifest 
@@ -51,9 +51,7 @@ export require="${require} __apt_source/jitsi_meet __apt_update_index" # Pre-feed debconf settings, so Jitsi's installation has a good config # shellcheck source=type/__jitsi_meet/files/debconf_settings.sh . "${__type}/files/debconf_settings.sh" # This defines DEBCONF_SETTINGS -__debconf_set_selections jitsi_meet --file - < Date: Mon, 14 Mar 2022 16:15:58 +0100 Subject: [PATCH 20/47] [__nginx_vhost]: follow Alpine vhost default directory change. Since nginx package version v1.10.1-r3, Alpine packagers have changed the default vhost directory from conf.d to http.d [0]. This reflects this change. [0]: alpine package commit 383ba9c0a200ed1f4b11d7db74207526ad90bbe3 --- type/__nginx_vhost/manifest | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/type/__nginx_vhost/manifest b/type/__nginx_vhost/manifest index f9ad84d..8b010f8 100644 --- a/type/__nginx_vhost/manifest +++ b/type/__nginx_vhost/manifest @@ -32,7 +32,7 @@ case "$os" in require="$install_reqs" __start_on_boot nginx - export NGINX_SITEDIR="$nginx_confdir/conf.d" + export NGINX_SITEDIR="$nginx_confdir/http.d" export NGINX_CERTDIR="$nginx_confdir/ssl" export NGINX_SNIPPETSDIR="$nginx_confdir/snippets" export NGINX_WEBROOT="/var/www" @@ -158,6 +158,7 @@ for snippet in hsts 301-to-https; do done # Install vhost. -require="$install_reqs" __file "$NGINX_SITEDIR/$__object_id.conf" \ +require="$install_reqs" __directory "$NGINX_SITEDIR" +require="__directory/$NGINX_SITEDIR" __file "$NGINX_SITEDIR/$__object_id.conf" \ --source "$vhost_conf" \ --mode 0644 From fa37ede84fd53fa0902cb74ab13dae5989cb5494 Mon Sep 17 00:00:00 2001 
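Review bot: The switch from `conf.d` to `http.d` in the first `__nginx_vhost` hunk is unconditional, while the commit message ties it to the Alpine nginx package from 1.10.1-r3 onwards; if this type is still applied to older Alpine releases, the vhost file would land in a directory their stock nginx.conf does not include and the site would silently not be served. Either record the assumption next to the assignment, e.g. `# Alpine nginx >= 1.10.1-r3 reads vhosts from http.d instead of conf.d`, and name the minimum supported release in man.rst, or gate the directory choice on the installed package version via an explorer. The `__directory "$NGINX_SITEDIR"` added in the second hunk carries no explicit `--mode`; since the type now owns the creation of a config directory nginx reads, `--mode 0755` would make its permissions deterministic rather than leaving them to the `__directory` default. The enclosing `case "$os"` arm starts outside the first hunk.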
From: Evilham Date: Sun, 10 Apr 2022 19:45:08 +0200 Subject: [PATCH 21/47] [__jitsi_meet] Unconfuse jitsi-version and secured domains Closes #14 by committing to keeping the package up to date as promptly as possible; else weird things happen and there are no real good solutions for this. E.g. we have seen in the past that due to security issues, a jitsi dependency needs to be upgraded, but some package that jitsi-meet depends upon also has an upper limit on that package's version. A note was added to the manpage in order make it explicit that maintenance of this type can be sponsored to ensure its proper functioning. Closes #15 by using `__file`. This will also allow us to have more control over jicofo's settings, which might be important when we start doing recordings. Sponsored by: lafede.cat --- type/__jitsi_meet/files/jicofo.conf.sh | 34 +++++++++++++++++ .../default => files}/jitsi-version | 0 type/__jitsi_meet/gencode-remote | 2 +- type/__jitsi_meet/man.rst | 18 +++++---- type/__jitsi_meet/manifest | 38 +++++++++---------- .../parameter/deprecated/jitsi-version | 4 ++ 6 files changed, 67 insertions(+), 29 deletions(-) create mode 100755 type/__jitsi_meet/files/jicofo.conf.sh rename type/__jitsi_meet/{parameter/default => files}/jitsi-version (100%) create mode 100644 type/__jitsi_meet/parameter/deprecated/jitsi-version diff --git a/type/__jitsi_meet/files/jicofo.conf.sh b/type/__jitsi_meet/files/jicofo.conf.sh new file mode 100755 index 0000000..61a782a --- /dev/null +++ b/type/__jitsi_meet/files/jicofo.conf.sh @@ -0,0 +1,34 @@ +#!/bin/sh -eu + +# Start +cat < COPYING ------- -Copyright \(C) 2021 Evilham. +Copyright \(C) 2022 Evilham. diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest index 599af18..e9ed5c6 100755 --- a/type/__jitsi_meet/manifest +++ b/type/__jitsi_meet/manifest 
@@ -13,8 +13,13 @@ esac JITSI_HOST="${__target_host}" -# Currently unused, see below -# JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")" +if [ -f "${__object}/parameter/jitsi-version" ]; then + # This has been deprecated and will be removed 'soon' + JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")" +else + # Note this won't be a parameter anymore, we won't let users stay behind + JITSI_VERSION="$(cat "${__type}/files/jitsi-version")" +fi TURN_SERVER="$(cat "${__object}/parameter/turn-server")" TURN_SECRET="$(cat "${__object}/parameter/turn-secret")" @@ -55,11 +60,12 @@ __debconf_set_selections jitsi_meet --line "${DEBCONF_SETTINGS}" export require="${require} __debconf_set_selections/jitsi_meet" # Install and upgrade packages as needed -__package_apt jitsi-meet -# We are not doing version pinning anymore because it breaks when -# the version is not the latest. -# This happens because dependencies cannot be properly resolved. -# --version "${JITSI_VERSION}" +# NOTE: we are doing version pinning again, but it breaks sometimes when +# the version is not the latest. +# This happens because dependencies might not be properly resolved. +# To avoid this, this type must be maintained up to date. +# If we don't use this, keeping Jitsi's up to date is very difficult. +__package_apt jitsi-meet --version "${JITSI_VERSION}" # Proceed only after installation/upgrade has finished export require="__package_apt/jitsi-meet" @@ -151,10 +157,8 @@ EOF if [ -f "${__object}/parameter/secured-domains" ]; then SECURED_DOMAINS_STATE='present' - SECURED_DOMAINS_STATE_JICOFO='present' else SECURED_DOMAINS_STATE='absent' - SECURED_DOMAINS_STATE_JICOFO='absent' fi __file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \ 
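Review bot: The deprecated `--jitsi-version` branch in the first hunk overrides the type-maintained version silently, which undercuts the commit's goal of not letting users stay behind; a one-line warning on stderr would tell operators that their own pin is what keeps them on an older release, e.g. `printf 'WARNING: --jitsi-version is deprecated; it overrides the version maintained in files/jitsi-version\n' >&2`. With the pin in the second hunk, `__package_apt jitsi-meet --version "${JITSI_VERSION}"`, security fixes now reach hosts only when `files/jitsi-version` is bumped, so the comment block above the pin should name that file explicitly so the maintenance obligation is visible where the pin is. Whether `__package_apt` will downgrade an already-newer installed package to an older user-supplied pin is not visible here and worth confirming before the deprecated path is removed.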
@@ -169,18 +173,10 @@ VirtualHost "guest.${JITSI_HOST}" c2s_require_encryption = false EOF -__block jitsi_jicofo_secured_domains \ - --prefix "// begin cdist: jicofo_secured_domains" \ - --suffix "// end cdist: jicofo_secured_domains" \ - --file /etc/jitsi/jicofo/jicofo.conf \ - --state "${SECURED_DOMAINS_STATE_JICOFO}" \ - --text '-' < Date: Sat, 16 Apr 2022 13:22:16 +0200 Subject: [PATCH 22/47] [__jitsi_meet_domain] Simplify logic for secured domains --- type/__jitsi_meet_domain/files/config.js.sh | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/type/__jitsi_meet_domain/files/config.js.sh b/type/__jitsi_meet_domain/files/config.js.sh index 58df3fc..7fec422 100644 --- a/type/__jitsi_meet_domain/files/config.js.sh +++ b/type/__jitsi_meet_domain/files/config.js.sh @@ -13,14 +13,8 @@ var config = { domain: '${JITSI_HOST}', // When using authentication, domain for guest users. -$( if [ -n "${SECURED_DOMAINS}" ]; then cat<. // authdomain: '${JITSI_HOST}', From a12b343660254f5135aba81013d8ad80f161c21d Mon Sep 17 00:00:00 2001 From: Evilham Date: Thu, 21 Apr 2022 13:13:12 +0200 Subject: [PATCH 23/47] [__jitsi_meet_domain] Add analytics settings parameter with this, admins can take advantage of e.g. matomo to have some usage statistics. The parameter defaults to `disabled: true`, which is the most privacy-friendly! Sponsored by: camilion.eu --- type/__jitsi_meet_domain/files/config.js.sh | 1 + type/__jitsi_meet_domain/man.rst | 5 +++++ type/__jitsi_meet_domain/manifest | 1 + .../__jitsi_meet_domain/parameter/default/analytics-settings | 1 + type/__jitsi_meet_domain/parameter/optional | 1 + 5 files changed, 9 insertions(+) create mode 100644 type/__jitsi_meet_domain/parameter/default/analytics-settings diff --git a/type/__jitsi_meet_domain/files/config.js.sh b/type/__jitsi_meet_domain/files/config.js.sh index 7fec422..506e62d 100644 --- a/type/__jitsi_meet_domain/files/config.js.sh +++ b/type/__jitsi_meet_domain/files/config.js.sh 
@@ -817,6 +817,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) }, analytics: { +${ANALYTICS_SETTINGS} // True if the analytics should be disabled // disabled: false, diff --git a/type/__jitsi_meet_domain/man.rst b/type/__jitsi_meet_domain/man.rst index b035555..dd8c852 100644 --- a/type/__jitsi_meet_domain/man.rst +++ b/type/__jitsi_meet_domain/man.rst @@ -41,6 +41,11 @@ admin-email OPTIONAL PARAMETERS ------------------- +analytics-settings + This goes inside the `analytics` part of `config.js`. + Defaults to: `disabled: true`. + See: https://github.com/jitsi/jitsi-meet/blob/master/config.js + channel-last-n Default value for the "last N" attribute. Defaults to 20. Set to -1 for unlimited. diff --git a/type/__jitsi_meet_domain/manifest b/type/__jitsi_meet_domain/manifest index 87af1b9..abc8a1a 100755 --- a/type/__jitsi_meet_domain/manifest +++ b/type/__jitsi_meet_domain/manifest @@ -18,6 +18,7 @@ NOTICE_MESSAGE="$(cat "${__object}/parameter/notice-message")" START_VIDEO_MUTED="$(cat "${__object}/parameter/start-video-muted")" TURN_SERVER="$(cat "${__object}/parameter/turn-server")" VIDEO_CONSTRAINTS="$(cat "${__object}/parameter/video-constraints")" +ANALYTICS_SETTINGS="$(cat "${__object}/parameter/analytics-settings")" BRANDING_INDEX="$(cat "${__object}/parameter/branding-index")" BRANDING_JSON="$(cat "${__object}/parameter/branding-json")" BRANDING_WATERMARK="$(cat "${__object}/parameter/branding-watermark")" diff --git a/type/__jitsi_meet_domain/parameter/default/analytics-settings b/type/__jitsi_meet_domain/parameter/default/analytics-settings new file mode 100644 index 0000000..561a7d6 --- /dev/null +++ b/type/__jitsi_meet_domain/parameter/default/analytics-settings @@ -0,0 +1 @@ + disabled: true diff --git a/type/__jitsi_meet_domain/parameter/optional b/type/__jitsi_meet_domain/parameter/optional index ce50f0d..1289b85 100644 --- a/type/__jitsi_meet_domain/parameter/optional +++ b/type/__jitsi_meet_domain/parameter/optional 
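Review bot: `${ANALYTICS_SETTINGS}` in the first hunk is expanded verbatim into the generated `config.js`, so a value that is not valid JS object-member syntax, or one that omits a trailing comma when real members follow it inside `analytics`, breaks the whole config for that domain rather than just the analytics block. A short template comment would make that contract visible, e.g. `// NOTE [cdist]: --analytics-settings is inserted verbatim below and must be valid JS object members`, and the man.rst hunk could state the same. Since this file is presumably served to every client, the man page should also say the parameter's contents are public, so only values meant to be client-visible belong there. The `disabled: true` default keeps analytics off unless an operator opts in, which is the right baseline.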
@@ -1,3 +1,4 @@ +analytics-settings channel-last-n default-language notice-message From 87cc109bf1753d4a10ca7b9143b6a655cd4d1baa Mon Sep 17 00:00:00 2001 From: Evilham Date: Thu, 21 Apr 2022 13:20:30 +0200 Subject: [PATCH 24/47] [__jitsi_meet*] Make rooms on different domains not equivalent This is a backwards-compatible change. We switch the approach from "treat all domains as if they were the main domain" to: "each domain has its own prosody settings". This works perfectly fine, even with secured domains. There is a caveat with secured domains, in that they use the main domain to log in; this means that users are shared across all domains (as they were before this commit). This is due to jicofo refusing to start meetings from a domain that is not configured, and it only accepting one domain. Right now, this is acceptable, however we could want to authenticate against e.g. different LDAP / IMAP servers in the future, so this would need addressing at that stage. Probably the best way to solve it is by patching jicofo, so it accepts starting conferences from multiple domains and getting that patch upstream. Sponsored by: camilion.eu, eXO.cat --- type/__jitsi_meet/files/prosody.cfg.lua.sh | 1 + type/__jitsi_meet/gencode-remote | 3 +- type/__jitsi_meet/manifest | 24 ++- .../files/_update_jitsi_configurations.sh | 1 + type/__jitsi_meet_domain/files/config.js.sh | 19 +- type/__jitsi_meet_domain/files/nginx.sh | 4 +- .../files/prosody.cfg.lua.sh | 199 ++++++++++++++++++ .../files/prosody.cfg.lua.sh.orig | 129 ++++++++++++ type/__jitsi_meet_domain/man.rst | 18 +- type/__jitsi_meet_domain/manifest | 35 +++ 10 files changed, 403 insertions(+), 30 deletions(-) create mode 120000 type/__jitsi_meet/files/prosody.cfg.lua.sh create mode 100644 type/__jitsi_meet_domain/files/prosody.cfg.lua.sh create mode 100644 type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig 
diff --git a/type/__jitsi_meet/files/prosody.cfg.lua.sh b/type/__jitsi_meet/files/prosody.cfg.lua.sh new file mode 120000 index 0000000..93678b9 --- /dev/null +++ b/type/__jitsi_meet/files/prosody.cfg.lua.sh @@ -0,0 +1 @@ +../../__jitsi_meet_domain/files/prosody.cfg.lua.sh \ No newline at end of file diff --git a/type/__jitsi_meet/gencode-remote b/type/__jitsi_meet/gencode-remote index 7d181b7..670c7be 100755 --- a/type/__jitsi_meet/gencode-remote +++ b/type/__jitsi_meet/gencode-remote @@ -4,8 +4,7 @@ if grep -qE "^__file/etc/nginx" "${__messages_in}"; then echo "service nginx reload" fi -JITSI_HOST="${__object_id}" -if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua|__file/etc/jitsi/jicofo/jicofo.conf)" "${__messages_in}"; then +if grep -qE "^(__line/jitsi_jicofo_secured_domains|(__file|__link)/etc/prosody/conf.d/|__file/etc/jitsi/jicofo/jicofo.conf)" "${__messages_in}"; then echo "systemctl restart prosody" echo "systemctl restart jicofo" echo "systemctl restart jitsi-videobridge2" diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest index e9ed5c6..02716a0 100755 --- a/type/__jitsi_meet/manifest +++ b/type/__jitsi_meet/manifest @@ -161,18 +161,22 @@ else SECURED_DOMAINS_STATE='absent' fi -__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \ - --owner prosody --group prosody --mode 0440 \ - --state ${SECURED_DOMAINS_STATE} \ - --source - <. - // authdomain: '${JITSI_HOST}', + // NOTE [cdist]: if we use '${DOMAIN}', jicofo won't start the meeting + authdomain: '${JITSI_HOST}', // Focus component domain. Defaults to focus.. - // focus: 'focus.${JITSI_HOST}', + focus: 'focus.${JITSI_HOST}', // XMPP MUC domain. FIXME: use XEP-0030 to discover it. - muc: 'conference.${JITSI_HOST}' + muc: 'conference.${DOMAIN}' }, // BOSH URL. FIXME: use XEP-0156 to discover it. 
@@ -31,12 +32,12 @@ var config = { bosh: '///http-bind', // Websocket URL - // websocket: 'wss://${JITSI_HOST}/xmpp-websocket', + // websocket: 'wss://${DOMAIN}/xmpp-websocket', // The real JID of focus participant - can be overridden here // Do not change username - FIXME: Make focus username configurable // https://github.com/jitsi/jitsi-meet/issues/7376 - // focusUserJid: 'focus@auth.${JITSI_HOST}', + focusUserJid: 'focus@auth.${JITSI_HOST}', // Testing / experimental features. @@ -270,9 +271,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // appKey: '' // Specify your app key here. // // A URL to redirect the user to, after authenticating // // by default uses: - // // 'https://${JITSI_HOST}/static/oauth.html' + // // 'https://${DOMAIN}/static/oauth.html' // redirectURI: - // 'https://${JITSI_HOST}/subfolder/static/oauth.html' + // 'https://${DOMAIN}/subfolder/static/oauth.html' // }, // When integrations like dropbox are enabled only that will be shown, // by enabling fileRecordingsServiceEnabled, we show both the integrations diff --git a/type/__jitsi_meet_domain/files/nginx.sh b/type/__jitsi_meet_domain/files/nginx.sh index 6e874c1..e678dce 100644 --- a/type/__jitsi_meet_domain/files/nginx.sh +++ b/type/__jitsi_meet_domain/files/nginx.sh @@ -100,7 +100,7 @@ server { proxy_set_header X-Forwarded-For \$remote_addr; # Prevision for 'multi-domain' jitsi instances # https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391 - proxy_set_header Host ${JITSI_HOST}; + proxy_set_header Host ${DOMAIN}; } # xmpp websockets @@ -111,7 +111,7 @@ server { proxy_set_header Connection "upgrade"; # Prevision for 'multi-domain' jitsi instances # https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391 - proxy_set_header Host ${JITSI_HOST}; + proxy_set_header Host ${DOMAIN}; tcp_nodelay on; } 
diff --git a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh new file mode 100644 index 0000000..928ce32 --- /dev/null +++ b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh @@ -0,0 +1,199 @@ +#!/bin/sh -eu + +# Source: +# https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example +FOCUS_USER="focus" +JITSI_DOMAIN="${JITSI_DOMAIN:-${JITSI_HOST:?}}" +# PROSODY_MAIN_CONFIG: defined in __jitsi_meet, empty in __jitsi_meet_domain +PROSODY_SECUREDOMAIN_START="--[[" +PROSODY_SECUREDOMAIN_END="--]]" +if [ -n "${PROSODY_MAIN_CONFIG}" ]; then + PROSODY_MAIN_START="" + PROSODY_MAIN_END="" + PROSODY_DOMAIN_START="--[[" + PROSODY_DOMAIN_END="--]]" +else + PROSODY_MAIN_START="--[[" + PROSODY_MAIN_END="--]]" + PROSODY_DOMAIN_START="" + PROSODY_DOMAIN_END="" + if [ -n "${SECURED_DOMAINS}" ]; then + PROSODY_SECUREDOMAIN_START="" + PROSODY_SECUREDOMAIN_END="" + fi +fi +# Websockets haven't been fully tested in this type and don't work reliably +PROSODY_WEBSOCKET="-- " + +# shellcheck disable=SC2034 # This is intended to be included +PROSODY_CONFIG="$(cat < Date: Thu, 21 Apr 2022 14:34:33 +0200 Subject: [PATCH 25/47] [__jitsi_meet] Adapt jicofo and videobridge memory usage This enables us to setup smaller jitsi instances that work reliably. We set 3 threshholds: - < 3G RAM: use 0.75G max memory - < 5G RAM: use 1G max memory - < 8G RAM: use 2G max memory - >= 8G RAM: use 3G max memory (jitsi's default) For more information as to why and how this is done, see: https://gitlab.com/guifi-exo/projectes/-/issues/318 https://github.com/jitsi/jitsi-meet/issues/6589 as investigated back in the day by @pedro Sponsored by: camilion.eu, eXO.cat --- type/__jitsi_meet/explorer/configured-memory | 15 +++++++++ type/__jitsi_meet/gencode-remote | 33 ++++++++++++++++++++ type/__jitsi_meet/man.rst | 2 ++ 3 files changed, 50 insertions(+) create mode 100755 type/__jitsi_meet/explorer/configured-memory 
diff --git a/type/__jitsi_meet/explorer/configured-memory b/type/__jitsi_meet/explorer/configured-memory new file mode 100755 index 0000000..658f94b --- /dev/null +++ b/type/__jitsi_meet/explorer/configured-memory @@ -0,0 +1,15 @@ +#!/bin/sh -eu + +JICOFO="/usr/share/jicofo/jicofo.sh" +VIDEOBRIDGE="/usr/share/jitsi-videobridge/lib/videobridge.rc" + +if [ -f "${JICOFO:?}" ]; then + jicofo_memory="$(grep JICOFO_MAX_MEMORY= "${JICOFO:?}" | cut -d= -f 2 | cut -d ";" -f 1)" +fi +if [ -f "${VIDEOBRIDGE:?}" ]; then + vb_memory="$(grep VIDEOBRIDGE_MAX_MEMORY= "${VIDEOBRIDGE:?}" | cut -d= -f 2)" +fi +cat < Date: Thu, 21 Apr 2022 14:44:10 +0200 Subject: [PATCH 26/47] [__jitsi_meet] Fix adjustment of jicofo's max memory Leftover from last commit >,< Sponsored by: camilion.eu, eXO.cat --- type/__jitsi_meet/gencode-remote | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/type/__jitsi_meet/gencode-remote b/type/__jitsi_meet/gencode-remote index d939347..435bbf4 100755 --- a/type/__jitsi_meet/gencode-remote +++ b/type/__jitsi_meet/gencode-remote @@ -24,7 +24,7 @@ if cut -f 2 "${__object}/explorer/configured-memory" | grep -qvE "^${MAX_MEMORY} -e 's!^(#[[:space:]]*)?(VIDEOBRIDGE_MAX_MEMORY)=.*\$!\2=${MAX_MEMORY}!' \ /usr/share/jitsi-videobridge/lib/videobridge.rc sed -i.tmp -E \ - -e 's!^(JICOFO_MAX_MEMORY)[^;]+;!\1=${MAX_MEMORY};!' \ + -e 's!(JICOFO_MAX_MEMORY)[^;]+;!\1=${MAX_MEMORY};!' \ /usr/share/jicofo/jicofo.sh EOF fi From 1658121549dd902714cc0751758e95b0830dc592 Mon Sep 17 00:00:00 2001 
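Review bot: `sed -i.tmp` in the gencode-remote hunk `@@ -24,7 +24,7 @@` (and on the `videobridge.rc` edit just above it) leaves `jicofo.sh.tmp` and `videobridge.rc.tmp` behind in `/usr/share/jicofo` and `/usr/share/jitsi-videobridge/lib` every time the memory limit is adjusted, and nothing removes them; the types appear to target a Debian host with GNU sed, so `sed -i -E` without a suffix would do, or add `rm -f /usr/share/jicofo/jicofo.sh.tmp` after the edit. Dropping the `^` anchor also makes the expression rewrite `JICOFO_MAX_MEMORY` wherever it appears on a line, up to the next `;`, which is presumably wanted for an indented or prefixed assignment; a one-line comment naming the line of jicofo.sh it targets would help the next maintainer, especially since the same expression is revised again in commit 28's hunk `@@ -24,7 +24,7 @@` (`[^";]+`), which should carry the same comment. The `if` that wraps this heredoc starts outside the hunk.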
From: Evilham Date: Thu, 21 Apr 2022 15:52:47 +0200 Subject: [PATCH 27/47] [__jitsi_meet*] Update to 2.0.7210 While there, make things a tad easier to maintain. Note that in this version, jitsi switches to using nginx upstreams; it shouldn't be relevant for instances fully managed with these types. Sponsored by: camilion.eu, eXO.cat --- type/__jitsi_meet/files/jitsi-version | 2 +- type/__jitsi_meet/manifest | 21 ++++ .../files/_update_jitsi_configurations.sh | 6 +- type/__jitsi_meet_domain/files/config.js.sh | 99 ++++++++++++++--- .../files/config.js.sh.orig | 100 +++++++++++++++--- type/__jitsi_meet_domain/files/jitsi-version | 1 + type/__jitsi_meet_domain/files/nginx.sh | 21 +++- type/__jitsi_meet_domain/files/nginx.sh.orig | 18 +++- .../files/prosody.cfg.lua.sh | 10 ++ .../files/prosody.cfg.lua.sh.orig | 10 ++ 10 files changed, 246 insertions(+), 42 deletions(-) mode change 100644 => 120000 type/__jitsi_meet/files/jitsi-version create mode 100644 type/__jitsi_meet_domain/files/jitsi-version diff --git a/type/__jitsi_meet/files/jitsi-version b/type/__jitsi_meet/files/jitsi-version deleted file mode 100644 index 4b02224..0000000 --- a/type/__jitsi_meet/files/jitsi-version +++ /dev/null @@ -1 +0,0 @@ -2.0.7001-1 diff --git a/type/__jitsi_meet/files/jitsi-version b/type/__jitsi_meet/files/jitsi-version new file mode 120000 index 0000000..179d1a4 --- /dev/null +++ b/type/__jitsi_meet/files/jitsi-version @@ -0,0 +1 @@ +../../__jitsi_meet_domain/files/jitsi-version \ No newline at end of file diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest index 02716a0..6a9d962 100755 --- a/type/__jitsi_meet/manifest +++ b/type/__jitsi_meet/manifest 
@@ -155,6 +155,27 @@ server { } EOF +# Starting from 2.0.7210, jitsi defines following nginx upstreams +__directory "${NGINX_ETC}/conf.d" --state present +require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/prosody.conf" \ + --mode 644 \ + --source - << EOF +upstream prosody { + zone upstreams 64K; + server 127.0.0.1:5280; + keepalive 2; +} +EOF +require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/jvb1.conf" \ + --mode 644 \ + --source - << EOF +upstream jvb1 { + zone upstreams 64K; + server 127.0.0.1:9090; + keepalive 2; +} +EOF + if [ -f "${__object}/parameter/secured-domains" ]; then SECURED_DOMAINS_STATE='present' else diff --git a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh index 1b40768..12c405b 100755 --- a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh +++ b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh @@ -7,7 +7,7 @@ # We could automate this, but are using it as an indicator for the # latest branch with which we conciliated changes. -BRANCH="jitsi-meet_7001" +BRANCH="jitsi-meet_7210" REPO="https://github.com/jitsi/jitsi-meet" get_url() { @@ -29,3 +29,7 @@ download_file config.js download_file interface_config.js download_file doc/debian/jitsi-meet/jitsi-meet.example nginx.sh.orig download_file doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example prosody.cfg.lua.sh.orig + +# Change the version file, maintainers should check that it matches +# the deb version +printf "2.0.${BRANCH#*_}-1" > jitsi-version diff --git a/type/__jitsi_meet_domain/files/config.js.sh b/type/__jitsi_meet_domain/files/config.js.sh index 357d720..0eca916 100644 --- a/type/__jitsi_meet_domain/files/config.js.sh +++ b/type/__jitsi_meet_domain/files/config.js.sh 
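Review bot: `printf "2.0.${BRANCH#*_}-1" > jitsi-version` in the `_update_jitsi_configurations.sh` hunk `@@ -29,3 +29,7 @@` passes the expanded value as the printf format string; it is harmless while `BRANCH` is a constant, but the idiomatic form is `printf '2.0.%s-1' "${BRANCH#*_}" > jitsi-version`, which keeps the deliberate absence of a trailing newline that the new `jitsi-version` file shows. The comment above it asks maintainers to check the value against the deb version; stating there that the trailing `-1` is the package revision and is not derived from `BRANCH` would make clear which part needs the manual check.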
@@ -85,6 +85,10 @@ var config = { flags: { // Enables source names in the signaling. // sourceNameSignaling: false, + + // Enables sending multiple video streams, i.e., camera and desktop tracks can be shared in the conference + // separately as two different streams instead of one composite stream. + // sendMultipleVideoStreams: false }, // Disables moderator indicators. @@ -481,6 +485,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // If Lobby is enabled starts knocking automatically. // autoKnockLobby: false, + // Enable lobby chat. + // enableLobbyChat: true, + // DEPRECATED! Use \`breakoutRooms.hideAddRoomButton\` instead. // Hides add breakout room button // hideAddRoomButton: false, @@ -520,7 +527,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Hides the dominant speaker name badge that hovers above the toolbox // hideDominantSpeakerBadge: false, - // Default language for the user interface. + // Default language for the user interface. Cannot be overwritten. defaultLanguage: '${DEFAULT_LANGUAGE}', // Disables profile and the edit of all fields from the profile settings (display name and email) @@ -607,7 +614,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // 'fullscreen', // 'hangup', // 'help', + // 'highlight', // 'invite', + // 'linktosalesforce', // 'livestreaming', // 'microphone', // 'mute-everyone', @@ -639,7 +648,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // timeout: 4000, // // Moved from interfaceConfig.TOOLBAR_ALWAYS_VISIBLE // // Whether toolbar should be always visible or should hide after x miliseconds. - // alwaysVisible: false + // alwaysVisible: false, + // // Indicates whether the toolbar should still autohide when chat is open + // autoHideWhileChatIsOpen: false // }, // Toolbar buttons which have their click/tap event exposed through the API on 
@@ -748,11 +759,22 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi) // Enables sending participants' emails (if available) to callstats and other analytics // enableEmailInStats: false, - // Enables detecting faces of participants and get their expression and send it to other participants - // enableFacialRecognition: true, + // faceLandmarks: { + // // Enables sharing your face cordinates. Used for centering faces within a video. + // enableFaceCentering: false, - // Enables displaying facial expressions in speaker stats - // enableDisplayFacialExpressions: true, + // // Enables detecting face expressions and sharing data with other participants + // enableFaceExpressionsDetection: false, + + // // Enables displaying face expressions in speaker stats + // enableDisplayFaceExpressions: false, + + // // Minimum required face movement percentage threshold for sending new face centering coordinates data. + // faceCenteringThreshold: 10, + + // // Miliseconds for processing a new image capture in order to detect face coordinates if they exist. + // captureInterval: 100 + // }, // Controls the percentage of automatic feedback shown to participants when callstats is enabled. // The default value is 100%. If set to 0, no automatic feedback will be requested 
@@ -940,14 +962,18 @@ ${ANALYTICS_SETTINGS} // Options related to end-to-end (participant to participant) ping. // e2eping: { - // // The interval in milliseconds at which pings will be sent. - // // Defaults to 10000, set to <= 0 to disable. - // pingInterval: 10000, + // // Whether ene-to-end pings should be enabled. + // enabled: false, // - // // The interval in milliseconds at which analytics events - // // with the measured RTT will be sent. Defaults to 60000, set - // // to <= 0 to disable. - // analyticsInterval: 60000, + // // The number of responses to wait for. + // numRequests: 5, + // + // // The max conference size in which e2e pings will be sent. + // maxConferenceSize: 200, + // + // // The maximum number of e2e ping messages per second for the whole conference to aim for. + // // This is used to contol the pacing of messages in order to reduce the load on the backend. + // maxMessagesPerSecond: 250 // }, // If set, will attempt to use the provided video input device label when 
@@ -989,12 +1015,25 @@ ${ANALYTICS_SETTINGS} // Options related to the remote participant menu. // remoteVideoMenu: { + // // Whether the remote video context menu to be rendered or not. + // disabled: true, // // If set to true the 'Kick out' button will be disabled. // disableKick: true, // // If set to true the 'Grant moderator' button will be disabled. - // disableGrantModerator: true + // disableGrantModerator: true, + // // If set to true the 'Send private message' button will be disabled. + // disablePrivateChat: true // }, + // Endpoint that enables support for salesforce integration with in-meeting resource linking + // This is required for: + // listing the most recent records - salesforceUrl/records/recents + // searching records - salesforceUrl/records?text=${text} + // retrieving record details - salesforceUrl/records/${id}?type=${type} + // and linking the meeting - salesforceUrl/sessions/${sessionId}/records/${id} + // + // salesforceUrl: 'https://api.example.com/', + // If set to true all muting operations of remote participants will be disabled. // disableRemoteMute: true, @@ -1101,7 +1140,8 @@ ${ANALYTICS_SETTINGS} // 'e2ee', // 'transcribing', // 'video-quality', - // 'insecure-room' + // 'insecure-room', + // 'highlight-moment' // ] // }, @@ -1241,6 +1281,7 @@ ${ANALYTICS_SETTINGS} // 'notify.invitedThreePlusMembers', // shown when 3+ participants have been invited // 'notify.invitedTwoMembers', // shown when 2 participants have been invited // 'notify.kickParticipant', // shown when a participant is kicked + // 'notify.linkToSalesforce', // shown when joining a meeting with salesforce integration // 'notify.moderationStartedTitle', // shown when AV moderation is activated // 'notify.moderationStoppedTitle', // shown when AV moderation is deactivated // 'notify.moderationInEffectTitle', // shown when user attempts to unmute audio during AV moderation 
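Review bot: The salesforce comment block added in the config.js.sh hunk `@@ -989,12 +1015,25 @@` contains `${text}`, `${id}`, `${type}` and `${sessionId}`; this file appears to emit its template through an unquoted heredoc (the `$(if [ -n "${VIDEO_CONSTRAINTS}" ] …)` context line is live command substitution, and the earlier hunk escapes backticks as `\`breakoutRooms.hideAddRoomButton\``), so these are shell parameter expansions rather than literal JavaScript: they collapse to empty strings, or abort the script if it runs under `set -u`. Escape them the way the file already escapes backticks, e.g. `// searching records - salesforceUrl/records?text=\${text}`, and likewise on the three following lines. The `.orig` copy at the same position in commit 27 needs no change, since it is not a shell template.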
@@ -1256,6 +1297,7 @@ ${ANALYTICS_SETTINGS} // 'notify.raisedHand', // shown when a partcipant used raise hand, // 'notify.startSilentTitle', // shown when user joined with no audio // 'notify.unmute', // shown to moderator when user raises hand during AV moderation + // 'notify.hostAskedUnmute', // shown to participant when host asks them to unmute // 'prejoin.errorDialOut', // 'prejoin.errorDialOutDisconnected', // 'prejoin.errorDialOutFailed', @@ -1278,12 +1320,37 @@ ${ANALYTICS_SETTINGS} // // Disables user resizable filmstrip. Also, allows configuration of the filmstrip // // (width, tiles aspect ratios) through the interfaceConfig options. // disableResizable: false, - // } + // // Disables the stage filmstrip + // // (displaying multiple participants on stage besides the vertical filmstrip) + // disableStageFilmstrip: false + // }, + + // Tile view related config options. + // tileView: { + // // The optimal number of tiles that are going to be shown in tile view. Depending on the screen size it may + // // not be possible to show the exact number of participants specified here. + // numberOfVisibleTiles: 25 + // }, // Specifies whether the chat emoticons are disabled or not // disableChatSmileys: false, + // Settings for the GIPHY integration. + // giphy: { + // // Whether the feature is enabled or not. + // enabled: false, + // // SDK API Key from Giphy. + // sdkKey: '', + // // Display mode can be one of: + // // - tile: show the GIF on the tile of the participant that sent it. + // // - chat: show the GIF as a message in chat + // // - all: all of the above. This is the default option + // displayMode: 'all', + // // How long the GIF should be displayed on the tile (in miliseconds). + // tileTime: 5000 + // }, + // Allow all above example options to include a trailing comma and // prevent fear when commenting out the last value. makeJsonParserHappy: 'even if last key had a trailing comma' 
diff --git a/type/__jitsi_meet_domain/files/config.js.sh.orig b/type/__jitsi_meet_domain/files/config.js.sh.orig index 0976642..8e4c5bc 100644 --- a/type/__jitsi_meet_domain/files/config.js.sh.orig +++ b/type/__jitsi_meet_domain/files/config.js.sh.orig @@ -1,3 +1,4 @@ + /* eslint-disable no-unused-vars, no-var */ var config = { @@ -78,6 +79,10 @@ var config = { flags: { // Enables source names in the signaling. // sourceNameSignaling: false, + + // Enables sending multiple video streams, i.e., camera and desktop tracks can be shared in the conference + // separately as two different streams instead of one composite stream. + // sendMultipleVideoStreams: false }, // Disables moderator indicators. @@ -473,6 +478,9 @@ var config = { // If Lobby is enabled starts knocking automatically. // autoKnockLobby: false, + // Enable lobby chat. + // enableLobbyChat: true, + // DEPRECATED! Use `breakoutRooms.hideAddRoomButton` instead. // Hides add breakout room button // hideAddRoomButton: false, @@ -512,7 +520,7 @@ var config = { // Hides the dominant speaker name badge that hovers above the toolbox // hideDominantSpeakerBadge: false, - // Default language for the user interface. + // Default language for the user interface. Cannot be overwritten. // defaultLanguage: 'en', // Disables profile and the edit of all fields from the profile settings (display name and email) @@ -599,7 +607,9 @@ var config = { // 'fullscreen', // 'hangup', // 'help', + // 'highlight', // 'invite', + // 'linktosalesforce', // 'livestreaming', // 'microphone', // 'mute-everyone', 
@@ -631,7 +641,9 @@ var config = { // timeout: 4000, // // Moved from interfaceConfig.TOOLBAR_ALWAYS_VISIBLE // // Whether toolbar should be always visible or should hide after x miliseconds. - // alwaysVisible: false + // alwaysVisible: false, + // // Indicates whether the toolbar should still autohide when chat is open + // autoHideWhileChatIsOpen: false // }, // Toolbar buttons which have their click/tap event exposed through the API on @@ -740,11 +752,22 @@ var config = { // Enables sending participants' emails (if available) to callstats and other analytics // enableEmailInStats: false, - // Enables detecting faces of participants and get their expression and send it to other participants - // enableFacialRecognition: true, + // faceLandmarks: { + // // Enables sharing your face cordinates. Used for centering faces within a video. + // enableFaceCentering: false, - // Enables displaying facial expressions in speaker stats - // enableDisplayFacialExpressions: true, + // // Enables detecting face expressions and sharing data with other participants + // enableFaceExpressionsDetection: false, + + // // Enables displaying face expressions in speaker stats + // enableDisplayFaceExpressions: false, + + // // Minimum required face movement percentage threshold for sending new face centering coordinates data. + // faceCenteringThreshold: 10, + + // // Miliseconds for processing a new image capture in order to detect face coordinates if they exist. + // captureInterval: 100 + // }, // Controls the percentage of automatic feedback shown to participants when callstats is enabled. // The default value is 100%. If set to 0, no automatic feedback will be requested 
@@ -931,14 +954,18 @@ var config = { // Options related to end-to-end (participant to participant) ping. // e2eping: { - // // The interval in milliseconds at which pings will be sent. - // // Defaults to 10000, set to <= 0 to disable. - // pingInterval: 10000, + // // Whether ene-to-end pings should be enabled. + // enabled: false, // - // // The interval in milliseconds at which analytics events - // // with the measured RTT will be sent. Defaults to 60000, set - // // to <= 0 to disable. - // analyticsInterval: 60000, + // // The number of responses to wait for. + // numRequests: 5, + // + // // The max conference size in which e2e pings will be sent. + // maxConferenceSize: 200, + // + // // The maximum number of e2e ping messages per second for the whole conference to aim for. + // // This is used to contol the pacing of messages in order to reduce the load on the backend. + // maxMessagesPerSecond: 250 // }, // If set, will attempt to use the provided video input device label when 
@@ -980,12 +1007,25 @@ var config = { // Options related to the remote participant menu. // remoteVideoMenu: { + // // Whether the remote video context menu to be rendered or not. + // disabled: true, // // If set to true the 'Kick out' button will be disabled. // disableKick: true, // // If set to true the 'Grant moderator' button will be disabled. - // disableGrantModerator: true + // disableGrantModerator: true, + // // If set to true the 'Send private message' button will be disabled. + // disablePrivateChat: true // }, + // Endpoint that enables support for salesforce integration with in-meeting resource linking + // This is required for: + // listing the most recent records - salesforceUrl/records/recents + // searching records - salesforceUrl/records?text=${text} + // retrieving record details - salesforceUrl/records/${id}?type=${type} + // and linking the meeting - salesforceUrl/sessions/${sessionId}/records/${id} + // + // salesforceUrl: 'https://api.example.com/', + // If set to true all muting operations of remote participants will be disabled. // disableRemoteMute: true, @@ -1092,7 +1132,8 @@ var config = { // 'e2ee', // 'transcribing', // 'video-quality', - // 'insecure-room' + // 'insecure-room', + // 'highlight-moment' // ] // }, @@ -1232,6 +1273,7 @@ var config = { // 'notify.invitedThreePlusMembers', // shown when 3+ participants have been invited // 'notify.invitedTwoMembers', // shown when 2 participants have been invited // 'notify.kickParticipant', // shown when a participant is kicked + // 'notify.linkToSalesforce', // shown when joining a meeting with salesforce integration // 'notify.moderationStartedTitle', // shown when AV moderation is activated // 'notify.moderationStoppedTitle', // shown when AV moderation is deactivated // 'notify.moderationInEffectTitle', // shown when user attempts to unmute audio during AV moderation 
@@ -1247,6 +1289,7 @@ var config = { // 'notify.raisedHand', // shown when a partcipant used raise hand, // 'notify.startSilentTitle', // shown when user joined with no audio // 'notify.unmute', // shown to moderator when user raises hand during AV moderation + // 'notify.hostAskedUnmute', // shown to participant when host asks them to unmute // 'prejoin.errorDialOut', // 'prejoin.errorDialOutDisconnected', // 'prejoin.errorDialOutFailed', @@ -1269,12 +1312,37 @@ var config = { // // Disables user resizable filmstrip. Also, allows configuration of the filmstrip // // (width, tiles aspect ratios) through the interfaceConfig options. // disableResizable: false, - // } + // // Disables the stage filmstrip + // // (displaying multiple participants on stage besides the vertical filmstrip) + // disableStageFilmstrip: false + // }, + + // Tile view related config options. + // tileView: { + // // The optimal number of tiles that are going to be shown in tile view. Depending on the screen size it may + // // not be possible to show the exact number of participants specified here. + // numberOfVisibleTiles: 25 + // }, // Specifies whether the chat emoticons are disabled or not // disableChatSmileys: false, + // Settings for the GIPHY integration. + // giphy: { + // // Whether the feature is enabled or not. + // enabled: false, + // // SDK API Key from Giphy. + // sdkKey: '', + // // Display mode can be one of: + // // - tile: show the GIF on the tile of the participant that sent it. + // // - chat: show the GIF as a message in chat + // // - all: all of the above. This is the default option + // displayMode: 'all', + // // How long the GIF should be displayed on the tile (in miliseconds). + // tileTime: 5000 + // }, + // Allow all above example options to include a trailing comma and // prevent fear when commenting out the last value. makeJsonParserHappy: 'even if last key had a trailing comma' 
diff --git a/type/__jitsi_meet_domain/files/jitsi-version b/type/__jitsi_meet_domain/files/jitsi-version new file mode 100644 index 0000000..f2cc6dd --- /dev/null +++ b/type/__jitsi_meet_domain/files/jitsi-version @@ -0,0 +1 @@ +2.0.7210-1 \ No newline at end of file diff --git a/type/__jitsi_meet_domain/files/nginx.sh b/type/__jitsi_meet_domain/files/nginx.sh index e678dce..ad1b41a 100644 --- a/type/__jitsi_meet_domain/files/nginx.sh +++ b/type/__jitsi_meet_domain/files/nginx.sh @@ -10,6 +10,17 @@ JITSI_NGINX_CONFIG="$(cat < Date: Thu, 21 Apr 2022 17:52:49 +0200 Subject: [PATCH 28/47] [__jitsi_meet] Fix issue with jicofo memory adaptation That was being a bit of a mess. Sponsored by: camilion.eu, eXO.cat --- type/__jitsi_meet/gencode-remote | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/type/__jitsi_meet/gencode-remote b/type/__jitsi_meet/gencode-remote index 435bbf4..fd782a4 100755 --- a/type/__jitsi_meet/gencode-remote +++ b/type/__jitsi_meet/gencode-remote @@ -24,7 +24,7 @@ if cut -f 2 "${__object}/explorer/configured-memory" | grep -qvE "^${MAX_MEMORY} -e 's!^(#[[:space:]]*)?(VIDEOBRIDGE_MAX_MEMORY)=.*\$!\2=${MAX_MEMORY}!' \ /usr/share/jitsi-videobridge/lib/videobridge.rc sed -i.tmp -E \ - -e 's!(JICOFO_MAX_MEMORY)[^;]+;!\1=${MAX_MEMORY};!' \ + -e 's!(JICOFO_MAX_MEMORY)[^";]+;!\1=${MAX_MEMORY};!' \ /usr/share/jicofo/jicofo.sh EOF fi From 151dc32fb52f695b101369032a0bdad1a9b20916 Mon Sep 17 00:00:00 2001 
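Review bot: `sed -i.tmp` on the changed line leaves `/usr/share/jicofo/jicofo.sh.tmp` behind after every memory adjustment (the preceding `sed -i.tmp` on `videobridge.rc` does the same), and nothing in the heredoc removes those backups; since the type only targets Debian/Devuan, plain `sed -i -E ...` or an explicit `rm -f` of the `.tmp` files in the same heredoc would keep the package directories clean. The widened class `[^";]+` now stops at a double quote, but the replacement side still interpolates `${MAX_MEMORY}` unescaped, so the command assumes that value never contains `!`, `&` or `\` — presumably it is numeric, worth confirming where it is computed. The enclosing `if` block and the heredoc it writes start above the hunk.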
From: Evilham Date: Thu, 21 Apr 2022 19:43:32 +0200 Subject: [PATCH 29/47] [__jitsi_meet*] Add support for simultaneous interpretations By using https://gitlab.com/mfmt/jsi which consists of very small and simple static files, we enable interpretations by default. With this commit, any DOMAIN created with __jitsi_meet_domain will serve jsi on https://DOMAIN/i/ and any ROOM can be used with simultaneous interpretation on https://DOMAIN/i/ROOM Sponsored by: camilion.eu, eXO.cat --- type/__jitsi_meet/manifest | 43 +++++++++++++++++++++++++ type/__jitsi_meet_domain/files/nginx.sh | 15 +++++++++ type/__jitsi_meet_domain/man.rst | 9 +++++- 3 files changed, 66 insertions(+), 1 deletion(-) diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest index 6a9d962..0b728c7 100755 --- a/type/__jitsi_meet/manifest +++ b/type/__jitsi_meet/manifest @@ -262,3 +262,46 @@ EOF fi fi # TODO: disable the exporter if it is deployed and then admin changes their mind + +# +# Setup interpreter assets if requested +# See: https://gitlab.com/mfmt/jsi/ +# +jsi_updated_on="2022-04-21" +__link "/usr/share/jitsi-meet/interpreters.html" \ + --type symbolic \ + --source "/opt/jsi/static/index.html.sample" +__directory /opt/jsi --mode 0755 +export require="__directory/opt/jsi" +__download /opt/jsi/jsi.tar.gz \ + --url 'https://gitlab.com/mfmt/jsi/-/archive/1d2cceaf615ee61c0bba80e5bddc61c5d1018303/jsi-1d2cceaf615ee61c0bba80e5bddc61c5d1018303.tar.gz' \ + --sum "sha256:b020141093daa9937507b098f358d0be994834c3e23866a457fc5140415a0c53" +export require="__download/opt/jsi/jsi.tar.gz" +__unpack /opt/jsi/jsi.tar.gz \ + --preserve-archive \ + --tar-strip 1 \ + --destination /opt/jsi/static \ + --onchange "$(cat <]*(/external_api.js).!src='\1'!" \ + -e "s!

[^<]*

!

Jitsi Meetings with interpreter

!" \ + -e "s!https://meet.mayfirst.org!/!" \ + -e "s!(style.css|jsi.js)([^?])!\1?v=${jsi_updated_on:?}\2!" \ + /opt/jsi/static/index.html.sample +EOF +)" diff --git a/type/__jitsi_meet_domain/files/nginx.sh b/type/__jitsi_meet_domain/files/nginx.sh index ad1b41a..64467d9 100644 --- a/type/__jitsi_meet_domain/files/nginx.sh +++ b/type/__jitsi_meet_domain/files/nginx.sh @@ -102,6 +102,21 @@ server { expires 1y; } } + # Paths for jsi / interpreters + location ~ ^/i/(img/[^./]*.png|jsi.js|style.css)$ + { + add_header 'Access-Control-Allow-Origin' '*'; + alias /opt/jsi/static/\$1; + + # cache all versioned files + if (\$arg_v) { + expires 1y; + } + } + location ~ ^/i/ + { + try_files /${DOMAIN}-interpreters.html /interpreters.html \$uri; + } # BOSH location = /http-bind { diff --git a/type/__jitsi_meet_domain/man.rst b/type/__jitsi_meet_domain/man.rst index 0bef146..97d670b 100644 --- a/type/__jitsi_meet_domain/man.rst +++ b/type/__jitsi_meet_domain/man.rst @@ -11,7 +11,13 @@ DESCRIPTION ----------- This type installs and configures the frontend for Jitsi-Meet. -This supports "multi-domain" installations. +Additionally to regular Jitsi-Meet, users can load `DOMAIN/i/` and +`DOMAIN/i/ROOM` for an interpreter-enabled interface; this is done with a +patched version of Jitsi Simultaneous Interpretation (jsi; see references). +At least a user with `interpreter` in their name must be present. + + +This type supports "multi-domain" installations. New in April 2022: rooms are independent for each domain, that is: https://jitsi1.example.org/room1 and https://jitsi2.example.org/room1 are @@ -156,6 +162,7 @@ SEE ALSO -------- - `__jitsi_meet(7)` - `__jitsi_meet_user(7)` +- Jitsi Meet Simultaneous Interpretation: https://gitlab.com/mfmt/jsi AUTHORS From 67bc8aa02bd9512b98f1850dff3d4ad38f056273 Mon Sep 17 00:00:00 2001 
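Review bot: The header comment `# Setup interpreter assets if requested` does not match the code under it, which links, downloads and unpacks jsi unconditionally (the commit message also says it is enabled by default); either gate the block on a parameter or change the comment to `# Setup interpreter assets (always enabled, see man page)`. Each `export require=...` in the block replaces the previous value instead of appending to it, so whatever `require` held before this hunk no longer applies to `__download` and `__unpack`; if that is not intended, the `export require="${require} __directory/opt/jsi"` form keeps the earlier dependencies. The download itself is pinned to a commit hash and a sha256 sum, which is the right way to fetch a third-party asset. Part of the `--onchange` heredoc is not visible here.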
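Review bot: In the new `location ~ ^/i/(img/[^./]*.png|jsi.js|style.css)$` the dots are unescaped, so `.` matches any character; `img/[^./]*\.png|jsi\.js|style\.css` says what is meant. The character class already excludes `/` and `.` from the image name, so `alias /opt/jsi/static/\$1` cannot be steered outside the static directory, which is good. In the second location, `try_files ... \$uri` uses the request URI itself as the fallback; if neither html file resolves (for example while the `interpreters.html` symlink target is missing) nginx redirects internally to the same location, which is likely to end in a redirection-cycle error rather than a 404 — `=404` would be a safer last argument.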
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Mon, 25 Apr 2022 17:10:50 +0200 Subject: [PATCH 30/47] __uacme_obtain: allow use of stdin with the --renew-hook parameter --- type/__uacme_obtain/man.rst | 3 ++- type/__uacme_obtain/manifest | 6 +++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/type/__uacme_obtain/man.rst b/type/__uacme_obtain/man.rst index f1db899..16ebe87 100644 --- a/type/__uacme_obtain/man.rst +++ b/type/__uacme_obtain/man.rst @@ -38,7 +38,8 @@ install-key-to Installation path of the certificate's private key. renew-hook - Renew hook executed on certificate renewal (e.g. `service nginx reload`). + Renew hook executed on certificate renewal (e.g. `service nginx reload`, `-` + for the standard input). force-cert-ownership-to Override default ownership for TLS certificate, passed as argument to chown. diff --git a/type/__uacme_obtain/manifest b/type/__uacme_obtain/manifest index b41ddde..a40119b 100644 --- a/type/__uacme_obtain/manifest +++ b/type/__uacme_obtain/manifest @@ -109,7 +109,11 @@ export CERT_TARGET RENEW_HOOK= if [ -f "${__object:?}/parameter/renew-hook" ]; then - RENEW_HOOK="$(cat "${__object:?}/parameter/renew-hook")" + if [ "$(cat "${__object:?}/parameter/renew-hook")" = "-" ]; then + RENEW_HOOK="$(cat ${__object:?}/stdin)" + else + RENEW_HOOK="$(cat "${__object:?}/parameter/renew-hook")" + fi fi export RENEW_HOOK From 977b530dab44061cdae171e7c3c31d78b74191df Mon Sep 17 00:00:00 2001 From: Evilham Date: Thu, 28 Apr 2022 17:22:19 +0200 Subject: [PATCH 31/47] [__single_binary_service] Update manpage to remove __evilham prefix --- type/__single_binary_service/man.rst | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/type/__single_binary_service/man.rst b/type/__single_binary_service/man.rst index cb40330..65b4fc0 100644 --- a/type/__single_binary_service/man.rst +++ b/type/__single_binary_service/man.rst 
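Review bot: The new line `RENEW_HOOK="$(cat ${__object:?}/stdin)"` leaves `${__object:?}` unquoted while every neighbouring line quotes it, and it assumes the stdin file exists — if `--renew-hook -` is given with nothing on stdin the hook silently becomes empty or `cat` fails, depending on the shell options set above the hunk. Suggest reading the parameter once and quoting the path: `renew_hook="$(cat "${__object:?}/parameter/renew-hook")"`, `if [ "${renew_hook}" = "-" ]; then`, `RENEW_HOOK="$(cat "${__object:?}/stdin")"`, with a `[ -s "${__object:?}/stdin" ] || { echo "renew-hook '-' requires stdin" >&2; exit 1; }` guard before it. Since `RENEW_HOOK` is exported and presumably executed on renewal, failing loudly here is preferable to installing an empty hook.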
@@ -1,9 +1,9 @@ -cdist-type__evilham_single_binary_service(7) -============================================ +cdist-type__single_binary_service(7) +==================================== NAME ---- -cdist-type__evilham_single_binary_service - Setup a single-binary service +cdist-type__single_binary_service - Setup a single-binary service DESCRIPTION @@ -142,7 +142,7 @@ EXAMPLES # Install and enable the ipmi_exporter service # The variables are defined in the manifest previously - __evilham_single_binary_service ipmi_exporter \ + __single_binary_service ipmi_exporter \ --user "${USER}" \ --service-args ' --config.file=/etc/ipmi_exporter.conf' \ --version "${SHOULD_VERSION}" \ @@ -157,7 +157,7 @@ EXAMPLES EOF # Remove the ipmi_exporter service along with the user and its config - __evilham_single_binary_service ipmi_exporter \ + __single_binary_service ipmi_exporter \ --user "${USER}" \ --version "${SHOULD_VERSION}" \ --checksum "${CHECKSUM}" \ @@ -165,7 +165,7 @@ EXAMPLES --state "absent" # Same, but the service was using my user! Let's not delete that! - __evilham_single_binary_service ipmi_exporter \ + __single_binary_service ipmi_exporter \ --user "evilham" \ --do-not-manage-user \ --version "${SHOULD_VERSION}" \ @@ -187,4 +187,4 @@ Evilham COPYING ------- -Copyright \(C) 2021 Evilham. +Copyright \(C) 2022 Evilham. From 0cff41488436c7e9f8aa083e5974ba2537fca41e Mon Sep 17 00:00:00 2001 From: Evilham Date: Thu, 28 Apr 2022 17:28:46 +0200 Subject: [PATCH 32/47] [__jitsi_meet] Simplify exporter logic and update it to 1.2.0 This uses the newly merged __single_binary_service and: - Fixes the bug where once added, the exporter could not be removed - Simplifies keeping it up to date Sponsored by: camilion.eu, eXO.cat --- .../prometheus-jitsi-meet-explorer-version | 7 -- type/__jitsi_meet/manifest | 78 +++++-------------- 2 files changed, 18 insertions(+), 67 deletions(-) delete mode 100755 type/__jitsi_meet/explorer/prometheus-jitsi-meet-explorer-version 
diff --git a/type/__jitsi_meet/explorer/prometheus-jitsi-meet-explorer-version b/type/__jitsi_meet/explorer/prometheus-jitsi-meet-explorer-version deleted file mode 100755 index b1cec48..0000000 --- a/type/__jitsi_meet/explorer/prometheus-jitsi-meet-explorer-version +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/sh -e - -EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version" - -if [ -f "${EXPORTER_VERSION_FILE}" ]; then - cat "${EXPORTER_VERSION_FILE}" -fi diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest index 0b728c7..815d039 100755 --- a/type/__jitsi_meet/manifest +++ b/type/__jitsi_meet/manifest @@ -1,7 +1,6 @@ #!/bin/sh -e os="$(cat "${__global}/explorer/os")" -init="$(cat "${__global}/explorer/init")" case "${os}" in devuan|debian) ;; @@ -27,8 +26,6 @@ if [ -z "${TURN_SERVER}" ]; then TURN_SERVER="${JITSI_HOST}" fi -PROMETHEUS_JITSI_EXPORTER_IS_VERSION="$(cat "${__object}/explorer/prometheus-jitsi-meet-explorer-version")" - # The rest is loosely based on Jitsi's documentation # https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart 
@@ -203,65 +200,26 @@ export JITSI_HOST "${__type}/files/jicofo.conf.sh" | \ __file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-' + # These two should be changed on new release -PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5" -PROMETHEUS_JITSI_EXPORTER_CHECKSUM="sha256:3ddf43a48d9a2f62be1bc6db9e7ba75d61994f9423e5c5b28be019f41f06f745" -PROMETHEUS_JITSI_EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}/prometheus-jitsi-meet-exporter-linux-amd64" -PROMETHEUS_JITSI_EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version" -if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then - case "${init}" in - init|sysvinit) - __runit - require="__runit" __runit_service \ - prometheus-jitsi-meet-exporter --log --source - <&1 -EOF - - export require="__runit_service/prometheus-jitsi-meet-exporter" - JITSI_MEET_EXPORTER_SERVICE="sv %s prometheus-jitsi-meet-exporter" - ;; - systemd) - __systemd_unit prometheus-jitsi-meet-exporter.service \ - --source "-" \ - --enablement-state "enabled" < Date: Thu, 28 Apr 2022 17:32:15 +0200 Subject: [PATCH 33/47] [__jitsi_meet] Configure jicofo so metrics are more useful By default the REST API provided by jicofo is less useful than desired. This is a tad under-documented, so finding the right settings was tricky :-). Sponsored by: camilion.eu, eXO.cat --- type/__jitsi_meet/gencode-remote | 2 +- type/__jitsi_meet/manifest | 23 +++++++++++++++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/type/__jitsi_meet/gencode-remote b/type/__jitsi_meet/gencode-remote index fd782a4..c29d20e 100755 --- a/type/__jitsi_meet/gencode-remote +++ b/type/__jitsi_meet/gencode-remote 
@@ -33,7 +33,7 @@ if grep -qE "^__file/etc/nginx" "${__messages_in}"; then echo "service nginx reload" fi -if grep -qE "^(__line/jitsi_jicofo_secured_domains|(__file|__link)/etc/prosody/conf.d/|__file/etc/jitsi/jicofo/jicofo.conf)" "${__messages_in}"; then +if grep -qE "^(__line/jitsi_jicofo_secured_domains|(__file|__link)/etc/prosody/conf.d/|__file/etc/jitsi/(jicofo/jicofo.conf|videobridge/jvb.conf))" "${__messages_in}"; then RESTART_SERVICES="YES" fi diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest index 815d039..fb22821 100755 --- a/type/__jitsi_meet/manifest +++ b/type/__jitsi_meet/manifest @@ -200,6 +200,29 @@ export JITSI_HOST "${__type}/files/jicofo.conf.sh" | \ __file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-' +# Enable the private colibri REST API end point for better stats +__file "/etc/jitsi/videobridge/jvb.conf" --mode 0444 --source '-' < Date: Thu, 28 Apr 2022 17:34:32 +0200 Subject: [PATCH 34/47] [__jitsi_meet_domain] Make shellcheck happy and fix escaping issue The escaping issue was overlooked because it was in a comment block; it wasn't relevant. No functional changes intended. Sponsored by: camilion.eu, eXO.cat --- .../files/_update_jitsi_configurations.sh | 2 +- type/__jitsi_meet_domain/files/config.js.sh | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh index 12c405b..0d9f53a 100755 --- a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh +++ b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh @@ -32,4 +32,4 @@ download_file doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example prosody. # Change the version file, maintainers should check that it matches # the deb version -printf "2.0.${BRANCH#*_}-1" > jitsi-version +printf "2.0.%s-1" "${BRANCH#*_}" > jitsi-version 
diff --git a/type/__jitsi_meet_domain/files/config.js.sh b/type/__jitsi_meet_domain/files/config.js.sh index 0eca916..6836dd1 100644 --- a/type/__jitsi_meet_domain/files/config.js.sh +++ b/type/__jitsi_meet_domain/files/config.js.sh @@ -1028,9 +1028,9 @@ ${ANALYTICS_SETTINGS} // Endpoint that enables support for salesforce integration with in-meeting resource linking // This is required for: // listing the most recent records - salesforceUrl/records/recents - // searching records - salesforceUrl/records?text=${text} - // retrieving record details - salesforceUrl/records/${id}?type=${type} - // and linking the meeting - salesforceUrl/sessions/${sessionId}/records/${id} + // searching records - salesforceUrl/records?text=\${text} + // retrieving record details - salesforceUrl/records/\${id}?type=\${type} + // and linking the meeting - salesforceUrl/sessions/\${sessionId}/records/\${id} // // salesforceUrl: 'https://api.example.com/', From 8e1d0b68f1473bd78aea44811c8b977c07af9466 Mon Sep 17 00:00:00 2001 From: Evilham Date: Thu, 28 Apr 2022 17:40:09 +0200 Subject: [PATCH 35/47] [__jitsi_meet*] Add new parameters for heavier branding This uses nginx' server-side includes, so each domain configured by `__jitsi_meet_domain` can have its own customisation. Note that the file customisation file must exist for each domain, `__jitsi_meet_domain` takes care of that already. Sponsored by: camilion.eu, eXO.cat --- type/__jitsi_meet/manifest | 7 +++++++ type/__jitsi_meet_domain/files/interface_config.js.sh | 2 +- type/__jitsi_meet_domain/man.rst | 11 +++++++++-- type/__jitsi_meet_domain/manifest | 6 ++++++ .../parameter/default/branding-app-name | 1 + .../parameter/default/branding-extra-body | 0 type/__jitsi_meet_domain/parameter/optional | 2 ++ 7 files changed, 26 insertions(+), 3 deletions(-) create mode 100644 type/__jitsi_meet_domain/parameter/default/branding-app-name create mode 100644 type/__jitsi_meet_domain/parameter/default/branding-extra-body 
diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest index fb22821..20e91a7 100755 --- a/type/__jitsi_meet/manifest +++ b/type/__jitsi_meet/manifest @@ -224,6 +224,13 @@ videobridge { } EOFJVB +# Enable simple per-domain body customisation +__file "/usr/share/jitsi-meet/body.html" \ + --mode 0644 \ + --source '-' < +EOF + # These two should be changed on new release EXPORTER_VERSION="1.2.0" EXPORTER_CHECKSUM="sha256:6377ffa7be0c7deb66545616add7245da96f8b7746d6712f41cfa9fe72c935ce" diff --git a/type/__jitsi_meet_domain/files/interface_config.js.sh b/type/__jitsi_meet_domain/files/interface_config.js.sh index 094cc6e..0589ced 100644 --- a/type/__jitsi_meet_domain/files/interface_config.js.sh +++ b/type/__jitsi_meet_domain/files/interface_config.js.sh @@ -20,7 +20,7 @@ JITSI_INTERFACE_CONFIG_JS="$(cat < Date: Thu, 28 Apr 2022 17:43:33 +0200 Subject: [PATCH 36/47] [__jitsi_meet_domain] Add a muc_room_cache_size for jibri @pedro is working on this and this change matched my workflow better :-) --- type/__jitsi_meet_domain/files/prosody.cfg.lua.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh index ea243c1..5bb93b5 100644 --- a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh +++ b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh @@ -153,6 +153,8 @@ Component "internal.auth.${JITSI_DOMAIN:?}" "muc" admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}", "jvb@auth.${JITSI_HOST:?}" } muc_room_locking = false muc_room_default_public_jids = true + -- https://prosody.im/doc/modules/mod_muc + muc_room_cache_size = 1000 ${PROSODY_DOMAIN_END} ${PROSODY_MAIN_START} -- This will be managed by __jitsi_meet From 797f7c864814f69d0a138b3f415acfd4ca539121 Mon Sep 17 00:00:00 2001 
From: Evilham Date: Sun, 8 May 2022 21:47:26 +0200 Subject: [PATCH 37/47] [__jitsi_meet] Improve manpage regarding ufw and SSH This documents the fact that this type does not make decisions about anything other than Jitsi-Meet itself and therefore care should be taken with the SSH port. Related to: https://code.ungleich.ch/ungleich-public/cdist-contrib/pulls/23 Reported by: @pedro --- type/__jitsi_meet/man.rst | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/type/__jitsi_meet/man.rst b/type/__jitsi_meet/man.rst index 876c218..03a4a35 100644 --- a/type/__jitsi_meet/man.rst +++ b/type/__jitsi_meet/man.rst @@ -21,10 +21,10 @@ You will also need the `__jitsi_meet_domain` type in order to finish setting up the web frontend (including TLS certificates) and its settings. You may want to use the `files/ufw` example manifest for a `__ufw`-based -firewall compatible with this type. -This file does not include rules for TCP port 9888, which exposes the -prometheus exporter if not disabled. -You should apply your own rules here. +firewall compatible with this type that allows all ports needed by Jitsi-Meet. +Note however that this will not deal with rules for SSH or for TCP port 9888, +which exposes the prometheus exporter if not disabled. +Remember to apply your own rules here, particularly regarding SSH. This type only works on De{bi,vu}an systems. @@ -76,9 +76,11 @@ EXAMPLES .. code-block:: sh - # Setup the firewall + # Setup the firewall for Jitsi-Meet . "${__global}/type/__jitsi_meet/files/ufw" export require="__ufw" + # Setup firewall SSH rules as necessary + __ufw_rule ssh --rule 'allow 22/tcp from 10.0.0.0/24' # Setup Jitsi on this host __jitsi_meet \ --turn-server "turn.exo.cat" \ From 756e5b17c63d641ac35ffad513d3ed15188b87ca Mon Sep 17 00:00:00 2001 
From: Evilham Date: Tue, 7 Jun 2022 15:00:00 +0200 Subject: [PATCH 38/47] [__jitsi_meet*] Update to 2.0.7287-1 Sponsored by: camilion.eu, eXO.cat --- .../files/_update_jitsi_configurations.sh | 2 +- type/__jitsi_meet_domain/files/config.js.sh | 38 +++++++++++++++++-- .../files/config.js.sh.orig | 38 +++++++++++++++++-- type/__jitsi_meet_domain/files/jitsi-version | 2 +- .../files/prosody.cfg.lua.sh | 17 +++++++++ .../files/prosody.cfg.lua.sh.orig | 15 ++++++++ 6 files changed, 102 insertions(+), 10 deletions(-) diff --git a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh index 0d9f53a..8b14e5c 100755 --- a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh +++ b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh @@ -7,7 +7,7 @@ # We could automate this, but are using it as an indicator for the # latest branch with which we conciliated changes. -BRANCH="jitsi-meet_7210" +BRANCH="jitsi-meet_7287" REPO="https://github.com/jitsi/jitsi-meet" get_url() { diff --git a/type/__jitsi_meet_domain/files/config.js.sh b/type/__jitsi_meet_domain/files/config.js.sh index 6836dd1..e52ed32 100644 --- a/type/__jitsi_meet_domain/files/config.js.sh +++ b/type/__jitsi_meet_domain/files/config.js.sh @@ -4,6 +4,11 @@ JITSI_CONFIG_JS="$(cat <