Compare commits
2 commits
master
...
synapse-up
Author | SHA1 | Date | |
---|---|---|---|
2ce8223fa7 | |||
5102fe466e |
121 changed files with 826 additions and 5092 deletions
|
@ -89,6 +89,7 @@ ipv4_import=
|
||||||
if [ -f "${__object:?}"/parameter/ipv4-import ];
|
if [ -f "${__object:?}"/parameter/ipv4-import ];
|
||||||
then
|
then
|
||||||
ipv4_import="$(cat "${__object:?}"/parameter/ipv4-import)"
|
ipv4_import="$(cat "${__object:?}"/parameter/ipv4-import)"
|
||||||
|
echo "FOO" >&2
|
||||||
fi
|
fi
|
||||||
export ipv4_import
|
export ipv4_import
|
||||||
|
|
||||||
|
|
|
@ -24,6 +24,12 @@ import
|
||||||
export
|
export
|
||||||
The keyword or filter to decide what to export in the above channel.
|
The keyword or filter to decide what to export in the above channel.
|
||||||
|
|
||||||
|
|
||||||
|
REQUIRED MULTIPLE PARAMETERS
|
||||||
|
----------------------------
|
||||||
|
interface
|
||||||
|
An interface to include in OSPF area 0.
|
||||||
|
|
||||||
OPTIONAL PARAMETERS
|
OPTIONAL PARAMETERS
|
||||||
-------------------
|
-------------------
|
||||||
description
|
description
|
||||||
|
@ -33,19 +39,6 @@ instance-id
|
||||||
An OSPF instance ID, allowing several OSPF instances to run on the same
|
An OSPF instance ID, allowing several OSPF instances to run on the same
|
||||||
links.
|
links.
|
||||||
|
|
||||||
extra-area-configuration
|
|
||||||
Configuration string added to the `area` section of the OSPF configuration.
|
|
||||||
|
|
||||||
OPTIONAL MULTIPLE PARAMETERS
|
|
||||||
----------------------------
|
|
||||||
|
|
||||||
stubnet
|
|
||||||
Add an optionless stubnet definition to the configuration.
|
|
||||||
|
|
||||||
interface
|
|
||||||
An interface to include in OSPF area 0. Is required unless
|
|
||||||
extra-area-configuration is set.
|
|
||||||
|
|
||||||
SEE ALSO
|
SEE ALSO
|
||||||
--------
|
--------
|
||||||
cdist-type__bird_core(7)
|
cdist-type__bird_core(7)
|
||||||
|
|
|
@ -44,21 +44,6 @@ then
|
||||||
instance_id="$(cat "${__object:?}/parameter/instance-id")"
|
instance_id="$(cat "${__object:?}/parameter/instance-id")"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
extra_area_configuration=
|
|
||||||
if [ -f "${__object:?}/parameter/extra-area-configuration" ];
|
|
||||||
then
|
|
||||||
extra_area_configuration="$(cat "${__object:?}/parameter/extra-area-configuration")"
|
|
||||||
|
|
||||||
if [ "$extra_area_configuration" = "-" ]; then
|
|
||||||
extra_area_configuration=$(cat "$__object/stdin")
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ ! -f "${__object:?}/parameter/interface" ] && [ -z "$extra_area_configuration" ]; then
|
|
||||||
echo "Either --interface or --extra-area-configuration must be set." >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
__file "${confdir:?}/ospf-${__object_id:?}.conf" \
|
__file "${confdir:?}/ospf-${__object_id:?}.conf" \
|
||||||
--mode 0640 --owner root --group bird \
|
--mode 0640 --owner root --group bird \
|
||||||
--source - << EOF
|
--source - << EOF
|
||||||
|
@ -73,9 +58,6 @@ $([ -n "${instance_id?}" ] && printf "\tinstance id %s;\n" "${instance_id?}")
|
||||||
|
|
||||||
area 0 {
|
area 0 {
|
||||||
$(sed -e 's/^/\t\tinterface "/' -e 's/$/";/' "${__object:?}/parameter/interface")
|
$(sed -e 's/^/\t\tinterface "/' -e 's/$/";/' "${__object:?}/parameter/interface")
|
||||||
$(sed -e 's/^/\t\tsubnet /' -e 's/$/;/' "${__object:?}/parameter/subnet")
|
|
||||||
|
|
||||||
$extra_area_configuration
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
|
|
|
@ -1,3 +1,2 @@
|
||||||
description
|
description
|
||||||
instance-id
|
instance-id
|
||||||
extra-area-configuration
|
|
||||||
|
|
|
@ -15,29 +15,12 @@ autoconfigure IPv6 hosts, this type is a rudimentary implementation to generate
|
||||||
configuration for Bird to do so.
|
configuration for Bird to do so.
|
||||||
|
|
||||||
|
|
||||||
REQUIRED PARAMETERS
|
REQUIRED MULTIPLE PARAMETERS
|
||||||
-------------------
|
----------------------------
|
||||||
interface
|
interface
|
||||||
The interfaces to activate the protocol on. RAs will be sent using the
|
The interfaces to activate the protocol on. RAs will be sent using the
|
||||||
prefixes configured on these interfaces.
|
prefixes configured on these interfaces.
|
||||||
|
|
||||||
OPTIONAL PARAMETERS
|
|
||||||
-------------------
|
|
||||||
mtu
|
|
||||||
An optional MTU setting to include in the router advertisements.
|
|
||||||
|
|
||||||
default-preference
|
|
||||||
This option specifies the Default Router Preference value to advertise to
|
|
||||||
hosts. Default: medium.
|
|
||||||
|
|
||||||
route-preference
|
|
||||||
This option specifies the default value of advertised route preference for
|
|
||||||
specific routes. Default: medium.
|
|
||||||
|
|
||||||
default-lifetime
|
|
||||||
This option specifies the time (in seconds) how long (since the receipt of RA)
|
|
||||||
hosts may use the router as a default router. 0 means do not use as a default
|
|
||||||
router. Default: 3.
|
|
||||||
|
|
||||||
OPTIONAL MULTIPLE PARAMETERS
|
OPTIONAL MULTIPLE PARAMETERS
|
||||||
----------------------------
|
----------------------------
|
||||||
|
@ -58,7 +41,6 @@ EXAMPLES
|
||||||
|
|
||||||
__bird_radv datacenter \
|
__bird_radv datacenter \
|
||||||
--interface eth1 \
|
--interface eth1 \
|
||||||
--mtu 9000 \
|
|
||||||
--route ::/0 \
|
--route ::/0 \
|
||||||
--ns 2001:DB8:cafe::4 \
|
--ns 2001:DB8:cafe::4 \
|
||||||
--ns 2001:DB8:cafe::14 \
|
--ns 2001:DB8:cafe::14 \
|
||||||
|
|
|
@ -55,52 +55,23 @@ then
|
||||||
DNSSL=$(sed -e 's/^/\tdnssl "/' -e 's/$/";/' "${__object:?}/parameter/dnssl")
|
DNSSL=$(sed -e 's/^/\tdnssl "/' -e 's/$/";/' "${__object:?}/parameter/dnssl")
|
||||||
fi
|
fi
|
||||||
|
|
||||||
MTU=
|
|
||||||
if [ -f "${__object:?}/parameter/mtu" ];
|
|
||||||
then
|
|
||||||
MTU="link mtu $(cat "${__object:?}/parameter/mtu");"
|
|
||||||
fi
|
|
||||||
|
|
||||||
DEFAULT_PREFERENCE=
|
|
||||||
if [ -f "${__object:?}/parameter/default-preference" ];
|
|
||||||
then
|
|
||||||
DEFAULT_PREFERENCE="default preference $(cat "${__object:?}/parameter/default-preference");"
|
|
||||||
fi
|
|
||||||
|
|
||||||
ROUTE_PREFERENCE=
|
|
||||||
if [ -f "${__object:?}/parameter/route-preference" ];
|
|
||||||
then
|
|
||||||
ROUTE_PREFERENCE="route preference $(cat "${__object:?}/parameter/route-preference");"
|
|
||||||
fi
|
|
||||||
|
|
||||||
DEFAULT_LIFETIME=
|
|
||||||
if [ -f "${__object:?}/parameter/default-lifetime" ];
|
|
||||||
then
|
|
||||||
DEFAULT_LIFETIME="default lifetime $(cat "${__object:?}/parameter/default-lifetime");"
|
|
||||||
fi
|
|
||||||
|
|
||||||
__file "${confdir:?}/radv-${__object_id:?}.conf" \
|
__file "${confdir:?}/radv-${__object_id:?}.conf" \
|
||||||
--mode 0640 --owner root --group bird \
|
--mode 0640 --owner root --group bird \
|
||||||
--source - << EOF
|
--source - << EOF
|
||||||
ipv6 table radv_routes_${__object_id};
|
ipv6 table radv_routes;
|
||||||
|
|
||||||
protocol static {
|
protocol static {
|
||||||
description "Routes advertised via RAs";
|
description "Routes advertised via RAs";
|
||||||
ipv6 { table radv_routes_${__object_id}; };
|
ipv6 { table radv_routes; };
|
||||||
|
|
||||||
$(sed -e 's/^/\troute /' -e 's/$/ unreachable;/' "${__object:?}/parameter/route")
|
$(sed -e 's/^/\troute /' -e 's/$/ unreachable;/' "${__object:?}/parameter/route")
|
||||||
}
|
}
|
||||||
|
|
||||||
protocol radv ${__object_id:?} {
|
protocol radv ${__object_id:?} {
|
||||||
propagate routes ${have_routes:?};
|
propagate routes ${have_routes:?};
|
||||||
ipv6 { table radv_routes_${__object_id}; export all; };
|
ipv6 { table radv_routes; export all; };
|
||||||
|
|
||||||
interface "$(cat "${__object:?}/parameter/interface")" {
|
$(sed -e 's/^/\tinterface "/' -e 's/$/";/' "${__object:?}/parameter/interface")
|
||||||
$MTU
|
|
||||||
$DEFAULT_LIFETIME
|
|
||||||
$DEFAULT_PREFERENCE
|
|
||||||
$ROUTE_PREFERENCE
|
|
||||||
};
|
|
||||||
|
|
||||||
$RDNS
|
$RDNS
|
||||||
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
mtu
|
|
||||||
default-preference
|
|
||||||
route-preference
|
|
||||||
default-lifetime
|
|
|
@ -1,2 +1 @@
|
||||||
stubnet
|
|
||||||
interface
|
interface
|
|
@ -3,7 +3,7 @@
|
||||||
os="$(cat "${__global:?}"/explorer/os)"
|
os="$(cat "${__global:?}"/explorer/os)"
|
||||||
|
|
||||||
case "$os" in
|
case "$os" in
|
||||||
"alpine"|"ubuntu")
|
"alpine")
|
||||||
borg_package=borgbackup
|
borg_package=borgbackup
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
|
@ -17,4 +17,3 @@ if [ -f "${__object:?}/parameter/owner" ];
|
||||||
then
|
then
|
||||||
__package sudo
|
__package sudo
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
|
@ -1,15 +0,0 @@
|
||||||
#!/bin/sh -eu
|
|
||||||
|
|
||||||
JICOFO="/usr/share/jicofo/jicofo.sh"
|
|
||||||
VIDEOBRIDGE="/usr/share/jitsi-videobridge/lib/videobridge.rc"
|
|
||||||
|
|
||||||
if [ -f "${JICOFO:?}" ]; then
|
|
||||||
jicofo_memory="$(grep JICOFO_MAX_MEMORY= "${JICOFO:?}" | cut -d= -f 2 | cut -d ";" -f 1)"
|
|
||||||
fi
|
|
||||||
if [ -f "${VIDEOBRIDGE:?}" ]; then
|
|
||||||
vb_memory="$(grep VIDEOBRIDGE_MAX_MEMORY= "${VIDEOBRIDGE:?}" | cut -d= -f 2)"
|
|
||||||
fi
|
|
||||||
cat <<EOF
|
|
||||||
jicofo ${jicofo_memory:-n/a}
|
|
||||||
videobridge ${vb_memory:-n/a}
|
|
||||||
EOF
|
|
|
@ -1,26 +0,0 @@
|
||||||
#!/bin/sh -eu
|
|
||||||
|
|
||||||
JICOFO_AUTHPASSWORD=""
|
|
||||||
# We need this to properly configure jicofo
|
|
||||||
|
|
||||||
# Default to reading debconf
|
|
||||||
DEBCONF_PASS_FILE="/var/cache/debconf/passwords.dat"
|
|
||||||
if [ -f "${DEBCONF_PASS_FILE}" ]; then
|
|
||||||
JICOFO_AUTHPASSWORD="$(grep -A1 'Template: jicofo/jicofo-authpassword' "${DEBCONF_PASS_FILE}" | tail -n 1 | cut -d ' ' -f 2-)"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Try jicofo.conf if necessary
|
|
||||||
JICOFO_CONF_FILE="/etc/jitsi/jicofo/jicofo.conf"
|
|
||||||
if [ -z "${JICOFO_AUTHPASSWORD}" ] && [ -f "${JICOFO_CONF_FILE}" ]; then
|
|
||||||
JICOFO_AUTHPASSWORD="$(grep -E '^[[:space:]]*password:' "${JICOFO_CONF_FILE}" | sed -E 's!^[^:]*:[[:space:]]*"(.*)"$!\1!')"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# And fallback to config file if necessary
|
|
||||||
JICOFO_CONFIG_FILE="/etc/jitsi/jicofo/config"
|
|
||||||
if [ -z "${JICOFO_AUTHPASSWORD}" ] && [ -f "${JICOFO_CONFIG_FILE}" ]; then
|
|
||||||
JICOFO_AUTHPASSWORD="$(grep -E '^JICOFO_AUTH_PASSWORD=' "${JICOFO_CONFIG_FILE}" | cut -d '=' -f 2-)"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# If we didn't find it, this is likely a new installation and we'll generate
|
|
||||||
# the password on the manifest
|
|
||||||
echo "${JICOFO_AUTHPASSWORD:-}"
|
|
|
@ -1,6 +0,0 @@
|
||||||
#!/bin/sh -eu
|
|
||||||
|
|
||||||
if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then
|
|
||||||
# TODO: detect curl / depend on it?
|
|
||||||
curl -s localhost:9888/metrics
|
|
||||||
fi
|
|
7
type/__jitsi_meet/explorer/prometheus-jitsi-meet-explorer-version
Executable file
7
type/__jitsi_meet/explorer/prometheus-jitsi-meet-explorer-version
Executable file
|
@ -0,0 +1,7 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version"
|
||||||
|
|
||||||
|
if [ -f "${EXPORTER_VERSION_FILE}" ]; then
|
||||||
|
cat "${EXPORTER_VERSION_FILE}"
|
||||||
|
fi
|
|
@ -5,6 +5,9 @@
|
||||||
if false; then
|
if false; then
|
||||||
# We are currently not using these, just here as documentation
|
# We are currently not using these, just here as documentation
|
||||||
DEBCONF_SETTINGS="$(cat <<EOF
|
DEBCONF_SETTINGS="$(cat <<EOF
|
||||||
|
# Jicofo user password:
|
||||||
|
jicofo jicofo/jicofo-authpassword password STH
|
||||||
|
jitsi-meet-prosody jicofo/jicofo-authpassword password STH
|
||||||
# The secret used to connect to xmpp server as component
|
# The secret used to connect to xmpp server as component
|
||||||
jitsi-meet-prosody jitsi-videobridge/jvbsecret password STH
|
jitsi-meet-prosody jitsi-videobridge/jvbsecret password STH
|
||||||
jitsi-videobridge jitsi-videobridge/jvbsecret password STH
|
jitsi-videobridge jitsi-videobridge/jvbsecret password STH
|
||||||
|
@ -37,9 +40,6 @@ jitsi-videobridge jitsi-videobridge/jvb-hostname string ${JITSI_HOST}
|
||||||
jitsi-videobridge2 jitsi-videobridge/jvb-hostname string ${JITSI_HOST}
|
jitsi-videobridge2 jitsi-videobridge/jvb-hostname string ${JITSI_HOST}
|
||||||
# The hostname of the current installation:
|
# The hostname of the current installation:
|
||||||
jitsi-meet-prosody jitsi-meet-prosody/jvb-hostname string ${JITSI_HOST}
|
jitsi-meet-prosody jitsi-meet-prosody/jvb-hostname string ${JITSI_HOST}
|
||||||
# Jicofo user password:
|
|
||||||
jicofo jicofo/jicofo-authpassword password ${JICOFO_AUTHPASSWORD}
|
|
||||||
jitsi-meet-prosody jicofo/jicofo-authpassword password ${JICOFO_AUTHPASSWORD}
|
|
||||||
# SSL certificate for the Jitsi Meet instance
|
# SSL certificate for the Jitsi Meet instance
|
||||||
# Choices: Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate), I want to use my own certificate
|
# Choices: Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate), I want to use my own certificate
|
||||||
jitsi-meet-web-config jitsi-meet/cert-choice select Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)
|
jitsi-meet-web-config jitsi-meet/cert-choice select Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)
|
||||||
|
|
|
@ -1,38 +0,0 @@
|
||||||
#!/bin/sh -eu
|
|
||||||
|
|
||||||
# Start
|
|
||||||
cat <<EOF
|
|
||||||
# Managed remotely, changes will be lost
|
|
||||||
|
|
||||||
# Jicofo HOCON configuration. See /usr/share/jicofo/jicofo.jar/reference.conf for
|
|
||||||
#available options, syntax, and default values.
|
|
||||||
jicofo {
|
|
||||||
xmpp: {
|
|
||||||
client: {
|
|
||||||
client-proxy: focus.${JITSI_HOST:?}
|
|
||||||
xmpp-domain: "${JITSI_HOST:?}"
|
|
||||||
domain: "auth.${JITSI_HOST:?}"
|
|
||||||
username: "focus"
|
|
||||||
password: "${JICOFO_AUTHPASSWORD:?}"
|
|
||||||
}
|
|
||||||
trusted-domains: [ "recorder.${JITSI_HOST:?}" ]
|
|
||||||
}
|
|
||||||
bridge: {
|
|
||||||
brewery-jid: "JvbBrewery@internal.auth.${JITSI_HOST:?}"
|
|
||||||
}
|
|
||||||
EOF
|
|
||||||
|
|
||||||
# Secured domains if needed
|
|
||||||
if [ "${SECURED_DOMAINS_STATE:?}" = "present" ]; then
|
|
||||||
cat <<EOF
|
|
||||||
|
|
||||||
authentication: {
|
|
||||||
enabled: true
|
|
||||||
type: XMPP
|
|
||||||
login-url: ${JITSI_HOST:?}
|
|
||||||
}
|
|
||||||
EOF
|
|
||||||
fi
|
|
||||||
|
|
||||||
# End
|
|
||||||
echo '}'
|
|
|
@ -1 +0,0 @@
|
||||||
../../__jitsi_meet_domain/files/jitsi-version
|
|
|
@ -1 +0,0 @@
|
||||||
../../__jitsi_meet_domain/files/prosody.cfg.lua.sh
|
|
|
@ -1,43 +1,11 @@
|
||||||
#!/bin/sh -e
|
#!/bin/sh -e
|
||||||
|
|
||||||
memory="$(cat "${__global}/explorer/memory")"
|
|
||||||
G="000000" # Will totally eff up the zero-count otherwise
|
|
||||||
# MAX_MEMORY will affect jicofo and videobridge
|
|
||||||
# As a rule of thumb, the machine's RAM should be more than 2.5 * MAX_MEMORY
|
|
||||||
if [ "${memory}" -lt "3${G}" ]; then
|
|
||||||
# If you use this, let us know how it works!
|
|
||||||
MAX_MEMORY="768m"
|
|
||||||
elif [ "${memory}" -lt "5${G}" ]; then
|
|
||||||
MAX_MEMORY="1024m"
|
|
||||||
elif [ "${memory}" -lt "8${G}" ]; then
|
|
||||||
MAX_MEMORY="2048m"
|
|
||||||
else
|
|
||||||
# Jitsi recommends running on 8G RAM and these are the defaults
|
|
||||||
MAX_MEMORY="3072m"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if cut -f 2 "${__object}/explorer/configured-memory" | grep -qvE "^${MAX_MEMORY}$"; then
|
|
||||||
# At least one service has different memory settings
|
|
||||||
RESTART_SERVICES="YES"
|
|
||||||
cat <<-EOF
|
|
||||||
sed -i.tmp -E \
|
|
||||||
-e 's!^(#[[:space:]]*)?(VIDEOBRIDGE_MAX_MEMORY)=.*\$!\2=${MAX_MEMORY}!' \
|
|
||||||
/usr/share/jitsi-videobridge/lib/videobridge.rc
|
|
||||||
sed -i.tmp -E \
|
|
||||||
-e 's!(JICOFO_MAX_MEMORY)[^";]+;!\1=${MAX_MEMORY};!' \
|
|
||||||
/usr/share/jicofo/jicofo.sh
|
|
||||||
EOF
|
|
||||||
fi
|
|
||||||
|
|
||||||
if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
|
if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
|
||||||
echo "service nginx reload"
|
echo "service nginx reload"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if grep -qE "^(__line/jitsi_jicofo_secured_domains|(__file|__link)/etc/prosody/conf.d/|__file/etc/jitsi/(jicofo/jicofo.conf|videobridge/jvb.conf))" "${__messages_in}"; then
|
JITSI_HOST="${__object_id}"
|
||||||
RESTART_SERVICES="YES"
|
if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua)" "${__messages_in}"; then
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -n "${RESTART_SERVICES}" ]; then
|
|
||||||
echo "systemctl restart prosody"
|
echo "systemctl restart prosody"
|
||||||
echo "systemctl restart jicofo"
|
echo "systemctl restart jicofo"
|
||||||
echo "systemctl restart jitsi-videobridge2"
|
echo "systemctl restart jitsi-videobridge2"
|
||||||
|
|
|
@ -21,24 +21,13 @@ You will also need the `__jitsi_meet_domain` type in order to finish setting up
|
||||||
the web frontend (including TLS certificates) and its settings.
|
the web frontend (including TLS certificates) and its settings.
|
||||||
|
|
||||||
You may want to use the `files/ufw` example manifest for a `__ufw`-based
|
You may want to use the `files/ufw` example manifest for a `__ufw`-based
|
||||||
firewall compatible with this type that allows all ports needed by Jitsi-Meet.
|
firewall compatible with this type.
|
||||||
Note however that this will not deal with rules for SSH or for TCP port 9888,
|
This file does not include rules for TCP port 9888, which exposes the
|
||||||
which exposes the prometheus exporter if not disabled.
|
prometheus exporter if not disabled.
|
||||||
Remember to apply your own rules here, particularly regarding SSH.
|
You should apply your own rules here.
|
||||||
|
|
||||||
This type only works on De{bi,vu}an systems.
|
This type only works on De{bi,vu}an systems.
|
||||||
|
|
||||||
It is very important for this type to stay up to date with the software, as
|
|
||||||
otherwise new deployments or maintenance of existing instances might be
|
|
||||||
negatively affected.
|
|
||||||
If you can, please contribute updates to `__jitsi_meet` and
|
|
||||||
`__jitsi_meet_domain` promptly and regularly.
|
|
||||||
Alternatively, you can help finance that work; get in touch with the type
|
|
||||||
authors for that (see below).
|
|
||||||
|
|
||||||
This type takes care of adapting the maximum memory used by jicofo and
|
|
||||||
videobridge in function of the hosts installed memory.
|
|
||||||
|
|
||||||
NOTE: This type currently does not deal with setting up coturn.
|
NOTE: This type currently does not deal with setting up coturn.
|
||||||
For that, you might want to check `__coturn` in
|
For that, you might want to check `__coturn` in
|
||||||
https://code.ungleich.ch/ungleich-public/cdist-contrib
|
https://code.ungleich.ch/ungleich-public/cdist-contrib
|
||||||
|
@ -47,14 +36,6 @@ NOTE: This type currently does not deal with setting up coturn.
|
||||||
|
|
||||||
OPTIONAL PARAMETERS
|
OPTIONAL PARAMETERS
|
||||||
-------------------
|
-------------------
|
||||||
abort-conference-count
|
|
||||||
Only has an effect if the prometheus exporter is enabled and if it is not
|
|
||||||
empty (default).
|
|
||||||
If at least this many conferences are active on the server, the type will
|
|
||||||
bail out before making any changes.
|
|
||||||
This is useful if you want to avoid service disruptions due to e.g. an SLA.
|
|
||||||
|
|
||||||
|
|
||||||
turn-secret
|
turn-secret
|
||||||
The shared secret for the TURN server.
|
The shared secret for the TURN server.
|
||||||
|
|
||||||
|
@ -62,6 +43,11 @@ turn-server
|
||||||
The hostname of the TURN server.
|
The hostname of the TURN server.
|
||||||
This will assume that it is listening with TLS on port 443.
|
This will assume that it is listening with TLS on port 443.
|
||||||
|
|
||||||
|
jitsi-version
|
||||||
|
The jitsi-meet version of the Debian package to be installed.
|
||||||
|
While this can be specified, only the default value is known to work
|
||||||
|
properly with this type.
|
||||||
|
|
||||||
|
|
||||||
BOOLEAN PARAMETERS
|
BOOLEAN PARAMETERS
|
||||||
------------------
|
------------------
|
||||||
|
@ -84,11 +70,9 @@ EXAMPLES
|
||||||
|
|
||||||
.. code-block:: sh
|
.. code-block:: sh
|
||||||
|
|
||||||
# Setup the firewall for Jitsi-Meet
|
# Setup the firewall
|
||||||
. "${__global}/type/__jitsi_meet/files/ufw"
|
. "${__global}/type/__jitsi_meet/files/ufw"
|
||||||
export require="__ufw"
|
export require="__ufw"
|
||||||
# Setup firewall SSH rules as necessary
|
|
||||||
__ufw_rule ssh --rule 'allow 22/tcp from 10.0.0.0/24'
|
|
||||||
# Setup Jitsi on this host
|
# Setup Jitsi on this host
|
||||||
__jitsi_meet \
|
__jitsi_meet \
|
||||||
--turn-server "turn.exo.cat" \
|
--turn-server "turn.exo.cat" \
|
||||||
|
@ -108,4 +92,4 @@ Evilham <contact@evilham.com>
|
||||||
|
|
||||||
COPYING
|
COPYING
|
||||||
-------
|
-------
|
||||||
Copyright \(C) 2022 Evilham.
|
Copyright \(C) 2021 Evilham.
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
#!/bin/sh -e
|
#!/bin/sh -e
|
||||||
|
|
||||||
os="$(cat "${__global}/explorer/os")"
|
os="$(cat "${__global}/explorer/os")"
|
||||||
|
init="$(cat "${__global}/explorer/init")"
|
||||||
case "${os}" in
|
case "${os}" in
|
||||||
devuan|debian)
|
devuan|debian)
|
||||||
;;
|
;;
|
||||||
|
@ -10,37 +11,9 @@ case "${os}" in
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
current_conferences="$(cat "${__object}/explorer/jitsi-status" | grep -E "^jitsi_conferences[[:space:]]" | cut -d ' ' -f 2)"
|
|
||||||
|
|
||||||
JICOFO_AUTHPASSWORD="$(cat "${__object}/explorer/jicofo-authpassword")"
|
|
||||||
if [ -z "${JICOFO_AUTHPASSWORD}" ]; then
|
|
||||||
# This is probably a first time installation, we'll generate the
|
|
||||||
# password which will be set in debconf by this type
|
|
||||||
# https://github.com/jitsi/jicofo/blob/aafb61b5363a1c4abdbf08e1444a6276b807993e/debian/postinst#L43
|
|
||||||
JICOFO_AUTHPASSWORD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 16)"
|
|
||||||
fi
|
|
||||||
|
|
||||||
ABORT_CONFERENCE_COUNT="$(cat "${__object}/parameter/abort-conference-count")"
|
|
||||||
|
|
||||||
if [ -n "${current_conferences}" ] && [ -n "${ABORT_CONFERENCE_COUNT}" ] && \
|
|
||||||
[ "${ABORT_CONFERENCE_COUNT}" -le "${current_conferences}" ]; then
|
|
||||||
cat <<-EOF
|
|
||||||
Early bail out was requested when at least ${ABORT_CONFERENCE_COUNT} conferences are taking place.
|
|
||||||
There are currently ${current_conferences} active conferences.
|
|
||||||
|
|
||||||
Try again at a later time or remove or increase --abort-conference-count
|
|
||||||
EOF
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
JITSI_HOST="${__target_host}"
|
JITSI_HOST="${__target_host}"
|
||||||
if [ -f "${__object}/parameter/jitsi-version" ]; then
|
|
||||||
# This has been deprecated and will be removed 'soon'
|
|
||||||
JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
|
JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
|
||||||
else
|
|
||||||
# Note this won't be a parameter anymore, we won't let users stay behind
|
|
||||||
JITSI_VERSION="$(cat "${__type}/files/jitsi-version")"
|
|
||||||
fi
|
|
||||||
TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
|
TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
|
||||||
TURN_SECRET="$(cat "${__object}/parameter/turn-secret")"
|
TURN_SECRET="$(cat "${__object}/parameter/turn-secret")"
|
||||||
|
|
||||||
|
@ -48,6 +21,8 @@ if [ -z "${TURN_SERVER}" ]; then
|
||||||
TURN_SERVER="${JITSI_HOST}"
|
TURN_SERVER="${JITSI_HOST}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
PROMETHEUS_JITSI_EXPORTER_IS_VERSION="$(cat "${__object}/explorer/prometheus-jitsi-meet-explorer-version")"
|
||||||
|
|
||||||
# The rest is loosely based on Jitsi's documentation
|
# The rest is loosely based on Jitsi's documentation
|
||||||
# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart
|
# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart
|
||||||
|
|
||||||
|
@ -75,15 +50,12 @@ export require="${require} __apt_source/jitsi_meet __apt_update_index"
|
||||||
# Pre-feed debconf settings, so Jitsi's installation has a good config
|
# Pre-feed debconf settings, so Jitsi's installation has a good config
|
||||||
# shellcheck source=type/__jitsi_meet/files/debconf_settings.sh
|
# shellcheck source=type/__jitsi_meet/files/debconf_settings.sh
|
||||||
. "${__type}/files/debconf_settings.sh" # This defines DEBCONF_SETTINGS
|
. "${__type}/files/debconf_settings.sh" # This defines DEBCONF_SETTINGS
|
||||||
__debconf_set_selections jitsi_meet --line "${DEBCONF_SETTINGS}"
|
__debconf_set_selections jitsi_meet --file - <<EOF
|
||||||
|
${DEBCONF_SETTINGS}
|
||||||
|
EOF
|
||||||
export require="${require} __debconf_set_selections/jitsi_meet"
|
export require="${require} __debconf_set_selections/jitsi_meet"
|
||||||
|
|
||||||
# Install and upgrade packages as needed
|
# Install and upgrade packages as needed
|
||||||
# NOTE: we are doing version pinning again, but it breaks sometimes when
|
|
||||||
# the version is not the latest.
|
|
||||||
# This happens because dependencies might not be properly resolved.
|
|
||||||
# To avoid this, this type must be maintained up to date.
|
|
||||||
# If we don't use this, keeping Jitsi's up to date is very difficult.
|
|
||||||
__package_apt jitsi-meet --version "${JITSI_VERSION}"
|
__package_apt jitsi-meet --version "${JITSI_VERSION}"
|
||||||
|
|
||||||
# Proceed only after installation/upgrade has finished
|
# Proceed only after installation/upgrade has finished
|
||||||
|
@ -148,11 +120,7 @@ require="__directory${NGINX_ETC}/sites-available" __file "${NGINX_ETC}/sites-ava
|
||||||
|
|
||||||
server_names_hash_bucket_size 64;
|
server_names_hash_bucket_size 64;
|
||||||
|
|
||||||
types {
|
# nginx server configuration for:
|
||||||
# nginx's default mime.types doesn't include a mapping for wasm or wav.
|
|
||||||
application/wasm wasm;
|
|
||||||
audio/wav wav;
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
server {
|
||||||
|
|
||||||
|
@ -175,145 +143,88 @@ server {
|
||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# Starting from 2.0.7210, jitsi defines following nginx upstreams
|
|
||||||
__directory "${NGINX_ETC}/conf.d" --state present
|
|
||||||
require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/prosody.conf" \
|
|
||||||
--mode 644 \
|
|
||||||
--source - << EOF
|
|
||||||
upstream prosody {
|
|
||||||
zone upstreams 64K;
|
|
||||||
server 127.0.0.1:5280;
|
|
||||||
keepalive 2;
|
|
||||||
}
|
|
||||||
EOF
|
|
||||||
require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/jvb1.conf" \
|
|
||||||
--mode 644 \
|
|
||||||
--source - << EOF
|
|
||||||
upstream jvb1 {
|
|
||||||
zone upstreams 64K;
|
|
||||||
server 127.0.0.1:9090;
|
|
||||||
keepalive 2;
|
|
||||||
}
|
|
||||||
EOF
|
|
||||||
|
|
||||||
if [ -f "${__object}/parameter/secured-domains" ]; then
|
if [ -f "${__object}/parameter/secured-domains" ]; then
|
||||||
SECURED_DOMAINS_STATE='present'
|
SECURED_DOMAINS_STATE='present'
|
||||||
|
SECURED_DOMAINS_STATE_JICOFO='replace'
|
||||||
else
|
else
|
||||||
SECURED_DOMAINS_STATE='absent'
|
SECURED_DOMAINS_STATE='absent'
|
||||||
|
SECURED_DOMAINS_STATE_JICOFO='absent'
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# This is the main host config
|
|
||||||
PROSODY_MAIN_CONFIG="YES"
|
|
||||||
# Prosody settings for common components (jvb, focus, ...)
|
|
||||||
# shellcheck source=type/__jitsi_meet/files/prosody.cfg.lua.sh
|
|
||||||
. "${__type}/files/prosody.cfg.lua.sh" # This defines PROSODY_CONFIG
|
|
||||||
__file "/etc/prosody/conf.d/00_jitsi_base.cfg.lua" \
|
|
||||||
--group prosody \
|
|
||||||
--mode 0440 \
|
|
||||||
--source - <<EOF
|
|
||||||
${PROSODY_CONFIG}
|
|
||||||
EOF
|
|
||||||
|
|
||||||
# Clean up zauth.cfg.lua file, which we don't use now
|
|
||||||
__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
|
__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
|
||||||
--state absent
|
--owner prosody --group prosody --mode 0440 \
|
||||||
|
--state ${SECURED_DOMAINS_STATE} \
|
||||||
|
--source - <<EOF
|
||||||
|
VirtualHost "${JITSI_HOST}"
|
||||||
|
authentication = "internal_plain"
|
||||||
|
|
||||||
export SECURED_DOMAINS_STATE
|
VirtualHost "guest.${JITSI_HOST}"
|
||||||
export JITSI_HOST
|
authentication = "anonymous"
|
||||||
export JICOFO_AUTHPASSWORD
|
c2s_require_encryption = false
|
||||||
"${__type}/files/jicofo.conf.sh" | \
|
|
||||||
__file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-'
|
|
||||||
|
|
||||||
# Enable the private colibri REST API end point for better stats
|
|
||||||
__file "/etc/jitsi/videobridge/jvb.conf" --mode 0444 --source '-' <<EOFJVB
|
|
||||||
videobridge {
|
|
||||||
http-servers {
|
|
||||||
public {
|
|
||||||
port = 9090
|
|
||||||
}
|
|
||||||
private {
|
|
||||||
port = 8080
|
|
||||||
}
|
|
||||||
}
|
|
||||||
websockets {
|
|
||||||
enabled = true
|
|
||||||
domain = "${JITSI_HOST}:443"
|
|
||||||
tls = true
|
|
||||||
}
|
|
||||||
apis {
|
|
||||||
rest {
|
|
||||||
enabled = true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
EOFJVB
|
|
||||||
|
|
||||||
# Enable simple per-domain body customisation
|
|
||||||
__file "/usr/share/jitsi-meet/body.html" \
|
|
||||||
--mode 0644 \
|
|
||||||
--source '-' <<EOF
|
|
||||||
<!--#include virtual="body-\${host}.html" -->
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
__line jitsi_jicofo_secured_domains \
|
||||||
|
--file /etc/jitsi/jicofo/sip-communicator.properties \
|
||||||
|
--line "org.jitsi.jicofo.auth.URL=XMPP:${JITSI_HOST}" \
|
||||||
|
--regex "org.jitsi.jicofo.auth.URL=" \
|
||||||
|
--state ${SECURED_DOMAINS_STATE_JICOFO}
|
||||||
|
|
||||||
# These two should be changed on new release
|
# These two should be changed on new release
|
||||||
EXPORTER_VERSION="1.2.1"
|
PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5"
|
||||||
EXPORTER_CHECKSUM="sha256:46d4b8475b72fd7632a5203f1cc3c7067bed4629902b7780a1da85e4e06c2129"
|
PROMETHEUS_JITSI_EXPORTER_CHECKSUM="sha256:3ddf43a48d9a2f62be1bc6db9e7ba75d61994f9423e5c5b28be019f41f06f745"
|
||||||
EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${EXPORTER_VERSION}/prometheus-jitsi-meet-exporter_${EXPORTER_VERSION}_linux_amd64.tar.gz"
|
PROMETHEUS_JITSI_EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}/prometheus-jitsi-meet-exporter-linux-amd64"
|
||||||
if [ -f "${__object}/parameter/disable-prometheus-exporter" ]; then
|
PROMETHEUS_JITSI_EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version"
|
||||||
EXPORTER_STATE="absent"
|
if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then
|
||||||
else
|
case "${init}" in
|
||||||
EXPORTER_STATE="present"
|
init|sysvinit)
|
||||||
fi
|
__runit
|
||||||
__evilham_single_binary_service prometheus-jitsi-meet-exporter \
|
require="__runit" __runit_service \
|
||||||
--state "${EXPORTER_STATE}" \
|
prometheus-jitsi-meet-exporter --log --source - <<EOF
|
||||||
--do-not-manage-user \
|
#!/bin/sh -e
|
||||||
--user "nobody" \
|
cd /tmp
|
||||||
--group "nogroup" \
|
exec chpst -u "nobody:nogroup" env HOME="/tmp" \\
|
||||||
--version "${EXPORTER_VERSION}" \
|
prometheus-jitsi-meet-exporter \\
|
||||||
--checksum "${EXPORTER_CHECKSUM}" \
|
-videobridge-url 'http://localhost:8888/stats' \\
|
||||||
--url "${EXPORTER_URL}" \
|
-web.listen-address ':9888' 2>&1
|
||||||
--unpack \
|
|
||||||
--service-args "-videobridge-url 'http://localhost:8080/colibri/stats' -web.listen-address ':9888'"
|
|
||||||
|
|
||||||
#
|
|
||||||
# Setup interpreter assets if requested
|
|
||||||
# See: https://gitlab.com/mfmt/jsi/
|
|
||||||
#
|
|
||||||
jsi_updated_on="2022-04-21"
|
|
||||||
__link "/usr/share/jitsi-meet/interpreters.html" \
|
|
||||||
--type symbolic \
|
|
||||||
--source "/opt/jsi/static/index.html.sample"
|
|
||||||
__directory /opt/jsi --mode 0755
|
|
||||||
export require="__directory/opt/jsi"
|
|
||||||
__download /opt/jsi/jsi.tar.gz \
|
|
||||||
--url 'https://gitlab.com/mfmt/jsi/-/archive/1d2cceaf615ee61c0bba80e5bddc61c5d1018303/jsi-1d2cceaf615ee61c0bba80e5bddc61c5d1018303.tar.gz' \
|
|
||||||
--sum "sha256:b020141093daa9937507b098f358d0be994834c3e23866a457fc5140415a0c53"
|
|
||||||
export require="__download/opt/jsi/jsi.tar.gz"
|
|
||||||
__unpack /opt/jsi/jsi.tar.gz \
|
|
||||||
--preserve-archive \
|
|
||||||
--tar-strip 1 \
|
|
||||||
--destination /opt/jsi/static \
|
|
||||||
--onchange "$(cat <<EOF
|
|
||||||
# Patch style.css to be served on /i/
|
|
||||||
sed -i.tmp -E \
|
|
||||||
-e 's!url[(]/img/welcome-background.png[)]!url(/i/img/welcome-background.png)!' \
|
|
||||||
/opt/jsi/static/style.css
|
|
||||||
# Patch jsi.js to be served on /i/
|
|
||||||
# and so it always uses the domain it's served from
|
|
||||||
# and so it uses /i/ROOM for the form
|
|
||||||
sed -i.tmp -E \
|
|
||||||
-e 's!substr[(][0-9]+[)]!substr(3)!' \
|
|
||||||
-e 's!config[.]jitsimeet_url!url.host!' \
|
|
||||||
-e 's!(window[.]location[.]href)[[:space:]]*=[[:space:]]*"/"!\1 = "/i/"!' \
|
|
||||||
/opt/jsi/static/jsi.js
|
|
||||||
# Patch the sample index.html, so it loads external_api.js from same host
|
|
||||||
# and to easen up on the branding
|
|
||||||
# and to enable browser cache
|
|
||||||
sed -i.tmp -E \
|
|
||||||
-e "s!src=[^>]*(/external_api.js).!src='\1'!" \
|
|
||||||
-e "s!<h1>[^<]*</h1>!<h1>Jitsi Meetings with interpreter</h1>!" \
|
|
||||||
-e "s!https://meet.mayfirst.org!/!" \
|
|
||||||
-e "s!(style.css|jsi.js)([^?])!\1?v=${jsi_updated_on:?}\2!" \
|
|
||||||
/opt/jsi/static/index.html.sample
|
|
||||||
EOF
|
EOF
|
||||||
)"
|
|
||||||
|
export require="__runit_service/prometheus-jitsi-meet-exporter"
|
||||||
|
JITSI_MEET_EXPORTER_SERVICE="sv %s prometheus-jitsi-meet-exporter"
|
||||||
|
;;
|
||||||
|
systemd)
|
||||||
|
__systemd_unit prometheus-jitsi-meet-exporter.service \
|
||||||
|
--source "-" \
|
||||||
|
--enablement-state "enabled" <<EOF
|
||||||
|
[Unit]
|
||||||
|
Description=Metrics Exporter for Jitsi Meet
|
||||||
|
After=network.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=simple
|
||||||
|
DynamicUser=yes
|
||||||
|
ExecStart=/usr/local/bin/prometheus-jitsi-meet-exporter -videobridge-url 'http://localhost:8888/stats' -web.listen-address ':9888'
|
||||||
|
Restart=always
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
EOF
|
||||||
|
export require="__systemd_unit/prometheus-jitsi-meet-exporter.service"
|
||||||
|
JITSI_MEET_EXPORTER_SERVICE="service prometheus-jitsi-meet-exporter %s"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
if [ "${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}" != \
|
||||||
|
"${PROMETHEUS_JITSI_EXPORTER_IS_VERSION}" ]; then
|
||||||
|
# shellcheck disable=SC2059
|
||||||
|
__download \
|
||||||
|
/tmp/prometheus-jitsi-meet-exporter \
|
||||||
|
--url "${PROMETHEUS_JITSI_EXPORTER_URL}" \
|
||||||
|
--download remote \
|
||||||
|
--sum "${PROMETHEUS_JITSI_EXPORTER_CHECKSUM}" \
|
||||||
|
--onchange "$(printf "${JITSI_MEET_EXPORTER_SERVICE}" "stop") || true; chmod 555 /tmp/prometheus-jitsi-meet-exporter && mv /tmp/prometheus-jitsi-meet-exporter /usr/local/bin/prometheus-jitsi-meet-exporter && $(printf "${JITSI_MEET_EXPORTER_SERVICE}" "restart")"
|
||||||
|
printf "%s" "${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}" | \
|
||||||
|
require="${require} __download/tmp/prometheus-jitsi-meet-exporter" __file \
|
||||||
|
"${PROMETHEUS_JITSI_EXPORTER_VERSION_FILE}" \
|
||||||
|
--source "-"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
# TODO: disable the exporter if it is deployed and then admin changes their mind
|
||||||
|
|
1
type/__jitsi_meet/parameter/default/jitsi-version
Normal file
1
type/__jitsi_meet/parameter/default/jitsi-version
Normal file
|
@ -0,0 +1 @@
|
||||||
|
2.0.5765-1
|
|
@ -1,4 +0,0 @@
|
||||||
Supporting different versions lead to strange issues in the life-time of a
|
|
||||||
Jitsi instance. Chiefly: difficulties upgrading.
|
|
||||||
|
|
||||||
If you are specifying this for a valid reason, please get in touch.
|
|
|
@ -1,4 +1,3 @@
|
||||||
abort-conference-count
|
|
||||||
jitsi-version
|
jitsi-version
|
||||||
turn-secret
|
turn-secret
|
||||||
turn-server
|
turn-server
|
||||||
|
|
|
@ -1,35 +0,0 @@
|
||||||
#!/bin/sh -eu
|
|
||||||
|
|
||||||
# This is a helper to update the '.sh.orig' files for jitsi's
|
|
||||||
# configuration files.
|
|
||||||
# Then the changes must be propagated to their corresponding .sh
|
|
||||||
# files by the type maintainer or a contributor
|
|
||||||
|
|
||||||
# We could automate this, but are using it as an indicator for the
|
|
||||||
# latest branch with which we conciliated changes.
|
|
||||||
BRANCH="jitsi-meet_8319"
|
|
||||||
REPO="https://github.com/jitsi/jitsi-meet"
|
|
||||||
|
|
||||||
get_url() {
|
|
||||||
file="${1}"
|
|
||||||
printf "%s/raw/stable/%s/%s" "${REPO}" "${BRANCH}" "${file}"
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
download_file() {
|
|
||||||
file="${1}"
|
|
||||||
destination="${2:-${file}.sh.orig}"
|
|
||||||
url="$(get_url "${file}")"
|
|
||||||
echo "Downloading ${destination}"
|
|
||||||
curl -L "${url}" > "${destination}"
|
|
||||||
echo
|
|
||||||
}
|
|
||||||
|
|
||||||
download_file config.js
|
|
||||||
download_file interface_config.js
|
|
||||||
download_file doc/debian/jitsi-meet/jitsi-meet.example nginx.sh.orig
|
|
||||||
download_file doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example prosody.cfg.lua.sh.orig
|
|
||||||
|
|
||||||
# Change the version file, maintainers should check that it matches
|
|
||||||
# the deb version
|
|
||||||
printf "2.0.%s-1" "${BRANCH#*_}" > jitsi-version
|
|
File diff suppressed because it is too large
Load diff
File diff suppressed because it is too large
Load diff
|
@ -20,7 +20,7 @@ JITSI_INTERFACE_CONFIG_JS="$(cat <<EOF
|
||||||
*/
|
*/
|
||||||
|
|
||||||
var interfaceConfig = {
|
var interfaceConfig = {
|
||||||
APP_NAME: '${BRANDING_APP_NAME}',
|
APP_NAME: 'Jitsi Meet',
|
||||||
AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)',
|
AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)',
|
||||||
AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)',
|
AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)',
|
||||||
|
|
||||||
|
@ -36,12 +36,42 @@ var interfaceConfig = {
|
||||||
BRAND_WATERMARK_LINK: '',
|
BRAND_WATERMARK_LINK: '',
|
||||||
|
|
||||||
CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
|
CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
|
||||||
|
/**
|
||||||
|
* Whether the connection indicator icon should hide itself based on
|
||||||
|
* connection strength. If true, the connection indicator will remain
|
||||||
|
* displayed while the participant has a weak connection and will hide
|
||||||
|
* itself after the CONNECTION_INDICATOR_HIDE_TIMEOUT when the connection is
|
||||||
|
* strong.
|
||||||
|
*
|
||||||
|
* @type {boolean}
|
||||||
|
*/
|
||||||
|
CONNECTION_INDICATOR_AUTO_HIDE_ENABLED: true,
|
||||||
|
|
||||||
DEFAULT_BACKGROUND: '#040404',
|
/**
|
||||||
|
* How long the connection indicator should remain displayed before hiding.
|
||||||
|
* Used in conjunction with CONNECTION_INDICATOR_AUTOHIDE_ENABLED.
|
||||||
|
*
|
||||||
|
* @type {number}
|
||||||
|
*/
|
||||||
|
CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT: 5000,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* If true, hides the connection indicators completely.
|
||||||
|
*
|
||||||
|
* @type {boolean}
|
||||||
|
*/
|
||||||
|
CONNECTION_INDICATOR_DISABLED: false,
|
||||||
|
|
||||||
|
DEFAULT_BACKGROUND: '#474747',
|
||||||
|
DEFAULT_LOCAL_DISPLAY_NAME: 'me',
|
||||||
|
DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
|
||||||
|
DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
|
||||||
DEFAULT_WELCOME_PAGE_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
|
DEFAULT_WELCOME_PAGE_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
|
||||||
|
|
||||||
DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
|
DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
|
||||||
|
|
||||||
|
DISABLE_FOCUS_INDICATOR: false,
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* If true, notifications regarding joining/leaving are no longer displayed.
|
* If true, notifications regarding joining/leaving are no longer displayed.
|
||||||
*/
|
*/
|
||||||
|
@ -87,14 +117,21 @@ var interfaceConfig = {
|
||||||
|
|
||||||
GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
|
GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Hide the logo on the deep linking pages.
|
||||||
|
*/
|
||||||
|
HIDE_DEEP_LINKING_LOGO: false,
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Hide the invite prompt in the header when alone in the meeting.
|
* Hide the invite prompt in the header when alone in the meeting.
|
||||||
*/
|
*/
|
||||||
HIDE_INVITE_MORE_HEADER: false,
|
HIDE_INVITE_MORE_HEADER: false,
|
||||||
|
|
||||||
|
INITIAL_TOOLBAR_TIMEOUT: 20000,
|
||||||
JITSI_WATERMARK_LINK: 'https://jitsi.org',
|
JITSI_WATERMARK_LINK: 'https://jitsi.org',
|
||||||
|
|
||||||
LANG_DETECTION: true, // Allow i18n to detect the system language
|
LANG_DETECTION: true, // Allow i18n to detect the system language
|
||||||
|
LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature.
|
||||||
LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
|
LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -114,6 +151,23 @@ var interfaceConfig = {
|
||||||
*/
|
*/
|
||||||
MOBILE_APP_PROMO: true,
|
MOBILE_APP_PROMO: true,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Specify custom URL for downloading android mobile app.
|
||||||
|
*/
|
||||||
|
MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Specify custom URL for downloading f droid app.
|
||||||
|
*/
|
||||||
|
MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Specify URL for downloading ios mobile app.
|
||||||
|
*/
|
||||||
|
MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
|
||||||
|
|
||||||
|
NATIVE_APP_NAME: 'Jitsi Meet',
|
||||||
|
|
||||||
// Names of browsers which should show a warning stating the current browser
|
// Names of browsers which should show a warning stating the current browser
|
||||||
// has a suboptimal experience. Browsers which are not listed as optimal or
|
// has a suboptimal experience. Browsers which are not listed as optimal or
|
||||||
// unsupported are considered suboptimal. Valid values are:
|
// unsupported are considered suboptimal. Valid values are:
|
||||||
|
@ -131,7 +185,7 @@ var interfaceConfig = {
|
||||||
RECENT_LIST_ENABLED: true,
|
RECENT_LIST_ENABLED: true,
|
||||||
REMOTE_THUMBNAIL_RATIO: 1, // 1:1
|
REMOTE_THUMBNAIL_RATIO: 1, // 1:1
|
||||||
|
|
||||||
SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds', 'more' ],
|
SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar' ],
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Specify which sharing features should be displayed. If the value is not set
|
* Specify which sharing features should be displayed. If the value is not set
|
||||||
|
@ -148,6 +202,7 @@ var interfaceConfig = {
|
||||||
*/
|
*/
|
||||||
SHOW_CHROME_EXTENSION_BANNER: false,
|
SHOW_CHROME_EXTENSION_BANNER: false,
|
||||||
|
|
||||||
|
SHOW_DEEP_LINKING_IMAGE: false,
|
||||||
SHOW_JITSI_WATERMARK: true,
|
SHOW_JITSI_WATERMARK: true,
|
||||||
SHOW_POWERED_BY: false,
|
SHOW_POWERED_BY: false,
|
||||||
SHOW_PROMOTIONAL_CLOSE_PAGE: false,
|
SHOW_PROMOTIONAL_CLOSE_PAGE: false,
|
||||||
|
@ -158,6 +213,22 @@ var interfaceConfig = {
|
||||||
*/
|
*/
|
||||||
SUPPORT_URL: 'https://community.jitsi.org/',
|
SUPPORT_URL: 'https://community.jitsi.org/',
|
||||||
|
|
||||||
|
TOOLBAR_ALWAYS_VISIBLE: false,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* DEPRECATED!
|
||||||
|
* This config was moved to config.js as \`toolbarButtons\`.
|
||||||
|
*/
|
||||||
|
// TOOLBAR_BUTTONS: [
|
||||||
|
// 'microphone', 'camera', 'closedcaptions', 'desktop', 'embedmeeting', 'fullscreen',
|
||||||
|
// 'fodeviceselection', 'hangup', 'profile', 'chat', 'recording',
|
||||||
|
// 'livestreaming', 'etherpad', 'sharedvideo', 'settings', 'raisehand',
|
||||||
|
// 'videoquality', 'filmstrip', 'invite', 'feedback', 'stats', 'shortcuts',
|
||||||
|
// 'tileview', 'select-background', 'download', 'help', 'mute-everyone', 'mute-video-everyone', 'security'
|
||||||
|
// ],
|
||||||
|
|
||||||
|
TOOLBAR_TIMEOUT: 4000,
|
||||||
|
|
||||||
// Browsers, in addition to those which do not fully support WebRTC, that
|
// Browsers, in addition to those which do not fully support WebRTC, that
|
||||||
// are not supported and should show the unsupported browser page.
|
// are not supported and should show the unsupported browser page.
|
||||||
UNSUPPORTED_BROWSERS: [],
|
UNSUPPORTED_BROWSERS: [],
|
||||||
|
@ -170,8 +241,7 @@ var interfaceConfig = {
|
||||||
// Determines how the video would fit the screen. 'both' would fit the whole
|
// Determines how the video would fit the screen. 'both' would fit the whole
|
||||||
// screen, 'height' would fit the original video height to the height of the
|
// screen, 'height' would fit the original video height to the height of the
|
||||||
// screen, 'width' would fit the original video width to the width of the
|
// screen, 'width' would fit the original video width to the width of the
|
||||||
// screen respecting ratio, 'nocrop' would make the video as large as
|
// screen respecting ratio.
|
||||||
// possible and preserve aspect ratio without cropping.
|
|
||||||
VIDEO_LAYOUT_FIT: 'both',
|
VIDEO_LAYOUT_FIT: 'both',
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -188,31 +258,6 @@ var interfaceConfig = {
|
||||||
*/
|
*/
|
||||||
// TILE_VIEW_MAX_COLUMNS: 5,
|
// TILE_VIEW_MAX_COLUMNS: 5,
|
||||||
|
|
||||||
// List of undocumented settings
|
|
||||||
/**
|
|
||||||
INDICATOR_FONT_SIZES
|
|
||||||
PHONE_NUMBER_REGEX
|
|
||||||
*/
|
|
||||||
|
|
||||||
// -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Specify URL for downloading ios mobile app.
|
|
||||||
*/
|
|
||||||
// MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Specify custom URL for downloading android mobile app.
|
|
||||||
*/
|
|
||||||
// MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Specify mobile app scheme for opening the app from the mobile browser.
|
|
||||||
*/
|
|
||||||
// APP_SCHEME: 'org.jitsi.meet',
|
|
||||||
|
|
||||||
// NATIVE_APP_NAME: 'Jitsi Meet',
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Specify Firebase dynamic link properties for the mobile apps.
|
* Specify Firebase dynamic link properties for the mobile apps.
|
||||||
*/
|
*/
|
||||||
|
@ -225,9 +270,9 @@ var interfaceConfig = {
|
||||||
// },
|
// },
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Hide the logo on the deep linking pages.
|
* Specify mobile app scheme for opening the app from the mobile browser.
|
||||||
*/
|
*/
|
||||||
// HIDE_DEEP_LINKING_LOGO: false,
|
// APP_SCHEME: 'org.jitsi.meet',
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Specify the Android app package name.
|
* Specify the Android app package name.
|
||||||
|
@ -235,42 +280,17 @@ var interfaceConfig = {
|
||||||
// ANDROID_APP_PACKAGE: 'org.jitsi.meet',
|
// ANDROID_APP_PACKAGE: 'org.jitsi.meet',
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Specify custom URL for downloading f droid app.
|
* Override the behavior of some notifications to remain displayed until
|
||||||
|
* explicitly dismissed through a user action. The value is how long, in
|
||||||
|
* milliseconds, those notifications should remain displayed.
|
||||||
*/
|
*/
|
||||||
// MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
|
// ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000,
|
||||||
|
|
||||||
// Connection indicators (
|
// List of undocumented settings
|
||||||
// CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,
|
/**
|
||||||
// CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT,
|
INDICATOR_FONT_SIZES
|
||||||
// CONNECTION_INDICATOR_DISABLED) got moved to config.js.
|
PHONE_NUMBER_REGEX
|
||||||
|
*/
|
||||||
// Please use disableModeratorIndicator from config.js
|
|
||||||
// DISABLE_FOCUS_INDICATOR: false,
|
|
||||||
|
|
||||||
// Please use defaultLocalDisplayName from config.js
|
|
||||||
// DEFAULT_LOCAL_DISPLAY_NAME: 'me',
|
|
||||||
|
|
||||||
// Please use defaultLogoUrl from config.js
|
|
||||||
DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
|
|
||||||
|
|
||||||
// Please use defaultRemoteDisplayName from config.js
|
|
||||||
// DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
|
|
||||||
|
|
||||||
// Moved to config.js as \`toolbarConfig.initialTimeout\`.
|
|
||||||
// INITIAL_TOOLBAR_TIMEOUT: 20000,
|
|
||||||
|
|
||||||
// Moved to config.js as \`toolbarConfig.alwaysVisible\`.
|
|
||||||
// Documentation reference for the live streaming feature.
|
|
||||||
// LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live',
|
|
||||||
|
|
||||||
// Moved to config.js as \`toolbarConfig.alwaysVisible\`.
|
|
||||||
// TOOLBAR_ALWAYS_VISIBLE: false,
|
|
||||||
|
|
||||||
// This config was moved to config.js as \`toolbarButtons\`.
|
|
||||||
// TOOLBAR_BUTTONS: [],
|
|
||||||
|
|
||||||
// Moved to config.js as \`toolbarConfig.timeout\`.
|
|
||||||
// TOOLBAR_TIMEOUT: 4000,
|
|
||||||
|
|
||||||
// Allow all above example options to include a trailing comma and
|
// Allow all above example options to include a trailing comma and
|
||||||
// prevent fear when commenting out the last value.
|
// prevent fear when commenting out the last value.
|
||||||
|
|
|
@ -25,12 +25,42 @@ var interfaceConfig = {
|
||||||
BRAND_WATERMARK_LINK: '',
|
BRAND_WATERMARK_LINK: '',
|
||||||
|
|
||||||
CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
|
CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
|
||||||
|
/**
|
||||||
|
* Whether the connection indicator icon should hide itself based on
|
||||||
|
* connection strength. If true, the connection indicator will remain
|
||||||
|
* displayed while the participant has a weak connection and will hide
|
||||||
|
* itself after the CONNECTION_INDICATOR_HIDE_TIMEOUT when the connection is
|
||||||
|
* strong.
|
||||||
|
*
|
||||||
|
* @type {boolean}
|
||||||
|
*/
|
||||||
|
CONNECTION_INDICATOR_AUTO_HIDE_ENABLED: true,
|
||||||
|
|
||||||
DEFAULT_BACKGROUND: '#040404',
|
/**
|
||||||
|
* How long the connection indicator should remain displayed before hiding.
|
||||||
|
* Used in conjunction with CONNECTION_INDICATOR_AUTOHIDE_ENABLED.
|
||||||
|
*
|
||||||
|
* @type {number}
|
||||||
|
*/
|
||||||
|
CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT: 5000,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* If true, hides the connection indicators completely.
|
||||||
|
*
|
||||||
|
* @type {boolean}
|
||||||
|
*/
|
||||||
|
CONNECTION_INDICATOR_DISABLED: false,
|
||||||
|
|
||||||
|
DEFAULT_BACKGROUND: '#474747',
|
||||||
|
DEFAULT_LOCAL_DISPLAY_NAME: 'me',
|
||||||
|
DEFAULT_LOGO_URL: 'images/watermark.svg',
|
||||||
|
DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
|
||||||
DEFAULT_WELCOME_PAGE_LOGO_URL: 'images/watermark.svg',
|
DEFAULT_WELCOME_PAGE_LOGO_URL: 'images/watermark.svg',
|
||||||
|
|
||||||
DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
|
DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
|
||||||
|
|
||||||
|
DISABLE_FOCUS_INDICATOR: false,
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* If true, notifications regarding joining/leaving are no longer displayed.
|
* If true, notifications regarding joining/leaving are no longer displayed.
|
||||||
*/
|
*/
|
||||||
|
@ -76,14 +106,21 @@ var interfaceConfig = {
|
||||||
|
|
||||||
GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
|
GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Hide the logo on the deep linking pages.
|
||||||
|
*/
|
||||||
|
HIDE_DEEP_LINKING_LOGO: false,
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Hide the invite prompt in the header when alone in the meeting.
|
* Hide the invite prompt in the header when alone in the meeting.
|
||||||
*/
|
*/
|
||||||
HIDE_INVITE_MORE_HEADER: false,
|
HIDE_INVITE_MORE_HEADER: false,
|
||||||
|
|
||||||
|
INITIAL_TOOLBAR_TIMEOUT: 20000,
|
||||||
JITSI_WATERMARK_LINK: 'https://jitsi.org',
|
JITSI_WATERMARK_LINK: 'https://jitsi.org',
|
||||||
|
|
||||||
LANG_DETECTION: true, // Allow i18n to detect the system language
|
LANG_DETECTION: true, // Allow i18n to detect the system language
|
||||||
|
LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature.
|
||||||
LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
|
LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -103,6 +140,23 @@ var interfaceConfig = {
|
||||||
*/
|
*/
|
||||||
MOBILE_APP_PROMO: true,
|
MOBILE_APP_PROMO: true,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Specify custom URL for downloading android mobile app.
|
||||||
|
*/
|
||||||
|
MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Specify custom URL for downloading f droid app.
|
||||||
|
*/
|
||||||
|
MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Specify URL for downloading ios mobile app.
|
||||||
|
*/
|
||||||
|
MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
|
||||||
|
|
||||||
|
NATIVE_APP_NAME: 'Jitsi Meet',
|
||||||
|
|
||||||
// Names of browsers which should show a warning stating the current browser
|
// Names of browsers which should show a warning stating the current browser
|
||||||
// has a suboptimal experience. Browsers which are not listed as optimal or
|
// has a suboptimal experience. Browsers which are not listed as optimal or
|
||||||
// unsupported are considered suboptimal. Valid values are:
|
// unsupported are considered suboptimal. Valid values are:
|
||||||
|
@ -120,7 +174,7 @@ var interfaceConfig = {
|
||||||
RECENT_LIST_ENABLED: true,
|
RECENT_LIST_ENABLED: true,
|
||||||
REMOTE_THUMBNAIL_RATIO: 1, // 1:1
|
REMOTE_THUMBNAIL_RATIO: 1, // 1:1
|
||||||
|
|
||||||
SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds', 'more' ],
|
SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar' ],
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Specify which sharing features should be displayed. If the value is not set
|
* Specify which sharing features should be displayed. If the value is not set
|
||||||
|
@ -137,6 +191,7 @@ var interfaceConfig = {
|
||||||
*/
|
*/
|
||||||
SHOW_CHROME_EXTENSION_BANNER: false,
|
SHOW_CHROME_EXTENSION_BANNER: false,
|
||||||
|
|
||||||
|
SHOW_DEEP_LINKING_IMAGE: false,
|
||||||
SHOW_JITSI_WATERMARK: true,
|
SHOW_JITSI_WATERMARK: true,
|
||||||
SHOW_POWERED_BY: false,
|
SHOW_POWERED_BY: false,
|
||||||
SHOW_PROMOTIONAL_CLOSE_PAGE: false,
|
SHOW_PROMOTIONAL_CLOSE_PAGE: false,
|
||||||
|
@ -147,6 +202,22 @@ var interfaceConfig = {
|
||||||
*/
|
*/
|
||||||
SUPPORT_URL: 'https://community.jitsi.org/',
|
SUPPORT_URL: 'https://community.jitsi.org/',
|
||||||
|
|
||||||
|
TOOLBAR_ALWAYS_VISIBLE: false,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* DEPRECATED!
|
||||||
|
* This config was moved to config.js as `toolbarButtons`.
|
||||||
|
*/
|
||||||
|
// TOOLBAR_BUTTONS: [
|
||||||
|
// 'microphone', 'camera', 'closedcaptions', 'desktop', 'embedmeeting', 'fullscreen',
|
||||||
|
// 'fodeviceselection', 'hangup', 'profile', 'chat', 'recording',
|
||||||
|
// 'livestreaming', 'etherpad', 'sharedvideo', 'settings', 'raisehand',
|
||||||
|
// 'videoquality', 'filmstrip', 'invite', 'feedback', 'stats', 'shortcuts',
|
||||||
|
// 'tileview', 'select-background', 'download', 'help', 'mute-everyone', 'mute-video-everyone', 'security'
|
||||||
|
// ],
|
||||||
|
|
||||||
|
TOOLBAR_TIMEOUT: 4000,
|
||||||
|
|
||||||
// Browsers, in addition to those which do not fully support WebRTC, that
|
// Browsers, in addition to those which do not fully support WebRTC, that
|
||||||
// are not supported and should show the unsupported browser page.
|
// are not supported and should show the unsupported browser page.
|
||||||
UNSUPPORTED_BROWSERS: [],
|
UNSUPPORTED_BROWSERS: [],
|
||||||
|
@ -159,8 +230,7 @@ var interfaceConfig = {
|
||||||
// Determines how the video would fit the screen. 'both' would fit the whole
|
// Determines how the video would fit the screen. 'both' would fit the whole
|
||||||
// screen, 'height' would fit the original video height to the height of the
|
// screen, 'height' would fit the original video height to the height of the
|
||||||
// screen, 'width' would fit the original video width to the width of the
|
// screen, 'width' would fit the original video width to the width of the
|
||||||
// screen respecting ratio, 'nocrop' would make the video as large as
|
// screen respecting ratio.
|
||||||
// possible and preserve aspect ratio without cropping.
|
|
||||||
VIDEO_LAYOUT_FIT: 'both',
|
VIDEO_LAYOUT_FIT: 'both',
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -177,31 +247,6 @@ var interfaceConfig = {
|
||||||
*/
|
*/
|
||||||
// TILE_VIEW_MAX_COLUMNS: 5,
|
// TILE_VIEW_MAX_COLUMNS: 5,
|
||||||
|
|
||||||
// List of undocumented settings
|
|
||||||
/**
|
|
||||||
INDICATOR_FONT_SIZES
|
|
||||||
PHONE_NUMBER_REGEX
|
|
||||||
*/
|
|
||||||
|
|
||||||
// -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Specify URL for downloading ios mobile app.
|
|
||||||
*/
|
|
||||||
// MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Specify custom URL for downloading android mobile app.
|
|
||||||
*/
|
|
||||||
// MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Specify mobile app scheme for opening the app from the mobile browser.
|
|
||||||
*/
|
|
||||||
// APP_SCHEME: 'org.jitsi.meet',
|
|
||||||
|
|
||||||
// NATIVE_APP_NAME: 'Jitsi Meet',
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Specify Firebase dynamic link properties for the mobile apps.
|
* Specify Firebase dynamic link properties for the mobile apps.
|
||||||
*/
|
*/
|
||||||
|
@ -214,9 +259,9 @@ var interfaceConfig = {
|
||||||
// },
|
// },
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Hide the logo on the deep linking pages.
|
* Specify mobile app scheme for opening the app from the mobile browser.
|
||||||
*/
|
*/
|
||||||
// HIDE_DEEP_LINKING_LOGO: false,
|
// APP_SCHEME: 'org.jitsi.meet',
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Specify the Android app package name.
|
* Specify the Android app package name.
|
||||||
|
@ -224,42 +269,17 @@ var interfaceConfig = {
|
||||||
// ANDROID_APP_PACKAGE: 'org.jitsi.meet',
|
// ANDROID_APP_PACKAGE: 'org.jitsi.meet',
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Specify custom URL for downloading f droid app.
|
* Override the behavior of some notifications to remain displayed until
|
||||||
|
* explicitly dismissed through a user action. The value is how long, in
|
||||||
|
* milliseconds, those notifications should remain displayed.
|
||||||
*/
|
*/
|
||||||
// MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
|
// ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000,
|
||||||
|
|
||||||
// Connection indicators (
|
// List of undocumented settings
|
||||||
// CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,
|
/**
|
||||||
// CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT,
|
INDICATOR_FONT_SIZES
|
||||||
// CONNECTION_INDICATOR_DISABLED) got moved to config.js.
|
PHONE_NUMBER_REGEX
|
||||||
|
*/
|
||||||
// Please use disableModeratorIndicator from config.js
|
|
||||||
// DISABLE_FOCUS_INDICATOR: false,
|
|
||||||
|
|
||||||
// Please use defaultLocalDisplayName from config.js
|
|
||||||
// DEFAULT_LOCAL_DISPLAY_NAME: 'me',
|
|
||||||
|
|
||||||
// Please use defaultLogoUrl from config.js
|
|
||||||
// DEFAULT_LOGO_URL: 'images/watermark.svg',
|
|
||||||
|
|
||||||
// Please use defaultRemoteDisplayName from config.js
|
|
||||||
// DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
|
|
||||||
|
|
||||||
// Moved to config.js as `toolbarConfig.initialTimeout`.
|
|
||||||
// INITIAL_TOOLBAR_TIMEOUT: 20000,
|
|
||||||
|
|
||||||
// Please use `liveStreaming.helpLink` from config.js
|
|
||||||
// Documentation reference for the live streaming feature.
|
|
||||||
// LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live',
|
|
||||||
|
|
||||||
// Moved to config.js as `toolbarConfig.alwaysVisible`.
|
|
||||||
// TOOLBAR_ALWAYS_VISIBLE: false,
|
|
||||||
|
|
||||||
// This config was moved to config.js as `toolbarButtons`.
|
|
||||||
// TOOLBAR_BUTTONS: [],
|
|
||||||
|
|
||||||
// Moved to config.js as `toolbarConfig.timeout`.
|
|
||||||
// TOOLBAR_TIMEOUT: 4000,
|
|
||||||
|
|
||||||
// Allow all above example options to include a trailing comma and
|
// Allow all above example options to include a trailing comma and
|
||||||
// prevent fear when commenting out the last value.
|
// prevent fear when commenting out the last value.
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
2.0.8319-1
|
|
|
@ -2,37 +2,6 @@
|
||||||
|
|
||||||
# shellcheck disable=SC2034 # This is intended to be included
|
# shellcheck disable=SC2034 # This is intended to be included
|
||||||
JITSI_NGINX_CONFIG="$(cat <<EOF
|
JITSI_NGINX_CONFIG="$(cat <<EOF
|
||||||
# Jitsi uses following lines by default, in our cdist types they must be commented
|
|
||||||
# out as we already set it with __jitsi_meet in the default server config.
|
|
||||||
#server_names_hash_bucket_size 64;
|
|
||||||
#
|
|
||||||
#types {
|
|
||||||
## nginx's default mime.types doesn't include a mapping for wasm or wav.
|
|
||||||
# application/wasm wasm;
|
|
||||||
# audio/wav wav;
|
|
||||||
#}
|
|
||||||
# These upstreams are managed by __jitsi_meet
|
|
||||||
#upstream prosody {
|
|
||||||
# zone upstreams 64K;
|
|
||||||
# server 127.0.0.1:5280;
|
|
||||||
# keepalive 2;
|
|
||||||
#}
|
|
||||||
#upstream jvb1 {
|
|
||||||
# zone upstreams 64K;
|
|
||||||
# server 127.0.0.1:9090;
|
|
||||||
# keepalive 2;
|
|
||||||
#}
|
|
||||||
#map \$arg_vnode \$prosody_node {
|
|
||||||
# default prosody;
|
|
||||||
# v1 v1;
|
|
||||||
# v2 v2;
|
|
||||||
# v3 v3;
|
|
||||||
# v4 v4;
|
|
||||||
# v5 v5;
|
|
||||||
# v6 v6;
|
|
||||||
# v7 v7;
|
|
||||||
# v8 v8;
|
|
||||||
#}
|
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
listen [::]:80;
|
listen [::]:80;
|
||||||
|
@ -61,7 +30,6 @@ server {
|
||||||
ssl_session_tickets off;
|
ssl_session_tickets off;
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||||
set \$prefix "";
|
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
|
ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
|
||||||
|
@ -103,13 +71,6 @@ server {
|
||||||
alias /usr/share/jitsi-meet/libs/external_api.min.js;
|
alias /usr/share/jitsi-meet/libs/external_api.min.js;
|
||||||
}
|
}
|
||||||
|
|
||||||
location = /_api/room-info {
|
|
||||||
proxy_pass http://prosody/room-info?prefix=\$prefix&\$args;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header X-Forwarded-For \$remote_addr;
|
|
||||||
proxy_set_header Host \$http_host;
|
|
||||||
}
|
|
||||||
|
|
||||||
#ensure all static content can always be found first
|
#ensure all static content can always be found first
|
||||||
location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)\$
|
location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)\$
|
||||||
{
|
{
|
||||||
|
@ -122,63 +83,36 @@ server {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# Paths for jsi / interpreters
|
|
||||||
location ~ ^/i/(img/[^./]*.png|jsi.js|style.css)$
|
|
||||||
{
|
|
||||||
add_header 'Access-Control-Allow-Origin' '*';
|
|
||||||
alias /opt/jsi/static/\$1;
|
|
||||||
|
|
||||||
# cache all versioned files
|
|
||||||
if (\$arg_v) {
|
|
||||||
expires 1y;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
location ~ ^/i/
|
|
||||||
{
|
|
||||||
try_files /${DOMAIN}-interpreters.html /interpreters.html \$uri;
|
|
||||||
}
|
|
||||||
|
|
||||||
# BOSH
|
# BOSH
|
||||||
location = /http-bind {
|
location = /http-bind {
|
||||||
proxy_pass http://prosody/http-bind?prefix=\$prefix&\$args;
|
proxy_pass http://localhost:5280/http-bind;
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header X-Forwarded-For \$remote_addr;
|
proxy_set_header X-Forwarded-For \$remote_addr;
|
||||||
# Prevision for 'multi-domain' jitsi instances
|
# Prevision for 'multi-domain' jitsi instances
|
||||||
# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
|
# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
|
||||||
proxy_set_header Host ${DOMAIN};
|
proxy_set_header Host ${JITSI_HOST};
|
||||||
proxy_set_header Connection "";
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# xmpp websockets
|
# xmpp websockets
|
||||||
location = /xmpp-websocket {
|
location = /xmpp-websocket {
|
||||||
proxy_pass http://prosody/xmpp-websocket?prefix=\$prefix&\$args;
|
proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=\$prefix&\$args;
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
proxy_set_header Upgrade \$http_upgrade;
|
proxy_set_header Upgrade \$http_upgrade;
|
||||||
proxy_set_header Connection "upgrade";
|
proxy_set_header Connection "upgrade";
|
||||||
# Prevision for 'multi-domain' jitsi instances
|
# Prevision for 'multi-domain' jitsi instances
|
||||||
# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
|
# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
|
||||||
proxy_set_header Host ${DOMAIN};
|
proxy_set_header Host ${JITSI_HOST};
|
||||||
tcp_nodelay on;
|
tcp_nodelay on;
|
||||||
}
|
}
|
||||||
|
|
||||||
# colibri (JVB) websockets for jvb1
|
# colibri (JVB) websockets for jvb1
|
||||||
location ~ ^/colibri-ws/default-id/(.*) {
|
location ~ ^/colibri-ws/default-id/(.*) {
|
||||||
proxy_pass http://jvb1/colibri-ws/default-id/\$1\$is_args\$args;
|
proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/\$1\$is_args\$args;
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
proxy_set_header Upgrade \$http_upgrade;
|
proxy_set_header Upgrade \$http_upgrade;
|
||||||
proxy_set_header Connection "upgrade";
|
proxy_set_header Connection "upgrade";
|
||||||
tcp_nodelay on;
|
tcp_nodelay on;
|
||||||
}
|
}
|
||||||
|
|
||||||
# load test minimal client, uncomment when used
|
|
||||||
#location ~ ^/_load-test/([^/?&:'"]+)\$ {
|
|
||||||
# rewrite ^/_load-test/(.*)\$ /load-test/index.html break;
|
|
||||||
#}
|
|
||||||
#location ~ ^/_load-test/libs/(.*)\$ {
|
|
||||||
# add_header 'Access-Control-Allow-Origin' '*';
|
|
||||||
# alias /usr/share/jitsi-meet/load-test/libs/\$1;
|
|
||||||
#}
|
|
||||||
|
|
||||||
location ~ ^/([^/?&:'"]+)\$ {
|
location ~ ^/([^/?&:'"]+)\$ {
|
||||||
try_files \$uri @root_path;
|
try_files \$uri @root_path;
|
||||||
}
|
}
|
||||||
|
@ -195,6 +129,13 @@ server {
|
||||||
alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
|
alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
|
||||||
|
location ~ ^/([^/?&:'"]+)/(.*)\$ {
|
||||||
|
set \$subdomain "\$1.";
|
||||||
|
set \$subdir "\$1/";
|
||||||
|
rewrite ^/([^/?&:'"]+)/(.*)\$ /\$2;
|
||||||
|
}
|
||||||
|
|
||||||
# BOSH for subdomains
|
# BOSH for subdomains
|
||||||
location ~ ^/([^/?&:'"]+)/http-bind {
|
location ~ ^/([^/?&:'"]+)/http-bind {
|
||||||
set \$subdomain "\$1.";
|
set \$subdomain "\$1.";
|
||||||
|
@ -212,21 +153,6 @@ server {
|
||||||
|
|
||||||
rewrite ^/(.*)\$ /xmpp-websocket;
|
rewrite ^/(.*)\$ /xmpp-websocket;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ ^/([^/?&:'"]+)/_api/room-info {
|
|
||||||
set \$subdomain "\$1.";
|
|
||||||
set \$subdir "\$1/";
|
|
||||||
set \$prefix "\$1";
|
|
||||||
|
|
||||||
rewrite ^/(.*)\$ /_api/room-info;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
|
|
||||||
location ~ ^/([^/?&:'"]+)/(.*)\$ {
|
|
||||||
set \$subdomain "\$1.";
|
|
||||||
set \$subdir "\$1/";
|
|
||||||
rewrite ^/([^/?&:'"]+)/(.*)\$ /\$2;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
)"
|
)"
|
||||||
|
|
|
@ -1,31 +1,5 @@
|
||||||
server_names_hash_bucket_size 64;
|
server_names_hash_bucket_size 64;
|
||||||
|
|
||||||
types {
|
|
||||||
# nginx's default mime.types doesn't include a mapping for wasm or wav.
|
|
||||||
application/wasm wasm;
|
|
||||||
audio/wav wav;
|
|
||||||
}
|
|
||||||
upstream prosody {
|
|
||||||
zone upstreams 64K;
|
|
||||||
server 127.0.0.1:5280;
|
|
||||||
keepalive 2;
|
|
||||||
}
|
|
||||||
upstream jvb1 {
|
|
||||||
zone upstreams 64K;
|
|
||||||
server 127.0.0.1:9090;
|
|
||||||
keepalive 2;
|
|
||||||
}
|
|
||||||
map $arg_vnode $prosody_node {
|
|
||||||
default prosody;
|
|
||||||
v1 v1;
|
|
||||||
v2 v2;
|
|
||||||
v3 v3;
|
|
||||||
v4 v4;
|
|
||||||
v5 v5;
|
|
||||||
v6 v6;
|
|
||||||
v7 v7;
|
|
||||||
v8 v8;
|
|
||||||
}
|
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
listen [::]:80;
|
listen [::]:80;
|
||||||
|
@ -57,7 +31,6 @@ server {
|
||||||
ssl_session_tickets off;
|
ssl_session_tickets off;
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||||
set $prefix "";
|
|
||||||
|
|
||||||
ssl_certificate /etc/jitsi/meet/jitsi-meet.example.com.crt;
|
ssl_certificate /etc/jitsi/meet/jitsi-meet.example.com.crt;
|
||||||
ssl_certificate_key /etc/jitsi/meet/jitsi-meet.example.com.key;
|
ssl_certificate_key /etc/jitsi/meet/jitsi-meet.example.com.key;
|
||||||
|
@ -85,13 +58,6 @@ server {
|
||||||
alias /usr/share/jitsi-meet/libs/external_api.min.js;
|
alias /usr/share/jitsi-meet/libs/external_api.min.js;
|
||||||
}
|
}
|
||||||
|
|
||||||
location = /_api/room-info {
|
|
||||||
proxy_pass http://prosody/room-info?prefix=$prefix&$args;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
}
|
|
||||||
|
|
||||||
#ensure all static content can always be found first
|
#ensure all static content can always be found first
|
||||||
location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
|
location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
|
||||||
{
|
{
|
||||||
|
@ -106,16 +72,14 @@ server {
|
||||||
|
|
||||||
# BOSH
|
# BOSH
|
||||||
location = /http-bind {
|
location = /http-bind {
|
||||||
proxy_pass http://$prosody_node/http-bind?prefix=$prefix&$args;
|
proxy_pass http://localhost:5280/http-bind;
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
proxy_set_header Connection "";
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# xmpp websockets
|
# xmpp websockets
|
||||||
location = /xmpp-websocket {
|
location = /xmpp-websocket {
|
||||||
proxy_pass http://$prosody_node/xmpp-websocket?prefix=$prefix&$args;
|
proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection "upgrade";
|
proxy_set_header Connection "upgrade";
|
||||||
|
@ -125,22 +89,13 @@ server {
|
||||||
|
|
||||||
# colibri (JVB) websockets for jvb1
|
# colibri (JVB) websockets for jvb1
|
||||||
location ~ ^/colibri-ws/default-id/(.*) {
|
location ~ ^/colibri-ws/default-id/(.*) {
|
||||||
proxy_pass http://jvb1/colibri-ws/default-id/$1$is_args$args;
|
proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/$1$is_args$args;
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection "upgrade";
|
proxy_set_header Connection "upgrade";
|
||||||
tcp_nodelay on;
|
tcp_nodelay on;
|
||||||
}
|
}
|
||||||
|
|
||||||
# load test minimal client, uncomment when used
|
|
||||||
#location ~ ^/_load-test/([^/?&:'"]+)$ {
|
|
||||||
# rewrite ^/_load-test/(.*)$ /load-test/index.html break;
|
|
||||||
#}
|
|
||||||
#location ~ ^/_load-test/libs/(.*)$ {
|
|
||||||
# add_header 'Access-Control-Allow-Origin' '*';
|
|
||||||
# alias /usr/share/jitsi-meet/load-test/libs/$1;
|
|
||||||
#}
|
|
||||||
|
|
||||||
location ~ ^/([^/?&:'"]+)$ {
|
location ~ ^/([^/?&:'"]+)$ {
|
||||||
try_files $uri @root_path;
|
try_files $uri @root_path;
|
||||||
}
|
}
|
||||||
|
@ -157,6 +112,13 @@ server {
|
||||||
alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
|
alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
|
||||||
|
location ~ ^/([^/?&:'"]+)/(.*)$ {
|
||||||
|
set $subdomain "$1.";
|
||||||
|
set $subdir "$1/";
|
||||||
|
rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
|
||||||
|
}
|
||||||
|
|
||||||
# BOSH for subdomains
|
# BOSH for subdomains
|
||||||
location ~ ^/([^/?&:'"]+)/http-bind {
|
location ~ ^/([^/?&:'"]+)/http-bind {
|
||||||
set $subdomain "$1.";
|
set $subdomain "$1.";
|
||||||
|
@ -174,19 +136,4 @@ server {
|
||||||
|
|
||||||
rewrite ^/(.*)$ /xmpp-websocket;
|
rewrite ^/(.*)$ /xmpp-websocket;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ ^/([^/?&:'"]+)/_api/room-info {
|
|
||||||
set $subdomain "$1.";
|
|
||||||
set $subdir "$1/";
|
|
||||||
set $prefix "$1";
|
|
||||||
|
|
||||||
rewrite ^/(.*)$ /_api/room-info;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
|
|
||||||
location ~ ^/([^/?&:'"]+)/(.*)$ {
|
|
||||||
set $subdomain "$1.";
|
|
||||||
set $subdir "$1/";
|
|
||||||
rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,220 +0,0 @@
|
||||||
#!/bin/sh -eu
|
|
||||||
|
|
||||||
# Source:
|
|
||||||
# https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example
|
|
||||||
FOCUS_USER="focus"
|
|
||||||
JITSI_DOMAIN="${JITSI_DOMAIN:-${JITSI_HOST:?}}"
|
|
||||||
# PROSODY_MAIN_CONFIG: defined in __jitsi_meet, empty in __jitsi_meet_domain
|
|
||||||
PROSODY_SECUREDOMAIN_START="--[["
|
|
||||||
PROSODY_SECUREDOMAIN_END="--]]"
|
|
||||||
if [ -n "${PROSODY_MAIN_CONFIG}" ]; then
|
|
||||||
PROSODY_MAIN_START=""
|
|
||||||
PROSODY_MAIN_END=""
|
|
||||||
PROSODY_DOMAIN_START="--[["
|
|
||||||
PROSODY_DOMAIN_END="--]]"
|
|
||||||
else
|
|
||||||
PROSODY_MAIN_START="--[["
|
|
||||||
PROSODY_MAIN_END="--]]"
|
|
||||||
PROSODY_DOMAIN_START=""
|
|
||||||
PROSODY_DOMAIN_END=""
|
|
||||||
if [ -n "${SECURED_DOMAINS}" ]; then
|
|
||||||
PROSODY_SECUREDOMAIN_START=""
|
|
||||||
PROSODY_SECUREDOMAIN_END=""
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
# Websockets haven't been fully tested in this type and don't work reliably
|
|
||||||
PROSODY_WEBSOCKET="-- "
|
|
||||||
|
|
||||||
# shellcheck disable=SC2034 # This is intended to be included
|
|
||||||
PROSODY_CONFIG="$(cat <<EOFPROSODY
|
|
||||||
-- Managed remotely, changes will be lost
|
|
||||||
${PROSODY_MAIN_START}
|
|
||||||
-- This will be managed by __jitsi_meet
|
|
||||||
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
|
|
||||||
|
|
||||||
-- domain mapper options, must at least have domain base set to use the mapper
|
|
||||||
muc_mapper_domain_base = "${JITSI_HOST:?}";
|
|
||||||
|
|
||||||
external_service_secret = "${TURN_SECRET:-TurnSecret}";
|
|
||||||
external_services = {
|
|
||||||
{ type = "stun", host = "${JITSI_HOST:?}", port = 3478 },
|
|
||||||
{ type = "turn", host = "${JITSI_HOST:?}", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
|
|
||||||
{ type = "turns", host = "${JITSI_HOST:?}", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
|
|
||||||
};
|
|
||||||
|
|
||||||
cross_domain_bosh = false;
|
|
||||||
consider_bosh_secure = true;
|
|
||||||
-- Use websockets
|
|
||||||
-- https://community.jitsi.org/t/how-to-how-to-enable-websockets-xmpp-websocket-and-smacks-for-prosody/87920
|
|
||||||
${PROSODY_WEBSOCKET}consider_websocket_secure = true;
|
|
||||||
|
|
||||||
-- https_ports = { }; -- Remove this line to prevent listening on port 5284
|
|
||||||
|
|
||||||
-- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
|
|
||||||
--http_cors_override = {
|
|
||||||
-- bosh = {
|
|
||||||
-- enabled = false;
|
|
||||||
-- };
|
|
||||||
-- websocket = {
|
|
||||||
-- enabled = false;
|
|
||||||
-- };
|
|
||||||
--}
|
|
||||||
|
|
||||||
-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
|
|
||||||
ssl = {
|
|
||||||
protocol = "tlsv1_2+";
|
|
||||||
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
|
|
||||||
}
|
|
||||||
|
|
||||||
unlimited_jids = {
|
|
||||||
"${FOCUS_USER:?}@auth.${JITSI_HOST:?}",
|
|
||||||
"jvb@auth.${JITSI_HOST:?}"
|
|
||||||
}
|
|
||||||
${PROSODY_MAIN_END}
|
|
||||||
|
|
||||||
${PROSODY_DOMAIN_START}
|
|
||||||
-- This will be managed by __jitsi_meet_domain
|
|
||||||
VirtualHost "${JITSI_DOMAIN:?}"
|
|
||||||
authentication = "jitsi-anonymous" -- do not delete me
|
|
||||||
-- Properties below are modified by jitsi-meet-tokens package config
|
|
||||||
-- and authentication above is switched to "token"
|
|
||||||
--app_id="example_app_id"
|
|
||||||
--app_secret="example_app_secret"
|
|
||||||
-- Assign this host a certificate for TLS, otherwise it would use the one
|
|
||||||
-- set in the global section (if any).
|
|
||||||
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
|
|
||||||
-- use the global one.
|
|
||||||
ssl = {
|
|
||||||
key = "/etc/prosody/certs/${JITSI_DOMAIN:?}.key";
|
|
||||||
certificate = "/etc/prosody/certs/${JITSI_DOMAIN:?}.crt";
|
|
||||||
}
|
|
||||||
av_moderation_component = "avmoderation.${JITSI_DOMAIN:?}"
|
|
||||||
speakerstats_component = "speakerstats.${JITSI_DOMAIN:?}"
|
|
||||||
conference_duration_component = "conferenceduration.${JITSI_DOMAIN:?}"
|
|
||||||
end_conference_component = "endconference.${JITSI_DOMAIN:?}"
|
|
||||||
-- we need bosh
|
|
||||||
modules_enabled = {
|
|
||||||
"bosh";
|
|
||||||
"pubsub";
|
|
||||||
"ping"; -- Enable mod_ping
|
|
||||||
"speakerstats";
|
|
||||||
"external_services";
|
|
||||||
"conference_duration";
|
|
||||||
"end_conference";
|
|
||||||
"muc_lobby_rooms";
|
|
||||||
"muc_breakout_rooms";
|
|
||||||
"av_moderation";
|
|
||||||
"room_metadata";
|
|
||||||
${PROSODY_WEBSOCKET} "websocket";
|
|
||||||
${PROSODY_WEBSOCKET} "smacks";
|
|
||||||
}
|
|
||||||
smacks_max_unacked_stanzas = 5;
|
|
||||||
smacks_hibernation_time = 60;
|
|
||||||
smacks_max_hibernated_sessions = 1;
|
|
||||||
smacks_max_old_sessions = 1;
|
|
||||||
c2s_require_encryption = false
|
|
||||||
lobby_muc = "lobby.${JITSI_DOMAIN:?}"
|
|
||||||
breakout_rooms_muc = "breakout.${JITSI_DOMAIN:?}"
|
|
||||||
room_metadata_component = "metadata.${JITSI_DOMAIN:?}"
|
|
||||||
main_muc = "conference.${JITSI_DOMAIN:?}"
|
|
||||||
-- muc_lobby_whitelist = { "recorder.${JITSI_DOMAIN:?}" } -- Here we can whitelist jibri to enter lobby enabled rooms
|
|
||||||
|
|
||||||
Component "conference.${JITSI_DOMAIN:?}" "muc"
|
|
||||||
restrict_room_creation = true
|
|
||||||
storage = "memory"
|
|
||||||
modules_enabled = {
|
|
||||||
"muc_meeting_id";
|
|
||||||
"muc_domain_mapper";
|
|
||||||
"polls";
|
|
||||||
--"token_verification";
|
|
||||||
"muc_rate_limit";
|
|
||||||
}
|
|
||||||
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
|
|
||||||
muc_room_locking = false
|
|
||||||
muc_room_default_public_jids = true
|
|
||||||
|
|
||||||
Component "breakout.${JITSI_DOMAIN:?}" "muc"
|
|
||||||
restrict_room_creation = true
|
|
||||||
storage = "memory"
|
|
||||||
modules_enabled = {
|
|
||||||
"muc_meeting_id";
|
|
||||||
"muc_domain_mapper";
|
|
||||||
"muc_rate_limit";
|
|
||||||
"polls";
|
|
||||||
}
|
|
||||||
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
|
|
||||||
muc_room_locking = false
|
|
||||||
muc_room_default_public_jids = true
|
|
||||||
|
|
||||||
-- internal muc component
|
|
||||||
Component "internal.auth.${JITSI_DOMAIN:?}" "muc"
|
|
||||||
storage = "memory"
|
|
||||||
modules_enabled = {
|
|
||||||
"ping";
|
|
||||||
}
|
|
||||||
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}", "jvb@auth.${JITSI_HOST:?}" }
|
|
||||||
muc_room_locking = false
|
|
||||||
muc_room_default_public_jids = true
|
|
||||||
-- https://prosody.im/doc/modules/mod_muc
|
|
||||||
muc_room_cache_size = 1000
|
|
||||||
${PROSODY_DOMAIN_END}
|
|
||||||
${PROSODY_MAIN_START}
|
|
||||||
-- This will be managed by __jitsi_meet
|
|
||||||
|
|
||||||
VirtualHost "auth.${JITSI_DOMAIN:?}"
|
|
||||||
ssl = {
|
|
||||||
key = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.key";
|
|
||||||
certificate = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.crt";
|
|
||||||
}
|
|
||||||
|
|
||||||
modules_enabled = {
|
|
||||||
"limits_exception";
|
|
||||||
}
|
|
||||||
authentication = "internal_hashed"
|
|
||||||
${PROSODY_MAIN_END}
|
|
||||||
${PROSODY_DOMAIN_START}
|
|
||||||
-- This will be managed by __jitsi_meet_domain
|
|
||||||
|
|
||||||
-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
|
|
||||||
Component "focus.${JITSI_DOMAIN:?}" "client_proxy"
|
|
||||||
-- Single focus user for the whole instance
|
|
||||||
target_address = "${FOCUS_USER:?}@auth.${JITSI_HOST:?}"
|
|
||||||
|
|
||||||
Component "speakerstats.${JITSI_DOMAIN:?}" "speakerstats_component"
|
|
||||||
muc_component = "conference.${JITSI_DOMAIN:?}"
|
|
||||||
|
|
||||||
Component "conferenceduration.${JITSI_DOMAIN:?}" "conference_duration_component"
|
|
||||||
muc_component = "conference.${JITSI_DOMAIN:?}"
|
|
||||||
|
|
||||||
Component "endconference.${JITSI_DOMAIN:?}" "end_conference"
|
|
||||||
muc_component = "conference.${JITSI_DOMAIN:?}"
|
|
||||||
|
|
||||||
Component "avmoderation.${JITSI_DOMAIN:?}" "av_moderation_component"
|
|
||||||
muc_component = "conference.${JITSI_DOMAIN:?}"
|
|
||||||
|
|
||||||
Component "lobby.${JITSI_DOMAIN:?}" "muc"
|
|
||||||
storage = "memory"
|
|
||||||
restrict_room_creation = true
|
|
||||||
muc_room_locking = false
|
|
||||||
muc_room_default_public_jids = true
|
|
||||||
modules_enabled = {
|
|
||||||
"muc_rate_limit";
|
|
||||||
"polls";
|
|
||||||
}
|
|
||||||
|
|
||||||
Component "metadata.${JITSI_DOMAIN:?}" "room_metadata_component"
|
|
||||||
muc_component = "conference.${JITSI_DOMAIN:?}"
|
|
||||||
breakout_rooms_component = "breakout.${JITSI_DOMAIN:?}"
|
|
||||||
${PROSODY_DOMAIN_END}
|
|
||||||
|
|
||||||
${PROSODY_SECUREDOMAIN_START}
|
|
||||||
-- Only used on secured domains
|
|
||||||
VirtualHost "${JITSI_DOMAIN}"
|
|
||||||
authentication = "internal_plain"
|
|
||||||
|
|
||||||
VirtualHost "guest.${JITSI_DOMAIN}"
|
|
||||||
authentication = "anonymous"
|
|
||||||
c2s_require_encryption = false
|
|
||||||
${PROSODY_SECUREDOMAIN_END}
|
|
||||||
EOFPROSODY
|
|
||||||
)"
|
|
|
@ -1,148 +0,0 @@
|
||||||
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
|
|
||||||
|
|
||||||
-- domain mapper options, must at least have domain base set to use the mapper
|
|
||||||
muc_mapper_domain_base = "jitmeet.example.com";
|
|
||||||
|
|
||||||
external_service_secret = "__turnSecret__";
|
|
||||||
external_services = {
|
|
||||||
{ type = "stun", host = "jitmeet.example.com", port = 3478 },
|
|
||||||
{ type = "turn", host = "jitmeet.example.com", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
|
|
||||||
{ type = "turns", host = "jitmeet.example.com", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
|
|
||||||
};
|
|
||||||
|
|
||||||
cross_domain_bosh = false;
|
|
||||||
consider_bosh_secure = true;
|
|
||||||
-- https_ports = { }; -- Remove this line to prevent listening on port 5284
|
|
||||||
|
|
||||||
-- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
|
|
||||||
--http_cors_override = {
|
|
||||||
-- bosh = {
|
|
||||||
-- enabled = false;
|
|
||||||
-- };
|
|
||||||
-- websocket = {
|
|
||||||
-- enabled = false;
|
|
||||||
-- };
|
|
||||||
--}
|
|
||||||
|
|
||||||
-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
|
|
||||||
ssl = {
|
|
||||||
protocol = "tlsv1_2+";
|
|
||||||
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
|
|
||||||
}
|
|
||||||
|
|
||||||
unlimited_jids = {
|
|
||||||
"focusUser@auth.jitmeet.example.com",
|
|
||||||
"jvb@auth.jitmeet.example.com"
|
|
||||||
}
|
|
||||||
|
|
||||||
VirtualHost "jitmeet.example.com"
|
|
||||||
authentication = "jitsi-anonymous" -- do not delete me
|
|
||||||
-- Properties below are modified by jitsi-meet-tokens package config
|
|
||||||
-- and authentication above is switched to "token"
|
|
||||||
--app_id="example_app_id"
|
|
||||||
--app_secret="example_app_secret"
|
|
||||||
-- Assign this host a certificate for TLS, otherwise it would use the one
|
|
||||||
-- set in the global section (if any).
|
|
||||||
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
|
|
||||||
-- use the global one.
|
|
||||||
ssl = {
|
|
||||||
key = "/etc/prosody/certs/jitmeet.example.com.key";
|
|
||||||
certificate = "/etc/prosody/certs/jitmeet.example.com.crt";
|
|
||||||
}
|
|
||||||
av_moderation_component = "avmoderation.jitmeet.example.com"
|
|
||||||
speakerstats_component = "speakerstats.jitmeet.example.com"
|
|
||||||
conference_duration_component = "conferenceduration.jitmeet.example.com"
|
|
||||||
end_conference_component = "endconference.jitmeet.example.com"
|
|
||||||
-- we need bosh
|
|
||||||
modules_enabled = {
|
|
||||||
"bosh";
|
|
||||||
"pubsub";
|
|
||||||
"ping"; -- Enable mod_ping
|
|
||||||
"speakerstats";
|
|
||||||
"external_services";
|
|
||||||
"conference_duration";
|
|
||||||
"end_conference";
|
|
||||||
"muc_lobby_rooms";
|
|
||||||
"muc_breakout_rooms";
|
|
||||||
"av_moderation";
|
|
||||||
"room_metadata";
|
|
||||||
}
|
|
||||||
c2s_require_encryption = false
|
|
||||||
lobby_muc = "lobby.jitmeet.example.com"
|
|
||||||
breakout_rooms_muc = "breakout.jitmeet.example.com"
|
|
||||||
room_metadata_component = "metadata.jitmeet.example.com"
|
|
||||||
main_muc = "conference.jitmeet.example.com"
|
|
||||||
-- muc_lobby_whitelist = { "recorder.jitmeet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
|
|
||||||
|
|
||||||
Component "conference.jitmeet.example.com" "muc"
|
|
||||||
restrict_room_creation = true
|
|
||||||
storage = "memory"
|
|
||||||
modules_enabled = {
|
|
||||||
"muc_meeting_id";
|
|
||||||
"muc_domain_mapper";
|
|
||||||
"polls";
|
|
||||||
--"token_verification";
|
|
||||||
"muc_rate_limit";
|
|
||||||
}
|
|
||||||
admins = { "focusUser@auth.jitmeet.example.com" }
|
|
||||||
muc_room_locking = false
|
|
||||||
muc_room_default_public_jids = true
|
|
||||||
|
|
||||||
Component "breakout.jitmeet.example.com" "muc"
|
|
||||||
restrict_room_creation = true
|
|
||||||
storage = "memory"
|
|
||||||
modules_enabled = {
|
|
||||||
"muc_meeting_id";
|
|
||||||
"muc_domain_mapper";
|
|
||||||
"muc_rate_limit";
|
|
||||||
"polls";
|
|
||||||
}
|
|
||||||
admins = { "focusUser@auth.jitmeet.example.com" }
|
|
||||||
muc_room_locking = false
|
|
||||||
muc_room_default_public_jids = true
|
|
||||||
|
|
||||||
-- internal muc component
|
|
||||||
Component "internal.auth.jitmeet.example.com" "muc"
|
|
||||||
storage = "memory"
|
|
||||||
modules_enabled = {
|
|
||||||
"ping";
|
|
||||||
}
|
|
||||||
admins = { "focusUser@auth.jitmeet.example.com", "jvb@auth.jitmeet.example.com" }
|
|
||||||
muc_room_locking = false
|
|
||||||
muc_room_default_public_jids = true
|
|
||||||
|
|
||||||
VirtualHost "auth.jitmeet.example.com"
|
|
||||||
modules_enabled = {
|
|
||||||
"limits_exception";
|
|
||||||
}
|
|
||||||
authentication = "internal_hashed"
|
|
||||||
|
|
||||||
-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
|
|
||||||
Component "focus.jitmeet.example.com" "client_proxy"
|
|
||||||
target_address = "focusUser@auth.jitmeet.example.com"
|
|
||||||
|
|
||||||
Component "speakerstats.jitmeet.example.com" "speakerstats_component"
|
|
||||||
muc_component = "conference.jitmeet.example.com"
|
|
||||||
|
|
||||||
Component "conferenceduration.jitmeet.example.com" "conference_duration_component"
|
|
||||||
muc_component = "conference.jitmeet.example.com"
|
|
||||||
|
|
||||||
Component "endconference.jitmeet.example.com" "end_conference"
|
|
||||||
muc_component = "conference.jitmeet.example.com"
|
|
||||||
|
|
||||||
Component "avmoderation.jitmeet.example.com" "av_moderation_component"
|
|
||||||
muc_component = "conference.jitmeet.example.com"
|
|
||||||
|
|
||||||
Component "lobby.jitmeet.example.com" "muc"
|
|
||||||
storage = "memory"
|
|
||||||
restrict_room_creation = true
|
|
||||||
muc_room_locking = false
|
|
||||||
muc_room_default_public_jids = true
|
|
||||||
modules_enabled = {
|
|
||||||
"muc_rate_limit";
|
|
||||||
"polls";
|
|
||||||
}
|
|
||||||
|
|
||||||
Component "metadata.jitmeet.example.com" "room_metadata_component"
|
|
||||||
muc_component = "conference.jitmeet.example.com"
|
|
||||||
breakout_rooms_component = "breakout.jitmeet.example.com"
|
|
|
@ -11,24 +11,14 @@ DESCRIPTION
|
||||||
-----------
|
-----------
|
||||||
This type installs and configures the frontend for Jitsi-Meet.
|
This type installs and configures the frontend for Jitsi-Meet.
|
||||||
|
|
||||||
Additionally to regular Jitsi-Meet, users can load `DOMAIN/i/` and
|
This supports "multi-domain" installations, notice that in such a setup, all
|
||||||
`DOMAIN/i/ROOM` for an interpreter-enabled interface; this is done with a
|
rooms are shared across the different URLs, e.g.
|
||||||
patched version of Jitsi Simultaneous Interpretation (jsi; see references).
|
|
||||||
At least a user with `interpreter` in their name must be present.
|
|
||||||
|
|
||||||
|
|
||||||
This type supports "multi-domain" installations.
|
|
||||||
|
|
||||||
New in April 2022: rooms are independent for each domain, that is:
|
|
||||||
https://jitsi1.example.org/room1 and https://jitsi2.example.org/room1 are
|
https://jitsi1.example.org/room1 and https://jitsi2.example.org/room1 are
|
||||||
different rooms.
|
equivalent.
|
||||||
Note however, that right now if using secured domains, users are still shared
|
|
||||||
across any domains hosted in the same instance.
|
|
||||||
One way to work around that could be to run multiple jicofos, but we do not
|
|
||||||
want to bloat the servers.
|
|
||||||
A better way is to patch jicofo, get in touch with the type authors if you want
|
|
||||||
the gory details.
|
|
||||||
|
|
||||||
|
This is due to the underlying XMPP and signaling rooms being common.
|
||||||
|
There might be a way to perform tricks on the Nginx-side to avoid this, but
|
||||||
|
time is lacking :-).
|
||||||
|
|
||||||
This assumes `__jitsi_meet` has already been ran on the target host, and,
|
This assumes `__jitsi_meet` has already been ran on the target host, and,
|
||||||
amongst others, that Jitsi was set up with `__target_host` as the Jitsi domain.
|
amongst others, that Jitsi was set up with `__target_host` as the Jitsi domain.
|
||||||
|
@ -51,11 +41,6 @@ admin-email
|
||||||
|
|
||||||
OPTIONAL PARAMETERS
|
OPTIONAL PARAMETERS
|
||||||
-------------------
|
-------------------
|
||||||
analytics-settings
|
|
||||||
This goes inside the `analytics` part of `config.js`.
|
|
||||||
Defaults to: `disabled: true`.
|
|
||||||
See: https://github.com/jitsi/jitsi-meet/blob/master/config.js
|
|
||||||
|
|
||||||
channel-last-n
|
channel-last-n
|
||||||
Default value for the "last N" attribute.
|
Default value for the "last N" attribute.
|
||||||
Defaults to 20. Set to -1 for unlimited.
|
Defaults to 20. Set to -1 for unlimited.
|
||||||
|
@ -75,10 +60,6 @@ start-video-muted
|
||||||
Defaults to 10.
|
Defaults to 10.
|
||||||
|
|
||||||
|
|
||||||
state
|
|
||||||
Whether the domain is 'present' or 'absent', defaults to 'present'.
|
|
||||||
|
|
||||||
|
|
||||||
turn-server
|
turn-server
|
||||||
The TURN server to be used.
|
The TURN server to be used.
|
||||||
Defaults to `__target_host`.
|
Defaults to `__target_host`.
|
||||||
|
@ -93,15 +74,6 @@ video-constraints
|
||||||
It must not have a trailing comma, see `constraints` in
|
It must not have a trailing comma, see `constraints` in
|
||||||
`__jitsi_meet_domain/files/config.js.sh`.
|
`__jitsi_meet_domain/files/config.js.sh`.
|
||||||
|
|
||||||
branding-app-name
|
|
||||||
This will change `Jitsi Meet` in many places to the brand you desire.
|
|
||||||
Defaults to `Jitsi Meet`.
|
|
||||||
|
|
||||||
branding-extra-body
|
|
||||||
This must be valid HTML, it will be included server-side and delivered to
|
|
||||||
clients alongside the default `index.html`.
|
|
||||||
This is useful if you would rather not replace the whole `index`, but
|
|
||||||
still want the chance to do some heavier branding / add instructions / etc.
|
|
||||||
|
|
||||||
branding-json
|
branding-json
|
||||||
Path to a JSON file that will be served as the `dynamicBrandingUrl`.
|
Path to a JSON file that will be served as the `dynamicBrandingUrl`.
|
||||||
|
@ -109,12 +81,14 @@ branding-json
|
||||||
`__jitsi_meet_domain/files/config.js.sh`.
|
`__jitsi_meet_domain/files/config.js.sh`.
|
||||||
If not set, no branding will be set up.
|
If not set, no branding will be set up.
|
||||||
|
|
||||||
|
|
||||||
branding-index
|
branding-index
|
||||||
Path to an HTML file that will be served instead of Jitsi-Meet's default
|
Path to an HTML file that will be served instead of Jitsi-Meet's default
|
||||||
one.
|
one.
|
||||||
If not set, the default index file will be used.
|
If not set, the default index file will be used.
|
||||||
If set to `-`, the type's standard input will be used.
|
If set to `-`, the type's standard input will be used.
|
||||||
|
|
||||||
|
|
||||||
branding-watermark
|
branding-watermark
|
||||||
Path to a png file that will be served instead of Jitsi-Meet's default
|
Path to a png file that will be served instead of Jitsi-Meet's default
|
||||||
one.
|
one.
|
||||||
|
@ -169,7 +143,6 @@ SEE ALSO
|
||||||
--------
|
--------
|
||||||
- `__jitsi_meet(7)`
|
- `__jitsi_meet(7)`
|
||||||
- `__jitsi_meet_user(7)`
|
- `__jitsi_meet_user(7)`
|
||||||
- Jitsi Meet Simultaneous Interpretation: https://gitlab.com/mfmt/jsi
|
|
||||||
|
|
||||||
|
|
||||||
AUTHORS
|
AUTHORS
|
||||||
|
|
|
@ -18,12 +18,9 @@ NOTICE_MESSAGE="$(cat "${__object}/parameter/notice-message")"
|
||||||
START_VIDEO_MUTED="$(cat "${__object}/parameter/start-video-muted")"
|
START_VIDEO_MUTED="$(cat "${__object}/parameter/start-video-muted")"
|
||||||
TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
|
TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
|
||||||
VIDEO_CONSTRAINTS="$(cat "${__object}/parameter/video-constraints")"
|
VIDEO_CONSTRAINTS="$(cat "${__object}/parameter/video-constraints")"
|
||||||
ANALYTICS_SETTINGS="$(cat "${__object}/parameter/analytics-settings")"
|
|
||||||
BRANDING_APP_NAME="$(cat "${__object}/parameter/branding-app-name")"
|
|
||||||
BRANDING_INDEX="$(cat "${__object}/parameter/branding-index")"
|
BRANDING_INDEX="$(cat "${__object}/parameter/branding-index")"
|
||||||
BRANDING_JSON="$(cat "${__object}/parameter/branding-json")"
|
BRANDING_JSON="$(cat "${__object}/parameter/branding-json")"
|
||||||
BRANDING_WATERMARK="$(cat "${__object}/parameter/branding-watermark")"
|
BRANDING_WATERMARK="$(cat "${__object}/parameter/branding-watermark")"
|
||||||
STATE="$(cat "${__object}/parameter/state")"
|
|
||||||
|
|
||||||
if [ "${BRANDING_INDEX}" = "-" ]; then
|
if [ "${BRANDING_INDEX}" = "-" ]; then
|
||||||
BRANDING_INDEX="${__object}/stdin"
|
BRANDING_INDEX="${__object}/stdin"
|
||||||
|
@ -50,31 +47,11 @@ if [ -n "${BRANDING_JSON}" ]; then
|
||||||
DYNAMIC_BRANDING_URL="/branding.json"
|
DYNAMIC_BRANDING_URL="/branding.json"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
case "${STATE}" in
|
|
||||||
present)
|
|
||||||
# When adding the domain, Let's Encrypt must come before nginx
|
|
||||||
le_require=""
|
|
||||||
nginx_require="__letsencrypt_cert/${DOMAIN}"
|
|
||||||
;;
|
|
||||||
absent)
|
|
||||||
# When removing, nginx must come before Let's Encrypt
|
|
||||||
le_require="__file/etc/nginx/sites-enabled/${DOMAIN}.conf"
|
|
||||||
nginx_require=""
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
cat >> /dev/stderr <<-EOM
|
|
||||||
Unsupported state '${STATE}', must be 'present' or 'absent'.
|
|
||||||
EOM
|
|
||||||
exit 1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Deal with certbot
|
# Deal with certbot
|
||||||
#
|
#
|
||||||
# use object id as domain
|
# use object id as domain
|
||||||
require="${le_require}" __letsencrypt_cert "${DOMAIN}" \
|
__letsencrypt_cert "${DOMAIN}" \
|
||||||
--state "${STATE}" \
|
|
||||||
--admin-email "${ADMIN_EMAIL}" \
|
--admin-email "${ADMIN_EMAIL}" \
|
||||||
--deploy-hook "service nginx reload" \
|
--deploy-hook "service nginx reload" \
|
||||||
--webroot /usr/share/jitsi-meet
|
--webroot /usr/share/jitsi-meet
|
||||||
|
@ -82,9 +59,8 @@ require="${le_require}" __letsencrypt_cert "${DOMAIN}" \
|
||||||
# Create virtualhost for nginx
|
# Create virtualhost for nginx
|
||||||
# shellcheck source=type/__jitsi_meet_domain/files/nginx.sh
|
# shellcheck source=type/__jitsi_meet_domain/files/nginx.sh
|
||||||
. "${__type}/files/nginx.sh" # This defines JITSI_NGINX_CONFIG
|
. "${__type}/files/nginx.sh" # This defines JITSI_NGINX_CONFIG
|
||||||
require="${nginx_require}" __file \
|
require="__letsencrypt_cert/${DOMAIN}" __file \
|
||||||
"/etc/nginx/sites-enabled/${DOMAIN}.conf" \
|
"/etc/nginx/sites-enabled/${DOMAIN}.conf" \
|
||||||
--state "${STATE}" \
|
|
||||||
--mode 0644 --source "-" <<EOF
|
--mode 0644 --source "-" <<EOF
|
||||||
${JITSI_NGINX_CONFIG}
|
${JITSI_NGINX_CONFIG}
|
||||||
EOF
|
EOF
|
||||||
|
@ -93,7 +69,6 @@ EOF
|
||||||
# shellcheck source=type/__jitsi_meet_domain/files/config.js.sh
|
# shellcheck source=type/__jitsi_meet_domain/files/config.js.sh
|
||||||
. "${__type}/files/config.js.sh" # This defines JITSI_CONFIG_JS
|
. "${__type}/files/config.js.sh" # This defines JITSI_CONFIG_JS
|
||||||
__file "/etc/jitsi/meet/${DOMAIN}-config.js" \
|
__file "/etc/jitsi/meet/${DOMAIN}-config.js" \
|
||||||
--state "${STATE}" \
|
|
||||||
--mode 0644 --source "-" <<EOF
|
--mode 0644 --source "-" <<EOF
|
||||||
${JITSI_CONFIG_JS}
|
${JITSI_CONFIG_JS}
|
||||||
EOF
|
EOF
|
||||||
|
@ -102,7 +77,6 @@ EOF
|
||||||
# shellcheck source=type/__jitsi_meet_domain/files/interface_config.js.sh
|
# shellcheck source=type/__jitsi_meet_domain/files/interface_config.js.sh
|
||||||
. "${__type}/files/interface_config.js.sh" # This defines JITSI_CONFIG_JS
|
. "${__type}/files/interface_config.js.sh" # This defines JITSI_CONFIG_JS
|
||||||
__file "/etc/jitsi/meet/${DOMAIN}-interface_config.js" \
|
__file "/etc/jitsi/meet/${DOMAIN}-interface_config.js" \
|
||||||
--state "${STATE}" \
|
|
||||||
--mode 0644 --source "-" <<EOF
|
--mode 0644 --source "-" <<EOF
|
||||||
${JITSI_INTERFACE_CONFIG_JS}
|
${JITSI_INTERFACE_CONFIG_JS}
|
||||||
EOF
|
EOF
|
||||||
|
@ -113,7 +87,7 @@ EOF
|
||||||
#
|
#
|
||||||
# Helper function to manage the state of the target branding file
|
# Helper function to manage the state of the target branding file
|
||||||
_var_state() {
|
_var_state() {
|
||||||
if [ "${STATE}" = "present" ] && [ -n "${1}" ]; then
|
if [ -n "${1}" ]; then
|
||||||
echo "present"
|
echo "present"
|
||||||
else
|
else
|
||||||
echo "absent"
|
echo "absent"
|
||||||
|
@ -132,43 +106,3 @@ __file "/usr/share/jitsi-meet/images/watermark-${DOMAIN}.png" \
|
||||||
--mode 0644 \
|
--mode 0644 \
|
||||||
--state "$(_var_state "${BRANDING_WATERMARK}")" \
|
--state "$(_var_state "${BRANDING_WATERMARK}")" \
|
||||||
--source "${BRANDING_WATERMARK}"
|
--source "${BRANDING_WATERMARK}"
|
||||||
# Simple body customisation
|
|
||||||
__file "/usr/share/jitsi-meet/body-${DOMAIN}.html" \
|
|
||||||
--mode 0644 \
|
|
||||||
--state "$(_var_state "${STATE}")" \
|
|
||||||
--source "${__object}/parameter/branding-extra-body"
|
|
||||||
|
|
||||||
#
|
|
||||||
# Take care of prosody settings for the domain
|
|
||||||
#
|
|
||||||
JITSI_DOMAIN="${DOMAIN}"
|
|
||||||
# Prosody settings for common components (jvb, focus, ...)
|
|
||||||
# shellcheck source=type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
|
|
||||||
. "${__type}/files/prosody.cfg.lua.sh" # This defines PROSODY_CONFIG
|
|
||||||
__file "/etc/prosody/conf.avail/${DOMAIN}.cfg.lua" \
|
|
||||||
--group prosody \
|
|
||||||
--mode 0440 \
|
|
||||||
--state "${STATE}" \
|
|
||||||
--source '-' <<EOF
|
|
||||||
${PROSODY_CONFIG}
|
|
||||||
EOF
|
|
||||||
__link "/etc/prosody/conf.d/${DOMAIN}.cfg.lua" \
|
|
||||||
--source "/etc/prosody/conf.avail/${DOMAIN}.cfg.lua" \
|
|
||||||
--state "${STATE}" \
|
|
||||||
--type symbolic
|
|
||||||
|
|
||||||
if [ "${STATE}" = "present" ]; then
|
|
||||||
export require="${require} __file/etc/prosody/conf.avail/${DOMAIN}.cfg.lua __link/etc/prosody/conf.d/${DOMAIN}.cfg.lua"
|
|
||||||
__check_messages "prosody/${DOMAIN}" \
|
|
||||||
--pattern '^(__file|__link)/etc/prosody/conf[.](avail|d)/' \
|
|
||||||
--execute "$(cat <<EOF
|
|
||||||
if [ ! -f "/var/lib/prosody/${DOMAIN}.crt" ]; then
|
|
||||||
echo | prosodyctl cert generate '${DOMAIN}';
|
|
||||||
ln -sf '/var/lib/prosody/${DOMAIN}.key' '/etc/prosody/certs/${DOMAIN}.key'
|
|
||||||
ln -sf '/var/lib/prosody/${DOMAIN}.crt' '/etc/prosody/certs/${DOMAIN}.crt'
|
|
||||||
fi
|
|
||||||
# Surprisingly, a reload is not enough
|
|
||||||
service prosody restart
|
|
||||||
EOF
|
|
||||||
)"
|
|
||||||
fi
|
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
disabled: true
|
|
|
@ -1 +0,0 @@
|
||||||
Jitsi Meet
|
|
|
@ -1 +0,0 @@
|
||||||
present
|
|
|
@ -1,13 +1,9 @@
|
||||||
analytics-settings
|
|
||||||
channel-last-n
|
channel-last-n
|
||||||
default-language
|
default-language
|
||||||
notice-message
|
notice-message
|
||||||
start-video-muted
|
start-video-muted
|
||||||
turn-server
|
turn-server
|
||||||
video-constraints
|
video-constraints
|
||||||
branding-app-name
|
|
||||||
branding-json
|
branding-json
|
||||||
branding-index
|
branding-index
|
||||||
branding-extra-body
|
|
||||||
branding-watermark
|
branding-watermark
|
||||||
state
|
|
||||||
|
|
|
@ -34,12 +34,12 @@ EOF
|
||||||
|
|
||||||
if [ "$BRANDING_AUTH_FOOTER_LINKS" != "" ]; then
|
if [ "$BRANDING_AUTH_FOOTER_LINKS" != "" ]; then
|
||||||
cat << EOF
|
cat << EOF
|
||||||
"authFooterLinks": $BRANDING_AUTH_FOOTER_LINKS,
|
"authFooterLinks": "$BRANDING_AUTH_FOOTER_LINKS",
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cat << EOF
|
cat << EOF
|
||||||
"welcomeBackgroundUrl": "$BRANDING_WELCOME_BACKGROUND_URL"
|
"welcomeBackgroundUrl": "themes/element/img/backgrounds/lake.jpg"
|
||||||
EOF
|
EOF
|
||||||
echo '},'
|
echo '},'
|
||||||
}
|
}
|
||||||
|
@ -52,7 +52,7 @@ cat << EOF
|
||||||
"server_name": "$DEFAULT_SERVER_NAME"
|
"server_name": "$DEFAULT_SERVER_NAME"
|
||||||
},
|
},
|
||||||
"m.identity_server": {
|
"m.identity_server": {
|
||||||
"base_url": "$IDENTITY_SERVER_URL"
|
"base_url": "https://vector.im"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"brand": "$BRAND",
|
"brand": "$BRAND",
|
||||||
|
@ -85,10 +85,6 @@ cat << EOF
|
||||||
"url": "$COOKIE_POLICY_URL",
|
"url": "$COOKIE_POLICY_URL",
|
||||||
"text": "Cookie Policy"
|
"text": "Cookie Policy"
|
||||||
}
|
}
|
||||||
],
|
]
|
||||||
"embeddedPages": {
|
|
||||||
"welcomeUrl": "$WELCOME_PAGE_URL",
|
|
||||||
"homeUrl": "$HOME_PAGE_URL"
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
|
|
|
@ -27,28 +27,12 @@ default_server_name
|
||||||
default_server_url
|
default_server_url
|
||||||
URL of matrix homeserver to connect to, defaults to 'https://matrix-client.matrix.org'.
|
URL of matrix homeserver to connect to, defaults to 'https://matrix-client.matrix.org'.
|
||||||
|
|
||||||
identity_server_url
|
|
||||||
URL of matrix identity server to connect to, defaults to 'https://vector.im'.
|
|
||||||
See element documentation
|
|
||||||
`<https://github.com/vector-im/element-web/blob/develop/docs/config.md#identity-servers>_`
|
|
||||||
for details.
|
|
||||||
|
|
||||||
owner
|
owner
|
||||||
Owner of the deployed files, passed to `chown`. Defaults to 'root'.
|
Owner of the deployed files, passed to `chown`. Defaults to 'root'.
|
||||||
|
|
||||||
brand
|
brand
|
||||||
Web UI branding, defaults to 'Element'.
|
Web UI branding, defaults to 'Element'.
|
||||||
|
|
||||||
branding_auth_header_logo_url
|
|
||||||
A logo image that is shown in the header during authentication flows.
|
|
||||||
|
|
||||||
branding_welcome_background_url
|
|
||||||
An image to use as a wallpaper outside the app during authentication flows. If an array is passed, an image is chosen randomly for each visit.
|
|
||||||
|
|
||||||
branding_auth_footer_links
|
|
||||||
a list of links to show in the authentication page footer: `[{"text": "Link
|
|
||||||
text", "url": "https://link.target"}, {"text": "Other link", ...}]`
|
|
||||||
|
|
||||||
default_country_code
|
default_country_code
|
||||||
ISO 3166 alpha2 country code to use when showing country selectors, such as
|
ISO 3166 alpha2 country code to use when showing country selectors, such as
|
||||||
phone number inputs. Defaults to GB.
|
phone number inputs. Defaults to GB.
|
||||||
|
|
|
@ -25,13 +25,11 @@ INSTALL_DIR=$(cat "$__object/parameter/install_dir")
|
||||||
|
|
||||||
export DEFAULT_SERVER_NAME=$(cat "$__object/parameter/default_server_name")
|
export DEFAULT_SERVER_NAME=$(cat "$__object/parameter/default_server_name")
|
||||||
export DEFAULT_SERVER_URL=$(cat "$__object/parameter/default_server_url")
|
export DEFAULT_SERVER_URL=$(cat "$__object/parameter/default_server_url")
|
||||||
export IDENTITY_SERVER_URL=$(cat "$__object/parameter/identity_server_url")
|
|
||||||
export BRAND=$(cat "$__object/parameter/brand")
|
export BRAND=$(cat "$__object/parameter/brand")
|
||||||
export DEFAULT_COUNTRY_CODE=$(cat "$__object/parameter/default_country_code")
|
export DEFAULT_COUNTRY_CODE=$(cat "$__object/parameter/default_country_code")
|
||||||
export ROOM_DIRECTORY_SERVERS=$(cat "$__object/parameter/room_directory_servers")
|
export ROOM_DIRECTORY_SERVERS=$(cat "$__object/parameter/room_directory_servers")
|
||||||
export PRIVACY_POLICY_URL=$(cat "$__object/parameter/privacy_policy_url")
|
export PRIVACY_POLICY_URL=$(cat "$__object/parameter/privacy_policy_url")
|
||||||
export COOKIE_POLICY_URL=$(cat "$__object/parameter/cookie_policy_url")
|
export COOKIE_POLICY_URL=$(cat "$__object/parameter/cookie_policy_url")
|
||||||
export BRANDING_WELCOME_BACKGROUND_URL=$(cat "$__object/parameter/branding_welcome_background_url")
|
|
||||||
|
|
||||||
if [ -f "$__object/parameter/jitsi_domain" ]; then
|
if [ -f "$__object/parameter/jitsi_domain" ]; then
|
||||||
export JITSI_DOMAIN=$(cat "$__object/parameter/jitsi_domain")
|
export JITSI_DOMAIN=$(cat "$__object/parameter/jitsi_domain")
|
||||||
|
@ -46,24 +44,14 @@ if [ -f "$__object/parameter/branding_auth_footer_links" ]; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f "$__object/parameter/homepage" ]; then
|
if [ -f "$__object/parameter/homepage" ]; then
|
||||||
|
export EMBED_HOMEPAGE=1
|
||||||
homepage=$(cat "$__object/parameter/homepage")
|
homepage=$(cat "$__object/parameter/homepage")
|
||||||
if [ -f "$homepage" ]; then
|
|
||||||
upload_homepage=1
|
|
||||||
else
|
|
||||||
export HOME_PAGE_URL=$homepage
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
WELCOME_PAGE_URL="welcome.html"
|
|
||||||
if [ -f "$__object/parameter/welcomepage" ]; then
|
if [ -f "$__object/parameter/welcomepage" ]; then
|
||||||
|
export EMBED_WELCOMEPAGE=1
|
||||||
welcomepage=$(cat "$__object/parameter/welcomepage")
|
welcomepage=$(cat "$__object/parameter/welcomepage")
|
||||||
if [ -f welcomepage ]; then
|
|
||||||
export UPLOAD_WELCOMEPAGE=1
|
|
||||||
else
|
|
||||||
WELCOME_PAGE_URL=$welcomepage
|
|
||||||
fi
|
fi
|
||||||
fi
|
|
||||||
export WELCOME_PAGE_URL
|
|
||||||
|
|
||||||
if [ -f "$__object/parameter/custom_asset" ]; then
|
if [ -f "$__object/parameter/custom_asset" ]; then
|
||||||
"$__object/parameter/custom_asset" | while IFS= read -r file; do
|
"$__object/parameter/custom_asset" | while IFS= read -r file; do
|
||||||
|
@ -103,14 +91,14 @@ require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/config.json"
|
||||||
--mode 0664 \
|
--mode 0664 \
|
||||||
--state present
|
--state present
|
||||||
|
|
||||||
if [ $upload_homepage ]; then
|
if [ $EMBED_HOMEPAGE ]; then
|
||||||
require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/home.html" \
|
require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/home.html" \
|
||||||
--source "$homepage" \
|
--source "$homepage" \
|
||||||
--mode 0664 \
|
--mode 0664 \
|
||||||
--state present
|
--state present
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ $upload_welcomepage ]; then
|
if [ $EMBED_WELCOMEPAGE ]; then
|
||||||
require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/welcome.html" \
|
require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/welcome.html" \
|
||||||
--source "$welcomepage" \
|
--source "$welcomepage" \
|
||||||
--mode 0664 \
|
--mode 0664 \
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
themes/element/img/backgrounds/lake.jpg
|
|
|
@ -1,6 +1,5 @@
|
||||||
default_server_url
|
default_server_url
|
||||||
default_server_name
|
default_server_name
|
||||||
identity_server_url
|
|
||||||
brand
|
brand
|
||||||
default_country_code
|
default_country_code
|
||||||
privacy_policy_url
|
privacy_policy_url
|
||||||
|
@ -12,4 +11,3 @@ welcomepage
|
||||||
jitsi_domain
|
jitsi_domain
|
||||||
branding_auth_header_logo_url
|
branding_auth_header_logo_url
|
||||||
branding_auth_footer_links
|
branding_auth_footer_links
|
||||||
branding_welcome_background_url
|
|
||||||
|
|
|
@ -448,7 +448,7 @@ retention:
|
||||||
# matter much because Synapse doesn't take it into account yet.
|
# matter much because Synapse doesn't take it into account yet.
|
||||||
#
|
#
|
||||||
default_policy:
|
default_policy:
|
||||||
min_lifetime: ${MESSAGE_RETENTION_POLICY_MIN_LIFETIME:?}
|
min_lifetime: 1d
|
||||||
max_lifetime: ${MESSAGE_RETENTION_POLICY_MAX_LIFETIME:?}
|
max_lifetime: ${MESSAGE_RETENTION_POLICY_MAX_LIFETIME:?}
|
||||||
|
|
||||||
# Retention policy limits. If set, and the state of a room contains a
|
# Retention policy limits. If set, and the state of a room contains a
|
||||||
|
@ -1175,26 +1175,14 @@ fi
|
||||||
cat << EOF
|
cat << EOF
|
||||||
# The shared secret used to compute passwords for the TURN server
|
# The shared secret used to compute passwords for the TURN server
|
||||||
#
|
#
|
||||||
EOF
|
turn_shared_secret: "$TURN_SHARED_SECRET"
|
||||||
|
|
||||||
if [ -n "$TURN_SHARED_SECRET" ]; then
|
|
||||||
echo "turn_shared_secret: \"$TURN_SHARED_SECRET\""
|
|
||||||
fi
|
|
||||||
|
|
||||||
cat << EOF
|
|
||||||
# The Username and password if the TURN server needs them and
|
# The Username and password if the TURN server needs them and
|
||||||
# does not use a token
|
# does not use a token
|
||||||
#
|
#
|
||||||
EOF
|
#turn_username: "TURNSERVER_USERNAME"
|
||||||
|
#turn_password: "TURNSERVER_PASSWORD"
|
||||||
|
|
||||||
if [ -n "$TURN_USERNAME" ] || [ "$TURN_PASSWORD" ]; then
|
|
||||||
cat <<- EOF
|
|
||||||
turn_username: "$TURN_USERNAME"
|
|
||||||
turn_password: "$TURN_PASSWORD"
|
|
||||||
EOF
|
|
||||||
fi
|
|
||||||
|
|
||||||
cat << EOF
|
|
||||||
# How long generated TURN credentials last
|
# How long generated TURN credentials last
|
||||||
#
|
#
|
||||||
turn_user_lifetime: ${TURN_USER_LIFETIME:?}
|
turn_user_lifetime: ${TURN_USER_LIFETIME:?}
|
||||||
|
@ -1334,7 +1322,7 @@ fi
|
||||||
cat << EOF
|
cat << EOF
|
||||||
# Enable 3PIDs lookup requests to identity servers from this server.
|
# Enable 3PIDs lookup requests to identity servers from this server.
|
||||||
#
|
#
|
||||||
enable_3pid_lookup: ${ENABLE_3PID_LOOKUPS:?}
|
#enable_3pid_lookup: true
|
||||||
|
|
||||||
# If set, allows registration of standard or admin accounts by anyone who
|
# If set, allows registration of standard or admin accounts by anyone who
|
||||||
# has the shared secret, even if registration is otherwise disabled.
|
# has the shared secret, even if registration is otherwise disabled.
|
||||||
|
@ -1342,12 +1330,9 @@ EOF
|
||||||
|
|
||||||
if [ -n "$REGISTRATION_SHARED_SECRET" ]; then
|
if [ -n "$REGISTRATION_SHARED_SECRET" ]; then
|
||||||
echo "registration_shared_secret: '$REGISTRATION_SHARED_SECRET'"
|
echo "registration_shared_secret: '$REGISTRATION_SHARED_SECRET'"
|
||||||
else
|
|
||||||
echo "# registration_shared_secret: 'secret'"
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cat << EOF
|
cat << EOF
|
||||||
|
|
||||||
# Set the number of bcrypt rounds used to generate password hash.
|
# Set the number of bcrypt rounds used to generate password hash.
|
||||||
# Larger numbers increase the work factor needed to generate the hash.
|
# Larger numbers increase the work factor needed to generate the hash.
|
||||||
# The default number is 12 (which equates to 2^12 rounds).
|
# The default number is 12 (which equates to 2^12 rounds).
|
||||||
|
@ -1368,13 +1353,7 @@ allow_guest_access: ${ALLOW_GUEST_ACCESS:?}
|
||||||
# (By default, no suggestion is made, so it is left up to the client.)
|
# (By default, no suggestion is made, so it is left up to the client.)
|
||||||
#
|
#
|
||||||
#default_identity_server: https://matrix.org
|
#default_identity_server: https://matrix.org
|
||||||
EOF
|
|
||||||
|
|
||||||
if [ -n "$DEFAULT_IDENTITY_SERVER" ]; then
|
|
||||||
echo "default_identity_server: \"$DEFAULT_IDENTITY_SERVER\""
|
|
||||||
fi
|
|
||||||
|
|
||||||
cat << EOF
|
|
||||||
# Handle threepid (email/phone etc) registration and password resets through a set of
|
# Handle threepid (email/phone etc) registration and password resets through a set of
|
||||||
# *trusted* identity servers. Note that this allows the configured identity server to
|
# *trusted* identity servers. Note that this allows the configured identity server to
|
||||||
# reset passwords for accounts!
|
# reset passwords for accounts!
|
||||||
|
@ -1406,7 +1385,7 @@ account_threepid_delegates:
|
||||||
#
|
#
|
||||||
# Does not apply to server administrators. Defaults to 'true'
|
# Does not apply to server administrators. Defaults to 'true'
|
||||||
#
|
#
|
||||||
enable_set_displayname: ${ENABLE_SET_DISPLAYNAME:?}
|
#enable_set_displayname: false
|
||||||
|
|
||||||
# Whether users are allowed to change their avatar after it has been
|
# Whether users are allowed to change their avatar after it has been
|
||||||
# initially set. Useful when provisioning users based on the contents
|
# initially set. Useful when provisioning users based on the contents
|
||||||
|
@ -1421,7 +1400,7 @@ enable_set_displayname: ${ENABLE_SET_DISPLAYNAME:?}
|
||||||
#
|
#
|
||||||
# Defaults to 'true'
|
# Defaults to 'true'
|
||||||
#
|
#
|
||||||
enable_3pid_changes: ${ENABLE_3PID_CHANGES:?}
|
#enable_3pid_changes: false
|
||||||
|
|
||||||
# Users who register on this homeserver will automatically be joined
|
# Users who register on this homeserver will automatically be joined
|
||||||
# to these rooms.
|
# to these rooms.
|
||||||
|
@ -1717,24 +1696,7 @@ saml2_config:
|
||||||
# local: ["saml2/idp.xml"]
|
# local: ["saml2/idp.xml"]
|
||||||
# remote:
|
# remote:
|
||||||
# - url: https://our_idp/metadata.xml
|
# - url: https://our_idp/metadata.xml
|
||||||
EOF
|
|
||||||
|
|
||||||
if [ -n "$SAML2_IDP_METADATA_URL" ]; then
|
|
||||||
cat << EOF
|
|
||||||
metadata:
|
|
||||||
remote:
|
|
||||||
- url: "$SAML2_IDP_METADATA_URL"
|
|
||||||
EOF
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -n "$SAML2_SP_CERT" ] || [ -n "$SAML2_SP_KEY" ]; then
|
|
||||||
cat << EOF
|
|
||||||
key_file: "$SAML2_SP_KEY"
|
|
||||||
cert_file: "$SAML2_SP_CERT"
|
|
||||||
EOF
|
|
||||||
fi
|
|
||||||
|
|
||||||
cat << EOF
|
|
||||||
# Allowed clock difference in seconds between the homeserver and IdP.
|
# Allowed clock difference in seconds between the homeserver and IdP.
|
||||||
#
|
#
|
||||||
# Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
|
# Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
|
||||||
|
@ -1808,15 +1770,7 @@ cat << EOF
|
||||||
# The custom module's class. Uncomment to use a custom module.
|
# The custom module's class. Uncomment to use a custom module.
|
||||||
#
|
#
|
||||||
#module: mapping_provider.SamlMappingProvider
|
#module: mapping_provider.SamlMappingProvider
|
||||||
EOF
|
|
||||||
|
|
||||||
if [ -n "$SAML2_MAPPING_PROVIDER_MODULE" ]; then
|
|
||||||
cat << EOF
|
|
||||||
module: "$SAML2_MAPPING_PROVIDER_MODULE"
|
|
||||||
EOF
|
|
||||||
fi
|
|
||||||
|
|
||||||
cat << EOF
|
|
||||||
# Custom configuration values for the module. Below options are
|
# Custom configuration values for the module. Below options are
|
||||||
# intended for the built-in provider, they should be changed if
|
# intended for the built-in provider, they should be changed if
|
||||||
# using a custom module. This section will be passed as a Python
|
# using a custom module. This section will be passed as a Python
|
||||||
|
@ -1846,17 +1800,6 @@ cat << EOF
|
||||||
# value will be used instead.
|
# value will be used instead.
|
||||||
#
|
#
|
||||||
#mxid_mapping: dotreplace
|
#mxid_mapping: dotreplace
|
||||||
EOF
|
|
||||||
|
|
||||||
if [ -n "$SAML2_MAPPING_PROVIDER_EXTRA_CONFIG" ]; then
|
|
||||||
echo "$SAML2_MAPPING_PROVIDER_EXTRA_CONFIG" | while IFS= read -r entry; do
|
|
||||||
cat << EOF
|
|
||||||
$entry
|
|
||||||
EOF
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
|
|
||||||
cat << EOF
|
|
||||||
|
|
||||||
# In previous versions of synapse, the mapping from SAML attribute to
|
# In previous versions of synapse, the mapping from SAML attribute to
|
||||||
# MXID was always calculated dynamically rather than stored in a
|
# MXID was always calculated dynamically rather than stored in a
|
||||||
|
@ -2191,7 +2134,7 @@ sso:
|
||||||
# You can see the default templates at:
|
# You can see the default templates at:
|
||||||
# https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
|
# https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
|
||||||
#
|
#
|
||||||
template_dir: "${SSO_TEMPLATE_DIR:?}"
|
#template_dir: "res/templates"
|
||||||
|
|
||||||
|
|
||||||
# JSON web token integration. The following settings can be used to make
|
# JSON web token integration. The following settings can be used to make
|
||||||
|
|
|
@ -8,7 +8,7 @@ case "$os" in
|
||||||
synapse_conf_dir=/etc/synapse
|
synapse_conf_dir=/etc/synapse
|
||||||
synapse_service=synapse
|
synapse_service=synapse
|
||||||
;;
|
;;
|
||||||
debian|ubuntu)
|
debian)
|
||||||
synapse_conf_dir=/etc/matrix-synapse
|
synapse_conf_dir=/etc/matrix-synapse
|
||||||
synapse_service=matrix-synapse
|
synapse_service=matrix-synapse
|
||||||
;;
|
;;
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
cdist-type__matrix_synapse(7)
|
cdist-type__matrix_synapse(7)
|
||||||
=============================
|
======================
|
||||||
|
|
||||||
NAME
|
NAME
|
||||||
----
|
----
|
||||||
|
@ -8,7 +8,7 @@ cdist-type__matrix_synapse - Install and configure Synapse, a Matrix homeserver
|
||||||
|
|
||||||
DESCRIPTION
|
DESCRIPTION
|
||||||
-----------
|
-----------
|
||||||
This type installs and configures the Synapse Matrix homeserver. This is a
|
This type install and configure the Synapse Matrix homeserver. This is a
|
||||||
signleton type.
|
signleton type.
|
||||||
|
|
||||||
|
|
||||||
|
@ -52,13 +52,13 @@ ldap-base-dn
|
||||||
Base DN of your LDAP tree.
|
Base DN of your LDAP tree.
|
||||||
|
|
||||||
ldap-uid-attribute
|
ldap-uid-attribute
|
||||||
LDAP attribute mapping to Synapse's uid field, default to uid.
|
LDAP attriute mapping to Synapse's uid field, default to uid.
|
||||||
|
|
||||||
ldap-mail-attribute
|
ldap-mail-attribute
|
||||||
LDAP attribute mapping to Synapse's mail field, default to mail.
|
LDAP attriute mapping to Synapse's mail field, default to mail.
|
||||||
|
|
||||||
ldap-name-attribute
|
ldap-name-attribute
|
||||||
LDAP attribute mapping to Synapse's name field, default to givenName.
|
LDAP attriute mapping to Synapse's name field, default to givenName.
|
||||||
|
|
||||||
ldap-bind-dn
|
ldap-bind-dn
|
||||||
User used to authenticate against your LDAP server in 'search' mode.
|
User used to authenticate against your LDAP server in 'search' mode.
|
||||||
|
@ -81,7 +81,7 @@ smtp-host
|
||||||
The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
|
The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
|
||||||
|
|
||||||
smtp-port
|
smtp-port
|
||||||
The port on the mail server for outgoing SMTP. Defaults to 25.
|
# The port on the mail server for outgoing SMTP. Defaults to 25.
|
||||||
|
|
||||||
smtp-user
|
smtp-user
|
||||||
Username for authentication to the SMTP server. By
|
Username for authentication to the SMTP server. By
|
||||||
|
@ -133,14 +133,6 @@ turn-uri
|
||||||
turn-shared-secret
|
turn-shared-secret
|
||||||
Shared secret used to access the TURN REST API.
|
Shared secret used to access the TURN REST API.
|
||||||
|
|
||||||
turn-username
|
|
||||||
Username used to authenticate against the TURN server if needed / a shared
|
|
||||||
secret token is not used.
|
|
||||||
|
|
||||||
turn-password
|
|
||||||
Password used to authenticate against the TURN server if needed / a shared
|
|
||||||
secret token is not used.
|
|
||||||
|
|
||||||
turn-user-lifetime
|
turn-user-lifetime
|
||||||
Lifetime of TURN credentials. Defaults to 1h.
|
Lifetime of TURN credentials. Defaults to 1h.
|
||||||
|
|
||||||
|
@ -162,12 +154,6 @@ rc-login-burst
|
||||||
registration-allows-email-pattern
|
registration-allows-email-pattern
|
||||||
Only allow email addresses matching specified filter. Can be specified multiple times. A pattern must look like `.*@vector\.im`.
|
Only allow email addresses matching specified filter. Can be specified multiple times. A pattern must look like `.*@vector\.im`.
|
||||||
|
|
||||||
disable-displayname-changes
|
|
||||||
Whether users are allowed to change their displayname after it has been initially set.
|
|
||||||
|
|
||||||
disable-3pid-changes
|
|
||||||
Whether users can change the 3PIDs associated with their accounts (email address and msisdn).
|
|
||||||
|
|
||||||
auto-join-room
|
auto-join-room
|
||||||
Room where newly-registered users are automatically added. Can be specified multiple times.
|
Room where newly-registered users are automatically added. Can be specified multiple times.
|
||||||
|
|
||||||
|
@ -195,25 +181,6 @@ bind-address
|
||||||
Address used to bind the synapse listeners. Can be specified multiple times.
|
Address used to bind the synapse listeners. Can be specified multiple times.
|
||||||
Defaults to '::1' and '127.0.0.1'.
|
Defaults to '::1' and '127.0.0.1'.
|
||||||
|
|
||||||
saml2-idp-metadata-url
|
|
||||||
HTTP(S) url to SAML2 Identity Provider (IdP), used for Single Sign On (SSO) logic.
|
|
||||||
|
|
||||||
saml2-sp-key
|
|
||||||
Path to PEM-formatted key file for use by PySAML2.
|
|
||||||
|
|
||||||
saml2-sp-cert
|
|
||||||
Path to PEM-formatted cert file for use by PySAML2.
|
|
||||||
|
|
||||||
saml2-mapping-provider-module
|
|
||||||
Name of custom Python module used to map SAML2 attributes to synapse internals.
|
|
||||||
|
|
||||||
saml2-mapping-provider-extra-settings
|
|
||||||
Extra YAML-formatted key/pair values provided as configuration to the SAML2
|
|
||||||
mapping provider module (e.g. 'key: value'). Can be specified multiple times.
|
|
||||||
|
|
||||||
sso-template-dir
|
|
||||||
Directory used to source SSO-related HTML templates.
|
|
||||||
|
|
||||||
extra-setting
|
extra-setting
|
||||||
Arbitrary string to be added to the configuration file. Can be specified multiple times.
|
Arbitrary string to be added to the configuration file. Can be specified multiple times.
|
||||||
|
|
||||||
|
@ -255,9 +222,6 @@ allow-public-rooms-without-auth
|
||||||
enable-server-notices
|
enable-server-notices
|
||||||
Enable the server notices room.
|
Enable the server notices room.
|
||||||
|
|
||||||
enable-3pid-lookups
|
|
||||||
Enable 3PIDs lookup requests to identity servers from this server.
|
|
||||||
|
|
||||||
allow-guest-access
|
allow-guest-access
|
||||||
Allows users to register as guests without a password/email/etc, and
|
Allows users to register as guests without a password/email/etc, and
|
||||||
participate in rooms hosted on this server which have been made accessible
|
participate in rooms hosted on this server which have been made accessible
|
||||||
|
|
|
@ -19,10 +19,10 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
# OS-specific configuration.
|
# OS-specific configuration.
|
||||||
os=$(cat "$__global/explorer/os")
|
os=$(cat "${__global:?}/explorer/os")
|
||||||
|
|
||||||
case "$os" in
|
case "$os" in
|
||||||
debian|ubuntu)
|
debian)
|
||||||
synapse_user=matrix-synapse
|
synapse_user=matrix-synapse
|
||||||
synapse_pkg=matrix-synapse-py3
|
synapse_pkg=matrix-synapse-py3
|
||||||
synapse_service=matrix-synapse
|
synapse_service=matrix-synapse
|
||||||
|
@ -30,13 +30,12 @@ case "$os" in
|
||||||
synapse_conf_dir='/etc/matrix-synapse'
|
synapse_conf_dir='/etc/matrix-synapse'
|
||||||
synapse_data_dir='/var/lib/matrix-synapse'
|
synapse_data_dir='/var/lib/matrix-synapse'
|
||||||
|
|
||||||
__apt_key matrix-org \
|
# We directly use upstream's APT repository.
|
||||||
--uri https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
|
# See https://code.ungleich.ch/ungleich-public/cdist-contrib/-/issues/11 for details.
|
||||||
|
__apt_key matrix-org --uri https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
|
||||||
require="__apt_key/matrix-org" __apt_source matrix-org \
|
require="__apt_key/matrix-org" __apt_source matrix-org \
|
||||||
--uri https://packages.matrix.org/debian/ \
|
--uri https://packages.matrix.org/debian/ \
|
||||||
--component main
|
--component main
|
||||||
package_req="__apt_source/matrix-org"
|
|
||||||
;;
|
;;
|
||||||
alpine)
|
alpine)
|
||||||
synapse_user=synapse
|
synapse_user=synapse
|
||||||
|
@ -57,7 +56,7 @@ esac
|
||||||
# Small helper used to get boolean values which can be used as-is in the
|
# Small helper used to get boolean values which can be used as-is in the
|
||||||
# configuration template.
|
# configuration template.
|
||||||
get_boolean_for () {
|
get_boolean_for () {
|
||||||
if [ -f "$__object/parameter/${1:?}" ]; then
|
if [ -f "${__object:?}/parameter/${1:?}" ]; then
|
||||||
echo 'true'
|
echo 'true'
|
||||||
else
|
else
|
||||||
echo 'false'
|
echo 'false'
|
||||||
|
@ -172,7 +171,7 @@ ENABLE_REGISTRATIONS=$(get_boolean_for 'enable-registrations')
|
||||||
USER_DIRECTORY_SEARCH_ALL_USERS=$(get_boolean_for 'user-directory-search-all-users')
|
USER_DIRECTORY_SEARCH_ALL_USERS=$(get_boolean_for 'user-directory-search-all-users')
|
||||||
export ALLOW_GUEST_ACCESS ENABLE_REGISTRATIONS USER_DIRECTORY_SEARCH_ALL_USERS
|
export ALLOW_GUEST_ACCESS ENABLE_REGISTRATIONS USER_DIRECTORY_SEARCH_ALL_USERS
|
||||||
|
|
||||||
if [ -f "$__object/parameter/registration-shared-secret" ]; then
|
if [ -f "$__object/parameter/registration-shared-token" ]; then
|
||||||
REGISTRATION_SHARED_SECRET=$(cat "$__object/parameter/registration-shared-secret")
|
REGISTRATION_SHARED_SECRET=$(cat "$__object/parameter/registration-shared-secret")
|
||||||
export REGISTRATION_SHARED_SECRET
|
export REGISTRATION_SHARED_SECRET
|
||||||
fi
|
fi
|
||||||
|
@ -181,18 +180,6 @@ if [ -f "$__object/parameter/registration-requires-email" ]; then
|
||||||
export REGISTRATION_REQUIRES_EMAIL=1
|
export REGISTRATION_REQUIRES_EMAIL=1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
ENABLE_SET_DISPLAYNAME='true'
|
|
||||||
if [ -f "$__object/parameter/disable-displayname-changes" ]; then
|
|
||||||
ENABLE_SET_DISPLAYNAME='false'
|
|
||||||
fi
|
|
||||||
export ENABLE_SET_DISPLAYNAME
|
|
||||||
|
|
||||||
ENABLE_3PID_CHANGES='true'
|
|
||||||
if [ -f "$__object/parameter/disable-3pid-changes" ]; then
|
|
||||||
ENABLE_3PID_CHANGES='false'
|
|
||||||
fi
|
|
||||||
export ENABLE_3PID_CHANGES
|
|
||||||
|
|
||||||
if [ -f "$__object/parameter/auto-join-room" ]; then
|
if [ -f "$__object/parameter/auto-join-room" ]; then
|
||||||
AUTO_JOIN_ROOMS="$(cat "$__object/parameter/auto-join-room")"
|
AUTO_JOIN_ROOMS="$(cat "$__object/parameter/auto-join-room")"
|
||||||
export AUTO_JOIN_ROOMS
|
export AUTO_JOIN_ROOMS
|
||||||
|
@ -203,57 +190,6 @@ if [ -f "$__object/parameter/registration-allows-email-pattern" ]; then
|
||||||
export RESGISTRATION_ALLOWS_EMAIL_PATTERN
|
export RESGISTRATION_ALLOWS_EMAIL_PATTERN
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f "$__object/parameter/saml2-idp-metadata-url" ]; then
|
|
||||||
# Synapse fails to start while trying to parse IDP metadata if this package
|
|
||||||
# is not installed.
|
|
||||||
__package xmlsec1
|
|
||||||
|
|
||||||
SAML2_IDP_METADATA_URL=$(cat "$__object/parameter/saml2-idp-metadata-url")
|
|
||||||
export SAML2_IDP_METADATA_URL
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -f "$__object/parameter/saml2-sp-key" ]; then
|
|
||||||
SAML2_SP_KEY=$(cat "$__object/parameter/saml2-sp-key")
|
|
||||||
export SAML2_SP_KEY
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -f "$__object/parameter/saml2-sp-cert" ]; then
|
|
||||||
SAML2_SP_CERT=$(cat "$__object/parameter/saml2-sp-cert")
|
|
||||||
export SAML2_SP_CERT
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -f "$__object/parameter/saml2-mapping-provider-module" ]; then
|
|
||||||
SAML2_MAPPING_PROVIDER_MODULE=$(cat "$__object/parameter/saml2-mapping-provider-module")
|
|
||||||
export SAML2_MAPPING_PROVIDER_MODULE
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -f "$__object/parameter/saml2-mapping-provider-extra-config" ]; then
|
|
||||||
SAML2_MAPPING_PROVIDER_EXTRA_CONFIG=$(cat "$__object/parameter/saml2-mapping-provider-extra-config")
|
|
||||||
export SAML2_MAPPING_PROVIDER_EXTRA_CONFIG
|
|
||||||
fi
|
|
||||||
|
|
||||||
SSO_TEMPLATE_DIR=$(cat "$__object/parameter/sso-template-dir")
|
|
||||||
export SSO_TEMPLATE_DIR
|
|
||||||
|
|
||||||
if [ -n "$SAML2_SP_KEY" ] && [ -z "$SAML2_SP_CERT" ]; then
|
|
||||||
echo "--saml2-sp-cert must be set if --saml2-sp-key is provided." >&2
|
|
||||||
exit 1
|
|
||||||
elif [ -n "$SAML2_SP_CERT" ] && [ -z "$SAML2_SP_KEY" ]; then
|
|
||||||
echo "--saml2-sp-key must be set if --saml2-sp-cert is provided." >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -f "$__object/parameter/default-identity-server" ]; then
|
|
||||||
DEFAULT_IDENTITY_SERVER=$(cat "$__object/parameter/default-identity-server")
|
|
||||||
export DEFAULT_IDENTITY_SERVER
|
|
||||||
fi
|
|
||||||
|
|
||||||
ENABLE_3PID_LOOKUPS='false'
|
|
||||||
if [ -f "$__object/parameter/enable-3pid-lookups" ]; then
|
|
||||||
ENABLE_3PID_LOOKUPS='true'
|
|
||||||
fi
|
|
||||||
export ENABLE_3PID_LOOKUPS
|
|
||||||
|
|
||||||
# Federation.
|
# Federation.
|
||||||
ALLOW_PUBLIC_ROOMS_OVER_FEDERATION=$(get_boolean_for 'allow-public-room-over-federation')
|
ALLOW_PUBLIC_ROOMS_OVER_FEDERATION=$(get_boolean_for 'allow-public-room-over-federation')
|
||||||
ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH=$(get_boolean_for 'allow-public-rooms-without-auth')
|
ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH=$(get_boolean_for 'allow-public-rooms-without-auth')
|
||||||
|
@ -269,8 +205,7 @@ fi
|
||||||
# Message retention.
|
# Message retention.
|
||||||
ENABLE_MESSAGE_RETENTION_POLICY=$(get_boolean_for 'enable-message-retention-policy')
|
ENABLE_MESSAGE_RETENTION_POLICY=$(get_boolean_for 'enable-message-retention-policy')
|
||||||
MESSAGE_RETENTION_POLICY_MAX_LIFETIME=$(cat "$__object/parameter/message-max-lifetime")
|
MESSAGE_RETENTION_POLICY_MAX_LIFETIME=$(cat "$__object/parameter/message-max-lifetime")
|
||||||
MESSAGE_RETENTION_POLICY_MIN_LIFETIME=$MESSAGE_RETENTION_POLICY_MAX_LIFETIME
|
export ENABLE_MESSAGE_RETENTION_POLICY MESSAGE_RETENTION_POLICY_MAX_LIFETIME
|
||||||
export ENABLE_MESSAGE_RETENTION_POLICY MESSAGE_RETENTION_POLICY_MAX_LIFETIME MESSAGE_RETENTION_POLICY_MIN_LIFETIME
|
|
||||||
|
|
||||||
# Previews.
|
# Previews.
|
||||||
ENABLE_URL_PREVIEW=$(get_boolean_for 'enable-url-preview')
|
ENABLE_URL_PREVIEW=$(get_boolean_for 'enable-url-preview')
|
||||||
|
@ -310,16 +245,6 @@ if [ -f "$__object/parameter/turn-uri" ]; then
|
||||||
export TURN_URIS
|
export TURN_URIS
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f "$__object/parameter/turn-username" ]; then
|
|
||||||
TURN_USERNAME=$(cat "$__object/parameter/turn-username")
|
|
||||||
export TURN_USERNAME
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -f "$__object/parameter/turn-password" ]; then
|
|
||||||
TURN_PASSWORD=$(cat "$__object/parameter/turn-password")
|
|
||||||
export TURN_PASSWORD
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Worker-mode configuration.
|
# Worker-mode configuration.
|
||||||
export MAIN_LISTENER_PORT=8008
|
export MAIN_LISTENER_PORT=8008
|
||||||
export ENABLE_MEDIA_REPO='true'
|
export ENABLE_MEDIA_REPO='true'
|
||||||
|
@ -366,12 +291,23 @@ case "$DATABASE_ENGINE" in
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
|
||||||
# Install OS packages.
|
# Install OS packages. We have a bit of boilerplate to handle the debian case.
|
||||||
require="$package_req" __package "$synapse_pkg"
|
synapse_req=
|
||||||
|
if [ "$os" = "debian" ]; then
|
||||||
|
require="__apt_source/matrix-org" __package_apt "$synapse_pkg"
|
||||||
|
synapse_req="__package_apt/$synapse_pkg"
|
||||||
|
else
|
||||||
|
__package "$synapse_pkg"
|
||||||
synapse_req="__package/$synapse_pkg"
|
synapse_req="__package/$synapse_pkg"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ -n "$ENABLE_LDAP_AUTH" ]; then
|
if [ -n "$ENABLE_LDAP_AUTH" ]; then
|
||||||
require="$package_req" __package "$ldap_auth_provider_pkg"
|
if [ "$os" = "debian" ]; then
|
||||||
|
require="__apt_source/matrix-org" __package_apt "$ldap_auth_provider_pkg"
|
||||||
|
else
|
||||||
|
__package "$ldap_auth_provider_pkg"
|
||||||
|
fi
|
||||||
|
synapse_req="$synapse_req __package_apt/$ldap_auth_provider_pkg"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Generate and deploy configuration files.
|
# Generate and deploy configuration files.
|
||||||
|
@ -394,8 +330,8 @@ for directory in $DATA_DIR $LOG_DIR; do
|
||||||
--owner $synapse_user
|
--owner $synapse_user
|
||||||
done
|
done
|
||||||
|
|
||||||
# Make dpkg-reconfigure happy on debian-based systems.
|
# Make dpkg-reconfigure happy on debian systems.
|
||||||
if [ "$os" = "debian" ] || [ "$os" = "ubuntu" ]; then
|
if [ "$os" = "debian" ]; then
|
||||||
require="$synapse_req" __file "$synapse_conf_dir/conf.d/server_name.yaml" \
|
require="$synapse_req" __file "$synapse_conf_dir/conf.d/server_name.yaml" \
|
||||||
--owner $synapse_user \
|
--owner $synapse_user \
|
||||||
--source - <<- EOF
|
--source - <<- EOF
|
||||||
|
|
|
@ -17,6 +17,3 @@ user-directory-search-all-users
|
||||||
enable-message-retention-policy
|
enable-message-retention-policy
|
||||||
worker-mode
|
worker-mode
|
||||||
enable-url-preview
|
enable-url-preview
|
||||||
enable-3pid-lookups
|
|
||||||
disable-3pid-changes
|
|
||||||
disable-displayname-changes
|
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
res/template
|
|
|
@ -13,8 +13,6 @@ ldap-bind-password
|
||||||
ldap-filter
|
ldap-filter
|
||||||
turn-shared-secret
|
turn-shared-secret
|
||||||
turn-user-lifetime
|
turn-user-lifetime
|
||||||
turn-username
|
|
||||||
turn-password
|
|
||||||
max-upload-size
|
max-upload-size
|
||||||
smtp-host
|
smtp-host
|
||||||
smtp-port
|
smtp-port
|
||||||
|
@ -36,9 +34,3 @@ background-tasks-worker
|
||||||
tls-cert
|
tls-cert
|
||||||
tls-private-key
|
tls-private-key
|
||||||
registration-shared-secret
|
registration-shared-secret
|
||||||
saml2-idp-metadata-url
|
|
||||||
saml2-sp-key
|
|
||||||
saml2-sp-cert
|
|
||||||
default-identity-server
|
|
||||||
saml2-mapping-provider-module
|
|
||||||
sso-template-dir
|
|
||||||
|
|
|
@ -5,4 +5,3 @@ app-service-config-file
|
||||||
extra-setting
|
extra-setting
|
||||||
bind-address
|
bind-address
|
||||||
outbound-federation-worker
|
outbound-federation-worker
|
||||||
saml2-mapping-provider-extra-config
|
|
||||||
|
|
|
@ -15,7 +15,7 @@ NotifyAccess=main
|
||||||
User=matrix-synapse
|
User=matrix-synapse
|
||||||
WorkingDirectory=/var/lib/matrix-synapse
|
WorkingDirectory=/var/lib/matrix-synapse
|
||||||
EnvironmentFile=/etc/default/matrix-synapse
|
EnvironmentFile=/etc/default/matrix-synapse
|
||||||
ExecStart=/opt/venvs/matrix-synapse/bin/python -m synapse.app.generic_worker --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --config-path=/etc/matrix-synapse/workers/%i.yaml
|
ExecStart=/usr/bin/python3 -m synapse.app.generic_worker --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --config-path=/etc/matrix-synapse/workers/%i.yaml
|
||||||
ExecReload=/bin/kill -HUP $MAINPID
|
ExecReload=/bin/kill -HUP $MAINPID
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
RestartSec=3
|
RestartSec=3
|
||||||
|
|
|
@ -20,7 +20,7 @@
|
||||||
|
|
||||||
os=$(cat "$__global/explorer/os")
|
os=$(cat "$__global/explorer/os")
|
||||||
case "$os" in
|
case "$os" in
|
||||||
debian|ubuntu)
|
debian)
|
||||||
# This type assume systemd for service installation.
|
# This type assume systemd for service installation.
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
|
@ -31,13 +31,11 @@ case "$os" in
|
||||||
esac
|
esac
|
||||||
|
|
||||||
# Required parameters.
|
# Required parameters.
|
||||||
version=$(cat "$__object/parameter/version")
|
VERSION=$(cat "$__object/parameter/version")
|
||||||
if [ -f "$__object/parameter/config" ]; then
|
if [ -f "$__object/parameter/config" ]; then
|
||||||
config="$(cat "$__object/parameter/config")"
|
CONFIG="$(cat "$__object/parameter/config")"
|
||||||
if [ "$config" = "-" ]; then
|
if [ "$CONFIG" = "-" ]; then
|
||||||
mkdir -p "$__object/files"
|
CONFIG=$(cat "$__object/stdin")
|
||||||
config="$__object/files/matterbridge.toml"
|
|
||||||
cat "$__object/stdin" > "$config"
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -48,11 +46,11 @@ export USER=matterbridge
|
||||||
export GROUP=$USER
|
export GROUP=$USER
|
||||||
|
|
||||||
# Internal variables.
|
# Internal variables.
|
||||||
artefact="matterbridge-$version-linux-64bit"
|
artefact="matterbridge-$VERSION-linux-64bit"
|
||||||
checksum_file="checksums.txt"
|
checksum_file="checksums.txt"
|
||||||
release_download_url=https://github.com/42wim/matterbridge/releases/download
|
release_download_url=https://github.com/42wim/matterbridge/releases/download
|
||||||
binary_url="$release_download_url/v$version/$artefact"
|
binary_url="$release_download_url/v$VERSION/$artefact"
|
||||||
checksum_file_url="$release_download_url/v$version/$checksum_file"
|
checksum_file_url="$release_download_url/v$VERSION/$checksum_file"
|
||||||
config_dir=$(dirname $CONFIG_PATH)
|
config_dir=$(dirname $CONFIG_PATH)
|
||||||
systemd_unit_path='/etc/systemd/system/matterbridge.service'
|
systemd_unit_path='/etc/systemd/system/matterbridge.service'
|
||||||
|
|
||||||
|
@ -90,7 +88,7 @@ require="__user/$USER" __directory "$config_dir" \
|
||||||
require="__directory/$config_dir" __file "$CONFIG_PATH" \
|
require="__directory/$config_dir" __file "$CONFIG_PATH" \
|
||||||
--owner "$USER" \
|
--owner "$USER" \
|
||||||
--mode 0640 \
|
--mode 0640 \
|
||||||
--source "$config"
|
--source "$CONFIG"
|
||||||
|
|
||||||
__file "$systemd_unit_path" \
|
__file "$systemd_unit_path" \
|
||||||
--source "$__object/files/matterbridge.service"
|
--source "$__object/files/matterbridge.service"
|
||||||
|
|
|
@ -1,50 +0,0 @@
|
||||||
cdist-type__networktime(7)
|
|
||||||
==========================
|
|
||||||
|
|
||||||
NAME
|
|
||||||
----
|
|
||||||
cdist-type__networktime - Generic time synchronization type
|
|
||||||
|
|
||||||
|
|
||||||
DESCRIPTION
|
|
||||||
-----------
|
|
||||||
|
|
||||||
This type is intended to be a simple abstraction over the various backends and
|
|
||||||
programs available for network time synchronization. This type only takes a
|
|
||||||
list of peers to synchronize to as argument, and then chooses an appropriate
|
|
||||||
backend depending on the operating system, configures, starts and enables it to
|
|
||||||
start on boot.
|
|
||||||
|
|
||||||
Currently, the following OSes are supported with the following backends:
|
|
||||||
|
|
||||||
- Alpine Linux: builtin busybox NTPd
|
|
||||||
- Debian/Ubuntu: systemd-timesyncd
|
|
||||||
|
|
||||||
|
|
||||||
REQUIRED MULTIPLE PARAMETERS
|
|
||||||
-------------------
|
|
||||||
peer:
|
|
||||||
The name or IP address of a peer to synchronize to.
|
|
||||||
|
|
||||||
|
|
||||||
EXAMPLES
|
|
||||||
--------
|
|
||||||
|
|
||||||
.. code-block:: sh
|
|
||||||
|
|
||||||
# 2.XXX.ntp.org are IPv6-enabled pools
|
|
||||||
__networktime --peer 2.ch.pool.ntp.org \
|
|
||||||
--peer 2.europe.pool.ntp.org
|
|
||||||
|
|
||||||
|
|
||||||
AUTHORS
|
|
||||||
-------
|
|
||||||
Joachim Desroches <joachim.desroches@epfl.ch>
|
|
||||||
|
|
||||||
|
|
||||||
COPYING
|
|
||||||
-------
|
|
||||||
Copyright \(C) 2021 Joachim Desroches. You can redistribute it
|
|
||||||
and/or modify it under the terms of the GNU General Public License as
|
|
||||||
published by the Free Software Foundation, either version 3 of the
|
|
||||||
License, or (at your option) any later version.
|
|
|
@ -1,74 +0,0 @@
|
||||||
#!/bin/sh -e
|
|
||||||
#
|
|
||||||
# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
|
|
||||||
#
|
|
||||||
# This file is part of cdist.
|
|
||||||
#
|
|
||||||
# cdist is free software: you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by
|
|
||||||
# the Free Software Foundation, either version 3 of the License, or
|
|
||||||
# (at your option) any later version.
|
|
||||||
#
|
|
||||||
# cdist is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
#
|
|
||||||
|
|
||||||
os=$(cat "${__global:?}/explorer/os")
|
|
||||||
|
|
||||||
case "$os" in
|
|
||||||
'alpine')
|
|
||||||
backend=busybox-openrc
|
|
||||||
;;
|
|
||||||
'debian' | 'ubuntu')
|
|
||||||
backend=systemd-timesyncd
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
printf "__networktime is not yet implemented for %s.\n" "$os" >&2
|
|
||||||
printf "Please contribute an implementation for it if you can.\n" >&2
|
|
||||||
exit 1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
case "$backend" in
|
|
||||||
'busybox-openrc')
|
|
||||||
argstring="-N"
|
|
||||||
while read -r peer;
|
|
||||||
do
|
|
||||||
argstring="$argstring -p $peer"
|
|
||||||
done < "${__object:?}/parameter/peer"
|
|
||||||
|
|
||||||
__start_on_boot ntpd
|
|
||||||
|
|
||||||
__file /etc/conf.d/ntpd \
|
|
||||||
--mode 0644 --onchange "service ntpd restart"\
|
|
||||||
--source - <<- EOF
|
|
||||||
# NTPd OpenRC configuration file. Managed by cdist.
|
|
||||||
NTPD_OPTS="$argstring"
|
|
||||||
EOF
|
|
||||||
;;
|
|
||||||
|
|
||||||
'systemd-timesyncd')
|
|
||||||
peers="$(tr '\n' ' ' < "${__object:?}/parameter/peer")"
|
|
||||||
|
|
||||||
__package ntp --state absent
|
|
||||||
require="__package/ntp" __systemd_unit systemd-timesyncd \
|
|
||||||
--enablement-state enabled --restart
|
|
||||||
|
|
||||||
__file /etc/systemd/timesyncd.conf \
|
|
||||||
--mode 0644 --onchange "systemctl restart systemd-timesyncd" \
|
|
||||||
--source - <<- EOF
|
|
||||||
# timesyncd(8) configuration file. Managed by cdist.
|
|
||||||
[Time]
|
|
||||||
NTP=$peers
|
|
||||||
EOF
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
printf "Unkown backend in __networktime. This is a bug.\n" >&2
|
|
||||||
exit 1
|
|
||||||
;;
|
|
||||||
esac
|
|
|
@ -1 +0,0 @@
|
||||||
peer
|
|
|
@ -1,67 +0,0 @@
|
||||||
cdist-type__nginx(7)
|
|
||||||
===================================
|
|
||||||
|
|
||||||
NAME
|
|
||||||
----
|
|
||||||
cdist-type__nginx - Serve web content with NGINX
|
|
||||||
|
|
||||||
|
|
||||||
DESCRIPTION
|
|
||||||
-----------
|
|
||||||
Leverages `__nginx_vhost` to serve web content.
|
|
||||||
|
|
||||||
REQUIRED PARAMETERS
|
|
||||||
-------------------
|
|
||||||
domain
|
|
||||||
Domain name to be served.
|
|
||||||
|
|
||||||
OPTIONAL PARAMETERS
|
|
||||||
-------------------
|
|
||||||
config
|
|
||||||
Custom NGINX logic, templated within a standard `server` section with
|
|
||||||
`server_name` and TLS parameters set. Defaults to simple static hosting.
|
|
||||||
|
|
||||||
altdomains
|
|
||||||
Alternative domain names for this vhost and related TLS certificate.
|
|
||||||
|
|
||||||
uacme-hookscript
|
|
||||||
Custom hook passed to the __uacme_obtain type: useful to integrate the
|
|
||||||
dns-01 challenge with third-party DNS providers.
|
|
||||||
|
|
||||||
acme-url
|
|
||||||
ACMEv2 server directory object URL. Lets'Encrypt is used by default.
|
|
||||||
|
|
||||||
acme-eab-credentials
|
|
||||||
Specify RFC8555 External Account Binding credentials according to
|
|
||||||
https://tools.ietf.org/html/rfc8555#section-7.3.4, in order to associate a new
|
|
||||||
ACME account with an existing account in a non-ACME system such as a CA
|
|
||||||
customer database. KEYID must be an ASCII string. KEY must be
|
|
||||||
base64url-encoded.
|
|
||||||
|
|
||||||
EXAMPLES
|
|
||||||
--------
|
|
||||||
|
|
||||||
.. code-block:: sh
|
|
||||||
|
|
||||||
# TLS-enabled vhost serving static files in $WEBROOT/domain.tld (OS-specific,
|
|
||||||
# usually `/var/www` on GNU/Linux systemd).
|
|
||||||
__nginx domain.tld
|
|
||||||
|
|
||||||
# TLS-enabled vhost with custom configuration.
|
|
||||||
__nginx files.domain.tld \
|
|
||||||
--config - <<- EOF
|
|
||||||
root /var/www/files.domain.tld/;
|
|
||||||
autoindex on;
|
|
||||||
EOF
|
|
||||||
|
|
||||||
AUTHORS
|
|
||||||
-------
|
|
||||||
Timothée Floure <timothee.floure@posteo.net>
|
|
||||||
Joachim Desroches <joachim.desroches@epfl.ch>
|
|
||||||
|
|
||||||
COPYING
|
|
||||||
-------
|
|
||||||
Copyright \(C) 2020 Joachim Desroches. You can redistribute it
|
|
||||||
and/or modify it under the terms of the GNU General Public License as
|
|
||||||
published by the Free Software Foundation, either version 3 of the
|
|
||||||
License, or (at your option) any later version.
|
|
|
@ -1,96 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
os="$(cat "${__global:?}"/explorer/os)"
|
|
||||||
case "$os" in
|
|
||||||
alpine)
|
|
||||||
nginx_user=nginx
|
|
||||||
nginx_certdir=/etc/nginx/ssl
|
|
||||||
;;
|
|
||||||
debian|ubuntu)
|
|
||||||
nginx_user=www-data
|
|
||||||
nginx_certdir=/etc/nginx/ssl
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo "This type does not support $os yet. Aborting." >&2;
|
|
||||||
exit 1;
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
if [ -f "${__object:?}/parameter/domain" ];
|
|
||||||
then
|
|
||||||
domain="$(cat "${__object:?}/parameter/domain")"
|
|
||||||
else
|
|
||||||
domain="${__object_id:?}"
|
|
||||||
fi
|
|
||||||
|
|
||||||
altdomains=
|
|
||||||
if [ -f "${__object:?}/parameter/altdomains" ];
|
|
||||||
then
|
|
||||||
altdomains="$(cat "${__object:?}/parameter/altdomains")"
|
|
||||||
fi
|
|
||||||
|
|
||||||
set_custom_uacme_hookscript=
|
|
||||||
if [ -f "${__object:?}/parameter/uacme-hookscript" ];
|
|
||||||
then
|
|
||||||
uacme_hookscript="$(cat "${__object:?}/parameter/uacme-hookscript")"
|
|
||||||
set_custom_uacme_hookscript="--hookscript $uacme_hookscript"
|
|
||||||
fi
|
|
||||||
|
|
||||||
set_custom_acme_url=
|
|
||||||
if [ -f "${__object:?}/parameter/acme-url" ];
|
|
||||||
then
|
|
||||||
custom_acme_url=$(cat "${__object:?}/parameter/acme-url")
|
|
||||||
set_custom_acme_url="--acme-url $custom_acme_url"
|
|
||||||
fi
|
|
||||||
|
|
||||||
set_acme_eab_credentials=
|
|
||||||
if [ -f "${__object:?}/parameter/acme-eab-credentials" ];
|
|
||||||
then
|
|
||||||
acme_eab_credentials=$(cat "${__object:?}/parameter/acme-eab-credentials")
|
|
||||||
set_acme_eab_credentials="--eab-credentials $acme_eab_credentials"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Deploy simple HTTP vhost, allowing to serve ACME challenges.
|
|
||||||
__nginx_vhost "301-to-https-$domain" \
|
|
||||||
--domain "$domain" --altdomains "$altdomains" --to-https
|
|
||||||
|
|
||||||
# Obtaining TLS cert.
|
|
||||||
cert_ownership=$nginx_user
|
|
||||||
if [ -f "${__object:?}/parameter/force-cert-ownership-to" ]; then
|
|
||||||
cert_ownership=$(cat "${__object:?}/parameter/force-cert-ownership-to")
|
|
||||||
fi
|
|
||||||
|
|
||||||
# shellcheck disable=SC2086
|
|
||||||
__uacme_account \
|
|
||||||
$set_custom_acme_url \
|
|
||||||
$set_acme_eab_credentials \
|
|
||||||
|
|
||||||
# shellcheck disable=SC2086
|
|
||||||
require="__nginx_vhost/301-to-https-$domain __uacme_account" \
|
|
||||||
__uacme_obtain "$domain" \
|
|
||||||
--altdomains "$altdomains" \
|
|
||||||
$set_custom_uacme_hookscript \
|
|
||||||
$set_custom_acme_url \
|
|
||||||
$set_acme_eab_credentials \
|
|
||||||
--owner "$cert_ownership" \
|
|
||||||
--install-key-to "$nginx_certdir/$domain/privkey.pem" \
|
|
||||||
--install-cert-to "/$nginx_certdir/$domain/fullchain.pem" \
|
|
||||||
--renew-hook "service nginx reload"
|
|
||||||
|
|
||||||
# Deploy HTTPS nginx vhost.
|
|
||||||
if [ -f "${__object:?}/parameter/config" ]; then
|
|
||||||
if [ "$(cat "${__object:?}/parameter/config")" = "-" ]; then
|
|
||||||
nginx_logic="${__object:?}/stdin"
|
|
||||||
else
|
|
||||||
nginx_logic="${__object:?}/parameter/config"
|
|
||||||
fi
|
|
||||||
|
|
||||||
mkdir -p "${__object:?}/files"
|
|
||||||
cat "$nginx_logic" > "${__object:?}/files/config"
|
|
||||||
|
|
||||||
require="__uacme_obtain/$domain" __nginx_vhost "$domain" \
|
|
||||||
--altdomains "$altdomains" --config "${__object:?}/files/config"
|
|
||||||
else
|
|
||||||
require="__uacme_obtain/$domain" __nginx_vhost "$domain" \
|
|
||||||
--altdomains "$altdomains"
|
|
||||||
fi
|
|
|
@ -1 +0,0 @@
|
||||||
80
|
|
|
@ -1 +0,0 @@
|
||||||
443
|
|
|
@ -1,7 +0,0 @@
|
||||||
config
|
|
||||||
domain
|
|
||||||
altdomains
|
|
||||||
uacme-hookscript
|
|
||||||
acme-url
|
|
||||||
acme-eab-credentials
|
|
||||||
force-cert-ownership-to
|
|
|
@ -1,4 +0,0 @@
|
||||||
# Redirect request to this page in HTTPS.
|
|
||||||
location / {
|
|
||||||
return 301 https://$host$request_uri;
|
|
||||||
}
|
|
|
@ -1,37 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
# Template for static NGINX hosting.
|
|
||||||
|
|
||||||
echo 'server {'
|
|
||||||
|
|
||||||
# Listen
|
|
||||||
cat <<- EOF
|
|
||||||
listen ${LPORT:?} $TLS;
|
|
||||||
listen [::]:${LPORT:?} $TLS;
|
|
||||||
EOF
|
|
||||||
|
|
||||||
# Name
|
|
||||||
echo "server_name ${DOMAIN:?} $ALTDOMAINS;"
|
|
||||||
|
|
||||||
# ACME challenges.
|
|
||||||
cat << EOF
|
|
||||||
location /.well-known/acme-challenge/ {
|
|
||||||
alias ${ACME_CHALLENGE_DIR:?};
|
|
||||||
}
|
|
||||||
EOF
|
|
||||||
|
|
||||||
if [ -n "$TLS" ];
|
|
||||||
then
|
|
||||||
if [ -n "$HSTS" ];
|
|
||||||
then
|
|
||||||
echo 'include snippets/hsts;'
|
|
||||||
fi
|
|
||||||
|
|
||||||
cat <<- EOF
|
|
||||||
ssl_certificate ${NGINX_CERTDIR:?}/${DOMAIN:?}/fullchain.pem;
|
|
||||||
ssl_certificate_key ${NGINX_CERTDIR:?}/${DOMAIN:?}/privkey.pem;
|
|
||||||
EOF
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "${NGINX_LOGIC:?}"
|
|
||||||
|
|
||||||
echo '}'
|
|
|
@ -1 +0,0 @@
|
||||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
|
|
@ -1,12 +0,0 @@
|
||||||
<!doctype html>
|
|
||||||
<html lang="en">
|
|
||||||
<head>
|
|
||||||
<meta charset="utf-8">
|
|
||||||
<meta name="viewport" content="width=device-width, initial-scale=1">
|
|
||||||
<title>cdist configured!</title>
|
|
||||||
</head>
|
|
||||||
<body>
|
|
||||||
You have successfully configured a vhost with
|
|
||||||
<a href="https://cdi.st">cdist</a>. You can now upload content!
|
|
||||||
</body>
|
|
||||||
</html>
|
|
|
@ -1,13 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
# Template for static NGINX hosting.
|
|
||||||
|
|
||||||
NGINX_LOGIC="$(cat << EOF
|
|
||||||
location / {
|
|
||||||
root ${NGINX_WEBROOT:?}/${DOMAIN:?};
|
|
||||||
index index.html;
|
|
||||||
}
|
|
||||||
EOF
|
|
||||||
)"
|
|
||||||
export NGINX_LOGIC
|
|
||||||
|
|
||||||
"${__type:?}/files/generic.conf.sh"
|
|
|
@ -1,25 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
# Template for HTTPS redirection.
|
|
||||||
|
|
||||||
echo 'server {'
|
|
||||||
|
|
||||||
# Listen
|
|
||||||
cat <<- EOF
|
|
||||||
listen ${LPORT:?};
|
|
||||||
listen [::]:${LPORT:?};
|
|
||||||
EOF
|
|
||||||
|
|
||||||
# Name
|
|
||||||
echo "server_name ${DOMAIN:?} $ALTDOMAINS;"
|
|
||||||
|
|
||||||
# ACME challenges.
|
|
||||||
cat << EOF
|
|
||||||
location /.well-known/acme-challenge/ {
|
|
||||||
alias ${ACME_CHALLENGE_DIR:?};
|
|
||||||
}
|
|
||||||
EOF
|
|
||||||
|
|
||||||
# HTTPS redirection.
|
|
||||||
echo 'include snippets/301-to-https;'
|
|
||||||
|
|
||||||
echo '}'
|
|
|
@ -1,35 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
os="$(cat "${__global:?}"/explorer/os)"
|
|
||||||
init=$(cat "$__global/explorer/init")
|
|
||||||
nginx_confdir="/etc/nginx"
|
|
||||||
|
|
||||||
# The nginx service is not automatically started on alpine.
|
|
||||||
if [ "$os" = "alpine" ]; then
|
|
||||||
echo "service nginx --ifstopped start"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if grep -qE "^__file$nginx_confdir" "${__messages_in:?}"; then
|
|
||||||
case "$init" in
|
|
||||||
systemd)
|
|
||||||
reload_hook="systemctl reload-or-restart nginx"
|
|
||||||
;;
|
|
||||||
busybox-init+openrc)
|
|
||||||
reload_hook="service nginx reload"
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo "Unknown init $init." >&2
|
|
||||||
exit 1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
cat <<- EOF
|
|
||||||
if nginx -t; then
|
|
||||||
$reload_hook
|
|
||||||
else
|
|
||||||
echo "NGINX configuration is invalid. Exiting." >2&
|
|
||||||
nginx -t >2&
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
EOF
|
|
||||||
fi
|
|
|
@ -1,82 +0,0 @@
|
||||||
cdist-type__nginx_vhost(7)
|
|
||||||
===================================
|
|
||||||
|
|
||||||
NAME
|
|
||||||
----
|
|
||||||
cdist-type__nginx_vhost - Have nginx serve content for a virtual host
|
|
||||||
|
|
||||||
|
|
||||||
DESCRIPTION
|
|
||||||
-----------
|
|
||||||
This type setups up nginx with reasonable defaults and creates a vhost to be
|
|
||||||
served, optionally with TLS certificates obtained from the Let's Encrypt CA
|
|
||||||
through the ACME HTTP-01 challenge-response mechanism.
|
|
||||||
|
|
||||||
By default, if no rules are specified, then the vhost will serve as-is the
|
|
||||||
contents of the `WEBROOT/foo.com` directory, where WEBROOT is
|
|
||||||
determined depending on the OS, adhering as close to `hier(7)` as possible.
|
|
||||||
|
|
||||||
NGINX expects files in the vhost to be served to be at least readable by the
|
|
||||||
`USER` group, that it creates if it does not exist. It is recommended to have
|
|
||||||
the user owning the files to be someone else, and the files beeing
|
|
||||||
group-readable but not writeable.
|
|
||||||
|
|
||||||
Finally, if TLS is not disabled, then this type makes nginx expect the
|
|
||||||
fullchain certificate and the private key in
|
|
||||||
`CERTDIR/domain/{fullchain,privkey}.pem`.
|
|
||||||
|
|
||||||
+------------------+---------+-------------------+-----------------------------+
|
|
||||||
| Operating System | USER | WEBROOT | CERTDIR |
|
|
||||||
+==================+=========+===================+=============================+
|
|
||||||
| Alpine Linux | `nginx` | `/srv/www/` | `/etc/nginx/ssl/` |
|
|
||||||
+------------------+---------+-------------------+-----------------------------+
|
|
||||||
| Arch Linux | `www` | `/srv/www/` | `/etc/nginx/ssl/` |
|
|
||||||
+------------------+---------+-------------------+-----------------------------+
|
|
||||||
|
|
||||||
OPTIONAL PARAMETERS
|
|
||||||
-------------------
|
|
||||||
|
|
||||||
config
|
|
||||||
A custom configuration file for the vhost, inserted in a server section
|
|
||||||
populated with `server_name` and TLS parameters unless `--standalone-config`
|
|
||||||
is specified. Can be specified either as a file path, or if the value of this
|
|
||||||
flag is '-', then the configuration is read from stdin.
|
|
||||||
|
|
||||||
domain
|
|
||||||
The domain this server will respond to. If this is omitted, then the
|
|
||||||
`__object_id` is used.
|
|
||||||
|
|
||||||
lport
|
|
||||||
The port to which we listen. If this is omitted, the defaults of `80` for
|
|
||||||
HTTP and `443` for HTTPS are used.
|
|
||||||
|
|
||||||
altdomains
|
|
||||||
Alternative domain names for this vhost.
|
|
||||||
|
|
||||||
BOOLEAN PARAMETERS
|
|
||||||
------------------
|
|
||||||
|
|
||||||
no-hsts
|
|
||||||
Do not use HSTS pinning.
|
|
||||||
|
|
||||||
no-tls
|
|
||||||
Do not serve over HTTPS.
|
|
||||||
|
|
||||||
to-https
|
|
||||||
Ignore --config flag and redirect to HTTPS. Implies --no-tls.
|
|
||||||
|
|
||||||
standalone-config
|
|
||||||
Use as-in the vhost configuration (= do not wrap in generic server section)
|
|
||||||
the content of the `config` parameter.
|
|
||||||
|
|
||||||
AUTHORS
|
|
||||||
-------
|
|
||||||
Joachim Desroches <joachim.desroches@epfl.ch>
|
|
||||||
Timothée Floure <timothee.floure@posteo.net>
|
|
||||||
|
|
||||||
COPYING
|
|
||||||
-------
|
|
||||||
Copyright \(C) 2020 Joachim Desroches. You can redistribute it
|
|
||||||
and/or modify it under the terms of the GNU General Public License as
|
|
||||||
published by the Free Software Foundation, either version 3 of the
|
|
||||||
License, or (at your option) any later version.
|
|
|
@ -1,164 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
#
|
|
||||||
# 2020 Joachim Desroches <joachim.desroches@epfl.ch>
|
|
||||||
# 2021 Timothée Floure <timothee.floure@posteo.net>
|
|
||||||
#
|
|
||||||
# This file is part of cdist.
|
|
||||||
#
|
|
||||||
# cdist is free software: you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by
|
|
||||||
# the Free Software Foundation, either version 3 of the License, or
|
|
||||||
# (at your option) any later version.
|
|
||||||
#
|
|
||||||
# cdist is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
#
|
|
||||||
# Create NGINX vhosts
|
|
||||||
|
|
||||||
os="$(cat "${__global:?}"/explorer/os)"
|
|
||||||
mkdir -p "${__object:?}/files"
|
|
||||||
|
|
||||||
case "$os" in
|
|
||||||
alpine)
|
|
||||||
__package nginx
|
|
||||||
|
|
||||||
nginx_confdir="/etc/nginx"
|
|
||||||
install_reqs="__package/nginx"
|
|
||||||
|
|
||||||
require="$install_reqs" __start_on_boot nginx
|
|
||||||
|
|
||||||
export NGINX_SITEDIR="$nginx_confdir/http.d"
|
|
||||||
export NGINX_CERTDIR="$nginx_confdir/ssl"
|
|
||||||
export NGINX_SNIPPETSDIR="$nginx_confdir/snippets"
|
|
||||||
export NGINX_WEBROOT="/var/www"
|
|
||||||
export ACME_CHALLENGE_DIR="$NGINX_WEBROOT/.well-known/acme-challenge/"
|
|
||||||
;;
|
|
||||||
debian|ubuntu)
|
|
||||||
__package nginx
|
|
||||||
|
|
||||||
nginx_confdir="/etc/nginx"
|
|
||||||
install_reqs="__package/nginx"
|
|
||||||
|
|
||||||
export NGINX_SITEDIR="$nginx_confdir/sites-enabled"
|
|
||||||
export NGINX_CERTDIR="$nginx_confdir/ssl"
|
|
||||||
export NGINX_SNIPPETSDIR="$nginx_confdir/snippets"
|
|
||||||
export NGINX_WEBROOT="/var/www"
|
|
||||||
export ACME_CHALLENGE_DIR="$NGINX_WEBROOT/.well-known/acme-challenge/"
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo "This type does not support $os yet. Aborting." >&2;
|
|
||||||
exit 1;
|
|
||||||
esac
|
|
||||||
|
|
||||||
# Domain
|
|
||||||
if [ -f "${__object:?}/parameter/domain" ];
|
|
||||||
then
|
|
||||||
DOMAIN="$(cat "${__object:?}/parameter/domain")"
|
|
||||||
else
|
|
||||||
DOMAIN="${__object_id:?}"
|
|
||||||
fi
|
|
||||||
export DOMAIN
|
|
||||||
|
|
||||||
ALTDOMAINS=
|
|
||||||
if [ -f "${__object:?}/parameter/altdomains" ];
|
|
||||||
then
|
|
||||||
ALTDOMAINS="$(cat "${__object:?}/parameter/altdomains")"
|
|
||||||
fi
|
|
||||||
export ALTDOMAINS
|
|
||||||
|
|
||||||
# Use TLS ?
|
|
||||||
if [ -f "${__object:?}/parameter/no-tls" ];
|
|
||||||
then
|
|
||||||
TLS=
|
|
||||||
echo "WARNING: you have disabled TLS for vhost $DOMAIN" >&2
|
|
||||||
else
|
|
||||||
TLS=ssl
|
|
||||||
fi
|
|
||||||
export TLS
|
|
||||||
|
|
||||||
# Use HSTS ?
|
|
||||||
if [ -f "${__object:?}/parameter/no-hsts" ];
|
|
||||||
then
|
|
||||||
HSTS=
|
|
||||||
else
|
|
||||||
HSTS=true
|
|
||||||
fi
|
|
||||||
export HSTS
|
|
||||||
|
|
||||||
# Redirect to HTTPS ?
|
|
||||||
if [ -f "${__object:?}/parameter/to-https" ];
|
|
||||||
then
|
|
||||||
TO_HTTPS=true
|
|
||||||
else
|
|
||||||
TO_HTTPS=
|
|
||||||
fi
|
|
||||||
export HSTS
|
|
||||||
|
|
||||||
# Port to listen on
|
|
||||||
if [ -f "${__object:?}/parameter/lport" ];
|
|
||||||
then
|
|
||||||
LPORT="$(cat "${__object:?}/parameter/lport")"
|
|
||||||
else
|
|
||||||
if [ -n "$TLS" ] && [ -z "$TO_HTTPS" ];
|
|
||||||
then
|
|
||||||
LPORT=443
|
|
||||||
else
|
|
||||||
LPORT=80
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
export LPORT
|
|
||||||
|
|
||||||
# Server definition
|
|
||||||
if [ -n "$TO_HTTPS" ];
|
|
||||||
then
|
|
||||||
# Ignore configuration, simply serve ACME challenge and redirect to HTTPS.
|
|
||||||
"${__type:?}/files/to-https.conf.sh" > "${__object:?}/files/vhost.conf"
|
|
||||||
vhost_conf="${__object:?}/files/vhost.conf"
|
|
||||||
elif [ -f "${__object:?}/parameter/config" ];
|
|
||||||
then
|
|
||||||
# Extract nginx config from type parameter.
|
|
||||||
if [ "$(cat "${__object:?}/parameter/config")" = "-" ];
|
|
||||||
then
|
|
||||||
vhost_partial="${__object:?}/stdin"
|
|
||||||
else
|
|
||||||
vhost_partial=$(cat "${__object:?}/parameter/config")
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Either use config as-in or template it in generic vhost structure.
|
|
||||||
if [ -f "${__object:?}/parameter/standalone-config" ]; then
|
|
||||||
vhost_conf=$vhost_partial
|
|
||||||
else
|
|
||||||
NGINX_LOGIC=$(cat "$vhost_partial") "${__type:?}/files/generic.conf.sh" \
|
|
||||||
> "${__object:?}/files/vhost.conf"
|
|
||||||
|
|
||||||
vhost_conf="${__object:?}/files/vhost.conf"
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
# Default to simple static configuration.
|
|
||||||
"${__type:?}/files/static.conf.sh" > "${__object:?}/files/vhost.conf"
|
|
||||||
vhost_conf="${__object:?}/files/vhost.conf"
|
|
||||||
|
|
||||||
require="$install_reqs" __directory "$NGINX_WEBROOT/$DOMAIN"
|
|
||||||
require="__directory$NGINX_WEBROOT/$DOMAIN" \
|
|
||||||
__file "$NGINX_WEBROOT/$DOMAIN/index.html" --state exists \
|
|
||||||
--source "${__type:?}/files/index.html" \
|
|
||||||
--mode 0644
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Install snippets.
|
|
||||||
require="$install_reqs" __directory "$NGINX_SNIPPETSDIR"
|
|
||||||
for snippet in hsts 301-to-https; do
|
|
||||||
require="__directory/$NGINX_SNIPPETSDIR" __file \
|
|
||||||
"$NGINX_SNIPPETSDIR/$snippet" --source "${__type:?}/files/$snippet"
|
|
||||||
done
|
|
||||||
|
|
||||||
# Install vhost.
|
|
||||||
require="$install_reqs" __directory "$NGINX_SITEDIR"
|
|
||||||
require="__directory/$NGINX_SITEDIR" __file "$NGINX_SITEDIR/$__object_id.conf" \
|
|
||||||
--source "$vhost_conf" \
|
|
||||||
--mode 0644
|
|
|
@ -1,4 +0,0 @@
|
||||||
no-tls
|
|
||||||
no-hsts
|
|
||||||
to-https
|
|
||||||
standalone-config
|
|
|
@ -1 +0,0 @@
|
||||||
index.html index.htm
|
|
|
@ -1,4 +0,0 @@
|
||||||
domain
|
|
||||||
config
|
|
||||||
altdomains
|
|
||||||
lport
|
|
|
@ -1,7 +1,6 @@
|
||||||
#!/bin/sh -e
|
#!/bin/sh -e
|
||||||
# Generate an opendkim.conf(5) file for opendkim(8).
|
# Generate an opendkim.conf(5) file for opendkim(8).
|
||||||
|
|
||||||
echo "# Managed remotely, manual changes will be lost."
|
|
||||||
|
|
||||||
# Optional chdir(2)
|
# Optional chdir(2)
|
||||||
if [ "$BASEDIR" ];
|
if [ "$BASEDIR" ];
|
||||||
|
@ -34,8 +33,8 @@ then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Key and Domain tables
|
# Key and Domain tables
|
||||||
echo "KeyTable ${CFG_DIR}/KeyTable"
|
echo 'KeyTable /etc/opendkim/KeyTable'
|
||||||
echo "SigningTable ${CFG_DIR}/SigningTable"
|
echo 'SigningTable /etc/opendkim/SigningTable'
|
||||||
|
|
||||||
# Required socket to listen on
|
# Required socket to listen on
|
||||||
printf "Socket %s\n" "${SOCKET:?}"
|
printf "Socket %s\n" "${SOCKET:?}"
|
||||||
|
|
|
@ -14,8 +14,8 @@ installation and basic configuration of an instance of OpenDKIM.
|
||||||
Note that this type does not generate or ensure that a key is present: use
|
Note that this type does not generate or ensure that a key is present: use
|
||||||
`cdist-type__opendkim-genkey(7)` for that.
|
`cdist-type__opendkim-genkey(7)` for that.
|
||||||
|
|
||||||
Note that this type is currently only implemented for Alpine Linux and FreeBSD.
|
Note that this type is currently only implemented for Alpine Linux. Please
|
||||||
Please contribute an implementation if you can.
|
contribute an implementation if you can.
|
||||||
|
|
||||||
|
|
||||||
REQUIRED PARAMETERS
|
REQUIRED PARAMETERS
|
||||||
|
@ -42,9 +42,8 @@ umask
|
||||||
Set the umask for the socket and PID file.
|
Set the umask for the socket and PID file.
|
||||||
|
|
||||||
userid
|
userid
|
||||||
Change the user the opendkim program is to run as.
|
Change the user the opendkim program is to run as. By default, Alpine Linux's
|
||||||
By default, Alpine Linux's OpenRC service will set this to `opendkim` on the
|
OpenRC service will set this to `opendkim` on the command-line.
|
||||||
command-line and FreeBSD's rc will set it to `mailnull`.
|
|
||||||
|
|
||||||
custom-config
|
custom-config
|
||||||
The string following this parameter is appended as-is in the configuration, to
|
The string following this parameter is appended as-is in the configuration, to
|
||||||
|
@ -87,12 +86,11 @@ SEE ALSO
|
||||||
AUTHORS
|
AUTHORS
|
||||||
-------
|
-------
|
||||||
Joachim Desroches <joachim.desroches@epfl.ch>
|
Joachim Desroches <joachim.desroches@epfl.ch>
|
||||||
Evilham <contact@evilham.com>
|
|
||||||
|
|
||||||
|
|
||||||
COPYING
|
COPYING
|
||||||
-------
|
-------
|
||||||
Copyright \(C) 2022 Joachim Desroches, Evilham. You can redistribute it
|
Copyright \(C) 2021 Joachim Desroches. You can redistribute it
|
||||||
and/or modify it under the terms of the GNU General Public License as
|
and/or modify it under the terms of the GNU General Public License as
|
||||||
published by the Free Software Foundation, either version 3 of the
|
published by the Free Software Foundation, either version 3 of the
|
||||||
License, or (at your option) any later version.
|
License, or (at your option) any later version.
|
||||||
|
|
|
@ -20,23 +20,16 @@
|
||||||
|
|
||||||
os=$(cat "${__global:?}/explorer/os")
|
os=$(cat "${__global:?}/explorer/os")
|
||||||
|
|
||||||
CFG_DIR="/etc/opendkim"
|
|
||||||
service="opendkim"
|
|
||||||
case "$os" in
|
case "$os" in
|
||||||
'alpine')
|
'alpine')
|
||||||
:
|
:
|
||||||
;;
|
;;
|
||||||
'freebsd')
|
|
||||||
CFG_DIR="/usr/local/etc/mail"
|
|
||||||
service="milter-opendkim"
|
|
||||||
;;
|
|
||||||
*)
|
*)
|
||||||
printf "__opendkim does not yet support %s.\n" "$os" >&2
|
printf "__opendkim does not yet support %s.\n" "$os" >&2
|
||||||
printf "Please contribute an implementation if you can.\n" >&2
|
printf "Please contribute an implementation if you can.\n" >&2
|
||||||
exit 1
|
exit 1
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
export CFG_DIR
|
|
||||||
|
|
||||||
__package opendkim
|
__package opendkim
|
||||||
|
|
||||||
|
@ -75,7 +68,7 @@ fi
|
||||||
|
|
||||||
# Generate and deploy configuration file.
|
# Generate and deploy configuration file.
|
||||||
source_file="${__object:?}/files/opendkim.conf"
|
source_file="${__object:?}/files/opendkim.conf"
|
||||||
target_file="${CFG_DIR}/opendkim.conf"
|
target_file="/etc/opendkim/opendkim.conf"
|
||||||
|
|
||||||
mkdir -p "${__object:?}/files"
|
mkdir -p "${__object:?}/files"
|
||||||
|
|
||||||
|
@ -90,22 +83,9 @@ fi
|
||||||
require="__package/opendkim" __file "$target_file" \
|
require="__package/opendkim" __file "$target_file" \
|
||||||
--source "$source_file" --mode 0644
|
--source "$source_file" --mode 0644
|
||||||
|
|
||||||
require="__package/opendkim" __start_on_boot "${service}"
|
require="__package/opendkim" __start_on_boot opendkim
|
||||||
|
|
||||||
# Ensure Key and Signing tables exist and have proper permissions
|
require="__file${target_file}" \
|
||||||
key_table="${CFG_DIR}/KeyTable"
|
|
||||||
signing_table="${CFG_DIR}/SigningTable"
|
|
||||||
|
|
||||||
require="__package/opendkim" \
|
|
||||||
__file "${key_table}" \
|
|
||||||
--mode 444
|
|
||||||
|
|
||||||
require="__package/opendkim" \
|
|
||||||
__file "${signing_table}" \
|
|
||||||
--mode 444
|
|
||||||
|
|
||||||
require="__file${target_file} __file${key_table}
|
|
||||||
__file${signing_table} __start_on_boot/${service}" \
|
|
||||||
__check_messages opendkim \
|
__check_messages opendkim \
|
||||||
--pattern "^__file${target_file}" \
|
--pattern "^__file${target_file}" \
|
||||||
--execute "service ${service} restart"
|
--execute "service opendkim restart"
|
||||||
|
|
|
@ -30,8 +30,7 @@ fi
|
||||||
|
|
||||||
DIRECTORY="/var/db/dkim/"
|
DIRECTORY="/var/db/dkim/"
|
||||||
if [ -f "${__object:?}/parameter/directory" ]; then
|
if [ -f "${__object:?}/parameter/directory" ]; then
|
||||||
# Be forgiving about a lack of trailing slash
|
DIRECTORY="$(cat "${__object:?}/parameter/directory")"
|
||||||
DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")"
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Boolean parameters
|
# Boolean parameters
|
||||||
|
@ -45,12 +44,7 @@ if [ -f "${__object:?}/parameters/unrestricted" ]; then
|
||||||
RESTRICTED=
|
RESTRICTED=
|
||||||
fi
|
fi
|
||||||
|
|
||||||
user="$(cat "${__object:?}/user")"
|
|
||||||
group="$(cat "${__object:?}/group")"
|
|
||||||
|
|
||||||
if ! [ -f "${DIRECTORY}${SELECTOR}.private" ]; then
|
if ! [ -f "${DIRECTORY}${SELECTOR}.private" ]; then
|
||||||
echo "opendkim-genkey $BITS --domain=$DOMAIN --directory=$DIRECTORY $RESTRICTED --selector=$SELECTOR $SUBDOMAINS"
|
echo "opendkim-genkey $BITS --domain=$DOMAIN --directory=$DIRECTORY $RESTRICTED --selector=$SELECTOR $SUBDOMAINS"
|
||||||
echo "chown ${user}:${group} ${DIRECTORY}${SELECTOR}.private"
|
echo "chown opendkim:opendkim ${DIRECTORY}${SELECTOR}.private"
|
||||||
# This is usually generated, if it weren't we do not want to fail
|
|
||||||
echo "chown ${user}:${group} ${DIRECTORY}${SELECTOR}.txt || true"
|
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -17,8 +17,8 @@ will be added to the OpenDKIM signing table, using either the domain or the
|
||||||
provided key for the `domain:selector:keyfile` value in the table. An existing
|
provided key for the `domain:selector:keyfile` value in the table. An existing
|
||||||
key will not be overwritten.
|
key will not be overwritten.
|
||||||
|
|
||||||
Currently, this type is only implemented for Alpine Linux and FreeBSD.
|
Currently, this type is only implemented for Alpine Linux. Please contribute an
|
||||||
Please contribute an implementation if you can.
|
implementation if you can.
|
||||||
|
|
||||||
REQUIRED PARAMETERS
|
REQUIRED PARAMETERS
|
||||||
-------------------
|
-------------------
|
||||||
|
@ -85,12 +85,11 @@ SEE ALSO
|
||||||
AUTHORS
|
AUTHORS
|
||||||
-------
|
-------
|
||||||
Joachim Desroches <joachim.desroches@epfl.ch>
|
Joachim Desroches <joachim.desroches@epfl.ch>
|
||||||
Evilham <contact@evilham.com>
|
|
||||||
|
|
||||||
|
|
||||||
COPYING
|
COPYING
|
||||||
-------
|
-------
|
||||||
Copyright \(C) 2022 Joachim Desroches, Evilham. You can redistribute it
|
Copyright \(C) 2021 Joachim Desroches. You can redistribute it
|
||||||
and/or modify it under the terms of the GNU General Public License as
|
and/or modify it under the terms of the GNU General Public License as
|
||||||
published by the Free Software Foundation, either version 3 of the
|
published by the Free Software Foundation, either version 3 of the
|
||||||
License, or (at your option) any later version.
|
License, or (at your option) any later version.
|
||||||
|
|
|
@ -21,18 +21,10 @@
|
||||||
|
|
||||||
os=$(cat "${__global:?}/explorer/os")
|
os=$(cat "${__global:?}/explorer/os")
|
||||||
|
|
||||||
CFG_DIR="/etc/opendkim"
|
|
||||||
user="opendkim"
|
|
||||||
group="opendkim"
|
|
||||||
case "$os" in
|
case "$os" in
|
||||||
'alpine')
|
'alpine')
|
||||||
:
|
:
|
||||||
;;
|
;;
|
||||||
'freebsd')
|
|
||||||
CFG_DIR="/usr/local/etc/mail"
|
|
||||||
user="mailnull"
|
|
||||||
group="mailnull"
|
|
||||||
;;
|
|
||||||
*)
|
*)
|
||||||
cat <<- EOF >&2
|
cat <<- EOF >&2
|
||||||
__opendkim_genkey currently only supports Alpine Linux. Please
|
__opendkim_genkey currently only supports Alpine Linux. Please
|
||||||
|
@ -40,9 +32,6 @@ case "$os" in
|
||||||
EOF
|
EOF
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
# Persist user and group for gencode-remote
|
|
||||||
printf '%s' "${user}" > "${__object:?}/user"
|
|
||||||
printf '%s' "${group}" > "${__object:?}/group"
|
|
||||||
|
|
||||||
SELECTOR="$(cat "${__object:?}/parameter/selector")"
|
SELECTOR="$(cat "${__object:?}/parameter/selector")"
|
||||||
DOMAIN="$(cat "${__object:?}/parameter/domain")"
|
DOMAIN="$(cat "${__object:?}/parameter/domain")"
|
||||||
|
@ -50,8 +39,7 @@ DOMAIN="$(cat "${__object:?}/parameter/domain")"
|
||||||
DIRECTORY="/var/db/dkim/"
|
DIRECTORY="/var/db/dkim/"
|
||||||
if [ -f "${__object:?}/parameter/directory" ];
|
if [ -f "${__object:?}/parameter/directory" ];
|
||||||
then
|
then
|
||||||
# Be forgiving about a lack of trailing slash
|
DIRECTORY="$(cat "${__object:?}/parameter/directory")"
|
||||||
DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")"
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
SIGKEY="${DOMAIN:?}"
|
SIGKEY="${DOMAIN:?}"
|
||||||
|
@ -60,26 +48,19 @@ then
|
||||||
SIGKEY="$(cat "${__object:?}/parameter/sigkey")"
|
SIGKEY="$(cat "${__object:?}/parameter/sigkey")"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Ensure the key-container directory exists with the proper permissions
|
|
||||||
__directory "${DIRECTORY}" \
|
|
||||||
--mode 0750 \
|
|
||||||
--owner "${user}" --group "${group}"
|
|
||||||
|
|
||||||
# OS-specific code
|
|
||||||
case "$os" in
|
|
||||||
'alpine')
|
|
||||||
# This is needed for opendkim-genkey
|
|
||||||
__package opendkim-utils
|
__package opendkim-utils
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
key_table="${CFG_DIR}/KeyTable"
|
require='__package/opendkim-utils' \
|
||||||
signing_table="${CFG_DIR}/SigningTable"
|
__file /etc/opendkim/KeyTable
|
||||||
|
require='__package/opendkim-utils' \
|
||||||
|
__file /etc/opendkim/SigningTable
|
||||||
|
|
||||||
|
require='__file/etc/opendkim/KeyTable' \
|
||||||
__line "line-key-${__object_id:?}" \
|
__line "line-key-${__object_id:?}" \
|
||||||
--file "${key_table}" \
|
--file /etc/opendkim/KeyTable \
|
||||||
--line "${SELECTOR:?}._domainkey.${DOMAIN:?} ${DOMAIN:?}:${SELECTOR:?}:${DIRECTORY:?}${SELECTOR:?}.private"
|
--line "${SELECTOR:?}._domainkey.${DOMAIN:?} ${DOMAIN:?}:${SELECTOR:?}:${DIRECTORY:?}${SELECTOR:?}.private"
|
||||||
|
|
||||||
|
require='__file/etc/opendkim/SigningTable' \
|
||||||
__line "line-sig-${__object_id:?}" \
|
__line "line-sig-${__object_id:?}" \
|
||||||
--file "${signing_table}" \
|
--file /etc/opendkim/SigningTable \
|
||||||
--line "${SIGKEY:?} ${SELECTOR:?}._domainkey.${DOMAIN:?}"
|
--line "${SIGKEY:?} ${SELECTOR:?}._domainkey.${DOMAIN:?}"
|
||||||
|
|
|
@ -1,12 +1,5 @@
|
||||||
#!/bin/sh -e
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
|
||||||
os="$(cat "${__global}/explorer/os")"
|
|
||||||
if [ "${os}" != "freebsd" ]; then
|
|
||||||
exit
|
|
||||||
fi
|
|
||||||
|
|
||||||
# FreeBSD-specific
|
|
||||||
svdir="/var/service"
|
svdir="/var/service"
|
||||||
svdir_exists="$(cat "${__object}/explorer/svdir-exists")"
|
svdir_exists="$(cat "${__object}/explorer/svdir-exists")"
|
||||||
runit_etc="$(cat "${__object}/explorer/runit-etc")"
|
runit_etc="$(cat "${__object}/explorer/runit-etc")"
|
||||||
|
|
|
@ -2,29 +2,9 @@
|
||||||
|
|
||||||
__package "runit"
|
__package "runit"
|
||||||
|
|
||||||
os="$(cat "${__global}/explorer/os")"
|
|
||||||
case "${os}" in
|
|
||||||
debian|devuan)
|
|
||||||
# zero-config sysvinit and systemd compatibility
|
|
||||||
os_version="$(cat "${__global}/explorer/os_version")"
|
|
||||||
debian_package="runit-run"
|
|
||||||
case "${os_version}" in
|
|
||||||
beowulf)
|
|
||||||
debian_package="runit"
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
__package "${debian_package}"
|
|
||||||
;;
|
|
||||||
freebsd)
|
|
||||||
__key_value \
|
__key_value \
|
||||||
--file "/etc/rc.conf" \
|
--file "/etc/rc.conf" \
|
||||||
--key "runsvdir_enable" \
|
--key "runsvdir_enable" \
|
||||||
--delimiter "=" \
|
--delimiter "=" \
|
||||||
--value "yes" \
|
--value "yes" \
|
||||||
"runsvdir_enable"
|
"runsvdir_enable"
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo "Your OS '${os}' is currently not supported." >&2
|
|
||||||
exit 1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
|
@ -27,11 +27,6 @@ BOOLEAN PARAMETERS
|
||||||
log
|
log
|
||||||
Setup logging with `svlogd -tt ./main`.
|
Setup logging with `svlogd -tt ./main`.
|
||||||
|
|
||||||
OPTIONAL PARAMETERS
|
|
||||||
-------------------
|
|
||||||
state
|
|
||||||
Whether this service is to be 'present' (default) or 'absent'.
|
|
||||||
|
|
||||||
|
|
||||||
EXAMPLES
|
EXAMPLES
|
||||||
--------
|
--------
|
||||||
|
|
|
@ -1,21 +1,8 @@
|
||||||
#!/bin/sh -e
|
#!/bin/sh -e
|
||||||
|
|
||||||
os="$(cat "${__global}/explorer/os")"
|
|
||||||
case "${os}" in
|
|
||||||
debian|devuan)
|
|
||||||
svdir="/etc/service"
|
|
||||||
;;
|
|
||||||
*bsd)
|
|
||||||
svdir="/var/service"
|
svdir="/var/service"
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo "Your OS '${OS}' is currently not supported." >&2
|
|
||||||
exit 1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
sv="${__object_id}"
|
sv="${__object_id}"
|
||||||
state="$(cat "${__object}/parameter/state")"
|
state="present"
|
||||||
run_file="${svdir}/${sv}/run"
|
run_file="${svdir}/${sv}/run"
|
||||||
|
|
||||||
source="$(cat "$__object/parameter/source")"
|
source="$(cat "$__object/parameter/source")"
|
||||||
|
@ -28,30 +15,19 @@ __directory --state "${state}" "${svdir}/${sv}"
|
||||||
|
|
||||||
export require="__directory${svdir}/${sv}"
|
export require="__directory${svdir}/${sv}"
|
||||||
|
|
||||||
if [ "${state}" != "present" ]; then
|
|
||||||
# We are done here, the service gets removed
|
|
||||||
exit
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Setup run file
|
|
||||||
__file --state "${state}" --mode 0550 --source "${source}" \
|
|
||||||
--onchange "sv restart '${sv}' || true" \
|
|
||||||
"${run_file}"
|
|
||||||
export require="${require} __file${run_file}"
|
|
||||||
|
|
||||||
if [ -f "${__object}/parameter/log" ]; then
|
if [ -f "${__object}/parameter/log" ]; then
|
||||||
# Setup logger if requested
|
# Setup logger if requested
|
||||||
logdir="/var/log/runit"
|
__directory --parents "${svdir}/${sv}/log/main"
|
||||||
__directory --parents "${svdir}/${sv}/log"
|
export require="${require} __directory${svdir}/${sv}/log/main"
|
||||||
__directory --state absent "${svdir}/${sv}/log/main" # Remove lingering old fashioned log
|
|
||||||
__directory --parents "${logdir}/${sv}"
|
|
||||||
export require="${require} __directory${svdir}/${sv}/log __directory${logdir}/${sv}"
|
|
||||||
__file "${svdir}/${sv}/log/run" \
|
__file "${svdir}/${sv}/log/run" \
|
||||||
--state "${state}" \
|
--state "${state}" \
|
||||||
--mode 0755 \
|
--mode 0755 \
|
||||||
--onchange "sv restart '${sv}/log' || true" \
|
|
||||||
--source "-" <<EOF
|
--source "-" <<EOF
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
exec svlogd -tt '${logdir}/${sv}'
|
exec svlogd -tt ./main
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Setup run file
|
||||||
|
__file --state "${state}" --mode 0755 --source "${source}" "${run_file}"
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
present
|
|
|
@ -1 +0,0 @@
|
||||||
state
|
|
|
@ -1,10 +0,0 @@
|
||||||
#!/bin/sh -e
|
|
||||||
|
|
||||||
BIN_PREFIX="/usr/local/bin"
|
|
||||||
SERVICE_NAME="${__object_id}"
|
|
||||||
|
|
||||||
VERSION_FILE="${BIN_PREFIX}/.${SERVICE_NAME}.cdist.version"
|
|
||||||
|
|
||||||
if [ -f "${VERSION_FILE}" ]; then
|
|
||||||
cat "${VERSION_FILE}"
|
|
||||||
fi
|
|
|
@ -1,195 +0,0 @@
|
||||||
cdist-type__single_binary_service(7)
|
|
||||||
====================================
|
|
||||||
|
|
||||||
NAME
|
|
||||||
----
|
|
||||||
cdist-type__single_binary_service - Setup a single-binary service
|
|
||||||
|
|
||||||
|
|
||||||
DESCRIPTION
|
|
||||||
-----------
|
|
||||||
This type is designed to easily deploy and configure a single-binary service
|
|
||||||
named `${__object_id}`.
|
|
||||||
|
|
||||||
A good example of this are Prometheus exporters.
|
|
||||||
|
|
||||||
This type makes certain assumptions that might not be correct on your system.
|
|
||||||
If you need more flexibility, please get in touch and provide a use-case
|
|
||||||
(and hopefully a backwards-compatible patch).
|
|
||||||
|
|
||||||
This type will place the downloaded binary and, if requested, other extra
|
|
||||||
binaries in `/usr/local/bin`.
|
|
||||||
|
|
||||||
If a `--config-file-source` is provided, it will be placed under:
|
|
||||||
`/etc/${__object_id}.conf`.
|
|
||||||
|
|
||||||
This type supports services managed by `__runit(7)` when `systemd` is not
|
|
||||||
the init system being used.
|
|
||||||
|
|
||||||
|
|
||||||
REQUIRED PARAMETERS
|
|
||||||
-------------------
|
|
||||||
checksum
|
|
||||||
This will be passed verbatim to `__download(7)`.
|
|
||||||
Use something like `sha256:...`.
|
|
||||||
|
|
||||||
url
|
|
||||||
This will be passed verbatim to `__download(7)`.
|
|
||||||
|
|
||||||
version
|
|
||||||
This type will use a thumbstone file with a "version" number to track
|
|
||||||
whether or not a service must be updated.
|
|
||||||
This thumbstone file is placed under
|
|
||||||
`/usr/local/bin/.${__object_id}.cdist.version`.
|
|
||||||
|
|
||||||
|
|
||||||
BOOLEAN PARAMETERS
|
|
||||||
------------------
|
|
||||||
unpack
|
|
||||||
If present, the contents of `--url` will be treated as an archive to be
|
|
||||||
unpacked with `__unpack(7)`.
|
|
||||||
See also `--unpack-args` and `--extra-binary`.
|
|
||||||
|
|
||||||
do-not-manage-user
|
|
||||||
Always considered present when `--user` is `root`.
|
|
||||||
If present, the user in `--user` will not be managed by this type with
|
|
||||||
`__user`, this means it *must* exist beforehand when installing the service
|
|
||||||
and it will not be removed by this type.
|
|
||||||
|
|
||||||
|
|
||||||
OPTIONAL PARAMETERS
|
|
||||||
-------------------
|
|
||||||
config-file-source
|
|
||||||
If present, this file's contents will be placed under
|
|
||||||
`/etc/${__object_id}.conf` with permissions `0440` and ownership assigned to
|
|
||||||
`--user` and `--group`.
|
|
||||||
If `-` is passed, this type's `stdin` will be used.
|
|
||||||
|
|
||||||
user
|
|
||||||
The user under which the service will run. Defaults to `root`.
|
|
||||||
If this user is not `root` and `--do-not-manage-user` is not present,
|
|
||||||
this user will be created or removed as per the `--state` parameter.
|
|
||||||
|
|
||||||
user-home-dir
|
|
||||||
Does not have an effect if `--do-not-manage-user` is used or `--user` is
|
|
||||||
`root`.
|
|
||||||
The home directory of the service user. It will be created.
|
|
||||||
Defaults to `/nonexistent`, in this case the home directory will not be
|
|
||||||
created.
|
|
||||||
|
|
||||||
group
|
|
||||||
The group under which the service will run. Defaults to `--user`.
|
|
||||||
|
|
||||||
state
|
|
||||||
Whether the service is to be `present` (default) or `absent`.
|
|
||||||
When `absent`, this type will clean any binaries listed in `--extra-binary`
|
|
||||||
and also the config file as described in `--config-file-source`.
|
|
||||||
|
|
||||||
binary
|
|
||||||
This will be the binary name. Defaults to `${__object_id}`.
|
|
||||||
If `--unpack` is used, a binary with this name must be unpacked.
|
|
||||||
Otherwise, the contents of `--url` will be placed under this binary name.
|
|
||||||
|
|
||||||
env
|
|
||||||
An `env` file consiting of `ENVIRONMENT_VARIABLE=VALUE`, one variable per
|
|
||||||
line.
|
|
||||||
Empty lines and those starting with `#` are ignored.
|
|
||||||
|
|
||||||
service-args
|
|
||||||
Any extra arguments to pass along with `--service-exec`. Beware that any
|
|
||||||
service-args having the format `--config=/etc/foo.cfg` should be
|
|
||||||
represented in the following way `--service-exec='--config=/etc/foo.cfg'`
|
|
||||||
|
|
||||||
service-exec
|
|
||||||
The executable to use for this service.
|
|
||||||
Defaults to `/usr/local/bin/BINARY_NAME` where `BINARY_NAME` is the
|
|
||||||
resulting value of `--binary`.
|
|
||||||
|
|
||||||
service-definition
|
|
||||||
The service definition to be used as an override.
|
|
||||||
Note that this type decides dinammically between runit and systemd, and
|
|
||||||
you can currently only define either a systemd unit or a runit script here.
|
|
||||||
Use this parameter only for testing and get in touch to discuss how your
|
|
||||||
particular use-case can be supported by the type.
|
|
||||||
|
|
||||||
service-description
|
|
||||||
The service description to be used in, e.g. the systemd unit file.
|
|
||||||
Defaults to `cdist-managed '${__object_id}' service`.
|
|
||||||
|
|
||||||
unpack-args
|
|
||||||
Only has an effect if `--unpack` is used.
|
|
||||||
These arguments will be passed verbatim to `__unpack(7)`.
|
|
||||||
Very useful as this type assumes the archive does not have the binaries in
|
|
||||||
subdirectories; that can be worked around with
|
|
||||||
`--unpack-args '--tar-strip 1'`.
|
|
||||||
|
|
||||||
unpack-extension
|
|
||||||
Only has an effect if `--unpack` is used.
|
|
||||||
The file extension of the file to unpack, defaults to `.tar.gz`.
|
|
||||||
|
|
||||||
working-directory
|
|
||||||
If set, the working directory with which the service will be started.
|
|
||||||
|
|
||||||
|
|
||||||
OPTIONAL MULTIPLE PARAMETERS
|
|
||||||
----------------------------
|
|
||||||
extra-binary
|
|
||||||
Only useful with `--unpack`.
|
|
||||||
If passed, these binaries will also be installed when `--state` is `present`
|
|
||||||
and removed when `--state` is `absent`.
|
|
||||||
Handle with care :-).
|
|
||||||
|
|
||||||
|
|
||||||
EXAMPLES
|
|
||||||
--------
|
|
||||||
|
|
||||||
.. code-block:: sh
|
|
||||||
|
|
||||||
# Install and enable the ipmi_exporter service
|
|
||||||
# The variables are defined in the manifest previously
|
|
||||||
__single_binary_service ipmi_exporter \
|
|
||||||
--user "${USER}" \
|
|
||||||
--service-args ' --config.file=/etc/ipmi_exporter.conf' \
|
|
||||||
--version "${SHOULD_VERSION}" \
|
|
||||||
--checksum "${CHECKSUM}" \
|
|
||||||
--url "${DOWNLOAD_URL}" \
|
|
||||||
--state "present" \
|
|
||||||
--unpack \
|
|
||||||
--unpack-args "--tar-strip 1" \
|
|
||||||
--config-file-source '-' <<-EOF
|
|
||||||
# Remotely managed, changes will be lost
|
|
||||||
# [...] config contents goes here
|
|
||||||
EOF
|
|
||||||
|
|
||||||
# Remove the ipmi_exporter service along with the user and its config
|
|
||||||
__single_binary_service ipmi_exporter \
|
|
||||||
--user "${USER}" \
|
|
||||||
--version "${SHOULD_VERSION}" \
|
|
||||||
--checksum "${CHECKSUM}" \
|
|
||||||
--url "${DOWNLOAD_URL}" \
|
|
||||||
--state "absent"
|
|
||||||
|
|
||||||
# Same, but the service was using my user! Let's not delete that!
|
|
||||||
__single_binary_service ipmi_exporter \
|
|
||||||
--user "evilham" \
|
|
||||||
--do-not-manage-user \
|
|
||||||
--version "${SHOULD_VERSION}" \
|
|
||||||
--checksum "${CHECKSUM}" \
|
|
||||||
--url "${DOWNLOAD_URL}" \
|
|
||||||
--state "absent"
|
|
||||||
|
|
||||||
|
|
||||||
SEE ALSO
|
|
||||||
--------
|
|
||||||
- `__download(7)`
|
|
||||||
- `__unpack(7)`
|
|
||||||
|
|
||||||
|
|
||||||
AUTHORS
|
|
||||||
-------
|
|
||||||
Evilham <contact@evilham.com>
|
|
||||||
|
|
||||||
|
|
||||||
COPYING
|
|
||||||
-------
|
|
||||||
Copyright \(C) 2022 Evilham.
|
|
|
@ -1,305 +0,0 @@
|
||||||
#!/bin/sh -e
|
|
||||||
SERVICE_NAME="${__object_id}"
|
|
||||||
|
|
||||||
OS="$(cat "${__global}/explorer/os")"
|
|
||||||
|
|
||||||
case "${OS}" in
|
|
||||||
debian|devuan)
|
|
||||||
SUPER_USER_GROUP=root
|
|
||||||
ETC_DIR="/etc"
|
|
||||||
;;
|
|
||||||
*bsd)
|
|
||||||
SUPER_USER_GROUP=wheel
|
|
||||||
ETC_DIR="/usr/local/etc"
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo "Your OS '${OS}' is currently not supported." >&2
|
|
||||||
exit 1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
INIT="$(cat "${__global}/explorer/init")"
|
|
||||||
|
|
||||||
case "${INIT}" in
|
|
||||||
systemd)
|
|
||||||
service_definition_require="__systemd_unit/${SERVICE_NAME}.service"
|
|
||||||
service_command="service ${SERVICE_NAME} %s"
|
|
||||||
;;
|
|
||||||
runit|sysvinit)
|
|
||||||
# We will use runit to manage these services
|
|
||||||
__runit
|
|
||||||
export require="__runit"
|
|
||||||
service_definition_require="__runit_service/${SERVICE_NAME}"
|
|
||||||
service_command="sv %s ${SERVICE_NAME}"
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo "Init system ${INIT}' is currently not supported." >&2
|
|
||||||
exit 1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
BIN_DIR="/usr/local/bin"
|
|
||||||
|
|
||||||
# Ensure the target bin dir exists
|
|
||||||
# Care, we never want to remove it :-D
|
|
||||||
__directory "${BIN_DIR}" \
|
|
||||||
--state "exists" \
|
|
||||||
--mode 0755
|
|
||||||
export require="${require} __directory${BIN_DIR}"
|
|
||||||
|
|
||||||
STATE="$(cat "${__object}/parameter/state")"
|
|
||||||
USER="$(cat "${__object}/parameter/user")"
|
|
||||||
GROUP="$(cat "${__object}/parameter/group" 2>/dev/null || true)"
|
|
||||||
if [ -z "${GROUP}" ]; then
|
|
||||||
if [ "${USER}" != "root" ]; then
|
|
||||||
GROUP="${USER}"
|
|
||||||
else
|
|
||||||
GROUP="${SUPER_USER_GROUP}"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
|
||||||
BINARY="$(cat "${__object}/parameter/binary" 2>/dev/null || true)"
|
|
||||||
if [ -z "${BINARY}" ]; then
|
|
||||||
BINARY="${SERVICE_NAME}"
|
|
||||||
fi
|
|
||||||
EXTRA_BINARIES="$(cat "${__object}/parameter/extra-binary" 2>/dev/null || true)"
|
|
||||||
# This only makes sense for file archives
|
|
||||||
if [ -n "${EXTRA_BINARIES}" ] && [ -f "${__object}/parameter/unpack" ]; then
|
|
||||||
cat >&2 <<-EOF
|
|
||||||
You cannot specify extra binaries without the --unpack argument.
|
|
||||||
Make sure that the --url argument points to a file archive.
|
|
||||||
EOF
|
|
||||||
fi
|
|
||||||
|
|
||||||
SERVICE_EXEC="$(cat "${__object}/parameter/service-exec" 2>/dev/null || true)"
|
|
||||||
if [ -z "${SERVICE_EXEC}" ]; then
|
|
||||||
SERVICE_EXEC="${BIN_DIR}/${BINARY}"
|
|
||||||
fi
|
|
||||||
SERVICE_ARGS="$(cat "${__object}/parameter/service-args")"
|
|
||||||
SERVICE_EXEC="${SERVICE_EXEC} ${SERVICE_ARGS}"
|
|
||||||
|
|
||||||
SERVICE_DESCRIPTION="$(cat "${__object}/parameter/service-description" \
|
|
||||||
2>/dev/null || true)"
|
|
||||||
if [ -z "${SERVICE_DESCRIPTION}" ]; then
|
|
||||||
SERVICE_DESCRIPTION="cdist-managed '${SERVICE_NAME}' service"
|
|
||||||
fi
|
|
||||||
|
|
||||||
SERVICE_DEFINITION="$(cat "${__object}/parameter/service-definition" 2>/dev/null || true)"
|
|
||||||
|
|
||||||
WORKING_DIRECTORY_PATH="$(cat "${__object}/parameter/working-directory" 2>/dev/null || true)"
|
|
||||||
if [ -n "${WORKING_DIRECTORY_PATH}" ]; then
|
|
||||||
WORKING_DIRECTORY_SYSTEMD="WorkingDirectory=${WORKING_DIRECTORY_PATH}"
|
|
||||||
WORKING_DIRECTORY_RUNIT="cd '${WORKING_DIRECTORY_PATH}'"
|
|
||||||
fi
|
|
||||||
|
|
||||||
DOWNLOAD_URL="$(cat "${__object}/parameter/url")"
|
|
||||||
CHECKSUM="$(cat "${__object}/parameter/checksum")"
|
|
||||||
SHOULD_VERSION="$(cat "${__object}/parameter/version")"
|
|
||||||
|
|
||||||
# Create a user for the service if it is not root
|
|
||||||
USER_HOME_DIR="/root"
|
|
||||||
if [ "${USER}" != "root" ] && \
|
|
||||||
[ ! -f "${__object}/parameter/do-not-manage-user" ]; then
|
|
||||||
if [ "${STATE}" = "absent" ]; then
|
|
||||||
# When removing, ensure user is not being used
|
|
||||||
user_require="${service_definition_require}"
|
|
||||||
fi
|
|
||||||
USER_HOME_DIR="$(cat "${__object}/parameter/user-home-dir")"
|
|
||||||
if [ "${USER_HOME_DIR}" != "/nonexistent" ]; then
|
|
||||||
USER_CREATE_HOME="--create-home"
|
|
||||||
fi
|
|
||||||
require="${require} ${user_require}" __user "${USER}" \
|
|
||||||
--system \
|
|
||||||
--state "${STATE}" \
|
|
||||||
--home "${USER_HOME_DIR}" \
|
|
||||||
--comment "cdist-managed service user" \
|
|
||||||
${USER_CREATE_HOME}
|
|
||||||
# Track dependencies
|
|
||||||
service_require="${service_require} __user/${USER}"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Place config file if necessary
|
|
||||||
CONFIG_FILE_DEST="${ETC_DIR}/${SERVICE_NAME}.conf"
|
|
||||||
CONFIG_FILE_SOURCE="$(cat "${__object}/parameter/config-file-source" 2>/dev/null || true)"
|
|
||||||
if [ "${CONFIG_FILE_SOURCE}" = "-" ]; then
|
|
||||||
CONFIG_FILE_SOURCE="${__object}/stdin"
|
|
||||||
fi
|
|
||||||
if [ -n "${CONFIG_FILE_SOURCE}" ] && [ "${STATE}" = "present" ]; then
|
|
||||||
require="${require} __user/${USER}" __file \
|
|
||||||
"${CONFIG_FILE_DEST}" \
|
|
||||||
--owner "${USER}" \
|
|
||||||
--group "${GROUP}" \
|
|
||||||
--mode "0440" \
|
|
||||||
--source "${CONFIG_FILE_SOURCE}"
|
|
||||||
service_require="${service_require} __file${CONFIG_FILE_DEST}"
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# These messages will trigger a service restart (overridden for systemd)
|
|
||||||
service_config_reload_pattern="^__file${CONFIG_FILE_DEST}"
|
|
||||||
|
|
||||||
# This should setup the object in $service_definition_require
|
|
||||||
# See above.
|
|
||||||
case "${INIT}" in
|
|
||||||
systemd)
|
|
||||||
if [ -z "${SERVICE_DEFINITION}" ]; then
|
|
||||||
SYSTEMD_ENV_FILE="/etc/systemd/system/${SERVICE_NAME}.env"
|
|
||||||
__file "${SYSTEMD_ENV_FILE}" \
|
|
||||||
--mode 0400 \
|
|
||||||
--source "${__object}/parameter/env"
|
|
||||||
# We need to take into account the envionment file for systemd too
|
|
||||||
service_config_reload_pattern="(${service_config_reload_pattern}|^__file${SYSTEMD_ENV_FILE})"
|
|
||||||
|
|
||||||
SERVICE_DEFINITION="$(cat <<EOF
|
|
||||||
[Unit]
|
|
||||||
Description=${SERVICE_DESCRIPTION}
|
|
||||||
After=network.target
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=simple
|
|
||||||
|
|
||||||
User=${USER}
|
|
||||||
Group=${GROUP}
|
|
||||||
ExecStart=${SERVICE_EXEC}
|
|
||||||
Restart=always
|
|
||||||
EnvironmentFile=${SYSTEMD_ENV_FILE}
|
|
||||||
${WORKING_DIRECTORY_SYSTEMD}
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
||||||
EOF
|
|
||||||
)"
|
|
||||||
fi
|
|
||||||
__systemd_unit "${SERVICE_NAME}.service" \
|
|
||||||
--source "-" \
|
|
||||||
--state "${STATE}" \
|
|
||||||
--enablement-state "enabled" <<EOF
|
|
||||||
${SERVICE_DEFINITION}
|
|
||||||
EOF
|
|
||||||
;;
|
|
||||||
runit|sysvinit)
|
|
||||||
if [ -z "${SERVICE_DEFINITION}" ]; then
|
|
||||||
RUNIT_ENV="$(sed -Ee 's!^([[:alnum:]_]+)=(.*)$!export \1=\2!' "${__object}/parameter/env")"
|
|
||||||
SERVICE_DEFINITION="$(cat <<EOF
|
|
||||||
#!/bin/sh -e
|
|
||||||
${WORKING_DIRECTORY_RUNIT}
|
|
||||||
# User-provided environment
|
|
||||||
${RUNIT_ENV}
|
|
||||||
# System vars
|
|
||||||
export HOME="\$(getent passwd '${USER}' | cut -d: -f6)"
|
|
||||||
export USER="${USER}"
|
|
||||||
export GROUP="${GROUP}"
|
|
||||||
|
|
||||||
exec 2>&1
|
|
||||||
exec chpst -u "${USER}:${GROUP}" ${SERVICE_EXEC}
|
|
||||||
EOF
|
|
||||||
)"
|
|
||||||
fi
|
|
||||||
__runit_service "${SERVICE_NAME}" \
|
|
||||||
--state "${STATE}" \
|
|
||||||
--log \
|
|
||||||
--source - <<EOF
|
|
||||||
${SERVICE_DEFINITION}
|
|
||||||
EOF
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
service_require="${service_require} ${service_definition_require}"
|
|
||||||
|
|
||||||
# Proceed after user and service description have been prepared
|
|
||||||
export require="${require} ${service_require}"
|
|
||||||
|
|
||||||
VERSION_FILE="${BIN_DIR}/.${SERVICE_NAME}.cdist.version"
|
|
||||||
IS_VERSION="$(cat "${__object}/explorer/explorer-version")"
|
|
||||||
|
|
||||||
|
|
||||||
if [ "${STATE}" = "absent" ]; then
|
|
||||||
# Perform cleanup of generated files
|
|
||||||
for bin_file in ${BINARY} ${EXTRA_BINARIES}; do
|
|
||||||
__file "${BIN_DIR}/${bin_file}" --state "absent"
|
|
||||||
done
|
|
||||||
__file "${VERSION_FILE}" --state "absent"
|
|
||||||
__file "${CONFIG_FILE_DEST}" --state "absent"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "${STATE}" != "present" ]; then
|
|
||||||
exit
|
|
||||||
fi
|
|
||||||
|
|
||||||
sv_cmd() {
|
|
||||||
# This is intentional
|
|
||||||
# shellcheck disable=SC2059
|
|
||||||
printf "${service_command}" "$1"
|
|
||||||
}
|
|
||||||
|
|
||||||
if [ "${SHOULD_VERSION}" != "${IS_VERSION}" ]; then
|
|
||||||
# We are installing the service and there has been a version change
|
|
||||||
# (or it is first-time install)
|
|
||||||
TMP_PATH="/tmp/${SERVICE_NAME}-${SHOULD_VERSION}"
|
|
||||||
|
|
||||||
# This is what will stop the service, replace the binaries and
|
|
||||||
# start the service again
|
|
||||||
perform_service_upgrade="$(cat <<EOF
|
|
||||||
$(sv_cmd stop) || true
|
|
||||||
if [ -f '${TMP_PATH}' ]; then
|
|
||||||
chown root:${SUPER_USER_GROUP} '${TMP_PATH}'
|
|
||||||
chmod 0555 '${TMP_PATH}'
|
|
||||||
cp -af '${TMP_PATH}' '${BIN_DIR}/${BINARY}'
|
|
||||||
else
|
|
||||||
for bin_file in ${BINARY} ${EXTRA_BINARIES}; do
|
|
||||||
bin_path="${TMP_PATH}/\${bin_file}"
|
|
||||||
chown root:${SUPER_USER_GROUP} "\${bin_path}"
|
|
||||||
chmod 0555 "\${bin_path}"
|
|
||||||
cp -af "\${bin_path}" "${BIN_DIR}/\${bin_file}"
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
$(sv_cmd start) || true
|
|
||||||
EOF
|
|
||||||
)"
|
|
||||||
|
|
||||||
if [ -f "${__object}/parameter/unpack" ]; then
|
|
||||||
UNPACK_EXTENSION="$(cat "${__object}/parameter/unpack-extension")"
|
|
||||||
UNPACK_ARGS="$(cat "${__object}/parameter/unpack-args" \
|
|
||||||
2>/dev/null || true)"
|
|
||||||
# Download packed file
|
|
||||||
__download "${TMP_PATH}${UNPACK_EXTENSION}" \
|
|
||||||
--url "${DOWNLOAD_URL}" \
|
|
||||||
--download remote \
|
|
||||||
--sum "${CHECKSUM}"
|
|
||||||
|
|
||||||
# Unpack file and also perform service upgrade
|
|
||||||
# shellcheck disable=SC2086
|
|
||||||
require="__download${TMP_PATH}${UNPACK_EXTENSION}" \
|
|
||||||
__unpack "${TMP_PATH}${UNPACK_EXTENSION}" \
|
|
||||||
${UNPACK_ARGS} \
|
|
||||||
--destination "${TMP_PATH}"
|
|
||||||
version_bump_require="__unpack${TMP_PATH}${UNPACK_EXTENSION}"
|
|
||||||
else
|
|
||||||
# Create temp directory
|
|
||||||
__directory "${TMP_PATH}"
|
|
||||||
# Download binary directoy to the temp directory with the
|
|
||||||
# specified binary name
|
|
||||||
require="__directory${TMP_PATH}" __download \
|
|
||||||
"${TMP_PATH}/${BINARY}" \
|
|
||||||
--url "${DOWNLOAD_URL}" \
|
|
||||||
--download remote \
|
|
||||||
--sum "${CHECKSUM}"
|
|
||||||
version_bump_require="__download${TMP_PATH}/${BINARY}"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Perform update of cdist-managed version file
|
|
||||||
# And also perform service upgrade
|
|
||||||
# This is a bug if service_upgrade fails >,<
|
|
||||||
printf "%s" "${SHOULD_VERSION}" | \
|
|
||||||
require="${version_bump_require}" __file \
|
|
||||||
"${VERSION_FILE}" \
|
|
||||||
--onchange "${perform_service_upgrade}" \
|
|
||||||
--source "-"
|
|
||||||
else
|
|
||||||
# We only restart here if there was a config or env change
|
|
||||||
# but there was not a version change
|
|
||||||
require="${service_require}" __check_messages \
|
|
||||||
"single_binary_service_${__object_id}" \
|
|
||||||
--pattern "${service_config_reload_pattern}" \
|
|
||||||
--execute "$(sv_cmd restart)"
|
|
||||||
fi
|
|
|
@ -1,2 +0,0 @@
|
||||||
do-not-manage-user
|
|
||||||
unpack
|
|
|
@ -1 +0,0 @@
|
||||||
present
|
|
|
@ -1 +0,0 @@
|
||||||
.tar.gz
|
|
|
@ -1 +0,0 @@
|
||||||
root
|
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue