Compare commits


28 Commits

Author SHA1 Message Date
evilham 11ecb37dd9
[__jitsi_meet] Add --abort-conference-count parameter
Only has an effect if the prometheus exporter is enabled and if it is not
empty (default).
If at least this many conferences are active on the server, the type will
bail out before making any changes.
This is useful if you want to avoid service disruptions due to e.g. an SLA.

Sponsored by:	camilion.eu
2022-06-21 11:19:11 +02:00
evilham 03a9b8b333
[__jitsi_meet*] Update to 2.0.7439-1
Changelog:	https://github.com/jitsi/jitsi-meet-release-notes/blob/master/CHANGELOG-WEB.md#207439-2022-06-17

Sponsored by:	camilion.eu, eXO.cat
2022-06-21 11:12:27 +02:00
evilham 7a3b706b16
[__jitsi_meet*] Update to 2.0.7416-1
Changelog:	https://github.com/jitsi/jitsi-meet-release-notes/blob/master/CHANGELOG-WEB.md#207416-2022-06-16

Sponsored by:	camilion.eu, eXO.cat
2022-06-16 17:43:30 +02:00
evilham 756e5b17c6
[__jitsi_meet*] Update to 2.0.7287-1
Sponsored by:	camilion.eu, eXO.cat
2022-06-07 15:00:00 +02:00
evilham 797f7c8648
[__jitsi_meet] Improve manpage regarding ufw and SSH
This documents the fact that this type does not make decisions about anything
other than Jitsi-Meet itself and therefore care should be taken with the SSH
port.

Related to:	ungleich-public/cdist-contrib#23
Reported by:	@pedro
2022-05-08 21:47:26 +02:00
evilham 1791d35f84
[__jitsi_meet_domain] Add a muc_room_cache_size for jibri
@pedro is working on this and this change matched my workflow better :-)
2022-04-28 17:43:33 +02:00
evilham 8e1d0b68f1
[__jitsi_meet*] Add new parameters for heavier branding
This uses nginx' server-side includes, so each domain configured by
`__jitsi_meet_domain` can have its own customisation.

Note that the customisation file must exist for each domain;
`__jitsi_meet_domain` takes care of that already.

Sponsored by:   camilion.eu, eXO.cat
2022-04-28 17:42:30 +02:00
evilham aa3f2eeb00
[__jitsi_meet_domain] Make shellcheck happy and fix escaping issue
The escaping issue was overlooked because it was in a comment block; it wasn't
relevant.

No functional changes intended.

Sponsored by:   camilion.eu, eXO.cat
2022-04-28 17:34:32 +02:00
evilham a63d9ec458
[__jitsi_meet] Configure jicofo so metrics are more useful
By default the REST API provided by jicofo is less useful than desired.
This is a tad under-documented, so finding the right settings was tricky :-).

Sponsored by:   camilion.eu, eXO.cat
2022-04-28 17:32:15 +02:00
evilham 0cff414884
[__jitsi_meet] Simplify exporter logic and update it to 1.2.0
This uses the newly merged __single_binary_service and:

- Fixes the bug where once added, the exporter could not be removed
- Simplifies keeping it up to date

Sponsored by:   camilion.eu, eXO.cat
2022-04-28 17:28:46 +02:00
evilham 977b530dab
[__single_binary_service] Update manpage to remove __evilham prefix
2022-04-28 17:22:19 +02:00
evilham 1865ff9dce
Add 'type/__single_binary_service/' from commit '1af7e960fa882efc7202cad5cc01d3136886fa0a'
git-subtree-dir: type/__single_binary_service
git-subtree-mainline: 67bc8aa02b
git-subtree-split: 1af7e960fa
2022-04-28 17:20:02 +02:00
fnux 67bc8aa02b
__uacme_obtain: allow use of stdin with the --renew-hook parameter
2022-04-25 17:10:50 +02:00
evilham 151dc32fb5
[__jitsi_meet*] Add support for simultaneous interpretations
By using https://gitlab.com/mfmt/jsi which consists of very small and simple
static files, we enable interpretations by default.

With this commit, any DOMAIN created with __jitsi_meet_domain will serve jsi on
https://DOMAIN/i/ and any ROOM can be used with simultaneous interpretation on
https://DOMAIN/i/ROOM

Sponsored by:   camilion.eu, eXO.cat
2022-04-21 19:46:03 +02:00
evilham 7e2ba98d36
[__jitsi_meet] Fix issue with jicofo memory adaptation
That was being a bit of a mess.

Sponsored by:   camilion.eu, eXO.cat
2022-04-21 17:52:49 +02:00
evilham 1658121549
[__jitsi_meet*] Update to 2.0.7210
While there, make things a tad easier to maintain.

Note that in this version, jitsi switches to using nginx upstreams; it shouldn't
be relevant for instances fully managed with these types.

Sponsored by:   camilion.eu, eXO.cat
2022-04-21 15:52:47 +02:00
evilham c5070a3a33
[__jitsi_meet] Fix adjustment of jicofo's max memory
Leftover from last commit >,<

Sponsored by:   camilion.eu, eXO.cat
2022-04-21 14:44:10 +02:00
evilham 80bbbd3aa8
[__jitsi_meet] Adapt jicofo and videobridge memory usage
This enables us to set up smaller jitsi instances that work reliably.

We set 3 thresholds:
- < 3G RAM: use 0.75G max memory
- < 5G RAM: use 1G max memory
- < 8G RAM: use 2G max memory
- >= 8G RAM: use 3G max memory (jitsi's default)

For more information as to why and how this is done, see:
https://gitlab.com/guifi-exo/projectes/-/issues/318
https://github.com/jitsi/jitsi-meet/issues/6589
as investigated back in the day by @pedro

Sponsored by:   camilion.eu, eXO.cat
2022-04-21 14:37:08 +02:00
evilham 87cc109bf1
[__jitsi_meet*] Make rooms on different domains not equivalent
This is a backwards-compatible change.

We switch the approach from "treat all domains as if they were the main domain"
to: "each domain has its own prosody settings".

This works perfectly fine, even with secured domains.

There is a caveat with secured domains, in that they use the main domain to log
in; this means that users are shared across all domains (as they were before
this commit).

This is due to jicofo refusing to start meetings from a domain that is not
configured, and it only accepting one domain.

Right now, this is acceptable, however we could want to authenticate against
e.g. different LDAP / IMAP servers in the future, so this would need addressing
at that stage.

Probably the best way to solve it is by patching jicofo, so it accepts starting
conferences from multiple domains and getting that patch upstream.

Sponsored by:   camilion.eu, eXO.cat
2022-04-21 13:20:30 +02:00
evilham a12b343660
[__jitsi_meet_domain] Add analytics settings parameter
With this, admins can take advantage of e.g. matomo to have some usage
statistics.

The parameter defaults to `disabled: true`, which is the most privacy-friendly!

Sponsored by:   camilion.eu
2022-04-21 13:13:12 +02:00
evilham 29cafd4f9a
[__jitsi_meet_domain] Simplify logic for secured domains
2022-04-16 13:22:16 +02:00
evilham fa37ede84f
[__jitsi_meet] Unconfuse jitsi-version and secured domains
Closes #14 by committing to keeping the package up to date as promptly as
possible; else weird things happen and there are no real good solutions for
this. E.g. we have seen in the past that due to security issues, a jitsi
dependency needs to be upgraded, but some package that jitsi-meet depends upon
also has an upper limit on that package's version.

A note was added to the manpage in order to make it explicit that maintenance of
this type can be sponsored to ensure its proper functioning.

Closes #15 by using `__file`. This will also allow us to have more control over
jicofo's settings, which might be important when we start doing recordings.

Sponsored by:	lafede.cat
2022-04-10 19:45:08 +02:00
evilham 1af7e960fa
[__single_binary_service] Many improvements + runit support
Amongst other things, compressed files can be of a type other than .tar.gz (it
remains the default) and we now properly support runit services, FreeBSD and
Devuan.
2021-10-30 15:38:26 +02:00
evilham 3e77fbbb43
[__single_binary_service] Do not use echo echo echo
2021-08-04 21:02:37 +02:00
evilham afa48b1028
[__single_binary_service] Support customisation of systemd units
Requested by pedro
2021-08-04 21:00:52 +02:00
evilham c5929f397d
[__single_binary_service] Adapt bug fixes proposed by pedro
There are several typos, some style issues and now there is at most one service
restart in all cases.

Submitted by:   pedro <git2021@cas.cat>
2021-08-04 20:27:08 +02:00
evilham d5b552ddb4
[__single_binary_service] Add manpage, config-file and better absent
With these changes the type is good for general consumption (modulo the
limitations mentioned in the manpage under TODO).
2021-06-18 22:01:45 +02:00
evilham 51d0b817fe
[__single_binary_service] Type to manage very simple services.
2021-06-18 20:52:58 +02:00
42 changed files with 1637 additions and 240 deletions


@ -0,0 +1,15 @@
#!/bin/sh -eu
JICOFO="/usr/share/jicofo/jicofo.sh"
VIDEOBRIDGE="/usr/share/jitsi-videobridge/lib/videobridge.rc"
if [ -f "${JICOFO:?}" ]; then
jicofo_memory="$(grep JICOFO_MAX_MEMORY= "${JICOFO:?}" | cut -d= -f 2 | cut -d ";" -f 1)"
fi
if [ -f "${VIDEOBRIDGE:?}" ]; then
vb_memory="$(grep VIDEOBRIDGE_MAX_MEMORY= "${VIDEOBRIDGE:?}" | cut -d= -f 2)"
fi
cat <<EOF
jicofo ${jicofo_memory:-n/a}
videobridge ${vb_memory:-n/a}
EOF
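Review bot: the `grep JICOFO_MAX_MEMORY=` and `grep VIDEOBRIDGE_MAX_MEMORY=` patterns are unanchored, so a commented-out line such as `#VIDEOBRIDGE_MAX_MEMORY=3072m` or any second occurrence in the file is reported as well, and a multi-line result is later compared line by line by `cut -f 2 ... | grep -qvE "^${MAX_MEMORY}$"` in gencode-remote, which can trigger needless rewrites and restarts. Anchor the pattern (e.g. `grep -E '^[[:space:]]*#?[[:space:]]*VIDEOBRIDGE_MAX_MEMORY='`) and keep only the first match (`| head -n 1`) so each service yields exactly one value; a comment stating that a commented-out default is deliberately reported as the effective value (the sed in gencode-remote handles that case) would make the intent clear.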


@ -0,0 +1,6 @@
#!/bin/sh -eu
if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then
# TODO: detect curl / depend on it?
curl -s localhost:9888/metrics
fi
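Review bot: with `sh -eu`, a failing `curl` aborts the explorer and with it the whole run: on a fresh host the exporter is not installed yet (and curl itself may be absent, which is exit 127), and a hung exporter would block with no timeout. Decide explicitly whether the guard fails open or closed; `command -v curl >/dev/null || exit 0` followed by `curl -sf --max-time 5 http://localhost:9888/metrics || true` yields empty output, which the manifest already treats as "no count available" and matches the documented "only has an effect if the prometheus exporter is enabled" behaviour. That also resolves the `TODO: detect curl` comment.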


@ -1,7 +0,0 @@
#!/bin/sh -e
EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version"
if [ -f "${EXPORTER_VERSION_FILE}" ]; then
cat "${EXPORTER_VERSION_FILE}"
fi


@ -0,0 +1,34 @@
#!/bin/sh -eu
# Start
cat <<EOF
# Managed remotely, changes will be lost
# Jicofo HOCON configuration. See /usr/share/jicofo/jicofo.jar/reference.conf for
#available options, syntax, and default values.
jicofo {
xmpp: {
client: {
client-proxy: focus.${JITSI_HOST:?}
}
trusted-domains: [ "recorder.${JITSI_HOST:?}" ]
}
bridge: {
brewery-jid: "JvbBrewery@internal.auth.${JITSI_HOST:?}"
}
EOF
# Secured domains if needed
if [ "${SECURED_DOMAINS_STATE:?}" = "present" ]; then
cat <<EOF
authentication: {
enabled: true
type: XMPP
login-url: ${JITSI_HOST:?}
}
EOF
fi
# End
echo '}'
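Review bot: the header comment `#available options, syntax, and default values.` is missing the space after `#`, and the file is written verbatim to the target. Also worth a comment at the top: both heredocs are unquoted, so `${JITSI_HOST:?}` expands as intended but any literal `$` added to the HOCON later will be expanded by the shell too.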


@ -0,0 +1 @@
../../__jitsi_meet_domain/files/jitsi-version


@ -0,0 +1 @@
../../__jitsi_meet_domain/files/prosody.cfg.lua.sh


@ -1,11 +1,43 @@
#!/bin/sh -e
memory="$(cat "${__global}/explorer/memory")"
G="000000" # Will totally eff up the zero-count otherwise
# MAX_MEMORY will affect jicofo and videobridge
# As a rule of thumb, the machine's RAM should be more than 2.5 * MAX_MEMORY
if [ "${memory}" -lt "3${G}" ]; then
# If you use this, let us know how it works!
MAX_MEMORY="768m"
elif [ "${memory}" -lt "5${G}" ]; then
MAX_MEMORY="1024m"
elif [ "${memory}" -lt "8${G}" ]; then
MAX_MEMORY="2048m"
else
# Jitsi recommends running on 8G RAM and these are the defaults
MAX_MEMORY="3072m"
fi
if cut -f 2 "${__object}/explorer/configured-memory" | grep -qvE "^${MAX_MEMORY}$"; then
# At least one service has different memory settings
RESTART_SERVICES="YES"
cat <<-EOF
sed -i.tmp -E \
-e 's!^(#[[:space:]]*)?(VIDEOBRIDGE_MAX_MEMORY)=.*\$!\2=${MAX_MEMORY}!' \
/usr/share/jitsi-videobridge/lib/videobridge.rc
sed -i.tmp -E \
-e 's!(JICOFO_MAX_MEMORY)[^";]+;!\1=${MAX_MEMORY};!' \
/usr/share/jicofo/jicofo.sh
EOF
fi
if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
echo "service nginx reload"
fi
JITSI_HOST="${__object_id}"
if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua)" "${__messages_in}"; then
if grep -qE "^(__line/jitsi_jicofo_secured_domains|(__file|__link)/etc/prosody/conf.d/|__file/etc/jitsi/(jicofo/jicofo.conf|videobridge/jvb.conf))" "${__messages_in}"; then
RESTART_SERVICES="YES"
fi
if [ -n "${RESTART_SERVICES}" ]; then
echo "systemctl restart prosody"
echo "systemctl restart jicofo"
echo "systemctl restart jitsi-videobridge2"
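Review bot: the generated `sed -i.tmp` commands leave `videobridge.rc.tmp` and `jicofo.sh.tmp` behind under `/usr/share` on every memory change; since only Debian/Devuan (GNU sed) are supported, `sed -i` without a suffix works, or remove the backups after the edit. The `G="000000"` trick implies the global `memory` explorer reports kilobytes; say so in the comment so the 3G/5G/8G thresholds from the commit message can be checked against the code. Finally, `RESTART_SERVICES` is only assigned when a change is detected and the script runs with `-e` but not `-u`, so `[ -n "${RESTART_SERVICES}" ]` is safe today; initialise it to `""` at the top so adding `-u` (as the explorers use) does not break it.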


@ -21,13 +21,24 @@ You will also need the `__jitsi_meet_domain` type in order to finish setting up
the web frontend (including TLS certificates) and its settings.
You may want to use the `files/ufw` example manifest for a `__ufw`-based
firewall compatible with this type.
This file does not include rules for TCP port 9888, which exposes the
prometheus exporter if not disabled.
You should apply your own rules here.
firewall compatible with this type that allows all ports needed by Jitsi-Meet.
Note however that this will not deal with rules for SSH or for TCP port 9888,
which exposes the prometheus exporter if not disabled.
Remember to apply your own rules here, particularly regarding SSH.
This type only works on De{bi,vu}an systems.
It is very important for this type to stay up to date with the software, as
otherwise new deployments or maintenance of existing instances might be
negatively affected.
If you can, please contribute updates to `__jitsi_meet` and
`__jitsi_meet_domain` promptly and regularly.
Alternatively, you can help finance that work; get in touch with the type
authors for that (see below).
This type takes care of adapting the maximum memory used by jicofo and
videobridge in function of the hosts installed memory.
NOTE: This type currently does not deal with setting up coturn.
For that, you might want to check `__coturn` in
https://code.ungleich.ch/ungleich-public/cdist-contrib
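Review bot: "in function of the hosts installed memory" should read "as a function of the host's installed memory", and this is the place where operators will look for the behaviour, so list the thresholds gencode-remote applies (below 3G RAM: 768m, below 5G: 1024m, below 8G: 2048m, otherwise the 3072m default) and which files it edits (`/usr/share/jitsi-videobridge/lib/videobridge.rc`, `/usr/share/jicofo/jicofo.sh`) so the resulting restarts of prosody, jicofo and jitsi-videobridge2 are not a surprise.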
@ -36,6 +47,14 @@ NOTE: This type currently does not deal with setting up coturn.
OPTIONAL PARAMETERS
-------------------
abort-conference-count
Only has an effect if the prometheus exporter is enabled and if it is not
empty (default).
If at least this many conferences are active on the server, the type will
bail out before making any changes.
This is useful if you want to avoid service disruptions due to e.g. an SLA.
turn-secret
The shared secret for the TURN server.
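Review bot: the abort-conference-count entry should say where the count comes from and how it is compared: the manifest reads the `jitsi_conferences` metric from the exporter at `localhost:9888/metrics` and bails out when `count >= parameter`, so `--abort-conference-count 1` aborts whenever any conference is running. It should also mention that the target needs curl for the explorer that fetches the metric.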
@ -43,11 +62,6 @@ turn-server
The hostname of the TURN server.
This will assume that it is listening with TLS on port 443.
jitsi-version
The jitsi-meet version of the Debian package to be installed.
While this can be specified, only the default value is known to work
properly with this type.
BOOLEAN PARAMETERS
------------------
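Review bot: the jitsi-version documentation is removed here, but the parameter is still accepted (it remains in parameter/optional and the manifest still honours it with a "deprecated and will be removed" comment). Keep a one-line "deprecated" entry in the man page so users who still pass it learn that it is ignored in favour of `files/jitsi-version` and will disappear.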
@ -70,9 +84,11 @@ EXAMPLES
.. code-block:: sh
# Setup the firewall
# Setup the firewall for Jitsi-Meet
. "${__global}/type/__jitsi_meet/files/ufw"
export require="__ufw"
# Setup firewall SSH rules as necessary
__ufw_rule ssh --rule 'allow 22/tcp from 10.0.0.0/24'
# Setup Jitsi on this host
__jitsi_meet \
--turn-server "turn.exo.cat" \
@ -92,4 +108,4 @@ Evilham <contact@evilham.com>
COPYING
-------
Copyright \(C) 2021 Evilham.
Copyright \(C) 2022 Evilham.


@ -1,7 +1,6 @@
#!/bin/sh -e
os="$(cat "${__global}/explorer/os")"
init="$(cat "${__global}/explorer/init")"
case "${os}" in
devuan|debian)
;;
@ -11,10 +10,29 @@ case "${os}" in
;;
esac
current_conferences="$(cat "${__object}/explorer/jitsi-status" | grep -E "^jitsi_conferences[[:space:]]" | cut -d ' ' -f 2)"
ABORT_CONFERENCE_COUNT="$(cat "${__object}/parameter/abort-conference-count")"
if [ -n "${current_conferences}" ] && [ -n "${ABORT_CONFERENCE_COUNT}" ] && \
[ "${ABORT_CONFERENCE_COUNT}" -le "${current_conferences}" ]; then
cat <<-EOF
Early bail out was requested when at least ${ABORT_CONFERENCE_COUNT} conferences are taking place.
There are currently ${current_conferences} active conferences.
Try again at a later time or remove or increase --abort-conference-count
EOF
exit 1
fi
JITSI_HOST="${__target_host}"
# Currently unused, see below
# JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
if [ -f "${__object}/parameter/jitsi-version" ]; then
# This has been deprecated and will be removed 'soon'
JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
else
# Note this won't be a parameter anymore, we won't let users stay behind
JITSI_VERSION="$(cat "${__type}/files/jitsi-version")"
fi
TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
TURN_SECRET="$(cat "${__object}/parameter/turn-secret")"
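Review bot: `cat "${__object}/parameter/abort-conference-count"` runs unconditionally; unless the type ships an (empty) default for the parameter, `cat` fails on the missing file and, as the only command substitution in the assignment, takes the `sh -e` manifest down with it. Guard it with `[ -f ... ]` or ship the default. Also, `[ "${ABORT_CONFERENCE_COUNT}" -le "${current_conferences}" ]` errors on a non-numeric parameter value, so validate it (a `case` on digits) to give a clear message, and `cat ... | grep | cut` (SC2002) can simply be `grep -E '^jitsi_conferences[[:space:]]' "${__object}/explorer/jitsi-status" | cut -d ' ' -f 2`.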
@ -22,8 +40,6 @@ if [ -z "${TURN_SERVER}" ]; then
TURN_SERVER="${JITSI_HOST}"
fi
PROMETHEUS_JITSI_EXPORTER_IS_VERSION="$(cat "${__object}/explorer/prometheus-jitsi-meet-explorer-version")"
# The rest is loosely based on Jitsi's documentation
# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart
@ -55,11 +71,12 @@ __debconf_set_selections jitsi_meet --line "${DEBCONF_SETTINGS}"
export require="${require} __debconf_set_selections/jitsi_meet"
# Install and upgrade packages as needed
__package_apt jitsi-meet
# We are not doing version pinning anymore because it breaks when
# the version is not the latest.
# This happens because dependencies cannot be properly resolved.
# --version "${JITSI_VERSION}"
# NOTE: we are doing version pinning again, but it breaks sometimes when
# the version is not the latest.
# This happens because dependencies might not be properly resolved.
# To avoid this, this type must be maintained up to date.
# If we don't use this, keeping Jitsi's up to date is very difficult.
__package_apt jitsi-meet --version "${JITSI_VERSION}"
# Proceed only after installation/upgrade has finished
export require="__package_apt/jitsi-meet"
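Review bot: "keeping Jitsi's up to date" should be "keeping Jitsi up to date". More importantly, pinning with `--version "${JITSI_VERSION}"` means the installed jitsi-meet will not move past the value in `files/jitsi-version` even when upstream publishes security fixes; the man page already states the type must be kept current, and a comment here pointing at that and at `files/update` (which writes the version file) would make the consequence explicit to the next maintainer.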
@ -149,95 +166,144 @@ server {
}
EOF
if [ -f "${__object}/parameter/secured-domains" ]; then
SECURED_DOMAINS_STATE='present'
SECURED_DOMAINS_STATE_JICOFO='present'
else
SECURED_DOMAINS_STATE='absent'
SECURED_DOMAINS_STATE_JICOFO='absent'
fi
__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
--owner prosody --group prosody --mode 0440 \
--state ${SECURED_DOMAINS_STATE} \
--source - <<EOF
VirtualHost "${JITSI_HOST}"
authentication = "internal_plain"
VirtualHost "guest.${JITSI_HOST}"
authentication = "anonymous"
c2s_require_encryption = false
# Starting from 2.0.7210, jitsi defines following nginx upstreams
__directory "${NGINX_ETC}/conf.d" --state present
require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/prosody.conf" \
--mode 644 \
--source - << EOF
upstream prosody {
zone upstreams 64K;
server 127.0.0.1:5280;
keepalive 2;
}
EOF
require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/jvb1.conf" \
--mode 644 \
--source - << EOF
upstream jvb1 {
zone upstreams 64K;
server 127.0.0.1:9090;
keepalive 2;
}
EOF
__block jitsi_jicofo_secured_domains \
--prefix "// begin cdist: jicofo_secured_domains" \
--suffix "// end cdist: jicofo_secured_domains" \
--file /etc/jitsi/jicofo/jicofo.conf \
--state "${SECURED_DOMAINS_STATE_JICOFO}" \
--text '-' <<EOF
authentication: {
enabled: true
type: XMPP
login-url: ${JITSI_HOST}
}
if [ -f "${__object}/parameter/secured-domains" ]; then
SECURED_DOMAINS_STATE='present'
else
SECURED_DOMAINS_STATE='absent'
fi
# This is the main host config
PROSODY_MAIN_CONFIG="YES"
# Prosody settings for common components (jvb, focus, ...)
# shellcheck source=type/__jitsi_meet/files/prosody.cfg.lua.sh
. "${__type}/files/prosody.cfg.lua.sh" # This defines PROSODY_CONFIG
__file "/etc/prosody/conf.d/00_jitsi_base.cfg.lua" \
--group prosody \
--mode 0440 \
--source - <<EOF
${PROSODY_CONFIG}
EOF
# Clean up zauth.cfg.lua file, which we don't use now
__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
--state absent
export SECURED_DOMAINS_STATE
export JITSI_HOST
"${__type}/files/jicofo.conf.sh" | \
__file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-'
# Enable the private colibri REST API end point for better stats
__file "/etc/jitsi/videobridge/jvb.conf" --mode 0444 --source '-' <<EOFJVB
videobridge {
http-servers {
public {
port = 9090
}
private {
port = 8080
}
}
websockets {
enabled = true
domain = "${JITSI_HOST}:443"
tls = true
}
apis {
rest {
enabled = true
}
}
}
EOFJVB
# Enable simple per-domain body customisation
__file "/usr/share/jitsi-meet/body.html" \
--mode 0644 \
--source '-' <<EOF
<!--#include virtual="body-\${host}.html" -->
EOF
# These two should be changed on new release
PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5"
PROMETHEUS_JITSI_EXPORTER_CHECKSUM="sha256:3ddf43a48d9a2f62be1bc6db9e7ba75d61994f9423e5c5b28be019f41f06f745"
PROMETHEUS_JITSI_EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}/prometheus-jitsi-meet-exporter-linux-amd64"
PROMETHEUS_JITSI_EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version"
if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then
case "${init}" in
init|sysvinit)
__runit
require="__runit" __runit_service \
prometheus-jitsi-meet-exporter --log --source - <<EOF
#!/bin/sh -e
cd /tmp
exec chpst -u "nobody:nogroup" env HOME="/tmp" \\
prometheus-jitsi-meet-exporter \\
-videobridge-url 'http://localhost:8888/stats' \\
-web.listen-address ':9888' 2>&1
EOF
export require="__runit_service/prometheus-jitsi-meet-exporter"
JITSI_MEET_EXPORTER_SERVICE="sv %s prometheus-jitsi-meet-exporter"
;;
systemd)
__systemd_unit prometheus-jitsi-meet-exporter.service \
--source "-" \
--enablement-state "enabled" <<EOF
[Unit]
Description=Metrics Exporter for Jitsi Meet
After=network.target
[Service]
Type=simple
DynamicUser=yes
ExecStart=/usr/local/bin/prometheus-jitsi-meet-exporter -videobridge-url 'http://localhost:8888/stats' -web.listen-address ':9888'
Restart=always
[Install]
WantedBy=multi-user.target
EOF
export require="__systemd_unit/prometheus-jitsi-meet-exporter.service"
JITSI_MEET_EXPORTER_SERVICE="service prometheus-jitsi-meet-exporter %s"
;;
esac
if [ "${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}" != \
"${PROMETHEUS_JITSI_EXPORTER_IS_VERSION}" ]; then
# shellcheck disable=SC2059
__download \
/tmp/prometheus-jitsi-meet-exporter \
--url "${PROMETHEUS_JITSI_EXPORTER_URL}" \
--download remote \
--sum "${PROMETHEUS_JITSI_EXPORTER_CHECKSUM}" \
--onchange "$(printf "${JITSI_MEET_EXPORTER_SERVICE}" "stop") || true; chmod 555 /tmp/prometheus-jitsi-meet-exporter && mv /tmp/prometheus-jitsi-meet-exporter /usr/local/bin/prometheus-jitsi-meet-exporter && $(printf "${JITSI_MEET_EXPORTER_SERVICE}" "restart")"
printf "%s" "${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}" | \
require="${require} __download/tmp/prometheus-jitsi-meet-exporter" __file \
"${PROMETHEUS_JITSI_EXPORTER_VERSION_FILE}" \
--source "-"
fi
EXPORTER_VERSION="1.2.0"
EXPORTER_CHECKSUM="sha256:6377ffa7be0c7deb66545616add7245da96f8b7746d6712f41cfa9fe72c935ce"
EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${EXPORTER_VERSION}/prometheus-jitsi-meet-exporter_${EXPORTER_VERSION}_linux_amd64.tar.gz"
if [ -f "${__object}/parameter/disable-prometheus-exporter" ]; then
EXPORTER_STATE="absent"
else
EXPORTER_STATE="present"
fi
# TODO: disable the exporter if it is deployed and then admin changes their mind
__evilham_single_binary_service prometheus-jitsi-meet-exporter \
--state "${EXPORTER_STATE}" \
--do-not-manage-user \
--user "nobody" \
--group "nogroup" \
--version "${EXPORTER_VERSION}" \
--checksum "${EXPORTER_CHECKSUM}" \
--url "${EXPORTER_URL}" \
--unpack \
--service-args "-videobridge-url 'http://localhost:8080/colibri/stats' -web.listen-address ':9888'"
#
# Setup interpreter assets if requested
# See: https://gitlab.com/mfmt/jsi/
#
jsi_updated_on="2022-04-21"
__link "/usr/share/jitsi-meet/interpreters.html" \
--type symbolic \
--source "/opt/jsi/static/index.html.sample"
__directory /opt/jsi --mode 0755
export require="__directory/opt/jsi"
__download /opt/jsi/jsi.tar.gz \
--url 'https://gitlab.com/mfmt/jsi/-/archive/1d2cceaf615ee61c0bba80e5bddc61c5d1018303/jsi-1d2cceaf615ee61c0bba80e5bddc61c5d1018303.tar.gz' \
--sum "sha256:b020141093daa9937507b098f358d0be994834c3e23866a457fc5140415a0c53"
export require="__download/opt/jsi/jsi.tar.gz"
__unpack /opt/jsi/jsi.tar.gz \
--preserve-archive \
--tar-strip 1 \
--destination /opt/jsi/static \
--onchange "$(cat <<EOF
# Patch style.css to be served on /i/
sed -i.tmp -E \
-e 's!url[(]/img/welcome-background.png[)]!url(/i/img/welcome-background.png)!' \
/opt/jsi/static/style.css
# Patch jsi.js to be served on /i/
# and so it always uses the domain it's served from
# and so it uses /i/ROOM for the form
sed -i.tmp -E \
-e 's!substr[(][0-9]+[)]!substr(3)!' \
-e 's!config[.]jitsimeet_url!url.host!' \
-e 's!(window[.]location[.]href)[[:space:]]*=[[:space:]]*"/"!\1 = "/i/"!' \
/opt/jsi/static/jsi.js
# Patch the sample index.html, so it loads external_api.js from same host
# and to easen up on the branding
# and to enable browser cache
sed -i.tmp -E \
-e "s!src=[^>]*(/external_api.js).!src='\1'!" \
-e "s!<h1>[^<]*</h1>!<h1>Jitsi Meetings with interpreter</h1>!" \
-e "s!https://meet.mayfirst.org!/!" \
-e "s!(style.css|jsi.js)([^?])!\1?v=${jsi_updated_on:?}\2!" \
/opt/jsi/static/index.html.sample
EOF
)"
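Review bot: the manifest calls `__evilham_single_binary_service`, but the type merged into this repository is `type/__single_binary_service` (subtree commit 1865ff9dce, and commit 977b530dab removes the `__evilham` prefix from its man page); unless an alias type exists, this call fails with an unknown type. The `# TODO: disable the exporter if it is deployed and then admin changes their mind` comment is stale now that `EXPORTER_STATE` is passed as `--state` (the commit message says exactly this bug is fixed), so drop it. Two smaller points: the exporter's `-web.listen-address ':9888'` binds all interfaces, which is why the man page needs its firewall warning; if metrics are only scraped locally or through a tunnel, `127.0.0.1:9888` removes that exposure. And the private colibri REST API on port 8080 is enabled in `jvb.conf` for the exporter; document its bind address and firewall status next to the 9888 note so operators can verify both.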


@ -1 +0,0 @@
2.0.7001-1


@ -0,0 +1,4 @@
Supporting different versions lead to strange issues in the life-time of a
Jitsi instance. Chiefly: difficulties upgrading.
If you are specifying this for a valid reason, please get in touch.
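Review bot: "Supporting different versions lead to strange issues" should be "leads to strange issues".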


@ -1,3 +1,4 @@
abort-conference-count
jitsi-version
turn-secret
turn-server


@ -7,7 +7,7 @@
# We could automate this, but are using it as an indicator for the
# latest branch with which we conciliated changes.
BRANCH="jitsi-meet_7001"
BRANCH="jitsi-meet_7439"
REPO="https://github.com/jitsi/jitsi-meet"
get_url() {
@ -28,3 +28,8 @@ download_file() {
download_file config.js
download_file interface_config.js
download_file doc/debian/jitsi-meet/jitsi-meet.example nginx.sh.orig
download_file doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example prosody.cfg.lua.sh.orig
# Change the version file, maintainers should check that it matches
# the deb version
printf "2.0.%s-1" "${BRANCH#*_}" > jitsi-version
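Review bot: `printf "2.0.%s-1" "${BRANCH#*_}" > jitsi-version` hard-codes the Debian revision `-1`; when the package is rebuilt with a bumped revision the pinned `--version` will not exist in apt and `__package_apt jitsi-meet --version` fails on every host. The comment already says maintainers must check this; hoist the revision into a variable next to `BRANCH` so it is an obvious one-line change rather than something buried in the printf.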


@ -4,32 +4,32 @@
JITSI_CONFIG_JS="$(cat <<EOF
/* eslint-disable no-unused-vars, no-var */
/*
* NOTE: If you add a new option please remember to document it here:
* https://jitsi.github.io/handbook/docs/dev-guide/dev-guide-configuration
*/
var config = {
// Connection
//
hosts: {
// XMPP domain.
domain: '${JITSI_HOST}',
domain: '${DOMAIN}',
// When using authentication, domain for guest users.
$( if [ -n "${SECURED_DOMAINS}" ]; then cat<<EOF2
anonymousdomain: 'guest.${JITSI_HOST}',
EOF2
else cat <<EOF2
// anonymousdomain: 'guest.example.com',
EOF2
fi
)
$( if [ -z "${SECURED_DOMAINS}" ]; then printf "// "
fi)anonymousdomain: 'guest.${DOMAIN}',
// Domain for authenticated users. Defaults to <domain>.
// authdomain: '${JITSI_HOST}',
// NOTE [cdist]: if we use '${DOMAIN}', jicofo won't start the meeting
authdomain: '${JITSI_HOST}',
// Focus component domain. Defaults to focus.<domain>.
// focus: 'focus.${JITSI_HOST}',
focus: 'focus.${JITSI_HOST}',
// XMPP MUC domain. FIXME: use XEP-0030 to discover it.
muc: 'conference.${JITSI_HOST}'
muc: 'conference.${DOMAIN}'
},
// BOSH URL. FIXME: use XEP-0156 to discover it.
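Review bot: `authdomain` and `focus` stay on `${JITSI_HOST}` while `domain`, `anonymousdomain` and `muc` move to `${DOMAIN}`; this is what produces the "users are shared across all domains" caveat in the commit message, because authenticated logins always go to the main host. State that consequence in the `NOTE [cdist]` comment (and the man page) so a reader of the generated config.js does not mistake the split for an inconsistency.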
@ -37,12 +37,12 @@ fi
bosh: '//<!--# echo var="http_host" -->/<!--# echo var="subdir" default="" -->http-bind',
// Websocket URL
// websocket: 'wss://${JITSI_HOST}/xmpp-websocket',
// websocket: 'wss://${DOMAIN}/xmpp-websocket',
// The real JID of focus participant - can be overridden here
// Do not change username - FIXME: Make focus username configurable
// https://github.com/jitsi/jitsi-meet/issues/7376
// focusUserJid: 'focus@auth.${JITSI_HOST}',
focusUserJid: 'focus@auth.${JITSI_HOST}',
// Testing / experimental features.
@ -80,6 +80,11 @@ fi
// or disabled for the screenshare.
// capScreenshareBitrate: 1 // 0 to disable - deprecated.
// Whether to use fake constraints (height: 99999, width: 99999) when calling getDisplayMedia on
// Chromium based browsers. This is intended as a workaround for
// https://bugs.chromium.org/p/chromium/issues/detail?id=1056311
// setScreenSharingResolutionConstraints: true
// Enable callstats only for a percentage of users.
// This takes a value between 0 and 100 which determines the probability for
// the callstats to be enabled.
@ -90,6 +95,10 @@ fi
flags: {
// Enables source names in the signaling.
// sourceNameSignaling: false,
// Enables sending multiple video streams, i.e., camera and desktop tracks can be shared in the conference
// separately as two different streams instead of one composite stream.
// sendMultipleVideoStreams: false
},
// Disables moderator indicators.
@ -276,9 +285,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// appKey: '<APP_KEY>' // Specify your app key here.
// // A URL to redirect the user to, after authenticating
// // by default uses:
// // 'https://${JITSI_HOST}/static/oauth.html'
// // 'https://${DOMAIN}/static/oauth.html'
// redirectURI:
// 'https://${JITSI_HOST}/subfolder/static/oauth.html'
// 'https://${DOMAIN}/subfolder/static/oauth.html'
// },
// When integrations like dropbox are enabled only that will be shown,
// by enabling fileRecordingsServiceEnabled, we show both the integrations
@ -293,6 +302,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// Whether to enable live streaming or not.
// liveStreamingEnabled: false,
// Whether to enable local recording or not.
// enableLocalRecording: false,
// Transcription (in interface_config,
// subtitles and buttons can be configured)
// transcribingEnabled: false,
@ -486,6 +498,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// If Lobby is enabled starts knocking automatically.
// autoKnockLobby: false,
// Enable lobby chat.
// enableLobbyChat: true,
// DEPRECATED! Use \`breakoutRooms.hideAddRoomButton\` instead.
// Hides add breakout room button
// hideAddRoomButton: false,
@ -525,7 +540,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// Hides the dominant speaker name badge that hovers above the toolbox
// hideDominantSpeakerBadge: false,
// Default language for the user interface.
// Default language for the user interface. Cannot be overwritten.
defaultLanguage: '${DEFAULT_LANGUAGE}',
// Disables profile and the edit of all fields from the profile settings (display name and email)
@ -554,6 +569,10 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// // When 'true', it shows an intermediate page before joining, where the user can configure their devices.
// // This replaces \`prejoinPageEnabled\`.
// enabled: true,
// // Hides the participant name editing field in the prejoin screen.
// // If requireDisplayName is also set as true, a name should still be provided through
// // either the jwt or the userInfo from the iframe api init object in order for this to have an effect.
// hideDisplayName: false,
// // List of buttons to hide from the extra join options dropdown.
// hideExtraJoinButtons: ['no-audio', 'by-phone']
// },
@ -581,8 +600,17 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// Array with avatar URL prefixes that need to use CORS.
// corsAvatarURLs: [ 'https://www.gravatar.com/avatar/' ],
// Base URL for a Gravatar-compatible service. Defaults to libravatar.
// gravatarBaseURL: 'https://seccdn.libravatar.org/avatar/',
// Base URL for a Gravatar-compatible service. Defaults to Gravatar.
// DEPRECATED! Use \`gravatar.baseUrl\` instead.
// gravatarBaseURL: 'https://www.gravatar.com/avatar/',
// Setup for Gravatar-compatible services.
// gravatar: {
// // Defaults to Gravatar.
// baseUrl: 'https://www.gravatar.com/avatar/',
// // True if Gravatar should be disabled.
// disabled: false
// },
// App name to be displayed in the invitation email subject, as an alternative to
// interfaceConfig.APP_NAME.
@ -604,6 +632,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// 'chat',
// 'closedcaptions',
// 'desktop',
// 'dock-iframe'
// 'download',
// 'embedmeeting',
// 'etherpad',
@ -612,11 +641,11 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// 'fullscreen',
// 'hangup',
// 'help',
// 'highlight',
// 'invite',
// 'linktosalesforce',
// 'livestreaming',
// 'microphone',
// 'mute-everyone',
// 'mute-video-everyone',
// 'participants-pane',
// 'profile',
// 'raisehand',
@ -630,6 +659,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// 'stats',
// 'tileview',
// 'toggle-camera',
// 'undock-iframe',
// 'videoquality',
// '__end'
// ],
@ -644,7 +674,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// timeout: 4000,
// // Moved from interfaceConfig.TOOLBAR_ALWAYS_VISIBLE
// // Whether toolbar should be always visible or should hide after x miliseconds.
// alwaysVisible: false
// alwaysVisible: false,
// // Indicates whether the toolbar should still autohide when chat is open
// autoHideWhileChatIsOpen: false
// },
// Toolbar buttons which have their click/tap event exposed through the API on
@ -753,11 +785,25 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// Enables sending participants' emails (if available) to callstats and other analytics
// enableEmailInStats: false,
// Enables detecting faces of participants and get their expression and send it to other participants
// enableFacialRecognition: true,
// faceLandmarks: {
// // Enables sharing your face coordinates. Used for centering faces within a video.
// enableFaceCentering: false,
// Enables displaying facial expressions in speaker stats
// enableDisplayFacialExpressions: true,
// // Enables detecting face expressions and sharing data with other participants
// enableFaceExpressionsDetection: false,
// // Enables displaying face expressions in speaker stats
// enableDisplayFaceExpressions: false,
// // Enable rtc stats for face landmarks
// enableRTCStats: false,
// // Minimum required face movement percentage threshold for sending new face centering coordinates data.
// faceCenteringThreshold: 10,
// // Milliseconds for processing a new image capture in order to detect face coordinates if they exist.
// captureInterval: 1000
// },
// Controls the percentage of automatic feedback shown to participants when callstats is enabled.
// The default value is 100%. If set to 0, no automatic feedback will be requested
@ -823,6 +869,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
},
analytics: {
${ANALYTICS_SETTINGS}
// True if the analytics should be disabled
// disabled: false,
@ -910,33 +957,22 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// chromeExtensionBanner: {
// // The chrome extension to be installed address
// url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb',
// edgeUrl: 'https://microsoftedge.microsoft.com/addons/detail/jitsi-meetings/eeecajlpbgjppibfledfihobcabccihn',
// // Extensions info which allows checking if they are installed or not
// chromeExtensionsInfo: [
// {
// id: 'kglhbbefdnlheedjiejgomgmfplipfeb',
// path: 'jitsi-logo-48x48.png'
// },
// // Edge extension info
// {
// id: 'eeecajlpbgjppibfledfihobcabccihn',
// path: 'jitsi-logo-48x48.png'
// }
// ]
// },
// Local Recording
//
// localRecording: {
// Enables local recording.
// Additionally, 'localrecording' (all lowercase) needs to be added to
// the \`toolbarButtons\`-array for the Local Recording button to show up
// on the toolbar.
//
// enabled: true,
//
// The recording format, can be one of 'ogg', 'flac' or 'wav'.
// format: 'flac'
//
// },
// e2ee: {
// labels,
// externallyManagedKey: false
@ -944,14 +980,18 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// Options related to end-to-end (participant to participant) ping.
// e2eping: {
// // The interval in milliseconds at which pings will be sent.
// // Defaults to 10000, set to <= 0 to disable.
// pingInterval: 10000,
// // Whether ene-to-end pings should be enabled.
// enabled: false,
//
// // The interval in milliseconds at which analytics events
// // with the measured RTT will be sent. Defaults to 60000, set
// // to <= 0 to disable.
// analyticsInterval: 60000,
// // The number of responses to wait for.
// numRequests: 5,
//
// // The max conference size in which e2e pings will be sent.
// maxConferenceSize: 200,
//
// // The maximum number of e2e ping messages per second for the whole conference to aim for.
// // This is used to contol the pacing of messages in order to reduce the load on the backend.
// maxMessagesPerSecond: 250
// },
// If set, will attempt to use the provided video input device label when
@ -978,7 +1018,8 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// Disables all invite functions from the app (share, invite, dial out...etc)
// disableInviteFunctions: true,
// Disables storing the room name to the recents list
// Disables storing the room name to the recents list. When in an iframe this is ignored and
// the room is never stored in the recents list.
// doNotStoreRoom: true,
// Deployment specific URLs.
@ -993,12 +1034,25 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// Options related to the remote participant menu.
// remoteVideoMenu: {
// // Whether the remote video context menu to be rendered or not.
// disabled: true,
// // If set to true the 'Kick out' button will be disabled.
// disableKick: true,
// // If set to true the 'Grant moderator' button will be disabled.
// disableGrantModerator: true
// disableGrantModerator: true,
// // If set to true the 'Send private message' button will be disabled.
// disablePrivateChat: true
// },
// Endpoint that enables support for salesforce integration with in-meeting resource linking
// This is required for:
// listing the most recent records - salesforceUrl/records/recents
// searching records - salesforceUrl/records?text=\${text}
// retrieving record details - salesforceUrl/records/\${id}?type=\${type}
// and linking the meeting - salesforceUrl/sessions/\${sessionId}/records/\${id}
//
// salesforceUrl: 'https://api.example.com/',
// If set to true all muting operations of remote participants will be disabled.
// disableRemoteMute: true,
@ -1062,10 +1116,22 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
*/
dynamicBrandingUrl: "${DYNAMIC_BRANDING_URL}",
// Options related to the participants pane.
// participantsPane: {
// // Hides the moderator settings tab.
// hideModeratorSettingsTab: false,
// // Hides the more actions button.
// hideMoreActionsButton: false,
// // Hides the mute all button.
// hideMuteAllButton: false
// },
// Options related to the breakout rooms feature.
// breakoutRooms: {
// // Hides the add breakout room button. This replaces \`hideAddRoomButton\`.
// hideAddRoomButton: false,
// // Hides the auto assign participants button.
// hideAutoAssignButton: false,
// // Hides the join breakout room button.
// hideJoinRoomButton: false
// },
@ -1096,7 +1162,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// If a label's id is not in any of the 2 arrays, it will not be visible at all on the header.
// conferenceInfo: {
// // those labels will not be hidden in tandem with the toolbox.
// alwaysVisible: ['recording', 'local-recording', 'raised-hands-count'],
// alwaysVisible: ['recording', 'raised-hands-count'],
// // those labels will be auto-hidden in tandem with the toolbox buttons.
// autoHide: [
// 'subject',
@ -1105,7 +1171,8 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// 'e2ee',
// 'transcribing',
// 'video-quality',
// 'insecure-room'
// 'insecure-room',
// 'highlight-moment'
// ]
// },
@ -1139,14 +1206,24 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// will open an etherpad document.
// etherpad_base: 'https://your-etherpad-installati.on/p/',
// To enable information about dial-in access to meetings you need to provide
// dialInNumbersUrl and dialInConfCodeUrl.
// dialInNumbersUrl returns a json array of numbers that can be used for dial-in.
// {"countryCode":"US","tollFree":false,"formattedNumber":"+1 123-456-7890"}
// dialInConfCodeUrl is the conference mapper converting a meeting id to a PIN used for dial-in
// or the other way around (more info in resources/cloud-api.swagger)
//
// For JaaS customers the default values are:
// dialInNumbersUrl: 'https://conference-mapper.jitsi.net/v1/access/dids',
// dialInConfCodeUrl: 'https://conference-mapper.jitsi.net/v1/access',
//
// List of undocumented settings used in jitsi-meet
/**
_immediateReloadThreshold
debug
debugAudioLevels
deploymentInfo
dialInConfCodeUrl
dialInNumbersUrl
dialOutAuthUrl
dialOutCodesUrl
disableRemoteControl
@ -1231,7 +1308,6 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// 'liveStreaming.unavailableTitle', // shown when livestreaming service is not reachable
// 'lobby.joinRejectedMessage', // shown when while in a lobby, user's request to join is rejected
// 'lobby.notificationTitle', // shown when lobby is toggled and when join requests are allowed / denied
// 'localRecording.localRecording', // shown when a local recording is started
// 'notify.chatMessages', // shown when receiving chat messages while the chat window is closed
// 'notify.disconnected', // shown when a participant has left
// 'notify.connectedOneMember', // show when a participant joined
@ -1245,6 +1321,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// 'notify.invitedThreePlusMembers', // shown when 3+ participants have been invited
// 'notify.invitedTwoMembers', // shown when 2 participants have been invited
// 'notify.kickParticipant', // shown when a participant is kicked
// 'notify.linkToSalesforce', // shown when joining a meeting with salesforce integration
// 'notify.moderationStartedTitle', // shown when AV moderation is activated
// 'notify.moderationStoppedTitle', // shown when AV moderation is deactivated
// 'notify.moderationInEffectTitle', // shown when user attempts to unmute audio during AV moderation
@ -1260,6 +1337,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// 'notify.raisedHand', // shown when a partcipant used raise hand,
// 'notify.startSilentTitle', // shown when user joined with no audio
// 'notify.unmute', // shown to moderator when user raises hand during AV moderation
// 'notify.hostAskedUnmute', // shown to participant when host asks them to unmute
// 'prejoin.errorDialOut',
// 'prejoin.errorDialOutDisconnected',
// 'prejoin.errorDialOutFailed',
@ -1275,6 +1353,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// 'transcribing.failedToStart' // shown when transcribing fails to start
// ],
// List of notifications to be disabled. Works in tandem with the above setting.
// disabledNotifications: [],
// Prevent the filmstrip from autohiding when screen width is under a certain threshold
// disableFilmstripAutohiding: false,
@ -1282,12 +1363,37 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// // Disables user resizable filmstrip. Also, allows configuration of the filmstrip
// // (width, tiles aspect ratios) through the interfaceConfig options.
// disableResizable: false,
// }
// // Disables the stage filmstrip
// // (displaying multiple participants on stage besides the vertical filmstrip)
// disableStageFilmstrip: false
// },
// Tile view related config options.
// tileView: {
// // The optimal number of tiles that are going to be shown in tile view. Depending on the screen size it may
// // not be possible to show the exact number of participants specified here.
// numberOfVisibleTiles: 25
// },
// Specifies whether the chat emoticons are disabled or not
// disableChatSmileys: false,
// Settings for the GIPHY integration.
// giphy: {
// // Whether the feature is enabled or not.
// enabled: false,
// // SDK API Key from Giphy.
// sdkKey: '',
// // Display mode can be one of:
// // - tile: show the GIF on the tile of the participant that sent it.
// // - chat: show the GIF as a message in chat
// // - all: all of the above. This is the default option
// displayMode: 'all',
// // How long the GIF should be displayed on the tile (in miliseconds).
// tileTime: 5000
// },
// Allow all above example options to include a trailing comma and
// prevent fear when commenting out the last value.
makeJsonParserHappy: 'even if last key had a trailing comma'


@ -1,5 +1,11 @@
/* eslint-disable no-unused-vars, no-var */
/*
* NOTE: If you add a new option please remember to document it here:
* https://jitsi.github.io/handbook/docs/dev-guide/dev-guide-configuration
*/
var config = {
// Connection
//
@ -68,6 +74,11 @@ var config = {
// or disabled for the screenshare.
// capScreenshareBitrate: 1 // 0 to disable - deprecated.
// Whether to use fake constraints (height: 99999, width: 99999) when calling getDisplayMedia on
// Chromium based browsers. This is intended as a workaround for
// https://bugs.chromium.org/p/chromium/issues/detail?id=1056311
// setScreenSharingResolutionConstraints: true
// Enable callstats only for a percentage of users.
// This takes a value between 0 and 100 which determines the probability for
// the callstats to be enabled.
@ -78,6 +89,10 @@ var config = {
flags: {
// Enables source names in the signaling.
// sourceNameSignaling: false,
// Enables sending multiple video streams, i.e., camera and desktop tracks can be shared in the conference
// separately as two different streams instead of one composite stream.
// sendMultipleVideoStreams: false
},
// Disables moderator indicators.
@ -280,6 +295,9 @@ var config = {
// Whether to enable live streaming or not.
// liveStreamingEnabled: false,
// Whether to enable local recording or not.
// enableLocalRecording: false,
// Transcription (in interface_config,
// subtitles and buttons can be configured)
// transcribingEnabled: false,
@ -473,6 +491,9 @@ var config = {
// If Lobby is enabled starts knocking automatically.
// autoKnockLobby: false,
// Enable lobby chat.
// enableLobbyChat: true,
// DEPRECATED! Use `breakoutRooms.hideAddRoomButton` instead.
// Hides add breakout room button
// hideAddRoomButton: false,
@ -512,7 +533,7 @@ var config = {
// Hides the dominant speaker name badge that hovers above the toolbox
// hideDominantSpeakerBadge: false,
// Default language for the user interface.
// Default language for the user interface. Cannot be overwritten.
// defaultLanguage: 'en',
// Disables profile and the edit of all fields from the profile settings (display name and email)
@ -541,6 +562,10 @@ var config = {
// // When 'true', it shows an intermediate page before joining, where the user can configure their devices.
// // This replaces `prejoinPageEnabled`.
// enabled: true,
// // Hides the participant name editing field in the prejoin screen.
// // If requireDisplayName is also set as true, a name should still be provided through
// // either the jwt or the userInfo from the iframe api init object in order for this to have an effect.
// hideDisplayName: false,
// // List of buttons to hide from the extra join options dropdown.
// hideExtraJoinButtons: ['no-audio', 'by-phone']
// },
@ -568,8 +593,17 @@ var config = {
// Array with avatar URL prefixes that need to use CORS.
// corsAvatarURLs: [ 'https://www.gravatar.com/avatar/' ],
// Base URL for a Gravatar-compatible service. Defaults to libravatar.
// gravatarBaseURL: 'https://seccdn.libravatar.org/avatar/',
// Base URL for a Gravatar-compatible service. Defaults to Gravatar.
// DEPRECATED! Use `gravatar.baseUrl` instead.
// gravatarBaseURL: 'https://www.gravatar.com/avatar/',
// Setup for Gravatar-compatible services.
// gravatar: {
// // Defaults to Gravatar.
// baseUrl: 'https://www.gravatar.com/avatar/',
// // True if Gravatar should be disabled.
// disabled: false
// },
// App name to be displayed in the invitation email subject, as an alternative to
// interfaceConfig.APP_NAME.
@ -591,6 +625,7 @@ var config = {
// 'chat',
// 'closedcaptions',
// 'desktop',
// 'dock-iframe'
// 'download',
// 'embedmeeting',
// 'etherpad',
@ -599,11 +634,11 @@ var config = {
// 'fullscreen',
// 'hangup',
// 'help',
// 'highlight',
// 'invite',
// 'linktosalesforce',
// 'livestreaming',
// 'microphone',
// 'mute-everyone',
// 'mute-video-everyone',
// 'participants-pane',
// 'profile',
// 'raisehand',
@ -617,6 +652,7 @@ var config = {
// 'stats',
// 'tileview',
// 'toggle-camera',
// 'undock-iframe',
// 'videoquality',
// '__end'
// ],
@ -631,7 +667,9 @@ var config = {
// timeout: 4000,
// // Moved from interfaceConfig.TOOLBAR_ALWAYS_VISIBLE
// // Whether toolbar should be always visible or should hide after x miliseconds.
// alwaysVisible: false
// alwaysVisible: false,
// // Indicates whether the toolbar should still autohide when chat is open
// autoHideWhileChatIsOpen: false
// },
// Toolbar buttons which have their click/tap event exposed through the API on
@ -740,11 +778,25 @@ var config = {
// Enables sending participants' emails (if available) to callstats and other analytics
// enableEmailInStats: false,
// Enables detecting faces of participants and get their expression and send it to other participants
// enableFacialRecognition: true,
// faceLandmarks: {
// // Enables sharing your face coordinates. Used for centering faces within a video.
// enableFaceCentering: false,
// Enables displaying facial expressions in speaker stats
// enableDisplayFacialExpressions: true,
// // Enables detecting face expressions and sharing data with other participants
// enableFaceExpressionsDetection: false,
// // Enables displaying face expressions in speaker stats
// enableDisplayFaceExpressions: false,
// // Enable rtc stats for face landmarks
// enableRTCStats: false,
// // Minimum required face movement percentage threshold for sending new face centering coordinates data.
// faceCenteringThreshold: 10,
// // Milliseconds for processing a new image capture in order to detect face coordinates if they exist.
// captureInterval: 1000
// },
// Controls the percentage of automatic feedback shown to participants when callstats is enabled.
// The default value is 100%. If set to 0, no automatic feedback will be requested
@ -897,33 +949,22 @@ var config = {
// chromeExtensionBanner: {
// // The chrome extension to be installed address
// url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb',
// edgeUrl: 'https://microsoftedge.microsoft.com/addons/detail/jitsi-meetings/eeecajlpbgjppibfledfihobcabccihn',
// // Extensions info which allows checking if they are installed or not
// chromeExtensionsInfo: [
// {
// id: 'kglhbbefdnlheedjiejgomgmfplipfeb',
// path: 'jitsi-logo-48x48.png'
// },
// // Edge extension info
// {
// id: 'eeecajlpbgjppibfledfihobcabccihn',
// path: 'jitsi-logo-48x48.png'
// }
// ]
// },
// Local Recording
//
// localRecording: {
// Enables local recording.
// Additionally, 'localrecording' (all lowercase) needs to be added to
// the `toolbarButtons`-array for the Local Recording button to show up
// on the toolbar.
//
// enabled: true,
//
// The recording format, can be one of 'ogg', 'flac' or 'wav'.
// format: 'flac'
//
// },
// e2ee: {
// labels,
// externallyManagedKey: false
@ -931,14 +972,18 @@ var config = {
// Options related to end-to-end (participant to participant) ping.
// e2eping: {
// // The interval in milliseconds at which pings will be sent.
// // Defaults to 10000, set to <= 0 to disable.
// pingInterval: 10000,
// // Whether ene-to-end pings should be enabled.
// enabled: false,
//
// // The interval in milliseconds at which analytics events
// // with the measured RTT will be sent. Defaults to 60000, set
// // to <= 0 to disable.
// analyticsInterval: 60000,
// // The number of responses to wait for.
// numRequests: 5,
//
// // The max conference size in which e2e pings will be sent.
// maxConferenceSize: 200,
//
// // The maximum number of e2e ping messages per second for the whole conference to aim for.
// // This is used to contol the pacing of messages in order to reduce the load on the backend.
// maxMessagesPerSecond: 250
// },
// If set, will attempt to use the provided video input device label when
@ -965,7 +1010,8 @@ var config = {
// Disables all invite functions from the app (share, invite, dial out...etc)
// disableInviteFunctions: true,
// Disables storing the room name to the recents list
// Disables storing the room name to the recents list. When in an iframe this is ignored and
// the room is never stored in the recents list.
// doNotStoreRoom: true,
// Deployment specific URLs.
@ -980,12 +1026,25 @@ var config = {
// Options related to the remote participant menu.
// remoteVideoMenu: {
// // Whether the remote video context menu to be rendered or not.
// disabled: true,
// // If set to true the 'Kick out' button will be disabled.
// disableKick: true,
// // If set to true the 'Grant moderator' button will be disabled.
// disableGrantModerator: true
// disableGrantModerator: true,
// // If set to true the 'Send private message' button will be disabled.
// disablePrivateChat: true
// },
// Endpoint that enables support for salesforce integration with in-meeting resource linking
// This is required for:
// listing the most recent records - salesforceUrl/records/recents
// searching records - salesforceUrl/records?text=${text}
// retrieving record details - salesforceUrl/records/${id}?type=${type}
// and linking the meeting - salesforceUrl/sessions/${sessionId}/records/${id}
//
// salesforceUrl: 'https://api.example.com/',
// If set to true all muting operations of remote participants will be disabled.
// disableRemoteMute: true,
@ -1049,10 +1108,22 @@ var config = {
*/
// dynamicBrandingUrl: '',
// Options related to the participants pane.
// participantsPane: {
// // Hides the moderator settings tab.
// hideModeratorSettingsTab: false,
// // Hides the more actions button.
// hideMoreActionsButton: false,
// // Hides the mute all button.
// hideMuteAllButton: false
// },
// Options related to the breakout rooms feature.
// breakoutRooms: {
// // Hides the add breakout room button. This replaces `hideAddRoomButton`.
// hideAddRoomButton: false,
// // Hides the auto assign participants button.
// hideAutoAssignButton: false,
// // Hides the join breakout room button.
// hideJoinRoomButton: false
// },
@ -1083,7 +1154,7 @@ var config = {
// If a label's id is not in any of the 2 arrays, it will not be visible at all on the header.
// conferenceInfo: {
// // those labels will not be hidden in tandem with the toolbox.
// alwaysVisible: ['recording', 'local-recording', 'raised-hands-count'],
// alwaysVisible: ['recording', 'raised-hands-count'],
// // those labels will be auto-hidden in tandem with the toolbox buttons.
// autoHide: [
// 'subject',
@ -1092,7 +1163,8 @@ var config = {
// 'e2ee',
// 'transcribing',
// 'video-quality',
// 'insecure-room'
// 'insecure-room',
// 'highlight-moment'
// ]
// },
@ -1126,14 +1198,24 @@ var config = {
// will open an etherpad document.
// etherpad_base: 'https://your-etherpad-installati.on/p/',
// To enable information about dial-in access to meetings you need to provide
// dialInNumbersUrl and dialInConfCodeUrl.
// dialInNumbersUrl returns a json array of numbers that can be used for dial-in.
// {"countryCode":"US","tollFree":false,"formattedNumber":"+1 123-456-7890"}
// dialInConfCodeUrl is the conference mapper converting a meeting id to a PIN used for dial-in
// or the other way around (more info in resources/cloud-api.swagger)
//
// For JaaS customers the default values are:
// dialInNumbersUrl: 'https://conference-mapper.jitsi.net/v1/access/dids',
// dialInConfCodeUrl: 'https://conference-mapper.jitsi.net/v1/access',
//
// List of undocumented settings used in jitsi-meet
/**
_immediateReloadThreshold
debug
debugAudioLevels
deploymentInfo
dialInConfCodeUrl
dialInNumbersUrl
dialOutAuthUrl
dialOutCodesUrl
disableRemoteControl
@ -1218,7 +1300,6 @@ var config = {
// 'liveStreaming.unavailableTitle', // shown when livestreaming service is not reachable
// 'lobby.joinRejectedMessage', // shown when while in a lobby, user's request to join is rejected
// 'lobby.notificationTitle', // shown when lobby is toggled and when join requests are allowed / denied
// 'localRecording.localRecording', // shown when a local recording is started
// 'notify.chatMessages', // shown when receiving chat messages while the chat window is closed
// 'notify.disconnected', // shown when a participant has left
// 'notify.connectedOneMember', // show when a participant joined
@ -1232,6 +1313,7 @@ var config = {
// 'notify.invitedThreePlusMembers', // shown when 3+ participants have been invited
// 'notify.invitedTwoMembers', // shown when 2 participants have been invited
// 'notify.kickParticipant', // shown when a participant is kicked
// 'notify.linkToSalesforce', // shown when joining a meeting with salesforce integration
// 'notify.moderationStartedTitle', // shown when AV moderation is activated
// 'notify.moderationStoppedTitle', // shown when AV moderation is deactivated
// 'notify.moderationInEffectTitle', // shown when user attempts to unmute audio during AV moderation
@ -1247,6 +1329,7 @@ var config = {
// 'notify.raisedHand', // shown when a partcipant used raise hand,
// 'notify.startSilentTitle', // shown when user joined with no audio
// 'notify.unmute', // shown to moderator when user raises hand during AV moderation
// 'notify.hostAskedUnmute', // shown to participant when host asks them to unmute
// 'prejoin.errorDialOut',
// 'prejoin.errorDialOutDisconnected',
// 'prejoin.errorDialOutFailed',
@ -1262,6 +1345,9 @@ var config = {
// 'transcribing.failedToStart' // shown when transcribing fails to start
// ],
// List of notifications to be disabled. Works in tandem with the above setting.
// disabledNotifications: [],
// Prevent the filmstrip from autohiding when screen width is under a certain threshold
// disableFilmstripAutohiding: false,
@ -1269,12 +1355,37 @@ var config = {
// // Disables user resizable filmstrip. Also, allows configuration of the filmstrip
// // (width, tiles aspect ratios) through the interfaceConfig options.
// disableResizable: false,
// }
// // Disables the stage filmstrip
// // (displaying multiple participants on stage besides the vertical filmstrip)
// disableStageFilmstrip: false
// },
// Tile view related config options.
// tileView: {
// // The optimal number of tiles that are going to be shown in tile view. Depending on the screen size it may
// // not be possible to show the exact number of participants specified here.
// numberOfVisibleTiles: 25
// },
// Specifies whether the chat emoticons are disabled or not
// disableChatSmileys: false,
// Settings for the GIPHY integration.
// giphy: {
// // Whether the feature is enabled or not.
// enabled: false,
// // SDK API Key from Giphy.
// sdkKey: '',
// // Display mode can be one of:
// // - tile: show the GIF on the tile of the participant that sent it.
// // - chat: show the GIF as a message in chat
// // - all: all of the above. This is the default option
// displayMode: 'all',
// // How long the GIF should be displayed on the tile (in miliseconds).
// tileTime: 5000
// },
// Allow all above example options to include a trailing comma and
// prevent fear when commenting out the last value.
makeJsonParserHappy: 'even if last key had a trailing comma'


@ -20,7 +20,7 @@ JITSI_INTERFACE_CONFIG_JS="$(cat <<EOF
*/
var interfaceConfig = {
APP_NAME: 'Jitsi Meet',
APP_NAME: '${BRANDING_APP_NAME}',
AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)',
AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)',
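Review bot: `APP_NAME: '${BRANDING_APP_NAME}',` drops the type parameter into a single-quoted JavaScript string with no escaping, so a value containing `'` or a backslash leaves interface_config.js unparsable for every visitor, and a crafted value would become JavaScript served by the site. Reject quotes and backslashes for this parameter in the type's manifest (or escape the value before it enters the heredoc); the other `${...}` strings interpolated into these JS templates deserve the same check.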


@ -0,0 +1 @@
2.0.7439-1


@ -10,6 +10,17 @@ JITSI_NGINX_CONFIG="$(cat <<EOF
## nginx's default mime.types doesn't include a mapping for wasm
# application/wasm wasm;
#}
# These upstreams are managed by __jitsi_meet
#upstream prosody {
# zone upstreams 64K;
# server 127.0.0.1:5280;
# keepalive 2;
#}
#upstream jvb1 {
# zone upstreams 64K;
# server 127.0.0.1:9090;
# keepalive 2;
#}
server {
listen 80;
listen [::]:80;
@ -91,33 +102,48 @@ server {
expires 1y;
}
}
# Paths for jsi / interpreters
location ~ ^/i/(img/[^./]*.png|jsi.js|style.css)$
{
add_header 'Access-Control-Allow-Origin' '*';
alias /opt/jsi/static/\$1;
# cache all versioned files
if (\$arg_v) {
expires 1y;
}
}
location ~ ^/i/
{
try_files /${DOMAIN}-interpreters.html /interpreters.html \$uri;
}
# BOSH
location = /http-bind {
# We are using 127.0.0.1, because we are not specifying a resolver
# otherwise nginx will fail to resolve 'localhost'
proxy_pass http://127.0.0.1:5280/http-bind?prefix=\$prefix&\$args;
proxy_pass http://prosody/http-bind?prefix=\$prefix&\$args;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For \$remote_addr;
# Prevision for 'multi-domain' jitsi instances
# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
proxy_set_header Host ${JITSI_HOST};
proxy_set_header Host ${DOMAIN};
proxy_set_header Connection "";
}
# xmpp websockets
location = /xmpp-websocket {
proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=\$prefix&\$args;
proxy_pass http://prosody/xmpp-websocket?prefix=\$prefix&\$args;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";
# Prevision for 'multi-domain' jitsi instances
# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
proxy_set_header Host ${JITSI_HOST};
proxy_set_header Host ${DOMAIN};
tcp_nodelay on;
}
# colibri (JVB) websockets for jvb1
location ~ ^/colibri-ws/default-id/(.*) {
proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/\$1\$is_args\$args;
proxy_pass http://jvb1/colibri-ws/default-id/\$1\$is_args\$args;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";
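Review bot: In `location ~ ^/i/(img/[^./]*.png|jsi.js|style.css)$` the dots are unescaped regex metacharacters, so `jsi.js` also matches `jsiXjs` and `.png` matches any character before `png`; write `jsi\.js`, `style\.css` and `\.png` (the `[^./]*` class already keeps the `\$1` capture from escaping `/opt/jsi/static/`). In the following `location ~ ^/i/` block, `try_files /${DOMAIN}-interpreters.html /interpreters.html \$uri;` uses `\$uri` as the fallback, which internally redirects to the same URI and re-enters this location when neither HTML file exists, ending in nginx's "internal redirection cycle" error; finishing the list with `=404` gives a clean failure instead.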


@ -4,6 +4,16 @@ types {
# nginx's default mime.types doesn't include a mapping for wasm
application/wasm wasm;
}
upstream prosody {
zone upstreams 64K;
server 127.0.0.1:5280;
keepalive 2;
}
upstream jvb1 {
zone upstreams 64K;
server 127.0.0.1:9090;
keepalive 2;
}
server {
listen 80;
listen [::]:80;
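Review bot: The new `upstream prosody { ... keepalive 2; }` block only reuses connections when the proxying location sends HTTP/1.1 with an empty `Connection` header; the `/http-bind` location below already sets `proxy_http_version 1.1;` and `proxy_set_header Connection "";`, so this is consistent, but keep that pairing in mind for any future location pointed at these upstreams. Both upstreams share `zone upstreams 64K;`, which is valid, and the commented copy of these blocks in the per-domain template must keep the same names (`prosody`, `jvb1`) or the `proxy_pass http://prosody/...` lines there will fail at config test.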
@ -77,14 +87,16 @@ server {
# BOSH
location = /http-bind {
proxy_pass http://127.0.0.1:5280/http-bind?prefix=$prefix&$args;
proxy_pass http://prosody/http-bind?prefix=$prefix&$args;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header Connection "";
}
# xmpp websockets
location = /xmpp-websocket {
proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
proxy_pass http://prosody/xmpp-websocket?prefix=$prefix&$args;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
@ -94,7 +106,7 @@ server {
# colibri (JVB) websockets for jvb1
location ~ ^/colibri-ws/default-id/(.*) {
proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/$1$is_args$args;
proxy_pass http://jvb1/colibri-ws/default-id/$1$is_args$args;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";


@ -0,0 +1,228 @@
#!/bin/sh -eu
# Source:
# https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example
FOCUS_USER="focus"
JITSI_DOMAIN="${JITSI_DOMAIN:-${JITSI_HOST:?}}"
# PROSODY_MAIN_CONFIG: defined in __jitsi_meet, empty in __jitsi_meet_domain
PROSODY_SECUREDOMAIN_START="--[["
PROSODY_SECUREDOMAIN_END="--]]"
if [ -n "${PROSODY_MAIN_CONFIG}" ]; then
PROSODY_MAIN_START=""
PROSODY_MAIN_END=""
PROSODY_DOMAIN_START="--[["
PROSODY_DOMAIN_END="--]]"
else
PROSODY_MAIN_START="--[["
PROSODY_MAIN_END="--]]"
PROSODY_DOMAIN_START=""
PROSODY_DOMAIN_END=""
if [ -n "${SECURED_DOMAINS}" ]; then
PROSODY_SECUREDOMAIN_START=""
PROSODY_SECUREDOMAIN_END=""
fi
fi
# Websockets haven't been fully tested in this type and don't work reliably
PROSODY_WEBSOCKET="-- "
# shellcheck disable=SC2034 # This is intended to be included
PROSODY_CONFIG="$(cat <<EOFPROSODY
-- Managed remotely, changes will be lost
${PROSODY_MAIN_START}
-- This will be managed by __jitsi_meet
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "${JITSI_HOST:?}";
external_service_secret = "${TURN_SECRET:-TurnSecret}";
external_services = {
{ type = "stun", host = "${JITSI_HOST:?}", port = 3478 },
{ type = "turn", host = "${JITSI_HOST:?}", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
{ type = "turns", host = "${JITSI_HOST:?}", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};
cross_domain_bosh = false;
consider_bosh_secure = true;
-- Use websockets
-- https://community.jitsi.org/t/how-to-how-to-enable-websockets-xmpp-websocket-and-smacks-for-prosody/87920
${PROSODY_WEBSOCKET}consider_websocket_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284
-- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
--http_cors_override = {
-- bosh = {
-- enabled = false;
-- };
-- websocket = {
-- enabled = false;
-- };
--}
-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
protocol = "tlsv1_2+";
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}
unlimited_jids = {
"${FOCUS_USER:?}@auth.${JITSI_HOST:?}",
"jvb@auth.${JITSI_HOST:?}"
}
${PROSODY_MAIN_END}
${PROSODY_DOMAIN_START}
-- This will be managed by __jitsi_meet_domain
VirtualHost "${JITSI_DOMAIN:?}"
-- enabled = false -- Remove this line to enable this host
authentication = "anonymous"
-- Properties below are modified by jitsi-meet-tokens package config
-- and authentication above is switched to "token"
--app_id="example_app_id"
--app_secret="example_app_secret"
-- Assign this host a certificate for TLS, otherwise it would use the one
-- set in the global section (if any).
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
-- use the global one.
ssl = {
key = "/etc/prosody/certs/${JITSI_DOMAIN:?}.key";
certificate = "/etc/prosody/certs/${JITSI_DOMAIN:?}.crt";
}
av_moderation_component = "avmoderation.${JITSI_DOMAIN:?}"
speakerstats_component = "speakerstats.${JITSI_DOMAIN:?}"
conference_duration_component = "conferenceduration.${JITSI_DOMAIN:?}"
-- we need bosh
modules_enabled = {
"bosh";
"pubsub";
"ping"; -- Enable mod_ping
"speakerstats";
"external_services";
"conference_duration";
"muc_lobby_rooms";
"muc_breakout_rooms";
"av_moderation";
${PROSODY_WEBSOCKET} "websocket";
${PROSODY_WEBSOCKET} "smacks";
}
smacks_max_unacked_stanzas = 5;
smacks_hibernation_time = 60;
smacks_max_hibernated_sessions = 1;
smacks_max_old_sessions = 1;
c2s_require_encryption = false
lobby_muc = "lobby.${JITSI_DOMAIN:?}"
breakout_rooms_muc = "breakout.${JITSI_DOMAIN:?}"
main_muc = "conference.${JITSI_DOMAIN:?}"
-- muc_lobby_whitelist = { "recorder.${JITSI_DOMAIN:?}" } -- Here we can whitelist jibri to enter lobby enabled rooms
Component "conference.${JITSI_DOMAIN:?}" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_meeting_id";
"muc_domain_mapper";
"polls";
--"token_verification";
"muc_rate_limit";
}
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
muc_room_locking = false
muc_room_default_public_jids = true
Component "breakout.${JITSI_DOMAIN:?}" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_meeting_id";
"muc_domain_mapper";
--"token_verification";
"muc_rate_limit";
"polls";
}
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
muc_room_locking = false
muc_room_default_public_jids = true
-- internal muc component
Component "internal.auth.${JITSI_DOMAIN:?}" "muc"
storage = "memory"
modules_enabled = {
"ping";
}
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}", "jvb@auth.${JITSI_HOST:?}" }
muc_room_locking = false
muc_room_default_public_jids = true
-- https://prosody.im/doc/modules/mod_muc
muc_room_cache_size = 1000
${PROSODY_DOMAIN_END}
${PROSODY_MAIN_START}
-- This will be managed by __jitsi_meet
VirtualHost "auth.${JITSI_DOMAIN:?}"
ssl = {
key = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.key";
certificate = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.crt";
}
modules_enabled = {
"limits_exception";
}
authentication = "internal_hashed"
${PROSODY_MAIN_END}
${PROSODY_DOMAIN_START}
-- This will be managed by __jitsi_meet_domain
-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
Component "focus.${JITSI_DOMAIN:?}" "client_proxy"
-- Single focus user for the whole instance
target_address = "${FOCUS_USER:?}@auth.${JITSI_HOST:?}"
Component "speakerstats.${JITSI_DOMAIN:?}" "speakerstats_component"
muc_component = "conference.${JITSI_DOMAIN:?}"
Component "conferenceduration.${JITSI_DOMAIN:?}" "conference_duration_component"
muc_component = "conference.${JITSI_DOMAIN:?}"
Component "avmoderation.${JITSI_DOMAIN:?}" "av_moderation_component"
muc_component = "conference.${JITSI_DOMAIN:?}"
Component "lobby.${JITSI_DOMAIN:?}" "muc"
storage = "memory"
restrict_room_creation = true
muc_room_locking = false
muc_room_default_public_jids = true
modules_enabled = {
"muc_rate_limit";
"polls";
}
${PROSODY_DOMAIN_END}
--[[
-- Enables dial-in for Jitsi meet components customers
-- Note: make sure you have the following packages installed: lua-basexx, liblua5.3-dev, libssl-dev, luarocks
-- and execute $ sudo luarocks install luajwtjitsi 3.0-0
VirtualHost "jigasi.meet.jitsi"
enabled = false -- Jitsi meet components customers remove this line
modules_enabled = {
"ping";
"bosh";
}
authentication = "token"
app_id = "jitsi";
asap_key_server = "https://jaas-public-keys.jitsi.net/jitsi-components/prod-8x8"
asap_accepted_issuers = { "jaas-components" }
asap_accepted_audiences = { "jigasi.jitmeet.example.com" }
--]]
${PROSODY_SECUREDOMAIN_START}
-- Only used on secured domains
VirtualHost "${JITSI_DOMAIN}"
authentication = "internal_plain"
VirtualHost "guest.${JITSI_DOMAIN}"
authentication = "anonymous"
c2s_require_encryption = false
${PROSODY_SECUREDOMAIN_END}
EOFPROSODY
)"
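Review bot: `external_service_secret = "${TURN_SECRET:-TurnSecret}"` silently falls back to the literal `TurnSecret` when `TURN_SECRET` is unset, so a misconfigured deployment would issue TURN credentials derived from a well-known default; the other required values in this file use `${VAR:?}`, and the secret should too. Second, `SECURED_DOMAINS` on the `if [ -n "${SECURED_DOMAINS}" ]` line has no default, so under `#!/bin/sh -eu` an unset variable aborts the script when it is executed directly, while a manifest that sources it without `-u` just sees an empty string; `${SECURED_DOMAINS:-}` makes both paths behave the same. Finally, the secured-domains block uses `authentication = "internal_plain"` whereas `auth.${JITSI_DOMAIN}` uses `internal_hashed`; unless a component needs the plaintext store, `internal_hashed` avoids keeping user passwords recoverable on disk, and since that block declares `VirtualHost "${JITSI_DOMAIN}"` a second time after the anonymous one above, a comment saying that the later `authentication` is meant to override the earlier one would help readers of only that block.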

View File

@ -0,0 +1,154 @@
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "jitmeet.example.com";
external_service_secret = "__turnSecret__";
external_services = {
{ type = "stun", host = "jitmeet.example.com", port = 3478 },
{ type = "turn", host = "jitmeet.example.com", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
{ type = "turns", host = "jitmeet.example.com", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};
cross_domain_bosh = false;
consider_bosh_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284
-- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
--http_cors_override = {
-- bosh = {
-- enabled = false;
-- };
-- websocket = {
-- enabled = false;
-- };
--}
-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
protocol = "tlsv1_2+";
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}
unlimited_jids = {
"focusUser@auth.jitmeet.example.com",
"jvb@auth.jitmeet.example.com"
}
VirtualHost "jitmeet.example.com"
-- enabled = false -- Remove this line to enable this host
authentication = "anonymous"
-- Properties below are modified by jitsi-meet-tokens package config
-- and authentication above is switched to "token"
--app_id="example_app_id"
--app_secret="example_app_secret"
-- Assign this host a certificate for TLS, otherwise it would use the one
-- set in the global section (if any).
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
-- use the global one.
ssl = {
key = "/etc/prosody/certs/jitmeet.example.com.key";
certificate = "/etc/prosody/certs/jitmeet.example.com.crt";
}
av_moderation_component = "avmoderation.jitmeet.example.com"
speakerstats_component = "speakerstats.jitmeet.example.com"
conference_duration_component = "conferenceduration.jitmeet.example.com"
-- we need bosh
modules_enabled = {
"bosh";
"pubsub";
"ping"; -- Enable mod_ping
"speakerstats";
"external_services";
"conference_duration";
"muc_lobby_rooms";
"muc_breakout_rooms";
"av_moderation";
}
c2s_require_encryption = false
lobby_muc = "lobby.jitmeet.example.com"
breakout_rooms_muc = "breakout.jitmeet.example.com"
main_muc = "conference.jitmeet.example.com"
-- muc_lobby_whitelist = { "recorder.jitmeet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
Component "conference.jitmeet.example.com" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_meeting_id";
"muc_domain_mapper";
"polls";
--"token_verification";
"muc_rate_limit";
}
admins = { "focusUser@auth.jitmeet.example.com" }
muc_room_locking = false
muc_room_default_public_jids = true
Component "breakout.jitmeet.example.com" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_meeting_id";
"muc_domain_mapper";
--"token_verification";
"muc_rate_limit";
"polls";
}
admins = { "focusUser@auth.jitmeet.example.com" }
muc_room_locking = false
muc_room_default_public_jids = true
-- internal muc component
Component "internal.auth.jitmeet.example.com" "muc"
storage = "memory"
modules_enabled = {
"ping";
}
admins = { "focusUser@auth.jitmeet.example.com", "jvb@auth.jitmeet.example.com" }
muc_room_locking = false
muc_room_default_public_jids = true
VirtualHost "auth.jitmeet.example.com"
modules_enabled = {
"limits_exception";
}
authentication = "internal_hashed"
-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
Component "focus.jitmeet.example.com" "client_proxy"
target_address = "focusUser@auth.jitmeet.example.com"
Component "speakerstats.jitmeet.example.com" "speakerstats_component"
muc_component = "conference.jitmeet.example.com"
Component "conferenceduration.jitmeet.example.com" "conference_duration_component"
muc_component = "conference.jitmeet.example.com"
Component "avmoderation.jitmeet.example.com" "av_moderation_component"
muc_component = "conference.jitmeet.example.com"
Component "lobby.jitmeet.example.com" "muc"
storage = "memory"
restrict_room_creation = true
muc_room_locking = false
muc_room_default_public_jids = true
modules_enabled = {
"muc_rate_limit";
"polls";
}
-- Enables dial-in for Jitsi meet components customers
-- Note: make sure you have the following packages installed: lua-basexx, liblua5.3-dev, libssl-dev, luarocks
-- and execute $ sudo luarocks install luajwtjitsi 3.0-0
VirtualHost "jigasi.meet.jitsi"
enabled = false -- Jitsi meet components customers remove this line
modules_enabled = {
"ping";
"bosh";
}
authentication = "token"
app_id = "jitsi";
asap_key_server = "https://jaas-public-keys.jitsi.net/jitsi-components/prod-8x8"
asap_accepted_issuers = { "jaas-components" }
asap_accepted_audiences = { "jigasi.jitmeet.example.com" }
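Review bot: this file is a copy of the upstream `prosody.cfg.lua-jvb.example` with its placeholder values (`__turnSecret__`, `focusUser`, `jitmeet.example.com`) left in; a one-line header naming the upstream URL already cited in `prosody.cfg.lua.sh` and the jitsi-meet version it was taken from would let future updates of the shell template be diffed against the right baseline, and if the file is reference material only it should say so, so nobody installs it with the placeholder secret.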

View File

@ -11,14 +11,24 @@ DESCRIPTION
-----------
This type installs and configures the frontend for Jitsi-Meet.
This supports "multi-domain" installations, notice that in such a setup, all
rooms are shared across the different URLs, e.g.
https://jitsi1.example.org/room1 and https://jitsi2.example.org/room1 are
equivalent.
Additionally to regular Jitsi-Meet, users can load `DOMAIN/i/` and
`DOMAIN/i/ROOM` for an interpreter-enabled interface; this is done with a
patched version of Jitsi Simultaneous Interpretation (jsi; see references).
At least a user with `interpreter` in their name must be present.
This type supports "multi-domain" installations.
New in April 2022: rooms are independent for each domain, that is:
https://jitsi1.example.org/room1 and https://jitsi2.example.org/room1 are
different rooms.
Note however, that right now if using secured domains, users are still shared
across any domains hosted in the same instance.
One way to work around that could be to run multiple jicofos, but we do not
want to bloat the servers.
A better way is to patch jicofo, get in touch with the type authors if you want
the gory details.
This is due to the underlying XMPP and signaling rooms being common.
There might be a way to perform tricks on the Nginx-side to avoid this, but
time is lacking :-).
This assumes `__jitsi_meet` has already been ran on the target host, and,
amongst others, that Jitsi was set up with `__target_host` as the Jitsi domain.
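Review bot: the new text states that rooms are now independent per domain, but the sentences starting "This is due to the underlying XMPP and signaling rooms being common." and "There might be a way to perform tricks on the Nginx-side" still describe the old shared-rooms behaviour; if they survive in the updated paragraph they contradict the April 2022 statement and should be dropped or rewritten to refer to the user-sharing limitation on secured domains. Also "has already been ran" should read "has already been run".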
@ -41,6 +51,11 @@ admin-email
OPTIONAL PARAMETERS
-------------------
analytics-settings
This goes inside the `analytics` part of `config.js`.
Defaults to: `disabled: true`.
See: https://github.com/jitsi/jitsi-meet/blob/master/config.js
channel-last-n
Default value for the "last N" attribute.
Defaults to 20. Set to -1 for unlimited.
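Review bot: `analytics-settings` is spliced verbatim into the `analytics` object of `config.js`, so the same constraint documented for `video-constraints` applies (valid JavaScript object members, no trailing comma); stating it here saves the user from discovering it through a broken `config.js`.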
@ -78,6 +93,15 @@ video-constraints
It must not have a trailing comma, see `constraints` in
`__jitsi_meet_domain/files/config.js.sh`.
branding-app-name
This will change `Jitsi Meet` in many places to the brand you desire.
Defaults to `Jitsi Meet`.
branding-extra-body
This must be valid HTML, it will be included server-side and delivered to
clients alongside the default `index.html`.
This is useful if you would rather not replace the whole `index`, but
still want the chance to do some heavier branding / add instructions / etc.
branding-json
Path to a JSON file that will be served as the `dynamicBrandingUrl`.
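Review bot: `branding-extra-body` is delivered server-side to every client as raw HTML, so whatever is placed there is trusted markup that runs in each participant's browser on that domain; the entry should say that the value is not sanitised and must come from the same trusted source as the index file itself. The `branding-app-name` entry says the brand replaces `Jitsi Meet` "in many places"; pointing at the template file, as the other entries do, would tell users exactly which places those are.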
@ -85,14 +109,12 @@ branding-json
`__jitsi_meet_domain/files/config.js.sh`.
If not set, no branding will be set up.
branding-index
Path to an HTML file that will be served instead of Jitsi-Meet's default
one.
If not set, the default index file will be used.
If set to `-`, the type's standard input will be used.
branding-watermark
Path to a png file that will be served instead of Jitsi-Meet's default
one.
@ -147,6 +169,7 @@ SEE ALSO
--------
- `__jitsi_meet(7)`
- `__jitsi_meet_user(7)`
- Jitsi Meet Simultaneous Interpretation: https://gitlab.com/mfmt/jsi
AUTHORS

View File

@ -18,6 +18,8 @@ NOTICE_MESSAGE="$(cat "${__object}/parameter/notice-message")"
START_VIDEO_MUTED="$(cat "${__object}/parameter/start-video-muted")"
TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
VIDEO_CONSTRAINTS="$(cat "${__object}/parameter/video-constraints")"
ANALYTICS_SETTINGS="$(cat "${__object}/parameter/analytics-settings")"
BRANDING_APP_NAME="$(cat "${__object}/parameter/branding-app-name")"
BRANDING_INDEX="$(cat "${__object}/parameter/branding-index")"
BRANDING_JSON="$(cat "${__object}/parameter/branding-json")"
BRANDING_WATERMARK="$(cat "${__object}/parameter/branding-watermark")"
@ -130,3 +132,43 @@ __file "/usr/share/jitsi-meet/images/watermark-${DOMAIN}.png" \
--mode 0644 \
--state "$(_var_state "${BRANDING_WATERMARK}")" \
--source "${BRANDING_WATERMARK}"
# Simple body customisation
__file "/usr/share/jitsi-meet/body-${DOMAIN}.html" \
--mode 0644 \
--state "$(_var_state "${STATE}")" \
--source "${__object}/parameter/branding-extra-body"
#
# Take care of prosody settings for the domain
#
JITSI_DOMAIN="${DOMAIN}"
# Prosody settings for common components (jvb, focus, ...)
# shellcheck source=type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
. "${__type}/files/prosody.cfg.lua.sh" # This defines PROSODY_CONFIG
__file "/etc/prosody/conf.avail/${DOMAIN}.cfg.lua" \
--group prosody \
--mode 0440 \
--state "${STATE}" \
--source '-' <<EOF
${PROSODY_CONFIG}
EOF
__link "/etc/prosody/conf.d/${DOMAIN}.cfg.lua" \
--source "/etc/prosody/conf.avail/${DOMAIN}.cfg.lua" \
--state "${STATE}" \
--type symbolic
if [ "${STATE}" = "present" ]; then
export require="${require} __file/etc/prosody/conf.avail/${DOMAIN}.cfg.lua __link/etc/prosody/conf.d/${DOMAIN}.cfg.lua"
__check_messages "prosody/${DOMAIN}" \
--pattern '^(__file|__link)/etc/prosody/conf[.](avail|d)/' \
--execute "$(cat <<EOF
if [ ! -f "/var/lib/prosody/${DOMAIN}.crt" ]; then
echo | prosodyctl cert generate '${DOMAIN}';
ln -sf '/var/lib/prosody/${DOMAIN}.key' '/etc/prosody/certs/${DOMAIN}.key'
ln -sf '/var/lib/prosody/${DOMAIN}.crt' '/etc/prosody/certs/${DOMAIN}.crt'
fi
# Surprisingly, a reload is not enough
service prosody restart
EOF
)"
fi
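Review bot: when `STATE` is `absent`, the `__file` and `__link` for the Prosody config are removed, but the certificate and private key created by `prosodyctl cert generate` under `/var/lib/prosody/${DOMAIN}.*` and the symlinks in `/etc/prosody/certs/` stay behind; a key for a domain that is no longer served should be cleaned up in the same branch. Second, the `__check_messages` pattern `^(__file|__link)/etc/prosody/conf[.](avail|d)/` matches the config objects of every domain, so a run that changes N domains restarts Prosody N times; narrowing the pattern to this object's `${DOMAIN}`, or restarting once from `__jitsi_meet`, would reduce the disruption. Minor: `branding-extra-body` is read straight from the parameter file (`--source "${__object}/parameter/branding-extra-body"`), unlike `branding-index`, so `-` for stdin is not supported for it; either document that or handle `-` the same way.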

View File

@ -0,0 +1 @@
disabled: true

View File

@ -0,0 +1 @@
Jitsi Meet

View File

@ -1,10 +1,13 @@
analytics-settings
channel-last-n
default-language
notice-message
start-video-muted
turn-server
video-constraints
branding-app-name
branding-json
branding-index
branding-extra-body
branding-watermark
state

View File

@ -0,0 +1,10 @@
#!/bin/sh -e
BIN_PREFIX="/usr/local/bin"
SERVICE_NAME="${__object_id}"
VERSION_FILE="${BIN_PREFIX}/.${SERVICE_NAME}.cdist.version"
if [ -f "${VERSION_FILE}" ]; then
cat "${VERSION_FILE}"
fi

View File

@ -0,0 +1,190 @@
cdist-type__single_binary_service(7)
====================================
NAME
----
cdist-type__single_binary_service - Setup a single-binary service
DESCRIPTION
-----------
This type is designed to easily deploy and configure a single-binary service
named `${__object_id}`.
A good example of this are Prometheus exporters.
This type makes certain assumptions that might not be correct on your system.
If you need more flexibility, please get in touch and provide a use-case
(and hopefully a backwards-compatible patch).
This type will place the downloaded binary and, if requested, other extra
binaries in `/usr/local/bin`.
If a `--config-file-source` is provided, it will be placed under:
`/etc/${__object_id}.conf`.
This type supports services managed by `__runit(7)` when `systemd` is not
the init system being used.
REQUIRED PARAMETERS
-------------------
checksum
This will be passed verbatim to `__download(7)`.
Use something like `sha256:...`.
url
This will be passed verbatim to `__download(7)`.
version
This type will use a thumbstone file with a "version" number to track
whether or not a service must be updated.
This thumbstone file is placed under
`/usr/local/bin/.${__object_id}.cdist.version`.
BOOLEAN PARAMETERS
------------------
unpack
If present, the contents of `--url` will be treated as an archive to be
unpacked with `__unpack(7)`.
See also `--unpack-args` and `--extra-binary`.
do-not-manage-user
Always considered present when `--user` is `root`.
If present, the user in `--user` will not be managed by this type with
`__user`, this means it *must* exist beforehand when installing the service
and it will not be removed by this type.
OPTIONAL PARAMETERS
-------------------
config-file-source
If present, this file's contents will be placed under
`/etc/${__object_id}.conf` with permissions `0440` and ownership assigned to
`--user` and `--group`.
If `-` is passed, this type's `stdin` will be used.
user
The user under which the service will run. Defaults to `root`.
If this user is not `root` and `--do-not-manage-user` is not present,
this user will be created or removed as per the `--state` parameter.
user-home-dir
Does not have an effect if `--do-not-manage-user` is used or `--user` is
`root`.
The home directory of the service user. It will be created.
Defaults to `/nonexistent`, in this case the home directory will not be
created.
group
The group under which the service will run. Defaults to `--user`.
state
Whether the service is to be `present` (default) or `absent`.
When `absent`, this type will clean any binaries listed in `--extra-binary`
and also the config file as described in `--config-file-source`.
binary
This will be the binary name. Defaults to `${__object_id}`.
If `--unpack` is used, a binary with this name must be unpacked.
Otherwise, the contents of `--url` will be placed under this binary name.
service-args
Any extra arguments to pass along with `--service-exec`. Beware that any
service-args having the format `--config=/etc/foo.cfg` should be
represented in the following way `--service-exec='--config=/etc/foo.cfg'`
service-exec
The executable to use for this service.
Defaults to `/usr/local/bin/BINARY_NAME` where `BINARY_NAME` is the
resulting value of `--binary`.
service-definition
The service definition to be used as an override.
Note that this type decides dinammically between runit and systemd, and
you can currently only define either a systemd unit or a runit script here.
Use this parameter only for testing and get in touch to discuss how your
particular use-case can be supported by the type.
service-description
The service description to be used in, e.g. the systemd unit file.
Defaults to `cdist-managed '${__object_id}' service`.
unpack-args
Only has an effect if `--unpack` is used.
These arguments will be passed verbatim to `__unpack(7)`.
Very useful as this type assumes the archive does not have the binaries in
subdirectories; that can be worked around with
`--unpack-args '--tar-strip 1'`.
unpack-extension
Only has an effect if `--unpack` is used.
The file extension of the file to unpack, defaults to `.tar.gz`.
working-directory
If set, the working directory with which the service will be started.
OPTIONAL MULTIPLE PARAMETERS
----------------------------
extra-binary
Only useful with `--unpack`.
If passed, these binaries will also be installed when `--state` is `present`
and removed when `--state` is `absent`.
Handle with care :-).
EXAMPLES
--------
.. code-block:: sh
# Install and enable the ipmi_exporter service
# The variables are defined in the manifest previously
__single_binary_service ipmi_exporter \
--user "${USER}" \
--service-args ' --config.file=/etc/ipmi_exporter.conf' \
--version "${SHOULD_VERSION}" \
--checksum "${CHECKSUM}" \
--url "${DOWNLOAD_URL}" \
--state "present" \
--unpack \
--unpack-args "--tar-strip 1" \
--config-file-source '-' <<-EOF
# Remotely managed, changes will be lost
# [...] config contents goes here
EOF
# Remove the ipmi_exporter service along with the user and its config
__single_binary_service ipmi_exporter \
--user "${USER}" \
--version "${SHOULD_VERSION}" \
--checksum "${CHECKSUM}" \
--url "${DOWNLOAD_URL}" \
--state "absent"
# Same, but the service was using my user! Let's not delete that!
__single_binary_service ipmi_exporter \
--user "evilham" \
--do-not-manage-user \
--version "${SHOULD_VERSION}" \
--checksum "${CHECKSUM}" \
--url "${DOWNLOAD_URL}" \
--state "absent"
SEE ALSO
--------
- `__download(7)`
- `__unpack(7)`
AUTHORS
-------
Evilham <contact@evilham.com>
COPYING
-------
Copyright \(C) 2022 Evilham.
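Review bot: two typos in the new manpage: "thumbstone" should be "tombstone" (twice, under `version`) and "dinammically" should be "dynamically" (under `service-definition`). The `service-args` entry is also misleading: it says arguments of the form `--config=/etc/foo.cfg` "should be represented in the following way `--service-exec='--config=/etc/foo.cfg'`", which would replace the executable rather than pass an argument; the EXAMPLES block uses `--service-args ' --config.file=/etc/ipmi_exporter.conf'` with a leading space, which looks like the actual workaround for option parsing, so the entry should describe that instead. Finally, since `checksum` is the only thing that protects the downloaded binary, it is worth stating that the value must be taken from the project's published release checksums or signature, not computed from a file fetched from the same URL.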

View File

@ -0,0 +1,288 @@
#!/bin/sh -e
SERVICE_NAME="${__object_id}"
OS="$(cat "${__global}/explorer/os")"
case "${OS}" in
debian|devuan)
SUPER_USER_GROUP=root
ETC_DIR="/etc"
;;
*bsd)
SUPER_USER_GROUP=wheel
ETC_DIR="/usr/local/etc"
;;
*)
echo "Your OS '${OS}' is currently not supported." >&2
exit 1
;;
esac
INIT="$(cat "${__global}/explorer/init")"
case "${INIT}" in
systemd)
service_definition_require="__systemd_unit/${SERVICE_NAME}.service"
service_command="service ${SERVICE_NAME} %s"
;;
runit|sysvinit)
# We will use runit to manage these services
__runit
export require="__runit"
service_definition_require="__runit_service/${SERVICE_NAME}"
service_command="sv %s ${SERVICE_NAME}"
;;
*)
echo "Init system ${INIT}' is currently not supported." >&2
exit 1
;;
esac
BIN_DIR="/usr/local/bin"
# Ensure the target bin dir exists
# Care, we never want to remove it :-D
__directory "${BIN_DIR}" \
--state "exists" \
--mode 0755
export require="${require} __directory${BIN_DIR}"
STATE="$(cat "${__object}/parameter/state")"
USER="$(cat "${__object}/parameter/user")"
GROUP="$(cat "${__object}/parameter/group" 2>/dev/null || true)"
if [ -z "${GROUP}" ]; then
if [ "${USER}" != "root" ]; then
GROUP="${USER}"
else
GROUP="${SUPER_USER_GROUP}"
fi
fi
BINARY="$(cat "${__object}/parameter/binary" 2>/dev/null || true)"
if [ -z "${BINARY}" ]; then
BINARY="${SERVICE_NAME}"
fi
EXTRA_BINARIES="$(cat "${__object}/parameter/extra-binary" 2>/dev/null || true)"
# This only makes sense for file archives
if [ -n "${EXTRA_BINARIES}" ] && [ -f "${__object}/parameter/unpack" ]; then
cat >&2 <<-EOF
You cannot specify extra binaries without the --unpack argument.
Make sure that the --url argument points to a file archive.
EOF
fi
SERVICE_EXEC="$(cat "${__object}/parameter/service-exec" 2>/dev/null || true)"
if [ -z "${SERVICE_EXEC}" ]; then
SERVICE_EXEC="${BIN_DIR}/${BINARY}"
fi
SERVICE_ARGS="$(cat "${__object}/parameter/service-args")"
SERVICE_EXEC="${SERVICE_EXEC} ${SERVICE_ARGS}"
SERVICE_DESCRIPTION="$(cat "${__object}/parameter/service-description" \
2>/dev/null || true)"
if [ -z "${SERVICE_DESCRIPTION}" ]; then
SERVICE_DESCRIPTION="cdist-managed '${SERVICE_NAME}' service"
fi
SERVICE_DEFINITION="$(cat "${__object}/parameter/service-definition" 2>/dev/null || true)"
WORKING_DIRECTORY_PATH="$(cat "${__object}/parameter/working-directory" 2>/dev/null || true)"
if [ -n "${WORKING_DIRECTORY_PATH}" ]; then
WORKING_DIRECTORY_SYSTEMD="WorkingDirectory=${WORKING_DIRECTORY_PATH}"
WORKING_DIRECTORY_RUNIT="cd '${WORKING_DIRECTORY_PATH}'"
fi
DOWNLOAD_URL="$(cat "${__object}/parameter/url")"
CHECKSUM="$(cat "${__object}/parameter/checksum")"
SHOULD_VERSION="$(cat "${__object}/parameter/version")"
# Create a user for the service if it is not root
USER_HOME_DIR="/root"
if [ "${USER}" != "root" ] && \
[ ! -f "${__object}/parameter/do-not-manage-user" ]; then
if [ "${STATE}" = "absent" ]; then
# When removing, ensure user is not being used
user_require="${service_definition_require}"
fi
USER_HOME_DIR="$(cat "${__object}/parameter/user-home-dir")"
if [ "${USER_HOME_DIR}" != "/nonexistent" ]; then
USER_CREATE_HOME="--create-home"
fi
require="${require} ${user_require}" __user "${USER}" \
--system \
--state "${STATE}" \
--home "${USER_HOME_DIR}" \
--comment "cdist-managed ${SERVICE_NAME} user" \
${USER_CREATE_HOME}
# Track dependencies
service_require="${service_require} __user/${USER}"
fi
# Place config file if necessary
CONFIG_FILE_DEST="${ETC_DIR}/${SERVICE_NAME}.conf"
CONFIG_FILE_SOURCE="$(cat "${__object}/parameter/config-file-source" 2>/dev/null || true)"
if [ "${CONFIG_FILE_SOURCE}" = "-" ]; then
CONFIG_FILE_SOURCE="${__object}/stdin"
fi
if [ -n "${CONFIG_FILE_SOURCE}" ] && [ "${STATE}" = "present" ]; then
require="${require} __user/${USER}" __file \
"${CONFIG_FILE_DEST}" \
--owner "${USER}" \
--group "${GROUP}" \
--mode "0440" \
--source "${CONFIG_FILE_SOURCE}"
service_require="${service_require} __file${CONFIG_FILE_DEST}"
fi
# This should setup the object in $service_definition_require
# See above.
case "${INIT}" in
systemd)
if [ -z "${SERVICE_DEFINITION}" ]; then
SERVICE_DEFINITION="$(cat <<EOF
[Unit]
Description=${SERVICE_DESCRIPTION}
After=network.target
[Service]
Type=simple
User=${USER}
Group=${GROUP}
ExecStart=${SERVICE_EXEC}
Restart=always
${WORKING_DIRECTORY_SYSTEMD}
[Install]
WantedBy=multi-user.target
EOF
)"
fi
__systemd_unit "${SERVICE_NAME}.service" \
--source "-" \
--state "${STATE}" \
--enablement-state "enabled" <<EOF
${SERVICE_DEFINITION}
EOF
;;
runit|sysvinit)
if [ -z "${SERVICE_DEFINITION}" ]; then
SERVICE_DEFINITION="$(cat <<EOF
#!/bin/sh -e
${WORKING_DIRECTORY_RUNIT}
export HOME="\$(getent passwd '${USER}' | cut -d: -f6)"
export USER="${USER}"
export GROUP="${GROUP}"
exec chpst -u "${USER}:${GROUP}" ${SERVICE_EXEC}
EOF
)"
fi
__runit_service "${SERVICE_NAME}" \
--state "${STATE}" \
--log \
--source - <<EOF
${SERVICE_DEFINITION}
EOF
;;
esac
service_require="${service_require} ${service_definition_require}"
# Proceed after user and service description have been prepared
export require="${require} ${service_require}"
VERSION_FILE="${BIN_DIR}/.${SERVICE_NAME}.cdist.version"
IS_VERSION="$(cat "${__object}/explorer/explorer-version")"
if [ "${STATE}" = "absent" ]; then
# Perform cleanup of generated files
for bin_file in ${BINARY} ${EXTRA_BINARIES}; do
__file "${BIN_DIR}/${bin_file}" --state "absent"
done
__file "${VERSION_FILE}" --state "absent"
__file "${CONFIG_FILE_DEST}" --state "absent"
fi
if [ "${STATE}" != "present" ]; then
exit
fi
sv_cmd() {
# This is intentional
# shellcheck disable=SC2059
printf "${service_command}" "$1"
}
if [ "${SHOULD_VERSION}" != "${IS_VERSION}" ]; then
# We are installing the service and there has been a version change
# (or it is first-time install)
TMP_PATH="/tmp/${SERVICE_NAME}-${SHOULD_VERSION}"
# This is what will stop the service, replace the binaries and
# start the service again
perform_service_upgrade="$(cat <<EOF
$(sv_cmd stop) || true
if [ -f '${TMP_PATH}' ]; then
chown root:${SUPER_USER_GROUP} '${TMP_PATH}'
chmod 0555 '${TMP_PATH}'
cp -af '${TMP_PATH}' '${BIN_DIR}/${BINARY}'
else
for bin_file in ${BINARY} ${EXTRA_BINARIES}; do
bin_path="${TMP_PATH}/\${bin_file}"
chown root:${SUPER_USER_GROUP} "\${bin_path}"
chmod 0555 "\${bin_path}"
cp -af "\${bin_path}" "${BIN_DIR}/\${bin_file}"
done
fi
$(sv_cmd start) || true
EOF
)"
if [ -f "${__object}/parameter/unpack" ]; then
UNPACK_EXTENSION="$(cat "${__object}/parameter/unpack-extension")"
UNPACK_ARGS="$(cat "${__object}/parameter/unpack-args" \
2>/dev/null || true)"
# Download packed file
__download "${TMP_PATH}${UNPACK_EXTENSION}" \
--url "${DOWNLOAD_URL}" \
--download remote \
--sum "${CHECKSUM}"
# Unpack file and also perform service upgrade
# shellcheck disable=SC2086
require="__download${TMP_PATH}${UNPACK_EXTENSION}" \
__unpack "${TMP_PATH}${UNPACK_EXTENSION}" \
${UNPACK_ARGS} \
--destination "${TMP_PATH}"
version_bump_require="__unpack${TMP_PATH}${UNPACK_EXTENSION}"
else
# Create temp directory
__directory "${TMP_PATH}"
# Download binary directoy to the temp directory with the
# specified binary name
require="__directory${TMP_PATH}" __download \
"${TMP_PATH}/${BINARY}" \
--url "${DOWNLOAD_URL}" \
--download remote \
--sum "${CHECKSUM}"
version_bump_require="__download${TMP_PATH}/${BINARY}"
fi
# Perform update of cdist-managed version file
# And also perform service upgrade
# This is a bug if service_upgrade fails >,<
printf "%s" "${SHOULD_VERSION}" | \
require="${version_bump_require}" __file \
"${VERSION_FILE}" \
--onchange "${perform_service_upgrade}" \
--source "-"
else
# We only restart here if there was a config change
# but there was not a version change
require="${service_require}" __check_messages \
"single_binary_service_${__object_id}" \
--pattern "^__file${CONFIG_FILE_DEST}" \
--execute "$(sv_cmd restart)"
fi
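Review bot: the guard on extra binaries is inverted: `if [ -n "${EXTRA_BINARIES}" ] && [ -f "${__object}/parameter/unpack" ]` prints "You cannot specify extra binaries without the --unpack argument" exactly when `--unpack` is present, and it does not `exit 1` afterwards, so the message is both wrong and non-fatal; it should test `[ ! -f ... ]` and exit. Second, the config file is placed with `require="${require} __user/${USER}" __file ...`, but `__user/${USER}` only exists when this type manages the user; with the default `--user root` or with `--do-not-manage-user`, cdist cannot resolve that dependency, and `${service_require}` (which already carries `__user/${USER}` when applicable) is the right value there. Third, the download is staged at the predictable, world-writable location `/tmp/${SERVICE_NAME}-${SHOULD_VERSION}` and then copied into `/usr/local/bin` as root; `__download` verifies the checksum, but a path under `/tmp` that another local user created beforehand is a classic symlink hazard, so a root-owned staging directory (for example under `/var/cache`, created with `__directory --mode 0700` before the download in both branches rather than only in the non-unpack one) is safer. Minor: the error string `"Init system ${INIT}' is currently not supported."` is missing its opening quote, and the author-noted case where `perform_service_upgrade` fails after the version file is written means the next run sees the new version and never retries; writing the version file as the last step of the upgrade script would close that.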

View File

@ -0,0 +1,2 @@
do-not-manage-user
unpack

View File

@ -0,0 +1 @@
present

View File

@ -0,0 +1 @@
.tar.gz

View File

@ -0,0 +1 @@
root

View File

@ -0,0 +1 @@
/nonexistent

View File

@ -0,0 +1,13 @@
config-file-source
user
group
state
binary
service-args
service-exec
service-description
service-definition
unpack-extension
unpack-args
user-home-dir
working-directory

View File

@ -0,0 +1 @@
extra-binary

View File

@ -0,0 +1,3 @@
url
checksum
version

View File

@ -38,7 +38,8 @@ install-key-to
Installation path of the certificate's private key.
renew-hook
Renew hook executed on certificate renewal (e.g. `service nginx reload`).
Renew hook executed on certificate renewal (e.g. `service nginx reload`, `-`
for the standard input).
force-cert-ownership-to
Override default ownership for TLS certificate, passed as argument to chown.

View File

@ -109,7 +109,11 @@ export CERT_TARGET
RENEW_HOOK=
if [ -f "${__object:?}/parameter/renew-hook" ];
then
RENEW_HOOK="$(cat "${__object:?}/parameter/renew-hook")"
if [ "$(cat "${__object:?}/parameter/renew-hook")" = "-" ]; then
RENEW_HOOK="$(cat ${__object:?}/stdin)"
else
RENEW_HOOK="$(cat "${__object:?}/parameter/renew-hook")"
fi
fi
export RENEW_HOOK
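Review bot: `RENEW_HOOK="$(cat ${__object:?}/stdin)"` leaves the path unquoted while the neighbouring `else` branch quotes it; quote it for consistency with the rest of the file and for shellcheck. The parameter file is also read twice; reading it once into a variable and then testing `= "-"` is simpler and avoids the duplicated `cat`.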