sparrowhawk/cdist-contrib
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Compare commits

base: sparrowhawk:master
Branches Tags
sparrowhawk:master
sparrowhawk:php
sparrowhawk:newtype/dirbackup
sparrowhawk:__matrix_synapse
sparrowhawk:netbox
sparrowhawk:root-mail-dma
..
compare: sparrowhawk:__matrix_synapse
Branches Tags
sparrowhawk:master
sparrowhawk:php
sparrowhawk:newtype/dirbackup
sparrowhawk:__matrix_synapse
sparrowhawk:netbox
sparrowhawk:root-mail-dma

2 commits
master ... __matrix_s

Author SHA1 Message Date
Timothée Floure
716b4de8e1 __matrix_synapse: make shellcheck happy! 2020-07-28 14:44:37 +02:00
Timothée Floure
451f09d746 Import __matrix_synapse type from ungleich's dot-cdist 2020-06-25 11:16:20 +02:00
434 changed files with 2077 additions and 19870 deletions
Show stats Expand all files Collapse all files

21
.gitlab-ci.yml
View file

@ -1,29 +1,14 @@
stages:
- test
- doc
image: code.ungleich.ch:5050/ungleich-public/cdist-contrib/ci-container:latest
image: code.ungleich.ch:5050/ungleich-public/cdist/cdist-ci:latest
shellcheck:
stage: test
script:
- make lint
- ./scripts/run-shellcheck.sh
manpages:
stage: test
script:
- make check-manpages
docs:
stage: doc
only:
- master@ungleich-public/cdist-contrib
before_script:
- eval $(ssh-agent -s)
- echo "$CD_SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null
- mkdir -p ~/.ssh
- echo "$CD_SSH_SERVER_HOSTKEYS" > ~/.ssh/known_hosts
- chmod 644 ~/.ssh/known_hosts
script:
- make html
- sftp fnux@staticwebhosting.ungleich.ch:public_html/cdist-contrib <<< "put -r docs/dist/html/*"
- ./scripts/run-manpage-checks.sh

4
CHANGELOG.md Normal file
View file

@ -0,0 +1,4 @@
# cdist-contrib changes
* 2020-06-03: New type: __unbound (Timothée Floure)
* 2020-04-28: New type: __find_exec (Ander Punnar)

70
Makefile
View file

@ -1,70 +0,0 @@
.PHONY: help
help:
@echo "Please use \`make <target>' where <target> is one of"
@echo "man build only man user documentation"
@echo "html build only html user documentation"
@echo "docs build both man and html user documentation"
@echo "check-manpages check for manpage in types"
@echo "lint run shellcheck on types"
@echo "check run both type manpage checks and linting"
@echo "clean clean"
DOCS_SRC_DIR=./docs/src
TYPEDIR=./type
SPHINXM=make -C $(DOCS_SRC_DIR) man
SPHINXH=make -C $(DOCS_SRC_DIR) html
SPHINXC=make -C $(DOCS_SRC_DIR) clean
################################################################################
# Manpages
#
MAN7DSTDIR=$(DOCS_SRC_DIR)/man7
# Use shell / ls to get complete list - $(TYPEDIR)/*/man.rst does not work
# Using ls does not work if no file with given pattern exist, so use wildcard
MANTYPESRC=$(wildcard $(TYPEDIR)/*/man.rst)
MANTYPEPREFIX=$(subst $(TYPEDIR)/,$(MAN7DSTDIR)/cdist-type,$(MANTYPESRC))
MANTYPES=$(subst /man.rst,.rst,$(MANTYPEPREFIX))
# Link manpage: do not create man.html but correct named file
$(MAN7DSTDIR)/cdist-type%.rst: $(TYPEDIR)/%/man.rst
mkdir -p $(MAN7DSTDIR)
ln -sf "../../../$^" $@
DOCSINDEX=$(MAN7DSTDIR)/index.rst
DOCSINDEXH=$(DOCS_SRC_DIR)/index.rst.sh
$(DOCSINDEX): $(DOCSINDEXH)
$(DOCSINDEXH)
# Manpages: .cdist Types
DOT_CDIST_PATH=${HOME}/.cdist
DOTMAN7DSTDIR=$(MAN7DSTDIR)
DOTTYPEDIR=$(DOT_CDIST_PATH)/type
# Link manpage: do not create man.html but correct named file
$(DOTMAN7DSTDIR)/cdist-type%.rst: $(DOTTYPEDIR)/%/man.rst
ln -sf "$^" $@
man: $(MANTYPES) $(DOCSINDEX)
$(SPHINXM)
html: $(MANTYPES) $(DOCSINDEX)
$(SPHINXH)
docs: man html
check-manpages:
./scripts/run-manpage-checks.sh
lint:
./scripts/run-shellcheck.sh
check: check-manpages lint
clean:
$(SPHINXC)
rm -f docs/src/index.rst
rm -rf docs/src/man7/
rm -rf docs/src/__pycache__/

19
README.md
View file

@ -5,9 +5,8 @@ tool with community-maitained types which are either too specific to fit/be
maintained in cdist itself or were not accepted in code cdist but could still
be useful.
This project does not have releases and is continously updated: see git history
for change log. You will find HTML documentation at
[contrib.cdi.st](https://contrib.cdi.st).
This project does not have releases and is continously updated: see
`CHANGELOG.md` for details.
## Using cdist-contrib
@ -33,11 +32,14 @@ And you would run [cdist][cdist] from the same directory as follows:
## Participating in the [cdist][cdist] community
Join us on [#cdist:ungleich.ch][cdistmatrix] on matrix!
Join us on [#cdist:ungleich.ch][cdistmatrix] on matrix or on
[#cdist over mattermost][cdistmattermost].
[cdist]: https://www.cdi.st/
[cdistconfig]: https://www.cdi.st/manual/latest/cdist-configuration.html
[cdistmatrix]: https://matrix.to/#/#cdist:ungleich.ch
[cdistmattermost]: https://chat.ungleich.ch/ungleich/channels/cdist
## Contributing
@ -51,12 +53,3 @@ Every type in cdist-contrib must:
* Have a `man.rst` documentation page.
* Pass [shellcheck](http://shellcheck.net/) without errors.
## Other resources
Some people/organizations are known to keep some cdist types that might be of
interest to others:
* [cdist-evilham](https://git.sr.ht/~evilham/cdist-evilham): Evilham's cdist-types
* [cdist-recycledcloud](https://code.recycled.cloud/RecycledCloud/cdist-recycledcloud): e-Durable SA / Recycled Cloud public types
* [cdist-ungleich](https://code.ungleich.ch/ungleich-public/cdist-ungleich): ungleich public types

235
docs/src/Makefile
View file

@ -1,235 +0,0 @@
# Makefile for Sphinx documentation
#
# You can set these variables from the command line.
SPHINXOPTS ?=
SPHINXBUILD ?= sphinx-build
PAPER ?=
BUILDDIR ?= ../dist
# for cache, etc.
_BUILDDIR = _build
# User-friendly check for sphinx-build
ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1)
$(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don\'t have Sphinx installed, grab it from http://sphinx-doc.org/)
endif
# Internal variables.
PAPEROPT_a4 = -D latex_paper_size=a4
PAPEROPT_letter = -D latex_paper_size=letter
ALLSPHINXOPTS = -d $(_BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
# the i18n builder cannot share the environment and doctrees with the others
I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
.PHONY: help
help:
@echo "Please use \`make <target>' where <target> is one of"
@echo " html to make standalone HTML files"
@echo " dirhtml to make HTML files named index.html in directories"
@echo " singlehtml to make a single large HTML file"
@echo " pickle to make pickle files"
@echo " json to make JSON files"
@echo " htmlhelp to make HTML files and a HTML help project"
@echo " qthelp to make HTML files and a qthelp project"
@echo " applehelp to make an Apple Help Book"
@echo " devhelp to make HTML files and a Devhelp project"
@echo " epub to make an epub"
@echo " epub3 to make an epub3"
@echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
@echo " latexpdf to make LaTeX files and run them through pdflatex"
@echo " latexpdfja to make LaTeX files and run them through platex/dvipdfmx"
@echo " text to make text files"
@echo " man to make manual pages"
@echo " texinfo to make Texinfo files"
@echo " info to make Texinfo files and run them through makeinfo"
@echo " gettext to make PO message catalogs"
@echo " changes to make an overview of all changed/added/deprecated items"
@echo " xml to make Docutils-native XML files"
@echo " pseudoxml to make pseudoxml-XML files for display purposes"
@echo " linkcheck to check all external links for integrity"
@echo " doctest to run all doctests embedded in the documentation (if enabled)"
@echo " coverage to run coverage check of the documentation (if enabled)"
@echo " dummy to check syntax errors of document sources"
.PHONY: clean
clean:
rm -rf $(BUILDDIR)/*
rm -rf $(_BUILDDIR)/*
.PHONY: html
html:
$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
@echo
@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
.PHONY: dirhtml
dirhtml:
$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
@echo
@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
.PHONY: singlehtml
singlehtml:
$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
@echo
@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
.PHONY: pickle
pickle:
$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
@echo
@echo "Build finished; now you can process the pickle files."
.PHONY: json
json:
$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
@echo
@echo "Build finished; now you can process the JSON files."
.PHONY: htmlhelp
htmlhelp:
$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
@echo
@echo "Build finished; now you can run HTML Help Workshop with the" \
".hhp project file in $(BUILDDIR)/htmlhelp."
.PHONY: qthelp
qthelp:
$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
@echo
@echo "Build finished; now you can run "qcollectiongenerator" with the" \
".qhcp project file in $(BUILDDIR)/qthelp, like this:"
@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/cdist-docs.qhcp"
@echo "To view the help file:"
@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/cdist-docs.qhc"
.PHONY: applehelp
applehelp:
$(SPHINXBUILD) -b applehelp $(ALLSPHINXOPTS) $(BUILDDIR)/applehelp
@echo
@echo "Build finished. The help book is in $(BUILDDIR)/applehelp."
@echo "N.B. You won't be able to view it unless you put it in" \
"~/Library/Documentation/Help or install it in your application" \
"bundle."
.PHONY: devhelp
devhelp:
$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
@echo
@echo "Build finished."
@echo "To view the help file:"
@echo "# mkdir -p $$HOME/.local/share/devhelp/cdist-docs"
@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/cdist-docs"
@echo "# devhelp"
.PHONY: epub
epub:
$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
@echo
@echo "Build finished. The epub file is in $(BUILDDIR)/epub."
.PHONY: epub3
epub3:
$(SPHINXBUILD) -b epub3 $(ALLSPHINXOPTS) $(BUILDDIR)/epub3
@echo
@echo "Build finished. The epub3 file is in $(BUILDDIR)/epub3."
.PHONY: latex
latex:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo
@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
@echo "Run \`make' in that directory to run these through (pdf)latex" \
"(use \`make latexpdf' here to do that automatically)."
.PHONY: latexpdf
latexpdf:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo "Running LaTeX files through pdflatex..."
$(MAKE) -C $(BUILDDIR)/latex all-pdf
@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
.PHONY: latexpdfja
latexpdfja:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo "Running LaTeX files through platex and dvipdfmx..."
$(MAKE) -C $(BUILDDIR)/latex all-pdf-ja
@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
.PHONY: text
text:
$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
@echo
@echo "Build finished. The text files are in $(BUILDDIR)/text."
.PHONY: man
man:
$(SPHINXBUILD) -b cman $(ALLSPHINXOPTS) $(BUILDDIR)/man
mkdir -p $(BUILDDIR)/man/man7
mv -f $(BUILDDIR)/man/*.7 $(BUILDDIR)/man/man7/
@echo
@echo "Build finished. The manual pages are in $(BUILDDIR)/man."
.PHONY: texinfo
texinfo:
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
@echo
@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
@echo "Run \`make' in that directory to run these through makeinfo" \
"(use \`make info' here to do that automatically)."
.PHONY: info
info:
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
@echo "Running Texinfo files through makeinfo..."
make -C $(BUILDDIR)/texinfo info
@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
.PHONY: gettext
gettext:
$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
@echo
@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
.PHONY: changes
changes:
$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
@echo
@echo "The overview file is in $(BUILDDIR)/changes."
.PHONY: linkcheck
linkcheck:
$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
@echo
@echo "Link check complete; look for any errors in the above output " \
"or in $(BUILDDIR)/linkcheck/output.txt."
.PHONY: doctest
doctest:
$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
@echo "Testing of doctests in the sources finished, look at the " \
"results in $(BUILDDIR)/doctest/output.txt."
.PHONY: coverage
coverage:
$(SPHINXBUILD) -b coverage $(ALLSPHINXOPTS) $(BUILDDIR)/coverage
@echo "Testing of coverage in the sources finished, look at the " \
"results in $(BUILDDIR)/coverage/python.txt."
.PHONY: xml
xml:
$(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml
@echo
@echo "Build finished. The XML files are in $(BUILDDIR)/xml."
.PHONY: pseudoxml
pseudoxml:
$(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml
@echo
@echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml."
.PHONY: dummy
dummy:
$(SPHINXBUILD) -b dummy $(ALLSPHINXOPTS) $(BUILDDIR)/dummy
@echo
@echo "Build finished. Dummy builder generates no files."

101
docs/src/conf.py
View file

@ -1,101 +0,0 @@
#!/usr/bin/env python3
import sys
import os
import sphinx_rtd_theme
from datetime import date
# If extensions (or modules to document with autodoc) are in another directory,
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
# sys.path.insert(0, os.path.abspath('.'))
sys.path.insert(0, os.path.abspath(os.path.join(
os.path.dirname(os.path.realpath(__file__)), "..", "..")))
# -- General configuration ------------------------------------------------
# If your documentation needs a minimal Sphinx version, state it here.
# needs_sphinx = '1.0'
# Add any Sphinx extension module names here, as strings. They can be
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
# ones.
extensions = [
'docs.src.manpage',
'sphinx.ext.extlinks',
]
# The suffix(es) of source filenames.
# You can specify multiple suffix as a list of string:
source_suffix = ['.rst']
# The encoding of source files.
# source_encoding = 'utf-8-sig'
# The master toctree document.
master_doc = 'index'
# General information about the project.
project = 'cdist-contrib'
copyright = 'cdist-contrib contributors'
# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
# built documents.
version = str(date.today())
release = os.popen('git rev-parse HEAD').read()
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
#
# This is also used if you do content translation via gettext catalogs.
# Usually you set "language" from the command line for these cases.
language = None
# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'sphinx'
# If true, `todo` and `todoList` produce output, else they produce nothing.
todo_include_todos = False
# -- Options for HTML output ----------------------------------------------
# The theme to use for HTML and HTML Help pages. See the documentation for
# a list of builtin themes.
html_theme = 'sphinx_rtd_theme'
html_theme_path = [sphinx_rtd_theme.get_html_theme_path()]
# Output file base name for HTML help builder.
htmlhelp_basename = 'cdistcontribdoc'
# -- Options for manual page output ---------------------------------------
# One entry per manual page. List of tuples
# (source start file, name, description, authors, manual section).
root_mandir = os.path.dirname(os.path.realpath(__file__))
mandirs = []
for mansubdir in ('man7',):
mandirs.append((os.path.join(root_mandir, mansubdir), mansubdir[-1]))
man_pages = []
for mandir, section in mandirs:
for root, dirs, files in os.walk(mandir):
for fname in files:
froot, fext = os.path.splitext(fname)
if fext == '.rst':
man_page = (os.path.join('man' + str(section), froot),
froot, '', [], section)
man_pages.append(man_page)
# man_pages = [
# ('cdist-type', 'cdist-type', 'cdist-type documentation',
# [author], 1),
# ('man7/cdist-type__file', 'cdist-type__file',
# '', [], 1),
# ('cdist-type__directory', 'cdist-type__directory',
# 'cdist-type__directory documentation', [author], 1),
# ]
# If true, show URL addresses after external links.
# man_show_urls = False

40
docs/src/index.rst.sh
View file

@ -1,40 +0,0 @@
#!/bin/sh
__cdist_pwd="$(pwd -P)"
__cdist_mydir="${0%/*}";
__cdist_abs_mydir="$(cd "$__cdist_mydir" && pwd -P)"
__cdist_myname=${0##*/};
__cdist_abs_myname="$__cdist_abs_mydir/$__cdist_myname"
filename="${__cdist_myname%.sh}"
dest="$__cdist_abs_mydir/$filename"
if ! command -v pandoc > /dev/null; then
echo "Pandoc is required to generate HTML index from README." >&2
exit 1
fi
cd "$__cdist_abs_mydir"
exec > "$dest"
pandoc -f markdown -t rst ../../README.md
cat << EOF
.. toctree::
:hidden:
EOF
# If there is no such file then ls prints error to stderr,
# so redirect stderr to /dev/null.
for type in $(ls man7/cdist-type__*.rst 2>/dev/null | LC_ALL=C sort); do
no_dir="${type#man7/}";
no_type="${no_dir#cdist-type}";
name="${no_type%.rst}";
manref="${no_dir%.rst}"
man="${manref}(7)"
echo " $name" "<man7/${manref}>"
done

87
docs/src/manpage.py
View file

@ -1,87 +0,0 @@
import sphinx.builders.manpage
import sphinx.writers.manpage
from docutils.frontend import OptionParser
from sphinx.util.console import bold, darkgreen
from six import string_types
from docutils.io import FileOutput
from os import path
from sphinx.util.nodes import inline_all_toctrees
from sphinx import addnodes
from sphinx.util import logging
"""
Extension based on sphinx builtin manpage.
It does not write its own .SH NAME based on config,
but leaves everything to actual reStructuredText file content.
"""
logger = logging.getLogger(__name__)
class ManualPageTranslator(sphinx.writers.manpage.ManualPageTranslator):
def header(self):
tmpl = (".TH \"%(title_upper)s\" \"%(manual_section)s\""
" \"%(date)s\" \"%(version)s\" \"%(manual_group)s\"\n")
return tmpl % self._docinfo
class ManualPageWriter(sphinx.writers.manpage.ManualPageWriter):
def __init__(self, builder):
super().__init__(builder)
self.translator_class = (
self.builder.get_translator_class() or ManualPageTranslator)
class ManualPageBuilder(sphinx.builders.manpage.ManualPageBuilder):
name = 'cman'
default_translator_class = ManualPageTranslator
def write(self, *ignored):
docwriter = ManualPageWriter(self)
docsettings = OptionParser(
defaults=self.env.settings,
components=(docwriter,),
read_config_files=True).get_default_values()
logger.info(bold('writing... '), nonl=True)
for info in self.config.man_pages:
docname, name, description, authors, section = info
if isinstance(authors, string_types):
if authors:
authors = [authors]
else:
authors = []
targetname = '%s.%s' % (name, section)
logger.info(darkgreen(targetname) + ' { ', nonl=True)
destination = FileOutput(
destination_path=path.join(self.outdir, targetname),
encoding='utf-8')
tree = self.env.get_doctree(docname)
docnames = set()
largetree = inline_all_toctrees(self, docnames, docname, tree,
darkgreen, [docname])
logger.info('} ', nonl=True)
self.env.resolve_references(largetree, docname, self)
# remove pending_xref nodes
for pendingnode in largetree.traverse(addnodes.pending_xref):
pendingnode.replace_self(pendingnode.children)
largetree.settings = docsettings
largetree.settings.title = name
largetree.settings.subtitle = description
largetree.settings.authors = authors
largetree.settings.section = section
docwriter.write(largetree, destination)
logger.info("")
def setup(app):
app.add_builder(ManualPageBuilder)

7
scripts/ci-container/Dockerfile
View file

@ -1,7 +0,0 @@
# This image is used in the cdist-contrib CI for linting and generating the
# documentation.
FROM fedora:latest
MAINTAINER Timothée Floure <fnux@ungleich.ch>
RUN dnf install -y git findutils make python3-sphinx python3-sphinx_rtd_theme \
ShellCheck openssh-clients pandoc

26
scripts/run-shellcheck.sh
View file

@ -1,29 +1,21 @@
#!/bin/sh -eu
#!/bin/sh
SHELLCHECKCMD='shellcheck -s sh -f gcc -x'
SHELLCHECKCMD="shellcheck -s sh -f gcc -x"
# Skip SC2154 for variables starting with __ since such variables are cdist
# environment variables.
SHELLCHECK_SKIP=': __.*is referenced but not assigned.*\[SC2154\]'
SHELLCHECKTMP='.shellcheck.tmp'
SHELLCHECKTMP=".shellcheck.tmp"
# Move to top-level cdist-contrib directory.
cd "$(dirname $0)"/..
cd $(dirname $0)/..
check() {
find type/ -type f "$@" -exec ${SHELLCHECKCMD} {} + \
| grep -v "${SHELLCHECK_SKIP}" >>"${SHELLCHECKTMP}" || true
check () {
find type/ -type f $1 $2 -exec ${SHELLCHECKCMD} {} + | grep -v "${SHELLCHECK_SKIP}" > "${SHELLCHECKTMP}"
test ! -s "${SHELLCHECKTMP}" || { cat "${SHELLCHECKTMP}"; exit 1; }
}
rm -f "${SHELLCHECKTMP}"
check -path '*/explorer/*'
check -path '*/files/*' -name '*.sh'
check -path "*/explorer/*"
check -path "*/files/*"
check -name manifest
check -name gencode-local
check -name gencode-remote
if test -s "${SHELLCHECKTMP}"
then
cat "${SHELLCHECKTMP}" >&2
exit 1
fi

45
type/__bird_bgp/files/template.sh
View file

@ -1,45 +0,0 @@
#!/bin/sh
# Template to generate a bgp protocol configuration file for bird(1).
# Required non-empty variables:
# __object_id, local_{ip,as}, neighbor_{ip,as}
#
# Required defined variables:
# description, password, ipv{4,6}_{import,export}
# Header
echo "protocol bgp ${__object_id:?} {"
# Optional description
[ -n "${description?}" ] && printf "\tdescription \"%s\";\n" "${description?}"
# Mandatory session information
cat << EOF
local ${local_ip?} as ${local_as:?};
neighbor ${neighbor_ip:?} as ${neighbor_as:?};
EOF
# Direct connection ?
[ -n "${direct?}" ] && printf "\tdirect;\n"
# Password-protected session ?
[ -n "${password?}" ] && printf "\tpassword \"%s\";\n" "${password?}"
if [ -n "${ipv4_import?}" ] || [ -n "${ipv4_export?}" ] || "${ipv4_extended_next_hop?}";
then
printf "\tipv4 {\n"
[ -n "${ipv4_import?}" ] && printf "\t\timport %s;\n" "${ipv4_import:?}"
[ -n "${ipv4_export?}" ] && printf "\t\texport %s;\n" "${ipv4_export:?}"
[ -n "${ipv4_extended_next_hop?}" ] && printf "\t\textended next hop;\n"
printf "\t};\n"
fi
if [ -n "${ipv6_import?}" ] || [ -n "${ipv6_export?}" ] || "${ipv6_extended_next_hop?}";
then
printf "\tipv6 {\n"
[ -n "${ipv6_import?}" ] && printf "\t\timport %s;\n" "${ipv6_import:?}"
[ -n "${ipv6_export?}" ] && printf "\t\texport %s;\n" "${ipv6_export:?}"
[ -n "${ipv6_extended_next_hop?}" ] && printf "\t\textended next hop;\n"
printf "\t};\n"
fi
# Header close
echo "}"

105
type/__bird_bgp/man.rst
View file

@ -1,105 +0,0 @@
cdist-type__bird_bgp(7)
=======================
NAME
----
cdist-type__bird_bgp - configure an instance of the BGP protocol.
DESCRIPTION
-----------
This type writes the configuration for an instance of the BGP protocol to be
ran by the bird internet routing daemon. It **expects** to depend on the
`cdist-type__bird_core(7)` type.
REQUIRED PARAMETERS
-------------------
local-as
The number for the AS in which the daemon is running.
neighbor-as
The number of the AS with which we are peering.
neighbor-ip
The IP address of the peer we are opening a session with.
OPTIONAL PARAMETERS
-------------------
description
An instance desciption to be printed when `birdc show protocols` is called.
local-ip
The IP address used as a source address for the BGP session.
password
A password for the BGP session.
ipv4-import
A string suitable for the bird `import` directive. Usually `all`, `none` or
a filter definition.
ipv4-export
See ipv4-import.
ipv4-extended-next-hop
Allow IPv6 next hop in IPv4 NLRI.
ipv6-import
See ipv4-import.
ipv6-export
See ipv4-import.
ipv6-extended-next-hop
Allow IPv4 next hop in IPv6 NLRI.
BOOLEAN PARAMETERS
------------------
direct
Specify that the two routers are directly connected.
EXAMPLES
--------
.. code-block:: sh
# Setup bird and open a BGP session.
__bird_core --router-id 198.51.100.4
require='__bird_core' __bird_bgp bgp4 \
--description "a test IPv4 BGP instance" \
--ipv4-export all \
--ipv4-import all \
--ipv6-export none \
--ipv6-import none \
--local-as 1234 \
--local-ip 198.51.100.4 \
--neighbor-as 4321 \
--neighbor-ip 198.51.100.3 \
--password hunter01
SEE ALSO
--------
cdist-type__bird_core(7)
cdist-type__bird_filter(7)
cdist-type__bird_kernel(7)
cdist-type__bird_ospf(7)
cdist-type__bird_static(7)
AUTHORS
-------
Joachim Desroches <joachim.desroches@epfl.ch>
COPYING
-------
Copyright \(C) 2021 Joachim Desroches. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

122
type/__bird_bgp/manifest
View file

@ -1,122 +0,0 @@
#!/bin/sh -e
#
# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
os=$(cat "${__global:?}/explorer/os")
case "$os" in
"alpine"|"debian"|"ubuntu")
confdir="/etc/bird.d"
;;
*)
printf "Your operating system (%s) is currently not supported by __bird_bgp\n" "$os" >&2
printf "Please contribute an implementation for it if you can.\n" >&2
exit 1
;;
esac
# Required parameters
local_as="$(cat "${__object:?}"/parameter/local-as)"
export local_as
neighbor_as="$(cat "${__object:?}"/parameter/neighbor-as)"
export neighbor_as
neighbor_ip="$(cat "${__object:?}"/parameter/neighbor-ip)"
export neighbor_ip
# Optional parameters
description=
if [ -f "${__object:?}"/parameter/description ];
then
description="$(cat "${__object:?}"/parameter/description)"
fi
export description
direct=
if [ -f "${__object:?}"/parameter/direct ];
then
direct="true"
fi
export direct
ipv4_extended_next_hop=
if [ -f "${__object:?}"/parameter/ipv4-extended-next-hop ];
then
ipv4_extended_next_hop="true"
fi
export ipv4_extended_next_hop
ipv6_extended_next_hop=
if [ -f "${__object:?}"/parameter/ipv6-extended-next-hop ];
then
ipv6_extended_next_hop="true"
fi
export ipv6_extended_next_hop
local_ip=
if [ -f "${__object:?}"/parameter/local-ip ];
then
local_ip="$(cat "${__object:?}"/parameter/local-ip)"
fi
export local_ip
password=
if [ -f "${__object:?}"/parameter/password ];
then
password="$(cat "${__object:?}"/parameter/password)"
fi
export password
ipv4_import=
if [ -f "${__object:?}"/parameter/ipv4-import ];
then
ipv4_import="$(cat "${__object:?}"/parameter/ipv4-import)"
fi
export ipv4_import
ipv4_export=
if [ -f "${__object:?}"/parameter/ipv4-export ];
then
ipv4_export="$(cat "${__object:?}"/parameter/ipv4-export)"
fi
export ipv4_export
ipv6_import=
if [ -f "${__object:?}"/parameter/ipv6-import ];
then
ipv6_import="$(cat "${__object:?}"/parameter/ipv6-import)"
fi
export ipv6_import
ipv6_export=
if [ -f "${__object:?}"/parameter/ipv6-export ];
then
ipv6_export="$(cat "${__object:?}"/parameter/ipv6-export)"
fi
export ipv6_export
# Run template
"${__type:?}"/files/template.sh > "${__files:?}/bgp-${__object_id:?}.conf"
# Install resulting configuration
__file "${confdir:?}"/bgp-"${__object_id:?}".conf \
--mode 0640 --owner root --group bird \
--source "${__files:?}/bgp-${__object_id:?}.conf"

3
type/__bird_bgp/parameter/boolean
View file

@ -1,3 +0,0 @@
direct
ipv4-extended-next-hop
ipv6-extended-next-hop

7
type/__bird_bgp/parameter/optional
View file

@ -1,7 +0,0 @@
description
ipv4-export
ipv4-import
ipv6-export
ipv6-import
local-ip
password

3
type/__bird_bgp/parameter/required
View file

@ -1,3 +0,0 @@
local-as
neighbor-as
neighbor-ip

65
type/__bird_core/man.rst
View file

@ -1,65 +0,0 @@
cdist-type__bird-core(7)
========================
NAME
----
cdist-type__bird-core - setup a skeleton bird configuration.
DESCRIPTION
-----------
The `bird`_ daemon is an internet routing daemon, running protocols such as
OSPF and BGP. This type creates a skeleton configuration file suitable for
running a no-op bird. It is then intended to be combined - and depended on - by
types specific to the instances of the various protocols that bird should run.
.. _bird: https://bird.network.cz/
OPTIONAL PARAMETERS
-------------------
router-id
This parameter follows the format of an IPv4 address, and will be used by
bird as its router id. See `the documentation for router id`_.
.. _the documentation for router id: https://bird.network.cz/?get_doc&v=20&f=bird-3.html#opt-router-id
log-params
This parameter expects a string suitable to follow the `log` bird
configuration key. If this parameter is not include, the value `syslog all`
is used. See `the documentation for log`_.
.. _the documentation for log: https://bird.network.cz/?get_doc&v=20&f=bird-3.html#opt-log
EXAMPLES
--------
.. code-block:: sh
__bird-core --router-id 198.51.100.4
require='__bird-core' __bird_bgp <...>
require='__bird-core' __bird_ospf <...>
SEE ALSO
--------
cdist-type__bird_bgp(7)
cdist-type__bird_filter(7)
cdist-type__bird_kernel(7)
cdist-type__bird_ospf(7)
cdist-type__bird_static(7)
AUTHORS
-------
Joachim Desroches <joachim.desroches@epfl.ch>
COPYING
-------
Copyright \(C) 2021 Joachim Desroches. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

72
type/__bird_core/manifest
View file

@ -1,72 +0,0 @@
#!/bin/sh -e
#
# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
os=$(cat "${__global:?}/explorer/os")
package=
conffile=
confdir=
case "$os" in
"alpine")
package=bird
conffile=/etc/bird.conf
confdir=/etc/bird.d
;;
*)
printf "Your operating system (%s) is currently not supported by __bird_core\n" "$os" >&2
printf "Please contribute an implementation for it if you can.\n" >&2
exit 1
;;
esac
router_id=
if [ -f "${__object:?}/parameter/router-id" ];
then
router_id="router id $(cat "${__object:?}"/parameter/router-id);"
fi
log_params="syslog all"
if [ -f "${__object:?}/parameter/log-params" ];
then
log_params="$(cat "${__object:?}"/parameter/log-params)"
fi
__package "$package"
export require="__package/$package"
__directory "$confdir"
__file "$conffile" \
--mode 0640 --owner root --group bird \
--source - << EOF
# $conffile - bird(1) configuration file.
# Managed by cdist. Do not edit by hand.
${router_id}
log ${log_params};
# Always include this "protocol": all it does is expose the available
# interfaces to bird.
protocol device {
description "Obtain a list of device interfaces.";
}
include "$confdir/*.conf";
EOF

1
type/__bird_core/parameter/optional
View file

@ -1 +0,0 @@
log-params

1
type/__bird_core/parameter/required
View file

@ -1 +0,0 @@
router-id

63
type/__bird_filter/man.rst
View file

@ -1,63 +0,0 @@
cdist-type__bird_filter(7)
==========================
NAME
----
cdist-type__bird_filter - Create a named filter to use in configuring bird.
DESCRIPTION
-----------
This type writes a configuration file defining a filter named `__object_id` for
the bird internet routing daemon. It is guaranteed that all filters defined
through this type will be loaded before any other protocol defined using the
cdist __bird_xxx types, except functions. However, note that if two filters
have a dependency, they will be loaded in alphabetical order, so some care may
need to be taken in the naming.
This type takes it's input through stdin, expecting valid filter statements as
per the bird configuration file syntax. The standard input will be printed out
between a `filter __object_id {\n ... \n}`, so only the inner statements are
needed.
EXAMPLES
--------
.. code-block:: sh
# Setup bird, a filter and open a BGP session.
__bird_core --router-id 198.51.100.4
require='__bird_core' __bird_filter bgp_export <<- EOF
if (source = RTS_DEVICE) then accept;
reject;
EOF
require='__bird_core' __bird_bgp bgp4 \
--description "a test IPv4 BGP instance" \
--ipv4-export "filter bgp_export" \
--[...]
SEE ALSO
--------
cdist-type__bird_core(7)
cdist-type__bird_bgp(7)
cdist-type__bird_function(7)
cdist-type__bird_kernel(7)
cdist-type__bird_ospf(7)
cdist-type__bird_static(7)
AUTHORS
-------
Joachim Desroches <joachim.desroches@epfl.ch>
COPYING
-------
Copyright \(C) 2021 Joachim Desroches. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

44
type/__bird_filter/manifest
View file

@ -1,44 +0,0 @@
#!/bin/sh -e
#
# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
os=$(cat "${__global:?}/explorer/os")
case "$os" in
'alpine'|'debian'|'ubuntu')
confdir=/etc/bird.d
;;
*)
printf "Your operating system (%s) is currently not supported by __bird_filter\n" "$os" >&2
printf "Please contribute an implementation for it if you can.\n" >&2
exit 1
;;
esac
# Filters start with 1 because bird loads the config in alphanumerical order
# and we need them to be defined to be used in the rest of the stuff, but after
# functions.
__file "$confdir/1-filter-${__object_id:?}.conf" \
--owner root --group bird --mode 0640 \
--source - << EOF
filter ${__object_id:?} {
$(cat "${__object:?}"/stdin)
}
EOF

58
type/__bird_function/man.rst
View file

@ -1,58 +0,0 @@
cdist-type__bird_function(7)
============================
NAME
----
cdist-type__bird_function - Create a named function to use in configuring bird.
DESCRIPTION
-----------
This type writes a configuration file for the bird internet routing daemon. It
is guaranteed that all functions defined through this type will be loaded
before any other protocol defined using the cdist __bird_xxx types. However,
note that if two functions have a dependency, they will be loaded in
alphabetical order, so some care may need to be taken in the naming.
This type takes it's input through stdin, expecting a valid function definition
as per the bird configuration file syntax.
EXAMPLES
--------
.. code-block:: sh
# Setup bird, a function and open a BGP session.
__bird_core --router-id 198.51.100.4
require='__bird_core' __bird_function is_device <<- EOF
function is_device (enum source)
{
if (source = RTS_DEVICE) then return true;
return false;
}
EOF
SEE ALSO
--------
cdist-type__bird_core(7)
cdist-type__bird_bgp(7)
cdist-type__bird_filter(7)
cdist-type__bird_kernel(7)
cdist-type__bird_ospf(7)
cdist-type__bird_static(7)
AUTHORS
-------
Joachim Desroches <joachim.desroches@epfl.ch>
COPYING
-------
Copyright \(C) 2021 Joachim Desroches. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

41
type/__bird_function/manifest
View file

@ -1,41 +0,0 @@
#!/bin/sh -e
#
# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
os=$(cat "${__global:?}/explorer/os")
case "$os" in
'alpine'|'debian'|'ubuntu')
confdir=/etc/bird.d
;;
*)
printf "Your operating system (%s) is currently not supported by __bird_filter\n" "$os" >&2
printf "Please contribute an implementation for it if you can.\n" >&2
exit 1
;;
esac
# Functions start with 0 because bird loads the config in alphanumerical order
# and we need them to be defined to be used in the rest of the stuff.
__file "$confdir/0-function-${__object_id:?}.conf" \
--owner root --group bird --mode 0640 \
--source - << EOF
$(cat "${__object:?}"/stdin)
EOF

73
type/__bird_kernel/man.rst
View file

@ -1,73 +0,0 @@
cdist-type__bird_kernel(7)
==========================
NAME
----
cdist-type__bird_kernel - configure syncing of routes with the kernel.
DESCRIPTION
-----------
This type writes the configuration for an instance of the kernel protocol to be
ran by the bird internet routing daemon. It **expects** to depend on the
`cdist-type__bird_core(7)` type.
OPTIONAL PARAMETERS
-------------------
description
An instance desciption to be printed when `birdc show protocols` is called.
persist
Instruct bird to leave routes in kernel table after exiting. See the bird
`persist` keyword.
learn
Learn routes added externally to the kernel routing table. See the bird
`learn` keyword.
channel
The channel to connect the protocol to. Usually `ipv4` or `ipv6`.
import
A string suitable for the bird `import` directive. Usually `all`, `none` or
a filter definition.
export
See import.
EXAMPLES
--------
.. code-block:: sh
# Setup bird and open a BGP session.
__bird_core --router-id 198.51.100.4
require='__bird_core' __bird_kernel k4 \
--learn --persist --channel ipv4 \
--import all \
--export all
SEE ALSO
--------
cdist-type__bird_bgp(7)
cdist-type__bird_core(7)
cdist-type__bird_filter(7)
cdist-type__bird_ospf(7)
cdist-type__bird_static(7)
AUTHORS
-------
Joachim Desroches <joachim.desroches@epfl.ch>
COPYING
-------
Copyright \(C) 2021 Joachim Desroches. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

83
type/__bird_kernel/manifest
View file

@ -1,83 +0,0 @@
#!/bin/sh -e
#
# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
os=$(cat "${__global:?}/explorer/os")
case "$os" in
"alpine"|"debian"|"ubuntu")
confdir="/etc/bird.d"
;;
*)
printf "Your operating system (%s) is currently not supported by __bird_kernel\n" "$os" >&2
printf "Please contribute an implementation for it if you can.\n" >&2
exit 1
;;
esac
# Required parameters
channel="$(cat "${__object:?}/parameter/channel")"
# Boolean switches
persist=
if [ -f "${__object:?}"/parameter/persist ];
then
persist=true
fi
learn=
if [ -f "${__object:?}"/parameter/learn ];
then
learn=true
fi
# Optional parameters
description=
if [ -f "${__object:?}"/parameter/description ];
then
description="$(cat "${__object:?}/parameter/description")"
fi
import=
if [ -f "${__object:?}"/parameter/import ];
then
import="$(cat "${__object:?}/parameter/import")"
fi
_export=
if [ -f "${__object:?}"/parameter/export ];
then
_export="$(cat "${__object:?}/parameter/export")"
fi
# Install resulting configuration
__file "${confdir:?}"/kernel-"${__object_id:?}".conf \
--mode 0640 --owner root --group bird \
--source - << EOF
protocol kernel ${__object_id:?} {
$([ -n "${description?}" ] && printf "\tdescription \"%s\";\n" "${description?}")
$([ -n "${persist?}" ] && printf "\tpersist;\n")
$([ -n "${learn?}" ] && printf "\tlearn;\n")
${channel:?} {
import ${import:?};
export ${_export:?};
};
}
EOF

2
type/__bird_kernel/parameter/boolean
View file

@ -1,2 +0,0 @@
learn
persist

1
type/__bird_kernel/parameter/optional
View file

@ -1 +0,0 @@
description

3
type/__bird_kernel/parameter/required
View file

@ -1,3 +0,0 @@
channel
import
export

63
type/__bird_ospf/man.rst
View file

@ -1,63 +0,0 @@
cdist-type__bird-ospf(7)
========================
NAME
----
cdist-type__bird-ospf - Configure an instance of the OSPF protocol
DESCRIPTION
-----------
This type is an *extremely rudimentary* method to configure a simple OSPF
protocol instance for bird, the internet routing daemon. Even this manpage is
pretty crude and will be fixed and expanded.
REQUIRED PARAMETERS
-------------------
channel
The channel the protocol should connect to. Usually `ipv4` or `ipv6`.
import
The keyword or filter to decide what to import in the above channel.
export
The keyword or filter to decide what to export in the above channel.
OPTIONAL PARAMETERS
-------------------
description
A description given with `show protocol all`
instance-id
An OSPF instance ID, allowing several OSPF instances to run on the same
links.
extra-area-configuration
Configuration string added to the `area` section of the OSPF configuration.
OPTIONAL MULTIPLE PARAMETERS
----------------------------
stubnet
Add an optionless stubnet definition to the configuration.
interface
An interface to include in OSPF area 0. Is required unless
extra-area-configuration is set.
SEE ALSO
--------
cdist-type__bird_core(7)
AUTHORS
-------
Joachim Desroches <joachim.desroches@epfl.ch>
COPYING
-------
Copyright \(C) 2021 Joachim Desroches. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

81
type/__bird_ospf/manifest
View file

@ -1,81 +0,0 @@
#!/bin/sh -e
#
# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
os=$(cat "${__global:?}/explorer/os")
case "$os" in
'alpine'|'debian'|'ubuntu')
confdir='/etc/bird.d'
;;
*)
printf "Your operating system (%s) is currently not supported by this __bird_ospf\n" "$os" >&2
printf "Please contribute an implementation for it if you can.\n" >&2
exit 1
;;
esac
description=
if [ -f "${__object:?}/parameter/description" ];
then
description="$(cat "${__object:?}/parameter/description")"
fi
instance_id=
if [ -f "${__object:?}/parameter/instance-id" ];
then
instance_id="$(cat "${__object:?}/parameter/instance-id")"
fi
extra_area_configuration=
if [ -f "${__object:?}/parameter/extra-area-configuration" ];
then
extra_area_configuration="$(cat "${__object:?}/parameter/extra-area-configuration")"
if [ "$extra_area_configuration" = "-" ]; then
extra_area_configuration=$(cat "$__object/stdin")
fi
fi
if [ ! -f "${__object:?}/parameter/interface" ] && [ -z "$extra_area_configuration" ]; then
echo "Either --interface or --extra-area-configuration must be set." >&2
exit 1
fi
__file "${confdir:?}/ospf-${__object_id:?}.conf" \
--mode 0640 --owner root --group bird \
--source - << EOF
protocol ospf v3 ${__object_id:?} {
$([ -n "${description?}" ] && printf "\tdescription \"%s\";\n" "${description?}")
$([ -n "${instance_id?}" ] && printf "\tinstance id %s;\n" "${instance_id?}")
$(cat "${__object:?}/parameter/channel") {
import $(cat "${__object:?}/parameter/import");
export $(cat "${__object:?}/parameter/export");
};
area 0 {
$(sed -e 's/^/\t\tinterface "/' -e 's/$/";/' "${__object:?}/parameter/interface")
$(sed -e 's/^/\t\tsubnet /' -e 's/$/;/' "${__object:?}/parameter/subnet")
$extra_area_configuration
};
}
EOF

3
type/__bird_ospf/parameter/optional
View file

@ -1,3 +0,0 @@
description
instance-id
extra-area-configuration

2
type/__bird_ospf/parameter/optional_multiple
View file

@ -1,2 +0,0 @@
stubnet
interface

3
type/__bird_ospf/parameter/required
View file

@ -1,3 +0,0 @@
channel
import
export

71
type/__bird_radv/man.rst
View file

@ -1,71 +0,0 @@
cdist-type__bird_radv(7)
========================
NAME
----
cdist-type__bird_radv - Configure the Bird Internet Router Daemon to send RAdvs.
DESCRIPTION
-----------
The Bird Internet Router Daemon knows about a bunch of internet routing
protocols. In particular, it can send Router Advertisements to help
autoconfigure IPv6 hosts, this type is a rudimentary implementation to generate
configuration for Bird to do so.
REQUIRED PARAMETERS
-------------------
interface
The interfaces to activate the protocol on. RAs will be sent using the
prefixes configured on these interfaces.
OPTIONAL PARAMETERS
-------------------
mtu
An optional MTU setting to include in the router advertisements.
OPTIONAL MULTIPLE PARAMETERS
----------------------------
route
Routes to be added to the RA for hosts.
ns
Recursive DNS servers given to the hosts through RAs.
dnssl
Search domain to be given to the hosts through RAs.
EXAMPLES
--------
.. code-block:: sh
__bird_radv datacenter \
--interface eth1 \
--mtu 9000 \
--route ::/0 \
--ns 2001:DB8:cafe::4 \
--ns 2001:DB8:cafe::14 \
--dnssl "example.com"
SEE ALSO
--------
`__bird_core(7)`
AUTHORS
-------
Joachim Desroches <joachim.desroches@epfl.ch>
COPYING
-------
Copyright \(C) 2021 Joachim Desroches. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

89
type/__bird_radv/manifest
View file

@ -1,89 +0,0 @@
#!/bin/sh -e
#
# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
os=$(cat "${__global:?}/explorer/os")
case "$os" in
'alpine'|'debian'|'ubuntu')
confdir='/etc/bird.d'
;;
*)
printf "Your operating system (%s) is currently not supported by __bird_radv\n" "$os" >&2
printf "Please contribute an implementation for it if you can.\n" >&2
exit 1
;;
esac
have_routes=no
if [ -f "${__object:?}/parameter/route" ];
then
have_routes=yes
fi
RDNS=
if [ -f "${__object:?}/parameter/ns" ];
then
RDNS=$(cat << EOF
rdnss {
$(sed -e 's/^/\t\tns /' -e 's/$/;/' "${__object:?}/parameter/ns")
};
EOF
)
fi
DNSSL=
if [ -f "${__object:?}/parameter/dnssl" ];
then
DNSSL=$(sed -e 's/^/\tdnssl "/' -e 's/$/";/' "${__object:?}/parameter/dnssl")
fi
MTU=
if [ -f "${__object:?}/parameter/mtu" ];
then
MTU="link mtu $(cat "${__object:?}/parameter/mtu")"
fi
__file "${confdir:?}/radv-${__object_id:?}.conf" \
--mode 0640 --owner root --group bird \
--source - << EOF
ipv6 table radv_routes;
protocol static {
description "Routes advertised via RAs";
ipv6 { table radv_routes; };
$(sed -e 's/^/\troute /' -e 's/$/ unreachable;/' "${__object:?}/parameter/route")
}
protocol radv ${__object_id:?} {
propagate routes ${have_routes:?};
ipv6 { table radv_routes; export all; };
interface "$(cat "${__object:?}/parameter/interface")" {
$MTU
};
$RDNS
$DNSSL
}
EOF

1
type/__bird_radv/parameter/optional
View file

@ -1 +0,0 @@
mtu

3
type/__bird_radv/parameter/optional_multiple
View file

@ -1,3 +0,0 @@
dnssl
ns
route

1
type/__bird_radv/parameter/required
View file

@ -1 +0,0 @@
interface

25
type/__bird_static/files/template.sh
View file

@ -1,25 +0,0 @@
#!/bin/sh
# Template to generate a static protocol configuration file for bird(1).
# Required non-empty variables:
# __object_id, object
#
# Required defined variables:
# description
# Header
printf "protocol static %s {\n" "${__object_id:?}"
# Optional description
[ -n "${description?}" ] && printf "\tdescription \"%s\";\n" "${description:?}"
# Channel choice
printf "\t%s;\n" "$(cat "${__object:?}/parameter/channel")"
# Routes
while read -r route
do
printf "\troute %s;\n" "${route?}"
done < "${__object:?}/parameter/route"
# Header close
printf "}\n"

69
type/__bird_static/man.rst
View file

@ -1,69 +0,0 @@
cdist-type__bird_static(7)
==========================
NAME
----
cdist-type__bird_static - configure an instance of the bird static protocol.
DESCRIPTION
-----------
This type write the configuration file for an instance of the static protocl to
be ran bu the bird internet routing daemon, allowing an administrator to inject
static routes into the daemon's routing tables. This protocol allows for only
one of two channels to be used, either `ipv4` or `ipv6`, by default `ipv6` is
used unless the `ipv4` flag is passed. This type **expects** to depend on the
`cdist-type__bird_core(7)` type.
REQUIRED PARAMETERS
-------------------
channel
The channel to use between the protocol and the table.
REQUIRED MULTIPLE PARAMETERS
----------------------------
route
This flag expects a valid route to be inserted between the bird `route`
keyword and the end of line. It may be specified as many times as necessary.
OPTIONAL PARAMETERS
-------------------
description
An instance desciption to be printed when `birdc show protocols` is called.
EXAMPLES
--------
.. code-block:: sh
# Setup bird and open a BGP session.
__bird_core --router-id 198.51.100.4
require='__bird_core' __bird_static static4 \
--description "static ipv4 routes plugged into bird" \
--route "198.51.0.0/16 via 192.51.100.1" \
--route "192.52.0.0/16 via 192.51.100.1"
SEE ALSO
--------
cdist-type__bird_core(7)
cdist-type__bird_bgp(7)
cdist-type__bird_kernel(7)
cdist-type__bird_ospf(7)
AUTHORS
-------
Joachim Desroches <joachim.desroches@epfl.ch>
COPYING
-------
Copyright \(C) 2021 Joachim Desroches. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

51
type/__bird_static/manifest
View file

@ -1,51 +0,0 @@
#!/bin/sh -e
#
# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
os=$(cat "${__global:?}/explorer/os")
case "$os" in
'alpine'|'debian'|'ubuntu')
confdir=/etc/bird.d
;;
*)
printf "Your operating system (%s) is currently not supported by __bird_static\n" "$os" >&2
printf "Please contribute an implementation for it if you can.\n" >&2
exit 1
;;
esac
# Required parameter route is directly accessed in template.
# Boolean parameter ipv4 is directly accessed in template.
# Optional parameter description
description=
if [ -f "${__object:?}/parameter/description" ];
then
description="$(cat "${__object:?}/parameter/description")"
fi
export description
# Run template
"${__type:?}"/files/template.sh > "${__files:?}/static-${__object_id:?}.conf"
# Install resulting configuration
__file "${confdir:?}"/static-"${__object_id:?}".conf \
--mode 0640 --owner root --group bird \
--source "${__files:?}/static-${__object_id:?}.conf"

1
type/__bird_static/parameter/optional
View file

@ -1 +0,0 @@
description

1
type/__bird_static/parameter/required
View file

@ -1 +0,0 @@
channel

1
type/__bird_static/parameter/required_multiple
View file

@ -1 +0,0 @@
route

41
type/__borg_repo/gencode-remote
View file

@ -1,41 +0,0 @@
#!/bin/sh
passphrase=
appendonly=
case "$(cat "${__object:?}/parameter/encryption")" in
none)
enc=none
;;
repokey)
enc=repokey
if [ -f "${__object:?}/parameter/passphrase" ];
then
passphrase="$(cat "${__object:?}/parameter/passphrase")"
else
echo "__borg_repo cannot use repokey encryption with no passphrase. Aborting." >&2;
exit 1;
fi
;;
*)
echo "$enc is not a known encryption mode for __borg_repo. Aborting." >&2
exit 1;
esac
if [ -f "${__object:?}/parameter/append-only" ];
then
appendonly='--append-only'
fi
if [ -f "${__object:?}/parameter/owner" ];
then
doas="sudo -u '$(cat "${__object:?}/parameter/owner")'"
fi
cat <<- EOF
set -x
if [ ! -d "/${__object_id:?}" ]; then
$doas BORG_NEW_PASSPHRASE=$passphrase borg init -e ${enc:?} $appendonly /${__object_id:?}
fi
EOF

46
type/__borg_repo/man.rst
View file

@ -1,46 +0,0 @@
cdist-type__borg_repo(7)
========================
NAME
----
cdist-type__borg_repo - Configure a borg repository on host
DESCRIPTION
-----------
Initializes a borg repository at the location specified in the
`${__object_id}`. Nothing is done if the repository already exists.
Currently, only `none` and `repokey` are supported as encryption modes;
`repokey` requires the `passphrase` argument to be given. The default is
`none`.
REQUIRED PARAMETERS
-------------------
encryption
The encryption to use.
OPTIONAL PARAMETERS
-------------------
passphrase
The passphrase to encrypt the keyfile with.
owner
Remote user owning the repository.
BOOLEAN PARAMETERS
------------------
append-only
If the repository is append-only
AUTHORS
-------
Joachim Desroches <joachim.desroches@epfl.ch>
COPYING
-------
Copyright \(C) 2020 Joachim Desroches. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

20
type/__borg_repo/manifest
View file

@ -1,20 +0,0 @@
#!/bin/sh
os="$(cat "${__global:?}"/explorer/os)"
case "$os" in
"alpine"|"ubuntu")
borg_package=borgbackup
;;
*)
echo "__borg_repo is not yet implemented for os $os. Aborting." >&2;
exit 1;
esac
__package "$borg_package"
if [ -f "${__object:?}/parameter/owner" ];
then
__package sudo
fi

1
type/__borg_repo/parameter/boolean
View file

@ -1 +0,0 @@
append-only

1
type/__borg_repo/parameter/default/encryption
View file

@ -1 +0,0 @@
none

2
type/__borg_repo/parameter/optional
View file

@ -1,2 +0,0 @@
passphrase
owner

1
type/__borg_repo/parameter/required
View file

@ -1 +0,0 @@
encryption

49
type/__dma/explorer/auth_conf
View file

@ -1,49 +0,0 @@
#!/bin/sh -e
#
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# This explorer determines the path of dma's auth.conf file
# No dma.conf -> use default
test -f /etc/dma/dma.conf || {
echo /etc/dma/auth.conf
exit 0
}
test -r /etc/dma/dma.conf || {
echo 'Cannot read /etc/dma/dma.conf' >&2
exit 1
}
# Get AUTHPATH from dma.conf
awk -F'[ \t]' '
{
sub(/#.*$/, "", $0) # remove comments
if (!$0) next # ignore empty lines
}
$1 == "AUTHPATH" {
# Store authpath. In dma conf parsing last wins.
if ($2) authpath = substr($0, index($0, " ") + 1)
}
END {
if (authpath) {
print authpath
exit 0
} else exit 1
}
' /etc/dma/dma.conf \
|| echo /etc/dma/auth.conf # default

34
type/__dma/explorer/conf
View file

@ -1,34 +0,0 @@
#!/bin/sh -e
#
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# This explorer returns a sorted list of "active" (= non-commented) lines
# in the dma.conf file.
# "Trailing" line comments are stripped off.
#
# NOTE: This explorer assumes that the sort(1) utility supports the non-POXIX
# -s (stable sort) option.
CONF_PATH=/etc/dma # set in Makefile
dma_conf="${CONF_PATH:?}/dma.conf"
test -f "${dma_conf}" || exit 0
grep -v -e '^[ \t]*#\|^$' "${dma_conf}" \
| sed -e 's/[ \t]*#.*$//' \
| sort -s -k 1,1

178
type/__dma/files/update_dma_conf.awk
View file

@ -1,178 +0,0 @@
#!/usr/bin/awk -f
#
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
function comment_line(line) {
# returns the position in line at which the comment's text starts
# (0 if the line is not a comment)
match(line, /^[ \t]*\#+[ \t]*/)
return RSTART ? (RLENGTH + 1) : 0
}
function empty_line(line) { return line ~ /^[ \t]*$/ }
function is_word(s) { return s ~ /^[A-Z_]+$/ } # "looks like a plausible word"
function first(line, sep_re) {
# returns the part of the line until sep is found
# (or the whole line if sep is not found)
if (!sep_re) sep_re = "[" SUBSEP "]"
match(line, sep_re)
return RSTART ? substr(line, 1, RSTART - 1) : line
}
function rest(line, sep_re) {
# returns the part of the line after the first occurrence of sep is found.
# (or nothing if sep is not found)
if (!sep_re) sep_re = "[" SUBSEP "]"
if (match(line, sep_re))
return substr(line, RSTART + RLENGTH)
}
function conf_pop(word, value) {
# returns the next value for the config `word` and delete it from the list.
# if value is set, this function will only return value if it is the first
# option in the list, otherwise it returns 0.
if (!(word in conf)) return 0
if (!value) {
if (index(conf[word], SUBSEP)) # more than one element?
value = substr(conf[word], 1, index(conf[word], SUBSEP) - 1)
else
value = conf[word]
}
if (index(conf[word], SUBSEP)) {
if (index(conf[word], value SUBSEP) != 1) return 0
conf[word] = substr(conf[word], length(value) + 2)
} else {
if (conf[word] != value) return 0
delete conf[word]
}
return value
}
function print_conf(word, value) {
# print a config line with the given parameters
printf "%s", word
if (value) printf " %s", value
printf "\n"
}
function print_confs(word, value) {
# print config lines for all values stored in conf[word].
if (!(word in conf)) return
if (conf[word]) {
while (value = conf_pop(word))
print_conf(word, value)
} else {
print_conf(word)
delete conf[word]
}
}
BEGIN {
FS = "\n"
EQS = "[ \t]" # copied from dma/conf.c
if (ARGV[2]) exit (e=1)
# Loop over file twice!
ARGV[2] = ARGV[1]
ARGC++
# read the "should" state into the `conf` array.
while (getline < "/dev/stdin") {
word = first($0, EQS)
if ((word in conf))
conf[word] = conf[word] SUBSEP rest($0, EQS)
else
conf[word] = rest($0, EQS)
}
}
# first pass, gather information about where which information is stored in the
# current config file. This information will be used in the second pass.
NR == FNR {
if (comment_line($0)) {
# comment line
word = first(substr($0, comment_line($0)), " ")
if (is_word(word)) last_occ["#" word] = FNR
} else {
word = first($0, EQS)
if (is_word(word)) last_occ[word] = FNR
}
}
# before second pass prepare hashes containing location information to be used
# in the second pass.
NR > FNR && FNR == 1 {
# First we drop the locations of commented-out options if a non-commented
# option is available. If a non-commented option is available, we will
# append new config options there to have them all at one place.
for (k in last_occ)
if (k ~ /^\#/ && (substr(k, 2) in last_occ))
delete last_occ[k]
# Reverse the option => line mapping. The line_map allows for easier lookups
# in the second pass.
for (k in last_occ) line_map[last_occ[k]] = k
}
# second pass, generate and output new config
NR > FNR {
if (comment_line($0) || empty_line($0)) {
# comment or empty line
print
if ((FNR in line_map)) {
if (line_map[FNR] ~ /^\#/) {
# This line contains a commented config option. If the conf hash
# contains options to be set, we output them here because this
# option is not used in the current config.
k = substr(line_map[FNR], 2)
if ((k in conf)) print_confs(k)
}
if (("INSECURE" in conf) && line_map[FNR] ~ /^\#?SECURE$/) {
# INSECURE goes where SECURE comment is.
print_confs("INSECURE")
}
}
} else {
word = first($0, EQS)
value = rest($0, EQS)
sub(/[ \t]*\#.*$/, "", value) # ignore comments in value
if ((word in conf) && value == first(conf[word])) {
# keep config options we want
conf_pop(word)
print
}
if ((FNR in line_map) && line_map[FNR] == word) {
# rest of config options should be here
print_confs(word)
}
}
}
END {
if (e) exit
# print rest of config options (
for (word in conf) print_confs(word)
}

177
type/__dma/gencode-remote
View file

@ -1,177 +0,0 @@
#!/bin/sh -e
#
# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
quote() { printf "'%s'" "$(printf '%s' "$*" | sed -e "s/'/'\\\\''/g")"; }
drop_awk_comments() { quote "$(sed '/^[[:blank:]]*#.*$/d;/^$/d' "$@")"; }
CONF_PATH=/etc/dma # set in Makefile
# Determine mailname
if test -f "${__object:?}/parameter/mailname"
then
mailname=$(cat "${__object:?}/parameter/mailname")
else
case $(cat "${__global:?}/explorer/os")
in
(debian|devuan|ubuntu)
# On Debian-like systems use /etc/mailname unless --mailname is used
mailname='/etc/mailname'
;;
(*)
mailname=${__target_fqdn:?}
;;
esac
fi
# Generate "should" values for config
conf_should=$(
if test -s "${__object:?}/parameter/smarthost"
then
printf 'SMARTHOST %s\n' "$(cat "${__object:?}/parameter/smarthost")"
fi
printf 'MAILNAME %s\n' "${mailname}"
if test -s "${__object:?}/explorer/auth_conf"
then
printf "AUTHPATH %s\n" "$(cat "${__object:?}/explorer/auth_conf")"
fi
case $(cat "${__object:?}/parameter/security")
in
(ssl|tls)
default_smtp_port=465
echo 'SECURETRANSFER'
;;
(starttls)
default_smtp_port=587
echo 'SECURETRANSFER'
echo 'STARTTLS'
;;
(opportunistic)
default_smtp_port=25
echo 'SECURETRANSFER'
echo 'STARTTLS'
echo 'OPPORTUNISTIC_TLS'
;;
(insecure)
default_smtp_port=25
echo 'INSECURE'
;;
esac
if test -s "${__object:?}/parameter/port"
then
printf 'PORT %u\n' "$(cat "${__object:?}/parameter/port")"
elif test "${default_smtp_port}" -ne 25 # DMA uses port 25 by default
then
printf 'PORT %u\n' "${default_smtp_port}"
fi
if test -f "${__object:?}/parameter/masquerade"
then
while read -r line
do
printf 'MASQUERADE %s\n' "${line}"
done <"${__object:?}/parameter/masquerade"
fi
if test -f "${__object:?}/parameter/defer"
then
echo 'DEFER'
fi
if test -f "${__object:?}/parameter/fullbounce"
then
echo 'FULLBOUNCE'
fi
if test -f "${__object:?}/parameter/nullclient"
then
test -s "${__object:?}/parameter/smarthost" || {
echo '--nullclient requires a --smarthost to be defined' >&2
exit 1
}
echo 'NULLCLIENT'
fi
)
# Sort conf_should to compare against "conf_is"
conf_should=$(echo "${conf_should}" | sort -s -k 1,1)
config_updated=false
if ! echo "${conf_should}" | cmp -s "${__object:?}/explorer/conf" -
then
# config needs to be updated
dma_conf="${CONF_PATH:?}/dma.conf"
# The following AWK script will output the new config file to be stored on
# disk. To do so it reads the current dma.conf file and the config options
# that should be set (from stdin).
# Note that the path to the current dma.conf is passed to AWK twice, because
# the new file cannot be generated in one pass.
# The logic tries to place options at a sensible location, that is:
# a) if the option is already used in the config file:
# group all similar options (e.g. MASQUERADE) at one place in the order
# they are listed in stdin.
# b) if it is a new option and a "default comment" (e.g. "#PORT 25") exists:
# place options grouped directly after the comment (the comment is left
# alone)
# c) otherwise:
# options are grouped by word (the first word in the line) and appended
# at the end of the file.
cat <<-CODE
awk $(drop_awk_comments "${__type:?}/files/update_dma_conf.awk") $(quote "${dma_conf}") <<'EOF' >$(quote "${dma_conf}.tmp") \
&& cat $(quote "${dma_conf}.tmp") >$(quote "${dma_conf}")
${conf_should}
EOF
rm $(quote "${dma_conf}.tmp")
CODE
config_updated=true
echo 'config updated' >>"${__messages_out:?}"
fi
# Send a test email if enabled and necessary (=configuration changed)
if test -f "${__object:?}/parameter/send-test-mail"
then
if grep -q '^__mail_alias/root:' "${__messages_in:?}" \
|| grep -q '^__dma_auth/' "${__messages_in:?}" \
|| ${config_updated}
then
cat <<-CODE
sendmail root <<'EOF'
Subject: [cdist] Test mail from '${__target_fqdn:?}'
Hi,
you can ignore this message.
Its sole purpose is to notify you that root mail on ${__target_fqdn:?}
will be redirected to you.
Enjoy!
EOF
CODE
fi
fi

112
type/__dma/man.rst
View file

@ -1,112 +0,0 @@
cdist-type__dma(7)
============================
NAME
----
cdist-type__dma - Setup the DragonFly Mail Agent as the MTA.
DESCRIPTION
-----------
This (singleton) type uses DMA, a small Mail Transport Agent (MTA), to accept
mails from locally installed Mail User Agents (MUA) and either deliver the mails
to a remote smart host for delivery or communicate with remote SMTP servers
directly.
REQUIRED PARAMETERS
-------------------
None.
BOOLEAN PARAMETERS
------------------
defer
If enabled, mail will not be sent immediately, but stored in a queue.
To flush the queue and send the mails, ```dma -q`` has to be run
periodically (e.g. using a cron job.)
This type does not manage such a cron job, but some operating systems ship
such a cron job with the package.
fullbounce
Enable if bounce messages should include the complete original message,
not just the headers.
nullclient
Enable to bypass aliases and local delivery, and instead forward all mails
to the defined ``--smarthost``.
send-test-mail
If set, this type will send a test email to root after setup, to check if
the configured settings work.
OPTIONAL PARAMETERS
-------------------
mailname
If present, this will be the hostname used to identify this host and the
remote part of the sender addresses.
If not defined, it defaults to ``/etc/mailname`` on Debian derivatives and
to ``__target_fqdn`` otherwise.
See `dma(8)` for more information.
Note: on Debian derivatives the ``/etc/mailname`` file should be updated
instead of using this parameter.
masquerade
Masquerade the envelope-from addresses with this address/hostname.
Use this setting if mails are not accepted by destination mail servers
because your sender domain is invalid.
This option can be used multiple times.
For more information see the `dma(8)` man page.
port
The port on which to deliver email.
If not provided, a sensible default port will be used based on the
``--security`` argument.
security
Configures whether and how DMA should use secure connections.
ssl/tls
Enable TLS/SSL secured transfer.
starttls
Use STARTTLS to establish a secure connection.
opportunistic (default)
Will try to establish a secure connection using STARTTLS, but allow
unencrypted transfer if STARTTLS fails.
Most useful when dma is used without a smarthost, delivering remote
messages directly to the outside mail exchangers.
insecure
allow plain text SMTP login over an insecure connection.
Should really *not* be used anymore!
smarthost
The mail server used to send email.
It must be configured to act as a relay for the host being configured by
this type so that mail can be sent to users non-local to the smarthost.
EXAMPLES
--------
.. code-block:: sh
# Install DMA and use the smarthost mx1.domain.tld to send mail.
__dma --smarthost mx1.domain.tld --send-test-mail
# Install DMA in a default configuration.
__dma
SEE ALSO
--------
- `DragonFly Mail Agent <https://github.com/corecode/dma>`_
- `DragonFly Handbook MTA <https://www.dragonflybsd.org/handbook/mta/>`_
AUTHORS
-------
Evilham <contact@evilham.com>
Dennis Camera <dennis.camera@ssrq-sds-fds.ch>
COPYING
-------
Copyright \(C) 2020 Evilham and Dennis Camera. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

66
type/__dma/manifest
View file

@ -1,66 +0,0 @@
#!/bin/sh -e
#
# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
os=$(cat "${__global:?}/explorer/os")
# Install DMA
case ${os}
in
(alpine)
__package dma --state present
export require='__package/dma'
;;
(debian|devuan|ubuntu)
__package dma --state present
export require='__package/dma'
;;
(freebsd)
# Stop sendmail if necessary
__process 'sendmail' --name 'sendmail.*' --state absent \
--stop '/etc/rc.d/sendmail onestop'
# ... and disable it
__key_value 'rcconf-sendmail-enable' --file '/etc/rc.conf' \
--key 'sendmail_enable' --delimiter '=' --value '"NONE"' \
--exact_delimiter
# Setup mailwrapper accordingly
__file '/etc/mail/mailer.conf' --mode 0644 --source - <<-'EOF'
#
# Execute the "real" sendmail program, named /usr/libexec/sendmail/sendmail
#
sendmail /usr/libexec/dma
send-mail /usr/libexec/dma
mailq /usr/libexec/dma
newaliases /usr/libexec/dma
rmail /usr/libexec/dma
EOF
;;
(*)
cat <<EOF >&2
Your OS (${os}) is not supported yet.
Maybe adding support is as simple as adapting the packages or allowing it,
we highly encourage you to open a PR with the necessary changes.
See: https://code.ungleich.ch/ungleich-public/cdist-contrib/
EOF
exit 1
;;
esac

4
type/__dma/parameter/boolean
View file

@ -1,4 +0,0 @@
defer
fullbounce
nullclient
send-test-mail

1
type/__dma/parameter/default/security
View file

@ -1 +0,0 @@
opportunistic

4
type/__dma/parameter/optional
View file

@ -1,4 +0,0 @@
mailname
port
security
smarthost

1
type/__dma/parameter/optional_multiple
View file

@ -1 +0,0 @@
masquerade

1
type/__dma_auth/explorer/auth_conf
View file

@ -1 +0,0 @@
../../__dma/explorer/auth_conf

91
type/__dma_auth/explorer/state
View file

@ -1,91 +0,0 @@
#!/bin/sh -e
#
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# This explorer looks for a line matching the server parameter
# in dma's auth.conf and reports:
# present: a line matching login + host + password exists
# absent: no line matching login + host exists
# different_login: a line exists but with a different login user
# different_password: a line exists but with a different password
# multiple: multiple lines matching host exist (should not happen)
auth_conf=$("${__type_explorer:?}/auth_conf")
test -r "${auth_conf}" || exit 0
awk -F'\n' '
function getvalue(path) {
# Reads the first line of the file located at path and returns it.
getline < path
close(path)
return $0
}
BEGIN {
DP = "[: \t]" # copied from dma/conf.c
parameter_dir = ENVIRON["__object"] "/parameter/"
# Read the parameters of this object
host_param = ENVIRON["__object_id"]
login_param = getvalue(parameter_dir "login")
passwd_param = getvalue(parameter_dir "password")
state = "absent"
}
/^#/ || /^$/ {
# skip comments and empty lines
next
}
{
# parse line
login = substr($0, 1, index($0, "|") - 1)
if (!login) { login = $0 } # if no "|" found
host = substr($0, length(login) + 2)
if (match(host, DP)) {
passwd = substr(host, RSTART + 1)
host = substr(host, 1, RSTART - 1)
} else {
passwd = ""
}
}
host == host_param {
# a match…
if (state == "absent") {
if (login != login_param)
state = "different_login"
else if (passwd != passwd_param)
state = "different_password"
else
state = "present"
} else {
# report "multiple" to that the type can remove the duplicates.
state = "multiple"
}
}
END {
print state
}
' "${auth_conf}"

93
type/__dma_auth/files/update_dma_auth.awk
View file

@ -1,93 +0,0 @@
#!/usr/bin/awk -f
#
# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
function getvalue(path) {
# Reads the first line of the file located at path and returns it.
getline < path
close(path)
return $0
}
function print_should() {
printf "%s|%s:%s\n", login_param, host_param, passwd_param
}
BEGIN {
FS = "\n"
DP = "[: \t]" # copied from dma/conf.c
parameter_dir = ENVIRON["__object"] "/parameter/"
mode = (getvalue(parameter_dir "state") != "absent")
host_param = ENVIRON["__object_id"]
login_param = getvalue(parameter_dir "login")
passwd_param = getvalue(parameter_dir "password")
}
# skip comments and empty lines
/^#/ || /^$/ {
print
next
}
{
# parse line (like dma/conf.c would)
login = substr($0, 1, index($0, "|") - 1)
if (!login) { login = $0 } # if no "|" found
host = substr($0, length(login) + 2)
if (match(host, DP)) {
passwd = substr(host, RSTART + 1)
host = substr(host, 1, RSTART - 1)
} else {
passwd = ""
}
}
host == host_param {
if (mode) {
# state_should == present
if (!written) {
# replace first line if host matches (but only if no line has
# been written already -> no duplicates)
print_should()
written = 1
}
next
} else {
# state_should == absent
next
}
}
# leave other lines alone
{
print
}
END {
if (mode && !written) {
# append line if no match to replace was found
print_should()
}
}

72
type/__dma_auth/gencode-remote
View file

@ -1,72 +0,0 @@
#!/bin/sh -e
#
# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
quote() { printf "'%s'" "$(printf '%s' "$*" | sed -e "s/'/'\\\\''/g")"; }
drop_awk_comments() { quote "$(sed '/^[[:blank:]]*#.*$/d;/^$/d' "$@")"; }
state_is=$(cat "${__object:?}/explorer/state")
state_should=$(cat "${__object:?}/parameter/state")
server=${__object_id:?}
login=$(cat "${__object:?}/parameter/login")
auth_conf=$(cat "${__object:?}/explorer/auth_conf")
test -n "${auth_conf}" || {
echo 'Cannot determine path of dma auth.conf' >&2
exit 1
}
if test "${state_is}" = "${state_should}"
then
# state is as it should
exit 0
fi
case ${state_should}
in
(present)
test -n "${login}" || { echo '--login must be non-empty' >&2; exit 1; }
if test "${state_is}" = 'absent'
then
printf 'add authuser %s on %s\n' "${login}" "${server}" >>"${__messages_out:?}"
else
printf 'set authuser %s on %s\n' "${login}" "${server}" >>"${__messages_out:?}"
fi
;;
(absent)
printf 'delete authuser %s on %s\n' "${login}" "${server}" >>"${__messages_out:?}"
;;
(*)
printf 'Invalid --state: %s.\n' "${state_should}" >&2
printf 'Acceptable values are: present, absent.\n' >&2
exit 1
;;
esac
cat <<EOF
test -f $(quote "${auth_conf}") || touch $(quote "${auth_conf}")
awk $(drop_awk_comments "${__type:?}/files/update_dma_auth.awk") <$(quote "${auth_conf}") >$(quote "${auth_conf}.tmp") \
&& cat $(quote "${auth_conf}.tmp") >$(quote "${auth_conf}")
rm -f $(quote "${auth_conf}.tmp")
EOF

66
type/__dma_auth/man.rst
View file

@ -1,66 +0,0 @@
cdist-type__dma_auth(7)
=======================
NAME
----
cdist-type__dma_auth - Configure SMTP logins for the DragonFly Mail Agent MTA.
DESCRIPTION
-----------
This cdist type allows you to set up credentials to log in to remote SMTP
servers.
NB: dma currently (v0.13) does not differentiate between users on a host.
It will use whatever user it finds in the ``auth.conf`` first.
Thus, this type will use the ``__object_id`` as the host specifier.
REQUIRED PARAMETERS
-------------------
login
The user's LOGIN name on the SMTP server.
password
The user's password (in plain text.)
OPTIONAL PARAMETERS
-------------------
state
Either ``present`` or ``absent``. Defaults to ``present``.
BOOLEAN PARAMETERS
------------------
None.
EXAMPLES
--------
.. code-block:: sh
# Set the password for smarthost
__dma_auth smarthost.example.com --login joe --password hunter2
# Set credentials for user at an external provider
__dma_auth mail.provider.com --login paul@example.com --password letmein
# Delete credentials for example.com (for all users)
__dma_auth example.com --login '' --password '' --state absent
SEE ALSO
--------
:strong:`cdist-type__dma`\ (7), :strong:`dma`\ (8)
AUTHORS
-------
Dennis Camera <dennis.camera@ssrq-sds-fds.ch>
COPYING
-------
Copyright \(C) 2020 Dennis Camera. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

1
type/__dma_auth/parameter/default/state
View file

@ -1 +0,0 @@
present

1
type/__dma_auth/parameter/optional
View file

@ -1 +0,0 @@
state

2
type/__dma_auth/parameter/required
View file

@ -1,2 +0,0 @@
login
password

15
type/__jitsi_meet/explorer/configured-memory
View file

@ -1,15 +0,0 @@
#!/bin/sh -eu
JICOFO="/usr/share/jicofo/jicofo.sh"
VIDEOBRIDGE="/usr/share/jitsi-videobridge/lib/videobridge.rc"
if [ -f "${JICOFO:?}" ]; then
jicofo_memory="$(grep JICOFO_MAX_MEMORY= "${JICOFO:?}" | cut -d= -f 2 | cut -d ";" -f 1)"
fi
if [ -f "${VIDEOBRIDGE:?}" ]; then
vb_memory="$(grep VIDEOBRIDGE_MAX_MEMORY= "${VIDEOBRIDGE:?}" | cut -d= -f 2)"
fi
cat <<EOF
jicofo ${jicofo_memory:-n/a}
videobridge ${vb_memory:-n/a}
EOF

6
type/__jitsi_meet/explorer/jitsi-status
View file

@ -1,6 +0,0 @@
#!/bin/sh -eu
if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then
# TODO: detect curl / depend on it?
curl -s localhost:9888/metrics
fi

51
type/__jitsi_meet/files/apt_2021.gpg
View file

@ -1,51 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGB4bEkBEADffHELs6RBZEEgme2L6KXyO5XThI5ROFCMZ+4X1mZTKPyihuMX
u1IQeaLQhUKEw60NZH1HyvH11L33LYcimlyLDG7N6s/MjWtLAI+wkgb6iYY2mArM
3TqPTzVgZUcJl5Strft2U8QNq9N2qslbF7hm3g35M78r5CJmlVQYO298rz6ybovO
9TTB/C3KbDMHohEXIdVlAIKAtu+/5dWQtP7NR3RZHpfMoOvf65NiZRsudZ5SZcd1
8G7n0nv6NF5Ul+cuLsOMh7r2KiPjpHuQwobwEJpc8Nags6xTqQ8riyJsv8KXJNZh
51OQWYyQhMz/O3mVSbfdfmS4u4HUb3pheUmjq2Lx4vTlSzyCRniRC4VIhViRawTL
QyIpdw85CN7iJPN+2ZYOU4knZgSv9CDmuKFqxGSd/j4QHtL/K4e3wFE/kwD+4SWL
+xAsCZQPnZu9RNdmTfaSfsPqSwQFErTGWyuGJBzN0EFGRFIMI3m3AJSC6OOFycDV
4KPJHBQKcTH4oVF3opAJj3X45oa6886TAjwAsPG1R5FapqhWRzWsq8Cn3rr6EKJ/
8xf9Ep/KIMNJtZoout7f2AEmP/oQTNft+wWEejprd0aJMX4O6NOSG4UNxRbm32gf
rBEajiLUA0cJW+se40ACZXri36Ea8HnKnYsCaXZba9FMy9Te0OkySJpQYwARAQAB
tBVKaXRzaSA8ZGV2QGppdHNpLm9yZz6JAk4EEwEIADgWIQT/1loNor6963PUTIu0
0tIW8f14BgUCYHhsSQIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC00tIW
8f14Bt8eEADPmi1X9ycjevFR82sGo0qTUEgndu9tWiGQzS3E7SG1wIkRqiwSk7X2
J1Mrxa5kIEkl0KctpYQjhEJWV8TfATOekKhoxtanZef9q9EvpNLBJGifXAHt9b2o
Dzk7437cytW71jlByrbjUe7tVQtaEJZuOczjZGnHw70Yv6H0DUQuRDlJmocHzzU3
AgpXJ+XoS1p8gI64OgIzXVOhvyZVyNqbn0PyqeroRbxC0DPwGsTA8MYgf3ujowAI
ntVtSv0kzbZP0xU/3zpmuD+Lw0Msq4idnE0e+nApfThF28w+MAF4EikXovwr+FEh
6Czt3KGrUuoCUY1YmLqSpLQaHYvF1oRsnZIVEecXBY/sRxxOvLk4HsJtIV6jJ3qS
XAGPsxAJJBlsT0nvPC+x46wvOxBYv2WgmVRrnrz7vpp1C8yRYAaab10lUq+PufYr
S4wQXvbTKAelpOZhR00qJ1Ati7y1TFv3xFhlhEjg/r2TUc2oFEYdlIPpfkiCPeCz
kcTXB6iwuUn59Qm6ksGCL/ITo3sWZSDbOQIG63hb0FRZkF8mWnmPcGoPmR5kmvr7
QzHKmfomaORyLofXqrXf3zfhDpe5kSxfLbTsRnHCx46XJWXMFh70T19j4ILnWaGj
bnA9OWWtEyMCp9GeJPtmWKsBhP8ywt0jbbfHzczBfWRO06n47/BLSLkCDQRgeGxJ
ARAA1pi0AZ0kcW1aW9sKZNYJ2JXjsefqnqtUUDI0xOSSl5+Lzjtj1lPA1Xr2L9V4
FyUGG6N8BeQcyfl7ZAFp6EWS/RATaOze/rKxImArHdY0L48rEQNBCg6lDsvvPJYd
cMFuNFm9e+2vggKU+o0zpDiV0WIjar/I5aVyObQ77EBOJlEPDSjz2essTbZZ5Bpr
w6pRSQ8CjpOpSrNwoDDhNfHPEcokkccmPlE8xdmXn1oM5Zj/LKOEKBqJUh1Ucykh
EE9g/Mch6GV6AnuFrtAeWYzx5kfNlBvz1Y7w3TXnboQP8b9IeQwNyZTWaMMstn8z
nt8RKnrTA2eOGO61ySgtMU3fEJSN0mqH3cjpAzPX9rcdipMLe3ZDGYlixFAXpctc
dhKvEqxd+bxtvFTQlSsSSQe9DvXQOfb9pp+6SjejhTvsWhWwhPzWIOLX4IBiX13q
D5ct/IxsLwhk23+r9zpk74xwRplX4FTc3o1m+NpoWXRRAekcKd5AgnlAhY9O7Tv+
31ORR6X/hCYcs1vnxbHJgWrzv01Gx8mcOj/+7aCctsQ32oQWM6FQY/vcpSxTjJsb
npiS3ZIUYNXf32UnAuZUyCaqrpLAVAwNGBxmpwQb1SUx7HBA8e2lHbEqKW/qnUQG
bnRv0g/oSkkimADazkwojNcVdgkrF91zkUtzIya+NOiGO7cAEQEAAYkCNgQYAQgA
IBYhBP/WWg2ivr3rc9RMi7TS0hbx/XgGBQJgeGxJAhsMAAoJELTS0hbx/XgGEyQQ
ALAHIiRoFkhypGpFt3+bt3ZLQf6OD+H0ZiOcy43DlBAUz7PbNlW4bDvINkgTaGRa
+cIMwdW5lWO9fsChsEoDVnjl9rcNcTJcN5Fc/L+XnW6k9RzW1nK+mj3NiGfR7OI1
V6eNM346+EpA2ZnqVTfr14+Vu49TV7vSsfnZg6brl+t1qNzJLHcsnVxxACw95OOK
joGu56ozuxEWjsGwnvvkH7dR/HLGtk+XP0NWSBOoEpHj7bF+6h81MpcMcj4BYoaZ
AJfQyfx8rP2JQC/HNrY0bAW0ahN2x+fE9Vd6iPkrPGSGibWRv6Db/KLk1R8/8W4B
YKti313EXV8g0gc0TdwqbhLWOinCjtLW+anXsqxmVFNG1cS1CvsFi2WDRtjHP3eY
aEdnXHcnPL4gKPTeXlHf3HGDCeboGOWFeim2bHwOzbzg9Kp+lGYyi/qJW496n+Yp
wBWDVHgVlS51Y8hS7xB4FY71S4OY4W9S8XX0KUQihqoh3E44eow+Z8OE1g0CosPz
2cRioAiEeVPNra0IgD2iD7LKuEVd6zJ7RbxzWCWko+sOgCm0lqz87R5IQibEFbRV
ATvmI/B3DPYHjk7toPT5+jgcgY0QPq9JYSORbgXvoWG0f83TFIfFV6yGgmaG1DMX
YPNx6EOVTWjMMoXNbskDkw3HdcVdVz41ZnW/1lJZejvW
=uIZN
-----END PGP PUBLIC KEY BLOCK-----

56
type/__jitsi_meet/files/debconf_settings.sh
View file

@ -1,56 +0,0 @@
#!/bin/sh -e
# This can be obtained with debconf-get-selections on a host with jitsi
# (and also analysing the deb-src)
if false; then
# We are currently not using these, just here as documentation
DEBCONF_SETTINGS="$(cat <<EOF
# Jicofo user password:
jicofo jicofo/jicofo-authpassword password STH
jitsi-meet-prosody jicofo/jicofo-authpassword password STH
# The secret used to connect to xmpp server as component
jitsi-meet-prosody jitsi-videobridge/jvbsecret password STH
jitsi-videobridge jitsi-videobridge/jvbsecret password STH
jitsi-videobridge2 jitsi-videobridge/jvbsecret password STH
# Jicofo Component secret:
jicofo jicofo/jicofosecret password STH
jitsi-meet-prosody jicofo/jicofosecret password STH
# Jicofo username:
jicofo jicofo/jicofo-authuser string focus
jitsi-meet-prosody jicofo/jicofo-authuser string focus
# The hostname of the current installation:
jitsi-meet-turnserver jitsi-meet-turnserver/jvb-hostname string ${JITSI_HOST}
# Full local server path to the SSL certificate file:
jitsi-meet-web-config jitsi-meet/cert-path-crt string
# Full local server path to the SSL key file:
jitsi-meet-web-config jitsi-meet/cert-path-key string
EOF
)"
fi
DEBCONF_SETTINGS="$(cat <<EOF
# The hostname of the current installation:
jitsi-meet-web-config jitsi-meet/jvb-hostname string ${JITSI_HOST}
# Hostname:
jicofo jitsi-videobridge/jvb-hostname string ${JITSI_HOST}
jitsi-meet-prosody jitsi-videobridge/jvb-hostname string ${JITSI_HOST}
jitsi-meet-turnserver jitsi-videobridge/jvb-hostname string ${TURN_SERVER}
jitsi-meet-web-config jitsi-videobridge/jvb-hostname string ${JITSI_HOST}
jitsi-videobridge jitsi-videobridge/jvb-hostname string ${JITSI_HOST}
jitsi-videobridge2 jitsi-videobridge/jvb-hostname string ${JITSI_HOST}
# The hostname of the current installation:
jitsi-meet-prosody jitsi-meet-prosody/jvb-hostname string ${JITSI_HOST}
# SSL certificate for the Jitsi Meet instance
# Choices: Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate), I want to use my own certificate
jitsi-meet-web-config jitsi-meet/cert-choice select Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)
EOF
)"
if [ -n "${TURN_SECRET}" ]; then
DEBCONF_SETTINGS="$(cat <<EOF
${DEBCONF_SETTINGS}
# The turn server secret
jitsi-meet-prosody jitsi-meet-prosody/turn-secret string ${TURN_SECRET}
EOF
)"
fi

34
type/__jitsi_meet/files/jicofo.conf.sh
View file

@ -1,34 +0,0 @@
#!/bin/sh -eu
# Start
cat <<EOF
# Managed remotely, changes will be lost
# Jicofo HOCON configuration. See /usr/share/jicofo/jicofo.jar/reference.conf for
#available options, syntax, and default values.
jicofo {
xmpp: {
client: {
client-proxy: focus.${JITSI_HOST:?}
}
trusted-domains: [ "recorder.${JITSI_HOST:?}" ]
}
bridge: {
brewery-jid: "JvbBrewery@internal.auth.${JITSI_HOST:?}"
}
EOF
# Secured domains if needed
if [ "${SECURED_DOMAINS_STATE:?}" = "present" ]; then
cat <<EOF
authentication: {
enabled: true
type: XMPP
login-url: ${JITSI_HOST:?}
}
EOF
fi
# End
echo '}'

1
type/__jitsi_meet/files/jitsi-version
View file

@ -1 +0,0 @@
../../__jitsi_meet_domain/files/jitsi-version

1
type/__jitsi_meet/files/prosody.cfg.lua.sh
View file

@ -1 +0,0 @@
../../__jitsi_meet_domain/files/prosody.cfg.lua.sh

10
type/__jitsi_meet/files/ufw
View file

@ -1,10 +0,0 @@
#!/bin/sh -e
# Setup firewall
__ufw
# Allow jitsi ports
require="__ufw" __ufw_rule http --rule 'allow 80/tcp'
require="__ufw" __ufw_rule https --rule 'allow 443/tcp'
require="__ufw" __ufw_rule jitsi_prom --rule 'allow 9888/tcp'
require="__ufw" __ufw_rule avfallback --rule 'allow 4443/tcp'
require="__ufw" __ufw_rule avdefault --rule 'allow 10000/udp'

44
type/__jitsi_meet/gencode-remote
View file

@ -1,44 +0,0 @@
#!/bin/sh -e
memory="$(cat "${__global}/explorer/memory")"
G="000000" # Will totally eff up the zero-count otherwise
# MAX_MEMORY will affect jicofo and videobridge
# As a rule of thumb, the machine's RAM should be more than 2.5 * MAX_MEMORY
if [ "${memory}" -lt "3${G}" ]; then
# If you use this, let us know how it works!
MAX_MEMORY="768m"
elif [ "${memory}" -lt "5${G}" ]; then
MAX_MEMORY="1024m"
elif [ "${memory}" -lt "8${G}" ]; then
MAX_MEMORY="2048m"
else
# Jitsi recommends running on 8G RAM and these are the defaults
MAX_MEMORY="3072m"
fi
if cut -f 2 "${__object}/explorer/configured-memory" | grep -qvE "^${MAX_MEMORY}$"; then
# At least one service has different memory settings
RESTART_SERVICES="YES"
cat <<-EOF
sed -i.tmp -E \
-e 's!^(#[[:space:]]*)?(VIDEOBRIDGE_MAX_MEMORY)=.*\$!\2=${MAX_MEMORY}!' \
/usr/share/jitsi-videobridge/lib/videobridge.rc
sed -i.tmp -E \
-e 's!(JICOFO_MAX_MEMORY)[^";]+;!\1=${MAX_MEMORY};!' \
/usr/share/jicofo/jicofo.sh
EOF
fi
if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
echo "service nginx reload"
fi
if grep -qE "^(__line/jitsi_jicofo_secured_domains|(__file|__link)/etc/prosody/conf.d/|__file/etc/jitsi/(jicofo/jicofo.conf|videobridge/jvb.conf))" "${__messages_in}"; then
RESTART_SERVICES="YES"
fi
if [ -n "${RESTART_SERVICES}" ]; then
echo "systemctl restart prosody"
echo "systemctl restart jicofo"
echo "systemctl restart jitsi-videobridge2"
fi

111
type/__jitsi_meet/man.rst
View file

@ -1,111 +0,0 @@
cdist-type__jitsi_meet(7)
=========================
NAME
----
cdist-type__jitsi_meet - Setup the server-side of Jitsi-Meet.
DESCRIPTION
-----------
This (singleton) type installs and configures jitsi-meet automatically.
It does so by following loosely the official quick-install instructions and
eXO's notes for installing and managing Jitsi Meet instances.
This type also sets up nginx in a way that is compatible with
`__letsencrypt_cert` and assumes that it will only serve Jitsi instances.
You will also need the `__jitsi_meet_domain` type in order to finish setting up
the web frontend (including TLS certificates) and its settings.
You may want to use the `files/ufw` example manifest for a `__ufw`-based
firewall compatible with this type that allows all ports needed by Jitsi-Meet.
Note however that this will not deal with rules for SSH or for TCP port 9888,
which exposes the prometheus exporter if not disabled.
Remember to apply your own rules here, particularly regarding SSH.
This type only works on De{bi,vu}an systems.
It is very important for this type to stay up to date with the software, as
otherwise new deployments or maintenance of existing instances might be
negatively affected.
If you can, please contribute updates to `__jitsi_meet` and
`__jitsi_meet_domain` promptly and regularly.
Alternatively, you can help finance that work; get in touch with the type
authors for that (see below).
This type takes care of adapting the maximum memory used by jicofo and
videobridge in function of the hosts installed memory.
NOTE: This type currently does not deal with setting up coturn.
For that, you might want to check `__coturn` in
https://code.ungleich.ch/ungleich-public/cdist-contrib
In that case, this type should run *after* `__coturn`.
OPTIONAL PARAMETERS
-------------------
abort-conference-count
Only has an effect if the prometheus exporter is enabled and if it is not
empty (default).
If at least this many conferences are active on the server, the type will
bail out before making any changes.
This is useful if you want to avoid service disruptions due to e.g. an SLA.
turn-secret
The shared secret for the TURN server.
turn-server
The hostname of the TURN server.
This will assume that it is listening with TLS on port 443.
BOOLEAN PARAMETERS
------------------
disable-prometheus-exporter
This type enables a prometheus exporter for jitsi by default, if you would
rather not have that, pass this parameter.
The explorer is based on:
https://github.com/systemli/prometheus-jitsi-meet-exporter
secured-domains
If this flag is present, all domains that use this Jitsi instance will
require that an authenticated user starts a meeting.
For information on how this is achieved, see
https://jitsi.github.io/handbook/docs/devops-guide/secure-domain .
You will need to create the users with `__jitsi_meet_user(7)`.
EXAMPLES
--------
.. code-block:: sh
# Setup the firewall for Jitsi-Meet
. "${__global}/type/__jitsi_meet/files/ufw"
export require="__ufw"
# Setup firewall SSH rules as necessary
__ufw_rule ssh --rule 'allow 22/tcp from 10.0.0.0/24'
# Setup Jitsi on this host
__jitsi_meet \
--turn-server "turn.exo.cat" \
--turn-secret "WeNeedGoodSecurity"
SEE ALSO
--------
- `__jitsi_meet_domain(7)`
- `__jitsi_meet_user(7)`
AUTHORS
-------
Evilham <contact@evilham.com>
COPYING
-------
Copyright \(C) 2022 Evilham.

309
type/__jitsi_meet/manifest
View file

@ -1,309 +0,0 @@
#!/bin/sh -e
os="$(cat "${__global}/explorer/os")"
case "${os}" in
devuan|debian)
;;
*)
echo "Your OS '${os}' is currently not supported." > /dev/stderr
exit 1
;;
esac
current_conferences="$(cat "${__object}/explorer/jitsi-status" | grep -E "^jitsi_conferences[[:space:]]" | cut -d ' ' -f 2)"
ABORT_CONFERENCE_COUNT="$(cat "${__object}/parameter/abort-conference-count")"
if [ -n "${current_conferences}" ] && [ -n "${ABORT_CONFERENCE_COUNT}" ] && \
[ "${ABORT_CONFERENCE_COUNT}" -le "${current_conferences}" ]; then
cat <<-EOF
Early bail out was requested when at least ${ABORT_CONFERENCE_COUNT} conferences are taking place.
There are currently ${current_conferences} active conferences.
Try again at a later time or remove or increase --abort-conference-count
EOF
exit 1
fi
JITSI_HOST="${__target_host}"
if [ -f "${__object}/parameter/jitsi-version" ]; then
# This has been deprecated and will be removed 'soon'
JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
else
# Note this won't be a parameter anymore, we won't let users stay behind
JITSI_VERSION="$(cat "${__type}/files/jitsi-version")"
fi
TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
TURN_SECRET="$(cat "${__object}/parameter/turn-secret")"
if [ -z "${TURN_SERVER}" ]; then
TURN_SERVER="${JITSI_HOST}"
fi
# The rest is loosely based on Jitsi's documentation
# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart
# Setup repositories
## First the signing keys
### Remove old signing key
__apt_key "jitsi_meet_2016" \
--keyid "66A9 CD05 95D6 AFA2 4729 0D3B EF8B 479E 2DC1 389C" \
--use-deprecated-apt-key \
--state "absent"
### Add new signing key
require="__apt_key/jitsi_meet_2016" __apt_key jitsi_meet_2021 \
--source "${__type}/files/apt_2021.gpg" \
--state "present"
## Now the repositories (they are a tad weird, so distribution is 'stable/')
require="__apt_key/jitsi_meet_2021" __apt_source jitsi_meet \
--uri 'https://download.jitsi.org' \
--distribution 'stable/' \
--state present
## Ensure apt cache is up-to-date
require="__apt_source/jitsi_meet" __apt_update_index
export require="${require} __apt_source/jitsi_meet __apt_update_index"
# Pre-feed debconf settings, so Jitsi's installation has a good config
# shellcheck source=type/__jitsi_meet/files/debconf_settings.sh
. "${__type}/files/debconf_settings.sh" # This defines DEBCONF_SETTINGS
__debconf_set_selections jitsi_meet --line "${DEBCONF_SETTINGS}"
export require="${require} __debconf_set_selections/jitsi_meet"
# Install and upgrade packages as needed
# NOTE: we are doing version pinning again, but it breaks sometimes when
# the version is not the latest.
# This happens because dependencies might not be properly resolved.
# To avoid this, this type must be maintained up to date.
# If we don't use this, keeping Jitsi's up to date is very difficult.
__package_apt jitsi-meet --version "${JITSI_VERSION}"
# Proceed only after installation/upgrade has finished
export require="__package_apt/jitsi-meet"
# TODO: generalise and move out
# Prep nginx for acme settings
NGINX_ETC="/etc/nginx"
#
# Setup the acme-challenge snippet
#
__directory "${NGINX_ETC}/snippets" --state present
require="__directory${NGINX_ETC}/snippets" __file "${NGINX_ETC}/snippets/acme-challenge.conf" \
--mode 644 \
--source - << EOF
# This file is managed remotely, all changes will be lost
# This was heavily inspired by debops.org.
# Automatic Certificate Management Environment (ACME) support.
# https://tools.ietf.org/html/draft-ietf-acme-acme-01
# https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment
# Return the ACME challenge present in the server public root.
# If not found, switch to global web server root.
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
try_files \$uri @well-known-acme-challenge;
}
# Return the ACME challenge present in the global server public root.
# If not present, redirect request to a specified domain.
location @well-known-acme-challenge {
root /usr/share/jitsi-meet;
default_type "text/plain";
try_files \$uri @redirect-acme-challenge;
}
# Redirect the ACME challenge to a different host. If a redirect loop is
# detected, return 404.
location @redirect-acme-challenge {
if (\$arg_redirect) {
return 404;
}
return 307 \$scheme://${ACME_DOMAIN}\$request_uri?redirect=yes;
}
# Return 404 if ACME challenge well known path is accessed directly.
location = /.well-known/acme-challenge/ {
return 404;
}
EOF
__directory "${NGINX_ETC}/sites-available" --state present
require="__directory${NGINX_ETC}/sites-available" __file "${NGINX_ETC}/sites-available/default" \
--mode 644 \
--source - << EOF
# This file is managed remotely, all changes will be lost
server_names_hash_bucket_size 64;
types {
# nginx's default mime.types doesn't include a mapping for wasm
application/wasm wasm;
}
server {
# Listen on IPv4
listen 80;
# Note: there is an ipv6only=off flag, but it is Linux-only
# incidentally, that defaults to "on", which is what causes
# not having the double listen to listen on IPv6-only
listen [::]:80;
server_name welcome;
root /srv/www/sites/welcome/public;
include snippets/acme-challenge.conf;
location / {
return 301 https://\$host\$request_uri;
}
}
EOF
# Starting from 2.0.7210, jitsi defines following nginx upstreams
__directory "${NGINX_ETC}/conf.d" --state present
require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/prosody.conf" \
--mode 644 \
--source - << EOF
upstream prosody {
zone upstreams 64K;
server 127.0.0.1:5280;
keepalive 2;
}
EOF
require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/jvb1.conf" \
--mode 644 \
--source - << EOF
upstream jvb1 {
zone upstreams 64K;
server 127.0.0.1:9090;
keepalive 2;
}
EOF
if [ -f "${__object}/parameter/secured-domains" ]; then
SECURED_DOMAINS_STATE='present'
else
SECURED_DOMAINS_STATE='absent'
fi
# This is the main host config
PROSODY_MAIN_CONFIG="YES"
# Prosody settings for common components (jvb, focus, ...)
# shellcheck source=type/__jitsi_meet/files/prosody.cfg.lua.sh
. "${__type}/files/prosody.cfg.lua.sh" # This defines PROSODY_CONFIG
__file "/etc/prosody/conf.d/00_jitsi_base.cfg.lua" \
--group prosody \
--mode 0440 \
--source - <<EOF
${PROSODY_CONFIG}
EOF
# Clean up zauth.cfg.lua file, which we don't use now
__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
--state absent
export SECURED_DOMAINS_STATE
export JITSI_HOST
"${__type}/files/jicofo.conf.sh" | \
__file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-'
# Enable the private colibri REST API end point for better stats
__file "/etc/jitsi/videobridge/jvb.conf" --mode 0444 --source '-' <<EOFJVB
videobridge {
http-servers {
public {
port = 9090
}
private {
port = 8080
}
}
websockets {
enabled = true
domain = "${JITSI_HOST}:443"
tls = true
}
apis {
rest {
enabled = true
}
}
}
EOFJVB
# Enable simple per-domain body customisation
__file "/usr/share/jitsi-meet/body.html" \
--mode 0644 \
--source '-' <<EOF
<!--#include virtual="body-\${host}.html" -->
EOF
# These two should be changed on new release
EXPORTER_VERSION="1.2.0"
EXPORTER_CHECKSUM="sha256:6377ffa7be0c7deb66545616add7245da96f8b7746d6712f41cfa9fe72c935ce"
EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${EXPORTER_VERSION}/prometheus-jitsi-meet-exporter_${EXPORTER_VERSION}_linux_amd64.tar.gz"
if [ -f "${__object}/parameter/disable-prometheus-exporter" ]; then
EXPORTER_STATE="absent"
else
EXPORTER_STATE="present"
fi
__evilham_single_binary_service prometheus-jitsi-meet-exporter \
--state "${EXPORTER_STATE}" \
--do-not-manage-user \
--user "nobody" \
--group "nogroup" \
--version "${EXPORTER_VERSION}" \
--checksum "${EXPORTER_CHECKSUM}" \
--url "${EXPORTER_URL}" \
--unpack \
--service-args "-videobridge-url 'http://localhost:8080/colibri/stats' -web.listen-address ':9888'"
#
# Setup interpreter assets if requested
# See: https://gitlab.com/mfmt/jsi/
#
jsi_updated_on="2022-04-21"
__link "/usr/share/jitsi-meet/interpreters.html" \
--type symbolic \
--source "/opt/jsi/static/index.html.sample"
__directory /opt/jsi --mode 0755
export require="__directory/opt/jsi"
__download /opt/jsi/jsi.tar.gz \
--url 'https://gitlab.com/mfmt/jsi/-/archive/1d2cceaf615ee61c0bba80e5bddc61c5d1018303/jsi-1d2cceaf615ee61c0bba80e5bddc61c5d1018303.tar.gz' \
--sum "sha256:b020141093daa9937507b098f358d0be994834c3e23866a457fc5140415a0c53"
export require="__download/opt/jsi/jsi.tar.gz"
__unpack /opt/jsi/jsi.tar.gz \
--preserve-archive \
--tar-strip 1 \
--destination /opt/jsi/static \
--onchange "$(cat <<EOF
# Patch style.css to be served on /i/
sed -i.tmp -E \
-e 's!url[(]/img/welcome-background.png[)]!url(/i/img/welcome-background.png)!' \
/opt/jsi/static/style.css
# Patch jsi.js to be served on /i/
# and so it always uses the domain it's served from
# and so it uses /i/ROOM for the form
sed -i.tmp -E \
-e 's!substr[(][0-9]+[)]!substr(3)!' \
-e 's!config[.]jitsimeet_url!url.host!' \
-e 's!(window[.]location[.]href)[[:space:]]*=[[:space:]]*"/"!\1 = "/i/"!' \
/opt/jsi/static/jsi.js
# Patch the sample index.html, so it loads external_api.js from same host
# and to easen up on the branding
# and to enable browser cache
sed -i.tmp -E \
-e "s!src=[^>]*(/external_api.js).!src='\1'!" \
-e "s!<h1>[^<]*</h1>!<h1>Jitsi Meetings with interpreter</h1>!" \
-e "s!https://meet.mayfirst.org!/!" \
-e "s!(style.css|jsi.js)([^?])!\1?v=${jsi_updated_on:?}\2!" \
/opt/jsi/static/index.html.sample
EOF
)"

2
type/__jitsi_meet/parameter/boolean
View file

@ -1,2 +0,0 @@
disable-prometheus-exporter
secured-domains

4
type/__jitsi_meet/parameter/deprecated/jitsi-version
View file

@ -1,4 +0,0 @@
Supporting different versions lead to strange issues in the life-time of a
Jitsi instance. Chiefly: difficulties upgrading.
If you are specifying this for a valid reason, please get in touch.

4
type/__jitsi_meet/parameter/optional
View file

@ -1,4 +0,0 @@
abort-conference-count
jitsi-version
turn-secret
turn-server

1
type/__jitsi_meet_domain/boolean
View file

@ -1 +0,0 @@
secured-domains

35
type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
View file

@ -1,35 +0,0 @@
#!/bin/sh -eu
# This is a helper to update the '.sh.orig' files for jitsi's
# configuration files.
# Then the changes must be propagated to their corresponding .sh
# files by the type maintainer or a contributor
# We could automate this, but are using it as an indicator for the
# latest branch with which we conciliated changes.
BRANCH="jitsi-meet_7439"
REPO="https://github.com/jitsi/jitsi-meet"
get_url() {
file="${1}"
printf "%s/raw/stable/%s/%s" "${REPO}" "${BRANCH}" "${file}"
}
download_file() {
file="${1}"
destination="${2:-${file}.sh.orig}"
url="$(get_url "${file}")"
echo "Downloading ${destination}"
curl -L "${url}" > "${destination}"
echo
}
download_file config.js
download_file interface_config.js
download_file doc/debian/jitsi-meet/jitsi-meet.example nginx.sh.orig
download_file doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example prosody.cfg.lua.sh.orig
# Change the version file, maintainers should check that it matches
# the deb version
printf "2.0.%s-1" "${BRANCH#*_}" > jitsi-version

1406
type/__jitsi_meet_domain/files/config.js.sh
View file

File diff suppressed because it is too large Load diff

1396
type/__jitsi_meet_domain/files/config.js.sh.orig
View file

File diff suppressed because it is too large Load diff

281
type/__jitsi_meet_domain/files/interface_config.js.sh
View file

@ -1,281 +0,0 @@
#!/bin/sh -e
# default jitsi logo in svg
BRANDING_WATERMARK_PATH='images/watermark.svg'
# overrides default jitsi logo with the provided custom png logo
if [ -n "${BRANDING_WATERMARK}" ]; then
BRANDING_WATERMARK_PATH='images/watermark.png'
fi
# shellcheck disable=SC2034 # This is intended to be included
JITSI_INTERFACE_CONFIG_JS="$(cat <<EOF
/* eslint-disable no-unused-vars, no-var, max-len */
/* eslint sort-keys: ["error", "asc", {"caseSensitive": false}] */
/**
* !!!IMPORTANT!!!
*
* This file is considered deprecated. All options will eventually be moved to
* config.js, and no new options should be added here.
*/
var interfaceConfig = {
APP_NAME: '${BRANDING_APP_NAME}',
AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)',
AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)',
/**
* A UX mode where the last screen share participant is automatically
* pinned. Valid values are the string "remote-only" so remote participants
* get pinned but not local, otherwise any truthy value for all participants,
* and any falsy value to disable the feature.
*
* Note: this mode is experimental and subject to breakage.
*/
AUTO_PIN_LATEST_SCREEN_SHARE: 'remote-only',
BRAND_WATERMARK_LINK: '',
CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
DEFAULT_BACKGROUND: '#040404',
DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
DEFAULT_WELCOME_PAGE_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
/**
* If true, notifications regarding joining/leaving are no longer displayed.
*/
DISABLE_JOIN_LEAVE_NOTIFICATIONS: false,
/**
* If true, presence status: busy, calling, connected etc. is not displayed.
*/
DISABLE_PRESENCE_STATUS: false,
/**
* Whether the ringing sound in the call/ring overlay is disabled. If
* {@code undefined}, defaults to {@code false}.
*
* @type {boolean}
*/
DISABLE_RINGING: false,
/**
* Whether the speech to text transcription subtitles panel is disabled.
* If {@code undefined}, defaults to {@code false}.
*
* @type {boolean}
*/
DISABLE_TRANSCRIPTION_SUBTITLES: false,
/**
* Whether or not the blurred video background for large video should be
* displayed on browsers that can support it.
*/
DISABLE_VIDEO_BACKGROUND: false,
DISPLAY_WELCOME_FOOTER: true,
DISPLAY_WELCOME_PAGE_ADDITIONAL_CARD: false,
DISPLAY_WELCOME_PAGE_CONTENT: false,
DISPLAY_WELCOME_PAGE_TOOLBAR_ADDITIONAL_CONTENT: false,
ENABLE_DIAL_OUT: true,
ENABLE_FEEDBACK_ANIMATION: false, // Enables feedback star animation.
FILM_STRIP_MAX_HEIGHT: 120,
GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
/**
* Hide the logo on the deep linking pages.
*/
HIDE_DEEP_LINKING_LOGO: false,
/**
* Hide the invite prompt in the header when alone in the meeting.
*/
HIDE_INVITE_MORE_HEADER: false,
JITSI_WATERMARK_LINK: 'https://jitsi.org',
LANG_DETECTION: true, // Allow i18n to detect the system language
LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature.
LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
/**
* Maximum coefficient of the ratio of the large video to the visible area
* after the large video is scaled to fit the window.
*
* @type {number}
*/
MAXIMUM_ZOOMING_COEFFICIENT: 1.3,
/**
* Whether the mobile app Jitsi Meet is to be promoted to participants
* attempting to join a conference in a mobile Web browser. If
* {@code undefined}, defaults to {@code true}.
*
* @type {boolean}
*/
MOBILE_APP_PROMO: true,
/**
* Specify custom URL for downloading android mobile app.
*/
MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
/**
* Specify custom URL for downloading f droid app.
*/
MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
/**
* Specify URL for downloading ios mobile app.
*/
MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
NATIVE_APP_NAME: 'Jitsi Meet',
// Names of browsers which should show a warning stating the current browser
// has a suboptimal experience. Browsers which are not listed as optimal or
// unsupported are considered suboptimal. Valid values are:
// chrome, chromium, edge, electron, firefox, nwjs, opera, safari
OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron', 'safari' ],
POLICY_LOGO: null,
PROVIDER_NAME: 'Jitsi',
/**
* If true, will display recent list
*
* @type {boolean}
*/
RECENT_LIST_ENABLED: true,
REMOTE_THUMBNAIL_RATIO: 1, // 1:1
SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds' ],
/**
* Specify which sharing features should be displayed. If the value is not set
* all sharing features will be shown. You can set [] to disable all.
*/
// SHARING_FEATURES: ['email', 'url', 'dial-in', 'embed'],
SHOW_BRAND_WATERMARK: false,
/**
* Decides whether the chrome extension banner should be rendered on the landing page and during the meeting.
* If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s)
* being already installed is done before rendering.
*/
SHOW_CHROME_EXTENSION_BANNER: false,
SHOW_DEEP_LINKING_IMAGE: false,
SHOW_JITSI_WATERMARK: true,
SHOW_POWERED_BY: false,
SHOW_PROMOTIONAL_CLOSE_PAGE: false,
/*
* If indicated some of the error dialogs may point to the support URL for
* help.
*/
SUPPORT_URL: 'https://community.jitsi.org/',
// Browsers, in addition to those which do not fully support WebRTC, that
// are not supported and should show the unsupported browser page.
UNSUPPORTED_BROWSERS: [],
/**
* Whether to show thumbnails in filmstrip as a column instead of as a row.
*/
VERTICAL_FILMSTRIP: true,
// Determines how the video would fit the screen. 'both' would fit the whole
// screen, 'height' would fit the original video height to the height of the
// screen, 'width' would fit the original video width to the width of the
// screen respecting ratio, 'nocrop' would make the video as large as
// possible and preserve aspect ratio without cropping.
VIDEO_LAYOUT_FIT: 'both',
/**
* If true, hides the video quality label indicating the resolution status
* of the current large video.
*
* @type {boolean}
*/
VIDEO_QUALITY_LABEL_DISABLED: false,
/**
* How many columns the tile view can expand to. The respected range is
* between 1 and 5.
*/
// TILE_VIEW_MAX_COLUMNS: 5,
/**
* Specify Firebase dynamic link properties for the mobile apps.
*/
// MOBILE_DYNAMIC_LINK: {
// APN: 'org.jitsi.meet',
// APP_CODE: 'w2atb',
// CUSTOM_DOMAIN: undefined,
// IBI: 'com.atlassian.JitsiMeet.ios',
// ISI: '1165103905'
// },
/**
* Specify mobile app scheme for opening the app from the mobile browser.
*/
// APP_SCHEME: 'org.jitsi.meet',
/**
* Specify the Android app package name.
*/
// ANDROID_APP_PACKAGE: 'org.jitsi.meet',
// List of undocumented settings
/**
INDICATOR_FONT_SIZES
PHONE_NUMBER_REGEX
*/
// -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
// Connection indicators (
// CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,
// CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT,
// CONNECTION_INDICATOR_DISABLED) got moved to config.js.
// Please use disableModeratorIndicator from config.js
// DISABLE_FOCUS_INDICATOR: false,
// Please use defaultLocalDisplayName from config.js
// DEFAULT_LOCAL_DISPLAY_NAME: 'me',
// Please use defaultRemoteDisplayName from config.js
// DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
// Moved to config.js as \`toolbarConfig.initialTimeout\`.
// INITIAL_TOOLBAR_TIMEOUT: 20000,
// Moved to config.js as \`toolbarConfig.alwaysVisible\`.
// TOOLBAR_ALWAYS_VISIBLE: false,
// This config was moved to config.js as \`toolbarButtons\`.
// TOOLBAR_BUTTONS: [],
// Moved to config.js as \`toolbarConfig.timeout\`.
// TOOLBAR_TIMEOUT: 4000,
// Allow all above example options to include a trailing comma and
// prevent fear when commenting out the last value.
// eslint-disable-next-line sort-keys
makeJsonParserHappy: 'even if last key had a trailing comma'
// No configuration value should follow this line.
};
/* eslint-enable no-unused-vars, no-var, max-len */
EOF
)"

268
type/__jitsi_meet_domain/files/interface_config.js.sh.orig
View file

@ -1,268 +0,0 @@
/* eslint-disable no-unused-vars, no-var, max-len */
/* eslint sort-keys: ["error", "asc", {"caseSensitive": false}] */
/**
* !!!IMPORTANT!!!
*
* This file is considered deprecated. All options will eventually be moved to
* config.js, and no new options should be added here.
*/
var interfaceConfig = {
APP_NAME: 'Jitsi Meet',
AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)',
AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)',
/**
* A UX mode where the last screen share participant is automatically
* pinned. Valid values are the string "remote-only" so remote participants
* get pinned but not local, otherwise any truthy value for all participants,
* and any falsy value to disable the feature.
*
* Note: this mode is experimental and subject to breakage.
*/
AUTO_PIN_LATEST_SCREEN_SHARE: 'remote-only',
BRAND_WATERMARK_LINK: '',
CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
DEFAULT_BACKGROUND: '#040404',
DEFAULT_LOGO_URL: 'images/watermark.svg',
DEFAULT_WELCOME_PAGE_LOGO_URL: 'images/watermark.svg',
DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
/**
* If true, notifications regarding joining/leaving are no longer displayed.
*/
DISABLE_JOIN_LEAVE_NOTIFICATIONS: false,
/**
* If true, presence status: busy, calling, connected etc. is not displayed.
*/
DISABLE_PRESENCE_STATUS: false,
/**
* Whether the ringing sound in the call/ring overlay is disabled. If
* {@code undefined}, defaults to {@code false}.
*
* @type {boolean}
*/
DISABLE_RINGING: false,
/**
* Whether the speech to text transcription subtitles panel is disabled.
* If {@code undefined}, defaults to {@code false}.
*
* @type {boolean}
*/
DISABLE_TRANSCRIPTION_SUBTITLES: false,
/**
* Whether or not the blurred video background for large video should be
* displayed on browsers that can support it.
*/
DISABLE_VIDEO_BACKGROUND: false,
DISPLAY_WELCOME_FOOTER: true,
DISPLAY_WELCOME_PAGE_ADDITIONAL_CARD: false,
DISPLAY_WELCOME_PAGE_CONTENT: false,
DISPLAY_WELCOME_PAGE_TOOLBAR_ADDITIONAL_CONTENT: false,
ENABLE_DIAL_OUT: true,
ENABLE_FEEDBACK_ANIMATION: false, // Enables feedback star animation.
FILM_STRIP_MAX_HEIGHT: 120,
GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
/**
* Hide the logo on the deep linking pages.
*/
HIDE_DEEP_LINKING_LOGO: false,
/**
* Hide the invite prompt in the header when alone in the meeting.
*/
HIDE_INVITE_MORE_HEADER: false,
JITSI_WATERMARK_LINK: 'https://jitsi.org',
LANG_DETECTION: true, // Allow i18n to detect the system language
LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature.
LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
/**
* Maximum coefficient of the ratio of the large video to the visible area
* after the large video is scaled to fit the window.
*
* @type {number}
*/
MAXIMUM_ZOOMING_COEFFICIENT: 1.3,
/**
* Whether the mobile app Jitsi Meet is to be promoted to participants
* attempting to join a conference in a mobile Web browser. If
* {@code undefined}, defaults to {@code true}.
*
* @type {boolean}
*/
MOBILE_APP_PROMO: true,
/**
* Specify custom URL for downloading android mobile app.
*/
MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
/**
* Specify custom URL for downloading f droid app.
*/
MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
/**
* Specify URL for downloading ios mobile app.
*/
MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
NATIVE_APP_NAME: 'Jitsi Meet',
// Names of browsers which should show a warning stating the current browser
// has a suboptimal experience. Browsers which are not listed as optimal or
// unsupported are considered suboptimal. Valid values are:
// chrome, chromium, edge, electron, firefox, nwjs, opera, safari
OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron', 'safari' ],
POLICY_LOGO: null,
PROVIDER_NAME: 'Jitsi',
/**
* If true, will display recent list
*
* @type {boolean}
*/
RECENT_LIST_ENABLED: true,
REMOTE_THUMBNAIL_RATIO: 1, // 1:1
SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds' ],
/**
* Specify which sharing features should be displayed. If the value is not set
* all sharing features will be shown. You can set [] to disable all.
*/
// SHARING_FEATURES: ['email', 'url', 'dial-in', 'embed'],
SHOW_BRAND_WATERMARK: false,
/**
* Decides whether the chrome extension banner should be rendered on the landing page and during the meeting.
* If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s)
* being already installed is done before rendering.
*/
SHOW_CHROME_EXTENSION_BANNER: false,
SHOW_DEEP_LINKING_IMAGE: false,
SHOW_JITSI_WATERMARK: true,
SHOW_POWERED_BY: false,
SHOW_PROMOTIONAL_CLOSE_PAGE: false,
/*
* If indicated some of the error dialogs may point to the support URL for
* help.
*/
SUPPORT_URL: 'https://community.jitsi.org/',
// Browsers, in addition to those which do not fully support WebRTC, that
// are not supported and should show the unsupported browser page.
UNSUPPORTED_BROWSERS: [],
/**
* Whether to show thumbnails in filmstrip as a column instead of as a row.
*/
VERTICAL_FILMSTRIP: true,
// Determines how the video would fit the screen. 'both' would fit the whole
// screen, 'height' would fit the original video height to the height of the
// screen, 'width' would fit the original video width to the width of the
// screen respecting ratio, 'nocrop' would make the video as large as
// possible and preserve aspect ratio without cropping.
VIDEO_LAYOUT_FIT: 'both',
/**
* If true, hides the video quality label indicating the resolution status
* of the current large video.
*
* @type {boolean}
*/
VIDEO_QUALITY_LABEL_DISABLED: false,
/**
* How many columns the tile view can expand to. The respected range is
* between 1 and 5.
*/
// TILE_VIEW_MAX_COLUMNS: 5,
/**
* Specify Firebase dynamic link properties for the mobile apps.
*/
// MOBILE_DYNAMIC_LINK: {
// APN: 'org.jitsi.meet',
// APP_CODE: 'w2atb',
// CUSTOM_DOMAIN: undefined,
// IBI: 'com.atlassian.JitsiMeet.ios',
// ISI: '1165103905'
// },
/**
* Specify mobile app scheme for opening the app from the mobile browser.
*/
// APP_SCHEME: 'org.jitsi.meet',
/**
* Specify the Android app package name.
*/
// ANDROID_APP_PACKAGE: 'org.jitsi.meet',
// List of undocumented settings
/**
INDICATOR_FONT_SIZES
PHONE_NUMBER_REGEX
*/
// -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
// Connection indicators (
// CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,
// CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT,
// CONNECTION_INDICATOR_DISABLED) got moved to config.js.
// Please use disableModeratorIndicator from config.js
// DISABLE_FOCUS_INDICATOR: false,
// Please use defaultLocalDisplayName from config.js
// DEFAULT_LOCAL_DISPLAY_NAME: 'me',
// Please use defaultRemoteDisplayName from config.js
// DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
// Moved to config.js as `toolbarConfig.initialTimeout`.
// INITIAL_TOOLBAR_TIMEOUT: 20000,
// Moved to config.js as `toolbarConfig.alwaysVisible`.
// TOOLBAR_ALWAYS_VISIBLE: false,
// This config was moved to config.js as `toolbarButtons`.
// TOOLBAR_BUTTONS: [],
// Moved to config.js as `toolbarConfig.timeout`.
// TOOLBAR_TIMEOUT: 4000,
// Allow all above example options to include a trailing comma and
// prevent fear when commenting out the last value.
// eslint-disable-next-line sort-keys
makeJsonParserHappy: 'even if last key had a trailing comma'
// No configuration value should follow this line.
};
/* eslint-enable no-unused-vars, no-var, max-len */

1
type/__jitsi_meet_domain/files/jitsi-version
View file

@ -1 +0,0 @@
2.0.7439-1

204
type/__jitsi_meet_domain/files/nginx.sh
View file

@ -1,204 +0,0 @@
#!/bin/sh -e
# shellcheck disable=SC2034 # This is intended to be included
JITSI_NGINX_CONFIG="$(cat <<EOF
# Jitsi uses following lines by default, in our cdist types they must be commented
# out as we already set it with __jitsi_meet in the default server config.
#server_names_hash_bucket_size 64;
#
#types {
## nginx's default mime.types doesn't include a mapping for wasm
# application/wasm wasm;
#}
# These upstreams are managed by __jitsi_meet
#upstream prosody {
# zone upstreams 64K;
# server 127.0.0.1:5280;
# keepalive 2;
#}
#upstream jvb1 {
# zone upstreams 64K;
# server 127.0.0.1:9090;
# keepalive 2;
#}
server {
listen 80;
listen [::]:80;
server_name ${DOMAIN};
include snippets/acme-challenge.conf;
location / {
return 301 https://\$host\$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name ${DOMAIN};
include snippets/acme-challenge.conf;
# Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m; # about 40000 sessions
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=63072000" always;
set \$prefix "";
ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
root /usr/share/jitsi-meet;
# ssi on with javascript for multidomain variables in config.js
ssi on;
ssi_types application/x-javascript application/javascript;
# Try the custom page for this domain, fallback to default page
index index-${DOMAIN}.html index.html index.htm;
error_page 404 /static/404.html;
gzip on;
gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm;
gzip_vary on;
gzip_proxied no-cache no-store private expired auth;
gzip_min_length 512;
# We expect this domain to be properly configured, the file should exist
location = /config.js {
alias /etc/jitsi/meet/${DOMAIN}-config.js;
}
# We expect this domain to be properly configured, the file should exist
location = /interface_config.js {
alias /etc/jitsi/meet/${DOMAIN}-interface_config.js;
}
# This may or may not exist; it will be set up in config.js if needed
location = /branding.json {
alias /etc/jitsi/meet/${DOMAIN}-branding.json;
}
# Try custom image and fallback to default
location = /images/watermark.png {
try_files /images/watermark-${DOMAIN}.png \$uri;
}
location = /external_api.js {
alias /usr/share/jitsi-meet/libs/external_api.min.js;
}
# ensure all static content can always be found first
location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)\$
{
add_header 'Access-Control-Allow-Origin' '*';
alias /usr/share/jitsi-meet/\$1/\$2;
# cache all versioned files
if (\$arg_v) {
expires 1y;
}
}
# Paths for jsi / interpreters
location ~ ^/i/(img/[^./]*.png|jsi.js|style.css)$
{
add_header 'Access-Control-Allow-Origin' '*';
alias /opt/jsi/static/\$1;
# cache all versioned files
if (\$arg_v) {
expires 1y;
}
}
location ~ ^/i/
{
try_files /${DOMAIN}-interpreters.html /interpreters.html \$uri;
}
# BOSH
location = /http-bind {
proxy_pass http://prosody/http-bind?prefix=\$prefix&\$args;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For \$remote_addr;
# Prevision for 'multi-domain' jitsi instances
# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
proxy_set_header Host ${DOMAIN};
proxy_set_header Connection "";
}
# xmpp websockets
location = /xmpp-websocket {
proxy_pass http://prosody/xmpp-websocket?prefix=\$prefix&\$args;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";
# Prevision for 'multi-domain' jitsi instances
# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
proxy_set_header Host ${DOMAIN};
tcp_nodelay on;
}
# colibri (JVB) websockets for jvb1
location ~ ^/colibri-ws/default-id/(.*) {
proxy_pass http://jvb1/colibri-ws/default-id/\$1\$is_args\$args;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";
tcp_nodelay on;
}
# load test minimal client, uncomment when used
#location ~ ^/_load-test/([^/?&:'"]+)\$ {
# rewrite ^/_load-test/(.*)\$ /load-test/index.html break;
#}
#location ~ ^/_load-test/libs/(.*)\$ {
# add_header 'Access-Control-Allow-Origin' '*';
# alias /usr/share/jitsi-meet/load-test/libs/\$1;
#}
location ~ ^/([^/?&:'"]+)\$ {
try_files \$uri @root_path;
}
location @root_path {
rewrite ^/(.*)\$ / break;
}
location ~ ^/([^/?&:'"]+)/config.js\$
{
set \$subdomain "\$1.";
set \$subdir "\$1/";
alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
}
# BOSH for subdomains
location ~ ^/([^/?&:'"]+)/http-bind {
set \$subdomain "\$1.";
set \$subdir "\$1/";
set \$prefix "\$1";
rewrite ^/(.*)\$ /http-bind;
}
# websockets for subdomains
location ~ ^/([^/?&:'"]+)/xmpp-websocket {
set \$subdomain "\$1.";
set \$subdir "\$1/";
set \$prefix "\$1";
rewrite ^/(.*)\$ /xmpp-websocket;
}
# Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
location ~ ^/([^/?&:'"]+)/(.*)\$ {
set \$subdomain "\$1.";
set \$subdir "\$1/";
rewrite ^/([^/?&:'"]+)/(.*)\$ /\$2;
}
}
EOF
)"

165
type/__jitsi_meet_domain/files/nginx.sh.orig
View file

@ -1,165 +0,0 @@
server_names_hash_bucket_size 64;
types {
# nginx's default mime.types doesn't include a mapping for wasm
application/wasm wasm;
}
upstream prosody {
zone upstreams 64K;
server 127.0.0.1:5280;
keepalive 2;
}
upstream jvb1 {
zone upstreams 64K;
server 127.0.0.1:9090;
keepalive 2;
}
server {
listen 80;
listen [::]:80;
server_name jitsi-meet.example.com;
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /usr/share/jitsi-meet;
}
location = /.well-known/acme-challenge/ {
return 404;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name jitsi-meet.example.com;
# Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m; # about 40000 sessions
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=63072000" always;
set $prefix "";
ssl_certificate /etc/jitsi/meet/jitsi-meet.example.com.crt;
ssl_certificate_key /etc/jitsi/meet/jitsi-meet.example.com.key;
root /usr/share/jitsi-meet;
# ssi on with javascript for multidomain variables in config.js
ssi on;
ssi_types application/x-javascript application/javascript;
index index.html index.htm;
error_page 404 /static/404.html;
gzip on;
gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm;
gzip_vary on;
gzip_proxied no-cache no-store private expired auth;
gzip_min_length 512;
location = /config.js {
alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
}
location = /external_api.js {
alias /usr/share/jitsi-meet/libs/external_api.min.js;
}
# ensure all static content can always be found first
location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
{
add_header 'Access-Control-Allow-Origin' '*';
alias /usr/share/jitsi-meet/$1/$2;
# cache all versioned files
if ($arg_v) {
expires 1y;
}
}
# BOSH
location = /http-bind {
proxy_pass http://prosody/http-bind?prefix=$prefix&$args;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header Connection "";
}
# xmpp websockets
location = /xmpp-websocket {
proxy_pass http://prosody/xmpp-websocket?prefix=$prefix&$args;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
tcp_nodelay on;
}
# colibri (JVB) websockets for jvb1
location ~ ^/colibri-ws/default-id/(.*) {
proxy_pass http://jvb1/colibri-ws/default-id/$1$is_args$args;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
tcp_nodelay on;
}
# load test minimal client, uncomment when used
#location ~ ^/_load-test/([^/?&:'"]+)$ {
# rewrite ^/_load-test/(.*)$ /load-test/index.html break;
#}
#location ~ ^/_load-test/libs/(.*)$ {
# add_header 'Access-Control-Allow-Origin' '*';
# alias /usr/share/jitsi-meet/load-test/libs/$1;
#}
location ~ ^/([^/?&:'"]+)$ {
try_files $uri @root_path;
}
location @root_path {
rewrite ^/(.*)$ / break;
}
location ~ ^/([^/?&:'"]+)/config.js$
{
set $subdomain "$1.";
set $subdir "$1/";
alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
}
# BOSH for subdomains
location ~ ^/([^/?&:'"]+)/http-bind {
set $subdomain "$1.";
set $subdir "$1/";
set $prefix "$1";
rewrite ^/(.*)$ /http-bind;
}
# websockets for subdomains
location ~ ^/([^/?&:'"]+)/xmpp-websocket {
set $subdomain "$1.";
set $subdir "$1/";
set $prefix "$1";
rewrite ^/(.*)$ /xmpp-websocket;
}
# Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
location ~ ^/([^/?&:'"]+)/(.*)$ {
set $subdomain "$1.";
set $subdir "$1/";
rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
}
}

228
type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
View file

@ -1,228 +0,0 @@
#!/bin/sh -eu
# Source:
# https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example
FOCUS_USER="focus"
JITSI_DOMAIN="${JITSI_DOMAIN:-${JITSI_HOST:?}}"
# PROSODY_MAIN_CONFIG: defined in __jitsi_meet, empty in __jitsi_meet_domain
PROSODY_SECUREDOMAIN_START="--[["
PROSODY_SECUREDOMAIN_END="--]]"
if [ -n "${PROSODY_MAIN_CONFIG}" ]; then
PROSODY_MAIN_START=""
PROSODY_MAIN_END=""
PROSODY_DOMAIN_START="--[["
PROSODY_DOMAIN_END="--]]"
else
PROSODY_MAIN_START="--[["
PROSODY_MAIN_END="--]]"
PROSODY_DOMAIN_START=""
PROSODY_DOMAIN_END=""
if [ -n "${SECURED_DOMAINS}" ]; then
PROSODY_SECUREDOMAIN_START=""
PROSODY_SECUREDOMAIN_END=""
fi
fi
# Websockets haven't been fully tested in this type and don't work reliably
PROSODY_WEBSOCKET="-- "
# shellcheck disable=SC2034 # This is intended to be included
PROSODY_CONFIG="$(cat <<EOFPROSODY
-- Managed remotely, changes will be lost
${PROSODY_MAIN_START}
-- This will be managed by __jitsi_meet
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "${JITSI_HOST:?}";
external_service_secret = "${TURN_SECRET:-TurnSecret}";
external_services = {
{ type = "stun", host = "${JITSI_HOST:?}", port = 3478 },
{ type = "turn", host = "${JITSI_HOST:?}", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
{ type = "turns", host = "${JITSI_HOST:?}", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};
cross_domain_bosh = false;
consider_bosh_secure = true;
-- Use websockets
-- https://community.jitsi.org/t/how-to-how-to-enable-websockets-xmpp-websocket-and-smacks-for-prosody/87920
${PROSODY_WEBSOCKET}consider_websocket_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284
-- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
--http_cors_override = {
-- bosh = {
-- enabled = false;
-- };
-- websocket = {
-- enabled = false;
-- };
--}
-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
protocol = "tlsv1_2+";
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}
unlimited_jids = {
"${FOCUS_USER:?}@auth.${JITSI_HOST:?}",
"jvb@auth.${JITSI_HOST:?}"
}
${PROSODY_MAIN_END}
${PROSODY_DOMAIN_START}
-- This will be managed by __jitsi_meet_domain
VirtualHost "${JITSI_DOMAIN:?}"
-- enabled = false -- Remove this line to enable this host
authentication = "anonymous"
-- Properties below are modified by jitsi-meet-tokens package config
-- and authentication above is switched to "token"
--app_id="example_app_id"
--app_secret="example_app_secret"
-- Assign this host a certificate for TLS, otherwise it would use the one
-- set in the global section (if any).
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
-- use the global one.
ssl = {
key = "/etc/prosody/certs/${JITSI_DOMAIN:?}.key";
certificate = "/etc/prosody/certs/${JITSI_DOMAIN:?}.crt";
}
av_moderation_component = "avmoderation.${JITSI_DOMAIN:?}"
speakerstats_component = "speakerstats.${JITSI_DOMAIN:?}"
conference_duration_component = "conferenceduration.${JITSI_DOMAIN:?}"
-- we need bosh
modules_enabled = {
"bosh";
"pubsub";
"ping"; -- Enable mod_ping
"speakerstats";
"external_services";
"conference_duration";
"muc_lobby_rooms";
"muc_breakout_rooms";
"av_moderation";
${PROSODY_WEBSOCKET} "websocket";
${PROSODY_WEBSOCKET} "smacks";
}
smacks_max_unacked_stanzas = 5;
smacks_hibernation_time = 60;
smacks_max_hibernated_sessions = 1;
smacks_max_old_sessions = 1;
c2s_require_encryption = false
lobby_muc = "lobby.${JITSI_DOMAIN:?}"
breakout_rooms_muc = "breakout.${JITSI_DOMAIN:?}"
main_muc = "conference.${JITSI_DOMAIN:?}"
-- muc_lobby_whitelist = { "recorder.${JITSI_DOMAIN:?}" } -- Here we can whitelist jibri to enter lobby enabled rooms
Component "conference.${JITSI_DOMAIN:?}" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_meeting_id";
"muc_domain_mapper";
"polls";
--"token_verification";
"muc_rate_limit";
}
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
muc_room_locking = false
muc_room_default_public_jids = true
Component "breakout.${JITSI_DOMAIN:?}" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_meeting_id";
"muc_domain_mapper";
--"token_verification";
"muc_rate_limit";
"polls";
}
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
muc_room_locking = false
muc_room_default_public_jids = true
-- internal muc component
Component "internal.auth.${JITSI_DOMAIN:?}" "muc"
storage = "memory"
modules_enabled = {
"ping";
}
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}", "jvb@auth.${JITSI_HOST:?}" }
muc_room_locking = false
muc_room_default_public_jids = true
-- https://prosody.im/doc/modules/mod_muc
muc_room_cache_size = 1000
${PROSODY_DOMAIN_END}
${PROSODY_MAIN_START}
-- This will be managed by __jitsi_meet
VirtualHost "auth.${JITSI_DOMAIN:?}"
ssl = {
key = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.key";
certificate = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.crt";
}
modules_enabled = {
"limits_exception";
}
authentication = "internal_hashed"
${PROSODY_MAIN_END}
${PROSODY_DOMAIN_START}
-- This will be managed by __jitsi_meet_domain
-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
Component "focus.${JITSI_DOMAIN:?}" "client_proxy"
-- Single focus user for the whole instance
target_address = "${FOCUS_USER:?}@auth.${JITSI_HOST:?}"
Component "speakerstats.${JITSI_DOMAIN:?}" "speakerstats_component"
muc_component = "conference.${JITSI_DOMAIN:?}"
Component "conferenceduration.${JITSI_DOMAIN:?}" "conference_duration_component"
muc_component = "conference.${JITSI_DOMAIN:?}"
Component "avmoderation.${JITSI_DOMAIN:?}" "av_moderation_component"
muc_component = "conference.${JITSI_DOMAIN:?}"
Component "lobby.${JITSI_DOMAIN:?}" "muc"
storage = "memory"
restrict_room_creation = true
muc_room_locking = false
muc_room_default_public_jids = true
modules_enabled = {
"muc_rate_limit";
"polls";
}
${PROSODY_DOMAIN_END}
--[[
-- Enables dial-in for Jitsi meet components customers
-- Note: make sure you have the following packages installed: lua-basexx, liblua5.3-dev, libssl-dev, luarocks
-- and execute $ sudo luarocks install luajwtjitsi 3.0-0
VirtualHost "jigasi.meet.jitsi"
enabled = false -- Jitsi meet components customers remove this line
modules_enabled = {
"ping";
"bosh";
}
authentication = "token"
app_id = "jitsi";
asap_key_server = "https://jaas-public-keys.jitsi.net/jitsi-components/prod-8x8"
asap_accepted_issuers = { "jaas-components" }
asap_accepted_audiences = { "jigasi.jitmeet.example.com" }
--]]
${PROSODY_SECUREDOMAIN_START}
-- Only used on secured domains
VirtualHost "${JITSI_DOMAIN}"
authentication = "internal_plain"
VirtualHost "guest.${JITSI_DOMAIN}"
authentication = "anonymous"
c2s_require_encryption = false
${PROSODY_SECUREDOMAIN_END}
EOFPROSODY
)"

154
type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig
View file

@ -1,154 +0,0 @@
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "jitmeet.example.com";
external_service_secret = "__turnSecret__";
external_services = {
{ type = "stun", host = "jitmeet.example.com", port = 3478 },
{ type = "turn", host = "jitmeet.example.com", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
{ type = "turns", host = "jitmeet.example.com", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};
cross_domain_bosh = false;
consider_bosh_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284
-- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
--http_cors_override = {
-- bosh = {
-- enabled = false;
-- };
-- websocket = {
-- enabled = false;
-- };
--}
-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
protocol = "tlsv1_2+";
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}
unlimited_jids = {
"focusUser@auth.jitmeet.example.com",
"jvb@auth.jitmeet.example.com"
}
VirtualHost "jitmeet.example.com"
-- enabled = false -- Remove this line to enable this host
authentication = "anonymous"
-- Properties below are modified by jitsi-meet-tokens package config
-- and authentication above is switched to "token"
--app_id="example_app_id"
--app_secret="example_app_secret"
-- Assign this host a certificate for TLS, otherwise it would use the one
-- set in the global section (if any).
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
-- use the global one.
ssl = {
key = "/etc/prosody/certs/jitmeet.example.com.key";
certificate = "/etc/prosody/certs/jitmeet.example.com.crt";
}
av_moderation_component = "avmoderation.jitmeet.example.com"
speakerstats_component = "speakerstats.jitmeet.example.com"
conference_duration_component = "conferenceduration.jitmeet.example.com"
-- we need bosh
modules_enabled = {
"bosh";
"pubsub";
"ping"; -- Enable mod_ping
"speakerstats";
"external_services";
"conference_duration";
"muc_lobby_rooms";
"muc_breakout_rooms";
"av_moderation";
}
c2s_require_encryption = false
lobby_muc = "lobby.jitmeet.example.com"
breakout_rooms_muc = "breakout.jitmeet.example.com"
main_muc = "conference.jitmeet.example.com"
-- muc_lobby_whitelist = { "recorder.jitmeet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
Component "conference.jitmeet.example.com" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_meeting_id";
"muc_domain_mapper";
"polls";
--"token_verification";
"muc_rate_limit";
}
admins = { "focusUser@auth.jitmeet.example.com" }
muc_room_locking = false
muc_room_default_public_jids = true
Component "breakout.jitmeet.example.com" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_meeting_id";
"muc_domain_mapper";
--"token_verification";
"muc_rate_limit";
"polls";
}
admins = { "focusUser@auth.jitmeet.example.com" }
muc_room_locking = false
muc_room_default_public_jids = true
-- internal muc component
Component "internal.auth.jitmeet.example.com" "muc"
storage = "memory"
modules_enabled = {
"ping";
}
admins = { "focusUser@auth.jitmeet.example.com", "jvb@auth.jitmeet.example.com" }
muc_room_locking = false
muc_room_default_public_jids = true
VirtualHost "auth.jitmeet.example.com"
modules_enabled = {
"limits_exception";
}
authentication = "internal_hashed"
-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
Component "focus.jitmeet.example.com" "client_proxy"
target_address = "focusUser@auth.jitmeet.example.com"
Component "speakerstats.jitmeet.example.com" "speakerstats_component"
muc_component = "conference.jitmeet.example.com"
Component "conferenceduration.jitmeet.example.com" "conference_duration_component"
muc_component = "conference.jitmeet.example.com"
Component "avmoderation.jitmeet.example.com" "av_moderation_component"
muc_component = "conference.jitmeet.example.com"
Component "lobby.jitmeet.example.com" "muc"
storage = "memory"
restrict_room_creation = true
muc_room_locking = false
muc_room_default_public_jids = true
modules_enabled = {
"muc_rate_limit";
"polls";
}
-- Enables dial-in for Jitsi meet components customers
-- Note: make sure you have the following packages installed: lua-basexx, liblua5.3-dev, libssl-dev, luarocks
-- and execute $ sudo luarocks install luajwtjitsi 3.0-0
VirtualHost "jigasi.meet.jitsi"
enabled = false -- Jitsi meet components customers remove this line
modules_enabled = {
"ping";
"bosh";
}
authentication = "token"
app_id = "jitsi";
asap_key_server = "https://jaas-public-keys.jitsi.net/jitsi-components/prod-8x8"
asap_accepted_issuers = { "jaas-components" }
asap_accepted_audiences = { "jigasi.jitmeet.example.com" }

5
type/__jitsi_meet_domain/gencode-remote
View file

@ -1,5 +0,0 @@
#!/bin/sh -e
if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
echo "service nginx reload"
fi

182
type/__jitsi_meet_domain/man.rst
View file

@ -1,182 +0,0 @@
cdist-type__jitsi_meet_domain(7)
================================
NAME
----
cdist-type__jitsi_meet_domain - Setup a frontend for Jitsi-Meet.
DESCRIPTION
-----------
This type installs and configures the frontend for Jitsi-Meet.
Additionally to regular Jitsi-Meet, users can load `DOMAIN/i/` and
`DOMAIN/i/ROOM` for an interpreter-enabled interface; this is done with a
patched version of Jitsi Simultaneous Interpretation (jsi; see references).
At least a user with `interpreter` in their name must be present.
This type supports "multi-domain" installations.
New in April 2022: rooms are independent for each domain, that is:
https://jitsi1.example.org/room1 and https://jitsi2.example.org/room1 are
different rooms.
Note however, that right now if using secured domains, users are still shared
across any domains hosted in the same instance.
One way to work around that could be to run multiple jicofos, but we do not
want to bloat the servers.
A better way is to patch jicofo, get in touch with the type authors if you want
the gory details.
This assumes `__jitsi_meet` has already been ran on the target host, and,
amongst others, that Jitsi was set up with `__target_host` as the Jitsi domain.
This type will take care of TLS settings, branding and client-side
configuration for Jitsi.
This type only works on De{bi,vu}an systems.
REQUIRED PARAMETERS
-------------------
object id
The domain that will be configured as a Jitsi-Meet instance.
admin-email
Where to send Let's Encrypt emails like "certificate needs renewal".
OPTIONAL PARAMETERS
-------------------
analytics-settings
This goes inside the `analytics` part of `config.js`.
Defaults to: `disabled: true`.
See: https://github.com/jitsi/jitsi-meet/blob/master/config.js
channel-last-n
Default value for the "last N" attribute.
Defaults to 20. Set to -1 for unlimited.
default-language
Default language for the user interface.
Defaults to 'en'.
notice-message
Message to show the users when they join a room.
start-video-muted
Every participant after the Nth will start video muted.
Defaults to 10.
state
Whether the domain is 'present' or 'absent', defaults to 'present'.
turn-server
The TURN server to be used.
Defaults to `__target_host`.
video-constraints
w3c spec-compliant video constraints to use for video capture. Currently
used by browsers that return true from lib-jitsi-meet's
util#browser#usesNewGumFlow. The constraints are independent from
this config's resolution value. Defaults to requesting an ideal
resolution of 720p.
It must not have a trailing comma, see `constraints` in
`__jitsi_meet_domain/files/config.js.sh`.
branding-app-name
This will change `Jitsi Meet` in many places to the brand you desire.
Defaults to `Jitsi Meet`.
branding-extra-body
This must be valid HTML, it will be included server-side and delivered to
clients alongside the default `index.html`.
This is useful if you would rather not replace the whole `index`, but
still want the chance to do some heavier branding / add instructions / etc.
branding-json
Path to a JSON file that will be served as the `dynamicBrandingUrl`.
For information on the format see `dynamicBrandingUrl` in
`__jitsi_meet_domain/files/config.js.sh`.
If not set, no branding will be set up.
branding-index
Path to an HTML file that will be served instead of Jitsi-Meet's default
one.
If not set, the default index file will be used.
If set to `-`, the type's standard input will be used.
branding-watermark
Path to a png file that will be served instead of Jitsi-Meet's default
one.
If not set, the default watermark will be used.
BOOLEAN PARAMETERS
------------------
disable-audio-levels
Disable measuring of audio levels.
This has been reported to improve performance on clients.
enable-third-party-requests
This type disables third-party requests by default, this flag re-enables
them, restoring Jitsi-Meet's defaults.
This affects things like avatars, callstats, ...
secured-domains
Whether or not an authetnicated user will be required to start a meeting.
You will need to create the users with `__jitsi_meet_user(7)`.
EXAMPLES
--------
.. code-block:: sh
# Setup a Jitsi frontend for jitsi.exo.cat
__jitsi_meet_domain "jitsi.exo.cat" \
--admin-email "info@exo.cat" \
--turn-server "turn.exo.cat" \
--notice-message "Hola!" \
--disable-audio-levels \
--turn-secret "WeNeedGoodSecurity" \
--video-constraints "$(cat <<-EOF
constraints: {
video: {
height: {
ideal: 320,
max: 320,
min: 180
}
}
}
EOF
)"
SEE ALSO
--------
- `__jitsi_meet(7)`
- `__jitsi_meet_user(7)`
- Jitsi Meet Simultaneous Interpretation: https://gitlab.com/mfmt/jsi
AUTHORS
-------
Evilham <contact@evilham.com>
COPYING
-------
Copyright \(C) 2021 Evilham.

174
type/__jitsi_meet_domain/manifest
View file

@ -1,174 +0,0 @@
#!/bin/sh -e
os="$(cat "${__global}/explorer/os")"
case "${os}" in
devuan|debian)
;;
*)
echo "Your OS '${os}' is currently not supported." > /dev/stderr
exit 1
;;
esac
DOMAIN="${__object_id}"
ADMIN_EMAIL="$(cat "${__object}/parameter/admin-email")"
CHANNEL_LAST_N="$(cat "${__object}/parameter/channel-last-n")"
DEFAULT_LANGUAGE="$(cat "${__object}/parameter/default-language")"
NOTICE_MESSAGE="$(cat "${__object}/parameter/notice-message")"
START_VIDEO_MUTED="$(cat "${__object}/parameter/start-video-muted")"
TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
VIDEO_CONSTRAINTS="$(cat "${__object}/parameter/video-constraints")"
ANALYTICS_SETTINGS="$(cat "${__object}/parameter/analytics-settings")"
BRANDING_APP_NAME="$(cat "${__object}/parameter/branding-app-name")"
BRANDING_INDEX="$(cat "${__object}/parameter/branding-index")"
BRANDING_JSON="$(cat "${__object}/parameter/branding-json")"
BRANDING_WATERMARK="$(cat "${__object}/parameter/branding-watermark")"
STATE="$(cat "${__object}/parameter/state")"
if [ "${BRANDING_INDEX}" = "-" ]; then
BRANDING_INDEX="${__object}/stdin"
fi
if [ -f "${__object}/parameter/enable-third-party-requests" ]; then
ENABLE_THIRD_PARTY_REQUESTS="YES"
fi
if [ -f "${__object}/parameter/disable-audio-levels" ]; then
DISABLE_AUDIO_LEVELS="YES"
fi
if [ -f "${__object}/parameter/secured-domains" ]; then
SECURED_DOMAINS="YES"
fi
if [ -z "${TURN_SERVER}" ]; then
TURN_SERVER="${__target_host}"
fi
if [ -z "${JITSI_HOST}" ]; then
JITSI_HOST="${__target_host}"
fi
if [ -n "${BRANDING_JSON}" ]; then
DYNAMIC_BRANDING_URL="/branding.json"
fi
case "${STATE}" in
present)
# When adding the domain, Let's Encrypt must come before nginx
le_require=""
nginx_require="__letsencrypt_cert/${DOMAIN}"
;;
absent)
# When removing, nginx must come before Let's Encrypt
le_require="__file/etc/nginx/sites-enabled/${DOMAIN}.conf"
nginx_require=""
;;
*)
cat >> /dev/stderr <<-EOM
Unsupported state '${STATE}', must be 'present' or 'absent'.
EOM
exit 1
;;
esac
#
# Deal with certbot
#
# use object id as domain
require="${le_require}" __letsencrypt_cert "${DOMAIN}" \
--state "${STATE}" \
--admin-email "${ADMIN_EMAIL}" \
--deploy-hook "service nginx reload" \
--webroot /usr/share/jitsi-meet
# Create virtualhost for nginx
# shellcheck source=type/__jitsi_meet_domain/files/nginx.sh
. "${__type}/files/nginx.sh" # This defines JITSI_NGINX_CONFIG
require="${nginx_require}" __file \
"/etc/nginx/sites-enabled/${DOMAIN}.conf" \
--state "${STATE}" \
--mode 0644 --source "-" <<EOF
${JITSI_NGINX_CONFIG}
EOF
# Setup jitsi config
# shellcheck source=type/__jitsi_meet_domain/files/config.js.sh
. "${__type}/files/config.js.sh" # This defines JITSI_CONFIG_JS
__file "/etc/jitsi/meet/${DOMAIN}-config.js" \
--state "${STATE}" \
--mode 0644 --source "-" <<EOF
${JITSI_CONFIG_JS}
EOF
# Setup jitsi interface config
# shellcheck source=type/__jitsi_meet_domain/files/interface_config.js.sh
. "${__type}/files/interface_config.js.sh" # This defines JITSI_CONFIG_JS
__file "/etc/jitsi/meet/${DOMAIN}-interface_config.js" \
--state "${STATE}" \
--mode 0644 --source "-" <<EOF
${JITSI_INTERFACE_CONFIG_JS}
EOF
#
# Deal with branding as requested
#
# Helper function to manage the state of the target branding file
_var_state() {
if [ "${STATE}" = "present" ] && [ -n "${1}" ]; then
echo "present"
else
echo "absent"
fi
}
__file "/usr/share/jitsi-meet/index-${DOMAIN}.html" \
--mode 0644 \
--state "$(_var_state "${BRANDING_INDEX}")" \
--source "${BRANDING_INDEX}"
__file "/etc/jitsi/meet/${DOMAIN}-branding.json" \
--mode 0644 \
--state "$(_var_state "${BRANDING_JSON}")" \
--source "${BRANDING_JSON}"
__file "/usr/share/jitsi-meet/images/watermark-${DOMAIN}.png" \
--mode 0644 \
--state "$(_var_state "${BRANDING_WATERMARK}")" \
--source "${BRANDING_WATERMARK}"
# Simple body customisation
__file "/usr/share/jitsi-meet/body-${DOMAIN}.html" \
--mode 0644 \
--state "$(_var_state "${STATE}")" \
--source "${__object}/parameter/branding-extra-body"
#
# Take care of prosody settings for the domain
#
JITSI_DOMAIN="${DOMAIN}"
# Prosody settings for common components (jvb, focus, ...)
# shellcheck source=type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
. "${__type}/files/prosody.cfg.lua.sh" # This defines PROSODY_CONFIG
__file "/etc/prosody/conf.avail/${DOMAIN}.cfg.lua" \
--group prosody \
--mode 0440 \
--state "${STATE}" \
--source '-' <<EOF
${PROSODY_CONFIG}
EOF
__link "/etc/prosody/conf.d/${DOMAIN}.cfg.lua" \
--source "/etc/prosody/conf.avail/${DOMAIN}.cfg.lua" \
--state "${STATE}" \
--type symbolic
if [ "${STATE}" = "present" ]; then
export require="${require} __file/etc/prosody/conf.avail/${DOMAIN}.cfg.lua __link/etc/prosody/conf.d/${DOMAIN}.cfg.lua"
__check_messages "prosody/${DOMAIN}" \
--pattern '^(__file|__link)/etc/prosody/conf[.](avail|d)/' \
--execute "$(cat <<EOF
if [ ! -f "/var/lib/prosody/${DOMAIN}.crt" ]; then
echo | prosodyctl cert generate '${DOMAIN}';
ln -sf '/var/lib/prosody/${DOMAIN}.key' '/etc/prosody/certs/${DOMAIN}.key'
ln -sf '/var/lib/prosody/${DOMAIN}.crt' '/etc/prosody/certs/${DOMAIN}.crt'
fi
# Surprisingly, a reload is not enough
service prosody restart
EOF
)"
fi

3
type/__jitsi_meet_domain/parameter/boolean
View file

@ -1,3 +0,0 @@
disable-audio-levels
enable-third-party-requests
secured-domains

1
type/__jitsi_meet_domain/parameter/default/analytics-settings
View file

@ -1 +0,0 @@
disabled: true

Some files were not shown because too many files have changed in this diff Show more