sparrowhawk
/
cdist-contrib
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: sparrowhawk:master
Branches Tags
sparrowhawk:master
sparrowhawk:php
sparrowhawk:newtype/dirbackup
sparrowhawk:__matrix_synapse
sparrowhawk:netbox
sparrowhawk:root-mail-dma
..
compare: sparrowhawk:php
Branches Tags
sparrowhawk:master
sparrowhawk:php
sparrowhawk:newtype/dirbackup
sparrowhawk:__matrix_synapse
sparrowhawk:netbox
sparrowhawk:root-mail-dma

1 Commits
master ... php

Author SHA1 Message Date
sparrowhawk 9b6788f29a
__php_fpm{,_pool}: initial implementation. 2022-03-22 16:41:07 +01:00
55 changed files with 564 additions and 1630 deletions
Show Stats Expand all files Collapse all files

15
type/__jitsi_meet/explorer/configured-memory
View File

@ -1,15 +0,0 @@
#!/bin/sh -eu
JICOFO="/usr/share/jicofo/jicofo.sh"
VIDEOBRIDGE="/usr/share/jitsi-videobridge/lib/videobridge.rc"
if [ -f "${JICOFO:?}" ]; then
jicofo_memory="$(grep JICOFO_MAX_MEMORY= "${JICOFO:?}" | cut -d= -f 2 | cut -d ";" -f 1)"
fi
if [ -f "${VIDEOBRIDGE:?}" ]; then
vb_memory="$(grep VIDEOBRIDGE_MAX_MEMORY= "${VIDEOBRIDGE:?}" | cut -d= -f 2)"
fi
cat <<EOF
jicofo ${jicofo_memory:-n/a}
videobridge ${vb_memory:-n/a}
EOF

6
type/__jitsi_meet/explorer/jitsi-status
View File

@ -1,6 +0,0 @@
#!/bin/sh -eu
if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then
# TODO: detect curl / depend on it?
curl -s localhost:9888/metrics
fi

7
type/__jitsi_meet/explorer/prometheus-jitsi-meet-explorer-version Executable file
View File

@ -0,0 +1,7 @@
#!/bin/sh -e
EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version"
if [ -f "${EXPORTER_VERSION_FILE}" ]; then
cat "${EXPORTER_VERSION_FILE}"
fi

34
type/__jitsi_meet/files/jicofo.conf.sh
View File

@ -1,34 +0,0 @@
#!/bin/sh -eu
# Start
cat <<EOF
# Managed remotely, changes will be lost
# Jicofo HOCON configuration. See /usr/share/jicofo/jicofo.jar/reference.conf for
#available options, syntax, and default values.
jicofo {
xmpp: {
client: {
client-proxy: focus.${JITSI_HOST:?}
}
trusted-domains: [ "recorder.${JITSI_HOST:?}" ]
}
bridge: {
brewery-jid: "JvbBrewery@internal.auth.${JITSI_HOST:?}"
}
EOF
# Secured domains if needed
if [ "${SECURED_DOMAINS_STATE:?}" = "present" ]; then
cat <<EOF
authentication: {
enabled: true
type: XMPP
login-url: ${JITSI_HOST:?}
}
EOF
fi
# End
echo '}'

1
type/__jitsi_meet/files/jitsi-version
View File

@ -1 +0,0 @@
../../__jitsi_meet_domain/files/jitsi-version

1
type/__jitsi_meet/files/prosody.cfg.lua.sh
View File

@ -1 +0,0 @@
../../__jitsi_meet_domain/files/prosody.cfg.lua.sh

36
type/__jitsi_meet/gencode-remote
View File

@ -1,43 +1,11 @@
#!/bin/sh -e
memory="$(cat "${__global}/explorer/memory")"
G="000000" # Will totally eff up the zero-count otherwise
# MAX_MEMORY will affect jicofo and videobridge
# As a rule of thumb, the machine's RAM should be more than 2.5 * MAX_MEMORY
if [ "${memory}" -lt "3${G}" ]; then
# If you use this, let us know how it works!
MAX_MEMORY="768m"
elif [ "${memory}" -lt "5${G}" ]; then
MAX_MEMORY="1024m"
elif [ "${memory}" -lt "8${G}" ]; then
MAX_MEMORY="2048m"
else
# Jitsi recommends running on 8G RAM and these are the defaults
MAX_MEMORY="3072m"
fi
if cut -f 2 "${__object}/explorer/configured-memory" | grep -qvE "^${MAX_MEMORY}$"; then
# At least one service has different memory settings
RESTART_SERVICES="YES"
cat <<-EOF
sed -i.tmp -E \
-e 's!^(#[[:space:]]*)?(VIDEOBRIDGE_MAX_MEMORY)=.*\$!\2=${MAX_MEMORY}!' \
/usr/share/jitsi-videobridge/lib/videobridge.rc
sed -i.tmp -E \
-e 's!(JICOFO_MAX_MEMORY)[^";]+;!\1=${MAX_MEMORY};!' \
/usr/share/jicofo/jicofo.sh
EOF
fi
if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
echo "service nginx reload"
fi
if grep -qE "^(__line/jitsi_jicofo_secured_domains|(__file|__link)/etc/prosody/conf.d/|__file/etc/jitsi/(jicofo/jicofo.conf|videobridge/jvb.conf))" "${__messages_in}"; then
RESTART_SERVICES="YES"
fi
if [ -n "${RESTART_SERVICES}" ]; then
JITSI_HOST="${__object_id}"
if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua)" "${__messages_in}"; then
echo "systemctl restart prosody"
echo "systemctl restart jicofo"
echo "systemctl restart jitsi-videobridge2"

38
type/__jitsi_meet/man.rst
View File

@ -21,24 +21,13 @@ You will also need the `__jitsi_meet_domain` type in order to finish setting up
the web frontend (including TLS certificates) and its settings.
You may want to use the `files/ufw` example manifest for a `__ufw`-based
firewall compatible with this type that allows all ports needed by Jitsi-Meet.
Note however that this will not deal with rules for SSH or for TCP port 9888,
which exposes the prometheus exporter if not disabled.
Remember to apply your own rules here, particularly regarding SSH.
firewall compatible with this type.
This file does not include rules for TCP port 9888, which exposes the
prometheus exporter if not disabled.
You should apply your own rules here.
This type only works on De{bi,vu}an systems.
It is very important for this type to stay up to date with the software, as
otherwise new deployments or maintenance of existing instances might be
negatively affected.
If you can, please contribute updates to `__jitsi_meet` and
`__jitsi_meet_domain` promptly and regularly.
Alternatively, you can help finance that work; get in touch with the type
authors for that (see below).
This type takes care of adapting the maximum memory used by jicofo and
videobridge in function of the hosts installed memory.
NOTE: This type currently does not deal with setting up coturn.
For that, you might want to check `__coturn` in
https://code.ungleich.ch/ungleich-public/cdist-contrib
@ -47,14 +36,6 @@ NOTE: This type currently does not deal with setting up coturn.
OPTIONAL PARAMETERS
-------------------
abort-conference-count
Only has an effect if the prometheus exporter is enabled and if it is not
empty (default).
If at least this many conferences are active on the server, the type will
bail out before making any changes.
This is useful if you want to avoid service disruptions due to e.g. an SLA.
turn-secret
The shared secret for the TURN server.
@ -62,6 +43,11 @@ turn-server
The hostname of the TURN server.
This will assume that it is listening with TLS on port 443.
jitsi-version
The jitsi-meet version of the Debian package to be installed.
While this can be specified, only the default value is known to work
properly with this type.
BOOLEAN PARAMETERS
------------------
@ -84,11 +70,9 @@ EXAMPLES
.. code-block:: sh
# Setup the firewall for Jitsi-Meet
# Setup the firewall
. "${__global}/type/__jitsi_meet/files/ufw"
export require="__ufw"
# Setup firewall SSH rules as necessary
__ufw_rule ssh --rule 'allow 22/tcp from 10.0.0.0/24'
# Setup Jitsi on this host
__jitsi_meet \
--turn-server "turn.exo.cat" \
@ -108,4 +92,4 @@ Evilham <contact@evilham.com>
COPYING
-------
Copyright \(C) 2022 Evilham.
Copyright \(C) 2021 Evilham.

246
type/__jitsi_meet/manifest
View File

@ -1,6 +1,7 @@
#!/bin/sh -e
os="$(cat "${__global}/explorer/os")"
init="$(cat "${__global}/explorer/init")"
case "${os}" in
devuan|debian)
;;
@ -10,29 +11,10 @@ case "${os}" in
;;
esac
current_conferences="$(cat "${__object}/explorer/jitsi-status" | grep -E "^jitsi_conferences[[:space:]]" | cut -d ' ' -f 2)"
ABORT_CONFERENCE_COUNT="$(cat "${__object}/parameter/abort-conference-count")"
if [ -n "${current_conferences}" ] && [ -n "${ABORT_CONFERENCE_COUNT}" ] && \
[ "${ABORT_CONFERENCE_COUNT}" -le "${current_conferences}" ]; then
cat <<-EOF
Early bail out was requested when at least ${ABORT_CONFERENCE_COUNT} conferences are taking place.
There are currently ${current_conferences} active conferences.
Try again at a later time or remove or increase --abort-conference-count
EOF
exit 1
fi
JITSI_HOST="${__target_host}"
if [ -f "${__object}/parameter/jitsi-version" ]; then
# This has been deprecated and will be removed 'soon'
JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
else
# Note this won't be a parameter anymore, we won't let users stay behind
JITSI_VERSION="$(cat "${__type}/files/jitsi-version")"
fi
# Currently unused, see below
# JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
TURN_SECRET="$(cat "${__object}/parameter/turn-secret")"
@ -40,6 +22,8 @@ if [ -z "${TURN_SERVER}" ]; then
TURN_SERVER="${JITSI_HOST}"
fi
PROMETHEUS_JITSI_EXPORTER_IS_VERSION="$(cat "${__object}/explorer/prometheus-jitsi-meet-explorer-version")"
# The rest is loosely based on Jitsi's documentation
# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart
@ -71,12 +55,11 @@ __debconf_set_selections jitsi_meet --line "${DEBCONF_SETTINGS}"
export require="${require} __debconf_set_selections/jitsi_meet"
# Install and upgrade packages as needed
# NOTE: we are doing version pinning again, but it breaks sometimes when
# the version is not the latest.
# This happens because dependencies might not be properly resolved.
# To avoid this, this type must be maintained up to date.
# If we don't use this, keeping Jitsi's up to date is very difficult.
__package_apt jitsi-meet --version "${JITSI_VERSION}"
__package_apt jitsi-meet
# We are not doing version pinning anymore because it breaks when
# the version is not the latest.
# This happens because dependencies cannot be properly resolved.
# --version "${JITSI_VERSION}"
# Proceed only after installation/upgrade has finished
export require="__package_apt/jitsi-meet"
@ -166,144 +149,95 @@ server {
}
EOF
# Starting from 2.0.7210, jitsi defines following nginx upstreams
__directory "${NGINX_ETC}/conf.d" --state present
require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/prosody.conf" \
--mode 644 \
--source - << EOF
upstream prosody {
zone upstreams 64K;
server 127.0.0.1:5280;
keepalive 2;
}
EOF
require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/jvb1.conf" \
--mode 644 \
--source - << EOF
upstream jvb1 {
zone upstreams 64K;
server 127.0.0.1:9090;
keepalive 2;
}
EOF
if [ -f "${__object}/parameter/secured-domains" ]; then
SECURED_DOMAINS_STATE='present'
SECURED_DOMAINS_STATE_JICOFO='present'
else
SECURED_DOMAINS_STATE='absent'
SECURED_DOMAINS_STATE_JICOFO='absent'
fi
# This is the main host config
PROSODY_MAIN_CONFIG="YES"
# Prosody settings for common components (jvb, focus, ...)
# shellcheck source=type/__jitsi_meet/files/prosody.cfg.lua.sh
. "${__type}/files/prosody.cfg.lua.sh" # This defines PROSODY_CONFIG
__file "/etc/prosody/conf.d/00_jitsi_base.cfg.lua" \
--group prosody \
--mode 0440 \
--source - <<EOF
${PROSODY_CONFIG}
__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
--owner prosody --group prosody --mode 0440 \
--state ${SECURED_DOMAINS_STATE} \
--source - <<EOF
VirtualHost "${JITSI_HOST}"
authentication = "internal_plain"
VirtualHost "guest.${JITSI_HOST}"
authentication = "anonymous"
c2s_require_encryption = false
EOF
# Clean up zauth.cfg.lua file, which we don't use now
__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
--state absent
export SECURED_DOMAINS_STATE
export JITSI_HOST
"${__type}/files/jicofo.conf.sh" | \
__file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-'
# Enable the private colibri REST API end point for better stats
__file "/etc/jitsi/videobridge/jvb.conf" --mode 0444 --source '-' <<EOFJVB
videobridge {
http-servers {
public {
port = 9090
}
private {
port = 8080
}
}
websockets {
enabled = true
domain = "${JITSI_HOST}:443"
tls = true
}
apis {
rest {
enabled = true
}
}
}
EOFJVB
# Enable simple per-domain body customisation
__file "/usr/share/jitsi-meet/body.html" \
--mode 0644 \
--source '-' <<EOF
<!--#include virtual="body-\${host}.html" -->
__block jitsi_jicofo_secured_domains \
--prefix "// begin cdist: jicofo_secured_domains" \
--suffix "// end cdist: jicofo_secured_domains" \
--file /etc/jitsi/jicofo/jicofo.conf \
--state "${SECURED_DOMAINS_STATE_JICOFO}" \
--text '-' <<EOF
authentication: {
enabled: true
type: XMPP
login-url: ${JITSI_HOST}
}
EOF
# These two should be changed on new release
EXPORTER_VERSION="1.2.0"
EXPORTER_CHECKSUM="sha256:6377ffa7be0c7deb66545616add7245da96f8b7746d6712f41cfa9fe72c935ce"
EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${EXPORTER_VERSION}/prometheus-jitsi-meet-exporter_${EXPORTER_VERSION}_linux_amd64.tar.gz"
if [ -f "${__object}/parameter/disable-prometheus-exporter" ]; then
EXPORTER_STATE="absent"
else
EXPORTER_STATE="present"
fi
__evilham_single_binary_service prometheus-jitsi-meet-exporter \
--state "${EXPORTER_STATE}" \
--do-not-manage-user \
--user "nobody" \
--group "nogroup" \
--version "${EXPORTER_VERSION}" \
--checksum "${EXPORTER_CHECKSUM}" \
--url "${EXPORTER_URL}" \
--unpack \
--service-args "-videobridge-url 'http://localhost:8080/colibri/stats' -web.listen-address ':9888'"
#
# Setup interpreter assets if requested
# See: https://gitlab.com/mfmt/jsi/
#
jsi_updated_on="2022-04-21"
__link "/usr/share/jitsi-meet/interpreters.html" \
--type symbolic \
--source "/opt/jsi/static/index.html.sample"
__directory /opt/jsi --mode 0755
export require="__directory/opt/jsi"
__download /opt/jsi/jsi.tar.gz \
--url 'https://gitlab.com/mfmt/jsi/-/archive/1d2cceaf615ee61c0bba80e5bddc61c5d1018303/jsi-1d2cceaf615ee61c0bba80e5bddc61c5d1018303.tar.gz' \
--sum "sha256:b020141093daa9937507b098f358d0be994834c3e23866a457fc5140415a0c53"
export require="__download/opt/jsi/jsi.tar.gz"
__unpack /opt/jsi/jsi.tar.gz \
--preserve-archive \
--tar-strip 1 \
--destination /opt/jsi/static \
--onchange "$(cat <<EOF
# Patch style.css to be served on /i/
sed -i.tmp -E \
-e 's!url[(]/img/welcome-background.png[)]!url(/i/img/welcome-background.png)!' \
/opt/jsi/static/style.css
# Patch jsi.js to be served on /i/
# and so it always uses the domain it's served from
# and so it uses /i/ROOM for the form
sed -i.tmp -E \
-e 's!substr[(][0-9]+[)]!substr(3)!' \
-e 's!config[.]jitsimeet_url!url.host!' \
-e 's!(window[.]location[.]href)[[:space:]]*=[[:space:]]*"/"!\1 = "/i/"!' \
/opt/jsi/static/jsi.js
# Patch the sample index.html, so it loads external_api.js from same host
# and to easen up on the branding
# and to enable browser cache
sed -i.tmp -E \
-e "s!src=[^>]*(/external_api.js).!src='\1'!" \
-e "s!<h1>[^<]*</h1>!<h1>Jitsi Meetings with interpreter</h1>!" \
-e "s!https://meet.mayfirst.org!/!" \
-e "s!(style.css|jsi.js)([^?])!\1?v=${jsi_updated_on:?}\2!" \
/opt/jsi/static/index.html.sample
PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5"
PROMETHEUS_JITSI_EXPORTER_CHECKSUM="sha256:3ddf43a48d9a2f62be1bc6db9e7ba75d61994f9423e5c5b28be019f41f06f745"
PROMETHEUS_JITSI_EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}/prometheus-jitsi-meet-exporter-linux-amd64"
PROMETHEUS_JITSI_EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version"
if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then
case "${init}" in
init|sysvinit)
__runit
require="__runit" __runit_service \
prometheus-jitsi-meet-exporter --log --source - <<EOF
#!/bin/sh -e
cd /tmp
exec chpst -u "nobody:nogroup" env HOME="/tmp" \\
prometheus-jitsi-meet-exporter \\
-videobridge-url 'http://localhost:8888/stats' \\
-web.listen-address ':9888' 2>&1
EOF
)"
export require="__runit_service/prometheus-jitsi-meet-exporter"
JITSI_MEET_EXPORTER_SERVICE="sv %s prometheus-jitsi-meet-exporter"
;;
systemd)
__systemd_unit prometheus-jitsi-meet-exporter.service \
--source "-" \
--enablement-state "enabled" <<EOF
[Unit]
Description=Metrics Exporter for Jitsi Meet
After=network.target
[Service]
Type=simple
DynamicUser=yes
ExecStart=/usr/local/bin/prometheus-jitsi-meet-exporter -videobridge-url 'http://localhost:8888/stats' -web.listen-address ':9888'
Restart=always
[Install]
WantedBy=multi-user.target
EOF
export require="__systemd_unit/prometheus-jitsi-meet-exporter.service"
JITSI_MEET_EXPORTER_SERVICE="service prometheus-jitsi-meet-exporter %s"
;;
esac
if [ "${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}" != \
"${PROMETHEUS_JITSI_EXPORTER_IS_VERSION}" ]; then
# shellcheck disable=SC2059
__download \
/tmp/prometheus-jitsi-meet-exporter \
--url "${PROMETHEUS_JITSI_EXPORTER_URL}" \
--download remote \
--sum "${PROMETHEUS_JITSI_EXPORTER_CHECKSUM}" \
--onchange "$(printf "${JITSI_MEET_EXPORTER_SERVICE}" "stop") || true; chmod 555 /tmp/prometheus-jitsi-meet-exporter && mv /tmp/prometheus-jitsi-meet-exporter /usr/local/bin/prometheus-jitsi-meet-exporter && $(printf "${JITSI_MEET_EXPORTER_SERVICE}" "restart")"
printf "%s" "${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}" | \
require="${require} __download/tmp/prometheus-jitsi-meet-exporter" __file \
"${PROMETHEUS_JITSI_EXPORTER_VERSION_FILE}" \
--source "-"
fi
fi
# TODO: disable the exporter if it is deployed and then admin changes their mind

1
type/__jitsi_meet/parameter/default/jitsi-version Normal file
View File

@ -0,0 +1 @@
2.0.7001-1

4
type/__jitsi_meet/parameter/deprecated/jitsi-version
View File

@ -1,4 +0,0 @@
Supporting different versions lead to strange issues in the life-time of a
Jitsi instance. Chiefly: difficulties upgrading.
If you are specifying this for a valid reason, please get in touch.

1
type/__jitsi_meet/parameter/optional
View File

@ -1,4 +1,3 @@
abort-conference-count
jitsi-version
turn-secret
turn-server

7
type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
View File

@ -7,7 +7,7 @@
# We could automate this, but are using it as an indicator for the
# latest branch with which we conciliated changes.
BRANCH="jitsi-meet_7439"
BRANCH="jitsi-meet_7001"
REPO="https://github.com/jitsi/jitsi-meet"
get_url() {
@ -28,8 +28,3 @@ download_file() {
download_file config.js
download_file interface_config.js
download_file doc/debian/jitsi-meet/jitsi-meet.example nginx.sh.orig
download_file doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example prosody.cfg.lua.sh.orig
# Change the version file, maintainers should check that it matches
# the deb version
printf "2.0.%s-1" "${BRANCH#*_}" > jitsi-version

222
type/__jitsi_meet_domain/files/config.js.sh
View File

@ -4,32 +4,32 @@
JITSI_CONFIG_JS="$(cat <<EOF
/* eslint-disable no-unused-vars, no-var */
/*
* NOTE: If you add a new option please remember to document it here:
* https://jitsi.github.io/handbook/docs/dev-guide/dev-guide-configuration
*/
var config = {
// Connection
//
hosts: {
// XMPP domain.
domain: '${DOMAIN}',
domain: '${JITSI_HOST}',
// When using authentication, domain for guest users.
$( if [ -z "${SECURED_DOMAINS}" ]; then printf "// "
fi)anonymousdomain: 'guest.${DOMAIN}',
$( if [ -n "${SECURED_DOMAINS}" ]; then cat<<EOF2
anonymousdomain: 'guest.${JITSI_HOST}',
EOF2
else cat <<EOF2
// anonymousdomain: 'guest.example.com',
EOF2
fi
)
// Domain for authenticated users. Defaults to <domain>.
// NOTE [cdist]: if we use '${DOMAIN}', jicofo won't start the meeting
authdomain: '${JITSI_HOST}',
// authdomain: '${JITSI_HOST}',
// Focus component domain. Defaults to focus.<domain>.
focus: 'focus.${JITSI_HOST}',
// focus: 'focus.${JITSI_HOST}',
// XMPP MUC domain. FIXME: use XEP-0030 to discover it.
muc: 'conference.${DOMAIN}'
muc: 'conference.${JITSI_HOST}'
},
// BOSH URL. FIXME: use XEP-0156 to discover it.
@ -37,12 +37,12 @@ var config = {
bosh: '//<!--# echo var="http_host" -->/<!--# echo var="subdir" default="" -->http-bind',
// Websocket URL
// websocket: 'wss://${DOMAIN}/xmpp-websocket',
// websocket: 'wss://${JITSI_HOST}/xmpp-websocket',
// The real JID of focus participant - can be overridden here
// Do not change username - FIXME: Make focus username configurable
// https://github.com/jitsi/jitsi-meet/issues/7376
focusUserJid: 'focus@auth.${JITSI_HOST}',
// focusUserJid: 'focus@auth.${JITSI_HOST}',
// Testing / experimental features.
@ -80,11 +80,6 @@ var config = {
// or disabled for the screenshare.
// capScreenshareBitrate: 1 // 0 to disable - deprecated.
// Whether to use fake constraints (height: 99999, width: 99999) when calling getDisplayMedia on
// Chromium based browsers. This is intended as a workaround for
// https://bugs.chromium.org/p/chromium/issues/detail?id=1056311
// setScreenSharingResolutionConstraints: true
// Enable callstats only for a percentage of users.
// This takes a value between 0 and 100 which determines the probability for
// the callstats to be enabled.
@ -95,10 +90,6 @@ var config = {
flags: {
// Enables source names in the signaling.
// sourceNameSignaling: false,
// Enables sending multiple video streams, i.e., camera and desktop tracks can be shared in the conference
// separately as two different streams instead of one composite stream.
// sendMultipleVideoStreams: false
},
// Disables moderator indicators.
@ -285,9 +276,9 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// appKey: '<APP_KEY>' // Specify your app key here.
// // A URL to redirect the user to, after authenticating
// // by default uses:
// // 'https://${DOMAIN}/static/oauth.html'
// // 'https://${JITSI_HOST}/static/oauth.html'
// redirectURI:
// 'https://${DOMAIN}/subfolder/static/oauth.html'
// 'https://${JITSI_HOST}/subfolder/static/oauth.html'
// },
// When integrations like dropbox are enabled only that will be shown,
// by enabling fileRecordingsServiceEnabled, we show both the integrations
@ -302,9 +293,6 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// Whether to enable live streaming or not.
// liveStreamingEnabled: false,
// Whether to enable local recording or not.
// enableLocalRecording: false,
// Transcription (in interface_config,
// subtitles and buttons can be configured)
// transcribingEnabled: false,
@ -498,9 +486,6 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// If Lobby is enabled starts knocking automatically.
// autoKnockLobby: false,
// Enable lobby chat.
// enableLobbyChat: true,
// DEPRECATED! Use \`breakoutRooms.hideAddRoomButton\` instead.
// Hides add breakout room button
// hideAddRoomButton: false,
@ -540,7 +525,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// Hides the dominant speaker name badge that hovers above the toolbox
// hideDominantSpeakerBadge: false,
// Default language for the user interface. Cannot be overwritten.
// Default language for the user interface.
defaultLanguage: '${DEFAULT_LANGUAGE}',
// Disables profile and the edit of all fields from the profile settings (display name and email)
@ -569,10 +554,6 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// // When 'true', it shows an intermediate page before joining, where the user can configure their devices.
// // This replaces \`prejoinPageEnabled\`.
// enabled: true,
// // Hides the participant name editing field in the prejoin screen.
// // If requireDisplayName is also set as true, a name should still be provided through
// // either the jwt or the userInfo from the iframe api init object in order for this to have an effect.
// hideDisplayName: false,
// // List of buttons to hide from the extra join options dropdown.
// hideExtraJoinButtons: ['no-audio', 'by-phone']
// },
@ -600,17 +581,8 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// Array with avatar URL prefixes that need to use CORS.
// corsAvatarURLs: [ 'https://www.gravatar.com/avatar/' ],
// Base URL for a Gravatar-compatible service. Defaults to Gravatar.
// DEPRECATED! Use \`gravatar.baseUrl\` instead.
// gravatarBaseURL: 'https://www.gravatar.com/avatar/',
// Setup for Gravatar-compatible services.
// gravatar: {
// // Defaults to Gravatar.
// baseUrl: 'https://www.gravatar.com/avatar/',
// // True if Gravatar should be disabled.
// disabled: false
// },
// Base URL for a Gravatar-compatible service. Defaults to libravatar.
// gravatarBaseURL: 'https://seccdn.libravatar.org/avatar/',
// App name to be displayed in the invitation email subject, as an alternative to
// interfaceConfig.APP_NAME.
@ -632,7 +604,6 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// 'chat',
// 'closedcaptions',
// 'desktop',
// 'dock-iframe'
// 'download',
// 'embedmeeting',
// 'etherpad',
@ -641,11 +612,11 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// 'fullscreen',
// 'hangup',
// 'help',
// 'highlight',
// 'invite',
// 'linktosalesforce',
// 'livestreaming',
// 'microphone',
// 'mute-everyone',
// 'mute-video-everyone',
// 'participants-pane',
// 'profile',
// 'raisehand',
@ -659,7 +630,6 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// 'stats',
// 'tileview',
// 'toggle-camera',
// 'undock-iframe',
// 'videoquality',
// '__end'
// ],
@ -674,9 +644,7 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// timeout: 4000,
// // Moved from interfaceConfig.TOOLBAR_ALWAYS_VISIBLE
// // Whether toolbar should be always visible or should hide after x miliseconds.
// alwaysVisible: false,
// // Indicates whether the toolbar should still autohide when chat is open
// autoHideWhileChatIsOpen: false
// alwaysVisible: false
// },
// Toolbar buttons which have their click/tap event exposed through the API on
@ -785,25 +753,11 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
// Enables sending participants' emails (if available) to callstats and other analytics
// enableEmailInStats: false,
// faceLandmarks: {
// // Enables sharing your face coordinates. Used for centering faces within a video.
// enableFaceCentering: false,
// Enables detecting faces of participants and get their expression and send it to other participants
// enableFacialRecognition: true,
// // Enables detecting face expressions and sharing data with other participants
// enableFaceExpressionsDetection: false,
// // Enables displaying face expressions in speaker stats
// enableDisplayFaceExpressions: false,
// // Enable rtc stats for face landmarks
// enableRTCStats: false,
// // Minimum required face movement percentage threshold for sending new face centering coordinates data.
// faceCenteringThreshold: 10,
// // Milliseconds for processing a new image capture in order to detect face coordinates if they exist.
// captureInterval: 1000
// },
// Enables displaying facial expressions in speaker stats
// enableDisplayFacialExpressions: true,
// Controls the percentage of automatic feedback shown to participants when callstats is enabled.
// The default value is 100%. If set to 0, no automatic feedback will be requested
@ -869,7 +823,6 @@ $(if [ -n "${VIDEO_CONSTRAINTS}" ]; then echo "${VIDEO_CONSTRAINTS},"; fi)
},
analytics: {
${ANALYTICS_SETTINGS}
// True if the analytics should be disabled
// disabled: false,
@ -957,22 +910,33 @@ ${ANALYTICS_SETTINGS}
// chromeExtensionBanner: {
// // The chrome extension to be installed address
// url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb',
// edgeUrl: 'https://microsoftedge.microsoft.com/addons/detail/jitsi-meetings/eeecajlpbgjppibfledfihobcabccihn',
// // Extensions info which allows checking if they are installed or not
// chromeExtensionsInfo: [
// {
// id: 'kglhbbefdnlheedjiejgomgmfplipfeb',
// path: 'jitsi-logo-48x48.png'
// },
// // Edge extension info
// {
// id: 'eeecajlpbgjppibfledfihobcabccihn',
// path: 'jitsi-logo-48x48.png'
// }
// ]
// },
// Local Recording
//
// localRecording: {
// Enables local recording.
// Additionally, 'localrecording' (all lowercase) needs to be added to
// the \`toolbarButtons\`-array for the Local Recording button to show up
// on the toolbar.
//
// enabled: true,
//
// The recording format, can be one of 'ogg', 'flac' or 'wav'.
// format: 'flac'
//
// },
// e2ee: {
// labels,
// externallyManagedKey: false
@ -980,18 +944,14 @@ ${ANALYTICS_SETTINGS}
// Options related to end-to-end (participant to participant) ping.
// e2eping: {
// // Whether ene-to-end pings should be enabled.
// enabled: false,
// // The interval in milliseconds at which pings will be sent.
// // Defaults to 10000, set to <= 0 to disable.
// pingInterval: 10000,
//
// // The number of responses to wait for.
// numRequests: 5,
//
// // The max conference size in which e2e pings will be sent.
// maxConferenceSize: 200,
//
// // The maximum number of e2e ping messages per second for the whole conference to aim for.
// // This is used to contol the pacing of messages in order to reduce the load on the backend.
// maxMessagesPerSecond: 250
// // The interval in milliseconds at which analytics events
// // with the measured RTT will be sent. Defaults to 60000, set
// // to <= 0 to disable.
// analyticsInterval: 60000,
// },
// If set, will attempt to use the provided video input device label when
@ -1018,8 +978,7 @@ ${ANALYTICS_SETTINGS}
// Disables all invite functions from the app (share, invite, dial out...etc)
// disableInviteFunctions: true,
// Disables storing the room name to the recents list. When in an iframe this is ignored and
// the room is never stored in the recents list.
// Disables storing the room name to the recents list
// doNotStoreRoom: true,
// Deployment specific URLs.
@ -1034,25 +993,12 @@ ${ANALYTICS_SETTINGS}
// Options related to the remote participant menu.
// remoteVideoMenu: {
// // Whether the remote video context menu to be rendered or not.
// disabled: true,
// // If set to true the 'Kick out' button will be disabled.
// disableKick: true,
// // If set to true the 'Grant moderator' button will be disabled.
// disableGrantModerator: true,
// // If set to true the 'Send private message' button will be disabled.
// disablePrivateChat: true
// disableGrantModerator: true
// },
// Endpoint that enables support for salesforce integration with in-meeting resource linking
// This is required for:
// listing the most recent records - salesforceUrl/records/recents
// searching records - salesforceUrl/records?text=\${text}
// retrieving record details - salesforceUrl/records/\${id}?type=\${type}
// and linking the meeting - salesforceUrl/sessions/\${sessionId}/records/\${id}
//
// salesforceUrl: 'https://api.example.com/',
// If set to true all muting operations of remote participants will be disabled.
// disableRemoteMute: true,
@ -1116,22 +1062,10 @@ ${ANALYTICS_SETTINGS}
*/
dynamicBrandingUrl: "${DYNAMIC_BRANDING_URL}",
// Options related to the participants pane.
// participantsPane: {
// // Hides the moderator settings tab.
// hideModeratorSettingsTab: false,
// // Hides the more actions button.
// hideMoreActionsButton: false,
// // Hides the mute all button.
// hideMuteAllButton: false
// },
// Options related to the breakout rooms feature.
// breakoutRooms: {
// // Hides the add breakout room button. This replaces \`hideAddRoomButton\`.
// hideAddRoomButton: false,
// // Hides the auto assign participants button.
// hideAutoAssignButton: false,
// // Hides the join breakout room button.
// hideJoinRoomButton: false
// },
@ -1162,7 +1096,7 @@ ${ANALYTICS_SETTINGS}
// If a label's id is not in any of the 2 arrays, it will not be visible at all on the header.
// conferenceInfo: {
// // those labels will not be hidden in tandem with the toolbox.
// alwaysVisible: ['recording', 'raised-hands-count'],
// alwaysVisible: ['recording', 'local-recording', 'raised-hands-count'],
// // those labels will be auto-hidden in tandem with the toolbox buttons.
// autoHide: [
// 'subject',
@ -1171,8 +1105,7 @@ ${ANALYTICS_SETTINGS}
// 'e2ee',
// 'transcribing',
// 'video-quality',
// 'insecure-room',
// 'highlight-moment'
// 'insecure-room'
// ]
// },
@ -1206,24 +1139,14 @@ ${ANALYTICS_SETTINGS}
// will open an etherpad document.
// etherpad_base: 'https://your-etherpad-installati.on/p/',
// To enable information about dial-in access to meetings you need to provide
// dialInNumbersUrl and dialInConfCodeUrl.
// dialInNumbersUrl returns a json array of numbers that can be used for dial-in.
// {"countryCode":"US","tollFree":false,"formattedNumber":"+1 123-456-7890"}
// dialInConfCodeUrl is the conference mapper converting a meeting id to a PIN used for dial-in
// or the other way around (more info in resources/cloud-api.swagger)
//
// For JaaS customers the default values are:
// dialInNumbersUrl: 'https://conference-mapper.jitsi.net/v1/access/dids',
// dialInConfCodeUrl: 'https://conference-mapper.jitsi.net/v1/access',
//
// List of undocumented settings used in jitsi-meet
/**
_immediateReloadThreshold
debug
debugAudioLevels
deploymentInfo
dialInConfCodeUrl
dialInNumbersUrl
dialOutAuthUrl
dialOutCodesUrl
disableRemoteControl
@ -1308,6 +1231,7 @@ ${ANALYTICS_SETTINGS}
// 'liveStreaming.unavailableTitle', // shown when livestreaming service is not reachable
// 'lobby.joinRejectedMessage', // shown when while in a lobby, user's request to join is rejected
// 'lobby.notificationTitle', // shown when lobby is toggled and when join requests are allowed / denied
// 'localRecording.localRecording', // shown when a local recording is started
// 'notify.chatMessages', // shown when receiving chat messages while the chat window is closed
// 'notify.disconnected', // shown when a participant has left
// 'notify.connectedOneMember', // show when a participant joined
@ -1321,7 +1245,6 @@ ${ANALYTICS_SETTINGS}
// 'notify.invitedThreePlusMembers', // shown when 3+ participants have been invited
// 'notify.invitedTwoMembers', // shown when 2 participants have been invited
// 'notify.kickParticipant', // shown when a participant is kicked
// 'notify.linkToSalesforce', // shown when joining a meeting with salesforce integration
// 'notify.moderationStartedTitle', // shown when AV moderation is activated
// 'notify.moderationStoppedTitle', // shown when AV moderation is deactivated
// 'notify.moderationInEffectTitle', // shown when user attempts to unmute audio during AV moderation
@ -1337,7 +1260,6 @@ ${ANALYTICS_SETTINGS}
// 'notify.raisedHand', // shown when a partcipant used raise hand,
// 'notify.startSilentTitle', // shown when user joined with no audio
// 'notify.unmute', // shown to moderator when user raises hand during AV moderation
// 'notify.hostAskedUnmute', // shown to participant when host asks them to unmute
// 'prejoin.errorDialOut',
// 'prejoin.errorDialOutDisconnected',
// 'prejoin.errorDialOutFailed',
@ -1353,9 +1275,6 @@ ${ANALYTICS_SETTINGS}
// 'transcribing.failedToStart' // shown when transcribing fails to start
// ],
// List of notifications to be disabled. Works in tandem with the above setting.
// disabledNotifications: [],
// Prevent the filmstrip from autohiding when screen width is under a certain threshold
// disableFilmstripAutohiding: false,
@ -1363,37 +1282,12 @@ ${ANALYTICS_SETTINGS}
// // Disables user resizable filmstrip. Also, allows configuration of the filmstrip
// // (width, tiles aspect ratios) through the interfaceConfig options.
// disableResizable: false,
// }
// // Disables the stage filmstrip
// // (displaying multiple participants on stage besides the vertical filmstrip)
// disableStageFilmstrip: false
// },
// Tile view related config options.
// tileView: {
// // The optimal number of tiles that are going to be shown in tile view. Depending on the screen size it may
// // not be possible to show the exact number of participants specified here.
// numberOfVisibleTiles: 25
// },
// Specifies whether the chat emoticons are disabled or not
// disableChatSmileys: false,
// Settings for the GIPHY integration.
// giphy: {
// // Whether the feature is enabled or not.
// enabled: false,
// // SDK API Key from Giphy.
// sdkKey: '',
// // Display mode can be one of:
// // - tile: show the GIF on the tile of the participant that sent it.
// // - chat: show the GIF as a message in chat
// // - all: all of the above. This is the default option
// displayMode: 'all',
// // How long the GIF should be displayed on the tile (in miliseconds).
// tileTime: 5000
// },
// Allow all above example options to include a trailing comma and
// prevent fear when commenting out the last value.
makeJsonParserHappy: 'even if last key had a trailing comma'

195
type/__jitsi_meet_domain/files/config.js.sh.orig
View File

@ -1,11 +1,5 @@
/* eslint-disable no-unused-vars, no-var */
/*
* NOTE: If you add a new option please remember to document it here:
* https://jitsi.github.io/handbook/docs/dev-guide/dev-guide-configuration
*/
var config = {
// Connection
//
@ -74,11 +68,6 @@ var config = {
// or disabled for the screenshare.
// capScreenshareBitrate: 1 // 0 to disable - deprecated.
// Whether to use fake constraints (height: 99999, width: 99999) when calling getDisplayMedia on
// Chromium based browsers. This is intended as a workaround for
// https://bugs.chromium.org/p/chromium/issues/detail?id=1056311
// setScreenSharingResolutionConstraints: true
// Enable callstats only for a percentage of users.
// This takes a value between 0 and 100 which determines the probability for
// the callstats to be enabled.
@ -89,10 +78,6 @@ var config = {
flags: {
// Enables source names in the signaling.
// sourceNameSignaling: false,
// Enables sending multiple video streams, i.e., camera and desktop tracks can be shared in the conference
// separately as two different streams instead of one composite stream.
// sendMultipleVideoStreams: false
},
// Disables moderator indicators.
@ -295,9 +280,6 @@ var config = {
// Whether to enable live streaming or not.
// liveStreamingEnabled: false,
// Whether to enable local recording or not.
// enableLocalRecording: false,
// Transcription (in interface_config,
// subtitles and buttons can be configured)
// transcribingEnabled: false,
@ -491,9 +473,6 @@ var config = {
// If Lobby is enabled starts knocking automatically.
// autoKnockLobby: false,
// Enable lobby chat.
// enableLobbyChat: true,
// DEPRECATED! Use `breakoutRooms.hideAddRoomButton` instead.
// Hides add breakout room button
// hideAddRoomButton: false,
@ -533,7 +512,7 @@ var config = {
// Hides the dominant speaker name badge that hovers above the toolbox
// hideDominantSpeakerBadge: false,
// Default language for the user interface. Cannot be overwritten.
// Default language for the user interface.
// defaultLanguage: 'en',
// Disables profile and the edit of all fields from the profile settings (display name and email)
@ -562,10 +541,6 @@ var config = {
// // When 'true', it shows an intermediate page before joining, where the user can configure their devices.
// // This replaces `prejoinPageEnabled`.
// enabled: true,
// // Hides the participant name editing field in the prejoin screen.
// // If requireDisplayName is also set as true, a name should still be provided through
// // either the jwt or the userInfo from the iframe api init object in order for this to have an effect.
// hideDisplayName: false,
// // List of buttons to hide from the extra join options dropdown.
// hideExtraJoinButtons: ['no-audio', 'by-phone']
// },
@ -593,17 +568,8 @@ var config = {
// Array with avatar URL prefixes that need to use CORS.
// corsAvatarURLs: [ 'https://www.gravatar.com/avatar/' ],
// Base URL for a Gravatar-compatible service. Defaults to Gravatar.
// DEPRECATED! Use `gravatar.baseUrl` instead.
// gravatarBaseURL: 'https://www.gravatar.com/avatar/',
// Setup for Gravatar-compatible services.
// gravatar: {
// // Defaults to Gravatar.
// baseUrl: 'https://www.gravatar.com/avatar/',
// // True if Gravatar should be disabled.
// disabled: false
// },
// Base URL for a Gravatar-compatible service. Defaults to libravatar.
// gravatarBaseURL: 'https://seccdn.libravatar.org/avatar/',
// App name to be displayed in the invitation email subject, as an alternative to
// interfaceConfig.APP_NAME.
@ -625,7 +591,6 @@ var config = {
// 'chat',
// 'closedcaptions',
// 'desktop',
// 'dock-iframe'
// 'download',
// 'embedmeeting',
// 'etherpad',
@ -634,11 +599,11 @@ var config = {
// 'fullscreen',
// 'hangup',
// 'help',
// 'highlight',
// 'invite',
// 'linktosalesforce',
// 'livestreaming',
// 'microphone',
// 'mute-everyone',
// 'mute-video-everyone',
// 'participants-pane',
// 'profile',
// 'raisehand',
@ -652,7 +617,6 @@ var config = {
// 'stats',
// 'tileview',
// 'toggle-camera',
// 'undock-iframe',
// 'videoquality',
// '__end'
// ],
@ -667,9 +631,7 @@ var config = {
// timeout: 4000,
// // Moved from interfaceConfig.TOOLBAR_ALWAYS_VISIBLE
// // Whether toolbar should be always visible or should hide after x miliseconds.
// alwaysVisible: false,
// // Indicates whether the toolbar should still autohide when chat is open
// autoHideWhileChatIsOpen: false
// alwaysVisible: false
// },
// Toolbar buttons which have their click/tap event exposed through the API on
@ -778,25 +740,11 @@ var config = {
// Enables sending participants' emails (if available) to callstats and other analytics
// enableEmailInStats: false,
// faceLandmarks: {
// // Enables sharing your face coordinates. Used for centering faces within a video.
// enableFaceCentering: false,
// Enables detecting faces of participants and get their expression and send it to other participants
// enableFacialRecognition: true,
// // Enables detecting face expressions and sharing data with other participants
// enableFaceExpressionsDetection: false,
// // Enables displaying face expressions in speaker stats
// enableDisplayFaceExpressions: false,
// // Enable rtc stats for face landmarks
// enableRTCStats: false,
// // Minimum required face movement percentage threshold for sending new face centering coordinates data.
// faceCenteringThreshold: 10,
// // Milliseconds for processing a new image capture in order to detect face coordinates if they exist.
// captureInterval: 1000
// },
// Enables displaying facial expressions in speaker stats
// enableDisplayFacialExpressions: true,
// Controls the percentage of automatic feedback shown to participants when callstats is enabled.
// The default value is 100%. If set to 0, no automatic feedback will be requested
@ -949,22 +897,33 @@ var config = {
// chromeExtensionBanner: {
// // The chrome extension to be installed address
// url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb',
// edgeUrl: 'https://microsoftedge.microsoft.com/addons/detail/jitsi-meetings/eeecajlpbgjppibfledfihobcabccihn',
// // Extensions info which allows checking if they are installed or not
// chromeExtensionsInfo: [
// {
// id: 'kglhbbefdnlheedjiejgomgmfplipfeb',
// path: 'jitsi-logo-48x48.png'
// },
// // Edge extension info
// {
// id: 'eeecajlpbgjppibfledfihobcabccihn',
// path: 'jitsi-logo-48x48.png'
// }
// ]
// },
// Local Recording
//
// localRecording: {
// Enables local recording.
// Additionally, 'localrecording' (all lowercase) needs to be added to
// the `toolbarButtons`-array for the Local Recording button to show up
// on the toolbar.
//
// enabled: true,
//
// The recording format, can be one of 'ogg', 'flac' or 'wav'.
// format: 'flac'
//
// },
// e2ee: {
// labels,
// externallyManagedKey: false
@ -972,18 +931,14 @@ var config = {
// Options related to end-to-end (participant to participant) ping.
// e2eping: {
// // Whether ene-to-end pings should be enabled.
// enabled: false,
// // The interval in milliseconds at which pings will be sent.
// // Defaults to 10000, set to <= 0 to disable.
// pingInterval: 10000,
//
// // The number of responses to wait for.
// numRequests: 5,
//
// // The max conference size in which e2e pings will be sent.
// maxConferenceSize: 200,
//
// // The maximum number of e2e ping messages per second for the whole conference to aim for.
// // This is used to contol the pacing of messages in order to reduce the load on the backend.
// maxMessagesPerSecond: 250
// // The interval in milliseconds at which analytics events
// // with the measured RTT will be sent. Defaults to 60000, set
// // to <= 0 to disable.
// analyticsInterval: 60000,
// },
// If set, will attempt to use the provided video input device label when
@ -1010,8 +965,7 @@ var config = {
// Disables all invite functions from the app (share, invite, dial out...etc)
// disableInviteFunctions: true,
// Disables storing the room name to the recents list. When in an iframe this is ignored and
// the room is never stored in the recents list.
// Disables storing the room name to the recents list
// doNotStoreRoom: true,
// Deployment specific URLs.
@ -1026,25 +980,12 @@ var config = {
// Options related to the remote participant menu.
// remoteVideoMenu: {
// // Whether the remote video context menu to be rendered or not.
// disabled: true,
// // If set to true the 'Kick out' button will be disabled.
// disableKick: true,
// // If set to true the 'Grant moderator' button will be disabled.
// disableGrantModerator: true,
// // If set to true the 'Send private message' button will be disabled.
// disablePrivateChat: true
// disableGrantModerator: true
// },
// Endpoint that enables support for salesforce integration with in-meeting resource linking
// This is required for:
// listing the most recent records - salesforceUrl/records/recents
// searching records - salesforceUrl/records?text=${text}
// retrieving record details - salesforceUrl/records/${id}?type=${type}
// and linking the meeting - salesforceUrl/sessions/${sessionId}/records/${id}
//
// salesforceUrl: 'https://api.example.com/',
// If set to true all muting operations of remote participants will be disabled.
// disableRemoteMute: true,
@ -1108,22 +1049,10 @@ var config = {
*/
// dynamicBrandingUrl: '',
// Options related to the participants pane.
// participantsPane: {
// // Hides the moderator settings tab.
// hideModeratorSettingsTab: false,
// // Hides the more actions button.
// hideMoreActionsButton: false,
// // Hides the mute all button.
// hideMuteAllButton: false
// },
// Options related to the breakout rooms feature.
// breakoutRooms: {
// // Hides the add breakout room button. This replaces `hideAddRoomButton`.
// hideAddRoomButton: false,
// // Hides the auto assign participants button.
// hideAutoAssignButton: false,
// // Hides the join breakout room button.
// hideJoinRoomButton: false
// },
@ -1154,7 +1083,7 @@ var config = {
// If a label's id is not in any of the 2 arrays, it will not be visible at all on the header.
// conferenceInfo: {
// // those labels will not be hidden in tandem with the toolbox.
// alwaysVisible: ['recording', 'raised-hands-count'],
// alwaysVisible: ['recording', 'local-recording', 'raised-hands-count'],
// // those labels will be auto-hidden in tandem with the toolbox buttons.
// autoHide: [
// 'subject',
@ -1163,8 +1092,7 @@ var config = {
// 'e2ee',
// 'transcribing',
// 'video-quality',
// 'insecure-room',
// 'highlight-moment'
// 'insecure-room'
// ]
// },
@ -1198,24 +1126,14 @@ var config = {
// will open an etherpad document.
// etherpad_base: 'https://your-etherpad-installati.on/p/',
// To enable information about dial-in access to meetings you need to provide
// dialInNumbersUrl and dialInConfCodeUrl.
// dialInNumbersUrl returns a json array of numbers that can be used for dial-in.
// {"countryCode":"US","tollFree":false,"formattedNumber":"+1 123-456-7890"}
// dialInConfCodeUrl is the conference mapper converting a meeting id to a PIN used for dial-in
// or the other way around (more info in resources/cloud-api.swagger)
//
// For JaaS customers the default values are:
// dialInNumbersUrl: 'https://conference-mapper.jitsi.net/v1/access/dids',
// dialInConfCodeUrl: 'https://conference-mapper.jitsi.net/v1/access',
//
// List of undocumented settings used in jitsi-meet
/**
_immediateReloadThreshold
debug
debugAudioLevels
deploymentInfo
dialInConfCodeUrl
dialInNumbersUrl
dialOutAuthUrl
dialOutCodesUrl
disableRemoteControl
@ -1300,6 +1218,7 @@ var config = {
// 'liveStreaming.unavailableTitle', // shown when livestreaming service is not reachable
// 'lobby.joinRejectedMessage', // shown when while in a lobby, user's request to join is rejected
// 'lobby.notificationTitle', // shown when lobby is toggled and when join requests are allowed / denied
// 'localRecording.localRecording', // shown when a local recording is started
// 'notify.chatMessages', // shown when receiving chat messages while the chat window is closed
// 'notify.disconnected', // shown when a participant has left
// 'notify.connectedOneMember', // show when a participant joined
@ -1313,7 +1232,6 @@ var config = {
// 'notify.invitedThreePlusMembers', // shown when 3+ participants have been invited
// 'notify.invitedTwoMembers', // shown when 2 participants have been invited
// 'notify.kickParticipant', // shown when a participant is kicked
// 'notify.linkToSalesforce', // shown when joining a meeting with salesforce integration
// 'notify.moderationStartedTitle', // shown when AV moderation is activated
// 'notify.moderationStoppedTitle', // shown when AV moderation is deactivated
// 'notify.moderationInEffectTitle', // shown when user attempts to unmute audio during AV moderation
@ -1329,7 +1247,6 @@ var config = {
// 'notify.raisedHand', // shown when a partcipant used raise hand,
// 'notify.startSilentTitle', // shown when user joined with no audio
// 'notify.unmute', // shown to moderator when user raises hand during AV moderation
// 'notify.hostAskedUnmute', // shown to participant when host asks them to unmute
// 'prejoin.errorDialOut',
// 'prejoin.errorDialOutDisconnected',
// 'prejoin.errorDialOutFailed',
@ -1345,9 +1262,6 @@ var config = {
// 'transcribing.failedToStart' // shown when transcribing fails to start
// ],
// List of notifications to be disabled. Works in tandem with the above setting.
// disabledNotifications: [],
// Prevent the filmstrip from autohiding when screen width is under a certain threshold
// disableFilmstripAutohiding: false,
@ -1355,37 +1269,12 @@ var config = {
// // Disables user resizable filmstrip. Also, allows configuration of the filmstrip
// // (width, tiles aspect ratios) through the interfaceConfig options.
// disableResizable: false,
// }
// // Disables the stage filmstrip
// // (displaying multiple participants on stage besides the vertical filmstrip)
// disableStageFilmstrip: false
// },
// Tile view related config options.
// tileView: {
// // The optimal number of tiles that are going to be shown in tile view. Depending on the screen size it may
// // not be possible to show the exact number of participants specified here.
// numberOfVisibleTiles: 25
// },
// Specifies whether the chat emoticons are disabled or not
// disableChatSmileys: false,
// Settings for the GIPHY integration.
// giphy: {
// // Whether the feature is enabled or not.
// enabled: false,
// // SDK API Key from Giphy.
// sdkKey: '',
// // Display mode can be one of:
// // - tile: show the GIF on the tile of the participant that sent it.
// // - chat: show the GIF as a message in chat
// // - all: all of the above. This is the default option
// displayMode: 'all',
// // How long the GIF should be displayed on the tile (in miliseconds).
// tileTime: 5000
// },
// Allow all above example options to include a trailing comma and
// prevent fear when commenting out the last value.
makeJsonParserHappy: 'even if last key had a trailing comma'

2
type/__jitsi_meet_domain/files/interface_config.js.sh
View File

@ -20,7 +20,7 @@ JITSI_INTERFACE_CONFIG_JS="$(cat <<EOF
*/
var interfaceConfig = {
APP_NAME: '${BRANDING_APP_NAME}',
APP_NAME: 'Jitsi Meet',
AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)',
AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)',

1
type/__jitsi_meet_domain/files/jitsi-version
View File

@ -1 +0,0 @@
2.0.7439-1

40
type/__jitsi_meet_domain/files/nginx.sh
View File

@ -10,17 +10,6 @@ JITSI_NGINX_CONFIG="$(cat <<EOF
## nginx's default mime.types doesn't include a mapping for wasm
# application/wasm wasm;
#}
# These upstreams are managed by __jitsi_meet
#upstream prosody {
# zone upstreams 64K;
# server 127.0.0.1:5280;
# keepalive 2;
#}
#upstream jvb1 {
# zone upstreams 64K;
# server 127.0.0.1:9090;
# keepalive 2;
#}
server {
listen 80;
listen [::]:80;
@ -102,48 +91,33 @@ server {
expires 1y;
}
}
# Paths for jsi / interpreters
location ~ ^/i/(img/[^./]*.png|jsi.js|style.css)$
{
add_header 'Access-Control-Allow-Origin' '*';
alias /opt/jsi/static/\$1;
# cache all versioned files
if (\$arg_v) {
expires 1y;
}
}
location ~ ^/i/
{
try_files /${DOMAIN}-interpreters.html /interpreters.html \$uri;
}
# BOSH
location = /http-bind {
proxy_pass http://prosody/http-bind?prefix=\$prefix&\$args;
proxy_http_version 1.1;
# We are using 127.0.0.1, because we are not specifying a resolver
# otherwise nginx will fail to resolve 'localhost'
proxy_pass http://127.0.0.1:5280/http-bind?prefix=\$prefix&\$args;
proxy_set_header X-Forwarded-For \$remote_addr;
# Prevision for 'multi-domain' jitsi instances
# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
proxy_set_header Host ${DOMAIN};
proxy_set_header Connection "";
proxy_set_header Host ${JITSI_HOST};
}
# xmpp websockets
location = /xmpp-websocket {
proxy_pass http://prosody/xmpp-websocket?prefix=\$prefix&\$args;
proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=\$prefix&\$args;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";
# Prevision for 'multi-domain' jitsi instances
# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
proxy_set_header Host ${DOMAIN};
proxy_set_header Host ${JITSI_HOST};
tcp_nodelay on;
}
# colibri (JVB) websockets for jvb1
location ~ ^/colibri-ws/default-id/(.*) {
proxy_pass http://jvb1/colibri-ws/default-id/\$1\$is_args\$args;
proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/\$1\$is_args\$args;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";

18
type/__jitsi_meet_domain/files/nginx.sh.orig
View File

@ -4,16 +4,6 @@ types {
# nginx's default mime.types doesn't include a mapping for wasm
application/wasm wasm;
}
upstream prosody {
zone upstreams 64K;
server 127.0.0.1:5280;
keepalive 2;
}
upstream jvb1 {
zone upstreams 64K;
server 127.0.0.1:9090;
keepalive 2;
}
server {
listen 80;
listen [::]:80;
@ -87,16 +77,14 @@ server {
# BOSH
location = /http-bind {
proxy_pass http://prosody/http-bind?prefix=$prefix&$args;
proxy_http_version 1.1;
proxy_pass http://127.0.0.1:5280/http-bind?prefix=$prefix&$args;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header Connection "";
}
# xmpp websockets
location = /xmpp-websocket {
proxy_pass http://prosody/xmpp-websocket?prefix=$prefix&$args;
proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
@ -106,7 +94,7 @@ server {
# colibri (JVB) websockets for jvb1
location ~ ^/colibri-ws/default-id/(.*) {
proxy_pass http://jvb1/colibri-ws/default-id/$1$is_args$args;
proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/$1$is_args$args;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

228
type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
View File

@ -1,228 +0,0 @@
#!/bin/sh -eu
# Source:
# https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example
FOCUS_USER="focus"
JITSI_DOMAIN="${JITSI_DOMAIN:-${JITSI_HOST:?}}"
# PROSODY_MAIN_CONFIG: defined in __jitsi_meet, empty in __jitsi_meet_domain
PROSODY_SECUREDOMAIN_START="--[["
PROSODY_SECUREDOMAIN_END="--]]"
if [ -n "${PROSODY_MAIN_CONFIG}" ]; then
PROSODY_MAIN_START=""
PROSODY_MAIN_END=""
PROSODY_DOMAIN_START="--[["
PROSODY_DOMAIN_END="--]]"
else
PROSODY_MAIN_START="--[["
PROSODY_MAIN_END="--]]"
PROSODY_DOMAIN_START=""
PROSODY_DOMAIN_END=""
if [ -n "${SECURED_DOMAINS}" ]; then
PROSODY_SECUREDOMAIN_START=""
PROSODY_SECUREDOMAIN_END=""
fi
fi
# Websockets haven't been fully tested in this type and don't work reliably
PROSODY_WEBSOCKET="-- "
# shellcheck disable=SC2034 # This is intended to be included
PROSODY_CONFIG="$(cat <<EOFPROSODY
-- Managed remotely, changes will be lost
${PROSODY_MAIN_START}
-- This will be managed by __jitsi_meet
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "${JITSI_HOST:?}";
external_service_secret = "${TURN_SECRET:-TurnSecret}";
external_services = {
{ type = "stun", host = "${JITSI_HOST:?}", port = 3478 },
{ type = "turn", host = "${JITSI_HOST:?}", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
{ type = "turns", host = "${JITSI_HOST:?}", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};
cross_domain_bosh = false;
consider_bosh_secure = true;
-- Use websockets
-- https://community.jitsi.org/t/how-to-how-to-enable-websockets-xmpp-websocket-and-smacks-for-prosody/87920
${PROSODY_WEBSOCKET}consider_websocket_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284
-- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
--http_cors_override = {
-- bosh = {
-- enabled = false;
-- };
-- websocket = {
-- enabled = false;
-- };
--}
-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
protocol = "tlsv1_2+";
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}
unlimited_jids = {
"${FOCUS_USER:?}@auth.${JITSI_HOST:?}",
"jvb@auth.${JITSI_HOST:?}"
}
${PROSODY_MAIN_END}
${PROSODY_DOMAIN_START}
-- This will be managed by __jitsi_meet_domain
VirtualHost "${JITSI_DOMAIN:?}"
-- enabled = false -- Remove this line to enable this host
authentication = "anonymous"
-- Properties below are modified by jitsi-meet-tokens package config
-- and authentication above is switched to "token"
--app_id="example_app_id"
--app_secret="example_app_secret"
-- Assign this host a certificate for TLS, otherwise it would use the one
-- set in the global section (if any).
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
-- use the global one.
ssl = {
key = "/etc/prosody/certs/${JITSI_DOMAIN:?}.key";
certificate = "/etc/prosody/certs/${JITSI_DOMAIN:?}.crt";
}
av_moderation_component = "avmoderation.${JITSI_DOMAIN:?}"
speakerstats_component = "speakerstats.${JITSI_DOMAIN:?}"
conference_duration_component = "conferenceduration.${JITSI_DOMAIN:?}"
-- we need bosh
modules_enabled = {
"bosh";
"pubsub";
"ping"; -- Enable mod_ping
"speakerstats";
"external_services";
"conference_duration";
"muc_lobby_rooms";
"muc_breakout_rooms";
"av_moderation";
${PROSODY_WEBSOCKET} "websocket";
${PROSODY_WEBSOCKET} "smacks";
}
smacks_max_unacked_stanzas = 5;
smacks_hibernation_time = 60;
smacks_max_hibernated_sessions = 1;
smacks_max_old_sessions = 1;
c2s_require_encryption = false
lobby_muc = "lobby.${JITSI_DOMAIN:?}"
breakout_rooms_muc = "breakout.${JITSI_DOMAIN:?}"
main_muc = "conference.${JITSI_DOMAIN:?}"
-- muc_lobby_whitelist = { "recorder.${JITSI_DOMAIN:?}" } -- Here we can whitelist jibri to enter lobby enabled rooms
Component "conference.${JITSI_DOMAIN:?}" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_meeting_id";
"muc_domain_mapper";
"polls";
--"token_verification";
"muc_rate_limit";
}
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
muc_room_locking = false
muc_room_default_public_jids = true
Component "breakout.${JITSI_DOMAIN:?}" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_meeting_id";
"muc_domain_mapper";
--"token_verification";
"muc_rate_limit";
"polls";
}
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
muc_room_locking = false
muc_room_default_public_jids = true
-- internal muc component
Component "internal.auth.${JITSI_DOMAIN:?}" "muc"
storage = "memory"
modules_enabled = {
"ping";
}
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}", "jvb@auth.${JITSI_HOST:?}" }
muc_room_locking = false
muc_room_default_public_jids = true
-- https://prosody.im/doc/modules/mod_muc
muc_room_cache_size = 1000
${PROSODY_DOMAIN_END}
${PROSODY_MAIN_START}
-- This will be managed by __jitsi_meet
VirtualHost "auth.${JITSI_DOMAIN:?}"
ssl = {
key = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.key";
certificate = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.crt";
}
modules_enabled = {
"limits_exception";
}
authentication = "internal_hashed"
${PROSODY_MAIN_END}
${PROSODY_DOMAIN_START}
-- This will be managed by __jitsi_meet_domain
-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
Component "focus.${JITSI_DOMAIN:?}" "client_proxy"
-- Single focus user for the whole instance
target_address = "${FOCUS_USER:?}@auth.${JITSI_HOST:?}"
Component "speakerstats.${JITSI_DOMAIN:?}" "speakerstats_component"
muc_component = "conference.${JITSI_DOMAIN:?}"
Component "conferenceduration.${JITSI_DOMAIN:?}" "conference_duration_component"
muc_component = "conference.${JITSI_DOMAIN:?}"
Component "avmoderation.${JITSI_DOMAIN:?}" "av_moderation_component"
muc_component = "conference.${JITSI_DOMAIN:?}"
Component "lobby.${JITSI_DOMAIN:?}" "muc"
storage = "memory"
restrict_room_creation = true
muc_room_locking = false
muc_room_default_public_jids = true
modules_enabled = {
"muc_rate_limit";
"polls";
}
${PROSODY_DOMAIN_END}
--[[
-- Enables dial-in for Jitsi meet components customers
-- Note: make sure you have the following packages installed: lua-basexx, liblua5.3-dev, libssl-dev, luarocks
-- and execute $ sudo luarocks install luajwtjitsi 3.0-0
VirtualHost "jigasi.meet.jitsi"
enabled = false -- Jitsi meet components customers remove this line
modules_enabled = {
"ping";
"bosh";
}
authentication = "token"
app_id = "jitsi";
asap_key_server = "https://jaas-public-keys.jitsi.net/jitsi-components/prod-8x8"
asap_accepted_issuers = { "jaas-components" }
asap_accepted_audiences = { "jigasi.jitmeet.example.com" }
--]]
${PROSODY_SECUREDOMAIN_START}
-- Only used on secured domains
VirtualHost "${JITSI_DOMAIN}"
authentication = "internal_plain"
VirtualHost "guest.${JITSI_DOMAIN}"
authentication = "anonymous"
c2s_require_encryption = false
${PROSODY_SECUREDOMAIN_END}
EOFPROSODY
)"

154
type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig
View File

@ -1,154 +0,0 @@
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "jitmeet.example.com";
external_service_secret = "__turnSecret__";
external_services = {
{ type = "stun", host = "jitmeet.example.com", port = 3478 },
{ type = "turn", host = "jitmeet.example.com", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
{ type = "turns", host = "jitmeet.example.com", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};
cross_domain_bosh = false;
consider_bosh_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284
-- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
--http_cors_override = {
-- bosh = {
-- enabled = false;
-- };
-- websocket = {
-- enabled = false;
-- };
--}
-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
protocol = "tlsv1_2+";
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}
unlimited_jids = {
"focusUser@auth.jitmeet.example.com",
"jvb@auth.jitmeet.example.com"
}
VirtualHost "jitmeet.example.com"
-- enabled = false -- Remove this line to enable this host
authentication = "anonymous"
-- Properties below are modified by jitsi-meet-tokens package config
-- and authentication above is switched to "token"
--app_id="example_app_id"
--app_secret="example_app_secret"
-- Assign this host a certificate for TLS, otherwise it would use the one
-- set in the global section (if any).
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
-- use the global one.
ssl = {
key = "/etc/prosody/certs/jitmeet.example.com.key";
certificate = "/etc/prosody/certs/jitmeet.example.com.crt";
}
av_moderation_component = "avmoderation.jitmeet.example.com"
speakerstats_component = "speakerstats.jitmeet.example.com"
conference_duration_component = "conferenceduration.jitmeet.example.com"
-- we need bosh
modules_enabled = {
"bosh";
"pubsub";
"ping"; -- Enable mod_ping
"speakerstats";
"external_services";
"conference_duration";
"muc_lobby_rooms";
"muc_breakout_rooms";
"av_moderation";
}
c2s_require_encryption = false
lobby_muc = "lobby.jitmeet.example.com"
breakout_rooms_muc = "breakout.jitmeet.example.com"
main_muc = "conference.jitmeet.example.com"
-- muc_lobby_whitelist = { "recorder.jitmeet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
Component "conference.jitmeet.example.com" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_meeting_id";
"muc_domain_mapper";
"polls";
--"token_verification";
"muc_rate_limit";
}
admins = { "focusUser@auth.jitmeet.example.com" }
muc_room_locking = false
muc_room_default_public_jids = true
Component "breakout.jitmeet.example.com" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_meeting_id";
"muc_domain_mapper";
--"token_verification";
"muc_rate_limit";
"polls";
}
admins = { "focusUser@auth.jitmeet.example.com" }
muc_room_locking = false
muc_room_default_public_jids = true
-- internal muc component
Component "internal.auth.jitmeet.example.com" "muc"
storage = "memory"
modules_enabled = {
"ping";
}
admins = { "focusUser@auth.jitmeet.example.com", "jvb@auth.jitmeet.example.com" }
muc_room_locking = false
muc_room_default_public_jids = true
VirtualHost "auth.jitmeet.example.com"
modules_enabled = {
"limits_exception";
}
authentication = "internal_hashed"
-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
Component "focus.jitmeet.example.com" "client_proxy"
target_address = "focusUser@auth.jitmeet.example.com"
Component "speakerstats.jitmeet.example.com" "speakerstats_component"
muc_component = "conference.jitmeet.example.com"
Component "conferenceduration.jitmeet.example.com" "conference_duration_component"
muc_component = "conference.jitmeet.example.com"
Component "avmoderation.jitmeet.example.com" "av_moderation_component"
muc_component = "conference.jitmeet.example.com"
Component "lobby.jitmeet.example.com" "muc"
storage = "memory"
restrict_room_creation = true
muc_room_locking = false
muc_room_default_public_jids = true
modules_enabled = {
"muc_rate_limit";
"polls";
}
-- Enables dial-in for Jitsi meet components customers
-- Note: make sure you have the following packages installed: lua-basexx, liblua5.3-dev, libssl-dev, luarocks
-- and execute $ sudo luarocks install luajwtjitsi 3.0-0
VirtualHost "jigasi.meet.jitsi"
enabled = false -- Jitsi meet components customers remove this line
modules_enabled = {
"ping";
"bosh";
}
authentication = "token"
app_id = "jitsi";
asap_key_server = "https://jaas-public-keys.jitsi.net/jitsi-components/prod-8x8"
asap_accepted_issuers = { "jaas-components" }
asap_accepted_audiences = { "jigasi.jitmeet.example.com" }

39
type/__jitsi_meet_domain/man.rst
View File

@ -11,24 +11,14 @@ DESCRIPTION
-----------
This type installs and configures the frontend for Jitsi-Meet.
Additionally to regular Jitsi-Meet, users can load `DOMAIN/i/` and
`DOMAIN/i/ROOM` for an interpreter-enabled interface; this is done with a
patched version of Jitsi Simultaneous Interpretation (jsi; see references).
At least a user with `interpreter` in their name must be present.
This type supports "multi-domain" installations.
New in April 2022: rooms are independent for each domain, that is:
This supports "multi-domain" installations, notice that in such a setup, all
rooms are shared across the different URLs, e.g.
https://jitsi1.example.org/room1 and https://jitsi2.example.org/room1 are
different rooms.
Note however, that right now if using secured domains, users are still shared
across any domains hosted in the same instance.
One way to work around that could be to run multiple jicofos, but we do not
want to bloat the servers.
A better way is to patch jicofo, get in touch with the type authors if you want
the gory details.
equivalent.
This is due to the underlying XMPP and signaling rooms being common.
There might be a way to perform tricks on the Nginx-side to avoid this, but
time is lacking :-).
This assumes `__jitsi_meet` has already been ran on the target host, and,
amongst others, that Jitsi was set up with `__target_host` as the Jitsi domain.
@ -51,11 +41,6 @@ admin-email
OPTIONAL PARAMETERS
-------------------
analytics-settings
This goes inside the `analytics` part of `config.js`.
Defaults to: `disabled: true`.
See: https://github.com/jitsi/jitsi-meet/blob/master/config.js
channel-last-n
Default value for the "last N" attribute.
Defaults to 20. Set to -1 for unlimited.
@ -93,15 +78,6 @@ video-constraints
It must not have a trailing comma, see `constraints` in
`__jitsi_meet_domain/files/config.js.sh`.
branding-app-name
This will change `Jitsi Meet` in many places to the brand you desire.
Defaults to `Jitsi Meet`.
branding-extra-body
This must be valid HTML, it will be included server-side and delivered to
clients alongside the default `index.html`.
This is useful if you would rather not replace the whole `index`, but
still want the chance to do some heavier branding / add instructions / etc.
branding-json
Path to a JSON file that will be served as the `dynamicBrandingUrl`.
@ -109,12 +85,14 @@ branding-json
`__jitsi_meet_domain/files/config.js.sh`.
If not set, no branding will be set up.
branding-index
Path to an HTML file that will be served instead of Jitsi-Meet's default
one.
If not set, the default index file will be used.
If set to `-`, the type's standard input will be used.
branding-watermark
Path to a png file that will be served instead of Jitsi-Meet's default
one.
@ -169,7 +147,6 @@ SEE ALSO
--------
- `__jitsi_meet(7)`
- `__jitsi_meet_user(7)`
- Jitsi Meet Simultaneous Interpretation: https://gitlab.com/mfmt/jsi
AUTHORS

42
type/__jitsi_meet_domain/manifest
View File

@ -18,8 +18,6 @@ NOTICE_MESSAGE="$(cat "${__object}/parameter/notice-message")"
START_VIDEO_MUTED="$(cat "${__object}/parameter/start-video-muted")"
TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
VIDEO_CONSTRAINTS="$(cat "${__object}/parameter/video-constraints")"
ANALYTICS_SETTINGS="$(cat "${__object}/parameter/analytics-settings")"
BRANDING_APP_NAME="$(cat "${__object}/parameter/branding-app-name")"
BRANDING_INDEX="$(cat "${__object}/parameter/branding-index")"
BRANDING_JSON="$(cat "${__object}/parameter/branding-json")"
BRANDING_WATERMARK="$(cat "${__object}/parameter/branding-watermark")"
@ -132,43 +130,3 @@ __file "/usr/share/jitsi-meet/images/watermark-${DOMAIN}.png" \
--mode 0644 \
--state "$(_var_state "${BRANDING_WATERMARK}")" \
--source "${BRANDING_WATERMARK}"
# Simple body customisation
__file "/usr/share/jitsi-meet/body-${DOMAIN}.html" \
--mode 0644 \
--state "$(_var_state "${STATE}")" \
--source "${__object}/parameter/branding-extra-body"
#
# Take care of prosody settings for the domain
#
JITSI_DOMAIN="${DOMAIN}"
# Prosody settings for common components (jvb, focus, ...)
# shellcheck source=type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
. "${__type}/files/prosody.cfg.lua.sh" # This defines PROSODY_CONFIG
__file "/etc/prosody/conf.avail/${DOMAIN}.cfg.lua" \
--group prosody \
--mode 0440 \
--state "${STATE}" \
--source '-' <<EOF
${PROSODY_CONFIG}
EOF
__link "/etc/prosody/conf.d/${DOMAIN}.cfg.lua" \
--source "/etc/prosody/conf.avail/${DOMAIN}.cfg.lua" \
--state "${STATE}" \
--type symbolic
if [ "${STATE}" = "present" ]; then
export require="${require} __file/etc/prosody/conf.avail/${DOMAIN}.cfg.lua __link/etc/prosody/conf.d/${DOMAIN}.cfg.lua"
__check_messages "prosody/${DOMAIN}" \
--pattern '^(__file|__link)/etc/prosody/conf[.](avail|d)/' \
--execute "$(cat <<EOF
if [ ! -f "/var/lib/prosody/${DOMAIN}.crt" ]; then
echo | prosodyctl cert generate '${DOMAIN}';
ln -sf '/var/lib/prosody/${DOMAIN}.key' '/etc/prosody/certs/${DOMAIN}.key'
ln -sf '/var/lib/prosody/${DOMAIN}.crt' '/etc/prosody/certs/${DOMAIN}.crt'
fi
# Surprisingly, a reload is not enough
service prosody restart
EOF
)"
fi

1
type/__jitsi_meet_domain/parameter/default/analytics-settings
View File

@ -1 +0,0 @@
disabled: true

1
type/__jitsi_meet_domain/parameter/default/branding-app-name
View File

@ -1 +0,0 @@
Jitsi Meet

0
type/__jitsi_meet_domain/parameter/default/branding-extra-body
View File

3
type/__jitsi_meet_domain/parameter/optional
View File

@ -1,13 +1,10 @@
analytics-settings
channel-last-n
default-language
notice-message
start-video-muted
turn-server
video-constraints
branding-app-name
branding-json
branding-index
branding-extra-body
branding-watermark
state

45
type/__php_fpm/files/php.ini.sh Executable file
View File

@ -0,0 +1,45 @@
#!/bin/sh
cat <<EOF
; This file is managed by cdist, and has been shortened for readability.
; The fine manual is at http://php.net/configuration.file.
[PHP]
; Production recommended defaults
display_errors = Off
display_startup_errors = Off
enable_dl = Off
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
log_errors = On
output_buffering = 4096
register_argc_argv = Off
request_order = "GP"
short_open_tag = Off
variables_order = "GPCS"
zend.assertions = -1
; Local custom variations
include_path = ".:/usr/share/php${PHPVER:?}"
memory_limit = ${MEMORY_LIMIT:?}
post_max_size = ${UPLOAD_MAX_FILESIZE:?}
upload_max_filesize = ${UPLOAD_MAX_FILESIZE:?}
EOF
if [ -f "${__object:?}/parameter/enable-opcache" ]; then
cat <<-EOF
; opcache enabled by type flag
opcache.enable=1
opcache.enable_cli=1
EOF
fi
if [ -f "${__object:?}/parameter/enable-apcu" ]; then
cat <<-EOF
; acpu enabled by type flag
apc.enabled=1
apc.enable_cli=1
apc.shm_size=512M
EOF
fi

75
type/__php_fpm/man.rst Normal file
View File

@ -0,0 +1,75 @@
cdist-type__php_fpm(7)
======================
NAME
----
cdist-type__php_fpm - Setup and configure PHP-FPM
DESCRIPTION
-----------
This type installs and configures PHP-FPM for a given version of PHP. It is
expected to be used in combination with cdist-type__php_fpm_pool, which
configures specific pools.
Note that currently, this type is only implemented for Alpine Linux.
REQUIRED PARAMETERS
-------------------
php-version
The PHP version for which the type is working. Will impact installed
packages, configuration files, &c
OPTIONAL PARAMETERS
-------------------
memory-limit
The system-wide memory limit for PHP-FPM. Can be overriden per-pool.
Default is 512M.
upload-max-filesize
The maximum filesize accepted by PHP-FPM for file uploads. Default is
2M.
BOOLEAN PARAMETERS
------------------
enable-opcache
Enable PHP opcache.
enable-apcu
Enable PHP APCu.
EXAMPLES
--------
.. code-block:: sh
# Dead simple setup
__php_fpm --php-version 8.1
# Custom setup
__php_fpm \
--php-version 8.1 \
--memory-limit 768M \
--upload-max-filesize 200M \
--enable-opcache \
--enable-apcu
SEE ALSO
--------
cdist-type__php_fpm_pool(7)
AUTHORS
-------
Joachim Desroches <joachim.desroches@epfl.ch>
COPYING
-------
Copyright \(C) 2022 Joachim Desroches. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

47
type/__php_fpm/manifest Normal file
View File

@ -0,0 +1,47 @@
#!/bin/sh
os=$(cat "${__global:?}/explorer/os")
PHPVER=$(cat "${__object:?}/parameter/php-version")
export PHPVER
case "$os" in
'alpine')
package="php${PHPVER}-fpm"
service="php-fpm${PHPVER}"
opcache_package="php${PHPVER}-opcache"
apcu_package="php${PHPVER}-pecl-apcu"
;;
*)
printf "Your operating system is currently not supported by this type\n" >&2
printf "Please contribute an implementation for it if you can.\n" >&2
exit 1
;;
esac
__package "$package"
require="__package/$package" __start_on_boot "$service"
if [ -f "${__object:?}/parameter/enable-opcache" ]; then
__package "$opcache_package"
fi
if [ -f "${__object:?}/parameter/enable-apcu" ]; then
__package "$apcu_package"
fi
MEMORY_LIMIT=$(cat "${__object:?}/parameter/memory-limit")
export MEMORY_LIMIT
UPLOAD_MAX_FILESIZE=$(cat "${__object:?}/parameter/upload-max-filesize")
export UPLOAD_MAX_FILESIZE
mkdir -p "${__object:?}/files"
"${__type:?}/files/php.ini.sh" >"${__object:?}/files/php.ini"
require="__package/$package" __file "/etc/php${PHPVER}/php.ini" \
--mode 644 --source "${__object:?}/files/php.ini" \
--onchange "service $service restart"
require="__file/etc/php${PHPVER}/php.ini" __service "$service" --action start

2
type/__php_fpm/parameter/boolean Normal file
View File

@ -0,0 +1,2 @@
enable-opcache
enable-apcu

1
type/__php_fpm/parameter/default/memory-limit Normal file
View File

@ -0,0 +1 @@
512M

1
type/__php_fpm/parameter/default/upload-max-filesize Normal file
View File

@ -0,0 +1 @@
2M

2
type/__php_fpm/parameter/optional Normal file
View File

@ -0,0 +1,2 @@
upload-max-filesize
memory-limit

1
type/__php_fpm/parameter/required Normal file
View File

@ -0,0 +1 @@
php-version

0
type/__jitsi_meet/parameter/default/abort-conference-count → type/__php_fpm/singleton
View File

34
type/__php_fpm_pool/files/www.conf.sh Executable file
View File

@ -0,0 +1,34 @@
#!/bin/sh
cat <<EOF
; PHP-FPM configuration file for $POOL_NAME, PHP version $PHPVER.
; This file is managed by cdist, do not edit by hand!
[$POOL_NAME]
; Local non-default configuration
user = $POOL_USER
group = $POOL_GROUP
listen = $POOL_LISTEN_ADDR
listen.owner = $POOL_LISTEN_OWNER
; Mandatory configuration options with default production values
pm = dynamic
pm.max_children = 10
pm.min_spare_servers = 1
pm.max_spare_servers = 3
env[HOSTNAME] = \$HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
EOF
if [ -f "${__object:?}/parameter/memory-limit" ]; then
echo "php_admin_value[memory_limit] = $(cat "$__object/parameter/memory-limit")"
fi
if [ -f "${__object:?}/parameter/open-basedir" ]; then
echo "php_admin_value[open_basedir] = $(cat "${__object:?}/parameter/open-basedir")"
fi

79
type/__php_fpm_pool/man.rst Normal file
View File

@ -0,0 +1,79 @@
cdist-type__php_fpm_pool(7)
===========================
NAME
----
cdist-type__php_fpm_pool - Setup and configure a PHP-FPM pool
DESCRIPTION
-----------
This type configures a pool named after the `__object_id` for a specified PHP
version. Note that this types expects a same-version cdist-type__php_fpm type
to have been run first: the user is responsible for doing so.
Note that currently, this type is only implemented for Alpine Linux.
REQUIRED PARAMETERS
-------------------
php-version
The PHP version for which the type is working. Will impact installed
packages, configuration files, &c
pool-user
The local user under which the pool processes should run.
pool-group
The local group under which the pool processes should run.
pool-listen-addr
The socket or address to which the pool should bind for listening.
pool-listen-owner
The owner of the socket if a socket is used.
OPTIONAL PARAMETERS
-------------------
memory-limit
The pool memory limit for PHP-FPM. Will default to the setting in the
system-wide php.ini file.
openbasedir
Limit the files that can be accessed by PHP to the specified
directory-tree, including the file itself.
EXAMPLES
--------
.. code-block:: sh
# Setup PHP-FPM
__php_fpm --php-version 8
# Setup the pool
__php_fpm_pool www \
--php-version 8 \
--pool-user nextcloud \
--pool-group www-data \
--pool-listen-addr "/run/php8/php-fpm.sock" \
--pool-listen-owner nginx \
--memory-limit 1G
SEE ALSO
--------
cdist-type__php_fpm(7)
AUTHORS
-------
Joachim Desroches <joachim.desroches@epfl.ch>
COPYING
-------
Copyright \(C) 2022 Joachim Desroches. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

37
type/__php_fpm_pool/manifest Normal file
View File

@ -0,0 +1,37 @@
#!/bin/sh
# XXX: this type does not configure or install php-fpm: it expects the
# __recycledcloud_php_fpm type to be used first before pools are configured.
os=$(cat "${__global:?}/explorer/os")
name=${__object_id:?}
PHPVER=$(cat "${__object:?}/parameter/php-version")
export PHPVER
case "$os" in
'alpine')
service="php-fpm${PHPVER}"
:
;;
*)
printf "Your operating system is currently not supported by this type\n" >&2
printf "Please contribute an implementation for it if you can.\n" >&2
exit 1
;;
esac
POOL_NAME="$name"
POOL_USER=$(cat "${__object:?}/parameter/pool-user")
POOL_GROUP=$(cat "${__object:?}/parameter/pool-group")
POOL_LISTEN_ADDR=$(cat "${__object:?}/parameter/pool-listen-addr")
POOL_LISTEN_OWNER=$(cat "${__object:?}/parameter/pool-listen-owner")
export POOL_USER POOL_GROUP POOL_LISTEN_ADDR POOL_LISTEN_OWNER POOL_NAME
mkdir -p "${__object:?}/files"
"${__type:?}/files/www.conf.sh" >"${__object:?}/files/www.conf"
__file "/etc/php${PHPVER:?}/php-fpm.d/${name}.conf" \
--mode 644 --source "${__object:?}/files/www.conf" \
--onchange "service $service reload"

2
type/__php_fpm_pool/parameter/optional Normal file
View File

@ -0,0 +1,2 @@
memory-limit
open-basedir

5
type/__php_fpm_pool/parameter/required Normal file
View File

@ -0,0 +1,5 @@
php-version
pool-user
pool-group
pool-listen-addr
pool-listen-owner

10
type/__single_binary_service/explorer/explorer-version
View File

@ -1,10 +0,0 @@
#!/bin/sh -e
BIN_PREFIX="/usr/local/bin"
SERVICE_NAME="${__object_id}"
VERSION_FILE="${BIN_PREFIX}/.${SERVICE_NAME}.cdist.version"
if [ -f "${VERSION_FILE}" ]; then
cat "${VERSION_FILE}"
fi

190
type/__single_binary_service/man.rst
View File

@ -1,190 +0,0 @@
cdist-type__single_binary_service(7)
====================================
NAME
----
cdist-type__single_binary_service - Setup a single-binary service
DESCRIPTION
-----------
This type is designed to easily deploy and configure a single-binary service
named `${__object_id}`.
A good example of this are Prometheus exporters.
This type makes certain assumptions that might not be correct on your system.
If you need more flexibility, please get in touch and provide a use-case
(and hopefully a backwards-compatible patch).
This type will place the downloaded binary and, if requested, other extra
binaries in `/usr/local/bin`.
If a `--config-file-source` is provided, it will be placed under:
`/etc/${__object_id}.conf`.
This type supports services managed by `__runit(7)` when `systemd` is not
the init system being used.
REQUIRED PARAMETERS
-------------------
checksum
This will be passed verbatim to `__download(7)`.
Use something like `sha256:...`.
url
This will be passed verbatim to `__download(7)`.
version
This type will use a thumbstone file with a "version" number to track
whether or not a service must be updated.
This thumbstone file is placed under
`/usr/local/bin/.${__object_id}.cdist.version`.
BOOLEAN PARAMETERS
------------------
unpack
If present, the contents of `--url` will be treated as an archive to be
unpacked with `__unpack(7)`.
See also `--unpack-args` and `--extra-binary`.
do-not-manage-user
Always considered present when `--user` is `root`.
If present, the user in `--user` will not be managed by this type with
`__user`, this means it *must* exist beforehand when installing the service
and it will not be removed by this type.
OPTIONAL PARAMETERS
-------------------
config-file-source
If present, this file's contents will be placed under
`/etc/${__object_id}.conf` with permissions `0440` and ownership assigned to
`--user` and `--group`.
If `-` is passed, this type's `stdin` will be used.
user
The user under which the service will run. Defaults to `root`.
If this user is not `root` and `--do-not-manage-user` is not present,
this user will be created or removed as per the `--state` parameter.
user-home-dir
Does not have an effect if `--do-not-manage-user` is used or `--user` is
`root`.
The home directory of the service user. It will be created.
Defaults to `/nonexistent`, in this case the home directory will not be
created.
group
The group under which the service will run. Defaults to `--user`.
state
Whether the service is to be `present` (default) or `absent`.
When `absent`, this type will clean any binaries listed in `--extra-binary`
and also the config file as described in `--config-file-source`.
binary
This will be the binary name. Defaults to `${__object_id}`.
If `--unpack` is used, a binary with this name must be unpacked.
Otherwise, the contents of `--url` will be placed under this binary name.
service-args
Any extra arguments to pass along with `--service-exec`. Beware that any
service-args having the format `--config=/etc/foo.cfg` should be
represented in the following way `--service-exec='--config=/etc/foo.cfg'`
service-exec
The executable to use for this service.
Defaults to `/usr/local/bin/BINARY_NAME` where `BINARY_NAME` is the
resulting value of `--binary`.
service-definition
The service definition to be used as an override.
Note that this type decides dinammically between runit and systemd, and
you can currently only define either a systemd unit or a runit script here.
Use this parameter only for testing and get in touch to discuss how your
particular use-case can be supported by the type.
service-description
The service description to be used in, e.g. the systemd unit file.
Defaults to `cdist-managed '${__object_id}' service`.
unpack-args
Only has an effect if `--unpack` is used.
These arguments will be passed verbatim to `__unpack(7)`.
Very useful as this type assumes the archive does not have the binaries in
subdirectories; that can be worked around with
`--unpack-args '--tar-strip 1'`.
unpack-extension
Only has an effect if `--unpack` is used.
The file extension of the file to unpack, defaults to `.tar.gz`.
working-directory
If set, the working directory with which the service will be started.
OPTIONAL MULTIPLE PARAMETERS
----------------------------
extra-binary
Only useful with `--unpack`.
If passed, these binaries will also be installed when `--state` is `present`
and removed when `--state` is `absent`.
Handle with care :-).
EXAMPLES
--------
.. code-block:: sh
# Install and enable the ipmi_exporter service
# The variables are defined in the manifest previously
__single_binary_service ipmi_exporter \
--user "${USER}" \
--service-args ' --config.file=/etc/ipmi_exporter.conf' \
--version "${SHOULD_VERSION}" \
--checksum "${CHECKSUM}" \
--url "${DOWNLOAD_URL}" \
--state "present" \
--unpack \
--unpack-args "--tar-strip 1" \
--config-file-source '-' <<-EOF
# Remotely managed, changes will be lost
# [...] config contents goes here
EOF
# Remove the ipmi_exporter service along with the user and its config
__single_binary_service ipmi_exporter \
--user "${USER}" \
--version "${SHOULD_VERSION}" \
--checksum "${CHECKSUM}" \
--url "${DOWNLOAD_URL}" \
--state "absent"
# Same, but the service was using my user! Let's not delete that!
__single_binary_service ipmi_exporter \
--user "evilham" \
--do-not-manage-user \
--version "${SHOULD_VERSION}" \
--checksum "${CHECKSUM}" \
--url "${DOWNLOAD_URL}" \
--state "absent"
SEE ALSO
--------
- `__download(7)`
- `__unpack(7)`
AUTHORS
-------
Evilham <contact@evilham.com>
COPYING
-------
Copyright \(C) 2022 Evilham.

288
type/__single_binary_service/manifest
View File

@ -1,288 +0,0 @@
#!/bin/sh -e
SERVICE_NAME="${__object_id}"
OS="$(cat "${__global}/explorer/os")"
case "${OS}" in
debian|devuan)
SUPER_USER_GROUP=root
ETC_DIR="/etc"
;;
*bsd)
SUPER_USER_GROUP=wheel
ETC_DIR="/usr/local/etc"
;;
*)
echo "Your OS '${OS}' is currently not supported." >&2
exit 1
;;
esac
INIT="$(cat "${__global}/explorer/init")"
case "${INIT}" in
systemd)
service_definition_require="__systemd_unit/${SERVICE_NAME}.service"
service_command="service ${SERVICE_NAME} %s"
;;
runit|sysvinit)
# We will use runit to manage these services
__runit
export require="__runit"
service_definition_require="__runit_service/${SERVICE_NAME}"
service_command="sv %s ${SERVICE_NAME}"
;;
*)
echo "Init system ${INIT}' is currently not supported." >&2
exit 1
;;
esac
BIN_DIR="/usr/local/bin"
# Ensure the target bin dir exists
# Care, we never want to remove it :-D
__directory "${BIN_DIR}" \
--state "exists" \
--mode 0755
export require="${require} __directory${BIN_DIR}"
STATE="$(cat "${__object}/parameter/state")"
USER="$(cat "${__object}/parameter/user")"
GROUP="$(cat "${__object}/parameter/group" 2>/dev/null || true)"
if [ -z "${GROUP}" ]; then
if [ "${USER}" != "root" ]; then
GROUP="${USER}"
else
GROUP="${SUPER_USER_GROUP}"
fi
fi
BINARY="$(cat "${__object}/parameter/binary" 2>/dev/null || true)"
if [ -z "${BINARY}" ]; then
BINARY="${SERVICE_NAME}"
fi
EXTRA_BINARIES="$(cat "${__object}/parameter/extra-binary" 2>/dev/null || true)"
# This only makes sense for file archives
if [ -n "${EXTRA_BINARIES}" ] && [ -f "${__object}/parameter/unpack" ]; then
cat >&2 <<-EOF
You cannot specify extra binaries without the --unpack argument.
Make sure that the --url argument points to a file archive.
EOF
fi
SERVICE_EXEC="$(cat "${__object}/parameter/service-exec" 2>/dev/null || true)"
if [ -z "${SERVICE_EXEC}" ]; then
SERVICE_EXEC="${BIN_DIR}/${BINARY}"
fi
SERVICE_ARGS="$(cat "${__object}/parameter/service-args")"
SERVICE_EXEC="${SERVICE_EXEC} ${SERVICE_ARGS}"
SERVICE_DESCRIPTION="$(cat "${__object}/parameter/service-description" \
2>/dev/null || true)"
if [ -z "${SERVICE_DESCRIPTION}" ]; then
SERVICE_DESCRIPTION="cdist-managed '${SERVICE_NAME}' service"
fi
SERVICE_DEFINITION="$(cat "${__object}/parameter/service-definition" 2>/dev/null || true)"
WORKING_DIRECTORY_PATH="$(cat "${__object}/parameter/working-directory" 2>/dev/null || true)"
if [ -n "${WORKING_DIRECTORY_PATH}" ]; then
WORKING_DIRECTORY_SYSTEMD="WorkingDirectory=${WORKING_DIRECTORY_PATH}"
WORKING_DIRECTORY_RUNIT="cd '${WORKING_DIRECTORY_PATH}'"
fi
DOWNLOAD_URL="$(cat "${__object}/parameter/url")"
CHECKSUM="$(cat "${__object}/parameter/checksum")"
SHOULD_VERSION="$(cat "${__object}/parameter/version")"
# Create a user for the service if it is not root
USER_HOME_DIR="/root"
if [ "${USER}" != "root" ] && \
[ ! -f "${__object}/parameter/do-not-manage-user" ]; then
if [ "${STATE}" = "absent" ]; then
# When removing, ensure user is not being used
user_require="${service_definition_require}"
fi
USER_HOME_DIR="$(cat "${__object}/parameter/user-home-dir")"
if [ "${USER_HOME_DIR}" != "/nonexistent" ]; then
USER_CREATE_HOME="--create-home"
fi
require="${require} ${user_require}" __user "${USER}" \
--system \
--state "${STATE}" \
--home "${USER_HOME_DIR}" \
--comment "cdist-managed ${SERVICE_NAME} user" \
${USER_CREATE_HOME}
# Track dependencies
service_require="${service_require} __user/${USER}"
fi
# Place config file if necessary
CONFIG_FILE_DEST="${ETC_DIR}/${SERVICE_NAME}.conf"
CONFIG_FILE_SOURCE="$(cat "${__object}/parameter/config-file-source" 2>/dev/null || true)"
if [ "${CONFIG_FILE_SOURCE}" = "-" ]; then
CONFIG_FILE_SOURCE="${__object}/stdin"
fi
if [ -n "${CONFIG_FILE_SOURCE}" ] && [ "${STATE}" = "present" ]; then
require="${require} __user/${USER}" __file \
"${CONFIG_FILE_DEST}" \
--owner "${USER}" \
--group "${GROUP}" \
--mode "0440" \
--source "${CONFIG_FILE_SOURCE}"
service_require="${service_require} __file${CONFIG_FILE_DEST}"
fi
# This should setup the object in $service_definition_require
# See above.
case "${INIT}" in
systemd)
if [ -z "${SERVICE_DEFINITION}" ]; then
SERVICE_DEFINITION="$(cat <<EOF
[Unit]
Description=${SERVICE_DESCRIPTION}
After=network.target
[Service]
Type=simple
User=${USER}
Group=${GROUP}
ExecStart=${SERVICE_EXEC}
Restart=always
${WORKING_DIRECTORY_SYSTEMD}
[Install]
WantedBy=multi-user.target
EOF
)"
fi
__systemd_unit "${SERVICE_NAME}.service" \
--source "-" \
--state "${STATE}" \
--enablement-state "enabled" <<EOF
${SERVICE_DEFINITION}
EOF
;;
runit|sysvinit)
if [ -z "${SERVICE_DEFINITION}" ]; then
SERVICE_DEFINITION="$(cat <<EOF
#!/bin/sh -e
${WORKING_DIRECTORY_RUNIT}
export HOME="\$(getent passwd '${USER}' | cut -d: -f6)"
export USER="${USER}"
export GROUP="${GROUP}"
exec chpst -u "${USER}:${GROUP}" ${SERVICE_EXEC}
EOF
)"
fi
__runit_service "${SERVICE_NAME}" \
--state "${STATE}" \
--log \
--source - <<EOF
${SERVICE_DEFINITION}
EOF
;;
esac
service_require="${service_require} ${service_definition_require}"
# Proceed after user and service description have been prepared
export require="${require} ${service_require}"
VERSION_FILE="${BIN_DIR}/.${SERVICE_NAME}.cdist.version"
IS_VERSION="$(cat "${__object}/explorer/explorer-version")"
if [ "${STATE}" = "absent" ]; then
# Perform cleanup of generated files
for bin_file in ${BINARY} ${EXTRA_BINARIES}; do
__file "${BIN_DIR}/${bin_file}" --state "absent"
done
__file "${VERSION_FILE}" --state "absent"
__file "${CONFIG_FILE_DEST}" --state "absent"
fi
if [ "${STATE}" != "present" ]; then
exit
fi
sv_cmd() {
# This is intentional
# shellcheck disable=SC2059
printf "${service_command}" "$1"
}
if [ "${SHOULD_VERSION}" != "${IS_VERSION}" ]; then
# We are installing the service and there has been a version change
# (or it is first-time install)
TMP_PATH="/tmp/${SERVICE_NAME}-${SHOULD_VERSION}"
# This is what will stop the service, replace the binaries and
# start the service again
perform_service_upgrade="$(cat <<EOF
$(sv_cmd stop) || true
if [ -f '${TMP_PATH}' ]; then
chown root:${SUPER_USER_GROUP} '${TMP_PATH}'
chmod 0555 '${TMP_PATH}'
cp -af '${TMP_PATH}' '${BIN_DIR}/${BINARY}'
else
for bin_file in ${BINARY} ${EXTRA_BINARIES}; do
bin_path="${TMP_PATH}/\${bin_file}"
chown root:${SUPER_USER_GROUP} "\${bin_path}"
chmod 0555 "\${bin_path}"
cp -af "\${bin_path}" "${BIN_DIR}/\${bin_file}"
done
fi
$(sv_cmd start) || true
EOF
)"
if [ -f "${__object}/parameter/unpack" ]; then
UNPACK_EXTENSION="$(cat "${__object}/parameter/unpack-extension")"
UNPACK_ARGS="$(cat "${__object}/parameter/unpack-args" \
2>/dev/null || true)"
# Download packed file
__download "${TMP_PATH}${UNPACK_EXTENSION}" \
--url "${DOWNLOAD_URL}" \
--download remote \
--sum "${CHECKSUM}"
# Unpack file and also perform service upgrade
# shellcheck disable=SC2086
require="__download${TMP_PATH}${UNPACK_EXTENSION}" \
__unpack "${TMP_PATH}${UNPACK_EXTENSION}" \
${UNPACK_ARGS} \
--destination "${TMP_PATH}"
version_bump_require="__unpack${TMP_PATH}${UNPACK_EXTENSION}"
else
# Create temp directory
__directory "${TMP_PATH}"
# Download binary directoy to the temp directory with the
# specified binary name
require="__directory${TMP_PATH}" __download \
"${TMP_PATH}/${BINARY}" \
--url "${DOWNLOAD_URL}" \
--download remote \
--sum "${CHECKSUM}"
version_bump_require="__download${TMP_PATH}/${BINARY}"
fi
# Perform update of cdist-managed version file
# And also perform service upgrade
# This is a bug if service_upgrade fails >,<
printf "%s" "${SHOULD_VERSION}" | \
require="${version_bump_require}" __file \
"${VERSION_FILE}" \
--onchange "${perform_service_upgrade}" \
--source "-"
else
# We only restart here if there was a config change
# but there was not a version change
require="${service_require}" __check_messages \
"single_binary_service_${__object_id}" \
--pattern "^__file${CONFIG_FILE_DEST}" \
--execute "$(sv_cmd restart)"
fi

2
type/__single_binary_service/parameter/boolean
View File

@ -1,2 +0,0 @@
do-not-manage-user
unpack

0
type/__single_binary_service/parameter/default/service-args
View File

1
type/__single_binary_service/parameter/default/state
View File

@ -1 +0,0 @@
present

1
type/__single_binary_service/parameter/default/unpack-extension
View File

@ -1 +0,0 @@
.tar.gz

1
type/__single_binary_service/parameter/default/user
View File

@ -1 +0,0 @@
root

1
type/__single_binary_service/parameter/default/user-home-dir
View File

@ -1 +0,0 @@
/nonexistent

13
type/__single_binary_service/parameter/optional
View File

@ -1,13 +0,0 @@
config-file-source
user
group
state
binary
service-args
service-exec
service-description
service-definition
unpack-extension
unpack-args
user-home-dir
working-directory

1
type/__single_binary_service/parameter/optional_multiple
View File

@ -1 +0,0 @@
extra-binary

3
type/__single_binary_service/parameter/required
View File

@ -1,3 +0,0 @@
url
checksum
version

3
type/__uacme_obtain/man.rst
View File

@ -38,8 +38,7 @@ install-key-to
Installation path of the certificate's private key.
renew-hook
Renew hook executed on certificate renewal (e.g. `service nginx reload`, `-`
for the standard input).
Renew hook executed on certificate renewal (e.g. `service nginx reload`).
force-cert-ownership-to
Override default ownership for TLS certificate, passed as argument to chown.

6
type/__uacme_obtain/manifest
View File

@ -109,11 +109,7 @@ export CERT_TARGET
RENEW_HOOK=
if [ -f "${__object:?}/parameter/renew-hook" ];
then
if [ "$(cat "${__object:?}/parameter/renew-hook")" = "-" ]; then
RENEW_HOOK="$(cat ${__object:?}/stdin)"
else
RENEW_HOOK="$(cat "${__object:?}/parameter/renew-hook")"
fi
RENEW_HOOK="$(cat "${__object:?}/parameter/renew-hook")"
fi
export RENEW_HOOK