Compare commits

...

78 commits

Author SHA1 Message Date
fe523fe993
__opendkim: fix start_on_boot on FreeBSD
There was a bit of an oddity with this, it is implemented in a way
that should not be an issue for other systems.

Reviewed at:	#31
2024-05-24 13:32:22 +02:00
0f281d4118 __jitsi_meet: improve screensharing in certain situations
We had been noticing issues when sharing screen that required
refreshing (sometimes from presenters, sometimes from receivers), or
else people would get a shared black screen or hanging screen after
some time.

This somewhat undocumented jitsi-videobridge setting appears to have
fixed the issue on all instances tested:

    videobridge.cc.trust-bwe = false

Announcement: https://agora.exo.cat/t/exofasia-3/276#meetexocatguifinet-4

Relevant links:
- https://community.jitsi.org/t/jitsi-users-video-turned-off-to-save-bandwidth-on-meet-jit-si/12735/2
- https://github.com/jitsi/jitsi-videobridge/blob/master/CONFIG.md#migrating-from-old-config

Sponsored by:	camilion.eu, eXO.cat
2024-05-24 07:29:52 +00:00
624bf996f6 [__jitsi_meet*] Update to 2.0.9457
Changelog:	https://github.com/jitsi/jitsi-meet-release-notes/blob/master/CHANGELOG-WEB.md#209457-2024-04-23

Sponsored by:	camilion.eu, eXO.cat
2024-05-24 07:29:52 +00:00
b7ba43553b
[__php_fpm*] add support for Debian and Ubuntu 2024-05-16 17:05:45 +02:00
116acebd10
[__opendkim] Deprecate --userid
The parameter could produce inconsistencies permissions-wise.

Users of the type that need this functionality can still use:
--custom-config 'UserId $USERID'

Closes #17
2024-05-15 13:48:38 +02:00
79baaf02b1 [__opendkim_genkey] Improve error text for unsupported OS
It was not listing FreeBSD, which is currently supported.
2024-05-15 11:45:51 +00:00
cc2b1af653 [__opendkim_key] Overall improvements in key management
While developing this, I noticed that the type was handling inconsistently the
expectation that a cdist object with the same __object_id gets *modified*.
Instead more and more lines were added to, e.g. SigningTable and KeyTable.

In order to solve this, some backwards compatibility breaking is necessary.

This is probably not too terrible since:

- the `--selector` parameter was mandatory, therefore the fallback for the key
location is triggered.
- OpenDKIM uses the first match in `SigningTable` and `KeyTable`
- __line and __block respectively append if they do not match

Closes #19 and #20.
2024-05-15 11:45:51 +00:00
f2850de5eb [__php_fpm_pool] remove mention to recycledcloud / e-Durable SA 2024-05-15 10:18:03 +00:00
3bc9a9ff4a __php_fpm{,_pool}: initial implementation. 2024-05-15 10:18:03 +00:00
f01f110463
[__bird_radv] add --default-lifetime parameter 2024-02-21 13:38:08 +01:00
f101ea4afa
[__bird_radv] fix MTU setting, link routing tables to __object_id, add preference parameters 2024-02-19 12:41:05 +01:00
2511218dd6
__runit_service: move logs out of etc
Some systems use etckeeper and having the logs there was not a great
idea to begin with :-).
2023-04-21 14:48:09 +02:00
7cd606a52f
__single_binary_service: envvars and user-reuse support
The new --env flag allows type users to pass env files that will be
used to setup environment variables on both systemd and runit.

While there, also solve a minor issue where users managed by this type
could not be re-used for multiple services.
2023-04-21 14:47:49 +02:00
239a1f20cf
[__runit] Add support for older Devuan systems 2023-03-06 15:17:21 +01:00
c07487ea69
[__jitsi_meet*] Update to 2.0.8319-1
Changelog:      https://github.com/jitsi/jitsi-meet-release-notes/blob/master/CHANGELOG-WEB.md#208319-2023-02-21

Sponsored by:   camilion.eu, eXO.cat
2023-03-06 15:06:46 +01:00
11ecb37dd9
[__jitsi_meet] Add --abort-conference-count parameter
Only has an effect if the prometheus exporter is enabled and if it is not
empty (default).
If at least this many conferences are active on the server, the type will
bail out before making any changes.
This is useful if you want to avoid service disruptions due to e.g. an SLA.

Sponsored by:	camilion.eu
2022-06-21 11:19:11 +02:00
03a9b8b333
[__jitsi_meet*] Update to 2.0.7439-1
Changelog:	https://github.com/jitsi/jitsi-meet-release-notes/blob/master/CHANGELOG-WEB.md#207439-2022-06-17

Sponsored by:	camilion.eu, eXO.cat
2022-06-21 11:12:27 +02:00
7a3b706b16
[__jitsi_meet*] Update to 2.0.7416-1
Changelog:	https://github.com/jitsi/jitsi-meet-release-notes/blob/master/CHANGELOG-WEB.md#207416-2022-06-16

Sponsored by:	camilion.eu, eXO.cat
2022-06-16 17:43:30 +02:00
756e5b17c6
[__jitsi_meet*] Update to 2.0.7287-1
Sponsored by:	camilion.eu, eXO.cat
2022-06-07 15:00:00 +02:00
797f7c8648
[__jitsi_meet] Improve manpage regarding ufw and SSH
This documents the fact that this type does not make decisions about anything
other than Jitsi-Meet itself and therefore care should be taken with the SSH
port.

Related to:	#23
Reported by:	@pedro
2022-05-08 21:47:26 +02:00
1791d35f84
[__jitsi_meet_domain] Add a muc_room_cache_size for jibri
@pedro is working on this and this change matched my workflow better :-)
2022-04-28 17:43:33 +02:00
8e1d0b68f1
[__jitsi_meet*] Add new parameters for heavier branding
This uses nginx' server-side includes, so each domain configured by
`__jitsi_meet_domain` can have its own customisation.

Note that the customisation file must exist for each domain;
`__jitsi_meet_domain` takes care of that already.

Sponsored by:   camilion.eu, eXO.cat
2022-04-28 17:42:30 +02:00
aa3f2eeb00
[__jitsi_meet_domain] Make shellcheck happy and fix escaping issue
The escaping issue was overlooked because it was in a comment block; it wasn't
relevant.

No functional changes intended.

Sponsored by:   camilion.eu, eXO.cat
2022-04-28 17:34:32 +02:00
a63d9ec458
[__jitsi_meet] Configure jicofo so metrics are more useful
By default the REST API provided by jicofo is less useful than desired.
This is a tad under-documented, so finding the right settings was tricky :-).

Sponsored by:   camilion.eu, eXO.cat
2022-04-28 17:32:15 +02:00
0cff414884
[__jitsi_meet] Simplify exporter logic and update it to 1.2.0
This uses the newly merged __single_binary_service and:

- Fixes the bug where once added, the exporter could not be removed
- Simplifies keeping it up to date

Sponsored by:   camilion.eu, eXO.cat
2022-04-28 17:28:46 +02:00
977b530dab
[__single_binary_service] Update manpage to remove __evilham prefix 2022-04-28 17:22:19 +02:00
1865ff9dce Add 'type/__single_binary_service/' from commit '1af7e960fa882efc7202cad5cc01d3136886fa0a'
git-subtree-dir: type/__single_binary_service
git-subtree-mainline: 67bc8aa02b
git-subtree-split: 1af7e960fa
2022-04-28 17:20:02 +02:00
67bc8aa02b
__uacme_obtain: allow use of stdin with the --renew-hook parameter 2022-04-25 17:10:50 +02:00
151dc32fb5
[__jitsi_meet*] Add support for simultaneous interpretations
By using https://gitlab.com/mfmt/jsi which consists of very small and simple
static files, we enable interpretations by default.

With this commit, any DOMAIN created with __jitsi_meet_domain will serve jsi on
https://DOMAIN/i/ and any ROOM can be used with simultaneous interpretation on
https://DOMAIN/i/ROOM

Sponsored by:   camilion.eu, eXO.cat
2022-04-21 19:46:03 +02:00
7e2ba98d36
[__jitsi_meet] Fix issue with jicofo memory adaptation
That was being a bit of a mess.

Sponsored by:   camilion.eu, eXO.cat
2022-04-21 17:52:49 +02:00
1658121549
[__jitsi_meet*] Update to 2.0.7210
While there, make things a tad easier to maintain.

Note that in this version, jitsi switches to using nginx upstreams; it shouldn't
be relevant for instances fully managed with these types.

Sponsored by:   camilion.eu, eXO.cat
2022-04-21 15:52:47 +02:00
c5070a3a33
[__jitsi_meet] Fix adjustment of jicofo's max memory
Leftover from last commit >,<

Sponsored by:   camilion.eu, eXO.cat
2022-04-21 14:44:10 +02:00
80bbbd3aa8
[__jitsi_meet] Adapt jicofo and videobridge memory usage
This enables us to setup smaller jitsi instances that work reliably.

We set 3 thresholds:
- < 3G RAM: use 0.75G max memory
- < 5G RAM: use 1G max memory
- < 8G RAM: use 2G max memory
- >= 8G RAM: use 3G max memory (jitsi's default)

For more information as to why and how this is done, see:
https://gitlab.com/guifi-exo/projectes/-/issues/318
https://github.com/jitsi/jitsi-meet/issues/6589
as investigated back in the day by @pedro

Sponsored by:   camilion.eu, eXO.cat
2022-04-21 14:37:08 +02:00
87cc109bf1
[__jitsi_meet*] Make rooms on different domains not equivalent
This is a backwards-compatible change.

We switch the approach from "treat all domains as if they were the main domain"
to: "each domain has its own prosody settings".

This works perfectly fine, even with secured domains.

There is a caveat with secured domains, in that they use the main domain to log
in; this means that users are shared across all domains (as they were before
this commit).

This is due to jicofo refusing to start meetings from a domain that is not
configured, and it only accepting one domain.

Right now, this is acceptable, however we could want to authenticate against
e.g. different LDAP / IMAP servers in the future, so this would need addressing
at that stage.

Probably the best way to solve it is by patching jicofo, so it accepts starting
conferences from multiple domains and getting that patch upstream.

Sponsored by:   camilion.eu, eXO.cat
2022-04-21 13:20:30 +02:00
a12b343660
[__jitsi_meet_domain] Add analytics settings parameter
With this, admins can take advantage of e.g. matomo to have some usage
statistics.

The parameter defaults to `disabled: true`, which is the most privacy-friendly!

Sponsored by:   camilion.eu
2022-04-21 13:13:12 +02:00
29cafd4f9a
[__jitsi_meet_domain] Simplify logic for secured domains 2022-04-16 13:22:16 +02:00
fa37ede84f
[__jitsi_meet] Unconfuse jitsi-version and secured domains
Closes #14 by committing to keeping the package up to date as promptly as
possible; else weird things happen and there are no real good solutions for
this. E.g. we have seen in the past that due to security issues, a jitsi
dependency needs to be upgraded, but some package that jitsi-meet depends upon
also has an upper limit on that package's version.

A note was added to the manpage in order to make it explicit that maintenance of
this type can be sponsored to ensure its proper functioning.

Closes #15 by using `__file`. This will also allow us to have more control over
jicofo's settings, which might be important when we start doing recordings.

Sponsored by:	lafede.cat
2022-04-10 19:45:08 +02:00
af04f7464b
[__nginx_vhost]: follow Alpine vhost default directory change.
Since nginx package version v1.10.1-r3, Alpine packagers have changed
the default vhost directory from conf.d to http.d [0]. This reflects
this change.

[0]: alpine package commit 383ba9c0a200ed1f4b11d7db74207526ad90bbe3
2022-03-14 16:15:58 +01:00
a6f6a7fba8
[__jitsi_meet]: Fix deprecated usage of __debconf_set_selections.
Replace the --file parameter with the --line parameter, as recommended
since cdist 6.9.6.
2022-03-14 15:30:11 +01:00
a1b3a034c7
[__jitsi_meet_domain] Support the --state parameter
This enables removing domains in a simple fashion.

Closes #3.
2022-03-10 21:28:28 +01:00
ac99cd8d84
[__jitsi_meet_domain] Update to 2.0.7001-1
Obsoletes #13
2022-03-10 21:23:45 +01:00
ac03f05766 [__jitsi_meet] Fix bug with secured domains
This is a leftover from when we were using __line instead of __block.

Closes #15

Reported by:  @pedro
2022-03-10 21:20:52 +01:00
ecd10de2d3
[__opendkim*] FreeBSD support and minor fixes
While adding FreeBSD support to the type I noticed various issues:

- We were making sure that the KeyTable and SigningTable were created in
  __opendkim_genkey, but that was being done with the default cdist permissions
  (0400) which could result in issues when reloading the service after privilege
  drop.
  This is addressed by checking that it exists/creating it in __opendkim (just
  once, not once per __opendkim_genkey call) with laxer permissions (0444).
- In __opendkim, the service was being started after the config file was
  installed. This is insufficient as OpenDKIM will refuse to start with the
  generated config if either SigningTable or KeyTable do not exist yet.
- __opendkim_genkey had the implicit assumption that the --directory parameter
  always ended in a slash. This was not documented and error-prone; we are now
  a bit laxer and add the trailing slash if it is missing.
- __opendkim_genkey was not changing permissions for the resulting .txt file.
  This was not critical for it to function, but it was inconsistent.
- As documented in #17, __opendkim allows for a --userid parameter that might
  cause issues with keys generated by __opendkim_genkey.
  This issue has not been addressed yet, but I recommend deprecating the
  --userid parameter.
2022-03-10 20:08:51 +01:00
422b97bc1b
[systemd_resolved]: make singleton. 2022-02-28 16:18:51 +01:00
f6d0cbbeb7
__systemd_resolved: initial implementation. 2022-02-28 16:18:49 +01:00
9a779aafa3
__matrix_synapse: add --disable-{displayname,3pid}-changes flag 2022-02-08 13:45:29 +01:00
727fbd55fb
[bird_radv] Add option to include MTU in RAs. 2022-02-07 13:46:08 +01:00
6310db7301
[bird_bgp]: minor cleanup. 2022-02-07 13:33:57 +01:00
3f52e758fc
__systemd-network: initial implementation. 2022-02-02 14:09:16 +01:00
4fdba43dd6
[__matrix_synapse]: typos in manpage. 2022-02-02 11:49:50 +01:00
c32a1836aa
__matrix_synapse: add --sso-template-dir parameter 2022-01-24 11:23:38 +01:00
287d8df9bd
__matrix_synapse: set message min lifetime (although currently ignored
by synapse)
2022-01-24 08:56:12 +01:00
723d7ed250
__matrix_element: add more branding parameters 2022-01-16 14:14:42 +01:00
974e42e20e
__matrix_synapse: add --saml2-mapping-provider-extra-settings flag 2022-01-16 12:41:37 +01:00
c198a74a34
__matrix_element: add --identity_server_url flag 2022-01-12 16:22:41 +01:00
35e1477521
__matrix_synapse: fix ignored --enable-3pid-lookups flag 2022-01-12 16:22:41 +01:00
b2c1fee672
__matrix_synapse: add --saml2-mapping-provider-module flag 2022-01-12 16:22:41 +01:00
eecb2b4629
__bird_ospf: add --extra-area-configuration parameter 2022-01-11 16:12:45 +01:00
023206d3d9
borg-repo: add ubuntu as supported OS. 2022-01-11 09:24:43 +01:00
c466733111
__matrix_synapse: add --enable-3pid-lookups flag, normalize indentation 2022-01-07 11:42:13 +01:00
afe76af679
__matterbridge: add support for ubuntu, fix configuration via STDIN 2021-12-23 12:30:58 +01:00
35e299a5d1
__matrix_synapse: add --saml2-sp-key and --saml2-sp-cert flags 2021-12-23 10:46:21 +01:00
e052178122 [__jitsi*] Update to 2.0.6726
Sponsored by: plataformess.org
2021-12-22 20:05:37 +01:00
a38275f6d7
__uacme*, __nginx: allow external ACME provider, EAB authentication 2021-12-14 12:37:18 +01:00
698525fcd2
__matrix_synapse: add saml2-idp-medatada-url flag to manpage 2021-12-06 08:41:13 +01:00
7b27eb5445
__matrix_synapse: add --default-identity-server flag 2021-12-02 13:07:06 +01:00
96beae4c2f
__matrix_synapse: add --smal2-idp-metadata-uri flag 2021-12-02 11:38:26 +01:00
d872f1d4f0
__matrix_synapse: add --turn-username and --turn-password flags 2021-12-01 15:55:34 +01:00
08e81d1e97
__matrix_synapse: fix ignored registration-shared-secret parameter 2021-12-01 08:32:37 +01:00
25406ea3a0
__matrix_synapse: add support for Ubuntu 2021-11-30 13:32:03 +01:00
fc6764be44
__matrix_synapse_worker: change synapse call to fit matrix.org packaging 2021-11-16 15:13:16 +01:00
18f02e24aa
__matrix_synapse: use upstream matrix.org APT repository on debian 2021-11-16 14:16:37 +01:00
1af7e960fa [__single_binary_service] Many improvements + runit support
Amongst other things compressed files can be of a type other than .tar.gz (it
remains the default) and we now properly support runit services, FreeBSD and
Devuan.
2021-10-30 15:38:26 +02:00
3e77fbbb43 [__single_binary_service] Do not use echo echo echo 2021-08-04 21:02:37 +02:00
afa48b1028 [__single_binary_service] Support customisation of systemd units
Requested by pedro
2021-08-04 21:00:52 +02:00
c5929f397d [__single_binary_service] Adapt bug fixes proposed by pedro
There are several typos, some style issues and now there is at most one service
restart in all cases.

Submitted by:   pedro <git2021@cas.cat>
2021-08-04 20:27:08 +02:00
d5b552ddb4 [__single_binary_service] Add manpage, config-file and better absent
With these changes the type is good for general consumption (modulo the
limitations mentioned in the manpage under TODO).
2021-06-18 22:01:45 +02:00
51d0b817fe [__single_binary_service] Type to manage very simple services. 2021-06-18 20:52:58 +02:00
120 changed files with 5557 additions and 1006 deletions

View file

@ -89,7 +89,6 @@ ipv4_import=
if [ -f "${__object:?}"/parameter/ipv4-import ]; if [ -f "${__object:?}"/parameter/ipv4-import ];
then then
ipv4_import="$(cat "${__object:?}"/parameter/ipv4-import)" ipv4_import="$(cat "${__object:?}"/parameter/ipv4-import)"
echo "FOO" >&2
fi fi
export ipv4_import export ipv4_import
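Review bot: the removed `echo "FOO" >&2` in the ipv4-import block was a stray debug print and dropping it is the right fix; the surrounding `ipv4_import` logic is untouched. A shellcheck or a simple grep for such leftovers in a pre-commit hook would keep them from landing again.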

View file

@ -24,12 +24,6 @@ import
export export
The keyword or filter to decide what to export in the above channel. The keyword or filter to decide what to export in the above channel.
REQUIRED MULTIPLE PARAMETERS
----------------------------
interface
An interface to include in OSPF area 0.
OPTIONAL PARAMETERS OPTIONAL PARAMETERS
------------------- -------------------
description description
@ -39,12 +33,19 @@ instance-id
An OSPF instance ID, allowing several OSPF instances to run on the same An OSPF instance ID, allowing several OSPF instances to run on the same
links. links.
extra-area-configuration
Configuration string added to the `area` section of the OSPF configuration.
OPTIONAL MULTIPLE PARAMETERS OPTIONAL MULTIPLE PARAMETERS
---------------------------- ----------------------------
stubnet stubnet
Add an optionless stubnet definition to the configuration. Add an optionless stubnet definition to the configuration.
interface
An interface to include in OSPF area 0. Is required unless
extra-area-configuration is set.
SEE ALSO SEE ALSO
-------- --------
cdist-type__bird_core(7) cdist-type__bird_core(7)
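Review bot: the new `extra-area-configuration` entry should say that passing `-` reads the configuration from stdin, since that is what the manifest implements, and that the content is inserted verbatim into the `area 0 { }` block. The `interface` entry now carries the "required unless extra-area-configuration is set" rule only under OPTIONAL MULTIPLE PARAMETERS; restating it once near the top of the parameter list would make the either/or requirement harder to miss.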

View file

@ -44,6 +44,21 @@ then
instance_id="$(cat "${__object:?}/parameter/instance-id")" instance_id="$(cat "${__object:?}/parameter/instance-id")"
fi fi
extra_area_configuration=
if [ -f "${__object:?}/parameter/extra-area-configuration" ];
then
extra_area_configuration="$(cat "${__object:?}/parameter/extra-area-configuration")"
if [ "$extra_area_configuration" = "-" ]; then
extra_area_configuration=$(cat "$__object/stdin")
fi
fi
if [ ! -f "${__object:?}/parameter/interface" ] && [ -z "$extra_area_configuration" ]; then
echo "Either --interface or --extra-area-configuration must be set." >&2
exit 1
fi
__file "${confdir:?}/ospf-${__object_id:?}.conf" \ __file "${confdir:?}/ospf-${__object_id:?}.conf" \
--mode 0640 --owner root --group bird \ --mode 0640 --owner root --group bird \
--source - << EOF --source - << EOF
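Review bot: `extra_area_configuration=$(cat "$__object/stdin")` drops the `"${__object:?}"` form used on the neighbouring lines; keep the `:?` guard so an unset `__object` fails loudly instead of reading `/stdin`. The either/or check is placed correctly before `__file` is emitted, but since the value is pasted verbatim into the generated config this `-z` test is the only validation it gets, so a comment stating that the caller is responsible for valid BIRD syntax would help.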
@ -59,6 +74,8 @@ $([ -n "${instance_id?}" ] && printf "\tinstance id %s;\n" "${instance_id?}")
area 0 { area 0 {
$(sed -e 's/^/\t\tinterface "/' -e 's/$/";/' "${__object:?}/parameter/interface") $(sed -e 's/^/\t\tinterface "/' -e 's/$/";/' "${__object:?}/parameter/interface")
$(sed -e 's/^/\t\tsubnet /' -e 's/$/;/' "${__object:?}/parameter/subnet") $(sed -e 's/^/\t\tsubnet /' -e 's/$/;/' "${__object:?}/parameter/subnet")
$extra_area_configuration
}; };
} }
EOF EOF
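Review bot: with `interface` now optional, the `$(sed ... "${__object:?}/parameter/interface")` substitution inside the heredoc runs against a file that may not exist, so `sed` prints `can't read ...: No such file` to stderr on every run that uses only `--extra-area-configuration`. Guard it the way the `instance_id` line above does, e.g. `$([ -f "${__object:?}/parameter/interface" ] && sed ...)`. The `parameter/subnet` line has the same exposure and reads a parameter the manpage does not list (the multiple parameter documented there is `stubnet`).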

View file

@ -1,2 +1,3 @@
description description
instance-id instance-id
extra-area-configuration

View file

@ -1 +1,2 @@
stubnet stubnet
interface
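Review bot: adding `interface` to the optional multiple list needs the matching removal from the required multiple list in the same commit, otherwise cdist sees the parameter in both places; that removal is not among the visible hunks, so please confirm it is part of the change.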

View file

@ -15,12 +15,29 @@ autoconfigure IPv6 hosts, this type is a rudimentary implementation to generate
configuration for Bird to do so. configuration for Bird to do so.
REQUIRED MULTIPLE PARAMETERS REQUIRED PARAMETERS
---------------------------- -------------------
interface interface
The interfaces to activate the protocol on. RAs will be sent using the The interfaces to activate the protocol on. RAs will be sent using the
prefixes configured on these interfaces. prefixes configured on these interfaces.
OPTIONAL PARAMETERS
-------------------
mtu
An optional MTU setting to include in the router advertisements.
default-preference
This option specifies the Default Router Preference value to advertise to
hosts. Default: medium.
route-preference
This option specifies the default value of advertised route preference for
specific routes. Default: medium.
default-lifetime
This option specifies the time (in seconds) how long (since the receipt of RA)
hosts may use the router as a default router. 0 means do not use as a default
router. Default: 3.
OPTIONAL MULTIPLE PARAMETERS OPTIONAL MULTIPLE PARAMETERS
---------------------------- ----------------------------
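Review bot: changing `interface` from REQUIRED MULTIPLE PARAMETERS to a single REQUIRED parameter is a backwards-incompatible change for manifests that passed `--interface` more than once, and neither this manpage nor the commit message mentions it; add a note here before merging. The `default-lifetime` text is also hard to parse ("the time (in seconds) how long (since the receipt of RA)"); "how long, in seconds since receipt of the RA, hosts may use the router as a default router" says the same thing more plainly.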
@ -41,6 +58,7 @@ EXAMPLES
__bird_radv datacenter \ __bird_radv datacenter \
--interface eth1 \ --interface eth1 \
--mtu 9000 \
--route ::/0 \ --route ::/0 \
--ns 2001:DB8:cafe::4 \ --ns 2001:DB8:cafe::4 \
--ns 2001:DB8:cafe::14 \ --ns 2001:DB8:cafe::14 \

View file

@ -55,23 +55,52 @@ then
DNSSL=$(sed -e 's/^/\tdnssl "/' -e 's/$/";/' "${__object:?}/parameter/dnssl") DNSSL=$(sed -e 's/^/\tdnssl "/' -e 's/$/";/' "${__object:?}/parameter/dnssl")
fi fi
MTU=
if [ -f "${__object:?}/parameter/mtu" ];
then
MTU="link mtu $(cat "${__object:?}/parameter/mtu");"
fi
DEFAULT_PREFERENCE=
if [ -f "${__object:?}/parameter/default-preference" ];
then
DEFAULT_PREFERENCE="default preference $(cat "${__object:?}/parameter/default-preference");"
fi
ROUTE_PREFERENCE=
if [ -f "${__object:?}/parameter/route-preference" ];
then
ROUTE_PREFERENCE="route preference $(cat "${__object:?}/parameter/route-preference");"
fi
DEFAULT_LIFETIME=
if [ -f "${__object:?}/parameter/default-lifetime" ];
then
DEFAULT_LIFETIME="default lifetime $(cat "${__object:?}/parameter/default-lifetime");"
fi
__file "${confdir:?}/radv-${__object_id:?}.conf" \ __file "${confdir:?}/radv-${__object_id:?}.conf" \
--mode 0640 --owner root --group bird \ --mode 0640 --owner root --group bird \
--source - << EOF --source - << EOF
ipv6 table radv_routes; ipv6 table radv_routes_${__object_id};
protocol static { protocol static {
description "Routes advertised via RAs"; description "Routes advertised via RAs";
ipv6 { table radv_routes; }; ipv6 { table radv_routes_${__object_id}; };
$(sed -e 's/^/\troute /' -e 's/$/ unreachable;/' "${__object:?}/parameter/route") $(sed -e 's/^/\troute /' -e 's/$/ unreachable;/' "${__object:?}/parameter/route")
} }
protocol radv ${__object_id:?} { protocol radv ${__object_id:?} {
propagate routes ${have_routes:?}; propagate routes ${have_routes:?};
ipv6 { table radv_routes; export all; }; ipv6 { table radv_routes_${__object_id}; export all; };
$(sed -e 's/^/\tinterface "/' -e 's/$/";/' "${__object:?}/parameter/interface") interface "$(cat "${__object:?}/parameter/interface")" {
$MTU
$DEFAULT_LIFETIME
$DEFAULT_PREFERENCE
$ROUTE_PREFERENCE
};
$RDNS $RDNS
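Review bot: `radv_routes_${__object_id}` is interpolated into three BIRD symbol names without the `:?` guard that the `__file` line keeps, and without validation; an `__object_id` containing characters BIRD does not accept in a symbol (for example `-`, which it parses as minus) yields a config BIRD refuses to load. The existing `protocol radv ${__object_id:?}` already had this restriction, so either sanitise the id once into a variable (`tr -c 'a-zA-Z0-9_\n' _`) or document it in the manpage. Replacing the per-line `sed` over `parameter/interface` with one `interface "$(cat ...)" { ... }` block is what silently turns the parameter into a single value; if that is intended say so in the commit message, otherwise loop over the lines so each interface gets the same MTU, lifetime and preference block.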

View file

@ -0,0 +1,4 @@
mtu
default-preference
route-preference
default-lifetime

View file

@ -1 +0,0 @@
interface
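Review bot: removing `interface` from this list needs a matching addition to `parameter/required`, because the manpage now lists it under REQUIRED PARAMETERS and the manifest runs `cat "${__object:?}/parameter/interface"` unconditionally; that addition is not among the visible hunks, so please confirm it is included.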

View file

@ -3,7 +3,7 @@
os="$(cat "${__global:?}"/explorer/os)" os="$(cat "${__global:?}"/explorer/os)"
case "$os" in case "$os" in
"alpine") "alpine"|"ubuntu")
borg_package=borgbackup borg_package=borgbackup
;; ;;
*) *)
@ -17,3 +17,4 @@ if [ -f "${__object:?}/parameter/owner" ];
then then
__package sudo __package sudo
fi fi

View file

@ -0,0 +1,15 @@
#!/bin/sh -eu
JICOFO="/usr/share/jicofo/jicofo.sh"
VIDEOBRIDGE="/usr/share/jitsi-videobridge/lib/videobridge.rc"
if [ -f "${JICOFO:?}" ]; then
jicofo_memory="$(grep JICOFO_MAX_MEMORY= "${JICOFO:?}" | cut -d= -f 2 | cut -d ";" -f 1)"
fi
if [ -f "${VIDEOBRIDGE:?}" ]; then
vb_memory="$(grep VIDEOBRIDGE_MAX_MEMORY= "${VIDEOBRIDGE:?}" | cut -d= -f 2)"
fi
cat <<EOF
jicofo ${jicofo_memory:-n/a}
videobridge ${vb_memory:-n/a}
EOF
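Review bot: the explorer separates service name and value with what renders here as a plain space (`jicofo ${jicofo_memory:-n/a}`), while gencode-remote parses this file with `cut -f 2`, whose default delimiter is a tab; unless the tab was lost in rendering, `cut` then returns the whole line, `grep -qvE "^${MAX_MEMORY}$"` always succeeds, and the memory `sed` plus the service restarts run on every cdist run. Use `printf 'jicofo\t%s\n'` here or `cut -d ' ' -f 2` there. Independently, `n/a` for a service that is not installed also never equals `MAX_MEMORY`, so a host with only one of the two packages restarts every run as well. Both `grep` calls also match commented-out `#VIDEOBRIDGE_MAX_MEMORY=` lines, which is consistent with the `sed` in gencode-remote but deserves a comment.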

View file

@ -0,0 +1,26 @@
#!/bin/sh -eu
JICOFO_AUTHPASSWORD=""
# We need this to properly configure jicofo
# Default to reading debconf
DEBCONF_PASS_FILE="/var/cache/debconf/passwords.dat"
if [ -f "${DEBCONF_PASS_FILE}" ]; then
JICOFO_AUTHPASSWORD="$(grep -A1 'Template: jicofo/jicofo-authpassword' "${DEBCONF_PASS_FILE}" | tail -n 1 | cut -d ' ' -f 2-)"
fi
# Try jicofo.conf if necessary
JICOFO_CONF_FILE="/etc/jitsi/jicofo/jicofo.conf"
if [ -z "${JICOFO_AUTHPASSWORD}" ] && [ -f "${JICOFO_CONF_FILE}" ]; then
JICOFO_AUTHPASSWORD="$(grep -E '^[[:space:]]*password:' "${JICOFO_CONF_FILE}" | sed -E 's!^[^:]*:[[:space:]]*"(.*)"$!\1!')"
fi
# And fallback to config file if necessary
JICOFO_CONFIG_FILE="/etc/jitsi/jicofo/config"
if [ -z "${JICOFO_AUTHPASSWORD}" ] && [ -f "${JICOFO_CONFIG_FILE}" ]; then
JICOFO_AUTHPASSWORD="$(grep -E '^JICOFO_AUTH_PASSWORD=' "${JICOFO_CONFIG_FILE}" | cut -d '=' -f 2-)"
fi
# If we didn't find it, this is likely a new installation and we'll generate
# the password on the manifest
echo "${JICOFO_AUTHPASSWORD:-}"
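Review bot: this explorer prints the jicofo XMPP password to stdout, which cdist stores under the object's explorer directory in its local cache; make sure that cache is not world-readable or committed anywhere, and say so in the manpage. On the parsing side, `grep -E '^[[:space:]]*password:' jicofo.conf` matches every `password:` key in the HOCON file, not only the one under `jicofo.xmpp.client`, so with more than one match `JICOFO_AUTHPASSWORD` becomes multi-line; add `head -n 1` or anchor on the section. The debconf branch likewise assumes `-A1` returns exactly one `Value:` line; a `head -n 1` there protects the `tail | cut` chain from unexpected output.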

View file

@ -0,0 +1,6 @@
#!/bin/sh -eu
if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then
# TODO: detect curl / depend on it?
curl -s localhost:9888/metrics
fi
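Review bot: `curl -s localhost:9888/metrics` under `sh -eu` aborts the explorer, and with it the cdist run, whenever the exporter is not reachable (for example on a first install before the service exists), and `-s` hides the reason. Add `-f` and an explicit fallback (`|| exit 0` with a comment, or a sentinel line) so the manifest can decide how to treat an unknown conference count, and close the `TODO` with a `command -v curl` check that fails with a clear message rather than depending on it silently.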

View file

@ -1,7 +0,0 @@
#!/bin/sh -e
EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version"
if [ -f "${EXPORTER_VERSION_FILE}" ]; then
cat "${EXPORTER_VERSION_FILE}"
fi

View file

@ -5,9 +5,6 @@
if false; then if false; then
# We are currently not using these, just here as documentation # We are currently not using these, just here as documentation
DEBCONF_SETTINGS="$(cat <<EOF DEBCONF_SETTINGS="$(cat <<EOF
# Jicofo user password:
jicofo jicofo/jicofo-authpassword password STH
jitsi-meet-prosody jicofo/jicofo-authpassword password STH
# The secret used to connect to xmpp server as component # The secret used to connect to xmpp server as component
jitsi-meet-prosody jitsi-videobridge/jvbsecret password STH jitsi-meet-prosody jitsi-videobridge/jvbsecret password STH
jitsi-videobridge jitsi-videobridge/jvbsecret password STH jitsi-videobridge jitsi-videobridge/jvbsecret password STH
@ -40,6 +37,9 @@ jitsi-videobridge jitsi-videobridge/jvb-hostname string ${JITSI_HOST}
jitsi-videobridge2 jitsi-videobridge/jvb-hostname string ${JITSI_HOST} jitsi-videobridge2 jitsi-videobridge/jvb-hostname string ${JITSI_HOST}
# The hostname of the current installation: # The hostname of the current installation:
jitsi-meet-prosody jitsi-meet-prosody/jvb-hostname string ${JITSI_HOST} jitsi-meet-prosody jitsi-meet-prosody/jvb-hostname string ${JITSI_HOST}
# Jicofo user password:
jicofo jicofo/jicofo-authpassword password ${JICOFO_AUTHPASSWORD}
jitsi-meet-prosody jicofo/jicofo-authpassword password ${JICOFO_AUTHPASSWORD}
# SSL certificate for the Jitsi Meet instance # SSL certificate for the Jitsi Meet instance
# Choices: Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate), I want to use my own certificate # Choices: Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate), I want to use my own certificate
jitsi-meet-web-config jitsi-meet/cert-choice select Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate) jitsi-meet-web-config jitsi-meet/cert-choice select Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)
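Review bot: moving `jicofo/jicofo-authpassword` out of the `if false` block and into the active settings means `${JICOFO_AUTHPASSWORD}` is interpolated unquoted into the debconf input, where debconf takes the rest of the line as the value; the generated password therefore must not contain a newline, and the rendered settings now carry a secret, so keep this output out of verbose logs and the cdist cache where possible.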

View file

@ -0,0 +1,38 @@
#!/bin/sh -eu
# Start
cat <<EOF
# Managed remotely, changes will be lost
# Jicofo HOCON configuration. See /usr/share/jicofo/jicofo.jar/reference.conf for
#available options, syntax, and default values.
jicofo {
xmpp: {
client: {
client-proxy: focus.${JITSI_HOST:?}
xmpp-domain: "${JITSI_HOST:?}"
domain: "auth.${JITSI_HOST:?}"
username: "focus"
password: "${JICOFO_AUTHPASSWORD:?}"
}
trusted-domains: [ "recorder.${JITSI_HOST:?}" ]
}
bridge: {
brewery-jid: "JvbBrewery@internal.auth.${JITSI_HOST:?}"
}
EOF
# Secured domains if needed
if [ "${SECURED_DOMAINS_STATE:?}" = "present" ]; then
cat <<EOF
authentication: {
enabled: true
type: XMPP
login-url: ${JITSI_HOST:?}
}
EOF
fi
# End
echo '}'
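Review bot: `password: "${JICOFO_AUTHPASSWORD:?}"` is emitted between HOCON double quotes without escaping, so a password containing `"` or `\` produces a jicofo.conf that does not parse; either generate passwords from a safe alphabet and document that, or escape those two characters when rendering. `login-url: ${JITSI_HOST:?}` is unquoted while the neighbouring host values are quoted; quote it for consistency. Cosmetic: `#available options` in the header comment is missing a space after `#`.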

View file

@ -0,0 +1 @@
../../__jitsi_meet_domain/files/jitsi-version

View file

@ -0,0 +1 @@
../../__jitsi_meet_domain/files/prosody.cfg.lua.sh

View file

@ -1,11 +1,43 @@
#!/bin/sh -e #!/bin/sh -e
memory="$(cat "${__global}/explorer/memory")"
G="000000" # Will totally eff up the zero-count otherwise
# MAX_MEMORY will affect jicofo and videobridge
# As a rule of thumb, the machine's RAM should be more than 2.5 * MAX_MEMORY
if [ "${memory}" -lt "3${G}" ]; then
# If you use this, let us know how it works!
MAX_MEMORY="768m"
elif [ "${memory}" -lt "5${G}" ]; then
MAX_MEMORY="1024m"
elif [ "${memory}" -lt "8${G}" ]; then
MAX_MEMORY="2048m"
else
# Jitsi recommends running on 8G RAM and these are the defaults
MAX_MEMORY="3072m"
fi
if cut -f 2 "${__object}/explorer/configured-memory" | grep -qvE "^${MAX_MEMORY}$"; then
# At least one service has different memory settings
RESTART_SERVICES="YES"
cat <<-EOF
sed -i.tmp -E \
-e 's!^(#[[:space:]]*)?(VIDEOBRIDGE_MAX_MEMORY)=.*\$!\2=${MAX_MEMORY}!' \
/usr/share/jitsi-videobridge/lib/videobridge.rc
sed -i.tmp -E \
-e 's!(JICOFO_MAX_MEMORY)[^";]+;!\1=${MAX_MEMORY};!' \
/usr/share/jicofo/jicofo.sh
EOF
fi
if grep -qE "^__file/etc/nginx" "${__messages_in}"; then if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
echo "service nginx reload" echo "service nginx reload"
fi fi
JITSI_HOST="${__object_id}" if grep -qE "^(__line/jitsi_jicofo_secured_domains|(__file|__link)/etc/prosody/conf.d/|__file/etc/jitsi/(jicofo/jicofo.conf|videobridge/jvb.conf))" "${__messages_in}"; then
if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua)" "${__messages_in}"; then RESTART_SERVICES="YES"
fi
if [ -n "${RESTART_SERVICES}" ]; then
echo "systemctl restart prosody" echo "systemctl restart prosody"
echo "systemctl restart jicofo" echo "systemctl restart jicofo"
echo "systemctl restart jitsi-videobridge2" echo "systemctl restart jitsi-videobridge2"
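Review bot: the `sed -i.tmp` calls leave `videobridge.rc.tmp` and `jicofo.sh.tmp` behind in /usr/share each time the memory setting changes; use `-i` alone (GNU sed on the Debian targets this type supports) or remove the backups in the same heredoc. The thresholds compare `${memory}` against `3000000`, `5000000` and `8000000`, which is only right if the memory explorer reports kB, so a comment naming the unit would help the next reader. Setting `RESTART_SERVICES="YES"` here means a memory adjustment now also restarts prosody although only jicofo and videobridge were edited; if that is acceptable, mention it in the commit message, otherwise split the restart list.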

View file

@ -21,13 +21,24 @@ You will also need the `__jitsi_meet_domain` type in order to finish setting up
the web frontend (including TLS certificates) and its settings. the web frontend (including TLS certificates) and its settings.
You may want to use the `files/ufw` example manifest for a `__ufw`-based You may want to use the `files/ufw` example manifest for a `__ufw`-based
firewall compatible with this type. firewall compatible with this type that allows all ports needed by Jitsi-Meet.
This file does not include rules for TCP port 9888, which exposes the Note however that this will not deal with rules for SSH or for TCP port 9888,
prometheus exporter if not disabled. which exposes the prometheus exporter if not disabled.
You should apply your own rules here. Remember to apply your own rules here, particularly regarding SSH.
This type only works on De{bi,vu}an systems. This type only works on De{bi,vu}an systems.
It is very important for this type to stay up to date with the software, as
otherwise new deployments or maintenance of existing instances might be
negatively affected.
If you can, please contribute updates to `__jitsi_meet` and
`__jitsi_meet_domain` promptly and regularly.
Alternatively, you can help finance that work; get in touch with the type
authors for that (see below).
This type takes care of adapting the maximum memory used by jicofo and
videobridge in function of the hosts installed memory.
NOTE: This type currently does not deal with setting up coturn. NOTE: This type currently does not deal with setting up coturn.
For that, you might want to check `__coturn` in For that, you might want to check `__coturn` in
https://code.ungleich.ch/ungleich-public/cdist-contrib https://code.ungleich.ch/ungleich-public/cdist-contrib
@ -36,6 +47,14 @@ NOTE: This type currently does not deal with setting up coturn.
OPTIONAL PARAMETERS OPTIONAL PARAMETERS
------------------- -------------------
abort-conference-count
Only has an effect if the prometheus exporter is enabled and if it is not
empty (default).
If at least this many conferences are active on the server, the type will
bail out before making any changes.
This is useful if you want to avoid service disruptions due to e.g. an SLA.
turn-secret turn-secret
The shared secret for the TURN server. The shared secret for the TURN server.
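Review bot: "Only has an effect if the prometheus exporter is enabled and if it is not empty (default)" is ambiguous about what "it" and "(default)" refer to. Suggest: "The default is empty, which disables the check. The conference count is read from the prometheus exporter, so with --disable-prometheus-exporter this parameter has no effect." That makes the silent no-op case explicit for operators relying on it for SLA reasons.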
@ -43,11 +62,6 @@ turn-server
The hostname of the TURN server. The hostname of the TURN server.
This will assume that it is listening with TLS on port 443. This will assume that it is listening with TLS on port 443.
jitsi-version
The jitsi-meet version of the Debian package to be installed.
While this can be specified, only the default value is known to work
properly with this type.
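Review bot: removing `jitsi-version` from the man page while the manifest still accepts it (with the "deprecated and will be removed 'soon'" comment and a fallback to `files/jitsi-version`) and `parameter/optional` still lists it leaves the parameter undocumented rather than removed. Keep an entry marked deprecated that points at the new deprecation message ("Supporting different versions lead to strange issues ..."), so users who still pass it learn why pinning an old version makes upgrades difficult.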
BOOLEAN PARAMETERS BOOLEAN PARAMETERS
------------------ ------------------
@ -70,9 +84,11 @@ EXAMPLES
.. code-block:: sh .. code-block:: sh
# Setup the firewall # Setup the firewall for Jitsi-Meet
. "${__global}/type/__jitsi_meet/files/ufw" . "${__global}/type/__jitsi_meet/files/ufw"
export require="__ufw" export require="__ufw"
# Setup firewall SSH rules as necessary
__ufw_rule ssh --rule 'allow 22/tcp from 10.0.0.0/24'
# Setup Jitsi on this host # Setup Jitsi on this host
__jitsi_meet \ __jitsi_meet \
--turn-server "turn.exo.cat" \ --turn-server "turn.exo.cat" \
@ -92,4 +108,4 @@ Evilham <contact@evilham.com>
COPYING COPYING
------- -------
Copyright \(C) 2021 Evilham. Copyright \(C) 2022 Evilham.


@ -1,7 +1,6 @@
#!/bin/sh -e #!/bin/sh -e
os="$(cat "${__global}/explorer/os")" os="$(cat "${__global}/explorer/os")"
init="$(cat "${__global}/explorer/init")"
case "${os}" in case "${os}" in
devuan|debian) devuan|debian)
;; ;;
@ -11,10 +10,37 @@ case "${os}" in
;; ;;
esac esac
current_conferences="$(cat "${__object}/explorer/jitsi-status" | grep -E "^jitsi_conferences[[:space:]]" | cut -d ' ' -f 2)"
JICOFO_AUTHPASSWORD="$(cat "${__object}/explorer/jicofo-authpassword")"
if [ -z "${JICOFO_AUTHPASSWORD}" ]; then
# This is probably a first time installation, we'll generate the
# password which will be set in debconf by this type
# https://github.com/jitsi/jicofo/blob/aafb61b5363a1c4abdbf08e1444a6276b807993e/debian/postinst#L43
JICOFO_AUTHPASSWORD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 16)"
fi
ABORT_CONFERENCE_COUNT="$(cat "${__object}/parameter/abort-conference-count")"
if [ -n "${current_conferences}" ] && [ -n "${ABORT_CONFERENCE_COUNT}" ] && \
[ "${ABORT_CONFERENCE_COUNT}" -le "${current_conferences}" ]; then
cat <<-EOF
Early bail out was requested when at least ${ABORT_CONFERENCE_COUNT} conferences are taking place.
There are currently ${current_conferences} active conferences.
Try again at a later time or remove or increase --abort-conference-count
EOF
exit 1
fi
JITSI_HOST="${__target_host}" JITSI_HOST="${__target_host}"
# Currently unused, see below if [ -f "${__object}/parameter/jitsi-version" ]; then
# JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")" # This has been deprecated and will be removed 'soon'
JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
else
# Note this won't be a parameter anymore, we won't let users stay behind
JITSI_VERSION="$(cat "${__type}/files/jitsi-version")"
fi
TURN_SERVER="$(cat "${__object}/parameter/turn-server")" TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
TURN_SECRET="$(cat "${__object}/parameter/turn-secret")" TURN_SECRET="$(cat "${__object}/parameter/turn-secret")"
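Review bot: the fallback `if [ -z "${JICOFO_AUTHPASSWORD}" ]; then ... JICOFO_AUTHPASSWORD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 16)"` treats any empty result from the jicofo-authpassword explorer as a fresh install. If the explorer returns empty for another reason (file unreadable, config layout changed by an upgrade), a new password is generated and written into jicofo.conf via `jicofo.conf.sh` further down while debconf and prosody keep the old one, so focus authentication breaks on the next run. Have the explorer distinguish "jicofo not installed" from "could not read the password" and abort on the latter. Minor: both `cat ... |` pipelines can drop the `cat`, and the `cat <<-EOF` bail-out message relies on tab indentation for `<<-` stripping, worth a shellcheck pass.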
@ -22,8 +48,6 @@ if [ -z "${TURN_SERVER}" ]; then
TURN_SERVER="${JITSI_HOST}" TURN_SERVER="${JITSI_HOST}"
fi fi
PROMETHEUS_JITSI_EXPORTER_IS_VERSION="$(cat "${__object}/explorer/prometheus-jitsi-meet-explorer-version")"
# The rest is loosely based on Jitsi's documentation # The rest is loosely based on Jitsi's documentation
# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart # https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart
@ -51,17 +75,16 @@ export require="${require} __apt_source/jitsi_meet __apt_update_index"
# Pre-feed debconf settings, so Jitsi's installation has a good config # Pre-feed debconf settings, so Jitsi's installation has a good config
# shellcheck source=type/__jitsi_meet/files/debconf_settings.sh # shellcheck source=type/__jitsi_meet/files/debconf_settings.sh
. "${__type}/files/debconf_settings.sh" # This defines DEBCONF_SETTINGS . "${__type}/files/debconf_settings.sh" # This defines DEBCONF_SETTINGS
__debconf_set_selections jitsi_meet --file - <<EOF __debconf_set_selections jitsi_meet --line "${DEBCONF_SETTINGS}"
${DEBCONF_SETTINGS}
EOF
export require="${require} __debconf_set_selections/jitsi_meet" export require="${require} __debconf_set_selections/jitsi_meet"
# Install and upgrade packages as needed # Install and upgrade packages as needed
__package_apt jitsi-meet # NOTE: we are doing version pinning again, but it breaks sometimes when
# We are not doing version pinning anymore because it breaks when # the version is not the latest.
# the version is not the latest. # This happens because dependencies might not be properly resolved.
# This happens because dependencies cannot be properly resolved. # To avoid this, this type must be maintained up to date.
# --version "${JITSI_VERSION}" # If we don't use this, keeping Jitsi's up to date is very difficult.
__package_apt jitsi-meet --version "${JITSI_VERSION}"
# Proceed only after installation/upgrade has finished # Proceed only after installation/upgrade has finished
export require="__package_apt/jitsi-meet" export require="__package_apt/jitsi-meet"
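Review bot: `__debconf_set_selections jitsi_meet --line "${DEBCONF_SETTINGS}"` hands the whole multi-line DEBCONF_SETTINGS to a single `--line`, where the previous `--file -` heredoc fed it as a file; please confirm the type splits embedded newlines the way debconf-set-selections expects, or pass one `--line` per setting. In the pinning comment, "keeping Jitsi's up to date" should be "keeping Jitsi up to date", and since it concedes that pinning "breaks sometimes when the version is not the latest", it should state the intended remedy: update `files/jitsi-version` in the type, not `--jitsi-version`.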
@ -125,7 +148,11 @@ require="__directory${NGINX_ETC}/sites-available" __file "${NGINX_ETC}/sites-ava
server_names_hash_bucket_size 64; server_names_hash_bucket_size 64;
# nginx server configuration for: types {
# nginx's default mime.types doesn't include a mapping for wasm or wav.
application/wasm wasm;
audio/wav wav;
}
server { server {
@ -148,95 +175,157 @@ server {
} }
EOF EOF
if [ -f "${__object}/parameter/secured-domains" ]; then # Starting from 2.0.7210, jitsi defines following nginx upstreams
SECURED_DOMAINS_STATE='present' __directory "${NGINX_ETC}/conf.d" --state present
SECURED_DOMAINS_STATE_JICOFO='replace' require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/prosody.conf" \
else --mode 644 \
SECURED_DOMAINS_STATE='absent' --source - << EOF
SECURED_DOMAINS_STATE_JICOFO='absent' upstream prosody {
fi zone upstreams 64K;
server 127.0.0.1:5280;
__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \ keepalive 2;
--owner prosody --group prosody --mode 0440 \ }
--state ${SECURED_DOMAINS_STATE} \ EOF
--source - <<EOF require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/jvb1.conf" \
VirtualHost "${JITSI_HOST}" --mode 644 \
authentication = "internal_plain" --source - << EOF
upstream jvb1 {
VirtualHost "guest.${JITSI_HOST}" zone upstreams 64K;
authentication = "anonymous" server 127.0.0.1:9090;
c2s_require_encryption = false keepalive 2;
}
EOF
require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/jicofo.conf" \
--mode 644 \
--source - << EOF
upstream jicofo {
zone upstreams 64K;
server 127.0.0.1:8888;
keepalive 2;
}
EOF EOF
__block jitsi_jicofo_secured_domains \ if [ -f "${__object}/parameter/secured-domains" ]; then
--prefix "// begin cdist: jicofo_secured_domains" \ SECURED_DOMAINS_STATE='present'
--suffix "// end cdist: jicofo_secured_domains" \ else
--file /etc/jitsi/jicofo/jicofo.conf \ SECURED_DOMAINS_STATE='absent'
--state "${SECURED_DOMAINS_STATE_JICOFO}" \ fi
--text '-' <<EOF
authentication: { # This is the main host config
enabled: true PROSODY_MAIN_CONFIG="YES"
type: XMPP # Prosody settings for common components (jvb, focus, ...)
login-url: ${JITSI_HOST} # shellcheck source=type/__jitsi_meet/files/prosody.cfg.lua.sh
} . "${__type}/files/prosody.cfg.lua.sh" # This defines PROSODY_CONFIG
__file "/etc/prosody/conf.d/00_jitsi_base.cfg.lua" \
--group prosody \
--mode 0440 \
--source - <<EOF
${PROSODY_CONFIG}
EOF
# Clean up zauth.cfg.lua file, which we don't use now
__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
--state absent
export SECURED_DOMAINS_STATE
export JITSI_HOST
export JICOFO_AUTHPASSWORD
"${__type}/files/jicofo.conf.sh" | \
__file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-'
# Enable the private colibri REST API end point for better stats
__file "/etc/jitsi/videobridge/jvb.conf" --mode 0444 --source '-' <<EOFJVB
videobridge {
http-servers {
public {
port = 9090
}
private {
port = 8080
}
}
websockets {
enabled = true
domain = "${JITSI_HOST}:443"
tls = true
}
apis {
rest {
enabled = true
}
}
cc {
trust-bwe = false
}
}
EOFJVB
# Enable simple per-domain body customisation
__file "/usr/share/jitsi-meet/body.html" \
--mode 0644 \
--source '-' <<EOF
<!--#include virtual="body-\${host}.html" -->
EOF EOF
# These two should be changed on new release # These two should be changed on new release
PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5" EXPORTER_VERSION="1.2.1"
PROMETHEUS_JITSI_EXPORTER_CHECKSUM="sha256:3ddf43a48d9a2f62be1bc6db9e7ba75d61994f9423e5c5b28be019f41f06f745" EXPORTER_CHECKSUM="sha256:46d4b8475b72fd7632a5203f1cc3c7067bed4629902b7780a1da85e4e06c2129"
PROMETHEUS_JITSI_EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}/prometheus-jitsi-meet-exporter-linux-amd64" EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${EXPORTER_VERSION}/prometheus-jitsi-meet-exporter_${EXPORTER_VERSION}_linux_amd64.tar.gz"
PROMETHEUS_JITSI_EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version" if [ -f "${__object}/parameter/disable-prometheus-exporter" ]; then
if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then EXPORTER_STATE="absent"
case "${init}" in else
init|sysvinit) EXPORTER_STATE="present"
__runit
require="__runit" __runit_service \
prometheus-jitsi-meet-exporter --log --source - <<EOF
#!/bin/sh -e
cd /tmp
exec chpst -u "nobody:nogroup" env HOME="/tmp" \\
prometheus-jitsi-meet-exporter \\
-videobridge-url 'http://localhost:8888/stats' \\
-web.listen-address ':9888' 2>&1
EOF
export require="__runit_service/prometheus-jitsi-meet-exporter"
JITSI_MEET_EXPORTER_SERVICE="sv %s prometheus-jitsi-meet-exporter"
;;
systemd)
__systemd_unit prometheus-jitsi-meet-exporter.service \
--source "-" \
--enablement-state "enabled" <<EOF
[Unit]
Description=Metrics Exporter for Jitsi Meet
After=network.target
[Service]
Type=simple
DynamicUser=yes
ExecStart=/usr/local/bin/prometheus-jitsi-meet-exporter -videobridge-url 'http://localhost:8888/stats' -web.listen-address ':9888'
Restart=always
[Install]
WantedBy=multi-user.target
EOF
export require="__systemd_unit/prometheus-jitsi-meet-exporter.service"
JITSI_MEET_EXPORTER_SERVICE="service prometheus-jitsi-meet-exporter %s"
;;
esac
if [ "${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}" != \
"${PROMETHEUS_JITSI_EXPORTER_IS_VERSION}" ]; then
# shellcheck disable=SC2059
__download \
/tmp/prometheus-jitsi-meet-exporter \
--url "${PROMETHEUS_JITSI_EXPORTER_URL}" \
--download remote \
--sum "${PROMETHEUS_JITSI_EXPORTER_CHECKSUM}" \
--onchange "$(printf "${JITSI_MEET_EXPORTER_SERVICE}" "stop") || true; chmod 555 /tmp/prometheus-jitsi-meet-exporter && mv /tmp/prometheus-jitsi-meet-exporter /usr/local/bin/prometheus-jitsi-meet-exporter && $(printf "${JITSI_MEET_EXPORTER_SERVICE}" "restart")"
printf "%s" "${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}" | \
require="${require} __download/tmp/prometheus-jitsi-meet-exporter" __file \
"${PROMETHEUS_JITSI_EXPORTER_VERSION_FILE}" \
--source "-"
fi
fi fi
# TODO: disable the exporter if it is deployed and then admin changes their mind __single_binary_service prometheus-jitsi-meet-exporter \
--state "${EXPORTER_STATE}" \
--do-not-manage-user \
--user "nobody" \
--group "nogroup" \
--version "${EXPORTER_VERSION}" \
--checksum "${EXPORTER_CHECKSUM}" \
--url "${EXPORTER_URL}" \
--unpack \
--service-args "-videobridge-url 'http://localhost:8080/colibri/stats' -web.listen-address ':9888'"
#
# Setup interpreter assets if requested
# See: https://gitlab.com/mfmt/jsi/
#
jsi_updated_on="2022-04-21"
__link "/usr/share/jitsi-meet/interpreters.html" \
--type symbolic \
--source "/opt/jsi/static/index.html.sample"
__directory /opt/jsi --mode 0755
export require="__directory/opt/jsi"
__download /opt/jsi/jsi.tar.gz \
--url 'https://gitlab.com/mfmt/jsi/-/archive/1d2cceaf615ee61c0bba80e5bddc61c5d1018303/jsi-1d2cceaf615ee61c0bba80e5bddc61c5d1018303.tar.gz' \
--sum "sha256:b020141093daa9937507b098f358d0be994834c3e23866a457fc5140415a0c53"
export require="__download/opt/jsi/jsi.tar.gz"
__unpack /opt/jsi/jsi.tar.gz \
--preserve-archive \
--tar-strip 1 \
--destination /opt/jsi/static \
--onchange "$(cat <<EOF
# Patch style.css to be served on /i/
sed -i.tmp -E \
-e 's!url[(]/img/welcome-background.png[)]!url(/i/img/welcome-background.png)!' \
/opt/jsi/static/style.css
# Patch jsi.js to be served on /i/
# and so it always uses the domain it's served from
# and so it uses /i/ROOM for the form
sed -i.tmp -E \
-e 's!substr[(][0-9]+[)]!substr(3)!' \
-e 's!config[.]jitsimeet_url!url.host!' \
-e 's!(window[.]location[.]href)[[:space:]]*=[[:space:]]*"/"!\1 = "/i/"!' \
/opt/jsi/static/jsi.js
# Patch the sample index.html, so it loads external_api.js from same host
# and to easen up on the branding
# and to enable browser cache
sed -i.tmp -E \
-e "s!src=[^>]*(/external_api.js).!src='\1'!" \
-e "s!<h1>[^<]*</h1>!<h1>Jitsi Meetings with interpreter</h1>!" \
-e "s!https://meet.mayfirst.org!/!" \
-e "s!(style.css|jsi.js)([^?])!\1?v=${jsi_updated_on:?}\2!" \
/opt/jsi/static/index.html.sample
EOF
)"
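Review bot: `__file /etc/jitsi/jicofo/jicofo.conf --mode 0444` makes the file world-readable while `jicofo.conf.sh` receives JICOFO_AUTHPASSWORD, so the focus component's XMPP password becomes readable by every local account, including the `nobody` user the exporter now runs as; use `--mode 0440` with the owner and group jicofo runs under. Related isolation points in this hunk: the exporter moves from a systemd unit with `DynamicUser=yes` to `__single_binary_service ... --do-not-manage-user --user "nobody" --group "nogroup"`, a shared account for a network-exposed service (`:9888`), so a dedicated unprivileged user would be preferable; and the `private { port = 8080 }` server in jvb.conf exposes the colibri REST API the comment describes, so either confirm it binds to loopback by default or set the bind address explicitly, since the ufw manifest only covers the Jitsi ports. Two smaller things: the "Setup interpreter assets if requested" comment does not match the code, which installs jsi unconditionally (gate it behind a parameter or fix the comment), and the `sed -i.tmp` patches leave `*.tmp` copies of style.css, jsi.js and index.html.sample in /opt/jsi/static, which the rewritten `/i/` paths suggest is served; drop the suffix or remove the backups at the end of the `--onchange` script.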


@ -1 +0,0 @@
2.0.5765-1


@ -0,0 +1,4 @@
Supporting different versions lead to strange issues in the life-time of a
Jitsi instance. Chiefly: difficulties upgrading.
If you are specifying this for a valid reason, please get in touch.
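Review bot: "Supporting different versions lead to strange issues in the life-time of a Jitsi instance" should read "leads to strange issues in the lifetime of a Jitsi instance".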


@ -1,3 +1,4 @@
abort-conference-count
jitsi-version jitsi-version
turn-secret turn-secret
turn-server turn-server


@ -0,0 +1,35 @@
#!/bin/sh -eu
# This is a helper to update the '.sh.orig' files for jitsi's
# configuration files.
# Then the changes must be propagated to their corresponding .sh
# files by the type maintainer or a contributor
# We could automate this, but are using it as an indicator for the
# latest branch with which we conciliated changes.
BRANCH="jitsi-meet_9457"
REPO="https://github.com/jitsi/jitsi-meet"
get_url() {
file="${1}"
printf "%s/raw/stable/%s/%s" "${REPO}" "${BRANCH}" "${file}"
}
download_file() {
file="${1}"
destination="${2:-${file}.sh.orig}"
url="$(get_url "${file}")"
echo "Downloading ${destination}"
curl -L "${url}" > "${destination}"
echo
}
download_file config.js
download_file interface_config.js
download_file doc/debian/jitsi-meet/jitsi-meet.example nginx.sh.orig
download_file doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example prosody.cfg.lua.sh.orig
# Change the version file, maintainers should check that it matches
# the deb version
printf "2.0.%s-1" "${BRANCH#*_}" > jitsi-version
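Review bot: `curl -L "${url}" > "${destination}"` does not fail on HTTP errors, so under `sh -eu` a 404 (for instance a BRANCH whose `stable/` tag does not exist yet) writes the error page into the `.sh.orig` file and the script carries on to rewrite `jitsi-version`. Use `curl -fL` (or `-fsSL`) so a failed download aborts, and download to a temporary file that is renamed into place so a partial transfer cannot clobber a good `.sh.orig`.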




@ -20,7 +20,7 @@ JITSI_INTERFACE_CONFIG_JS="$(cat <<EOF
*/ */
var interfaceConfig = { var interfaceConfig = {
APP_NAME: 'Jitsi Meet', APP_NAME: '${BRANDING_APP_NAME}',
AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)', AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)',
AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)', AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)',
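Review bot: `APP_NAME: '${BRANDING_APP_NAME}',` interpolates a shell variable into a JavaScript single-quoted string inside the `$(cat <<EOF` heredoc with no escaping. A value containing `'`, a backslash or a newline breaks interface_config.js for every visitor, and because this file is served to browsers it amounts to script injection by whoever sets the branding parameter. Validate or escape BRANDING_APP_NAME (and BRANDING_WATERMARK_PATH, used the same way below) before interpolation.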
@ -36,42 +36,12 @@ var interfaceConfig = {
BRAND_WATERMARK_LINK: '', BRAND_WATERMARK_LINK: '',
CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
/**
* Whether the connection indicator icon should hide itself based on
* connection strength. If true, the connection indicator will remain
* displayed while the participant has a weak connection and will hide
* itself after the CONNECTION_INDICATOR_HIDE_TIMEOUT when the connection is
* strong.
*
* @type {boolean}
*/
CONNECTION_INDICATOR_AUTO_HIDE_ENABLED: true,
/** DEFAULT_BACKGROUND: '#040404',
* How long the connection indicator should remain displayed before hiding.
* Used in conjunction with CONNECTION_INDICATOR_AUTOHIDE_ENABLED.
*
* @type {number}
*/
CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT: 5000,
/**
* If true, hides the connection indicators completely.
*
* @type {boolean}
*/
CONNECTION_INDICATOR_DISABLED: false,
DEFAULT_BACKGROUND: '#474747',
DEFAULT_LOCAL_DISPLAY_NAME: 'me',
DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
DEFAULT_WELCOME_PAGE_LOGO_URL: '${BRANDING_WATERMARK_PATH}', DEFAULT_WELCOME_PAGE_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
DISABLE_DOMINANT_SPEAKER_INDICATOR: false, DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
DISABLE_FOCUS_INDICATOR: false,
/** /**
* If true, notifications regarding joining/leaving are no longer displayed. * If true, notifications regarding joining/leaving are no longer displayed.
*/ */
@ -111,27 +81,21 @@ var interfaceConfig = {
ENABLE_DIAL_OUT: true, ENABLE_DIAL_OUT: true,
ENABLE_FEEDBACK_ANIMATION: false, // Enables feedback star animation. // DEPRECATED. Animation no longer supported.
// ENABLE_FEEDBACK_ANIMATION: false,
FILM_STRIP_MAX_HEIGHT: 120, FILM_STRIP_MAX_HEIGHT: 120,
GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true, GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
/**
* Hide the logo on the deep linking pages.
*/
HIDE_DEEP_LINKING_LOGO: false,
/** /**
* Hide the invite prompt in the header when alone in the meeting. * Hide the invite prompt in the header when alone in the meeting.
*/ */
HIDE_INVITE_MORE_HEADER: false, HIDE_INVITE_MORE_HEADER: false,
INITIAL_TOOLBAR_TIMEOUT: 20000,
JITSI_WATERMARK_LINK: 'https://jitsi.org', JITSI_WATERMARK_LINK: 'https://jitsi.org',
LANG_DETECTION: true, // Allow i18n to detect the system language LANG_DETECTION: true, // Allow i18n to detect the system language
LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature.
LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9 LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
/** /**
@ -151,28 +115,11 @@ var interfaceConfig = {
*/ */
MOBILE_APP_PROMO: true, MOBILE_APP_PROMO: true,
/**
* Specify custom URL for downloading android mobile app.
*/
MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
/**
* Specify custom URL for downloading f droid app.
*/
MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
/**
* Specify URL for downloading ios mobile app.
*/
MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
NATIVE_APP_NAME: 'Jitsi Meet',
// Names of browsers which should show a warning stating the current browser // Names of browsers which should show a warning stating the current browser
// has a suboptimal experience. Browsers which are not listed as optimal or // has a suboptimal experience. Browsers which are not listed as optimal or
// unsupported are considered suboptimal. Valid values are: // unsupported are considered suboptimal. Valid values are:
// chrome, chromium, edge, electron, firefox, nwjs, opera, safari // chrome, chromium, electron, firefox , safari, webkit
OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron', 'safari' ], OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'electron', 'safari', 'webkit' ],
POLICY_LOGO: null, POLICY_LOGO: null,
PROVIDER_NAME: 'Jitsi', PROVIDER_NAME: 'Jitsi',
@ -185,7 +132,7 @@ var interfaceConfig = {
RECENT_LIST_ENABLED: true, RECENT_LIST_ENABLED: true,
REMOTE_THUMBNAIL_RATIO: 1, // 1:1 REMOTE_THUMBNAIL_RATIO: 1, // 1:1
SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds' ], SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds', 'more' ],
/** /**
* Specify which sharing features should be displayed. If the value is not set * Specify which sharing features should be displayed. If the value is not set
@ -196,13 +143,12 @@ var interfaceConfig = {
SHOW_BRAND_WATERMARK: false, SHOW_BRAND_WATERMARK: false,
/** /**
* Decides whether the chrome extension banner should be rendered on the landing page and during the meeting. * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting.
* If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s) * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s)
* being already installed is done before rendering. * being already installed is done before rendering.
*/ */
SHOW_CHROME_EXTENSION_BANNER: false, SHOW_CHROME_EXTENSION_BANNER: false,
SHOW_DEEP_LINKING_IMAGE: false,
SHOW_JITSI_WATERMARK: true, SHOW_JITSI_WATERMARK: true,
SHOW_POWERED_BY: false, SHOW_POWERED_BY: false,
SHOW_PROMOTIONAL_CLOSE_PAGE: false, SHOW_PROMOTIONAL_CLOSE_PAGE: false,
@ -213,16 +159,6 @@ var interfaceConfig = {
*/ */
SUPPORT_URL: 'https://community.jitsi.org/', SUPPORT_URL: 'https://community.jitsi.org/',
TOOLBAR_ALWAYS_VISIBLE: false,
/**
* DEPRECATED!
* This config was moved to config.js as \`toolbarButtons\`.
*/
// TOOLBAR_BUTTONS: [],
TOOLBAR_TIMEOUT: 4000,
// Browsers, in addition to those which do not fully support WebRTC, that // Browsers, in addition to those which do not fully support WebRTC, that
// are not supported and should show the unsupported browser page. // are not supported and should show the unsupported browser page.
UNSUPPORTED_BROWSERS: [], UNSUPPORTED_BROWSERS: [],
@ -253,6 +189,31 @@ var interfaceConfig = {
*/ */
// TILE_VIEW_MAX_COLUMNS: 5, // TILE_VIEW_MAX_COLUMNS: 5,
// List of undocumented settings
/**
INDICATOR_FONT_SIZES
PHONE_NUMBER_REGEX
*/
// -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
/**
* Specify URL for downloading ios mobile app.
*/
// MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
/**
* Specify custom URL for downloading android mobile app.
*/
// MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
/**
* Specify mobile app scheme for opening the app from the mobile browser.
*/
// APP_SCHEME: 'org.jitsi.meet',
// NATIVE_APP_NAME: 'Jitsi Meet',
/** /**
* Specify Firebase dynamic link properties for the mobile apps. * Specify Firebase dynamic link properties for the mobile apps.
*/ */
@ -265,9 +226,9 @@ var interfaceConfig = {
// }, // },
/** /**
* Specify mobile app scheme for opening the app from the mobile browser. * Hide the logo on the deep linking pages.
*/ */
// APP_SCHEME: 'org.jitsi.meet', // HIDE_DEEP_LINKING_LOGO: false,
/** /**
* Specify the Android app package name. * Specify the Android app package name.
@ -275,17 +236,42 @@ var interfaceConfig = {
// ANDROID_APP_PACKAGE: 'org.jitsi.meet', // ANDROID_APP_PACKAGE: 'org.jitsi.meet',
/** /**
* Override the behavior of some notifications to remain displayed until * Specify custom URL for downloading f droid app.
* explicitly dismissed through a user action. The value is how long, in
* milliseconds, those notifications should remain displayed.
*/ */
// ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000, // MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
// List of undocumented settings // Connection indicators (
/** // CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,
INDICATOR_FONT_SIZES // CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT,
PHONE_NUMBER_REGEX // CONNECTION_INDICATOR_DISABLED) got moved to config.js.
*/
// Please use disableModeratorIndicator from config.js
// DISABLE_FOCUS_INDICATOR: false,
// Please use defaultLocalDisplayName from config.js
// DEFAULT_LOCAL_DISPLAY_NAME: 'me',
// Please use defaultLogoUrl from config.js
DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
// Please use defaultRemoteDisplayName from config.js
// DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
// Moved to config.js as \`toolbarConfig.initialTimeout\`.
// INITIAL_TOOLBAR_TIMEOUT: 20000,
// Moved to config.js as \`toolbarConfig.alwaysVisible\`.
// Documentation reference for the live streaming feature.
// LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live',
// Moved to config.js as \`toolbarConfig.alwaysVisible\`.
// TOOLBAR_ALWAYS_VISIBLE: false,
// This config was moved to config.js as \`toolbarButtons\`.
// TOOLBAR_BUTTONS: [],
// Moved to config.js as \`toolbarConfig.timeout\`.
// TOOLBAR_TIMEOUT: 4000,
// Allow all above example options to include a trailing comma and // Allow all above example options to include a trailing comma and
// prevent fear when commenting out the last value. // prevent fear when commenting out the last value.
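Review bot: below the "DEPRECATED CONFIGS BELOW THIS LINE" marker, `DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}',` is still active, directly under "Please use defaultLogoUrl from config.js", whereas the upstream template and every other deprecated key here are commented out; if keeping it live is intentional, say so in the comment, otherwise comment it out and set defaultLogoUrl in config.js. Also the comment above `// LIVE_STREAMING_HELP_LINK` reads "Moved to config.js as `toolbarConfig.alwaysVisible`", duplicated from TOOLBAR_ALWAYS_VISIBLE two lines further down; the upstream file has "Please use `liveStreaming.helpLink` from config.js" there.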


@ -25,42 +25,12 @@ var interfaceConfig = {
BRAND_WATERMARK_LINK: '', BRAND_WATERMARK_LINK: '',
CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
/**
* Whether the connection indicator icon should hide itself based on
* connection strength. If true, the connection indicator will remain
* displayed while the participant has a weak connection and will hide
* itself after the CONNECTION_INDICATOR_HIDE_TIMEOUT when the connection is
* strong.
*
* @type {boolean}
*/
CONNECTION_INDICATOR_AUTO_HIDE_ENABLED: true,
/** DEFAULT_BACKGROUND: '#040404',
* How long the connection indicator should remain displayed before hiding.
* Used in conjunction with CONNECTION_INDICATOR_AUTOHIDE_ENABLED.
*
* @type {number}
*/
CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT: 5000,
/**
* If true, hides the connection indicators completely.
*
* @type {boolean}
*/
CONNECTION_INDICATOR_DISABLED: false,
DEFAULT_BACKGROUND: '#474747',
DEFAULT_LOCAL_DISPLAY_NAME: 'me',
DEFAULT_LOGO_URL: 'images/watermark.svg',
DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
DEFAULT_WELCOME_PAGE_LOGO_URL: 'images/watermark.svg', DEFAULT_WELCOME_PAGE_LOGO_URL: 'images/watermark.svg',
DISABLE_DOMINANT_SPEAKER_INDICATOR: false, DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
DISABLE_FOCUS_INDICATOR: false,
/** /**
* If true, notifications regarding joining/leaving are no longer displayed. * If true, notifications regarding joining/leaving are no longer displayed.
*/ */
@ -100,27 +70,21 @@ var interfaceConfig = {
ENABLE_DIAL_OUT: true, ENABLE_DIAL_OUT: true,
ENABLE_FEEDBACK_ANIMATION: false, // Enables feedback star animation. // DEPRECATED. Animation no longer supported.
// ENABLE_FEEDBACK_ANIMATION: false,
FILM_STRIP_MAX_HEIGHT: 120, FILM_STRIP_MAX_HEIGHT: 120,
GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true, GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
/**
* Hide the logo on the deep linking pages.
*/
HIDE_DEEP_LINKING_LOGO: false,
/** /**
* Hide the invite prompt in the header when alone in the meeting. * Hide the invite prompt in the header when alone in the meeting.
*/ */
HIDE_INVITE_MORE_HEADER: false, HIDE_INVITE_MORE_HEADER: false,
INITIAL_TOOLBAR_TIMEOUT: 20000,
JITSI_WATERMARK_LINK: 'https://jitsi.org', JITSI_WATERMARK_LINK: 'https://jitsi.org',
LANG_DETECTION: true, // Allow i18n to detect the system language LANG_DETECTION: true, // Allow i18n to detect the system language
LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature.
LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9 LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
/** /**
@ -140,28 +104,11 @@ var interfaceConfig = {
*/ */
MOBILE_APP_PROMO: true, MOBILE_APP_PROMO: true,
/**
* Specify custom URL for downloading android mobile app.
*/
MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
/**
* Specify custom URL for downloading f droid app.
*/
MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
/**
* Specify URL for downloading ios mobile app.
*/
MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
NATIVE_APP_NAME: 'Jitsi Meet',
// Names of browsers which should show a warning stating the current browser // Names of browsers which should show a warning stating the current browser
// has a suboptimal experience. Browsers which are not listed as optimal or // has a suboptimal experience. Browsers which are not listed as optimal or
// unsupported are considered suboptimal. Valid values are: // unsupported are considered suboptimal. Valid values are:
// chrome, chromium, edge, electron, firefox, nwjs, opera, safari // chrome, chromium, electron, firefox , safari, webkit
OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron', 'safari' ], OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'electron', 'safari', 'webkit' ],
POLICY_LOGO: null, POLICY_LOGO: null,
PROVIDER_NAME: 'Jitsi', PROVIDER_NAME: 'Jitsi',
@ -174,7 +121,7 @@ var interfaceConfig = {
RECENT_LIST_ENABLED: true, RECENT_LIST_ENABLED: true,
REMOTE_THUMBNAIL_RATIO: 1, // 1:1 REMOTE_THUMBNAIL_RATIO: 1, // 1:1
SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds' ], SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds', 'more' ],
/** /**
* Specify which sharing features should be displayed. If the value is not set * Specify which sharing features should be displayed. If the value is not set
@ -185,13 +132,12 @@ var interfaceConfig = {
SHOW_BRAND_WATERMARK: false, SHOW_BRAND_WATERMARK: false,
/** /**
* Decides whether the chrome extension banner should be rendered on the landing page and during the meeting. * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting.
* If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s) * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s)
* being already installed is done before rendering. * being already installed is done before rendering.
*/ */
SHOW_CHROME_EXTENSION_BANNER: false, SHOW_CHROME_EXTENSION_BANNER: false,
SHOW_DEEP_LINKING_IMAGE: false,
SHOW_JITSI_WATERMARK: true, SHOW_JITSI_WATERMARK: true,
SHOW_POWERED_BY: false, SHOW_POWERED_BY: false,
SHOW_PROMOTIONAL_CLOSE_PAGE: false, SHOW_PROMOTIONAL_CLOSE_PAGE: false,
@ -202,16 +148,6 @@ var interfaceConfig = {
*/ */
SUPPORT_URL: 'https://community.jitsi.org/', SUPPORT_URL: 'https://community.jitsi.org/',
TOOLBAR_ALWAYS_VISIBLE: false,
/**
* DEPRECATED!
* This config was moved to config.js as `toolbarButtons`.
*/
// TOOLBAR_BUTTONS: [],
TOOLBAR_TIMEOUT: 4000,
// Browsers, in addition to those which do not fully support WebRTC, that // Browsers, in addition to those which do not fully support WebRTC, that
// are not supported and should show the unsupported browser page. // are not supported and should show the unsupported browser page.
UNSUPPORTED_BROWSERS: [], UNSUPPORTED_BROWSERS: [],
@ -242,6 +178,31 @@ var interfaceConfig = {
*/ */
// TILE_VIEW_MAX_COLUMNS: 5, // TILE_VIEW_MAX_COLUMNS: 5,
// List of undocumented settings
/**
INDICATOR_FONT_SIZES
PHONE_NUMBER_REGEX
*/
// -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
/**
* Specify URL for downloading ios mobile app.
*/
// MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
/**
* Specify custom URL for downloading android mobile app.
*/
// MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
/**
* Specify mobile app scheme for opening the app from the mobile browser.
*/
// APP_SCHEME: 'org.jitsi.meet',
// NATIVE_APP_NAME: 'Jitsi Meet',
/** /**
* Specify Firebase dynamic link properties for the mobile apps. * Specify Firebase dynamic link properties for the mobile apps.
*/ */
@ -254,9 +215,9 @@ var interfaceConfig = {
// }, // },
/** /**
* Specify mobile app scheme for opening the app from the mobile browser. * Hide the logo on the deep linking pages.
*/ */
// APP_SCHEME: 'org.jitsi.meet', // HIDE_DEEP_LINKING_LOGO: false,
/** /**
* Specify the Android app package name. * Specify the Android app package name.
@ -264,17 +225,42 @@ var interfaceConfig = {
// ANDROID_APP_PACKAGE: 'org.jitsi.meet', // ANDROID_APP_PACKAGE: 'org.jitsi.meet',
/** /**
* Override the behavior of some notifications to remain displayed until * Specify custom URL for downloading f droid app.
* explicitly dismissed through a user action. The value is how long, in
* milliseconds, those notifications should remain displayed.
*/ */
// ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000, // MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
// List of undocumented settings // Connection indicators (
/** // CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,
INDICATOR_FONT_SIZES // CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT,
PHONE_NUMBER_REGEX // CONNECTION_INDICATOR_DISABLED) got moved to config.js.
*/
// Please use disableModeratorIndicator from config.js
// DISABLE_FOCUS_INDICATOR: false,
// Please use defaultLocalDisplayName from config.js
// DEFAULT_LOCAL_DISPLAY_NAME: 'me',
// Please use defaultLogoUrl from config.js
// DEFAULT_LOGO_URL: 'images/watermark.svg',
// Please use defaultRemoteDisplayName from config.js
// DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
// Moved to config.js as `toolbarConfig.initialTimeout`.
// INITIAL_TOOLBAR_TIMEOUT: 20000,
// Please use `liveStreaming.helpLink` from config.js
// Documentation reference for the live streaming feature.
// LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live',
// Moved to config.js as `toolbarConfig.alwaysVisible`.
// TOOLBAR_ALWAYS_VISIBLE: false,
// This config was moved to config.js as `toolbarButtons`.
// TOOLBAR_BUTTONS: [],
// Moved to config.js as `toolbarConfig.timeout`.
// TOOLBAR_TIMEOUT: 4000,
// Allow all above example options to include a trailing comma and // Allow all above example options to include a trailing comma and
// prevent fear when commenting out the last value. // prevent fear when commenting out the last value.
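Review bot: `ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000` is removed outright in this hunk, while every other option retired here gets a "Please use ... from config.js" or "Moved to config.js as ..." pointer in the deprecated list below; add the same pointer for it (or state that it has no replacement) so operators of the type who set it know what to migrate to.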

View file

@ -0,0 +1 @@
2.0.9457-1

View file

@ -2,6 +2,42 @@
# shellcheck disable=SC2034 # This is intended to be included # shellcheck disable=SC2034 # This is intended to be included
JITSI_NGINX_CONFIG="$(cat <<EOF JITSI_NGINX_CONFIG="$(cat <<EOF
# Jitsi uses following lines by default, in our cdist types they must be commented
# out as we already set it with __jitsi_meet in the default server config.
#server_names_hash_bucket_size 64;
#
#types {
## nginx's default mime.types doesn't include a mapping for wasm or wav.
# application/wasm wasm;
# audio/wav wav;
#}
# These upstreams are managed by __jitsi_meet
#upstream jicofo {
# zone upstreams 64K;
# server 127.0.0.1:8888;
# keepalive 2;
#}
#upstream prosody {
# zone upstreams 64K;
# server 127.0.0.1:5280;
# keepalive 2;
#}
#upstream jvb1 {
# zone upstreams 64K;
# server 127.0.0.1:9090;
# keepalive 2;
#}
#map \$arg_vnode \$prosody_node {
# default prosody;
# v1 v1;
# v2 v2;
# v3 v3;
# v4 v4;
# v5 v5;
# v6 v6;
# v7 v7;
# v8 v8;
#}
server { server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
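Review bot: the comment "These upstreams are managed by __jitsi_meet" is not backed by the __jitsi_meet nginx config in this same commit, which defines only `upstream prosody` and `upstream jvb1`; `upstream jicofo` is commented out here and defined nowhere else, yet a later hunk in this file adds `proxy_pass http://jicofo/conference-request/v1\$1;`. A proxy_pass host without variables is resolved when the configuration is loaded, so unless an `upstream jicofo { ... }` exists elsewhere, `nginx -t` fails with "host not found in upstream". Either add the jicofo upstream to the main config (the main file proxies conference-request to `127.0.0.1:8888` directly) or use the literal address here as well.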
@ -10,17 +46,17 @@ server {
include snippets/acme-challenge.conf; include snippets/acme-challenge.conf;
location / { location / {
return 301 https://\$host\$request_uri; return 301 https://\$host\$request_uri;
} }
} }
server { server {
listen 443 ssl; listen 443 ssl http2;
listen [::]:443 ssl; listen [::]:443 ssl http2;
server_name ${DOMAIN}; server_name ${DOMAIN};
include snippets/acme-challenge.conf; include snippets/acme-challenge.conf;
# Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off; ssl_prefer_server_ciphers off;
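Review bot: `listen 443 ssl http2;` (and the `[::]:443` line, and the same change in the main config) uses the listen-parameter form of HTTP/2, which nginx deprecated in 1.25.1 in favour of a separate `http2 on;` directive; it still works on older releases but emits a deprecation warning on newer ones. Consider emitting `http2 on;` inside the server block instead, gated on the nginx version the target OS ships.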
@ -30,6 +66,11 @@ server {
ssl_session_tickets off; ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=63072000" always; add_header Strict-Transport-Security "max-age=63072000" always;
set \$prefix "";
# Try the custom page for this domain, fallback to default page
set \$custom_index "index-${DOMAIN}.html";
# We expect this domain to be properly configured, the file should exist
set \$config_js_location "/etc/jitsi/meet/${DOMAIN}-config.js";
ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem; ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
@ -41,7 +82,7 @@ server {
ssi_types application/x-javascript application/javascript; ssi_types application/x-javascript application/javascript;
# Try the custom page for this domain, fallback to default page # Try the custom page for this domain, fallback to default page
index index-${DOMAIN}.html index.html index.htm; index \$custom_index index.html index.htm;
error_page 404 /static/404.html; error_page 404 /static/404.html;
gzip on; gzip on;
@ -50,9 +91,10 @@ server {
gzip_proxied no-cache no-store private expired auth; gzip_proxied no-cache no-store private expired auth;
gzip_min_length 512; gzip_min_length 512;
# We expect this domain to be properly configured, the file should exist # include /etc/jitsi/meet/jaas/*.conf;
location = /config.js { location = /config.js {
alias /etc/jitsi/meet/${DOMAIN}-config.js; alias \$config_js_location;
} }
# We expect this domain to be properly configured, the file should exist # We expect this domain to be properly configured, the file should exist
location = /interface_config.js { location = /interface_config.js {
@ -71,71 +113,121 @@ server {
alias /usr/share/jitsi-meet/libs/external_api.min.js; alias /usr/share/jitsi-meet/libs/external_api.min.js;
} }
#ensure all static content can always be found first location = /_api/room-info {
location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)\$ proxy_pass http://prosody/room-info?prefix=\$prefix&\$args;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For \$remote_addr;
proxy_set_header Host \$http_host;
}
location ~ ^/_api/public/(.*)\$ {
autoindex off;
alias /etc/jitsi/meet/public/\$1;
}
# ensure all static content can always be found first
location ~ ^/(libs|css|static|images|fonts|lang|sounds|.well-known)/(.*)\$
{ {
add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Origin' '*';
alias /usr/share/jitsi-meet/\$1/\$2; alias /usr/share/jitsi-meet/\$1/\$2;
# cache all versioned files # cache all versioned files
if (\$arg_v) { if (\$arg_v) {
expires 1y; expires 1y;
} }
} }
# Paths for jsi / interpreters
location ~ ^/i/(img/[^./]*.png|jsi.js|style.css)$
{
add_header 'Access-Control-Allow-Origin' '*';
alias /opt/jsi/static/\$1;
# cache all versioned files
if (\$arg_v) {
expires 1y;
}
}
location ~ ^/i/
{
try_files /${DOMAIN}-interpreters.html /interpreters.html \$uri;
}
# BOSH # BOSH
location = /http-bind { location = /http-bind {
proxy_pass http://localhost:5280/http-bind; proxy_pass http://prosody/http-bind?prefix=\$prefix&\$args;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For \$remote_addr; proxy_set_header X-Forwarded-For \$remote_addr;
# Prevision for 'multi-domain' jitsi instances # Prevision for 'multi-domain' jitsi instances
# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391 # https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
proxy_set_header Host ${JITSI_HOST}; proxy_set_header Host ${DOMAIN};
proxy_set_header Connection "";
} }
# xmpp websockets # xmpp websockets
location = /xmpp-websocket { location = /xmpp-websocket {
proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=\$prefix&\$args; proxy_pass http://prosody/xmpp-websocket?prefix=\$prefix&\$args;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade; proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
# Prevision for 'multi-domain' jitsi instances # Prevision for 'multi-domain' jitsi instances
# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391 # https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
proxy_set_header Host ${JITSI_HOST}; proxy_set_header Host ${DOMAIN};
tcp_nodelay on; tcp_nodelay on;
} }
# colibri (JVB) websockets for jvb1 # colibri (JVB) websockets for jvb1
location ~ ^/colibri-ws/default-id/(.*) { location ~ ^/colibri-ws/default-id/(.*) {
proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/\$1\$is_args\$args; proxy_pass http://jvb1/colibri-ws/default-id/\$1\$is_args\$args;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade; proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
tcp_nodelay on; tcp_nodelay on;
}
# load test minimal client, uncomment when used
#location ~ ^/_load-test/([^/?&:'"]+)\$ {
# rewrite ^/_load-test/(.*)\$ /load-test/index.html break;
#}
#location ~ ^/_load-test/libs/(.*)\$ {
# add_header 'Access-Control-Allow-Origin' '*';
# alias /usr/share/jitsi-meet/load-test/libs/\$1;
#}
location ~ ^/conference-request/v1([/].*)?\$ {
proxy_pass http://jicofo/conference-request/v1\$1;
add_header "Cache-Control" "no-cache, no-store";
add_header 'Access-Control-Allow-Origin' '*';
}
location ~ ^/([^/?&:'"]+)/conference-request/v1([/].*)?\$ {
rewrite ^/([^/?&:'"]+)/conference-request/v1([/].*)?\$ /conference-request/v1\$2;
} }
location ~ ^/([^/?&:'"]+)\$ { location ~ ^/([^/?&:'"]+)\$ {
set \$roomname "\$1";
try_files \$uri @root_path; try_files \$uri @root_path;
} }
location @root_path { location @root_path {
# rewrite ^/(.*)\$ /\$custom_index break;
rewrite ^/(.*)\$ / break; rewrite ^/(.*)\$ / break;
} }
location ~ ^/([^/?&:'"]+)/config.js\$ location ~ ^/([^/?&:'"]+)/config.js\$
{ {
set \$subdomain "\$1.";
set \$subdir "\$1/";
alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
}
#Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
location ~ ^/([^/?&:'"]+)/(.*)\$ {
set \$subdomain "\$1."; set \$subdomain "\$1.";
set \$subdir "\$1/"; set \$subdir "\$1/";
rewrite ^/([^/?&:'"]+)/(.*)\$ /\$2;
alias \$config_js_location;
} }
## Matches /(TENANT)/pwa-worker.js or /(TENANT)/manifest.json to rewrite to / and look for file
#location ~ ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)\$ {
# set \$subdomain "\$1.";
# set \$subdir "\$1/";
# rewrite ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)\$ /\$2;
#}
# BOSH for subdomains # BOSH for subdomains
location ~ ^/([^/?&:'"]+)/http-bind { location ~ ^/([^/?&:'"]+)/http-bind {
set \$subdomain "\$1."; set \$subdomain "\$1.";
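Review bot: the two `/i/` locations are the only regexes in this heredoc whose `$` anchor is not escaped: `location ~ ^/i/(img/[^./]*.png|jsi.js|style.css)$`. Every other regex in the unquoted `<<EOF` block writes `\$`; a bare `$` followed by a newline happens to survive shell expansion, but only by accident, and it breaks as soon as anything follows it on the line. Write `\$` like the rest of the file, and escape the dots (`\.png`, `jsi\.js`, `style\.css`) so the alternatives do not match arbitrary characters. Separately, `try_files /${DOMAIN}-interpreters.html /interpreters.html \$uri;` uses `\$uri` as the fallback, which re-enters this same `^/i/` location and cycles until nginx gives up with a 500 whenever neither HTML file exists; `=404` is the clearer fallback.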
@ -153,6 +245,21 @@ server {
rewrite ^/(.*)\$ /xmpp-websocket; rewrite ^/(.*)\$ /xmpp-websocket;
} }
location ~ ^/([^/?&:'"]+)/_api/room-info {
set \$subdomain "\$1.";
set \$subdir "\$1/";
set \$prefix "\$1";
rewrite ^/(.*)\$ /_api/room-info;
}
# Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
location ~ ^/([^/?&:'"]+)/(.*)\$ {
set \$subdomain "\$1.";
set \$subdir "\$1/";
rewrite ^/([^/?&:'"]+)/(.*)\$ /\$2;
}
} }
EOF EOF
)" )"
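Review bot: the closing catch-all's comment says the request is redirected to `/`, but `rewrite ^/([^/?&:'"]+)/(.*)\$ /\$2;` strips the tenant segment and re-searches locations with `/\$2` (an internal rewrite, not a redirect); align the comment with what the directive does. This block must also remain the last regex location in the server block, since nginx takes the first regex that matches in configuration order; this hunk correctly puts the tenant `_api/room-info` location above it, and any future tenant-scoped location has to go above it too or it will be shadowed.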

View file

@ -1,27 +1,53 @@
server_names_hash_bucket_size 64; server_names_hash_bucket_size 64;
types {
# nginx's default mime.types doesn't include a mapping for wasm or wav.
application/wasm wasm;
audio/wav wav;
}
upstream prosody {
zone upstreams 64K;
server 127.0.0.1:5280;
keepalive 2;
}
upstream jvb1 {
zone upstreams 64K;
server 127.0.0.1:9090;
keepalive 2;
}
map $arg_vnode $prosody_node {
default prosody;
v1 v1;
v2 v2;
v3 v3;
v4 v4;
v5 v5;
v6 v6;
v7 v7;
v8 v8;
}
server { server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
server_name jitsi-meet.example.com; server_name jitsi-meet.example.com;
location ^~ /.well-known/acme-challenge/ { location ^~ /.well-known/acme-challenge/ {
default_type "text/plain"; default_type "text/plain";
root /usr/share/jitsi-meet; root /usr/share/jitsi-meet;
} }
location = /.well-known/acme-challenge/ { location = /.well-known/acme-challenge/ {
return 404; return 404;
} }
location / { location / {
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
} }
} }
server { server {
listen 443 ssl; listen 443 ssl http2;
listen [::]:443 ssl; listen [::]:443 ssl http2;
server_name jitsi-meet.example.com; server_name jitsi-meet.example.com;
# Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off; ssl_prefer_server_ciphers off;
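Review bot: `map $arg_vnode $prosody_node` lets the client choose the upstream through the `vnode` query argument, but only `upstream prosody` is defined here; `v1` to `v8` are not. Because `proxy_pass http://$prosody_node/...` further down uses a variable, nginx resolves a name that is not an upstream group at request time, and with no `resolver` configured a request carrying `?vnode=v1` ends in a 502 with a "no resolver defined" error. Either define the visitor-node upstreams this map refers to, or drop the map and proxy to `prosody` directly as the per-domain config in this commit does.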
@ -31,6 +57,9 @@ server {
ssl_session_tickets off; ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=63072000" always; add_header Strict-Transport-Security "max-age=63072000" always;
set $prefix "";
set $custom_index "";
set $config_js_location /etc/jitsi/meet/jitsi-meet.example.com-config.js;
ssl_certificate /etc/jitsi/meet/jitsi-meet.example.com.crt; ssl_certificate /etc/jitsi/meet/jitsi-meet.example.com.crt;
ssl_certificate_key /etc/jitsi/meet/jitsi-meet.example.com.key; ssl_certificate_key /etc/jitsi/meet/jitsi-meet.example.com.key;
@ -50,36 +79,52 @@ server {
gzip_proxied no-cache no-store private expired auth; gzip_proxied no-cache no-store private expired auth;
gzip_min_length 512; gzip_min_length 512;
include /etc/jitsi/meet/jaas/*.conf;
location = /config.js { location = /config.js {
alias /etc/jitsi/meet/jitsi-meet.example.com-config.js; alias $config_js_location;
} }
location = /external_api.js { location = /external_api.js {
alias /usr/share/jitsi-meet/libs/external_api.min.js; alias /usr/share/jitsi-meet/libs/external_api.min.js;
} }
#ensure all static content can always be found first location = /_api/room-info {
location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$ proxy_pass http://prosody/room-info?prefix=$prefix&$args;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
}
location ~ ^/_api/public/(.*)$ {
autoindex off;
alias /etc/jitsi/meet/public/$1;
}
# ensure all static content can always be found first
location ~ ^/(libs|css|static|images|fonts|lang|sounds|.well-known)/(.*)$
{ {
add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Origin' '*';
alias /usr/share/jitsi-meet/$1/$2; alias /usr/share/jitsi-meet/$1/$2;
# cache all versioned files # cache all versioned files
if ($arg_v) { if ($arg_v) {
expires 1y; expires 1y;
} }
} }
# BOSH # BOSH
location = /http-bind { location = /http-bind {
proxy_pass http://localhost:5280/http-bind; proxy_pass http://$prosody_node/http-bind?prefix=$prefix&$args;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header Connection "";
} }
# xmpp websockets # xmpp websockets
location = /xmpp-websocket { location = /xmpp-websocket {
proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args; proxy_pass http://$prosody_node/xmpp-websocket?prefix=$prefix&$args;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
@ -89,34 +134,53 @@ server {
# colibri (JVB) websockets for jvb1 # colibri (JVB) websockets for jvb1
location ~ ^/colibri-ws/default-id/(.*) { location ~ ^/colibri-ws/default-id/(.*) {
proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/$1$is_args$args; proxy_pass http://jvb1/colibri-ws/default-id/$1$is_args$args;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
tcp_nodelay on; tcp_nodelay on;
}
# load test minimal client, uncomment when used
#location ~ ^/_load-test/([^/?&:'"]+)$ {
# rewrite ^/_load-test/(.*)$ /load-test/index.html break;
#}
#location ~ ^/_load-test/libs/(.*)$ {
# add_header 'Access-Control-Allow-Origin' '*';
# alias /usr/share/jitsi-meet/load-test/libs/$1;
#}
location ~ ^/conference-request/v1(\/.*)?$ {
proxy_pass http://127.0.0.1:8888/conference-request/v1$1;
add_header "Cache-Control" "no-cache, no-store";
add_header 'Access-Control-Allow-Origin' '*';
}
location ~ ^/([^/?&:'"]+)/conference-request/v1(\/.*)?$ {
rewrite ^/([^/?&:'"]+)/conference-request/v1(\/.*)?$ /conference-request/v1$2;
} }
location ~ ^/([^/?&:'"]+)$ { location ~ ^/([^/?&:'"]+)$ {
set $roomname "$1";
try_files $uri @root_path; try_files $uri @root_path;
} }
location @root_path { location @root_path {
rewrite ^/(.*)$ / break; rewrite ^/(.*)$ /$custom_index break;
} }
location ~ ^/([^/?&:'"]+)/config.js$ location ~ ^/([^/?&:'"]+)/config.js$
{ {
set $subdomain "$1.";
set $subdir "$1/";
alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
}
#Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
location ~ ^/([^/?&:'"]+)/(.*)$ {
set $subdomain "$1."; set $subdomain "$1.";
set $subdir "$1/"; set $subdir "$1/";
rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
alias $config_js_location;
}
# Matches /(TENANT)/pwa-worker.js or /(TENANT)/manifest.json to rewrite to / and look for file
location ~ ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ {
set $subdomain "$1.";
set $subdir "$1/";
rewrite ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ /$2;
} }
# BOSH for subdomains # BOSH for subdomains
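Review bot: `set $roomname "$1";` is added in the single-segment location but nothing in this file reads `$roomname`; if it is meant for SSI in index.html or for access logging, a one-line comment saying so keeps it from being removed later as dead configuration.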
@ -136,4 +200,19 @@ server {
rewrite ^/(.*)$ /xmpp-websocket; rewrite ^/(.*)$ /xmpp-websocket;
} }
location ~ ^/([^/?&:'"]+)/_api/room-info {
set $subdomain "$1.";
set $subdir "$1/";
set $prefix "$1";
rewrite ^/(.*)$ /_api/room-info;
}
# Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
location ~ ^/([^/?&:'"]+)/(.*)$ {
set $subdomain "$1.";
set $subdir "$1/";
rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
}
} }

View file

@ -0,0 +1,223 @@
#!/bin/sh -eu
# Source:
# https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example
FOCUS_USER="focus"
JITSI_DOMAIN="${JITSI_DOMAIN:-${JITSI_HOST:?}}"
# PROSODY_MAIN_CONFIG: defined in __jitsi_meet, empty in __jitsi_meet_domain
PROSODY_SECUREDOMAIN_START="--[["
PROSODY_SECUREDOMAIN_END="--]]"
if [ -n "${PROSODY_MAIN_CONFIG}" ]; then
PROSODY_MAIN_START=""
PROSODY_MAIN_END=""
PROSODY_DOMAIN_START="--[["
PROSODY_DOMAIN_END="--]]"
else
PROSODY_MAIN_START="--[["
PROSODY_MAIN_END="--]]"
PROSODY_DOMAIN_START=""
PROSODY_DOMAIN_END=""
if [ -n "${SECURED_DOMAINS}" ]; then
PROSODY_SECUREDOMAIN_START=""
PROSODY_SECUREDOMAIN_END=""
fi
fi
# Websockets haven't been fully tested in this type and don't work reliably
PROSODY_WEBSOCKET="-- "
# shellcheck disable=SC2034 # This is intended to be included
PROSODY_CONFIG="$(cat <<EOFPROSODY
-- Managed remotely, changes will be lost
${PROSODY_MAIN_START}
-- This will be managed by __jitsi_meet
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "${JITSI_HOST:?}";
external_service_secret = "${TURN_SECRET:-TurnSecret}";
external_services = {
{ type = "stun", host = "${JITSI_HOST:?}", port = 3478 },
{ type = "turn", host = "${JITSI_HOST:?}", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
{ type = "turns", host = "${JITSI_HOST:?}", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};
cross_domain_bosh = false;
consider_bosh_secure = true;
-- Use websockets
-- https://community.jitsi.org/t/how-to-how-to-enable-websockets-xmpp-websocket-and-smacks-for-prosody/87920
${PROSODY_WEBSOCKET}consider_websocket_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284
-- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
--http_cors_override = {
-- bosh = {
-- enabled = false;
-- };
-- websocket = {
-- enabled = false;
-- };
--}
-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
protocol = "tlsv1_2+";
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}
unlimited_jids = {
"${FOCUS_USER:?}@auth.${JITSI_HOST:?}",
"jvb@auth.${JITSI_HOST:?}"
}
${PROSODY_MAIN_END}
${PROSODY_DOMAIN_START}
-- This will be managed by __jitsi_meet_domain
VirtualHost "${JITSI_DOMAIN:?}"
authentication = "jitsi-anonymous" -- do not delete me
-- Properties below are modified by jitsi-meet-tokens package config
-- and authentication above is switched to "token"
--app_id="example_app_id"
--app_secret="example_app_secret"
-- Assign this host a certificate for TLS, otherwise it would use the one
-- set in the global section (if any).
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
-- use the global one.
ssl = {
key = "/etc/prosody/certs/${JITSI_DOMAIN:?}.key";
certificate = "/etc/prosody/certs/${JITSI_DOMAIN:?}.crt";
}
av_moderation_component = "avmoderation.${JITSI_DOMAIN:?}"
speakerstats_component = "speakerstats.${JITSI_DOMAIN:?}"
end_conference_component = "endconference.${JITSI_DOMAIN:?}"
-- we need bosh
modules_enabled = {
"bosh";
"ping"; -- Enable mod_ping
"speakerstats";
"external_services";
"conference_duration";
"end_conference";
"muc_lobby_rooms";
"muc_breakout_rooms";
"av_moderation";
"room_metadata";
${PROSODY_WEBSOCKET} "websocket";
${PROSODY_WEBSOCKET} "smacks";
}
smacks_max_unacked_stanzas = 5;
smacks_hibernation_time = 60;
smacks_max_hibernated_sessions = 1;
smacks_max_old_sessions = 1;
c2s_require_encryption = false
lobby_muc = "lobby.${JITSI_DOMAIN:?}"
breakout_rooms_muc = "breakout.${JITSI_DOMAIN:?}"
room_metadata_component = "metadata.${JITSI_DOMAIN:?}"
main_muc = "conference.${JITSI_DOMAIN:?}"
-- muc_lobby_whitelist = { "recorder.${JITSI_DOMAIN:?}" } -- Here we can whitelist jibri to enter lobby enabled rooms
Component "conference.${JITSI_DOMAIN:?}" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_hide_all";
"muc_meeting_id";
"muc_domain_mapper";
"polls";
--"token_verification";
"muc_rate_limit";
"muc_password_whitelist";
}
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
muc_password_whitelist = {
"${FOCUS_USER:?}@auth.${JITSI_HOST:?}"
}
muc_room_locking = false
muc_room_default_public_jids = true
Component "breakout.${JITSI_DOMAIN:?}" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_hide_all";
"muc_meeting_id";
"muc_domain_mapper";
"muc_rate_limit";
"polls";
}
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
muc_room_locking = false
muc_room_default_public_jids = true
-- internal muc component
Component "internal.auth.${JITSI_DOMAIN:?}" "muc"
storage = "memory"
modules_enabled = {
"muc_hide_all";
"ping";
}
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}", "jvb@auth.${JITSI_HOST:?}" }
muc_room_locking = false
muc_room_default_public_jids = true
-- https://prosody.im/doc/modules/mod_muc
muc_room_cache_size = 1000
${PROSODY_DOMAIN_END}
${PROSODY_MAIN_START}
-- This will be managed by __jitsi_meet
VirtualHost "auth.${JITSI_DOMAIN:?}"
ssl = {
key = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.key";
certificate = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.crt";
}
modules_enabled = {
"limits_exception";
}
authentication = "internal_hashed"
${PROSODY_MAIN_END}
${PROSODY_DOMAIN_START}
-- This will be managed by __jitsi_meet_domain
-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
Component "focus.${JITSI_DOMAIN:?}" "client_proxy"
-- Single focus user for the whole instance
target_address = "${FOCUS_USER:?}@auth.${JITSI_HOST:?}"
Component "speakerstats.${JITSI_DOMAIN:?}" "speakerstats_component"
muc_component = "conference.${JITSI_DOMAIN:?}"
Component "endconference.${JITSI_DOMAIN:?}" "end_conference"
muc_component = "conference.${JITSI_DOMAIN:?}"
Component "avmoderation.${JITSI_DOMAIN:?}" "av_moderation_component"
muc_component = "conference.${JITSI_DOMAIN:?}"
Component "lobby.${JITSI_DOMAIN:?}" "muc"
storage = "memory"
restrict_room_creation = true
muc_room_locking = false
muc_room_default_public_jids = true
modules_enabled = {
"muc_hide_all";
"muc_rate_limit";
"polls";
}
Component "metadata.${JITSI_DOMAIN:?}" "room_metadata_component"
muc_component = "conference.${JITSI_DOMAIN:?}"
breakout_rooms_component = "breakout.${JITSI_DOMAIN:?}"
${PROSODY_DOMAIN_END}
${PROSODY_SECUREDOMAIN_START}
-- Only used on secured domains
VirtualHost "${JITSI_DOMAIN}"
authentication = "internal_plain"
VirtualHost "guest.${JITSI_DOMAIN}"
authentication = "anonymous"
c2s_require_encryption = false
${PROSODY_SECUREDOMAIN_END}
EOFPROSODY
)"
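Review bot: `external_service_secret = "${TURN_SECRET:-TurnSecret}";` silently falls back to the fixed string `TurnSecret` when TURN_SECRET is unset, so a misconfigured run ends up with a guessable TURN shared secret instead of an error; use `${TURN_SECRET:?}` like `JITSI_HOST` and `FOCUS_USER` so generation fails loudly. The script also runs under `#!/bin/sh -eu` but expands `${PROSODY_MAIN_CONFIG}` and `${SECURED_DOMAINS}` without a default; the header only promises PROSODY_MAIN_CONFIG is "empty" for __jitsi_meet_domain and does not mention SECURED_DOMAINS at all, so if either is unset rather than empty, `-u` aborts the type. `${PROSODY_MAIN_CONFIG:-}` and `${SECURED_DOMAINS:-}` make the intent explicit.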

View file

@ -0,0 +1,151 @@
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "jitmeet.example.com";
external_service_secret = "__turnSecret__";
external_services = {
{ type = "stun", host = "jitmeet.example.com", port = 3478 },
{ type = "turn", host = "jitmeet.example.com", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
{ type = "turns", host = "jitmeet.example.com", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};
cross_domain_bosh = false;
consider_bosh_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284
-- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
--http_cors_override = {
-- bosh = {
-- enabled = false;
-- };
-- websocket = {
-- enabled = false;
-- };
--}
-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
protocol = "tlsv1_2+";
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}
unlimited_jids = {
"focusUser@auth.jitmeet.example.com",
"jvb@auth.jitmeet.example.com"
}
VirtualHost "jitmeet.example.com"
authentication = "jitsi-anonymous" -- do not delete me
-- Properties below are modified by jitsi-meet-tokens package config
-- and authentication above is switched to "token"
--app_id="example_app_id"
--app_secret="example_app_secret"
-- Assign this host a certificate for TLS, otherwise it would use the one
-- set in the global section (if any).
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
-- use the global one.
ssl = {
key = "/etc/prosody/certs/jitmeet.example.com.key";
certificate = "/etc/prosody/certs/jitmeet.example.com.crt";
}
av_moderation_component = "avmoderation.jitmeet.example.com"
speakerstats_component = "speakerstats.jitmeet.example.com"
end_conference_component = "endconference.jitmeet.example.com"
-- we need bosh
modules_enabled = {
"bosh";
"ping"; -- Enable mod_ping
"speakerstats";
"external_services";
"conference_duration";
"end_conference";
"muc_lobby_rooms";
"muc_breakout_rooms";
"av_moderation";
"room_metadata";
}
c2s_require_encryption = false
lobby_muc = "lobby.jitmeet.example.com"
breakout_rooms_muc = "breakout.jitmeet.example.com"
room_metadata_component = "metadata.jitmeet.example.com"
main_muc = "conference.jitmeet.example.com"
-- muc_lobby_whitelist = { "recorder.jitmeet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
Component "conference.jitmeet.example.com" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_hide_all";
"muc_meeting_id";
"muc_domain_mapper";
"polls";
--"token_verification";
"muc_rate_limit";
"muc_password_whitelist";
}
admins = { "focusUser@auth.jitmeet.example.com" }
muc_password_whitelist = {
"focusUser@auth.jitmeet.example.com"
}
muc_room_locking = false
muc_room_default_public_jids = true
Component "breakout.jitmeet.example.com" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_hide_all";
"muc_meeting_id";
"muc_domain_mapper";
"muc_rate_limit";
"polls";
}
admins = { "focusUser@auth.jitmeet.example.com" }
muc_room_locking = false
muc_room_default_public_jids = true
-- internal muc component
Component "internal.auth.jitmeet.example.com" "muc"
storage = "memory"
modules_enabled = {
"muc_hide_all";
"ping";
}
admins = { "focusUser@auth.jitmeet.example.com", "jvb@auth.jitmeet.example.com" }
muc_room_locking = false
muc_room_default_public_jids = true
VirtualHost "auth.jitmeet.example.com"
modules_enabled = {
"limits_exception";
}
authentication = "internal_hashed"
-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
Component "focus.jitmeet.example.com" "client_proxy"
target_address = "focusUser@auth.jitmeet.example.com"
Component "speakerstats.jitmeet.example.com" "speakerstats_component"
muc_component = "conference.jitmeet.example.com"
Component "endconference.jitmeet.example.com" "end_conference"
muc_component = "conference.jitmeet.example.com"
Component "avmoderation.jitmeet.example.com" "av_moderation_component"
muc_component = "conference.jitmeet.example.com"
Component "lobby.jitmeet.example.com" "muc"
storage = "memory"
restrict_room_creation = true
muc_room_locking = false
muc_room_default_public_jids = true
modules_enabled = {
"muc_hide_all";
"muc_rate_limit";
"polls";
}
Component "metadata.jitmeet.example.com" "room_metadata_component"
muc_component = "conference.jitmeet.example.com"
breakout_rooms_component = "breakout.jitmeet.example.com"
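Review bot: this file is a verbatim copy of the upstream Prosody example (the generator script credits `doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example`) but carries no header saying so, nor the jitsi-meet version it was taken from (2.0.9457 per this commit); add both as a leading `--` comment so the next update can be diffed against the right upstream revision, and state whether the type consumes this file or keeps it only as a reference.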

View file

@ -11,14 +11,24 @@ DESCRIPTION
----------- -----------
This type installs and configures the frontend for Jitsi-Meet. This type installs and configures the frontend for Jitsi-Meet.
This supports "multi-domain" installations, notice that in such a setup, all Additionally to regular Jitsi-Meet, users can load `DOMAIN/i/` and
rooms are shared across the different URLs, e.g. `DOMAIN/i/ROOM` for an interpreter-enabled interface; this is done with a
https://jitsi1.example.org/room1 and https://jitsi2.example.org/room1 are patched version of Jitsi Simultaneous Interpretation (jsi; see references).
equivalent. At least a user with `interpreter` in their name must be present.
This type supports "multi-domain" installations.
New in April 2022: rooms are independent for each domain, that is:
https://jitsi1.example.org/room1 and https://jitsi2.example.org/room1 are
different rooms.
Note however, that right now if using secured domains, users are still shared
across any domains hosted in the same instance.
One way to work around that could be to run multiple jicofos, but we do not
want to bloat the servers.
A better way is to patch jicofo, get in touch with the type authors if you want
the gory details.
This is due to the underlying XMPP and signaling rooms being common.
There might be a way to perform tricks on the Nginx-side to avoid this, but
time is lacking :-).
This assumes `__jitsi_meet` has already been ran on the target host, and, This assumes `__jitsi_meet` has already been ran on the target host, and,
amongst others, that Jitsi was set up with `__target_host` as the Jitsi domain. amongst others, that Jitsi was set up with `__target_host` as the Jitsi domain.
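Review bot: the "secured domains" caveat deserves to be stated as a security property rather than an aside: with authentication enabled, an account created for one domain can authenticate to every other domain hosted on the same instance (the XMPP and signalling rooms are common), so operators who rely on per-domain user separation need to know this before enabling secured domains. Two smaller points in the same hunk: "At least a user with `interpreter` in their name must be present" should say where (in the room, presumably) for the interpreter interface to work, and the unchanged line "has already been ran" should read "has already been run".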
@ -41,6 +51,11 @@ admin-email
OPTIONAL PARAMETERS OPTIONAL PARAMETERS
------------------- -------------------
analytics-settings
This goes inside the `analytics` part of `config.js`.
Defaults to: `disabled: true`.
See: https://github.com/jitsi/jitsi-meet/blob/master/config.js
channel-last-n channel-last-n
Default value for the "last N" attribute. Default value for the "last N" attribute.
Defaults to 20. Set to -1 for unlimited. Defaults to 20. Set to -1 for unlimited.
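Review bot: analytics-settings is spliced verbatim into the `analytics` object of `config.js`, so like `video-constraints` it needs the same caveat: the value must be a valid JavaScript object body and must not end with a trailing comma, otherwise the whole client config fails to parse. The `disabled: true` default is the right one (no telemetry unless explicitly enabled); consider saying so in the description.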
@ -60,6 +75,10 @@ start-video-muted
Defaults to 10. Defaults to 10.
state
Whether the domain is 'present' or 'absent', defaults to 'present'.
turn-server turn-server
The TURN server to be used. The TURN server to be used.
Defaults to `__target_host`. Defaults to `__target_host`.
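Review bot: the state description should list what 'absent' actually removes (the nginx virtual host, the Let's Encrypt certificate, the per-domain config.js and interface_config.js, and the prosody configuration and its conf.d symlink), since an operator reading this will want to know whether certificates and prosody state are torn down with the domain.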
@ -74,6 +93,15 @@ video-constraints
It must not have a trailing comma, see `constraints` in It must not have a trailing comma, see `constraints` in
`__jitsi_meet_domain/files/config.js.sh`. `__jitsi_meet_domain/files/config.js.sh`.
branding-app-name
This will change `Jitsi Meet` in many places to the brand you desire.
Defaults to `Jitsi Meet`.
branding-extra-body
This must be valid HTML, it will be included server-side and delivered to
clients alongside the default `index.html`.
This is useful if you would rather not replace the whole `index`, but
still want the chance to do some heavier branding / add instructions / etc.
branding-json branding-json
Path to a JSON file that will be served as the `dynamicBrandingUrl`. Path to a JSON file that will be served as the `dynamicBrandingUrl`.
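Review bot: branding-extra-body is delivered unescaped inside `index.html` on the meeting domain, so any script or markup in it runs with the full privileges of the Jitsi origin, and the type does not check that it is valid HTML. The description should say that the content must come from a trusted source (the operator) and that no sanitisation is performed.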
@ -81,14 +109,12 @@ branding-json
`__jitsi_meet_domain/files/config.js.sh`. `__jitsi_meet_domain/files/config.js.sh`.
If not set, no branding will be set up. If not set, no branding will be set up.
branding-index branding-index
Path to an HTML file that will be served instead of Jitsi-Meet's default Path to an HTML file that will be served instead of Jitsi-Meet's default
one. one.
If not set, the default index file will be used. If not set, the default index file will be used.
If set to `-`, the type's standard input will be used. If set to `-`, the type's standard input will be used.
branding-watermark branding-watermark
Path to a png file that will be served instead of Jitsi-Meet's default Path to a png file that will be served instead of Jitsi-Meet's default
one. one.
@ -143,6 +169,7 @@ SEE ALSO
-------- --------
- `__jitsi_meet(7)` - `__jitsi_meet(7)`
- `__jitsi_meet_user(7)` - `__jitsi_meet_user(7)`
- Jitsi Meet Simultaneous Interpretation: https://gitlab.com/mfmt/jsi
AUTHORS AUTHORS

View file

@ -18,9 +18,12 @@ NOTICE_MESSAGE="$(cat "${__object}/parameter/notice-message")"
START_VIDEO_MUTED="$(cat "${__object}/parameter/start-video-muted")" START_VIDEO_MUTED="$(cat "${__object}/parameter/start-video-muted")"
TURN_SERVER="$(cat "${__object}/parameter/turn-server")" TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
VIDEO_CONSTRAINTS="$(cat "${__object}/parameter/video-constraints")" VIDEO_CONSTRAINTS="$(cat "${__object}/parameter/video-constraints")"
ANALYTICS_SETTINGS="$(cat "${__object}/parameter/analytics-settings")"
BRANDING_APP_NAME="$(cat "${__object}/parameter/branding-app-name")"
BRANDING_INDEX="$(cat "${__object}/parameter/branding-index")" BRANDING_INDEX="$(cat "${__object}/parameter/branding-index")"
BRANDING_JSON="$(cat "${__object}/parameter/branding-json")" BRANDING_JSON="$(cat "${__object}/parameter/branding-json")"
BRANDING_WATERMARK="$(cat "${__object}/parameter/branding-watermark")" BRANDING_WATERMARK="$(cat "${__object}/parameter/branding-watermark")"
STATE="$(cat "${__object}/parameter/state")"
if [ "${BRANDING_INDEX}" = "-" ]; then if [ "${BRANDING_INDEX}" = "-" ]; then
BRANDING_INDEX="${__object}/stdin" BRANDING_INDEX="${__object}/stdin"
@ -47,11 +50,31 @@ if [ -n "${BRANDING_JSON}" ]; then
DYNAMIC_BRANDING_URL="/branding.json" DYNAMIC_BRANDING_URL="/branding.json"
fi fi
case "${STATE}" in
present)
# When adding the domain, Let's Encrypt must come before nginx
le_require=""
nginx_require="__letsencrypt_cert/${DOMAIN}"
;;
absent)
# When removing, nginx must come before Let's Encrypt
le_require="__file/etc/nginx/sites-enabled/${DOMAIN}.conf"
nginx_require=""
;;
*)
cat >> /dev/stderr <<-EOM
Unsupported state '${STATE}', must be 'present' or 'absent'.
EOM
exit 1
;;
esac
# #
# Deal with certbot # Deal with certbot
# #
# use object id as domain # use object id as domain
__letsencrypt_cert "${DOMAIN}" \ require="${le_require}" __letsencrypt_cert "${DOMAIN}" \
--state "${STATE}" \
--admin-email "${ADMIN_EMAIL}" \ --admin-email "${ADMIN_EMAIL}" \
--deploy-hook "service nginx reload" \ --deploy-hook "service nginx reload" \
--webroot /usr/share/jitsi-meet --webroot /usr/share/jitsi-meet
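Review bot: `cat >> /dev/stderr <<-EOM` should be `>&2`, which is what the rest of this repository uses (e.g. `echo "..." >&2` in the synapse manifest); `<<-` also only strips leading tabs, so if the message body is indented with spaces the indentation ends up in the error text. The require inversion itself (nginx after the certificate on 'present', certificate after the nginx file on 'absent') is correct and worth keeping the two comments for.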
@ -59,8 +82,9 @@ __letsencrypt_cert "${DOMAIN}" \
# Create virtualhost for nginx # Create virtualhost for nginx
# shellcheck source=type/__jitsi_meet_domain/files/nginx.sh # shellcheck source=type/__jitsi_meet_domain/files/nginx.sh
. "${__type}/files/nginx.sh" # This defines JITSI_NGINX_CONFIG . "${__type}/files/nginx.sh" # This defines JITSI_NGINX_CONFIG
require="__letsencrypt_cert/${DOMAIN}" __file \ require="${nginx_require}" __file \
"/etc/nginx/sites-enabled/${DOMAIN}.conf" \ "/etc/nginx/sites-enabled/${DOMAIN}.conf" \
--state "${STATE}" \
--mode 0644 --source "-" <<EOF --mode 0644 --source "-" <<EOF
${JITSI_NGINX_CONFIG} ${JITSI_NGINX_CONFIG}
EOF EOF
@ -69,6 +93,7 @@ EOF
# shellcheck source=type/__jitsi_meet_domain/files/config.js.sh # shellcheck source=type/__jitsi_meet_domain/files/config.js.sh
. "${__type}/files/config.js.sh" # This defines JITSI_CONFIG_JS . "${__type}/files/config.js.sh" # This defines JITSI_CONFIG_JS
__file "/etc/jitsi/meet/${DOMAIN}-config.js" \ __file "/etc/jitsi/meet/${DOMAIN}-config.js" \
--state "${STATE}" \
--mode 0644 --source "-" <<EOF --mode 0644 --source "-" <<EOF
${JITSI_CONFIG_JS} ${JITSI_CONFIG_JS}
EOF EOF
@ -77,6 +102,7 @@ EOF
# shellcheck source=type/__jitsi_meet_domain/files/interface_config.js.sh # shellcheck source=type/__jitsi_meet_domain/files/interface_config.js.sh
. "${__type}/files/interface_config.js.sh" # This defines JITSI_CONFIG_JS . "${__type}/files/interface_config.js.sh" # This defines JITSI_CONFIG_JS
__file "/etc/jitsi/meet/${DOMAIN}-interface_config.js" \ __file "/etc/jitsi/meet/${DOMAIN}-interface_config.js" \
--state "${STATE}" \
--mode 0644 --source "-" <<EOF --mode 0644 --source "-" <<EOF
${JITSI_INTERFACE_CONFIG_JS} ${JITSI_INTERFACE_CONFIG_JS}
EOF EOF
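Review bot: the comment on the interface_config.js source line says `# This defines JITSI_CONFIG_JS`, but the variable used three lines later is `JITSI_INTERFACE_CONFIG_JS`; since this line is touched anyway, fix the comment.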
@ -87,7 +113,7 @@ EOF
# #
# Helper function to manage the state of the target branding file # Helper function to manage the state of the target branding file
_var_state() { _var_state() {
if [ -n "${1}" ]; then if [ "${STATE}" = "present" ] && [ -n "${1}" ]; then
echo "present" echo "present"
else else
echo "absent" echo "absent"
@ -106,3 +132,43 @@ __file "/usr/share/jitsi-meet/images/watermark-${DOMAIN}.png" \
--mode 0644 \ --mode 0644 \
--state "$(_var_state "${BRANDING_WATERMARK}")" \ --state "$(_var_state "${BRANDING_WATERMARK}")" \
--source "${BRANDING_WATERMARK}" --source "${BRANDING_WATERMARK}"
# Simple body customisation
__file "/usr/share/jitsi-meet/body-${DOMAIN}.html" \
--mode 0644 \
--state "$(_var_state "${STATE}")" \
--source "${__object}/parameter/branding-extra-body"
#
# Take care of prosody settings for the domain
#
JITSI_DOMAIN="${DOMAIN}"
# Prosody settings for common components (jvb, focus, ...)
# shellcheck source=type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
. "${__type}/files/prosody.cfg.lua.sh" # This defines PROSODY_CONFIG
__file "/etc/prosody/conf.avail/${DOMAIN}.cfg.lua" \
--group prosody \
--mode 0440 \
--state "${STATE}" \
--source '-' <<EOF
${PROSODY_CONFIG}
EOF
__link "/etc/prosody/conf.d/${DOMAIN}.cfg.lua" \
--source "/etc/prosody/conf.avail/${DOMAIN}.cfg.lua" \
--state "${STATE}" \
--type symbolic
if [ "${STATE}" = "present" ]; then
export require="${require} __file/etc/prosody/conf.avail/${DOMAIN}.cfg.lua __link/etc/prosody/conf.d/${DOMAIN}.cfg.lua"
__check_messages "prosody/${DOMAIN}" \
--pattern '^(__file|__link)/etc/prosody/conf[.](avail|d)/' \
--execute "$(cat <<EOF
if [ ! -f "/var/lib/prosody/${DOMAIN}.crt" ]; then
echo | prosodyctl cert generate '${DOMAIN}';
ln -sf '/var/lib/prosody/${DOMAIN}.key' '/etc/prosody/certs/${DOMAIN}.key'
ln -sf '/var/lib/prosody/${DOMAIN}.crt' '/etc/prosody/certs/${DOMAIN}.crt'
fi
# Surprisingly, a reload is not enough
service prosody restart
EOF
)"
fi
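Review bot: `--state "$(_var_state "${STATE}")"` on the body-${DOMAIN}.html file is wrong: `_var_state` now already checks `STATE`, so passing `STATE` as the argument yields 'present' whenever the domain is present, even when `--branding-extra-body` was not given, and `--source "${__object}/parameter/branding-extra-body"` then points at a file that does not exist. Read the parameter like the other branding parameters (`BRANDING_EXTRA_BODY="$(cat ...)"`) and pass that, or test `[ -f "${__object}/parameter/branding-extra-body" ]`. Two further points on the prosody block: the `--execute` snippet generates a self-signed certificate with `prosodyctl cert generate` and creates the `/etc/prosody/certs` symlinks only when the `.crt` is first created, and nothing removes `/var/lib/prosody/${DOMAIN}.key`, `.crt` or the symlinks when the state is 'absent'; and `service prosody restart` drops every active conference on the instance each time a matching config change is applied, which the man page should state.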

View file

@ -0,0 +1 @@
disabled: true

View file

@ -0,0 +1 @@
Jitsi Meet

View file

@ -0,0 +1 @@
present

View file

@ -1,9 +1,13 @@
analytics-settings
channel-last-n channel-last-n
default-language default-language
notice-message notice-message
start-video-muted start-video-muted
turn-server turn-server
video-constraints video-constraints
branding-app-name
branding-json branding-json
branding-index branding-index
branding-extra-body
branding-watermark branding-watermark
state

View file

@ -34,12 +34,12 @@ EOF
if [ "$BRANDING_AUTH_FOOTER_LINKS" != "" ]; then if [ "$BRANDING_AUTH_FOOTER_LINKS" != "" ]; then
cat << EOF cat << EOF
"authFooterLinks": "$BRANDING_AUTH_FOOTER_LINKS", "authFooterLinks": $BRANDING_AUTH_FOOTER_LINKS,
EOF EOF
fi fi
cat << EOF cat << EOF
"welcomeBackgroundUrl": "themes/element/img/backgrounds/lake.jpg" "welcomeBackgroundUrl": "$BRANDING_WELCOME_BACKGROUND_URL"
EOF EOF
echo '},' echo '},'
} }
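Review bot: `"authFooterLinks": $BRANDING_AUTH_FOOTER_LINKS,` now splices the parameter into config.json unquoted, so a malformed value breaks the entire client configuration; validate it in the manifest (pipe it through a JSON parser and fail the run) before emitting. In the same hunk `"welcomeBackgroundUrl": "$BRANDING_WELCOME_BACKGROUND_URL"` is always emitted as a quoted string, while the man page says an array may be passed for a random pick; either emit it unquoted with the same validation or drop the array claim from the documentation.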
@ -52,7 +52,7 @@ cat << EOF
"server_name": "$DEFAULT_SERVER_NAME" "server_name": "$DEFAULT_SERVER_NAME"
}, },
"m.identity_server": { "m.identity_server": {
"base_url": "https://vector.im" "base_url": "$IDENTITY_SERVER_URL"
} }
}, },
"brand": "$BRAND", "brand": "$BRAND",
@ -85,6 +85,10 @@ cat << EOF
"url": "$COOKIE_POLICY_URL", "url": "$COOKIE_POLICY_URL",
"text": "Cookie Policy" "text": "Cookie Policy"
} }
] ],
"embeddedPages": {
"welcomeUrl": "$WELCOME_PAGE_URL",
"homeUrl": "$HOME_PAGE_URL"
}
} }
EOF EOF
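Review bot: `"homeUrl": "$HOME_PAGE_URL"` is emitted unconditionally, but the manifest only exports HOME_PAGE_URL when `--homepage` is a URL; when it is a local file (`upload_homepage=1`) or not given at all, this produces `"homeUrl": ""`. Either set HOME_PAGE_URL to the uploaded file's path in the upload branch, mirroring WELCOME_PAGE_URL, or emit the key only when the variable is non-empty.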

View file

@ -27,12 +27,28 @@ default_server_name
default_server_url default_server_url
URL of matrix homeserver to connect to, defaults to 'https://matrix-client.matrix.org'. URL of matrix homeserver to connect to, defaults to 'https://matrix-client.matrix.org'.
identity_server_url
URL of matrix identity server to connect to, defaults to 'https://vector.im'.
See element documentation
`<https://github.com/vector-im/element-web/blob/develop/docs/config.md#identity-servers>_`
for details.
owner owner
Owner of the deployed files, passed to `chown`. Defaults to 'root'. Owner of the deployed files, passed to `chown`. Defaults to 'root'.
brand brand
Web UI branding, defaults to 'Element'. Web UI branding, defaults to 'Element'.
branding_auth_header_logo_url
A logo image that is shown in the header during authentication flows.
branding_welcome_background_url
An image to use as a wallpaper outside the app during authentication flows. If an array is passed, an image is chosen randomly for each visit.
branding_auth_footer_links
a list of links to show in the authentication page footer: `[{"text": "Link
text", "url": "https://link.target"}, {"text": "Other link", ...}]`
default_country_code default_country_code
ISO 3166 alpha2 country code to use when showing country selectors, such as ISO 3166 alpha2 country code to use when showing country selectors, such as
phone number inputs. Defaults to GB. phone number inputs. Defaults to GB.
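Review bot: the identity_server_url reference uses `` `<https://...>_` `` with the trailing underscore inside the backticks, which reST will not render as a link; write it as `` `element documentation <https://github.com/vector-im/element-web/blob/develop/docs/config.md#identity-servers>`_ ``. Minor: "a list of links" should start with a capital letter like the other descriptions.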

View file

@ -25,11 +25,13 @@ INSTALL_DIR=$(cat "$__object/parameter/install_dir")
export DEFAULT_SERVER_NAME=$(cat "$__object/parameter/default_server_name") export DEFAULT_SERVER_NAME=$(cat "$__object/parameter/default_server_name")
export DEFAULT_SERVER_URL=$(cat "$__object/parameter/default_server_url") export DEFAULT_SERVER_URL=$(cat "$__object/parameter/default_server_url")
export IDENTITY_SERVER_URL=$(cat "$__object/parameter/identity_server_url")
export BRAND=$(cat "$__object/parameter/brand") export BRAND=$(cat "$__object/parameter/brand")
export DEFAULT_COUNTRY_CODE=$(cat "$__object/parameter/default_country_code") export DEFAULT_COUNTRY_CODE=$(cat "$__object/parameter/default_country_code")
export ROOM_DIRECTORY_SERVERS=$(cat "$__object/parameter/room_directory_servers") export ROOM_DIRECTORY_SERVERS=$(cat "$__object/parameter/room_directory_servers")
export PRIVACY_POLICY_URL=$(cat "$__object/parameter/privacy_policy_url") export PRIVACY_POLICY_URL=$(cat "$__object/parameter/privacy_policy_url")
export COOKIE_POLICY_URL=$(cat "$__object/parameter/cookie_policy_url") export COOKIE_POLICY_URL=$(cat "$__object/parameter/cookie_policy_url")
export BRANDING_WELCOME_BACKGROUND_URL=$(cat "$__object/parameter/branding_welcome_background_url")
if [ -f "$__object/parameter/jitsi_domain" ]; then if [ -f "$__object/parameter/jitsi_domain" ]; then
export JITSI_DOMAIN=$(cat "$__object/parameter/jitsi_domain") export JITSI_DOMAIN=$(cat "$__object/parameter/jitsi_domain")
@ -44,14 +46,24 @@ if [ -f "$__object/parameter/branding_auth_footer_links" ]; then
fi fi
if [ -f "$__object/parameter/homepage" ]; then if [ -f "$__object/parameter/homepage" ]; then
export EMBED_HOMEPAGE=1
homepage=$(cat "$__object/parameter/homepage") homepage=$(cat "$__object/parameter/homepage")
if [ -f "$homepage" ]; then
upload_homepage=1
else
export HOME_PAGE_URL=$homepage
fi
fi fi
WELCOME_PAGE_URL="welcome.html"
if [ -f "$__object/parameter/welcomepage" ]; then if [ -f "$__object/parameter/welcomepage" ]; then
export EMBED_WELCOMEPAGE=1
welcomepage=$(cat "$__object/parameter/welcomepage") welcomepage=$(cat "$__object/parameter/welcomepage")
if [ -f welcomepage ]; then
export UPLOAD_WELCOMEPAGE=1
else
WELCOME_PAGE_URL=$welcomepage
fi
fi fi
export WELCOME_PAGE_URL
if [ -f "$__object/parameter/custom_asset" ]; then if [ -f "$__object/parameter/custom_asset" ]; then
"$__object/parameter/custom_asset" | while IFS= read -r file; do "$__object/parameter/custom_asset" | while IFS= read -r file; do
@ -91,14 +103,14 @@ require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/config.json"
--mode 0664 \ --mode 0664 \
--state present --state present
if [ $EMBED_HOMEPAGE ]; then if [ $upload_homepage ]; then
require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/home.html" \ require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/home.html" \
--source "$homepage" \ --source "$homepage" \
--mode 0664 \ --mode 0664 \
--state present --state present
fi fi
if [ $EMBED_WELCOMEPAGE ]; then if [ $upload_welcomepage ]; then
require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/welcome.html" \ require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/welcome.html" \
--source "$welcomepage" \ --source "$welcomepage" \
--mode 0664 \ --mode 0664 \
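Review bot: `if [ $upload_welcomepage ]` tests a variable that nothing sets: the branch above exports `UPLOAD_WELCOMEPAGE=1` (different case), and its test `[ -f welcomepage ]` is missing the `$`, so it looks for a literal file named welcomepage in the working directory. As written the welcome page is never uploaded. Use one name (`upload_welcomepage`, as for `upload_homepage`), fix the `$`, and prefer `[ -n "$upload_homepage" ]` over the unquoted `[ $upload_homepage ]` form. Unrelated but visible in the context: `"$__object/parameter/custom_asset" | while ...` executes the parameter file instead of reading it; that should be `cat`.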

View file

@ -0,0 +1 @@
themes/element/img/backgrounds/lake.jpg

View file

@ -1,5 +1,6 @@
default_server_url default_server_url
default_server_name default_server_name
identity_server_url
brand brand
default_country_code default_country_code
privacy_policy_url privacy_policy_url
@ -11,3 +12,4 @@ welcomepage
jitsi_domain jitsi_domain
branding_auth_header_logo_url branding_auth_header_logo_url
branding_auth_footer_links branding_auth_footer_links
branding_welcome_background_url

View file

@ -448,7 +448,7 @@ retention:
# matter much because Synapse doesn't take it into account yet. # matter much because Synapse doesn't take it into account yet.
# #
default_policy: default_policy:
min_lifetime: 1d min_lifetime: ${MESSAGE_RETENTION_POLICY_MIN_LIFETIME:?}
max_lifetime: ${MESSAGE_RETENTION_POLICY_MAX_LIFETIME:?} max_lifetime: ${MESSAGE_RETENTION_POLICY_MAX_LIFETIME:?}
# Retention policy limits. If set, and the state of a room contains a # Retention policy limits. If set, and the state of a room contains a
@ -1175,14 +1175,26 @@ fi
cat << EOF cat << EOF
# The shared secret used to compute passwords for the TURN server # The shared secret used to compute passwords for the TURN server
# #
turn_shared_secret: "$TURN_SHARED_SECRET" EOF
if [ -n "$TURN_SHARED_SECRET" ]; then
echo "turn_shared_secret: \"$TURN_SHARED_SECRET\""
fi
cat << EOF
# The Username and password if the TURN server needs them and # The Username and password if the TURN server needs them and
# does not use a token # does not use a token
# #
#turn_username: "TURNSERVER_USERNAME" EOF
#turn_password: "TURNSERVER_PASSWORD"
if [ -n "$TURN_USERNAME" ] || [ "$TURN_PASSWORD" ]; then
cat <<- EOF
turn_username: "$TURN_USERNAME"
turn_password: "$TURN_PASSWORD"
EOF
fi
cat << EOF
# How long generated TURN credentials last # How long generated TURN credentials last
# #
turn_user_lifetime: ${TURN_USER_LIFETIME:?} turn_user_lifetime: ${TURN_USER_LIFETIME:?}
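Review bot: `[ -n "$TURN_USERNAME" ] || [ "$TURN_PASSWORD" ]` mixes test forms (use `-n` for both), and with `||` a value for only one of the two emits the other as an empty string in homeserver.yaml; either require both in the manifest or use `&&` here. `cat <<- EOF` also differs from the plain `<<` used by every surrounding heredoc and only strips leading tabs, so stray indentation would break the YAML. From a credential-handling standpoint, the shared-secret path (time-limited credentials, bounded by `turn_user_lifetime`) is preferable to a static username/password in the config file; the man page could say so.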
@ -1322,7 +1334,7 @@ fi
cat << EOF cat << EOF
# Enable 3PIDs lookup requests to identity servers from this server. # Enable 3PIDs lookup requests to identity servers from this server.
# #
#enable_3pid_lookup: true enable_3pid_lookup: ${ENABLE_3PID_LOOKUPS:?}
# If set, allows registration of standard or admin accounts by anyone who # If set, allows registration of standard or admin accounts by anyone who
# has the shared secret, even if registration is otherwise disabled. # has the shared secret, even if registration is otherwise disabled.
@ -1330,9 +1342,12 @@ EOF
if [ -n "$REGISTRATION_SHARED_SECRET" ]; then if [ -n "$REGISTRATION_SHARED_SECRET" ]; then
echo "registration_shared_secret: '$REGISTRATION_SHARED_SECRET'" echo "registration_shared_secret: '$REGISTRATION_SHARED_SECRET'"
else
echo "# registration_shared_secret: 'secret'"
fi fi
cat << EOF cat << EOF
# Set the number of bcrypt rounds used to generate password hash. # Set the number of bcrypt rounds used to generate password hash.
# Larger numbers increase the work factor needed to generate the hash. # Larger numbers increase the work factor needed to generate the hash.
# The default number is 12 (which equates to 2^12 rounds). # The default number is 12 (which equates to 2^12 rounds).
@ -1353,7 +1368,13 @@ allow_guest_access: ${ALLOW_GUEST_ACCESS:?}
# (By default, no suggestion is made, so it is left up to the client.) # (By default, no suggestion is made, so it is left up to the client.)
# #
#default_identity_server: https://matrix.org #default_identity_server: https://matrix.org
EOF
if [ -n "$DEFAULT_IDENTITY_SERVER" ]; then
echo "default_identity_server: \"$DEFAULT_IDENTITY_SERVER\""
fi
cat << EOF
# Handle threepid (email/phone etc) registration and password resets through a set of # Handle threepid (email/phone etc) registration and password resets through a set of
# *trusted* identity servers. Note that this allows the configured identity server to # *trusted* identity servers. Note that this allows the configured identity server to
# reset passwords for accounts! # reset passwords for accounts!
@ -1385,7 +1406,7 @@ account_threepid_delegates:
# #
# Does not apply to server administrators. Defaults to 'true' # Does not apply to server administrators. Defaults to 'true'
# #
#enable_set_displayname: false enable_set_displayname: ${ENABLE_SET_DISPLAYNAME:?}
# Whether users are allowed to change their avatar after it has been # Whether users are allowed to change their avatar after it has been
# initially set. Useful when provisioning users based on the contents # initially set. Useful when provisioning users based on the contents
@ -1400,7 +1421,7 @@ account_threepid_delegates:
# #
# Defaults to 'true' # Defaults to 'true'
# #
#enable_3pid_changes: false enable_3pid_changes: ${ENABLE_3PID_CHANGES:?}
# Users who register on this homeserver will automatically be joined # Users who register on this homeserver will automatically be joined
# to these rooms. # to these rooms.
@ -1696,7 +1717,24 @@ saml2_config:
# local: ["saml2/idp.xml"] # local: ["saml2/idp.xml"]
# remote: # remote:
# - url: https://our_idp/metadata.xml # - url: https://our_idp/metadata.xml
EOF
if [ -n "$SAML2_IDP_METADATA_URL" ]; then
cat << EOF
metadata:
remote:
- url: "$SAML2_IDP_METADATA_URL"
EOF
fi
if [ -n "$SAML2_SP_CERT" ] || [ -n "$SAML2_SP_KEY" ]; then
cat << EOF
key_file: "$SAML2_SP_KEY"
cert_file: "$SAML2_SP_CERT"
EOF
fi
cat << EOF
# Allowed clock difference in seconds between the homeserver and IdP. # Allowed clock difference in seconds between the homeserver and IdP.
# #
# Uncomment the below to increase the accepted time difference from 0 to 3 seconds. # Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
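Review bot: `[ -n "$SAML2_SP_CERT" ] || [ -n "$SAML2_SP_KEY" ]` emits both `key_file` and `cert_file` even if only one is set; the manifest does reject that combination, but `&&` expresses the intent locally. These lines are spliced into YAML under `saml2_config:`/`sp_config:` and must carry the indentation of the commented examples (`#   local:`, `#   remote:`), which the rendered diff does not show, so double-check the heredoc bodies. Since Synapse reads `key_file` as the synapse user, the documentation should also note that the SP key should be readable only by that user.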
@ -1770,7 +1808,15 @@ saml2_config:
# The custom module's class. Uncomment to use a custom module. # The custom module's class. Uncomment to use a custom module.
# #
#module: mapping_provider.SamlMappingProvider #module: mapping_provider.SamlMappingProvider
EOF
if [ -n "$SAML2_MAPPING_PROVIDER_MODULE" ]; then
cat << EOF
module: "$SAML2_MAPPING_PROVIDER_MODULE"
EOF
fi
cat << EOF
# Custom configuration values for the module. Below options are # Custom configuration values for the module. Below options are
# intended for the built-in provider, they should be changed if # intended for the built-in provider, they should be changed if
# using a custom module. This section will be passed as a Python # using a custom module. This section will be passed as a Python
@ -1800,6 +1846,17 @@ saml2_config:
# value will be used instead. # value will be used instead.
# #
#mxid_mapping: dotreplace #mxid_mapping: dotreplace
EOF
if [ -n "$SAML2_MAPPING_PROVIDER_EXTRA_CONFIG" ]; then
echo "$SAML2_MAPPING_PROVIDER_EXTRA_CONFIG" | while IFS= read -r entry; do
cat << EOF
$entry
EOF
done
fi
cat << EOF
# In previous versions of synapse, the mapping from SAML attribute to # In previous versions of synapse, the mapping from SAML attribute to
# MXID was always calculated dynamically rather than stored in a # MXID was always calculated dynamically rather than stored in a
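Review bot: the `while IFS= read -r entry; do cat << EOF ... EOF; done` loop is equivalent to `echo "$SAML2_MAPPING_PROVIDER_EXTRA_CONFIG"` unless the heredoc body adds indentation; if indentation is the purpose, `printf '      %s\n' "$entry"` states it explicitly, otherwise drop the loop. The entries are also spliced into the YAML unvalidated, so a malformed 'key: value' breaks the whole homeserver configuration; mention that in the parameter description.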
@ -2134,7 +2191,7 @@ sso:
# You can see the default templates at: # You can see the default templates at:
# https://github.com/matrix-org/synapse/tree/master/synapse/res/templates # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
# #
#template_dir: "res/templates" template_dir: "${SSO_TEMPLATE_DIR:?}"
# JSON web token integration. The following settings can be used to make # JSON web token integration. The following settings can be used to make
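Review bot: `template_dir: "${SSO_TEMPLATE_DIR:?}"` makes the parameter mandatory for every deployment, including those without SSO, yet the man page lists sso-template-dir as optional with no default. Either ship a default (the removed comment line suggests `res/templates`) or emit the key only when the variable is non-empty.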

View file

@ -8,7 +8,7 @@ case "$os" in
synapse_conf_dir=/etc/synapse synapse_conf_dir=/etc/synapse
synapse_service=synapse synapse_service=synapse
;; ;;
debian) debian|ubuntu)
synapse_conf_dir=/etc/matrix-synapse synapse_conf_dir=/etc/matrix-synapse
synapse_service=matrix-synapse synapse_service=matrix-synapse
;; ;;

View file

@ -1,5 +1,5 @@
cdist-type__matrix_synapse(7) cdist-type__matrix_synapse(7)
====================== =============================
NAME NAME
---- ----
@ -8,7 +8,7 @@ cdist-type__matrix_synapse - Install and configure Synapse, a Matrix homeserver
DESCRIPTION DESCRIPTION
----------- -----------
This type install and configure the Synapse Matrix homeserver. This is a This type installs and configures the Synapse Matrix homeserver. This is a
signleton type. signleton type.
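Review bot: "signleton type" should be "singleton type"; fix it while this paragraph is being touched.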
@ -52,13 +52,13 @@ ldap-base-dn
Base DN of your LDAP tree. Base DN of your LDAP tree.
ldap-uid-attribute ldap-uid-attribute
LDAP attriute mapping to Synapse's uid field, default to uid. LDAP attribute mapping to Synapse's uid field, default to uid.
ldap-mail-attribute ldap-mail-attribute
LDAP attriute mapping to Synapse's mail field, default to mail. LDAP attribute mapping to Synapse's mail field, default to mail.
ldap-name-attribute ldap-name-attribute
LDAP attriute mapping to Synapse's name field, default to givenName. LDAP attribute mapping to Synapse's name field, default to givenName.
ldap-bind-dn ldap-bind-dn
User used to authenticate against your LDAP server in 'search' mode. User used to authenticate against your LDAP server in 'search' mode.
@ -81,7 +81,7 @@ smtp-host
The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
smtp-port smtp-port
# The port on the mail server for outgoing SMTP. Defaults to 25. The port on the mail server for outgoing SMTP. Defaults to 25.
smtp-user smtp-user
Username for authentication to the SMTP server. By Username for authentication to the SMTP server. By
@ -133,6 +133,14 @@ turn-uri
turn-shared-secret turn-shared-secret
Shared secret used to access the TURN REST API. Shared secret used to access the TURN REST API.
turn-username
Username used to authenticate against the TURN server if needed / a shared
secret token is not used.
turn-password
Password used to authenticate against the TURN server if needed / a shared
secret token is not used.
turn-user-lifetime turn-user-lifetime
Lifetime of TURN credentials. Defaults to 1h. Lifetime of TURN credentials. Defaults to 1h.
@ -154,6 +162,12 @@ rc-login-burst
registration-allows-email-pattern registration-allows-email-pattern
Only allow email addresses matching specified filter. Can be specified multiple times. A pattern must look like `.*@vector\.im`. Only allow email addresses matching specified filter. Can be specified multiple times. A pattern must look like `.*@vector\.im`.
disable-displayname-changes
Whether users are allowed to change their displayname after it has been initially set.
disable-3pid-changes
Whether users can change the 3PIDs associated with their accounts (email address and msisdn).
auto-join-room auto-join-room
Room where newly-registered users are automatically added. Can be specified multiple times. Room where newly-registered users are automatically added. Can be specified multiple times.
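Review bot: the descriptions of disable-displayname-changes and disable-3pid-changes describe the Synapse setting being toggled rather than the flag itself, so "Whether users are allowed to change their displayname" reads as if the flag enables the change. Suggest "Disallow users from changing their display name after it has been initially set." and "Disallow users from changing the 3PIDs (email address and msisdn) associated with their accounts."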
@ -181,6 +195,25 @@ bind-address
Address used to bind the synapse listeners. Can be specified multiple times. Address used to bind the synapse listeners. Can be specified multiple times.
Defaults to '::1' and '127.0.0.1'. Defaults to '::1' and '127.0.0.1'.
saml2-idp-metadata-url
HTTP(S) url to SAML2 Identity Provider (IdP), used for Single Sign On (SSO) logic.
saml2-sp-key
Path to PEM-formatted key file for use by PySAML2.
saml2-sp-cert
Path to PEM-formatted cert file for use by PySAML2.
saml2-mapping-provider-module
Name of custom Python module used to map SAML2 attributes to synapse internals.
saml2-mapping-provider-extra-settings
Extra YAML-formatted key/pair values provided as configuration to the SAML2
mapping provider module (e.g. 'key: value'). Can be specified multiple times.
sso-template-dir
Directory used to source SSO-related HTML templates.
extra-setting extra-setting
Arbitrary string to be added to the configuration file. Can be specified multiple times. Arbitrary string to be added to the configuration file. Can be specified multiple times.
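Review bot: the parameter is documented here as `saml2-mapping-provider-extra-settings`, but the manifest reads `$__object/parameter/saml2-mapping-provider-extra-config`; one of the two names must change or the option is silently ignored. Also document that saml2-sp-key and saml2-sp-cert must be given together (the manifest enforces this), and "used for Single Sign On (SSO) logic" probably means "login".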
@ -222,6 +255,9 @@ allow-public-rooms-without-auth
enable-server-notices enable-server-notices
Enable the server notices room. Enable the server notices room.
enable-3pid-lookups
Enable 3PIDs lookup requests to identity servers from this server.
allow-guest-access allow-guest-access
Allows users to register as guests without a password/email/etc, and Allows users to register as guests without a password/email/etc, and
participate in rooms hosted on this server which have been made accessible participate in rooms hosted on this server which have been made accessible

View file

@ -20,41 +20,24 @@
# OS-specific configuration. # OS-specific configuration.
os=$(cat "$__global/explorer/os") os=$(cat "$__global/explorer/os")
distribution=$(cat "$__global/explorer/lsb_codename")
case "$os" in case "$os" in
debian) debian|ubuntu)
synapse_user=matrix-synapse synapse_user=matrix-synapse
synapse_pkg=matrix-synapse synapse_pkg=matrix-synapse-py3
synapse_service=matrix-synapse synapse_service=matrix-synapse
ldap_auth_provider_pkg=matrix-synapse-ldap3 ldap_auth_provider_pkg=matrix-synapse-ldap3
synapse_conf_dir='/etc/matrix-synapse' synapse_conf_dir='/etc/matrix-synapse'
synapse_data_dir='/var/lib/matrix-synapse' synapse_data_dir='/var/lib/matrix-synapse'
# See https://packages.debian.org/bullseye/matrix-synapse for state of __apt_key matrix-org \
# synapse packaging in debian. --uri https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
case "$distribution" in
stretch) require="__apt_key/matrix-org" __apt_source matrix-org \
echo "The matrix-synapse package in debian stretch is outdated and unusable." >&2 --uri https://packages.matrix.org/debian/ \
exit 1 --component main
;; package_req="__apt_source/matrix-org"
buster) ;;
# Enable debian-backports for debian Buster, as the 'stable'
# matrix-synapse package is ways too old (< 1.0).
apt_target_release=buster-backports
__apt_backports
;;
bullseye|sid)
# As of writting (2021-02), the default matrix-synapse of those
# release is perfectly usable.
:
;;
*)
echo "Unknown debian release '$distribution'. Exiting" >&2
exit 1
;;
esac
;;
alpine) alpine)
synapse_user=synapse synapse_user=synapse
synapse_pkg=synapse synapse_pkg=synapse
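Review bot: `__apt_key matrix-org --uri https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg` fetches the repository signing key from the same host that serves the packages, so at first run the trust anchor for everything installed from this source reduces to the TLS connection to packages.matrix.org. Shipping the keyring file with the type (or pinning its fingerprint) decouples key trust from package download. Since the `lsb_codename` explorer read was dropped along with the per-release `case`, also confirm that `__apt_source` picks the target's codename by default, as every Debian release and Ubuntu now go through this repository.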
@ -113,7 +96,7 @@ export SERVER_NAME BASE_URL REPORT_STATS MAX_UPLOAD_SIZE EXPOSE_METRICS \
WEB_CLIENT_URL ROOM_ENCRYPTION_POLICY BIND_ADDRESSES WEB_CLIENT_URL ROOM_ENCRYPTION_POLICY BIND_ADDRESSES
if [ -f "$__object/parameter/enable-server-notices" ]; then if [ -f "$__object/parameter/enable-server-notices" ]; then
export ENABLE_SERVER_NOTICES=1 export ENABLE_SERVER_NOTICES=1
fi fi
# TLS. # TLS.
@ -189,25 +172,88 @@ ENABLE_REGISTRATIONS=$(get_boolean_for 'enable-registrations')
USER_DIRECTORY_SEARCH_ALL_USERS=$(get_boolean_for 'user-directory-search-all-users') USER_DIRECTORY_SEARCH_ALL_USERS=$(get_boolean_for 'user-directory-search-all-users')
export ALLOW_GUEST_ACCESS ENABLE_REGISTRATIONS USER_DIRECTORY_SEARCH_ALL_USERS export ALLOW_GUEST_ACCESS ENABLE_REGISTRATIONS USER_DIRECTORY_SEARCH_ALL_USERS
if [ -f "$__object/parameter/registration-shared-token" ]; then if [ -f "$__object/parameter/registration-shared-secret" ]; then
REGISTRATION_SHARED_SECRET=$(cat "$__object/parameter/registration-shared-secret") REGISTRATION_SHARED_SECRET=$(cat "$__object/parameter/registration-shared-secret")
export REGISTRATION_SHARED_SECRET export REGISTRATION_SHARED_SECRET
fi fi
if [ -f "$__object/parameter/registration-requires-email" ]; then if [ -f "$__object/parameter/registration-requires-email" ]; then
export REGISTRATION_REQUIRES_EMAIL=1 export REGISTRATION_REQUIRES_EMAIL=1
fi fi
ENABLE_SET_DISPLAYNAME='true'
if [ -f "$__object/parameter/disable-displayname-changes" ]; then
ENABLE_SET_DISPLAYNAME='false'
fi
export ENABLE_SET_DISPLAYNAME
ENABLE_3PID_CHANGES='true'
if [ -f "$__object/parameter/disable-3pid-changes" ]; then
ENABLE_3PID_CHANGES='false'
fi
export ENABLE_3PID_CHANGES
if [ -f "$__object/parameter/auto-join-room" ]; then if [ -f "$__object/parameter/auto-join-room" ]; then
AUTO_JOIN_ROOMS="$(cat "$__object/parameter/auto-join-room")" AUTO_JOIN_ROOMS="$(cat "$__object/parameter/auto-join-room")"
export AUTO_JOIN_ROOMS export AUTO_JOIN_ROOMS
fi fi
if [ -f "$__object/parameter/registration-allows-email-pattern" ]; then if [ -f "$__object/parameter/registration-allows-email-pattern" ]; then
RESGISTRATION_ALLOWS_EMAIL_PATTERN=$(cat "$__object/parameter/registration-allows-email-pattern") RESGISTRATION_ALLOWS_EMAIL_PATTERN=$(cat "$__object/parameter/registration-allows-email-pattern")
export RESGISTRATION_ALLOWS_EMAIL_PATTERN export RESGISTRATION_ALLOWS_EMAIL_PATTERN
fi fi
if [ -f "$__object/parameter/saml2-idp-metadata-url" ]; then
# Synapse fails to start while trying to parse IDP metadata if this package
# is not installed.
__package xmlsec1
SAML2_IDP_METADATA_URL=$(cat "$__object/parameter/saml2-idp-metadata-url")
export SAML2_IDP_METADATA_URL
fi
if [ -f "$__object/parameter/saml2-sp-key" ]; then
SAML2_SP_KEY=$(cat "$__object/parameter/saml2-sp-key")
export SAML2_SP_KEY
fi
if [ -f "$__object/parameter/saml2-sp-cert" ]; then
SAML2_SP_CERT=$(cat "$__object/parameter/saml2-sp-cert")
export SAML2_SP_CERT
fi
if [ -f "$__object/parameter/saml2-mapping-provider-module" ]; then
SAML2_MAPPING_PROVIDER_MODULE=$(cat "$__object/parameter/saml2-mapping-provider-module")
export SAML2_MAPPING_PROVIDER_MODULE
fi
if [ -f "$__object/parameter/saml2-mapping-provider-extra-config" ]; then
SAML2_MAPPING_PROVIDER_EXTRA_CONFIG=$(cat "$__object/parameter/saml2-mapping-provider-extra-config")
export SAML2_MAPPING_PROVIDER_EXTRA_CONFIG
fi
SSO_TEMPLATE_DIR=$(cat "$__object/parameter/sso-template-dir")
export SSO_TEMPLATE_DIR
if [ -n "$SAML2_SP_KEY" ] && [ -z "$SAML2_SP_CERT" ]; then
echo "--saml2-sp-cert must be set if --saml2-sp-key is provided." >&2
exit 1
elif [ -n "$SAML2_SP_CERT" ] && [ -z "$SAML2_SP_KEY" ]; then
echo "--saml2-sp-key must be set if --saml2-sp-cert is provided." >&2
exit 1
fi
if [ -f "$__object/parameter/default-identity-server" ]; then
DEFAULT_IDENTITY_SERVER=$(cat "$__object/parameter/default-identity-server")
export DEFAULT_IDENTITY_SERVER
fi
ENABLE_3PID_LOOKUPS='false'
if [ -f "$__object/parameter/enable-3pid-lookups" ]; then
ENABLE_3PID_LOOKUPS='true'
fi
export ENABLE_3PID_LOOKUPS
# Federation. # Federation.
ALLOW_PUBLIC_ROOMS_OVER_FEDERATION=$(get_boolean_for 'allow-public-room-over-federation') ALLOW_PUBLIC_ROOMS_OVER_FEDERATION=$(get_boolean_for 'allow-public-room-over-federation')
ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH=$(get_boolean_for 'allow-public-rooms-without-auth') ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH=$(get_boolean_for 'allow-public-rooms-without-auth')
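Review bot: the variable `RESGISTRATION_ALLOWS_EMAIL_PATTERN` (the two lines following the `registration-allows-email-pattern` check) carries a typo on both sides of the diff and only works if the homeserver.yaml template uses the identical misspelling; rename it to `REGISTRATION_ALLOWS_EMAIL_PATTERN` in the manifest and the template in the same commit. In the same hunk, `SSO_TEMPLATE_DIR=$(cat "$__object/parameter/sso-template-dir")` is read unconditionally, so it depends on the new `parameter/default/sso-template-dir` file always being present; a short comment saying the default lives there would save the next reader a search.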
@ -223,7 +269,8 @@ fi
# Message retention. # Message retention.
ENABLE_MESSAGE_RETENTION_POLICY=$(get_boolean_for 'enable-message-retention-policy') ENABLE_MESSAGE_RETENTION_POLICY=$(get_boolean_for 'enable-message-retention-policy')
MESSAGE_RETENTION_POLICY_MAX_LIFETIME=$(cat "$__object/parameter/message-max-lifetime") MESSAGE_RETENTION_POLICY_MAX_LIFETIME=$(cat "$__object/parameter/message-max-lifetime")
export ENABLE_MESSAGE_RETENTION_POLICY MESSAGE_RETENTION_POLICY_MAX_LIFETIME MESSAGE_RETENTION_POLICY_MIN_LIFETIME=$MESSAGE_RETENTION_POLICY_MAX_LIFETIME
export ENABLE_MESSAGE_RETENTION_POLICY MESSAGE_RETENTION_POLICY_MAX_LIFETIME MESSAGE_RETENTION_POLICY_MIN_LIFETIME
# Previews. # Previews.
ENABLE_URL_PREVIEW=$(get_boolean_for 'enable-url-preview') ENABLE_URL_PREVIEW=$(get_boolean_for 'enable-url-preview')
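Review bot: `MESSAGE_RETENTION_POLICY_MIN_LIFETIME=$MESSAGE_RETENTION_POLICY_MAX_LIFETIME` pins the minimum to the value of `--message-max-lifetime`, which turns the retention policy into a fixed lifetime that rooms can neither shorten nor extend. If that is intended, add a comment here and mention it in the man page entry for `message-max-lifetime`; otherwise expose a separate `--message-min-lifetime` parameter instead of aliasing the two.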
@ -263,6 +310,16 @@ if [ -f "$__object/parameter/turn-uri" ]; then
export TURN_URIS export TURN_URIS
fi fi
if [ -f "$__object/parameter/turn-username" ]; then
TURN_USERNAME=$(cat "$__object/parameter/turn-username")
export TURN_USERNAME
fi
if [ -f "$__object/parameter/turn-password" ]; then
TURN_PASSWORD=$(cat "$__object/parameter/turn-password")
export TURN_PASSWORD
fi
# Worker-mode configuration. # Worker-mode configuration.
export MAIN_LISTENER_PORT=8008 export MAIN_LISTENER_PORT=8008
export ENABLE_MEDIA_REPO='true' export ENABLE_MEDIA_REPO='true'
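Review bot: `turn-username`/`turn-password` are static TURN credentials, and the type already offers `turn-shared-secret` (see the parameter list further down); the two mechanisms are alternatives. Add a mutual-exclusion check in the style of the `--saml2-sp-key`/`--saml2-sp-cert` check above (fail if both `turn-shared-secret` and `turn-username` are given, and require username and password together) so the template never emits both and a misconfiguration is caught at `cdist config` time rather than at the first call.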
@ -296,38 +353,25 @@ export ENABLE_REPLICATION ENABLE_REDIS_SUPPORT WORKER_REPLICATION_SECRET \
case "$DATABASE_ENGINE" in case "$DATABASE_ENGINE" in
sqlite3) sqlite3)
: :
;; ;;
psycopg2) psycopg2)
when='database engine is psycopg2' when='database engine is psycopg2'
is_required_when "$DATABASE_HOST" '--database-host' "$when" is_required_when "$DATABASE_HOST" '--database-host' "$when"
is_required_when "$DATABASE_USER" '--database-user' "$when" is_required_when "$DATABASE_USER" '--database-user' "$when"
;; ;;
*) *)
echo "Invalid database engine: $DATABASE_ENGINE." >&2 echo "Invalid database engine: $DATABASE_ENGINE." >&2
exit 1 exit 1
;; ;;
esac esac
# Install OS packages. We have a bit of boilerplate to handle the debian # Install OS packages.
# backports situation. require="$package_req" __package "$synapse_pkg"
synapse_req= synapse_req="__package/$synapse_pkg"
if [ -n "$apt_target_release" ]; then
require="__apt_backports" __package_apt "$synapse_pkg" \
--target-release "$apt_target_release"
synapse_req="__package_apt/$synapse_pkg"
else
__package "$synapse_pkg"
synapse_req="__package/$synapse_pkg"
fi
if [ -n "$ENABLE_LDAP_AUTH" ]; then if [ -n "$ENABLE_LDAP_AUTH" ]; then
if [ -n "$apt_target_release" ]; then require="$package_req" __package "$ldap_auth_provider_pkg"
require="__package_apt/$synapse_pkg" __package_apt "$ldap_auth_provider_pkg" \
--target-release "$apt_target_release"
else
__package "$ldap_auth_provider_pkg"
fi
fi fi
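Review bot: the LDAP auth provider is now installed with `require="$package_req" __package "$ldap_auth_provider_pkg"`, but nothing downstream depends on it: `synapse_req` only names `__package/$synapse_pkg`, and the configuration files and service use `$synapse_req`. A run in which the provider package is installed late (or fails) can therefore deploy a `homeserver.yaml` that references an LDAP module not yet present. Append `__package/$ldap_auth_provider_pkg` to `synapse_req` inside the `if [ -n "$ENABLE_LDAP_AUTH" ]` branch, e.g. `synapse_req="$synapse_req __package/$ldap_auth_provider_pkg"`.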
# Generate and deploy configuration files. # Generate and deploy configuration files.
@ -336,13 +380,13 @@ mkdir -p "$__object/files"
"$__type/files/log.config.sh" > "$__object/files/log.config" "$__type/files/log.config.sh" > "$__object/files/log.config"
require="$synapse_req" __file "$synapse_conf_dir/homeserver.yaml" \ require="$synapse_req" __file "$synapse_conf_dir/homeserver.yaml" \
--owner $synapse_user \ --owner $synapse_user \
--mode 600 \ --mode 600 \
--source "$__object/files/homeserver.yaml" --source "$__object/files/homeserver.yaml"
require="$synapse_req" __file "$LOG_CONFIG_PATH" \ require="$synapse_req" __file "$LOG_CONFIG_PATH" \
--owner $synapse_user \ --owner $synapse_user \
--mode 600 \ --mode 600 \
--source "$__object/files/log.config" --source "$__object/files/log.config"
for directory in $DATA_DIR $LOG_DIR; do for directory in $DATA_DIR $LOG_DIR; do
require="$synapse_req" __directory $directory \ require="$synapse_req" __directory $directory \
@ -350,8 +394,8 @@ for directory in $DATA_DIR $LOG_DIR; do
--owner $synapse_user --owner $synapse_user
done done
# Make dpkg-reconfigure happy on debian systems. # Make dpkg-reconfigure happy on debian-based systems.
if [ "$os" = "debian" ]; then if [ "$os" = "debian" ] || [ "$os" = "ubuntu" ]; then
require="$synapse_req" __file "$synapse_conf_dir/conf.d/server_name.yaml" \ require="$synapse_req" __file "$synapse_conf_dir/conf.d/server_name.yaml" \
--owner $synapse_user \ --owner $synapse_user \
--source - <<- EOF --source - <<- EOF

@ -17,3 +17,6 @@ user-directory-search-all-users
enable-message-retention-policy enable-message-retention-policy
worker-mode worker-mode
enable-url-preview enable-url-preview
enable-3pid-lookups
disable-3pid-changes
disable-displayname-changes

@ -0,0 +1 @@
res/template

@ -13,6 +13,8 @@ ldap-bind-password
ldap-filter ldap-filter
turn-shared-secret turn-shared-secret
turn-user-lifetime turn-user-lifetime
turn-username
turn-password
max-upload-size max-upload-size
smtp-host smtp-host
smtp-port smtp-port
@ -34,3 +36,9 @@ background-tasks-worker
tls-cert tls-cert
tls-private-key tls-private-key
registration-shared-secret registration-shared-secret
saml2-idp-metadata-url
saml2-sp-key
saml2-sp-cert
default-identity-server
saml2-mapping-provider-module
sso-template-dir

@ -5,3 +5,4 @@ app-service-config-file
extra-setting extra-setting
bind-address bind-address
outbound-federation-worker outbound-federation-worker
saml2-mapping-provider-extra-config

@ -15,7 +15,7 @@ NotifyAccess=main
User=matrix-synapse User=matrix-synapse
WorkingDirectory=/var/lib/matrix-synapse WorkingDirectory=/var/lib/matrix-synapse
EnvironmentFile=/etc/default/matrix-synapse EnvironmentFile=/etc/default/matrix-synapse
ExecStart=/usr/bin/python3 -m synapse.app.generic_worker --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --config-path=/etc/matrix-synapse/workers/%i.yaml ExecStart=/opt/venvs/matrix-synapse/bin/python -m synapse.app.generic_worker --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --config-path=/etc/matrix-synapse/workers/%i.yaml
ExecReload=/bin/kill -HUP $MAINPID ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure Restart=on-failure
RestartSec=3 RestartSec=3
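Review bot: `ExecStart=/opt/venvs/matrix-synapse/bin/python ...` hard-codes the interpreter path of the upstream matrix.org Debian packages, which install Synapse into a virtualenv at that location; the distribution's own `matrix-synapse` package keeps using `/usr/bin/python3`, so the worker unit stops working silently if the package source changes. Either derive the path from the same variable that selects the package repository or state in the man page that the type now requires the upstream packages.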

@ -20,7 +20,7 @@
os=$(cat "$__global/explorer/os") os=$(cat "$__global/explorer/os")
case "$os" in case "$os" in
debian) debian|ubuntu)
# This type assume systemd for service installation. # This type assume systemd for service installation.
;; ;;
*) *)
@ -31,11 +31,13 @@ case "$os" in
esac esac
# Required parameters. # Required parameters.
VERSION=$(cat "$__object/parameter/version") version=$(cat "$__object/parameter/version")
if [ -f "$__object/parameter/config" ]; then if [ -f "$__object/parameter/config" ]; then
CONFIG="$(cat "$__object/parameter/config")" config="$(cat "$__object/parameter/config")"
if [ "$CONFIG" = "-" ]; then if [ "$config" = "-" ]; then
CONFIG=$(cat "$__object/stdin") mkdir -p "$__object/files"
config="$__object/files/matterbridge.toml"
cat "$__object/stdin" > "$config"
fi fi
fi fi
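Review bot: `cat "$__object/stdin" > "$config"` writes the configuration into the object directory with the umask of the cdist process, and a matterbridge configuration typically holds chat platform tokens and passwords. Create the file with restrictive permissions before filling it (`umask 077` in front of the `cat`, or `install -m 0600 /dev/null "$config"` first) so the local copy is not group- or world-readable; the deployed copy already gets `--mode 0640` below, the staging copy should match.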
@ -46,11 +48,11 @@ export USER=matterbridge
export GROUP=$USER export GROUP=$USER
# Internal variables. # Internal variables.
artefact="matterbridge-$VERSION-linux-64bit" artefact="matterbridge-$version-linux-64bit"
checksum_file="checksums.txt" checksum_file="checksums.txt"
release_download_url=https://github.com/42wim/matterbridge/releases/download release_download_url=https://github.com/42wim/matterbridge/releases/download
binary_url="$release_download_url/v$VERSION/$artefact" binary_url="$release_download_url/v$version/$artefact"
checksum_file_url="$release_download_url/v$VERSION/$checksum_file" checksum_file_url="$release_download_url/v$version/$checksum_file"
config_dir=$(dirname $CONFIG_PATH) config_dir=$(dirname $CONFIG_PATH)
systemd_unit_path='/etc/systemd/system/matterbridge.service' systemd_unit_path='/etc/systemd/system/matterbridge.service'
@ -88,7 +90,7 @@ require="__user/$USER" __directory "$config_dir" \
require="__directory/$config_dir" __file "$CONFIG_PATH" \ require="__directory/$config_dir" __file "$CONFIG_PATH" \
--owner "$USER" \ --owner "$USER" \
--mode 0640 \ --mode 0640 \
--source "$CONFIG" --source "$config"
__file "$systemd_unit_path" \ __file "$systemd_unit_path" \
--source "$__object/files/matterbridge.service" --source "$__object/files/matterbridge.service"

@ -28,6 +28,16 @@ uacme-hookscript
Custom hook passed to the __uacme_obtain type: useful to integrate the Custom hook passed to the __uacme_obtain type: useful to integrate the
dns-01 challenge with third-party DNS providers. dns-01 challenge with third-party DNS providers.
acme-url
ACMEv2 server directory object URL. Lets'Encrypt is used by default.
acme-eab-credentials
Specify RFC8555 External Account Binding credentials according to
https://tools.ietf.org/html/rfc8555#section-7.3.4, in order to associate a new
ACME account with an existing account in a non-ACME system such as a CA
customer database. KEYID must be an ASCII string. KEY must be
base64url-encoded.
EXAMPLES EXAMPLES
-------- --------
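Review bot: the `acme-eab-credentials` entry says what KEYID and KEY must look like but not how the two are combined into the single value that is passed straight through to uacme's `--eab-credentials`; state the exact separator the underlying option expects, and note that because the value travels as a command-line argument the HMAC key is visible in process listings on the target while uacme runs. Also `Lets'Encrypt` should read `Let's Encrypt`.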

@ -36,6 +36,20 @@ then
set_custom_uacme_hookscript="--hookscript $uacme_hookscript" set_custom_uacme_hookscript="--hookscript $uacme_hookscript"
fi fi
set_custom_acme_url=
if [ -f "${__object:?}/parameter/acme-url" ];
then
custom_acme_url=$(cat "${__object:?}/parameter/acme-url")
set_custom_acme_url="--acme-url $custom_acme_url"
fi
set_acme_eab_credentials=
if [ -f "${__object:?}/parameter/acme-eab-credentials" ];
then
acme_eab_credentials=$(cat "${__object:?}/parameter/acme-eab-credentials")
set_acme_eab_credentials="--eab-credentials $acme_eab_credentials"
fi
# Deploy simple HTTP vhost, allowing to serve ACME challenges. # Deploy simple HTTP vhost, allowing to serve ACME challenges.
__nginx_vhost "301-to-https-$domain" \ __nginx_vhost "301-to-https-$domain" \
--domain "$domain" --altdomains "$altdomains" --to-https --domain "$domain" --altdomains "$altdomains" --to-https
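Review bot: `set_acme_eab_credentials="--eab-credentials $acme_eab_credentials"` (and `set_custom_acme_url` above it) is expanded unquoted later, which is why the SC2086 waivers are needed; the value is split on whitespace and globbed, so a KEYID containing a space or `*` would silently arrive as extra arguments. Since each call takes at most one value per flag, build the argument list with `set -- "$@" --eab-credentials "$acme_eab_credentials"` and pass `"$@"`, which keeps the flag optional without word-splitting the secret.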
@ -46,12 +60,18 @@ if [ -f "${__object:?}/parameter/force-cert-ownership-to" ]; then
cert_ownership=$(cat "${__object:?}/parameter/force-cert-ownership-to") cert_ownership=$(cat "${__object:?}/parameter/force-cert-ownership-to")
fi fi
__uacme_account # shellcheck disable=SC2086
__uacme_account \
$set_custom_acme_url \
$set_acme_eab_credentials \
# shellcheck disable=SC2086 # shellcheck disable=SC2086
require="__nginx_vhost/301-to-https-$domain __uacme_account" \ require="__nginx_vhost/301-to-https-$domain __uacme_account" \
__uacme_obtain "$domain" \ __uacme_obtain "$domain" \
--altdomains "$altdomains" \ --altdomains "$altdomains" \
$set_custom_uacme_hookscript \ $set_custom_uacme_hookscript \
$set_custom_acme_url \
$set_acme_eab_credentials \
--owner "$cert_ownership" \ --owner "$cert_ownership" \
--install-key-to "$nginx_certdir/$domain/privkey.pem" \ --install-key-to "$nginx_certdir/$domain/privkey.pem" \
--install-cert-to "/$nginx_certdir/$domain/fullchain.pem" \ --install-cert-to "/$nginx_certdir/$domain/fullchain.pem" \
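Review bot: the last argument of the new `__uacme_account` call, `$set_acme_eab_credentials \`, ends in a line continuation, so the command only terminates because the next line is a `# shellcheck` comment; drop the trailing backslash, otherwise deleting or moving that comment would splice `require="..." __uacme_obtain ...` into the `__uacme_account` command. In the unchanged context just below, `--install-cert-to "/$nginx_certdir/..."` carries a stray leading `/` that `--install-key-to` does not.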

@ -2,4 +2,6 @@ config
domain domain
altdomains altdomains
uacme-hookscript uacme-hookscript
acme-url
acme-eab-credentials
force-cert-ownership-to force-cert-ownership-to

@ -32,7 +32,7 @@ case "$os" in
require="$install_reqs" __start_on_boot nginx require="$install_reqs" __start_on_boot nginx
export NGINX_SITEDIR="$nginx_confdir/conf.d" export NGINX_SITEDIR="$nginx_confdir/http.d"
export NGINX_CERTDIR="$nginx_confdir/ssl" export NGINX_CERTDIR="$nginx_confdir/ssl"
export NGINX_SNIPPETSDIR="$nginx_confdir/snippets" export NGINX_SNIPPETSDIR="$nginx_confdir/snippets"
export NGINX_WEBROOT="/var/www" export NGINX_WEBROOT="/var/www"
@ -158,6 +158,7 @@ for snippet in hsts 301-to-https; do
done done
# Install vhost. # Install vhost.
require="$install_reqs" __file "$NGINX_SITEDIR/$__object_id.conf" \ require="$install_reqs" __directory "$NGINX_SITEDIR"
require="__directory/$NGINX_SITEDIR" __file "$NGINX_SITEDIR/$__object_id.conf" \
--source "$vhost_conf" \ --source "$vhost_conf" \
--mode 0644 --mode 0644

@ -1,6 +1,7 @@
#!/bin/sh -e #!/bin/sh -e
# Generate an opendkim.conf(5) file for opendkim(8). # Generate an opendkim.conf(5) file for opendkim(8).
echo "# Managed remotely, manual changes will be lost."
# Optional chdir(2) # Optional chdir(2)
if [ "$BASEDIR" ]; if [ "$BASEDIR" ];
@ -33,8 +34,8 @@ then
fi fi
# Key and Domain tables # Key and Domain tables
echo 'KeyTable /etc/opendkim/KeyTable' echo "KeyTable ${CFG_DIR}/KeyTable"
echo 'SigningTable /etc/opendkim/SigningTable' echo "SigningTable ${CFG_DIR}/SigningTable"
# Required socket to listen on # Required socket to listen on
printf "Socket %s\n" "${SOCKET:?}" printf "Socket %s\n" "${SOCKET:?}"
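Review bot: `echo "KeyTable ${CFG_DIR}/KeyTable"` and the SigningTable line use `${CFG_DIR}` unguarded while the socket line uses `${SOCKET:?}`; if the manifest's `export CFG_DIR` is ever missing, the generated file silently points at `/KeyTable` and `/SigningTable`. Use `${CFG_DIR:?}` here as well so the template fails loudly instead.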

@ -14,8 +14,8 @@ installation and basic configuration of an instance of OpenDKIM.
Note that this type does not generate or ensure that a key is present: use Note that this type does not generate or ensure that a key is present: use
`cdist-type__opendkim-genkey(7)` for that. `cdist-type__opendkim-genkey(7)` for that.
Note that this type is currently only implemented for Alpine Linux. Please Note that this type is currently only implemented for Alpine Linux and FreeBSD.
contribute an implementation if you can. Please contribute an implementation if you can.
REQUIRED PARAMETERS REQUIRED PARAMETERS
@ -41,20 +41,25 @@ subdomains
umask umask
Set the umask for the socket and PID file. Set the umask for the socket and PID file.
userid
Change the user the opendkim program is to run as. By default, Alpine Linux's
OpenRC service will set this to `opendkim` on the command-line.
custom-config custom-config
The string following this parameter is appended as-is in the configuration, to The string following this parameter is appended as-is in the configuration, to
enable more complex configurations. enable more complex configurations.
BOOLEAN PARAMETERS BOOLEAN PARAMETERS
------------------ ------------------
syslog syslog
Log to syslog. Log to syslog.
DEPRECATED PARAMETERS
---------------------
userid
Change the user the opendkim program is to run as.
By default, Alpine Linux's OpenRC service will set this to `opendkim` on the
command-line and FreeBSD's rc will set it to `mailnull`.
EXAMPLES EXAMPLES
-------- --------
@ -86,11 +91,12 @@ SEE ALSO
AUTHORS AUTHORS
------- -------
Joachim Desroches <joachim.desroches@epfl.ch> Joachim Desroches <joachim.desroches@epfl.ch>
Evilham <contact@evilham.com>
COPYING COPYING
------- -------
Copyright \(C) 2021 Joachim Desroches. You can redistribute it Copyright \(C) 2022 Joachim Desroches, Evilham. You can redistribute it
and/or modify it under the terms of the GNU General Public License as and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version. License, or (at your option) any later version.

@ -20,16 +20,24 @@
os=$(cat "${__global:?}/explorer/os") os=$(cat "${__global:?}/explorer/os")
CFG_DIR="/etc/opendkim"
service="opendkim"
case "$os" in case "$os" in
'alpine') 'alpine')
: :
;; ;;
'freebsd')
CFG_DIR="/usr/local/etc/mail"
service="milter-opendkim"
start_service="milteropendkim"
;;
*) *)
printf "__opendkim does not yet support %s.\n" "$os" >&2 printf "__opendkim does not yet support %s.\n" "$os" >&2
printf "Please contribute an implementation if you can.\n" >&2 printf "Please contribute an implementation if you can.\n" >&2
exit 1 exit 1
;; ;;
esac esac
export CFG_DIR
__package opendkim __package opendkim
@ -68,7 +76,7 @@ fi
# Generate and deploy configuration file. # Generate and deploy configuration file.
source_file="${__object:?}/files/opendkim.conf" source_file="${__object:?}/files/opendkim.conf"
target_file="/etc/opendkim/opendkim.conf" target_file="${CFG_DIR}/opendkim.conf"
mkdir -p "${__object:?}/files" mkdir -p "${__object:?}/files"
@ -83,9 +91,26 @@ fi
require="__package/opendkim" __file "$target_file" \ require="__package/opendkim" __file "$target_file" \
--source "$source_file" --mode 0644 --source "$source_file" --mode 0644
require="__package/opendkim" __start_on_boot opendkim # Due to the way rc.conf works on *BSD, we find ourselves in the awkward
# situation, where a service's name can contain a '-' symbol, but the
# rc.conf setting to enable a service at boot cannot.
# Unless start_service has been defined before, these two match.
require="__package/opendkim" __start_on_boot "${start_service:-${service}}"
require="__file${target_file}" \ # Ensure Key and Signing tables exist and have proper permissions
key_table="${CFG_DIR}/KeyTable"
signing_table="${CFG_DIR}/SigningTable"
require="__package/opendkim" \
__file "${key_table}" \
--mode 444
require="__package/opendkim" \
__file "${signing_table}" \
--mode 444
require="__file${target_file} __file${key_table}
__file${signing_table} __start_on_boot/${start_service:-${service}}" \
__check_messages opendkim \ __check_messages opendkim \
--pattern "^__file${target_file}" \ --pattern "^__file${target_file}" \
--execute "service opendkim restart" --execute "service ${service} restart"
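Review bot: the restart trigger `--pattern "^__file${target_file}"` still fires only on changes to `opendkim.conf`, although the object now also depends on `__file${key_table}` and `__file${signing_table}`, and the entries in those tables are written by `__line`/`__block` objects from `__opendkim_genkey`. OpenDKIM reads flat-file KeyTable/SigningTable datasets at startup, so a key added to a running instance is not used until a restart; widen the pattern to match the messages those objects emit (check what `__line` and `__block` report) or document that a restart is required after key changes.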

@ -0,0 +1,2 @@
This can cause inconsistencies with permissions and will stop being supported.
If you still need this, you can use --custom-config 'UserId $USERID'.

@ -0,0 +1,32 @@
#!/bin/sh -e
DIRECTORY="/var/db/dkim/"
if [ -f "${__object:?}/parameter/directory" ];
then
# Be forgiving about a lack of trailing slash
DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")"
fi
KEY_ID="$(echo "${__object_id:?)}" | tr '/' '_')"
DEFAULT_PATH="${DIRECTORY:?}${KEY_ID:?}.private"
if [ -s "${DEFAULT_PATH}" ]; then
# This is the main location for the key
FOUND_PATH="${DEFAULT_PATH}"
else
# This is a backwards-compatible location for the key
# Keys generated post March 2022 should not land here
if [ -f "${__object:?}/parameter/selector" ]; then
SELECTOR="$(cat "${__object:?}/parameter/selector")"
if [ -s "${DIRECTORY}${SELECTOR:?}.private" ]; then
FOUND_PATH="${DIRECTORY}${SELECTOR:?}.private"
fi
fi
fi
if [ -n "${FOUND_PATH}" ]; then
printf "present\t%s" "${FOUND_PATH}"
else
# We didn't find the key
# We pass the default path here, to easen logic in the rest of the type
printf "absent\t%s" "${DEFAULT_PATH}"
fi
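Review bot: `"${__object_id:?)}"` contains a stray `)`: everything after `:?` is the error message, so this expands correctly but would print `)` as the diagnostic if `__object_id` were unset; drop the `)` to match the other `:?` guards. Two smaller points: `FOUND_PATH` is never initialised, so the final `[ -n "${FOUND_PATH}" ]` relies on the variable being unset in the explorer's environment (add `FOUND_PATH=` near the top), and the `-s` tests treat a zero-length key file as absent, which makes gencode-remote regenerate and `mv` over it; that is a reasonable recovery, but say so in a comment.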

@ -19,8 +19,8 @@
# #
# Required parameters # Required parameters
DOMAIN="$(cat "${__object:?}/parameter/domain")" DOMAIN="$(cat "${__object:?}/domain")"
SELECTOR="$(cat "${__object:?}/parameter/selector")" SELECTOR="$(cat "${__object:?}/selector")"
# Optional parameters # Optional parameters
BITS= BITS=
@ -28,11 +28,6 @@ if [ -f "${__object:?}/parameter/bits" ]; then
BITS="-b $(cat "${__object:?}/parameter/bits")" BITS="-b $(cat "${__object:?}/parameter/bits")"
fi fi
DIRECTORY="/var/db/dkim/"
if [ -f "${__object:?}/parameter/directory" ]; then
DIRECTORY="$(cat "${__object:?}/parameter/directory")"
fi
# Boolean parameters # Boolean parameters
SUBDOMAINS= SUBDOMAINS=
if [ -f "${__object:?}/parameter/no-subdomains" ]; then if [ -f "${__object:?}/parameter/no-subdomains" ]; then
@ -44,7 +39,27 @@ if [ -f "${__object:?}/parameters/unrestricted" ]; then
RESTRICTED= RESTRICTED=
fi fi
if ! [ -f "${DIRECTORY}${SELECTOR}.private" ]; then user="$(cat "${__object:?}/user")"
echo "opendkim-genkey $BITS --domain=$DOMAIN --directory=$DIRECTORY $RESTRICTED --selector=$SELECTOR $SUBDOMAINS" group="$(cat "${__object:?}/group")"
echo "chown opendkim:opendkim ${DIRECTORY}${SELECTOR}.private"
KEY_STATE="$(cut -f 1 "${__object:?}/explorer/key-state")"
KEY_LOCATION="$(cut -f 2- "${__object:?}/explorer/key-state")"
if [ "${KEY_STATE:?}" = "absent" ]; then
# opendkim-genkey(8) does not allow specifying the file name.
# To err on the safe side (and avoid potentially killing other keys)
# we operate on a temporary directory first, then move the resulting key
cat <<-EOF
tmp_dir="\$(mktemp -d cdist-dkim.XXXXXXXXXXX)"
opendkim-genkey $BITS --domain=${DOMAIN:?} --directory=\${tmp_dir:?} $RESTRICTED --selector=${SELECTOR:?} $SUBDOMAINS
# Relocate and ensure permissions
mv "\${tmp_dir:?}/${SELECTOR:?}.private" '${KEY_LOCATION:?}'
chown ${user}:${group} '${KEY_LOCATION}'
chmod 0600 '${KEY_LOCATION}'
# This is usually generated, if it weren't we do not want to fail
mv "\${tmp_dir:?}/${SELECTOR:?}.txt" '${KEY_LOCATION%.private}.txt' || true
chown ${user}:${group} '${KEY_LOCATION%.private}.txt' || true
# Cleanup after ourselves
rmdir "\${tmp_dir:?}" || true
EOF
fi fi
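Review bot: `tmp_dir="\$(mktemp -d cdist-dkim.XXXXXXXXXXX)"` uses a relative template, so the temporary directory, and with it the fresh private key, is created in whatever the remote shell's working directory happens to be, and the following `mv` may be a cross-filesystem copy rather than a rename. Create it inside the key directory instead, e.g. `mktemp -d "${DIRECTORY}cdist-dkim.XXXXXXXXXX"`: the manifest already enforces `0750` and the right owner on that directory, the key never leaves it, and the `mv` becomes an atomic rename. The `chown`/`chmod 0600` pair after the move is the right order; keep it.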

@ -10,23 +10,27 @@ DESCRIPTION
----------- -----------
This type uses the `opendkim-genkey(8)` to generate signing keys suitable for This type uses the `opendkim-genkey(8)` to generate signing keys suitable for
usage by `opendkim(8)` to sign outgoing emails. Then, a line with the domain, usage by `opendkim(8)` to sign outgoing emails.
selector and keyname in the `$selector._domainkey.$domain` format will be added
to the OpenDKIM key table located at `/etc/opendkim/KeyTable`. Finally, a line
will be added to the OpenDKIM signing table, using either the domain or the
provided key for the `domain:selector:keyfile` value in the table. An existing
key will not be overwritten.
Currently, this type is only implemented for Alpine Linux. Please contribute an It also manages the key, identified by its `$__object_id` in OpenDKIM's
implementation if you can. KeyTable and sets its `s=` and `d=` parameters (see: `--selector` and
`--sigdomain` respectively).
REQUIRED PARAMETERS This type will also manage the entries in the OpenDKIM's SigningTable by
------------------- associating any given `sigkey` values to this key.
domain
The domain to generate the key for.
selector Take into account that if you use this type without the `--domain` and
The DKIM selector to generate the key for. `--selector` parameters, the `$__object_id` must be in form `$domain/$selector`.
Currently, this type is only implemented for Alpine Linux and FreeBSD.
Please contribute an implementation if you can.
NOTE: the name of the key file under `--directory` will default to
`$__object_id.private`, but if that fails and `--selector` is used,
`SELECTOR.private` will be considered.
Take care when using unrelated keys that might collide this way.
For more information see:
https://code.ungleich.ch/ungleich-public/cdist-contrib/issues/20
OPTIONAL PARAMETERS OPTIONAL PARAMETERS
@ -38,10 +42,36 @@ bits
directory directory
The directory in which to generate the key, `/var/db/dkim/` by default. The directory in which to generate the key, `/var/db/dkim/` by default.
domain
The domain to generate the key for.
If omitted, `--selector` must be omitted as well and `$__object_id` must be
in form: `$domain/$selector`.
selector
The DKIM selector to generate the key for.
If omitted, `--domain` must be omitted as well and `$__object_id` must be
in form: `$domain/$selector`.
sigdomain
Specified in the KeyTable, the domain to use in the signature's "d=" value.
Defaults to the specified domain. If `%`, it will be replaced by the apparent
domain of the sender when generating a signature.
Note you probably don't want to set both `--sigdomain` and `--sigkey` to `%`.
See `KeyTable` in `opendkim.conf(5)` for more information.
OPTIONAL MULTIPLE PARAMETERS
----------------------------
sigkey sigkey
The key used in the SigningTable for this signing key. Defaults to the The key used in the `SigningTable` for this signing key. Defaults to the
specified domain. If `%`, OpenDKIM will replace it with the domain found specified domain. If `%`, OpenDKIM will replace it with the domain found
in the `From:` header. See `opendkim.conf(5)` for more options. in the `From:` header. See `opendkim.conf(5)` for more options.
Note you probably don't want to set both `--sigdomain` and `--sigkey` to `%`.
This can be passed multiple times, resulting in multiple lines in the
SigningTable, which can be used to support signing of subdomains or multiple
domains with the same key; in that case, you probably want to set
`--sigdomain` to `%`, else the domains will not be aligned.
BOOLEAN PARAMETERS BOOLEAN PARAMETERS
------------------ ------------------
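Review bot: the sentence `Note you probably don't want to set both --sigdomain and --sigkey to %` appears under both `sigdomain` and `sigkey`; keep it once (under `sigdomain`, with a pointer from `sigkey`). Likewise `domain` and `selector` each repeat the rule that the other must be omitted too; since DESCRIPTION already states it, both entries can say `Must be given together with --selector` (resp. `--domain`); when both are omitted, `$__object_id` must be `$domain/$selector`.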
@ -57,6 +87,7 @@ EXAMPLES
.. code-block:: sh .. code-block:: sh
# Setup the OpenDKIM service
__opendkim \ __opendkim \
--socket inet:8891@localhost \ --socket inet:8891@localhost \
--basedir /var/lib/opendkim \ --basedir /var/lib/opendkim \
@ -65,14 +96,24 @@ EXAMPLES
--umask 002 \ --umask 002 \
--syslog --syslog
require='__opendkim' \ # Continue only after the service has been set up
__opendkim_genkey default \ export require="__opendkim"
--domain example.com \
--selector default
__opendkim_genkey myfoo \ # Generate a key for 'example.com' with selector 'default'
--domain foo.com \ __opendkim_genkey default \
--selector backup --domain example.com \
--selector default
# Generate a key for 'foo.com' with selector 'backup'
__opendkim_genkey 'foo.com/backup'
# Generate a key for 'example.org' with selector 'main'
# that can also sign 'cdi.st' and subdomains of 'example.org'
__opendkim_genkey 'example.org/main' \
--sigdomain '%' \
--sigkey 'example.org' \
--sigkey '.example.org' \
--sigkey 'cdi.st'
SEE ALSO SEE ALSO
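Review bot: the last example (`example.org/main` with `--sigdomain '%'` and `--sigkey 'cdi.st'`) produces `d=cdi.st` signatures that verifiers look up at `main._domainkey.cdi.st`; the generated public key (the `.txt` file) therefore has to be published under every `--sigkey` domain, not only `example.org`, or every verifier reports a missing key. Add that DNS step to the comment. Also `export require="__opendkim"` applies to every object created afterwards in the same manifest, which the comment `Continue only after the service has been set up` does not make obvious.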
@ -85,11 +126,12 @@ SEE ALSO
AUTHORS AUTHORS
------- -------
Joachim Desroches <joachim.desroches@epfl.ch> Joachim Desroches <joachim.desroches@epfl.ch>
Evilham <contact@evilham.com>
COPYING COPYING
------- -------
Copyright \(C) 2021 Joachim Desroches. You can redistribute it Copyright \(C) 2022 Joachim Desroches, Evilham. You can redistribute it
and/or modify it under the terms of the GNU General Public License as and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version. License, or (at your option) any later version.

@ -21,25 +21,68 @@
os=$(cat "${__global:?}/explorer/os") os=$(cat "${__global:?}/explorer/os")
CFG_DIR="/etc/opendkim"
user="opendkim"
group="opendkim"
case "$os" in case "$os" in
'alpine') 'alpine')
: :
;; ;;
'freebsd')
CFG_DIR="/usr/local/etc/mail"
user="mailnull"
group="mailnull"
;;
*) *)
cat <<- EOF >&2 cat <<- EOF >&2
__opendkim_genkey currently only supports Alpine Linux. Please __opendkim_genkey currently only supports Alpine Linux and FreeBSD.
contribute an implementation for $os if you can. Please contribute an implementation for $os if you can.
EOF EOF
exit 1
;; ;;
esac esac
SELECTOR="$(cat "${__object:?}/parameter/selector")" # Logic to simplify the type as documented in
DOMAIN="$(cat "${__object:?}/parameter/domain")" # https://code.ungleich.ch/ungleich-public/cdist-contrib/issues/20#issuecomment-14711
DOMAIN="$(cat "${__object:?}/parameter/domain" 2>/dev/null || true)"
SELECTOR="$(cat "${__object:?}/parameter/selector" 2>/dev/null || true)"
if [ -z "${DOMAIN}${SELECTOR}" ]; then
# Neither SELECTOR nor DOMAIN were passed, try to use __object_id
if echo "${__object_id:?}" | \
grep -qE '^[^/[:space:]]+/[^/[:space:]]+$'; then
# __object_id matches, let's get the data
DOMAIN="$(echo "${__object_id:?}" | cut -d '/' -f 1)"
SELECTOR="$(echo "${__object_id:?}" | cut -d '/' -f 2)"
else
# It doesn't match the pattern, this is sad
cat <<- EOF >&2
The arguments --domain and --selector were not used.
So __object_id must match DOMAIN/SELECTOR.
But instead the type got: ${__object_id:?}
EOF
exit 1
fi
elif [ -z "${DOMAIN}" ] || [ -z "${SELECTOR}" ]; then
# Only one was passed, this is sad :-(
cat <<- EOF >&2
You must pass either both --selector and --domain or none of them.
If these arguments are absent, __object_id must match: DOMAIN/SELECTOR.
EOF
exit 1
# else: both were passed
fi
# Persist data for gencode-remote
printf '%s' "${user:?}" > "${__object:?}/user"
printf '%s' "${group:?}" > "${__object:?}/group"
printf '%s' "${DOMAIN:?}" > "${__object:?}/domain"
printf '%s' "${SELECTOR:?}" > "${__object:?}/selector"
DIRECTORY="/var/db/dkim/" DIRECTORY="/var/db/dkim/"
if [ -f "${__object:?}/parameter/directory" ]; if [ -f "${__object:?}/parameter/directory" ];
then then
DIRECTORY="$(cat "${__object:?}/parameter/directory")" # Be forgiving about a lack of trailing slash
DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")"
fi fi
SIGKEY="${DOMAIN:?}" SIGKEY="${DOMAIN:?}"
@ -47,20 +90,50 @@ if [ -f "${__object:?}/parameter/sigkey" ];
then then
SIGKEY="$(cat "${__object:?}/parameter/sigkey")" SIGKEY="$(cat "${__object:?}/parameter/sigkey")"
fi fi
SIGDOMAIN="${DOMAIN:?}"
if [ -f "${__object:?}/parameter/sigdomain" ];
then
SIGDOMAIN="$(cat "${__object:?}/parameter/sigdomain")"
fi
__package opendkim-utils # Ensure the key-container directory exists with the proper permissions
__directory "${DIRECTORY}" \
--mode 0750 \
--owner "${user}" --group "${group}"
require='__package/opendkim-utils' \ # OS-specific code
__file /etc/opendkim/KeyTable case "$os" in
require='__package/opendkim-utils' \ 'alpine')
__file /etc/opendkim/SigningTable # This is needed for opendkim-genkey
__package opendkim-utils
;;
esac
require='__file/etc/opendkim/KeyTable' \ key_table="${CFG_DIR}/KeyTable"
__line "line-key-${__object_id:?}" \ signing_table="${CFG_DIR}/SigningTable"
--file /etc/opendkim/KeyTable \
--line "${SELECTOR:?}._domainkey.${DOMAIN:?} ${DOMAIN:?}:${SELECTOR:?}:${DIRECTORY:?}${SELECTOR:?}.private"
require='__file/etc/opendkim/SigningTable' \ KEY_STATE="$(cut -f 1 "${__object:?}/explorer/key-state")"
__line "line-sig-${__object_id:?}" \ KEY_LOCATION="$(cut -f 2- "${__object:?}/explorer/key-state")"
--file /etc/opendkim/SigningTable \
--line "${SIGKEY:?} ${SELECTOR:?}._domainkey.${DOMAIN:?}" __line "__opendkim_genkey/${__object_id:?}" \
--file "${key_table}" \
--line "${__object_id:?} ${SIGDOMAIN:?}:${SELECTOR:?}:${KEY_LOCATION:?}" \
--regex "^${__object_id:?}[[:space:]]" \
--state 'replace'
sigtable_block() {
for sigkey in ${SIGKEY:?}; do
echo "${sigkey:?} ${__object_id:?}"
done
}
__block "__opendkim_genkey/${__object_id:?}" \
--file "${signing_table}" \
--text "$(sigtable_block)"
if [ "${KEY_STATE:?}" = "present" ]; then
# Ensure proper permissions for the key file
__file "${KEY_LOCATION}" \
--owner "${user}" \
--group "${group}" \
--mode 0600
fi
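Review bot: `--regex "^${__object_id:?}[[:space:]]"` interpolates `__object_id` into a regular expression without escaping; every `.` in `example.com/default` matches any character, so `--state 'replace'` could overwrite the KeyTable line of an unrelated key whose name differs only in those positions (e.g. `example-com/default`). Escape metacharacters first, e.g. `escaped_id="$(printf '%s' "${__object_id:?}" | sed 's/[.[\*^$]/\\&/g')"`, and build `--regex "^${escaped_id}[[:space:]]"` from that. The `sigtable_block` loop relies on word-splitting `${SIGKEY}` over the newline-separated parameter file, which is fine as long as `sigkey` values never contain whitespace; a comment stating that assumption would help.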

@ -1,4 +1,6 @@
bits bits
directory directory
domain
unrestricted unrestricted
sigkey selector
sigdomain


@ -0,0 +1 @@
sigkey


@ -1,2 +0,0 @@
domain
selector
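Review bot: `domain` and `selector` move from required to optional here (and `sigkey` becomes a multiple parameter), but the manifest still expands them as `${DOMAIN:?}` and `${SELECTOR:?}`, which aborts the run when the parameter is missing unless a default exists. Either ship `parameter/default/domain` and `parameter/default/selector` (not visible in this diff), or derive them from `__object_id` in the manifest and document the fallback in man.rst.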

type/__php_fpm/files/php.ini.sh Executable file

@ -0,0 +1,45 @@
#!/bin/sh
cat <<EOF
; This file is managed by cdist, and has been shortened for readability.
; The fine manual is at http://php.net/configuration.file.
[PHP]
; Production recommended defaults
display_errors = Off
display_startup_errors = Off
enable_dl = Off
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
log_errors = On
output_buffering = 4096
register_argc_argv = Off
request_order = "GP"
short_open_tag = Off
variables_order = "GPCS"
zend.assertions = -1
; Local custom variations
include_path = ".:${PHP_INCLUDEDIR}"
memory_limit = ${MEMORY_LIMIT:?}
post_max_size = ${UPLOAD_MAX_FILESIZE:?}
upload_max_filesize = ${UPLOAD_MAX_FILESIZE:?}
EOF
if [ -f "${__object:?}/parameter/enable-opcache" ]; then
cat <<-EOF
; opcache enabled by type flag
opcache.enable=1
opcache.enable_cli=1
EOF
fi
if [ -f "${__object:?}/parameter/enable-apcu" ]; then
cat <<-EOF
; acpu enabled by type flag
apc.enabled=1
apc.enable_cli=1
apc.shm_size=512M
EOF
fi
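Review bot: `post_max_size` is set to the same value as `upload_max_filesize`, so a multipart upload of exactly the maximum size fails once the other form fields are counted; `post_max_size` needs headroom over `upload_max_filesize`. Under the "Production recommended defaults" banner the file leaves `expose_php` (default On) and `cgi.fix_pathinfo` (default 1) untouched; for FPM behind nginx, `expose_php = Off` and `cgi.fix_pathinfo = 0` are the usual hardening and belong in this block. `E_STRICT` is deprecated as of PHP 8.4, so the `error_reporting` line will emit a deprecation notice on newer versions. `include_path = ".:${PHP_INCLUDEDIR}"` is the only interpolated variable without `:?`, so an unset `PHP_INCLUDEDIR` silently yields `.:`. Typo in the APCu comment: `acpu` should be `apcu`.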

type/__php_fpm/man.rst Normal file

@ -0,0 +1,74 @@
cdist-type__php_fpm(7)
======================
NAME
----
cdist-type__php_fpm - Setup and configure PHP-FPM
DESCRIPTION
-----------
This type installs and configures PHP-FPM for a given version of PHP. It is
expected to be used in combination with cdist-type__php_fpm_pool, which
configures specific pools.
This type supports Debian, Ubuntu and Alpine Linux.
REQUIRED PARAMETERS
-------------------
php-version
The PHP version for which the type is working. Will impact installed
packages, configuration files, &c
OPTIONAL PARAMETERS
-------------------
memory-limit
The system-wide memory limit for PHP-FPM. Can be overriden per-pool.
Default is 512M.
upload-max-filesize
The maximum filesize accepted by PHP-FPM for file uploads. Default is
2M.
BOOLEAN PARAMETERS
------------------
enable-opcache
Enable PHP opcache.
enable-apcu
Enable PHP APCu.
EXAMPLES
--------
.. code-block:: sh
# Dead simple setup
__php_fpm --php-version 8.1
# Custom setup
__php_fpm \
--php-version 8.1 \
--memory-limit 768M \
--upload-max-filesize 200M \
--enable-opcache \
--enable-apcu
SEE ALSO
--------
cdist-type__php_fpm_pool(7)
AUTHORS
-------
Joachim Desroches <joachim.desroches@epfl.ch>
COPYING
-------
Copyright \(C) 2022 Joachim Desroches. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
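Review bot: the page should state that the type is a singleton (see `type/__php_fpm/singleton` in this diff) and therefore configures exactly one PHP version per host, and that it replaces the distribution `php.ini` for that version wholesale (the manifest writes it from `files/php.ini.sh` via `--source`), so local edits to `php.ini` are overwritten and there is currently no parameter for extra directives. Under `memory-limit`, "overriden" should be "overridden", and since the pool type applies its value with `php_admin_value`, it is worth noting that a pool override cannot then be raised by `ini_set()` from application code. "Setup" in NAME should be "Set up".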

type/__php_fpm/manifest Normal file

@ -0,0 +1,68 @@
#!/bin/sh
os=$(cat "${__global:?}/explorer/os")
PHPVER=$(cat "${__object:?}/parameter/php-version")
export PHPVER
case "$os" in
'alpine')
# Alpine packages looks like php81-fpm - we make sure to remove dots from user
# input.
PHPVER=$(echo "$PHPVER" | tr -d '.')
package="php${PHPVER}-fpm"
opcache_package="php${PHPVER}-opcache"
apcu_package="php${PHPVER}-pecl-apcu"
service="php-fpm${PHPVER}"
php_confdir="/etc/php${PHPVER}"
php_ini="${php_confdir:?}/php.ini"
PHP_INCLUDEDIR="/usr/share/php${PHPVER:?}"
export PHP_INCLUDEDIR
;;
'debian'|'ubuntu')
package="php${PHPVER}-fpm"
opcache_package="php${PHPVER}-opcache"
apcu_package="php${PHPVER}-apcu"
service="php${PHPVER}-fpm"
php_confdir="/etc/php/${PHPVER}"
php_ini="${php_confdir:?}/fpm/php.ini"
PHP_INCLUDEDIR="/usr/share/php/${PHPVER:?}"
export PHP_INCLUDEDIR
;;
*)
printf "Your operating system is currently not supported by this type\n" >&2
printf "Please contribute an implementation for it if you can.\n" >&2
exit 1
;;
esac
__package "$package"
require="__package/$package" __start_on_boot "$service"
if [ -f "${__object:?}/parameter/enable-opcache" ]; then
__package "$opcache_package"
fi
if [ -f "${__object:?}/parameter/enable-apcu" ]; then
__package "$apcu_package"
fi
MEMORY_LIMIT=$(cat "${__object:?}/parameter/memory-limit")
export MEMORY_LIMIT
UPLOAD_MAX_FILESIZE=$(cat "${__object:?}/parameter/upload-max-filesize")
export UPLOAD_MAX_FILESIZE
mkdir -p "${__object:?}/files"
"${__type:?}/files/php.ini.sh" >"${__object:?}/files/php.ini"
require="__package/$package" __file "${php_ini:?}" \
--mode 644 --source "${__object:?}/files/php.ini" \
--onchange "service $service restart"
require="__file/${php_ini:?}" __service "$service" --action start
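Review bot: `__file "${php_ini:?}"` only `require`s the FPM package, while `__package "$opcache_package"` and `__package "$apcu_package"` have no ordering relationship with it, so the `service $service restart` fired by `--onchange` can run before the extension package is installed and FPM comes up without the extension until something else restarts it; when the flags are set, make the `__file` `require` those packages too (or give them their own `--onchange` restart). `--onchange "service $service restart"` is a hard restart on every php.ini change; `reload` (which the pool manifest already uses) keeps in-flight requests alive. `memory-limit` and `upload-max-filesize` go into php.ini unvalidated; a `case` check against `^[0-9]+[KMG]?$` would catch a typo before it produces an ini that FPM refuses to parse.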


@ -0,0 +1,2 @@
enable-opcache
enable-apcu


@ -0,0 +1 @@
512M


@ -0,0 +1 @@
2M


@ -0,0 +1,2 @@
upload-max-filesize
memory-limit


@ -0,0 +1 @@
php-version

type/__php_fpm/singleton Normal file


@ -0,0 +1,34 @@
#!/bin/sh
cat <<EOF
; PHP-FPM configuration file for $POOL_NAME, PHP version $PHPVER.
; This file is managed by cdist, do not edit by hand!
[$POOL_NAME]
; Local non-default configuration
user = $POOL_USER
group = $POOL_GROUP
listen = $POOL_LISTEN_ADDR
listen.owner = $POOL_LISTEN_OWNER
; Mandatory configuration options with default production values
pm = dynamic
pm.max_children = 10
pm.min_spare_servers = 1
pm.max_spare_servers = 3
env[HOSTNAME] = \$HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
EOF
if [ -f "${__object:?}/parameter/memory-limit" ]; then
echo "php_admin_value[memory_limit] = $(cat "$__object/parameter/memory-limit")"
fi
if [ -f "${__object:?}/parameter/open-basedir" ]; then
echo "php_admin_value[open_basedir] = $(cat "${__object:?}/parameter/open-basedir")"
fi
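Review bot: the pool sets `listen.owner` but neither `listen.group` nor `listen.mode`, so the socket gets FPM's default group and the default `0660` mode; if the web server user is not in that group the connection is refused, and if the group is broad the socket is reachable by more than the web server. Set all three explicitly (`listen.group` to the web server's group, `listen.mode = 0660`), ideally from a `--pool-listen-group` parameter next to `--pool-listen-owner`. The `php_admin_value[open_basedir]` line is keyed on `parameter/open-basedir`, but the man page calls the parameter `openbasedir`; the names need to agree. Minor: `$(cat "$__object/parameter/memory-limit")` drops the `${__object:?}` form used everywhere else in the file.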


@ -0,0 +1,79 @@
cdist-type__php_fpm_pool(7)
===========================
NAME
----
cdist-type__php_fpm_pool - Setup and configure a PHP-FPM pool
DESCRIPTION
-----------
This type configures a pool named after the `__object_id` for a specified PHP
version. Note that this types expects a same-version cdist-type__php_fpm type
to have been run first: the user is responsible for doing so.
This type supports Debian, Ubuntu and Alpine Linux.
REQUIRED PARAMETERS
-------------------
php-version
The PHP version for which the type is working. Will impact installed
packages, configuration files, &c
pool-user
The local user under which the pool processes should run.
pool-group
The local group under which the pool processes should run.
pool-listen-addr
The socket or address to which the pool should bind for listening.
pool-listen-owner
The owner of the socket if a socket is used.
OPTIONAL PARAMETERS
-------------------
memory-limit
The pool memory limit for PHP-FPM. Will default to the setting in the
system-wide php.ini file.
openbasedir
Limit the files that can be accessed by PHP to the specified
directory-tree, including the file itself.
EXAMPLES
--------
.. code-block:: sh
# Setup PHP-FPM
__php_fpm --php-version 8
# Setup the pool
__php_fpm_pool www \
--php-version 8 \
--pool-user nextcloud \
--pool-group www-data \
--pool-listen-addr "/run/php8/php-fpm.sock" \
--pool-listen-owner nginx \
--memory-limit 1G
SEE ALSO
--------
cdist-type__php_fpm(7)
AUTHORS
-------
Joachim Desroches <joachim.desroches@epfl.ch>
COPYING
-------
Copyright \(C) 2022 Joachim Desroches. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
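Review bot: the optional parameter is documented as `openbasedir` while the parameter file and manifest use `open-basedir`, so the documented flag does not exist; fix the name and, because both values are applied with `php_admin_value`, note that `memory_limit` and `open_basedir` are then locked and cannot be changed from application code. The description says the matching `__php_fpm` must have run first but the manifest does not `require` it; say explicitly that the caller should pass `require='__php_fpm'`, or add that dependency in the manifest. "this types expects" should read "this type expects". The example combines `--php-version 8` and `/run/php8/php-fpm.sock` (Alpine naming) with group `www-data` (Debian naming); on Debian/Ubuntu a minor version such as `8.1` is required because the package is `php8.1-fpm`.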


@ -0,0 +1,40 @@
#!/bin/sh
os=$(cat "${__global:?}/explorer/os")
name=${__object_id:?}
PHPVER=$(cat "${__object:?}/parameter/php-version")
export PHPVER
case "$os" in
'alpine')
PHPVER=$(echo "$PHP_VERSION" | tr -d '.')
service="php-fpm${PHPVER}"
php_confdir="/etc/php${PHPVER}"
php_pooldir="${php_confdir:?}/php-fpm.d"
;;
'debian'|'ubuntu')
service="php${PHPVER}-fpm"
php_confdir="/etc/php/${PHPVER}"
php_pooldir="${php_confdir:?}/fpm/pool.d"
;;
*)
printf "Your operating system is currently not supported by this type\n" >&2
printf "Please contribute an implementation for it if you can.\n" >&2
exit 1
;;
esac
POOL_NAME="$name"
POOL_USER=$(cat "${__object:?}/parameter/pool-user")
POOL_GROUP=$(cat "${__object:?}/parameter/pool-group")
POOL_LISTEN_ADDR=$(cat "${__object:?}/parameter/pool-listen-addr")
POOL_LISTEN_OWNER=$(cat "${__object:?}/parameter/pool-listen-owner")
export POOL_USER POOL_GROUP POOL_LISTEN_ADDR POOL_LISTEN_OWNER POOL_NAME
mkdir -p "${__object:?}/files"
"${__type:?}/files/www.conf.sh" >"${__object:?}/files/www.conf"
__file "${php_pooldir:?}/${name}.conf" \
--mode 644 --source "${__object:?}/files/www.conf" \
--onchange "service $service reload"
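Review bot: in the `alpine` branch, `PHPVER=$(echo "$PHP_VERSION" | tr -d '.')` reads `$PHP_VERSION`, which is never set anywhere in this manifest; `PHPVER` becomes empty, the pool file lands in `/etc/php/php-fpm.d/<name>.conf` and `--onchange` runs `service php-fpm reload`. It should be `$PHPVER`, as in the `__php_fpm` manifest. The pool `__file` also has no `require` on the `__php_fpm` singleton or the FPM package, so on a fresh host `${php_pooldir}` may not exist when cdist tries to write the file, and the reload may run before the service is installed.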


@ -0,0 +1,2 @@
memory-limit
open-basedir


@ -0,0 +1,5 @@
php-version
pool-user
pool-group
pool-listen-addr
pool-listen-owner


@ -6,7 +6,14 @@ os="$(cat "${__global}/explorer/os")"
case "${os}" in case "${os}" in
debian|devuan) debian|devuan)
# zero-config sysvinit and systemd compatibility # zero-config sysvinit and systemd compatibility
__package runit-run os_version="$(cat "${__global}/explorer/os_version")"
debian_package="runit-run"
case "${os_version}" in
beowulf)
debian_package="runit"
;;
esac
__package "${debian_package}"
;; ;;
freebsd) freebsd)
__key_value \ __key_value \


@ -33,18 +33,25 @@ if [ "${state}" != "present" ]; then
exit exit
fi fi
# Setup run file
__file --state "${state}" --mode 0550 --source "${source}" \
--onchange "sv restart '${sv}' || true" \
"${run_file}"
export require="${require} __file${run_file}"
if [ -f "${__object}/parameter/log" ]; then if [ -f "${__object}/parameter/log" ]; then
# Setup logger if requested # Setup logger if requested
__directory --parents "${svdir}/${sv}/log/main" logdir="/var/log/runit"
export require="${require} __directory${svdir}/${sv}/log/main" __directory --parents "${svdir}/${sv}/log"
__directory --state absent "${svdir}/${sv}/log/main" # Remove lingering old fashioned log
__directory --parents "${logdir}/${sv}"
export require="${require} __directory${svdir}/${sv}/log __directory${logdir}/${sv}"
__file "${svdir}/${sv}/log/run" \ __file "${svdir}/${sv}/log/run" \
--state "${state}" \ --state "${state}" \
--mode 0755 \ --mode 0755 \
--onchange "sv restart '${sv}/log' || true" \
--source "-" <<EOF --source "-" <<EOF
#!/bin/sh #!/bin/sh
exec svlogd -tt ./main exec svlogd -tt '${logdir}/${sv}'
EOF EOF
fi fi
# Setup run file
__file --state "${state}" --mode 0755 --source "${source}" "${run_file}"
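Review bot: the run-file `__file` at the end drops the `--onchange "sv restart '${sv}' || true"` that the removed version had (and changes `--mode 0550` to `0755`), so an updated run script is written to disk but the running service keeps executing the old one until something else restarts it; restore the `--onchange` (ordered after the log `run` via `require`, so both are in place before the restart) unless the restart is now handled elsewhere. `__directory --state absent "${svdir}/${sv}/log/main"` deletes the previous svlogd directory and its history in place; if that is intended, man.rst should say that logs move to `/var/log/runit/<sv>` and that old logs are removed on upgrade. `/var/log/runit/${sv}` is created with `__directory` defaults and svlogd runs as root here, so consider `--mode 0750` to keep service logs from being world-readable.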


@ -0,0 +1,10 @@
#!/bin/sh -e
BIN_PREFIX="/usr/local/bin"
SERVICE_NAME="${__object_id}"
VERSION_FILE="${BIN_PREFIX}/.${SERVICE_NAME}.cdist.version"
if [ -f "${VERSION_FILE}" ]; then
cat "${VERSION_FILE}"
fi


@ -0,0 +1,195 @@
cdist-type__single_binary_service(7)
====================================
NAME
----
cdist-type__single_binary_service - Setup a single-binary service
DESCRIPTION
-----------
This type is designed to easily deploy and configure a single-binary service
named `${__object_id}`.
A good example of this are Prometheus exporters.
This type makes certain assumptions that might not be correct on your system.
If you need more flexibility, please get in touch and provide a use-case
(and hopefully a backwards-compatible patch).
This type will place the downloaded binary and, if requested, other extra
binaries in `/usr/local/bin`.
If a `--config-file-source` is provided, it will be placed under:
`/etc/${__object_id}.conf`.
This type supports services managed by `__runit(7)` when `systemd` is not
the init system being used.
REQUIRED PARAMETERS
-------------------
checksum
This will be passed verbatim to `__download(7)`.
Use something like `sha256:...`.
url
This will be passed verbatim to `__download(7)`.
version
This type will use a thumbstone file with a "version" number to track
whether or not a service must be updated.
This thumbstone file is placed under
`/usr/local/bin/.${__object_id}.cdist.version`.
BOOLEAN PARAMETERS
------------------
unpack
If present, the contents of `--url` will be treated as an archive to be
unpacked with `__unpack(7)`.
See also `--unpack-args` and `--extra-binary`.
do-not-manage-user
Always considered present when `--user` is `root`.
If present, the user in `--user` will not be managed by this type with
`__user`, this means it *must* exist beforehand when installing the service
and it will not be removed by this type.
OPTIONAL PARAMETERS
-------------------
config-file-source
If present, this file's contents will be placed under
`/etc/${__object_id}.conf` with permissions `0440` and ownership assigned to
`--user` and `--group`.
If `-` is passed, this type's `stdin` will be used.
user
The user under which the service will run. Defaults to `root`.
If this user is not `root` and `--do-not-manage-user` is not present,
this user will be created or removed as per the `--state` parameter.
user-home-dir
Does not have an effect if `--do-not-manage-user` is used or `--user` is
`root`.
The home directory of the service user. It will be created.
Defaults to `/nonexistent`, in this case the home directory will not be
created.
group
The group under which the service will run. Defaults to `--user`.
state
Whether the service is to be `present` (default) or `absent`.
When `absent`, this type will clean any binaries listed in `--extra-binary`
and also the config file as described in `--config-file-source`.
binary
This will be the binary name. Defaults to `${__object_id}`.
If `--unpack` is used, a binary with this name must be unpacked.
Otherwise, the contents of `--url` will be placed under this binary name.
env
An `env` file consiting of `ENVIRONMENT_VARIABLE=VALUE`, one variable per
line.
Empty lines and those starting with `#` are ignored.
service-args
Any extra arguments to pass along with `--service-exec`. Beware that any
service-args having the format `--config=/etc/foo.cfg` should be
represented in the following way `--service-exec='--config=/etc/foo.cfg'`
service-exec
The executable to use for this service.
Defaults to `/usr/local/bin/BINARY_NAME` where `BINARY_NAME` is the
resulting value of `--binary`.
service-definition
The service definition to be used as an override.
Note that this type decides dinammically between runit and systemd, and
you can currently only define either a systemd unit or a runit script here.
Use this parameter only for testing and get in touch to discuss how your
particular use-case can be supported by the type.
service-description
The service description to be used in, e.g. the systemd unit file.
Defaults to `cdist-managed '${__object_id}' service`.
unpack-args
Only has an effect if `--unpack` is used.
These arguments will be passed verbatim to `__unpack(7)`.
Very useful as this type assumes the archive does not have the binaries in
subdirectories; that can be worked around with
`--unpack-args '--tar-strip 1'`.
unpack-extension
Only has an effect if `--unpack` is used.
The file extension of the file to unpack, defaults to `.tar.gz`.
working-directory
If set, the working directory with which the service will be started.
OPTIONAL MULTIPLE PARAMETERS
----------------------------
extra-binary
Only useful with `--unpack`.
If passed, these binaries will also be installed when `--state` is `present`
and removed when `--state` is `absent`.
Handle with care :-).
EXAMPLES
--------
.. code-block:: sh
# Install and enable the ipmi_exporter service
# The variables are defined in the manifest previously
__single_binary_service ipmi_exporter \
--user "${USER}" \
--service-args ' --config.file=/etc/ipmi_exporter.conf' \
--version "${SHOULD_VERSION}" \
--checksum "${CHECKSUM}" \
--url "${DOWNLOAD_URL}" \
--state "present" \
--unpack \
--unpack-args "--tar-strip 1" \
--config-file-source '-' <<-EOF
# Remotely managed, changes will be lost
# [...] config contents goes here
EOF
# Remove the ipmi_exporter service along with the user and its config
__single_binary_service ipmi_exporter \
--user "${USER}" \
--version "${SHOULD_VERSION}" \
--checksum "${CHECKSUM}" \
--url "${DOWNLOAD_URL}" \
--state "absent"
# Same, but the service was using my user! Let's not delete that!
__single_binary_service ipmi_exporter \
--user "evilham" \
--do-not-manage-user \
--version "${SHOULD_VERSION}" \
--checksum "${CHECKSUM}" \
--url "${DOWNLOAD_URL}" \
--state "absent"
SEE ALSO
--------
- `__download(7)`
- `__unpack(7)`
AUTHORS
-------
Evilham <contact@evilham.com>
COPYING
-------
Copyright \(C) 2022 Evilham.
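Review bot: under `service-args`, the sentence says such arguments "should be represented in the following way `--service-exec='--config=/etc/foo.cfg'`", which names the wrong parameter and would replace the executable; it should read `--service-args='--config=/etc/foo.cfg'`, or describe the leading-space form the EXAMPLES section actually uses (`' --config.file=...'`) and say that the space keeps the value from being parsed as an option. The config path is documented as `/etc/${__object_id}.conf`, but the manifest uses `/usr/local/etc` on `*bsd`; document `ETC_DIR` per OS or drop the BSD branch. `env` and `service-args` are listed as optional, yet the manifest reads both parameter files unconditionally under `sh -e`, so either provide defaults (not visible here) or move them to REQUIRED PARAMETERS. `--download remote` means the target host fetches `--url` itself, which is worth stating along with the fact that `__download` enforces the checksum. Typos: "thumbstone" (tombstone), "consiting" (consisting), "dinammically" (dynamically).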


@ -0,0 +1,305 @@
#!/bin/sh -e
SERVICE_NAME="${__object_id}"
OS="$(cat "${__global}/explorer/os")"
case "${OS}" in
debian|devuan)
SUPER_USER_GROUP=root
ETC_DIR="/etc"
;;
*bsd)
SUPER_USER_GROUP=wheel
ETC_DIR="/usr/local/etc"
;;
*)
echo "Your OS '${OS}' is currently not supported." >&2
exit 1
;;
esac
INIT="$(cat "${__global}/explorer/init")"
case "${INIT}" in
systemd)
service_definition_require="__systemd_unit/${SERVICE_NAME}.service"
service_command="service ${SERVICE_NAME} %s"
;;
runit|sysvinit)
# We will use runit to manage these services
__runit
export require="__runit"
service_definition_require="__runit_service/${SERVICE_NAME}"
service_command="sv %s ${SERVICE_NAME}"
;;
*)
echo "Init system ${INIT}' is currently not supported." >&2
exit 1
;;
esac
BIN_DIR="/usr/local/bin"
# Ensure the target bin dir exists
# Care, we never want to remove it :-D
__directory "${BIN_DIR}" \
--state "exists" \
--mode 0755
export require="${require} __directory${BIN_DIR}"
STATE="$(cat "${__object}/parameter/state")"
USER="$(cat "${__object}/parameter/user")"
GROUP="$(cat "${__object}/parameter/group" 2>/dev/null || true)"
if [ -z "${GROUP}" ]; then
if [ "${USER}" != "root" ]; then
GROUP="${USER}"
else
GROUP="${SUPER_USER_GROUP}"
fi
fi
BINARY="$(cat "${__object}/parameter/binary" 2>/dev/null || true)"
if [ -z "${BINARY}" ]; then
BINARY="${SERVICE_NAME}"
fi
EXTRA_BINARIES="$(cat "${__object}/parameter/extra-binary" 2>/dev/null || true)"
# This only makes sense for file archives
if [ -n "${EXTRA_BINARIES}" ] && [ -f "${__object}/parameter/unpack" ]; then
cat >&2 <<-EOF
You cannot specify extra binaries without the --unpack argument.
Make sure that the --url argument points to a file archive.
EOF
fi
SERVICE_EXEC="$(cat "${__object}/parameter/service-exec" 2>/dev/null || true)"
if [ -z "${SERVICE_EXEC}" ]; then
SERVICE_EXEC="${BIN_DIR}/${BINARY}"
fi
SERVICE_ARGS="$(cat "${__object}/parameter/service-args")"
SERVICE_EXEC="${SERVICE_EXEC} ${SERVICE_ARGS}"
SERVICE_DESCRIPTION="$(cat "${__object}/parameter/service-description" \
2>/dev/null || true)"
if [ -z "${SERVICE_DESCRIPTION}" ]; then
SERVICE_DESCRIPTION="cdist-managed '${SERVICE_NAME}' service"
fi
SERVICE_DEFINITION="$(cat "${__object}/parameter/service-definition" 2>/dev/null || true)"
WORKING_DIRECTORY_PATH="$(cat "${__object}/parameter/working-directory" 2>/dev/null || true)"
if [ -n "${WORKING_DIRECTORY_PATH}" ]; then
WORKING_DIRECTORY_SYSTEMD="WorkingDirectory=${WORKING_DIRECTORY_PATH}"
WORKING_DIRECTORY_RUNIT="cd '${WORKING_DIRECTORY_PATH}'"
fi
DOWNLOAD_URL="$(cat "${__object}/parameter/url")"
CHECKSUM="$(cat "${__object}/parameter/checksum")"
SHOULD_VERSION="$(cat "${__object}/parameter/version")"
# Create a user for the service if it is not root
USER_HOME_DIR="/root"
if [ "${USER}" != "root" ] && \
[ ! -f "${__object}/parameter/do-not-manage-user" ]; then
if [ "${STATE}" = "absent" ]; then
# When removing, ensure user is not being used
user_require="${service_definition_require}"
fi
USER_HOME_DIR="$(cat "${__object}/parameter/user-home-dir")"
if [ "${USER_HOME_DIR}" != "/nonexistent" ]; then
USER_CREATE_HOME="--create-home"
fi
require="${require} ${user_require}" __user "${USER}" \
--system \
--state "${STATE}" \
--home "${USER_HOME_DIR}" \
--comment "cdist-managed service user" \
${USER_CREATE_HOME}
# Track dependencies
service_require="${service_require} __user/${USER}"
fi
# Place config file if necessary
CONFIG_FILE_DEST="${ETC_DIR}/${SERVICE_NAME}.conf"
CONFIG_FILE_SOURCE="$(cat "${__object}/parameter/config-file-source" 2>/dev/null || true)"
if [ "${CONFIG_FILE_SOURCE}" = "-" ]; then
CONFIG_FILE_SOURCE="${__object}/stdin"
fi
if [ -n "${CONFIG_FILE_SOURCE}" ] && [ "${STATE}" = "present" ]; then
require="${require} __user/${USER}" __file \
"${CONFIG_FILE_DEST}" \
--owner "${USER}" \
--group "${GROUP}" \
--mode "0440" \
--source "${CONFIG_FILE_SOURCE}"
service_require="${service_require} __file${CONFIG_FILE_DEST}"
fi
# These messages will trigger a service restart (overridden for systemd)
service_config_reload_pattern="^__file${CONFIG_FILE_DEST}"
# This should setup the object in $service_definition_require
# See above.
case "${INIT}" in
systemd)
if [ -z "${SERVICE_DEFINITION}" ]; then
SYSTEMD_ENV_FILE="/etc/systemd/system/${SERVICE_NAME}.env"
__file "${SYSTEMD_ENV_FILE}" \
--mode 0400 \
--source "${__object}/parameter/env"
# We need to take into account the envionment file for systemd too
service_config_reload_pattern="(${service_config_reload_pattern}|^__file${SYSTEMD_ENV_FILE})"
SERVICE_DEFINITION="$(cat <<EOF
[Unit]
Description=${SERVICE_DESCRIPTION}
After=network.target
[Service]
Type=simple
User=${USER}
Group=${GROUP}
ExecStart=${SERVICE_EXEC}
Restart=always
EnvironmentFile=${SYSTEMD_ENV_FILE}
${WORKING_DIRECTORY_SYSTEMD}
[Install]
WantedBy=multi-user.target
EOF
)"
fi
__systemd_unit "${SERVICE_NAME}.service" \
--source "-" \
--state "${STATE}" \
--enablement-state "enabled" <<EOF
${SERVICE_DEFINITION}
EOF
;;
runit|sysvinit)
if [ -z "${SERVICE_DEFINITION}" ]; then
RUNIT_ENV="$(sed -Ee 's!^([[:alnum:]_]+)=(.*)$!export \1=\2!' "${__object}/parameter/env")"
SERVICE_DEFINITION="$(cat <<EOF
#!/bin/sh -e
${WORKING_DIRECTORY_RUNIT}
# User-provided environment
${RUNIT_ENV}
# System vars
export HOME="\$(getent passwd '${USER}' | cut -d: -f6)"
export USER="${USER}"
export GROUP="${GROUP}"
exec 2>&1
exec chpst -u "${USER}:${GROUP}" ${SERVICE_EXEC}
EOF
)"
fi
__runit_service "${SERVICE_NAME}" \
--state "${STATE}" \
--log \
--source - <<EOF
${SERVICE_DEFINITION}
EOF
;;
esac
service_require="${service_require} ${service_definition_require}"
# Proceed after user and service description have been prepared
export require="${require} ${service_require}"
VERSION_FILE="${BIN_DIR}/.${SERVICE_NAME}.cdist.version"
IS_VERSION="$(cat "${__object}/explorer/explorer-version")"
if [ "${STATE}" = "absent" ]; then
# Perform cleanup of generated files
for bin_file in ${BINARY} ${EXTRA_BINARIES}; do
__file "${BIN_DIR}/${bin_file}" --state "absent"
done
__file "${VERSION_FILE}" --state "absent"
__file "${CONFIG_FILE_DEST}" --state "absent"
fi
if [ "${STATE}" != "present" ]; then
exit
fi
sv_cmd() {
# This is intentional
# shellcheck disable=SC2059
printf "${service_command}" "$1"
}
if [ "${SHOULD_VERSION}" != "${IS_VERSION}" ]; then
# We are installing the service and there has been a version change
# (or it is first-time install)
TMP_PATH="/tmp/${SERVICE_NAME}-${SHOULD_VERSION}"
# This is what will stop the service, replace the binaries and
# start the service again
perform_service_upgrade="$(cat <<EOF
$(sv_cmd stop) || true
if [ -f '${TMP_PATH}' ]; then
chown root:${SUPER_USER_GROUP} '${TMP_PATH}'
chmod 0555 '${TMP_PATH}'
cp -af '${TMP_PATH}' '${BIN_DIR}/${BINARY}'
else
for bin_file in ${BINARY} ${EXTRA_BINARIES}; do
bin_path="${TMP_PATH}/\${bin_file}"
chown root:${SUPER_USER_GROUP} "\${bin_path}"
chmod 0555 "\${bin_path}"
cp -af "\${bin_path}" "${BIN_DIR}/\${bin_file}"
done
fi
$(sv_cmd start) || true
EOF
)"
if [ -f "${__object}/parameter/unpack" ]; then
UNPACK_EXTENSION="$(cat "${__object}/parameter/unpack-extension")"
UNPACK_ARGS="$(cat "${__object}/parameter/unpack-args" \
2>/dev/null || true)"
# Download packed file
__download "${TMP_PATH}${UNPACK_EXTENSION}" \
--url "${DOWNLOAD_URL}" \
--download remote \
--sum "${CHECKSUM}"
# Unpack file and also perform service upgrade
# shellcheck disable=SC2086
require="__download${TMP_PATH}${UNPACK_EXTENSION}" \
__unpack "${TMP_PATH}${UNPACK_EXTENSION}" \
${UNPACK_ARGS} \
--destination "${TMP_PATH}"
version_bump_require="__unpack${TMP_PATH}${UNPACK_EXTENSION}"
else
# Create temp directory
__directory "${TMP_PATH}"
# Download binary directoy to the temp directory with the
# specified binary name
require="__directory${TMP_PATH}" __download \
"${TMP_PATH}/${BINARY}" \
--url "${DOWNLOAD_URL}" \
--download remote \
--sum "${CHECKSUM}"
version_bump_require="__download${TMP_PATH}/${BINARY}"
fi
# Perform update of cdist-managed version file
# And also perform service upgrade
# This is a bug if service_upgrade fails >,<
printf "%s" "${SHOULD_VERSION}" | \
require="${version_bump_require}" __file \
"${VERSION_FILE}" \
--onchange "${perform_service_upgrade}" \
--source "-"
else
# We only restart here if there was a config or env change
# but there was not a version change
require="${service_require}" __check_messages \
"single_binary_service_${__object_id}" \
--pattern "${service_config_reload_pattern}" \
--execute "$(sv_cmd restart)"
fi
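Review bot: the extra-binaries check is inverted: `if [ -n "${EXTRA_BINARIES}" ] && [ -f "${__object}/parameter/unpack" ]` prints "You cannot specify extra binaries without the --unpack argument" exactly when `--unpack` is present, and it only writes to stderr without `exit 1`, so the misuse it describes is never caught; it should test `[ ! -f "${__object}/parameter/unpack" ]` and then `exit 1`. Three security points. First, on runit hosts the `--env` contents are inlined into the service `run` script as `export` lines (`RUNIT_ENV`), and `__runit_service` writes that file with `--mode 0755`, so any credential passed via `--env` becomes world-readable, while on systemd the same data goes to `${SYSTEMD_ENV_FILE}` with `--mode 0400`; write the env to a root-only file and source it from `run` (or use `chpst -e` with an envdir) so both init paths protect it equally. Second, binaries are staged under `/tmp/${SERVICE_NAME}-${SHOULD_VERSION}`, a predictable path in a world-writable directory; a local user can pre-create that directory and swap its contents between `__download`'s checksum verification and the `chown`/`chmod`/`cp -af` in `perform_service_upgrade`. Stage under a root-owned `0700` directory instead and remove it after the copy, which the `/tmp` staging never does. Third, `cat "${__object}/parameter/service-args"` and the uses of `"${__object}/parameter/env"` lack the `2>/dev/null || true` guard applied to the other optional parameters, so under `sh -e` a missing `--service-args` or `--env` aborts the manifest unless parameter/default supplies them (not visible here). Also: `if [ -f '${TMP_PATH}' ]` in the upgrade snippet can never be true, since both download branches make `${TMP_PATH}` a directory, so only the `else` loop is live; and the error string `Init system ${INIT}'` has an unbalanced quote.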


@ -0,0 +1,2 @@
do-not-manage-user
unpack


@ -0,0 +1 @@
present


@ -0,0 +1 @@
.tar.gz


@ -0,0 +1 @@
root


@ -0,0 +1 @@
/nonexistent

Some files were not shown because too many files have changed in this diff.