Compare commits
56 commits
kjg_passwo
...
master
Author | SHA1 | Date | |
---|---|---|---|
fe523fe993 | |||
0f281d4118 | |||
624bf996f6 | |||
b7ba43553b | |||
116acebd10 | |||
79baaf02b1 | |||
cc2b1af653 | |||
f2850de5eb | |||
3bc9a9ff4a | |||
f01f110463 | |||
f101ea4afa | |||
2511218dd6 | |||
7cd606a52f | |||
239a1f20cf | |||
c07487ea69 | |||
11ecb37dd9 | |||
03a9b8b333 | |||
7a3b706b16 | |||
756e5b17c6 | |||
797f7c8648 | |||
1791d35f84 | |||
8e1d0b68f1 | |||
aa3f2eeb00 | |||
a63d9ec458 | |||
0cff414884 | |||
977b530dab | |||
1865ff9dce | |||
67bc8aa02b | |||
151dc32fb5 | |||
7e2ba98d36 | |||
1658121549 | |||
c5070a3a33 | |||
80bbbd3aa8 | |||
87cc109bf1 | |||
a12b343660 | |||
29cafd4f9a | |||
fa37ede84f | |||
af04f7464b | |||
a6f6a7fba8 | |||
a1b3a034c7 | |||
ac99cd8d84 | |||
ac03f05766 | |||
ecd10de2d3 | |||
422b97bc1b | |||
f6d0cbbeb7 | |||
9a779aafa3 | |||
727fbd55fb | |||
6310db7301 | |||
3f52e758fc | |||
4fdba43dd6 | |||
1af7e960fa | |||
3e77fbbb43 | |||
afa48b1028 | |||
c5929f397d | |||
d5b552ddb4 | |||
51d0b817fe |
95 changed files with 4489 additions and 975 deletions
|
@ -89,7 +89,6 @@ ipv4_import=
|
|||
if [ -f "${__object:?}"/parameter/ipv4-import ];
|
||||
then
|
||||
ipv4_import="$(cat "${__object:?}"/parameter/ipv4-import)"
|
||||
echo "FOO" >&2
|
||||
fi
|
||||
export ipv4_import
|
||||
|
||||
|
|
|
@ -15,12 +15,29 @@ autoconfigure IPv6 hosts, this type is a rudimentary implementation to generate
|
|||
configuration for Bird to do so.
|
||||
|
||||
|
||||
REQUIRED MULTIPLE PARAMETERS
|
||||
----------------------------
|
||||
REQUIRED PARAMETERS
|
||||
-------------------
|
||||
interface
|
||||
The interfaces to activate the protocol on. RAs will be sent using the
|
||||
prefixes configured on these interfaces.
|
||||
|
||||
OPTIONAL PARAMETERS
|
||||
-------------------
|
||||
mtu
|
||||
An optional MTU setting to include in the router advertisements.
|
||||
|
||||
default-preference
|
||||
This option specifies the Default Router Preference value to advertise to
|
||||
hosts. Default: medium.
|
||||
|
||||
route-preference
|
||||
This option specifies the default value of advertised route preference for
|
||||
specific routes. Default: medium.
|
||||
|
||||
default-lifetime
|
||||
This option specifies the time (in seconds) how long (since the receipt of RA)
|
||||
hosts may use the router as a default router. 0 means do not use as a default
|
||||
router. Default: 3.
|
||||
|
||||
OPTIONAL MULTIPLE PARAMETERS
|
||||
----------------------------
|
||||
|
@ -41,6 +58,7 @@ EXAMPLES
|
|||
|
||||
__bird_radv datacenter \
|
||||
--interface eth1 \
|
||||
--mtu 9000 \
|
||||
--route ::/0 \
|
||||
--ns 2001:DB8:cafe::4 \
|
||||
--ns 2001:DB8:cafe::14 \
|
||||
|
|
|
@ -55,23 +55,52 @@ then
|
|||
DNSSL=$(sed -e 's/^/\tdnssl "/' -e 's/$/";/' "${__object:?}/parameter/dnssl")
|
||||
fi
|
||||
|
||||
MTU=
|
||||
if [ -f "${__object:?}/parameter/mtu" ];
|
||||
then
|
||||
MTU="link mtu $(cat "${__object:?}/parameter/mtu");"
|
||||
fi
|
||||
|
||||
DEFAULT_PREFERENCE=
|
||||
if [ -f "${__object:?}/parameter/default-preference" ];
|
||||
then
|
||||
DEFAULT_PREFERENCE="default preference $(cat "${__object:?}/parameter/default-preference");"
|
||||
fi
|
||||
|
||||
ROUTE_PREFERENCE=
|
||||
if [ -f "${__object:?}/parameter/route-preference" ];
|
||||
then
|
||||
ROUTE_PREFERENCE="route preference $(cat "${__object:?}/parameter/route-preference");"
|
||||
fi
|
||||
|
||||
DEFAULT_LIFETIME=
|
||||
if [ -f "${__object:?}/parameter/default-lifetime" ];
|
||||
then
|
||||
DEFAULT_LIFETIME="default lifetime $(cat "${__object:?}/parameter/default-lifetime");"
|
||||
fi
|
||||
|
||||
__file "${confdir:?}/radv-${__object_id:?}.conf" \
|
||||
--mode 0640 --owner root --group bird \
|
||||
--source - << EOF
|
||||
ipv6 table radv_routes;
|
||||
ipv6 table radv_routes_${__object_id};
|
||||
|
||||
protocol static {
|
||||
description "Routes advertised via RAs";
|
||||
ipv6 { table radv_routes; };
|
||||
ipv6 { table radv_routes_${__object_id}; };
|
||||
|
||||
$(sed -e 's/^/\troute /' -e 's/$/ unreachable;/' "${__object:?}/parameter/route")
|
||||
}
|
||||
|
||||
protocol radv ${__object_id:?} {
|
||||
propagate routes ${have_routes:?};
|
||||
ipv6 { table radv_routes; export all; };
|
||||
ipv6 { table radv_routes_${__object_id}; export all; };
|
||||
|
||||
$(sed -e 's/^/\tinterface "/' -e 's/$/";/' "${__object:?}/parameter/interface")
|
||||
interface "$(cat "${__object:?}/parameter/interface")" {
|
||||
$MTU
|
||||
$DEFAULT_LIFETIME
|
||||
$DEFAULT_PREFERENCE
|
||||
$ROUTE_PREFERENCE
|
||||
};
|
||||
|
||||
$RDNS
|
||||
|
||||
|
|
4
type/__bird_radv/parameter/optional
Normal file
4
type/__bird_radv/parameter/optional
Normal file
|
@ -0,0 +1,4 @@
|
|||
mtu
|
||||
default-preference
|
||||
route-preference
|
||||
default-lifetime
|
15
type/__jitsi_meet/explorer/configured-memory
Executable file
15
type/__jitsi_meet/explorer/configured-memory
Executable file
|
@ -0,0 +1,15 @@
|
|||
#!/bin/sh -eu
|
||||
|
||||
JICOFO="/usr/share/jicofo/jicofo.sh"
|
||||
VIDEOBRIDGE="/usr/share/jitsi-videobridge/lib/videobridge.rc"
|
||||
|
||||
if [ -f "${JICOFO:?}" ]; then
|
||||
jicofo_memory="$(grep JICOFO_MAX_MEMORY= "${JICOFO:?}" | cut -d= -f 2 | cut -d ";" -f 1)"
|
||||
fi
|
||||
if [ -f "${VIDEOBRIDGE:?}" ]; then
|
||||
vb_memory="$(grep VIDEOBRIDGE_MAX_MEMORY= "${VIDEOBRIDGE:?}" | cut -d= -f 2)"
|
||||
fi
|
||||
cat <<EOF
|
||||
jicofo ${jicofo_memory:-n/a}
|
||||
videobridge ${vb_memory:-n/a}
|
||||
EOF
|
26
type/__jitsi_meet/explorer/jicofo-authpassword
Executable file
26
type/__jitsi_meet/explorer/jicofo-authpassword
Executable file
|
@ -0,0 +1,26 @@
|
|||
#!/bin/sh -eu
|
||||
|
||||
JICOFO_AUTHPASSWORD=""
|
||||
# We need this to properly configure jicofo
|
||||
|
||||
# Default to reading debconf
|
||||
DEBCONF_PASS_FILE="/var/cache/debconf/passwords.dat"
|
||||
if [ -f "${DEBCONF_PASS_FILE}" ]; then
|
||||
JICOFO_AUTHPASSWORD="$(grep -A1 'Template: jicofo/jicofo-authpassword' "${DEBCONF_PASS_FILE}" | tail -n 1 | cut -d ' ' -f 2-)"
|
||||
fi
|
||||
|
||||
# Try jicofo.conf if necessary
|
||||
JICOFO_CONF_FILE="/etc/jitsi/jicofo/jicofo.conf"
|
||||
if [ -z "${JICOFO_AUTHPASSWORD}" ] && [ -f "${JICOFO_CONF_FILE}" ]; then
|
||||
JICOFO_AUTHPASSWORD="$(grep -E '^[[:space:]]*password:' "${JICOFO_CONF_FILE}" | sed -E 's!^[^:]*:[[:space:]]*"(.*)"$!\1!')"
|
||||
fi
|
||||
|
||||
# And fallback to config file if necessary
|
||||
JICOFO_CONFIG_FILE="/etc/jitsi/jicofo/config"
|
||||
if [ -z "${JICOFO_AUTHPASSWORD}" ] && [ -f "${JICOFO_CONFIG_FILE}" ]; then
|
||||
JICOFO_AUTHPASSWORD="$(grep -E '^JICOFO_AUTH_PASSWORD=' "${JICOFO_CONFIG_FILE}" | cut -d '=' -f 2-)"
|
||||
fi
|
||||
|
||||
# If we didn't find it, this is likely a new installation and we'll generate
|
||||
# the password on the manifest
|
||||
echo "${JICOFO_AUTHPASSWORD:-}"
|
6
type/__jitsi_meet/explorer/jitsi-status
Executable file
6
type/__jitsi_meet/explorer/jitsi-status
Executable file
|
@ -0,0 +1,6 @@
|
|||
#!/bin/sh -eu
|
||||
|
||||
if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then
|
||||
# TODO: detect curl / depend on it?
|
||||
curl -s localhost:9888/metrics
|
||||
fi
|
|
@ -1,7 +0,0 @@
|
|||
#!/bin/sh -e
|
||||
|
||||
EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version"
|
||||
|
||||
if [ -f "${EXPORTER_VERSION_FILE}" ]; then
|
||||
cat "${EXPORTER_VERSION_FILE}"
|
||||
fi
|
|
@ -5,9 +5,6 @@
|
|||
if false; then
|
||||
# We are currently not using these, just here as documentation
|
||||
DEBCONF_SETTINGS="$(cat <<EOF
|
||||
# Jicofo user password:
|
||||
jicofo jicofo/jicofo-authpassword password STH
|
||||
jitsi-meet-prosody jicofo/jicofo-authpassword password STH
|
||||
# The secret used to connect to xmpp server as component
|
||||
jitsi-meet-prosody jitsi-videobridge/jvbsecret password STH
|
||||
jitsi-videobridge jitsi-videobridge/jvbsecret password STH
|
||||
|
@ -40,6 +37,9 @@ jitsi-videobridge jitsi-videobridge/jvb-hostname string ${JITSI_HOST}
|
|||
jitsi-videobridge2 jitsi-videobridge/jvb-hostname string ${JITSI_HOST}
|
||||
# The hostname of the current installation:
|
||||
jitsi-meet-prosody jitsi-meet-prosody/jvb-hostname string ${JITSI_HOST}
|
||||
# Jicofo user password:
|
||||
jicofo jicofo/jicofo-authpassword password ${JICOFO_AUTHPASSWORD}
|
||||
jitsi-meet-prosody jicofo/jicofo-authpassword password ${JICOFO_AUTHPASSWORD}
|
||||
# SSL certificate for the Jitsi Meet instance
|
||||
# Choices: Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate), I want to use my own certificate
|
||||
jitsi-meet-web-config jitsi-meet/cert-choice select Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)
|
||||
|
|
38
type/__jitsi_meet/files/jicofo.conf.sh
Executable file
38
type/__jitsi_meet/files/jicofo.conf.sh
Executable file
|
@ -0,0 +1,38 @@
|
|||
#!/bin/sh -eu
|
||||
|
||||
# Start
|
||||
cat <<EOF
|
||||
# Managed remotely, changes will be lost
|
||||
|
||||
# Jicofo HOCON configuration. See /usr/share/jicofo/jicofo.jar/reference.conf for
|
||||
#available options, syntax, and default values.
|
||||
jicofo {
|
||||
xmpp: {
|
||||
client: {
|
||||
client-proxy: focus.${JITSI_HOST:?}
|
||||
xmpp-domain: "${JITSI_HOST:?}"
|
||||
domain: "auth.${JITSI_HOST:?}"
|
||||
username: "focus"
|
||||
password: "${JICOFO_AUTHPASSWORD:?}"
|
||||
}
|
||||
trusted-domains: [ "recorder.${JITSI_HOST:?}" ]
|
||||
}
|
||||
bridge: {
|
||||
brewery-jid: "JvbBrewery@internal.auth.${JITSI_HOST:?}"
|
||||
}
|
||||
EOF
|
||||
|
||||
# Secured domains if needed
|
||||
if [ "${SECURED_DOMAINS_STATE:?}" = "present" ]; then
|
||||
cat <<EOF
|
||||
|
||||
authentication: {
|
||||
enabled: true
|
||||
type: XMPP
|
||||
login-url: ${JITSI_HOST:?}
|
||||
}
|
||||
EOF
|
||||
fi
|
||||
|
||||
# End
|
||||
echo '}'
|
1
type/__jitsi_meet/files/jitsi-version
Symbolic link
1
type/__jitsi_meet/files/jitsi-version
Symbolic link
|
@ -0,0 +1 @@
|
|||
../../__jitsi_meet_domain/files/jitsi-version
|
1
type/__jitsi_meet/files/prosody.cfg.lua.sh
Symbolic link
1
type/__jitsi_meet/files/prosody.cfg.lua.sh
Symbolic link
|
@ -0,0 +1 @@
|
|||
../../__jitsi_meet_domain/files/prosody.cfg.lua.sh
|
|
@ -1,11 +1,43 @@
|
|||
#!/bin/sh -e
|
||||
|
||||
memory="$(cat "${__global}/explorer/memory")"
|
||||
G="000000" # Will totally eff up the zero-count otherwise
|
||||
# MAX_MEMORY will affect jicofo and videobridge
|
||||
# As a rule of thumb, the machine's RAM should be more than 2.5 * MAX_MEMORY
|
||||
if [ "${memory}" -lt "3${G}" ]; then
|
||||
# If you use this, let us know how it works!
|
||||
MAX_MEMORY="768m"
|
||||
elif [ "${memory}" -lt "5${G}" ]; then
|
||||
MAX_MEMORY="1024m"
|
||||
elif [ "${memory}" -lt "8${G}" ]; then
|
||||
MAX_MEMORY="2048m"
|
||||
else
|
||||
# Jitsi recommends running on 8G RAM and these are the defaults
|
||||
MAX_MEMORY="3072m"
|
||||
fi
|
||||
|
||||
if cut -f 2 "${__object}/explorer/configured-memory" | grep -qvE "^${MAX_MEMORY}$"; then
|
||||
# At least one service has different memory settings
|
||||
RESTART_SERVICES="YES"
|
||||
cat <<-EOF
|
||||
sed -i.tmp -E \
|
||||
-e 's!^(#[[:space:]]*)?(VIDEOBRIDGE_MAX_MEMORY)=.*\$!\2=${MAX_MEMORY}!' \
|
||||
/usr/share/jitsi-videobridge/lib/videobridge.rc
|
||||
sed -i.tmp -E \
|
||||
-e 's!(JICOFO_MAX_MEMORY)[^";]+;!\1=${MAX_MEMORY};!' \
|
||||
/usr/share/jicofo/jicofo.sh
|
||||
EOF
|
||||
fi
|
||||
|
||||
if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
|
||||
echo "service nginx reload"
|
||||
fi
|
||||
|
||||
JITSI_HOST="${__object_id}"
|
||||
if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua)" "${__messages_in}"; then
|
||||
if grep -qE "^(__line/jitsi_jicofo_secured_domains|(__file|__link)/etc/prosody/conf.d/|__file/etc/jitsi/(jicofo/jicofo.conf|videobridge/jvb.conf))" "${__messages_in}"; then
|
||||
RESTART_SERVICES="YES"
|
||||
fi
|
||||
|
||||
if [ -n "${RESTART_SERVICES}" ]; then
|
||||
echo "systemctl restart prosody"
|
||||
echo "systemctl restart jicofo"
|
||||
echo "systemctl restart jitsi-videobridge2"
|
||||
|
|
|
@ -21,13 +21,24 @@ You will also need the `__jitsi_meet_domain` type in order to finish setting up
|
|||
the web frontend (including TLS certificates) and its settings.
|
||||
|
||||
You may want to use the `files/ufw` example manifest for a `__ufw`-based
|
||||
firewall compatible with this type.
|
||||
This file does not include rules for TCP port 9888, which exposes the
|
||||
prometheus exporter if not disabled.
|
||||
You should apply your own rules here.
|
||||
firewall compatible with this type that allows all ports needed by Jitsi-Meet.
|
||||
Note however that this will not deal with rules for SSH or for TCP port 9888,
|
||||
which exposes the prometheus exporter if not disabled.
|
||||
Remember to apply your own rules here, particularly regarding SSH.
|
||||
|
||||
This type only works on De{bi,vu}an systems.
|
||||
|
||||
It is very important for this type to stay up to date with the software, as
|
||||
otherwise new deployments or maintenance of existing instances might be
|
||||
negatively affected.
|
||||
If you can, please contribute updates to `__jitsi_meet` and
|
||||
`__jitsi_meet_domain` promptly and regularly.
|
||||
Alternatively, you can help finance that work; get in touch with the type
|
||||
authors for that (see below).
|
||||
|
||||
This type takes care of adapting the maximum memory used by jicofo and
|
||||
videobridge in function of the hosts installed memory.
|
||||
|
||||
NOTE: This type currently does not deal with setting up coturn.
|
||||
For that, you might want to check `__coturn` in
|
||||
https://code.ungleich.ch/ungleich-public/cdist-contrib
|
||||
|
@ -36,6 +47,14 @@ NOTE: This type currently does not deal with setting up coturn.
|
|||
|
||||
OPTIONAL PARAMETERS
|
||||
-------------------
|
||||
abort-conference-count
|
||||
Only has an effect if the prometheus exporter is enabled and if it is not
|
||||
empty (default).
|
||||
If at least this many conferences are active on the server, the type will
|
||||
bail out before making any changes.
|
||||
This is useful if you want to avoid service disruptions due to e.g. an SLA.
|
||||
|
||||
|
||||
turn-secret
|
||||
The shared secret for the TURN server.
|
||||
|
||||
|
@ -43,11 +62,6 @@ turn-server
|
|||
The hostname of the TURN server.
|
||||
This will assume that it is listening with TLS on port 443.
|
||||
|
||||
jitsi-version
|
||||
The jitsi-meet version of the Debian package to be installed.
|
||||
While this can be specified, only the default value is known to work
|
||||
properly with this type.
|
||||
|
||||
|
||||
BOOLEAN PARAMETERS
|
||||
------------------
|
||||
|
@ -70,9 +84,11 @@ EXAMPLES
|
|||
|
||||
.. code-block:: sh
|
||||
|
||||
# Setup the firewall
|
||||
# Setup the firewall for Jitsi-Meet
|
||||
. "${__global}/type/__jitsi_meet/files/ufw"
|
||||
export require="__ufw"
|
||||
# Setup firewall SSH rules as necessary
|
||||
__ufw_rule ssh --rule 'allow 22/tcp from 10.0.0.0/24'
|
||||
# Setup Jitsi on this host
|
||||
__jitsi_meet \
|
||||
--turn-server "turn.exo.cat" \
|
||||
|
@ -92,4 +108,4 @@ Evilham <contact@evilham.com>
|
|||
|
||||
COPYING
|
||||
-------
|
||||
Copyright \(C) 2021 Evilham.
|
||||
Copyright \(C) 2022 Evilham.
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
#!/bin/sh -e
|
||||
|
||||
os="$(cat "${__global}/explorer/os")"
|
||||
init="$(cat "${__global}/explorer/init")"
|
||||
case "${os}" in
|
||||
devuan|debian)
|
||||
;;
|
||||
|
@ -11,10 +10,37 @@ case "${os}" in
|
|||
;;
|
||||
esac
|
||||
|
||||
current_conferences="$(cat "${__object}/explorer/jitsi-status" | grep -E "^jitsi_conferences[[:space:]]" | cut -d ' ' -f 2)"
|
||||
|
||||
JICOFO_AUTHPASSWORD="$(cat "${__object}/explorer/jicofo-authpassword")"
|
||||
if [ -z "${JICOFO_AUTHPASSWORD}" ]; then
|
||||
# This is probably a first time installation, we'll generate the
|
||||
# password which will be set in debconf by this type
|
||||
# https://github.com/jitsi/jicofo/blob/aafb61b5363a1c4abdbf08e1444a6276b807993e/debian/postinst#L43
|
||||
JICOFO_AUTHPASSWORD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 16)"
|
||||
fi
|
||||
|
||||
ABORT_CONFERENCE_COUNT="$(cat "${__object}/parameter/abort-conference-count")"
|
||||
|
||||
if [ -n "${current_conferences}" ] && [ -n "${ABORT_CONFERENCE_COUNT}" ] && \
|
||||
[ "${ABORT_CONFERENCE_COUNT}" -le "${current_conferences}" ]; then
|
||||
cat <<-EOF
|
||||
Early bail out was requested when at least ${ABORT_CONFERENCE_COUNT} conferences are taking place.
|
||||
There are currently ${current_conferences} active conferences.
|
||||
|
||||
Try again at a later time or remove or increase --abort-conference-count
|
||||
EOF
|
||||
exit 1
|
||||
fi
|
||||
|
||||
JITSI_HOST="${__target_host}"
|
||||
# Currently unused, see below
|
||||
# JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
|
||||
if [ -f "${__object}/parameter/jitsi-version" ]; then
|
||||
# This has been deprecated and will be removed 'soon'
|
||||
JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
|
||||
else
|
||||
# Note this won't be a parameter anymore, we won't let users stay behind
|
||||
JITSI_VERSION="$(cat "${__type}/files/jitsi-version")"
|
||||
fi
|
||||
TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
|
||||
TURN_SECRET="$(cat "${__object}/parameter/turn-secret")"
|
||||
|
||||
|
@ -22,8 +48,6 @@ if [ -z "${TURN_SERVER}" ]; then
|
|||
TURN_SERVER="${JITSI_HOST}"
|
||||
fi
|
||||
|
||||
PROMETHEUS_JITSI_EXPORTER_IS_VERSION="$(cat "${__object}/explorer/prometheus-jitsi-meet-explorer-version")"
|
||||
|
||||
# The rest is loosely based on Jitsi's documentation
|
||||
# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart
|
||||
|
||||
|
@ -51,17 +75,16 @@ export require="${require} __apt_source/jitsi_meet __apt_update_index"
|
|||
# Pre-feed debconf settings, so Jitsi's installation has a good config
|
||||
# shellcheck source=type/__jitsi_meet/files/debconf_settings.sh
|
||||
. "${__type}/files/debconf_settings.sh" # This defines DEBCONF_SETTINGS
|
||||
__debconf_set_selections jitsi_meet --file - <<EOF
|
||||
${DEBCONF_SETTINGS}
|
||||
EOF
|
||||
__debconf_set_selections jitsi_meet --line "${DEBCONF_SETTINGS}"
|
||||
export require="${require} __debconf_set_selections/jitsi_meet"
|
||||
|
||||
# Install and upgrade packages as needed
|
||||
__package_apt jitsi-meet
|
||||
# We are not doing version pinning anymore because it breaks when
|
||||
# NOTE: we are doing version pinning again, but it breaks sometimes when
|
||||
# the version is not the latest.
|
||||
# This happens because dependencies cannot be properly resolved.
|
||||
# --version "${JITSI_VERSION}"
|
||||
# This happens because dependencies might not be properly resolved.
|
||||
# To avoid this, this type must be maintained up to date.
|
||||
# If we don't use this, keeping Jitsi's up to date is very difficult.
|
||||
__package_apt jitsi-meet --version "${JITSI_VERSION}"
|
||||
|
||||
# Proceed only after installation/upgrade has finished
|
||||
export require="__package_apt/jitsi-meet"
|
||||
|
@ -126,8 +149,9 @@ require="__directory${NGINX_ETC}/sites-available" __file "${NGINX_ETC}/sites-ava
|
|||
server_names_hash_bucket_size 64;
|
||||
|
||||
types {
|
||||
# nginx's default mime.types doesn't include a mapping for wasm
|
||||
# nginx's default mime.types doesn't include a mapping for wasm or wav.
|
||||
application/wasm wasm;
|
||||
audio/wav wav;
|
||||
}
|
||||
|
||||
server {
|
||||
|
@ -151,95 +175,157 @@ server {
|
|||
}
|
||||
EOF
|
||||
|
||||
if [ -f "${__object}/parameter/secured-domains" ]; then
|
||||
SECURED_DOMAINS_STATE='present'
|
||||
SECURED_DOMAINS_STATE_JICOFO='replace'
|
||||
else
|
||||
SECURED_DOMAINS_STATE='absent'
|
||||
SECURED_DOMAINS_STATE_JICOFO='absent'
|
||||
fi
|
||||
|
||||
__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
|
||||
--owner prosody --group prosody --mode 0440 \
|
||||
--state ${SECURED_DOMAINS_STATE} \
|
||||
# Starting from 2.0.7210, jitsi defines following nginx upstreams
|
||||
__directory "${NGINX_ETC}/conf.d" --state present
|
||||
require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/prosody.conf" \
|
||||
--mode 644 \
|
||||
--source - << EOF
|
||||
VirtualHost "${JITSI_HOST}"
|
||||
authentication = "internal_plain"
|
||||
|
||||
VirtualHost "guest.${JITSI_HOST}"
|
||||
authentication = "anonymous"
|
||||
c2s_require_encryption = false
|
||||
upstream prosody {
|
||||
zone upstreams 64K;
|
||||
server 127.0.0.1:5280;
|
||||
keepalive 2;
|
||||
}
|
||||
EOF
|
||||
|
||||
__block jitsi_jicofo_secured_domains \
|
||||
--prefix "// begin cdist: jicofo_secured_domains" \
|
||||
--suffix "// end cdist: jicofo_secured_domains" \
|
||||
--file /etc/jitsi/jicofo/jicofo.conf \
|
||||
--state "${SECURED_DOMAINS_STATE_JICOFO}" \
|
||||
--text '-' <<EOF
|
||||
authentication: {
|
||||
enabled: true
|
||||
type: XMPP
|
||||
login-url: ${JITSI_HOST}
|
||||
require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/jvb1.conf" \
|
||||
--mode 644 \
|
||||
--source - << EOF
|
||||
upstream jvb1 {
|
||||
zone upstreams 64K;
|
||||
server 127.0.0.1:9090;
|
||||
keepalive 2;
|
||||
}
|
||||
EOF
|
||||
require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/jicofo.conf" \
|
||||
--mode 644 \
|
||||
--source - << EOF
|
||||
upstream jicofo {
|
||||
zone upstreams 64K;
|
||||
server 127.0.0.1:8888;
|
||||
keepalive 2;
|
||||
}
|
||||
EOF
|
||||
|
||||
if [ -f "${__object}/parameter/secured-domains" ]; then
|
||||
SECURED_DOMAINS_STATE='present'
|
||||
else
|
||||
SECURED_DOMAINS_STATE='absent'
|
||||
fi
|
||||
|
||||
# This is the main host config
|
||||
PROSODY_MAIN_CONFIG="YES"
|
||||
# Prosody settings for common components (jvb, focus, ...)
|
||||
# shellcheck source=type/__jitsi_meet/files/prosody.cfg.lua.sh
|
||||
. "${__type}/files/prosody.cfg.lua.sh" # This defines PROSODY_CONFIG
|
||||
__file "/etc/prosody/conf.d/00_jitsi_base.cfg.lua" \
|
||||
--group prosody \
|
||||
--mode 0440 \
|
||||
--source - <<EOF
|
||||
${PROSODY_CONFIG}
|
||||
EOF
|
||||
|
||||
# Clean up zauth.cfg.lua file, which we don't use now
|
||||
__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
|
||||
--state absent
|
||||
|
||||
export SECURED_DOMAINS_STATE
|
||||
export JITSI_HOST
|
||||
export JICOFO_AUTHPASSWORD
|
||||
"${__type}/files/jicofo.conf.sh" | \
|
||||
__file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-'
|
||||
|
||||
# Enable the private colibri REST API end point for better stats
|
||||
__file "/etc/jitsi/videobridge/jvb.conf" --mode 0444 --source '-' <<EOFJVB
|
||||
videobridge {
|
||||
http-servers {
|
||||
public {
|
||||
port = 9090
|
||||
}
|
||||
private {
|
||||
port = 8080
|
||||
}
|
||||
}
|
||||
websockets {
|
||||
enabled = true
|
||||
domain = "${JITSI_HOST}:443"
|
||||
tls = true
|
||||
}
|
||||
apis {
|
||||
rest {
|
||||
enabled = true
|
||||
}
|
||||
}
|
||||
cc {
|
||||
trust-bwe = false
|
||||
}
|
||||
}
|
||||
EOFJVB
|
||||
|
||||
# Enable simple per-domain body customisation
|
||||
__file "/usr/share/jitsi-meet/body.html" \
|
||||
--mode 0644 \
|
||||
--source '-' <<EOF
|
||||
<!--#include virtual="body-\${host}.html" -->
|
||||
EOF
|
||||
|
||||
# These two should be changed on new release
|
||||
PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5"
|
||||
PROMETHEUS_JITSI_EXPORTER_CHECKSUM="sha256:3ddf43a48d9a2f62be1bc6db9e7ba75d61994f9423e5c5b28be019f41f06f745"
|
||||
PROMETHEUS_JITSI_EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}/prometheus-jitsi-meet-exporter-linux-amd64"
|
||||
PROMETHEUS_JITSI_EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version"
|
||||
if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then
|
||||
case "${init}" in
|
||||
init|sysvinit)
|
||||
__runit
|
||||
require="__runit" __runit_service \
|
||||
prometheus-jitsi-meet-exporter --log --source - <<EOF
|
||||
#!/bin/sh -e
|
||||
cd /tmp
|
||||
exec chpst -u "nobody:nogroup" env HOME="/tmp" \\
|
||||
prometheus-jitsi-meet-exporter \\
|
||||
-videobridge-url 'http://localhost:8888/stats' \\
|
||||
-web.listen-address ':9888' 2>&1
|
||||
EOF
|
||||
|
||||
export require="__runit_service/prometheus-jitsi-meet-exporter"
|
||||
JITSI_MEET_EXPORTER_SERVICE="sv %s prometheus-jitsi-meet-exporter"
|
||||
;;
|
||||
systemd)
|
||||
__systemd_unit prometheus-jitsi-meet-exporter.service \
|
||||
--source "-" \
|
||||
--enablement-state "enabled" <<EOF
|
||||
[Unit]
|
||||
Description=Metrics Exporter for Jitsi Meet
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
DynamicUser=yes
|
||||
ExecStart=/usr/local/bin/prometheus-jitsi-meet-exporter -videobridge-url 'http://localhost:8888/stats' -web.listen-address ':9888'
|
||||
Restart=always
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
EOF
|
||||
export require="__systemd_unit/prometheus-jitsi-meet-exporter.service"
|
||||
JITSI_MEET_EXPORTER_SERVICE="service prometheus-jitsi-meet-exporter %s"
|
||||
;;
|
||||
esac
|
||||
if [ "${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}" != \
|
||||
"${PROMETHEUS_JITSI_EXPORTER_IS_VERSION}" ]; then
|
||||
# shellcheck disable=SC2059
|
||||
__download \
|
||||
/tmp/prometheus-jitsi-meet-exporter \
|
||||
--url "${PROMETHEUS_JITSI_EXPORTER_URL}" \
|
||||
--download remote \
|
||||
--sum "${PROMETHEUS_JITSI_EXPORTER_CHECKSUM}" \
|
||||
--onchange "$(printf "${JITSI_MEET_EXPORTER_SERVICE}" "stop") || true; chmod 555 /tmp/prometheus-jitsi-meet-exporter && mv /tmp/prometheus-jitsi-meet-exporter /usr/local/bin/prometheus-jitsi-meet-exporter && $(printf "${JITSI_MEET_EXPORTER_SERVICE}" "restart")"
|
||||
printf "%s" "${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}" | \
|
||||
require="${require} __download/tmp/prometheus-jitsi-meet-exporter" __file \
|
||||
"${PROMETHEUS_JITSI_EXPORTER_VERSION_FILE}" \
|
||||
--source "-"
|
||||
EXPORTER_VERSION="1.2.1"
|
||||
EXPORTER_CHECKSUM="sha256:46d4b8475b72fd7632a5203f1cc3c7067bed4629902b7780a1da85e4e06c2129"
|
||||
EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${EXPORTER_VERSION}/prometheus-jitsi-meet-exporter_${EXPORTER_VERSION}_linux_amd64.tar.gz"
|
||||
if [ -f "${__object}/parameter/disable-prometheus-exporter" ]; then
|
||||
EXPORTER_STATE="absent"
|
||||
else
|
||||
EXPORTER_STATE="present"
|
||||
fi
|
||||
fi
|
||||
# TODO: disable the exporter if it is deployed and then admin changes their mind
|
||||
__single_binary_service prometheus-jitsi-meet-exporter \
|
||||
--state "${EXPORTER_STATE}" \
|
||||
--do-not-manage-user \
|
||||
--user "nobody" \
|
||||
--group "nogroup" \
|
||||
--version "${EXPORTER_VERSION}" \
|
||||
--checksum "${EXPORTER_CHECKSUM}" \
|
||||
--url "${EXPORTER_URL}" \
|
||||
--unpack \
|
||||
--service-args "-videobridge-url 'http://localhost:8080/colibri/stats' -web.listen-address ':9888'"
|
||||
|
||||
#
|
||||
# Setup interpreter assets if requested
|
||||
# See: https://gitlab.com/mfmt/jsi/
|
||||
#
|
||||
jsi_updated_on="2022-04-21"
|
||||
__link "/usr/share/jitsi-meet/interpreters.html" \
|
||||
--type symbolic \
|
||||
--source "/opt/jsi/static/index.html.sample"
|
||||
__directory /opt/jsi --mode 0755
|
||||
export require="__directory/opt/jsi"
|
||||
__download /opt/jsi/jsi.tar.gz \
|
||||
--url 'https://gitlab.com/mfmt/jsi/-/archive/1d2cceaf615ee61c0bba80e5bddc61c5d1018303/jsi-1d2cceaf615ee61c0bba80e5bddc61c5d1018303.tar.gz' \
|
||||
--sum "sha256:b020141093daa9937507b098f358d0be994834c3e23866a457fc5140415a0c53"
|
||||
export require="__download/opt/jsi/jsi.tar.gz"
|
||||
__unpack /opt/jsi/jsi.tar.gz \
|
||||
--preserve-archive \
|
||||
--tar-strip 1 \
|
||||
--destination /opt/jsi/static \
|
||||
--onchange "$(cat <<EOF
|
||||
# Patch style.css to be served on /i/
|
||||
sed -i.tmp -E \
|
||||
-e 's!url[(]/img/welcome-background.png[)]!url(/i/img/welcome-background.png)!' \
|
||||
/opt/jsi/static/style.css
|
||||
# Patch jsi.js to be served on /i/
|
||||
# and so it always uses the domain it's served from
|
||||
# and so it uses /i/ROOM for the form
|
||||
sed -i.tmp -E \
|
||||
-e 's!substr[(][0-9]+[)]!substr(3)!' \
|
||||
-e 's!config[.]jitsimeet_url!url.host!' \
|
||||
-e 's!(window[.]location[.]href)[[:space:]]*=[[:space:]]*"/"!\1 = "/i/"!' \
|
||||
/opt/jsi/static/jsi.js
|
||||
# Patch the sample index.html, so it loads external_api.js from same host
|
||||
# and to easen up on the branding
|
||||
# and to enable browser cache
|
||||
sed -i.tmp -E \
|
||||
-e "s!src=[^>]*(/external_api.js).!src='\1'!" \
|
||||
-e "s!<h1>[^<]*</h1>!<h1>Jitsi Meetings with interpreter</h1>!" \
|
||||
-e "s!https://meet.mayfirst.org!/!" \
|
||||
-e "s!(style.css|jsi.js)([^?])!\1?v=${jsi_updated_on:?}\2!" \
|
||||
/opt/jsi/static/index.html.sample
|
||||
EOF
|
||||
)"
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
2.0.5765-1
|
4
type/__jitsi_meet/parameter/deprecated/jitsi-version
Normal file
4
type/__jitsi_meet/parameter/deprecated/jitsi-version
Normal file
|
@ -0,0 +1,4 @@
|
|||
Supporting different versions lead to strange issues in the life-time of a
|
||||
Jitsi instance. Chiefly: difficulties upgrading.
|
||||
|
||||
If you are specifying this for a valid reason, please get in touch.
|
|
@ -1,3 +1,4 @@
|
|||
abort-conference-count
|
||||
jitsi-version
|
||||
turn-secret
|
||||
turn-server
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
|
||||
# We could automate this, but are using it as an indicator for the
|
||||
# latest branch with which we conciliated changes.
|
||||
BRANCH="jitsi-meet_6726"
|
||||
BRANCH="jitsi-meet_9457"
|
||||
REPO="https://github.com/jitsi/jitsi-meet"
|
||||
|
||||
get_url() {
|
||||
|
@ -28,3 +28,8 @@ download_file() {
|
|||
download_file config.js
|
||||
download_file interface_config.js
|
||||
download_file doc/debian/jitsi-meet/jitsi-meet.example nginx.sh.orig
|
||||
download_file doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example prosody.cfg.lua.sh.orig
|
||||
|
||||
# Change the version file, maintainers should check that it matches
|
||||
# the deb version
|
||||
printf "2.0.%s-1" "${BRANCH#*_}" > jitsi-version
|
||||
|
|
File diff suppressed because it is too large
Load diff
File diff suppressed because it is too large
Load diff
|
@ -20,7 +20,7 @@ JITSI_INTERFACE_CONFIG_JS="$(cat <<EOF
|
|||
*/
|
||||
|
||||
var interfaceConfig = {
|
||||
APP_NAME: 'Jitsi Meet',
|
||||
APP_NAME: '${BRANDING_APP_NAME}',
|
||||
AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)',
|
||||
AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)',
|
||||
|
||||
|
@ -37,8 +37,7 @@ var interfaceConfig = {
|
|||
|
||||
CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
|
||||
|
||||
DEFAULT_BACKGROUND: '#474747',
|
||||
DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
|
||||
DEFAULT_BACKGROUND: '#040404',
|
||||
DEFAULT_WELCOME_PAGE_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
|
||||
|
||||
DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
|
||||
|
@ -82,17 +81,13 @@ var interfaceConfig = {
|
|||
|
||||
ENABLE_DIAL_OUT: true,
|
||||
|
||||
ENABLE_FEEDBACK_ANIMATION: false, // Enables feedback star animation.
|
||||
// DEPRECATED. Animation no longer supported.
|
||||
// ENABLE_FEEDBACK_ANIMATION: false,
|
||||
|
||||
FILM_STRIP_MAX_HEIGHT: 120,
|
||||
|
||||
GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
|
||||
|
||||
/**
|
||||
* Hide the logo on the deep linking pages.
|
||||
*/
|
||||
HIDE_DEEP_LINKING_LOGO: false,
|
||||
|
||||
/**
|
||||
* Hide the invite prompt in the header when alone in the meeting.
|
||||
*/
|
||||
|
@ -101,7 +96,6 @@ var interfaceConfig = {
|
|||
JITSI_WATERMARK_LINK: 'https://jitsi.org',
|
||||
|
||||
LANG_DETECTION: true, // Allow i18n to detect the system language
|
||||
LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature.
|
||||
LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
|
||||
|
||||
/**
|
||||
|
@ -121,28 +115,11 @@ var interfaceConfig = {
|
|||
*/
|
||||
MOBILE_APP_PROMO: true,
|
||||
|
||||
/**
|
||||
* Specify custom URL for downloading android mobile app.
|
||||
*/
|
||||
MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
|
||||
|
||||
/**
|
||||
* Specify custom URL for downloading f droid app.
|
||||
*/
|
||||
MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
|
||||
|
||||
/**
|
||||
* Specify URL for downloading ios mobile app.
|
||||
*/
|
||||
MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
|
||||
|
||||
NATIVE_APP_NAME: 'Jitsi Meet',
|
||||
|
||||
// Names of browsers which should show a warning stating the current browser
|
||||
// has a suboptimal experience. Browsers which are not listed as optimal or
|
||||
// unsupported are considered suboptimal. Valid values are:
|
||||
// chrome, chromium, edge, electron, firefox, nwjs, opera, safari
|
||||
OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron', 'safari' ],
|
||||
// chrome, chromium, electron, firefox , safari, webkit
|
||||
OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'electron', 'safari', 'webkit' ],
|
||||
|
||||
POLICY_LOGO: null,
|
||||
PROVIDER_NAME: 'Jitsi',
|
||||
|
@ -155,7 +132,7 @@ var interfaceConfig = {
|
|||
RECENT_LIST_ENABLED: true,
|
||||
REMOTE_THUMBNAIL_RATIO: 1, // 1:1
|
||||
|
||||
SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds' ],
|
||||
SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds', 'more' ],
|
||||
|
||||
/**
|
||||
* Specify which sharing features should be displayed. If the value is not set
|
||||
|
@ -172,7 +149,6 @@ var interfaceConfig = {
|
|||
*/
|
||||
SHOW_CHROME_EXTENSION_BANNER: false,
|
||||
|
||||
SHOW_DEEP_LINKING_IMAGE: false,
|
||||
SHOW_JITSI_WATERMARK: true,
|
||||
SHOW_POWERED_BY: false,
|
||||
SHOW_PROMOTIONAL_CLOSE_PAGE: false,
|
||||
|
@ -213,6 +189,31 @@ var interfaceConfig = {
|
|||
*/
|
||||
// TILE_VIEW_MAX_COLUMNS: 5,
|
||||
|
||||
// List of undocumented settings
|
||||
/**
|
||||
INDICATOR_FONT_SIZES
|
||||
PHONE_NUMBER_REGEX
|
||||
*/
|
||||
|
||||
// -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
|
||||
|
||||
/**
|
||||
* Specify URL for downloading ios mobile app.
|
||||
*/
|
||||
// MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
|
||||
|
||||
/**
|
||||
* Specify custom URL for downloading android mobile app.
|
||||
*/
|
||||
// MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
|
||||
|
||||
/**
|
||||
* Specify mobile app scheme for opening the app from the mobile browser.
|
||||
*/
|
||||
// APP_SCHEME: 'org.jitsi.meet',
|
||||
|
||||
// NATIVE_APP_NAME: 'Jitsi Meet',
|
||||
|
||||
/**
|
||||
* Specify Firebase dynamic link properties for the mobile apps.
|
||||
*/
|
||||
|
@ -225,22 +226,19 @@ var interfaceConfig = {
|
|||
// },
|
||||
|
||||
/**
|
||||
* Specify mobile app scheme for opening the app from the mobile browser.
|
||||
* Hide the logo on the deep linking pages.
|
||||
*/
|
||||
// APP_SCHEME: 'org.jitsi.meet',
|
||||
// HIDE_DEEP_LINKING_LOGO: false,
|
||||
|
||||
/**
|
||||
* Specify the Android app package name.
|
||||
*/
|
||||
// ANDROID_APP_PACKAGE: 'org.jitsi.meet',
|
||||
|
||||
// List of undocumented settings
|
||||
/**
|
||||
INDICATOR_FONT_SIZES
|
||||
PHONE_NUMBER_REGEX
|
||||
* Specify custom URL for downloading f droid app.
|
||||
*/
|
||||
|
||||
// -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
|
||||
// MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
|
||||
|
||||
// Connection indicators (
|
||||
// CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,
|
||||
|
@ -253,12 +251,19 @@ var interfaceConfig = {
|
|||
// Please use defaultLocalDisplayName from config.js
|
||||
// DEFAULT_LOCAL_DISPLAY_NAME: 'me',
|
||||
|
||||
// Please use defaultLogoUrl from config.js
|
||||
DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
|
||||
|
||||
// Please use defaultRemoteDisplayName from config.js
|
||||
// DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
|
||||
|
||||
// Moved to config.js as \`toolbarConfig.initialTimeout\`.
|
||||
// INITIAL_TOOLBAR_TIMEOUT: 20000,
|
||||
|
||||
// Moved to config.js as \`toolbarConfig.alwaysVisible\`.
|
||||
// Documentation reference for the live streaming feature.
|
||||
// LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live',
|
||||
|
||||
// Moved to config.js as \`toolbarConfig.alwaysVisible\`.
|
||||
// TOOLBAR_ALWAYS_VISIBLE: false,
|
||||
|
||||
|
|
|
@ -26,8 +26,7 @@ var interfaceConfig = {
|
|||
|
||||
CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
|
||||
|
||||
DEFAULT_BACKGROUND: '#474747',
|
||||
DEFAULT_LOGO_URL: 'images/watermark.svg',
|
||||
DEFAULT_BACKGROUND: '#040404',
|
||||
DEFAULT_WELCOME_PAGE_LOGO_URL: 'images/watermark.svg',
|
||||
|
||||
DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
|
||||
|
@ -71,17 +70,13 @@ var interfaceConfig = {
|
|||
|
||||
ENABLE_DIAL_OUT: true,
|
||||
|
||||
ENABLE_FEEDBACK_ANIMATION: false, // Enables feedback star animation.
|
||||
// DEPRECATED. Animation no longer supported.
|
||||
// ENABLE_FEEDBACK_ANIMATION: false,
|
||||
|
||||
FILM_STRIP_MAX_HEIGHT: 120,
|
||||
|
||||
GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
|
||||
|
||||
/**
|
||||
* Hide the logo on the deep linking pages.
|
||||
*/
|
||||
HIDE_DEEP_LINKING_LOGO: false,
|
||||
|
||||
/**
|
||||
* Hide the invite prompt in the header when alone in the meeting.
|
||||
*/
|
||||
|
@ -90,7 +85,6 @@ var interfaceConfig = {
|
|||
JITSI_WATERMARK_LINK: 'https://jitsi.org',
|
||||
|
||||
LANG_DETECTION: true, // Allow i18n to detect the system language
|
||||
LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature.
|
||||
LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
|
||||
|
||||
/**
|
||||
|
@ -110,28 +104,11 @@ var interfaceConfig = {
|
|||
*/
|
||||
MOBILE_APP_PROMO: true,
|
||||
|
||||
/**
|
||||
* Specify custom URL for downloading android mobile app.
|
||||
*/
|
||||
MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
|
||||
|
||||
/**
|
||||
* Specify custom URL for downloading f droid app.
|
||||
*/
|
||||
MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
|
||||
|
||||
/**
|
||||
* Specify URL for downloading ios mobile app.
|
||||
*/
|
||||
MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
|
||||
|
||||
NATIVE_APP_NAME: 'Jitsi Meet',
|
||||
|
||||
// Names of browsers which should show a warning stating the current browser
|
||||
// has a suboptimal experience. Browsers which are not listed as optimal or
|
||||
// unsupported are considered suboptimal. Valid values are:
|
||||
// chrome, chromium, edge, electron, firefox, nwjs, opera, safari
|
||||
OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron', 'safari' ],
|
||||
// chrome, chromium, electron, firefox , safari, webkit
|
||||
OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'electron', 'safari', 'webkit' ],
|
||||
|
||||
POLICY_LOGO: null,
|
||||
PROVIDER_NAME: 'Jitsi',
|
||||
|
@ -144,7 +121,7 @@ var interfaceConfig = {
|
|||
RECENT_LIST_ENABLED: true,
|
||||
REMOTE_THUMBNAIL_RATIO: 1, // 1:1
|
||||
|
||||
SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds' ],
|
||||
SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds', 'more' ],
|
||||
|
||||
/**
|
||||
* Specify which sharing features should be displayed. If the value is not set
|
||||
|
@ -161,7 +138,6 @@ var interfaceConfig = {
|
|||
*/
|
||||
SHOW_CHROME_EXTENSION_BANNER: false,
|
||||
|
||||
SHOW_DEEP_LINKING_IMAGE: false,
|
||||
SHOW_JITSI_WATERMARK: true,
|
||||
SHOW_POWERED_BY: false,
|
||||
SHOW_PROMOTIONAL_CLOSE_PAGE: false,
|
||||
|
@ -202,6 +178,31 @@ var interfaceConfig = {
|
|||
*/
|
||||
// TILE_VIEW_MAX_COLUMNS: 5,
|
||||
|
||||
// List of undocumented settings
|
||||
/**
|
||||
INDICATOR_FONT_SIZES
|
||||
PHONE_NUMBER_REGEX
|
||||
*/
|
||||
|
||||
// -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
|
||||
|
||||
/**
|
||||
* Specify URL for downloading ios mobile app.
|
||||
*/
|
||||
// MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
|
||||
|
||||
/**
|
||||
* Specify custom URL for downloading android mobile app.
|
||||
*/
|
||||
// MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
|
||||
|
||||
/**
|
||||
* Specify mobile app scheme for opening the app from the mobile browser.
|
||||
*/
|
||||
// APP_SCHEME: 'org.jitsi.meet',
|
||||
|
||||
// NATIVE_APP_NAME: 'Jitsi Meet',
|
||||
|
||||
/**
|
||||
* Specify Firebase dynamic link properties for the mobile apps.
|
||||
*/
|
||||
|
@ -214,22 +215,19 @@ var interfaceConfig = {
|
|||
// },
|
||||
|
||||
/**
|
||||
* Specify mobile app scheme for opening the app from the mobile browser.
|
||||
* Hide the logo on the deep linking pages.
|
||||
*/
|
||||
// APP_SCHEME: 'org.jitsi.meet',
|
||||
// HIDE_DEEP_LINKING_LOGO: false,
|
||||
|
||||
/**
|
||||
* Specify the Android app package name.
|
||||
*/
|
||||
// ANDROID_APP_PACKAGE: 'org.jitsi.meet',
|
||||
|
||||
// List of undocumented settings
|
||||
/**
|
||||
INDICATOR_FONT_SIZES
|
||||
PHONE_NUMBER_REGEX
|
||||
* Specify custom URL for downloading f droid app.
|
||||
*/
|
||||
|
||||
// -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
|
||||
// MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
|
||||
|
||||
// Connection indicators (
|
||||
// CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,
|
||||
|
@ -242,12 +240,19 @@ var interfaceConfig = {
|
|||
// Please use defaultLocalDisplayName from config.js
|
||||
// DEFAULT_LOCAL_DISPLAY_NAME: 'me',
|
||||
|
||||
// Please use defaultLogoUrl from config.js
|
||||
// DEFAULT_LOGO_URL: 'images/watermark.svg',
|
||||
|
||||
// Please use defaultRemoteDisplayName from config.js
|
||||
// DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
|
||||
|
||||
// Moved to config.js as `toolbarConfig.initialTimeout`.
|
||||
// INITIAL_TOOLBAR_TIMEOUT: 20000,
|
||||
|
||||
// Please use `liveStreaming.helpLink` from config.js
|
||||
// Documentation reference for the live streaming feature.
|
||||
// LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live',
|
||||
|
||||
// Moved to config.js as `toolbarConfig.alwaysVisible`.
|
||||
// TOOLBAR_ALWAYS_VISIBLE: false,
|
||||
|
||||
|
|
1
type/__jitsi_meet_domain/files/jitsi-version
Normal file
1
type/__jitsi_meet_domain/files/jitsi-version
Normal file
|
@ -0,0 +1 @@
|
|||
2.0.9457-1
|
|
@ -7,8 +7,36 @@ JITSI_NGINX_CONFIG="$(cat <<EOF
|
|||
#server_names_hash_bucket_size 64;
|
||||
#
|
||||
#types {
|
||||
## nginx's default mime.types doesn't include a mapping for wasm
|
||||
## nginx's default mime.types doesn't include a mapping for wasm or wav.
|
||||
# application/wasm wasm;
|
||||
# audio/wav wav;
|
||||
#}
|
||||
# These upstreams are managed by __jitsi_meet
|
||||
#upstream jicofo {
|
||||
# zone upstreams 64K;
|
||||
# server 127.0.0.1:8888;
|
||||
# keepalive 2;
|
||||
#}
|
||||
#upstream prosody {
|
||||
# zone upstreams 64K;
|
||||
# server 127.0.0.1:5280;
|
||||
# keepalive 2;
|
||||
#}
|
||||
#upstream jvb1 {
|
||||
# zone upstreams 64K;
|
||||
# server 127.0.0.1:9090;
|
||||
# keepalive 2;
|
||||
#}
|
||||
#map \$arg_vnode \$prosody_node {
|
||||
# default prosody;
|
||||
# v1 v1;
|
||||
# v2 v2;
|
||||
# v3 v3;
|
||||
# v4 v4;
|
||||
# v5 v5;
|
||||
# v6 v6;
|
||||
# v7 v7;
|
||||
# v8 v8;
|
||||
#}
|
||||
server {
|
||||
listen 80;
|
||||
|
@ -22,8 +50,8 @@ server {
|
|||
}
|
||||
}
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name ${DOMAIN};
|
||||
|
||||
include snippets/acme-challenge.conf;
|
||||
|
@ -39,6 +67,10 @@ server {
|
|||
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
set \$prefix "";
|
||||
# Try the custom page for this domain, fallback to default page
|
||||
set \$custom_index "index-${DOMAIN}.html";
|
||||
# We expect this domain to be properly configured, the file should exist
|
||||
set \$config_js_location "/etc/jitsi/meet/${DOMAIN}-config.js";
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
|
||||
|
@ -50,7 +82,7 @@ server {
|
|||
ssi_types application/x-javascript application/javascript;
|
||||
|
||||
# Try the custom page for this domain, fallback to default page
|
||||
index index-${DOMAIN}.html index.html index.htm;
|
||||
index \$custom_index index.html index.htm;
|
||||
error_page 404 /static/404.html;
|
||||
|
||||
gzip on;
|
||||
|
@ -59,9 +91,10 @@ server {
|
|||
gzip_proxied no-cache no-store private expired auth;
|
||||
gzip_min_length 512;
|
||||
|
||||
# We expect this domain to be properly configured, the file should exist
|
||||
# include /etc/jitsi/meet/jaas/*.conf;
|
||||
|
||||
location = /config.js {
|
||||
alias /etc/jitsi/meet/${DOMAIN}-config.js;
|
||||
alias \$config_js_location;
|
||||
}
|
||||
# We expect this domain to be properly configured, the file should exist
|
||||
location = /interface_config.js {
|
||||
|
@ -80,8 +113,20 @@ server {
|
|||
alias /usr/share/jitsi-meet/libs/external_api.min.js;
|
||||
}
|
||||
|
||||
location = /_api/room-info {
|
||||
proxy_pass http://prosody/room-info?prefix=\$prefix&\$args;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header X-Forwarded-For \$remote_addr;
|
||||
proxy_set_header Host \$http_host;
|
||||
}
|
||||
|
||||
location ~ ^/_api/public/(.*)\$ {
|
||||
autoindex off;
|
||||
alias /etc/jitsi/meet/public/\$1;
|
||||
}
|
||||
|
||||
# ensure all static content can always be found first
|
||||
location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)\$
|
||||
location ~ ^/(libs|css|static|images|fonts|lang|sounds|.well-known)/(.*)\$
|
||||
{
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
alias /usr/share/jitsi-meet/\$1/\$2;
|
||||
|
@ -92,32 +137,48 @@ server {
|
|||
}
|
||||
}
|
||||
|
||||
# Paths for jsi / interpreters
|
||||
location ~ ^/i/(img/[^./]*.png|jsi.js|style.css)$
|
||||
{
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
alias /opt/jsi/static/\$1;
|
||||
|
||||
# cache all versioned files
|
||||
if (\$arg_v) {
|
||||
expires 1y;
|
||||
}
|
||||
}
|
||||
location ~ ^/i/
|
||||
{
|
||||
try_files /${DOMAIN}-interpreters.html /interpreters.html \$uri;
|
||||
}
|
||||
|
||||
# BOSH
|
||||
location = /http-bind {
|
||||
# We are using 127.0.0.1, because we are not specifying a resolver
|
||||
# otherwise nginx will fail to resolve 'localhost'
|
||||
proxy_pass http://127.0.0.1:5280/http-bind?prefix=\$prefix&\$args;
|
||||
proxy_pass http://prosody/http-bind?prefix=\$prefix&\$args;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header X-Forwarded-For \$remote_addr;
|
||||
# Prevision for 'multi-domain' jitsi instances
|
||||
# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
|
||||
proxy_set_header Host ${JITSI_HOST};
|
||||
proxy_set_header Host ${DOMAIN};
|
||||
proxy_set_header Connection "";
|
||||
}
|
||||
|
||||
# xmpp websockets
|
||||
location = /xmpp-websocket {
|
||||
proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=\$prefix&\$args;
|
||||
proxy_pass http://prosody/xmpp-websocket?prefix=\$prefix&\$args;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade \$http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
# Prevision for 'multi-domain' jitsi instances
|
||||
# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
|
||||
proxy_set_header Host ${JITSI_HOST};
|
||||
proxy_set_header Host ${DOMAIN};
|
||||
tcp_nodelay on;
|
||||
}
|
||||
|
||||
# colibri (JVB) websockets for jvb1
|
||||
location ~ ^/colibri-ws/default-id/(.*) {
|
||||
proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/\$1\$is_args\$args;
|
||||
proxy_pass http://jvb1/colibri-ws/default-id/\$1\$is_args\$args;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade \$http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
|
@ -133,11 +194,22 @@ server {
|
|||
# alias /usr/share/jitsi-meet/load-test/libs/\$1;
|
||||
#}
|
||||
|
||||
location ~ ^/conference-request/v1([/].*)?\$ {
|
||||
proxy_pass http://jicofo/conference-request/v1\$1;
|
||||
add_header "Cache-Control" "no-cache, no-store";
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
}
|
||||
location ~ ^/([^/?&:'"]+)/conference-request/v1([/].*)?\$ {
|
||||
rewrite ^/([^/?&:'"]+)/conference-request/v1([/].*)?\$ /conference-request/v1\$2;
|
||||
}
|
||||
|
||||
location ~ ^/([^/?&:'"]+)\$ {
|
||||
set \$roomname "\$1";
|
||||
try_files \$uri @root_path;
|
||||
}
|
||||
|
||||
location @root_path {
|
||||
# rewrite ^/(.*)\$ /\$custom_index break;
|
||||
rewrite ^/(.*)\$ / break;
|
||||
}
|
||||
|
||||
|
@ -146,9 +218,16 @@ server {
|
|||
set \$subdomain "\$1.";
|
||||
set \$subdir "\$1/";
|
||||
|
||||
alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
|
||||
alias \$config_js_location;
|
||||
}
|
||||
|
||||
## Matches /(TENANT)/pwa-worker.js or /(TENANT)/manifest.json to rewrite to / and look for file
|
||||
#location ~ ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)\$ {
|
||||
# set \$subdomain "\$1.";
|
||||
# set \$subdir "\$1/";
|
||||
# rewrite ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)\$ /\$2;
|
||||
#}
|
||||
|
||||
# BOSH for subdomains
|
||||
location ~ ^/([^/?&:'"]+)/http-bind {
|
||||
set \$subdomain "\$1.";
|
||||
|
@ -167,6 +246,14 @@ server {
|
|||
rewrite ^/(.*)\$ /xmpp-websocket;
|
||||
}
|
||||
|
||||
location ~ ^/([^/?&:'"]+)/_api/room-info {
|
||||
set \$subdomain "\$1.";
|
||||
set \$subdir "\$1/";
|
||||
set \$prefix "\$1";
|
||||
|
||||
rewrite ^/(.*)\$ /_api/room-info;
|
||||
}
|
||||
|
||||
# Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
|
||||
location ~ ^/([^/?&:'"]+)/(.*)\$ {
|
||||
set \$subdomain "\$1.";
|
||||
|
|
|
@ -1,8 +1,30 @@
|
|||
server_names_hash_bucket_size 64;
|
||||
|
||||
types {
|
||||
# nginx's default mime.types doesn't include a mapping for wasm
|
||||
# nginx's default mime.types doesn't include a mapping for wasm or wav.
|
||||
application/wasm wasm;
|
||||
audio/wav wav;
|
||||
}
|
||||
upstream prosody {
|
||||
zone upstreams 64K;
|
||||
server 127.0.0.1:5280;
|
||||
keepalive 2;
|
||||
}
|
||||
upstream jvb1 {
|
||||
zone upstreams 64K;
|
||||
server 127.0.0.1:9090;
|
||||
keepalive 2;
|
||||
}
|
||||
map $arg_vnode $prosody_node {
|
||||
default prosody;
|
||||
v1 v1;
|
||||
v2 v2;
|
||||
v3 v3;
|
||||
v4 v4;
|
||||
v5 v5;
|
||||
v6 v6;
|
||||
v7 v7;
|
||||
v8 v8;
|
||||
}
|
||||
server {
|
||||
listen 80;
|
||||
|
@ -21,8 +43,8 @@ server {
|
|||
}
|
||||
}
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name jitsi-meet.example.com;
|
||||
|
||||
# Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
|
||||
|
@ -36,6 +58,8 @@ server {
|
|||
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
set $prefix "";
|
||||
set $custom_index "";
|
||||
set $config_js_location /etc/jitsi/meet/jitsi-meet.example.com-config.js;
|
||||
|
||||
ssl_certificate /etc/jitsi/meet/jitsi-meet.example.com.crt;
|
||||
ssl_certificate_key /etc/jitsi/meet/jitsi-meet.example.com.key;
|
||||
|
@ -55,16 +79,30 @@ server {
|
|||
gzip_proxied no-cache no-store private expired auth;
|
||||
gzip_min_length 512;
|
||||
|
||||
include /etc/jitsi/meet/jaas/*.conf;
|
||||
|
||||
location = /config.js {
|
||||
alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
|
||||
alias $config_js_location;
|
||||
}
|
||||
|
||||
location = /external_api.js {
|
||||
alias /usr/share/jitsi-meet/libs/external_api.min.js;
|
||||
}
|
||||
|
||||
location = /_api/room-info {
|
||||
proxy_pass http://prosody/room-info?prefix=$prefix&$args;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header Host $http_host;
|
||||
}
|
||||
|
||||
location ~ ^/_api/public/(.*)$ {
|
||||
autoindex off;
|
||||
alias /etc/jitsi/meet/public/$1;
|
||||
}
|
||||
|
||||
# ensure all static content can always be found first
|
||||
location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
|
||||
location ~ ^/(libs|css|static|images|fonts|lang|sounds|.well-known)/(.*)$
|
||||
{
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
alias /usr/share/jitsi-meet/$1/$2;
|
||||
|
@ -77,14 +115,16 @@ server {
|
|||
|
||||
# BOSH
|
||||
location = /http-bind {
|
||||
proxy_pass http://127.0.0.1:5280/http-bind?prefix=$prefix&$args;
|
||||
proxy_pass http://$prosody_node/http-bind?prefix=$prefix&$args;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header Connection "";
|
||||
}
|
||||
|
||||
# xmpp websockets
|
||||
location = /xmpp-websocket {
|
||||
proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
|
||||
proxy_pass http://$prosody_node/xmpp-websocket?prefix=$prefix&$args;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
|
@ -94,7 +134,7 @@ server {
|
|||
|
||||
# colibri (JVB) websockets for jvb1
|
||||
location ~ ^/colibri-ws/default-id/(.*) {
|
||||
proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/$1$is_args$args;
|
||||
proxy_pass http://jvb1/colibri-ws/default-id/$1$is_args$args;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
|
@ -110,12 +150,22 @@ server {
|
|||
# alias /usr/share/jitsi-meet/load-test/libs/$1;
|
||||
#}
|
||||
|
||||
location ~ ^/conference-request/v1(\/.*)?$ {
|
||||
proxy_pass http://127.0.0.1:8888/conference-request/v1$1;
|
||||
add_header "Cache-Control" "no-cache, no-store";
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
}
|
||||
location ~ ^/([^/?&:'"]+)/conference-request/v1(\/.*)?$ {
|
||||
rewrite ^/([^/?&:'"]+)/conference-request/v1(\/.*)?$ /conference-request/v1$2;
|
||||
}
|
||||
|
||||
location ~ ^/([^/?&:'"]+)$ {
|
||||
set $roomname "$1";
|
||||
try_files $uri @root_path;
|
||||
}
|
||||
|
||||
location @root_path {
|
||||
rewrite ^/(.*)$ / break;
|
||||
rewrite ^/(.*)$ /$custom_index break;
|
||||
}
|
||||
|
||||
location ~ ^/([^/?&:'"]+)/config.js$
|
||||
|
@ -123,7 +173,14 @@ server {
|
|||
set $subdomain "$1.";
|
||||
set $subdir "$1/";
|
||||
|
||||
alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
|
||||
alias $config_js_location;
|
||||
}
|
||||
|
||||
# Matches /(TENANT)/pwa-worker.js or /(TENANT)/manifest.json to rewrite to / and look for file
|
||||
location ~ ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ {
|
||||
set $subdomain "$1.";
|
||||
set $subdir "$1/";
|
||||
rewrite ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ /$2;
|
||||
}
|
||||
|
||||
# BOSH for subdomains
|
||||
|
@ -144,6 +201,14 @@ server {
|
|||
rewrite ^/(.*)$ /xmpp-websocket;
|
||||
}
|
||||
|
||||
location ~ ^/([^/?&:'"]+)/_api/room-info {
|
||||
set $subdomain "$1.";
|
||||
set $subdir "$1/";
|
||||
set $prefix "$1";
|
||||
|
||||
rewrite ^/(.*)$ /_api/room-info;
|
||||
}
|
||||
|
||||
# Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
|
||||
location ~ ^/([^/?&:'"]+)/(.*)$ {
|
||||
set $subdomain "$1.";
|
||||
|
|
223
type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
Normal file
223
type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
Normal file
|
@ -0,0 +1,223 @@
|
|||
#!/bin/sh -eu
|
||||
|
||||
# Source:
|
||||
# https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example
|
||||
FOCUS_USER="focus"
|
||||
JITSI_DOMAIN="${JITSI_DOMAIN:-${JITSI_HOST:?}}"
|
||||
# PROSODY_MAIN_CONFIG: defined in __jitsi_meet, empty in __jitsi_meet_domain
|
||||
PROSODY_SECUREDOMAIN_START="--[["
|
||||
PROSODY_SECUREDOMAIN_END="--]]"
|
||||
if [ -n "${PROSODY_MAIN_CONFIG}" ]; then
|
||||
PROSODY_MAIN_START=""
|
||||
PROSODY_MAIN_END=""
|
||||
PROSODY_DOMAIN_START="--[["
|
||||
PROSODY_DOMAIN_END="--]]"
|
||||
else
|
||||
PROSODY_MAIN_START="--[["
|
||||
PROSODY_MAIN_END="--]]"
|
||||
PROSODY_DOMAIN_START=""
|
||||
PROSODY_DOMAIN_END=""
|
||||
if [ -n "${SECURED_DOMAINS}" ]; then
|
||||
PROSODY_SECUREDOMAIN_START=""
|
||||
PROSODY_SECUREDOMAIN_END=""
|
||||
fi
|
||||
fi
|
||||
# Websockets haven't been fully tested in this type and don't work reliably
|
||||
PROSODY_WEBSOCKET="-- "
|
||||
|
||||
# shellcheck disable=SC2034 # This is intended to be included
|
||||
PROSODY_CONFIG="$(cat <<EOFPROSODY
|
||||
-- Managed remotely, changes will be lost
|
||||
${PROSODY_MAIN_START}
|
||||
-- This will be managed by __jitsi_meet
|
||||
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
|
||||
|
||||
-- domain mapper options, must at least have domain base set to use the mapper
|
||||
muc_mapper_domain_base = "${JITSI_HOST:?}";
|
||||
|
||||
external_service_secret = "${TURN_SECRET:-TurnSecret}";
|
||||
external_services = {
|
||||
{ type = "stun", host = "${JITSI_HOST:?}", port = 3478 },
|
||||
{ type = "turn", host = "${JITSI_HOST:?}", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
|
||||
{ type = "turns", host = "${JITSI_HOST:?}", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
|
||||
};
|
||||
|
||||
cross_domain_bosh = false;
|
||||
consider_bosh_secure = true;
|
||||
-- Use websockets
|
||||
-- https://community.jitsi.org/t/how-to-how-to-enable-websockets-xmpp-websocket-and-smacks-for-prosody/87920
|
||||
${PROSODY_WEBSOCKET}consider_websocket_secure = true;
|
||||
|
||||
-- https_ports = { }; -- Remove this line to prevent listening on port 5284
|
||||
|
||||
-- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
|
||||
--http_cors_override = {
|
||||
-- bosh = {
|
||||
-- enabled = false;
|
||||
-- };
|
||||
-- websocket = {
|
||||
-- enabled = false;
|
||||
-- };
|
||||
--}
|
||||
|
||||
-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
|
||||
ssl = {
|
||||
protocol = "tlsv1_2+";
|
||||
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
|
||||
}
|
||||
|
||||
unlimited_jids = {
|
||||
"${FOCUS_USER:?}@auth.${JITSI_HOST:?}",
|
||||
"jvb@auth.${JITSI_HOST:?}"
|
||||
}
|
||||
${PROSODY_MAIN_END}
|
||||
|
||||
${PROSODY_DOMAIN_START}
|
||||
-- This will be managed by __jitsi_meet_domain
|
||||
VirtualHost "${JITSI_DOMAIN:?}"
|
||||
authentication = "jitsi-anonymous" -- do not delete me
|
||||
-- Properties below are modified by jitsi-meet-tokens package config
|
||||
-- and authentication above is switched to "token"
|
||||
--app_id="example_app_id"
|
||||
--app_secret="example_app_secret"
|
||||
-- Assign this host a certificate for TLS, otherwise it would use the one
|
||||
-- set in the global section (if any).
|
||||
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
|
||||
-- use the global one.
|
||||
ssl = {
|
||||
key = "/etc/prosody/certs/${JITSI_DOMAIN:?}.key";
|
||||
certificate = "/etc/prosody/certs/${JITSI_DOMAIN:?}.crt";
|
||||
}
|
||||
av_moderation_component = "avmoderation.${JITSI_DOMAIN:?}"
|
||||
speakerstats_component = "speakerstats.${JITSI_DOMAIN:?}"
|
||||
end_conference_component = "endconference.${JITSI_DOMAIN:?}"
|
||||
-- we need bosh
|
||||
modules_enabled = {
|
||||
"bosh";
|
||||
"ping"; -- Enable mod_ping
|
||||
"speakerstats";
|
||||
"external_services";
|
||||
"conference_duration";
|
||||
"end_conference";
|
||||
"muc_lobby_rooms";
|
||||
"muc_breakout_rooms";
|
||||
"av_moderation";
|
||||
"room_metadata";
|
||||
${PROSODY_WEBSOCKET} "websocket";
|
||||
${PROSODY_WEBSOCKET} "smacks";
|
||||
}
|
||||
smacks_max_unacked_stanzas = 5;
|
||||
smacks_hibernation_time = 60;
|
||||
smacks_max_hibernated_sessions = 1;
|
||||
smacks_max_old_sessions = 1;
|
||||
c2s_require_encryption = false
|
||||
lobby_muc = "lobby.${JITSI_DOMAIN:?}"
|
||||
breakout_rooms_muc = "breakout.${JITSI_DOMAIN:?}"
|
||||
room_metadata_component = "metadata.${JITSI_DOMAIN:?}"
|
||||
main_muc = "conference.${JITSI_DOMAIN:?}"
|
||||
-- muc_lobby_whitelist = { "recorder.${JITSI_DOMAIN:?}" } -- Here we can whitelist jibri to enter lobby enabled rooms
|
||||
|
||||
Component "conference.${JITSI_DOMAIN:?}" "muc"
|
||||
restrict_room_creation = true
|
||||
storage = "memory"
|
||||
modules_enabled = {
|
||||
"muc_hide_all";
|
||||
"muc_meeting_id";
|
||||
"muc_domain_mapper";
|
||||
"polls";
|
||||
--"token_verification";
|
||||
"muc_rate_limit";
|
||||
"muc_password_whitelist";
|
||||
}
|
||||
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
|
||||
muc_password_whitelist = {
|
||||
"${FOCUS_USER:?}@auth.${JITSI_HOST:?}"
|
||||
}
|
||||
muc_room_locking = false
|
||||
muc_room_default_public_jids = true
|
||||
|
||||
Component "breakout.${JITSI_DOMAIN:?}" "muc"
|
||||
restrict_room_creation = true
|
||||
storage = "memory"
|
||||
modules_enabled = {
|
||||
"muc_hide_all";
|
||||
"muc_meeting_id";
|
||||
"muc_domain_mapper";
|
||||
"muc_rate_limit";
|
||||
"polls";
|
||||
}
|
||||
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
|
||||
muc_room_locking = false
|
||||
muc_room_default_public_jids = true
|
||||
|
||||
-- internal muc component
|
||||
Component "internal.auth.${JITSI_DOMAIN:?}" "muc"
|
||||
storage = "memory"
|
||||
modules_enabled = {
|
||||
"muc_hide_all";
|
||||
"ping";
|
||||
}
|
||||
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}", "jvb@auth.${JITSI_HOST:?}" }
|
||||
muc_room_locking = false
|
||||
muc_room_default_public_jids = true
|
||||
-- https://prosody.im/doc/modules/mod_muc
|
||||
muc_room_cache_size = 1000
|
||||
${PROSODY_DOMAIN_END}
|
||||
${PROSODY_MAIN_START}
|
||||
-- This will be managed by __jitsi_meet
|
||||
|
||||
VirtualHost "auth.${JITSI_DOMAIN:?}"
|
||||
ssl = {
|
||||
key = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.key";
|
||||
certificate = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.crt";
|
||||
}
|
||||
|
||||
modules_enabled = {
|
||||
"limits_exception";
|
||||
}
|
||||
authentication = "internal_hashed"
|
||||
${PROSODY_MAIN_END}
|
||||
${PROSODY_DOMAIN_START}
|
||||
-- This will be managed by __jitsi_meet_domain
|
||||
|
||||
-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
|
||||
Component "focus.${JITSI_DOMAIN:?}" "client_proxy"
|
||||
-- Single focus user for the whole instance
|
||||
target_address = "${FOCUS_USER:?}@auth.${JITSI_HOST:?}"
|
||||
|
||||
Component "speakerstats.${JITSI_DOMAIN:?}" "speakerstats_component"
|
||||
muc_component = "conference.${JITSI_DOMAIN:?}"
|
||||
|
||||
Component "endconference.${JITSI_DOMAIN:?}" "end_conference"
|
||||
muc_component = "conference.${JITSI_DOMAIN:?}"
|
||||
|
||||
Component "avmoderation.${JITSI_DOMAIN:?}" "av_moderation_component"
|
||||
muc_component = "conference.${JITSI_DOMAIN:?}"
|
||||
|
||||
Component "lobby.${JITSI_DOMAIN:?}" "muc"
|
||||
storage = "memory"
|
||||
restrict_room_creation = true
|
||||
muc_room_locking = false
|
||||
muc_room_default_public_jids = true
|
||||
modules_enabled = {
|
||||
"muc_hide_all";
|
||||
"muc_rate_limit";
|
||||
"polls";
|
||||
}
|
||||
|
||||
Component "metadata.${JITSI_DOMAIN:?}" "room_metadata_component"
|
||||
muc_component = "conference.${JITSI_DOMAIN:?}"
|
||||
breakout_rooms_component = "breakout.${JITSI_DOMAIN:?}"
|
||||
${PROSODY_DOMAIN_END}
|
||||
|
||||
${PROSODY_SECUREDOMAIN_START}
|
||||
-- Only used on secured domains
|
||||
VirtualHost "${JITSI_DOMAIN}"
|
||||
authentication = "internal_plain"
|
||||
|
||||
VirtualHost "guest.${JITSI_DOMAIN}"
|
||||
authentication = "anonymous"
|
||||
c2s_require_encryption = false
|
||||
${PROSODY_SECUREDOMAIN_END}
|
||||
EOFPROSODY
|
||||
)"
|
151
type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig
Normal file
151
type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig
Normal file
|
@ -0,0 +1,151 @@
|
|||
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
|
||||
|
||||
-- domain mapper options, must at least have domain base set to use the mapper
|
||||
muc_mapper_domain_base = "jitmeet.example.com";
|
||||
|
||||
external_service_secret = "__turnSecret__";
|
||||
external_services = {
|
||||
{ type = "stun", host = "jitmeet.example.com", port = 3478 },
|
||||
{ type = "turn", host = "jitmeet.example.com", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
|
||||
{ type = "turns", host = "jitmeet.example.com", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
|
||||
};
|
||||
|
||||
cross_domain_bosh = false;
|
||||
consider_bosh_secure = true;
|
||||
-- https_ports = { }; -- Remove this line to prevent listening on port 5284
|
||||
|
||||
-- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
|
||||
--http_cors_override = {
|
||||
-- bosh = {
|
||||
-- enabled = false;
|
||||
-- };
|
||||
-- websocket = {
|
||||
-- enabled = false;
|
||||
-- };
|
||||
--}
|
||||
|
||||
-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
|
||||
ssl = {
|
||||
protocol = "tlsv1_2+";
|
||||
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
|
||||
}
|
||||
|
||||
unlimited_jids = {
|
||||
"focusUser@auth.jitmeet.example.com",
|
||||
"jvb@auth.jitmeet.example.com"
|
||||
}
|
||||
|
||||
VirtualHost "jitmeet.example.com"
|
||||
authentication = "jitsi-anonymous" -- do not delete me
|
||||
-- Properties below are modified by jitsi-meet-tokens package config
|
||||
-- and authentication above is switched to "token"
|
||||
--app_id="example_app_id"
|
||||
--app_secret="example_app_secret"
|
||||
-- Assign this host a certificate for TLS, otherwise it would use the one
|
||||
-- set in the global section (if any).
|
||||
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
|
||||
-- use the global one.
|
||||
ssl = {
|
||||
key = "/etc/prosody/certs/jitmeet.example.com.key";
|
||||
certificate = "/etc/prosody/certs/jitmeet.example.com.crt";
|
||||
}
|
||||
av_moderation_component = "avmoderation.jitmeet.example.com"
|
||||
speakerstats_component = "speakerstats.jitmeet.example.com"
|
||||
end_conference_component = "endconference.jitmeet.example.com"
|
||||
-- we need bosh
|
||||
modules_enabled = {
|
||||
"bosh";
|
||||
"ping"; -- Enable mod_ping
|
||||
"speakerstats";
|
||||
"external_services";
|
||||
"conference_duration";
|
||||
"end_conference";
|
||||
"muc_lobby_rooms";
|
||||
"muc_breakout_rooms";
|
||||
"av_moderation";
|
||||
"room_metadata";
|
||||
}
|
||||
c2s_require_encryption = false
|
||||
lobby_muc = "lobby.jitmeet.example.com"
|
||||
breakout_rooms_muc = "breakout.jitmeet.example.com"
|
||||
room_metadata_component = "metadata.jitmeet.example.com"
|
||||
main_muc = "conference.jitmeet.example.com"
|
||||
-- muc_lobby_whitelist = { "recorder.jitmeet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
|
||||
|
||||
Component "conference.jitmeet.example.com" "muc"
|
||||
restrict_room_creation = true
|
||||
storage = "memory"
|
||||
modules_enabled = {
|
||||
"muc_hide_all";
|
||||
"muc_meeting_id";
|
||||
"muc_domain_mapper";
|
||||
"polls";
|
||||
--"token_verification";
|
||||
"muc_rate_limit";
|
||||
"muc_password_whitelist";
|
||||
}
|
||||
admins = { "focusUser@auth.jitmeet.example.com" }
|
||||
muc_password_whitelist = {
|
||||
"focusUser@auth.jitmeet.example.com"
|
||||
}
|
||||
muc_room_locking = false
|
||||
muc_room_default_public_jids = true
|
||||
|
||||
Component "breakout.jitmeet.example.com" "muc"
|
||||
restrict_room_creation = true
|
||||
storage = "memory"
|
||||
modules_enabled = {
|
||||
"muc_hide_all";
|
||||
"muc_meeting_id";
|
||||
"muc_domain_mapper";
|
||||
"muc_rate_limit";
|
||||
"polls";
|
||||
}
|
||||
admins = { "focusUser@auth.jitmeet.example.com" }
|
||||
muc_room_locking = false
|
||||
muc_room_default_public_jids = true
|
||||
|
||||
-- internal muc component
|
||||
Component "internal.auth.jitmeet.example.com" "muc"
|
||||
storage = "memory"
|
||||
modules_enabled = {
|
||||
"muc_hide_all";
|
||||
"ping";
|
||||
}
|
||||
admins = { "focusUser@auth.jitmeet.example.com", "jvb@auth.jitmeet.example.com" }
|
||||
muc_room_locking = false
|
||||
muc_room_default_public_jids = true
|
||||
|
||||
VirtualHost "auth.jitmeet.example.com"
|
||||
modules_enabled = {
|
||||
"limits_exception";
|
||||
}
|
||||
authentication = "internal_hashed"
|
||||
|
||||
-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
|
||||
Component "focus.jitmeet.example.com" "client_proxy"
|
||||
target_address = "focusUser@auth.jitmeet.example.com"
|
||||
|
||||
Component "speakerstats.jitmeet.example.com" "speakerstats_component"
|
||||
muc_component = "conference.jitmeet.example.com"
|
||||
|
||||
Component "endconference.jitmeet.example.com" "end_conference"
|
||||
muc_component = "conference.jitmeet.example.com"
|
||||
|
||||
Component "avmoderation.jitmeet.example.com" "av_moderation_component"
|
||||
muc_component = "conference.jitmeet.example.com"
|
||||
|
||||
Component "lobby.jitmeet.example.com" "muc"
|
||||
storage = "memory"
|
||||
restrict_room_creation = true
|
||||
muc_room_locking = false
|
||||
muc_room_default_public_jids = true
|
||||
modules_enabled = {
|
||||
"muc_hide_all";
|
||||
"muc_rate_limit";
|
||||
"polls";
|
||||
}
|
||||
|
||||
Component "metadata.jitmeet.example.com" "room_metadata_component"
|
||||
muc_component = "conference.jitmeet.example.com"
|
||||
breakout_rooms_component = "breakout.jitmeet.example.com"
|
|
@ -11,14 +11,24 @@ DESCRIPTION
|
|||
-----------
|
||||
This type installs and configures the frontend for Jitsi-Meet.
|
||||
|
||||
This supports "multi-domain" installations, notice that in such a setup, all
|
||||
rooms are shared across the different URLs, e.g.
|
||||
https://jitsi1.example.org/room1 and https://jitsi2.example.org/room1 are
|
||||
equivalent.
|
||||
Additionally to regular Jitsi-Meet, users can load `DOMAIN/i/` and
|
||||
`DOMAIN/i/ROOM` for an interpreter-enabled interface; this is done with a
|
||||
patched version of Jitsi Simultaneous Interpretation (jsi; see references).
|
||||
At least a user with `interpreter` in their name must be present.
|
||||
|
||||
|
||||
This type supports "multi-domain" installations.
|
||||
|
||||
New in April 2022: rooms are independent for each domain, that is:
|
||||
https://jitsi1.example.org/room1 and https://jitsi2.example.org/room1 are
|
||||
different rooms.
|
||||
Note however, that right now if using secured domains, users are still shared
|
||||
across any domains hosted in the same instance.
|
||||
One way to work around that could be to run multiple jicofos, but we do not
|
||||
want to bloat the servers.
|
||||
A better way is to patch jicofo, get in touch with the type authors if you want
|
||||
the gory details.
|
||||
|
||||
This is due to the underlying XMPP and signaling rooms being common.
|
||||
There might be a way to perform tricks on the Nginx-side to avoid this, but
|
||||
time is lacking :-).
|
||||
|
||||
This assumes `__jitsi_meet` has already been ran on the target host, and,
|
||||
amongst others, that Jitsi was set up with `__target_host` as the Jitsi domain.
|
||||
|
@ -41,6 +51,11 @@ admin-email
|
|||
|
||||
OPTIONAL PARAMETERS
|
||||
-------------------
|
||||
analytics-settings
|
||||
This goes inside the `analytics` part of `config.js`.
|
||||
Defaults to: `disabled: true`.
|
||||
See: https://github.com/jitsi/jitsi-meet/blob/master/config.js
|
||||
|
||||
channel-last-n
|
||||
Default value for the "last N" attribute.
|
||||
Defaults to 20. Set to -1 for unlimited.
|
||||
|
@ -60,6 +75,10 @@ start-video-muted
|
|||
Defaults to 10.
|
||||
|
||||
|
||||
state
|
||||
Whether the domain is 'present' or 'absent', defaults to 'present'.
|
||||
|
||||
|
||||
turn-server
|
||||
The TURN server to be used.
|
||||
Defaults to `__target_host`.
|
||||
|
@ -74,6 +93,15 @@ video-constraints
|
|||
It must not have a trailing comma, see `constraints` in
|
||||
`__jitsi_meet_domain/files/config.js.sh`.
|
||||
|
||||
branding-app-name
|
||||
This will change `Jitsi Meet` in many places to the brand you desire.
|
||||
Defaults to `Jitsi Meet`.
|
||||
|
||||
branding-extra-body
|
||||
This must be valid HTML, it will be included server-side and delivered to
|
||||
clients alongside the default `index.html`.
|
||||
This is useful if you would rather not replace the whole `index`, but
|
||||
still want the chance to do some heavier branding / add instructions / etc.
|
||||
|
||||
branding-json
|
||||
Path to a JSON file that will be served as the `dynamicBrandingUrl`.
|
||||
|
@ -81,14 +109,12 @@ branding-json
|
|||
`__jitsi_meet_domain/files/config.js.sh`.
|
||||
If not set, no branding will be set up.
|
||||
|
||||
|
||||
branding-index
|
||||
Path to an HTML file that will be served instead of Jitsi-Meet's default
|
||||
one.
|
||||
If not set, the default index file will be used.
|
||||
If set to `-`, the type's standard input will be used.
|
||||
|
||||
|
||||
branding-watermark
|
||||
Path to a png file that will be served instead of Jitsi-Meet's default
|
||||
one.
|
||||
|
@ -143,6 +169,7 @@ SEE ALSO
|
|||
--------
|
||||
- `__jitsi_meet(7)`
|
||||
- `__jitsi_meet_user(7)`
|
||||
- Jitsi Meet Simultaneous Interpretation: https://gitlab.com/mfmt/jsi
|
||||
|
||||
|
||||
AUTHORS
|
||||
|
|
|
@ -18,9 +18,12 @@ NOTICE_MESSAGE="$(cat "${__object}/parameter/notice-message")"
|
|||
START_VIDEO_MUTED="$(cat "${__object}/parameter/start-video-muted")"
|
||||
TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
|
||||
VIDEO_CONSTRAINTS="$(cat "${__object}/parameter/video-constraints")"
|
||||
ANALYTICS_SETTINGS="$(cat "${__object}/parameter/analytics-settings")"
|
||||
BRANDING_APP_NAME="$(cat "${__object}/parameter/branding-app-name")"
|
||||
BRANDING_INDEX="$(cat "${__object}/parameter/branding-index")"
|
||||
BRANDING_JSON="$(cat "${__object}/parameter/branding-json")"
|
||||
BRANDING_WATERMARK="$(cat "${__object}/parameter/branding-watermark")"
|
||||
STATE="$(cat "${__object}/parameter/state")"
|
||||
|
||||
if [ "${BRANDING_INDEX}" = "-" ]; then
|
||||
BRANDING_INDEX="${__object}/stdin"
|
||||
|
@ -47,11 +50,31 @@ if [ -n "${BRANDING_JSON}" ]; then
|
|||
DYNAMIC_BRANDING_URL="/branding.json"
|
||||
fi
|
||||
|
||||
case "${STATE}" in
|
||||
present)
|
||||
# When adding the domain, Let's Encrypt must come before nginx
|
||||
le_require=""
|
||||
nginx_require="__letsencrypt_cert/${DOMAIN}"
|
||||
;;
|
||||
absent)
|
||||
# When removing, nginx must come before Let's Encrypt
|
||||
le_require="__file/etc/nginx/sites-enabled/${DOMAIN}.conf"
|
||||
nginx_require=""
|
||||
;;
|
||||
*)
|
||||
cat >> /dev/stderr <<-EOM
|
||||
Unsupported state '${STATE}', must be 'present' or 'absent'.
|
||||
EOM
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
#
|
||||
# Deal with certbot
|
||||
#
|
||||
# use object id as domain
|
||||
__letsencrypt_cert "${DOMAIN}" \
|
||||
require="${le_require}" __letsencrypt_cert "${DOMAIN}" \
|
||||
--state "${STATE}" \
|
||||
--admin-email "${ADMIN_EMAIL}" \
|
||||
--deploy-hook "service nginx reload" \
|
||||
--webroot /usr/share/jitsi-meet
|
||||
|
@ -59,8 +82,9 @@ __letsencrypt_cert "${DOMAIN}" \
|
|||
# Create virtualhost for nginx
|
||||
# shellcheck source=type/__jitsi_meet_domain/files/nginx.sh
|
||||
. "${__type}/files/nginx.sh" # This defines JITSI_NGINX_CONFIG
|
||||
require="__letsencrypt_cert/${DOMAIN}" __file \
|
||||
require="${nginx_require}" __file \
|
||||
"/etc/nginx/sites-enabled/${DOMAIN}.conf" \
|
||||
--state "${STATE}" \
|
||||
--mode 0644 --source "-" <<EOF
|
||||
${JITSI_NGINX_CONFIG}
|
||||
EOF
|
||||
|
@ -69,6 +93,7 @@ EOF
|
|||
# shellcheck source=type/__jitsi_meet_domain/files/config.js.sh
|
||||
. "${__type}/files/config.js.sh" # This defines JITSI_CONFIG_JS
|
||||
__file "/etc/jitsi/meet/${DOMAIN}-config.js" \
|
||||
--state "${STATE}" \
|
||||
--mode 0644 --source "-" <<EOF
|
||||
${JITSI_CONFIG_JS}
|
||||
EOF
|
||||
|
@ -77,6 +102,7 @@ EOF
|
|||
# shellcheck source=type/__jitsi_meet_domain/files/interface_config.js.sh
|
||||
. "${__type}/files/interface_config.js.sh" # This defines JITSI_CONFIG_JS
|
||||
__file "/etc/jitsi/meet/${DOMAIN}-interface_config.js" \
|
||||
--state "${STATE}" \
|
||||
--mode 0644 --source "-" <<EOF
|
||||
${JITSI_INTERFACE_CONFIG_JS}
|
||||
EOF
|
||||
|
@ -87,7 +113,7 @@ EOF
|
|||
#
|
||||
# Helper function to manage the state of the target branding file
|
||||
_var_state() {
|
||||
if [ -n "${1}" ]; then
|
||||
if [ "${STATE}" = "present" ] && [ -n "${1}" ]; then
|
||||
echo "present"
|
||||
else
|
||||
echo "absent"
|
||||
|
@ -106,3 +132,43 @@ __file "/usr/share/jitsi-meet/images/watermark-${DOMAIN}.png" \
|
|||
--mode 0644 \
|
||||
--state "$(_var_state "${BRANDING_WATERMARK}")" \
|
||||
--source "${BRANDING_WATERMARK}"
|
||||
# Simple body customisation
|
||||
__file "/usr/share/jitsi-meet/body-${DOMAIN}.html" \
|
||||
--mode 0644 \
|
||||
--state "$(_var_state "${STATE}")" \
|
||||
--source "${__object}/parameter/branding-extra-body"
|
||||
|
||||
#
|
||||
# Take care of prosody settings for the domain
|
||||
#
|
||||
JITSI_DOMAIN="${DOMAIN}"
|
||||
# Prosody settings for common components (jvb, focus, ...)
|
||||
# shellcheck source=type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
|
||||
. "${__type}/files/prosody.cfg.lua.sh" # This defines PROSODY_CONFIG
|
||||
__file "/etc/prosody/conf.avail/${DOMAIN}.cfg.lua" \
|
||||
--group prosody \
|
||||
--mode 0440 \
|
||||
--state "${STATE}" \
|
||||
--source '-' <<EOF
|
||||
${PROSODY_CONFIG}
|
||||
EOF
|
||||
__link "/etc/prosody/conf.d/${DOMAIN}.cfg.lua" \
|
||||
--source "/etc/prosody/conf.avail/${DOMAIN}.cfg.lua" \
|
||||
--state "${STATE}" \
|
||||
--type symbolic
|
||||
|
||||
if [ "${STATE}" = "present" ]; then
|
||||
export require="${require} __file/etc/prosody/conf.avail/${DOMAIN}.cfg.lua __link/etc/prosody/conf.d/${DOMAIN}.cfg.lua"
|
||||
__check_messages "prosody/${DOMAIN}" \
|
||||
--pattern '^(__file|__link)/etc/prosody/conf[.](avail|d)/' \
|
||||
--execute "$(cat <<EOF
|
||||
if [ ! -f "/var/lib/prosody/${DOMAIN}.crt" ]; then
|
||||
echo | prosodyctl cert generate '${DOMAIN}';
|
||||
ln -sf '/var/lib/prosody/${DOMAIN}.key' '/etc/prosody/certs/${DOMAIN}.key'
|
||||
ln -sf '/var/lib/prosody/${DOMAIN}.crt' '/etc/prosody/certs/${DOMAIN}.crt'
|
||||
fi
|
||||
# Surprisingly, a reload is not enough
|
||||
service prosody restart
|
||||
EOF
|
||||
)"
|
||||
fi
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
disabled: true
|
|
@ -0,0 +1 @@
|
|||
Jitsi Meet
|
1
type/__jitsi_meet_domain/parameter/default/state
Normal file
1
type/__jitsi_meet_domain/parameter/default/state
Normal file
|
@ -0,0 +1 @@
|
|||
present
|
|
@ -1,9 +1,13 @@
|
|||
analytics-settings
|
||||
channel-last-n
|
||||
default-language
|
||||
notice-message
|
||||
start-video-muted
|
||||
turn-server
|
||||
video-constraints
|
||||
branding-app-name
|
||||
branding-json
|
||||
branding-index
|
||||
branding-extra-body
|
||||
branding-watermark
|
||||
state
|
||||
|
|
|
@ -1406,7 +1406,7 @@ account_threepid_delegates:
|
|||
#
|
||||
# Does not apply to server administrators. Defaults to 'true'
|
||||
#
|
||||
#enable_set_displayname: false
|
||||
enable_set_displayname: ${ENABLE_SET_DISPLAYNAME:?}
|
||||
|
||||
# Whether users are allowed to change their avatar after it has been
|
||||
# initially set. Useful when provisioning users based on the contents
|
||||
|
@ -1421,7 +1421,7 @@ account_threepid_delegates:
|
|||
#
|
||||
# Defaults to 'true'
|
||||
#
|
||||
#enable_3pid_changes: false
|
||||
enable_3pid_changes: ${ENABLE_3PID_CHANGES:?}
|
||||
|
||||
# Users who register on this homeserver will automatically be joined
|
||||
# to these rooms.
|
||||
|
@ -2254,8 +2254,6 @@ password_config:
|
|||
# Uncomment to disable password login
|
||||
#
|
||||
#enabled: false
|
||||
enableed: ${ENABLE_PASSWORDCONFIG:?}
|
||||
|
||||
|
||||
# Uncomment to disable authentication against the local password
|
||||
# database. This is ignored if \`enabled\` is false, and is only useful
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
cdist-type__matrix_synapse(7)
|
||||
======================
|
||||
=============================
|
||||
|
||||
NAME
|
||||
----
|
||||
|
@ -8,7 +8,7 @@ cdist-type__matrix_synapse - Install and configure Synapse, a Matrix homeserver
|
|||
|
||||
DESCRIPTION
|
||||
-----------
|
||||
This type install and configure the Synapse Matrix homeserver. This is a
|
||||
This type installs and configures the Synapse Matrix homeserver. This is a
|
||||
signleton type.
|
||||
|
||||
|
||||
|
@ -52,13 +52,13 @@ ldap-base-dn
|
|||
Base DN of your LDAP tree.
|
||||
|
||||
ldap-uid-attribute
|
||||
LDAP attriute mapping to Synapse's uid field, default to uid.
|
||||
LDAP attribute mapping to Synapse's uid field, default to uid.
|
||||
|
||||
ldap-mail-attribute
|
||||
LDAP attriute mapping to Synapse's mail field, default to mail.
|
||||
LDAP attribute mapping to Synapse's mail field, default to mail.
|
||||
|
||||
ldap-name-attribute
|
||||
LDAP attriute mapping to Synapse's name field, default to givenName.
|
||||
LDAP attribute mapping to Synapse's name field, default to givenName.
|
||||
|
||||
ldap-bind-dn
|
||||
User used to authenticate against your LDAP server in 'search' mode.
|
||||
|
@ -81,7 +81,7 @@ smtp-host
|
|||
The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
|
||||
|
||||
smtp-port
|
||||
# The port on the mail server for outgoing SMTP. Defaults to 25.
|
||||
The port on the mail server for outgoing SMTP. Defaults to 25.
|
||||
|
||||
smtp-user
|
||||
Username for authentication to the SMTP server. By
|
||||
|
@ -162,6 +162,12 @@ rc-login-burst
|
|||
registration-allows-email-pattern
|
||||
Only allow email addresses matching specified filter. Can be specified multiple times. A pattern must look like `.*@vector\.im`.
|
||||
|
||||
disable-displayname-changes
|
||||
Whether users are allowed to change their displayname after it has been initially set.
|
||||
|
||||
disable-3pid-changes
|
||||
Whether users can change the 3PIDs associated with their accounts (email address and msisdn).
|
||||
|
||||
auto-join-room
|
||||
Room where newly-registered users are automatically added. Can be specified multiple times.
|
||||
|
||||
|
@ -286,11 +292,6 @@ worker-mode
|
|||
processes are called 'workers'. Please read the WORKER MODE section of this
|
||||
manpage before enabling, as extra work and considerations are required.
|
||||
|
||||
enable-passwordconfig
|
||||
For removing user/password tab on login screen.
|
||||
when it set saml2-login, it remove user/password tab on login-screen.
|
||||
default is true.
|
||||
|
||||
PERFORMANCE
|
||||
-----------
|
||||
|
||||
|
|
|
@ -169,7 +169,6 @@ fi
|
|||
# Registrations and users.
|
||||
ALLOW_GUEST_ACCESS=$(get_boolean_for 'allow-guest-access')
|
||||
ENABLE_REGISTRATIONS=$(get_boolean_for 'enable-registrations')
|
||||
ENABLE_PASSWORDCONFIG=$(get_boolean_for 'enable-passwordconfig')
|
||||
USER_DIRECTORY_SEARCH_ALL_USERS=$(get_boolean_for 'user-directory-search-all-users')
|
||||
export ALLOW_GUEST_ACCESS ENABLE_REGISTRATIONS USER_DIRECTORY_SEARCH_ALL_USERS
|
||||
|
||||
|
@ -182,6 +181,18 @@ if [ -f "$__object/parameter/registration-requires-email" ]; then
|
|||
export REGISTRATION_REQUIRES_EMAIL=1
|
||||
fi
|
||||
|
||||
ENABLE_SET_DISPLAYNAME='true'
|
||||
if [ -f "$__object/parameter/disable-displayname-changes" ]; then
|
||||
ENABLE_SET_DISPLAYNAME='false'
|
||||
fi
|
||||
export ENABLE_SET_DISPLAYNAME
|
||||
|
||||
ENABLE_3PID_CHANGES='true'
|
||||
if [ -f "$__object/parameter/disable-3pid-changes" ]; then
|
||||
ENABLE_3PID_CHANGES='false'
|
||||
fi
|
||||
export ENABLE_3PID_CHANGES
|
||||
|
||||
if [ -f "$__object/parameter/auto-join-room" ]; then
|
||||
AUTO_JOIN_ROOMS="$(cat "$__object/parameter/auto-join-room")"
|
||||
export AUTO_JOIN_ROOMS
|
||||
|
|
|
@ -18,4 +18,5 @@ enable-message-retention-policy
|
|||
worker-mode
|
||||
enable-url-preview
|
||||
enable-3pid-lookups
|
||||
enable-passwordconfig
|
||||
disable-3pid-changes
|
||||
disable-displayname-changes
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
true
|
|
@ -32,7 +32,7 @@ case "$os" in
|
|||
|
||||
require="$install_reqs" __start_on_boot nginx
|
||||
|
||||
export NGINX_SITEDIR="$nginx_confdir/conf.d"
|
||||
export NGINX_SITEDIR="$nginx_confdir/http.d"
|
||||
export NGINX_CERTDIR="$nginx_confdir/ssl"
|
||||
export NGINX_SNIPPETSDIR="$nginx_confdir/snippets"
|
||||
export NGINX_WEBROOT="/var/www"
|
||||
|
@ -158,6 +158,7 @@ for snippet in hsts 301-to-https; do
|
|||
done
|
||||
|
||||
# Install vhost.
|
||||
require="$install_reqs" __file "$NGINX_SITEDIR/$__object_id.conf" \
|
||||
require="$install_reqs" __directory "$NGINX_SITEDIR"
|
||||
require="__directory/$NGINX_SITEDIR" __file "$NGINX_SITEDIR/$__object_id.conf" \
|
||||
--source "$vhost_conf" \
|
||||
--mode 0644
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
#!/bin/sh -e
|
||||
# Generate an opendkim.conf(5) file for opendkim(8).
|
||||
|
||||
echo "# Managed remotely, manual changes will be lost."
|
||||
|
||||
# Optional chdir(2)
|
||||
if [ "$BASEDIR" ];
|
||||
|
@ -33,8 +34,8 @@ then
|
|||
fi
|
||||
|
||||
# Key and Domain tables
|
||||
echo 'KeyTable /etc/opendkim/KeyTable'
|
||||
echo 'SigningTable /etc/opendkim/SigningTable'
|
||||
echo "KeyTable ${CFG_DIR}/KeyTable"
|
||||
echo "SigningTable ${CFG_DIR}/SigningTable"
|
||||
|
||||
# Required socket to listen on
|
||||
printf "Socket %s\n" "${SOCKET:?}"
|
||||
|
|
|
@ -14,8 +14,8 @@ installation and basic configuration of an instance of OpenDKIM.
|
|||
Note that this type does not generate or ensure that a key is present: use
|
||||
`cdist-type__opendkim-genkey(7)` for that.
|
||||
|
||||
Note that this type is currently only implemented for Alpine Linux. Please
|
||||
contribute an implementation if you can.
|
||||
Note that this type is currently only implemented for Alpine Linux and FreeBSD.
|
||||
Please contribute an implementation if you can.
|
||||
|
||||
|
||||
REQUIRED PARAMETERS
|
||||
|
@ -41,20 +41,25 @@ subdomains
|
|||
umask
|
||||
Set the umask for the socket and PID file.
|
||||
|
||||
userid
|
||||
Change the user the opendkim program is to run as. By default, Alpine Linux's
|
||||
OpenRC service will set this to `opendkim` on the command-line.
|
||||
|
||||
custom-config
|
||||
The string following this parameter is appended as-is in the configuration, to
|
||||
enable more complex configurations.
|
||||
|
||||
|
||||
BOOLEAN PARAMETERS
|
||||
------------------
|
||||
syslog
|
||||
Log to syslog.
|
||||
|
||||
|
||||
DEPRECATED PARAMETERS
|
||||
---------------------
|
||||
userid
|
||||
Change the user the opendkim program is to run as.
|
||||
By default, Alpine Linux's OpenRC service will set this to `opendkim` on the
|
||||
command-line and FreeBSD's rc will set it to `mailnull`.
|
||||
|
||||
|
||||
EXAMPLES
|
||||
--------
|
||||
|
||||
|
@ -86,11 +91,12 @@ SEE ALSO
|
|||
AUTHORS
|
||||
-------
|
||||
Joachim Desroches <joachim.desroches@epfl.ch>
|
||||
Evilham <contact@evilham.com>
|
||||
|
||||
|
||||
COPYING
|
||||
-------
|
||||
Copyright \(C) 2021 Joachim Desroches. You can redistribute it
|
||||
Copyright \(C) 2022 Joachim Desroches, Evilham. You can redistribute it
|
||||
and/or modify it under the terms of the GNU General Public License as
|
||||
published by the Free Software Foundation, either version 3 of the
|
||||
License, or (at your option) any later version.
|
||||
|
|
|
@ -20,16 +20,24 @@
|
|||
|
||||
os=$(cat "${__global:?}/explorer/os")
|
||||
|
||||
CFG_DIR="/etc/opendkim"
|
||||
service="opendkim"
|
||||
case "$os" in
|
||||
'alpine')
|
||||
:
|
||||
;;
|
||||
'freebsd')
|
||||
CFG_DIR="/usr/local/etc/mail"
|
||||
service="milter-opendkim"
|
||||
start_service="milteropendkim"
|
||||
;;
|
||||
*)
|
||||
printf "__opendkim does not yet support %s.\n" "$os" >&2
|
||||
printf "Please contribute an implementation if you can.\n" >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
export CFG_DIR
|
||||
|
||||
__package opendkim
|
||||
|
||||
|
@ -68,7 +76,7 @@ fi
|
|||
|
||||
# Generate and deploy configuration file.
|
||||
source_file="${__object:?}/files/opendkim.conf"
|
||||
target_file="/etc/opendkim/opendkim.conf"
|
||||
target_file="${CFG_DIR}/opendkim.conf"
|
||||
|
||||
mkdir -p "${__object:?}/files"
|
||||
|
||||
|
@ -83,9 +91,26 @@ fi
|
|||
require="__package/opendkim" __file "$target_file" \
|
||||
--source "$source_file" --mode 0644
|
||||
|
||||
require="__package/opendkim" __start_on_boot opendkim
|
||||
# Due to the way rc.conf works on *BSD, we find ourselves in the awkward
|
||||
# situation, where a service's name can contain a '-' symbol, but the
|
||||
# rc.conf setting to enable a service at boot cannot.
|
||||
# Unless start_service has been defined before, these two match.
|
||||
require="__package/opendkim" __start_on_boot "${start_service:-${service}}"
|
||||
|
||||
require="__file${target_file}" \
|
||||
# Ensure Key and Signing tables exist and have proper permissions
|
||||
key_table="${CFG_DIR}/KeyTable"
|
||||
signing_table="${CFG_DIR}/SigningTable"
|
||||
|
||||
require="__package/opendkim" \
|
||||
__file "${key_table}" \
|
||||
--mode 444
|
||||
|
||||
require="__package/opendkim" \
|
||||
__file "${signing_table}" \
|
||||
--mode 444
|
||||
|
||||
require="__file${target_file} __file${key_table}
|
||||
__file${signing_table} __start_on_boot/${start_service:-${service}}" \
|
||||
__check_messages opendkim \
|
||||
--pattern "^__file${target_file}" \
|
||||
--execute "service opendkim restart"
|
||||
--execute "service ${service} restart"
|
||||
|
|
2
type/__opendkim/parameter/deprecated/userid
Normal file
2
type/__opendkim/parameter/deprecated/userid
Normal file
|
@ -0,0 +1,2 @@
|
|||
This can cause inconsistencies with permissions and will stop being supported.
|
||||
If you still need this, you can use --custom-config 'UserId $USERID'.
|
32
type/__opendkim_genkey/explorer/key-state
Executable file
32
type/__opendkim_genkey/explorer/key-state
Executable file
|
@ -0,0 +1,32 @@
|
|||
#!/bin/sh -e
|
||||
DIRECTORY="/var/db/dkim/"
|
||||
if [ -f "${__object:?}/parameter/directory" ];
|
||||
then
|
||||
# Be forgiving about a lack of trailing slash
|
||||
DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")"
|
||||
fi
|
||||
|
||||
|
||||
KEY_ID="$(echo "${__object_id:?)}" | tr '/' '_')"
|
||||
DEFAULT_PATH="${DIRECTORY:?}${KEY_ID:?}.private"
|
||||
if [ -s "${DEFAULT_PATH}" ]; then
|
||||
# This is the main location for the key
|
||||
FOUND_PATH="${DEFAULT_PATH}"
|
||||
else
|
||||
# This is a backwards-compatible location for the key
|
||||
# Keys generated post March 2022 should not land here
|
||||
if [ -f "${__object:?}/parameter/selector" ]; then
|
||||
SELECTOR="$(cat "${__object:?}/parameter/selector")"
|
||||
if [ -s "${DIRECTORY}${SELECTOR:?}.private" ]; then
|
||||
FOUND_PATH="${DIRECTORY}${SELECTOR:?}.private"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -n "${FOUND_PATH}" ]; then
|
||||
printf "present\t%s" "${FOUND_PATH}"
|
||||
else
|
||||
# We didn't find the key
|
||||
# We pass the default path here, to easen logic in the rest of the type
|
||||
printf "absent\t%s" "${DEFAULT_PATH}"
|
||||
fi
|
|
@ -19,8 +19,8 @@
|
|||
#
|
||||
|
||||
# Required parameters
|
||||
DOMAIN="$(cat "${__object:?}/parameter/domain")"
|
||||
SELECTOR="$(cat "${__object:?}/parameter/selector")"
|
||||
DOMAIN="$(cat "${__object:?}/domain")"
|
||||
SELECTOR="$(cat "${__object:?}/selector")"
|
||||
|
||||
# Optional parameters
|
||||
BITS=
|
||||
|
@ -28,11 +28,6 @@ if [ -f "${__object:?}/parameter/bits" ]; then
|
|||
BITS="-b $(cat "${__object:?}/parameter/bits")"
|
||||
fi
|
||||
|
||||
DIRECTORY="/var/db/dkim/"
|
||||
if [ -f "${__object:?}/parameter/directory" ]; then
|
||||
DIRECTORY="$(cat "${__object:?}/parameter/directory")"
|
||||
fi
|
||||
|
||||
# Boolean parameters
|
||||
SUBDOMAINS=
|
||||
if [ -f "${__object:?}/parameter/no-subdomains" ]; then
|
||||
|
@ -44,7 +39,27 @@ if [ -f "${__object:?}/parameters/unrestricted" ]; then
|
|||
RESTRICTED=
|
||||
fi
|
||||
|
||||
if ! [ -f "${DIRECTORY}${SELECTOR}.private" ]; then
|
||||
echo "opendkim-genkey $BITS --domain=$DOMAIN --directory=$DIRECTORY $RESTRICTED --selector=$SELECTOR $SUBDOMAINS"
|
||||
echo "chown opendkim:opendkim ${DIRECTORY}${SELECTOR}.private"
|
||||
user="$(cat "${__object:?}/user")"
|
||||
group="$(cat "${__object:?}/group")"
|
||||
|
||||
KEY_STATE="$(cut -f 1 "${__object:?}/explorer/key-state")"
|
||||
KEY_LOCATION="$(cut -f 2- "${__object:?}/explorer/key-state")"
|
||||
|
||||
if [ "${KEY_STATE:?}" = "absent" ]; then
|
||||
# opendkim-genkey(8) does not allow specifying the file name.
|
||||
# To err on the safe side (and avoid potentially killing other keys)
|
||||
# we operate on a temporary directory first, then move the resulting key
|
||||
cat <<-EOF
|
||||
tmp_dir="\$(mktemp -d cdist-dkim.XXXXXXXXXXX)"
|
||||
opendkim-genkey $BITS --domain=${DOMAIN:?} --directory=\${tmp_dir:?} $RESTRICTED --selector=${SELECTOR:?} $SUBDOMAINS
|
||||
# Relocate and ensure permissions
|
||||
mv "\${tmp_dir:?}/${SELECTOR:?}.private" '${KEY_LOCATION:?}'
|
||||
chown ${user}:${group} '${KEY_LOCATION}'
|
||||
chmod 0600 '${KEY_LOCATION}'
|
||||
# This is usually generated, if it weren't we do not want to fail
|
||||
mv "\${tmp_dir:?}/${SELECTOR:?}.txt" '${KEY_LOCATION%.private}.txt' || true
|
||||
chown ${user}:${group} '${KEY_LOCATION%.private}.txt' || true
|
||||
# Cleanup after ourselves
|
||||
rmdir "\${tmp_dir:?}" || true
|
||||
EOF
|
||||
fi
|
||||
|
|
|
@ -10,23 +10,27 @@ DESCRIPTION
|
|||
-----------
|
||||
|
||||
This type uses the `opendkim-genkey(8)` to generate signing keys suitable for
|
||||
usage by `opendkim(8)` to sign outgoing emails. Then, a line with the domain,
|
||||
selector and keyname in the `$selector._domainkey.$domain` format will be added
|
||||
to the OpenDKIM key table located at `/etc/opendkim/KeyTable`. Finally, a line
|
||||
will be added to the OpenDKIM signing table, using either the domain or the
|
||||
provided key for the `domain:selector:keyfile` value in the table. An existing
|
||||
key will not be overwritten.
|
||||
usage by `opendkim(8)` to sign outgoing emails.
|
||||
|
||||
Currently, this type is only implemented for Alpine Linux. Please contribute an
|
||||
implementation if you can.
|
||||
It also manages the key, identified by its `$__object_id` in OpenDKIM's
|
||||
KeyTable and sets its `s=` and `d=` parameters (see: `--selector` and
|
||||
`--sigdomain` respectively).
|
||||
|
||||
REQUIRED PARAMETERS
|
||||
-------------------
|
||||
domain
|
||||
The domain to generate the key for.
|
||||
This type will also manage the entries in the OpenDKIM's SigningTable by
|
||||
associating any given `sigkey` values to this key.
|
||||
|
||||
selector
|
||||
The DKIM selector to generate the key for.
|
||||
Take into account that if you use this type without the `--domain` and
|
||||
`--selector` parameters, the `$__object_id` must be in form `$domain/$selector`.
|
||||
|
||||
Currently, this type is only implemented for Alpine Linux and FreeBSD.
|
||||
Please contribute an implementation if you can.
|
||||
|
||||
NOTE: the name of the key file under `--directory` will default to
|
||||
`$__object_id.private`, but if that fails and `--selector` is used,
|
||||
`SELECTOR.private` will be considered.
|
||||
Take care when using unrelated keys that might collide this way.
|
||||
For more information see:
|
||||
https://code.ungleich.ch/ungleich-public/cdist-contrib/issues/20
|
||||
|
||||
|
||||
OPTIONAL PARAMETERS
|
||||
|
@ -38,10 +42,36 @@ bits
|
|||
directory
|
||||
The directory in which to generate the key, `/var/db/dkim/` by default.
|
||||
|
||||
domain
|
||||
The domain to generate the key for.
|
||||
If omitted, `--selector` must be omitted as well and `$__object_id` must be
|
||||
in form: `$domain/$selector`.
|
||||
|
||||
selector
|
||||
The DKIM selector to generate the key for.
|
||||
If omitted, `--domain` must be omitted as well and `$__object_id` must be
|
||||
in form: `$domain/$selector`.
|
||||
|
||||
sigdomain
|
||||
Specified in the KeyTable, the domain to use in the signature's "d=" value.
|
||||
Defaults to the specified domain. If `%`, it will be replaced by the apparent
|
||||
domain of the sender when generating a signature.
|
||||
Note you probably don't want to set both `--sigdomain` and `--sigkey` to `%`.
|
||||
See `KeyTable` in `opendkim.conf(5)` for more information.
|
||||
|
||||
|
||||
OPTIONAL MULTIPLE PARAMETERS
|
||||
----------------------------
|
||||
sigkey
|
||||
The key used in the SigningTable for this signing key. Defaults to the
|
||||
The key used in the `SigningTable` for this signing key. Defaults to the
|
||||
specified domain. If `%`, OpenDKIM will replace it with the domain found
|
||||
in the `From:` header. See `opendkim.conf(5)` for more options.
|
||||
Note you probably don't want to set both `--sigdomain` and `--sigkey` to `%`.
|
||||
This can be passed multiple times, resulting in multiple lines in the
|
||||
SigningTable, which can be used to support signing of subdomains or multiple
|
||||
domains with the same key; in that case, you probably want to set
|
||||
`--sigdomain` to `%`, else the domains will not be aligned.
|
||||
|
||||
|
||||
BOOLEAN PARAMETERS
|
||||
------------------
|
||||
|
@ -57,6 +87,7 @@ EXAMPLES
|
|||
|
||||
.. code-block:: sh
|
||||
|
||||
# Setup the OpenDKIM service
|
||||
__opendkim \
|
||||
--socket inet:8891@localhost \
|
||||
--basedir /var/lib/opendkim \
|
||||
|
@ -65,14 +96,24 @@ EXAMPLES
|
|||
--umask 002 \
|
||||
--syslog
|
||||
|
||||
require='__opendkim' \
|
||||
# Continue only after the service has been set up
|
||||
export require="__opendkim"
|
||||
|
||||
# Generate a key for 'example.com' with selector 'default'
|
||||
__opendkim_genkey default \
|
||||
--domain example.com \
|
||||
--selector default
|
||||
|
||||
__opendkim_genkey myfoo \
|
||||
--domain foo.com \
|
||||
--selector backup
|
||||
# Generate a key for 'foo.com' with selector 'backup'
|
||||
__opendkim_genkey 'foo.com/backup'
|
||||
|
||||
# Generate a key for 'example.org' with selector 'main'
|
||||
# that can also sign 'cdi.st' and subdomains of 'example.org'
|
||||
__opendkim_genkey 'example.org/main' \
|
||||
--sigdomain '%' \
|
||||
--sigkey 'example.org' \
|
||||
--sigkey '.example.org' \
|
||||
--sigkey 'cdi.st'
|
||||
|
||||
|
||||
SEE ALSO
|
||||
|
@ -85,11 +126,12 @@ SEE ALSO
|
|||
AUTHORS
|
||||
-------
|
||||
Joachim Desroches <joachim.desroches@epfl.ch>
|
||||
Evilham <contact@evilham.com>
|
||||
|
||||
|
||||
COPYING
|
||||
-------
|
||||
Copyright \(C) 2021 Joachim Desroches. You can redistribute it
|
||||
Copyright \(C) 2022 Joachim Desroches, Evilham. You can redistribute it
|
||||
and/or modify it under the terms of the GNU General Public License as
|
||||
published by the Free Software Foundation, either version 3 of the
|
||||
License, or (at your option) any later version.
|
||||
|
|
|
@ -21,25 +21,68 @@
|
|||
|
||||
os=$(cat "${__global:?}/explorer/os")
|
||||
|
||||
CFG_DIR="/etc/opendkim"
|
||||
user="opendkim"
|
||||
group="opendkim"
|
||||
case "$os" in
|
||||
'alpine')
|
||||
:
|
||||
;;
|
||||
'freebsd')
|
||||
CFG_DIR="/usr/local/etc/mail"
|
||||
user="mailnull"
|
||||
group="mailnull"
|
||||
;;
|
||||
*)
|
||||
cat <<- EOF >&2
|
||||
__opendkim_genkey currently only supports Alpine Linux. Please
|
||||
contribute an implementation for $os if you can.
|
||||
__opendkim_genkey currently only supports Alpine Linux and FreeBSD.
|
||||
Please contribute an implementation for $os if you can.
|
||||
EOF
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
SELECTOR="$(cat "${__object:?}/parameter/selector")"
|
||||
DOMAIN="$(cat "${__object:?}/parameter/domain")"
|
||||
# Logic to simplify the type as documented in
|
||||
# https://code.ungleich.ch/ungleich-public/cdist-contrib/issues/20#issuecomment-14711
|
||||
DOMAIN="$(cat "${__object:?}/parameter/domain" 2>/dev/null || true)"
|
||||
SELECTOR="$(cat "${__object:?}/parameter/selector" 2>/dev/null || true)"
|
||||
if [ -z "${DOMAIN}${SELECTOR}" ]; then
|
||||
# Neither SELECTOR nor DOMAIN were passed, try to use __object_id
|
||||
if echo "${__object_id:?}" | \
|
||||
grep -qE '^[^/[:space:]]+/[^/[:space:]]+$'; then
|
||||
# __object_id matches, let's get the data
|
||||
DOMAIN="$(echo "${__object_id:?}" | cut -d '/' -f 1)"
|
||||
SELECTOR="$(echo "${__object_id:?}" | cut -d '/' -f 2)"
|
||||
else
|
||||
# It doesn't match the pattern, this is sad
|
||||
cat <<- EOF >&2
|
||||
The arguments --domain and --selector were not used.
|
||||
So __object_id must match DOMAIN/SELECTOR.
|
||||
But instead the type got: ${__object_id:?}
|
||||
EOF
|
||||
exit 1
|
||||
fi
|
||||
elif [ -z "${DOMAIN}" ] || [ -z "${SELECTOR}" ]; then
|
||||
# Only one was passed, this is sad :-(
|
||||
cat <<- EOF >&2
|
||||
You must pass either both --selector and --domain or none of them.
|
||||
If these arguments are absent, __object_id must match: DOMAIN/SELECTOR.
|
||||
EOF
|
||||
exit 1
|
||||
# else: both were passed
|
||||
fi
|
||||
|
||||
# Persist data for gencode-remote
|
||||
printf '%s' "${user:?}" > "${__object:?}/user"
|
||||
printf '%s' "${group:?}" > "${__object:?}/group"
|
||||
printf '%s' "${DOMAIN:?}" > "${__object:?}/domain"
|
||||
printf '%s' "${SELECTOR:?}" > "${__object:?}/selector"
|
||||
|
||||
DIRECTORY="/var/db/dkim/"
|
||||
if [ -f "${__object:?}/parameter/directory" ];
|
||||
then
|
||||
DIRECTORY="$(cat "${__object:?}/parameter/directory")"
|
||||
# Be forgiving about a lack of trailing slash
|
||||
DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")"
|
||||
fi
|
||||
|
||||
SIGKEY="${DOMAIN:?}"
|
||||
|
@ -47,20 +90,50 @@ if [ -f "${__object:?}/parameter/sigkey" ];
|
|||
then
|
||||
SIGKEY="$(cat "${__object:?}/parameter/sigkey")"
|
||||
fi
|
||||
SIGDOMAIN="${DOMAIN:?}"
|
||||
if [ -f "${__object:?}/parameter/sigdomain" ];
|
||||
then
|
||||
SIGDOMAIN="$(cat "${__object:?}/parameter/sigdomain")"
|
||||
fi
|
||||
|
||||
# Ensure the key-container directory exists with the proper permissions
|
||||
__directory "${DIRECTORY}" \
|
||||
--mode 0750 \
|
||||
--owner "${user}" --group "${group}"
|
||||
|
||||
# OS-specific code
|
||||
case "$os" in
|
||||
'alpine')
|
||||
# This is needed for opendkim-genkey
|
||||
__package opendkim-utils
|
||||
;;
|
||||
esac
|
||||
|
||||
require='__package/opendkim-utils' \
|
||||
__file /etc/opendkim/KeyTable
|
||||
require='__package/opendkim-utils' \
|
||||
__file /etc/opendkim/SigningTable
|
||||
key_table="${CFG_DIR}/KeyTable"
|
||||
signing_table="${CFG_DIR}/SigningTable"
|
||||
|
||||
require='__file/etc/opendkim/KeyTable' \
|
||||
__line "line-key-${__object_id:?}" \
|
||||
--file /etc/opendkim/KeyTable \
|
||||
--line "${SELECTOR:?}._domainkey.${DOMAIN:?} ${DOMAIN:?}:${SELECTOR:?}:${DIRECTORY:?}${SELECTOR:?}.private"
|
||||
KEY_STATE="$(cut -f 1 "${__object:?}/explorer/key-state")"
|
||||
KEY_LOCATION="$(cut -f 2- "${__object:?}/explorer/key-state")"
|
||||
|
||||
require='__file/etc/opendkim/SigningTable' \
|
||||
__line "line-sig-${__object_id:?}" \
|
||||
--file /etc/opendkim/SigningTable \
|
||||
--line "${SIGKEY:?} ${SELECTOR:?}._domainkey.${DOMAIN:?}"
|
||||
__line "__opendkim_genkey/${__object_id:?}" \
|
||||
--file "${key_table}" \
|
||||
--line "${__object_id:?} ${SIGDOMAIN:?}:${SELECTOR:?}:${KEY_LOCATION:?}" \
|
||||
--regex "^${__object_id:?}[[:space:]]" \
|
||||
--state 'replace'
|
||||
|
||||
sigtable_block() {
|
||||
for sigkey in ${SIGKEY:?}; do
|
||||
echo "${sigkey:?} ${__object_id:?}"
|
||||
done
|
||||
}
|
||||
__block "__opendkim_genkey/${__object_id:?}" \
|
||||
--file "${signing_table}" \
|
||||
--text "$(sigtable_block)"
|
||||
|
||||
if [ "${KEY_STATE:?}" = "present" ]; then
|
||||
# Ensure proper permissions for the key file
|
||||
__file "${KEY_LOCATION}" \
|
||||
--owner "${user}" \
|
||||
--group "${group}" \
|
||||
--mode 0600
|
||||
fi
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
bits
|
||||
directory
|
||||
domain
|
||||
unrestricted
|
||||
sigkey
|
||||
selector
|
||||
sigdomain
|
||||
|
|
1
type/__opendkim_genkey/parameter/optional_multiple
Normal file
1
type/__opendkim_genkey/parameter/optional_multiple
Normal file
|
@ -0,0 +1 @@
|
|||
sigkey
|
|
@ -1,2 +0,0 @@
|
|||
domain
|
||||
selector
|
45
type/__php_fpm/files/php.ini.sh
Executable file
45
type/__php_fpm/files/php.ini.sh
Executable file
|
@ -0,0 +1,45 @@
|
|||
#!/bin/sh
|
||||
|
||||
cat <<EOF
|
||||
; This file is managed by cdist, and has been shortened for readability.
|
||||
; The fine manual is at http://php.net/configuration.file.
|
||||
|
||||
[PHP]
|
||||
|
||||
; Production recommended defaults
|
||||
display_errors = Off
|
||||
display_startup_errors = Off
|
||||
enable_dl = Off
|
||||
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
|
||||
log_errors = On
|
||||
output_buffering = 4096
|
||||
register_argc_argv = Off
|
||||
request_order = "GP"
|
||||
short_open_tag = Off
|
||||
variables_order = "GPCS"
|
||||
zend.assertions = -1
|
||||
|
||||
; Local custom variations
|
||||
include_path = ".:${PHP_INCLUDEDIR}"
|
||||
memory_limit = ${MEMORY_LIMIT:?}
|
||||
post_max_size = ${UPLOAD_MAX_FILESIZE:?}
|
||||
upload_max_filesize = ${UPLOAD_MAX_FILESIZE:?}
|
||||
|
||||
EOF
|
||||
|
||||
if [ -f "${__object:?}/parameter/enable-opcache" ]; then
|
||||
cat <<-EOF
|
||||
; opcache enabled by type flag
|
||||
opcache.enable=1
|
||||
opcache.enable_cli=1
|
||||
EOF
|
||||
fi
|
||||
|
||||
if [ -f "${__object:?}/parameter/enable-apcu" ]; then
|
||||
cat <<-EOF
|
||||
; acpu enabled by type flag
|
||||
apc.enabled=1
|
||||
apc.enable_cli=1
|
||||
apc.shm_size=512M
|
||||
EOF
|
||||
fi
|
74
type/__php_fpm/man.rst
Normal file
74
type/__php_fpm/man.rst
Normal file
|
@ -0,0 +1,74 @@
|
|||
cdist-type__php_fpm(7)
|
||||
======================
|
||||
|
||||
NAME
|
||||
----
|
||||
cdist-type__php_fpm - Setup and configure PHP-FPM
|
||||
|
||||
|
||||
DESCRIPTION
|
||||
-----------
|
||||
This type installs and configures PHP-FPM for a given version of PHP. It is
|
||||
expected to be used in combination with cdist-type__php_fpm_pool, which
|
||||
configures specific pools.
|
||||
|
||||
This type supports Debian, Ubuntu and Alpine Linux.
|
||||
|
||||
REQUIRED PARAMETERS
|
||||
-------------------
|
||||
php-version
|
||||
The PHP version for which the type is working. Will impact installed
|
||||
packages, configuration files, &c
|
||||
|
||||
|
||||
OPTIONAL PARAMETERS
|
||||
-------------------
|
||||
memory-limit
|
||||
The system-wide memory limit for PHP-FPM. Can be overriden per-pool.
|
||||
Default is 512M.
|
||||
|
||||
upload-max-filesize
|
||||
The maximum filesize accepted by PHP-FPM for file uploads. Default is
|
||||
2M.
|
||||
|
||||
BOOLEAN PARAMETERS
|
||||
------------------
|
||||
enable-opcache
|
||||
Enable PHP opcache.
|
||||
|
||||
enable-apcu
|
||||
Enable PHP APCu.
|
||||
|
||||
|
||||
EXAMPLES
|
||||
--------
|
||||
|
||||
.. code-block:: sh
|
||||
|
||||
# Dead simple setup
|
||||
__php_fpm --php-version 8.1
|
||||
|
||||
# Custom setup
|
||||
__php_fpm \
|
||||
--php-version 8.1 \
|
||||
--memory-limit 768M \
|
||||
--upload-max-filesize 200M \
|
||||
--enable-opcache \
|
||||
--enable-apcu
|
||||
|
||||
SEE ALSO
|
||||
--------
|
||||
cdist-type__php_fpm_pool(7)
|
||||
|
||||
|
||||
AUTHORS
|
||||
-------
|
||||
Joachim Desroches <joachim.desroches@epfl.ch>
|
||||
|
||||
|
||||
COPYING
|
||||
-------
|
||||
Copyright \(C) 2022 Joachim Desroches. You can redistribute it
|
||||
and/or modify it under the terms of the GNU General Public License as
|
||||
published by the Free Software Foundation, either version 3 of the
|
||||
License, or (at your option) any later version.
|
68
type/__php_fpm/manifest
Normal file
68
type/__php_fpm/manifest
Normal file
|
@ -0,0 +1,68 @@
|
|||
#!/bin/sh
|
||||
|
||||
os=$(cat "${__global:?}/explorer/os")
|
||||
|
||||
PHPVER=$(cat "${__object:?}/parameter/php-version")
|
||||
export PHPVER
|
||||
|
||||
case "$os" in
|
||||
'alpine')
|
||||
# Alpine packages looks like php81-fpm - we make sure to remove dots from user
|
||||
# input.
|
||||
PHPVER=$(echo "$PHPVER" | tr -d '.')
|
||||
|
||||
package="php${PHPVER}-fpm"
|
||||
opcache_package="php${PHPVER}-opcache"
|
||||
apcu_package="php${PHPVER}-pecl-apcu"
|
||||
|
||||
service="php-fpm${PHPVER}"
|
||||
php_confdir="/etc/php${PHPVER}"
|
||||
php_ini="${php_confdir:?}/php.ini"
|
||||
|
||||
PHP_INCLUDEDIR="/usr/share/php${PHPVER:?}"
|
||||
export PHP_INCLUDEDIR
|
||||
;;
|
||||
'debian'|'ubuntu')
|
||||
package="php${PHPVER}-fpm"
|
||||
opcache_package="php${PHPVER}-opcache"
|
||||
apcu_package="php${PHPVER}-apcu"
|
||||
|
||||
service="php${PHPVER}-fpm"
|
||||
php_confdir="/etc/php/${PHPVER}"
|
||||
php_ini="${php_confdir:?}/fpm/php.ini"
|
||||
|
||||
PHP_INCLUDEDIR="/usr/share/php/${PHPVER:?}"
|
||||
export PHP_INCLUDEDIR
|
||||
;;
|
||||
*)
|
||||
printf "Your operating system is currently not supported by this type\n" >&2
|
||||
printf "Please contribute an implementation for it if you can.\n" >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
__package "$package"
|
||||
require="__package/$package" __start_on_boot "$service"
|
||||
|
||||
if [ -f "${__object:?}/parameter/enable-opcache" ]; then
|
||||
__package "$opcache_package"
|
||||
fi
|
||||
|
||||
if [ -f "${__object:?}/parameter/enable-apcu" ]; then
|
||||
__package "$apcu_package"
|
||||
fi
|
||||
|
||||
MEMORY_LIMIT=$(cat "${__object:?}/parameter/memory-limit")
|
||||
export MEMORY_LIMIT
|
||||
|
||||
UPLOAD_MAX_FILESIZE=$(cat "${__object:?}/parameter/upload-max-filesize")
|
||||
export UPLOAD_MAX_FILESIZE
|
||||
|
||||
mkdir -p "${__object:?}/files"
|
||||
"${__type:?}/files/php.ini.sh" >"${__object:?}/files/php.ini"
|
||||
|
||||
require="__package/$package" __file "${php_ini:?}" \
|
||||
--mode 644 --source "${__object:?}/files/php.ini" \
|
||||
--onchange "service $service restart"
|
||||
|
||||
require="__file/${php_ini:?}" __service "$service" --action start
|
2
type/__php_fpm/parameter/boolean
Normal file
2
type/__php_fpm/parameter/boolean
Normal file
|
@ -0,0 +1,2 @@
|
|||
enable-opcache
|
||||
enable-apcu
|
1
type/__php_fpm/parameter/default/memory-limit
Normal file
1
type/__php_fpm/parameter/default/memory-limit
Normal file
|
@ -0,0 +1 @@
|
|||
512M
|
1
type/__php_fpm/parameter/default/upload-max-filesize
Normal file
1
type/__php_fpm/parameter/default/upload-max-filesize
Normal file
|
@ -0,0 +1 @@
|
|||
2M
|
2
type/__php_fpm/parameter/optional
Normal file
2
type/__php_fpm/parameter/optional
Normal file
|
@ -0,0 +1,2 @@
|
|||
upload-max-filesize
|
||||
memory-limit
|
1
type/__php_fpm/parameter/required
Normal file
1
type/__php_fpm/parameter/required
Normal file
|
@ -0,0 +1 @@
|
|||
php-version
|
0
type/__php_fpm/singleton
Normal file
0
type/__php_fpm/singleton
Normal file
34
type/__php_fpm_pool/files/www.conf.sh
Executable file
34
type/__php_fpm_pool/files/www.conf.sh
Executable file
|
@ -0,0 +1,34 @@
|
|||
#!/bin/sh
|
||||
|
||||
cat <<EOF
|
||||
; PHP-FPM configuration file for $POOL_NAME, PHP version $PHPVER.
|
||||
; This file is managed by cdist, do not edit by hand!
|
||||
[$POOL_NAME]
|
||||
|
||||
; Local non-default configuration
|
||||
user = $POOL_USER
|
||||
group = $POOL_GROUP
|
||||
listen = $POOL_LISTEN_ADDR
|
||||
listen.owner = $POOL_LISTEN_OWNER
|
||||
|
||||
; Mandatory configuration options with default production values
|
||||
pm = dynamic
|
||||
pm.max_children = 10
|
||||
pm.min_spare_servers = 1
|
||||
pm.max_spare_servers = 3
|
||||
|
||||
env[HOSTNAME] = \$HOSTNAME
|
||||
env[PATH] = /usr/local/bin:/usr/bin:/bin
|
||||
env[TMP] = /tmp
|
||||
env[TMPDIR] = /tmp
|
||||
env[TEMP] = /tmp
|
||||
|
||||
EOF
|
||||
|
||||
if [ -f "${__object:?}/parameter/memory-limit" ]; then
|
||||
echo "php_admin_value[memory_limit] = $(cat "$__object/parameter/memory-limit")"
|
||||
fi
|
||||
|
||||
if [ -f "${__object:?}/parameter/open-basedir" ]; then
|
||||
echo "php_admin_value[open_basedir] = $(cat "${__object:?}/parameter/open-basedir")"
|
||||
fi
|
79
type/__php_fpm_pool/man.rst
Normal file
79
type/__php_fpm_pool/man.rst
Normal file
|
@ -0,0 +1,79 @@
|
|||
cdist-type__php_fpm_pool(7)
|
||||
===========================
|
||||
|
||||
NAME
|
||||
----
|
||||
cdist-type__php_fpm_pool - Setup and configure a PHP-FPM pool
|
||||
|
||||
|
||||
DESCRIPTION
|
||||
-----------
|
||||
|
||||
This type configures a pool named after the `__object_id` for a specified PHP
|
||||
version. Note that this types expects a same-version cdist-type__php_fpm type
|
||||
to have been run first: the user is responsible for doing so.
|
||||
|
||||
This type supports Debian, Ubuntu and Alpine Linux.
|
||||
|
||||
|
||||
REQUIRED PARAMETERS
|
||||
-------------------
|
||||
php-version
|
||||
The PHP version for which the type is working. Will impact installed
|
||||
packages, configuration files, &c
|
||||
|
||||
pool-user
|
||||
The local user under which the pool processes should run.
|
||||
|
||||
pool-group
|
||||
The local group under which the pool processes should run.
|
||||
|
||||
pool-listen-addr
|
||||
The socket or address to which the pool should bind for listening.
|
||||
|
||||
pool-listen-owner
|
||||
The owner of the socket if a socket is used.
|
||||
|
||||
OPTIONAL PARAMETERS
|
||||
-------------------
|
||||
memory-limit
|
||||
The pool memory limit for PHP-FPM. Will default to the setting in the
|
||||
system-wide php.ini file.
|
||||
|
||||
openbasedir
|
||||
Limit the files that can be accessed by PHP to the specified
|
||||
directory-tree, including the file itself.
|
||||
|
||||
EXAMPLES
|
||||
--------
|
||||
|
||||
.. code-block:: sh
|
||||
|
||||
# Setup PHP-FPM
|
||||
__php_fpm --php-version 8
|
||||
|
||||
# Setup the pool
|
||||
__php_fpm_pool www \
|
||||
--php-version 8 \
|
||||
--pool-user nextcloud \
|
||||
--pool-group www-data \
|
||||
--pool-listen-addr "/run/php8/php-fpm.sock" \
|
||||
--pool-listen-owner nginx \
|
||||
--memory-limit 1G
|
||||
|
||||
SEE ALSO
|
||||
--------
|
||||
cdist-type__php_fpm(7)
|
||||
|
||||
|
||||
AUTHORS
|
||||
-------
|
||||
Joachim Desroches <joachim.desroches@epfl.ch>
|
||||
|
||||
|
||||
COPYING
|
||||
-------
|
||||
Copyright \(C) 2022 Joachim Desroches. You can redistribute it
|
||||
and/or modify it under the terms of the GNU General Public License as
|
||||
published by the Free Software Foundation, either version 3 of the
|
||||
License, or (at your option) any later version.
|
40
type/__php_fpm_pool/manifest
Normal file
40
type/__php_fpm_pool/manifest
Normal file
|
@ -0,0 +1,40 @@
|
|||
#!/bin/sh
|
||||
|
||||
os=$(cat "${__global:?}/explorer/os")
|
||||
name=${__object_id:?}
|
||||
|
||||
PHPVER=$(cat "${__object:?}/parameter/php-version")
|
||||
export PHPVER
|
||||
|
||||
case "$os" in
|
||||
'alpine')
|
||||
PHPVER=$(echo "$PHP_VERSION" | tr -d '.')
|
||||
service="php-fpm${PHPVER}"
|
||||
php_confdir="/etc/php${PHPVER}"
|
||||
php_pooldir="${php_confdir:?}/php-fpm.d"
|
||||
;;
|
||||
'debian'|'ubuntu')
|
||||
service="php${PHPVER}-fpm"
|
||||
php_confdir="/etc/php/${PHPVER}"
|
||||
php_pooldir="${php_confdir:?}/fpm/pool.d"
|
||||
;;
|
||||
*)
|
||||
printf "Your operating system is currently not supported by this type\n" >&2
|
||||
printf "Please contribute an implementation for it if you can.\n" >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
POOL_NAME="$name"
|
||||
POOL_USER=$(cat "${__object:?}/parameter/pool-user")
|
||||
POOL_GROUP=$(cat "${__object:?}/parameter/pool-group")
|
||||
POOL_LISTEN_ADDR=$(cat "${__object:?}/parameter/pool-listen-addr")
|
||||
POOL_LISTEN_OWNER=$(cat "${__object:?}/parameter/pool-listen-owner")
|
||||
export POOL_USER POOL_GROUP POOL_LISTEN_ADDR POOL_LISTEN_OWNER POOL_NAME
|
||||
|
||||
mkdir -p "${__object:?}/files"
|
||||
"${__type:?}/files/www.conf.sh" >"${__object:?}/files/www.conf"
|
||||
|
||||
__file "${php_pooldir:?}/${name}.conf" \
|
||||
--mode 644 --source "${__object:?}/files/www.conf" \
|
||||
--onchange "service $service reload"
|
2
type/__php_fpm_pool/parameter/optional
Normal file
2
type/__php_fpm_pool/parameter/optional
Normal file
|
@ -0,0 +1,2 @@
|
|||
memory-limit
|
||||
open-basedir
|
5
type/__php_fpm_pool/parameter/required
Normal file
5
type/__php_fpm_pool/parameter/required
Normal file
|
@ -0,0 +1,5 @@
|
|||
php-version
|
||||
pool-user
|
||||
pool-group
|
||||
pool-listen-addr
|
||||
pool-listen-owner
|
|
@ -6,7 +6,14 @@ os="$(cat "${__global}/explorer/os")"
|
|||
case "${os}" in
|
||||
debian|devuan)
|
||||
# zero-config sysvinit and systemd compatibility
|
||||
__package runit-run
|
||||
os_version="$(cat "${__global}/explorer/os_version")"
|
||||
debian_package="runit-run"
|
||||
case "${os_version}" in
|
||||
beowulf)
|
||||
debian_package="runit"
|
||||
;;
|
||||
esac
|
||||
__package "${debian_package}"
|
||||
;;
|
||||
freebsd)
|
||||
__key_value \
|
||||
|
|
|
@ -33,18 +33,25 @@ if [ "${state}" != "present" ]; then
|
|||
exit
|
||||
fi
|
||||
|
||||
# Setup run file
|
||||
__file --state "${state}" --mode 0550 --source "${source}" \
|
||||
--onchange "sv restart '${sv}' || true" \
|
||||
"${run_file}"
|
||||
export require="${require} __file${run_file}"
|
||||
|
||||
if [ -f "${__object}/parameter/log" ]; then
|
||||
# Setup logger if requested
|
||||
__directory --parents "${svdir}/${sv}/log/main"
|
||||
export require="${require} __directory${svdir}/${sv}/log/main"
|
||||
logdir="/var/log/runit"
|
||||
__directory --parents "${svdir}/${sv}/log"
|
||||
__directory --state absent "${svdir}/${sv}/log/main" # Remove lingering old fashioned log
|
||||
__directory --parents "${logdir}/${sv}"
|
||||
export require="${require} __directory${svdir}/${sv}/log __directory${logdir}/${sv}"
|
||||
__file "${svdir}/${sv}/log/run" \
|
||||
--state "${state}" \
|
||||
--mode 0755 \
|
||||
--onchange "sv restart '${sv}/log' || true" \
|
||||
--source "-" <<EOF
|
||||
#!/bin/sh
|
||||
exec svlogd -tt ./main
|
||||
exec svlogd -tt '${logdir}/${sv}'
|
||||
EOF
|
||||
fi
|
||||
|
||||
# Setup run file
|
||||
__file --state "${state}" --mode 0755 --source "${source}" "${run_file}"
|
||||
|
|
10
type/__single_binary_service/explorer/explorer-version
Executable file
10
type/__single_binary_service/explorer/explorer-version
Executable file
|
@ -0,0 +1,10 @@
|
|||
#!/bin/sh -e
|
||||
|
||||
BIN_PREFIX="/usr/local/bin"
|
||||
SERVICE_NAME="${__object_id}"
|
||||
|
||||
VERSION_FILE="${BIN_PREFIX}/.${SERVICE_NAME}.cdist.version"
|
||||
|
||||
if [ -f "${VERSION_FILE}" ]; then
|
||||
cat "${VERSION_FILE}"
|
||||
fi
|
195
type/__single_binary_service/man.rst
Normal file
195
type/__single_binary_service/man.rst
Normal file
|
@ -0,0 +1,195 @@
|
|||
cdist-type__single_binary_service(7)
|
||||
====================================
|
||||
|
||||
NAME
|
||||
----
|
||||
cdist-type__single_binary_service - Setup a single-binary service
|
||||
|
||||
|
||||
DESCRIPTION
|
||||
-----------
|
||||
This type is designed to easily deploy and configure a single-binary service
|
||||
named `${__object_id}`.
|
||||
|
||||
A good example of this are Prometheus exporters.
|
||||
|
||||
This type makes certain assumptions that might not be correct on your system.
|
||||
If you need more flexibility, please get in touch and provide a use-case
|
||||
(and hopefully a backwards-compatible patch).
|
||||
|
||||
This type will place the downloaded binary and, if requested, other extra
|
||||
binaries in `/usr/local/bin`.
|
||||
|
||||
If a `--config-file-source` is provided, it will be placed under:
|
||||
`/etc/${__object_id}.conf`.
|
||||
|
||||
This type supports services managed by `__runit(7)` when `systemd` is not
|
||||
the init system being used.
|
||||
|
||||
|
||||
REQUIRED PARAMETERS
|
||||
-------------------
|
||||
checksum
|
||||
This will be passed verbatim to `__download(7)`.
|
||||
Use something like `sha256:...`.
|
||||
|
||||
url
|
||||
This will be passed verbatim to `__download(7)`.
|
||||
|
||||
version
|
||||
This type will use a thumbstone file with a "version" number to track
|
||||
whether or not a service must be updated.
|
||||
This thumbstone file is placed under
|
||||
`/usr/local/bin/.${__object_id}.cdist.version`.
|
||||
|
||||
|
||||
BOOLEAN PARAMETERS
|
||||
------------------
|
||||
unpack
|
||||
If present, the contents of `--url` will be treated as an archive to be
|
||||
unpacked with `__unpack(7)`.
|
||||
See also `--unpack-args` and `--extra-binary`.
|
||||
|
||||
do-not-manage-user
|
||||
Always considered present when `--user` is `root`.
|
||||
If present, the user in `--user` will not be managed by this type with
|
||||
`__user`, this means it *must* exist beforehand when installing the service
|
||||
and it will not be removed by this type.
|
||||
|
||||
|
||||
OPTIONAL PARAMETERS
|
||||
-------------------
|
||||
config-file-source
|
||||
If present, this file's contents will be placed under
|
||||
`/etc/${__object_id}.conf` with permissions `0440` and ownership assigned to
|
||||
`--user` and `--group`.
|
||||
If `-` is passed, this type's `stdin` will be used.
|
||||
|
||||
user
|
||||
The user under which the service will run. Defaults to `root`.
|
||||
If this user is not `root` and `--do-not-manage-user` is not present,
|
||||
this user will be created or removed as per the `--state` parameter.
|
||||
|
||||
user-home-dir
|
||||
Does not have an effect if `--do-not-manage-user` is used or `--user` is
|
||||
`root`.
|
||||
The home directory of the service user. It will be created.
|
||||
Defaults to `/nonexistent`, in this case the home directory will not be
|
||||
created.
|
||||
|
||||
group
|
||||
The group under which the service will run. Defaults to `--user`.
|
||||
|
||||
state
|
||||
Whether the service is to be `present` (default) or `absent`.
|
||||
When `absent`, this type will clean any binaries listed in `--extra-binary`
|
||||
and also the config file as described in `--config-file-source`.
|
||||
|
||||
binary
|
||||
This will be the binary name. Defaults to `${__object_id}`.
|
||||
If `--unpack` is used, a binary with this name must be unpacked.
|
||||
Otherwise, the contents of `--url` will be placed under this binary name.
|
||||
|
||||
env
|
||||
An `env` file consiting of `ENVIRONMENT_VARIABLE=VALUE`, one variable per
|
||||
line.
|
||||
Empty lines and those starting with `#` are ignored.
|
||||
|
||||
service-args
|
||||
Any extra arguments to pass along with `--service-exec`. Beware that any
|
||||
service-args having the format `--config=/etc/foo.cfg` should be
|
||||
represented in the following way `--service-exec='--config=/etc/foo.cfg'`
|
||||
|
||||
service-exec
|
||||
The executable to use for this service.
|
||||
Defaults to `/usr/local/bin/BINARY_NAME` where `BINARY_NAME` is the
|
||||
resulting value of `--binary`.
|
||||
|
||||
service-definition
|
||||
The service definition to be used as an override.
|
||||
Note that this type decides dinammically between runit and systemd, and
|
||||
you can currently only define either a systemd unit or a runit script here.
|
||||
Use this parameter only for testing and get in touch to discuss how your
|
||||
particular use-case can be supported by the type.
|
||||
|
||||
service-description
|
||||
The service description to be used in, e.g. the systemd unit file.
|
||||
Defaults to `cdist-managed '${__object_id}' service`.
|
||||
|
||||
unpack-args
|
||||
Only has an effect if `--unpack` is used.
|
||||
These arguments will be passed verbatim to `__unpack(7)`.
|
||||
Very useful as this type assumes the archive does not have the binaries in
|
||||
subdirectories; that can be worked around with
|
||||
`--unpack-args '--tar-strip 1'`.
|
||||
|
||||
unpack-extension
|
||||
Only has an effect if `--unpack` is used.
|
||||
The file extension of the file to unpack, defaults to `.tar.gz`.
|
||||
|
||||
working-directory
|
||||
If set, the working directory with which the service will be started.
|
||||
|
||||
|
||||
OPTIONAL MULTIPLE PARAMETERS
|
||||
----------------------------
|
||||
extra-binary
|
||||
Only useful with `--unpack`.
|
||||
If passed, these binaries will also be installed when `--state` is `present`
|
||||
and removed when `--state` is `absent`.
|
||||
Handle with care :-).
|
||||
|
||||
|
||||
EXAMPLES
|
||||
--------
|
||||
|
||||
.. code-block:: sh
|
||||
|
||||
# Install and enable the ipmi_exporter service
|
||||
# The variables are defined in the manifest previously
|
||||
__single_binary_service ipmi_exporter \
|
||||
--user "${USER}" \
|
||||
--service-args ' --config.file=/etc/ipmi_exporter.conf' \
|
||||
--version "${SHOULD_VERSION}" \
|
||||
--checksum "${CHECKSUM}" \
|
||||
--url "${DOWNLOAD_URL}" \
|
||||
--state "present" \
|
||||
--unpack \
|
||||
--unpack-args "--tar-strip 1" \
|
||||
--config-file-source '-' <<-EOF
|
||||
# Remotely managed, changes will be lost
|
||||
# [...] config contents goes here
|
||||
EOF
|
||||
|
||||
# Remove the ipmi_exporter service along with the user and its config
|
||||
__single_binary_service ipmi_exporter \
|
||||
--user "${USER}" \
|
||||
--version "${SHOULD_VERSION}" \
|
||||
--checksum "${CHECKSUM}" \
|
||||
--url "${DOWNLOAD_URL}" \
|
||||
--state "absent"
|
||||
|
||||
# Same, but the service was using my user! Let's not delete that!
|
||||
__single_binary_service ipmi_exporter \
|
||||
--user "evilham" \
|
||||
--do-not-manage-user \
|
||||
--version "${SHOULD_VERSION}" \
|
||||
--checksum "${CHECKSUM}" \
|
||||
--url "${DOWNLOAD_URL}" \
|
||||
--state "absent"
|
||||
|
||||
|
||||
SEE ALSO
|
||||
--------
|
||||
- `__download(7)`
|
||||
- `__unpack(7)`
|
||||
|
||||
|
||||
AUTHORS
|
||||
-------
|
||||
Evilham <contact@evilham.com>
|
||||
|
||||
|
||||
COPYING
|
||||
-------
|
||||
Copyright \(C) 2022 Evilham.
|
305
type/__single_binary_service/manifest
Executable file
305
type/__single_binary_service/manifest
Executable file
|
@ -0,0 +1,305 @@
|
|||
#!/bin/sh -e
|
||||
SERVICE_NAME="${__object_id}"
|
||||
|
||||
OS="$(cat "${__global}/explorer/os")"
|
||||
|
||||
case "${OS}" in
|
||||
debian|devuan)
|
||||
SUPER_USER_GROUP=root
|
||||
ETC_DIR="/etc"
|
||||
;;
|
||||
*bsd)
|
||||
SUPER_USER_GROUP=wheel
|
||||
ETC_DIR="/usr/local/etc"
|
||||
;;
|
||||
*)
|
||||
echo "Your OS '${OS}' is currently not supported." >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
INIT="$(cat "${__global}/explorer/init")"
|
||||
|
||||
case "${INIT}" in
|
||||
systemd)
|
||||
service_definition_require="__systemd_unit/${SERVICE_NAME}.service"
|
||||
service_command="service ${SERVICE_NAME} %s"
|
||||
;;
|
||||
runit|sysvinit)
|
||||
# We will use runit to manage these services
|
||||
__runit
|
||||
export require="__runit"
|
||||
service_definition_require="__runit_service/${SERVICE_NAME}"
|
||||
service_command="sv %s ${SERVICE_NAME}"
|
||||
;;
|
||||
*)
|
||||
echo "Init system ${INIT}' is currently not supported." >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
BIN_DIR="/usr/local/bin"
|
||||
|
||||
# Ensure the target bin dir exists
|
||||
# Care, we never want to remove it :-D
|
||||
__directory "${BIN_DIR}" \
|
||||
--state "exists" \
|
||||
--mode 0755
|
||||
export require="${require} __directory${BIN_DIR}"
|
||||
|
||||
STATE="$(cat "${__object}/parameter/state")"
|
||||
USER="$(cat "${__object}/parameter/user")"
|
||||
GROUP="$(cat "${__object}/parameter/group" 2>/dev/null || true)"
|
||||
if [ -z "${GROUP}" ]; then
|
||||
if [ "${USER}" != "root" ]; then
|
||||
GROUP="${USER}"
|
||||
else
|
||||
GROUP="${SUPER_USER_GROUP}"
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
BINARY="$(cat "${__object}/parameter/binary" 2>/dev/null || true)"
|
||||
if [ -z "${BINARY}" ]; then
|
||||
BINARY="${SERVICE_NAME}"
|
||||
fi
|
||||
EXTRA_BINARIES="$(cat "${__object}/parameter/extra-binary" 2>/dev/null || true)"
|
||||
# This only makes sense for file archives
|
||||
if [ -n "${EXTRA_BINARIES}" ] && [ -f "${__object}/parameter/unpack" ]; then
|
||||
cat >&2 <<-EOF
|
||||
You cannot specify extra binaries without the --unpack argument.
|
||||
Make sure that the --url argument points to a file archive.
|
||||
EOF
|
||||
fi
|
||||
|
||||
SERVICE_EXEC="$(cat "${__object}/parameter/service-exec" 2>/dev/null || true)"
|
||||
if [ -z "${SERVICE_EXEC}" ]; then
|
||||
SERVICE_EXEC="${BIN_DIR}/${BINARY}"
|
||||
fi
|
||||
SERVICE_ARGS="$(cat "${__object}/parameter/service-args")"
|
||||
SERVICE_EXEC="${SERVICE_EXEC} ${SERVICE_ARGS}"
|
||||
|
||||
SERVICE_DESCRIPTION="$(cat "${__object}/parameter/service-description" \
|
||||
2>/dev/null || true)"
|
||||
if [ -z "${SERVICE_DESCRIPTION}" ]; then
|
||||
SERVICE_DESCRIPTION="cdist-managed '${SERVICE_NAME}' service"
|
||||
fi
|
||||
|
||||
SERVICE_DEFINITION="$(cat "${__object}/parameter/service-definition" 2>/dev/null || true)"
|
||||
|
||||
WORKING_DIRECTORY_PATH="$(cat "${__object}/parameter/working-directory" 2>/dev/null || true)"
|
||||
if [ -n "${WORKING_DIRECTORY_PATH}" ]; then
|
||||
WORKING_DIRECTORY_SYSTEMD="WorkingDirectory=${WORKING_DIRECTORY_PATH}"
|
||||
WORKING_DIRECTORY_RUNIT="cd '${WORKING_DIRECTORY_PATH}'"
|
||||
fi
|
||||
|
||||
DOWNLOAD_URL="$(cat "${__object}/parameter/url")"
|
||||
CHECKSUM="$(cat "${__object}/parameter/checksum")"
|
||||
SHOULD_VERSION="$(cat "${__object}/parameter/version")"
|
||||
|
||||
# Create a user for the service if it is not root
|
||||
USER_HOME_DIR="/root"
|
||||
if [ "${USER}" != "root" ] && \
|
||||
[ ! -f "${__object}/parameter/do-not-manage-user" ]; then
|
||||
if [ "${STATE}" = "absent" ]; then
|
||||
# When removing, ensure user is not being used
|
||||
user_require="${service_definition_require}"
|
||||
fi
|
||||
USER_HOME_DIR="$(cat "${__object}/parameter/user-home-dir")"
|
||||
if [ "${USER_HOME_DIR}" != "/nonexistent" ]; then
|
||||
USER_CREATE_HOME="--create-home"
|
||||
fi
|
||||
require="${require} ${user_require}" __user "${USER}" \
|
||||
--system \
|
||||
--state "${STATE}" \
|
||||
--home "${USER_HOME_DIR}" \
|
||||
--comment "cdist-managed service user" \
|
||||
${USER_CREATE_HOME}
|
||||
# Track dependencies
|
||||
service_require="${service_require} __user/${USER}"
|
||||
fi
|
||||
|
||||
# Place config file if necessary
|
||||
CONFIG_FILE_DEST="${ETC_DIR}/${SERVICE_NAME}.conf"
|
||||
CONFIG_FILE_SOURCE="$(cat "${__object}/parameter/config-file-source" 2>/dev/null || true)"
|
||||
if [ "${CONFIG_FILE_SOURCE}" = "-" ]; then
|
||||
CONFIG_FILE_SOURCE="${__object}/stdin"
|
||||
fi
|
||||
if [ -n "${CONFIG_FILE_SOURCE}" ] && [ "${STATE}" = "present" ]; then
|
||||
require="${require} __user/${USER}" __file \
|
||||
"${CONFIG_FILE_DEST}" \
|
||||
--owner "${USER}" \
|
||||
--group "${GROUP}" \
|
||||
--mode "0440" \
|
||||
--source "${CONFIG_FILE_SOURCE}"
|
||||
service_require="${service_require} __file${CONFIG_FILE_DEST}"
|
||||
fi
|
||||
|
||||
|
||||
|
||||
# These messages will trigger a service restart (overridden for systemd)
|
||||
service_config_reload_pattern="^__file${CONFIG_FILE_DEST}"
|
||||
|
||||
# This should setup the object in $service_definition_require
|
||||
# See above.
|
||||
case "${INIT}" in
|
||||
systemd)
|
||||
if [ -z "${SERVICE_DEFINITION}" ]; then
|
||||
SYSTEMD_ENV_FILE="/etc/systemd/system/${SERVICE_NAME}.env"
|
||||
__file "${SYSTEMD_ENV_FILE}" \
|
||||
--mode 0400 \
|
||||
--source "${__object}/parameter/env"
|
||||
# We need to take into account the envionment file for systemd too
|
||||
service_config_reload_pattern="(${service_config_reload_pattern}|^__file${SYSTEMD_ENV_FILE})"
|
||||
|
||||
SERVICE_DEFINITION="$(cat <<EOF
|
||||
[Unit]
|
||||
Description=${SERVICE_DESCRIPTION}
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
|
||||
User=${USER}
|
||||
Group=${GROUP}
|
||||
ExecStart=${SERVICE_EXEC}
|
||||
Restart=always
|
||||
EnvironmentFile=${SYSTEMD_ENV_FILE}
|
||||
${WORKING_DIRECTORY_SYSTEMD}
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
EOF
|
||||
)"
|
||||
fi
|
||||
__systemd_unit "${SERVICE_NAME}.service" \
|
||||
--source "-" \
|
||||
--state "${STATE}" \
|
||||
--enablement-state "enabled" <<EOF
|
||||
${SERVICE_DEFINITION}
|
||||
EOF
|
||||
;;
|
||||
runit|sysvinit)
|
||||
if [ -z "${SERVICE_DEFINITION}" ]; then
|
||||
RUNIT_ENV="$(sed -Ee 's!^([[:alnum:]_]+)=(.*)$!export \1=\2!' "${__object}/parameter/env")"
|
||||
SERVICE_DEFINITION="$(cat <<EOF
|
||||
#!/bin/sh -e
|
||||
${WORKING_DIRECTORY_RUNIT}
|
||||
# User-provided environment
|
||||
${RUNIT_ENV}
|
||||
# System vars
|
||||
export HOME="\$(getent passwd '${USER}' | cut -d: -f6)"
|
||||
export USER="${USER}"
|
||||
export GROUP="${GROUP}"
|
||||
|
||||
exec 2>&1
|
||||
exec chpst -u "${USER}:${GROUP}" ${SERVICE_EXEC}
|
||||
EOF
|
||||
)"
|
||||
fi
|
||||
__runit_service "${SERVICE_NAME}" \
|
||||
--state "${STATE}" \
|
||||
--log \
|
||||
--source - <<EOF
|
||||
${SERVICE_DEFINITION}
|
||||
EOF
|
||||
;;
|
||||
esac
|
||||
service_require="${service_require} ${service_definition_require}"
|
||||
|
||||
# Proceed after user and service description have been prepared
|
||||
export require="${require} ${service_require}"
|
||||
|
||||
VERSION_FILE="${BIN_DIR}/.${SERVICE_NAME}.cdist.version"
|
||||
IS_VERSION="$(cat "${__object}/explorer/explorer-version")"
|
||||
|
||||
|
||||
if [ "${STATE}" = "absent" ]; then
|
||||
# Perform cleanup of generated files
|
||||
for bin_file in ${BINARY} ${EXTRA_BINARIES}; do
|
||||
__file "${BIN_DIR}/${bin_file}" --state "absent"
|
||||
done
|
||||
__file "${VERSION_FILE}" --state "absent"
|
||||
__file "${CONFIG_FILE_DEST}" --state "absent"
|
||||
fi
|
||||
|
||||
if [ "${STATE}" != "present" ]; then
|
||||
exit
|
||||
fi
|
||||
|
||||
sv_cmd() {
|
||||
# This is intentional
|
||||
# shellcheck disable=SC2059
|
||||
printf "${service_command}" "$1"
|
||||
}
|
||||
|
||||
if [ "${SHOULD_VERSION}" != "${IS_VERSION}" ]; then
|
||||
# We are installing the service and there has been a version change
|
||||
# (or it is first-time install)
|
||||
TMP_PATH="/tmp/${SERVICE_NAME}-${SHOULD_VERSION}"
|
||||
|
||||
# This is what will stop the service, replace the binaries and
|
||||
# start the service again
|
||||
perform_service_upgrade="$(cat <<EOF
|
||||
$(sv_cmd stop) || true
|
||||
if [ -f '${TMP_PATH}' ]; then
|
||||
chown root:${SUPER_USER_GROUP} '${TMP_PATH}'
|
||||
chmod 0555 '${TMP_PATH}'
|
||||
cp -af '${TMP_PATH}' '${BIN_DIR}/${BINARY}'
|
||||
else
|
||||
for bin_file in ${BINARY} ${EXTRA_BINARIES}; do
|
||||
bin_path="${TMP_PATH}/\${bin_file}"
|
||||
chown root:${SUPER_USER_GROUP} "\${bin_path}"
|
||||
chmod 0555 "\${bin_path}"
|
||||
cp -af "\${bin_path}" "${BIN_DIR}/\${bin_file}"
|
||||
done
|
||||
fi
|
||||
$(sv_cmd start) || true
|
||||
EOF
|
||||
)"
|
||||
|
||||
if [ -f "${__object}/parameter/unpack" ]; then
|
||||
UNPACK_EXTENSION="$(cat "${__object}/parameter/unpack-extension")"
|
||||
UNPACK_ARGS="$(cat "${__object}/parameter/unpack-args" \
|
||||
2>/dev/null || true)"
|
||||
# Download packed file
|
||||
__download "${TMP_PATH}${UNPACK_EXTENSION}" \
|
||||
--url "${DOWNLOAD_URL}" \
|
||||
--download remote \
|
||||
--sum "${CHECKSUM}"
|
||||
|
||||
# Unpack file and also perform service upgrade
|
||||
# shellcheck disable=SC2086
|
||||
require="__download${TMP_PATH}${UNPACK_EXTENSION}" \
|
||||
__unpack "${TMP_PATH}${UNPACK_EXTENSION}" \
|
||||
${UNPACK_ARGS} \
|
||||
--destination "${TMP_PATH}"
|
||||
version_bump_require="__unpack${TMP_PATH}${UNPACK_EXTENSION}"
|
||||
else
|
||||
# Create temp directory
|
||||
__directory "${TMP_PATH}"
|
||||
# Download binary directoy to the temp directory with the
|
||||
# specified binary name
|
||||
require="__directory${TMP_PATH}" __download \
|
||||
"${TMP_PATH}/${BINARY}" \
|
||||
--url "${DOWNLOAD_URL}" \
|
||||
--download remote \
|
||||
--sum "${CHECKSUM}"
|
||||
version_bump_require="__download${TMP_PATH}/${BINARY}"
|
||||
fi
|
||||
|
||||
# Perform update of cdist-managed version file
|
||||
# And also perform service upgrade
|
||||
# This is a bug if service_upgrade fails >,<
|
||||
printf "%s" "${SHOULD_VERSION}" | \
|
||||
require="${version_bump_require}" __file \
|
||||
"${VERSION_FILE}" \
|
||||
--onchange "${perform_service_upgrade}" \
|
||||
--source "-"
|
||||
else
|
||||
# We only restart here if there was a config or env change
|
||||
# but there was not a version change
|
||||
require="${service_require}" __check_messages \
|
||||
"single_binary_service_${__object_id}" \
|
||||
--pattern "${service_config_reload_pattern}" \
|
||||
--execute "$(sv_cmd restart)"
|
||||
fi
|
2
type/__single_binary_service/parameter/boolean
Normal file
2
type/__single_binary_service/parameter/boolean
Normal file
|
@ -0,0 +1,2 @@
|
|||
do-not-manage-user
|
||||
unpack
|
0
type/__single_binary_service/parameter/default/env
Normal file
0
type/__single_binary_service/parameter/default/env
Normal file
1
type/__single_binary_service/parameter/default/state
Normal file
1
type/__single_binary_service/parameter/default/state
Normal file
|
@ -0,0 +1 @@
|
|||
present
|
|
@ -0,0 +1 @@
|
|||
.tar.gz
|
1
type/__single_binary_service/parameter/default/user
Normal file
1
type/__single_binary_service/parameter/default/user
Normal file
|
@ -0,0 +1 @@
|
|||
root
|
|
@ -0,0 +1 @@
|
|||
/nonexistent
|
14
type/__single_binary_service/parameter/optional
Normal file
14
type/__single_binary_service/parameter/optional
Normal file
|
@ -0,0 +1,14 @@
|
|||
config-file-source
|
||||
env
|
||||
user
|
||||
group
|
||||
state
|
||||
binary
|
||||
service-args
|
||||
service-exec
|
||||
service-description
|
||||
service-definition
|
||||
unpack-extension
|
||||
unpack-args
|
||||
user-home-dir
|
||||
working-directory
|
1
type/__single_binary_service/parameter/optional_multiple
Normal file
1
type/__single_binary_service/parameter/optional_multiple
Normal file
|
@ -0,0 +1 @@
|
|||
extra-binary
|
3
type/__single_binary_service/parameter/required
Normal file
3
type/__single_binary_service/parameter/required
Normal file
|
@ -0,0 +1,3 @@
|
|||
url
|
||||
checksum
|
||||
version
|
20
type/__systemd_network/gencode-remote
Executable file
20
type/__systemd_network/gencode-remote
Executable file
|
@ -0,0 +1,20 @@
|
|||
#!/bin/sh -e
|
||||
#
|
||||
# 2022 Joachim Desroches (joachim.desroches@epfl.ch)
|
||||
#
|
||||
# This file is part of cdist.
|
||||
#
|
||||
# cdist is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# cdist is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
echo "systemctl enable systemd-networkd"
|
68
type/__systemd_network/man.rst
Normal file
68
type/__systemd_network/man.rst
Normal file
|
@ -0,0 +1,68 @@
|
|||
cdist-type__systemd-network(7)
|
||||
==============================
|
||||
|
||||
NAME
|
||||
----
|
||||
cdist-type__systemd-network - Configure systemd.network(5) file.
|
||||
|
||||
|
||||
DESCRIPTION
|
||||
-----------
|
||||
|
||||
This type allows you to configure network interfaces by generating a
|
||||
systemd.network(5) file. It will enable systemd-networkd, so be sure to remove
|
||||
any conflicting network configuration tool if appropriate!
|
||||
|
||||
Note that the systemd.network(5) system is very complete, and this type does
|
||||
not aim at providing every possible option. Are currently available only the
|
||||
most common options: feel free to add anything you need to this type which
|
||||
hopefully will grow over time.
|
||||
|
||||
|
||||
REQUIRED PARAMETERS
|
||||
-------------------
|
||||
None.
|
||||
|
||||
|
||||
OPTIONAL PARAMETERS
|
||||
-------------------
|
||||
description
|
||||
A text field used when displaying details about this network.
|
||||
|
||||
OPTIONAL MULTIPLE PARAMETERS
|
||||
----------------------------
|
||||
match-name
|
||||
A text field that will be set in the `Name` option of the `[Match]` section.
|
||||
|
||||
|
||||
BOOLEAN PARAMETERS
|
||||
------------------
|
||||
ipv6ra-usedomains
|
||||
Set the `UseDomains` option of the `[IPv6AcceptRA]` section to `True`.
|
||||
|
||||
|
||||
EXAMPLES
|
||||
--------
|
||||
|
||||
.. code-block:: sh
|
||||
|
||||
# TODO
|
||||
__systemd-network
|
||||
|
||||
|
||||
SEE ALSO
|
||||
--------
|
||||
`cdist-type_systemd-resolved`\ (7)
|
||||
`systemd.network`\ (5)
|
||||
|
||||
AUTHORS
|
||||
-------
|
||||
Joachim Desroches <joachim.desroches@epfl.ch>
|
||||
|
||||
|
||||
COPYING
|
||||
-------
|
||||
Copyright \(C) 2022 Joachim Desroches. You can redistribute it
|
||||
and/or modify it under the terms of the GNU General Public License as
|
||||
published by the Free Software Foundation, either version 3 of the
|
||||
License, or (at your option) any later version.
|
86
type/__systemd_network/manifest
Executable file
86
type/__systemd_network/manifest
Executable file
|
@ -0,0 +1,86 @@
|
|||
#!/bin/sh -e
|
||||
#
|
||||
# 2022 Joachim Desroches (joachim.desroches@epfl.ch)
|
||||
#
|
||||
# This file is part of cdist.
|
||||
#
|
||||
# cdist is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# cdist is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
|
||||
os=$(cat "${__global:?}/explorer/os")
|
||||
|
||||
case "$os" in
|
||||
'debian' | 'ubuntu' | 'archlinux')
|
||||
:
|
||||
;;
|
||||
*)
|
||||
printf "Your operating system (%s) is currently not supported by systemd-network\n" "$os" >&2
|
||||
printf "Please contribute an implementation for it if you can.\n" >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
# XXX: Please keep the option parsing organized in order per-section, with
|
||||
# sections in the same order as they are in the manpage. This will make hacking
|
||||
# and maintaining this type much easier.
|
||||
|
||||
mkdir "${__object:?}/files"
|
||||
output_file="${__object:?}/files/${__object_id:?}.network"
|
||||
|
||||
cat << EOF > "$output_file"
|
||||
# This file is managed by cdist. Do not edit by hand!
|
||||
EOF
|
||||
|
||||
# Match section
|
||||
# Ensure section is needed, OR existence of optional params.
|
||||
if [ -f "${__object:?}/parameter/match-name" ];
|
||||
then
|
||||
printf "\n[Match]\n" >> "$output_file"
|
||||
|
||||
if [ -f "${__object:?}/parameter/match-name" ];
|
||||
then
|
||||
sed -e 's/^/Name=/' \
|
||||
"${__object:?}/parameter/match-name" >> "$output_file"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Network section
|
||||
# Ensure section is needed, OR existence of optional params.
|
||||
if [ -f "${__object:?}/parameter/description" ];
|
||||
then
|
||||
printf "\n[Network]\n" >> "$output_file"
|
||||
|
||||
if [ -f "${__object:?}/parameter/description" ];
|
||||
then
|
||||
sed -e 's/^/Description=/' \
|
||||
"${__object:?}/parameter/description" >> "$output_file"
|
||||
fi
|
||||
fi
|
||||
|
||||
# IPv6AcceptRA section
|
||||
# Ensure section is needed, OR existence of optional params.
|
||||
if [ -f "${__object:?}/parameter/ipv6ra-usedomains" ];
|
||||
then
|
||||
printf "\n[IPv6AcceptRA]\n" >> "$output_file"
|
||||
|
||||
if [ -f "${__object:?}/parameter/ipv6ra-usedomains" ];
|
||||
then
|
||||
printf "UseDomains=True\n" >> "$output_file"
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
__file "/etc/systemd/network/${__object_id:?}.network" \
|
||||
--source "$output_file" \
|
||||
--mode 0644
|
1
type/__systemd_network/parameter/boolean
Normal file
1
type/__systemd_network/parameter/boolean
Normal file
|
@ -0,0 +1 @@
|
|||
ipv6ra-usedomains
|
1
type/__systemd_network/parameter/optional
Normal file
1
type/__systemd_network/parameter/optional
Normal file
|
@ -0,0 +1 @@
|
|||
description
|
1
type/__systemd_network/parameter/optional_multiple
Normal file
1
type/__systemd_network/parameter/optional_multiple
Normal file
|
@ -0,0 +1 @@
|
|||
match-name
|
21
type/__systemd_resolved/gencode-remote
Executable file
21
type/__systemd_resolved/gencode-remote
Executable file
|
@ -0,0 +1,21 @@
|
|||
#!/bin/sh -e
|
||||
#
|
||||
# 2022 Joachim Desroches (joachim.desroches@epfl.ch)
|
||||
#
|
||||
# This file is part of cdist.
|
||||
#
|
||||
# cdist is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# cdist is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
|
||||
echo "systemctl enable systemd-resolved"
|
47
type/__systemd_resolved/man.rst
Normal file
47
type/__systemd_resolved/man.rst
Normal file
|
@ -0,0 +1,47 @@
|
|||
cdist-type__systemd_resolved(7)
|
||||
===============================
|
||||
|
||||
NAME
|
||||
----
|
||||
cdist-type__systemd_resolved - Configure system to use systemd-resolved.
|
||||
|
||||
|
||||
DESCRIPTION
|
||||
-----------
|
||||
*systemd-resolved* is a systemd service that provides network name resolution
|
||||
to local applications via a D-Bus interface, the resolve NSS service
|
||||
(nss-resolve(8)), and a local DNS stub listener on 127.0.0.53.
|
||||
|
||||
This type enables and starts this type, and helps with some minimal
|
||||
configuration. In particular, systemd-resolved has four modes of handling the
|
||||
`/etc/resolv.conf` file: stub, static, uplink and foreign. See the
|
||||
systemd-resolved(8) manpage for details. By default, this type uses stub mode:
|
||||
if you need another one, please provide an implementation in this type!
|
||||
|
||||
|
||||
EXAMPLES
|
||||
--------
|
||||
|
||||
.. code-block:: sh
|
||||
|
||||
__systemd_resolved
|
||||
|
||||
|
||||
SEE ALSO
|
||||
--------
|
||||
`systemd.network`\ (5)
|
||||
`systemd-resolved`\ (8)
|
||||
`nss-resolve`\ (8)
|
||||
|
||||
|
||||
AUTHORS
|
||||
-------
|
||||
Joachim Desroches <joachim.desroches@epfl.ch>
|
||||
|
||||
|
||||
COPYING
|
||||
-------
|
||||
Copyright \(C) 2022 Joachim Desroches. You can redistribute it
|
||||
and/or modify it under the terms of the GNU General Public License as
|
||||
published by the Free Software Foundation, either version 3 of the
|
||||
License, or (at your option) any later version.
|
42
type/__systemd_resolved/manifest
Executable file
42
type/__systemd_resolved/manifest
Executable file
|
@ -0,0 +1,42 @@
|
|||
#!/bin/sh -e
|
||||
#
|
||||
# 2022 Joachim Desroches (joachim.desroches@epfl.ch)
|
||||
#
|
||||
# This file is part of cdist.
|
||||
#
|
||||
# cdist is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# cdist is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
|
||||
os=$(cat "${__global:?}/explorer/os")
|
||||
|
||||
case "$os" in
|
||||
'debian')
|
||||
:
|
||||
;;
|
||||
*)
|
||||
printf "Your operating system (%s) is currently not supported by __systemd_resolved\n" "$os" >&2
|
||||
printf "Please contribute an implementation for it if you can.\n" >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
__link /etc/resolv.conf \
|
||||
--type symbolic \
|
||||
--source ../run/systemd/resolve/stub-resolv.conf
|
||||
|
||||
require=__link/etc/resolv.conf \
|
||||
__systemd_service systemd-resolved \
|
||||
--state running \
|
||||
--action restart \
|
||||
--if-required
|
0
type/__systemd_resolved/singleton
Normal file
0
type/__systemd_resolved/singleton
Normal file
|
@ -38,7 +38,8 @@ install-key-to
|
|||
Installation path of the certificate's private key.
|
||||
|
||||
renew-hook
|
||||
Renew hook executed on certificate renewal (e.g. `service nginx reload`).
|
||||
Renew hook executed on certificate renewal (e.g. `service nginx reload`, `-`
|
||||
for the standard input).
|
||||
|
||||
force-cert-ownership-to
|
||||
Override default ownership for TLS certificate, passed as argument to chown.
|
||||
|
|
|
@ -109,8 +109,12 @@ export CERT_TARGET
|
|||
RENEW_HOOK=
|
||||
if [ -f "${__object:?}/parameter/renew-hook" ];
|
||||
then
|
||||
if [ "$(cat "${__object:?}/parameter/renew-hook")" = "-" ]; then
|
||||
RENEW_HOOK="$(cat ${__object:?}/stdin)"
|
||||
else
|
||||
RENEW_HOOK="$(cat "${__object:?}/parameter/renew-hook")"
|
||||
fi
|
||||
fi
|
||||
export RENEW_HOOK
|
||||
|
||||
if [ -n "$KEY_TARGET" ] && [ -z "$CERT_TARGET" ]; then
|
||||
|
|
Loading…
Reference in a new issue