Compare commits

..

1 commit
master ... php

Author SHA1 Message Date
9b6788f29a
__php_fpm{,_pool}: initial implementation. 2022-03-22 16:41:07 +01:00
66 changed files with 925 additions and 3543 deletions

View file

@ -26,18 +26,6 @@ OPTIONAL PARAMETERS
mtu mtu
An optional MTU setting to include in the router advertisements. An optional MTU setting to include in the router advertisements.
default-preference
This option specifies the Default Router Preference value to advertise to
hosts. Default: medium.
route-preference
This option specifies the default value of advertised route preference for
specific routes. Default: medium.
default-lifetime
This option specifies the time (in seconds) how long (since the receipt of RA)
hosts may use the router as a default router. 0 means do not use as a default
router. Default: 3.
OPTIONAL MULTIPLE PARAMETERS OPTIONAL MULTIPLE PARAMETERS
---------------------------- ----------------------------

View file

@ -58,48 +58,27 @@ fi
MTU= MTU=
if [ -f "${__object:?}/parameter/mtu" ]; if [ -f "${__object:?}/parameter/mtu" ];
then then
MTU="link mtu $(cat "${__object:?}/parameter/mtu");" MTU="link mtu $(cat "${__object:?}/parameter/mtu")"
fi
DEFAULT_PREFERENCE=
if [ -f "${__object:?}/parameter/default-preference" ];
then
DEFAULT_PREFERENCE="default preference $(cat "${__object:?}/parameter/default-preference");"
fi
ROUTE_PREFERENCE=
if [ -f "${__object:?}/parameter/route-preference" ];
then
ROUTE_PREFERENCE="route preference $(cat "${__object:?}/parameter/route-preference");"
fi
DEFAULT_LIFETIME=
if [ -f "${__object:?}/parameter/default-lifetime" ];
then
DEFAULT_LIFETIME="default lifetime $(cat "${__object:?}/parameter/default-lifetime");"
fi fi
__file "${confdir:?}/radv-${__object_id:?}.conf" \ __file "${confdir:?}/radv-${__object_id:?}.conf" \
--mode 0640 --owner root --group bird \ --mode 0640 --owner root --group bird \
--source - << EOF --source - << EOF
ipv6 table radv_routes_${__object_id}; ipv6 table radv_routes;
protocol static { protocol static {
description "Routes advertised via RAs"; description "Routes advertised via RAs";
ipv6 { table radv_routes_${__object_id}; }; ipv6 { table radv_routes; };
$(sed -e 's/^/\troute /' -e 's/$/ unreachable;/' "${__object:?}/parameter/route") $(sed -e 's/^/\troute /' -e 's/$/ unreachable;/' "${__object:?}/parameter/route")
} }
protocol radv ${__object_id:?} { protocol radv ${__object_id:?} {
propagate routes ${have_routes:?}; propagate routes ${have_routes:?};
ipv6 { table radv_routes_${__object_id}; export all; }; ipv6 { table radv_routes; export all; };
interface "$(cat "${__object:?}/parameter/interface")" { interface "$(cat "${__object:?}/parameter/interface")" {
$MTU $MTU
$DEFAULT_LIFETIME
$DEFAULT_PREFERENCE
$ROUTE_PREFERENCE
}; };
$RDNS $RDNS

View file

@ -1,4 +1 @@
mtu mtu
default-preference
route-preference
default-lifetime

View file

@ -1,15 +0,0 @@
#!/bin/sh -eu
JICOFO="/usr/share/jicofo/jicofo.sh"
VIDEOBRIDGE="/usr/share/jitsi-videobridge/lib/videobridge.rc"
if [ -f "${JICOFO:?}" ]; then
jicofo_memory="$(grep JICOFO_MAX_MEMORY= "${JICOFO:?}" | cut -d= -f 2 | cut -d ";" -f 1)"
fi
if [ -f "${VIDEOBRIDGE:?}" ]; then
vb_memory="$(grep VIDEOBRIDGE_MAX_MEMORY= "${VIDEOBRIDGE:?}" | cut -d= -f 2)"
fi
cat <<EOF
jicofo ${jicofo_memory:-n/a}
videobridge ${vb_memory:-n/a}
EOF

View file

@ -1,26 +0,0 @@
#!/bin/sh -eu
JICOFO_AUTHPASSWORD=""
# We need this to properly configure jicofo
# Default to reading debconf
DEBCONF_PASS_FILE="/var/cache/debconf/passwords.dat"
if [ -f "${DEBCONF_PASS_FILE}" ]; then
JICOFO_AUTHPASSWORD="$(grep -A1 'Template: jicofo/jicofo-authpassword' "${DEBCONF_PASS_FILE}" | tail -n 1 | cut -d ' ' -f 2-)"
fi
# Try jicofo.conf if necessary
JICOFO_CONF_FILE="/etc/jitsi/jicofo/jicofo.conf"
if [ -z "${JICOFO_AUTHPASSWORD}" ] && [ -f "${JICOFO_CONF_FILE}" ]; then
JICOFO_AUTHPASSWORD="$(grep -E '^[[:space:]]*password:' "${JICOFO_CONF_FILE}" | sed -E 's!^[^:]*:[[:space:]]*"(.*)"$!\1!')"
fi
# And fallback to config file if necessary
JICOFO_CONFIG_FILE="/etc/jitsi/jicofo/config"
if [ -z "${JICOFO_AUTHPASSWORD}" ] && [ -f "${JICOFO_CONFIG_FILE}" ]; then
JICOFO_AUTHPASSWORD="$(grep -E '^JICOFO_AUTH_PASSWORD=' "${JICOFO_CONFIG_FILE}" | cut -d '=' -f 2-)"
fi
# If we didn't find it, this is likely a new installation and we'll generate
# the password on the manifest
echo "${JICOFO_AUTHPASSWORD:-}"

View file

@ -1,6 +0,0 @@
#!/bin/sh -eu
if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then
# TODO: detect curl / depend on it?
curl -s localhost:9888/metrics
fi

View file

@ -0,0 +1,7 @@
#!/bin/sh -e
EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version"
if [ -f "${EXPORTER_VERSION_FILE}" ]; then
cat "${EXPORTER_VERSION_FILE}"
fi

View file

@ -5,6 +5,9 @@
if false; then if false; then
# We are currently not using these, just here as documentation # We are currently not using these, just here as documentation
DEBCONF_SETTINGS="$(cat <<EOF DEBCONF_SETTINGS="$(cat <<EOF
# Jicofo user password:
jicofo jicofo/jicofo-authpassword password STH
jitsi-meet-prosody jicofo/jicofo-authpassword password STH
# The secret used to connect to xmpp server as component # The secret used to connect to xmpp server as component
jitsi-meet-prosody jitsi-videobridge/jvbsecret password STH jitsi-meet-prosody jitsi-videobridge/jvbsecret password STH
jitsi-videobridge jitsi-videobridge/jvbsecret password STH jitsi-videobridge jitsi-videobridge/jvbsecret password STH
@ -37,9 +40,6 @@ jitsi-videobridge jitsi-videobridge/jvb-hostname string ${JITSI_HOST}
jitsi-videobridge2 jitsi-videobridge/jvb-hostname string ${JITSI_HOST} jitsi-videobridge2 jitsi-videobridge/jvb-hostname string ${JITSI_HOST}
# The hostname of the current installation: # The hostname of the current installation:
jitsi-meet-prosody jitsi-meet-prosody/jvb-hostname string ${JITSI_HOST} jitsi-meet-prosody jitsi-meet-prosody/jvb-hostname string ${JITSI_HOST}
# Jicofo user password:
jicofo jicofo/jicofo-authpassword password ${JICOFO_AUTHPASSWORD}
jitsi-meet-prosody jicofo/jicofo-authpassword password ${JICOFO_AUTHPASSWORD}
# SSL certificate for the Jitsi Meet instance # SSL certificate for the Jitsi Meet instance
# Choices: Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate), I want to use my own certificate # Choices: Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate), I want to use my own certificate
jitsi-meet-web-config jitsi-meet/cert-choice select Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate) jitsi-meet-web-config jitsi-meet/cert-choice select Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)

View file

@ -1,38 +0,0 @@
#!/bin/sh -eu
# Start
cat <<EOF
# Managed remotely, changes will be lost
# Jicofo HOCON configuration. See /usr/share/jicofo/jicofo.jar/reference.conf for
#available options, syntax, and default values.
jicofo {
xmpp: {
client: {
client-proxy: focus.${JITSI_HOST:?}
xmpp-domain: "${JITSI_HOST:?}"
domain: "auth.${JITSI_HOST:?}"
username: "focus"
password: "${JICOFO_AUTHPASSWORD:?}"
}
trusted-domains: [ "recorder.${JITSI_HOST:?}" ]
}
bridge: {
brewery-jid: "JvbBrewery@internal.auth.${JITSI_HOST:?}"
}
EOF
# Secured domains if needed
if [ "${SECURED_DOMAINS_STATE:?}" = "present" ]; then
cat <<EOF
authentication: {
enabled: true
type: XMPP
login-url: ${JITSI_HOST:?}
}
EOF
fi
# End
echo '}'

View file

@ -1 +0,0 @@
../../__jitsi_meet_domain/files/jitsi-version

View file

@ -1 +0,0 @@
../../__jitsi_meet_domain/files/prosody.cfg.lua.sh

View file

@ -1,43 +1,11 @@
#!/bin/sh -e #!/bin/sh -e
memory="$(cat "${__global}/explorer/memory")"
G="000000" # Will totally eff up the zero-count otherwise
# MAX_MEMORY will affect jicofo and videobridge
# As a rule of thumb, the machine's RAM should be more than 2.5 * MAX_MEMORY
if [ "${memory}" -lt "3${G}" ]; then
# If you use this, let us know how it works!
MAX_MEMORY="768m"
elif [ "${memory}" -lt "5${G}" ]; then
MAX_MEMORY="1024m"
elif [ "${memory}" -lt "8${G}" ]; then
MAX_MEMORY="2048m"
else
# Jitsi recommends running on 8G RAM and these are the defaults
MAX_MEMORY="3072m"
fi
if cut -f 2 "${__object}/explorer/configured-memory" | grep -qvE "^${MAX_MEMORY}$"; then
# At least one service has different memory settings
RESTART_SERVICES="YES"
cat <<-EOF
sed -i.tmp -E \
-e 's!^(#[[:space:]]*)?(VIDEOBRIDGE_MAX_MEMORY)=.*\$!\2=${MAX_MEMORY}!' \
/usr/share/jitsi-videobridge/lib/videobridge.rc
sed -i.tmp -E \
-e 's!(JICOFO_MAX_MEMORY)[^";]+;!\1=${MAX_MEMORY};!' \
/usr/share/jicofo/jicofo.sh
EOF
fi
if grep -qE "^__file/etc/nginx" "${__messages_in}"; then if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
echo "service nginx reload" echo "service nginx reload"
fi fi
if grep -qE "^(__line/jitsi_jicofo_secured_domains|(__file|__link)/etc/prosody/conf.d/|__file/etc/jitsi/(jicofo/jicofo.conf|videobridge/jvb.conf))" "${__messages_in}"; then JITSI_HOST="${__object_id}"
RESTART_SERVICES="YES" if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua)" "${__messages_in}"; then
fi
if [ -n "${RESTART_SERVICES}" ]; then
echo "systemctl restart prosody" echo "systemctl restart prosody"
echo "systemctl restart jicofo" echo "systemctl restart jicofo"
echo "systemctl restart jitsi-videobridge2" echo "systemctl restart jitsi-videobridge2"

View file

@ -21,24 +21,13 @@ You will also need the `__jitsi_meet_domain` type in order to finish setting up
the web frontend (including TLS certificates) and its settings. the web frontend (including TLS certificates) and its settings.
You may want to use the `files/ufw` example manifest for a `__ufw`-based You may want to use the `files/ufw` example manifest for a `__ufw`-based
firewall compatible with this type that allows all ports needed by Jitsi-Meet. firewall compatible with this type.
Note however that this will not deal with rules for SSH or for TCP port 9888, This file does not include rules for TCP port 9888, which exposes the
which exposes the prometheus exporter if not disabled. prometheus exporter if not disabled.
Remember to apply your own rules here, particularly regarding SSH. You should apply your own rules here.
This type only works on De{bi,vu}an systems. This type only works on De{bi,vu}an systems.
It is very important for this type to stay up to date with the software, as
otherwise new deployments or maintenance of existing instances might be
negatively affected.
If you can, please contribute updates to `__jitsi_meet` and
`__jitsi_meet_domain` promptly and regularly.
Alternatively, you can help finance that work; get in touch with the type
authors for that (see below).
This type takes care of adapting the maximum memory used by jicofo and
videobridge in function of the hosts installed memory.
NOTE: This type currently does not deal with setting up coturn. NOTE: This type currently does not deal with setting up coturn.
For that, you might want to check `__coturn` in For that, you might want to check `__coturn` in
https://code.ungleich.ch/ungleich-public/cdist-contrib https://code.ungleich.ch/ungleich-public/cdist-contrib
@ -47,14 +36,6 @@ NOTE: This type currently does not deal with setting up coturn.
OPTIONAL PARAMETERS OPTIONAL PARAMETERS
------------------- -------------------
abort-conference-count
Only has an effect if the prometheus exporter is enabled and if it is not
empty (default).
If at least this many conferences are active on the server, the type will
bail out before making any changes.
This is useful if you want to avoid service disruptions due to e.g. an SLA.
turn-secret turn-secret
The shared secret for the TURN server. The shared secret for the TURN server.
@ -62,6 +43,11 @@ turn-server
The hostname of the TURN server. The hostname of the TURN server.
This will assume that it is listening with TLS on port 443. This will assume that it is listening with TLS on port 443.
jitsi-version
The jitsi-meet version of the Debian package to be installed.
While this can be specified, only the default value is known to work
properly with this type.
BOOLEAN PARAMETERS BOOLEAN PARAMETERS
------------------ ------------------
@ -84,11 +70,9 @@ EXAMPLES
.. code-block:: sh .. code-block:: sh
# Setup the firewall for Jitsi-Meet # Setup the firewall
. "${__global}/type/__jitsi_meet/files/ufw" . "${__global}/type/__jitsi_meet/files/ufw"
export require="__ufw" export require="__ufw"
# Setup firewall SSH rules as necessary
__ufw_rule ssh --rule 'allow 22/tcp from 10.0.0.0/24'
# Setup Jitsi on this host # Setup Jitsi on this host
__jitsi_meet \ __jitsi_meet \
--turn-server "turn.exo.cat" \ --turn-server "turn.exo.cat" \
@ -108,4 +92,4 @@ Evilham <contact@evilham.com>
COPYING COPYING
------- -------
Copyright \(C) 2022 Evilham. Copyright \(C) 2021 Evilham.

View file

@ -1,6 +1,7 @@
#!/bin/sh -e #!/bin/sh -e
os="$(cat "${__global}/explorer/os")" os="$(cat "${__global}/explorer/os")"
init="$(cat "${__global}/explorer/init")"
case "${os}" in case "${os}" in
devuan|debian) devuan|debian)
;; ;;
@ -10,37 +11,10 @@ case "${os}" in
;; ;;
esac esac
current_conferences="$(cat "${__object}/explorer/jitsi-status" | grep -E "^jitsi_conferences[[:space:]]" | cut -d ' ' -f 2)"
JICOFO_AUTHPASSWORD="$(cat "${__object}/explorer/jicofo-authpassword")"
if [ -z "${JICOFO_AUTHPASSWORD}" ]; then
# This is probably a first time installation, we'll generate the
# password which will be set in debconf by this type
# https://github.com/jitsi/jicofo/blob/aafb61b5363a1c4abdbf08e1444a6276b807993e/debian/postinst#L43
JICOFO_AUTHPASSWORD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 16)"
fi
ABORT_CONFERENCE_COUNT="$(cat "${__object}/parameter/abort-conference-count")"
if [ -n "${current_conferences}" ] && [ -n "${ABORT_CONFERENCE_COUNT}" ] && \
[ "${ABORT_CONFERENCE_COUNT}" -le "${current_conferences}" ]; then
cat <<-EOF
Early bail out was requested when at least ${ABORT_CONFERENCE_COUNT} conferences are taking place.
There are currently ${current_conferences} active conferences.
Try again at a later time or remove or increase --abort-conference-count
EOF
exit 1
fi
JITSI_HOST="${__target_host}" JITSI_HOST="${__target_host}"
if [ -f "${__object}/parameter/jitsi-version" ]; then # Currently unused, see below
# This has been deprecated and will be removed 'soon' # JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
else
# Note this won't be a parameter anymore, we won't let users stay behind
JITSI_VERSION="$(cat "${__type}/files/jitsi-version")"
fi
TURN_SERVER="$(cat "${__object}/parameter/turn-server")" TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
TURN_SECRET="$(cat "${__object}/parameter/turn-secret")" TURN_SECRET="$(cat "${__object}/parameter/turn-secret")"
@ -48,6 +22,8 @@ if [ -z "${TURN_SERVER}" ]; then
TURN_SERVER="${JITSI_HOST}" TURN_SERVER="${JITSI_HOST}"
fi fi
PROMETHEUS_JITSI_EXPORTER_IS_VERSION="$(cat "${__object}/explorer/prometheus-jitsi-meet-explorer-version")"
# The rest is loosely based on Jitsi's documentation # The rest is loosely based on Jitsi's documentation
# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart # https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart
@ -79,12 +55,11 @@ __debconf_set_selections jitsi_meet --line "${DEBCONF_SETTINGS}"
export require="${require} __debconf_set_selections/jitsi_meet" export require="${require} __debconf_set_selections/jitsi_meet"
# Install and upgrade packages as needed # Install and upgrade packages as needed
# NOTE: we are doing version pinning again, but it breaks sometimes when __package_apt jitsi-meet
# We are not doing version pinning anymore because it breaks when
# the version is not the latest. # the version is not the latest.
# This happens because dependencies might not be properly resolved. # This happens because dependencies cannot be properly resolved.
# To avoid this, this type must be maintained up to date. # --version "${JITSI_VERSION}"
# If we don't use this, keeping Jitsi's up to date is very difficult.
__package_apt jitsi-meet --version "${JITSI_VERSION}"
# Proceed only after installation/upgrade has finished # Proceed only after installation/upgrade has finished
export require="__package_apt/jitsi-meet" export require="__package_apt/jitsi-meet"
@ -149,9 +124,8 @@ require="__directory${NGINX_ETC}/sites-available" __file "${NGINX_ETC}/sites-ava
server_names_hash_bucket_size 64; server_names_hash_bucket_size 64;
types { types {
# nginx's default mime.types doesn't include a mapping for wasm or wav. # nginx's default mime.types doesn't include a mapping for wasm
application/wasm wasm; application/wasm wasm;
audio/wav wav;
} }
server { server {
@ -175,157 +149,95 @@ server {
} }
EOF EOF
# Starting from 2.0.7210, jitsi defines following nginx upstreams
__directory "${NGINX_ETC}/conf.d" --state present
require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/prosody.conf" \
--mode 644 \
--source - << EOF
upstream prosody {
zone upstreams 64K;
server 127.0.0.1:5280;
keepalive 2;
}
EOF
require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/jvb1.conf" \
--mode 644 \
--source - << EOF
upstream jvb1 {
zone upstreams 64K;
server 127.0.0.1:9090;
keepalive 2;
}
EOF
require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/jicofo.conf" \
--mode 644 \
--source - << EOF
upstream jicofo {
zone upstreams 64K;
server 127.0.0.1:8888;
keepalive 2;
}
EOF
if [ -f "${__object}/parameter/secured-domains" ]; then if [ -f "${__object}/parameter/secured-domains" ]; then
SECURED_DOMAINS_STATE='present' SECURED_DOMAINS_STATE='present'
SECURED_DOMAINS_STATE_JICOFO='present'
else else
SECURED_DOMAINS_STATE='absent' SECURED_DOMAINS_STATE='absent'
SECURED_DOMAINS_STATE_JICOFO='absent'
fi fi
# This is the main host config __file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
PROSODY_MAIN_CONFIG="YES" --owner prosody --group prosody --mode 0440 \
# Prosody settings for common components (jvb, focus, ...) --state ${SECURED_DOMAINS_STATE} \
# shellcheck source=type/__jitsi_meet/files/prosody.cfg.lua.sh
. "${__type}/files/prosody.cfg.lua.sh" # This defines PROSODY_CONFIG
__file "/etc/prosody/conf.d/00_jitsi_base.cfg.lua" \
--group prosody \
--mode 0440 \
--source - <<EOF --source - <<EOF
${PROSODY_CONFIG} VirtualHost "${JITSI_HOST}"
authentication = "internal_plain"
VirtualHost "guest.${JITSI_HOST}"
authentication = "anonymous"
c2s_require_encryption = false
EOF EOF
# Clean up zauth.cfg.lua file, which we don't use now __block jitsi_jicofo_secured_domains \
__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \ --prefix "// begin cdist: jicofo_secured_domains" \
--state absent --suffix "// end cdist: jicofo_secured_domains" \
--file /etc/jitsi/jicofo/jicofo.conf \
export SECURED_DOMAINS_STATE --state "${SECURED_DOMAINS_STATE_JICOFO}" \
export JITSI_HOST --text '-' <<EOF
export JICOFO_AUTHPASSWORD authentication: {
"${__type}/files/jicofo.conf.sh" | \ enabled: true
__file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-' type: XMPP
login-url: ${JITSI_HOST}
# Enable the private colibri REST API end point for better stats
__file "/etc/jitsi/videobridge/jvb.conf" --mode 0444 --source '-' <<EOFJVB
videobridge {
http-servers {
public {
port = 9090
} }
private {
port = 8080
}
}
websockets {
enabled = true
domain = "${JITSI_HOST}:443"
tls = true
}
apis {
rest {
enabled = true
}
}
cc {
trust-bwe = false
}
}
EOFJVB
# Enable simple per-domain body customisation
__file "/usr/share/jitsi-meet/body.html" \
--mode 0644 \
--source '-' <<EOF
<!--#include virtual="body-\${host}.html" -->
EOF EOF
# These two should be changed on new release # These two should be changed on new release
EXPORTER_VERSION="1.2.1" PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5"
EXPORTER_CHECKSUM="sha256:46d4b8475b72fd7632a5203f1cc3c7067bed4629902b7780a1da85e4e06c2129" PROMETHEUS_JITSI_EXPORTER_CHECKSUM="sha256:3ddf43a48d9a2f62be1bc6db9e7ba75d61994f9423e5c5b28be019f41f06f745"
EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${EXPORTER_VERSION}/prometheus-jitsi-meet-exporter_${EXPORTER_VERSION}_linux_amd64.tar.gz" PROMETHEUS_JITSI_EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}/prometheus-jitsi-meet-exporter-linux-amd64"
if [ -f "${__object}/parameter/disable-prometheus-exporter" ]; then PROMETHEUS_JITSI_EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version"
EXPORTER_STATE="absent" if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then
else case "${init}" in
EXPORTER_STATE="present" init|sysvinit)
fi __runit
__single_binary_service prometheus-jitsi-meet-exporter \ require="__runit" __runit_service \
--state "${EXPORTER_STATE}" \ prometheus-jitsi-meet-exporter --log --source - <<EOF
--do-not-manage-user \ #!/bin/sh -e
--user "nobody" \ cd /tmp
--group "nogroup" \ exec chpst -u "nobody:nogroup" env HOME="/tmp" \\
--version "${EXPORTER_VERSION}" \ prometheus-jitsi-meet-exporter \\
--checksum "${EXPORTER_CHECKSUM}" \ -videobridge-url 'http://localhost:8888/stats' \\
--url "${EXPORTER_URL}" \ -web.listen-address ':9888' 2>&1
--unpack \
--service-args "-videobridge-url 'http://localhost:8080/colibri/stats' -web.listen-address ':9888'"
#
# Setup interpreter assets if requested
# See: https://gitlab.com/mfmt/jsi/
#
jsi_updated_on="2022-04-21"
__link "/usr/share/jitsi-meet/interpreters.html" \
--type symbolic \
--source "/opt/jsi/static/index.html.sample"
__directory /opt/jsi --mode 0755
export require="__directory/opt/jsi"
__download /opt/jsi/jsi.tar.gz \
--url 'https://gitlab.com/mfmt/jsi/-/archive/1d2cceaf615ee61c0bba80e5bddc61c5d1018303/jsi-1d2cceaf615ee61c0bba80e5bddc61c5d1018303.tar.gz' \
--sum "sha256:b020141093daa9937507b098f358d0be994834c3e23866a457fc5140415a0c53"
export require="__download/opt/jsi/jsi.tar.gz"
__unpack /opt/jsi/jsi.tar.gz \
--preserve-archive \
--tar-strip 1 \
--destination /opt/jsi/static \
--onchange "$(cat <<EOF
# Patch style.css to be served on /i/
sed -i.tmp -E \
-e 's!url[(]/img/welcome-background.png[)]!url(/i/img/welcome-background.png)!' \
/opt/jsi/static/style.css
# Patch jsi.js to be served on /i/
# and so it always uses the domain it's served from
# and so it uses /i/ROOM for the form
sed -i.tmp -E \
-e 's!substr[(][0-9]+[)]!substr(3)!' \
-e 's!config[.]jitsimeet_url!url.host!' \
-e 's!(window[.]location[.]href)[[:space:]]*=[[:space:]]*"/"!\1 = "/i/"!' \
/opt/jsi/static/jsi.js
# Patch the sample index.html, so it loads external_api.js from same host
# and to easen up on the branding
# and to enable browser cache
sed -i.tmp -E \
-e "s!src=[^>]*(/external_api.js).!src='\1'!" \
-e "s!<h1>[^<]*</h1>!<h1>Jitsi Meetings with interpreter</h1>!" \
-e "s!https://meet.mayfirst.org!/!" \
-e "s!(style.css|jsi.js)([^?])!\1?v=${jsi_updated_on:?}\2!" \
/opt/jsi/static/index.html.sample
EOF EOF
)"
export require="__runit_service/prometheus-jitsi-meet-exporter"
JITSI_MEET_EXPORTER_SERVICE="sv %s prometheus-jitsi-meet-exporter"
;;
systemd)
__systemd_unit prometheus-jitsi-meet-exporter.service \
--source "-" \
--enablement-state "enabled" <<EOF
[Unit]
Description=Metrics Exporter for Jitsi Meet
After=network.target
[Service]
Type=simple
DynamicUser=yes
ExecStart=/usr/local/bin/prometheus-jitsi-meet-exporter -videobridge-url 'http://localhost:8888/stats' -web.listen-address ':9888'
Restart=always
[Install]
WantedBy=multi-user.target
EOF
export require="__systemd_unit/prometheus-jitsi-meet-exporter.service"
JITSI_MEET_EXPORTER_SERVICE="service prometheus-jitsi-meet-exporter %s"
;;
esac
if [ "${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}" != \
"${PROMETHEUS_JITSI_EXPORTER_IS_VERSION}" ]; then
# shellcheck disable=SC2059
__download \
/tmp/prometheus-jitsi-meet-exporter \
--url "${PROMETHEUS_JITSI_EXPORTER_URL}" \
--download remote \
--sum "${PROMETHEUS_JITSI_EXPORTER_CHECKSUM}" \
--onchange "$(printf "${JITSI_MEET_EXPORTER_SERVICE}" "stop") || true; chmod 555 /tmp/prometheus-jitsi-meet-exporter && mv /tmp/prometheus-jitsi-meet-exporter /usr/local/bin/prometheus-jitsi-meet-exporter && $(printf "${JITSI_MEET_EXPORTER_SERVICE}" "restart")"
printf "%s" "${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}" | \
require="${require} __download/tmp/prometheus-jitsi-meet-exporter" __file \
"${PROMETHEUS_JITSI_EXPORTER_VERSION_FILE}" \
--source "-"
fi
fi
# TODO: disable the exporter if it is deployed and then admin changes their mind

View file

@ -0,0 +1 @@
2.0.7001-1

View file

@ -1,4 +0,0 @@
Supporting different versions lead to strange issues in the life-time of a
Jitsi instance. Chiefly: difficulties upgrading.
If you are specifying this for a valid reason, please get in touch.

View file

@ -1,4 +1,3 @@
abort-conference-count
jitsi-version jitsi-version
turn-secret turn-secret
turn-server turn-server

View file

@ -7,7 +7,7 @@
# We could automate this, but are using it as an indicator for the # We could automate this, but are using it as an indicator for the
# latest branch with which we conciliated changes. # latest branch with which we conciliated changes.
BRANCH="jitsi-meet_9457" BRANCH="jitsi-meet_7001"
REPO="https://github.com/jitsi/jitsi-meet" REPO="https://github.com/jitsi/jitsi-meet"
get_url() { get_url() {
@ -28,8 +28,3 @@ download_file() {
download_file config.js download_file config.js
download_file interface_config.js download_file interface_config.js
download_file doc/debian/jitsi-meet/jitsi-meet.example nginx.sh.orig download_file doc/debian/jitsi-meet/jitsi-meet.example nginx.sh.orig
download_file doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example prosody.cfg.lua.sh.orig
# Change the version file, maintainers should check that it matches
# the deb version
printf "2.0.%s-1" "${BRANCH#*_}" > jitsi-version

File diff suppressed because it is too large Load diff

File diff suppressed because it is too large Load diff

View file

@ -20,7 +20,7 @@ JITSI_INTERFACE_CONFIG_JS="$(cat <<EOF
*/ */
var interfaceConfig = { var interfaceConfig = {
APP_NAME: '${BRANDING_APP_NAME}', APP_NAME: 'Jitsi Meet',
AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)', AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)',
AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)', AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)',
@ -38,6 +38,7 @@ var interfaceConfig = {
CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
DEFAULT_BACKGROUND: '#040404', DEFAULT_BACKGROUND: '#040404',
DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
DEFAULT_WELCOME_PAGE_LOGO_URL: '${BRANDING_WATERMARK_PATH}', DEFAULT_WELCOME_PAGE_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
DISABLE_DOMINANT_SPEAKER_INDICATOR: false, DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
@ -81,13 +82,17 @@ var interfaceConfig = {
ENABLE_DIAL_OUT: true, ENABLE_DIAL_OUT: true,
// DEPRECATED. Animation no longer supported. ENABLE_FEEDBACK_ANIMATION: false, // Enables feedback star animation.
// ENABLE_FEEDBACK_ANIMATION: false,
FILM_STRIP_MAX_HEIGHT: 120, FILM_STRIP_MAX_HEIGHT: 120,
GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true, GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
/**
* Hide the logo on the deep linking pages.
*/
HIDE_DEEP_LINKING_LOGO: false,
/** /**
* Hide the invite prompt in the header when alone in the meeting. * Hide the invite prompt in the header when alone in the meeting.
*/ */
@ -96,6 +101,7 @@ var interfaceConfig = {
JITSI_WATERMARK_LINK: 'https://jitsi.org', JITSI_WATERMARK_LINK: 'https://jitsi.org',
LANG_DETECTION: true, // Allow i18n to detect the system language LANG_DETECTION: true, // Allow i18n to detect the system language
LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature.
LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9 LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
/** /**
@ -115,11 +121,28 @@ var interfaceConfig = {
*/ */
MOBILE_APP_PROMO: true, MOBILE_APP_PROMO: true,
/**
* Specify custom URL for downloading android mobile app.
*/
MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
/**
* Specify custom URL for downloading f droid app.
*/
MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
/**
* Specify URL for downloading ios mobile app.
*/
MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
NATIVE_APP_NAME: 'Jitsi Meet',
// Names of browsers which should show a warning stating the current browser // Names of browsers which should show a warning stating the current browser
// has a suboptimal experience. Browsers which are not listed as optimal or // has a suboptimal experience. Browsers which are not listed as optimal or
// unsupported are considered suboptimal. Valid values are: // unsupported are considered suboptimal. Valid values are:
// chrome, chromium, electron, firefox , safari, webkit // chrome, chromium, edge, electron, firefox, nwjs, opera, safari
OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'electron', 'safari', 'webkit' ], OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron', 'safari' ],
POLICY_LOGO: null, POLICY_LOGO: null,
PROVIDER_NAME: 'Jitsi', PROVIDER_NAME: 'Jitsi',
@ -132,7 +155,7 @@ var interfaceConfig = {
RECENT_LIST_ENABLED: true, RECENT_LIST_ENABLED: true,
REMOTE_THUMBNAIL_RATIO: 1, // 1:1 REMOTE_THUMBNAIL_RATIO: 1, // 1:1
SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds', 'more' ], SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds' ],
/** /**
* Specify which sharing features should be displayed. If the value is not set * Specify which sharing features should be displayed. If the value is not set
@ -149,6 +172,7 @@ var interfaceConfig = {
*/ */
SHOW_CHROME_EXTENSION_BANNER: false, SHOW_CHROME_EXTENSION_BANNER: false,
SHOW_DEEP_LINKING_IMAGE: false,
SHOW_JITSI_WATERMARK: true, SHOW_JITSI_WATERMARK: true,
SHOW_POWERED_BY: false, SHOW_POWERED_BY: false,
SHOW_PROMOTIONAL_CLOSE_PAGE: false, SHOW_PROMOTIONAL_CLOSE_PAGE: false,
@ -189,31 +213,6 @@ var interfaceConfig = {
*/ */
// TILE_VIEW_MAX_COLUMNS: 5, // TILE_VIEW_MAX_COLUMNS: 5,
// List of undocumented settings
/**
INDICATOR_FONT_SIZES
PHONE_NUMBER_REGEX
*/
// -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
/**
* Specify URL for downloading ios mobile app.
*/
// MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
/**
* Specify custom URL for downloading android mobile app.
*/
// MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
/**
* Specify mobile app scheme for opening the app from the mobile browser.
*/
// APP_SCHEME: 'org.jitsi.meet',
// NATIVE_APP_NAME: 'Jitsi Meet',
/** /**
* Specify Firebase dynamic link properties for the mobile apps. * Specify Firebase dynamic link properties for the mobile apps.
*/ */
@ -226,19 +225,22 @@ var interfaceConfig = {
// }, // },
/** /**
* Hide the logo on the deep linking pages. * Specify mobile app scheme for opening the app from the mobile browser.
*/ */
// HIDE_DEEP_LINKING_LOGO: false, // APP_SCHEME: 'org.jitsi.meet',
/** /**
* Specify the Android app package name. * Specify the Android app package name.
*/ */
// ANDROID_APP_PACKAGE: 'org.jitsi.meet', // ANDROID_APP_PACKAGE: 'org.jitsi.meet',
// List of undocumented settings
/** /**
* Specify custom URL for downloading f droid app. INDICATOR_FONT_SIZES
PHONE_NUMBER_REGEX
*/ */
// MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
// -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
// Connection indicators ( // Connection indicators (
// CONNECTION_INDICATOR_AUTO_HIDE_ENABLED, // CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,
@ -251,19 +253,12 @@ var interfaceConfig = {
// Please use defaultLocalDisplayName from config.js // Please use defaultLocalDisplayName from config.js
// DEFAULT_LOCAL_DISPLAY_NAME: 'me', // DEFAULT_LOCAL_DISPLAY_NAME: 'me',
// Please use defaultLogoUrl from config.js
DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
// Please use defaultRemoteDisplayName from config.js // Please use defaultRemoteDisplayName from config.js
// DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster', // DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
// Moved to config.js as \`toolbarConfig.initialTimeout\`. // Moved to config.js as \`toolbarConfig.initialTimeout\`.
// INITIAL_TOOLBAR_TIMEOUT: 20000, // INITIAL_TOOLBAR_TIMEOUT: 20000,
// Moved to config.js as \`toolbarConfig.alwaysVisible\`.
// Documentation reference for the live streaming feature.
// LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live',
// Moved to config.js as \`toolbarConfig.alwaysVisible\`. // Moved to config.js as \`toolbarConfig.alwaysVisible\`.
// TOOLBAR_ALWAYS_VISIBLE: false, // TOOLBAR_ALWAYS_VISIBLE: false,

View file

@ -27,6 +27,7 @@ var interfaceConfig = {
CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
DEFAULT_BACKGROUND: '#040404', DEFAULT_BACKGROUND: '#040404',
DEFAULT_LOGO_URL: 'images/watermark.svg',
DEFAULT_WELCOME_PAGE_LOGO_URL: 'images/watermark.svg', DEFAULT_WELCOME_PAGE_LOGO_URL: 'images/watermark.svg',
DISABLE_DOMINANT_SPEAKER_INDICATOR: false, DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
@ -70,13 +71,17 @@ var interfaceConfig = {
ENABLE_DIAL_OUT: true, ENABLE_DIAL_OUT: true,
// DEPRECATED. Animation no longer supported. ENABLE_FEEDBACK_ANIMATION: false, // Enables feedback star animation.
// ENABLE_FEEDBACK_ANIMATION: false,
FILM_STRIP_MAX_HEIGHT: 120, FILM_STRIP_MAX_HEIGHT: 120,
GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true, GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
/**
* Hide the logo on the deep linking pages.
*/
HIDE_DEEP_LINKING_LOGO: false,
/** /**
* Hide the invite prompt in the header when alone in the meeting. * Hide the invite prompt in the header when alone in the meeting.
*/ */
@ -85,6 +90,7 @@ var interfaceConfig = {
JITSI_WATERMARK_LINK: 'https://jitsi.org', JITSI_WATERMARK_LINK: 'https://jitsi.org',
LANG_DETECTION: true, // Allow i18n to detect the system language LANG_DETECTION: true, // Allow i18n to detect the system language
LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature.
LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9 LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
/** /**
@ -104,11 +110,28 @@ var interfaceConfig = {
*/ */
MOBILE_APP_PROMO: true, MOBILE_APP_PROMO: true,
/**
* Specify custom URL for downloading android mobile app.
*/
MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
/**
* Specify custom URL for downloading f droid app.
*/
MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
/**
* Specify URL for downloading ios mobile app.
*/
MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
NATIVE_APP_NAME: 'Jitsi Meet',
// Names of browsers which should show a warning stating the current browser // Names of browsers which should show a warning stating the current browser
// has a suboptimal experience. Browsers which are not listed as optimal or // has a suboptimal experience. Browsers which are not listed as optimal or
// unsupported are considered suboptimal. Valid values are: // unsupported are considered suboptimal. Valid values are:
// chrome, chromium, electron, firefox , safari, webkit // chrome, chromium, edge, electron, firefox, nwjs, opera, safari
OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'electron', 'safari', 'webkit' ], OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron', 'safari' ],
POLICY_LOGO: null, POLICY_LOGO: null,
PROVIDER_NAME: 'Jitsi', PROVIDER_NAME: 'Jitsi',
@ -121,7 +144,7 @@ var interfaceConfig = {
RECENT_LIST_ENABLED: true, RECENT_LIST_ENABLED: true,
REMOTE_THUMBNAIL_RATIO: 1, // 1:1 REMOTE_THUMBNAIL_RATIO: 1, // 1:1
SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds', 'more' ], SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds' ],
/** /**
* Specify which sharing features should be displayed. If the value is not set * Specify which sharing features should be displayed. If the value is not set
@ -138,6 +161,7 @@ var interfaceConfig = {
*/ */
SHOW_CHROME_EXTENSION_BANNER: false, SHOW_CHROME_EXTENSION_BANNER: false,
SHOW_DEEP_LINKING_IMAGE: false,
SHOW_JITSI_WATERMARK: true, SHOW_JITSI_WATERMARK: true,
SHOW_POWERED_BY: false, SHOW_POWERED_BY: false,
SHOW_PROMOTIONAL_CLOSE_PAGE: false, SHOW_PROMOTIONAL_CLOSE_PAGE: false,
@ -178,31 +202,6 @@ var interfaceConfig = {
*/ */
// TILE_VIEW_MAX_COLUMNS: 5, // TILE_VIEW_MAX_COLUMNS: 5,
// List of undocumented settings
/**
INDICATOR_FONT_SIZES
PHONE_NUMBER_REGEX
*/
// -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
/**
* Specify URL for downloading ios mobile app.
*/
// MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
/**
* Specify custom URL for downloading android mobile app.
*/
// MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
/**
* Specify mobile app scheme for opening the app from the mobile browser.
*/
// APP_SCHEME: 'org.jitsi.meet',
// NATIVE_APP_NAME: 'Jitsi Meet',
/** /**
* Specify Firebase dynamic link properties for the mobile apps. * Specify Firebase dynamic link properties for the mobile apps.
*/ */
@ -215,19 +214,22 @@ var interfaceConfig = {
// }, // },
/** /**
* Hide the logo on the deep linking pages. * Specify mobile app scheme for opening the app from the mobile browser.
*/ */
// HIDE_DEEP_LINKING_LOGO: false, // APP_SCHEME: 'org.jitsi.meet',
/** /**
* Specify the Android app package name. * Specify the Android app package name.
*/ */
// ANDROID_APP_PACKAGE: 'org.jitsi.meet', // ANDROID_APP_PACKAGE: 'org.jitsi.meet',
// List of undocumented settings
/** /**
* Specify custom URL for downloading f droid app. INDICATOR_FONT_SIZES
PHONE_NUMBER_REGEX
*/ */
// MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
// -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
// Connection indicators ( // Connection indicators (
// CONNECTION_INDICATOR_AUTO_HIDE_ENABLED, // CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,
@ -240,19 +242,12 @@ var interfaceConfig = {
// Please use defaultLocalDisplayName from config.js // Please use defaultLocalDisplayName from config.js
// DEFAULT_LOCAL_DISPLAY_NAME: 'me', // DEFAULT_LOCAL_DISPLAY_NAME: 'me',
// Please use defaultLogoUrl from config.js
// DEFAULT_LOGO_URL: 'images/watermark.svg',
// Please use defaultRemoteDisplayName from config.js // Please use defaultRemoteDisplayName from config.js
// DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster', // DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
// Moved to config.js as `toolbarConfig.initialTimeout`. // Moved to config.js as `toolbarConfig.initialTimeout`.
// INITIAL_TOOLBAR_TIMEOUT: 20000, // INITIAL_TOOLBAR_TIMEOUT: 20000,
// Please use `liveStreaming.helpLink` from config.js
// Documentation reference for the live streaming feature.
// LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live',
// Moved to config.js as `toolbarConfig.alwaysVisible`. // Moved to config.js as `toolbarConfig.alwaysVisible`.
// TOOLBAR_ALWAYS_VISIBLE: false, // TOOLBAR_ALWAYS_VISIBLE: false,

View file

@ -1 +0,0 @@
2.0.9457-1

View file

@ -7,36 +7,8 @@ JITSI_NGINX_CONFIG="$(cat <<EOF
#server_names_hash_bucket_size 64; #server_names_hash_bucket_size 64;
# #
#types { #types {
## nginx's default mime.types doesn't include a mapping for wasm or wav. ## nginx's default mime.types doesn't include a mapping for wasm
# application/wasm wasm; # application/wasm wasm;
# audio/wav wav;
#}
# These upstreams are managed by __jitsi_meet
#upstream jicofo {
# zone upstreams 64K;
# server 127.0.0.1:8888;
# keepalive 2;
#}
#upstream prosody {
# zone upstreams 64K;
# server 127.0.0.1:5280;
# keepalive 2;
#}
#upstream jvb1 {
# zone upstreams 64K;
# server 127.0.0.1:9090;
# keepalive 2;
#}
#map \$arg_vnode \$prosody_node {
# default prosody;
# v1 v1;
# v2 v2;
# v3 v3;
# v4 v4;
# v5 v5;
# v6 v6;
# v7 v7;
# v8 v8;
#} #}
server { server {
listen 80; listen 80;
@ -50,8 +22,8 @@ server {
} }
} }
server { server {
listen 443 ssl http2; listen 443 ssl;
listen [::]:443 ssl http2; listen [::]:443 ssl;
server_name ${DOMAIN}; server_name ${DOMAIN};
include snippets/acme-challenge.conf; include snippets/acme-challenge.conf;
@ -67,10 +39,6 @@ server {
add_header Strict-Transport-Security "max-age=63072000" always; add_header Strict-Transport-Security "max-age=63072000" always;
set \$prefix ""; set \$prefix "";
# Try the custom page for this domain, fallback to default page
set \$custom_index "index-${DOMAIN}.html";
# We expect this domain to be properly configured, the file should exist
set \$config_js_location "/etc/jitsi/meet/${DOMAIN}-config.js";
ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem; ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
@ -82,7 +50,7 @@ server {
ssi_types application/x-javascript application/javascript; ssi_types application/x-javascript application/javascript;
# Try the custom page for this domain, fallback to default page # Try the custom page for this domain, fallback to default page
index \$custom_index index.html index.htm; index index-${DOMAIN}.html index.html index.htm;
error_page 404 /static/404.html; error_page 404 /static/404.html;
gzip on; gzip on;
@ -91,10 +59,9 @@ server {
gzip_proxied no-cache no-store private expired auth; gzip_proxied no-cache no-store private expired auth;
gzip_min_length 512; gzip_min_length 512;
# include /etc/jitsi/meet/jaas/*.conf; # We expect this domain to be properly configured, the file should exist
location = /config.js { location = /config.js {
alias \$config_js_location; alias /etc/jitsi/meet/${DOMAIN}-config.js;
} }
# We expect this domain to be properly configured, the file should exist # We expect this domain to be properly configured, the file should exist
location = /interface_config.js { location = /interface_config.js {
@ -113,20 +80,8 @@ server {
alias /usr/share/jitsi-meet/libs/external_api.min.js; alias /usr/share/jitsi-meet/libs/external_api.min.js;
} }
location = /_api/room-info {
proxy_pass http://prosody/room-info?prefix=\$prefix&\$args;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For \$remote_addr;
proxy_set_header Host \$http_host;
}
location ~ ^/_api/public/(.*)\$ {
autoindex off;
alias /etc/jitsi/meet/public/\$1;
}
# ensure all static content can always be found first # ensure all static content can always be found first
location ~ ^/(libs|css|static|images|fonts|lang|sounds|.well-known)/(.*)\$ location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)\$
{ {
add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Origin' '*';
alias /usr/share/jitsi-meet/\$1/\$2; alias /usr/share/jitsi-meet/\$1/\$2;
@ -137,48 +92,32 @@ server {
} }
} }
# Paths for jsi / interpreters
location ~ ^/i/(img/[^./]*.png|jsi.js|style.css)$
{
add_header 'Access-Control-Allow-Origin' '*';
alias /opt/jsi/static/\$1;
# cache all versioned files
if (\$arg_v) {
expires 1y;
}
}
location ~ ^/i/
{
try_files /${DOMAIN}-interpreters.html /interpreters.html \$uri;
}
# BOSH # BOSH
location = /http-bind { location = /http-bind {
proxy_pass http://prosody/http-bind?prefix=\$prefix&\$args; # We are using 127.0.0.1, because we are not specifying a resolver
proxy_http_version 1.1; # otherwise nginx will fail to resolve 'localhost'
proxy_pass http://127.0.0.1:5280/http-bind?prefix=\$prefix&\$args;
proxy_set_header X-Forwarded-For \$remote_addr; proxy_set_header X-Forwarded-For \$remote_addr;
# Prevision for 'multi-domain' jitsi instances # Prevision for 'multi-domain' jitsi instances
# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391 # https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
proxy_set_header Host ${DOMAIN}; proxy_set_header Host ${JITSI_HOST};
proxy_set_header Connection "";
} }
# xmpp websockets # xmpp websockets
location = /xmpp-websocket { location = /xmpp-websocket {
proxy_pass http://prosody/xmpp-websocket?prefix=\$prefix&\$args; proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=\$prefix&\$args;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade; proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
# Prevision for 'multi-domain' jitsi instances # Prevision for 'multi-domain' jitsi instances
# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391 # https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
proxy_set_header Host ${DOMAIN}; proxy_set_header Host ${JITSI_HOST};
tcp_nodelay on; tcp_nodelay on;
} }
# colibri (JVB) websockets for jvb1 # colibri (JVB) websockets for jvb1
location ~ ^/colibri-ws/default-id/(.*) { location ~ ^/colibri-ws/default-id/(.*) {
proxy_pass http://jvb1/colibri-ws/default-id/\$1\$is_args\$args; proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/\$1\$is_args\$args;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade; proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
@ -194,22 +133,11 @@ server {
# alias /usr/share/jitsi-meet/load-test/libs/\$1; # alias /usr/share/jitsi-meet/load-test/libs/\$1;
#} #}
location ~ ^/conference-request/v1([/].*)?\$ {
proxy_pass http://jicofo/conference-request/v1\$1;
add_header "Cache-Control" "no-cache, no-store";
add_header 'Access-Control-Allow-Origin' '*';
}
location ~ ^/([^/?&:'"]+)/conference-request/v1([/].*)?\$ {
rewrite ^/([^/?&:'"]+)/conference-request/v1([/].*)?\$ /conference-request/v1\$2;
}
location ~ ^/([^/?&:'"]+)\$ { location ~ ^/([^/?&:'"]+)\$ {
set \$roomname "\$1";
try_files \$uri @root_path; try_files \$uri @root_path;
} }
location @root_path { location @root_path {
# rewrite ^/(.*)\$ /\$custom_index break;
rewrite ^/(.*)\$ / break; rewrite ^/(.*)\$ / break;
} }
@ -218,16 +146,9 @@ server {
set \$subdomain "\$1."; set \$subdomain "\$1.";
set \$subdir "\$1/"; set \$subdir "\$1/";
alias \$config_js_location; alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
} }
## Matches /(TENANT)/pwa-worker.js or /(TENANT)/manifest.json to rewrite to / and look for file
#location ~ ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)\$ {
# set \$subdomain "\$1.";
# set \$subdir "\$1/";
# rewrite ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)\$ /\$2;
#}
# BOSH for subdomains # BOSH for subdomains
location ~ ^/([^/?&:'"]+)/http-bind { location ~ ^/([^/?&:'"]+)/http-bind {
set \$subdomain "\$1."; set \$subdomain "\$1.";
@ -246,14 +167,6 @@ server {
rewrite ^/(.*)\$ /xmpp-websocket; rewrite ^/(.*)\$ /xmpp-websocket;
} }
location ~ ^/([^/?&:'"]+)/_api/room-info {
set \$subdomain "\$1.";
set \$subdir "\$1/";
set \$prefix "\$1";
rewrite ^/(.*)\$ /_api/room-info;
}
# Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to / # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
location ~ ^/([^/?&:'"]+)/(.*)\$ { location ~ ^/([^/?&:'"]+)/(.*)\$ {
set \$subdomain "\$1."; set \$subdomain "\$1.";

View file

@ -1,30 +1,8 @@
server_names_hash_bucket_size 64; server_names_hash_bucket_size 64;
types { types {
# nginx's default mime.types doesn't include a mapping for wasm or wav. # nginx's default mime.types doesn't include a mapping for wasm
application/wasm wasm; application/wasm wasm;
audio/wav wav;
}
upstream prosody {
zone upstreams 64K;
server 127.0.0.1:5280;
keepalive 2;
}
upstream jvb1 {
zone upstreams 64K;
server 127.0.0.1:9090;
keepalive 2;
}
map $arg_vnode $prosody_node {
default prosody;
v1 v1;
v2 v2;
v3 v3;
v4 v4;
v5 v5;
v6 v6;
v7 v7;
v8 v8;
} }
server { server {
listen 80; listen 80;
@ -43,8 +21,8 @@ server {
} }
} }
server { server {
listen 443 ssl http2; listen 443 ssl;
listen [::]:443 ssl http2; listen [::]:443 ssl;
server_name jitsi-meet.example.com; server_name jitsi-meet.example.com;
# Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
@ -58,8 +36,6 @@ server {
add_header Strict-Transport-Security "max-age=63072000" always; add_header Strict-Transport-Security "max-age=63072000" always;
set $prefix ""; set $prefix "";
set $custom_index "";
set $config_js_location /etc/jitsi/meet/jitsi-meet.example.com-config.js;
ssl_certificate /etc/jitsi/meet/jitsi-meet.example.com.crt; ssl_certificate /etc/jitsi/meet/jitsi-meet.example.com.crt;
ssl_certificate_key /etc/jitsi/meet/jitsi-meet.example.com.key; ssl_certificate_key /etc/jitsi/meet/jitsi-meet.example.com.key;
@ -79,30 +55,16 @@ server {
gzip_proxied no-cache no-store private expired auth; gzip_proxied no-cache no-store private expired auth;
gzip_min_length 512; gzip_min_length 512;
include /etc/jitsi/meet/jaas/*.conf;
location = /config.js { location = /config.js {
alias $config_js_location; alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
} }
location = /external_api.js { location = /external_api.js {
alias /usr/share/jitsi-meet/libs/external_api.min.js; alias /usr/share/jitsi-meet/libs/external_api.min.js;
} }
location = /_api/room-info {
proxy_pass http://prosody/room-info?prefix=$prefix&$args;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
}
location ~ ^/_api/public/(.*)$ {
autoindex off;
alias /etc/jitsi/meet/public/$1;
}
# ensure all static content can always be found first # ensure all static content can always be found first
location ~ ^/(libs|css|static|images|fonts|lang|sounds|.well-known)/(.*)$ location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
{ {
add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Origin' '*';
alias /usr/share/jitsi-meet/$1/$2; alias /usr/share/jitsi-meet/$1/$2;
@ -115,16 +77,14 @@ server {
# BOSH # BOSH
location = /http-bind { location = /http-bind {
proxy_pass http://$prosody_node/http-bind?prefix=$prefix&$args; proxy_pass http://127.0.0.1:5280/http-bind?prefix=$prefix&$args;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header Connection "";
} }
# xmpp websockets # xmpp websockets
location = /xmpp-websocket { location = /xmpp-websocket {
proxy_pass http://$prosody_node/xmpp-websocket?prefix=$prefix&$args; proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
@ -134,7 +94,7 @@ server {
# colibri (JVB) websockets for jvb1 # colibri (JVB) websockets for jvb1
location ~ ^/colibri-ws/default-id/(.*) { location ~ ^/colibri-ws/default-id/(.*) {
proxy_pass http://jvb1/colibri-ws/default-id/$1$is_args$args; proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/$1$is_args$args;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
@ -150,22 +110,12 @@ server {
# alias /usr/share/jitsi-meet/load-test/libs/$1; # alias /usr/share/jitsi-meet/load-test/libs/$1;
#} #}
location ~ ^/conference-request/v1(\/.*)?$ {
proxy_pass http://127.0.0.1:8888/conference-request/v1$1;
add_header "Cache-Control" "no-cache, no-store";
add_header 'Access-Control-Allow-Origin' '*';
}
location ~ ^/([^/?&:'"]+)/conference-request/v1(\/.*)?$ {
rewrite ^/([^/?&:'"]+)/conference-request/v1(\/.*)?$ /conference-request/v1$2;
}
location ~ ^/([^/?&:'"]+)$ { location ~ ^/([^/?&:'"]+)$ {
set $roomname "$1";
try_files $uri @root_path; try_files $uri @root_path;
} }
location @root_path { location @root_path {
rewrite ^/(.*)$ /$custom_index break; rewrite ^/(.*)$ / break;
} }
location ~ ^/([^/?&:'"]+)/config.js$ location ~ ^/([^/?&:'"]+)/config.js$
@ -173,14 +123,7 @@ server {
set $subdomain "$1."; set $subdomain "$1.";
set $subdir "$1/"; set $subdir "$1/";
alias $config_js_location; alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
}
# Matches /(TENANT)/pwa-worker.js or /(TENANT)/manifest.json to rewrite to / and look for file
location ~ ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ {
set $subdomain "$1.";
set $subdir "$1/";
rewrite ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ /$2;
} }
# BOSH for subdomains # BOSH for subdomains
@ -201,14 +144,6 @@ server {
rewrite ^/(.*)$ /xmpp-websocket; rewrite ^/(.*)$ /xmpp-websocket;
} }
location ~ ^/([^/?&:'"]+)/_api/room-info {
set $subdomain "$1.";
set $subdir "$1/";
set $prefix "$1";
rewrite ^/(.*)$ /_api/room-info;
}
# Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to / # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
location ~ ^/([^/?&:'"]+)/(.*)$ { location ~ ^/([^/?&:'"]+)/(.*)$ {
set $subdomain "$1."; set $subdomain "$1.";

View file

@ -1,223 +0,0 @@
#!/bin/sh -eu
# Source:
# https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example
FOCUS_USER="focus"
JITSI_DOMAIN="${JITSI_DOMAIN:-${JITSI_HOST:?}}"
# PROSODY_MAIN_CONFIG: defined in __jitsi_meet, empty in __jitsi_meet_domain
PROSODY_SECUREDOMAIN_START="--[["
PROSODY_SECUREDOMAIN_END="--]]"
if [ -n "${PROSODY_MAIN_CONFIG}" ]; then
PROSODY_MAIN_START=""
PROSODY_MAIN_END=""
PROSODY_DOMAIN_START="--[["
PROSODY_DOMAIN_END="--]]"
else
PROSODY_MAIN_START="--[["
PROSODY_MAIN_END="--]]"
PROSODY_DOMAIN_START=""
PROSODY_DOMAIN_END=""
if [ -n "${SECURED_DOMAINS}" ]; then
PROSODY_SECUREDOMAIN_START=""
PROSODY_SECUREDOMAIN_END=""
fi
fi
# Websockets haven't been fully tested in this type and don't work reliably
PROSODY_WEBSOCKET="-- "
# shellcheck disable=SC2034 # This is intended to be included
PROSODY_CONFIG="$(cat <<EOFPROSODY
-- Managed remotely, changes will be lost
${PROSODY_MAIN_START}
-- This will be managed by __jitsi_meet
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "${JITSI_HOST:?}";
external_service_secret = "${TURN_SECRET:-TurnSecret}";
external_services = {
{ type = "stun", host = "${JITSI_HOST:?}", port = 3478 },
{ type = "turn", host = "${JITSI_HOST:?}", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
{ type = "turns", host = "${JITSI_HOST:?}", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};
cross_domain_bosh = false;
consider_bosh_secure = true;
-- Use websockets
-- https://community.jitsi.org/t/how-to-how-to-enable-websockets-xmpp-websocket-and-smacks-for-prosody/87920
${PROSODY_WEBSOCKET}consider_websocket_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284
-- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
--http_cors_override = {
-- bosh = {
-- enabled = false;
-- };
-- websocket = {
-- enabled = false;
-- };
--}
-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
protocol = "tlsv1_2+";
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}
unlimited_jids = {
"${FOCUS_USER:?}@auth.${JITSI_HOST:?}",
"jvb@auth.${JITSI_HOST:?}"
}
${PROSODY_MAIN_END}
${PROSODY_DOMAIN_START}
-- This will be managed by __jitsi_meet_domain
VirtualHost "${JITSI_DOMAIN:?}"
authentication = "jitsi-anonymous" -- do not delete me
-- Properties below are modified by jitsi-meet-tokens package config
-- and authentication above is switched to "token"
--app_id="example_app_id"
--app_secret="example_app_secret"
-- Assign this host a certificate for TLS, otherwise it would use the one
-- set in the global section (if any).
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
-- use the global one.
ssl = {
key = "/etc/prosody/certs/${JITSI_DOMAIN:?}.key";
certificate = "/etc/prosody/certs/${JITSI_DOMAIN:?}.crt";
}
av_moderation_component = "avmoderation.${JITSI_DOMAIN:?}"
speakerstats_component = "speakerstats.${JITSI_DOMAIN:?}"
end_conference_component = "endconference.${JITSI_DOMAIN:?}"
-- we need bosh
modules_enabled = {
"bosh";
"ping"; -- Enable mod_ping
"speakerstats";
"external_services";
"conference_duration";
"end_conference";
"muc_lobby_rooms";
"muc_breakout_rooms";
"av_moderation";
"room_metadata";
${PROSODY_WEBSOCKET} "websocket";
${PROSODY_WEBSOCKET} "smacks";
}
smacks_max_unacked_stanzas = 5;
smacks_hibernation_time = 60;
smacks_max_hibernated_sessions = 1;
smacks_max_old_sessions = 1;
c2s_require_encryption = false
lobby_muc = "lobby.${JITSI_DOMAIN:?}"
breakout_rooms_muc = "breakout.${JITSI_DOMAIN:?}"
room_metadata_component = "metadata.${JITSI_DOMAIN:?}"
main_muc = "conference.${JITSI_DOMAIN:?}"
-- muc_lobby_whitelist = { "recorder.${JITSI_DOMAIN:?}" } -- Here we can whitelist jibri to enter lobby enabled rooms
Component "conference.${JITSI_DOMAIN:?}" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_hide_all";
"muc_meeting_id";
"muc_domain_mapper";
"polls";
--"token_verification";
"muc_rate_limit";
"muc_password_whitelist";
}
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
muc_password_whitelist = {
"${FOCUS_USER:?}@auth.${JITSI_HOST:?}"
}
muc_room_locking = false
muc_room_default_public_jids = true
Component "breakout.${JITSI_DOMAIN:?}" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_hide_all";
"muc_meeting_id";
"muc_domain_mapper";
"muc_rate_limit";
"polls";
}
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
muc_room_locking = false
muc_room_default_public_jids = true
-- internal muc component
Component "internal.auth.${JITSI_DOMAIN:?}" "muc"
storage = "memory"
modules_enabled = {
"muc_hide_all";
"ping";
}
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}", "jvb@auth.${JITSI_HOST:?}" }
muc_room_locking = false
muc_room_default_public_jids = true
-- https://prosody.im/doc/modules/mod_muc
muc_room_cache_size = 1000
${PROSODY_DOMAIN_END}
${PROSODY_MAIN_START}
-- This will be managed by __jitsi_meet
VirtualHost "auth.${JITSI_DOMAIN:?}"
ssl = {
key = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.key";
certificate = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.crt";
}
modules_enabled = {
"limits_exception";
}
authentication = "internal_hashed"
${PROSODY_MAIN_END}
${PROSODY_DOMAIN_START}
-- This will be managed by __jitsi_meet_domain
-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
Component "focus.${JITSI_DOMAIN:?}" "client_proxy"
-- Single focus user for the whole instance
target_address = "${FOCUS_USER:?}@auth.${JITSI_HOST:?}"
Component "speakerstats.${JITSI_DOMAIN:?}" "speakerstats_component"
muc_component = "conference.${JITSI_DOMAIN:?}"
Component "endconference.${JITSI_DOMAIN:?}" "end_conference"
muc_component = "conference.${JITSI_DOMAIN:?}"
Component "avmoderation.${JITSI_DOMAIN:?}" "av_moderation_component"
muc_component = "conference.${JITSI_DOMAIN:?}"
Component "lobby.${JITSI_DOMAIN:?}" "muc"
storage = "memory"
restrict_room_creation = true
muc_room_locking = false
muc_room_default_public_jids = true
modules_enabled = {
"muc_hide_all";
"muc_rate_limit";
"polls";
}
Component "metadata.${JITSI_DOMAIN:?}" "room_metadata_component"
muc_component = "conference.${JITSI_DOMAIN:?}"
breakout_rooms_component = "breakout.${JITSI_DOMAIN:?}"
${PROSODY_DOMAIN_END}
${PROSODY_SECUREDOMAIN_START}
-- Only used on secured domains
VirtualHost "${JITSI_DOMAIN}"
authentication = "internal_plain"
VirtualHost "guest.${JITSI_DOMAIN}"
authentication = "anonymous"
c2s_require_encryption = false
${PROSODY_SECUREDOMAIN_END}
EOFPROSODY
)"

View file

@ -1,151 +0,0 @@
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "jitmeet.example.com";
external_service_secret = "__turnSecret__";
external_services = {
{ type = "stun", host = "jitmeet.example.com", port = 3478 },
{ type = "turn", host = "jitmeet.example.com", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
{ type = "turns", host = "jitmeet.example.com", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};
cross_domain_bosh = false;
consider_bosh_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284
-- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
--http_cors_override = {
-- bosh = {
-- enabled = false;
-- };
-- websocket = {
-- enabled = false;
-- };
--}
-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
protocol = "tlsv1_2+";
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}
unlimited_jids = {
"focusUser@auth.jitmeet.example.com",
"jvb@auth.jitmeet.example.com"
}
VirtualHost "jitmeet.example.com"
authentication = "jitsi-anonymous" -- do not delete me
-- Properties below are modified by jitsi-meet-tokens package config
-- and authentication above is switched to "token"
--app_id="example_app_id"
--app_secret="example_app_secret"
-- Assign this host a certificate for TLS, otherwise it would use the one
-- set in the global section (if any).
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
-- use the global one.
ssl = {
key = "/etc/prosody/certs/jitmeet.example.com.key";
certificate = "/etc/prosody/certs/jitmeet.example.com.crt";
}
av_moderation_component = "avmoderation.jitmeet.example.com"
speakerstats_component = "speakerstats.jitmeet.example.com"
end_conference_component = "endconference.jitmeet.example.com"
-- we need bosh
modules_enabled = {
"bosh";
"ping"; -- Enable mod_ping
"speakerstats";
"external_services";
"conference_duration";
"end_conference";
"muc_lobby_rooms";
"muc_breakout_rooms";
"av_moderation";
"room_metadata";
}
c2s_require_encryption = false
lobby_muc = "lobby.jitmeet.example.com"
breakout_rooms_muc = "breakout.jitmeet.example.com"
room_metadata_component = "metadata.jitmeet.example.com"
main_muc = "conference.jitmeet.example.com"
-- muc_lobby_whitelist = { "recorder.jitmeet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
Component "conference.jitmeet.example.com" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_hide_all";
"muc_meeting_id";
"muc_domain_mapper";
"polls";
--"token_verification";
"muc_rate_limit";
"muc_password_whitelist";
}
admins = { "focusUser@auth.jitmeet.example.com" }
muc_password_whitelist = {
"focusUser@auth.jitmeet.example.com"
}
muc_room_locking = false
muc_room_default_public_jids = true
Component "breakout.jitmeet.example.com" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_hide_all";
"muc_meeting_id";
"muc_domain_mapper";
"muc_rate_limit";
"polls";
}
admins = { "focusUser@auth.jitmeet.example.com" }
muc_room_locking = false
muc_room_default_public_jids = true
-- internal muc component
Component "internal.auth.jitmeet.example.com" "muc"
storage = "memory"
modules_enabled = {
"muc_hide_all";
"ping";
}
admins = { "focusUser@auth.jitmeet.example.com", "jvb@auth.jitmeet.example.com" }
muc_room_locking = false
muc_room_default_public_jids = true
VirtualHost "auth.jitmeet.example.com"
modules_enabled = {
"limits_exception";
}
authentication = "internal_hashed"
-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
Component "focus.jitmeet.example.com" "client_proxy"
target_address = "focusUser@auth.jitmeet.example.com"
Component "speakerstats.jitmeet.example.com" "speakerstats_component"
muc_component = "conference.jitmeet.example.com"
Component "endconference.jitmeet.example.com" "end_conference"
muc_component = "conference.jitmeet.example.com"
Component "avmoderation.jitmeet.example.com" "av_moderation_component"
muc_component = "conference.jitmeet.example.com"
Component "lobby.jitmeet.example.com" "muc"
storage = "memory"
restrict_room_creation = true
muc_room_locking = false
muc_room_default_public_jids = true
modules_enabled = {
"muc_hide_all";
"muc_rate_limit";
"polls";
}
Component "metadata.jitmeet.example.com" "room_metadata_component"
muc_component = "conference.jitmeet.example.com"
breakout_rooms_component = "breakout.jitmeet.example.com"

View file

@ -11,24 +11,14 @@ DESCRIPTION
----------- -----------
This type installs and configures the frontend for Jitsi-Meet. This type installs and configures the frontend for Jitsi-Meet.
Additionally to regular Jitsi-Meet, users can load `DOMAIN/i/` and This supports "multi-domain" installations, notice that in such a setup, all
`DOMAIN/i/ROOM` for an interpreter-enabled interface; this is done with a rooms are shared across the different URLs, e.g.
patched version of Jitsi Simultaneous Interpretation (jsi; see references).
At least a user with `interpreter` in their name must be present.
This type supports "multi-domain" installations.
New in April 2022: rooms are independent for each domain, that is:
https://jitsi1.example.org/room1 and https://jitsi2.example.org/room1 are https://jitsi1.example.org/room1 and https://jitsi2.example.org/room1 are
different rooms. equivalent.
Note however, that right now if using secured domains, users are still shared
across any domains hosted in the same instance.
One way to work around that could be to run multiple jicofos, but we do not
want to bloat the servers.
A better way is to patch jicofo, get in touch with the type authors if you want
the gory details.
This is due to the underlying XMPP and signaling rooms being common.
There might be a way to perform tricks on the Nginx-side to avoid this, but
time is lacking :-).
This assumes `__jitsi_meet` has already been ran on the target host, and, This assumes `__jitsi_meet` has already been ran on the target host, and,
amongst others, that Jitsi was set up with `__target_host` as the Jitsi domain. amongst others, that Jitsi was set up with `__target_host` as the Jitsi domain.
@ -51,11 +41,6 @@ admin-email
OPTIONAL PARAMETERS OPTIONAL PARAMETERS
------------------- -------------------
analytics-settings
This goes inside the `analytics` part of `config.js`.
Defaults to: `disabled: true`.
See: https://github.com/jitsi/jitsi-meet/blob/master/config.js
channel-last-n channel-last-n
Default value for the "last N" attribute. Default value for the "last N" attribute.
Defaults to 20. Set to -1 for unlimited. Defaults to 20. Set to -1 for unlimited.
@ -93,15 +78,6 @@ video-constraints
It must not have a trailing comma, see `constraints` in It must not have a trailing comma, see `constraints` in
`__jitsi_meet_domain/files/config.js.sh`. `__jitsi_meet_domain/files/config.js.sh`.
branding-app-name
This will change `Jitsi Meet` in many places to the brand you desire.
Defaults to `Jitsi Meet`.
branding-extra-body
This must be valid HTML, it will be included server-side and delivered to
clients alongside the default `index.html`.
This is useful if you would rather not replace the whole `index`, but
still want the chance to do some heavier branding / add instructions / etc.
branding-json branding-json
Path to a JSON file that will be served as the `dynamicBrandingUrl`. Path to a JSON file that will be served as the `dynamicBrandingUrl`.
@ -109,12 +85,14 @@ branding-json
`__jitsi_meet_domain/files/config.js.sh`. `__jitsi_meet_domain/files/config.js.sh`.
If not set, no branding will be set up. If not set, no branding will be set up.
branding-index branding-index
Path to an HTML file that will be served instead of Jitsi-Meet's default Path to an HTML file that will be served instead of Jitsi-Meet's default
one. one.
If not set, the default index file will be used. If not set, the default index file will be used.
If set to `-`, the type's standard input will be used. If set to `-`, the type's standard input will be used.
branding-watermark branding-watermark
Path to a png file that will be served instead of Jitsi-Meet's default Path to a png file that will be served instead of Jitsi-Meet's default
one. one.
@ -169,7 +147,6 @@ SEE ALSO
-------- --------
- `__jitsi_meet(7)` - `__jitsi_meet(7)`
- `__jitsi_meet_user(7)` - `__jitsi_meet_user(7)`
- Jitsi Meet Simultaneous Interpretation: https://gitlab.com/mfmt/jsi
AUTHORS AUTHORS

View file

@ -18,8 +18,6 @@ NOTICE_MESSAGE="$(cat "${__object}/parameter/notice-message")"
START_VIDEO_MUTED="$(cat "${__object}/parameter/start-video-muted")" START_VIDEO_MUTED="$(cat "${__object}/parameter/start-video-muted")"
TURN_SERVER="$(cat "${__object}/parameter/turn-server")" TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
VIDEO_CONSTRAINTS="$(cat "${__object}/parameter/video-constraints")" VIDEO_CONSTRAINTS="$(cat "${__object}/parameter/video-constraints")"
ANALYTICS_SETTINGS="$(cat "${__object}/parameter/analytics-settings")"
BRANDING_APP_NAME="$(cat "${__object}/parameter/branding-app-name")"
BRANDING_INDEX="$(cat "${__object}/parameter/branding-index")" BRANDING_INDEX="$(cat "${__object}/parameter/branding-index")"
BRANDING_JSON="$(cat "${__object}/parameter/branding-json")" BRANDING_JSON="$(cat "${__object}/parameter/branding-json")"
BRANDING_WATERMARK="$(cat "${__object}/parameter/branding-watermark")" BRANDING_WATERMARK="$(cat "${__object}/parameter/branding-watermark")"
@ -132,43 +130,3 @@ __file "/usr/share/jitsi-meet/images/watermark-${DOMAIN}.png" \
--mode 0644 \ --mode 0644 \
--state "$(_var_state "${BRANDING_WATERMARK}")" \ --state "$(_var_state "${BRANDING_WATERMARK}")" \
--source "${BRANDING_WATERMARK}" --source "${BRANDING_WATERMARK}"
# Simple body customisation
__file "/usr/share/jitsi-meet/body-${DOMAIN}.html" \
--mode 0644 \
--state "$(_var_state "${STATE}")" \
--source "${__object}/parameter/branding-extra-body"
#
# Take care of prosody settings for the domain
#
JITSI_DOMAIN="${DOMAIN}"
# Prosody settings for common components (jvb, focus, ...)
# shellcheck source=type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
. "${__type}/files/prosody.cfg.lua.sh" # This defines PROSODY_CONFIG
__file "/etc/prosody/conf.avail/${DOMAIN}.cfg.lua" \
--group prosody \
--mode 0440 \
--state "${STATE}" \
--source '-' <<EOF
${PROSODY_CONFIG}
EOF
__link "/etc/prosody/conf.d/${DOMAIN}.cfg.lua" \
--source "/etc/prosody/conf.avail/${DOMAIN}.cfg.lua" \
--state "${STATE}" \
--type symbolic
if [ "${STATE}" = "present" ]; then
export require="${require} __file/etc/prosody/conf.avail/${DOMAIN}.cfg.lua __link/etc/prosody/conf.d/${DOMAIN}.cfg.lua"
__check_messages "prosody/${DOMAIN}" \
--pattern '^(__file|__link)/etc/prosody/conf[.](avail|d)/' \
--execute "$(cat <<EOF
if [ ! -f "/var/lib/prosody/${DOMAIN}.crt" ]; then
echo | prosodyctl cert generate '${DOMAIN}';
ln -sf '/var/lib/prosody/${DOMAIN}.key' '/etc/prosody/certs/${DOMAIN}.key'
ln -sf '/var/lib/prosody/${DOMAIN}.crt' '/etc/prosody/certs/${DOMAIN}.crt'
fi
# Surprisingly, a reload is not enough
service prosody restart
EOF
)"
fi

View file

@ -1 +0,0 @@
disabled: true

View file

@ -1,13 +1,10 @@
analytics-settings
channel-last-n channel-last-n
default-language default-language
notice-message notice-message
start-video-muted start-video-muted
turn-server turn-server
video-constraints video-constraints
branding-app-name
branding-json branding-json
branding-index branding-index
branding-extra-body
branding-watermark branding-watermark
state state

View file

@ -41,25 +41,21 @@ subdomains
umask umask
Set the umask for the socket and PID file. Set the umask for the socket and PID file.
userid
Change the user the opendkim program is to run as.
By default, Alpine Linux's OpenRC service will set this to `opendkim` on the
command-line and FreeBSD's rc will set it to `mailnull`.
custom-config custom-config
The string following this parameter is appended as-is in the configuration, to The string following this parameter is appended as-is in the configuration, to
enable more complex configurations. enable more complex configurations.
BOOLEAN PARAMETERS BOOLEAN PARAMETERS
------------------ ------------------
syslog syslog
Log to syslog. Log to syslog.
DEPRECATED PARAMETERS
---------------------
userid
Change the user the opendkim program is to run as.
By default, Alpine Linux's OpenRC service will set this to `opendkim` on the
command-line and FreeBSD's rc will set it to `mailnull`.
EXAMPLES EXAMPLES
-------- --------

View file

@ -29,7 +29,6 @@ case "$os" in
'freebsd') 'freebsd')
CFG_DIR="/usr/local/etc/mail" CFG_DIR="/usr/local/etc/mail"
service="milter-opendkim" service="milter-opendkim"
start_service="milteropendkim"
;; ;;
*) *)
printf "__opendkim does not yet support %s.\n" "$os" >&2 printf "__opendkim does not yet support %s.\n" "$os" >&2
@ -91,11 +90,7 @@ fi
require="__package/opendkim" __file "$target_file" \ require="__package/opendkim" __file "$target_file" \
--source "$source_file" --mode 0644 --source "$source_file" --mode 0644
# Due to the way rc.conf works on *BSD, we find ourselves in the awkward require="__package/opendkim" __start_on_boot "${service}"
# situation, where a service's name can contain a '-' symbol, but the
# rc.conf setting to enable a service at boot cannot.
# Unless start_service has been defined before, these two match.
require="__package/opendkim" __start_on_boot "${start_service:-${service}}"
# Ensure Key and Signing tables exist and have proper permissions # Ensure Key and Signing tables exist and have proper permissions
key_table="${CFG_DIR}/KeyTable" key_table="${CFG_DIR}/KeyTable"
@ -110,7 +105,7 @@ require="__package/opendkim" \
--mode 444 --mode 444
require="__file${target_file} __file${key_table} require="__file${target_file} __file${key_table}
__file${signing_table} __start_on_boot/${start_service:-${service}}" \ __file${signing_table} __start_on_boot/${service}" \
__check_messages opendkim \ __check_messages opendkim \
--pattern "^__file${target_file}" \ --pattern "^__file${target_file}" \
--execute "service ${service} restart" --execute "service ${service} restart"

View file

@ -1,2 +0,0 @@
This can cause inconsistencies with permissions and will stop being supported.
If you still need this, you can use --custom-config 'UserId $USERID'.

View file

@ -1,32 +0,0 @@
#!/bin/sh -e
DIRECTORY="/var/db/dkim/"
if [ -f "${__object:?}/parameter/directory" ];
then
# Be forgiving about a lack of trailing slash
DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")"
fi
KEY_ID="$(echo "${__object_id:?)}" | tr '/' '_')"
DEFAULT_PATH="${DIRECTORY:?}${KEY_ID:?}.private"
if [ -s "${DEFAULT_PATH}" ]; then
# This is the main location for the key
FOUND_PATH="${DEFAULT_PATH}"
else
# This is a backwards-compatible location for the key
# Keys generated post March 2022 should not land here
if [ -f "${__object:?}/parameter/selector" ]; then
SELECTOR="$(cat "${__object:?}/parameter/selector")"
if [ -s "${DIRECTORY}${SELECTOR:?}.private" ]; then
FOUND_PATH="${DIRECTORY}${SELECTOR:?}.private"
fi
fi
fi
if [ -n "${FOUND_PATH}" ]; then
printf "present\t%s" "${FOUND_PATH}"
else
# We didn't find the key
# We pass the default path here, to easen logic in the rest of the type
printf "absent\t%s" "${DEFAULT_PATH}"
fi

View file

@ -19,8 +19,8 @@
# #
# Required parameters # Required parameters
DOMAIN="$(cat "${__object:?}/domain")" DOMAIN="$(cat "${__object:?}/parameter/domain")"
SELECTOR="$(cat "${__object:?}/selector")" SELECTOR="$(cat "${__object:?}/parameter/selector")"
# Optional parameters # Optional parameters
BITS= BITS=
@ -28,6 +28,12 @@ if [ -f "${__object:?}/parameter/bits" ]; then
BITS="-b $(cat "${__object:?}/parameter/bits")" BITS="-b $(cat "${__object:?}/parameter/bits")"
fi fi
DIRECTORY="/var/db/dkim/"
if [ -f "${__object:?}/parameter/directory" ]; then
# Be forgiving about a lack of trailing slash
DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")"
fi
# Boolean parameters # Boolean parameters
SUBDOMAINS= SUBDOMAINS=
if [ -f "${__object:?}/parameter/no-subdomains" ]; then if [ -f "${__object:?}/parameter/no-subdomains" ]; then
@ -42,24 +48,9 @@ fi
user="$(cat "${__object:?}/user")" user="$(cat "${__object:?}/user")"
group="$(cat "${__object:?}/group")" group="$(cat "${__object:?}/group")"
KEY_STATE="$(cut -f 1 "${__object:?}/explorer/key-state")" if ! [ -f "${DIRECTORY}${SELECTOR}.private" ]; then
KEY_LOCATION="$(cut -f 2- "${__object:?}/explorer/key-state")" echo "opendkim-genkey $BITS --domain=$DOMAIN --directory=$DIRECTORY $RESTRICTED --selector=$SELECTOR $SUBDOMAINS"
echo "chown ${user}:${group} ${DIRECTORY}${SELECTOR}.private"
if [ "${KEY_STATE:?}" = "absent" ]; then
# opendkim-genkey(8) does not allow specifying the file name.
# To err on the safe side (and avoid potentially killing other keys)
# we operate on a temporary directory first, then move the resulting key
cat <<-EOF
tmp_dir="\$(mktemp -d cdist-dkim.XXXXXXXXXXX)"
opendkim-genkey $BITS --domain=${DOMAIN:?} --directory=\${tmp_dir:?} $RESTRICTED --selector=${SELECTOR:?} $SUBDOMAINS
# Relocate and ensure permissions
mv "\${tmp_dir:?}/${SELECTOR:?}.private" '${KEY_LOCATION:?}'
chown ${user}:${group} '${KEY_LOCATION}'
chmod 0600 '${KEY_LOCATION}'
# This is usually generated, if it weren't we do not want to fail # This is usually generated, if it weren't we do not want to fail
mv "\${tmp_dir:?}/${SELECTOR:?}.txt" '${KEY_LOCATION%.private}.txt' || true echo "chown ${user}:${group} ${DIRECTORY}${SELECTOR}.txt || true"
chown ${user}:${group} '${KEY_LOCATION%.private}.txt' || true
# Cleanup after ourselves
rmdir "\${tmp_dir:?}" || true
EOF
fi fi

View file

@ -10,27 +10,23 @@ DESCRIPTION
----------- -----------
This type uses the `opendkim-genkey(8)` to generate signing keys suitable for This type uses the `opendkim-genkey(8)` to generate signing keys suitable for
usage by `opendkim(8)` to sign outgoing emails. usage by `opendkim(8)` to sign outgoing emails. Then, a line with the domain,
selector and keyname in the `$selector._domainkey.$domain` format will be added
It also manages the key, identified by its `$__object_id` in OpenDKIM's to the OpenDKIM key table located at `/etc/opendkim/KeyTable`. Finally, a line
KeyTable and sets its `s=` and `d=` parameters (see: `--selector` and will be added to the OpenDKIM signing table, using either the domain or the
`--sigdomain` respectively). provided key for the `domain:selector:keyfile` value in the table. An existing
key will not be overwritten.
This type will also manage the entries in the OpenDKIM's SigningTable by
associating any given `sigkey` values to this key.
Take into account that if you use this type without the `--domain` and
`--selector` parameters, the `$__object_id` must be in form `$domain/$selector`.
Currently, this type is only implemented for Alpine Linux and FreeBSD. Currently, this type is only implemented for Alpine Linux and FreeBSD.
Please contribute an implementation if you can. Please contribute an implementation if you can.
NOTE: the name of the key file under `--directory` will default to REQUIRED PARAMETERS
`$__object_id.private`, but if that fails and `--selector` is used, -------------------
`SELECTOR.private` will be considered. domain
Take care when using unrelated keys that might collide this way. The domain to generate the key for.
For more information see:
https://code.ungleich.ch/ungleich-public/cdist-contrib/issues/20 selector
The DKIM selector to generate the key for.
OPTIONAL PARAMETERS OPTIONAL PARAMETERS
@ -42,36 +38,10 @@ bits
directory directory
The directory in which to generate the key, `/var/db/dkim/` by default. The directory in which to generate the key, `/var/db/dkim/` by default.
domain
The domain to generate the key for.
If omitted, `--selector` must be omitted as well and `$__object_id` must be
in form: `$domain/$selector`.
selector
The DKIM selector to generate the key for.
If omitted, `--domain` must be omitted as well and `$__object_id` must be
in form: `$domain/$selector`.
sigdomain
Specified in the KeyTable, the domain to use in the signature's "d=" value.
Defaults to the specified domain. If `%`, it will be replaced by the apparent
domain of the sender when generating a signature.
Note you probably don't want to set both `--sigdomain` and `--sigkey` to `%`.
See `KeyTable` in `opendkim.conf(5)` for more information.
OPTIONAL MULTIPLE PARAMETERS
----------------------------
sigkey sigkey
The key used in the `SigningTable` for this signing key. Defaults to the The key used in the SigningTable for this signing key. Defaults to the
specified domain. If `%`, OpenDKIM will replace it with the domain found specified domain. If `%`, OpenDKIM will replace it with the domain found
in the `From:` header. See `opendkim.conf(5)` for more options. in the `From:` header. See `opendkim.conf(5)` for more options.
Note you probably don't want to set both `--sigdomain` and `--sigkey` to `%`.
This can be passed multiple times, resulting in multiple lines in the
SigningTable, which can be used to support signing of subdomains or multiple
domains with the same key; in that case, you probably want to set
`--sigdomain` to `%`, else the domains will not be aligned.
BOOLEAN PARAMETERS BOOLEAN PARAMETERS
------------------ ------------------
@ -87,7 +57,6 @@ EXAMPLES
.. code-block:: sh .. code-block:: sh
# Setup the OpenDKIM service
__opendkim \ __opendkim \
--socket inet:8891@localhost \ --socket inet:8891@localhost \
--basedir /var/lib/opendkim \ --basedir /var/lib/opendkim \
@ -96,24 +65,14 @@ EXAMPLES
--umask 002 \ --umask 002 \
--syslog --syslog
# Continue only after the service has been set up require='__opendkim' \
export require="__opendkim"
# Generate a key for 'example.com' with selector 'default'
__opendkim_genkey default \ __opendkim_genkey default \
--domain example.com \ --domain example.com \
--selector default --selector default
# Generate a key for 'foo.com' with selector 'backup' __opendkim_genkey myfoo \
__opendkim_genkey 'foo.com/backup' --domain foo.com \
--selector backup
# Generate a key for 'example.org' with selector 'main'
# that can also sign 'cdi.st' and subdomains of 'example.org'
__opendkim_genkey 'example.org/main' \
--sigdomain '%' \
--sigkey 'example.org' \
--sigkey '.example.org' \
--sigkey 'cdi.st'
SEE ALSO SEE ALSO

View file

@ -35,48 +35,17 @@ case "$os" in
;; ;;
*) *)
cat <<- EOF >&2 cat <<- EOF >&2
__opendkim_genkey currently only supports Alpine Linux and FreeBSD. __opendkim_genkey currently only supports Alpine Linux. Please
Please contribute an implementation for $os if you can. contribute an implementation for $os if you can.
EOF EOF
exit 1
;; ;;
esac esac
# Persist user and group for gencode-remote
printf '%s' "${user}" > "${__object:?}/user"
printf '%s' "${group}" > "${__object:?}/group"
# Logic to simplify the type as documented in SELECTOR="$(cat "${__object:?}/parameter/selector")"
# https://code.ungleich.ch/ungleich-public/cdist-contrib/issues/20#issuecomment-14711 DOMAIN="$(cat "${__object:?}/parameter/domain")"
DOMAIN="$(cat "${__object:?}/parameter/domain" 2>/dev/null || true)"
SELECTOR="$(cat "${__object:?}/parameter/selector" 2>/dev/null || true)"
if [ -z "${DOMAIN}${SELECTOR}" ]; then
# Neither SELECTOR nor DOMAIN were passed, try to use __object_id
if echo "${__object_id:?}" | \
grep -qE '^[^/[:space:]]+/[^/[:space:]]+$'; then
# __object_id matches, let's get the data
DOMAIN="$(echo "${__object_id:?}" | cut -d '/' -f 1)"
SELECTOR="$(echo "${__object_id:?}" | cut -d '/' -f 2)"
else
# It doesn't match the pattern, this is sad
cat <<- EOF >&2
The arguments --domain and --selector were not used.
So __object_id must match DOMAIN/SELECTOR.
But instead the type got: ${__object_id:?}
EOF
exit 1
fi
elif [ -z "${DOMAIN}" ] || [ -z "${SELECTOR}" ]; then
# Only one was passed, this is sad :-(
cat <<- EOF >&2
You must pass either both --selector and --domain or none of them.
If these arguments are absent, __object_id must match: DOMAIN/SELECTOR.
EOF
exit 1
# else: both were passed
fi
# Persist data for gencode-remote
printf '%s' "${user:?}" > "${__object:?}/user"
printf '%s' "${group:?}" > "${__object:?}/group"
printf '%s' "${DOMAIN:?}" > "${__object:?}/domain"
printf '%s' "${SELECTOR:?}" > "${__object:?}/selector"
DIRECTORY="/var/db/dkim/" DIRECTORY="/var/db/dkim/"
if [ -f "${__object:?}/parameter/directory" ]; if [ -f "${__object:?}/parameter/directory" ];
@ -90,11 +59,6 @@ if [ -f "${__object:?}/parameter/sigkey" ];
then then
SIGKEY="$(cat "${__object:?}/parameter/sigkey")" SIGKEY="$(cat "${__object:?}/parameter/sigkey")"
fi fi
SIGDOMAIN="${DOMAIN:?}"
if [ -f "${__object:?}/parameter/sigdomain" ];
then
SIGDOMAIN="$(cat "${__object:?}/parameter/sigdomain")"
fi
# Ensure the key-container directory exists with the proper permissions # Ensure the key-container directory exists with the proper permissions
__directory "${DIRECTORY}" \ __directory "${DIRECTORY}" \
@ -112,28 +76,10 @@ esac
key_table="${CFG_DIR}/KeyTable" key_table="${CFG_DIR}/KeyTable"
signing_table="${CFG_DIR}/SigningTable" signing_table="${CFG_DIR}/SigningTable"
KEY_STATE="$(cut -f 1 "${__object:?}/explorer/key-state")" __line "line-key-${__object_id:?}" \
KEY_LOCATION="$(cut -f 2- "${__object:?}/explorer/key-state")"
__line "__opendkim_genkey/${__object_id:?}" \
--file "${key_table}" \ --file "${key_table}" \
--line "${__object_id:?} ${SIGDOMAIN:?}:${SELECTOR:?}:${KEY_LOCATION:?}" \ --line "${SELECTOR:?}._domainkey.${DOMAIN:?} ${DOMAIN:?}:${SELECTOR:?}:${DIRECTORY:?}${SELECTOR:?}.private"
--regex "^${__object_id:?}[[:space:]]" \
--state 'replace'
sigtable_block() { __line "line-sig-${__object_id:?}" \
for sigkey in ${SIGKEY:?}; do
echo "${sigkey:?} ${__object_id:?}"
done
}
__block "__opendkim_genkey/${__object_id:?}" \
--file "${signing_table}" \ --file "${signing_table}" \
--text "$(sigtable_block)" --line "${SIGKEY:?} ${SELECTOR:?}._domainkey.${DOMAIN:?}"
if [ "${KEY_STATE:?}" = "present" ]; then
# Ensure proper permissions for the key file
__file "${KEY_LOCATION}" \
--owner "${user}" \
--group "${group}" \
--mode 0600
fi

View file

@ -1,6 +1,4 @@
bits bits
directory directory
domain
unrestricted unrestricted
selector sigkey
sigdomain

View file

@ -1 +0,0 @@
sigkey

View file

@ -0,0 +1,2 @@
domain
selector

View file

@ -20,7 +20,7 @@ variables_order = "GPCS"
zend.assertions = -1 zend.assertions = -1
; Local custom variations ; Local custom variations
include_path = ".:${PHP_INCLUDEDIR}" include_path = ".:/usr/share/php${PHPVER:?}"
memory_limit = ${MEMORY_LIMIT:?} memory_limit = ${MEMORY_LIMIT:?}
post_max_size = ${UPLOAD_MAX_FILESIZE:?} post_max_size = ${UPLOAD_MAX_FILESIZE:?}
upload_max_filesize = ${UPLOAD_MAX_FILESIZE:?} upload_max_filesize = ${UPLOAD_MAX_FILESIZE:?}

View file

@ -12,7 +12,8 @@ This type installs and configures PHP-FPM for a given version of PHP. It is
expected to be used in combination with cdist-type__php_fpm_pool, which expected to be used in combination with cdist-type__php_fpm_pool, which
configures specific pools. configures specific pools.
This type supports Debian, Ubuntu and Alpine Linux. Note that currently, this type is only implemented for Alpine Linux.
REQUIRED PARAMETERS REQUIRED PARAMETERS
------------------- -------------------

View file

@ -6,35 +6,14 @@ PHPVER=$(cat "${__object:?}/parameter/php-version")
export PHPVER export PHPVER
case "$os" in case "$os" in
'alpine') 'alpine')
# Alpine packages looks like php81-fpm - we make sure to remove dots from user
# input.
PHPVER=$(echo "$PHPVER" | tr -d '.')
package="php${PHPVER}-fpm" package="php${PHPVER}-fpm"
service="php-fpm${PHPVER}"
opcache_package="php${PHPVER}-opcache" opcache_package="php${PHPVER}-opcache"
apcu_package="php${PHPVER}-pecl-apcu" apcu_package="php${PHPVER}-pecl-apcu"
service="php-fpm${PHPVER}"
php_confdir="/etc/php${PHPVER}"
php_ini="${php_confdir:?}/php.ini"
PHP_INCLUDEDIR="/usr/share/php${PHPVER:?}"
export PHP_INCLUDEDIR
;; ;;
'debian'|'ubuntu')
package="php${PHPVER}-fpm"
opcache_package="php${PHPVER}-opcache"
apcu_package="php${PHPVER}-apcu"
service="php${PHPVER}-fpm" *)
php_confdir="/etc/php/${PHPVER}"
php_ini="${php_confdir:?}/fpm/php.ini"
PHP_INCLUDEDIR="/usr/share/php/${PHPVER:?}"
export PHP_INCLUDEDIR
;;
*)
printf "Your operating system is currently not supported by this type\n" >&2 printf "Your operating system is currently not supported by this type\n" >&2
printf "Please contribute an implementation for it if you can.\n" >&2 printf "Please contribute an implementation for it if you can.\n" >&2
exit 1 exit 1
@ -61,8 +40,8 @@ export UPLOAD_MAX_FILESIZE
mkdir -p "${__object:?}/files" mkdir -p "${__object:?}/files"
"${__type:?}/files/php.ini.sh" >"${__object:?}/files/php.ini" "${__type:?}/files/php.ini.sh" >"${__object:?}/files/php.ini"
require="__package/$package" __file "${php_ini:?}" \ require="__package/$package" __file "/etc/php${PHPVER}/php.ini" \
--mode 644 --source "${__object:?}/files/php.ini" \ --mode 644 --source "${__object:?}/files/php.ini" \
--onchange "service $service restart" --onchange "service $service restart"
require="__file/${php_ini:?}" __service "$service" --action start require="__file/etc/php${PHPVER}/php.ini" __service "$service" --action start

View file

@ -13,7 +13,7 @@ This type configures a pool named after the `__object_id` for a specified PHP
version. Note that this types expects a same-version cdist-type__php_fpm type version. Note that this types expects a same-version cdist-type__php_fpm type
to have been run first: the user is responsible for doing so. to have been run first: the user is responsible for doing so.
This type supports Debian, Ubuntu and Alpine Linux. Note that currently, this type is only implemented for Alpine Linux.
REQUIRED PARAMETERS REQUIRED PARAMETERS

View file

@ -1,5 +1,8 @@
#!/bin/sh #!/bin/sh
# XXX: this type does not configure or install php-fpm: it expects the
# __recycledcloud_php_fpm type to be used first before pools are configured.
os=$(cat "${__global:?}/explorer/os") os=$(cat "${__global:?}/explorer/os")
name=${__object_id:?} name=${__object_id:?}
@ -7,18 +10,12 @@ PHPVER=$(cat "${__object:?}/parameter/php-version")
export PHPVER export PHPVER
case "$os" in case "$os" in
'alpine') 'alpine')
PHPVER=$(echo "$PHP_VERSION" | tr -d '.')
service="php-fpm${PHPVER}" service="php-fpm${PHPVER}"
php_confdir="/etc/php${PHPVER}" :
php_pooldir="${php_confdir:?}/php-fpm.d"
;; ;;
'debian'|'ubuntu')
service="php${PHPVER}-fpm" *)
php_confdir="/etc/php/${PHPVER}"
php_pooldir="${php_confdir:?}/fpm/pool.d"
;;
*)
printf "Your operating system is currently not supported by this type\n" >&2 printf "Your operating system is currently not supported by this type\n" >&2
printf "Please contribute an implementation for it if you can.\n" >&2 printf "Please contribute an implementation for it if you can.\n" >&2
exit 1 exit 1
@ -35,6 +32,6 @@ export POOL_USER POOL_GROUP POOL_LISTEN_ADDR POOL_LISTEN_OWNER POOL_NAME
mkdir -p "${__object:?}/files" mkdir -p "${__object:?}/files"
"${__type:?}/files/www.conf.sh" >"${__object:?}/files/www.conf" "${__type:?}/files/www.conf.sh" >"${__object:?}/files/www.conf"
__file "${php_pooldir:?}/${name}.conf" \ __file "/etc/php${PHPVER:?}/php-fpm.d/${name}.conf" \
--mode 644 --source "${__object:?}/files/www.conf" \ --mode 644 --source "${__object:?}/files/www.conf" \
--onchange "service $service reload" --onchange "service $service reload"

View file

@ -6,14 +6,7 @@ os="$(cat "${__global}/explorer/os")"
case "${os}" in case "${os}" in
debian|devuan) debian|devuan)
# zero-config sysvinit and systemd compatibility # zero-config sysvinit and systemd compatibility
os_version="$(cat "${__global}/explorer/os_version")" __package runit-run
debian_package="runit-run"
case "${os_version}" in
beowulf)
debian_package="runit"
;;
esac
__package "${debian_package}"
;; ;;
freebsd) freebsd)
__key_value \ __key_value \

View file

@ -33,25 +33,18 @@ if [ "${state}" != "present" ]; then
exit exit
fi fi
# Setup run file
__file --state "${state}" --mode 0550 --source "${source}" \
--onchange "sv restart '${sv}' || true" \
"${run_file}"
export require="${require} __file${run_file}"
if [ -f "${__object}/parameter/log" ]; then if [ -f "${__object}/parameter/log" ]; then
# Setup logger if requested # Setup logger if requested
logdir="/var/log/runit" __directory --parents "${svdir}/${sv}/log/main"
__directory --parents "${svdir}/${sv}/log" export require="${require} __directory${svdir}/${sv}/log/main"
__directory --state absent "${svdir}/${sv}/log/main" # Remove lingering old fashioned log
__directory --parents "${logdir}/${sv}"
export require="${require} __directory${svdir}/${sv}/log __directory${logdir}/${sv}"
__file "${svdir}/${sv}/log/run" \ __file "${svdir}/${sv}/log/run" \
--state "${state}" \ --state "${state}" \
--mode 0755 \ --mode 0755 \
--onchange "sv restart '${sv}/log' || true" \
--source "-" <<EOF --source "-" <<EOF
#!/bin/sh #!/bin/sh
exec svlogd -tt '${logdir}/${sv}' exec svlogd -tt ./main
EOF EOF
fi fi
# Setup run file
__file --state "${state}" --mode 0755 --source "${source}" "${run_file}"

View file

@ -1,10 +0,0 @@
#!/bin/sh -e
BIN_PREFIX="/usr/local/bin"
SERVICE_NAME="${__object_id}"
VERSION_FILE="${BIN_PREFIX}/.${SERVICE_NAME}.cdist.version"
if [ -f "${VERSION_FILE}" ]; then
cat "${VERSION_FILE}"
fi

View file

@ -1,195 +0,0 @@
cdist-type__single_binary_service(7)
====================================
NAME
----
cdist-type__single_binary_service - Setup a single-binary service
DESCRIPTION
-----------
This type is designed to easily deploy and configure a single-binary service
named `${__object_id}`.
A good example of this are Prometheus exporters.
This type makes certain assumptions that might not be correct on your system.
If you need more flexibility, please get in touch and provide a use-case
(and hopefully a backwards-compatible patch).
This type will place the downloaded binary and, if requested, other extra
binaries in `/usr/local/bin`.
If a `--config-file-source` is provided, it will be placed under:
`/etc/${__object_id}.conf`.
This type supports services managed by `__runit(7)` when `systemd` is not
the init system being used.
REQUIRED PARAMETERS
-------------------
checksum
This will be passed verbatim to `__download(7)`.
Use something like `sha256:...`.
url
This will be passed verbatim to `__download(7)`.
version
This type will use a thumbstone file with a "version" number to track
whether or not a service must be updated.
This thumbstone file is placed under
`/usr/local/bin/.${__object_id}.cdist.version`.
BOOLEAN PARAMETERS
------------------
unpack
If present, the contents of `--url` will be treated as an archive to be
unpacked with `__unpack(7)`.
See also `--unpack-args` and `--extra-binary`.
do-not-manage-user
Always considered present when `--user` is `root`.
If present, the user in `--user` will not be managed by this type with
`__user`, this means it *must* exist beforehand when installing the service
and it will not be removed by this type.
OPTIONAL PARAMETERS
-------------------
config-file-source
If present, this file's contents will be placed under
`/etc/${__object_id}.conf` with permissions `0440` and ownership assigned to
`--user` and `--group`.
If `-` is passed, this type's `stdin` will be used.
user
The user under which the service will run. Defaults to `root`.
If this user is not `root` and `--do-not-manage-user` is not present,
this user will be created or removed as per the `--state` parameter.
user-home-dir
Does not have an effect if `--do-not-manage-user` is used or `--user` is
`root`.
The home directory of the service user. It will be created.
Defaults to `/nonexistent`, in this case the home directory will not be
created.
group
The group under which the service will run. Defaults to `--user`.
state
Whether the service is to be `present` (default) or `absent`.
When `absent`, this type will clean any binaries listed in `--extra-binary`
and also the config file as described in `--config-file-source`.
binary
This will be the binary name. Defaults to `${__object_id}`.
If `--unpack` is used, a binary with this name must be unpacked.
Otherwise, the contents of `--url` will be placed under this binary name.
env
An `env` file consiting of `ENVIRONMENT_VARIABLE=VALUE`, one variable per
line.
Empty lines and those starting with `#` are ignored.
service-args
Any extra arguments to pass along with `--service-exec`. Beware that any
service-args having the format `--config=/etc/foo.cfg` should be
represented in the following way `--service-exec='--config=/etc/foo.cfg'`
service-exec
The executable to use for this service.
Defaults to `/usr/local/bin/BINARY_NAME` where `BINARY_NAME` is the
resulting value of `--binary`.
service-definition
The service definition to be used as an override.
Note that this type decides dinammically between runit and systemd, and
you can currently only define either a systemd unit or a runit script here.
Use this parameter only for testing and get in touch to discuss how your
particular use-case can be supported by the type.
service-description
The service description to be used in, e.g. the systemd unit file.
Defaults to `cdist-managed '${__object_id}' service`.
unpack-args
Only has an effect if `--unpack` is used.
These arguments will be passed verbatim to `__unpack(7)`.
Very useful as this type assumes the archive does not have the binaries in
subdirectories; that can be worked around with
`--unpack-args '--tar-strip 1'`.
unpack-extension
Only has an effect if `--unpack` is used.
The file extension of the file to unpack, defaults to `.tar.gz`.
working-directory
If set, the working directory with which the service will be started.
OPTIONAL MULTIPLE PARAMETERS
----------------------------
extra-binary
Only useful with `--unpack`.
If passed, these binaries will also be installed when `--state` is `present`
and removed when `--state` is `absent`.
Handle with care :-).
EXAMPLES
--------
.. code-block:: sh
# Install and enable the ipmi_exporter service
# The variables are defined in the manifest previously
__single_binary_service ipmi_exporter \
--user "${USER}" \
--service-args ' --config.file=/etc/ipmi_exporter.conf' \
--version "${SHOULD_VERSION}" \
--checksum "${CHECKSUM}" \
--url "${DOWNLOAD_URL}" \
--state "present" \
--unpack \
--unpack-args "--tar-strip 1" \
--config-file-source '-' <<-EOF
# Remotely managed, changes will be lost
# [...] config contents goes here
EOF
# Remove the ipmi_exporter service along with the user and its config
__single_binary_service ipmi_exporter \
--user "${USER}" \
--version "${SHOULD_VERSION}" \
--checksum "${CHECKSUM}" \
--url "${DOWNLOAD_URL}" \
--state "absent"
# Same, but the service was using my user! Let's not delete that!
__single_binary_service ipmi_exporter \
--user "evilham" \
--do-not-manage-user \
--version "${SHOULD_VERSION}" \
--checksum "${CHECKSUM}" \
--url "${DOWNLOAD_URL}" \
--state "absent"
SEE ALSO
--------
- `__download(7)`
- `__unpack(7)`
AUTHORS
-------
Evilham <contact@evilham.com>
COPYING
-------
Copyright \(C) 2022 Evilham.

View file

@ -1,305 +0,0 @@
#!/bin/sh -e
SERVICE_NAME="${__object_id}"
OS="$(cat "${__global}/explorer/os")"
case "${OS}" in
debian|devuan)
SUPER_USER_GROUP=root
ETC_DIR="/etc"
;;
*bsd)
SUPER_USER_GROUP=wheel
ETC_DIR="/usr/local/etc"
;;
*)
echo "Your OS '${OS}' is currently not supported." >&2
exit 1
;;
esac
INIT="$(cat "${__global}/explorer/init")"
case "${INIT}" in
systemd)
service_definition_require="__systemd_unit/${SERVICE_NAME}.service"
service_command="service ${SERVICE_NAME} %s"
;;
runit|sysvinit)
# We will use runit to manage these services
__runit
export require="__runit"
service_definition_require="__runit_service/${SERVICE_NAME}"
service_command="sv %s ${SERVICE_NAME}"
;;
*)
echo "Init system ${INIT}' is currently not supported." >&2
exit 1
;;
esac
BIN_DIR="/usr/local/bin"
# Ensure the target bin dir exists
# Care, we never want to remove it :-D
__directory "${BIN_DIR}" \
--state "exists" \
--mode 0755
export require="${require} __directory${BIN_DIR}"
STATE="$(cat "${__object}/parameter/state")"
USER="$(cat "${__object}/parameter/user")"
GROUP="$(cat "${__object}/parameter/group" 2>/dev/null || true)"
if [ -z "${GROUP}" ]; then
if [ "${USER}" != "root" ]; then
GROUP="${USER}"
else
GROUP="${SUPER_USER_GROUP}"
fi
fi
BINARY="$(cat "${__object}/parameter/binary" 2>/dev/null || true)"
if [ -z "${BINARY}" ]; then
BINARY="${SERVICE_NAME}"
fi
EXTRA_BINARIES="$(cat "${__object}/parameter/extra-binary" 2>/dev/null || true)"
# This only makes sense for file archives
if [ -n "${EXTRA_BINARIES}" ] && [ -f "${__object}/parameter/unpack" ]; then
cat >&2 <<-EOF
You cannot specify extra binaries without the --unpack argument.
Make sure that the --url argument points to a file archive.
EOF
fi
SERVICE_EXEC="$(cat "${__object}/parameter/service-exec" 2>/dev/null || true)"
if [ -z "${SERVICE_EXEC}" ]; then
SERVICE_EXEC="${BIN_DIR}/${BINARY}"
fi
SERVICE_ARGS="$(cat "${__object}/parameter/service-args")"
SERVICE_EXEC="${SERVICE_EXEC} ${SERVICE_ARGS}"
SERVICE_DESCRIPTION="$(cat "${__object}/parameter/service-description" \
2>/dev/null || true)"
if [ -z "${SERVICE_DESCRIPTION}" ]; then
SERVICE_DESCRIPTION="cdist-managed '${SERVICE_NAME}' service"
fi
SERVICE_DEFINITION="$(cat "${__object}/parameter/service-definition" 2>/dev/null || true)"
WORKING_DIRECTORY_PATH="$(cat "${__object}/parameter/working-directory" 2>/dev/null || true)"
if [ -n "${WORKING_DIRECTORY_PATH}" ]; then
WORKING_DIRECTORY_SYSTEMD="WorkingDirectory=${WORKING_DIRECTORY_PATH}"
WORKING_DIRECTORY_RUNIT="cd '${WORKING_DIRECTORY_PATH}'"
fi
DOWNLOAD_URL="$(cat "${__object}/parameter/url")"
CHECKSUM="$(cat "${__object}/parameter/checksum")"
SHOULD_VERSION="$(cat "${__object}/parameter/version")"
# Create a user for the service if it is not root
USER_HOME_DIR="/root"
if [ "${USER}" != "root" ] && \
[ ! -f "${__object}/parameter/do-not-manage-user" ]; then
if [ "${STATE}" = "absent" ]; then
# When removing, ensure user is not being used
user_require="${service_definition_require}"
fi
USER_HOME_DIR="$(cat "${__object}/parameter/user-home-dir")"
if [ "${USER_HOME_DIR}" != "/nonexistent" ]; then
USER_CREATE_HOME="--create-home"
fi
require="${require} ${user_require}" __user "${USER}" \
--system \
--state "${STATE}" \
--home "${USER_HOME_DIR}" \
--comment "cdist-managed service user" \
${USER_CREATE_HOME}
# Track dependencies
service_require="${service_require} __user/${USER}"
fi
# Place config file if necessary
CONFIG_FILE_DEST="${ETC_DIR}/${SERVICE_NAME}.conf"
CONFIG_FILE_SOURCE="$(cat "${__object}/parameter/config-file-source" 2>/dev/null || true)"
if [ "${CONFIG_FILE_SOURCE}" = "-" ]; then
CONFIG_FILE_SOURCE="${__object}/stdin"
fi
if [ -n "${CONFIG_FILE_SOURCE}" ] && [ "${STATE}" = "present" ]; then
require="${require} __user/${USER}" __file \
"${CONFIG_FILE_DEST}" \
--owner "${USER}" \
--group "${GROUP}" \
--mode "0440" \
--source "${CONFIG_FILE_SOURCE}"
service_require="${service_require} __file${CONFIG_FILE_DEST}"
fi
# These messages will trigger a service restart (overridden for systemd)
service_config_reload_pattern="^__file${CONFIG_FILE_DEST}"
# This should setup the object in $service_definition_require
# See above.
case "${INIT}" in
systemd)
if [ -z "${SERVICE_DEFINITION}" ]; then
SYSTEMD_ENV_FILE="/etc/systemd/system/${SERVICE_NAME}.env"
__file "${SYSTEMD_ENV_FILE}" \
--mode 0400 \
--source "${__object}/parameter/env"
# We need to take into account the envionment file for systemd too
service_config_reload_pattern="(${service_config_reload_pattern}|^__file${SYSTEMD_ENV_FILE})"
SERVICE_DEFINITION="$(cat <<EOF
[Unit]
Description=${SERVICE_DESCRIPTION}
After=network.target
[Service]
Type=simple
User=${USER}
Group=${GROUP}
ExecStart=${SERVICE_EXEC}
Restart=always
EnvironmentFile=${SYSTEMD_ENV_FILE}
${WORKING_DIRECTORY_SYSTEMD}
[Install]
WantedBy=multi-user.target
EOF
)"
fi
__systemd_unit "${SERVICE_NAME}.service" \
--source "-" \
--state "${STATE}" \
--enablement-state "enabled" <<EOF
${SERVICE_DEFINITION}
EOF
;;
runit|sysvinit)
if [ -z "${SERVICE_DEFINITION}" ]; then
RUNIT_ENV="$(sed -Ee 's!^([[:alnum:]_]+)=(.*)$!export \1=\2!' "${__object}/parameter/env")"
SERVICE_DEFINITION="$(cat <<EOF
#!/bin/sh -e
${WORKING_DIRECTORY_RUNIT}
# User-provided environment
${RUNIT_ENV}
# System vars
export HOME="\$(getent passwd '${USER}' | cut -d: -f6)"
export USER="${USER}"
export GROUP="${GROUP}"
exec 2>&1
exec chpst -u "${USER}:${GROUP}" ${SERVICE_EXEC}
EOF
)"
fi
__runit_service "${SERVICE_NAME}" \
--state "${STATE}" \
--log \
--source - <<EOF
${SERVICE_DEFINITION}
EOF
;;
esac
service_require="${service_require} ${service_definition_require}"
# Proceed after user and service description have been prepared
export require="${require} ${service_require}"
VERSION_FILE="${BIN_DIR}/.${SERVICE_NAME}.cdist.version"
IS_VERSION="$(cat "${__object}/explorer/explorer-version")"
if [ "${STATE}" = "absent" ]; then
# Perform cleanup of generated files
for bin_file in ${BINARY} ${EXTRA_BINARIES}; do
__file "${BIN_DIR}/${bin_file}" --state "absent"
done
__file "${VERSION_FILE}" --state "absent"
__file "${CONFIG_FILE_DEST}" --state "absent"
fi
if [ "${STATE}" != "present" ]; then
exit
fi
sv_cmd() {
# This is intentional
# shellcheck disable=SC2059
printf "${service_command}" "$1"
}
if [ "${SHOULD_VERSION}" != "${IS_VERSION}" ]; then
# We are installing the service and there has been a version change
# (or it is first-time install)
TMP_PATH="/tmp/${SERVICE_NAME}-${SHOULD_VERSION}"
# This is what will stop the service, replace the binaries and
# start the service again
perform_service_upgrade="$(cat <<EOF
$(sv_cmd stop) || true
if [ -f '${TMP_PATH}' ]; then
chown root:${SUPER_USER_GROUP} '${TMP_PATH}'
chmod 0555 '${TMP_PATH}'
cp -af '${TMP_PATH}' '${BIN_DIR}/${BINARY}'
else
for bin_file in ${BINARY} ${EXTRA_BINARIES}; do
bin_path="${TMP_PATH}/\${bin_file}"
chown root:${SUPER_USER_GROUP} "\${bin_path}"
chmod 0555 "\${bin_path}"
cp -af "\${bin_path}" "${BIN_DIR}/\${bin_file}"
done
fi
$(sv_cmd start) || true
EOF
)"
if [ -f "${__object}/parameter/unpack" ]; then
UNPACK_EXTENSION="$(cat "${__object}/parameter/unpack-extension")"
UNPACK_ARGS="$(cat "${__object}/parameter/unpack-args" \
2>/dev/null || true)"
# Download packed file
__download "${TMP_PATH}${UNPACK_EXTENSION}" \
--url "${DOWNLOAD_URL}" \
--download remote \
--sum "${CHECKSUM}"
# Unpack file and also perform service upgrade
# shellcheck disable=SC2086
require="__download${TMP_PATH}${UNPACK_EXTENSION}" \
__unpack "${TMP_PATH}${UNPACK_EXTENSION}" \
${UNPACK_ARGS} \
--destination "${TMP_PATH}"
version_bump_require="__unpack${TMP_PATH}${UNPACK_EXTENSION}"
else
# Create temp directory
__directory "${TMP_PATH}"
# Download binary directoy to the temp directory with the
# specified binary name
require="__directory${TMP_PATH}" __download \
"${TMP_PATH}/${BINARY}" \
--url "${DOWNLOAD_URL}" \
--download remote \
--sum "${CHECKSUM}"
version_bump_require="__download${TMP_PATH}/${BINARY}"
fi
# Perform update of cdist-managed version file
# And also perform service upgrade
# This is a bug if service_upgrade fails >,<
printf "%s" "${SHOULD_VERSION}" | \
require="${version_bump_require}" __file \
"${VERSION_FILE}" \
--onchange "${perform_service_upgrade}" \
--source "-"
else
# We only restart here if there was a config or env change
# but there was not a version change
require="${service_require}" __check_messages \
"single_binary_service_${__object_id}" \
--pattern "${service_config_reload_pattern}" \
--execute "$(sv_cmd restart)"
fi

View file

@ -1,2 +0,0 @@
do-not-manage-user
unpack

View file

@ -1 +0,0 @@
present

View file

@ -1 +0,0 @@
/nonexistent

View file

@ -1,14 +0,0 @@
config-file-source
env
user
group
state
binary
service-args
service-exec
service-description
service-definition
unpack-extension
unpack-args
user-home-dir
working-directory

View file

@ -1 +0,0 @@
extra-binary

View file

@ -1,3 +0,0 @@
url
checksum
version

View file

@ -38,8 +38,7 @@ install-key-to
Installation path of the certificate's private key. Installation path of the certificate's private key.
renew-hook renew-hook
Renew hook executed on certificate renewal (e.g. `service nginx reload`, `-` Renew hook executed on certificate renewal (e.g. `service nginx reload`).
for the standard input).
force-cert-ownership-to force-cert-ownership-to
Override default ownership for TLS certificate, passed as argument to chown. Override default ownership for TLS certificate, passed as argument to chown.

View file

@ -109,11 +109,7 @@ export CERT_TARGET
RENEW_HOOK= RENEW_HOOK=
if [ -f "${__object:?}/parameter/renew-hook" ]; if [ -f "${__object:?}/parameter/renew-hook" ];
then then
if [ "$(cat "${__object:?}/parameter/renew-hook")" = "-" ]; then
RENEW_HOOK="$(cat ${__object:?}/stdin)"
else
RENEW_HOOK="$(cat "${__object:?}/parameter/renew-hook")" RENEW_HOOK="$(cat "${__object:?}/parameter/renew-hook")"
fi
fi fi
export RENEW_HOOK export RENEW_HOOK