cdist-contrib/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh

#!/bin/sh -eu

# Source:
# https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example
FOCUS_USER="focus"
JITSI_DOMAIN="${JITSI_DOMAIN:-${JITSI_HOST:?}}"
# PROSODY_MAIN_CONFIG: defined in __jitsi_meet, empty in __jitsi_meet_domain
PROSODY_SECUREDOMAIN_START="--[["
PROSODY_SECUREDOMAIN_END="--]]"
if [ -n "${PROSODY_MAIN_CONFIG}" ]; then
	PROSODY_MAIN_START=""
	PROSODY_MAIN_END=""
	PROSODY_DOMAIN_START="--[["
	PROSODY_DOMAIN_END="--]]"
else
	PROSODY_MAIN_START="--[["
	PROSODY_MAIN_END="--]]"
	PROSODY_DOMAIN_START=""
	PROSODY_DOMAIN_END=""
	if [ -n "${SECURED_DOMAINS}" ]; then
		PROSODY_SECUREDOMAIN_START=""
		PROSODY_SECUREDOMAIN_END=""
	fi
fi
# Websockets haven't been fully tested in this type and don't work reliably
PROSODY_WEBSOCKET="-- "

# shellcheck disable=SC2034  # This is intended to be included
PROSODY_CONFIG="$(cat <<EOFPROSODY
-- Managed remotely, changes will be lost
${PROSODY_MAIN_START}
-- This will be managed by __jitsi_meet
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "${JITSI_HOST:?}";

external_service_secret = "${TURN_SECRET:-TurnSecret}";
external_services = {
     { type = "stun", host = "${JITSI_HOST:?}", port = 3478 },
     { type = "turn", host = "${JITSI_HOST:?}", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
     { type = "turns", host = "${JITSI_HOST:?}", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;
-- Use websockets
-- https://community.jitsi.org/t/how-to-how-to-enable-websockets-xmpp-websocket-and-smacks-for-prosody/87920
${PROSODY_WEBSOCKET}consider_websocket_secure = true;

-- https_ports = { }; -- Remove this line to prevent listening on port 5284

-- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
--http_cors_override = {
--    bosh = {
--        enabled = false;
--    };
--    websocket = {
--        enabled = false;
--    };
--}

-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
    protocol = "tlsv1_2+";
    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}

unlimited_jids = {
    "${FOCUS_USER:?}@auth.${JITSI_HOST:?}",
    "jvb@auth.${JITSI_HOST:?}"
}
${PROSODY_MAIN_END}

${PROSODY_DOMAIN_START}
-- This will be managed by __jitsi_meet_domain
VirtualHost "${JITSI_DOMAIN:?}"
    -- enabled = false -- Remove this line to enable this host
    authentication = "anonymous"
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    --app_id="example_app_id"
    --app_secret="example_app_secret"
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/${JITSI_DOMAIN:?}.key";
        certificate = "/etc/prosody/certs/${JITSI_DOMAIN:?}.crt";
    }
    av_moderation_component = "avmoderation.${JITSI_DOMAIN:?}"
    speakerstats_component = "speakerstats.${JITSI_DOMAIN:?}"
    conference_duration_component = "conferenceduration.${JITSI_DOMAIN:?}"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "external_services";
        "conference_duration";
        "muc_lobby_rooms";
        "muc_breakout_rooms";
        "av_moderation";
${PROSODY_WEBSOCKET}        "websocket";
${PROSODY_WEBSOCKET}        "smacks";
    }
    smacks_max_unacked_stanzas = 5;
    smacks_hibernation_time = 60;
    smacks_max_hibernated_sessions = 1;
    smacks_max_old_sessions = 1;
    c2s_require_encryption = false
    lobby_muc = "lobby.${JITSI_DOMAIN:?}"
    breakout_rooms_muc = "breakout.${JITSI_DOMAIN:?}"
    main_muc = "conference.${JITSI_DOMAIN:?}"
    -- muc_lobby_whitelist = { "recorder.${JITSI_DOMAIN:?}" } -- Here we can whitelist jibri to enter lobby enabled rooms

Component "conference.${JITSI_DOMAIN:?}" "muc"
    restrict_room_creation = true
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "polls";
        --"token_verification";
        "muc_rate_limit";
    }
    admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
    muc_room_locking = false
    muc_room_default_public_jids = true

Component "breakout.${JITSI_DOMAIN:?}" "muc"
    restrict_room_creation = true
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        --"token_verification";
        "muc_rate_limit";
        "polls";
    }
    admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
    muc_room_locking = false
    muc_room_default_public_jids = true

-- internal muc component
Component "internal.auth.${JITSI_DOMAIN:?}" "muc"
    storage = "memory"
    modules_enabled = {
        "ping";
    }
    admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}", "jvb@auth.${JITSI_HOST:?}" }
    muc_room_locking = false
    muc_room_default_public_jids = true
    -- https://prosody.im/doc/modules/mod_muc
    muc_room_cache_size = 1000
${PROSODY_DOMAIN_END}
${PROSODY_MAIN_START}
-- This will be managed by __jitsi_meet

VirtualHost "auth.${JITSI_DOMAIN:?}"
    ssl = {
       key = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.key";
       certificate = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.crt";
    }

    modules_enabled = {
        "limits_exception";
    }
    authentication = "internal_hashed"
${PROSODY_MAIN_END}
${PROSODY_DOMAIN_START}
-- This will be managed by __jitsi_meet_domain

-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
Component "focus.${JITSI_DOMAIN:?}" "client_proxy"
    -- Single focus user for the whole instance
    target_address = "${FOCUS_USER:?}@auth.${JITSI_HOST:?}"

Component "speakerstats.${JITSI_DOMAIN:?}" "speakerstats_component"
    muc_component = "conference.${JITSI_DOMAIN:?}"

Component "conferenceduration.${JITSI_DOMAIN:?}" "conference_duration_component"
    muc_component = "conference.${JITSI_DOMAIN:?}"

Component "avmoderation.${JITSI_DOMAIN:?}" "av_moderation_component"
    muc_component = "conference.${JITSI_DOMAIN:?}"

Component "lobby.${JITSI_DOMAIN:?}" "muc"
    storage = "memory"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true
    modules_enabled = {
        "muc_rate_limit";
        "polls";
    }
${PROSODY_DOMAIN_END}

--[[
-- Enabled dial-in for JaaS customers
-- Note: make sure you have the following packages installed: lua-basexx, liblua5.3-dev, libssl-dev, luarocks
-- and execute $ sudo luarocks install luajwtjitsi 3.0-0
VirtualHost "jigasi.meet.jitsi"
    enabled = false -- JaaS customers remove this line
    modules_enabled = {
      "ping";
      "bosh";
    }
    authentication = "token"
    app_id = "jitsi";
    asap_key_server = "https://jaas-public-keys.jitsi.net/jitsi-components/prod-8x8"
    asap_accepted_issuers = { "jaas-components" }
    asap_accepted_audiences = { "jigasi.jitmeet.example.com" }
--]]

${PROSODY_SECUREDOMAIN_START}
-- Only used on secured domains
VirtualHost "${JITSI_DOMAIN}"
    authentication = "internal_plain"

VirtualHost "guest.${JITSI_DOMAIN}"
    authentication = "anonymous"
    c2s_require_encryption = false
${PROSODY_SECUREDOMAIN_END}
EOFPROSODY
)"