244 lines
8.2 KiB
Bash
Executable File
244 lines
8.2 KiB
Bash
Executable File
#!/bin/sh -e
|
|
|
|
os="$(cat "${__global}/explorer/os")"
|
|
init="$(cat "${__global}/explorer/init")"
|
|
case "${os}" in
|
|
devuan|debian)
|
|
;;
|
|
*)
|
|
echo "Your OS '${os}' is currently not supported." > /dev/stderr
|
|
exit 1
|
|
;;
|
|
esac
|
|
|
|
|
|
JITSI_HOST="${__target_host}"
|
|
if [ -f "${__object}/parameter/jitsi-version" ]; then
|
|
# This has been deprecated and will be removed 'soon'
|
|
JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
|
|
else
|
|
# Note this won't be a parameter anymore, we won't let users stay behind
|
|
JITSI_VERSION="$(cat "${__type}/files/jitsi-version")"
|
|
fi
|
|
TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
|
|
TURN_SECRET="$(cat "${__object}/parameter/turn-secret")"
|
|
|
|
if [ -z "${TURN_SERVER}" ]; then
|
|
TURN_SERVER="${JITSI_HOST}"
|
|
fi
|
|
|
|
PROMETHEUS_JITSI_EXPORTER_IS_VERSION="$(cat "${__object}/explorer/prometheus-jitsi-meet-explorer-version")"
|
|
|
|
# The rest is loosely based on Jitsi's documentation
|
|
# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart
|
|
|
|
# Setup repositories
|
|
## First the signing keys
|
|
### Remove old signing key
|
|
__apt_key "jitsi_meet_2016" \
|
|
--keyid "66A9 CD05 95D6 AFA2 4729 0D3B EF8B 479E 2DC1 389C" \
|
|
--use-deprecated-apt-key \
|
|
--state "absent"
|
|
### Add new signing key
|
|
require="__apt_key/jitsi_meet_2016" __apt_key jitsi_meet_2021 \
|
|
--source "${__type}/files/apt_2021.gpg" \
|
|
--state "present"
|
|
## Now the repositories (they are a tad weird, so distribution is 'stable/')
|
|
require="__apt_key/jitsi_meet_2021" __apt_source jitsi_meet \
|
|
--uri 'https://download.jitsi.org' \
|
|
--distribution 'stable/' \
|
|
--state present
|
|
## Ensure apt cache is up-to-date
|
|
require="__apt_source/jitsi_meet" __apt_update_index
|
|
|
|
export require="${require} __apt_source/jitsi_meet __apt_update_index"
|
|
|
|
# Pre-feed debconf settings, so Jitsi's installation has a good config
|
|
# shellcheck source=type/__jitsi_meet/files/debconf_settings.sh
|
|
. "${__type}/files/debconf_settings.sh" # This defines DEBCONF_SETTINGS
|
|
__debconf_set_selections jitsi_meet --line "${DEBCONF_SETTINGS}"
|
|
export require="${require} __debconf_set_selections/jitsi_meet"
|
|
|
|
# Install and upgrade packages as needed
|
|
# NOTE: we are doing version pinning again, but it breaks sometimes when
|
|
# the version is not the latest.
|
|
# This happens because dependencies might not be properly resolved.
|
|
# To avoid this, this type must be maintained up to date.
|
|
# If we don't use this, keeping Jitsi's up to date is very difficult.
|
|
__package_apt jitsi-meet --version "${JITSI_VERSION}"
|
|
|
|
# Proceed only after installation/upgrade has finished
|
|
export require="__package_apt/jitsi-meet"
|
|
|
|
# TODO: generalise and move out
|
|
# Prep nginx for acme settings
|
|
|
|
NGINX_ETC="/etc/nginx"
|
|
|
|
#
|
|
# Setup the acme-challenge snippet
|
|
#
|
|
__directory "${NGINX_ETC}/snippets" --state present
|
|
require="__directory${NGINX_ETC}/snippets" __file "${NGINX_ETC}/snippets/acme-challenge.conf" \
|
|
--mode 644 \
|
|
--source - << EOF
|
|
# This file is managed remotely, all changes will be lost
|
|
|
|
# This was heavily inspired by debops.org.
|
|
|
|
# Automatic Certificate Management Environment (ACME) support.
|
|
# https://tools.ietf.org/html/draft-ietf-acme-acme-01
|
|
# https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment
|
|
|
|
|
|
# Return the ACME challenge present in the server public root.
|
|
# If not found, switch to global web server root.
|
|
location ^~ /.well-known/acme-challenge/ {
|
|
default_type "text/plain";
|
|
try_files \$uri @well-known-acme-challenge;
|
|
}
|
|
|
|
# Return the ACME challenge present in the global server public root.
|
|
# If not present, redirect request to a specified domain.
|
|
location @well-known-acme-challenge {
|
|
root /usr/share/jitsi-meet;
|
|
default_type "text/plain";
|
|
try_files \$uri @redirect-acme-challenge;
|
|
}
|
|
|
|
# Redirect the ACME challenge to a different host. If a redirect loop is
|
|
# detected, return 404.
|
|
location @redirect-acme-challenge {
|
|
if (\$arg_redirect) {
|
|
return 404;
|
|
}
|
|
return 307 \$scheme://${ACME_DOMAIN}\$request_uri?redirect=yes;
|
|
}
|
|
|
|
# Return 404 if ACME challenge well known path is accessed directly.
|
|
location = /.well-known/acme-challenge/ {
|
|
return 404;
|
|
}
|
|
EOF
|
|
|
|
__directory "${NGINX_ETC}/sites-available" --state present
|
|
require="__directory${NGINX_ETC}/sites-available" __file "${NGINX_ETC}/sites-available/default" \
|
|
--mode 644 \
|
|
--source - << EOF
|
|
# This file is managed remotely, all changes will be lost
|
|
|
|
server_names_hash_bucket_size 64;
|
|
|
|
types {
|
|
# nginx's default mime.types doesn't include a mapping for wasm
|
|
application/wasm wasm;
|
|
}
|
|
|
|
server {
|
|
|
|
# Listen on IPv4
|
|
listen 80;
|
|
# Note: there is an ipv6only=off flag, but it is Linux-only
|
|
# incidentally, that defaults to "on", which is what causes
|
|
# not having the double listen to listen on IPv6-only
|
|
listen [::]:80;
|
|
|
|
server_name welcome;
|
|
|
|
root /srv/www/sites/welcome/public;
|
|
|
|
include snippets/acme-challenge.conf;
|
|
|
|
location / {
|
|
return 301 https://\$host\$request_uri;
|
|
}
|
|
}
|
|
EOF
|
|
|
|
if [ -f "${__object}/parameter/secured-domains" ]; then
|
|
SECURED_DOMAINS_STATE='present'
|
|
else
|
|
SECURED_DOMAINS_STATE='absent'
|
|
fi
|
|
|
|
# This is the main host config
|
|
PROSODY_MAIN_CONFIG="YES"
|
|
# Prosody settings for common components (jvb, focus, ...)
|
|
# shellcheck source=type/__jitsi_meet/files/prosody.cfg.lua.sh
|
|
. "${__type}/files/prosody.cfg.lua.sh" # This defines PROSODY_CONFIG
|
|
__file "/etc/prosody/conf.d/00_jitsi_base.cfg.lua" \
|
|
--group prosody \
|
|
--mode 0440 \
|
|
--source - <<EOF
|
|
${PROSODY_CONFIG}
|
|
EOF
|
|
|
|
# Clean up zauth.cfg.lua file, which we don't use now
|
|
__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
|
|
--state absent
|
|
|
|
export SECURED_DOMAINS_STATE
|
|
export JITSI_HOST
|
|
"${__type}/files/jicofo.conf.sh" | \
|
|
__file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-'
|
|
|
|
# These two should be changed on new release
|
|
PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5"
|
|
PROMETHEUS_JITSI_EXPORTER_CHECKSUM="sha256:3ddf43a48d9a2f62be1bc6db9e7ba75d61994f9423e5c5b28be019f41f06f745"
|
|
PROMETHEUS_JITSI_EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}/prometheus-jitsi-meet-exporter-linux-amd64"
|
|
PROMETHEUS_JITSI_EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version"
|
|
if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then
|
|
case "${init}" in
|
|
init|sysvinit)
|
|
__runit
|
|
require="__runit" __runit_service \
|
|
prometheus-jitsi-meet-exporter --log --source - <<EOF
|
|
#!/bin/sh -e
|
|
cd /tmp
|
|
exec chpst -u "nobody:nogroup" env HOME="/tmp" \\
|
|
prometheus-jitsi-meet-exporter \\
|
|
-videobridge-url 'http://localhost:8888/stats' \\
|
|
-web.listen-address ':9888' 2>&1
|
|
EOF
|
|
|
|
export require="__runit_service/prometheus-jitsi-meet-exporter"
|
|
JITSI_MEET_EXPORTER_SERVICE="sv %s prometheus-jitsi-meet-exporter"
|
|
;;
|
|
systemd)
|
|
__systemd_unit prometheus-jitsi-meet-exporter.service \
|
|
--source "-" \
|
|
--enablement-state "enabled" <<EOF
|
|
[Unit]
|
|
Description=Metrics Exporter for Jitsi Meet
|
|
After=network.target
|
|
|
|
[Service]
|
|
Type=simple
|
|
DynamicUser=yes
|
|
ExecStart=/usr/local/bin/prometheus-jitsi-meet-exporter -videobridge-url 'http://localhost:8888/stats' -web.listen-address ':9888'
|
|
Restart=always
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
EOF
|
|
export require="__systemd_unit/prometheus-jitsi-meet-exporter.service"
|
|
JITSI_MEET_EXPORTER_SERVICE="service prometheus-jitsi-meet-exporter %s"
|
|
;;
|
|
esac
|
|
if [ "${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}" != \
|
|
"${PROMETHEUS_JITSI_EXPORTER_IS_VERSION}" ]; then
|
|
# shellcheck disable=SC2059
|
|
__download \
|
|
/tmp/prometheus-jitsi-meet-exporter \
|
|
--url "${PROMETHEUS_JITSI_EXPORTER_URL}" \
|
|
--download remote \
|
|
--sum "${PROMETHEUS_JITSI_EXPORTER_CHECKSUM}" \
|
|
--onchange "$(printf "${JITSI_MEET_EXPORTER_SERVICE}" "stop") || true; chmod 555 /tmp/prometheus-jitsi-meet-exporter && mv /tmp/prometheus-jitsi-meet-exporter /usr/local/bin/prometheus-jitsi-meet-exporter && $(printf "${JITSI_MEET_EXPORTER_SERVICE}" "restart")"
|
|
printf "%s" "${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}" | \
|
|
require="${require} __download/tmp/prometheus-jitsi-meet-exporter" __file \
|
|
"${PROMETHEUS_JITSI_EXPORTER_VERSION_FILE}" \
|
|
--source "-"
|
|
fi
|
|
fi
|
|
# TODO: disable the exporter if it is deployed and then admin changes their mind
|