Update to 2021-12-01 19:13

roles/jitsi/defaults/main.yml

@@ -0,0 +1,272 @@
+---
+
+jitsi_root_dir: /opt/jitsi
+jitsi_user: jitsi
+
+# List of IP or CIDR for which web resources will be served
+# It can be different from jitsi_videobridge_src_ip is web access is done through
+# a reverse proxy
+jitsi_web_src_ip:
+  - 0.0.0.0/0
+
+jitsi_jicofo_git_url: https://github.com/jitsi/jicofo.git
+jitsi_jigasi_git_url: https://github.com/jitsi/jigasi.git
+jitsi_meet_git_url: https://github.com/jitsi/jitsi-meet.git
+
+# Should ansible handle upgrades, or only initial install ?
+jitsi_manage_upgrade: True
+
+# XMPP server to connect to. Default is the same machine
+jitsi_xmpp_server: "{{ inventory_hostname }}"
+# Port on which to connect to the XMPP server to register as a component
+jitsi_xmpp_component_port: 5347
+
+# Account for videobridge
+jitsi_jvb_xmpp_user: "{{ jitsi_videobridge_xmpp_user | default('jvb') }}"
+jitsi_jvb_xmpp_domain: "{{ jitsi_videobridge_xmpp_domain | default(jitsi_auth_domain) }}"
+# jitsi_jvb_xmpp_pass: 
+
+jitsi_stun_servers: []
+# jitsi_stun_servers:
+#   - stun:meet-jit-si-turnrelay.jitsi.net:443
+
+jitsi_turn_secret: "{{ turnserver_auth_secret | default('p@ssw0rd') }}"
+
+# Authentication. Can be set to
+#  * False : no authentication at all (can also be None)
+#  * sso : In this case, you have to protect /login with your SSO system (through a reverse proxy)
+#    And once authenticated, send the HTTP headers mail and displayName with the appropriate values
+#    Note that jitsi Android client does not support sso authentication, so mobile users will be able
+#    to join an existing conf, but not create one easily
+#  * ldap : Will use an LDAP server for authentication. Works on mobile, but is a bit less convinient
+#    than sso for desktop users. See all the jitsi_ldap_xxxx settings
+jitsi_auth: False
+
+jitsi_jicofo_xmpp_user: focus
+jitsi_jicofo_xmpp_domain: "{{ jitsi_auth_domain }}"
+# Password for the focus user on the auth domain
+# jitsi_jicofo_xmpp_pass: p@ssw0rd
+
+jitsi_domain: "{{ inventory_hostname }}"
+jitsi_auth_domain: auth.{{ jitsi_domain }}
+
+# Can be either true, in which case a cert will be automatically obtained using letsencrypt
+# or can be a name, in which case you have to configure letsencrypt to obtain the cert yourself
+# jitsi_letsencrypt_cert: True
+# or
+# jitsi_letsencrypt_cert: jitsi.example.com
+#
+# or, you can also set custom cert path
+#
+# jitsi_cert_path: /etc/jitsi/ssl/cert.pem
+# jitsi_key_path: /etc/jitsi/ssl/key.pem
+
+# Meet configuration. Will be converted to JSON
+# See https://github.com/jitsi/jitsi-meet/blob/master/config.js for available settings and their meaning
+jitsi_meet_conf_base:
+  hosts:
+    domain: "{{ jitsi_domain }}"
+    muc: conference.{{ jitsi_domain }}
+  bosh: '//{{ jitsi_domain }}/http-bind'
+  websocket: wss://{{ jitsi_domain }}/xmpp-websocket
+  clientNode: http://jitsi.org/jitsimeet
+  focusUserJid: "{{ jitsi_jicofo_xmpp_user }}@{{ jitsi_auth_domain }}"
+  disableAudioLevels: True
+  enableNoAudioDetection: True
+  enableNoisyMicDetection: False
+  startAudioMuted: 10
+  maxFullResolutionParticipants: 4
+  desktopSharingFrameRate:
+    min: 5
+    max: 30
+  liveStreamingEnabled: False
+  channelLastN: -1
+  requireDisplayName: False
+  prejoinPageEnabled: True
+  enableInsecureRoomNameWarning: True
+  disableThirdPartyRequests: True
+  enableWelcomePage: True
+  useStunTurn: True
+  localRecording:
+    enabled: True
+  p2p:
+    enabled: False
+    stunServers: "{{ jitsi_stun_servers }}"
+  analytics:
+    disabled: True
+  toolbarButtons:
+    - camera
+    - chat
+    - desktop
+    - etherpad
+    - fullscreen
+    - hangup
+    - invite
+    - microphone
+    - mute-everyone
+    - mute-video-everyone
+    - participants-pane
+    - profile
+    - raisehand
+    - recording
+    - security
+    - select-background
+    - settings
+    - sharedvideo
+    - shortcuts
+    - stats
+    - tileview
+    - toggle-camera
+    - videoquality
+  dialInNumbersUrl: https://{{ jitsi_domain }}/phoneNumberList
+  dialInConfCodeUrl: https://{{ jitsi_domain }}/conferenceMapper
+jitsi_meet_conf_extra: {}
+jitsi_meet_conf: "{{ jitsi_meet_conf_base | combine(jitsi_meet_conf_extra, recursive=True) }}"
+
+# Meet interface configuration. Will be converted to JSON
+# See https://github.com/jitsi/jitsi-meet/blob/master/interface_config.js for available settings and their meaning
+jitsi_meet_interface_conf_base:
+  DEFAULT_BACKGROUND: '#474747'
+  DISABLE_VIDEO_BACKGROUND: False
+  INITIAL_TOOLBAR_TIMEOUT: 20000
+  TOOLBAR_TIMEOUT: 4000
+  TOOLBAR_ALWAYS_VISIBLE: False
+  DEFAULT_REMOTE_DISPLAY_NAME: Happy User
+  DEFAULT_LOCAL_DISPLAY_NAME: Me
+  SHOW_JITSI_WATERMARK: False
+  JITSI_WATERMARK_LINK: 'https://jitsi.org'
+  SHOW_BRAND_WATERMARK: False
+  BRAND_WATERMARK_LINK: 'https://www.firewall-services.com'
+  DEFAULT_WELCOME_PAGE_LOGO_URL: 'images/watermark.svg'
+  DEFAULT_LOGO_URL: 'images/watermark.svg'
+  PROVIDER_NAME: 'Firewall Services'
+  SHOW_POWERED_BY: False
+  SHOW_DEEP_LINKING_IMAGE: False
+  DISPLAY_WELCOME_FOOTER: True,
+  DISPLAY_WELCOME_PAGE_ADDITIONAL_CARD: False
+  DISPLAY_WELCOME_PAGE_CONTENT: False
+  DISPLAY_WELCOME_PAGE_TOOLBAR_ADDITIONAL_CONTENT: False
+  GENERATE_ROOMNAMES_ON_WELCOME_PAGE: True
+  APP_NAME: Jitsi Meet
+  NATIVE_APP_NAME: Jitsi Meet
+  INVITATION_POWERED_BY: True
+  LANG_DETECTION: True
+  AUTHENTICATION_ENABLE: True
+  SETTINGS_SECTIONS:
+    - devices
+    - language
+    - moderator
+    - profile
+    - calendar
+  VIDEO_LAYOUT_FIT: both
+  VERTICAL_FILMSTRIP: True
+  CLOSE_PAGE_GUEST_HINT: False
+  SHOW_PROMOTIONAL_CLOSE_PAGE: False
+  RANDOM_AVATAR_URL_PREFIX: False
+  RANDOM_AVATAR_URL_SUFFIX: False
+  FILM_STRIP_MAX_HEIGHT: 120
+  ENABLE_FEEDBACK_ANIMATION: False
+  DISABLE_FOCUS_INDICATOR: False
+  DISABLE_DOMINANT_SPEAKER_INDICATOR: False
+  DISABLE_TRANSCRIPTION_SUBTITLES: True
+  DISABLE_RINGING: False
+  AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)'
+  AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)'
+  POLICY_LOGO: Null
+  LOCAL_THUMBNAIL_RATIO: '16 / 9' # 16:9
+  REMOTE_THUMBNAIL_RATIO: 1 # 1:1
+  LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live'
+  MOBILE_APP_PROMO: True
+  MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet'
+  MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/'
+  MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905'
+  MAXIMUM_ZOOMING_COEFFICIENT: 1.3
+  SUPPORT_URL: https://community.jitsi.org/
+  CONNECTION_INDICATOR_AUTO_HIDE_ENABLED: True
+  CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT: 5000
+  CONNECTION_INDICATOR_DISABLED: False
+  VIDEO_QUALITY_LABEL_DISABLED: False
+  RECENT_LIST_ENABLED: True
+  OPTIMAL_BROWSERS: 
+    - chrome
+    - chromium
+    - firefox
+    - nwjs
+    - electron
+    - safari
+  UNSUPPORTED_BROWSERS: []
+  AUTO_PIN_LATEST_SCREEN_SHARE: remote-only
+  DISABLE_PRESENCE_STATUS: False
+  DISABLE_JOIN_LEAVE_NOTIFICATIONS: False
+  SHOW_CHROME_EXTENSION_BANNER: False
+  ENABLE_DIAL_OUT: "{{ (jitsi_jigasi_sip_server is defined) | ternary(True, False) }}"
+
+jitsi_meet_interface_conf_extra: {}
+jitsi_meet_interface_conf: "{{ jitsi_meet_interface_conf_base | combine(jitsi_meet_interface_conf_extra, recursive=True) }}"
+
+# You can customize strings here (lang/main-XX.json)
+jitsi_meet_custom_lang:
+  fr:
+    welcomepage:
+      headerSubtitle: >-
+        La vidéoconférence simple, sécurisée, libre
+      startMeeting: >-
+        C'est parti !
+      appDescription: >-
+        Choisissez un nom ou bien laisser le système en créer un pour vous,
+        partagez le lien avec qui vous voulez.
+        Jamais la vidéoconférence n'a été aussi simple
+
+
+# If jitsi_auth is ldap
+# We inherit values from prosody if available, or we try to get values from ad_auth or ldap_auth
+jitsi_ldap_base: "{{ prosody_ldap_base | default(ad_auth | default(False) | ternary((ad_ldap_user_search_base is defined) | ternary(ad_ldap_user_search_base,'DC=' + ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\\.',',DC=')), ldap_user_base | default('ou=Users') + ',' + ldap_base | default(ansible_domain | regex_replace('\\.','dc=')))) }}"
+jitsi_ldap_servers: "{{ prosody_ldap_server | default(ad_ldap_servers | default([ad_auth | default(False) | ternary(ad_realm | default(samba_realm) | default(ansible_domain) | lower, ldap_uri | default('ldap://' + ansible_domain) | urlsplit('hostname'))]))}}"
+jitsi_ldap_bind_dn: "{{ prosody_ldap_bind_dn | default(None) }}"
+jitsi_ldap_bind_pass: "{{ prosody_ldap_bind_pass | default(None) }}"
+jitsi_ldap_filter: "{{ prosody_ldap_filter | default(ad_auth | default(False) | ternary('(&(objectClass=user)(sAMAccountName=%s))','(&(objectClass=inetOrgPerson)(uid=%s))')) }}"
+jitsi_ldap_starttls: "{{ prosody_ldap_starttls | default(True) }}"
+
+# Jigasi settings
+
+# Default room on which to connect inbound SIP calls
+# if no Jitsi-Conference-Room SIP header is found
+jitsi_jigasi_default_room: sip
+
+# SIP settings
+#jitsi_jigasi_sip_user:
+#jitsi_jigasi_sip_secret:
+#jitsi_jigasi_sip_server:
+jitsi_jigasi_sip_port: 5060
+jitsi_jigasi_sip_transport: UDP
+
+jitsi_jigasi_xmpp_user: jigasi
+jitsi_jigasi_xmpp_domain: "{{ jitsi_auth_domain }}"
+# Password to auth as an XMPP user. A random one will be created if missing
+#jitsi_jigasi_xmpp_pass:
+
+# conferenceMapper is used for inbound SIP call
+jitsi_confmapper_port: 8823
+jitsi_confmapper_src_ip: []
+jitsi_confmapper_conf_base:
+  numbers: {}
+  # numbers:
+  #   FR:
+  #     - +335 99 99 99 99
+  #     - +339 88 88 88 88
+  #   EN:
+  #     - 555 555 555
+  port: "{{ jitsi_confmapper_port }}"
+  host: 0.0.0.0
+  expire_seconds: 86400
+  id_max_length: 4
+  db_file: "{{ jitsi_root_dir }}/data/confmapper/confmapper.sqlite"
+jitsi_confmapper_conf_extra: {}
+jitsi_confmapper_conf: "{{ jitsi_confmapper_conf_base | combine(jitsi_confmapper_conf_extra, recursive=True) }}"
+
+# This is for Jibri integration
+jitsi_jibri_xmpp_user: jibri
+# jitsi_jibri_xmpp_pass: s3cr3t.
+jitsi_jibri_recorder_xmpp_user: recorder
+# jitsi_jibri_recorder_xmpp_pass: p@ssw0rd
+

roles/jitsi/handlers/main.yml

@@ -0,0 +1,15 @@
+---
+
+- include: ../prosody/handlers/main.yml
+
+- name: restart jitsi-videobridge
+  service: name=jitsi-videobridge state=restarted
+
+- name: restart jitsi-jicofo
+  service: name=jitsi-jicofo state=restarted
+
+- name: restart jitsi-jigasi
+  service: name=jitsi-jigasi state={{ jitsi_jigasi | ternary('restarted', 'stopped') }}
+
+- name: restart jitsi-confmapper
+  service: name=jitsi-confmapper state={{ jitsi_jigasi | ternary('restarted', 'stopped') }}

roles/jitsi/meta/main.yml

@@ -0,0 +1,8 @@
+---
+
+dependencies:
+  - role: repo_nodejs
+  - role: maven
+  - role: prosody
+    when: jitsi_xmpp_server in ['127.0.0.1', 'localhost', inventory_hostname]
+  - role: nginx

roles/jitsi/tasks/cleanup.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Remove temp files
+  file: path={{ item }} state=absent
+  loop:
+    - "{{ jitsi_root_dir }}/tmp/jicofo-1.1-SNAPSHOT"
+    - "{{ jitsi_root_dir }}/src/jicofo/target"
+    - "{{ jitsi_root_dir }}/tmp/jigasi-linux-x64-1.1-SNAPSHOT"
+    - "{{ jitsi_root_dir }}/src/jigasi/target"
+  tags: jitsi

roles/jitsi/tasks/conf.yml

@@ -0,0 +1,72 @@
+---
+
+- name: Deploy prosody configuration
+  template: src=prosody.cfg.lua.j2 dest=/etc/prosody/ansible_conf.d/jitsi.cfg.lua group=prosody mode=640
+  register: jitsi_prosody_conf
+  when: jitsi_xmpp_server in ['localhost', '127.0.0.1', inventory_hostname]
+  tags: jitsi
+
+- name: Register XMPP accounts
+  block:
+    - name: Reload prosody
+      service: name=prosody state=restarted
+
+    - name: register XMPP users
+      command: prosodyctl register {{ item.user }} {{ jitsi_auth_domain }} '{{ item.pass }}'
+      loop:
+        - user: "{{ jitsi_jvb_xmpp_user }}"
+          pass: "{{ jitsi_jvb_xmpp_pass }}"
+        - user: "{{ jitsi_jicofo_xmpp_user }}"
+          pass: "{{ jitsi_jicofo_xmpp_pass }}"
+        - user: "{{ jitsi_jigasi_xmpp_user }}"
+          pass: "{{ jitsi_jigasi_xmpp_pass }}"
+        - user: "{{ jitsi_jibri_xmpp_user }}"
+          pass: "{{ jitsi_jibri_xmpp_pass }}"
+
+    - name: Register recorder XMPP account
+      command: prosodyctl register {{ jitsi_jibri_recorder_xmpp_user }} recorder.{{ jitsi_domain }} '{{ jitsi_jibri_recorder_xmpp_pass }}'
+
+    - name: add focus component in focus user roster
+      command: prosodyctl mod_roster_command subscribe focus.{{ jitsi_domain }} {{ jitsi_jicofo_xmpp_user }}@{{ jitsi_auth_domain }}
+
+  when: jitsi_prosody_conf is defined and jitsi_prosody_conf.changed
+  tags: jitsi
+
+- name: Deploy jicofo configuration
+  template: src=jicofo/{{ item }}.j2 dest={{ jitsi_root_dir }}/etc/jicofo/{{ item }} group={{ jitsi_user }} mode=640
+  loop:
+    - jicofo.conf
+    - sip-communicator.properties
+  notify: restart jitsi-jicofo
+  tags: jitsi
+
+- name: Deploy jigasi configuration
+  template: src=jigasi/{{ item }}.j2 dest={{ jitsi_root_dir }}/etc/jigasi/{{ item }} group={{ jitsi_user }} mode=640
+  loop:
+    - jigasi.conf
+    - sip-communicator.properties
+  notify: restart jitsi-jigasi
+  tags: jitsi
+
+- name: Deploy meet configuration
+  template: src={{ item.src }}.j2 dest={{jitsi_root_dir }}/meet/{{ item.dest }}
+  loop:
+    - src: meet.js
+      dest: config.js
+    - src: meet_interface.js
+      dest: interface_config.js
+  tags: jitsi
+
+- name: Deploy nginx configuration
+  template: src=nginx.conf.j2 dest=/etc/nginx/ansible_conf.d/10-jitsi.conf
+  notify: reload nginx
+  tags: jitsi
+
+- name: Deploy conference mapper configuration
+  template: src=confmapper.json.j2 dest={{ jitsi_root_dir }}/etc/confmapper/config.json
+  notify: restart jitsi-confmapper
+  tags: jitsi
+
+- name: Link conference mapper configuration
+  file: path={{ jitsi_root_dir }}/confmapper/config.json src={{ jitsi_root_dir }}/etc/confmapper/config.json state=link
+  tags: jitsi

roles/jitsi/tasks/directories.yml

@@ -0,0 +1,54 @@
+---
+
+- name: Create directories
+  file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  loop:
+    - dir: "{{ jitsi_root_dir }}"
+      mode: 755
+    - dir: "{{ jitsi_root_dir }}/.m2"
+      owner: "{{ jitsi_user }}"
+      group: "{{ jitsi_user }}"
+    - dir: "{{ jitsi_root_dir }}/tmp"
+      owner: "{{ jitsi_user }}"
+      group: "{{ jitsi_user }}"
+      mode: 700
+    - dir: "{{ jitsi_root_dir }}/src/videobridge"
+      owner: "{{ jitsi_user }}"
+    - dir: "{{ jitsi_root_dir }}/src/jicofo"
+      owner: "{{ jitsi_user }}"
+    - dir: "{{ jitsi_root_dir }}/src/jigasi"
+      owner: "{{ jitsi_user }}"
+    - dir: "{{ jitsi_root_dir }}/src/meet"
+      owner: "{{ jitsi_user }}"
+    - dir: "{{ jitsi_root_dir }}/videobridge"
+    - dir: "{{ jitsi_root_dir }}/jibri"
+    - dir: "{{ jitsi_root_dir }}/jicofo"
+    - dir: "{{ jitsi_root_dir }}/jigasi"
+    - dir: "{{ jitsi_root_dir }}/meet"
+    - dir: "{{ jitsi_root_dir }}/meta"
+      mode: 700
+    - dir: "{{ jitsi_root_dir }}/archives"
+      mode: 700
+    - dir: "{{ jitsi_root_dir }}/etc/"
+      mode: 755
+    - dir: "{{ jitsi_root_dir }}/etc/videobridge"
+      owner: "{{ jitsi_user }}"
+      group: "{{ jitsi_user }}"
+      mode: 700
+    - dir: "{{ jitsi_root_dir }}/etc/jicofo"
+      owner: "{{ jitsi_user }}"
+      group: "{{ jitsi_user }}"
+      mode: 700
+    - dir: "{{ jitsi_root_dir }}/etc/jigasi"
+      owner: "{{ jitsi_user }}"
+      group: "{{ jitsi_user }}"
+      mode: 700
+    - dir: "{{ jitsi_root_dir }}/etc/confmapper"
+    - dir: "{{ jitsi_root_dir }}/data"
+      mode: 755
+    - dir: "{{ jitsi_root_dir }}/data/confmapper"
+      owner: "{{ jitsi_user }}"
+      group: "{{ jitsi_user }}"
+      mode: 700
+    - dir: "{{ jitsi_root_dir }}/confmapper"
+  tags: jitsi

roles/jitsi/tasks/facts.yml

@@ -0,0 +1,104 @@
+---
+
+- name: Set if jigasi is used
+  set_fact: jitsi_jigasi={{ (jitsi_jigasi_sip_user is defined and jitsi_jigasi_sip_secret is defined) | ternary(True, False) }}
+  tags: jitsi
+
+- name: Generate a random secret for videobridge
+  block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ jitsi_root_dir }}/meta/ansible_videobridge_xmpp_pass"
+    - set_fact: jitsi_jvb_xmpp_pass={{ rand_pass }}
+  when: jitsi_jvb_xmpp_pass is not defined
+  tags: jitsi
+
+- name: Generate a random password for the focus account
+  block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ jitsi_root_dir }}/meta/ansible_jicofo_xmpp_pass"
+    - set_fact: jitsi_jicofo_xmpp_pass={{ rand_pass }}
+  when: jitsi_jicofo_xmpp_pass is not defined
+  tags: jitsi
+
+- name: Generate a random secret for jigasi
+  block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ jitsi_root_dir }}/meta/ansible_jigasi_xmpp_secret"
+    - set_fact: jitsi_jigasi_xmpp_secret={{ rand_pass }}
+  when: jitsi_jigasi_xmpp_secret is not defined
+  tags: jitsi
+
+- name: Generate a random password for jigasi XMPP account
+  block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ jitsi_root_dir }}/meta/ansible_jigasi_xmpp_pass"
+    - set_fact: jitsi_jigasi_xmpp_pass={{ rand_pass }}
+  when: jitsi_jigasi_xmpp_pass is not defined
+  tags: jitsi
+
+- name: Generate a random password for jibri XMPP account
+  block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ jitsi_root_dir }}/meta/ansible_jibri_xmpp_pass"
+    - set_fact: jitsi_jibri_xmpp_pass={{ rand_pass }}
+  when: jitsi_jibri_xmpp_pass is not defined
+  tags: jitsi
+
+- name: Generate a random password for recorder XMPP account
+  block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ jitsi_root_dir }}/meta/ansible_jibri_recorder_xmpp_pass"
+    - set_fact: jitsi_jibri_recorder_xmpp_pass={{ rand_pass }}
+  when: jitsi_jibri_recorder_xmpp_pass is not defined
+  tags: jitsi
+
+- name: Set certificate path
+  set_fact: jitsi_cert_path='/etc/prosody/certs/jitsi.crt'
+  when: jitsi_cert_path is not defined
+  tags: jitsi
+
+- name: Set key path
+  set_fact: jitsi_key_path='/etc/prosody/certs/jitsi.key'
+  when: jitsi_key_path is not defined
+  tags: jitsi
+
+- name: Set anonymous domain for jitsi meet
+  block:
+    - set_fact:
+        jitsi_anonymousdomain:
+          hosts:
+           anonymousdomain: guest.{{ jitsi_domain }}
+    - set_fact: jitsi_meet_conf={{ jitsi_anonymousdomain | combine(jitsi_meet_conf, recursive=True) }}
+  when: jitsi_auth == 'ldap'
+  tags: jisti
+
+- name: Check if cert file exist
+  stat: path={{ jitsi_cert_path }}
+  register: jitsi_cert_file
+  tags: jitsi
+
+- name: Check if key file exist
+  stat: path={{ jitsi_key_path }}
+  register: jitsi_key_file
+  tags: jitsi
+
+- name: Check if jicofo is built
+  stat: path={{ jitsi_root_dir }}/jicofo/jicofo.sh
+  register: jitsi_jicofo_script
+  tags: jitsi
+
+- name: Check if jigasi is built
+  stat: path={{ jitsi_root_dir }}/jigasi/jigasi.sh
+  register: jitsi_jigasi_script
+  tags: jitsi
+
+- name: Check if meet is installed
+  stat: path={{ jitsi_root_dir }}/meet/index.html
+  register: jitsi_meet_index
+  tags: jitsi

roles/jitsi/tasks/install.yml

@@ -0,0 +1,194 @@
+---
+
+- name: Install dependencies
+  yum:
+    name:
+      - java-1.8.0-openjdk
+      - java-1.8.0-openjdk-devel
+      - git
+      - nodejs        # needed to build meet
+      - libXScrnSaver # needed for jigasi
+      - python3       # needed for confmapper
+      - make
+  tags: jitsi
+
+  # If you use an Let's Encrypt cert, it might not be there yet. In this case, create a link
+  # to the default prosody cert so the service can be started. The cert will be obtained after that and
+  # will override the links
+- name: Link cert to the default one
+  file: path={{ jitsi_cert_path }} src=/etc/prosody/certs/localhost.crt state=link
+  when: not jitsi_cert_file.stat.exists
+  tags: jitsi
+
+- name: Link key to the default one
+  file: path={{ jitsi_key_path }} src=/etc/prosody/certs/localhost.key state=link
+  when: not jitsi_key_file.stat.exists
+  tags: jitsi
+
+  # This file used to contain proxy settings for maven
+  # now this is handled in a maven general dir, so remove it from here
+- name: Remove local maven configuration
+  file: path={{ jitsi_root_dir }}/.m2/settings.xml state=absent
+  tags: jitsi
+
+  # Now, for every component, we will clone or update the repo.
+  # If the repo changed since the last run, we rebuild and restart the corresponding component
+- name: Clone jicofo repo
+  git:
+    repo: "{{ jitsi_jicofo_git_url }}"
+    dest: "{{ jitsi_root_dir }}/src/jicofo"
+    force: True
+  become_user: "{{ jitsi_user }}"
+  register: jitsi_jicofo_git
+  tags: jitsi
+
+- name: Install or update jicofo
+  block:
+    - name: Build jicofo
+      command: /opt/maven/apache-maven/bin/mvn package -DskipTests -Dassembly.skipAssembly=false
+      args:
+        chdir: "{{ jitsi_root_dir }}/src/jicofo"
+      become_user: "{{ jitsi_user }}"
+
+    - name: Extract jicofo archive
+      unarchive:
+        src: "{{ jitsi_root_dir }}/src/jicofo/target/jicofo-1.1-SNAPSHOT-archive.zip"
+        dest: "{{ jitsi_root_dir }}/tmp/"
+        remote_src: True
+
+    - name: Move jicofo to its final directory
+      synchronize:
+        src: "{{ jitsi_root_dir }}/tmp/jicofo-1.1-SNAPSHOT/"
+        dest: "{{ jitsi_root_dir }}/jicofo/"
+        recursive: True
+        delete: True
+        compress: False
+      delegate_to: "{{ inventory_hostname }}"
+      notify: restart jitsi-jicofo
+  when: (jitsi_jicofo_git.changed and jitsi_manage_upgrade) or not jitsi_jicofo_script.stat.exists
+  tags: jitsi
+
+- name: Clone jigasi repo
+  git:
+    repo: "{{ jitsi_jigasi_git_url }}"
+    dest: "{{ jitsi_root_dir }}/src/jigasi"
+    force: True
+  become_user: "{{ jitsi_user }}"
+  register: jitsi_jigasi_git
+  tags: jitsi
+
+- name: Install or update jigasi
+  block:
+    - name: Build jigasi
+      command: /opt/maven/apache-maven/bin/mvn package -DskipTests -Dassembly.skipAssembly=false
+      args:
+        chdir: "{{ jitsi_root_dir }}/src/jigasi"
+      become_user: "{{ jitsi_user }}"
+
+    - name: Extract jigasi archive
+      unarchive:
+        src: "{{ jitsi_root_dir }}/src/jigasi/target/jigasi-linux-x64-1.1-SNAPSHOT.zip"
+        dest: "{{ jitsi_root_dir }}/tmp/"
+        remote_src: True
+
+    - name: Link libunix-java lib
+      file: src=libunix-0.5.1.so dest={{ jitsi_root_dir }}/tmp/jigasi-linux-x64-1.1-SNAPSHOT/lib/libunix-java.so state=link
+
+    - name: Move jigasi to its final directory
+      synchronize:
+        src: "{{ jitsi_root_dir }}/tmp/jigasi-linux-x64-1.1-SNAPSHOT/"
+        dest: "{{ jitsi_root_dir }}/jigasi/"
+        recursive: True
+        delete: True
+        compress: False
+      delegate_to: "{{ inventory_hostname }}"
+      notify: restart jitsi-jigasi
+  when: (jitsi_jigasi_git.changed and jitsi_manage_upgrade) or not jitsi_jigasi_script.stat.exists
+  tags: jitsi
+
+- name: Deploy systemd unit
+  template: src={{ item }}.service.j2 dest=/etc/systemd/system/{{ item }}.service
+  loop:
+    - jitsi-jicofo
+    - jitsi-jigasi
+    - jitsi-confmapper
+  register: jitsi_units
+  notify:
+    - restart jitsi-jicofo
+    - restart jitsi-jigasi
+    - restart jitsi-confmapper
+  tags: jitsi
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: jitsi_units.results | selectattr('changed', 'equalto', True) | list | length > 0
+  tags: jitsi
+
+- name: Clone jitsi meet
+  git:
+    repo: "{{ jitsi_meet_git_url }}"
+    dest: "{{ jitsi_root_dir }}/src/meet"
+    force: True
+  register: jitsi_meet_git
+  become_user: "{{ jitsi_user }}"
+  tags: jitsi
+
+- name: Install or update jitsi meet
+  block:
+    - name: Clear node_modules cache
+      file: path={{ jitsi_root_dir }}/src/meet/node_modules state=absent
+
+    - name: Install jitsi meet node dependencies
+      npm: path={{ jitsi_root_dir }}/src/meet
+      become_user: "{{ jitsi_user }}"
+
+    - name: Build jitsi meet
+      command: make
+      args:
+        chdir: "{{ jitsi_root_dir }}/src/meet"
+      become_user: "{{ jitsi_user }}"
+
+    - name: Reset git (so next run won't detect a change)
+      command: git checkout {{ jitsi_root_dir }}/src/meet/resources/load-test/package-lock.json
+      changed_when: False
+      args:
+        chdir: "{{ jitsi_root_dir }}/src/meet"
+      become_user: "{{ jitsi_user }}"
+
+    - name: Deploy new jitsi meet version
+      shell: |
+        rm -rf {{ jitsi_root_dir }}/meet/*
+        mkdir -p {{ jitsi_root_dir }}/meet/css
+        cp -r *.js *.html resources/*.txt connection_optimization favicon.ico fonts images libs static sounds LICENSE lang {{ jitsi_root_dir }}/meet/
+        cp css/all.css {{ jitsi_root_dir }}/meet/css/
+      args:
+        chdir: "{{ jitsi_root_dir }}/src/meet"
+  when: (jitsi_meet_git.changed and jitsi_manage_upgrade) or not jitsi_meet_index.stat.exists
+  tags: jitsi
+
+- name: Update languages
+  include_tasks: update_lang.yml
+  loop: "{{ jitsi_meet_custom_lang.keys() | list }}"
+  tags: jitsi
+
+- name: Install dehydrated hook
+  template: src=dehydrated_hook.sh.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/jitsi.sh mode=755
+  tags: jitsi
+
+- name: Install the conference mapping daemon
+  get_url:
+    url: https://raw.githubusercontent.com/gronke/jitsi-conferencemapper-api/master/daemon.py
+    dest: "{{ jitsi_root_dir }}/confmapper/daemon.py"
+    mode: 0755
+  notify: restart jitsi-confmapper
+  tags: jitsi
+
+- name: Ensure prosody module dir exists
+  file: path=/opt/prosody/modules/ state=directory
+  tags: jitsi
+
+- name: Install byass_pwd module for prosody
+  template: src=mod_jibri_bypass_pwd.lua.j2 dest=/opt/prosody/modules/mod_jibri_bypass_pwd.lua
+  notify: reload prosody
+  tags: jitsi
+

roles/jitsi/tasks/iptables.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Handle jitsi confmapper port
+  iptables_raw:
+    name: jitsi_confmapper_ports
+    state: "{{ (jitsi_confmapper_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ jitsi_confmapper_port }} -s {{ jitsi_confmapper_src_ip | join(',') }} -j ACCEPT"
+  tags: firewall,jitsi

roles/jitsi/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+
+- include: user.yml
+- include: directories.yml
+- include: facts.yml
+- include: install.yml
+- include: conf.yml
+- include: iptables.yml
+  when: iptables_manage | default(True)
+- include: services.yml
+- include: cleanup.yml

roles/jitsi/tasks/services.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Start and enable services
+  service: name=jitsi-jicofo state=started enabled=True
+  tags: jitsi
+
+- name: Start and enable jigasi
+  service: name=jitsi-jigasi state={{ jitsi_jigasi | ternary('started', 'stopped') }} enabled={{ jitsi_jigasi }}
+  tags: jitsi
+
+- name: Start and enable confmapper
+  service: name=jitsi-confmapper state={{ jitsi_jigasi | ternary('started', 'stopped') }} enabled={{ jitsi_jigasi }}
+  tags: jitsi

roles/jitsi/tasks/update_lang.yml

@@ -0,0 +1,17 @@
+---
+
+- name: Read default lang file
+  command: cat {{ jitsi_root_dir }}/src/meet/lang/main-{{ item }}.json
+  register: jitsi_meet_default_lang
+  changed_when: False
+  tags: jitsi
+
+- name: Merge with custom strings
+  set_fact:
+    jitsi_meet_lang: "{{ jitsi_meet_default_lang.stdout | from_json | combine(jitsi_meet_custom_lang[item] | default({}), recursive=True) }}"
+  tags: jitsi
+
+- name: Save new lang file
+  copy: content={{ jitsi_meet_lang | to_nice_json }} dest={{ jitsi_root_dir }}/meet/lang/main-{{ item }}.json
+  tags: jitsi
+

roles/jitsi/tasks/user.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Create jitsi user account
+  user: name={{ jitsi_user }} home={{ jitsi_root_dir }} system=True
+  tags: jitsi

roles/jitsi/templates/confmapper.json.j2

@@ -0,0 +1 @@
+{{ jitsi_confmapper_conf | to_nice_json }}

roles/jitsi/templates/dehydrated_hook.sh.j2

@@ -0,0 +1,20 @@
+#!/bin/bash -e
+
+{% if jitsi_letsencrypt_cert is defined %}
+
+{% if jitsi_letsencrypt_cert == True %}
+{% set cert = jitsi_domain %}
+{% elif jitsi_letsencrypt_cert is string %}
+{% set cert = jitsi_letsencrypt_cert %}
+{% endif %}
+
+if [ $1 == "{{ cert }}" ]; then
+  cp /var/lib/dehydrated/certificates/certs/{{ cert }}/fullchain.pem /etc/prosody/certs/jitsi.crt
+  cp /var/lib/dehydrated/certificates/certs/{{ cert }}/privkey.pem /etc/prosody/certs/jitsi.key
+  chown :prosody /etc/prosody/certs/jitsi.key
+  chmod 644 /etc/prosody/certs/jitsi.crt
+  chmod 640 /etc/prosody/certs/jitsi.key
+  systemctl reload prosody
+fi
+{% endif %}
+

roles/jitsi/templates/jicofo/jicofo.conf.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+JICOFO_HOST={{ jitsi_xmpp_server }}
+JICOFO_DOMAIN={{ jitsi_domain }}
+JICOFO_USER={{ jitsi_jicofo_xmpp_user }}
+JICOFO_USERDOMAIN={{ jitsi_auth_domain }}
+JICOFO_USER_PASS='{{ jitsi_jicofo_xmpp_pass }}'
+JICOFO_OPTS=''
+JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION={{ jitsi_root_dir }}/etc -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=jicofo"

roles/jitsi/templates/jicofo/sip-communicator.properties.j2

@@ -0,0 +1,11 @@
+{% if jitsi_auth == 'sso' %}
+org.jitsi.jicofo.auth.URL=shibboleth:default
+{% elif jitsi_auth == 'ldap' %}
+org.jitsi.jicofo.auth.URL=XMPP:{{ jitsi_domain }}
+{% endif %}
+org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.{{ jitsi_auth_domain }}
+{% if jitsi_jigasi %}
+org.jitsi.jicofo.jigasi.BREWERY=JigasiBrewery@internal.{{ jitsi_auth_domain }}
+{% endif %}
+org.jitsi.jicofo.jibri.BREWERY=JibriBrewery@internal.{{ jitsi_auth_domain }}
+org.jitsi.jicofo.jibri.PENDING_TIMEOUT=90

roles/jitsi/templates/jigasi/jigasi.conf.j2

@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+JIGASI_OPTS=''
+JAVA_SYS_PROPS=''

roles/jitsi/templates/jigasi/sip-communicator.properties.j2

@@ -0,0 +1,54 @@
+# Default room to which inbound called without a Jitsi-Conference-Room header
+org.jitsi.jigasi.DEFAULT_JVB_ROOM_NAME={{ jitsi_jigasi_default_room }}
+
+net.java.sip.communicator.impl.protocol.SingleCallInProgressPolicy.enabled=false
+
+# Disable packet capture
+net.java.sip.communicator.packetlogging.PACKET_LOGGING_ENABLED=false
+
+# Enable brewery
+org.jitsi.jigasi.BREWERY_ENABLED=true
+org.jitsi.jigasi.MUC_SERVICE_ADDRESS=conference.{{ jitsi_domain }}
+
+{% if jitsi_jigasi %}
+# SIP acount
+net.java.sip.communicator.impl.protocol.sip.acc=acc
+net.java.sip.communicator.impl.protocol.sip.acc.ACCOUNT_UID=SIP\:{{ jitsi_jigasi_sip_user }}
+net.java.sip.communicator.impl.protocol.sip.acc.PASSWORD={{ jitsi_jigasi_sip_secret | b64encode }}
+net.java.sip.communicator.impl.protocol.sip.acc.PROTOCOL_NAME=SIP
+net.java.sip.communicator.impl.protocol.sip.acc.SERVER_ADDRESS={{ jitsi_jigasi_sip_server }}
+net.java.sip.communicator.impl.protocol.sip.acc.USER_ID={{ jitsi_jigasi_sip_user }}
+net.java.sip.communicator.impl.protocol.sip.acc.KEEP_ALIVE_INTERVAL=25
+net.java.sip.communicator.impl.protocol.sip.acc.KEEP_ALIVE_METHOD=OPTIONS
+net.java.sip.communicator.impl.protocol.sip.acc.VOICEMAIL_ENABLED=false
+net.java.sip.communicator.impl.protocol.sip.acc.OVERRIDE_ENCODINGS=false
+net.java.sip.communicator.impl.protocol.sip.acc.DOMAIN_BASE={{ jitsi_domain }}
+net.java.sip.communicator.impl.protocol.sip.acc.PROXY_ADDRESS={{ jitsi_jigasi_sip_server }}
+net.java.sip.communicator.impl.protocol.sip.acc.PROXY_AUTO_CONFIG=false
+net.java.sip.communicator.impl.protocol.sip.acc.PROXY_PORT={{ jitsi_jigasi_sip_port }}
+net.java.sip.communicator.impl.protocol.sip.acc.PREFERRED_TRANSPORT={{ jitsi_jigasi_sip_transport }}
+{% else %}
+# No SIP acc configured, jigasi will be disabled
+{% endif %}
+
+# XMPP account
+net.java.sip.communicator.impl.protocol.jabber.acc=acc
+net.java.sip.communicator.impl.protocol.jabber.acc.ACCOUNT_UID=Jabber:jigasi@{{ jitsi_auth_domain }}
+net.java.sip.communicator.impl.protocol.jabber.acc.USER_ID=jigasi@{{ jitsi_auth_domain }}
+net.java.sip.communicator.impl.protocol.jabber.acc.IS_SERVER_OVERRIDDEN=true
+net.java.sip.communicator.impl.protocol.jabber.acc.SERVER_ADDRESS={{ inventory_hostname }}
+net.java.sip.communicator.impl.protocol.jabber.acc.PASSWORD={{ jitsi_jigasi_xmpp_pass | b64encode }}
+net.java.sip.communicator.impl.protocol.jabber.acc.RESOURCE_PRIORITY=30
+net.java.sip.communicator.impl.protocol.jabber.acc.BREWERY=JigasiBrewery@internal.{{ jitsi_auth_domain }}
+net.java.sip.communicator.impl.protocol.jabber.acc.DOMAIN_BASE={{ jitsi_domain }}
+
+org.jitsi.jigasi.xmpp.acc.USER_ID=jigasi@auth.{{ jitsi_domain }}
+org.jitsi.jigasi.xmpp.acc.PASS={{ jitsi_jigasi_xmpp_pass }}
+org.jitsi.jigasi.xmpp.acc.ANONYMOUS_AUTH=false
+org.jitsi.jigasi.xmpp.acc.IS_SERVER_OVERRIDDEN=true
+org.jitsi.jigasi.xmpp.acc.SERVER_ADDRESS={{ inventory_hostname }}
+org.jitsi.jigasi.xmpp.acc.JINGLE_NODES_ENABLED=false
+org.jitsi.jigasi.xmpp.acc.AUTO_DISCOVER_STUN=false
+org.jitsi.jigasi.xmpp.acc.IM_DISABLED=true
+org.jitsi.jigasi.xmpp.acc.SERVER_STORED_INFO_DISABLED=true
+org.jitsi.jigasi.xmpp.acc.IS_FILE_TRANSFER_DISABLED=true

roles/jitsi/templates/jitsi-confmapper.service.j2

@@ -0,0 +1,20 @@
+[Unit]
+Description=Jitsi Conference Mapper
+After=network.target
+
+[Service]
+Type=simple
+User={{ jitsi_user }}
+Group={{ jitsi_user }}
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=full
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+ExecStart={{ jitsi_root_dir }}/confmapper/daemon.py
+SyslogIdentifier=confmapper
+
+[Install]
+WantedBy=multi-user.target

roles/jitsi/templates/jitsi-jicofo.service.j2

@@ -0,0 +1,30 @@
+[Unit]
+Description=Jitsi Conference Focus
+After=network.target
+
+[Service]
+Type=simple
+SuccessExitStatus=143
+EnvironmentFile={{ jitsi_root_dir }}/etc/jicofo/jicofo.conf
+User={{ jitsi_user }}
+Group={{ jitsi_user }}
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=full
+ReadOnlyDirectories={{ jitsi_root_dir }}/etc {{ jitsi_root_dir }}/jicofo
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+ExecStart=/opt/jitsi/jicofo/jicofo.sh \
+            --host=${JICOFO_HOST} \
+            --domain=${JICOFO_DOMAIN} \
+            --secret=${JICOFO_SECRET} \
+            --user_domain=${JICOFO_USERDOMAIN} \
+            --user_name=${JICOFO_USER} \
+            --user_password=${JICOFO_USER_PASS} \
+            ${JICOFO_OPT}
+SyslogIdentifier=jicofo
+
+[Install]
+WantedBy=multi-user.target

roles/jitsi/templates/jitsi-jigasi.service.j2

@@ -0,0 +1,26 @@
+[Unit]
+Description=Jitsi Gateway to SIP
+After=network.target
+
+[Service]
+Type=simple
+SuccessExitStatus=143
+EnvironmentFile={{ jitsi_root_dir }}/etc/jigasi/jigasi.conf
+User={{ jitsi_user }}
+Group={{ jitsi_user }}
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=full
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+ExecStart=/opt/jitsi/jigasi/jigasi.sh \
+            --configdir={{ jitsi_root_dir }}/etc \
+            --configdirname=jigasi \
+            --nocomponent=true \
+            ${JIGASI_OPT}
+SyslogIdentifier=jigasi
+
+[Install]
+WantedBy=multi-user.target

roles/jitsi/templates/meet.js.j2

@@ -0,0 +1 @@
+var config = {{ jitsi_meet_conf | to_nice_json(indent=4) }};

roles/jitsi/templates/meet_interface.js.j2

@@ -0,0 +1 @@
+var interfaceConfig = {{ jitsi_meet_interface_conf | to_nice_json(indent=4) }};

roles/jitsi/templates/mod_jibri_bypass_pwd.lua.j2

@@ -0,0 +1,14 @@
+local MUC_NS = "http://jabber.org/protocol/muc";
+local jid = require "util.jid";
+
+module:hook("muc-occupant-pre-join", function (event)
+    local room, stanza = event.room, event.stanza;
+
+    local user, domain, res = jid.split(event.stanza.attr.from);
+    log("info", "--------------> user %s domain %s res %s pass %s", tostring(user),tostring(domain),tostring(res),tostring(room:get_password())); 
+    
+    if ( user == '{{ jitsi_jibri_recorder_xmpp_user }}' and domain == '{{ jitsi_jibri_xmpp_domain | default('recorder.' ~ jitsi_domain) }}' ) then
+      local join = stanza:get_child("x", MUC_NS);
+      join:tag("password", { xmlns = MUC_NS }):text(room:get_password()); 
+    end;
+end);

roles/jitsi/templates/nginx.conf.j2

@@ -0,0 +1,73 @@
+server {
+  listen 80;
+  listen 443 ssl http2;
+  server_name {{ jitsi_domain }};
+
+  ssl_certificate_key {{ jitsi_key_path }};
+  ssl_certificate     {{ jitsi_cert_path }};
+
+  include /etc/nginx/ansible_conf.d/perf.inc;
+  include /etc/nginx/ansible_conf.d/force_ssl.inc;
+  include /etc/nginx/ansible_conf.d/acme.inc;
+
+  if ($request_method !~ ^(GET|POST|HEAD)$ ) {
+    return 405;
+  }
+
+  add_header Strict-Transport-Security "$hsts_header";
+
+  root {{ jitsi_root_dir }}/meet;
+  index index.html;
+
+  # conferenceMapper endpoint
+  location ~ ^/(phoneNumberList|conferenceMapper) {
+    proxy_pass http://localhost:{{ jitsi_confmapper_port }};
+    proxy_socket_keepalive on;
+    # TODO : rate limit these endpoints to prevent room listing
+  }
+
+  # BOSH endpoint
+  location /http-bind {
+    proxy_socket_keepalive on;
+    proxy_pass http://localhost:5280/http-bind;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Host $http_host;
+  }
+
+  # Websocket endpoint
+  location /xmpp-websocket {
+    proxy_pass http://localhost:5280/xmpp-websocket?$args;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    tcp_nodelay on;
+  }
+{% if jitsi_auth == 'sso' %}
+
+  # SSO endpoint
+  location /login {
+    proxy_pass http://127.0.0.1:8888;
+    proxy_set_header mail $http_mail;
+    proxy_set_header displayName $http_displayname;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Host $http_host;
+
+    # jicofo doesn't add the Content-Type for the redirection page
+    add_header Content-Type 'text/html';
+  }
+{% endif %}
+
+  location / {
+    ssi on;
+    limit_req zone=limit_req_std burst=100 nodelay;
+    limit_conn limit_conn_std 80;
+    try_files $uri /index.html;
+  }
+
+{% for ip in jitsi_web_src_ip %}
+  allow {{ ip }};
+{% endfor %}
+  deny all;
+}

roles/jitsi/templates/prosody.cfg.lua.j2

@@ -0,0 +1,151 @@
+
+muc_mapper_domain_base = "{{ jitsi_domain }}";
+admins = { "{{ jitsi_jicofo_xmpp_user }}@{{ jitsi_auth_domain }}" };
+http_default_host = "{{ jitsi_domain }}";
+
+{% if jitsi_turn_secret is defined %}
+external_service_secret = "{{ jitsi_turn_secret }}";
+{% endif %}
+
+external_services = {
+{% for stun in jitsi_stun_servers %}
+  {
+    type = "{{ stun | urlsplit('scheme') }}",
+    host = "{{ stun | regex_replace('(turns?|stun):([^:]+)(:\d+)?.*', '\\2') }}",
+{% if stun | regex_replace('(turns?|stun):.+:(\d+)?.*', '\\2') | int > 0 and stun | regex_replace('(turns?|stun):.+:(\d+)?.*', '\\2') | int < 65535 %}
+    port = "{{ stun | regex_replace('(turns?|stun):.+:(\d+)?.*', '\\2') }}",
+{% endif %}
+{% if stun | urlsplit('query') is search('transport=') %}
+    transport = "{{ stun | urlsplit('query') | regex_replace('.*transport=(udp|tcp).*', '\\1') }}"
+{% endif %}
+  },
+{% endfor %}
+};
+
+cross_domain_bosh = false;
+cross_domain_websocket = true;
+consider_bosh_secure = true;
+
+unlimited_jids = {
+    "{{ jitsi_jicofo_xmpp_user }}@{{ jitsi_auth_domain }}",
+    "{{ jitsi_videobridge_xmpp_user }}@{{ jitsi_videobridge_xmpp_domain }}"
+}
+
+VirtualHost "{{ jitsi_domain }}"
+{% if jitsi_auth == 'ldap' %}
+  authentication = "ldap"
+  ldap_base = "{{ jitsi_ldap_base }}"
+  ldap_server = "{{ jitsi_ldap_servers | join(' ') }}"
+{% if jitsi_ldap_bind_dn is defined and jitsi_ldap_bind_pass is defined %}
+  ldap_rootdn = "{{ jitsi_ldap_bind_dn }}"
+  ldap_password = "{{ jitsi_ldap_bind_pass }}"
+{% endif %}
+  ldap_filter = "{{ jitsi_ldap_filter }}"
+  ldap_scope = "subtree"
+  ldap_tls = {{ jitsi_ldap_starttls | ternary('true','false') }}
+{% else %}
+  authentication = "anonymous"
+{% endif %}
+  ssl = {
+    key = "{{ jitsi_key_path }}";
+    certificate = "{{ jitsi_cert_path }}";
+  }
+
+  modules_enabled = {
+    "bosh";
+    "pubsub";
+    "ping";
+    "websocket";
+    "external_services";
+    "speakerstats";
+    "conference_duration";
+    "muc_lobby_rooms";
+    "participant_metadata";
+    "muc_breakout_rooms";
+    "av_moderation";
+  }
+  c2s_require_encryption = false
+  allow_unencrypted_plain_auth = true
+  speakerstats_component = "speakerstats.{{ jitsi_domain }}"
+  conference_duration_component = "conferenceduration.{{ jitsi_domain }}"
+  lobby_muc = "lobby.{{ jitsi_domain }}"
+  breakout_rooms_muc = "breakout.{{ jitsi_domain }}"
+  main_muc = "conference.{{ jitsi_domain }}"
+  muc_lobby_whitelist = { "recorder.{{ jitsi_domain }}" }
+
+{% if jitsi_auth == 'ldap' %}
+-- Guest virtual domain
+VirtualHost "guest.{{ jitsi_domain }}"
+  authentication = "anonymous"
+  c2s_require_encryption = false
+  modules_enabled = {
+    "participant_metadata";
+  }
+{% endif %}
+
+VirtualHost "{{ jitsi_auth_domain }}"
+  ssl = {
+    key = "{{ jitsi_key_path }}";
+    certificate = "{{ jitsi_cert_path }}";
+  }
+  modules_enabled = {
+    "limits_exception";
+  }
+  authentication = "internal_hashed"
+
+VirtualHost "recorder.{{ jitsi_domain }}"
+  modules_enabled = { "ping"; }
+  authentication = "internal_hashed"
+  c2s_require_encryption = false
+
+Component "conference.{{ jitsi_domain }}" "muc"
+  storage = "memory"
+  modules_enabled = {
+    "ping";
+    "jibri_bypass_pwd";
+    "muc_meeting_id";
+    "muc_domain_mapper";
+    "polls";
+    "muc_rate_limit";
+  }
+  admins = { "{{ jitsi_jicofo_xmpp_user }}@{{ jitsi_auth_domain }}" }
+  muc_room_locking = false
+  muc_room_default_public_jids = true
+
+Component "internal.{{ jitsi_auth_domain }}" "muc"
+  storage = "memory"
+  modules_enabled = { "ping"; }
+  muc_room_cache_size = 1000
+
+Component "focus.{{ jitsi_domain }}" "client_proxy"
+  target_address = "{{ jitsi_jicofo_xmpp_user }}@{{ jitsi_auth_domain }}"
+
+Component "speakerstats.{{ jitsi_domain }}" "speakerstats_component"
+  muc_component = "conference.{{ jitsi_domain }}"
+
+Component "conferenceduration.{{ jitsi_domain }}" "conference_duration_component"
+  muc_component = "conference.{{ jitsi_domain }}"
+
+Component "avmoderation.{{ jitsi_domain }}" "av_moderation_component"
+  muc_component = "conference.{{ jitsi_domain }}"
+
+Component "lobby.{{ jitsi_domain }}" "muc"
+  storage = "memory"
+  restrict_room_creation = true
+  muc_room_locking = false
+  muc_room_default_public_jids = true
+  modules_enabled = {
+    "muc_rate_limit";
+  }
+
+Component "breakout.{{ jitsi_domain }}" "muc"
+  restrict_room_creation = true
+  storage = "memory"
+  modules_enabled = {
+    "muc_meeting_id";
+    "muc_domain_mapper";
+    "muc_rate_limit";
+  }
+  admins = { "{{ jitsi_jicofo_xmpp_user }}@{{ jitsi_auth_domain }}" }
+  muc_room_locking = false
+  muc_room_default_public_jids = true