Update to 2021-12-01 19:13

2025-10-31 02:41:36 +01:00 · 2021-12-01 19:13:34 +01:00
commit 4c4556c660
2153 changed files with 60999 additions and 0 deletions
--- a/roles/jitsi/templates/confmapper.json.j2
+++ b/roles/jitsi/templates/confmapper.json.j2
@@ -0,0 +1 @@
+{{ jitsi_confmapper_conf | to_nice_json }}
--- a/roles/jitsi/templates/dehydrated_hook.sh.j2
+++ b/roles/jitsi/templates/dehydrated_hook.sh.j2
@@ -0,0 +1,20 @@
+#!/bin/bash -e
+
+{% if jitsi_letsencrypt_cert is defined %}
+
+{% if jitsi_letsencrypt_cert == True %}
+{% set cert = jitsi_domain %}
+{% elif jitsi_letsencrypt_cert is string %}
+{% set cert = jitsi_letsencrypt_cert %}
+{% endif %}
+
+if [ $1 == "{{ cert }}" ]; then
+  cp /var/lib/dehydrated/certificates/certs/{{ cert }}/fullchain.pem /etc/prosody/certs/jitsi.crt
+  cp /var/lib/dehydrated/certificates/certs/{{ cert }}/privkey.pem /etc/prosody/certs/jitsi.key
+  chown :prosody /etc/prosody/certs/jitsi.key
+  chmod 644 /etc/prosody/certs/jitsi.crt
+  chmod 640 /etc/prosody/certs/jitsi.key
+  systemctl reload prosody
+fi
+{% endif %}
+
--- a/roles/jitsi/templates/jicofo/jicofo.conf.j2
+++ b/roles/jitsi/templates/jicofo/jicofo.conf.j2
@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+JICOFO_HOST={{ jitsi_xmpp_server }}
+JICOFO_DOMAIN={{ jitsi_domain }}
+JICOFO_USER={{ jitsi_jicofo_xmpp_user }}
+JICOFO_USERDOMAIN={{ jitsi_auth_domain }}
+JICOFO_USER_PASS='{{ jitsi_jicofo_xmpp_pass }}'
+JICOFO_OPTS=''
+JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION={{ jitsi_root_dir }}/etc -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=jicofo"
--- a/roles/jitsi/templates/jicofo/sip-communicator.properties.j2
+++ b/roles/jitsi/templates/jicofo/sip-communicator.properties.j2
@@ -0,0 +1,11 @@
+{% if jitsi_auth == 'sso' %}
+org.jitsi.jicofo.auth.URL=shibboleth:default
+{% elif jitsi_auth == 'ldap' %}
+org.jitsi.jicofo.auth.URL=XMPP:{{ jitsi_domain }}
+{% endif %}
+org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.{{ jitsi_auth_domain }}
+{% if jitsi_jigasi %}
+org.jitsi.jicofo.jigasi.BREWERY=JigasiBrewery@internal.{{ jitsi_auth_domain }}
+{% endif %}
+org.jitsi.jicofo.jibri.BREWERY=JibriBrewery@internal.{{ jitsi_auth_domain }}
+org.jitsi.jicofo.jibri.PENDING_TIMEOUT=90
--- a/roles/jitsi/templates/jigasi/jigasi.conf.j2
+++ b/roles/jitsi/templates/jigasi/jigasi.conf.j2
@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+JIGASI_OPTS=''
+JAVA_SYS_PROPS=''
--- a/roles/jitsi/templates/jigasi/sip-communicator.properties.j2
+++ b/roles/jitsi/templates/jigasi/sip-communicator.properties.j2
@@ -0,0 +1,54 @@
+# Default room to which inbound called without a Jitsi-Conference-Room header
+org.jitsi.jigasi.DEFAULT_JVB_ROOM_NAME={{ jitsi_jigasi_default_room }}
+
+net.java.sip.communicator.impl.protocol.SingleCallInProgressPolicy.enabled=false
+
+# Disable packet capture
+net.java.sip.communicator.packetlogging.PACKET_LOGGING_ENABLED=false
+
+# Enable brewery
+org.jitsi.jigasi.BREWERY_ENABLED=true
+org.jitsi.jigasi.MUC_SERVICE_ADDRESS=conference.{{ jitsi_domain }}
+
+{% if jitsi_jigasi %}
+# SIP acount
+net.java.sip.communicator.impl.protocol.sip.acc=acc
+net.java.sip.communicator.impl.protocol.sip.acc.ACCOUNT_UID=SIP\:{{ jitsi_jigasi_sip_user }}
+net.java.sip.communicator.impl.protocol.sip.acc.PASSWORD={{ jitsi_jigasi_sip_secret | b64encode }}
+net.java.sip.communicator.impl.protocol.sip.acc.PROTOCOL_NAME=SIP
+net.java.sip.communicator.impl.protocol.sip.acc.SERVER_ADDRESS={{ jitsi_jigasi_sip_server }}
+net.java.sip.communicator.impl.protocol.sip.acc.USER_ID={{ jitsi_jigasi_sip_user }}
+net.java.sip.communicator.impl.protocol.sip.acc.KEEP_ALIVE_INTERVAL=25
+net.java.sip.communicator.impl.protocol.sip.acc.KEEP_ALIVE_METHOD=OPTIONS
+net.java.sip.communicator.impl.protocol.sip.acc.VOICEMAIL_ENABLED=false
+net.java.sip.communicator.impl.protocol.sip.acc.OVERRIDE_ENCODINGS=false
+net.java.sip.communicator.impl.protocol.sip.acc.DOMAIN_BASE={{ jitsi_domain }}
+net.java.sip.communicator.impl.protocol.sip.acc.PROXY_ADDRESS={{ jitsi_jigasi_sip_server }}
+net.java.sip.communicator.impl.protocol.sip.acc.PROXY_AUTO_CONFIG=false
+net.java.sip.communicator.impl.protocol.sip.acc.PROXY_PORT={{ jitsi_jigasi_sip_port }}
+net.java.sip.communicator.impl.protocol.sip.acc.PREFERRED_TRANSPORT={{ jitsi_jigasi_sip_transport }}
+{% else %}
+# No SIP acc configured, jigasi will be disabled
+{% endif %}
+
+# XMPP account
+net.java.sip.communicator.impl.protocol.jabber.acc=acc
+net.java.sip.communicator.impl.protocol.jabber.acc.ACCOUNT_UID=Jabber:jigasi@{{ jitsi_auth_domain }}
+net.java.sip.communicator.impl.protocol.jabber.acc.USER_ID=jigasi@{{ jitsi_auth_domain }}
+net.java.sip.communicator.impl.protocol.jabber.acc.IS_SERVER_OVERRIDDEN=true
+net.java.sip.communicator.impl.protocol.jabber.acc.SERVER_ADDRESS={{ inventory_hostname }}
+net.java.sip.communicator.impl.protocol.jabber.acc.PASSWORD={{ jitsi_jigasi_xmpp_pass | b64encode }}
+net.java.sip.communicator.impl.protocol.jabber.acc.RESOURCE_PRIORITY=30
+net.java.sip.communicator.impl.protocol.jabber.acc.BREWERY=JigasiBrewery@internal.{{ jitsi_auth_domain }}
+net.java.sip.communicator.impl.protocol.jabber.acc.DOMAIN_BASE={{ jitsi_domain }}
+
+org.jitsi.jigasi.xmpp.acc.USER_ID=jigasi@auth.{{ jitsi_domain }}
+org.jitsi.jigasi.xmpp.acc.PASS={{ jitsi_jigasi_xmpp_pass }}
+org.jitsi.jigasi.xmpp.acc.ANONYMOUS_AUTH=false
+org.jitsi.jigasi.xmpp.acc.IS_SERVER_OVERRIDDEN=true
+org.jitsi.jigasi.xmpp.acc.SERVER_ADDRESS={{ inventory_hostname }}
+org.jitsi.jigasi.xmpp.acc.JINGLE_NODES_ENABLED=false
+org.jitsi.jigasi.xmpp.acc.AUTO_DISCOVER_STUN=false
+org.jitsi.jigasi.xmpp.acc.IM_DISABLED=true
+org.jitsi.jigasi.xmpp.acc.SERVER_STORED_INFO_DISABLED=true
+org.jitsi.jigasi.xmpp.acc.IS_FILE_TRANSFER_DISABLED=true
--- a/roles/jitsi/templates/jitsi-confmapper.service.j2
+++ b/roles/jitsi/templates/jitsi-confmapper.service.j2
@@ -0,0 +1,20 @@
+[Unit]
+Description=Jitsi Conference Mapper
+After=network.target
+
+[Service]
+Type=simple
+User={{ jitsi_user }}
+Group={{ jitsi_user }}
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=full
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+ExecStart={{ jitsi_root_dir }}/confmapper/daemon.py
+SyslogIdentifier=confmapper
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/jitsi/templates/jitsi-jicofo.service.j2
+++ b/roles/jitsi/templates/jitsi-jicofo.service.j2
@@ -0,0 +1,30 @@
+[Unit]
+Description=Jitsi Conference Focus
+After=network.target
+
+[Service]
+Type=simple
+SuccessExitStatus=143
+EnvironmentFile={{ jitsi_root_dir }}/etc/jicofo/jicofo.conf
+User={{ jitsi_user }}
+Group={{ jitsi_user }}
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=full
+ReadOnlyDirectories={{ jitsi_root_dir }}/etc {{ jitsi_root_dir }}/jicofo
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+ExecStart=/opt/jitsi/jicofo/jicofo.sh \
+            --host=${JICOFO_HOST} \
+            --domain=${JICOFO_DOMAIN} \
+            --secret=${JICOFO_SECRET} \
+            --user_domain=${JICOFO_USERDOMAIN} \
+            --user_name=${JICOFO_USER} \
+            --user_password=${JICOFO_USER_PASS} \
+            ${JICOFO_OPT}
+SyslogIdentifier=jicofo
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/jitsi/templates/jitsi-jigasi.service.j2
+++ b/roles/jitsi/templates/jitsi-jigasi.service.j2
@@ -0,0 +1,26 @@
+[Unit]
+Description=Jitsi Gateway to SIP
+After=network.target
+
+[Service]
+Type=simple
+SuccessExitStatus=143
+EnvironmentFile={{ jitsi_root_dir }}/etc/jigasi/jigasi.conf
+User={{ jitsi_user }}
+Group={{ jitsi_user }}
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=full
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+ExecStart=/opt/jitsi/jigasi/jigasi.sh \
+            --configdir={{ jitsi_root_dir }}/etc \
+            --configdirname=jigasi \
+            --nocomponent=true \
+            ${JIGASI_OPT}
+SyslogIdentifier=jigasi
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/jitsi/templates/meet.js.j2
+++ b/roles/jitsi/templates/meet.js.j2
@@ -0,0 +1 @@
+var config = {{ jitsi_meet_conf | to_nice_json(indent=4) }};
--- a/roles/jitsi/templates/meet_interface.js.j2
+++ b/roles/jitsi/templates/meet_interface.js.j2
@@ -0,0 +1 @@
+var interfaceConfig = {{ jitsi_meet_interface_conf | to_nice_json(indent=4) }};
--- a/roles/jitsi/templates/mod_jibri_bypass_pwd.lua.j2
+++ b/roles/jitsi/templates/mod_jibri_bypass_pwd.lua.j2
@@ -0,0 +1,14 @@
+local MUC_NS = "http://jabber.org/protocol/muc";
+local jid = require "util.jid";
+
+module:hook("muc-occupant-pre-join", function (event)
+    local room, stanza = event.room, event.stanza;
+
+    local user, domain, res = jid.split(event.stanza.attr.from);
+    log("info", "--------------> user %s domain %s res %s pass %s", tostring(user),tostring(domain),tostring(res),tostring(room:get_password())); 
+    
+    if ( user == '{{ jitsi_jibri_recorder_xmpp_user }}' and domain == '{{ jitsi_jibri_xmpp_domain | default('recorder.' ~ jitsi_domain) }}' ) then
+      local join = stanza:get_child("x", MUC_NS);
+      join:tag("password", { xmlns = MUC_NS }):text(room:get_password()); 
+    end;
+end);
--- a/roles/jitsi/templates/nginx.conf.j2
+++ b/roles/jitsi/templates/nginx.conf.j2
@@ -0,0 +1,73 @@
+server {
+  listen 80;
+  listen 443 ssl http2;
+  server_name {{ jitsi_domain }};
+
+  ssl_certificate_key {{ jitsi_key_path }};
+  ssl_certificate     {{ jitsi_cert_path }};
+
+  include /etc/nginx/ansible_conf.d/perf.inc;
+  include /etc/nginx/ansible_conf.d/force_ssl.inc;
+  include /etc/nginx/ansible_conf.d/acme.inc;
+
+  if ($request_method !~ ^(GET|POST|HEAD)$ ) {
+    return 405;
+  }
+
+  add_header Strict-Transport-Security "$hsts_header";
+
+  root {{ jitsi_root_dir }}/meet;
+  index index.html;
+
+  # conferenceMapper endpoint
+  location ~ ^/(phoneNumberList|conferenceMapper) {
+    proxy_pass http://localhost:{{ jitsi_confmapper_port }};
+    proxy_socket_keepalive on;
+    # TODO : rate limit these endpoints to prevent room listing
+  }
+
+  # BOSH endpoint
+  location /http-bind {
+    proxy_socket_keepalive on;
+    proxy_pass http://localhost:5280/http-bind;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Host $http_host;
+  }
+
+  # Websocket endpoint
+  location /xmpp-websocket {
+    proxy_pass http://localhost:5280/xmpp-websocket?$args;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    tcp_nodelay on;
+  }
+{% if jitsi_auth == 'sso' %}
+
+  # SSO endpoint
+  location /login {
+    proxy_pass http://127.0.0.1:8888;
+    proxy_set_header mail $http_mail;
+    proxy_set_header displayName $http_displayname;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Host $http_host;
+
+    # jicofo doesn't add the Content-Type for the redirection page
+    add_header Content-Type 'text/html';
+  }
+{% endif %}
+
+  location / {
+    ssi on;
+    limit_req zone=limit_req_std burst=100 nodelay;
+    limit_conn limit_conn_std 80;
+    try_files $uri /index.html;
+  }
+
+{% for ip in jitsi_web_src_ip %}
+  allow {{ ip }};
+{% endfor %}
+  deny all;
+}
--- a/roles/jitsi/templates/prosody.cfg.lua.j2
+++ b/roles/jitsi/templates/prosody.cfg.lua.j2
@@ -0,0 +1,151 @@
+
+muc_mapper_domain_base = "{{ jitsi_domain }}";
+admins = { "{{ jitsi_jicofo_xmpp_user }}@{{ jitsi_auth_domain }}" };
+http_default_host = "{{ jitsi_domain }}";
+
+{% if jitsi_turn_secret is defined %}
+external_service_secret = "{{ jitsi_turn_secret }}";
+{% endif %}
+
+external_services = {
+{% for stun in jitsi_stun_servers %}
+  {
+    type = "{{ stun | urlsplit('scheme') }}",
+    host = "{{ stun | regex_replace('(turns?|stun):([^:]+)(:\d+)?.*', '\\2') }}",
+{% if stun | regex_replace('(turns?|stun):.+:(\d+)?.*', '\\2') | int > 0 and stun | regex_replace('(turns?|stun):.+:(\d+)?.*', '\\2') | int < 65535 %}
+    port = "{{ stun | regex_replace('(turns?|stun):.+:(\d+)?.*', '\\2') }}",
+{% endif %}
+{% if stun | urlsplit('query') is search('transport=') %}
+    transport = "{{ stun | urlsplit('query') | regex_replace('.*transport=(udp|tcp).*', '\\1') }}"
+{% endif %}
+  },
+{% endfor %}
+};
+
+cross_domain_bosh = false;
+cross_domain_websocket = true;
+consider_bosh_secure = true;
+
+unlimited_jids = {
+    "{{ jitsi_jicofo_xmpp_user }}@{{ jitsi_auth_domain }}",
+    "{{ jitsi_videobridge_xmpp_user }}@{{ jitsi_videobridge_xmpp_domain }}"
+}
+
+VirtualHost "{{ jitsi_domain }}"
+{% if jitsi_auth == 'ldap' %}
+  authentication = "ldap"
+  ldap_base = "{{ jitsi_ldap_base }}"
+  ldap_server = "{{ jitsi_ldap_servers | join(' ') }}"
+{% if jitsi_ldap_bind_dn is defined and jitsi_ldap_bind_pass is defined %}
+  ldap_rootdn = "{{ jitsi_ldap_bind_dn }}"
+  ldap_password = "{{ jitsi_ldap_bind_pass }}"
+{% endif %}
+  ldap_filter = "{{ jitsi_ldap_filter }}"
+  ldap_scope = "subtree"
+  ldap_tls = {{ jitsi_ldap_starttls | ternary('true','false') }}
+{% else %}
+  authentication = "anonymous"
+{% endif %}
+  ssl = {
+    key = "{{ jitsi_key_path }}";
+    certificate = "{{ jitsi_cert_path }}";
+  }
+
+  modules_enabled = {
+    "bosh";
+    "pubsub";
+    "ping";
+    "websocket";
+    "external_services";
+    "speakerstats";
+    "conference_duration";
+    "muc_lobby_rooms";
+    "participant_metadata";
+    "muc_breakout_rooms";
+    "av_moderation";
+  }
+  c2s_require_encryption = false
+  allow_unencrypted_plain_auth = true
+  speakerstats_component = "speakerstats.{{ jitsi_domain }}"
+  conference_duration_component = "conferenceduration.{{ jitsi_domain }}"
+  lobby_muc = "lobby.{{ jitsi_domain }}"
+  breakout_rooms_muc = "breakout.{{ jitsi_domain }}"
+  main_muc = "conference.{{ jitsi_domain }}"
+  muc_lobby_whitelist = { "recorder.{{ jitsi_domain }}" }
+
+{% if jitsi_auth == 'ldap' %}
+-- Guest virtual domain
+VirtualHost "guest.{{ jitsi_domain }}"
+  authentication = "anonymous"
+  c2s_require_encryption = false
+  modules_enabled = {
+    "participant_metadata";
+  }
+{% endif %}
+
+VirtualHost "{{ jitsi_auth_domain }}"
+  ssl = {
+    key = "{{ jitsi_key_path }}";
+    certificate = "{{ jitsi_cert_path }}";
+  }
+  modules_enabled = {
+    "limits_exception";
+  }
+  authentication = "internal_hashed"
+
+VirtualHost "recorder.{{ jitsi_domain }}"
+  modules_enabled = { "ping"; }
+  authentication = "internal_hashed"
+  c2s_require_encryption = false
+
+Component "conference.{{ jitsi_domain }}" "muc"
+  storage = "memory"
+  modules_enabled = {
+    "ping";
+    "jibri_bypass_pwd";
+    "muc_meeting_id";
+    "muc_domain_mapper";
+    "polls";
+    "muc_rate_limit";
+  }
+  admins = { "{{ jitsi_jicofo_xmpp_user }}@{{ jitsi_auth_domain }}" }
+  muc_room_locking = false
+  muc_room_default_public_jids = true
+
+Component "internal.{{ jitsi_auth_domain }}" "muc"
+  storage = "memory"
+  modules_enabled = { "ping"; }
+  muc_room_cache_size = 1000
+
+Component "focus.{{ jitsi_domain }}" "client_proxy"
+  target_address = "{{ jitsi_jicofo_xmpp_user }}@{{ jitsi_auth_domain }}"
+
+Component "speakerstats.{{ jitsi_domain }}" "speakerstats_component"
+  muc_component = "conference.{{ jitsi_domain }}"
+
+Component "conferenceduration.{{ jitsi_domain }}" "conference_duration_component"
+  muc_component = "conference.{{ jitsi_domain }}"
+
+Component "avmoderation.{{ jitsi_domain }}" "av_moderation_component"
+  muc_component = "conference.{{ jitsi_domain }}"
+
+Component "lobby.{{ jitsi_domain }}" "muc"
+  storage = "memory"
+  restrict_room_creation = true
+  muc_room_locking = false
+  muc_room_default_public_jids = true
+  modules_enabled = {
+    "muc_rate_limit";
+  }
+
+Component "breakout.{{ jitsi_domain }}" "muc"
+  restrict_room_creation = true
+  storage = "memory"
+  modules_enabled = {
+    "muc_meeting_id";
+    "muc_domain_mapper";
+    "muc_rate_limit";
+  }
+  admins = { "{{ jitsi_jicofo_xmpp_user }}@{{ jitsi_auth_domain }}" }
+  muc_room_locking = false
+  muc_room_default_public_jids = true
				`@@ -0,0 +1 @@`
				`var config = {{ jitsi_meet_conf \| to_nice_json(indent=4) }};`
				`@@ -0,0 +1 @@`
				`var interfaceConfig = {{ jitsi_meet_interface_conf \| to_nice_json(indent=4) }};`