Add Jitsi Meet

2024-02-10 22:36:48 +01:00 · 2024-02-10 22:36:48 +01:00 · 5cd044018a
parent d91cb37303
commit 5cd044018a
14 changed files with 275 additions and 63 deletions
--- a/group_vars/appservers/vars.yml
+++ b/group_vars/appservers/vars.yml
@ -5,12 +5,17 @@ apps_include:
  - nginx
  - postfix
  - ipfs
+  - jitsi
  - monerod
  - nextcloud
  - snowflake
  - restic
  - watchtower

+jitsi_passwords:
+  jicofo_auth: "{{ vault_jitsi_passwords.jicofo_auth }}"
+  jvb_auth: "{{ vault_jitsi_passwords.jvb_auth }}"
+
 redis_passwords:
  nextcloud: "{{ vault_redis_passwords.nextcloud }}"

--- a/group_vars/production/vars.yml
+++ b/group_vars/production/vars.yml
@ -5,13 +5,13 @@ base_domain: sapti.me
 internal_subnet: 10.2.16.0/24
 postgresql_version: 14

+databases:
+  nextcloud:
+    username: nextcloud
+    password: "{{ vault_databases.nextcloud.password }}"
+
 db_inventory_hostname: sapt-labp-db01
 db_host: "{{ hostvars[db_inventory_hostname].internal_ipv4 }}"

 proxy_inventory_hostname: sapt-labr-prx01
 proxy_host: "{{ hostvars[proxy_inventory_hostname].internal_ipv4 }}"
-
-databases:
-  nextcloud:
-    username: nextcloud
-    password: "{{ vault_db_passwords.nextcloud }}"
--- a/group_vars/production/vault.yml
+++ b/group_vars/production/vault.yml
@ -1,26 +1,35 @@
 $ANSIBLE_VAULT;1.1;AES256
-32366636386565356265326466313931393762623762313230653735336565666662353962386132
-6533636337326630323066333238346663303238623538390a316230636564386638373233363161
-65323364613131393236373233383639663566323061613638373533643566363864613563306232
-3034626662383032390a623036643433366364653135353730346230646437313332333730613933
-64356134343330306536653136343061646432383861666438646463616465323863636466653935
-31363565373438313732653466636535346530323836356261666134666661386435306335633235
-30363432633635653566396132323536323834393534343631323638363939353237633432303165
-63326464386664336338356236306432633739396464313536343138613030646237663731306233
-31633735616535336630363563653338343364386533633934386138353265386630326163306331
-63663635663434356261373066643833656535353066646363353038376337356134663162626331
-31636665346636396630636663393636343861626636393461303233323564373733613564353166
-32373332623232303437353931356134616665643863303065396664623736646632336664616235
-38303337376466363862353338323033643834303238316639616564363435646136323038333264
-31376565333731623930633261656237313263336231366663373930653063373133383536663531
-38323665383730616238613239386632333865663465383538326665633631663163643132656138
-37386336383239666437336432643361376232363131626162373738666130326434383666373234
-62623432666535643461336661373761346165663435376639393633623432383362613032613838
-65386361666532303032326362323466303930656536333935633730356636343265306533363238
-31396164386463633864303335303136663264343465656663373434376634346234336636313363
-38616639336537346163383562333536343663396462363034656563623831346664666230303464
-63623432303363653535633536313533343361366235653466653564633034383236613234383861
-61333730613164383665643037623836346463656439383931316164653533376236336633343533
-35373035346263343138616365343432636336303339313135326135326165353934613439316335
-63663964333061333337623365333564353734353733373961633235336230356631333034633430
-3161
+38666565393262653238376564633336356466666566613931366465373832646664363362613537
+6530326438663035393638666338653434633038613733370a313136306661613565353966643038
+39663237653766333462666238373633363736636365333932373939326631663462373239336232
+6239613734383439650a393063373963396366396264306437623938366430376531316263653332
+39313235383962363566623839663662393363393562383837343630616530363438343930306632
+31323561366234353236323163643731336130643163373031666138316238646234303163356465
+37306130323338306564356639356165623530366239613965353732333763636132306439613361
+65623834313236323064346561666433663830356530633635613065383966386464626438386539
+39316366303966393336353666326239633365333264336165373266393430346361373861303666
+61333564323834373366316361633966626630316139656331383865663862636437366563366433
+64346234386637366435663738356363346466386132306163383432353436626332393832343236
+63316335373435653764383963656362306161643438383336396332376532326430366231656330
+66356663343939316433386538646364616331316366663433616536666466383432643832316331
+35346438353061613630303334656633303861633761623066303734323533663665383535623635
+30323233396531633836393931376631663765656563626334343765333237386132383230336163
+35373539643033316431373138326130663236663637353638316563613438646438666335643635
+63663735663434393062636538323363386439643361633565323938383239666665663838313666
+63646461393565656661666335366663366635393833663333613066316561633431303232383138
+33323832363461643363303736616234653861323163633231663836316462346237313938343037
+30663032663664333965333334636235303035383238323935616339323530613532363661616530
+64646365323731646464623539393166633431306263396564353435666637636362616631323034
+32303338333066363862643633663735356461626237636665663265316232306561303137656363
+35663961333666333666613534383133323662333265646131633963656166646133663737316439
+37646266396663316430313764613235623332343838343830663938646133323636366133623666
+64633133623564393332663930343530616665306330373131626233653466353334623837653530
+65323836646163353865396230313538393062316134383934363337653937663233316665326562
+35383038333433633538306134343130353231313365356331643763343561353232333939643935
+33663536356639656437343735343965643430646561323434386331616136613832366431383638
+61666335383430346166663865643336303337303566333461666630323332623639333836663735
+62313533333230353165626431643034383232306165383630623763636634363066653837393166
+63303530313830366361653934633661366332336134626231646162336163643964306462363534
+66663432376332343030636338663563316630643837316130653137333539333762333833666434
+30326634643163343762373035326539666665316130393564376631303538313030656236663239
+6462373938366338646539666561666335343665656166383435
--- a/group_vars/staging/vars.yml
+++ b/group_vars/staging/vars.yml
@ -5,13 +5,13 @@ base_domain: staging.sapti.me
 internal_subnet: 10.2.19.0/24
 postgresql_version: 14

+databases:
+  nextcloud:
+    username: nextcloud
+    password: "{{ vault_databases.nextcloud.password }}"
+
 db_inventory_hostname: sapt-labs-db01
 db_host: "{{ hostvars[db_inventory_hostname].internal_ipv4 }}"

 proxy_inventory_hostname: sapt-labr-prx01
 proxy_host: "{{ hostvars[proxy_inventory_hostname].internal_ipv4 }}"
-
-databases:
-  nextcloud:
-    username: nextcloud
-    password: "{{ vault_db_passwords.nextcloud }}"
--- a/group_vars/staging/vault.yml
+++ b/group_vars/staging/vault.yml
@ -1,26 +1,35 @@
 $ANSIBLE_VAULT;1.1;AES256
-64333431356566356137666636636262306262613664663935633934343532663563333837313963
-3638386534636463646461666338356633356462326663360a393966613865613434663136613933
-36343438336364636561333130653436386630356630626139643139303636383762663838383463
-6561336438303235610a663339633133613935383464336164323630316536353130333130316237
-33383738383535646135326236646233313166336330386362613534343031373234313634313361
-61303362323961636265616666306632326363656261376564633337343632333732663231643165
-32356239346535303965653261613437623837326138376231653761366166316639653239653034
-30333032363932363961336335623464313333653465373965366430306365663739393335343434
-39623531643563303438306264623866383135303534653131626435623139386666633066356630
-66633036303264666639663063373635366563313466303932363265623235303432383162636437
-31666463306238313138373239306531616264353336393138323538353331656132366361653463
-39356236396134303764326165656136636638303436323932643432366662393864646439656631
-33316630346330313137383230376433633238626132653861393435313038663066363664633436
-64336165363637643732626366336338373961336166353533393235333939323563656336633965
-37646161663334666335646436346432383037633430303838386337303835303336323963373135
-65643331663933313031323761313765363065383937323461343065313862323032613131666461
-34623862353337343535356139373830636563643135633530666164653662346133303837653862
-62336664353034653337646662396536396133623763643264383736363163393831376135373265
-33613633643962303731623562666435373736336163613465626338663832366334663765353263
-66643834623066386465396233333334386333663530613466373332393664356465613565356562
-35643265386462333661346533313336306233313335383830363739333334326234663236653461
-62396263626637396339373139366332363232326364663764383763666231373532343263393064
-36303565393362356134643532303239656236343038303263613538613630346264386236656636
-31373066363635356365316432653931393937333664316265623332643932613934333265626231
-6564
+39333261386639633632616336613338323739393565356466333734663163623561613234656136
+3364336635623064383363663231303463646432386237300a383734316161366361323333393432
+34653231643465656462613165366539663063333335366431313666303730316431643534333533
+6164383833393564660a323165633039353166646232626639376664636665313039376664623465
+64326462396231393035323739613537323736366462613936666563373139663737626334623837
+37613333373662666330633131626363643834323531393735613563303930353537656130316664
+31636632306362343162353536356530383530363530323931623930363239373866343266663132
+63663036333939316131343162343038323265303336316436373039316134393936613830316465
+66646131623833636263633238663637363165396136356436316237373130323737616332396136
+66353636653332346261303965613463323562633566383436613761633064613331653164306263
+38623063616566376564623535343363383861343338313637666330376161616162613737626434
+63356333633963656137333736666431346262383434366662323066646561353530343834316161
+32333861346534373038666563366537313832303265386562393630633861313437353135306231
+34313766666533306163643237643765616131333830316136336463666637393262313066386663
+61623735666165383162353361383137616162393239346432386261633933666530313639623465
+36373037333837346231396636633166393565623261636430303965313635353566633238656632
+39646136633431326266313066623861333661373431316162316539363139343061656432356365
+33363763313366636165346236353666656562356339653239666262386264356539653531666261
+33663538376562663838616161306135646331336362306130396534653335633435656133636265
+65326431373061393066353732653936343633313366393864633933643563623336353561373234
+33326535326264386237316663396633353037373364636435346538636337643839643130643934
+39643864386135623664646230343039623234333636633963626537323062363061643036376431
+39393537373937363530393039366264633737633661663030303830636636313766373965633531
+62646235636238616537626638653263343630663535373064376232376638626438346238616337
+62656330373061306564663062363835326664666234616332316566616537626239633837396230
+30613036356566383231383631663133653161383334396435363836336364323437353931343231
+37333032333135333635366634363836656363663834396231323737343238353035366237343239
+31303135336530313432323238653361646662636362326634313763316566323663356236323933
+38613262383562626564323434313839633739376536393638363632383933306633333135306263
+31623834626163663263396638353238653564653464646239643831343230326432383232323135
+34633632343831306537333264396230323732383761376534303661653764646438626561393731
+61653434636665346535393763376139656664303738313638336262313830323238343838346536
+37313535313662323335353865346665323236363830393663613035633936623439616366643439
+6464316134376336646431616466336436393235336234666236
--- a/roles/apps/defaults/main.yml
+++ b/roles/apps/defaults/main.yml
@ -40,6 +40,14 @@ apps_vars:
    gateway_port: 8080
    version: v0.25.0

+  jitsi:
+    backup: false
+    sender: false
+    extra_tasks: true
+    domain: meet.{{ apps_base_domain }}
+    port: 80
+    version: stable
+
  monerod:
    backup: false
    sender: false
--- a/roles/apps/files/jitsi/register.sh
+++ b/roles/apps/files/jitsi/register.sh
@ -0,0 +1,16 @@
+# THIS FILE IS MANAGED BY ANSIBLE
+#!/usr/bin/env bash
+
+cd "$(dirname "$0")"
+
+USERNAME=$1
+read -rsp "password: " PASSWORD; echo
+
+if [[ -f "data/prosody/config/data/meet%2ejitsi/accounts/$USERNAME.dat" ]]; then
+    echo "User $USERNAME exists"
+    exit 1
+fi
+
+docker compose exec prosody \
+    /usr/bin/prosodyctl --config /config/prosody.cfg.lua \
+    register $USERNAME meet.jitsi $PASSWORD
--- a/roles/apps/tasks/extra_tasks/jitsi.yml
+++ b/roles/apps/tasks/extra_tasks/jitsi.yml
@ -0,0 +1,35 @@
+# vim: ft=yaml.ansible
+# code: language=ansible
+---
+- name: Create subdirectories for Jitsi Meet data
+  ansible.builtin.file:
+    path: "{{ apps_data_root }}/jitsi/data/{{ dir }}"
+    owner: root
+    mode: u=rwx,g=rx,o=rx
+    state: directory
+  loop:
+    - web/transcripts
+    - prosody
+  loop_control:
+    loop_var: dir
+
+- name: Create subdirectories for Jitsi Meet Prosody data
+  ansible.builtin.file:
+    path: "{{ apps_data_root }}/jitsi/data/{{ dir }}"
+    owner: '101'
+    group: root
+    mode: u=rwx,g=rx,o=rx
+    state: directory
+  loop:
+    - prosody/plugins
+    - prosody/config
+  loop_control:
+    loop_var: dir
+
+- name: Copy user registration script for Jitsi Meet
+  ansible.builtin.copy:
+    src: jitsi/register.sh
+    dest: "{{ apps_data_root }}/jitsi/register.sh"
+    owner: root
+    group: root
+    mode: u=rwx,g=rx,o=rx
--- a/roles/apps/templates/compose-files/jitsi.yml.j2
+++ b/roles/apps/templates/compose-files/jitsi.yml.j2
@ -0,0 +1,79 @@
+{# code: language=ansible-jinja #}
+# THIS FILE IS MANAGED BY ANSIBLE
+
+version: "3.8"
+
+services:
+  meet:
+    image: jitsi/web:{{ apps_vars.jitsi.version }}
+    restart: always
+    environment:
+      DISABLE_HTTPS: 1
+      PUBLIC_URL: {{ apps_vars.jitsi.domain }}
+      ENABLE_AUTH: 1
+      ENABLE_GUESTS: 1
+    networks:
+      meet.jitsi:
+      {{ apps_shared_docker_network }}:
+        aliases:
+          - jitsi
+    volumes:
+      - "./data/web/transcripts:/usr/share/jitsi-meet/transcripts:rw"
+    depends_on:
+      - jvb
+
+  prosody:
+    image: jitsi/prosody:{{ apps_vars.jitsi.version }}
+    restart: always
+    environment:
+      JICOFO_AUTH_PASSWORD: {{ jitsi_passwords.jicofo_auth }}
+      JVB_AUTH_PASSWORD: {{ jitsi_passwords.jvb_auth }}
+      ENABLE_AUTH: 1
+      ENABLE_GUESTS: 1
+      AUTH_TYPE: internal
+    networks:
+      meet.jitsi:
+        aliases:
+          - xmpp.meet.jitsi
+    volumes:
+      - "./data/prosody/plugins:/prosody-plugins-custom:rw"
+      - "./data/prosody/config:/config:rw"
+    expose:
+      - 5222
+      - 5269
+      - 5280
+      - 5347
+
+  jicofo:
+    image: jitsi/jicofo:{{ apps_vars.jitsi.version }}
+    restart: always
+    environment:
+      JICOFO_AUTH_PASSWORD: {{ jitsi_passwords.jicofo_auth }}
+      ENABLE_AUTH: 1
+      AUTH_TYPE: internal
+      XMPP_SERVER: prosody
+    networks:
+      - meet.jitsi
+    depends_on:
+      - prosody
+
+  jvb:
+    image: jitsi/jvb:{{ apps_vars.jitsi.version }}
+    restart: always
+    environment:
+      JVB_AUTH_PASSWORD: {{ jitsi_passwords.jvb_auth }}
+      JVB_WS_DOMAIN: {{ apps_vars.jitsi.domain }}
+{% if hostname not in groups['production'] %}
+      JVB_ADVERTISE_IPS: {{ ansible_host }}
+{% endif %}
+    networks:
+      - meet.jitsi
+    ports:
+      - 10000:10000/udp
+    depends_on:
+      - prosody
+
+networks:
+  meet.jitsi:
+  {{ apps_shared_docker_network }}:
+    external: true
--- a/roles/apps/templates/nginx/conf.d/ipfs.conf.j2
+++ b/roles/apps/templates/nginx/conf.d/ipfs.conf.j2
@ -14,7 +14,6 @@ server {

    proxy_http_version      1.1;
    proxy_buffering         off;
-    proxy_request_buffering off;

    location / {
        proxy_pass $upstream;
--- a/roles/apps/templates/nginx/conf.d/jitsi.conf.j2
+++ b/roles/apps/templates/nginx/conf.d/jitsi.conf.j2
@ -0,0 +1,29 @@
+{# code: language=ansible-jinja #}
+# THIS FILE IS MANAGED BY ANSIBLE
+
+server {
+    server_name {{ apps_vars.jitsi.domain }};
+    listen 8080;
+
+    set $upstream http://jitsi:{{ apps_vars.jitsi.port }};
+
+    proxy_set_header Host              $host;
+    proxy_set_header X-Real-IP         $remote_addr;
+    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto "https";
+
+    proxy_http_version      1.1;
+    proxy_buffering         off;
+
+    location / {
+        proxy_pass $upstream;
+    }
+
+    location ~^/(colibri-ws|xmpp-websocket)$ {
+        proxy_pass $upstream;
+
+        # WebSocket support
+        proxy_set_header Upgrade    $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+    }
+}
--- a/roles/apps/templates/nginx/conf.d/monerod.conf.j2
+++ b/roles/apps/templates/nginx/conf.d/monerod.conf.j2
@ -14,7 +14,6 @@ server {

    proxy_http_version      1.1;
    proxy_buffering         off;
-    proxy_request_buffering off;

    location / {
        proxy_pass $upstream;
--- a/roles/apps/templates/nginx/conf.d/nextcloud.conf.j2
+++ b/roles/apps/templates/nginx/conf.d/nextcloud.conf.j2
@ -14,7 +14,6 @@ server {

    proxy_http_version      1.1;
    proxy_buffering         off;
-    proxy_request_buffering off;

    location / {
        proxy_pass $upstream;
--- a/roles/proxy/templates/caddy/Caddyfile.j2
+++ b/roles/proxy/templates/caddy/Caddyfile.j2
@ -77,6 +77,31 @@ ipfs.local.{{ proxy_vars[env].app01.base_domain }} {
    respond 403
 }

+meet.{{ proxy_vars[env].app01.base_domain }} {
+    tls {{ tls_email }} {
+        dns njalla {{ njalla_api_token }}
+    }
+
+    header {
+        Strict-Transport-Security "max-age=31536000; includeSubDomains"
+        -Server
+    }
+
+{% if env == 'production' %}
+    reverse_proxy {{ proxy_vars[env].app01.internal_ipv4 }}:8080
+{% else %}
+    @local {
+        remote_ip {{ proxy_trusted_subnets | join(' ') }}
+    }
+
+    handle @local {
+        reverse_proxy {{ proxy_vars[env].app01.internal_ipv4 }}:8080
+    }
+
+    respond 403
+{% endif %}
+}
+
 xmr.local.{{ proxy_vars[env].app01.base_domain }} {
    tls {{ tls_email }} {
        dns njalla {{ njalla_api_token }}