From 63c01ea6a37a5011ed370b371e5afc31463f9646 Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Sat, 10 Feb 2024 22:36:48 +0100
Subject: [PATCH] Add Jitsi Meet
---
 group_vars/appservers/vars.yml | 7 ++
 group_vars/production/vars.yml | 5 --
 group_vars/production/vault.yml | 59 ++++++++-------
 group_vars/staging/vars.yml | 5 --
 group_vars/staging/vault.yml | 59 ++++++++-------
 roles/apps/defaults/main.yml | 8 +++
 roles/apps/tasks/extra_tasks/jitsi.yml | 27 +++++++
 .../apps/templates/compose-files/jitsi.yml.j2 | 71 +++++++++++++++++++
 .../templates/compose-files/nextcloud.yml.j2 | 2 +-
 .../apps/templates/nginx/conf.d/ipfs.conf.j2 | 1 -
 .../apps/templates/nginx/conf.d/jitsi.conf.j2 | 29 ++++++++
 .../templates/nginx/conf.d/monerod.conf.j2 | 1 -
 .../templates/nginx/conf.d/nextcloud.conf.j2 | 1 -
 roles/postgresql/defaults/main.yml | 2 +-
 roles/postgresql/tasks/database.yml | 10 +-
 roles/postgresql/templates/pg_hba.conf.j2 | 2 +-
 16 files changed, 218 insertions(+), 71 deletions(-)
 create mode 100644 roles/apps/tasks/extra_tasks/jitsi.yml
 create mode 100644 roles/apps/templates/compose-files/jitsi.yml.j2
 create mode 100644 roles/apps/templates/nginx/conf.d/jitsi.conf.j2
diff --git a/group_vars/appservers/vars.yml b/group_vars/appservers/vars.yml
index 55acae4..5c4e095 100644
--- a/group_vars/appservers/vars.yml
+++ b/group_vars/appservers/vars.yml
@@ -11,6 +11,13 @@ apps_include:
 - restic
 - watchtower
+db_passwords:
+ nextcloud: "{{ vault_db_passwords.nextcloud }}"
+
+jitsi_passwords:
+ jicofo_auth: "{{ vault_jitsi_passwords.jicofo_auth }}"
+ jvb_auth: "{{ vault_jitsi_passwords.jvb_auth }}"
+
 redis_passwords:
 nextcloud: "{{ vault_redis_passwords.nextcloud }}"
diff --git a/group_vars/production/vars.yml b/group_vars/production/vars.yml
index afa3824..1060691 100644
--- a/group_vars/production/vars.yml
+++ b/group_vars/production/vars.yml
@@ -10,8 +10,3 @@ db_host: "{{ hostvars[db_inventory_hostname].internal_ipv4 }}"
 proxy_inventory_hostname: sapt-labr-prx01
 proxy_host: "{{ hostvars[proxy_inventory_hostname].internal_ipv4 }}"
-
-databases:
- nextcloud:
- username: nextcloud
- password: "{{ vault_db_passwords.nextcloud }}"
diff --git a/group_vars/production/vault.yml b/group_vars/production/vault.yml
index fac5baa..252e6ea 100644
--- a/group_vars/production/vault.yml
+++ b/group_vars/production/vault.yml
@@ -1,26 +1,35 @@ $ANSIBLE_VAULT;1.1;AES256 -32366636386565356265326466313931393762623762313230653735336565666662353962386132 -6533636337326630323066333238346663303238623538390a316230636564386638373233363161 -65323364613131393236373233383639663566323061613638373533643566363864613563306232 -3034626662383032390a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a336436653832316439633035306538 +63383039313838373536316165323936636639386564353166363033366538313433636331343166 +3132386339313533660a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
diff --git a/group_vars/staging/vars.yml b/group_vars/staging/vars.yml
index e59eba5..7b3b93a 100644
--- a/group_vars/staging/vars.yml
+++ b/group_vars/staging/vars.yml
@@ -10,8 +10,3 @@ db_host: "{{ hostvars[db_inventory_hostname].internal_ipv4 }}"
 proxy_inventory_hostname: sapt-labr-prx01
 proxy_host: "{{ hostvars[proxy_inventory_hostname].internal_ipv4 }}"
-
-databases:
- nextcloud:
- username: nextcloud
- password: "{{ vault_db_passwords.nextcloud }}"
diff --git a/group_vars/staging/vault.yml b/group_vars/staging/vault.yml
index 86f76ff..10030b5 100644
--- a/group_vars/staging/vault.yml
+++ b/group_vars/staging/vault.yml
@@ -1,26 +1,35 @@ $ANSIBLE_VAULT;1.1;AES256 -64333431356566356137666636636262306262613664663935633934343532663563333837313963 -3638386534636463646461666338356633356462326663360a393966613865613434663136613933 -36343438336364636561333130653436386630356630626139643139303636383762663838383463 -6561336438303235610a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a336630643733616261383662313036 +35663531323938303164366537613939366530633439336638323239623466363337616464396132 +3333326336386234380a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
diff --git a/roles/apps/defaults/main.yml b/roles/apps/defaults/main.yml
index 9bc944d..8332541 100644
--- a/roles/apps/defaults/main.yml
+++ b/roles/apps/defaults/main.yml
@@ -40,6 +40,14 @@ apps_vars:
 gateway_port: 8080
 version: v0.25.0
+ jitsi:
+ backup: false
+ sender: false
+ extra_tasks: true
+ domain: meet.{{ apps_base_domain }}
+ port: 80
+ version: stable
+
 monerod:
 backup: false
 sender: false
diff --git a/roles/apps/tasks/extra_tasks/jitsi.yml b/roles/apps/tasks/extra_tasks/jitsi.yml
new file mode 100644
index 0000000..3b8f7d9
--- /dev/null
+++ b/roles/apps/tasks/extra_tasks/jitsi.yml
@@ -0,0 +1,27 @@
+# vim: ft=yaml.ansible
+# code: language=ansible
+---
+- name: Create subdirectories for Jitsi Meet data
+ ansible.builtin.file:
+ path: "{{ apps_data_root }}/jitsi/data/{{ dir }}"
+ owner: root
+ mode: u=rwx,g=rx,o=rx
+ state: directory
+ loop:
+ - web/transcripts
+ - prosody
+ loop_control:
+ loop_var: dir
+
+- name: Create subdirectories for Jitsi Meet Prosody data
+ ansible.builtin.file:
+ path: "{{ apps_data_root }}/jitsi/data/{{ dir }}"
+ owner: '101'
+ group: root
+ mode: u=rwx,g=rx,o=rx
+ state: directory
+ loop:
+ - prosody/plugins
+ - prosody/config
+ loop_control:
+ loop_var: dir
diff --git a/roles/apps/templates/compose-files/jitsi.yml.j2 b/roles/apps/templates/compose-files/jitsi.yml.j2
new file mode 100644
index 0000000..57e575a
--- /dev/null
+++ b/roles/apps/templates/compose-files/jitsi.yml.j2
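Review bot: `version: stable` in the new `jitsi` entry is a floating tag, while the neighbouring app visible just above it is pinned (`version: v0.25.0`). All four images in the compose template (`jitsi/web`, `jitsi/prosody`, `jitsi/jicofo`, `jitsi/jvb`) are built from this one value, so any pull moves the whole stack to whatever `stable` points at that day — and with `watchtower` in `apps_include` (appservers vars, earlier in this patch) that presumably happens unattended. Pin one of the dated `stable-<build>` release tags the project publishes and bump it deliberately, so an image change is a reviewed commit rather than a side effect of a restart. A short comment on the key, `# pinned; bump deliberately — all four Jitsi images follow this tag`, would keep the next edit from reverting to a floating tag.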
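Review bot: The second task creates `prosody/config` (and `prosody/plugins`) with `mode: u=rwx,g=rx,o=rx`, i.e. listable and traversable by every local user, yet this is the directory the compose template mounts at `/config`, where the prosody image writes its generated configuration — which, in the upstream docker-jitsi-meet image, is where the `JICOFO_AUTH_PASSWORD`/`JVB_AUTH_PASSWORD` values end up (worth confirming against the running container). The container runs as the owning UID, so nothing needs the `o=` bits; `mode: u=rwx,g=rx,o=` on this task keeps the secret-bearing files out of other users' reach with no effect on the service. `owner: '101'` is an image-internal UID that means nothing to a reader of this repo; a one-line comment such as `# 101 = prosody user inside the jitsi/prosody image` above it would save a trip into the Dockerfile. The first task sets `owner: root` without a `group:`, unlike the second; making both explicit keeps the two tasks symmetric.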
@@ -0,0 +1,71 @@
+{# code: language=ansible-jinja #}
+# THIS FILE IS MANAGED BY ANSIBLE
+
+version: "3.8"
+
+services:
+ meet:
+ image: jitsi/web:{{ apps_vars.jitsi.version }}
+ restart: always
+ environment:
+ DISABLE_HTTPS: 1
+ PUBLIC_URL: {{ apps_vars.jitsi.domain }}
+ ENABLE_AUTH: 1
+ ENABLE_GUESTS: 1
+ networks:
+ default:
+ {{ apps_shared_docker_network }}:
+ aliases:
+ - jitsi
+ volumes:
+ - "./data/web/transcripts:/usr/share/jitsi-meet/transcripts:rw"
+ depends_on:
+ - jvb
+
+ prosody:
+ image: jitsi/prosody:{{ apps_vars.jitsi.version }}
+ restart: always
+ environment:
+ JICOFO_AUTH_PASSWORD: {{ jitsi_passwords.jicofo_auth }}
+ JVB_AUTH_PASSWORD: {{ jitsi_passwords.jvb_auth }}
+ ENABLE_AUTH: 1
+ ENABLE_GUESTS: 1
+ AUTH_TYPE: internal
+ volumes:
+ - "./data/prosody/plugins:/prosody-plugins-custom:rw"
+ - "./data/prosody/config:/config:rw"
+ expose:
+ - 5222
+ - 5269
+ - 5280
+ - 5347
+
+ jicofo:
+ image: jitsi/jicofo:{{ apps_vars.jitsi.version }}
+ restart: always
+ environment:
+ JICOFO_AUTH_PASSWORD: "{{ jitsi_passwords.jicofo_auth }}"
+ ENABLE_AUTH: 1
+ AUTH_TYPE: internal
+ XMPP_SERVER: prosody
+ depends_on:
+ - prosody
+
+ jvb:
+ image: jitsi/jvb:{{ apps_vars.jitsi.version }}
+ restart: always
+ environment:
+ JVB_AUTH_PASSWORD: "{{ jitsi_passwords.jvb_auth }}"
+ JVB_WS_DOMAIN: "{{ apps_vars.jitsi.domain }}"
+ XMPP_SERVER: prosody
+{% if hostname not in groups['production'] %}
+ JVB_ADVERTISE_IPS: {{ ansible_host }}
+{% endif %}
+ ports:
+ - 10000:10000/udp
+ depends_on:
+ - prosody
+
+networks:
+ {{ apps_shared_docker_network }}:
+ external: true
diff --git a/roles/apps/templates/compose-files/nextcloud.yml.j2 b/roles/apps/templates/compose-files/nextcloud.yml.j2
index 160c367..3665d27 100644
--- a/roles/apps/templates/compose-files/nextcloud.yml.j2
+++ b/roles/apps/templates/compose-files/nextcloud.yml.j2
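Review bot: In the `prosody` service both secrets are templated unquoted — `JICOFO_AUTH_PASSWORD: {{ jitsi_passwords.jicofo_auth }}` and `JVB_AUTH_PASSWORD: {{ jitsi_passwords.jvb_auth }}` — while the very same values are quoted in the `jicofo` and `jvb` services below. A vaulted password that contains `: ` or ` #`, starts with `*`, `&`, `{` or `[`, or happens to look like a number or boolean will render a compose file that either fails to parse or hands prosody a different value than jicofo/jvb present, which only shows up later as a component that cannot authenticate. Quote them exactly as the other two services do: `JICOFO_AUTH_PASSWORD: "{{ jitsi_passwords.jicofo_auth }}"` and `JVB_AUTH_PASSWORD: "{{ jitsi_passwords.jvb_auth }}"`. Separately, `PUBLIC_URL: {{ apps_vars.jitsi.domain }}` renders a bare hostname whereas the upstream docker-jitsi-meet examples give a full URL with scheme; since the nginx side forces `X-Forwarded-Proto "https"`, it is worth confirming the web image builds correct `https://`/`wss://` links from a scheme-less value, or rendering `PUBLIC_URL: "https://{{ apps_vars.jitsi.domain }}"`.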
@@ -17,7 +17,7 @@ services:
 environment:
 POSTGRES_HOST: {{ db_host }}
 POSTGRES_DB: nextcloud
- POSTGRES_USER: {{ databases.nextcloud.username }}
+ POSTGRES_USER: nextcloud
 POSTGRES_PASSWORD: {{ databases.nextcloud.password }}
 REDIS_HOST: redis
 REDIS_HOST_PASSWORD: {{ redis_passwords.nextcloud }}
diff --git a/roles/apps/templates/nginx/conf.d/ipfs.conf.j2 b/roles/apps/templates/nginx/conf.d/ipfs.conf.j2
index 8fde97b..78b8bdc 100644
--- a/roles/apps/templates/nginx/conf.d/ipfs.conf.j2
+++ b/roles/apps/templates/nginx/conf.d/ipfs.conf.j2
@@ -14,7 +14,6 @@ server {
 proxy_http_version 1.1;
 proxy_buffering off;
- proxy_request_buffering off;
 location / {
 proxy_pass $upstream;
diff --git a/roles/apps/templates/nginx/conf.d/jitsi.conf.j2 b/roles/apps/templates/nginx/conf.d/jitsi.conf.j2
new file mode 100644
index 0000000..42a7412
--- /dev/null
+++ b/roles/apps/templates/nginx/conf.d/jitsi.conf.j2
@@ -0,0 +1,29 @@
+{# code: language=ansible-jinja #}
+# THIS FILE IS MANAGED BY ANSIBLE
+
+server {
+ server_name {{ apps_vars.jitsi.domain }};
+ listen 8080;
+
+ set $upstream http://jitsi:{{ apps_vars.jitsi.port }};
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto "https";
+
+ proxy_http_version 1.1;
+ proxy_buffering off;
+
+ location / {
+ proxy_pass $upstream;
+ }
+
+ location ~^/(colibri-ws|xmpp-websocket)$ {
+ proxy_pass $upstream;
+
+ # WebSocket support
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+}
diff --git a/roles/apps/templates/nginx/conf.d/monerod.conf.j2 b/roles/apps/templates/nginx/conf.d/monerod.conf.j2
index 2a59fec..d7dbf5c 100644
--- a/roles/apps/templates/nginx/conf.d/monerod.conf.j2
+++ b/roles/apps/templates/nginx/conf.d/monerod.conf.j2
@@ -14,7 +14,6 @@ server {
 proxy_http_version 1.1;
 proxy_buffering off;
- proxy_request_buffering off;
 location / {
 proxy_pass $upstream;
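Review bot: The context line right after the change still reads `POSTGRES_PASSWORD: {{ databases.nextcloud.password }}`, but this same patch deletes the `databases` mapping from both group_vars/production/vars.yml and group_vars/staging/vars.yml and replaces it with `db_passwords`; unless `databases` is defined somewhere not shown, rendering nextcloud.yml.j2 now fails on an undefined variable, and only the half of the rename that touched `POSTGRES_USER` was carried through. The line should follow the new structure, and be quoted while it is being touched, since an unquoted secret is a YAML typing hazard: `POSTGRES_PASSWORD: "{{ db_passwords.nextcloud }}"`. The `environment:` block is the only part of the service visible here; the service definition begins above the hunk.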
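Review bot: `location ~^/(colibri-ws|xmpp-websocket)$ {` is anchored with `$`, so only the exact paths `/colibri-ws` and `/xmpp-websocket` receive the `Upgrade`/`Connection` headers; the bridge websocket in upstream Jitsi is requested under a sub-path (`/colibri-ws/<server-id>/<conference>/<endpoint>`, as far as I recall), which falls through to `location /`, is never upgraded, and makes clients silently fall back to the non-WebSocket channel. Suggest `location ~ ^/(colibri-ws/|xmpp-websocket$) {` (or two blocks, `location ~ ^/colibri-ws/` and `location = /xmpp-websocket`), plus a `proxy_read_timeout` well above nginx's 60s default inside it so idle signalling sockets are not dropped. `$connection_upgrade` also needs a `map $http_upgrade $connection_upgrade { … }` in the http context; it is not in this file, so presumably it lives in the shared nginx config — worth confirming, because nginx rejects the configuration with an unknown-variable error if it is missing. Hard-coding `X-Forwarded-Proto "https"` is fine only while the TLS-terminating proxy is the sole thing that can reach port 8080; a comment stating that assumption, `# TLS is terminated upstream; this vhost is only reachable from the proxy`, would make it explicit.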
diff --git a/roles/apps/templates/nginx/conf.d/nextcloud.conf.j2 b/roles/apps/templates/nginx/conf.d/nextcloud.conf.j2
index fd8660e..7366d54 100644
--- a/roles/apps/templates/nginx/conf.d/nextcloud.conf.j2
+++ b/roles/apps/templates/nginx/conf.d/nextcloud.conf.j2
@@ -14,7 +14,6 @@ server {
 proxy_http_version 1.1;
 proxy_buffering off;
- proxy_request_buffering off;
 location / {
 proxy_pass $upstream;
diff --git a/roles/postgresql/defaults/main.yml b/roles/postgresql/defaults/main.yml
index 74160bf..b1b0e49 100644
--- a/roles/postgresql/defaults/main.yml
+++ b/roles/postgresql/defaults/main.yml
@@ -5,4 +5,4 @@ postgresql_pgdata: "{{ data_fs }}/pgsql/{{ postgresql_version }}/data"
 postgresql_wal_archive: "{{ data_fs }}/wal-archive"
 postgresql_service: postgresql-{{ postgresql_version }}
-postgresql_db_list: "{{ databases | dict2items(key_name='name', value_name='vars') }}"
+postgresql_db_list: "{{ db_passwords | dict2items(key_name='name', value_name='password') }}"
diff --git a/roles/postgresql/tasks/database.yml b/roles/postgresql/tasks/database.yml
index a847349..856bcbe 100644
--- a/roles/postgresql/tasks/database.yml
+++ b/roles/postgresql/tasks/database.yml
@@ -1,16 +1,16 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-- name: Create database user '{{ db.vars.username }}'
+- name: Create database user '{{ db.name }}'
 community.postgresql.postgresql_user:
- name: "{{ db.vars.username }}"
- password: "{{ db.vars.password }}"
+ name: "{{ db.name }}"
+ password: "{{ db.password }}"
 state: present
 - name: Create database '{{ db.name }}'
 community.postgresql.postgresql_db:
 name: "{{ db.name }}"
- owner: "{{ db.vars.username }}"
+ owner: "{{ db.name }}"
 template: template0
 encoding: UTF-8
 state: present
@@ -18,7 +18,7 @@
 - name: Grant all priviliges to owner on database '{{ db.name }}'
 community.postgresql.postgresql_privs:
 database: "{{ db.name }}"
- roles: "{{ db.vars.username }}"
+ roles: "{{ db.name }}"
 type: database
 privs: ALL
 state: present
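Review bot: `postgresql_db_list` is now built from `db_passwords`, which this patch defines only in group_vars/appservers/vars.yml, whereas the `databases` mapping it replaces lived in group_vars/production and group_vars/staging. The postgresql role runs on the database host — `db_inventory_hostname` is a separate machine in those group vars — so unless that host is also a member of `appservers`, `db_passwords` is undefined there and the role fails at the first task that evaluates this default. Keep the definition in a group both the app and database hosts share, most naturally the production/staging vars files next to the vaults that supply `vault_db_passwords`. The new `dict2items` shape also makes the role name equal the database name by construction; a comment on this line, `# one role per database, named after it; passwords come from the vault via db_passwords`, would explain why the `username` field went away.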
diff --git a/roles/postgresql/templates/pg_hba.conf.j2 b/roles/postgresql/templates/pg_hba.conf.j2
index 95e33f3..698ebf6 100644
--- a/roles/postgresql/templates/pg_hba.conf.j2
+++ b/roles/postgresql/templates/pg_hba.conf.j2
@@ -7,5 +7,5 @@ host all all 127.0.0.1/32 scram-sh
 host all all ::1/128 scram-sha-256
 {% for db in postgresql_db_list|sort %}
-host {{ db.name }} {{ db.vars.username }} {{ internal_subnet }} scram-sha-256
+host {{ db.name }} {{ db.name }} {{ internal_subnet }} scram-sha-256
 {% endfor %}
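Review bot: The new rule depends on the enclosing loop `{% for db in postgresql_db_list|sort %}`, which sorts the `dict2items` output without an `attribute`; as far as I can tell Jinja's `sort` then compares the whole dicts, which Python cannot order. With the single `nextcloud` entry nothing is ever compared, so it works today, but the first extra key added to `db_passwords` — which this patch makes the intended place to add databases — will make this template fail with a TypeError. Use `{% for db in postgresql_db_list|sort(attribute='name') %}`; the loop line is unchanged context here, but it is the line the new rule's stability hinges on. The rule itself, `host {{ db.name }} {{ db.name }} {{ internal_subnet }} scram-sha-256`, is the right shape: one role per database, restricted to the internal subnet, scram only — note that the server's `password_encryption` must be scram-sha-256 as well for the passwords set by `postgresql_user` to be usable under it, which this role does not show.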