diff --git a/inventory/service/group_vars/jvb.yaml b/inventory/service/group_vars/jvb.yaml
index e3ca786f22..5f93162100 100644
--- a/inventory/service/group_vars/jvb.yaml
+++ b/inventory/service/group_vars/jvb.yaml
@@ -1,3 +1,5 @@
 meetpad_jvb_xmpp_server: "{{ hostvars['meetpad01.opendev.org'].ansible_host }}"
 iptables_extra_public_udp_ports:
 - 10000
+iptables_extra_allowed_groups:
+ - {'protocol': 'tcp', 'port': '9090', 'group': 'meetpad'}
diff --git a/inventory/service/group_vars/meetpad.yaml b/inventory/service/group_vars/meetpad.yaml
index 4b5c5cade6..7fb4550fd5 100644
--- a/inventory/service/group_vars/meetpad.yaml
+++ b/inventory/service/group_vars/meetpad.yaml
@@ -6,3 +6,4 @@ iptables_extra_public_udp_ports:
 - 10000
 iptables_extra_allowed_groups:
 - {'protocol': 'tcp', 'port': '5222', 'group': 'jvb'}
+ - {'protocol': 'tcp', 'port': '9090', 'group': 'meetpad'}
diff --git a/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/jvb-docker-compose.yaml b/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/jvb-docker-compose.yaml
index 1c45e25372..39e18eff0f 100644
--- a/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/jvb-docker-compose.yaml
+++ b/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/jvb-docker-compose.yaml
@@ -11,6 +11,7 @@ services:
 network_mode: host
 volumes:
 - ${CONFIG}/jvb:/config
+ - ${DEFAULTS}/jvb/jvb.conf:/defaults/jvb.conf
 environment:
 - DOCKER_HOST_ADDRESS
 - PUBLIC_URL
@@ -25,4 +26,7 @@ services:
 - JVB_TCP_PORT
 - JVB_STUN_SERVERS
 - JVB_ENABLE_APIS
+ - JVB_KEYSTORE_PATH
+ - JVB_KEYSTORE_PASSWORD
+ - JVB_WS_SERVER_ID
 - TZ
diff --git a/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/meet-docker-compose.yaml b/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/meet-docker-compose.yaml
index b11bfe45ed..9d770f9f5e 100644
--- a/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/meet-docker-compose.yaml
+++ b/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/meet-docker-compose.yaml
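Review bot: The new `iptables_extra_allowed_groups` entry for tcp/9090 in jvb.yaml gives no hint of what listens on that port, and the identical entry is added to meetpad.yaml in the next hunk; a one-line comment above each would spare the next reader a trip through jvb.conf and meet.conf, e.g. `# tcp/9090: JVB public https server (colibri websocket), proxied to by nginx on meetpad`. The compose files run the bridge with `network_mode: host` and jvb.conf binds the http-servers to `0.0.0.0`, so these group-scoped rules are presumably the only thing keeping 9090 off the public side, which is worth stating next to the rule rather than leaving implicit.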
@@ -136,6 +136,7 @@ services:
 network_mode: host
 volumes:
 - ${CONFIG}/jvb:/config
+ - ${DEFAULTS}/jvb/jvb.conf:/defaults/jvb.conf
 environment:
 - DOCKER_HOST_ADDRESS
 - PUBLIC_URL
@@ -150,6 +151,9 @@ services:
 - JVB_TCP_PORT
 - JVB_STUN_SERVERS
 - JVB_ENABLE_APIS
+ - JVB_KEYSTORE_PATH
+ - JVB_KEYSTORE_PASSWORD
+ - JVB_WS_SERVER_ID
 - TZ
 depends_on:
 - prosody
diff --git a/playbooks/roles/jitsi-meet/files/jvb.conf b/playbooks/roles/jitsi-meet/files/jvb.conf
new file mode 100644
index 0000000000..0f43d8bdd0
--- /dev/null
+++ b/playbooks/roles/jitsi-meet/files/jvb.conf
@@ -0,0 +1,117 @@
+// This file originates from
+// https://github.com/jitsi/docker-jitsi-meet/blob/stable-7648-4/jvb/rootfs/defaults/jvb.conf
+// We have modified it to run an ssl https server instead of a normal http
+// server.
+
+{{ $COLIBRI_REST_ENABLED := .Env.COLIBRI_REST_ENABLED | default "false" | toBool -}}
+{{ $ENABLE_COLIBRI_WEBSOCKET := .Env.ENABLE_COLIBRI_WEBSOCKET | default "1" | toBool -}}
+{{ $ENABLE_OCTO := .Env.ENABLE_OCTO | default "0" | toBool -}}
+{{ $ENABLE_MULTI_STREAM := .Env.ENABLE_MULTI_STREAM | default "true" | toBool -}}
+{{ $JVB_DISABLE_STUN := .Env.JVB_DISABLE_STUN | default "0" | toBool -}}
+{{ $JVB_STUN_SERVERS := .Env.JVB_STUN_SERVERS | default "meet-jit-si-turnrelay.jitsi.net:443" -}}
+{{ $JVB_AUTH_USER := .Env.JVB_AUTH_USER | default "jvb" -}}
+{{ $JVB_BREWERY_MUC := .Env.JVB_BREWERY_MUC | default "jvbbrewery" -}}
+{{ $JVB_MUC_NICKNAME := .Env.JVB_MUC_NICKNAME | default .Env.HOSTNAME -}}
+{{ $JVB_ADVERTISE_PRIVATE_CANDIDATES := .Env.JVB_ADVERTISE_PRIVATE_CANDIDATES | default "true" | toBool -}}
+{{ $PUBLIC_URL_DOMAIN := .Env.PUBLIC_URL | default "https://localhost:8443" | trimPrefix "https://" | trimSuffix "/" -}}
+{{ $SHUTDOWN_REST_ENABLED := .Env.SHUTDOWN_REST_ENABLED | default "false" | toBool -}}
+{{ $WS_DOMAIN := .Env.JVB_WS_DOMAIN | default $PUBLIC_URL_DOMAIN -}}
+{{ $WS_SERVER_ID := .Env.JVB_WS_SERVER_ID | default .Env.JVB_WS_SERVER_ID_FALLBACK -}}
+{{ $XMPP_AUTH_DOMAIN := .Env.XMPP_AUTH_DOMAIN | default "auth.meet.jitsi" -}}
+{{ $XMPP_INTERNAL_MUC_DOMAIN := .Env.XMPP_INTERNAL_MUC_DOMAIN | default "internal-muc.meet.jitsi" -}}
+{{ $XMPP_PORT := .Env.XMPP_PORT | default "5222" -}}
+{{ $XMPP_SERVER := .Env.XMPP_SERVER | default "xmpp.meet.jitsi" -}}
+{{ $XMPP_SERVERS := splitList "," $XMPP_SERVER -}}
+{{/* assign env from context, preserve during range when . is re-assigned */}}
+{{ $ENV := .Env -}}
+
+videobridge {
+ ice {
+ udp {
+ port = {{ .Env.JVB_PORT | default 10000 }}
+ }
+ advertise-private-candidates = {{ $JVB_ADVERTISE_PRIVATE_CANDIDATES }}
+ }
+ apis {
+ xmpp-client {
+ configs {
+{{ range $index, $element := $XMPP_SERVERS -}}
+{{ $SERVER := splitn ":" 2 $element }}
+ shard{{ $index }} {
+ HOSTNAME = "{{ $SERVER._0 }}"
+ PORT = "{{ $SERVER._1 | default $XMPP_PORT }}"
+ DOMAIN = "{{ $XMPP_AUTH_DOMAIN }}"
+ USERNAME = "{{ $JVB_AUTH_USER }}"
+ PASSWORD = "{{ $ENV.JVB_AUTH_PASSWORD }}"
+ MUC_JIDS = "{{ $JVB_BREWERY_MUC }}@{{ $XMPP_INTERNAL_MUC_DOMAIN }}"
+ MUC_NICKNAME = "{{ $JVB_MUC_NICKNAME }}"
+ DISABLE_CERTIFICATE_VERIFICATION = true
+ }
+{{ end -}}
+ }
+ }
+ rest {
+ enabled = {{ $COLIBRI_REST_ENABLED }}
+ }
+ }
+ rest {
+ shutdown {
+ enabled = {{ $SHUTDOWN_REST_ENABLED }}
+ }
+ }
+ stats {
+ enabled = true
+ }
+ websockets {
+ enabled = {{ $ENABLE_COLIBRI_WEBSOCKET }}
+ domain = "{{ $WS_DOMAIN }}"
+ tls = true
+ server-id = "{{ $WS_SERVER_ID }}"
+ }
+ multi-stream {
+ enabled = {{ $ENABLE_MULTI_STREAM }}
+ }
+ http-servers {
+ private {
+ host = 0.0.0.0
+ }
+ public {
+ host = 0.0.0.0
+ tls-port = 9090
+ key-store-path={{ .Env.JVB_KEYSTORE_PATH }}
+ key-store-password={{ .Env.JVB_KEYSTORE_PASSWORD }}
+ }
+ }
+
+ {{ if $ENABLE_OCTO -}}
+ octo {
+ enabled = true
+ bind-address = "{{ .Env.JVB_OCTO_BIND_ADDRESS | default "0.0.0.0" }}"
+ public-address = "{{ .Env.JVB_OCTO_PUBLIC_ADDRESS }}"
+ bind-port = "{{ .Env.JVB_OCTO_BIND_PORT | default "4096" }}"
+ region = "{{ .Env.JVB_OCTO_REGION | default "europe" }}"
+ }
+ {{ end -}}
+}
+
+ice4j {
+ harvest {
+ mapping {
+ stun {
+{{ if not $JVB_DISABLE_STUN -}}
+ addresses = [ "{{ join "\",\"" (splitList "," $JVB_STUN_SERVERS) }}" ]
+{{ else -}}
+ enabled = false
+{{ end -}}
+ }
+ static-mappings = [
+{{ if .Env.DOCKER_HOST_ADDRESS -}}
+ {
+ local-address = "{{ .Env.LOCAL_ADDRESS }}"
+ public-address = "{{ .Env.DOCKER_HOST_ADDRESS }}"
+ }
+{{ end -}}
+ ]
+ }
+ }
+}
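Review bot: `key-store-path={{ .Env.JVB_KEYSTORE_PATH }}` and `key-store-password={{ .Env.JVB_KEYSTORE_PASSWORD }}` in the `http-servers.public` block are rendered as unquoted HOCON values, so the password is read as an unquoted string: a `#` or `//` in it starts a comment and characters such as `$`, `=`, `,`, `{`, `}` or whitespace cut the value short without any error from the parser. Quote both and match the `key = value` spacing the rest of the file uses: `key-store-path = "{{ .Env.JVB_KEYSTORE_PATH }}"` and `key-store-password = "{{ .Env.JVB_KEYSTORE_PASSWORD }}"`; a password containing `"` or `\` would still need escaping, so whatever generates `meetpad_jvb_keystore_password` should avoid those two characters, and a short comment saying so next to the value would help. Since the file is now carried locally, the inherited `DISABLE_CERTIFICATE_VERIFICATION = true` on each xmpp-client shard also deserves a comment explaining why it stays on, as the header only mentions the https change.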
diff --git a/playbooks/roles/jitsi-meet/files/meet.conf b/playbooks/roles/jitsi-meet/files/meet.conf
index c8fedd8019..6d1795c03d 100644
--- a/playbooks/roles/jitsi-meet/files/meet.conf
+++ b/playbooks/roles/jitsi-meet/files/meet.conf
@@ -74,7 +74,7 @@ location ~ ^/colibri-ws/([a-zA-Z0-9-\._]+)/(.*) {
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection $connection_upgrade;
- proxy_pass http://$1:9090/colibri-ws/$1/$2$is_args$args;
+ proxy_pass https://$1:9090/colibri-ws/$1/$2$is_args$args;
 }
 {{ end }}
diff --git a/playbooks/roles/jitsi-meet/tasks/main.yaml b/playbooks/roles/jitsi-meet/tasks/main.yaml
index 33529489d0..0db8735d95 100644
--- a/playbooks/roles/jitsi-meet/tasks/main.yaml
+++ b/playbooks/roles/jitsi-meet/tasks/main.yaml
@@ -21,12 +21,14 @@
 state: directory
 path: "/var/jitsi-meet/{{ item }}"
 loop:
+ - jvb
 - web
 - web/nginx
 - web/nginx/site-confs
 - defaults
 - defaults/web
 - defaults/web/nginx
+ - defaults/jvb
 # These files are interpreted by the container at startup and are templated
 # using the frep tool. Ideally we'll keep the content in templates to a
@@ -39,6 +41,10 @@
 copy:
 src: settings-config.js
 dest: /var/jitsi-meet/defaults/web/settings-config.js
+- name: Write jvb.conf config template
+ copy:
+ src: jvb.conf
+ dest: /var/jitsi-meet/defaults/jvb/jvb.conf
 # This file appears to be consumed as is by the jitsi meet web process.
 # No funny templating or replacement.
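Review bot: `proxy_pass https://$1:9090/colibri-ws/$1/$2$is_args$args;` now speaks TLS to the bridge, but nginx leaves `proxy_ssl_verify` off by default, so the self-signed certificate that keytool produces is never checked: the hop is encrypted, the upstream is not authenticated. That is a reasonable first step, but it should be recorded above the line, e.g. `# TLS to the JVB is not verified (proxy_ssl_verify defaults to off); the keystore cert is self-signed`, so nobody assumes more than the config delivers; the upstream host here is taken from the request path within the location regex, which makes authenticating it more valuable than for a fixed upstream. If verification is wanted later, the bridge certificate would have to be distributed to the meetpad host and referenced with `proxy_ssl_trusted_certificate` together with `proxy_ssl_verify on`. The enclosing `location` block begins before this hunk.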
@@ -47,6 +53,31 @@
 src: interface_config.js
 dest: /var/jitsi-meet/defaults/web/interface_config.js
+# This prepares a keystore for the JVB websocket connection
+- name: Install java for keytool
+ package:
+ name: openjdk-11-jre-headless
+ state: present
+- name: Create keystore if it isn't present
+ command:
+ cmd: >
+ keytool -genkeypair
+ -alias {{ inventory_hostname }}.key
+ -keyalg RSA
+ -keysize 2048
+ -validity 3652
+ -keystore /var/jitsi-meet/jvb/jvb-keystore.store
+ -storepass {{ meetpad_jvb_keystore_password }}
+ stdin: |
+ Infra Root
+ OpenDev
+ Open Infra Foundation
+ Austin
+ Texas
+ US
+ yes
+ creates: /var/jitsi-meet/jvb/jvb-keystore.store
+
 - name: Run docker-compose pull
 shell:
 cmd: docker-compose pull
diff --git a/playbooks/roles/jitsi-meet/templates/jvb-env.j2 b/playbooks/roles/jitsi-meet/templates/jvb-env.j2
index 2011c6bde2..f8278ca3c9 100644
--- a/playbooks/roles/jitsi-meet/templates/jvb-env.j2
+++ b/playbooks/roles/jitsi-meet/templates/jvb-env.j2
@@ -4,12 +4,16 @@
 # Customized for OpenDev, all overrides go here (and remember to comment out
 # any defaults from the example):
 CONFIG=/var/jitsi-meet
+DEFAULTS=/var/jitsi-meet/defaults
 PUBLIC_URL=https://meetpad.opendev.org
 XMPP_SERVER={{ meetpad_jvb_xmpp_server }}
 XMPP_AUTH_DOMAIN=auth.localhost
 XMPP_INTERNAL_MUC_DOMAIN=internal-muc.localhost
 JVB_AUTH_PASSWORD={{ meetpad_jvb_auth_password }}
 JVB_PORT=10000
+JVB_KEYSTORE_PATH=/config/jvb-keystore.store
+JVB_KEYSTORE_PASSWORD={{ meetpad_jvb_keystore_password }}
+JVB_WS_SERVER_ID={{ inventory_hostname }}
 # shellcheck disable=SC2034
diff --git a/playbooks/roles/jitsi-meet/templates/meet-env.j2 b/playbooks/roles/jitsi-meet/templates/meet-env.j2
index 27d4c68819..65b0e50dc9 100644
--- a/playbooks/roles/jitsi-meet/templates/meet-env.j2
+++ b/playbooks/roles/jitsi-meet/templates/meet-env.j2
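Review bot: `-storepass {{ meetpad_jvb_keystore_password }}` in the "Create keystore if it isn't present" task places the keystore password in keytool's argv, where it is visible in the process list while keytool runs and is kept in the task result (and any verbose or logged output), because the `command` task sets no `no_log`. Add `no_log: true` to the task and pass the secret through the environment instead: `environment: { JVB_KEYSTORE_PASSWORD: "{{ meetpad_jvb_keystore_password }}" }` on the task and `-storepass:env JVB_KEYSTORE_PASSWORD` in `cmd`. Separately, `creates:` turns the task into a no-op once the file exists, so nothing regenerates the certificate after the `-validity 3652` days run out; a comment such as `# creates: means expiry is not handled here; remove the store to regenerate` would record that. The subject identity is fed through `stdin` in prompt order; `-dname` would make it explicit and stop the task depending on keytool's prompt sequence.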
@@ -17,6 +17,9 @@ XMPP_INTERNAL_MUC_DOMAIN=internal-muc.localhost
 XMPP_GUEST_DOMAIN=guest.localhost
 JVB_AUTH_PASSWORD={{ meetpad_jvb_auth_password }}
 JVB_PORT=10000
+JVB_KEYSTORE_PATH=/config/jvb-keystore.store
+JVB_KEYSTORE_PASSWORD={{ meetpad_jvb_keystore_password }}
+JVB_WS_SERVER_ID={{ inventory_hostname }}
 JICOFO_COMPONENT_SECRET={{ meetpad_jicofo_component_secret }}
 JICOFO_AUTH_PASSWORD={{ meetpad_jicofo_auth_password }}
 JIGASI_XMPP_PASSWORD={{ meetpad_jigasi_xmpp_password }}
diff --git a/playbooks/zuul/templates/group_vars/jvb.yaml.j2 b/playbooks/zuul/templates/group_vars/jvb.yaml.j2
index 06deb123fc..59a159cf48 100644
--- a/playbooks/zuul/templates/group_vars/jvb.yaml.j2
+++ b/playbooks/zuul/templates/group_vars/jvb.yaml.j2
@@ -1 +1,2 @@
 meetpad_jvb_auth_password: 8c64807830bcc7581821d3157899e3b0
+meetpad_jvb_keystore_password: ateeweegoLee3aig5eish8aeraetiG
diff --git a/playbooks/zuul/templates/group_vars/meetpad.yaml.j2 b/playbooks/zuul/templates/group_vars/meetpad.yaml.j2
index 4ab3ddb413..e427e8ce0e 100644
--- a/playbooks/zuul/templates/group_vars/meetpad.yaml.j2
+++ b/playbooks/zuul/templates/group_vars/meetpad.yaml.j2
@@ -1,4 +1,5 @@
 meetpad_jvb_auth_password: 8c64807830bcc7581821d3157899e3b0
+meetpad_jvb_keystore_password: ateeweegoLee3aig5eish8aeraetiG
 meetpad_jicofo_component_secret: 3bcd6b4494d99de7ff7b64b931d394f6
 meetpad_jicofo_auth_password: e0d9bceec264b78d8bf0022787f92498
 meetpad_jigasi_xmpp_password: 2a8fb7ff7c59f09d94960f3fa15001fb
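Review bot: `DEFAULTS=` is not set anywhere in this meet-env.j2 hunk, while jvb-env.j2 gains `DEFAULTS=/var/jitsi-meet/defaults` in the same change and meet-docker-compose.yaml now mounts `${DEFAULTS}/jvb/jvb.conf`; if meet-env.j2 does not already define it above line 17, that mount renders with an empty prefix as `/jvb/jvb.conf` and the jvb container on meetpad falls back to the image's own defaults. Worth checking the top of the file; if it is missing, add `DEFAULTS=/var/jitsi-meet/defaults` next to `CONFIG=` as jvb-env.j2 does. `JVB_KEYSTORE_PATH=/config/jvb-keystore.store` does line up with the `${CONFIG}/jvb:/config` mount and the keytool `-keystore` path, so that part is consistent across the change.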