diff --git a/inventory/service/group_vars/jvb.yaml b/inventory/service/group_vars/jvb.yaml
index e3ca786f22..5f93162100 100644
--- a/inventory/service/group_vars/jvb.yaml
+++ b/inventory/service/group_vars/jvb.yaml
@@ -1,3 +1,5 @@
meetpad_jvb_xmpp_server: "{{ hostvars['meetpad01.opendev.org'].ansible_host }}"
iptables_extra_public_udp_ports:
- 10000
+iptables_extra_allowed_groups:
+ - {'protocol': 'tcp', 'port': '9090', 'group': 'meetpad'}
diff --git a/inventory/service/group_vars/meetpad.yaml b/inventory/service/group_vars/meetpad.yaml
index 4b5c5cade6..7fb4550fd5 100644
--- a/inventory/service/group_vars/meetpad.yaml
+++ b/inventory/service/group_vars/meetpad.yaml
@@ -6,3 +6,4 @@ iptables_extra_public_udp_ports:
- 10000
iptables_extra_allowed_groups:
- {'protocol': 'tcp', 'port': '5222', 'group': 'jvb'}
+ - {'protocol': 'tcp', 'port': '9090', 'group': 'meetpad'}
diff --git a/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/jvb-docker-compose.yaml b/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/jvb-docker-compose.yaml
index 1c45e25372..39e18eff0f 100644
--- a/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/jvb-docker-compose.yaml
+++ b/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/jvb-docker-compose.yaml
@@ -11,6 +11,7 @@ services:
network_mode: host
volumes:
- ${CONFIG}/jvb:/config
+ - ${DEFAULTS}/jvb/jvb.conf:/defaults/jvb.conf
environment:
- DOCKER_HOST_ADDRESS
- PUBLIC_URL
@@ -25,4 +26,7 @@ services:
- JVB_TCP_PORT
- JVB_STUN_SERVERS
- JVB_ENABLE_APIS
+ - JVB_KEYSTORE_PATH
+ - JVB_KEYSTORE_PASSWORD
+ - JVB_WS_SERVER_ID
- TZ
diff --git a/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/meet-docker-compose.yaml b/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/meet-docker-compose.yaml
index b11bfe45ed..9d770f9f5e 100644
--- a/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/meet-docker-compose.yaml
+++ b/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/meet-docker-compose.yaml
@@ -136,6 +136,7 @@ services:
network_mode: host
volumes:
- ${CONFIG}/jvb:/config
+ - ${DEFAULTS}/jvb/jvb.conf:/defaults/jvb.conf
environment:
- DOCKER_HOST_ADDRESS
- PUBLIC_URL
@@ -150,6 +151,9 @@ services:
- JVB_TCP_PORT
- JVB_STUN_SERVERS
- JVB_ENABLE_APIS
+ - JVB_KEYSTORE_PATH
+ - JVB_KEYSTORE_PASSWORD
+ - JVB_WS_SERVER_ID
- TZ
depends_on:
- prosody
diff --git a/playbooks/roles/jitsi-meet/files/jvb.conf b/playbooks/roles/jitsi-meet/files/jvb.conf
new file mode 100644
index 0000000000..0f43d8bdd0
--- /dev/null
+++ b/playbooks/roles/jitsi-meet/files/jvb.conf
@@ -0,0 +1,117 @@
+// This file originates from
+// https://github.com/jitsi/docker-jitsi-meet/blob/stable-7648-4/jvb/rootfs/defaults/jvb.conf
+// We have modified it to run an ssl https server instead of a normal http
+// server.
+
+{{ $COLIBRI_REST_ENABLED := .Env.COLIBRI_REST_ENABLED | default "false" | toBool -}}
+{{ $ENABLE_COLIBRI_WEBSOCKET := .Env.ENABLE_COLIBRI_WEBSOCKET | default "1" | toBool -}}
+{{ $ENABLE_OCTO := .Env.ENABLE_OCTO | default "0" | toBool -}}
+{{ $ENABLE_MULTI_STREAM := .Env.ENABLE_MULTI_STREAM | default "true" | toBool -}}
+{{ $JVB_DISABLE_STUN := .Env.JVB_DISABLE_STUN | default "0" | toBool -}}
+{{ $JVB_STUN_SERVERS := .Env.JVB_STUN_SERVERS | default "meet-jit-si-turnrelay.jitsi.net:443" -}}
+{{ $JVB_AUTH_USER := .Env.JVB_AUTH_USER | default "jvb" -}}
+{{ $JVB_BREWERY_MUC := .Env.JVB_BREWERY_MUC | default "jvbbrewery" -}}
+{{ $JVB_MUC_NICKNAME := .Env.JVB_MUC_NICKNAME | default .Env.HOSTNAME -}}
+{{ $JVB_ADVERTISE_PRIVATE_CANDIDATES := .Env.JVB_ADVERTISE_PRIVATE_CANDIDATES | default "true" | toBool -}}
+{{ $PUBLIC_URL_DOMAIN := .Env.PUBLIC_URL | default "https://localhost:8443" | trimPrefix "https://" | trimSuffix "/" -}}
+{{ $SHUTDOWN_REST_ENABLED := .Env.SHUTDOWN_REST_ENABLED | default "false" | toBool -}}
+{{ $WS_DOMAIN := .Env.JVB_WS_DOMAIN | default $PUBLIC_URL_DOMAIN -}}
+{{ $WS_SERVER_ID := .Env.JVB_WS_SERVER_ID | default .Env.JVB_WS_SERVER_ID_FALLBACK -}}
+{{ $XMPP_AUTH_DOMAIN := .Env.XMPP_AUTH_DOMAIN | default "auth.meet.jitsi" -}}
+{{ $XMPP_INTERNAL_MUC_DOMAIN := .Env.XMPP_INTERNAL_MUC_DOMAIN | default "internal-muc.meet.jitsi" -}}
+{{ $XMPP_PORT := .Env.XMPP_PORT | default "5222" -}}
+{{ $XMPP_SERVER := .Env.XMPP_SERVER | default "xmpp.meet.jitsi" -}}
+{{ $XMPP_SERVERS := splitList "," $XMPP_SERVER -}}
+{{/* assign env from context, preserve during range when . is re-assigned */}}
+{{ $ENV := .Env -}}
+
+videobridge {
+ ice {
+ udp {
+ port = {{ .Env.JVB_PORT | default 10000 }}
+ }
+ advertise-private-candidates = {{ $JVB_ADVERTISE_PRIVATE_CANDIDATES }}
+ }
+ apis {
+ xmpp-client {
+ configs {
+{{ range $index, $element := $XMPP_SERVERS -}}
+{{ $SERVER := splitn ":" 2 $element }}
+ shard{{ $index }} {
+ HOSTNAME = "{{ $SERVER._0 }}"
+ PORT = "{{ $SERVER._1 | default $XMPP_PORT }}"
+ DOMAIN = "{{ $XMPP_AUTH_DOMAIN }}"
+ USERNAME = "{{ $JVB_AUTH_USER }}"
+ PASSWORD = "{{ $ENV.JVB_AUTH_PASSWORD }}"
+ MUC_JIDS = "{{ $JVB_BREWERY_MUC }}@{{ $XMPP_INTERNAL_MUC_DOMAIN }}"
+ MUC_NICKNAME = "{{ $JVB_MUC_NICKNAME }}"
+ DISABLE_CERTIFICATE_VERIFICATION = true
+ }
+{{ end -}}
+ }
+ }
+ rest {
+ enabled = {{ $COLIBRI_REST_ENABLED }}
+ }
+ }
+ rest {
+ shutdown {
+ enabled = {{ $SHUTDOWN_REST_ENABLED }}
+ }
+ }
+ stats {
+ enabled = true
+ }
+ websockets {
+ enabled = {{ $ENABLE_COLIBRI_WEBSOCKET }}
+ domain = "{{ $WS_DOMAIN }}"
+ tls = true
+ server-id = "{{ $WS_SERVER_ID }}"
+ }
+ multi-stream {
+ enabled = {{ $ENABLE_MULTI_STREAM }}
+ }
+ http-servers {
+ private {
+ host = 0.0.0.0
+ }
+ public {
+ host = 0.0.0.0
+ tls-port = 9090
+ key-store-path={{ .Env.JVB_KEYSTORE_PATH }}
+ key-store-password={{ .Env.JVB_KEYSTORE_PASSWORD }}
+ }
+ }
+
+ {{ if $ENABLE_OCTO -}}
+ octo {
+ enabled = true
+ bind-address = "{{ .Env.JVB_OCTO_BIND_ADDRESS | default "0.0.0.0" }}"
+ public-address = "{{ .Env.JVB_OCTO_PUBLIC_ADDRESS }}"
+ bind-port = "{{ .Env.JVB_OCTO_BIND_PORT | default "4096" }}"
+ region = "{{ .Env.JVB_OCTO_REGION | default "europe" }}"
+ }
+ {{ end -}}
+}
+
+ice4j {
+ harvest {
+ mapping {
+ stun {
+{{ if not $JVB_DISABLE_STUN -}}
+ addresses = [ "{{ join "\",\"" (splitList "," $JVB_STUN_SERVERS) }}" ]
+{{ else -}}
+ enabled = false
+{{ end -}}
+ }
+ static-mappings = [
+{{ if .Env.DOCKER_HOST_ADDRESS -}}
+ {
+ local-address = "{{ .Env.LOCAL_ADDRESS }}"
+ public-address = "{{ .Env.DOCKER_HOST_ADDRESS }}"
+ }
+{{ end -}}
+ ]
+ }
+ }
+}
diff --git a/playbooks/roles/jitsi-meet/files/meet.conf b/playbooks/roles/jitsi-meet/files/meet.conf
index c8fedd8019..6d1795c03d 100644
--- a/playbooks/roles/jitsi-meet/files/meet.conf
+++ b/playbooks/roles/jitsi-meet/files/meet.conf
@@ -74,7 +74,7 @@ location ~ ^/colibri-ws/([a-zA-Z0-9-\._]+)/(.*) {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
- proxy_pass http://$1:9090/colibri-ws/$1/$2$is_args$args;
+ proxy_pass https://$1:9090/colibri-ws/$1/$2$is_args$args;
}
{{ end }}
diff --git a/playbooks/roles/jitsi-meet/tasks/main.yaml b/playbooks/roles/jitsi-meet/tasks/main.yaml
index 33529489d0..0db8735d95 100644
--- a/playbooks/roles/jitsi-meet/tasks/main.yaml
+++ b/playbooks/roles/jitsi-meet/tasks/main.yaml
@@ -21,12 +21,14 @@
state: directory
path: "/var/jitsi-meet/{{ item }}"
loop:
+ - jvb
- web
- web/nginx
- web/nginx/site-confs
- defaults
- defaults/web
- defaults/web/nginx
+ - defaults/jvb
# These files are interpreted by the container at startup and are templated
# using the frep tool. Ideally we'll keep the content in templates to a
@@ -39,6 +41,10 @@
copy:
src: settings-config.js
dest: /var/jitsi-meet/defaults/web/settings-config.js
+- name: Write jvb.conf config template
+ copy:
+ src: jvb.conf
+ dest: /var/jitsi-meet/defaults/jvb/jvb.conf
# This file appears to be consumed as is by the jitsi meet web process.
# No funny templating or replacement.
@@ -47,6 +53,31 @@
src: interface_config.js
dest: /var/jitsi-meet/defaults/web/interface_config.js
+# This prepares a keystore for the JVB websocket connection
+- name: Install java for keytool
+ package:
+ name: openjdk-11-jre-headless
+ state: present
+- name: Create keystore if it isn't present
+ command:
+ cmd: >
+ keytool -genkeypair
+ -alias {{ inventory_hostname }}.key
+ -keyalg RSA
+ -keysize 2048
+ -validity 3652
+ -keystore /var/jitsi-meet/jvb/jvb-keystore.store
+ -storepass {{ meetpad_jvb_keystore_password }}
+ stdin: |
+ Infra Root
+ OpenDev
+ Open Infra Foundation
+ Austin
+ Texas
+ US
+ yes
+ creates: /var/jitsi-meet/jvb/jvb-keystore.store
+
- name: Run docker-compose pull
shell:
cmd: docker-compose pull
diff --git a/playbooks/roles/jitsi-meet/templates/jvb-env.j2 b/playbooks/roles/jitsi-meet/templates/jvb-env.j2
index 2011c6bde2..f8278ca3c9 100644
--- a/playbooks/roles/jitsi-meet/templates/jvb-env.j2
+++ b/playbooks/roles/jitsi-meet/templates/jvb-env.j2
@@ -4,12 +4,16 @@
# Customized for OpenDev, all overrides go here (and remember to comment out
# any defaults from the example):
CONFIG=/var/jitsi-meet
+DEFAULTS=/var/jitsi-meet/defaults
PUBLIC_URL=https://meetpad.opendev.org
XMPP_SERVER={{ meetpad_jvb_xmpp_server }}
XMPP_AUTH_DOMAIN=auth.localhost
XMPP_INTERNAL_MUC_DOMAIN=internal-muc.localhost
JVB_AUTH_PASSWORD={{ meetpad_jvb_auth_password }}
JVB_PORT=10000
+JVB_KEYSTORE_PATH=/config/jvb-keystore.store
+JVB_KEYSTORE_PASSWORD={{ meetpad_jvb_keystore_password }}
+JVB_WS_SERVER_ID={{ inventory_hostname }}
# shellcheck disable=SC2034
diff --git a/playbooks/roles/jitsi-meet/templates/meet-env.j2 b/playbooks/roles/jitsi-meet/templates/meet-env.j2
index 27d4c68819..65b0e50dc9 100644
--- a/playbooks/roles/jitsi-meet/templates/meet-env.j2
+++ b/playbooks/roles/jitsi-meet/templates/meet-env.j2
@@ -17,6 +17,9 @@ XMPP_INTERNAL_MUC_DOMAIN=internal-muc.localhost
XMPP_GUEST_DOMAIN=guest.localhost
JVB_AUTH_PASSWORD={{ meetpad_jvb_auth_password }}
JVB_PORT=10000
+JVB_KEYSTORE_PATH=/config/jvb-keystore.store
+JVB_KEYSTORE_PASSWORD={{ meetpad_jvb_keystore_password }}
+JVB_WS_SERVER_ID={{ inventory_hostname }}
JICOFO_COMPONENT_SECRET={{ meetpad_jicofo_component_secret }}
JICOFO_AUTH_PASSWORD={{ meetpad_jicofo_auth_password }}
JIGASI_XMPP_PASSWORD={{ meetpad_jigasi_xmpp_password }}
diff --git a/playbooks/zuul/templates/group_vars/jvb.yaml.j2 b/playbooks/zuul/templates/group_vars/jvb.yaml.j2
index 06deb123fc..59a159cf48 100644
--- a/playbooks/zuul/templates/group_vars/jvb.yaml.j2
+++ b/playbooks/zuul/templates/group_vars/jvb.yaml.j2
@@ -1 +1,2 @@
meetpad_jvb_auth_password: 8c64807830bcc7581821d3157899e3b0
+meetpad_jvb_keystore_password: ateeweegoLee3aig5eish8aeraetiG
diff --git a/playbooks/zuul/templates/group_vars/meetpad.yaml.j2 b/playbooks/zuul/templates/group_vars/meetpad.yaml.j2
index 4ab3ddb413..e427e8ce0e 100644
--- a/playbooks/zuul/templates/group_vars/meetpad.yaml.j2
+++ b/playbooks/zuul/templates/group_vars/meetpad.yaml.j2
@@ -1,4 +1,5 @@
meetpad_jvb_auth_password: 8c64807830bcc7581821d3157899e3b0
+meetpad_jvb_keystore_password: ateeweegoLee3aig5eish8aeraetiG
meetpad_jicofo_component_secret: 3bcd6b4494d99de7ff7b64b931d394f6
meetpad_jicofo_auth_password: e0d9bceec264b78d8bf0022787f92498
meetpad_jigasi_xmpp_password: 2a8fb7ff7c59f09d94960f3fa15001fb