From c6fc09a7b2d334da9af3fbf36af4a8ef70d69b1a Mon Sep 17 00:00:00 2001
From: Karl Grube <karl@hudlergrube.com>
Date: Mon, 21 Oct 2024 15:53:19 +0200
Subject: [PATCH] initial first steps...
---
tasks/config.yml | 16 +++-
templates/site.j2 | 221 ++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 236 insertions(+), 1 deletion(-)
create mode 100644 templates/site.j2
diff --git a/tasks/config.yml b/tasks/config.yml
index 9039af8..a812ec2 100644
--- a/tasks/config.yml
+++ b/tasks/config.yml
@@ -5,6 +5,20 @@
src: config.js.j2
dest: '/etc/jitsi/meet/{{jitsi_domain}}-config.js'
notify: reload nginx
- tags: sites,conf
+ tags: site,conf
+- name: site configuration
+ template:
+ src: site.j2
+ dest: /etc/nginx/sites-available/jitsi
+ notify: reload nginx
+ tags: site,conf
+ - name: link site
+ file:
+ state: link
+ path: /etc/nginx/sites-enabled/jitsi
+ src: ../sites-available/jitsi
+ notify: reload nginx
+ tags: site
+
diff --git a/templates/site.j2 b/templates/site.j2
new file mode 100644
index 0000000..c086da4
--- /dev/null
+++ b/templates/site.j2
@@ -0,0 +1,221 @@
+server_names_hash_bucket_size 64;
+
+types {
+# nginx's default mime.types doesn't include a mapping for wasm or wav.
+ application/wasm wasm;
+ audio/wav wav;
+}
+upstream prosody {
+ zone upstreams 64K;
+ server 127.0.0.1:5280;
+ keepalive 2;
+}
+upstream jvb1 {
+ zone upstreams 64K;
+ server 127.0.0.1:9090;
+ keepalive 2;
+}
+map $arg_vnode $prosody_node {
+ default prosody;
+ v1 v1;
+ v2 v2;
+ v3 v3;
+ v4 v4;
+ v5 v5;
+ v6 v6;
+ v7 v7;
+ v8 v8;
+}
+server {
+ listen 80;
+ listen [::]:80;
+ server_name {{jitsi_domain}};
+
+ location ^~ /.well-known/acme-challenge/ {
+ default_type "text/plain";
+ root /usr/share/jitsi-meet;
+ }
+ location = /.well-known/acme-challenge/ {
+ return 404;
+ }
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {{jitsi_domain}};
+
+ # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ set $prefix "";
+ set $custom_index "";
+ set $config_js_location /etc/jitsi/meet/{{jitsi_domain}}-config.js;
+
+ ssl_certificate /etc/ssl/jitsi/makise1.crt;
+ ssl_certificate_key /etc/ssl/jitsi/makise1.crt;
+
+ root /usr/share/jitsi-meet;
+
+ # ssi on with javascript for multidomain variables in config.js
+ ssi on;
+ ssi_types application/x-javascript application/javascript;
+
+ index index.html index.htm;
+ error_page 404 /static/404.html;
+
+ gzip on;
+ gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm;
+ gzip_vary on;
+ gzip_proxied no-cache no-store private expired auth;
+ gzip_min_length 512;
+
+ include /etc/jitsi/meet/jaas/*.conf;
+
+ location = /config.js {
+ alias $config_js_location;
+ }
+
+ location = /external_api.js {
+ alias /usr/share/jitsi-meet/libs/external_api.min.js;
+ }
+
+ location = /_api/room-info {
+ proxy_pass http://prosody/room-info?prefix=$prefix&$args;
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host $http_host;
+ }
+
+ location ~ ^/_api/public/(.*)$ {
+ autoindex off;
+ alias /etc/jitsi/meet/public/$1;
+ }
+
+ # ensure all static content can always be found first
+ location ~ ^/(libs|css|static|images|fonts|lang|sounds|.well-known)/(.*)$
+ {
+ add_header 'Access-Control-Allow-Origin' '*';
+ alias /usr/share/jitsi-meet/$1/$2;
+
+ # cache all versioned files
+ if ($arg_v) {
+ expires 1y;
+ }
+ }
+
+ # BOSH
+ location = /http-bind {
+ proxy_pass http://$prosody_node/http-bind?prefix=$prefix&$args;
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host $http_host;
+ proxy_set_header Connection "";
+ }
+
+ # xmpp websockets
+ location = /xmpp-websocket {
+ proxy_pass http://$prosody_node/xmpp-websocket?prefix=$prefix&$args;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $http_host;
+ tcp_nodelay on;
+ }
+
+ # colibri (JVB) websockets for jvb1
+ location ~ ^/colibri-ws/default-id/(.*) {
+ proxy_pass http://jvb1/colibri-ws/default-id/$1$is_args$args;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ tcp_nodelay on;
+ }
+
+ # load test minimal client, uncomment when used
+ #location ~ ^/_load-test/([^/?&:'"]+)$ {
+ # rewrite ^/_load-test/(.*)$ /load-test/index.html break;
+ #}
+ #location ~ ^/_load-test/libs/(.*)$ {
+ # add_header 'Access-Control-Allow-Origin' '*';
+ # alias /usr/share/jitsi-meet/load-test/libs/$1;
+ #}
+
+ location ~ ^/conference-request/v1(\/.*)?$ {
+ proxy_pass http://127.0.0.1:8888/conference-request/v1$1;
+ add_header "Cache-Control" "no-cache, no-store";
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Content-Type';
+ }
+ location ~ ^/([^/?&:'"]+)/conference-request/v1(\/.*)?$ {
+ rewrite ^/([^/?&:'"]+)/conference-request/v1(\/.*)?$ /conference-request/v1$2;
+ }
+
+ location ~ ^/([^/?&:'"]+)$ {
+ set $roomname "$1";
+ try_files $uri @root_path;
+ }
+
+ location @root_path {
+ rewrite ^/(.*)$ /$custom_index break;
+ }
+
+ location ~ ^/([^/?&:'"]+)/config.js$
+ {
+ set $subdomain "$1.";
+ set $subdir "$1/";
+
+ alias $config_js_location;
+ }
+
+ # Matches /(TENANT)/pwa-worker.js or /(TENANT)/manifest.json to rewrite to / and look for file
+ location ~ ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ {
+ set $subdomain "$1.";
+ set $subdir "$1/";
+ rewrite ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ /$2;
+ }
+
+ # BOSH for subdomains
+ location ~ ^/([^/?&:'"]+)/http-bind {
+ set $subdomain "$1.";
+ set $subdir "$1/";
+ set $prefix "$1";
+
+ rewrite ^/(.*)$ /http-bind;
+ }
+
+ # websockets for subdomains
+ location ~ ^/([^/?&:'"]+)/xmpp-websocket {
+ set $subdomain "$1.";
+ set $subdir "$1/";
+ set $prefix "$1";
+
+ rewrite ^/(.*)$ /xmpp-websocket;
+ }
+
+ location ~ ^/([^/?&:'"]+)/_api/room-info {
+ set $subdomain "$1.";
+ set $subdir "$1/";
+ set $prefix "$1";
+
+ rewrite ^/(.*)$ /_api/room-info;
+ }
+
+ # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
+ location ~ ^/([^/?&:'"]+)/(.*)$ {
+ set $subdomain "$1.";
+ set $subdir "$1/";
+ rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
+ }
+}
+
--
GitLab