From 780ddea7985be8518b9a98c0a4a58132138b34a7 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Sun, 5 Apr 2020 02:31:13 +0200
Subject: [PATCH] Initial commit
---
README.authentication | 96 +++++++++++++
README.install | 248 ++++++++++++++++++++++++++++++++
README.unknown_directice_stream | 16 +++
settings-sysctl.conf | 17 +++
settings-system.conf | 12 ++
5 files changed, 389 insertions(+)
create mode 100644 README.authentication
create mode 100644 README.install
create mode 100644 README.unknown_directice_stream
create mode 100644 settings-sysctl.conf
create mode 100644 settings-system.conf
diff --git a/README.authentication b/README.authentication
new file mode 100644
index 0000000..a1eca8d
--- /dev/null
+++ b/README.authentication
@@ -0,0 +1,96 @@
+# ============================================================================
+# Enable authentication for Jitsi
+#
+# Self-hosted Jitsi server with authentication
+# - https://dev.to/noandrea/self-hosted-jitsi-server-with-authentication-ie7
+#
+# see also:
+# - https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-install.md
+#
+# - https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-install.md
+# i============================================================================
+
+FQND_HOSTNAME="meet.oopen.de"
+FQND_HOSTNAME="meet.faire-mobilitaet.de"
+
+cp /etc/jitsi/meet/${FQND_HOSTNAME}-config.js /etc/jitsi/meet/${FQND_HOSTNAME}-config.js.ORIG
+cp /etc/prosody/conf.avail/${FQND_HOSTNAME}.cfg.lua /etc/prosody/conf.avail/${FQND_HOSTNAME}.cfg.lua.ORIG
+cp /etc/jitsi/jicofo/sip-communicator.properties /etc/jitsi/jicofo/sip-communicator.properties.ORIG
+
+
+# --
+# file: /etc/jitsi/meet/${FQND_HOSTNAME}-config.js
+# --
+
+# Section 'host'
+#
+# anonymousdomain: 'guest.${FQND_HOSTNAME},
+#
+if ! $(grep -q -E "^\s*anonymousdomain:\s+'guest.${FQND_HOSTNAME}'\s*," \
+ /etc/jitsi/meet/${FQND_HOSTNAME}-config.js 2>/dev/null); then
+ perl -i -n -p -e "s#^((\s*)// anonymousdomain:.*)#\1\n\2anonymousdomain: 'guest.${FQND_HOSTNAME}',#" \
+ /etc/jitsi/meet/${FQND_HOSTNAME}-config.js
+fi
+
+# Section 'host'
+#
+# authdomain: 'guest.${FQND_HOSTNAME},
+#
+if ! $(grep -q -E "^\s*authdomain:\s+'${FQND_HOSTNAME}'\s*," \
+ /etc/jitsi/meet/${FQND_HOSTNAME}-config.js 2>/dev/null); then
+ perl -i -n -p -e "s#^((\s*)// authdomain:.*)#\1\n\2authdomain: '${FQND_HOSTNAME}',#" \
+ /etc/jitsi/meet/${FQND_HOSTNAME}-config.js
+fi
+
+
+# root Section (var config = {)
+#
+# Enable:
+#
+# requireDisplayName: true,
+#
+if ! 
$(grep -q -E "^\s*requireDisplayName:\s+true\s*," \
+ /etc/jitsi/meet/${FQND_HOSTNAME}-config.js 2>/dev/null); then
+ perl -i -n -p -e "s#^((\s*)// requireDisplayName:.*)#\1\n\2requireDisplayName: true,#" \
+ /etc/jitsi/meet/${FQND_HOSTNAME}-config.js
+fi
+
+
+# ---
+# file: /etc/prosody/conf.avail/${FQND_HOSTNAME}.cfg.lua
+# ---
+
+
+# Root section of 'VirtualHost "${FQND_HOSTNAME}"'
+#
+# authentication = "internal_plain"
+#
+if $(grep -q -E "^\s*authentication\s+=\s+\"anonymous\"" \
+ /etc/prosody/conf.avail/${FQND_HOSTNAME}.cfg.lua 2>/dev/null); then
+ perl -i -n -p -e "s/^(\s*)(authentication\s*=\s*\"anonymous\")/\1--\2\n\1authentication = \"internal_plain\"/" \
+ /etc/prosody/conf.avail/${FQND_HOSTNAME}.cfg.lua
+fi
+
+
+# Add Section 'VirtualHost "guest.${FQND_HOSTNAME}""
+#
+if ! $(grep -q -E "^\s*VirtualHost \"guest.${FQND_HOSTNAME}\"" \
+ /etc/prosody/conf.avail/${FQND_HOSTNAME}.cfg.lua 2>/dev/null); then
+ cat <> /etc/prosody/conf.avail/${FQND_HOSTNAME}.cfg.lua
+
+VirtualHost "guest.${FQND_HOSTNAME}"
+ authentication = "anonymous"
+ c2s_require_encryption = false
+EOF
+fi
+
+# ---
+# file: /etc/jitsi/jicofo/sip-communicator.properties
+# ---
+
+if ! $(grep -q -E "^\s*org.jitsi.jicofo.auth.URL\s*=\s*XMPP:${FQND_HOSTNAME}" \
+ /etc/jitsi/jicofo/sip-communicator.properties 2>/dev/null); then
+ cat <> /etc/jitsi/jicofo/sip-communicator.properties
+org.jitsi.jicofo.auth.URL=XMPP:${FQND_HOSTNAME}
+EOF
+fi
diff --git a/README.install b/README.install
new file mode 100644
index 0000000..369fb7d
--- /dev/null
+++ b/README.install
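Review bot: The Prosody rewrite in this hunk switches the main VirtualHost to `authentication = "internal_plain"`, which keeps every moderator password unhashed in Prosody's account store; `internal_hashed` gives the same login flow with hashed storage, so the replacement should read `\1authentication = \"internal_hashed\"` (and the comment above it updated to match). The appended guest VirtualHost sets `c2s_require_encryption = false`; that is presumably tolerable only because anonymous users reach Prosody over BOSH/websocket behind the TLS-terminating nginx on the same host, so add a comment saying so — the same line on an exposed c2s port (5222) would permit plaintext XMPP. Minor: the comment above the authdomain block says `authdomain: 'guest.${FQND_HOSTNAME}` while the perl inserts `authdomain: '${FQND_HOSTNAME}'`, which is the correct value, so fix the comment. The `cat <> file` heredocs look like a rendering artefact of `cat <<EOF >> file`; the delimiter was likely lost when this page was extracted, so I did not review the heredoc syntax itself.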
@@ -0,0 +1,248 @@
+# ===========================================================================
+# Git Repository Jitsi Meet Service
+# https://github.com/jitsi/jitsi-meet
+#
+# see:
+# - https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-install.md
+#
+# - https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-install.md
+#
+# Self-hosted Jitsi server with authentication
+# - https://dev.to/noandrea/self-hosted-jitsi-server-with-authentication-ie7
+# =============================================================================
+
+FQND_HOSTNAME="meet.oopen.de"
+FQND_HOSTNAME="meet.faire-mobilitaet.de"
+
+# 0.) Create new LX Container
+#
+# /root/bin/LXC/create-lx-container.sh
+# ...
+
+
+# 1.) Assign(Adjust user root
+#
+# lxc-attach -n meet
+# add_new_user.sh root
+
+# 2.) Base Install via ansible
+#
+# cd /home/chris/devel/git/git.oopen.de/ansible/oopen-server
+# ansible-playbook --limit meet.oopen.de ansible-dependencies.yml
+# ansible-playbook --limit meet.oopen.de common.yml
+# ansible-playbook --limit meet.oopen.de scripts/install-ulogd.yml
+
+# 3.) Install Postfix SMTP Service (base)
+#
+# cd /usr/local/src/mailsystem
+# ./install_postfix_base.sh
+
+# 4.) Install iptable firewall (optinal)
+#
+# cd /usr/local/src/ipt-server
+# see: README.install
+
+
+# 5.)
+#
+# - crontab
+# - /etc/ssl
+
+cp /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/fullchain.pem
+chmod 644 /etc/ssl/fullchain.pem
+
+cp /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/privkey.pem
+chmod 644 /etc/ssl/privkey.pem
+
+ln -s fullchain.pem /etc/ssl/${FQND_HOSTNAME}.crt
+ln -s privkey.pem /etc/ssl/${FQND_HOSTNAME}.key
+
+# 5.) Adjust
+#
+# - /etc/hostname (must contain this FQDN "meet.oopen.de")
+# - /etc/hosts (127.0.0.1 localhost meet.example.org)
+# - /etc/ssl
+# - /var/lib/dehydrated
+
+# /etc/hostname
+cat < /etc/hostname
+$FQND_HOSTNAME
+EOF
+
+# 6.) 
Install jitsi meet
+#
+# see: https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-install.md
+
+echo 'deb https://download.jitsi.org stable/' > /etc/apt/sources.list.d/jitsi-stable.list
+wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | sudo apt-key add -
+apt-get update
+
+# Install Jitsi Meet Service
+#
+apt-get install jitsi-meet
+
+
+# Maybe reinstall of 'jitsi-meet-turnserver' is needed..
+#
+if [[ ! -h "/etc/nginx/modules-enabled/60-jitsi-meet.conf" ]] ; then
+ apt-get install --reinstall jitsi-meet-turnserver
+fi
+
+
+
+cd /etc/nginx/modules-enabled
+
+# for streamin at leas module 'ngx_stream_module.so' is needed
+# load_module modules/ngx_stream_module.so;
+#
+# if [[ ! -h /etc/nginx/modules-enabled/50-mod-stream.conf ]] ; then
+# ln -s /usr/share/nginx/modules-available/mod-stream.conf 50-mod-stream.conf
+# fi
+#
+# But we will load all available modules:
+#
+for _file in $(ls /usr/share/nginx/modules-available/) ; do
+ [[ -d "/usr/share/nginx/modules-available/${_file}" ]] && continue
+ [[ -h "/etc/nginx/modules-enabled/50-${_file}" ]] && continue
+ ln -s "/usr/share/nginx/modules-available/${_file}" "/etc/nginx/modules-enabled/50-${_file}"
+ echo $_file
+done
+
+# Install Let's Encrypt Certificate
+#
+/usr/local/src/dehydrated-cron/install_dehydrated.sh
+
+
+# Addjust file nginx vhost congiguration '/etc/nginx/sites-enabled/${FQND_HOSTNAME}.conf'
+#
+#
+# At section 'server' (configuration for port 80) replace
+#
+# location ^~ /.well-known/acme-challenge/ {
+# default_type "text/plain";
+# root /usr/share/jitsi-meet;
+# }
+# location = /.well-known/acme-challenge/ {
+# return 404;
+# }
+#
+# with
+#
+# # - Needed for (automated) updating certificate
+# # -
+# include snippets/letsencrypt-acme-challenge.conf;
+#
+vim /etc/nginx/sites-enabled/${FQND_HOSTNAME}.conf
+
+# Add FQND hostname to /var/lib/dehydrated/domains.txt
+#
+echo "$FQND_HOSTNAME" > /var/lib/dehydrated/domains.txt
+
+# Create Certificate
+# 
+/var/lib/dehydrated/cron/dehydrated_cron.sh
+
+# Change directives 'ssl_certificate'and 'ssl_certificate_key' to
+# meet the new certificate/key locations
+#
+/var/lib/dehydrated/tools/change_ssl_directives.sh
+
+
+# ---
+# 7. Install cronjob to adjust certificates at directory '/etc/ssl'
+#---
+
+# Prepare cnfiguration file
+#
+cp /root/bin/monitoring/conf/check_cert_for_service.conf.sample \
+ /root/bin/monitoring/conf/check_cert_for_service.conf
+
+# Prepare configuration file for 'service_name'
+#
+if ! $(grep -q -E "^\s*service_name=\"coTURN\"" /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then
+ perl -i -n -p -e "s/^(#service_name.*)/#\1\nservice_name=\"coTURN\"/" \
+ /root/bin/monitoring/conf/check_cert_for_service.conf
+fi
+
+# Prepare configuration file for 'check_string_ps'
+#
+if ! $(grep -q -E "^\s*check_string_ps=\"[[:digit:]]\\ /usr/bin/turnserver\"" \
+ /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then
+ perl -i -n -p -e "s/^(#check_string_ps*)/#\1\ncheck_string_ps=\"[[:digit:]]\\\ \/usr\/bin\/turnserver\"/" \
+ /root/bin/monitoring/conf/check_cert_for_service.conf
+fi
+
+# Prepare configuration file for 'service_user'
+#
+if ! $(grep -q -E "^\s*service_user=\"turnserver\"" \
+ /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then
+ perl -i -n -p -e "s/^(#service_user.*)/#\1\nservice_user=\"turnserver\"/" \
+ /root/bin/monitoring/conf/check_cert_for_service.conf
+fi
+
+# Prepare configuration file for 'service_group'
+#
+if ! $(grep -q -E "^\s*service_group=\"turnserver\"" \
+ /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then
+ perl -i -n -p -e "s/^(#service_group.*)/#\1\nservice_group=\"turnserver\"/" \
+ /root/bin/monitoring/conf/check_cert_for_service.conf
+fi
+
+# Prepare configuration file for 'cert_installed'
+#
+if ! 
$(grep -q -E "^\s*cert_installed=\"/etc/ssl/fullchain.pem\"" \
+ /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then
+ perl -i -n -p -e "s/^(#cert_installed.*)/#\1\ncert_installed=\"\/etc\/ssl\/fullchain.pem\"/" \
+ /root/bin/monitoring/conf/check_cert_for_service.conf
+fi
+
+# Prepare configuration file for 'key_installed'
+#
+if ! $(grep -q -E "^\s*key_installed=\"/etc/ssl/privkey.pem\"" \
+ /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then
+ perl -i -n -p -e "s/^(#key_installed.*)/#\1\nkey_installed=\"\/etc\/ssl\/privkey.pem\"/" \
+ /root/bin/monitoring/conf/check_cert_for_service.conf
+fi
+
+# Prepare configuration file for 'cert_newest'
+#
+if ! $(grep -q -E "^\s*cert_newest=\"/var/lib/dehydrated/certs/${FQND_HOSTNAME}/fullchain.pem\"" \
+ /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then
+ perl -i -n -p -e \
+ "s/^(#cert_newest.*)/#\1\ncert_newest=\"\\/var\/lib\/dehydrated\/certs\/${FQND_HOSTNAME}\/fullchain.pem\"/" \
+ /root/bin/monitoring/conf/check_cert_for_service.conf
+fi
+
+# Prepare configuration file for 'key_newest'
+#
+if ! $(grep -q -E "^\s*key_newest=\"/var/lib/dehydrated/certs/${FQND_HOSTNAME}/privkey.pem\"" \
+ /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then
+ perl -i -n -p -e \
+ "s/^(#key_newest.*)/#\1\nkey_newest=\"\\/var\/lib\/dehydrated\/certs\/${FQND_HOSTNAME}\/privkey.pem\"/" \
+ /root/bin/monitoring/conf/check_cert_for_service.conf
+fi
+
+# Initial
+/root/bin/monitoring//check_cert_for_service.sh
+
+# Add Cronjob for checcking if certificate/key is up to date
+#
+_crontab_tmp_file=/tmp/crontab_root.$$
+crontab -l > "$_crontab_tmp_file" 2> /dev/null
+
+if ! 
$(grep -q "/root/bin/monitoring/check_cert_for_service.sh" "$_crontab_tmp_file" 2>/dev/null) ; then
+ cat <> "$_crontab_tmp_file"
+
+# - Check if cert for coTURN service is
+# -
+39 05 * * * /root/bin/monitoring/check_cert_for_service.sh
+EOF
+fi
+crontab "$_crontab_tmp_file"
+rm -f "$_crontab_tmp_file"
+
+
+# ===============================
+# ssh-keygen -f "/home/chris/.ssh/known_hosts" -R "meet.oopen.de"
+# ssh-keygen -f "/home/chris/.ssh/known_hosts" -R ""159.69.74.155
+# ssh-keygen -f "/home/chris/.ssh/known_hosts" -R "2a01:4f8:231:19a7::155"
diff --git a/README.unknown_directice_stream b/README.unknown_directice_stream
new file mode 100644
index 0000000..a69ba00
--- /dev/null
+++ b/README.unknown_directice_stream
@@ -0,0 +1,16 @@
+
+# see: https://serverfault.com/questions/858067/unknown-directive-stream-in-etc-nginx-nginx-conf86
+
+
+# Answer 21
+
+The stream module is being added as dynamic, as per:
+
+--with-stream=dynamic
+
+# You need it to be 'static' - so load the module directly. To do so, add the
+# following at the very top of your nginx.conf:
+# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+#
+load_module /usr/lib/nginx/modules/ngx_stream_module.so;
+
diff --git a/settings-sysctl.conf b/settings-sysctl.conf
new file mode 100644
index 0000000..9ab24a2
--- /dev/null
+++ b/settings-sysctl.conf
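Review bot: `chmod 644 /etc/ssl/privkey.pem` in section 5 makes the TLS private key world-readable, and `ln -s privkey.pem /etc/ssl/${FQND_HOSTNAME}.key` exposes the same file under a second name; the later `check_cert_for_service.conf` settings name `turnserver` as `service_user`/`service_group`, which suggests the key only needs to be readable by that account, so `chgrp turnserver /etc/ssl/privkey.pem` with `chmod 640 /etc/ssl/privkey.pem` (or the Debian `ssl-cert` group) is enough — the 644 is fine for `fullchain.pem`. The crontab edit writes the predictable path `/tmp/crontab_root.$$` and then feeds it back to `crontab` as root; `_crontab_tmp_file=$(mktemp /tmp/crontab_root.XXXXXX) || exit 1` closes the window where a pre-planted file or symlink in /tmp becomes root's crontab. `wget -qO - … | sudo apt-key add -` puts the Jitsi key into the global APT trust store where it can sign any configured repository; store it in `/usr/share/keyrings/jitsi-keyring.gpg` and use `deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/` in the sources list instead. Also, the `for _file in $(ls …)` loop enables every nginx dynamic module although the comment says only `ngx_stream_module.so` is needed, which widens nginx's attack surface for no benefit, and the penultimate `ssh-keygen` line has a stray quote (`-R ""159.69.74.155`).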
@@ -0,0 +1,17 @@
+# file: /etc/sysctl.conf
+
+# see also:
+# https://github.com/jitsi/jitsi-videobridge/blob/master/config/20-jvb-udp-buffers.conf
+# https://forum.golem.de/kommentare/opensource/homeoffice-videokonferenzen-auf-eigenen-servern-mit-jitsi-meet/bevor-sich-noch-wer-die-zaehne-ausbeisst/133384,5616554,5616554,read.html
+# https://idelution.com/nextcloud-talk-einrichtung-turn-server/
+
+# increase Linux TCP buffer limits
+net.core.rmem_max = 10485760
+net.core.wmem_max = 4194304
+net.core.netdev_max_backlog=100000
+
+# increase Linux autotuning TCP buffer limits
+# min, default, and max number of bytes to use
+net.ipv4.tcp_rmem = 4096 131072 10485760
+net.ipv4.tcp_wmem = 4096 65536 4194304
+
diff --git a/settings-system.conf b/settings-system.conf
new file mode 100644
index 0000000..248a52a
--- /dev/null
+++ b/settings-system.conf
@@ -0,0 +1,12 @@
+# file: /etc/systemd/system.conf
+
+# seel also:
+# https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-install.md#systemd-details
+
+DefaultTasksMax=65000
+DefaultLimitCORE=infinity
+DefaultLimitNOFILE=1048576
+DefaultLimitNPROC=65000
+DefaultLimitRTPRIO=infinity
+DefaultLimitRTTIME=infinity
+
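Review bot: Style: `net.core.netdev_max_backlog=100000` is the only key in this file written without spaces around `=` while the neighbouring entries use `key = value`; sysctl accepts both forms, but keep one, `net.core.netdev_max_backlog = 100000`. The header comment names `/etc/sysctl.conf` as the target; a drop-in such as `/etc/sysctl.d/60-jitsi.conf` would presumably keep these values separate from the distribution-managed file, which is worth noting in the comment if that is an option on the target host.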
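Review bot: `DefaultLimitCORE=infinity` (together with `DefaultLimitRTPRIO=infinity` and `DefaultLimitRTTIME=infinity`) placed in `/etc/systemd/system.conf` applies to every service on the host, not only to the Jitsi units the linked quick-install section is about; a core dump of prosody, jicofo or nginx can contain the XMPP component secrets and the TLS private key, so unlimited core files host-wide is a wider exposure than the use case needs. Prefer a per-unit drop-in (`systemctl edit jitsi-videobridge2`, then `[Service]` / `LimitCORE=infinity` / `LimitNOFILE=1048576`), or at least add a comment above `DefaultLimitCORE` stating that core dumps may hold secrets and where `kernel.core_pattern` sends them. I cannot confirm from this diff which of these values the referenced doc actually recommends, so a comment citing the exact section would help the next maintainer; the `# seel also:` typo can be fixed in the same pass.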