From 84d313c1fb6fe7dd19e8c06f65239bda65c2d1c4 Mon Sep 17 00:00:00 2001 From: Christoph Date: Thu, 23 Apr 2020 03:12:49 +0200 Subject: [PATCH] README.install: disableThirdPartyRequests must NOT BE eenabled at configuration file '/etc/jitsi/meet/-config.js'. --- README.install | 101 ++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 91 insertions(+), 10 deletions(-) diff --git a/README.install b/README.install index 369fb7d..56cd9d6 100644 --- a/README.install +++ b/README.install @@ -12,6 +12,7 @@ # ============================================================================= FQND_HOSTNAME="meet.oopen.de" +FQND_HOSTNAME="meet2.oopen.de" FQND_HOSTNAME="meet.faire-mobilitaet.de" # 0.) Create new LX Container @@ -31,19 +32,40 @@ FQND_HOSTNAME="meet.faire-mobilitaet.de" # ansible-playbook --limit meet.oopen.de ansible-dependencies.yml # ansible-playbook --limit meet.oopen.de common.yml # ansible-playbook --limit meet.oopen.de scripts/install-ulogd.yml +# ansible-playbook --limit meet.oopen.de firewall.yml # 3.) Install Postfix SMTP Service (base) # # cd /usr/local/src/mailsystem # ./install_postfix_base.sh -# 4.) Install iptable firewall (optinal) +# 4.) Install NGINX Web Service +# +# cd /usr/local/src/nginx +# ./install_nginx.sh + +# 5.) Install 'dehydrated-cron' (Let's Encrypt Certificates) +# +# cd /usr/local/src/dehydrated-cron +# ./install_dehydrated.sh +cat <> /var/lib/dehydrated/domains.txt +$FQND_HOSTNAME +EOF + +# Generate Certificate +# +/var/lib/dehydrated/cron/dehydrated_cron.sh + + + + +# 6.) Install iptable firewall (optinal) # # cd /usr/local/src/ipt-server # see: README.install -# 5.) +# 7.) # # - crontab # - /etc/ssl 
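Review bot: The new step 5 appends `$FQND_HOSTNAME` to `/var/lib/dehydrated/domains.txt` and then requests a certificate, but with this commit the top of the file assigns `FQND_HOSTNAME` three times in a row, so anyone pasting the block as written gets the certificate requested for the last value (`meet.faire-mobilitaet.de`) rather than for the host being installed. Keep a single active assignment and comment out the others, e.g. `#FQND_HOSTNAME="meet2.oopen.de"`, or put `: "${FQND_HOSTNAME:?set the host name first}"` in front of the step. The append (the heredoc redirection is garbled in this rendering but appears to be `>>`) also adds a duplicate line on every re-run, while a later step visible in the `@@ -149,7` hunk header still overwrites the same file with `>`. A check such as `grep -qxF -- "$FQND_HOSTNAME" /var/lib/dehydrated/domains.txt || printf '%s\n' "$FQND_HOSTNAME" >> /var/lib/dehydrated/domains.txt` would make the step repeatable. The same append-without-check pattern recurs for `sip-communicator.properties` in step 11.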
@@ -57,23 +79,22 @@ chmod 644 /etc/ssl/privkey.pem ln -s fullchain.pem /etc/ssl/${FQND_HOSTNAME}.crt ln -s privkey.pem /etc/ssl/${FQND_HOSTNAME}.key -# 5.) Adjust +# 8.) Adjust # # - /etc/hostname (must contain this FQDN "meet.oopen.de") # - /etc/hosts (127.0.0.1 localhost meet.example.org) # - /etc/ssl -# - /var/lib/dehydrated # /etc/hostname cat < /etc/hostname $FQND_HOSTNAME EOF -# 6.) Install jitsi meet +# 9.) Install jitsi meet # # see: https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-install.md -echo 'deb https://download.jitsi.org stable/' > /etc/apt/sources.list.d/jitsi-stable.list +echo 'deb https://download.jitsi.org unstable/' > /etc/apt/sources.list.d/jitsi-unstable.list wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | sudo apt-key add - apt-get update @@ -84,9 +105,11 @@ apt-get install jitsi-meet # Maybe reinstall of 'jitsi-meet-turnserver' is needed.. # -if [[ ! -h "/etc/nginx/modules-enabled/60-jitsi-meet.conf" ]] ; then - apt-get install --reinstall jitsi-meet-turnserver -fi +# Note: not needed if 'unstable' packages are installed. +# +#if [[ ! -h "/etc/nginx/modules-enabled/60-jitsi-meet.conf" ]] ; then +# apt-get install --reinstall jitsi-meet-turnserver +#fi @@ -149,7 +172,7 @@ echo "$FQND_HOSTNAME" > /var/lib/dehydrated/domains.txt # --- -# 7. Install cronjob to adjust certificates at directory '/etc/ssl' +# 10. Install cronjob to adjust certificates at directory '/etc/ssl' #--- # Prepare cnfiguration file 
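Review bot: Step 9 now installs from the `unstable/` suite with no comment saying why, and because the list file is renamed to `jitsi-unstable.list`, a host set up from the previous revision keeps `jitsi-stable.list` and ends up with both suites enabled. Add a line such as `# unstable suite: <reason>; remove /etc/apt/sources.list.d/jitsi-stable.list on hosts installed earlier`, where the reason is a placeholder because the page does not give it. The unchanged next line still imports the repository key with `apt-key add`, which trusts that key for every configured source. A keyring file referenced with `signed-by=` in the `deb` line would limit the trust to download.jitsi.org.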
@@ -242,6 +265,64 @@ crontab "$_crontab_tmp_file" rm -f "$_crontab_tmp_file" +# --- +# 11.) Configure Jitsi Meet +# --- + +# First of all we configure the videobridge. +# +# Open /etc/jitsi/videobridge/sip-communicator.properties and add: +# +# # disable the built-in webserver (required) +# org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true +# # sometimes the above setting does not work, therefore we change the port too (required) +# org.jitsi.videobridge.TCP_HARVESTER_PORT=4443 +# # sometimes the above setting does not work, therefore we change the port too (required) +# org.jitsi.videobridge.TCP_HARVESTER_MAPPED_PORT=443 +# # disable statistics to third parties (optional) +## org.jitsi.videobridge.ENABLE_STATISTICS=false +# cat <> /etc/jitsi/videobridge/sip-communicator.properties + +# +# It is important to remove the comments (# comment)! Otherwise they will not work! + +cat <> /etc/jitsi/videobridge/sip-communicator.properties + +# disable the built-in webserver (required) +org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true +# sometimes the above setting does not work, therefore we change the port too (required) +org.jitsi.videobridge.TCP_HARVESTER_PORT=4443 +# sometimes the above setting does not work, therefore we change the port too (required) +org.jitsi.videobridge.TCP_HARVESTER_MAPPED_PORT=443 +# disable statistics to third parties (optional) +# DOES NOT WORK +#org.jitsi.videobridge.ENABLE_STATISTICS=false +EOF + + +# Open /etc/jitsi/meet/${FQND_HOSTNAME}-config.js: +# +# Uncomment and change // disableThirdPartyRequests: false to true +# +# !! DOES NOT WORK !! +# +#if ! $(grep -q -E "^\s*disableThirdPartyRequests:\s+true" /etc/jitsi/meet/${FQND_HOSTNAME}-config.js) ; then +# perl -i -n -p -e "s#^(\s*)(//\s*disableThirdPartyRequests.*)#\1\2\n\1disableThirdPartyRequests: true#" \ +# /etc/jitsi/meet/${FQND_HOSTNAME}-config.js +#fi + + +# Replace the google stun servers under stunServers: with other more privacy +# respecting ones. 
There is a list available on this GitHub gist. I can +# recommend you to use the following: +# +# { urls: 'stun.nextcloud.com:443' }, +# { urls: 'stun.stunprotocol.org:3478' }, +# { urls: 'stun.services.mozilla.com:3478' } +# +vim /etc/jitsi/meet/${FQND_HOSTNAME}-config.js + + # =============================== # ssh-keygen -f "/home/chris/.ssh/known_hosts" -R "meet.oopen.de" # ssh-keygen -f "/home/chris/.ssh/known_hosts" -R ""159.69.74.155
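Review bot: Step 11 names two privacy switches, `ENABLE_STATISTICS=false` and `disableThirdPartyRequests: true`, but both are marked DOES NOT WORK and left commented out, so a host set up from this file still has third-party requests enabled and only the STUN list changes, by hand. State that residual exposure in the file, e.g. `# NOTE: third-party requests stay enabled; TODO find a working setting and verify in the browser's network tab`. The suggested STUN entries have no scheme; as far as I know WebRTC ICE server URLs need the `stun:` prefix (`{ urls: 'stun:stun.nextcloud.com:443' }`), so compare them with the entries already in the config file before pasting. The comment above `TCP_HARVESTER_MAPPED_PORT` repeats the one for `TCP_HARVESTER_PORT` verbatim and should describe the mapped port instead. If the disabled `perl` block is revived, `if ! $(grep -q …)` should become `if ! grep -q …; then`.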