diff --git a/jitsi-post-install.sh b/jitsi-post-install.sh index 87a6fe0..eab88c4 100755 --- a/jitsi-post-install.sh +++ b/jitsi-post-install.sh @@ -60,11 +60,38 @@ error (){ echo "" } +warn (){ + echo "" + if $terminal ; then + echo -e " [ \033[33m\033[1mWarning\033[m ] $*" + else + echo " [ Error ] $*" + fi + echo "" +} + +info (){ + if $terminal ; then + echo "" + if $terminal ; then + echo -e " [ \033[32m\033[1mInfo\033[m ] $*" + else + echo " [ Info ] $*" + fi + echo "" + fi +} + echo_ok() { if $terminal ; then echo -e "\033[85G[ \033[32mok\033[m ]" fi } +echo_done() { + if $terminal ; then + echo -e "\033[85G[ \033[32mdone\033[m ]" + fi +} echo_failed(){ if $terminal ; then echo -e "\033[85G[ \033[1;31mfailed\033[m ]" @@ -692,6 +719,7 @@ else echo_skipped fi + blank_line echo 
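Review bot: The non-terminal branch of the new `warn` function labels its output `[ Error ]`, so a warning written to a log file or pipe cannot be told apart from a real error; it should read `echo " [ Warning ] $*"`. In `info` the outer `if $terminal` makes the inner `else` branch dead code, so nothing at all is printed when not on a terminal — drop the outer test so the plain `[ Info ]` line is emitted the way `warn` does it. Both helpers hand `$*` to `echo -e`, so any backslash sequence in the message (a path, a log excerpt passed by the caller) is interpreted; `printf ' [ Warning ] %s\n' "$*"` avoids that. The `error` function these are modelled on begins above this hunk, only its closing lines are visible here.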
@@ -754,11 +782,80 @@ else echo_skipped fi +echononl "Backup file '/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js'.." +if [[ ! -f "/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js.ORIG" ]]; then + cp -a "/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js" \ + "/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js.ORIG" > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + echo_failed + error "$(cat "$log_file")" + else + echo_ok + fi +else + echo_skipped +fi +#echononl "Adjust '/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js'.." +#if ! $(grep -q -E "^\s*{ urls: 'stun.nextcloud.com:443' }" \ +# /etc/jitsi/meet/${FQHN_HOSTNAME}-config.js 2> "$log_file") ; then +# perl -i -n -p -e "s/((\s*)stunServers: \[.*)/\1\n\n\2 { urls: 'stun.nextcloud.com:443' },\n\2 { urls: 'stun.stunprotocol.org:3478' },\n\2 { urls: 'stun.services.mozilla.com:3478' },/" /etc/jitsi/meet/video.faire-mobilitaet.de-config.js +# if [[ $? -ne 0 ]]; then +# echo_failed +# error "$(cat "$log_file")" +# else +# echo_ok +# fi +#else +# echo_skipped +#fi + +_temp_jitsi_meet_config_created=false echononl "Adjust '/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js'.." if ! 
$(grep -q -E "^\s*{ urls: 'stun.nextcloud.com:443' }" \ /etc/jitsi/meet/${FQHN_HOSTNAME}-config.js 2> "$log_file") ; then - perl -i -n -p -e "s/((\s*)stunServers: \[.*)/\1\n\n\2 { urls: 'stun.nextcloud.com:443' },\n\2 { urls: 'stun.stunprotocol.org:3478' },\n\2 { urls: 'stun.services.mozilla.com:3478' },/" /etc/jitsi/meet/video.faire-mobilitaet.de-config.js + + _found=false + :> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js + while IFS='' read -r _line || [[ -n $_line ]] ; do + + if $_found && echo "$_line" | grep -iq -E "^\s*// { urls:.*${FQHN_HOSTNAME}" 2> /dev/null ; then + echo "$_line" >> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js + cat <> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js + { urls: 'stun.nextcloud.com:443' }, + { urls: 'stun.stunprotocol.org:3478' }, + { urls: 'stun.services.mozilla.com:3478' }, +EOF + _found=false + elif $_found && echo "$_line" | grep -iq -E "^\s*\]," ; then + cat <> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js + { urls: 'stun.nextcloud.com:443' }, + { urls: 'stun.stunprotocol.org:3478' }, + { urls: 'stun.services.mozilla.com:3478' } +EOF + echo "$_line" >> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js + _found=false + else + echo "$_line" >> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js + fi + + if ! $_found && echo "$_line" | grep -iq -E "^\s*stunServers: \[" 2> /dev/null ; then + _found=true + fi + + done < "/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js" + + echo_done + + _temp_jitsi_meet_config_created=true +else + echo_skipped +fi + + +echononl "Copy created file '${FQHN_HOSTNAME}-config.js' to folder '/etc/jitsi/meet/'.." +if $_temp_jitsi_meet_config_created ; then + cp -a "${LOCK_DIR}/${FQHN_HOSTNAME}-config.js" "/etc/jitsi/meet/" > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" 
@@ -771,6 +868,321 @@ fi blank_line +echo +echo -e "\033[37m\033[1mConfigure Prosody (/etc/prosody/conf.avail/${FQHN_HOSTNAME}.cfg.lua) ..\033[m" +echo + + +# Edit file /etc/prosody/conf.d/${FQHN_HOSTNAME}.cfg.lua +# +# after line (the location this is important) +# consider_bosh_secure = true; +# +# add the following lines: +# bosh_ports = { +# { +# port = 5280; +# path = "http-bind"; +# }, +# { +# port = 5281; +# path = "http-bind"; +# ssl = { +# certificate = "/etc/prosody/certs/${FQHN_HOSTNAME}.crt"; +# key = "/etc/prosody/certs/${FQHN_HOSTNAME}.key"; +# } +# } +# } +# +# http_ports = { 5280 } +# http_interfaces = { "localhost" } +# +# https_ports = { 5281 } +# https_interfaces = { "localhost" } +# +# https_ssl = { +# certificate = "/etc/prosody/certs/${FQHN_HOSTNAME}.crt"; +# key = "/etc/prosody/certs/${FQHN_HOSTNAME}.key"; +# } +# +echononl "Backup file '/etc/prosody/conf.avail/${FQHN_HOSTNAME}.cfg.lua'.." +if [[ ! -f "/etc/prosody/conf.avail/${FQHN_HOSTNAME}.cfg.lua.ORIG" ]]; then + cp -a "/etc/prosody/conf.avail/${FQHN_HOSTNAME}.cfg.lua" \ + "/etc/prosody/conf.avail/${FQHN_HOSTNAME}.cfg.lua.ORIG" > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + echo_failed + error "$(cat "$log_file")" + else + echo_ok + fi +else + echo_skipped +fi + +_found=false +_tem_prosody_config_created=false +echononl "Create temporary configuration '${FQHN_HOSTNAME}.cfg.lua'.." +if ! $(grep -q -E "^\s*bosh_ports = {" /etc/prosody//conf.avail/${FQHN_HOSTNAME}.cfg.lua 2> /dev/null) ; then + + :> ${LOCK_DIR}/${FQHN_HOSTNAME}.cfg.lua + while IFS='' read -r _line || [[ -n $_line ]] ; do + + echo "$_line" >> ${LOCK_DIR}/${FQHN_HOSTNAME}.cfg.lua + + if ! 
$_found && echo "$_line" | grep -i -E "^\s*consider_bosh_secure = true;" > /dev/null 2>&1 ; then + + _found=true + + cat <> ${LOCK_DIR}/${FQHN_HOSTNAME}.cfg.lua + +bosh_ports = { + { + port = 5280; + path = "http-bind"; + }, + { + port = 5281; + path = "http-bind"; + ssl = { + certificate = "/etc/prosody/certs/${FQHN_HOSTNAME}.crt"; + key = "/etc/prosody/certs/${FQHN_HOSTNAME}.key"; + } + } +} + +http_ports = { 5280 } +http_interfaces = { "localhost" } + +https_ports = { 5281 } +https_interfaces = { "localhost" } + +https_ssl = { + certificate = "/etc/prosody/certs/${FQHN_HOSTNAME}.crt"; + key = "/etc/prosody/certs/${FQHN_HOSTNAME}.key"; +} +EOF + fi + + done < "/etc/prosody/conf.avail/${FQHN_HOSTNAME}.cfg.lua" + + echo_done + + _tem_prosody_config_created=true + +else + echo_skipped +fi + +echononl "Copy created file '${FQHN_HOSTNAME}.cfg.lua' to folder '/etc/prosody/conf.avail/'.." +if $_tem_prosody_config_created ; then + cp -a "${LOCK_DIR}/${FQHN_HOSTNAME}.cfg.lua" "/etc/prosody/conf.avail/" > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + echo_failed + error "$(cat "$log_file")" + else + echo_ok + fi +else + echo_skipped +fi + + +blank_line + +echo +echo -e "\033[37m\033[1mConfigure nginx configuration ..\033[m" +echo + +echononl "Backup nginx configuration '${FQHN_HOSTNAME}.conf'.." +if [[ ! -f "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf.ORIG" ]] ; then + if [[ -f "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf" ]] ; then + cp -a "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf" \ + "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf.ORIG" > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + echo_failed + error "$(cat "$log_file")" + else + echo_ok + fi + else + echo_skipped + fi +else + echo_skipped +fi + +echononl "Create nginx configuration for '${FQHN_HOSTNAME}'.." +if ! 
$(grep -q -E "^\s*include snippets/letsencrypt-acme-challenge.conf;" \ + "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf" 2> /dev/null) ; then + cat < "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf" 2> "$log_file" +# - ${FQHN_HOSTNAME} + +server_names_hash_bucket_size 64; + +server { + listen 80; + listen [::]:80; + server_name ${FQHN_HOSTNAME}; + + return 301 https://\$host\$request_uri; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name ${FQHN_HOSTNAME}; + + # Include location directive for Let's Encrypt ACME Challenge + # + # Needed for (automated) updating certificate + # + include snippets/letsencrypt-acme-challenge.conf; + + # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits + # + # To generate a dhparam.pem file, run in a terminal + # openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 2048 + # + ssl_dhparam /etc/nginx/ssl/dhparam.pem; + + # Eable session resumption to improve https performance + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 10m; + ssl_session_tickets off; + + #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # omit SSLv3 because of POODLE + # omit SSLv3 because of POODLE + # omit TLSv1 TLSv1.1 + ssl_protocols TLSv1.2 TLSv1.3; + + # ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES) + # Everything better than SHA1 (deprecated) + # + ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA'; + ssl_prefer_server_ciphers on; + + #ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + #ssl_prefer_server_ciphers on; + #ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED"; + + add_header 
Strict-Transport-Security "max-age=31536000"; + + ssl_certificate /var/lib/dehydrated/certs/${FQHN_HOSTNAME}/fullchain.pem; + ssl_certificate_key /var/lib/dehydrated/certs/${FQHN_HOSTNAME}/privkey.pem; + ssl_trusted_certificate /var/lib/dehydrated/certs/${FQHN_HOSTNAME}/chain.pem; + + root /usr/share/jitsi-meet; + + # ssi on with javascript for multidomain variables in config.js + ssi on; + ssi_types application/x-javascript application/javascript; + + index index.html index.htm; + error_page 404 /static/404.html; + + gzip on; + gzip_types text/plain text/css application/javascript application/json; + gzip_vary on; + + location = /config.js { + alias /etc/jitsi/meet/${FQHN_HOSTNAME}-config.js; + } + + location = /external_api.js { + alias /usr/share/jitsi-meet/libs/external_api.min.js; + } + + #ensure all static content can always be found first + location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)\$ + { + add_header 'Access-Control-Allow-Origin' '*'; + alias /usr/share/jitsi-meet/\$1/\$2; + } + + # BOSH + location = /http-bind { + proxy_pass http://localhost:5280/http-bind; + proxy_set_header X-Forwarded-For \$remote_addr; + proxy_set_header Host \$http_host; + } + + # xmpp websockets + location = /xmpp-websocket { + proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=\$prefix&\$args; + proxy_http_version 1.1; + proxy_set_header Upgrade \$http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host \$http_host; + tcp_nodelay on; + } + + location ~ ^/([^/?&:'"]+)\$ { + try_files \$uri @root_path; + } + + location @root_path { + rewrite ^/(.*)\$ / break; + } + + location ~ ^/([^/?&:'"]+)/config.js\$ + { + set \$subdomain "\$1."; + set \$subdir "\$1/"; + + alias /etc/jitsi/meet/${FQHN_HOSTNAME}-config.js; + } + + #Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to / + location ~ ^/([^/?&:'"]+)/(.*)\$ { + set \$subdomain "\$1."; + set \$subdir "\$1/"; + 
rewrite ^/([^/?&:'"]+)/(.*)\$ /\$2; + } + + # BOSH for subdomains + location ~ ^/([^/?&:'"]+)/http-bind { + set \$subdomain "\$1."; + set \$subdir "\$1/"; + set \$prefix "\$1"; + + rewrite ^/(.*)\$ /http-bind; + } + + # websockets for subdomains + location ~ ^/([^/?&:'"]+)/xmpp-websocket { + set \$subdomain "\$1."; + set \$subdir "\$1/"; + set \$prefix "\$1"; + + rewrite ^/(.*)\$ /xmpp-websocket; + } +} +EOF + if [[ $? -ne 0 ]]; then + echo_failed + error "$(cat "$log_file")" + else + echo_ok + fi +else + echo_skipped +fi + +echononl "Enable nginx support for '${FQHN_HOSTNAME}'.." +if [[ ! -h "/etc/nginx/sites-enabled/${FQHN_HOSTNAME}.conf" ]] ; then + ln -s "../sites-available/${FQHN_HOSTNAME}.conf" "/etc/nginx/sites-enabled/${FQHN_HOSTNAME}.conf" > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + echo_failed + error "$(cat "$log_file")" + else + echo_ok + fi +else + echo_skipped +fi + + + echo echo -e "\033[37m\033[1mRestart services..\033[m" echo @@ -802,4 +1214,8 @@ else echo_ok fi +if $_tem_prosody_config_created ; then + warn "Please check file '/etc/prosody/conf.avail/${FQHN_HOSTNAME}.cfg.lua'" +fi + clean_up 0
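Review bot: In the generated nginx server block the static-content `location ~ ^/(libs|css|static|...)/(.*)$` sets its own `add_header 'Access-Control-Allow-Origin' '*'`, and nginx `add_header` inheritance is all-or-nothing, so responses from that location will not carry the server-level `Strict-Transport-Security` header; repeat it inside that location (or include a snippet from both places) and add `always` so it is also sent on error responses: `add_header Strict-Transport-Security "max-age=31536000" always;`. The `ssl_ciphers` line also contradicts the comment above it ("Everything better than SHA1"): its last five suites are CBC-mode and four of them use SHA-1 HMAC (`ECDHE-RSA-AES256-SHA`, `ECDHE-RSA-AES128-SHA`, `DHE-RSA-AES256-SHA`, `DHE-RSA-AES128-SHA`); with `ssl_protocols TLSv1.2 TLSv1.3` they can be dropped, leaving only the GCM suites. The `openssl dhparam -dsaparam` hint produces DSA-style rather than safe-prime DH parameters — fine for generation speed, but the comment should say so. The `cat <>` redirections on the heredocs in this hunk look like rendering damage (`<<EOF >>` lost) rather than script text; worth confirming against the raw file.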
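Review bot: The new warning fires only after the service-restart block, so if the `https_ssl`/`bosh_ports` stanza inserted earlier in this diff points at a `/etc/prosody/certs/${FQHN_HOSTNAME}.crt`/`.key` pair that does not exist, prosody has presumably already been restarted against a broken config by the time the operator is told to check it; nothing in the diff creates or verifies those files. A check ahead of the restart, `[[ -r "/etc/prosody/certs/${FQHN_HOSTNAME}.key" ]] || warn "Prosody TLS key /etc/prosody/certs/${FQHN_HOSTNAME}.key not found"`, would make the warning actionable. The flag name `_tem_prosody_config_created` also looks like a typo for `_temp_`, matching `_temp_jitsi_meet_config_created` used for the meet config.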