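#!/usr/bin/env bash
#
# Post-install script for a Jitsi-Meet host.
#
# Reads defaults from conf/jitsi.conf (next to this script), asks for the
# fully qualified hostname of the service and then adjusts the monitoring,
# Jitsi, Prosody and nginx configuration of the machine. It expects to be run
# by root on an interactive terminal.
#
# Per-run state (log output, scratch copies of config files) lives in
# $LOCK_DIR, which clean_up()/fatal() remove again.

script_name="$(basename "$(realpath "$0")")"
working_dir="$(dirname "$(realpath "$0")")"
#conf_file="${working_dir}/conf/${script_name%%.*}.conf"
conf_file="${working_dir}/conf/jitsi.conf"
# Per-process scratch directory in the shared /tmp. Its name is predictable
# (script name + pid), so it is created further down with a plain mkdir
# (no -p) and the script refuses to continue when the path already exists.
LOCK_DIR="/tmp/$(basename "$0").$$.LOCK"
log_file="${LOCK_DIR}/${script_name%%.*}.log"
backup_date="$(date +%F-%H%M)"

# ----------
# Base Function(s)
# ----------

#######################################
# True when output goes to an interactive terminal. $terminal is set by the
# check in the main part; before that point it counts as true.
#######################################
_on_terminal() {
  [[ "${terminal:-true}" == true ]]
}

#######################################
# Program exit housekeeping: remove the scratch directory and exit.
# Arguments: $1 - exit status (optional, default 0; the signal trap passes none)
#######################################
clean_up() {
  rm -rf -- "${LOCK_DIR:?}"
  blank_line
  exit "${1:-0}"
}

#######################################
# Print " $*" on stderr without a trailing newline, interpreting backslash
# escapes like "echo -e". Only prints on a terminal.
# printf '%b' replaces the old probe of echo's "\c" support, which wrote a
# predictable file /tmp/shprompt$$ for every call.
#######################################
echononl() {
  if _on_terminal; then
    printf '%b' " $*" >&2
  fi
}

#######################################
# Print a fatal error, remove the scratch directory and exit with status 1.
# Arguments: $* - message
#######################################
fatal() {
  echo ""
  if _on_terminal; then
    echo -e " [ \033[31m\033[1mFatal\033[m ] $*"
  else
    echo -e " [ Fatal ] $*"
  fi
  echo ""
  if _on_terminal; then
    echo -e " \033[1mScript terminated\033[m.."
  else
    echo -e " Script terminated.."
  fi
  echo ""
  rm -rf -- "${LOCK_DIR:?}"
  exit 1
}

#######################################
# Print an error message (script continues).
# Arguments: $* - message
#######################################
error() {
  echo ""
  if _on_terminal; then
    echo -e " [ \033[31m\033[1mError\033[m ] $*"
  else
    echo " [ Error ] $*"
  fi
  echo ""
}

#######################################
# Print a warning message.
# Arguments: $* - message
#######################################
warn() {
  echo ""
  if _on_terminal; then
    echo -e " [ \033[33m\033[1mWarning\033[m ] $*"
  else
    # was labelled "[ Error ]" before, which mislabelled warnings in logs
    echo " [ Warning ] $*"
  fi
  echo ""
}

#######################################
# Print an informational message; silent when not on a terminal.
# Arguments: $* - message
#######################################
info() {
  _on_terminal || return 0
  echo ""
  echo -e " [ \033[32m\033[1mInfo\033[m ] $*"
  echo ""
}

# Status markers printed at column 85 after an echononl prompt (terminal only).
echo_ok() {
  if _on_terminal; then
    echo -e "\033[85G[ \033[32mok\033[m ]"
  fi
}

echo_done() {
  if _on_terminal; then
    echo -e "\033[85G[ \033[32mdone\033[m ]"
  fi
}

echo_failed() {
  if _on_terminal; then
    echo -e "\033[85G[ \033[1;31mfailed\033[m ]"
  fi
}

echo_skipped() {
  if _on_terminal; then
    echo -e "\033[85G[ \033[33m\033[1mskipped\033[m ]"
  fi
}

# Blinking ".." marker for long-running steps; no newline, so a later
# echo_ok/echo_failed overwrites it.
echo_wait() {
  if _on_terminal; then
    echo -en "\033[85G[ \033[5m\033[1m..\033[m ]"
  fi
}

#######################################
# Strip leading and trailing whitespace from the arguments.
# Arguments: $* - text
# Outputs:   trimmed text on stdout, no trailing newline
#######################################
trim() {
  local text="$*"
  text="${text#"${text%%[![:space:]]*}"}"   # drop leading whitespace
  text="${text%"${text##*[![:space:]]}"}"   # drop trailing whitespace
  # printf instead of echo -n: a value such as "-e" must not be taken as an option
  printf '%s' "$text"
}

# Print an empty line (terminal only).
blank_line() {
  if _on_terminal; then
    echo ""
  fi
}

#######################################
# Detect the running distribution.
# Globals (written): DIST, DIST_VERSION, DIST_CODENAME
#                    (plus the variables of /etc/os-release when sourced)
# Returns: 0
#######################################
detect_os() {
  if [[ -r /etc/os-release ]]; then
    # os-release is a shell-syntax key=value file; sourcing is the documented
    # way to read it. It is root-owned system data, not user input.
    # shellcheck disable=SC1091
    . /etc/os-release
    DIST="${ID:-unknown}"
    DIST_VERSION="${VERSION_ID:-unknown}"
    DIST_CODENAME="${VERSION_CODENAME:-unknown}"
  elif command -v lsb_release > /dev/null 2>&1; then
    DIST="$(lsb_release -i | awk '{print tolower($3)}')"
    DIST_VERSION="$(lsb_release -r | awk '{print tolower($2)}')"
    DIST_CODENAME="$(lsb_release -c | awk '{print tolower($2)}')"
    # Debian: keep only the major release ("11.3" -> "11")
    if [[ "$DIST" == "debian" && "$DIST_VERSION" == *.* ]]; then
      DIST_VERSION="${DIST_VERSION%%.*}"
    fi
  else
    DIST="unknown"
    DIST_VERSION="unknown"
    DIST_CODENAME="unknown"
  fi

  # remove whitespace from DIST and DIST_VERSION
  DIST="${DIST// /}"
  DIST_VERSION="${DIST_VERSION// /}"
}

#######################################
# Insert a text block in front of a given line of a file.
# Arguments:
#   $1 - file (rewritten in place; ownership and mode are preserved)
#   $2 - 1-based line number the text goes in front of
#   $3 - text, may span several lines. It is handed to awk through the
#        environment so that awk does not interpret backslash escapes in it.
# Returns: 0 on success, non-zero on error
#######################################
_insert_before_line() {
  local file="$1" line="$2" tmp rc
  tmp="$(mktemp "${file}.XXXXXX")" || return 1
  INSERT_TEXT="$3" awk -v n="$line" \
    'NR == n { print ENVIRON["INSERT_TEXT"] } { print }' "$file" > "$tmp" \
    && cat "$tmp" > "$file"
  rc=$?
  rm -f -- "$tmp"
  return "$rc"
}

#######################################
# Make sure the modules_enabled list of one VirtualHost/Component block
# contains every required module. Creates the list when the block has none;
# otherwise appends the missing entries. Reports ok/skipped/failed on the
# terminal.
# Arguments:
#   $1 - Prosody config file
#   $2 - line number of the block's "VirtualHost ..." / "Component ..." line
#   $3 - block label for messages, e.g.  VirtualHost "example.org"
#   $4 - name of the array holding the required modules (nameref)
# Returns: 0 on success, 1 on failure
#######################################
_ensure_modules_in_block() {
  local config="$1" block_line="$2" label="$3"
  local -n required="$4"
  local module next_block_line end_line modules_line closing_line
  local modules_block added=0 rc=0

  # The block ends where the next top-level block starts (0 = end of file).
  next_block_line=$(awk -v start="$block_line" \
    'NR > start && /^(VirtualHost|Component)[[:space:]]/ { print NR; exit }' "$config")
  end_line=${next_block_line:-0}

  # Look for modules_enabled inside this block only. Searching to the end of
  # the file would find the list of the *next* block and modify that one.
  modules_line=$(awk -v start="$block_line" -v end="$end_line" \
    'NR > start && (end == 0 || NR < end) && /modules_enabled[[:space:]]*=[[:space:]]*\{/ { print NR; exit }' \
    "$config")

  if [[ -z "$modules_line" ]]; then
    # No list yet: insert a complete one at the end of the block. The layout
    # (indentation, one entry per line) is reconstructed here; Lua ignores it.
    modules_block="    modules_enabled = {"
    for module in "${required[@]}"; do
      modules_block+=$'\n'"        \"${module}\";"
    done
    modules_block+=$'\n'"    }"

    if (( end_line == 0 )); then
      printf '\n%s\n' "$modules_block" >> "$config" || rc=1
    else
      _insert_before_line "$config" "$end_line" "${modules_block}"$'\n' || rc=1
    fi
    if (( rc != 0 )); then
      echo_failed
      error "Failed to insert modules_enabled in ${label} in ${config}"
      return 1
    fi
    echo_ok
    return 0
  fi

  closing_line=$(awk -v start="$modules_line" -v end="$end_line" \
    'NR > start && (end == 0 || NR < end) && /^[[:space:]]*\}/ { print NR; exit }' "$config")
  if [[ -z "$closing_line" ]]; then
    echo_failed
    error "Failed to find the end of modules_enabled in ${label} in ${config}"
    return 1
  fi

  for module in "${required[@]}"; do
    # Only an active entry counts; a commented-out ("-- ...") entry is re-added.
    if ! sed -n "${modules_line},${closing_line}p" "$config" \
        | grep -qE "^[[:space:]]*\"${module}\"[[:space:]]*;"; then
      if ! _insert_before_line "$config" "$closing_line" "        \"${module}\";"; then
        echo_failed
        error "Failed to add module \"${module}\" to ${label} in ${config}"
        return 1
      fi
      closing_line=$((closing_line + 1))   # the closing brace moved down one line
      added=$((added + 1))
    fi
  done

  if (( added == 0 )); then
    echo_skipped
  else
    echo_ok
  fi
}

# ------------------------------------
# - Helper: ensure_vhost_modules
# - $1 = CONFIG
# - $2 = DOMAIN
# - $3 = REQUIRED_MODULES (nameref)
# ------------------------------------
#######################################
# Ensure a VirtualHost block for $2 exists in $1 and that its modules_enabled
# list contains every module named in the array $3. Appends the whole block
# when the VirtualHost is missing. Reports ok/skipped/failed on the terminal.
# Returns: 0 on success, 1 on failure
#######################################
ensure_vhost_modules() {
  local config="$1"
  local domain="$2"
  local -n modules="$3"
  local module domain_re vhost_line vhost_block

  # The domain is used inside an ERE: make its dots match literally.
  domain_re="${domain//./\\.}"

  # Only an active (not "-- " commented) VirtualHost line counts.
  vhost_line=$(grep -nE "^[[:space:]]*VirtualHost[[:space:]]+\"${domain_re}\"" "$config" \
    | head -1 | cut -d: -f1)

  if [[ -n "$vhost_line" ]]; then
    _ensure_modules_in_block "$config" "$vhost_line" "VirtualHost \"${domain}\"" "$3"
    return $?
  fi

  # VirtualHost is missing: append it together with its complete
  # modules_enabled list (block layout reconstructed here).
  vhost_block="VirtualHost \"${domain}\""$'\n'"    modules_enabled = {"
  for module in "${modules[@]}"; do
    vhost_block+=$'\n'"        \"${module}\";"
  done
  vhost_block+=$'\n'"    }"

  if printf '\n%s\n' "$vhost_block" >> "$config"; then
    echo_ok
  else
    echo_failed
    error "Failed to insert VirtualHost \"${domain}\" in ${config}"
    return 1
  fi
}

# ------------------------------------
# - Helper: ensure_component
# - $1 = CONFIG
# - $2 = COMPONENT
# - $3 = COMPONENT_TYPE
# - $4 = REQUIRED_MODULES (nameref, optional)
# ------------------------------------
#######################################
# Ensure a Component block for $2 (of type $3) exists in $1. With $4 given,
# its modules_enabled list must contain every module named in that array;
# the list is created when the existing block has none. Without $4 an
# existing block is left alone. Reports ok/skipped/failed on the terminal.
# Returns: 0 on success, 1 on failure
#######################################
ensure_component() {
  local config="$1"
  local component="$2"
  local component_type="$3"
  local modules_name="${4:-}"
  local module component_re comp_line comp_block

  component_re="${component//./\\.}"
  comp_line=$(grep -nE "^[[:space:]]*Component[[:space:]]+\"${component_re}\"" "$config" \
    | head -1 | cut -d: -f1)

  if [[ -n "$comp_line" ]]; then
    if [[ -z "$modules_name" ]]; then
      # Nothing to enforce beyond the block's existence.
      echo_skipped
      return 0
    fi
    _ensure_modules_in_block "$config" "$comp_line" "Component \"${component}\"" "$modules_name"
    return $?
  fi

  # Component is missing: append it (with its modules_enabled list when
  # modules were given; block layout reconstructed here).
  comp_block="Component \"${component}\" \"${component_type}\""
  if [[ -n "$modules_name" ]]; then
    local -n comp_modules="$modules_name"
    comp_block+=$'\n'"    modules_enabled = {"
    for module in "${comp_modules[@]}"; do
      comp_block+=$'\n'"        \"${module}\";"
    done
    comp_block+=$'\n'"    }"
  fi

  if printf '\n%s\n' "$comp_block" >> "$config"; then
    echo_ok
  else
    echo_failed
    error "Failed to insert Component \"${component}\" in ${config}"
    return 1
  fi
}

# ----------
# - Jobhandling
# ----------

# - Run 'clean_up' for signals SIGHUP SIGINT SIGTERM
# -
trap clean_up SIGHUP SIGINT SIGTERM

# - Create lock directory '$LOCK_DIR'
# -
# No -p and no rm on failure: if the path in the shared /tmp already exists
# (created by whoever, possibly as a symlink) the log must not be written
# there, and the script must not delete something it did not create.
if ! mkdir -m 0700 "$LOCK_DIR"; then
  printf '\n [ Fatal ] Cannot create lock directory %s\n\n' "$LOCK_DIR" >&2
  exit 1
fi

# ----------
# - Some checks ..
# ----------

# - Running in a terminal?
# -
if [[ -t 1 ]]; then
  terminal=true
else
  terminal=false
  fatal "Script must run in a terminal."
fi

# ==========
# - Begin Main Script
# ==========

# ----------
# - Headline
# ----------
if _on_terminal; then
  echo ""
  echo -e "\033[1m----------\033[m"
  echo -e "\033[32m\033[1mRunning script \033[m\033[1m$script_name\033[32m .. \033[m"
  echo -e "\033[1m----------\033[m"
fi

# ----------
# Read Configurations from $conf_file
# ----------

# - Give your default values here
# -
DEFAULT_FQHN_HOSTNAME="$(hostname -f)"

# The configuration file is executed as shell code with root privileges;
# it must be owned by root and not writable by anyone else.
if [[ -f "$conf_file" ]]; then
  # shellcheck disable=SC1090
  source "$conf_file"
else
  warn "No configuration file '$conf_file' present.\n Loading default values.."
fi

[[ -n "$FQHN_HOSTNAME" ]] && DEFAULT_FQHN_HOSTNAME="$FQHN_HOSTNAME"

blank_line

echononl "Detect distribution/release of running OS.."
# Redirecting a function call does not fork, so DIST* stay set in this shell.
if detect_os > "$log_file" 2>&1; then
  echo_ok
else
  echo_failed
  error "$(cat "$log_file")"
fi

FQHN_HOSTNAME=

echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert full qualified hostname for Jitsi-Meet Service"
echo ""

if [[ -n "$DEFAULT_FQHN_HOSTNAME" ]]; then
  while [[ -z "$FQHN_HOSTNAME" ]]; do
    echononl "Full qualified hostname [${DEFAULT_FQHN_HOSTNAME}]: "
    read -r FQHN_HOSTNAME
    if [[ -z "$FQHN_HOSTNAME" ]]; then
      FQHN_HOSTNAME=$DEFAULT_FQHN_HOSTNAME
    fi
    # The hostname is later interpolated into file names and into grep/sed/
    # perl patterns, so only characters valid in a hostname are accepted.
    if [[ ! $FQHN_HOSTNAME =~ ^[A-Za-z0-9.-]+$ ]]; then
      echo -e "\n\tGiven Host \033[33m\033[1m$FQHN_HOSTNAME\033[m contains characters not allowed in a hostname.\n"
      FQHN_HOSTNAME=""
      continue
    fi
    if [[ ! $FQHN_HOSTNAME =~ \.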
]]; then echo -e "\n\tGiven Host \033[33m\033[1m$FQHN_HOSTNAME\033[m seems not to be a full qualified hostname.\n" FQHN_HOSTNAME="" fi done else while [[ "X${FQHN_HOSTNAME}" = "X" ]]; do echononl "Full qualified hostname: " read FQHN_HOSTNAME if [[ "X${FQHN_HOSTNAME}" = "X" ]]; then echo -e "\n\t\033[33m\033[1mFull qualified hostname is reqired\033[m\n" fi if [[ ! $FQHN_HOSTNAME =~ \. ]]; then echo -e "\n\tGiven Host \033[33m\033[1m$FQHN_HOSTNAME\033[m seems not to be a full qualified hostname.\n" FQHN_HOSTNAME="" fi done fi HOSTNAME="${FQHN_HOSTNAME%%.*}" echo "" echo "" echo -e "\t\033[32mStart post-install script for Jitsi-Meet Service with the following parameters\033[m" echo "" echo -e "\tFull qualified Hostname..: $FQHN_HOSTNAME" echo -e "\tHostname.................: $HOSTNAME" echo "" echo -e "\tOS Distribution..........: $DIST" echo -e "\tDistribution's codename..: $DIST_CODENAME" echo "" echononl "einverstanden (yes/no): " read OK OK=${OK,,} while [ "X$OK" != "Xyes" -a "X$OK" != "Xno" ]; do echononl "Wrong entry! [yes/no]: " read OK OK=${OK,,} done [ $OK = "yes" ] || fatal Repeat with other settings.. echo "" echo "" echo echo -e "\033[37m\033[1mInstall script checking if certificate/key of coTURN service is up-to-date..\033[m" echo # ------ # Create configuration file for certification check of coTURN service # ------ echononl "Create configuration file for certification check of coTURN service.." if [[ ! -f "/root/bin/monitoring/conf/check_cert_for_service.conf" ]]; then cp /root/bin/monitoring/conf/check_cert_for_service.conf.sample \ /root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'service_name'.." if ! 
$(grep -q -E "^\s*service_name=\"coTURN\"" /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then perl -i -n -p -e "s/^(#service_name.*)/#\1\nservice_name=\"coTURN\"/" \ /root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'check_string_ps'.." if ! $(grep -q -E "^\s*check_string_ps=\"\[\[:digit:\]\]\\\ /usr/bin/turnserver\"" \ /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then perl -i -n -p -e "s/^(#+check_string_ps*)/#\1\ncheck_string_ps=\"[[:digit:]]\\\ \/usr\/bin\/turnserver\"/" \ /root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'service_user'.." if ! $(grep -q -E "^\s*service_user=\"turnserver\"" \ /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then perl -i -n -p -e "s/^(#+service_user.*)/#\1\nservice_user=\"turnserver\"/" \ /root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'service_group'.." if ! $(grep -q -E "^\s*service_group=\"turnserver\"" \ /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then perl -i -n -p -e "s/^(#+service_group.*)/#\1\nservice_group=\"turnserver\"/" \ /root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'cert_installed'.." # if ! 
$(grep -q -E "^\s*cert_installed=\"/etc/ssl/fullchain.pem\"" \ /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then perl -i -n -p -e "s/^(#+cert_installed.*)/#\1\ncert_installed=\"\/etc\/ssl\/fullchain.pem\"/" \ /root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'key_installed'.." # if ! $(grep -q -E "^\s*key_installed=\"/etc/ssl/privkey.pem\"" \ /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then perl -i -n -p -e "s/^(#+key_installed.*)/#\1\nkey_installed=\"\/etc\/ssl\/privkey.pem\"/" \ /root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'cert_newest'.." # if ! $(grep -q -E "^\s*cert_newest=\"/var/lib/dehydrated/certs/${FQHN_HOSTNAME}/fullchain.pem\"" \ /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then perl -i -n -p -e \ "s/^(#+cert_newest.*)/#\1\ncert_newest=\"\\/var\/lib\/dehydrated\/certs\/${FQHN_HOSTNAME}\/fullchain.pem\"/" \ /root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'key_newest'.." # if ! $(grep -q -E "^\s*key_newest=\"/var/lib/dehydrated/certs/${FQHN_HOSTNAME}/privkey.pem\"" \ /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then perl -i -n -p -e \ "s/^(#+key_newest.*)/#\1\nkey_newest=\"\\/var\/lib\/dehydrated\/certs\/${FQHN_HOSTNAME}\/privkey.pem\"/" \ /root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1 if [[ $? 
-ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi blank_line echononl "Initial run of script 'check_cert_for_service.sh'.." echo_wait /root/bin/monitoring//check_cert_for_service.sh > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok if [[ -s "$log_file" ]] ; then echo -e " \033[32m----------\033[m \033[1mOutput from :run of script 'check_cert_for_service.sh' was:\033[m $(cat "$log_file") \033[32m----------\033[m " fi fi blank_line # Add Cronjob for checcking if certificate/key of coTURN service is up to date # _failed=false echononl "Add Cronjob for checcking if certificate/key of coTURN service is up-to-date.." _crontab_tmp_file=/tmp/crontab_root.$$ crontab -l > "$_crontab_tmp_file" 2> "$log_file" if [[ $? -ne 0 ]]; then _failed=true fi if ! $(grep -q "/root/bin/monitoring/check_cert_for_service.sh" "$_crontab_tmp_file" 2>/dev/null) ; then cat <> "$_crontab_tmp_file" 2>> "$log_file" # - Check if cert for coTURN service is up-to-date # - 39 05 * * * /root/bin/monitoring/check_cert_for_service.sh EOF if [[ $? -ne 0 ]]; then _failed=true fi crontab "$_crontab_tmp_file" if [[ $? -ne 0 ]]; then _failed=true fi rm -f "$_crontab_tmp_file" if [[ $? -ne 0 ]]; then _failed=true fi if $_failed ; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi blank_line echo echo -e "\033[37m\033[1mInstall script checking if certificate/key of Prosody service is up-to-date..\033[m" echo # ------ # Create configuration file for certification check of Prosody service # ------ echononl "Create configuration file for certification check of Prosody service.." if [[ ! -f "/root/bin/monitoring/conf/check_cert_for_prosody.conf" ]]; then cp /root/bin/monitoring/conf/check_cert_for_prosody.conf.sample \ /root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1 if [[ $? 
-ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'service_name'.." if ! grep -q -E "^\s*service_domain=\"${FQHN_HOSTNAME}\"" /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null ; then perl -i -n -p -e "s/^(#service_domain.*)/#\1\nservice_domain=\"${FQHN_HOSTNAME}\"/" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi if ! grep -q -E "^\s*service_name=\"Prosody\"" /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null ; then perl -i -n -p -e "s/^(#+service_name.*)/#\1\nservice_name=\"Prosody\"/" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'check_string_ps'.." if ! grep -q -E "^\s*check_string_ps=\"\[\[:digit:\]\]\\\ lua\[\[:digit:\]\].\[\[:digit:\]\] /usr/bin/prosody\"" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null ; then perl -i -n -p -e "s/^(#+check_string_ps.*)/#\1\ncheck_string_ps=\"[[:digit:]]\\\ lua[[:digit:]].[[:digit:]] \/usr\/bin\/prosody\"/" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'service_user'.." if ! grep -q -E "^\s*service_user=\"prosody\"" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null ; then perl -i -n -p -e "s/^(#+service_user.*)/#\1\nservice_user=\"prosody\"/" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'service_group'.." if ! 
grep -q -E "^\s*service_group=\"prosody\"" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null ; then perl -i -n -p -e "s/^(#+service_group.*)/#\1\nservice_group=\"prosody\"/" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'cert_installed'.." if ! grep -q -E "^\s*cert_installed=\"/etc/prosody/certs/${FQHN_HOSTNAME}.crt\"" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null ; then perl -i -n -p -e "s/^(#+cert_installed.*)/#\1\ncert_installed=\"\/etc\/prosody\/certs\/${FQHN_HOSTNAME}.crt\"/" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'key_installed'.." if ! grep -q -E "^\s*key_installed=\"/etc/prosody/certs/${FQHN_HOSTNAME}.key\"" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null ; then perl -i -n -p -e "s/^(#+key_installed.*)/#\1\nkey_installed=\"\/etc\/prosody\/certs\/${FQHN_HOSTNAME}.key\"/" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'cert_newest'.." if ! grep -q -E "^\s*cert_newest=\"/var/lib/dehydrated/certs/${FQHN_HOSTNAME}/fullchain.pem\"" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null ; then perl -i -n -p -e \ "s/^(#+cert_newest.*)/#\1\ncert_newest=\"\\/var\/lib\/dehydrated\/certs\/${FQHN_HOSTNAME}\/fullchain.pem\"/" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'key_newest'.." if ! 
grep -q -E "^\s*key_newest=\"/var/lib/dehydrated/certs/${FQHN_HOSTNAME}/privkey.pem\"" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null ; then perl -i -n -p -e \ "s/^(#+key_newest.*)/#\1\nkey_newest=\"\\/var\/lib\/dehydrated\/certs\/${FQHN_HOSTNAME}\/privkey.pem\"/" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi blank_line echononl "Initial run of script 'check_cert_for_prosody.sh'.." echo_wait /root/bin/monitoring/check_cert_for_prosody.sh > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok if [[ -s "$log_file" ]] ; then echo -e " \033[32m----------\033[m \033[1mOutput from :run of script 'check_cert_for_prosody.sh' was:\033[m $(cat "$log_file") \033[32m----------\033[m " fi fi blank_line # Add Cronjob for checcking if certificate/key of Prosody service is up to date # _failed=false echononl "Add Cronjob for checcking if certificate/key of Prosody service is up-to-date.." _crontab_tmp_file=/tmp/crontab_root.$$ crontab -l > "$_crontab_tmp_file" 2> "$log_file" if [[ $? -ne 0 ]]; then _failed=true fi if ! grep -q "/root/bin/monitoring/check_cert_for_prosody.sh" "$_crontab_tmp_file" 2>/dev/null ; then cat <> "$_crontab_tmp_file" 2>> "$log_file" # - Check if cert(s) for Prosody service are up-zp-date # - 13 05 * * * /root/bin/monitoring/check_cert_for_prosody.sh EOF if [[ $? -ne 0 ]]; then _failed=true fi crontab "$_crontab_tmp_file" if [[ $? -ne 0 ]]; then _failed=true fi rm -f "$_crontab_tmp_file" if [[ $? -ne 0 ]]; then _failed=true fi if $_failed ; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi blank_line echo echo -e "\033[37m\033[1mConfigure Jitsi Meet..\033[m" echo _failed=false _changed=false echononl "Adjust '/etc/jitsi/videobridge/sip-communicator.properties'.." if ! 
grep -q -E "^\s*org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true" \ /etc/jitsi/videobridge/sip-communicator.properties 2> "$log_file" ; then cat <> /etc/jitsi/videobridge/sip-communicator.properties # disable the built-in webserver (required) org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true EOF if [[ $? -ne 0 ]]; then _failed=true fi _changed=true fi if ! grep -q -E "^\s*org.jitsi.videobridge.TCP_HARVESTER_PORT=4443" \ /etc/jitsi/videobridge/sip-communicator.properties 2> "$log_file" ; then cat <> /etc/jitsi/videobridge/sip-communicator.properties # sometimes the above setting does not work, therefore we change the port too (required) org.jitsi.videobridge.TCP_HARVESTER_PORT=4443 # sometimes the above setting does not work, therefore we change the port too (required) org.jitsi.videobridge.TCP_HARVESTER_MAPPED_PORT=443 EOF if [[ $? -ne 0 ]]; then _failed=true fi _changed=true fi if ! grep -q -E "^\s*#+org.jitsi.videobridge.ENABLE_STATISTICS=false" \ /etc/jitsi/videobridge/sip-communicator.properties 2> "$log_file" ; then cat <> /etc/jitsi/videobridge/sip-communicator.properties # disable statistics to third parties (optional) # DOES NOT WORK #org.jitsi.videobridge.ENABLE_STATISTICS=false EOF if [[ $? -ne 0 ]]; then _failed=true fi _changed=true fi if $_changed ; then if $_failed; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Backup file '/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js'.." if [[ -f "/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js" ]] ; then if [[ ! -f "/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js.ORIG" ]] ; then cp -a "/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js" \ "/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js.ORIG" if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else cp -a "/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js" \ "/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js.${backup_date}" > "$log_file" 2>&1 if [[ $? 
-ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi fi else echo_skipped fi #echononl "Adjust '/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js'.." #if ! $(grep -q -E "^\s*{ urls: 'stun.nextcloud.com:443' }" \ # /etc/jitsi/meet/${FQHN_HOSTNAME}-config.js 2> "$log_file") ; then # perl -i -n -p -e "s/((\s*)stunServers: \[.*)/\1\n\n\2 { urls: 'stun.nextcloud.com:443' },\n\2 { urls: 'stun.stunprotocol.org:3478' },\n\2 { urls: 'stun.services.mozilla.com:3478' },/" /etc/jitsi/meet/video.faire-mobilitaet.de-config.js # if [[ $? -ne 0 ]]; then # echo_failed # error "$(cat "$log_file")" # else # echo_ok # fi #else # echo_skipped #fi _temp_jitsi_meet_config_created=false echononl "Adjust '/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js'.." if ! grep -q -E "^\s*{ urls: 'stun.nextcloud.com:443' }" \ /etc/jitsi/meet/${FQHN_HOSTNAME}-config.js 2> "$log_file" ; then _found=false :> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js while IFS='' read -r _line || [[ -n $_line ]] ; do if $_found && echo "$_line" | grep -iq -E "^\s*// { urls:.*${FQHN_HOSTNAME}" 2> /dev/null ; then echo "$_line" >> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js cat <> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js { urls: 'stun.nextcloud.com:443' }, { urls: 'stun.stunprotocol.org:3478' }, { urls: 'stun.services.mozilla.com:3478' }, EOF _found=false elif $_found && echo "$_line" | grep -iq -E "^\s*\]," ; then cat <> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js { urls: 'stun.nextcloud.com:443' }, { urls: 'stun.stunprotocol.org:3478' }, { urls: 'stun.services.mozilla.com:3478' } EOF echo "$_line" >> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js _found=false else echo "$_line" >> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js fi if ! $_found && echo "$_line" | grep -iq -E "^\s*stunServers: \[" 2> /dev/null ; then _found=true fi done < "/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js" echo_done _temp_jitsi_meet_config_created=true else echo_skipped fi echononl "Copy created file '${FQHN_HOSTNAME}-config.js' to folder '/etc/jitsi/meet/'.." 
if $_temp_jitsi_meet_config_created ; then cp -a "${LOCK_DIR}/${FQHN_HOSTNAME}-config.js" "/etc/jitsi/meet/" > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi blank_line echo echo -e "\033[37m\033[1mConfigure Prosody (/etc/prosody/conf.avail/* ..\033[m" echo CONFIG_GLOBAL="/etc/prosody/prosody.cfg.lua" echononl "Backup global configuration file $(basename "${CONFIG_GLOBAL}").." if [[ -f "${CONFIG_GLOBAL}" ]] ; then if [[ ! -f "${CONFIG_GLOBAL}.ORIG" ]]; then cp -a "${CONFIG_GLOBAL}" "${CONFIG_GLOBAL}.ORIG" > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else cp -a "${CONFIG_GLOBAL}" "${CONFIG_GLOBAL}.${backup_date}" > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi fi else echo_skipped fi CONFIG="/etc/prosody/conf.avail/${FQHN_HOSTNAME}.cfg.lua" echononl "Backup Konfiguration $(basename "${CONFIG}").." if [[ -f "${CONFIG}" ]] ; then if [[ ! -f "${CONFIG}.ORIG" ]]; then cp -a "${CONFIG}" "${CONFIG}.ORIG" > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else cp -a "${CONFIG}" "${CONFIG}.${backup_date}" > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi fi else echo_skipped fi CONFIG_LOCALHOST="/etc/prosody/conf.avail/localhost.cfg.lua" echononl "Backup configuration file $(basename "${CONFIG_LOCALHOST}").." if [[ -f "${CONFIG_LOCALHOST}" ]] ; then if [[ ! -f "${CONFIG_LOCALHOST}.ORIG" ]]; then cp -a "${CONFIG_LOCALHOST}" "${CONFIG_LOCALHOST}.ORIG" > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else cp -a "${CONFIG_LOCALHOST}" "${CONFIG_LOCALHOST}.${backup_date}" > "$log_file" 2>&1 if [[ $? 
-ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi fi else echo_skipped fi CONFIG_JAAS="/etc/prosody/conf.avail/localhost.cfg.lua" echononl "Backup configuration file $(basename "${CONFIG_JAAS}").." if [[ -f "${CONFIG_JAAS}" ]] ; then if [[ ! -f "${CONFIG_JAAS}.ORIG" ]]; then cp -a "${CONFIG_JAAS}" "${CONFIG_JAAS}.ORIG" > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else cp -a "${CONFIG_JAAS}" "${CONFIG_JAAS}.${backup_date}" > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi fi else echo_skipped fi blank_line KEY="posix" echononl "Comment out module '${KEY}' in $(basename $CONFIG_GLOBAL) .." if grep -qE "^\s*\"${KEY}\";" "$CONFIG_GLOBAL"; then sed -i "s|^\(\s*\)\(\"${KEY}\";\)|\1-- \2|" "$CONFIG_GLOBAL" > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed echo_failed error "Failed to comment out module '${KEY}' in ${CONFIG_GLOBAL}" else echo_ok fi else echo_skipped fi blank_line KEY="tcp_keepalives" VALUE="true" echononl "Set ${KEY} = ${VALUE} in $(basename $CONFIG) .." if grep -qE "^\s*${KEY}\s*=" "$CONFIG"; then if grep -qE "^\s*${KEY}\s*=\s*${VALUE}\s*;" "$CONFIG"; then echo_skipped else sed -i "s|^\(\s*${KEY}\s*=\s*\).*|\1${VALUE};|" "$CONFIG" if [[ $? -ne 0 ]]; then echo_failed error "Failed to update '${KEY}' in ${CONFIG}" else echo_ok fi fi else perl -i -0pe "s/(VirtualHost\\s)/${KEY} = ${VALUE};\\n\\n\$1/ if !\$done++" "$CONFIG" > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" error "Failed to insert '${KEY}' in ${CONFIG}" else echo_ok fi fi KEY="cross_domain_bosh" INSERT_BLOCK='http_cors_override = {\n bosh = {\n enabled = false;\n };\n websocket = {\n enabled = false;\n };\n}' echononl "Comment out '${KEY}' and insert http_cors_override block in $(basename $CONFIG) .." 
# Prüfen ob der Block bereits vorhanden ist if grep -qE "^\s*http_cors_override\s*=" "$CONFIG"; then echo_skipped else # cross_domain_bosh auskommentieren falls gesetzt if grep -qE "^\s*${KEY}\s*=" "$CONFIG"; then sed -i "s|^\(\s*\)\(${KEY}\s*=.*\)|\1-- \2|" "$CONFIG" fi # Block vor erstem VirtualHost einfügen (mit führender Leerzeile) perl -i -0pe "s/(VirtualHost\\s)/${INSERT_BLOCK}\\n\\n\$1/ if !\$done++" "$CONFIG" > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" error "Failed to insert 'http_cors_override' block in ${CONFIG}" else echo_ok fi fi DOMAIN="meet.oopen.de" INSERT_BLOCK='http_ports = { 5280 } http_interfaces = { "127.0.0.1", "::1" } https_ports = { 5281 } https_interfaces = { "127.0.0.1", "::1" } https_ssl = { certificate = "/etc/prosody/certs/'"${DOMAIN}"'.crt"; key = "/etc/prosody/certs/'"${DOMAIN}"'.key"; } -- http_default_host = "'"${DOMAIN}"'" http_paths = { bosh = "/http-bind"; files = "/" }' echononl "Insert http/https block in $(basename $CONFIG) .." if grep -q "http_ports" "$CONFIG"; then echo_skipped else export INSERT_BLOCK perl -i -0pe 's/(VirtualHost\s)/$ENV{INSERT_BLOCK}\n\n$1/ if !$done++' "$CONFIG" > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" error "Failed to insert http/https block in ${CONFIG}" else echo_ok fi fi # ------------------------------------ # - VirtualHost "auth.meet.oopen.de" # ------------------------------------ REQUIRED_MODULES=("mam" "turn_external" "bosh" "websocket") echononl "Ensure required modules in VirtualHost \"auth.meet.oopen.de\" in $(basename $CONFIG) .." ensure_vhost_modules "$CONFIG" "auth.meet.oopen.de" REQUIRED_MODULES # ------------------------------------ # - Component "share.auth.meet.oopen.de" # ------------------------------------ echononl "Ensure Component \"share.auth.meet.oopen.de\" in $(basename $CONFIG) .." 
ensure_component "$CONFIG" "share.auth.meet.oopen.de" "http_file_share" # ------------------------------------ # - Component "internal.auth.meet.oopen.de" # ------------------------------------ REQUIRED_MODULES=("mam" "bosh" "websocket" "turn_external" "muc_mam") echononl "Ensure Component \"internal.auth.meet.oopen.de\" in $(basename $CONFIG) .." ensure_component "$CONFIG" "internal.auth.meet.oopen.de" "muc" REQUIRED_MODULES # ------------------------------------ # - VirtualHost "guest.meet.oopen.de" # ------------------------------------ REQUIRED_MODULES=("mam" "turn_external" "bosh" "websocket") echononl "Ensure required modules in VirtualHost \"guest.meet.oopen.de\" in $(basename $CONFIG) .." ensure_vhost_modules "$CONFIG" "guest.meet.oopen.de" REQUIRED_MODULES # ------------------------------------ # - Component "share.guest.meet.oopen.de" # ------------------------------------ echononl "Ensure Component \"share.guest.meet.oopen.de\" in $(basename $CONFIG) .." ensure_component "$CONFIG" "share.guest.meet.oopen.de" "http_file_share" # ------------------------------------ # - Component "groups.guest.meet.oopen.de" # ------------------------------------ REQUIRED_MODULES=("muc_mam") echononl "Ensure Component \"groups.guest.meet.oopen.de\" in $(basename $CONFIG) .." ensure_component "$CONFIG" "groups.guest.meet.oopen.de" "muc" REQUIRED_MODULES # ------------------------------------ # - VirtualHost "meet.oopen.de" # ------------------------------------ REQUIRED_MODULES=("mam") echononl "Ensure required modules in VirtualHost \"meet.oopen.de\" in $(basename $CONFIG) .." ensure_vhost_modules "$CONFIG" "meet.oopen.de" REQUIRED_MODULES # ------------------------------------ # - Component "share.meet.oopen.de" # ------------------------------------ echononl "Ensure Component \"share.meet.oopen.de\" in $(basename $CONFIG) .." 
ensure_component "$CONFIG" "share.meet.oopen.de" "http_file_share"

# -- Component "breakout.meet.oopen.de" (type muc) --
# REQUIRED_MODULES is handed over by name; ensure_component / ensure_vhost_modules
# are defined earlier in the script and presumably read it through a nameref.
REQUIRED_MODULES=(muc_hide_all muc_meeting_id muc_domain_mapper muc_rate_limit muc_mam)
echononl 'Ensure Component "breakout.meet.oopen.de" in '"$(basename "$CONFIG")"' ..'
ensure_component "$CONFIG" "breakout.meet.oopen.de" "muc" REQUIRED_MODULES

# -- VirtualHost "recorder.meet.oopen.de" --
REQUIRED_MODULES=(mam bosh websocket turn_external)
echononl 'Ensure required modules in VirtualHost "recorder.meet.oopen.de" in '"$(basename "$CONFIG")"' ..'
ensure_vhost_modules "$CONFIG" "recorder.meet.oopen.de" REQUIRED_MODULES

# -- Component "share.recorder.meet.oopen.de" (type http_file_share, no module list) --
echononl 'Ensure Component "share.recorder.meet.oopen.de" in '"$(basename "$CONFIG")"' ..'
ensure_component "$CONFIG" "share.recorder.meet.oopen.de" "http_file_share"

# -- Component "groups.recorder.meet.oopen.de" (type muc) --
REQUIRED_MODULES=(muc_mam)
echononl 'Ensure Component "groups.recorder.meet.oopen.de" in '"$(basename "$CONFIG")"' ..'
ensure_component "$CONFIG" "groups.recorder.meet.oopen.de" "muc" REQUIRED_MODULES

blank_line

# From here on the localhost prosody config is edited.
CONFIG="/etc/prosody/conf.avail/localhost.cfg.lua"

# -- VirtualHost "localhost" (localhost.cfg.lua) --
REQUIRED_MODULES=(bosh websocket turn_external mam)
echononl 'Ensure required modules in VirtualHost "localhost" in '"$(basename "$CONFIG")"' ..'
ensure_vhost_modules "$CONFIG" "localhost" REQUIRED_MODULES

# -- Component "share.localhost" (type http_file_share, no module list) --
echononl 'Ensure Component "share.localhost" in '"$(basename "$CONFIG")"' ..'
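ensure_component "$CONFIG" "share.localhost" "http_file_share"

# ------------------------------------
# - Component "groups.localhost"
# ------------------------------------
# REQUIRED_MODULES is passed by name; ensure_component / ensure_vhost_modules
# are defined earlier in the script and presumably read it via a nameref.
REQUIRED_MODULES=("muc_mam")
echononl "Ensure Component \"groups.localhost\" in $(basename "$CONFIG") .."
ensure_component "$CONFIG" "groups.localhost" "muc" REQUIRED_MODULES

# ------------------------------------
# - jaas.cfg.lua
# ------------------------------------
CONFIG="/etc/prosody/conf.avail/jaas.cfg.lua"

# ------------------------------------
# - VirtualHost "jigasi.meet.jitsi"
# ------------------------------------
REQUIRED_MODULES=("mam" "websocket" "turn_external")
echononl "Ensure required modules in VirtualHost \"jigasi.meet.jitsi\" in $(basename "$CONFIG") .."
ensure_vhost_modules "$CONFIG" "jigasi.meet.jitsi" REQUIRED_MODULES

# ------------------------------------
# - Component "share.jigasi.meet.jitsi"
# ------------------------------------
echononl "Ensure Component \"share.jigasi.meet.jitsi\" in $(basename "$CONFIG") .."
ensure_component "$CONFIG" "share.jigasi.meet.jitsi" "http_file_share"

# ------------------------------------
# - Component "groups.jigasi.meet.jitsi"
# ------------------------------------
REQUIRED_MODULES=("muc_mam")
echononl "Ensure Component \"groups.jigasi.meet.jitsi\" in $(basename "$CONFIG") .."
ensure_component "$CONFIG" "groups.jigasi.meet.jitsi" "muc" REQUIRED_MODULES

blank_line

#######################################
# Run a command with stdout/stderr captured in $log_file (assigned near the
# top of the script) and print the ok/failed marker; on failure the captured
# log is reported through error().
# Arguments: the command line to run
# Returns:   the command's exit status
#######################################
_run_logged_step() {
  local rc=0
  "$@" > "$log_file" 2>&1 || rc=$?
  if (( rc != 0 )); then
    echo_failed
    error "$(cat "$log_file")"
  else
    echo_ok
  fi
  return "$rc"
}

echo
echo -e "\033[37m\033[1mConfigure nginx configuration ..\033[m"
echo

# Keep a dated copy of an existing site file; the copy stays in
# sites-available, which nginx does not include, so it is inert.
echononl "Backup nginx configuration '${FQHN_HOSTNAME}.conf'.."
if [[ -f "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf" ]] ; then
  _run_logged_step cp -a "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf" \
    "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf.${backup_date}"
else
  echo_skipped
fi

echononl "Create nginx configuration for '${FQHN_HOSTNAME}'.."
# The ACME-challenge include line is used as the marker that the site file
# was already generated by this script; a missing file counts as "not yet".
# (grep is run directly -- the previous '$(grep ...)' only worked because bash
# takes the exit status of the last command substitution of an empty command.)
if ! grep -q -E "^\s*include snippets/letsencrypt-acme-challenge.conf;" \
     "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf" 2> /dev/null ; then
  # NOTE(review) on the generated TLS/header settings (the template below is
  # written verbatim; verify against the deployed file):
  #  - ssl_ciphers lists 'ECDHE-ECDSA-AES128-CC', which looks like a truncated
  #    'ECDHE-ECDSA-AES128-CCM'.  As far as I know OpenSSL ignores unknown names
  #    in a cipher list rather than failing, so 'nginx -t' will not catch it.
  #  - ssl_dhparam and ssl_certificate* point at files this section does not
  #    create; nginx refuses to start if any of them is missing.
  #  - ssl_trusted_certificate only takes effect together with ssl_stapling (or
  #    client certificate verification); neither is set here.
  #  - Content-Security-Policy allows 'unsafe-inline' and any https: origin for
  #    script-src/frame-src/connect-src; the stricter host-pinned policy is kept
  #    directly above it as a commented-out line.
  #  - Referrer-Policy is added without 'always', so unlike the other security
  #    headers it is only sent with 2xx/3xx responses.
  # The heredoc is unquoted: ${FQHN_HOSTNAME} is expanded by the shell, every
  # nginx variable is written as \$name so it reaches the file literally.
  cat <<EOF > "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf" 2> "$log_file"
# - ${FQHN_HOSTNAME}

server_names_hash_bucket_size 64;

server {
    listen 80;
    listen [::]:80;
    server_name ${FQHN_HOSTNAME};

    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ${FQHN_HOSTNAME};

    # Include location directive for Let's Encrypt ACME Challenge
    #
    # Needed for (automated) updating certificate
    #
    include snippets/letsencrypt-acme-challenge.conf;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    #
    # To generate a dhparam.pem file, run in a terminal
    #    openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 2048
    #
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CC:ECDHE-ECDSA-ARIA128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;

    # Eable session resumption to improve https performance
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # ==========
    # HTTP security Headers
    # ==========

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    #
    add_header Strict-Transport-Security "max-age=31536000" always;

    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options nosniff always;
    add_header Referrer-Policy "strict-origin";

    # - Geteiltes Dokument öffnen
    #
    #
    #   Add Etherpad-Lite host to frame-src, so frame-src becomes:
    #
    #
    #
    #
    #frame-src 'self' https:// https://www.youtube.com ;
    #
    #
    #
    #
    #   i.e. etherpad-litehost = epad-01.oopen.de
    #
    #
    #   frame-src 'self' https://epad-01.oopen.de https://www.youtube.com ;
    #
    #
    # - YouTube-Video teilen
    #
    #
    #   Add https://www.youtube.com to script-src, so script-src becomes:
    #
    #
    #   script-src 'self' 'unsafe-inline' https://www.youtube.com ;
    #
    #
    #   Add https://www.youtube.com to frame-src, so frame-src becomes:
    #
    #
    #   frame-src 'self' https://meet-ep-pee7eiji-xein9aiy.oopen.de https://www.youtube.com ;
    #
    #
    #   Add https://img.youtube.com to img-src, so img-src becomes:
    #
    #   img-src 'self' https://img.youtube.com
    #
    #
    # - Hintergrundschärfe aktivieren:
    #
    #
    #   Add https://storage.googleapis.com to connect-src, so connect source becomes:
    #
    #
    #   connect-src 'self' https://storage.googleapis.com;
    #
    #
    #   Add blob: to script-src, so script-src becomes:
    #
    #   script-src 'self' 'unsafe-inline' https://www.youtube.com blob:
    #
    #
    # Note!
    # Other directives (like worker-src, or child-src, or..) are falling back to 'default-src'.
    #
    #add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' https://www.youtube.com ; img-src 'self' https://img.youtube.com ; style-src 'self' 'unsafe-inline' ; font-src 'self'; frame-src 'self' https://epad-01.oopen.de https://www.youtube.com ; object-src 'none'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; connect-src 'self' https://storage.googleapis.com ; media-src 'self'";
    add_header Content-Security-Policy "block-all-mixed-content ; default-src 'none'; script-src 'self' 'unsafe-inline' https: blob: ; img-src 'self' https: ; style-src 'self' 'unsafe-inline' ; font-src 'self'; frame-src 'self' https: ; object-src 'none'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; connect-src 'self' https: ; media-src 'self'";
    add_header Permissions-Policy "geolocation=();midi=();notifications=();push=();sync-xhr=();microphone=();camera=();magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=();";

    ssl_certificate /var/lib/dehydrated/certs/${FQHN_HOSTNAME}/fullchain.pem;
    ssl_certificate_key /var/lib/dehydrated/certs/${FQHN_HOSTNAME}/privkey.pem;
    ssl_trusted_certificate /var/lib/dehydrated/certs/${FQHN_HOSTNAME}/chain.pem;

    root /usr/share/jitsi-meet;

    # ssi on with javascript for multidomain variables in config.js
    ssi on;
    ssi_types application/x-javascript application/javascript;
    index index.html index.htm;
    error_page 404 /static/404.html;

    gzip on;
    gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm;
    gzip_vary on;
    gzip_proxied no-cache no-store private expired auth;
    gzip_min_length 512;

    location = /config.js {
        alias /etc/jitsi/meet/${FQHN_HOSTNAME}-config.js;
    }

    location = /external_api.js {
        alias /usr/share/jitsi-meet/libs/external_api.min.js;
    }

    #ensure all static content can always be found first
    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)\$ {
        add_header 'Access-Control-Allow-Origin' '*';
        alias /usr/share/jitsi-meet/\$1/\$2;

        # cache all versioned files
        if (\$arg_v) {
            expires 1y;
        }
    }

    # BOSH
    location = /http-bind {
        proxy_pass http://localhost:5280/http-bind;
        proxy_set_header X-Forwarded-For \$remote_addr;
        proxy_set_header Host \$http_host;
    }

    # xmpp websockets
    location = /xmpp-websocket {
        proxy_pass http://localhost:5280/xmpp-websocket?prefix=\$prefix&\$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host \$http_host;
        tcp_nodelay on;
    }

    # colibri (JVB) websockets for jvb1
    location ~ ^/colibri-ws/default-id/(.*) {
        proxy_pass http://localhost:9090/colibri-ws/default-id/\$1\$is_args\$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
        tcp_nodelay on;
    }

    location ~ ^/([^/?&:'"]+)\$ {
        try_files \$uri @root_path;
    }

    location @root_path {
        rewrite ^/(.*)\$ / break;
    }

    location ~ ^/([^/?&:'"]+)/config.js\$ {
        set \$subdomain "\$1.";
        set \$subdir "\$1/";

        alias /etc/jitsi/meet/${FQHN_HOSTNAME}-config.js;
    }

    #Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
    location ~ ^/([^/?&:'"]+)/(.*)\$ {
        set \$subdomain "\$1.";
        set \$subdir "\$1/";
        rewrite ^/([^/?&:'"]+)/(.*)\$ /\$2;
    }

    # BOSH for subdomains
    location ~ ^/([^/?&:'"]+)/http-bind {
        set \$subdomain "\$1.";
        set \$subdir "\$1/";
        set \$prefix "\$1";

        rewrite ^/(.*)\$ /http-bind;
    }

    # websockets for subdomains
    location ~ ^/([^/?&:'"]+)/xmpp-websocket {
        set \$subdomain "\$1.";
        set \$subdir "\$1/";
        set \$prefix "\$1";

        rewrite ^/(.*)\$ /xmpp-websocket;
    }
}
EOF
  # $? is the status of the cat above (stderr went to $log_file).
  if [[ $? -ne 0 ]]; then
    echo_failed
    error "$(cat "$log_file")"
  else
    echo_ok
  fi
else
  echo_skipped
fi

echononl "Enable nginx support for '${FQHN_HOSTNAME}'.."
# Relative symlink, so the enabled site follows /etc/nginx if it is moved.
if [[ ! -h "/etc/nginx/sites-enabled/${FQHN_HOSTNAME}.conf" ]] ; then
  _run_logged_step ln -s "../sites-available/${FQHN_HOSTNAME}.conf" \
    "/etc/nginx/sites-enabled/${FQHN_HOSTNAME}.conf"
else
  echo_skipped
fi

# Debian 13 ships Lua 5.4 for prosody; make inspect.lua available there by
# copying (5.3/5.2) or linking (5.1) an already installed version.
# DIST / DIST_VERSION are set by detect_os earlier in the script.
if [[ "$DIST" == "debian" && "$DIST_VERSION" == 13* ]]; then
  echo
  echo -e "\033[37m\033[1mTake care inspect.lua is available für Lua 5.4 ..\033[m"
  echo

  echononl "Create Folder '/usr/share/lua/5.4'.."
  if [[ ! -d "/usr/share/lua/5.4" ]] ; then
    _run_logged_step mkdir -p /usr/share/lua/5.4
  else
    echo_skipped
  fi

  echononl "Deploy luan.inspect to the '/usr/share/lua/5.4' folder.."
  if [[ ! -f /usr/share/lua/5.4/inspect.lua ]]; then
    if [[ -f /usr/share/lua/5.3/inspect.lua ]]; then
      _run_logged_step cp -a /usr/share/lua/5.3/inspect.lua /usr/share/lua/5.4/inspect.lua
    elif [[ -f /usr/share/lua/5.2/inspect.lua ]]; then
      _run_logged_step cp -a /usr/share/lua/5.2/inspect.lua /usr/share/lua/5.4/inspect.lua
    elif [[ -f /usr/share/lua/5.1/inspect.lua ]]; then
      _run_logged_step ln -s ../5.1/inspect.lua /usr/share/lua/5.4/inspect.lua
    else
      echo_failed
      error "No luan.inspect at folder '/usr/share/lua/5.4' present!"
    fi
  else
    echo_skipped
  fi
fi

echo
echo -e "\033[37m\033[1mRestart services..\033[m"
echo

echononl "Restart prosody service.."
_run_logged_step systemctl restart prosody

echononl "Restart jicofo service.."
_run_logged_step systemctl restart jicofo

echononl "Restart jitsi-videobridge2 service.."
_run_logged_step systemctl restart jitsi-videobridge2

echononl "Restart Nginx webservice.."
# Validate the generated site first: a restart with a broken configuration
# would take the running nginx down, whereas a failed 'nginx -t' leaves the
# current instance untouched and reports the parser output instead.
if nginx -t > "$log_file" 2>&1; then
  _run_logged_step systemctl restart nginx
else
  echo_failed
  error "$(cat "$log_file")"
fi

# _tem_prosody_config_created is set earlier in the script (presumably to
# true/false when the prosody config had to be created from scratch).
if $_tem_prosody_config_created ; then
  warn "Please check file '/etc/prosody/conf.avail/${FQHN_HOSTNAME}.cfg.lua'"
fi

clean_up 0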