#!/usr/bin/env bash script_name="$(basename $(realpath $0))" working_dir="$(dirname $(realpath $0))" #conf_file="${working_dir}/conf/${script_name%%.*}.conf" conf_file="${working_dir}/conf/jitsi.conf" LOCK_DIR="/tmp/$(basename $0).$$.LOCK" log_file="${LOCK_DIR}/${script_name%%.*}.log" # ---------- # Base Function(s) # ---------- clean_up() { # Perform program exit housekeeping rm -rf "$LOCK_DIR" blank_line exit $1 } echononl(){ if $terminal ; then echo X\\c > /tmp/shprompt$$ if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then echo -e -n " $*\\c" 1>&2 else echo -e -n " $*" 1>&2 fi rm /tmp/shprompt$$ fi } fatal(){ echo "" if $terminal ; then echo -e " [ \033[31m\033[1mFatal\033[m ] $*" else echo -e " [ Fatal ] $*" fi echo "" if $terminal ; then echo -e " \033[1mScript terminated\033[m.." else echo -e " Script terminated.." fi echo "" rm -rf $LOCK_DIR exit 1 } error (){ echo "" if $terminal ; then echo -e " [ \033[31m\033[1mError\033[m ] $*" else echo " [ Error ] $*" fi echo "" } warn (){ echo "" if $terminal ; then echo -e " [ \033[33m\033[1mWarning\033[m ] $*" else echo " [ Error ] $*" fi echo "" } info (){ if $terminal ; then echo "" if $terminal ; then echo -e " [ \033[32m\033[1mInfo\033[m ] $*" else echo " [ Info ] $*" fi echo "" fi } echo_ok() { if $terminal ; then echo -e "\033[85G[ \033[32mok\033[m ]" fi } echo_done() { if $terminal ; then echo -e "\033[85G[ \033[32mdone\033[m ]" fi } echo_failed(){ if $terminal ; then echo -e "\033[85G[ \033[1;31mfailed\033[m ]" fi } echo_skipped() { if $terminal ; then echo -e "\033[85G[ \033[33m\033[1mskipped\033[m ]" fi } echo_wait(){ if $terminal ; then echo -en "\033[85G[ \033[5m\033[1m..\033[m ]" fi } trim() { local var="$*" var="${var#"${var%%[![:space:]]*}"}" # remove leading whitespace characters var="${var%"${var##*[![:space:]]}"}" # remove trailing whitespace characters echo -n "$var" } blank_line() { if $terminal ; then echo "" fi } detect_os () { if $(which lsb_release > /dev/null 2>&1) ; then DIST="$(lsb_release -i | awk '{print tolower($3)}')" DIST_VERSION="$(lsb_release -r | awk '{print tolower($2)}')" DIST_CODENAME="$(lsb_release -c | awk '{print tolower($2)}')" if [[ "$DIST" = "debian" ]]; then if $(echo "$DIST_VERSION" | grep -q '\.') ; then DIST_VERSION=$(echo "$DIST_VERSION" | cut --delimiter='.' -f1) fi fi elif [[ -e "/etc/os-release" ]]; then . /etc/os-release DIST=$ID DIST_VERSION=${VERSION_ID} fi # remove whitespace from DIST and DIST_VERSION DIST="${DIST// /}" DIST_VERSION="${DIST_VERSION// /}" } # ---------- # - Jobhandling # ---------- # - Run 'clean_up' for signals SIGHUP SIGINT SIGTERM # - trap clean_up SIGHUP SIGINT SIGTERM # - Create lock directory '$LOCK_DIR" # mkdir "$LOCK_DIR" # ---------- # - Some checks .. # ---------- # - Running in a terminal? # - if [[ -t 1 ]] ; then terminal=true else fatal "Script must run in a terminal." fi # ========== # - Begin Main Script # ========== # ---------- # - Headline # ---------- if $terminal ; then echo "" echo -e "\033[1m----------\033[m" echo -e "\033[32m\033[1mRunning script \033[m\033[1m$script_name\033[32m .. \033[m" echo -e "\033[1m----------\033[m" fi # ---------- # Read Configurations from $conf_file # ---------- # - Give your default values here # - DEFAULT_FQHN_HOSTNAME="$(hostname -f)" if [[ -f "$conf_file" ]]; then source "$conf_file" else warn "No configuration file '$conf_file' present.\n Loading default values.." fi [[ -n "$FQHN_HOSTNAME" ]] && DEFAULT_FQHN_HOSTNAME="$FQHN_HOSTNAME" blank_line echononl "Detect distribution/release of running OS.." detect_os > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi FQHN_HOSTNAME= echo "" echo -e "\033[32m--\033[m" echo "" echo "Insert full qualified hostname for Jitsi-Meet Service" echo "" if [[ -n "$DEFAULT_FQHN_HOSTNAME" ]]; then while [[ "X${FQHN_HOSTNAME}" = "X" ]]; do echononl "Full qualified hostname [${DEFAULT_FQHN_HOSTNAME}]: " read FQHN_HOSTNAME if [[ "X${FQHN_HOSTNAME}" = "X" ]]; then FQHN_HOSTNAME=$DEFAULT_FQHN_HOSTNAME fi if [[ ! $FQHN_HOSTNAME =~ \. ]]; then echo -e "\n\tGiven Host \033[33m\033[1m$FQHN_HOSTNAME\033[m seems not to be a full qualified hostname.\n" FQHN_HOSTNAME="" fi done else while [[ "X${FQHN_HOSTNAME}" = "X" ]]; do echononl "Full qualified hostname: " read FQHN_HOSTNAME if [[ "X${FQHN_HOSTNAME}" = "X" ]]; then echo -e "\n\t\033[33m\033[1mFull qualified hostname is reqired\033[m\n" fi if [[ ! $FQHN_HOSTNAME =~ \. ]]; then echo -e "\n\tGiven Host \033[33m\033[1m$FQHN_HOSTNAME\033[m seems not to be a full qualified hostname.\n" FQHN_HOSTNAME="" fi done fi HOSTNAME="${FQHN_HOSTNAME%%.*}" echo "" echo "" echo -e "\t\033[32mStart post-install script for Jitsi-Meet Service with the following parameters\033[m" echo "" echo -e "\tFull qualified Hostname..: $FQHN_HOSTNAME" echo -e "\tHostname.................: $HOSTNAME" echo "" echo -e "\tOS Distribution..........: $DIST" echo -e "\tDistribution's codename..: $DIST_CODENAME" echo "" echononl "einverstanden (yes/no): " read OK OK=${OK,,} while [ "X$OK" != "Xyes" -a "X$OK" != "Xno" ]; do echononl "Wrong entry! [yes/no]: " read OK OK=${OK,,} done [ $OK = "yes" ] || fatal Repeat with other settings.. echo "" echo "" echo echo -e "\033[37m\033[1mInstall script checking if certificate/key of coTURN service is up-to-date..\033[m" echo # ------ # Create configuration file for certification check of coTURN service # ------ echononl "Create configuration file for certification check of coTURN service.." if [[ ! -f "/root/bin/monitoring/conf/check_cert_for_service.conf" ]]; then cp /root/bin/monitoring/conf/check_cert_for_service.conf.sample \ /root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'service_name'.." if ! $(grep -q -E "^\s*service_name=\"coTURN\"" /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then perl -i -n -p -e "s/^(#service_name.*)/#\1\nservice_name=\"coTURN\"/" \ /root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'check_string_ps'.." if ! $(grep -q -E "^\s*check_string_ps=\"\[\[:digit:\]\]\\\ /usr/bin/turnserver\"" \ /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then perl -i -n -p -e "s/^(#+check_string_ps*)/#\1\ncheck_string_ps=\"[[:digit:]]\\\ \/usr\/bin\/turnserver\"/" \ /root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'service_user'.." if ! $(grep -q -E "^\s*service_user=\"turnserver\"" \ /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then perl -i -n -p -e "s/^(#+service_user.*)/#\1\nservice_user=\"turnserver\"/" \ /root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'service_group'.." if ! $(grep -q -E "^\s*service_group=\"turnserver\"" \ /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then perl -i -n -p -e "s/^(#+service_group.*)/#\1\nservice_group=\"turnserver\"/" \ /root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'cert_installed'.." # if ! $(grep -q -E "^\s*cert_installed=\"/etc/ssl/fullchain.pem\"" \ /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then perl -i -n -p -e "s/^(#+cert_installed.*)/#\1\ncert_installed=\"\/etc\/ssl\/fullchain.pem\"/" \ /root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'key_installed'.." # if ! $(grep -q -E "^\s*key_installed=\"/etc/ssl/privkey.pem\"" \ /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then perl -i -n -p -e "s/^(#+key_installed.*)/#\1\nkey_installed=\"\/etc\/ssl\/privkey.pem\"/" \ /root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'cert_newest'.." # if ! $(grep -q -E "^\s*cert_newest=\"/var/lib/dehydrated/certs/${FQHN_HOSTNAME}/fullchain.pem\"" \ /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then perl -i -n -p -e \ "s/^(#+cert_newest.*)/#\1\ncert_newest=\"\\/var\/lib\/dehydrated\/certs\/${FQHN_HOSTNAME}\/fullchain.pem\"/" \ /root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'key_newest'.." # if ! $(grep -q -E "^\s*key_newest=\"/var/lib/dehydrated/certs/${FQHN_HOSTNAME}/privkey.pem\"" \ /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then perl -i -n -p -e \ "s/^(#+key_newest.*)/#\1\nkey_newest=\"\\/var\/lib\/dehydrated\/certs\/${FQHN_HOSTNAME}\/privkey.pem\"/" \ /root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi blank_line echononl "Initial run of script 'check_cert_for_service.sh'.." echo_wait /root/bin/monitoring//check_cert_for_service.sh > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok if [[ -s "$log_file" ]] ; then echo -e " \033[32m----------\033[m \033[1mOutput from :run of script 'check_cert_for_service.sh' was:\033[m $(cat "$log_file") \033[32m----------\033[m " fi fi blank_line # Add Cronjob for checcking if certificate/key of coTURN service is up to date # _failed=false echononl "Add Cronjob for checcking if certificate/key of coTURN service is up-to-date.." _crontab_tmp_file=/tmp/crontab_root.$$ crontab -l > "$_crontab_tmp_file" 2> "$log_file" if [[ $? -ne 0 ]]; then _failed=true fi if ! $(grep -q "/root/bin/monitoring/check_cert_for_service.sh" "$_crontab_tmp_file" 2>/dev/null) ; then cat <> "$_crontab_tmp_file" 2>> "$log_file" # - Check if cert for coTURN service is up-to-date # - 39 05 * * * /root/bin/monitoring/check_cert_for_service.sh EOF if [[ $? -ne 0 ]]; then _failed=true fi crontab "$_crontab_tmp_file" if [[ $? -ne 0 ]]; then _failed=true fi rm -f "$_crontab_tmp_file" if [[ $? -ne 0 ]]; then _failed=true fi if $_failed ; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi blank_line echo echo -e "\033[37m\033[1mInstall script checking if certificate/key of Prosody service is up-to-date..\033[m" echo # ------ # Create configuration file for certification check of Prosody service # ------ echononl "Create configuration file for certification check of Prosody service.." if [[ ! -f "/root/bin/monitoring/conf/check_cert_for_prosody.conf" ]]; then cp /root/bin/monitoring/conf/check_cert_for_prosody.conf.sample \ /root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'service_name'.." if ! $(grep -q -E "^\s*service_domain=\"${FQHN_HOSTNAME}\"" /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then perl -i -n -p -e "s/^(#service_domain.*)/#\1\nservice_domain=\"${FQHN_HOSTNAME}\"/" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi if ! $(grep -q -E "^\s*service_name=\"Prosody\"" /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then perl -i -n -p -e "s/^(#+service_name.*)/#\1\nservice_name=\"Prosody\"/" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'check_string_ps'.." if ! $(grep -q -E "^\s*check_string_ps=\"\[\[:digit:\]\]\\\ lua\[\[:digit:\]\].\[\[:digit:\]\] /usr/bin/prosody\"" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then perl -i -n -p -e "s/^(#+check_string_ps.*)/#\1\ncheck_string_ps=\"[[:digit:]]\\\ lua[[:digit:]].[[:digit:]] \/usr\/bin\/prosody\"/" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'service_user'.." if ! $(grep -q -E "^\s*service_user=\"prosody\"" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then perl -i -n -p -e "s/^(#+service_user.*)/#\1\nservice_user=\"prosody\"/" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'service_group'.." if ! $(grep -q -E "^\s*service_group=\"prosody\"" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then perl -i -n -p -e "s/^(#+service_group.*)/#\1\nservice_group=\"prosody\"/" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'cert_installed'.." if ! $(grep -q -E "^\s*cert_installed=\"/etc/prosody/certs/${FQHN_HOSTNAME}.crt\"" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then perl -i -n -p -e "s/^(#+cert_installed.*)/#\1\ncert_installed=\"\/etc\/prosody\/certs\/${FQHN_HOSTNAME}.crt\"/" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'key_installed'.." if ! $(grep -q -E "^\s*key_installed=\"/etc/prosody/certs/${FQHN_HOSTNAME}.key\"" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then perl -i -n -p -e "s/^(#+key_installed.*)/#\1\nkey_installed=\"\/etc\/prosody\/certs\/${FQHN_HOSTNAME}.key\"/" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'cert_newest'.." if ! $(grep -q -E "^\s*cert_newest=\"/var/lib/dehydrated/certs/${FQHN_HOSTNAME}/fullchain.pem\"" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then perl -i -n -p -e \ "s/^(#+cert_newest.*)/#\1\ncert_newest=\"\\/var\/lib\/dehydrated\/certs\/${FQHN_HOSTNAME}\/fullchain.pem\"/" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Prepare configuration file for 'key_newest'.." if ! $(grep -q -E "^\s*key_newest=\"/var/lib/dehydrated/certs/${FQHN_HOSTNAME}/privkey.pem\"" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then perl -i -n -p -e \ "s/^(#+key_newest.*)/#\1\nkey_newest=\"\\/var\/lib\/dehydrated\/certs\/${FQHN_HOSTNAME}\/privkey.pem\"/" \ /root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi blank_line echononl "Initial run of script 'check_cert_for_prosody.sh'.." echo_wait /root/bin/monitoring/check_cert_for_prosody.sh > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok if [[ -s "$log_file" ]] ; then echo -e " \033[32m----------\033[m \033[1mOutput from :run of script 'check_cert_for_prosody.sh' was:\033[m $(cat "$log_file") \033[32m----------\033[m " fi fi blank_line # Add Cronjob for checcking if certificate/key of Prosody service is up to date # _failed=false echononl "Add Cronjob for checcking if certificate/key of Prosody service is up-to-date.." _crontab_tmp_file=/tmp/crontab_root.$$ crontab -l > "$_crontab_tmp_file" 2> "$log_file" if [[ $? -ne 0 ]]; then _failed=true fi if ! $(grep -q "/root/bin/monitoring/check_cert_for_prosody.sh" "$_crontab_tmp_file" 2>/dev/null) ; then cat <> "$_crontab_tmp_file" 2>> "$log_file" # - Check if cert(s) for Prosody service are up-zp-date # - 13 05 * * * /root/bin/monitoring/check_cert_for_prosody.sh EOF if [[ $? -ne 0 ]]; then _failed=true fi crontab "$_crontab_tmp_file" if [[ $? -ne 0 ]]; then _failed=true fi rm -f "$_crontab_tmp_file" if [[ $? -ne 0 ]]; then _failed=true fi if $_failed ; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi blank_line echo echo -e "\033[37m\033[1mConfigure Jitsi Meet..\033[m" echo _failed=false _changed=false echononl "Adjust '/etc/jitsi/videobridge/sip-communicator.properties'.." if ! $(grep -q -E "^\s*org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true" \ /etc/jitsi/videobridge/sip-communicator.properties 2> "$log_file") ; then cat <> /etc/jitsi/videobridge/sip-communicator.properties # disable the built-in webserver (required) org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true EOF if [[ $? -ne 0 ]]; then _failed=true fi _changed=true fi if ! $(grep -q -E "^\s*org.jitsi.videobridge.TCP_HARVESTER_PORT=4443" \ /etc/jitsi/videobridge/sip-communicator.properties 2> "$log_file") ; then cat <> /etc/jitsi/videobridge/sip-communicator.properties # sometimes the above setting does not work, therefore we change the port too (required) org.jitsi.videobridge.TCP_HARVESTER_PORT=4443 # sometimes the above setting does not work, therefore we change the port too (required) org.jitsi.videobridge.TCP_HARVESTER_MAPPED_PORT=443 EOF if [[ $? -ne 0 ]]; then _failed=true fi _changed=true fi if ! $(grep -q -E "^\s*#+org.jitsi.videobridge.ENABLE_STATISTICS=false" \ /etc/jitsi/videobridge/sip-communicator.properties 2> "$log_file") ; then cat <> /etc/jitsi/videobridge/sip-communicator.properties # disable statistics to third parties (optional) # DOES NOT WORK #org.jitsi.videobridge.ENABLE_STATISTICS=false EOF if [[ $? -ne 0 ]]; then _failed=true fi _changed=true fi if $_changed ; then if $_failed; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Backup file '/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js'.." if [[ ! -f "/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js.ORIG" ]]; then cp -a "/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js" \ "/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js.ORIG" > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi #echononl "Adjust '/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js'.." #if ! $(grep -q -E "^\s*{ urls: 'stun.nextcloud.com:443' }" \ # /etc/jitsi/meet/${FQHN_HOSTNAME}-config.js 2> "$log_file") ; then # perl -i -n -p -e "s/((\s*)stunServers: \[.*)/\1\n\n\2 { urls: 'stun.nextcloud.com:443' },\n\2 { urls: 'stun.stunprotocol.org:3478' },\n\2 { urls: 'stun.services.mozilla.com:3478' },/" /etc/jitsi/meet/video.faire-mobilitaet.de-config.js # if [[ $? -ne 0 ]]; then # echo_failed # error "$(cat "$log_file")" # else # echo_ok # fi #else # echo_skipped #fi _temp_jitsi_meet_config_created=false echononl "Adjust '/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js'.." if ! $(grep -q -E "^\s*{ urls: 'stun.nextcloud.com:443' }" \ /etc/jitsi/meet/${FQHN_HOSTNAME}-config.js 2> "$log_file") ; then _found=false :> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js while IFS='' read -r _line || [[ -n $_line ]] ; do if $_found && echo "$_line" | grep -iq -E "^\s*// { urls:.*${FQHN_HOSTNAME}" 2> /dev/null ; then echo "$_line" >> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js cat <> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js { urls: 'stun.nextcloud.com:443' }, { urls: 'stun.stunprotocol.org:3478' }, { urls: 'stun.services.mozilla.com:3478' }, EOF _found=false elif $_found && echo "$_line" | grep -iq -E "^\s*\]," ; then cat <> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js { urls: 'stun.nextcloud.com:443' }, { urls: 'stun.stunprotocol.org:3478' }, { urls: 'stun.services.mozilla.com:3478' } EOF echo "$_line" >> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js _found=false else echo "$_line" >> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js fi if ! $_found && echo "$_line" | grep -iq -E "^\s*stunServers: \[" 2> /dev/null ; then _found=true fi done < "/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js" echo_done _temp_jitsi_meet_config_created=true else echo_skipped fi echononl "Copy created file '${FQHN_HOSTNAME}-config.js' to folder '/etc/jitsi/meet/'.." if $_temp_jitsi_meet_config_created ; then cp -a "${LOCK_DIR}/${FQHN_HOSTNAME}-config.js" "/etc/jitsi/meet/" > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi blank_line echo echo -e "\033[37m\033[1mConfigure Prosody (/etc/prosody/conf.avail/${FQHN_HOSTNAME}.cfg.lua) ..\033[m" echo # Edit file /etc/prosody/conf.d/${FQHN_HOSTNAME}.cfg.lua # # after line (the location this is important) # consider_bosh_secure = true; # # add the following lines: # bosh_ports = { # { # port = 5280; # path = "http-bind"; # }, # { # port = 5281; # path = "http-bind"; # ssl = { # certificate = "/etc/prosody/certs/${FQHN_HOSTNAME}.crt"; # key = "/etc/prosody/certs/${FQHN_HOSTNAME}.key"; # } # } # } # # http_ports = { 5280 } # http_interfaces = { "localhost" } # # https_ports = { 5281 } # https_interfaces = { "localhost" } # # https_ssl = { # certificate = "/etc/prosody/certs/${FQHN_HOSTNAME}.crt"; # key = "/etc/prosody/certs/${FQHN_HOSTNAME}.key"; # } # echononl "Backup file '/etc/prosody/conf.avail/${FQHN_HOSTNAME}.cfg.lua'.." if [[ ! -f "/etc/prosody/conf.avail/${FQHN_HOSTNAME}.cfg.lua.ORIG" ]]; then cp -a "/etc/prosody/conf.avail/${FQHN_HOSTNAME}.cfg.lua" \ "/etc/prosody/conf.avail/${FQHN_HOSTNAME}.cfg.lua.ORIG" > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi _found=false _tem_prosody_config_created=false echononl "Create temporary configuration '${FQHN_HOSTNAME}.cfg.lua'.." if ! $(grep -q -E "^\s*bosh_ports = {" /etc/prosody//conf.avail/${FQHN_HOSTNAME}.cfg.lua 2> /dev/null) ; then :> ${LOCK_DIR}/${FQHN_HOSTNAME}.cfg.lua while IFS='' read -r _line || [[ -n $_line ]] ; do echo "$_line" >> ${LOCK_DIR}/${FQHN_HOSTNAME}.cfg.lua if ! $_found && echo "$_line" | grep -i -E "^\s*consider_bosh_secure = true;" > /dev/null 2>&1 ; then _found=true cat <> ${LOCK_DIR}/${FQHN_HOSTNAME}.cfg.lua bosh_ports = { { port = 5280; path = "http-bind"; }, { port = 5281; path = "http-bind"; ssl = { certificate = "/etc/prosody/certs/${FQHN_HOSTNAME}.crt"; key = "/etc/prosody/certs/${FQHN_HOSTNAME}.key"; } } } http_ports = { 5280 } http_interfaces = { "localhost" } https_ports = { 5281 } https_interfaces = { "localhost" } https_ssl = { certificate = "/etc/prosody/certs/${FQHN_HOSTNAME}.crt"; key = "/etc/prosody/certs/${FQHN_HOSTNAME}.key"; } EOF fi done < "/etc/prosody/conf.avail/${FQHN_HOSTNAME}.cfg.lua" echo_done _tem_prosody_config_created=true else echo_skipped fi echononl "Copy created file '${FQHN_HOSTNAME}.cfg.lua' to folder '/etc/prosody/conf.avail/'.." if $_tem_prosody_config_created ; then cp -a "${LOCK_DIR}/${FQHN_HOSTNAME}.cfg.lua" "/etc/prosody/conf.avail/" > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi blank_line echo echo -e "\033[37m\033[1mConfigure nginx configuration ..\033[m" echo echononl "Backup nginx configuration '${FQHN_HOSTNAME}.conf'.." if [[ ! -f "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf.ORIG" ]] ; then if [[ -f "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf" ]] ; then cp -a "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf" \ "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf.ORIG" > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi else echo_skipped fi echononl "Create nginx configuration for '${FQHN_HOSTNAME}'.." if ! $(grep -q -E "^\s*include snippets/letsencrypt-acme-challenge.conf;" \ "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf" 2> /dev/null) ; then cat < "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf" 2> "$log_file" # - ${FQHN_HOSTNAME} server_names_hash_bucket_size 64; server { listen 80; listen [::]:80; server_name ${FQHN_HOSTNAME}; return 301 https://\$host\$request_uri; } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name ${FQHN_HOSTNAME}; # Include location directive for Let's Encrypt ACME Challenge # # Needed for (automated) updating certificate # include snippets/letsencrypt-acme-challenge.conf; # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits # # To generate a dhparam.pem file, run in a terminal # openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 2048 # ssl_dhparam /etc/nginx/ssl/dhparam.pem; # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CC:ECDHE-ECDSA-ARIA128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; ssl_prefer_server_ciphers off; # Eable session resumption to improve https performance ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; # ========== # HTTP security Headers # ========== # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) # add_header Strict-Transport-Security "max-age=31536000" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; add_header X-Content-Type-Options nosniff always; add_header Referrer-Policy "strict-origin"; # - Geteiltes Dokument öffnen # # # Add Etherpad-Lite host to frame-src, so frame-src becomes: # # # # #frame-src 'self' https:// https://www.youtube.com ; # # # # i.e. etherpad-litehost = epad-01.oopen.de # # # frame-src 'self' https://epad-01.oopen.de https://www.youtube.com ; # # # - YouTube-Video teilen # # # Add https://www.youtube.com to script-src, so script-src becomes: # # # script-src 'self' 'unsafe-inline' https://www.youtube.com ; # # # Add https://www.youtube.com to frame-src, so frame-src becomes: # # # frame-src 'self' https://meet-ep-pee7eiji-xein9aiy.oopen.de https://www.youtube.com ; # # # Add https://img.youtube.com to img-src, so img-src becomes: # img-src 'self' https://img.youtube.com # # # - Hintergrundschärfe aktivieren: # # # Add https://storage.googleapis.com to connect-src, so connect source becomes: # # # connect-src 'self' https://storage.googleapis.com; # # # Add blob: to script-src, so script-src becomes: # script-src 'self' 'unsafe-inline' https://www.youtube.com blob: # # Note! # Other directives (like worker-src, or child-src, or..) are falling back to 'default-src'. # #add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' https://www.youtube.com ; img-src 'self' https://img.youtube.com ; style-src 'self' 'unsafe-inline' ; font-src 'self'; frame-src 'self' https://epad-01.oopen.de https://www.youtube.com ; object-src 'none'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; connect-src 'self' https://storage.googleapis.com ; media-src 'self'"; add_header Content-Security-Policy "block-all-mixed-content ; default-src 'none'; script-src 'self' 'unsafe-inline' https: blob: ; img-src 'self' https: ; style-src 'self' 'unsafe-inline' ; font-src 'self'; frame-src 'self' https: ; object-src 'none'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; connect-src 'self' https: ; media-src 'self'"; add_header Permissions-Policy "geolocation=();midi=();notifications=();push=();sync-xhr=();microphone=();camera=();magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=();"; ssl_certificate /var/lib/dehydrated/certs/${FQHN_HOSTNAME}/fullchain.pem; ssl_certificate_key /var/lib/dehydrated/certs/${FQHN_HOSTNAME}/privkey.pem; ssl_trusted_certificate /var/lib/dehydrated/certs/${FQHN_HOSTNAME}/chain.pem; root /usr/share/jitsi-meet; # ssi on with javascript for multidomain variables in config.js ssi on; ssi_types application/x-javascript application/javascript; index index.html index.htm; error_page 404 /static/404.html; gzip on; gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm; gzip_vary on; gzip_proxied no-cache no-store private expired auth; gzip_min_length 512; location = /config.js { alias /etc/jitsi/meet/${FQHN_HOSTNAME}-config.js; } location = /external_api.js { alias /usr/share/jitsi-meet/libs/external_api.min.js; } #ensure all static content can always be found first location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)\$ { add_header 'Access-Control-Allow-Origin' '*'; alias /usr/share/jitsi-meet/\$1/\$2; # cache all versioned files if (\$arg_v) { expires 1y; } } # BOSH location = /http-bind { proxy_pass http://localhost:5280/http-bind; proxy_set_header X-Forwarded-For \$remote_addr; proxy_set_header Host \$http_host; } # xmpp websockets location = /xmpp-websocket { proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=\$prefix&\$args; proxy_http_version 1.1; proxy_set_header Upgrade \$http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host \$http_host; tcp_nodelay on; } # colibri (JVB) websockets for jvb1 location ~ ^/colibri-ws/default-id/(.*) { proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/\$1\$is_args\$args; proxy_http_version 1.1; proxy_set_header Upgrade \$http_upgrade; proxy_set_header Connection "upgrade"; tcp_nodelay on; } location ~ ^/([^/?&:'"]+)\$ { try_files \$uri @root_path; } location @root_path { rewrite ^/(.*)\$ / break; } location ~ ^/([^/?&:'"]+)/config.js\$ { set \$subdomain "\$1."; set \$subdir "\$1/"; alias /etc/jitsi/meet/${FQHN_HOSTNAME}-config.js; } #Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to / location ~ ^/([^/?&:'"]+)/(.*)\$ { set \$subdomain "\$1."; set \$subdir "\$1/"; rewrite ^/([^/?&:'"]+)/(.*)\$ /\$2; } # BOSH for subdomains location ~ ^/([^/?&:'"]+)/http-bind { set \$subdomain "\$1."; set \$subdir "\$1/"; set \$prefix "\$1"; rewrite ^/(.*)\$ /http-bind; } # websockets for subdomains location ~ ^/([^/?&:'"]+)/xmpp-websocket { set \$subdomain "\$1."; set \$subdir "\$1/"; set \$prefix "\$1"; rewrite ^/(.*)\$ /xmpp-websocket; } } EOF if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echononl "Enable nginx support for '${FQHN_HOSTNAME}'.." if [[ ! -h "/etc/nginx/sites-enabled/${FQHN_HOSTNAME}.conf" ]] ; then ln -s "../sites-available/${FQHN_HOSTNAME}.conf" "/etc/nginx/sites-enabled/${FQHN_HOSTNAME}.conf" > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi else echo_skipped fi echo echo -e "\033[37m\033[1mRestart services..\033[m" echo echononl "Restart prosody service.." systemctl restart prosody > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi echononl "Restart jicofo service.." systemctl restart prosody > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi echononl "Restart jitsi-videobridge2 service.." systemctl restart jitsi-videobridge2 > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi echononl "Restart Nginx webservice.." systemctl restart nginx > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat "$log_file")" else echo_ok fi if $_tem_prosody_config_created ; then warn "Please check file '/etc/prosody/conf.avail/${FQHN_HOSTNAME}.cfg.lua'" fi clean_up 0