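# ===========================================================================
# Git Repository Jitsi Meet Service
# https://github.com/jitsi/jitsi-meet
#
# see:
#   - https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-install.md
#   - https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-install.md
#
# Self-hosted Jitsi server with authentication
#   - https://dev.to/noandrea/self-hosted-jitsi-server-with-authentication-ie7
#
# This file is an installation protocol rather than a one-shot script: the
# numbered steps are meant to be read and run in order, several of them are
# deliberately left as commented commands, and the uncommented parts write
# to /etc and therefore have to run as root on the container.
# =============================================================================

# Fully qualified hostname of the Jitsi Meet host (used for certificates,
# /etc/hostname and the nginx/prosody/jitsi configuration file names).
# Hosts set up earlier with this protocol are kept for reference.
#FQND_HOSTNAME="meet.oopen.de"
#FQND_HOSTNAME="meet2.oopen.de"
FQND_HOSTNAME="meet.faire-mobilitaet.de"

# 0.) Create new LX Container
#
# /root/bin/LXC/create-lx-container.sh
# ...

# 1.) Assign/Adjust user root
#
# lxc-attach -n meet
# add_new_user.sh root

# 2.) Base Install via ansible
#
# cd /home/chris/devel/git/git.oopen.de/ansible/oopen-server
# ansible-playbook --limit meet.oopen.de ansible-dependencies.yml
# ansible-playbook --limit meet.oopen.de common.yml
# ansible-playbook --limit meet.oopen.de scripts/install-ulogd.yml
# ansible-playbook --limit meet.oopen.de firewall.yml

# 3.) Install Postfix SMTP Service (base)
#
# cd /usr/local/src/mailsystem
# ./install_postfix_base.sh

# 4.) Install NGINX Web Service
#
# cd /usr/local/src/nginx
# ./install_nginx.sh

# 5.) Install 'dehydrated-cron' (Let's Encrypt Certificates)
#
# cd /usr/local/src/dehydrated-cron
# ./install_dehydrated.sh

# Register the hostname with dehydrated. The file is appended to, so the
# name is only added when it is not listed yet (re-running this step must
# not produce duplicate entries).
if ! grep -q -x -F -- "$FQND_HOSTNAME" /var/lib/dehydrated/domains.txt 2> /dev/null ; then
  printf '%s\n' "$FQND_HOSTNAME" >> /var/lib/dehydrated/domains.txt
fi

# Generate Certificate
#
# /var/lib/dehydrated/cron/dehydrated_cron.sh

# 6.) Install iptable firewall (optional)
#
# cd /usr/local/src/ipt-server
# see: README.install

# 7.) Placeholder certificate/key under /etc/ssl
#
# - crontab
# - /etc/ssl
#
# Until the Let's Encrypt certificate exists, the generic 'snakeoil' pair
# shipped by the ssl-cert package is installed under the names the services
# (and the check_cert_* cronjobs of step 10) expect.
cp /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/fullchain.pem
chmod 644 /etc/ssl/fullchain.pem
cp /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/privkey.pem
# NOTE(review): mode 0644 makes the private key readable by every local
# account, whereas the source key under /etc/ssl/private is normally only
# group-readable. Tighten to 0640 and chgrp it to the group of the service
# that has to read it (turnserver / prosody, see step 10) once those
# accounts exist on the host.
chmod 644 /etc/ssl/privkey.pem
# Host-specific names are relative links to the generic pair; -f keeps a
# re-run of this step from failing on the already existing links.
ln -sf fullchain.pem "/etc/ssl/${FQND_HOSTNAME}.crt"
ln -sf privkey.pem "/etc/ssl/${FQND_HOSTNAME}.key"

# 8.) Adjust
#
# - /etc/hostname (must contain this FQDN "meet.oopen.de")
# - /etc/hosts    (127.0.0.1 localhost meet.example.org)
# - /etc/ssl

# /etc/hostname
printf '%s\n' "$FQND_HOSTNAME" > /etc/hostname

# 9.) Install jitsi meet
#
# see: https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-install.md
#
# NOTE(review): 'unstable/' is the project's development channel (the
# repository also publishes 'stable/'), and 'apt-key add' is deprecated on
# current Debian/Ubuntu, which expect the key as a file under
# /etc/apt/keyrings referenced via 'signed-by=' in the sources entry.
echo 'deb https://download.jitsi.org unstable/' > /etc/apt/sources.list.d/jitsi-unstable.list
wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | sudo apt-key add -
apt-get update

# Install Jitsi Meet Service
#
# apt-get install jitsi-meet

# Maybe reinstall of 'jitsi-meet-turnserver' is needed..
#
# Note: not needed if 'unstable' packages are installed.
#
#if [[ ! -h "/etc/nginx/modules-enabled/60-jitsi-meet.conf" ]] ; then
#  apt-get install --reinstall jitsi-meet-turnserver
#fi

cd /etc/nginx/modules-enabled || exit 1

# For streaming at least module 'ngx_stream_module.so' is needed
#   load_module modules/ngx_stream_module.so;
#
# if [[ ! -h /etc/nginx/modules-enabled/50-mod-stream.conf ]] ; then
#   ln -s /usr/share/nginx/modules-available/mod-stream.conf 50-mod-stream.conf
# fi
#
# But we will load all available modules:
#
# Glob instead of parsing 'ls' output; the -e test skips the literal
# pattern a glob leaves behind when the directory is missing or empty.
for _module_conf in /usr/share/nginx/modules-available/* ; do
  [[ -e "$_module_conf" ]] || continue
  [[ -d "$_module_conf" ]] && continue
  _file=${_module_conf##*/}
  [[ -h "/etc/nginx/modules-enabled/50-${_file}" ]] && continue
  ln -s "$_module_conf" "/etc/nginx/modules-enabled/50-${_file}"
  printf '%s\n' "$_file"
done

# Install Let's Encrypt Certificate
#
# /usr/local/src/dehydrated-cron/install_dehydrated.sh

# Adjust file nginx vhost configuration '/etc/nginx/sites-enabled/${FQND_HOSTNAME}.conf'
#
# At section 'server' (configuration for port 80) replace
#
#   location ^~ /.well-known/acme-challenge/ {
#     default_type "text/plain";
#     root /usr/share/jitsi-meet;
#   }
#   location = /.well-known/acme-challenge/ {
#     return 404;
#   }
#
# with
#
#   # - Needed for (automated) updating certificate
#   # -
#   include snippets/letsencrypt-acme-challenge.conf;
#
# vim /etc/nginx/sites-enabled/${FQND_HOSTNAME}.conf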
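# Add FQND hostname to /var/lib/dehydrated/domains.txt
#
# echo "$FQND_HOSTNAME" > /var/lib/dehydrated/domains.txt

# Create Certificate
#
# /var/lib/dehydrated/cron/dehydrated_cron.sh

# Change directives 'ssl_certificate' and 'ssl_certificate_key' to
# meet the new certificate/key locations
#
# /var/lib/dehydrated/tools/change_ssl_directives.sh

# ---
# 10. Install cronjob to adjust certificates at directory '/etc/ssl'
# ---

#######################################
# Activate one setting in a check_cert_* configuration file.
#
# The *.sample files carry every setting as a commented template line
# ('#key=...'). If 'key="value"' is not active yet, the assignment is
# inserted directly after that template line, and the template line gets a
# second '#' so that a later run does not match it again.
#
# Key and value are handed to perl through the environment and matched with
# \Q...\E, so regex metacharacters in a value (e.g. '[[:digit:]]', '/') are
# taken literally; no manual escaping of '/' is needed.
#
# Arguments:
#   $1 - configuration file
#   $2 - setting name
#   $3 - value (written as key="value")
# Returns:
#   0 on success, 1 if the configuration file does not exist
#######################################
set_conf_var() {
  local conf=$1
  local key=$2
  local value=$3

  if [[ ! -f "$conf" ]] ; then
    printf 'set_conf_var: %s: no such file\n' "$conf" >&2
    return 1
  fi

  # Already active with exactly this value -> nothing to do.
  if CONF_KEY="$key" CONF_VAL="$value" perl -ne \
       '$found = 1, last if /^\s*\Q$ENV{CONF_KEY}\E="\Q$ENV{CONF_VAL}\E"/; END { exit($found ? 0 : 1) }' \
       -- "$conf" ; then
    return 0
  fi

  # chomp first so a template line without trailing newline (last line of
  # the file) still ends up on a line of its own.
  CONF_KEY="$key" CONF_VAL="$value" perl -i -pe \
    'if (/^#\Q$ENV{CONF_KEY}\E/) { chomp; $_ = "#$_\n$ENV{CONF_KEY}=\"$ENV{CONF_VAL}\"\n"; }' \
    -- "$conf"
}

#######################################
# Append lines to root's crontab unless it already mentions a marker.
#
# A missing crontab ('crontab -l' failing) is treated as an empty one.
# The temporary copy is created with mktemp rather than a predictable
# /tmp/crontab_root.$$ name.
#
# Arguments:
#   $1    - marker string (the script path); if present nothing is added
#   $2... - lines to append, in order (comments and the cron entry)
# Returns:
#   0 on success, 1 if no temporary file could be created
#######################################
add_root_cronjob() {
  local marker=$1
  shift
  local tmp
  tmp=$(mktemp /tmp/crontab_root.XXXXXX) || return 1

  crontab -l > "$tmp" 2> /dev/null
  if ! grep -q -F -- "$marker" "$tmp" ; then
    printf '%s\n' "$@" >> "$tmp"
    crontab "$tmp"
  fi
  rm -f -- "$tmp"
}

# Prepare configuration file for check coTURN service
#
_svc_conf=/root/bin/monitoring/conf/check_cert_for_service.conf
cp "${_svc_conf}.sample" "$_svc_conf"

# 'check_string_ps' is matched against the process list by the check
# script; the value is written literally, backslash included.
set_conf_var "$_svc_conf" service_name    'coTURN'
set_conf_var "$_svc_conf" check_string_ps '[[:digit:]]\ /usr/bin/turnserver'
set_conf_var "$_svc_conf" service_user    'turnserver'
set_conf_var "$_svc_conf" service_group   'turnserver'
set_conf_var "$_svc_conf" cert_installed  '/etc/ssl/fullchain.pem'
set_conf_var "$_svc_conf" key_installed   '/etc/ssl/privkey.pem'
set_conf_var "$_svc_conf" cert_newest     "/var/lib/dehydrated/certs/${FQND_HOSTNAME}/fullchain.pem"
set_conf_var "$_svc_conf" key_newest      "/var/lib/dehydrated/certs/${FQND_HOSTNAME}/privkey.pem"

# Initial /root/bin/monitoring/check_cert_for_service.sh

# Add Cronjob for checking if certificate/key is up to date
#
add_root_cronjob /root/bin/monitoring/check_cert_for_service.sh \
  '# - Check if cert for coTURN service is' \
  '# -' \
  '39 05 * * * /root/bin/monitoring/check_cert_for_service.sh'

# Prepare configuration file for check certificates for prosody service
#
_prosody_conf=/root/bin/monitoring/conf/check_cert_for_prosody.conf
cp "${_prosody_conf}.sample" "$_prosody_conf"

set_conf_var "$_prosody_conf" service_domain  "$FQND_HOSTNAME"
set_conf_var "$_prosody_conf" service_name    'Prosody'
set_conf_var "$_prosody_conf" check_string_ps '[[:digit:]]\ lua[[:digit:]].[[:digit:]] /usr/bin/prosody'
set_conf_var "$_prosody_conf" service_user    'prosody'
set_conf_var "$_prosody_conf" service_group   'prosody'
set_conf_var "$_prosody_conf" cert_installed  "/etc/prosody/certs/${FQND_HOSTNAME}.crt"
set_conf_var "$_prosody_conf" key_installed   "/etc/prosody/certs/${FQND_HOSTNAME}.key"
set_conf_var "$_prosody_conf" cert_newest     "/var/lib/dehydrated/certs/${FQND_HOSTNAME}/fullchain.pem"
set_conf_var "$_prosody_conf" key_newest      "/var/lib/dehydrated/certs/${FQND_HOSTNAME}/privkey.pem"

# Initial /root/bin/monitoring/check_cert_for_prosody.sh

# Add Cronjob for checking if certificate/key is up to date
#
add_root_cronjob /root/bin/monitoring/check_cert_for_prosody.sh \
  '# - Check if cert(s) for prosody service are up-to-date' \
  '# -' \
  '13 05 * * * /root/bin/monitoring/check_cert_for_prosody.sh'

# ---
# 11.) Configure Jitsi Meet
# ---

# First of all we configure the videobridge.
#
# Open /etc/jitsi/videobridge/sip-communicator.properties and add:
#
#   # disable the built-in webserver (required)
#   org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true
#   # sometimes the above setting does not work, therefore we change the port too (required)
#   org.jitsi.videobridge.TCP_HARVESTER_PORT=4443
#   # sometimes the above setting does not work, therefore we change the port too (required)
#   org.jitsi.videobridge.TCP_HARVESTER_MAPPED_PORT=443
#   # disable statistics to third parties (optional)
#   ## org.jitsi.videobridge.ENABLE_STATISTICS=false
#
# cat <<EOF >> /etc/jitsi/videobridge/sip-communicator.properties
#
# It is important to remove the comments (# comment)! Otherwise they will not work!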
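# Append the videobridge settings once: the file is only ever appended to,
# so the exact-line check keeps a re-run of this step from duplicating them.
if ! grep -q -x -F 'org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true' \
     /etc/jitsi/videobridge/sip-communicator.properties 2> /dev/null ; then
  # Quoted delimiter: the content is written literally, nothing is expanded.
  cat <<'EOF' >> /etc/jitsi/videobridge/sip-communicator.properties
# disable the built-in webserver (required)
org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true
# sometimes the above setting does not work, therefore we change the port too (required)
org.jitsi.videobridge.TCP_HARVESTER_PORT=4443
# sometimes the above setting does not work, therefore we change the port too (required)
org.jitsi.videobridge.TCP_HARVESTER_MAPPED_PORT=443
# disable statistics to third parties (optional)
# DOES NOT WORK
#org.jitsi.videobridge.ENABLE_STATISTICS=false
EOF
fi

# Open /etc/jitsi/meet/${FQND_HOSTNAME}-config.js:
#
# Uncomment and change // disableThirdPartyRequests: false to true
#
# !! DOES NOT WORK !!
#
#if ! $(grep -q -E "^\s*disableThirdPartyRequests:\s+true" /etc/jitsi/meet/${FQND_HOSTNAME}-config.js) ; then
#  perl -i -n -p -e "s#^(\s*)(//\s*disableThirdPartyRequests.*)#\1\2\n\1disableThirdPartyRequests: true#" \
#    /etc/jitsi/meet/${FQND_HOSTNAME}-config.js
#fi

# Replace the google stun servers under stunServers: with other more privacy
# respecting ones. There is a list available on this GitHub gist. I can
# recommend you to use the following:
#
#   { urls: 'stun.nextcloud.com:443' },
#   { urls: 'stun.stunprotocol.org:3478' },
#   { urls: 'stun.services.mozilla.com:3478' }
#
# vim /etc/jitsi/meet/${FQND_HOSTNAME}-config.js

# ---
# 12.) Configure Prosody (avoid error message "portmanager error Error binding encrypted port for https..")
# ---

# Edit file /etc/prosody/conf.d/${FQND_HOSTNAME}.cfg.lua
#
# after line (the location is important)
#   consider_bosh_secure = true;
#
# add the following lines:
#   bosh_ports = {
#     {
#       port = 5280;
#       path = "http-bind";
#     },
#     {
#       port = 5281;
#       path = "http-bind";
#       ssl = {
#         certificate = "/etc/prosody/certs/${FQND_HOSTNAME}.crt";
#         key = "/etc/prosody/certs/${FQND_HOSTNAME}.key";
#       }
#     }
#   }
#
#   http_ports = { 5280 }
#   http_interfaces = { "localhost" }
#
#   https_ports = { 5281 }
#   https_interfaces = { "localhost" }
#
#   https_ssl = {
#     certificate = "/etc/prosody/certs/${FQND_HOSTNAME}.crt";
#     key = "/etc/prosody/certs/${FQND_HOSTNAME}.key";
#   }
#
# The heredoc below appends the block at the END of the file; according to
# the note above it has to sit after 'consider_bosh_secure = true;', so
# move it with the editor afterwards (see the vim line at the end).
_prosody_cfg="/etc/prosody/conf.d/${FQND_HOSTNAME}.cfg.lua"
# Append once only; a second 'bosh_ports' table would be a duplicate.
if ! grep -q -E '^[[:space:]]*bosh_ports[[:space:]]*=' "$_prosody_cfg" 2> /dev/null ; then
  # Unquoted delimiter on purpose: ${FQND_HOSTNAME} is expanded into the
  # certificate paths.
  cat <<EOF >> "$_prosody_cfg"
bosh_ports = {
  {
    port = 5280;
    path = "http-bind";
  },
  {
    port = 5281;
    path = "http-bind";
    ssl = {
      certificate = "/etc/prosody/certs/${FQND_HOSTNAME}.crt";
      key = "/etc/prosody/certs/${FQND_HOSTNAME}.key";
    }
  }
}

http_ports = { 5280 }
http_interfaces = { "localhost" }

https_ports = { 5281 }
https_interfaces = { "localhost" }

https_ssl = {
  certificate = "/etc/prosody/certs/${FQND_HOSTNAME}.crt";
  key = "/etc/prosody/certs/${FQND_HOSTNAME}.key";
}
EOF
fi

# vim /etc/prosody/conf.d/${FQND_HOSTNAME}.cfg.lua

# ===============================
# Remove the stale host keys of a re-created container from the admin
# workstation's known_hosts before connecting again:
# ssh-keygen -f "/home/chris/.ssh/known_hosts" -R "meet.oopen.de"
# ssh-keygen -f "/home/chris/.ssh/known_hosts" -R "159.69.74.155"
# ssh-keygen -f "/home/chris/.ssh/known_hosts" -R "2a01:4f8:231:19a7::155"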