install/jitsi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
master
jitsi/jitsi-post-install.sh
Christoph 7d18e0cbf0 Chagne (default) ciphers.
2021-09-18 10:04:36 +02:00

1294 lines
35 KiB
Bash
Executable File
Raw Permalink Blame History

#!/usr/bin/env bash
script_name="$(basename $(realpath $0))"
working_dir="$(dirname $(realpath $0))"
#conf_file="${working_dir}/conf/${script_name%%.*}.conf"
conf_file="${working_dir}/conf/jitsi.conf"
LOCK_DIR="/tmp/$(basename $0).$$.LOCK"
log_file="${LOCK_DIR}/${script_name%%.*}.log"
# ----------
# Base Function(s)
# ----------
clean_up() {
# Perform program exit housekeeping
rm -rf "$LOCK_DIR"
blank_line
exit $1
}
echononl(){
if $terminal ; then
echo X\\c > /tmp/shprompt$$
if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
echo -e -n " $*\\c" 1>&2
else
echo -e -n " $*" 1>&2
fi
rm /tmp/shprompt$$
fi
}
fatal(){
echo ""
if $terminal ; then
echo -e " [ \033[31m\033[1mFatal\033[m ] $*"
else
echo -e " [ Fatal ] $*"
fi
echo ""
if $terminal ; then
echo -e " \033[1mScript terminated\033[m.."
else
echo -e " Script terminated.."
fi
echo ""
rm -rf $LOCK_DIR
exit 1
}
error (){
echo ""
if $terminal ; then
echo -e " [ \033[31m\033[1mError\033[m ] $*"
else
echo " [ Error ] $*"
fi
echo ""
}
warn (){
echo ""
if $terminal ; then
echo -e " [ \033[33m\033[1mWarning\033[m ] $*"
else
echo " [ Error ] $*"
fi
echo ""
}
info (){
if $terminal ; then
echo ""
if $terminal ; then
echo -e " [ \033[32m\033[1mInfo\033[m ] $*"
else
echo " [ Info ] $*"
fi
echo ""
fi
}
echo_ok() {
if $terminal ; then
echo -e "\033[85G[ \033[32mok\033[m ]"
fi
}
echo_done() {
if $terminal ; then
echo -e "\033[85G[ \033[32mdone\033[m ]"
fi
}
echo_failed(){
if $terminal ; then
echo -e "\033[85G[ \033[1;31mfailed\033[m ]"
fi
}
echo_skipped() {
if $terminal ; then
echo -e "\033[85G[ \033[33m\033[1mskipped\033[m ]"
fi
}
echo_wait(){
if $terminal ; then
echo -en "\033[85G[ \033[5m\033[1m..\033[m ]"
fi
}
trim() {
local var="$*"
var="${var#"${var%%[![:space:]]*}"}" # remove leading whitespace characters
var="${var%"${var##*[![:space:]]}"}" # remove trailing whitespace characters
echo -n "$var"
}
blank_line() {
if $terminal ; then
echo ""
fi
}
detect_os () {
if $(which lsb_release > /dev/null 2>&1) ; then
DIST="$(lsb_release -i | awk '{print tolower($3)}')"
DIST_VERSION="$(lsb_release -r | awk '{print tolower($2)}')"
DIST_CODENAME="$(lsb_release -c | awk '{print tolower($2)}')"
if [[ "$DIST" = "debian" ]]; then
if $(echo "$DIST_VERSION" | grep -q '\.') ; then
DIST_VERSION=$(echo "$DIST_VERSION" | cut --delimiter='.' -f1)
fi
fi
elif [[ -e "/etc/os-release" ]]; then
. /etc/os-release
DIST=$ID
DIST_VERSION=${VERSION_ID}
fi
# remove whitespace from DIST and DIST_VERSION
DIST="${DIST// /}"
DIST_VERSION="${DIST_VERSION// /}"
}
# ----------
# - Jobhandling
# ----------
# - Run 'clean_up' for signals SIGHUP SIGINT SIGTERM
# -
trap clean_up SIGHUP SIGINT SIGTERM
# - Create lock directory '$LOCK_DIR"
#
mkdir "$LOCK_DIR"
# ----------
# - Some checks ..
# ----------
# - Running in a terminal?
# -
if [[ -t 1 ]] ; then
terminal=true
else
fatal "Script must run in a terminal."
fi
# ==========
# - Begin Main Script
# ==========
# ----------
# - Headline
# ----------
if $terminal ; then
echo ""
echo -e "\033[1m----------\033[m"
echo -e "\033[32m\033[1mRunning script \033[m\033[1m$script_name\033[32m .. \033[m"
echo -e "\033[1m----------\033[m"
fi
# ----------
# Read Configurations from $conf_file
# ----------
# - Give your default values here
# -
DEFAULT_FQHN_HOSTNAME="$(hostname -f)"
if [[ -f "$conf_file" ]]; then
source "$conf_file"
else
warn "No configuration file '$conf_file' present.\n
Loading default values.."
fi
[[ -n "$FQHN_HOSTNAME" ]] && DEFAULT_FQHN_HOSTNAME="$FQHN_HOSTNAME"
blank_line
echononl "Detect distribution/release of running OS.."
detect_os > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
FQHN_HOSTNAME=
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert full qualified hostname for Jitsi-Meet Service"
echo ""
if [[ -n "$DEFAULT_FQHN_HOSTNAME" ]]; then
while [[ "X${FQHN_HOSTNAME}" = "X" ]]; do
echononl "Full qualified hostname [${DEFAULT_FQHN_HOSTNAME}]: "
read FQHN_HOSTNAME
if [[ "X${FQHN_HOSTNAME}" = "X" ]]; then
FQHN_HOSTNAME=$DEFAULT_FQHN_HOSTNAME
fi
if [[ ! $FQHN_HOSTNAME =~ \. ]]; then
echo -e "\n\tGiven Host \033[33m\033[1m$FQHN_HOSTNAME\033[m seems not to be a full qualified hostname.\n"
FQHN_HOSTNAME=""
fi
done
else
while [[ "X${FQHN_HOSTNAME}" = "X" ]]; do
echononl "Full qualified hostname: "
read FQHN_HOSTNAME
if [[ "X${FQHN_HOSTNAME}" = "X" ]]; then
echo -e "\n\t\033[33m\033[1mFull qualified hostname is reqired\033[m\n"
fi
if [[ ! $FQHN_HOSTNAME =~ \. ]]; then
echo -e "\n\tGiven Host \033[33m\033[1m$FQHN_HOSTNAME\033[m seems not to be a full qualified hostname.\n"
FQHN_HOSTNAME=""
fi
done
fi
HOSTNAME="${FQHN_HOSTNAME%%.*}"
echo ""
echo ""
echo -e "\t\033[32mStart post-install script for Jitsi-Meet Service with the following parameters\033[m"
echo ""
echo -e "\tFull qualified Hostname..: $FQHN_HOSTNAME"
echo -e "\tHostname.................: $HOSTNAME"
echo ""
echo -e "\tOS Distribution..........: $DIST"
echo -e "\tDistribution's codename..: $DIST_CODENAME"
echo ""
echononl "einverstanden (yes/no): "
read OK
OK=${OK,,}
while [ "X$OK" != "Xyes" -a "X$OK" != "Xno" ]; do
echononl "Wrong entry! [yes/no]: "
read OK
OK=${OK,,}
done
[ $OK = "yes" ] || fatal Repeat with other settings..
echo ""
echo ""
echo
echo -e "\033[37m\033[1mInstall script checking if certificate/key of coTURN service is up-to-date..\033[m"
echo
# ------
# Create configuration file for certification check of coTURN service
# ------
echononl "Create configuration file for certification check of coTURN service.."
if [[ ! -f "/root/bin/monitoring/conf/check_cert_for_service.conf" ]]; then
cp /root/bin/monitoring/conf/check_cert_for_service.conf.sample \
/root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'service_name'.."
if ! $(grep -q -E "^\s*service_name=\"coTURN\"" /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then
perl -i -n -p -e "s/^(#service_name.*)/#\1\nservice_name=\"coTURN\"/" \
/root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'check_string_ps'.."
if ! $(grep -q -E "^\s*check_string_ps=\"\[\[:digit:\]\]\\\ /usr/bin/turnserver\"" \
/root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then
perl -i -n -p -e "s/^(#+check_string_ps*)/#\1\ncheck_string_ps=\"[[:digit:]]\\\ \/usr\/bin\/turnserver\"/" \
/root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'service_user'.."
if ! $(grep -q -E "^\s*service_user=\"turnserver\"" \
/root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then
perl -i -n -p -e "s/^(#+service_user.*)/#\1\nservice_user=\"turnserver\"/" \
/root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'service_group'.."
if ! $(grep -q -E "^\s*service_group=\"turnserver\"" \
/root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then
perl -i -n -p -e "s/^(#+service_group.*)/#\1\nservice_group=\"turnserver\"/" \
/root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'cert_installed'.."
#
if ! $(grep -q -E "^\s*cert_installed=\"/etc/ssl/fullchain.pem\"" \
/root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then
perl -i -n -p -e "s/^(#+cert_installed.*)/#\1\ncert_installed=\"\/etc\/ssl\/fullchain.pem\"/" \
/root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'key_installed'.."
#
if ! $(grep -q -E "^\s*key_installed=\"/etc/ssl/privkey.pem\"" \
/root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then
perl -i -n -p -e "s/^(#+key_installed.*)/#\1\nkey_installed=\"\/etc\/ssl\/privkey.pem\"/" \
/root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'cert_newest'.."
#
if ! $(grep -q -E "^\s*cert_newest=\"/var/lib/dehydrated/certs/${FQHN_HOSTNAME}/fullchain.pem\"" \
/root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then
perl -i -n -p -e \
"s/^(#+cert_newest.*)/#\1\ncert_newest=\"\\/var\/lib\/dehydrated\/certs\/${FQHN_HOSTNAME}\/fullchain.pem\"/" \
/root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'key_newest'.."
#
if ! $(grep -q -E "^\s*key_newest=\"/var/lib/dehydrated/certs/${FQHN_HOSTNAME}/privkey.pem\"" \
/root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then
perl -i -n -p -e \
"s/^(#+key_newest.*)/#\1\nkey_newest=\"\\/var\/lib\/dehydrated\/certs\/${FQHN_HOSTNAME}\/privkey.pem\"/" \
/root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
blank_line
echononl "Initial run of script 'check_cert_for_service.sh'.."
echo_wait
/root/bin/monitoring//check_cert_for_service.sh > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
if [[ -s "$log_file" ]] ; then
echo -e "
\033[32m----------\033[m
\033[1mOutput from :run of script 'check_cert_for_service.sh' was:\033[m
$(cat "$log_file")
\033[32m----------\033[m
"
fi
fi
blank_line
# Add Cronjob for checcking if certificate/key of coTURN service is up to date
#
_failed=false
echononl "Add Cronjob for checcking if certificate/key of coTURN service is up-to-date.."
_crontab_tmp_file=/tmp/crontab_root.$$
crontab -l > "$_crontab_tmp_file" 2> "$log_file"
if [[ $? -ne 0 ]]; then
_failed=true
fi
if ! $(grep -q "/root/bin/monitoring/check_cert_for_service.sh" "$_crontab_tmp_file" 2>/dev/null) ; then
cat <<EOF >> "$_crontab_tmp_file" 2>> "$log_file"
# - Check if cert for coTURN service is up-to-date
# -
39 05 * * * /root/bin/monitoring/check_cert_for_service.sh
EOF
if [[ $? -ne 0 ]]; then
_failed=true
fi
crontab "$_crontab_tmp_file"
if [[ $? -ne 0 ]]; then
_failed=true
fi
rm -f "$_crontab_tmp_file"
if [[ $? -ne 0 ]]; then
_failed=true
fi
if $_failed ; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
blank_line
echo
echo -e "\033[37m\033[1mInstall script checking if certificate/key of Prosody service is up-to-date..\033[m"
echo
# ------
# Create configuration file for certification check of Prosody service
# ------
echononl "Create configuration file for certification check of Prosody service.."
if [[ ! -f "/root/bin/monitoring/conf/check_cert_for_prosody.conf" ]]; then
cp /root/bin/monitoring/conf/check_cert_for_prosody.conf.sample \
/root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'service_name'.."
if ! $(grep -q -E "^\s*service_domain=\"${FQHN_HOSTNAME}\"" /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then
perl -i -n -p -e "s/^(#service_domain.*)/#\1\nservice_domain=\"${FQHN_HOSTNAME}\"/" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
if ! $(grep -q -E "^\s*service_name=\"Prosody\"" /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then
perl -i -n -p -e "s/^(#+service_name.*)/#\1\nservice_name=\"Prosody\"/" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'check_string_ps'.."
if ! $(grep -q -E "^\s*check_string_ps=\"\[\[:digit:\]\]\\\ lua\[\[:digit:\]\].\[\[:digit:\]\] /usr/bin/prosody\"" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then
perl -i -n -p -e "s/^(#+check_string_ps.*)/#\1\ncheck_string_ps=\"[[:digit:]]\\\ lua[[:digit:]].[[:digit:]] \/usr\/bin\/prosody\"/" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'service_user'.."
if ! $(grep -q -E "^\s*service_user=\"prosody\"" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then
perl -i -n -p -e "s/^(#+service_user.*)/#\1\nservice_user=\"prosody\"/" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'service_group'.."
if ! $(grep -q -E "^\s*service_group=\"prosody\"" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then
perl -i -n -p -e "s/^(#+service_group.*)/#\1\nservice_group=\"prosody\"/" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'cert_installed'.."
if ! $(grep -q -E "^\s*cert_installed=\"/etc/prosody/certs/${FQHN_HOSTNAME}.crt\"" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then
perl -i -n -p -e "s/^(#+cert_installed.*)/#\1\ncert_installed=\"\/etc\/prosody\/certs\/${FQHN_HOSTNAME}.crt\"/" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'key_installed'.."
if ! $(grep -q -E "^\s*key_installed=\"/etc/prosody/certs/${FQHN_HOSTNAME}.key\"" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then
perl -i -n -p -e "s/^(#+key_installed.*)/#\1\nkey_installed=\"\/etc\/prosody\/certs\/${FQHN_HOSTNAME}.key\"/" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'cert_newest'.."
if ! $(grep -q -E "^\s*cert_newest=\"/var/lib/dehydrated/certs/${FQHN_HOSTNAME}/fullchain.pem\"" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then
perl -i -n -p -e \
"s/^(#+cert_newest.*)/#\1\ncert_newest=\"\\/var\/lib\/dehydrated\/certs\/${FQHN_HOSTNAME}\/fullchain.pem\"/" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'key_newest'.."
if ! $(grep -q -E "^\s*key_newest=\"/var/lib/dehydrated/certs/${FQHN_HOSTNAME}/privkey.pem\"" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then
perl -i -n -p -e \
"s/^(#+key_newest.*)/#\1\nkey_newest=\"\\/var\/lib\/dehydrated\/certs\/${FQHN_HOSTNAME}\/privkey.pem\"/" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
blank_line
echononl "Initial run of script 'check_cert_for_prosody.sh'.."
echo_wait
/root/bin/monitoring/check_cert_for_prosody.sh > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
if [[ -s "$log_file" ]] ; then
echo -e "
\033[32m----------\033[m
\033[1mOutput from :run of script 'check_cert_for_prosody.sh' was:\033[m
$(cat "$log_file")
\033[32m----------\033[m
"
fi
fi
blank_line
# Add Cronjob for checcking if certificate/key of Prosody service is up to date
#
_failed=false
echononl "Add Cronjob for checcking if certificate/key of Prosody service is up-to-date.."
_crontab_tmp_file=/tmp/crontab_root.$$
crontab -l > "$_crontab_tmp_file" 2> "$log_file"
if [[ $? -ne 0 ]]; then
_failed=true
fi
if ! $(grep -q "/root/bin/monitoring/check_cert_for_prosody.sh" "$_crontab_tmp_file" 2>/dev/null) ; then
cat <<EOF >> "$_crontab_tmp_file" 2>> "$log_file"
# - Check if cert(s) for Prosody service are up-zp-date
# -
13 05 * * * /root/bin/monitoring/check_cert_for_prosody.sh
EOF
if [[ $? -ne 0 ]]; then
_failed=true
fi
crontab "$_crontab_tmp_file"
if [[ $? -ne 0 ]]; then
_failed=true
fi
rm -f "$_crontab_tmp_file"
if [[ $? -ne 0 ]]; then
_failed=true
fi
if $_failed ; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
blank_line
echo
echo -e "\033[37m\033[1mConfigure Jitsi Meet..\033[m"
echo
_failed=false
_changed=false
echononl "Adjust '/etc/jitsi/videobridge/sip-communicator.properties'.."
if ! $(grep -q -E "^\s*org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true" \
/etc/jitsi/videobridge/sip-communicator.properties 2> "$log_file") ; then
cat <<EOF >> /etc/jitsi/videobridge/sip-communicator.properties
# disable the built-in webserver (required)
org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true
EOF
if [[ $? -ne 0 ]]; then
_failed=true
fi
_changed=true
fi
if ! $(grep -q -E "^\s*org.jitsi.videobridge.TCP_HARVESTER_PORT=4443" \
/etc/jitsi/videobridge/sip-communicator.properties 2> "$log_file") ; then
cat <<EOF >> /etc/jitsi/videobridge/sip-communicator.properties
# sometimes the above setting does not work, therefore we change the port too (required)
org.jitsi.videobridge.TCP_HARVESTER_PORT=4443
# sometimes the above setting does not work, therefore we change the port too (required)
org.jitsi.videobridge.TCP_HARVESTER_MAPPED_PORT=443
EOF
if [[ $? -ne 0 ]]; then
_failed=true
fi
_changed=true
fi
if ! $(grep -q -E "^\s*#+org.jitsi.videobridge.ENABLE_STATISTICS=false" \
/etc/jitsi/videobridge/sip-communicator.properties 2> "$log_file") ; then
cat <<EOF >> /etc/jitsi/videobridge/sip-communicator.properties
# disable statistics to third parties (optional)
# DOES NOT WORK
#org.jitsi.videobridge.ENABLE_STATISTICS=false
EOF
if [[ $? -ne 0 ]]; then
_failed=true
fi
_changed=true
fi
if $_changed ; then
if $_failed; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Backup file '/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js'.."
if [[ ! -f "/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js.ORIG" ]]; then
cp -a "/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js" \
"/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js.ORIG" > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
#echononl "Adjust '/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js'.."
#if ! $(grep -q -E "^\s*{ urls: 'stun.nextcloud.com:443' }" \
# /etc/jitsi/meet/${FQHN_HOSTNAME}-config.js 2> "$log_file") ; then
# perl -i -n -p -e "s/((\s*)stunServers: \[.*)/\1\n\n\2 { urls: 'stun.nextcloud.com:443' },\n\2 { urls: 'stun.stunprotocol.org:3478' },\n\2 { urls: 'stun.services.mozilla.com:3478' },/" /etc/jitsi/meet/video.faire-mobilitaet.de-config.js
# if [[ $? -ne 0 ]]; then
# echo_failed
# error "$(cat "$log_file")"
# else
# echo_ok
# fi
#else
# echo_skipped
#fi
_temp_jitsi_meet_config_created=false
echononl "Adjust '/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js'.."
if ! $(grep -q -E "^\s*{ urls: 'stun.nextcloud.com:443' }" \
/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js 2> "$log_file") ; then
_found=false
:> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js
while IFS='' read -r _line || [[ -n $_line ]] ; do
if $_found && echo "$_line" | grep -iq -E "^\s*// { urls:.*${FQHN_HOSTNAME}" 2> /dev/null ; then
echo "$_line" >> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js
cat <<EOF >> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js
{ urls: 'stun.nextcloud.com:443' },
{ urls: 'stun.stunprotocol.org:3478' },
{ urls: 'stun.services.mozilla.com:3478' },
EOF
_found=false
elif $_found && echo "$_line" | grep -iq -E "^\s*\]," ; then
cat <<EOF >> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js
{ urls: 'stun.nextcloud.com:443' },
{ urls: 'stun.stunprotocol.org:3478' },
{ urls: 'stun.services.mozilla.com:3478' }
EOF
echo "$_line" >> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js
_found=false
else
echo "$_line" >> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js
fi
if ! $_found && echo "$_line" | grep -iq -E "^\s*stunServers: \[" 2> /dev/null ; then
_found=true
fi
done < "/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js"
echo_done
_temp_jitsi_meet_config_created=true
else
echo_skipped
fi
echononl "Copy created file '${FQHN_HOSTNAME}-config.js' to folder '/etc/jitsi/meet/'.."
if $_temp_jitsi_meet_config_created ; then
cp -a "${LOCK_DIR}/${FQHN_HOSTNAME}-config.js" "/etc/jitsi/meet/" > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
blank_line
echo
echo -e "\033[37m\033[1mConfigure Prosody (/etc/prosody/conf.avail/${FQHN_HOSTNAME}.cfg.lua) ..\033[m"
echo
# Edit file /etc/prosody/conf.d/${FQHN_HOSTNAME}.cfg.lua
#
# after line (the location this is important)
# consider_bosh_secure = true;
#
# add the following lines:
# bosh_ports = {
# {
# port = 5280;
# path = "http-bind";
# },
# {
# port = 5281;
# path = "http-bind";
# ssl = {
# certificate = "/etc/prosody/certs/${FQHN_HOSTNAME}.crt";
# key = "/etc/prosody/certs/${FQHN_HOSTNAME}.key";
# }
# }
# }
#
# http_ports = { 5280 }
# http_interfaces = { "localhost" }
#
# https_ports = { 5281 }
# https_interfaces = { "localhost" }
#
# https_ssl = {
# certificate = "/etc/prosody/certs/${FQHN_HOSTNAME}.crt";
# key = "/etc/prosody/certs/${FQHN_HOSTNAME}.key";
# }
#
echononl "Backup file '/etc/prosody/conf.avail/${FQHN_HOSTNAME}.cfg.lua'.."
if [[ ! -f "/etc/prosody/conf.avail/${FQHN_HOSTNAME}.cfg.lua.ORIG" ]]; then
cp -a "/etc/prosody/conf.avail/${FQHN_HOSTNAME}.cfg.lua" \
"/etc/prosody/conf.avail/${FQHN_HOSTNAME}.cfg.lua.ORIG" > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
_found=false
_tem_prosody_config_created=false
echononl "Create temporary configuration '${FQHN_HOSTNAME}.cfg.lua'.."
if ! $(grep -q -E "^\s*bosh_ports = {" /etc/prosody//conf.avail/${FQHN_HOSTNAME}.cfg.lua 2> /dev/null) ; then
:> ${LOCK_DIR}/${FQHN_HOSTNAME}.cfg.lua
while IFS='' read -r _line || [[ -n $_line ]] ; do
echo "$_line" >> ${LOCK_DIR}/${FQHN_HOSTNAME}.cfg.lua
if ! $_found && echo "$_line" | grep -i -E "^\s*consider_bosh_secure = true;" > /dev/null 2>&1 ; then
_found=true
cat <<EOF >> ${LOCK_DIR}/${FQHN_HOSTNAME}.cfg.lua
bosh_ports = {
{
port = 5280;
path = "http-bind";
},
{
port = 5281;
path = "http-bind";
ssl = {
certificate = "/etc/prosody/certs/${FQHN_HOSTNAME}.crt";
key = "/etc/prosody/certs/${FQHN_HOSTNAME}.key";
}
}
}
http_ports = { 5280 }
http_interfaces = { "localhost" }
https_ports = { 5281 }
https_interfaces = { "localhost" }
https_ssl = {
certificate = "/etc/prosody/certs/${FQHN_HOSTNAME}.crt";
key = "/etc/prosody/certs/${FQHN_HOSTNAME}.key";
}
EOF
fi
done < "/etc/prosody/conf.avail/${FQHN_HOSTNAME}.cfg.lua"
echo_done
_tem_prosody_config_created=true
else
echo_skipped
fi
echononl "Copy created file '${FQHN_HOSTNAME}.cfg.lua' to folder '/etc/prosody/conf.avail/'.."
if $_tem_prosody_config_created ; then
cp -a "${LOCK_DIR}/${FQHN_HOSTNAME}.cfg.lua" "/etc/prosody/conf.avail/" > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
blank_line
echo
echo -e "\033[37m\033[1mConfigure nginx configuration ..\033[m"
echo
echononl "Backup nginx configuration '${FQHN_HOSTNAME}.conf'.."
if [[ ! -f "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf.ORIG" ]] ; then
if [[ -f "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf" ]] ; then
cp -a "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf" \
"/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf.ORIG" > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
else
echo_skipped
fi
echononl "Create nginx configuration for '${FQHN_HOSTNAME}'.."
if ! $(grep -q -E "^\s*include snippets/letsencrypt-acme-challenge.conf;" \
"/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf" 2> /dev/null) ; then
cat <<EOF > "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf" 2> "$log_file"
# - ${FQHN_HOSTNAME}
server_names_hash_bucket_size 64;
server {
listen 80;
listen [::]:80;
server_name ${FQHN_HOSTNAME};
return 301 https://\$host\$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${FQHN_HOSTNAME};
# Include location directive for Let's Encrypt ACME Challenge
#
# Needed for (automated) updating certificate
#
include snippets/letsencrypt-acme-challenge.conf;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
#
# To generate a dhparam.pem file, run in a terminal
# openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 2048
#
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CC:ECDHE-ECDSA-ARIA128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# Eable session resumption to improve https performance
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# ==========
# HTTP security Headers
# ==========
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
#
add_header Strict-Transport-Security "max-age=31536000" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options nosniff always;
add_header Referrer-Policy "strict-origin";
# - Geteiltes Dokument öffnen
#
# # Add Etherpad-Lite host to frame-src, so frame-src becomes:
# #
# # #frame-src 'self' https://<etherpad-lite-host> https://www.youtube.com ;
# #
# # i.e. etherpad-litehost = epad-01.oopen.de
# #
# frame-src 'self' https://epad-01.oopen.de https://www.youtube.com ;
#
#
# - YouTube-Video teilen
#
# # Add https://www.youtube.com to script-src, so script-src becomes:
# #
# script-src 'self' 'unsafe-inline' https://www.youtube.com ;
#
# # Add https://www.youtube.com to frame-src, so frame-src becomes:
# #
# frame-src 'self' https://meet-ep-pee7eiji-xein9aiy.oopen.de https://www.youtube.com ;
#
# # Add https://img.youtube.com to img-src, so img-src becomes:
# img-src 'self' https://img.youtube.com
#
#
# - Hintergrundschärfe aktivieren:
#
# # Add https://storage.googleapis.com to connect-src, so connect source becomes:
# #
# connect-src 'self' https://storage.googleapis.com;
#
# # Add blob: to script-src, so script-src becomes:
# script-src 'self' 'unsafe-inline' https://www.youtube.com blob:
#
# Note!
# Other directives (like worker-src, or child-src, or..) are falling back to 'default-src'.
#
#add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' https://www.youtube.com ; img-src 'self' https://img.youtube.com ; style-src 'self' 'unsafe-inline' ; font-src 'self'; frame-src 'self' https://epad-01.oopen.de https://www.youtube.com ; object-src 'none'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; connect-src 'self' https://storage.googleapis.com ; media-src 'self'";
add_header Content-Security-Policy "block-all-mixed-content ; default-src 'none'; script-src 'self' 'unsafe-inline' https: blob: ; img-src 'self' https: ; style-src 'self' 'unsafe-inline' ; font-src 'self'; frame-src 'self' https: ; object-src 'none'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; connect-src 'self' https: ; media-src 'self'";
add_header Permissions-Policy "geolocation=();midi=();notifications=();push=();sync-xhr=();microphone=();camera=();magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=();";
ssl_certificate /var/lib/dehydrated/certs/${FQHN_HOSTNAME}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/${FQHN_HOSTNAME}/privkey.pem;
ssl_trusted_certificate /var/lib/dehydrated/certs/${FQHN_HOSTNAME}/chain.pem;
root /usr/share/jitsi-meet;
# ssi on with javascript for multidomain variables in config.js
ssi on;
ssi_types application/x-javascript application/javascript;
index index.html index.htm;
error_page 404 /static/404.html;
gzip on;
gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm;
gzip_vary on;
gzip_proxied no-cache no-store private expired auth;
gzip_min_length 512;
location = /config.js {
alias /etc/jitsi/meet/${FQHN_HOSTNAME}-config.js;
}
location = /external_api.js {
alias /usr/share/jitsi-meet/libs/external_api.min.js;
}
#ensure all static content can always be found first
location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)\$
{
add_header 'Access-Control-Allow-Origin' '*';
alias /usr/share/jitsi-meet/\$1/\$2;
# cache all versioned files
if (\$arg_v) {
expires 1y;
}
}
# BOSH
location = /http-bind {
proxy_pass http://localhost:5280/http-bind;
proxy_set_header X-Forwarded-For \$remote_addr;
proxy_set_header Host \$http_host;
}
# xmpp websockets
location = /xmpp-websocket {
proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=\$prefix&\$args;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host \$http_host;
tcp_nodelay on;
}
# colibri (JVB) websockets for jvb1
location ~ ^/colibri-ws/default-id/(.*) {
proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/\$1\$is_args\$args;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";
tcp_nodelay on;
}
location ~ ^/([^/?&:'"]+)\$ {
try_files \$uri @root_path;
}
location @root_path {
rewrite ^/(.*)\$ / break;
}
location ~ ^/([^/?&:'"]+)/config.js\$
{
set \$subdomain "\$1.";
set \$subdir "\$1/";
alias /etc/jitsi/meet/${FQHN_HOSTNAME}-config.js;
}
#Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
location ~ ^/([^/?&:'"]+)/(.*)\$ {
set \$subdomain "\$1.";
set \$subdir "\$1/";
rewrite ^/([^/?&:'"]+)/(.*)\$ /\$2;
}
# BOSH for subdomains
location ~ ^/([^/?&:'"]+)/http-bind {
set \$subdomain "\$1.";
set \$subdir "\$1/";
set \$prefix "\$1";
rewrite ^/(.*)\$ /http-bind;
}
# websockets for subdomains
location ~ ^/([^/?&:'"]+)/xmpp-websocket {
set \$subdomain "\$1.";
set \$subdir "\$1/";
set \$prefix "\$1";
rewrite ^/(.*)\$ /xmpp-websocket;
}
}
EOF
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Enable nginx support for '${FQHN_HOSTNAME}'.."
if [[ ! -h "/etc/nginx/sites-enabled/${FQHN_HOSTNAME}.conf" ]] ; then
ln -s "../sites-available/${FQHN_HOSTNAME}.conf" "/etc/nginx/sites-enabled/${FQHN_HOSTNAME}.conf" > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echo
echo -e "\033[37m\033[1mRestart services..\033[m"
echo
echononl "Restart prosody service.."
systemctl restart prosody > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
echononl "Restart jicofo service.."
systemctl restart prosody > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
echononl "Restart jitsi-videobridge2 service.."
systemctl restart jitsi-videobridge2 > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
echononl "Restart Nginx webservice.."
systemctl restart nginx > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
if $_tem_prosody_config_created ; then
warn "Please check file '/etc/prosody/conf.avail/${FQHN_HOSTNAME}.cfg.lua'"
fi
clean_up 0
Reference in New Issue View Git Blame Copy Permalink