#!/usr/bin/env bash
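# Script identity and working locations. realpath resolves symlinks, so a
# symlinked invocation still finds the conf/ directory next to the real file.
# Every expansion is quoted: an installation path containing spaces would
# otherwise be word-split before basename/dirname see it.
script_name="$(basename "$(realpath "$0")")"
working_dir="$(dirname "$(realpath "$0")")"
#conf_file="${working_dir}/conf/${script_name%%.*}.conf"
conf_file="${working_dir}/conf/jitsi.conf"
# Per-run scratch directory, created with mkdir further down and removed by
# clean_up/fatal. NOTE(review): the name is predictable (/tmp/<name>.<pid>.LOCK);
# switching to mktemp -d would need the later mkdir step adapted as well.
LOCK_DIR="/tmp/$(basename "$0").$$.LOCK"
# Each step redirects its output here; the error path prints the file.
log_file="${LOCK_DIR}/${script_name%%.*}.log"
# Suffix for the *.<date> backup copies written before a file is edited.
backup_date="$(date +%F-%H%M)"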
# ----------
# Base Function(s)
# ----------
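#######################################
# Exit housekeeping: remove the scratch directory and leave with the given
# status. Also installed as the handler for SIGHUP/SIGINT/SIGTERM, in which
# case it is called without arguments.
# Globals:   LOCK_DIR (removed), terminal (read by blank_line)
# Arguments: $1 - exit status (optional; defaults to 0)
#######################################
clean_up() {
  # ${LOCK_DIR:?} aborts instead of running `rm -rf ""` should the variable
  # ever be empty or unset.
  rm -rf -- "${LOCK_DIR:?}"
  blank_line
  exit "${1:-0}"
}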
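#######################################
# Print a prompt/progress message to stderr without a trailing newline, so
# that a following echo_ok/echo_failed/echo_skipped completes the line.
# Prints nothing when not attached to a terminal.
# Globals:   terminal (read)
# Arguments: $* - message; backslash escapes are interpreted as with echo -e
#######################################
echononl() {
  if [[ "${terminal:-false}" == true ]]; then
    # printf replaces the original probe that wrote /tmp/shprompt$$ to find
    # out whether echo honours "\c": the predictable /tmp name was exposed to
    # symlink races, and %b gives the same escape handling as `echo -e -n`.
    printf '%b' " $*" >&2
  fi
}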
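#######################################
# Report an unrecoverable error, remove the scratch directory and exit 1.
# Globals:   terminal (read), LOCK_DIR (removed)
# Arguments: $* - message (backslash escapes are interpreted as with echo -e)
#######################################
fatal() {
  echo ""
  # ${terminal:-false}: the original `if $terminal` treated an unset variable
  # as true, so the pre-terminal-check call emitted colour codes to a non-tty.
  if [[ "${terminal:-false}" == true ]]; then
    echo -e " [ \033[31m\033[1mFatal\033[m ] $*"
    echo ""
    echo -e " \033[1mScript terminated\033[m.."
  else
    echo -e " [ Fatal ] $*"
    echo ""
    echo -e " Script terminated.."
  fi
  echo ""
  # ${LOCK_DIR:?} refuses to run `rm -rf` on an empty path.
  rm -rf -- "${LOCK_DIR:?}"
  exit 1
}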
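#######################################
# Print an error line (red when on a terminal) surrounded by blank lines.
# Does not exit; callers decide how to continue.
# Globals:   terminal (read)
# Arguments: $* - message (on a terminal, echo -e escapes are interpreted)
#######################################
error() {
  echo ""
  # Explicit comparison instead of `if $terminal`, which executed the
  # variable's content as a command and treated an unset value as true.
  if [[ "${terminal:-false}" == true ]]; then
    echo -e " [ \033[31m\033[1mError\033[m ] $*"
  else
    echo " [ Error ] $*"
  fi
  echo ""
}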
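#######################################
# Print a warning line (yellow when on a terminal) surrounded by blank lines.
# Globals:   terminal (read)
# Arguments: $* - message (on a terminal, echo -e escapes are interpreted)
#######################################
warn() {
  echo ""
  if [[ "${terminal:-false}" == true ]]; then
    echo -e " [ \033[33m\033[1mWarning\033[m ] $*"
  else
    # The non-terminal branch used to print "[ Error ]" for a warning.
    echo " [ Warning ] $*"
  fi
  echo ""
}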
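#######################################
# Print an info line (green) surrounded by blank lines; prints nothing when
# not attached to a terminal.
# Globals:   terminal (read)
# Arguments: $* - message (echo -e escapes are interpreted)
#######################################
info() {
  # The original nested the same terminal check twice, so its plain
  # " [ Info ]" branch was unreachable; the single check keeps the observable
  # behaviour (coloured output on a terminal, silence otherwise).
  if [[ "${terminal:-false}" == true ]]; then
    echo ""
    echo -e " [ \033[32m\033[1mInfo\033[m ] $*"
    echo ""
  fi
}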
echo_ok() {
  # Finish the current status line at column 85 with a green "ok";
  # nothing is printed outside a terminal.
  if ! $terminal; then
    return 0
  fi
  echo -e "\033[85G[ \033[32mok\033[m ]"
}
echo_done() {
  # Finish the current status line at column 85 with a green "done";
  # silent when not on a terminal.
  $terminal || return 0
  echo -e "\033[85G[ \033[32mdone\033[m ]"
}
echo_failed() {
  # Finish the current status line at column 85 with a bold red "failed";
  # nothing is printed outside a terminal.
  if ! $terminal; then
    return 0
  fi
  echo -e "\033[85G[ \033[1;31mfailed\033[m ]"
}
echo_skipped() {
  # Finish the current status line at column 85 with a bold yellow "skipped";
  # silent when not on a terminal.
  $terminal || return 0
  echo -e "\033[85G[ \033[33m\033[1mskipped\033[m ]"
}
echo_wait() {
  # Show a blinking ".." marker at column 85 without ending the line, so the
  # final echo_ok/echo_failed can overwrite it; silent when not on a terminal.
  if ! $terminal; then
    return 0
  fi
  printf '%b' "\033[85G[ \033[5m\033[1m..\033[m ]"
}
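#######################################
# Strip leading and trailing whitespace from the given text and print the
# result without a trailing newline.
# Arguments: $* - text to trim (several arguments are joined with spaces)
# Outputs:   trimmed text on stdout
#######################################
trim() {
  local var="$*"
  var="${var#"${var%%[![:space:]]*}"}"   # drop the leading whitespace run
  var="${var%"${var##*[![:space:]]}"}"   # drop the trailing whitespace run
  # printf rather than `echo -n`: a value that trims down to "-n" or "-e"
  # would otherwise be consumed as an echo option.
  printf '%s' "$var"
}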
blank_line() {
  # Emit one empty line on a terminal; otherwise produce no output.
  $terminal || return 0
  echo ""
}
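#######################################
# Determine the running distribution.
# Globals:   DIST, DIST_VERSION, DIST_CODENAME (written; "unknown" when
#            neither /etc/os-release nor lsb_release is usable). Sourcing
#            /etc/os-release also imports that file's other variables
#            (ID, VERSION_ID, NAME, ...) into the caller's shell.
# Returns:   0
#######################################
detect_os() {
  if [[ -r /etc/os-release ]]; then
    # shellcheck disable=SC1091 — system file, not part of this repository
    . /etc/os-release
    DIST="${ID:-unknown}"
    DIST_VERSION="${VERSION_ID:-unknown}"
    DIST_CODENAME="${VERSION_CODENAME:-unknown}"
  elif command -v lsb_release >/dev/null 2>&1; then
    # The original test `$(which lsb_release >/dev/null 2>&1)` substituted an
    # empty command, which always succeeds, so this branch also ran when
    # lsb_release was not installed and the "unknown" fallback never did.
    DIST="$(lsb_release -i | awk '{print tolower($3)}')"
    DIST_VERSION="$(lsb_release -r | awk '{print tolower($2)}')"
    DIST_CODENAME="$(lsb_release -c | awk '{print tolower($2)}')"
    # Debian point releases (e.g. 12.4) are reduced to the major version.
    if [[ "$DIST" == "debian" && "$DIST_VERSION" == *.* ]]; then
      DIST_VERSION="${DIST_VERSION%%.*}"
    fi
  else
    DIST="unknown"
    DIST_VERSION="unknown"
    DIST_CODENAME="unknown"
  fi
  # Remove embedded spaces from DIST and DIST_VERSION.
  DIST="${DIST// /}"
  DIST_VERSION="${DIST_VERSION// /}"
}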
# ------------------------------------
# - Helper: ensure_vhost_modules
# - $1 = CONFIG
# - $2 = DOMAIN
# - $3 = REQUIRED_MODULES (nameref)
# ------------------------------------
ensure_vhost_modules() {
local config="$1"
local domain="$2"
local -n modules="$3"
local vhost_line modules_line closing_line next_block_line all_ok
local VHOST_BLOCK MODULES_BLOCK
VHOST_BLOCK="VirtualHost \"${domain}\"
modules_enabled = {"
for module in "${modules[@]}"; do
VHOST_BLOCK="${VHOST_BLOCK}
\"${module}\";"
done
VHOST_BLOCK="${VHOST_BLOCK}
}"
MODULES_BLOCK=" modules_enabled = {"
for module in "${modules[@]}"; do
MODULES_BLOCK="${MODULES_BLOCK}
\"${module}\";"
done
MODULES_BLOCK="${MODULES_BLOCK}
}"
if ! grep -q "VirtualHost \"${domain}\"" "$config"; then
# VirtualHost fehlt komplett ans Ende anfügen
echo "" >> "$config"
echo "$VHOST_BLOCK" >> "$config"
if [[ $? -ne 0 ]]; then
echo_failed
error "Failed to insert VirtualHost \"${domain}\" in ${config}"
return 1
else
echo_ok
fi
else
vhost_line=$(grep -n "VirtualHost \"${domain}\"" "$config" | head -1 | cut -d: -f1)
modules_line=$(awk "NR>${vhost_line} && /modules_enabled\s*=\s*\{/ {print NR; exit}" "$config")
if [[ -z "$modules_line" ]]; then
# VirtualHost existiert, aber kein modules_enabled Block einfügen
next_block_line=$(awk "NR>${vhost_line} && /^(VirtualHost|Component)\s/ {print NR; exit}" "$config")
if [[ -z "$next_block_line" ]]; then
# Kein weiterer Block ans Ende anfügen
echo "" >> "$config"
echo "$MODULES_BLOCK" >> "$config"
if [[ $? -ne 0 ]]; then
echo_failed
error "Failed to insert modules_enabled in VirtualHost \"${domain}\" in ${config}"
return 1
else
echo_ok
fi
else
# Vor dem nächsten Block einfügen
export MODULES_BLOCK
perl -i -0pe "s/((?:VirtualHost|Component)\s)/\$ENV{MODULES_BLOCK}\n\n\$1/ if !\$done++" "$config"
if [[ $? -ne 0 ]]; then
echo_failed
error "Failed to insert modules_enabled in VirtualHost \"${domain}\" in ${config}"
return 1
else
echo_ok
fi
fi
else
# modules_enabled existiert fehlende Module ergänzen
closing_line=$(awk "NR>${modules_line} && /^\s*\}/ {print NR; exit}" "$config")
all_ok=true
for module in "${modules[@]}"; do
if ! awk "NR>=${modules_line} && NR<=${closing_line}" "$config" | grep -qE "\"${module}\""; then
sed -i "${closing_line}i\\ \"${module}\";" "$config"
closing_line=$((closing_line + 1))
all_ok=false
fi
done
if $all_ok; then
echo_skipped
else
echo_ok
fi
fi
fi
}
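# ------------------------------------
# - Helper: ensure_component
# -
# - Make sure Component "<component>" exists in a Prosody config file and,
# - when a module array is given, that its modules_enabled block lists every
# - required module. Progress is reported through echo_ok / echo_skipped /
# - echo_failed and error.
# -
# - $1 = CONFIG           path of the config file (edited in place)
# - $2 = COMPONENT        component name
# - $3 = COMPONENT_TYPE   e.g. "muc" or "http_file_share"
# - $4 = REQUIRED_MODULES name of an array variable (nameref, optional)
# -
# - Returns 0 when the component is present or was completed, 1 when an
# - edit failed or an existing component has no modules_enabled block.
# ------------------------------------
ensure_component() {
  local config="$1"
  local component="$2"
  local component_type="$3"
  local has_modules=false
  local module comp_line modules_line closing_line next_block_line all_ok
  local comp_block module_lines=""
  local comp_marker="Component \"${component}\""

  # Bind the nameref only when a name was given: `local -n x=""` fails, which
  # the original hid behind 2>/dev/null.
  if [[ -n "${4:-}" ]]; then
    local -n comp_modules="$4"
    has_modules=true
  fi

  # Fixed-string matching: component names contain dots.
  if ! grep -qF -- "$comp_marker" "$config"; then
    # Component is missing entirely: append it, with its module list if any.
    comp_block="${comp_marker} \"${component_type}\""
    if $has_modules; then
      for module in "${comp_modules[@]}"; do
        module_lines="${module_lines}
\"${module}\";"
      done
      comp_block="${comp_block}
modules_enabled = {${module_lines}
}"
    fi
    if ! printf '\n%s\n' "$comp_block" >> "$config"; then
      echo_failed
      error "Failed to insert Component \"${component}\" in ${config}"
      return 1
    fi
    echo_ok
    return 0
  fi

  if ! $has_modules; then
    echo_skipped
    return 0
  fi

  # Component exists: complete its modules_enabled block. The search is
  # limited to this section so that a later section's block is not edited
  # by mistake (the original searched to the end of the file).
  comp_line=$(grep -nF -- "$comp_marker" "$config" | head -1 | cut -d: -f1)
  next_block_line=$(awk -v start="$comp_line" \
    'NR > start && /^(VirtualHost|Component)[[:space:]]/ { print NR; exit }' "$config")
  modules_line=$(awk -v start="$comp_line" -v end="${next_block_line:-0}" \
    'NR > start && (end == 0 || NR < end) && /modules_enabled[[:space:]]*=[[:space:]]*[{]/ { print NR; exit }' "$config")
  if [[ -z "$modules_line" ]]; then
    echo_failed
    error "Kein modules_enabled-Block in Component \"${component}\" gefunden"
    return 1
  fi
  closing_line=$(awk -v start="$modules_line" \
    'NR > start && /^[[:space:]]*[}]/ { print NR; exit }' "$config")
  if [[ -z "$closing_line" ]]; then
    echo_failed
    error "Failed to locate end of modules_enabled in Component \"${component}\" in ${config}"
    return 1
  fi
  all_ok=true
  for module in "${comp_modules[@]}"; do
    if ! awk -v s="$modules_line" -v e="$closing_line" 'NR >= s && NR <= e' "$config" \
        | grep -qF -- "\"${module}\""; then
      sed -i "${closing_line}i\\ \"${module}\";" "$config"
      closing_line=$((closing_line + 1))
      all_ok=false
    fi
  done
  if $all_ok; then
    echo_skipped
  else
    echo_ok
  fi
}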
# ----------
# - Jobhandling
# ----------
# - Run 'clean_up' for signals SIGHUP SIGINT SIGTERM
# -
trap clean_up SIGHUP SIGINT SIGTERM
# - Create lock directory '$LOCK_DIR'
#
mkdir "$LOCK_DIR"
# ----------
# - Some checks ..
# ----------
# - Running in a terminal?
# -
if [[ -t 1 ]] ; then
terminal=true
else
fatal "Script must run in a terminal."
fi
# ==========
# - Begin Main Script
# ==========
# ----------
# - Headline
# ----------
if $terminal ; then
echo ""
echo -e "\033[1m----------\033[m"
echo -e "\033[32m\033[1mRunning script \033[m\033[1m$script_name\033[32m .. \033[m"
echo -e "\033[1m----------\033[m"
fi
# ----------
# Read Configurations from $conf_file
# ----------
# - Give your default values here
# -
DEFAULT_FQHN_HOSTNAME="$(hostname -f)"
if [[ -f "$conf_file" ]]; then
source "$conf_file"
else
warn "No configuration file '$conf_file' present.\n
Loading default values.."
fi
[[ -n "$FQHN_HOSTNAME" ]] && DEFAULT_FQHN_HOSTNAME="$FQHN_HOSTNAME"
blank_line
echononl "Detect distribution/release of running OS.."
detect_os > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
FQHN_HOSTNAME=
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert full qualified hostname for Jitsi-Meet Service"
echo ""
if [[ -n "$DEFAULT_FQHN_HOSTNAME" ]]; then
while [[ "X${FQHN_HOSTNAME}" = "X" ]]; do
echononl "Full qualified hostname [${DEFAULT_FQHN_HOSTNAME}]: "
read FQHN_HOSTNAME
if [[ "X${FQHN_HOSTNAME}" = "X" ]]; then
FQHN_HOSTNAME=$DEFAULT_FQHN_HOSTNAME
fi
if [[ ! $FQHN_HOSTNAME =~ \. ]]; then
echo -e "\n\tGiven Host \033[33m\033[1m$FQHN_HOSTNAME\033[m seems not to be a full qualified hostname.\n"
FQHN_HOSTNAME=""
fi
done
else
while [[ "X${FQHN_HOSTNAME}" = "X" ]]; do
echononl "Full qualified hostname: "
read FQHN_HOSTNAME
if [[ "X${FQHN_HOSTNAME}" = "X" ]]; then
echo -e "\n\t\033[33m\033[1mFull qualified hostname is reqired\033[m\n"
fi
if [[ ! $FQHN_HOSTNAME =~ \. ]]; then
echo -e "\n\tGiven Host \033[33m\033[1m$FQHN_HOSTNAME\033[m seems not to be a full qualified hostname.\n"
FQHN_HOSTNAME=""
fi
done
fi
HOSTNAME="${FQHN_HOSTNAME%%.*}"
echo ""
echo ""
echo -e "\t\033[32mStart post-install script for Jitsi-Meet Service with the following parameters\033[m"
echo ""
echo -e "\tFull qualified Hostname..: $FQHN_HOSTNAME"
echo -e "\tHostname.................: $HOSTNAME"
echo ""
echo -e "\tOS Distribution..........: $DIST"
echo -e "\tDistribution's codename..: $DIST_CODENAME"
echo ""
echononl "einverstanden (yes/no): "
read OK
OK=${OK,,}
while [ "X$OK" != "Xyes" -a "X$OK" != "Xno" ]; do
echononl "Wrong entry! [yes/no]: "
read OK
OK=${OK,,}
done
[ $OK = "yes" ] || fatal Repeat with other settings..
echo ""
echo ""
echo
echo -e "\033[37m\033[1mInstall script checking if certificate/key of coTURN service is up-to-date..\033[m"
echo
# ------
# Create configuration file for the certificate check of the coTURN service
# ------
echononl "Create configuration file for certification check of coTURN service.."
if [[ ! -f "/root/bin/monitoring/conf/check_cert_for_service.conf" ]]; then
cp /root/bin/monitoring/conf/check_cert_for_service.conf.sample \
/root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'service_name'.."
if ! $(grep -q -E "^\s*service_name=\"coTURN\"" /root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then
perl -i -n -p -e "s/^(#service_name.*)/#\1\nservice_name=\"coTURN\"/" \
/root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'check_string_ps'.."
if ! $(grep -q -E "^\s*check_string_ps=\"\[\[:digit:\]\]\\\ /usr/bin/turnserver\"" \
/root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then
perl -i -n -p -e "s/^(#+check_string_ps*)/#\1\ncheck_string_ps=\"[[:digit:]]\\\ \/usr\/bin\/turnserver\"/" \
/root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'service_user'.."
if ! $(grep -q -E "^\s*service_user=\"turnserver\"" \
/root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then
perl -i -n -p -e "s/^(#+service_user.*)/#\1\nservice_user=\"turnserver\"/" \
/root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'service_group'.."
if ! $(grep -q -E "^\s*service_group=\"turnserver\"" \
/root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then
perl -i -n -p -e "s/^(#+service_group.*)/#\1\nservice_group=\"turnserver\"/" \
/root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'cert_installed'.."
#
if ! $(grep -q -E "^\s*cert_installed=\"/etc/ssl/fullchain.pem\"" \
/root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then
perl -i -n -p -e "s/^(#+cert_installed.*)/#\1\ncert_installed=\"\/etc\/ssl\/fullchain.pem\"/" \
/root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'key_installed'.."
#
if ! $(grep -q -E "^\s*key_installed=\"/etc/ssl/privkey.pem\"" \
/root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then
perl -i -n -p -e "s/^(#+key_installed.*)/#\1\nkey_installed=\"\/etc\/ssl\/privkey.pem\"/" \
/root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'cert_newest'.."
#
if ! $(grep -q -E "^\s*cert_newest=\"/var/lib/dehydrated/certs/${FQHN_HOSTNAME}/fullchain.pem\"" \
/root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then
perl -i -n -p -e \
"s/^(#+cert_newest.*)/#\1\ncert_newest=\"\\/var\/lib\/dehydrated\/certs\/${FQHN_HOSTNAME}\/fullchain.pem\"/" \
/root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'key_newest'.."
#
if ! $(grep -q -E "^\s*key_newest=\"/var/lib/dehydrated/certs/${FQHN_HOSTNAME}/privkey.pem\"" \
/root/bin/monitoring/conf/check_cert_for_service.conf 2> /dev/null) ; then
perl -i -n -p -e \
"s/^(#+key_newest.*)/#\1\nkey_newest=\"\\/var\/lib\/dehydrated\/certs\/${FQHN_HOSTNAME}\/privkey.pem\"/" \
/root/bin/monitoring/conf/check_cert_for_service.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
blank_line
echononl "Initial run of script 'check_cert_for_service.sh'.."
echo_wait
/root/bin/monitoring//check_cert_for_service.sh > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
if [[ -s "$log_file" ]] ; then
echo -e "
\033[32m----------\033[m
\033[1mOutput from :run of script 'check_cert_for_service.sh' was:\033[m
$(cat "$log_file")
\033[32m----------\033[m
"
fi
fi
blank_line
# Add cronjob for checking whether the certificate/key of the coTURN service is up to date
#
_failed=false
echononl "Add Cronjob for checcking if certificate/key of coTURN service is up-to-date.."
_crontab_tmp_file=/tmp/crontab_root.$$
crontab -l > "$_crontab_tmp_file" 2> "$log_file"
if [[ $? -ne 0 ]]; then
_failed=true
fi
if ! $(grep -q "/root/bin/monitoring/check_cert_for_service.sh" "$_crontab_tmp_file" 2>/dev/null) ; then
cat <<EOF >> "$_crontab_tmp_file" 2>> "$log_file"
# - Check if cert for coTURN service is up-to-date
# -
39 05 * * * /root/bin/monitoring/check_cert_for_service.sh
EOF
if [[ $? -ne 0 ]]; then
_failed=true
fi
crontab "$_crontab_tmp_file"
if [[ $? -ne 0 ]]; then
_failed=true
fi
rm -f "$_crontab_tmp_file"
if [[ $? -ne 0 ]]; then
_failed=true
fi
if $_failed ; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
blank_line
echo
echo -e "\033[37m\033[1mInstall script checking if certificate/key of Prosody service is up-to-date..\033[m"
echo
# ------
# Create configuration file for the certificate check of the Prosody service
# ------
echononl "Create configuration file for certification check of Prosody service.."
if [[ ! -f "/root/bin/monitoring/conf/check_cert_for_prosody.conf" ]]; then
cp /root/bin/monitoring/conf/check_cert_for_prosody.conf.sample \
/root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'service_name'.."
if ! grep -q -E "^\s*service_domain=\"${FQHN_HOSTNAME}\"" /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null ; then
perl -i -n -p -e "s/^(#service_domain.*)/#\1\nservice_domain=\"${FQHN_HOSTNAME}\"/" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
if ! grep -q -E "^\s*service_name=\"Prosody\"" /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null ; then
perl -i -n -p -e "s/^(#+service_name.*)/#\1\nservice_name=\"Prosody\"/" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'check_string_ps'.."
if ! grep -q -E "^\s*check_string_ps=\"\[\[:digit:\]\]\\\ lua\[\[:digit:\]\].\[\[:digit:\]\] /usr/bin/prosody\"" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null ; then
perl -i -n -p -e "s/^(#+check_string_ps.*)/#\1\ncheck_string_ps=\"[[:digit:]]\\\ lua[[:digit:]].[[:digit:]] \/usr\/bin\/prosody\"/" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'service_user'.."
if ! grep -q -E "^\s*service_user=\"prosody\"" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null ; then
perl -i -n -p -e "s/^(#+service_user.*)/#\1\nservice_user=\"prosody\"/" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'service_group'.."
if ! grep -q -E "^\s*service_group=\"prosody\"" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null ; then
perl -i -n -p -e "s/^(#+service_group.*)/#\1\nservice_group=\"prosody\"/" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'cert_installed'.."
if ! grep -q -E "^\s*cert_installed=\"/etc/prosody/certs/${FQHN_HOSTNAME}.crt\"" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null ; then
perl -i -n -p -e "s/^(#+cert_installed.*)/#\1\ncert_installed=\"\/etc\/prosody\/certs\/${FQHN_HOSTNAME}.crt\"/" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'key_installed'.."
if ! grep -q -E "^\s*key_installed=\"/etc/prosody/certs/${FQHN_HOSTNAME}.key\"" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null ; then
perl -i -n -p -e "s/^(#+key_installed.*)/#\1\nkey_installed=\"\/etc\/prosody\/certs\/${FQHN_HOSTNAME}.key\"/" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'cert_newest'.."
if ! grep -q -E "^\s*cert_newest=\"/var/lib/dehydrated/certs/${FQHN_HOSTNAME}/fullchain.pem\"" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null ; then
perl -i -n -p -e \
"s/^(#+cert_newest.*)/#\1\ncert_newest=\"\\/var\/lib\/dehydrated\/certs\/${FQHN_HOSTNAME}\/fullchain.pem\"/" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Prepare configuration file for 'key_newest'.."
if ! grep -q -E "^\s*key_newest=\"/var/lib/dehydrated/certs/${FQHN_HOSTNAME}/privkey.pem\"" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null ; then
perl -i -n -p -e \
"s/^(#+key_newest.*)/#\1\nkey_newest=\"\\/var\/lib\/dehydrated\/certs\/${FQHN_HOSTNAME}\/privkey.pem\"/" \
/root/bin/monitoring/conf/check_cert_for_prosody.conf > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
blank_line
echononl "Initial run of script 'check_cert_for_prosody.sh'.."
echo_wait
/root/bin/monitoring/check_cert_for_prosody.sh > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
if [[ -s "$log_file" ]] ; then
echo -e "
\033[32m----------\033[m
\033[1mOutput from :run of script 'check_cert_for_prosody.sh' was:\033[m
$(cat "$log_file")
\033[32m----------\033[m
"
fi
fi
blank_line
# Add cronjob for checking whether the certificate/key of the Prosody service is up to date
#
_failed=false
echononl "Add Cronjob for checcking if certificate/key of Prosody service is up-to-date.."
_crontab_tmp_file=/tmp/crontab_root.$$
crontab -l > "$_crontab_tmp_file" 2> "$log_file"
if [[ $? -ne 0 ]]; then
_failed=true
fi
if ! grep -q "/root/bin/monitoring/check_cert_for_prosody.sh" "$_crontab_tmp_file" 2>/dev/null ; then
cat <<EOF >> "$_crontab_tmp_file" 2>> "$log_file"
# - Check if cert(s) for Prosody service are up-zp-date
# -
13 05 * * * /root/bin/monitoring/check_cert_for_prosody.sh
EOF
if [[ $? -ne 0 ]]; then
_failed=true
fi
crontab "$_crontab_tmp_file"
if [[ $? -ne 0 ]]; then
_failed=true
fi
rm -f "$_crontab_tmp_file"
if [[ $? -ne 0 ]]; then
_failed=true
fi
if $_failed ; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
blank_line
echo
echo -e "\033[37m\033[1mConfigure Jitsi Meet..\033[m"
echo
_failed=false
_changed=false
echononl "Adjust '/etc/jitsi/videobridge/sip-communicator.properties'.."
if ! grep -q -E "^\s*org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true" \
/etc/jitsi/videobridge/sip-communicator.properties 2> "$log_file" ; then
cat <<EOF >> /etc/jitsi/videobridge/sip-communicator.properties
# disable the built-in webserver (required)
org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true
EOF
if [[ $? -ne 0 ]]; then
_failed=true
fi
_changed=true
fi
if ! grep -q -E "^\s*org.jitsi.videobridge.TCP_HARVESTER_PORT=4443" \
/etc/jitsi/videobridge/sip-communicator.properties 2> "$log_file" ; then
cat <<EOF >> /etc/jitsi/videobridge/sip-communicator.properties
# sometimes the above setting does not work, therefore we change the port too (required)
org.jitsi.videobridge.TCP_HARVESTER_PORT=4443
# sometimes the above setting does not work, therefore we change the port too (required)
org.jitsi.videobridge.TCP_HARVESTER_MAPPED_PORT=443
EOF
if [[ $? -ne 0 ]]; then
_failed=true
fi
_changed=true
fi
if ! grep -q -E "^\s*#+org.jitsi.videobridge.ENABLE_STATISTICS=false" \
/etc/jitsi/videobridge/sip-communicator.properties 2> "$log_file" ; then
cat <<EOF >> /etc/jitsi/videobridge/sip-communicator.properties
# disable statistics to third parties (optional)
# DOES NOT WORK
#org.jitsi.videobridge.ENABLE_STATISTICS=false
EOF
if [[ $? -ne 0 ]]; then
_failed=true
fi
_changed=true
fi
if $_changed ; then
if $_failed; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Backup file '/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js'.."
if [[ -f "/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js" ]] ; then
if [[ ! -f "/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js.ORIG" ]] ; then
cp -a "/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js" \
"/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js.ORIG"
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
cp -a "/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js" \
"/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js.${backup_date}" > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
fi
else
echo_skipped
fi
#echononl "Adjust '/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js'.."
#if ! $(grep -q -E "^\s*{ urls: 'stun.nextcloud.com:443' }" \
# /etc/jitsi/meet/${FQHN_HOSTNAME}-config.js 2> "$log_file") ; then
# perl -i -n -p -e "s/((\s*)stunServers: \[.*)/\1\n\n\2 { urls: 'stun.nextcloud.com:443' },\n\2 { urls: 'stun.stunprotocol.org:3478' },\n\2 { urls: 'stun.services.mozilla.com:3478' },/" /etc/jitsi/meet/video.faire-mobilitaet.de-config.js
# if [[ $? -ne 0 ]]; then
# echo_failed
# error "$(cat "$log_file")"
# else
# echo_ok
# fi
#else
# echo_skipped
#fi
_temp_jitsi_meet_config_created=false
echononl "Adjust '/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js'.."
if ! grep -q -E "^\s*{ urls: 'stun.nextcloud.com:443' }" \
/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js 2> "$log_file" ; then
_found=false
:> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js
while IFS='' read -r _line || [[ -n $_line ]] ; do
if $_found && echo "$_line" | grep -iq -E "^\s*// { urls:.*${FQHN_HOSTNAME}" 2> /dev/null ; then
echo "$_line" >> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js
cat <<EOF >> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js
{ urls: 'stun.nextcloud.com:443' },
{ urls: 'stun.stunprotocol.org:3478' },
{ urls: 'stun.services.mozilla.com:3478' },
EOF
_found=false
elif $_found && echo "$_line" | grep -iq -E "^\s*\]," ; then
cat <<EOF >> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js
{ urls: 'stun.nextcloud.com:443' },
{ urls: 'stun.stunprotocol.org:3478' },
{ urls: 'stun.services.mozilla.com:3478' }
EOF
echo "$_line" >> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js
_found=false
else
echo "$_line" >> ${LOCK_DIR}/${FQHN_HOSTNAME}-config.js
fi
if ! $_found && echo "$_line" | grep -iq -E "^\s*stunServers: \[" 2> /dev/null ; then
_found=true
fi
done < "/etc/jitsi/meet/${FQHN_HOSTNAME}-config.js"
echo_done
_temp_jitsi_meet_config_created=true
else
echo_skipped
fi
echononl "Copy created file '${FQHN_HOSTNAME}-config.js' to folder '/etc/jitsi/meet/'.."
if $_temp_jitsi_meet_config_created ; then
cp -a "${LOCK_DIR}/${FQHN_HOSTNAME}-config.js" "/etc/jitsi/meet/" > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
blank_line
echo
echo -e "\033[37m\033[1mConfigure Prosody (/etc/prosody/conf.avail/* ..\033[m"
echo
CONFIG_GLOBAL="/etc/prosody/prosody.cfg.lua"
echononl "Backup global configuration file $(basename "${CONFIG_GLOBAL}").."
if [[ -f "${CONFIG_GLOBAL}" ]] ; then
if [[ ! -f "${CONFIG_GLOBAL}.ORIG" ]]; then
cp -a "${CONFIG_GLOBAL}" "${CONFIG_GLOBAL}.ORIG" > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
cp -a "${CONFIG_GLOBAL}" "${CONFIG_GLOBAL}.${backup_date}" > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
fi
else
echo_skipped
fi
CONFIG="/etc/prosody/conf.avail/${FQHN_HOSTNAME}.cfg.lua"
echononl "Backup Konfiguration $(basename "${CONFIG}").."
if [[ -f "${CONFIG}" ]] ; then
if [[ ! -f "${CONFIG}.ORIG" ]]; then
cp -a "${CONFIG}" "${CONFIG}.ORIG" > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
cp -a "${CONFIG}" "${CONFIG}.${backup_date}" > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
fi
else
echo_skipped
fi
CONFIG_LOCALHOST="/etc/prosody/conf.avail/localhost.cfg.lua"
echononl "Backup configuration file $(basename "${CONFIG_LOCALHOST}").."
if [[ -f "${CONFIG_LOCALHOST}" ]] ; then
if [[ ! -f "${CONFIG_LOCALHOST}.ORIG" ]]; then
cp -a "${CONFIG_LOCALHOST}" "${CONFIG_LOCALHOST}.ORIG" > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
cp -a "${CONFIG_LOCALHOST}" "${CONFIG_LOCALHOST}.${backup_date}" > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
fi
else
echo_skipped
fi
CONFIG_JAAS="/etc/prosody/conf.avail/localhost.cfg.lua"
echononl "Backup configuration file $(basename "${CONFIG_JAAS}").."
if [[ -f "${CONFIG_JAAS}" ]] ; then
if [[ ! -f "${CONFIG_JAAS}.ORIG" ]]; then
cp -a "${CONFIG_JAAS}" "${CONFIG_JAAS}.ORIG" > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
cp -a "${CONFIG_JAAS}" "${CONFIG_JAAS}.${backup_date}" > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
fi
else
echo_skipped
fi
blank_line
KEY="posix"
echononl "Comment out module '${KEY}' in $(basename $CONFIG_GLOBAL) .."
if grep -qE "^\s*\"${KEY}\";" "$CONFIG_GLOBAL"; then
sed -i "s|^\(\s*\)\(\"${KEY}\";\)|\1-- \2|" "$CONFIG_GLOBAL" > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
echo_failed
error "Failed to comment out module '${KEY}' in ${CONFIG_GLOBAL}"
else
echo_ok
fi
else
echo_skipped
fi
blank_line
KEY="tcp_keepalives"
VALUE="true"
echononl "Set ${KEY} = ${VALUE} in $(basename $CONFIG) .."
if grep -qE "^\s*${KEY}\s*=" "$CONFIG"; then
if grep -qE "^\s*${KEY}\s*=\s*${VALUE}\s*;" "$CONFIG"; then
echo_skipped
else
sed -i "s|^\(\s*${KEY}\s*=\s*\).*|\1${VALUE};|" "$CONFIG"
if [[ $? -ne 0 ]]; then
echo_failed
error "Failed to update '${KEY}' in ${CONFIG}"
else
echo_ok
fi
fi
else
perl -i -0pe "s/(VirtualHost\\s)/${KEY} = ${VALUE};\\n\\n\$1/ if !\$done++" "$CONFIG" > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
error "Failed to insert '${KEY}' in ${CONFIG}"
else
echo_ok
fi
fi
KEY="cross_domain_bosh"
INSERT_BLOCK='http_cors_override = {\n bosh = {\n enabled = false;\n };\n websocket = {\n enabled = false;\n };\n}'
echononl "Comment out '${KEY}' and insert http_cors_override block in $(basename $CONFIG) .."
# Check whether the block is already present
if grep -qE "^\s*http_cors_override\s*=" "$CONFIG"; then
echo_skipped
else
# Comment out cross_domain_bosh if it is set
if grep -qE "^\s*${KEY}\s*=" "$CONFIG"; then
sed -i "s|^\(\s*\)\(${KEY}\s*=.*\)|\1-- \2|" "$CONFIG"
fi
# Insert the block before the first VirtualHost (preceded by a blank line)
perl -i -0pe "s/(VirtualHost\\s)/${INSERT_BLOCK}\\n\\n\$1/ if !\$done++" "$CONFIG" > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
error "Failed to insert 'http_cors_override' block in ${CONFIG}"
else
echo_ok
fi
fi
DOMAIN="meet.oopen.de"
INSERT_BLOCK='http_ports = { 5280 }
http_interfaces = { "127.0.0.1", "::1" }
https_ports = { 5281 }
https_interfaces = { "127.0.0.1", "::1" }
https_ssl = {
certificate = "/etc/prosody/certs/'"${DOMAIN}"'.crt";
key = "/etc/prosody/certs/'"${DOMAIN}"'.key";
}
-- http_default_host = "'"${DOMAIN}"'"
http_paths = {
bosh = "/http-bind";
files = "/"
}'
echononl "Insert http/https block in $(basename $CONFIG) .."
if grep -q "http_ports" "$CONFIG"; then
echo_skipped
else
export INSERT_BLOCK
perl -i -0pe 's/(VirtualHost\s)/$ENV{INSERT_BLOCK}\n\n$1/ if !$done++' "$CONFIG" > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
error "Failed to insert http/https block in ${CONFIG}"
else
echo_ok
fi
fi
# ------------------------------------
# - VirtualHosts and Components in the prosody configs
# ------------------------------------
# One entry per host, processed strictly in order.  Fields are '|'-separated:
#   kind|host|component module|required modules (space separated)
# kind 'vhost'     -> ensure_vhost_modules CONFIG host REQUIRED_MODULES
# kind 'component' -> ensure_component CONFIG host module [REQUIRED_MODULES]
# kind 'config'    -> switch $CONFIG to the given file
# kind 'blank'     -> print a blank line
# ensure_vhost_modules / ensure_component are defined elsewhere in this script;
# the REQUIRED_MODULES array is handed to them by name, exactly as before.
_prosody_host_specs=(
  'vhost|auth.meet.oopen.de||mam turn_external bosh websocket'
  'component|share.auth.meet.oopen.de|http_file_share|'
  'component|internal.auth.meet.oopen.de|muc|mam bosh websocket turn_external muc_mam'
  'vhost|guest.meet.oopen.de||mam turn_external bosh websocket'
  'component|share.guest.meet.oopen.de|http_file_share|'
  'component|groups.guest.meet.oopen.de|muc|muc_mam'
  'vhost|meet.oopen.de||mam'
  'component|share.meet.oopen.de|http_file_share|'
  'component|breakout.meet.oopen.de|muc|muc_hide_all muc_meeting_id muc_domain_mapper muc_rate_limit muc_mam'
  'vhost|recorder.meet.oopen.de||mam bosh websocket turn_external'
  'component|share.recorder.meet.oopen.de|http_file_share|'
  'component|groups.recorder.meet.oopen.de|muc|muc_mam'
  'blank|||'
  'config|/etc/prosody/conf.avail/localhost.cfg.lua||'
  'vhost|localhost||bosh websocket turn_external mam'
  'component|share.localhost|http_file_share|'
  'component|groups.localhost|muc|muc_mam'
  'config|/etc/prosody/conf.avail/jaas.cfg.lua||'
  'vhost|jigasi.meet.jitsi||mam websocket turn_external'
  'component|share.jigasi.meet.jitsi|http_file_share|'
  'component|groups.jigasi.meet.jitsi|muc|muc_mam'
  'blank|||'
)
for _spec in "${_prosody_host_specs[@]}"; do
  IFS='|' read -r _kind _host _comp_module _mods <<< "$_spec"
  case "$_kind" in
    blank)
      blank_line
      ;;
    config)
      CONFIG="$_host"
      ;;
    vhost)
      IFS=' ' read -r -a REQUIRED_MODULES <<< "$_mods"
      echononl "Ensure required modules in VirtualHost \"${_host}\" in $(basename "$CONFIG") .."
      ensure_vhost_modules "$CONFIG" "$_host" REQUIRED_MODULES
      ;;
    component)
      echononl "Ensure Component \"${_host}\" in $(basename "$CONFIG") .."
      if [[ -n "$_mods" ]]; then
        IFS=' ' read -r -a REQUIRED_MODULES <<< "$_mods"
        ensure_component "$CONFIG" "$_host" "$_comp_module" REQUIRED_MODULES
      else
        # No module list for this component: called with three arguments only,
        # REQUIRED_MODULES keeps whatever the previous entry left in it.
        ensure_component "$CONFIG" "$_host" "$_comp_module"
      fi
      ;;
  esac
done
echo
echo -e "\033[37m\033[1mConfigure nginx configuration ..\033[m"
echo

# Keep a dated copy of the current site file before it is rewritten below.
echononl "Backup nginx configuration '${FQHN_HOSTNAME}.conf'.."
if [[ ! -f "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf" ]] ; then
  echo_skipped
elif cp -a "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf" \
    "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf.${backup_date}" > "$log_file" 2>&1; then
  echo_ok
else
  echo_failed
  error "$(cat "$log_file")"
fi
echononl "Create nginx configuration for '${FQHN_HOSTNAME}'.."
if ! $(grep -q -E "^\s*include snippets/letsencrypt-acme-challenge.conf;" \
"/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf" 2> /dev/null) ; then
cat <<EOF > "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf" 2> "$log_file"
# - ${FQHN_HOSTNAME}
server_names_hash_bucket_size 64;
server {
listen 80;
listen [::]:80;
server_name ${FQHN_HOSTNAME};
return 301 https://\$host\$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name ${FQHN_HOSTNAME};
# Include location directive for Let's Encrypt ACME Challenge
#
# Needed for (automated) updating certificate
#
include snippets/letsencrypt-acme-challenge.conf;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
#
# To generate a dhparam.pem file, run in a terminal
# openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 2048
#
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CC:ECDHE-ECDSA-ARIA128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# Eable session resumption to improve https performance
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# ==========
# HTTP security Headers
# ==========
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
#
add_header Strict-Transport-Security "max-age=31536000" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options nosniff always;
add_header Referrer-Policy "strict-origin";
# - Geteiltes Dokument öffnen
#
# # Add Etherpad-Lite host to frame-src, so frame-src becomes:
# #
# # #frame-src 'self' https://<etherpad-lite-host> https://www.youtube.com ;
# #
# # i.e. etherpad-litehost = epad-01.oopen.de
# #
# frame-src 'self' https://epad-01.oopen.de https://www.youtube.com ;
#
#
# - YouTube-Video teilen
#
# # Add https://www.youtube.com to script-src, so script-src becomes:
# #
# script-src 'self' 'unsafe-inline' https://www.youtube.com ;
#
# # Add https://www.youtube.com to frame-src, so frame-src becomes:
# #
# frame-src 'self' https://meet-ep-pee7eiji-xein9aiy.oopen.de https://www.youtube.com ;
#
# # Add https://img.youtube.com to img-src, so img-src becomes:
# img-src 'self' https://img.youtube.com
#
#
# - Hintergrundschärfe aktivieren:
#
# # Add https://storage.googleapis.com to connect-src, so connect source becomes:
# #
# connect-src 'self' https://storage.googleapis.com;
#
# # Add blob: to script-src, so script-src becomes:
# script-src 'self' 'unsafe-inline' https://www.youtube.com blob:
#
# Note!
# Other directives (like worker-src, or child-src, or..) are falling back to 'default-src'.
#
#add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' https://www.youtube.com ; img-src 'self' https://img.youtube.com ; style-src 'self' 'unsafe-inline' ; font-src 'self'; frame-src 'self' https://epad-01.oopen.de https://www.youtube.com ; object-src 'none'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; connect-src 'self' https://storage.googleapis.com ; media-src 'self'";
add_header Content-Security-Policy "block-all-mixed-content ; default-src 'none'; script-src 'self' 'unsafe-inline' https: blob: ; img-src 'self' https: ; style-src 'self' 'unsafe-inline' ; font-src 'self'; frame-src 'self' https: ; object-src 'none'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; connect-src 'self' https: ; media-src 'self'";
add_header Permissions-Policy "geolocation=();midi=();notifications=();push=();sync-xhr=();microphone=();camera=();magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=();";
ssl_certificate /var/lib/dehydrated/certs/${FQHN_HOSTNAME}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/${FQHN_HOSTNAME}/privkey.pem;
ssl_trusted_certificate /var/lib/dehydrated/certs/${FQHN_HOSTNAME}/chain.pem;
root /usr/share/jitsi-meet;
# ssi on with javascript for multidomain variables in config.js
ssi on;
ssi_types application/x-javascript application/javascript;
index index.html index.htm;
error_page 404 /static/404.html;
gzip on;
gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm;
gzip_vary on;
gzip_proxied no-cache no-store private expired auth;
gzip_min_length 512;
location = /config.js {
alias /etc/jitsi/meet/${FQHN_HOSTNAME}-config.js;
}
location = /external_api.js {
alias /usr/share/jitsi-meet/libs/external_api.min.js;
}
#ensure all static content can always be found first
location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)\$
{
add_header 'Access-Control-Allow-Origin' '*';
alias /usr/share/jitsi-meet/\$1/\$2;
# cache all versioned files
if (\$arg_v) {
expires 1y;
}
}
# BOSH
location = /http-bind {
proxy_pass http://localhost:5280/http-bind;
proxy_set_header X-Forwarded-For \$remote_addr;
proxy_set_header Host \$http_host;
}
# xmpp websockets
location = /xmpp-websocket {
proxy_pass http://localhost:5280/xmpp-websocket?prefix=\$prefix&\$args;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host \$http_host;
tcp_nodelay on;
}
# colibri (JVB) websockets for jvb1
location ~ ^/colibri-ws/default-id/(.*) {
proxy_pass http://localhost:9090/colibri-ws/default-id/\$1\$is_args\$args;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";
tcp_nodelay on;
}
location ~ ^/([^/?&:'"]+)\$ {
try_files \$uri @root_path;
}
location @root_path {
rewrite ^/(.*)\$ / break;
}
location ~ ^/([^/?&:'"]+)/config.js\$
{
set \$subdomain "\$1.";
set \$subdir "\$1/";
alias /etc/jitsi/meet/${FQHN_HOSTNAME}-config.js;
}
#Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
location ~ ^/([^/?&:'"]+)/(.*)\$ {
set \$subdomain "\$1.";
set \$subdir "\$1/";
rewrite ^/([^/?&:'"]+)/(.*)\$ /\$2;
}
# BOSH for subdomains
location ~ ^/([^/?&:'"]+)/http-bind {
set \$subdomain "\$1.";
set \$subdir "\$1/";
set \$prefix "\$1";
rewrite ^/(.*)\$ /http-bind;
}
# websockets for subdomains
location ~ ^/([^/?&:'"]+)/xmpp-websocket {
set \$subdomain "\$1.";
set \$subdir "\$1/";
set \$prefix "\$1";
rewrite ^/(.*)\$ /xmpp-websocket;
}
}
EOF
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Enable nginx support for '${FQHN_HOSTNAME}'.."
if [[ ! -h "/etc/nginx/sites-enabled/${FQHN_HOSTNAME}.conf" ]] ; then
ln -s "../sites-available/${FQHN_HOSTNAME}.conf" "/etc/nginx/sites-enabled/${FQHN_HOSTNAME}.conf" > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
if [ "$DIST" = "debian" ] && [[ "$DIST_VERSION" == 13* ]]; then
echo
echo -e "\033[37m\033[1mTake care inspect.lua is available für Lua 5.4 ..\033[m"
echo
echononl "Create Folder '/usr/share/lua/5.4'.."
if [[ ! -d "/usr/share/lua/5.4" ]] ; then
mkdir -p /usr/share/lua/5.4 > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_skipped
fi
echononl "Deploy luan.inspect to the '/usr/share/lua/5.4' folder.."
if [[ ! -f /usr/share/lua/5.4/inspect.lua ]]; then
if [[ -f /usr/share/lua/5.3/inspect.lua ]]; then
cp -a /usr/share/lua/5.3/inspect.lua /usr/share/lua/5.4/inspect.lua > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
elif [[ -f /usr/share/lua/5.2/inspect.lua ]]; then
cp -a /usr/share/lua/5.2/inspect.lua /usr/share/lua/5.4/inspect.lua > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
elif [[ -f /usr/share/lua/5.1/inspect.lua ]]; then
ln -s ../5.1/inspect.lua /usr/share/lua/5.4/inspect.lua > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat "$log_file")"
else
echo_ok
fi
else
echo_failed
error "No luan.inspect at folder '/usr/share/lua/5.4' present!"
fi
else
echo_skipped
fi
fi
echo
echo -e "\033[37m\033[1mRestart services..\033[m"
echo

# Restart the affected units in this fixed order (prosody first, nginx last).
# Each entry is "unit|progress message"; a failed restart is reported with the
# captured systemctl output but does not stop the remaining restarts.
for _svc_spec in \
    "prosody|Restart prosody service.." \
    "jicofo|Restart jicofo service.." \
    "jitsi-videobridge2|Restart jitsi-videobridge2 service.." \
    "nginx|Restart Nginx webservice.."; do
  _unit="${_svc_spec%%|*}"
  _msg="${_svc_spec#*|}"
  echononl "$_msg"
  if systemctl restart "$_unit" > "$log_file" 2>&1; then
    echo_ok
  else
    echo_failed
    error "$(cat "$log_file")"
  fi
done

# _tem_prosody_config_created is set earlier in the script (outside this view);
# when this run created the prosody vhost config, ask the operator to review it.
if $_tem_prosody_config_created ; then
  warn "Please check file '/etc/prosody/conf.avail/${FQHN_HOSTNAME}.cfg.lua'"
fi

clean_up 0