Merge pull request #22 from switnet-ltd/unstable

Scaling up and performance features.
- JWT auth
- CHP mode
- Add JVB2
- Docker SG
etc.
This commit is contained in:
Luis Guzman 2020-12-17 11:34:27 -06:00 committed by GitHub
commit b25cb90ae6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 977 additions and 84 deletions

View File

@ -60,7 +60,7 @@ Feel free to use our (new) `test-jibri-env.sh` tool to find some details on your
* Grafana Dashboard
* Lobby Rooms - Secure Rooms
* Conference Duration - Secure Rooms
* (New) Automatic Jibri nodes network sync ([see more](https://github.com/switnet-ltd/quick-jibri-installer/wiki/Jibri-Nodes)).
* (New) Automatic Jibri nodes network sync ([see more](https://github.com/switnet-ltd/quick-jibri-installer/wiki/Setup-and-Jibri-Nodes)).
## Tools (New)
* (New) Jibri Environment Tester

View File

@ -53,6 +53,7 @@ DIR_RECORD="/var/jbrecord"
REC_DIR="/home/jibri/finalize_recording.sh"
CHD_VER="$(curl -sL https://chromedriver.storage.googleapis.com/LATEST_RELEASE)"
GOOGL_REPO="/etc/apt/sources.list.d/dl_google_com_linux_chrome_deb.list"
GOOGLE_ACTIVE_REPO=$(apt-cache policy | grep http | grep chrome| awk '{print $3}' | head -n 1 | cut -d "/" -f2)
GCMP_JSON="/etc/opt/chrome/policies/managed/managed_policies.json"
PUBLIC_IP="$(dig -4 @resolver1.opendns.com ANY myip.opendns.com +short)"
NJN_RAND_TAIL="$(tr -dc "a-zA-Z0-9" < /dev/urandom | fold -w 4 | head -n1)"
@ -226,6 +227,7 @@ if [ "$HWE_VIR_MOD" == "1" ]; then
linux-modules-extra-virtual-hwe-$(lsb_release -sr)
else
apt-get -y install \
linux-image-generic \
linux-modules-extra-$(uname -r)
fi
@ -239,7 +241,7 @@ apt-get -y install \
openjdk-8-jre-headless
echo "# Installing Google Chrome / ChromeDriver"
if [ -f $GOOGL_REPO ]; then
if [ "$GOOGLE_ACTIVE_REPO" = "main" ]; then
echo "Google repository already set."
else
echo "Installing Google Chrome Stable"
@ -404,7 +406,7 @@ INOT_RSYNC
mkdir /var/log/$NJN_USER
cat << LOG_ROT >> /etc/logrotate.d/$NJN_USER
cat << LOG_ROT > /etc/logrotate.d/$NJN_USER
/var/log/$NJN_USER/*.log {
monthly
missingok

347
add-jvb2-node.sh Normal file
View File

@ -0,0 +1,347 @@
#!/bin/bash
# JVB2 Node Aggregator
# SwITNet Ltd © - 2020, https://switnet.net/
# GPLv3 or later.
### 0_LAST EDITION TIME STAMP ###
# LETS: AUTOMATED_EDITION_TIME
### 1_LAST EDITION ###
#Make sure the file name is the required one
if [ ! "$(basename $0)" = "add-jvb2-node.sh" ]; then
echo "For most cases naming won't matter, for this one it does."
echo "Please use the original name for this script: \`add-jvb2-node.sh', and run again."
exit
fi
while getopts m: option
do
case "${option}"
in
m) MODE=${OPTARG};;
\?) echo "Usage: sudo ./add-jvb2-node.sh [-m debug]" && exit;;
esac
done
#DEBUG
if [ "$MODE" = "debug" ]; then
set -x
fi
#Check admin rights
if ! [ "$(id -u)" = 0 ]; then
echo "You need to be root or have sudo privileges!"
exit 0
fi
### 0_VAR_DEF
MAIN_SRV_DIST=TBD
MAIN_SRV_REPO=TBD
MAIN_SRV_DOMAIN=TBD
JVB_HOSTNAME=TBD
JVB_HOST=TBD
JVB_PORT=TBD
JVB_SECRET=TBD
JVB_OPTS=TBD
SYS_PROPS=TBD
AWS_HARVEST=TBD
STUN_MAPPING=TBD
ENABLE_STATISTICS=TBD
SHARD_HOSTNAME=TBD
SHARD_DOMAIN=TBD
SHARD_PASS=TBD
MUC_JID=TBD
MJS_USER=TBD
MJS_USER_PASS=TBD
START=0
LAST=TBD
THIS_SRV_DIST=$(lsb_release -sc)
JITSI_REPO=$(apt-cache policy | grep http | grep jitsi | grep stable | awk '{print $3}' | head -n 1 | cut -d "/" -f1)
JVB2_CONF="/etc/jitsi/videobridge/config"
JVB2_NCONF="/etc/jitsi/videobridge/jvb.conf"
JVB2_SIP="/etc/jitsi/videobridge/sip-communicator.properties"
#PUBLIC_IP="$(dig -4 @resolver1.opendns.com ANY myip.opendns.com +short)"
NJN_RAND_TAIL="$(tr -dc "a-zA-Z0-9" < /dev/urandom | fold -w 4 | head -n1)"
NJN_USER="jvbnode${ADDUP}_${NJN_RAND_TAIL}"
NJN_USER_PASS="$(tr -dc "a-zA-Z0-9#_*=" < /dev/urandom | fold -w 32 | head -n1)"
#GITHUB_RAW="https://raw.githubusercontent.com"
#GIT_REPO="switnet-ltd/quick-jibri-installer"
### 1_VAR_DEF
# sed limiters for add-jvb2-node.sh variables
var_dlim() {
grep -n $1 add-jvb2-node.sh|head -n1|cut -d ":" -f1
}
check_var() {
if [ -z "$2" ]; then
echo -e "Check if variable $1 is set: \xE2\x9C\x96 \nExiting..."
exit
else
echo -e "Check if variable $1 is set: \xE2\x9C\x94"
fi
}
if [ -z "$LAST" ]; then
echo "There is an error on the LAST definition, please report."
exit
elif [ "$LAST" = "TBD" ]; then
ADDUP=$((START + 1))
else
ADDUP=$((LAST + 1))
fi
#Check server and node OS
if [ ! "$THIS_SRV_DIST" = "$MAIN_SRV_DIST" ]; then
echo "Please use the same OS for the JVB2 setup on both servers."
echo "This server is based on: $THIS_SRV_DIST"
echo "The main server record claims is based on: $MAIN_SRV_DIST"
exit
fi
#Check system resources
echo "Verifying System Resources:"
if [ "$(nproc --all)" -lt 4 ];then
echo "
Warning!: The system do not meet the CPU recomendations for a JVB node for heavy loads.
>> We recommend 4 cores/threads for JVB2!
"
CPU_MIN="N"
else
echo "CPU Cores/Threads: OK ($(nproc --all))"
CPU_MIN="Y"
fi
### Test RAM size (8GB min) ###
mem_available=$(grep MemTotal /proc/meminfo| grep -o '[0-9]\+')
if [ ${mem_available} -lt 7700000 ]; then
echo "
Warning!: The system do not meet the CPU recomendations for a JVB node for heavy loads.
>> We recommend 8GB RAM for JVB2!
"
MEM_MIN="N"
else
echo "Memory: OK ($((mem_available/1024)) MiB)"
MEM_MIN="Y"
fi
if [ "$CPU_MIN" = "Y" ] && [ "$MEM_MIN" = "Y" ];then
echo "All requirements seems meet!"
echo "
- We hope you have a nice recording/streaming session
"
else
echo "CPU ($(nproc --all))/RAM ($((mem_available/1024)) MiB) does NOT meet minimum recommended requirements!"
echo "We highly advice to increase the resources in order to install this JVB2 node."
while [[ "$CONTINUE_LOW_RES" != "yes" && "$CONTINUE_LOW_RES" != "no" ]]
do
read -p "> Do you want to continue?: (yes or no)"$'\n' -r CONTINUE_LOW_RES
if [ "$CONTINUE_LOW_RES" = "no" ]; then
echo "See you next time with more resources!..."
exit
elif [ "$CONTINUE_LOW_RES" = "yes" ]; then
echo "Please keep in mind that we might not support underpowered nodes."
fi
done
fi
echo "
#-----------------------------------------------------------------------
# Checking initial necessary variables...
#-----------------------------------------------------------------------"
check_var JVB_HOSTNNAME "$JVB_HOSTNAME"
if [ -z $JVB_HOST ]; then
echo "JVB_HOST is empty, but it may be ok for it to be empty, skipping empty test."
else
check_var JVB_HOST "$JVB_HOST"
fi
check_var JVB_PORT "$JVB_PORT"
check_var JVB_SECRET "$JVB_SECRET"
check_var JVB_OPTS "$JVB_OPTS"
check_var SYS_PROPS "$SYS_PROPS"
check_var AWS_HARVEST "$AWS_HARVEST"
check_var STUN_MAPPING "$STUN_MAPPING"
check_var ENABLE_STATISTICS "$ENABLE_STATISTICS"
check_var SHARD_HOSTNAME "$SHARD_HOSTNAME"
check_var SHARD_DOMAIN "$SHARD_DOMAIN"
check_var SHARD_PASS "$SHARD_PASS"
check_var MUC_JID "$MUC_JID"
check_var MAIN_SRV_DOMAIN "$MAIN_SRV_DOMAIN"
# Rename hostname for each jvb2 node
hostnamectl set-hostname "jvb${ADDUP}.${MAIN_SRV_DOMAIN}"
sed -i "1i 127.0.0.1 jvb${ADDUP}.${MAIN_SRV_DOMAIN}" /etc/hosts
# Jitsi-Meet Repo
echo "Add Jitsi repo"
if [ -z "$JITSI_REPO" ]; then
echo "deb http://download.jitsi.org $MAIN_SRV_REPO/" > /etc/apt/sources.list.d/jitsi-$MAIN_SRV_REPO.list
wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | apt-key add -
elif [ ! "$JITSI_REPO" = "$MAIN_SRV_REPO" ]; then
echo "Main and node servers repository don't match, extiting.."
exit
elif [ "$JITSI_REPO" = "$MAIN_SRV_REPO" ]; then
echo "Main and node servers repository match, continuing..."
else
echo "Jitsi $JITSI_REPO repository already installed"
fi
# Requirements
echo "We'll start by installing system requirements this may take a while please be patient..."
apt-get update -q2
apt-get dist-upgrade -yq2
apt-get -y install \
apt-show-versions \
bmon \
curl \
git \
htop \
ssh \
unzip \
wget
echo "# Check and Install HWE kernel if possible..."
HWE_VIR_MOD=$(apt-cache madison linux-modules-extra-virtual-hwe-$(lsb_release -sr) 2>/dev/null|head -n1|grep -c "extra-virtual-hwe")
if [ "$HWE_VIR_MOD" == "1" ]; then
apt-get -y install \
linux-image-generic-hwe-$(lsb_release -sr) \
linux-modules-extra-virtual-hwe-$(lsb_release -sr)
else
apt-get -y install \
linux-modules-extra-$(uname -r)
fi
echo "
#--------------------------------------------------
# Install JVB2
#--------------------------------------------------
"
echo "jitsi-videobridge jitsi-videobridge/jvb-hostname string $MAIN_SRV_DOMAIN" | debconf-set-selections
apt-get -y install \
jitsi-videobridge2 \
openjdk-8-jre-headless
echo '
########################################################################
Start JVB2 configuration
########################################################################
'
mv $JVB2_CONF ${JVB2_CONF}-dpkg-file
## JVB2 - CONFIG
cat << JVB2_CONF > $JVB2_CONF
# Jitsi Videobridge settings
# sets the XMPP domain (default: none)
JVB_HOSTNAME=$JVB_HN
# sets the hostname of the XMPP server (default: domain if set, localhost otherwise)
JVB_HOST=$JVB_HOST
# sets the port of the XMPP server (default: 5275)
JVB_PORT=$JVB_PORT
# sets the shared secret used to authenticate to the XMPP server
JVB_SECRET=$JVB_SECRET
# extra options to pass to the JVB daemon
JVB_OPTS=$JVB_OPTS
# adds java system props that are passed to jvb (default are for home and logging config file)
JAVA_SYS_PROPS=$SYS_PROPS
JVB2_CONF
mv $JVB2_SIP $JVB2_SIP-dpkg-file
## JVB2 - SIP
cat << JVB2_SIP > $JVB2_SIP
# Legacy conf file, new format already at
# /etc/jitsi/videobridge/jvb.conf
# --add-jvb2-node.sh
JVB2_SIP
echo -e "\n---- Setting new config format for jvb2 node. ----"
sed -i '${/\}/d;}' $JVB2_NCONF
cat << JVB2 >> $JVB2_NCONF
stats {
# Enable broadcasting stats/presence in a MUC
enabled = true
transports = [
{ type = "muc" }
]
}
apis {
xmpp-client {
configs {
# Connect to the first XMPP server
xmpp-server-$ADDUP {
hostname="$MAIN_SRV_DOMAIN"
domain = "auth.$MAIN_SRV_DOMAIN"
username = "jvb"
password = "$SHARD_PASS"
muc_jids = "JvbBrewery@internal.auth.$MAIN_SRV_DOMAIN"
# The muc_nickname must be unique across all jitsi-videobridge instances
muc_nickname = "jvb2-$ADDUP"
disable_certificate_verification = true
}
}
}
}
}
JVB2
echo -e "\n---- Create random nodesync user ----"
useradd -m -g jitsi $NJN_USER
echo "$NJN_USER:$NJN_USER_PASS" | chpasswd
echo -e "\n---- We'll connect to main server ----"
read -n 1 -s -r -p "Press any key to continue..."$'\n'
sudo su $NJN_USER -c "ssh-keygen -t rsa -f ~/.ssh/id_rsa -b 4096 -o -a 100 -q -N ''"
echo "Remote pass: $MJS_USER_PASS"
ssh-keyscan -t rsa $MAIN_SRV_DOMAIN >> ~/.ssh/known_hosts
ssh $MJS_USER@$MAIN_SRV_DOMAIN sh -c "'cat >> .ssh/authorized_keys'" < /home/$NJN_USER/.ssh/id_rsa.pub
sudo su $NJN_USER -c "ssh-keyscan -t rsa $MAIN_SRV_DOMAIN >> /home/$NJN_USER/.ssh/known_hosts"
echo "Writting last node number..."
sed -i "$(var_dlim 0_VAR),$(var_dlim 1_VAR){s|LAST=.*|LAST=$ADDUP|}" add-jvb2-node.sh
sed -i "$(var_dlim 0_LAST),$(var_dlim 1_LAST){s|LETS: .*|LETS: $(date -R)|}" add-jvb2-node.sh
echo "Last file edition at: $(grep "LETS:" add-jvb2-node.sh|head -n1|awk -F'LETS:' '{print$2}')"
#Enable jvb2 services
systemctl enable jitsi-videobridge2.service
systemctl restart jitsi-videobridge2.service
echo -e "\nSending updated add-jvb2-node.sh file to main server sync user...\n"
cp $PWD/add-jvb2-node.sh /tmp
sudo -u $NJN_USER scp /tmp/add-jvb2-node.sh $MJS_USER@$MAIN_SRV_DOMAIN:/home/$MJS_USER/
rm $PWD/add-jvb2-node.sh /tmp/add-jvb2-node.sh
echo "
########################################################################
Node addition complete!!
IMPORTANT:
The updated version of this file has been sent to the main server
at the sync user home directory, please use that one in order to
install new nodes. For security reason this version has been deleted
from this very node.
For customized support: http://switnet.net
########################################################################
"
echo "Rebooting in..."
secs=$((15))
while [ $secs -gt 0 ]; do
echo -ne "$secs\033[0K\r"
sleep 1
: $((secs--))
done
reboot

169
mode/chp-mode.sh Normal file
View File

@ -0,0 +1,169 @@
#!/bin/bash
# Custom High Performance Jitsi conf
# SwITNet Ltd © - 2020, https://switnet.net/
# GPLv3 or later.
#Check if user is root
if ! [ $(id -u) = 0 ]; then
echo "You need to be root or have privileges!"
exit 0
fi
while getopts m: option
do
case "${option}"
in
m) MODE=${OPTARG};;
\?) echo "Usage: sudo ./chp-mode.sh [-m debug]" && exit;;
esac
done
#DEBUG
if [ "$MODE" = "debug" ]; then
set -x
fi
wait_seconds() {
secs=$(($1))
while [ $secs -gt 0 ]; do
echo -ne "$secs\033[0K\r"
sleep 1
: $((secs--))
done
}
LTS_REL="$(lsb_release -d | awk '{print$4}')"
DOMAIN="$(ls /etc/prosody/conf.d/ | grep -v localhost | awk -F'.cfg' '{print $1}' | awk '!NF || !seen[$0]++')"
JVB_LOG_POP="/etc/jitsi/videobridge/logging.properties"
JVB_RC="/usr/share/jitsi-videobridge/lib/videobridge.rc"
JICOFO_LOG_POP="/etc/jitsi/videobridge/logging.properties"
MEET_LOG_CONF="/usr/share/jitsi-meet/logging_config.js"
MEET_CONF="/etc/jitsi/meet/$DOMAIN-config.js"
MEET_CONF_HP="/etc/jitsi/meet/${DOMAIN}-chp-config.js"
INT_CONF_JS="/etc/jitsi/meet/${DOMAIN}-interface_config.js"
INT_CONF_JS_HP="/etc/jitsi/meet/${DOMAIN}-chp-interface_config.js"
WS_CONF="/etc/nginx/sites-enabled/$DOMAIN.conf"
FSTAB="/etc/fstab"
if [ -z $LTS_REL ] || [ -z $DOMAIN ];then
echo "This system isn't suitable to configure."
exit
else
echo "This system seems suitable to configure..."
fi
while [[ "$CONTINUE_HP" != "yes" && "$CONTINUE_HP" != "no" ]]
do
read -p "> Do you want to continue?: (yes or no)"$'\n' -r CONTINUE_HP
if [ "$CONTINUE_HP" = "no" ]; then
echo "See you next time!..."
exit
elif [ "$CONTINUE_HP" = "yes" ]; then
echo "Good, then let's get it done..."
fi
done
#Tools to consider
##Profiling
#https://github.com/jvm-profiling-tools/async-profiler
#SYSTEM
##Disable swap
swapoff -a
sed -ir '/\sswap\s/s/^#?/#/' $FSTAB
##Kernel
#https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/tuning_and_optimizing_red_hat_enterprise_linux_for_oracle_9i_and_10g_databases/sect-oracle_9i_and_10g_tuning_guide-adjusting_network_settings-changing_network_kernel_settings
sysctl -w net.core.rmem_default=262144
sysctl -w net.core.wmem_default=262144
sysctl -w net.core.rmem_max=262144
sysctl -w net.core.wmem_max=262144
echo 'net.core.rmem_default=262144' | tee -a /etc/sysctl.conf
echo 'net.core.wmem_default=262144' | tee -a /etc/sysctl.conf
echo 'net.core.rmem_max=262144' | tee -a /etc/sysctl.conf
echo 'net.core.wmem_max=262144' | tee -a /etc/sysctl.conf
#https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_for_real_time/7/html/tuning_guide/reduce_tcp_performance_spikes
sysctl -w net.ipv4.tcp_timestamps=0
echo 'net.ipv4.tcp_timestamps=0' | tee -a /etc/sysctl.conf
#https://bugzilla.redhat.com/show_bug.cgi?id=1283676
sysctl -w net.core.netdev_max_backlog=100000
echo 'net.core.netdev_max_backlog=100000' | tee -a /etc/sysctl.conf
##nginx
sed -i "s|worker_connections.*|worker_connections 2000;|" /etc/nginx/nginx.conf
#Missing docs
#sysctl -w net.ipv4.tcp_low_latency=1
#JVB2
##Loose up logging
# https://community.jitsi.org/t/23641/13
sed -i "/java.util.logging.FileHandler.level/s|ALL|WARNING|g" $JVB_LOG_POP
sed -i "s|^.level=INFO|.level=WARNING|" $JVB_LOG_POP
sed -i "/VIDEOBRIDGE_MAX_MEMORY=/i \ VIDEOBRIDGE_MAX_MEMORY=8192m" $JVB_RC
#JICOFO
sed -i "/java.util.logging.FileHandler.level/s|ALL|OFF|g" $JICOFO_LOG_POP
sed -i "s|^.level=INFO|.level=WARNING|" $JICOFO_LOG_POP
#MEET
sed -i "s|defaultLogLevel:.*|defaultLogLevel: 'error',|" $MEET_LOG_CONF
sed -i "/TraceablePeerConnection.js/s|info|error|" $MEET_LOG_CONF
sed -i "/CallStats.js/s|info|error|" $MEET_LOG_CONF
sed -i "/strophe.util.js/s|log|error|" $MEET_LOG_CONF
#UX - Room settings and interface
cp $MEET_CONF $MEET_CONF_HP
sed -i "s|// disableAudioLevels:.*|disableAudioLevels: true,|" $MEET_CONF_HP
sed -i "s|enableNoAudioDetection:.*|enableNoAudioDetection: false,|" $MEET_CONF_HP
sed -i "s|enableNoisyMicDetection:.*|enableNoisyMicDetection: false,|" $MEET_CONF_HP
sed -i "s|startAudioMuted:.*|startAudioMuted: 5,|" $MEET_CONF_HP
sed -i "s|// startVideoMuted:.*|startVideoMuted: 5,|" $MEET_CONF_HP
sed -i "s|startWithVideoMuted: true,|startWithVideoMuted: false,|" $MEET_CONF_HP
sed -i "s|channelLastN:.*|channelLastN: 10,|" $MEET_CONF_HP
sed -i "s|// enableLayerSuspension:.*|enableLayerSuspension: true,|" $MEET_CONF_HP
sed -i "s|// resolution:.*|resolution: 480,|" $MEET_CONF_HP
sed -i "s|// apiLogLevels:.*|apiLogLevels: \['warn', 'error'],|" $MEET_CONF_HP
sed -i "/w3c spec-compliant/,/disableSimulcast:/s|// constraints: {| constraints: {|" $MEET_CONF_HP
sed -i "/w3c spec-compliant/,/disableSimulcast:/s|// video: {| video: {|" $MEET_CONF_HP
sed -i "/w3c spec-compliant/,/disableSimulcast:/s|// height: {| height: {|" $MEET_CONF_HP
sed -i "/w3c spec-compliant/,/disableSimulcast:/s|// ideal:.*| ideal: 480,|" $MEET_CONF_HP
sed -i "/w3c spec-compliant/,/disableSimulcast:/s|// max:.*| max: 480,|" $MEET_CONF_HP
sed -i "/w3c spec-compliant/,/disableSimulcast:/s|// min:.*| min:240|" $MEET_CONF_HP
sed -i "/w3c spec-compliant/,/disableSimulcast:/s|// }| }|" $MEET_CONF_HP
sed -i "/w3c spec-compliant/,/disableSimulcast:/s|// }| }|" $MEET_CONF_HP
sed -i "/w3c spec-compliant/,/disableSimulcast:/s|// },| },|" $MEET_CONF_HP
cp $INT_CONF_JS $INT_CONF_JS_HP
sed -i "s|CONNECTION_INDICATOR_DISABLED:.*|CONNECTION_INDICATOR_DISABLED: true,|" $INT_CONF_JS_HP
sed -i "s|DISABLE_DOMINANT_SPEAKER_INDICATOR:.*|DISABLE_DOMINANT_SPEAKER_INDICATOR: true,|" $INT_CONF_JS_HP
sed -i "s|DISABLE_FOCUS_INDICATOR:.*|DISABLE_FOCUS_INDICATOR: false,|" $INT_CONF_JS_HP
sed -i "s|DISABLE_JOIN_LEAVE_NOTIFICATIONS:.*|DISABLE_JOIN_LEAVE_NOTIFICATIONS: true,|" $INT_CONF_JS_HP
sed -i "s|DISABLE_VIDEO_BACKGROUND:.*|DISABLE_VIDEO_BACKGROUND: true,|" $INT_CONF_JS_HP
sed -i "s|OPTIMAL_BROWSERS: \[.*|OPTIMAL_BROWSERS: \[ 'chrome', 'chromium', 'electron' \],|" $INT_CONF_JS_HP
sed -i "s|UNSUPPORTED_BROWSERS: .*|UNSUPPORTED_BROWSERS: \[ 'nwjs', 'safari' \],|" $INT_CONF_JS_HP
##Toolbars
sed -i "/^\s*TOOLBAR_BUTTONS*\]$/ s|^|//|; /^\s*TOOLBAR_BUTTONS/, /\],$/ s|^|//|" $INT_CONF_JS_HP
sed -i "/\/\/ TOOLBAR_BUTTONS/i \ \ \ \ TOOLBAR_BUTTONS: \[" $INT_CONF_JS_HP
sed -i "/\/\/ TOOLBAR_BUTTONS/i \ \ \ \ \ \ \ \ 'microphone', 'camera', 'desktop', 'fullscreen'," $INT_CONF_JS_HP
sed -i "/\/\/ TOOLBAR_BUTTONS/i \ \ \ \ \ \ \ \ 'fodeviceselection', 'hangup', 'profile', 'recording'," $INT_CONF_JS_HP
sed -i "/\/\/ TOOLBAR_BUTTONS/i \ \ \ \ \ \ \ \ 'etherpad', 'settings', 'raisehand'," $INT_CONF_JS_HP
sed -i "/\/\/ TOOLBAR_BUTTONS/i \ \ \ \ \ \ \ \ 'videoquality', 'filmstrip', 'feedback'," $INT_CONF_JS_HP
sed -i "/\/\/ TOOLBAR_BUTTONS/i \ \ \ \ \ \ \ \ 'tileview', 'download', 'help', 'mute-everyone', 'security'" $INT_CONF_JS_HP
sed -i "/\/\/ TOOLBAR_BUTTONS/i \ \ \ \ \]," $INT_CONF_JS_HP
sed -i "s|$MEET_CONF|$MEET_CONF_HP|g" $WS_CONF
sed -i "s|$INT_CONF_JS|$INT_CONF_JS_HP|" $WS_CONF
nginx -t
#systemctl restart nginx
echo "Done!, yeah, that quick ;)"
echo "Rebooting in..."
wait_seconds 15
reboot

View File

@ -0,0 +1,152 @@
#!/bin/bash
# Custom Selenium Grid-Node fro Jitsi Meet
# Pandian - https://community.jitsi.org/u/Pandian
# SwITNet Ltd © - 2020, https://switnet.net/
# GPLv3 or later.
#Check if user is root
if ! [ $(id -u) = 0 ]; then
echo "You need to be root or have sudo privileges!"
exit 0
fi
WAN_IP="$(dig +short myip.opendns.com @resolver1.opendns.com)"
AV_SPACE="$(df -h .|grep -v File|awk '{print$4}'|sed -e 's|G||')"
echo -e "\n-- Make sure you have at least 10GB of disk space available.\n"
if [ $(echo "$AV_SPACE > 9" | bc) -ne 0 ]; then
echo "> Seems we have enough disk space."
else
echo "> Please meet the minimum required disk space for this installer, exiting..."
exit
fi
apt-get update
apt-get dist-upgrade -y
apt-get install -y \
gnupg \
bmon \
curl \
wget \
unzip \
maven \
openjdk-8-jdk
# Docker
curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh
## Docker Compose
curl -sL "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
# Jitsi Meet Torture
cd /opt
git clone https://github.com/jitsi/jitsi-meet-torture
cd jitsi-meet-torture/resources
wget -c https://media.xiph.org/video/derf/y4m/FourPeople_1280x720_60.y4m
cp FourPeople_1280x720_60.y4m FourPeople_1280x720_30.y4m
cd ..
#150 "participants" available
## Tested up to 120 with AWS c5.24xlarge
cat << SELENIUM_GRID_DOCKER > selenium.yml
version: "3"
services:
selenium-hub:
image: selenium/hub:3.141.59-20200525
container_name: selenium-hub
ports:
- "4444:4444"
restart: always
chrome:
image: selenium/node-chrome:3.141.59-20200525
volumes:
- /dev/shm:/dev/shm
- ./resources:/usr/share/jitsi-meet-torture/resources
depends_on:
- selenium-hub
environment:
- HUB_HOST=selenium-hub
- HUB_PORT=4444
- NODE_MAX_INSTANCES=30
- NODE_MAX_SESSION=30
restart: always
chrome2:
image: selenium/node-chrome:3.141.59-20200525
volumes:
- /dev/shm:/dev/shm
- ./resources:/usr/share/jitsi-meet-torture/resources
depends_on:
- selenium-hub
environment:
- HUB_HOST=selenium-hub
- HUB_PORT=4444
- NODE_MAX_INSTANCES=30
- NODE_MAX_SESSION=30
restart: always
chrome3:
image: selenium/node-chrome:3.141.59-20200525
volumes:
- /dev/shm:/dev/shm
- ./resources:/usr/share/jitsi-meet-torture/resources
depends_on:
- selenium-hub
environment:
- HUB_HOST=selenium-hub
- HUB_PORT=4444
- NODE_MAX_INSTANCES=30
- NODE_MAX_SESSION=30
restart: always
chrome4:
image: selenium/node-chrome:3.141.59-20200525
volumes:
- /dev/shm:/dev/shm
- ./resources:/usr/share/jitsi-meet-torture/resources
depends_on:
- selenium-hub
environment:
- HUB_HOST=selenium-hub
- HUB_PORT=4444
- NODE_MAX_INSTANCES=30
- NODE_MAX_SESSION=30
restart: always
chrome5:
image: selenium/node-chrome:3.141.59-20200525
volumes:
- /dev/shm:/dev/shm
- ./resources:/usr/share/jitsi-meet-torture/resources
depends_on:
- selenium-hub
environment:
- HUB_HOST=selenium-hub
- HUB_PORT=4444
- NODE_MAX_INSTANCES=30
- NODE_MAX_SESSION=30
restart: always
SELENIUM_GRID_DOCKER
docker-compose -f selenium.yml up -d
echo -e "\n#=================== End of Seleniun Grid build ========================#\n"
echo -e "\nChange the values acording to you test requirements using something like;\n"
echo "cd /opt/jitsi-meet-torture
sudo bash /opt/jitsi-meet-torture/scripts/malleus.sh \\
--conferences=1 \\
--participants=30 \\
--senders=2 \\
--audio-senders=1 \\
--duration=120 \\
--room-name-prefix=hamertesting \\
--hub-url=http://localhost:4444/wd/hub \\
--instance-url=https://YOUR.JITSI-MEET-INSTANCE.DOMAIN
"
echo -e "\n-- If using 'hamertesting' as prefix name you can join the room
hamertesting0, hamertesting1, hamertestingN
according to the 'N' number of conferences you have set to watch the test.
*Beware* for 120 \"participants\" to join video-muted it was necessary at least a c5.24xlarge AWS instance.
So start low, monitor your server resources and go from there."
echo -e "\n-- You can check the grid status at:
http://$WAN_IP:4444/grid/console
"

97
mode/jwt.sh Normal file
View File

@ -0,0 +1,97 @@
#!/bin/bash
# JWT Mode Setup
# SwITNet Ltd © - 2020, https://switnet.net/
# GPLv3 or later.
DOMAIN=$(ls /etc/prosody/conf.d/ | grep -v localhost | awk -F'.cfg' '{print $1}' | awk '!NF || !seen[$0]++')
MEET_CONF="/etc/jitsi/meet/$DOMAIN-config.js"
JICOFO_SIP="/etc/jitsi/jicofo/sip-communicator.properties"
PROSODY_FILE="/etc/prosody/conf.d/$DOMAIN.cfg.lua"
PROSODY_SYS="/etc/prosody/prosody.cfg.lua"
APP_ID="$(tr -dc "a-zA-Z0-9" < /dev/urandom | fold -w 16 | head -n1)"
SECRET_APP="$(tr -dc "a-zA-Z0-9" < /dev/urandom | fold -w 64 | head -n1)"
SRP_STR=$(grep -n "VirtualHost \"$DOMAIN\"" $PROSODY_FILE | head -n1 | cut -d ":" -f1)
SRP_END=$((SRP_STR + 10))
## Required openssl for Focal 20.04
if [ "$(lsb_release -sc)" = "focal" ]; then
echo "deb http://ppa.launchpad.net/rael-gc/rvm/ubuntu focal main" | \
sudo tee /etc/apt/sources.list.d/rvm.list
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys F4E3FBBE
apt-get update
fi
apt-get -y install \
lua5.2 \
liblua5.2 \
luarocks \
libssl1.0-dev \
python3-jwt
luarocks install basexx
luarocks install luacrypto
luarocks install lua-cjson 2.1.0-1
echo "set jitsi-meet-tokens/appid string $APP_ID" | debconf-set-selections
echo "set jitsi-meet-tokens/appsecret password $SECRET_APP" | debconf-set-selections
apt-get install -y jitsi-meet-tokens
#Setting up
sed -i "s|c2s_require_encryption = true|c2s_require_encryption = false|" $PROSODY_SYS
#-
sed -i "$SRP_STR,$SRP_END{s|authentication = \"anonymous\"|authentication = \"token\"|}" $PROSODY_FILE
sed -i "s|--app_id=\"example_app_id\"|app_id=\"$APP_ID\"|" $PROSODY_FILE
sed -i "s|--app_secret=\"example_app_secret\"|app_secret=\"$SECRET_APP\"|" $PROSODY_FILE
sed -i "/app_secret/a \ \ \ \ \ \ \ \ asap_accepted_issuers = { \"$APP_ID\" }" $PROSODY_FILE
sed -i "/app_secret/a \ \ \ \ \ \ \ \ asap_accepted_audiences = { \"$APP_ID\", \"RocketChat\" }" $PROSODY_FILE
#allow_empty_token = false
#Request auth
sed -i "s|#org.jitsi.jicofo.auth.URL=EXT_JWT:|org.jitsi.jicofo.auth.URL=EXT_JWT:|" $JICOFO_SIP
sed -i "s|// anonymousdomain: 'guest.example.com'|anonymousdomain: \'guest.$DOMAIN\'|" $MEET_CONF
#Enable jibri recording
cat << REC-JIBRI >> $PROSODY_FILE
VirtualHost "recorder.$DOMAIN"
modules_enabled = {
"ping";
}
authentication = "internal_plain"
REC-JIBRI
#Setup guests and lobby
cat << P_SR >> $PROSODY_FILE
VirtualHost "guest.$DOMAIN"
authentication = "token"
allow_empty_token = true
c2s_require_encryption = false
muc_lobby_whitelist = { "recorder.$DOMAIN", "auth.$DOMAIN" }
speakerstats_component = "speakerstats.$DOMAIN"
conference_duration_component = "conferenceduration.$DOMAIN"
app_id="$APP_ID";
app_secret="$SECRET_APP";
modules_enabled = {
"speakerstats";
"conference_duration";
}
P_SR
echo -e "\nUse the following for your App (e.g. Rocket.Chat):\n"
echo -e "\n$APP_ID" && \
echo -e "$SECRET_APP\n"
echo -e "You can test JWT authentication with the following token:\n"
pyjwt3 --key="$SECRET_APP" \
encode \
group="Rocket.Chat" \
aud="$APP_ID" \
iss="$APP_ID" \
sub="$DOMAIN" \
room="*" \
algorithm="HS256"
read -n 1 -s -r -p $'\n'"Press any key to continue..."$'\n'

View File

@ -25,6 +25,7 @@ APACHE_2=$(dpkg-query -W -f='${Status}' apache2 2>/dev/null | grep -c "ok instal
NGINX=$(dpkg-query -W -f='${Status}' nginx 2>/dev/null | grep -c "ok installed")
DIST=$(lsb_release -sc)
GOOGL_REPO="/etc/apt/sources.list.d/dl_google_com_linux_chrome_deb.list"
GOOGLE_ACTIVE_REPO=$(apt-cache policy | grep http | grep chrome| awk '{print $3}' | head -n 1 | cut -d "/" -f2)
PROSODY_REPO=$(apt-cache policy | grep http | grep prosody| awk '{print $3}' | head -n 1 | cut -d "/" -f2)
CR=`echo $'\n> '`
@ -274,6 +275,7 @@ if [ "$HWE_VIR_MOD" == "1" ]; then
linux-modules-extra-virtual-hwe-$(lsb_release -sr)
else
apt-get -y install \
linux-image-generic \
linux-modules-extra-$(uname -r)
fi
@ -304,7 +306,7 @@ echo "
if [ "$(dpkg-query -W -f='${Status}' nodejs 2>/dev/null | grep -c "ok")" == "1" ]; then
echo "Nodejs is installed, skipping..."
else
curl -sL https://deb.nodesource.com/setup_10.x | sudo -E bash -
curl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash -
apt-get install -yq2 nodejs
echo "Installing nodejs esprima package..."
npm install -g esprima
@ -321,7 +323,7 @@ CHD_VER=$(curl -sL https://chromedriver.storage.googleapis.com/LATEST_RELEASE)
GCMP_JSON="/etc/opt/chrome/policies/managed/managed_policies.json"
echo "# Installing Google Chrome / ChromeDriver"
if [ -f $GOOGL_REPO ]; then
if [ "$GOOGLE_ACTIVE_REPO" = "main" ]; then
echo "Google repository already set."
else
echo "Installing Google Chrome Stable"
@ -362,16 +364,18 @@ echo '
'
# MEET / JIBRI SETUP
DOMAIN=$(ls /etc/prosody/conf.d/ | grep -v localhost | awk -F'.cfg' '{print $1}' | awk '!NF || !seen[$0]++')
WS_CONF=/etc/nginx/sites-enabled/$DOMAIN.conf
WS_CONF="/etc/nginx/sites-enabled/$DOMAIN.conf"
JB_AUTH_PASS="$(tr -dc "a-zA-Z0-9#*=" < /dev/urandom | fold -w 10 | head -n1)"
JB_REC_PASS="$(tr -dc "a-zA-Z0-9#*=" < /dev/urandom | fold -w 10 | head -n1)"
PROSODY_FILE=/etc/prosody/conf.d/$DOMAIN.cfg.lua
PROSODY_SYS=/etc/prosody/prosody.cfg.lua
JICOFO_SIP=/etc/jitsi/jicofo/sip-communicator.properties
MEET_CONF=/etc/jitsi/meet/$DOMAIN-config.js
JIBRI_CONF=/etc/jitsi/jibri/jibri.conf
PROSODY_FILE="/etc/prosody/conf.d/$DOMAIN.cfg.lua"
PROSODY_SYS="/etc/prosody/prosody.cfg.lua"
JICOFO_SIP="/etc/jitsi/jicofo/sip-communicator.properties"
MEET_CONF="/etc/jitsi/meet/$DOMAIN-config.js"
JIBRI_CONF="/etc/jitsi/jibri/jibri.conf"
JVB2_CONF="/etc/jitsi/videobridge/config"
JVB2_SIP="/etc/jitsi/videobridge/sip-communicator.properties"
DIR_RECORD=/var/jbrecord
REC_DIR=/home/jibri/finalize_recording.sh
REC_DIR="/home/jibri/finalize_recording.sh"
JB_NAME="Jibri Sessions"
LE_RENEW_LOG="/var/log/letsencrypt/renew.log"
MOD_LISTU="https://prosody.im/files/mod_listusers.lua"
@ -385,8 +389,8 @@ MJS_USER="jbsync_$MJS_RAND_TAIL"
MJS_USER_PASS="$(tr -dc "a-zA-Z0-9#_*=" < /dev/urandom | fold -w 32 | head -n1)"
# Rename hostname for jitsi server
#hostnamectl set-hostname "jibri.${DOMAIN}"
#sed -i "1i ${PUBLIC_IP} jibri.${DOMAIN}" /etc/hosts
#hostnamectl set-hostname "jitsi.${DOMAIN}"
#sed -i "1i ${PUBLIC_IP} jitsi.${DOMAIN}" /etc/hosts
#Sysadmin email
while [[ -z $SYSADMIN_EMAIL ]]
@ -403,6 +407,16 @@ https://github.com/jitsi/jitsi-meet/blob/master/lang/languages.json
Jitsi Meet web interface will be set to use such language.
"
read -p "Please set your language (Press enter to default to 'en'):"$'\n' -r JB_LANG
echo -e "\nWe'll take a minute to localize some UI excerpts if you need.\n"
#Participant
echo -e "> Do you want to translate 'Participant' to your own language?" && \
read -p "Leave empty to use the default one (English): "$'\n' L10N_PARTICIPANT
#Me
echo -e "\n> Do you want to translate 'me' to your own language?
This must be a really small word to present one self.
Some suggestions might be: yo (Spanish) | je (French) | ich (German)\n" && \
read -p "Leave empty to use the default one (English): "$'\n' L10N_ME
#Drop unsecure TLS
while [[ "$DROP_TLS1" != "yes" && "$DROP_TLS1" != "no" ]]
do
@ -447,15 +461,6 @@ elif [ "$ENABLE_BLESSM" = "yes" ]; then
echo "Brandless mode will be set."
fi
done
echo -e "\nWe'll take a minute to localize some UI excerpts if you need.\n"
#Participant
echo -e "> Do you want to translate 'Participant' to your own language?" && \
read -p "Leave empty to use the default one (English): "$'\n' L10N_PARTICIPANT
#Me
echo -e "\n> Do you want to translate 'me' to your own language?
This must be a really small word to present one self.
Some suggestions might be: yo (Spanish) | je (French) | ich (German)\n" && \
read -p "Leave empty to use the default one (English): "$'\n' L10N_ME
#Welcome Page
while [[ "$ENABLE_WELCP" != "yes" && "$ENABLE_WELCP" != "no" ]]
do
@ -486,18 +491,45 @@ done
# echo "Local audio recording option will be enabled"
#fi
#done
#Secure room initial user
while [[ "$ENABLE_SC" != "yes" && "$ENABLE_SC" != "no" ]]
#while [[ "$ENABLE_SC" != "yes" && "$ENABLE_SC" != "no" ]]
#do
#read -p "> Do you want to enable secure rooms?: (yes or no)"$'\n' -r ENABLE_SC
#if [ "$ENABLE_SC" = "no" ]; then
# echo "-- Secure rooms won't be enabled."
#elif [ "$ENABLE_SC" = "yes" ]; then
# echo "-- Secure rooms will be enabled."
# read -p "Set username for secure room moderator: "$'\n' -r SEC_ROOM_USER
# read -p "Secure room moderator password: "$'\n' -r SEC_ROOM_PASS
#fi
#done
echo "
> Jitsi Meet Auth Method selection.
"
PS3='Select the authentication method for your Jitsi Meet instance: '
options=("Local" "JWT" "None")
select opt in "${options[@]}"
do
read -p "> Do you want to enable secure rooms?: (yes or no)"$'\n' -r ENABLE_SC
if [ "$ENABLE_SC" = "no" ]; then
echo "-- Secure rooms won't be enabled."
elif [ "$ENABLE_SC" = "yes" ]; then
echo "-- Secure rooms will be enabled."
read -p "Set username for secure room moderator: "$'\n' -r SEC_ROOM_USER
read -p "Secure room moderator password: "$'\n' -r SEC_ROOM_PASS
fi
case $opt in
"Local")
echo -e "\n > Users are created manually using prosodyctl, only moderators can open a room or launch recording.\n"
ENABLE_SC="yes"
break
;;
"JWT")
echo -e "\n > A external app manage the token usage/creation, like RocketChat does.\n"
ENABLE_JWT="yes"
break
;;
"None")
echo -e "\n > Everyone can access the room as moderators as there is no auth mechanism.\n"
break
;;
*) echo "Invalid option $REPLY, choose 1, 2 or 3";;
esac
done
#Jibri Records Access (JRA) via Nextcloud
while [[ "$ENABLE_NC_ACCESS" != "yes" && "$ENABLE_NC_ACCESS" != "no" ]]
do
@ -512,7 +544,8 @@ done
#Jigasi
if [ "$(curl -s -o /dev/null -w "%{http_code}" $GC_SDK_REL_FILE )" == "404" ]; then
echo "> Sorry Google SDK doesn't have support yet for $(lsb_release -sd),
thus, Jigasi Transcript can't be enable."
thus, Jigasi Transcript can't be enable.
"
elif [ "$(curl -s -o /dev/null -w "%{http_code}" $GC_SDK_REL_FILE )" == "200" ]; then
while [[ "$ENABLE_TRANSCRIPT" != "yes" && "$ENABLE_TRANSCRIPT" != "no" ]]
do
@ -621,21 +654,22 @@ restart_services() {
check_jibri
}
# Configure Jvb2
sed -i "/shard.HOSTNAME/s|localhost|$DOMAIN|" /etc/jitsi/videobridge/sip-communicator.properties
# Configure Jibri
## PROSODY
if dpkg-compare prosody lt 0.11.0 ; then
cat << MUC-JIBRI >> $PROSODY_FILE
if [ "$ENABLE_SC" = "yes" ]; then
if [ ! -f $MOD_LIST_FILE ]; then
echo -e "\n-> Adding external module to list prosody users...\n"
curl -s $MOD_LISTU > $MOD_LIST_FILE
-- internal muc component, meant to enable pools of jibri and jigasi clients
Component "internal.auth.$DOMAIN" "muc"
modules_enabled = {
"ping";
}
storage = "null"
muc_room_cache_size = 1000
echo -e "Now you can check registered users with:\nprosodyctl mod_listusers\n"
else
echo -e "Prosody support for listing users seems to be enabled. \ncheck with: prosodyctl mod_listusers\n"
fi
MUC-JIBRI
fi
#Enable jibri recording
cat << REC-JIBRI >> $PROSODY_FILE
VirtualHost "recorder.$DOMAIN"
@ -645,16 +679,15 @@ VirtualHost "recorder.$DOMAIN"
authentication = "internal_plain"
REC-JIBRI
#Enable Jibri withelist
sed -i "s| -- muc_lobby_whitelist| muc_lobby_whitelist|" $PROSODY_FILE
#Fix Jibri conectivity issues
#if dpkg-compare prosody lt 0.11.0 ; then
sed -i "s|c2s_require_encryption = .*|c2s_require_encryption = false|" $PROSODY_SYS
sed -i "/c2s_require_encryption = false/a \\
\\
consider_bosh_secure = true" $PROSODY_SYS
#fi
if [ ! -z $L10N_PARTICIPANT ]; then
sed -i "s|PART_USER=.*|PART_USER=\"$L10N_PARTICIPANT\"|" jm-bm.sh
@ -662,15 +695,7 @@ fi
if [ ! -z $L10N_ME ]; then
sed -i "s|LOCAL_USER=.*|LOCAL_USER=\"$L10N_ME\"|" jm-bm.sh
fi
if [ ! -f $MOD_LIST_FILE ]; then
echo -e "\n-> Adding external module to list prosody users...\n"
curl -s $MOD_LISTU > $MOD_LIST_FILE
echo -e "Now you can check registered users with:\nprosodyctl mod_listusers\n"
else
echo -e "Prosody support for listing users seems to be enabled.
check with: prosodyctl mod_listusers\n"
fi
### Prosody users
prosodyctl register jibri auth.$DOMAIN $JB_AUTH_PASS
@ -680,13 +705,13 @@ prosodyctl register recorder recorder.$DOMAIN $JB_REC_PASS
# /etc/jitsi/jicofo/sip-communicator.properties
cat << BREWERY >> $JICOFO_SIP
#org.jitsi.jicofo.auth.URL=XMPP:$DOMAIN
#org.jitsi.jicofo.auth.URL=EXT_JWT:$DOMAIN
org.jitsi.jicofo.jibri.BREWERY=$JibriBrewery@internal.auth.$DOMAIN
org.jitsi.jicofo.jibri.PENDING_TIMEOUT=90
#org.jitsi.jicofo.auth.DISABLE_AUTOLOGIN=true
BREWERY
# Jibri tweaks for /etc/jitsi/meet/$DOMAIN-config.js
sed -i "s|// anonymousdomain: 'guest.example.com'|anonymousdomain: \'guest.$DOMAIN\'|" $MEET_CONF
sed -i "s|conference.$DOMAIN|internal.auth.$DOMAIN|" $MEET_CONF
sed -i "s|// fileRecordingsEnabled: false,|fileRecordingsEnabled: true,| " $MEET_CONF
sed -i "s|// liveStreamingEnabled: false,|liveStreamingEnabled: true,\\
@ -694,13 +719,13 @@ sed -i "s|// liveStreamingEnabled: false,|liveStreamingEnabled: true,\\
hiddenDomain: \'recorder.$DOMAIN\',|" $MEET_CONF
#Dropbox feature
if [ "$ENABLE_DB" = "yes" ]; then
DB_STR=$(grep -n "dropbox:" $MEET_CONF | cut -d ":" -f1)
DB_END=$((DB_STR + 10))
sed -i "$DB_STR,$DB_END{s|// dropbox: {|dropbox: {|}" $MEET_CONF
sed -i "$DB_STR,$DB_END{s|// appKey: '<APP_KEY>'|appKey: \'$DB_CID\'|}" $MEET_CONF
sed -i "$DB_STR,$DB_END{s|// },|},|}" $MEET_CONF
fi
#if [ "$ENABLE_DB" = "yes" ]; then
#DB_STR=$(grep -n "dropbox:" $MEET_CONF | cut -d ":" -f1)
#DB_END=$((DB_STR + 10))
#sed -i "$DB_STR,$DB_END{s|// dropbox: {|dropbox: {|}" $MEET_CONF
#sed -i "$DB_STR,$DB_END{s|// appKey: '<APP_KEY>'|appKey: \'$DB_CID\'|}" $MEET_CONF
#sed -i "$DB_STR,$DB_END{s|// },|},|}" $MEET_CONF
#fi
#LocalRecording
if [ "$ENABLE_LAR" = "yes" ]; then
@ -842,7 +867,6 @@ sudo su $MJS_USER -c "ssh-keygen -t rsa -f ~/.ssh/id_rsa -b 4096 -o -a 100 -q -N
sed -i "s|PasswordAuthentication .*|PasswordAuthentication yes|" /etc/ssh/sshd_config
systemctl restart sshd
#Setting varibales for add-jibri-node.sh
sed -i "s|MAIN_SRV_DIST=.*|MAIN_SRV_DIST=\"$DIST\"|" add-jibri-node.sh
sed -i "s|MAIN_SRV_REPO=.*|MAIN_SRV_REPO=\"$JITSI_REPO\"|" add-jibri-node.sh
@ -856,6 +880,51 @@ sed -i "s|MJS_USER_PASS=.*|MJS_USER_PASS=\"$MJS_USER_PASS\"|" add-jibri-node.sh
sed -i "$(var_dlim 0_LAST),$(var_dlim 1_LAST){s|LETS: .*|LETS: $(date -R)|}" add-jibri-node.sh
echo "Last file edition at: $(grep "LETS:" add-jibri-node.sh|head -n1|awk -F'LETS:' '{print$2}')"
#-- Setting variables for add-jvb2-node.sh
g_conf_value() {
grep "$1" $JVB2_CONF|sed "s|$1||"
}
JVB_HOSTNAME=$(g_conf_value JVB_HOSTNAME=)
JVB_HOST=$(g_conf_value JVB_HOST=)
JVB_PORT=$(g_conf_value JVB_PORT=)
JVB_SECRET=$(g_conf_value JVB_SECRET=)
JVB_OPTS=$(g_conf_value JVB_OPTS=)
JAVA_SYS_PROPS=$(g_conf_value JAVA_SYS_PROPS=)
g_sip_value() {
grep "$1" $JVB2_SIP |cut -d "=" -f2
}
DISABLE_AWS_HARVESTER=$(g_sip_value DISABLE_AWS_HARVESTER=)
STUN_MAPPING_HARVESTER_ADDRESSES=$(g_sip_value STUN_MAPPING_HARVESTER_ADDRESSES=)
ENABLE_STATISTICS=$(g_sip_value ENABLE_STATISTICS=)
SHARD_HOSTNAME=$(g_sip_value shard.HOSTNAME=)
SHARD_DOMAIN=$(g_sip_value shard.DOMAIN=)
SHARD_PASSWORD=$(g_sip_value shard.PASSWORD=)
MUC_JID=$(g_sip_value MUC_JIDS=)
##-- Replacing on add-jvb2-node.sh
sed -i "s|JVB_HOSTNAME=.*|JVB_HOSTNAME=$JVB_HOSTNAME|" add-jvb2-node.sh
sed -i "s|JVB_HOST=.*|JVB_HOST=$JVB_HOST|" add-jvb2-node.sh
sed -i "s|JVB_PORT=.*|JVB_PORT=$JVB_PORT|" add-jvb2-node.sh
sed -i "s|JVB_SECRET=.*|JVB_SECRET=$JVB_SECRET|" add-jvb2-node.sh
sed -i "s|JVB_OPTS=.*|JVB_OPTS=$JVB_OPTS|" add-jvb2-node.sh
sed -i "s|SYS_PROPS=.*|SYS_PROPS=$JAVA_SYS_PROPS|" add-jvb2-node.sh
#-
sed -i "s|AWS_HARVEST=.*|AWS_HARVEST=$DISABLE_AWS_HARVESTER|" add-jvb2-node.sh
sed -i "s|STUN_MAPPING=.*|STUN_MAPPING=$STUN_MAPPING_HARVESTER_ADDRESSES|" add-jvb2-node.sh
sed -i "s|ENABLE_STATISTICS=.*|ENABLE_STATISTICS=$ENABLE_STATISTICS|" add-jvb2-node.sh
sed -i "s|SHARD_HOSTNAME=.*|SHARD_HOSTNAME=$SHARD_HOSTNAME|" add-jvb2-node.sh
sed -i "s|SHARD_DOMAIN=.*|SHARD_DOMAIN=$SHARD_DOMAIN|" add-jvb2-node.sh
sed -i "s|SHARD_PASS=.*|SHARD_PASS=$SHARD_PASSWORD|" add-jvb2-node.sh
sed -i "s|MUC_JID=.*|MUC_JID=$MUC_JID|" add-jvb2-node.sh
sed -i "s|MAIN_SRV_DIST=.*|MAIN_SRV_DIST=\"$DIST\"|" add-jvb2-node.sh
sed -i "s|MAIN_SRV_REPO=.*|MAIN_SRV_REPO=\"$JITSI_REPO\"|" add-jvb2-node.sh
sed -i "s|MAIN_SRV_DOMAIN=.*|MAIN_SRV_DOMAIN=\"$DOMAIN\"|" add-jvb2-node.sh
sed -i "s|MJS_USER=.*|MJS_USER=\"$MJS_USER\"|" add-jvb2-node.sh
sed -i "s|MJS_USER_PASS=.*|MJS_USER_PASS=\"$MJS_USER_PASS\"|" add-jvb2-node.sh
##--
#Tune webserver for Jitsi App control
if [ -f $WS_CONF ]; then
sed -i "/Anything that didn't match above/i \\\n" $WS_CONF
@ -900,12 +969,34 @@ sed -i "s|'videobackgroundblur', ||" $INT_CONF
#================== Setup prosody conf file =================
#Setup secure rooms
###Setup secure rooms
if [ "$ENABLE_SC" = "yes" ]; then
SRP_STR=$(grep -n "VirtualHost \"$DOMAIN\"" $PROSODY_FILE | head -n1 | cut -d ":" -f1)
SRP_END=$((SRP_STR + 10))
sed -i "$SRP_STR,$SRP_END{s|authentication = \"anonymous\"|authentication = \"internal_plain\"|}" $PROSODY_FILE
sed -i "s|// anonymousdomain: 'guest.example.com'|anonymousdomain: \'guest.$DOMAIN\'|" $MEET_CONF
if dpkg-compare prosody gt 0.11.0 ; then
#Secure room initial user
read -p "Set username for secure room moderator: "$'\n' -r SEC_ROOM_USER
read -p "Secure room moderator password: "$'\n' -r SEC_ROOM_PASS
prosodyctl register $SEC_ROOM_USER $DOMAIN $SEC_ROOM_PASS
echo -e "\nSecure rooms are being enabled..."
echo "You'll be able to login Secure Room chat with '${SEC_ROOM_USER}' \
or '${SEC_ROOM_USER}@${DOMAIN}' using the password you just entered.
If you have issues with the password refer to your sysadmin."
sed -i "s|#org.jitsi.jicofo.auth.URL=XMPP:|org.jitsi.jicofo.auth.URL=XMPP:|" $JICOFO_SIP
sed -i "s|SEC_ROOM=.*|SEC_ROOM=\"on\"|" jm-bm.sh
fi
###JWT
if [ "$ENABLE_JWT" = "yes" ]; then
echo -e "\nJWT auth is being setup..."
bash $PWD/mode/jwt.sh
fi
#Guest allow
if [ "$ENABLE_SC" = "yes" ];then
cat << P_SR >> $PROSODY_FILE
VirtualHost "guest.$DOMAIN"
@ -924,26 +1015,9 @@ VirtualHost "guest.$DOMAIN"
}
P_SR
else
cat << P_SR >> $PROSODY_FILE
VirtualHost "guest.$DOMAIN"
authentication = "anonymous"
c2s_require_encryption = false
P_SR
fi
#======================
#Secure room initial user
if [ "$ENABLE_SC" = "yes" ]; then
echo -e "\nSecure rooms are being enabled..."
echo "You'll be able to login Secure Room chat with '${SEC_ROOM_USER}' \
or '${SEC_ROOM_USER}@${DOMAIN}' using the password you just entered.
If you have issues with the password refer to your sysadmin."
sed -i "s|#org.jitsi.jicofo.auth.URL=XMPP:|org.jitsi.jicofo.auth.URL=XMPP:|" $JICOFO_SIP
prosodyctl register $SEC_ROOM_USER $DOMAIN $SEC_ROOM_PASS
sed -i "s|SEC_ROOM=.*|SEC_ROOM=\"on\"|" jm-bm.sh
fi
#Start with video muted by default
sed -i "s|// startWithVideoMuted: false,|startWithVideoMuted: true,|" $MEET_CONF
@ -969,11 +1043,13 @@ if [ "$DISABLE_LOCAL_JIBRI" = "yes" ]; then
systemctl disable jibri
systemctl disable jibri-xorg
systemctl disable jibri-icewm
#Manually apply permissions since finalize_recording.sh won't be triggered on this server.
sudo -u jibri bash /home/jibri/finalize_recording.sh
fi
enable_letsencrypt
if dpkg-compare prosody gt 0.11.0 && [ "$ENABLE_SC" = "yes" ]; then
if [ "$ENABLE_SC" = "yes" ];then
echo "Waiting prosody restart to continue configuration, 15s..."
wait_seconds 15
#Move mucs when using secure rooms - https://community.jitsi.org/t/27752/112

45
tools/fail2ban_ssh.sh Normal file
View File

@ -0,0 +1,45 @@
#!/bin/bash
# Simple Fail2ban configuration
# 2020 - SwITNet Ltd
# GNU GPLv3 or later.
while getopts m: option
do
case "${option}"
in
m) MODE=${OPTARG};;
\?) echo "Usage: sudo ./fail2ban_ssh.sh [-m debug]" && exit;;
esac
done
#DEBUG
if [ "$MODE" = "debug" ]; then
set -x
fi
#Check if user is root
if ! [ $(id -u) = 0 ]; then
echo "You need to be root or have sudo privileges!"
exit 0
fi
apt-get -y install fail2ban
if \
[ -f /var/log/ssh_f2b.log ] && \
[ $(grep -c 604800 /etc/fail2ban/jail.local) = "1" ] && \
[ $(grep -c ssh_f2b.log /etc/fail2ban/jail.local) = "1"]; then
echo -e "\nFail2ban seems to be already configured.\n"
else
echo -e "\nConfiguring Fail2ban...\n"
cat << F2BAN >> /etc/fail2ban/jail.local
[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/ssh_f2b.log
maxretry = 3
bantime = 604800
F2BAN
fi
systemctl restart fail2ban

View File

@ -200,3 +200,8 @@ read -n 1 -s -r -p "Press any key to continue..."$'\n'
restart_services_jibri
systemctl status jibri
if [ -f /var/log/jitsi/jicofo.log ]; then
echo -e "Checking for jicofo recognizing \"Live\" jibri node..."
tail -n 10 | grep Live
fi