#!/bin/bash # JWT Mode Setup # SwITNet Ltd © - 2025, https://switnet.net/ # GPLv3 or later. while getopts m: option do case "${option}" in m) MODE=${OPTARG};; \?) echo "Usage: sudo bash ./$0 [-m debug]" && exit;; esac done #DEBUG if [ "$MODE" = "debug" ]; then set -x fi DOMAIN="$(find /etc/prosody/conf.d/ -name \*.lua|awk -F'.cfg' '!/localhost/{print $1}'|xargs basename)" MEET_CONF="/etc/jitsi/meet/$DOMAIN-config.js" JICOFO_SIP="/etc/jitsi/jicofo/sip-communicator.properties" PROSODY_FILE="/etc/prosody/conf.d/$DOMAIN.cfg.lua" PROSODY_SYS="/etc/prosody/prosody.cfg.lua" APP_ID="$(tr -dc "a-zA-Z0-9" < /dev/urandom | fold -w 16 | head -n1)" SECRET_APP="$(tr -dc "a-zA-Z0-9" < /dev/urandom | fold -w 64 | head -n1)" SRP_STR="$(grep -n "VirtualHost \"$DOMAIN\"" "$PROSODY_FILE" | head -n1 | cut -d ":" -f1)" SRP_END="$((SRP_STR + 10))" # Prosody 0.12 only if command -v prosodyctl >/dev/null 2>&1; then PROSODY_VER="$(prosodyctl about 2>/dev/null | sed -n 's/^Prosody //p' | awk '{print $1}')" case "$PROSODY_VER" in 0.12.*) : ;; *) echo "Prosody $PROSODY_VER NO supported for JWT mode (required 0.12.x)" exit 1 ;; esac fi # Install dependencies apt-get -y install python3-jwt echo "set jitsi-meet-tokens/appid string $APP_ID" | debconf-set-selections echo "set jitsi-meet-tokens/appsecret password $SECRET_APP" | debconf-set-selections apt-get install -y jitsi-meet-tokens # Setting up sed -i "s|c2s_require_encryption = true|c2s_require_encryption = false|" "$PROSODY_SYS" #- sed -i "$SRP_STR,$SRP_END{s|authentication = \"jitsi-anonymous\"|authentication = \"token\"|}" "$PROSODY_FILE" sed -i "s|--app_id=\"example_app_id\"|app_id=\"$APP_ID\"|" "$PROSODY_FILE" sed -i "s|--app_secret=\"example_app_secret\"|app_secret=\"$SECRET_APP\"|" "$PROSODY_FILE" sed -i "/app_secret/a \\\\" "$PROSODY_FILE" sed -i "/app_secret/a \ \ \ \ allow_empty_token = false" "$PROSODY_FILE" sed -i "/app_secret/a \\\\" "$PROSODY_FILE" sed -i "/app_secret/a \ \ \ \ asap_accepted_issuers = { \"$APP_ID\" }" "$PROSODY_FILE" sed -i "/app_secret/a \ \ \ \ asap_accepted_audiences = { \"$APP_ID\", \"RocketChat\" }" "$PROSODY_FILE" sed -i "/app_secret/a \\\\" "$PROSODY_FILE" sed -i "s|--allow_empty_token =.*|allow_empty_token = false|" "$PROSODY_FILE" sed -i 's|--"token_verification"|"token_verification"|' "$PROSODY_FILE" # Request auth ## JWT via Prosody: don't touch Jicofo #sed -i "s|#org.jitsi.jicofo.auth.URL=EXT_JWT:|org.jitsi.jicofo.auth.URL=EXT_JWT:|" "$JICOFO_SIP" sed -i "s|// anonymousdomain: 'guest.example.com'|anonymousdomain: \'guest.$DOMAIN\'|" "$MEET_CONF" # Enable jibri recording cat << REC-JIBRI >> "$PROSODY_FILE" VirtualHost "recorder.$DOMAIN" modules_enabled = { "ping"; } authentication = "internal_hashed" REC-JIBRI # Setup guests and lobby cat << P_SR >> "$PROSODY_FILE" VirtualHost "guest.$DOMAIN" authentication = "jitsi-anonymous" c2s_require_encryption = false speakerstats_component = "speakerstats.$DOMAIN" modules_enabled = { "speakerstats"; -- "conference_duration"; } P_SR echo -e "\nUse the following for your App (e.g. Rocket.Chat):\n" echo -e "\nAPP_ID: $APP_ID" && \ echo -e "SECRET_APP: $SECRET_APP\n" echo -e "You can test JWT authentication with the following token for the next hour:\n" pyjwt3 --key="$SECRET_APP" \ encode \ --alg HS256 \ group="Rocket.Chat" \ aud="$APP_ID" \ iss="$APP_ID" \ sub="$DOMAIN" \ room="*" \ exp="$(($(date +%s)+3600))" read -n 1 -s -r -p $'\n'"Press any key to continue..."$'\n'