Understanding the environment variables #1090
Description
I'm currently trying to move an existing bare jitsi installation to the docker version and I'm running into some issues. I'm not sure if some of these things are not implemented (yet) or if I am just overlooking them somewhere in the docs.
My goal is a jitsi instance which can be used for workadventure and only for that. The authentication should work via JWTs.
I'm now at a point where I think I've been able to recreate most config files in some way or another through the use of the .env file. However, I'm struggling with getting the prosody configuration right.
Specifically, I can't seem to get/change the following things:
- add the
turncredentialsat the beginning of the old file - an app-id and app-secret for the JWT authentication for the guest domain as well as the
c2c-require-encryption - add a
component_secretto thefocuscomponent - add the
muc_domain_mapperto themuccomponent - add
"presence_identiy"to the list of enabled modules for themeet.jitsiVirtual Host - remove the
recorderblock (optional)
For more details, please take a look at the two configs below.
Thanks already in advance for any tips and help.
EDIT: Added .env file.
Here's what I have on the old system's <my-domain>.cfg.lua:
unlimited_jids = { "focus@auth.<my-domain>", "jvb@auth.<my-domain>" }
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
muc_mapper_domain_base = "<my-domain>";
-- --how would I add these following lines?--
turncredentials_secret = "<turn-secret>";
turncredentials = {
{ type = "stun", host = "<my-domain>", port = "3478" },
{ type = "turn", host = "<my-domain>", port = "3478", transport = "udp" },
{ type = "turns", host = "<my-domain>", port = "5349", transport = "tcp" }
};
-- ----
cross_domain_bosh = false;
consider_bosh_secure = true;
https_ports = { };
ssl = {
protocol = "tlsv1_2+";
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}
VirtualHost "<my-domain>"
authentication = "token"
app_id="<app-id>"
app_secret="<app-secret>"
ssl = {
key = "/etc/prosody/certs/<my-domain>.key";
certificate = "/etc/prosody/certs/<my-domain>.crt";
}
speakerstats_component = "speakerstats.<my-domain>"
conference_duration_component = "conferenceduration.<my-domain>"
modules_enabled = {
"bosh";
"pubsub";
"ping";
"speakerstats";
"turncredentials";
"conference_duration";
"muc_lobby_rooms";
"presence_identity";
}
c2s_require_encryption = true
lobby_muc = "lobby.<my-domain>"
main_muc = "conference.<my-domain>"
Component "conference<my-domain>" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_meeting_id";
"muc_domain_mapper";
"token_verification";
}
admins = { "focus@auth.<my-domain>" }
muc_room_locking = false
muc_room_default_public_jids = true
Component "internal.auth.<my-domain>" "muc"
storage = "memory"
modules_enabled = {
"ping";
}
admins = { "focus@auth.<my-domain>", "jvb@auth.<my-domain>" }
muc_room_locking = false
muc_room_default_public_jids = true
VirtualHost "auth.<my-domain>"
modules_enabled = { "limits_exception"; }
ssl = {
key = "/etc/prosody/certs/auth.<my-domain>.key";
certificate = "/etc/prosody/certs/auth.<my-domain>.crt";
}
authentication = "internal_plain"
VirtualHost "guest.<my-domain>"
authentication = "token";
app_id = "<app-id>";
app_secret = "<app-secret>";
c2s_require_encryption = true;
allow_empty_token = true;
Component "focus.<my-domain>" "client_proxy"
target_address = "focus@auth.<my-domain>"
component_secret = "<component-secret>"
Component "speakerstats.<my-domain>" "speakerstats_component"
muc_component = "conference.<my-domain>"
Component "conferenceduration.<my-domain>" "conference_duration_component"
muc_component = "conference.<my-domain>"
Component "lobby.<my-domain>" "muc"
storage = "memory"
restrict_room_creation = true
muc_room_locking = false
muc_room_default_public_jids = trueAnd here's how much I've been able to recreate through the .env file:
admins = {
"[email protected]",
"[email protected]"
}
unlimited_jids = {
"[email protected]",
"[email protected]"
}
plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom" }
http_default_host = "meet.jitsi"
consider_bosh_secure = true;
cross_domain_websocket = { "https://<my-domain>","https://meet.jitsi" }
cross_domain_bosh = { "https://<my-domain>","https://meet.jitsi" }
VirtualHost "meet.jitsi"
authentication = "token"
app_id = "<app-id>"
app_secret = "<app-secret>"
allow_empty_token = false
ssl = {
key = "/config/certs/meet.jitsi.key";
certificate = "/config/certs/meet.jitsi.crt";
}
modules_enabled = {
"bosh";
"websocket";
"smacks";
"pubsub";
"ping"
"speakerstats";
"conference_duration";
"muc_lobby_rooms";
-- --missing "presence_identiy" here (not sure if necessary)--
}
main_muc = "muc.meet.jitsi"
lobby_muc = "lobby.meet.jitsi"
muc_lobby_whitelist = { "recorder.meet.jitsi" }
speakerstats_component = "speakerstats.meet.jitsi"
conference_duration_component = "conferenceduration.meet.jitsi"
c2s_require_encryption = false
VirtualHost "guest.meet.jitsi"
authentication = "token"
app_id = "" -- --app id missing here--
app_secret = "" -- --app secret missing here--
allow_empty_token = true
c2s_require_encryption = false -- --should be true--
VirtualHost "auth.meet.jitsi"
ssl = {
key = "/config/certs/auth.meet.jitsi.key";
certificate = "/config/certs/auth.meet.jitsi.crt";
}
modules_enabled = {
"limits_exception";
}
authentication = "internal_hashed"
-- --not disabled despite setting the corresponding flag to 0 but shouldn't be such a big issue--
VirtualHost "recorder.meet.jitsi"
modules_enabled = {
"ping";
}
authentication = "internal_hashed"
Component "internal-muc.meet.jitsi" "muc"
storage = "memory"
modules_enabled = {
"ping";
}
restrict_room_creation = true
muc_room_locking = false
muc_room_default_public_jids = true
Component "muc.meet.jitsi" "muc"
storage = "memory"
modules_enabled = {
"muc_meeting_id";
"token_verification";
-- --no muc_domain_mapper here. not sure if necessary with this setup--
}
muc_room_cache_size = 1000
muc_room_locking = false
muc_room_default_public_jids = true
Component "focus.meet.jitsi" "client_proxy"
target_address = "[email protected]"
-- --no component_secret here--
Component "speakerstats.meet.jitsi" "speakerstats_component"
muc_component = "muc.meet.jitsi"
Component "conferenceduration.meet.jitsi" "conference_duration_component"
muc_component = "muc.meet.jitsi"
Component "lobby.meet.jitsi" "muc"
storage = "memory"
restrict_room_creation = true
muc_room_locking = false
muc_room_default_public_jids = trueHere's the .env file I used:
# shellcheck disable=SC2034
# Security
# [...]
#
# Basic configuration options
#
# Directory where all configuration will be stored
CONFIG=/opt/jitsi-meet-cfg
# Exposed HTTP port
HTTP_PORT=8000
# Exposed HTTPS port
HTTPS_PORT=8443
# System time zone
TZ=<my-tz>
# Public URL for the web service (required)
PUBLIC_URL=<my-domain>
# IP address of the Docker host
# See the "Running behind NAT or on a LAN environment" section in the Handbook:
# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment
#DOCKER_HOST_ADDRESS=192.168.1.1
# Control whether the lobby feature should be enabled or not
ENABLE_LOBBY=1
# Show a prejoin page before entering a conference
ENABLE_PREJOIN_PAGE=0
# Enable the welcome page
ENABLE_WELCOME_PAGE=1
# Enable the close page
ENABLE_CLOSE_PAGE=0
# Disable measuring of audio levels
DISABLE_AUDIO_LEVELS=0
# Enable noisy mic detection
ENABLE_NOISY_MIC_DETECTION=1
#
# Let's Encrypt configuration
# [disabled, thus skipped]
#
# Etherpad integration (for document sharing)
# [not used, thus skipped]
#
# Basic Jigasi configuration options (needed for SIP gateway support)
# [not used, thus skipped]
#
# Authentication configuration (see handbook for details)
#
# Enable authentication
ENABLE_AUTH=1
# Enable guest access
ENABLE_GUESTS=1
# Select authentication type: internal, jwt or ldap
AUTH_TYPE=jwt
# JWT authentication
#
# Application identifier
JWT_APP_ID=<app-id>
# Application secret known only to your token generator
JWT_APP_SECRET=<app-secret>
# (Optional) Set asap_accepted_issuers as a comma separated list
#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client
# (Optional) Set asap_accepted_audiences as a comma separated list
#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2
# (Optional) Allow anonymous users with no JWT while validating JWTs when provided
JWT_ALLOW_EMPTY=0
#
# LDAP authentication
# [not used, thus skipped]
#
# Advanced configuration options (you generally don't need to change these)
#
# Internal XMPP domain
XMPP_DOMAIN=meet.jitsi
# Internal XMPP server
XMPP_SERVER=xmpp.meet.jitsi
# Internal XMPP server URL
XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280
# Internal XMPP domain for authenticated services
XMPP_AUTH_DOMAIN=auth.meet.jitsi
# XMPP domain for the MUC
XMPP_MUC_DOMAIN=muc.meet.jitsi
# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools
XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi
# XMPP domain for unauthenticated users
XMPP_GUEST_DOMAIN=guest.meet.jitsi
# Comma separated list of domains for cross domain policy or "true" to allow all
# The PUBLIC_URL is always allowed
#XMPP_CROSS_DOMAIN=true
# Custom Prosody modules for XMPP_DOMAIN (comma separated)
XMPP_MODULES=
# Custom Prosody modules for MUC component (comma separated)
XMPP_MUC_MODULES=
# Custom Prosody modules for internal MUC component (comma separated)
XMPP_INTERNAL_MUC_MODULES=
# MUC for the JVB pool
JVB_BREWERY_MUC=jvbbrewery
# XMPP user for JVB client connections
JVB_AUTH_USER=jvb
# STUN servers used to discover the server's public IP
JVB_STUN_SERVERS=<my-stun-domain>
# Media port for the Jitsi Videobridge
JVB_PORT=10000
# TCP Fallback for Jitsi Videobridge for when UDP isn't available
JVB_TCP_HARVESTER_DISABLED=true
JVB_TCP_PORT=4443
JVB_TCP_MAPPED_PORT=4443
# A comma separated list of APIs to enable when the JVB is started [default: none]
# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information
JVB_ENABLE_APIS=rest,colibri
# XMPP user for Jicofo client connections.
# NOTE: this option doesn't currently work due to a bug
JICOFO_AUTH_USER=focus
# Base URL of Jicofo's reservation REST API
#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com
# Enable Jicofo's health check REST API (http://<jicofo_base_url>:8888/about/health)
#JICOFO_ENABLE_HEALTH_CHECKS=true
# [Jigasi stuff skipped]
# Enable recording
ENABLE_RECORDING=0 # Also had this in its commented state before
# XMPP domain for the jibri recorder
XMPP_RECORDER_DOMAIN=recorder.meet.jitsi
# XMPP recorder user for Jibri client connections
JIBRI_RECORDER_USER=recorder
# Directory for recordings inside Jibri container
JIBRI_RECORDING_DIR=/config/recordings
# The finalizing script. Will run after recording is complete
#JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh
# XMPP user for Jibri client connections
JIBRI_XMPP_USER=jibri
# MUC name for the Jibri pool
JIBRI_BREWERY_MUC=jibribrewery
# MUC connection timeout
JIBRI_PENDING_TIMEOUT=90
# When jibri gets a request to start a service for a room, the room
# jid will look like: [email protected]_domain
# We'll build the url for the call by transforming that into:
# https://xmpp_domain/subdomain/roomName
# So if there are any prefixes in the jid (like jitsi meet, which
# has its participants join a muc at conference.xmpp_domain) then
# list that prefix here so it can be stripped out to generate
# the call url correctly
JIBRI_STRIP_DOMAIN_JID=muc
# Directory for logs inside Jibri container
JIBRI_LOGS_DIR=/config/logs
# Disable HTTPS: handle TLS connections outside of this setup
#DISABLE_HTTPS=1
# Enable FLoC
# Opt-In to Federated Learning of Cohorts tracking
#ENABLE_FLOC=0
# Redirect HTTP traffic to HTTPS
# Necessary for Let's Encrypt, relies on standard HTTPS port (443)
ENABLE_HTTP_REDIRECT=1
# Send a `strict-transport-security` header to force browsers to use
# a secure and trusted connection. Recommended for production use.
# Defaults to 1 (send the header).
# ENABLE_HSTS=1
# Enable IPv6
# Provides means to disable IPv6 in environments that don't support it (get with the times, people!)
ENABLE_IPV6=1
# Container restart policy
# Defaults to unless-stopped
RESTART_POLICY=unless-stopped
# Authenticate using external service or just focus external auth window if there is one already.
# TOKEN_AUTH_URL=https://auth.meet.example.com/{room}