@drumee/setup-infra 1.0.0

package/templates/etc/jitsi/jicofo/defaults/jicofo.conf

@@ -0,0 +1,225 @@
+{{ $ENABLE_AUTH := .Env.ENABLE_AUTH | default "0" -}}
+{{ $JICOFO_ENABLE_AUTH := .Env.JICOFO_ENABLE_AUTH | default $ENABLE_AUTH | toBool -}}
+{{ $AUTH_TYPE := .Env.AUTH_TYPE | default "internal" -}}
+{{ $JICOFO_AUTH_TYPE := .Env.JICOFO_AUTH_TYPE | default $AUTH_TYPE -}}
+{{ $JICOFO_AUTH_LIFETIME := .Env.JICOFO_AUTH_LIFETIME | default "24 hours" -}}
+{{ $ENABLE_SCTP := .Env.ENABLE_SCTP | default "0" | toBool -}}
+{{ $ENABLE_RECORDING := .Env.ENABLE_RECORDING | default "0" | toBool -}}
+{{ $ENABLE_OCTO := .Env.ENABLE_OCTO | default "0" | toBool -}}
+{{ $ENABLE_AUTO_LOGIN := .Env.ENABLE_AUTO_LOGIN | default "1" | toBool -}}
+{{ $ENABLE_REST := .Env.JICOFO_ENABLE_REST | default "0" | toBool -}}
+{{ $ENABLE_JVB_XMPP_SERVER := .Env.ENABLE_JVB_XMPP_SERVER | default "0" | toBool -}}
+{{ $HEALTH_CHECKS_USE_PRESENCE := .Env.JICOFO_HEALTH_CHECKS_USE_PRESENCE | default "0" | toBool -}}
+{{ $JIBRI_BREWERY_MUC := .Env.JIBRI_BREWERY_MUC | default "jibribrewery" -}}
+{{ $JIGASI_BREWERY_MUC := .Env.JIGASI_BREWERY_MUC | default "jigasibrewery" -}}
+{{ $JVB_BREWERY_MUC := .Env.JVB_BREWERY_MUC | default "jvbbrewery" -}}
+{{ $JIBRI_PENDING_TIMEOUT := .Env.JIBRI_PENDING_TIMEOUT | default 90 -}}
+{{ $JVB_XMPP_AUTH_DOMAIN := .Env.JVB_XMPP_AUTH_DOMAIN | default "auth.jvb.meet.jitsi" -}}
+{{ $JVB_XMPP_INTERNAL_MUC_DOMAIN := .Env.JVB_XMPP_INTERNAL_MUC_DOMAIN | default "muc.jvb.meet.jitsi" -}}
+{{ $JVB_XMPP_PORT := .Env.JVB_XMPP_PORT | default "6222" -}}
+{{ $JVB_XMPP_SERVER := .Env.JVB_XMPP_SERVER | default "xmpp.jvb.meet.jitsi" -}}
+{{ $XMPP_AUTH_DOMAIN := .Env.XMPP_AUTH_DOMAIN | default "auth.meet.jitsi" -}}
+{{ $XMPP_MUC_DOMAIN := .Env.XMPP_MUC_DOMAIN | default "muc.meet.jitsi" -}}
+{{ $XMPP_INTERNAL_MUC_DOMAIN := .Env.XMPP_INTERNAL_MUC_DOMAIN | default "internal-muc.meet.jitsi" -}}
+{{ $XMPP_DOMAIN := .Env.XMPP_DOMAIN | default "meet.jitsi" -}}
+{{ $XMPP_RECORDER_DOMAIN := .Env.XMPP_RECORDER_DOMAIN | default "recorder.meet.jitsi" -}}
+{{ $XMPP_PORT := .Env.XMPP_PORT | default "5222" -}}
+{{ $XMPP_SERVER := .Env.XMPP_SERVER | default "xmpp.meet.jitsi" -}}
+
+jicofo {
+    {{ if $JICOFO_ENABLE_AUTH }}
+    authentication {
+      enabled = true
+      // The type of authentication. Supported values are XMPP or JWT.
+      {{ if eq $JICOFO_AUTH_TYPE "jwt" }}
+      type = JWT
+      {{ else }}
+      type = XMPP
+      {{ end }}
+      login-url = "{{ $XMPP_DOMAIN }}"
+      enable-auto-login = {{ $ENABLE_AUTO_LOGIN }}
+      authentication-lifetime = {{ $JICOFO_AUTH_LIFETIME }}
+    }
+    {{ end }}
+
+    // Configuration related to jitsi-videobridge
+    bridge {
+      {{ if .Env.MAX_BRIDGE_PARTICIPANTS }}
+      max-bridge-participants = "{{ .Env.MAX_BRIDGE_PARTICIPANTS }}"
+      {{ end }}
+
+      {{ if .Env.BRIDGE_AVG_PARTICIPANT_STRESS }}
+      // The assumed average stress per participant. default is 0.01
+      average-participant-stress = "{{ .Env.BRIDGE_AVG_PARTICIPANT_STRESS }}"
+      {{ end }}
+
+      {{ if .Env.BRIDGE_STRESS_THRESHOLD }}
+      // The stress level above which a bridge is considered overstressed. 0.8 is the default value
+      stress-threshold = "{{ .Env.BRIDGE_STRESS_THRESHOLD }}"
+      {{ end }}
+
+      {{ if .Env.OCTO_BRIDGE_SELECTION_STRATEGY }}
+      selection-strategy = "{{ .Env.OCTO_BRIDGE_SELECTION_STRATEGY }}"
+      {{ end }}
+
+      {{ if .Env.JICOFO_ENABLE_BRIDGE_HEALTH_CHECKS }}
+      health-checks {
+        enabled = {{ .Env.JICOFO_ENABLE_BRIDGE_HEALTH_CHECKS | toBool }}
+        use-presence = {{ $HEALTH_CHECKS_USE_PRESENCE }}
+      }
+      {{ end }}
+
+      {{ if $ENABLE_JVB_XMPP_SERVER }}
+      brewery-jid = "{{ $JVB_BREWERY_MUC }}@{{ $JVB_XMPP_INTERNAL_MUC_DOMAIN }}"
+      {{ else }}
+      brewery-jid = "{{ $JVB_BREWERY_MUC }}@{{ $XMPP_INTERNAL_MUC_DOMAIN }}"
+      {{ end }}
+
+      {{ if .Env.JICOFO_BRIDGE_REGION_GROUPS }}
+      region-groups = [{{ .Env.JICOFO_BRIDGE_REGION_GROUPS }}]
+      {{ end }}
+    }
+    // Configure the codecs and RTP extensions to be used in the offer sent to clients.
+    codec {
+      video {
+        {{ if .Env.ENABLE_CODEC_VP8 }}
+        vp8 {
+          enabled = {{ .Env.ENABLE_CODEC_VP8 | toBool }}
+        }
+        {{ end }}
+        {{ if .Env.ENABLE_CODEC_VP9 }}
+        vp9 {
+          enabled = {{ .Env.ENABLE_CODEC_VP9 | toBool }}
+        }
+        {{ end }}
+        {{ if .Env.ENABLE_CODEC_H264 }}
+        h264 {
+          enabled = {{ .Env.ENABLE_CODEC_H264 | toBool }}
+        }
+        {{ end }}
+      }
+      audio {
+        {{ if .Env.ENABLE_CODEC_OPUS_RED }}
+        opus {
+          red {
+            enabled = {{ .Env.ENABLE_CODEC_OPUS_RED | toBool }}
+          }
+        }
+        {{ end }}
+      }
+    }
+
+    conference {
+      {{ if .Env.ENABLE_AUTO_OWNER }}
+      enable-auto-owner = {{ .Env.ENABLE_AUTO_OWNER | toBool }}
+      {{ end }}
+
+      {{ if .Env.JICOFO_CONF_INITIAL_PARTICIPANT_WAIT_TIMEOUT }}
+      initial-timeout = "{{ .Env.JICOFO_CONF_INITIAL_PARTICIPANT_WAIT_TIMEOUT }}"
+      {{ end }}
+
+      {{ if .Env.JICOFO_CONF_SINGLE_PARTICIPANT_TIMEOUT }}
+      single-participant-timeout = "{{ .Env.JICOFO_CONF_SINGLE_PARTICIPANT_TIMEOUT }}"
+      {{ end }}
+
+      {{ if .Env.JICOFO_CONF_SOURCE_SIGNALING_DELAYS }}
+      source-signaling-delays = {{ .Env.JICOFO_SOURCE_SIGNALING_DELAYS }}
+      {{ end }}
+
+      {{ if .Env.JICOFO_CONF_MAX_AUDIO_SENDERS }}
+      max-audio-senders = {{ .Env.JICOFO_CONF_MAX_AUDIO_SENDERS }}
+      {{ end }}
+
+      {{ if .Env.JICOFO_CONF_MAX_VIDEO_SENDERS }}
+      max-video-senders = {{ .Env.JICOFO_CONF_MAX_VIDEO_SENDERS }}
+      {{ end }}
+
+      {{ if .Env.JICOFO_CONF_STRIP_SIMULCAST }}
+      strip-simulcast = {{ .Env.JICOFO_CONF_STRIP_SIMULCAST | toBool }}
+      {{ end }}
+
+      {{ if .Env.JICOFO_CONF_SSRC_REWRITING }}
+      use-ssrc-rewriting = {{ .Env.JICOFO_CONF_SSRC_REWRITING | toBool }}
+      {{ end }}
+
+      {{ if .Env.JICOFO_MULTI_STREAM_BACKWARD_COMPAT }}
+      enable-multi-stream-backward-compat = {{ .Env.JICOFO_MULTI_STREAM_BACKWARD_COMPAT | toBool }}
+      {{ end }}
+
+    }
+
+    {{ if .Env.JICOFO_ENABLE_HEALTH_CHECKS }}
+    // Configuration for the internal health checks performed by jicofo.
+    health {
+      // Whether to perform health checks.
+      enabled = {{ .Env.JICOFO_ENABLE_HEALTH_CHECKS | toBool }}
+    }
+    {{ end }}
+
+    {{ if $ENABLE_RECORDING }}
+    jibri {
+      brewery-jid = "{{ $JIBRI_BREWERY_MUC }}@{{ $XMPP_INTERNAL_MUC_DOMAIN }}"
+      {{ if .Env.JIBRI_REQUEST_RETRIES }}
+      num-retries = "{{ .Env.JIBRI_REQUEST_RETRIES }}"
+      {{ end }}
+      pending-timeout = "{{ $JIBRI_PENDING_TIMEOUT }}"
+    }
+    {{ end }}
+
+    {{ if and .Env.JIGASI_SIP_URI $JIGASI_BREWERY_MUC }}
+    jigasi {
+      brewery-jid = "{{ $JIGASI_BREWERY_MUC }}@{{ $XMPP_INTERNAL_MUC_DOMAIN }}"
+    }
+    {{ end }}
+
+    {{ if .Env.JICOFO_OCTO_REGION }}
+    local-region = "{{ .Env.JICOFO_OCTO_REGION }}"
+    {{ end }}
+
+    octo {
+      // Whether or not to use Octo. Note that when enabled, its use will be determined by
+      // $jicofo.bridge.selection-strategy. There's a corresponding flag in the JVB and these
+      // two MUST be in sync (otherwise bridges will crash because they won't know how to
+      // deal with octo channels).
+      enabled = {{ $ENABLE_OCTO }}
+    }
+
+    {{ if $ENABLE_REST }}
+    rest {
+      host = "0.0.0.0"
+    }
+    {{ end }}
+
+    sctp {
+      enabled = {{ $ENABLE_SCTP }}
+    }
+
+    xmpp {
+      client {
+        enabled = true
+        hostname = "{{ $XMPP_SERVER }}"
+        port = "{{ $XMPP_PORT }}"
+        domain = "{{ $XMPP_AUTH_DOMAIN }}"
+        xmpp-domain = "{{ $XMPP_DOMAIN }}"
+        username = "focus"
+        password = "{{ .Env.JICOFO_AUTH_PASSWORD }}"
+        conference-muc-jid = "{{ $XMPP_MUC_DOMAIN }}"
+        client-proxy = "focus.{{ $XMPP_DOMAIN }}"
+        disable-certificate-verification = true
+      }
+      {{ if $ENABLE_JVB_XMPP_SERVER }}
+      service {
+        enabled = true
+        hostname = "{{ $JVB_XMPP_SERVER }}"
+        port = "{{ $JVB_XMPP_PORT }}"
+        domain =  "{{ $JVB_XMPP_AUTH_DOMAIN }}"
+        username = "focus"
+        password = "{{ .Env.JICOFO_AUTH_PASSWORD }}"
+        disable-certificate-verification = true
+      }
+      {{ end }}
+      {{ if $ENABLE_RECORDING }}
+      trusted-domains = [ "{{ $XMPP_RECORDER_DOMAIN }}" ]
+      {{ end }}
+    }
+}

package/templates/etc/jitsi/jicofo/defaults/logging.properties

@@ -0,0 +1,15 @@
+{{ if .Env.SENTRY_DSN | default "0" | toBool }}
+handlers=java.util.logging.ConsoleHandler,io.sentry.jul.SentryHandler
+{{ else }}
+handlers= java.util.logging.ConsoleHandler
+{{ end }}
+
+java.util.logging.ConsoleHandler.level = ALL
+java.util.logging.ConsoleHandler.formatter = org.jitsi.utils.logging2.JitsiLogFormatter
+org.jitsi.utils.logging2.JitsiLogFormatter.programname=Jicofo
+
+.level=INFO
+io.sentry.jul.SentryHandler.level=WARNING
+
+# Enable debug packets logging
+#org.jitsi.impl.protocol.xmpp.level=FINE

package/templates/etc/jitsi/jicofo/jicofo.conf.tpl

@@ -0,0 +1,46 @@
+jicofo {
+    // Configuration related to jitsi-videobridge
+    bridge {
+      brewery-jid = "jvbbrewery@internal-muc.<%= jitsi_domain %>" 
+    }
+    // Configure the codecs and RTP extensions to be used in the offer sent to clients.
+    codec {
+      video {
+      }
+      audio {
+      }
+    }
+
+    conference {
+    }
+    octo {
+      // Whether or not to use Octo. Note that when enabled, its use will be determined by
+      // $jicofo.bridge.selection-strategy. There's a corresponding flag in the JVB and these
+      // two MUST be in sync (otherwise bridges will crash because they won't know how to
+      // deal with octo channels).
+      enabled = false
+    }
+    sctp {
+      enabled = false
+    }
+    authentication: {
+       enabled: true
+       type: JWT
+       login-url: <%= jitsi_domain %>
+    }
+    xmpp {
+      client {
+        enabled = true
+        hostname = "xmpp.<%= jitsi_domain %>"
+        port = "5222"
+        domain = "auth.<%= jitsi_domain %>"
+        xmpp-domain = "<%= jitsi_domain %>"
+        username = "focus"
+        password = "<%= jicofo_password %>"
+        conference-muc-jid = "muc.<%= jitsi_domain %>"
+        client-proxy = "focus.<%= jitsi_domain %>"
+        disable-certificate-verification = true
+      }
+    }
+}
+

package/templates/etc/jitsi/jicofo/logging.properties.tpl

@@ -0,0 +1,12 @@
+handlers= java.util.logging.ConsoleHandler
+
+
+java.util.logging.ConsoleHandler.level = ALL
+java.util.logging.ConsoleHandler.formatter = org.jitsi.utils.logging2.JitsiLogFormatter
+org.jitsi.utils.logging2.JitsiLogFormatter.programname=Jicofo
+
+.level=INFO
+io.sentry.jul.SentryHandler.level=WARNING
+
+# Enable debug packets logging
+#org.jitsi.impl.protocol.xmpp.level=FINE

package/templates/etc/jitsi/meet.conf.tpl

@@ -0,0 +1,131 @@
+server_name <%= jitsi_domain %>;
+
+charset utf8;
+
+client_max_body_size 0;
+
+#root /usr/share/jitsi-meet;
+root /srv/drumee/static/images;
+
+# ssi on with javascript for multidomain variables in config.js
+ssi on;
+ssi_types application/x-javascript application/javascript;
+
+# index index.html index.htm;
+error_page 404 /static/404.html;
+
+# Security headers
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+
+set $prefix "";
+
+
+# Opt out of FLoC (deprecated)
+add_header Permissions-Policy "interest-cohort=()";
+
+# location = /config.js {
+#    alias /etc/jitsi/web/config.js;
+# }
+
+# location = /interface_config.js {
+#    alias /etc/jitsi/web/interface_config.js;
+# }
+
+# location = /external_api.js {
+#    alias /usr/share/jitsi-meet/libs/external_api.min.js;
+# }
+
+
+
+# ensure all static content can always be found first
+# location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$ {
+#    add_header 'Access-Control-Allow-Origin' '*';
+#    alias /usr/share/jitsi-meet/$1/$2;
+
+    # cache all versioned files
+#    if ($arg_v) {
+#        expires 1y;
+#    }
+# }
+
+
+# colibri (JVB) websockets
+location ~ ^/colibri-ws/([a-zA-Z0-9-\._]+)/(.*) {
+    tcp_nodelay on;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+    proxy_pass http://$1:9090/colibri-ws/$1/$2$is_args$args;
+}
+
+
+# BOSH
+location = /http-bind {
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Host <%= jitsi_domain %>;
+    proxy_pass http://127.0.0.1:5280/http-bind?prefix=$prefix&$args;
+}
+
+
+# xmpp websockets
+location = /xmpp-websocket {
+    proxy_pass http://localhost:5280/xmpp-websocket;
+    proxy_http_version 1.1;
+    proxy_set_header Connection "upgrade";
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Host <%= jitsi_domain %>;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    tcp_nodelay on;
+}
+
+
+location ~ ^/([^/?&:'"]+)$ {
+    try_files $uri @root_path;
+}
+
+location @root_path {
+    rewrite ^/(.*)$ / break;
+}
+
+
+# Matches /(TENANT)/pwa-worker.js or /(TENANT)/manifest.json to rewrite to / and look for file
+location ~ ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ {
+    set $subdomain "$1.";
+    set $subdir "$1/";
+    rewrite ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ /$2;
+}
+
+location ~ ^/([^/?&:'"]+)/config.js$ {
+    set $subdomain "$1.";
+    set $subdir "$1/";
+
+    alias /etc/jitsi/web/config.js;
+}
+
+# BOSH for subdomains
+location ~ ^/([^/?&:'"]+)/http-bind {
+    set $subdomain "$1.";
+    set $subdir "$1/";
+    set $prefix "$1";
+
+    rewrite ^/(.*)$ /http-bind;
+}
+
+
+# websockets for subdomains
+location ~ ^/([^/?&:'"]+)/xmpp-websocket {
+    set $subdomain "$1.";
+    set $subdir "$1/";
+    set $prefix "$1";
+
+    rewrite ^/(.*)$ /xmpp-websocket;
+}
+
+
+# Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
+location ~ ^/([^/?&:'"]+)/(.*)$ {
+    set $subdomain "$1.";
+    set $subdir "$1/";
+    rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
+}

package/templates/etc/jitsi/ssl.conf.tpl

@@ -0,0 +1,25 @@
+# session settings
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+ssl_session_tickets off;
+
+# ssl certs
+
+ssl_certificate <%= certs_dir %>/<%= jitsi_domain %>_ecc/fullchain.cer;
+ssl_certificate_key <%= certs_dir %>/<%= jitsi_domain %>_ecc/<%= jitsi_domain %>.key;
+ssl_trusted_certificate <%= certs_dir %>/<%= jitsi_domain %>_ecc/ca.cer;
+
+# protocols
+# Mozilla Guideline v5.6, nginx 1.14.2, OpenSSL 1.1.1d, intermediate configuration, no OCSP
+# https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&ocsp=false&guideline=5.6
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
+# Diffie-Hellman parameter for DHE cipher suites
+ssl_dhparam /etc/jitsi/web/defaults/ffdhe2048.txt;
+
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+
+add_header Strict-Transport-Security "max-age=63072000" always;
+

package/templates/etc/jitsi/videobridge/config

@@ -0,0 +1,2 @@
+# adds java system props that are passed to jvb (default are for home and logging config file)
+JAVA_SYS_PROPS="-Dconfig.file=/etc/jitsi/videobridge/jvb.conf -Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/etc/jitsi -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=videobridge -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi -Djava.util.logging.config.file=/etc/jitsi/videobridge/logging.properties"

package/templates/etc/jitsi/videobridge/defaults/jvb.conf

@@ -0,0 +1,129 @@
+{{ $COLIBRI_REST_ENABLED := .Env.COLIBRI_REST_ENABLED | default "false" | toBool -}}
+{{ $ENABLE_COLIBRI_WEBSOCKET := .Env.ENABLE_COLIBRI_WEBSOCKET | default "1" | toBool -}}
+{{ $ENABLE_OCTO := .Env.ENABLE_OCTO | default "0" | toBool -}}
+{{ $ENABLE_JVB_XMPP_SERVER := .Env.ENABLE_JVB_XMPP_SERVER | default "0" | toBool }}
+{{ $JVB_DISABLE_STUN := .Env.JVB_DISABLE_STUN | default "0" | toBool -}}
+{{ $JVB_STUN_SERVERS := .Env.JVB_STUN_SERVERS | default "meet-jit-si-turnrelay.jitsi.net:443" -}}
+{{ $JVB_AUTH_USER := .Env.JVB_AUTH_USER | default "jvb" -}}
+{{ $JVB_BREWERY_MUC := .Env.JVB_BREWERY_MUC | default "jvbbrewery" -}}
+{{ $JVB_MUC_NICKNAME := .Env.JVB_MUC_NICKNAME | default .Env.HOSTNAME -}}
+{{ $JVB_ADVERTISE_PRIVATE_CANDIDATES := .Env.JVB_ADVERTISE_PRIVATE_CANDIDATES | default "true" | toBool -}}
+{{ $JVB_ADVERTISE_IPS := .Env.JVB_ADVERTISE_IPS | default "" -}}
+{{ $JVB_IPS := splitList "," $JVB_ADVERTISE_IPS -}}
+{{ $JVB_XMPP_AUTH_DOMAIN := .Env.JVB_XMPP_AUTH_DOMAIN | default "auth.jvb.meet.jitsi" -}}
+{{ $JVB_XMPP_INTERNAL_MUC_DOMAIN := .Env.JVB_XMPP_INTERNAL_MUC_DOMAIN | default "muc.jvb.meet.jitsi" -}}
+{{ $JVB_XMPP_PORT := .Env.JVB_XMPP_PORT | default "6222" -}}
+{{ $JVB_XMPP_SERVER := .Env.JVB_XMPP_SERVER | default "xmpp.jvb.meet.jitsi" -}}
+{{ $JVB_XMPP_SERVERS := splitList "," $JVB_XMPP_SERVER -}}
+{{ $PUBLIC_URL_DOMAIN := .Env.PUBLIC_URL | default "https://localhost:8443" | trimPrefix "https://" | trimSuffix "/" -}}
+{{ $SHUTDOWN_REST_ENABLED := .Env.SHUTDOWN_REST_ENABLED | default "false" | toBool -}}
+{{ $WS_DOMAIN := .Env.JVB_WS_DOMAIN | default $PUBLIC_URL_DOMAIN -}}
+{{ $WS_SERVER_ID := .Env.JVB_WS_SERVER_ID | default .Env.JVB_WS_SERVER_ID_FALLBACK -}}
+{{ $XMPP_AUTH_DOMAIN := .Env.XMPP_AUTH_DOMAIN | default "auth.meet.jitsi" -}}
+{{ $XMPP_INTERNAL_MUC_DOMAIN := .Env.XMPP_INTERNAL_MUC_DOMAIN | default "internal-muc.meet.jitsi" -}}
+{{ $XMPP_PORT := .Env.XMPP_PORT | default "5222" -}}
+{{ $XMPP_SERVER := .Env.XMPP_SERVER | default "xmpp.meet.jitsi" -}}
+{{ $XMPP_SERVERS := splitList "," $XMPP_SERVER -}}
+{{/* assign env from context, preserve during range when . is re-assigned */}}
+{{ $ENV := .Env -}}
+
+videobridge {
+    ice {
+        udp {
+            port = {{ .Env.JVB_PORT | default 10000 }}
+        }
+        advertise-private-candidates = {{ $JVB_ADVERTISE_PRIVATE_CANDIDATES }}
+    }
+    apis {
+        xmpp-client {
+            configs {
+{{ if $ENABLE_JVB_XMPP_SERVER }}
+{{ range $index, $element := $JVB_XMPP_SERVERS -}}
+{{ $SERVER := splitn ":" 2 $element }}
+                shard{{ $index }} {
+                    HOSTNAME = "{{ $SERVER._0 }}"
+                    PORT = "{{ $SERVER._1 | default $JVB_XMPP_PORT }}"
+                    DOMAIN = "{{ $JVB_XMPP_AUTH_DOMAIN }}"
+                    USERNAME = "{{ $JVB_AUTH_USER }}"
+                    PASSWORD = "{{ $ENV.JVB_AUTH_PASSWORD }}"
+                    MUC_JIDS = "{{ $JVB_BREWERY_MUC }}@{{ $JVB_XMPP_INTERNAL_MUC_DOMAIN }}"
+                    MUC_NICKNAME = "{{ $JVB_MUC_NICKNAME }}"
+                    DISABLE_CERTIFICATE_VERIFICATION = true
+                }
+{{ end -}}
+{{ else }}
+{{ range $index, $element := $XMPP_SERVERS -}}
+{{ $SERVER := splitn ":" 2 $element }}
+                shard{{ $index }} {
+                    HOSTNAME = "{{ $SERVER._0 }}"
+                    PORT = "{{ $SERVER._1 | default $XMPP_PORT }}"
+                    DOMAIN = "{{ $XMPP_AUTH_DOMAIN }}"
+                    USERNAME = "{{ $JVB_AUTH_USER }}"
+                    PASSWORD = "{{ $ENV.JVB_AUTH_PASSWORD }}"
+                    MUC_JIDS = "{{ $JVB_BREWERY_MUC }}@{{ $XMPP_INTERNAL_MUC_DOMAIN }}"
+                    MUC_NICKNAME = "{{ $JVB_MUC_NICKNAME }}"
+                    DISABLE_CERTIFICATE_VERIFICATION = true
+                }
+{{ end -}}
+{{ end }}
+            }
+        }
+        rest {
+            enabled = {{ $COLIBRI_REST_ENABLED }}
+        }
+    }
+    rest {
+        shutdown {
+            enabled = {{ $SHUTDOWN_REST_ENABLED }}
+        }
+    }
+    stats {
+        enabled = true
+    }
+    websockets {
+        enabled = {{ $ENABLE_COLIBRI_WEBSOCKET }}
+        domain = "{{ $WS_DOMAIN }}"
+        tls = true
+        server-id = "{{ $WS_SERVER_ID }}"
+    }
+    http-servers {
+        private {
+          host = 0.0.0.0
+        }
+        public {
+            host = 0.0.0.0
+            port = 9090
+        }
+    }
+
+    {{ if $ENABLE_OCTO -}}
+    relay {
+        enabled = true
+        region = "{{ .Env.JVB_OCTO_REGION | default "europe" }}"
+        relay-id = "{{ .Env.JVB_OCTO_RELAY_ID | default .Env.JVB_OCTO_BIND_ADDRESS }}"
+    }
+    {{ end -}}
+}
+
+ice4j {
+    harvest {
+        mapping {
+            stun {
+{{ if not $JVB_DISABLE_STUN -}}
+                addresses = [ "{{ join "\",\"" (splitList "," $JVB_STUN_SERVERS) }}" ]
+{{ else -}}
+                enabled = false
+{{ end -}}
+            }
+            static-mappings = [
+{{ range $index, $element := $JVB_IPS -}}
+                {
+                    local-address = "{{ $ENV.LOCAL_ADDRESS }}"
+                    public-address = "{{ $element }}"
+                    name = "ip-{{ $index }}"
+                },
+{{ end -}}
+            ]
+        }
+    }
+}

package/templates/etc/jitsi/videobridge/defaults/logging.properties

@@ -0,0 +1,12 @@
+{{ if .Env.SENTRY_DSN | default "0" | toBool }}
+handlers=java.util.logging.ConsoleHandler,io.sentry.jul.SentryHandler
+{{ else }}
+handlers= java.util.logging.ConsoleHandler
+{{ end }}
+
+java.util.logging.ConsoleHandler.level = ALL
+java.util.logging.ConsoleHandler.formatter = org.jitsi.utils.logging2.JitsiLogFormatter
+org.jitsi.utils.logging2.JitsiLogFormatter.programname=JVB
+
+.level=INFO
+io.sentry.jul.SentryHandler.level=WARNING

package/templates/etc/jitsi/videobridge/jvb.conf

@@ -0,0 +1,67 @@
+videobridge {
+  ice {
+    udp {
+      port = 10000
+    }
+    advertise-private-candidates = true
+  }
+  apis {
+    xmpp-client {
+      configs {
+        shard0 {
+          HOSTNAME = "xmpp.<%= jitsi_domain %>"
+          PORT = "5222"
+          DOMAIN = "auth.<%= jitsi_domain %>"
+          USERNAME = "jvb"
+          PASSWORD = "<%= jvb_password %>"
+          MUC_JIDS = "jvbbrewery@internal-muc.<%= jitsi_domain %>"
+          MUC_NICKNAME = "shard0"
+          DISABLE_CERTIFICATE_VERIFICATION = true
+        }
+      }
+    }
+    rest {
+      enabled = false
+    }
+  }
+  rest {
+    shutdown {
+      enabled = false
+    }
+  }
+  stats {
+    enabled = true
+  }
+  websockets {
+    enabled = true
+    domain = "<%= jitsi_domain %>"
+    tls = true
+    server-id = "<%= local_address %>"
+  }
+  http-servers {
+      private {
+        host = 0.0.0.0
+      }
+      public {
+          host = 0.0.0.0
+          port = 9090
+      }
+  }
+}
+
+ice4j {
+  harvest {
+    mapping {
+      stun {
+        addresses = [ "meet-jit-si-turnrelay.jitsi.net:443" ]
+      }
+      static-mappings = [
+        {
+          local-address = "<%= local_address %>"
+          public-address = ""
+          name = "ip-0"
+        }
+      ]
+    }
+  }
+}

package/templates/etc/jitsi/videobridge/logging.properties.tpl

@@ -0,0 +1,12 @@
+
+handlers= java.util.logging.ConsoleHandler
+java.util.logging.ConsoleHandler.level = ALL
+java.util.logging.ConsoleHandler.formatter = org.jitsi.utils.logging2.JitsiLogFormatter
+org.jitsi.utils.logging2.JitsiLogFormatter.programname=JVB
+
+.level=INFO
+io.sentry.jul.SentryHandler.level=WARNING
+
+# Enable debug packets logging
+#org.jitsi.impl.protocol.xmpp.level=FINE
+