npm - @drumee/setup-infra - Versions diffs - 1.0.14 → 1.0.16 - Mend

@drumee/setup-infra 1.0.14 → 1.0.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (75) hide show

package/templates/etc/drumee/infrastructure/servers/tt.conf CHANGED Viewed

@@ -33,7 +33,7 @@ server {
   location ^~ /.well-known/acme-challenge/ {
       default_type "text/plain";
-      root         /usr/share/jitsi-meet;
+      root         <%= jitsi_root_dir %>;
   }
   location = /.well-known/acme-challenge/ {
       return 404;
@@ -43,8 +43,8 @@ server {
   }
 }
 server {
-  listen 443 ssl;
-  listen [::]:443 ssl;
+  listen <%= public_https_port %> ssl;
+  listen [::]:<%= public_https_port %> ssl;
   server_name placeholder.placeholder.com;
   # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
@@ -59,10 +59,10 @@ server {
   add_header Strict-Transport-Security "max-age=63072000" always;
   set $prefix "";
-  ssl_certificate /usr/share/acme/certs/;
-  ssl_certificate_key /usr/share/acme/certs/;
+  ssl_certificate /etc/drumee/certs/acme/certs/;
+  ssl_certificate_key /etc/drumee/certs/acme/certs/;
-  root /usr/share/jitsi-meet;
+  root <%= jitsi_root_dir %>;
   # ssi on with javascript for multidomain variables in config.js
   ssi on;
@@ -82,7 +82,7 @@ server {
   }
   location = /external_api.js {
-    alias /usr/share/jitsi-meet/libs/external_api.min.js;
+    alias <%= jitsi_root_dir %>/libs/external_api.min.js;
   }
   location = /_api/room-info {
@@ -96,7 +96,7 @@ server {
   location ~ ^/(libs|css|static|images|fonts|lang|sounds|.well-known)/(.*)$
   {
     add_header 'Access-Control-Allow-Origin' '*';
-    alias /usr/share/jitsi-meet/$1/$2;
+    alias <%= jitsi_root_dir %>/$1/$2;
     # cache all versioned files
     if ($arg_v) {
@@ -138,7 +138,7 @@ server {
   #}
   #location ~ ^/_load-test/libs/(.*)$ {
   #    add_header 'Access-Control-Allow-Origin' '*';
-  #    alias /usr/share/jitsi-meet/load-test/libs/$1;
+  #    alias <%= jitsi_root_dir %>/load-test/libs/$1;
   #}
   location ~ ^/([^/?&:'"]+)$ {

package/templates/etc/drumee/ssl/private.conf.tpl CHANGED Viewed

@@ -4,5 +4,6 @@
 # Date : <%= date %>
 # -------------------------------------------------------------
+ssl_certificate <%= certs_dir %>/<%= private_domain %>_ecc/<%= private_domain %>.cer;
+ssl_trusted_certificate <%= certs_dir %>/<%= private_domain %>_ecc/<%= private_domain %>.cer;
 ssl_certificate_key <%= certs_dir %>/<%= private_domain %>_ecc/<%= private_domain %>.key;
-ssl_trusted_certificate <%= certs_dir %>/<%= private_domain %>_ecc/<%= private_domain %>.cer;

package/templates/etc/drumee/ssl/public.conf.tpl CHANGED Viewed

@@ -4,7 +4,7 @@
 # Date : <%= date %>
 # -------------------------------------------------------------
-ssl_certificate_key <%= certs_dir %>/<%= public_domain %>_ecc/<%= public_domain %>.key;
 ssl_certificate <%= certs_dir %>/<%= public_domain %>_ecc/fullchain.cer;
 ssl_trusted_certificate <%= certs_dir %>/<%= public_domain %>_ecc/ca.cer;
+ssl_certificate_key <%= certs_dir %>/<%= public_domain %>_ecc/<%= public_domain %>.key;

package/templates/etc/jitsi/jicofo/jicofo.private.conf.tpl ADDED Viewed

@@ -0,0 +1,46 @@
+jicofo {
+    // Configuration related to jitsi-videobridge
+    bridge {
+      brewery-jid = "jvbbrewery@internal-muc.<%= jitsi_private_domain %>"
+    }
+    // Configure the codecs and RTP extensions to be used in the offer sent to clients.
+    codec {
+      video {
+      }
+      audio {
+      }
+    }
+    conference {
+    }
+    octo {
+      // Whether or not to use Octo. Note that when enabled, its use will be determined by
+      // $jicofo.bridge.selection-strategy. There's a corresponding flag in the JVB and these
+      // two MUST be in sync (otherwise bridges will crash because they won't know how to
+      // deal with octo channels).
+      enabled = false
+    }
+    sctp {
+      enabled = false
+    }
+    authentication: {
+       enabled: true
+       type: JWT
+       login-url: <%= jitsi_private_domain %>
+    }
+    xmpp {
+      client {
+        enabled = true
+        hostname = "xmpp.<%= jitsi_private_domain %>"
+        port = "5222"
+        domain = "auth.<%= jitsi_private_domain %>"
+        xmpp-domain = "<%= jitsi_private_domain %>"
+        username = "focus"
+        password = "<%= jicofo_password %>"
+        conference-muc-jid = "muc.<%= jitsi_private_domain %>"
+        client-proxy = "focus.<%= jitsi_private_domain %>"
+        disable-certificate-verification = true
+      }
+    }
+}

package/templates/etc/jitsi/jicofo/{jicofo.conf.tpl → jicofo.public.conf.tpl} RENAMED Viewed

@@ -1,7 +1,7 @@
 jicofo {
     // Configuration related to jitsi-videobridge
     bridge {
-      brewery-jid = "jvbbrewery@internal-muc.<%= jitsi_domain %>"
+      brewery-jid = "jvbbrewery@internal-muc.<%= jitsi_public_domain %>"
     }
     // Configure the codecs and RTP extensions to be used in the offer sent to clients.
     codec {
@@ -26,19 +26,19 @@ jicofo {
     authentication: {
        enabled: true
        type: JWT
-       login-url: <%= jitsi_domain %>
+       login-url: <%= jitsi_public_domain %>
     }
     xmpp {
       client {
         enabled = true
-        hostname = "xmpp.<%= jitsi_domain %>"
+        hostname = "xmpp.<%= jitsi_public_domain %>"
         port = "5222"
-        domain = "auth.<%= jitsi_domain %>"
-        xmpp-domain = "<%= jitsi_domain %>"
+        domain = "auth.<%= jitsi_public_domain %>"
+        xmpp-domain = "<%= jitsi_public_domain %>"
         username = "focus"
         password = "<%= jicofo_password %>"
-        conference-muc-jid = "muc.<%= jitsi_domain %>"
-        client-proxy = "focus.<%= jitsi_domain %>"
+        conference-muc-jid = "muc.<%= jitsi_public_domain %>"
+        client-proxy = "focus.<%= jitsi_public_domain %>"
         disable-certificate-verification = true
       }
     }

package/templates/etc/jitsi/jicofo/sip-cmmunicator.private.properties ADDED Viewed

@@ -0,0 +1,3 @@
+org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.<%= jitsi_private_domain %>
+org.jitsi.jicofo.auth.URL=XMPP:<%= jitsi_private_domain %>
+org.jitsi.jicofo.ALWAYS_TRUST_MODE_ENABLED=true

package/templates/etc/jitsi/jicofo/sip-cmmunicator.public.properties ADDED Viewed

@@ -0,0 +1,3 @@
+org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.<%= jitsi_public_domain %>
+org.jitsi.jicofo.auth.URL=XMPP:<%= jitsi_public_domain %>
+org.jitsi.jicofo.ALWAYS_TRUST_MODE_ENABLED=true

package/templates/etc/jitsi/meet.private.conf.tpl ADDED Viewed

@@ -0,0 +1,132 @@
+server_name _;
+charset utf8;
+client_max_body_size 0;
+# Disable direct access to jitsi UI
+# root <%= jitsi_root_dir %>;
+root <%= static_dir %>;
+# ssi on with javascript for multidomain variables in config.js
+ssi on;
+ssi_types application/x-javascript application/javascript;
+index index.html index.htm;
+error_page 404 /static/404.html;
+# Security headers
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+set $prefix "";
+# Opt out of FLoC (deprecated)
+add_header Permissions-Policy "interest-cohort=()";
+location = /config.js {
+   alias /etc/jitsi/web/config.js;
+}
+location = /interface_config.js {
+   alias /etc/jitsi/web/interface_config.js;
+}
+location = /external_api.js {
+   alias <%= jitsi_root_dir %>/libs/external_api.min.js;
+}
+# ensure all static content can always be found first
+location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$ {
+   add_header 'Access-Control-Allow-Origin' '*';
+   alias <%= jitsi_root_dir %>/$1/$2;
+    # cache all versioned files
+   if ($arg_v) {
+       expires 1y;
+   }
+}
+# colibri (JVB) websockets
+location ~ ^/colibri-ws/([a-zA-Z0-9-\._]+)/(.*) {
+    tcp_nodelay on;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+    proxy_pass http://$1:9090/colibri-ws/$1/$2$is_args$args;
+}
+# BOSH
+location = /http-bind {
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Host <%= jitsi_private_domain %>;
+    proxy_pass http://127.0.0.1:5280/http-bind?prefix=$prefix&$args;
+}
+# xmpp websockets
+location = /xmpp-websocket {
+    proxy_pass http://localhost:5280/xmpp-websocket;
+    proxy_http_version 1.1;
+    proxy_set_header Connection "upgrade";
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Host <%= jitsi_private_domain %>;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    tcp_nodelay on;
+}
+location ~ ^/([^/?&:'"]+)$ {
+    try_files $uri @root_path;
+}
+location @root_path {
+    rewrite ^/(.*)$ / break;
+}
+# Matches /(TENANT)/pwa-worker.js or /(TENANT)/manifest.json to rewrite to / and look for file
+location ~ ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ {
+    set $subdomain "$1.";
+    set $subdir "$1/";
+    rewrite ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ /$2;
+}
+location ~ ^/([^/?&:'"]+)/config.js$ {
+    set $subdomain "$1.";
+    set $subdir "$1/";
+    alias /etc/jitsi/web/config.js;
+}
+# BOSH for subdomains
+location ~ ^/([^/?&:'"]+)/http-bind {
+    set $subdomain "$1.";
+    set $subdir "$1/";
+    set $prefix "$1";
+    rewrite ^/(.*)$ /http-bind;
+}
+# websockets for subdomains
+location ~ ^/([^/?&:'"]+)/xmpp-websocket {
+    set $subdomain "$1.";
+    set $subdir "$1/";
+    set $prefix "$1";
+    rewrite ^/(.*)$ /xmpp-websocket;
+}
+# Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
+location ~ ^/([^/?&:'"]+)/(.*)$ {
+    set $subdomain "$1.";
+    set $subdir "$1/";
+    rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
+}

package/templates/etc/jitsi/{meet.conf.tpl → meet.public.conf.tpl} RENAMED Viewed

@@ -5,7 +5,7 @@ charset utf8;
 client_max_body_size 0;
 # Disable direct access to jitsi UI
-# root /usr/share/jitsi-meet;
+# root <%= jitsi_root_dir %>;
 root <%= static_dir %>;
 # ssi on with javascript for multidomain variables in config.js
@@ -34,7 +34,7 @@ location = /interface_config.js {
 }
 location = /external_api.js {
-   alias /usr/share/jitsi-meet/libs/external_api.min.js;
+   alias <%= jitsi_root_dir %>/libs/external_api.min.js;
 }
@@ -42,7 +42,7 @@ location = /external_api.js {
 # ensure all static content can always be found first
 location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$ {
    add_header 'Access-Control-Allow-Origin' '*';
-   alias /usr/share/jitsi-meet/$1/$2;
+   alias <%= jitsi_root_dir %>/$1/$2;
     # cache all versioned files
    if ($arg_v) {
@@ -64,7 +64,7 @@ location ~ ^/colibri-ws/([a-zA-Z0-9-\._]+)/(.*) {
 # BOSH
 location = /http-bind {
     proxy_set_header X-Forwarded-For $remote_addr;
-    proxy_set_header Host <%= jitsi_domain %>;
+    proxy_set_header Host <%= jitsi_public_domain %>;
     proxy_pass http://127.0.0.1:5280/http-bind?prefix=$prefix&$args;
 }
@@ -75,7 +75,7 @@ location = /xmpp-websocket {
     proxy_http_version 1.1;
     proxy_set_header Connection "upgrade";
     proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Host <%= jitsi_domain %>;
+    proxy_set_header Host <%= jitsi_public_domain %>;
     proxy_set_header X-Forwarded-For $remote_addr;
     tcp_nodelay on;
 }

package/templates/etc/jitsi/ssl.private.conf.tpl ADDED Viewed

@@ -0,0 +1,25 @@
+# session settings
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+ssl_session_tickets off;
+# ssl certs
+ssl_certificate <%= certs_dir %>/<%= jitsi_private_domain %>_ecc/<%= jitsi_private_domain %>.cer;
+ssl_trusted_certificate <%= certs_dir %>/<%= jitsi_private_domain %>_ecc/<%= jitsi_private_domain %>.cer;
+ssl_certificate_key <%= certs_dir %>/<%= jitsi_private_domain %>_ecc/<%= jitsi_private_domain %>.key;
+# protocols
+# Mozilla Guideline v5.6, nginx 1.14.2, OpenSSL 1.1.1d, intermediate configuration, no OCSP
+# https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&ocsp=false&guideline=5.6
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+# Diffie-Hellman parameter for DHE cipher suites
+ssl_dhparam /etc/jitsi/web/defaults/ffdhe2048.txt;
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+add_header Strict-Transport-Security "max-age=63072000" always;

package/templates/etc/jitsi/{ssl.conf.tpl → ssl.public.conf.tpl} RENAMED Viewed

@@ -5,9 +5,9 @@ ssl_session_tickets off;
 # ssl certs
-ssl_certificate <%= certs_dir %>/<%= jitsi_domain %>_ecc/fullchain.cer;
-ssl_certificate_key <%= certs_dir %>/<%= jitsi_domain %>_ecc/<%= jitsi_domain %>.key;
-ssl_trusted_certificate <%= certs_dir %>/<%= jitsi_domain %>_ecc/ca.cer;
+ssl_certificate <%= certs_dir %>/<%= jitsi_public_domain %>_ecc/fullchain.cer;
+ssl_certificate_key <%= certs_dir %>/<%= jitsi_public_domain %>_ecc/<%= jitsi_public_domain %>.key;
+ssl_trusted_certificate <%= certs_dir %>/<%= jitsi_public_domain %>_ecc/ca.cer;
 # protocols
 # Mozilla Guideline v5.6, nginx 1.14.2, OpenSSL 1.1.1d, intermediate configuration, no OCSP

package/templates/etc/jitsi/videobridge/defaults/jvb.conf CHANGED Viewed

@@ -15,7 +15,7 @@
 {{ $JVB_XMPP_PORT := .Env.JVB_XMPP_PORT | default "6222" -}}
 {{ $JVB_XMPP_SERVER := .Env.JVB_XMPP_SERVER | default "xmpp.jvb.meet.jitsi" -}}
 {{ $JVB_XMPP_SERVERS := splitList "," $JVB_XMPP_SERVER -}}
-{{ $PUBLIC_URL_DOMAIN := .Env.PUBLIC_URL | default "https://localhost:8443" | trimPrefix "https://" | trimSuffix "/" -}}
+{{ $PUBLIC_URL_DOMAIN := .Env.PUBLIC_URL | default "https://localhost:<%= local_port %>" | trimPrefix "https://" | trimSuffix "/" -}}
 {{ $SHUTDOWN_REST_ENABLED := .Env.SHUTDOWN_REST_ENABLED | default "false" | toBool -}}
 {{ $WS_DOMAIN := .Env.JVB_WS_DOMAIN | default $PUBLIC_URL_DOMAIN -}}
 {{ $WS_SERVER_ID := .Env.JVB_WS_SERVER_ID | default .Env.JVB_WS_SERVER_ID_FALLBACK -}}

package/templates/etc/jitsi/videobridge/jvb.private.conf ADDED Viewed

@@ -0,0 +1,67 @@
+videobridge {
+  ice {
+    udp {
+      port = 10000
+    }
+    advertise-private-candidates = true
+  }
+  apis {
+    xmpp-client {
+      configs {
+        shard0 {
+          HOSTNAME = "xmpp.<%= jitsi_private_domain %>"
+          PORT = "5222"
+          DOMAIN = "auth.<%= jitsi_private_domain %>"
+          USERNAME = "jvb"
+          PASSWORD = "<%= jvb_password %>"
+          MUC_JIDS = "jvbbrewery@internal-muc.<%= jitsi_private_domain %>"
+          MUC_NICKNAME = "shard0"
+          DISABLE_CERTIFICATE_VERIFICATION = true
+        }
+      }
+    }
+    rest {
+      enabled = false
+    }
+  }
+  rest {
+    shutdown {
+      enabled = false
+    }
+  }
+  stats {
+    enabled = true
+  }
+  websockets {
+    enabled = true
+    domain = "<%= jitsi_private_domain %>"
+    tls = true
+    server-id = "<%= private_ip4 %>"
+  }
+  http-servers {
+      private {
+        host = 0.0.0.0
+      }
+      public {
+          host = 0.0.0.0
+          port = 9090
+      }
+  }
+}
+ice4j {
+  harvest {
+    mapping {
+      stun {
+        addresses = [ "meet-jit-si-turnrelay.jitsi.net:443" ]
+      }
+      static-mappings = [
+        {
+          local-address = "<%= private_ip4 %>"
+          public-address = ""
+          name = "ip-0"
+        }
+      ]
+    }
+  }
+}

package/templates/etc/jitsi/videobridge/{jvb.conf → jvb.public.conf} RENAMED Viewed

@@ -9,12 +9,12 @@ videobridge {
     xmpp-client {
       configs {
         shard0 {
-          HOSTNAME = "xmpp.<%= jitsi_domain %>"
+          HOSTNAME = "xmpp.<%= jitsi_public_domain %>"
           PORT = "5222"
-          DOMAIN = "auth.<%= jitsi_domain %>"
+          DOMAIN = "auth.<%= jitsi_public_domain %>"
           USERNAME = "jvb"
           PASSWORD = "<%= jvb_password %>"
-          MUC_JIDS = "jvbbrewery@internal-muc.<%= jitsi_domain %>"
+          MUC_JIDS = "jvbbrewery@internal-muc.<%= jitsi_public_domain %>"
           MUC_NICKNAME = "shard0"
           DISABLE_CERTIFICATE_VERIFICATION = true
         }
@@ -34,9 +34,9 @@ videobridge {
   }
   websockets {
     enabled = true
-    domain = "<%= jitsi_domain %>"
+    domain = "<%= jitsi_public_domain %>"
     tls = true
-    server-id = "<%= local_address %>"
+    server-id = "<%= private_ip4 %>"
   }
   http-servers {
       private {
@@ -57,7 +57,7 @@ ice4j {
       }
       static-mappings = [
         {
-          local-address = "<%= local_address %>"
+          local-address = "<%= private_ip4 %>"
           public-address = ""
           name = "ip-0"
         }