@drumee/setup-infra 1.0.28 → 1.0.29

package/templates/etc/nginx/modules-enabled/90-turn-relay.conf

@@ -0,0 +1,27 @@
+stream {
+    map $ssl_preread_server_name $name {
+        <%= jitsi_domain %> web_backend;
+        turn-jitsi.<%= jitsi_domain %> turn_backend;
+    }
+
+    upstream web_backend {
+        server 127.0.0.1:4444;
+    }
+
+    upstream turn_backend {
+        server <%= public_ip4 %>:5349;
+    }
+
+    server {
+        listen 443;
+        listen [::]:443;
+
+        # since 1.11.5
+        ssl_preread on;
+
+        proxy_pass $name;
+
+        # Increase buffer to serve video
+        proxy_buffer_size 10m;
+    }
+}

package/templates/etc/nginx/modules-enabled/90-turn-relay.conf.tpl

@@ -0,0 +1,27 @@
+stream {
+    map $ssl_preread_server_name $name {
+        turn.<%= jitsi_domain %> web_backend;
+        turn-jitsi.<%= jitsi_domain %> turn_backend;
+    }
+
+    upstream web_backend {
+        server 127.0.0.1:3478;
+    }
+
+    upstream turn_backend {
+        server <%= public_ip4 %>:5349;
+    }
+
+    server {
+        listen 443 udp;
+        listen [::]:443 udp;
+
+        # since 1.11.5
+        ssl_preread on;
+
+        proxy_pass $name;
+
+        # Increase buffer to serve video
+        proxy_buffer_size 10m;
+    }
+}

package/templates/etc/nginx/sites-enabled/jitsi.conf.tpl

@@ -0,0 +1,28 @@
+# -------------------------------------------------------------
+# !!!!!!! DO NOT EDIT !!!!!!!!
+# Config file automatically generated by <setup-infra>
+# Purpose     : Provide Nginx config to a specific server
+# Server name : <%= domain %>
+# Date        : <%= date %>
+# -------------------------------------------------------------
+
+map $http_upgrade $connection_upgrade {
+	default upgrade;
+	''      close;
+}
+
+server {
+	listen <%= http_port %> default_server;
+	listen [::]:<%= http_port %> default_server;
+    server_name *.<%= jitsi_domain %>;
+	include /etc/jitsi/meet.conf;
+}
+
+server {
+	listen <%= https_port %> ssl http2;
+	listen [::]:<%= https_port %> ssl http2;
+	server_name <%= jitsi_domain %>; 
+	include /etc/jitsi/ssl.conf;
+	include /etc/jitsi/meet.conf;
+}
+

package/templates/etc/nginx/sites-enabled/localhost.conf

@@ -0,0 +1,31 @@
+
+# -------------------------------------------------------------
+# !!!!!!! DO NOT EDIT !!!!!!!!
+# Config file automatically generated by <setup-infra>
+# Purpose     : Provide Nginx config to a specific server
+# Server name : localhost
+# Date        : <%= date %>
+# -------------------------------------------------------------
+
+proxy_cache_path <%= drumee_root %>/cache/localhost levels=1:2 keys_zone=localhost_keys_zone:10m max_size=10g inactive=60m;
+server {
+	listen <%= http_port %>;
+	listen [::]:<%= http_port %>;
+	server_name localhost; 
+	#
+	root <%= drumee_root %>/runtime/server;
+	client_max_body_size 10G;
+
+	# Security headers
+	add_header X-Content-Type-Options nosniff;
+	add_header X-XSS-Protection "1; mode=block";
+
+	set $prefix "";
+
+	include /etc/drumee/infrastructure/routes/*.conf;
+	include /etc/drumee/infrastructure/internals/accel.conf;
+	include /etc/drumee/infrastructure/mfs.conf;
+}
+
+
+

package/templates/etc/nginx/sites-enabled/pivate.jitsi.conf.tpl

@@ -0,0 +1,28 @@
+# -------------------------------------------------------------
+# !!!!!!! DO NOT EDIT !!!!!!!!
+# Config file automatically generated by <setup-infra>
+# Purpose     : Provide Nginx config to a specific server
+# Server name : <%= domain %>
+# Date        : <%= date %>
+# -------------------------------------------------------------
+
+map $http_upgrade $connection_upgrade {
+	default upgrade;
+	''      close;
+}
+
+server {
+	listen <%= http_port %> default_server;
+	listen [::]:<%= http_port %> default_server;
+    server_name *.<%= jitsi_domain %>;
+	include /etc/jitsi/meet.conf;
+}
+
+server {
+	listen <%= https_port %> ssl;
+	listen [::]:<%= https_port %> ssl;
+	server_name <%= jitsi_domain %>; 
+	include /etc/jitsi/ssl.conf;
+	include /etc/jitsi/meet.conf;
+}
+

package/templates/etc/nginx/sites-enabled/private.conf.tpl

@@ -0,0 +1,40 @@
+
+# -------------------------------------------------------------
+# !!!!!!! DO NOT EDIT !!!!!!!!
+# Config file automatically generated by <setup-infra>
+# Purpose     : Provide Nginx config to a specific server
+# Server name : <%= private_domain %>
+# Date        : <%= date %>
+# -------------------------------------------------------------
+
+
+proxy_cache_path <%= cache_dir %>/<%= private_domain %> levels=1:2 keys_zone=<%= private_domain %>_keys_zone:10m max_size=10g inactive=60m;
+server {
+	listen <%= http_port %>;
+	listen [::]:<%= http_port %>;
+	server_name <%= private_domain %>; 
+	location / {
+		return  301 https://$host$request_uri;
+	}
+}
+server {
+	listen <%= https_port %> ssl;
+	listen [::]:<%= https_port %> ssl;	
+	#
+	root <%= server_dir %>;
+	server_name <%= private_domain %>; 
+	client_max_body_size <%= max_body_size %>;
+
+	# Security headers
+	add_header X-Content-Type-Options nosniff;
+	add_header X-XSS-Protection "1; mode=block";
+
+	set $prefix "";
+
+	include /etc/drumee/ssl/private.conf;
+	include /etc/drumee/infrastructure/routes/*.conf;
+	include /etc/drumee/infrastructure/internals/*.conf;
+	include /etc/drumee/infrastructure/mfs.conf;
+}
+
+

package/templates/etc/nginx/sites-enabled/public.conf.tpl

@@ -0,0 +1,40 @@
+
+# -------------------------------------------------------------
+# !!!!!!! DO NOT EDIT !!!!!!!!
+# Config file automatically generated by <setup-infra>
+# Purpose     : Provide Nginx config to a specific server
+# Server name : <%= public_domain %>
+# Date        : <%= date %>
+# -------------------------------------------------------------
+
+
+proxy_cache_path <%= cache_dir %>/<%= public_domain %> levels=1:2 keys_zone=<%= public_domain %>_keys_zone:10m max_size=10g inactive=60m;
+server {
+	listen <%= http_port %>;
+	listen [::]:<%= http_port %>;
+	server_name <%= public_domain %>; 
+	location / {
+		return  301 https://$host$request_uri;
+	}
+}
+server {
+	listen <%= https_port %> ssl;
+	listen [::]:<%= https_port %> ssl;	
+	#
+	root <%= server_dir %>;
+	server_name <%= public_domain %>; 
+	client_max_body_size <%= max_body_size %>;
+
+	# Security headers
+	add_header X-Content-Type-Options nosniff;
+	add_header X-XSS-Protection "1; mode=block";
+
+	set $prefix "";
+
+	include /etc/drumee/ssl/main.conf;
+	include /etc/drumee/infrastructure/routes/*.conf;
+	include /etc/drumee/infrastructure/internals/*.conf;
+	include /etc/drumee/infrastructure/mfs.conf;
+}
+
+

package/templates/etc/nginx/sites-enabled/public.jitsi.conf.tpl

@@ -0,0 +1,28 @@
+# -------------------------------------------------------------
+# !!!!!!! DO NOT EDIT !!!!!!!!
+# Config file automatically generated by <setup-infra>
+# Purpose     : Provide Nginx config to a specific server
+# Server name : <%= domain %>
+# Date        : <%= date %>
+# -------------------------------------------------------------
+
+map $http_upgrade $connection_upgrade {
+	default upgrade;
+	''      close;
+}
+
+server {
+	listen <%= http_port %> default_server;
+	listen [::]:<%= http_port %> default_server;
+    server_name *.<%= jitsi_public %>;
+	include /etc/jitsi/meet.conf;
+}
+
+server {
+	listen <%= https_port %> ssl http2;
+	listen [::]:<%= https_port %> ssl http2;
+	server_name <%= jitsi_public %>; 
+	include /etc/jitsi/ssl.conf;
+	include /etc/jitsi/meet.conf;
+}
+

package/templates/etc/prosody/conf.d/vhost.cfg.lua.tpl

@@ -0,0 +1,162 @@
+admins = {
+    "jigasi@auth.<%= jitsi_domain %>",
+    "jibri@auth.<%= jitsi_domain %>",
+    "focus@auth.<%= jitsi_domain %>",
+    "jvb@auth.<%= jitsi_domain %>"
+}
+
+unlimited_jids = {
+    "focus@auth.<%= jitsi_domain %>",
+    "jvb@auth.<%= jitsi_domain %>"
+}
+
+plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/", "/prosody-plugins-custom" }
+
+muc_mapper_domain_base = "<%= jitsi_domain %>";
+muc_mapper_domain_prefix = "muc";
+http_default_host = "<%= jitsi_domain %>"
+consider_bosh_secure = true;
+consider_websocket_secure = true;
+
+VirtualHost "<%= jitsi_domain %>"
+    authentication = "internal_hashed"
+    ssl = {
+        key = "<%= certs_dir %>/<%= jitsi_domain %>_ecc/<%= jitsi_domain %>.key";
+        certificate = "<%= certs_dir %>/<%= jitsi_domain %>_ecc/<%= jitsi_domain %>.cer";
+    }
+    modules_enabled = {
+        "bosh";
+        "websocket";
+        "smacks"; -- XEP-0198: Stream Management
+        "pubsub";
+        "ping";
+        "speakerstats";
+        "conference_duration";
+        "room_metadata";
+        "end_conference";
+        "muc_lobby_rooms";
+        "muc_breakout_rooms";
+        "av_moderation";
+        "turncredentials";
+    }
+    main_muc = "muc.<%= jitsi_domain %>"
+    lobby_muc = "lobby.<%= jitsi_domain %>"
+    breakout_rooms_muc = "breakout.<%= jitsi_domain %>"
+    speakerstats_component = "speakerstats.<%= jitsi_domain %>"
+    conference_duration_component = "conferenceduration.<%= jitsi_domain %>"
+    end_conference_component = "endconference.<%= jitsi_domain %>"
+    av_moderation_component = "avmoderation.<%= jitsi_domain %>"
+    turncredentials_secret = "<%= turn_sercret %>"
+    c2s_require_encryption = false
+
+
+VirtualHost "guest.<%= jitsi_domain %>"
+    authentication = "anonymous"
+    ssl = {
+        key = "/usr/share/acme/certs/<%= jitsi_domain %>_ecc/<%= jitsi_domain %>.key";
+        certificate = "/usr/share/acme/certs/<%= jitsi_domain %>_ecc/<%= jitsi_domain %>.cer";
+    }
+    modules_enabled = {
+        "bosh";
+        "websocket";
+        "smacks"; -- XEP-0198: Stream Management
+        "pubsub";
+        "ping";
+        "speakerstats";
+        "conference_duration";
+        "room_metadata";
+        "end_conference";
+        "muc_lobby_rooms";
+        "muc_breakout_rooms";
+        "av_moderation";
+ 	    "turncredentials";
+    }
+    main_muc = "muc.<%= jitsi_domain %>"
+    lobby_muc = "lobby.<%= jitsi_domain %>"
+    breakout_rooms_muc = "breakout.<%= jitsi_domain %>"
+    speakerstats_component = "speakerstats.<%= jitsi_domain %>"
+    conference_duration_component = "conferenceduration.<%= jitsi_domain %>"
+    end_conference_component = "endconference.<%= jitsi_domain %>"
+    av_moderation_component = "avmoderation.<%= jitsi_domain %>"
+    turncredentials_secret = "<%= turn_sercret %>"
+    c2s_require_encryption = false
+
+
+VirtualHost "auth.<%= jitsi_domain %>"
+    ssl = {
+        key = "<%= certs_dir %>/<%= jitsi_domain %>_ecc/<%= jitsi_domain %>.key";
+        certificate = "<%= certs_dir %>/<%= jitsi_domain %>_ecc/fullchain.cer";
+    }
+    modules_enabled = {
+        "limits_exception";
+    }
+    authentication = "internal_hashed"
+
+
+
+Component "internal-muc.<%= jitsi_domain %>" "muc"
+    storage = "memory"
+    modules_enabled = {
+        "ping";
+    }
+    restrict_room_creation = true
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+
+Component "muc.<%= jitsi_domain %>" "muc"
+    restrict_room_creation = true
+    storage = "memory"
+    modules_enabled = {
+        "muc_meeting_id";
+        "polls";
+        "muc_domain_mapper";
+        "muc_password_whitelist";
+    }
+
+    -- The size of the cache that saves state for IP addresses
+	rate_limit_cache_size = 10000;
+    muc_room_cache_size = 1000
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+    muc_password_whitelist = {
+        "focus@<no value>"
+    }
+
+Component "focus.<%= jitsi_domain %>" "client_proxy"
+    target_address = "focus@auth.<%= jitsi_domain %>"
+
+Component "speakerstats.<%= jitsi_domain %>" "speakerstats_component"
+    muc_component = "muc.<%= jitsi_domain %>"
+
+Component "conferenceduration.<%= jitsi_domain %>" "conference_duration_component"
+    muc_component = "muc.<%= jitsi_domain %>"
+
+
+Component "endconference.<%= jitsi_domain %>" "end_conference"
+    muc_component = "muc.<%= jitsi_domain %>"
+
+
+Component "lobby.<%= jitsi_domain %>" "muc"
+    storage = "memory"
+    restrict_room_creation = true
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+    modules_enabled = {
+    }
+
+
+Component "breakout.<%= jitsi_domain %>" "muc"
+    storage = "memory"
+    restrict_room_creation = true
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+    modules_enabled = {
+        "muc_meeting_id";
+        "muc_domain_mapper";
+        "polls";
+    }
+
+
+Component "metadata.<%= jitsi_domain %>" "room_metadata_component"
+    muc_component = "muc.<%= jitsi_domain %>"
+    breakout_rooms_component = "breakout.<%= jitsi_domain %>"

package/templates/etc/turnserver.conf.tpl

@@ -0,0 +1,46 @@
+# jitsi-meet coturn config. Do not modify this line
+use-auth-secret
+keep-address-family
+static-auth-secret=<%= turn_sercret %>
+realm=<%= jitsi_domain %>
+cert=<%= acme_dir %>/certs/<%= jitsi_domain %>_ecc/<%= jitsi_domain %>.cer
+pkey=<%= acme_dir %>/certs/<%= jitsi_domain %>_ecc/<%= jitsi_domain %>.key
+external-ip=<%= public_ip4 %> / <%= public_ip6 %>
+no-multicast-peers
+no-cli
+#no-loopback-peers
+#no-tcp-relay
+no-tcp
+listening-port=3478
+tls-listening-port=5349
+no-tlsv1
+no-tlsv1_1
+# https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
+cipher-list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+# without it there are errors when running on Ubuntu 20.04
+dh2066
+# jitsi-meet coturn relay disable config. Do not modify this line
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
+denied-peer-ip=::1
+denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+syslog

package/templates/var/lib/bind/prvate.tpl

@@ -0,0 +1,70 @@
+$TTL 3D
+$ORIGIN <%= private_domain %>.
+;
+@       IN      SOA     ns1.<%= private_domain %>. master.<%= private_domain %>. (
+                        <%= serial %>   ; serial, today date + today serial
+                        1H              ; refresh, seconds
+                        2H              ; retry, seconds
+                        4W              ; expire, seconds
+                        1D )            ; minimum, seconds
+;
+;
+@		60	IN  NS      ns1.<%= private_domain %>.
+@		60	IN  NS      ns2.<%= private_domain %>.
+;
+<% if (typeof(private_ip4) !== "undefined" && private_ip4 != "" ) { %>
+; A records
+@		60	IN	A	    <%= private_ip4 %>
+ns1		60	IN	A	    <%= private_ip4 %>
+ns2		60	IN	A	    <%= private_ip4 %>
+smtp	60	IN	A	    <%= private_ip4 %>
+jit		60	IN	A	    <%= private_ip4 %>
+*		60	IN	A	    <%= private_ip4 %>
+;
+<% } %>
+<% if (typeof(private_ip6) !== "undefined" && private_ip6 != "" ) { %>
+; AAAA records
+@		60	IN	AAAA	<%= private_ip6 %>
+ns1		60	IN	AAAA	<%= private_ip6 %>
+ns2		60	IN	AAAA	<%= private_ip6 %>
+smtp	60	IN	AAAA	<%= private_ip6 %>
+jit		60	IN	AAAA	<%= private_ip6 %>
+*		60	IN	AAAA	<%= private_ip6 %>
+<% } %>
+;
+; CNAME
+;
+www             IN   CNAME  <%= private_domain %>.
+;
+; MX records 
+;
+@               60  IN   MX 10  smtp.<%= private_domain %>.
+
+; TXT records 
+_acme-challenge 60	IN	TXT "acme-challenge"
+@               60	IN	TXT "v=spf1 a ~all"
+@               60	IN	TXT (<%= dkim_key %>)
+;
+;
+; DKIM 
+smtp._domainkey 60  IN  TXT (<%= dkim_key %>)
+dkim._domainkey 60  IN  TXT (<%= dkim_key %>)
+;
+;
+; DMARC 
+_dmarc          60  IN  TXT "v=DMARC1; p=quarantine;  sp=quarantine; aspf=s"
+;
+;
+; Jitsi subdomain
+$ORIGIN <%= jitsi_domain %>.
+;
+<% if (typeof(private_ip4) !== "undefined" && private_ip4 != "" ) { %>
+*		60	IN	A	    <%= private_ip4 %>
+<% } %>
+<% if (typeof(private_ip6) !== "undefined" && private_ip6 != "" ) { %>
+*		60	IN	AAAA	<%= private_ip6 %>
+<% } %>
+;
+; TXT records 
+_acme-challenge 60	IN	TXT	"jit-acme-challenge"
+