Merge pull request spantaleev#415 from spantaleev/jitsi

Add Jitsi support
mooomooo · Mar 24, 2020 · be00452 · be00452
2 parents ecd35a8 + d605b21
commit be00452
Show file tree

Hide file tree

Showing 31 changed files with 1,706 additions and 1 deletion.
diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md
@@ -23,6 +23,7 @@ If you decide to go with the alternative method ([Server Delegation via a DNS SR
 | A     | `matrix`                     | -        | -      | -    | `matrix-server-IP`     |
 | CNAME | `riot`                       | -        | -      | -    | `matrix.<your-domain>` |
 | CNAME | `dimension` (*)              | -        | -      | -    | `matrix.<your-domain>` |
+| CNAME | `jitsi` (*)                  | -        | -      | -    | `matrix.<your-domain>` |
 | SRV   | `_matrix-identity._tcp`      | 10       | 0      | 443  | `matrix.<your-domain>` |
 
 
@@ -38,6 +39,8 @@ If you'd rather instruct the playbook not to install Riot (`matrix_riot_web_enab
 
 The `dimension.<your-domain>` subdomain may be necessary, because this playbook could install the [Dimension integrations manager](http://dimension.t2bot.io/) for you. Dimension installation is disabled by default, because it's only possible to install it after the other Matrix services are working (see [Setting up Dimension](configuring-playbook-dimension.md) later). If you do not wish to set up Dimension, feel free to skip the `dimension.<your-domain>` DNS record.
 
+The `jitsi.<your-domain>` subdomain may be necessary, because this playbook could install the [Jitsi video-conferencing platform](https://jitsi.org/) for you. Jitsi installation is disabled by default, because it may be heavy and is not a core required component. To learn how to install it, see our [Jitsi](configuring-playbook-jitsi.md) guide. If you do not wish to set up Jitsi, feel free to skip the `jitsi.<your-domain>` DNS record.
+
 
 ## `_matrix-identity._tcp` SRV record setup
 

diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md
@@ -0,0 +1,36 @@
+# Jitsi
+
+The playbook can install the [Jitsi](https://jitsi.org/) video-conferencing platform and integrate it with [Riot](configuring-playbook-riot-web.md).
+
+Jitsi installation is **not enabled by default**, because it's not a core component of Matrix services.
+
+The setup done by the playbook is very similar to [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet).
+
+
+## Prerequisites
+
+Before installing Jitsi, make sure you've created the `jitsi.DOMAIN` DNS record. See [Configuring DNS](configuring-dns.md).
+
+You may also need to open the following ports to your server:
+
+- `udp/10000` - RTP media over UDP
+- `tcp/4443` - RTP media fallback over TCP
+
+
+## Installation
+
+Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
+
+```yaml
+matrix_jitsi_enabled: true
+
+# We only need this temporarily - until Jitsi integration in riot-web is finalized.
+# Remove this line in the future, to switch back to a stable riot-web version.
+matrix_riot_web_docker_image: "vectorim/riot-web:develop"
+```
+
+Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`
+
+.. and fully reload your riot-web page (at `riot.DOMAIN`).
+
+Starting a video-conference in a room with more than 2 members should then create a Jitsi widget which utilizes your self-hosted Jitsi server.
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
@@ -392,6 +392,41 @@ matrix_email2matrix_enabled: false
 
 
 
+######################################################################
+#
+# matrix-jitsi
+#
+######################################################################
+
+matrix_jitsi_enabled: false
+
+# Normally, matrix-nginx-proxy is enabled and nginx can reach jitsi/web over the container network.
+# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
+# the Jitsi HTTP port to the local host.
+matrix_jitsi_web_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:12080' }}"
+
+matrix_jitsi_jibri_xmpp_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jibri') | to_uuid }}"
+matrix_jitsi_jicofo_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jicofo') | to_uuid }}"
+matrix_jitsi_jvb_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jvb') | to_uuid }}"
+
+matrix_jitsi_web_stun_servers: |
+  {{
+    [
+      matrix_server_fqn_matrix + ':5349',
+      matrix_server_fqn_matrix + ':3478',
+    ]
+    if matrix_coturn_enabled
+    else [ 'stun.l.google.com:19302', 'stun1.l.google.com:19302', 'stun2.l.google.com:19302']
+  }}
+
+######################################################################
+#
+# /matrix-jitsi
+#
+######################################################################
+
+
+
 ######################################################################
 #
 # matrix-mailer
@@ -482,6 +517,7 @@ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: "{{ matrix_s
 matrix_nginx_proxy_proxy_matrix_enabled: true
 matrix_nginx_proxy_proxy_riot_enabled: "{{ matrix_riot_web_enabled }}"
 matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}"
+matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
 
 matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}"
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
@@ -525,6 +561,8 @@ matrix_ssl_domains_to_obtain_certificates_for: |
     +
     ([matrix_server_fqn_dimension] if matrix_dimension_enabled else [])
     +
+    ([matrix_server_fqn_jitsi])
+    +
     ([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else [])
   }}
 
@@ -596,6 +634,8 @@ matrix_riot_web_enable_presence_by_hs_url: |
 
 matrix_riot_web_welcome_user_id: ~
 
+matrix_riot_web_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jitsi_enabled else '' }}"
+
 ######################################################################
 #
 # /matrix-riot-web

diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml
@@ -18,6 +18,9 @@ matrix_server_fqn_riot: "riot.{{ matrix_domain }}"
 # This is where you access the Dimension.
 matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}"
 
+# This is where you access Jitsi.
+matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}"
+
 matrix_user_username: "matrix"
 matrix_user_uid: 991
 matrix_user_gid: 991
@@ -69,4 +72,4 @@ run_stop: true
 
 # Building every docker image from source on the target host
 # Controlling docker image build is possible on a per unit base
-matrix_container_images_self_build: false
+matrix_container_images_self_build: false
diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml
@@ -0,0 +1,116 @@
+matrix_jitsi_enabled: true
+
+matrix_jitsi_base_path: "{{ matrix_base_data_path }}/jitsi"
+
+matrix_jitsi_enable_auth: false
+matrix_jitsi_enable_guests: false
+matrix_jitsi_enable_recording: true
+matrix_jitsi_enable_transcriptions: true
+
+matrix_jitsi_timezone: UTC
+
+matrix_jitsi_xmpp_domain: matrix-jitsi-web
+matrix_jitsi_xmpp_server: matrix-jitsi-prosody
+matrix_jitsi_xmpp_auth_domain: auth.meet.jitsi
+matrix_jitsi_xmpp_bosh_url_base: http://{{ matrix_jitsi_xmpp_server }}:5280
+matrix_jitsi_xmpp_guest_domain: guest.meet.jitsi
+matrix_jitsi_xmpp_muc_domain: muc.meet.jitsi
+matrix_jitsi_xmpp_internal_muc_domain: internal-muc.meet.jitsi
+
+matrix_jitsi_recorder_domain: recorder.meet.jitsi
+
+
+matrix_jitsi_jibri_brewery_muc: jibribrewery
+matrix_jitsi_jibri_pending_timeout: 90
+matrix_jitsi_jibri_xmpp_user: jibri
+matrix_jitsi_jibri_xmpp_password: jibri-password
+matrix_jitsi_jibri_recorder_user: recorder
+matrix_jitsi_jibri_recorder_password: recorder-password
+
+
+matrix_jitsi_web_docker_image: "jitsi/web:4101"
+matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}"
+
+matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web"
+matrix_jitsi_web_config_path: "{{ matrix_jitsi_web_base_path }}/config"
+matrix_jitsi_web_transcripts_path: "{{ matrix_jitsi_web_base_path }}/transcripts"
+
+matrix_jitsi_web_public_url: "https://{{ matrix_server_fqn_jitsi }}"
+
+# STUN servers used in the web UI. Feel free to point them to your own STUN server.
+matrix_jitsi_web_stun_servers: ['stun.l.google.com:19302', 'stun1.l.google.com:19302', 'stun2.l.google.com:19302']
+
+# Controls whether the matrix-jitsi-web container exposes its HTTP port (tcp/80 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:12080"), or empty string to not expose.
+matrix_jitsi_web_container_http_host_bind_port: ''
+
+# A list of extra arguments to pass to the container
+matrix_jitsi_web_container_extra_arguments: []
+
+# List of systemd services that matrix-jitsi-web.service depends on
+matrix_jitsi_web_systemd_required_services_list: ['docker.service']
+
+
+matrix_jitsi_prosody_docker_image: "jitsi/prosody:4101"
+matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}"
+
+matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody"
+matrix_jitsi_prosody_config_path: "{{ matrix_jitsi_prosody_base_path }}/config"
+
+# A list of extra arguments to pass to the container
+matrix_jitsi_prosody_container_extra_arguments: []
+
+# List of systemd services that matrix-jitsi-prosody.service depends on
+matrix_jitsi_prosody_systemd_required_services_list: ['docker.service']
+
+
+matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4101"
+matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}"
+
+matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo"
+matrix_jitsi_jicofo_config_path: "{{ matrix_jitsi_jicofo_base_path }}/config"
+
+# A list of extra arguments to pass to the container
+matrix_jitsi_jicofo_container_extra_arguments: []
+
+# List of systemd services that matrix-jitsi-jicofo.service depends on
+matrix_jitsi_jicofo_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service']
+
+matrix_jitsi_jicofo_component_secret: s3cr37
+matrix_jitsi_jicofo_auth_user: focus
+matrix_jitsi_jicofo_auth_password: passw0rd
+
+
+matrix_jitsi_jvb_docker_image: "jitsi/jvb:4101"
+matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}"
+
+matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb"
+matrix_jitsi_jvb_config_path: "{{ matrix_jitsi_jvb_base_path }}/config"
+
+# A list of extra arguments to pass to the container
+matrix_jitsi_jvb_container_extra_arguments: []
+
+# List of systemd services that matrix-jitsi-jvb.service depends on
+matrix_jitsi_jvb_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service']
+
+matrix_jitsi_jvb_auth_user: jvb
+matrix_jitsi_jvb_auth_password: passw0rd
+
+# STUN servers used by JVB on the server-side, so it can discover its own external IP address.
+# Pointing this to a STUN server running on the same Docker network may lead to incorrect IP address discovery.
+matrix_jitsi_jvb_stun_servers: ['stun.l.google.com:19302', 'stun1.l.google.com:19302', 'stun2.l.google.com:19302']
+
+matrix_jitsi_jvb_brewery_muc: jvbbrewery
+matrix_jitsi_jvb_rtp_udp_port: 10000
+matrix_jitsi_jvb_rtp_tcp_port: 4443
+
+# Controls whether the matrix-jitsi-jvb container exposes its RTP UDP port (udp/10000 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:10000"), or empty string to not expose.
+matrix_jitsi_jvb_container_rtp_udp_host_bind_port: "{{ matrix_jitsi_jvb_rtp_udp_port }}"
+
+# Controls whether the matrix-jitsi-jvb container exposes its RTP UDP port (udp/4443 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:4443"), or empty string to not expose.
+matrix_jitsi_jvb_container_rtp_tcp_host_bind_port: "{{ matrix_jitsi_jvb_rtp_tcp_port }}"
diff --git a/roles/matrix-jitsi/tasks/init.yml b/roles/matrix-jitsi/tasks/init.yml
@@ -0,0 +1,3 @@
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-jitsi-web', 'matrix-jitsi-prosody', 'matrix-jitsi-jicofo', 'matrix-jitsi-jvb'] }}"
+  when: matrix_jitsi_enabled|bool
diff --git a/roles/matrix-jitsi/tasks/main.yml b/roles/matrix-jitsi/tasks/main.yml
@@ -0,0 +1,33 @@
+- import_tasks: "{{ role_path }}/tasks/init.yml"
+  tags:
+    - always
+
+- import_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml"
+  when: run_setup|bool
+  tags:
+    - setup-all
+    - setup-jitsi
+
+- import_tasks: "{{ role_path }}/tasks/setup_jitsi_web.yml"
+  when: run_setup|bool
+  tags:
+    - setup-all
+    - setup-jitsi
+
+- import_tasks: "{{ role_path }}/tasks/setup_jitsi_prosody.yml"
+  when: run_setup|bool
+  tags:
+    - setup-all
+    - setup-jitsi
+
+- import_tasks: "{{ role_path }}/tasks/setup_jitsi_jicofo.yml"
+  when: run_setup|bool
+  tags:
+    - setup-all
+    - setup-jitsi
+
+- import_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb.yml"
+  when: run_setup|bool
+  tags:
+    - setup-all
+    - setup-jitsi
diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_base.yml b/roles/matrix-jitsi/tasks/setup_jitsi_base.yml
@@ -0,0 +1,20 @@
+---
+
+#
+# Tasks related to setting up jitsi
+#
+
+- name: Ensure Matrix jitsi base path exists
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  with_items:
+    - { path: "{{ matrix_jitsi_base_path }}", when: true }
+  when: matrix_jitsi_enabled|bool and item.when
+
+#
+# Tasks related to getting rid of jitsi (if it was previously enabled)
+#