more updates march

jitsi/web/rootfs/etc/cont-init.d/10-config

@@ -0,0 +1,142 @@
+#!/usr/bin/with-contenv bash
+
+# make our folders
+mkdir -p \
+    /config/{nginx/site-confs,keys} \
+    /run \
+    /var/lib/nginx/tmp/client_body \
+    /var/tmp/nginx
+
+# generate keys (maybe)
+if [[ $DISABLE_HTTPS -ne 1 ]]; then
+    if [[ $ENABLE_LETSENCRYPT -eq 1 ]]; then
+        mkdir -p /config/acme.sh
+        pushd /opt
+        sh ./acme.sh --install --home /config/acme.sh --accountemail $LETSENCRYPT_EMAIL
+        popd
+
+        STAGING=""
+        if [[ $LETSENCRYPT_USE_STAGING -eq 1 ]]; then
+            STAGING="--staging"
+        fi
+
+        ACME_SERVER=""
+        if [[ ! -z $LETSENCRYPT_ACME_SERVER ]]; then
+            ACME_SERVER="--set-default-ca --server $LETSENCRYPT_ACME_SERVER"
+            echo "Using custom ACME server: $LETSENCRYPT_ACME_SERVER"
+        fi
+
+        export LE_WORKING_DIR="/config/acme.sh"
+        # TODO: move away from standalone mode to webroot mode.
+        /config/acme.sh/acme.sh \
+            $STAGING \
+            $ACME_SERVER \
+            --issue \
+            --standalone \
+            --pre-hook "if [[ -d /var/run/s6/services/nginx ]]; then s6-svc -d /var/run/s6/services/nginx; fi" \
+            --post-hook "if [[ -d /var/run/s6/services/nginx ]]; then s6-svc -u /var/run/s6/services/nginx; fi" \
+            -d $LETSENCRYPT_DOMAIN
+        rc=$?
+        if [[ $rc -eq 1 ]]; then
+            echo "Failed to obtain a certificate from the Let's Encrypt CA."
+            # this tries to get the user's attention and to spare the
+            # authority's rate limit:
+            sleep 15
+            echo "Exiting."
+            exit 1
+        fi
+        if [[ $rc -eq 0 ]]; then
+            mkdir -p /config/acme-certs/$LETSENCRYPT_DOMAIN
+            if ! /config/acme.sh/acme.sh \
+                    --install-cert -d $LETSENCRYPT_DOMAIN \
+                    --key-file /config/acme-certs/$LETSENCRYPT_DOMAIN/key.pem  \
+                    --fullchain-file /config/acme-certs/$LETSENCRYPT_DOMAIN/fullchain.pem ; then
+                echo "Failed to install certificate."
+                # this tries to get the user's attention and to spare the
+                # authority's rate limit:
+                sleep 15
+                echo "Exiting."
+                exit 1
+            fi
+        fi
+    else
+        # use self-signed certs
+        if [[ -f /config/keys/cert.key && -f /config/keys/cert.crt ]]; then
+            echo "using keys found in /config/keys"
+        else
+            echo "generating self-signed keys in /config/keys, you can replace these with your own keys if required"
+            SUBJECT="/C=US/ST=TX/L=Austin/O=jitsi.org/OU=Jitsi Server/CN=*"
+            openssl req -new -x509 -days 3650 -nodes -out /config/keys/cert.crt -keyout /config/keys/cert.key -subj "$SUBJECT"
+        fi
+    fi
+fi
+
+# Detect nameserver for Nginx, if not specified.
+if [[ -z "$NGINX_RESOLVER" ]]; then
+    IP_LIST=""
+
+    # Parse IPs in /etc/resolv.conf, taking into account IPv6 addresses need to be
+    # enclosed in square brackets for the Nginx config file.
+    while read -r line; do
+        if [[ $line =~ ^nameserver.* ]]; then
+            IP=$(echo $line | cut -d" " -f2)
+            COLONS=$(echo $IP | tr -dc ":" | awk '{ print length '})
+            if [[ $COLONS -ge 2 ]]; then
+                IP="[$IP]"
+            fi
+            if [[ ! "$IP_LIST" = "" ]]; then
+                IP_LIST+=" "
+            fi
+            IP_LIST+="$IP"
+        fi
+    done < <(cat /etc/resolv.conf)
+
+    export NGINX_RESOLVER=$IP_LIST
+fi
+
+echo "Using Nginx resolver: =$NGINX_RESOLVER="
+
+# colibri-ws settings
+COLIBRI_WEBSOCKET_UNSAFE_REGEX="[a-zA-Z0-9-\._]+"
+# use custom websocket regex if provided
+if [ -z "$COLIBRI_WEBSOCKET_REGEX" ]; then
+    # default to the previous unsafe behavior only if flag is set
+    if [[ "$ENABLE_COLIBRI_WEBSOCKET_UNSAFE_REGEX" == "1" ]]; then
+        export COLIBRI_WEBSOCKET_REGEX="$COLIBRI_WEBSOCKET_UNSAFE_REGEX"
+    else
+        # default value to the JVB IP, works in compose and anywhere a dns lookup of the JVB reveals the correct IP for proxying
+        [ -z "$COLIBRI_WEBSOCKET_JVB_LOOKUP_NAME" ] && export COLIBRI_WEBSOCKET_JVB_LOOKUP_NAME="jvb"
+        if [[ "$DISABLE_COLIBRI_WEBSOCKET_JVB_LOOKUP" == "1" ]]; then
+            # otherwise value default to the static value in the template 'jvb'
+            echo "WARNING: DISABLE_COLIBRI_WEBSOCKET_JVB_LOOKUP is set and no value for COLIBRI_WEBSOCKET_REGEX was provided, using static value 'jvb' for COLIBRI_WEBSOCKET_REGEX"
+        else
+            export COLIBRI_WEBSOCKET_REGEX="$(dig +short +search $COLIBRI_WEBSOCKET_JVB_LOOKUP_NAME)"
+        fi
+    fi
+fi
+
+# maintain backward compatibility with older variable
+[ -z "${XMPP_HIDDEN_DOMAIN}" ] && export XMPP_HIDDEN_DOMAIN="$XMPP_RECORDER_DOMAIN"
+
+# copy config files
+tpl /defaults/nginx.conf > /config/nginx/nginx.conf
+
+tpl /defaults/meet.conf > /config/nginx/meet.conf
+if [[ -f /config/nginx/custom-meet.conf ]]; then
+    cat /config/nginx/custom-meet.conf >> /config/nginx/meet.conf
+fi
+
+tpl /defaults/ssl.conf > /config/nginx/ssl.conf
+
+tpl /defaults/default > /config/nginx/site-confs/default
+
+tpl /defaults/system-config.js > /config/config.js
+tpl /defaults/settings-config.js >> /config/config.js
+if [[ -f /config/custom-config.js ]]; then
+    cat /config/custom-config.js >> /config/config.js
+fi
+
+cp /defaults/interface_config.js /config/interface_config.js
+if [[ -f /config/custom-interface_config.js ]]; then
+    cat /config/custom-interface_config.js >> /config/interface_config.js
+fi

jitsi/web/rootfs/etc/services.d/cron/run

@@ -0,0 +1,9 @@
+#!/usr/bin/with-contenv bash
+
+if [[ $DISABLE_HTTPS -ne 1 ]] && [[ $ENABLE_LETSENCRYPT -eq 1 ]]; then
+    exec cron -f
+else
+    # if cron should not be started,
+    # prevent s6 from restarting this script again and again
+    s6-svc -O /var/run/s6/services/cron
+fi

jitsi/web/rootfs/etc/services.d/jaas-account/run

@@ -0,0 +1,122 @@
+#!/usr/bin/with-contenv bash
+
+set -e
+
+EMAIL=$LETSENCRYPT_EMAIL
+DOMAIN=$LETSENCRYPT_DOMAIN
+
+JITSI_INSTALLATION="DOCKER"
+JAAS_ENDPOINT="https://account-provisioning.cloudflare.jitsi.net/operations"
+CHALLENGE_DIR="/usr/share/jitsi-meet/.well-known"
+CHALLENGE_FILE="$CHALLENGE_DIR/jitsi-challenge.txt"
+SUPPORT_MSG="Reach out to JaaS support at https://jaas.8x8.vc/#components"
+JAAS_ACCOUNT_FILE="/config/jaas-account-created.txt"
+
+function stop_service() {
+  s6-svc -O /var/run/s6/services/jaas-account
+  exit 0
+}
+
+if [[ $DISABLE_HTTPS -ne 1 ]] && [[ $ENABLE_LETSENCRYPT -eq 1 ]] && [[ $ENABLE_JAAS_COMPONENTS -eq 1 ]]  && [[ ! -z $EMAIL ]] && [[ ! -z $DOMAIN ]]; then
+
+if [ -f $JAAS_ACCOUNT_FILE ]; then
+    echo "JaaS account already exists"
+    stop_service
+fi
+
+KEEP_WAITING=true
+RETRIES=0
+MAX_TRIES=5
+SLEEP_INTERVAL=10
+# Waiting for nginx to start before creating the JaaS account
+while $KEEP_WAITING; do
+    s6-svwait -u /var/run/s6/services/nginx
+    NGINX_RESPONSE=$?
+    if [ $NGINX_RESPONSE -eq 0 ]; then
+        echo "Nginx started"
+        KEEP_WAITING=false
+    else
+        RETRIES=$((RETRIES + 1))
+        if [ $RETRIES -ge $MAX_TRIES ]; then
+            echo "Nginx did not start, exiting..."
+            KEEP_WAITING=false
+        else
+            echo "Waiting for nginx to start, retrying in $SLEEP_INTERVAL seconds... $RETRIES/$MAX_TRIES"
+            sleep $SLEEP_INTERVAL
+        fi
+    fi
+done
+
+create_error=0
+create_data=$(curl -s -f -X 'POST' "${JAAS_ENDPOINT}" -H 'Content-Type: application/json' -H 'accept: */*' -d "{ \"domain\": \"${DOMAIN}\", \"email\": \"${EMAIL}\", \"jitsiInstallation\": \"${JITSI_INSTALLATION}\" }") || create_error=$?
+if [ ${create_error} -ne 0 ]; then
+    echo "JaaS account creation failed. Status: ${create_error}, response: ${create_data}"
+    stop_service
+fi
+
+echo "${create_data}"
+
+# Creating the challenge dir
+mkdir -p ${CHALLENGE_DIR}
+# Creating the challenge file
+echo "${create_data}" | jq -r .challenge > ${CHALLENGE_FILE}
+
+op_id=$(echo "${create_data}" | jq -r .operationId)
+ready_error=0
+ready_data=$(curl -s -f -X 'PUT' "${JAAS_ENDPOINT}/${op_id}/ready") || ready_error=$?
+if [ ${ready_error} -ne 0 ]; then
+    echo "Jitsi domain validation failed. Status: ${ready_error}"
+    echo "Response: "
+    echo "${ready_data}" | jq -r
+    echo "${SUPPORT_MSG}"
+    echo
+    stop_service
+fi
+
+SLEEP_TIME=0
+WAIT_BEFORE_CHECK=5
+TIMEOUT=60
+echo -n "Creating the JaaS account..."
+(while true; do
+    provisioned_data=$(curl -s -f "${JAAS_ENDPOINT}/${op_id}")
+
+    status=$(echo "${provisioned_data}" | jq -r .status)
+
+    if [ "${status}" == "PROVISIONED" ]; then
+        echo ""
+        echo "=================="
+        echo ""
+        echo "A JaaS account was created. Please check your email for more details."
+        echo ""
+        echo "=================="
+        # Creating the jaas-account file
+        touch ${JAAS_ACCOUNT_FILE}
+        stop_service
+    elif  [ "${status}" == "FAILED" ]; then
+        echo ""
+        echo "=================="
+        echo ""
+        echo "JaaS account creation failed:${provisioned_data}"
+        echo ""
+        echo "=================="
+        stop_service
+    fi
+
+    if [ ${SLEEP_TIME} -ge ${TIMEOUT} ]; then
+        echo ""
+        echo "=================="
+        echo ""
+        echo "Timeout creating the JaaS account. ${SUPPORT_MSG}"
+        echo ""
+        echo "=================="
+        stop_service
+    fi
+
+    echo -n "Waiting for the JaaS account to be created..."
+    sleep ${WAIT_BEFORE_CHECK}
+    SLEEP_TIME=$((SLEEP_TIME+WAIT_BEFORE_CHECK))
+done)
+rm ${CHALLENGE_FILE} || true
+
+fi
+stop_service

jitsi/web/rootfs/etc/services.d/nginx/run

@@ -0,0 +1,3 @@
+#!/usr/bin/with-contenv bash
+
+exec nginx -c /config/nginx/nginx.conf