Commit 75b624be authored by o's avatar o

add a jitsi-meet service

parent 27444a99
[Service]
LimitNOFILE=8192
LimitNPROC=16384
ExecStartPost=/usr/libexec/jitsi-meet/fix-hosts.sh
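Review bot: The ExecStartPost= line makes the unit's start depend on fix-hosts.sh finishing, and that script busy-waits with no upper bound until a meet-jvb container appears, so a pod whose jvb never starts leaves the unit in activating state until the start timeout expires and marks it failed. Either bound the wait in the script or make the limit explicit here with something like `TimeoutStartSec=120`, and say why the hook exists: `# ExecStartPost: add a hosts entry inside the jvb container once it is running (see fix-hosts.sh)`. Since the file now changes start behaviour as well as resource limits, a name such as `jitsi-meet.conf` would describe the drop-in better than `limits.conf`.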
# manage jitsi-meet installations
class ib_apache::services::jitsi_meet(
$instances = {}
){
$instances.each |$in,$vals| {
ib_apache::services::jitsi_meet::instance{
$in:
* => $vals
}
}
}
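Review bot: `$instances` is untyped, so a hiera value that is not a hash (a string, or `~`) fails inside `.each` with an unhelpful message rather than at the parameter boundary; declare it as `Hash[String, Hash] $instances = {}`. The body declares `ib_apache::services::jitsi_meet::instance`, but the define added in this commit is named `ib_apache::services::wkd_srv::instance`, so catalog compilation fails for any host with a non-empty `$instances` until one of the two is renamed. A one-line parameter comment would also help: `# $instances: instance name => parameters for jitsi_meet::instance, normally from hiera`.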
# manage base stuff for hosts hosting jitsi-meet
class ib_apache::services::jitsi_meet::base {
file {
default:
owner => root,
group => root,
mode => '0755';
"/usr/libexec/jitsi-meet":
ensure => directory;
"/usr/libexec/jitsi-meet/fix-hosts.sh":
content => template('ib_apache/services/jitsi-meet/fix-hosts.sh');
}
}
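Review bot: fix-hosts.sh is rendered once per host from the `ipaddress` fact (the template at the end of the file block), while each pod gets its advertised address per instance from `icmdb('ip_of_interface_fqdn', …)` in the define; if the hosts entry is meant to match `DOCKER_HOST_ADDRESS`, the two can diverge on multi-homed hosts, so either render the script from the same value or document which address it intentionally uses. The class should also name the consumer of the script, since nothing here shows why a root-owned 0755 file in /usr/libexec is needed: `# fix-hosts.sh is executed by ExecStartPost= from each instance's unit drop-in`.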
# manages an instance of wkd-srv
define ib_apache::services::wkd_srv::instance(
Enum['present','absent']
$ensure = 'present',
Integer[1,65535]
$port = 8000,
Variant[Array[String],String]
$domainalias = 'absent',
Hash
$configuration = {},
String
$uid = 'iuid',
Variant[Enum['force'],Boolean]
$ssl_mode = 'force',
$proxy = nearby_or_default_host($facts['fqdn'],'immerx-7',true),
$nagios_check = 'ensure',
$nagios_check_domain = 'absent',
$nagios_check_url = '/',
$nagios_check_code = '200',
$nagios_use = 'generic-service',
){
$uid_name = $name
$real_gid_name = $name
$real_uid = $uid ? {
'iuid' => iuid($name,'webhosting'),
default => $uid,
}
$real_gid = $real_uid
if $ensure == 'present' {
include ::ib_apache::services::jitsi_meet::base
exec {
"create initial dirs":
cwd => "/var/www/vhosts/${name}/data",
creates => "/var/www/vhosts/${name}/data/jvb",
command => "sh -c 'mkdir jvb jicofo prosody web && chown ${uid_name}:${real_gid_name} jvb jicofo prosody web && chmod 755 jvb jicofo prosody web && chcon -t container_file_t jvb jicofo prosody web'";
}
}
webhosting::common{$name:
ensure => $ensure,
uid => $real_uid,
uid_name => $uid_name,
gid => $real_gid,
gid_name => $real_gid_name,
ssl_mode => $ssl_mode,
run_mode => 'static',
nagios_check => $nagios_check,
nagios_check_domain => $nagios_check_domain,
nagios_check_url => $nagios_check_url,
nagios_check_code => $nagios_check_code,
nagios_use => $nagios_use,
watch_adjust_webfiles => 'absent',
user_scripts => 'absend',
user_scripts_options => {},
configuration => $configuration + {
containers => {
$name => pick($configuration['container_config'],{}) + {
ensure => $ensure,
user => $uid_name,
uid => $real_uid,
gid => $real_gid,
homedir => "/var/www/vhosts/${name}",
manage_user => false,
image => 'pod',
deployment_mode => 'pod',
publish => ['8000:8000:tcp', '10000:10000:udp', '4443:4443:tcp'],
publish_firewall => ['10000:udp', '4443:tcp'],
pod_file => "ib_apache/services/jitsi-meet/jitsi-meet.yaml.erb",
configuration => {
'public_ip' => icmdb('ip_of_interface_fqdn',$facts['fqdn'],$proxy),
},
publish_socket => {
$port => {
'dir' => "/var/www/vhosts/${name}/tmp/run",
'security-opt-label-type' => 'socat_httpd_sidecar',
},
},
run_flags => {
'security-opt-label-type' => 'httpd_container_rw_content',
},
}
}
}
} ~> file {
"/etc/systemd/system/con-${name}-${name}.service.d/limits.conf":
owner => root,
group => root,
mode => '0644',
source => 'puppet://modules/ib_apache/services/jitsi-meet/fix-hosts.sh';
} -> Service['apache']
$options = "http://127.0.0.1:${port}"
apache::vhost::container{$name:
ensure => $ensure,
configuration => $configuration,
domainalias => $domainalias,
group => $real_gid_name,
documentroot_owner => $uid_name,
documentroot_group => $real_gid_name,
ssl_mode => $ssl_mode,
vhost_mode => 'template',
options => $options,
}
}
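Review bot: The define is declared as `ib_apache::services::wkd_srv::instance` while the iterator class above declares `ib_apache::services::jitsi_meet::instance { $in: * => $vals }`, so catalog compilation fails on an unknown resource type (or collides with an existing wkd_srv define if one exists); the first line should read `define ib_apache::services::jitsi_meet::instance(`. The systemd drop-in file resource sources `puppet://modules/...fix-hosts.sh`, which is missing a slash after `puppet:` and would install the shell script as limits.conf instead of the `[Service]` drop-in added in this commit; it also has no `ensure => $ensure`, so the drop-in outlives the instance, and nothing creates the `.service.d` directory or reloads systemd when the file changes. The `create initial dirs` exec has no `path` and calls a bare `sh`, so unless an Exec default sets one elsewhere Puppet rejects it as unqualified; it has no `require` on whatever creates `/var/www/vhosts/${name}/data` (presumably `webhosting::common`), and it splices `${name}` into a shell string, so a title containing a quote or space breaks or changes the command — an `assert_type` on the title closes that off since the same value also becomes a path and a unit name. `user_scripts => 'absend'` looks like a typo for `'absent'`.
```puppet
define ib_apache::services::jitsi_meet::instance(
# … unchanged: parameters and uid/gid resolution …
  # $name becomes a vhost path, a unit name and part of a shell command
  assert_type(Pattern[/\A[A-Za-z0-9._-]+\z/], $name)
  if $ensure == 'present' {
    include ::ib_apache::services::jitsi_meet::base
    exec { 'create initial dirs':
      path    => ['/usr/bin', '/bin'],
      cwd     => "/var/www/vhosts/${name}/data",
      creates => "/var/www/vhosts/${name}/data/jvb",
      command => "sh -c 'mkdir jvb jicofo prosody web && chown ${uid_name}:${real_gid_name} jvb jicofo prosody web && chmod 755 jvb jicofo prosody web && chcon -t container_file_t jvb jicofo prosody web'",
      require => Webhosting::Common[$name], # adjust if the data dir is created elsewhere
    }
  }
# … unchanged: webhosting::common declaration …
  } ~> file { "/etc/systemd/system/con-${name}-${name}.service.d/limits.conf":
    ensure => $ensure,
    owner  => root,
    group  => root,
    mode   => '0644',
    source => 'puppet:///modules/ib_apache/services/jitsi-meet/limits.conf', # the [Service] drop-in from this commit
  } -> Service['apache']
```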
#!/bin/bash
export XDG_RUNTIME_DIR=/run/pods/$(id -u)
while [ -z "$(podman ps | grep meet-jvb)" ]; do
echo "waiting for jvb"
sleep 1
done
ID="$(podman ps | grep meet-jvb | cut -d' ' -f1)"
FILE=$(mktemp)
echo "<%= @ipaddress %> ${ID}" > $FILE
podman cp $FILE $ID:/etc/hosts
rm $FILE
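Review bot: The wait loop at the top has no upper bound, and because this script runs from ExecStartPost= in the unit drop-in, a jvb container that never comes up leaves the unit stuck in activating until its start timeout kills it; give the loop a bounded number of iterations and exit non-zero with a message when it gives up. `podman ps | grep meet-jvb | cut -d' ' -f1` is a substring match over the whole table, so any other container whose name, image or command contains `meet-jvb` yields several IDs and a broken `podman cp` target — use `podman ps --filter name=meet-jvb --format '{{.ID}}'` and take exactly one. `podman cp` then replaces the container's entire `/etc/hosts` with a single line, dropping whatever podman generated (which presumably includes the `localhost` entry that the pod's `XMPP_SERVER=localhost` and BOSH URL rely on); copy the existing file out, append the line, and copy it back. The temp file is also leaked if podman fails and `$FILE`/`$ID` are unquoted; `set -euo pipefail` plus a `trap 'rm -f "$FILE"' EXIT` covers both.
```bash
#!/bin/bash
# Run from ExecStartPost= of the pod unit: extend the jvb container's
# /etc/hosts so its container id resolves to the host address.
set -euo pipefail
export XDG_RUNTIME_DIR=/run/pods/$(id -u)

ID=""
for _ in $(seq 1 60); do
  ID="$(podman ps --filter name=meet-jvb --format '{{.ID}}' | head -n1)"
  [ -n "$ID" ] && break
  echo "waiting for jvb"
  sleep 1
done
if [ -z "$ID" ]; then
  echo "fix-hosts: no meet-jvb container after 60s" >&2
  exit 1
fi

FILE="$(mktemp)"
trap 'rm -f "$FILE"' EXIT
# keep podman's generated entries (localhost etc.) and add ours
podman exec "$ID" cat /etc/hosts > "$FILE"
echo "<%= @ipaddress %> ${ID}" >> "$FILE"
podman cp "$FILE" "${ID}:/etc/hosts"
```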
apiVersion: v1
kind: Pod
metadata:
labels:
app: <%= @sanitised_con_name %>
name: <%= @sanitised_con_name %>
spec:
containers:
- env:
- name: container
value: podman
- name: ENABLE_GUESTS
value: 1
- name: JVB_AUTH_PASSWORD
value: "<%= scope.call_function('trocla',['JVB_AUTH_PASSWORD_'+@name,'plain', length: 32]) %>"
- name: JICOFO_AUTH_PASSWORD
value: "<%= scope.call_function('trocla',['JICOFO_AUTH_PASSWORD'+@name,'plain', length: 32]) %>"
- name: JICOFO_COMPONENT_SECRET
value: "<%= scope.call_function('trocla',['JICOFO_COMPONENT_SECRET'+@name,'plain', length: 32]) %>"
- name: XMPP_BOSH_URL_BASE
value: http://localhost:5280
- name: JVB_TCP_HARVESTER_DISABLED
value: "false"
- name: HTTP_PORT
value: "8000"
- name: DISABLE_HTTPS
value: 1
- name: ENABLE_HTTP_REDIRECT
value: 0
- name: DOCKER_HOST_ADDRESS
value: "<%= @configuration['public_ip'] %>"
- name: TZ
value: Europe/Amsterdam
- name: XMPP_AUTH_DOMAIN
value: auth.meet.jitsi
- name: JVB_BREWERY_MUC
value: jvbbrewery
- name: CONFIG
value: /var/jitsi-meet
- name: XMPP_MUC_DOMAIN
value: muc.meet.jitsi
- name: XMPP_INTERNAL_MUC_DOMAIN
value: internal-muc.meet.jitsi
- name: JVB_TCP_PORT
value: "4443"
- name: JIBRI_STRIP_DOMAIN_JID
value: muc
- name: XMPP_DOMAIN
value: meet.jitsi
- name: XMPP_SERVER
value: localhost
- name: XMPP_GUEST_DOMAIN
value: guest.meet.jitsi
- name: JVB_PORT
value: "10000"
- name: JVB_AUTH_USER
value: jvb
- name: JICOFO_AUTH_USER
value: focus
image: docker.io/jitsi/prosody:latest
name: jitsi-meet-prosody.meet.jitsi
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities: {}
privileged: false
readOnlyRootFilesystem: false
volumeMounts:
- mountPath: /config
name: jitsi-meet-cfg-prosody
workingDir: /
- env:
- name: container
value: podman
- name: ENABLE_GUESTS
value: 1
- name: JVB_AUTH_PASSWORD
value: "<%= scope.call_function('trocla',['JVB_AUTH_PASSWORD'+@name,'plain', length: 32]) %>"
- name: JICOFO_AUTH_PASSWORD
value: "<%= scope.call_function('trocla',['JICOFO_AUTH_PASSWORD'+@name,'plain', length: 32]) %>"
- name: JICOFO_COMPONENT_SECRET
value: "<%= scope.call_function('trocla',['JICOFO_COMPONENT_SECRET'+@name,'plain', length: 32]) %>"
- name: XMPP_BOSH_URL_BASE
value: http://localhost:5280
- name: JVB_TCP_HARVESTER_DISABLED
value: "false"
- name: HTTP_PORT
value: "8000"
- name: DISABLE_HTTPS
value: 1
- name: ENABLE_HTTP_REDIRECT
value: 0
- name: DOCKER_HOST_ADDRESS
value: "<%= @configuration['public_ip'] %>"
- name: TZ
value: Europe/Amsterdam
- name: XMPP_AUTH_DOMAIN
value: auth.meet.jitsi
- name: JVB_BREWERY_MUC
value: jvbbrewery
- name: CONFIG
value: /var/jitsi-meet
- name: XMPP_MUC_DOMAIN
value: muc.meet.jitsi
- name: XMPP_INTERNAL_MUC_DOMAIN
value: internal-muc.meet.jitsi
- name: JVB_TCP_PORT
value: "4443"
- name: JIBRI_STRIP_DOMAIN_JID
value: muc
- name: XMPP_DOMAIN
value: meet.jitsi
- name: XMPP_SERVER
value: localhost
- name: XMPP_GUEST_DOMAIN
value: guest.meet.jitsi
- name: JVB_PORT
value: "10000"
- name: JVB_AUTH_USER
value: jvb
- name: JICOFO_AUTH_USER
value: focus
image: docker.io/jitsi/web:latest
name: jitsi-meet-web.meet.jitsi
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities: {}
privileged: false
readOnlyRootFilesystem: false
volumeMounts:
- mountPath: /config
name: jitsi-meet-cfg-web
workingDir: /
- env:
- name: container
value: podman
- name: ENABLE_GUESTS
value: 1
- name: JVB_AUTH_PASSWORD
value: "<%= scope.call_function('trocla',['JVB_AUTH_PASSWORD_'+@name,'plain', length: 32]) %>"
- name: JICOFO_AUTH_PASSWORD
value: "<%= scope.call_function('trocla',['JICOFO_AUTH_PASSWORD'+@name,'plain', length: 32]) %>"
- name: JICOFO_COMPONENT_SECRET
value: "<%= scope.call_function('trocla',['JICOFO_COMPONENT_SECRET'+@name,'plain', length: 32]) %>"
- name: XMPP_BOSH_URL_BASE
value: http://localhost:5280
- name: JVB_TCP_HARVESTER_DISABLED
value: "false"
- name: HTTP_PORT
value: "8000"
- name: DISABLE_HTTPS
value: 1
- name: ENABLE_HTTP_REDIRECT
value: 0
- name: DOCKER_HOST_ADDRESS
value: "<%= @configuration['public_ip'] %>"
- name: TZ
value: Europe/Amsterdam
- name: XMPP_AUTH_DOMAIN
value: auth.meet.jitsi
- name: JVB_BREWERY_MUC
value: jvbbrewery
- name: CONFIG
value: /var/jitsi-meet
- name: XMPP_MUC_DOMAIN
value: muc.meet.jitsi
- name: XMPP_INTERNAL_MUC_DOMAIN
value: internal-muc.meet.jitsi
- name: JVB_TCP_PORT
value: "4443"
- name: JIBRI_STRIP_DOMAIN_JID
value: muc
- name: XMPP_DOMAIN
value: meet.jitsi
- name: XMPP_SERVER
value: localhost
- name: XMPP_GUEST_DOMAIN
value: guest.meet.jitsi
- name: JVB_PORT
value: "10000"
- name: JVB_AUTH_USER
value: jvb
- name: JICOFO_AUTH_USER
value: focus
image: docker.io/jitsi/jicofo:latest
name: jitsi-meet-jicofo.meet.jitsi
ports:
- containerPort: 10000
hostPort: 10000
protocol: UDP
- containerPort: 4443
hostPort: 4443
protocol: TCP
- containerPort: 80
hostPort: 8000
protocol: TCP
- containerPort: 8888
hostPort: 8888
protocol: TCP
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities: {}
privileged: false
readOnlyRootFilesystem: false
volumeMounts:
- mountPath: /config
name: jitsi-meet-cfg-jicofo
workingDir: /
- env:
- name: container
value: podman
- name: ENABLE_GUESTS
value: 1
- name: JVB_AUTH_PASSWORD
value: "<%= scope.call_function('trocla',['JVB_AUTH_PASSWORD_'+@name,'plain', length: 32]) %>"
- name: JICOFO_AUTH_PASSWORD
value: "<%= scope.call_function('trocla',['JICOFO_AUTH_PASSWORD'+@name,'plain', length: 32]) %>"
- name: JICOFO_COMPONENT_SECRET
value: "<%= scope.call_function('trocla',['JICOFO_COMPONENT_SECRET'+@name,'plain', length: 32]) %>"
- name: XMPP_BOSH_URL_BASE
value: http://localhost:5280
- name: JVB_TCP_HARVESTER_DISABLED
value: "false"
- name: HTTP_PORT
value: "8000"
- name: DISABLE_HTTPS
value: 1
- name: ENABLE_HTTP_REDIRECT
value: 0
- name: DOCKER_HOST_ADDRESS
value: "<%= @configuration['public_ip'] %>"
- name: TZ
value: Europe/Amsterdam
- name: XMPP_AUTH_DOMAIN
value: auth.meet.jitsi
- name: JVB_BREWERY_MUC
value: jvbbrewery
- name: CONFIG
value: /var/jitsi-meet
- name: XMPP_MUC_DOMAIN
value: muc.meet.jitsi
- name: XMPP_INTERNAL_MUC_DOMAIN
value: internal-muc.meet.jitsi
- name: JVB_TCP_PORT
value: "4443"
- name: JIBRI_STRIP_DOMAIN_JID
value: muc
- name: XMPP_DOMAIN
value: meet.jitsi
- name: XMPP_SERVER
value: localhost
- name: XMPP_GUEST_DOMAIN
value: guest.meet.jitsi
- name: JVB_PORT
value: "10000"
- name: JVB_AUTH_USER
value: jvb
- name: JICOFO_AUTH_USER
value: focus
image: docker.io/jitsi/jvb:latest
name: jitsi-meet-jvb.meet.jitsi
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities: {}
privileged: false
readOnlyRootFilesystem: false
volumeMounts:
- mountPath: /config
name: jitsi-meet-cfg-jvb
workingDir: /
volumes:
- hostPath:
path: <%= @real_homedir %>/data/jvb
type: Directory
name: jitsi-meet-cfg-jvb
- hostPath:
path: <%= @real_homedir %>/data/prosody
type: Directory
name: jitsi-meet-cfg-prosody
- hostPath:
path: <%= @real_homedir %>/data/jicofo
type: Directory
name: jitsi-meet-cfg-jicofo
- hostPath:
path: <%= @real_homedir %>/data/web
type: Directory
name: jitsi-meet-cfg-web
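Review bot: The trocla key for JVB_AUTH_PASSWORD differs between containers — prosody, jicofo and jvb use `'JVB_AUTH_PASSWORD_'+@name` while the web container uses `'JVB_AUTH_PASSWORD'+@name`, and the two JICOFO keys have no separator at all, so pick one scheme for all three (e.g. `'JVB_AUTH_PASSWORD_'+@name`, `'JICOFO_AUTH_PASSWORD_'+@name`, `'JICOFO_COMPONENT_SECRET_'+@name`) before the first deploy, since renaming a key later rotates that secret. Every container receives all three XMPP secrets although the web frontend does not appear to use any of them and jvb only needs its own; trimming each container's env to what it needs limits what a compromise of one container yields. All four images are pulled as `docker.io/jitsi/*:latest`, so the components can drift to different releases between pod restarts and an upstream tag push changes what runs here unreviewed — pin them to one release tag or digest. The bare `1`/`0` values for ENABLE_GUESTS, DISABLE_HTTPS and ENABLE_HTTP_REDIRECT are YAML integers while the neighbouring HTTP_PORT is quoted; Kubernetes env values are strings and podman's kube parser may reject or coerce the integers, so quote them (`value: "1"`). The `ports:` list sits on the jicofo container while 10000/udp and 4443/tcp belong to jvb and 80→8000 to web, which works within a shared pod namespace, but hostPort 8888 has no counterpart in the Puppet `publish`/`publish_firewall` lists, so check whether it is meant to be exposed at all.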
......@@ -15,6 +15,7 @@ class ib_webhosting::hostings(
$modperl = {},
$wsgi = {},
$container = {},
$jitsi_meet = {},
){
include ::ib_webhosting
......@@ -129,6 +130,16 @@ class ib_webhosting::hostings(
}
}
$jitsi_options = $default_options + {
watch_adjust_webfiles => 'present',
}
$jitsi_meet.each |$c,$vals| {
webhosting::jitsi_meet{
$c:
* => ($container_options + $vals)
}
}
# tune inotify limits based on amount of hostings
file{'/usr/local/sbin/tune_inotify_watches.sh':
source => 'puppet:///modules/ib_webhosting/scripts/tune_inotify_watches.sh',
......