commit c783770b5f1e9449000ba33fe6fa29afa67d4043
Author: Lieberman
Date: Sat Dec 11 18:51:37 2021 -0300
Initial
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..213b179
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,15 @@
+yggdrasil
+wiki
+site
+revolt
+proxy
+ldap
+hedgedoc
+h2
+fosstodon
+*/data
+jitsi/*
+!jitsi/*.yml
+!jitsi/env.example
+!jitsi/Makefile
+!jitsi/gen-passwords.sh
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..6ee5e11
--- /dev/null
+++ b/README.md
@@ -0,0 +1,6 @@
+# MilkToastHoney
+
+1. Entrar na pasta master e executar o script `create-networks.sh` para criar as redes.
+2. Executar o docker-compose da pasta master para levantar os serviços de: Lokinet, VPN e Proxy
+3. Entrar na pasta Matrix e levantar o serviço (provavelmente será necessário baixar e levantar uma vez por causa das configurações geradas)
+4. Entrar na pasta jitsi e levantar o serviço
\ No newline at end of file
diff --git a/jitsi/Makefile b/jitsi/Makefile
new file mode 100644
index 0000000..08ec3a9
--- /dev/null
+++ b/jitsi/Makefile
@@ -0,0 +1,42 @@
+FORCE_REBUILD ?= 0
+JITSI_RELEASE ?= stable
+JITSI_BUILD ?= latest
+JITSI_REPO ?= jitsi
+JITSI_SERVICES ?= base base-java web prosody jicofo jvb jigasi jibri
+
+BUILD_ARGS := --build-arg JITSI_REPO=$(JITSI_REPO) --build-arg JITSI_RELEASE=$(JITSI_RELEASE)
+ifeq ($(FORCE_REBUILD), 1)
+ BUILD_ARGS := $(BUILD_ARGS) --no-cache
+endif
+
+
+all: build-all
+
+release: tag-all push-all
+
+build:
+ docker build $(BUILD_ARGS) --progress plain --tag $(JITSI_REPO)/$(JITSI_SERVICE) $(JITSI_SERVICE)/
+
+$(addprefix build_,$(JITSI_SERVICES)):
+ $(MAKE) --no-print-directory JITSI_SERVICE=$(patsubst build_%,%,$@) build
+
+tag:
+ docker tag $(JITSI_REPO)/$(JITSI_SERVICE):latest $(JITSI_REPO)/$(JITSI_SERVICE):$(JITSI_BUILD)
+
+push:
+ docker push $(JITSI_REPO)/$(JITSI_SERVICE):latest
+ docker push $(JITSI_REPO)/$(JITSI_SERVICE):$(JITSI_BUILD)
+
+%-all:
+ @$(foreach SERVICE, $(JITSI_SERVICES), $(MAKE) --no-print-directory JITSI_SERVICE=$(SERVICE) $(subst -all,;,$@))
+
+clean:
+ docker-compose stop
+ docker-compose rm
+ docker network prune
+
+prepare:
+ docker pull debian:buster-slim
+ FORCE_REBUILD=1 $(MAKE)
+
+.PHONY: all build tag push clean prepare release $(addprefix build_,$(JITSI_SERVICES))
diff --git a/jitsi/docker-compose.yml b/jitsi/docker-compose.yml
new file mode 100644
index 0000000..68c5df5
--- /dev/null
+++ b/jitsi/docker-compose.yml
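Review bot: `clean` runs `docker network prune`, which removes every unused network on the host, not just this project's; once `docker-compose stop` has detached the containers, the external `pg_bus` network this stack joins (and the other `pg_*` networks, if their containers happen to be down) can be pruned too, breaking the master stack until `create-networks.sh` is re-run. `docker-compose rm` without `-f` also prompts interactively, so the target hangs when run non-interactively. I would replace the three recipe lines with `docker-compose down --remove-orphans`, which removes only the compose-created `meet.jitsi` network and leaves external networks untouched. Separately, `JITSI_SERVICES` lists build directories (`base`, `base-java`, …) that `.gitignore` excludes via `jitsi/*`, so `make` in a fresh clone has nothing to build; a comment such as `# expects the upstream docker-jitsi-meet service directories to be present next to this file` would save the next person a confusing failure.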
@@ -0,0 +1,299 @@
+version: '3'
+
+services:
+ web:
+ image: jitsi/web:stable-6433
+ restart: always
+ volumes:
+ - ${CONFIG}/web:/config:Z
+ - ${CONFIG}/web/crontabs:/var/spool/cron/crontabs:Z
+ - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
+ environment:
+ - AMPLITUDE_ID
+ - ANALYTICS_SCRIPT_URLS
+ - ANALYTICS_WHITELISTED_EVENTS
+ - CALLSTATS_CUSTOM_SCRIPT_URL
+ - CALLSTATS_ID
+ - CALLSTATS_SECRET
+ - CHROME_EXTENSION_BANNER_JSON
+ - CONFCODE_URL
+ - CONFIG_EXTERNAL_CONNECT
+ - DEFAULT_LANGUAGE
+ - DEPLOYMENTINFO_ENVIRONMENT
+ - DEPLOYMENTINFO_ENVIRONMENT_TYPE
+ - DEPLOYMENTINFO_REGION
+ - DEPLOYMENTINFO_SHARD
+ - DEPLOYMENTINFO_USERREGION
+ - DESKTOP_SHARING_FRAMERATE_MIN
+ - DESKTOP_SHARING_FRAMERATE_MAX
+ - DIALIN_NUMBERS_URL
+ - DIALOUT_AUTH_URL
+ - DIALOUT_CODES_URL
+ - DISABLE_AUDIO_LEVELS
+ - DISABLE_DEEP_LINKING
+ - DISABLE_HTTPS
+ - DISABLE_POLLS
+ - DISABLE_REACTIONS
+ - DROPBOX_APPKEY
+ - DROPBOX_REDIRECT_URI
+ - DYNAMIC_BRANDING_URL
+ - ENABLE_AUDIO_PROCESSING
+ - ENABLE_AUTH
+ - ENABLE_CALENDAR
+ - ENABLE_COLIBRI_WEBSOCKET
+ - ENABLE_FILE_RECORDING_SERVICE
+ - ENABLE_FILE_RECORDING_SERVICE_SHARING
+ - ENABLE_FLOC
+ - ENABLE_GUESTS
+ - ENABLE_HSTS
+ - ENABLE_HTTP_REDIRECT
+ - ENABLE_IPV6
+ - ENABLE_LETSENCRYPT
+ - ENABLE_LIPSYNC
+ - ENABLE_NO_AUDIO_DETECTION
+ - ENABLE_NOISY_MIC_DETECTION
+ - ENABLE_PREJOIN_PAGE
+ - ENABLE_P2P
+ - ENABLE_WELCOME_PAGE
+ - ENABLE_CLOSE_PAGE
+ - ENABLE_RECORDING
+ - ENABLE_REMB
+ - ENABLE_REQUIRE_DISPLAY_NAME
+ - ENABLE_SIMULCAST
+ - ENABLE_STATS_ID
+ - ENABLE_STEREO
+ - ENABLE_SUBDOMAINS
+ - ENABLE_TALK_WHILE_MUTED
+ - ENABLE_TCC
+ - ENABLE_TRANSCRIPTIONS
+ - ENABLE_XMPP_WEBSOCKET
+ - ETHERPAD_PUBLIC_URL
+ - ETHERPAD_URL_BASE
+ - GOOGLE_ANALYTICS_ID
+ - GOOGLE_API_APP_CLIENT_ID
+ - INVITE_SERVICE_URL
+ - JICOFO_AUTH_USER
+ - LETSENCRYPT_DOMAIN
+ - LETSENCRYPT_EMAIL
+ - LETSENCRYPT_USE_STAGING
+ - MATOMO_ENDPOINT
+ - MATOMO_SITE_ID
+ - MICROSOFT_API_APP_CLIENT_ID
+ - NGINX_RESOLVER
+ - 
NGINX_WORKER_PROCESSES
+ - NGINX_WORKER_CONNECTIONS
+ - PEOPLE_SEARCH_URL
+ - PUBLIC_URL
+ - P2P_PREFERRED_CODEC
+ - RESOLUTION
+ - RESOLUTION_MIN
+ - RESOLUTION_WIDTH
+ - RESOLUTION_WIDTH_MIN
+ - START_AUDIO_MUTED
+ - START_AUDIO_ONLY
+ - START_BITRATE
+ - START_SILENT
+ - START_WITH_AUDIO_MUTED
+ - START_VIDEO_MUTED
+ - START_WITH_VIDEO_MUTED
+ - TESTING_CAP_SCREENSHARE_BITRATE
+ - TESTING_OCTO_PROBABILITY
+ - TOKEN_AUTH_URL
+ - TZ
+ - VIDEOQUALITY_BITRATE_H264_LOW
+ - VIDEOQUALITY_BITRATE_H264_STANDARD
+ - VIDEOQUALITY_BITRATE_H264_HIGH
+ - VIDEOQUALITY_BITRATE_VP8_LOW
+ - VIDEOQUALITY_BITRATE_VP8_STANDARD
+ - VIDEOQUALITY_BITRATE_VP8_HIGH
+ - VIDEOQUALITY_BITRATE_VP9_LOW
+ - VIDEOQUALITY_BITRATE_VP9_STANDARD
+ - VIDEOQUALITY_BITRATE_VP9_HIGH
+ - VIDEOQUALITY_ENFORCE_PREFERRED_CODEC
+ - VIDEOQUALITY_PREFERRED_CODEC
+ - XMPP_AUTH_DOMAIN
+ - XMPP_BOSH_URL_BASE
+ - XMPP_DOMAIN
+ - XMPP_GUEST_DOMAIN
+ - XMPP_MUC_DOMAIN
+ - XMPP_RECORDER_DOMAIN
+ networks:
+ meet.jitsi:
+ pg_bus:
+ ipv4_address: 10.255.253.196
+
+ # XMPP server
+ prosody:
+ image: jitsi/prosody:stable-6433
+ restart: ${RESTART_POLICY}
+ expose:
+ - '5222'
+ - '5347'
+ - '5280'
+ volumes:
+ - ${CONFIG}/prosody/config:/config:Z
+ - ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z
+ environment:
+ - AUTH_TYPE
+ - DISABLE_POLLS
+ - ENABLE_AUTH
+ - ENABLE_AV_MODERATION
+ - ENABLE_GUESTS
+ - ENABLE_LOBBY
+ - ENABLE_XMPP_WEBSOCKET
+ - GLOBAL_CONFIG
+ - GLOBAL_MODULES
+ - JIBRI_RECORDER_USER
+ - JIBRI_RECORDER_PASSWORD
+ - JIBRI_XMPP_USER
+ - JIBRI_XMPP_PASSWORD
+ - JICOFO_AUTH_USER
+ - JICOFO_AUTH_PASSWORD
+ - JICOFO_COMPONENT_SECRET
+ - JIGASI_XMPP_USER
+ - JIGASI_XMPP_PASSWORD
+ - JVB_AUTH_USER
+ - JVB_AUTH_PASSWORD
+ - JWT_APP_ID
+ - JWT_APP_SECRET
+ - JWT_ACCEPTED_ISSUERS
+ - JWT_ACCEPTED_AUDIENCES
+ - JWT_ASAP_KEYSERVER
+ - JWT_ALLOW_EMPTY
+ - JWT_AUTH_TYPE
+ - JWT_TOKEN_AUTH_MODULE
+ - LOG_LEVEL
+ - LDAP_AUTH_METHOD
+ - LDAP_BASE
+ - LDAP_BINDDN
+ - LDAP_BINDPW
+ - LDAP_FILTER
+ - 
LDAP_VERSION
+ - LDAP_TLS_CIPHERS
+ - LDAP_TLS_CHECK_PEER
+ - LDAP_TLS_CACERT_FILE
+ - LDAP_TLS_CACERT_DIR
+ - LDAP_START_TLS
+ - LDAP_URL
+ - LDAP_USE_TLS
+ - PUBLIC_URL
+ - TURN_CREDENTIALS
+ - TURN_HOST
+ - TURNS_HOST
+ - TURN_PORT
+ - TURNS_PORT
+ - TZ
+ - XMPP_DOMAIN
+ - XMPP_AUTH_DOMAIN
+ - XMPP_GUEST_DOMAIN
+ - XMPP_MUC_DOMAIN
+ - XMPP_INTERNAL_MUC_DOMAIN
+ - XMPP_MODULES
+ - XMPP_MUC_MODULES
+ - XMPP_INTERNAL_MUC_MODULES
+ - XMPP_RECORDER_DOMAIN
+ - XMPP_CROSS_DOMAIN
+ networks:
+ meet.jitsi:
+ aliases:
+ - ${XMPP_SERVER}
+
+ # Focus component
+ jicofo:
+ image: jitsi/jicofo:stable-6433
+ restart: ${RESTART_POLICY}
+ volumes:
+ - ${CONFIG}/jicofo:/config:Z
+ environment:
+ - AUTH_TYPE
+ - BRIDGE_AVG_PARTICIPANT_STRESS
+ - BRIDGE_STRESS_THRESHOLD
+ - ENABLE_AUTH
+ - ENABLE_AUTO_OWNER
+ - ENABLE_CODEC_VP8
+ - ENABLE_CODEC_VP9
+ - ENABLE_CODEC_H264
+ - ENABLE_OCTO
+ - ENABLE_RECORDING
+ - ENABLE_SCTP
+ - ENABLE_AUTO_LOGIN
+ - JICOFO_AUTH_USER
+ - JICOFO_AUTH_PASSWORD
+ - JICOFO_ENABLE_BRIDGE_HEALTH_CHECKS
+ - JICOFO_CONF_INITIAL_PARTICIPANT_WAIT_TIMEOUT
+ - JICOFO_CONF_SINGLE_PARTICIPANT_TIMEOUT
+ - JICOFO_ENABLE_HEALTH_CHECKS
+ - JICOFO_SHORT_ID
+ - JICOFO_RESERVATION_ENABLED
+ - JICOFO_RESERVATION_REST_BASE_URL
+ - JIBRI_BREWERY_MUC
+ - JIBRI_REQUEST_RETRIES
+ - JIBRI_PENDING_TIMEOUT
+ - JIGASI_BREWERY_MUC
+ - JIGASI_SIP_URI
+ - JVB_BREWERY_MUC
+ - MAX_BRIDGE_PARTICIPANTS
+ - OCTO_BRIDGE_SELECTION_STRATEGY
+ - SENTRY_DSN="${JICOFO_SENTRY_DSN:-0}"
+ - SENTRY_ENVIRONMENT
+ - SENTRY_RELEASE
+ - TZ
+ - XMPP_DOMAIN
+ - XMPP_AUTH_DOMAIN
+ - XMPP_INTERNAL_MUC_DOMAIN
+ - XMPP_MUC_DOMAIN
+ - XMPP_SERVER
+ depends_on:
+ - prosody
+ networks:
+ meet.jitsi:
+
+ # Video bridge
+ jvb:
+ image: jitsi/jvb:stable-6433
+ restart: ${RESTART_POLICY}
+ # ports:
+ # - '${JVB_PORT}:${JVB_PORT}/udp'
+ # - '${JVB_TCP_PORT}:${JVB_TCP_PORT}'
+ volumes:
+ - ${CONFIG}/jvb:/config:Z
+ environment:
+ - DOCKER_HOST_ADDRESS
+ - ENABLE_COLIBRI_WEBSOCKET
+ - ENABLE_OCTO
+ - JVB_AUTH_USER
+ - 
JVB_AUTH_PASSWORD
+ - JVB_BREWERY_MUC
+ - JVB_PORT
+ - JVB_TCP_HARVESTER_DISABLED
+ - JVB_TCP_PORT
+ - JVB_TCP_MAPPED_PORT
+ - JVB_STUN_SERVERS
+ - JVB_ENABLE_APIS
+ - JVB_OCTO_BIND_ADDRESS
+ - JVB_OCTO_PUBLIC_ADDRESS
+ - JVB_OCTO_BIND_PORT
+ - JVB_OCTO_REGION
+ - JVB_WS_DOMAIN
+ - JVB_WS_SERVER_ID
+ - PUBLIC_URL
+ - SENTRY_DSN="${JVB_SENTRY_DSN:-0}"
+ - SENTRY_ENVIRONMENT
+ - SENTRY_RELEASE
+ - COLIBRI_REST_ENABLED
+ - SHUTDOWN_REST_ENABLED
+ - TZ
+ - XMPP_AUTH_DOMAIN
+ - XMPP_INTERNAL_MUC_DOMAIN
+ - XMPP_SERVER
+ depends_on:
+ - prosody
+ networks:
+ meet.jitsi:
+
+# Custom network so all services can communicate using a FQDN
+networks:
+ meet.jitsi:
+ pg_bus:
+ external:
+ name: pg_bus
diff --git a/jitsi/env.example b/jitsi/env.example
new file mode 100644
index 0000000..0a1d4c4
--- /dev/null
+++ b/jitsi/env.example
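Review bot: The JVB media ports stay commented out (`# ports:` / `# - '${JVB_PORT}:${JVB_PORT}/udp'`) and `jvb` is attached only to the compose-managed `meet.jitsi` bridge, so participant media has no published path to the bridge from outside the Docker host; unless it is meant to arrive through the lokinet/VPN containers in `master/` (not visible here), calls will fail at ICE. Either publish the port or put the intended media route in a comment next to the commented-out lines. `web` is the one Jitsi service placed on `pg_bus` with a fixed address (`ipv4_address: 10.255.253.196`), which is what haproxy's `backend jitsi` reaches over plain port 80, i.e. TLS is terminated at haproxy — a comment saying so on the `pg_bus:` entry would stop someone later enabling Let's Encrypt inside the container. Minor: `web` uses `restart: always` while every other service uses `restart: ${RESTART_POLICY}`.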
@@ -0,0 +1,409 @@
+# shellcheck disable=SC2034
+
+# Security
+#
+# Set these to strong passwords to avoid intruders from impersonating a service account
+# The service(s) won't start unless these are specified
+# Running ./gen-passwords.sh will update .env with strong passwords
+# You may skip the Jigasi and Jibri passwords if you are not using those
+# DO NOT reuse passwords
+#
+
+# XMPP password for Jicofo client connections
+JICOFO_AUTH_PASSWORD=
+
+# XMPP password for JVB client connections
+JVB_AUTH_PASSWORD=
+
+# XMPP password for Jigasi MUC client connections
+JIGASI_XMPP_PASSWORD=
+
+# XMPP recorder password for Jibri client connections
+JIBRI_RECORDER_PASSWORD=
+
+# XMPP password for Jibri client connections
+JIBRI_XMPP_PASSWORD=
+
+
+#
+# Basic configuration options
+#
+
+# Directory where all configuration will be stored
+CONFIG=~/.jitsi-meet-cfg
+
+# Exposed HTTP port
+HTTP_PORT=8000
+
+# Exposed HTTPS port
+HTTPS_PORT=8443
+
+# System time zone
+TZ=UTC
+
+# Public URL for the web service (required)
+#PUBLIC_URL=https://meet.example.com
+
+# IP address of the Docker host
+# See the "Running behind NAT or on a LAN environment" section in the Handbook:
+# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment
+#DOCKER_HOST_ADDRESS=192.168.1.1
+
+# Control whether the lobby feature should be enabled or not
+#ENABLE_LOBBY=1
+
+# Control whether the A/V moderation should be enabled or not
+#ENABLE_AV_MODERATION=1
+
+# Show a prejoin page before entering a conference
+#ENABLE_PREJOIN_PAGE=0
+
+# Enable the welcome page
+#ENABLE_WELCOME_PAGE=1
+
+# Enable the close page
+#ENABLE_CLOSE_PAGE=0
+
+# Disable measuring of audio levels
+#DISABLE_AUDIO_LEVELS=0
+
+# Enable noisy mic detection
+#ENABLE_NOISY_MIC_DETECTION=1
+
+#
+# Let's Encrypt configuration
+#
+
+# Enable Let's Encrypt certificate generation
+#ENABLE_LETSENCRYPT=1
+
+# Domain for which to generate the certificate 
+#LETSENCRYPT_DOMAIN=meet.example.com
+
+# E-Mail for receiving important account notifications (mandatory)
+#LETSENCRYPT_EMAIL=alice@atlanta.net
+
+# Use the staging server (for avoiding rate limits while testing)
+#LETSENCRYPT_USE_STAGING=1
+
+
+#
+# Etherpad integration (for document sharing)
+#
+
+# Set etherpad-lite URL in docker local network (uncomment to enable)
+#ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001
+
+# Set etherpad-lite public URL (uncomment to enable)
+#ETHERPAD_PUBLIC_URL=https://etherpad.my.domain
+
+# Name your etherpad instance!
+ETHERPAD_TITLE=Video Chat
+
+# The default text of a pad
+ETHERPAD_DEFAULT_PAD_TEXT=Welcome to Web Chat!\n\n
+
+# Name of the skin for etherpad
+ETHERPAD_SKIN_NAME=colibris
+
+# Skin variants for etherpad
+ETHERPAD_SKIN_VARIANTS=super-light-toolbar super-light-editor light-background full-width-editor
+
+
+#
+# Basic Jigasi configuration options (needed for SIP gateway support)
+#
+
+# SIP URI for incoming / outgoing calls
+#JIGASI_SIP_URI=test@sip2sip.info
+
+# Password for the specified SIP account as a clear text
+#JIGASI_SIP_PASSWORD=passw0rd
+
+# SIP server (use the SIP account domain if in doubt)
+#JIGASI_SIP_SERVER=sip2sip.info
+
+# SIP server port
+#JIGASI_SIP_PORT=5060
+
+# SIP server transport
+#JIGASI_SIP_TRANSPORT=UDP
+
+#
+# Authentication configuration (see handbook for details)
+#
+
+# Enable authentication
+#ENABLE_AUTH=1
+
+# Enable guest access
+#ENABLE_GUESTS=1
+
+# Select authentication type: internal, jwt or ldap
+#AUTH_TYPE=internal
+
+# JWT authentication
+#
+
+# Application identifier
+#JWT_APP_ID=my_jitsi_app_id
+
+# Application secret known only to your token generator
+#JWT_APP_SECRET=my_jitsi_app_secret
+
+# (Optional) Set asap_accepted_issuers as a comma separated list
+#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client
+
+# (Optional) Set asap_accepted_audiences as a comma separated list
+#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2
+
+
+# LDAP authentication (for more information 
see the Cyrus SASL saslauthd.conf man page)
+#
+
+# LDAP url for connection
+#LDAP_URL=ldaps://ldap.domain.com/
+
+# LDAP base DN. Can be empty
+#LDAP_BASE=DC=example,DC=domain,DC=com
+
+# LDAP user DN. Do not specify this parameter for the anonymous bind
+#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
+
+# LDAP user password. Do not specify this parameter for the anonymous bind
+#LDAP_BINDPW=LdapUserPassw0rd
+
+# LDAP filter. Tokens example:
+# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail
+# %s - %s is replaced by the complete service string
+# %r - %r is replaced by the complete realm string
+#LDAP_FILTER=(sAMAccountName=%u)
+
+# LDAP authentication method
+#LDAP_AUTH_METHOD=bind
+
+# LDAP version
+#LDAP_VERSION=3
+
+# LDAP TLS using
+#LDAP_USE_TLS=1
+
+# List of SSL/TLS ciphers to allow
+#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
+
+# Require and verify server certificate
+#LDAP_TLS_CHECK_PEER=1
+
+# Path to CA cert file. Used when server certificate verify is enabled
+#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt
+
+# Path to CA certs directory. 
Used when server certificate verify is enabled
+#LDAP_TLS_CACERT_DIR=/etc/ssl/certs
+
+# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps://
+# LDAP_START_TLS=1
+
+
+#
+# Advanced configuration options (you generally don't need to change these)
+#
+
+# Internal XMPP domain
+XMPP_DOMAIN=meet.jitsi
+
+# Internal XMPP server
+XMPP_SERVER=xmpp.meet.jitsi
+
+# Internal XMPP server URL
+XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280
+
+# Internal XMPP domain for authenticated services
+XMPP_AUTH_DOMAIN=auth.meet.jitsi
+
+# XMPP domain for the MUC
+XMPP_MUC_DOMAIN=muc.meet.jitsi
+
+# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools
+XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi
+
+# XMPP domain for unauthenticated users
+XMPP_GUEST_DOMAIN=guest.meet.jitsi
+
+# Comma separated list of domains for cross domain policy or "true" to allow all
+# The PUBLIC_URL is always allowed
+#XMPP_CROSS_DOMAIN=true
+
+# Custom Prosody modules for XMPP_DOMAIN (comma separated)
+XMPP_MODULES=
+
+# Custom Prosody modules for MUC component (comma separated)
+XMPP_MUC_MODULES=
+
+# Custom Prosody modules for internal MUC component (comma separated)
+XMPP_INTERNAL_MUC_MODULES=
+
+# MUC for the JVB pool
+JVB_BREWERY_MUC=jvbbrewery
+
+# XMPP user for JVB client connections
+JVB_AUTH_USER=jvb
+
+# STUN servers used to discover the server's public IP
+JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443
+
+# Media port for the Jitsi Videobridge
+JVB_PORT=10000
+
+# TCP Fallback for Jitsi Videobridge for when UDP isn't available
+JVB_TCP_HARVESTER_DISABLED=true
+JVB_TCP_PORT=4443
+JVB_TCP_MAPPED_PORT=4443
+
+# A comma separated list of APIs to enable when the JVB is started [default: none]
+# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information
+#JVB_ENABLE_APIS=rest,colibri
+
+# XMPP user for Jicofo client connections. 
+# NOTE: this option doesn't currently work due to a bug
+JICOFO_AUTH_USER=focus
+
+# Base URL of Jicofo's reservation REST API
+#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com
+
+# Enable Jicofo's health check REST API (http://:8888/about/health)
+#JICOFO_ENABLE_HEALTH_CHECKS=true
+
+# XMPP user for Jigasi MUC client connections
+JIGASI_XMPP_USER=jigasi
+
+# MUC name for the Jigasi pool
+JIGASI_BREWERY_MUC=jigasibrewery
+
+# Minimum port for media used by Jigasi
+JIGASI_PORT_MIN=20000
+
+# Maximum port for media used by Jigasi
+JIGASI_PORT_MAX=20050
+
+# Enable SDES srtp
+#JIGASI_ENABLE_SDES_SRTP=1
+
+# Keepalive method
+#JIGASI_SIP_KEEP_ALIVE_METHOD=OPTIONS
+
+# Health-check extension
+#JIGASI_HEALTH_CHECK_SIP_URI=keepalive
+
+# Health-check interval
+#JIGASI_HEALTH_CHECK_INTERVAL=300000
+#
+# Enable Jigasi transcription
+#ENABLE_TRANSCRIPTIONS=1
+
+# Jigasi will record audio when transcriber is on [default: false]
+#JIGASI_TRANSCRIBER_RECORD_AUDIO=true
+
+# Jigasi will send transcribed text to the chat when transcriber is on [default: false]
+#JIGASI_TRANSCRIBER_SEND_TXT=true
+
+# Jigasi will post an url to the chat with transcription file [default: false]
+#JIGASI_TRANSCRIBER_ADVERTISE_URL=true
+
+# Credentials for connect to Cloud Google API from Jigasi
+# Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol
+# section "Before you begin" paragraph 1 to 5
+# Copy the values from the json to the related env vars
+#GC_PROJECT_ID=
+#GC_PRIVATE_KEY_ID=
+#GC_PRIVATE_KEY=
+#GC_CLIENT_EMAIL=
+#GC_CLIENT_ID=
+#GC_CLIENT_CERT_URL=
+
+# Enable recording
+#ENABLE_RECORDING=1
+
+# XMPP domain for the jibri recorder
+XMPP_RECORDER_DOMAIN=recorder.meet.jitsi
+
+# XMPP recorder user for Jibri client connections
+JIBRI_RECORDER_USER=recorder
+
+# Directory for recordings inside Jibri container
+JIBRI_RECORDING_DIR=/config/recordings
+
+# The finalizing script. 
Will run after recording is complete
+#JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh
+
+# XMPP user for Jibri client connections
+JIBRI_XMPP_USER=jibri
+
+# MUC name for the Jibri pool
+JIBRI_BREWERY_MUC=jibribrewery
+
+# MUC connection timeout
+JIBRI_PENDING_TIMEOUT=90
+
+# When jibri gets a request to start a service for a room, the room
+# jid will look like: roomName@optional.prefixes.subdomain.xmpp_domain
+# We'll build the url for the call by transforming that into:
+# https://xmpp_domain/subdomain/roomName
+# So if there are any prefixes in the jid (like jitsi meet, which
+# has its participants join a muc at conference.xmpp_domain) then
+# list that prefix here so it can be stripped out to generate
+# the call url correctly
+JIBRI_STRIP_DOMAIN_JID=muc
+
+# Directory for logs inside Jibri container
+JIBRI_LOGS_DIR=/config/logs
+
+# Configure an external TURN server
+# TURN_CREDENTIALS=secret
+# TURN_HOST=turnserver.example.com
+# TURN_PORT=443
+# TURNS_HOST=turnserver.example.com
+# TURNS_PORT=443
+
+# Disable HTTPS: handle TLS connections outside of this setup
+#DISABLE_HTTPS=1
+
+# Enable FLoC
+# Opt-In to Federated Learning of Cohorts tracking
+#ENABLE_FLOC=0
+
+# Redirect HTTP traffic to HTTPS
+# Necessary for Let's Encrypt, relies on standard HTTPS port (443)
+#ENABLE_HTTP_REDIRECT=1
+
+# Send a `strict-transport-security` header to force browsers to use
+# a secure and trusted connection. Recommended for production use.
+# Defaults to 1 (send the header).
+# ENABLE_HSTS=1
+
+# Enable IPv6
+# Provides means to disable IPv6 in environments that don't support it (get with the times, people!)
+#ENABLE_IPV6=1
+
+# Container restart policy
+# Defaults to unless-stopped
+RESTART_POLICY=unless-stopped
+
+# Authenticate using external service or just focus external auth window if there is one already. 
+# TOKEN_AUTH_URL=https://auth.meet.example.com/{room}
+
+# Sentry Error Tracking
+# Sentry Data Source Name (Endpoint for Sentry project)
+# Example: https://public:private@host:port/1
+#JVB_SENTRY_DSN=
+#JICOFO_SENTRY_DSN=
+#JIGASI_SENTRY_DSN=
+
+# Optional environment info to filter events
+#SENTRY_ENVIRONMENT=production
+
+# Optional release info to filter events
+#SENTRY_RELEASE=1.0.0
+
+# Optional properties for shutdown api
+#COLIBRI_REST_ENABLED=true
+#SHUTDOWN_REST_ENABLED=true
diff --git a/jitsi/etherpad.yml b/jitsi/etherpad.yml
new file mode 100644
index 0000000..bab9378
--- /dev/null
+++ b/jitsi/etherpad.yml
@@ -0,0 +1,16 @@
+version: '3'
+
+services:
+ # Etherpad: real-time collaborative document editing
+ etherpad:
+ image: etherpad/etherpad:1.8.6
+ restart: ${RESTART_POLICY}
+ environment:
+ - TITLE=${ETHERPAD_TITLE}
+ - DEFAULT_PAD_TEXT=${ETHERPAD_DEFAULT_PAD_TEXT}
+ - SKIN_NAME=${ETHERPAD_SKIN_NAME}
+ - SKIN_VARIANTS=${ETHERPAD_SKIN_VARIANTS}
+ networks:
+ meet.jitsi:
+ aliases:
+ - etherpad.meet.jitsi
diff --git a/jitsi/gen-passwords.sh b/jitsi/gen-passwords.sh
new file mode 100755
index 0000000..29aec9b
--- /dev/null
+++ b/jitsi/gen-passwords.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+function generatePassword() {
+ openssl rand -hex 16
+}
+
+JICOFO_AUTH_PASSWORD=$(generatePassword)
+JVB_AUTH_PASSWORD=$(generatePassword)
+JIGASI_XMPP_PASSWORD=$(generatePassword)
+JIBRI_RECORDER_PASSWORD=$(generatePassword)
+JIBRI_XMPP_PASSWORD=$(generatePassword)
+
+sed -i.bak \
+ -e "s#JICOFO_AUTH_PASSWORD=.*#JICOFO_AUTH_PASSWORD=${JICOFO_AUTH_PASSWORD}#g" \
+ -e "s#JVB_AUTH_PASSWORD=.*#JVB_AUTH_PASSWORD=${JVB_AUTH_PASSWORD}#g" \
+ -e "s#JIGASI_XMPP_PASSWORD=.*#JIGASI_XMPP_PASSWORD=${JIGASI_XMPP_PASSWORD}#g" \
+ -e "s#JIBRI_RECORDER_PASSWORD=.*#JIBRI_RECORDER_PASSWORD=${JIBRI_RECORDER_PASSWORD}#g" \
+ -e "s#JIBRI_XMPP_PASSWORD=.*#JIBRI_XMPP_PASSWORD=${JIBRI_XMPP_PASSWORD}#g" \
+ "$(dirname "$0")/.env" 
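Review bot: With `#ENABLE_AUTH=1` left commented in the Authentication section, anyone who can reach the jitsi hostname through haproxy can create rooms and become moderator, and if `ENABLE_RECORDING` is later switched on they can start recordings too; for a template that is going to be copied to `.env` unchanged I would ship `ENABLE_AUTH=1`, `ENABLE_GUESTS=1` and `AUTH_TYPE=internal` uncommented so that running open is a deliberate edit rather than the default. `JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443` makes the bridge contact a third-party host at startup to discover its public IP, which sits oddly in a stack that otherwise routes through lokinet/VPN — point it at infrastructure you control, or document why the leak is acceptable. Since haproxy terminates TLS and proxies to the web container on port 80 (`backend jitsi` in master/haproxy.cfg), `DISABLE_HTTPS=1` should presumably also be uncommented so the container does not try to serve its own certificate; confirm against how the web image behaves with both left unset.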
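Review bot: The `etherpad` service declares no `volumes:`, so whatever storage the image uses by default lives inside the container and pad contents are lost on `docker-compose rm` or an image upgrade; mount a volume for its data directory (or configure an external database) if pads are meant to survive. It is also attached only to `meet.jitsi`, so the `ETHERPAD_PUBLIC_URL` that env.example offers cannot be served by haproxy, which only reaches `pg_bus` addresses — either add `pg_bus` with a fixed `ipv4_address` and a matching haproxy backend, or note that only the in-conference integration via `ETHERPAD_URL_BASE` is supported. Etherpad brings no authentication of its own, so whichever route eventually exposes it should sit behind the same access control as the conference; a one-line comment on the service stating that would help.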
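Review bot: `sed -i.bak` leaves `.env.bak` beside `.env` containing whatever secrets were there before, so re-running the script to rotate passwords keeps the superseded ones on disk; drop the backup after a successful rewrite and tighten the file mode, since `.env` now holds five service passwords: `ENV_FILE="$(dirname "$0")/.env"`, then `sed -i -e … "$ENV_FILE" && chmod 600 "$ENV_FILE"`. The script also has no `set -euo pipefail`, so if `openssl rand` fails the assignment yields an empty string and the `…PASSWORD=.*` pattern still matches, silently writing `JICOFO_AUTH_PASSWORD=` into `.env`; with `set -e` the failed command substitution aborts the script instead. This is inherited from upstream, but it is cheap to fix here.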
diff --git a/jitsi/jibri.yml b/jitsi/jibri.yml
new file mode 100644
index 0000000..624ba0d
--- /dev/null
+++ b/jitsi/jibri.yml
@@ -0,0 +1,46 @@
+version: '3'
+
+services:
+ jibri:
+ image: jitsi/jibri:stable-6433
+ restart: ${RESTART_POLICY}
+ volumes:
+ - ${CONFIG}/jibri:/config:Z
+ - /dev/shm:/dev/shm
+ cap_add:
+ - SYS_ADMIN
+ - NET_BIND_SERVICE
+ devices:
+ - /dev/snd:/dev/snd
+ environment:
+ - CHROMIUM_FLAGS
+ - DISPLAY=:0
+ - ENABLE_STATS_D
+ - JIBRI_FFMPEG_AUDIO_SOURCE
+ - JIBRI_FFMPEG_AUDIO_DEVICE
+ - JIBRI_HTTP_API_EXTERNAL_PORT
+ - JIBRI_HTTP_API_INTERNAL_PORT
+ - JIBRI_RECORDING_RESOLUTION
+ - JIBRI_USAGE_TIMEOUT
+ - JIBRI_XMPP_USER
+ - JIBRI_XMPP_PASSWORD
+ - JIBRI_BREWERY_MUC
+ - JIBRI_RECORDER_USER
+ - JIBRI_RECORDER_PASSWORD
+ - JIBRI_RECORDING_DIR
+ - JIBRI_FINALIZE_RECORDING_SCRIPT_PATH
+ - JIBRI_STRIP_DOMAIN_JID
+ - JIBRI_LOGS_DIR
+ - PUBLIC_URL
+ - TZ
+ - XMPP_AUTH_DOMAIN
+ - XMPP_DOMAIN
+ - XMPP_INTERNAL_MUC_DOMAIN
+ - XMPP_RECORDER_DOMAIN
+ - XMPP_SERVER
+ - XMPP_TRUST_ALL_CERTS
+ depends_on:
+ - jicofo
+ networks:
+ meet.jitsi:
+
diff --git a/jitsi/jigasi.yml b/jitsi/jigasi.yml
new file mode 100644
index 0000000..c35aa97
--- /dev/null
+++ b/jitsi/jigasi.yml
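Review bot: `jibri` gets `cap_add: SYS_ADMIN` together with a bind mount of the host's `/dev/shm`, which hands the host-wide shared-memory namespace to a container whose main job is to drive a browser against conference content; later upstream compose files replace the mount with `shm_size: '2gb'` so the segment stays private to the container (if I recall the compose schema correctly, that key needs `version: '3.5'` or later in the header). `XMPP_TRUST_ALL_CERTS` is also passed through; it is presumably needed because prosody is reached by internal hostname with a self-signed certificate, but a comment next to the line — `# only because prosody uses a self-signed cert on meet.jitsi; drop once a real CA is in place` — would keep it from being left on by accident.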
@@ -0,0 +1,53 @@
+version: '3'
+
+services:
+ # SIP gateway (audio)
+ jigasi:
+ image: jitsi/jigasi:stable-6433
+ restart: ${RESTART_POLICY}
+ ports:
+ - '${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}:${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}/udp'
+ volumes:
+ - ${CONFIG}/jigasi:/config:Z
+ - ${CONFIG}/transcripts:/tmp/transcripts:Z
+ environment:
+ - ENABLE_AUTH
+ - XMPP_AUTH_DOMAIN
+ - XMPP_MUC_DOMAIN
+ - XMPP_INTERNAL_MUC_DOMAIN
+ - XMPP_SERVER
+ - XMPP_DOMAIN
+ - PUBLIC_URL
+ - JIGASI_SIP_URI
+ - JIGASI_SIP_PASSWORD
+ - JIGASI_SIP_SERVER
+ - JIGASI_SIP_PORT
+ - JIGASI_SIP_TRANSPORT
+ - JIGASI_SIP_DEFAULT_ROOM
+ - JIGASI_XMPP_USER
+ - JIGASI_XMPP_PASSWORD
+ - JIGASI_BREWERY_MUC
+ - JIGASI_PORT_MIN
+ - JIGASI_PORT_MAX
+ - JIGASI_HEALTH_CHECK_SIP_URI
+ - JIGASI_HEALTH_CHECK_INTERVAL
+ - JIGASI_SIP_KEEP_ALIVE_METHOD
+ - JIGASI_ENABLE_SDES_SRTP
+ - ENABLE_TRANSCRIPTIONS
+ - JIGASI_TRANSCRIBER_ADVERTISE_URL
+ - JIGASI_TRANSCRIBER_RECORD_AUDIO
+ - JIGASI_TRANSCRIBER_SEND_TXT
+ - GC_PROJECT_ID
+ - GC_PRIVATE_KEY_ID
+ - GC_PRIVATE_KEY
+ - GC_CLIENT_EMAIL
+ - GC_CLIENT_ID
+ - GC_CLIENT_CERT_URL
+ - SENTRY_DSN="${JIGASI_SENTRY_DSN:-0}"
+ - SENTRY_ENVIRONMENT
+ - SENTRY_RELEASE
+ - TZ
+ depends_on:
+ - prosody
+ networks:
+ meet.jitsi:
diff --git a/master/create-networks.sh b/master/create-networks.sh
new file mode 100755
index 0000000..9682f4a
--- /dev/null
+++ b/master/create-networks.sh
@@ -0,0 +1,4 @@
+docker network create --subnet 10.255.251.0/24 pg_opn
+docker network create --subnet 10.255.252.0/24 pg_vpn
+docker network create --internal --subnet 10.255.253.0/24 pg_bus
+docker network create --internal --subnet 10.255.254.0/24 pg_int
\ No newline at end of file
diff --git a/master/docker-compose.yml b/master/docker-compose.yml
new file mode 100644
index 0000000..6d274f6
--- /dev/null
+++ b/master/docker-compose.yml
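Review bot: `ports:` publishes `${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}/udp` on every host interface, which makes jigasi the only service in this repository that opens host ports directly rather than being reached through haproxy on the internal `pg_bus` network (the JVB equivalent is commented out in docker-compose.yml). Bind it to the interface you actually intend, e.g. `'${DOCKER_HOST_ADDRESS}:${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}:${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}/udp'`, or comment the mapping out until SIP is in use. The Google service-account material (`GC_PRIVATE_KEY` and friends) and `JIGASI_SIP_PASSWORD` arrive as plain environment variables, readable by anyone who can `docker inspect` the container; that is upstream's design, but it deserves a note in env.example since the same `.env` is read by every compose file here.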
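Review bot: The script has no shebang and no `set -e`, and `docker network create` fails when the network already exists, so a second run (the README tells people to run it first, and jitsi's `make clean` can prune networks later) prints errors for the survivors but keeps going, leaving it unclear which networks actually exist. Add `#!/usr/bin/env bash` and `set -euo pipefail`, and make each line idempotent with a guard such as `docker network inspect pg_bus >/dev/null 2>&1 || docker network create --internal --subnet 10.255.253.0/24 pg_bus`. A short header comment explaining that `pg_bus`/`pg_int` are `--internal` (no host egress) and that `pg_bus` is where haproxy's backends live would also help whoever reads haproxy.cfg next.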
@@ -0,0 +1,62 @@
+version: '3.9'
+services:
+ lokinet:
+ build: lokinet
+ privileged: true
+ restart: always
+ environment:
+ - "TZ=UTC"
+ tty: true
+ tmpfs:
+ - /run
+ - /tmp
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:ro
+ - /sys/fs/cgroup/systemd
+ - ./data/lokinet:/data
+ - ./data/proxy/config/:/etc/squid
+ - ./data/proxy/logs/:/var/log/squid
+ - ./data/proxy/cache/:/var/spool/squid
+ - ./lokinet.ini:/etc/loki/lokinet.ini
+ - ./haproxy.cfg:/etc/haproxy/haproxy.cfg
+ - ./data/vpn:/certs
+ - ..:/repo:ro
+ networks:
+ pg_vpn:
+ ipv4_address: 10.255.252.253
+ pg_bus:
+ ipv4_address: 10.255.253.254
+ vpn:
+ build: vpn
+ privileged: true
+ restart: always
+ volumes:
+ - ./data/vpn:/config
+ networks:
+ pg_opn:
+ ipv4_address: 10.255.251.254
+ pg_vpn:
+ ipv4_address: 10.255.252.254
+ proxy:
+ build: proxy
+ privileged: true
+ environment:
+ - "TZ=UTC"
+ volumes:
+ - ./data/proxy/logs/:/var/log/squid
+ - ./data/proxy/cache/:/var/spool/squid
+ networks:
+ pg_vpn:
+ ipv4_address: 10.255.252.252
+ pg_bus:
+ ipv4_address: 10.255.253.252
+networks:
+ pg_opn:
+ external:
+ name: pg_opn
+ pg_vpn:
+ external:
+ name: pg_vpn
+ pg_bus:
+ external:
+ name: pg_bus
diff --git a/master/haproxy.cfg b/master/haproxy.cfg
new file mode 100644
index 0000000..3b9ab34
--- /dev/null
+++ b/master/haproxy.cfg
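Review bot: `lokinet` mounts the entire repository into a `privileged: true` container (`- ..:/repo:ro`) that also bridges `pg_vpn` and `pg_bus`; that tree includes `jitsi/.env` with the five XMPP service passwords written by gen-passwords.sh, `data/vpn`, and everything else under `*/data`, so a compromise of the lokinet, haproxy or squid process running inside it yields every credential in the deployment. The `lokinet.ini` and `haproxy.cfg` bind mounts already show the right pattern — mount only what the container needs and drop `..:/repo:ro`, or at least add a comment saying what inside the image reads `/repo`. All three services run `privileged: true`; for `proxy` (squid) a plain container should do, and `vpn` likely needs only `cap_add: [NET_ADMIN]` plus `/dev/net/tun` — hedged, since the Dockerfiles are not in this diff. `proxy` is also the only service without a `restart:` policy.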
@@ -0,0 +1,118 @@
+global
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+ ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+frontend http-in
+ bind :80 alpn h2,http/1.1
+ bind :8008 alpn h2,http/1.1
+ bind :443 ssl crt /certs/.acme.sh/rato.ro.eu.org/all.pem alpn h2,http/1.1
+ bind :8448 ssl crt /certs/.acme.sh/rato.ro.eu.org/all.pem alpn h2,http/1.1
+ default_backend matrix
+
+use_backend aaa if { hdr_beg(host) -i aaa }
+use_backend matrixwellknown if { path -i -m beg /.well-known/matrix }
+use_backend dimension if { hdr_beg(host) -i dimension }
+use_backend element if { hdr_beg(host) -i element }
+use_backend fosstodon if { hdr_beg(host) -i fosstodon }
+use_backend jitsi if { hdr_beg(host) -i jitsi }
+use_backend keycloak if { hdr_beg(host) -i keycloak }
+use_backend revolt if { hdr_beg(host) -i 
revolt. }
+use_backend revolt-api if { hdr_beg(host) -i revolt-api }
+use_backend revolt-ws if { hdr_beg(host) -i revolt-ws }
+use_backend revolt-au if { hdr_beg(host) -i revolt-au }
+use_backend revolt-jan if { hdr_beg(host) -i revolt-jan }
+use_backend revolt-vox if { hdr_beg(host) -i revolt-vox }
+use_backend site if { hdr_beg(host) -i site }
+use_backend h2 if { hdr_beg(host) -i h2 }
+use_backend pad if { hdr_beg(host) -i pad }
+use_backend wiki if { hdr_beg(host) -i wiki }
+
+backend aaa
+server aaa 10.255.253.199:80
+
+backend jitsi
+server jitsi 10.255.253.196:80
+
+backend keycloak
+server keycloak 10.255.253.198:8080
+
+backend matrix
+server matrix 10.255.253.10:8008
+
+backend matrixwellknown
+http-response add-header Access-Control-Allow-Origin *
+option forwardfor
+server matrixwellknown 10.255.253.14:80
+
+backend dimension
+http-response add-header Access-Control-Allow-Origin *
+option forwardfor
+server dimension 10.255.253.13:8184
+
+
+backend element
+server element 10.255.253.12:80
+
+backend fosstodon
+server fosstodon 10.255.253.20:3001
+
+backend revolt
+server revolt 10.255.253.30:5000
+
+backend revolt-api
+server revolt-api 10.255.253.31:8000
+
+backend revolt-ws
+server revolt-ws 10.255.253.31:9000
+
+backend revolt-au
+server revolt-au 10.255.253.32:3000
+
+backend revolt-jan
+server revolt-jan 10.255.253.33:3000
+
+backend revolt-vox
+server revolt-vox 10.255.253.34:8080
+
+backend wiki
+server wiki 10.255.253.194:80
+
+backend site
+server site 10.255.253.40:80
+
+backend pad
+server pad 10.255.253.50:3000
+
+backend h2
+server h2 10.255.253.60:3000
diff --git a/master/lokinet.ini b/master/lokinet.ini
new file mode 100644
index 0000000..eb753f2
--- /dev/null
+++ b/master/lokinet.ini
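Review bot: `frontend http-in` binds `:80` and `:8008` in cleartext and routes them to exactly the same backends as `:443`, with no redirect and no HSTS, so Keycloak logins, Element and the Matrix client API are all usable over plain HTTP; add `http-request redirect scheme https code 301 if !{ ssl_fc }` (carving out 8008 only if an internal client genuinely needs it) and `http-response set-header Strict-Transport-Security max-age=63072000 if { ssl_fc }`. Only `matrixwellknown` and `dimension` carry `option forwardfor` and nothing sets `X-Forwarded-Proto`, so Keycloak and Synapse see haproxy's own address and `http` as the scheme — which typically breaks redirect URIs and per-IP rate limiting; move `option forwardfor` into `defaults` and add `http-request set-header X-Forwarded-Proto https if { ssl_fc }` to the frontend (Keycloak's own proxy-forwarding switch is presumably needed too, but that config is not in this diff). The `revolt` rule deliberately uses `hdr_beg(host) -i revolt.` so it does not swallow `revolt-api` and friends declared after it; a one-line comment above that rule saying so would keep someone from "fixing" the dot.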
@@ -0,0 +1,234 @@
+[router]
+# Configuration for routing activity.
+
+
+# Network ID; this is 'lokinet' for mainnet, 'gamma' for testnet.
+#netid=lokinet
+
+# Minimum number of routers lokinet will attempt to maintain connections to.
+#min-connections=4
+
+# Maximum number (hard limit) of routers lokinet will be connected to at any time.
+#max-connections=6
+
+# Optional directory for containing lokinet runtime data. This includes generated
+# private keys.
+#data-dir=/var/lib/lokinet
+
+# The number of threads available for performing cryptographic functions.
+# The minimum is one thread, but network performance may increase with more.
+# threads. Should not exceed the number of logical CPU cores.
+# 0 means use the number of logical CPU cores detected at startup.
+#worker-threads=0
+
+
+[network]
+# Network settings
+# Snapp settings
+
+
+# Public key of a router which will act as a pinned first-hop. This may be used to
+# provide a trusted router (consider that you are not fully anonymous with your
+# first hop).
+#strict-connect=
+
+# The private key to persist address with. If not specified the address will be
+# ephemeral.
+#keyfile=
+
+# Set the endpoint authentication mechanism.
+# none/whitelist/lmq
+#auth=
+
+# lmq endpoint to talk to for authenticating new sessions
+# ipc:///var/lib/lokinet/auth.socket
+# tcp://127.0.0.1:5555
+#auth-lmq=
+
+# lmq function to call for authenticating new sessions
+# llarp.auth
+#auth-lmq-method=llarp.auth
+
+# manually add a remote endpoint by .loki address to the access whitelist
+#auth-whitelist=
+
+# Determines whether we will publish our snapp's introset to the DHT.
+#reachable=1
+
+# Number of hops in a path. Min 1, max 8.
+#hops=4
+
+# Number of paths to maintain at any given time.
+#paths=6
+
+# Whether or not we should act as an exit node. Beware that this increases demand
+# on the server and may pose liability concerns. Enable at your own risk.
+#exit=0
+
+# When in exit mode announce we allow a private range in our introsetexmaple:
+# owned-range=10.0.0.0/24
+#owned-range=
+
+# List of ip traffic whitelist, anything not specified will be dropped by us.examples:
+# tcp for all tcp traffic regardless of port
+# 0x69 for all packets using ip protocol 0x69udp/53 for udp port 53
+# tcp/smtp for smtp port
+#traffic-whitelist=
+
+# Specify a `.loki` address and an optional ip range to use as an exit broker.
+# Example:
+# exit-node=whatever.loki # maps all exit traffic to whatever.loki
+# exit-node=stuff.loki:100.0.0.0/24 # maps 100.0.0.0/24 to stuff.loki
+#exit-node=
+
+# Specify an optional authentication code required to use a non-public exit node.
+# For example:
+# exit-auth=myfavouriteexit.loki:abc
+# uses the authentication code `abc` whenever myfavouriteexit.loki is accessed.
+# Can be specified multiple time to store codes for different exit nodes.
+#exit-auth=
+
+# Interface name for lokinet traffic. If unset lokinet will look for a free name
+# lokinetN, starting at 0 (e.g. lokinet0, lokinet1, ...).
+#ifname=
+
+# Local IP and range for lokinet traffic. For example, 172.16.0.1/16 to use
+# 172.16.0.1 for this machine and 172.16.x.y for remote peers. If omitted then
+# lokinet will attempt to find an unused private range.
+#ifaddr=
+
+# For all ipv6 exit traffic you will use this as the base address bitwised or'd with the v4 address in use.
+# To disable ipv6 set this to an empty value.
+# !!! WARNING !!! Disabling ipv6 tunneling when you have ipv6 routes WILL lead to de-anonymization as lokinet will no longer carry your ipv6 traffic.
+#ip6-range=fd00::
+
+# Map a remote `.loki` address to always use a fixed local IP. For example:
+# mapaddr=whatever.loki:172.16.0.10
+# maps `whatever.loki` to `172.16.0.10` instead of using the next available IP.
+# The given IP address must be inside the range configured by ifaddr=
+#mapaddr=
+
+# Adds a lokinet relay `.snode` address to the list of relays to avoid when
+# building paths. Can be specified multiple times.
+#blacklist-snode=
+
+# Specify SRV Records for services hosted on the SNApp
+# for more info see https://docs.loki.network/Lokinet/Guides/HostingSNApps/
+# srv=_service._protocol priority weight port target.loki
+#srv=
+
+# time in seconds how long to wait for a path to align to pivot routers
+# if not provided a sensible default will be used
+#path-alignment-timeout=
+
+# persist mapped ephemeral addresses to a file
+# on restart the mappings will be loaded so that ip addresses will not be mapped to a different address
+#persist-addrmap-file=/var/lib/lokinet/addrmap.dat
+
+
+[paths]
+# path selection algorithm options
+
+
+# Netmask for router path selection; each router must be from a distinct IP subnet of the given size.
+# E.g. 16 ensures that all routers are using distinct /16 IP addresses.
+#unique-range-size=32
+
+
+[dns]
+# DNS configuration
+
+
+# Upstream resolver(s) to use as fallback for non-loki addresses.
+# Multiple values accepted.
+upstream=10.64.0.1
+
+# Address to bind to for handling DNS requests.
+bind=127.3.2.1:53
+# Add a hosts file to the dns resolver
+# For use with client side dns filtering
+#add-hosts=
+
+# Can be uncommented and set to 1 to disable resolvconf configuration of lokinet DNS.
+# (This is not used directly by lokinet itself, but by the lokinet init scripts
+# on systems which use resolveconf)
+#no-resolvconf=
+
+
+[bind]
+# This section specifies network interface names and/or IPs as keys, and
+# ports as values to control the address(es) on which Lokinet listens for
+# incoming data.
+#
+# Examples:
+#
+# eth0=1090
+# 0.0.0.0=1090
+# 1.2.3.4=1090
+#
+# The first bind to port 1090 on the network interface 'eth0'; the second binds
+# to port 1090 on all local network interfaces; and the third example binds to
+# port 1090 on the given IP address.
+#
+# If a private range IP address (or an interface with a private IP) is given, or
+# if the 0.0.0.0 all-address IP is given then you must also specify the
+# public-ip= and public-port= settings in the [router] section with a public
+# address at which this router can be reached.
+# Typically this section can be left blank: if no inbound bind addresses are
+# configured then lokinet will search for a local network interface with a public
+# IP address and use that (with port 1090).
+
+
+# Specify a source port for **outgoing** Lokinet traffic, for example if you want to
+# set up custom firewall rules based on the originating port. Typically this should
+# be left unset to automatically choose random source ports.
+#*=0
+
+
+[api]
+# JSON API settings
+
+
+# Determines whether or not the LMQ JSON API is enabled. Defaults
+#enabled=1
+
+# IP address and port to bind to.
+# Recommend localhost-only for security purposes.
+#bind=tcp://127.0.0.1:1190
+
+
+[bootstrap]
+# Configure nodes that will bootstrap us onto the network
+
+
+# Whether or not to run as a seed node. We will not have any bootstrap routers configured.
+#seed-node=0
+
+# Specify a bootstrap file containing a signed RouterContact of a service node
+# which can act as a bootstrap. Can be specified multiple times.
+#add-node=
+
+
+[logging]
+# logging settings
+
+
+# Log type (format). Valid options are:
+# file - plaintext formatting
+# json - json-formatted log statements
+# syslog - logs directed to syslog
+#type=file
+
+# Minimum log level to print. Logging below this level will be ignored.
+# Valid log levels, in ascending order, are:
+# trace
+# debug
+# info
+# warn
+# error
+#level=warn
+
+# When using type=file this is the output filename. If given the value 'stdout' or
+# left empty then logging is printed as standard output rather than written to a
+# file.
+#file=
diff --git a/master/lokinet/Dockerfile b/master/lokinet/Dockerfile
new file mode 100644
index 0000000..37588aa
--- /dev/null
+++ b/master/lokinet/Dockerfile
@@ -0,0 +1,15 @@
+FROM registry.oxen.rocks/lokinet-exit:latest
+
+RUN apt-get -y update && \
+ apt-get -y install curl iproute2 iputils-ping tcpdump net-tools dnsutils procps squid iptables inetutils-telnet haproxy && \
+ apt-get -y clean && \
+ rm -rf /var/lib/apt/lists/*
+
+EXPOSE 3128/tcp
+VOLUME [/var/spool/squid /var/log/squid]
+
+COPY routes.service /etc/systemd/system/routes.service
+COPY routes-start /usr/local/bin/routes-start
+COPY resolv.conf /etc/resolv.conf
+RUN chmod +x /usr/local/bin/routes-start
+RUN systemctl enable routes.service
\ No newline at end of file
diff --git a/master/lokinet/resolv.conf b/master/lokinet/resolv.conf
new file mode 100644
index 0000000..143c252
--- /dev/null
+++ b/master/lokinet/resolv.conf
@@ -0,0 +1 @@
+nameserver 127.0.0.1
\ No newline at end of file
diff --git a/master/lokinet/routes-start b/master/lokinet/routes-start
new file mode 100644
index 0000000..ba7d601
--- /dev/null
+++ b/master/lokinet/routes-start
@@ -0,0 +1,4 @@
+#!/bin/bash
+#route del -net default
+route add -net 10.64.0.0/24 gw 10.255.252.254
+#route add -net default gw 10.255.252.254
\ No newline at end of file
diff --git a/master/lokinet/routes.service b/master/lokinet/routes.service
new file mode 100644
index 0000000..5159dbc
--- /dev/null
+++ b/master/lokinet/routes.service
@@ -0,0 +1,7 @@
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/bash /usr/local/bin/routes-start
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
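Review bot: `bind=127.3.2.1:53` in `[dns]` does not match the `nameserver 127.0.0.1` that master/lokinet/resolv.conf installs into the same container, so unless some other resolver listens on 127.0.0.1:53 the container's own lookups never reach lokinet's DNS; one of the two values should change, e.g. `nameserver 127.3.2.1` in resolv.conf. `upstream=10.64.0.1` is only reachable through the static route that master/lokinet/routes-start adds via 10.255.252.254, and that coupling is recorded nowhere; a comment above it such as `# reachable only through the 10.64.0.0/24 route added by routes-start` would save the next reader a search. Everything else in the file is the stock commented-out template, so these two live values are the only ones a reviewer needs to verify.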
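Review bot: `VOLUME [/var/spool/squid /var/log/squid]` is not valid JSON (unquoted strings, no comma), so Docker falls back to treating the whole argument as a plain string and declares volumes literally named `[/var/spool/squid` and `/var/log/squid]`; write `VOLUME ["/var/spool/squid", "/var/log/squid"]`. `COPY resolv.conf /etc/resolv.conf` is very likely a no-op at run time because Docker mounts its own /etc/resolv.conf over the image's file when the container starts; if the 127.0.0.1 resolver is required it should be set through the container's `dns` option rather than baked into the image. `FROM ...:latest` and an unpinned `apt-get install` also make rebuilds of this exit-node image, which carries haproxy, squid and a set of network debugging tools, non-reproducible.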
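Review bot: `route add -net 10.64.0.0/24 gw 10.255.252.254` relies on the legacy net-tools `route`, and the two commented-out lines are dead code that leave it unclear whether the default route is meant to change; the Dockerfile already installs iproute2, so `ip route replace 10.64.0.0/24 via 10.255.252.254` does the same job and the stale comments can go. Because routes.service runs this as `Type=oneshot`, a failing `route add` (for example when the route already exists) marks the unit failed on every restart, which `replace` also avoids. If the default-route lines are a planned change, a one-line comment saying so is better than leaving them commented out.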
diff --git a/master/vpn/Dockerfile b/master/vpn/Dockerfile
new file mode 100644
index 0000000..369360f
--- /dev/null
+++ b/master/vpn/Dockerfile
@@ -0,0 +1,20 @@
+FROM debian
+
+RUN apt-get -y update && \
+ apt-get -y install curl dbus && \
+ curl -L -o mullvad.deb https://mullvad.net/download/app/deb/latest && \
+ apt-get -y install ./mullvad.deb && \
+ rm -f mullvad.deb && \
+ apt-get -y clean && \
+ rm -rf /var/lib/apt/lists/*
+
+
+RUN apt-get -y update && \
+ apt-get -y install iputils-ping tcpdump net-tools dnsutils procps iptables git iproute2 && \
+ apt-get -y clean && \
+ rm -rf /var/lib/apt/lists/*
+
+VOLUME /config
+
+ADD my_init /
+CMD ["/my_init"]
diff --git a/master/vpn/README.md b/master/vpn/README.md
new file mode 100644
index 0000000..ff6f7a8
--- /dev/null
+++ b/master/vpn/README.md
@@ -0,0 +1,40 @@
+## Image
+
+Docker image of [mullvad](https://mullvad.net/en/)
+
+## Usage
+
+Start container:
+
+```
+docker run -d \
+ --name mullvad_vpn \
+ --restart=always \
+ --privileged \
+ -v mullvad_config:/config \
+ oblique/mullvad
+```
+
+The first time you need to configure your mullvad client:
+
+```
+docker exec -it mullvad_vpn bash
+mullvad relay set tunnel-protocol wireguard
+mullvad always-require-vpn set on
+mullvad auto-connect set on
+mullvad account set [ID]
+mullvad connect
+```
+
+## Use VPN from another container
+
+For `docker run`, use `--net=container:mullvad_vpn`, for example:
+
+```
+docker run -it --rm --net=container:mullvad_vpn alpine
+```
+
+For `docker-compose`, check my [vpn-example].
+
+
+[vpn-example]: https://github.com/oblique/dockerfiles/tree/master/composefiles/vpn-example
diff --git a/master/vpn/my_init b/master/vpn/my_init
new file mode 100755
index 0000000..70b165c
--- /dev/null
+++ b/master/vpn/my_init
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+export MULLVAD_SETTINGS_DIR=/config
+iptables -t nat -A POSTROUTING -j MASQUERADE
+exec /opt/Mullvad\ VPN/resources/mullvad-daemon -v
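Review bot: `curl -L -o mullvad.deb https://mullvad.net/download/app/deb/latest` installs whatever the redirect currently points at, with no version pin and no signature or checksum verification, into an image the README runs with `--privileged`; TLS on the download alone does not protect against a compromised or substituted package. Pin a specific release and verify the vendor's detached signature (or at minimum a recorded sha256 via `sha256sum -c`) before `apt-get -y install ./mullvad.deb`, and pin `FROM debian` to a tagged release so the base layer is reproducible as well. The second `RUN apt-get -y update && apt-get -y install ...` can be merged into the first to avoid a second package-index fetch, and `ADD my_init /` should be `COPY` since no archive extraction or remote fetch is involved.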
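Review bot: `iptables -t nat -A POSTROUTING -j MASQUERADE` is unscoped — no `-o` interface and no `-s` source — so every forwarded packet leaving this namespace is NATed whichever interface it exits on, which includes the non-tunnel interface whenever the tunnel is not up. Restricting it to the tunnel, `iptables -t nat -A POSTROUTING -o <tunnel-iface> -j MASQUERADE` (placeholder for the interface the daemon creates), keeps the rule aligned with the `always-require-vpn` setting the README asks the operator to enable rather than relying on it alone. The script also has no `set -e`, so an iptables failure is silently ignored before `exec` hands control to the daemon.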
diff --git a/matrix/docker-compose.yml b/matrix/docker-compose.yml
new file mode 100644
index 0000000..928eaea
--- /dev/null
+++ b/matrix/docker-compose.yml
@@ -0,0 +1,72 @@
+version: '3'
+services:
+ synapse:
+ container_name: synapse
+ hostname: piorgeracao.loki
+ image: matrixdotorg/synapse:latest
+ restart: always
+ environment:
+ - SYNAPSE_SERVER_NAME=urchcno5rea4njyb7niytdekqw87x55x9q77a1gba9tqkbznw67y.loki
+ - SYNAPSE_REPORT_STATS=yes
+ - SYNAPSE_NO_TLS=1
+ - SYNAPSE_ENABLE_REGISTRATION=yes
+ # - SYNAPSE_CONFIG_PATH=/config
+ - SYNAPSE_LOG_LEVEL=DEBUG
+ # - SYNAPSE_REGISTRATION_SHARED_SECRET=${REG_SHARED_SECRET}
+ - POSTGRES_DB=synapse
+ - POSTGRES_HOST=synapse_db
+ - POSTGRES_USER=postgres
+ - POSTGRES_PASSWORD=postgres
+ volumes:
+ - ./data/synapse:/data
+ depends_on:
+ - synapse_db
+ # In order to expose Synapse, remove one of the following, you might for
+ # instance expose the TLS port directly:
+ # ports:
+ # - 8448:8448/tcp
+ networks:
+ pg_bus:
+ ipv4_address: 10.255.253.10
+ synapse_db:
+ image: docker.io/postgres:10-alpine
+ restart: always
+ environment:
+ - POSTGRES_DB=synapse
+ - POSTGRES_USER=postgres
+ - POSTGRES_PASSWORD=postgres
+ volumes:
+ - ./data/postgres:/var/lib/postgresql/data
+ networks:
+ pg_bus:
+ ipv4_address: 10.255.253.11
+ element:
+ image: vectorim/element-web
+ restart: always
+ volumes:
+ - ./data/element/config.json:/app/config.json
+ networks:
+ pg_bus:
+ ipv4_address: 10.255.253.12
+ dimension:
+ image: turt2live/matrix-dimension
+ restart: always
+ volumes:
+ - ./data/dimension:/data
+ extra_hosts:
+ urchcno5rea4njyb7niytdekqw87x55x9q77a1gba9tqkbznw67y.loki: 10.255.253.254
+ networks:
+ pg_bus:
+ ipv4_address: 10.255.253.13
+ web:
+ image: nginx
+ volumes:
+ - ./data/wellknown:/usr/share/nginx/html
+ restart: always
+ networks:
+ pg_bus:
+ ipv4_address: 10.255.253.14
+networks:
+ pg_bus:
+ external:
+ name: pg_bus
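Review bot: `POSTGRES_PASSWORD=postgres` is hard-coded in both the `synapse` and `synapse_db` environment blocks, and the database sits on the shared external `pg_bus` network at a fixed address (10.255.253.11), apparently the same 10.255.253.0/24 range every haproxy backend on this page lives in, so any compromised neighbouring container reaches the database superuser with a default credential. Move the password into an env file and reference it as `- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}` (the substitution form the commented `${REG_SHARED_SECRET}` line already uses), and put `synapse_db` on a separate internal network that only `synapse` joins. `SYNAPSE_ENABLE_REGISTRATION=yes`, `SYNAPSE_LOG_LEVEL=DEBUG` and `image: matrixdotorg/synapse:latest` read as development settings; open registration on a homeserver reachable through the :443/:8448 frontend should be a deliberate, commented choice, and the image tag pinned so a `restart: always` does not silently pull a different release.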