Initial
commit
c783770b5f
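--- /dev/null
+++ b/PATH_UNKNOWN/.gitignore
@@ -0,0 +1,15 @@
+yggdrasil
+wiki
+site
+revolt
+proxy
+ldap
+hedgedoc
+h2
+fosstodon
+*/data
+jitsi/*
+!jitsi/*.yml
+!jitsi/env.example
+!jitsi/Makefile
+!jitsi/gen-passwords.sh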
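--- /dev/null
+++ b/PATH_UNKNOWN/README.md
@@ -0,0 +1,6 @@
+# MilkToastHoney
+
+1. Entrar na pasta master e executar o script `create-networks.sh` para criar as redes.
+2. Executar o docker-compose da pasta master para levantar os serviços de: Lokinet, VPN e Proxy
+3. Entrar na pasta Matrix e levantar o serviço (provavelmente será necessário baixar e levantar uma vez por causa das configurações geradas)
+4. Entrar na pasta jitsi e levantar o serviço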
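--- /dev/null
+++ b/jitsi/Makefile
@@ -0,0 +1,42 @@
+FORCE_REBUILD ?= 0
+JITSI_RELEASE ?= stable
+JITSI_BUILD ?= latest
+JITSI_REPO ?= jitsi
+JITSI_SERVICES ?= base base-java web prosody jicofo jvb jigasi jibri
+
+BUILD_ARGS := --build-arg JITSI_REPO=$(JITSI_REPO) --build-arg JITSI_RELEASE=$(JITSI_RELEASE)
+ifeq ($(FORCE_REBUILD), 1)
+BUILD_ARGS := $(BUILD_ARGS) --no-cache
+endif
+
+
+all: build-all
+
+release: tag-all push-all
+
+build:
+docker build $(BUILD_ARGS) --progress plain --tag $(JITSI_REPO)/$(JITSI_SERVICE) $(JITSI_SERVICE)/
+
+$(addprefix build_,$(JITSI_SERVICES)):
+$(MAKE) --no-print-directory JITSI_SERVICE=$(patsubst build_%,%,$@) build
+
+tag:
+docker tag $(JITSI_REPO)/$(JITSI_SERVICE):latest $(JITSI_REPO)/$(JITSI_SERVICE):$(JITSI_BUILD)
+
+push:
+docker push $(JITSI_REPO)/$(JITSI_SERVICE):latest
+docker push $(JITSI_REPO)/$(JITSI_SERVICE):$(JITSI_BUILD)
+
+%-all:
+@$(foreach SERVICE, $(JITSI_SERVICES), $(MAKE) --no-print-directory JITSI_SERVICE=$(SERVICE) $(subst -all,;,$@))
+
+clean:
+docker-compose stop
+docker-compose rm
+docker network prune
+
+prepare:
+docker pull debian:buster-slim
+FORCE_REBUILD=1 $(MAKE)
+
+.PHONY: all build tag push clean prepare release $(addprefix build_,$(JITSI_SERVICES))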
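Review bot: `clean` runs `docker network prune`, which is host-wide and interactive: it removes every unused Docker network on the machine, not only this project's, and the `pg_opn`/`pg_vpn`/`pg_bus`/`pg_int` networks that `create-networks.sh` in this same commit pre-creates as external would be pruned whenever nothing happens to be attached to them. Replace the line with `docker-compose down` (which removes only the project's own networks) or drop it and document that network cleanup is manual; `docker-compose rm` on the line above also prompts for confirmation, so the target cannot run unattended as written. Separately, `build` has no guard on `JITSI_SERVICE`, so a bare `make build` expands to `docker build ... --tag jitsi/ /` and starts building the filesystem root; a first recipe line of `$(if $(strip $(JITSI_SERVICE)),,$(error JITSI_SERVICE is not set))` fails loudly instead. The rendered page has dropped the leading tabs of the recipe lines, so whether the on-disk file uses tabs cannot be confirmed from here.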
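--- /dev/null
+++ b/jitsi/PATH_UNKNOWN-main-compose.yml
@@ -0,0 +1,299 @@
+version: '3'
+
+services:
+web:
+image: jitsi/web:stable-6433
+restart: always
+volumes:
+- ${CONFIG}/web:/config:Z
+- ${CONFIG}/web/crontabs:/var/spool/cron/crontabs:Z
+- ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
+environment:
+- AMPLITUDE_ID
+- ANALYTICS_SCRIPT_URLS
+- ANALYTICS_WHITELISTED_EVENTS
+- CALLSTATS_CUSTOM_SCRIPT_URL
+- CALLSTATS_ID
+- CALLSTATS_SECRET
+- CHROME_EXTENSION_BANNER_JSON
+- CONFCODE_URL
+- CONFIG_EXTERNAL_CONNECT
+- DEFAULT_LANGUAGE
+- DEPLOYMENTINFO_ENVIRONMENT
+- DEPLOYMENTINFO_ENVIRONMENT_TYPE
+- DEPLOYMENTINFO_REGION
+- DEPLOYMENTINFO_SHARD
+- DEPLOYMENTINFO_USERREGION
+- DESKTOP_SHARING_FRAMERATE_MIN
+- DESKTOP_SHARING_FRAMERATE_MAX
+- DIALIN_NUMBERS_URL
+- DIALOUT_AUTH_URL
+- DIALOUT_CODES_URL
+- DISABLE_AUDIO_LEVELS
+- DISABLE_DEEP_LINKING
+- DISABLE_HTTPS
+- DISABLE_POLLS
+- DISABLE_REACTIONS
+- DROPBOX_APPKEY
+- DROPBOX_REDIRECT_URI
+- DYNAMIC_BRANDING_URL
+- ENABLE_AUDIO_PROCESSING
+- ENABLE_AUTH
+- ENABLE_CALENDAR
+- ENABLE_COLIBRI_WEBSOCKET
+- ENABLE_FILE_RECORDING_SERVICE
+- ENABLE_FILE_RECORDING_SERVICE_SHARING
+- ENABLE_FLOC
+- ENABLE_GUESTS
+- ENABLE_HSTS
+- ENABLE_HTTP_REDIRECT
+- ENABLE_IPV6
+- ENABLE_LETSENCRYPT
+- ENABLE_LIPSYNC
+- ENABLE_NO_AUDIO_DETECTION
+- ENABLE_NOISY_MIC_DETECTION
+- ENABLE_PREJOIN_PAGE
+- ENABLE_P2P
+- ENABLE_WELCOME_PAGE
+- ENABLE_CLOSE_PAGE
+- ENABLE_RECORDING
+- ENABLE_REMB
+- ENABLE_REQUIRE_DISPLAY_NAME
+- ENABLE_SIMULCAST
+- ENABLE_STATS_ID
+- ENABLE_STEREO
+- ENABLE_SUBDOMAINS
+- ENABLE_TALK_WHILE_MUTED
+- ENABLE_TCC
+- ENABLE_TRANSCRIPTIONS
+- ENABLE_XMPP_WEBSOCKET
+- ETHERPAD_PUBLIC_URL
+- ETHERPAD_URL_BASE
+- GOOGLE_ANALYTICS_ID
+- GOOGLE_API_APP_CLIENT_ID
+- INVITE_SERVICE_URL
+- JICOFO_AUTH_USER
+- LETSENCRYPT_DOMAIN
+- LETSENCRYPT_EMAIL
+- LETSENCRYPT_USE_STAGING
+- MATOMO_ENDPOINT
+- MATOMO_SITE_ID
+- MICROSOFT_API_APP_CLIENT_ID
+- NGINX_RESOLVER
+- NGINX_WORKER_PROCESSES
+- NGINX_WORKER_CONNECTIONS
+- PEOPLE_SEARCH_URL
+- PUBLIC_URL
+- P2P_PREFERRED_CODEC
+- RESOLUTION
+- RESOLUTION_MIN
+- RESOLUTION_WIDTH
+- RESOLUTION_WIDTH_MIN
+- START_AUDIO_MUTED
+- START_AUDIO_ONLY
+- START_BITRATE
+- START_SILENT
+- START_WITH_AUDIO_MUTED
+- START_VIDEO_MUTED
+- START_WITH_VIDEO_MUTED
+- TESTING_CAP_SCREENSHARE_BITRATE
+- TESTING_OCTO_PROBABILITY
+- TOKEN_AUTH_URL
+- TZ
+- VIDEOQUALITY_BITRATE_H264_LOW
+- VIDEOQUALITY_BITRATE_H264_STANDARD
+- VIDEOQUALITY_BITRATE_H264_HIGH
+- VIDEOQUALITY_BITRATE_VP8_LOW
+- VIDEOQUALITY_BITRATE_VP8_STANDARD
+- VIDEOQUALITY_BITRATE_VP8_HIGH
+- VIDEOQUALITY_BITRATE_VP9_LOW
+- VIDEOQUALITY_BITRATE_VP9_STANDARD
+- VIDEOQUALITY_BITRATE_VP9_HIGH
+- VIDEOQUALITY_ENFORCE_PREFERRED_CODEC
+- VIDEOQUALITY_PREFERRED_CODEC
+- XMPP_AUTH_DOMAIN
+- XMPP_BOSH_URL_BASE
+- XMPP_DOMAIN
+- XMPP_GUEST_DOMAIN
+- XMPP_MUC_DOMAIN
+- XMPP_RECORDER_DOMAIN
+networks:
+meet.jitsi:
+pg_bus:
+ipv4_address: 10.255.253.196
+
+# XMPP server
+prosody:
+image: jitsi/prosody:stable-6433
+restart: ${RESTART_POLICY}
+expose:
+- '5222'
+- '5347'
+- '5280'
+volumes:
+- ${CONFIG}/prosody/config:/config:Z
+- ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z
+environment:
+- AUTH_TYPE
+- DISABLE_POLLS
+- ENABLE_AUTH
+- ENABLE_AV_MODERATION
+- ENABLE_GUESTS
+- ENABLE_LOBBY
+- ENABLE_XMPP_WEBSOCKET
+- GLOBAL_CONFIG
+- GLOBAL_MODULES
+- JIBRI_RECORDER_USER
+- JIBRI_RECORDER_PASSWORD
+- JIBRI_XMPP_USER
+- JIBRI_XMPP_PASSWORD
+- JICOFO_AUTH_USER
+- JICOFO_AUTH_PASSWORD
+- JICOFO_COMPONENT_SECRET
+- JIGASI_XMPP_USER
+- JIGASI_XMPP_PASSWORD
+- JVB_AUTH_USER
+- JVB_AUTH_PASSWORD
+- JWT_APP_ID
+- JWT_APP_SECRET
+- JWT_ACCEPTED_ISSUERS
+- JWT_ACCEPTED_AUDIENCES
+- JWT_ASAP_KEYSERVER
+- JWT_ALLOW_EMPTY
+- JWT_AUTH_TYPE
+- JWT_TOKEN_AUTH_MODULE
+- LOG_LEVEL
+- LDAP_AUTH_METHOD
+- LDAP_BASE
+- LDAP_BINDDN
+- LDAP_BINDPW
+- LDAP_FILTER
+- LDAP_VERSION
+- LDAP_TLS_CIPHERS
+- LDAP_TLS_CHECK_PEER
+- LDAP_TLS_CACERT_FILE
+- LDAP_TLS_CACERT_DIR
+- LDAP_START_TLS
+- LDAP_URL
+- LDAP_USE_TLS
+- PUBLIC_URL
+- TURN_CREDENTIALS
+- TURN_HOST
+- TURNS_HOST
+- TURN_PORT
+- TURNS_PORT
+- TZ
+- XMPP_DOMAIN
+- XMPP_AUTH_DOMAIN
+- XMPP_GUEST_DOMAIN
+- XMPP_MUC_DOMAIN
+- XMPP_INTERNAL_MUC_DOMAIN
+- XMPP_MODULES
+- XMPP_MUC_MODULES
+- XMPP_INTERNAL_MUC_MODULES
+- XMPP_RECORDER_DOMAIN
+- XMPP_CROSS_DOMAIN
+networks:
+meet.jitsi:
+aliases:
+- ${XMPP_SERVER}
+
+# Focus component
+jicofo:
+image: jitsi/jicofo:stable-6433
+restart: ${RESTART_POLICY}
+volumes:
+- ${CONFIG}/jicofo:/config:Z
+environment:
+- AUTH_TYPE
+- BRIDGE_AVG_PARTICIPANT_STRESS
+- BRIDGE_STRESS_THRESHOLD
+- ENABLE_AUTH
+- ENABLE_AUTO_OWNER
+- ENABLE_CODEC_VP8
+- ENABLE_CODEC_VP9
+- ENABLE_CODEC_H264
+- ENABLE_OCTO
+- ENABLE_RECORDING
+- ENABLE_SCTP
+- ENABLE_AUTO_LOGIN
+- JICOFO_AUTH_USER
+- JICOFO_AUTH_PASSWORD
+- JICOFO_ENABLE_BRIDGE_HEALTH_CHECKS
+- JICOFO_CONF_INITIAL_PARTICIPANT_WAIT_TIMEOUT
+- JICOFO_CONF_SINGLE_PARTICIPANT_TIMEOUT
+- JICOFO_ENABLE_HEALTH_CHECKS
+- JICOFO_SHORT_ID
+- JICOFO_RESERVATION_ENABLED
+- JICOFO_RESERVATION_REST_BASE_URL
+- JIBRI_BREWERY_MUC
+- JIBRI_REQUEST_RETRIES
+- JIBRI_PENDING_TIMEOUT
+- JIGASI_BREWERY_MUC
+- JIGASI_SIP_URI
+- JVB_BREWERY_MUC
+- MAX_BRIDGE_PARTICIPANTS
+- OCTO_BRIDGE_SELECTION_STRATEGY
+- SENTRY_DSN="${JICOFO_SENTRY_DSN:-0}"
+- SENTRY_ENVIRONMENT
+- SENTRY_RELEASE
+- TZ
+- XMPP_DOMAIN
+- XMPP_AUTH_DOMAIN
+- XMPP_INTERNAL_MUC_DOMAIN
+- XMPP_MUC_DOMAIN
+- XMPP_SERVER
+depends_on:
+- prosody
+networks:
+meet.jitsi:
+
+# Video bridge
+jvb:
+image: jitsi/jvb:stable-6433
+restart: ${RESTART_POLICY}
+# ports:
+# - '${JVB_PORT}:${JVB_PORT}/udp'
+# - '${JVB_TCP_PORT}:${JVB_TCP_PORT}'
+volumes:
+- ${CONFIG}/jvb:/config:Z
+environment:
+- DOCKER_HOST_ADDRESS
+- ENABLE_COLIBRI_WEBSOCKET
+- ENABLE_OCTO
+- JVB_AUTH_USER
+- JVB_AUTH_PASSWORD
+- JVB_BREWERY_MUC
+- JVB_PORT
+- JVB_TCP_HARVESTER_DISABLED
+- JVB_TCP_PORT
+- JVB_TCP_MAPPED_PORT
+- JVB_STUN_SERVERS
+- JVB_ENABLE_APIS
+- JVB_OCTO_BIND_ADDRESS
+- JVB_OCTO_PUBLIC_ADDRESS
+- JVB_OCTO_BIND_PORT
+- JVB_OCTO_REGION
+- JVB_WS_DOMAIN
+- JVB_WS_SERVER_ID
+- PUBLIC_URL
+- SENTRY_DSN="${JVB_SENTRY_DSN:-0}"
+- SENTRY_ENVIRONMENT
+- SENTRY_RELEASE
+- COLIBRI_REST_ENABLED
+- SHUTDOWN_REST_ENABLED
+- TZ
+- XMPP_AUTH_DOMAIN
+- XMPP_INTERNAL_MUC_DOMAIN
+- XMPP_SERVER
+depends_on:
+- prosody
+networks:
+meet.jitsi:
+
+# Custom network so all services can communicate using a FQDN
+networks:
+meet.jitsi:
+pg_bus:
+external:
+name: pg_bus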
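Review bot: The commented-out `ports:` block on `jvb` leaves the bridge's media port (`JVB_PORT`, 10000 in env.example) unpublished, and nothing in the file says whether that is intended; `web` is likewise unpublished and pinned to `10.255.253.196` on the internal `pg_bus` network, so the proxy appears to be meant to front the stack. If media is also expected to traverse the proxy/VPN, a comment above the commented block such as `# media is deliberately not published on the host; reachable only via pg_bus` records that, and if not, external participants have no media path at all. `web` also uses `restart: always` while `prosody`, `jicofo` and `jvb` use `${RESTART_POLICY}`; changing it to `restart: ${RESTART_POLICY}` keeps the policy configurable in one place. Indentation is not visible on the rendered page, so the YAML nesting is taken on trust here.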
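--- /dev/null
+++ b/jitsi/env.example
@@ -0,0 +1,409 @@
+# shellcheck disable=SC2034
+
+# Security
+#
+# Set these to strong passwords to avoid intruders from impersonating a service account
+# The service(s) won't start unless these are specified
+# Running ./gen-passwords.sh will update .env with strong passwords
+# You may skip the Jigasi and Jibri passwords if you are not using those
+# DO NOT reuse passwords
+#
+
+# XMPP password for Jicofo client connections
+JICOFO_AUTH_PASSWORD=
+
+# XMPP password for JVB client connections
+JVB_AUTH_PASSWORD=
+
+# XMPP password for Jigasi MUC client connections
+JIGASI_XMPP_PASSWORD=
+
+# XMPP recorder password for Jibri client connections
+JIBRI_RECORDER_PASSWORD=
+
+# XMPP password for Jibri client connections
+JIBRI_XMPP_PASSWORD=
+
+
+#
+# Basic configuration options
+#
+
+# Directory where all configuration will be stored
+CONFIG=~/.jitsi-meet-cfg
+
+# Exposed HTTP port
+HTTP_PORT=8000
+
+# Exposed HTTPS port
+HTTPS_PORT=8443
+
+# System time zone
+TZ=UTC
+
+# Public URL for the web service (required)
+#PUBLIC_URL=https://meet.example.com
+
+# IP address of the Docker host
+# See the "Running behind NAT or on a LAN environment" section in the Handbook:
+# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment
+#DOCKER_HOST_ADDRESS=192.168.1.1
+
+# Control whether the lobby feature should be enabled or not
+#ENABLE_LOBBY=1
+
+# Control whether the A/V moderation should be enabled or not
+#ENABLE_AV_MODERATION=1
+
+# Show a prejoin page before entering a conference
+#ENABLE_PREJOIN_PAGE=0
+
+# Enable the welcome page
+#ENABLE_WELCOME_PAGE=1
+
+# Enable the close page
+#ENABLE_CLOSE_PAGE=0
+
+# Disable measuring of audio levels
+#DISABLE_AUDIO_LEVELS=0
+
+# Enable noisy mic detection
+#ENABLE_NOISY_MIC_DETECTION=1
+
+#
+# Let's Encrypt configuration
+#
+
+# Enable Let's Encrypt certificate generation
+#ENABLE_LETSENCRYPT=1
+
+# Domain for which to generate the certificate
+#LETSENCRYPT_DOMAIN=meet.example.com
+
+# E-Mail for receiving important account notifications (mandatory)
+#LETSENCRYPT_EMAIL=alice@atlanta.net
+
+# Use the staging server (for avoiding rate limits while testing)
+#LETSENCRYPT_USE_STAGING=1
+
+
+#
+# Etherpad integration (for document sharing)
+#
+
+# Set etherpad-lite URL in docker local network (uncomment to enable)
+#ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001
+
+# Set etherpad-lite public URL (uncomment to enable)
+#ETHERPAD_PUBLIC_URL=https://etherpad.my.domain
+
+# Name your etherpad instance!
+ETHERPAD_TITLE=Video Chat
+
+# The default text of a pad
+ETHERPAD_DEFAULT_PAD_TEXT=Welcome to Web Chat!\n\n
+
+# Name of the skin for etherpad
+ETHERPAD_SKIN_NAME=colibris
+
+# Skin variants for etherpad
+ETHERPAD_SKIN_VARIANTS=super-light-toolbar super-light-editor light-background full-width-editor
+
+
+#
+# Basic Jigasi configuration options (needed for SIP gateway support)
+#
+
+# SIP URI for incoming / outgoing calls
+#JIGASI_SIP_URI=test@sip2sip.info
+
+# Password for the specified SIP account as a clear text
+#JIGASI_SIP_PASSWORD=passw0rd
+
+# SIP server (use the SIP account domain if in doubt)
+#JIGASI_SIP_SERVER=sip2sip.info
+
+# SIP server port
+#JIGASI_SIP_PORT=5060
+
+# SIP server transport
+#JIGASI_SIP_TRANSPORT=UDP
+
+#
+# Authentication configuration (see handbook for details)
+#
+
+# Enable authentication
+#ENABLE_AUTH=1
+
+# Enable guest access
+#ENABLE_GUESTS=1
+
+# Select authentication type: internal, jwt or ldap
+#AUTH_TYPE=internal
+
+# JWT authentication
+#
+
+# Application identifier
+#JWT_APP_ID=my_jitsi_app_id
+
+# Application secret known only to your token generator
+#JWT_APP_SECRET=my_jitsi_app_secret
+
+# (Optional) Set asap_accepted_issuers as a comma separated list
+#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client
+
+# (Optional) Set asap_accepted_audiences as a comma separated list
+#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2
+
+
+# LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page)
+#
+
+# LDAP url for connection
+#LDAP_URL=ldaps://ldap.domain.com/
+
+# LDAP base DN. Can be empty
+#LDAP_BASE=DC=example,DC=domain,DC=com
+
+# LDAP user DN. Do not specify this parameter for the anonymous bind
+#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
+
+# LDAP user password. Do not specify this parameter for the anonymous bind
+#LDAP_BINDPW=LdapUserPassw0rd
+
+# LDAP filter. Tokens example:
+# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail
+# %s - %s is replaced by the complete service string
+# %r - %r is replaced by the complete realm string
+#LDAP_FILTER=(sAMAccountName=%u)
+
+# LDAP authentication method
+#LDAP_AUTH_METHOD=bind
+
+# LDAP version
+#LDAP_VERSION=3
+
+# LDAP TLS using
+#LDAP_USE_TLS=1
+
+# List of SSL/TLS ciphers to allow
+#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
+
+# Require and verify server certificate
+#LDAP_TLS_CHECK_PEER=1
+
+# Path to CA cert file. Used when server certificate verify is enabled
+#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt
+
+# Path to CA certs directory. Used when server certificate verify is enabled
+#LDAP_TLS_CACERT_DIR=/etc/ssl/certs
+
+# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps://
+# LDAP_START_TLS=1
+
+
+#
+# Advanced configuration options (you generally don't need to change these)
+#
+
+# Internal XMPP domain
+XMPP_DOMAIN=meet.jitsi
+
+# Internal XMPP server
+XMPP_SERVER=xmpp.meet.jitsi
+
+# Internal XMPP server URL
+XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280
+
+# Internal XMPP domain for authenticated services
+XMPP_AUTH_DOMAIN=auth.meet.jitsi
+
+# XMPP domain for the MUC
+XMPP_MUC_DOMAIN=muc.meet.jitsi
+
+# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools
+XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi
+
+# XMPP domain for unauthenticated users
+XMPP_GUEST_DOMAIN=guest.meet.jitsi
+
+# Comma separated list of domains for cross domain policy or "true" to allow all
+# The PUBLIC_URL is always allowed
+#XMPP_CROSS_DOMAIN=true
+
+# Custom Prosody modules for XMPP_DOMAIN (comma separated)
+XMPP_MODULES=
+
+# Custom Prosody modules for MUC component (comma separated)
+XMPP_MUC_MODULES=
+
+# Custom Prosody modules for internal MUC component (comma separated)
+XMPP_INTERNAL_MUC_MODULES=
+
+# MUC for the JVB pool
+JVB_BREWERY_MUC=jvbbrewery
+
+# XMPP user for JVB client connections
+JVB_AUTH_USER=jvb
+
+# STUN servers used to discover the server's public IP
+JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443
+
+# Media port for the Jitsi Videobridge
+JVB_PORT=10000
+
+# TCP Fallback for Jitsi Videobridge for when UDP isn't available
+JVB_TCP_HARVESTER_DISABLED=true
+JVB_TCP_PORT=4443
+JVB_TCP_MAPPED_PORT=4443
+
+# A comma separated list of APIs to enable when the JVB is started [default: none]
+# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information
+#JVB_ENABLE_APIS=rest,colibri
+
+# XMPP user for Jicofo client connections.
+# NOTE: this option doesn't currently work due to a bug
+JICOFO_AUTH_USER=focus
+
+# Base URL of Jicofo's reservation REST API
+#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com
+
+# Enable Jicofo's health check REST API (http://<jicofo_base_url>:8888/about/health)
+#JICOFO_ENABLE_HEALTH_CHECKS=true
+
+# XMPP user for Jigasi MUC client connections
+JIGASI_XMPP_USER=jigasi
+
+# MUC name for the Jigasi pool
+JIGASI_BREWERY_MUC=jigasibrewery
+
+# Minimum port for media used by Jigasi
+JIGASI_PORT_MIN=20000
+
+# Maximum port for media used by Jigasi
+JIGASI_PORT_MAX=20050
+
+# Enable SDES srtp
+#JIGASI_ENABLE_SDES_SRTP=1
+
+# Keepalive method
+#JIGASI_SIP_KEEP_ALIVE_METHOD=OPTIONS
+
+# Health-check extension
+#JIGASI_HEALTH_CHECK_SIP_URI=keepalive
+
+# Health-check interval
+#JIGASI_HEALTH_CHECK_INTERVAL=300000
+#
+# Enable Jigasi transcription
+#ENABLE_TRANSCRIPTIONS=1
+
+# Jigasi will record audio when transcriber is on [default: false]
+#JIGASI_TRANSCRIBER_RECORD_AUDIO=true
+
+# Jigasi will send transcribed text to the chat when transcriber is on [default: false]
+#JIGASI_TRANSCRIBER_SEND_TXT=true
+
+# Jigasi will post an url to the chat with transcription file [default: false]
+#JIGASI_TRANSCRIBER_ADVERTISE_URL=true
+
+# Credentials for connect to Cloud Google API from Jigasi
+# Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol
+# section "Before you begin" paragraph 1 to 5
+# Copy the values from the json to the related env vars
+#GC_PROJECT_ID=
+#GC_PRIVATE_KEY_ID=
+#GC_PRIVATE_KEY=
+#GC_CLIENT_EMAIL=
+#GC_CLIENT_ID=
+#GC_CLIENT_CERT_URL=
+
+# Enable recording
+#ENABLE_RECORDING=1
+
+# XMPP domain for the jibri recorder
+XMPP_RECORDER_DOMAIN=recorder.meet.jitsi
+
+# XMPP recorder user for Jibri client connections
+JIBRI_RECORDER_USER=recorder
+
+# Directory for recordings inside Jibri container
+JIBRI_RECORDING_DIR=/config/recordings
+
+# The finalizing script. Will run after recording is complete
+#JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh
+
+# XMPP user for Jibri client connections
+JIBRI_XMPP_USER=jibri
+
+# MUC name for the Jibri pool
+JIBRI_BREWERY_MUC=jibribrewery
+
+# MUC connection timeout
+JIBRI_PENDING_TIMEOUT=90
+
+# When jibri gets a request to start a service for a room, the room
+# jid will look like: roomName@optional.prefixes.subdomain.xmpp_domain
+# We'll build the url for the call by transforming that into:
+# https://xmpp_domain/subdomain/roomName
+# So if there are any prefixes in the jid (like jitsi meet, which
+# has its participants join a muc at conference.xmpp_domain) then
+# list that prefix here so it can be stripped out to generate
+# the call url correctly
+JIBRI_STRIP_DOMAIN_JID=muc
+
+# Directory for logs inside Jibri container
+JIBRI_LOGS_DIR=/config/logs
+
+# Configure an external TURN server
+# TURN_CREDENTIALS=secret
+# TURN_HOST=turnserver.example.com
+# TURN_PORT=443
+# TURNS_HOST=turnserver.example.com
+# TURNS_PORT=443
+
+# Disable HTTPS: handle TLS connections outside of this setup
+#DISABLE_HTTPS=1
+
+# Enable FLoC
+# Opt-In to Federated Learning of Cohorts tracking
+#ENABLE_FLOC=0
+
+# Redirect HTTP traffic to HTTPS
+# Necessary for Let's Encrypt, relies on standard HTTPS port (443)
+#ENABLE_HTTP_REDIRECT=1
+
+# Send a `strict-transport-security` header to force browsers to use
+# a secure and trusted connection. Recommended for production use.
+# Defaults to 1 (send the header).
+# ENABLE_HSTS=1
+
+# Enable IPv6
+# Provides means to disable IPv6 in environments that don't support it (get with the times, people!)
+#ENABLE_IPV6=1
+
+# Container restart policy
+# Defaults to unless-stopped
+RESTART_POLICY=unless-stopped
+
+# Authenticate using external service or just focus external auth window if there is one already.
+# TOKEN_AUTH_URL=https://auth.meet.example.com/{room}
+
+# Sentry Error Tracking
+# Sentry Data Source Name (Endpoint for Sentry project)
+# Example: https://public:private@host:port/1
+#JVB_SENTRY_DSN=
+#JICOFO_SENTRY_DSN=
+#JIGASI_SENTRY_DSN=
+
+# Optional environment info to filter events
+#SENTRY_ENVIRONMENT=production
+
+# Optional release info to filter events
+#SENTRY_RELEASE=1.0.0
+
+# Optional properties for shutdown api
+#COLIBRI_REST_ENABLED=true
+#SHUTDOWN_REST_ENABLED=true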
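Review bot: The `Security` header covers only the service-account passwords, while the user-facing switches `#ENABLE_AUTH=1` and `#ENABLE_GUESTS=1` are left commented, so who may create rooms is decided by the image defaults rather than by anything this file sets. That may be deliberate given that `web` in this commit sits on the internal `pg_bus` network behind the proxy, but the file should say so: a line such as `# Authentication is intentionally left at image defaults; access control is enforced at <WHERE: fill in>` (or uncommenting `ENABLE_AUTH=1` together with an `AUTH_TYPE`) removes the ambiguity for the next operator. `#JIGASI_SIP_PASSWORD=passw0rd` and `#LDAP_BINDPW=LdapUserPassw0rd` are clear-text example values that `gen-passwords.sh` does not rotate; a note beside each that they must be set by hand, and never left at the example value, would keep the `DO NOT reuse passwords` guidance consistent across the file. The typo `Wether` in the `LDAP_START_TLS` comment should read `Whether`.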
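--- /dev/null
+++ b/jitsi/PATH_UNKNOWN-etherpad.yml
@@ -0,0 +1,16 @@
+version: '3'
+
+services:
+# Etherpad: real-time collaborative document editing
+etherpad:
+image: etherpad/etherpad:1.8.6
+restart: ${RESTART_POLICY}
+environment:
+- TITLE=${ETHERPAD_TITLE}
+- DEFAULT_PAD_TEXT=${ETHERPAD_DEFAULT_PAD_TEXT}
+- SKIN_NAME=${ETHERPAD_SKIN_NAME}
+- SKIN_VARIANTS=${ETHERPAD_SKIN_VARIANTS}
+networks:
+meet.jitsi:
+aliases:
+- etherpad.meet.jitsi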
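Review bot: The `etherpad` service declares no `volumes:`, so whatever Etherpad stores inside the container (its pad data, presumably) is discarded when the container is removed, which the Makefile's `clean` target does via `docker-compose rm`. If pads are meant to be throwaway, a comment such as `# no volume on purpose: pads are ephemeral` makes that explicit; otherwise mount a host directory under `${CONFIG}` the way the other services in this commit do. The tag `etherpad/etherpad:1.8.6` is pinned, which is good for reproducibility but means fixes only arrive when someone bumps it, so a comment noting where the pin is reviewed would help.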
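--- /dev/null
+++ b/jitsi/gen-passwords.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+function generatePassword() {
+openssl rand -hex 16
+}
+
+JICOFO_AUTH_PASSWORD=$(generatePassword)
+JVB_AUTH_PASSWORD=$(generatePassword)
+JIGASI_XMPP_PASSWORD=$(generatePassword)
+JIBRI_RECORDER_PASSWORD=$(generatePassword)
+JIBRI_XMPP_PASSWORD=$(generatePassword)
+
+sed -i.bak \
+-e "s#JICOFO_AUTH_PASSWORD=.*#JICOFO_AUTH_PASSWORD=${JICOFO_AUTH_PASSWORD}#g" \
+-e "s#JVB_AUTH_PASSWORD=.*#JVB_AUTH_PASSWORD=${JVB_AUTH_PASSWORD}#g" \
+-e "s#JIGASI_XMPP_PASSWORD=.*#JIGASI_XMPP_PASSWORD=${JIGASI_XMPP_PASSWORD}#g" \
+-e "s#JIBRI_RECORDER_PASSWORD=.*#JIBRI_RECORDER_PASSWORD=${JIBRI_RECORDER_PASSWORD}#g" \
+-e "s#JIBRI_XMPP_PASSWORD=.*#JIBRI_XMPP_PASSWORD=${JIBRI_XMPP_PASSWORD}#g" \
+"$(dirname "$0")/.env"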
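Review bot: The script has no `set -euo pipefail`, so if `openssl` is missing or fails, `generatePassword` yields an empty string and the `sed` still runs, silently writing `JICOFO_AUTH_PASSWORD=` (and the other four) as blank values into `.env`; adding `set -euo pipefail` directly after the shebang makes the failure abort before anything is written. `sed -i.bak` also leaves `.env.bak` next to `.env`: on a re-run that file holds the previous generation of live passwords, and nothing in the script removes it. Either drop the suffix (`sed -i`, noting that GNU and BSD sed differ on the bare form) or add `rm -f "$(dirname "$0")/.env.bak"` as the last line, and consider `umask 077` at the top so a freshly rewritten `.env` is not readable by other local users. The script also assumes `.env` already exists (it is gitignored by `jitsi/*`), which the README does not mention; a `test -f ... || { echo "copy env.example to .env first" >&2; exit 1; }` guard would make the first-run error intelligible.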
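--- /dev/null
+++ b/jitsi/PATH_UNKNOWN-jibri.yml
@@ -0,0 +1,46 @@
+version: '3'
+
+services:
+jibri:
+image: jitsi/jibri:stable-6433
+restart: ${RESTART_POLICY}
+volumes:
+- ${CONFIG}/jibri:/config:Z
+- /dev/shm:/dev/shm
+cap_add:
+- SYS_ADMIN
+- NET_BIND_SERVICE
+devices:
+- /dev/snd:/dev/snd
+environment:
+- CHROMIUM_FLAGS
+- DISPLAY=:0
+- ENABLE_STATS_D
+- JIBRI_FFMPEG_AUDIO_SOURCE
+- JIBRI_FFMPEG_AUDIO_DEVICE
+- JIBRI_HTTP_API_EXTERNAL_PORT
+- JIBRI_HTTP_API_INTERNAL_PORT
+- JIBRI_RECORDING_RESOLUTION
+- JIBRI_USAGE_TIMEOUT
+- JIBRI_XMPP_USER
+- JIBRI_XMPP_PASSWORD
+- JIBRI_BREWERY_MUC
+- JIBRI_RECORDER_USER
+- JIBRI_RECORDER_PASSWORD
+- JIBRI_RECORDING_DIR
+- JIBRI_FINALIZE_RECORDING_SCRIPT_PATH
+- JIBRI_STRIP_DOMAIN_JID
+- JIBRI_LOGS_DIR
+- PUBLIC_URL
+- TZ
+- XMPP_AUTH_DOMAIN
+- XMPP_DOMAIN
+- XMPP_INTERNAL_MUC_DOMAIN
+- XMPP_RECORDER_DOMAIN
+- XMPP_SERVER
+- XMPP_TRUST_ALL_CERTS
+depends_on:
+- jicofo
+networks:
+meet.jitsi:
+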
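Review bot: `XMPP_TRUST_ALL_CERTS` is passed through to the container but has no entry in env.example in this commit, so a reader cannot tell whether Jibri is expected to verify the XMPP server's certificate or what the default is; add a commented entry to env.example (`# Whether Jibri accepts any XMPP server certificate; leave unset unless prosody presents a self-signed cert` above `#XMPP_TRUST_ALL_CERTS=`) so the knob is documented where the others live. `cap_add: SYS_ADMIN` together with the `/dev/shm` bind and the `/dev/snd` device widens this container's host access well beyond the other services; a one-line comment above `cap_add:` naming what requires it (the headless Chromium and audio capture implied by `CHROMIUM_FLAGS` and `JIBRI_FFMPEG_AUDIO_DEVICE`, presumably) stops it being removed or copied blindly. `depends_on: jicofo` refers to a service defined in a different compose file and only resolves when both files are passed together with `-f`, which neither this file nor the README states.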
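--- /dev/null
+++ b/jitsi/PATH_UNKNOWN-jigasi.yml
@@ -0,0 +1,53 @@
+version: '3'
+
+services:
+# SIP gateway (audio)
+jigasi:
+image: jitsi/jigasi:stable-6433
+restart: ${RESTART_POLICY}
+ports:
+- '${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}:${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}/udp'
+volumes:
+- ${CONFIG}/jigasi:/config:Z
+- ${CONFIG}/transcripts:/tmp/transcripts:Z
+environment:
+- ENABLE_AUTH
+- XMPP_AUTH_DOMAIN
+- XMPP_MUC_DOMAIN
+- XMPP_INTERNAL_MUC_DOMAIN
+- XMPP_SERVER
+- XMPP_DOMAIN
+- PUBLIC_URL
+- JIGASI_SIP_URI
+- JIGASI_SIP_PASSWORD
+- JIGASI_SIP_SERVER
+- JIGASI_SIP_PORT
+- JIGASI_SIP_TRANSPORT
+- JIGASI_SIP_DEFAULT_ROOM
+- JIGASI_XMPP_USER
+- JIGASI_XMPP_PASSWORD
+- JIGASI_BREWERY_MUC
+- JIGASI_PORT_MIN
+- JIGASI_PORT_MAX
+- JIGASI_HEALTH_CHECK_SIP_URI
+- JIGASI_HEALTH_CHECK_INTERVAL
+- JIGASI_SIP_KEEP_ALIVE_METHOD
+- JIGASI_ENABLE_SDES_SRTP
+- ENABLE_TRANSCRIPTIONS
+- JIGASI_TRANSCRIBER_ADVERTISE_URL
+- JIGASI_TRANSCRIBER_RECORD_AUDIO
+- JIGASI_TRANSCRIBER_SEND_TXT
+- GC_PROJECT_ID
+- GC_PRIVATE_KEY_ID
+- GC_PRIVATE_KEY
+- GC_CLIENT_EMAIL
+- GC_CLIENT_ID
+- GC_CLIENT_CERT_URL
+- SENTRY_DSN="${JIGASI_SENTRY_DSN:-0}"
+- SENTRY_ENVIRONMENT
+- SENTRY_RELEASE
+- TZ
+depends_on:
+- prosody
+networks:
+meet.jitsi: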
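Review bot: `ports:` publishes the whole `${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}` UDP range (20000-20050 in env.example) directly on the host, while the rest of the Jitsi stack in this commit publishes nothing and is reached over the internal `pg_bus` network; if SIP media legs are meant to bypass the proxy/VPN path that should be recorded in a comment (`# SIP media is published on the host on purpose; it does not go through pg_bus`), and if not, the block should be commented out the way jvb's is. `JIGASI_SIP_PASSWORD` and the `GC_PRIVATE_KEY` material are handed to the container in clear text from `.env`, and none of them are rotated by `gen-passwords.sh`, which env.example should say next to those entries. As with jibri, `depends_on: prosody` points at a service in the main compose file and only resolves when both files are loaded together.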
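--- /dev/null
+++ b/PATH_UNKNOWN/create-networks.sh
@@ -0,0 +1,4 @@
+docker network create --subnet 10.255.251.0/24 pg_opn
+docker network create --subnet 10.255.252.0/24 pg_vpn
+docker network create --internal --subnet 10.255.253.0/24 pg_bus
+docker network create --internal --subnet 10.255.254.0/24 pg_int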
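Review bot: The script has no shebang and no `set -e`, and `docker network create` exits non-zero when the network already exists, so a second run prints an error for each existing network and continues, leaving no clear signal about which of the four actually exist. Adding `#!/bin/sh` and `set -e` as the first two lines makes a genuine failure stop the script, and prefixing each line with `docker network inspect NAME >/dev/null 2>&1 ||` makes it safely re-runnable. The `--internal` flag on `pg_bus` and `pg_int` (no host egress from those networks) appears to be what the rest of the stack relies on for isolating the Jitsi services, so a one-line comment stating that intent is worth adding.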
@ -0,0 +1,62 @@
|
||||||
|
version: '3.9'
|
||||||
|
services:
|
||||||
|
lokinet:
|
||||||
|
build: lokinet
|
||||||
|
privileged: true
|
||||||
|
restart: always
|
||||||
|
environment:
|
||||||
|
- "TZ=UTC"
|
||||||
|
tty: true
|
||||||
|
tmpfs:
|
||||||
|
- /run
|
||||||
|
- /tmp
|
||||||
|
volumes:
|
||||||
|
- /sys/fs/cgroup:/sys/fs/cgroup:ro
|
||||||
|
- /sys/fs/cgroup/systemd
|
||||||
|
- ./data/lokinet:/data
|
||||||
|
- ./data/proxy/config/:/etc/squid
|
||||||
|
- ./data/proxy/logs/:/var/log/squid
|
||||||
|
- ./data/proxy/cache/:/var/spool/squid
|
||||||
|
- ./lokinet.ini:/etc/loki/lokinet.ini
|
||||||
|
- ./haproxy.cfg:/etc/haproxy/haproxy.cfg
|
||||||
|
- ./data/vpn:/certs
|
||||||
|
- ..:/repo:ro
|
||||||
|
networks:
|
||||||
|
pg_vpn:
|
||||||
|
ipv4_address: 10.255.252.253
|
||||||
|
pg_bus:
|
||||||
|
ipv4_address: 10.255.253.254
|
||||||
|
vpn:
|
||||||
|
build: vpn
|
||||||
|
privileged: true
|
||||||
|
restart: always
|
||||||
|
volumes:
|
||||||
|
- ./data/vpn:/config
|
||||||
|
networks:
|
||||||
|
pg_opn:
|
||||||
|
ipv4_address: 10.255.251.254
|
||||||
|
pg_vpn:
|
||||||
|
ipv4_address: 10.255.252.254
|
||||||
|
proxy:
|
||||||
|
build: proxy
|
||||||
|
privileged: true
|
||||||
|
environment:
|
||||||
|
- "TZ=UTC"
|
||||||
|
volumes:
|
||||||
|
- ./data/proxy/logs/:/var/log/squid
|
||||||
|
- ./data/proxy/cache/:/var/spool/squid
|
||||||
|
networks:
|
||||||
|
pg_vpn:
|
||||||
|
ipv4_address: 10.255.252.252
|
||||||
|
pg_bus:
|
||||||
|
ipv4_address: 10.255.253.252
|
||||||
|
networks:
|
||||||
|
pg_opn:
|
||||||
|
external:
|
||||||
|
name: pg_opn
|
||||||
|
pg_vpn:
|
||||||
|
external:
|
||||||
|
name: pg_vpn
|
||||||
|
pg_bus:
|
||||||
|
external:
|
||||||
|
name: pg_bus
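Review bot: All three services run with `privileged: true`, which grants every capability and host device, and the `lokinet` service additionally mounts the whole repository (`..:/repo:ro`) and the host cgroup tree into the same container that terminates public 80/443 via haproxy and runs squid and the lokinet exit. A compromise of any of those daemons therefore yields root-equivalent access to the host plus read access to every file beside these compose files, including whatever secret material is kept there. Unless the systemd-in-container setup genuinely needs more, the tunnel services should get `cap_add: [NET_ADMIN]` and `devices: ["/dev/net/tun:/dev/net/tun"]` (adding `SYS_ADMIN` only if systemd demands it), and the `/repo` mount should be narrowed to the individual files the container reads. `proxy` is also the only service without a `restart:` policy, which looks like an omission rather than a choice.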
|
|
@ -0,0 +1,118 @@
|
||||||
|
global
|
||||||
|
log /dev/log local0
|
||||||
|
log /dev/log local1 notice
|
||||||
|
chroot /var/lib/haproxy
|
||||||
|
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
|
||||||
|
stats timeout 30s
|
||||||
|
user haproxy
|
||||||
|
group haproxy
|
||||||
|
daemon
|
||||||
|
|
||||||
|
# Default SSL material locations
|
||||||
|
ca-base /etc/ssl/certs
|
||||||
|
crt-base /etc/ssl/private
|
||||||
|
|
||||||
|
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
|
||||||
|
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||||
|
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
||||||
|
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
|
||||||
|
|
||||||
|
defaults
|
||||||
|
log global
|
||||||
|
mode http
|
||||||
|
option httplog
|
||||||
|
option dontlognull
|
||||||
|
timeout connect 5000
|
||||||
|
timeout client 50000
|
||||||
|
timeout server 50000
|
||||||
|
errorfile 400 /etc/haproxy/errors/400.http
|
||||||
|
errorfile 403 /etc/haproxy/errors/403.http
|
||||||
|
errorfile 408 /etc/haproxy/errors/408.http
|
||||||
|
errorfile 500 /etc/haproxy/errors/500.http
|
||||||
|
errorfile 502 /etc/haproxy/errors/502.http
|
||||||
|
errorfile 503 /etc/haproxy/errors/503.http
|
||||||
|
errorfile 504 /etc/haproxy/errors/504.http
|
||||||
|
|
||||||
|
frontend http-in
|
||||||
|
bind :80 alpn h2,http/1.1
|
||||||
|
bind :8008 alpn h2,http/1.1
|
||||||
|
bind :443 ssl crt /certs/.acme.sh/rato.ro.eu.org/all.pem alpn h2,http/1.1
|
||||||
|
bind :8448 ssl crt /certs/.acme.sh/rato.ro.eu.org/all.pem alpn h2,http/1.1
|
||||||
|
default_backend matrix
|
||||||
|
|
||||||
|
use_backend aaa if { hdr_beg(host) -i aaa }
|
||||||
|
use_backend matrixwellknown if { path -i -m beg /.well-known/matrix }
|
||||||
|
use_backend dimension if { hdr_beg(host) -i dimension }
|
||||||
|
use_backend element if { hdr_beg(host) -i element }
|
||||||
|
use_backend fosstodon if { hdr_beg(host) -i fosstodon }
|
||||||
|
use_backend jitsi if { hdr_beg(host) -i jitsi }
|
||||||
|
use_backend keycloak if { hdr_beg(host) -i keycloak }
|
||||||
|
use_backend revolt if { hdr_beg(host) -i revolt. }
|
||||||
|
use_backend revolt-api if { hdr_beg(host) -i revolt-api }
|
||||||
|
use_backend revolt-ws if { hdr_beg(host) -i revolt-ws }
|
||||||
|
use_backend revolt-au if { hdr_beg(host) -i revolt-au }
|
||||||
|
use_backend revolt-jan if { hdr_beg(host) -i revolt-jan }
|
||||||
|
use_backend revolt-vox if { hdr_beg(host) -i revolt-vox }
|
||||||
|
use_backend site if { hdr_beg(host) -i site }
|
||||||
|
use_backend h2 if { hdr_beg(host) -i h2 }
|
||||||
|
use_backend pad if { hdr_beg(host) -i pad }
|
||||||
|
use_backend wiki if { hdr_beg(host) -i wiki }
|
||||||
|
|
||||||
|
backend aaa
|
||||||
|
server aaa 10.255.253.199:80
|
||||||
|
|
||||||
|
backend jitsi
|
||||||
|
server jitsi 10.255.253.196:80
|
||||||
|
|
||||||
|
backend keycloak
|
||||||
|
server keycloak 10.255.253.198:8080
|
||||||
|
|
||||||
|
backend matrix
|
||||||
|
server matrix 10.255.253.10:8008
|
||||||
|
|
||||||
|
backend matrixwellknown
|
||||||
|
http-response add-header Access-Control-Allow-Origin *
|
||||||
|
option forwardfor
|
||||||
|
server matrixwellknown 10.255.253.14:80
|
||||||
|
|
||||||
|
backend dimension
|
||||||
|
http-response add-header Access-Control-Allow-Origin *
|
||||||
|
option forwardfor
|
||||||
|
server dimension 10.255.253.13:8184
|
||||||
|
|
||||||
|
|
||||||
|
backend element
|
||||||
|
server element 10.255.253.12:80
|
||||||
|
|
||||||
|
backend fosstodon
|
||||||
|
server fosstodon 10.255.253.20:3001
|
||||||
|
|
||||||
|
backend revolt
|
||||||
|
server revolt 10.255.253.30:5000
|
||||||
|
|
||||||
|
backend revolt-api
|
||||||
|
server revolt-api 10.255.253.31:8000
|
||||||
|
|
||||||
|
backend revolt-ws
|
||||||
|
server revolt-ws 10.255.253.31:9000
|
||||||
|
|
||||||
|
backend revolt-au
|
||||||
|
server revolt-au 10.255.253.32:3000
|
||||||
|
|
||||||
|
backend revolt-jan
|
||||||
|
server revolt-jan 10.255.253.33:3000
|
||||||
|
|
||||||
|
backend revolt-vox
|
||||||
|
server revolt-vox 10.255.253.34:8080
|
||||||
|
|
||||||
|
backend wiki
|
||||||
|
server wiki 10.255.253.194:80
|
||||||
|
|
||||||
|
backend site
|
||||||
|
server site 10.255.253.40:80
|
||||||
|
|
||||||
|
backend pad
|
||||||
|
server pad 10.255.253.50:3000
|
||||||
|
|
||||||
|
backend h2
|
||||||
|
server h2 10.255.253.60:3000
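Review bot: The `http-in` frontend routes plaintext `:80` and `:8008` to the same backends as the TLS binds with no redirect and no `X-Forwarded-Proto`, so Matrix access tokens and Keycloak logins can be submitted in clear text and the backends cannot distinguish HTTPS from HTTP when building URLs. I would add to the frontend `http-request redirect scheme https unless { ssl_fc } or { path -i -m beg /.well-known/acme-challenge }` (the `/certs/.acme.sh` path suggests acme.sh but not which challenge type, so keep the ACME path open if HTTP-01 renewal is used), `http-request set-header X-Forwarded-Proto https if { ssl_fc }`, and move `option forwardfor` from the two backends that have it into `defaults` so Synapse rate-limiting and Keycloak logs see the client address rather than the proxy's. The `hdr_beg(host)` rules are bare prefix matches with no domain suffix, so `h2`, `pad` and `site` also capture any other hostname starting with those letters, and every unmatched host falls through to `default_backend matrix`; matching the full host (e.g. `hdr(host) -i pad.<your-domain>`) would make the routing explicit and let unknown hosts be rejected.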
|
|
@ -0,0 +1,234 @@
|
||||||
|
[router]
|
||||||
|
# Configuration for routing activity.
|
||||||
|
|
||||||
|
|
||||||
|
# Network ID; this is 'lokinet' for mainnet, 'gamma' for testnet.
|
||||||
|
#netid=lokinet
|
||||||
|
|
||||||
|
# Minimum number of routers lokinet will attempt to maintain connections to.
|
||||||
|
#min-connections=4
|
||||||
|
|
||||||
|
# Maximum number (hard limit) of routers lokinet will be connected to at any time.
|
||||||
|
#max-connections=6
|
||||||
|
|
||||||
|
# Optional directory for containing lokinet runtime data. This includes generated
|
||||||
|
# private keys.
|
||||||
|
#data-dir=/var/lib/lokinet
|
||||||
|
|
||||||
|
# The number of threads available for performing cryptographic functions.
|
||||||
|
# The minimum is one thread, but network performance may increase with more.
|
||||||
|
# threads. Should not exceed the number of logical CPU cores.
|
||||||
|
# 0 means use the number of logical CPU cores detected at startup.
|
||||||
|
#worker-threads=0
|
||||||
|
|
||||||
|
|
||||||
|
[network]
|
||||||
|
# Network settings
|
||||||
|
# Snapp settings
|
||||||
|
|
||||||
|
|
||||||
|
# Public key of a router which will act as a pinned first-hop. This may be used to
|
||||||
|
# provide a trusted router (consider that you are not fully anonymous with your
|
||||||
|
# first hop).
|
||||||
|
#strict-connect=
|
||||||
|
|
||||||
|
# The private key to persist address with. If not specified the address will be
|
||||||
|
# ephemeral.
|
||||||
|
#keyfile=
|
||||||
|
|
||||||
|
# Set the endpoint authentication mechanism.
|
||||||
|
# none/whitelist/lmq
|
||||||
|
#auth=
|
||||||
|
|
||||||
|
# lmq endpoint to talk to for authenticating new sessions
|
||||||
|
# ipc:///var/lib/lokinet/auth.socket
|
||||||
|
# tcp://127.0.0.1:5555
|
||||||
|
#auth-lmq=
|
||||||
|
|
||||||
|
# lmq function to call for authenticating new sessions
|
||||||
|
# llarp.auth
|
||||||
|
#auth-lmq-method=llarp.auth
|
||||||
|
|
||||||
|
# manually add a remote endpoint by .loki address to the access whitelist
|
||||||
|
#auth-whitelist=
|
||||||
|
|
||||||
|
# Determines whether we will publish our snapp's introset to the DHT.
|
||||||
|
#reachable=1
|
||||||
|
|
||||||
|
# Number of hops in a path. Min 1, max 8.
|
||||||
|
#hops=4
|
||||||
|
|
||||||
|
# Number of paths to maintain at any given time.
|
||||||
|
#paths=6
|
||||||
|
|
||||||
|
# Whether or not we should act as an exit node. Beware that this increases demand
|
||||||
|
# on the server and may pose liability concerns. Enable at your own risk.
|
||||||
|
#exit=0
|
||||||
|
|
||||||
|
# When in exit mode announce we allow a private range in our introsetexmaple:
|
||||||
|
# owned-range=10.0.0.0/24
|
||||||
|
#owned-range=
|
||||||
|
|
||||||
|
# List of ip traffic whitelist, anything not specified will be dropped by us.examples:
|
||||||
|
# tcp for all tcp traffic regardless of port
|
||||||
|
# 0x69 for all packets using ip protocol 0x69udp/53 for udp port 53
|
||||||
|
# tcp/smtp for smtp port
|
||||||
|
#traffic-whitelist=
|
||||||
|
|
||||||
|
# Specify a `.loki` address and an optional ip range to use as an exit broker.
|
||||||
|
# Example:
|
||||||
|
# exit-node=whatever.loki # maps all exit traffic to whatever.loki
|
||||||
|
# exit-node=stuff.loki:100.0.0.0/24 # maps 100.0.0.0/24 to stuff.loki
|
||||||
|
#exit-node=
|
||||||
|
|
||||||
|
# Specify an optional authentication code required to use a non-public exit node.
|
||||||
|
# For example:
|
||||||
|
# exit-auth=myfavouriteexit.loki:abc
|
||||||
|
# uses the authentication code `abc` whenever myfavouriteexit.loki is accessed.
|
||||||
|
# Can be specified multiple time to store codes for different exit nodes.
|
||||||
|
#exit-auth=
|
||||||
|
|
||||||
|
# Interface name for lokinet traffic. If unset lokinet will look for a free name
|
||||||
|
# lokinetN, starting at 0 (e.g. lokinet0, lokinet1, ...).
|
||||||
|
#ifname=
|
||||||
|
|
||||||
|
# Local IP and range for lokinet traffic. For example, 172.16.0.1/16 to use
|
||||||
|
# 172.16.0.1 for this machine and 172.16.x.y for remote peers. If omitted then
|
||||||
|
# lokinet will attempt to find an unused private range.
|
||||||
|
#ifaddr=
|
||||||
|
|
||||||
|
# For all ipv6 exit traffic you will use this as the base address bitwised or'd with the v4 address in use.
|
||||||
|
# To disable ipv6 set this to an empty value.
|
||||||
|
# !!! WARNING !!! Disabling ipv6 tunneling when you have ipv6 routes WILL lead to de-anonymization as lokinet will no longer carry your ipv6 traffic.
|
||||||
|
#ip6-range=fd00::
|
||||||
|
|
||||||
|
# Map a remote `.loki` address to always use a fixed local IP. For example:
|
||||||
|
# mapaddr=whatever.loki:172.16.0.10
|
||||||
|
# maps `whatever.loki` to `172.16.0.10` instead of using the next available IP.
|
||||||
|
# The given IP address must be inside the range configured by ifaddr=
|
||||||
|
#mapaddr=
|
||||||
|
|
||||||
|
# Adds a lokinet relay `.snode` address to the list of relays to avoid when
|
||||||
|
# building paths. Can be specified multiple times.
|
||||||
|
#blacklist-snode=
|
||||||
|
|
||||||
|
# Specify SRV Records for services hosted on the SNApp
|
||||||
|
# for more info see https://docs.loki.network/Lokinet/Guides/HostingSNApps/
|
||||||
|
# srv=_service._protocol priority weight port target.loki
|
||||||
|
#srv=
|
||||||
|
|
||||||
|
# time in seconds how long to wait for a path to align to pivot routers
|
||||||
|
# if not provided a sensible default will be used
|
||||||
|
#path-alignment-timeout=
|
||||||
|
|
||||||
|
# persist mapped ephemeral addresses to a file
|
||||||
|
# on restart the mappings will be loaded so that ip addresses will not be mapped to a different address
|
||||||
|
#persist-addrmap-file=/var/lib/lokinet/addrmap.dat
|
||||||
|
|
||||||
|
|
||||||
|
[paths]
|
||||||
|
# path selection algorithm options
|
||||||
|
|
||||||
|
|
||||||
|
# Netmask for router path selection; each router must be from a distinct IP subnet of the given size.
|
||||||
|
# E.g. 16 ensures that all routers are using distinct /16 IP addresses.
|
||||||
|
#unique-range-size=32
|
||||||
|
|
||||||
|
|
||||||
|
[dns]
|
||||||
|
# DNS configuration
|
||||||
|
|
||||||
|
|
||||||
|
# Upstream resolver(s) to use as fallback for non-loki addresses.
|
||||||
|
# Multiple values accepted.
|
||||||
|
upstream=10.64.0.1
|
||||||
|
|
||||||
|
# Address to bind to for handling DNS requests.
|
||||||
|
bind=127.3.2.1:53
|
||||||
|
# Add a hosts file to the dns resolver
|
||||||
|
# For use with client side dns filtering
|
||||||
|
#add-hosts=
|
||||||
|
|
||||||
|
# Can be uncommented and set to 1 to disable resolvconf configuration of lokinet DNS.
|
||||||
|
# (This is not used directly by lokinet itself, but by the lokinet init scripts
|
||||||
|
# on systems which use resolveconf)
|
||||||
|
#no-resolvconf=
|
||||||
|
|
||||||
|
|
||||||
|
[bind]
|
||||||
|
# This section specifies network interface names and/or IPs as keys, and
|
||||||
|
# ports as values to control the address(es) on which Lokinet listens for
|
||||||
|
# incoming data.
|
||||||
|
#
|
||||||
|
# Examples:
|
||||||
|
#
|
||||||
|
# eth0=1090
|
||||||
|
# 0.0.0.0=1090
|
||||||
|
# 1.2.3.4=1090
|
||||||
|
#
|
||||||
|
# The first bind to port 1090 on the network interface 'eth0'; the second binds
|
||||||
|
# to port 1090 on all local network interfaces; and the third example binds to
|
||||||
|
# port 1090 on the given IP address.
|
||||||
|
#
|
||||||
|
# If a private range IP address (or an interface with a private IP) is given, or
|
||||||
|
# if the 0.0.0.0 all-address IP is given then you must also specify the
|
||||||
|
# public-ip= and public-port= settings in the [router] section with a public
|
||||||
|
# address at which this router can be reached.
|
||||||
|
# Typically this section can be left blank: if no inbound bind addresses are
|
||||||
|
# configured then lokinet will search for a local network interface with a public
|
||||||
|
# IP address and use that (with port 1090).
|
||||||
|
|
||||||
|
|
||||||
|
# Specify a source port for **outgoing** Lokinet traffic, for example if you want to
|
||||||
|
# set up custom firewall rules based on the originating port. Typically this should
|
||||||
|
# be left unset to automatically choose random source ports.
|
||||||
|
#*=0
|
||||||
|
|
||||||
|
|
||||||
|
[api]
|
||||||
|
# JSON API settings
|
||||||
|
|
||||||
|
|
||||||
|
# Determines whether or not the LMQ JSON API is enabled. Defaults
|
||||||
|
#enabled=1
|
||||||
|
|
||||||
|
# IP address and port to bind to.
|
||||||
|
# Recommend localhost-only for security purposes.
|
||||||
|
#bind=tcp://127.0.0.1:1190
|
||||||
|
|
||||||
|
|
||||||
|
[bootstrap]
|
||||||
|
# Configure nodes that will bootstrap us onto the network
|
||||||
|
|
||||||
|
|
||||||
|
# Whether or not to run as a seed node. We will not have any bootstrap routers configured.
|
||||||
|
#seed-node=0
|
||||||
|
|
||||||
|
# Specify a bootstrap file containing a signed RouterContact of a service node
|
||||||
|
# which can act as a bootstrap. Can be specified multiple times.
|
||||||
|
#add-node=
|
||||||
|
|
||||||
|
|
||||||
|
[logging]
|
||||||
|
# logging settings
|
||||||
|
|
||||||
|
|
||||||
|
# Log type (format). Valid options are:
|
||||||
|
# file - plaintext formatting
|
||||||
|
# json - json-formatted log statements
|
||||||
|
# syslog - logs directed to syslog
|
||||||
|
#type=file
|
||||||
|
|
||||||
|
# Minimum log level to print. Logging below this level will be ignored.
|
||||||
|
# Valid log levels, in ascending order, are:
|
||||||
|
# trace
|
||||||
|
# debug
|
||||||
|
# info
|
||||||
|
# warn
|
||||||
|
# error
|
||||||
|
#level=warn
|
||||||
|
|
||||||
|
# When using type=file this is the output filename. If given the value 'stdout' or
|
||||||
|
# left empty then logging is printed as standard output rather than written to a
|
||||||
|
# file.
|
||||||
|
#file=
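Review bot: The `[dns]` section binds lokinet's resolver to `127.3.2.1:53`, but the `resolv.conf` that the lokinet Dockerfile in this commit installs points the container at `nameserver 127.0.0.1`, so unless the base image runs a forwarder on 127.0.0.1 the container's own lookups never reach lokinet and `.loki` names will not resolve from inside it; either set `bind=127.0.0.1:53` here or point resolv.conf at 127.3.2.1, and record the choice in a comment. `upstream=10.64.0.1` is only reachable through the `10.64.0.0/24` route that `routes-start` adds via the vpn container, so non-loki DNS stops working whenever that route or the tunnel is down — presumably intended (no leak to another resolver), but worth stating with `# 10.64.0.1 is reached only via the vpn container (see lokinet/routes-start); no fallback resolver on purpose`. The rest of the file is the stock template with every default commented out, which makes the three active keys hard to find; trimming it to what was actually changed would help future review.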
|
|
@ -0,0 +1,15 @@
|
||||||
|
FROM registry.oxen.rocks/lokinet-exit:latest
|
||||||
|
|
||||||
|
RUN apt-get -y update && \
|
||||||
|
apt-get -y install curl iproute2 iputils-ping tcpdump net-tools dnsutils procps squid iptables inetutils-telnet haproxy && \
|
||||||
|
apt-get -y clean && \
|
||||||
|
rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
|
EXPOSE 3128/tcp
|
||||||
|
VOLUME [/var/spool/squid /var/log/squid]
|
||||||
|
|
||||||
|
COPY routes.service /etc/systemd/system/routes.service
|
||||||
|
COPY routes-start /usr/local/bin/routes-start
|
||||||
|
COPY resolv.conf /etc/resolv.conf
|
||||||
|
RUN chmod +x /usr/local/bin/routes-start
|
||||||
|
RUN systemctl enable routes.service
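Review bot: `COPY resolv.conf /etc/resolv.conf` is masked at runtime, because Docker bind-mounts its own `/etc/resolv.conf` into every container, so the baked-in `nameserver 127.0.0.1` never takes effect; set `dns:` on the compose service (or have `routes-start` write the file at boot) instead. The base is pulled as `registry.oxen.rocks/lokinet-exit:latest` from a third-party registry with no digest, so each rebuild of this privileged, TLS-terminating container trusts whatever that tag resolves to that day — pin it as `FROM registry.oxen.rocks/lokinet-exit:<tag>@sha256:<digest>`. `VOLUME [/var/spool/squid /var/log/squid]` is not valid JSON (unquoted strings), so Docker is likely to fall back to plain-text parsing and create volumes at `[/var/spool/squid` and `/var/log/squid]`; write `VOLUME ["/var/spool/squid", "/var/log/squid"]`. The debugging tools (`tcpdump`, `inetutils-telnet`, `net-tools`) add attack surface to an exit/proxy container and are better installed ad hoc when needed.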
|
|
@ -0,0 +1 @@
|
||||||
|
nameserver 127.0.0.1
|
|
@ -0,0 +1,4 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#route del -net default
|
||||||
|
route add -net 10.64.0.0/24 gw 10.255.252.254
|
||||||
|
#route add -net default gw 10.255.252.254
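Review bot: Only `10.64.0.0/24` is steered through the vpn container; the default-route lines are commented out, so every other outbound flow from this container — lokinet exit traffic, squid's upstream fetches, haproxy's own connections — leaves via Docker's `pg_vpn` gateway and the host's own address, not via the VPN. If the intent of the VPN service is that this container's egress is tunnelled, the commented lines need to become `ip route replace default via 10.255.252.254` (with a host route kept direct for whatever lokinet needs to reach before the tunnel is up); if the current behaviour is deliberate, a comment such as `# only the VPN's DNS range is tunnelled; all other egress goes out the host` would stop the next reader assuming otherwise. `route` (net-tools) is deprecated and the same line is clearer as `ip route add 10.64.0.0/24 via 10.255.252.254`; adding `set -e` keeps a failure visible if more commands are appended later.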
|
|
@ -0,0 +1,7 @@
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
RemainAfterExit=yes
|
||||||
|
ExecStart=/bin/bash /usr/local/bin/routes-start
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
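Review bot: The unit has no `[Unit]` section, so there is no description and no ordering against the network; inside a Docker network namespace the interface is normally configured before PID 1 starts, so this may never bite, but the assumption should be explicit: `[Unit]` with `Description=Add static route to the vpn container` and `After=network-online.target` / `Wants=network-online.target`. `ExecStart=/bin/bash /usr/local/bin/routes-start` also bypasses the shebang and the `chmod +x` the Dockerfile performs; `ExecStart=/usr/local/bin/routes-start` is sufficient.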
|
|
@ -0,0 +1,20 @@
|
||||||
|
FROM debian
|
||||||
|
|
||||||
|
RUN apt-get -y update && \
|
||||||
|
apt-get -y install curl dbus && \
|
||||||
|
curl -L -o mullvad.deb https://mullvad.net/download/app/deb/latest && \
|
||||||
|
apt-get -y install ./mullvad.deb && \
|
||||||
|
rm -f mullvad.deb && \
|
||||||
|
apt-get -y clean && \
|
||||||
|
rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
|
|
||||||
|
RUN apt-get -y update && \
|
||||||
|
apt-get -y install iputils-ping tcpdump net-tools dnsutils procps iptables git iproute2 && \
|
||||||
|
apt-get -y clean && \
|
||||||
|
rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
|
VOLUME /config
|
||||||
|
|
||||||
|
ADD my_init /
|
||||||
|
CMD ["/my_init"]
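Review bot: The Mullvad package is fetched through a redirecting `latest` URL and installed with no integrity check, and `FROM debian` is unpinned, so every rebuild of the container that holds the VPN account (`/config`) installs whatever bytes those two endpoints serve that day. Mullvad publishes PGP signatures for its release packages (see their download page); fetch the signature next to the `.deb`, `gpg --verify` it against the Mullvad code-signing key before `apt-get install ./mullvad.deb`, and use `curl -fsSL` so a 4xx/5xx response fails the build instead of leaving an HTML page named `mullvad.deb`. Pin the base as `FROM debian:<codename>@sha256:<digest>`. `ADD my_init /` should be `COPY my_init /` (ADD's URL and archive-extraction semantics are not wanted here), and the script needs its executable bit preserved or a `RUN chmod +x /my_init`, as the lokinet Dockerfile does for `routes-start`.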
|
|
@ -0,0 +1,40 @@
|
||||||
|
## Image
|
||||||
|
|
||||||
|
Docker image of [mullvad](https://mullvad.net/en/)
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Start container:
|
||||||
|
|
||||||
|
```
|
||||||
|
docker run -d \
|
||||||
|
--name mullvad_vpn \
|
||||||
|
--restart=always \
|
||||||
|
--privileged \
|
||||||
|
-v mullvad_config:/config \
|
||||||
|
oblique/mullvad
|
||||||
|
```
|
||||||
|
|
||||||
|
The first time you need to configure your mullvad client:
|
||||||
|
|
||||||
|
```
|
||||||
|
docker exec -it mullvad_vpn bash
|
||||||
|
mullvad relay set tunnel-protocol wireguard
|
||||||
|
mullvad always-require-vpn set on
|
||||||
|
mullvad auto-connect set on
|
||||||
|
mullvad account set [ID]
|
||||||
|
mullvad connect
|
||||||
|
```
|
||||||
|
|
||||||
|
## Use VPN from another container
|
||||||
|
|
||||||
|
For `docker run`, use `--net=container:mullvad_vpn`, for example:
|
||||||
|
|
||||||
|
```
|
||||||
|
docker run -it --rm --net=container:mullvad_vpn alpine
|
||||||
|
```
|
||||||
|
|
||||||
|
For `docker-compose`, check my [vpn-example].
|
||||||
|
|
||||||
|
|
||||||
|
[vpn-example]: https://github.com/oblique/dockerfiles/tree/master/composefiles/vpn-example
|
|
@ -0,0 +1,5 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
export MULLVAD_SETTINGS_DIR=/config
|
||||||
|
iptables -t nat -A POSTROUTING -j MASQUERADE
|
||||||
|
exec /opt/Mullvad\ VPN/resources/mullvad-daemon -v
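Review bot: `iptables -t nat -A POSTROUTING -j MASQUERADE` has no `-o` interface and no `-s` source match, so this container masquerades anything it forwards from any attached network — including the non-internal `pg_opn` — out of any interface, not only the Mullvad tunnel. If the `always-require-vpn` lockdown the README applies only governs the daemon's own traffic and not forwarded packets, a tunnel outage would let routed traffic from `pg_vpn` leave via the host's address in the clear; confirm how the daemon's firewall treats forwarded traffic. Restrict the rule to what is meant, e.g. `iptables -t nat -A POSTROUTING -s 10.255.252.0/24 -o <mullvad tunnel interface> -j MASQUERADE`, and add a FORWARD-chain default drop for everything else. Nothing here enables `net.ipv4.ip_forward`; if the Mullvad daemon does not set it, forwarding silently never happens, which deserves a comment either way.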
|
|
@ -0,0 +1,72 @@
|
||||||
|
version: '3'
|
||||||
|
services:
|
||||||
|
synapse:
|
||||||
|
container_name: synapse
|
||||||
|
hostname: piorgeracao.loki
|
||||||
|
image: matrixdotorg/synapse:latest
|
||||||
|
restart: always
|
||||||
|
environment:
|
||||||
|
- SYNAPSE_SERVER_NAME=urchcno5rea4njyb7niytdekqw87x55x9q77a1gba9tqkbznw67y.loki
|
||||||
|
- SYNAPSE_REPORT_STATS=yes
|
||||||
|
- SYNAPSE_NO_TLS=1
|
||||||
|
- SYNAPSE_ENABLE_REGISTRATION=yes
|
||||||
|
# - SYNAPSE_CONFIG_PATH=/config
|
||||||
|
- SYNAPSE_LOG_LEVEL=DEBUG
|
||||||
|
# - SYNAPSE_REGISTRATION_SHARED_SECRET=${REG_SHARED_SECRET}
|
||||||
|
- POSTGRES_DB=synapse
|
||||||
|
- POSTGRES_HOST=synapse_db
|
||||||
|
- POSTGRES_USER=postgres
|
||||||
|
- POSTGRES_PASSWORD=postgres
|
||||||
|
volumes:
|
||||||
|
- ./data/synapse:/data
|
||||||
|
depends_on:
|
||||||
|
- synapse_db
|
||||||
|
# In order to expose Synapse, remove one of the following, you might for
|
||||||
|
# instance expose the TLS port directly:
|
||||||
|
# ports:
|
||||||
|
# - 8448:8448/tcp
|
||||||
|
networks:
|
||||||
|
pg_bus:
|
||||||
|
ipv4_address: 10.255.253.10
|
||||||
|
synapse_db:
|
||||||
|
image: docker.io/postgres:10-alpine
|
||||||
|
restart: always
|
||||||
|
environment:
|
||||||
|
- POSTGRES_DB=synapse
|
||||||
|
- POSTGRES_USER=postgres
|
||||||
|
- POSTGRES_PASSWORD=postgres
|
||||||
|
volumes:
|
||||||
|
- ./data/postgres:/var/lib/postgresql/data
|
||||||
|
networks:
|
||||||
|
pg_bus:
|
||||||
|
ipv4_address: 10.255.253.11
|
||||||
|
element:
|
||||||
|
image: vectorim/element-web
|
||||||
|
restart: always
|
||||||
|
volumes:
|
||||||
|
- ./data/element/config.json:/app/config.json
|
||||||
|
networks:
|
||||||
|
pg_bus:
|
||||||
|
ipv4_address: 10.255.253.12
|
||||||
|
dimension:
|
||||||
|
image: turt2live/matrix-dimension
|
||||||
|
restart: always
|
||||||
|
volumes:
|
||||||
|
- ./data/dimension:/data
|
||||||
|
extra_hosts:
|
||||||
|
urchcno5rea4njyb7niytdekqw87x55x9q77a1gba9tqkbznw67y.loki: 10.255.253.254
|
||||||
|
networks:
|
||||||
|
pg_bus:
|
||||||
|
ipv4_address: 10.255.253.13
|
||||||
|
web:
|
||||||
|
image: nginx
|
||||||
|
volumes:
|
||||||
|
- ./data/wellknown:/usr/share/nginx/html
|
||||||
|
restart: always
|
||||||
|
networks:
|
||||||
|
pg_bus:
|
||||||
|
ipv4_address: 10.255.253.14
|
||||||
|
networks:
|
||||||
|
pg_bus:
|
||||||
|
external:
|
||||||
|
name: pg_bus
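Review bot: The database credentials are the literal defaults (`POSTGRES_USER=postgres` / `POSTGRES_PASSWORD=postgres`) committed in the compose file, and the database is reachable from every container on `pg_bus`; move them to an env file or Docker secret with a generated password. `SYNAPSE_ENABLE_REGISTRATION=yes` enables open sign-up on a homeserver that the haproxy config in this commit exposes on public 443/8448, which is the usual route to spam-room abuse — gate registration with the commented-out `SYNAPSE_REGISTRATION_SHARED_SECRET` or a CAPTCHA/registration token, and drop `SYNAPSE_LOG_LEVEL=DEBUG` outside troubleshooting, since debug logs may contain request detail you do not want retained on disk. `postgres:10-alpine` is end-of-life, and Synapse expects a database created with `C` collation and UTF-8 encoding, which this service does not request; add `POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C` (effective only on a fresh `./data/postgres`). `matrixdotorg/synapse:latest`, `vectorim/element-web` and `turt2live/matrix-dimension` are all unpinned tags on an internet-facing deployment.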
|