Initial
commit
c783770b5f
@ -0,0 +1,15 @@
|
|||
yggdrasil
|
||||
wiki
|
||||
site
|
||||
revolt
|
||||
proxy
|
||||
ldap
|
||||
hedgedoc
|
||||
h2
|
||||
fosstodon
|
||||
*/data
|
||||
jitsi/*
|
||||
!jitsi/*.yml
|
||||
!jitsi/env.example
|
||||
!jitsi/Makefile
|
||||
!jitsi/gen-passwords.sh
|
|
@ -0,0 +1,6 @@
|
|||
# MilkToastHoney
|
||||
|
||||
1. Entrar na pasta master e executar o script `create-networks.sh` para criar as redes.
|
||||
2. Executar o docker-compose da pasta master para levantar os serviços de: Lokinet, VPN e Proxy
|
||||
3. Entrar na pasta Matrix e levantar o serviço (provavelmente será necessário baixar e levantar uma vez por causa das configurações geradas)
|
||||
4. Entrar na pasta jitsi e levantar o serviço
|
|
@ -0,0 +1,42 @@
|
|||
FORCE_REBUILD ?= 0
|
||||
JITSI_RELEASE ?= stable
|
||||
JITSI_BUILD ?= latest
|
||||
JITSI_REPO ?= jitsi
|
||||
JITSI_SERVICES ?= base base-java web prosody jicofo jvb jigasi jibri
|
||||
|
||||
BUILD_ARGS := --build-arg JITSI_REPO=$(JITSI_REPO) --build-arg JITSI_RELEASE=$(JITSI_RELEASE)
|
||||
ifeq ($(FORCE_REBUILD), 1)
|
||||
BUILD_ARGS := $(BUILD_ARGS) --no-cache
|
||||
endif
|
||||
|
||||
|
||||
all: build-all
|
||||
|
||||
release: tag-all push-all
|
||||
|
||||
build:
|
||||
docker build $(BUILD_ARGS) --progress plain --tag $(JITSI_REPO)/$(JITSI_SERVICE) $(JITSI_SERVICE)/
|
||||
|
||||
$(addprefix build_,$(JITSI_SERVICES)):
|
||||
$(MAKE) --no-print-directory JITSI_SERVICE=$(patsubst build_%,%,$@) build
|
||||
|
||||
tag:
|
||||
docker tag $(JITSI_REPO)/$(JITSI_SERVICE):latest $(JITSI_REPO)/$(JITSI_SERVICE):$(JITSI_BUILD)
|
||||
|
||||
push:
|
||||
docker push $(JITSI_REPO)/$(JITSI_SERVICE):latest
|
||||
docker push $(JITSI_REPO)/$(JITSI_SERVICE):$(JITSI_BUILD)
|
||||
|
||||
%-all:
|
||||
@$(foreach SERVICE, $(JITSI_SERVICES), $(MAKE) --no-print-directory JITSI_SERVICE=$(SERVICE) $(subst -all,;,$@))
|
||||
|
||||
clean:
|
||||
docker-compose stop
|
||||
docker-compose rm
|
||||
docker network prune
|
||||
|
||||
prepare:
|
||||
docker pull debian:buster-slim
|
||||
FORCE_REBUILD=1 $(MAKE)
|
||||
|
||||
.PHONY: all build tag push clean prepare release $(addprefix build_,$(JITSI_SERVICES))
|
|
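Review bot: The `clean` recipe's `docker network prune` is host-wide — it removes every unused network on the daemon, not just this project's, including the `pg_bus` network this stack declares as external — and both it and `docker-compose rm` prompt for confirmation, so `make clean` blocks under a non-interactive shell. Replacing the three lines with `docker-compose down` (or `docker-compose rm -f` and dropping the prune) keeps the target scoped to this compose project. The `.PHONY` list also omits the `build-all`, `tag-all` and `push-all` goals that `all` and `release` depend on; a pattern rule cannot be marked phony, but the concrete names can, e.g. `.PHONY: ... $(addsuffix -all,build tag push)`, so a stray file named `build-all` cannot make `all` a no-op.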
@ -0,0 +1,299 @@
|
|||
version: '3'
|
||||
|
||||
services:
|
||||
web:
|
||||
image: jitsi/web:stable-6433
|
||||
restart: always
|
||||
volumes:
|
||||
- ${CONFIG}/web:/config:Z
|
||||
- ${CONFIG}/web/crontabs:/var/spool/cron/crontabs:Z
|
||||
- ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
|
||||
environment:
|
||||
- AMPLITUDE_ID
|
||||
- ANALYTICS_SCRIPT_URLS
|
||||
- ANALYTICS_WHITELISTED_EVENTS
|
||||
- CALLSTATS_CUSTOM_SCRIPT_URL
|
||||
- CALLSTATS_ID
|
||||
- CALLSTATS_SECRET
|
||||
- CHROME_EXTENSION_BANNER_JSON
|
||||
- CONFCODE_URL
|
||||
- CONFIG_EXTERNAL_CONNECT
|
||||
- DEFAULT_LANGUAGE
|
||||
- DEPLOYMENTINFO_ENVIRONMENT
|
||||
- DEPLOYMENTINFO_ENVIRONMENT_TYPE
|
||||
- DEPLOYMENTINFO_REGION
|
||||
- DEPLOYMENTINFO_SHARD
|
||||
- DEPLOYMENTINFO_USERREGION
|
||||
- DESKTOP_SHARING_FRAMERATE_MIN
|
||||
- DESKTOP_SHARING_FRAMERATE_MAX
|
||||
- DIALIN_NUMBERS_URL
|
||||
- DIALOUT_AUTH_URL
|
||||
- DIALOUT_CODES_URL
|
||||
- DISABLE_AUDIO_LEVELS
|
||||
- DISABLE_DEEP_LINKING
|
||||
- DISABLE_HTTPS
|
||||
- DISABLE_POLLS
|
||||
- DISABLE_REACTIONS
|
||||
- DROPBOX_APPKEY
|
||||
- DROPBOX_REDIRECT_URI
|
||||
- DYNAMIC_BRANDING_URL
|
||||
- ENABLE_AUDIO_PROCESSING
|
||||
- ENABLE_AUTH
|
||||
- ENABLE_CALENDAR
|
||||
- ENABLE_COLIBRI_WEBSOCKET
|
||||
- ENABLE_FILE_RECORDING_SERVICE
|
||||
- ENABLE_FILE_RECORDING_SERVICE_SHARING
|
||||
- ENABLE_FLOC
|
||||
- ENABLE_GUESTS
|
||||
- ENABLE_HSTS
|
||||
- ENABLE_HTTP_REDIRECT
|
||||
- ENABLE_IPV6
|
||||
- ENABLE_LETSENCRYPT
|
||||
- ENABLE_LIPSYNC
|
||||
- ENABLE_NO_AUDIO_DETECTION
|
||||
- ENABLE_NOISY_MIC_DETECTION
|
||||
- ENABLE_PREJOIN_PAGE
|
||||
- ENABLE_P2P
|
||||
- ENABLE_WELCOME_PAGE
|
||||
- ENABLE_CLOSE_PAGE
|
||||
- ENABLE_RECORDING
|
||||
- ENABLE_REMB
|
||||
- ENABLE_REQUIRE_DISPLAY_NAME
|
||||
- ENABLE_SIMULCAST
|
||||
- ENABLE_STATS_ID
|
||||
- ENABLE_STEREO
|
||||
- ENABLE_SUBDOMAINS
|
||||
- ENABLE_TALK_WHILE_MUTED
|
||||
- ENABLE_TCC
|
||||
- ENABLE_TRANSCRIPTIONS
|
||||
- ENABLE_XMPP_WEBSOCKET
|
||||
- ETHERPAD_PUBLIC_URL
|
||||
- ETHERPAD_URL_BASE
|
||||
- GOOGLE_ANALYTICS_ID
|
||||
- GOOGLE_API_APP_CLIENT_ID
|
||||
- INVITE_SERVICE_URL
|
||||
- JICOFO_AUTH_USER
|
||||
- LETSENCRYPT_DOMAIN
|
||||
- LETSENCRYPT_EMAIL
|
||||
- LETSENCRYPT_USE_STAGING
|
||||
- MATOMO_ENDPOINT
|
||||
- MATOMO_SITE_ID
|
||||
- MICROSOFT_API_APP_CLIENT_ID
|
||||
- NGINX_RESOLVER
|
||||
- NGINX_WORKER_PROCESSES
|
||||
- NGINX_WORKER_CONNECTIONS
|
||||
- PEOPLE_SEARCH_URL
|
||||
- PUBLIC_URL
|
||||
- P2P_PREFERRED_CODEC
|
||||
- RESOLUTION
|
||||
- RESOLUTION_MIN
|
||||
- RESOLUTION_WIDTH
|
||||
- RESOLUTION_WIDTH_MIN
|
||||
- START_AUDIO_MUTED
|
||||
- START_AUDIO_ONLY
|
||||
- START_BITRATE
|
||||
- START_SILENT
|
||||
- START_WITH_AUDIO_MUTED
|
||||
- START_VIDEO_MUTED
|
||||
- START_WITH_VIDEO_MUTED
|
||||
- TESTING_CAP_SCREENSHARE_BITRATE
|
||||
- TESTING_OCTO_PROBABILITY
|
||||
- TOKEN_AUTH_URL
|
||||
- TZ
|
||||
- VIDEOQUALITY_BITRATE_H264_LOW
|
||||
- VIDEOQUALITY_BITRATE_H264_STANDARD
|
||||
- VIDEOQUALITY_BITRATE_H264_HIGH
|
||||
- VIDEOQUALITY_BITRATE_VP8_LOW
|
||||
- VIDEOQUALITY_BITRATE_VP8_STANDARD
|
||||
- VIDEOQUALITY_BITRATE_VP8_HIGH
|
||||
- VIDEOQUALITY_BITRATE_VP9_LOW
|
||||
- VIDEOQUALITY_BITRATE_VP9_STANDARD
|
||||
- VIDEOQUALITY_BITRATE_VP9_HIGH
|
||||
- VIDEOQUALITY_ENFORCE_PREFERRED_CODEC
|
||||
- VIDEOQUALITY_PREFERRED_CODEC
|
||||
- XMPP_AUTH_DOMAIN
|
||||
- XMPP_BOSH_URL_BASE
|
||||
- XMPP_DOMAIN
|
||||
- XMPP_GUEST_DOMAIN
|
||||
- XMPP_MUC_DOMAIN
|
||||
- XMPP_RECORDER_DOMAIN
|
||||
networks:
|
||||
meet.jitsi:
|
||||
pg_bus:
|
||||
ipv4_address: 10.255.253.196
|
||||
|
||||
# XMPP server
|
||||
prosody:
|
||||
image: jitsi/prosody:stable-6433
|
||||
restart: ${RESTART_POLICY}
|
||||
expose:
|
||||
- '5222'
|
||||
- '5347'
|
||||
- '5280'
|
||||
volumes:
|
||||
- ${CONFIG}/prosody/config:/config:Z
|
||||
- ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z
|
||||
environment:
|
||||
- AUTH_TYPE
|
||||
- DISABLE_POLLS
|
||||
- ENABLE_AUTH
|
||||
- ENABLE_AV_MODERATION
|
||||
- ENABLE_GUESTS
|
||||
- ENABLE_LOBBY
|
||||
- ENABLE_XMPP_WEBSOCKET
|
||||
- GLOBAL_CONFIG
|
||||
- GLOBAL_MODULES
|
||||
- JIBRI_RECORDER_USER
|
||||
- JIBRI_RECORDER_PASSWORD
|
||||
- JIBRI_XMPP_USER
|
||||
- JIBRI_XMPP_PASSWORD
|
||||
- JICOFO_AUTH_USER
|
||||
- JICOFO_AUTH_PASSWORD
|
||||
- JICOFO_COMPONENT_SECRET
|
||||
- JIGASI_XMPP_USER
|
||||
- JIGASI_XMPP_PASSWORD
|
||||
- JVB_AUTH_USER
|
||||
- JVB_AUTH_PASSWORD
|
||||
- JWT_APP_ID
|
||||
- JWT_APP_SECRET
|
||||
- JWT_ACCEPTED_ISSUERS
|
||||
- JWT_ACCEPTED_AUDIENCES
|
||||
- JWT_ASAP_KEYSERVER
|
||||
- JWT_ALLOW_EMPTY
|
||||
- JWT_AUTH_TYPE
|
||||
- JWT_TOKEN_AUTH_MODULE
|
||||
- LOG_LEVEL
|
||||
- LDAP_AUTH_METHOD
|
||||
- LDAP_BASE
|
||||
- LDAP_BINDDN
|
||||
- LDAP_BINDPW
|
||||
- LDAP_FILTER
|
||||
- LDAP_VERSION
|
||||
- LDAP_TLS_CIPHERS
|
||||
- LDAP_TLS_CHECK_PEER
|
||||
- LDAP_TLS_CACERT_FILE
|
||||
- LDAP_TLS_CACERT_DIR
|
||||
- LDAP_START_TLS
|
||||
- LDAP_URL
|
||||
- LDAP_USE_TLS
|
||||
- PUBLIC_URL
|
||||
- TURN_CREDENTIALS
|
||||
- TURN_HOST
|
||||
- TURNS_HOST
|
||||
- TURN_PORT
|
||||
- TURNS_PORT
|
||||
- TZ
|
||||
- XMPP_DOMAIN
|
||||
- XMPP_AUTH_DOMAIN
|
||||
- XMPP_GUEST_DOMAIN
|
||||
- XMPP_MUC_DOMAIN
|
||||
- XMPP_INTERNAL_MUC_DOMAIN
|
||||
- XMPP_MODULES
|
||||
- XMPP_MUC_MODULES
|
||||
- XMPP_INTERNAL_MUC_MODULES
|
||||
- XMPP_RECORDER_DOMAIN
|
||||
- XMPP_CROSS_DOMAIN
|
||||
networks:
|
||||
meet.jitsi:
|
||||
aliases:
|
||||
- ${XMPP_SERVER}
|
||||
|
||||
# Focus component
|
||||
jicofo:
|
||||
image: jitsi/jicofo:stable-6433
|
||||
restart: ${RESTART_POLICY}
|
||||
volumes:
|
||||
- ${CONFIG}/jicofo:/config:Z
|
||||
environment:
|
||||
- AUTH_TYPE
|
||||
- BRIDGE_AVG_PARTICIPANT_STRESS
|
||||
- BRIDGE_STRESS_THRESHOLD
|
||||
- ENABLE_AUTH
|
||||
- ENABLE_AUTO_OWNER
|
||||
- ENABLE_CODEC_VP8
|
||||
- ENABLE_CODEC_VP9
|
||||
- ENABLE_CODEC_H264
|
||||
- ENABLE_OCTO
|
||||
- ENABLE_RECORDING
|
||||
- ENABLE_SCTP
|
||||
- ENABLE_AUTO_LOGIN
|
||||
- JICOFO_AUTH_USER
|
||||
- JICOFO_AUTH_PASSWORD
|
||||
- JICOFO_ENABLE_BRIDGE_HEALTH_CHECKS
|
||||
- JICOFO_CONF_INITIAL_PARTICIPANT_WAIT_TIMEOUT
|
||||
- JICOFO_CONF_SINGLE_PARTICIPANT_TIMEOUT
|
||||
- JICOFO_ENABLE_HEALTH_CHECKS
|
||||
- JICOFO_SHORT_ID
|
||||
- JICOFO_RESERVATION_ENABLED
|
||||
- JICOFO_RESERVATION_REST_BASE_URL
|
||||
- JIBRI_BREWERY_MUC
|
||||
- JIBRI_REQUEST_RETRIES
|
||||
- JIBRI_PENDING_TIMEOUT
|
||||
- JIGASI_BREWERY_MUC
|
||||
- JIGASI_SIP_URI
|
||||
- JVB_BREWERY_MUC
|
||||
- MAX_BRIDGE_PARTICIPANTS
|
||||
- OCTO_BRIDGE_SELECTION_STRATEGY
|
||||
- SENTRY_DSN="${JICOFO_SENTRY_DSN:-0}"
|
||||
- SENTRY_ENVIRONMENT
|
||||
- SENTRY_RELEASE
|
||||
- TZ
|
||||
- XMPP_DOMAIN
|
||||
- XMPP_AUTH_DOMAIN
|
||||
- XMPP_INTERNAL_MUC_DOMAIN
|
||||
- XMPP_MUC_DOMAIN
|
||||
- XMPP_SERVER
|
||||
depends_on:
|
||||
- prosody
|
||||
networks:
|
||||
meet.jitsi:
|
||||
|
||||
# Video bridge
|
||||
jvb:
|
||||
image: jitsi/jvb:stable-6433
|
||||
restart: ${RESTART_POLICY}
|
||||
# ports:
|
||||
# - '${JVB_PORT}:${JVB_PORT}/udp'
|
||||
# - '${JVB_TCP_PORT}:${JVB_TCP_PORT}'
|
||||
volumes:
|
||||
- ${CONFIG}/jvb:/config:Z
|
||||
environment:
|
||||
- DOCKER_HOST_ADDRESS
|
||||
- ENABLE_COLIBRI_WEBSOCKET
|
||||
- ENABLE_OCTO
|
||||
- JVB_AUTH_USER
|
||||
- JVB_AUTH_PASSWORD
|
||||
- JVB_BREWERY_MUC
|
||||
- JVB_PORT
|
||||
- JVB_TCP_HARVESTER_DISABLED
|
||||
- JVB_TCP_PORT
|
||||
- JVB_TCP_MAPPED_PORT
|
||||
- JVB_STUN_SERVERS
|
||||
- JVB_ENABLE_APIS
|
||||
- JVB_OCTO_BIND_ADDRESS
|
||||
- JVB_OCTO_PUBLIC_ADDRESS
|
||||
- JVB_OCTO_BIND_PORT
|
||||
- JVB_OCTO_REGION
|
||||
- JVB_WS_DOMAIN
|
||||
- JVB_WS_SERVER_ID
|
||||
- PUBLIC_URL
|
||||
- SENTRY_DSN="${JVB_SENTRY_DSN:-0}"
|
||||
- SENTRY_ENVIRONMENT
|
||||
- SENTRY_RELEASE
|
||||
- COLIBRI_REST_ENABLED
|
||||
- SHUTDOWN_REST_ENABLED
|
||||
- TZ
|
||||
- XMPP_AUTH_DOMAIN
|
||||
- XMPP_INTERNAL_MUC_DOMAIN
|
||||
- XMPP_SERVER
|
||||
depends_on:
|
||||
- prosody
|
||||
networks:
|
||||
meet.jitsi:
|
||||
|
||||
# Custom network so all services can communicate using a FQDN
|
||||
networks:
|
||||
meet.jitsi:
|
||||
pg_bus:
|
||||
external:
|
||||
name: pg_bus
|
|
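Review bot: The `web` service sets `restart: always` while `prosody`, `jicofo` and `jvb` use `restart: ${RESTART_POLICY}`, so the `RESTART_POLICY=unless-stopped` default from env.example never applies to the front end and a deliberately stopped web container is restarted on daemon restart; `restart: ${RESTART_POLICY}` keeps the four services in step. `web` is also the only service in this file with a static `ipv4_address` (`10.255.253.196`) on the external `pg_bus` network, and nothing here says who depends on it — presumably the haproxy instance mounted into the `lokinet` container in the master compose file — so a comment naming that consumer, e.g. `# fixed address: referenced by master/haproxy.cfg backend`, would stop it being reassigned by accident. Images are pinned by tag (`stable-6433`) rather than by digest; that is reproducible enough for now, but a tag can be moved, so recording the digest next to the tag is worth considering for the supply-chain side.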
@ -0,0 +1,409 @@
|
|||
# shellcheck disable=SC2034
|
||||
|
||||
# Security
|
||||
#
|
||||
# Set these to strong passwords to avoid intruders from impersonating a service account
|
||||
# The service(s) won't start unless these are specified
|
||||
# Running ./gen-passwords.sh will update .env with strong passwords
|
||||
# You may skip the Jigasi and Jibri passwords if you are not using those
|
||||
# DO NOT reuse passwords
|
||||
#
|
||||
|
||||
# XMPP password for Jicofo client connections
|
||||
JICOFO_AUTH_PASSWORD=
|
||||
|
||||
# XMPP password for JVB client connections
|
||||
JVB_AUTH_PASSWORD=
|
||||
|
||||
# XMPP password for Jigasi MUC client connections
|
||||
JIGASI_XMPP_PASSWORD=
|
||||
|
||||
# XMPP recorder password for Jibri client connections
|
||||
JIBRI_RECORDER_PASSWORD=
|
||||
|
||||
# XMPP password for Jibri client connections
|
||||
JIBRI_XMPP_PASSWORD=
|
||||
|
||||
|
||||
#
|
||||
# Basic configuration options
|
||||
#
|
||||
|
||||
# Directory where all configuration will be stored
|
||||
CONFIG=~/.jitsi-meet-cfg
|
||||
|
||||
# Exposed HTTP port
|
||||
HTTP_PORT=8000
|
||||
|
||||
# Exposed HTTPS port
|
||||
HTTPS_PORT=8443
|
||||
|
||||
# System time zone
|
||||
TZ=UTC
|
||||
|
||||
# Public URL for the web service (required)
|
||||
#PUBLIC_URL=https://meet.example.com
|
||||
|
||||
# IP address of the Docker host
|
||||
# See the "Running behind NAT or on a LAN environment" section in the Handbook:
|
||||
# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment
|
||||
#DOCKER_HOST_ADDRESS=192.168.1.1
|
||||
|
||||
# Control whether the lobby feature should be enabled or not
|
||||
#ENABLE_LOBBY=1
|
||||
|
||||
# Control whether the A/V moderation should be enabled or not
|
||||
#ENABLE_AV_MODERATION=1
|
||||
|
||||
# Show a prejoin page before entering a conference
|
||||
#ENABLE_PREJOIN_PAGE=0
|
||||
|
||||
# Enable the welcome page
|
||||
#ENABLE_WELCOME_PAGE=1
|
||||
|
||||
# Enable the close page
|
||||
#ENABLE_CLOSE_PAGE=0
|
||||
|
||||
# Disable measuring of audio levels
|
||||
#DISABLE_AUDIO_LEVELS=0
|
||||
|
||||
# Enable noisy mic detection
|
||||
#ENABLE_NOISY_MIC_DETECTION=1
|
||||
|
||||
#
|
||||
# Let's Encrypt configuration
|
||||
#
|
||||
|
||||
# Enable Let's Encrypt certificate generation
|
||||
#ENABLE_LETSENCRYPT=1
|
||||
|
||||
# Domain for which to generate the certificate
|
||||
#LETSENCRYPT_DOMAIN=meet.example.com
|
||||
|
||||
# E-Mail for receiving important account notifications (mandatory)
|
||||
#LETSENCRYPT_EMAIL=alice@atlanta.net
|
||||
|
||||
# Use the staging server (for avoiding rate limits while testing)
|
||||
#LETSENCRYPT_USE_STAGING=1
|
||||
|
||||
|
||||
#
|
||||
# Etherpad integration (for document sharing)
|
||||
#
|
||||
|
||||
# Set etherpad-lite URL in docker local network (uncomment to enable)
|
||||
#ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001
|
||||
|
||||
# Set etherpad-lite public URL (uncomment to enable)
|
||||
#ETHERPAD_PUBLIC_URL=https://etherpad.my.domain
|
||||
|
||||
# Name your etherpad instance!
|
||||
ETHERPAD_TITLE=Video Chat
|
||||
|
||||
# The default text of a pad
|
||||
ETHERPAD_DEFAULT_PAD_TEXT=Welcome to Web Chat!\n\n
|
||||
|
||||
# Name of the skin for etherpad
|
||||
ETHERPAD_SKIN_NAME=colibris
|
||||
|
||||
# Skin variants for etherpad
|
||||
ETHERPAD_SKIN_VARIANTS=super-light-toolbar super-light-editor light-background full-width-editor
|
||||
|
||||
|
||||
#
|
||||
# Basic Jigasi configuration options (needed for SIP gateway support)
|
||||
#
|
||||
|
||||
# SIP URI for incoming / outgoing calls
|
||||
#JIGASI_SIP_URI=test@sip2sip.info
|
||||
|
||||
# Password for the specified SIP account as a clear text
|
||||
#JIGASI_SIP_PASSWORD=passw0rd
|
||||
|
||||
# SIP server (use the SIP account domain if in doubt)
|
||||
#JIGASI_SIP_SERVER=sip2sip.info
|
||||
|
||||
# SIP server port
|
||||
#JIGASI_SIP_PORT=5060
|
||||
|
||||
# SIP server transport
|
||||
#JIGASI_SIP_TRANSPORT=UDP
|
||||
|
||||
#
|
||||
# Authentication configuration (see handbook for details)
|
||||
#
|
||||
|
||||
# Enable authentication
|
||||
#ENABLE_AUTH=1
|
||||
|
||||
# Enable guest access
|
||||
#ENABLE_GUESTS=1
|
||||
|
||||
# Select authentication type: internal, jwt or ldap
|
||||
#AUTH_TYPE=internal
|
||||
|
||||
# JWT authentication
|
||||
#
|
||||
|
||||
# Application identifier
|
||||
#JWT_APP_ID=my_jitsi_app_id
|
||||
|
||||
# Application secret known only to your token generator
|
||||
#JWT_APP_SECRET=my_jitsi_app_secret
|
||||
|
||||
# (Optional) Set asap_accepted_issuers as a comma separated list
|
||||
#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client
|
||||
|
||||
# (Optional) Set asap_accepted_audiences as a comma separated list
|
||||
#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2
|
||||
|
||||
|
||||
# LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page)
|
||||
#
|
||||
|
||||
# LDAP url for connection
|
||||
#LDAP_URL=ldaps://ldap.domain.com/
|
||||
|
||||
# LDAP base DN. Can be empty
|
||||
#LDAP_BASE=DC=example,DC=domain,DC=com
|
||||
|
||||
# LDAP user DN. Do not specify this parameter for the anonymous bind
|
||||
#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
|
||||
|
||||
# LDAP user password. Do not specify this parameter for the anonymous bind
|
||||
#LDAP_BINDPW=LdapUserPassw0rd
|
||||
|
||||
# LDAP filter. Tokens example:
|
||||
# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail
|
||||
# %s - %s is replaced by the complete service string
|
||||
# %r - %r is replaced by the complete realm string
|
||||
#LDAP_FILTER=(sAMAccountName=%u)
|
||||
|
||||
# LDAP authentication method
|
||||
#LDAP_AUTH_METHOD=bind
|
||||
|
||||
# LDAP version
|
||||
#LDAP_VERSION=3
|
||||
|
||||
# LDAP TLS using
|
||||
#LDAP_USE_TLS=1
|
||||
|
||||
# List of SSL/TLS ciphers to allow
|
||||
#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
|
||||
|
||||
# Require and verify server certificate
|
||||
#LDAP_TLS_CHECK_PEER=1
|
||||
|
||||
# Path to CA cert file. Used when server certificate verify is enabled
|
||||
#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt
|
||||
|
||||
# Path to CA certs directory. Used when server certificate verify is enabled
|
||||
#LDAP_TLS_CACERT_DIR=/etc/ssl/certs
|
||||
|
||||
# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps://
|
||||
# LDAP_START_TLS=1
|
||||
|
||||
|
||||
#
|
||||
# Advanced configuration options (you generally don't need to change these)
|
||||
#
|
||||
|
||||
# Internal XMPP domain
|
||||
XMPP_DOMAIN=meet.jitsi
|
||||
|
||||
# Internal XMPP server
|
||||
XMPP_SERVER=xmpp.meet.jitsi
|
||||
|
||||
# Internal XMPP server URL
|
||||
XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280
|
||||
|
||||
# Internal XMPP domain for authenticated services
|
||||
XMPP_AUTH_DOMAIN=auth.meet.jitsi
|
||||
|
||||
# XMPP domain for the MUC
|
||||
XMPP_MUC_DOMAIN=muc.meet.jitsi
|
||||
|
||||
# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools
|
||||
XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi
|
||||
|
||||
# XMPP domain for unauthenticated users
|
||||
XMPP_GUEST_DOMAIN=guest.meet.jitsi
|
||||
|
||||
# Comma separated list of domains for cross domain policy or "true" to allow all
|
||||
# The PUBLIC_URL is always allowed
|
||||
#XMPP_CROSS_DOMAIN=true
|
||||
|
||||
# Custom Prosody modules for XMPP_DOMAIN (comma separated)
|
||||
XMPP_MODULES=
|
||||
|
||||
# Custom Prosody modules for MUC component (comma separated)
|
||||
XMPP_MUC_MODULES=
|
||||
|
||||
# Custom Prosody modules for internal MUC component (comma separated)
|
||||
XMPP_INTERNAL_MUC_MODULES=
|
||||
|
||||
# MUC for the JVB pool
|
||||
JVB_BREWERY_MUC=jvbbrewery
|
||||
|
||||
# XMPP user for JVB client connections
|
||||
JVB_AUTH_USER=jvb
|
||||
|
||||
# STUN servers used to discover the server's public IP
|
||||
JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443
|
||||
|
||||
# Media port for the Jitsi Videobridge
|
||||
JVB_PORT=10000
|
||||
|
||||
# TCP Fallback for Jitsi Videobridge for when UDP isn't available
|
||||
JVB_TCP_HARVESTER_DISABLED=true
|
||||
JVB_TCP_PORT=4443
|
||||
JVB_TCP_MAPPED_PORT=4443
|
||||
|
||||
# A comma separated list of APIs to enable when the JVB is started [default: none]
|
||||
# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information
|
||||
#JVB_ENABLE_APIS=rest,colibri
|
||||
|
||||
# XMPP user for Jicofo client connections.
|
||||
# NOTE: this option doesn't currently work due to a bug
|
||||
JICOFO_AUTH_USER=focus
|
||||
|
||||
# Base URL of Jicofo's reservation REST API
|
||||
#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com
|
||||
|
||||
# Enable Jicofo's health check REST API (http://<jicofo_base_url>:8888/about/health)
|
||||
#JICOFO_ENABLE_HEALTH_CHECKS=true
|
||||
|
||||
# XMPP user for Jigasi MUC client connections
|
||||
JIGASI_XMPP_USER=jigasi
|
||||
|
||||
# MUC name for the Jigasi pool
|
||||
JIGASI_BREWERY_MUC=jigasibrewery
|
||||
|
||||
# Minimum port for media used by Jigasi
|
||||
JIGASI_PORT_MIN=20000
|
||||
|
||||
# Maximum port for media used by Jigasi
|
||||
JIGASI_PORT_MAX=20050
|
||||
|
||||
# Enable SDES srtp
|
||||
#JIGASI_ENABLE_SDES_SRTP=1
|
||||
|
||||
# Keepalive method
|
||||
#JIGASI_SIP_KEEP_ALIVE_METHOD=OPTIONS
|
||||
|
||||
# Health-check extension
|
||||
#JIGASI_HEALTH_CHECK_SIP_URI=keepalive
|
||||
|
||||
# Health-check interval
|
||||
#JIGASI_HEALTH_CHECK_INTERVAL=300000
|
||||
#
|
||||
# Enable Jigasi transcription
|
||||
#ENABLE_TRANSCRIPTIONS=1
|
||||
|
||||
# Jigasi will record audio when transcriber is on [default: false]
|
||||
#JIGASI_TRANSCRIBER_RECORD_AUDIO=true
|
||||
|
||||
# Jigasi will send transcribed text to the chat when transcriber is on [default: false]
|
||||
#JIGASI_TRANSCRIBER_SEND_TXT=true
|
||||
|
||||
# Jigasi will post an url to the chat with transcription file [default: false]
|
||||
#JIGASI_TRANSCRIBER_ADVERTISE_URL=true
|
||||
|
||||
# Credentials for connect to Cloud Google API from Jigasi
|
||||
# Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol
|
||||
# section "Before you begin" paragraph 1 to 5
|
||||
# Copy the values from the json to the related env vars
|
||||
#GC_PROJECT_ID=
|
||||
#GC_PRIVATE_KEY_ID=
|
||||
#GC_PRIVATE_KEY=
|
||||
#GC_CLIENT_EMAIL=
|
||||
#GC_CLIENT_ID=
|
||||
#GC_CLIENT_CERT_URL=
|
||||
|
||||
# Enable recording
|
||||
#ENABLE_RECORDING=1
|
||||
|
||||
# XMPP domain for the jibri recorder
|
||||
XMPP_RECORDER_DOMAIN=recorder.meet.jitsi
|
||||
|
||||
# XMPP recorder user for Jibri client connections
|
||||
JIBRI_RECORDER_USER=recorder
|
||||
|
||||
# Directory for recordings inside Jibri container
|
||||
JIBRI_RECORDING_DIR=/config/recordings
|
||||
|
||||
# The finalizing script. Will run after recording is complete
|
||||
#JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh
|
||||
|
||||
# XMPP user for Jibri client connections
|
||||
JIBRI_XMPP_USER=jibri
|
||||
|
||||
# MUC name for the Jibri pool
|
||||
JIBRI_BREWERY_MUC=jibribrewery
|
||||
|
||||
# MUC connection timeout
|
||||
JIBRI_PENDING_TIMEOUT=90
|
||||
|
||||
# When jibri gets a request to start a service for a room, the room
|
||||
# jid will look like: roomName@optional.prefixes.subdomain.xmpp_domain
|
||||
# We'll build the url for the call by transforming that into:
|
||||
# https://xmpp_domain/subdomain/roomName
|
||||
# So if there are any prefixes in the jid (like jitsi meet, which
|
||||
# has its participants join a muc at conference.xmpp_domain) then
|
||||
# list that prefix here so it can be stripped out to generate
|
||||
# the call url correctly
|
||||
JIBRI_STRIP_DOMAIN_JID=muc
|
||||
|
||||
# Directory for logs inside Jibri container
|
||||
JIBRI_LOGS_DIR=/config/logs
|
||||
|
||||
# Configure an external TURN server
|
||||
# TURN_CREDENTIALS=secret
|
||||
# TURN_HOST=turnserver.example.com
|
||||
# TURN_PORT=443
|
||||
# TURNS_HOST=turnserver.example.com
|
||||
# TURNS_PORT=443
|
||||
|
||||
# Disable HTTPS: handle TLS connections outside of this setup
|
||||
#DISABLE_HTTPS=1
|
||||
|
||||
# Enable FLoC
|
||||
# Opt-In to Federated Learning of Cohorts tracking
|
||||
#ENABLE_FLOC=0
|
||||
|
||||
# Redirect HTTP traffic to HTTPS
|
||||
# Necessary for Let's Encrypt, relies on standard HTTPS port (443)
|
||||
#ENABLE_HTTP_REDIRECT=1
|
||||
|
||||
# Send a `strict-transport-security` header to force browsers to use
|
||||
# a secure and trusted connection. Recommended for production use.
|
||||
# Defaults to 1 (send the header).
|
||||
# ENABLE_HSTS=1
|
||||
|
||||
# Enable IPv6
|
||||
# Provides means to disable IPv6 in environments that don't support it (get with the times, people!)
|
||||
#ENABLE_IPV6=1
|
||||
|
||||
# Container restart policy
|
||||
# Defaults to unless-stopped
|
||||
RESTART_POLICY=unless-stopped
|
||||
|
||||
# Authenticate using external service or just focus external auth window if there is one already.
|
||||
# TOKEN_AUTH_URL=https://auth.meet.example.com/{room}
|
||||
|
||||
# Sentry Error Tracking
|
||||
# Sentry Data Source Name (Endpoint for Sentry project)
|
||||
# Example: https://public:private@host:port/1
|
||||
#JVB_SENTRY_DSN=
|
||||
#JICOFO_SENTRY_DSN=
|
||||
#JIGASI_SENTRY_DSN=
|
||||
|
||||
# Optional environment info to filter events
|
||||
#SENTRY_ENVIRONMENT=production
|
||||
|
||||
# Optional release info to filter events
|
||||
#SENTRY_RELEASE=1.0.0
|
||||
|
||||
# Optional properties for shutdown api
|
||||
#COLIBRI_REST_ENABLED=true
|
||||
#SHUTDOWN_REST_ENABLED=true
|
|
@ -0,0 +1,16 @@
|
|||
version: '3'
|
||||
|
||||
services:
|
||||
# Etherpad: real-time collaborative document editing
|
||||
etherpad:
|
||||
image: etherpad/etherpad:1.8.6
|
||||
restart: ${RESTART_POLICY}
|
||||
environment:
|
||||
- TITLE=${ETHERPAD_TITLE}
|
||||
- DEFAULT_PAD_TEXT=${ETHERPAD_DEFAULT_PAD_TEXT}
|
||||
- SKIN_NAME=${ETHERPAD_SKIN_NAME}
|
||||
- SKIN_VARIANTS=${ETHERPAD_SKIN_VARIANTS}
|
||||
networks:
|
||||
meet.jitsi:
|
||||
aliases:
|
||||
- etherpad.meet.jitsi
|
|
@ -0,0 +1,19 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
function generatePassword() {
|
||||
openssl rand -hex 16
|
||||
}
|
||||
|
||||
JICOFO_AUTH_PASSWORD=$(generatePassword)
|
||||
JVB_AUTH_PASSWORD=$(generatePassword)
|
||||
JIGASI_XMPP_PASSWORD=$(generatePassword)
|
||||
JIBRI_RECORDER_PASSWORD=$(generatePassword)
|
||||
JIBRI_XMPP_PASSWORD=$(generatePassword)
|
||||
|
||||
sed -i.bak \
|
||||
-e "s#JICOFO_AUTH_PASSWORD=.*#JICOFO_AUTH_PASSWORD=${JICOFO_AUTH_PASSWORD}#g" \
|
||||
-e "s#JVB_AUTH_PASSWORD=.*#JVB_AUTH_PASSWORD=${JVB_AUTH_PASSWORD}#g" \
|
||||
-e "s#JIGASI_XMPP_PASSWORD=.*#JIGASI_XMPP_PASSWORD=${JIGASI_XMPP_PASSWORD}#g" \
|
||||
-e "s#JIBRI_RECORDER_PASSWORD=.*#JIBRI_RECORDER_PASSWORD=${JIBRI_RECORDER_PASSWORD}#g" \
|
||||
-e "s#JIBRI_XMPP_PASSWORD=.*#JIBRI_XMPP_PASSWORD=${JIBRI_XMPP_PASSWORD}#g" \
|
||||
"$(dirname "$0")/.env"
|
|
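Review bot: The script has no `set -euo pipefail`, so if `openssl rand` fails (binary missing, or a broken pipe) `generatePassword` returns an empty string and the `sed` expressions silently write `..._PASSWORD=` into `.env` — exactly the unset state the env.example header warns against — while the script still exits 0. Adding `set -euo pipefail` directly after the shebang aborts before any write. `sed -i.bak` also leaves `.env.bak` beside `.env` holding the previous credentials on every re-run; either drop the backup suffix or remove it after a successful rewrite (`rm -f "$(dirname "$0")/.env.bak"`), and since `.env` now carries five service secrets, tightening its mode with `chmod 600 "$(dirname "$0")/.env"` is cheap.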
@ -0,0 +1,46 @@
|
|||
version: '3'
|
||||
|
||||
services:
|
||||
jibri:
|
||||
image: jitsi/jibri:stable-6433
|
||||
restart: ${RESTART_POLICY}
|
||||
volumes:
|
||||
- ${CONFIG}/jibri:/config:Z
|
||||
- /dev/shm:/dev/shm
|
||||
cap_add:
|
||||
- SYS_ADMIN
|
||||
- NET_BIND_SERVICE
|
||||
devices:
|
||||
- /dev/snd:/dev/snd
|
||||
environment:
|
||||
- CHROMIUM_FLAGS
|
||||
- DISPLAY=:0
|
||||
- ENABLE_STATS_D
|
||||
- JIBRI_FFMPEG_AUDIO_SOURCE
|
||||
- JIBRI_FFMPEG_AUDIO_DEVICE
|
||||
- JIBRI_HTTP_API_EXTERNAL_PORT
|
||||
- JIBRI_HTTP_API_INTERNAL_PORT
|
||||
- JIBRI_RECORDING_RESOLUTION
|
||||
- JIBRI_USAGE_TIMEOUT
|
||||
- JIBRI_XMPP_USER
|
||||
- JIBRI_XMPP_PASSWORD
|
||||
- JIBRI_BREWERY_MUC
|
||||
- JIBRI_RECORDER_USER
|
||||
- JIBRI_RECORDER_PASSWORD
|
||||
- JIBRI_RECORDING_DIR
|
||||
- JIBRI_FINALIZE_RECORDING_SCRIPT_PATH
|
||||
- JIBRI_STRIP_DOMAIN_JID
|
||||
- JIBRI_LOGS_DIR
|
||||
- PUBLIC_URL
|
||||
- TZ
|
||||
- XMPP_AUTH_DOMAIN
|
||||
- XMPP_DOMAIN
|
||||
- XMPP_INTERNAL_MUC_DOMAIN
|
||||
- XMPP_RECORDER_DOMAIN
|
||||
- XMPP_SERVER
|
||||
- XMPP_TRUST_ALL_CERTS
|
||||
depends_on:
|
||||
- jicofo
|
||||
networks:
|
||||
meet.jitsi:
|
||||
|
|
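Review bot: `XMPP_TRUST_ALL_CERTS` is forwarded to the `jibri` container but does not appear anywhere in env.example in this commit, so there is no documentation of what it does (the name suggests it disables certificate verification on the XMPP connection) or when, if ever, it should be set; a commented entry under the Jibri section of env.example, e.g. `# Accept any XMPP server certificate (skips verification) - leave unset unless debugging` followed by `#XMPP_TRUST_ALL_CERTS=`, would close that gap. The `cap_add: SYS_ADMIN` together with the `/dev/shm` mount and `/dev/snd` device make this the most privileged service in the jitsi stack, and nothing in the file says why; a one-line comment above `cap_add` stating what each grant is needed for (presumably the browser and audio loopback the upstream jibri image drives — verify against the upstream docs) keeps a later cleanup from removing them blindly or keeping them without reason. Both points are documentation only.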
@ -0,0 +1,53 @@
|
|||
version: '3'
|
||||
|
||||
services:
|
||||
# SIP gateway (audio)
|
||||
jigasi:
|
||||
image: jitsi/jigasi:stable-6433
|
||||
restart: ${RESTART_POLICY}
|
||||
ports:
|
||||
- '${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}:${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}/udp'
|
||||
volumes:
|
||||
- ${CONFIG}/jigasi:/config:Z
|
||||
- ${CONFIG}/transcripts:/tmp/transcripts:Z
|
||||
environment:
|
||||
- ENABLE_AUTH
|
||||
- XMPP_AUTH_DOMAIN
|
||||
- XMPP_MUC_DOMAIN
|
||||
- XMPP_INTERNAL_MUC_DOMAIN
|
||||
- XMPP_SERVER
|
||||
- XMPP_DOMAIN
|
||||
- PUBLIC_URL
|
||||
- JIGASI_SIP_URI
|
||||
- JIGASI_SIP_PASSWORD
|
||||
- JIGASI_SIP_SERVER
|
||||
- JIGASI_SIP_PORT
|
||||
- JIGASI_SIP_TRANSPORT
|
||||
- JIGASI_SIP_DEFAULT_ROOM
|
||||
- JIGASI_XMPP_USER
|
||||
- JIGASI_XMPP_PASSWORD
|
||||
- JIGASI_BREWERY_MUC
|
||||
- JIGASI_PORT_MIN
|
||||
- JIGASI_PORT_MAX
|
||||
- JIGASI_HEALTH_CHECK_SIP_URI
|
||||
- JIGASI_HEALTH_CHECK_INTERVAL
|
||||
- JIGASI_SIP_KEEP_ALIVE_METHOD
|
||||
- JIGASI_ENABLE_SDES_SRTP
|
||||
- ENABLE_TRANSCRIPTIONS
|
||||
- JIGASI_TRANSCRIBER_ADVERTISE_URL
|
||||
- JIGASI_TRANSCRIBER_RECORD_AUDIO
|
||||
- JIGASI_TRANSCRIBER_SEND_TXT
|
||||
- GC_PROJECT_ID
|
||||
- GC_PRIVATE_KEY_ID
|
||||
- GC_PRIVATE_KEY
|
||||
- GC_CLIENT_EMAIL
|
||||
- GC_CLIENT_ID
|
||||
- GC_CLIENT_CERT_URL
|
||||
- SENTRY_DSN="${JIGASI_SENTRY_DSN:-0}"
|
||||
- SENTRY_ENVIRONMENT
|
||||
- SENTRY_RELEASE
|
||||
- TZ
|
||||
depends_on:
|
||||
- prosody
|
||||
networks:
|
||||
meet.jitsi:
|
|
@ -0,0 +1,4 @@
|
|||
docker network create --subnet 10.255.251.0/24 pg_opn
|
||||
docker network create --subnet 10.255.252.0/24 pg_vpn
|
||||
docker network create --internal --subnet 10.255.253.0/24 pg_bus
|
||||
docker network create --internal --subnet 10.255.254.0/24 pg_int
|
|
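Review bot: The script has no shebang and no `set -e`, and `docker network create` is not idempotent, so on a second run the first line fails because `pg_opn` already exists, the remaining three fail the same way, and the exit status reflects only the last command; assuming this is the `create-networks.sh` that the README's step 1 asks the operator to run, it should be safely re-runnable. A shebang, strict mode, and an existence check before each create (`docker network inspect NAME >/dev/null 2>&1 || docker network create ...`) give that without changing the subnets or the `--internal` flags.
```shell
#!/usr/bin/env bash
set -euo pipefail

# Create a network only when it does not already exist; docker network create
# is not idempotent, and this script is the README's re-runnable step 1.
ensure_network() {
    docker network inspect "$1" >/dev/null 2>&1 || docker network create "${@:2}" "$1"
}

ensure_network pg_opn --subnet 10.255.251.0/24
ensure_network pg_vpn --subnet 10.255.252.0/24
ensure_network pg_bus --internal --subnet 10.255.253.0/24
ensure_network pg_int --internal --subnet 10.255.254.0/24
```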
@ -0,0 +1,62 @@
|
|||
version: '3.9'
|
||||
services:
|
||||
lokinet:
|
||||
build: lokinet
|
||||
privileged: true
|
||||
restart: always
|
||||
environment:
|
||||
- "TZ=UTC"
|
||||
tty: true
|
||||
tmpfs:
|
||||
- /run
|
||||
- /tmp
|
||||
volumes:
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup:ro
|
||||
- /sys/fs/cgroup/systemd
|
||||
- ./data/lokinet:/data
|
||||
- ./data/proxy/config/:/etc/squid
|
||||
- ./data/proxy/logs/:/var/log/squid
|
||||
- ./data/proxy/cache/:/var/spool/squid
|
||||
- ./lokinet.ini:/etc/loki/lokinet.ini
|
||||
- ./haproxy.cfg:/etc/haproxy/haproxy.cfg
|
||||
- ./data/vpn:/certs
|
||||
- ..:/repo:ro
|
||||
networks:
|
||||
pg_vpn:
|
||||
ipv4_address: 10.255.252.253
|
||||
pg_bus:
|
||||
ipv4_address: 10.255.253.254
|
||||
vpn:
|
||||
build: vpn
|
||||
privileged: true
|
||||
restart: always
|
||||
volumes:
|
||||
- ./data/vpn:/config
|
||||
networks:
|
||||
pg_opn:
|
||||
ipv4_address: 10.255.251.254
|
||||
pg_vpn:
|
||||
ipv4_address: 10.255.252.254
|
||||
proxy:
|
||||
build: proxy
|
||||
privileged: true
|
||||
environment:
|
||||
- "TZ=UTC"
|
||||
volumes:
|
||||
- ./data/proxy/logs/:/var/log/squid
|
||||
- ./data/proxy/cache/:/var/spool/squid
|
||||
networks:
|
||||
pg_vpn:
|
||||
ipv4_address: 10.255.252.252
|
||||
pg_bus:
|
||||
ipv4_address: 10.255.253.252
|
||||
networks:
|
||||
pg_opn:
|
||||
external:
|
||||
name: pg_opn
|
||||
pg_vpn:
|
||||
external:
|
||||
name: pg_vpn
|
||||
pg_bus:
|
||||
external:
|
||||
name: pg_bus
|
|
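Review bot: All three services run with `privileged: true`, and for `proxy` nothing in the section shows a need for it — it mounts only the squid log and cache directories and declares no devices — so that line should be removed or justified in a comment; for `lokinet` and `vpn`, if the requirement is TUN and routing, `cap_add: [NET_ADMIN]` plus `devices: [/dev/net/tun]` is the narrower grant (I cannot tell from this page whether that also covers the systemd-style `/sys/fs/cgroup` mounts on `lokinet`). `lokinet` additionally bind-mounts the parent directory `..:/repo:ro`, which is presumably the repository root and therefore exposes the whole checkout — including the `jitsi/.env` that `gen-passwords.sh` fills with service passwords and the `data/vpn` certificates — inside a privileged container; mounting only the files it needs is safer, and at minimum a comment should say what `/repo` is used for. Finally, `proxy` is the only service without a `restart:` line while `lokinet` and `vpn` use `restart: always`; if that is intentional, say so in a comment, otherwise add `restart: always`.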
@ -0,0 +1,118 @@
|
|||
global
|
||||
log /dev/log local0
|
||||
log /dev/log local1 notice
|
||||
chroot /var/lib/haproxy
|
||||
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
|
||||
stats timeout 30s
|
||||
user haproxy
|
||||
group haproxy
|
||||
daemon
|
||||
|
||||
# Default SSL material locations
|
||||
ca-base /etc/ssl/certs
|
||||
crt-base /etc/ssl/private
|
||||
|
||||
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
|
||||
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
||||
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
|
||||
|
||||
defaults
|
||||
log global
|
||||
mode http
|
||||
option httplog
|
||||
option dontlognull
|
||||
timeout connect 5000
|
||||
timeout client 50000
|
||||
timeout server 50000
|
||||
errorfile 400 /etc/haproxy/errors/400.http
|
||||
errorfile 403 /etc/haproxy/errors/403.http
|
||||
errorfile 408 /etc/haproxy/errors/408.http
|
||||
errorfile 500 /etc/haproxy/errors/500.http
|
||||
errorfile 502 /etc/haproxy/errors/502.http
|
||||
errorfile 503 /etc/haproxy/errors/503.http
|
||||
errorfile 504 /etc/haproxy/errors/504.http
|
||||
|
||||
frontend http-in
|
||||
bind :80 alpn h2,http/1.1
|
||||
bind :8008 alpn h2,http/1.1
|
||||
bind :443 ssl crt /certs/.acme.sh/rato.ro.eu.org/all.pem alpn h2,http/1.1
|
||||
bind :8448 ssl crt /certs/.acme.sh/rato.ro.eu.org/all.pem alpn h2,http/1.1
|
||||
default_backend matrix
|
||||
|
||||
use_backend aaa if { hdr_beg(host) -i aaa }
|
||||
use_backend matrixwellknown if { path -i -m beg /.well-known/matrix }
|
||||
use_backend dimension if { hdr_beg(host) -i dimension }
|
||||
use_backend element if { hdr_beg(host) -i element }
|
||||
use_backend fosstodon if { hdr_beg(host) -i fosstodon }
|
||||
use_backend jitsi if { hdr_beg(host) -i jitsi }
|
||||
use_backend keycloak if { hdr_beg(host) -i keycloak }
|
||||
use_backend revolt if { hdr_beg(host) -i revolt. }
|
||||
use_backend revolt-api if { hdr_beg(host) -i revolt-api }
|
||||
use_backend revolt-ws if { hdr_beg(host) -i revolt-ws }
|
||||
use_backend revolt-au if { hdr_beg(host) -i revolt-au }
|
||||
use_backend revolt-jan if { hdr_beg(host) -i revolt-jan }
|
||||
use_backend revolt-vox if { hdr_beg(host) -i revolt-vox }
|
||||
use_backend site if { hdr_beg(host) -i site }
|
||||
use_backend h2 if { hdr_beg(host) -i h2 }
|
||||
use_backend pad if { hdr_beg(host) -i pad }
|
||||
use_backend wiki if { hdr_beg(host) -i wiki }
|
||||
|
||||
backend aaa
|
||||
server aaa 10.255.253.199:80
|
||||
|
||||
backend jitsi
|
||||
server jitsi 10.255.253.196:80
|
||||
|
||||
backend keycloak
|
||||
server keycloak 10.255.253.198:8080
|
||||
|
||||
backend matrix
|
||||
server matrix 10.255.253.10:8008
|
||||
|
||||
backend matrixwellknown
|
||||
http-response add-header Access-Control-Allow-Origin *
|
||||
option forwardfor
|
||||
server matrixwellknown 10.255.253.14:80
|
||||
|
||||
backend dimension
|
||||
http-response add-header Access-Control-Allow-Origin *
|
||||
option forwardfor
|
||||
server dimension 10.255.253.13:8184
|
||||
|
||||
|
||||
backend element
|
||||
server element 10.255.253.12:80
|
||||
|
||||
backend fosstodon
|
||||
server fosstodon 10.255.253.20:3001
|
||||
|
||||
backend revolt
|
||||
server revolt 10.255.253.30:5000
|
||||
|
||||
backend revolt-api
|
||||
server revolt-api 10.255.253.31:8000
|
||||
|
||||
backend revolt-ws
|
||||
server revolt-ws 10.255.253.31:9000
|
||||
|
||||
backend revolt-au
|
||||
server revolt-au 10.255.253.32:3000
|
||||
|
||||
backend revolt-jan
|
||||
server revolt-jan 10.255.253.33:3000
|
||||
|
||||
backend revolt-vox
|
||||
server revolt-vox 10.255.253.34:8080
|
||||
|
||||
backend wiki
|
||||
server wiki 10.255.253.194:80
|
||||
|
||||
backend site
|
||||
server site 10.255.253.40:80
|
||||
|
||||
backend pad
|
||||
server pad 10.255.253.50:3000
|
||||
|
||||
backend h2
|
||||
server h2 10.255.253.60:3000
|
|
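Review bot: The TLS-terminating `http-in` frontend hands every request to its backend over plain HTTP without telling it the original scheme or client address: only `matrixwellknown` and `dimension` set `option forwardfor`, and nothing sets `X-Forwarded-Proto`, so synapse, keycloak and the other apps presumably see each request as `http://` from the proxy's own address (rate limits, audit logs and generated redirect URLs all degrade). Move `option forwardfor` into `defaults` and add `http-request set-header X-Forwarded-Proto https if { ssl_fc }` under `http-in`. Separately, `default_backend matrix` sends any unmatched `Host` (IP literals, unknown names) to synapse, and the clear-text `:80`/`:8008` binds serve the same routing table, so client access tokens can be sent unencrypted; unless `:80` is needed for an ACME HTTP-01 challenge, add `http-request redirect scheme https code 301 unless { ssl_fc }` (or at least an explicit Host ACL for the matrix backend with a `deny` default).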
@ -0,0 +1,234 @@
|
|||
[router]
|
||||
# Configuration for routing activity.
|
||||
|
||||
|
||||
# Network ID; this is 'lokinet' for mainnet, 'gamma' for testnet.
|
||||
#netid=lokinet
|
||||
|
||||
# Minimum number of routers lokinet will attempt to maintain connections to.
|
||||
#min-connections=4
|
||||
|
||||
# Maximum number (hard limit) of routers lokinet will be connected to at any time.
|
||||
#max-connections=6
|
||||
|
||||
# Optional directory for containing lokinet runtime data. This includes generated
|
||||
# private keys.
|
||||
#data-dir=/var/lib/lokinet
|
||||
|
||||
# The number of threads available for performing cryptographic functions.
|
||||
# The minimum is one thread, but network performance may increase with more.
|
||||
# threads. Should not exceed the number of logical CPU cores.
|
||||
# 0 means use the number of logical CPU cores detected at startup.
|
||||
#worker-threads=0
|
||||
|
||||
|
||||
[network]
|
||||
# Network settings
|
||||
# Snapp settings
|
||||
|
||||
|
||||
# Public key of a router which will act as a pinned first-hop. This may be used to
|
||||
# provide a trusted router (consider that you are not fully anonymous with your
|
||||
# first hop).
|
||||
#strict-connect=
|
||||
|
||||
# The private key to persist address with. If not specified the address will be
|
||||
# ephemeral.
|
||||
#keyfile=
|
||||
|
||||
# Set the endpoint authentication mechanism.
|
||||
# none/whitelist/lmq
|
||||
#auth=
|
||||
|
||||
# lmq endpoint to talk to for authenticating new sessions
|
||||
# ipc:///var/lib/lokinet/auth.socket
|
||||
# tcp://127.0.0.1:5555
|
||||
#auth-lmq=
|
||||
|
||||
# lmq function to call for authenticating new sessions
|
||||
# llarp.auth
|
||||
#auth-lmq-method=llarp.auth
|
||||
|
||||
# manually add a remote endpoint by .loki address to the access whitelist
|
||||
#auth-whitelist=
|
||||
|
||||
# Determines whether we will publish our snapp's introset to the DHT.
|
||||
#reachable=1
|
||||
|
||||
# Number of hops in a path. Min 1, max 8.
|
||||
#hops=4
|
||||
|
||||
# Number of paths to maintain at any given time.
|
||||
#paths=6
|
||||
|
||||
# Whether or not we should act as an exit node. Beware that this increases demand
|
||||
# on the server and may pose liability concerns. Enable at your own risk.
|
||||
#exit=0
|
||||
|
||||
# When in exit mode announce we allow a private range in our introsetexmaple:
|
||||
# owned-range=10.0.0.0/24
|
||||
#owned-range=
|
||||
|
||||
# List of ip traffic whitelist, anything not specified will be dropped by us.examples:
|
||||
# tcp for all tcp traffic regardless of port
|
||||
# 0x69 for all packets using ip protocol 0x69udp/53 for udp port 53
|
||||
# tcp/smtp for smtp port
|
||||
#traffic-whitelist=
|
||||
|
||||
# Specify a `.loki` address and an optional ip range to use as an exit broker.
|
||||
# Example:
|
||||
# exit-node=whatever.loki # maps all exit traffic to whatever.loki
|
||||
# exit-node=stuff.loki:100.0.0.0/24 # maps 100.0.0.0/24 to stuff.loki
|
||||
#exit-node=
|
||||
|
||||
# Specify an optional authentication code required to use a non-public exit node.
|
||||
# For example:
|
||||
# exit-auth=myfavouriteexit.loki:abc
|
||||
# uses the authentication code `abc` whenever myfavouriteexit.loki is accessed.
|
||||
# Can be specified multiple time to store codes for different exit nodes.
|
||||
#exit-auth=
|
||||
|
||||
# Interface name for lokinet traffic. If unset lokinet will look for a free name
|
||||
# lokinetN, starting at 0 (e.g. lokinet0, lokinet1, ...).
|
||||
#ifname=
|
||||
|
||||
# Local IP and range for lokinet traffic. For example, 172.16.0.1/16 to use
|
||||
# 172.16.0.1 for this machine and 172.16.x.y for remote peers. If omitted then
|
||||
# lokinet will attempt to find an unused private range.
|
||||
#ifaddr=
|
||||
|
||||
# For all ipv6 exit traffic you will use this as the base address bitwised or'd with the v4 address in use.
|
||||
# To disable ipv6 set this to an empty value.
|
||||
# !!! WARNING !!! Disabling ipv6 tunneling when you have ipv6 routes WILL lead to de-anonymization as lokinet will no longer carry your ipv6 traffic.
|
||||
#ip6-range=fd00::
|
||||
|
||||
# Map a remote `.loki` address to always use a fixed local IP. For example:
|
||||
# mapaddr=whatever.loki:172.16.0.10
|
||||
# maps `whatever.loki` to `172.16.0.10` instead of using the next available IP.
|
||||
# The given IP address must be inside the range configured by ifaddr=
|
||||
#mapaddr=
|
||||
|
||||
# Adds a lokinet relay `.snode` address to the list of relays to avoid when
|
||||
# building paths. Can be specified multiple times.
|
||||
#blacklist-snode=
|
||||
|
||||
# Specify SRV Records for services hosted on the SNApp
|
||||
# for more info see https://docs.loki.network/Lokinet/Guides/HostingSNApps/
|
||||
# srv=_service._protocol priority weight port target.loki
|
||||
#srv=
|
||||
|
||||
# time in seconds how long to wait for a path to align to pivot routers
|
||||
# if not provided a sensible default will be used
|
||||
#path-alignment-timeout=
|
||||
|
||||
# persist mapped ephemeral addresses to a file
|
||||
# on restart the mappings will be loaded so that ip addresses will not be mapped to a different address
|
||||
#persist-addrmap-file=/var/lib/lokinet/addrmap.dat
|
||||
|
||||
|
||||
[paths]
|
||||
# path selection algorithm options
|
||||
|
||||
|
||||
# Netmask for router path selection; each router must be from a distinct IP subnet of the given size.
|
||||
# E.g. 16 ensures that all routers are using distinct /16 IP addresses.
|
||||
#unique-range-size=32
|
||||
|
||||
|
||||
[dns]
|
||||
# DNS configuration
|
||||
|
||||
|
||||
# Upstream resolver(s) to use as fallback for non-loki addresses.
|
||||
# Multiple values accepted.
|
||||
upstream=10.64.0.1
|
||||
|
||||
# Address to bind to for handling DNS requests.
|
||||
bind=127.3.2.1:53
|
||||
# Add a hosts file to the dns resolver
|
||||
# For use with client side dns filtering
|
||||
#add-hosts=
|
||||
|
||||
# Can be uncommented and set to 1 to disable resolvconf configuration of lokinet DNS.
|
||||
# (This is not used directly by lokinet itself, but by the lokinet init scripts
|
||||
# on systems which use resolveconf)
|
||||
#no-resolvconf=
|
||||
|
||||
|
||||
[bind]
|
||||
# This section specifies network interface names and/or IPs as keys, and
|
||||
# ports as values to control the address(es) on which Lokinet listens for
|
||||
# incoming data.
|
||||
#
|
||||
# Examples:
|
||||
#
|
||||
# eth0=1090
|
||||
# 0.0.0.0=1090
|
||||
# 1.2.3.4=1090
|
||||
#
|
||||
# The first bind to port 1090 on the network interface 'eth0'; the second binds
|
||||
# to port 1090 on all local network interfaces; and the third example binds to
|
||||
# port 1090 on the given IP address.
|
||||
#
|
||||
# If a private range IP address (or an interface with a private IP) is given, or
|
||||
# if the 0.0.0.0 all-address IP is given then you must also specify the
|
||||
# public-ip= and public-port= settings in the [router] section with a public
|
||||
# address at which this router can be reached.
|
||||
# Typically this section can be left blank: if no inbound bind addresses are
|
||||
# configured then lokinet will search for a local network interface with a public
|
||||
# IP address and use that (with port 1090).
|
||||
|
||||
|
||||
# Specify a source port for **outgoing** Lokinet traffic, for example if you want to
|
||||
# set up custom firewall rules based on the originating port. Typically this should
|
||||
# be left unset to automatically choose random source ports.
|
||||
#*=0
|
||||
|
||||
|
||||
[api]
|
||||
# JSON API settings
|
||||
|
||||
|
||||
# Determines whether or not the LMQ JSON API is enabled. Defaults
|
||||
#enabled=1
|
||||
|
||||
# IP address and port to bind to.
|
||||
# Recommend localhost-only for security purposes.
|
||||
#bind=tcp://127.0.0.1:1190
|
||||
|
||||
|
||||
[bootstrap]
|
||||
# Configure nodes that will bootstrap us onto the network
|
||||
|
||||
|
||||
# Whether or not to run as a seed node. We will not have any bootstrap routers configured.
|
||||
#seed-node=0
|
||||
|
||||
# Specify a bootstrap file containing a signed RouterContact of a service node
|
||||
# which can act as a bootstrap. Can be specified multiple times.
|
||||
#add-node=
|
||||
|
||||
|
||||
[logging]
|
||||
# logging settings
|
||||
|
||||
|
||||
# Log type (format). Valid options are:
|
||||
# file - plaintext formatting
|
||||
# json - json-formatted log statements
|
||||
# syslog - logs directed to syslog
|
||||
#type=file
|
||||
|
||||
# Minimum log level to print. Logging below this level will be ignored.
|
||||
# Valid log levels, in ascending order, are:
|
||||
# trace
|
||||
# debug
|
||||
# info
|
||||
# warn
|
||||
# error
|
||||
#level=warn
|
||||
|
||||
# When using type=file this is the output filename. If given the value 'stdout' or
|
||||
# left empty then logging is printed as standard output rather than written to a
|
||||
# file.
|
||||
#file=
|
|
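Review bot: The only active settings in this file are `upstream=10.64.0.1` and `bind=127.3.2.1:53` under `[dns]`, while the container's `/etc/resolv.conf` shipped in this commit points at `nameserver 127.0.0.1`; unless the base image runs another resolver on 127.0.0.1:53, the container's own name lookups never reach lokinet's DNS, and if the runtime substitutes Docker's resolv.conf they bypass the VPN-side upstream entirely — worth checking with `dig @127.0.0.1` and `dig @127.3.2.1` inside the container. `10.64.0.1` is only reachable through the route installed by `routes-start`, so a comment tying the two together would help, e.g. `# 10.64.0.1 is reached via the vpn container (see routes-start); resolution fails if that route is missing`. Everything else appears to be the stock commented template; trimming it to the lines actually set would make future diffs reviewable, or at least note that `[api]` keeps its localhost-only default inside a privileged container.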
@ -0,0 +1,15 @@
|
|||
FROM registry.oxen.rocks/lokinet-exit:latest
|
||||
|
||||
RUN apt-get -y update && \
|
||||
apt-get -y install curl iproute2 iputils-ping tcpdump net-tools dnsutils procps squid iptables inetutils-telnet haproxy && \
|
||||
apt-get -y clean && \
|
||||
rm -rf /var/lib/apt/lists/*
|
||||
|
||||
EXPOSE 3128/tcp
|
||||
VOLUME [/var/spool/squid /var/log/squid]
|
||||
|
||||
COPY routes.service /etc/systemd/system/routes.service
|
||||
COPY routes-start /usr/local/bin/routes-start
|
||||
COPY resolv.conf /etc/resolv.conf
|
||||
RUN chmod +x /usr/local/bin/routes-start
|
||||
RUN systemctl enable routes.service
|
|
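Review bot: `VOLUME [/var/spool/squid /var/log/squid]` is neither valid JSON nor the plain list form: the Dockerfile parser falls back to whitespace splitting when the bracket form does not parse, so this most likely declares volumes literally named `[/var/spool/squid` and `/var/log/squid]`; write `VOLUME ["/var/spool/squid", "/var/log/squid"]`. `COPY resolv.conf /etc/resolv.conf` is also ineffective at runtime, because the container runtime bind-mounts its own `/etc/resolv.conf` over the image's copy at start — a fixed resolver has to come from the compose `dns:` key or be written at boot by the routes service. Finally, the image builds from an unpinned `:latest` exit-node base and installs `tcpdump`, `inetutils-telnet` and similar tools into a privileged, internet-facing container; pin the base by tag or digest, add `--no-install-recommends`, and keep the debugging tools out of the production image.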
@ -0,0 +1 @@
|
|||
nameserver 127.0.0.1
|
|
@ -0,0 +1,4 @@
|
|||
#!/bin/bash
|
||||
#route del -net default
|
||||
route add -net 10.64.0.0/24 gw 10.255.252.254
|
||||
#route add -net default gw 10.255.252.254
|
|
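Review bot: Only `10.64.0.0/24` is steered through the vpn container (`10.255.252.254`); with the default-route lines left commented out, every other packet this exit node forwards presumably leaves via Docker's own gateway on `pg_vpn`, i.e. not through the VPN — if that split is intentional it needs a comment saying so, and if not, the two commented lines should be restored rather than kept as dead code. The net-tools `route` syntax also fails on restart once the route exists; since iproute2 is installed in the image, prefer the idempotent form `ip route replace 10.64.0.0/24 via 10.255.252.254`, with `set -eu` at the top so a typo cannot be silently skipped if more lines are added later.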
@ -0,0 +1,7 @@
|
|||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/bin/bash /usr/local/bin/routes-start
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -0,0 +1,20 @@
|
|||
FROM debian
|
||||
|
||||
RUN apt-get -y update && \
|
||||
apt-get -y install curl dbus && \
|
||||
curl -L -o mullvad.deb https://mullvad.net/download/app/deb/latest && \
|
||||
apt-get -y install ./mullvad.deb && \
|
||||
rm -f mullvad.deb && \
|
||||
apt-get -y clean && \
|
||||
rm -rf /var/lib/apt/lists/*
|
||||
|
||||
|
||||
RUN apt-get -y update && \
|
||||
apt-get -y install iputils-ping tcpdump net-tools dnsutils procps iptables git iproute2 && \
|
||||
apt-get -y clean && \
|
||||
rm -rf /var/lib/apt/lists/*
|
||||
|
||||
VOLUME /config
|
||||
|
||||
ADD my_init /
|
||||
CMD ["/my_init"]
|
|
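Review bot: The Mullvad client is fetched from `https://mullvad.net/download/app/deb/latest` and installed as root with no integrity check, so the image silently tracks whatever that redirect serves, and a compromised mirror or CDN edge becomes code execution inside a privileged container; pin a specific version URL and verify it, e.g. `echo "${MULLVAD_SHA256}  mullvad.deb" | sha256sum -c -` before `apt-get install ./mullvad.deb` (as far as I know Mullvad also publishes detached PGP signatures that `gpg --verify` can check). `FROM debian` is likewise unpinned; use an explicit tag such as `debian:bookworm-slim` or a digest so rebuilds are reproducible. Minor: `ADD my_init /` should be `COPY` (no archive or URL semantics are wanted), and the two `apt-get` layers can be merged into one with `--no-install-recommends`.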
@ -0,0 +1,40 @@
|
|||
## Image
|
||||
|
||||
Docker image of [mullvad](https://mullvad.net/en/)
|
||||
|
||||
## Usage
|
||||
|
||||
Start container:
|
||||
|
||||
```
|
||||
docker run -d \
|
||||
--name mullvad_vpn \
|
||||
--restart=always \
|
||||
--privileged \
|
||||
-v mullvad_config:/config \
|
||||
oblique/mullvad
|
||||
```
|
||||
|
||||
The first time you need to configure your mullvad client:
|
||||
|
||||
```
|
||||
docker exec -it mullvad_vpn bash
|
||||
mullvad relay set tunnel-protocol wireguard
|
||||
mullvad always-require-vpn set on
|
||||
mullvad auto-connect set on
|
||||
mullvad account set [ID]
|
||||
mullvad connect
|
||||
```
|
||||
|
||||
## Use VPN from another container
|
||||
|
||||
For `docker run`, use `--net=container:mullvad_vpn`, for example:
|
||||
|
||||
```
|
||||
docker run -it --rm --net=container:mullvad_vpn alpine
|
||||
```
|
||||
|
||||
For `docker-compose`, check my [vpn-example].
|
||||
|
||||
|
||||
[vpn-example]: https://github.com/oblique/dockerfiles/tree/master/composefiles/vpn-example
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/bash
|
||||
|
||||
export MULLVAD_SETTINGS_DIR=/config
|
||||
iptables -t nat -A POSTROUTING -j MASQUERADE
|
||||
exec /opt/Mullvad\ VPN/resources/mullvad-daemon -v
|
|
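Review bot: `iptables -t nat -A POSTROUTING -j MASQUERADE` has no `-s` or `-o` qualifier, so it NATs every forwarded packet out of whichever interface the kernel routes it to, including the plain `eth0` on `pg_opn` before the Mullvad daemon (started on the next line) has brought the tunnel up; since the lokinet container routes via this container (`routes-start`), that is a clear-text egress path whenever the kill switch is not yet active. Restrict it to the VPN network and the tunnel interface, e.g. `iptables -t nat -A POSTROUTING -s 10.255.252.0/24 -o wg+ -j MASQUERADE` (confirm the interface name the daemon creates), and consider an explicit `iptables -A FORWARD -o eth0 -j DROP` so forwarded traffic can never bypass the tunnel. The script should also begin with `set -eu` so a failed iptables call does not fall through to `exec`.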
@ -0,0 +1,72 @@
|
|||
version: '3'
|
||||
services:
|
||||
synapse:
|
||||
container_name: synapse
|
||||
hostname: piorgeracao.loki
|
||||
image: matrixdotorg/synapse:latest
|
||||
restart: always
|
||||
environment:
|
||||
- SYNAPSE_SERVER_NAME=urchcno5rea4njyb7niytdekqw87x55x9q77a1gba9tqkbznw67y.loki
|
||||
- SYNAPSE_REPORT_STATS=yes
|
||||
- SYNAPSE_NO_TLS=1
|
||||
- SYNAPSE_ENABLE_REGISTRATION=yes
|
||||
# - SYNAPSE_CONFIG_PATH=/config
|
||||
- SYNAPSE_LOG_LEVEL=DEBUG
|
||||
# - SYNAPSE_REGISTRATION_SHARED_SECRET=${REG_SHARED_SECRET}
|
||||
- POSTGRES_DB=synapse
|
||||
- POSTGRES_HOST=synapse_db
|
||||
- POSTGRES_USER=postgres
|
||||
- POSTGRES_PASSWORD=postgres
|
||||
volumes:
|
||||
- ./data/synapse:/data
|
||||
depends_on:
|
||||
- synapse_db
|
||||
# In order to expose Synapse, remove one of the following, you might for
|
||||
# instance expose the TLS port directly:
|
||||
# ports:
|
||||
# - 8448:8448/tcp
|
||||
networks:
|
||||
pg_bus:
|
||||
ipv4_address: 10.255.253.10
|
||||
synapse_db:
|
||||
image: docker.io/postgres:10-alpine
|
||||
restart: always
|
||||
environment:
|
||||
- POSTGRES_DB=synapse
|
||||
- POSTGRES_USER=postgres
|
||||
- POSTGRES_PASSWORD=postgres
|
||||
volumes:
|
||||
- ./data/postgres:/var/lib/postgresql/data
|
||||
networks:
|
||||
pg_bus:
|
||||
ipv4_address: 10.255.253.11
|
||||
element:
|
||||
image: vectorim/element-web
|
||||
restart: always
|
||||
volumes:
|
||||
- ./data/element/config.json:/app/config.json
|
||||
networks:
|
||||
pg_bus:
|
||||
ipv4_address: 10.255.253.12
|
||||
dimension:
|
||||
image: turt2live/matrix-dimension
|
||||
restart: always
|
||||
volumes:
|
||||
- ./data/dimension:/data
|
||||
extra_hosts:
|
||||
urchcno5rea4njyb7niytdekqw87x55x9q77a1gba9tqkbznw67y.loki: 10.255.253.254
|
||||
networks:
|
||||
pg_bus:
|
||||
ipv4_address: 10.255.253.13
|
||||
web:
|
||||
image: nginx
|
||||
volumes:
|
||||
- ./data/wellknown:/usr/share/nginx/html
|
||||
restart: always
|
||||
networks:
|
||||
pg_bus:
|
||||
ipv4_address: 10.255.253.14
|
||||
networks:
|
||||
pg_bus:
|
||||
external:
|
||||
name: pg_bus
|
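Review bot: Both `synapse` and `synapse_db` hard-code `POSTGRES_PASSWORD=postgres`, and `synapse` is started with `SYNAPSE_ENABLE_REGISTRATION=yes`, `SYNAPSE_LOG_LEVEL=DEBUG` and `SYNAPSE_REPORT_STATS=yes` — an open-registration homeserver with a default database password and debug logging (which can include request details) sitting behind the proxy's default backend. Move the password to a git-ignored env file (`POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?set in .env}`), set `SYNAPSE_ENABLE_REGISTRATION=no` (or gate registration with a token in `homeserver.yaml`) and drop the log level to `INFO` once setup is done. `docker.io/postgres:10-alpine` is an end-of-life major with no security fixes since late 2022 and `matrixdotorg/synapse:latest` is unpinned; pin both to a supported, explicit version. As far as I can tell from the image's documentation the `SYNAPSE_*` variables are only read on `generate`, so editing them here later has no effect on the `homeserver.yaml` already written to `./data/synapse` — worth a comment above `environment:`.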