Re: [new] jitsi/meta,prosody-plugins,srtp - addons and README for jitsi
On Mon, Nov 07, 2022 at 10:06:58PM -0500, aisha wrote:
> and now with the actual attachments :o

srtp:
- MASTER_SITES7: are 0-6 missing or does 7 have a special meaning?
- do-test could use a line break.

prosody:
- do-install could use a line-break
- VERSION can be folded into PKGNAME

Nothing run-tested but port-wise this looks good
OK kn

In general, it looks like you could move common Makefile stuff into
net/jitsi/Makefile.inc.
Re: [new] jitsi/meta,prosody-plugins,srtp - addons and README for jitsi
and now with the actual attachments :o

jitsi-prosody-plugins-2.0.7882.tgz
Description: GNU Zip compressed data

jitsi-srtp-1.1pl20220605.tgz
Description: GNU Zip compressed data
Re: [new] jitsi/meta,prosody-plugins,srtp - addons and README for jitsi
Only attached two new ports, still working on the meta README.

- net/jitsi/srtp: openssl bindings for encryption
- net/jitsi/prosody-plugins: additional plugins for prosody to be used for jitsi

The srtp library is automatically loaded by videobridge, so I've just added a
RUN_DEPENDS in net/jitsi/videobridge on net/jitsi/srtp.

The prosody-plugins are nice to have, as currently double-p's instructions need
the plugins to be fetched from the online repo.

ok?

Aisha

diff --git a/net/jitsi/Makefile b/net/jitsi/Makefile index 1528296e6ff..03f889597a5 100644 --- a/net/jitsi/Makefile +++ b/net/jitsi/Makefile @@ -1,6 +1,8 @@ SUBDIR = SUBDIR += jicofo SUBDIR += meet +SUBDIR += prosody-plugins +SUBDIR += srtp SUBDIR += videobridge .include diff --git a/net/jitsi/videobridge/Makefile b/net/jitsi/videobridge/Makefile index 6544cc3650f..e9416859694 100644 --- a/net/jitsi/videobridge/Makefile +++ b/net/jitsi/videobridge/Makefile @@ -27,7 +27,8 @@ MODJAVA_VER = 11 BUILD_DEPENDS =devel/maven -RUN_DEPENDS = java/javaPathHelper +RUN_DEPENDS = java/javaPathHelper \ + net/jitsi/srtp MAVEN_ARGS=--offline -PbuildFatJar -DskipTests -Dassembly.skipAssembly=false MAVEN_REPO=-Dmaven.repo.local=${WRKDIR}/m2
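Review bot: In the net/jitsi/videobridge/Makefile hunk, RUN_DEPENDS gains net/jitsi/srtp but no visible hunk touches REVISION or VERSION for videobridge. A changed run dependency changes the resulting package, so unless this is committed together with a version update, bump REVISION in the same commit so that existing installs pick up the new dependency.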
Re: [new] jitsi/meta,prosody-plugins,srtp - addons and README for jitsi
On 22/10/06 09:37PM, aisha wrote:
> Hi,
> I've attached new ports for jitsi and a meta package (PKGNAME is jitsi for
> simplicity).
>
> Things I'd appreciate feedback on -
> * should I name the meta package something different? my aim was to just be
>   able to do `pkg_add jitsi` and then you should have everything you need.
> * versioning for the meta package is just starting with 1.0 and any
>   updates/changes would follow normal rules of backward compatibility and
>   breaking changes.
> * someone should try to setup a server with the README instructions and see
>   if they work for you.
>
> Any other feedback is also good to have.
>
> packages attached -
> * jitsi-srtp: openssl bindings for encryption
> * jitsi-prosody-plugins: additional plugins to be used for jitsi
> * jitsi-meta: the meta package
>
> also attached a patch to update the samples in current ports to follow the
> README directions.
>
> Best,
> Aisha
>

Moved the meta port to the meta/jitsi path.
Attached updates for changes for current packages to 2.0.7882 versions.

Cheers,
Aisha

diff --git a/net/jitsi/Makefile b/net/jitsi/Makefile index 1528296e6ff..03f889597a5 100644 --- a/net/jitsi/Makefile +++ b/net/jitsi/Makefile @@ -1,6 +1,8 @@ SUBDIR = SUBDIR += jicofo SUBDIR += meet +SUBDIR += prosody-plugins +SUBDIR += srtp SUBDIR += videobridge .include diff --git a/net/jitsi/jicofo/Makefile b/net/jitsi/jicofo/Makefile index d13e12e23e4..06d328ce86d 100644 --- a/net/jitsi/jicofo/Makefile +++ b/net/jitsi/jicofo/Makefile @@ -2,13 +2,12 @@ COMMENT = server-side focus component used in Jitsi Meet conferences CATEGORIES = net -VERSION = 2.0.7648 +VERSION = 2.0.7882 PKGNAME = jicofo-${VERSION} -REVISION = 0 GH_ACCOUNT = jitsi GH_PROJECT = jicofo -GH_TAGNAME = jitsi-meet_7648 +GH_TAGNAME = jitsi-meet_7882 DISTFILES += ${GH_DISTFILE} 
@@ -45,6 +44,6 @@ do-install: ${FILESDIR}/jicofo.conf ${PREFIX}/share/jicofo/jicofo.conf.sample ${INSTALL_DATA} ${WRKSRC}/lib/logging.properties \ ${PREFIX}/share/jicofo/lib/logging.properties.sample - ${INSTALL_DATA} ${WRKSRC}/target/jicofo-1.1-SNAPSHOT-jar-with-dependencies.jar ${MODJAVA_JAR_DIR}/jicofo.jar + ${INSTALL_DATA} ${WRKSRC}/jicofo/target/jicofo-1.1-SNAPSHOT-jar-with-dependencies.jar ${MODJAVA_JAR_DIR}/jicofo.jar .include diff --git a/net/jitsi/jicofo/distinfo b/net/jitsi/jicofo/distinfo index 55926583792..31f6aa6a613 100644 --- a/net/jitsi/jicofo/distinfo +++ b/net/jitsi/jicofo/distinfo @@ -1,4 +1,4 @@ -SHA256 (jicofo-deps-2.0.7648.tgz) = l3oZplN8VplIVrlcch7Nbm7Gk7EcVXzZ6SMfg5+wzco= -SHA256 (jicofo-jitsi-meet_7648.tar.gz) = lTHSZtKUSHIo8q9Xjeg6QtdMe44arhtBR4Ui/O4HpKM= -SIZE (jicofo-deps-2.0.7648.tgz) = 155908396 -SIZE (jicofo-jitsi-meet_7648.tar.gz) = 238108 +SHA256 (jicofo-deps-2.0.7882.tgz) = iLhIxETlyQrwiCyn5bOls/m6lq0M0B1A/048K9UAL+s= +SHA256 (jicofo-jitsi-meet_7882.tar.gz) = BpPVmO9PYPdD5YpCHMg5LEPZ4ax4b/ULkyXsIa9xNNw= +SIZE (jicofo-deps-2.0.7882.tgz) = 158418609 +SIZE (jicofo-jitsi-meet_7882.tar.gz) = 249764 diff --git a/net/jitsi/jicofo/files/jicofo.conf b/net/jitsi/jicofo/files/jicofo.conf index 087d8765e59..227542f0a0b 100644 --- a/net/jitsi/jicofo/files/jicofo.conf +++ b/net/jitsi/jicofo/files/jicofo.conf @@ -44,11 +44,11 @@ jicofo { // The separate XMPP connection used for communication with clients (endpoints). client { enabled = true - hostname = "auth.jitsi.example.com" + hostname = "localhost" port = 5222 - domain = auth.jitsi.example.com + domain = "auth.jitsi.example.com" username = "focus" - password = "CHANGE_ME" + password = "${FOCUS_COMP_PASS}" // A flag to suppress the TLS certificate verification. XXX really? disable-certificate-verification = false diff --git a/net/jitsi/jicofo/files/jicofo.in.sh b/net/jitsi/jicofo/files/jicofo.in.sh index 644c63497c6..f0cf9fd18c6 100644 --- a/net/jitsi/jicofo/files/jicofo.in.sh 
+++ b/net/jitsi/jicofo/files/jicofo.in.sh @@ -1,6 +1,6 @@ JICOFO_CONF=${SYSCONFDIR}/jicofo/jicofo.conf -JICOFO_LOG_CONFIG=${TRUEPREFIX}/share/jicofo/lib/logging.properties -JICOFO_TRUSTSTORE=${SYSCONFDIR}/ssl/jicofo-key.store -JICOFO_TRUSTSTORE_PASSWORD='CHANGE_ME' +JICOFO_LOG_CONFIG=${SYSCONFDIR}/jicofo/logging.properties +JICOFO_TRUSTSTORE=${SYSCONFDIR}/ssl/jitsi.store +JICOFO_TRUSTSTORE_PASSWORD='${JAVA_TS_PASS}' JICOFO_MAXMEM=3G JICOFO_DHKEYSIZE=2048 diff --git a/net/jitsi/jicofo/pkg/PLIST b/net/jitsi/jicofo/pkg/PLIST index 42336871387..e2ad416a1d7 100644 --- a/net/jitsi/jicofo/pkg/PLIST +++ b/net/jitsi/jicofo/pkg/PLIST @@ -29,4 +29,4 @@ share/jicofo/lib/ share/jicofo/lib/logging.properties.sample @mode 640 @group _jicofo -@sample share/jicofo/lib/logging.properties +@sample ${SYSCONFDIR}/jicofo/logging.properties diff --git a/net/jitsi/meet/Makefile b/net/jitsi/meet/Makefile index 349bdaf392e..d73757a931b 100644 --- a/net/jitsi/meet/Makefile +++
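Review bot: In the jicofo.conf hunk, `password = "${FOCUS_COMP_PASS}"` sits inside a quoted HOCON string, so nothing substitutes it and an unedited sample authenticates with that literal text, which is as guessable as the `CHANGE_ME` it replaces. Add a comment line above the field saying that the value has to be replaced with a generated secret before the daemon is started.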
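Review bot: In the jicofo.in.sh hunk, `JICOFO_TRUSTSTORE_PASSWORD='${JAVA_TS_PASS}'` reads like a shell expansion, but the single quotes keep it literal, so if this file is sourced by a shell, setting JAVA_TS_PASS in the environment has no effect and the truststore password stays the placeholder text. Either note in a comment that the string is meant to be edited by hand, or use double quotes and document that the variable must be set for the daemon.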
[new] jitsi/meta,prosody-plugins,srtp - addons and README for jitsi
Hi,
I've attached new ports for jitsi and a meta package (PKGNAME is jitsi for
simplicity).

Things I'd appreciate feedback on -
* should I name the meta package something different? my aim was to just be
  able to do `pkg_add jitsi` and then you should have everything you need.
* versioning for the meta package is just starting with 1.0 and any
  updates/changes would follow normal rules of backward compatibility and
  breaking changes.
* someone should try to setup a server with the README instructions and see
  if they work for you.

Any other feedback is also good to have.

packages attached -
* jitsi-srtp: openssl bindings for encryption
* jitsi-prosody-plugins: additional plugins to be used for jitsi
* jitsi-meta: the meta package

also attached a patch to update the samples in current ports to follow the
README directions.

Best,
Aisha

diff --git a/net/jitsi/Makefile b/net/jitsi/Makefile index 1528296e6ff..fecd8176094 100644 --- a/net/jitsi/Makefile +++ b/net/jitsi/Makefile @@ -1,6 +1,9 @@ SUBDIR = SUBDIR += jicofo SUBDIR += meet +SUBDIR += prosody-plugins +SUBDIR += srtp SUBDIR += videobridge +SUBDIR += meta .include diff --git a/net/jitsi/jicofo/Makefile b/net/jitsi/jicofo/Makefile index d13e12e23e4..303d8c5618d 100644 --- a/net/jitsi/jicofo/Makefile +++ b/net/jitsi/jicofo/Makefile @@ -4,7 +4,7 @@ CATEGORIES =net VERSION = 2.0.7648 PKGNAME = jicofo-${VERSION} -REVISION = 0 +REVISION = 1 GH_ACCOUNT = jitsi GH_PROJECT = jicofo diff --git a/net/jitsi/jicofo/files/jicofo.conf b/net/jitsi/jicofo/files/jicofo.conf index 087d8765e59..240f899374c 100644 --- a/net/jitsi/jicofo/files/jicofo.conf +++ b/net/jitsi/jicofo/files/jicofo.conf 
@@ -44,11 +44,11 @@ jicofo { // The separate XMPP connection used for communication with clients (endpoints). client { enabled = true - hostname = "auth.jitsi.example.com" + hostname = "auth.jitsi" port = 5222 - domain = auth.jitsi.example.com + domain = "auth.jitsi.example.com" username = "focus" - password = "CHANGE_ME" + password = "${FOCUS_COMP_PASS}" // A flag to suppress the TLS certificate verification. XXX really? disable-certificate-verification = false diff --git a/net/jitsi/jicofo/files/jicofo.in.sh b/net/jitsi/jicofo/files/jicofo.in.sh index 644c63497c6..f0cf9fd18c6 100644 --- a/net/jitsi/jicofo/files/jicofo.in.sh +++ b/net/jitsi/jicofo/files/jicofo.in.sh @@ -1,6 +1,6 @@ JICOFO_CONF=${SYSCONFDIR}/jicofo/jicofo.conf -JICOFO_LOG_CONFIG=${TRUEPREFIX}/share/jicofo/lib/logging.properties -JICOFO_TRUSTSTORE=${SYSCONFDIR}/ssl/jicofo-key.store -JICOFO_TRUSTSTORE_PASSWORD='CHANGE_ME' +JICOFO_LOG_CONFIG=${SYSCONFDIR}/jicofo/logging.properties +JICOFO_TRUSTSTORE=${SYSCONFDIR}/ssl/jitsi.store +JICOFO_TRUSTSTORE_PASSWORD='${JAVA_TS_PASS}' JICOFO_MAXMEM=3G JICOFO_DHKEYSIZE=2048 diff --git a/net/jitsi/jicofo/pkg/PLIST b/net/jitsi/jicofo/pkg/PLIST index 42336871387..e2ad416a1d7 100644 --- a/net/jitsi/jicofo/pkg/PLIST +++ b/net/jitsi/jicofo/pkg/PLIST @@ -29,4 +29,4 @@ share/jicofo/lib/ share/jicofo/lib/logging.properties.sample @mode 640 @group _jicofo -@sample share/jicofo/lib/logging.properties +@sample ${SYSCONFDIR}/jicofo/logging.properties diff --git a/net/jitsi/videobridge/Makefile b/net/jitsi/videobridge/Makefile index d1f7be24dc4..3195b82a9aa 100644 --- a/net/jitsi/videobridge/Makefile +++ b/net/jitsi/videobridge/Makefile @@ -4,7 +4,7 @@ CATEGORIES =net VERSION = 2.0.7648 DISTNAME = jitsi-videobridge-${VERSION} -REVISION = 0 +REVISION = 1 GH_ACCOUNT = jitsi GH_PROJECT = jitsi-videobridge diff --git a/net/jitsi/videobridge/files/jvb.conf b/net/jitsi/videobridge/files/jvb.conf index abf99167c40..3a125a29c19 100644 --- a/net/jitsi/videobridge/files/jvb.conf 
+++ b/net/jitsi/videobridge/files/jvb.conf @@ -10,10 +10,10 @@ videobridge { presence-interval = 120s configs { ourprosody { - hostname = "xmpp" + hostname = "auth.jitsi" domain = "auth.jitsi.example.com" username = "jvb" - password = "CHANGE_ME" + password = "${JVB_COMP_PASS}" muc_jids = "jvbbrew...@internal.auth.jitsi.example.com" muc_nickname = "jvb" disable_certificate_verification = true diff --git a/net/jitsi/videobridge/files/jvb.in.sh b/net/jitsi/videobridge/files/jvb.in.sh index 678c8d3558d..fac3f3fe940 100644 --- a/net/jitsi/videobridge/files/jvb.in.sh +++ b/net/jitsi/videobridge/files/jvb.in.sh @@ -1,7 +1,7 @@ JVB_CONF=${SYSCONFDIR}/jvb/jvb.conf -JVB_LOG_CONFIG=${TRUEPREFIX}/share/jvb/lib/logging.properties -JVB_TRUSTSTORE=${SYSCONFDIR}/ssl/jvb-key.store -JVB_TRUSTSTORE_PASSWORD='CHANGE_ME' +JVB_LOG_CONFIG=${SYSCONFDIR}/jvb/logging.properties +JVB_TRUSTSTORE=${SYSCONFDIR}/ssl/jitsi.store +JVB_TRUSTSTORE_PASSWORD='${JAVA_TS_PASS}' JVB_MAXMEM=3G JVB_DHKEYSIZE=2048 JVB_GC_TYPE=G1GC diff --git
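Review bot: In the jvb.conf hunk, the context line `disable_certificate_verification = true` is left unchanged while the jvb.in.sh hunk points JVB_TRUSTSTORE at ${SYSCONFDIR}/ssl/jitsi.store and jicofo.conf keeps its equivalent flag at false. Since the README has the prosody certificate imported into that shared truststore for both daemons, the videobridge sample should be able to verify the XMPP server as well; set this to false so that jvb also rejects an unexpected certificate.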
Re: README for jitsi
On 28.09.2022 20:30, Marc Espie wrote:
> I sent private email to that guy about your work at eurobsdcon. I think you
> should work together and get this stuff in better shape before it's committed.

I work together for some weeks now already .. with that "guy" ;-)

> I would really like to be able to just pkg_add jitsi-server (possibly a meta
> port), start it up, and have jitsi "just work" :)

That's the goal, indeed.

--
pb
Re: README for jitsi
On Wed, Sep 28, 2022 at 06:04:17PM +, Philipp Buehler wrote:
> On 28.09.2022 18:43, Stuart Henderson wrote:
> >
> > This makes me think "what are the other ones for then?" if they're
> > discussed in a section about firewall rules. Maybe say "exposed to
> > the network" and then say that the others are only used for local
> > communications between the daemons?
>
> The many from prosody do not belong here, since only 5280 and 5222 is
> *needed*
> Also the 8080 and for jvb/jicofo are "only" for monitoring and not
> operations per se.
>
> > IPv6 is of course a real mess with Java on OpenBSD with the forced
> > IPV6_V6ONLY thing:(
>
> Didn't try IPv6 at all, all v4 is fine (and makes ok for a localhost setup
> since a generic
> v6 only on OpenBSD is rather not around soon?)
>
> > These files want to go into a meta port don't they? Sending that as a
> > tgz would sidestep the line-wrapping issues ;)
>
> Yes, meta in the makings where this goes in as a pkg-readme.
>
> --
> pb
>

I sent private email to that guy about your work at eurobsdcon. I think you
should work together and get this stuff in better shape before it's committed.

I would really like to be able to just pkg_add jitsi-server (possibly a meta
port), start it up, and have jitsi "just work" :)
Re: README for jitsi
On 28.09.2022 18:43, Stuart Henderson wrote:
> This makes me think "what are the other ones for then?" if they're
> discussed in a section about firewall rules. Maybe say "exposed to
> the network" and then say that the others are only used for local
> communications between the daemons?

The many from prosody do not belong here, since only 5280 and 5222 is *needed*
Also the 8080 and for jvb/jicofo are "only" for monitoring and not operations
per se.

> IPv6 is of course a real mess with Java on OpenBSD with the forced
> IPV6_V6ONLY thing:(

Didn't try IPv6 at all, all v4 is fine (and makes ok for a localhost setup
since a generic v6 only on OpenBSD is rather not around soon?)

> These files want to go into a meta port don't they? Sending that as a
> tgz would sidestep the line-wrapping issues ;)

Yes, meta in the makings where this goes in as a pkg-readme.

--
pb
Re: README for jitsi
> Passwords
> ========

needs another =

> Ports and pf.conf
> =================

Maybe better to avoid "ports" in the title here, I would go with perhaps
"pf.conf rules"

> The default configuration uses the following ports:
>
> * nginx: TCP 80, 443
> * prosody: TCP 5000, 5222, 5269, 5280, 5281, 5347, 5582
> * jicofo: TCP
> * jvb: TCP 8080, UDP 1
>
> Only a few ports, TCP 80, 443 and UDP 1, are to be exposed. A possible
> set of pf.conf rules that can be used is:
>
> pass in on egress to (self) tcp port { 80 443 }
> pass in on egress to (self) udp port 1

This makes me think "what are the other ones for then?" if they're
discussed in a section about firewall rules. Maybe say "exposed to
the network" and then say that the others are only used for local
communications between the daemons?

> /etc/hosts configuration
> ========================
>
> Jitsi needs two subdomains, 'auth.jitsi.example.com' and 'jitsi.example.com',
> configured as part of the setup, of which only 'jitsi.example.com' is exposed
> outside the local network.
>
> They are accessed by the jicofo, jvb and prosody daemons as part of their
> internal communication. The simplest way to make them resolvable to localhost
> is to add them in the /etc/hosts file:
>
> 127.0.0.1 localhost jitsi jitsi.example.com auth.jitsi
> auth.jitsi.example.com
> ::1 localhost jitsi jitsi.example.com auth.jitsi
> auth.jitsi.example.com

IPv6 is of course a real mess with Java on OpenBSD with the forced
IPV6_V6ONLY thing:(

> In the sample prosody configuration file, replace the domain and the password
> placeholders with the pregenerated passwords mentioned above.

"pregenerated" makes me think that something has generated them
automatically, maybe "with the password you chose above"?

> These certificates also need to be shared with jicofo and jvb by adding them
> to a java certificate truststore ${SYSCONFDIR}/ssl/jitsi.store.
s/java/Java/

> The daemons needs to be started in the order given:
>
> pkg_scripts=nginx prosody jvb jicofo
>
> The above can be achieved by editing /etc/rc.conf.local. The setup can be
> tested by starting the daemons and visiting the site at
> https://jitsi.example.com.

use "rcctl enable" and "rcctl order", see net/avahi/pkg/README-main

These files want to go into a meta port don't they? Sending that as a
tgz would sidestep the line-wrapping issues ;)
README for jitsi
I've attached a README (and helper configs for prosody/nginx) for the
jitsi ports which shows how to create a simple open setup.

Any comments, improvements, changes and updates are welcome.
Tests are also welcome.

I've added the README after SUBST_CMD inline and attached the raw file
as an attachment. Patches for changes should be for the raw file.
(apologies for thunderbird line wrap nightmare)

+---
| Running jitsi on OpenBSD
+---

A basic configuration guide is provided here which will set up a single node
jitsi-meet instance where anyone can create a conference room and invite
others to join them.

We will assume that the domain of interest is 'example.com' and jitsi is being
hosted in the subdomain 'jitsi.example.com'.

OpenBSD daemons
===============

As jitsi has a lot of moving parts, a concise list of daemons and their
configuration files is presented here for clarity:

1) jvb - (daemon) jitsi videobridge
   * /etc/jvb/jvb.in.sh - default command line parameters and their values
   * /etc/jvb/jvb.conf - default config file
   * /etc/jvb/sip-communicator.properties - config file for running behind a NAT
2) jicofo - (daemon) jitsi conference focus
   * /etc/jicofo/jicofo.in.sh - default command line parameters and their values
   * /etc/jicofo/jicofo.conf - default config file
3) jitsi-meet - static files for jitsi web frontend
   * /var/www/jitsi-meet/ - default location of files
   * /var/www/jitsi-meet/config.js - default config file
4) nginx - (daemon) web server and reverse proxy
   * /etc/nginx/ - default config files
5) prosody - (daemon) XMPP server used by jitsi
   * /etc/prosody/prosody.cfg.lua - default config file
   * /var/prosody/ - default runtime files

Sample files
============

There are sample files provided for nginx and prosody to go along with the
default files provided for jvb and jicofo. They are located in
/usr/local/share/jitsi/nginx.conf.sample and
/usr/local/share/jitsi/prosody.cfg.lua.sample.
Passwords
========

Throughout the configuration, the following passwords should be generated as
they will be needed in the configuration files:

    ${JAVA_TS_PASS}
    ${JVB_COMP_PASS}
    ${FOCUS_COMP_PASS}

Ports and pf.conf
=================

The default configuration uses the following ports:

* nginx: TCP 80, 443
* prosody: TCP 5000, 5222, 5269, 5280, 5281, 5347, 5582
* jicofo: TCP
* jvb: TCP 8080, UDP 1

Only a few ports, TCP 80, 443 and UDP 1, are to be exposed. A possible
set of pf.conf rules that can be used is:

    pass in on egress to (self) tcp port { 80 443 }
    pass in on egress to (self) udp port 1

/etc/hosts configuration
========================

Jitsi needs two subdomains, 'auth.jitsi.example.com' and 'jitsi.example.com',
configured as part of the setup, of which only 'jitsi.example.com' is exposed
outside the local network.

They are accessed by the jicofo, jvb and prosody daemons as part of their
internal communication. The simplest way to make them resolvable to localhost
is to add them in the /etc/hosts file:

    127.0.0.1 localhost jitsi jitsi.example.com auth.jitsi auth.jitsi.example.com
    ::1 localhost jitsi jitsi.example.com auth.jitsi auth.jitsi.example.com

Nginx configuration
===================

Jitsi uses webrtc which mandates the use of https. The sample nginx config
file should be updated to use the proper TLS certificates, which can be
obtained by acme-client(1). These are also going to be used by prosody.

Prosody configuration
=====================

In the sample prosody configuration file, replace the domain and the password
placeholders with the pregenerated passwords mentioned above.

In the section for the domain 'jitsi.example.com' the certificates obtained in
the previous step should be used.

Prosody also hosts the internal domain 'auth.jitsi.example.com' and can use
self signed TLS certificates for this. They should be generated using the
following command:

    $ prosodyctl cert generate auth.jitsi.example.com

The certificates will be stored in
/var/prosody/auth.jitsi.example.com.{crt,key}.
These certificates also need to be shared with jicofo and jvb by adding them
to a java certificate truststore /etc/ssl/jitsi.store.

    $(javaPathHelper -h jicofo)/bin/keytool -import -alias prosody \
        -file /var/prosody/auth.jitsi.example.com.crt \
        -keystore /etc/ssl/jitsi.store -storepass ${JAVA_TS_PASS}

Prosody needs two plugins to be added to the setup which can be achieved by:

    $ prosodyctl install --server=https://modules.prosody.im/rocks/ mod_client_proxy
    $ prosodyctl install --server=https://modules.prosody.im/rocks/ mod_roster_command

The 'focus' user for prosody should also be registered via the command line:

    $ prosodyctl register focus auth.jitsi.example.com ${FOCUS_COMP_PASS}
    $ prosodyctl mod_roster_command
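
An added example, not part of the original message or of the ports discussed in this thread: one way to fill the three placeholders the README names (${JAVA_TS_PASS}, ${JVB_COMP_PASS}, ${FOCUS_COMP_PASS}) and to check the files afterwards for leftover placeholders, disabled certificate verification and world-readable modes. The function names and the script name are hypothetical; the file paths in the usage comment are the ones listed in the README.

```sh
#!/bin/sh
# Added example, not from the thread: fill the README's password placeholders
# in the sample configs, then audit the files before the daemons are started.

# gen_secret: 48 hex characters from the kernel RNG. Hex needs no escaping in
# sed, in HOCON double quotes or in the single quotes used by the *.in.sh files.
gen_secret() {
    dd if=/dev/urandom bs=24 count=1 2>/dev/null | od -An -tx1 | tr -dc '0-9a-f'
}

# fill_placeholders FILE...: replace the literal text ${JAVA_TS_PASS},
# ${JVB_COMP_PASS} and ${FOCUS_COMP_PASS}. A value already set in the
# environment is reused, so the same secrets can also be given to
# "keytool -storepass" and "prosodyctl register"; otherwise one is generated.
# Returns 2 on a preset value that is not alphanumeric, 1 on an I/O error.
fill_placeholders() {
    : "${JAVA_TS_PASS:=$(gen_secret)}" "${JVB_COMP_PASS:=$(gen_secret)}"
    : "${FOCUS_COMP_PASS:=$(gen_secret)}"
    case "$JAVA_TS_PASS$JVB_COMP_PASS$FOCUS_COMP_PASS" in
        *[!A-Za-z0-9]*) echo "secrets must be alphanumeric" >&2; return 2 ;;
    esac
    for f in "$@"; do
        tmp=$(mktemp) || return 1
        sed -e 's/[$]{JAVA_TS_PASS}/'"$JAVA_TS_PASS"'/g' \
            -e 's/[$]{JVB_COMP_PASS}/'"$JVB_COMP_PASS"'/g' \
            -e 's/[$]{FOCUS_COMP_PASS}/'"$FOCUS_COMP_PASS"'/g' "$f" > "$tmp" &&
            cat "$tmp" > "$f"    # rewrite in place so owner and mode are kept
        rc=$?
        rm -f "$tmp"
        [ "$rc" -eq 0 ] || return 1
    done
}

# audit_config FILE...: print each finding and return 1 if there was any:
# a leftover placeholder, TLS verification switched off, or a password-holding
# file that is readable by "other".
audit_config() {
    bad=0
    for f in "$@"; do
        hits=$(grep -n -E 'CHANGE_ME|[$][{][A-Z_]+_PASS[}]' "$f" || true)
        [ -z "$hits" ] || { echo "$f: unreplaced placeholder: $hits"; bad=1; }
        hits=$(grep -n -E 'disable[-_]certificate[-_]verification *= *true' "$f" || true)
        [ -z "$hits" ] || { echo "$f: TLS verification disabled: $hits"; bad=1; }
        [ -z "$(find "$f" -prune -perm -004)" ] || { echo "$f: world-readable"; bad=1; }
    done
    return "$bad"
}

# Usage (script name hypothetical, paths from the README):
#   sh fill-secrets.sh /etc/jicofo/jicofo.conf /etc/jicofo/jicofo.in.sh \
#       /etc/jvb/jvb.conf /etc/jvb/jvb.in.sh /etc/prosody/prosody.cfg.lua
if [ "$#" -gt 0 ]; then fill_placeholders "$@" && audit_config "$@"; fi
```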