#!/bin/sh
#
# freebsd-jitsi-meet-setup/setup.sh
#
# https://github.com/genneko/freebsd-jitsi-meet-setup
#
# Script name (for usage messages) and the directory the real script file
# lives in; readlink -f resolves symlinks so the config templates are looked
# up next to the actual file, not next to a symlink to it.
prog=$(basename -- "$0")
script_path=$(readlink -f "$0")
bindir=$(dirname -- "$script_path")
#
# Print all arguments to stderr, exactly as echo would print them to stdout
# (so an "-n" first argument is still interpreted by echo).
#
echoerr() {
	{ echo "$@"; } >&2
}
#
# Abort the script with status 1, printing the arguments (if any) to stderr.
#
err_exit() {
	[ $# -eq 0 ] || echoerr "$@"
	exit 1
}
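#
# Print an optional error message followed by the usage text to stderr and
# exit 1.  The flag letters listed here must match the getopts string used
# below ("aBcprN:e:"); the NAT option is -N, so the synopsis advertises -N.
#
usage_exit() {
	if [ $# -gt 0 ]; then
		echoerr "$@"
	fi
	echoerr "usage: $prog [-aBpr] [-N LOCAL:PUBLIC] [-e DAYS] FQDN CERT_PATH KEY_PATH"
	echoerr " $prog -c [-e DAYS] FQDN"
	echoerr
	echoerr " -a: use apache web server instead of nginx"
	echoerr " -B: do not backup existing files"
	echoerr " -p: install missing packages instead of exiting with an error."
	echoerr " -r: require authentication for room creation"
	echoerr " (without this flag, any user can create a room)"
	echoerr " -N LOCAL:PUBLIC: specify local/public IPv4 addresses"
	echoerr " when using jitsi-meet behind a NAT"
	echoerr " -c: only renew self-signed certs used by prosody."
	echoerr " -e DAYS: duration of self-signed certs used by prosody (default 365)."
	echoerr
	exit 1
}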
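#
# Generate a self-signed certificate plus an unencrypted private key.
# Globals:   CERTDIR (read) - output directory; "." when unset or empty
# Arguments: $1    - FQDN, used as CN and as the first DNS SAN
#            $2    - validity in days; empty, non-numeric or < 1 means 365
#            $3... - additional DNS names added to subjectAltName
# Outputs:   $CERTDIR/$fqdn.key and $CERTDIR/$fqdn.crt
# Returns:   openssl's exit status; 0 without doing anything when called
#            with no arguments
#
gen_selfsigned_cert() {
	local fqdn expiry san certdir n
	[ $# -ge 1 ] || return 0
	certdir=${CERTDIR:-.}
	fqdn=$1
	expiry=${2:-365}
	# A non-numeric or non-positive validity falls back to one year instead
	# of being handed to openssl (the unquoted "-lt" test alone would just
	# print a diagnostic and keep the bad value).
	case "$expiry" in
		''|*[!0-9]*) expiry=365 ;;
	esac
	[ "$expiry" -lt 1 ] && expiry=365
	san="DNS:$fqdn"
	shift
	[ $# -gt 0 ] && shift
	for n in "$@"; do
		san="$san,DNS:$n"
	done
	# -nodes: the key is stored unencrypted because prosody has to load it
	# unattended at boot.  -addext requires OpenSSL 1.1.1 or newer.
	openssl req -new -x509 -days "$expiry" -sha256 \
		-keyout "$certdir/$fqdn.key" -nodes \
		-out "$certdir/$fqdn.crt" \
		-subj "/C=JP/O=Prosody/CN=$fqdn" \
		-addext "subjectAltName = $san"
}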
#
# Copy $1 to "$1.$2" (timestamp suffix), preserving mode and times.
# Globals:   dobackup (read) - 0 disables backups (-B)
# Returns:   1 when backups are disabled or $1 is not a regular file,
#            otherwise cp's exit status
#
backup_file() {
	local file=$1 ts=$2
	if [ "$dobackup" -eq 0 ] || [ ! -f "$file" ]; then
		return 1
	fi
	echoerr "NOTICE: backup $file.$ts"
	cp -p "$file" "$file.$ts"
}
# Where prosody keeps its self-signed certs/keys, and the Java truststore
# jicofo uses (the auth cert is imported there under the alias "prosody").
CERTDIR="/var/db/prosody"
JKS="/usr/local/etc/jitsi/jicofo/truststore.jks"
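#
# (Re)generate the two self-signed certs prosody uses internally and refresh
# the copy of the auth cert in jicofo's truststore.
# Globals:   CERTDIR, JKS (read); dobackup (read, via backup_file)
# Arguments: $1 - server FQDN
#            $2 - validity in days (passed to gen_selfsigned_cert)
#            $3 - timestamp suffix for backups
# Side effects: writes $CERTDIR/$fqdn.{key,crt} and
#            $CERTDIR/auth.$fqdn.{key,crt} owned by prosody with the key files
#            restricted to 0600; replaces the "prosody" alias in $JKS.
#            Needs root (chown, writes under /var/db and /usr/local/etc).
#
renew_internal_certs() {
	local fqdn=$1 expiry=$2 ts=$3 crt1 key1 crt2 key2
	crt1=$CERTDIR/$fqdn.crt
	key1=$CERTDIR/$fqdn.key
	crt2=$CERTDIR/auth.$fqdn.crt
	key2=$CERTDIR/auth.$fqdn.key
	# Main cert: SAN also covers the component hostnames the other daemons use.
	backup_file "$key1" "$ts"
	backup_file "$crt1" "$ts"
	if gen_selfsigned_cert "$fqdn" "$expiry" "jitsi-videobridge.$fqdn" "conference.$fqdn" "focus.$fqdn" "auth.$fqdn"; then
		chown prosody:prosody "$key1" "$crt1"
		# openssl only restricts the mode on newly created key files; on renewal
		# the existing mode is kept, so enforce owner-only access explicitly.
		chmod 0600 "$key1"
	fi
	# Cert for the auth.<fqdn> virtual host (focus user login).
	backup_file "$key2" "$ts"
	backup_file "$crt2" "$ts"
	if gen_selfsigned_cert "auth.$fqdn" "$expiry"; then
		chown prosody:prosody "$key2" "$crt2"
		chmod 0600 "$key2"
	fi
	# Replace (not append) the "prosody" alias so jicofo trusts only the
	# current auth cert.  "changeit" is the stock password of that truststore.
	backup_file "$JKS" "$ts"
	[ -f "$JKS" ] && keytool -delete -noprompt -keystore "$JKS" -alias prosody -storepass changeit
	keytool -importcert -noprompt -keystore "$JKS" -alias prosody -storepass changeit -file "$crt2"
}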
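# Defaults; each may be overridden by a command-line flag (see usage_exit).
webserver=nginx
dobackup=1
onlyrenewcerts=0
installpkg=0
mkroom=anon
nat=0
certexpiry=365
while getopts "aBcprN:e:" opt; do
	case "$opt" in
		a) webserver=apache24 ;;
		B) dobackup=0 ;;
		c) onlyrenewcerts=1 ;;
		p) installpkg=1 ;;
		r) mkroom=auth ;;
		N)
			# Insist on the LOCAL:PUBLIC form: without a ':' the two
			# expansions below would both yield the whole argument and the
			# NAT config would silently get the same address twice.
			case "$OPTARG" in
				*:*) ;;
				*) usage_exit "Option -N expects LOCAL:PUBLIC (e.g. 192.168.10.5:10.1.1.5)." ;;
			esac
			nat=1
			SERVER_LOCAL_IP4ADDR=${OPTARG%%:*}
			SERVER_PUBLIC_IP4ADDR=${OPTARG##*:}
			;;
		e)
			# Only a positive integer replaces the default validity.
			case "$OPTARG" in
				''|*[!0-9]*)
					echoerr "WARNING: ignoring non-numeric -e value '$OPTARG'; using $certexpiry days."
					;;
				*)
					[ "$OPTARG" -gt 0 ] && certexpiry=$OPTARG
					;;
			esac
			;;
		*) usage_exit ;;
	esac
done
shift $(( OPTIND - 1 ))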
# One timestamp for every backup made during this run.
TS=$(date '+%F_%T')
SERVER_FQDN=$1
SERVER_CERT_PATH=$2
SERVER_KEY_PATH=$3
[ -n "$SERVER_FQDN" ] || usage_exit "Please specify SERVER_FQDN (e.g. jitsi.example.com)."
# -c: renew prosody's self-signed certs only; the cert/key paths are not needed.
if [ "$onlyrenewcerts" -eq 1 ]; then
	renew_internal_certs "$SERVER_FQDN" "$certexpiry" "$TS"
	exit 0
fi
[ -n "$SERVER_CERT_PATH" ] || usage_exit "Please specify SERVER_CERT_PATH (e.g. /usr/local/etc/letsencrypt/live/jitsi.example.com/fullchain.pem)."
[ -n "$SERVER_KEY_PATH" ] || usage_exit "Please specify SERVER_KEY_PATH (e.g. /usr/local/etc/letsencrypt/live/jitsi.example.com/privkey.pem)."
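# Paths relative to the script directory that are copied to the same path
# under / before the package check (only with -p).  Directory entries are
# created, file entries copied.
PRE_CONFIG_LIST=$(cat <<EOB
usr/local/etc/pkg
usr/local/etc/pkg/repos
usr/local/etc/pkg/repos/FreeBSD.conf
EOB
)
# Packages that must be installed (or get installed with -p).
PKG_LIST=$(cat <<EOB
jitsi-meet
jitsi-videobridge
jicofo
prosody
EOB
)
# Config templates rendered through m4 and installed to the same path under /.
CONFIG_LIST=$(cat <<EOB
usr/local/etc/prosody/prosody.cfg.lua
usr/local/etc/prosody/conf.d
usr/local/etc/prosody/conf.d/jitsi.cfg.lua
usr/local/etc/jitsi/videobridge/jitsi-videobridge.conf
usr/local/etc/jitsi/jicofo/jicofo.conf
usr/local/www/jitsi-meet/config.js
usr/local/etc/newsyslog.conf.d
EOB
)
# Web-server specific templates and package (-a selects apache24).
if [ "$webserver" = "apache24" ]; then
	CONFIG_LIST="$CONFIG_LIST
usr/local/etc/apache24/httpd.conf
usr/local/etc/apache24/extra/httpd-ssl.conf
usr/local/etc/newsyslog.conf.d
usr/local/etc/newsyslog.conf.d/apache24.conf"
	PKG_LIST="$PKG_LIST
apache24"
else
	CONFIG_LIST="$CONFIG_LIST
usr/local/etc/nginx/nginx.conf
usr/local/etc/newsyslog.conf.d
usr/local/etc/newsyslog.conf.d/nginx.conf"
	PKG_LIST="$PKG_LIST
nginx"
fi
# -r: jicofo needs its properties file for authenticated room creation.
if [ "$mkroom" = "auth" ]; then
	CONFIG_LIST="$CONFIG_LIST
usr/local/etc/jitsi/jicofo/sip-communicator.properties"
fi
# -N: both halves of LOCAL:PUBLIC are required for the videobridge NAT config.
if [ "$nat" -eq 1 ]; then
	if [ -z "$SERVER_LOCAL_IP4ADDR" ] || [ -z "$SERVER_PUBLIC_IP4ADDR" ]; then
		usage_exit "Please specify LOCAL:PUBLIC for NAT (e.g. -N 192.168.10.5:10.1.1.5)"
	fi
	CONFIG_LIST="$CONFIG_LIST
usr/local/etc/jitsi/videobridge/sip-communicator.properties"
fi
# Fresh 128-bit shared secrets for the XMPP components and the focus user;
# they are substituted into the templates by m4 below.  An empty secret
# would be rendered into the configs as an empty credential, so refuse to
# continue if openssl did not produce one.
JVB_COMPONENT_SECRET=$(openssl rand -hex 16)
FOCUS_COMPONENT_SECRET=$(openssl rand -hex 16)
FOCUS_USER_SECRET=$(openssl rand -hex 16)
if [ -z "$JVB_COMPONENT_SECRET" ] || [ -z "$FOCUS_COMPONENT_SECRET" ] || [ -z "$FOCUS_USER_SECRET" ]; then
	err_exit "ERROR: could not generate component secrets (openssl rand failed)."
fi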
# All template/config sources below are addressed relative to the script's
# own directory.
cd "$bindir" || err_exit "ERROR: cannot chdir to $bindir."
# With -p, first put the pkg repository configuration shipped next to this
# script in place so that the package check/installation below uses it.
# NOTE(review): the content of usr/local/etc/pkg/repos/FreeBSD.conf is not
# visible here; the banner suggests it selects the "latest" package set -- confirm.
if [ $installpkg -eq 1 ]; then
echoerr
echoerr "###"
echoerr "### Preparing latest package set"
echoerr "###"
sleep 1
# Entries are split on whitespace, so no path in the list may contain spaces.
for file in $PRE_CONFIG_LIST; do
echoerr ""
echoerr "# $file"
sleep 1
srcfile="$file"
# Directory entries are only created under /, never copied.
if [ -d "$file" ]; then
if [ ! -d "/$file" ]; then
echoerr "NOTICE: mkdir /$file"
mkdir -p "/$file"
else
echoerr "INFO: nothing to do for /$file"
fi
continue
fi
# A destination that already matches the source is left alone; a differing
# one is backed up (unless -B) before being overwritten.
if [ -n "$file" ] && [ -e "/$file" ]; then
if cmp -s "$file" "/$file"; then
echoerr "INFO: already there /$file"
continue
fi
backup_file "/$file" "$TS"
fi
echoerr "NOTICE: install /$file"
cp -p "$srcfile" "/$file"
done
fi
echoerr
echoerr "###"
echoerr "### Checking if the required packages/ports have been installed."
echoerr "###"
sleep 1
# Space-separated names of packages that are absent (only collected without -p).
missing=
# Refresh the repository catalogue only when we are going to install.
[ $installpkg -eq 1 ] && pkg update
for pkg in $PKG_LIST; do
# "pkg query" exits non-zero when the package is not installed; its output
# (name-version) is only used for the INFO line.
if pkg_info=$(pkg query %n-%v "$pkg" 2>/dev/null); then
echoerr "INFO: $pkg_info installed"
continue
fi
if [ $installpkg -eq 0 ]; then
echoerr "ERROR: $pkg not found."
missing="$missing $pkg"
else
# Relies on echo honouring "-n" (true for FreeBSD's /bin/sh builtin).
echoerr -n "NOTICE: $pkg not found. Installing..."
# pkg's own output is discarded; on failure only "failed" is reported,
# so re-run "pkg install <name>" by hand to see the reason.
if pkg install -y "$pkg" >/dev/null 2>&1; then
echoerr "done"
else
echoerr "failed"
exit 1
fi
fi
done
# Without -p, missing packages are reported together with the command to
# install them, and the script stops.
if [ -n "$missing" ]; then
echoerr "ERROR: please install the missing packages."
echoerr
echoerr " pkg install$missing"
echoerr
exit 1
fi
echoerr
echoerr "###"
echoerr "### Installing custom config files"
echoerr "###"
sleep 1
# Render every template in CONFIG_LIST through m4 and install it under /.
for file in $CONFIG_LIST; do
echoerr ""
echoerr "# $file"
sleep 1
srcfile="$file"
# A template may exist only as "<file>.<mkroom>" (anon/auth variant); use
# that when the plain file is absent.  If the script directory resolves to
# /, source and destination would be the same file, so skip the entry.
if [ ! -f "$file" ] && [ -f "$file.$mkroom" ]; then
srcfile="$file.$mkroom"
elif [ "$(readlink -f "$file")" = "/$file" ]; then
echoerr "WARNING: Source and destination files are the same. Skipping..."
continue
fi
# Directory entries are only created under /, never rendered.
if [ -d "$file" ]; then
if [ ! -d "/$file" ]; then
echoerr "NOTICE: mkdir /$file"
mkdir -p "/$file"
else
echoerr "INFO: nothing to do for /$file"
fi
continue
fi
if [ -n "$srcfile" ] && [ -f "$srcfile" ]; then
# The values, including the three component secrets, are handed to m4 as
# -D definitions, i.e. on its command line.  Argument vectors of running
# processes are normally visible to other local users (ps), so the secrets
# are exposed for the short time m4 runs.
# The rendered file is written as /$file.tmp next to the destination with
# the mode the current umask yields, and "cp -p" below carries that mode
# over to /$file.  NOTE(review): with a permissive umask the configs that
# embed the secrets end up world-readable -- confirm the intended mode.
m4 \
-DSERVER_FQDN="$SERVER_FQDN" \
-DSERVER_CERT_PATH="$SERVER_CERT_PATH" \
-DSERVER_KEY_PATH="$SERVER_KEY_PATH" \
-DJVB_COMPONENT_SECRET="$JVB_COMPONENT_SECRET" \
-DFOCUS_COMPONENT_SECRET="$FOCUS_COMPONENT_SECRET" \
-DFOCUS_USER_SECRET="$FOCUS_USER_SECRET" \
-DSERVER_LOCAL_IP4ADDR="$SERVER_LOCAL_IP4ADDR" \
-DSERVER_PUBLIC_IP4ADDR="$SERVER_PUBLIC_IP4ADDR" \
"$srcfile" > "/$file.tmp"
# An unchanged destination is kept; a differing one is backed up (unless -B)
# and replaced.
if [ -e "/$file" ]; then
if cmp -s "/$file.tmp" "/$file"; then
echoerr "INFO: already there /$file"
rm -f "/$file.tmp"
continue
fi
backup_file "/$file" "$TS"
fi
echoerr "NOTICE: install /$file"
cp -p "/$file.tmp" "/$file"
rm -f "/$file.tmp"
fi
done
echoerr
echoerr "###"
echoerr "### Adding an XMPP user for internal use"
echoerr "###"
sleep 1
# Remove any previous focus account first so re-running the script replaces
# it with the freshly generated secret; errors from a missing user are
# discarded.  The secret is passed on prosodyctl's command line and is
# therefore briefly visible to other local users via ps.
prosodyctl deluser "focus@auth.$SERVER_FQDN" >/dev/null 2>&1
prosodyctl register focus "auth.$SERVER_FQDN" "$FOCUS_USER_SECRET"
# -r: create the account that is allowed to open conference rooms.
# NOTE(review): "prosodyctl adduser" presumably prompts for the password
# interactively -- confirm before running this unattended.
if [ "$mkroom" = "auth" ]; then
echoerr
echoerr "###"
echoerr "### Adding an XMPP user to create conference rooms"
echoerr "###"
sleep 1
prosodyctl adduser "admin@$SERVER_FQDN"
fi
echoerr
echoerr "###"
echoerr "### Generating certificates used by internal processes"
echoerr "###"
sleep 1
# Self-signed certs for prosody (main and auth virtual hosts) plus the
# jicofo truststore entry; validity comes from -e.
#prosodyctl cert generate $SERVER_FQDN
#prosodyctl cert generate auth.$SERVER_FQDN
renew_internal_certs "$SERVER_FQDN" "$certexpiry" "$TS"
echoerr
echoerr "###"
echoerr "### Enabling services"
echoerr "###"
sleep 1
# Enable the rc services in rc.conf; they are not started here, the
# operator is told how to start them below.
sysrc prosody_enable=YES
sysrc "${webserver}_enable=YES"
sysrc jitsi_videobridge_enable=YES
sysrc jicofo_enable=YES
echoerr
echoerr "###"
echoerr "### Finished!"
echoerr "###"
sleep 1
echoerr "Check your configs and run the following commands to start services."
echoerr ""
echoerr " service prosody start"
echoerr " service $webserver start"
echoerr " service jitsi-videobridge start"
echoerr " service jicofo start"
echoerr ""
echoerr "Some additional notes:"
echoerr
# Firewall hints: the PF examples differ for the NAT (-N) and direct cases.
# "\$ext_if" is escaped so it is printed literally for the operator's pf.conf.
echoerr "*** Firewall/NAT ***"
echoerr "jitsi-meet requires the following ports are open."
echoerr " 443/tcp"
echoerr " 4443/tcp"
echoerr " 10000/udp"
if [ $nat -eq 1 ]; then
echoerr
echoerr "If you are using PF, add rules like below to /etc/pf.conf and"
echoerr "reload the PF by 'service pf reload'."
echoerr "(tighten those rules according to your needs)"
echoerr " # \$ext_if is an interface name which has $SERVER_PUBLIC_IP4ADDR"
echoerr " rdr pass inet proto tcp to (\$ext_if) port 443 -> $SERVER_LOCAL_IP4ADDR"
echoerr " rdr pass inet proto tcp to (\$ext_if) port 4443 -> $SERVER_LOCAL_IP4ADDR"
echoerr " rdr pass inet proto udp to (\$ext_if) port 10000 -> $SERVER_LOCAL_IP4ADDR"
else
echoerr
echoerr "If you are using PF, add rules like below to /etc/pf.conf and"
echoerr "reload the PF by 'service pf reload'."
echoerr "(tighten those rules according to your needs)"
echoerr " pass in log proto tcp to port 443"
echoerr " pass in log proto tcp to port 4443"
echoerr " pass in log proto udp to port 10000"
fi
echoerr
echoerr "*** Certificates ***"
echoerr "If your server certificate in the following file:"
echoerr " $SERVER_CERT_PATH"
echoerr "is selfsigned or issued by a private certificate authority (CA),"
echoerr "you have to isntall the server certificate itself or"
echoerr "the private CA certificate on your browser or operating system."
echoerr "Note that mobile jitsi apps doesn't seem to work with the private"
echoerr "certificate."
echoerr
echoerr "If the server certificate is issued by a public CA such as"
echoerr "Let's encrypt, it might be okay that you do nothing about it."
echoerr
echoerr
echoerr "If all set, launch your browser and access the following URL:"
echoerr " https://$SERVER_FQDN/"
echoerr
echoerr "Enjoy!"