Initial import

2018-03-14 10:23:13 +01:00
commit 467a149cbb
37 changed files with 1010 additions and 0 deletions
--- a/prosody/Dockerfile
+++ b/prosody/Dockerfile
@@ -0,0 +1,15 @@
+FROM jitsi/base
+
+RUN \
+	echo "deb http://ftp.debian.org/debian stretch-backports main" > /etc/apt/sources.list.d/backports.list && \
+	apt-dpkg-wrap apt-get update && \
+	apt-dpkg-wrap apt-get install -t stretch-backports -y prosody && \
+	apt-cleanup && \
+	rm -rf /etc/prosody
+
+COPY rootfs/ /
+
+EXPOSE 5222 5269 5347 5280 5281
+
+VOLUME /config
+
--- a/prosody/Makefile
+++ b/prosody/Makefile
@@ -0,0 +1,4 @@
+build:
+	docker build -t jitsi/prosody .
+
+.PHONY: build
--- a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua
+++ b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua
@@ -0,0 +1,32 @@
+admins = { "focus@auth.${XMPP_DOMAIN}" }
+
+VirtualHost "${XMPP_DOMAIN}"
+        authentication = "anonymous"
+        ssl = {
+                key = "/config/certs/${XMPP_DOMAIN}.key";
+                certificate = "/config/certs/${XMPP_DOMAIN}.crt";
+        }
+        modules_enabled = {
+            "bosh";
+            "pubsub";
+            "ping";
+        }
+
+        c2s_require_encryption = false
+
+VirtualHost "auth.${XMPP_DOMAIN}"
+    ssl = {
+        key = "/config/certs/auth.${XMPP_DOMAIN}.key";
+        certificate = "/config/certs/auth.${XMPP_DOMAIN}.crt";
+    }
+    authentication = "internal_plain"
+
+Component "conference.${XMPP_DOMAIN}" "muc"
+    storage = "null"
+
+Component "jitsi-videobridge.${XMPP_DOMAIN}"
+    component_secret = "${JVB_COMPONENT_SECRET}"
+
+Component "focus.${XMPP_DOMAIN}"
+    component_secret = "${JICOFO_COMPONENT_SECRET}"
+
--- a/prosody/rootfs/defaults/prosody.cfg.lua
+++ b/prosody/rootfs/defaults/prosody.cfg.lua
@@ -0,0 +1,151 @@
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at http://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running: luac -p prosody.cfg.lua
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see http://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: http://prosody.im/doc/libevent
+--use_libevent = true;
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation on modules can be found at: http://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"vcard"; -- Allow users to set vCards
+	
+	-- These are commented by default as they have a performance impact
+		--"privacy"; -- Support privacy lists
+		--"compression"; -- Stream compression (Debian: requires lua-zlib module to work)
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"pep"; -- Enables users to publish their mood, activity, playing music and more
+		"register"; -- Allow users to register on this server using a client and change passwords
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+	
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+		--"groups"; -- Shared roster support
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+};
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+};
+
+-- Disable account creation by default, for security
+-- For more information see http://prosody.im/doc/creating_accounts
+allow_registration = false;
+
+daemonize = false;
+
+pidfile = "/config/data/prosody.pid";
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+
+-- Force certificate authentication for server-to-server connections?
+-- This provides ideal security, but requires servers you communicate
+-- with to support encryption AND present valid, trusted certificates.
+-- NOTE: Your version of LuaSec must support certificate verification!
+-- For more information see http://prosody.im/doc/s2s#security
+
+s2s_secure_auth = false
+
+-- Many servers don't support encryption or have invalid or self-signed
+-- certificates. You can list domains here that will not be required to
+-- authenticate using certificates. They will be authenticated using DNS.
+
+--s2s_insecure_domains = { "gmail.com" }
+
+-- Even if you leave s2s_secure_auth disabled, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+-- To allow Prosody to offer secure authentication mechanisms to clients, the
+-- default provider stores passwords in plaintext. If you do not trust your
+-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
+-- for information about using the hashed backend.
+
+authentication = "internal_plain"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See http://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal" (Debian: "sql" requires one of the
+-- lua-dbi-sqlite3, lua-dbi-mysql or lua-dbi-postgresql packages to work)
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+-- Logging configuration
+-- For advanced logging see http://prosody.im/doc/logging
+--
+-- Debian:
+--  Logs info and higher to /var/log
+--  Logs errors to syslog also
+log = {
+	{ levels = {min = "info"}, to = "console"};
+}
+
+component_interface = { "*" }
+
+data_path = "/config/data"
+
+Include "conf.d/*.cfg.lua"
--- a/prosody/rootfs/etc/cont-init.d/10-config
+++ b/prosody/rootfs/etc/cont-init.d/10-config
@@ -0,0 +1,35 @@
+#!/usr/bin/with-contenv bash
+
+AUTH_XMPP_DOMAIN="auth.$XMPP_DOMAIN"
+PROSODY_CFG="/config/prosody.cfg.lua"
+
+if [[ ! -d /config/data ]]; then
+    mkdir -p /config/data
+    chmod 777 /config/data
+fi
+
+if [[ ! -f $PROSODY_CFG ]]; then
+    cp -r /defaults/* /config
+    sed -i \
+        -e "s,\${XMPP_DOMAIN},$XMPP_DOMAIN,g" \
+        -e "s,\${JICOFO_COMPONENT_SECRET},$JICOFO_COMPONENT_SECRET,g" \
+        -e "s,\${JVB_COMPONENT_SECRET},$JVB_COMPONENT_SECRET,g" \
+        /config/conf.d/jitsi-meet.cfg.lua
+    prosodyctl --config $PROSODY_CFG register $JICOFO_AUTH_USER $AUTH_XMPP_DOMAIN $JICOFO_AUTH_PASSWORD
+fi
+
+mkdir /config/certs
+
+if [[ ! -f /config/certs/$XMPP_DOMAIN.crt ]]; then
+    # echo for using all default values
+    echo | prosodyctl --config $PROSODY_CFG cert generate $XMPP_DOMAIN
+fi
+
+if [[ ! -f /config/certs/$AUTH_XMPP_DOMAIN.crt ]]; then
+    # echo for using all default values
+    echo | prosodyctl --config $PROSODY_CFG cert generate $AUTH_XMPP_DOMAIN
+fi
+
+# certs vill be created in /var/lib/prosody
+mv /var/lib/prosody/*.{crt,key} /config/certs/
+
--- a/prosody/rootfs/etc/services.d/prosody/run
+++ b/prosody/rootfs/etc/services.d/prosody/run
@@ -0,0 +1,3 @@
+#!/usr/bin/with-contenv bash
+exec s6-setuidgid prosody prosody --config /config/prosody.cfg.lua
+