WIP

This how-to sets up Jitsi Meet (https://meet.jit.si/) as a Docker container on Nethserver 7.x.

Original poster: https://community.nethserver.org/u/djx/summary, from https://community.nethserver.org/t/deploying-jitsi-meet-on-nethserver-independent-video-conferencing/15838

There are comments like "Follow the Jitsi documentation, and you will have a working installation in 10 minutes", but that assumes you have a decent knowledge of Docker and other components. If you're using Nethserver, I assume you are like me and not a seasoned sysadmin.

So here are my steps to get us a bit more than just a basic install.

Current Features:

  • Working Jitsi server (using a docker image)
  • Using SSL certificate provided by Nethserver
  • Using Nethserver LDAP authentication to make it so Nethserver users can be hosts of meetings, and guests can join

Things that could be improved on:

  • An automatic script to pull in some of the settings from Nethserver automatically
  • Create a virtual host for redirecting port 443 on the subdomain to 8443 on the subdomain

Future Improvements:

A working reverse proxy to use the TLD without the custom port. Apparently this is a known limitation with the docker image: even if you enable a reverse proxy, the BOSH connection will fail.

Steps:

  • get a domain and matching SSL cert
  • install docker & docker compose
  • enable Portainer
  • update the firewall
  • get the Jitsi docker image
  • configure & deploy the image

The Jitsi Docker does support getting a cert through LetsEncrypt but I had issues getting this to work. It was failing on the ACME request - I think because of the non-standard HTTPS port and because I didn’t have a reverse proxy in place on the domain. In any case, I decided to just utilize the cert that is on my Nethserver because then I know it will get updated automatically.

  • Add a domain/sub-domain that points to your Nethserver, e.g. https://meet.mydomain.com
  • In the Cockpit UI go to System → Certificates and use the Request Let's Encrypt certificate button
  • Add in your sub-domain
  • Update the cert
  • Take note of the path to the cert

Install Docker

Use the Cockpit UI and go to Software Center. Install Docker.

Enable Portainer

According to the Docker documentation, we need to update the configuration in order to turn on Portainer so we can edit the networks. As root you can do it with these commands:

config setprop portainer status enabled
signal-event nethserver-docker-update

Now one can navigate to the Portainer address to set up the admin password: https://meet.mydomain.com:980/portainer/ (note the port number 980!)

Install Docker Compose

Follow the instructions to install Docker Compose, which currently are:

sudo curl -L "https://github.com/docker/compose/releases/download/1.29.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

Update the firewall

There are two firewall changes we need to make.

We need to allow the Jitsi docker image to access LDAP on our Nethserver

We need to allow the Jitsi docker image to be accessed from the WAN on our Nethserver (unless you don’t need that)

Access LDAP

You can read more about it in the Nethserver Docker docs, but basically the default network for docker images does not allow access to our Nethserver for security reasons. There is a special aqua network that will be set up with our Docker install that will allow docker images to access local ports on our Nethserver. That is how we will let Jitsi use our existing LDAP.

I think there is currently a bug in the Jitsi docker image that mixes up ldap: and ldaps:, so I just opened both ports and things seem to work.

The docs give an example command to open up the ports, and for me my command was:

db dockrules set jitsiLdap aqua TCPPorts 389,636 status enabled
signal-event firewall-adjust

Access WAN

Using the Cockpit UI, go to System > Services > Add Network Service. For me, I had to run this as the root user to get the network options to show up. We want both Green and Red interfaces for this to be accessible from the internet.

Now we have our address, we have Docker, and we have our firewall updated. Now we just need to get the docker image and configure it.

This article is pretty good but there are a few things we should consider on our Nethserver. Here is the latest available version of Jitsi Meet from GitHub.

First, we should be putting all of our custom apps in the /opt/ folder. So for me, my jitsi folder is /opt/jitsi

In an attempt to make installation easier, here are two scripts which can be put into your /opt/jitsi folder:

install_jitsi.sh

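#!/bin/bash
# Stop at the first failing step so a failed download is never deployed
set -e

# Jitsi release tag to install
CURRENT_RELEASE=stable-6865

# Work from the folder this script lives in (e.g. /opt/jitsi); the rm and mv
# calls below use relative paths
cd "$(dirname "$0")"

# Clean up existing config
if [[ -d ".jitsi-meet-cfg" ]]
then
    rm -rf .jitsi-meet-cfg
fi

# Backup existing generation folder
if [[ -d "docker-jitsi-meet" ]]
then
    # Shut down existing docker
    cd docker-jitsi-meet
    docker-compose down
    cd ../

    if [[ -d "old_docker-jitsi-meet" ]]
    then
        echo "Removing old backup"
        rm -rf old_docker-jitsi-meet
    fi

    echo "Backing up build folder"
    mv -f docker-jitsi-meet old_docker-jitsi-meet
fi

# Fetch and unpack the requested release
wget -q "https://github.com/jitsi/docker-jitsi-meet/archive/refs/tags/${CURRENT_RELEASE}.zip" -O "${CURRENT_RELEASE}.zip"
unzip -q "${CURRENT_RELEASE}.zip"
mv "docker-jitsi-meet-${CURRENT_RELEASE}" docker-jitsi-meet
cd docker-jitsi-meet
cp env.example .env
# Keep a pristine copy of the compose file before update_env.sh edits it
cp docker-compose.yml docker-compose.yml.example
# Apply the local settings, then start the containers
cp ../update_env.sh ./
./update_env.sh
docker-compose up -d
# Attach prosody to the aqua network so it can reach LDAP on the host
docker network connect aqua docker-jitsi-meet_prosody_1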

This script will:

  • back up the old install
  • shut down the existing jitsi containers
  • fetch the specified build of the docker jitsi repo
  • generate new passwords for the internal components
  • run the update_env.sh script to change environment defaults how you like them
  • pull down the new jitsi containers
  • start the new jitsi containers
  • add the jitsi containers to the aqua network so they can be accessed immediately

Normally, there are no steps needed other than running this install script.

and

update_env.sh

#!/bin/bash
# Settings to apply; quote any value containing shell special characters
CONFIG=/opt/jitsi/.jitsi-meet-cfg
PUBLIC_URL=https://meet.mydomain.com:8443
ENABLE_PREJOIN_PAGE=1
ENABLE_AUTH=1
ENABLE_GUESTS=1
AUTH_TYPE=ldap
LDAP_URL=ldaps://172.28.0.1:636
LDAP_BASE=dc=directory,dc=nh
LDAP_BINDDN=cn=ldapservice,dc=directory,dc=nh
LDAP_BINDPW='<SECRET>'
# Quoted: an unquoted (uid=%u) is a bash array assignment and loses the parentheses
LDAP_FILTER='(uid=%u)'
LDAP_AUTH_METHOD=bind
LDAP_USE_TLS=1
CERT_NAME=neth.mydomain.com

# Start from the stock env file and generate the internal component passwords
cp env.example .env
./gen-passwords.sh

# Uncomment and set the options above in .env
sed -i.bak \
    -e "s#CONFIG=.*#CONFIG=${CONFIG}#g" \
    -e "s#\#PUBLIC_URL=.*#PUBLIC_URL=${PUBLIC_URL}#g" \
    -e "s#\#ENABLE_PREJOIN_PAGE=.*#ENABLE_PREJOIN_PAGE=${ENABLE_PREJOIN_PAGE}#g" \
    -e "s#\#ENABLE_AUTH=.*#ENABLE_AUTH=${ENABLE_AUTH}#g" \
    -e "s#\#ENABLE_GUESTS=.*#ENABLE_GUESTS=${ENABLE_GUESTS}#g" \
    -e "s#\#AUTH_TYPE=.*#AUTH_TYPE=${AUTH_TYPE}#g" \
    -e "s#\#LDAP_URL=.*#LDAP_URL=${LDAP_URL}#g" \
    -e "s#\#LDAP_BASE=.*#LDAP_BASE=${LDAP_BASE}#g" \
    -e "s#\#LDAP_BINDDN=.*#LDAP_BINDDN=${LDAP_BINDDN}#g" \
    -e "s#\#LDAP_BINDPW=.*#LDAP_BINDPW=${LDAP_BINDPW}#g" \
    -e "s#\#LDAP_FILTER=.*#LDAP_FILTER=${LDAP_FILTER}#g" \
    -e "s#\#LDAP_AUTH_METHOD=.*#LDAP_AUTH_METHOD=${LDAP_AUTH_METHOD}#g" \
    -e "s#\#LDAP_USE_TLS=.*#LDAP_USE_TLS=${LDAP_USE_TLS}#g" \
    "$(dirname "$0")/.env"

# Add the NethServer certificate and key as volumes in docker-compose.yml
sed -i.bak \
    -e "s#transcripts:Z#transcripts:Z\n            - /etc/letsencrypt/live/${CERT_NAME}/privkey.pem:/config/keys/cert.key#g" \
    -e "s#transcripts:Z#transcripts:Z\n            - /etc/letsencrypt/live/${CERT_NAME}/fullchain.pem:/config/keys/cert.crt#g" \
        "$(dirname "$0")/docker-compose.yml"

This script will provide mandatory configuration and change some of the defaults to a more secure and user-friendly environment:

  • Configure the public URL (mandatory)
  • Define the config path (mandatory - changing this to align with NethServer defaults)
  • Enable pre-join page
  • Enable LDAP Auth (requiring a user account on your server to start meetings)
  • Allow guests to join a meeting created by an authenticated user
  • Allow turning on the lobby feature
  • Update the docker config file to use an SSL certificate that is configured in NethServer
    • This lets you use the same cert with multiple sub-domains for all services on your NethServer
    • The Jitsi config does support Let's Encrypt, but currently the reverse proxy in NethServer doesn't work for BOSH services (which Jitsi uses), so Jitsi cannot use the automated Let's Encrypt certificate verification.
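
The sed substitutions in update_env.sh use # as delimiter, so an LDAP_BINDPW containing #, & or \ would corrupt the .env line or abort sed. One way to set keys without that problem, using awk in place of sed (an added example, not part of the original how-to; set_env_key and demo_env are hypothetical names and the sample lines and password are constructed):

```shell
#!/bin/bash
# Added example, not from the original how-to. Sample data below is constructed.

# set_env_key FILE KEY VALUE
# Replace the line "KEY=..." or "#KEY=..." in FILE with "KEY=VALUE".
# awk compares fixed strings, so '#', '&', '\' or '/' in VALUE need no escaping.
set_env_key() {
    local file="$1" key="$2" value="$3" tmp nl='
'
    # A value with a newline would smuggle an extra KEY=VALUE line into the file.
    case $value in
        *"$nl"*) echo "refusing multi-line value for $key" >&2; return 1 ;;
    esac
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    chmod 600 "$tmp"    # the file will hold LDAP_BINDPW
    if VALUE=$value awk -v key="$key" '
            BEGIN { val = ENVIRON["VALUE"] }
            index($0, key "=") == 1 || index($0, "#" key "=") == 1 {
                print key "=" val; hits++; next
            }
            { print }
            END { exit (hits > 0 ? 0 : 1) }
        ' "$file" > "$tmp"
    then
        mv "$tmp" "$file"    # replace in one step, no .bak copy left behind
    else
        rm -f "$tmp"
        echo "key $key not found in $file" >&2
        return 1
    fi
}

# Constructed sample resembling the commented defaults of an env file.
demo_env() {
    local f
    f=$(mktemp) || return 1
    printf '%s\n' 'CONFIG=~/.jitsi-meet-cfg' '#PUBLIC_URL=https://meet.example.com' \
        '#LDAP_FILTER=(uid=%u)' '#LDAP_BINDPW=LdapUserPassw0rd' > "$f"
    set_env_key "$f" PUBLIC_URL 'https://meet.mydomain.com:8443' &&
    set_env_key "$f" LDAP_FILTER '(uid=%u)' &&
    set_env_key "$f" LDAP_BINDPW 'p#ss&w\rd' || return 1   # constructed password
    echo "$f"
}
```

A key that is missing from the file makes set_env_key return non-zero instead of silently doing nothing, which is how a renamed option in a newer env.example would show up.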

A few notes about these config options:

  • The LDAP configurations are based on using OpenLDAP with all the default Nethserver settings.
  • I actually stole most of these settings from my ejabberd configuration (located here: /etc/ejabberd/ejabberd.yml). You could also grab them from your Nextcloud or any other app you’re using with LDAP auth.
  • The LDAP URL is using ldaps, but my log shows me that it’s actually calling on port 389 still. I think this is an issue / manual configuration in the Jitsi docker configuration. That’s why our firewall rule opens up the port for ldap: (389) and ldaps: (636)
  • The LDAP URL is pointing to the aqua interface on your docker. For me, I found this out by going to: https://neth.mydomain.com:980/portainer → Networks and then looking at the Gateway for the aqua network.

  • You need to get the LDAP_BINDPW for your ldap service account. For me, I found this in my ejabberd config file but there is probably a better way to find it.
  • The LDAP_USE_TLS is required, even though we are just doing it local. Again, I think it’s an issue in the docker image.

You should now be able to access your Jitsi server at: https://meet.mydomain.com:8443

Note that the port is important. I have not gotten this to work through the Nethserver reverse proxy yet so we can serve it up on the regular HTTPS port.

Other Notes:

You can re-install a new version of Jitsi just by editing and running the `install_jitsi.sh` script. It will pull the new version and regenerate the configuration as defined in your update_env.sh

  • If you need to debug your LDAP queries, the docs give a very clear guide on how to increase the verbosity of what you see at /var/log/slapd. Don't be like me and raise a question about something clearly written in the docs! (Thanks mrmarkuz for the kind reply!)

jitsi_meet.txt · Last modified: 2022/02/20 15:06 by DJX