WIP

This how-to sets up Jitsi Meet (https://meet.jit.si/) as a docker container on Nethserver 7.x

Originally posted by https://community.nethserver.org/u/djx/summary at https://community.nethserver.org/t/deploying-jitsi-meet-on-nethserver-independent-video-conferencing/15838

There are comments like "Follow the Jitsi documentation, and you will have a working installation in 10 minutes", but that assumes you have a decent knowledge of Docker and other components. If you’re using Nethserver, I assume you are like me and not a seasoned sysadmin.

So here are my steps to get us a bit more than just a basic install.

Current Features:

  • Working Jitsi server (using a docker image)
  • Using SSL certificate provided by Nethserver
  • Using Nethserver LDAP authentication to make it so Nethserver users can be hosts of meetings, and guests can join

Things that could be improved on:

  • An automatic script to pull in some of the settings from Nethserver automatically
  • Create a virtual host for redirecting port 443 on the subdomain to 8443 on the subdomain

Future Improvements:

A working reverse proxy to use the TLD without the custom port. Apparently this is a known limitation with the docker image: even if you enable a reverse proxy, the BOSH connection will fail.

Steps:

  • get a domain and matching SSL cert
  • install docker & docker compose
  • enable Portainer
  • update the firewall
  • get the Jitsi docker image
  • configure & deploy the image

Domain & Cert

The Jitsi Docker does support getting a cert through LetsEncrypt but I had issues getting this to work. It was failing on the ACME request - I think because of the non-standard HTTPS port and because I didn’t have a reverse proxy in place on the domain. In any case, I decided to just utilize the cert that is on my Nethserver because then I know it will get updated automatically.

  • Add a domain/sub-domain that points to your Nethserver, e.g. https://meet.mydomain.com
  • In the Cockpit UI go to System → Certificates and use the Request Let's Encrypt certificate button
  • Add in your sub-domain
  • Update the cert
  • Take note of the path to the cert

Install Docker & Docker-Compose

Install Docker

Use the Cockpit UI and go to Software Center, then install Docker.

Enable Portainer

According to the Docker documentation, we need to update the configuration in order to turn on Portainer so we can edit the networks. As root you can do it with the commands:

config setprop portainer status enabled
signal-event nethserver-docker-update

Now one can navigate to the Portainer address to set up the admin password: https://meet.mydomain.com:980/portainer/

Install Docker Compose

Follow the instructions to Install Docker Compose, which currently are:

sudo curl -L "https://github.com/docker/compose/releases/download/1.26.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

Update the firewall

There are two firewall changes we need to make.

We need to allow the Jitsi docker image to access LDAP on our Nethserver

We need to allow the Jitsi docker image to be accessed from the WAN on our Nethserver (unless you don’t need that)

Access LDAP

You can read more about it in the Nethserver Docker docs, but basically the default network for docker images does not allow access to our Nethserver for security reasons. There is a special aqua network that will be set up with our Docker install that will allow docker images to access local ports on our Nethserver. That is how we will let Jitsi use our existing LDAP.

I think there is currently a bug in the Jitsi docker image that mixes up ldap: and ldaps:, so I just opened both ports and things seem to work.

The docs give an example command to open up the ports, and for me my command was:

db dockrules set jitsiLdap aqua TCPPorts 389,636 status enabled
signal-event firewall-adjust

Access WAN

Using the Cockpit UI, go to System > Services > Add Network Service. For me, I had to run this as the root user to get the network options to show up. We want both Green and Red interfaces for this to be accessible from the internet.

Now we have our address, we have Docker, and we have our firewall updated. Now we just need to get the docker image and configure it.

Get & Configure the Jitsi Docker image

This article is pretty good but there are a few things we should consider on our Nethserver. Here is the latest available version of Jitsi Meet from GitHub.

First, we should be putting all of our custom apps in the /opt/ folder. So for me, my jitsi folder is /opt/jitsi

Using your preferred method, get the latest Jitsi Docker image and put it in:

/opt/jitsi/docker-jitsi-meet

According to the guide (at this time) follow these steps:

but on the last step, instead of putting the jitsi config under root, let’s keep it under our opt folder, so the command looks like this:

mkdir -p /opt/jitsi/.jitsi-meet-cfg/{web/letsencrypt,transcripts,prosody/config,prosody/prosody-plugins-custom,jicofo,jvb,jigasi,jibri}

As part of the testing of Jitsi we need to erase this folder frequently, so I prefer to have it in this folder instead of in the root of the system. Also, this follows the Nethserver convention of keeping apps under /opt/

Configure the env variables

Now we have our .env file, in which we need to modify a few things. Here are the changes I made:

CONFIG=/opt/jitsi/.jitsi-meet-cfg
PUBLIC_URL=https://meet.mydomain.com
ENABLE_AUTH=1
ENABLE_GUESTS=1
AUTH_TYPE=ldap
LDAP_URL=ldaps://172.28.0.1:636
LDAP_BASE=dc=directory,dc=nh
LDAP_BINDDN=cn=ldapservice,dc=directory,dc=nh
LDAP_BINDPW=...
LDAP_FILTER=(uid=%u)
LDAP_AUTH_METHOD=bind
LDAP_USE_TLS=1

A few notes about these config options:

  • You’ll need to look for these specific keys in the file, uncomment them, and fill in the appropriate value. For me, I’m using OpenLDAP with all the default Nethserver settings.
  • I actually stole most of these settings from my ejabberd configuration (located here: /etc/ejabberd/ejabberd.yml). You could also grab them from your Nextcloud or any other app you’re using with LDAP auth.
  • The LDAP URL is using ldaps, but my log shows me that it’s actually calling on port 389 still. I think this is an issue / manual configuration in the Jitsi docker configuration. That’s why our firewall rule opens up the port for ldap: (389) and ldaps: (636)
  • The LDAP URL is pointing to the aqua interface on your docker. For me, I found this out by going to: https://neth.mydomain.com:980/portainer → Networks and then looking at the Gateway for the aqua network:

  • You need to get the LDAP_BINDPW for your ldap service account. For me, I found this in my ejabberd config file but there is probably a better way to find it.
  • The LDAP_USE_TLS setting is required, even though we are just doing it locally. Again, I think it’s an issue in the docker image.

Configure the docker compose file

We need to make a change to our docker compose file to allow it to utilize the Nethserver certificate instead of the docker image trying to get its own cert from Let’s Encrypt.

Using the path to our cert that we saw in the steps above, add two volumes to the docker image (the last two lines):

        volumes:
            - ${CONFIG}/web:/config:Z
            - ${CONFIG}/web/letsencrypt:/etc/letsencrypt:Z
            - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
            - /etc/letsencrypt/live/neth.mydomain.com/fullchain.pem:/config/keys/cert.crt
            - /etc/letsencrypt/live/neth.mydomain.com/privkey.pem:/config/keys/cert.key

  • It is important that you use the fullchain.pem, and not the cert.pem. If you use just the cert, then desktop browsers will be able to connect, but Android browsers and clients will not be able to!
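
A pre-flight check for the .env and certificate edits above, as an added example that is not part of the original how-to: it confirms that every key listed in the .env section is uncommented and non-empty, that the file holding LDAP_BINDPW is closed to group and other, and that the PEM mounted as cert.crt carries the chain. The function names, the default ENV_FILE path and the permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the how-to): run before `docker-compose up -d`.
# Assumed defaults below follow the how-to's layout; override via environment.
ENV_FILE="${ENV_FILE:-/opt/jitsi/docker-jitsi-meet/.env}"
CERT_FILE="${CERT_FILE:-/etc/letsencrypt/live/neth.mydomain.com/fullchain.pem}"
REQUIRED="CONFIG PUBLIC_URL ENABLE_AUTH ENABLE_GUESTS AUTH_TYPE LDAP_URL LDAP_BASE \
LDAP_BINDDN LDAP_BINDPW LDAP_FILTER LDAP_AUTH_METHOD LDAP_USE_TLS"

# Print the value of an uncommented KEY=value line (last one wins), or nothing.
env_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Number of certificates in a PEM bundle: 1 = leaf only, 2 or more = full chain.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# Print one line per problem; return 0 only when nothing was found.
preflight() {
    problems=0
    for key in $REQUIRED; do
        if [ -z "$(env_get "$ENV_FILE" "$key")" ]; then
            echo "unset or still commented out: $key"
            problems=$((problems + 1))
        fi
    done
    # .env holds LDAP_BINDPW: group/other should have no access (chmod 600).
    if [ "$(ls -l "$ENV_FILE" | cut -c5-10)" != "------" ]; then
        echo "$ENV_FILE is accessible to group/other"
        problems=$((problems + 1))
    fi
    n="$(cert_count "$CERT_FILE")"
    if [ "${n:-0}" -lt 2 ]; then
        echo "$CERT_FILE has no intermediate certificate (cert.pem mounted?)"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}
```

Source the file and call `preflight`; it prints nothing and returns 0 when all three checks pass.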

Composing the Docker

Now that we have edited the env variables and included our certificate, we just need to run the command from the Jitsi quickstart guide to compose and launch the docker images:

docker-compose up -d

Adding the Docker to the aqua network

There is probably a way to do this in the Docker compose file, but I’m a total noob so I just did it through the web UI.

Go to your Portainer site → Containers and find the Prosody container:

  • Open it up and scroll to the bottom to see the networks
  • Add the aqua network

  • Now your network should look like this:

Hurray!

You should now be able to access your Jitsi server at: https://meet.mydomain.com:8443

Note that the port is important. I have not yet gotten this to work through the Nethserver reverse proxy, which would let us serve it up on the regular HTTPS port.

Other Notes:
  • Each time you re-build the docker image using compose you will need to re-add this network interface to the docker image
  • Each time you make changes to the docker compose file or .env file, you will need to clear the cfg folder and rebuild it. I had to do this a lot so I made a simple bash script to do it for me:
# Run from the docker-jitsi-meet folder; the relative path below depends on it
rm -rf ../.jitsi-meet-cfg/
docker-compose up -d
  • If you need to debug your LDAP queries the docs give a very clear guide on how to increase the verbosity of what you see at /var/log/slapd. Don’t be like me and raise a question about something clearly written in the docs! (Thanks mrmarkuz for the kind reply!)
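
The rebuild notes above and the manual Portainer step from "Adding the Docker to the aqua network" can be combined into one script, shown here as an added example that is not part of the original how-to. It assumes it is run from /opt/jitsi/docker-jitsi-meet and that the compose service is named prosody; the function names, the DOCKER/COMPOSE override variables and the extra `down` step are this example's own.

```shell
#!/bin/sh
# Added example, not from the original how-to. Assumes it is run from
# /opt/jitsi/docker-jitsi-meet and that the service is called "prosody".
DOCKER="${DOCKER:-docker}"                  # overridable, e.g. for testing
COMPOSE="${COMPOSE:-docker-compose}"
JITSI_CFG="${JITSI_CFG:-/opt/jitsi/.jitsi-meet-cfg}"
AQUA_NET="${AQUA_NET:-aqua}"

# Succeed if container $1 is already attached to network $2.
is_attached() {
    $DOCKER inspect -f '{{range $k, $v := .NetworkSettings.Networks}}{{$k}} {{end}}' "$1" \
        | tr ' ' '\n' | grep -qxF "$2"
}

# Attach the running Prosody container to aqua unless it already is.
attach_aqua() {
    cid="$($COMPOSE ps -q prosody)"
    [ -n "$cid" ] || { echo "prosody container not found" >&2; return 1; }
    if is_attached "$cid" "$AQUA_NET"; then
        echo "already attached"
    else
        $DOCKER network connect "$AQUA_NET" "$cid" && echo "attached"
    fi
}

# Stop the stack, wipe the generated config, start again, re-attach aqua.
rebuild() {
    case "$JITSI_CFG" in
        */.jitsi-meet-cfg) ;;   # only ever delete the expected directory
        *) echo "refusing to delete '$JITSI_CFG'" >&2; return 1 ;;
    esac
    $COMPOSE down || return 1   # added step: stop containers before wiping
    rm -rf -- "$JITSI_CFG"
    $COMPOSE up -d || return 1
    attach_aqua
}

# Usage: sh rebuild.sh rebuild   (or: sh rebuild.sh attach)
case "${1:-}" in
    rebuild) rebuild ;;
    attach)  attach_aqua ;;
esac
```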