From 19e407ad0ec3bf7d8d05b3700676fabf25e8ce09 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 14 Jan 2023 18:00:01 +0100 Subject: [PATCH] add jitsi meet --- Makefile | 3 + inventory/group_vars/homeserver.yml | 2 + playbooks/all.yml | 3 +- playbooks/jitsi.yml | 4 + roles/forgejo/tasks/main.yml | 2 +- .../forgejo/templates/{app.ini => app.ini.j2} | 2 +- roles/jitsi/meta/main.yml | 4 + roles/jitsi/tasks/main.yml | 17 +++ roles/jitsi/templates/docker-compose.yml.j2 | 107 ++++++++++++++++++ roles/jitsi/vars/main.yml | 47 ++++++++ roles/nsd/files/zones/pizzapim.nl | 3 +- roles/traefik/tasks/main.yml | 4 +- roles/traefik/templates/docker-compose.yml.j2 | 2 +- .../traefik.toml.j2} | 4 +- 14 files changed, 196 insertions(+), 8 deletions(-) create mode 100644 playbooks/jitsi.yml rename roles/forgejo/templates/{app.ini => app.ini.j2} (98%) create mode 100644 roles/jitsi/meta/main.yml create mode 100644 roles/jitsi/tasks/main.yml create mode 100644 roles/jitsi/templates/docker-compose.yml.j2 create mode 100644 roles/jitsi/vars/main.yml rename roles/traefik/{files/traefik.toml => templates/traefik.toml.j2} (85%) diff --git a/Makefile b/Makefile index 3af1ce8..478cf5f 100644 --- a/Makefile +++ b/Makefile @@ -37,4 +37,7 @@ dataserver: seafile: ansible-playbook playbooks/seafile.yml -i inventory/hosts.yml --ask-vault-pass +jitsi: + ansible-playbook playbooks/jitsi.yml -i inventory/hosts.yml --ask-vault-pass + .PHONY: run diff --git a/inventory/group_vars/homeserver.yml b/inventory/group_vars/homeserver.yml index 69f1dc9..6b91532 100644 --- a/inventory/group_vars/homeserver.yml +++ b/inventory/group_vars/homeserver.yml @@ -1,2 +1,4 @@ base_data_dir: /data base_service_dir: /srv +jitsi_videobridge_port: 54562 +git_ssh_port: 56287 diff --git a/playbooks/all.yml b/playbooks/all.yml index 8bb6cc8..5ab0bfc 100644 --- a/playbooks/all.yml +++ b/playbooks/all.yml 
@@ -11,7 +11,8 @@ - radicale - mastodon - seafile + - jitsi - name: Setup dataserver hosts: dataserver roles: - - dataserver \ No newline at end of file + - dataserver diff --git a/playbooks/jitsi.yml b/playbooks/jitsi.yml new file mode 100644 index 0000000..a712e3a --- /dev/null +++ b/playbooks/jitsi.yml @@ -0,0 +1,4 @@ +- name: Install Jitsi Meet + hosts: homeserver + roles: + - jitsi diff --git a/roles/forgejo/tasks/main.yml b/roles/forgejo/tasks/main.yml index a2ce768..0bf47a2 100644 --- a/roles/forgejo/tasks/main.yml +++ b/roles/forgejo/tasks/main.yml @@ -20,7 +20,7 @@ group: 1000 - name: Copy app.ini template: - src: "{{ role_path }}/templates/app.ini" + src: "{{ role_path }}/templates/app.ini.j2" dest: "{{ service_dir }}/conf/app.ini" register: config - name: Start the Docker Compose diff --git a/roles/forgejo/templates/app.ini b/roles/forgejo/templates/app.ini.j2 similarity index 98% rename from roles/forgejo/templates/app.ini rename to roles/forgejo/templates/app.ini.j2 index f12d54d..dc5dde3 100644 --- a/roles/forgejo/templates/app.ini +++ b/roles/forgejo/templates/app.ini.j2 @@ -18,7 +18,7 @@ SSH_DOMAIN = git.pizzapim.nl HTTP_PORT = 3000 ROOT_URL = {{ forgejo.root_url }} DISABLE_SSH = false -SSH_PORT = 56287 +SSH_PORT = {{ git_ssh_port }} SSH_LISTEN_PORT = 22 LFS_START_SERVER = true LFS_JWT_SECRET = {{ forgejo.lfs_jwt_secret }} diff --git a/roles/jitsi/meta/main.yml b/roles/jitsi/meta/main.yml new file mode 100644 index 0000000..6b03734 --- /dev/null +++ b/roles/jitsi/meta/main.yml @@ -0,0 +1,4 @@ +dependencies: + - role: common + - role: docker + - role: traefik diff --git a/roles/jitsi/tasks/main.yml b/roles/jitsi/tasks/main.yml new file mode 100644 index 0000000..c49a46e --- /dev/null +++ b/roles/jitsi/tasks/main.yml 
@@ -0,0 +1,17 @@
+- name: Create Jitsi Meet app directory
+ file:
+ path: "{{ service_dir }}"
+ state: directory
+- name: Copy docker-compose.yml file
+ template:
+ src: "{{ role_path }}/templates/docker-compose.yml.j2"
+ dest: "{{ service_dir }}/docker-compose.yml"
+- name: Create Jitsi Meet data directory
+ file:
+ path: "{{ data_dir }}"
+ state: directory
+- name: Start Docker Compose
+ docker_compose:
+ project_src: "{{ service_dir }}"
+ pull: true
+ remove_orphans: true
diff --git a/roles/jitsi/templates/docker-compose.yml.j2 b/roles/jitsi/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..63e6c6e
--- /dev/null
+++ b/roles/jitsi/templates/docker-compose.yml.j2
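Review bot: The `Copy docker-compose.yml file` task in roles/jitsi/tasks/main.yml sets no `mode`, `owner` or `group`, yet the template it renders holds the decrypted vault values (`JVB_AUTH_PASSWORD`, `JICOFO_AUTH_PASSWORD` and the Jibri/Jigasi passwords) in plain text. The file's permissions therefore depend on the remote umask and may leave it readable by every local account on the host. I would add `mode: "0600"` to that task and an explicit restrictive mode such as `mode: "0750"` to the two `file` tasks that create `{{ service_dir }}` and `{{ data_dir }}`. Adding `no_log: true` to the template task also keeps the rendered secrets out of `--diff` and verbose output.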
@@ -0,0 +1,107 @@ +version: '3.5' + +services: + web: + image: jitsi/web:stable-8218 + container_name: jitsi-web + restart: unless-stopped + volumes: + - {{ data_dir }}/web:/config:Z + - {{ data_dir }}/web/crontabs:/var/spool/cron/crontabs:Z + - {{ data_dir }}/transcripts:/usr/share/jitsi-meet/transcripts:Z + environment: + - DISABLE_HTTPS=1 + - ENABLE_AUTH=1 + - ENABLE_GUESTS=1 + - ENABLE_IPV6=1 + - ENABLE_LETSENCRYPT=0 + - PUBLIC_URL=https://{{ public_domain }} + - TZ=Europe/Amsterdam + networks: + - meet.jitsi + - traefik + labels: + - traefik.http.routers.jitsi-web.entrypoints=websecure + - traefik.http.routers.jitsi-web.rule=Host(`{{ public_domain }}`) + - traefik.http.routers.jitsi-web.tls=true + - traefik.http.routers.jitsi-web.tls.certresolver=pizzapim + - traefik.http.services.jitsi-web.loadbalancer.server.port=80 + - traefik.http.routers.jitsi-web.service=jitsi-web + - traefik.docker.network=traefik + + prosody: + image: jitsi/prosody:stable-8218 + container_name: jitsi-xmpp + restart: unless-stopped + expose: + - '5222' + - '5347' + - '5280' + volumes: + - {{ data_dir }}/prosody/config:/config:Z + - {{ data_dir }}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z + environment: + - AUTH_TYPE=internal + - ENABLE_AUTH=1 + - ENABLE_GUESTS=1 + - ENABLE_IPV6=1 + - ENABLE_LOBBY=1 + - JIBRI_RECORDER_PASSWORD={{ jibri_recorder_password }} + - JIBRI_XMPP_PASSWORD={{ jibri_xmpp_password }} + - JICOFO_AUTH_PASSWORD={{ jicofo_auth_password }} + - JIGASI_XMPP_PASSWORD={{ jigasi_xmpp_password }} + - JVB_AUTH_PASSWORD={{ jvb_auth_password }} + - PUBLIC_URL=https://{{ public_domain }} + - TZ=Europe/Amsterdam + networks: + meet.jitsi: + aliases: + - xmpp.meet.jitsi + + jicofo: + image: jitsi/jicofo:stable-8218 + container_name: jitsi-focus + restart: unless-stopped + volumes: + - {{ data_dir }}/jicofo:/config:Z + environment: + - AUTH_TYPE=internal + - ENABLE_AUTH=1 + - JICOFO_AUTH_PASSWORD={{ jicofo_auth_password }} + - SENTRY_DSN=0 + - TZ=Europe/Amsterdam + 
depends_on: + - prosody + networks: + meet.jitsi: + + jvb: + image: jitsi/jvb:stable-8218 + container_name: jitsi-videobridge + restart: unless-stopped + ports: + - '{{ jitsi_videobridge_port }}:{{ jitsi_videobridge_port }}/udp' + volumes: + - {{ data_dir }}/jvb:/config:Z + environment: + - JVB_ADVERTISE_IPS={{ jvb_advertise_ips }} + - JVB_AUTH_PASSWORD={{ jvb_auth_password }} + - JVB_PORT={{ jitsi_videobridge_port }} + - PUBLIC_URL=https://{{ public_domain }} + - SENTRY_DSN=0 + - COLIBRI_REST_ENABLED=0 + - TZ=Europe/Amsterdam + depends_on: + - prosody + networks: + meet.jitsi: + labels: + - traefik.udp.routers.jitsi-videobridge.rule=HostSNI(`*`) + - traefik.udp.routers.jitsi-videobridge.entrypoints=video + - traefik.udp.routers.jitsi-videobridge.service=jitsi-videobridge + - traefik.udp.services.jitsi-videobridge.loadbalancer.server.port={{ jitsi_videobridge_port }} + +networks: + meet.jitsi: + traefik: + external: true diff --git a/roles/jitsi/vars/main.yml b/roles/jitsi/vars/main.yml new file mode 100644 index 0000000..40453de --- /dev/null +++ b/roles/jitsi/vars/main.yml 
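Review bot: Every password entry in the `environment:` lists of roles/jitsi/templates/docker-compose.yml.j2 is rendered as an unquoted YAML plain scalar, for example `- JVB_AUTH_PASSWORD={{ jvb_auth_password }}`. A vault value containing ` #` is silently cut short, one containing `: ` makes the file unparsable, and a `$` is read by Compose as variable interpolation, so the containers can end up with a different or weaker secret than the one stored in the vault. Rendering the whole entry through a quoting filter avoids all three: `- {{ ('JVB_AUTH_PASSWORD=' ~ jvb_auth_password) | replace('$', '$$') | to_json }}`. The same applies to the `JIBRI_RECORDER_PASSWORD`, `JIBRI_XMPP_PASSWORD`, `JICOFO_AUTH_PASSWORD` and `JIGASI_XMPP_PASSWORD` lines in the prosody, jicofo and jvb services.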
@@ -0,0 +1,47 @@ +service_name: jitsi +service_dir: "{{ base_service_dir }}/{{ service_name }}" +data_dir: "{{ base_data_dir }}/{{ service_name }}" + +public_domain: "meet.pizzapim.nl" +jvb_advertise_ips: "84.245.14.149,192.168.30.3" + +jvb_auth_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 32613939646334396165386233353938306165326532336564343762616465323734653564353939 + 6363616139653932326436656530613661326135303738370a653530663733343431663535373663 + 64656565386266613463623036346438636635343061623533343434663131623334333661363135 + 3633646237393563610a353763333332653462653136373139666566333062386265633234613065 + 32616565303764646365653165663862383233643839663563353838663663636332323939373665 + 6131666537326333326332383164333730623865646639353230 +jibri_recorder_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 65386136383631626262393861313161363563376662623964633138376462386366353035363930 + 6637353263633731613037623030646365613364303232620a646366356338383665316432613965 + 35613636343832623731646161373938343866616230613461373964303566323761663536376466 + 6365616132373532350a316639383266393835636233626562636466663737386234333362663066 + 65353534303835636430306536653062636466303265623836643030323237323332353431343066 + 6138383630643735393565363931343162383963343635336138 +jibri_xmpp_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 34323665313961613830346662346137643339316237316532646330393366373236323036373035 + 3530376164303730643832393865643231316537303133340a383562633937353139646231343265 + 33353933633463373366383236643364366631663136313164643231366537303437653962656166 + 3031333735346538370a616539323531653734663533303463623865613739373433656537613636 + 39306363313264306535666237376561633439666232303338343832303637366237323339373431 + 6131333434393931613437383061653238656165356136306331 +jicofo_auth_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 39613461623132346632623664633866356261653737393534366665653966623437323962636430 + 
3230656535333631333661653263343663323732376562350a616662353030646164336231366239 + 32373263303962646232383539656435633436633137383837633162363232336134346461386165 + 3633613665393264640a323030666235366363313532623732623862346433343336343035663661 + 63326636386330363362313665643466373935363161383932623839373462613032326331366333 + 3661313266306166633532643333623266316631386532653834 +jigasi_xmpp_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 35303333613961616236623134333063366261336239633836633435323235343864636237626136 + 3635356538663637656639323161316361663636323933370a326430333066383234643064303961 + 36393564646131313938363664636266653362373732656634653966663736313231613163313461 + 6565373230333635650a653630373339376637653634383733613531633535343438326631633739 + 31303966353235333533353730346135323438343266303431376563393330343563363432626639 + 3539636136386563376162383835346166663630633463336132 diff --git a/roles/nsd/files/zones/pizzapim.nl b/roles/nsd/files/zones/pizzapim.nl index 9c8e1e5..52493ab 100644 --- a/roles/nsd/files/zones/pizzapim.nl +++ b/roles/nsd/files/zones/pizzapim.nl @@ -1,7 +1,7 @@ $ORIGIN pizzapim.nl. $TTL 60 -pizzapim.nl. IN SOA ns.pizzapim.nl. pim.kunis.nl. 2023010701 1800 3600 1209600 3600 +pizzapim.nl. IN SOA ns.pizzapim.nl. pim.kunis.nl. 2023011400 1800 3600 1209600 3600 NS ns.pizzapim.nl. NS ns0.transip.net. @@ -22,3 +22,4 @@ cloud IN CNAME www.pizzapim.nl. social IN CNAME www.pizzapim.nl. dav IN CNAME www.pizzapim.nl. git IN CNAME www.pizzapim.nl. +meet IN CNAME www.pizzapim.nl. diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml index 635c1dd..d190b3f 100644 --- a/roles/traefik/tasks/main.yml +++ b/roles/traefik/tasks/main.yml 
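Review bot: `jvb_advertise_ips` in roles/jitsi/vars/main.yml hard-codes the host's public address and an internal LAN address in plain text inside the role, next to the vaulted passwords. These are deployment facts rather than role data, and the internal address tells any reader of the repository how the LAN is laid out. I would move the variable to inventory/group_vars/homeserver.yml, where this commit already places `jitsi_videobridge_port`, so that host addressing lives in one place that can be vaulted or kept private if needed. Role `vars/` also outranks inventory variables, so as written neither this value nor `public_domain` can be overridden per host.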
@@ -13,8 +13,8 @@ src: "{{ role_path }}/templates/docker-compose.yml.j2" dest: "{{ service_dir }}/docker-compose.yml" - name: Copy traefik.toml - copy: - src: "{{ role_path }}/files/traefik.toml" + template: + src: "{{ role_path }}/templates/traefik.toml.j2" dest: "{{ service_dir }}/traefik.toml" - name: Copy services.toml copy: diff --git a/roles/traefik/templates/docker-compose.yml.j2 b/roles/traefik/templates/docker-compose.yml.j2 index a892dea..34339d4 100644 --- a/roles/traefik/templates/docker-compose.yml.j2 +++ b/roles/traefik/templates/docker-compose.yml.j2 @@ -18,7 +18,7 @@ services: ports: - "443:443" - "80:80" - - "56287:56287" + - "{{ git_ssh_port }}:{{ git_ssh_port }}" volumes: - /var/run/docker.sock:/var/run/docker.sock - {{ service_dir }}/traefik.toml:/etc/traefik/traefik.toml diff --git a/roles/traefik/files/traefik.toml b/roles/traefik/templates/traefik.toml.j2 similarity index 85% rename from roles/traefik/files/traefik.toml rename to roles/traefik/templates/traefik.toml.j2 index 19c85f0..ac99065 100644 --- a/roles/traefik/files/traefik.toml +++ b/roles/traefik/templates/traefik.toml.j2 @@ -6,7 +6,9 @@ loglevel = "DEBUG" [entryPoints.websecure] address = ":443" [entryPoints.ssh] - address = ":56287" + address = ":{{ git_ssh_port }}" + [entryPoints.video] + address = ":{{ jitsi_videobridge_port }}/udp" [api]
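Review bot: The new `[entryPoints.video]` in roles/traefik/templates/traefik.toml.j2 listens on `:{{ jitsi_videobridge_port }}/udp`, but the `ports:` list in roles/traefik/templates/docker-compose.yml.j2 shown in this commit publishes only 443, 80 and `git_ssh_port`. Meanwhile the jvb service publishes that same UDP port on the host itself and is attached only to the `meet.jitsi` network. As far as the visible hunks show, media traffic reaches the videobridge directly and the Traefik UDP router is never used, which leaves dead configuration that obscures which path is actually exposed. I would pick one path: either drop the entry point and the `traefik.udp.*` labels, or remove `ports:` from jvb, attach it to the `traefik` network and add `- "{{ jitsi_videobridge_port }}:{{ jitsi_videobridge_port }}/udp"` to Traefik's `ports:`. Traefik UDP routers also take no rule, so the `traefik.udp.routers.jitsi-videobridge.rule` label should go in either case.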