Understanding the environment variables

[Lithimlin]

I'm currently trying to move an existing bare jitsi installation to the docker version and I'm running into some issues. I'm not sure if some of these things are not implemented (yet) or if I am just overlooking them somewhere in the docs.

My goal is a jitsi instance which can be used for workadventure and only for that. The authentication should work via JWTs.

I'm now at a point where I think I've been able to recreate most config files in some way or another through the use of the .env file. However, I'm struggling with getting the prosody configuration right.
Specifically, I can't seem to get/change the following things:

• add the turncredentials at the beginning of the old file
• an app-id and app-secret for the JWT authentication for the guest domain as well as the c2c-require-encryption
• add a component_secret to the focus component
• add the muc_domain_mapper to the muc component
• add "presence_identiy" to the list of enabled modules for the meet.jitsi Virtual Host
• remove the recorder block (optional)

For more details, please take a look at the two configs below.
Thanks already in advance for any tips and help.

EDIT: Added .env file.

Here's what I have on the old system's <my-domain>.cfg.lua:

unlimited_jids = { "focus@auth.<my-domain>", "jvb@auth.<my-domain>" }
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }                     
                                                                                
muc_mapper_domain_base = "<my-domain>";                                 
                     
-- --how would I add these following lines?--                                                           
turncredentials_secret = "<turn-secret>";                                    
                                                                                
turncredentials = {                                                             
    { type = "stun", host = "<my-domain>", port = "3478" },             
    { type = "turn", host = "<my-domain>", port = "3478", transport = "udp" },
    { type = "turns", host = "<my-domain>", port = "5349", transport = "tcp" }
};                                                                              
-- ----       
                                                                         
cross_domain_bosh = false;                                                      
consider_bosh_secure = true;                                                    
https_ports = { };      
                                                                                
ssl = {                                                                         
    protocol = "tlsv1_2+";                                                      
    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}

VirtualHost "<my-domain>"                                                             
    authentication = "token"                         
    app_id="<app-id>"                                   
    app_secret="<app-secret>"                                           
    ssl = {                                                                     
        key = "/etc/prosody/certs/<my-domain>.key";                     
        certificate = "/etc/prosody/certs/<my-domain>.crt";             
    }                                                                           
    speakerstats_component = "speakerstats.<my-domain>"                 
    conference_duration_component = "conferenceduration.<my-domain>"    
    modules_enabled = {                                                         
        "bosh";                                                                 
        "pubsub";                                                               
        "ping";                                          
        "speakerstats";                                                         
        "turncredentials";                                                      
        "conference_duration";                                                  
        "muc_lobby_rooms";                                                      
        "presence_identity";                                                    
    }                                                                           
    c2s_require_encryption = true                                               
    lobby_muc = "lobby.<my-domain>"                                     
    main_muc = "conference.<my-domain>"
                                                                                
Component "conference<my-domain>" "muc"                                
    restrict_room_creation = true                                               
    storage = "memory"                                                          
    modules_enabled = {                                                         
        "muc_meeting_id";                                                       
        "muc_domain_mapper";                                                    
        "token_verification";                                                   
    }                                                                           
    admins = { "focus@auth.<my-domain>" }                               
    muc_room_locking = false                                                    
    muc_room_default_public_jids = true
                                                                               
                                               
Component "internal.auth.<my-domain>" "muc"                             
    storage = "memory"                                                          
    modules_enabled = {                                                         
        "ping";                                                                 
    }                                                                           
    admins = { "focus@auth.<my-domain>", "jvb@auth.<my-domain>" }
    muc_room_locking = false                                                    
    muc_room_default_public_jids = true                                         
                                                                                
VirtualHost "auth.<my-domain>"                                          
    modules_enabled = { "limits_exception"; }                                   
    ssl = {                                                                     
        key = "/etc/prosody/certs/auth.<my-domain>.key";                
        certificate = "/etc/prosody/certs/auth.<my-domain>.crt";        
    }                                                                           
    authentication = "internal_plain"                                           
                                                                                
VirtualHost "guest.<my-domain>"                                                     
    authentication = "token";                                                
    app_id = "<app-id>";                      
    app_secret = "<app-secret>";     
                                                                                
    c2s_require_encryption = true;                                              
    allow_empty_token = true;                                                   
                                                                                
Component "focus.<my-domain>" "client_proxy"                            
    target_address = "focus@auth.<my-domain>"                           
    component_secret = "<component-secret>"                                               
                                                                                
Component "speakerstats.<my-domain>" "speakerstats_component"           
    muc_component = "conference.<my-domain>"                            
                                                                                
Component "conferenceduration.<my-domain>" "conference_duration_component"
    muc_component = "conference.<my-domain>"                            
                                                                                
Component "lobby.<my-domain>" "muc"                                     
    storage = "memory"                                                          
    restrict_room_creation = true                                               
    muc_room_locking = false                                                    
    muc_room_default_public_jids = true

And here's how much I've been able to recreate through the .env file:

admins = {                                                                      
    "[email protected]",                                                    
    "[email protected]"                                                       
}                                                                               
                                                                                
unlimited_jids = {                                                              
    "[email protected]",                                                    
    "[email protected]"                                                       
}                                                                               
                                                                                
plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom" }               
http_default_host = "meet.jitsi"

consider_bosh_secure = true;

cross_domain_websocket = { "https://<my-domain>","https://meet.jitsi" }
cross_domain_bosh = { "https://<my-domain>","https://meet.jitsi" }  
                                                                             
VirtualHost "meet.jitsi"                                                                      
    authentication = "token"                                                    
    app_id = "<app-id>"                                                   
    app_secret = "<app-secret>"                                         
    allow_empty_token = false                                                                            
                                                       
    ssl = {                                                                     
        key = "/config/certs/meet.jitsi.key";                                   
        certificate = "/config/certs/meet.jitsi.crt";                           
    }                                                                           
    modules_enabled = {                                                         
        "bosh";                                              
        "websocket";                                                            
        "smacks";                             
        "pubsub";                                                               
        "ping"                                                                  
        "speakerstats";                                                         
        "conference_duration";                                 
        "muc_lobby_rooms";  
        -- --missing "presence_identiy" here (not sure if necessary)--                                                           
    }                                                                        
    main_muc = "muc.meet.jitsi"                                                 
    lobby_muc = "lobby.meet.jitsi"                    
    muc_lobby_whitelist = { "recorder.meet.jitsi" }                            
                                                           
    speakerstats_component = "speakerstats.meet.jitsi"                          
    conference_duration_component = "conferenceduration.meet.jitsi"             
                                                              
    c2s_require_encryption = false

VirtualHost "guest.meet.jitsi"                                                  
    authentication = "token"                                        
    app_id = ""        -- --app id missing here--
    app_secret = ""      -- --app secret missing here--
    allow_empty_token = true                       
    c2s_require_encryption = false   -- --should be true--
                                                                                
                                                                                
VirtualHost "auth.meet.jitsi"                                                   
    ssl = {                                                                     
        key = "/config/certs/auth.meet.jitsi.key";                              
        certificate = "/config/certs/auth.meet.jitsi.crt";                      
    }                                                                           
    modules_enabled = {                                                         
        "limits_exception";                                                     
    }                                                                           
    authentication = "internal_hashed"              
                               
-- --not disabled despite setting the corresponding flag to 0 but shouldn't be such a big issue--                                                 
VirtualHost "recorder.meet.jitsi"                                               
    modules_enabled = {                                                         
      "ping";                                                                   
    }                                                                           
    authentication = "internal_hashed"                                          
        
Component "internal-muc.meet.jitsi" "muc"                                       
    storage = "memory"                                                          
    modules_enabled = {                                                         
        "ping";                                                         
    }                                                                           
    restrict_room_creation = true                                               
    muc_room_locking = false                                                    
    muc_room_default_public_jids = true                                         
                                                                                
Component "muc.meet.jitsi" "muc"                                                
    storage = "memory"                                                          
    modules_enabled = {                                                         
        "muc_meeting_id";                                           
        "token_verification";
        -- --no muc_domain_mapper here. not sure if necessary with this setup--                                              
    }                                                                           
    muc_room_cache_size = 1000                                                  
    muc_room_locking = false                                                    
    muc_room_default_public_jids = true

Component "focus.meet.jitsi" "client_proxy"                                     
    target_address = "[email protected]"   
    -- --no component_secret here--                                 
                                                                                
Component "speakerstats.meet.jitsi" "speakerstats_component"                    
    muc_component = "muc.meet.jitsi"                                            
                                                                                
Component "conferenceduration.meet.jitsi" "conference_duration_component"       
    muc_component = "muc.meet.jitsi"                                            
                                                                              
Component "lobby.meet.jitsi" "muc"                                              
    storage = "memory"                                                          
    restrict_room_creation = true                                               
    muc_room_locking = false                                                    
    muc_room_default_public_jids = true

Here's the .env file I used:

# shellcheck disable=SC2034

# Security
# [...]


#
# Basic configuration options
#

# Directory where all configuration will be stored
CONFIG=/opt/jitsi-meet-cfg

# Exposed HTTP port
HTTP_PORT=8000

# Exposed HTTPS port
HTTPS_PORT=8443

# System time zone
TZ=<my-tz>

# Public URL for the web service (required)
PUBLIC_URL=<my-domain>

# IP address of the Docker host
# See the "Running behind NAT or on a LAN environment" section in the Handbook:
# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment
#DOCKER_HOST_ADDRESS=192.168.1.1

# Control whether the lobby feature should be enabled or not
ENABLE_LOBBY=1

# Show a prejoin page before entering a conference
ENABLE_PREJOIN_PAGE=0

# Enable the welcome page
ENABLE_WELCOME_PAGE=1

# Enable the close page
ENABLE_CLOSE_PAGE=0

# Disable measuring of audio levels
DISABLE_AUDIO_LEVELS=0

# Enable noisy mic detection
ENABLE_NOISY_MIC_DETECTION=1

#
# Let's Encrypt configuration
# [disabled, thus skipped]

#
# Etherpad integration (for document sharing)
# [not used, thus skipped]

#
# Basic Jigasi configuration options (needed for SIP gateway support)
# [not used, thus skipped]

#
# Authentication configuration (see handbook for details)
#

# Enable authentication
ENABLE_AUTH=1

# Enable guest access
ENABLE_GUESTS=1

# Select authentication type: internal, jwt or ldap
AUTH_TYPE=jwt

# JWT authentication
#

# Application identifier
JWT_APP_ID=<app-id>

# Application secret known only to your token generator
JWT_APP_SECRET=<app-secret>

# (Optional) Set asap_accepted_issuers as a comma separated list
#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client

# (Optional) Set asap_accepted_audiences as a comma separated list
#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2

# (Optional) Allow anonymous users with no JWT while validating JWTs when provided
JWT_ALLOW_EMPTY=0
#

# LDAP authentication
# [not used, thus skipped]


#
# Advanced configuration options (you generally don't need to change these)
#

# Internal XMPP domain
XMPP_DOMAIN=meet.jitsi

# Internal XMPP server
XMPP_SERVER=xmpp.meet.jitsi

# Internal XMPP server URL
XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280

# Internal XMPP domain for authenticated services
XMPP_AUTH_DOMAIN=auth.meet.jitsi

# XMPP domain for the MUC
XMPP_MUC_DOMAIN=muc.meet.jitsi

# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools
XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi

# XMPP domain for unauthenticated users
XMPP_GUEST_DOMAIN=guest.meet.jitsi

# Comma separated list of domains for cross domain policy or "true" to allow all
# The PUBLIC_URL is always allowed
#XMPP_CROSS_DOMAIN=true

# Custom Prosody modules for XMPP_DOMAIN (comma separated)
XMPP_MODULES=

# Custom Prosody modules for MUC component (comma separated)
XMPP_MUC_MODULES=

# Custom Prosody modules for internal MUC component (comma separated)
XMPP_INTERNAL_MUC_MODULES=

# MUC for the JVB pool
JVB_BREWERY_MUC=jvbbrewery

# XMPP user for JVB client connections
JVB_AUTH_USER=jvb

# STUN servers used to discover the server's public IP
JVB_STUN_SERVERS=<my-stun-domain>

# Media port for the Jitsi Videobridge
JVB_PORT=10000

# TCP Fallback for Jitsi Videobridge for when UDP isn't available
JVB_TCP_HARVESTER_DISABLED=true
JVB_TCP_PORT=4443
JVB_TCP_MAPPED_PORT=4443

# A comma separated list of APIs to enable when the JVB is started [default: none]
# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information
JVB_ENABLE_APIS=rest,colibri

# XMPP user for Jicofo client connections.
# NOTE: this option doesn't currently work due to a bug
JICOFO_AUTH_USER=focus

# Base URL of Jicofo's reservation REST API
#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com

# Enable Jicofo's health check REST API (http://<jicofo_base_url>:8888/about/health)
#JICOFO_ENABLE_HEALTH_CHECKS=true

# [Jigasi stuff skipped]

# Enable recording
ENABLE_RECORDING=0 # Also had this in its commented state before

# XMPP domain for the jibri recorder
XMPP_RECORDER_DOMAIN=recorder.meet.jitsi

# XMPP recorder user for Jibri client connections
JIBRI_RECORDER_USER=recorder

# Directory for recordings inside Jibri container
JIBRI_RECORDING_DIR=/config/recordings

# The finalizing script. Will run after recording is complete
#JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh

# XMPP user for Jibri client connections
JIBRI_XMPP_USER=jibri

# MUC name for the Jibri pool
JIBRI_BREWERY_MUC=jibribrewery

# MUC connection timeout
JIBRI_PENDING_TIMEOUT=90

# When jibri gets a request to start a service for a room, the room
# jid will look like: [email protected]_domain
# We'll build the url for the call by transforming that into:
# https://xmpp_domain/subdomain/roomName
# So if there are any prefixes in the jid (like jitsi meet, which
# has its participants join a muc at conference.xmpp_domain) then
# list that prefix here so it can be stripped out to generate
# the call url correctly
JIBRI_STRIP_DOMAIN_JID=muc

# Directory for logs inside Jibri container
JIBRI_LOGS_DIR=/config/logs

# Disable HTTPS: handle TLS connections outside of this setup
#DISABLE_HTTPS=1

# Enable FLoC
# Opt-In to Federated Learning of Cohorts tracking
#ENABLE_FLOC=0

# Redirect HTTP traffic to HTTPS
# Necessary for Let's Encrypt, relies on standard HTTPS port (443)
ENABLE_HTTP_REDIRECT=1

# Send a `strict-transport-security` header to force browsers to use
# a secure and trusted connection. Recommended for production use.
# Defaults to 1 (send the header).
# ENABLE_HSTS=1

# Enable IPv6
# Provides means to disable IPv6 in environments that don't support it (get with the times, people!)
ENABLE_IPV6=1

# Container restart policy
# Defaults to unless-stopped
RESTART_POLICY=unless-stopped

# Authenticate using external service or just focus external auth window if there is one already.
# TOKEN_AUTH_URL=https://auth.meet.example.com/{room}

[prayagsingh]

* add the `turncredentials` at the beginning of the old file

Not possible as of now via env variables. A PR is in progress to add this functionality.

* an app-id and app-secret for the JWT authentication for the guest domain as well as the `c2c-require-encryption`

configure it in .env file here.

* add a `component_secret` to the `focus` component

No need to do anything explicitly to manage these. simply follow the User Guide and scripts are there to manage it for you.

* add the `muc_domain_mapper` to the `muc` component

A PR is in progress.

* add `"presence_identiy"` to the list of enabled modules for the `meet.jitsi` Virtual Host

Set AUTH_TYPE = jwt here and these module will be there in prosody-config.

* remove the `recorder` block (optional)

Recording is disabled by default. check here

If you want to add the config which is not present at this moment then you have to build your own docker image for prosody.

[Lithimlin]

Thanks for the help! However, some things are still not quite clear to me.

* an app-id and app-secret for the JWT authentication for the guest domain as well as the `c2c-require-encryption`

configure it in .env file here.

* add `"presence_identiy"` to the list of enabled modules for the `meet.jitsi` Virtual Host

Set AUTH_TYPE = jwt here and these module will be there in prosody-config.

That's what I've done. However, it has no effect on the guest domain's config. It only affects the main domain's config.

* remove the `recorder` block (optional)

Recording is disabled by default. check here

Even when it was disabled by default, the recorder block was generated.

[Lithimlin]

Added my .env file for better understanding.

[Lithimlin]

I've tried editing some of the files in /prosody/ and (re-)building the image with make.
I've also changed the prosody image in the docker-compose.yml from jitsi/prosody:stable-5963 to ...:latest so I actually use the freshly built image. However, it doesn't seem to correctly copy the rootfs directory perhaps?

For some reason I end up with an empty file in place of the {$CONFIG}/prosody/config/conf.d/jitsi-meet.cfg.lua and I'm not sure why that is.

EDIT: I've checked the contents of the container/image and the file was copied correctly. The end result is still empty though.

[prayagsingh]

For some reason I end up with an empty file in place of the {$CONFIG}/prosody/config/conf.d/jitsi-meet.cfg.lua and I'm not sure why that is.

Can you please check the directory using sudo permission like sudo ls {$CONFIG}/prosody/config/conf.d/?

[Lithimlin]

Sure. This is the output:

# ls -l {$CONFIG}/prosody/config/conf.d/
total 0
-rw-r--r-- 1 root root 0 Jul 30 09:35 jitsi-meet.cfg.lua

I'm already root which is why the sudo is omitted. Should the directory/file not belong to root?

[Lithimlin]

So, I've now tried removing all images and then rebuilding the prosody image.
When I now check the contents of the container, the /config/conf.d/jitsi-meet.cfg.lua is empty as well, explaining why the file in the volume is empty as well. The /defaults/conf.d/jitsi-meet.cfg.lua however has all the correct contents (i.e. the modifications I made).

I've checked prosody's logs and it seems the environment is not configured correctly? Here's the output:

prosody_1  | [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
prosody_1  | [s6-init] ensuring user provided files have correct perms...exited 0.
prosody_1  | [fix-attrs.d] applying ownership & permissions fixes...
prosody_1  | [fix-attrs.d] done.
prosody_1  | [cont-init.d] executing container initialization scripts...
prosody_1  | [cont-init.d] 01-set-timezone: executing... 
prosody_1  | [cont-init.d] 01-set-timezone: exited 0.
prosody_1  | [cont-init.d] 10-config: executing... 
prosody_1  | Adding user `prosody' to group `sasl' ...
prosody_1  | Adding user prosody to group sasl
prosody_1  | Done.
prosody_1  | fatal: unable to parse template file, caused:
prosody_1  | 
prosody_1  |    template: /defaults/conf.d/jitsi-meet.cfg.lua:36: function "Env" not defined
prosody_1  | 
prosody_1  | The given hostname does not exist in the config
[...]

[Lithimlin]

Ah, it seems I should have just read the error message more carefully: It clearly states that there's an issue in line 36. It turns out I'd been missing a . there.