Few debian updates

config.js

@@ -343,7 +343,7 @@ var config = {
         // The STUN servers that will be used in the peer to peer connections
         stunServers: [
 
-            // { urls: 'stun:jitsi-meet.example.com:443' },
+            // { urls: 'stun:jitsi-meet.example.com:4446' },
             { urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' }
         ],
 

debian/control

@@ -53,5 +53,6 @@ Description: Prosody token authentication plugin for Jitsi Meet
 Package: jitsi-meet-turnserver
 Architecture: all
 Breaks: apache2
+Pre-Depends: jitsi-meet-web-config
 Depends: ${misc:Depends}, nginx (>= 1.13.10) | nginx-full (>= 1.13.10) | nginx-extras (>= 1.13.10), jitsi-meet-prosody, coturn, dnsutils
 Description: Configures coturn to be used with Jitsi Meet

debian/jitsi-meet-prosody.postinst

@@ -134,7 +134,7 @@ case "$1" in
         # as we are migrating configs
         if [ -f $PROSODY_HOST_CONFIG ] && ! grep -q "internal.auth.$JVB_HOSTNAME" $PROSODY_HOST_CONFIG; then
             echo -e "\nComponent \"internal.auth.$JVB_HOSTNAME\" \"muc\"" >> $PROSODY_HOST_CONFIG
-            echo -e "    storage = \"null\"" >> $PROSODY_HOST_CONFIG
+            echo -e "    storage = \"memory\"" >> $PROSODY_HOST_CONFIG
             echo -e "    modules_enabled = { \"ping\"; }" >> $PROSODY_HOST_CONFIG
             echo -e "    admins = { \"$JICOFO_AUTH_USER@auth.$JVB_HOSTNAME\", \"jvb@auth.$JVB_HOSTNAME\" }" >> $PROSODY_HOST_CONFIG
         fi
@@ -148,14 +148,13 @@ case "$1" in
             ln -sf /var/lib/prosody/$JVB_HOSTNAME.crt /etc/prosody/certs/$JVB_HOSTNAME.crt
         fi
 
-        PR11_INSTALL_CHECK="$(dpkg-query -f '${Status}' -W 'prosody-0.11' 2>/dev/null | awk '{print $3}' || true)"
+        PRTRUNK_INSTALL_CHECK="$(dpkg-query -f '${Status}' -W 'prosody-trunk' 2>/dev/null | awk '{print $3}' || true)"
         PR10_INSTALL_CHECK="$(dpkg-query -f '${Status}' -W 'prosody-0.10' 2>/dev/null | awk '{print $3}' || true)"
         PR_VER_INSTALLED=$(dpkg-query -f='${Version}\n' --show prosody  2>/dev/null || true)
-        if [ "$PR11_INSTALL_CHECK" = "installed" ] \
-            || [ "$PR11_INSTALL_CHECK" = "unpacked" ] \
-            || dpkg --compare-versions "$PR_VER_INSTALLED" gt "0.11" ; then
+        if [ "$PRTRUNK_INSTALL_CHECK" = "installed" ] \
+            || [ "$PRTRUNK_INSTALL_CHECK" = "unpacked" ] ; then
             if [ -f $PROSODY_HOST_CONFIG ]; then
-                sed -i 's/storage = \"null\"/storage = \"memory\"/g' $PROSODY_HOST_CONFIG
+                sed -i 's/storage = \"memory\"/storage = \"null\"/g' $PROSODY_HOST_CONFIG
 
                 # trigger a restart
                 PROSODY_CONFIG_PRESENT="false"
@@ -168,7 +167,7 @@ case "$1" in
             # if the version is 0.10.X (>0.10 and <0.11)
             if [ -f $PROSODY_HOST_CONFIG ] \
                 && dpkg --compare-versions "$PR_VER_INSTALLED" lt "0.11" ; then
-                sed -i 's/storage = \"null\"/storage = \"none\"/g' $PROSODY_HOST_CONFIG
+                sed -i 's/storage = \"memory\"/storage = \"none\"/g' $PROSODY_HOST_CONFIG
 
                 # trigger a restart
                 PROSODY_CONFIG_PRESENT="false"

debian/jitsi-meet-tokens.postinst

@@ -69,12 +69,15 @@ case "$1" in
                    echo "Failed to install basexx - try installing it manually"
                 fi
 
-                PR11_INSTALL_CHECK="$(dpkg-query -f '${Status}' -W 'prosody-0.11' 2>/dev/null | awk '{print $3}' || true)"
+                PR10_INSTALL_CHECK="$(dpkg-query -f '${Status}' -W 'prosody-0.10' 2>/dev/null | awk '{print $3}' || true)"
+                PRTRUNK_INSTALL_CHECK="$(dpkg-query -f '${Status}' -W 'prosody-trunk' 2>/dev/null | awk '{print $3}' || true)"
                 PR_VER_INSTALLED=$(dpkg-query -f='${Version}\n' --show prosody  2>/dev/null || true)
-                if [ "$PR11_INSTALL_CHECK" = "installed" ] \
-                    || [ "$PR11_INSTALL_CHECK" = "unpacked" ] \
-                    || dpkg --compare-versions "$PR_VER_INSTALLED" gt "0.11" ; then
-                    sed -i 's/module:hook/module:hook_global/g' /usr/share/jitsi-meet/prosody-plugins/mod_auth_token.lua
+                if [ "$PR10_INSTALL_CHECK" = "installed" ] \
+                    || "$PR10_INSTALL_CHECK" = "unpacked"  \
+                    || "$PRTRUNK_INSTALL_CHECK" = "installed"  \
+                    || "$PRTRUNK_INSTALL_CHECK" = "unpacked"  \
+                    || dpkg --compare-versions "$PR_VER_INSTALLED" lt "0.11" ; then
+                    sed -i 's/module:hook_global(/module:hook(/g' /usr/share/jitsi-meet/prosody-plugins/mod_auth_token.lua
                 fi
 
                 if [ -x "/etc/init.d/prosody" ]; then

debian/jitsi-meet-turnserver.install

@@ -1,2 +1,3 @@
-doc/debian/jitsi-meet-turn/turnserver.conf  /usr/share/jitsi-meet-turnserver/
-doc/debian/jitsi-meet/jitsi-meet.conf       /usr/share/jitsi-meet-turnserver/
+doc/debian/jitsi-meet-turn/turnserver.conf          /usr/share/jitsi-meet-turnserver/
+doc/debian/jitsi-meet/jitsi-meet.conf               /usr/share/jitsi-meet-turnserver/
+doc/debian/jitsi-meet-turn/coturn-certbot-deploy.sh /usr/share/jitsi-meet-turnserver/

debian/jitsi-meet-turnserver.postinst

@@ -112,13 +112,6 @@ case "$1" in
         sed -i "s/__turnSecret__/$TURN_SECRET/g" $TURN_CONFIG
         sed -i "s/__external_ip_address__/$JVB_HOSTNAME/g" $TURN_CONFIG
 
-        # Hack Debian Buster coturn to be able to bind privileged port 443
-        COTURN_UNIT_FILE="/lib/systemd/system/coturn.service"
-        if [[ -f $COTURN_UNIT_FILE ]] && ! grep -q "CAP_NET_BIND_SERVICE" "$COTURN_UNIT_FILE" ; then
-            sed -i "s/\[Service\]/\[Service\]\nAmbientCapabilities=CAP_NET_BIND_SERVICE/g" $COTURN_UNIT_FILE
-            systemctl daemon-reload
-        fi
-
         # SSL for nginx
         db_get jitsi-meet/cert-choice
         CERT_CHOICE="$RET"

doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example

@@ -6,8 +6,8 @@ muc_mapper_domain_base = "jitmeet.example.com";
 turncredentials_secret = "__turnSecret__";
 
 turncredentials = {
-  { type = "stun", host = "jitmeet.example.com", port = "443" },
-  { type = "turn", host = "jitmeet.example.com", port = "443", transport = "udp" },
+  { type = "stun", host = "jitmeet.example.com", port = "4446" },
+  { type = "turn", host = "jitmeet.example.com", port = "4446", transport = "udp" },
   { type = "turns", host = "jitmeet.example.com", port = "443", transport = "tcp" }
 };
 
@@ -43,7 +43,7 @@ VirtualHost "jitmeet.example.com"
         c2s_require_encryption = false
 
 Component "conference.jitmeet.example.com" "muc"
-    storage = "null"
+    storage = "memory"
     modules_enabled = {
         "muc_meeting_id";
         "muc_domain_mapper";
@@ -55,11 +55,13 @@ Component "conference.jitmeet.example.com" "muc"
 
 -- internal muc component
 Component "internal.auth.jitmeet.example.com" "muc"
-    storage = "null"
+    storage = "memory"
     modules_enabled = {
       "ping";
     }
     admins = { "[email protected]", "[email protected]" }
+    muc_room_locking = false
+    muc_room_default_public_jids = true
 
 VirtualHost "auth.jitmeet.example.com"
     authentication = "internal_plain"

doc/debian/jitsi-meet-turn/coturn-certbot-deploy.sh

@@ -0,0 +1,42 @@
+#!/bin/sh
+
+set -e
+
+COTURN_CERT_DIR="/etc/coturn/certs"
+TURN_CONFIG="/etc/turnserver.conf"
+
+# create a directory to store certs if it does not exists
+if [ ! -d "$COTURN_CERT_DIR" ]; then
+	mkdir -p /etc/coturn/certs
+	chown -R turnserver:turnserver /etc/coturn/
+	chmod -R 700 /etc/coturn/
+fi
+
+for domain in $RENEWED_DOMAINS; do
+        case $domain in
+        jitsi-meet.example.com)
+                # Make sure the certificate and private key files are
+                # never world readable, even just for an instant while
+                # we're copying them into daemon_cert_root.
+                umask 077
+
+                cp "$RENEWED_LINEAGE/fullchain.pem" "$COTURN_CERT_DIR/$domain.fullchain.pem"
+                cp "$RENEWED_LINEAGE/privkey.pem" "$COTURN_CERT_DIR/$domain.privkey.pem"
+
+                # Apply the proper file ownership and permissions for
+                # the daemon to read its certificate and key.
+                chown turnserver "$COTURN_CERT_DIR/$domain.fullchain.pem" \
+                        "$COTURN_CERT_DIR/$domain.privkey.pem"
+                chmod 400 "$COTURN_CERT_DIR/$domain.fullchain.pem" \
+                        "$COTURN_CERT_DIR/$domain.privkey.pem"
+
+                if [ -f $TURN_CONFIG ] && grep -q "jitsi-meet coturn config" "$TURN_CONFIG" ; then
+                    echo "Configuring turnserver"
+                    sed -i "/^cert/c\cert=\/etc\/coturn\/certs\/${domain}.fullchain.pem" $TURN_CONFIG
+                    sed -i "/^pkey/c\pkey=\/etc\/coturn\/certs\/${domain}.privkey.pem" $TURN_CONFIG
+                fi
+                service coturn restart
+                ;;
+        esac
+done
+

doc/debian/jitsi-meet-turn/turnserver.conf

@@ -1,5 +1,4 @@
 # jitsi-meet coturn config. Do not modify this line
-lt-cred-mech
 use-auth-secret
 keep-address-family
 static-auth-secret=__turnSecret__
@@ -8,7 +7,7 @@ cert=/etc/jitsi/meet/jitsi-meet.example.com.crt
 pkey=/etc/jitsi/meet/jitsi-meet.example.com.key
 
 no-tcp
-listening-port=443
+listening-port=4446
 tls-listening-port=4445
 external-ip=__external_ip_address__
 

doc/quick-install.md

@@ -29,7 +29,7 @@ wget -qO -  https://download.jitsi.org/jitsi-key.gpg.key | sudo apt-key add -
 ### Install Jitsi Meet
 
 _Note_: The installer will check if [Nginx](https://nginx.org/) or [Apache](https://httpd.apache.org/) is present (in that order) and configure a virtualhost within the web server it finds to serve Jitsi Meet. If none of the above is found it then defaults to Nginx.
-If you are already running Nginx on port 443 on the same machine you better skip the turnserver configuration as it will conflict with your current port 443, so use the command `apt install --no-install-recommends jitsi-meet`.
+If you are already running Nginx on port 443 on the same machine turnserver configuration will be skipped as it will conflict with your current port 443.
 
 ```sh
 # Ensure support is available for apt repositories served via HTTPS

resources/install-letsencrypt-cert.sh

@@ -14,6 +14,8 @@ echo "- Download certbot-auto from https://dl.eff.org to /usr/local/sbin"
 echo "- Install additional dependencies in order to request Let’s Encrypt certificate"
 echo "- If running with jetty serving web content, will stop Jitsi Videobridge"
 echo "- Configure and reload nginx or apache2, whichever is used"
+echo "- Configure the coturn server to use Let's Encrypt certificate and add required deploy hooks"
+echo "- Add command in weekly cron job to renew certificates regularly"
 echo ""
 echo "You need to agree to the ACME server's Subscriber Agreement (https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf) "
 echo "by providing an email address for important account notifications"
@@ -40,10 +42,21 @@ CERT_CRT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
 
 if [ -f /etc/nginx/sites-enabled/$DOMAIN.conf ] ; then
 
+    TURN_CONFIG="/etc/turnserver.conf"
+    TURN_HOOK=/etc/letsencrypt/renewal-hooks/deploy/0000-coturn-certbot-deploy.sh
+    if [ -f $TURN_CONFIG ] && grep -q "jitsi-meet coturn config" "$TURN_CONFIG" ; then
+        mkdir -p $(dirname $TURN_HOOK)
+
+        cp /usr/share/jitsi-meet-turnserver/coturn-certbot-deploy.sh $TURN_HOOK
+        chmod u+x $TURN_HOOK
+        sed -i "s/jitsi-meet.example.com/$DOMAIN/g" $TURN_HOOK
+    fi
+
     ./certbot-auto certonly --noninteractive \
     --webroot --webroot-path /usr/share/jitsi-meet \
     -d $DOMAIN \
-    --agree-tos --email $EMAIL
+    --agree-tos --email $EMAIL \
+    --deploy-hook $TURN_HOOK
 
     echo "Configuring nginx"
 
@@ -59,16 +72,6 @@ if [ -f /etc/nginx/sites-enabled/$DOMAIN.conf ] ; then
 
     echo "service nginx reload" >> $CRON_FILE
     service nginx reload
-
-    TURN_CONFIG="/etc/turnserver.conf"
-    if [ -f $TURN_CONFIG ] && grep -q "jitsi-meet coturn config" "$TURN_CONFIG" ; then
-        echo "Configuring turnserver"
-        sed -i "s/cert=\/etc\/jitsi\/meet\/.*crt/cert=$CERT_CRT_ESC/g" $TURN_CONFIG
-        sed -i "s/pkey=\/etc\/jitsi\/meet\/.*key/pkey=$CERT_KEY_ESC/g" $TURN_CONFIG
-
-        echo "service coturn restart" >> $CRON_FILE
-        service coturn restart
-    fi
 elif [ -f /etc/apache2/sites-enabled/$DOMAIN.conf ] ; then
 
     ./certbot-auto certonly --noninteractive \
@@ -90,27 +93,6 @@ elif [ -f /etc/apache2/sites-enabled/$DOMAIN.conf ] ; then
 
     echo "service apache2 reload" >> $CRON_FILE
     service apache2 reload
-else
-    service jitsi-videobridge stop
-
-    ./certbot-auto certonly --noninteractive \
-    --standalone \
-    -d $DOMAIN \
-    --agree-tos --email $EMAIL
-
-    echo "Configuring jetty"
-
-    CERT_P12="/etc/jitsi/videobridge/$DOMAIN.p12"
-    CERT_JKS="/etc/jitsi/videobridge/$DOMAIN.jks"
-    # create jks from  certs
-    openssl pkcs12 -export \
-        -in $CERT_CRT -inkey $CERT_KEY -passout pass:changeit > $CERT_P12
-    keytool -importkeystore -destkeystore $CERT_JKS \
-        -srckeystore $CERT_P12 -srcstoretype pkcs12 \
-        -noprompt -storepass changeit -srcstorepass changeit
-
-    service jitsi-videobridge start
-
 fi
 
 # the cron file that will renew certificates

resources/prosody-plugins/mod_auth_token.lua

@@ -37,8 +37,8 @@ function init_session(event)
     end
 end
 
-module:hook("bosh-session", init_session);
-module:hook("websocket-session", init_session);
+module:hook_global("bosh-session", init_session);
+module:hook_global("websocket-session", init_session);
 
 function provider.test_password(username, password)
 	return nil, "Password based auth not supported";