meta/jitsi: meta port for jitsi and friends

has a detailed README to setup a single host install
includes sample configs for nginx and prosody

lots of help by Philipp Buehler <pb-openbsd AT sysfive DOT com>

README tweaks from george@
comments by landry@ and sthen@
ok sthen@

meta/jitsi/Makefile

@@ -0,0 +1,28 @@
+COMMENT=	meta package for all Jitsi Meet components
+
+CATEGORIES=	meta net
+
+VERSION=	1.0
+
+MAINTAINER=	Philipp Buehler <pb-openbsd@sysfive.com>, \
+		Aisha Tammy <openbsd@aisha.cc>
+
+PKGNAME=	jitsi-${VERSION}
+
+# ISC
+PERMIT_PACKAGE=	Yes
+
+RUN_DEPENDS=	net/jitsi/jicofo \
+		net/jitsi/meet \
+		net/jitsi/prosody-plugins \
+		net/jitsi/srtp \
+		net/jitsi/videobridge
+
+
+do-install:
+	${INSTALL_DATA_DIR} ${PREFIX}/share/jitsi/
+	${SUBST_DATA} \
+		${FILESDIR}/prosody.cfg.lua.sample ${PREFIX}/share/jitsi/prosody.cfg.lua.sample
+
+
+.include <bsd.port.mk>

meta/jitsi/files/prosody.cfg.lua.sample

@@ -0,0 +1,63 @@
+prosody_user = "_prosody"
+prosody_group = "_prosody"
+
+pidfile = "/var/prosody/prosody.pid"
+
+modules_enabled = {
+                "disco"; -- Service discovery
+                "roster"; -- Allow users to have a roster. Recommended ;)
+                "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+                "tls"; -- Add support for secure TLS on c2s/s2s connections
+                "blocklist"; -- Allow users to block communications with other users
+                "carbons"; -- Keep multiple online clients in sync
+                "smacks"; -- Stream management and resumption (XEP-0198)
+                "ping"; -- Replies to XMPP pings with pongs
+                "register"; -- Allow users to register on this server using a client and change passwords
+                "time"; -- Let others know the time here on this server
+                "uptime"; -- Report how long server has been running
+                "version"; -- Replies to server version requests
+                "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+                "admin_shell"; -- Allow secure administration via prosodyctl shell
+}
+http_ports = { 5280 }
+http_interfaces = { "*", "::" }
+
+-- per Vhost: authentication = "internal_hashed"
+
+log = {
+        info = "/var/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
+        error = "/var/prosody/prosody.err";
+}
+
+-- ### MAIN
+
+VirtualHost "jitsi.example.com"
+    authentication = "anonymous";
+    modules_enabled = {
+        "bosh";
+        "pubsub";
+    }
+    c2s_require_encryption = false
+
+VirtualHost "auth.jitsi.example.com"
+    ssl = {
+         key = "/var/prosody/auth.jitsi.example.com.key";
+         certificate = "/var/prosody/auth.jitsi.example.com.crt";
+    }
+    authentication = "internal_hashed"
+
+Component "conference.jitsi.example.com" "muc"
+Component "jvb.jitsi.example.com"
+    component_secret = "${JVB_COMP_PASS}"
+Component "focus.jitsi.example.com" "client_proxy"
+    target_address = "focus@auth.jitsi.example.com"
+    -- component_secret = "${FOCUS_COMP_PASS}"
+Component "internal.auth.jitsi.example.com" "muc"
+    storage = "memory"
+    modules_enabled = {
+      "ping";
+    }
+    admins = { "focus@auth.jitsi.example.com", "jvb@auth.jitsi.example.com" }
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+    muc_room_cache_size = 1000

meta/jitsi/pkg/DESCR

@@ -0,0 +1,2 @@
+meta package for jitsi components along with a short tutorial for
+setting up a simple server.

meta/jitsi/pkg/PLIST

@@ -0,0 +1,3 @@
+share/doc/pkg-readmes/${PKGSTEM}
+share/jitsi/
+share/jitsi/prosody.cfg.lua.sample

meta/jitsi/pkg/README

@@ -0,0 +1,234 @@
++-------------------------------------------------------------------------------
+| Running jitsi on OpenBSD
++-------------------------------------------------------------------------------
+
+A basic configuration guide is provided here which will set up a single node
+jitsi-meet instance where anyone can create a conference room and invite others
+to join them.
+We will assume that the domain of interest is 'example.com' and jitsi is being
+hosted in the subdomain 'jitsi.example.com'.
+
+OpenBSD daemons
+===============
+
+As jitsi has a lot of moving parts, a concise list of daemons and their
+configuration files is presented here for clarity:
+
+1) jvb - (daemon) jitsi videobridge
+    * ${SYSCONFDIR}/jvb/jvb.in.sh - default command line parameters and
+                                    their values
+    * ${SYSCONFDIR}/jvb/jvb.conf - default config file
+    * ${SYSCONFDIR}/jvb/sip-communicator.properties - config file for running
+                                                      behind a NAT
+
+2) jicofo - (daemon) jitsi conference focus
+    * ${SYSCONFDIR}/jicofo/jicofo.in.sh - default command line parameters
+                                          and their values
+    * ${SYSCONFDIR}/jicofo/jicofo.conf - default config file
+
+3) jitsi-meet - static files for jitsi web frontend
+    * ${LOCALSTATEDIR}/www/jitsi-meet/ - default location of files
+    * ${LOCALSTATEDIR}/www/jitsi-meet/config.js - default config file
+
+4) nginx - (daemon) web server and reverse proxy
+    * ${SYSCONFDIR}/nginx/ - default config files
+
+5) prosody - (daemon) XMPP server used by jitsi
+    * ${SYSCONFDIR}/prosody/prosody.cfg.lua - default config file
+    * ${LOCALSTATEDIR}/prosody/ - default runtime files
+
+Sample files
+============
+
+There is sample file provided for prosody to go along with the default files
+provided for jvb and jicofo, located at:
+    ${TRUEPREFIX}/share/jitsi/prosody.cfg.lua.sample.
+
+Nginx can be used as a reverse proxy, with a configuration for the server
+given as follows:
+
+    server {
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+
+        server_name jitsi.example.com;
+
+        ssl_certificate /etc/ssl/jitsi.example.com.crt;
+        ssl_certificate_key /etc/ssl/private/jitsi.example.com.key;
+
+        root /jitsi-meet;
+
+        # BOSH
+        location = /http-bind {
+            proxy_pass      http://127.0.0.1:5280/http-bind;
+            proxy_set_header X-Forwarded-For $remote_addr;
+            proxy_set_header Host $http_host;
+        }
+
+        ssi on;
+        ssi_types application/x-javascript application/javascript;
+
+        location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization)/(.*)$ {
+            add_header 'Access-Control-Allow-Origin' '*';
+            alias /jitsi-meet/$1/$2;
+        }
+
+        # rooms
+        location ~ ^/([a-zA-Z0-9=\?]+)$ {
+            rewrite ^/(.*)$ / break;
+        }
+
+        # external_api.js must be accessible from the root of the
+        # installation for the electron version of Jitsi Meet to work
+        location /external_api.js {
+            alias /jitsi-meet/libs/external_api.min.js;
+        }
+    }
+
+Passwords
+=========
+
+Throughout the configuration, the following passwords should be generated as
+they will be needed in the configuration files:
+
+    ${JAVA_TS_PASS}
+    ${JVB_COMP_PASS}
+    ${FOCUS_COMP_PASS}
+
+pf.conf
+=======
+
+The default configuration uses the following ports:
+
+    * nginx: TCP 80, 443
+    * prosody: TCP 5000, 5222, 5269, 5280, 5281, 5347, 5582
+    * jicofo: TCP 8888
+    * jvb: TCP 8080, UDP 10000
+
+Only a few ports, TCP 80, 443 and UDP 10000, are to be exposed to the
+network, the other ports are used for internal communication between jicofo,
+jvb and prosody.
+A possible set of pf.conf rules that can be used is:
+
+    pass in on egress to (egress) tcp port { 80 443 }
+    pass in on egress to (egress) udp port 10000
+
+/etc/hosts configuration
+========================
+
+Jitsi needs two subdomains, 'auth.jitsi.example.com' and 'jitsi.example.com',
+configured as part of the setup, of which only 'jitsi.example.com' is
+exposed outside the local network.
+
+They are accessed by the jicofo, jvb and prosody daemons as part of their
+internal communication. The simplest way to make them resolvable to localhost
+is to add them in the /etc/hosts file -
+
+    127.0.0.1 localhost jitsi jitsi.example.com auth.jitsi auth.jitsi.example.com
+    ::1       localhost jitsi jitsi.example.com auth.jitsi auth.jitsi.example.com
+
+Nginx configuration
+===================
+
+Jitsi uses webrtc which mandates the use of https. The sample nginx config file
+should be updated to use the proper TLS certificates, which can be obtained
+by acme-client(1). These are also going to be used by prosody.
+
+Prosody configuration
+=====================
+
+In the sample prosody configuration file, replace the domain and the password
+placeholders with the passwords chosen above.
+
+In the section for the domain 'jitsi.example.com' the certificates obtained in
+the previous step should be used.
+
+Prosody also hosts the internal domain 'auth.jitsi.example.com' and can use
+self signed TLS certificates for this.
+They should be generated using the following command:
+
+    $ prosodyctl cert generate auth.jitsi.example.com
+
+The certificates will be stored in:
+    ${LOCALSTATEDIR}/prosody/auth.jitsi.example.com.{crt,key}.
+
+These certificates also need to be shared with jicofo and jvb by adding them
+to a Java certificate truststore ${SYSCONFDIR}/ssl/jitsi.store.
+
+    $ $(javaPathHelper -h jicofo)/bin/keytool -import -alias prosody \
+      -file ${LOCALSTATEDIR}/prosody/auth.jitsi.example.com \
+      -keystore ${SYSCONFDIR}/ssl/jitsi.store -storepass ${JAVA_TS_PASS}
+
+Prosody needs two plugins to be added to the setup which can be achieved by:
+
+    $ prosodyctl install --server=https://modules.prosody.im/rocks/ \
+        mod_client_proxy
+    $ prosodyctl install --server=https://modules.prosody.im/rocks/ \
+        mod_roster_command
+
+The 'focus' user for prosody should also be registered via the command line:
+
+    $ prosodyctl register focus auth.jitsi.example.com ${FOCUS_COMP_PASS}
+    $ prosodyctl mod_roster_command subscribe focus.jitsi.example.com \
+        focus@auth.jitsi.example.com
+
+JVB and jicofo configuration
+============================
+
+The default configuration files for jvb and jicofo only need the domain and
+password fields to be updated.
+The jicofo daemon needs to be provided the host name:
+
+    $ rcctl set jicofo flags "--host=jitsi.example.com"
+
+SIP configuration
+=================
+
+If the jitsi server is behind a NAT, such as when hosting from an internal
+homeserver, the config file ${SYSCONFDIR}/jvb/sip-communicator.properties
+should be updated to include the public and NAT local addresses of the setup.
+The ${LOCAL_ADDRESS} should be the internal IP address assigned on the LAN
+network and the ${PUBLIC_ADDRESS} should be the one used by peers outside
+the LAN to reach the setup.
+
+Jitsi-meet configuration
+========================
+
+The relevant parts of the web configuration file at
+'${LOCALSTATEDIR}/www/jitsi-meet/config.js' that need to be updated, and
+uncommented if needed, are provided here:
+
+    var config = {
+      hosts: {
+        domain: 'jitsi.example.com',
+        muc: 'conference.jitsi.example.com'
+      },
+
+      bosh: '//jitsi.example.com/http-bind',
+      useTurnUdp: false,
+      enableWelcomePage: true,
+      prejoinConfig: {
+        enabled: true,
+        hideExtraJoinButtons: ['no-audio', 'by-phone']
+      },
+      p2p: {
+        stunServers: [ { urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' } ]
+      }
+    }
+
+Spinning up the daemons
+=======================
+
+The daemons needs to be started in the order given:
+
+    $ rcctl enable nginx prosody jvb jicofo
+    $ rcctl order nginx prosody jvb jicofo
+    $ rcctl start nginx prosody jvb jicofo
+
+The setup can be tested by visiting the site at https://jitsi.example.com.
+
+Additional upstream documentation
+=================================
+
+Further steps to configure the setup can be found in the upstream
+documentation at https://jitsi.github.io/handbook/.