├── .gitignore
├── AUTHORS
├── ChangeLog
├── LICENSE
├── Makefile
├── README.md
├── README_en.md
├── VERSION
├── data
    ├── certbot
    │   └── deploy-hook-certbot.sh
    ├── collabora
    │   ├── coolwsd.xml
    │   └── snippet-coolwsd.conf
    ├── msmtp
    │   ├── aliases
    │   ├── msmtprc
    │   └── test-email.html
    ├── nginx
    │   ├── headers.conf
    │   ├── index.html
    │   ├── nextcloud-hpb.conf
    │   └── robots.txt
    ├── signaling
    │   ├── coturn.service
    │   ├── janus.jcfg
    │   ├── janus.transport.http.jcfg
    │   ├── janus.transport.websockets.jcfg
    │   ├── janus_aarch64.jcfg
    │   ├── janus_powerpc64le.jcfg
    │   ├── nats-server.conf
    │   ├── nats-server.service
    │   ├── nextcloud-spreed-signaling.service
    │   ├── nginx-signaling-forwarding.conf
    │   ├── nginx-signaling-upstream-servers.conf
    │   ├── signaling-server.conf
    │   └── turnserver.conf
    └── unattended-upgrades
    │   └── 60unattended-upgrades-nextcloud-hpb-setup
├── settings.sh
├── setup-nextcloud-hpb.sh
└── src
    ├── setup-certbot.sh
    ├── setup-collabora.sh
    ├── setup-msmtp.sh
    ├── setup-nginx.sh
    ├── setup-signaling.sh
    ├── setup-ufw.sh
    └── setup-unattendedupgrades.sh


/.gitignore:
--------------------------------------------------------------------------------
1 | *.log
2 | .vscode
3 | tmp/
4 | *secrets*
5 | 


--------------------------------------------------------------------------------
/AUTHORS:
--------------------------------------------------------------------------------
1 | Daniel Teichmann <daniel.teichmann@das-netzwerkteam.de>
2 | PhilDevProg <91820316+PhilDevProg@users.noreply.github.com>
3 | Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
4 | Mirco <109531545+mircokam@users.noreply.github.com>
5 | DecaTec <jr@decatec.de>
6 | PhilProg <91820316+PhilDevProg@users.noreply.github.com>
7 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                     GNU GENERAL PUBLIC LICENSE
  2 |                        Version 2, June 1991
  3 | 
  4 |  Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
  5 |  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  6 |  Everyone is permitted to copy and distribute verbatim copies
  7 |  of this license document, but changing it is not allowed.
  8 | 
  9 |                             Preamble
 10 | 
 11 |   The licenses for most software are designed to take away your
 12 | freedom to share and change it.  By contrast, the GNU General Public
 13 | License is intended to guarantee your freedom to share and change free
 14 | software--to make sure the software is free for all its users.  This
 15 | General Public License applies to most of the Free Software
 16 | Foundation's software and to any other program whose authors commit to
 17 | using it.  (Some other Free Software Foundation software is covered by
 18 | the GNU Lesser General Public License instead.)  You can apply it to
 19 | your programs, too.
 20 | 
 21 |   When we speak of free software, we are referring to freedom, not
 22 | price.  Our General Public Licenses are designed to make sure that you
 23 | have the freedom to distribute copies of free software (and charge for
 24 | this service if you wish), that you receive source code or can get it
 25 | if you want it, that you can change the software or use pieces of it
 26 | in new free programs; and that you know you can do these things.
 27 | 
 28 |   To protect your rights, we need to make restrictions that forbid
 29 | anyone to deny you these rights or to ask you to surrender the rights.
 30 | These restrictions translate to certain responsibilities for you if you
 31 | distribute copies of the software, or if you modify it.
 32 | 
 33 |   For example, if you distribute copies of such a program, whether
 34 | gratis or for a fee, you must give the recipients all the rights that
 35 | you have.  You must make sure that they, too, receive or can get the
 36 | source code.  And you must show them these terms so they know their
 37 | rights.
 38 | 
 39 |   We protect your rights with two steps: (1) copyright the software, and
 40 | (2) offer you this license which gives you legal permission to copy,
 41 | distribute and/or modify the software.
 42 | 
 43 |   Also, for each author's protection and ours, we want to make certain
 44 | that everyone understands that there is no warranty for this free
 45 | software.  If the software is modified by someone else and passed on, we
 46 | want its recipients to know that what they have is not the original, so
 47 | that any problems introduced by others will not reflect on the original
 48 | authors' reputations.
 49 | 
 50 |   Finally, any free program is threatened constantly by software
 51 | patents.  We wish to avoid the danger that redistributors of a free
 52 | program will individually obtain patent licenses, in effect making the
 53 | program proprietary.  To prevent this, we have made it clear that any
 54 | patent must be licensed for everyone's free use or not licensed at all.
 55 | 
 56 |   The precise terms and conditions for copying, distribution and
 57 | modification follow.
 58 | 
 59 |                     GNU GENERAL PUBLIC LICENSE
 60 |    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
 61 | 
 62 |   0. This License applies to any program or other work which contains
 63 | a notice placed by the copyright holder saying it may be distributed
 64 | under the terms of this General Public License.  The "Program", below,
 65 | refers to any such program or work, and a "work based on the Program"
 66 | means either the Program or any derivative work under copyright law:
 67 | that is to say, a work containing the Program or a portion of it,
 68 | either verbatim or with modifications and/or translated into another
 69 | language.  (Hereinafter, translation is included without limitation in
 70 | the term "modification".)  Each licensee is addressed as "you".
 71 | 
 72 | Activities other than copying, distribution and modification are not
 73 | covered by this License; they are outside its scope.  The act of
 74 | running the Program is not restricted, and the output from the Program
 75 | is covered only if its contents constitute a work based on the
 76 | Program (independent of having been made by running the Program).
 77 | Whether that is true depends on what the Program does.
 78 | 
 79 |   1. You may copy and distribute verbatim copies of the Program's
 80 | source code as you receive it, in any medium, provided that you
 81 | conspicuously and appropriately publish on each copy an appropriate
 82 | copyright notice and disclaimer of warranty; keep intact all the
 83 | notices that refer to this License and to the absence of any warranty;
 84 | and give any other recipients of the Program a copy of this License
 85 | along with the Program.
 86 | 
 87 | You may charge a fee for the physical act of transferring a copy, and
 88 | you may at your option offer warranty protection in exchange for a fee.
 89 | 
 90 |   2. You may modify your copy or copies of the Program or any portion
 91 | of it, thus forming a work based on the Program, and copy and
 92 | distribute such modifications or work under the terms of Section 1
 93 | above, provided that you also meet all of these conditions:
 94 | 
 95 |     a) You must cause the modified files to carry prominent notices
 96 |     stating that you changed the files and the date of any change.
 97 | 
 98 |     b) You must cause any work that you distribute or publish, that in
 99 |     whole or in part contains or is derived from the Program or any
100 |     part thereof, to be licensed as a whole at no charge to all third
101 |     parties under the terms of this License.
102 | 
103 |     c) If the modified program normally reads commands interactively
104 |     when run, you must cause it, when started running for such
105 |     interactive use in the most ordinary way, to print or display an
106 |     announcement including an appropriate copyright notice and a
107 |     notice that there is no warranty (or else, saying that you provide
108 |     a warranty) and that users may redistribute the program under
109 |     these conditions, and telling the user how to view a copy of this
110 |     License.  (Exception: if the Program itself is interactive but
111 |     does not normally print such an announcement, your work based on
112 |     the Program is not required to print an announcement.)
113 | 
114 | These requirements apply to the modified work as a whole.  If
115 | identifiable sections of that work are not derived from the Program,
116 | and can be reasonably considered independent and separate works in
117 | themselves, then this License, and its terms, do not apply to those
118 | sections when you distribute them as separate works.  But when you
119 | distribute the same sections as part of a whole which is a work based
120 | on the Program, the distribution of the whole must be on the terms of
121 | this License, whose permissions for other licensees extend to the
122 | entire whole, and thus to each and every part regardless of who wrote it.
123 | 
124 | Thus, it is not the intent of this section to claim rights or contest
125 | your rights to work written entirely by you; rather, the intent is to
126 | exercise the right to control the distribution of derivative or
127 | collective works based on the Program.
128 | 
129 | In addition, mere aggregation of another work not based on the Program
130 | with the Program (or with a work based on the Program) on a volume of
131 | a storage or distribution medium does not bring the other work under
132 | the scope of this License.
133 | 
134 |   3. You may copy and distribute the Program (or a work based on it,
135 | under Section 2) in object code or executable form under the terms of
136 | Sections 1 and 2 above provided that you also do one of the following:
137 | 
138 |     a) Accompany it with the complete corresponding machine-readable
139 |     source code, which must be distributed under the terms of Sections
140 |     1 and 2 above on a medium customarily used for software interchange; or,
141 | 
142 |     b) Accompany it with a written offer, valid for at least three
143 |     years, to give any third party, for a charge no more than your
144 |     cost of physically performing source distribution, a complete
145 |     machine-readable copy of the corresponding source code, to be
146 |     distributed under the terms of Sections 1 and 2 above on a medium
147 |     customarily used for software interchange; or,
148 | 
149 |     c) Accompany it with the information you received as to the offer
150 |     to distribute corresponding source code.  (This alternative is
151 |     allowed only for noncommercial distribution and only if you
152 |     received the program in object code or executable form with such
153 |     an offer, in accord with Subsection b above.)
154 | 
155 | The source code for a work means the preferred form of the work for
156 | making modifications to it.  For an executable work, complete source
157 | code means all the source code for all modules it contains, plus any
158 | associated interface definition files, plus the scripts used to
159 | control compilation and installation of the executable.  However, as a
160 | special exception, the source code distributed need not include
161 | anything that is normally distributed (in either source or binary
162 | form) with the major components (compiler, kernel, and so on) of the
163 | operating system on which the executable runs, unless that component
164 | itself accompanies the executable.
165 | 
166 | If distribution of executable or object code is made by offering
167 | access to copy from a designated place, then offering equivalent
168 | access to copy the source code from the same place counts as
169 | distribution of the source code, even though third parties are not
170 | compelled to copy the source along with the object code.
171 | 
172 |   4. You may not copy, modify, sublicense, or distribute the Program
173 | except as expressly provided under this License.  Any attempt
174 | otherwise to copy, modify, sublicense or distribute the Program is
175 | void, and will automatically terminate your rights under this License.
176 | However, parties who have received copies, or rights, from you under
177 | this License will not have their licenses terminated so long as such
178 | parties remain in full compliance.
179 | 
180 |   5. You are not required to accept this License, since you have not
181 | signed it.  However, nothing else grants you permission to modify or
182 | distribute the Program or its derivative works.  These actions are
183 | prohibited by law if you do not accept this License.  Therefore, by
184 | modifying or distributing the Program (or any work based on the
185 | Program), you indicate your acceptance of this License to do so, and
186 | all its terms and conditions for copying, distributing or modifying
187 | the Program or works based on it.
188 | 
189 |   6. Each time you redistribute the Program (or any work based on the
190 | Program), the recipient automatically receives a license from the
191 | original licensor to copy, distribute or modify the Program subject to
192 | these terms and conditions.  You may not impose any further
193 | restrictions on the recipients' exercise of the rights granted herein.
194 | You are not responsible for enforcing compliance by third parties to
195 | this License.
196 | 
197 |   7. If, as a consequence of a court judgment or allegation of patent
198 | infringement or for any other reason (not limited to patent issues),
199 | conditions are imposed on you (whether by court order, agreement or
200 | otherwise) that contradict the conditions of this License, they do not
201 | excuse you from the conditions of this License.  If you cannot
202 | distribute so as to satisfy simultaneously your obligations under this
203 | License and any other pertinent obligations, then as a consequence you
204 | may not distribute the Program at all.  For example, if a patent
205 | license would not permit royalty-free redistribution of the Program by
206 | all those who receive copies directly or indirectly through you, then
207 | the only way you could satisfy both it and this License would be to
208 | refrain entirely from distribution of the Program.
209 | 
210 | If any portion of this section is held invalid or unenforceable under
211 | any particular circumstance, the balance of the section is intended to
212 | apply and the section as a whole is intended to apply in other
213 | circumstances.
214 | 
215 | It is not the purpose of this section to induce you to infringe any
216 | patents or other property right claims or to contest validity of any
217 | such claims; this section has the sole purpose of protecting the
218 | integrity of the free software distribution system, which is
219 | implemented by public license practices.  Many people have made
220 | generous contributions to the wide range of software distributed
221 | through that system in reliance on consistent application of that
222 | system; it is up to the author/donor to decide if he or she is willing
223 | to distribute software through any other system and a licensee cannot
224 | impose that choice.
225 | 
226 | This section is intended to make thoroughly clear what is believed to
227 | be a consequence of the rest of this License.
228 | 
229 |   8. If the distribution and/or use of the Program is restricted in
230 | certain countries either by patents or by copyrighted interfaces, the
231 | original copyright holder who places the Program under this License
232 | may add an explicit geographical distribution limitation excluding
233 | those countries, so that distribution is permitted only in or among
234 | countries not thus excluded.  In such case, this License incorporates
235 | the limitation as if written in the body of this License.
236 | 
237 |   9. The Free Software Foundation may publish revised and/or new versions
238 | of the General Public License from time to time.  Such new versions will
239 | be similar in spirit to the present version, but may differ in detail to
240 | address new problems or concerns.
241 | 
242 | Each version is given a distinguishing version number.  If the Program
243 | specifies a version number of this License which applies to it and "any
244 | later version", you have the option of following the terms and conditions
245 | either of that version or of any later version published by the Free
246 | Software Foundation.  If the Program does not specify a version number of
247 | this License, you may choose any version ever published by the Free Software
248 | Foundation.
249 | 
250 |   10. If you wish to incorporate parts of the Program into other free
251 | programs whose distribution conditions are different, write to the author
252 | to ask for permission.  For software which is copyrighted by the Free
253 | Software Foundation, write to the Free Software Foundation; we sometimes
254 | make exceptions for this.  Our decision will be guided by the two goals
255 | of preserving the free status of all derivatives of our free software and
256 | of promoting the sharing and reuse of software generally.
257 | 
258 |                             NO WARRANTY
259 | 
260 |   11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
268 | REPAIR OR CORRECTION.
269 | 
270 |   12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
278 | POSSIBILITY OF SUCH DAMAGES.
279 | 
280 |                      END OF TERMS AND CONDITIONS
281 | 
282 |             How to Apply These Terms to Your New Programs
283 | 
284 |   If you develop a new program, and you want it to be of the greatest
285 | possible use to the public, the best way to achieve this is to make it
286 | free software which everyone can redistribute and change under these terms.
287 | 
288 |   To do so, attach the following notices to the program.  It is safest
289 | to attach them to the start of each source file to most effectively
290 | convey the exclusion of warranty; and each file should have at least
291 | the "copyright" line and a pointer to where the full notice is found.
292 | 
293 |     <one line to give the program's name and a brief idea of what it does.>
294 |     Copyright (C) <year>  <name of author>
295 | 
296 |     This program is free software; you can redistribute it and/or modify
297 |     it under the terms of the GNU General Public License as published by
298 |     the Free Software Foundation; either version 2 of the License, or
299 |     (at your option) any later version.
300 | 
301 |     This program is distributed in the hope that it will be useful,
302 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
303 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
304 |     GNU General Public License for more details.
305 | 
306 |     You should have received a copy of the GNU General Public License along
307 |     with this program; if not, write to the Free Software Foundation, Inc.,
308 |     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
309 | 
310 | Also add information on how to contact you by electronic and paper mail.
311 | 
312 | If the program is interactive, make it output a short notice like this
313 | when it starts in an interactive mode:
314 | 
315 |     Gnomovision version 69, Copyright (C) year name of author
316 |     Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
317 |     This is free software, and you are welcome to redistribute it
318 |     under certain conditions; type `show c' for details.
319 | 
320 | The hypothetical commands `show w' and `show c' should show the appropriate
321 | parts of the General Public License.  Of course, the commands you use may
322 | be called something other than `show w' and `show c'; they could even be
323 | mouse-clicks or menu items--whatever suits your program.
324 | 
325 | You should also get your employer (if you work as a programmer) or your
326 | school, if any, to sign a "copyright disclaimer" for the program, if
327 | necessary.  Here is a sample; alter the names:
328 | 
329 |   Yoyodyne, Inc., hereby disclaims all copyright interest in the program
330 |   `Gnomovision' (which makes passes at compilers) written by James Hacker.
331 | 
332 |   <signature of Ty Coon>, 1 April 1989
333 |   Ty Coon, President of Vice
334 | 
335 | This General Public License does not permit incorporating your program into
336 | proprietary programs.  If your program is a subroutine library, you may
337 | consider it more useful to permit linking proprietary applications with the
338 | library.  If this is what you want to do, use the GNU Lesser General
339 | Public License instead of this License.
340 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | all: check_root
 2 | 	@echo "Execute 'sudo make install' to start the setup."
 3 | 
 4 | check_root:
 5 | 	@if ! [ "$(shell id -u)" = 0 ]; then \
 6 | 		echo "You are not root, run this target as root please"; \
 7 | 		exit 1; \
 8 | 	fi
 9 | 
10 | clean: check_root
11 | 	-rm *.log
12 | 	-rm -r tmp/
13 | 	-rm -r nats-server-v*-linux-amd64/ *.patch coturn-master/ nextcloud-spreed-signaling-master/ *.tar.gz*
14 | 	@echo "Clean done"
15 | 
16 | install: check_root clean
17 | 	./setup-nextcloud-hpb.sh
18 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | <p align="center">
 2 |   <span>Deutsch</span> |
 3 |   <a href="https://github.com/sunweaver/nextcloud-high-performance-backend-setup/blob/main/README_en.md">English</a>
 4 | </p>
 5 | 
 6 | # Einfaches Setup für Nextcloud Hochleistungsbackend, Signaling & Collabora Office für Debian 12 (Bookworm)
 7 | 
 8 | Dieses Skript installiert vollautomatisch das Nextcloud High Performance Backend mit eigenem Coturn- und Signaling-Server, sowie Collabora Office als Debian-Paket oder aus den Sourcen. Die Installation ist extra einfach gehalten und ermöglicht dadurch auch Anwendern mit wenig Unix-/Linux-Kenntnissen eine Installation in ca. 5 Minuten.
 9 | 
10 | Das Nextcloud HPB kann als Debian-Paket (Debian 12 Bookworm Backports) oder aus den aktuellen Sourcen (Debian 12 Bookworm) installiert werden. Das Collabora-Paket wird immer als aktuellstes Paket aus dem Stable-Zweig installiert. Bitte beachten Sie, dass Collabora Office hier in der Community Version installiert wird. Dies können Sie natürlich durch eine Lizenz-Key auch jederzeit auf eine Proffesional Version erweitern.
11 | 
12 | [**Hier im Wiki finden Sie eine detaillierte Installationsanleitung!**](https://github.com/sunweaver/nextcloud-high-performance-backend-setup/wiki/02-Setup-Script)
13 | 
14 | [**Die neueste Version des Skriptes können Sie hier herunterladen**](https://github.com/sunweaver/nextcloud-high-performance-backend-setup/releases)
15 | 
16 | **Voraussetzungen für den Betrieb:**
17 | 
18 | * Ein Server mit einer öffentlich zugänglichen IP! (nicht für Systeme hinter einer Firewall oder NAT mit privater Adresse)
19 | * Einen virtuellen oder physikalischen Server mit Debian 12 (Bookworm)
20 | * Eine Subdomain für den Server, auf dem das Skript installiert wird
21 | 
22 | Sie werden bei der Installation durch 8 Dialoge geführt und danach werden die Pakete voll automatisch installiert, konfiguriert und Sie erhalten eine Übersicht mit allen einzutragenden Schlüsseln für die Nextcloud-Instanz. Das Skript kann auch mehrere Nextcloud-URLs auf dem Server verwalten. Diese geben Sie in dem Script einfach mit Kommata separiert ein (Multidomain).
23 | 
24 | 
25 | **Folgende Systeme/Anwendungen werden installiert:**
26 | 
27 | * Coturn
28 | * Signaling
29 | * Let’s Encrypt
30 | * Nginx
31 | * UfW Firewall
32 | * SSH
33 | * Collabora Office
34 | * High Performance Backend
35 | 
36 |  
37 |  
38 | 
39 | **Für wen das Skript gedacht ist:**
40 | 
41 | Oft möchte man als Betrieb, Verein oder Schule eine Nextcloud einfach nur bei einem Provider mieten. Da gibt es gute Angebote z. B. bei Hetzner ([Storage Box](https://www.hetzner.com/de/storage/storage-box)) oder Ionos. Diese bieten zwar viel Speicherplatz an, aber die Rechenleistung ist oft stark eingeschränkt.
42 | 
43 | Hier kann das Skript helfen, da wir damit die fehlenden leistungsfressenden Anwendungen wie Videokonferenz (Talk) mit mehr als 4 Personen und Online-Office (Collabora Office) auf einen eigenen Server auslagern. Da Sie den Server selbst betreiben, gibt es auch keine DSGVO-Probleme. Für das Script eignen sich unter aderen sehr gut [Hetzner Cloud Server](https://www.hetzner.com/de/cloud). 
44 | 
45 | Das Skript eignet sich aber auch für größere Installationen, bei denen der Admin einfach nicht die ganze Installation per Hand machen möchte. Wir halten uns hier streng an die Debian-Vorgaben, damit spätere Updates reibungslos funktionieren. Das Skript sichert den Server mit der UfW Firewall ab. Zusätzlich können Sie aber auch noch den SSH-Zugriff deaktivieren. Dann kommen Sie nur noch über die Server-Konsole an die Maschine ran.
46 | 
47 | Wenn der Server einmal konfiguriert ist, braucht man im Idealfall auch kein Admin-Zugriff auf die Maschine übers Netz, es ist ein reines Arbeitstier. Der Server ist so konfiguriert, dass er selbstständig Updates einspielt und neustartet. Falls dann doch mal etwas schief geht, können Sie entweder selbst eingreifen oder einfach schnell eine neue Maschine erstellen, das ist ja in fünf Minuten erledigt.
48 | 
49 | 
50 | **Beispiel-Anwendungs-Szenario:**
51 | 
52 | [Nextcloud mit Videokonferenz (Talk) und Anbindung an das Schulportal Hessen finanziert von Förderverein der Schule!](https://github.com/sunweaver/nextcloud-high-performance-backend-setup/wiki/05-Bsp-Anwendungen)
53 | 
54 |  
55 | **Spenden oder Beteiligen:**
56 | 
57 | Bitte denken Sie immer daran, dass es auch freie Software nicht umsonst gibt. Hinter all den Projekten verbringen Menschen ihre Zeit, ob beruflich oder privat. Es ist wichtig sich an der Entwicklung zu beteiligen. Sie können die Projekte finanziell oder durch Ihre Beteiligung unterstützen. Nur so kann freie Software besser werden und bleibt uns allen langfristig erhalten.
58 | 
59 | <https://nextcloud.com/contribute/>
60 | 
61 | Ich möchte mich hier noch bei den drei Firmen Nextcloud GmbH, Struktur AG sowie Collabora für die tolle Software bedanken, die uns ein selbstbestimmtes freies Arbeiten in der Cloud ermöglicht.  
62 | 
63 | Mirco Rohloff
64 | 


--------------------------------------------------------------------------------
/README_en.md:
--------------------------------------------------------------------------------
 1 | <p align="center">
 2 |   <a href="https://github.com/sunweaver/nextcloud-high-performance-backend-setup/blob/main/README.md">Deutsch</a> |
 3 |   <span>English</span>
 4 | </p>
 5 | 
 6 | # Easy setup for Nextcloud High performance backend, Signaling & Collabora Office for Debian 12 (Bookworm)
 7 | 
 8 | 
 9 | This script installs the Nextcloud High Performance Backend with its own coturn and signaling server, as well as Collabora Office as a Debian package or from the Sources. The installation is kept extra simple and thus also enables users with a few Unix/Linux skills an installation in about 5 minutes.
10 | 
11 | The Nextcloud HPB can be installed as a Debian package (Debian 12 Bookworm Backports) or from the current source code (for Debian 12 bookworm). The Collabora package is always installed as the latest package from the stable branch. Please note that Collabora Office in this version is the community edition. Of course, you can also expand this at any time with a license key.
12 | 
13 | [**Here in the wiki you will find detailed installation instructions!**](https://github.com/sunweaver/nextcloud-high-performance-backend-setup/wiki/09-Home-(en))
14 | 
15 | [**You can download the newest version of the script here**](https://github.com/sunweaver/nextcloud-high-performance-backend-setup/releases)
16 | 
17 | **Requirements**
18 | 
19 | * A server with a publicly accessible IP! (not for systems behind a firewall or NAT with a private address)
20 | * A virtual or physical server with Debian 12 (Bookworm)
21 | * A subdomain for the server on which the script is installe
22 | 
23 | You are guided by 8 dialogues during the installation and then the packages are fully installed, configured and you will receive an overview with all the keys for the Nextcloud instance. The script can also manage several Nextcloud URLs on the server. In the script, simply enter these with commas sepparized(multidomain).
24 | 
25 | 
26 | **The following systems/applications wil be installed:**
27 | 
28 | * Coturn
29 | * Signaling
30 | * Let’s Encrypt
31 | * Nginx
32 | * UfW Firewall
33 | * SSH
34 | * Collabora Office
35 | * High Performance Backend
36 | 
37 |  
38 |  
39 | 
40 | **For whom the script is intended:**
41 | 
42 | As a company, association or school, you often just want to rent a Nextcloud from a provider. There are good offers e. g. at Hetzner ([Storage Box](https://www.hetzner.com/de/storage/storage-box)) or Ionos. These offer a lot of storage space, but the computing power is often severely restricted.
43 | 
44 | The script can help here, as it outsources the missing performance-eating applications such as video conference (Talk) with more than 4 people and online office (Collabora Office) on our own server. Since you operate the server yourself, there are no GDPR problems. Among other things, [Hetzner Cloud Servers](https://www.hetzner.com/de/cloud) are very suitable for the script.
45 | 
46 | The script is also suitable for larger installations where the admin simply does not want to make the entire installation by hand. We stick strictly to the Debian requirements here so that later updates work smoothly. The script secures the server with the UFW firewall. In addition, you can also deactivate SSH access. Then you can only get access to the machine via the server console.
47 | 
48 | If the server is configured, ideally you don't need admin access to the machine via the internet, it is a pure work animal. The server is configured in such a way that it enables updates independently and restarts. If something goes wrong, you can either intervene yourself or simply create a new machine quickly, which is done in five minutes.
49 | 
50 | 
51 | **Example application scenario**
52 | 
53 | [Nextcloud with video conference (Talk) and a connection to the school portal Hessen financed by the school support association in Germany!](https://github.com/sunweaver/nextcloud-high-performance-backend-setup/wiki/05-Bsp-Anwendungen)
54 | 
55 |  
56 | **Donate or participate:**
57 | 
58 | Please always remember that free software does not exist for nothing. People spend their time behind all the projects, whether professionally or privately. It is important to participate in the development. You can support the projects financially or through your participation. This is the only way free software can get better and remain in the long term.
59 | 
60 | <https://nextcloud.com/contribute/>
61 | 
62 | I would like to thank the three companies Nextcloud GmbH, Structure AG and Collabora for the great software that enables us a self-determined free work in the cloud.
63 | 
64 | Mirco Rohloff
65 | 


--------------------------------------------------------------------------------
/VERSION:
--------------------------------------------------------------------------------
1 | 1.2.7a
2 | 


--------------------------------------------------------------------------------
/data/certbot/deploy-hook-certbot.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # This file was created by the Nextcloud High-performance setup script.
 4 | 
 5 | chmod 2750 /etc/letsencrypt/archive
 6 | chmod 2750 /etc/letsencrypt/live
 7 | find /etc/letsencrypt/archive -type d -exec chmod 2750 {} +
 8 | find /etc/letsencrypt/live -type d -exec chmod 2750 {} +
 9 | chown -R :ssl-cert /etc/letsencrypt/archive
10 | chown -R :ssl-cert /etc/letsencrypt/live
11 | find /etc/letsencrypt/archive -name "privkey*.pem" -exec chmod 640 {} +
12 | 


--------------------------------------------------------------------------------
/data/collabora/coolwsd.xml:
--------------------------------------------------------------------------------
  1 | <!-- -*- nxml-child-indent: 4; tab-width: 4; indent-tabs-mode: nil -*- -->
  2 | <config>
  3 | 
  4 |     <!-- For more detailed documentation on typical configuration options please see:
  5 |          https://sdk.collaboraonline.com/docs/installation/Configuration.html -->
  6 | 
  7 |     <!-- Note: 'default' attributes are used to document a setting's default value as well as to use as fallback. -->
  8 |     <!-- Note: When adding a new entry, a default must be set in WSD in case the entry is missing upon deployment. -->
  9 | 
 10 |     <allowed_languages desc="List of supported languages of Writing Aids (spell checker, grammar checker, thesaurus, hyphenation) on this instance. Allowing too many has negative effect on startup performance." default="de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru">de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru</allowed_languages>
 11 | 
 12 |     <!--
 13 |         This is LanguageTool.org API settings. To turn it on, please set "enabled" property to true.
 14 |         "base_url" may be https://api.languagetoolplus.com/v2 if the cloud version is used.
 15 |         However, your data in the document e.g. the text part of it will be sent to the cloud API. Please read the privacy policy: https://languagetool.org/legal/privacy
 16 |     -->
 17 |     <languagetool desc="LanguageTool Remote API settings for grammar checking">
 18 |         <enabled desc="Enable LanguageTool Remote Grammar Checker" type="bool" default="false"></enabled>
 19 |         <base_url desc="Http endpoint for the LanguageTool API server, without /check or /languages postfix at the end." type="string" default=""></base_url>
 20 |         <user_name desc="LanguageTool account username for premium usage." type="string" default=""></user_name>
 21 |         <api_key desc="Api key provided by LanguageTool account for premium usage." type="string" default=""></api_key>
 22 |         <ssl_verification desc="Enable or disable SSL verification" type="string" default="true"></ssl_verification>
 23 |     </languagetool>
 24 | 
 25 |     <sys_template_path desc="Path to a template tree with shared libraries etc to be used as source for chroot jails for child processes." type="path" relative="true" default="systemplate"></sys_template_path>
 26 |     <child_root_path desc="Path to the directory under which the chroot jails for the child processes will be created. Should be on the same file system as systemplate and lotemplate. Must be an empty directory." type="path" relative="true" default="jails"></child_root_path>
 27 |     <mount_jail_tree desc="Controls whether the systemplate and lotemplate contents are mounted or not, which is much faster than the default of linking/copying each file." type="bool" default="true"></mount_jail_tree>
 28 | 
 29 |     <server_name desc="External hostname:port of the server running coolwsd. If empty, it's derived from the request (please set it if this doesn't work). May be specified when behind a reverse-proxy or when the hostname is not reachable directly." type="string" default=""></server_name>
 30 |     <file_server_root_path desc="Path to the directory that should be considered root for the file server. This should be the directory containing cool." type="path" relative="true" default="browser/../"></file_server_root_path>
 31 |     <hexify_embedded_urls desc="Enable to protect encoded URLs from getting decoded by intermediate hops. Particularly useful on Azure deployments" type="bool" default="false"></hexify_embedded_urls>
 32 |     <experimental_features desc="Enable/Disable experimental features" type="bool" default="false">false</experimental_features>
 33 | 
 34 |     <memproportion desc="The maximum percentage of system memory consumed by all of the Collabora Online Development Edition, after which we start cleaning up idle documents" type="double" default="80.0"></memproportion>
 35 |     <num_prespawn_children desc="Number of child processes to keep started in advance and waiting for new clients." type="uint" default="1">1</num_prespawn_children>
 36 |     <!-- <fetch_update_check desc="Every number of hours will fetch latest version data. Defaults to 10 hours." type="uint" default="10">10</fetch_update_check> -->
 37 |     <per_document desc="Document-specific settings, including LO Core settings.">
 38 |         <max_concurrency desc="The maximum number of threads to use while processing a document." type="uint" default="4">4</max_concurrency>
 39 |         <batch_priority desc="A (lower) priority for use by batch eg. convert-to processes to avoid starving interactive ones" type="uint" default="5">5</batch_priority>
 40 |         <document_signing_url desc="The endpoint URL of signing server, if empty the document signing is disabled" type="string" default=""></document_signing_url>
 41 |         <redlining_as_comments desc="If true show red-lines as comments" type="bool" default="false">false</redlining_as_comments>
 42 |         <pdf_resolution_dpi desc="The resolution, in DPI, used to render PDF documents as image. Memory consumption grows proportionally. Must be a positive value less than 385. Defaults to 96." type="uint" default="96">96</pdf_resolution_dpi>
 43 |         <idle_timeout_secs desc="The maximum number of seconds before unloading an idle document. Defaults to 1 hour." type="uint" default="3600">3600</idle_timeout_secs>
 44 |         <!-- Idle save and auto save are checked every 30 seconds -->
 45 |         <!-- They are disabled when the value is zero or negative. -->
 46 |         <idlesave_duration_secs desc="The number of idle seconds after which document, if modified, should be saved. Defaults to 30 seconds." type="int" default="30">30</idlesave_duration_secs>
 47 |         <autosave_duration_secs desc="The number of seconds after which document, if modified, should be saved. Defaults to 5 minutes." type="int" default="300">300</autosave_duration_secs>
 48 |         <always_save_on_exit desc="On exiting the last editor, always perform the save, even if the document is not modified." type="bool" default="false">false</always_save_on_exit>
 49 |         <limit_virt_mem_mb desc="The maximum virtual memory allowed to each document process. 0 for unlimited." type="uint">0</limit_virt_mem_mb>
 50 |         <limit_stack_mem_kb desc="The maximum stack size allowed to each document process. 0 for unlimited." type="uint">8000</limit_stack_mem_kb>
 51 |         <limit_file_size_mb desc="The maximum file size allowed to each document process to write. 0 for unlimited." type="uint">0</limit_file_size_mb>
 52 |         <limit_num_open_files desc="The maximum number of files allowed to each document process to open. 0 for unlimited." type="uint">0</limit_num_open_files>
 53 |         <limit_load_secs desc="Maximum number of seconds to wait for a document load to succeed. 0 for unlimited." type="uint" default="100">100</limit_load_secs>
 54 |         <limit_store_failures desc="Maximum number of consecutive save-and-upload to storage failures when unloading the document. 0 for unlimited (not recommended)." type="uint" default="5">5</limit_store_failures>
 55 |         <limit_convert_secs desc="Maximum number of seconds to wait for a document conversion to succeed. 0 for unlimited." type="uint" default="100">100</limit_convert_secs>
 56 |         <cleanup desc="Checks for resource consuming (bad) documents and kills associated kit process. A document is considered resource consuming (bad) if is in idle state for idle_time_secs period and memory usage passed limit_dirty_mem_mb or CPU usage passed limit_cpu_per" enable="true">
 57 |             <cleanup_interval_ms desc="Interval between two checks" type="uint" default="10000">10000</cleanup_interval_ms>
 58 |             <bad_behavior_period_secs desc="Minimum time period for a document to be in bad state before associated kit process is killed. If in this period the condition for bad document is not met once then this period is reset" type="uint" default="60">60</bad_behavior_period_secs>
 59 |             <idle_time_secs desc="Minimum idle time for a document to be candidate for bad state" type="uint" default="300">300</idle_time_secs>
 60 |             <limit_dirty_mem_mb desc="Minimum memory usage for a document to be candidate for bad state" type="uint" default="3072">3072</limit_dirty_mem_mb>
 61 |             <limit_cpu_per desc="Minimum CPU usage for a document to be candidate for bad state" type="uint" default="85">85</limit_cpu_per>
 62 |             <lost_kit_grace_period_secs desc="The minimum grace period for a lost kit process (not referenced by coolwsd) to resolve its lost status before it is terminated. To disable the cleanup of lost kits use value 0" default="120">120</lost_kit_grace_period_secs>
 63 |         </cleanup>
 64 |     </per_document>
 65 | 
 66 |     <per_view desc="View-specific settings.">
 67 |         <group_download_as desc="If set to true, groups download as icons into a dropdown for the notebookbar view." type="bool" default="false">false</group_download_as>
 68 |         <out_of_focus_timeout_secs desc="The maximum number of seconds before dimming and stopping updates when the browser tab is no longer in focus. Defaults to 120 seconds." type="uint" default="120">120</out_of_focus_timeout_secs>
 69 |         <idle_timeout_secs desc="The maximum number of seconds before dimming and stopping updates when the user is no longer active (even if the browser is in focus). Defaults to 15 minutes." type="uint" default="900">900</idle_timeout_secs>
 70 |     </per_view>
 71 | 
 72 |     <ver_suffix desc="Appended to etags to allow easy refresh of changed files during development" type="string" default=""></ver_suffix>
 73 | 
 74 |     <logging>
 75 |         <color type="bool">true</color>
 76 |         <!--
 77 |              Note to developers: When you do "make run", the logging.level will be set on the
 78 |              coolwsd command line, so if you want to change it for your testing, do it in
 79 |              Makefile.am, not here.
 80 |         -->
 81 |         <level type="string" desc="Can be 0-8 (with the lowest numbers being the least verbose), or none (turns off logging), fatal, critical, error, warning, notice, information, debug, trace" default="warning">warning</level>
 82 |         <most_verbose_level_settable_from_client type="string" desc="A loggingleveloverride message from the client can not set a more verbose log level than this" default="notice">notice</most_verbose_level_settable_from_client>
 83 |         <least_verbose_level_settable_from_client type="string" desc="A loggingleveloverride message from a client can not set a less verbose log level than this" default="fatal">fatal</least_verbose_level_settable_from_client>
 84 |         <protocol type="bool" desc="Enable minimal client-site JS protocol logging from the start">false</protocol>
 85 |         <!-- lokit_sal_log example: Log WebDAV-related messages, that is interesting for debugging Insert - Image operation: "+TIMESTAMP+INFO.ucb.ucp.webdav+WARN.ucb.ucp.webdav"
 86 |              See also: https://docs.libreoffice.org/sal/html/sal_log.html -->
 87 |         <lokit_sal_log type="string" desc="Fine tune log messages from LOKit. Default is to suppress log messages from LOKit." default="-INFO-WARN">-INFO-WARN</lokit_sal_log>
 88 |         <file enable="false">
 89 |             <!-- If you use other path than /var/log and you run coolwsd from systemd, make sure that you enable that path in coolwsd.service (ReadWritePaths). -->
 90 |             <property name="path" desc="Log file path.">/var/log/coolwsd.log</property>
 91 |             <property name="rotation" desc="Log file rotation strategy. See Poco FileChannel.">never</property>
 92 |             <property name="archive" desc="Append either timestamp or number to the archived log filename.">timestamp</property>
 93 |             <property name="compress" desc="Enable/disable log file compression.">true</property>
 94 |             <property name="purgeAge" desc="The maximum age of log files to preserve. See Poco FileChannel.">10 days</property>
 95 |             <property name="purgeCount" desc="The maximum number of log archives to preserve. Use 'none' to disable purging. See Poco FileChannel.">10</property>
 96 |             <property name="rotateOnOpen" desc="Enable/disable log file rotation on opening.">true</property>
 97 |             <property name="flush" desc="Enable/disable flushing after logging each line. May harm performance. Note that without flushing after each line, the log lines from the different processes will not appear in chronological order.">false</property>
 98 |         </file>
 99 |         <anonymize>
100 |             <anonymize_user_data type="bool" desc="Enable to anonymize/obfuscate of user-data in logs. If default is true, it was forced at compile-time and cannot be disabled." default="false">false</anonymize_user_data>
101 |             <anonymization_salt type="uint" desc="The salt used to anonymize/obfuscate user-data in logs. Use a secret 64-bit random number." default="82589933">82589933</anonymization_salt>
102 |         </anonymize>
103 |         <docstats type="bool" desc="Enable to see document handling information in logs." default="false">false</docstats>
104 |     </logging>
105 | 
106 |     <!--
107 |          Note to developers: When you do "make run", the trace_event[@enable] will be set on the
108 |          coolwsd command line, so if you want to change it for your testing, do it in Makefile.am,
109 |          not here.
110 |     -->
111 |     <trace_event desc="The possibility to turn on generation of a Chrome Trace Event file" enable="false">
112 |         <path desc="Output path for the Trace Event file, to which they will be written if turned on at run-time" type="string" default="/var/log/coolwsd.trace.json">/var/log/coolwsd.trace.json</path>
113 |     </trace_event>
114 | 
115 |     <browser_logging desc="Logging in the browser console" default="false">false</browser_logging>
116 | 
117 |     <trace desc="Dump commands and notifications for replay. When 'snapshot' is true, the source file is copied to the path first." enable="false">
118 |         <path desc="Output path to hold trace file and docs. Use '%' for timestamp to avoid overwriting. For example: /some/path/to/cooltrace-%.gz" compress="true" snapshot="false"></path>
119 |         <filter>
120 |             <message desc="Regex pattern of messages to exclude"></message>
121 |         </filter>
122 |         <outgoing>
123 |             <record desc="Whether or not to record outgoing messages" default="false">false</record>
124 |         </outgoing>
125 |     </trace>
126 | 
127 |     <net desc="Network settings">
128 |       <!-- On systems where localhost resolves to IPv6 [::1] address first, when net.proto is all and net.listen is loopback, coolwsd unexpectedly listens on [::1] only.
129 |            You need to change net.proto to IPv4, if you want to use 127.0.0.1. -->
130 |       <proto type="string" default="all" desc="Protocol to use IPv4, IPv6 or all for both">IPv4</proto>
131 |       <listen type="string" default="any" desc="Listen address that coolwsd binds to. Can be 'any' or 'loopback'.">loopback</listen>
132 |       <!-- this allows you to shift all of our URLs into a sub-path from
133 |            https://my.com/browser/a123... to https://my.com/my/sub/path/browser/a123... -->
134 |       <service_root type="path" default="" desc="Prefix all the pages, websockets, etc. with this path.">/collabora</service_root>
135 |       <post_allow desc="Allow/deny client IP address for POST(REST)." allow="true">
136 |         <host desc="The IPv4 loopback (localhost) address.">127\.0\.0\.1</host>
137 |         <host desc="The IPv4 loopback (localhost) address.">127\.0\.1\.1</host>
138 |       </post_allow>
139 |       <frame_ancestors desc="Specify who is allowed to embed the Collabora Online iframe (coolwsd and WOPI host are always allowed). Separate multiple hosts by space."></frame_ancestors>
140 |       <connection_timeout_secs desc="Specifies the connection, send, recv timeout in seconds for connections initiated by coolwsd (such as WOPI connections)." type="int" default="30"></connection_timeout_secs>
141 | 
142 |       <!-- this setting radically changes how online works, it should not be used in a production environment -->
143 |       <proxy_prefix type="bool" default="false" desc="Enable a ProxyPrefix to be passed int through which to redirect requests"></proxy_prefix>
144 |     </net>
145 | 
146 |     <ssl desc="SSL settings">
147 |         <!-- switches from https:// + wss:// to http:// + ws:// -->
148 |         <enable type="bool" desc="Controls whether SSL encryption between coolwsd and the network is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">false</enable>
149 |         <!-- SSL off-load can be done in a proxy, if so disable SSL, and enable termination below in production -->
150 |         <termination desc="Connection via proxy where coolwsd acts as working via https, but actually uses http." type="bool" default="true">true</termination>
151 |         <cert_file_path desc="Path to the cert file" relative="false">/etc/coolwsd/cert.pem</cert_file_path>
152 |         <key_file_path desc="Path to the key file" relative="false">/etc/coolwsd/key.pem</key_file_path>
153 |         <ca_file_path desc="Path to the ca file" relative="false">/etc/coolwsd/ca-chain.cert.pem</ca_file_path>
154 |         <cipher_list desc="List of OpenSSL ciphers to accept" default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"></cipher_list>
155 |         <hpkp desc="Enable HTTP Public key pinning" enable="false" report_only="false">
156 |             <max_age desc="HPKP's max-age directive - time in seconds browser should remember the pins" enable="true">1000</max_age>
157 |             <report_uri desc="HPKP's report-uri directive - pin validation failure are reported at this URL" enable="false"></report_uri>
158 |             <pins desc="Base64 encoded SPKI fingerprints of keys to be pinned">
159 |             <pin></pin>
160 |             </pins>
161 |         </hpkp>
162 |         <sts desc="Strict-Transport-Security settings, per rfc6797. Subdomains are always included.">
163 |             <enabled desc="Whether or not Strict-Transport-Security is enabled. Enable only when ready for production. Cannot be disabled without resetting the browsers." type="bool" default="false">false</enabled>
164 |             <max_age desc="Strict-Transport-Security max-age directive, in seconds. 0 is allowed; please see rfc6797 for details. Defaults to 1 year." type="int" default="31536000">31536000</max_age>
165 |         </sts>
166 |     </ssl>
167 | 
168 |     <security desc="Altering these defaults potentially opens you to significant risk">
169 |       <seccomp desc="Should we use the seccomp system call filtering." type="bool" default="true">true</seccomp>
170 |       <capabilities desc="Should we require capabilities to isolate processes into chroot jails" type="bool" default="true">true</capabilities>
171 |       <jwt_expiry_secs desc="Time in seconds before the Admin Console's JWT token expires" type="int" default="1800">1800</jwt_expiry_secs>
172 |       <enable_macros_execution desc="Specifies whether the macro execution is enabled in general. This will enable Basic, Beanshell, Javascript and Python scripts. If it is set to false, the macro_security_level is ignored. If it is set to true, the mentioned entry specified the level of macro security." type="bool" default="false">false</enable_macros_execution>
173 |       <macro_security_level desc="Level of Macro security. 1 (Medium) Confirmation required before executing macros from untrusted sources. 0 (Low, not recommended) All macros will be executed without confirmation." type="int" default="1">1</macro_security_level>
174 |       <enable_metrics_unauthenticated desc="When enabled, the /cool/getMetrics endpoint will not require authentication." type="bool" default="false">false</enable_metrics_unauthenticated>
175 |     </security>
176 | 
177 |     <certificates>
178 |       <database_path type="string" desc="Path to the NSS certificates that are used for signing documents" default=""></database_path>
179 |     </certificates>
180 | 
181 |     <watermark>
182 |       <opacity desc="Opacity of on-screen watermark from 0.0 to 1.0" type="double" default="0.2"></opacity>
183 |       <text desc="Watermark text to be displayed on the document if entered" type="string"></text>
184 |     </watermark>
185 | 
186 | 
187 |     <user_interface>
188 |       <mode type="string" desc="Controls the user interface style. The 'default' means: Take the value from ui_defaults, or decide for one of compact or tabbed (default|compact|tabbed)" default="default">default</mode>
189 |       <use_integration_theme desc="Use theme from the integrator" type="bool" default="true">true</use_integration_theme>
190 |     </user_interface>
191 | 
192 |     <storage desc="Backend storage">
193 |         <filesystem allow="false" />
194 |         <wopi desc="Allow/deny wopi storage." allow="true">
195 |             <max_file_size desc="Maximum document size in bytes to load. 0 for unlimited." type="uint">0</max_file_size>
196 |             <locking desc="Locking settings">
197 |                 <refresh desc="How frequently we should re-acquire a lock with the storage server, in seconds (default 15 mins) or 0 for no refresh" type="int" default="900">900</refresh>
198 |             </locking>
199 | 
200 |             <alias_groups desc="default mode is 'first' it allows only the first host when groups are not defined. set mode to 'groups' and define group to allow multiple host and its aliases" mode="groups">
201 |                 <!-- If you need to use multiple wopi hosts, please change the mode to "groups" and
202 |                 add the hosts below.  If one host is accessible under multiple ip addresses
203 |                 or names, add them as aliases. -->
204 | 
205 | <COLLABORA_HOST_DEFINITIONS>
206 |                 <!-- More "group"s possible here -->
207 |             </alias_groups>
208 | 
209 |         </wopi>
210 |         <ssl desc="SSL settings">
211 |             <as_scheme type="bool" default="true" desc="When set we exclusively use the WOPI URI's scheme to enable SSL for storage">true</as_scheme>
212 |             <enable type="bool" desc="If as_scheme is false or not set, this can be set to force SSL encryption between storage and coolwsd. When empty this defaults to following the ssl.enable setting"></enable>
213 |             <cert_file_path desc="Path to the cert file" relative="false"></cert_file_path>
214 |             <key_file_path desc="Path to the key file" relative="false"></key_file_path>
215 |             <ca_file_path desc="Path to the ca file. If this is not empty, then SSL verification will be strict, otherwise cert of storage (WOPI-like host) will not be verified." relative="false"></ca_file_path>
216 |             <cipher_list desc="List of OpenSSL ciphers to accept. If empty the defaults are used. These can be overridden only if absolutely needed."></cipher_list>
217 |         </ssl>
218 |     </storage>
219 | 
220 |     <tile_cache_persistent desc="Should the tiles persist between two editing sessions of the given document?" type="bool" default="true">true</tile_cache_persistent>
221 | 
222 |     <admin_console desc="Web admin console settings.">
223 |         <enable desc="Enable the admin console functionality" type="bool" default="true">true</enable>
224 |         <enable_pam desc="Enable admin user authentication with PAM" type="bool" default="false">false</enable_pam>
225 |         <username desc="The username of the admin console. Ignored if PAM is enabled."></username>
226 |         <password desc="The password of the admin console. Deprecated on most platforms. Instead, use PAM or coolconfig to set up a secure password."></password>
227 |     </admin_console>
228 | 
229 |     <monitors desc="Addresses of servers we connect to on start for monitoring">
230 |     </monitors>
231 | 
232 |     <quarantine_files desc="Files are stored here to be examined later in cases of crashes or similar situation." default="false" enable="false">
233 |         <limit_dir_size_mb desc="Maximum directory size. On exceeding the specified limit, older files will be deleted." default="250" type="uint"></limit_dir_size_mb>
234 |         <max_versions_to_maintain desc="How many versions of the same file to keep." default="2" type="uint"></max_versions_to_maintain>
235 |         <path desc="Path to directory under which quarantined files will be stored" type="path" relative="true" default="quarantine"></path>
236 |         <expiry_min desc="Time in mins after quarantined files will be deleted." type="int" default="30"></expiry_min>
237 |     </quarantine_files>
238 | 
239 |     <remote_config>
240 |         <remote_url desc="remote server to which you will send resquest to get remote config in response" type="string" default=""></remote_url>
241 |     </remote_config>
242 | 
243 |     <remote_font_config>
244 | <COLLABORA_REMOTE_FONT_CONFIGS>
245 |     </remote_font_config>
246 | </config>
247 | 


--------------------------------------------------------------------------------
/data/collabora/snippet-coolwsd.conf:
--------------------------------------------------------------------------------
 1 | location = / {
 2 |     # First attempt to serve request as file, then
 3 |     # as directory, then fall back to displaying a 404.
 4 |     try_files $uri $uri/ =404;
 5 |     index index.html;
 6 | }
 7 | 
 8 | # static files
 9 | location ^~ /collabora/browser {
10 |     proxy_pass http://127.0.0.1:9980;
11 |     proxy_set_header Host $http_host;
12 | }
13 | 
14 | # WOPI discovery URL
15 | location ^~ /collabora/hosting/discovery {
16 |     proxy_pass http://127.0.0.1:9980;
17 |     proxy_set_header Host $http_host;
18 | }
19 | 
20 | # Capabilities
21 | location ^~ /collabora/hosting/capabilities {
22 |     proxy_pass http://127.0.0.1:9980;
23 |     proxy_set_header Host $http_host;
24 | }
25 | 
26 | # main websocket
27 | location ~ ^/collabora/cool/(.*)/ws$ {
28 |     proxy_pass http://127.0.0.1:9980;
29 |     proxy_set_header Upgrade $http_upgrade;
30 |     proxy_set_header Connection "Upgrade";
31 |     proxy_set_header Host $http_host;
32 |     proxy_read_timeout 36000s;
33 | }
34 | 
35 | # download, presentation and image upload
36 | location ~ ^/collabora/(c|l)ool {
37 |     proxy_pass http://127.0.0.1:9980;
38 |     proxy_set_header Host $http_host;
39 | }
40 | 
41 | # Admin Console websocket
42 | location ^~ /collabora/cool/adminws {
43 |     proxy_pass http://127.0.0.1:9980;
44 |     proxy_set_header Upgrade $http_upgrade;
45 |     proxy_set_header Connection "Upgrade";
46 |     proxy_set_header Host $http_host;
47 |     proxy_read_timeout 36000s;
48 | }
49 | 


--------------------------------------------------------------------------------
/data/msmtp/aliases:
--------------------------------------------------------------------------------
1 | mailer-daemon: <EMAIL_USER_ADDRESS>
2 | postmaster: <EMAIL_USER_ADDRESS>
3 | webmaster: <EMAIL_USER_ADDRESS>
4 | root: <EMAIL_USER_ADDRESS>
5 | default: <EMAIL_USER_ADDRESS>
6 | 


--------------------------------------------------------------------------------
/data/msmtp/msmtprc:
--------------------------------------------------------------------------------
 1 | # Set default values for all following accounts.
 2 | defaults
 3 | 
 4 | port <EMAIL_SERVER_PORT>
 5 | 
 6 | # Always use TLS.
 7 | tls on
 8 | 
 9 | # Set a list of trusted CAs for TLS. The default is to use system settings, but
10 | # you can select your own file.
11 | tls_trust_file /etc/ssl/certs/ca-certificates.crt
12 | 
13 | # If you select your own file, you should also use the tls_crl_file command to
14 | # check for revoked certificates, but unfortunately getting revocation lists and
15 | # keeping them up to date is not straightforward.
16 | #tls_crl_file ~/.tls-crls
17 | 
18 | # Mail account
19 | account <EMAIL_USER_ADDRESS>
20 | 
21 | # Host name of the SMTP server
22 | host <EMAIL_SERVER_HOST>
23 | 
24 | # This is especially important for mail providers like 
25 | # Ionos, 1&1, GMX and web.de
26 | set_from_header on
27 | 
28 | # As an alternative to tls_trust_file/tls_crl_file, you can use tls_fingerprint
29 | # to pin a single certificate. You have to update the fingerprint when the
30 | # server certificate changes, but an attacker cannot trick you into accepting
31 | # a fraudulent certificate. Get the fingerprint with
32 | # $ msmtp --serverinfo --tls --tls-certcheck=off --host=smtp.freemail.example
33 | #tls_fingerprint 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
34 | 
35 | # Envelope-from address
36 | from <EMAIL_USER_ADDRESS>
37 | 
38 | # Authentication. The password is given using one of five methods, see below.
39 | auth on
40 | 
41 | user <EMAIL_USER_USERNAME>
42 | password <EMAIL_USER_PASSWORD>
43 | 
44 | # Set a default account
45 | account default: <EMAIL_USER_ADDRESS>
46 | 
47 | # Map local users to mail addresses (for crontab)
48 | aliases /etc/aliases
49 | 


--------------------------------------------------------------------------------
/data/msmtp/test-email.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | 
 4 | <head>
 5 |     <meta charset="utf-8" />
 6 |     <style>
 7 |         #centerblock {
 8 |             border: 1px solid;
 9 |             border-radius: 10px;
10 |             padding-bottom: 20px;
11 |         }
12 | 
13 |         h1,
14 |         h2,
15 |         h3,
16 |         h4,
17 |         h5,
18 |         h6 {
19 |             color: limegreen;
20 |         }
21 | 
22 |         span {
23 |             font-size: 1.25rem;
24 |         }
25 |     </style>
26 | </head>
27 | 
28 | <body>
29 |     <center id="centerblock">
30 |         <h2>Congratulations! Your e-mail configuration works!</h2>
31 |         <span>
32 |             This is a test e-mail sent to you by the Nextcloud
33 |             high-performance-backend setup script.
34 |         </span>
35 |     </center>
36 | </body>
37 | 
38 | </html>
39 | 


--------------------------------------------------------------------------------
/data/nginx/headers.conf:
--------------------------------------------------------------------------------
 1 | add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;" always;
 2 | add_header X-Content-Type-Options "nosniff" always;
 3 | add_header X-XSS-Protection "1; mode=block" always;
 4 | add_header X-Robots-Tag none always;
 5 | add_header X-Download-Options noopen always;
 6 | add_header X-Permitted-Cross-Domain-Policies none always;
 7 | add_header Referrer-Policy no-referrer always;
 8 | add_header X-Frame-Options "SAMEORIGIN" always;
 9 | fastcgi_hide_header X-Powered-By;
10 | 


--------------------------------------------------------------------------------
/data/nginx/index.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 2 | <html>
 3 | 
 4 | <head>
 5 |     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
 6 |     <title>This page intentionally left blank (default)</title>
 7 | </head>
 8 | 
 9 | <body>
10 |     <div class="tpilb">
11 |         <a href="http://www.this-page-intentionally-left-blank.org/">this page intentionally left blank</a>
12 |     </div>
13 | </body>
14 | 
15 | </html>
16 | 


--------------------------------------------------------------------------------
/data/nginx/nextcloud-hpb.conf:
--------------------------------------------------------------------------------
 1 | <INCLUDE_SNIPPET_SIGNALING_UPSTREAM_SERVERS>
 2 | 
 3 | server {
 4 |   listen 0.0.0.0:80;
 5 |   listen [::]:80 ipv6only=on;
 6 | 
 7 |   server_name <SERVER_FQDN>;
 8 |   # security - prevent information disclosure about server version
 9 |   server_tokens off;
10 | 
11 |   location / {
12 |     rewrite     ^   https://$host$request_uri? permanent;
13 |   }
14 | 
15 |   access_log  /var/log/nginx/<SERVER_FQDN>_access.log;
16 |   error_log   /var/log/nginx/<SERVER_FQDN>_error.log;
17 | }
18 | 
19 | server {
20 |   listen 0.0.0.0:443 ssl;
21 |   listen [::]:443 ipv6only=on ssl;
22 | 
23 |   root /var/www/html;
24 | 
25 |   ## Strong SSL Security
26 |   # RSA certificates
27 |   ssl_certificate <SSL_CERT_PATH_RSA>;
28 |   ssl_certificate_key <SSL_CERT_KEY_PATH_RSA>;
29 |   # ECC certificates
30 |   ssl_certificate <SSL_CERT_PATH_ECDSA>;
31 |   ssl_certificate_key <SSL_CERT_KEY_PATH_ECDSA>;
32 | 
33 |   ssl_trusted_certificate <SSL_CHAIN_PATH_ECDSA>;
34 | 
35 |   ssl_dhparam <DHPARAM_PATH>;
36 | 
37 |   # Backup self-signed SSL-certs.
38 |   # include snippets/snakeoil.conf;
39 | 
40 |   ssl_protocols TLSv1.2 TLSv1.3;
41 |   
42 |   # SSL ciphers: RSA + ECDSA
43 |   # Two certificate types (ECDSA, RSA) are needed.
44 |   ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384';
45 | 
46 |   ssl_ecdh_curve secp521r1:secp384r1;
47 |   ssl_prefer_server_ciphers on;
48 |   ssl_session_cache shared:SSL:10m;
49 |   ssl_session_timeout 5m;
50 |   ssl_session_tickets off;
51 |   ssl_stapling on;
52 |   ssl_stapling_verify on;
53 |   resolver <DNS_RESOLVER>;
54 | 
55 |   include /etc/nginx/snippets/headers.conf;
56 |   
57 |   server_name <SERVER_FQDN>;
58 | 
59 |   # security - prevent information disclosure about server version
60 |   server_tokens off;
61 | 
62 |   access_log  /var/log/nginx/<SERVER_FQDN>_access.log;
63 |   error_log   /var/log/nginx/<SERVER_FQDN>_error.log;
64 | 
65 |   <INCLUDE_SNIPPET_COLLABORA>
66 |   <INCLUDE_SNIPPET_SIGNALING_FORWARDING>
67 | }
68 | 


--------------------------------------------------------------------------------
/data/nginx/robots.txt:
--------------------------------------------------------------------------------
1 | Disallow: /browser/*
2 | 


--------------------------------------------------------------------------------
/data/signaling/coturn.service:
--------------------------------------------------------------------------------
 1 | [Unit]
 2 | Description=coTURN STUN/TURN Server
 3 | Documentation=man:coturn(1) man:turnadmin(1) man:turnserver(1)
 4 | After=network.target
 5 | 
 6 | [Service]
 7 | User=turnserver
 8 | Group=turnserver
 9 | ExecStart=/usr/local/bin/turnserver -c /etc/turnserver.conf --pidfile=
10 | Restart=on-failure
11 | InaccessibleDirectories=/home
12 | PrivateTmp=yes
13 | 
14 | [Install]
15 | WantedBy=multi-user.target
16 | 


--------------------------------------------------------------------------------
/data/signaling/janus.jcfg:
--------------------------------------------------------------------------------
  1 | # General configuration: folders where the configuration and the plugins
  2 | # can be found, how output should be logged, whether Janus should run as
  3 | # a daemon or in foreground, default interface to use, debug/logging level
  4 | # and, if needed, shared apisecret and/or token authentication mechanism
  5 | # between application(s) and Janus.
  6 | general: {
  7 | 	configs_folder = "/etc/janus"			# Configuration files folder
  8 | 	plugins_folder = "/usr/lib/x86_64-linux-gnu/janus/plugins"			# Plugins folder
  9 | 	transports_folder = "/usr/lib/x86_64-linux-gnu/janus/transports"	# Transports folder
 10 | 	events_folder = "/usr/lib/x86_64-linux-gnu/janus/events"			# Event handlers folder
 11 | 	loggers_folder = "/usr/lib/x86_64-linux-gnu/janus/loggers"			# External loggers folder
 12 | 
 13 | 		# The next settings configure logging
 14 | 	#log_to_stdout = false					# Whether the Janus output should be written
 15 | 											# to stdout or not (default=true)
 16 | 	log_to_file = "/var/log/janus.log"		# Whether to use a log file or not
 17 | 	debug_level = 4							# Debug/logging level, valid values are 0-7
 18 | 	debug_timestamps = true					# Whether to show a timestamp for each log line
 19 | 	#debug_colors = false					# Whether colors should be disabled in the log
 20 | 	#debug_locks = true						# Whether to enable debugging of locks (very verbose!)
 21 | 	#log_prefix = "[janus] "				# In case you want log lines to be prefixed by some
 22 | 											# custom text, you can use the 'log_prefix' property.
 23 | 											# It supports terminal colors, meaning something like
 24 | 											# "[\x1b[32mjanus\x1b[0m] " would show a green "janus"
 25 | 											# string in square brackets (assuming debug_colors=true).
 26 | 
 27 | 		# This is what you configure if you want to launch Janus as a daemon
 28 | 	#daemonize = true						# Whether Janus should run as a daemon
 29 | 											# or not (default=run in foreground)
 30 | 	#pid_file = "/path/to/janus.pid"		# PID file to create when Janus has been
 31 | 											# started, and to destroy at shutdown
 32 | 
 33 | 		# There are different ways you can authenticate the Janus and Admin APIs
 34 | 	#api_secret = "janusrocks"		# String that all Janus requests must contain
 35 | 									# to be accepted/authorized by the Janus core.
 36 | 									# Useful if you're wrapping all Janus API requests
 37 | 									# in your servers (that is, not in the browser,
 38 | 									# where you do the things your way) and you
 39 | 									# don't want other application to mess with
 40 | 									# this Janus instance.
 41 | 	#token_auth = true				# Enable a token based authentication
 42 | 									# mechanism to force users to always provide
 43 | 									# a valid token in all requests. Useful if
 44 | 									# you want to authenticate requests from web
 45 | 									# users.
 46 | 	#token_auth_secret = "janus"	# Use HMAC-SHA1 signed tokens (with token_auth). Note that
 47 | 									# without this, the Admin API MUST
 48 | 									# be enabled, as tokens are added and removed
 49 | 									# through messages sent there.
 50 | 	admin_secret = "janusoverlord"	# String that all Janus requests must contain
 51 | 									# to be accepted/authorized by the admin/monitor.
 52 | 									# only needed if you enabled the admin API
 53 | 									# in any of the available transports.
 54 | 
 55 | 		# Generic settings
 56 | 	#interface = "1.2.3.4"			# Interface to use (will be used in SDP)
 57 | 	#server_name = "MyJanusInstance"# Public name of this Janus instance
 58 | 									# as it will appear in an info request
 59 | 	#session_timeout = 60			# How long (in seconds) we should wait before
 60 | 									# deciding a Janus session has timed out. A
 61 | 									# session times out when no request is received
 62 | 									# for session_timeout seconds (default=60s).
 63 | 									# Setting this to 0 will disable the timeout
 64 | 									# mechanism, which is NOT suggested as it may
 65 | 									# risk having orphaned sessions (sessions not
 66 | 									# controlled by any transport and never freed).
 67 | 									# To avoid timeouts, keep-alives can be used.
 68 | 	#candidates_timeout = 45		# How long (in seconds) we should keep hold of
 69 | 									# pending (trickle) candidates before discarding
 70 | 									# them (default=45s). Notice that setting this
 71 | 									# to 0 will NOT disable the timeout, but will
 72 | 									# be considered an invalid value and ignored.
 73 | 	#reclaim_session_timeout = 0	# How long (in seconds) we should wait for a
 74 | 									# janus session to be reclaimed after the transport
 75 | 									# is gone. After the transport is gone, a session
 76 | 									# times out when no request is received for
 77 | 									# reclaim_session_timeout seconds (default=0s).
 78 | 									# Setting this to 0 will disable the timeout
 79 | 									# mechanism, and sessions will be destroyed immediately
 80 | 									# if the transport is gone.
 81 | 	#recordings_tmp_ext = "tmp"		# The extension for recordings, in Janus, is
 82 | 									# .mjr, a custom format we devised ourselves.
 83 | 									# By default, we save to .mjr directly. If you'd
 84 | 									# rather the recording filename have a temporary
 85 | 									# extension while it's being saved, and only
 86 | 									# have the .mjr extension when the recording
 87 | 									# is over (e.g., to automatically trigger some
 88 | 									# external scripts), then uncomment and set the
 89 | 									# recordings_tmp_ext property to the extension
 90 | 									# to add to the base (e.g., tmp --> .mjr.tmp).
 91 | 	#event_loops = 8				# By default, Janus handles each have their own
 92 | 									# event loop and related thread for all the media
 93 | 									# routing and management. If for some reason you'd
 94 | 									# rather limit the number of loop/threads, and
 95 | 									# you want handles to share those, you can do that
 96 | 									# configuring the event_loops property: this will
 97 | 									# spawn the specified amount of threads at startup,
 98 | 									# run a separate event loop on each of them, and
 99 | 									# add new handles to one of them when attaching.
100 | 									# Notice that, while cutting the number of threads
101 | 									# and possibly reducing context switching, this
102 | 									# might have an impact on the media delivery,
103 | 									# especially if the available loops can't take
104 | 									# care of all the handles and their media in time.
105 | 									# As such, if you want to use this you should
106 | 									# provision the correct value according to the
107 | 									# available resources (e.g., CPUs available).
108 | 	#allow_loop_indication = true	# In case a static number of event loops is
109 | 									# configured as explained above, by default
110 | 									# new handles will be allocated on one loop or
111 | 									# another by the Janus core itself. In some cases
112 | 									# it may be helpful to manually tell the Janus
113 | 									# core which loop a handle should be added to,
114 | 									# e.g., to group viewers of the same stream on
115 | 									# the same loop. This is possible via the Janus
116 | 									# API when performing the 'attach' request, but
117 | 									# only if allow_loop_indication is set to true;
118 | 									# it's set to false by default to avoid abuses.
119 | 									# Don't change if you don't know what you're doing!
120 | 	#opaqueid_in_api = true			# Opaque IDs set by applications are typically
121 | 									# only passed to event handlers for correlation
122 | 									# purposes, but not sent back to the user or
123 | 									# application in the related Janus API responses
124 | 									# or events; in case you need them to be in the
125 | 									# Janus API too, set this property to 'true'.
126 | 	#hide_dependencies = true		# By default, a call to the "info" endpoint of
127 | 									# either the Janus or Admin API now also returns
128 | 									# the versions of the main dependencies (e.g.,
129 | 									# libnice, libsrtp, which crypto library is in
130 | 									# use and so on). Should you want that info not
131 | 									# to be disclose, set 'hide_dependencies' to true.
132 | 	#exit_on_dl_error = false		# If a Janus shared libary cannot be loaded or an expected
133 | 									# symbol is not found, exit immediately.
134 | 
135 | 		# The following is ONLY useful when debugging RTP/RTCP packets,
136 | 		# e.g., to look at unencrypted live traffic with a browser. By
137 | 		# default it is obviously disabled, as WebRTC mandates encryption.
138 | 	#no_webrtc_encryption = true
139 | 
140 | 		# Janus provides ways via its API to specify custom paths to save
141 | 		# files to (e.g., recordings, pcap captures and the like). In order
142 | 		# to avoid people can mess with folders they're not supposed to,
143 | 		# you can configure an array of folders that Janus should prevent
144 | 		# creating files in. If the 'protected_folder' property below is
145 | 		# commented, no folder is protected.
146 | 		# Notice that at the moment this only covers attempts to start
147 | 		# an .mjr recording and pcap/text2pcap packet captures.
148 | 	protected_folders = [
149 | 		"/bin",
150 | 		"/boot",
151 | 		"/dev",
152 | 		"/etc",
153 | 		"/initrd",
154 | 		"/lib",
155 | 		"/lib32",
156 | 		"/lib64",
157 | 		"/proc",
158 | 		"/sbin",
159 | 		"/sys",
160 | 		"/usr",
161 | 		"/var",
162 | 			# We add what are usually the folders Janus is installed to
163 | 			# as well: we don't just put "/opt/janus" because that would
164 | 			# include folders like "/opt/janus/share" that is where
165 | 			# recordings might be saved to by some plugins
166 | 		"/opt/janus/bin",
167 | 		"/opt/janus/etc",
168 | 		"/opt/janus/include",
169 | 		"/opt/janus/lib",
170 | 		"/opt/janus/lib32",
171 | 		"/opt/janus/lib64",
172 | 		"/opt/janus/sbin"
173 | 	]
174 | }
175 | 
176 | # Certificate and key to use for DTLS (and passphrase if needed). If missing,
177 | # Janus will autogenerate a self-signed certificate to use. Notice that
178 | # self-signed certificates are fine for the purpose of WebRTC DTLS
179 | # connectivity, for the time being, at least until Identity Providers
180 | # are standardized and implemented in browsers. If for some reason you
181 | # want to enforce the DTLS stack in Janus to enforce valid certificates
182 | # from peers, though, you can do that setting 'dtls_accept_selfsigned' to
183 | # 'false' below: DO NOT TOUCH THAT IF YOU DO NOT KNOW WHAT YOU'RE DOING!
184 | # You can also configure the DTLS ciphers to offer: the default if not
185 | # set is "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK"
186 | # Finally, by default NIST P-256 certificates are generated (see #1997),
187 | # but RSA generation is still supported if you set 'rsa_private_key' to 'true'.
188 | certificates: {
189 | 	#cert_pem = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
190 | 	#cert_key = "/etc/ssl/private/ssl-cert-snakeoil.key"
191 | 	#cert_pwd = "secretpassphrase"
192 | 	#dtls_accept_selfsigned = false
193 | 	#dtls_ciphers = "your-desired-openssl-ciphers"
194 | 	#rsa_private_key = false
195 | }
196 | 
197 | # Media-related stuff: you can configure whether if you want to enable IPv6
198 | # support (and link-local IPs), the minimum size of the NACK queue (in ms,
199 | # defaults to 200ms) for retransmissions no matter the RTT, the range of
200 | # ports to use for RTP and RTCP (by default, no range is envisaged), the
201 | # starting MTU for DTLS (1200 by default, it adapts automatically),
202 | # how much time, in seconds, should pass with no media (audio or
203 | # video) being received before Janus notifies you about this (default=1s,
204 | # 0 disables these events entirely), how many lost packets should trigger a
205 | # 'slowlink' event to users (default=0, disabled), and how often, in milliseconds,
206 | # to send the Transport Wide Congestion Control feedback information back
207 | # to senders, if negotiated (default=200ms). Finally, if you're using BoringSSL
208 | # you can customize the frequency of retransmissions: OpenSSL has a fixed
209 | # value of 1 second (the default), while BoringSSL can override that. Notice
210 | # that lower values (e.g., 100ms) will typically get you faster connection
211 | # times, but may not work in case the RTT of the user is high: as such,
212 | # you should pick a reasonable trade-off (usually 2*max expected RTT).
213 | media: {
214 | 	#ipv6 = true
215 | 	#ipv6_linklocal = true
216 | 	#min_nack_queue = 500
217 | 	#rtp_port_range = "20000-40000"
218 | 	#dtls_mtu = 1200
219 | 	#no_media_timer = 1
220 | 	#slowlink_threshold = 4
221 | 	#twcc_period = 100
222 | 	#dtls_timeout = 500
223 | 
224 | 	# Janus can do some optimizations on the NACK queue, specifically when
225 | 	# keyframes are involved. Namely, you can configure Janus so that any
226 | 	# time a keyframe is sent to a user, the NACK buffer for that connection
227 | 	# is emptied. This allows Janus to ignore NACK requests for packets
228 | 	# sent shortly before the keyframe was sent, since it can be assumed
229 | 	# that the keyframe will restore a complete working image for the user
230 | 	# anyway (which is the main reason why video retransmissions are typically
231 | 	# required). While this optimization is known to work fine in most cases,
232 | 	# it can backfire in some edge cases, and so is disabled by default.
233 | 	#nack_optimizations = true
234 | 
235 | 	# If you need DSCP packet marking and prioritization, you can configure
236 | 	# the 'dscp' property to a specific values, and Janus will try to
237 | 	# set it on all outgoing packets using libnice. Normally, the specs
238 | 	# suggest to use different values depending on whether audio, video
239 | 	# or data are used, but since all PeerConnections in Janus are bundled,
240 | 	# we can only use one. You can refer to this document for more info:
241 | 	# https://tools.ietf.org/html/draft-ietf-tsvwg-rtcweb-qos-18#page-6
242 | 	# That said, DON'T TOUCH THIS IF YOU DON'T KNOW WHAT IT MEANS!
243 | 	#dscp = 46
244 | }
245 | 
246 | # NAT-related stuff: specifically, you can configure the STUN/TURN
247 | # servers to use to gather candidates if the gateway is behind a NAT,
248 | # and srflx/relay candidates are needed. In case STUN is not enough and
249 | # this is needed (it shouldn't), you can also configure Janus to use a
250 | # TURN server# please notice that this does NOT refer to TURN usage in
251 | # browsers, but in the gathering of relay candidates by Janus itself,
252 | # e.g., if you want to limit the ports used by a Janus instance on a
253 | # private machine. Furthermore, you can choose whether Janus should be
254 | # configured to do full-trickle (Janus also trickles its candidates to
255 | # users) rather than the default half-trickle (Janus supports trickle
256 | # candidates from users, but sends its own within the SDP), and whether
257 | # it should work in ICE-Lite mode (by default it doesn't). If libnice is
258 | # at least 0.1.15, you can choose which ICE nomination mode to use: valid
259 | # values are "regular" and "aggressive" (the default depends on the libnice
260 | # version itself; if we can set it, we set aggressive nomination). You can
261 | # also configure whether to use connectivity checks as keep-alives, which
262 | # might help detecting when a peer is no longer available (notice that
263 | # current libnice master is breaking connections after 50 seconds when
264 | # keepalive-conncheck is being used, so if you want to use it, better
265 | # sticking to 0.1.18 until the issue is addressed upstream). Finally,
266 | # you can also enable ICE-TCP support (beware that this may lead to problems
267 | # if you do not enable ICE Lite as well), choose which interfaces should
268 | # be used for gathering candidates, and enable or disable the
269 | # internal libnice debugging, if needed.
270 | nat: {
271 | 	stun_server = "<SIGNALING_COTURN_URL>" # HAND-EDIT
272 | 	stun_port = 5349 # HAND-EDIT PORT-EDIT (443)
273 | 	nice_debug = false
274 | 	full_trickle = true # HAND-EDIT
275 | 	#ice_nomination = "regular"
276 | 	#ice_keepalive_conncheck = true
277 | 	#ice_lite = true
278 | 	#ice_tcp = true
279 | 
280 | 	# By default Janus tries to resolve mDNS (.local) candidates: even
281 | 	# though this is now done asynchronously and shouldn't keep the API
282 | 	# busy, even in case mDNS resolution takes a long time to timeout,
283 | 	# you can choose to drop all .local candidates instead, which is
284 | 	# helpful in case you know clients will never be in the same private
285 | 	# network as the one the Janus instance is running from. Notice that
286 | 	# this will cause ICE to fail if mDNS is the only way to connect!
287 | 	#ignore_mdns = true
288 | 
289 | 	# In case you're deploying Janus on a server which is configured with
290 | 	# a 1:1 NAT (e.g., Amazon EC2), you might want to also specify the public
291 | 	# address of the machine using the setting below. This will result in
292 | 	# all host candidates (which normally have a private IP address) to
293 | 	# be rewritten with the public address provided in the settings. As
294 | 	# such, use the option with caution and only if you know what you're doing.
295 | 	# Make sure you keep ICE Lite disabled, though, as it's not strictly
296 | 	# speaking a publicly reachable server, and a NAT is still involved.
297 | 	# If you'd rather keep the private IP address in place, rather than
298 | 	# replacing it (and so have both of them as advertised candidates),
299 | 	# then set the 'keep_private_host' property to true.
300 | 	# Multiple public IP addresses can be specified as a comma separated list
301 | 	# if the Janus is deployed in a DMZ between two 1-1 NAT for internal and
302 | 	# external users.
303 | 	#nat_1_1_mapping = "1.2.3.4"
304 | 	#keep_private_host = true
305 | 
306 | 	# You can configure a TURN server in two different ways: specifying a
307 | 	# statically configured TURN server, and thus provide the address of the
308 | 	# TURN server, the transport (udp/tcp/tls) to use, and a set of valid
309 | 	# credentials to authenticate. Notice that you should NEVER configure
310 | 	# a TURN server for Janus unless it's really what you want! If you want
311 | 	# *users* to use TURN, then you need to configure that on the client
312 | 	# side, and NOT in Janus. The following TURN configuration should ONLY
313 | 	# be enabled when Janus itself is sitting behind a restrictive firewall
314 | 	# (e.g., it's part of a service installed on a box in a private home).
315 | 	#turn_server = "myturnserver.com"
316 | 	#turn_port = 3478
317 | 	#turn_type = "udp"
318 | 	#turn_user = "myuser"
319 | 	#turn_pwd = "mypassword"
320 | 
321 | 	# You can also make use of the TURN REST API to get info on one or more
322 | 	# TURN services dynamically. This makes use of the proposed standard of
323 | 	# such an API (https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00)
324 | 	# which is currently available in both rfc5766-turn-server and coturn.
325 | 	# You enable this by specifying the address of your TURN REST API backend,
326 | 	# the HTTP method to use (GET or POST) and, if required, the API key Janus
327 | 	# must provide. The timeout can be configured in seconds, with a default of
328 | 	# 10 seconds and a minimum of 1 second. Notice that the 'opaque_id' provided
329 | 	# via Janus API will be used as the username for a specific PeerConnection
330 | 	# by default; if that one is missing, the 'session_id' will be used as the
331 | 	# username instead.
332 | 	#turn_rest_api = "http://yourbackend.com/path/to/api"
333 | 	turn_rest_api_key = "<SIGNALING_JANUS_API_KEY>" # HAND-EDIT
334 | 	#turn_rest_api_method = "GET"
335 | 	#turn_rest_api_timeout = 10
336 | 
337 | 	# In case a TURN server is provided, you can allow applications to force
338 | 	# Janus to use TURN (https://github.com/meetecho/janus-gateway/pull/2774).
339 | 	# This is NOT allowed by default: only enable it if you know what you're doing.
340 | 	#allow_force_relay = true
341 | 
342 | 	# You can also choose which interfaces should be explicitly used by the
343 | 	# gateway for the purpose of ICE candidates gathering, thus excluding
344 | 	# others that may be available. To do so, use the 'ice_enforce_list'
345 | 	# setting and pass it a comma-separated list of interfaces or IP addresses
346 | 	# to enforce. This is especially useful if the server hosting the gateway
347 | 	# has several interfaces, and you only want a subset to be used. Any of
348 | 	# the following examples are valid:
349 | 	#     ice_enforce_list = "eth0"
350 | 	#     ice_enforce_list = "eth0,eth1"
351 | 	#     ice_enforce_list = "eth0,192.168."
352 | 	#     ice_enforce_list = "eth0,192.168.0.1"
353 | 	# By default, no interface is enforced, meaning Janus will try to use them all.
354 | 	#ice_enforce_list = "eth0"
355 | 
356 | 	# In case you don't want to specify specific interfaces to use, but would
357 | 	# rather tell Janus to use all the available interfaces except some that
358 | 	# you don't want to involve, you can also choose which interfaces or IP
359 | 	# addresses should be excluded and ignored by the gateway for the purpose
360 | 	# of ICE candidates gathering. To do so, use the 'ice_ignore_list' setting
361 | 	# and pass it a comma-separated list of interfaces or IP addresses to
362 | 	# ignore. This is especially useful if the server hosting the gateway
363 | 	# has several interfaces you already know will not be used or will simply
364 | 	# always slow down ICE (e.g., virtual interfaces created by VMware).
365 | 	# Partial strings are supported, which means that any of the following
366 | 	# examples are valid:
367 | 	#     ice_ignore_list = "vmnet8,192.168.0.1,10.0.0.1"
368 | 	#     ice_ignore_list = "vmnet,192.168."
369 | 	# Just beware that the ICE ignore list is not used if an enforce list
370 | 	# has been configured. By default, Janus ignores all interfaces whose
371 | 	# name starts with 'vmnet', to skip VMware interfaces:
372 | 	ice_ignore_list = "vmnet"
373 | 
374 | 	# In case you want to allow Janus to start even if the configured STUN or TURN
375 | 	# server is unreachable, you can set 'ignore_unreachable_ice_server' to true.
376 | 	# WARNING: We do not recommend to ignore reachability problems, particularly
377 | 	# if you run Janus in the cloud. Before enabling this flag, make sure your
378 | 	# system is correctly configured and Janus starts after the network layer of
379 | 	# your machine is ready. Note that Linux distributions offer such directives.
380 | 	# You could use the following directive in systemd: 'After=network-online.target'
381 | 	# https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Before=
382 | 	#ignore_unreachable_ice_server = true
383 | }
384 | 
385 | # You can choose which of the available plugins should be
386 | # enabled or not. Use the 'disable' directive to prevent Janus from
387 | # loading one or more plugins: use a comma separated list of plugin file
388 | # names to identify the plugins to disable. By default all available
389 | # plugins are enabled and loaded at startup.
390 | plugins: {
391 | 	#disable = "libjanus_voicemail.so,libjanus_recordplay.so"
392 | }
393 | 
394 | # You can choose which of the available transports should be enabled or
395 | # not. Use the 'disable' directive to prevent Janus from loading one
396 | # or more transport: use a comma separated list of transport file names
397 | # to identify the transports to disable. By default all available
398 | # transports are enabled and loaded at startup.
399 | transports: {
400 | 	#disable = "libjanus_rabbitmq.so"
401 | }
402 | 
403 | # As a core feature, Janus can log either on the standard output, or to
404 | # a local file. Should you need more advanced logging functionality, you
405 | # can make use of one of the custom loggers, or write one yourself. Use the
406 | # 'disable' directive to prevent Janus from loading one or more loggers:
407 | # use a comma separated list of logger file names to identify the loggers
408 | # to disable. By default all available loggers are enabled and loaded at startup.
409 | loggers: {
410 | 	#disable = "libjanus_jsonlog.so"
411 | }
412 | 
413 | # Event handlers allow you to receive live events from Janus happening
414 | # in core and/or plugins. Since this can require some more resources,
415 | # the feature is disabled by default. Setting broadcast to yes will
416 | # enable them. You can then choose which of the available event handlers
417 | # should be loaded or not. Use the 'disable' directive to prevent Janus
418 | # from loading one or more event handlers: use a comma separated list of
419 | # file names to identify the event handlers to disable. By default, if
420 | # broadcast is set to yes all available event handlers are enabled and
421 | # loaded at startup. Finally, you can choose how often media statistics
422 | # (packets sent/received, losses, etc.) should be sent: by default it's
423 | # once per second (audio and video statistics sent separately), but may
424 | # considered too verbose, or you may want to limit the number of events,
425 | # especially if you have many PeerConnections active. To change this,
426 | # just set 'stats_period' to the number of seconds that should pass in
427 | # between statistics for each handle. Setting it to 0 disables them (but
428 | # not other media-related events). By default Janus sends single media
429 | # statistic events per media (audio, video and simulcast layers as separate
430 | # events): if you'd rather receive a single containing all media stats in a
431 | # single array, set 'combine_media_stats' to true.
432 | events: {
433 | 	#broadcast = true
434 | 	#combine_media_stats = true
435 | 	#disable = "libjanus_sampleevh.so"
436 | 	#stats_period = 5
437 | }
438 | 


--------------------------------------------------------------------------------
/data/signaling/janus.transport.http.jcfg:
--------------------------------------------------------------------------------
 1 | # Web server stuff: whether any should be enabled, which ports they
 2 | # should use, whether security should be handled directly or demanded to
 3 | # an external application (e.g., web frontend) and what should be the
 4 | # base path for the Janus API protocol. Notice that by default
 5 | # all the web servers will try and bind on both IPv4 and IPv6: if you
 6 | # want to only bind to IPv4 addresses (e.g., because your system does not
 7 | # support IPv6), you should set the web server 'ip' property to '0.0.0.0'.
 8 | # To see debug logs from the HTTP server library, set 'mhd_debug'.
 9 | general: {
10 | 	#events = true					# Whether to notify event handlers about transport events (default=true)
11 | 	json = "indented"				# Whether the JSON messages should be indented (default),
12 | 									# plain (no indentation) or compact (no indentation and no spaces)
13 | 	base_path = "/janus"			# Base path to bind to in the web server (plain HTTP only)
14 | 	http = true						# Whether to enable the plain HTTP interface
15 | 	port = 8088						# Web server HTTP port
16 | 	interface = "lo" # HAND-EDIT	# Whether we should bind this server to a specific interface only
17 | 	#ip = "192.168.0.1"				# Whether we should bind this server to a specific IP address (v4 or v6) only
18 | 	https = false					# Whether to enable HTTPS (default=false)
19 | 	#secure_port = 8089				# Web server HTTPS port, if enabled
20 | 	#secure_interface = "eth0"		# Whether we should bind this server to a specific interface only
21 | 	#secure_ip = "192.168.0.1"		# Whether we should bind this server to a specific IP address (v4 or v6) only
22 | 	#acl = "127.,192.168.0."		# Only allow requests coming from this comma separated list of addresses
23 | 	#mhd_connection_limit = 1020		# Open connections limit in libmicrohttpd (default=1020)
24 | 	#mhd_debug = false					# Ask libmicrohttpd to write warning and error messages to stderr (default=false)
25 | }
26 | 
27 | # Janus can also expose an admin/monitor endpoint, to allow you to check
28 | # which sessions are up, which handles they're managing, their current
29 | # status and so on. This provides a useful aid when debugging potential
30 | # issues in Janus. The configuration is pretty much the same as the one
31 | # already presented above for the webserver stuff, as the API is very
32 | # similar: choose the base bath for the admin/monitor endpoint (/admin
33 | # by default), ports, etc. Besides, you can specify
34 | # a secret that must be provided in all requests as a crude form of
35 | # authorization mechanism, and partial or full source IPs if you want to
36 | # limit access basing on IP addresses. For security reasons, this
37 | # endpoint is disabled by default, enable it by setting admin_http=true.
38 | admin: {
39 | 	admin_base_path = "/admin"			# Base path to bind to in the admin/monitor web server (plain HTTP only)
40 | 	admin_http = false					# Whether to enable the plain HTTP interface
41 | 	admin_port = 7088					# Admin/monitor web server HTTP port
42 | 	#admin_interface = "eth0"			# Whether we should bind this server to a specific interface only
43 | 	#admin_ip = "192.168.0.1"			# Whether we should bind this server to a specific IP address (v4 or v6) only
44 | 	admin_https = false					# Whether to enable HTTPS (default=false)
45 | 	#admin_secure_port = 7889			# Admin/monitor web server HTTPS port, if enabled
46 | 	#admin_secure_interface = "eth0"	# Whether we should bind this server to a specific interface only
47 | 	#admin_secure_ip = "192.168.0.1"	# Whether we should bind this server to a specific IP address (v4 or v6) only
48 | 	#admin_acl = "127.,192.168.0."		# Only allow requests coming from this comma separated list of addresses
49 | }
50 | 
51 | # The HTTP servers created in Janus support CORS out of the box, but by
52 | # default they return a wildcard (*) in the 'Access-Control-Allow-Origin'
53 | # header. This works fine in most situations, except when we have to
54 | # respond to a credential request (withCredentials=true in the XHR). If
55 | # you need that, uncomment and set the 'allow_origin' below to specify
56 | # what must be returned in 'Access-Control-Allow-Origin'. More details:
57 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
58 | # In case you want to enforce the Origin validation, rather than leave
59 | # it to browsers, you can set 'enforce_cors' to 'true' to have Janus
60 | # return a '403 Forbidden' for all requests that don't comply.
61 | cors: {
62 | 	#allow_origin = "http://foo.example"
63 | 	#enforce_cors = true
64 | }
65 | 
66 | # Certificate and key to use for HTTPS, if enabled (and passphrase if needed).
67 | # You can also disable insecure protocols and ciphers by configuring the
68 | # 'ciphers' property accordingly (no limitation by default).
69 | certificates: {
70 | 	cert_pem = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
71 | 	cert_key = "/etc/ssl/private/ssl-cert-snakeoil.key"
72 | 	#cert_pwd = "secretpassphrase"
73 | 	#ciphers = "PFS:-VERS-TLS1.0:-VERS-TLS1.1:-3DES-CBC:-ARCFOUR-128"
74 | }
75 | 


--------------------------------------------------------------------------------
/data/signaling/janus.transport.websockets.jcfg:
--------------------------------------------------------------------------------
 1 | # WebSockets stuff: whether they should be enabled, which ports they
 2 | # should use, and so on.
 3 | general: {
 4 | 	#events = true					# Whether to notify event handlers about transport events (default=true)
 5 | 	json = "indented"				# Whether the JSON messages should be indented (default),
 6 | 									# plain (no indentation) or compact (no indentation and no spaces)
 7 | 	#pingpong_trigger = 30			# After how many seconds of idle, a PING should be sent
 8 | 	#pingpong_timeout = 10			# After how many seconds of not getting a PONG, a timeout should be detected
 9 | 
10 | 	ws = true						# Whether to enable the WebSockets API
11 | 	ws_port = 8188					# WebSockets server port
12 | 	ws_interface = "lo" # HAND-EDIT	# Whether we should bind this server to a specific interface only
13 | 	#ws_ip = "192.168.0.1"			# Whether we should bind this server to a specific IP address only
14 | 	#ws_unix = "/run/ws.sock"		# Use WebSocket server over UNIX socket instead of TCP
15 | 	wss = false						# Whether to enable secure WebSockets
16 | 	#wss_port = 8989				# WebSockets server secure port, if enabled
17 | 	#wss_interface = "eth0"			# Whether we should bind this server to a specific interface only
18 | 	#wss_ip = "192.168.0.1"			# Whether we should bind this server to a specific IP address only
19 | 	#wss_unix = "/run/wss.sock"		# Use WebSocket server over UNIX socket instead of TCP
20 | 	#ws_logging = "err,warn"		# libwebsockets debugging level as a comma separated list of things
21 | 									# to debug, supported values: err, warn, notice, info, debug, parser,
22 | 									# header, ext, client, latency, user, count (plus 'none' and 'all')
23 | 	#ws_acl = "127.,192.168.0."		# Only allow requests coming from this comma separated list of addresses
24 | }
25 | 
26 | # If you want to expose the Admin API via WebSockets as well, you need to
27 | # specify a different server instance, as you cannot mix Janus API and
28 | # Admin API messaging. Notice that by default the Admin API support via
29 | # WebSockets is disabled.
30 | admin: {
31 | 	admin_ws = false					# Whether to enable the Admin API WebSockets API
32 | 	admin_ws_port = 7188				# Admin API WebSockets server port, if enabled
33 | 	#admin_ws_interface = "eth0"		# Whether we should bind this server to a specific interface only
34 | 	#admin_ws_ip = "192.168.0.1"		# Whether we should bind this server to a specific IP address only
35 | 	#admin_ws_unix = "/run/aws.sock"	# Use WebSocket server over UNIX socket instead of TCP
36 | 	admin_wss = false					# Whether to enable the Admin API secure WebSockets
37 | 	#admin_wss_port = 7989				# Admin API WebSockets server secure port, if enabled
38 | 	#admin_wss_interface = "eth0"		# Whether we should bind this server to a specific interface only
39 | 	#admin_wss_ip = "192.168.0.1"		# Whether we should bind this server to a specific IP address only
40 | 	#admin_wss_unix = "/run/awss.sock"	# Use WebSocket server over UNIX socket instead of TCP
41 | 	#admin_ws_acl = "127.,192.168.0."	# Only allow requests coming from this comma separated list of addresses
42 | }
43 | 
44 | # The HTTP servers created in Janus support CORS out of the box, but by
45 | # default they return a wildcard (*) in the 'Access-Control-Allow-Origin'
46 | # header. This works fine in most situations, except when we have to
47 | # respond to a credential request (withCredentials=true in the XHR). If
48 | # you need that, uncomment and set the 'allow_origin' below to specify
49 | # what must be returned in 'Access-Control-Allow-Origin'. More details:
50 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
51 | # In case you want to enforce the Origin validation, rather than leave
52 | # it to browsers, you can set 'enforce_cors' to 'true' to have Janus
53 | # return a '403 Forbidden' for all requests that don't comply.
54 | cors: {
55 | 	#allow_origin = "http://foo.example"
56 | 	#enforce_cors = true
57 | }
58 | 
59 | # Certificate and key to use for any secure WebSocket server, if enabled (and passphrase if needed).
60 | # You can also disable insecure protocols and ciphers by configuring the
61 | # 'ciphers' property accordingly (no limitation by default).
62 | # Examples of recommended cipher strings at https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html
63 | certificates: {
64 | 	cert_pem = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
65 | 	cert_key = "/etc/ssl/private/ssl-cert-snakeoil.key"
66 | 	#cert_pwd = "secretpassphrase"
67 | 	#ciphers = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
68 | }
69 | 


--------------------------------------------------------------------------------
/data/signaling/janus_aarch64.jcfg:
--------------------------------------------------------------------------------
  1 | # General configuration: folders where the configuration and the plugins
  2 | # can be found, how output should be logged, whether Janus should run as
  3 | # a daemon or in foreground, default interface to use, debug/logging level
  4 | # and, if needed, shared apisecret and/or token authentication mechanism
  5 | # between application(s) and Janus.
  6 | general: {
  7 | 	configs_folder = "/etc/janus"			# Configuration files folder
  8 | 	plugins_folder = "/usr/lib/aarch64-linux-gnu/janus/plugins"			# Plugins folder
  9 | 	transports_folder = "/usr/lib/aarch64-linux-gnu/janus/transports"	# Transports folder
 10 | 	events_folder = "/usr/lib/aarch64-linux-gnu/janus/events"			# Event handlers folder
 11 | 	loggers_folder = "/usr/lib/aarch64-linux-gnu/janus/loggers"			# External loggers folder
 12 | 
 13 | 		# The next settings configure logging
 14 | 	#log_to_stdout = false					# Whether the Janus output should be written
 15 | 											# to stdout or not (default=true)
 16 | 	log_to_file = "/var/log/janus.log"		# Whether to use a log file or not
 17 | 	debug_level = 4							# Debug/logging level, valid values are 0-7
 18 | 	debug_timestamps = true					# Whether to show a timestamp for each log line
 19 | 	#debug_colors = false					# Whether colors should be disabled in the log
 20 | 	#debug_locks = true						# Whether to enable debugging of locks (very verbose!)
 21 | 	#log_prefix = "[janus] "				# In case you want log lines to be prefixed by some
 22 | 											# custom text, you can use the 'log_prefix' property.
 23 | 											# It supports terminal colors, meaning something like
 24 | 											# "[\x1b[32mjanus\x1b[0m] " would show a green "janus"
 25 | 											# string in square brackets (assuming debug_colors=true).
 26 | 
 27 | 		# This is what you configure if you want to launch Janus as a daemon
 28 | 	#daemonize = true						# Whether Janus should run as a daemon
 29 | 											# or not (default=run in foreground)
 30 | 	#pid_file = "/path/to/janus.pid"		# PID file to create when Janus has been
 31 | 											# started, and to destroy at shutdown
 32 | 
 33 | 		# There are different ways you can authenticate the Janus and Admin APIs
 34 | 	#api_secret = "janusrocks"		# String that all Janus requests must contain
 35 | 									# to be accepted/authorized by the Janus core.
 36 | 									# Useful if you're wrapping all Janus API requests
 37 | 									# in your servers (that is, not in the browser,
 38 | 									# where you do the things your way) and you
 39 | 									# don't want other application to mess with
 40 | 									# this Janus instance.
 41 | 	#token_auth = true				# Enable a token based authentication
 42 | 									# mechanism to force users to always provide
 43 | 									# a valid token in all requests. Useful if
 44 | 									# you want to authenticate requests from web
 45 | 									# users.
 46 | 	#token_auth_secret = "janus"	# Use HMAC-SHA1 signed tokens (with token_auth). Note that
 47 | 									# without this, the Admin API MUST
 48 | 									# be enabled, as tokens are added and removed
 49 | 									# through messages sent there.
 50 | 	admin_secret = "janusoverlord"	# String that all Janus requests must contain
 51 | 									# to be accepted/authorized by the admin/monitor.
 52 | 									# only needed if you enabled the admin API
 53 | 									# in any of the available transports.
 54 | 
 55 | 		# Generic settings
 56 | 	#interface = "1.2.3.4"			# Interface to use (will be used in SDP)
 57 | 	#server_name = "MyJanusInstance"# Public name of this Janus instance
 58 | 									# as it will appear in an info request
 59 | 	#session_timeout = 60			# How long (in seconds) we should wait before
 60 | 									# deciding a Janus session has timed out. A
 61 | 									# session times out when no request is received
 62 | 									# for session_timeout seconds (default=60s).
 63 | 									# Setting this to 0 will disable the timeout
 64 | 									# mechanism, which is NOT suggested as it may
 65 | 									# risk having orphaned sessions (sessions not
 66 | 									# controlled by any transport and never freed).
 67 | 									# To avoid timeouts, keep-alives can be used.
 68 | 	#candidates_timeout = 45		# How long (in seconds) we should keep hold of
 69 | 									# pending (trickle) candidates before discarding
 70 | 									# them (default=45s). Notice that setting this
 71 | 									# to 0 will NOT disable the timeout, but will
 72 | 									# be considered an invalid value and ignored.
 73 | 	#reclaim_session_timeout = 0	# How long (in seconds) we should wait for a
 74 | 									# janus session to be reclaimed after the transport
 75 | 									# is gone. After the transport is gone, a session
 76 | 									# times out when no request is received for
 77 | 									# reclaim_session_timeout seconds (default=0s).
 78 | 									# Setting this to 0 will disable the timeout
 79 | 									# mechanism, and sessions will be destroyed immediately
 80 | 									# if the transport is gone.
 81 | 	#recordings_tmp_ext = "tmp"		# The extension for recordings, in Janus, is
 82 | 									# .mjr, a custom format we devised ourselves.
 83 | 									# By default, we save to .mjr directly. If you'd
 84 | 									# rather the recording filename have a temporary
 85 | 									# extension while it's being saved, and only
 86 | 									# have the .mjr extension when the recording
 87 | 									# is over (e.g., to automatically trigger some
 88 | 									# external scripts), then uncomment and set the
 89 | 									# recordings_tmp_ext property to the extension
 90 | 									# to add to the base (e.g., tmp --> .mjr.tmp).
 91 | 	#event_loops = 8				# By default, Janus handles each have their own
 92 | 									# event loop and related thread for all the media
 93 | 									# routing and management. If for some reason you'd
 94 | 									# rather limit the number of loop/threads, and
 95 | 									# you want handles to share those, you can do that
 96 | 									# configuring the event_loops property: this will
 97 | 									# spawn the specified amount of threads at startup,
 98 | 									# run a separate event loop on each of them, and
 99 | 									# add new handles to one of them when attaching.
100 | 									# Notice that, while cutting the number of threads
101 | 									# and possibly reducing context switching, this
102 | 									# might have an impact on the media delivery,
103 | 									# especially if the available loops can't take
104 | 									# care of all the handles and their media in time.
105 | 									# As such, if you want to use this you should
106 | 									# provision the correct value according to the
107 | 									# available resources (e.g., CPUs available).
108 | 	#allow_loop_indication = true	# In case a static number of event loops is
109 | 									# configured as explained above, by default
110 | 									# new handles will be allocated on one loop or
111 | 									# another by the Janus core itself. In some cases
112 | 									# it may be helpful to manually tell the Janus
113 | 									# core which loop a handle should be added to,
114 | 									# e.g., to group viewers of the same stream on
115 | 									# the same loop. This is possible via the Janus
116 | 									# API when performing the 'attach' request, but
117 | 									# only if allow_loop_indication is set to true;
118 | 									# it's set to false by default to avoid abuses.
119 | 									# Don't change if you don't know what you're doing!
120 | 	#opaqueid_in_api = true			# Opaque IDs set by applications are typically
121 | 									# only passed to event handlers for correlation
122 | 									# purposes, but not sent back to the user or
123 | 									# application in the related Janus API responses
124 | 									# or events; in case you need them to be in the
125 | 									# Janus API too, set this property to 'true'.
126 | 	#hide_dependencies = true		# By default, a call to the "info" endpoint of
127 | 									# either the Janus or Admin API now also returns
128 | 									# the versions of the main dependencies (e.g.,
129 | 									# libnice, libsrtp, which crypto library is in
130 | 									# use and so on). Should you want that info not
131 | 									# to be disclose, set 'hide_dependencies' to true.
132 | 	#exit_on_dl_error = false		# If a Janus shared libary cannot be loaded or an expected
133 | 									# symbol is not found, exit immediately.
134 | 
135 | 		# The following is ONLY useful when debugging RTP/RTCP packets,
136 | 		# e.g., to look at unencrypted live traffic with a browser. By
137 | 		# default it is obviously disabled, as WebRTC mandates encryption.
138 | 	#no_webrtc_encryption = true
139 | 
140 | 		# Janus provides ways via its API to specify custom paths to save
141 | 		# files to (e.g., recordings, pcap captures and the like). In order
142 | 		# to avoid people can mess with folders they're not supposed to,
143 | 		# you can configure an array of folders that Janus should prevent
144 | 		# creating files in. If the 'protected_folder' property below is
145 | 		# commented, no folder is protected.
146 | 		# Notice that at the moment this only covers attempts to start
147 | 		# an .mjr recording and pcap/text2pcap packet captures.
148 | 	protected_folders = [
149 | 		"/bin",
150 | 		"/boot",
151 | 		"/dev",
152 | 		"/etc",
153 | 		"/initrd",
154 | 		"/lib",
155 | 		"/lib32",
156 | 		"/lib64",
157 | 		"/proc",
158 | 		"/sbin",
159 | 		"/sys",
160 | 		"/usr",
161 | 		"/var",
162 | 			# We add what are usually the folders Janus is installed to
163 | 			# as well: we don't just put "/opt/janus" because that would
164 | 			# include folders like "/opt/janus/share" that is where
165 | 			# recordings might be saved to by some plugins
166 | 		"/opt/janus/bin",
167 | 		"/opt/janus/etc",
168 | 		"/opt/janus/include",
169 | 		"/opt/janus/lib",
170 | 		"/opt/janus/lib32",
171 | 		"/opt/janus/lib64",
172 | 		"/opt/janus/sbin"
173 | 	]
174 | }
175 | 
176 | # Certificate and key to use for DTLS (and passphrase if needed). If missing,
177 | # Janus will autogenerate a self-signed certificate to use. Notice that
178 | # self-signed certificates are fine for the purpose of WebRTC DTLS
179 | # connectivity, for the time being, at least until Identity Providers
180 | # are standardized and implemented in browsers. If for some reason you
181 | # want to enforce the DTLS stack in Janus to enforce valid certificates
182 | # from peers, though, you can do that setting 'dtls_accept_selfsigned' to
183 | # 'false' below: DO NOT TOUCH THAT IF YOU DO NOT KNOW WHAT YOU'RE DOING!
184 | # You can also configure the DTLS ciphers to offer: the default if not
185 | # set is "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK"
186 | # Finally, by default NIST P-256 certificates are generated (see #1997),
187 | # but RSA generation is still supported if you set 'rsa_private_key' to 'true'.
188 | certificates: {
189 | 	#cert_pem = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
190 | 	#cert_key = "/etc/ssl/private/ssl-cert-snakeoil.key"
191 | 	#cert_pwd = "secretpassphrase"
192 | 	#dtls_accept_selfsigned = false
193 | 	#dtls_ciphers = "your-desired-openssl-ciphers"
194 | 	#rsa_private_key = false
195 | }
196 | 
197 | # Media-related stuff: you can configure whether if you want to enable IPv6
198 | # support (and link-local IPs), the minimum size of the NACK queue (in ms,
199 | # defaults to 200ms) for retransmissions no matter the RTT, the range of
200 | # ports to use for RTP and RTCP (by default, no range is envisaged), the
201 | # starting MTU for DTLS (1200 by default, it adapts automatically),
202 | # how much time, in seconds, should pass with no media (audio or
203 | # video) being received before Janus notifies you about this (default=1s,
204 | # 0 disables these events entirely), how many lost packets should trigger a
205 | # 'slowlink' event to users (default=0, disabled), and how often, in milliseconds,
206 | # to send the Transport Wide Congestion Control feedback information back
207 | # to senders, if negotiated (default=200ms). Finally, if you're using BoringSSL
208 | # you can customize the frequency of retransmissions: OpenSSL has a fixed
209 | # value of 1 second (the default), while BoringSSL can override that. Notice
210 | # that lower values (e.g., 100ms) will typically get you faster connection
211 | # times, but may not work in case the RTT of the user is high: as such,
212 | # you should pick a reasonable trade-off (usually 2*max expected RTT).
213 | media: {
214 | 	#ipv6 = true
215 | 	#ipv6_linklocal = true
216 | 	#min_nack_queue = 500
217 | 	#rtp_port_range = "20000-40000"
218 | 	#dtls_mtu = 1200
219 | 	#no_media_timer = 1
220 | 	#slowlink_threshold = 4
221 | 	#twcc_period = 100
222 | 	#dtls_timeout = 500
223 | 
224 | 	# Janus can do some optimizations on the NACK queue, specifically when
225 | 	# keyframes are involved. Namely, you can configure Janus so that any
226 | 	# time a keyframe is sent to a user, the NACK buffer for that connection
227 | 	# is emptied. This allows Janus to ignore NACK requests for packets
228 | 	# sent shortly before the keyframe was sent, since it can be assumed
229 | 	# that the keyframe will restore a complete working image for the user
230 | 	# anyway (which is the main reason why video retransmissions are typically
231 | 	# required). While this optimization is known to work fine in most cases,
232 | 	# it can backfire in some edge cases, and so is disabled by default.
233 | 	#nack_optimizations = true
234 | 
235 | 	# If you need DSCP packet marking and prioritization, you can configure
236 | 	# the 'dscp' property to a specific values, and Janus will try to
237 | 	# set it on all outgoing packets using libnice. Normally, the specs
238 | 	# suggest to use different values depending on whether audio, video
239 | 	# or data are used, but since all PeerConnections in Janus are bundled,
240 | 	# we can only use one. You can refer to this document for more info:
241 | 	# https://tools.ietf.org/html/draft-ietf-tsvwg-rtcweb-qos-18#page-6
242 | 	# That said, DON'T TOUCH THIS IF YOU DON'T KNOW WHAT IT MEANS!
243 | 	#dscp = 46
244 | }
245 | 
246 | # NAT-related stuff: specifically, you can configure the STUN/TURN
247 | # servers to use to gather candidates if the gateway is behind a NAT,
248 | # and srflx/relay candidates are needed. In case STUN is not enough and
249 | # this is needed (it shouldn't), you can also configure Janus to use a
250 | # TURN server# please notice that this does NOT refer to TURN usage in
251 | # browsers, but in the gathering of relay candidates by Janus itself,
252 | # e.g., if you want to limit the ports used by a Janus instance on a
253 | # private machine. Furthermore, you can choose whether Janus should be
254 | # configured to do full-trickle (Janus also trickles its candidates to
255 | # users) rather than the default half-trickle (Janus supports trickle
256 | # candidates from users, but sends its own within the SDP), and whether
257 | # it should work in ICE-Lite mode (by default it doesn't). If libnice is
258 | # at least 0.1.15, you can choose which ICE nomination mode to use: valid
259 | # values are "regular" and "aggressive" (the default depends on the libnice
260 | # version itself; if we can set it, we set aggressive nomination). You can
261 | # also configure whether to use connectivity checks as keep-alives, which
262 | # might help detecting when a peer is no longer available (notice that
263 | # current libnice master is breaking connections after 50 seconds when
264 | # keepalive-conncheck is being used, so if you want to use it, better
265 | # sticking to 0.1.18 until the issue is addressed upstream). Finally,
266 | # you can also enable ICE-TCP support (beware that this may lead to problems
267 | # if you do not enable ICE Lite as well), choose which interfaces should
268 | # be used for gathering candidates, and enable or disable the
269 | # internal libnice debugging, if needed.
270 | nat: {
271 | 	stun_server = "<SIGNALING_COTURN_URL>" # HAND-EDIT
272 | 	stun_port = 5349 # HAND-EDIT PORT-EDIT (443)
273 | 	nice_debug = false
274 | 	full_trickle = true # HAND-EDIT
275 | 	#ice_nomination = "regular"
276 | 	#ice_keepalive_conncheck = true
277 | 	#ice_lite = true
278 | 	#ice_tcp = true
279 | 
280 | 	# By default Janus tries to resolve mDNS (.local) candidates: even
281 | 	# though this is now done asynchronously and shouldn't keep the API
282 | 	# busy, even in case mDNS resolution takes a long time to timeout,
283 | 	# you can choose to drop all .local candidates instead, which is
284 | 	# helpful in case you know clients will never be in the same private
285 | 	# network as the one the Janus instance is running from. Notice that
286 | 	# this will cause ICE to fail if mDNS is the only way to connect!
287 | 	#ignore_mdns = true
288 | 
289 | 	# In case you're deploying Janus on a server which is configured with
290 | 	# a 1:1 NAT (e.g., Amazon EC2), you might want to also specify the public
291 | 	# address of the machine using the setting below. This will result in
292 | 	# all host candidates (which normally have a private IP address) to
293 | 	# be rewritten with the public address provided in the settings. As
294 | 	# such, use the option with caution and only if you know what you're doing.
295 | 	# Make sure you keep ICE Lite disabled, though, as it's not strictly
296 | 	# speaking a publicly reachable server, and a NAT is still involved.
297 | 	# If you'd rather keep the private IP address in place, rather than
298 | 	# replacing it (and so have both of them as advertised candidates),
299 | 	# then set the 'keep_private_host' property to true.
300 | 	# Multiple public IP addresses can be specified as a comma separated list
301 | 	# if the Janus is deployed in a DMZ between two 1-1 NAT for internal and
302 | 	# external users.
303 | 	#nat_1_1_mapping = "1.2.3.4"
304 | 	#keep_private_host = true
305 | 
306 | 	# You can configure a TURN server in two different ways: specifying a
307 | 	# statically configured TURN server, and thus provide the address of the
308 | 	# TURN server, the transport (udp/tcp/tls) to use, and a set of valid
309 | 	# credentials to authenticate. Notice that you should NEVER configure
310 | 	# a TURN server for Janus unless it's really what you want! If you want
311 | 	# *users* to use TURN, then you need to configure that on the client
312 | 	# side, and NOT in Janus. The following TURN configuration should ONLY
313 | 	# be enabled when Janus itself is sitting behind a restrictive firewall
314 | 	# (e.g., it's part of a service installed on a box in a private home).
315 | 	#turn_server = "myturnserver.com"
316 | 	#turn_port = 3478
317 | 	#turn_type = "udp"
318 | 	#turn_user = "myuser"
319 | 	#turn_pwd = "mypassword"
320 | 
321 | 	# You can also make use of the TURN REST API to get info on one or more
322 | 	# TURN services dynamically. This makes use of the proposed standard of
323 | 	# such an API (https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00)
324 | 	# which is currently available in both rfc5766-turn-server and coturn.
325 | 	# You enable this by specifying the address of your TURN REST API backend,
326 | 	# the HTTP method to use (GET or POST) and, if required, the API key Janus
327 | 	# must provide. The timeout can be configured in seconds, with a default of
328 | 	# 10 seconds and a minimum of 1 second. Notice that the 'opaque_id' provided
329 | 	# via Janus API will be used as the username for a specific PeerConnection
330 | 	# by default; if that one is missing, the 'session_id' will be used as the
331 | 	# username instead.
332 | 	#turn_rest_api = "http://yourbackend.com/path/to/api"
333 | 	turn_rest_api_key = "<SIGNALING_JANUS_API_KEY>" # HAND-EDIT
334 | 	#turn_rest_api_method = "GET"
335 | 	#turn_rest_api_timeout = 10
336 | 
337 | 	# In case a TURN server is provided, you can allow applications to force
338 | 	# Janus to use TURN (https://github.com/meetecho/janus-gateway/pull/2774).
339 | 	# This is NOT allowed by default: only enable it if you know what you're doing.
340 | 	#allow_force_relay = true
341 | 
342 | 	# You can also choose which interfaces should be explicitly used by the
343 | 	# gateway for the purpose of ICE candidates gathering, thus excluding
344 | 	# others that may be available. To do so, use the 'ice_enforce_list'
345 | 	# setting and pass it a comma-separated list of interfaces or IP addresses
346 | 	# to enforce. This is especially useful if the server hosting the gateway
347 | 	# has several interfaces, and you only want a subset to be used. Any of
348 | 	# the following examples are valid:
349 | 	#     ice_enforce_list = "eth0"
350 | 	#     ice_enforce_list = "eth0,eth1"
351 | 	#     ice_enforce_list = "eth0,192.168."
352 | 	#     ice_enforce_list = "eth0,192.168.0.1"
353 | 	# By default, no interface is enforced, meaning Janus will try to use them all.
354 | 	#ice_enforce_list = "eth0"
355 | 
356 | 	# In case you don't want to specify specific interfaces to use, but would
357 | 	# rather tell Janus to use all the available interfaces except some that
358 | 	# you don't want to involve, you can also choose which interfaces or IP
359 | 	# addresses should be excluded and ignored by the gateway for the purpose
360 | 	# of ICE candidates gathering. To do so, use the 'ice_ignore_list' setting
361 | 	# and pass it a comma-separated list of interfaces or IP addresses to
362 | 	# ignore. This is especially useful if the server hosting the gateway
363 | 	# has several interfaces you already know will not be used or will simply
364 | 	# always slow down ICE (e.g., virtual interfaces created by VMware).
365 | 	# Partial strings are supported, which means that any of the following
366 | 	# examples are valid:
367 | 	#     ice_ignore_list = "vmnet8,192.168.0.1,10.0.0.1"
368 | 	#     ice_ignore_list = "vmnet,192.168."
369 | 	# Just beware that the ICE ignore list is not used if an enforce list
370 | 	# has been configured. By default, Janus ignores all interfaces whose
371 | 	# name starts with 'vmnet', to skip VMware interfaces:
372 | 	ice_ignore_list = "vmnet"
373 | 
374 | 	# In case you want to allow Janus to start even if the configured STUN or TURN
375 | 	# server is unreachable, you can set 'ignore_unreachable_ice_server' to true.
376 | 	# WARNING: We do not recommend to ignore reachability problems, particularly
377 | 	# if you run Janus in the cloud. Before enabling this flag, make sure your
378 | 	# system is correctly configured and Janus starts after the network layer of
379 | 	# your machine is ready. Note that Linux distributions offer such directives.
380 | 	# You could use the following directive in systemd: 'After=network-online.target'
381 | 	# https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Before=
382 | 	#ignore_unreachable_ice_server = true
383 | }
384 | 
385 | # You can choose which of the available plugins should be
386 | # enabled or not. Use the 'disable' directive to prevent Janus from
387 | # loading one or more plugins: use a comma separated list of plugin file
388 | # names to identify the plugins to disable. By default all available
389 | # plugins are enabled and loaded at startup.
390 | plugins: {
391 | 	#disable = "libjanus_voicemail.so,libjanus_recordplay.so"
392 | }
393 | 
394 | # You can choose which of the available transports should be enabled or
395 | # not. Use the 'disable' directive to prevent Janus from loading one
396 | # or more transport: use a comma separated list of transport file names
397 | # to identify the transports to disable. By default all available
398 | # transports are enabled and loaded at startup.
399 | transports: {
400 | 	#disable = "libjanus_rabbitmq.so"
401 | }
402 | 
403 | # As a core feature, Janus can log either on the standard output, or to
404 | # a local file. Should you need more advanced logging functionality, you
405 | # can make use of one of the custom loggers, or write one yourself. Use the
406 | # 'disable' directive to prevent Janus from loading one or more loggers:
407 | # use a comma separated list of logger file names to identify the loggers
408 | # to disable. By default all available loggers are enabled and loaded at startup.
409 | loggers: {
410 | 	#disable = "libjanus_jsonlog.so"
411 | }
412 | 
413 | # Event handlers allow you to receive live events from Janus happening
414 | # in core and/or plugins. Since this can require some more resources,
415 | # the feature is disabled by default. Setting broadcast to yes will
416 | # enable them. You can then choose which of the available event handlers
417 | # should be loaded or not. Use the 'disable' directive to prevent Janus
418 | # from loading one or more event handlers: use a comma separated list of
419 | # file names to identify the event handlers to disable. By default, if
420 | # broadcast is set to yes all available event handlers are enabled and
421 | # loaded at startup. Finally, you can choose how often media statistics
422 | # (packets sent/received, losses, etc.) should be sent: by default it's
423 | # once per second (audio and video statistics sent separately), but may
424 | # considered too verbose, or you may want to limit the number of events,
425 | # especially if you have many PeerConnections active. To change this,
426 | # just set 'stats_period' to the number of seconds that should pass in
427 | # between statistics for each handle. Setting it to 0 disables them (but
428 | # not other media-related events). By default Janus sends single media
429 | # statistic events per media (audio, video and simulcast layers as separate
430 | # events): if you'd rather receive a single containing all media stats in a
431 | # single array, set 'combine_media_stats' to true.
432 | events: {
433 | 	#broadcast = true
434 | 	#combine_media_stats = true
435 | 	#disable = "libjanus_sampleevh.so"
436 | 	#stats_period = 5
437 | }
438 | 


--------------------------------------------------------------------------------
/data/signaling/janus_powerpc64le.jcfg:
--------------------------------------------------------------------------------
  1 | # General configuration: folders where the configuration and the plugins
  2 | # can be found, how output should be logged, whether Janus should run as
  3 | # a daemon or in foreground, default interface to use, debug/logging level
  4 | # and, if needed, shared apisecret and/or token authentication mechanism
  5 | # between application(s) and Janus.
  6 | general: {
  7 | 	configs_folder = "/etc/janus"			# Configuration files folder
  8 | 	plugins_folder = "/usr/lib/powerpc64le-linux-gnu/janus/plugins"			# Plugins folder
  9 | 	transports_folder = "/usr/lib/powerpc64le-linux-gnu/janus/transports"	# Transports folder
 10 | 	events_folder = "/usr/lib/powerpc64le-linux-gnu/janus/events"			# Event handlers folder
 11 | 	loggers_folder = "/usr/lib/powerpc64le-linux-gnu/janus/loggers"			# External loggers folder
 12 | 
 13 | 		# The next settings configure logging
 14 | 	#log_to_stdout = false					# Whether the Janus output should be written
 15 | 											# to stdout or not (default=true)
 16 | 	log_to_file = "/var/log/janus.log"		# Whether to use a log file or not
 17 | 	debug_level = 4							# Debug/logging level, valid values are 0-7
 18 | 	debug_timestamps = true					# Whether to show a timestamp for each log line
 19 | 	#debug_colors = false					# Whether colors should be disabled in the log
 20 | 	#debug_locks = true						# Whether to enable debugging of locks (very verbose!)
 21 | 	#log_prefix = "[janus] "				# In case you want log lines to be prefixed by some
 22 | 											# custom text, you can use the 'log_prefix' property.
 23 | 											# It supports terminal colors, meaning something like
 24 | 											# "[\x1b[32mjanus\x1b[0m] " would show a green "janus"
 25 | 											# string in square brackets (assuming debug_colors=true).
 26 | 
 27 | 		# This is what you configure if you want to launch Janus as a daemon
 28 | 	#daemonize = true						# Whether Janus should run as a daemon
 29 | 											# or not (default=run in foreground)
 30 | 	#pid_file = "/path/to/janus.pid"		# PID file to create when Janus has been
 31 | 											# started, and to destroy at shutdown
 32 | 
 33 | 		# There are different ways you can authenticate the Janus and Admin APIs
 34 | 	#api_secret = "janusrocks"		# String that all Janus requests must contain
 35 | 									# to be accepted/authorized by the Janus core.
 36 | 									# Useful if you're wrapping all Janus API requests
 37 | 									# in your servers (that is, not in the browser,
 38 | 									# where you do the things your way) and you
 39 | 									# don't want other application to mess with
 40 | 									# this Janus instance.
 41 | 	#token_auth = true				# Enable a token based authentication
 42 | 									# mechanism to force users to always provide
 43 | 									# a valid token in all requests. Useful if
 44 | 									# you want to authenticate requests from web
 45 | 									# users.
 46 | 	#token_auth_secret = "janus"	# Use HMAC-SHA1 signed tokens (with token_auth). Note that
 47 | 									# without this, the Admin API MUST
 48 | 									# be enabled, as tokens are added and removed
 49 | 									# through messages sent there.
 50 | 	admin_secret = "janusoverlord"	# String that all Janus requests must contain
 51 | 									# to be accepted/authorized by the admin/monitor.
 52 | 									# only needed if you enabled the admin API
 53 | 									# in any of the available transports.
 54 | 
 55 | 		# Generic settings
 56 | 	#interface = "1.2.3.4"			# Interface to use (will be used in SDP)
 57 | 	#server_name = "MyJanusInstance"# Public name of this Janus instance
 58 | 									# as it will appear in an info request
 59 | 	#session_timeout = 60			# How long (in seconds) we should wait before
 60 | 									# deciding a Janus session has timed out. A
 61 | 									# session times out when no request is received
 62 | 									# for session_timeout seconds (default=60s).
 63 | 									# Setting this to 0 will disable the timeout
 64 | 									# mechanism, which is NOT suggested as it may
 65 | 									# risk having orphaned sessions (sessions not
 66 | 									# controlled by any transport and never freed).
 67 | 									# To avoid timeouts, keep-alives can be used.
 68 | 	#candidates_timeout = 45		# How long (in seconds) we should keep hold of
 69 | 									# pending (trickle) candidates before discarding
 70 | 									# them (default=45s). Notice that setting this
 71 | 									# to 0 will NOT disable the timeout, but will
 72 | 									# be considered an invalid value and ignored.
 73 | 	#reclaim_session_timeout = 0	# How long (in seconds) we should wait for a
 74 | 									# janus session to be reclaimed after the transport
 75 | 									# is gone. After the transport is gone, a session
 76 | 									# times out when no request is received for
 77 | 									# reclaim_session_timeout seconds (default=0s).
 78 | 									# Setting this to 0 will disable the timeout
 79 | 									# mechanism, and sessions will be destroyed immediately
 80 | 									# if the transport is gone.
 81 | 	#recordings_tmp_ext = "tmp"		# The extension for recordings, in Janus, is
 82 | 									# .mjr, a custom format we devised ourselves.
 83 | 									# By default, we save to .mjr directly. If you'd
 84 | 									# rather the recording filename have a temporary
 85 | 									# extension while it's being saved, and only
 86 | 									# have the .mjr extension when the recording
 87 | 									# is over (e.g., to automatically trigger some
 88 | 									# external scripts), then uncomment and set the
 89 | 									# recordings_tmp_ext property to the extension
 90 | 									# to add to the base (e.g., tmp --> .mjr.tmp).
 91 | 	#event_loops = 8				# By default, Janus handles each have their own
 92 | 									# event loop and related thread for all the media
 93 | 									# routing and management. If for some reason you'd
 94 | 									# rather limit the number of loop/threads, and
 95 | 									# you want handles to share those, you can do that
 96 | 									# configuring the event_loops property: this will
 97 | 									# spawn the specified amount of threads at startup,
 98 | 									# run a separate event loop on each of them, and
 99 | 									# add new handles to one of them when attaching.
100 | 									# Notice that, while cutting the number of threads
101 | 									# and possibly reducing context switching, this
102 | 									# might have an impact on the media delivery,
103 | 									# especially if the available loops can't take
104 | 									# care of all the handles and their media in time.
105 | 									# As such, if you want to use this you should
106 | 									# provision the correct value according to the
107 | 									# available resources (e.g., CPUs available).
108 | 	#allow_loop_indication = true	# In case a static number of event loops is
109 | 									# configured as explained above, by default
110 | 									# new handles will be allocated on one loop or
111 | 									# another by the Janus core itself. In some cases
112 | 									# it may be helpful to manually tell the Janus
113 | 									# core which loop a handle should be added to,
114 | 									# e.g., to group viewers of the same stream on
115 | 									# the same loop. This is possible via the Janus
116 | 									# API when performing the 'attach' request, but
117 | 									# only if allow_loop_indication is set to true;
118 | 									# it's set to false by default to avoid abuses.
119 | 									# Don't change if you don't know what you're doing!
120 | 	#opaqueid_in_api = true			# Opaque IDs set by applications are typically
121 | 									# only passed to event handlers for correlation
122 | 									# purposes, but not sent back to the user or
123 | 									# application in the related Janus API responses
124 | 									# or events; in case you need them to be in the
125 | 									# Janus API too, set this property to 'true'.
126 | 	#hide_dependencies = true		# By default, a call to the "info" endpoint of
127 | 									# either the Janus or Admin API now also returns
128 | 									# the versions of the main dependencies (e.g.,
129 | 									# libnice, libsrtp, which crypto library is in
130 | 									# use and so on). Should you want that info not
131 | 									# to be disclose, set 'hide_dependencies' to true.
132 | 	#exit_on_dl_error = false		# If a Janus shared libary cannot be loaded or an expected
133 | 									# symbol is not found, exit immediately.
134 | 
135 | 		# The following is ONLY useful when debugging RTP/RTCP packets,
136 | 		# e.g., to look at unencrypted live traffic with a browser. By
137 | 		# default it is obviously disabled, as WebRTC mandates encryption.
138 | 	#no_webrtc_encryption = true
139 | 
140 | 		# Janus provides ways via its API to specify custom paths to save
141 | 		# files to (e.g., recordings, pcap captures and the like). In order
142 | 		# to avoid people can mess with folders they're not supposed to,
143 | 		# you can configure an array of folders that Janus should prevent
144 | 		# creating files in. If the 'protected_folder' property below is
145 | 		# commented, no folder is protected.
146 | 		# Notice that at the moment this only covers attempts to start
147 | 		# an .mjr recording and pcap/text2pcap packet captures.
148 | 	protected_folders = [
149 | 		"/bin",
150 | 		"/boot",
151 | 		"/dev",
152 | 		"/etc",
153 | 		"/initrd",
154 | 		"/lib",
155 | 		"/lib32",
156 | 		"/lib64",
157 | 		"/proc",
158 | 		"/sbin",
159 | 		"/sys",
160 | 		"/usr",
161 | 		"/var",
162 | 			# We add what are usually the folders Janus is installed to
163 | 			# as well: we don't just put "/opt/janus" because that would
164 | 			# include folders like "/opt/janus/share" that is where
165 | 			# recordings might be saved to by some plugins
166 | 		"/opt/janus/bin",
167 | 		"/opt/janus/etc",
168 | 		"/opt/janus/include",
169 | 		"/opt/janus/lib",
170 | 		"/opt/janus/lib32",
171 | 		"/opt/janus/lib64",
172 | 		"/opt/janus/sbin"
173 | 	]
174 | }
175 | 
176 | # Certificate and key to use for DTLS (and passphrase if needed). If missing,
177 | # Janus will autogenerate a self-signed certificate to use. Notice that
178 | # self-signed certificates are fine for the purpose of WebRTC DTLS
179 | # connectivity, for the time being, at least until Identity Providers
180 | # are standardized and implemented in browsers. If for some reason you
181 | # want to enforce the DTLS stack in Janus to enforce valid certificates
182 | # from peers, though, you can do that setting 'dtls_accept_selfsigned' to
183 | # 'false' below: DO NOT TOUCH THAT IF YOU DO NOT KNOW WHAT YOU'RE DOING!
184 | # You can also configure the DTLS ciphers to offer: the default if not
185 | # set is "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK"
186 | # Finally, by default NIST P-256 certificates are generated (see #1997),
187 | # but RSA generation is still supported if you set 'rsa_private_key' to 'true'.
188 | certificates: {
189 | 	#cert_pem = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
190 | 	#cert_key = "/etc/ssl/private/ssl-cert-snakeoil.key"
191 | 	#cert_pwd = "secretpassphrase"
192 | 	#dtls_accept_selfsigned = false
193 | 	#dtls_ciphers = "your-desired-openssl-ciphers"
194 | 	#rsa_private_key = false
195 | }
196 | 
197 | # Media-related stuff: you can configure whether if you want to enable IPv6
198 | # support (and link-local IPs), the minimum size of the NACK queue (in ms,
199 | # defaults to 200ms) for retransmissions no matter the RTT, the range of
200 | # ports to use for RTP and RTCP (by default, no range is envisaged), the
201 | # starting MTU for DTLS (1200 by default, it adapts automatically),
202 | # how much time, in seconds, should pass with no media (audio or
203 | # video) being received before Janus notifies you about this (default=1s,
204 | # 0 disables these events entirely), how many lost packets should trigger a
205 | # 'slowlink' event to users (default=0, disabled), and how often, in milliseconds,
206 | # to send the Transport Wide Congestion Control feedback information back
207 | # to senders, if negotiated (default=200ms). Finally, if you're using BoringSSL
208 | # you can customize the frequency of retransmissions: OpenSSL has a fixed
209 | # value of 1 second (the default), while BoringSSL can override that. Notice
210 | # that lower values (e.g., 100ms) will typically get you faster connection
211 | # times, but may not work in case the RTT of the user is high: as such,
212 | # you should pick a reasonable trade-off (usually 2*max expected RTT).
213 | media: {
214 | 	#ipv6 = true
215 | 	#ipv6_linklocal = true
216 | 	#min_nack_queue = 500
217 | 	#rtp_port_range = "20000-40000"
218 | 	#dtls_mtu = 1200
219 | 	#no_media_timer = 1
220 | 	#slowlink_threshold = 4
221 | 	#twcc_period = 100
222 | 	#dtls_timeout = 500
223 | 
224 | 	# Janus can do some optimizations on the NACK queue, specifically when
225 | 	# keyframes are involved. Namely, you can configure Janus so that any
226 | 	# time a keyframe is sent to a user, the NACK buffer for that connection
227 | 	# is emptied. This allows Janus to ignore NACK requests for packets
228 | 	# sent shortly before the keyframe was sent, since it can be assumed
229 | 	# that the keyframe will restore a complete working image for the user
230 | 	# anyway (which is the main reason why video retransmissions are typically
231 | 	# required). While this optimization is known to work fine in most cases,
232 | 	# it can backfire in some edge cases, and so is disabled by default.
233 | 	#nack_optimizations = true
234 | 
235 | 	# If you need DSCP packet marking and prioritization, you can configure
236 | 	# the 'dscp' property to a specific values, and Janus will try to
237 | 	# set it on all outgoing packets using libnice. Normally, the specs
238 | 	# suggest to use different values depending on whether audio, video
239 | 	# or data are used, but since all PeerConnections in Janus are bundled,
240 | 	# we can only use one. You can refer to this document for more info:
241 | 	# https://tools.ietf.org/html/draft-ietf-tsvwg-rtcweb-qos-18#page-6
242 | 	# That said, DON'T TOUCH THIS IF YOU DON'T KNOW WHAT IT MEANS!
243 | 	#dscp = 46
244 | }
245 | 
246 | # NAT-related stuff: specifically, you can configure the STUN/TURN
247 | # servers to use to gather candidates if the gateway is behind a NAT,
248 | # and srflx/relay candidates are needed. In case STUN is not enough and
249 | # this is needed (it shouldn't), you can also configure Janus to use a
250 | # TURN server# please notice that this does NOT refer to TURN usage in
251 | # browsers, but in the gathering of relay candidates by Janus itself,
252 | # e.g., if you want to limit the ports used by a Janus instance on a
253 | # private machine. Furthermore, you can choose whether Janus should be
254 | # configured to do full-trickle (Janus also trickles its candidates to
255 | # users) rather than the default half-trickle (Janus supports trickle
256 | # candidates from users, but sends its own within the SDP), and whether
257 | # it should work in ICE-Lite mode (by default it doesn't). If libnice is
258 | # at least 0.1.15, you can choose which ICE nomination mode to use: valid
259 | # values are "regular" and "aggressive" (the default depends on the libnice
260 | # version itself; if we can set it, we set aggressive nomination). You can
261 | # also configure whether to use connectivity checks as keep-alives, which
262 | # might help detecting when a peer is no longer available (notice that
263 | # current libnice master is breaking connections after 50 seconds when
264 | # keepalive-conncheck is being used, so if you want to use it, better
265 | # sticking to 0.1.18 until the issue is addressed upstream). Finally,
266 | # you can also enable ICE-TCP support (beware that this may lead to problems
267 | # if you do not enable ICE Lite as well), choose which interfaces should
268 | # be used for gathering candidates, and enable or disable the
269 | # internal libnice debugging, if needed.
270 | nat: {
271 | 	stun_server = "<SIGNALING_COTURN_URL>" # HAND-EDIT
272 | 	stun_port = 5349 # HAND-EDIT PORT-EDIT (443)
273 | 	nice_debug = false
274 | 	full_trickle = true # HAND-EDIT
275 | 	#ice_nomination = "regular"
276 | 	#ice_keepalive_conncheck = true
277 | 	#ice_lite = true
278 | 	#ice_tcp = true
279 | 
280 | 	# By default Janus tries to resolve mDNS (.local) candidates: even
281 | 	# though this is now done asynchronously and shouldn't keep the API
282 | 	# busy, even in case mDNS resolution takes a long time to timeout,
283 | 	# you can choose to drop all .local candidates instead, which is
284 | 	# helpful in case you know clients will never be in the same private
285 | 	# network as the one the Janus instance is running from. Notice that
286 | 	# this will cause ICE to fail if mDNS is the only way to connect!
287 | 	#ignore_mdns = true
288 | 
289 | 	# In case you're deploying Janus on a server which is configured with
290 | 	# a 1:1 NAT (e.g., Amazon EC2), you might want to also specify the public
291 | 	# address of the machine using the setting below. This will result in
292 | 	# all host candidates (which normally have a private IP address) to
293 | 	# be rewritten with the public address provided in the settings. As
294 | 	# such, use the option with caution and only if you know what you're doing.
295 | 	# Make sure you keep ICE Lite disabled, though, as it's not strictly
296 | 	# speaking a publicly reachable server, and a NAT is still involved.
297 | 	# If you'd rather keep the private IP address in place, rather than
298 | 	# replacing it (and so have both of them as advertised candidates),
299 | 	# then set the 'keep_private_host' property to true.
300 | 	# Multiple public IP addresses can be specified as a comma separated list
301 | 	# if the Janus is deployed in a DMZ between two 1-1 NAT for internal and
302 | 	# external users.
303 | 	#nat_1_1_mapping = "1.2.3.4"
304 | 	#keep_private_host = true
305 | 
306 | 	# You can configure a TURN server in two different ways: specifying a
307 | 	# statically configured TURN server, and thus provide the address of the
308 | 	# TURN server, the transport (udp/tcp/tls) to use, and a set of valid
309 | 	# credentials to authenticate. Notice that you should NEVER configure
310 | 	# a TURN server for Janus unless it's really what you want! If you want
311 | 	# *users* to use TURN, then you need to configure that on the client
312 | 	# side, and NOT in Janus. The following TURN configuration should ONLY
313 | 	# be enabled when Janus itself is sitting behind a restrictive firewall
314 | 	# (e.g., it's part of a service installed on a box in a private home).
315 | 	#turn_server = "myturnserver.com"
316 | 	#turn_port = 3478
317 | 	#turn_type = "udp"
318 | 	#turn_user = "myuser"
319 | 	#turn_pwd = "mypassword"
320 | 
321 | 	# You can also make use of the TURN REST API to get info on one or more
322 | 	# TURN services dynamically. This makes use of the proposed standard of
323 | 	# such an API (https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00)
324 | 	# which is currently available in both rfc5766-turn-server and coturn.
325 | 	# You enable this by specifying the address of your TURN REST API backend,
326 | 	# the HTTP method to use (GET or POST) and, if required, the API key Janus
327 | 	# must provide. The timeout can be configured in seconds, with a default of
328 | 	# 10 seconds and a minimum of 1 second. Notice that the 'opaque_id' provided
329 | 	# via Janus API will be used as the username for a specific PeerConnection
330 | 	# by default; if that one is missing, the 'session_id' will be used as the
331 | 	# username instead.
332 | 	#turn_rest_api = "http://yourbackend.com/path/to/api"
333 | 	turn_rest_api_key = "<SIGNALING_JANUS_API_KEY>" # HAND-EDIT
334 | 	#turn_rest_api_method = "GET"
335 | 	#turn_rest_api_timeout = 10
336 | 
337 | 	# In case a TURN server is provided, you can allow applications to force
338 | 	# Janus to use TURN (https://github.com/meetecho/janus-gateway/pull/2774).
339 | 	# This is NOT allowed by default: only enable it if you know what you're doing.
340 | 	#allow_force_relay = true
341 | 
342 | 	# You can also choose which interfaces should be explicitly used by the
343 | 	# gateway for the purpose of ICE candidates gathering, thus excluding
344 | 	# others that may be available. To do so, use the 'ice_enforce_list'
345 | 	# setting and pass it a comma-separated list of interfaces or IP addresses
346 | 	# to enforce. This is especially useful if the server hosting the gateway
347 | 	# has several interfaces, and you only want a subset to be used. Any of
348 | 	# the following examples are valid:
349 | 	#     ice_enforce_list = "eth0"
350 | 	#     ice_enforce_list = "eth0,eth1"
351 | 	#     ice_enforce_list = "eth0,192.168."
352 | 	#     ice_enforce_list = "eth0,192.168.0.1"
353 | 	# By default, no interface is enforced, meaning Janus will try to use them all.
354 | 	#ice_enforce_list = "eth0"
355 | 
356 | 	# In case you don't want to specify specific interfaces to use, but would
357 | 	# rather tell Janus to use all the available interfaces except some that
358 | 	# you don't want to involve, you can also choose which interfaces or IP
359 | 	# addresses should be excluded and ignored by the gateway for the purpose
360 | 	# of ICE candidates gathering. To do so, use the 'ice_ignore_list' setting
361 | 	# and pass it a comma-separated list of interfaces or IP addresses to
362 | 	# ignore. This is especially useful if the server hosting the gateway
363 | 	# has several interfaces you already know will not be used or will simply
364 | 	# always slow down ICE (e.g., virtual interfaces created by VMware).
365 | 	# Partial strings are supported, which means that any of the following
366 | 	# examples are valid:
367 | 	#     ice_ignore_list = "vmnet8,192.168.0.1,10.0.0.1"
368 | 	#     ice_ignore_list = "vmnet,192.168."
369 | 	# Just beware that the ICE ignore list is not used if an enforce list
370 | 	# has been configured. By default, Janus ignores all interfaces whose
371 | 	# name starts with 'vmnet', to skip VMware interfaces:
372 | 	ice_ignore_list = "vmnet"
373 | 
374 | 	# In case you want to allow Janus to start even if the configured STUN or TURN
375 | 	# server is unreachable, you can set 'ignore_unreachable_ice_server' to true.
376 | 	# WARNING: We do not recommend to ignore reachability problems, particularly
377 | 	# if you run Janus in the cloud. Before enabling this flag, make sure your
378 | 	# system is correctly configured and Janus starts after the network layer of
379 | 	# your machine is ready. Note that Linux distributions offer such directives.
380 | 	# You could use the following directive in systemd: 'After=network-online.target'
381 | 	# https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Before=
382 | 	#ignore_unreachable_ice_server = true
383 | }
384 | 
385 | # You can choose which of the available plugins should be
386 | # enabled or not. Use the 'disable' directive to prevent Janus from
387 | # loading one or more plugins: use a comma separated list of plugin file
388 | # names to identify the plugins to disable. By default all available
389 | # plugins are enabled and loaded at startup.
390 | plugins: {
391 | 	#disable = "libjanus_voicemail.so,libjanus_recordplay.so"
392 | }
393 | 
394 | # You can choose which of the available transports should be enabled or
395 | # not. Use the 'disable' directive to prevent Janus from loading one
396 | # or more transport: use a comma separated list of transport file names
397 | # to identify the transports to disable. By default all available
398 | # transports are enabled and loaded at startup.
399 | transports: {
400 | 	#disable = "libjanus_rabbitmq.so"
401 | }
402 | 
403 | # As a core feature, Janus can log either on the standard output, or to
404 | # a local file. Should you need more advanced logging functionality, you
405 | # can make use of one of the custom loggers, or write one yourself. Use the
406 | # 'disable' directive to prevent Janus from loading one or more loggers:
407 | # use a comma separated list of logger file names to identify the loggers
408 | # to disable. By default all available loggers are enabled and loaded at startup.
409 | loggers: {
410 | 	#disable = "libjanus_jsonlog.so"
411 | }
412 | 
413 | # Event handlers allow you to receive live events from Janus happening
414 | # in core and/or plugins. Since this can require some more resources,
415 | # the feature is disabled by default. Setting broadcast to yes will
416 | # enable them. You can then choose which of the available event handlers
417 | # should be loaded or not. Use the 'disable' directive to prevent Janus
418 | # from loading one or more event handlers: use a comma separated list of
419 | # file names to identify the event handlers to disable. By default, if
420 | # broadcast is set to yes all available event handlers are enabled and
421 | # loaded at startup. Finally, you can choose how often media statistics
422 | # (packets sent/received, losses, etc.) should be sent: by default it's
423 | # once per second (audio and video statistics sent separately), but may
424 | # considered too verbose, or you may want to limit the number of events,
425 | # especially if you have many PeerConnections active. To change this,
426 | # just set 'stats_period' to the number of seconds that should pass in
427 | # between statistics for each handle. Setting it to 0 disables them (but
428 | # not other media-related events). By default Janus sends single media
429 | # statistic events per media (audio, video and simulcast layers as separate
430 | # events): if you'd rather receive a single containing all media stats in a
431 | # single array, set 'combine_media_stats' to true.
432 | events: {
433 | 	#broadcast = true
434 | 	#combine_media_stats = true
435 | 	#disable = "libjanus_sampleevh.so"
436 | 	#stats_period = 5
437 | }
438 | 


--------------------------------------------------------------------------------
/data/signaling/nats-server.conf:
--------------------------------------------------------------------------------
1 | listen: 127.0.0.1:4222
2 | 


--------------------------------------------------------------------------------
/data/signaling/nats-server.service:
--------------------------------------------------------------------------------
 1 | [Unit]
 2 | Description=NATS Server
 3 | After=network.target ntp.service
 4 | 
 5 | [Service]
 6 | PrivateTmp=true
 7 | Type=simple
 8 | ExecStart=/usr/local/bin/nats-server -c /etc/nats-server.conf
 9 | ExecReload=/bin/kill -s HUP $MAINPID
10 | ExecStop=/bin/kill -s SIGINT $MAINPID
11 | User=nats
12 | Group=nats
13 | 
14 | [Install]
15 | WantedBy=multi-user.target
16 | 


--------------------------------------------------------------------------------
/data/signaling/nextcloud-spreed-signaling.service:
--------------------------------------------------------------------------------
 1 | [Unit]
 2 | Description=Nextcloud Talk signaling server
 3 | 
 4 | [Service]
 5 | ExecStart=/usr/local/bin/nextcloud-spreed-signaling-server --config /etc/nextcloud-spreed-signaling/server.conf
 6 | User=_signaling
 7 | Group=_signaling
 8 | Restart=on-failure
 9 | 
10 | [Install]
11 | WantedBy=multi-user.target
12 | 


--------------------------------------------------------------------------------
/data/signaling/nginx-signaling-forwarding.conf:
--------------------------------------------------------------------------------
 1 | location /standalone-signaling/ {
 2 |     proxy_pass http://signaling/;
 3 |     proxy_http_version 1.1;
 4 |     proxy_set_header Host $host;
 5 |     proxy_set_header X-Real-IP $remote_addr;
 6 |     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 7 | }
 8 | 
 9 | location /standalone-signaling/spreed {
10 |     proxy_pass http://signaling/spreed;
11 |     proxy_http_version 1.1;
12 |     proxy_set_header Upgrade $http_upgrade;
13 |     proxy_set_header Connection "Upgrade";
14 |     proxy_set_header Host $host;
15 |     proxy_set_header X-Real-IP $remote_addr;
16 |     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
17 | }
18 | 


--------------------------------------------------------------------------------
/data/signaling/nginx-signaling-upstream-servers.conf:
--------------------------------------------------------------------------------
1 | upstream signaling {
2 |     server 127.0.0.1:8080;
3 | }
4 | 


--------------------------------------------------------------------------------
/data/signaling/signaling-server.conf:
--------------------------------------------------------------------------------
  1 | [http]
  2 | # IP and port to listen on for HTTP requests.
  3 | # Comment line to disable the listener.
  4 | listen = 127.0.0.1:8080
  5 | 
  6 | # HTTP socket read timeout in seconds.
  7 | #readtimeout = 15
  8 | 
  9 | # HTTP socket write timeout in seconds.
 10 | #writetimeout = 15
 11 | 
 12 | [https]
 13 | # IP and port to listen on for HTTPS requests.
 14 | # Comment line to disable the listener.
 15 | #listen = 127.0.0.1:8443
 16 | 
 17 | # HTTPS socket read timeout in seconds.
 18 | #readtimeout = 15
 19 | 
 20 | # HTTPS socket write timeout in seconds.
 21 | #writetimeout = 15
 22 | 
 23 | # Certificate / private key to use for the HTTPS server.
 24 | #certificate = /etc/nginx/ssl/server.crt # HAND-EDIT
 25 | #key = /etc/nginx/ssl/server.key
 26 | 
 27 | [app]
 28 | # Set to "true" to install pprof debug handlers.
 29 | # See "https://golang.org/pkg/net/http/pprof/" for further information.
 30 | debug = false
 31 | 
 32 | # Set to "true" to allow subscribing any streams. This is insecure and should
 33 | # only be enabled for testing. By default only streams of users in the same
 34 | # room and call can be subscribed.
 35 | #allowsubscribeany = false
 36 | 
 37 | [sessions]
 38 | # Secret value used to generate checksums of sessions. This should be a random
 39 | # string of 32 or 64 bytes.
 40 | hashkey = <SIGNALING_HASH_KEY> # HAND-EDIT
 41 | 
 42 | # Optional key for encrypting data in the sessions. Must be either 16, 24 or
 43 | # 32 bytes.
 44 | # If no key is specified, data will not be encrypted (not recommended).
 45 | blockkey = <SIGNALING_BLOCK_KEY> # HAND-EDIT
 46 | 
 47 | [clients]
 48 | # Shared secret for connections from internal clients. This must be the same
 49 | # value as configured in the respective internal services.
 50 | #internalsecret = 
 51 | 
 52 | [backend]
 53 | # Comma-separated list of backend ids from which clients are allowed to connect
 54 | # from. Each backend will have isolated rooms, i.e. clients connecting to room
 55 | # "abc12345" on backend 1 will be in a different room than clients connected to
 56 | # a room with the same name on backend 2. Also sessions connected from different
 57 | # backends will not be able to communicate with each other.
 58 | backends = <SIGNALING_BACKENDS> # HAND-EDIT
 59 | 
 60 | # Allow any hostname as backend endpoint. This is extremely insecure and should
 61 | # only be used while running the benchmark client against the server.
 62 | allowall = false
 63 | 
 64 | # Common shared secret for requests from and to the backend servers if
 65 | # "allowall" is enabled. This must be the same value as configured in the
 66 | # Nextcloud admin ui.
 67 | #secret = the-shared-secret
 68 | 
 69 | # Timeout in seconds for requests to the backend.
 70 | timeout = 10
 71 | 
 72 | # Maximum number of concurrent backend connections per host.
 73 | connectionsperhost = 8
 74 | 
 75 | # If set to "true", certificate validation of backend endpoints will be skipped.
 76 | # This should only be enabled during development, e.g. to work with self-signed
 77 | # certificates.
 78 | #skipverify = false
 79 | 
 80 | # Backend configurations as defined in the "[backend]" section above. The
 81 | # section names must match the ids used in "backends" above.
 82 | 
 83 | # --- OPTIONS FOR BACKENDS DOWN BELOW ---
 84 | # URL of the Nextcloud instance
 85 | #url = https://nc.example.org
 86 | 
 87 | # Shared secret for requests from and to the backend servers. This must be the
 88 | # same value as configured in the Nextcloud admin ui.
 89 | #secret = abc1234567890abc
 90 | 
 91 | # Limit the number of sessions that are allowed to connect to this backend.
 92 | # Omit or set to 0 to not limit the number of sessions.
 93 | #sessionlimit = 10
 94 | 
 95 | # The maximum bitrate per publishing stream (in bits per second).
 96 | # Defaults to the maximum bitrate configured for the proxy / MCU.
 97 | #maxstreambitrate = 1048576
 98 | 
 99 | # The maximum bitrate per screensharing stream (in bits per second).
100 | # Defaults to the maximum bitrate configured for the proxy / MCU.
101 | #maxscreenbitrate = 2097152
102 | # -----------------------------------------
103 | 
104 | <SIGNALING_BACKEND_DEFINITIONS>
105 | [nats]
106 | # Url of NATS backend to use. This can also be a list of URLs to connect to
107 | # multiple backends. For local development, this can be set to ":loopback:"
108 | # to process NATS messages internally instead of sending them through an
109 | # external NATS backend.
110 | url = nats://localhost:4222 # HAND-EDIT
111 | 
112 | [mcu]
113 | # The type of the MCU to use. Currently only "janus" and "proxy" are supported.
114 | # Leave empty to disable MCU functionality.
115 | type = janus # HAND-EDIT
116 | 
117 | # For type "janus": the URL to the websocket endpoint of the MCU server.
118 | # For type "proxy": a space-separated list of proxy URLs to connect to.
119 | url = ws://127.0.0.1:8188 # HAND-EDIT
120 | 
121 | # The maximum bitrate per publishing stream (in bits per second).
122 | # Defaults to 1 mbit/sec.
123 | # For type "proxy": will be capped to the maximum bitrate configured at the
124 | # proxy server that is used.
125 | #maxstreambitrate = 1048576
126 | 
127 | # The maximum bitrate per screensharing stream (in bits per second).
128 | # Default is 2 mbit/sec.
129 | # For type "proxy": will be capped to the maximum bitrate configured at the
130 | # proxy server that is used.
131 | #maxscreenbitrate = 2097152
132 | 
133 | # For type "proxy": timeout in seconds for requests to the proxy server.
134 | #proxytimeout = 2
135 | 
136 | # For type "proxy": type of URL configuration for proxy servers.
137 | # Defaults to "static".
138 | #
139 | # Possible values:
140 | # - static: A space-separated list of proxy URLs is given in the "url" option.
141 | # - etcd: Proxy URLs are retrieved from an etcd cluster (see below).
142 | #urltype = static
143 | 
144 | # If set to "true", certificate validation of proxy servers will be skipped.
145 | # This should only be enabled during development, e.g. to work with self-signed
146 | # certificates.
147 | #skipverify = false
148 | 
149 | # For type "proxy": the id of the token to use when connecting to proxy servers.
150 | #token_id = server1
151 | 
152 | # For type "proxy": the private key for the configured token id to use when
153 | # connecting to proxy servers.
154 | #token_key = privkey.pem
155 | 
156 | # For url type "etcd": Comma-separated list of static etcd endpoints to
157 | # connect to.
158 | #endpoints = 127.0.0.1:2379,127.0.0.1:22379,127.0.0.1:32379
159 | 
160 | # For url type "etcd": Options to perform endpoint discovery through DNS SRV.
161 | # Only used if no endpoints are configured manually.
162 | #discoverysrv = example.com
163 | #discoveryservice = foo
164 | 
165 | # For url type "etcd": Path to private key, client certificate and CA
166 | # certificate if TLS authentication should be used.
167 | #clientkey = /path/to/etcd-client.key
168 | #clientcert = /path/to/etcd-client.crt
169 | #cacert = /path/to/etcd-ca.crt
170 | 
171 | # For url type "etcd": Key prefix of MCU proxy entries. All keys below will be
172 | # watched and assumed to contain a JSON document. The entry "address" from this
173 | # document will be used as proxy URL, other contents in the document will be
174 | # ignored.
175 | #
176 | # Example:
177 | # "/signaling/proxy/server/one" -> {"address": "https://proxy1.domain.invalid"}
178 | # "/signaling/proxy/server/two" -> {"address": "https://proxy2.domain.invalid"}
179 | #keyprefix = /signaling/proxy/server
180 | 
181 | [turn]
182 | # API key that the MCU will need to send when requesting TURN credentials.
183 | apikey = <SIGNALING_JANUS_API_KEY> # HAND-EDIT
184 | 
185 | # The shared secret to use for generating TURN credentials. This must be the
186 | # same as on the TURN server.
187 | secret = <SIGNALING_TURN_STATIC_AUTH_SECRET> # HAND-EDIT
188 | 
189 | # A comma-separated list of TURN servers to use. Leave empty to disable the
190 | # TURN REST API.
191 | servers = turn:<SIGNALING_COTURN_URL>:9991?transport=udp,turn:<SIGNALING_COTURN_URL>:9991?transport=tcp
192 | 
193 | [geoip]
194 | # License key to use when downloading the MaxMind GeoIP database. You can
195 | # register an account at "https://www.maxmind.com/en/geolite2/signup" for
196 | # free. See "https://dev.maxmind.com/geoip/geoip2/geolite2/" for further
197 | # information.
198 | # Leave empty to disable GeoIP lookups.
199 | #license =
200 | 
201 | # Optional URL to download a MaxMind GeoIP database from. Will be generated if
202 | # "license" is provided above. Can be a "file://" url if a local file should
203 | # be used. Please note that the database must provide a country field when
204 | # looking up IP addresses.
205 | #url =
206 | 
207 | [geoip-overrides]
208 | # Optional overrides for GeoIP lookups. The key is an IP address / range, the
209 | # value the associated country code.
210 | #127.0.0.1 = DE
211 | #192.168.0.0/24 = DE
212 | 
213 | [continent-overrides]
214 | # Optional overrides for continent mappings. The key is a continent code, the
215 | # value a comma-separated list of continent codes to map the continent to.
216 | # Use European servers for clients in Africa.
217 | #AF = EU
218 | # Use servers in North Africa for clients in South America.
219 | #SA = NA
220 | 
221 | [stats]
222 | # Comma-separated list of IP addresses that are allowed to access the stats
223 | # endpoint. Leave empty (or commented) to only allow access from "127.0.0.1".
224 | #allowed_ips =
225 | 


--------------------------------------------------------------------------------
/data/unattended-upgrades/60unattended-upgrades-nextcloud-hpb-setup:
--------------------------------------------------------------------------------
 1 | Unattended-Upgrade::AutoFixInterruptedDpkg "true";
 2 | Unattended-Upgrade::MinimalSteps "true";
 3 | Unattended-Upgrade::Mail "root";
 4 | Unattended-Upgrade::MailReport "on-change";
 5 | Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
 6 | Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
 7 | Unattended-Upgrade::Remove-Unused-Dependencies "true";
 8 | Unattended-Upgrade::Automatic-Reboot "true";
 9 | Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
10 | Unattended-Upgrade::Automatic-Reboot-Time "05:00";
11 | # Don't erase generated configuration files
12 | # if there is a new version available
13 | Dpkg::Options {"--force-confold"};
14 | 
15 | <UNATTENDED_UPGRADES_ENABLE_COLLABORA_UPGRADES>
16 | 


--------------------------------------------------------------------------------
/settings.sh:
--------------------------------------------------------------------------------
 1 | # !!! Be careful, this script will be executed by the root user. !!!
 2 | 
 3 | # Please have a look at this Wiki page for this file:
 4 | # NOTE: It's in german.
 5 | # https://github.com/sunweaver/nextcloud-high-performance-backend-setup/wiki/02-Setup-Script
 6 | 
 7 | # Dry run (Don't actually alter anything on the system. (except in $TMP_DIR_PATH))
 8 | # Leave empty, if you wish that the user will be asked about this.
 9 | DRY_RUN=false
10 | 
11 | # Should the script try to install the high-performance-backend server
12 | # without any user input?
13 | UNATTENDED_INSTALL=false
14 | 
15 | # General settings
16 | # Leave empty, if you wish that the user will be asked about this.
17 | # You can also specify multiple Nextcloud servers by separating them with commas.
18 | #NEXTCLOUD_SERVER_FQDNS="nextcloud.example.org"
19 | # Leave empty, if you wish that the user will be asked about this.
20 | #SERVER_FQDN="nc-workhorse.example.org"
21 | 
22 | # Only modify if you know what you're doing.
23 | #SSL_CERT_PATH_RSA=""
24 | #SSL_CERT_KEY_PATH_RSA=""
25 | #SSL_CHAIN_PATH_RSA=""
26 | #SSL_CERT_PATH_ECDSA=""
27 | #SSL_CERT_KEY_PATH_ECDSA=""
28 | #SSL_CHAIN_PATH_ECDSA=""
29 | #DHPARAM_PATH=""
30 | 
31 | # Collabora (Gets asked anyway, except unattended install.)
32 | SHOULD_INSTALL_COLLABORA=true
33 | 
34 | # Signaling (Gets asked anyway, except unattended install.)
35 | SHOULD_INSTALL_SIGNALING=true
36 | 
37 | SHOULD_INSTALL_UFW=true
38 | SHOULD_INSTALL_NGINX=true
39 | SHOULD_INSTALL_CERTBOT=true
40 | SHOULD_INSTALL_UNATTENDEDUPGRADES=true
41 | SHOULD_INSTALL_MSMTP=true
42 | 
43 | # Logfile get created if UNATTENDED_INSTALL is true.
44 | # Leave empty, if you wish that the user will be asked about this.
45 | LOGFILE_PATH="./setup-nextcloud-hpb-$(date +%Y-%m-%dT%H:%M:%SZ).log"
46 | 
47 | # Configuration gets copied and prepared here before copying them into place.
48 | # This prevents config being broken if something goes wrong.
49 | # Leave empty, if you wish that the user will be asked about this.
50 | TMP_DIR_PATH="./tmp"
51 | 
52 | # Secrets, passwords and configuration gets saved in this file.
53 | # Leave empty, if you wish that the user will be asked about this.
54 | SECRETS_FILE_PATH=""
55 | 
56 | # This email address gets passed on to the services the user whiches to install.
57 | # The services (like Certbot) can send email notification for important info.
58 | # Leave empty, if you wish that the user will be asked about this.
59 | EMAIL_USER_ADDRESS=""
60 | # The password for the address above. Used to authenticate to the SMTP server.
61 | EMAIL_USER_PASSWORD=""
62 | # The username to authencicate with. Most likely it will be just the full email
63 | # address. But there are email hoster which require a different username.
64 | EMAIL_USER_USERNAME=""
65 | # The SMTP server to send the emails to.
66 | EMAIL_SERVER_HOST=""
67 | # The port on which we will try to connect to the SMTP server.
68 | #EMAIL_SERVER_PORT="25"
69 | #EMAIL_SERVER_PORT="587"
70 | 
71 | # Should the ssh service be disabled?
72 | #DISABLE_SSH_SERVER=false
73 | 
74 | # Should nextcloud-spreed-signaling, nats-server and coturn be built and
75 | # installed from sources?
76 | SIGNALING_BUILD_FROM_SOURCES=""
77 | 
78 | # DNS Resolver. Here a custom DNS server can be specified,
79 | # otherwise the one configured in resolv.conf is used
80 | DNS_RESOLVER=""
81 | 


--------------------------------------------------------------------------------
/src/setup-certbot.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | 
  3 | # Warning: recursive function
  4 | # $1 can enable staging certificates arguments for certbot if $1 = "true".
  5 | function run_certbot_command() {
  6 | 	arg_dry_run=""
  7 | 	if is_dry_run; then
  8 | 		arg_dry_run="--dry-run"
  9 | 	fi
 10 | 
 11 | 	arg_interactive=""
 12 | 	if [ "$UNATTENDED_INSTALL" == true ]; then
 13 | 		arg_interactive="--non-interactive --agree-tos"
 14 | 	else
 15 | 		arg_interactive="--force-interactive $CERTBOT_AGREE_TOS"
 16 | 	fi
 17 | 
 18 | 	arg_staging=""
 19 | 	if [ "$1" == "true" ]; then
 20 | 		arg_staging="--staging --break-my-certs"
 21 | 	fi
 22 | 
 23 | 	error_message_ratelimited=$(echo -e "You have issued too many certificates already $(
 24 | 	)in the last 168 hours. You have to wait before you can issue another certificate.\n$(
 25 | 	)Please see https://letsencrypt.org/docs/duplicate-certificate-limit/")
 26 | 
 27 | 	error_message_ratelimited_extra=$(echo -e "\nIf you are currently testing: $(
 28 | 	)Do you want to enable testing certificates?\n\n$(
 29 | 	)PROCEED WITH CAUTION! You will break your current SSL certificates if you $(
 30 | 	)choose to enable testing certificates.")
 31 | 
 32 | 	error_title_ratelimited="LetsEncrypt rate limit reached!"
 33 | 
 34 | 	# RSA certificate
 35 | 	certbot_args=(certonly --nginx $arg_staging $arg_interactive $arg_dry_run
 36 | 		--key-path "$SSL_CERT_KEY_PATH_RSA" --domains "$SERVER_FQDN"
 37 | 		--fullchain-path "$SSL_CERT_PATH_RSA" --email "$EMAIL_USER_ADDRESS"
 38 | 		--rsa-key-size 4096 --cert-name "$SERVER_FQDN"-rsa
 39 | 		--chain-path "$SSL_CHAIN_PATH_RSA")
 40 | 
 41 | 	log "Executing Certbot using arguments: '${certbot_args[@]}'…"
 42 | 
 43 | 	if ! certbot "${certbot_args[@]}" |& tee -a $LOGFILE_PATH; then
 44 | 		# Checking if Certbot reported rate limit error
 45 | 		# Let the user decide if they want staging certificates (for testing
 46 | 		# purposes for example).
 47 | 		error_ratelimited="$(tail $LOGFILE_PATH | grep 'too many certificates (5) already issued for this exact set of domains in the last 168 hours')"
 48 | 		if [ -n "$error_ratelimited" ]; then
 49 | 			if [ "$UNATTENDED_INSTALL" != true ]; then
 50 | 				if whiptail --title "$error_title_ratelimited" --defaultno \
 51 | 					--yesno "$error_message_ratelimited $error_message_ratelimited_extra" 16 65 3>&1 1>&2 2>&3; then
 52 | 					# Recursively call this function
 53 | 					run_certbot_command "true"
 54 | 					return 0
 55 | 				fi
 56 | 			else
 57 | 				log "$error_message_ratelimited"
 58 | 			fi
 59 | 		fi
 60 | 
 61 | 		return 1
 62 | 	fi
 63 | 
 64 | 	# ECDSA certificate
 65 | 	certbot_args=(certonly --nginx $arg_staging $arg_interactive $arg_dry_run
 66 | 		--key-path "$SSL_CERT_KEY_PATH_ECDSA" --domains "$SERVER_FQDN"
 67 | 		--fullchain-path "$SSL_CERT_PATH_ECDSA" --email "$EMAIL_USER_ADDRESS"
 68 | 		--key-type ecdsa --cert-name "$SERVER_FQDN"-ecdsa
 69 | 		--chain-path "$SSL_CHAIN_PATH_ECDSA")
 70 | 
 71 | 	log "Executing Certbot using arguments: '${certbot_args[@]}'…"
 72 | 
 73 | 	if ! certbot "${certbot_args[@]}" |& tee -a $LOGFILE_PATH; then
 74 | 		# Checking if Certbot reported rate limit error
 75 | 		# Let the user decide if they want staging certificates (for testing
 76 | 		# purposes for example).
 77 | 		error_ratelimited="$(tail $LOGFILE_PATH | grep 'too many certificates (5) already issued for this exact set of domains in the last 168 hours')"
 78 | 		if [ -n "$error_ratelimited" ]; then
 79 | 			if [ "$UNATTENDED_INSTALL" != true ]; then
 80 | 				if whiptail --title "$error_title_ratelimited" --defaultno \
 81 | 					--yesno "$error_message_ratelimited $error_message_ratelimited_extra" 16 65 3>&1 1>&2 2>&3; then
 82 | 					# Recursively call this function
 83 | 					run_certbot_command "true"
 84 | 					return 0
 85 | 				fi
 86 | 			else
 87 | 				log "$error_message_ratelimited"
 88 | 			fi
 89 | 		fi
 90 | 
 91 | 		return 1
 92 | 	fi
 93 | 
 94 | 	# Force renewal of certificates
 95 | 	certbot_args=(renew --force-renewal $arg_staging $arg_interactive $arg_dry_run)
 96 | 
 97 | 	log "Executing Certbot using arguments: '${certbot_args[@]}'…"
 98 | 
 99 | 	if certbot "${certbot_args[@]}" |& tee -a $LOGFILE_PATH; then
100 | 		return 0
101 | 	else
102 | 		# Checking if Certbot reported rate limit error
103 | 		# Let the user decide if they want staging certificates (for testing
104 | 		# purposes for example).
105 | 		error_ratelimited="$(tail $LOGFILE_PATH | grep 'too many certificates (5) already issued for this exact set of domains in the last 168 hours')"
106 | 		if [ -n "$error_ratelimited" ]; then
107 | 			if [ "$UNATTENDED_INSTALL" != true ]; then
108 | 				if whiptail --title "$error_title_ratelimited" --defaultno \
109 | 					--yesno "$error_message_ratelimited $error_message_ratelimited_extra" 16 65 3>&1 1>&2 2>&3; then
110 | 					# Recursively call this function
111 | 					run_certbot_command "true"
112 | 					return 0
113 | 				fi
114 | 			else
115 | 				log "$error_message_ratelimited"
116 | 			fi
117 | 		fi
118 | 	fi
119 | }
120 | 
121 | function install_certbot() {
122 | 	log "Installing Certbot…"
123 | 
124 | 	certbot_step1
125 | 	certbot_step2
126 | 
127 | 	log "Certbot install completed."
128 | }
129 | 
130 | function certbot_step1() {
131 | 	log "\nStep 1: Installing Certbot packages"
132 | 	packages_to_install=(python3-certbot-nginx certbot ssl-cert)
133 | 	if ! is_dry_run; then
134 | 		if [ "$UNATTENDED_INSTALL" == true ]; then
135 | 			log "Trying unattended install for Certbot."
136 | 			export DEBIAN_FRONTEND=noninteractive
137 | 			apt-get install -qqy "${packages_to_install[@]}" 2>&1 | tee -a $LOGFILE_PATH
138 | 		else
139 | 			apt-get install -y "${packages_to_install[@]}" 2>&1 | tee -a $LOGFILE_PATH
140 | 		fi
141 | 	else
142 | 		log "Would have installed '${packages_to_install[@]}' via APT now."
143 | 	fi
144 | }
145 | 
146 | function certbot_step2() {
147 | 	log "\nStep 2: Configuring Certbot"
148 | 
149 | 	generate_dhparam_file
150 | 
151 | 	if ! run_certbot_command && ! is_dry_run; then
152 | 		log "Something wen't wrong while starting Certbot."
153 | 
154 | 		if [ "$UNATTENDED_INSTALL" != true ]; then
155 | 			log "Maybe the error is in the nextcloud-hpb.conf" \
156 | 				"file (please read the error message above).\n"
157 | 			read -p "Do you wish to delete this file:$(
158 | 			)'/etc/nginx/sites-enabled/nextcloud-hbp.conf'? [YyNn]" -n 1 -r && echo
159 | 			if [[ $REPLY =~ ^[YyJj]$ ]]; then
160 | 				rm -v "/etc/nginx/sites-enabled/nextcloud-hpb.conf" |& tee -a $LOGFILE_PATH || true
161 | 				log "File got deleted. Please try again now."
162 | 			fi
163 | 		fi
164 | 
165 | 		exit 1
166 | 	fi
167 | 
168 | 	log "Making SSL certificates available for 'ssl-cert' group."
169 | 	is_dry_run || chmod 2750 /etc/letsencrypt/archive
170 | 	is_dry_run || chmod 2750 /etc/letsencrypt/live
171 | 	is_dry_run || find /etc/letsencrypt/archive -type d -exec chmod 2750 {} +
172 | 	is_dry_run || find /etc/letsencrypt/live -type d -exec chmod 2750 {} +
173 | 	is_dry_run || chown -R :ssl-cert /etc/letsencrypt/archive
174 | 	is_dry_run || chown -R :ssl-cert /etc/letsencrypt/live
175 | 	is_dry_run || find /etc/letsencrypt/archive -name "privkey*.pem" -exec chmod 640 {} +
176 | 
177 | 	deploy_file "$TMP_DIR_PATH"/certbot/deploy-hook-certbot.sh /etc/letsencrypt/renewal-hooks/deploy/deploy-hook-certbot.sh || true
178 | 	is_dry_run || chmod 750 /etc/letsencrypt/renewal-hooks/deploy/deploy-hook-certbot.sh
179 | }
180 | 
181 | # arg: $1 is secret file path
182 | function certbot_write_secrets_to_file() {
183 | 	# No secrets, passwords, keys or something to worry about.
184 | 	if is_dry_run; then
185 | 		return 0
186 | 	fi
187 | 
188 | 	echo -e "=== Certbot ===" >>$1
189 | 	echo -e "Notifications regarding SSL certificates get sent to:" >>$1
190 | 	echo -e " - '$EMAIL_USER_ADDRESS'" >>$1
191 | }
192 | 
193 | function certbot_print_info() {
194 | 	log "SSL certificate we're installed successfully and get refreshed" \
195 | 		"\nautomatically by Certbot."
196 | 	log "Notifications regarding SSL-Certificates get sent to:"
197 | 	log " - '$EMAIL_USER_ADDRESS'"
198 | }
199 | 


--------------------------------------------------------------------------------
/src/setup-collabora.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | 
  3 | # Collabora Online server
  4 | # https://github.com/CollaboraOnline/online
  5 | # https://www.collaboraoffice.com/code/linux-packages/
  6 | 
  7 | COLLABORA_KEYRING_URL="https://collaboraoffice.com/downloads/gpg/collaboraonline-release-keyring.gpg"
  8 | COLLABORA_KEYRING_DIR="/usr/share/keyrings"
  9 | COLLABORA_KEYRING_FILE="$COLLABORA_KEYRING_DIR/collaboraonline-release-keyring.gpg"
 10 | 
 11 | COLLABORA_SOURCES_FILE="/etc/apt/sources.list.d/collaboraonline.sources"
 12 | 
 13 | function install_collabora() {
 14 | 	log "Installing Collabora…"
 15 | 
 16 | 	collabora_step1
 17 | 	collabora_step2
 18 | 	collabora_step3
 19 | 	collabora_step4
 20 | 	collabora_step5
 21 | 
 22 | 	log "Collabora install completed."
 23 | }
 24 | 
 25 | function collabora_step1() {
 26 | 	# 1. Import the signing key
 27 | 	log "\nStep 1: Import the signing key"
 28 | 
 29 | 	cd $COLLABORA_KEYRING_DIR
 30 | 	is_dry_run || wget "$COLLABORA_KEYRING_URL" || exit 1
 31 | 	cd -
 32 | }
 33 | 
 34 | function collabora_step2() {
 35 | 	# 2. Add CODE package repositories
 36 | 	log "\nStep 2: Add CODE package repositories"
 37 | 
 38 | 	COLLABORA_REPO_URL="https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-deb"
 39 | 
 40 | 	log "Installing Collabora APT-Repo URL: '$COLLABORA_REPO_URL'…"
 41 | 	is_dry_run || cat <<EOF >$COLLABORA_SOURCES_FILE
 42 | Types: deb
 43 | URIs: $COLLABORA_REPO_URL
 44 | Suites: ./
 45 | Signed-By: $COLLABORA_KEYRING_FILE
 46 | EOF
 47 | }
 48 | 
 49 | function collabora_step3() {
 50 | 	# 3. Install packages
 51 | 	log "\nStep 3: Install packages"
 52 | 
 53 | 	# Installing:
 54 | 	#   - coolwsd
 55 | 	#   - code-brand
 56 | 	#   - some dictionaries, German, English, French, Spanish, Dutch
 57 | 	#   - Microsoft fonts.
 58 | 	if ! is_dry_run; then
 59 | 		if [ "$UNATTENDED_INSTALL" == true ]; then
 60 | 			log "Trying unattended install for Collabora."
 61 | 			export DEBIAN_FRONTEND=noninteractive
 62 | 			args_apt="-qqy"
 63 | 		else
 64 | 			args_apt="-y"
 65 | 		fi
 66 | 
 67 | 		apt-get install "$args_apt" \
 68 | 			software-properties-common \
 69 | 			2>&1 | tee -a $LOGFILE_PATH
 70 | 
 71 | 		apt-add-repository -y contrib \
 72 | 			2>&1 | tee -a $LOGFILE_PATH
 73 | 
 74 | 		is_dry_run || apt update 2>&1 | tee -a $LOGFILE_PATH
 75 | 
 76 | 		apt-get install "$args_apt" \
 77 | 			ttf-mscorefonts-installer \
 78 | 			2>&1 | tee -a $LOGFILE_PATH
 79 | 
 80 | 		apt-get install "$args_apt" \
 81 | 			coolwsd code-brand collaboraoffice-dict-en \
 82 | 			collaboraofficebasis-de collaboraoffice-dict-de \
 83 | 			collaboraofficebasis-fr collaboraoffice-dict-fr \
 84 | 			collaboraofficebasis-nl collaboraoffice-dict-nl \
 85 | 			collaboraofficebasis-es collaboraoffice-dict-es \
 86 | 			2>&1 | tee -a $LOGFILE_PATH
 87 | 	fi
 88 | }
 89 | 
 90 | function collabora_step4() {
 91 | 	# 4. Prepare configuration
 92 | 	log "\nStep 4: Prepare configuration"
 93 | 
 94 | 	for NC_SERVER in "${NEXTCLOUD_SERVER_FQDNS[@]}"; do
 95 | 		IFS= read -r -d '' COLLABORA_HOST_DEFINITION <<EOF || true
 96 | 				<group>
 97 | 					<host desc="hostname to allow or deny." allow="true">https://$NC_SERVER:443</host>
 98 | 				</group>
 99 | EOF
100 | 
101 | 		# Escape newlines for sed later on.
102 | 		COLLABORA_HOST_DEFINITION=$(echo "$COLLABORA_HOST_DEFINITION" | sed -z 's|\n|\\n|g')
103 | 		COLLABORA_HOST_DEFINITIONS+=("$COLLABORA_HOST_DEFINITION")
104 | 	done
105 | 
106 | 	IFS= # Avoid whitespace between definitions.
107 | 	log "Replacing '<COLLABORA_HOST_DEFINITIONS>' with:\n${COLLABORA_HOST_DEFINITIONS[*]}"
108 | 	sed -ri "s|<COLLABORA_HOST_DEFINITIONS>|${COLLABORA_HOST_DEFINITIONS[*]}|g" "$TMP_DIR_PATH"/collabora/*
109 | 	unset IFS
110 | 
111 | 	for NC_SERVER in "${NEXTCLOUD_SERVER_FQDNS[@]}"; do
112 | 		IFS= read -r -d '' COLLABORA_REMOTE_FONT_CONFIG <<EOF || true
113 | 				<url desc="URL of optional JSON file that lists fonts to be included in Online" type="string" default="">https://$NC_SERVER/apps/richdocuments/settings/fonts.json</url>
114 | EOF
115 | 
116 | 		# Escape newlines for sed later on.
117 | 		COLLABORA_REMOTE_FONT_CONFIG=$(echo "$COLLABORA_REMOTE_FONT_CONFIG" | sed -z 's|\n|\\n|g')
118 | 		COLLABORA_REMOTE_FONT_CONFIGS+=("$COLLABORA_REMOTE_FONT_CONFIG")
119 | 	done
120 | 
121 | 	IFS= # Avoid whitespace between definitions.
122 | 	log "Replacing '<COLLABORA_REMOTE_FONT_CONFIGS>' with:\n${COLLABORA_REMOTE_FONT_CONFIGS[*]}"
123 | 	sed -ri "s|<COLLABORA_REMOTE_FONT_CONFIGS>|${COLLABORA_REMOTE_FONT_CONFIGS[*]}|g" "$TMP_DIR_PATH"/collabora/*
124 | 	unset IFS
125 | }
126 | 
127 | function collabora_step5() {
128 | 	# 5. Deploy configuration
129 | 	log "\nStep 5: Deploy configuration"
130 | 
131 | 	deploy_file "$TMP_DIR_PATH"/collabora/snippet-coolwsd.conf /etc/nginx/snippets/coolwsd.conf || true
132 | 	deploy_file "$TMP_DIR_PATH"/collabora/coolwsd.xml /etc/coolwsd/coolwsd.xml || true
133 | }
134 | 
135 | # arg: $1 is secret file path
136 | function collabora_write_secrets_to_file() {
137 | 	if is_dry_run; then
138 | 		return 0
139 | 	fi
140 | 
141 | 	conf_path="/etc/coolwsd/coolwsd.xml"
142 | 	echo -e "=== Collabora ===" >>$1
143 | 	echo -e "Coolwsd.xml configuration file: $conf_path" >>$1
144 | }
145 | 
146 | function collabora_print_info() {
147 | 	collabora_address="https://$SERVER_FQDN/collabora"
148 | 
149 | 	log "The Collabora Online service got installed. To set it up," \
150 | 		"\nlog into all of your Nextcloud instances with an adminstrator" \
151 | 		"account.\n$(printf '\t- https://%s\n' "${NEXTCLOUD_SERVER_FQDNS[@]}")" \
152 | 		"\nThen install the Nextcloud Office app and navigate to" \
153 | 		"\nSettings -> Administration -> Nextcloud Office." \
154 | 		"\nNow select 'Use your own server' and type in '$collabora_address'." \
155 | 		"\nPlease note that you need to have a working HTTPS setup on your" \
156 | 		"\nNextcloud server in order to get Nextcloud Office working."
157 | }
158 | 


--------------------------------------------------------------------------------
/src/setup-msmtp.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | 
  3 | function msmtp_do_preseed() {
  4 |     pkg="$1"
  5 |     template="$2"
  6 |     type="$3"
  7 |     value="$4"
  8 |     is_dry_run ||
  9 |         echo $pkg $template $type "$value" | debconf-set-selections ||
 10 |             log "Failed to preseed '$template'"
 11 | }
 12 | 
 13 | function install_msmtp() {
 14 |     log "Checking requirements for msmtp…"
 15 | 
 16 |     local show_error=""
 17 |     if [[ -z "$EMAIL_USER_ADDRESS" ]]; then
 18 |         show_error="The email address (EMAIL_USER_ADDRESS) is missing."
 19 |         # show_error="Es fehlt die E-Mail Adresse (EMAIL_USER_ADDRESS)."
 20 |     fi
 21 | 
 22 |     if [[ -z "$EMAIL_USER_USERNAME" ]]; then
 23 |         show_error="The email username (EMAIL_USER_USERNAME) is missing."
 24 |         # show_error="Es fehlt der E-Mail Benutzername (EMAIL_USER_USERNAME)."
 25 |     fi
 26 | 
 27 |     if [[ -z "$EMAIL_USER_PASSWORD" ]]; then
 28 |         show_error="The email password (EMAIL_USER_PASSWORD) is missing."
 29 |         # show_error="Es fehlt das E-Mail Passwort (EMAIL_USER_PASSWORD)."
 30 |     fi
 31 | 
 32 |     if [[ -z "$EMAIL_SERVER_HOST" ]]; then
 33 |         show_error="The email server address (EMAIL_SERVER_HOST) is missing."
 34 |         # show_error="Es fehlt die E-Mail-Server Adresse (EMAIL_SERVER_HOST)."
 35 |     fi
 36 | 
 37 |     if [[ -z "$EMAIL_SERVER_PORT" ]]; then
 38 |         show_error="The email server port (EMAIL_SERVER_PORT) is missing."
 39 |         # show_error="Es fehlt der E-Mail-Server Port (EMAIL_SERVER_PORT)."
 40 |     fi
 41 | 
 42 |     if [[ -n "${show_error}" ]]; then
 43 |         dialog_text=$(echo -e "Couldn't install MSMTP.\n$(
 44 |         )${show_error}\n\n$(
 45 |         )Should the nextcloud high-performance-backend setup\n$(
 46 |         )continue without the installation of 'msmtp'?\n\n$(
 47 |         )NOTE: You can run this script again, but you'll have\n$(
 48 |         )to re-enter your data again.")
 49 | 
 50 |         # dialog_text=$(echo -e "Kann MSMTP nicht installieren.\n$(
 51 |         # )${show_error}\n\n$(
 52 |         # )Soll das Nextcloud High-Performance-Backend Setup-Skript\n$(
 53 |         # )ohne die Installation von 'msmtp' fortgesetzt werden?\n\n$(
 54 |         # )Achtung: Sie müssen, wenn Sie jetzt das Setup abbrechen,\n$(
 55 |         # )Ihre Daten erneut eingeben.")
 56 | 
 57 |         if [ "$UNATTENDED_INSTALL" != true ]; then
 58 |             if whiptail --title "MSMTP configuration fail!" \
 59 |                 --yesno "$dialog_text" \
 60 |                 15 65 --defaultno; then
 61 |                 return
 62 |             fi
 63 |         else
 64 |             log "$dialog_text"
 65 |             return
 66 |         fi
 67 |     fi
 68 | 
 69 |     log "Installing msmtp…"
 70 | 
 71 |     msmtp_step1
 72 |     msmtp_step2
 73 |     msmtp_step3
 74 |     msmtp_step4
 75 |     msmtp_step5
 76 | 
 77 |     log "msmtp install completed."
 78 | }
 79 | 
 80 | function msmtp_step1() {
 81 |     log "\nStep 1: Preseeding msmtp package."
 82 |     if ! is_dry_run; then
 83 |         # preseed package
 84 |         msmtp_do_preseed msmtp msmtp/apparmor boolean true 2>&1 | tee -a $LOGFILE_PATH
 85 |     fi
 86 | }
 87 | 
 88 | function msmtp_step2() {
 89 |     log "\nStep 2: Installing msmtp package"
 90 | 
 91 |     is_dry_run || apt update 2>&1 | tee -a $LOGFILE_PATH
 92 | 
 93 |     # Installing:
 94 |     #   - msmtp
 95 |     #   - msmtp-mta
 96 |     #   - mailutils
 97 |     if ! is_dry_run; then
 98 |         if [ "$UNATTENDED_INSTALL" == true ]; then
 99 |             log "Trying unattended install for msmtp etup."
100 |             export DEBIAN_FRONTEND=noninteractive
101 |             args_apt="-qqy"
102 |         else
103 |             args_apt="-y"
104 |         fi
105 | 
106 |         apt-get install "$args_apt" msmtp msmtp-mta mailutils 2>&1 | tee -a $LOGFILE_PATH
107 |     fi
108 | }
109 | 
110 | function msmtp_step3() {
111 |     log "\nStep 3: Prepare msmtp configuration"
112 | 
113 |     # Don't actually *log* passwords! (Or do for debugging…)
114 | 
115 |     log "Replacing '<EMAIL_USER_ADDRESS>' with '$EMAIL_USER_ADDRESS'…"
116 |     sed -i "s|<EMAIL_USER_ADDRESS>|$EMAIL_USER_ADDRESS|g" "$TMP_DIR_PATH"/msmtp/*
117 | 
118 |     log "Replacing '<EMAIL_USER_USERNAME>' with '$EMAIL_USER_USERNAME'…"
119 |     sed -i "s|<EMAIL_USER_USERNAME>|$EMAIL_USER_USERNAME|g" "$TMP_DIR_PATH"/msmtp/*
120 | 
121 |     #log "Replacing '<EMAIL_USER_PASSWORD>' with '$EMAIL_USER_PASSWORD'…"
122 |     log "Replacing '<EMAIL_USER_PASSWORD>…'"
123 |     ESCAPED_EMAIL_USER_PASSWORD=$(printf '%s\n' "$EMAIL_USER_PASSWORD" | sed -e 's/[\/&]/\\&/g')
124 |     sed -i "s|<EMAIL_USER_PASSWORD>|$ESCAPED_EMAIL_USER_PASSWORD|g" "$TMP_DIR_PATH"/msmtp/*
125 | 
126 |     log "Replacing '<EMAIL_SERVER_HOST>' with '$EMAIL_SERVER_HOST'…"
127 |     sed -i "s|<EMAIL_SERVER_HOST>|$EMAIL_SERVER_HOST|g" "$TMP_DIR_PATH"/msmtp/*
128 | 
129 |     log "Replacing '<EMAIL_SERVER_PORT>' with '$EMAIL_SERVER_PORT'…"
130 |     sed -i "s|<EMAIL_SERVER_PORT>|$EMAIL_SERVER_PORT|g" "$TMP_DIR_PATH"/msmtp/*
131 | }
132 | 
133 | function msmtp_step4() {
134 |     log "\nStep 4: Deploy msmtp configuration"
135 | 
136 |     deploy_file "$TMP_DIR_PATH"/msmtp/aliases /etc/aliases || true
137 |     deploy_file "$TMP_DIR_PATH"/msmtp/msmtprc /etc/msmtprc || true
138 | 
139 |     is_dry_run || chmod 600 /etc/msmtprc
140 | }
141 | 
142 | function msmtp_step5() {
143 |     log "\nStep 5: Test msmtp configuration"
144 | 
145 |     msmtp_arguments=(root -X "$LOGFILE_PATH")
146 |     if is_dry_run; then
147 |         msmtp_arguments+=(--pretend)
148 |     fi
149 | 
150 |     set +e
151 |     msmtp "${msmtp_arguments[@]}" <<END
152 | Subject: Test email sent by Nextcloud high-performance-backend setup.
153 | Mime-Version: 1.0
154 | Content-Type: text/html
155 | 
156 | $(cat "$TMP_DIR_PATH"/msmtp/test-email.html)
157 | END
158 | 
159 |     if [ ! "$?" -eq 0 ]; then
160 |         set -e
161 | 
162 |         dialog_text=$(echo -e "We couldn't send an email to you successfully. $(
163 |         )So therefore there is no working email setup on this system! \n$(
164 |         )Please check your email configuration and password. Also make sure $(
165 |         )your SMTP server is online.\n$(
166 |         )Please check any error messages printed by msmtp (email client).\n\n$(
167 |         )The configuration file for msmtp is located at: '/etc/msmtprc'.")
168 | 
169 |         if [ "$UNATTENDED_INSTALL" != true ]; then
170 |             whiptail --title "MSMTP configuration fail!" \
171 |                 --msgbox "$dialog_text" \
172 |                 15 65
173 |         else
174 |             log "$dialog_text"
175 |         fi
176 |     fi
177 | 
178 |     set -e
179 | }
180 | 
181 | # arg: $1 is secret file path
182 | function msmtp_write_secrets_to_file() {
183 |     if is_dry_run; then
184 |         return 0
185 |     fi
186 | 
187 |     echo -e "=== MSMTP Setup ===" >>$1
188 |     echo -e "E-Mails get sent to: $EMAIL_USER_ADDRESS" >>$1
189 |     echo -e "E-Mail account username: $EMAIL_USER_USERNAME" >>$1
190 |     echo -e "E-Mail account password: $EMAIL_USER_PASSWORD" >>$1
191 |     echo -e "E-Mail server host: $EMAIL_SERVER_HOST" >>$1
192 |     echo -e "E-Mail server port: $EMAIL_SERVER_PORT" >>$1
193 | }
194 | 
195 | function msmtp_print_info() {
196 |     log "The msmtp package got successfully configured. So this system can" \
197 |         "\nsend emails to you now. You should have got a test email. Please" \
198 |         "\nhave a look and make sure you also look into your spam folder.\n"
199 | 
200 |     log "=== MSMTP Setup ==="
201 |     log "E-Mails get sent to: $EMAIL_USER_ADDRESS"
202 |     log "E-Mail account username: $EMAIL_USER_USERNAME"
203 |     log "E-Mail account password: *****"
204 |     log "E-Mail server host: $EMAIL_SERVER_HOST"
205 |     log "E-Mail server port: $EMAIL_SERVER_PORT"
206 | }
207 | 


--------------------------------------------------------------------------------
/src/setup-nginx.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | 
  3 | function install_nginx() {
  4 | 	log "Installing Nginx…"
  5 | 
  6 | 	nginx_step1
  7 | 	nginx_step2
  8 | 	nginx_step3
  9 | 
 10 | 	log "Nginx install completed."
 11 | }
 12 | 
 13 | function nginx_step1() {
 14 | 	log "\nStep 1: Installing Nginx package"
 15 | 	if ! is_dry_run; then
 16 | 		if [ "$UNATTENDED_INSTALL" == true ]; then
 17 | 			log "Trying unattended install for Nginx."
 18 | 			export DEBIAN_FRONTEND=noninteractive
 19 | 			apt-get install -qqy nginx ssl-cert 2>&1 | tee -a $LOGFILE_PATH
 20 | 		else
 21 | 			apt-get install -y nginx ssl-cert 2>&1 | tee -a $LOGFILE_PATH
 22 | 		fi
 23 | 	fi
 24 | }
 25 | 
 26 | function nginx_step2() {
 27 | 	log "\nStep 2: Prepare configuration"
 28 | 
 29 | 	generate_dhparam_file
 30 | 
 31 | 	include_snippet_signaling_forwarding=""
 32 | 	include_snippet_signaling_upstream_servers=""
 33 | 	if [ "$SHOULD_INSTALL_SIGNALING" == true ]; then
 34 | 		include_snippet_signaling_forwarding="# Signaling\n  include snippets/signaling-forwarding.conf;\n"
 35 | 		include_snippet_signaling_upstream_servers="include snippets/signaling-upstream-servers.conf;\n"
 36 | 		log "Replacing '<INCLUDE_SNIPPET_SIGNALING_FORWARDING>' with '$include_snippet_signaling_forwarding'…"
 37 | 		log "Replacing '<INCLUDE_SNIPPET_SIGNALING_UPSTREAM_SERVERS>' with '$include_snippet_signaling_upstream_servers'…"
 38 | 	fi
 39 | 	sed -i "s|<INCLUDE_SNIPPET_SIGNALING_FORWARDING>|$include_snippet_signaling_forwarding|g" "$TMP_DIR_PATH"/nginx/nextcloud-hpb.conf
 40 | 	sed -i "s|<INCLUDE_SNIPPET_SIGNALING_UPSTREAM_SERVERS>|$include_snippet_signaling_upstream_servers|g" "$TMP_DIR_PATH"/nginx/nextcloud-hpb.conf
 41 | 
 42 | 	include_snippet_collabora=""
 43 | 	if [ "$SHOULD_INSTALL_COLLABORA" == true ]; then
 44 | 		include_snippet_collabora="# Collabora\n  include snippets/coolwsd.conf;"
 45 | 		log "Replacing '<INCLUDE_SNIPPET_COLLABORA>' with '$include_snippet_collabora'…"
 46 | 	fi
 47 | 	sed -i "s|<INCLUDE_SNIPPET_COLLABORA>|$include_snippet_collabora|g" "$TMP_DIR_PATH"/nginx/nextcloud-hpb.conf
 48 | 
 49 | 	if [ "$DNS_RESOLVER" = "" ]; then
 50 | 		DNS_RESOLVER="9.9.9.9"
 51 | 		log "Using default value '$DNS_RESOLVER' for DNS_RESOLVER".
 52 | 	else
 53 | 		log "Using '$DNS_RESOLVER' for DNS_RESOLVER".
 54 | 	fi
 55 | 
 56 | 	log "Replacing '<SERVER_FQDN>' with '$SERVER_FQDN'…"
 57 | 	sed -i "s|<SERVER_FQDN>|$SERVER_FQDN|g" "$TMP_DIR_PATH"/nginx/*
 58 | 
 59 | 	log "Replacing '<SSL_CERT_PATH_RSA>' with '$SSL_CERT_PATH_RSA'…"
 60 | 	sed -i "s|<SSL_CERT_PATH_RSA>|$SSL_CERT_PATH_RSA|g" "$TMP_DIR_PATH"/nginx/*
 61 | 
 62 | 	log "Replacing '<SSL_CERT_KEY_PATH_RSA>' with '$SSL_CERT_KEY_PATH_RSA'…"
 63 | 	sed -i "s|<SSL_CERT_KEY_PATH_RSA>|$SSL_CERT_KEY_PATH_RSA|g" "$TMP_DIR_PATH"/nginx/*
 64 | 
 65 | 	log "Replacing '<SSL_CHAIN_PATH_RSA>' with '$SSL_CHAIN_PATH_RSA'…"
 66 | 	sed -i "s|<SSL_CHAIN_PATH_RSA>|$SSL_CHAIN_PATH_RSA|g" "$TMP_DIR_PATH"/nginx/*
 67 | 
 68 | 	log "Replacing '<SSL_CERT_PATH_ECDSA>' with '$SSL_CERT_PATH_ECDSA'…"
 69 | 	sed -i "s|<SSL_CERT_PATH_ECDSA>|$SSL_CERT_PATH_ECDSA|g" "$TMP_DIR_PATH"/nginx/*
 70 | 
 71 | 	log "Replacing '<SSL_CERT_KEY_PATH_ECDSA>' with '$SSL_CERT_KEY_PATH_ECDSA'…"
 72 | 	sed -i "s|<SSL_CERT_KEY_PATH_ECDSA>|$SSL_CERT_KEY_PATH_ECDSA|g" "$TMP_DIR_PATH"/nginx/*
 73 | 
 74 | 	log "Replacing '<SSL_CHAIN_PATH_ECDSA>' with '$SSL_CHAIN_PATH_ECDSA'…"
 75 | 	sed -i "s|<SSL_CHAIN_PATH_ECDSA>|$SSL_CHAIN_PATH_ECDSA|g" "$TMP_DIR_PATH"/nginx/*
 76 | 
 77 | 	log "Replacing '<DHPARAM_PATH>' with '$DHPARAM_PATH'…"
 78 | 	sed -i "s|<DHPARAM_PATH>|$DHPARAM_PATH|g" "$TMP_DIR_PATH"/nginx/*
 79 | 
 80 | 	log "Replacing '<DNS_RESOLVER>' with '$DNS_RESOLVER'…"
 81 | 	sed -i "s|<DNS_RESOLVER>|$DNS_RESOLVER|g" "$TMP_DIR_PATH"/nginx/*
 82 | }
 83 | 
 84 | function nginx_step3() {
 85 | 	log "Deploying config files…"
 86 | 	deploy_file "$TMP_DIR_PATH"/nginx/nextcloud-hpb.conf /etc/nginx/sites-enabled/nextcloud-hpb.conf || true
 87 | 
 88 | 	is_dry_run || mkdir -p /etc/nginx/snippets || true
 89 | 	deploy_file "$TMP_DIR_PATH"/nginx/headers.conf /etc/nginx/snippets/headers.conf || true
 90 | 
 91 | 	is_dry_run || mkdir -p /var/www/html || true
 92 | 	is_dry_run || rm /var/www/html/index.nginx-debian.html || true
 93 | 	deploy_file "$TMP_DIR_PATH"/nginx/index.html /var/www/html/index.html || true
 94 | 	deploy_file "$TMP_DIR_PATH"/nginx/robots.txt /var/www/html/robots.txt || true
 95 | }
 96 | 
 97 | # arg: $1 is secret file path
 98 | function nginx_write_secrets_to_file() {
 99 | 	# No secrets, passwords, keys or something to worry about.
100 | 	if is_dry_run; then
101 | 		return 0
102 | 	fi
103 | }
104 | 
105 | function nginx_print_info() {
106 | 	log "Nginx got installed which acts as a reverse proxy for your selected" \
107 | 		"\nservices.No extra configuration needed."
108 | 
109 | 	if [ "$SHOULD_INSTALL_CERTBOT" != true ]; then
110 | 		log "\nExcept one thing. Since you choose to not install an automatic" \
111 | 			"\nSSL-Certificate renewer (certbot for example), you need to make" \
112 | 			"\nsure that at all time a valid SSL-Cert is located at: " \
113 | 			"\n'$SSL_CERT_PATH_RSA' and '$SSL_CERT_KEY_PATH_RSA' (for RSA certificates)" \
114 | 			"\n'$SSL_CERT_PATH_ECDSA' and '$SSL_CERT_KEY_PATH_ECDSA' (for ECDSA certificates)."
115 | 	fi
116 | }
117 | 


--------------------------------------------------------------------------------
/src/setup-signaling.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | 
  3 | # Signaling server
  4 | # https://github.com/strukturag/nextcloud-spreed-signaling
  5 | 
  6 | #SIGNALING_SUNWEAVER_SOURCE_FILE="/etc/apt/sources.list.d/sunweaver.list"
  7 | 
  8 | SIGNALING_BACKPORTS_SOURCE_FILE="/etc/apt/sources.list.d/debian-backports.list"
  9 | 
 10 | SIGNALING_TURN_STATIC_AUTH_SECRET="$(openssl rand -hex 32)"
 11 | SIGNALING_JANUS_API_KEY="$(openssl rand -base64 16)"
 12 | SIGNALING_HASH_KEY="$(openssl rand -hex 16)"
 13 | SIGNALING_BLOCK_KEY="$(openssl rand -hex 16)"
 14 | 
 15 | SIGNALING_COTURN_URL="$SERVER_FQDN"
 16 | 
 17 | COTURN_DIR="/etc/coturn"
 18 | 
 19 | declare -a SIGNALING_BACKENDS                   # Normal array
 20 | declare -a SIGNALING_BACKEND_DEFINITIONS        # Normal Array
 21 | declare -A SIGNALING_NC_SERVER_SECRETS          # Associative array
 22 | declare -A SIGNALING_NC_SERVER_SESSIONLIMIT     # Associative array
 23 | declare -A SIGNALING_NC_SERVER_MAXSTREAMBITRATE # Associative array
 24 | declare -A SIGNALING_NC_SERVER_MAXSCREENBITRATE # Associative array
 25 | 
 26 | function install_signaling() {
 27 | 	log "Installing Signaling…"
 28 | 
 29 | 	if [ "$DEBIAN_VERSION_MAJOR" = "12" ] ; then
 30 | 		log "Enable bookworm-backports"
 31 | 		is_dry_run || cat <<-EOL >$SIGNALING_BACKPORTS_SOURCE_FILE
 32 | 			# Added by nextcloud-high-performance-backend setup-script.
 33 | 			deb http://deb.debian.org/debian bookworm-backports main
 34 | 		EOL
 35 | 		is_dry_run || apt-get update 2>&1 | tee -a $LOGFILE_PATH
 36 | 	fi
 37 | 
 38 | 	if [ "$DEBIAN_VERSION_MAJOR" = "11" ]; then
 39 | 		log "Enable bullseye-backports"
 40 | 		is_dry_run || cat <<-EOL >$SIGNALING_BACKPORTS_SOURCE_FILE
 41 | 			# Added by nextcloud-high-performance-backend setup-script.
 42 | 			deb http://deb.debian.org/debian bullseye-backports main
 43 | 		EOL
 44 | 		is_dry_run || apt-get update 2>&1 | tee -a $LOGFILE_PATH
 45 | 	fi
 46 | 
 47 | 	if [ "$SIGNALING_BUILD_FROM_SOURCES" = true ]; then
 48 | 		is_dry_run || apt update 2>&1 | tee -a $LOGFILE_PATH
 49 | 
 50 | 		# Remove old packages.
 51 | 		is_dry_run || apt purge nextcloud-spreed-signaling nats-server coturn 2>&1 | tee -a $LOGFILE_PATH
 52 | 
 53 | 		# Installing: golang-go make build-essential wget curl
 54 | 		APT_PARAMS="-y"
 55 | 		if [ "$UNATTENDED_INSTALL" == true ]; then
 56 | 			export DEBIAN_FRONTEND=noninteractive
 57 | 			APT_PARAMS="-qqy"
 58 | 			log "Trying unattended install for Signaling."
 59 | 		fi
 60 | 
 61 | 		if [ "$DEBIAN_VERSION_MAJOR" = "11" ]; then
 62 | 			apt-get install $APT_PARAMS -t bullseye-backports golang-go 2>&1 | tee -a $LOGFILE_PATH
 63 | 			apt-get install $APT_PARAMS wget curl protobuf-compiler build-essential make 2>&1 | tee -a $LOGFILE_PATH
 64 | 		elif [ "$DEBIAN_VERSION_MAJOR" = "12" ]; then
 65 | 			apt-get install $APT_PARAMS -t bookworm-backports golang-go 2>&1 | tee -a $LOGFILE_PATH
 66 | 			apt-get install $APT_PARAMS wget curl protobuf-compiler build-essential make 2>&1 | tee -a $LOGFILE_PATH
 67 | 		else
 68 | 			apt-get install $APT_PARAMS wget curl protobuf-compiler build-essential make golang-go 2>&1 | tee -a $LOGFILE_PATH
 69 | 		fi
 70 | 
 71 | 		is_dry_run || signaling_build_nextcloud-spreed-signaling && log "Would have built nextcloud-spreed-signaling now…"
 72 | 
 73 | 		# Only if Debian 11
 74 | 		if [ "$DEBIAN_VERSION_MAJOR" = "11" ]; then
 75 | 			is_dry_run || signaling_build_coturn && log "Would have built coturn now…"
 76 | 			is_dry_run || signaling_build_nats-server && log "Would have built nats-server now…"
 77 | 		fi
 78 | 
 79 | 		# Installing:
 80 | 		# - janus
 81 | 		# - ssl-cert
 82 | 		# - nats-server (Always built from sources for Debian 11)
 83 | 		# - coturn      (Always built from sources for Debian 11)
 84 | 		APT_PARAMS="-y"
 85 | 		if [ "$UNATTENDED_INSTALL" == true ]; then
 86 | 			export DEBIAN_FRONTEND=noninteractive
 87 | 			APT_PARAMS="-qqy"
 88 | 		fi
 89 | 
 90 | 		if [ "$DEBIAN_VERSION_MAJOR" = "11" ]; then
 91 | 			is_dry_run || apt-get install $APT_PARAMS ssl-cert 2>&1 | tee -a $LOGFILE_PATH
 92 | 			is_dry_run || apt-get install $APT_PARAMS -t bullseye-backports janus 2>&1 | tee -a $LOGFILE_PATH
 93 | 		else
 94 | 			is_dry_run || apt-get install $APT_PARAMS janus ssl-cert nats-server coturn 2>&1 | tee -a $LOGFILE_PATH
 95 | 		fi
 96 | 
 97 | 		log "Reloading systemd."
 98 | 		systemctl daemon-reload | tee -a $LOGFILE_PATH
 99 | 	else
100 | 		# Skipped because, we don't need sunweaver's packages anymore.
101 | 		# The packages arived in official Debian repositories.
102 | 		# TODO: This code should be removed soon IMHO.
103 | 		#signaling_step1
104 | 		#signaling_step2
105 | 		signaling_step3
106 | 	fi
107 | 
108 | 	signaling_step4
109 | 	signaling_step5
110 | 
111 | 	# Make sure janus is restartet 15 sec after system reboot, wo that coturn service is already up
112 | 	# Otherwise, janus will silently crash if coturn is not available.
113 | 	set +eo pipefail
114 | 	crontab -l >cron_backup
115 | 	echo "@reboot sleep 15 && systemctl restart janus > /dev/null 2>&1" >>cron_backup
116 | 	crontab cron_backup
117 | 	rm cron_backup
118 | 	set -eo pipefail
119 | 
120 | 	log "Signaling install completed."
121 | }
122 | 
123 | function signaling_build_nats-server() {
124 | 	log "Building nats-server…"
125 | 
126 | 	LATEST_RELEASE="https://api.github.com/repos/nats-io/nats-server/releases/latest"
127 | 	log "Latest nats-server release URL: '$LATEST_RELEASE'"
128 | 
129 | 	LATEST_RELEASE_TAG="$(curl -s "$LATEST_RELEASE" | grep 'tag_name' | cut -d\" -f4)"
130 | 	log "Latest nats-server version is: '$LATEST_RELEASE_TAG'"
131 | 
132 | 	log "Removing old sources…"
133 | 	rm -v nats-server-v*-linux-*.tar.gz | tee -a $LOGFILE_PATH || true
134 | 
135 | 	log "Downloading sources…"
136 | 	if [ "$(dpkg --print-architecture)" = "arm64" ]; then
137 | 		wget $(curl -s "$LATEST_RELEASE" | grep 'linux-arm64.tar.gz' |
138 | 			grep 'browser_download_url' | cut -d\" -f4) |
139 | 			tee -a $LOGFILE_PATH
140 | 	else
141 | 		wget $(curl -s "$LATEST_RELEASE" | grep 'linux-amd64.tar.gz' |
142 | 			grep 'browser_download_url' | cut -d\" -f4) |
143 | 			tee -a $LOGFILE_PATH
144 |    	fi
145 | 
146 | 	log "Extracting sources…"
147 | 	tar -xvf "nats-server-$LATEST_RELEASE_TAG-linux-*.tar.gz" | tee -a $LOGFILE_PATH
148 | 
149 | 	log "Copying binary into /usr/local/bin/nats-server…"
150 | 	cp --backup=numbered -v "nats-server-$LATEST_RELEASE_TAG-linux-*/nats-server" /usr/local/bin/nats-server | tee -a $LOGFILE_PATH
151 | 
152 | 	deploy_file "$TMP_DIR_PATH"/signaling/nats-server.service /lib/systemd/system/nats-server.service || true
153 | 	deploy_file "$TMP_DIR_PATH"/signaling/nats-server.conf /etc/nats-server.conf || true
154 | 
155 | 	log "Creating 'nats' system account…"
156 | 	adduser --system --group nats || true
157 | }
158 | 
159 | function signaling_build_coturn() {
160 | 	log "Building coturn…"
161 | 
162 | 	log "Installing necessary packages…"
163 | 	is_dry_run || apt update 2>&1 | tee -a $LOGFILE_PATH
164 | 
165 | 	APT_PARAMS="-y"
166 | 	if [ "$UNATTENDED_INSTALL" == true ]; then
167 | 		export DEBIAN_FRONTEND=noninteractive
168 | 		APT_PARAMS="-qqy"
169 | 	fi
170 | 	is_dry_run || apt-get install $APT_PARAMS cmake libssl-dev libevent-dev git 2>&1 | tee -a $LOGFILE_PATH
171 | 
172 | 	log "Downloading sources…"
173 | 	rm coturn-master.tar.gz | tee -a $LOGFILE_PATH || true
174 | 	wget https://github.com/coturn/coturn/archive/refs/heads/master.tar.gz -O coturn-master.tar.gz | tee -a $LOGFILE_PATH
175 | 
176 | 	log "Extracting sources…"
177 | 	tar -xvf coturn-master.tar.gz | tee -a $LOGFILE_PATH
178 | 
179 | 	log "Creating build directory…"
180 | 	mkdir coturn-master/build | tee -a $LOGFILE_PATH || true
181 | 
182 | 	log "Run configure script which will make a Makefile for this system…"
183 | 	cmake -S coturn-master -B coturn-master/build | tee -a $LOGFILE_PATH
184 | 
185 | 	log "Build & install coturn."
186 | 	cmake --build coturn-master/build --target install | tee -a $LOGFILE_PATH
187 | 
188 | 	deploy_file "$TMP_DIR_PATH"/signaling/coturn.service /lib/systemd/system/coturn.service || true
189 | 
190 | 	chmod 755 /usr/local/bin/turnserver
191 | 
192 | 	log "Creating 'turnserver' account"
193 | 	adduser --system --group --home /var/lib/turnserver turnserver || true
194 | }
195 | 
196 | function signaling_build_nextcloud-spreed-signaling() {
197 | 	log "Building nextcloud-spreed-signaling…"
198 | 
199 | 	log "Downloading sources…"
200 | 	rm n-s-s-master.tar.gz | tee -a $LOGFILE_PATH || true
201 | 	wget https://github.com/strukturag/nextcloud-spreed-signaling/archive/refs/heads/master.tar.gz -O n-s-s-master.tar.gz | tee -a $LOGFILE_PATH
202 | 
203 | 	log "Extracting sources…"
204 | 	tar -xvf n-s-s-master.tar.gz | tee -a $LOGFILE_PATH
205 | 
206 | 	log "Building sources…"
207 | 	make -C nextcloud-spreed-signaling-master | tee -a $LOGFILE_PATH
208 | 
209 | 	log "Stopping potential running service…"
210 | 	systemctl stop nextcloud-spreed-signaling | tee -a $LOGFILE_PATH || true
211 | 
212 | 	log "Copying built binary into /usr/local/bin/nextcloud-spreed-signaling-server…"
213 | 	cp -v nextcloud-spreed-signaling-master/bin/signaling \
214 | 		/usr/local/bin/nextcloud-spreed-signaling-server | tee -a $LOGFILE_PATH
215 | 
216 | 	deploy_file "$TMP_DIR_PATH"/signaling/nextcloud-spreed-signaling.service \
217 | 		/lib/systemd/system/nextcloud-spreed-signaling.service || true
218 | 
219 | 	if [ ! -d /etc/nextcloud-spreed-signaling ]; then
220 | 		log "Create '/etc/nextcloud-spreed-signaling' directory"
221 | 		mkdir /etc/nextcloud-spreed-signaling | tee -a $LOGFILE_PATH
222 | 	fi
223 | 
224 | 	log "Creating '_signaling' account"
225 | 	# TODO: If bullseye support is dropped sometime then this fix can be dropped too.
226 | 	# if adduser >= 3.122; then use --allow-bad-names
227 | 	# if not; then use --force-badname
228 | 	badname_option="--allow-bad-names"
229 | 	version=$(dpkg-query --show --showformat='${Version}' adduser)
230 | 	if dpkg --compare-versions "$version" "lt" "3.122"; then
231 | 		badname_option="--force-badname"
232 | 	fi
233 | 	adduser --system --group --home /var/lib/nextcloud-spreed-signaling \
234 | 		"$badname_option" _signaling || true
235 | }
236 | 
237 | #function signaling_step1() {
238 | #	log "\nStep 1: Import sunweaver's gpg key."
239 | #	is_dry_run || wget http://packages.sunweavers.net/archive.key \
240 | #		-O /etc/apt/trusted.gpg.d/sunweaver-archive-keyring.asc
241 | #}
242 | 
243 | #function signaling_step2() {
244 | #	log "\nStep 2: Add sunweaver package repository"
245 | #
246 | #	is_dry_run || cat <<EOF >$SIGNALING_SUNWEAVER_SOURCE_FILE
247 | ## Added by nextcloud-high-performance-backend setup-script.
248 | #deb http://packages.sunweavers.net/debian bookworm main
249 | #EOF
250 | #}
251 | 
252 | function signaling_step3() {
253 | 	log "\nStep 3: Install packages"
254 | 
255 | 	is_dry_run || apt update 2>&1 | tee -a $LOGFILE_PATH
256 | 
257 | 	# Installing:
258 | 	# - janus
259 | 	# - nats-server
260 | 	# - nextcloud-spreed-signaling
261 | 	# - coturn
262 | 	APT_PARAMS="-y"
263 | 	if [ "$UNATTENDED_INSTALL" == true ]; then
264 | 		export DEBIAN_FRONTEND=noninteractive
265 | 		APT_PARAMS="-qqy"
266 | 	fi
267 | 
268 | 	if [ "$DEBIAN_VERSION_MAJOR" = "11" ]; then
269 | 		# Nope, always build from sources. This function should never be called in the first place.
270 | 		exit 1;
271 | 	elif [ "$DEBIAN_VERSION_MAJOR" = "12" ]; then
272 | 		# Special case, please install 'nextcloud-spreed-signaling' from bookworm-backports.
273 | 		is_dry_run || apt-get install $APT_PARAMS janus nats-server coturn ssl-cert 2>&1 | tee -a $LOGFILE_PATH
274 | 		is_dry_run || apt-get install $APT_PARAMS -t bookworm-backports nextcloud-spreed-signaling nextcloud-spreed-signaling-client 2>&1 | tee -a $LOGFILE_PATH
275 | 	else
276 | 		is_dry_run || apt-get install $APT_PARAMS janus nats-server coturn ssl-cert nextcloud-spreed-signaling nextcloud-spreed-signaling-client 2>&1 | tee -a $LOGFILE_PATH
277 | 	fi
278 | }
279 | 
280 | function signaling_step4() {
281 | 	log "\nStep 4: Prepare configuration"
282 | 
283 | 	# Make sure /etc/nginx/snippets/ is created
284 | 	is_dry_run || mkdir -p /etc/nginx/snippets || true
285 | 
286 | 	# Make SSL certificates available for coturn
287 | 	if [ "$SHOULD_INSTALL_CERTBOT" = true ] && ! is_dry_run; then
288 | 		mkdir -p "$COTURN_DIR/certs"
289 | 		adduser turnserver ssl-cert
290 | 	else
291 | 		is_dry_run || mkdir -p "$COTURN_DIR"
292 | 	fi
293 | 
294 | 	generate_dhparam_file
295 | 
296 | 	is_dry_run || chown -R turnserver:turnserver "$COTURN_DIR"
297 | 	is_dry_run || chmod -R 740 "$COTURN_DIR"
298 | 
299 | 	i=0
300 | 	for NC_SERVER in "${NEXTCLOUD_SERVER_FQDNS[@]}"; do
301 | 		NC_SERVER_UNDERSCORE=$(echo "$NC_SERVER" | sed "s/\./_/g")
302 | 		SIGNALING_NC_SERVER_SECRETS[$NC_SERVER_UNDERSCORE]="$(openssl rand -hex 16)"
303 | 		SIGNALING_NC_SERVER_SESSIONLIMIT[$NC_SERVER_UNDERSCORE]=0
304 | 		SIGNALING_NC_SERVER_MAXSTREAMBITRATE[$NC_SERVER_UNDERSCORE]=0
305 | 		SIGNALING_NC_SERVER_MAXSCREENBITRATE[$NC_SERVER_UNDERSCORE]=0
306 | 
307 | 		SIGNALING_BACKENDS+=("nextcloud-backend-$i")
308 | 
309 | 		IFS= read -r -d '' SIGNALING_BACKEND_DEFINITION <<-EOF || true
310 | 			[nextcloud-backend-$i]
311 | 			url = https://$NC_SERVER
312 | 			secret = ${SIGNALING_NC_SERVER_SECRETS["$NC_SERVER_UNDERSCORE"]}
313 | 			#sessionlimit = ${SIGNALING_NC_SERVER_SESSIONLIMIT["$NC_SERVER_UNDERSCORE"]}
314 | 			#maxstreambitrate = ${SIGNALING_NC_SERVER_MAXSTREAMBITRATE["$NC_SERVER_UNDERSCORE"]}
315 | 			#maxscreenbitrate = ${SIGNALING_NC_SERVER_MAXSCREENBITRATE["$NC_SERVER_UNDERSCORE"]}
316 | 		EOF
317 | 
318 | 		# Escape newlines for sed later on.
319 | 		SIGNALING_BACKEND_DEFINITION=$(echo "$SIGNALING_BACKEND_DEFINITION" | sed -z 's|\n|\\n|g')
320 | 		SIGNALING_BACKEND_DEFINITIONS+=("$SIGNALING_BACKEND_DEFINITION")
321 | 
322 | 		i=$(($i + 1))
323 | 	done
324 | 
325 | 	# Don't actually *log* passwords! (Or do for debugging…)
326 | 
327 | 	# log "Replacing '<SIGNALING_TURN_STATIC_AUTH_SECRET>' with '$SIGNALING_TURN_STATIC_AUTH_SECRET'…"
328 | 	log "Replacing '<SIGNALING_TURN_STATIC_AUTH_SECRET>'…"
329 | 	sed -i "s|<SIGNALING_TURN_STATIC_AUTH_SECRET>|$SIGNALING_TURN_STATIC_AUTH_SECRET|g" "$TMP_DIR_PATH"/signaling/*
330 | 
331 | 	# log "Replacing '<SIGNALING_JANUS_API_KEY>' with '$SIGNALING_JANUS_API_KEY'…"
332 | 	log "Replacing '<SIGNALING_JANUS_API_KEY>…'"
333 | 	sed -i "s|<SIGNALING_JANUS_API_KEY>|$SIGNALING_JANUS_API_KEY|g" "$TMP_DIR_PATH"/signaling/*
334 | 
335 | 	# log "Replacing '<SIGNALING_HASH_KEY>' with '$SIGNALING_HASH_KEY'…"
336 | 	log "Replacing '<SIGNALING_HASH_KEY>…'"
337 | 	sed -i "s|<SIGNALING_HASH_KEY>|$SIGNALING_HASH_KEY|g" "$TMP_DIR_PATH"/signaling/*
338 | 
339 | 	# log "Replacing '<SIGNALING_BLOCK_KEY>' with '$SIGNALING_BLOCK_KEY'…"
340 | 	log "Replacing '<SIGNALING_BLOCK_KEY>…'"
341 | 	sed -i "s|<SIGNALING_BLOCK_KEY>|$SIGNALING_BLOCK_KEY|g" "$TMP_DIR_PATH"/signaling/*
342 | 
343 | 	IFS=,
344 | 	log "Replacing '<SIGNALING_BACKENDS>' with '""${SIGNALING_BACKENDS[*]}""'…"
345 | 	sed -i "s|<SIGNALING_BACKENDS>|""${SIGNALING_BACKENDS[*]}""|g" "$TMP_DIR_PATH"/signaling/*
346 | 	unset IFS
347 | 
348 | 	IFS= # Avoid whitespace between definitions.
349 | 	#log "Replacing '<SIGNALING_BACKEND_DEFINITIONS>' with:\n${SIGNALING_BACKEND_DEFINITIONS[*]}"
350 | 	log "Replacing '<SIGNALING_BACKEND_DEFINITIONS>'…"
351 | 	sed -ri "s|<SIGNALING_BACKEND_DEFINITIONS>|${SIGNALING_BACKEND_DEFINITIONS[*]}|g" "$TMP_DIR_PATH"/signaling/*
352 | 	unset IFS
353 | 
354 | 	log "Replacing '<SIGNALING_COTURN_URL>' with '$SIGNALING_COTURN_URL'…"
355 | 	sed -i "s|<SIGNALING_COTURN_URL>|$SIGNALING_COTURN_URL|g" "$TMP_DIR_PATH"/signaling/*
356 | 
357 | 	log "Replacing '<SSL_CERT_PATH_RSA>' with '$SSL_CERT_PATH_RSA'…"
358 | 	sed -i "s|<SSL_CERT_PATH_RSA>|$SSL_CERT_PATH_RSA|g" "$TMP_DIR_PATH"/signaling/*
359 | 
360 | 	log "Replacing '<SSL_CERT_KEY_PATH_RSA>' with '$SSL_CERT_KEY_PATH_RSA'…"
361 | 	sed -i "s|<SSL_CERT_KEY_PATH_RSA>|$SSL_CERT_KEY_PATH_RSA|g" "$TMP_DIR_PATH"/signaling/*
362 | 
363 | 	log "Replacing '<SSL_CHAIN_PATH_RSA>' with '$SSL_CHAIN_PATH_RSA'…"
364 | 	sed -i "s|<SSL_CHAIN_PATH_RSA>|$SSL_CHAIN_PATH_RSA|g" "$TMP_DIR_PATH"/signaling/*
365 | 
366 | 	log "Replacing '<SSL_CERT_PATH_ECDSA>' with '$SSL_CERT_PATH_ECDSA'…"
367 | 	sed -i "s|<SSL_CERT_PATH_ECDSA>|$SSL_CERT_PATH_ECDSA|g" "$TMP_DIR_PATH"/signaling/*
368 | 
369 | 	log "Replacing '<SSL_CERT_KEY_PATH_ECDSA>' with '$SSL_CERT_KEY_PATH_ECDSA'…"
370 | 	sed -i "s|<SSL_CERT_KEY_PATH_ECDSA>|$SSL_CERT_KEY_PATH_ECDSA|g" "$TMP_DIR_PATH"/signaling/*
371 | 
372 | 	log "Replacing '<SSL_CHAIN_PATH_ECDSA>' with '$SSL_CHAIN_PATH_ECDSA'…"
373 | 	sed -i "s|<SSL_CHAIN_PATH_ECDSA>|$SSL_CHAIN_PATH_ECDSA|g" "$TMP_DIR_PATH"/signaling/*
374 | 
375 | 	log "Replacing '<DHPARAM_PATH>' with '$DHPARAM_PATH'…"
376 | 	sed -i "s|<DHPARAM_PATH>|$DHPARAM_PATH|g" "$TMP_DIR_PATH"/signaling/*
377 | 
378 | 	EXTERN_IPv4=$(wget -4 ident.me -O - -o /dev/null || true)
379 | 	log "Replacing '<SIGNALING_COTURN_EXTERN_IPV4>' with '$EXTERN_IPv4'…"
380 | 	sed -i "s|<SIGNALING_COTURN_EXTERN_IPV4>|$EXTERN_IPv4|g" "$TMP_DIR_PATH"/signaling/*
381 | 
382 | 	EXTERN_IPv6=$(wget -6 ident.me -O - -o /dev/null || true)
383 | 	log "Replacing '<SIGNALING_COTURN_EXTERN_IPV6>' with '$EXTERN_IPv6'…"
384 | 	sed -i "s|<SIGNALING_COTURN_EXTERN_IPV6>|$EXTERN_IPv6|g" "$TMP_DIR_PATH"/signaling/*
385 | }
386 | 
387 | function signaling_step5() {
388 | 	log "\nStep 5: Deploy configuration"
389 | 
390 | 	deploy_file "$TMP_DIR_PATH"/signaling/nginx-signaling-upstream-servers.conf /etc/nginx/snippets/signaling-upstream-servers.conf || true
391 | 	deploy_file "$TMP_DIR_PATH"/signaling/nginx-signaling-forwarding.conf /etc/nginx/snippets/signaling-forwarding.conf || true
392 | 
393 | 	if [ "$(dpkg --print-architecture)" = "arm64" ]; then
394 | 		deploy_file "$TMP_DIR_PATH"/signaling/janus_aarch64.jcfg /etc/janus/janus.jcfg || true
395 | 	elif [ "$(dpkg --print-architecture)" = "ppc64el" ]; then
396 | 		deploy_file "$TMP_DIR_PATH"/signaling/janus_powerpc64le.jcfg /etc/janus/janus.jcfg || true
397 | 	else
398 | 		deploy_file "$TMP_DIR_PATH"/signaling/janus.jcfg /etc/janus/janus.jcfg || true
399 | 	fi
400 | 	deploy_file "$TMP_DIR_PATH"/signaling/janus.transport.http.jcfg /etc/janus/janus.transport.http.jcfg || true
401 | 	deploy_file "$TMP_DIR_PATH"/signaling/janus.transport.websockets.jcfg /etc/janus/janus.transport.websockets.jcfg || true
402 | 
403 | 	deploy_file "$TMP_DIR_PATH"/signaling/signaling-server.conf /etc/nextcloud-spreed-signaling/server.conf || true
404 | 
405 | 	deploy_file "$TMP_DIR_PATH"/signaling/turnserver.conf /etc/turnserver.conf || true
406 | }
407 | 
408 | # arg: $1 is secret file path
409 | function signaling_write_secrets_to_file() {
410 | 	if is_dry_run; then
411 | 		return 0
412 | 	fi
413 | 
414 | 	echo -e "=== Signaling / Nextcloud Talk ===" >>$1
415 | 	echo -e "Janus API key: $SIGNALING_JANUS_API_KEY" >>$1
416 | 	echo -e "Hash key:      $SIGNALING_HASH_KEY" >>$1
417 | 	echo -e "Block key:     $SIGNALING_BLOCK_KEY" >>$1
418 | 	echo -e "" >>$1
419 | 	echo -e "Allowed Nextcloud Servers:" >>$1
420 | 	echo -e "$(printf '\t- https://%s\n' "${NEXTCLOUD_SERVER_FQDNS[@]}")" >>$1
421 | 	echo -e "STUN server = $SERVER_FQDN:5349" >>$1
422 | 	echo -e "TURN server:" >>$1
423 | 	echo -e " - 'turn and turns'" >>$1
424 | 	echo -e " - $SERVER_FQDN:5349" >>$1
425 | 	echo -e " - $SIGNALING_TURN_STATIC_AUTH_SECRET" >>$1
426 | 	echo -e " - 'udp & tcp'" >>$1
427 | 	echo -e "High-performance backend:" >>$1
428 | 	echo -e " - https://$SERVER_FQDN/standalone-signaling" >>$1
429 | 
430 | 	for NC_SERVER in "${NEXTCLOUD_SERVER_FQDNS[@]}"; do
431 | 		NC_SERVER_UNDERSCORE=$(echo "$NC_SERVER" | sed "s/\./_/g")
432 | 		echo -e " - $NC_SERVER\t-> ${SIGNALING_NC_SERVER_SECRETS["$NC_SERVER_UNDERSCORE"]}" >>$1
433 | 	done
434 | }
435 | 
436 | function signaling_print_info() {
437 | 	log "The services coturn janus nats-server and nextcloud-signaling-spreed" \
438 | 		"\ngot installed. To set it up, log into all of your Nextcloud" \
439 | 		"\ninstances with an adminstrator account and install the Talk app." \
440 | 		"\nThen navigate to Settings -> Administration -> Talk and put in the" \
441 | 		"\nsettings down below.\n" \
442 | 		"$(printf '\t- https://%s\n' "${NEXTCLOUD_SERVER_FQDNS[@]}")\n"
443 | 
444 | 	# Don't actually *log* passwords!
445 | 	log "STUN server = $SERVER_FQDN:5349"
446 | 	log "TURN server:"
447 | 	log " - 'turn and turns'"
448 | 	log " - turnserver+port: $SERVER_FQDN:5349"
449 | 	echo -e " - secret: $SIGNALING_TURN_STATIC_AUTH_SECRET"
450 | 	log " - 'udp & tcp'"
451 | 	log "High-performance backend:"
452 | 	log " - https://$SERVER_FQDN/standalone-signaling"
453 | 
454 | 	for NC_SERVER in "${NEXTCLOUD_SERVER_FQDNS[@]}"; do
455 | 		NC_SERVER_UNDERSCORE=$(echo "$NC_SERVER" | sed "s/\./_/g")
456 | 		echo -e " - $NC_SERVER\t-> ${SIGNALING_NC_SERVER_SECRETS["$NC_SERVER_UNDERSCORE"]}"
457 | 	done
458 | }
459 | 


--------------------------------------------------------------------------------
/src/setup-ufw.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | function install_ufw() {
 4 | 	log "Installing UFW…"
 5 | 
 6 | 	ufw_step1
 7 | 	ufw_step2
 8 | 
 9 | 	log "UFW install completed."
10 | }
11 | 
12 | function ufw_step1() {
13 | 	# 1. Install packages
14 | 	log "\nStep 1: Install package"
15 | 
16 | 	is_dry_run || apt update 2>&1 | tee -a $LOGFILE_PATH
17 | 
18 | 	# Installing:
19 | 	#   - ufw
20 | 	if ! is_dry_run; then
21 | 		if [ "$UNATTENDED_INSTALL" == true ]; then
22 | 			log "Trying unattended install for UFW."
23 | 			export DEBIAN_FRONTEND=noninteractive
24 | 			args_apt="-qqy"
25 | 		else
26 | 			args_apt="-y"
27 | 		fi
28 | 
29 | 		apt-get install "$args_apt" ufw 2>&1 | tee -a $LOGFILE_PATH
30 | 	fi
31 | }
32 | 
33 | function ufw_step2() {
34 | 	# 2. Configure firewall
35 | 	log "\nStep 2: Configure firewall"
36 | 
37 | 	# Prefix command with 'log' if in dry run mode.
38 | 	local _cmdprefix=""
39 | 	is_dry_run && _cmdprefix="log " || true
40 | 
41 | 	${_cmdprefix}ufw default deny incoming | tee -a $LOGFILE_PATH
42 | 	${_cmdprefix}ufw default allow outgoing | tee -a $LOGFILE_PATH
43 | 
44 | 	if [ "$DISABLE_SSH_SERVER" != true ]; then
45 | 		if [ -e "/etc/ufw/applications.d/openssh-server" ]; then
46 | 			${_cmdprefix}ufw allow "OpenSSH" | tee -a $LOGFILE_PATH
47 | 		fi
48 | 	fi
49 | 
50 | 	# Nginx
51 | 	if [ "$SHOULD_INSTALL_NGINX" = true ]; then
52 | 		${_cmdprefix}ufw allow "WWW Full" comment "Nextcloud HPB Nginx" | tee -a $LOGFILE_PATH
53 | 	fi
54 | 
55 | 	# Coturn
56 | 	if [ "$SHOULD_INSTALL_SIGNALING" = true ]; then
57 | 		${_cmdprefix}ufw allow 5349 comment "Nextcloud HPB Coturn" | tee -a $LOGFILE_PATH
58 | 	fi
59 | 
60 | 	_ufwargs=""
61 | 	is_dry_run || _ufwargs="--force"
62 | 	${_cmdprefix}ufw "$_ufwargs" enable | tee -a $LOGFILE_PATH
63 | }
64 | 
65 | # arg: $1 is secret file path
66 | # function ufw_write_secrets_to_file() { }
67 | # function ufw_print_info() { }
68 | 


--------------------------------------------------------------------------------
/src/setup-unattendedupgrades.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | function unattendedupgrades_do_preseed() {
 4 | 	pkg="$1"
 5 | 	template="$2"
 6 | 	type="$3"
 7 | 	value="$4"
 8 | 	is_dry_run ||
 9 | 		echo $pkg $template $type "$value" | debconf-set-selections ||
10 | 		log "Failed to load preseed '$template'"
11 | }
12 | 
13 | function unattendedupgrades_do_reconfigure() {
14 | 	package="$1"
15 | 	log "Silently running dpkg-reconfigure on package $package…"
16 | 	is_dry_run || dpkg -l $package 1>/dev/null 2>/dev/null && {
17 | 		dpkg-reconfigure -fnoninteractive -pcritical $package &&
18 | 			log "Reconfigure DONE" || log "Reconfigure FAILED"
19 | 	}
20 | }
21 | 
22 | function install_unattendedupgrades() {
23 | 	log "Installing unattended-upgrades…"
24 | 
25 | 	unattendedupgrades_step1
26 | 	unattendedupgrades_step2
27 | 	unattendedupgrades_step3
28 | 	unattendedupgrades_step4
29 | 
30 | 	log "unattended-upgrades install completed."
31 | }
32 | 
33 | function unattendedupgrades_step1() {
34 | 	log "\nStep 1: Install unattended-upgrades package"
35 | 
36 | 	is_dry_run || apt update 2>&1 | tee -a $LOGFILE_PATH
37 | 
38 | 	# Installing:
39 | 	#   - unattended-upgrades
40 | 	if ! is_dry_run; then
41 | 		if [ "$UNATTENDED_INSTALL" == true ]; then
42 | 			log "Trying unattended install for unattended upgrades."
43 | 			export DEBIAN_FRONTEND=noninteractive
44 | 			args_apt="-qqy"
45 | 		else
46 | 			args_apt="-y"
47 | 		fi
48 | 
49 | 		apt-get install "$args_apt" unattended-upgrades \
50 | 			2>&1 | tee -a $LOGFILE_PATH
51 | 
52 | 	fi
53 | }
54 | 
55 | function unattendedupgrades_step2() {
56 | 	log "\nStep 2: Preseed and reconfigure unattended-upgrades package"
57 | 
58 | 	if ! is_dry_run; then
59 | 		# preseed and reconfigure
60 | 		unattendedupgrades_do_preseed \
61 | 			unattended-upgrades unattended-upgrades/enable_auto_updates \
62 | 			boolean true \
63 | 			2>&1 | tee -a $LOGFILE_PATH
64 | 
65 | 		unattendedupgrades_do_reconfigure \
66 | 			unattended-upgrades \
67 | 			2>&1 | tee -a $LOGFILE_PATH
68 | 	fi
69 | }
70 | 
71 | function unattendedupgrades_step3() {
72 | 	log "\nStep 3: Prepare unattended-upgrades configuration"
73 | 
74 | 	UNATTENDED_UPGRADES_ENABLE_COLLABORA_UPGRADES=""
75 | 	if [ "$SHOULD_INSTALL_COLLABORA" = true ]; then
76 | 		UNATTENDED_UPGRADES_ENABLE_COLLABORA_UPGRADES="\
77 | Unattended-Upgrade::Origins-Pattern {\"site=www.collaboraoffice.com\";}"
78 | 	fi
79 | 
80 | 	log "Replacing '<UNATTENDED_UPGRADES_ENABLE_COLLABORA_UPGRADES>' with '$UNATTENDED_UPGRADES_ENABLE_COLLABORA_UPGRADES'…"
81 | 	sed -i "s|<UNATTENDED_UPGRADES_ENABLE_COLLABORA_UPGRADES>|$UNATTENDED_UPGRADES_ENABLE_COLLABORA_UPGRADES|g" "$TMP_DIR_PATH"/unattended-upgrades/*
82 | }
83 | 
84 | function unattendedupgrades_step4() {
85 | 	log "\nStep 4: Deploy unattended-upgrades configuration"
86 | 
87 | 	deploy_file "$TMP_DIR_PATH"/unattended-upgrades/60unattended-upgrades-nextcloud-hpb-setup /etc/apt/apt.conf.d/60unattended-upgrades-nextcloud-hpb-setup || true
88 | }
89 | 
90 | # arg: $1 is secret file path
91 | # function unattendedupgrades_write_secrets_to_file() { }
92 | # function unattendedupgrades_print_info() { }
93 | 


--------------------------------------------------------------------------------