Notes on setting up Jitsi Meet on a personal server. Main thing is to note what we'd need to do to get this set up on an hcoop server
Contents
1. Setup Script
https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart
Followed the script and got a working install.
- We'll need to set config to provide our own cert
- jitsi-meet needs nginx out of the box
/etc/nginx/sites-available/sites-available/meet.unknownlamer.org.conf
- Has its own xmpp server, prosidy (I think in theory we could integrate the videobridge with jabber but in practice probably not worth it at our scale)
Working config out of the box, if we accept having to run this on a dedicated server.
2. Puppet Module Notes
https://gitlab.com/shared-puppet-modules-group/jitsimeet
The puppet modules has a few rough edges that we should fix and contribute upstream.
2.1. Check for Staleness
Since I installed meet.unknownlamer.org in July, jitsi has changed something with the vhost structure to avoid multiplexing: https://jitsi.github.io/handbook/docs/devops-guide/faq#how-to-migrate-away-from-multiplexing-and-enable-bridge-websockets, make sure puppet is generating a config which doesn't do this
- Generated config does not work at all... review postinst for clues:
2.2. Not sure if it's just me or not
jitsimeet::config created an LE cert for "auth.${jitsimeet::jitsi_domain}", and using the hcoop wildcard cert we get a cert error, which does not occur on my test instance despite only having a cert for Subject: CN = meet.unknownlamer.org (no wildcard)
Jicofo 2020-12-01 23:55:37.933 WARNING: [505] org.jivesoftware.smack.AbstractXMPPConnection.callConnectionClosedOnErrorListener() Connection XMPPTCPConnection[not-authenticated] (0) closed with error java.security.cert.CertificateException: Hostname verification of certificate failed. Certificate does not authenticate auth.meet-test.hcoop.net at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:820) at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1200(XMPPTCPConnection.java:151) at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1071) at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000) at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016) at java.base/java.lang.Thread.run(Thread.java:834)
2.3. Defects
Forced to set jitsi_vhost_ssl_key and auth_vhost_ssl_key even when using combined PEM.
Does not configure turnserver, which is needed for websockets
- Nginx config is stale, doesn't work with websockets (and needed config options aren't set), and the mobile client can't connect at all
3. Testing
Using https://meet.unknownlamer.org on my personal DigitalOcean account. With a 2CPU/2G RAM setup, a 4 person conference used around 4Mbps and 10% CPU.
3.1. Things to look out for
MIME type application/wasm wasm; was not set, appearing to cause chromium/firefox to just not use any of the wasm which seems bad for performance
pwa-worker.js is missing in stable release packaging 1.0.4466-1 (Fixed in 4480)
4. Security
https://jitsi.github.io/handbook/docs/devops-guide/secure-domain
Need to adapt to kerberos, will have to use SASL: https://prosody.im/doc/cyrus_sasl (we have saslauthd in place for exim, so should be straightforward)
There are some additional steps to auth against sasl:
lua-cyrussasl must be installed from buster-backports on Debian 10.
/etc/prosody/conf.avail/meet-test.hcoop.net.cfg.lua :
... VirtualHost "meet-test.hcoop.net" -- enabled = false -- Remove this line to enable this host authentication = "cyrus" cyrus_application_name = "xmpp" --allow_unencrypted_plain_auth = true -- is this safe ? / it worked fine without it ... modules_enabled = { "auth_cyrus"; ... } ...
/etc/sasl/xmpp.conf:
pwcheck_method: saslauthd mech_list: PLAIN
5. Open Questions
- Can we limit room sizes?
6. FSF setup
https://vcs.fsf.org/?p=jitsi-ansible.git review
6.1. Useful snippets
- name: custom css lineinfile: path: /usr/share/jitsi-meet/css/all.css line: ".header-text-description, .unsupported-desktop-browser__description {display:none!important}" - name: fellow hacker replace: path: /usr/share/jitsi-meet/interface_config.js regexp: "Fellow Jitster" replace: "Fellow Hacker" - name: link replace: path: /usr/share/jitsi-meet/interface_config.js regexp: "https://jitsi.org" replace: "https://{{ inventory_hostname }}/" - name: hide logo replace: path: /usr/share/jitsi-meet/interface_config.js regexp: "SHOW_WATERMARK_FOR_GUESTS: true," replace: "SHOW_WATERMARK_FOR_GUESTS: false," - name: hide logo replace: path: /usr/share/jitsi-meet/interface_config.js regexp: "SHOW_JITSI_WATERMARK: true," replace: "SHOW_JITSI_WATERMARK: false," - name: copy watermark logo copy: src: files/LPlogo.png dest: /usr/share/jitsi-meet/images/watermark.png owner: root group: root mode: 0444 when: j.stat.exists
6.2. Custom index
We'll want to customize the css at least to match our usual color schema and insert the hcoop logo, and something like the blurb about the coop we include on git.hcoop.net
Also, do we want to add librejs info? Not sure what the licensing on the youtube stuff is...
7. Config changes
If we leave youtube support on, do we need to generate our own API keys, or is using the ones built into jitsi fine? https://jitsi.github.io/handbook/docs/dev-guide/dev-guide-web-integrations
7.1. Performance
Discussing hosting 500 person meetings (not feasible, but some advice there)
Jitsi Club Self-Hosting Tuning Guide worth a review
Recommends disabling currently speaking dot to lower client and server cpu use (fsf does this, I left it on in my testing instance): the detection apparently uses quite a bit of CPU.
Further suggested tweaks to reduce client cpu use:
disableAudioLevels: true DISABLE_JOIN_LEAVE_NOTIFICATIONS: true, DISABLE_VIDEO_BACKGROUND: true, DISABLE_FOCUS_INDICATOR: true, DISABLE_DOMINANT_SPEAKER_INDICATOR: true, DISABLE_VIDEO_BACKGROUND: true,
7.2. /etc/jitsi/meet/meet.hcoop.net-config.js
fileRecordingsEnabled defaults to true, since we will not support dropbox integration and don't want local recordings, we should set this to false to hide the interface elements that don't work
resolution: 720 is the default (so 720p) max resolution, which seems reasonable for video conferencing
Jiti by defaults starts with the mic and camera of participants on. The FSF starts with participants muted. I think that would be a more reasonable, privacy respecting default? Alternatively, we could set prejoinPageEnabled which allows participants to set or disable their camera/mic and set their nickname before entering the room
// Every participant after the Nth will start audio muted. // startAudioMuted: 10, // Start calls with audio muted. Unlike the option above, this one is only // applied locally. FIXME: having these 2 options is confusing. // startWithAudioMuted: false, // Every participant after the Nth will start video muted. // startVideoMuted: 10, // Start calls with video muted. Unlike the option above, this one is only // applied locally. FIXME: having these 2 options is confusing. // startWithVideoMuted: false,
should we use our own STUN server instead of the default provided by jitsi?:
stunServers: [ // { urls: 'stun:meet.unknownlamer.org:3478' }, { urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' } ]
Instead of patching internal data, maybe we could just have a static json file on hcoop.net and use this to override logos? (My attempt to get this work on my local install didn't work, the react frontend should be making a request to brandingDataUrl but it never does for me)
/** External API url used to receive branding specific information. If there is no url set or there are missing fields, the defaults are applied. None of the fields are mandatory and the response must have the shape: { // The hex value for the colour used as background backgroundColor: '#fff', // The url for the image used as background backgroundImageUrl: 'https://example.com/background-img.png', // The anchor url used when clicking the logo image logoClickUrl: 'https://example-company.org', // The url used for the image used as logo logoImageUrl: 'https://example.com/logo-img.png' } */ // brandingDataUrl: '',
Maybe some bandwidth savings to be had?
// Enable / disable layer suspension. If enabled, endpoints whose HD // layers are not in use will be suspended (no longer sent) until they // are requested again. // enableLayerSuspension: false, // Optional desktop sharing frame rate options. Default value: min:5, max:5. // desktopSharingFrameRate: { // min: 5, // max: 5 // },
Update: yes, enableLayerSuspension: true is essential, it's not clear why it is not enabled by default at all.
Misc
// Require users to always specify a display name. // requireDisplayName: true, // If true, shows the unsafe room name warning label when a room name is // deemed unsafe (due to the simplicity in the name) and a password is not // set or the lobby is not enabled. // enableInsecureRoomNameWarning: false, // Privacy // // If third party requests are disabled, no other server will be contacted. // This means avatars will be locally generated and callstats integration // will not function. // disableThirdPartyRequests: false,
7.3. /usr/share/jitsi-meet/interface_config.js
Override mobile download link to use F-Droid?
/** * Specify custom URL for downloading android mobile app. */ // MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
Might want/need to customize these
JITSI_WATERMARK_LINK: 'https://jitsi.org', POLICY_LOGO: null, PROVIDER_NAME: 'Jitsi', SHOW_POWERED_BY: false, SUPPORT_URL: 'https://community.jitsi.org/', /* probably should point to our support */ TOOLBAR_BUTTONS: [ ... ] /* disable things like video recording that we aren't going to support */ // HIDE_KICK_BUTTON_FOR_GUESTS: false,
7.4. /usr/share/jitsi-meet/logging_config.js
Make sure we don't log more than the bare minimum.
7.5. /etc/jitsi/videobridge/config
VIDEOBRIDGE_MAX_MEMORY is converted to java -Xmx, make sure to tune appropriately for available ram on the server
7.6. /etc/jitsi/jicofo/config
JICOFO_MAX_MEMORY is converted to java -Xmx, make sure to tune appropriately for available ram on the server
8. Add-Ons / Etc
Etherpad integration not sure how complete this is, but could be useful
Packages come with an example apache config /usr/share/jitsi-meet-web-config/jitsi-meet.example-apache. Looks like all directives would work with domtool.
https://blog.windfluechter.net/content/blog/2020/06/19/1759-jitsi-meet-and-ejabberd it appears possible to use ejabberd instead of prosody if we want to integrate this with existing infrastructure
https://jitsi.github.io/handbook/docs/community/breakout-rooms there are several addon components that add break out room support
9. Possible Alternatives
https://github.com/edumeet/edumeet promises better performance by using VP9 instead of VP8 (40% reduced bandwidth). Advantage might be negated soon: Jitsi Meet has VP9 support actively under development.
https://docs.bigbluebutton.org/ according to JackHill BigBlueButton may have more compatibility. It also integrates evernote and other nice things like breakout rooms, useful if we want to target organizations for membership.