nixos/jitsi-meet: init

[mmilata]

Jitsi Meet video conferencing setup following these instructions (similar to the Debian quick install).

The java apps are not built from source but repackaged prebuilt JARs. I'm at my wit's end wrt building them from source so I'd like to ask someone more knowledgeable in maven to help me with this, potentially in another PR. (Edit: got source build mostly working.)

How to test

If you don't mind switching your system to the snapshot of NixOS Unstable this PR is based on, you can simply pass -I nixpkgs=https://github.com/otevrenamesta/nixpkgs/archive/jitsi-meet.tar.gz to nixos-rebuild or nixops.

If you want to only import the module without the rest of the OS, for example on 19.09 install, you can use the module from NUR:

imports = let
  nur-no-pkgs = import (builtins.fetchTarball "https://github.com/nix-community/NUR/archive/master.tar.gz") {};
in [
  nur-no-pkgs.repos.mmilata.modules.jitsi-meet
];

Example configuration:

services.jitsi-meet = {
  enable = true;
  hostName = "meet.example.org";
  videobridge.openFirewall = true;
};

services.nginx.virtualHosts.${config.services.jitsi-meet.hostName} = {
  enableACME = true;
  forceSSL = true;
};

networking.firewall.allowedTCPPorts = [ 80 443 ];

Motivation for this change

#82805

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

[veprbl]

@GrahamcOfBorg test jitsi-meet

[jluttine]

@mmilata Wow, superamazing! Huge thanks! I'll try to test this today or during the weekend at least. Very excited. 🙂

I suppose it's ok to build them from binary deb packages for now, but it'd be good to have "building from source" as todos for these packages?

[mmilata]

@jluttine yeah that would be ideal, I've tried mavenix and mvn2nix and none worked for me, I guess I'd need advice from someone more experienced with Java/Maven. Though there seems to be quite a lot of packages in nixpkgs that just download archive with .jar like this.

Building the webapp through node2nix errors out on some missing webpack plugin, probably has simple solution I missed.

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nixos-nixpkgs-nix-discord-for-voice-communication/5845/40

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/package-services-for-schools-covidsupport/6335/7

[jluttine]

I tested this on localhost and seems to work! I had a successful two people video conference.

Just one minor issue/question, but it could be related to running it under localhost: I cannot access the front page of Jitsi Meet. Whenever I go to my IP on LAN https://192.168.1.123, it just forwards me automatically to some room like https://192.168.1.123/HappyElephantsDanceRemorsefully. Is this on purpose, a bug or just my localhost setup issue?

This is how I configured:

services.jitsi-meet = {
  enable = true;
  hostname = "192.168.1.123";  # my IP on LAN
  videobridge.openFirewall = true;
};
networking.firewall = {
  enable = true;
  allowedTCPPorts = [ 80 443 ];
};

I was expecting a similar front page as in https://meet.jit.si/ or is that just some custom configuration of their site? I might actually prefer this automatic redirection to a new room, but just wondering how it's expected to behave.

[mmilata]

@jluttine it's a feature, you can turn it off with services.jitsi-meet.config.enableWelcomePage = true;

edit: maybe we whould enable the welcome page by default as is in the default config that is currently not included in the package: https://github.com/jitsi/jitsi-meet/blob/master/config.js

[jluttine]

@mmilata Ah, nice! Perhaps that would be a good example in the services.jitsi-meet.config option?

[andir]

Is that a predefined local user that must exist? I am not sure why focus@ is there.

[mmilata]

Indeed, the jicofo service requires an admin user: https://github.com/jitsi/jicofo#manual-prosody-configuration

[mmilata]

Thanks for review guys, pushed version that addresses some comments:

• store secrets in /var/lib/jitsi-meet
• use enableWelcomePage = true in default config, add it to examples
• enableFirewall now uses ports from cfg.videobridge.config
• mkDefault for nginx and prosody configuration

PTAL

Gonna attempt to build jitsi-meet from source again now.

[mmilata]

Force-pushed:

• jitsi-meet (the webapp) is now built (copied) from release tarball (which I stumbled into after fighting node2nix for half a day)

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/package-services-for-schools-covidsupport/6335/1

[omgwtflaserguns]

I would really like to use this as soon this is available.

Is there a way to use it as it is now?

Im a software developer myself so at least i could report back problems i encounter, but i have to say i am a real dummy when it gets to nixos.

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nixcon-2020-status-update/6914/6

[mmilata]

Pushed:

• moved jitsi-videobridge into its own module services.jitsi-videobridge
  • setting services.jitsi-meet.videobridge.enable = true enables this service and configures it to connect to XMPP server on localhost
  • this means the configuration options were renamed, e.g. services.jitsi-meet.videobridge.openFirewall -> service.jitsi-videobridge.openFirewall
• made the videobridge HOCON config generation slightly saner (IMO)
• added options for configuring NAT addresses - service.jitsi-videobridge.nat.publicAddress and service.jitsi-videobridge.nat.localAddress
• jicofo now skips certificate validation instead of fiddling with JKS, should be fine since we're connecting to localhost
• added check for required environment variables to jitsi-meet-init-secrets
• updated to latest stable versions

Feedback appreciated. Hoping to address the other outstanding issues in the near future.

---

@Zhen-hao Sorry, not in this PR.

[flokli]

Can these component names be like in their official documentation?

[mmilata]

They are - conference.${cfg.hostName} and focus.${cfg.hostName} are the same.

The linked document describes connecting videobridge as a XMPP component named jitsi-videobridge.${cfg.hostName}, which is deprecated. It is now recommended to connect the videobridge as a XMPP client that joins the internal.${cfg.hostName} MUC component.

See this part of the official DEB package or their docker, repo.

[mmilata]

Also regarding deprecation: https://github.com/jitsi/jitsi-videobridge/blob/master/doc/muc.md

[flokli]

So manual-install, updated 20 days ago is documenting a deprecated installation method? Huuuh…

[ArdaXi]

@flokli

WARNING: Manual installation is not recommended. We recommend following the quick-install document. The current document describes the steps that are needed to install a working deployment, but steps are easy to mess up, and the debian packages are more up-to-date, where this document is sometimes not updated to reflect latest changes.

Seems to me like the Debian package should be authoritative, and this PR matches what it does.

[mmilata]

Unfortunately the documentation is a bit lacking and needs to be combined with reverse engineering the Debian packages and digging through Jitsi Discourse:(

For example according to https://github.com/jitsi/jitsi-meet/blob/master/doc/scalable-installation.md#jitsi-videobridge2 manual configuration of NAT addresses is no longer needed which I had no idea about.

[mmilata]

Pushed:

• Rebased on top of @NinjaTrappeur's nixos/prosody: make module defaults comply with XEP-0423 #86067 which should make Jitsi Meet work a bit better with Prosody instance shared for other use.
• Split off JiCoFo to a separate module. Even though 99 % of users will want to run it on the same host as Prosody, this has two advantages:
  • Less complexity in jitsi-meet.nix and coupling of the two modules through a defined set of options.
  • jitsi-meet.nix now acts purely as an "integration" module that configures other "service" modules. Should make it easier to integrate them in a different way if one desires.
• Secrets for the "service" modules are now configured using the passwordFile pattern, i.e. you provide a path to file containing the secret. The "integration" module generates these files for you, unless you want to explicitly set videobridge password for connecting multiple videobridges to one Prosody instance. This change does not require any action if you're upgrading from previous version of this PR.
• Self-signed prosody certificate is now generated using openssl instead of prosodyctl cert generate and it is now not needed to regenerate the cert. ACME integration is still on TODO list.
• services.jitsi-meet.extraConfig option was added to allow injecting javascript for bridge selection logic (cc @ArdaXi)

According to https://github.com/jitsi/jitsi-meet/blob/master/doc/scalable-installation.md#jitsi-videobridge2 it should be no longer needed to configure IP addresses when running behind NAT - can someone confirm this please?

[mmilata]

I was also trying to improve the test and it should in theory be possible to test this end-to-end, i.e. including the javascript that runs in browser by means of the enableOCR test option, v4l2loopback kernel module and xdo tool.

The module must be enabled in node configuration:

boot.extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];

Then it's possible to create mock camera that will output static image with text:

modprobe v4l2loopback
convert -border 250 -font DejaVu-Serif -pointsize 50 -extent 640x480 label:'Hello Client1' /tmp/image.png
ffmpeg -loop 1 -re -i /tmp/image.png -f v4l2 -vcodec rawvideo -pix_fmt yuv420p /dev/video0

This is where I got stuck:

• I can't figure out how to import CA certificate into Firefox from the command line (without excessive yak-shaving). This is needed because camera can only be used in secure context i.e. over https.
• Chromium doesn't detect the mock camera.

Any ideas?

[bjornfor]

I think there is a v4l2loopback option that helps with Chromium. Look in v4l2loopback issue tracker or something. (Sorry, on mobile.)

[kolloch]

To whom it may concern: I copied the relevant module/package files from this PR to my nur-packages repo so that you can more easily use this PR without patching your nixpkgs. Like this PR, it depends on prosody changes on nixpkgs-unstable.

There is also a sample config that works with recent updates of this PR.

[The nur-packages repo @mmilata had some problems.]

[rnhmjoj]

Regarding adding a certificate in firefox, I think the only way is to do something like

nix run nixpkgs.nssTools -c certutil -A -n "name" -t "TC,," -d sql:$HOME/.pki/nssdb -i name.pem

Though, it would be good if someone could figure how to point firefox at the system store: it's still an open issue.

[bachp]

Is somebody still working on this?

[mmilata]

@bachp I don't have the motivation to work on this any more, at least not anytime soon. Apologies to everyone. Feel free to reuse expressions from this PR.

IIRC the main thing that is missing is LetsEncrypt support for Prosody<->{jicofo,videobridge} certificates.

Here's OCR-enabled test of video functionality that doesn't work reliably.

[JosephLucas]

Thanks for your work @mmilata, using a modified version of @kolloch nur I made jitsi work fine. I wish that this PR will soon be completed and merged.

[makefu]

Can we have a MVP (with some documentation to get the thing working) and have new features add as Pull Requests?
It would be fantastic to have jitisi as module in nixpkgs!

[ghost]

Thanks to everyone who contributed to this. Some of my friends and I use it since a while for socializing 😄

I have one small improvement request: The nginx config is based off the manual install guide, while the Debian packages contain a completely different nginx config. The Debian config allows for "-" characters in room names, which is required when using the Matrix/Riot integration, because that generates room names with "-" characters. It would be great to change to a nginx config based on the Debian package.

[ghost]

This header is set twice on systems where the recommendedProxySettings are enabled. Not sure if it is a problem, but it might be nicer to either not use the proxyPass attribute, or enable recommendedProxySettings instead of setting it in extraConfig.

[ghost]

I agree with makefu that feature / improvement requests should not keep this module from being included in nixpkgs. I'm generally interested in continuing this PR up to the point where it can be merged as a minimum viable product, but I'm not interested in maintaining the package and module long-term, so if anyone is up to that task feel free to contact me so we can make it work.

[ghost]

FYI: I started a second try with #92468