nixos/jitsi-meet: init #82920

Closed
wants to merge 6 commits into from

@mmilata
Member

mmilata commented Mar 19, 2020

Jitsi Meet video conferencing setup following these instructions (similar to the Debian quick install).

The java apps are not built from source but repackaged prebuilt JARs. I'm at my wit's end wrt building them from source so I'd like to ask someone more knowledgeable in maven to help me with this, potentially in another PR. (Edit: got source build mostly working.)

How to test

If you don't mind switching your system to the snapshot of NixOS Unstable this PR is based on, you can simply pass -I nixpkgs=https://github.com/otevrenamesta/nixpkgs/archive/jitsi-meet.tar.gz to nixos-rebuild or nixops.

If you want to only import the module without the rest of the OS, for example on 19.09 install, you can use the module from NUR:

imports = let
  nur-no-pkgs = import (builtins.fetchTarball "https://github.com/nix-community/NUR/archive/master.tar.gz") {};
in [
  nur-no-pkgs.repos.mmilata.modules.jitsi-meet
];

Example configuration:

services.jitsi-meet = {
  enable = true;
  hostName = "meet.example.org";
  videobridge.openFirewall = true;
};

services.nginx.virtualHosts.${config.services.jitsi-meet.hostName} = {
  enableACME = true;
  forceSSL = true;
};

networking.firewall.allowedTCPPorts = [ 80 443 ];

Motivation for this change

#82805

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
@veprbl
Member

veprbl commented Mar 19, 2020

@GrahamcOfBorg test jitsi-meet

@jluttine
Member

jluttine commented Mar 19, 2020

@mmilata Wow, superamazing! Huge thanks! I'll try to test this today or during the weekend at least. Very excited. 🙂

I suppose it's ok to build them from binary deb packages for now, but it'd be good to have "building from source" as todos for these packages?

@mmilata
Member Author

mmilata commented Mar 19, 2020

@jluttine yeah that would be ideal, I've tried mavenix and mvn2nix and none worked for me, I guess I'd need advice from someone more experienced with Java/Maven. Though there seems to be quite a lot of packages in nixpkgs that just download archive with .jar like this.

Building the webapp through node2nix errors out on some missing webpack plugin, probably has simple solution I missed.

@nixos-discourse

nixos-discourse commented Mar 19, 2020

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nixos-nixpkgs-nix-discord-for-voice-communication/5845/40

@mmilata mmilata force-pushed the otevrenamesta:jitsi-meet branch from c7743d3 to 56a1f8b Mar 19, 2020
@mmilata mmilata marked this pull request as ready for review Mar 19, 2020
@mmilata mmilata requested a review from Infinisil as a code owner Mar 19, 2020
@mmilata mmilata force-pushed the otevrenamesta:jitsi-meet branch from 56a1f8b to 3a3bc4e Mar 19, 2020
@mmilata mmilata force-pushed the otevrenamesta:jitsi-meet branch from 3a3bc4e to 2fadf86 Mar 19, 2020
@nixos-discourse

nixos-discourse commented Mar 20, 2020

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/package-services-for-schools-covidsupport/6335/7

@jluttine
Member

jluttine commented Mar 21, 2020

I tested this on localhost and seems to work! I had a successful two people video conference.

Just one minor issue/question, but it could be related to running it under localhost: I cannot access the front page of Jitsi Meet. Whenever I go to my IP on LAN https://192.168.1.123, it just forwards me automatically to some room like https://192.168.1.123/HappyElephantsDanceRemorsefully. Is this on purpose, a bug or just my localhost setup issue?

This is how I configured:

services.jitsi-meet = {
  enable = true;
  hostname = "192.168.1.123";  # my IP on LAN
  videobridge.openFirewall = true;
};
networking.firewall = {
  enable = true;
  allowedTCPPorts = [ 80 443 ];
};

I was expecting a similar front page as in https://meet.jit.si/ or is that just some custom configuration of their site? I might actually prefer this automatic redirection to a new room, but just wondering how it's expected to behave.

@mmilata
Member Author

mmilata commented Mar 21, 2020

@jluttine it's a feature, you can turn it off with services.jitsi-meet.config.enableWelcomePage = true;

edit: maybe we should enable the welcome page by default as is in the default config that is currently not included in the package: https://github.com/jitsi/jitsi-meet/blob/master/config.js

@jluttine
Member

jluttine commented Mar 21, 2020

@mmilata Ah, nice! Perhaps that would be a good example in the services.jitsi-meet.config option?

nixos/modules/services/networking/jitsi-meet.nix (outdated)
extraConfig = ''
authentication = "anonymous"
c2s_require_encryption = false
admins = { "focus@auth.${cfg.hostname}" }
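
Review bot: `c2s_require_encryption = false` sits directly next to `authentication = "anonymous"` with no comment saying why client-to-server encryption is switched off or which connections it is meant to cover, so a reader cannot tell whether unencrypted anonymous logins are intended for localhost only. Add a comment above these two lines stating the reason, and consider exposing the setting through a module option so it can be tightened without overriding the whole extraConfig.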

@andir

andir Mar 21, 2020 Member

Is that a predefined local user that must exist? I am not sure why focus@ is there.

@mmilata

mmilata Mar 22, 2020 Author Member

Indeed, the jicofo service requires an admin user: https://github.com/jitsi/jicofo#manual-prosody-configuration

@mmilata mmilata force-pushed the otevrenamesta:jitsi-meet branch from 2fadf86 to 9d515da Mar 22, 2020
@mmilata
Member Author

mmilata commented Mar 22, 2020

Thanks for review guys, pushed version that addresses some comments:

  • store secrets in /var/lib/jitsi-meet
  • use enableWelcomePage = true in default config, add it to examples
  • enableFirewall now uses ports from cfg.videobridge.config
  • mkDefault for nginx and prosody configuration

PTAL

Gonna attempt to build jitsi-meet from source again now.

@mmilata mmilata force-pushed the otevrenamesta:jitsi-meet branch 2 times, most recently from 4932002 to 124d159 Mar 22, 2020
@mmilata
Member Author

mmilata commented Mar 22, 2020

Force-pushed:

  • jitsi-meet (the webapp) is now built (copied) from release tarball (which I stumbled into after fighting node2nix for half a day)
@nixos-discourse

nixos-discourse commented Mar 24, 2020

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/package-services-for-schools-covidsupport/6335/1

@omgwtflaserguns

omgwtflaserguns commented Mar 27, 2020

I would really like to use this as soon as this is available.

Is there a way to use it as it is now?

I'm a software developer myself, so at least I could report back problems I encounter, but I have to say I am a real dummy when it comes to NixOS.

@bachp
bachp approved these changes Apr 27, 2020
@nixos-discourse

nixos-discourse commented Apr 28, 2020

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nixcon-2020-status-update/6914/6

@mmilata mmilata force-pushed the otevrenamesta:jitsi-meet branch from 7e2020e to b16c30d Apr 29, 2020
@mmilata
Member Author

mmilata commented Apr 29, 2020

Pushed:

  • moved jitsi-videobridge into its own module services.jitsi-videobridge
    • setting services.jitsi-meet.videobridge.enable = true enables this service and configures it to connect to XMPP server on localhost
    • this means the configuration options were renamed, e.g. services.jitsi-meet.videobridge.openFirewall -> service.jitsi-videobridge.openFirewall
  • made the videobridge HOCON config generation slightly saner (IMO)
  • added options for configuring NAT addresses - service.jitsi-videobridge.nat.publicAddress and service.jitsi-videobridge.nat.localAddress
  • jicofo now skips certificate validation instead of fiddling with JKS, should be fine since we're connecting to localhost
  • added check for required environment variables to jitsi-meet-init-secrets
  • updated to latest stable versions

Feedback appreciated. Hoping to address the other outstanding issues in the near future.


@Zhen-hao Sorry, not in this PR.

extraConfig = ''
certificates = "${config.services.prosody.dataDir}"
Component "conference.${cfg.hostName}" "muc"

@flokli

flokli Apr 30, 2020 Contributor

Can these component names be like in their official documentation?

@mmilata

mmilata Apr 30, 2020 Author Member

They are - conference.${cfg.hostName} and focus.${cfg.hostName} are the same.

The linked document describes connecting videobridge as an XMPP component named jitsi-videobridge.${cfg.hostName}, which is deprecated. It is now recommended to connect the videobridge as an XMPP client that joins the internal.${cfg.hostName} MUC component.

See this part of the official DEB package or their docker, repo.

@flokli

flokli Apr 30, 2020 Contributor

So manual-install, updated 20 days ago is documenting a deprecated installation method? Huuuh…

@ArdaXi

ArdaXi Apr 30, 2020 Contributor

@flokli

WARNING: Manual installation is not recommended. We recommend following the quick-install document. The current document describes the steps that are needed to install a working deployment, but steps are easy to mess up, and the debian packages are more up-to-date, where this document is sometimes not updated to reflect latest changes.

Seems to me like the Debian package should be authoritative, and this PR matches what it does.

@mmilata

mmilata Apr 30, 2020 Author Member

Unfortunately the documentation is a bit lacking and needs to be combined with reverse engineering the Debian packages and digging through Jitsi Discourse :(

For example according to https://github.com/jitsi/jitsi-meet/blob/master/doc/scalable-installation.md#jitsi-videobridge2 manual configuration of NAT addresses is no longer needed which I had no idea about.

@mmilata mmilata mentioned this pull request May 3, 2020
4 of 10 tasks complete
@mmilata mmilata force-pushed the otevrenamesta:jitsi-meet branch from b16c30d to 7e4960a May 4, 2020
@mmilata
Member Author

mmilata commented May 4, 2020

Pushed:

  • Rebased on top of @NinjaTrappeur's #86067 which should make Jitsi Meet work a bit better with Prosody instance shared for other use.
  • Split off JiCoFo to a separate module. Even though 99 % of users will want to run it on the same host as Prosody, this has two advantages:
    • Less complexity in jitsi-meet.nix and coupling of the two modules through a defined set of options.
    • jitsi-meet.nix now acts purely as an "integration" module that configures other "service" modules. Should make it easier to integrate them in a different way if one desires.
  • Secrets for the "service" modules are now configured using the passwordFile pattern, i.e. you provide a path to file containing the secret. The "integration" module generates these files for you, unless you want to explicitly set videobridge password for connecting multiple videobridges to one Prosody instance. This change does not require any action if you're upgrading from previous version of this PR.
  • Self-signed prosody certificate is now generated using openssl instead of prosodyctl cert generate and it is now not needed to regenerate the cert. ACME integration is still on TODO list.
  • services.jitsi-meet.extraConfig option was added to allow injecting javascript for bridge selection logic (cc @ArdaXi)

According to https://github.com/jitsi/jitsi-meet/blob/master/doc/scalable-installation.md#jitsi-videobridge2 it should be no longer needed to configure IP addresses when running behind NAT - can someone confirm this please?
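
The passwordFile pattern and one-time secret generation described in the comment above, together with the required-variable check mentioned for jitsi-meet-init-secrets in the Apr 29 update, shown as an added example that is not code from this PR. SECRETS_DIR, the function names and the secret name are assumptions.

```shell
#!/bin/sh
# Added example, not code from this PR. SECRETS_DIR, the function names and
# the secret name "videobridge" are assumptions made for illustration.

# Fail early when a required variable is unset or empty.
require_env() {
    for name in "$@"; do
        eval "val=\${$name:-}"
        if [ -z "$val" ]; then
            echo "missing required environment variable: $name" >&2
            return 1
        fi
    done
}

# Create $SECRETS_DIR/<name> once with 32 random bytes, hex-encoded.
# umask 077 makes the file 0600 from the moment it exists, and a non-empty
# file is kept so that a service restart does not rotate the secret.
init_secret() {
    require_env SECRETS_DIR || return 1
    file="$SECRETS_DIR/$1"
    [ -s "$file" ] && return 0
    (
        umask 077 &&
        mkdir -p "$SECRETS_DIR" &&
        od -An -N32 -tx1 /dev/urandom | tr -d ' \n' > "$file.tmp.$$" &&
        mv "$file.tmp.$$" "$file"
    )
}

# Permission string of a path as ls prints it, e.g. -rw-------
secret_mode() {
    ls -ld "$1" | cut -c1-10
}
```

A service configured with the resulting path reads the secret at start-up, so the value itself never has to be written into the Nix configuration.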

@mmilata
Member Author

mmilata commented May 4, 2020

I was also trying to improve the test and it should in theory be possible to test this end-to-end, i.e. including the javascript that runs in browser by means of the enableOCR test option, v4l2loopback kernel module and xdo tool.

The module must be enabled in node configuration:

boot.extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];

Then it's possible to create mock camera that will output static image with text:

modprobe v4l2loopback
convert -border 250 -font DejaVu-Serif -pointsize 50 -extent 640x480 label:'Hello Client1' /tmp/image.png
ffmpeg -loop 1 -re -i /tmp/image.png -f v4l2 -vcodec rawvideo -pix_fmt yuv420p /dev/video0

This is where I got stuck:

  • I can't figure out how to import CA certificate into Firefox from the command line (without excessive yak-shaving). This is needed because camera can only be used in secure context i.e. over https.
  • Chromium doesn't detect the mock camera.

Any ideas?

@bjornfor
Contributor

bjornfor commented May 4, 2020

I think there is a v4l2loopback option that helps with Chromium. Look in v4l2loopback issue tracker or something. (Sorry, on mobile.)

@mmilata mmilata force-pushed the otevrenamesta:jitsi-meet branch from 7e4960a to 9657c27 May 11, 2020
@kolloch
Contributor

kolloch commented May 17, 2020

To whom it may concern: I copied the relevant module/package files from this PR to my nur-packages repo so that you can more easily use this PR without patching your nixpkgs. Like this PR, it depends on prosody changes on nixpkgs-unstable.

There is also a sample config that works with recent updates of this PR.

[The nur-packages repo @mmilata had some problems.]

@rnhmjoj
Contributor

rnhmjoj commented May 17, 2020

Regarding adding a certificate in firefox, I think the only way is to do something like

nix run nixpkgs.nssTools -c certutil -A -n "name" -t "TC,," -d sql:$HOME/.pki/nssdb -i name.pem

Though, it would be good if someone could figure out how to point firefox at the system store: it's still an open issue.

@bachp
Member

bachp commented Jun 14, 2020

Is somebody still working on this?

@mmilata mmilata force-pushed the otevrenamesta:jitsi-meet branch from 9657c27 to 8e8a3d7 Jun 14, 2020
@mmilata
Member Author

mmilata commented Jun 14, 2020

@bachp I don't have the motivation to work on this any more, at least not anytime soon. Apologies to everyone. Feel free to reuse expressions from this PR.

IIRC the main thing that is missing is LetsEncrypt support for Prosody<->{jicofo,videobridge} certificates.

Here's OCR-enabled test of video functionality that doesn't work reliably.

@JosephLucas

JosephLucas commented Jun 15, 2020

Thanks for your work @mmilata, using a modified version of @kolloch nur I made jitsi work fine. I wish that this PR will soon be completed and merged.

@makefu
Contributor

makefu commented Jun 15, 2020

Can we have an MVP (with some documentation to get the thing working) and have new features added as Pull Requests?
It would be fantastic to have jitsi as a module in nixpkgs!

@petabyteboy
Member

petabyteboy commented Jul 1, 2020

Thanks to everyone who contributed to this. Some of my friends and I have been using it for a while for socializing 😄

I have one small improvement request: The nginx config is based off the manual install guide, while the Debian packages contain a completely different nginx config. The Debian config allows for "-" characters in room names, which is required when using the Matrix/Riot integration, because that generates room names with "-" characters. It would be great to change to a nginx config based on the Debian package.

locations."/http-bind" = {
proxyPass = "http://localhost:5280/http-bind";
extraConfig = ''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

@petabyteboy

petabyteboy Jul 1, 2020 Member

This header is set twice on systems where the recommendedProxySettings are enabled. Not sure if it is a problem, but it might be nicer to either not use the proxyPass attribute, or enable recommendedProxySettings instead of setting it in extraConfig.

@petabyteboy
Member

petabyteboy commented Jul 1, 2020

I agree with makefu that feature / improvement requests should not keep this module from being included in nixpkgs. I'm generally interested in continuing this PR up to the point where it can be merged as a minimum viable product, but I'm not interested in maintaining the package and module long-term, so if anyone is up to that task feel free to contact me so we can make it work.

@mmilata mmilata closed this Jul 2, 2020
@petabyteboy
Member

petabyteboy commented Jul 6, 2020

FYI: I started a second try with #92468
