Jibri installation et configuration

2021-04-28 15:43:34 +00:00
parent e13e25b1de
commit 81f81beb10
19 changed files with 533 additions and 34 deletions
@@ -0,0 +1,31 @@
+# extension chrome
+
+cette extension permet de forcer le positionnement de cookie
+
+il faut d'abord forcer l'installation de cette extension voir la documentation
+sur [chromium](http://dev.chromium.org/administrators/policy-list-3#ExtensionInstallForcelist)
+
+
+Puis il faut configurer l'extension via le fichier /etc/chromium/policies/managed/content.json
+pour chromium (ou /etc/opt/chrome/policies/managed/managed_policies.json pour chrome) avec le contenu suivant:
+
+```json
+{
+  "3rdparty": {
+    "extensions": {
+      "gkaeknlffijmeakpmmeigddgjhiidhof": {
+        "forcedCookies": [
+          {
+            "name": "rgpd",
+            "value": "nothing",
+            "domain": "visio.imio.be"
+          }
+        ]
+      }
+    }
+  }
+}
+```
+
+
+voir la documentation [ici](http://dev.chromium.org/administrators/configuring-policy-for-extensions)
@@ -0,0 +1,15 @@
+{
+  "3rdparty": {
+    "extensions": {
+      "gkaeknlffijmeakpmmeigddgjhiidhof": {
+        "forcedCookies": [
+          {
+            "domain": "toto",
+            "name": "toto name",
+            "value": "toto value"
+          }
+        ]
+      }
+    }
+  }
+}
@@ -0,0 +1,18 @@
+{
+  "name": "Force cookie extension",
+  "version": "1.0.0",
+  "description": "Will set cookie for particular domain",
+  "background": {
+    "scripts": ["background.js"],
+    "persistent": false
+  },
+  "storage": {
+    "managed_schema": "schema.json"
+  },
+  "permissions": [
+    "storage",
+    "cookies",
+    "\u003Call_urls\u003E"
+  ],
+  "manifest_version": 2
+}
@@ -0,0 +1,16 @@
+{
+  "type": "object",
+  "properties": {
+    "forcedCookies": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "properties": {
+          "domain": { "type": "string" },
+          "name": { "type": "string" },
+          "value": { "type": "string" }
+        }
+      }
+    }
+  }
+}
@@ -0,0 +1,12 @@
+---
+- name: restart jibri
+  systemd:
+    name: jibri
+    state: restarted
+    enabled: true
+
+- name: restart jibri-xorg
+  systemd:
+    name: jibri-xorg
+    state: restarted
+    enabled: true
@@ -0,0 +1,25 @@
+---
+- block:
+    - name: installation de unzip
+      apt:
+        pkg:
+          - unzip
+    - name: récupération de la version pour chromedriver
+      uri:
+        url: "https://chromedriver.storage.googleapis.com/LATEST_RELEASE"
+        method: GET
+        return_content: true
+        status_code: 200
+      register: _latest_release
+      until: _latest_release.status == 200
+      retries: 5
+    - name: répertoire du binaire pour chromedriver
+      file:
+        state: directory
+        path: /usr/local/bin/
+    - name: "télécharge de chromedriver pour la version {{ _latest_release.content }}"
+      unarchive:
+        src: "http://chromedriver.storage.googleapis.com/{{ _latest_release.content }}/chromedriver_linux64.zip"
+        dest: /usr/local/bin
+        mode: "755"
+        remote_src: true
@@ -0,0 +1,29 @@
+---
+- name: Import de la clé GPG google
+  apt_key:
+    id: 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991
+    url: https://dl-ssl.google.com/linux/linux_signing_key.pub
+    keyring: /etc/apt/trusted.gpg.d/google.gpg
+
+- name: Ajout du depot google
+  apt_repository:
+    repo: deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/google.gpg] http://dl.google.com/linux/chrome/deb/ stable main
+    update_cache: true
+    filename: google-chrome
+
+- name: install google-chrome-stable
+  apt:
+    pkg:
+      - google-chrome-stable
+
+- name: désactive l'avertissement chrome est contrôllé par un autre logiciel
+  block:
+    - name: répertoire policies
+      file:
+        state: directory
+        path: /etc/opt/chrome/policies/managed
+    - name: CommandLineFlagSecurityWarningsEnabled
+      copy:
+        dest: /etc/opt/chrome/policies/managed/managed_policies.json
+        content: |
+          { "CommandLineFlagSecurityWarningsEnabled": false }
@@ -0,0 +1,61 @@
+---
+- name: vérification des variables obligatoire
+  fail:
+    msg: |
+      il faut définir les variables `jibri_user` et
+      `jibri_password`, `jitsi_server_host` pour utiliser ce role
+  when: (jibri_user is not defined) or
+        (jibri_password is not defined) or
+        (jitsi_server_host is not defined)
+
+# source: https://github.com/jitsi/jibri#jitsi-debian-repository
+- name: Import de la clé GPG
+  apt_key:
+    id: FFD65A0DA2BEBDEB73D44C8BB4D2D216F1FD7806
+    url: https://download.jitsi.org/jitsi-key.gpg.key
+    keyring: /etc/apt/trusted.gpg.d/jitsi.gpg
+
+- name: Ajout du depot jitsi
+  apt_repository:
+    repo: deb [signed-by=/etc/apt/trusted.gpg.d/jitsi.gpg] https://download.jitsi.org stable/
+    update_cache: true
+
+- name: install jibri
+  apt:
+    pkg:
+      - jibri
+  notify: restart jibri
+
+- name: configure jibri
+  template:
+    src: ../templates/jibri.conf
+    dest: /etc/jitsi/jibri/jibri.conf
+  notify: restart jibri
+
+- name: configure xorg
+  lineinfile:
+    path: /etc/jitsi/jibri/xorg-video-dummy.conf
+    regexp: "[^?]Virtual "
+    line: "    Virtual 1280 720"
+  notify:
+    - restart jibri
+    - restart jibri-xorg
+
+- name: configure les cookies (fichier)
+  copy:
+    src: ../files/chrome-extension-cookie
+    dest: /opt/
+    mode: '644'
+    directory_mode: '755'
+  when:
+    - jitsi_cookie_enabled is defined
+    - jitsi_cookie_enabled
+
+- name: configure les cookies (template)
+  template:
+    src: ../templates/chrome-extension-background.js.j2
+    dest: /opt/chrome-extension-cookie/background.js
+    mode: '644'
+  when:
+    - jitsi_cookie_enabled is defined
+    - jitsi_cookie_enabled
@@ -0,0 +1,5 @@
+---
+- include_tasks: pre-install.yml
+- include_tasks: install-chromedriver.yml
+- include_tasks: install-googlechrome.yml
+- include_tasks: install-jibri.yml
@@ -0,0 +1,5 @@
+---
+- name: Activation du module snd-aloop
+  modprobe:
+    name: snd-aloop
+    state: present
@@ -0,0 +1,41 @@
+
+chrome.runtime.onInstalled.addListener(function() {
+  chrome.storage.managed.get("forcedCookies", managedItems => {
+    if (!managedItems.hasOwnProperty('forcedCookies')) {
+      return;
+    }
+    for (const item of managedItems.forcedCookies) {
+      chrome.cookies.set({
+        url: `https://${item.domain}/`,
+        domain: item.domain,
+        name: item.name,
+        value: item.value
+      });
+    }
+  })
+
+  // temp hack because loading config from managed policies seems too slow
+  const forcedCookies = [
+    {
+      domain: "{{ jitsi_server_host }}",
+      name: "rgpd",
+      value: "nothing"
+    },
+    {% for host in cookies_dns|default([]) %}
+    {
+      domain: "{{ host }}",
+      name: "rgpd",
+      value: "nothing"
+    },
+    {% endfor %}
+  ];
+  for (const item of forcedCookies) {
+    chrome.cookies.set({
+      url: `https://${item.domain}/`,
+      domain: item.domain,
+      name: item.name,
+      value: item.value
+    });
+  }
+
+});
@@ -0,0 +1,152 @@
+jibri {
+  // A unique identifier for this Jibri
+  // TODO: eventually this will be required with no default
+  id = "{{ inventory_hostname }}"
+  // Whether or not Jibri should return to idle state after handling
+  // (successfully or unsuccessfully) a request.  A value of 'true'
+  // here means that a Jibri will NOT return back to the IDLE state
+  // and will need to be restarted in order to be used again.
+  single-use-mode = false
+  api {
+    http {
+      external-api-port = 2222
+      internal-api-port = 3333
+    }
+    xmpp {
+      // See example_xmpp_envs.conf for an example of what is expected here
+      environments = [
+          {
+            // A user-friendly name for this environment
+            name = "prod env"
+
+            // A list of XMPP server hosts to which we'll connect
+            xmpp-server-hosts = [
+                "{{ jitsi_server_host }}",
+            ]
+
+            // The base XMPP domain
+            xmpp-domain = "{{ jitsi_server_host }}"
+
+            // The MUC we'll join to announce our presence for
+            // recording and streaming services
+            control-muc {
+                domain = "internal.auth.{{ jitsi_server_host }}"
+                room-name = "JibriBrewery"
+                nickname = "{{ inventory_hostname }}-nickname"
+            }
+
+            // The login information for the control MUC
+            control-login {
+                domain = "auth.{{ jitsi_server_host }}"
+                // Optional port, defaults to 5222.
+                // port = 6222
+                username = "{{ jibri_user }}"
+                password = "{{ jibri_password }}"
+            }
+
+            // An (optional) MUC configuration where we'll
+            // join to announce SIP gateway services
+           # sip-control-muc {
+           #     domain = "domain"
+           #     room-name = "room-name"
+           #     nickname = "nickname"
+           # }
+
+            // The login information the selenium web client will use
+            call-login {
+                domain = "recorder.{{ jitsi_server_host }}"
+                username = "{{ jibri_user }}-record"
+                password = "{{ jibri_password }}"
+            }
+
+            // The value we'll strip from the room JID domain to derive
+            // the call URL
+            strip-from-room-domain = "conference."
+
+            // How long Jibri sessions will be allowed to last before
+            // they are stopped.  A value of 0 allows them to go on
+            // indefinitely
+            usage-timeout = 1 hour
+
+            // Whether or not we'll automatically trust any cert on
+            // this XMPP domain
+            trust-all-xmpp-certs = true
+        }
+      ]
+    }
+  }
+  recording {
+    recordings-directory = "/tmp/recordings"
+    # TODO: make this an optional param and remove the default
+    # finalize-script = "/path/to/finalize"
+  }
+  streaming {
+    // A list of regex patterns for allowed RTMP URLs.  The RTMP URL used
+    // when starting a stream must match at least one of the patterns in
+    // this list.
+    rtmp-allow-list = [
+      // By default, all services are allowed
+      ".*"
+    ]
+  }
+  ffmpeg {
+    resolution = "1280x720"
+    // The audio source that will be used to capture audio on Linux
+    audio-source = "alsa"
+    // The audio device that will be used to capture audio on Linux
+    audio-device = "plug:bsnoop"
+  }
+  chrome {
+    // The flags which will be passed to chromium when launching
+    flags = [
+      {% if jitsi_cookie_enabled | default(false) %}
+      "--load-extension=/opt/chrome-extension-cookie",
+      {% endif %}
+      "--use-fake-ui-for-media-stream",
+      "--start-maximized",
+      "--kiosk",
+      "--enabled",
+      "--disable-infobars",
+      "--autoplay-policy=no-user-gesture-required"
+    ]
+  }
+  stats {
+    enable-stats-d = true
+  }
+  webhook {
+    // A list of subscribers interested in receiving webhook events
+    subscribers = []
+  }
+  jwt-info {
+    // The path to a .pem file which will be used to sign JWT tokens used in webhook
+    // requests.  If not set, no JWT will be added to webhook requests.
+    # signing-key-path = "/path/to/key.pem"
+
+    // The kid to use as part of the JWT
+    # kid = "key-id"
+
+    // The issuer of the JWT
+    # issuer = "issuer"
+
+    // The audience of the JWT
+    # audience = "audience"
+
+    // The TTL of each generated JWT.  Can't be less than 10 minutes.
+    # ttl = 1 hour
+  }
+  call-status-checks {
+    // If all clients have their audio and video muted and if Jibri does not
+    // detect any data stream (audio or video) comming in, it will stop
+    // recording after NO_MEDIA_TIMEOUT expires.
+    no-media-timeout = 30 seconds
+
+    // If all clients have their audio and video muted, Jibri consideres this
+    // as an empty call and stops the recording after ALL_MUTED_TIMEOUT expires.
+    all-muted-timeout = 10 minutes
+
+    // When detecting if a call is empty, Jibri takes into consideration for how
+    // long the call has been empty already. If it has been empty for more than
+    // DEFAULT_CALL_EMPTY_TIMEOUT, it will consider it empty and stop the recording.
+    default-call-empty-timeout = 30 seconds
+  }
+}
@@ -0,0 +1,18 @@
+---
+- name: restart prosody
+  systemd:
+    name: prosody
+    state: restarted
+    enabled: true
+
+- name: restart jitsi-videobridge2
+  systemd:
+    name: jitsi-videobridge2
+    state: restarted
+    enabled: true
+
+- name: restart jicofo
+  systemd:
+    name: jicofo
+    state: restarted
+    enabled: true
@@ -0,0 +1,52 @@
+---
+- name: vérification des variables obligatoire
+  fail:
+    msg: |
+      il faut définir la variable `jibri_users`
+      pour utiliser ce role
+  when: jibri_users is not defined
+
+- name: configure prosody
+  blockinfile:
+    path: /etc/prosody/conf.d/{{ inventory_hostname }}.cfg.lua
+    marker: "-- {mark} jibri ANSIBLE MANAGED BLOCK"
+    block: |
+      VirtualHost "recorder.{{ inventory_hostname }}"
+        modules_enabled = {
+          "ping";
+        }
+        authentication = "internal_plain"
+  notify:
+    - restart prosody
+
+- name: utilisateur jibri pour prosody (auth)
+  command: prosodyctl register {{ item.user }} auth.{{ inventory_hostname }} {{ item.password }}
+  loop: "{{ jibri_users }}"
+
+- name: utilisateur jibri pour prosody (recorder)
+  command: prosodyctl register {{ item.user }}-record recorder.{{ inventory_hostname }} {{ item.password }}
+  loop: "{{ jibri_users }}"
+
+- name: authentification jicofo
+  blockinfile:
+    path: /etc/jitsi/jicofo/sip-communicator.properties
+    marker: "# {mark} jibri ANSIBLE MANAGED BLOCK"
+    block: |
+      org.jitsi.jicofo.jibri.BREWERY=JibriBrewery@internal.auth.{{ inventory_hostname }}
+      org.jitsi.jicofo.jibri.PENDING_TIMEOUT=90
+  notify:
+    - restart prosody
+    - restart jitsi-videobridge2
+    - restart jicofo
+
+- name:  livestreaming
+  lineinfile:
+    path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
+    insertafter: "[^?]// liveStreamingEnabled:"
+    line: "liveStreamingEnabled: true,"
+
+- name:  hidden domain
+  lineinfile:
+    path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
+    insertbefore: "[^?]// List of undocumented"
+    line: "hiddenDomain: 'recorder.{{ inventory_hostname}}',"