/ansible-jitsi-meet-role

Install jitsi-meet with nginx and (optionally) certbot on Ubuntu with Ansible

MIT License

jitsi_meet

An Ansible role to install Jitsi Meet.

Introduction

This is an Ansible role that installs Jitsi Meet with nginx as TLS terminating proxy and (optionally) a Let's Encrypt certificate (via certbot) on Ubuntu Bionic (18.04).

Requirements

  • A domain must point to your server in order to use Let's Encrypt
  • Your firewall must allow ports 80/tcp, 443/tcp, 4443/tcp, 10000/udp
    • If your server is behind a NAT, then make sure to forward these ports.

Role Variables

  • apt_mirror: On Ubuntu, universe must be enabled. This variable should indicate your system mirror. Defaults to http://archive.ubuntu.com/ubuntu
  • jitsi_domain: The domain under which Jitsi will be accessible. Must be a domain name if you intend to use Let's Encrypt. Can be an IP otherwise. Defaults to {{ inventory_hostname }}.
  • certbot_enabled: Whether to install certbot and request a certificate for {{ jitsi_domain }}. Defaults to false.
  • certbot_admin_email: Which email address to register for Let's Encrypt. Required if certbot_enabled=true. The email should exist. No default value.
  • jitsi_nat: Whether you're running Jitsi Meet behind a NAT. Defaults to false. If enabled, you must set jitsi_nat_private_ip and jitsi_nat_public_ip.
  • jitsi_nat_public_ip: The public IP of your Jitsi Meet host. Defaults to the IPv4 reported by ipify.
  • jitsi_nat_private_ip: The private IP of your Jitsi Meet host. Defaults to the IPv4 that Ansible considers to be the default for the host.
  • nginx_server_names_hash_bucket_size: The server_names_hash_bucket_size of nginx. Will be declared in the global nginx.conf if nginx_modify_server_names_hash_bucket_size is set to true. Defaults to 64.
  • nginx_modify_server_names_hash_bucket_size: Whether to change the value of server_names_hash_bucket_size in the global nginx.conf file. Defaults to true.

Also look at geerlingguy/ansible-role-certbot/.../defaults/main.yml for further configuration settings that are related to certbot.

Dependencies

Depends on the geerlingguy.certbot Ansible role for the Let's Encrypt / certbot tasks:

ansible-galaxy install geerlingguy.certbot

Quickstart

Install Ansible:

# on macOS with Homebrew
brew install ansible

# on Debian
sudo apt update
sudo apt install software-properties-common
sudo apt-add-repository --yes --update ppa:ansible/ansible
sudo apt install ansible

# or via Python / pip
sudo python3 -m pip install ansible

Set up a new server with Ubuntu 18.04 or get one on Digital Ocean, Vultr, Hetzner Cloud, Cloudscale, Azure, Google Cloud, AWS, ...

Make sure you can log in via your SSH key:

ssh-copy-id ubuntu@my-jitsi-server.com
ssh ubuntu@my-jitsi-server.com

Create an inventory file:

# jitsi.ini
[jitsi]
my-jitsi-server.com jitsi_domain=my-jitsi-server.com certbot_admin_email=admin@my-jitsi-server.com

[jitsi:vars]
ansible_user=ubuntu
# set to `no` if you log in via root
ansible_become=yes
# change to the mirror you already use
apt_mirror=http://archive.ubuntu.com/ubuntu
certbot_enabled=yes
# turn on if your server is behind a NAT
jitsi_nat=no

Create a playbook file:

# jitsi.yml
- hosts: jitsi
  roles:
      - cimnine.jitsi_meet

Install the required dependencies:

ansible-galaxy install cimnine.jitsi_meet
ansible-galaxy install geerlingguy.certbot

Run the playbook file on the inventory:

# if `sudo` on your server does not require a password:
ansible-playbook -i jitsi.ini jitsi.yml

# or if `sudo` on your server requires a password:
ansible-playbook -K -i jitsi.ini jitsi.yml

Configuration

Jitsi Meet can be configured from this Ansible role. To do so, the file /etc/jitsi/meet/{{ jitsi_domain }}-config.js from the upstream package will be replaced by a file managed by this role.

To enable this behaviour, define the variable managed_jitsi_config and set it to yes.

I.e. add the last line of the following example to your jitsi.ini:

# jitsi.ini
[jitsi]
my-jitsi-server.com jitsi_domain=my-jitsi-server.com certbot_admin_email=admin@my-jitsi-server.com
[jitsi:vars]
ansible_user=ubuntu
ansible_become=yes
# change to the mirror you already use
apt_mirror=http://archive.ubuntu.com/ubuntu
certbot_enabled=yes
jitsi_nat=no
# manage your jitsi config through this role
managed_jitsi_config=yes

Then, set all required config variables. The defaults can be found in file defaults/main.yml of the role. All variables must be provided, not just those that you want to override! Pay attention to empty variables such as analytics: {}: due to the way Jitsi works, this has to be an empty object, and cannot be null.

All settings, their values, usage and effect are documented in jitsi-meet config.js.

A minimal example is:

jitsi_config:
  hosts:
    domain: "{{ jitsi_domain }}"
    muc: "conference.{{ jitsi_domain }}"
  bosh: "//{{ jitsi_domain }}/http-bind"
  clientNode: "http://jitsi.org/jitsimeet"
  testing:
    enableFirefoxMulticast: false
    p2pTestMode: false
  desktopSharingChromeExtId: null
  desktopSharingChromeSources: [ 'screen', 'window', 'tab' ]
  desktopSharingChromeMinExtVersion: '0.1'
  channelLastN: -1
  enableWelcomePage: true
  enableUserRolesBasedOnToken: false
  p2p:
    enabled: true
    stunServers:
      - urls: 'stun:stun.l.google.com:19302'
      - urls: 'stun:stun1.l.google.com:19302'
      - urls: 'stun:stun2.l.google.com:19302'
    preferH264: true
  analytics: {}
  deploymentInfo: {}
  localRecording: {}
  e2eping: {}
  deploymentUrls: {}

NOTE: The requirements of config.js may change at any moment when updating jitsi-meet; upstream is not very communicative about this. Check the CHANGELOG and announcements of the Jitsi Meet project for newly required values before you update.

NOTE: The structure is case-sensitive and follows the exact variable names in config.js. So, for example, webrtcIceUdpDisable is very different from WebRTCIceUDPDisable. Jitsi is inconsistent in its naming of variables (e.g. it mixes URL and Url at random), so pay attention to the exact name.
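
The three mistakes the notes above warn about (a key left out, a key written in the wrong case, an object set to null) can be caught before the playbook runs. The following check is an added example, not part of the role: check_config, REFERENCE and BROKEN are hypothetical names, and REFERENCE is built from the minimal example above as an assumption, while the authoritative key list is defaults/main.yml of the role.

```python
# Added example (not part of the role). REFERENCE mirrors the README's minimal
# jitsi_config; the authoritative key list is the role's defaults/main.yml.
REFERENCE = {
    "hosts": {"domain": "", "muc": ""},
    "bosh": "",
    "clientNode": "",
    "testing": {"enableFirefoxMulticast": False, "p2pTestMode": False},
    "desktopSharingChromeExtId": None,  # null is allowed for this key
    "desktopSharingChromeSources": [],
    "desktopSharingChromeMinExtVersion": "",
    "channelLastN": -1,
    "enableWelcomePage": True,
    "enableUserRolesBasedOnToken": False,
    "p2p": {"enabled": True, "stunServers": [], "preferH264": True},
    "analytics": {}, "deploymentInfo": {}, "localRecording": {},
    "e2eping": {}, "deploymentUrls": {},
}


def check_config(cfg, ref=REFERENCE, path=""):
    """Return a list of problems: missing keys, wrong-case keys, null objects."""
    problems = []
    by_lower = {k.lower(): k for k in cfg}
    for key, ref_val in ref.items():
        where = path + key
        if key not in cfg:
            alias = by_lower.get(key.lower())
            if alias is None:
                problems.append(f"{where}: missing")
            else:
                problems.append(f"{where}: wrong case, found '{alias}'")
        elif isinstance(ref_val, dict):
            # Object-valued settings must stay objects, even when empty.
            if isinstance(cfg[key], dict):
                problems.extend(check_config(cfg[key], ref_val, where + "."))
            else:
                problems.append(f"{where}: must be an object, got {cfg[key]!r}")
    return problems


# Constructed sample with three mistakes the README warns about.
BROKEN = {k: v for k, v in REFERENCE.items() if k != "channelLastN"}
BROKEN["analytics"] = None  # null instead of {}
BROKEN["enablewelcomepage"] = BROKEN.pop("enableWelcomePage")  # wrong case

if __name__ == "__main__":
    for problem in check_config(BROKEN):
        print(problem)
```

Pass the jitsi_config mapping from your own vars, loaded into a dict, to check_config and fix every reported line before running the playbook.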

Uninstall

The following commands help you remove the installation. They might not completely remove every file, but it's enough to start again should you have messed something up.

systemctl stop jitsi-videobridge
systemctl disable jitsi-videobridge
apt-get purge -y jigasi jitsi-meet jitsi-meet-web-config jitsi-meet-prosody jitsi-meet-web jicofo jitsi-videobridge

systemctl stop nginx
systemctl disable nginx
apt-get purge -y nginx nginx-common nginx-full

apt purge certbot

rm -rf /etc/jitsi /etc/nginx /etc/letsencrypt

crontab -e -u root

reboot

License

MIT