An Ansible role to install Jitsi Meet.
This is an Ansible role that installs Jitsi Meet with nginx as TLS terminating proxy and (optionally) a Let's Encrypt certificate (via certbot) on Ubuntu Bionic (18.04).
- A domain must point to your server in order to use Let's Encrypt
- Your firewall must allow ports 80/tcp, 443/tcp, 4443/tcp, 10000/udp
- If your server is behind a NAT, then make sure to forward these ports.
- `apt_mirror`: On Ubuntu, universe must be enabled. This variable should indicate your system mirror. Defaults to `http://archive.ubuntu.com/ubuntu`.
- `jitsi_domain`: Under which domain will Jitsi be accessible. Must be a domain name if you intend to use Let's Encrypt. Can be an IP otherwise. Defaults to `{{ inventory_hostname }}`.
- `certbot_enabled`: Whether to install certbot and request a certificate for `{{ jitsi_domain }}`. Defaults to `false`.
- `certbot_admin_email`: Which email address to register for Let's Encrypt. Required if `certbot_enabled=true`. The email should exist. No default value.
- `jitsi_nat`: Whether you're running jitsi meet behind a NAT. Defaults to `false`. If enabled, you must set `jitsi_nat_local_ip` and `jitsi_nat_public_ip`.
- `jitsi_nat_public_ip`: The public IP of your jitsi meet host. Defaults to the IPv4 reported by ipify.
- `jitsi_nat_private_ip`: The private IP of your jitsi meet host. Defaults to the IPv4 that Ansible considers to be the default for the host.
- `nginx_server_names_hash_bucket_size`: The `server_names_hash_bucket_size` of nginx. Will be declared in the global `nginx.conf` if `nginx_modify_server_names_hash_bucket_size` is set to `true`. Defaults to `64`.
- `nginx_modify_server_names_hash_bucket_size`: Whether to change the value of `server_names_hash_bucket_size` in the global `nginx.conf` file. Defaults to `true`.
Also look at geerlingguy/ansible-role-certbot/.../defaults/main.yml for further configuration settings that are related to certbot.
Depends on the `geerlingguy.certbot` Ansible role for the Let's Encrypt / certbot tasks:

```sh
ansible-galaxy install geerlingguy.certbot
```
```sh
# on macOS with Homebrew
brew install ansible

# on Debian
sudo apt update
sudo apt install software-properties-common
sudo apt-add-repository --yes --update ppa:ansible/ansible
sudo apt install ansible

# or via Python / pip
sudo python3 -m pip install ansible
```
Set up a new server with Ubuntu 18.04 or get one on Digital Ocean, Vultr, Hetzner Cloud, Cloudscale, Azure, Google Cloud, AWS, ...
Make sure you can log in via your SSH key:

```sh
ssh-copy-id ubuntu@my-jitsi-server.com
ssh ubuntu@my-jitsi-server.com
```
Create an inventory file:
```ini
# jitsi.ini
[jitsi]
my-jitsi-server.com jitsi_domain=my-jitsi-server.com certbot_admin_email=admin@my-jitsi-server.com

[jitsi:vars]
ansible_user=ubuntu
ansible_become=yes # set to `no` if you log in via root
apt_mirror=http://archive.ubuntu.com/ubuntu # change to the mirror you already use
certbot_enabled=yes
jitsi_nat=no # turn on if your server is behind a NAT.
```
Create a playbook file:
```yaml
# jitsi.yml
- hosts: jitsi
  roles:
    - cimnine.jitsi_meet
```
Install the required dependencies:
```sh
ansible-galaxy install cimnine.jitsi_meet
ansible-galaxy install geerlingguy.certbot
```
Run the playbook file on the inventory:
```sh
# if `sudo` on your server does not require a password:
ansible-playbook -i jitsi.ini jitsi.yml

# or if `sudo` on your server requires a password:
ansible-playbook -K -i jitsi.ini jitsi.yml
```
Jitsi Meet can be configured from this Ansible role. To do so, the file `/etc/jitsi/meet/{{ jitsi_domain }}-config.js` from the upstream package will be replaced by a file managed by this role.
To enable this behaviour, define the variable `managed_jitsi_config` and set it to `yes`.
I.e. add the last line of the following example to your `jitsi.ini`:
```ini
# jitsi.ini
[jitsi]
my-jitsi-server.com jitsi_domain=my-jitsi-server.com certbot_admin_email=admin@my-jitsi-server.com

[jitsi:vars]
ansible_user=ubuntu
ansible_become=yes
apt_mirror=http://archive.ubuntu.com/ubuntu # change to the mirror you already use
certbot_enabled=yes
jitsi_nat=no
managed_jitsi_config=yes # manage your jitsi config through this role
```
Then, set all required config variables. The defaults can be found in the file `defaults/main.yml` of the role. All variables must be provided, not just those that you want to override! Pay attention to empty variables such as `analytics: {}`: due to the way Jitsi works, this has to be an empty object, and cannot be null.
All settings, their values, usage and effect are documented in jitsi-meet config.js.
A minimal example is:
```yaml
jitsi_config:
  hosts:
    domain: "{{ jitsi_domain }}"
    muc: "conference.{{ jitsi_domain }}"
  bosh: "//{{ jitsi_domain }}/http-bind"
  clientNode: "http://jitsi.org/jitsimeet"
  testing:
    enableFirefoxMulticast: false
    p2pTestMode: false
  desktopSharingChromeExtId: null
  desktopSharingChromeSources: [ 'screen', 'window', 'tab' ]
  desktopSharingChromeMinExtVersion: '0.1'
  channelLastN: -1
  enableWelcomePage: true
  enableUserRolesBasedOnToken: false
  p2p:
    enabled: true
    stunServers:
      - urls: 'stun:stun.l.google.com:19302'
      - urls: 'stun:stun1.l.google.com:19302'
      - urls: 'stun:stun2.l.google.com:19302'
    preferH264: true
  analytics: {}
  deploymentInfo: {}
  localRecording: {}
  e2eping: {}
  deploymentUrls: {}
```
NOTE:
The requirements of `config.js` may change at any moment when updating jitsi-meet; upstream is not very communicative about this.
Check with any CHANGELOG and announcements of the Jitsi Meet project about newly required values before you update.
NOTE:
The structure is case-sensitive and follows the exact variable settings in `config.js`.
So, for example, `webrtcIceUdpDisable` is very different to `WebRTCIceUDPDisable`.
Jitsi is inconsistent in its naming of variables (e.g. it mixes `URL` and `Url` at random), so pay attention to the exact name.
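
A pre-flight check for the pitfalls described above (a missing key, `null` where an empty object is required, a mis-cased key), as an added example that is not part of this role. `check_jitsi_config`, `REFERENCE` and `BROKEN` are hypothetical names, and `REFERENCE` stands in for the role's `defaults/main.yml` loaded into a dict:

```python
def check_jitsi_config(config, reference, path=""):
    """Return sorted findings for `config` measured against `reference`."""
    findings = []
    by_lower = {key.lower(): key for key in config}
    for key, ref_value in reference.items():
        where = path + key
        if key not in config:
            lookalike = by_lower.get(key.lower())
            if lookalike is None:
                findings.append(f"missing: {where}")
            else:
                findings.append(f"wrong-case: {path}{lookalike} should be {where}")
            continue
        value = config[key]
        if isinstance(ref_value, dict):
            # The reference holds an object here, so null is not acceptable.
            if value is None:
                findings.append(f"null-object: {where} must be {{}}, not null")
            elif not isinstance(value, dict):
                findings.append(f"not-a-mapping: {where}")
            else:
                findings.extend(check_jitsi_config(value, ref_value, where + "."))
    return sorted(findings)

# Constructed reference: a subset of the keys from the minimal example.
REFERENCE = {
    "hosts": {"domain": "meet.example.org", "muc": "conference.meet.example.org"},
    "bosh": "//meet.example.org/http-bind",
    "desktopSharingChromeExtId": None,  # a null scalar is fine
    "p2p": {"enabled": True, "preferH264": True},
    "analytics": {},
    "deploymentUrls": {},
}

# Constructed config containing the mistakes the notes warn about.
BROKEN = {
    "hosts": {"domain": "meet.example.org"},        # muc is missing
    "bosh": "//meet.example.org/http-bind",
    "desktopSharingChromeExtId": None,
    "p2p": {"enabled": True, "preferh264": True},   # wrong case
    "analytics": None,                              # null instead of {}
    "deploymentURLs": {},                           # URL vs Url
}

if __name__ == "__main__":
    for finding in check_jitsi_config(BROKEN, REFERENCE):
        print(finding)
```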
The following commands help you to remove the installation. They might not completely remove every file, but it's enough to start again should you have messed something up.
```sh
systemctl stop jitsi-videobridge
systemctl disable jitsi-videobridge
apt-get purge -y jigasi jitsi-meet jitsi-meet-web-config jitsi-meet-prosody jitsi-meet-web jicofo jitsi-videobridge
systemctl stop nginx
systemctl disable nginx
apt-get purge -y nginx nginx-common nginx-full
apt purge certbot
rm -rf /etc/jitsi /etc/nginx /etc/letsencrypt
crontab -e -u root
reboot
```
MIT