Merge branch '4-jitsi' into 'master'

Resolve "Investigate adding Jitsi Meet as an extra service"

Closes #4

See merge request cyber5k/mistborn!13

base.yml

@@ -46,8 +46,10 @@ services:
     volumes:
       - production_traefik:/etc/traefik/acme
       - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ../mistborn_volumes/base/tls:/tls
     ports:
       - "0.0.0.0:80:80/tcp"
+      - "0.0.0.0:443:443/tcp"
 
   redis:
     image: redis:5.0

compose/production/traefik/traefik.toml.template

@@ -3,8 +3,8 @@
 logLevel = "ERROR" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
 InsecureSkipVerify = true 
 
-#defaultEntryPoints = ["http", "https"]
+defaultEntryPoints = ["http", "https"]
-defaultEntryPoints = ["http"]
+#defaultEntryPoints = ["http"]
 
 # Entrypoints, http and https
 [entryPoints]
@@ -14,9 +14,12 @@ defaultEntryPoints = ["http"]
     #[entryPoints.http.redirect]
     #entryPoint = "https"
   # https is the default
-  #[entryPoints.https]
+  [entryPoints.https]
-  #address = ":443"
+  address = ":443"
-  #  [entryPoints.https.tls]
+    [entryPoints.https.tls]
+    [entryPoints.https.tls.defaultCertificate]
+      certFile = "/tls/cert.crt"
+      keyFile = "/tls/cert.key"
 
 ## Enable ACME (Let's Encrypt): automatic SSL
 #[acme]
@@ -68,6 +71,10 @@ defaultEntryPoints = ["http"]
     [backends.jellyfin.servers.server1]
       url = "http://jellyfin:8096"
   
+  [backends.jitsi]
+    [backends.jitsi.servers.server1]
+      url = "http://jitsi-web:80"
+  
   [backends.raspap]
     [backends.raspap.servers.server1]
       url = "http://raspap:80"
@@ -150,6 +157,14 @@ defaultEntryPoints = ["http"]
     [frontends.jellyfin.routes.dr1]
       rule = "Host:jellyfin.mistborn"
   
+  [frontends.jitsi]
+    backend = "jitsi"
+    passHostHeader = true
+    [frontends.jitsi.headers]
+      HostsProxyHeaders = ['X-CSRFToken']
+    [frontends.jitsi.routes.dr1]
+      rule = "Host:jitsi.mistborn"
+
   [frontends.raspap]
     backend = "raspap"
     passHostHeader = true

extra/jitsi-meet.yml

@@ -0,0 +1,177 @@
+version: '3'
+
+services:
+    # Frontend
+    jitsi-web:
+        image: jitsi/web
+        #ports:
+            #- '${HTTP_PORT}:80'
+            #- '${HTTPS_PORT}:443'
+        labels:
+            - "traefik.enable=true"
+            - "traefik.port=${HTTP_PORT}"
+        volumes:
+            - ${CONFIG}/web:/config
+            - ${CONFIG}/web/letsencrypt:/etc/letsencrypt
+            - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts
+        env_file:
+            - ../.envs/.production/.jitsi
+        environment:
+            - ENABLE_AUTH
+            - ENABLE_GUESTS
+            - ENABLE_LETSENCRYPT
+            - ENABLE_HTTP_REDIRECT
+            - ENABLE_TRANSCRIPTIONS
+            - DISABLE_HTTPS
+            - JICOFO_AUTH_USER
+            - LETSENCRYPT_DOMAIN
+            - LETSENCRYPT_EMAIL
+            - PUBLIC_URL
+            - XMPP_DOMAIN
+            - XMPP_AUTH_DOMAIN
+            - XMPP_BOSH_URL_BASE
+            - XMPP_GUEST_DOMAIN
+            - XMPP_MUC_DOMAIN
+            - XMPP_RECORDER_DOMAIN
+            - ETHERPAD_URL_BASE
+            - TZ
+            - JIBRI_BREWERY_MUC
+            - JIBRI_PENDING_TIMEOUT
+            - JIBRI_XMPP_USER
+            - JIBRI_XMPP_PASSWORD
+            - JIBRI_RECORDER_USER
+            - JIBRI_RECORDER_PASSWORD
+            - ENABLE_RECORDING
+        networks:
+            default:
+            meet.jitsi:
+                aliases:
+                    - ${XMPP_DOMAIN}
+
+    # XMPP server
+    jitsi-prosody:
+        image: jitsi/prosody
+        expose:
+            - '5222'
+            - '5347'
+            - '5280'
+        volumes:
+            - ${CONFIG}/prosody:/config
+        env_file:
+            - ../.envs/.production/.jitsi
+        environment:
+            - AUTH_TYPE
+            - ENABLE_AUTH
+            - ENABLE_GUESTS
+            - GLOBAL_MODULES
+            - GLOBAL_CONFIG
+            - LDAP_URL
+            - LDAP_BASE
+            - LDAP_BINDDN
+            - LDAP_BINDPW
+            - LDAP_FILTER
+            - LDAP_AUTH_METHOD
+            - LDAP_VERSION
+            - LDAP_USE_TLS
+            - LDAP_TLS_CIPHERS
+            - LDAP_TLS_CHECK_PEER
+            - LDAP_TLS_CACERT_FILE
+            - LDAP_TLS_CACERT_DIR
+            - LDAP_START_TLS
+            - XMPP_DOMAIN
+            - XMPP_AUTH_DOMAIN
+            - XMPP_GUEST_DOMAIN
+            - XMPP_MUC_DOMAIN
+            - XMPP_INTERNAL_MUC_DOMAIN
+            - XMPP_MODULES
+            - XMPP_MUC_MODULES
+            - XMPP_INTERNAL_MUC_MODULES
+            - XMPP_RECORDER_DOMAIN
+            - JICOFO_COMPONENT_SECRET
+            - JICOFO_AUTH_USER
+            - JICOFO_AUTH_PASSWORD
+            - JVB_AUTH_USER
+            - JVB_AUTH_PASSWORD
+            - JIGASI_XMPP_USER
+            - JIGASI_XMPP_PASSWORD
+            - JIBRI_XMPP_USER
+            - JIBRI_XMPP_PASSWORD
+            - JIBRI_RECORDER_USER
+            - JIBRI_RECORDER_PASSWORD
+            - JWT_APP_ID
+            - JWT_APP_SECRET
+            - JWT_ACCEPTED_ISSUERS
+            - JWT_ACCEPTED_AUDIENCES
+            - JWT_ASAP_KEYSERVER
+            - JWT_ALLOW_EMPTY
+            - JWT_AUTH_TYPE
+            - JWT_TOKEN_AUTH_MODULE
+            - LOG_LEVEL
+            - TZ
+        networks:
+            meet.jitsi:
+                aliases:
+                    - ${XMPP_SERVER}
+
+    # Focus component
+    jitsi-jicofo:
+        image: jitsi/jicofo
+        volumes:
+            - ${CONFIG}/jicofo:/config
+        env_file:
+            - ../.envs/.production/.jitsi
+        environment:
+            - ENABLE_AUTH
+            - XMPP_DOMAIN
+            - XMPP_AUTH_DOMAIN
+            - XMPP_INTERNAL_MUC_DOMAIN
+            - XMPP_SERVER
+            - JICOFO_COMPONENT_SECRET
+            - JICOFO_AUTH_USER
+            - JICOFO_AUTH_PASSWORD
+            - JICOFO_RESERVATION_REST_BASE_URL
+            - JVB_BREWERY_MUC
+            - JIGASI_BREWERY_MUC
+            - JIBRI_BREWERY_MUC
+            - JIBRI_PENDING_TIMEOUT
+            - TZ
+        depends_on:
+            - jitsi-prosody
+        networks:
+            meet.jitsi:
+
+    # Video bridge
+    jitsi-jvb:
+        image: jitsi/jvb
+        ports:
+            - '${JVB_PORT}:${JVB_PORT}/udp'
+            - '${JVB_TCP_PORT}:${JVB_TCP_PORT}'
+        volumes:
+            - ${CONFIG}/jvb:/config
+        env_file:
+            - ../.envs/.production/.jitsi
+        environment:
+            - DOCKER_HOST_ADDRESS
+            - XMPP_AUTH_DOMAIN
+            - XMPP_INTERNAL_MUC_DOMAIN
+            - XMPP_SERVER
+            - JVB_AUTH_USER
+            - JVB_AUTH_PASSWORD
+            - JVB_BREWERY_MUC
+            - JVB_PORT
+            - JVB_TCP_HARVESTER_DISABLED
+            - JVB_TCP_PORT
+            - JVB_STUN_SERVERS
+            - JVB_ENABLE_APIS
+            - TZ
+        depends_on:
+            - jitsi-prosody
+        networks:
+            meet.jitsi:
+
+# Custom network so all services can communicate using a FQDN
+networks:
+    default:
+      external:
+        name: mistborn_default
+    meet.jitsi:

scripts/conf/jitsi.env

@@ -0,0 +1,307 @@
+#
+# Basic configuration options
+#
+
+# Directory where all configuration will be stored.
+#CONFIG=~/.jitsi-meet-cfg
+CONFIG=../.envs/.production/.jitsi-cfg
+
+# Exposed HTTP port.
+HTTP_PORT=80
+
+# Exposed HTTPS port.
+HTTPS_PORT=8443
+
+# System time zone.
+TZ=Europe/Amsterdam
+
+# Public URL for the web service.
+#PUBLIC_URL=https://meet.example.com
+
+# IP address of the Docker host. See the "Running on a LAN environment" section
+# in the README.
+DOCKER_HOST_ADDRESS=10.2.3.1
+
+
+#
+# Let's Encrypt configuration
+#
+
+# Enable Let's Encrypt certificate generation.
+#ENABLE_LETSENCRYPT=1
+
+# Domain for which to generate the certificate.
+#LETSENCRYPT_DOMAIN=meet.example.com
+
+# E-Mail for receiving important account notifications (mandatory).
+#LETSENCRYPT_EMAIL=alice@atlanta.net
+
+
+#
+# Etherpad integration (for document sharing)
+#
+
+# Set etherpad-lite URL (uncomment to enable).
+#ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001
+
+
+#
+# Basic Jigasi configuration options (needed for SIP gateway support)
+#
+
+# SIP URI for incoming / outgoing calls.
+#JIGASI_SIP_URI=test@sip2sip.info
+
+# Password for the specified SIP account as a clear text
+#JIGASI_SIP_PASSWORD=passw0rd
+
+# SIP server (use the SIP account domain if in doubt).
+#JIGASI_SIP_SERVER=sip2sip.info
+
+# SIP server port
+#JIGASI_SIP_PORT=5060
+
+# SIP server transport
+#JIGASI_SIP_TRANSPORT=UDP
+
+#
+# Authentication configuration (see README for details)
+#
+
+# Enable authentication.
+#ENABLE_AUTH=1
+
+# Enable guest access.
+#ENABLE_GUESTS=1
+
+# Select authentication type: internal, jwt or ldap
+#AUTH_TYPE=internal
+
+# JWT authentication
+#
+
+# Application identifier.
+#JWT_APP_ID=my_jitsi_app_id
+
+# Application secret known only to your token.
+#JWT_APP_SECRET=my_jitsi_app_secret
+
+# (Optional) Set asap_accepted_issuers as a comma separated list.
+#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client
+
+# (Optional) Set asap_accepted_audiences as a comma separated list.
+#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2
+
+
+# LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page)
+#
+
+# LDAP url for connection.
+#LDAP_URL=ldaps://ldap.domain.com/
+
+# LDAP base DN. Can be empty
+#LDAP_BASE=DC=example,DC=domain,DC=com
+
+# LDAP user DN. Do not specify this parameter for the anonymous bind.
+#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
+
+# LDAP user password. Do not specify this parameter for the anonymous bind.
+#LDAP_BINDPW=LdapUserPassw0rd
+
+# LDAP filter. Tokens example:
+# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail.
+# %s - %s is replaced by the complete service string.
+# %r - %r is replaced by the complete realm string.
+#LDAP_FILTER=(sAMAccountName=%u)
+
+# LDAP authentication method
+#LDAP_AUTH_METHOD=bind
+
+# LDAP version
+#LDAP_VERSION=3
+
+# LDAP TLS using
+#LDAP_USE_TLS=1
+
+# List of SSL/TLS ciphers to allow.
+#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
+
+# Require and verify server certificate
+#LDAP_TLS_CHECK_PEER=1
+
+# Path to CA cert file. Used when server sertificate verify is enabled.
+#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt
+
+# Path to CA certs directory. Used when server sertificate verify is enabled.
+#LDAP_TLS_CACERT_DIR=/etc/ssl/certs
+
+# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps://
+# LDAP_START_TLS=1
+
+
+#
+# Advanced configuration options (you generally don't need to change these)
+#
+
+# Internal XMPP domain.
+XMPP_DOMAIN=meet.jitsi
+
+# Internal XMPP server
+XMPP_SERVER=xmpp.meet.jitsi
+
+# Internal XMPP server URL
+XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280
+
+# Internal XMPP domain for authenticated services.
+XMPP_AUTH_DOMAIN=auth.meet.jitsi
+
+# XMPP domain for the MUC.
+XMPP_MUC_DOMAIN=muc.meet.jitsi
+
+# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools.
+XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi
+
+# XMPP domain for unauthenticated users.
+XMPP_GUEST_DOMAIN=guest.meet.jitsi
+
+# Custom Prosody modules for XMPP_DOMAIN (comma separated)
+XMPP_MODULES=
+
+# Custom Prosody modules for MUC component (comma separated)
+XMPP_MUC_MODULES=
+
+# Custom Prosody modules for internal MUC component (comma separated)
+XMPP_INTERNAL_MUC_MODULES=
+
+# MUC for the JVB pool.
+JVB_BREWERY_MUC=jvbbrewery
+
+# XMPP user for JVB client connections.
+JVB_AUTH_USER=jvb
+
+# XMPP password for JVB client connections.
+JVB_AUTH_PASSWORD=passw0rd
+
+# STUN servers used to discover the server's public IP.
+JVB_STUN_SERVERS=stun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com:19302
+
+# Media port for the Jitsi Videobridge
+JVB_PORT=10000
+
+# TCP Fallback for Jitsi Videobridge for when UDP isn't available
+JVB_TCP_HARVESTER_DISABLED=true
+JVB_TCP_PORT=4443
+
+# A comma separated list of APIs to enable when the JVB is started. The default is none.
+# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information
+#JVB_ENABLE_APIS=rest,colibri
+
+# XMPP component password for Jicofo.
+JICOFO_COMPONENT_SECRET=s3cr37
+
+# XMPP user for Jicofo client connections. NOTE: this option doesn't currently work due to a bug.
+JICOFO_AUTH_USER=focus
+
+# XMPP password for Jicofo client connections.
+JICOFO_AUTH_PASSWORD=passw0rd
+
+# Base URL of Jicofo's reservation REST API
+#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com
+
+# XMPP user for Jigasi MUC client connections.
+JIGASI_XMPP_USER=jigasi
+
+# XMPP password for Jigasi MUC client connections.
+JIGASI_XMPP_PASSWORD=passw0rd
+
+# MUC name for the Jigasi pool.
+JIGASI_BREWERY_MUC=jigasibrewery
+
+# Minimum port for media used by Jigasi.
+JIGASI_PORT_MIN=20000
+
+# Maximum port for media used by Jigasi.
+JIGASI_PORT_MAX=20050
+
+# Enable SDES srtp
+#JIGASI_ENABLE_SDES_SRTP=1
+
+# Keepalive method
+#JIGASI_SIP_KEEP_ALIVE_METHOD=OPTIONS
+
+# Health-check extension
+#JIGASI_HEALTH_CHECK_SIP_URI=keepalive
+
+# Health-check interval
+#JIGASI_HEALTH_CHECK_INTERVAL=300000
+#
+# Enable Jigasi transcription.
+#ENABLE_TRANSCRIPTIONS=1
+
+# Jigasi will recordord an audio when transcriber is on. Default false.
+#JIGASI_TRANSCRIBER_RECORD_AUDIO=true
+
+# Jigasi will send transcribed text to the chat when transcriber is on. Default false.
+#JIGASI_TRANSCRIBER_SEND_TXT=true
+
+# Jigasi post to the chat an url with transcription file. Default false.
+#JIGASI_TRANSCRIBER_ADVERTISE_URL=true
+
+# Credentials for connect to Cloud Google API from Jigasi
+# Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol section "Before you begin" from 1 to 5 paragraph.
+# Copy the values from the json to the related env vars
+#GC_PROJECT_ID=
+#GC_PRIVATE_KEY_ID=
+#GC_PRIVATE_KEY=
+#GC_CLIENT_EMAIL=
+#GC_CLIENT_ID=
+#GC_CLIENT_CERT_URL=
+
+# Enable recording
+#ENABLE_RECORDING=1
+
+# XMPP domain for the jibri recorder
+XMPP_RECORDER_DOMAIN=recorder.meet.jitsi
+
+# XMPP recorder user for Jibri client connections.
+JIBRI_RECORDER_USER=recorder
+
+# XMPP recorder password for Jibri client connections.
+JIBRI_RECORDER_PASSWORD=passw0rd
+
+# Directory for recordings inside Jibri container.
+JIBRI_RECORDING_DIR=/config/recordings
+
+# The finalizing script. Will run after recording is complete.
+JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh
+
+# XMPP user for Jibri client connections.
+JIBRI_XMPP_USER=jibri
+
+# XMPP password for Jibri client connections.
+JIBRI_XMPP_PASSWORD=passw0rd
+
+# MUC name for the Jibri pool.
+JIBRI_BREWERY_MUC=jibribrewery
+
+# MUC connection timeout
+JIBRI_PENDING_TIMEOUT=90
+
+# When jibri gets a request to start a service for a room, the room
+# jid will look like: roomName@optional.prefixes.subdomain.xmpp_domain
+# We'll build the url for the call by transforming that into:
+# https://xmpp_domain/subdomain/roomName
+# So if there are any prefixes in the jid (like jitsi meet, which
+# has its participants join a muc at conference.xmpp_domain) then
+# list that prefix here so it can be stripped out to generate
+# the call url correctly.
+JIBRI_STRIP_DOMAIN_JID=muc
+
+# Directory for logs inside Jibri container.
+JIBRI_LOGS_DIR=/config/logs
+
+# Disable HTTPS. This can be useful if TLS connections are going to be handled outside of this setup.
+DISABLE_HTTPS=1
+
+# Redirects HTTP traffic to HTTPS. Only works with the standard HTTPS port (443).
+#ENABLE_HTTP_REDIRECT=1

scripts/install.sh

@@ -181,6 +181,10 @@ sudo mkdir -p ../mistborn_volumes/extra
 
 # Traefik final setup (cockpit)
 cp ./compose/production/traefik/traefik.toml.template ./compose/production/traefik/traefik.toml
+# setup tls certs 
+source ./scripts/subinstallers/openssl.sh
+sudo rm -rf ../mistborn_volumes/base/tls
+sudo mv ./tls ../mistborn_volumes/base/
 
 # Download docker images while DNS is operable
 sudo docker-compose -f base.yml pull || true

scripts/services/Mistborn-base.service

@@ -16,6 +16,7 @@ ExecStartPre=-/sbin/ip address add 10.2.3.1/30 dev DIFACE
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -A OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/ip6tables -A OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP
@@ -28,6 +29,7 @@ ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml down
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/ip6tables -D OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP

scripts/services/Mistborn-jitsi.service

@@ -0,0 +1,27 @@
+[Unit]
+Description=Mistborn Jitsi Service
+Requires=Mistborn-base.service
+After=Mistborn-base.service
+
+[Service]
+Restart=always
+User=root
+Group=docker
+PermissionsStartOnly=true
+EnvironmentFile=/opt/mistborn/.envs/.production/.jitsi
+
+# Shutdown container (if running) when unit is stopped
+ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
+
+ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
+# Start container when unit is started
+ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build
+# Stop container when unit is stopped
+ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
+# Post stop
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
+
+[Install]
+WantedBy=multi-user.target

scripts/subinstallers/gen_prod_env.sh

@@ -62,3 +62,8 @@ echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE
 BITWARDEN_PROD_FILE="./.envs/.production/.bitwarden"
 echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE
 echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE
+
+# JITSI
+JITSI_PROD_FILE="./.envs/.production/.jitsi"
+cp ./scripts/conf/jitsi.env $JITSI_PROD_FILE
+mkdir -p ./.envs/.production/.jitsi-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}

scripts/subinstallers/iptables.sh

@@ -27,7 +27,7 @@ sudo iptables -X MISTBORN_DOCKER_INPUT 2>/dev/null || true
 
 # iptables: log and drop chain
 sudo iptables -N MISTBORN_LOG_DROP
-sudo iptables -A MISTBORN_LOG_DROP -m limit --limit 2/min -j LOG --log-prefix "[IPTables-Dropped]: " --log-level 4
+sudo iptables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[IPTables-Dropped]: " --log-level 4
 sudo iptables -A MISTBORN_LOG_DROP -j DROP
 
 # wireguard rules chains

scripts/subinstallers/openssl.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+KEY_FOLDER="./tls/"
+CRT_FILE="cert.crt"
+KEY_FILE="cert.key"
+
+CRT_PATH="$KEY_FOLDER/$CRT_FILE"
+KEY_PATH="$KEY_FOLDER/$KEY_FILE"
+
+# ensure openssl installed
+sudo apt-get install -y openssl
+
+# make folder
+mkdir -p $KEY_FOLDER
+
+# generate crt and key
+openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:4096 -keyout $KEY_PATH -out $CRT_PATH -subj "/C=US/ST=New York/L=New York/O=cyber5k/OU=mistborn/CN=*.mistborn/emailAddress=mistborn@localhost"
+
+# set permissions
+chmod 644 $CRT_PATH
+chmod 600 $KEY_PATH