Merge pull request #41 from pachadotdev/master

jitsi fixes

jitsi-20-04/files/etc/update-motd.d/99-one-click

@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Configured as part of the DigitalOcean 1-Click Image build process
+
+myip=$(hostname -I | awk '{print$1}')
+cat <<EOF
+********************************************************************************
+
+Please read the instructions at
+https://github.com/digitalocean/droplet-1-clicks/tree/master/jitsi-20-04
+
+I you want to use this image, you agree to the Apache License.
+See https://github.com/jitsi/jitsi/blob/master/LICENSE.
+
+Type 'bash complete-jitsi-setup.sh' to complete Jitsi setup if and only if you
+agree to the Jitsi License.
+
+********************************************************************************
+To delete this message of the day: rm -rf $(readlink -f ${0})
+EOF

jitsi-20-04/files/root/complete-jitsi-setup.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Scripts in this directory will be executed by cloud-init on the first boot of droplets
+# created from your image.  Things like generating passwords, configuration requiring IP address
+# or other items that will be unique to each instance should be done in scripts here.
+
+printf "\n-------------------------\nUpdating the system\n-------------------------\n"
+
+apt-get update
+apt-get upgrade
+
+printf "\n-------------------------\nConfiguring Jitsi for your domain\n-------------------------\n"
+
+apt-get -y install jicofo jitsi-meet jitsi-meet-prosody jitsi-meet-turnserver jitsi-meet-web jitsi-meet-web-config jitsi-videobridge2
+
+bash /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh
+

jitsi-20-04/scripts/01-packages.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+
+# non-interactive install
+export DEBIAN_FRONTEND=noninteractive
+
+# Add a swap file to prevent build time OOM errors
+fallocate -l 8G /swapfile
+mkswap /swapfile
+swapon /swapfile
+
+# First install the Jitsi repository key onto your system:
+curl https://download.jitsi.org/jitsi-key.gpg.key | sudo sh -c 'gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg'
+
+# Create a sources.list.d file with the repository:
+echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' | sudo tee /etc/apt/sources.list.d/jitsi-stable.list > /dev/null
+
+# update apt
+apt-get -qqy -o Dpkg::Options::=--force-confdef update
+apt-get -qqy -o Dpkg::Options::=--force-confdef upgrade
+
+# requisites for jitsi
+apt-get -qqy -o Dpkg::Options::=--force-confdef install ca-certificates-java coturn fontconfig-config fonts-dejavu-core fonts-lato java-common javascript-common\
+ libavahi-client3 libavahi-common-data libavahi-common3 libcups2 libevent-core-2.1-7\
+ libevent-extra-2.1-7 libevent-openssl-2.1-7 libevent-pthreads-2.1-7 libfontconfig1 libgd3 libgraphite2-3\
+ libharfbuzz0b libhiredis0.14 libidn11 libjbig0 libjpeg-turbo8 libjpeg8 libjs-jquery liblcms2-2\
+ libmysqlclient21 libnginx-mod-http-image-filter libnginx-mod-http-xslt-filter libnginx-mod-mail\
+ libnginx-mod-stream libnspr4 libnss3 libpcsclite1 libpq5 libruby2.7 libtiff5 libwebp6 libxpm4 lua-bitop\
+ lua-event lua-expat lua-filesystem lua-sec lua-socket lua5.2 mysql-common nginx nginx-common nginx-core\
+ openjdk-16-jre-headless prosody rake ruby ruby-hocon ruby-minitest ruby-net-telnet ruby-power-assert\
+ ruby-test-unit ruby-xmlrpc ruby2.7 rubygems-integration sqlite3 ssl-cert unzip zip
+
+# apt-get -y install debconf-utils
+
+# echo "jitsi-videobridge2 jitsi-videobridge/jvb-hostname string example.digitalocean.com" | debconf-set-selections
+# echo "jitsi-meet-web-config jitsi-meet/cert-choice select Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)" | debconf-set-selections
+
+# install let's encrypt
+apt-get -qqy -o Dpkg::Options::=--force-confdef install python3-certbot-nginx
+
+# install Digital Ocean agent
+curl -sSL https://repos.insights.digitalocean.com/install.sh | bash
+
+# add some security
+echo "y" | ufw enable
+apt-get -qqy -o Dpkg::Options::=--force-confdef install fail2ban
+systemctl start fail2ban
+systemctl enable fail2ban
+printf '[sshd]\nenabled = true\nport = 22\nfilter = sshd\nlogpath = /var/log/auth.log\nmaxretry = 5' | tee -a /etc/fail2ban/jail.local
+printf '\n\n[http-auth]\nenabled = true\nport = http,https\nlogpath = /var/log/auth.log\nmaxretry = 5' | tee -a /etc/fail2ban/jail.local
+systemctl restart fail2ban
+
+# open ports
+ufw allow http
+ufw allow https
+ufw allow ssh
+ufw allow 4443/tcp
+ufw allow 10000/udp
+
+# Disable and remove the swapfile prior to snapshotting
+swapoff /swapfile
+rm -f /swapfile
+

jitsi-20-04/scripts/90-cleanup.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+
+set -o errexit
+
+# Ensure /tmp exists and has the proper permissions before
+# checking for security updates
+# https://github.com/digitalocean/marketplace-partners/issues/94
+if [[ ! -d /tmp ]]; then
+  mkdir /tmp
+fi
+chmod 1777 /tmp
+
+if [ -n "$(command -v yum)" ]; then
+  yum update -y
+  yum clean all
+elif [ -n "$(command -v apt-get)" ]; then
+  apt-get -y update
+  apt-get -y upgrade
+  apt-get -y autoremove
+  apt-get -y autoclean
+fi
+
+rm -rf /tmp/* /var/tmp/*
+history -c
+cat /dev/null > /root/.bash_history
+unset HISTFILE
+find /var/log -mtime -1 -type f -exec truncate -s 0 {} \;
+rm -rf /var/log/*.gz /var/log/*.[0-9] /var/log/*-????????
+rm -rf /var/lib/cloud/instances/*
+rm -f /root/.ssh/authorized_keys /etc/ssh/*key*
+touch /etc/ssh/revoked_keys
+chmod 600 /etc/ssh/revoked_keys
+
+# Securely erase the unused portion of the filesystem
+GREEN='\033[0;32m'
+NC='\033[0m'
+printf "\n${GREEN}Writing zeros to the remaining disk space to securely
+erase the unused portion of the file system.
+Depending on your disk size this may take several minutes.
+The secure erase will complete successfully when you see:${NC}
+    dd: writing to '/zerofile': No space left on device\n
+Beginning secure erase now\n"
+
+dd if=/dev/zero of=/zerofile &
+  PID=$!
+  while [ -d /proc/$PID ]
+    do
+      printf "."
+      sleep 5
+    done
+sync; rm /zerofile; sync
+cat /dev/null > /var/log/lastlog; cat /dev/null > /var/log/wtmp