From e242eda0f24a7961937456005b544bfe39bf802d Mon Sep 17 00:00:00 2001 From: Mathieu Gauthier-Pilote Date: Thu, 18 Jan 2024 15:43:59 -0500 Subject: [PATCH] Deploy with additional domains --- webapps/jitsimeet/tasks/other_domains.yml | 18 +- .../templates/nginx/other.vhost.conf.j2 | 223 ++++++++++++++++++ 2 files changed, 232 insertions(+), 9 deletions(-) create mode 100644 webapps/jitsimeet/templates/nginx/other.vhost.conf.j2 diff --git a/webapps/jitsimeet/tasks/other_domains.yml b/webapps/jitsimeet/tasks/other_domains.yml index b5eda9bc..b2dfcf69 100644 --- a/webapps/jitsimeet/tasks/other_domains.yml +++ b/webapps/jitsimeet/tasks/other_domains.yml @@ -10,6 +10,7 @@ mode: "{{ item.mode }}" loop: - { src: 'meet/config.js.j2', dest: "/etc/jitsi/meet/{{ domain }}-config.js", owner: "root", group: "root", mode: "0644" } + - { src: 'meet/interface_config.js.j2', dest: "/etc/jitsi/meet/{{ domain }}-interface_config.js", owner: "root", group: "root", mode: "0644" } - name: Check if SSL certificate is present and register result stat: @@ -20,7 +21,7 @@ block: - name: Template vhost without SSL for successfull LE challengce template: - src: "nginx/vhost.conf.j2" + src: "nginx/other.vhost.conf.j2" dest: "/etc/nginx/sites-available/{{ domain }}.conf" - name: Enable temporary nginx vhost file: @@ -42,7 +43,7 @@ - name: (Re)check if SSL certificate is present and register result stat: - path: "/etc/letsencrypt/live/{{ domain |first }}/fullchain.pem" + path: "/etc/letsencrypt/live/{{ domain }}/fullchain.pem" register: ssl - name: (Re)template conf file for nginx vhost with SSL 
@@ -50,14 +51,13 @@ src: "{{ item.src }}" dest: "{{ item.dest }}" loop: - - { src: 'nginx/vhost.conf.j2', dest: "/etc/nginx/sites-available/{{ domain }}.conf" } - - { src: 'nginx/multiplex.conf.j2', dest: '/etc/nginx/modules-available/multiplex.conf' } + - { src: 'nginx/other.vhost.conf.j2', dest: "/etc/nginx/sites-available/{{ domain }}.conf" } -- name: Enable multiplex module conf - file: - src: '/etc/nginx/modules-available/multiplex.conf' - dest: '/etc/nginx/modules-enabled/multiplex.conf' - state: link +- name: Insert block in multiplex.conf + lineinfile: + path: /etc/nginx/modules-enabled/multiplex.conf + insertafter: "web_backend;" + line: "{{ domain }} web_backend;" - name: Enable nginx vhost file: diff --git a/webapps/jitsimeet/templates/nginx/other.vhost.conf.j2 b/webapps/jitsimeet/templates/nginx/other.vhost.conf.j2 new file mode 100644 index 00000000..a897b8ab --- /dev/null +++ b/webapps/jitsimeet/templates/nginx/other.vhost.conf.j2 
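Review bot: The new `Insert block in multiplex.conf` task writes to `/etc/nginx/modules-enabled/multiplex.conf`, which the task removed in this same hunk used to create as a symlink to `modules-available/multiplex.conf`; on hosts deployed before this change that link still exists, and `lineinfile` is run with `follow` left at its default of false, so it is worth confirming on such a host that the edit lands in the link target and the link survives rather than being replaced by a detached regular file (if it does not, `follow: true`, or pointing `path` at the `modules-available` file the main role templates, fixes it). The task also carries no `regexp`, so it only ever adds: a domain later dropped from the inventory keeps its `{{ domain }} web_backend;` entry in the SNI map indefinitely, and the stream layer keeps routing that name to the web backend. A companion `state: absent` task for retired domains, or a `regexp: '^{{ domain | regex_escape }} '` so the entry is owned by this role, would keep the map equal to the current domain list. Nothing in the hunk reloads nginx after the map changes; if the handler lives outside this file, a `notify` on this task would make that explicit.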
@@ -0,0 +1,223 @@ +{% if ssl.stat.exists %} +map $arg_vnode $prosody_node { + default prosody; + v1 v1; + v2 v2; + v3 v3; + v4 v4; + v5 v5; + v6 v6; + v7 v7; + v8 v8; +} + +{% endif %} + +server { + listen 80; + listen [::]:80; + server_name {{ domain }}; + + # For certbot + location ~ /.well-known/acme-challenge { + alias /var/lib/letsencrypt/; + try_files $uri =404; + allow all; + } + {% if ssl.stat.exists %} + location / { return 301 https://$host$request_uri; } + {% endif %} +} + +{% if ssl.stat.exists %} +server { + listen 8088 ssl http2; + listen [::]:8088 ssl http2; + server_name {{ domain }}; + + access_log /var/log/nginx/{{ service }}.access.log; # reduce I/0 with buffer=10m flush=5m + error_log /var/log/nginx/{{ service }}.error.log; + + # For certbot + location ~ /.well-known/acme-challenge { + alias /var/lib/letsencrypt/; + try_files $uri =404; + allow all; + } + + # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:10m; # about 40000 sessions + ssl_session_tickets off; + + add_header Strict-Transport-Security "max-age=63072000" always; + set $prefix ""; + set $custom_index ""; + set $config_js_location /etc/jitsi/meet/{{ domain }}-config.js; + set $interface_config_js_location /etc/jitsi/meet/{{ domain }}-interface_config.js; + set $welcome_page_additional_content_location /etc/jitsi/meet/welcomePageAdditionalContent.html; + + ## + # Certificates + # you need a certificate to run in production. 
see https://letsencrypt.org/ + ## + ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem; + + root /usr/share/jitsi-meet; + + # ssi on with javascript for multidomain variables in config.js + ssi on; + ssi_types application/x-javascript application/javascript; + + index index.html index.htm; + error_page 404 /static/404.html; + + gzip on; + gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm; + gzip_vary on; + gzip_proxied no-cache no-store private expired auth; + gzip_min_length 512; + + include /etc/jitsi/meet/jaas/*.conf; + + location = /config.js { + alias $config_js_location; + } + + location = /interface_config.js { + alias $interface_config_js_location; + } + + location = /external_api.js { + alias /usr/share/jitsi-meet/libs/external_api.min.js; + } + + location = /static/welcomePageAdditionalContent.html { + alias $welcome_page_additional_content_location; + } + + location = /_api/room-info { + proxy_pass http://prosody/room-info?prefix=$prefix&$args; + proxy_http_version 1.1; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Host $http_host; + } + + location ~ ^/_api/public/(.*)$ { + autoindex off; + alias /etc/jitsi/meet/public/$1; + } + + # ensure all static content can always be found first + location ~ ^/(libs|css|static|images|fonts|lang|sounds|.well-known)/(.*)$ + { + add_header 'Access-Control-Allow-Origin' '*'; + alias /usr/share/jitsi-meet/$1/$2; + + # cache all versioned files + if ($arg_v) { + expires 1y; + } + } + + # BOSH + location = /http-bind { + proxy_pass http://$prosody_node/http-bind?prefix=$prefix&$args; + proxy_http_version 1.1; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Host $http_host; + proxy_set_header Connection ""; + } + + # xmpp websockets + location = /xmpp-websocket { + proxy_pass 
http://$prosody_node/xmpp-websocket?prefix=$prefix&$args; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + tcp_nodelay on; + } + + # colibri (JVB) websockets for jvb1 + location ~ ^/colibri-ws/([a-zA-Z0-9-\._]+)/(.*) { + proxy_pass http://jvb1/colibri-ws/default-id/$2$is_args$args; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + tcp_nodelay on; + } + + # load test minimal client, uncomment when used + #location ~ ^/_load-test/([^/?&:'"]+)$ { + # rewrite ^/_load-test/(.*)$ /load-test/index.html break; + #} + #location ~ ^/_load-test/libs/(.*)$ { + # add_header 'Access-Control-Allow-Origin' '*'; + # alias /usr/share/jitsi-meet/load-test/libs/$1; + #} + + location ~ ^/([^/?&:'"]+)$ { + set $roomname "$1"; + try_files $uri @root_path; + } + + location @root_path { + rewrite ^/(.*)$ /$custom_index break; + } + + location ~ ^/([^/?&:'"]+)/config.js$ + { + set $subdomain "$1."; + set $subdir "$1/"; + + alias $config_js_location; + } + + # Matches /(TENANT)/pwa-worker.js or /(TENANT)/manifest.json to rewrite to / and look for file + location ~ ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ { + set $subdomain "$1."; + set $subdir "$1/"; + rewrite ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ /$2; + } + + # BOSH for subdomains + location ~ ^/([^/?&:'"]+)/http-bind { + set $subdomain "$1."; + set $subdir "$1/"; + set $prefix "$1"; + + rewrite ^/(.*)$ /http-bind; + } + + # websockets for subdomains + location ~ ^/([^/?&:'"]+)/xmpp-websocket { + set $subdomain "$1."; + set $subdir "$1/"; + set $prefix "$1"; + + rewrite ^/(.*)$ /xmpp-websocket; + } + + location ~ ^/([^/?&:'"]+)/_api/room-info { + set $subdomain "$1."; + set $subdir "$1/"; + set $prefix "$1"; + + rewrite ^/(.*)$ /_api/room-info; + } + + # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to / + location ~ 
^/([^/?&:'"]+)/(.*)$ { + set $subdomain "$1."; + set $subdir "$1/"; + rewrite ^/([^/?&:'"]+)/(.*)$ /$2; + } +} + +{% endif %}
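Review bot: The server-level `add_header Strict-Transport-Security "max-age=63072000" always;` is not applied inside `location ~ ^/(libs|css|static|images|fonts|lang|sounds|.well-known)/(.*)$`, because that location declares its own `add_header 'Access-Control-Allow-Origin' '*'` and nginx replaces, rather than merges, the inherited add_header set as soon as a location defines any add_header of its own; every static asset served by the 8088 vhost therefore goes out without HSTS. Repeat the header next to the CORS line: `add_header Strict-Transport-Security "max-age=63072000" always;`. Separately, `access_log /var/log/nginx/{{ service }}.access.log` and the matching `error_log` send every additional domain into the primary vhost's log files, so per-domain incident review has to be split on `$host` after the fact; keying the log names on `{{ domain }}` keeps each tenant's trail separable. The `return 301 https://$host$request_uri;` in the port-80 block echoes the client-supplied Host header, which is harmless while `server_name {{ domain }}` is exact, but would become an open redirect if this vhost were ever made the default server for port 80 — `https://{{ domain }}$request_uri` removes that dependency.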