diff --git a/templates/template13-talk-hpb/Readme.md b/templates/template13-talk-hpb/Readme.md
index 690f3ab..0afbdfa 100644
--- a/templates/template13-talk-hpb/Readme.md
+++ b/templates/template13-talk-hpb/Readme.md
@@ -14,14 +14,12 @@
 | `rootCA-key.pem` | The rootCA key previously created in your host machine |
-* In file `provision.sh`, give a sensible value to the following environment variables:
- * MACHINE_HOSTNAME
- * NEXTCLOUD_URL
- * CUSTOMER_ID
+* Open `Vagrantfile` and fill in the values of the following parameters and variables:
+ * `lxd.name`: The name of the container (it is recommended to give the same name as the folder, in this example `talk-hpb`)
+ * `MACHINE_HOSTNAME`: The hostname of the container (it is recommended to give the same name as the folder, plus the domain, in this example `nc-instance.localenv.com`)
+ * `NEXTCLOUD_URL`: URL of the Nextcloud instance to define this Talk HPB service on
+ * `CUSTOMER_ID`: Customer ID to access the enterprise software repository of Talk HPB
 * Create folder `log`
-* Open `Vagrantfile` and change the value of variable `lxd.name`. It makes sense to give the same name as the folder, in this example `talk-hpb`.
-* Open `provision.sh`
- * change the value of variable `MACHINE_HOSTNAME`. It makes sense to give the same name as the folder, plus the domain, in this example `talk-hpb.localenv.com`.
 * Run `vagrant up > log/provisioning.log`
-* Make sure your system is able to resolve the domain name that you specified in variable `MACHINE_HOSTNAME`, for example by adding an entry in `/etc/hosts`
+* Make sure your system is able to resolve the domain name that you specified in variable `MACHINE_HOSTNAME`, for example by adding an entry in `/etc/hosts` or setting up LXD nameserver
 * Start using your environment
diff --git a/templates/template13-talk-hpb/Vagrantfile b/templates/template13-talk-hpb/Vagrantfile
index 2975d89..c98efc7 100644
--- a/templates/template13-talk-hpb/Vagrantfile
+++ b/templates/template13-talk-hpb/Vagrantfile
@@ -4,25 +4,32 @@ Vagrant.configure("2") do |config|
- config.vm.box = "isc/lxc-ubuntu-22.04"
+ config.vm.box = "isc/forge-clt-ubuntu-22.04"
+
+ config.vm.box_version = "1"
 config.vm.box_check_update = false
-
+
 config.vm.provider 'lxd' do |lxd|
 lxd.api_endpoint = 'https://127.0.0.1:8443'
 lxd.timeout = 10
- lxd.name = 'your-container-name'
- lxd.project = 'default'
+ lxd.name = ''
+ lxd.project = 'default'
 lxd.profiles = ['default']
 # lxd.nesting = nil
- # lxd.ephemeral = false
 # lxd.privileged = nil
- # lxd.ephemeral = false
+ # lxd.ephemeral = false
 # lxd.environment = {}
 # lxd.config = {}
 end
- config.vm.provision :shell, path: "provision.sh"
-
+ config.vm.provision "shell" do |s|
+ s.env = {
+ "MACHINE_HOSTNAME" => "",
+ "NEXTCLOUD_URL" => "",
+ "CUSTOMER_ID" => ""
+ }
+ s.path = "provision.sh"
+ end
 end
diff --git a/templates/template13-talk-hpb/artifacts/nextcloud-spreed-signaling-server.conf b/templates/template13-talk-hpb/artifacts/nextcloud-spreed-signaling-server.conf
index a804310..927a67e 100644
--- a/templates/template13-talk-hpb/artifacts/nextcloud-spreed-signaling-server.conf
+++ b/templates/template13-talk-hpb/artifacts/nextcloud-spreed-signaling-server.conf
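Review bot: The `s.env` hash at the end of the hunk puts `CUSTOMER_ID`, an access credential for the enterprise repository, straight into a version-controlled Vagrantfile, where it is easy to commit by accident once the placeholder is filled in; the Readme change in this commit tells users to edit it exactly there. Reading it from the host environment instead, `"CUSTOMER_ID" => ENV.fetch("CUSTOMER_ID", "")`, keeps only the empty default in the tracked file. The same goes for `lxd.name = ''` and the other two emptied values: nothing checks them before `vagrant up`, so an unfilled template presumably fails only later inside provision.sh (`hostnamectl set-hostname ${MACHINE_HOSTNAME}` with an empty variable) rather than with a clear message at the Vagrantfile.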
@@ -21,30 +21,44 @@ #writetimeout = 15 # Certificate / private key to use for the HTTPS server. -certificate = /etc/nginx/ssl/#MACHINE_HOSTNAME#.pem -key = /etc/nginx/ssl/#MACHINE_HOSTNAME#-key.pem +# certificate = /etc/nginx/ssl/server.crt +# key = /etc/nginx/ssl/server.key [app] # Set to "true" to install pprof debug handlers. # See "https://golang.org/pkg/net/http/pprof/" for further information. -debug = true +debug = false + +# Set to "true" to allow subscribing any streams. This is insecure and should +# only be enabled for testing. By default only streams of users in the same +# room and call can be subscribed. +#allowsubscribeany = false [sessions] # Secret value used to generate checksums of sessions. This should be a random # string of 32 or 64 bytes. -hashkey = 47b91f88695c66b2dd8b2f07dceafd82bc3bb58ad7afd72edf977d9581da37f2 +hashkey = 7cee859c98f7c3c98af206fd5fb5a970a00d084c4b0721889e98460c240ba750 # Optional key for encrypting data in the sessions. Must be either 16, 24 or # 32 bytes. # If no key is specified, data will not be encrypted (not recommended). -blockkey = 9685548d450071c2685418413c206586 +blockkey = be7942b4c40e231981e7aae7e1ff572a [clients] # Shared secret for connections from internal clients. This must be the same # value as configured in the respective internal services. -internalsecret = 33558e3b8a2e9c6dcd559a7fd476e894decbb678a1a043a048ea4f76ed772653 +internalsecret = e12142fc50e035f25fbbfc684e20c8e3fde457521da5643352bd8799f50c3280 [backend] +# Type of backend configuration. +# Defaults to "static". +# +# Possible values: +# - static: A comma-separated list of backends is given in the "backends" option. +# - etcd: Backends are retrieved from an etcd cluster. +#backendtype = static + +# For backend type "static": # Comma-separated list of backend ids from which clients are allowed to connect # from. Each backend will have isolated rooms, i.e. 
clients connecting to room # "abc12345" on backend 1 will be in a different room than clients connected to @@ -52,6 +66,22 @@ # backends will not be able to communicate with each other. backends = backend-1 +# For backend type "etcd": +# Key prefix of backend entries. All keys below will be watched and assumed to +# contain a JSON document with the following entries: +# - "url": Url of the Nextcloud instance. +# - "secret": Shared secret for requests from and to the backend servers. +# +# Additional optional entries: +# - "maxstreambitrate": Maximum bitrate per publishing stream (in bits per second). +# - "maxscreenbitrate": Maximum bitrate per screensharing stream (in bits per second). +# - "sessionlimit": Number of sessions that are allowed to connect. +# +# Example: +# "/signaling/backend/one" -> {"url": "https://nextcloud.domain1.invalid", ...} +# "/signaling/backend/two" -> {"url": "https://domain2.invalid/nextcloud", ...} +#backendprefix = /signaling/backend + # Allow any hostname as backend endpoint. This is extremely insecure and should # only be used while running the benchmark client against the server. allowall = false @@ -62,7 +92,7 @@ #secret = the-shared-secret # Timeout in seconds for requests to the backend. -timeout = 20 +timeout = 10 # Maximum number of concurrent backend connections per host. connectionsperhost = 8 @@ -72,6 +102,7 @@ # certificates. #skipverify = false +# For backendtype "static": # Backend configurations as defined in the "[backend]" section above. The # section names must match the ids used in "backends" above. [backend-1] @@ -84,7 +115,7 @@ [nats] # Url of NATS backend to use. This can also be a list of URLs to connect to -# multiple backends. For local development, this can be set to ":loopback:" +# multiple backends. For local development, this can be set to "nats://loopback" # to process NATS messages internally instead of sending them through an # external NATS backend. #url = nats://localhost:4222 
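Review bot: The `hashkey`, `blockkey` and `internalsecret` values replaced in the [sessions] and [clients] sections are still literal secrets in a template shipped to every user, so every environment built from it shares them and rotating them in git gains nothing. provision.sh already fills `#SECRET_KEY#` at provision time with `sed -i "s|#SECRET_KEY#|${SECRET_KEY}|g"`; the same placeholder approach for these three keys would give each container its own random values. Separately, commenting out `certificate`/`key` leaves the signaling server with no configured HTTPS listener; if TLS is now meant to be terminated by the nginx that provision.sh installs, a comment saying so above `# certificate = /etc/nginx/ssl/server.crt` would spare the next reader from guessing.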
@@ -98,16 +129,21 @@ # For type "proxy": a space-separated list of proxy URLs to connect to. url = ws://localhost:8188 -# For type "janus": the maximum bitrate per publishing stream (in bits per -# second). +# The maximum bitrate per publishing stream (in bits per second). # Defaults to 1 mbit/sec. -maxstreambitrate = 2097152 +# For type "proxy": will be capped to the maximum bitrate configured at the +# proxy server that is used. +#maxstreambitrate = 1048576 -# For type "janus": the maximum bitrate per screensharing stream (in bits per -# second). +# The maximum bitrate per screensharing stream (in bits per second). # Default is 2 mbit/sec. +# For type "proxy": will be capped to the maximum bitrate configured at the +# proxy server that is used. #maxscreenbitrate = 2097152 +# For type "proxy": timeout in seconds for requests to the proxy server. +#proxytimeout = 2 + # For type "proxy": type of URL configuration for proxy servers. # Defaults to "static". # @@ -116,6 +152,11 @@ # - etcd: Proxy URLs are retrieved from an etcd cluster (see below). #urltype = static +# If set to "true", certificate validation of proxy servers will be skipped. +# This should only be enabled during development, e.g. to work with self-signed +# certificates. +#skipverify = false + # For type "proxy": the id of the token to use when connecting to proxy servers. #token_id = server1 
@@ -123,20 +164,12 @@ # connecting to proxy servers. #token_key = privkey.pem -# For url type "etcd": Comma-separated list of static etcd endpoints to -# connect to. -#endpoints = 127.0.0.1:2379,127.0.0.1:22379,127.0.0.1:32379 - -# For url type "etcd": Options to perform endpoint discovery through DNS SRV. -# Only used if no endpoints are configured manually. -#discoverysrv = example.com -#discoveryservice = foo - -# For url type "etcd": Path to private key, client certificate and CA -# certificate if TLS authentication should be used. -#clientkey = /path/to/etcd-client.key -#clientcert = /path/to/etcd-client.crt -#cacert = /path/to/etcd-ca.crt +# For url type "static": Enable DNS discovery on hostname of configured URL. +# If the hostname resolves to multiple IP addresses, a connection is established +# to each of them. +# Changes to the DNS are monitored regularly and proxy connections are created +# or deleted as necessary. +#dnsdiscovery = true # For url type "etcd": Key prefix of MCU proxy entries. All keys below will be # watched and assumed to contain a JSON document. The entry "address" from this 
@@ -180,7 +213,82 @@ #127.0.0.1 = DE #192.168.0.0/24 = DE +[continent-overrides] +# Optional overrides for continent mappings. The key is a continent code, the +# value a comma-separated list of continent codes to map the continent to. +# Use European servers for clients in Africa. +#AF = EU +# Use servers in North Africa for clients in South America. +#SA = NA + [stats] # Comma-separated list of IP addresses that are allowed to access the stats # endpoint. Leave empty (or commented) to only allow access from "127.0.0.1". #allowed_ips = + +[etcd] +# Comma-separated list of static etcd endpoints to connect to. +#endpoints = 127.0.0.1:2379,127.0.0.1:22379,127.0.0.1:32379 + +# Options to perform endpoint discovery through DNS SRV. +# Only used if no endpoints are configured manually. +#discoverysrv = example.com +#discoveryservice = foo + +# Path to private key, client certificate and CA certificate if TLS +# authentication should be used. +#clientkey = /path/to/etcd-client.key +#clientcert = /path/to/etcd-client.crt +#cacert = /path/to/etcd-ca.crt + +[grpc] +# IP and port to listen on for GRPC requests. +# Comment line to disable the listener. +#listen = 0.0.0.0:9090 + +# Certificate / private key to use for the GRPC server. +# Omit to use unencrypted connections. +#servercertificate = /path/to/grpc-server.crt +#serverkey = /path/to/grpc-server.key + +# CA certificate that is allowed to issue certificates of GRPC servers. +# Omit to expect unencrypted connections. +#serverca = /path/to/grpc-ca.crt + +# Certificate / private key to use for the GRPC client. +# Omit if clients don't need to authenticate on the server. +#clientcertificate = /path/to/grpc-client.crt +#clientkey = /path/to/grpc-client.key + +# CA certificate that is allowed to issue certificates of GRPC clients. +# Omit to allow any clients to connect. +#clientca = /path/to/grpc-ca.crt + +# Type of GRPC target configuration. +# Defaults to "static". 
+# +# Possible values: +# - static: A comma-separated list of targets is given in the "targets" option. +# - etcd: Target URLs are retrieved from an etcd cluster. +#targettype = static + +# For target type "static": Comma-separated list of GRPC targets to connect to +# for clustering mode. +#targets = 192.168.0.1:9090, 192.168.0.2:9090 + +# For target type "static": Enable DNS discovery on hostnames of GRPC target. +# If a hostname resolves to multiple IP addresses, a connection is established +# to each of them. +# Changes to the DNS are monitored regularly and GRPC clients are created or +# deleted as necessary. +#dnsdiscovery = true + +# For target type "etcd": Key prefix of GRPC target entries. All keys below will +# be watched and assumed to contain a JSON document. The entry "address" from +# this document will be used as target URL, other contents in the document will +# be ignored. +# +# Example: +# "/signaling/cluster/grpc/one" -> {"address": "192.168.0.1:9090"} +# "/signaling/cluster/grpc/two" -> {"address": "192.168.0.2:9090"} +#targetprefix = /signaling/cluster/grpc diff --git a/templates/template13-talk-hpb/provision.sh b/templates/template13-talk-hpb/provision.sh index ad500ab..bc2d07d 100644 --- a/templates/template13-talk-hpb/provision.sh +++ b/templates/template13-talk-hpb/provision.sh @@ -6,20 +6,6 @@ echo "provisioning started: ${start_time}" -#### The user must fill these variables - -# Fully Qualified Name: ex. talk-hpb.localenv.com -MACHINE_HOSTNAME= - -# URL of the Nextcloud instance to be used as backend for the Talk HPB. It must include 'https://'. -NEXTCLOUD_URL= - -# Struktur AG-issued Customer ID to get access to apt repositories -CUSTOMER_ID= -#### - -SYSTEM_USER=usrv - NETWORK_INTERFACE=eth0 hostnamectl set-hostname ${MACHINE_HOSTNAME} 
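Review bot: With the in-file assignments removed, `MACHINE_HOSTNAME`, `NEXTCLOUD_URL` and `CUSTOMER_ID` come only from the provisioner environment, but nothing in the script verifies they were set, so an unfilled Vagrantfile reaches `hostnamectl set-hostname ${MACHINE_HOSTNAME}` with an empty value; whether the script aborts there depends on shell options outside the hunk. A guard where the removed block used to be, `: "${MACHINE_HOSTNAME:?must be set in the Vagrantfile}"` plus the same line for `NEXTCLOUD_URL` and `CUSTOMER_ID`, fails fast with a clear message before any system state is changed. The script's header and the rest of its body are outside this hunk.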
@@ -36,12 +22,6 @@ ##################################################################### ip_address=`ip -4 addr show ${NETWORK_INTERFACE} | grep -oP '(?<=inet\s)\d+(\.\d+){3}'` -adduser --disabled-password --gecos GECOS ${SYSTEM_USER} - -usermod -p "`openssl passwd -1 -salt 5RPVAd ${SYSTEM_USER}`" ${SYSTEM_USER} - -adduser ${SYSTEM_USER} sudo - apt update apt install -y ca-certificates wget nginx curl gnupg2 @@ -70,8 +50,6 @@ sed -i "s|#SECRET_KEY#|${SECRET_KEY}|g" /etc/nextcloud-spreed-signaling/server.conf -sed -i "s|#MACHINE_HOSTNAME#|${MACHINE_HOSTNAME}|g" /etc/nextcloud-spreed-signaling/server.conf - export CAROOT=/vagrant/artifacts/ mkcert -install @@ -106,11 +84,7 @@ echo "This container has IP (interface: ${NETWORK_INTERFACE}): ${ip_address}" -echo "If you add this IP to the hostname (${MACHINE_HOSTNAME}) in your hosts file:" - -echo " The shared secret to be configured in the Nextcloud Talk UI is: ${SECRET_KEY}" - -echo " You can connect with user ${SYSTEM_USER} via ssh (password ${SYSTEM_USER}): ssh ${SYSTEM_USER}@${MACHINE_HOSTNAME}" +echo " The shared secret to be configured in the Nextcloud Talk UI is: ${SECRET_KEY}" echo "provisioning started: ${start_time}"
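Review bot: In the last hunk the kept `echo " The shared secret to be configured in the Nextcloud Talk UI is: ${SECRET_KEY}"` still writes the backend shared secret to stdout, which the Readme directs into `log/provisioning.log` via `vagrant up > log/provisioning.log`, so the secret persists on the host in a plain log file. The commit already drops the ssh-password line next to it; either drop this echo too and point users at the generated `/etc/nextcloud-spreed-signaling/server.conf`, or add above it `# NOTE: this line lands in log/provisioning.log when run as documented; keep that directory private.` The removal of the `adduser`/`usermod` block with a fixed password in the first hunk is a clear improvement and needs no further change.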