Manage jitsi-meet meet.conf as a template input for the container

The jitsi meet containers want to generate configuration from the
templates found in /defaults on the container to config files in the
bind mounted /config (/var/jitsi-meet/ on the host side). This means
that the configs ansible is writing to /var/jitsi-meet are complete
ignored and overwritten by the container using its templating system and
env vars.

This is causing us problems because we would like to use a different
etherpad prxoy config in nginx to ensure the Host header is set
properly. To make this happen we bind mount in our own template file so
that the container can template what we want rather than what is found
in the image.

Change-Id: Ifdde66a01bb7e632fc19ca0a512216584f1ea9f0

playbooks/roles/jitsi-meet/files/jitsi-meet-docker/meet-docker-compose.yaml

@@ -12,6 +12,7 @@ services:
             - ${CONFIG}/web:/config
             - ${CONFIG}/web/letsencrypt:/etc/letsencrypt
             - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts
+            - ${DEFAULTS}/web/nginx/meet.conf:/defaults/meet.conf
         environment:
             - ENABLE_AUTH
             - ENABLE_GUESTS

playbooks/roles/jitsi-meet/files/meet.conf

@@ -1,50 +1,96 @@
+{{ $ENABLE_XMPP_WEBSOCKET := .Env.ENABLE_XMPP_WEBSOCKET | default "1" | toBool }}
+
 server_name _;
 
 client_max_body_size 0;
 
 root /usr/share/jitsi-meet;
-index index.html
+
+# ssi on with javascript for multidomain variables in config.js
+ssi on;
+ssi_types application/x-javascript application/javascript;
+
+index index.html index.htm;
 error_page 404 /static/404.html;
 
-location ~ ^/([a-zA-Z0-9=\?_-]+)$ {
+# Security headers
-    rewrite ^/(.*)$ / break;
+add_header X-Content-Type-Options nosniff;
-}
+add_header X-XSS-Protection "1; mode=block";
 
-location ^~ /config.js {
+location = /config.js {
     alias /config/config.js;
 }
 
-location ^~ /interface_config.js {
+location = /interface_config.js {
     alias /config/interface_config.js;
 }
 
-location ^~ /external_api.js {
+location = /external_api.js {
     alias /usr/share/jitsi-meet/libs/external_api.min.js;
 }
 
-location / {
+# ensure all static content can always be found first
-    ssi on;
+location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
+{
+    add_header 'Access-Control-Allow-Origin' '*';
+    alias /usr/share/jitsi-meet/$1/$2;
+}
+
+# colibri (JVB) websockets
+location ~ ^/colibri-ws/([a-zA-Z0-9-\.]+)/(.*) {
+    proxy_pass http://$1:9090/colibri-ws/$1/$2$is_args$args;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    tcp_nodelay on;
 }
 
 # BOSH
-location ^~ /http-bind {
+location = /http-bind {
-    proxy_pass http://localhost:5280/http-bind;
+    proxy_pass {{ .Env.XMPP_BOSH_URL_BASE }}/http-bind;
     proxy_set_header X-Forwarded-For $remote_addr;
-    proxy_set_header Host localhost;
+    proxy_set_header Host {{ .Env.XMPP_DOMAIN }};
 }
 
+{{ if $ENABLE_XMPP_WEBSOCKET }}
+# xmpp websockets
+location = /xmpp-websocket {
+    proxy_pass {{ .Env.XMPP_BOSH_URL_BASE }}/xmpp-websocket;
+    proxy_http_version 1.1;
+
+    proxy_set_header Connection "upgrade";
+    proxy_set_header Upgrade $http_upgrade;
+
+    proxy_set_header Host {{ .Env.XMPP_DOMAIN }};
+    proxy_set_header X-Forwarded-For $remote_addr;
+    tcp_nodelay on;
+}
+{{ end }}
+
+location ~ ^/([^/?&:'"]+)$ {
+    try_files $uri @root_path;
+}
+
+location @root_path {
+    rewrite ^/(.*)$ / break;
+}
+
+{{ if .Env.ETHERPAD_URL_BASE }}
 # Etherpad-lite
-location ^~ /etherpad/ {
+location /etherpad/ {
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection 'upgrade';
-    proxy_set_header Host 'etherpad.opendev.org';
+    # Commented out as we want the default behavior of using
+    # $proxy_host as the Host header value
+    #proxy_set_header Host $host;
     proxy_cache_bypass $http_upgrade;
-    proxy_pass_header Server;
 
-    proxy_pass https://etherpad.opendev.org/;
+    proxy_pass {{ .Env.ETHERPAD_URL_BASE }}/;
     proxy_set_header X-Forwarded-For $remote_addr;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_ssl_server_name on;
     proxy_buffering off;
+    # Commented out as we want the default behavior of using
+    # $proxy_host as the Host header value
+    #proxy_set_header Host {{ .Env.XMPP_DOMAIN }};
 }
+{{ end }}

playbooks/roles/jitsi-meet/tasks/main.yaml

@@ -24,6 +24,13 @@
     - web
     - web/nginx
     - web/nginx/site-confs
+    - defaults
+    - defaults/web
+    - defaults/web/nginx
+
+# TODO files managed here seem to be completely ignored by the containers
+# we should clean them up. And if necessary replace them with templates
+# below like meet.conf.
 - name: Write web config
   copy:
     src: config.js
@@ -36,10 +43,16 @@
   copy:
     src: default.conf
     dest: /var/jitsi-meet/web/nginx/site-confs/default
-- name: Write nginx meet config
+# END TODO
+
+# These files are interpreted by the container at startup and are templated
+# using the frep tool. Ideally we'll keep the content in templates to a
+# minumum and rely on upstream as much as possible.
+- name: Write nginx meet config template
   copy:
     src: meet.conf
-    dest: /var/jitsi-meet/web/nginx/meet.conf
+    dest: /var/jitsi-meet/defaults/web/nginx/meet.conf
+
 - name: Run docker-compose pull
   shell:
     cmd: docker-compose pull

playbooks/roles/jitsi-meet/templates/jvb-env.j2

@@ -6,6 +6,9 @@
 # Directory where all configuration will be stored.
 CONFIG=/var/jitsi-meet
 
+# Directory where templates to generate configs are stored.
+DEFAULTS=/var/jitsi-meet/defaults
+
 # System time zone.
 TZ=Etc/UTC
 

playbooks/roles/jitsi-meet/templates/meet-env.j2

@@ -6,6 +6,9 @@
 # Directory where all configuration will be stored.
 CONFIG=/var/jitsi-meet
 
+# Directory where templates to generate configs are stored.
+DEFAULTS=/var/jitsi-meet/defaults
+
 # System time zone.
 TZ=Etc/UTC