Deploying Jitsi Meet on Nethserver independent video conferencing

There is a Feature topic about this that doesn’t actually offer much help. I thought I would post my steps in case it helps other people as well. I mean, it’s one thing to know Zoom is evil, and it’s another to actually help people do something about it.

There are comments like “Follow the Jitsi documentation, and you will have a working installation in 10 minutes”, but that assumes you have a decent knowledge of Docker and other components. If you’re using Nethserver, I assume you are like me and not a seasoned sysadmin.

So here are my steps to get us a bit more than just a basic install.

Current Features:

  • Working Jitsi server (using a docker image)
  • Using SSL certificate provided by Nethserver
  • Using Nethserver LDAP authentication to make it so Nethserver users can be hosts of meetings, and guests can join

Things that could be improved on

  • An automatic script to pull in some of the settings from Nethserver automatically
  • Create a virtual host for redirecting port 443 on the subdomain to 8443 on the subdomain

Future Improvements

Steps

  • get a domain and matching SSL cert
  • install docker & docker compose
  • update the firewall
  • get the Jitsi docker image
  • configure & deploy the image

Domain & Cert

The Jitsi Docker does support getting a cert through LetsEncrypt but I had issues getting this to work. It was failing on the ACME request - I think because of the non-standard HTTPS port and because I didn’t have a reverse proxy in place on the domain. In any case, I decided to just utilize the cert that is on my Nethserver because then I know it will get updated automatically.

  • Add a domain/sub-domain that points to your Nethserver. E.g. meet.mydomain.com
  • In the Cockpit UI go to System > Certificates
  • Use the Request Let's Encrypt certificate button
  • Add in your sub-domain
  • Update the cert
  • Take note of the path to the cert:

Install Docker & Docker-Compose

Install Docker

  • Use the Cockpit UI and go to Software Center
  • Install Docker
  • Navigate to the Portainer address to set up the admin password: https://neth.mydomain.com:980/portainer/

Install Docker Compose

  • Follow the instructions to Install Docker Compose
  • Which currently is:
  • sudo curl -L "https://github.com/docker/compose/releases/download/1.26.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
  • sudo chmod +x /usr/local/bin/docker-compose

Update the firewall

There are two firewall changes we need to make.

  1. We need to allow the Jitsi docker image to access LDAP on our Nethserver
  2. We need to allow the Jitsi docker image to be accessed from the WAN on our Nethserver (unless you don’t need that)

Access LDAP

You can read more about it in the Nethserver Docker docs, but basically the default network for docker images does not allow access to our Nethserver for security reasons. There is a special aqua network that will be set up with our Docker install that will allow docker images to access local ports on our Nethserver. That is how we will let Jitsi use our existing LDAP.

I think there is currently a bug in the Jitsi docker image that mixes up ldap:// and ldaps://, so I just opened both ports and things seem to work.

The docs give an example command to open up the ports, and for me my command was:
db dockrules set jitsiLdap aqua TCPPorts 389,636 status enabled
signal-event firewall-adjust

Access WAN

Using the Cockpit UI, go to System > Services > Add Network Service
For me, I had to run this as the root user to get the network options to show up. We want both Green and Red interfaces for this to be accessible from the internet.

Now we have our address, we have Docker, and we have our firewall updated. Now we just need to get the docker image and configure it.

Get & Configure the Jitsi Docker image

Like the other post mentioned, this article is pretty good but there are a few things we should consider on our Nethserver.

First, we should be putting all of our custom apps in the /opt/ folder. So for me, my jitsi folder is /opt/jitsi

  • Using your preferred method, get the latest Jitsi Docker image and put it in /opt/jitsi/docker-jitsi-meet

  • According to the guide (at this time) follow these steps:
    jitsi_5_config

but on the last step, instead of putting the jitsi config under root, let’s keep it under our opt folder, so the command looks like this:

mkdir -p /opt/jitsi/.jitsi-meet-cfg/{web/letsencrypt,transcripts,prosody/config,prosody/prosody-plugins-custom,jicofo,jvb,jigasi,jibri}

As part of the testing of Jitsi we need to erase this folder frequently, so I prefer to have it in this folder instead of in the root of the system. Also, this follows the Nethserver convention of keeping apps under /opt/

Configure the env variables

Now we have our .env file, in which we need to modify a few things. Here are the changes I made:
CONFIG=/opt/jitsi/.jitsi-meet-cfg
PUBLIC_URL=https://meet.mydomain.com
ENABLE_AUTH=1
ENABLE_GUESTS=1
AUTH_TYPE=ldap
LDAP_URL=ldaps://172.28.0.1:636
LDAP_BASE=dc=directory,dc=nh
LDAP_BINDDN=cn=ldapservice,dc=directory,dc=nh
LDAP_BINDPW=...
LDAP_FILTER=(uid=%u)
LDAP_AUTH_METHOD=bind
LDAP_USE_TLS=1

A few notes about these config options:

  • You’ll need to look for these specific keys in the file, uncomment them, and fill in the appropriate value. For me, I’m using OpenLDAP with all the default Nethserver settings.
  • I actually stole most of these settings from my ejabberd configuration (located here: /etc/ejabberd/ejabberd.yml). You could also grab them from your Nextcloud or any other app you’re using with LDAP auth.
  • The LDAP URL is using ldaps, but my log shows me that it’s actually calling on port 389 still. I think this is an issue / manual configuration in the Jitsi docker configuration. That’s why our firewall rule opens up the port for ldap:// (389) and ldaps:// (636)
  • The LDAP URL is pointing to the aqua interface on your docker. For me, I found this out by going to: https://neth.mydomain.com:980/portainer > Networks and then looking at the Gateway for the aqua network:
  • You need to get the LDAP_BINDPW for your ldap service account. For me, I found this in my ejabberd config file but there is probably a better way to find it
  • The LDAP_USE_TLS is required, even though we are just doing it local. Again, I think it’s an issue in the docker image

Configure the docker compose file

We need to make a change to our docker compose file to allow it to utilize the Nethserver certificate instead of the docker image trying to get its own cert from Let’s Encrypt.

Using the path to our cert that we saw in the steps above, add two volumes to the docker image (the last two lines):

        volumes:
            - ${CONFIG}/web:/config:Z
            - ${CONFIG}/web/letsencrypt:/etc/letsencrypt:Z
            - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
            - /etc/letsencrypt/live/neth.mydomain.com/fullchain.pem:/config/keys/cert.crt
            - /etc/letsencrypt/live/neth.mydomain.com/privkey.pem:/config/keys/cert.key
  • It is important that you use the fullchain.pem, and not the cert.pem. If you use just the cert, then desktop browsers will be able to connect, but Android browsers and clients will not be able to!

Composing the Docker

Now that we have edited the env variables and included our certificate, we just need to run the command from the Jitsi quickstart guide to compose and launch the docker images:
docker-compose up -d

Adding the Docker to the aqua network

There is probably a way to do this in the Docker compose file, but I’m a total noob so I just did it through the web UI.

  • Go to your Portainer site > Containers
  • Find the Prosody container
  • Open it up and scroll to the bottom to see the networks
  • Add the aqua network
  • Now your network should look like this:

Hurray!
You should now be able to access your Jitsi server at: https://meet.mydomain.com:8443

Note that the port is important. I have not gotten this to work through the Nethserver reverse proxy yet so we can serve it up on the regular HTTPS port.

Other Notes

  • Each time you re-build the docker image using compose you will need to re-add this network interface to the docker image
  • Each time you make changes to the docker compose file or .env file, you will need to clear the cfg folder and rebuild it. I had to do this a lot so I made a simple bash script to do it for me:
rm -rf ../.jitsi-meet-cfg/
docker-compose up -d

I hope this helps someone else! I’ll try to clean it up a bit more later.

10 Likes
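
As an added example that is not part of the original post: a pre-flight check for two points the howto raises, the .env file that stores LDAP_BINDPW in cleartext and the fullchain.pem versus cert.pem mount. The function names are hypothetical, and the scheme/port pairing (ldaps with 636, ldap with 389) is an assumption based on the ports named in the post.

```shell
#!/usr/bin/env bash
# Added example (not from the post): pre-flight checks for the .env file and
# the certificate file that the compose file mounts as /config/keys/cert.crt.
# Usage: preflight /opt/jitsi/docker-jitsi-meet/.env /etc/letsencrypt/live/neth.mydomain.com/fullchain.pem

# Print the value of the last uncommented KEY=value line in an env file.
env_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# The .env holds LDAP_BINDPW in cleartext: succeed only if group/other have no access.
env_is_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# Assumption: ldaps:// pairs with 636 and ldap:// with 389 (also the defaults
# used here when the URL carries no explicit port).
ldap_url_consistent() {
    local url scheme rest port
    url=$(env_get "$1" LDAP_URL)
    scheme=${url%%://*}
    rest=${url#*://}
    case "$rest" in
        *:*) port=${rest##*:} ;;
        *)   [ "$scheme" = ldaps ] && port=636 || port=389 ;;
    esac
    port=${port%%/*}   # drop a trailing path such as "/"
    case "$scheme:$port" in ldaps:636|ldap:389) return 0 ;; *) return 1 ;; esac
}

# fullchain.pem carries leaf + intermediate(s); cert.pem carries only the leaf.
pem_cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Run all checks; print one line per finding and return the number of findings.
preflight() {
    local env_file=$1 cert_file=$2 findings=0
    env_is_private "$env_file" || { echo "FAIL: $env_file is accessible by group/other"; findings=$((findings+1)); }
    [ -n "$(env_get "$env_file" LDAP_BINDPW)" ] || { echo "FAIL: LDAP_BINDPW is not set"; findings=$((findings+1)); }
    ldap_url_consistent "$env_file" || { echo "FAIL: LDAP_URL scheme and port do not match"; findings=$((findings+1)); }
    [ "$(pem_cert_count "$cert_file")" -ge 2 ] || { echo "FAIL: $cert_file has no chain (cert.pem instead of fullchain.pem?)"; findings=$((findings+1)); }
    return "$findings"
}
```

A return value of 0 means all four checks passed; running chmod 600 on the .env clears the first finding.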

Wow, what a wonderful topic, @djx. Thank you very much for the howto.

I am glad you even implemented the ldap authentication on the same to get it to work, highly appreciated.

Clap clap clap…medals to this man

@davidep @mrmarkuz I am glad to read this

@stephdl he wrote it like it was written to a 12 year old.

assuming you don’t know and working up from there

Thank you all! I’m just trying to contribute something back to this great product and community.

3 Likes