jitsi-meet: Add option to disable Prosody services not used by Jitsi Meet

The default Prosody config assumes that Prosody will be used as a federated
XMPP server, while the use case for Jitsi Meet is much narrower.
Erin Yuki Schlarb 2024-01-12 23:21:47 +01:00
parent 7ab8f255b9
commit 56581588c3
2 changed files with 31 additions and 2 deletions


@ -19,6 +19,13 @@ A minimal configuration using Let's Encrypt for TLS certificates looks like this
}
```
Jitsi Meet depends on the Prosody XMPP server only for message passing from
the web browser while the default Prosody configuration is intended for use
with standalone XMPP clients and XMPP federation. If you only use Prosody as
a backend for Jitsi Meet it is therefore recommended to also enable
{option}`services.jitsi-meet.prosody.lockdown` option to disable unnecessary
Prosody features such as federation or the file proxy.
## Configuration {#module-services-jitsi-configuration}
Here is the minimal configuration with additional configurations:
@ -27,6 +34,7 @@ Here is the minimal configuration with additional configurations:
services.jitsi-meet = {
enable = true;
hostName = "jitsi.example.com";
prosody.lockdown = true;
config = {
enableWelcomePage = false;
prejoinPageEnabled = true;


@ -175,11 +175,26 @@ in
prosody.enable = mkOption {
type = bool;
default = true;
example = false;
description = ''
Whether to configure Prosody to relay XMPP messages between Jitsi Meet components. Turn this
off if you want to configure it manually.
'';
};
prosody.lockdown = mkOption {
type = bool;
default = false;
example = true;
description = ''
Whether to disable Prosody features not needed by Jitsi Meet.
The default Prosody configuration assumes that it will be used as a
general-purpose XMPP server rather than as a companion service for
Jitsi Meet. This option reconfigures Prosody to only listen on
localhost without support for TLS termination, XMPP federation or
the file transfer proxy.
'';
};
excalidraw.enable = mkEnableOption "Excalidraw collaboration backend for Jitsi";
excalidraw.port = mkOption {
@ -211,7 +226,10 @@ in
smacks = mkDefault true;
tls = mkDefault true;
websocket = mkDefault true;
proxy65 = mkIf cfg.prosody.lockdown (mkDefault false);
};
httpInterfaces = mkIf cfg.prosody.lockdown (mkDefault [ "127.0.0.1" ]);
httpsPorts = mkIf cfg.prosody.lockdown (mkDefault []);
muc = [
{
domain = "conference.${cfg.hostName}";
@ -300,7 +318,7 @@ in
muc_component = "conference.${cfg.hostName}"
breakout_rooms_component = "breakout.${cfg.hostName}"
'')
(mkBefore ''
(mkBefore (''
muc_mapper_domain_base = "${cfg.hostName}"
cross_domain_websocket = true;
@ -310,7 +328,10 @@ in
"focus@auth.${cfg.hostName}",
"jvb@auth.${cfg.hostName}"
}
'')
'' + optionalString cfg.prosody.lockdown ''
c2s_interfaces = { "127.0.0.1" };
modules_disabled = { "s2s" };
''))
];
virtualHosts.${cfg.hostName} = {
enabled = true;
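Review bot: The `modules_disabled = { "s2s" }` and `c2s_interfaces = { "127.0.0.1" }` lines appended to the `mkBefore` block are plain global assignments in Prosody's Lua config, so a later assignment of either name replaces them instead of merging. Because `mkBefore` places this text ahead of normal-priority `extraConfig`, a user snippet that sets `modules_disabled` for an unrelated module would presumably bring federation back while `prosody.lockdown = true` still reads as active. I would state this in the option description, for example `Assigning modules_disabled or c2s_interfaces elsewhere in the Prosody configuration replaces the values set here.` The description should also mention that the c2s binding is IPv4 loopback only, so any component that reaches Prosody over c2s from another host, or via `::1`, will no longer connect. The enclosing `extraConfig` list and `config` block begin and end outside the visible hunks.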