Update jitsi deployment script #2390
Signed-off-by: Seokho Son <shsongist@gmail.com>
/approve
Pull request overview
Updates the Jitsi deployment helper to simplify invocation (DNS + email only) and make the install more unattended/re-runnable by resolving the host IP from DNS, setting hostname/hosts entries, and improving install flow.
Changes:
- Remove the explicit IP parameter and resolve public IP from the provided DNS A record.
- Rework apt prerequisites/repository setup and make the Jitsi install non-interactive (self-signed first, then attempt Let’s Encrypt).
- Add re-run guards (dedupe /etc/hosts, avoid duplicating systemd limits) and wait for JVB PID before checking limits.
| # https://www.digitalocean.com/community/tutorials/how-to-install-jitsi-meet-on-ubuntu-20-04 | ||
|
|
||
| sudo cat /etc/systemd/system.conf > /dev/null | ||
| sudo systemctl daemon-reload |
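Review bot: `sudo cat /etc/systemd/system.conf > /dev/null` reads the file and discards the output, so it neither verifies nor applies the limits. If the intent is to confirm that the DefaultLimit* settings were written, replace it with a check that fails loudly, for example `grep -E '^Default(LimitNOFILE|LimitNPROC|TasksMax)=' /etc/systemd/system.conf`, or drop the line.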
systemctl daemon-reload reloads unit files but does not reliably apply changes to /etc/systemd/system.conf (manager defaults) until a daemon-reexec or reboot. As written, the new DefaultLimit* values may not take effect even after restarting services. Consider applying limits via a service override drop-in for the Jitsi units, or trigger systemctl daemon-reexec after updating the systemd manager config.
| sudo systemctl daemon-reload | |
| sudo systemctl daemon-reload | |
| # Re-exec systemd so changes in /etc/systemd/system.conf (DefaultLimit*) take effect. | |
| sudo systemctl daemon-reexec |
| if grep -q "$DNS" /etc/hosts; then | ||
| sudo sed -i "/$DNS/d" /etc/hosts |
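Review bot: `$DNS` is interpolated unvalidated into a sed program that runs as root against /etc/hosts in `sudo sed -i "/$DNS/d" /etc/hosts`. A value containing `/` ends the address early and the remainder is parsed as sed commands. Validate the argument once at the top of the script against a hostname pattern (letters, digits, hyphens and dots only) and exit on mismatch, so every later use of `$DNS` (the debconf selection, the hosts entry) sees a known-safe value.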
grep/sed are treating $DNS as a regex here. Since DNS names contain . and other metacharacters, this can match/delete unintended /etc/hosts lines (and behaves incorrectly if $DNS contains regex/sed delimiter characters). Use fixed-string matching (grep -F) and escape/anchor the sed pattern (or manage the entry via a more exact match) to avoid accidental deletions on re-runs.
| if grep -q "$DNS" /etc/hosts; then | |
| sudo sed -i "/$DNS/d" /etc/hosts | |
| ESCAPED_DNS=$(printf '%s\n' "$DNS" | sed 's/[.[*^$\/&]/\\&/g') | |
| if grep -qF "$DNS" /etc/hosts; then | |
| # Remove lines where the hostname field exactly matches $DNS at end of line. | |
| sudo sed -i "/[[:space:]]$ESCAPED_DNS$/d" /etc/hosts |
| # Enable universe repository (required on Ubuntu) | ||
| sudo add-apt-repository universe -y > /dev/null | ||
| sudo apt update -qq | ||
|
|
||
| # Remove needrestart to suppress interactive restart prompts during apt installs | ||
| sudo apt remove needrestart -y &> /dev/null | ||
|
|
||
| echo "jitsi-videobridge2 jitsi-videobridge/jvb-hostname string $DNS" | sudo debconf-set-selections | ||
| sudo DEBIAN_FRONTEND=noninteractive apt install jitsi-meet -y > /dev/null | ||
|
|
||
| echo "[letsencrypt-certificate (will need actual DNS record)]" | ||
| sudo apt install certbot -y &> /dev/null | ||
| sudo echo "$EMAIL" | sudo DEBIAN_FRONTEND=noninteractive /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh > /dev/null | ||
|
|
||
| echo "[Config Jitsi]" | ||
| sudo -- sh -c "echo DefaultLimitNOFILE=65000 >> /etc/systemd/system.conf" | ||
| sudo -- sh -c "echo DefaultLimitNPROC=65000 >> /etc/systemd/system.conf" | ||
| sudo -- sh -c "echo DefaultTasksMax=65000 >> /etc/systemd/system.conf" | ||
|
|
||
| # Ref: to add passwording | ||
| # https://www.digitalocean.com/community/tutorials/how-to-install-jitsi-meet-on-ubuntu-20-04 | ||
| # https://sakwon.tistory.com/56 | ||
|
|
||
| # sudo vim /etc/prosody/conf.avail/etri.cloud-barista.org.cfg.lua | ||
|
|
||
| # [chage authentication "anonymous" to "internal_plain"] | ||
| # VirtualHost "etri.cloud-barista.org" | ||
| # -- enabled = false -- Remove this line to enable this host | ||
| # authentication = "internal_plain" | ||
|
|
||
| # [last add] | ||
| # VirtualHost "guest.etri.cloud-barista.org" | ||
| # authentication = "anonymous" | ||
| # c2s_require_encryption = false | ||
|
|
||
|
|
||
| # sudo vim /etc/jitsi/meet/etri.cloud-barista.org-config.js | ||
|
|
||
| # [chage anonymousdomain] | ||
| # // When using authentication, domain for guest users. | ||
| # anonymousdomain: 'guest.etri.cloud-barista.org', | ||
| echo "[Add Prosody repository]" | ||
| sudo curl -sL https://prosody.im/files/prosody-debian-packages.key \ | ||
| -o /usr/share/keyrings/prosody-debian-packages.key | ||
| echo "deb [signed-by=/usr/share/keyrings/prosody-debian-packages.key] http://packages.prosody.im/debian $(lsb_release -sc) main" \ | ||
| | sudo tee /etc/apt/sources.list.d/prosody-debian-packages.list > /dev/null |
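Review bot: the key download `sudo curl -sL https://prosody.im/files/prosody-debian-packages.key -o ...` has no `-f`, so an HTTP error page is saved as the keyring file and the failure surfaces only later at signature verification, in a script that sends most command output to /dev/null. Use `curl -fsSL` and stop the script if the download fails. The `deb` line also points at `http://packages.prosody.im/debian`; `signed-by` still protects package integrity, but switch to https if the repository serves it so the metadata is not fetched in clear text.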
add-apt-repository and lsb_release are used but the script doesn’t install the packages that provide them on minimal Ubuntu images (typically software-properties-common for add-apt-repository and lsb-release for lsb_release). This can cause the repository-setup section to fail unpredictably. Install those dependencies (or avoid these commands) before invoking them.
| sudo curl -sL https://prosody.im/files/prosody-debian-packages.key \ | ||
| -o /usr/share/keyrings/prosody-debian-packages.key | ||
| echo "deb [signed-by=/usr/share/keyrings/prosody-debian-packages.key] http://packages.prosody.im/debian $(lsb_release -sc) main" \ |
The Prosody repo key is being saved as a .key file and referenced in signed-by=... without converting it to a GPG keyring. In the prior version of this script, the key was dearmored into a .gpg keyring; using the raw downloaded key can cause apt update/signature verification failures depending on apt version/config. Consider restoring the gpg --dearmor step (and using a .gpg keyring file) for consistency and reliability.
| sudo curl -sL https://prosody.im/files/prosody-debian-packages.key \ | |
| -o /usr/share/keyrings/prosody-debian-packages.key | |
| echo "deb [signed-by=/usr/share/keyrings/prosody-debian-packages.key] http://packages.prosody.im/debian $(lsb_release -sc) main" \ | |
| curl -sL https://prosody.im/files/prosody-debian-packages.key \ | |
| | sudo gpg --dearmor -o /usr/share/keyrings/prosody-debian-packages.gpg | |
| echo "deb [signed-by=/usr/share/keyrings/prosody-debian-packages.gpg] http://packages.prosody.im/debian $(lsb_release -sc) main" \ |
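Review bot: in the suggested `| sudo gpg --dearmor -o /usr/share/keyrings/prosody-debian-packages.gpg`, gpg asks before overwriting an existing output file, so a second run of the script stalls or fails at this step, which works against the re-run goal of this PR. Add `--batch --yes` to the gpg call. Because the key now arrives through a pipeline, curl's exit status is also hidden unless the script sets `set -o pipefail`.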
| # Remove needrestart to suppress interactive restart prompts during apt installs | ||
| sudo apt remove needrestart -y &> /dev/null |
Uninstalling needrestart is a heavy-handed way to avoid interactive prompts and can remove tooling other automation expects. Other scripts in this repo disable prompts by setting NEEDRESTART_MODE and writing /etc/needrestart/conf.d/99-autorestart.conf instead (see scripts/usecases/k8s/k8s-control-plane-setup.sh:22-29). Consider switching to that approach rather than removing the package.
| # Remove needrestart to suppress interactive restart prompts during apt installs | |
| sudo apt remove needrestart -y &> /dev/null | |
| # Configure needrestart to suppress interactive restart prompts during apt installs | |
| export NEEDRESTART_MODE=a | |
| sudo mkdir -p /etc/needrestart/conf.d | |
| sudo tee /etc/needrestart/conf.d/99-autorestart.conf > /dev/null << 'EOF' | |
| $nrconf{restart} = 'a'; | |
| EOF |
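Review bot: `export NEEDRESTART_MODE=a` will not reach the apt calls, because they run through `sudo`, whose default env_reset policy drops variables that are not explicitly preserved. Pass it the way the script already passes DEBIAN_FRONTEND, as in `sudo NEEDRESTART_MODE=a DEBIAN_FRONTEND=noninteractive apt install jitsi-meet -y`, or rely on the 99-autorestart.conf drop-in alone and drop the export.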