@TimHeckel
Last active September 8, 2020 20:33
Taken from the original thread: https://github.com/jitsi/lib-jitsi-meet/issues/1082#issuecomment-616948457
###Fresh install of Jitsi Meet with JWT token authentication on Ubuntu Bionic Beaver 18.04
# Prerequisite: add a DNS record so that meet.mydomain.com points to the
# public IP of the VM.
# The same ports must be opened on the cloud network security group:
#   80/tcp, 443/tcp, 4443/tcp, 10000/udp
# Host firewall: every rule, including 22/tcp (SSH), is added before
# `ufw enable`, so a remote SSH session stays reachable once ufw is active.
for rule in 80/tcp 443/tcp 4443/tcp 10000/udp 22/tcp; do
  sudo ufw allow "$rule"
done
sudo ufw enable
# Give the machine the public meeting name as its hostname.
sudo hostnamectl set-hostname meet.mydomain.com
# In the editor, manually append this line:
#   127.0.0.1 meet.mydomain.com
sudo nano /etc/hosts
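# --- Prosody package repository ---
# `apt-key add` puts the key into apt's global trusted keyring, so it is
# trusted for every configured repository, not only Prosody's. apt on 18.04
# also accepts a per-repository `signed-by=` keyring if tighter scoping is
# wanted.
wget https://prosody.im/files/prosody-debian-packages.key -O- | sudo apt-key add -
# Write the source entry to its own file and overwrite it, matching the
# jitsi-stable.list step below; appending to /etc/apt/sources.list would add a
# duplicate line on every re-run.
# The repository URL is plain http as in the original notes, so package
# integrity rests on apt's signature check against the key imported above.
echo "deb http://packages.prosody.im/debian $(lsb_release -sc) main" \
  | sudo tee /etc/apt/sources.list.d/prosody.list >/dev/null
sudo apt-get -y update
sudo apt-get -y install prosody

# --- Jitsi Meet package repository ---
wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | sudo apt-key add -
sudo sh -c "echo 'deb https://download.jitsi.org stable/' > /etc/apt/sources.list.d/jitsi-stable.list"
sudo apt-get -y update
sudo apt-get -y install jitsi-meet
# Installer prompts: manually type the hostname
#   meet.mydomain.com
# and choose the self-signed cert for now.

# --- Certificate: certbot plus the script shipped with jitsi-meet ---
sudo add-apt-repository ppa:certbot/certbot
sudo apt -y install certbot
sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh
# Prompt: enter the e-mail address (the original notes use sully@sully.com).

# --- JWT token support ---
sudo apt-get -y install jitsi-meet-tokens
# Prompts: enter app id, then enter app secret.
# The app secret is the key the tokens are signed with: whoever holds it can
# issue valid tokens, including moderator ones, so choose a long random value
# and keep it out of shell history and shared notes.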
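sudo nano /etc/prosody/prosody.cfg.lua
# In the editor set:
#   c2s_require_encryption=false
# NOTE(review): this removes the TLS requirement for every client-to-server
# (c2s) connection Prosody accepts. ufw's default incoming policy is deny and
# no rule in these notes opens the XMPP client port (5222/tcp), so the
# unencrypted path should stay local to the host; confirm with
# `sudo ufw status verbose` and in the cloud security group.
sudo nano /etc/prosody/conf.avail/meet.mydomain.com.cfg.lua
# In the VirtualHost section set:
#   authentication="token"
#   app_id="myappid"
#   app_secret="myappsecret"
#   allow_empty_token=false
# Further down, remove the comment marker from -- "token_verification".
# app_secret is stored here in plain text: check that this file is not readable
# by unprivileged local accounts.

# Fix permissions on the localhost key. The chown gives the prosody group
# access, so mode 640 (owner read/write, group read) is enough; mode 644 would
# also let every local account read the private key.
sudo chown root:prosody /etc/prosody/certs/localhost.key
sudo chmod 640 /etc/prosody/certs/localhost.key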
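# Build dependencies for the Lua JWT module.
sudo apt-get -y install lua5.2 luarocks libssl-dev liblua5.2
# Write the rockspec. The file is overwritten (>) rather than appended to (>>),
# because a second run with >> would leave two concatenated copies in the
# file. The quoted delimiter ('EOT') keeps the shell from expanding anything
# inside the body.
cat <<'EOT' > luajwtjitsi-1.3-7.rockspec
package = "luajwtjitsi"
version = "1.3-7"
source = {
-- Use fork from ASolomatin which uses luaossl
-- Cloned over https: the git:// protocol is unauthenticated and unencrypted,
-- and GitHub no longer serves it.
url = "git+https://github.com/ASolomatin/luajwt/",
-- NOTE(review): "replace_luacrypto" is a named ref that can move; build from a
-- reviewed commit if reproducibility matters.
tag = "replace_luacrypto"
}
description = {
summary = "JSON Web Tokens for Lua",
detailed = "Very fast and compatible with pyjwt, php-jwt, ruby-jwt, node-jwt-simple and others",
homepage = "https://github.com/jitsi/luajwt/",
license = "MIT <http://opensource.org/licenses/MIT>"
}
dependencies = {
-- Prosody uses lua 5.2
"lua >= 5.2",
"luaossl >= 20190731-0",
-- Use exact version 2.1, see https://github.com/mpx/lua-cjson/issues/56
"lua-cjson = 2.1.0",
"lbase64 >= 20120807-3"
}
build = {
type = "builtin",
modules = {
luajwtjitsi = "luajwtjitsi.lua"
}
}
EOT
# NOTE(review): both installs run without sudo, as in the original notes; a
# system-wide rock needs root. Confirm the rocks end up in a tree Prosody loads
# from.
luarocks install luajwtjitsi-1.3-7.rockspec
# basexx is installed at whatever version the rocks server currently offers.
luarocks install basexx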
# Install the two packages again (as in the original notes).
sudo apt-get install -y jitsi-meet jitsi-meet-tokens
# Remove the old error log so that whatever shows up afterwards comes from the
# restarts below.
sudo rm /var/log/prosody/prosody.err
# Restart the services in the same order as the original notes.
for unit in prosody.service jicofo.service jitsi-videobridge2.service; do
  sudo systemctl restart "$unit"
done
sudo cat /var/log/prosody/prosody.err # no errors! just some warnings
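###For Prosody to honor the "moderator": true flag in the JWT, install the plugin below:
cd /usr/share/jitsi-meet/prosody-plugins/
# The plugin is loaded into Prosody and decides who becomes moderator, and this
# URL follows the tip of the master branch, so its content can change between
# runs. Read the file before enabling it, and prefer a URL pinned to a reviewed
# commit (<COMMIT_SHA> in place of master).
# sudo: assumes this package directory is root-owned - confirm.
# -O overwrites an existing copy instead of saving a second file with a .1
# suffix that Prosody would never load.
sudo wget -O mod_token_moderation.lua https://raw.githubusercontent.com/nvonahsen/jitsi-token-moderation-plugin/master/mod_token_moderation.lua
# [YOUR DOMAIN] is a placeholder; it is quoted so that the space inside it does
# not split the path into two arguments.
sudo nano "/etc/prosody/conf.d/[YOUR DOMAIN].cfg.lua"
# Edit the conference.[YOUR DOMAIN] component to add token_moderation.
# Change this line
#   modules_enabled = { [EXISTING MODULES] }
# to
#   modules_enabled = { [EXISTING MODULES]; "token_moderation" }
sudo systemctl restart prosody && sudo systemctl restart jicofo && sudo systemctl restart jitsi-videobridge2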
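###To reduce CPU usage on the server, turn off timeseries logging:
# Both files live under /etc, so the editor is started with sudo like the nano
# steps earlier in these notes.
sudo vi /etc/jitsi/videobridge/logging.properties
# In the editor set:
#   java.util.logging.FileHandler.level = OFF
# NOTE(review): confirm that no file log you rely on for troubleshooting or
# incident review is written through this handler before switching it off.
# Also add this line to sip-communicator.properties:
sudo vi /etc/jitsi/videobridge/sip-communicator.properties
#   org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true
# NOTE(review): with the TCP harvester disabled the bridge presumably no longer
# accepts media on 4443/tcp; if so, the matching ufw and security-group rules
# can be removed - confirm.
sudo systemctl restart jitsi-videobridge2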
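###Test with a token generated at jwt.io. A token with "moderator": true should allow a few extra things: (1) password-protect the room and enable the lobby; (2) mute everyone under settings; (3) start live recording; and some other things.
#Sign test tokens with a throwaway app secret (or generate them locally) rather than pasting the production app_secret into a web page. "exp" is a Unix timestamp and must lie in the future for the token to be accepted.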
{
"context": {
"user": {
"avatar": "https://gravatar.com/avatar/abc123",
"name": "moderator",
"email": "amoderator@example.com",
"id": "testid"
},
"group": "testgroup"
},
"aud": "appid",
"iss": "appid",
"sub": "meet.example.com",
"room": "*",
"exp": 1599964155,
"moderator": true|false
}