#!/bin/bash
set -e

# -----------------------------------------------------------------------------
# globals
# -----------------------------------------------------------------------------
JITSI_TMPL=https://raw.githubusercontent.com/jitsi-contrib/installers/main/templates/jitsi

JITSI_MEET_CONFIG=/etc/jitsi/meet/$JITSI_HOST-config.js
PROSODY_CONFIG=/etc/prosody/conf.avail/$JITSI_HOST.cfg.lua
NGINX_CONFIG=/etc/nginx/sites-available/$JITSI_HOST.conf

PROSODY_PLUGINS_VERSION=20250923
PROSODY_PLUGINS_ARCHIVE=https://github.com/jitsi-contrib/prosody-plugins/archive/refs/tags/v$PROSODY_PLUGINS_VERSION.tar.gz

CHECKMYPORT=https://checkmyport.emrah.com
TCP=(80 443 4444 5222 5280 5269 5347 5349 8080 8888 9090)
UDP=(5000 5349 10000)


# -----------------------------------------------------------------------------
# globals (extra)
# -----------------------------------------------------------------------------
JIBRI_TMPL=https://raw.githubusercontent.com/jitsi-contrib/installers/main/templates/jibri


# -----------------------------------------------------------------------------
# output format
# -----------------------------------------------------------------------------
out() {
    printf "\n"

    while IFS= read -r line; do
        printf "\033[0;31m>>>\033[0m \033[0;33m%s\033[0m\n" "$line"
    done
}


# -----------------------------------------------------------------------------
# trap on exit
# -----------------------------------------------------------------------------
function on_exit {
    if [[ "$COMPLETED" != true ]]; then
        out <<< "Something went wrong. Not completed!"
        exit 1
    else
        out <<EOF
Installation Duration: $DURATION
Completed successfully!
EOF
        exit 0
    fi
}

COMPLETED=false
trap on_exit EXIT


# -----------------------------------------------------------------------------
# environment
# -----------------------------------------------------------------------------
DEBIAN_FRONTEND=noninteractive
START_TIME=$(date +%s)
BASEDIR=$(pwd)
DEFAULT_ROUTE=$(ip route | egrep '^default ' | head -n1)
PUBLIC_INTERFACE=${DEFAULT_ROUTE##*dev }
PUBLIC_INTERFACE=${PUBLIC_INTERFACE/% */}
PUBLIC_IP=$(ip addr show $PUBLIC_INTERFACE | egrep "$PUBLIC_INTERFACE$" | \
            xargs | cut -d " " -f 2 | cut -d "/" -f1)


# -----------------------------------------------------------------------------
# environment check (phase 1)
# -----------------------------------------------------------------------------
clear

# are you sure
out <<EOF
This script can be harmful and will remove already installed Jitsi if exists.
Don't use it on a working production server.
If you are sure then write YES (uppercase) and press enter to start!
EOF

read answer
if [[ "$answer" != "YES" ]]; then
    out <<EOF
Aborted! not approved, typed: $answer
EOF
    exit 1
fi


# whoami
out <<< "checking the user account..."
if [[ "$(whoami)" != "root" ]]; then
    out <<EOF
Aborted! You are not the root user: $(whoami)
Recommendation: Use the following command to be the 'root' user

    su -l
EOF
    exit 1
fi

# distro
out <<< "checking the distro..."
[[ $(command -v lsb_release) ]] && \
    DISTRO=$(lsb_release -c | cut -d: -f2 | xargs) || \
    DISTRO=$(grep VERSION_CODENAME /etc/os-release | cut -d= -f2)

if [[ "$DISTRO" = "jammy" ]] || \
   [[ "$DISTRO" = "noble" ]] || \
   [[ "$DISTRO" = "bookworm" ]]; then
    LUA="5.3"
    JDK="17"
else
    out <<EOF
Aborted! Your distro is not supported
Recommendation: Use a supported distribution:
    - Debian 12 Bookworm
    - Ubuntu 22.04 Jammy Jellyfish
    - Ubuntu 24.04 Noble Numbat
EOF
    exit 1
fi

# memory
out <<< "checking the total memory..."
MEM=$(cat /proc/meminfo | grep MemTotal | egrep -o "[0-9]*")
if [[ "$MEM" -lt 7000000 ]]; then
    out <<EOF
Aborted! Not enough memory: $MEM kB
Recommendation: The total memory should be at least 8 GB
EOF
    exit 1
fi

# jitsi host address
out <<< "checking Jitsi FQDN..."
if [[ -z "$JITSI_HOST" ]]; then
    out <<EOF
Aborted! Unknown Jitsi host address
Recommendation: Set Jitsi host address and try again, e.g.

    export JITSI_HOST=jitsi.yourdomain.com
EOF
    exit 1
fi

# jitsi fqdn
if [[ -z "$(echo $JITSI_HOST | egrep -o '[a-zA-Z]')" ]]; then
    out <<EOF
Aborted! Jitsi host address is not FQDN: $JITSI_HOST
Recommendation: Don't use an IP address, use a valid FQDN address
EOF
    exit 1
fi

# turn host address
out <<< "checking TURN FQDN..."
if [[ -z "$TURN_HOST" ]]; then
    out <<EOF
Aborted! Unknown TURN host address
Recommendation: Set TURN host address and try again, e.g.

    export TURN_HOST=turn.yourdomain.com
EOF
    exit 1
fi

# turn fqdn
if [[ -z "$(echo $TURN_HOST | egrep -o '[a-zA-Z]')" ]]; then
    out <<EOF
Aborted! TURN host address is not FQDN: $TURN_HOST
Recommendation: Don't use an IP address, use a valid FQDN address
EOF
    exit 1
fi

# jitsi == turn
if [[ "$JITSI_HOST" = "$TURN_HOST" ]]; then
    out <<EOF
Aborted! Jitsi host address and TURN host address are the same
Recommendation: Use different addresses for Jitsi and TURN, e.g.

    export JITSI_HOST=jitsi.yourdomain.com
    export TURN_HOST=turn.yourdomain.com
EOF
    exit 1
fi


# -----------------------------------------------------------------------------
# input check (extra)
# -----------------------------------------------------------------------------
# core
out <<< "checking the number of cores..."
CORES=$(nproc --all)
if [[ "$CORES" -lt 4 ]]; then
    out <<EOF
Aborted! Not enough cores: $CORES
Recommendation: It should be at least 4 cores
EOF
    exit 1
fi

# snd_aloop
out <<< "checking the snd-aloop support..."

if [[ "$DISTRO" = "jammy" ]]; then
    apt-get $APT_PROXY -y install linux-modules-extra-$(uname -r) \
        -o Dpkg::Options::="--force-confdef" \
        -o Dpkg::Options::="--force-confold"
fi

if [[ "$DISTRO" = "bookworm" ]]; then
    KERNEL="linux-image-$(dpkg --print-architecture)"
else
    KERNEL="linux-image-generic"
fi

modprobe snd_aloop 2>/dev/null || true
if [[ -z "$(grep snd_aloop /proc/modules)" ]]; then
    out <<EOF
Aborted! This kernel ($(uname -r)) does not support snd_aloop module.
Recommendation: Install the standard Linux kernel package and reboot with it.
                Probably it's the "$KERNEL" package in your case.
EOF
    exit 1
fi


# -----------------------------------------------------------------------------
# remove the old installation if exists
# -----------------------------------------------------------------------------
out <<< "removing the old installation if exists..."

systemctl stop virtual-camera-0.service || true
systemctl stop virtual-camera-1.service || true
systemctl stop excalidraw.service || true
systemctl stop sip-dial-plan.service || true
systemctl stop sip-xorg.service || true
systemctl stop jibri-xorg.service || true
systemctl stop jigasi.service || true
systemctl stop jitsi-videobridge2.service || true
systemctl stop jicofo.service || true
systemctl stop prosody.service || true
systemctl stop coturn.service || true
systemctl stop nginx.service || true
systemctl stop certbot.timer || true
systemctl stop certbot.service || true

apt-mark unhold 'jitsi-*' || true
apt-mark unhold jicofo || true
apt-mark unhold jibri || true
apt-mark unhold jigasi || true
apt-mark unhold google-chrome-stable || true

apt-get -y purge jibri || true
apt-get -y purge jigasi || true
apt-get -y purge 'jitsi-*' || true
apt-get -y purge jicofo || true
apt-get -y purge prosody || true
apt-get -y purge 'prosody-*' || true
apt-get -y purge coturn || true
apt-get -y purge nginx || true
apt-get -y purge 'nginx-*' || true
apt-get -y purge 'libnginx-*' || true
apt-get -y purge 'openjdk-*' || true
apt-get -y purge 'lua*' || true
apt-get -y purge 'liblua*' || true
apt-get -y purge 'adoptopenjdk-*' || true
apt-get -y purge certbot || true
apt-get -y purge ffmpeg || true
apt-get -y purge nodejs || true
apt-get -y purge chromium chromium-common chromium-driver || true
apt-get -y purge chromium-browser chromium-chromedriver || true
apt-get -y purge chromium-codecs-ffmpeg chromium-codecs-ffmpeg-extra || true
apt-get -y purge google-chrome-stable || true
apt-get -y purge va-driver-all vdpau-driver-all || true
apt-get -y purge "v4l2loopback-*" || true
apt-get -y purge build-essential || true
apt-get -y purge alsa-utils unclutter x11vnc || true
apt-get -y purge libv4l-dev libsdl2-dev libavcodec-dev libavdevice-dev \
    libavfilter-dev libavformat-dev libavutil-dev libswscale-dev \
    libasound2-dev libopus-dev libvpx-dev libssl-dev || true
apt-get -y autoremove --purge

deluser dev || true
delgroup dev || true
deluser excalidraw || true
delgroup excalidraw || true
deluser jibri || true
delgroup jibri || true

rm -rf /home/excalidraw
rm -rf /home/jibri
rm -rf /etc/chromium
rm -rf /etc/jitsi
rm -rf /etc/prosody
rm -rf /etc/coturn
rm -rf /etc/nginx
rm -rf /etc/opt/chrome
rm -rf /etc/systemd/system/jibri*
rm -rf /etc/systemd/system/sip-*
rm -rf /etc/systemd/system/certbot.service.d
rm -rf /etc/systemd/system/nginx.service.d
rm -rf /etc/systemd/system/prosody.service.d
rm -rf /etc/systemd/system/virtual-camera-*
rm -rf /opt/google
rm -rf /opt/jitsi
rm -rf /usr/lib/node_modules
rm -rf /usr/local/share/nginx
rm -rf /usr/share/jitsi-meet
rm -rf /usr/share/jitsi-videobridge
rm -rf /usr/share/jicofo
rm -rf /var/lib/prosody
rm -f  /etc/apt/sources.list.d/jitsi-stable.list
rm -f  /etc/apt/sources.list.d/jitsi.sources
rm -f  /etc/apt/sources.list.d/google-chrome.list
rm -f  /etc/apt/sources.list.d/google-chrome.sources
rm -f  /etc/apt/sources.list.d/prosody.list
rm -f  /etc/apt/sources.list.d/prosody.sources
rm -f  /etc/apt/sources.list.d/nodesource.list
rm -f  /etc/apt/sources.list.d/nodesource.sources
rm -f  /etc/modprobe.d/alsa-loopback.conf
rm -f  /etc/modprobe.d/v4l2loopback.conf
rm -f  /etc/sudoers.d/jibri
rm -f  /etc/sysctl.d/jitsi-inotify-watcher.conf
rm -f  /usr/local/bin/chromedriver
rm -f  /usr/local/bin/google-chrome
rm -f  /usr/local/bin/pjsua

find /usr/local/share/ca-certificates -xtype l -delete


# -----------------------------------------------------------------------------
# packages (base)
# -----------------------------------------------------------------------------
out <<< "installing base packages..."

for i in $(seq 3); do
    apt-get -y --allow-releaseinfo-change update && sleep 3 && break
done

apt-get $APT_PROXY -y install apt-utils \
    -o Dpkg::Options::="--force-confdef" \
    -o Dpkg::Options::="--force-confold"
apt-get $APT_PROXY -y upgrade \
    -o Dpkg::Options::="--force-confdef" \
    -o Dpkg::Options::="--force-confold"
apt-get $APT_PROXY -y install wget curl ca-certificates openssl
apt-get $APT_PROXY -y install apt-transport-https gnupg
apt-get $APT_PROXY -y install iputils-ping dnsutils
apt-get $APT_PROXY -y install tmux vim less ack jq rsync bzip2
apt-get $APT_PROXY -y install procps htop bmon
apt-get $APT_PROXY -y install net-tools ngrep ncat
apt-get $APT_PROXY -y install ssl-cert certbot
apt-get $APT_PROXY -y install gcc git


# -----------------------------------------------------------------------------
# environment check (phase 2)
# -----------------------------------------------------------------------------
# external ip
out <<< "checking the external IP..."

if [[ -n "$JITSI_IP" ]]; then
    EXTERNAL_IP=$JITSI_IP
else
    EXTERNAL_IP=$(dig -4 +short myip.opendns.com a @resolver1.opendns.com) \
        || true
fi

if [[ -z "$EXTERNAL_IP" ]]; then
    out <<EOF
Aborted! The external IP not found
Recommendation: Check if myip.opendns.com is accessible
EOF
    exit 1
fi

# jitsi host A record
out <<< "checking DNS record for $JITSI_HOST..."

if [[ -n "$JITSI_IP" ]]; then
    IP=$JITSI_IP
else
    IP=$(dig -4 +short $JITSI_HOST @resolver1.opendns.com | tail -1) || true
fi

if [[ -z "$IP" ]]; then
    out <<EOF
Aborted! $JITSI_HOST is not resolvable on Internet
Recommendation: Set DNS A record for $JITSI_HOST on a public DNS.

    If this is a test setup and you don't have a reachable address, export
    the public IP by setting JITSI_IP and disable LetsEncrypt certificate
    by setting DONT_SET_LETSENCRYPT. e.g.

    export JITSI_IP=$EXTERNAL_IP
    export DONT_SET_LETSENCRYPT=true
EOF
    exit 1
fi

# jitsi ip == external ip
out <<< "checking $JITSI_HOST resolved IP..."
if [[ "$IP" != "$EXTERNAL_IP" ]]; then
    out <<EOF
Aborted! $JITSI_HOST does not point to this server: $EXTERNAL_IP <> $IP
Recommendation: Set $EXTERNAL_IP as DNS A record for $JITSI_HOST

    If this is a test setup and you don't have a reachable address, export
    the public IP by setting JITSI_IP and disable LetsEncrypt certificate
    by setting DONT_SET_LETSENCRYPT. e.g.

    export JITSI_IP=$EXTERNAL_IP
    export DONT_SET_LETSENCRYPT=true
EOF
    exit 1
fi

# turn host A record
out <<< "checking DNS record for $TURN_HOST..."

if [[ -n "$JITSI_IP" ]]; then
    IP=$JITSI_IP
else
    IP=$(dig -4 +short $TURN_HOST @resolver1.opendns.com | tail -1) || true
fi

if [[ -z "$IP" ]]; then
    out <<EOF
Aborted! $TURN_HOST is not resolvable on Internet
Recommendation: Set DNS CNAME or A record for $TURN_HOST on a public DNS
EOF
    exit 1
fi

# turn ip == external ip
out <<< "checking $TURN_HOST resolved IP..."
if [[ "$IP" != "$EXTERNAL_IP" ]]; then
    out <<EOF
Aborted! $TURN_HOST does not point to this server: $EXTERNAL_IP <> $IP
Recommendation: Set $EXTERNAL_IP as DNS A record for $TURN_HOST
EOF
    exit 1
fi


# -----------------------------------------------------------------------------
# port availability check
# -----------------------------------------------------------------------------
out <<< "checking the availability of TCP ports..."
netstat -ltnp | egrep '^tcp' | while read -r l; do
    port=$(echo $l | awk '{print $4}' | rev | cut -d: -f1 | rev)
    for p in ${TCP[*]}; do
        if [[ "$p" = "$port" ]]; then
            prog=$(echo $l | cut -d/ -f2)
            proto=$(echo $l | awk '{print $1}')
            out <<EOF
Aborted! The port $proto/$port is already in use by $prog
Recommendation: disable this application or change its port
EOF
            exit 1
        fi
    done
done

out <<< "checking the availability of UDP ports..."
netstat -lunp | egrep '^udp' | while read -r l; do
    port=$(echo $l | awk '{print $4}' | rev | cut -d: -f1 | rev)
    for p in ${UDP[*]}; do
        if [[ "$p" = "$port" ]]; then
            prog=$(echo $l | cut -d/ -f2)
            proto=$(echo $l | awk '{print $1}')
            out <<EOF
Aborted! The port $proto/$port is already in use by $prog
Recommendation: remove this application or change its port
EOF
            exit 1
        fi
    done
done


# -----------------------------------------------------------------------------
# accessibility check
# -----------------------------------------------------------------------------
TEXT=$(openssl rand -hex 20)

out <<< "checking the checkmyport service..."
RES=$(timeout 8 curl -s "$CHECKMYPORT?proto=udp&port=60000&text=$TEXT" || true)
if [[ "$RES" != "ok" ]]; then
    out <<EOF
Aborted! The accessibility check failed
Recommendation: Check if $CHECKMYPORT is accessible
EOF
    [[ -z "$JITSI_IP" ]] && exit 1
fi

# tcp/80
out <<< "checking TCP/80 accessibility..."
(sleep 3 && \
    timeout 8 curl -s "$CHECKMYPORT?proto=tcp&port=80&text=$TEXT" \
    >/dev/null 2>&1 || true) &
RES=$(timeout 8 ncat -l 0.0.0.0 80 | tr -d '\0' || true)
if [[ "$RES" != "$TEXT" ]]; then
    out <<EOF
Aborted! TCP/80 is not accessible
Recommendation: Check firewall and NAT rules, allow TCP/80
EOF
    [[ -z "$JITSI_IP" ]] && exit 1
fi

# tcp/443
out <<< "checking TCP/443 accessibility..."
(sleep 3 && \
    timeout 8 curl -s "$CHECKMYPORT?proto=tcp&port=443&text=$TEXT" \
    >/dev/null 2>&1 || true) &
RES=$(timeout 8 ncat -l 0.0.0.0 443 | tr -d '\0' || true)
if [[ "$RES" != "$TEXT" ]]; then
    out <<EOF
Aborted! TCP/443 is not accessible
Recommendation: Check firewall and NAT rules, allow TCP/443
EOF
    [[ -z "$JITSI_IP" ]] && exit 1
fi

# udp/10000
out <<< "checking UDP/10000 accessibility..."
(sleep 3 && \
    timeout 8 curl -s "$CHECKMYPORT?proto=udp&port=10000&text=$TEXT" \
    >/dev/null 2>&1 || true) &
RES=$(timeout 8 ncat -u -l 0.0.0.0 10000 | tr -d '\0' || true)
if [[ "$RES" != "$TEXT" ]]; then
    out <<EOF
Aborted! UDP/10000 is not accessible
Recommendation: Check firewall and NAT rules, allow UDP/10000
EOF
    [[ -z "$JITSI_IP" ]] && exit 1
fi

# ports are ok
timeout 8 curl -s "$CHECKMYPORT?proto=udp&port=60000&text=ok-port" \
    >/dev/null || true


# -----------------------------------------------------------------------------
# packages
# -----------------------------------------------------------------------------
out <<< "installing Jitsi..."

# openjdk-xx-jre-headless
apt-get $APT_PROXY -y install openjdk-$JDK-jre-headless

# lua
apt-get $APT_PROXY -y install lua$LUA

# nodesource.list
wget -T 10 -qO /tmp/nodesource.gpg.key \
    https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key
cat /tmp/nodesource.gpg.key | gpg --dearmor \
    >/usr/share/keyrings/nodesource.gpg
if [[ "$DISTRO" = "jammy" ]] || \
   [[ "$DISTRO" = "bookworm" ]]; then
    wget -T 10 -O /etc/apt/sources.list.d/nodesource.list \
        $JITSI_TMPL/etc/apt/sources.list.d/nodesource.list
else
    wget -T 10 -O /etc/apt/sources.list.d/nodesource.sources \
        $JITSI_TMPL/etc/apt/sources.list.d/nodesource.sources
fi

# prosody sources.list
wget -T 10 -qO /tmp/prosody.gpg.key \
    https://prosody.im/files/prosody-debian-packages.key
cat /tmp/prosody.gpg.key | gpg --dearmor > /usr/share/keyrings/prosody.gpg
if [[ "$DISTRO" = "jammy" ]] || \
   [[ "$DISTRO" = "bookworm" ]]; then
    wget -T 10 -O /etc/apt/sources.list.d/prosody.list \
        $JITSI_TMPL/etc/apt/sources.list.d/prosody.list.$DISTRO
else
    wget -T 10 -O /etc/apt/sources.list.d/prosody.sources \
        $JITSI_TMPL/etc/apt/sources.list.d/prosody.sources.$DISTRO
fi

# jitsi-meet
wget -T 10 -qO /tmp/jitsi.gpg.key https://download.jitsi.org/jitsi-key.gpg.key
cat /tmp/jitsi.gpg.key | gpg --dearmor > /usr/share/keyrings/jitsi.gpg
if [[ "$DISTRO" = "jammy" ]] || \
   [[ "$DISTRO" = "bookworm" ]]; then
    wget -T 10 -O /etc/apt/sources.list.d/jitsi-stable.list \
        $JITSI_TMPL/etc/apt/sources.list.d/jitsi-stable.list
else
    wget -T 10 -O /etc/apt/sources.list.d/jitsi.sources \
        $JITSI_TMPL/etc/apt/sources.list.d/jitsi.sources
fi

apt-get update
debconf-set-selections <<< \
    "jicofo jitsi-videobridge/jvb-hostname string $JITSI_HOST"
debconf-set-selections <<< \
    "jitsi-meet-web-config jitsi-meet/cert-choice select Generate a new self-signed certificate"
apt-get $APT_PROXY -y --install-recommends install jitsi-meet prosody
apt-get $APT_PROXY -y install libnginx-mod-stream
apt-get $APT_PROXY -y install nodejs
apt-mark hold 'jitsi-*' jicofo

# packages are ok
timeout 8 curl -s "$CHECKMYPORT?proto=udp&port=60000&text=ok-package" \
    >/dev/null || true


# -----------------------------------------------------------------------------
# packages (extra)
# -----------------------------------------------------------------------------
out <<< "installing jibri packages..."

wget -T 10 -qO /tmp/google-chrome.gpg.key \
    https://dl.google.com/linux/linux_signing_key.pub
apt-key add /tmp/google-chrome.gpg.key
wget -T 10 -O /etc/apt/sources.list.d/google-chrome.list \
    $JIBRI_TMPL/etc/apt/sources.list.d/google-chrome.list

apt-get -y --allow-releaseinfo-change update
apt-get $APT_PROXY -y install kmod alsa-utils
apt-get $APT_PROXY -y install libnss3-tools unzip unclutter
apt-get $APT_PROXY -y install va-driver-all vdpau-driver-all
apt-get $APT_PROXY -y --install-recommends install ffmpeg
apt-get $APT_PROXY -y --install-recommends install google-chrome-stable
apt-mark hold google-chrome-stable

CHROME_VER=$(dpkg -s google-chrome-stable | egrep "^Version" | \
    cut -d " " -f2 | cut -d "-" -f1)
CHROME_STORE="https://storage.googleapis.com/chrome-for-testing-public"
CHROMEDRIVER="$CHROME_STORE/${CHROME_VER}/linux64/chromedriver-linux64.zip"
wget -T 30 -qO /tmp/chromedriver-linux64.zip $CHROMEDRIVER

rm -rf /tmp/chromedriver-linux64
unzip -o /tmp/chromedriver-linux64.zip -d /tmp
mv /tmp/chromedriver-linux64/chromedriver /usr/local/bin/
chmod 755 /usr/local/bin/chromedriver

apt-get $APT_PROXY -y install x11vnc
apt-get $APT_PROXY -y install sudo
apt-get $APT_PROXY -y install jibri
apt-mark hold jibri

apt-get -y purge upower
apt-get -y --purge autoremove

# jibri packages are ok
timeout 8 curl -s "$CHECKMYPORT?proto=udp&port=60000&text=ok-package-jibri" \
    >/dev/null || true


# -----------------------------------------------------------------------------
# backup
# -----------------------------------------------------------------------------
out <<< "backups..."

# jitsi-meet
cp $JITSI_MEET_CONFIG $JITSI_MEET_CONFIG.org

# coturn
cp /etc/turnserver.conf /etc/turnserver.conf.org

# prosody
cp /etc/prosody/prosody.cfg.lua /etc/prosody/prosody.cfg.lua.org
cp $PROSODY_CONFIG $PROSODY_CONFIG.org

# jicofo
cp /etc/jitsi/jicofo/config /etc/jitsi/jicofo/config.org
cp /etc/jitsi/jicofo/jicofo.conf /etc/jitsi/jicofo/jicofo.conf.org

# jvb
cp /etc/jitsi/videobridge/config /etc/jitsi/videobridge/config.org
cp /etc/jitsi/videobridge/jvb.conf /etc/jitsi/videobridge/jvb.conf.org

# nginx
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.org
cp $NGINX_CONFIG $NGINX_CONFIG.org


# -----------------------------------------------------------------------------
# backup (extra)
# -----------------------------------------------------------------------------
cp /etc/modules /etc/modules.org
cp /etc/hosts /etc/hosts.org
cp /usr/share/jitsi-meet/body.html /usr/share/jitsi-meet/body.html.org


# -----------------------------------------------------------------------------
# configuration (extra)
# -----------------------------------------------------------------------------
out <<< "jibri related configuration..."

# snd_aloop
[[ -z "$(egrep '^snd_aloop' /etc/modules)" ]] && echo snd_aloop >>/etc/modules

# hosts
sed -i -E "s/(\s)$JITSI_HOST/\1/" /etc/hosts
sed -i -E "/^[0-9.]+\s*$/d" /etc/hosts
sed -i "/127.0.2.1\s/d" /etc/hosts
sed -i "$ a 127.0.2.1 $JITSI_HOST" /etc/hosts

# google chrome
mkdir -p /etc/opt/chrome/policies/managed
wget -T 10 -O /etc/opt/chrome/policies/managed/jibri_policies.json \
    $JIBRI_TMPL/etc/opt/chrome/policies/managed/jibri_policies.json


# -----------------------------------------------------------------------------
# self-signed certificates
# -----------------------------------------------------------------------------
out <<< "self-signed certificates..."

ln -sf /etc/jitsi/meet/*.crt /usr/local/share/ca-certificates/
update-ca-certificates -f

# self-signed certificates is ok
timeout 8 curl -s "$CHECKMYPORT?proto=udp&port=60000&text=ok-conf-selfcerts" \
    >/dev/null || true


# -----------------------------------------------------------------------------
# certbot
# -----------------------------------------------------------------------------
out <<< "configuring Certbot..."

mkdir -p /etc/systemd/system/certbot.service.d
wget -T 10 -O /etc/systemd/system/certbot.service.d/override.conf \
    $JITSI_TMPL/etc/systemd/system/certbot.service.d/override.conf
systemctl daemon-reload

# certbot config is ok
timeout 8 curl -s "$CHECKMYPORT?proto=udp&port=60000&text=ok-conf-certbot" \
    >/dev/null || true


# -----------------------------------------------------------------------------
# coturn
# -----------------------------------------------------------------------------
out <<< "configuring Coturn..."

cat >>/etc/turnserver.conf <<EOF

# the following lines added by installer
listening-ip=$PUBLIC_IP
allowed-peer-ip=$PUBLIC_IP
no-udp
EOF

adduser turnserver ssl-cert
systemctl restart coturn.service

# coturn config is ok
timeout 8 curl -s "$CHECKMYPORT?proto=udp&port=60000&text=ok-conf-coturn" \
    >/dev/null || true


# -----------------------------------------------------------------------------
# prosody
# -----------------------------------------------------------------------------
out <<< "configuring Prosody..."

mkdir -p /etc/systemd/system/prosody.service.d
wget -T 10 -O /etc/systemd/system/prosody.service.d/override.conf \
    $JITSI_TMPL/etc/systemd/system/prosody.service.d/override.conf

wget -T 10 -O /etc/prosody/conf.avail/network.cfg.lua \
    $JITSI_TMPL/etc/prosody/conf.avail/network.cfg.lua
ln -s ../conf.avail/network.cfg.lua /etc/prosody/conf.d/

sed -i "/rate *=.*kb.s/  s/[0-9]*kb/1024kb/" /etc/prosody/prosody.cfg.lua
sed -i "s/^-- \(https_ports = { };\)/\1/" $PROSODY_CONFIG
sed -i "/turns.*tcp/ s/host\s*=[^,]*/host = \"$TURN_HOST\"/" $PROSODY_CONFIG
sed -i "/turns.*tcp/ s/5349/443/" $PROSODY_CONFIG
sed -i '/^plugin_paths/ s~ }~, "/usr/share/jitsi-meet/prosody-plugins-contrib/" }~' \
    $PROSODY_CONFIG

# jitsi-contrib-prosody-plugins
wget -T 10 -O /tmp/v$PROSODY_PLUGINS_VERSION.tar.gz $PROSODY_PLUGINS_ARCHIVE
tar -xf /tmp/v$PROSODY_PLUGINS_VERSION.tar.gz
mv prosody-plugins-$PROSODY_PLUGINS_VERSION \
    /usr/share/jitsi-meet/prosody-plugins-contrib

# extra
sed -i 's/-- muc_lobby_whitelist/muc_lobby_whitelist/' $PROSODY_CONFIG
sed -i "/muc_password_whitelist =/a \
\        \"recorder@recorder.$JITSI_HOST\"," $PROSODY_CONFIG

# prosody restart
systemctl daemon-reload
systemctl restart prosody.service
sleep 3

# prosody accounts (extra)
PASSWD1=$(openssl rand -hex 20)
PASSWD2=$(openssl rand -hex 20)

prosodyctl unregister jibri auth.$JITSI_HOST || true
prosodyctl register jibri auth.$JITSI_HOST $PASSWD1
prosodyctl unregister recorder recorder.$JITSI_HOST || true
prosodyctl register recorder recorder.$JITSI_HOST $PASSWD2

# prosody config is ok
timeout 8 curl -s "$CHECKMYPORT?proto=udp&port=60000&text=ok-conf-prosody" \
    >/dev/null || true


# -----------------------------------------------------------------------------
# jicofo
# -----------------------------------------------------------------------------
out <<< "configuring Jicofo..."

# add the custom config
cat >>/etc/jitsi/jicofo/config <<EOF

# set the maximum memory for the jicofo daemon
JICOFO_MAX_MEMORY=3072m
EOF

# add enable-auto-owner
hocon -f /etc/jitsi/jicofo/jicofo.conf \
    set jicofo.conference.enable-auto-owner true

# extra
hocon -f /etc/jitsi/jicofo/jicofo.conf \
    set jicofo.jibri.brewery-jid "\"JibriBrewery@internal.auth.$JITSI_HOST\""
hocon -f /etc/jitsi/jicofo/jicofo.conf \
    set jicofo.jibri.pending-timeout "90 seconds"

# jicofo restart
systemctl restart jicofo.service

# jicofo config is ok
timeout 8 curl -s "$CHECKMYPORT?proto=udp&port=60000&text=ok-conf-jicofo" \
    >/dev/null || true


# -----------------------------------------------------------------------------
# jitsi-meet (extra)
# -----------------------------------------------------------------------------
out <<< "configuring jitsi-meet..."

wget -T 10 -O /usr/share/jitsi-meet/static/branding.json \
    $JITSI_TMPL/usr/share/jitsi-meet/static/branding.json
wget -T 10 -O /tmp/config.branding.js \
    $JITSI_TMPL/etc/jitsi/meet/config.branding.js
cat /tmp/config.branding.js >>$JITSI_MEET_CONFIG

wget -T 10 -O /tmp/config.whiteboard.js \
    $JITSI_TMPL/etc/jitsi/meet/config.whiteboard.js
cat /tmp/config.whiteboard.js >>$JITSI_MEET_CONFIG

wget -T 10 -O /tmp/config.recording.js \
    $JITSI_TMPL/etc/jitsi/meet/config.recording.js
cat /tmp/config.recording.js >>$JITSI_MEET_CONFIG

wget -T 10 -O /tmp/config.livestreaming.js \
    $JITSI_TMPL/etc/jitsi/meet/config.livestreaming.js
cat /tmp/config.livestreaming.js >>$JITSI_MEET_CONFIG

wget -T 10 -O /tmp/config.hiddendomain.js \
    $JITSI_TMPL/etc/jitsi/meet/config.hiddendomain.js
cat /tmp/config.hiddendomain.js >>$JITSI_MEET_CONFIG

sed -i "s/___JITSI_FQDN___/$JITSI_HOST/" $JITSI_MEET_CONFIG

# jitsi-meet config is ok
timeout 8 curl -s "$CHECKMYPORT?proto=udp&port=60000&text=ok-conf-jitsi-meet" \
    >/dev/null || true


# -----------------------------------------------------------------------------
# nginx
# -----------------------------------------------------------------------------
out <<< "configuring Nginx..."

mkdir -p /etc/systemd/system/nginx.service.d
wget -T 10 -O /etc/systemd/system/nginx.service.d/override.conf \
    $JITSI_TMPL/etc/systemd/system/nginx.service.d/override.conf

sed -i "/worker_connections/ s/\\S*;/8192;/" \
    /etc/nginx/nginx.conf

mkdir -p /usr/local/share/nginx/modules-available
wget -T 10 -O /usr/local/share/nginx/modules-available/jitsi-meet.conf \
    $JITSI_TMPL/usr/local/share/nginx/modules-available/jitsi-meet.conf
sed -i "s/___LOCAL_IP___/$PUBLIC_IP/" \
    /usr/local/share/nginx/modules-available/jitsi-meet.conf
sed -i "s/___TURN_HOST___/$TURN_HOST/" \
    /usr/local/share/nginx/modules-available/jitsi-meet.conf

wget -T 10 -O /etc/nginx/sites-available/$JITSI_HOST.conf \
    $JITSI_TMPL/etc/nginx/sites-available/jms.conf
sed -i "s/___JITSI_HOST___/$JITSI_HOST/" $NGINX_CONFIG
sed -i "s/___TURN_HOST___/$TURN_HOST/" $NGINX_CONFIG

ln -s /usr/local/share/nginx/modules-available/jitsi-meet.conf \
    /etc/nginx/modules-enabled/99-jitsi-meet-custom.conf
rm /etc/nginx/sites-enabled/default

mkdir -p /etc/jitsi/meet/jaas
wget -T 10 -O /etc/jitsi/meet/jaas/excalidraw.conf \
    $JITSI_TMPL/etc/jitsi/meet/jaas/excalidraw.conf
wget -T 10 -O /etc/jitsi/meet/jaas/recording.conf \
    $JITSI_TMPL/etc/jitsi/meet/jaas/recording.conf

systemctl daemon-reload
systemctl stop nginx.service
systemctl start nginx.service

# nginx config is ok
timeout 8 curl -s "$CHECKMYPORT?proto=udp&port=60000&text=ok-conf-nginx" \
    >/dev/null || true


# -----------------------------------------------------------------------------
# jvb
# -----------------------------------------------------------------------------
out <<< "configuring JVB..."

# add the custom config
cat >>/etc/jitsi/videobridge/config <<EOF

# set the maximum memory for the JVB daemon
VIDEOBRIDGE_MAX_MEMORY=3072m
EOF

# enable colibri rest api
hocon -f /etc/jitsi/videobridge/jvb.conf \
    set videobridge.apis.rest.enabled true

# explicitly define UDP port
hocon -f /etc/jitsi/videobridge/jvb.conf \
    set videobridge.ice.udp.port 10000

# enable NAT harvester if there is a forced external IP
if [[ -n "$JITSI_IP" ]] && [[ "$JITSI_IP" != "$PUBLIC_IP" ]]; then
    cat >>/etc/jitsi/videobridge/sip-communicator.properties <<EOF
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=$PUBLIC_IP
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=$JITSI_IP
EOF
    sed -i "/STUN_MAPPING_HARVESTER_ADDRESSES/ s/^org/#org/" \
        /etc/jitsi/videobridge/sip-communicator.properties

    hocon -f /etc/jitsi/videobridge/jvb.conf \
        set videobridge.health.require-valid-address false
fi

systemctl restart jitsi-videobridge2.service

# jvb config is ok
timeout 8 curl -s "$CHECKMYPORT?proto=udp&port=60000&text=ok-conf-jvb" \
    >/dev/null || true


# -----------------------------------------------------------------------------
# excalidraw
# -----------------------------------------------------------------------------
out <<< "installing excalidraw..."

# excalidraw user
adduser excalidraw --system --group --disabled-password --shell /bin/bash \
    --home /home/excalidraw

# excalidraw-backend app
su -l excalidraw <<EOF
    git clone https://github.com/jitsi/excalidraw-backend.git
    cd excalidraw-backend
    echo -n "PORT=3002" >.env.production
    sed -i '/collectDefaultMetrics/ i \    createServer: false,' src/index.ts

    npm install
    npm run build
EOF

# excalidraw service
wget -T 10 -O /etc/systemd/system/excalidraw.service \
    $JITSI_TMPL/etc/systemd/system/excalidraw.service

systemctl enable excalidraw.service
systemctl start excalidraw.service

# excalidraw is ok
timeout 8 curl -s "$CHECKMYPORT?proto=udp&port=60000&text=ok-excalidraw" \
    >/dev/null || true


# -----------------------------------------------------------------------------
# lets encrypt
# -----------------------------------------------------------------------------
if [[ "$DONT_SET_LETSENCRYPT" != true ]]; then
    out <<< "setting Let's Encrypt certificates..."

    certbot certonly --dry-run --non-interactive -m info@$JITSI_HOST \
        --agree-tos --duplicate --webroot -w /usr/share/jitsi-meet \
        -d $JITSI_HOST,$TURN_HOST || true

    sleep 3

    certbot certonly --non-interactive -m info@$JITSI_HOST \
        --agree-tos --duplicate --webroot -w /usr/share/jitsi-meet \
        -d $JITSI_HOST,$TURN_HOST

    rm -f /etc/jitsi/meet/$JITSI_HOST.crt
    rm -f /etc/jitsi/meet/$JITSI_HOST.key
    ln -s /etc/letsencrypt/live/$JITSI_HOST/fullchain.pem \
        /etc/jitsi/meet/$JITSI_HOST.crt
    ln -s /etc/letsencrypt/live/$JITSI_HOST/privkey.pem \
        /etc/jitsi/meet/$JITSI_HOST.key

    out <<< "restarting Certbot..."
    systemctl restart certbot.service

    out <<< "restarting Coturn..."
    systemctl restart coturn.service

    out <<< "restarting Nginx..."
    systemctl restart nginx.service

    # tls is ok
    timeout 8 curl -s "$CHECKMYPORT?proto=udp&port=60000&text=ok-tls" \
        >/dev/null || true
fi


# -----------------------------------------------------------------------------
# jibri related (extra)
# -----------------------------------------------------------------------------
# icewm
mkdir -p /home/jibri/.icewm
wget -T 10 -O /home/jibri/.icewm/startup $JIBRI_TMPL/home/jibri/.icewm/startup
chmod 755 /home/jibri/.icewm/startup

# jibri
chsh -s /bin/bash jibri
usermod -aG adm,audio,video,plugdev jibri
chown jibri:jibri /home/jibri

mkdir -p /usr/local/recordings
chown jibri:jibri /usr/local/recordings -R

wget -T 10 -O /etc/jitsi/jibri/jibri.conf $JIBRI_TMPL/etc/jitsi/jibri/jibri.conf
sed -i "s/___JITSI_HOST___/$JITSI_HOST/" /etc/jitsi/jibri/jibri.conf
sed -i "s/___PASSWD1___/$PASSWD1/" /etc/jitsi/jibri/jibri.conf
sed -i "s/___PASSWD2___/$PASSWD2/" /etc/jitsi/jibri/jibri.conf

wget -T 10 -O /usr/local/bin/finalize_recording.sh \
    $JIBRI_TMPL/usr/local/bin/finalize_recording.sh
chmod 755 /usr/local/bin/finalize_recording.sh

wget -T 10 -O /usr/local/bin/ffmpeg $JIBRI_TMPL/usr/local/bin/ffmpeg
chmod 755 /usr/local/bin/ffmpeg

systemctl daemon-reload
systemctl enable jibri.service
systemctl start jibri.service

# jibri, recorded file link as a private message
wget -T 10 -O /usr/share/jitsi-meet/body.html \
    $JIBRI_TMPL/usr/share/jitsi-meet/body.html
sed -i "s/___JITSI_HOST___/$JITSI_HOST/" /usr/share/jitsi-meet/body.html

# jibri, vnc
mkdir -p /home/jibri/.vnc
x11vnc -storepasswd jibri /home/jibri/.vnc/passwd
chown jibri:jibri /home/jibri/.vnc -R

# jibri, Xdefaults
wget -T 10 -O /home/jibri/.Xdefaults $JIBRI_TMPL/home/jibri/.Xdefaults

# jibri configuration is ok
timeout 8 curl -s "$CHECKMYPORT?proto=udp&port=60000&text=ok-conf-jibri" \
    >/dev/null || true


# -----------------------------------------------------------------------------
# completed (extra)
# -----------------------------------------------------------------------------
timeout 8 curl -s "$CHECKMYPORT?proto=udp&port=60000&text=ok-jibri" \
    >/dev/null || true


# -----------------------------------------------------------------------------
# completed
# -----------------------------------------------------------------------------
timeout 8 curl -s "$CHECKMYPORT?proto=udp&port=60000&text=ok-completed" \
    >/dev/null || true

END_TIME=$(date +%s)
DURATION=$(date -u -d "0 $END_TIME seconds - $START_TIME seconds" +"%H:%M:%S")
COMPLETED=true