Installation of Jitsi Meet

Once I took care of my Matrix-Synapse server I also wanted to upgrade the OS of my Jitsi Meet server, which of course would force me to re-install everything. Getting a basic Jitsi setup running is quite easy. However, each time I install it I struggle with the right sequence of steps and try to remember what I usually customize. So I’m putting it down here now.

For this setup I assume you are running Ubuntu 20.04 LTS as the operating system and that there is a valid DNS record for your domain pointing to your server. You will find Jitsi’s documentation here.

Prerequisites

Repositories

Once the operating system is installed and you have done some basic hardening (sshd settings, users, fail2ban, firewall, etc.) we can start by adding two new software repositories: one for Prosody and one for Jitsi itself:

  • Prosody:
    
    $ apt install wget curl
    $ wget https://prosody.im/files/prosody-debian-packages.key -O /usr/share/keyrings/prosody-keyring.gpg
    $ echo "deb [signed-by=/usr/share/keyrings/prosody-keyring.gpg] https://packages.prosody.im/debian focal main" > /etc/apt/sources.list.d/prosody.list
    
  • Jitsi:
    
    $ curl https://download.jitsi.org/jitsi-key.gpg.key | gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg
    $ echo "deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/" > /etc/apt/sources.list.d/jitsi.list
    $ apt update
    

Install software

UPDATE: as of April 2022 Jitsi does not seem to be compatible with Prosody 0.12, so replace prosody with prosody-0.11 below!

Let’s install some packages which will be required (snapd and fuse are optional, but required if you’d like to install certbot for generating ssl certificates):

$ apt install openjdk-11-jre apt-transport-https coturn nginx prosody snapd fuse

Install certbot:

$ snap install core; snap refresh core
$ snap install --classic certbot

Get SSL certificates

Open firewall ports 80 and 443 for nginx. If you’re using ufw:

$ ufw allow 80/tcp
$ ufw allow 443/tcp

…and get the certificates (certonly: this will not modify your nginx config):

$ certbot certonly --nginx

Additional firewall ports

We need to open some additional firewall ports for Coturn:

$ ufw allow 10000/udp
$ ufw allow 3478/udp
$ ufw allow 5349/tcp

systemd limits

Check some limits:

$ systemctl show --property DefaultLimitNPROC
$ systemctl show --property DefaultLimitNOFILE
$ systemctl show --property DefaultTasksMax

Each command should return at least 65000. If not, edit /etc/systemd/system.conf and reload systemd:

$ systemctl daemon-reload
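
The check above as one script, added here as an example and not part of the original post: it reads the three properties and names those that are under the 65000 minimum. The sample values are constructed, and below_minimum and sample_output are names made up for this example.

```shell
#!/bin/sh
# Added example: report which systemd manager defaults are under the minimum.
MIN_LIMIT=65000   # threshold given in the text

# below_minimum: read "Property=value" lines on stdin and print the name of
# each property whose value is under MIN_LIMIT. "infinity" always passes; a
# value that is not a plain number is reported, since it cannot be verified.
below_minimum() {
    while IFS='=' read -r name value; do
        [ -n "$name" ] || continue
        case $value in
            infinity) continue ;;
            '' | *[!0-9]*) echo "$name"; continue ;;
        esac
        [ "$value" -ge "$MIN_LIMIT" ] || echo "$name"
    done
}

# Constructed sample of `systemctl show` output (not taken from a real host).
sample_output() {
    cat <<'EOF'
DefaultLimitNPROC=63304
DefaultLimitNOFILE=524288
DefaultTasksMax=infinity
EOF
}

# On the server itself, feed the live values instead of the sample:
#   systemctl show -p DefaultLimitNPROC -p DefaultLimitNOFILE -p DefaultTasksMax | below_minimum
# Each name printed is also the key to raise in the [Manager] section of
# /etc/systemd/system.conf.
sample_output | below_minimum   # prints DefaultLimitNPROC
```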

Install Jitsi

Finally install Jitsi:

$ apt install jitsi-meet

You will have to enter your domain name at some point. Choose “I want to use my own certificate” when asked for SSL certificates. You will then have to enter the path to your key and certificate file manually. (Let’s Encrypt usually stores them here: /etc/letsencrypt/live/<YOUR_DOMAIN>/). Jitsi packages will then take care of configuring nginx, coturn and prosody.

Configuration

Though everything should work by now, it’s probably not a bad idea to do a little tweaking…

nginx

As it’s quite unlikely you need the “default” site, you can just remove it:

$ unlink /etc/nginx/sites-enabled/default

I tend to set server_tokens off; in /etc/nginx/nginx.conf and also remove TLSv1 TLSv1.1 from the ssl_protocols line.

Coturn

By default coturn will run with root privileges, which I consider a bad idea. To change that, add

proc-user=turnserver
proc-group=turnserver

to /etc/turnserver.conf, then change ownership and mode:

$ chgrp turnserver /etc/turnserver.conf
$ chmod 640 /etc/turnserver.conf

Of course, coturn now has no access to the SSL certificates anymore. You could either work with ACLs or just copy the certificate and key to another location and make them readable for the group “turnserver”. Of course you have to remember to copy the certificates again as soon as you renew them. I would not alter the permissions of the original Let’s Encrypt files though. Do not forget to set the new path in /etc/turnserver.conf as well (cert= and key=).
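
One way to automate that copy on every renewal, as an added example that is not part of the original post: a certbot deploy hook that places the certificate and key in a directory readable only by its owner and the turnserver group. The destination /etc/coturn/certs, the hook file name and the function name copy_turn_certs are assumptions; RENEWED_LINEAGE is set by certbot when it runs deploy hooks.

```shell
#!/bin/sh
# Added example: certbot deploy hook, saved for instance as
# /etc/letsencrypt/renewal-hooks/deploy/coturn-certs (file name is an assumption).
TURN_CERT_DIR=${TURN_CERT_DIR:-/etc/coturn/certs}   # assumed destination
TURN_GROUP=${TURN_GROUP:-turnserver}                # group set via proc-group

# copy_turn_certs LINEAGE_DIR DEST_DIR GROUP
# Copies chain and key so that GROUP can read them and "other" cannot.
# Returns non-zero without creating anything if either source file is missing.
copy_turn_certs() {
    src=$1 dst=$2 grp=$3
    [ -r "$src/fullchain.pem" ] && [ -r "$src/privkey.pem" ] || return 1
    # Create the directory first, closed to "other", so the key is never
    # reachable by unrelated accounts while it is being written.
    install -d -m 0750 -g "$grp" "$dst" || return 1
    # install follows the symlinks in live/<domain>/ and sets mode and group
    # on the copy; the original Let's Encrypt files are left untouched.
    install -m 0640 -g "$grp" "$src/fullchain.pem" "$dst/fullchain.pem" || return 1
    install -m 0640 -g "$grp" "$src/privkey.pem" "$dst/privkey.pem" || return 1
}

# certbot exports RENEWED_LINEAGE (/etc/letsencrypt/live/<domain>) to deploy
# hooks; outside of a renewal the script does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    copy_turn_certs "$RENEWED_LINEAGE" "$TURN_CERT_DIR" "$TURN_GROUP" &&
        systemctl restart coturn
fi
```

The certificate and key paths in /etc/turnserver.conf then point at the copies in the destination directory.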

Jitsi

Customizing Jitsi is a little annoying as some stuff will be overwritten on each update. You can for example replace the “welcome” image, located at /usr/share/jitsi-meet/images/welcome-background.png, with something you like, but you will lose that as soon as Jitsi is updated. I think they will put more options into the configuration files in /etc/jitsi in the future. Alterations made there will not be overwritten then.

If you would like to restrict access to your Jitsi instance simply follow their secure domain guide. It used to be quite a mess but now it works fine.

Restart services

As a last step you’ll have to either restart each service…

$ for i in nginx coturn prosody jicofo jitsi-videobridge2; do systemctl restart $i; done

…or simply reboot your server (will be good to check whether everything’s coming up upon reboot anyway).

That’s it :-)

This post is licensed under CC BY-SA 4.0 by the author.