diff --git a/README.md b/README.md index 154fbef62296bd99a4d7dda9ca9334eb38ab5866..83e3735c924fd2bd4cceee525fcb2e815850d1eb 100644 --- a/README.md +++ b/README.md @@ -26,6 +26,28 @@ Installed with a Linux distribution of your choice. To run OpenTalk with this deployment method, you need to have the `docker engine` and the plugin `compose` to be installed. Please refer to the official documentation for **[docker engine](https://docs.docker.com/engine/install)** and the **[docker compose plugin](https://docs.docker.com/compose/install/linux)**. +We define the running application stack via a `docker-compose.yaml` file and we use the feature **[profiles](https://docs.docker.com/compose/profiles/)** to handle different deployment scenarios. + +In the current state, the configuration that is ready to use out-of-the-box, covers the services tagged with the profile `core`. + +| Service | core | +|--------------|-----------| +| Keycloak | X | +| postgresql | X | +| autoheal | X | +| rabbitmq | X | +| redis | X | +| web-frontend | X | +| controller | X | +| minio | X | +| janus-gateway| X | +| obelisk | | +| smtp-mailer | | +| spacedeck | | +| etherpad | | + +Of course, you can **extend** the OpenTalk lite setup to run all services available in the `docker-compose.yaml` file. However, this requires further configuration steps that are not part of this quick install guide. We will provide instructions for an extended setup later. + ### open Firewall ports Ensure, that the ports `80/tcp`, `443/tcp` and `20000-25000/udp` are opened in your firewall and accessible from public. 
@@ -46,8 +68,8 @@ Get valid SSL certificates for your DNS records at the certificate authority of Set up a reverse proxy that terminates the SSL connections and forward the requests to the appropriate OpenTalk upstream services. When you use the default ports, the services listen on the following ports on the local interface: -- frontend: localhost:8090 -- controller: localhost:8080 +- frontend: localhost:8080 +- controller: localhost:8090 - keycloak: localhost:8087 We recommend using nginx as reverse-proxy. Please refer the [official nginx documentation](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/) for further information. diff --git a/config/controller.toml.sample b/config/controller.toml.sample index 2b103c53128fb23eeff820f1b9af54d10e550a4b..f1e29c27f541b738a64472f47e49cdc0d6d3f4ab 100644 --- a/config/controller.toml.sample +++ b/config/controller.toml.sample 
@@ -1,36 +1,191 @@ +# SPDX-FileCopyrightText: OpenTalk GmbH <mail@opentalk.eu> +# +# SPDX-License-Identifier: EUPL-1.2 + +[logging] +# Default tracing directives that will always be applied after RUST_LOG's directives. +# Each array entry may contain a single directive. +# Below are some example directives which are used by default +# to reduce the extreme amount of spamming some crates do by default +#default_directives = [ +# "pinky_swear=OFF", +# "rustls=WARN", +# "mio=ERROR", +# "lapin=WARN", +#] + +# Specify an optional jaeger agent endpoint to export traces to +#jaeger_agent_endpoint = "localhost:6831" + +# Service name when using opentelemetry +#service_name = "opentalk-controller" + + [database] -url = "postgres://ot:<MyPostgresPW>@postgres:5432/k3k" +# URL used to connect to a postgres. +url = "postgres://ot:<MyPostgresPW>@postgres:5432/opentalk" + +# Maximum number of connections allowed to the server. +# Defaults to 100 which is the default of postgres. +#max_connections = 100 + +# Minimum number of connections that are at least open. +# If load increases the controller will open new connection, at most max_connections many. +# Defaults to 10 +#min_idle_connections = 10 [http] +# The port to bind the HTTP Server to (defaults to 11311). port = 11311 +# URLs that requests are allowed from. Leave empty to allow all. cors.allowed_origin = ["https://<MyOtDomain>"] +# Settings for the keycloak which is the user provider +# and allows authentication via OIDC [keycloak] +# URL to the keycloak base_url = "https://accounts.<MyOtDomain>/auth" +# Name of the keycloak realm realm = "opentalk" +# Client ID client_id = "OtBackend" +# Client secret (application requires confidential client). 
client_secret = "<MyKcClientSecret>" [room_server] -max_video_bitrate = "1600000" -max_screen_bitrate = "8000000" +# Maximum bitrate allowed for media sessions that will be used to transmit webcam video/audio +max_video_bitrate = "800000" +# Maximum bitrate allowed for media sessions used for screen share +max_screen_bitrate = "1200000" + +# Number of packets with with given `speaker_focus_level` +# needed to detect a speaking participant. +# +# Default: 50 packets (1 second of audio) +#speaker_focus_packets = "50" + +# Average value of audio level needed per packet. +# +# min: 127 (muted) +# max: 0 (loud) +# default: 50 +#speaker_focus_level = "50" + +# Connection settings for the channel used to talk to the room server. +# Currently these should be equal to the settings in janus.transport.rabbitmq.jcfg +# of the respective janus instance. [[room_server.connections]] to_routing_key = "to-janus" exchange = "janus-exchange" from_routing_key = "from-janus" + [rabbit_mq] +# The URL to use to connect to the rabbit mq broker +#url = "amqp://username:password@host/%2F" + +# The rabbitmq queue name for the mail worker, +# mailing is disabled when this is not set. +#mail_task_queue = "opentalk_mailer" + +# The rabbitmq queue name for the recorder, +# recording is disabled when this is not set. 
+#recording_task_queue = "opentalk_recorder" + +# Minimum amount of connections to retain when removing stale connections +#min_connections = 10 + +# Maximum number of amqp channels per connection +#max_channels_per_connection = 100 url = "amqp://rabbit/%2F" mail_task_queue = "opentalk_mailer" recording_task_queue = "opentalk_recorder" [redis] +# Redis URL used to connect the redis server url = "redis://redis:6379/" +#[turn] +# Lifetime of the generated credentials (in seconds) +#lifetime = 86400 + +#[[turn.servers]] +# URIS of this Turn Server following rfc7065 +#uris = [ +# "turn:127.0.0.1:3478?transport=udp", +# "turn:127.0.0.1:3478?transport=tcp", +# "turns:127.0.0.1:5349?transport=tcp" +#] +# The Pre Shared Key set with --static-auth-secret=... +#pre_shared_key = "<myS3cr37>" + +#[stun] +#uris = ["stun:127.0.0.1:3478"] + +#[authz] +# The reload interval of the permissions in seconds. +# Used to propagate updates from one controller to the other. +# reload_interval = 10 + +#[call_in] +# Set a phone number which will be displayed to the user +# for the call-in service +#tel="03012345678" +# Enable the mapping of user names to their phone number. This requires +# the OIDC provider to have a phone number field configured for their users. +#enable_phone_mapping=false +# The default country code for call in numbers. Notated in Alpha-2 code (ISO 3166) +# Phone numbers that do not fall in the category of the default country must be notated +# in the international format. 
+#default_country_code="DE" + +# MinIO configuration [minio] +# The URI to the MinIO instance uri = "http://minio:9000" +# Name of the bucket bucket = "s3_bucket" +# Access key for the MinIO bucket access_key = "minioadmin" +# Secret key for the MinIO bucket secret_key = "minioadmin" +# The etherpad configuration for the protocol module +#[etherpad] +#url = "http://etherpad:9001" +# Etherpads api key +#api_key = "secret" + +# Spacedeck configuration +#[spacedeck] +#url = "http://spacedeck:9666" +#api_key = "secret" + +# Default/fallback values +#[defaults] +# Default language of a new user +#user_language = "en-US" +# Default presenter role for all users (defaults to false if not set) +#participants_have_presenter_role = true + +# Settings for endpoints +#[endpoints] +# Disable the /users/find endpoint for performance or privacy reasons +#disable_users_find = false + +# Enable user-searching using keycloak's admin API +# This allows for finding users which have not yet +# logged into the controller +#users_find_use_kc = false + +# Allow inviting any unchecked email address. +# Not recommended without proper outgoing anti-spam protection +#event_invite_external_email_address = false + +# Configuration for the /metric HTTP endpoint +#[metrics] +# Allowlist for the /metrics endpoint +# +# Example: Allow all traffic from localhost +#allowlist = ["127.0.0.0/24", "::ffff:0:0/96"] diff --git a/docker-compose.yaml b/docker-compose.yaml index bede066dc8c554dcb7a3c7c301ab5dfa58fb0dd9..0d465aa9fca7e887b661049b2f9d53cd82c1f56d 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -1,3 +1,4 @@ + --- version: "3.9" services: diff --git a/extras/nginx-samples/controller.conf.sample b/extras/nginx-samples/controller.conf.sample index 145d1c3f341d02955089704f93c40c17ed771e4c..256523a9a25d96ddb3c1fdd65406784865106337 100644 --- a/extras/nginx-samples/controller.conf.sample +++ b/extras/nginx-samples/controller.conf.sample 
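Review bot: The commented `[metrics]` example at the end of the hunk, `#allowlist = ["127.0.0.0/24", "::ffff:0:0/96"]`, does not match its own comment "Allow all traffic from localhost": `::ffff:0:0/96` is the whole IPv4-mapped IPv6 range, which on a dual-stack listener matches every IPv4 client, and `127.0.0.0/24` is only a slice of the loopback block. Anyone who uncomments the example as-is opens /metrics to all IPv4 sources; a localhost-only example would be `#allowlist = ["127.0.0.0/8", "::1/128", "::ffff:127.0.0.0/104"]` (constructed; assumes the controller accepts IPv6 CIDRs, as the current example suggests). Separately, `# reload_interval = 10` under `#[authz]` has a space after `#`, unlike every other commented key in the file (`#lifetime = 86400`, `#tel="03012345678"`), so the delete-one-character uncomment pattern used elsewhere does not work there. The `[minio]` context lines keep `access_key = "minioadmin"` / `secret_key = "minioadmin"`, which are MinIO's shipped defaults; a `<MyMinioSecretKey>`-style placeholder like the other credentials in this sample would make the need to change them obvious.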
@@ -12,7 +12,7 @@ server { listen [::]:80; server_name controller.example.com; - include snippets/letsencrypt.conf; + # include snippets/letsencrypt.conf; location / { access_log off; @@ -25,9 +25,8 @@ server { listen [::]:443 ssl http2; server_name controller.example.com; - ssl_certificate /etc/ssl/letsencrypt/crt/fullchain_controller.example.com.crt; - ssl_certificate_key /etc/ssl/letsencrypt/key/controller.example.com.key; - ssl_trusted_certificate /etc/ssl/letsencrypt/crt/controller.example.com-intermediate.crt; + ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; root controller.example.com; diff --git a/extras/nginx-samples/frontend.conf.sample b/extras/nginx-samples/frontend.conf.sample index 66f36a9e84382a407ec6387af867788163e0daf7..30ef545d3e71db858a61a4ba0eb50567355bafbd 100644 --- a/extras/nginx-samples/frontend.conf.sample +++ b/extras/nginx-samples/frontend.conf.sample @@ -12,7 +12,7 @@ server { listen [::]:80; server_name example.com; - include snippets/letsencrypt.conf; + # include snippets/letsencrypt.conf; location / { access_log off; @@ -25,9 +25,8 @@ server { listen [::]:443 ssl http2; server_name example.com; - ssl_certificate /etc/ssl/letsencrypt/crt/fullchain_example.com.crt; - ssl_certificate_key /etc/ssl/letsencrypt/key/example.com.key; - ssl_trusted_certificate /etc/ssl/letsencrypt/crt/example.com-intermediate.crt; + ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; root example.com; diff --git a/extras/nginx-samples/keycloak.conf.sample b/extras/nginx-samples/keycloak.conf.sample index b2f27d10b73303460b6f1a21649e722aecfe4878..f8f831baab9a0f39078283a6ffa607cb5cb4faac 100644 --- a/extras/nginx-samples/keycloak.conf.sample +++ b/extras/nginx-samples/keycloak.conf.sample 
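Review bot: The second hunk removes `ssl_trusted_certificate` while the shared `snippets/sslsettings.conf` still has `ssl_stapling_verify on;` (visible as context in the sslsettings hunk further down), and nginx documents that OCSP response verification needs the issuer chain configured as trusted; with certbot's layout that is `ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;` (plus the root if verification demands a full chain). The same deletion is made in frontend.conf.sample and keycloak.conf.sample. All three vhosts (`controller.example.com`, `example.com`, `accounts.example.com`) now point at the single `live/example.com` certificate, which only works if that certificate lists the subdomains as SANs or is a wildcard; a one-line comment above `ssl_certificate` stating that assumption would prevent a confused first deploy. The enclosing `server` blocks start and end outside the hunks.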
@@ -12,7 +12,7 @@ server { listen [::]:80; server_name accounts.example.com; - include snippets/letsencrypt.conf; + # include snippets/letsencrypt.conf; location / { access_log off; @@ -25,9 +25,8 @@ server { listen [::]:443 ssl http2; server_name accounts.example.com; - ssl_certificate /etc/ssl/letsencrypt/crt/fullchain_accounts.example.com.crt; - ssl_certificate_key /etc/ssl/letsencrypt/key/accounts.example.com.key; - ssl_trusted_certificate /etc/ssl/letsencrypt/crt/accounts.example.com-intermediate.crt; + ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; root accounts.example.com; diff --git a/extras/nginx-samples/pad.conf.sample b/extras/nginx-samples/pad.conf.sample new file mode 100644 index 0000000000000000000000000000000000000000..b3dbec8cf803a99dd73756b35ea38a800675d522 --- /dev/null +++ b/extras/nginx-samples/pad.conf.sample @@ -0,0 +1,48 @@ +upstream etherpad { + server localhost:9001; +} + +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +server { + listen 80; + listen [::]:80; + server_name pad.example.com; + + # include snippets/letsencrypt.conf; + + location / { + access_log off; + return 301 https://$server_name$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name pad.example.com; + + ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; + + root pad.example.com; + + include /etc/nginx/snippets/sslsettings.conf; + + access_log /var/log/nginx/https-access_pad.example.com.log; + error_log /var/log/nginx/https-error_pad.example.com.log; + + + location / { + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_buffers 8 8k; + proxy_buffer_size 8k; + + proxy_pass http://etherpad; + } +} \ No newline at end of file 
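Review bot: In the new pad.conf.sample the `location /` block sets the `Upgrade`/`Connection` headers but omits `proxy_http_version 1.1;`, so nginx talks HTTP/1.0 to the upstream and the WebSocket upgrade the `map $http_upgrade` block is there for cannot complete; add `proxy_http_version 1.1;` next to the `proxy_set_header` lines. The same omission is in whiteboard.conf.sample. The proxy also forwards no `Host` or `X-Forwarded-Proto`, so the upstream sees `localhost:9001` over plain http and may build redirect and cookie attributes from that — `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-Proto https;` are the usual pair, assuming the upstream honours them (not verifiable from this file). `root pad.example.com;` is a relative path resolved against nginx's prefix and is never served from, because the only location proxies; it can be dropped. The file also ends without a trailing newline.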
diff --git a/extras/nginx-samples/snippets/sslsettings.conf.sample b/extras/nginx-samples/snippets/sslsettings.conf.sample index afbf1dc7989402f115e127b7d5136a3080b8c16b..d4553c037f1df3ed27d0571d52d207f454578429 100644 --- a/extras/nginx-samples/snippets/sslsettings.conf.sample +++ b/extras/nginx-samples/snippets/sslsettings.conf.sample @@ -13,3 +13,6 @@ ssl_stapling_verify on; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; +### openssl command to generate DH parameters: +# openssl dhparam -out /etc/ssl/dhparam.pem 4096 +ssl_dhparam /etc/ssl/dhparam.pem; \ No newline at end of file diff --git a/extras/nginx-samples/whiteboard.conf.sample b/extras/nginx-samples/whiteboard.conf.sample new file mode 100644 index 0000000000000000000000000000000000000000..b3234b08c0cd2b5846ec67a09d13dd8113e372e9 --- /dev/null +++ b/extras/nginx-samples/whiteboard.conf.sample 
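Review bot: `ssl_dhparam /etc/ssl/dhparam.pem;` is added to a snippet that every vhost includes, so if the file has not been generated yet `nginx -t` fails for all sites at once; the comment should say the file must exist before the first reload and that `openssl dhparam ... 4096` can take many minutes on a small VM (the pre-generated RFC 7919 groups are a faster alternative). The parameters are only used for DHE (not ECDHE) suites, so whether they matter at all depends on the `ssl_ciphers` line outside this hunk; if the list is ECDHE-only the directive is dead weight. The `###` prefix differs from the single-`#` comments used elsewhere in the file, and the change leaves the file without a trailing newline.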
@@ -0,0 +1,48 @@ +upstream whiteboard { + server localhost:9666; +} + +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +server { + listen 80; + listen [::]:80; + server_name whiteboard.example.com; + + # include snippets/letsencrypt.conf; + + location / { + access_log off; + return 301 https://$server_name$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name whiteboard.example.com; + + ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; + + root whiteboard.example.com; + + include /etc/nginx/snippets/sslsettings.conf; + + access_log /var/log/nginx/https-access_whiteboard.example.com.log; + error_log /var/log/nginx/https-error_whiteboard.example.com.log; + + + location / { + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_buffers 8 8k; + proxy_buffer_size 8k; + + proxy_pass http://whiteboard; + } +} \ No newline at end of file