Dennis Paradzinski
6efce0c8f1
Some checks failed
deploy / deploy (push) Failing after 3s
Self-hosted Jitsi instance at meet.it.financeflow.de — avoids the meet.jit.si moderator-auth wall. Four components (web/prosody/jicofo/jvb) as raw k3s manifests, same deploy pattern as Embertime (Gitea Actions + kubectl apply + KUBECONFIG_B64 secret). JVB uses hostNetwork + UDP 10000 for media — requires router forward. Component passwords live in a kubectl-applied Secret (not in git); generate-secrets.sh produces a fresh manifest. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
35 lines
1015 B
Bash
Executable File
35 lines
1015 B
Bash
Executable File
#!/usr/bin/env bash
|
|
# Generates a 20-secrets.yaml with fresh random component passwords.
|
|
# Usage:
|
|
# ./scripts/generate-secrets.sh > infra/k3s/20-secrets.yaml
|
|
# kubectl apply -f infra/k3s/20-secrets.yaml
|
|
#
|
|
# Re-running rotates the passwords — every component then needs to be
|
|
# restarted (kubectl rollout restart) so they pick up the new env.
|
|
|
|
set -eu
|
|
|
|
# 24 random bytes → 32 base64 chars, stripped of slashes/+ for safety in
|
|
# env vars + URLs. Avoids the SIGPIPE issue with `tr | head` under
|
|
# pipefail.
|
|
rand() { openssl rand -hex 16; } # 32 hex chars = 16 bytes entropy, plenty for component auth
|
|
|
|
JICOFO_COMPONENT_SECRET=$(rand)
|
|
JICOFO_AUTH_PASSWORD=$(rand)
|
|
JVB_AUTH_PASSWORD=$(rand)
|
|
|
|
cat <<EOF
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: jitsi-secrets
|
|
namespace: jitsi
|
|
type: Opaque
|
|
stringData:
|
|
JICOFO_COMPONENT_SECRET: "${JICOFO_COMPONENT_SECRET}"
|
|
JICOFO_AUTH_USER: "focus"
|
|
JICOFO_AUTH_PASSWORD: "${JICOFO_AUTH_PASSWORD}"
|
|
JVB_AUTH_USER: "jvb"
|
|
JVB_AUTH_PASSWORD: "${JVB_AUTH_PASSWORD}"
|
|
EOF
|