Add Jitsi support

docs/configuring-dns.md

@@ -23,6 +23,7 @@ If you decide to go with the alternative method ([Server Delegation via a DNS SR
 | A     | `matrix`                     | -        | -      | -    | `matrix-server-IP`     |
 | CNAME | `riot`                       | -        | -      | -    | `matrix.<your-domain>` |
 | CNAME | `dimension` (*)              | -        | -      | -    | `matrix.<your-domain>` |
+| CNAME | `jitsi` (*)                  | -        | -      | -    | `matrix.<your-domain>` |
 | SRV   | `_matrix-identity._tcp`      | 10       | 0      | 443  | `matrix.<your-domain>` |
 
 
@@ -38,6 +39,8 @@ If you'd rather instruct the playbook not to install Riot (`matrix_riot_web_enab
 
 The `dimension.<your-domain>` subdomain may be necessary, because this playbook could install the [Dimension integrations manager](http://dimension.t2bot.io/) for you. Dimension installation is disabled by default, because it's only possible to install it after the other Matrix services are working (see [Setting up Dimension](configuring-playbook-dimension.md) later). If you do not wish to set up Dimension, feel free to skip the `dimension.<your-domain>` DNS record.
 
+The `jitsi.<your-domain>` subdomain may be necessary, because this playbook could install the [Jitsi video-conferencing platform](https://jitsi.org/) for you. Jitsi installation is disabled by default, because it may be heavy and is not a core required component. To learn how to install it, see our [Jitsi](configuring-playbook-jitsi.md) guide. If you do not wish to set up Jitsi, feel free to skip the `jitsi.<your-domain>` DNS record.
+
 
 ## `_matrix-identity._tcp` SRV record setup
 

docs/configuring-playbook-jitsi.md

@@ -0,0 +1,39 @@
+# Jitsi
+
+The playbook can install the [Jitsi](https://jitsi.org/) video-conferencing platform and integrate it with [Riot](configuring-playbook-riot-web.md).
+
+Jitsi installation is **not enabled by default**, because it's not a core component of Matrix services.
+
+The setup done by the playbook is very similar to [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet).
+
+
+## Prerequisites
+
+Before installing Jitsi, make sure you've created the `jitsi.DOMAIN` DNS record. See [Configuring DNS](configuring-dns.md).
+
+You may also need to open the following ports to your server:
+
+- `udp/10000` - RTP media over UDP
+- `tcp/4443` - RTP media fallback over TCP
+
+
+## Installation
+
+Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
+
+```yaml
+matrix_jitsi_enabled: true
+
+# We only need this temporarily - until Jitsi integration in riot-web is finalized.
+# Remove this line in the future, to switch back to a stable riot-web version.
+matrix_riot_web_docker_image: "vectorim/riot-web:develop"
+```
+
+Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`
+
+.. and fully reload your riot-web page (at `riot.DOMAIN`).
+
+Starting a video-conference in a room with more than 2 members should then create a Jitsi widget which utilizes your self-hosted Jitsi server.
+
+
+**NOTE**: the playbook currently configures the Jitsi JVB component to use Google's STUN servers even in cases where our own [Coturn TURN server](configuring-playbook-turn.md) is enabled (it is by default). This is because JVB fails to discover its own external IP correctly when pointed to our own Coturn server. The failure happens because JVB reaches Coturn via the localnetwork and discovers a local Docker IP address instead of the public one, leading to a non-working service.

group_vars/matrix_servers

@@ -392,6 +392,46 @@ matrix_email2matrix_enabled: false
 
 
 
+######################################################################
+#
+# matrix-jitsi
+#
+######################################################################
+
+matrix_jitsi_enabled: false
+
+# Normally, matrix-nginx-proxy is enabled and nginx can reach jitsi/web over the container network.
+# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
+# the Jitsi HTTP port to the local host.
+matrix_jitsi_web_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:12080' }}"
+
+matrix_jitsi_jibri_xmpp_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jibri') | to_uuid }}"
+matrix_jitsi_jicofo_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jicofo') | to_uuid }}"
+matrix_jitsi_jvb_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jvb') | to_uuid }}"
+
+# TODO. Using our own STUN server fails, so we're using Google's STUN servers (the default for the matrix-jitsi role).
+#
+# When using our STUN server, JVB tries to discover its own IP by contacting it and gets a local Docker IP address instead of the external one.
+# > matrix-jitsi-jvb[30965]: JVB 2020-03-23 14:52:59.253 INFO: [21] org.ice4j.ice.harvest.StunMappingCandidateHarvester.discover() Discovered public address 172.19.0.1:60385/udp from STUN server x.x.x.x:5349/udp using local address 172.18.0.10:0/udp
+#
+# matrix_jitsi_jvb_stun_servers: |
+#   {{
+#     [
+#       matrix_server_fqn_matrix + ':5349',
+#       matrix_server_fqn_matrix + ':3478',
+#     ]
+#     if matrix_coturn_enabled
+#     else [ 'stun.l.google.com:19302', 'stun1.l.google.com:19302', 'stun2.l.google.com:19302']
+#   }}
+
+######################################################################
+#
+# /matrix-jitsi
+#
+######################################################################
+
+
+
 ######################################################################
 #
 # matrix-mailer
@@ -482,6 +522,7 @@ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: "{{ matrix_s
 matrix_nginx_proxy_proxy_matrix_enabled: true
 matrix_nginx_proxy_proxy_riot_enabled: "{{ matrix_riot_web_enabled }}"
 matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}"
+matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
 
 matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}"
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
@@ -525,6 +566,8 @@ matrix_ssl_domains_to_obtain_certificates_for: |
     +
     ([matrix_server_fqn_dimension] if matrix_dimension_enabled else [])
     +
+    ([matrix_server_fqn_jitsi])
+    +
     ([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else [])
   }}
 
@@ -596,6 +639,8 @@ matrix_riot_web_enable_presence_by_hs_url: |
 
 matrix_riot_web_welcome_user_id: ~
 
+matrix_riot_web_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jitsi_enabled else '' }}"
+
 ######################################################################
 #
 # /matrix-riot-web

roles/matrix-base/defaults/main.yml

@@ -18,6 +18,9 @@ matrix_server_fqn_riot: "riot.{{ matrix_domain }}"
 # This is where you access the Dimension.
 matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}"
 
+# This is where you access Jitsi.
+matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}"
+
 matrix_user_username: "matrix"
 matrix_user_uid: 991
 matrix_user_gid: 991
@@ -69,4 +72,4 @@ run_stop: true
 
 # Building every docker image from source on the target host
 # Controlling docker image build is possible on a per unit base
-matrix_container_images_self_build: false
+matrix_container_images_self_build: false

roles/matrix-jitsi/defaults/main.yml

@@ -0,0 +1,109 @@
+matrix_jitsi_enabled: true
+
+matrix_jitsi_base_path: "{{ matrix_base_data_path }}/jitsi"
+
+matrix_jitsi_enable_auth: false
+matrix_jitsi_enable_guests: false
+matrix_jitsi_enable_recording: true
+matrix_jitsi_enable_transcriptions: true
+
+matrix_jitsi_timezone: UTC
+
+matrix_jitsi_xmpp_domain: matrix-jitsi-web
+matrix_jitsi_xmpp_server: matrix-jitsi-prosody
+matrix_jitsi_xmpp_auth_domain: auth.meet.jitsi
+matrix_jitsi_xmpp_bosh_url_base: http://{{ matrix_jitsi_xmpp_server }}:5280
+matrix_jitsi_xmpp_guest_domain: guest.meet.jitsi
+matrix_jitsi_xmpp_muc_domain: muc.meet.jitsi
+matrix_jitsi_xmpp_internal_muc_domain: internal-muc.meet.jitsi
+
+matrix_jitsi_recorder_domain: recorder.meet.jitsi
+
+
+matrix_jitsi_jibri_brewery_muc: jibribrewery
+matrix_jitsi_jibri_pending_timeout: 90
+matrix_jitsi_jibri_xmpp_user: jibri
+matrix_jitsi_jibri_xmpp_password: jibri-password
+matrix_jitsi_jibri_recorder_user: recorder
+matrix_jitsi_jibri_recorder_password: recorder-password
+
+
+matrix_jitsi_web_docker_image: "jitsi/web:4101"
+matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}"
+
+matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web"
+matrix_jitsi_web_config_path: "{{ matrix_jitsi_web_base_path }}/config"
+matrix_jitsi_web_transcripts_path: "{{ matrix_jitsi_web_base_path }}/transcripts"
+
+matrix_jitsi_web_public_url: "https://{{ matrix_server_fqn_jitsi }}"
+
+# Controls whether the matrix-jitsi-web container exposes its HTTP port (tcp/80 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:12080"), or empty string to not expose.
+matrix_jitsi_web_container_http_host_bind_port: ''
+
+# A list of extra arguments to pass to the container
+matrix_jitsi_web_container_extra_arguments: []
+
+# List of systemd services that matrix-jitsi-web.service depends on
+matrix_jitsi_web_systemd_required_services_list: ['docker.service']
+
+
+matrix_jitsi_prosody_docker_image: "jitsi/prosody:4101"
+matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}"
+
+matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody"
+matrix_jitsi_prosody_config_path: "{{ matrix_jitsi_prosody_base_path }}/config"
+
+# A list of extra arguments to pass to the container
+matrix_jitsi_prosody_container_extra_arguments: []
+
+# List of systemd services that matrix-jitsi-prosody.service depends on
+matrix_jitsi_prosody_systemd_required_services_list: ['docker.service']
+
+
+matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4101"
+matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}"
+
+matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo"
+matrix_jitsi_jicofo_config_path: "{{ matrix_jitsi_jicofo_base_path }}/config"
+
+# A list of extra arguments to pass to the container
+matrix_jitsi_jicofo_container_extra_arguments: []
+
+# List of systemd services that matrix-jitsi-jicofo.service depends on
+matrix_jitsi_jicofo_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service']
+
+matrix_jitsi_jicofo_component_secret: s3cr37
+matrix_jitsi_jicofo_auth_user: focus
+matrix_jitsi_jicofo_auth_password: passw0rd
+
+
+matrix_jitsi_jvb_docker_image: "jitsi/jvb:4101"
+matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}"
+
+matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb"
+matrix_jitsi_jvb_config_path: "{{ matrix_jitsi_jvb_base_path }}/config"
+
+# A list of extra arguments to pass to the container
+matrix_jitsi_jvb_container_extra_arguments: []
+
+# List of systemd services that matrix-jitsi-jvb.service depends on
+matrix_jitsi_jvb_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service']
+
+matrix_jitsi_jvb_auth_user: jvb
+matrix_jitsi_jvb_auth_password: passw0rd
+matrix_jitsi_jvb_stun_servers: ['stun.l.google.com:19302', 'stun1.l.google.com:19302', 'stun2.l.google.com:19302']
+matrix_jitsi_jvb_brewery_muc: jvbbrewery
+matrix_jitsi_jvb_rtp_udp_port: 10000
+matrix_jitsi_jvb_rtp_tcp_port: 4443
+
+# Controls whether the matrix-jitsi-jvb container exposes its RTP UDP port (udp/10000 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:10000"), or empty string to not expose.
+matrix_jitsi_jvb_container_rtp_udp_host_bind_port: "{{ matrix_jitsi_jvb_rtp_udp_port }}"
+
+# Controls whether the matrix-jitsi-jvb container exposes its RTP UDP port (udp/4443 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:4443"), or empty string to not expose.
+matrix_jitsi_jvb_container_rtp_tcp_host_bind_port: "{{ matrix_jitsi_jvb_rtp_tcp_port }}"

roles/matrix-jitsi/tasks/init.yml

@@ -0,0 +1,3 @@
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-jitsi-web', 'matrix-jitsi-prosody', 'matrix-jitsi-jicofo', 'matrix-jitsi-jvb'] }}"
+  when: matrix_jitsi_enabled|bool

roles/matrix-jitsi/tasks/main.yml

@@ -0,0 +1,33 @@
+- import_tasks: "{{ role_path }}/tasks/init.yml"
+  tags:
+    - always
+
+- import_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml"
+  when: run_setup|bool
+  tags:
+    - setup-all
+    - setup-jitsi
+
+- import_tasks: "{{ role_path }}/tasks/setup_jitsi_web.yml"
+  when: run_setup|bool
+  tags:
+    - setup-all
+    - setup-jitsi
+
+- import_tasks: "{{ role_path }}/tasks/setup_jitsi_prosody.yml"
+  when: run_setup|bool
+  tags:
+    - setup-all
+    - setup-jitsi
+
+- import_tasks: "{{ role_path }}/tasks/setup_jitsi_jicofo.yml"
+  when: run_setup|bool
+  tags:
+    - setup-all
+    - setup-jitsi
+
+- import_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb.yml"
+  when: run_setup|bool
+  tags:
+    - setup-all
+    - setup-jitsi

roles/matrix-jitsi/tasks/setup_jitsi_base.yml

@@ -0,0 +1,20 @@
+---
+
+#
+# Tasks related to setting up jitsi
+#
+
+- name: Ensure Matrix jitsi base path exists
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  with_items:
+    - { path: "{{ matrix_jitsi_base_path }}", when: true }
+  when: matrix_jitsi_enabled|bool and item.when
+
+#
+# Tasks related to getting rid of jitsi (if it was previously enabled)
+#

roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml

@@ -0,0 +1,86 @@
+---
+
+#
+# Tasks related to setting up jitsi-jicofo
+#
+
+- name: Ensure Matrix jitsi-jicofo path exists
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0777
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  with_items:
+    - { path: "{{ matrix_jitsi_jicofo_base_path }}", when: true }
+    - { path: "{{ matrix_jitsi_jicofo_config_path }}", when: true }
+  when: matrix_jitsi_enabled|bool and item.when
+
+- name: Ensure jitsi-jicofo Docker image is pulled
+  docker_image:
+    name: "{{ matrix_jitsi_jicofo_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_jitsi_jicofo_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_jicofo_docker_image_force_pull }}"
+  when: matrix_jitsi_enabled|bool
+
+- name: Ensure jitsi-jicofo environment variables file created
+  template:
+    src: "{{ role_path }}/templates/jicofo/env.j2"
+    dest: "{{ matrix_jitsi_jicofo_base_path }}/env"
+    mode: 0640
+  when: matrix_jitsi_enabled|bool
+
+- name: Ensure matrix-jitsi-jicofo.service installed
+  template:
+    src: "{{ role_path }}/templates/jicofo/matrix-jitsi-jicofo.service.j2"
+    dest: "/etc/systemd/system/matrix-jitsi-jicofo.service"
+    mode: 0644
+  register: matrix_jitsi_jicofo_systemd_service_result
+  when: matrix_jitsi_enabled|bool
+
+- name: Ensure systemd reloaded after matrix-jitsi-jicofo.service installation
+  service:
+    daemon_reload: yes
+  when: "matrix_jitsi_enabled and matrix_jitsi_jicofo_systemd_service_result.changed"
+
+#
+# Tasks related to getting rid of jitsi-jicofo (if it was previously enabled)
+#
+
+- name: Check existence of matrix-jitsi-jicofo service
+  stat:
+    path: "/etc/systemd/system/matrix-jitsi-jicofo.service"
+  register: matrix_jitsi_jicofo_service_stat
+  when: "not matrix_jitsi_enabled|bool"
+
+- name: Ensure matrix-jitsi-jicofo is stopped
+  service:
+    name: matrix-jitsi-jicofo
+    state: stopped
+    daemon_reload: yes
+  register: stopping_result
+  when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jicofo_service_stat.stat.exists"
+
+- name: Ensure matrix-jitsi-jicofo.service doesn't exist
+  file:
+    path: "/etc/systemd/system/matrix-jitsi-jicofo.service"
+    state: absent
+  when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jicofo_service_stat.stat.exists"
+
+- name: Ensure systemd reloaded after matrix-jitsi-jicofo.service removal
+  service:
+    daemon_reload: yes
+  when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jicofo_service_stat.stat.exists"
+
+- name: Ensure Matrix jitsi-jicofo paths doesn't exist
+  file:
+    path: "{{ matrix_jitsi_jicofo_base_path }}"
+    state: absent
+  when: "not matrix_jitsi_enabled|bool"
+
+- name: Ensure jitsi-jicofo Docker image doesn't exist
+  docker_image:
+    name: "{{ matrix_jitsi_jicofo_docker_image }}"
+    state: absent
+  when: "not matrix_jitsi_enabled|bool"

roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml

@@ -0,0 +1,86 @@
+---
+
+#
+# Tasks related to setting up jitsi-jvb
+#
+
+- name: Ensure Matrix jitsi-jvb path exists
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0777
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  with_items:
+    - { path: "{{ matrix_jitsi_jvb_base_path }}", when: true }
+    - { path: "{{ matrix_jitsi_jvb_config_path }}", when: true }
+  when: matrix_jitsi_enabled|bool and item.when
+
+- name: Ensure jitsi-jvb Docker image is pulled
+  docker_image:
+    name: "{{ matrix_jitsi_jvb_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_jitsi_jvb_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_jvb_docker_image_force_pull }}"
+  when: matrix_jitsi_enabled|bool
+
+- name: Ensure jitsi-jvb environment variables file created
+  template:
+    src: "{{ role_path }}/templates/jvb/env.j2"
+    dest: "{{ matrix_jitsi_jvb_base_path }}/env"
+    mode: 0640
+  when: matrix_jitsi_enabled|bool
+
+- name: Ensure matrix-jitsi-jvb.service installed
+  template:
+    src: "{{ role_path }}/templates/jvb/matrix-jitsi-jvb.service.j2"
+    dest: "/etc/systemd/system/matrix-jitsi-jvb.service"
+    mode: 0644
+  register: matrix_jitsi_jvb_systemd_service_result
+  when: matrix_jitsi_enabled|bool
+
+- name: Ensure systemd reloaded after matrix-jitsi-jvb.service installation
+  service:
+    daemon_reload: yes
+  when: "matrix_jitsi_enabled and matrix_jitsi_jvb_systemd_service_result.changed"
+
+#
+# Tasks related to getting rid of jitsi-jvb (if it was previously enabled)
+#
+
+- name: Check existence of matrix-jitsi-jvb service
+  stat:
+    path: "/etc/systemd/system/matrix-jitsi-jvb.service"
+  register: matrix_jitsi_jvb_service_stat
+  when: "not matrix_jitsi_enabled|bool"
+
+- name: Ensure matrix-jitsi-jvb is stopped
+  service:
+    name: matrix-jitsi-jvb
+    state: stopped
+    daemon_reload: yes
+  register: stopping_result
+  when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jvb_service_stat.stat.exists"
+
+- name: Ensure matrix-jitsi-jvb.service doesn't exist
+  file:
+    path: "/etc/systemd/system/matrix-jitsi-jvb.service"
+    state: absent
+  when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jvb_service_stat.stat.exists"
+
+- name: Ensure systemd reloaded after matrix-jitsi-jvb.service removal
+  service:
+    daemon_reload: yes
+  when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jvb_service_stat.stat.exists"
+
+- name: Ensure Matrix jitsi-jvb paths doesn't exist
+  file:
+    path: "{{ matrix_jitsi_jvb_base_path }}"
+    state: absent
+  when: "not matrix_jitsi_enabled|bool"
+
+- name: Ensure jitsi-jvb Docker image doesn't exist
+  docker_image:
+    name: "{{ matrix_jitsi_jvb_docker_image }}"
+    state: absent
+  when: "not matrix_jitsi_enabled|bool"

roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml

@@ -0,0 +1,86 @@
+---
+
+#
+# Tasks related to setting up jitsi-prosody
+#
+
+- name: Ensure Matrix jitsi-prosody path exists
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0777
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  with_items:
+    - { path: "{{ matrix_jitsi_prosody_base_path }}", when: true }
+    - { path: "{{ matrix_jitsi_prosody_config_path }}", when: true }
+  when: matrix_jitsi_enabled|bool and item.when
+
+- name: Ensure jitsi-prosody Docker image is pulled
+  docker_image:
+    name: "{{ matrix_jitsi_prosody_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_jitsi_prosody_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_prosody_docker_image_force_pull }}"
+  when: matrix_jitsi_enabled|bool
+
+- name: Ensure jitsi-prosody environment variables file created
+  template:
+    src: "{{ role_path }}/templates/prosody/env.j2"
+    dest: "{{ matrix_jitsi_prosody_base_path }}/env"
+    mode: 0640
+  when: matrix_jitsi_enabled|bool
+
+- name: Ensure matrix-jitsi-prosody.service installed
+  template:
+    src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2"
+    dest: "/etc/systemd/system/matrix-jitsi-prosody.service"
+    mode: 0644
+  register: matrix_jitsi_prosody_systemd_service_result
+  when: matrix_jitsi_enabled|bool
+
+- name: Ensure systemd reloaded after matrix-jitsi-prosody.service installation
+  service:
+    daemon_reload: yes
+  when: "matrix_jitsi_enabled and matrix_jitsi_prosody_systemd_service_result.changed"
+
+#
+# Tasks related to getting rid of jitsi-prosody (if it was previously enabled)
+#
+
+- name: Check existence of matrix-jitsi-prosody service
+  stat:
+    path: "/etc/systemd/system/matrix-jitsi-prosody.service"
+  register: matrix_jitsi_prosody_service_stat
+  when: "not matrix_jitsi_enabled|bool"
+
+- name: Ensure matrix-jitsi-prosody is stopped
+  service:
+    name: matrix-jitsi-prosody
+    state: stopped
+    daemon_reload: yes
+  register: stopping_result
+  when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists"
+
+- name: Ensure matrix-jitsi-prosody.service doesn't exist
+  file:
+    path: "/etc/systemd/system/matrix-jitsi-prosody.service"
+    state: absent
+  when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists"
+
+- name: Ensure systemd reloaded after matrix-jitsi-prosody.service removal
+  service:
+    daemon_reload: yes
+  when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists"
+
+- name: Ensure Matrix jitsi-prosody paths doesn't exist
+  file:
+    path: "{{ matrix_jitsi_prosody_base_path }}"
+    state: absent
+  when: "not matrix_jitsi_enabled|bool"
+
+- name: Ensure jitsi-prosody Docker image doesn't exist
+  docker_image:
+    name: "{{ matrix_jitsi_prosody_docker_image }}"
+    state: absent
+  when: "not matrix_jitsi_enabled|bool"

roles/matrix-jitsi/tasks/setup_jitsi_web.yml

@@ -0,0 +1,87 @@
+---
+
+#
+# Tasks related to setting up jitsi-web
+#
+
+- name: Ensure Matrix jitsi-web path exists
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0777
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  with_items:
+    - { path: "{{ matrix_jitsi_web_base_path }}", when: true }
+    - { path: "{{ matrix_jitsi_web_config_path }}", when: true }
+    - { path: "{{ matrix_jitsi_web_transcripts_path }}", when: true }
+  when: matrix_jitsi_enabled|bool and item.when
+
+- name: Ensure jitsi-web Docker image is pulled
+  docker_image:
+    name: "{{ matrix_jitsi_web_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_jitsi_web_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_web_docker_image_force_pull }}"
+  when: matrix_jitsi_enabled|bool
+
+- name: Ensure jitsi-web environment variables file created
+  template:
+    src: "{{ role_path }}/templates/web/env.j2"
+    dest: "{{ matrix_jitsi_web_base_path }}/env"
+    mode: 0640
+  when: matrix_jitsi_enabled|bool
+
+- name: Ensure matrix-jitsi-web.service installed
+  template:
+    src: "{{ role_path }}/templates/web/matrix-jitsi-web.service.j2"
+    dest: "/etc/systemd/system/matrix-jitsi-web.service"
+    mode: 0644
+  register: matrix_jitsi_web_systemd_service_result
+  when: matrix_jitsi_enabled|bool
+
+- name: Ensure systemd reloaded after matrix-jitsi-web.service installation
+  service:
+    daemon_reload: yes
+  when: "matrix_jitsi_enabled and matrix_jitsi_web_systemd_service_result.changed"
+
+#
+# Tasks related to getting rid of jitsi-web (if it was previously enabled)
+#
+
+- name: Check existence of matrix-jitsi-web service
+  stat:
+    path: "/etc/systemd/system/matrix-jitsi-web.service"
+  register: matrix_jitsi_web_service_stat
+  when: "not matrix_jitsi_enabled|bool"
+
+- name: Ensure matrix-jitsi-web is stopped
+  service:
+    name: matrix-jitsi-web
+    state: stopped
+    daemon_reload: yes
+  register: stopping_result
+  when: "not matrix_jitsi_enabled|bool and matrix_jitsi_web_service_stat.stat.exists"
+
+- name: Ensure matrix-jitsi-web.service doesn't exist
+  file:
+    path: "/etc/systemd/system/matrix-jitsi-web.service"
+    state: absent
+  when: "not matrix_jitsi_enabled|bool and matrix_jitsi_web_service_stat.stat.exists"
+
+- name: Ensure systemd reloaded after matrix-jitsi-web.service removal
+  service:
+    daemon_reload: yes
+  when: "not matrix_jitsi_enabled|bool and matrix_jitsi_web_service_stat.stat.exists"
+
+- name: Ensure Matrix jitsi-web paths doesn't exist
+  file:
+    path: "{{ matrix_jitsi_web_base_path }}"
+    state: absent
+  when: "not matrix_jitsi_enabled|bool"
+
+- name: Ensure jitsi-web Docker image doesn't exist
+  docker_image:
+    name: "{{ matrix_jitsi_web_docker_image }}"
+    state: absent
+  when: "not matrix_jitsi_enabled|bool"

roles/matrix-jitsi/templates/jicofo/env.j2

@@ -0,0 +1,17 @@
+ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }}
+
+XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }}
+XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
+XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }}
+XMPP_SERVER={{ matrix_jitsi_xmpp_server }}
+
+JICOFO_COMPONENT_SECRET={{ matrix_jitsi_jicofo_component_secret }}
+JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }}
+JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }}
+
+JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }}
+
+JIBRI_BREWERY_MUC={{ matrix_jitsi_jibri_brewery_muc }}
+JIBRI_PENDING_TIMEOUT={{ matrix_jitsi_jibri_pending_timeout }}
+
+TZ={{ matrix_jitsi_timezone }}

roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2

@@ -0,0 +1,31 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix jitsi-jicofo server
+{% for service in matrix_jitsi_jicofo_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+
+[Service]
+Type=simple
+ExecStartPre=-/usr/bin/docker kill matrix-jitsi-jicofo
+ExecStartPre=-/usr/bin/docker rm matrix-jitsi-jicofo
+
+ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jicofo \
+			--log-driver=none \
+			--network={{ matrix_docker_network }} \
+			--env-file={{ matrix_jitsi_jicofo_base_path }}/env \
+			-v {{ matrix_jitsi_jicofo_config_path }}:/config \
+			{% for arg in matrix_jitsi_jicofo_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_jitsi_jicofo_docker_image }}
+
+ExecStop=-/usr/bin/docker kill matrix-jitsi-jicofo
+ExecStop=-/usr/bin/docker rm matrix-jitsi-jicofo
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-jitsi-jicofo
+
+[Install]
+WantedBy=multi-user.target

roles/matrix-jitsi/templates/jvb/env.j2

@@ -0,0 +1,14 @@
+XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
+XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }}
+XMPP_SERVER={{ matrix_jitsi_xmpp_server }}
+
+JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }}
+JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }}
+JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }}
+JVB_PORT={{ matrix_jitsi_jvb_rtp_udp_port }}
+JVB_TCP_HARVESTER_DISABLED=false
+JVB_TCP_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }}
+
+JVB_STUN_SERVERS={{ matrix_jitsi_jvb_stun_servers|join(',') }}
+
+TZ={{ matrix_jitsi_timezone }}

roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2

@@ -0,0 +1,37 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix jitsi-jvb server
+{% for service in matrix_jitsi_jvb_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+
+[Service]
+Type=simple
+ExecStartPre=-/usr/bin/docker kill matrix-jitsi-jvb
+ExecStartPre=-/usr/bin/docker rm matrix-jitsi-jvb
+
+ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jvb \
+			--log-driver=none \
+			--network={{ matrix_docker_network }} \
+			--env-file={{ matrix_jitsi_jvb_base_path }}/env \
+			{% if matrix_jitsi_jvb_container_rtp_udp_host_bind_port %}
+			-p {{ matrix_jitsi_jvb_container_rtp_udp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_udp_port }}/udp \
+			{% endif %}
+			{% if matrix_jitsi_jvb_container_rtp_tcp_host_bind_port %}
+			-p {{ matrix_jitsi_jvb_container_rtp_tcp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_tcp_port }} \
+			{% endif %}
+			-v {{ matrix_jitsi_jvb_config_path }}:/config \
+			{% for arg in matrix_jitsi_jvb_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_jitsi_jvb_docker_image }}
+
+ExecStop=-/usr/bin/docker kill matrix-jitsi-jvb
+ExecStop=-/usr/bin/docker rm matrix-jitsi-jvb
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-jitsi-jvb
+
+[Install]
+WantedBy=multi-user.target

roles/matrix-jitsi/templates/prosody/env.j2

@@ -0,0 +1,31 @@
+AUTH_TYPE=internal
+
+ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }}
+ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }}
+
+XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }}
+XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
+XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }}
+XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }}
+XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }}
+
+XMPP_MODULES=
+XMPP_MUC_MODULES=
+XMPP_INTERNAL_MUC_MODULES=
+
+XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }}
+
+JICOFO_COMPONENT_SECRET={{ matrix_jitsi_jicofo_component_secret }}
+JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }}
+JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }}
+
+JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }}
+JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }}
+
+JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }}
+JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }}
+
+JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }}
+JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }}
+
+TZ={{ matrix_jitsi_timezone }}

roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2

@@ -0,0 +1,31 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix jitsi-prosody server
+{% for service in matrix_jitsi_prosody_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+
+[Service]
+Type=simple
+ExecStartPre=-/usr/bin/docker kill matrix-jitsi-prosody
+ExecStartPre=-/usr/bin/docker rm matrix-jitsi-prosody
+
+ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-prosody \
+			--log-driver=none \
+			--network={{ matrix_docker_network }} \
+			--env-file={{ matrix_jitsi_prosody_base_path }}/env \
+			-v {{ matrix_jitsi_prosody_config_path }}:/config \
+			{% for arg in matrix_jitsi_prosody_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_jitsi_prosody_docker_image }}
+
+ExecStop=-/usr/bin/docker kill matrix-jitsi-prosody
+ExecStop=-/usr/bin/docker rm matrix-jitsi-prosody
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-jitsi-prosody
+
+[Install]
+WantedBy=multi-user.target

roles/matrix-jitsi/templates/web/env.j2

@@ -0,0 +1,28 @@
+ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }}
+ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }}
+
+ENABLE_TRANSCRIPTIONS={{ 1 if matrix_jitsi_enable_transcriptions else 0 }}
+
+DISABLE_HTTPS=1
+
+JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }}
+
+PUBLIC_URL={{ matrix_jitsi_web_public_url }}
+
+XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }}
+XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
+XMPP_BOSH_URL_BASE={{ matrix_jitsi_xmpp_bosh_url_base }}
+XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }}
+XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }}
+XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }}
+
+TZ={{ matrix_jitsi_timezone }}
+
+JIBRI_BREWERY_MUC={{ matrix_jitsi_jibri_brewery_muc }}
+JIBRI_PENDING_TIMEOUT={{ matrix_jitsi_jibri_pending_timeout }}
+JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }}
+JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }}
+JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }}
+JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }}
+
+ENABLE_RECORDING={{ 1 if matrix_jitsi_enable_recording else 0 }}

roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2

@@ -0,0 +1,35 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix jitsi-web server
+{% for service in matrix_jitsi_web_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+
+[Service]
+Type=simple
+ExecStartPre=-/usr/bin/docker kill matrix-jitsi-web
+ExecStartPre=-/usr/bin/docker rm matrix-jitsi-web
+
+ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-web \
+			--log-driver=none \
+			--network={{ matrix_docker_network }} \
+			--env-file={{ matrix_jitsi_web_base_path }}/env \
+			{% if matrix_jitsi_web_container_http_host_bind_port %}
+			-p {{ matrix_jitsi_web_container_http_host_bind_port }}:80 \
+			{% endif %}
+			-v {{ matrix_jitsi_web_config_path }}:/config \
+			-v {{ matrix_jitsi_web_transcripts_path }}:/usr/share/jitsi-meet/transcripts \
+			{% for arg in matrix_jitsi_web_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_jitsi_web_docker_image }}
+
+ExecStop=-/usr/bin/docker kill matrix-jitsi-web
+ExecStop=-/usr/bin/docker rm matrix-jitsi-web
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-jitsi-web
+
+[Install]
+WantedBy=multi-user.target

roles/matrix-nginx-proxy/defaults/main.yml

@@ -105,6 +105,10 @@ matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}"
 matrix_nginx_proxy_proxy_dimension_enabled: false
 matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}"
 
+# Controls whether proxying the jitsi domain should be done.
+matrix_nginx_proxy_proxy_jitsi_enabled: false
+matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"
+
 # Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain)
 matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
@@ -164,6 +168,9 @@ matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: []
 # A list of strings containing additional configuration blocks to add to the matrix dimension's server configuration.
 matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: []
 
+# A list of strings containing additional configuration blocks to add to the jitsi's server configuration.
+matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: []
+
 # A list of strings containing additional configuration blocks to add to the matrix domain server configuration.
 matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []
 

roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml

@@ -66,6 +66,13 @@
     mode: 0644
   when: matrix_nginx_proxy_proxy_dimension_enabled|bool
 
+- name: Ensure Matrix nginx-proxy configuration for jitsi domain exists
+  template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-jitsi.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-jitsi.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_jitsi_enabled|bool
+
 - name: Ensure Matrix nginx-proxy data directory for base domain exists
   file:
     path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain"
@@ -163,6 +170,12 @@
     state: absent
   when: "not matrix_nginx_proxy_proxy_dimension_enabled|bool"
 
+- name: Ensure Matrix nginx-proxy configuration for jitsi domain deleted
+  file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-jitsi.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_jitsi_enabled|bool"
+
 - name: Ensure Matrix nginx-proxy homepage for base domain deleted
   file:
     path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html"

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2

@@ -0,0 +1,72 @@
+#jinja2: lstrip_blocks: "True"
+
+{% macro render_vhost_directives() %}
+	gzip on;
+	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
+{% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %}
+	{{- configuration_block }}
+{% endfor %}
+
+	location / {
+		{% if matrix_nginx_proxy_enabled %}
+			{# Use the embedded DNS resolver in Docker containers to discover the service #}
+			resolver 127.0.0.11 valid=5s;
+			set $backend "matrix-jitsi-web:80";
+			proxy_pass http://$backend;
+		{% else %}
+			{# Generic configuration for use outside of our container setup #}
+			proxy_pass http://127.0.0.1:12080;
+		{% endif %}
+
+		proxy_set_header Host $host;
+		proxy_set_header X-Forwarded-For $remote_addr;
+	}
+{% endmacro %}
+
+server {
+	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
+	server_name {{ matrix_nginx_proxy_proxy_jitsi_hostname }};
+
+	server_tokens off;
+	root /dev/null;
+
+	{% if matrix_nginx_proxy_https_enabled %}
+		location /.well-known/acme-challenge {
+			{% if matrix_nginx_proxy_enabled %}
+				{# Use the embedded DNS resolver in Docker containers to discover the service #}
+				resolver 127.0.0.11 valid=5s;
+				set $backend "matrix-certbot:8080";
+				proxy_pass http://$backend;
+			{% else %}
+				{# Generic configuration for use outside of our container setup #}
+				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
+			{% endif %}
+		}
+
+		location / {
+			return 301 https://$http_host$request_uri;
+		}
+	{% else %}
+		{{ render_vhost_directives() }}
+	{% endif %}
+}
+
+{% if matrix_nginx_proxy_https_enabled %}
+server {
+	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
+	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
+
+	server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }};
+
+	server_tokens off;
+	root /dev/null;
+
+	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/fullchain.pem;
+	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem;
+	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
+	ssl_prefer_server_ciphers on;
+	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+
+	{{ render_vhost_directives() }}
+}
+{% endif %}

roles/matrix-riot-web/defaults/main.yml

@@ -58,6 +58,8 @@ matrix_riot_web_branding_welcomeBackgroundUrl: ~
 # point this to a `home.html` template file on your local filesystem.
 matrix_riot_web_embedded_pages_home_path: ~
 
+matrix_riot_web_jitsi_preferredDomain: ''
+
 # Controls whether the self-check feature should validate SSL certificates.
 matrix_riot_web_self_check_validate_certificates: true
 

roles/matrix-riot-web/templates/config.json.j2

@@ -30,6 +30,12 @@
 	"embeddedPages": {
 		"homeUrl": {{ matrix_riot_web_embedded_pages_home_url|string|to_json }}
 	},
+	{% if matrix_riot_web_jitsi_preferredDomain is not none %}
+	"jitsi": {
+        "preferredDomain": {{ matrix_riot_web_jitsi_preferredDomain|to_json }},
+        "externalApiUrl": "https://{{ matrix_riot_web_jitsi_preferredDomain }}/libs/external_api.min.js"
+    },
+	{% endif %}
 	"branding": {
 		"authFooterLinks": {{ matrix_riot_web_branding_authFooterLinks|to_json }},
 		"authHeaderLogoUrl": {{ matrix_riot_web_branding_authHeaderLogoUrl|to_json }},

setup.yml

@@ -18,6 +18,7 @@
     - matrix-bridge-mautrix-whatsapp
     - matrix-synapse
     - matrix-riot-web
+    - matrix-jitsi
     - matrix-mxisd
     - matrix-dimension
     - matrix-email2matrix