====== 2021-01-04 - dziadkofon ======
...or a family videoconferencing system. ;) when [[wp>COVID-19 pandemic]] started and we ended up in a lockdown i was thinking about possible options to be able to meet grandparents, even if only remotely. there were a couple of things to keep in mind. the most important were:
* secure
* trivial to use by family elders
* simple to setup for everyone interested
* audio + video
* multiple attendees at the same time supported
* easy to setup
time has passed, it i now have a working solution for that. :) there are two parts of it -- server side and client side. we'll cover the solution in this order.
===== server =====
i've chosen [[https://jitsi.org|jitsi]] as a videoconferencing solution. to set it up it's enough to create a small VM in your favorite cloud, and use [[wp>docker (software)|docker]] to start an instance. as usual i'm using [[wp>debian]] as a base OS.
after creating an instance, just to this:
apt install -y docker.io docker-compose git
git clone https://github.com/jitsi/docker-jitsi-meet.git
cd docker-jitsi-meet
cp env.example .env
./gen-passwords.sh
vi .env # we'll come to that in a sec...
mkdir -p ~/.jitsi-meet-cfg/{web/letsencrypt,transcripts,prosody/config,prosody/prosody-plugins-custom,jicofo,jvb,jigasi,jibri}
docker-compose up -d
there are number of options that you have to and/or should change in //.env// file. let's go through this that are important.
//HTTP_PORT// and //HTTPS_PORT// shall be changed to standard values (i.e. //80// and //443//). otherwise [[wp>Let's Encrypt]] will not work. since HTTPS ("security" part) is my base requirement, it is a must have here.
now setup DNS entry, that will point into your newly created instance. next change //PUBLIC_URL// to that URL and //DOCKER_HOST_ADDRESS// to an actual IP address of the machine (public IP).
time for HTTPS settings. it's all very smooth -- just set //ENABLE_LETSECNRYPT// to //1//, provide //LETSENCRYPT_DOMAIN// (your DNS entry) and set //LETCENCRYPT_EMAIL// to sth you own. you'll also need to set //ENABLE_HTTP_REDIRECT// to //1//.
while not a hard must-have, do also consider setting //RESTART_POLICY// to //no// so that web proxy will not be restarted when Let's Encrypt's certificate negotation fails. Let's Encrypt have a very strict limits on number of tries and if you screw anything with //RESTART_POLICY// set to anything else, you'll just blow up Let's Encrypt certs limits rates, blocking you for hours. once cert is downloaded and working, you can always set it back to //unless-stopped// (or whatever you like).
the 2nd part of security aspect is that you want to have authentication enabled. since this is just a simple installation, aimed for a small and trusted group, we can just manage accounts by hand and provide family members with credentials. this can be done with jitsi's internal authorization mechanism. thus let's set //ENABLE_AUTH// to //1//, disable guests with //ENABLE_GUESTS// set to //0// and set //AUTH_TYPE// to //internal//. i also prefer //ENABLE_RECORDINGS// to be set to //0// -- don't plan to use it anyway, so why bother/risk?
the last part is to add users. you can do this with a simple command:
docker-compose exec prosody prosodyctl --config /config/prosody.cfg.lua register USERNAME meet.jitsi PASSWORD
and that's it! you're now good to go! :)
===== client =====
for most of users / family members under 60, it will be as easy as opening web browser, go to //your.domain.name/channel_name//, login and you can talk! :)
2/3 of my time on this project was however spent to make things easy for elders, so that they can use it, too. assumption was: no prior knowledge, technically agnostic and a single-button-UI approach. after going through like a dozen of different setups and ideas, i've finally seteled up with re-using old laptops as end-user terminals. laptops are setup up in a way, that they auto-connect to the custom jitsi server upon boot, automatically login and are ready to go. when session is over, it is enough to push power button again, to turn it off. here is a ready to go recipe for the setup.
obviously a minimal installation of [[wp>debian]], so that it works fast and reliable + is easy to setup (forget about Windows ;)).
first install all required packages, so that you can start //X11// (note: no window manager!):
apt install chromium xinit
now add a new user, that will autologon -- say: //johndoe//.
make user auto-login. edit /etc/systemd/logind.conf and set //NAutoVTs=1//. then do //systemctl edit getty@tty1//, providing a following content:
[Service]
ExecStart=
ExecStart=-/sbin/agetty --autologin root --noclear %I 38400 linux
run //systemctl enable getty@tty1// to make sure it is started upon next boot.
to connect to the service we'll just use chromium in a kiosk mode. it should also auto start, upon boot. first create file /home/johndoe/.xinitrc and make it executable. content of it will be started when X11 is started:
#!/bin/bash
set -eux -o pipefail
# disable power saving, screen blanking, etc...
xset -dpms
xset s off
xset s noblank
# hide mouse pointer
unclutter &
# browser in a kiosk mode
exec chromium \
--kiosk \
--start-fullscreen \
--noerrdialogs \
--disable-translate \
--no-first-run \
--fast \
--fast-start \
--disable-infobars \
--disable-features=TranslateUI \
--disk-cache-dir=/dev/null \
--password-store=basic \
"https://your.domain.name/my_private_channel_for_family"
note that while normally incognito mode is preferred for kiosk modes, here it is actually a problem, as it will show pop-ups regarding page wanting to access your mic and camera. having this breaks the assumption of having interaction-free UI, auto-starting the whole thing. thus we skip incognito mode switch and just click "allow", so that this setting is saved.
the last thing is to actually start X11 automatically. since we already auto-login in shell, the task is as simple as creating /home/johndoe/.bash_profile with a following content:
if [ -z "$DISPLAY" ] && [ "$(tty)" = "/dev/tty1" ]
then
while ! ping -c 4 -D "your.domain.name"
do
echo "$0: awaiting for the internet connection..."
sleep 1
done
exec startx
fi
you can use /etc/network/interfaces and/or //wicd// to auto-configure network at your family member's place. now after reboot, computer will start into kiosk mode and load the right page.
last thing that it's there to cover is auto-authentication, so that it is all key-free. to do this we'll use [[https://chrome.google.com/webstore/detail/auto-clicker-autofill/iapifmceeokikomajpccajhjpacjmibe|Auto Clicker - AutoFill]] addon to chromium. with it you can setup auto-filling entries and / or clicking buttons on pages, using [[wp>xpath]] to elements to interact with. in case of jitsi login screen, it is enough to import configuration similar to this (just update username, password and URL):
{
"enable": true,
"url": "https://your.domain.name",
"name": "",
"refresh": false,
"repeat": "",
"repeatInterval": "",
"initWait": "",
"startTime": "",
"actions": [
{
"initWait": "",
"xpath": "//input[@name=\"username\"]",
"value": "johndoe",
"repeat": "",
"repeatInterval": "",
"addon": {
"xpath": "",
"value": "",
"condition": ""
}
},
{
"initWait": "",
"xpath": "//input[@name=\"password\"]",
"value": "SuperSecretRandomlyGeneratedPassword40+2",
"repeat": "",
"repeatInterval": "",
"addon": {
"xpath": "",
"value": "",
"condition": ""
}
},
{
"initWait": "",
"xpath": "//button[@name=\"jqi_login_buttonspandatai18ndialogOkOKspan\"]",
"value": "",
"repeat": "",
"repeatInterval": "",
"addon": {
"xpath": "",
"value": "",
"condition": ""
}
}
]
}
now we're set! after reboot it should connect, auto-login and join an appropriate channel on its own. :)
===== final thoughts =====
setup is neat and fast. on my VERY old laptop it took under 60s from pressing a button to get teleconference running, while over half of it was BIOS + awaiting for an internet connection.
the instructions are detailed enough, it could be automated. maybe in a future i'll prepare [[wp>Ansible (software)|ansible]]'s playbook for this. for now time-to-market was critical, thus i just focused on "getting the job done".
the "non-incognito" thing could be improved. maybe it is possible to auto-access mic/cam dialog, too? or there is //--do-not-bother-user// flag? ;) dunno -- time will tell.
i already had a great fun using the system and had a chance to see family members i have not seen for a VERY long time now. hope you'll find it useful, too! :)