Self-hosting Jitsi Meet

Standing up your own Jitsi Meet server

I recently started to play around with Jitsi Meet, as a way of hosting multi-party video calls (Signal can only do 1-to-1, WhatsApp caps out at 4). The publicly hosted version at https://meet.jit.si looks great and has an awesome privacy policy, but I was interested in hosting my own for extra privacy and performance considerations.

The steps taken

  1. Open an account with Digital Ocean

    • I’d never actually used Digital Ocean before trying to do this. I figured AWS might be a bit too heavyweight, and I’d heard of Digital Ocean before through Hacktoberfest.
    • Creating an account was pretty simple, although I did have to verify my ID with them
  2. Create a droplet

    Digital Ocean operates on the notion that they provide access to an “ocean” of servers, where each one is a “droplet”.

    • Make one using the console, I used the following settings:
      • OS: Ubuntu (not sure why. I have some experience with Debian via my Raspberry Pis, but my sysadmin experience is so minimal that, to me, all Linux systems are the same apart from whether they use apt or yum to install things)
      • Plan: The smallest & cheapest droplet available - 1GB RAM, 1 core, $5 per month
      • Region: London - nearest to me
      • Additional Options: monitoring (I like pretty graphs)
      • Authentication: SSH key
  3. Create a firewall

    I briefly panicked because I’d created a server on the internet without any network controls (weird how droplets default to having all ports open to the internet; I prefer AWS’ model of a default security group that blocks all traffic).

    • Open the ports that Jitsi needs:

      Ingress:

      • Port 22 (TCP) - open only to my IP address, checked here
      • Ports 80,443,4443 (TCP) - open to 0.0.0.0
      • Port 10000 (UDP) - open to 0.0.0.0

      Egress:

      • All TCP and UDP connections (until we can verify what outbound ports Jitsi needs)
  4. Log on and update the box

    • Follow Digital Ocean’s server setup guide, and do things like create (& use!) non-root users
    • Enable Fail2Ban on its most basic settings in case I messed up the firewall
    • Run sudo apt -y update && sudo apt upgrade
  5. Install Docker

    • Digital Ocean wrote a handy guide for doing this here
  6. Install docker-compose

  7. Clone the Jitsi Meet Docker repo:

    • git clone https://github.com/jitsi/docker-jitsi-meet.git
  8. Personalise the configuration

    • The documentation is pretty good in the repo already; they’ve seen a surge of users following all the Zoom news and seem to be responding pretty well to it
    • The places that I changed my configuration were as follows (n.b. many of these are just uncommenting a line):
     ```
     + HTTP_PORT=80
     - HTTP_PORT=8000
        
     + HTTPS_PORT=443
     - HTTPS_PORT=8443
        
     + TZ=Europe/London
     - TZ=Europe/Amsterdam
        
     + PUBLIC_URL=https://meet.mydomain.com
     - #PUBLIC_URL=https://meet.example.com
        
     + ENABLE_LETSENCRYPT=1
     - #ENABLE_LETSENCRYPT=1
        
     + LETSENCRYPT_DOMAIN=meet.mydomain.com
     - #LETSENCRYPT_DOMAIN=meet.example.com
        
     + LETSENCRYPT_EMAIL=myemail@mydomain.com
     - #LETSENCRYPT_EMAIL=alice@atlanta.net
    
     + ENABLE_AUTH=1
     - #ENABLE_AUTH=1
        
     + AUTH_TYPE=internal
     - #AUTH_TYPE=internal
        
     + ENABLE_HTTP_REDIRECT=1
     - #ENABLE_HTTP_REDIRECT=1
     ```
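    Review bot: the listing never says which file these lines belong to, and every pair puts the `+` line above the `-` line, the reverse of the order that `diff` and `git diff` print. Name the file above the block and list each removed line before its replacement, so the changes can be checked against the repo's current defaults instead of being copied blind.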
    
  9. Start the service(s)!

    • docker-compose up -d
  10. Create user account(s)

    I’m just going to quote the main documentation here:

    users must be created with the prosodyctl utility in the prosody container. In order to do that, first, execute a shell in the corresponding container:

    docker-compose exec prosody /bin/bash

    Once in the container, run the following command to create a user:

    prosodyctl --config /config/prosody.cfg.lua register TheDesiredUsername meet.jitsi TheDesiredPassword

    Note that the command produces no output.

  11. Hit the URL in your browser, and create a chat!

Overall it was pretty painless but extremely manual. None of this really feels like it should need much user input, so it could be relatively straightforward to script up.
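Step 8 is one part that scripts cleanly. The following is an added example, not code from the original post or from the docker-jitsi-meet project: it applies the ten settings listed in step 8 to a KEY=VALUE env file and fails if authentication is still commented out or the certificate domain does not match PUBLIC_URL. The function names and the constructed sample file are assumptions; the keys and values are the ones shown in step 8.

```sh
# Added example: script step 8 against a copy of the env file.
set -eu

# set_env FILE KEY VALUE: rewrite the first line defining KEY, active or
# commented out ("#KEY=..."), to KEY=VALUE; append it if the key is absent.
set_env() {
    se_tmp=$(mktemp)
    awk -v k="$2" -v v="$3" '
        !seen && $0 ~ ("^#?[ \t]*" k "=") { print k "=" v; seen = 1; next }
        { print }
        END { if (!seen) print k "=" v }
    ' "$1" > "$se_tmp"
    cat "$se_tmp" > "$1"   # overwrite in place: keeps owner and mode
    rm -f "$se_tmp"
}

# get_env FILE KEY: print the active (uncommented) value of KEY, if any.
get_env() { sed -n "s/^$2=//p" "$1" | head -n 1; }

# apply_page_settings FILE DOMAIN EMAIL: the ten "+" values from step 8.
apply_page_settings() {
    for kv in HTTP_PORT=80 HTTPS_PORT=443 TZ=Europe/London \
        "PUBLIC_URL=https://$2" ENABLE_LETSENCRYPT=1 "LETSENCRYPT_DOMAIN=$2" \
        "LETSENCRYPT_EMAIL=$3" ENABLE_AUTH=1 AUTH_TYPE=internal ENABLE_HTTP_REDIRECT=1
    do
        set_env "$1" "${kv%%=*}" "${kv#*=}"
    done
}

# check_env FILE: fail unless auth is active and the certificate domain
# matches the host in PUBLIC_URL (a commented-out key counts as unset).
check_env() {
    [ "$(get_env "$1" ENABLE_AUTH)" = 1 ] || { echo "ENABLE_AUTH is not active" >&2; return 1; }
    [ "$(get_env "$1" PUBLIC_URL)" = "https://$(get_env "$1" LETSENCRYPT_DOMAIN)" ] ||
        { echo "PUBLIC_URL and LETSENCRYPT_DOMAIN disagree" >&2; return 1; }
}

# Constructed sample: the "-" lines from step 8 stand in for the shipped file.
sample_env() {
    printf '%s\n' HTTP_PORT=8000 HTTPS_PORT=8443 TZ=Europe/Amsterdam \
        '#PUBLIC_URL=https://meet.example.com' '#ENABLE_LETSENCRYPT=1' \
        '#LETSENCRYPT_DOMAIN=meet.example.com' '#LETSENCRYPT_EMAIL=alice@atlanta.net' \
        '#ENABLE_AUTH=1' '#AUTH_TYPE=internal' '#ENABLE_HTTP_REDIRECT=1'
}

demo=$(mktemp); sample_env > "$demo"
apply_page_settings "$demo" meet.mydomain.com myemail@mydomain.com
check_env "$demo" && cat "$demo"
rm -f "$demo"
```

Running `check_env` before `docker-compose up -d` catches the case where the ENABLE_AUTH line was left commented out, which would otherwise start the service with the ports from step 3 open and no login required.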

I felt weirdly exposed standing up a server with just that single firewall configured; I’m not convinced I understand how to properly secure it yet, so at the moment I destroy the server after each time I play around with Jitsi. I think there’s a learning/comfort curve to go along with Digital Ocean, much like there was when I was getting started with AWS.

Ideally I’d have a single script (like Terraform/Troposphere) that creates an instance, sets up a firewall, does the installation & configuration, and then boots up the docker containers.

Once (if) I get around to doing this, I’ll write up my notes here.