diff --git a/README.md b/README.md
index 4bf8daf..5eafa02 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,13 @@
 # BigBlueButton Docker
 
+## Features
+- Easy installation
+- Greenlight included
+- TURN server included
+- Fully automated HTTPS certificates
+- Runs on almost any major linux distributon (Debian, Ubuntu, CentOS,...)
+- Full IPv6 support
+
 ## Install
 1. Install docker-ce & docker-compose
     1. follow instructions
@@ -28,53 +36,11 @@
     $ ./scripts/compose exec greenlight bundle exec rake admin:create
     ```
 
-
-
-
-
-## Note if you use a Firewall / NAT
-Kurento binds somehow always to the external IP instead of the local one or `0.0.0.0`. For that reason you need to add your external IP to your interface.
-
-##### Temporary  way (until next reboot)
-```
-$ ip addr add 144.76.97.34/32 dev ens3
-```
-
-##### Permanent way
-Specific to your linux distribution. Use a search engine of your choice. ;)
-
-### Ports
-Also don't forget to forward all necassary ports listed in http://docs.bigbluebutton.org/2.2/configure-firewall.html
-
-
-## Upgrading
-
-```bash
-cd bbb-docker
-
-# if you use greenlight:
-# create a database backup
-docker exec -t docker_postgres_1 pg_dumpall -c -U postgres > /root/greenlight_`date +%d-%m-%Y"_"%H_%M_%S`.sql
-
-# upgrade!
-./scripts/upgrade
-
-# restart updated services
-./scripts/compose up -d
-```
-
-If you're on an old version, you might get following error: \
-`no such file or directory: ./scripts/upgrade` \
-A simple `$ git pull` resolves that, by fetching a newer version which includes the upgrade script.
+## How-To's
+- [Upgrade](docs/upgrading.md)
+- [Behind NAT](docs/behind-nat.md)
+- [BBB-Docker Development](docs/development.md)
+- [Integration into an existing web server](docs/existing-web-server.md)
 
 ## Special thanks to
 - @dkrenn, whos dockerized version (bigbluebutton#8858)(https://github.com/bigbluebutton/bigbluebutton/pull/8858) helped me a lot in understand and some configs.
-
-## Open Tasks
-- add support for recording
-- add coturn
-- add prometheus exporter
-- further separate `bbb-core` into individual container
-- enable IPv6 support
-- switch `html5` to node v12
-- drop root privileges in `webrtc-sfu`
\ No newline at end of file
diff --git a/docker-compose.coturn.yml b/docker-compose.coturn.yml
index e50708d..6485378 100644
--- a/docker-compose.coturn.yml
+++ b/docker-compose.coturn.yml
@@ -4,7 +4,8 @@ services:
     image: instrumentisto/coturn:4.5
     restart: unless-stopped
     command:
-      - "--external-ip=${EXTERNAL_IP}"
+      - "--external-ip=${EXTERNAL_IPv4}/${EXTERNAL_IPv4}"
+      - "--external-ip=${EXTERNAL_IPv6:-::1}/${EXTERNAL_IPv6:-::1}"
       - "--static-auth-secret=${TURN_SECRET}"
     volumes:
       - ssl_data:/etc/resty-auto-ssl
diff --git a/docker-compose.greenlight.yml b/docker-compose.greenlight.yml
index 018ca9c..0ca79fa 100644
--- a/docker-compose.greenlight.yml
+++ b/docker-compose.greenlight.yml
@@ -12,7 +12,7 @@ services:
       DB_NAME: greenlight
       DB_USERNAME: postgres
       DB_PASSWORD: password
-      BIGBLUEBUTTON_ENDPOINT: https://${DOMAIN}/bigbluebutton/api/
+      BIGBLUEBUTTON_ENDPOINT: ${GREENLIGHT_ENDPOINT}
       BIGBLUEBUTTON_SECRET: ${SHARED_SECRET}
       SECRET_KEY_BASE: ${RAILS_SECRET}
     ports:
diff --git a/docker-compose.https.yml b/docker-compose.https.yml
index cf0ca3a..4ed824f 100644
--- a/docker-compose.https.yml
+++ b/docker-compose.https.yml
@@ -3,14 +3,12 @@ services:
   https_proxy:
     image: valian/docker-nginx-auto-ssl
     restart: unless-stopped
-    ports:
-      - 80:80
-      - 443:443
     volumes:
       - ssl_data:/etc/resty-auto-ssl
+      - ./mod/https/${HTTPS_SITE_FILE}:/etc/nginx/conf.d/bbb-docker.conf
     environment:
-      ALLOWED_DOMAINS: ${DOMAIN}
-      SITES: ${DOMAIN}=10.7.7.1:8080
+      ALLOWED_DOMAINS: ${CERTIFICATE_DOMAINS}
+    network_mode: host
 
 volumes:
   ssl_data:
diff --git a/docker-compose.prometheus.yml b/docker-compose.prometheus.yml
new file mode 100644
index 0000000..94d96f1
--- /dev/null
+++ b/docker-compose.prometheus.yml
@@ -0,0 +1,15 @@
+version: '3.6'
+
+services:
+  prometheus-exporter:
+    image: greenstatic/bigbluebutton-exporter:v0.5.1
+    restart: unless-stopped
+    environment: 
+      API_BASE_URL: http://10.7.7.1:8080/bigbluebutton/api/
+      API_SECRET: ${SHARED_SECRET}
+      RECORDINGS_METRICS_READ_FROM_DISK: "false"
+    networks:
+      bbb-net:
+        ipv4_address: 10.7.7.33
+    # volumes:
+    #   - bigbluebutton:/var/bigbluebutton
\ No newline at end of file
diff --git a/docker-compose.webhooks.yml b/docker-compose.webhooks.yml
new file mode 100644
index 0000000..b7ed70b
--- /dev/null
+++ b/docker-compose.webhooks.yml
@@ -0,0 +1,13 @@
+version: '3.6'
+services:
+  webhooks:
+    build: mod/webhooks
+    restart: unless-stopped
+    environment:
+      DOMAIN: ${DOMAIN}
+      SHARED_SECRET: ${SHARED_SECRET}
+    extra_hosts:
+      - "redis:10.7.7.5"
+    networks:
+      bbb-net:
+        ipv4_address: 10.7.7.15
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index ee97f2d..c124ac7 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,8 +7,10 @@ services:
     depends_on:
         - redis
     environment:
+      DEV_MODE: ${DEV_MODE:-}
       DOMAIN: ${DOMAIN}
       SHARED_SECRET: ${SHARED_SECRET}
+      WELCOME_MESSAGE: ${WELCOME_MESSAGE:-}
       WELCOME_FOOTER: ${WELCOME_FOOTER}
       STUN_SERVER: stun:${STUN_IP}:${STUN_PORT}
       TURN_SERVER: ${TURN_SERVER:-}
@@ -31,14 +33,18 @@ services:
       - SYS_RESOURCE
     environment:
       DOMAIN: ${DOMAIN}
-      EXTERNAL_IP: ${EXTERNAL_IP}
+      EXTERNAL_IPv4: ${EXTERNAL_IPv4}
+      EXTERNAL_IPv6: ${EXTERNAL_IPv6:-::1}
+      SIP_IP_ALLOWLIST: ${SIP_IP_ALLOWLIST:-}
+      DISABLE_SOUND_MUTED: ${DISABLE_SOUND_MUTED:-false}
+      DISABLE_SOUND_ALONE: ${DISABLE_SOUND_ALONE:-false}
     volumes:
       - ./conf/sip_profiles:/etc/freeswitch/sip_profiles/external
       - ./conf/dialplan_public:/etc/freeswitch/dialplan/public_docker
     network_mode: host
   
   nginx:
-    image: nginx:1.18-alpine
+    image: nginx:1.19-alpine
     restart: unless-stopped
     depends_on:
       - etherpad
@@ -51,11 +57,13 @@ services:
       - ./mod/nginx/bbb:/etc/nginx/bbb
       - ./mod/nginx/bigbluebutton:/etc/nginx/conf.d/default.conf
       - ${DEFAULT_PRESENTATION:-/dev/null}:/etc/nginx/html/default.pdf
-    networks:
-      bbb-net:
-        ipv4_address: 10.7.7.13
+    network_mode: host
     extra_hosts:
       - "host.docker.internal:10.7.7.1"
+      - "core:10.7.7.2"
+      - "etherpad:10.7.7.4"
+      - "webrtc-sfu:10.7.7.10"
+      - "html5:10.7.7.11"
 
   etherpad:
     build: mod/etherpad
@@ -85,14 +93,13 @@ services:
         ipv4_address: 10.7.7.6
 
   kurento:
-    image: kurento/kurento-media-server:6.13.2
+    image: kurento/kurento-media-server:6.14
     restart: unless-stopped
     environment: 
       KMS_STUN_IP: ${STUN_IP}
       KMS_STUN_PORT: ${STUN_PORT}
       KMS_MIN_PORT: 24577
       KMS_MAX_PORT: 32768
-      KMS_EXTERNAL_ADDRESS: ${EXTERNAL_IP} 
       KMS_TURN_URL:
       KMS_NETWORK_INTERFACES: ${NETWORK_INTERFACE:-}
     network_mode: host
@@ -111,10 +118,10 @@ services:
       KURENTO_NAME: kurento
       REDIS_HOST: redis
       FREESWITCH_IP: host.docker.internal
-      FREESWITCH_SIP_IP: ${EXTERNAL_IP}
+      FREESWITCH_SIP_IP: ${EXTERNAL_IPv4}
       ESL_IP: host.docker.internal
       LOG_LEVEL: info
-      NODE_CONFIG: '{"kurento":[{"ip":"${EXTERNAL_IP}","url":"ws://kurento:8888/kurento"}]}'
+      NODE_CONFIG: '{"kurento":[{"ip":"${EXTERNAL_IPv4}","url":"ws://kurento:8888/kurento"}]}'
     ports:
       - "127.0.0.1:3008:3008"
     extra_hosts:
@@ -135,6 +142,13 @@ services:
       DOMAIN: ${DOMAIN}
       CLIENT_TITLE: ${CLIENT_TITLE}
       ETHERPAD_API_KEY: ${ETHERPAD_API_KEY}
+      LISTEN_ONLY_MODE: ${LISTEN_ONLY_MODE:-true}
+      DISABLE_ECHO_TEST: ${DISABLE_ECHO_TEST:-false}
+      AUTO_SHARE_WEBCAM: ${AUTO_SHARE_WEBCAM:-false}
+      DISABLE_VIDEO_PREVIEW: ${DISABLE_VIDEO_PREVIEW:-false}
+      CHAT_ENABLED: ${CHAT_ENABLED:-true}
+      CHAT_START_CLOSED: ${CHAT_START_CLOSED:-false}
+      DEV_MODE: ${DEV_MODE:-}
     networks:
       bbb-net:
         ipv4_address: 10.7.7.11
diff --git a/docs/behind-nat.md b/docs/behind-nat.md
new file mode 100644
index 0000000..3453aad
--- /dev/null
+++ b/docs/behind-nat.md
@@ -0,0 +1,14 @@
+# Note if you use a Firewall / NAT
+Kurento binds somehow always to the external IP instead of the local one or `0.0.0.0`. For that reason you need to add your external IP to your interface.
+
+#### Temporary  way (until next reboot)
+```
+$ ip addr add 144.76.97.34/32 dev ens3
+```
+
+#### Permanent way
+Specific to your linux distribution. Use a search engine of your choice. ;)
+
+## Ports
+Also don't forget to forward all necassary ports listed in http://docs.bigbluebutton.org/2.2/configure-firewall.html
+
diff --git a/docs/development.md b/docs/development.md
new file mode 100644
index 0000000..4a72642
--- /dev/null
+++ b/docs/development.md
@@ -0,0 +1,45 @@
+# bbb-docker Development
+
+## Running
+you can run bbb-docker locally without any certificate issues with following `.env` configurations:
+
+```
+DEV_MODE=true
+
+ENABLE_HTTPS_PROXY=true
+#ENABLE_COTURN=true
+#ENABLE_GREENLIGHT=true
+#ENABLE_WEBHOOKS=true
+
+DOMAIN=10.7.7.1
+EXTERNAL_IP=10.7.7.1
+STUN_IP=216.93.246.18
+STUN_PORT=3478
+TURN_SERVER=turns:localhost:465?transport=tcp
+
+TURN_SECRET=SuperTurnSecret
+SHARED_SECRET=SuperSecret
+ETHERPAD_API_KEY=SuperEtherpadKey
+RAILS_SECRET=SuperRailsSecret
+
+# ====================================
+# CUSTOMIZATION
+# ====================================
+
+[... add rest of sample.env here ...]
+```
+
+- you can than start it with \
+  `$ ./scripts/compose up -d`
+- view the logs with \
+  `$ ./scripts/compose logs -f`
+- and access the API via \
+  https://mconf.github.io/api-mate/#server=https://10.7.7.1/bigbluebutton/api&sharedSecret=SuperSecret
+    * At some point your browser will warn you about an invalid certificate, but you can press _"Accept the Risk and Continue" / "Proceed to 10.7.7.1 (unsafe)"_
+
+## Changes
+- After doing some changes you usually must...
+  * rebuild the image(s): \
+    `$ ./scripts/compose build [containername]`
+  * restart changes image(s): \
+    `$ ./scripts/compose up -d`
\ No newline at end of file
diff --git a/docs/existing-web-server.md b/docs/existing-web-server.md
new file mode 100644
index 0000000..d4f4f33
--- /dev/null
+++ b/docs/existing-web-server.md
@@ -0,0 +1,43 @@
+# How to integrate into an existing Web server setup
+
+Since the non-dockerized version of BigBlueButton has [many requirements](https://docs.bigbluebutton.org/2.2/install.html#minimum-server-requirements), such as a specific Ubuntu version (16.04) as well as ports 80/443 not being in use by other applications, and considering that [a "clean" server dedicated for BigBlueButton is recommended](https://docs.bigbluebutton.org/2.2/install.html#before-you-install), you may enjoy the benefits of this dockerized version in order to run BigBlueButton on a server that is not completely dedicated to this software, on which a Web server may be already in use.
+
+You could dedicate a virtual host to BigBlueButton, allowing external access to it through a reverse proxy.
+
+> **Note.** The automatic HTTPS Proxy is not needed if you are going to run BigBlueButton behind a reverse proxy; in that case, you should be able to enable SSL for the virtual host you are going to dedicate to BigBlueButton, using your Web server features. Please notice that it will not be possible to install and use the integrated TURN server, since it requires the automatic HTTPS Proxy to be installed; therefore, if a TURN server is required, you should install and configure it by yourself. You can set BigBlueButton to use a TURN server by uncommenting and adjusting `TURN_SERVER` and `TURN_SECRET` in the `.env` file, which is created after completion of the setup script.
+
+## Installation
+1. Install BigBlueButton Docker [as explained above](#install). While running the setup script, please choose `n` when you're asked the following question: `Should an automatic HTTPS Proxy be included? (y/n)`.
+2. Now all the required Docker containers should be running. BigBlueButton listens to port 8080. Create a virtual host by which BigBlueButton will be publicly accessible (in this case, let's assume the following server name for the virtual host: `bbb.example.com`). Enable SSL for the new _https_ virtual host. Make sure that the SSL certificate you will be using is signed by a CA (Certificate Authority). You could generate an SSL certificate for free using Let's Encrypt. It is suggested to add some directives to the _http_ virtual host `bbb.example.com` to redirect all requests to the _https_ one.
+
+At this point, choose one of the following sections according to which Web server you're running ([Apache](#integration-with-apache)).
+
+Eventually, BigBlueButton should be publicly accessible on `https://bbb.example.com/`. If you chose to install Greenlight, then the previous URL should allow you to open its home page. The APIs will be accessible through `https://bbb.example.com/bigbluebutton/`.
+
+## Integration with nginx
+> *Not written yet. can you imagine writing down some instructions?*
+
+## Integration with Apache
+1. Make sure that the following Apache modules are in use: `proxy`, `rewrite`, `proxy_http`, `proxy_wstunnel`. On _apache2_, the following command activates these modules,  whenever they are not already enabled:
+```
+sudo a2enmod proxy rewrite proxy_http proxy_wstunnel
+```
+2. Add the following directives to the _https_ virtual host `bbb.example.com`:
+```
+ProxyPreserveHost On
+
+RewriteEngine On
+RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
+RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
+RewriteRule .* ws://127.0.0.1:8080%{REQUEST_URI} [P,QSA,L]
+
+<Location />
+	Require all granted
+	ProxyPass http://127.0.0.1:8080/
+	ProxyPassReverse http://127.0.0.1:8080/
+</Location>
+```
+3. Restart Apache:
+```
+service apache2 restart
+```
diff --git a/docs/upgrading.md b/docs/upgrading.md
new file mode 100644
index 0000000..f3a2bc5
--- /dev/null
+++ b/docs/upgrading.md
@@ -0,0 +1,21 @@
+# How To Upgrade bbb-docker
+
+## Backup
+if you use greenlight, create a database backup first
+```bash
+docker exec -t docker_postgres_1 pg_dumpall -c -U postgres > /root/greenlight_`date +%d-%m-%Y"_"%H_%M_%S`.sql
+```
+
+## Upgrading
+```bash
+# upgrade!
+./scripts/upgrade
+
+# restart updated services
+./scripts/compose up -d
+```
+
+
+## "no such file or directory: ./scripts/upgrade"
+If you're on an old version, you might get this error. 
+A simple `$ git pull` resolves that, by fetching a newer version which includes the upgrade script.
diff --git a/mod/core/Dockerfile b/mod/core/Dockerfile
index e0f42b4..4c7291a 100644
--- a/mod/core/Dockerfile
+++ b/mod/core/Dockerfile
@@ -28,7 +28,7 @@ RUN apt-get install -y supervisor apt-transport-https equivs libreoffice haveged
 # bbb repo & packages
 RUN LC_CTYPE=C.UTF-8 add-apt-repository ppa:bigbluebutton/support
 RUN sh -c 'wget https://ubuntu.bigbluebutton.org/repo/bigbluebutton.asc -O- | apt-key add -' \
-    && sh -c 'echo "deb https://packages-eu.bigbluebutton.org/xenial-22 bigbluebutton-xenial main" > /etc/apt/sources.list.d/bigbluebutton.list'
+    && sh -c 'echo "deb https://ubuntu.bigbluebutton.org/xenial-22 bigbluebutton-xenial main" > /etc/apt/sources.list.d/bigbluebutton.list'
 
 # create dummy packages to satisfy dependencies
 RUN equivs-control redis-server.control \
@@ -37,6 +37,10 @@ RUN equivs-control redis-server.control \
     && dpkg -i /*.deb \
     && rm /*.deb
 
+# this variable is not used, but it triggers
+# rebuilding from here on if changed
+ENV VERSION v2.2.22
+
 RUN apt-get update && apt-get install -y bbb-web \
                     bbb-fsesl-akka bbb-apps-akka bbb-transcode-akka bbb-apps \
                     bbb-apps-video bbb-apps-screenshare bbb-apps-video-broadcast \
diff --git a/mod/core/web/bigbluebutton.properties b/mod/core/web/bigbluebutton.properties
index d7893b8..b1f4064 100644
--- a/mod/core/web/bigbluebutton.properties
+++ b/mod/core/web/bigbluebutton.properties
@@ -146,7 +146,7 @@ defaultGuestPolicy=ALWAYS_ACCEPT
 #
 # native2ascii -encoding UTF8 bigbluebutton.properties bigbluebutton.properties
 #
-defaultWelcomeMessage=Welcome to <b>%%CONFNAME%%</b>!<br><br>For help on using BigBlueButton see these (short) <a href="event:http://www.bigbluebutton.org/html5"><u>tutorial videos</u></a>.<br><br>To join the audio bridge click the phone button.  Use a headset to avoid causing background noise for others.
+defaultWelcomeMessage={{ .Env.WELCOME_MESSAGE }}
 defaultWelcomeMessageFooter={{ .Env.WELCOME_FOOTER }}
 
 # Default maximum number of users a meeting can have.
@@ -297,7 +297,11 @@ beans.presentationService.testPresentationName=appkonference
 # Uploaded presentation file
 beans.presentationService.testUploadedPresentation=appkonference.txt
 # Default Uploaded presentation file
+{{ if isTrue .Env.DEV_MODE }}
+beans.presentationService.defaultUploadedPresentation=https://test.bigbluebutton.org/default.pdf
+{{else}}
 beans.presentationService.defaultUploadedPresentation=${bigbluebutton.web.serverURL}/default.pdf
+{{end}}
 
 presentationBaseURL=${bigbluebutton.web.serverURL}/bigbluebutton/presentation
 
diff --git a/mod/coturn/turnserver.conf b/mod/coturn/turnserver.conf
index 832897e..ddb8111 100644
--- a/mod/coturn/turnserver.conf
+++ b/mod/coturn/turnserver.conf
@@ -60,4 +60,12 @@ no-tlsv1
 no-tlsv1_1
 
 # To enable single filename logs you need to enable the simple-log flag
-syslog
\ No newline at end of file
+syslog
+
+
+# Allocate Address Family according 
+# If enabled then TURN server allocates address family according  the TURN 
+# Client <=> Server communication address family.
+# (By default Coturn works according RFC 6156.)
+# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
+keep-address-family
diff --git a/mod/freeswitch/Dockerfile b/mod/freeswitch/Dockerfile
index fb3bf26..a15c4fc 100644
--- a/mod/freeswitch/Dockerfile
+++ b/mod/freeswitch/Dockerfile
@@ -35,7 +35,6 @@ RUN apt-get update && apt-get install -y \
         freeswitch-mod-hash \
         freeswitch-mod-httapi \
         freeswitch-mod-local-stream \
-        freeswitch-mod-logfile \
         freeswitch-mod-loopback \
         freeswitch-mod-lua \
         freeswitch-mod-native-file \
@@ -49,7 +48,8 @@ RUN apt-get update && apt-get install -y \
         freeswitch-mod-spandsp \
         freeswitch-mod-tone-stream \
         freeswitch-mod-verto \
-        freeswitch-sounds-en-us-callie
+        freeswitch-sounds-en-us-callie \
+        iptables
 
 # Potentially missing
 # (included in bbb-freeswitch-core but not referenced in https://github.com/bigbluebutton/bigbluebutton/issues/9064)
diff --git a/mod/freeswitch/conf/autoload_configs/conference.conf.xml.tmpl b/mod/freeswitch/conf/autoload_configs/conference.conf.xml.tmpl
new file mode 100644
index 0000000..516b2c7
--- /dev/null
+++ b/mod/freeswitch/conf/autoload_configs/conference.conf.xml.tmpl
@@ -0,0 +1,284 @@
+<!-- http://wiki.freeswitch.org/wiki/Mod_conference -->
+<!-- None of these paths are real if you want any of these options you need to really set them up -->
+<configuration name="conference.conf" description="Audio Conference">
+  <!-- Advertise certain presence on startup . -->
+  <advertise>
+    <room name="3001@$${domain}" status="FreeSWITCH"/>
+  </advertise>
+
+  <!-- These are the default keys that map when you do not specify a caller control group -->
+  <!-- Note: none and default are reserved names for group names.  Disabled if dist-dtmf member flag is set. -->
+  <caller-controls>
+    <group name="default">
+      <control action="mute" digits="0"/>
+      <control action="deaf mute" digits="*"/>
+      <control action="energy up" digits="9"/>
+      <control action="energy equ" digits="8"/>
+      <control action="energy dn" digits="7"/>
+      <control action="vol talk up" digits="3"/>
+      <control action="vol talk zero" digits="2"/>
+      <control action="vol talk dn" digits="1"/>
+      <control action="vol listen up" digits="6"/>
+      <control action="vol listen zero" digits="5"/>
+      <control action="vol listen dn" digits="4"/>
+      <!--control action="hangup" digits="#"/ -->
+    </group>
+  </caller-controls>
+
+  <!-- Profiles are collections of settings you can reference by name. -->
+  <profiles>
+    <!--If no profile is specified it will default to "default"-->
+    <profile name="default">
+      <!-- Directory to drop CDR's
+           'auto' means $PREFIX/logs/conference_cdr/<confernece_uuid>.cdr.xml
+           a non-absolute path means $PREFIX/logs/<value>/<confernece_uuid>.cdr.xml
+           absolute path means <value>/<confernece_uuid>.cdr.xml
+      -->
+      <!-- <param name="cdr-log-dir" value="auto"/> -->
+
+      <!-- Domain (for presence) -->
+      <param name="domain" value="$${domain}"/>
+      <!-- Sample Rate-->
+      <param name="rate" value="8000"/>
+      <!-- Number of milliseconds per frame -->
+      <param name="interval" value="20"/>
+      <!-- Energy level required for audio to be sent to the other users -->
+      <param name="energy-level" value="100"/>
+
+      <!--Can be | delim of waste|mute|deaf|dist-dtmf waste will always transmit data to each channel
+          even during silence.  dist-dtmf propagates dtmfs to all other members, but channel controls
+          via dtmf will be disabled. -->
+      <!-- <param name="member-flags" value="waste"/> -->
+
+      <!-- Name of the caller control group to use for this profile -->
+      <!-- <param name="caller-controls" value="some name"/> -->
+      <!-- Name of the caller control group to use for the moderator in this profile -->
+      <!-- <param name="moderator-controls" value="some name"/> -->
+      <!-- TTS Engine to use -->
+      <!-- <param name="tts-engine" value="cepstral"/> -->
+      <!-- TTS Voice to use -->
+      <!-- <param name="tts-voice" value="david"/> -->
+
+      <!-- If TTS is enabled all audio-file params beginning with -->
+      <!-- 'say:' will be considered text to say with TTS -->
+      <!-- Override the default path here, after which you use relative paths in the other sound params -->
+      <!-- Note: The default path is the conference's first caller's sound_prefix -->
+      <!-- <param name="sound-prefix" value="$${sounds_dir}/en/us/callie"/> -->
+      <!-- File to play to acknowledge succees -->
+      <!-- <param name="ack-sound" value="beep.wav"/> -->
+      <!-- File to play to acknowledge failure -->
+      <!-- <param name="nack-sound" value="beeperr.wav"/> -->
+      <!-- File to play to acknowledge muted -->
+      <param name="muted-sound" value="conference/conf-muted.wav"/>
+      <!-- File to play to acknowledge unmuted -->
+      <param name="unmuted-sound" value="conference/conf-unmuted.wav"/>
+      <!-- File to play if you are alone in the conference -->
+      <param name="alone-sound" value="conference/conf-alone.wav"/>
+      <!-- File to play endlessly (nobody will ever be able to talk) -->
+      <!-- <param name="perpetual-sound" value="perpetual.wav"/> -->
+      <!-- File to play when you're alone (music on hold)-->
+      <param name="moh-sound" value="$${hold_music}"/>
+      <!-- File to play when you join the conference -->
+      <param name="enter-sound" value="tone_stream://%(200,0,500,600,700)"/>
+      <!-- File to play when you leave the conference -->
+      <param name="exit-sound" value="tone_stream://%(500,0,300,200,100,50,25)"/>
+      <!-- File to play when you are ejected from the conference -->
+      <param name="kicked-sound" value="conference/conf-kicked.wav"/>
+      <!-- File to play when the conference is locked -->
+      <param name="locked-sound" value="conference/conf-locked.wav"/>
+      <!-- File to play when the conference is locked during the call-->
+      <param name="is-locked-sound" value="conference/conf-is-locked.wav"/>
+      <!-- File to play when the conference is unlocked during the call-->
+      <param name="is-unlocked-sound" value="conference/conf-is-unlocked.wav"/>
+      <!-- File to play to prompt for a pin -->
+      <param name="pin-sound" value="conference/conf-pin.wav"/>
+      <!-- File to play to when the pin is invalid -->
+      <param name="bad-pin-sound" value="conference/conf-bad-pin.wav"/>
+      <!-- Conference pin -->
+      <!-- <param name="pin" value="12345"/> -->
+      <!-- <param name="moderator-pin" value="54321"/> -->
+      <!-- Max number of times the user can be prompted for PIN -->
+      <!-- <param name="pin-retries" value="3"/> -->
+      <!-- Default Caller ID Name for outbound calls -->
+      <param name="caller-id-name" value="$${outbound_caller_name}"/>
+      <!-- Default Caller ID Number for outbound calls -->
+      <param name="caller-id-number" value="$${outbound_caller_id}"/>
+      <!-- Suppress start and stop talking events -->
+      <!-- <param name="suppress-events" value="start-talking,stop-talking"/> -->
+      <!-- enable comfort noise generation -->
+      <param name="comfort-noise" value="true"/>
+      <!-- Uncomment auto-record to toggle recording every conference call. -->
+      <!-- Another valid value is   shout://user:pass@server.com/live.mp3   -->
+      <!--
+      <param name="auto-record" value="$${recordings_dir}/${conference_name}_${strftime(%Y-%m-%d-%H-%M-%S)}.wav"/>
+      -->
+
+      <!-- IVR digit machine timeouts -->
+      <!-- How much to wait between DTMF digits to match caller-controls -->
+      <!-- <param name="ivr-dtmf-timeout" value="500"/> -->
+      <!-- How much to wait for the first DTMF, 0 forever -->
+      <!-- <param name="ivr-input-timeout" value="0" /> -->
+      <!-- Delay before a conference is asked to be terminated -->
+      <!-- <param name="endconf-grace-time" value="120" /> -->
+      <!-- Can be | delim of wait-mod|audio-always|video-bridge|video-floor-only
+           wait_mod will wait until the moderator in,
+           audio-always will always mix audio from all members regardless they are talking or not -->
+      <!-- <param name="conference-flags" value="audio-always"/> -->
+      <!-- Allow live array sync for Verto -->
+      <!-- <param name="conference-flags" value="livearray-sync"/> -->
+    </profile>
+
+    <profile name="wideband">
+      <param name="domain" value="$${domain}"/>
+      <param name="rate" value="16000"/>
+      <param name="interval" value="20"/>
+      <param name="energy-level" value="100"/>
+      <!-- <param name="sound-prefix" value="$${sounds_dir}/en/us/callie"/> -->
+      <param name="muted-sound" value="conference/conf-muted.wav"/>
+      <param name="unmuted-sound" value="conference/conf-unmuted.wav"/>
+      <param name="alone-sound" value="conference/conf-alone.wav"/>
+      <param name="moh-sound" value="$${hold_music}"/>
+      <param name="enter-sound" value="tone_stream://%(200,0,500,600,700)"/>
+      <param name="exit-sound" value="tone_stream://%(500,0,300,200,100,50,25)"/>
+      <param name="kicked-sound" value="conference/conf-kicked.wav"/>
+      <param name="locked-sound" value="conference/conf-locked.wav"/>
+      <param name="is-locked-sound" value="conference/conf-is-locked.wav"/>
+      <param name="is-unlocked-sound" value="conference/conf-is-unlocked.wav"/>
+      <param name="pin-sound" value="conference/conf-pin.wav"/>
+      <param name="bad-pin-sound" value="conference/conf-bad-pin.wav"/>
+      <param name="caller-id-name" value="$${outbound_caller_name}"/>
+      <param name="caller-id-number" value="$${outbound_caller_id}"/>
+      <param name="comfort-noise" value="true"/>
+      <!-- <param name="tts-engine" value="flite"/> -->
+      <!-- <param name="tts-voice" value="kal16"/> -->
+    </profile>
+
+    <profile name="ultrawideband">
+      <param name="domain" value="$${domain}"/>
+      <param name="rate" value="32000"/>
+      <param name="interval" value="20"/>
+      <param name="energy-level" value="100"/>
+      <!-- <param name="sound-prefix" value="$${sounds_dir}/en/us/callie"/> -->
+      <param name="muted-sound" value="conference/conf-muted.wav"/>
+      <param name="unmuted-sound" value="conference/conf-unmuted.wav"/>
+      <param name="alone-sound" value="conference/conf-alone.wav"/>
+      <param name="moh-sound" value="$${hold_music}"/>
+      <param name="enter-sound" value="tone_stream://%(200,0,500,600,700)"/>
+      <param name="exit-sound" value="tone_stream://%(500,0,300,200,100,50,25)"/>
+      <param name="kicked-sound" value="conference/conf-kicked.wav"/>
+      <param name="locked-sound" value="conference/conf-locked.wav"/>
+      <param name="is-locked-sound" value="conference/conf-is-locked.wav"/>
+      <param name="is-unlocked-sound" value="conference/conf-is-unlocked.wav"/>
+      <param name="pin-sound" value="conference/conf-pin.wav"/>
+      <param name="bad-pin-sound" value="conference/conf-bad-pin.wav"/>
+      <param name="caller-id-name" value="$${outbound_caller_name}"/>
+      <param name="caller-id-number" value="$${outbound_caller_id}"/>
+      <param name="comfort-noise" value="true"/>
+
+      <!-- <param name="conference-flags" value="video-floor-only|rfc-4579|livearray-sync|auto-3d-position|transcode-video|minimize-video-encoding"/> -->
+
+      <!-- <param name="video-mode" value="mux"/> -->
+      <!-- <param name="video-layout-name" value="3x3"/> -->
+      <!-- <param name="video-layout-name" value="group:grid"/> -->
+      <!-- <param name="video-canvas-size" value="1280x720"/> -->
+      <!-- <param name="video-canvas-bgcolor" value="#333333"/> -->
+      <!-- <param name="video-layout-bgcolor" value="#000000"/> -->
+      <!-- <param name="video-codec-bandwidth" value="2mb"/> -->
+      <!-- <param name="video-fps" value="15"/> -->
+      <!-- <param name="video-auto-floor-msec" value="100"/> -->
+
+
+      <!-- <param name="tts-engine" value="flite"/> -->
+      <!-- <param name="tts-voice" value="kal16"/> -->
+    </profile>
+
+    <profile name="cdquality">
+      <param name="domain" value="$${domain}"/>
+      <param name="rate" value="48000"/>
+      <param name="interval" value="20"/>
+      <param name="energy-level" value="100"/>
+      <!-- <param name="sound-prefix" value="$${sounds_dir}/en/us/callie"/> -->
+      
+      {{if not (isTrue .Env.DISABLE_SOUND_MUTED) }}
+        <param name="muted-sound" value="conference/conf-muted.wav"/>
+        <param name="unmuted-sound" value="conference/conf-unmuted.wav"/>
+      {{end}}
+      {{if not (isTrue .Env.DISABLE_SOUND_ALONE) }}
+        <param name="alone-sound" value="conference/conf-alone.wav"/>
+      {{end}}
+<!--
+      <param name="moh-sound" value="$${hold_music}"/>
+      <param name="enter-sound" value="tone_stream://%(200,0,500,600,700)"/>
+      <param name="exit-sound" value="tone_stream://%(500,0,300,200,100,50,25)"/>
+      <param name="kicked-sound" value="conference/conf-kicked.wav"/>
+-->
+      <param name="locked-sound" value="conference/conf-locked.wav"/>
+      <param name="is-locked-sound" value="conference/conf-is-locked.wav"/>
+      <param name="is-unlocked-sound" value="conference/conf-is-unlocked.wav"/>
+      <param name="pin-sound" value="conference/conf-pin.wav"/>
+      <param name="bad-pin-sound" value="conference/conf-bad-pin.wav"/>
+      <param name="caller-id-name" value="$${outbound_caller_name}"/>
+      <param name="caller-id-number" value="$${outbound_caller_id}"/>
+      <!-- param name="comfort-noise" value="true"/ -->
+      <param name="comfort-noise" value="1400"/>
+
+      <!-- <param name="conference-flags" value="video-floor-only|rfc-4579|livearray-sync|auto-3d-position|minimize-video-encoding"/> -->
+
+      <!-- <param name="video-mode" value="mux"/> -->
+      <!-- <param name="video-layout-name" value="3x3"/> -->
+      <!-- <param name="video-layout-name" value="group:grid"/> -->
+      <!-- <param name="video-canvas-size" value="1920x1080"/> -->
+      <!-- <param name="video-canvas-bgcolor" value="#333333"/> -->
+      <!-- <param name="video-layout-bgcolor" value="#000000"/> -->
+      <!-- <param name="video-codec-bandwidth" value="2mb"/> -->
+      <!-- <param name="video-fps" value="15"/> -->
+
+    </profile>
+
+    <profile name="video-mcu-stereo">
+      <param name="domain" value="$${domain}"/>
+      <param name="rate" value="48000"/>
+      <param name="channels" value="2"/>
+      <param name="interval" value="20"/>
+      <param name="energy-level" value="100"/>
+      <!-- <param name="tts-engine" value="flite"/> -->
+      <!-- <param name="tts-voice" value="kal16"/> -->
+      <param name="muted-sound" value="conference/conf-muted.wav"/>
+      <param name="unmuted-sound" value="conference/conf-unmuted.wav"/>
+      <param name="alone-sound" value="conference/conf-alone.wav"/>
+      <param name="moh-sound" value="local_stream://stereo"/>
+      <param name="enter-sound" value="tone_stream://%(200,0,500,600,700)"/>
+      <param name="exit-sound" value="tone_stream://%(500,0,300,200,100,50,25)"/>
+      <param name="kicked-sound" value="conference/conf-kicked.wav"/>
+      <param name="locked-sound" value="conference/conf-locked.wav"/>
+      <param name="is-locked-sound" value="conference/conf-is-locked.wav"/>
+      <param name="is-unlocked-sound" value="conference/conf-is-unlocked.wav"/>
+      <param name="pin-sound" value="conference/conf-pin.wav"/>
+      <param name="bad-pin-sound" value="conference/conf-bad-pin.wav"/>
+      <param name="caller-id-name" value="$${outbound_caller_name}"/>
+      <param name="caller-id-number" value="$${outbound_caller_id}"/>
+      <param name="comfort-noise" value="false"/>
+      <param name="conference-flags" value="video-floor-only|rfc-4579|livearray-sync|minimize-video-encoding"/>
+      <param name="video-mode" value="mux"/>
+      <param name="video-layout-name" value="3x3"/>
+      <param name="video-layout-name" value="group:grid"/>
+      <param name="video-canvas-size" value="1920x1080"/>
+      <param name="video-canvas-bgcolor" value="#333333"/>
+      <param name="video-layout-bgcolor" value="#000000"/>
+      <param name="video-codec-bandwidth" value="1mb"/>
+      <param name="video-fps" value="15"/>
+    </profile>
+
+
+    <profile name="sla">
+      <param name="domain" value="$${domain}"/>
+      <param name="rate" value="16000"/>
+      <param name="interval" value="20"/>
+      <param name="caller-controls" value="none"/>
+      <param name="energy-level" value="200"/>
+      <param name="moh-sound" value="silence"/>
+      <param name="comfort-noise" value="true"/>
+    </profile>
+  </profiles>
+</configuration>
+
diff --git a/mod/freeswitch/conf/autoload_configs/modules.conf.xml b/mod/freeswitch/conf/autoload_configs/modules.conf.xml
new file mode 100644
index 0000000..d99e78a
--- /dev/null
+++ b/mod/freeswitch/conf/autoload_configs/modules.conf.xml
@@ -0,0 +1,144 @@
+<configuration name="modules.conf" description="Modules">
+  <modules>
+    <!-- Loggers (I'd load these first) -->
+    <load module="mod_console"/>
+    <!-- <load module="mod_graylog2"/> -->
+    <!-- <load module="mod_logfile"/> -->
+    <!-- <load module="mod_syslog"/> -->
+
+    <!--<load module="mod_yaml"/>-->
+
+    <!-- Multi-Faceted -->
+    <!-- mod_enum is a dialplan interface, an application interface and an api command interface -->
+    <load module="mod_enum"/>
+
+    <!-- XML Interfaces -->
+    <!-- <load module="mod_xml_rpc"/> -->
+    <!-- <load module="mod_xml_curl"/> -->
+    <!-- <load module="mod_xml_cdr"/> -->
+    <!-- <load module="mod_xml_radius"/> -->
+    <!-- <load module="mod_xml_scgi"/> -->
+
+    <!-- Event Handlers -->
+    <!-- <load module="mod_amqp"/> -->
+    <!-- <load module="mod_cdr_csv"/> -->
+    <!-- <load module="mod_cdr_sqlite"/> -->
+    <!-- <load module="mod_event_multicast"/> -->
+    <load module="mod_event_socket"/>
+    <!-- <load module="mod_event_zmq"/> -->
+    <!-- <load module="mod_zeroconf"/> -->
+    <!-- <load module="mod_erlang_event"/> -->
+    <!-- <load module="mod_smpp"/> -->
+    <!-- <load module="mod_snmp"/> -->
+
+    <!-- Directory Interfaces -->
+    <!-- <load module="mod_ldap"/> -->
+
+    <!-- Endpoints -->
+    <!-- <load module="mod_dingaling"/> -->
+    <!-- <load module="mod_portaudio"/> -->
+    <!-- <load module="mod_alsa"/> -->
+    <load module="mod_sofia"/>
+    <load module="mod_loopback"/>
+    <!-- <load module="mod_woomera"/> -->
+    <!-- <load module="mod_freetdm"/> -->
+    <!-- <load module="mod_unicall"/> -->
+    <!-- <load module="mod_skinny"/> -->
+    <!-- <load module="mod_khomp"/>   -->
+    <load module="mod_rtc"/>
+    <!-- <load module="mod_rtmp"/>   -->
+    <load module="mod_verto"/>
+
+    <!-- Applications -->
+    <load module="mod_commands"/>
+    <load module="mod_conference"/>
+    <!-- <load module="mod_curl"/> -->
+    <load module="mod_db"/>
+    <load module="mod_dptools"/>
+    <load module="mod_expr"/>
+    <load module="mod_fifo"/>
+    <load module="mod_hash"/>
+    <!--<load module="mod_mongo"/> -->
+    <!--load module="mod_voicemail"/>-->
+    <!--<load module="mod_directory"/>-->
+    <!--<load module="mod_distributor"/>-->
+    <!--<load module="mod_lcr"/>-->
+    <!--<load module="mod_easyroute"/>-->
+    <load module="mod_esf"/>
+    <load module="mod_fsv"/>
+    <!--<load module="mod_cluechoo"/>-->
+    <!--load module="mod_valet_parking"/>-->
+    <!--<load module="mod_fsk"/>-->
+    <!--<load module="mod_spy"/>-->
+    <!--<load module="mod_sms"/>-->
+    <!--<load module="mod_smpp"/>-->
+    <!--<load module="mod_random"/>-->
+    <load module="mod_httapi"/>
+    <!--<load module="mod_translate"/>-->
+
+    <!-- SNOM Module -->
+    <!--<load module="mod_snom"/>-->
+
+    <!-- This one only works on Linux for now -->
+    <!--<load module="mod_ladspa"/>-->
+
+    <!-- Dialplan Interfaces -->
+    <!-- <load module="mod_dialplan_directory"/> -->
+    <load module="mod_dialplan_xml"/>
+    <load module="mod_dialplan_asterisk"/>
+
+    <!-- Codec Interfaces -->
+    <load module="mod_spandsp"/>
+    <load module="mod_g723_1"/>
+    <load module="mod_g729"/>
+    <load module="mod_amr"/>
+    <!--<load module="mod_ilbc"/>-->
+    <!--<load module="mod_h26x"/>-->
+    <load module="mod_b64"/>
+    <!--<load module="mod_siren"/>-->
+    <!--<load module="mod_isac"/>-->
+    <load module="mod_opus"/>
+    <load module="mod_opusfile"/>
+
+    <!-- File Format Interfaces -->
+    <load module="mod_sndfile"/>
+    <load module="mod_native_file"/>
+    <load module="mod_png"/>
+    <!-- <load module="mod_shell_stream"/> -->
+    <!--For icecast/mp3 streams/files-->
+    <!--<load module="mod_shout"/>-->
+    <!--For local streams (play all the files in a directory)-->
+    <load module="mod_local_stream"/>
+    <load module="mod_tone_stream"/>
+
+    <!-- Timers -->
+    <!-- <load module="mod_timerfd"/> -->
+    <!-- <load module="mod_posix_timer"/> -->
+
+    <!-- Languages -->
+    <!-- <load module="mod_v8"/> -->
+    <!-- <load module="mod_perl"/> -->
+    <!-- <load module="mod_python"/> -->
+    <!-- <load module="mod_java"/> -->
+    <load module="mod_lua"/>
+
+    <!-- ASR /TTS -->
+    <!-- <load module="mod_flite"/> -->
+    <!-- <load module="mod_pocketsphinx"/> -->
+    <!-- <load module="mod_cepstral"/> -->
+    <!-- <load module="mod_tts_commandline"/> -->
+    <!-- <load module="mod_rss"/> -->
+
+    <!-- Say -->
+    <load module="mod_say_en"/>
+    <!-- <load module="mod_say_ru"/> -->
+    <!-- <load module="mod_say_zh"/> -->
+    <!-- <load module="mod_say_sv"/> -->
+
+    <!-- Third party modules -->
+    <!--<load module="mod_nibblebill"/>-->
+    <!--<load module="mod_callcenter"/>-->
+    <!--<load module="mod_av"/-->
+
+  </modules>
+</configuration>
diff --git a/mod/freeswitch/conf/sip_profiles/external-ipv6.xml b/mod/freeswitch/conf/sip_profiles/external-ipv6.xml
index a01b6cd..f1421ce 100644
--- a/mod/freeswitch/conf/sip_profiles/external-ipv6.xml
+++ b/mod/freeswitch/conf/sip_profiles/external-ipv6.xml
@@ -1,4 +1,113 @@
-<!-- 
-  IPv6 is disabled for now since there a some more configurations needed
-  to make it work beautifully
- -->
\ No newline at end of file
+<profile name="external-ipv6">
+  <!-- http://wiki.freeswitch.org/wiki/Sofia_Configuration_Files -->
+  <!-- This profile is only for outbound registrations to providers -->
+  <gateways>
+    <X-PRE-PROCESS cmd="include" data="external-ipv6/*.xml"/>
+  </gateways>
+
+  <aliases>
+    <!--
+        <alias name="outbound"/>
+        <alias name="nat"/>
+    -->
+  </aliases>
+
+  <domains>
+    <!--<domain name="all" alias="false" parse="true"/>-->
+  </domains>
+
+  <settings>
+    <param name="debug" value="0"/>
+    <!-- If you want FreeSWITCH to shutdown if this profile fails to load, uncomment the next line. -->
+    <!-- <param name="shutdown-on-fail" value="true"/> -->
+    <param name="sip-trace" value="no"/>
+    <param name="sip-capture" value="no"/>
+    <param name="rfc2833-pt" value="101"/>
+    <!-- RFC 5626 : Send reg-id and sip.instance -->
+    <!--<param name="enable-rfc-5626" value="true"/> -->
+    <param name="sip-port" value="$${external_sip_port}"/>
+    <param name="dialplan" value="XML"/>
+    <param name="context" value="public"/>
+    <param name="dtmf-duration" value="2000"/>
+    <param name="inbound-codec-prefs" value="$${global_codec_prefs}"/>
+    <param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/>
+    <param name="hold-music" value="$${hold_music}"/>
+    <param name="rtp-timer-name" value="soft"/>
+    <!--<param name="enable-100rel" value="true"/>-->
+    <!--<param name="disable-srv503" value="true"/>-->
+    <!-- This could be set to "passive" -->
+    <param name="local-network-acl" value="localnet.auto"/>
+    <param name="manage-presence" value="false"/>
+
+    <!-- Added for Microsoft Edge support 
+    <param name="apply-candidate-acl" value="wan_v6.auto"/>
+    <param name="apply-candidate-acl" value="rfc1918.auto"/>
+    <param name="apply-candidate-acl" value="any_v6.auto"/>
+    <param name="apply-candidate-acl" value="wan_v4.auto"/>
+    <param name="apply-candidate-acl" value="any_v4.auto"/>
+    -->
+    <param name="apply-candidate-acl" value="deny_private_v6"/>
+
+    <!-- used to share presence info across sofia profiles
+         manage-presence needs to be set to passive on this profile
+         if you want it to behave as if it were the internal profile
+         for presence.
+    -->
+    <!-- Name of the db to use for this profile -->
+    <!--<param name="dbname" value="share_presence"/>-->
+    <!--<param name="presence-hosts" value="$${domain}"/>-->
+    <!--<param name="force-register-domain" value="$${domain}"/>-->
+    <!--all inbound reg will stored in the db using this domain -->
+    <!--<param name="force-register-db-domain" value="$${domain}"/>-->
+    <!-- ************************************************* -->
+
+    <!--<param name="aggressive-nat-detection" value="true"/>-->
+    <param name="inbound-codec-negotiation" value="generous"/>
+    <param name="nonce-ttl" value="60"/>
+    <param name="auth-calls" value="false"/>
+    <param name="inbound-late-negotiation" value="true"/>
+    <param name="inbound-zrtp-passthru" value="true"/> <!-- (also enables late negotiation) -->
+    <!--
+        DO NOT USE HOSTNAMES, ONLY IP ADDRESSES IN THESE SETTINGS!
+    -->
+    <param name="rtp-ip" value="$${external_ip_v6}"/>
+    <param name="sip-ip" value="$${local_ip_v6}"/>
+    <!-- Shouldn't set these on IPv6 -->
+    <!--<param name="ext-rtp-ip" value="auto-nat"/>-->
+    <!--<param name="ext-sip-ip" value="auto-nat"/>-->
+    <param name="rtp-timeout-sec" value="300"/>
+    <param name="rtp-hold-timeout-sec" value="1800"/>
+    <!--<param name="enable-3pcc" value="true"/>-->
+
+    <!-- TLS: disabled by default, set to "true" to enable -->
+    <param name="tls" value="$${external_ssl_enable}"/>
+    <!-- Set to true to not bind on the normal sip-port but only on the TLS port -->
+    <param name="tls-only" value="false"/>
+    <!-- additional bind parameters for TLS -->
+    <param name="tls-bind-params" value="transport=tls"/>
+    <!-- Port to listen on for TLS requests. (5081 will be used if unspecified) -->
+    <param name="tls-sip-port" value="$${external_tls_port}"/>
+    <!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
+    <!--<param name="tls-cert-dir" value=""/>-->
+    <!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->
+    <param name="tls-passphrase" value=""/>
+    <!-- Verify the date on TLS certificates -->
+    <param name="tls-verify-date" value="true"/>
+    <!-- TLS verify policy, when registering/inviting gateways with other servers (outbound) or handling inbound registration/invite requests how should we verify their certificate -->
+    <!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections, also 'subjects_in', 'subjects_out' and 'subjects_all' for subject validation. Multiple policies can be split with a '|' pipe -->
+    <param name="tls-verify-policy" value="none"/>
+    <!-- Certificate max verify depth to use for validating peer TLS certificates when the verify policy is not none -->
+    <param name="tls-verify-depth" value="2"/>
+    <!-- If the tls-verify-policy is set to subjects_all or subjects_in this sets which subjects are allowed, multiple subjects can be split with a '|' pipe -->
+    <param name="tls-verify-in-subjects" value=""/>
+    <!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->
+    <param name="tls-version" value="$${sip_tls_version}"/>
+    <param name="ws-binding" value=":5066"/>
+    <param name="wss-binding" value=":7443"/>
+    <param name="rtcp-audio-interval-msec" value="5000"/>
+    <param name="rtcp-video-interval-msec" value="5000"/>
+    <param name="dtmf-type" value="info"/>
+    <param name="liberal-dtmf" value="true"/>
+  </settings>
+</profile>
+
diff --git a/mod/freeswitch/conf/vars.xml.tmpl b/mod/freeswitch/conf/vars.xml.tmpl
index 04ef431..e8a070f 100644
--- a/mod/freeswitch/conf/vars.xml.tmpl
+++ b/mod/freeswitch/conf/vars.xml.tmpl
@@ -60,7 +60,8 @@
   -->
   <X-PRE-PROCESS cmd="set" data="local_ip_v4=10.7.7.1"/>
   <X-PRE-PROCESS cmd="set" data="local_ip_v6=::1"/>
-  <X-PRE-PROCESS cmd="set" data="external_ip_v4={{ .Env.EXTERNAL_IP }}"/>
+  <X-PRE-PROCESS cmd="set" data="external_ip_v4={{ .Env.EXTERNAL_IPv4 }}"/>
+  <X-PRE-PROCESS cmd="set" data="external_ip_v6={{ .Env.EXTERNAL_IPv6 }}"/>
   <X-PRE-PROCESS cmd="set" data="domain={{ .Env.DOMAIN }}"/>
   <X-PRE-PROCESS cmd="set" data="domain_name=$${domain}"/>
   <X-PRE-PROCESS cmd="set" data="hold_music=local_stream://moh"/>
@@ -300,7 +301,7 @@
        If unspecified, the bind_server_ip value is used.
        Used by: sofia.conf.xml dingaling.conf.xml
   -->
-  <X-PRE-PROCESS cmd="set" data="external_rtp_ip={{ .Env.EXTERNAL_IP }}"/>
+  <X-PRE-PROCESS cmd="set" data="external_rtp_ip={{ .Env.EXTERNAL_IPv4 }}"/>
 
   <!-- external_sip_ip
       Used as the public IP address for SDP.
@@ -313,7 +314,7 @@
        If unspecified, the bind_server_ip value is used.
        Used by: sofia.conf.xml dingaling.conf.xml
   -->
-  <X-PRE-PROCESS cmd="set" data="external_sip_ip={{ .Env.EXTERNAL_IP }}"/>
+  <X-PRE-PROCESS cmd="set" data="external_sip_ip={{ .Env.EXTERNAL_IPv4 }}"/>
 
   <!-- unroll-loops
        Used to turn on sip loopback unrolling.
diff --git a/mod/freeswitch/entrypoint.sh b/mod/freeswitch/entrypoint.sh
index 05dcec4..d252b27 100755
--- a/mod/freeswitch/entrypoint.sh
+++ b/mod/freeswitch/entrypoint.sh
@@ -1,5 +1,21 @@
 #!/bin/bash
 
+# remove all SIP (port 5060) iptable rules
+iptables -S INPUT | grep "\-\-dport 5060 " | cut -d " " -f 2- | xargs -rL1 iptables -D
+
+# block requests to 5060 (tcp/udp)
+iptables -A INPUT -p tcp --dport 5060 -s 0.0.0.0/0 -j REJECT
+iptables -A INPUT -p udp --dport 5060 -s 0.0.0.0/0 -j REJECT
+
+# allow some IPs 
+IFS=',' read -ra ADDR <<< "$SIP_IP_ALLOWLIST"
+for IP in "${ADDR[@]}"; do
+    # process "$i"
+    echo "allow port 5060/udp for $IP"
+    iptables -I INPUT  -p udp --dport 5060 -s $IP -j ACCEPT
+done
+
 dockerize \
     -template /etc/freeswitch/vars.xml.tmpl:/etc/freeswitch/vars.xml \
+    -template /etc/freeswitch/autoload_configs/conference.conf.xml.tmpl:/etc/freeswitch/autoload_configs/conference.conf.xml \
     /usr/bin/freeswitch -u freeswitch -g daemon -nonat -nf
diff --git a/mod/html5/Dockerfile b/mod/html5/Dockerfile
index 3276c5c..96d1e7b 100644
--- a/mod/html5/Dockerfile
+++ b/mod/html5/Dockerfile
@@ -14,7 +14,7 @@ USER meteor
 ENV METEOR_VERSION 1.8.1
 RUN curl -sL https://install.meteor.com?release=$METEOR_VERSION | sed s/--progress-bar/-sL/g | /bin/sh
 
-ENV TAG v2.2.16
+ENV TAG v2.2.22
 RUN cd ~ \
     && svn checkout https://github.com/bigbluebutton/bigbluebutton/tags/$TAG/bigbluebutton-html5 \
     && mv ~/bigbluebutton-html5 ~/source \
@@ -51,4 +51,4 @@ USER meteor
 ENTRYPOINT ["/entrypoint.sh"]
 
 # lets set the tag again, so that it is include in the image for later version retrieval
-ENV TAG v2.2.14
+ENV TAG v2.2.22
diff --git a/mod/html5/entrypoint.sh b/mod/html5/entrypoint.sh
index 08be159..4bbb8d7 100755
--- a/mod/html5/entrypoint.sh
+++ b/mod/html5/entrypoint.sh
@@ -8,6 +8,11 @@ export ENVIRONMENT_TYPE=production
 export PORT=3000
 export LANG=en_US.UTF-8
 
+if [ "$DEV_MODE" == true ]; then
+    echo "DEV_MODE=true, disable TLS certificate rejecting"
+    export NODE_TLS_REJECT_UNAUTHORIZED=0
+fi
+
 rm -f /app/programs/server/assets/app/config/settings.yml
 dockerize \
     -template /app/programs/server/assets/app/config/settings.yml.tmpl:/app/programs/server/assets/app/config/settings.yml \
diff --git a/mod/html5/settings.yml b/mod/html5/settings.yml
index 0b20696..a6b8e77 100644
--- a/mod/html5/settings.yml
+++ b/mod/html5/settings.yml
@@ -4,14 +4,14 @@ public:
     desktopFontSize: 14px
     audioChatNotification: false
     autoJoin: true
-    listenOnlyMode: true
+    listenOnlyMode: {{ .Env.LISTEN_ONLY_MODE }}
     forceListenOnly: false
-    skipCheck: false
+    skipCheck: {{ .Env.DISABLE_ECHO_TEST }}
     clientTitle: {{ .Env.CLIENT_TITLE }}
     appName: BigBlueButton HTML5 Client
     bbbServerVersion: 2.2
-    copyright: "©2019 BigBlueButton Inc."
-    html5ClientBuild: 933
+    copyright: "©2020 BigBlueButton Inc."
+    html5ClientBuild: 992
     helpLink: https://bigbluebutton.org/html5/
     lockOnJoin: true
     cdn: ""
@@ -20,11 +20,15 @@ public:
     allowUserLookup: false
     enableNetworkInformation: false
     enableLimitOfViewersInWebcam: false
+    enableMultipleCameras: false
     enableTalkingIndicator: true
+    mirrorOwnWebcam: false
     viewersInWebcam: 8
     ipv4FallbackDomain: ""
     allowLogout: true
     allowFullscreen: true
+    remainingTimeThreshold: 30
+    remainingTimeAlertThreshold: 1
     defaultSettings:
       application:
         animations: true
@@ -83,6 +87,16 @@ public:
     packetLostThreshold: 10
   kurento:
     wsUrl: wss://{{ .Env.DOMAIN }}/bbb-webrtc-sfu
+    # Valid for video-provider. Time (ms) before its WS connection times out
+    # and tries to reconnect.
+    wsConnectionTimeout: 4000
+    cameraTimeouts:
+      # Base camera timeout: used as the camera *sharing* timeout and
+      # as the minimum camera subscribe reconnection timeout
+      baseTimeout: 15000
+      # Max timeout: used as the max camera subscribe reconnection timeout. Each
+      # subscribe reattempt increases the reconnection timer up to this
+      maxTimeout: 60000
     chromeDefaultExtensionKey: akgoaoikmbmhcopjgakkcepdgdgkjfbc
     chromeDefaultExtensionLink: https://chrome.google.com/webstore/detail/bigbluebutton-screenshare/akgoaoikmbmhcopjgakkcepdgdgkjfbc
     chromeExtensionKey: KEY
@@ -102,7 +116,49 @@ public:
         - window
         - screen
       firefoxScreenshareSource: window
+    # cameraProfiles is an array of:
+    # - id: profile identifier
+    #   name: human-readable profile name
+    #   bitrate
+    #   hidden: whether this profile will be hidden in the video preview dropdown
+    #   constraints: a video media constraints dictionary (without the video key)
     cameraProfiles:
+      - id: low-u30
+        name: low-u30
+        bitrate: 30
+        hidden: true
+        constraints:
+          frameRate: 3
+      - id: low-u25
+        name: low-u25
+        bitrate: 40
+        hidden: true
+        constraints:
+          frameRate: 3
+      - id: low-u20
+        name: low-u20
+        bitrate: 50
+        hidden: true
+        constraints:
+          frameRate: 5
+      - id: low-u15
+        name: low-u15
+        bitrate: 70
+        hidden: true
+        constraints:
+          frameRate: 8
+      - id: low-u12
+        name: low-u12
+        bitrate: 90
+        hidden: true
+        constraints:
+          frameRate: 10
+      - id: low-u8
+        name: low-u8
+        bitrate: 100
+        hidden: true
+        constraints:
+          frameRate: 10
       - id: low
         name: Low quality
         default: true
@@ -121,11 +177,29 @@ public:
         bitrate: 800
     enableScreensharing: true
     enableVideo: true
-    enableVideoStats: false
     enableVideoMenu: true
     enableListenOnly: true
-    autoShareWebcam: false
-    skipVideoPreview: false
+    autoShareWebcam: {{ .Env.AUTO_SHARE_WEBCAM }}
+    skipVideoPreview: {{ .Env.DISABLE_VIDEO_PREVIEW }}
+    # Entry `thresholds` is an array of:
+    # - threshold: minimum number of cameras being shared for profile to applied
+    #   profile: a camera profile id from the cameraProfiles configuration array
+    #            that will be applied to all cameras when threshold is hit
+    cameraQualityThresholds:
+      enabled: false
+      thresholds:
+        - threshold: 8
+          profile: low-u8
+        - threshold: 12
+          profile: low-u12
+        - threshold: 15
+          profile: low-u15
+        - threshold: 20
+          profile: low-u20
+        - threshold: 25
+          profile: low-u25
+        - threshold: 30
+          profile: low-u30
   pingPong:
     clearUsersInSeconds: 180
     pongTimeInSeconds: 15
@@ -146,8 +220,8 @@ public:
     lines: 2
     time: 5000
   chat:
-    enabled: true
-    startClosed: false
+    enabled: {{ .Env.CHAT_ENABLED }}
+    startClosed: {{ .Env.CHAT_START_CLOSED }}
     min_message_length: 1
     max_message_length: 5000
     grouping_messages_window: 10000
@@ -171,7 +245,7 @@ public:
     config:
       showLineNumbers: false
       showChat: false
-      noColors: false
+      noColors: true
       showControls: true
       rtl: false
   layout:
@@ -187,6 +261,7 @@ public:
     callHangupMaximumRetries: 10
     echoTestNumber: 'echo'
     relayOnlyOnReconnect: false
+    listenOnlyCallTimeout: 15000
   presentation:
     defaultPresentationFile: default.pdf
     panZoomThrottle: 32
diff --git a/mod/https/site-ipv4only.conf b/mod/https/site-ipv4only.conf
new file mode 100644
index 0000000..f5c21fb
--- /dev/null
+++ b/mod/https/site-ipv4only.conf
@@ -0,0 +1,28 @@
+map $http_upgrade $connection_upgrade {
+  default upgrade;
+  '' close;
+}
+
+server {
+  listen 443 ssl http2 default_server;
+
+  # we at still serve https via IPv6 for the 
+  # case that an AAAA record is set.
+  listen [::]:443 ssl http2 default_server;
+
+  server_name _;
+
+  include resty-server-https.conf;
+
+  location / {
+    proxy_http_version 1.1;
+    proxy_pass http://127.0.0.1:8080;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+    proxy_cache_bypass $http_upgrade;
+  }
+}
diff --git a/mod/https/site.conf b/mod/https/site.conf
new file mode 100644
index 0000000..a144563
--- /dev/null
+++ b/mod/https/site.conf
@@ -0,0 +1,28 @@
+map $http_upgrade $connection_upgrade {
+  default upgrade;
+  '' close;
+}
+map $remote_addr $endpoint_addr {
+    "~:"    [::1];
+    default    127.0.0.1;
+}
+
+server {
+  listen 443 ssl http2 default_server;
+  listen [::]:443 ssl http2 default_server;
+  server_name _;
+
+  include resty-server-https.conf;
+
+  location / {
+    proxy_http_version 1.1;
+    proxy_pass http://$endpoint_addr:8080;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+    proxy_cache_bypass $http_upgrade;
+  }
+}
diff --git a/mod/nginx/bbb/bbb-exporter.nginx b/mod/nginx/bbb/bbb-exporter.nginx
new file mode 100644
index 0000000..2a2be48
--- /dev/null
+++ b/mod/nginx/bbb/bbb-exporter.nginx
@@ -0,0 +1,4 @@
+location /bbb-exporter {
+        proxy_pass http://10.7.7.33:9688;
+        proxy_http_version 1.1;
+}
\ No newline at end of file
diff --git a/mod/nginx/bbb/client.nginx b/mod/nginx/bbb/client.nginx
new file mode 100644
index 0000000..2a4e787
--- /dev/null
+++ b/mod/nginx/bbb/client.nginx
@@ -0,0 +1,4 @@
+location = /client/guest-wait.html {
+    alias /etc/nginx/bbb/guest-wait.html;
+}
+
diff --git a/mod/nginx/bbb/guest-wait.html b/mod/nginx/bbb/guest-wait.html
new file mode 100644
index 0000000..c1c4b53
--- /dev/null
+++ b/mod/nginx/bbb/guest-wait.html
@@ -0,0 +1,81 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
+
+<head>
+  <title>Guest Lobby</title>
+  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
+  <style></style>
+  
+  <script type="text/javascript">
+    function updateMessage(message) {
+      document.querySelector('#content > p').innerHTML = message;
+    }
+
+    function findSessionToken() {
+      return location.search
+        .substr(1)
+        .split('&')
+        .find(function(item) {
+          return item.split('=')[0] === 'sessionToken'
+        });
+    };
+
+    function fetchGuestWait(sessionToken) {
+      const GUEST_WAIT_ENDPOINT = '/bigbluebutton/api/guestWait';
+      return window.fetch(GUEST_WAIT_ENDPOINT+'?'+sessionToken+'&redirect=false')
+        .then(res => res.json())
+    };
+
+    function pollGuestStatus(token, attempt, limit, everyMs) {
+      setTimeout(function() {
+        var REDIRECT_STATUSES = ['ALLOW', 'DENY'];
+
+
+        if (attempt >= limit) {
+          updateMessage('TIMEOUT_MESSAGE_HERE');
+          return;
+        }
+
+        fetchGuestWait(token).then(function(data) {
+          console.log("data=" + JSON.stringify(data));
+          var status = data.response.guestStatus;
+
+          if (REDIRECT_STATUSES.includes(status)) {
+            window.location = data.response.url;
+            return;
+          }
+
+          return pollGuestStatus(token, attempt + 1, limit, everyMs);
+        })
+      }, everyMs);
+    };
+
+    window.onload = function() {
+      try {
+        var ATTEMPT_EVERY_MS = 5000;
+        var ATTEMPT_LIMIT = 100;
+
+        var sessionToken = findSessionToken();
+
+        if(!sessionToken) {
+          updateMessage('NO_SESSION_TOKEN_MESSAGE');
+          return;
+        }
+
+        pollGuestStatus(sessionToken, 0, ATTEMPT_LIMIT, ATTEMPT_EVERY_MS);
+      } catch (e) {
+        console.error(e);
+        updateMessage('GENERIC_ERROR_MESSAGE');
+      }
+    };
+  </script>
+</head>
+
+<body>
+  <div id="banner"></div>
+  <div id="content">
+    <p>Please wait for a moderator to approve you joining the meeting.</p>
+  </div>
+</body>
+
+</html>
diff --git a/mod/nginx/bbb/notes.nginx b/mod/nginx/bbb/notes.nginx
index 6a1b0ce..ea8705d 100644
--- a/mod/nginx/bbb/notes.nginx
+++ b/mod/nginx/bbb/notes.nginx
@@ -1,15 +1,24 @@
 # https://github.com/ether/etherpad-lite/wiki/How-to-put-Etherpad-Lite-behind-a-reverse-Proxy
-location ~ "^\/pad\/p\/(\w+)$" {
-    rewrite                /pad/(.*) /$1 break;
-    rewrite                ^/pad$ /pad/ permanent;
+location /pad/p/ {
+    rewrite /pad/p/(.*) /p/$1 break;
+    rewrite ^/pad/p$ /pad/p/ permanent;
     proxy_pass             http://etherpad:9001;
     proxy_pass_header      Server;
     proxy_redirect         / /pad;
     proxy_set_header       Host $host;
     proxy_buffering off;
 
-    auth_request /bigbluebutton/connection/checkAuthorization;
-    auth_request_set $auth_status $upstream_status;
+    proxy_set_header X-Forwarded-Proto https; # for EP to set secure cookie flag when https is used
+    proxy_http_version 1.1;
+
+    # there is currently no viable source for building the
+    # bbb-etherpad including sesstiontokens which got introduced in v2.2.21
+    # https://github.com/bigbluebutton/bigbluebutton/issues/10159
+    #
+    # We disable the authentication for now.
+    
+    # auth_request /bigbluebutton/connection/checkAuthorization;
+    # auth_request_set $auth_status $upstream_status;
 }
 
 location /pad {
@@ -22,6 +31,13 @@ location /pad {
     proxy_buffering off;
 }
 
+location /pad/socket.io/socket.io.js {
+    rewrite /pad/socket.io/socket.io.js /socket.io/socket.io.js break;
+    proxy_pass http://etherpad:9001/;
+    proxy_set_header Host $host;
+    proxy_buffering off;
+}
+
 location /pad/socket.io {
     rewrite /pad/socket.io/(.*) /socket.io/$1 break;
     proxy_pass http://etherpad:9001/;
@@ -36,6 +52,9 @@ location /pad/socket.io {
     # WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "Upgrade";
+
+    # auth_request /bigbluebutton/connection/checkAuthorization;
+    # auth_request_set $auth_status $upstream_status;
 }
 
 location /static {
diff --git a/mod/nginx/bbb/sip.nginx b/mod/nginx/bbb/sip.nginx
index 8e5e962..ee4993e 100644
--- a/mod/nginx/bbb/sip.nginx
+++ b/mod/nginx/bbb/sip.nginx
@@ -1,5 +1,5 @@
 location /ws {
-        proxy_pass https://host.docker.internal:7443;
+        proxy_pass https://$freeswitch_addr:7443;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "Upgrade";
@@ -9,4 +9,7 @@ location /ws {
         proxy_send_timeout 6h;
         client_body_timeout 6h;
         send_timeout 6h;
+        
+        auth_request /bigbluebutton/connection/checkAuthorization;
+        auth_request_set $auth_status $upstream_status;
 }
\ No newline at end of file
diff --git a/mod/nginx/bbb/webhooks.nginx b/mod/nginx/bbb/webhooks.nginx
new file mode 100644
index 0000000..533fc84
--- /dev/null
+++ b/mod/nginx/bbb/webhooks.nginx
@@ -0,0 +1,9 @@
+# Pass to the webhooks app all requests made to the webhooks API.
+location /bigbluebutton/api/hooks {
+    proxy_pass         http://10.7.7.15:3005;
+    proxy_redirect     default;
+    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+    proxy_set_header   X-Real-IP         $remote_addr;
+    proxy_set_header   Host              $http_host;
+    proxy_set_header   X-NginX-Proxy     true;
+}
diff --git a/mod/nginx/bigbluebutton b/mod/nginx/bigbluebutton
index bda71f4..78f54c9 100644
--- a/mod/nginx/bigbluebutton
+++ b/mod/nginx/bigbluebutton
@@ -1,8 +1,15 @@
-server {
-  listen 80 default_server;
-  server_name _;
-  access_log  /var/log/nginx/bigbluebutton.access.log;
+map $remote_addr $freeswitch_addr {
+    "~:"    [::1];
+    default    10.7.7.1;
+}
 
+server {
+  listen 8080 default_server;
+  listen [::]:8080 default_server;
+  server_name _;
+  access_log /dev/stdout;
+  absolute_redirect off;
+  
   # redirect to greenlight
   location = / {
       return 302 /b;
diff --git a/mod/webhooks/Dockerfile b/mod/webhooks/Dockerfile
new file mode 100644
index 0000000..36b1019
--- /dev/null
+++ b/mod/webhooks/Dockerfile
@@ -0,0 +1,26 @@
+FROM node:12-alpine
+
+# download dockerize
+ENV DOCKERIZE_VERSION v0.6.1
+RUN wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
+    && tar -C /usr/local/bin -xzvf dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
+    && rm dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
+    && apk add subversion \
+    && mkdir /app \
+    && adduser -D -u 2002 -g webhooks webhooks \
+    && chown webhooks:webhooks /app
+
+USER webhooks
+
+
+ENV TAG v2.2.20
+RUN svn checkout https://github.com/bigbluebutton/bigbluebutton/tags/$TAG/bbb-webhooks /app \
+    && rm -rf /app/.svn \
+    && cd /app && npm install --production
+
+COPY entrypoint.sh /entrypoint.sh
+COPY config.yml /app/config/default.yml.tmpl
+
+ENTRYPOINT /entrypoint.sh
+
+
diff --git a/mod/webhooks/config.yml b/mod/webhooks/config.yml
new file mode 100644
index 0000000..9f6f632
--- /dev/null
+++ b/mod/webhooks/config.yml
@@ -0,0 +1,69 @@
+# Shared secret of your BigBlueButton server.
+bbb:
+  serverDomain: {{ .Env.DOMAIN }}
+  sharedSecret: {{ .Env.SHARED_SECRET }}
+  # Whether to use Auth2.0 or not, Auth2.0 sends the sharedSecret whithin an Authorization header as a bearer
+  auth2_0: true  
+  apiPath: /bigbluebutton/api
+
+# The port in which the API server will run.
+server:
+  port: 3005
+
+# Web hooks configs
+hooks:
+  channels:
+    - from-akka-apps-redis-channel
+    - from-bbb-web-redis-channel
+    - from-akka-apps-chat-redis-channel
+    - bigbluebutton:from-bbb-apps:meeting
+    - bigbluebutton:from-bbb-apps:users
+    - bigbluebutton:from-bbb-apps:chat
+    - bigbluebutton:from-rap
+  # IP where permanent hook will post data (more than 1 URL means more than 1 permanent hook)
+  permanentURLs: []
+  # How many messages will be enqueued to be processed at the same time
+  queueSize: 10000
+  # Allow permanent hooks to receive raw message, which is the message straight from BBB
+  getRaw: false
+  # If set to higher than 1, will send events on the format:
+  # "event=[{event1},{event2}],timestamp=000" or "[{event1},{event2}]" (based on using auth2_0 or not)
+  # when there are more than 1 event on the queue at the moment of processing the queue.
+  multiEvent: 1
+  # Retry intervals for failed attempts for perform callback calls.
+  # In ms. Totals to around 5min.
+  retryIntervals:
+    - 100
+    - 500
+    - 1000
+    - 2000
+    - 4000
+    - 8000
+    - 10000
+    - 30000
+    - 60000
+    - 60000
+    - 60000
+    - 60000
+  # Reset permanent interval when exceeding maximum attemps
+  permanentIntervalReset: 8
+  # Hook's request module timeout for socket conn establishment and/or responses (ms)
+  requestTimeout: 5000
+
+# Mappings of internal to external meeting IDs
+mappings:
+  cleanupInterval: 10000 # 10 secs, in ms
+  timeout: 86400000 # 24 hours, in ms
+
+# Redis
+redis:
+  host: redis
+  port: 6379
+  keys:
+    hookPrefix: bigbluebutton:webhooks:hook
+    hooks: bigbluebutton:webhooks:hooks
+    mappings: bigbluebutton:webhooks:mappings
+    mappingPrefix: bigbluebutton:webhooks:mapping
+    eventsPrefix: bigbluebutton:webhooks:events
+    userMaps: bigbluebutton:webhooks:userMaps
+    userMapPrefix: bigbluebutton:webhooks:userMap
\ No newline at end of file
diff --git a/mod/webhooks/entrypoint.sh b/mod/webhooks/entrypoint.sh
new file mode 100755
index 0000000..79131c2
--- /dev/null
+++ b/mod/webhooks/entrypoint.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+export NODE_ENV=production
+cd /app
+dockerize \
+    -wait tcp://redis:6379 \
+    -template /app/config/default.yml.tmpl:/app/config/default.yml \
+    node app.js
+
diff --git a/sample.env b/sample.env
index d4157b8..8782e2a 100644
--- a/sample.env
+++ b/sample.env
@@ -15,6 +15,14 @@ ENABLE_COTURN=true
 # https://docs.bigbluebutton.org/greenlight/gl-overview.html
 ENABLE_GREENLIGHT=true
 
+# Enable Webhooks
+# used by some integrations
+#ENABLE_WEBHOOKS=true
+
+# Prometheus Exporter
+# serves the bigbluebutton-exporter under following URL:
+# https://yourdomain/bbb-exporter
+#ENABLE_PROMETHEUS_EXPORTER=true
 
 # ====================================
 # SECRETS
@@ -32,9 +40,12 @@ RAILS_SECRET=cdfbae48b197805a435ab7881da31c642ac1a7d4d5c006441efa8125ae63865ce7c
 
 DOMAIN=bbb.example.com
 
-EXTERNAL_IP=144.76.97.10
+EXTERNAL_IPv4=144.76.97.10
+EXTERNAL_IPv6=
 
-# setting the network interface speeds up kurentos WebRTC connection time
+# setting the network interface speeds up kurentos WebRTC connection time,
+# but currently also disables IPv6 for Kurento
+# (https://github.com/Kurento/bugtracker/issues/500)
 #NETWORK_INTERFACE=ens3
 
 # STUN SERVER
@@ -47,6 +58,12 @@ STUN_PORT=3478
 #TURN_SERVER=turns:turn.example.com:443?transport=tcp
 #TURN_SECRET=
 
+# Allowed SIP IPs
+# due to high traffic caused by bots, by default the SIP port is blocked.
+# but you can allow access by your providers IP or IP ranges (comma seperated)
+# Hint: if you want to allow requests from every IP, you can use 0.0.0.0/0
+SIP_IP_ALLOWLIST=
+
 
 # ====================================
 # CUSTOMIZATION
@@ -54,15 +71,40 @@ STUN_PORT=3478
 
 CLIENT_TITLE=BigBlueButton
 
-WELCOME_FOOTER=This server is running <a href="http://docs.bigbluebutton.org/" target="_blank"><u>BigBlueButton</u></a>.
+# use following lines to replace the default welcome message and footer
+WELCOME_MESSAGE=Welcome to <b>%%CONFNAME%%</b>!<br><br>For help on using BigBlueButton see these (short) <a href="https://www.bigbluebutton.org/html5" target="_blank"><u>tutorial videos</u></a>.<br><br>To join the audio bridge click the phone button.  Use a headset to avoid causing background noise for others.
+WELCOME_FOOTER=This server is running <a href="https://docs.bigbluebutton.org/" target="_blank"><u>BigBlueButton</u></a>.
 
 # use following line for an additional SIP dial-in message
-#WELCOME_FOOTER=This server is running <a href="http://docs.bigbluebutton.org/" target="_blank"><u>BigBlueButton</u></a>. <br><br>To join this meeting by phone, dial:<br>  INSERT_YOUR_PHONE_NUMBER_HERE<br>Then enter %%CONFNUM%% as the conference PIN number.
+#WELCOME_FOOTER=This server is running <a href="https://docs.bigbluebutton.org/" target="_blank"><u>BigBlueButton</u></a>. <br><br>To join this meeting by phone, dial:<br>  INSERT_YOUR_PHONE_NUMBER_HERE<br>Then enter %%CONFNUM%% as the conference PIN number.
 
 # for a different default presentation, place the pdf file in ./conf/ and
 # adjust the following path
 DEFAULT_PRESENTATION=./mod/nginx/default.pdf
 
+# set to false to disable listenOnlyMode
+LISTEN_ONLY_MODE=true
+
+# set to true to disable echo test
+DISABLE_ECHO_TEST=false
+
+# set to true to automatically share webcam
+AUTO_SHARE_WEBCAM=false
+
+# set to true to disable video preview for webcam sharing
+DISABLE_VIDEO_PREVIEW=false
+
+# set to false to disable chat
+CHAT_ENABLED=true
+
+# set to true to start chat closed
+CHAT_START_CLOSED=false
+
+# set to true to disable announcements "You are now (un-)muted"
+DISABLE_SOUND_MUTED=false
+
+# set to true to disable announcement "You are the only person in this conference" 
+DISABLE_SOUND_ALONE=false
 
 # ====================================
 # GREENLIGHT CONFIGURATION
diff --git a/scripts/compose b/scripts/compose
index 357df59..7d9d785 100755
--- a/scripts/compose
+++ b/scripts/compose
@@ -6,8 +6,33 @@ cd $(dirname $0)/..
 # load .env
 if [ -f .env ]
 then
-  # exclude WELCOME_FOOTER because it may contain invalid characters
-  export $(cat .env | sed 's/#.*//g' | grep -v "WELCOME_FOOTER" | xargs)
+  # exclude WELCOME_MESSAGE && WELCOME_FOOTER because it may contain invalid characters
+  export $(cat .env | sed 's/#.*//g' | grep -v "WELCOME_FOOTER" | grep -v "WELCOME_MESSAGE" | xargs)
+fi
+
+# check for non-optional environment variables,
+# which got introduced later and may miss in existing
+# .env files during upgrades
+if [ -z "$EXTERNAL_IPv4" ]; then
+    echo "ERROR: EXTERNAL_IPv4 is not set in .env"
+    echo "BBB won't work without it."
+    echo "this can happen if you did an manual upgrade without executing"
+    echo "   ./scripts/upgrade"
+    echo "try to run it again"
+    exit 1
+fi
+
+# set conditional variables
+export CERTIFICATE_DOMAINS=$DOMAIN
+export GREENLIGHT_ENDPOINT=https://$DOMAIN/bigbluebutton/api/
+if [ "$DEV_MODE" == true ]; then
+    export CERTIFICATE_DOMAINS="invalid"
+    export GREENLIGHT_ENDPOINT=http://10.7.7.1:8080/bigbluebutton/api/
+fi
+if [ ! -z "$EXTERNAL_IPv6" ]; then
+    export HTTPS_SITE_FILE="site.conf"
+else
+    export HTTPS_SITE_FILE="site-ipv4only.conf"
 fi
 
 # concatenate docker-compose file
@@ -24,4 +49,12 @@ if [ "$ENABLE_GREENLIGHT" == true ]; then
     COMPOSE_FILES="$COMPOSE_FILES -f docker-compose.greenlight.yml"
 fi
 
+if [ "$ENABLE_WEBHOOKS" == true ]; then
+    COMPOSE_FILES="$COMPOSE_FILES -f docker-compose.webhooks.yml"
+fi
+
+if [ "$ENABLE_PROMETHEUS_EXPORTER" == true ]; then
+    COMPOSE_FILES="$COMPOSE_FILES -f docker-compose.prometheus.yml"
+fi
+
 docker-compose $COMPOSE_FILES $@
diff --git a/scripts/setup b/scripts/setup
index dca0fbf..d04e93c 100755
--- a/scripts/setup
+++ b/scripts/setup
@@ -19,7 +19,8 @@ then
 fi
 
 
-EXTERNAL_IP=$(curl -s http://whatismyip.akamai.com)
+EXTERNAL_IPv4=$(curl -4 -s https://icanhazip.com)
+EXTERNAL_IPv6=$(curl -6 -s https://icanhazip.com || true)
 
 greenlight=""
 while [[ ! $greenlight =~ ^(y|n)$ ]]; do
@@ -46,22 +47,39 @@ done
 
 ip_correct=""
 while [[ ! $ip_correct =~ ^(y|n)$ ]]; do
-    read -p "Is $EXTERNAL_IP your external IPv4 address? (y/n): " ip_correct
+    read -p "Is $EXTERNAL_IPv4 your external IPv4 address? (y/n): " ip_correct
 done
 
 if [ ! "$ip_correct" == "y" ]
 then
-    EXTERNAL_IP=""
-    while [[ ! $EXTERNAL_IP =~ ^[1-9][0-9]{0,2}\.[1-9][0-9]{0,2}\.[1-9][0-9]{0,2}\.[1-9][0-9]{0,2}$ ]]; do
-        read -p "Please enter correct IPv4 address: " EXTERNAL_IP
+    EXTERNAL_IPv4=""
+    while [[ ! $EXTERNAL_IPv4 =~ ^[1-9][0-9]{0,2}\.[0-9]{0,3}\.[0-9]{0,3}\.[1-9][0-9]{0,2}$ ]]; do
+        read -p "Please enter correct IPv4 address: " EXTERNAL_IPv4
     done
 fi
 
+if [ -n "$EXTERNAL_IPv6" ]
+then
+    ip_correct=""
+    while [[ ! $ip_correct =~ ^(y|n)$ ]]; do
+        read -p "Is $EXTERNAL_IPv6 your external IPv6 address? (y/n): " ip_correct
+    done
+
+    if [ ! "$ip_correct" == "y" ]
+    then
+        EXTERNAL_IPv6=""
+        while [[ ! $EXTERNAL_IPv6 =~ ^[0-9a-z:]{3,39}$ ]]; do
+            read -p "Please enter correct IPv6 address: " EXTERNAL_IPv6
+        done
+    fi
+fi
+
 
 
 # write settings
 cp sample.env .env
-sed -i "s/EXTERNAL_IP=.*/EXTERNAL_IP=$EXTERNAL_IP/" .env
+sed -i "s/EXTERNAL_IPv4=.*/EXTERNAL_IPv4=$EXTERNAL_IPv4/" .env
+sed -i "s/EXTERNAL_IPv6=.*/EXTERNAL_IPv6=$EXTERNAL_IPv6/" .env
 sed -i "s/DOMAIN=.*/DOMAIN=$DOMAIN/" .env
 
 if [ ! "$greenlight" == "y" ]
@@ -79,7 +97,7 @@ then
     sed -i "s/.*TURN_SERVER=.*/TURN_SERVER=turns:$DOMAIN:465?transport=tcp/" .env
     TURN_SECRET=$(head /dev/urandom | tr -dc A-Za-f0-9 | head -c 32)
     sed -i "s/.*TURN_SECRET=.*/TURN_SECRET=$TURN_SECRET/" .env
-    sed -i "s/.*STUN_IP=.*/STUN_IP=$EXTERNAL_IP/" .env
+    sed -i "s/.*STUN_IP=.*/STUN_IP=$EXTERNAL_IPv4/" .env
 else
     sed -i "s/ENABLE_COTURN.*/#ENABLE_COTURN=true/" .env
 fi
diff --git a/scripts/upgrade b/scripts/upgrade
index f654839..07bdb12 100755
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -13,6 +13,9 @@ then
     RESTARTED=1 ./scripts/upgrade
 
 else
+    # update changed environment variable
+    sed -i 's/EXTERNAL_IP=/EXTERNAL_IPv4=/' .env
+
     echo ""
     echo "# pull newest bbb-webrtc-sfu"
     git submodule update --remote 
@@ -25,12 +28,8 @@ else
     echo ""
     echo "# rebuild images"
 
-    # rebuild core without caching, since the deb-packages might have changed
-    ./scripts/compose build --pull --no-cache core
-
-    # rebuild everything else only when modified
-    ./scripts/compose build --pull
-
+    # rebuild everything which got modified
+    ./scripts/compose build --pull    
 
     COMMIT_HASH=$(git rev-parse --short HEAD)
     BRANCH_NAME=$(git rev-parse --abbrev-ref HEAD)