Merge pull request #352 from tibroc/update-bbb-build

update bbb-build container tag

.gitignore

@@ -14,4 +14,13 @@ docker-compose.override.yml
 
 # App generated
 .env
+.env.bak
 postgres-data
+greenlight-data
+
+.cache/*/**
+!.cache/*/.gitkeep
+data/*
+!data/.gitkeep
+
+conf/bbb-html5.yml

.gitmodules

@@ -1,18 +1,27 @@
-[submodule "bbb-webrtc-sfu"]
-	path = mod/webrtc-sfu/bbb-webrtc-sfu
-	url = https://github.com/bigbluebutton/bbb-webrtc-sfu.git
-[submodule "mod/etherpad/bbb-etherpad-skin"]
-	path = mod/etherpad/bbb-etherpad-skin
+[submodule "repos/bbb-etherpad-skin"]
+	path = repos/bbb-etherpad-skin
 	url = https://github.com/alangecker/bbb-etherpad-skin
-[submodule "mod/etherpad/bbb-etherpad-plugin"]
-	path = mod/etherpad/bbb-etherpad-plugin
+[submodule "repos/bbb-etherpad-plugin"]
+	path = repos/bbb-etherpad-plugin
 	url = https://github.com/alangecker/bbb-etherpad-plugin
-[submodule "mod/bbb-pads/bbb-pads"]
-	path = mod/bbb-pads/bbb-pads
-	url = https://github.com/bigbluebutton/bbb-pads
-[submodule "mod/webhooks/bbb-webhooks"]
-	path = mod/webhooks/bbb-webhooks
+[submodule "repos/bbb-webhooks"]
+	path = repos/bbb-webhooks
 	url = https://github.com/bigbluebutton/bbb-webhooks
-[submodule "mod/nginx/bbb-playback"]
-	path = mod/nginx/bbb-playback
+[submodule "repos/bbb-playback"]
+	path = repos/bbb-playback
 	url = https://github.com/bigbluebutton/bbb-playback
+[submodule "repos/freeswitch"]
+	path = repos/freeswitch
+	url = https://github.com/signalwire/freeswitch.git
+[submodule "repos/bigbluebutton"]
+	path = repos/bigbluebutton
+	url = https://github.com/bigbluebutton/bigbluebutton.git
+[submodule "repos/bbb-webrtc-sfu"]
+	path = repos/bbb-webrtc-sfu
+	url = https://github.com/bigbluebutton/bbb-webrtc-sfu.git
+[submodule "repos/bbb-pads"]
+	path = repos/bbb-pads
+	url = https://github.com/bigbluebutton/bbb-pads.git
+[submodule "repos/bbb-webrtc-recorder"]
+	path = repos/bbb-webrtc-recorder
+	url = https://github.com/bigbluebutton/bbb-webrtc-recorder.git

CHANGELOG.md

@@ -1,6 +1,45 @@
 # Changelog
 
 ## Unreleased
+
+## Release v3.0.4 (2025-03-27)
+- update to 3.0.4 @tibroc [#347](https://github.com/bigbluebutton/docker/pull/347
+- fix not accepting length of dial in / voiceBridge numbers @alangecker
+- upgrade: migrate postgres & greenlight data @alangecker
+
+## Release v3.0.1 (2025-03-11)
+**Breaking change!** make sure to read the [upgrading notes](https://github.com/bigbluebutton/docker/blob/develop/docs/upgrading.md)
+
+- :tada: **BigBlueButton 3.0** [#313](https://github.com/bigbluebutton/docker/pull/313)
+
+
+## Release v2.7.3 (2023-12-08)
+
+**Breaking change!** make sure to read the [upgrading notes](https://github.com/bigbluebutton/docker/blob/develop/docs/upgrading.md)
+
+- BigBlueButton 2.7.3 @alangecker [#304](https://github.com/bigbluebutton/docker/pull/304)
+- use local sources instead of pulling inside container @alangecker [#307](https://github.com/bigbluebutton/docker/pull/307)
+- BigBlueButton 2.7.0 @alangecker [#291](https://github.com/bigbluebutton/docker/pull/291)
+- Update to ComposeV2 @leonidas-o [#271](https://github.com/bigbluebutton/docker/pull/271)
+- recordings: fix for missing `SHARED_SECRET` @ichdasich [#274](https://github.com/bigbluebutton/docker/issues/274) [#268](https://github.com/bigbluebutton/docker/issues/268)
+- Add RESOLVER_ADDRESS to env for docker-nginx-auto-ssl @pkolmann [#277](https://github.com/bigbluebutton/docker/pull/277)
+- Fix learning-dashboard @yanus [#262](https://github.com/bigbluebutton/docker/pull/262)
+
+## Release v2.6.0-2 (2023-04-04)
+- hotfix for broken freeswitch container due to enabled compresion with max file count == 1 [#260](https://github.com/bigbluebutton/docker/issues/260)
+
+## Release v2.6.0 (2023-04-03)
+- **Breaking change:** Greenlight v3 (see [upgrade note](docs/upgrading.md) @alangecker [#255](https://github.com/bigbluebutton/docker/pull/255) 
+- BigBlueButton v2.6 @alangecker [#255](https://github.com/bigbluebutton/docker/pull/255) 
+- Set client_max_body_size for greenlight @nr23730 [#252](https://github.com/bigbluebutton/docker/pull/252)
+- self building freeswitch (applying patches and independent from external apt repos) @alangecker
+- reduce amount of logs with senstivie data @alangecker
+
+## Release v2.5.8 (2022-11-06)
+- BBB 2.5.8 @alangecker [#238](https://github.com/bigbluebutton/docker/pull/238)
+- recordings: fix for missing ffmpeg filter @alangecker [#235](https://github.com/bigbluebutton/docker/issues/235) [#230](https://github.com/bigbluebutton/docker/pull/230)
+
+## Release v2.5.0 (2022-06-10)
 - BigBlueButton v2.5 @alangecker [#207](https://github.com/bigbluebutton/docker/pull/207)
 - central `tags.env` file with the tag names of most BBB components @alangecker
 - Usage of [official docker build images](https://gitlab.senfcall.de/senfcall-public/docker-bbb-build) for building @alangecker

README.md

@@ -1,9 +1,9 @@
 <img width="1012" alt="bbb-docker-banner" src="https://user-images.githubusercontent.com/1273169/141153216-0386cd4e-0aaf-473a-8f42-a048e52ed0d7.png">
 
 
-# 📦 BigBlueButton 2.5 Docker
+# 📦 BigBlueButton 3.0 Docker
 
-Version: 2.5.2 | [Changelog](CHANGELOG.md) | [Issues](https://github.com/bigbluebutton/docker/issues)
+Version: 3.0.4 | [Changelog](CHANGELOG.md) | [Issues](https://github.com/bigbluebutton/docker/issues) | [Upgrading](docs/upgrading.md) | [Development](docs/development.md)
 
 ## Features
 - Easy installation
@@ -13,49 +13,70 @@ Version: 2.5.2 | [Changelog](CHANGELOG.md) | [Issues](https://github.com/bigblue
 - Full IPv6 support
 - Runs on any major linux distributon (Debian, Ubuntu, CentOS,...)
 
-## What is not implemented yet
-- bbb-lti
+## currently missing / broken
+- NAT support
+- bbb-transcription-controller
+- livekit
 
-## Install
-1. Install docker-ce & docker-compose
+## Requirements
+- 4GB of RAM
+- Linux (it will not work under Windows/WSL)
+- Root access (bbb-docker uses host networking, so it won't work with Kubernetes, any "CaaS"-Service, etc.)
+- Public IPv4 (expect issues with a firewall / NAT)
+- firewall allows internal networking (e.g. for ufw: `ufw allow 10.7.7.0/24`)
+- git installed
+
+## Install production server
+1. Ensure the requirements above are fulfilled (it really doesn't work without them)
+2. Install docker-ce & docker-compose-plugin
     1. follow instructions
         * Debian: https://docs.docker.com/engine/install/debian/
         * CentOS: https://docs.docker.com/engine/install/centos/
         * Fedora: https://docs.docker.com/engine/install/fedora/
         * Ubuntu: https://docs.docker.com/engine/install/ubuntu/
     2. Ensure docker works with `$ docker run hello-world`
-    3. Install docker-compose: https://docs.docker.com/compose/install/
-    4. Ensure docker-compose works and that you use a version ≥ 1.28 : `$ docker-compose --version`
-2. Clone this repository
+    3. Ensure you use a docker version ≥ 23.0 : `$ docker --version`
+3. Clone this repository
    ```sh
-   $ git clone --recurse-submodules https://github.com/bigbluebutton/docker.git bbb-docker
+   $ git clone https://github.com/bigbluebutton/docker.git bbb-docker
    $ cd bbb-docker
 
-   # use the more stable main branch (sometimes older)
+   # optional: use the more stable main branch (often much older)
    $ git checkout main 
    ```
-3. Run setup:
+4. Run setup:
    ```bash
    $ ./scripts/setup
    ```
-4. (optional) Make additional configuration adjustments
+5. (optional) Make additional configuration adjustments
    ```bash
    $ nano .env
    # always recreate the docker-compose.yml file after making any changes
    $ ./scripts/generate-compose
    ```
-5. Start containers:
+6. Start containers:
     ```bash
-    $ docker-compose up -d
+    $ docker compose up -d --no-build
     ```
-6. If you use greenlight, you can create an admin account with:
+7. If you use greenlight, you can create an admin account with:
     ```bash
-    $ docker-compose exec greenlight bundle exec rake admin:create
+    $ docker compose exec greenlight bundle exec rake admin:create
     ```
 
+## Development setup
+1. Clone this repository
+   ```sh
+   $  git clone --recurse-submodules https://github.com/bigbluebutton/docker.git bbb-dev
+   ```
+2. Start dev server
+   ```sh
+   $ cd bbb-dev
+   $ ./scripts/dev
+   ```
+3. Use API Mate with the link presented in the console to create & join a conference
+
+
 ## Further How-To's
-- [Upgrading](docs/upgrading.md)
-- [Running behind NAT](docs/behind-nat.md)
-- [BBB-Docker Development](docs/development.md)
+<!-- - [Running behind NAT](docs/behind-nat.md) -->
 - [Integration into an existing web server](docs/existing-web-server.md)
 

conf/dialplan_public/example.xml

@@ -1,17 +0,0 @@
-<!--
-<extension name="from_my_provider">
- <condition field="destination_number" expression="^EXTERNALDID">
-   <action application="answer"/>
-   <action application="sleep" data="500"/>
-   <action application="play_and_get_digits" data="5 5 3 7000 # conference/conf-pin.wav ivr/ivr-that_was_an_invalid_entry.wav pin \d+"/>
-   <action application="transfer" data="SEND_TO_CONFERENCE XML public"/>
- </condition>
-</extension>
-<extension name="check_if_conference_active">
- <condition field="${conference ${pin} list}" expression="/sofia/g" />
- <condition field="destination_number" expression="^SEND_TO_CONFERENCE$">
-   <action application="set" data="bbb_authorized=true"/>
-   <action application="transfer" data="${pin} XML default"/>
- </condition>
-</extension>
--->

dev.env

@@ -0,0 +1,170 @@
+# fixed environment for an working dev setup
+
+# enables
+# - html5: webpack dev server
+# - bbb-grahql-actions: watch & restart
+# - bbb-graphql-middleware: building on start
+DEV_MODE=true
+
+# accept self signed certificates 
+IGNORE_TLS_CERT_ERRORS=true
+
+# user and group used for 
+# this avoid any file permission issues with files 
+# created inside docker (e.g. node_modules)
+BBB_DEV_UID=1000
+BBB_DEV_GID=1000
+
+
+# ====================================
+# ADDITIONS to BigBlueButton
+# ====================================
+# (place a '#' before to disable them)
+
+# HTTPS Proxy
+# fully automated Lets Encrypt certificates
+ENABLE_HTTPS_PROXY=true
+# If your network doesn't allow access to DNS at 8.8.8.8 specify your own resolvers
+#RESOLVER_ADDRESS=x.x.x.x
+
+# Greenlight Frontend
+# https://docs.bigbluebutton.org/greenlight/gl-overview.html
+ENABLE_GREENLIGHT=true
+
+# Enable Webhooks
+# used by some integrations
+ENABLE_WEBHOOKS=true
+
+# Prometheus Exporter
+# serves the bigbluebutton-exporter under following URL:
+# https://yourdomain/bbb-exporter
+ENABLE_PROMETHEUS_EXPORTER=true
+#ENABLE_PROMETHEUS_EXPORTER_OPTIMIZATION=true
+
+# Recording
+# IMPORTANT: this is currently a big privacy issues, because it will
+# record everything which happens in the conference, even when the button
+# suggets, that it does not.
+# https://github.com/bigbluebutton/bigbluebutton/issues/9202
+# make sure that you get peoples consent, before they join a room
+ENABLE_RECORDING=true
+#REMOVE_OLD_RECORDING=false
+#RECORDING_MAX_AGE_DAYS=14
+
+# ====================================
+# SECRETS
+# ====================================
+# important! change these to any random values
+SHARED_SECRET=SuperSecret
+ETHERPAD_API_KEY=SuperEtherpadKey
+RAILS_SECRET=SuperRailsSecret_SuperRailsSecret
+POSTGRESQL_SECRET=SuperPostgresSecret
+FSESL_PASSWORD=SuperFreeswitchESLPassword
+#TURN_SECRET=
+
+
+# ====================================
+# CONNECTION
+# ====================================
+
+DOMAIN=10.7.7.1
+
+EXTERNAL_IPv4=10.7.7.1
+EXTERNAL_IPv6=
+
+# STUN SERVER
+# stun.freeswitch.org
+STUN_IP=147.182.188.245
+STUN_PORT=3478
+
+# Allowed SIP IPs
+# due to high traffic caused by bots, by default the SIP port is blocked.
+# but you can allow access by your providers IP or IP ranges (comma seperated)
+# Hint: if you want to allow requests from every IP, you can use 0.0.0.0/0
+SIP_IP_ALLOWLIST=0.0.0.0/0
+
+
+# ====================================
+# CUSTOMIZATION
+# ====================================
+
+# use following lines to replace the default welcome message and footer
+WELCOME_MESSAGE="Welcome to <b>%%CONFNAME%%</b>!<br><br>For help on using BigBlueButton see these (short) <a href='https://www.bigbluebutton.org/html5' target='_blank'><u>tutorial videos</u></a>.<br><br>To join the audio bridge click the speaker button.  Use a headset to avoid causing background noise for others."
+WELCOME_FOOTER="This server is running <a href='https://docs.bigbluebutton.org/'' target='_blank'><u>BigBlueButton</u></a>."
+
+# use following line for an additional SIP dial-in message
+#WELCOME_FOOTER="This server is running <a href='https://docs.bigbluebutton.org/' target='_blank'><u>BigBlueButton</u></a>. <br><br>To join this meeting by phone, dial:<br>  INSERT_YOUR_PHONE_NUMBER_HERE<br>Then enter %%CONFNUM%% as the conference PIN number."
+
+# for a different default presentation, place the pdf file in ./conf/ and
+# adjust the following path
+DEFAULT_PRESENTATION=./mod/nginx/default.pdf
+
+# language of sound announcements
+# options:
+# - en-ca-june - EN Canadian June
+# - en-us-allison - US English Allison
+# - en-us-callie - US English Callie (default)
+# - de-de-daedalus3 - German by Daedalus3 (https://github.com/Daedalus3/freeswitch-german-soundfiles)
+# - es-ar-mario - Spanish/Argentina Mario
+# - fr-ca-june - FR Canadian June
+# - pt-br-karina - Brazilian Portuguese Karina
+# - ru-RU-elena - RU Russian Elena
+# - ru-RU-kirill - RU Russian Kirill
+# - ru-RU-vika - RU Russian Viktoriya
+# - sv-se-jakob - Swedish (Sweden) Jakob
+# - zh-cn-sinmei - Chinese/China Sinmei
+# - zh-hk-sinmei - Chinese/Hong Kong Sinmei
+SOUNDS_LANGUAGE=en-us-callie
+
+# set to true to disable announcements "You are now (un-)muted"
+DISABLE_SOUND_MUTED=false
+
+# set to true to disable announcement "You are the only person in this conference"
+DISABLE_SOUND_ALONE=false
+
+# set to false to disable the learning dashboard
+ENABLE_LEARNING_DASHBOARD=true
+
+# ====================================
+# GREENLIGHT CONFIGURATION
+# ====================================
+
+### SMTP CONFIGURATION
+# Emails are required for the basic features of Greenlight to function.
+# Please refer to your SMTP provider to get the values for the variables below
+#SMTP_SENDER_EMAIL=
+#SMTP_SENDER_NAME=
+#SMTP_SERVER=
+#SMTP_PORT=
+#SMTP_DOMAIN=
+#SMTP_USERNAME=
+#SMTP_PASSWORD=
+#SMTP_AUTH=
+#SMTP_STARTTLS_AUTO=true
+#SMTP_STARTTLS=false
+#SMTP_TLS=false
+#SMTP_SSL_VERIFY=true
+
+### EXTERNAL AUTHENTICATION METHODS
+#
+#OPENID_CONNECT_CLIENT_ID=
+#OPENID_CONNECT_CLIENT_SECRET=
+#OPENID_CONNECT_ISSUER=
+#OPENID_CONNECT_REDIRECT=
+
+# To enable hCaptcha on the user sign up and sign in, define these 2 keys
+#HCAPTCHA_SITE_KEY=
+#HCAPTCHA_SECRET_KEY=
+
+# Set these if you are using a Simple Storage Service (S3)
+# Uncomment S3_ENDPOINT only if you are using a S3 OTHER than Amazon Web Service (AWS) S3.
+#S3_ACCESS_KEY_ID=
+#S3_SECRET_ACCESS_KEY=
+#S3_REGION=
+#S3_BUCKET=
+#S3_ENDPOINT=
+
+# Define the default locale language code (i.e. 'en' for English) from the fallowing list:
+#  [en, ar, fr, es]
+#DEFAULT_LOCALE=en
+

docker-compose.tmpl.yml

@@ -1,113 +1,76 @@
 {{/* if you read this, you can ignore the following lines */}}
-# auto generated by ./scripts/generate
+# auto generated by ./scripts/generate-compose
 # don't edit this directly.
 {{/* -------- */}}
 
-version: '3.6'
-
-# html5 templates
-x-html5-backend: &html5backend
-  build: 
-    context: mod/html5
-    args:
-      BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }}
-      TAG_HTML5: {{ .Env.TAG_HTML5 }}
-  image: alangecker/bbb-docker-html5:{{ .Env.TAG_HTML5 }}
-  restart: unless-stopped
-  depends_on:
-    - redis
-    - mongodb
-    - etherpad
-  environment: &html5backend-env
-    DOMAIN: ${DOMAIN}
-    CLIENT_TITLE: ${CLIENT_TITLE}
-    LISTEN_ONLY_MODE: ${LISTEN_ONLY_MODE:-true}
-    DISABLE_ECHO_TEST: ${DISABLE_ECHO_TEST:-false}
-    AUTO_SHARE_WEBCAM: ${AUTO_SHARE_WEBCAM:-false}
-    DISABLE_VIDEO_PREVIEW: ${DISABLE_VIDEO_PREVIEW:-false}
-    CHAT_ENABLED: ${CHAT_ENABLED:-true}
-    CHAT_START_CLOSED: ${CHAT_START_CLOSED:-false}
-    BREAKOUTROOM_LIMIT: ${BREAKOUTROOM_LIMIT:-8}
-    DEV_MODE: ${DEV_MODE:-}
-    BBB_HTML5_ROLE: backend
-
-x-html5-frontend: &html5frontend
-    <<: *html5backend
-    volumes:
-      - html5-static:/html5-static:rw
-    environment: &html5frontend-env
-      <<: *html5backend-env
-      BBB_HTML5_ROLE: frontend
-# =========================
+{{ $ignore_tls_cert_errors :=  or (isTrue .Env.DEV_MODE) (isTrue .Env.IGNORE_TLS_CERT_ERRORS)}}
 
 services:
+  {{ if isTrue .Env.DEV_MODE }}
+  html5-dev:
+    build: 
+      context: mod/html5-dev
+      args:
+        BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }}
+    user: ${BBB_DEV_UID}:${BBB_DEV_GID}
+    restart: unless-stopped
+    volumes:
+      - ./repos/bigbluebutton/bigbluebutton-html5:/app/:rw
+      - ./.cache/npm:/tmp/.npm:rw
+    network_mode: host
+  {{ end }}
+
   bbb-web:
     build: 
       context: mod/bbb-web
+      additional_contexts:
+        - src-web=./repos/bigbluebutton/bigbluebutton-web
+        - src-common-message=./repos/bigbluebutton/bbb-common-message
+        - src-common-web=./repos/bigbluebutton/bbb-common-web
       args:
         BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }}
-        TAG_COMMON_MESSAGE: {{ .Env.TAG_COMMON_MESSAGE }}
-        TAG_BBB_WEB: {{ .Env.TAG_BBB_WEB }}
-    image: alangecker/bbb-docker-web:{{ .Env.TAG_BBB_WEB }}
+    image: alangecker/bbb-docker-web:{{ .Env.TAG_BBB }}
     restart: unless-stopped
     depends_on:
         - redis
         - etherpad
+        - bbb-pads
+        - collabora
     healthcheck:
       test: wget --no-proxy --no-verbose --tries=1 --spider http://10.7.7.2:8090/bigbluebutton/api || exit 1
       start_period: 2m
     environment:
-      DEV_MODE: ${DEV_MODE:-}
+      IGNORE_TLS_CERT_ERRORS: {{ $ignore_tls_cert_errors }}
       DOMAIN: ${DOMAIN}
       ENABLE_RECORDING: ${ENABLE_RECORDING:-false}
       SHARED_SECRET: ${SHARED_SECRET}
       WELCOME_MESSAGE: ${WELCOME_MESSAGE:-}
       WELCOME_FOOTER: ${WELCOME_FOOTER}
       STUN_SERVER: stun:${STUN_IP}:${STUN_PORT}
-      TURN_SERVER: ${TURN_SERVER:-}
+      ENABLE_HTTPS_PROXY: ${ENABLE_HTTPS_PROXY:-false}
       TURN_SECRET: ${TURN_SECRET:-}
+      TURN_EXT_SERVER: ${TURN_EXT_SERVER:-}
+      TURN_EXT_SECRET: ${TURN_EXT_SECRET:-}
       ENABLE_LEARNING_DASHBOARD: ${ENABLE_LEARNING_DASHBOARD:-true}
-      NUMBER_OF_BACKEND_NODEJS_PROCESSES: {{ .Env.NUMBER_OF_BACKEND_NODEJS_PROCESSES }}
     volumes:
-      - bigbluebutton:/var/bigbluebutton
-      - vol-freeswitch:/var/freeswitch/meetings
+      - ./data/bigbluebutton:/var/bigbluebutton
+      - ./data/freeswitch-meetings:/var/freeswitch/meetings
     networks:
       bbb-net:
         ipv4_address: 10.7.7.2
 
 
-{{ range $i := loop 0 (atoi .Env.NUMBER_OF_BACKEND_NODEJS_PROCESSES) }}
-  html5-backend-{{ add $i 1 }}:
-    <<: *html5backend
-    environment:
-      <<: *html5backend-env
-      INSTANCE_ID: {{ add $i 1 }}
-      PORT: {{ add 4000 $i }}
-    networks:
-      bbb-net:
-        ipv4_address: 10.7.7.{{ add 100 $i }}
-{{end}}
-
-{{ range $i := loop 0 (atoi .Env.NUMBER_OF_FRONTEND_NODEJS_PROCESSES) }}
-  html5-frontend-{{ add $i 1 }}:
-    <<: *html5frontend
-    environment:
-      <<: *html5frontend-env
-      INSTANCE_ID: {{ add $i 1 }}
-      PORT: {{ add 4100 $i }}
-    networks:
-      bbb-net:
-        ipv4_address: 10.7.7.{{ add 200 $i }}
-{{end}}
-
-
   freeswitch:
     container_name: bbb-freeswitch
     build: 
       context: mod/freeswitch
+      additional_contexts:
+        - freeswitch=./repos/freeswitch/
+        - build-files=./repos/bigbluebutton/build/packages-template/bbb-freeswitch-core/
+        - fs-config=./repos/bigbluebutton/bbb-voice-conference/config/freeswitch/conf/
       args:
-        TAG_FS_CONFIG: {{ .Env.TAG_FS_CONFIG }}
-    image: alangecker/bbb-docker-freeswitch:{{ .Env.TAG_FS_CONFIG }}
+        BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }}
+    image: alangecker/bbb-docker-freeswitch:{{ .Env.TAG_FREESWITCH }}-{{ .Env.TAG_BBB }}
     restart: unless-stopped
     cap_add:
       - IPC_LOCK
@@ -125,41 +88,69 @@ services:
       DISABLE_SOUND_ALONE: ${DISABLE_SOUND_ALONE:-false}
       SOUNDS_LANGUAGE: ${SOUNDS_LANGUAGE:-en-us-callie}
       ESL_PASSWORD: ${FSESL_PASSWORD:-ClueCon}
+    {{ if .Env.SIP_IP_ALLOWLIST }}
+    ports:
+      - 5060:5060/udp
+    {{ end }}
     volumes:
-      - ./conf/sip_profiles:/etc/freeswitch/sip_profiles/external
-      - ./conf/dialplan_public:/etc/freeswitch/dialplan/public_docker
-      - vol-freeswitch:/var/freeswitch/meetings
-    network_mode: host
+      - ./conf/sip_profiles:/etc/freeswitch/sip_profiles/external-dialin
+      - ./data/freeswitch-meetings:/var/freeswitch/meetings
+    networks:
+      bbb-net:
+        ipv4_address: 10.7.7.10
+    logging:
+      # reduce logs to a minimum, so `docker compose logs -f` still works
+      driver: "local"
+      options:
+        max-size: "10k"
+        max-file: "1"
+        compress: "false"
 
   nginx:
     build:
       context: mod/nginx
+      additional_contexts:
+        - src-learning-dashboard=./repos/bigbluebutton/bbb-learning-dashboard
+        - src-playback=./repos/bbb-playback
+        - src-html5=./repos/bigbluebutton/bigbluebutton-html5
       args:
-        TAG_LEARNING_DASHBOARD: {{ .Env.TAG_LEARNING_DASHBOARD }}
-    image: alangecker/bbb-docker-nginx:1.21-{{ .Env.TAG_PLAYBACK }}-{{ .Env.TAG_LEARNING_DASHBOARD }}
+        BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }}
+        TAG_BBB: {{ .Env.TAG_BBB }}
+    image: alangecker/bbb-docker-nginx:{{ .Env.TAG_BBB }}-{{ .Env.TAG_PLAYBACK }}-1.25
     restart: unless-stopped
-    depends_on:
-      - etherpad
-      - webrtc-sfu
-      - html5-backend-1
     volumes:
-      - bigbluebutton:/var/bigbluebutton
-      - html5-static:/html5-static:ro
+      - ./data/bigbluebutton:/var/bigbluebutton
       - ${DEFAULT_PRESENTATION:-/dev/null}:/www/default.pdf
+
+      {{ if isTrue .Env.DEV_MODE }}
+      # overwrite html5 config 
+      - ./mod/nginx/bbb-html5.dev.nginx:/etc/nginx/bbb/bbb-html5.nginx:ro
+      {{ end }}
+    tmpfs:
+     - /tmp
     network_mode: host
     extra_hosts:
       - "host.docker.internal:10.7.7.1"
       - "bbb-web:10.7.7.2"
       - "etherpad:10.7.7.4"
       - "webrtc-sfu:10.7.7.1"
-      - "html5:10.7.7.11"
+      - "greenlight:10.7.7.21"
+      - "bbb-graphql-server:10.7.7.31"
+      - "bbb-graphql-middleware:10.7.7.32"
 
   etherpad:
-    build: mod/etherpad
-    image: alangecker/bbb-docker-etherpad:1.8.18-2
+    build: 
+      context: mod/etherpad
+      additional_contexts:
+        - plugin=./repos/bbb-etherpad-plugin
+        - skin=./repos/bbb-etherpad-skin
+      args:
+        TAG_ETHERPAD: "2.2.7"
+    image: alangecker/bbb-docker-etherpad:2.2.7-s{{ .Env.COMMIT_ETHERPAD_SKIN }}-p{{ .Env.COMMIT_ETHERPAD_PLUGIN }}
     restart: unless-stopped
     depends_on:
       - redis
+      - collabora
     environment:
       ETHERPAD_API_KEY: ${ETHERPAD_API_KEY}
     networks:
@@ -167,7 +158,10 @@ services:
         ipv4_address: 10.7.7.4
 
   bbb-pads:
-    build: mod/bbb-pads
+    build: 
+      context: mod/bbb-pads
+      additional_contexts:
+        - src=./repos/bbb-pads
     image: alangecker/bbb-docker-pads:{{ .Env.TAG_PADS }}
     restart: unless-stopped
     depends_on:
@@ -179,8 +173,31 @@ services:
       bbb-net:
         ipv4_address: 10.7.7.18
 
+  bbb-export-annotations:
+    build:
+      context: mod/bbb-export-annotations
+      additional_contexts:
+        src: ./repos/bigbluebutton/bbb-export-annotations
+    image: alangecker/bbb-docker-bbb-export-annotations:{{ .Env.TAG_BBB }}
+    restart: unless-stopped
+    depends_on:
+      - redis
+      - etherpad
+      - bbb-pads
+    networks:
+    # need connections to:
+    # https://github.com/bigbluebutton/bigbluebutton/blob/v2.7.0/bbb-export-annotations/config/settings.json
+    # "bbbWebAPI": "http://127.0.0.1:8090",    -> bbb-web
+    # "bbbPadsAPI": "http://127.0.0.1:9002",   -> bbb-pads
+      bbb-net:
+        ipv4_address: 10.7.7.19
+    volumes:
+      - ./data/bigbluebutton:/var/bigbluebutton
+    tmpfs:
+      - /tmp
+
   redis:
-    image: redis:7.0-alpine
+    image: redis:7.2-alpine
     restart: unless-stopped
     healthcheck:
       test: ["CMD", "redis-cli", "ping"]
@@ -191,34 +208,11 @@ services:
       bbb-net:
         ipv4_address: 10.7.7.5
 
-  mongodb:
-    container_name: bbb-mongodb
-    image: mongo:5.0
-    restart: unless-stopped
-    volumes:
-      - ./mod/mongo/mongod.conf:/etc/mongod.conf
-      - ./mod/mongo/init-replica.sh:/docker-entrypoint-initdb.d/init-replica.sh
-    tmpfs:
-      - /data/configdb
-      - /data/db
-    command: mongod --config /etc/mongod.conf --oplogSize 8 --replSet rs0 --noauth
-    healthcheck:
-      test: bash -c "if mongo --eval 'quit(db.runCommand({ ping':' 1 }).ok ? 0 ':' 2)'; then exit 0; fi; exit 1;"
-    networks:
-      bbb-net:
-        ipv4_address: 10.7.7.6
-
-  #  TODO: remove as soon as not required anymore by webrtc-sfu
-  kurento:
-    image: kurento/kurento-media-server:6.17
-    restart: unless-stopped
-    network_mode: host
-    volumes:
-      - vol-kurento:/var/kurento
-
   webrtc-sfu:
     build: 
       context: mod/webrtc-sfu
+      additional_contexts:
+        - source=./repos/bbb-webrtc-sfu
       args:
         BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }}
     image: alangecker/bbb-docker-webrtc-sfu:{{ .Env.TAG_WEBRTC_SFU }}
@@ -227,34 +221,32 @@ services:
       - redis
       - freeswitch
     environment:
-      CLIENT_HOST: 10.7.7.1
-      REDIS_HOST: 10.7.7.5
-      FREESWITCH_IP: 10.7.7.1
-      FREESWITCH_SIP_IP: ${EXTERNAL_IPv4}
-      ESL_IP: 10.7.7.1
       ESL_PASSWORD: ${FSESL_PASSWORD:-ClueCon}
-      # TODO: add mediasoup IPv6
-      # TODO: can listen to 0.0.0.0 for nat support? https://github.com/versatica/mediasoup/issues/487
-    {{ if .Env.EXTERNAL_IPv6 }}
-      MS_WEBRTC_LISTEN_IPS: '[{"ip":"{{ .Env.EXTERNAL_IPv6 }}", "announcedIp":"{{ .Env.EXTERNAL_IPv6 }}"}, {"ip":"${EXTERNAL_IPv4}", "announcedIp":"${EXTERNAL_IPv4}"}]'
-    {{else}}
+      {{ if .Env.EXTERNAL_IPv6 }}
+      MS_WEBRTC_LISTEN_IPS: '[{"ip":"::", "announcedIp":"${EXTERNAL_IPv6}"}, {"ip":"${EXTERNAL_IPv4}", "announcedIp":"${EXTERNAL_IPv4}"}]'
+      {{else}}
       MS_WEBRTC_LISTEN_IPS: '[{"ip":"${EXTERNAL_IPv4}", "announcedIp":"${EXTERNAL_IPv4}"}]'
-    {{end}}
-      MS_RTP_LISTEN_IP: '{"ip":"0.0.0.0", "announcedIp":"${EXTERNAL_IPv4}"}'
+      {{end}}
     volumes:
-      - vol-mediasoup:/var/mediasoup
+      - ./data/mediasoup:/var/mediasoup
     tmpfs:
       - /var/log/bbb-webrtc-sfu
     network_mode: host
+    security_opt:
+      - seccomp:unconfined # allow io_uring access for mediasoup
+    ulimits:
+      memlock: -1 # allow io_uring_register_buffers to allocate enough ram
 
   fsesl-akka:
     build: 
       context: mod/fsesl-akka
+      additional_contexts:
+        - src-common-message=./repos/bigbluebutton/bbb-common-message
+        - src-fsesl-client=./repos/bigbluebutton/bbb-fsesl-client
+        - src-fsesl-akka=./repos/bigbluebutton/akka-bbb-fsesl
       args:
         BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }}
-        TAG_COMMON_MESSAGE: {{ .Env.TAG_COMMON_MESSAGE }}
-        TAG_FSESL_AKKA: {{ .Env.TAG_FSESL_AKKA }}
-    image: alangecker/bbb-docker-fsesl-akka:{{ .Env.TAG_FSESL_AKKA }}
+    image: alangecker/bbb-docker-fsesl-akka:{{ .Env.TAG_BBB }}
     restart: unless-stopped
     depends_on:
       - redis
@@ -268,47 +260,134 @@ services:
   apps-akka:
     build: 
       context: mod/apps-akka
+      additional_contexts:
+        - src-common-message=./repos/bigbluebutton/bbb-common-message
+        - src-apps-akka=./repos/bigbluebutton/akka-bbb-apps
+        - src-config=./repos/bigbluebutton/bigbluebutton-html5/private/config/
       args:
         BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }}
-        TAG_COMMON_MESSAGE: {{ .Env.TAG_COMMON_MESSAGE }}
-        TAG_APPS_AKKA: {{ .Env.TAG_APPS_AKKA }}
-    image: alangecker/bbb-docker-apps-akka:{{ .Env.TAG_APPS_AKKA }}
+        TAG_BBB: {{ .Env.TAG_BBB }}
+    image: alangecker/bbb-docker-apps-akka:{{ .Env.TAG_BBB }}
     restart: unless-stopped
     depends_on:
       - redis
+      - postgres
     environment:
       DOMAIN: ${DOMAIN}
       SHARED_SECRET: ${SHARED_SECRET}
+      POSTGRES_PASSWORD: ${POSTGRESQL_SECRET:-password}
     volumes:
-      - vol-freeswitch:/var/freeswitch/meetings
+      - ./data/freeswitch-meetings:/var/freeswitch/meetings
+      - ./conf/bbb-html5.yml:/etc/bigbluebutton/bbb-html5.yml:ro
     networks:
       bbb-net:
         ipv4_address: 10.7.7.15
 
-  jodconverter:
-    build: mod/jodconverter
-    image: alangecker/bbb-docker-jodconverter:latest
+  bbb-graphql-server:
+    build:
+      context: mod/bbb-graphql-server
+      additional_contexts:
+        - src=./repos/bigbluebutton/bbb-graphql-server
+      args:
+        BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }}
+        GRAPHQL_ENGINE_TAG: v2.45.0
+    image: alangecker/bbb-docker-graphql-server:{{ .Env.TAG_BBB }}
+    depends_on:
+      - postgres
+      - bbb-web
+      - apps-akka
+      - bbb-graphql-actions
+    restart: unless-stopped
+    environment:
+      POSTGRES_USER: postgres
+      POSTGRES_PASSWORD: ${POSTGRESQL_SECRET:-password}
+      HASURA_GRAPHQL_ADMIN_SECRET: TODO_CHANGE_ME
+    networks:
+      bbb-net:
+        ipv4_address: 10.7.7.31
+
+
+  bbb-graphql-actions:
+    build:
+      context: mod/bbb-graphql-actions
+      {{ if isTrue .Env.DEV_MODE }}
+      dockerfile: Dockerfile.dev
+      {{ else }}
+      additional_contexts:
+        - src=./repos/bigbluebutton/bbb-graphql-actions
+      {{ end }}
+      args:
+        BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }}
+    image: alangecker/bbb-docker-graphql-actions:{{ .Env.TAG_BBB }}
+    restart: unless-stopped
+    depends_on:
+      - redis
+      - apps-akka
+    networks:
+      bbb-net:
+        ipv4_address: 10.7.7.30
+    {{ if isTrue .Env.DEV_MODE }}
+    volumes:
+      - ./repos/bigbluebutton/bbb-graphql-actions:/app/:rw
+      - ./.cache/npm:/tmp/.npm:rw
+    {{ end }}
+
+  bbb-graphql-middleware:
+    build:
+      context: mod/bbb-graphql-middleware
+      {{ if isTrue .Env.DEV_MODE }}
+      dockerfile: Dockerfile.dev
+      {{ else }}
+      additional_contexts:
+        - src=./repos/bigbluebutton/bbb-graphql-middleware
+      {{ end }}
+      args:
+        BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }}
+    image: alangecker/bbb-docker-graphql-middleware:{{ .Env.TAG_BBB }}
+    restart: unless-stopped
+    depends_on:
+      - bbb-graphql-server
+      - bbb-graphql-actions
+      - bbb-web
+      - redis
+    networks:
+      bbb-net:
+        ipv4_address: 10.7.7.32
+    extra_hosts:
+      - "nginx:10.7.7.1"
+
+    {{ if isTrue .Env.DEV_MODE }}
+    user: ${BBB_DEV_UID}:${BBB_DEV_GID}
+    volumes:
+      - ./repos/bigbluebutton/bbb-graphql-middleware:/app/:ro
+      - ./repos/bigbluebutton/bbb-graphql-middleware/config/config.yml:/usr/share/bbb-graphql-middleware/config.yml:ro
+      - ./mod/bbb-graphql-middleware/config.yml:/etc/bigbluebutton/bbb-graphql-middleware.yml:ro
+      - ./.cache/go:/gopath:rw
+      - ./.cache/go-build:/.cache/go-build:rw
+    {{ end }}
+
+  collabora:
+    image: collabora/code:latest
     restart: unless-stopped
     tmpfs:
       - /tmp
-    deploy:
-      resources:
-        limits:
-          memory: 512M
     networks:
       bbb-net:
         ipv4_address: 10.7.7.20
+    # disable logging (way to verbose)
+    logging:
+      driver: none
+
 
   periodic:
     build: mod/periodic
-    image: alangecker/bbb-docker-periodic:v2.5.0-rc.1
+    image: alangecker/bbb-docker-periodic:v3.0.0
     restart: unless-stopped
-    depends_on:
-      - mongodb
+
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
-      - bigbluebutton:/var/bigbluebutton
-      - vol-mediasoup:/var/mediasoup
+      - ./data/bigbluebutton:/var/bigbluebutton
+      - ./data/mediasoup:/var/mediasoup
     tmpfs:
       - /var/log/bigbluebutton
     environment:
@@ -324,33 +403,57 @@ services:
   recordings:
     build: 
       context: mod/recordings
+      additional_contexts:
+        - record-core=./repos/bigbluebutton/record-and-playback/core
+        - presentation=./repos/bigbluebutton/record-and-playback/presentation
+        - bbb-conf=./repos/bigbluebutton/bigbluebutton-config
       args:
         BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }}
-        TAG_RECORDINGS: {{ .Env.TAG_RECORDINGS }}
-    image: alangecker/bbb-docker-recordings:{{ .Env.TAG_RECORDINGS }}
+        TAG_BBB_PRESENTATION_VIDEO: "5.0.0-beta.2"
+    image: alangecker/bbb-docker-recordings:{{ .Env.TAG_BBB }}
     restart: unless-stopped
     depends_on:
       - redis
       - bbb-pads
     environment:
       DOMAIN: ${DOMAIN}
+      SHARED_SECRET: ${SHARED_SECRET}
     volumes:
-      - bigbluebutton:/var/bigbluebutton
-      - vol-freeswitch:/var/freeswitch/meetings
-      - vol-mediasoup:/var/mediasoup
-      - vol-kurento:/var/kurento
+      - ./data/bigbluebutton:/var/bigbluebutton
+      - ./data/freeswitch-meetings:/var/freeswitch/meetings
+      - ./data/mediasoup:/var/mediasoup
+      - ./data/bbb-webrtc-recorder:/var/lib/bbb-webrtc-recorder
     tmpfs:
       - /var/log/bigbluebutton
       - /tmp
     networks:
       bbb-net:
         ipv4_address: 10.7.7.16
+
+  bbb-webrtc-recorder:
+    build:
+      context: mod/bbb-webrtc-recorder
+      additional_contexts:
+        - src=./repos/bbb-webrtc-recorder
+    image: alangecker/bbb-docker-webrtc-recorder:{{ .Env.TAG_WEBRTC_RECORDER }}
+    depends_on:
+      - redis
+    volumes: 
+      - ./data/bbb-webrtc-recorder:/var/lib/bbb-webrtc-recorder
+    # WebRTC connection to bbb-webrtc-sfu seem to 
+    # only to work via the external IP
+    network_mode: host
+    extra_hosts:
+      - "redis:10.7.7.5"
 {{end}}
 
 {{ if isTrue .Env.ENABLE_WEBHOOKS }}
   # webhooks
   webhooks:
-    build: mod/webhooks
+    build: 
+      context: mod/webhooks
+      additional_contexts:
+        - src=./repos/bbb-webhooks
     image: alangecker/bbb-docker-webhooks:{{ .Env.TAG_WEBHOOKS }}
     restart: unless-stopped
     environment:
@@ -364,77 +467,70 @@ services:
 {{end}}
 
 {{ if isTrue .Env.ENABLE_HTTPS_PROXY }}
-  # https
-  https_proxy:
-    image: valian/docker-nginx-auto-ssl
-    restart: unless-stopped
+
+  haproxy:
+    build: mod/haproxy
+    image: alangecker/bbb-haproxy:2.8.10
     volumes:
-      - ssl_data:/etc/resty-auto-ssl
-    {{ if .Env.EXTERNAL_IPv6 }}
-      - ./mod/https/site.conf:/etc/nginx/conf.d/bbb-docker.conf
-    {{else}}
-      - ./mod/https/site-ipv4only.conf:/etc/nginx/conf.d/bbb-docker.conf
-    {{end}}
+      - ./data/haproxy/letsencrypt:/etc/letsencrypt
+      - ./mod/haproxy/haproxy.cfg:/etc/haproxy/haproxy.cfg
+      - ./mod/haproxy/protocolmap:/etc/haproxy/protocolmap
     environment:
-      {{ if isTrue .Env.DEV_MODE }}
-      ALLOWED_DOMAINS: ""
-      {{else}}
-      ALLOWED_DOMAINS: ${DOMAIN}
-      {{end}}
+      - IGNORE_TLS_CERT_ERRORS={{$ignore_tls_cert_errors}}
+      - CERT1=${DOMAIN}
+      - EMAIL=${LETSENCRYPT_EMAIL}
     network_mode: host
 {{end}}
 
-{{ if isTrue .Env.ENABLE_COTURN }}
   # coturn
   coturn:
-    image: coturn/coturn:4.5-alpine
+    image: coturn/coturn:4.6-alpine
     restart: unless-stopped
     command:
       - "--external-ip=${EXTERNAL_IPv4}/${EXTERNAL_IPv4}"
       - "--external-ip=${EXTERNAL_IPv6:-::1}/${EXTERNAL_IPv6:-::1}"
       - "--static-auth-secret=${TURN_SECRET}"
+      - "--allowed-peer-ip=${EXTERNAL_IPv4}"
+      - "--relay-ip=${EXTERNAL_IPv4}"
+      - "--relay-ip=${EXTERNAL_IPv6:-::1}"
     volumes:
-      {{ if isTrue .Env.ENABLE_HTTPS_PROXY }}
-      - ssl_data:/etc/resty-auto-ssl
-      {{else}}
-      - ${COTURN_TLS_CERT_PATH}:/tmp/cert.pem
-      - ${COTURN_TLS_KEY_PATH}:/tmp/key.pem
-      {{end}}
-      - ./mod/coturn/entrypoint.sh:/usr/local/bin/docker-entrypoint.sh
       - ./mod/coturn/turnserver.conf:/etc/coturn/turnserver.conf
-    environment:
-      ENABLE_HTTPS_PROXY:
-    user: root
     network_mode: host
-{{end}}
 
 
 {{ if isTrue .Env.ENABLE_GREENLIGHT }}
   # greenlight
   greenlight:
-    image: bigbluebutton/greenlight:v2
+    image: bigbluebutton/greenlight:v3.5.0
     restart: unless-stopped
     env_file: .env
+    depends_on:
+      - postgres
+      - redis
+
     environment:
-      DB_ADAPTER: postgresql
-      DB_HOST: postgres
-      DB_NAME: greenlight
-      DB_USERNAME: postgres
-      DB_PASSWORD: ${POSTGRESQL_SECRET:-password}
-      {{ if isTrue .Env.DEV_MODE }}
-      BIGBLUEBUTTON_ENDPOINT: http://10.7.7.1:48087/bigbluebutton/api/
+      DATABASE_URL: postgres://postgres:${POSTGRESQL_SECRET:-password}@postgres:5432/greenlight
+      REDIS_URL: redis://redis:6379
+      {{ if $ignore_tls_cert_errors }}
+      BIGBLUEBUTTON_ENDPOINT: http://10.7.7.1:48083/bigbluebutton/api
       {{else}}
-      BIGBLUEBUTTON_ENDPOINT: https://${DOMAIN}/bigbluebutton/api/
+      BIGBLUEBUTTON_ENDPOINT: https://${DOMAIN}/bigbluebutton/api
       {{end}}
       BIGBLUEBUTTON_SECRET: ${SHARED_SECRET}
       SECRET_KEY_BASE: ${RAILS_SECRET}
-    ports:
-      - 10.7.7.1:5000:80
+      RELATIVE_URL_ROOT: /
+    volumes:
+       - ./data/greenlight:/usr/src/app/storage
+    networks:
+      bbb-net:
+        ipv4_address: 10.7.7.21
+{{end}}
+
   postgres:
-    image: postgres:12-alpine
+    image: postgres:16-alpine
     restart: unless-stopped
     environment:
-      POSTGRES_DB: greenlight
+      POSTGRES_MULTIPLE_DATABASES: bbb_graphql,hasura_app,greenlight
       POSTGRES_USER: postgres
       POSTGRES_PASSWORD: ${POSTGRESQL_SECRET:-password}
     healthcheck:
@@ -443,8 +539,11 @@ services:
       timeout: 5s
       retries: 5
     volumes:
-      - ./postgres-data:/var/lib/postgresql/data
-{{end}}
+      - ./data/postgres:/var/lib/postgresql/data
+      - ./mod/postgres/initdb.sh:/docker-entrypoint-initdb.d/initdb.sh
+    networks:
+      bbb-net:
+        ipv4_address: 10.7.7.22
 
 {{ if isTrue .Env.ENABLE_PROMETHEUS_EXPORTER }}
   # prometheus
@@ -460,19 +559,13 @@ services:
         ipv4_address: 10.7.7.33
     {{ if isTrue .Env.ENABLE_PROMETHEUS_EXPORTER_OPTIMIZATION }}
     volumes:
-      - bigbluebutton:/var/bigbluebutton:ro
+      - ./data/bigbluebutton:/var/bigbluebutton:ro
     {{end}}
-{{end}}
 
-
-volumes:
-  bigbluebutton:
-  vol-freeswitch:
-  vol-kurento:
-  vol-mediasoup:
-  html5-static:
-{{ if isTrue .Env.ENABLE_HTTPS_PROXY }}
-  ssl_data:
+    # the exporter requires /etc/bigbluebutton/bigbluebutton-release
+    tmpfs:
+      - /etc/bigbluebutton:mode=777
+    entrypoint: sh -c 'echo "BIGBLUEBUTTON_RELEASE=2.7.3" > /etc/bigbluebutton/bigbluebutton-release && python server.py'
 {{end}}
 
 networks:

docs/development.md

@@ -1,81 +1,45 @@
 # bbb-docker Development
 
 ## Basics
-normally people start BBB with the pre-built docker images, but for developing you need to build them by yourself. For that you need to ensure that the submodules are also checked out:
+normally people start BBB with the pre-built docker images, but for developing you need to build them by yourself. For that you need to ensure that the submodules are also checked out
 
 ```sh
-$ git submodule update --init
+$ git clone --recurse-submodules https://github.com/bigbluebutton/docker.git bbb-dev
+$ cd bbb-dev
 ```
 
-
 ## Running
-you can run bbb-docker locally without any certificate issues with following `.env` configurations:
+you can now run bbb-docker locally by simply starting
 
-```
-DEV_MODE=true
-
-ENABLE_HTTPS_PROXY=true
-#ENABLE_COTURN=true
-#ENABLE_GREENLIGHT=true
-#ENABLE_WEBHOOKS=true
-#ENABLE_PROMETHEUS_EXPORTER=true
-#ENABLE_RECORDING=true
-
-DOMAIN=10.7.7.1
-EXTERNAL_IPv4=10.7.7.1
-STUN_IP=216.93.246.18
-STUN_PORT=3478
-TURN_SERVER=turns:localhost:5349?transport=tcp
-
-TURN_SECRET=SuperTurnSecret
-SHARED_SECRET=SuperSecret
-ETHERPAD_API_KEY=SuperEtherpadKey
-RAILS_SECRET=SuperRailsSecret
-
-# ====================================
-# CUSTOMIZATION
-# ====================================
-
-[... add rest of sample.env here ...]
+```sh
+$ ./scripts/dev
 ```
 
-- regenerate `docker-compose.yml` \
+Use the API Mate with the link presented in the console to create & join a conference.
+
+### Hints
+- the html5 component will watch and automatically reload on any changes 🚀
+- if you change anything in the other components, you need to
+  * manually rebuilt it \
+    `$ docker compose build CONTAINERNAME`
+  * restart it \
+    `$ docker compose up -d CONTAINERNAME`
+- if you change any variable in .env, always run following to rebuild the `docker-compose.yml``
   `$ ./scripts/generate-compose`
-- build the images \
-  `$ docker-compose build`
-- you can than start it with \
-  `$ docker-compose up -d`
 - view the logs with \
-  `$ docker-compose logs -f`
-- and access the API via \
-  https://mconf.github.io/api-mate/#server=https://10.7.7.1/bigbluebutton/api&sharedSecret=SuperSecret
-    * At some point your browser will warn you about an invalid certificate, but you can press _"Accept the Risk and Continue" / "Proceed to 10.7.7.1 (unsafe)"_
-
+  `$ docker compose logs -f`
+- At some point your browser will warn you about an invalid certificate, but you can press _"Accept the Risk and Continue" / "Proceed to 10.7.7.1 (unsafe)"_
 
 ## Notes
-- Joining a room via Greenlight currently leads to a "401 session not found" error (see https://github.com/alangecker/bigbluebutton-docker/issues/66). Use the API Mate instead
-
-## Changes
-- After doing some changes you usually must...
-  - recreate `docker-compose.yml` \
-    `$ ./scripts/generate-compose`
-  * rebuild the image(s): \
-    `$ docker-compose build [containername]`
-  * restart changes image(s): \
-    `$ docker-compose up -d`
-
+- Due to the self signed ssl certificate it is currently not possible to notify greenlight about recordings in dev mode
 
 ## How to do create a new update for a newer BBB release?
 This always consists out of following steps
 1. **Get an understanding about changes that happened and find out what changes to bbb-docker that require.** \
     * main source for that are the release notes in https://github.com/bigbluebutton/bigbluebutton/releases
 2. **Apply these changes to this project.** 
-    * Often you only need to update the TAGS in `tags.env`
-      * make sure only to switch to a newer tag if there were changes made avoid creating new (partialy big) images unnecessarily
-    * Also update submodules to the new state. 
-      * List of all submodules `git submodule`
-      * for the main submodules you can use `./scripts/checkout-submodules` to checkout the tags specified in `tags.env`
-      
+    * Often you only need to checkout the git submodules to the specific release tag
+      * List of all submodules: `git submodule`   
 3. Test everything (with firefox **and** chromium/chrome)
     * Audio
     * Video

docs/network-config.md

@@ -24,6 +24,7 @@ Services as configured.
 | coturn | network_mode: host | |
 | greenlight | | | ports: 10.7.7.1:5000:80
 | prometheus | bbb-net | 10.7.7.33 |
+| bbb-export-annotations | bbb-net | 10.7.7.19 |
 
 ```yml
 networks:  

docs/upgrading.md

@@ -1,22 +1,33 @@
 # How To Upgrade bbb-docker
 
-### Upgrading `v2.3.x` -> `v2.4.x`
-*Breaking change:* The nginx port changes from `8080` to the less common port `48087`, to avoid port conflicts (see [#133](https://github.com/bigbluebutton/docker/issues/133)). If you use an reverse proxy not included in this repo, ensure to update your config accordingly!
+### Breaking changes `v2.7.x` -> `v3.0.x`
+- **A setup behind NAT does currently not work!**
+- `LETSENCRYPT_EMAIL` is now required in `.env` when used with the integrated HAProxy
+- the greenlight postgres database is now called `greenlight` instead of `greenlight-v3`
 
-apart from that follow the guide below.
 
-### within `v2.4.x` or `v2.3.x`
-#### Backup
+### Breaking changes `v2.6.x` -> `v2.7.x`
+- We use now Docker Compose V2
+    * make sure you have docker ≥ 23.0 installed (`$ docker -v`)
+    * update all usages of `docker-compose` to `docker compose` in your scripts
+
+### Breaking changes `v2.5.x` -> `v2.6.x`
+- Greenlight got fully rewritten
+    * it is starting as a fresh installation. you can migrate your data with `./scripts/greenlight-migrate-v2-v3`
+    * some greenlight settings under `.env` have changed. compare your version with `sample.env`
+    * it is now served directly under `/` and not in `/b`. If you use an reverse proxy not included in this repo, ensure to update your config accordingly!
+
+### Backup
 if you use greenlight, create a database backup first
 ```bash
 docker exec -t docker_postgres_1 pg_dumpall -c -U postgres > /root/greenlight_`date +%d-%m-%Y"_"%H_%M_%S`.sql
 ```
 
-#### Upgrading
+### Upgrading
 ```bash
 # upgrade!
 ./scripts/upgrade
 
 # restart updated services
-docker-compose up -d
+docker compose up -d --no-build
 ```

mod/apps-akka/Dockerfile

@@ -1,20 +1,16 @@
 ARG BBB_BUILD_TAG
-FROM gitlab.senfcall.de:5050/senfcall-public/docker-bbb-build:$BBB_BUILD_TAG AS builder
+FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder
 
-ARG TAG_COMMON_MESSAGE
+COPY --from=src-common-message / /bbb-common-message
 
-# download bbb-common-message
-RUN svn checkout https://github.com/bigbluebutton/bigbluebutton/tags/$TAG_COMMON_MESSAGE/bbb-common-message /bbb-common-message \
-    && cd /bbb-common-message \
-    && ./deploy.sh \
-    && rm -rf /bbb-common-message
+# build bbb-common-message
+RUN cd /bbb-common-message && ./deploy.sh
 
 # ===================================================
 
 ARG TAG_APPS_AKKA
 
-RUN svn checkout https://github.com/bigbluebutton/bigbluebutton/tags/$TAG_APPS_AKKA/akka-bbb-apps /source \
-    && rm -rf /source/.svn
+COPY --from=src-apps-akka / /source
 
 # compile and unzip bin
 RUN cd /source \
@@ -23,12 +19,25 @@ RUN cd /source \
 
 # ===================================================
 
+
+FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder-settings
+RUN wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64 && chmod a+x /usr/local/bin/yq
+COPY --from=src-config /settings.yml /settings.yml
+ARG TAG_BBB
+RUN yq e -i ".public.app.bbbServerVersion = \"$TAG_BBB\"" /settings.yml
+RUN yq e -i ".public.app.html5ClientBuild = \"$TAG_BBB\"" /settings.yml
+
+
+# ===================================================
+
 FROM alangecker/bbb-docker-base-java
 
+COPY --from=builder-settings /usr/local/bin/yq /usr/local/bin/yq
 COPY --from=builder /bbb-apps-akka-0.0.4 /bbb-apps-akka
 COPY bbb-apps-akka.conf /etc/bigbluebutton/bbb-apps-akka.conf.tmpl
 COPY logback.xml /bbb-apps-akka/conf/logback.xml
 COPY entrypoint.sh /entrypoint.sh
+COPY --from=builder-settings --chown=bigbluebutton:bigbluebutton /settings.yml /usr/share/bigbluebutton/html5-client/private/config/settings.yml
 
 USER bigbluebutton
 ENTRYPOINT /entrypoint.sh

mod/apps-akka/bbb-apps-akka.conf

@@ -8,7 +8,18 @@ redis {
 services {
   bbbWebAPI="https://DOMAIN/bigbluebutton/api"
   sharedSecret="SHARED_SECRET"
+  graphqlMiddlewareAPI = "http://10.7.7.32:8378"
 }
 http {
   interface = "0.0.0.0"
+}
+
+postgres {
+  properties = {
+      serverName = "postgres"
+      portNumber = "5432"
+      databaseName = "bbb_graphql"
+      user = "postgres"
+      password = "POSTGRES_PASSWORD"
+  }
 }

mod/apps-akka/entrypoint.sh

@@ -1,9 +1,17 @@
 #!/bin/sh -e
 
+# bbb-apps-akka.conf
 TARGET=/etc/bigbluebutton/bbb-apps-akka.conf
 cp /etc/bigbluebutton/bbb-apps-akka.conf.tmpl $TARGET
 sed -i "s/DOMAIN/$DOMAIN/" $TARGET
 sed -i "s/SHARED_SECRET/$SHARED_SECRET/" $TARGET
+sed -i "s/POSTGRES_PASSWORD/$POSTGRES_PASSWORD/" $TARGET
+
+
+# settings.yml
+TARGET=/usr/share/bigbluebutton/html5-client/private/config/settings.yml
+yq e -i ".public.kurento.wsUrl = \"wss://$DOMAIN/bbb-webrtc-sfu\"" $TARGET
+yq e -i ".public.pads.url = \"https://$DOMAIN/pad\"" $TARGET
 
 cd /bbb-apps-akka
 /bbb-apps-akka/bin/bbb-apps-akka

mod/apps-akka/logback.xml

@@ -9,8 +9,10 @@
     <logger name="akka" level="INFO" />
     <logger name="org.bigbluebutton" level="DEBUG" />
     <logger name="io.lettuce" level="INFO" />
+    <logger name="slick" level="INFO" />
 
-    <root level="DEBUG">
+
+    <root level="INFO">
         <appender-ref ref="STDOUT"/>
     </root>
 </configuration>

mod/base-java/Dockerfile

@@ -1,4 +1,4 @@
-FROM openjdk:11-jre-slim-bullseye
+FROM eclipse-temurin:17-jre-jammy
 
 RUN apt-get update && apt-get install -y \
         wget unzip gosu locales \
@@ -16,7 +16,7 @@ RUN groupadd -g 998 bigbluebutton \
     && chown bigbluebutton:bigbluebutton /etc/bigbluebutton
 
 # add dockerize
-ENV DOCKERIZE_VERSION v0.6.1
+ENV DOCKERIZE_VERSION v0.7.0
 RUN wget -q https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
     && tar -C /usr/local/bin -xzvf dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
     && rm dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz

mod/bbb-export-annotations/Dockerfile

@@ -0,0 +1,23 @@
+FROM node:22-bookworm-slim AS builder
+
+COPY --from=src / /bbb-export-annotations
+RUN cd /bbb-export-annotations && npm ci && npm install
+
+# --------------------
+
+FROM node:22-bookworm-slim
+
+RUN groupadd -g 998 bigbluebutton \
+    && useradd -m -u 998 -g bigbluebutton bigbluebutton
+
+RUN apt update && apt install -y \
+    nodejs npm cairosvg ghostscript imagemagick nodejs poppler-utils
+
+COPY --from=builder /bbb-export-annotations /bbb-export-annotations
+COPY ./config/settings.json /bbb-export-annotations/config/settings.json
+
+USER bigbluebutton
+WORKDIR /bbb-export-annotations
+ENV NODE_ENV=production
+
+ENTRYPOINT npm start

mod/bbb-export-annotations/config/settings.json

@@ -0,0 +1,40 @@
+{
+    "log": {
+      "level": "info",
+      "msgName": "PresAnnStatusMsg"
+    },
+    "shared": {
+      "presAnnDropboxDir": "/tmp/pres-ann-dropbox",
+      "cairosvg": "/usr/bin/cairosvg",
+      "ghostscript": "/usr/bin/gs"
+    },
+    "process": {
+      "maxImageWidth": 1440,
+      "maxImageHeight": 1080,
+      "pointsPerInch": 72,
+      "pixelsPerInch": 96,
+      "cairoSVGUnsafeFlag": false
+    },
+    "notifier": {
+      "pod_id": "DEFAULT_PRESENTATION_POD",
+      "is_downloadable": "false",
+      "msgName": "NewPresFileAvailableMsg"
+    },
+    "bbbWebAPI": "http://bbb-web:8090",
+    "bbbPadsAPI": "http://bbb-pads:9002",
+    "redis": {
+      "host": "redis",
+      "port": 6379,
+      "password": null,
+      "channels": {
+        "queue": "exportJobs",
+        "publish": "to-akka-apps-redis-channel"
+      }
+    },
+    "fonts": {
+      "draw": "/usr/local/share/fonts/CaveatBrush-Regular-2015-09-23.ttf",
+      "sans": "/usr/local/share/fonts/CrimsonPro[wght]-1.003.ttf",
+      "serif": "/usr/local/share/fonts/SourceSansPro-Regular-2.045.ttf",
+      "mono": "/usr/local/share/fonts/SourceCodePro-Regular-2.038.ttf"
+  }
+}

mod/bbb-graphql-actions/Dockerfile

@@ -0,0 +1,34 @@
+ARG BBB_BUILD_TAG
+FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder
+
+COPY --from=src ./ /src
+RUN cd /src && \
+    npm ci --no-progress && \
+    npm run build
+
+# delete node_modules (it should create a fresh one inside /src/dist/)
+RUN rm -rf /src/node_modules
+
+RUN cd /src/dist && \
+    mv index.js bbb-graphql-actions.js && \
+    cp ../package.json ../package-lock.json . && \
+    npm ci --no-progress --omit=dev
+
+
+# ------------------------------
+FROM node:22-bookworm-slim
+
+RUN groupadd -g 2062 app \
+    && useradd -m -u 2063 -g app app
+
+USER app
+
+WORKDIR /app
+
+ENV SERVER_HOST 0.0.0.0
+ENV BBB_REDIS_HOST redis
+ENV NODE_ENV=production
+
+COPY --from=builder /src/dist /app
+
+CMD [ "node", "/app/bbb-graphql-actions.js" ]

mod/bbb-graphql-actions/Dockerfile.dev

@@ -0,0 +1,16 @@
+ARG BBB_BUILD_TAG
+FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder
+
+RUN apt-get update && apt-get install -y gosu
+
+# allow any user to use node in /root/.nvm
+RUN chmod 755 /root
+
+COPY dev-entrypoint.sh /dev-entrypoint.sh
+ENTRYPOINT [ "/dev-entrypoint.sh" ]
+
+WORKDIR /app
+ENV SERVER_HOST 0.0.0.0
+ENV BBB_REDIS_HOST redis
+
+CMD [ "npm install && npm start" ]

mod/bbb-graphql-actions/dev-entrypoint.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# get owner of /app
+OWNER="$(stat -c '%u' "/app")"
+GROUP="$(stat -c '%g' "/app")"
+useradd --home-dir /tmp -u $OWNER user || /bin/true
+
+# run with same user to avoid any issues
+# with file permissions
+. /root/.nvm/nvm.sh
+gosu $OWNER:$GROUP bash -c "$@"
+

mod/bbb-graphql-middleware/Dockerfile

@@ -0,0 +1,12 @@
+ARG BBB_BUILD_TAG
+FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder
+
+COPY --from=src / /src/
+RUN cd /src/ && CGO_ENABLED=0 go build -o bbb-graphql-middleware cmd/bbb-graphql-middleware/main.go
+
+# ------------------------------
+FROM alpine
+COPY --from=builder /src/bbb-graphql-middleware /app/bbb-graphql-middleware
+COPY --from=builder /src/config/config.yml /usr/share/bbb-graphql-middleware/config.yml
+COPY config.yml /etc/bigbluebutton/bbb-graphql-middleware.yml
+CMD [ "/app/bbb-graphql-middleware" ]

mod/bbb-graphql-middleware/Dockerfile.dev

@@ -0,0 +1,8 @@
+ARG BBB_BUILD_TAG
+FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder
+
+WORKDIR /app
+
+ENV GOPATH /gopath
+
+CMD ["go", "run", "cmd/bbb-graphql-middleware/main.go", "--signal", "SIGTERM"]

mod/bbb-graphql-middleware/config.yml

@@ -0,0 +1,15 @@
+server:
+  listen_host: 0.0.0.0
+  listen_port: 8378
+redis:
+  host: redis
+  port: 6379
+  password: ""
+hasura:
+  url: ws://nginx:8185/v1/graphql
+graphql-actions:
+  url: http://bbb-graphql-actions:8093
+auth_hook:
+  url: http://bbb-web:8090/bigbluebutton/connection/checkGraphqlAuthorization
+session_vars_hook:
+  url: http://apps-akka:8901/userInfo

mod/bbb-graphql-server/Dockerfile

@@ -0,0 +1,25 @@
+ARG BBB_BUILD_TAG
+ARG GRAPHQL_ENGINE_TAG
+FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder
+
+RUN curl -L https://github.com/hasura/graphql-engine/raw/stable/cli/get.sh | INSTALL_PATH=/usr/local/bin VERSION=v2.44.0 bash
+RUN wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 && chmod a+x /usr/local/bin/yq
+
+# ----------------------------
+FROM hasura/graphql-engine:$GRAPHQL_ENGINE_TAG
+
+# install netstat, required for start script
+RUN apt-get update && apt-get install -y net-tools gosu
+
+COPY --from=builder /usr/local/bin/yq /usr/local/bin/yq
+COPY --from=builder /usr/local/bin/hasura /usr/local/bin/hasura
+
+COPY --from=src /bbb_schema.sql /app/
+COPY --from=src /metadata /app/metadata
+
+COPY config.yaml /app/config.yaml
+COPY entrypoint.sh /entrypoint.sh
+COPY start.sh /app/start.sh
+
+ENTRYPOINT [ "/entrypoint.sh" ]
+CMD [ "/app/start.sh" ]

mod/bbb-graphql-server/config.yaml

@@ -0,0 +1,7 @@
+version: 3
+endpoint: http://localhost:8085
+admin_secret: bigbluebutton
+metadata_directory: metadata
+actions:
+  kind: synchronous
+  handler_webhook_baseurl: http://localhost:3000

mod/bbb-graphql-server/entrypoint.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# for psql
+export PGHOST=postgres
+export PGUSER="${POSTGRES_USER}"
+export PGPASSWORD="${POSTGRES_PASSWORD}"
+
+
+# for hasura
+export HASURA_GRAPHQL_DATABASE_URL=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/hasura_app
+export HASURA_GRAPHQL_METADATA_DATABASE_URL=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/hasura_app
+export HASURA_GRAPHQL_LOG_LEVEL=warn
+export HASURA_GRAPHQL_ENABLE_CONSOLE=false
+export HASURA_GRAPHQL_LIVE_QUERIES_MULTIPLEXED_REFETCH_INTERVAL=250
+export HASURA_GRAPHQL_LIVE_QUERIES_MULTIPLEXED_BATCH_SIZE=1000
+export HASURA_GRAPHQL_STREAMING_QUERIES_MULTIPLEXED_REFETCH_INTERVAL=100
+export HASURA_GRAPHQL_STREAMING_QUERIES_MULTIPLEXED_BATCH_SIZE=1000
+export HASURA_GRAPHQL_SERVER_PORT=8085
+export HASURA_GRAPHQL_ENABLE_TELEMETRY=false
+export HASURA_GRAPHQL_WEBSOCKET_KEEPALIVE=10
+export HASURA_GRAPHQL_AUTH_HOOK=http://apps-akka:8901/userInfo
+export HASURA_BBB_GRAPHQL_ACTIONS_ADAPTER_URL=http://bbb-graphql-actions:8093
+
+
+export HASURA_GRAPHQL_BBB_DATABASE_URL=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/bbb_graphql
+
+exec $@

mod/bbb-graphql-server/start.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+set -e
+
+cd /app/
+
+# patch database url
+# TODO: this should be possible upstream in BBB via an environment variable
+yq e -i ".[1].configuration.connection_info.database_url = \"$HASURA_GRAPHQL_BBB_DATABASE_URL\"" metadata/databases/databases.yaml
+
+sed -i "s/^admin_secret: .*/admin_secret: $HASURA_GRAPHQL_ADMIN_SECRET/g" /app/config.yaml
+
+echo "SELECT 'CREATE DATABASE hasura_app' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'hasura_app')\gexec" | psql
+
+echo "Restarting database bbb_graphql"
+psql -c "SELECT pg_terminate_backend(pg_stat_activity.pid) FROM pg_stat_activity WHERE datname = 'bbb_graphql'" > /dev/null
+psql -c "drop database if exists bbb_graphql with (force)"
+psql -c "create database bbb_graphql WITH TEMPLATE template0 LC_COLLATE 'C.UTF-8'"
+psql -c "alter database bbb_graphql set timezone to 'UTC'"
+
+echo "Creating tables in bbb_graphql"
+psql -U postgres -d bbb_graphql -q -f bbb_schema.sql --set ON_ERROR_STOP=on
+
+echo "Starting hasura-graphql-engine"
+gosu nobody graphql-engine serve &
+PID=$!
+
+sleep 1
+
+
+#Check if Hasura is ready before applying metadata
+while ! netstat -tuln | grep ":$HASURA_GRAPHQL_SERVER_PORT " > /dev/null; do
+    echo "Waiting for Hasura's port ($HASURA_GRAPHQL_SERVER_PORT) to be ready..."
+    sleep 1
+done
+
+echo "Applying new metadata to Hasura"
+/usr/local/bin/hasura metadata apply --skip-update-check
+
+wait "$PID"

mod/bbb-pads/Dockerfile

@@ -1,16 +1,16 @@
-FROM node:14.19.1-bullseye-slim AS builder
+FROM node:22-bookworm-slim AS builder
 
-COPY ./bbb-pads /bbb-pads
+COPY --from=src / /bbb-pads
 RUN cd /bbb-pads && rm -r .git && npm install --production
 
 
 RUN chmod 777 /bbb-pads/config
 # ------------------------------
 
-FROM node:14.19.1-bullseye-slim
+FROM node:22-bookworm-slim
 
 RUN apt update && apt install -y jq moreutils \
-    && useradd --uid 2003 --user-group bbb-pads
+    && useradd --uid 2003 --create-home --user-group bbb-pads
 
 COPY --from=builder /bbb-pads /bbb-pads
 USER bbb-pads

mod/bbb-web/Dockerfile

@@ -1,29 +1,19 @@
 ARG BBB_BUILD_TAG
-FROM gitlab.senfcall.de:5050/senfcall-public/docker-bbb-build:$BBB_BUILD_TAG AS builder
+FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder
 
-ARG TAG_COMMON_MESSAGE
+COPY --from=src-common-message / /bbb-common-message
 
-# download bbb-common-message
-RUN svn checkout https://github.com/bigbluebutton/bigbluebutton/tags/$TAG_COMMON_MESSAGE/bbb-common-message /bbb-common-message \
-    && cd /bbb-common-message \
-    && ./deploy.sh \
-    && rm -rf /bbb-common-message
+# build bbb-common-message
+RUN cd /bbb-common-message && ./deploy.sh
 
 # ===================================================
 
-ARG TAG_BBB_WEB
 
-# download bbb-common-web
-RUN svn checkout https://github.com/bigbluebutton/bigbluebutton/tags/$TAG_BBB_WEB/bbb-common-web /bbb-common-web \
-    && rm -rf /bbb-common-message/.svn
+COPY --from=src-common-web / /bbb-common-web
+# build bbb-common-web
+RUN cd /bbb-common-web && ./deploy.sh
 
-# compile bbb-common-web
-RUN cd /bbb-common-web \
- && ./deploy.sh
-
-# download bbb-web
-RUN svn checkout https://github.com/bigbluebutton/bigbluebutton/tags/$TAG_BBB_WEB/bigbluebutton-web /bbb-web \
-    && rm -rf /bbb-web/.svn
+COPY --from=src-web / /bbb-web
 
 # compile bbb-web
 RUN cd /bbb-web && grails assemble
@@ -38,7 +28,7 @@ RUN unzip -q /bbb-web/build/libs/bigbluebutton-0.10.0.war -d /dist
 # ===================================================
 FROM alangecker/bbb-docker-base-java
 
-# add blank presentation files and allow conversation to pdf/svg
+# add blank presentation files and allow conversion to pdf/svg
 RUN mkdir -p /usr/share/bigbluebutton/blank \
     && cd /usr/share/bigbluebutton/blank \
     && wget \
@@ -57,12 +47,10 @@ COPY --from=builder /dist /usr/share/bbb-web
 COPY --from=builder /bbb-web/pres-checker/lib /usr/share/prescheck/lib
 COPY --from=builder /bbb-web/pres-checker/run.sh /usr/share/prescheck/prescheck.sh
 
-COPY mocked-ps /usr/bin/ps
-
 # add entrypoint and templates
 COPY entrypoint.sh /entrypoint.sh
 COPY bbb-web.properties /etc/bigbluebutton/bbb-web.properties.tmpl
-COPY turn-stun-servers.xml /usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml.tmpl
+COPY turn-stun-servers.xml /etc/bigbluebutton/turn-stun-servers.xml.tmpl
 COPY logback.xml /usr/share/bbb-web/WEB-INF/classes/logback.xml
 COPY office-convert.sh /usr/share/bbb-libreoffice-conversion/convert.sh
 

mod/bbb-web/bbb-web.properties

@@ -13,10 +13,14 @@ securitySalt={{ .Env.SHARED_SECRET }}
 
 redisHost=redis
 
-{{ if isTrue .Env.DEV_MODE }}
-beans.presentationService.defaultUploadedPresentation=https://test.bigbluebutton.org/default.pdf
+{{ if isTrue .Env.IGNORE_TLS_CERT_ERRORS }}
+beans.presentationService.defaultUploadedPresentation=https://test27.bigbluebutton.org/default.pdf
+# fetch presentations without HTTPS
+presentationBaseURL=http://{{ .Env.DOMAIN }}/bigbluebutton/presentation
 {{else}}
 beans.presentationService.defaultUploadedPresentation=${bigbluebutton.web.serverURL}/default.pdf
 {{end}}
 
-learningDashboardEnabled={{ .Env.ENABLE_LEARNING_DASHBOARD }}
+learningDashboardEnabled={{ .Env.ENABLE_LEARNING_DASHBOARD }}
+
+defaultNumDigitsForTelVoice=9

mod/bbb-web/entrypoint.sh

@@ -2,28 +2,30 @@
 set -e
 
 # create recording directory structure if it doesn't exist yet
+mkdir -p /var/bigbluebutton/recording/status
+mkdir -p /var/bigbluebutton/events
+mkdir -p /var/bigbluebutton/recording
 mkdir -p /var/bigbluebutton/recording/raw
 mkdir -p /var/bigbluebutton/recording/process
 mkdir -p /var/bigbluebutton/recording/publish
 mkdir -p /var/bigbluebutton/recording/status/recorded
 mkdir -p /var/bigbluebutton/recording/status/archived
 mkdir -p /var/bigbluebutton/recording/status/processed
-mkdir -p /var/bigbluebutton/recording/status/sanity
 mkdir -p /var/bigbluebutton/recording/status/ended
+mkdir -p /var/bigbluebutton/recording/status/sanity
 mkdir -p /var/bigbluebutton/recording/status/published
+mkdir -p /var/bigbluebutton/captions
 mkdir -p /var/bigbluebutton/captions/inbox
 mkdir -p /var/bigbluebutton/published
-mkdir -p /var/bigbluebutton/published/notes
 mkdir -p /var/bigbluebutton/deleted
 mkdir -p /var/bigbluebutton/unpublished
+mkdir -p /var/bigbluebutton/basic_stats
 chown -R bigbluebutton:bigbluebutton /var/bigbluebutton
 
-echo "$NUMBER_OF_BACKEND_NODEJS_PROCESSES" > /tmp/NUMBER_OF_BACKEND_NODEJS_PROCESSES
-
 cd /usr/share/bbb-web/
 dockerize \
     -template /etc/bigbluebutton/bbb-web.properties.tmpl:/etc/bigbluebutton/bbb-web.properties \
-    -template /usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml.tmpl:/usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml \
-    gosu bigbluebutton java -Dgrails.env=prod -Dserver.address=0.0.0.0 -Dserver.port=8090 -Xms384m -Xmx384m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/bigbluebutton/diagnostics -cp WEB-INF/lib/*:/:WEB-INF/classes/:. org.springframework.boot.loader.WarLauncher
+    -template /etc/bigbluebutton/turn-stun-servers.xml.tmpl:/etc/bigbluebutton/turn-stun-servers.xml \
+    gosu bigbluebutton java -Dgrails.env=prod -Dserver.address=0.0.0.0 -Dserver.port=8090 -Dspring.main.allow-circular-references=true -Xms384m -Xmx384m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/bigbluebutton/diagnostics -cp WEB-INF/lib/*:/:WEB-INF/classes/:. org.springframework.boot.loader.WarLauncher
 
 

mod/bbb-web/logback.xml

@@ -22,7 +22,7 @@
 	<logger name="org.grails.commons" level="ERROR" />
 	<logger name="org.springframework" level="ERROR" />
 	
-	<root level="ERROR">
+	<root level="WARN">
 		<appender-ref ref="STDOUT" />
 	</root>
 </configuration>

mod/bbb-web/mocked-ps

@@ -1,8 +0,0 @@
-#!/bin/bash
-echo "(mocked-ps for HTML5LoadBalancingService.java)"
-
-# fake random process load to distribute meetings equally
-for i in `seq $(cat /tmp/NUMBER_OF_BACKEND_NODEJS_PROCESSES)`; do
-    randomLoad=$(echo $(( $RANDOM % 100 )))
-    echo " $randomLoad.1 /usr/share/node-v12.16.1-linux-x64/bin/node main.js NODEJS_BACKEND_INSTANCE_ID=$i"
-done

mod/bbb-web/office-convert.sh

@@ -7,6 +7,8 @@ PATH="/bin/:/usr/bin/"
 # Param 1: Input office file path (e.g. "/tmp/test.odt")
 # Param 2: Output pdf file path (e.g. "/tmp/test.pdf")
 # Param 3: Destination Format (pdf default)
+# Param 4: Timeout (secs) (optional)
+
 if (( $# == 0 )); then
 	echo "Missing parameter 1 (Input office file path)";
 	exit 1
@@ -16,15 +18,19 @@ elif (( $# == 1 )); then
 fi;
 
 
-source="${1}"
-dest="${2}"
+source="$1"
+dest="$2"
 
-#If output format is missing, define PDF
+# If output format is missing, define PDF
 convertTo="${3:-pdf}"
 
-curl -v -X POST "http://jodconverter:8080/lool/convert-to/$convertTo" \
-    -H "accept: application/octet-stream" \
-    -H "Content-Type: multipart/form-data" \
-    -F "data=@${source}" > "${dest}"
+# If timeout is missing, define 60
+timeoutSecs="${4:-60}"
+# Truncate timeout to max 3 digits (as expected by sudoers)
+timeoutSecs="${timeoutSecs:0:3}"
 
-exit 0
+# The timeout is important.
+
+timeout $(printf %03d $timeoutSecs)s curl -F "data=@${source}" -k https://collabora:9980/cool/convert-to/$convertTo > "${dest}"
+
+exit 0

mod/bbb-web/turn-stun-servers.xml

@@ -8,10 +8,26 @@
         <constructor-arg index="0" value="{{ .Env.STUN_SERVER }}"/>
     </bean>
 
-    {{if .Env.TURN_SERVER }}
-        <bean id="turn0" class="org.bigbluebutton.web.services.turn.TurnServer">
-            <constructor-arg index="0" value="{{ .Env.TURN_SECRET }}"/>
-            <constructor-arg index="1" value="{{ .Env.TURN_SERVER }}"/>
+    <bean id="turn0" class="org.bigbluebutton.web.services.turn.TurnServer">
+        <constructor-arg index="0" value="{{ .Env.TURN_SECRET }}"/>
+        <constructor-arg index="1" value="turn:{{ .Env.DOMAIN }}:3478"/>
+        <constructor-arg index="2" value="86400"/>
+    </bean>
+
+    {{if and (isTrue .Env.ENABLE_HTTPS_PROXY) (not (isTrue .Env.IGNORE_TLS_CERT_ERRORS))  }}
+    {{/* ignore when using a self signed certificate in dev mode */}}
+    <bean id="turn1" class="org.bigbluebutton.web.services.turn.TurnServer">
+        <constructor-arg index="0" value="{{ .Env.TURN_SECRET }}"/>
+        <constructor-arg index="1" value="turns:{{ .Env.DOMAIN }}:443?transport=tcp"/>
+        <constructor-arg index="2" value="86400"/>
+    </bean>
+    {{end}}
+
+
+    {{if .Env.TURN_EXT_SERVER }}
+        <bean id="turn2" class="org.bigbluebutton.web.services.turn.TurnServer">
+            <constructor-arg index="0" value="{{ .Env.TURN_EXT_SECRET }}"/>
+            <constructor-arg index="1" value="{{ .Env.TURN_EXT_SERVER }}"/>
             <constructor-arg index="2" value="86400"/>
         </bean>
     {{end}}
@@ -24,8 +40,14 @@
         </property>
         <property name="turnServers">
             <set>
-                {{if .Env.TURN_SERVER }}
                 <ref bean="turn0" />
+                
+                {{if and (isTrue .Env.ENABLE_HTTPS_PROXY) (not (isTrue .Env.IGNORE_TLS_CERT_ERRORS))  }}
+                <ref bean="turn1" />
+                {{end}}
+
+                {{if .Env.TURN_EXT_SERVER }}
+                <ref bean="turn2" />
                 {{end}}
             </set>
         </property>

mod/bbb-webrtc-recorder/Dockerfile

@@ -0,0 +1,40 @@
+# Build stage
+FROM golang:1.23 as builder
+
+ARG APP_VERSION=devel
+ARG GOMOD=github.com/bigbluebutton/bbb-webrtc-recorder
+
+WORKDIR /app
+
+COPY --from=src go.* ./
+
+RUN go mod tidy
+
+COPY --from=src . ./
+
+RUN APP_VERSION=$(cat ./VERSION | sed 's/ /-/g') \
+      go build -o ./build/bbb-webrtc-recorder \
+      -ldflags="-X '$GOMOD/internal.AppVersion=v${APP_VERSION1}'" \
+      ./cmd/bbb-webrtc-recorder
+
+
+RUN mv /app/build/bbb-webrtc-recorder /usr/bin/bbb-webrtc-recorder
+
+# Running stage
+FROM debian:bookworm-slim
+
+RUN apt-get update && apt-get install -y gosu
+
+# use same UID as in the recordings container
+RUN groupadd -g 998 bigbluebutton && useradd -m -u 998 -g bigbluebutton bigbluebutton
+
+# config
+ENV BBBRECORDER_PUBSUB_ADAPTERS_REDIS_ADDRESS=redis:6379
+ENV BBBRECORDER_PUBSUB_ADAPTERS_REDIS_NETWORK=tcp
+ENV BBBRECORDER_DEBUG=true
+
+# Copy the binary to the production image from the builder stage.
+COPY --from=builder /usr/bin/bbb-webrtc-recorder /usr/bin/bbb-webrtc-recorder
+COPY --from=builder /app/config/bbb-webrtc-recorder.yml /etc/bbb-webrtc-recorder/bbb-webrtc-recorder.yml
+
+CMD ["/bin/sh", "-c", "chown -R bigbluebutton:bigbluebutton /var/lib/bbb-webrtc-recorder && gosu bigbluebutton /usr/bin/bbb-webrtc-recorder"]

mod/coturn/entrypoint.sh

@@ -1,31 +0,0 @@
-#!/bin/sh
-set -e 
-apk add jq su-exec
-if [ "$ENABLE_HTTPS_PROXY" == true ]; then
-
-  while [ ! -f /etc/resty-auto-ssl/storage/file/*latest ]
-  do
-    echo "ERROR: certificate doesn't exist yet."
-    echo "Certificate gets create on the first request to the HTTPS proxy."
-    echo "We will try again..."
-    sleep 10
-  done
-
-  # extract cert
-  cat /etc/resty-auto-ssl/storage/file/*%3Alatest | jq -r '.fullchain_pem' > /tmp/cert.pem
-  cat /etc/resty-auto-ssl/storage/file/*%3Alatest | jq -r '.privkey_pem' > /tmp/key.pem
-fi
-
-if [ ! -f /tmp/cert.pem ] || [ ! -f /tmp/key.pem ]; then
-  echo "ERROR: certificate not found, but coturn relies on it."
-  echo "Use either auto HTTPS proxy or"
-  echo "provide path to certificates in .env file"
-  exit 1
-fi
-
-# If command starts with an option, prepend with turnserver binary.
-if [ "${1:0:1}" == '-' ]; then
-  set -- turnserver "$@"
-fi
-
-su-exec nobody $(eval "echo $@")

mod/coturn/turnserver.conf

@@ -1,73 +1,28 @@
-# Example coturn configuration for BigBlueButton
-
-# These are the two network ports used by the TURN server which the client
-# may connect to. We enable the standard unencrypted port 3478 for STUN,
 listening-port=3478
 
-# and since TLS over SMTP port (465) is now blocked by major browser vendors, 
-# we reverted to the most common coturn TLS port 5349, which has limitations
-# in restrictive firewall environments. For maximum client support run 
-# coturn on a dedicated host on port 443.
-tls-listening-port=5349
+# listening-ip=${INTERNAL_IP:-$IP}
+# relay-ip=${INTERNAL_IP:-$IP}
 
-# If the server has multiple IP addresses, you may wish to limit which
-# addresses coturn is using. Do that by setting this option (it can be
-# specified multiple times). The default is to listen on all addresses.
-# You do not normally need to set this option.
-#listening-ip=172.17.19.101
+min-port=32769
+max-port=65535
+# verbose
 
-# If the server is behind NAT, you need to specify the external IP address.
-# If there is only one external address, specify it like this:
-#external-ip=172.17.19.120
-# If you have multiple external addresses, you have to specify which
-# internal address each corresponds to, like this. The first address is the
-# external ip, and the second address is the corresponding internal IP.
-#external-ip=172.17.19.131/10.0.0.11
-#external-ip=172.17.18.132/10.0.0.12
-
-# Fingerprints in TURN messages are required for WebRTC
 fingerprint
-
-# The long-term credential mechanism is required for WebRTC
 lt-cred-mech
-
-# Configure coturn to use the "TURN REST API" method for validating time-
-# limited credentials. BigBlueButton will generate credentials in this
-# format. Note that the static-auth-secret value specified here must match
-# the configuration in BigBlueButton's turn-stun-servers.xml
-# You can generate a new random value by running the command:
-#   openssl rand -hex 16
 use-auth-secret
-# static-auth-secret=<random value>
+realm=bbb-docker
 
-# If the realm value is unspecified, it defaults to the TURN server hostname.
-# You probably want to configure it to a domain name that you control to
-# improve log output. There is no functional impact.
-realm=example.com
+keep-address-family
 
-# Configure TLS support.
-# Adjust these paths to match the locations of your certificate files
-cert=/tmp/cert.pem
-pkey=/tmp/key.pem
-# Limit the allowed ciphers to improve security
-# Based on https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
-cipher-list="ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
-
-# Enable longer DH TLS key to improve security
-dh2066
-
-# All WebRTC-compatible web browsers support TLS 1.2 or later, so disable
-# older protocols
+no-cli
 no-tlsv1
 no-tlsv1_1
 
-# To enable single filename logs you need to enable the simple-log flag
-syslog
-#verbose
+# Block connections to IP ranges which shouldn't be reachable
+no-loopback-peers
+no-multicast-peers
 
-# Allocate Address Family according 
-# If enabled then TURN server allocates address family according  the TURN 
-# Client <=> Server communication address family.
-# (By default Coturn works according RFC 6156.)
-# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
-keep-address-family
+
+# we only need to allow peer connections from the machine itself (from mediasoup or freeswitch).
+denied-peer-ip=0.0.0.0-255.255.255.255
+denied-peer-ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

mod/etherpad/Dockerfile

@@ -1,26 +1,27 @@
-FROM etherpad/etherpad:1.8.18
+ARG TAG_ETHERPAD
+FROM etherpad/etherpad:$TAG_ETHERPAD
 
 USER root
 
-RUN apt-get update \
-    && apt-get install -y git curl
+RUN apk add git curl
 
 USER etherpad
 
-RUN npm install  \
-    ep_cursortrace@3.1.16 \
-    git+https://github.com/mconf/ep_pad_ttl.git#360136cd38493dd698435631f2373cbb7089082d \
-    git+https://github.com/mconf/ep_redis_publisher.git#a30a48e4bc1e501b5b102884b9a0b26c30798484 \
-    ep_disable_chat@0.0.8 \
+RUN pnpm run plugins i \
+    ep_disable_chat@0.0.10 \
     ep_auth_session@1.1.1 \
-# remove npm lockfile, because somehow it prevents etherpad from detecting the manual added plugin ep_bigbluebutton_patches
-    && rm package-lock.json
+    --github \
+        mconf/ep_cursortrace#56fb8c2b211cdda4fc8715ec99e1cb7b7d9eb851 \
+        mconf/ep_pad_ttl#360136cd38493dd698435631f2373cbb7089082d \
+        mconf/ep_redis_publisher#2b6e47c1c59362916a0b2961a29b259f2977b694
+
 
 # add skin from git submodule
-COPY --chown=etherpad:0 ./bbb-etherpad-skin /opt/etherpad-lite/src/static/skins/bigbluebutton
+COPY --chown=etherpad:0 --from=skin / /opt/etherpad-lite/src/static/skins/bigbluebutton
 
 # add plugin from git submodule
-COPY --chown=etherpad:0 ./bbb-etherpad-plugin /opt/etherpad-lite/node_modules/ep_bigbluebutton_patches
+COPY --chown=etherpad:0 --from=plugin / /ep_bigbluebutton_patches
+RUN pnpm run plugins i --path /ep_bigbluebutton_patches
 
 COPY settings.json /opt/etherpad-lite/settings.json
 COPY etherpad-export.sh /etherpad-export.sh

mod/etherpad/entrypoint.sh

@@ -1,5 +1,3 @@
-#!/bin/bash
+#!/bin/sh
 echo $ETHERPAD_API_KEY > /tmp/apikey
-export NODE_ENV=production
-
-node /opt/etherpad-lite/node_modules/ep_etherpad-lite/node/server.js --apikey /tmp/apikey
+pnpm run prod --apikey /tmp/apikey

mod/etherpad/etherpad-export.sh

@@ -1,12 +1,9 @@
-#!/bin/bash
+#!/bin/sh
 src="$8"
 dest="$(echo $8 | sed -E -e 's/html|odt/'$7'/')"
 convertTo="$7"
 
 
-curl -v -X POST "http://jodconverter:8080/lool/convert-to/$convertTo" \
-    -H "accept: application/octet-stream" \
-    -H "Content-Type: multipart/form-data" \
-    -F "data=@$src" > $dest
+curl -v -F "data=@${src}" -k https://collabora:9980/cool/convert-to/$convertTo > "${dest}"
 
 exit 0

mod/etherpad/settings.json

@@ -89,7 +89,7 @@
  *
  *    "defaultPadText" : "${DEFAULT_PAD_TEXT}Line 1\nLine 2"
  */
-{
+ {
   /*
    * Name your instance!
    */
@@ -140,7 +140,7 @@
    * "full-width-editor" variant (by default editor is rendered as a page, with
    * a max-width of 900px).
    */
-  "skinVariants": "super-light-toolbar super-light-editor light-background",
+  "skinVariants": "",
 
   /*
    * IP and port which Etherpad should bind at.
@@ -162,6 +162,14 @@
    */
   "showSettingsInAdminPage": true,
 
+  /*
+   * Settings for cleanup of pads
+   */
+  "cleanup": {
+    "enabled": false,
+    "keepRevisions": 5
+  },
+
   /*
    * Node native SSL support
    *
@@ -198,8 +206,7 @@
 
   "dbType": "redis",
   "dbSettings": {
-    "host": "redis",
-    "port": 6379
+    "url": "redis://redis:6379"
   },
 
   /*
@@ -220,9 +227,10 @@
   */
 
   /*
-   * The default text of a pad
-   */
-  "defaultPadText" : "",
+  * The default text of a pad: A zero-width-space is used to work around an issue with Etherpad 1.9.1 where empty pads are not being created.
+  * See: https://github.com/ether/etherpad-lite/issues/5787
+  */
+   "defaultPadText" : "\u200b",
 
   /*
    * Default Pad behavior.
@@ -271,6 +279,14 @@
     "pageDown":  true
   },
 
+  /*
+   * Enables the use of a different server. We have a different one that syncs changes from the original server.
+   * It is hosted on GitHub and should not be blocked by many firewalls.
+   *  https://etherpad.org/ep_infos
+   */
+
+  "updateServer": "https://etherpad.org/ep_infos",
+
   /*
    * Should we suppress errors from being visible in the default Pad Text?
    */
@@ -323,14 +339,6 @@
    */
   "soffice": "/etherpad-export.sh",
 
-  /*
-   * Path to the Tidy executable.
-   *
-   * Tidy is used to improve the quality of exported pads.
-   * Setting it to null disables Tidy.
-   */
-  "tidyHtml": null,
-
   /*
    * Allow import of file types other than the supported ones:
    * txt, doc, docx, rtf, odt, html & htm
@@ -364,6 +372,22 @@
    * Settings controlling the session cookie issued by Etherpad.
    */
   "cookie": {
+    /*
+     * How often (in milliseconds) the key used to sign the express_sid cookie
+     * should be rotated. Long rotation intervals reduce signature verification
+     * overhead (because there are fewer historical keys to check) and database
+     * load (fewer historical keys to store, and less frequent queries to
+     * get/update the keys). Short rotation intervals are slightly more secure.
+     *
+     * Multiple Etherpad processes sharing the same database (table) is
+     * supported as long as the clock sync error is significantly less than this
+     * value.
+     *
+     * Key rotation can be disabled (not recommended) by setting this to 0 or
+     * null, or by disabling session expiration (see sessionLifetime).
+     */
+    "keyRotationInterval": 86400000, // = 1d * 24h/d * 60m/h * 60s/m * 1000ms/s
+
     /*
      * Value of the SameSite cookie property. "Lax" is recommended unless
      * Etherpad will be embedded in an iframe from another site, in which case
@@ -375,7 +399,51 @@
      * significant usability drawbacks vs. "Lax". See
      * https://stackoverflow.com/q/41841880 for discussion.
      */
-    "sameSite": "None"
+    "sameSite": "None",
+
+    /*
+     * How long (in milliseconds) after navigating away from Etherpad before the
+     * user is required to log in again. (The express_sid cookie is set to
+     * expire at time now + sessionLifetime when first created, and its
+     * expiration time is periodically refreshed to a new now + sessionLifetime
+     * value.) If requireAuthentication is false then this value does not really
+     * matter.
+     *
+     * The "best" value depends on your users' usage patterns and the amount of
+     * convenience you desire. A long lifetime is more convenient (users won't
+     * have to log back in as often) but has some drawbacks:
+     *   - It increases the amount of state kept in the database.
+     *   - It might weaken security somewhat: The cookie expiration is refreshed
+     *     indefinitely without consulting authentication or authorization
+     *     hooks, so once a user has accessed a pad, the user can continue to
+     *     use the pad until the user leaves for longer than sessionLifetime.
+     *   - More historical keys (sessionLifetime / keyRotationInterval) must be
+     *     checked when verifying signatures.
+     *
+     * Session lifetime can be set to infinity (not recommended) by setting this
+     * to null or 0. Note that if the session does not expire, most browsers
+     * will delete the cookie when the browser exits, but a session record is
+     * kept in the database forever.
+     */
+    "sessionLifetime": 864000000, // = 10d * 24h/d * 60m/h * 60s/m * 1000ms/s
+
+    /*
+     * How long (in milliseconds) before the expiration time of an active user's
+     * session is refreshed (to now + sessionLifetime). This setting affects the
+     * following:
+     *   - How often a new session expiration time will be written to the
+     *     database.
+     *   - How often each user's browser will ping the Etherpad server to
+     *     refresh the expiration time of the session cookie.
+     *
+     * High values reduce the load on the database and the load from browsers,
+     * but can shorten the effective session lifetime if Etherpad is restarted
+     * or the user navigates away.
+     *
+     * Automatic session refreshes can be disabled (not recommended) by setting
+     * this to null.
+     */
+    "sessionRefreshInterval": 86400000 // = 1d * 24h/d * 60m/h * 60s/m * 1000ms/s
   },
 
   /*
@@ -475,7 +543,7 @@
   /*
    * Restrict socket.io transport methods
    */
-  "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
+  "socketTransportProtocols" : ["websocket", "polling"],
 
   "socketIo": {
     /*
@@ -485,7 +553,7 @@
      * value to work properly, but increasing the value increases susceptibility
      * to denial of service attacks (malicious clients can exhaust memory).
      */
-    "maxHttpBufferSize": 10000
+    "maxHttpBufferSize": 50000
   },
 
   /*
@@ -539,7 +607,7 @@
     "windowMs": 90000,
 
     // maximum number of requests per IP to allow during the rate limit window
-    "max": 10
+    "max": 32
   },
 
   /*
@@ -550,6 +618,13 @@
    */
   "importMaxFileSize": 52428800, // 50 * 1024 * 1024
 
+  /*
+    The authentication method used by the server.
+    The default value is sso
+    If you want to use the old authentication system, change this to apikey
+   */
+  "authenticationMethod": "apikey",
+
   /*
    * From Etherpad 1.8.5 onwards, when Etherpad is in production mode commits from individual users are rate limited
    *
@@ -566,7 +641,6 @@
     "points": 100
   },
 
-
   /*
    * Toolbar buttons configuration.
    *
@@ -596,12 +670,54 @@
    */
   "loglevel": "INFO",
 
+    /*
+   * The log layout type to use.
+   *
+   * Valid values: basic, colored
+   */
+   "logLayoutType": "colored",
+
   /* Override any strings found in locale directories */
-  "customLocaleStrings": {},
+  "customLocaleStrings": {
+    "de": {
+      "pad.importExport.import_export": "Export",
+      "pad.toolbar.import_export.title": "Export zu verschiedenen Dateiformaten"
+    },
+    "en-gb": {
+      "pad.importExport.import_export": "Export",
+      "pad.toolbar.import_export.title": "Export to different file formats"
+    },
+    "en": {
+      "pad.importExport.import_export": "Export",
+      "pad.toolbar.import_export.title": "Export to different file formats"
+    },
+    "es": {
+      "pad.importExport.import_export": "Exportar",
+      "pad.toolbar.import_export.title": "Exportar a diferentes formatos de archivos"
+    },
+    "fr": {
+      "pad.importExport.import_export": "Exporter",
+      "pad.toolbar.import_export.title": "Exporter vers un format de fichier différent"
+    },
+    "it": {
+      "pad.importExport.import_export": "Esportazione",
+      "pad.toolbar.import_export.title": "Esporta a diversi formati di file"
+    },
+    "pt-br": {
+      "pad.importExport.import_export": "Exportar",
+      "pad.toolbar.import_export.title": "Exportar para diferentes formatos de arquivo"
+    },
+    "pt": {
+      "pad.importExport.import_export": "Exportar",
+      "pad.toolbar.import_export.title": "Exportar para diferentes formatos de ficheiro"
+    }
+  },
 
   /* Disable Admin UI tests */
-  "enableAdminUITests": false
-}
-
-
+  "enableAdminUITests": false,
 
+  /*
+   * Enable/Disable case-insensitive pad names.
+   */
+  "lowerCasePadIds": false
+}

mod/freeswitch/Dockerfile

@@ -1,66 +1,71 @@
-FROM debian:bullseye-slim
+ARG BBB_BUILD_TAG
+FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder
 
-# install dependencies
+COPY --from=freeswitch / /build/freeswitch
+
+# install most recent git version for proper sparse-checkout support
+# https://stackoverflow.com/questions/72223738/failed-to-initialize-sparse-checkout
+RUN echo 'deb https://ppa.launchpadcontent.net/git-core/ppa/ubuntu focal main' > /etc/apt/sources.list.d/git-core-ppa.list && \
+    apt-key adv --keyserver keyserver.ubuntu.com --recv-keys A1715D88E1DF1F24 && \
+    apt-get update && \
+    apt-get install -y git
+
+# get build files for bbb-freeswitch (build/packages-template/bbb-freeswitch-core/)
+COPY --from=build-files / /build/
+
+# mock files expected by build.sh
+RUN mkdir -p /build/bbb-voice-conference/config/freeswitch/conf/ && \
+    touch \
+        /build/opts-build.sh \
+        /build/freeswitch.service.build \
+        /build/bbb-voice-conference/config/freeswitch/conf/a \
+        && \
+    echo "" > /usr/local/bin/fpm
+
+# build freeswitch
+RUN cd /build && ./build.sh
+
+
+# add english sounds
+RUN mkdir -p /build/staging/opt/freeswitch/share/freeswitch && \
+    wget https://ubuntu.bigbluebutton.org/sounds.tar.gz -O sounds.tar.gz && \
+    tar xvfz sounds.tar.gz -C /build/staging/opt/freeswitch/share/freeswitch && \
+    wget https://gitlab.senfcall.de/senfcall-public/mute-and-unmute-sounds/-/archive/master/mute-and-unmute-sounds-master.zip && \
+    unzip mute-and-unmute-sounds-master.zip && \
+    cd mute-and-unmute-sounds-master/sounds && \
+    find . -name "*.wav" -exec /bin/bash -c "sox -v 0.3  {} /tmp/tmp.wav; cp /tmp/tmp.wav /build/staging/opt/freeswitch/share/freeswitch/sounds/en/us/callie/conference/{}" \;
+
+# add bigblugbutton config
+ARG TAG_FS_CONFIG
+COPY --from=fs-config / /build/staging/opt/freeswitch/etc/freeswitch/
+
+# ===============================================
+
+# we are using ubuntu here, because libjpeg8 is required, but not available in debian
+FROM ubuntu:22.04
 RUN apt-get update && \
-    apt-get install -y --no-install-recommends \
-    subversion curl wget ca-certificates gnupg gnupg2 lsb-release unzip
+    apt-get install -y \
+        xmlstarlet wget iptables curl \
+        libfreetype6 libcurl4 libspeex1 libspeexdsp1 libopus0 libsndfile1 libopusfile0 liblua5.2-0 libjbig0 libldns3 libedit2 libtiff5 libpng16-16 libsqlite3-0 \
+    && \
+# install libopusenc0
+    wget -O /tmp/libopusenc0_0.2.1-1bbb2_amd64.deb https://launchpad.net/~bigbluebutton/+archive/ubuntu/support/+files/libopusenc0_0.2.1-1bbb2_amd64.deb \
+    && dpkg -i /tmp/libopusenc0_0.2.1-1bbb2_amd64.deb \
+    && rm /tmp/libopusenc0_0.2.1-1bbb2_amd64.deb
 
+# add dockerize
 COPY --from=alangecker/bbb-docker-base-java /usr/local/bin/dockerize /usr/local/bin/dockerize
 
+# copy over built freeswitch & config
+COPY --from=builder /build/staging/opt /opt
+COPY --from=builder /build/staging/etc /etc
 
-# install freeswitch
-RUN wget -q -O /usr/share/keyrings/freeswitch-archive-keyring.gpg https://freeswitch-mirror.chandi.it/repo/deb/debian-release/signalwire-freeswitch-repo.gpg && \
-    echo 'deb [signed-by=/usr/share/keyrings/freeswitch-archive-keyring.gpg] http://freeswitch-mirror.chandi.it/repo/deb/debian-release/ bullseye main' > /etc/apt/sources.list.d/freeswitch.list && \
-    apt-get update && \
-    apt-get install -y \
-        freeswitch \
-        freeswitch-mod-commands \
-        freeswitch-mod-conference \
-        freeswitch-mod-console \
-        freeswitch-mod-dialplan-xml \
-        freeswitch-mod-dptools \
-        freeswitch-mod-event-socket \
-        freeswitch-mod-native-file \
-        freeswitch-mod-opusfile \
-        freeswitch-mod-opus \
-        freeswitch-mod-sndfile \
-        freeswitch-mod-spandsp \
-        freeswitch-mod-sofia \
-        freeswitch-sounds-en-us-callie \
-        iptables
-
-# replace mute & unmute sounds
-RUN wget -q https://gitlab.senfcall.de/senfcall-public/mute-and-unmute-sounds/-/archive/master/mute-and-unmute-sounds-master.zip && \
-    unzip mute-and-unmute-sounds-master.zip && \
-    cd mute-and-unmute-sounds-master/sounds/ && \
-    find . -name "*.wav" -exec /bin/bash -c "echo {};sox -v 0.3 {} /tmp/tmp.wav; mv /tmp/tmp.wav /usr/share/freeswitch/sounds/en/us/callie/conference/{}" \; && \
-    cd ../.. && \
-    rm -r mute-and-unmute-sounds-master mute-and-unmute-sounds-master.zip
-
-
-# -- get official bbb freeswitch config
-# we use svn for retrieving the files since the repo is quite large,
-# git sparse-checkout is not yet available with buster and there
-# is no other sane way of downloading a single directory via git
-
-ARG TAG_FS_CONFIG
-RUN svn checkout https://github.com/bigbluebutton/bigbluebutton/tags/$TAG_FS_CONFIG/bbb-voice-conference/config/freeswitch/conf /etc/freeswitch \
-    && rm -rf /etc/freeswitch/.svn
-
-# the current available freeswitch-mod-opusfile is broken,
-# it can't write any .opus files. The fix provided in
-# https://github.com/signalwire/freeswitch/pull/719/files
-# is not sufficient as the module still comes without opus
-# write support, so we rather switch to the binary built
-# by bigbluebutton and add its dependencies
-RUN wget -O /usr/lib/freeswitch/mod/mod_opusfile.so https://github.com/bbb-pkg/bbb-freeswitch-core/raw/43f3a47af1fcf5ea559e16bb28b900c925a7f2c3/opt/freeswitch/lib/freeswitch/mod/mod_opusfile.so \
-    && wget -O /tmp/libopusenc0_0.2.1-1bbb1_amd64.deb https://launchpad.net/~bigbluebutton/+archive/ubuntu/support/+files/libopusenc0_0.2.1-1bbb1_amd64.deb \
-    && dpkg -i /tmp/libopusenc0_0.2.1-1bbb1_amd64.deb \
-    && rm /tmp/libopusenc0_0.2.1-1bbb1_amd64.deb
-
-# add modifications
-COPY ./conf /etc/freeswitch/
-
+RUN ldconfig && \
+    ln -s /opt/freeswitch/conf /etc/freeswitch && \
+    groupadd freeswitch && \
+    useradd --home-dir /opt/freeswitch --shell /usr/sbin/nologin -g freeswitch freeswitch
 
 COPY ./entrypoint.sh /entrypoint.sh
+COPY ./conf /etc/freeswitch/
+
 ENTRYPOINT /entrypoint.sh

mod/freeswitch/conf/autoload_configs/acl.conf.xml

@@ -1,49 +0,0 @@
-<configuration name="acl.conf" description="Network Lists">
-  <network-lists>
-    <!--
-         These ACL's are automatically created on startup.
-         rfc1918.auto  - RFC1918 Space
-         nat.auto      - RFC1918 Excluding your local lan.
-         localnet.auto - ACL for your local lan.
-         loopback.auto - ACL for your local lan.
-    -->
-
-    <list name="lan" default="allow">
-      <node type="allow" cidr="127.0.0.1/32"/>
-      <node type="allow" cidr="10.130.218.147/32"/>
-      <node type="allow" cidr="10.0.0.0/8"/>
-      <node type="allow" cidr="192.168.0.0/16"/>      
-    </list>
-
-    <!--
-        custom "loopback" so that traffic from docker
-        containers is also considered as local
-    -->
-    <list name="loopback.custom" default="deny">
-      <node type="allow" cidr="127.0.0.1/32"/>
-      <node type="allow" cidr="10.0.0.0/8"/>
-      <node type="allow" cidr="192.168.0.0/16"/>
-      <node type="allow" cidr="172.16.0.0/12" />
-      <node type="allow" cidr="$${external_ip_v4}/32"/>
-    </list>
-
-    <list name="deny_private_v6" default="allow">
-      <node type="deny" cidr="0.0.0.0/0"/>
-      <node type="deny" cidr="fe80::/10"/>
-      <node type="deny" cidr="fc00::/7"/>
-    </list>
-    <!--
-        This will traverse the directory adding all users
-        with the cidr= tag to this ACL, when this ACL matches
-        the users variables and params apply as if they
-        digest authenticated.
-    -->
-    <list name="domains" default="allow">
-      <!-- domain= is special it scans the domain from the directory to build the ACL -->
-      <node type="allow" domain="$${domain}"/>
-      <!-- use cidr= if you wish to allow ip ranges to this domains acl. -->
-      <!-- <node type="allow" cidr="192.168.0.0/24"/> -->
-    </list>
-
-  </network-lists>
-</configuration>

mod/freeswitch/conf/autoload_configs/conference.conf.xml.tmpl

@@ -39,7 +39,7 @@
       <!-- Domain (for presence) -->
       <param name="domain" value="$${domain}"/>
       <!-- Sample Rate-->
-      <param name="rate" value="8000"/>
+      <param name="rate" value="48000"/>
       <!-- Number of milliseconds per frame -->
       <param name="interval" value="20"/>
       <!-- Energy level required for audio to be sent to the other users -->

mod/freeswitch/conf/autoload_configs/event_socket.conf.xml

@@ -4,7 +4,7 @@
     <param name="listen-ip" value="$${local_ip_v4}"/>
     <param name="listen-port" value="8021"/>
     <param name="password" value="$${esl_password}"/>
-    <param name="apply-inbound-acl" value="loopback.custom"/>
+    <param name="apply-inbound-acl" value="rfc1918.auto"/>
     <!--<param name="stop-on-bind-error" value="true"/>-->
   </settings>
-</configuration>
+</configuration>

mod/freeswitch/conf/autoload_configs/modules.conf.xml

@@ -2,7 +2,7 @@
   <modules>
     <!-- Loggers (I'd load these first) -->
     <load module="mod_console"/>
-    <load module="mod_logfile"/>
+    <!-- <load module="mod_logfile"/> -->
 
     <!-- Event Handlers -->
     <load module="mod_event_socket"/>
@@ -14,6 +14,7 @@
     <load module="mod_commands"/>
     <load module="mod_conference"/>
     <load module="mod_dptools"/>
+    <load module="mod_audio_fork"/>
 
     <!-- Dialplan Interfaces -->
     <load module="mod_dialplan_xml"/>

mod/freeswitch/conf/dialplan/public.xml

@@ -1,43 +0,0 @@
-<!--
-    NOTICE:
-    This context is usually accessed via the external sip profile listening on port 5080.
-    
-    It is recommended to have separate inbound and outbound contexts.  Not only for security
-    but clearing up why you would need to do such a thing.  You don't want outside un-authenticated
-    callers hitting your default context which allows dialing calls thru your providers and results 
-    in Toll Fraud.
--->
-
-<!-- http://wiki.freeswitch.org/wiki/Dialplan_XML -->
-<include>
-  <context name="public">
-
-    <extension name="unloop">
-      <condition field="${unroll_loops}" expression="^true$"/>
-      <condition field="${sip_looped_call}" expression="^true$">
-	<action application="deflect" data="${destination_number}"/>
-      </condition>
-    </extension>
-    <!--
-	Tag anything pass thru here as an outside_call so you can make sure not
-	to create any routing loops based on the conditions that it came from 
-	the outside of the switch.  
-    -->
-    <extension name="outside_call" continue="true">
-      <condition>
-	<action application="set" data="outside_call=true"/>
-	<action application="export" data="RFC2822_DATE=${strftime(%a, %d %b %Y %T %z)}"/>
-      </condition>
-    </extension>
-
-    <!--
-        You can place files in the public directory to get included.
-    -->
-    <X-PRE-PROCESS cmd="include" data="public_docker/*.xml"/>
-    <X-PRE-PROCESS cmd="include" data="public/*.xml"/>
-
-
-  </context>
-
-</include>
-

mod/freeswitch/conf/dialplan/public/dialin.xml

@@ -0,0 +1,31 @@
+<include>
+  <extension name="from_my_provider">
+    <!-- match only calls from dial-in which haven't got transfered yet   -->
+    <condition field="destination_number" expression="^(?!SEND_TO_CONFERENCE).*$"/>
+    <condition field="${sofia_profile_name}" expression="^external-dialin$">
+      <action application="start_dtmf" />
+      <action application="answer"/>
+      <action application="sleep" data="1000"/>
+      <action application="play_and_get_digits" data="9 9 3 30000 # conference/conf-pin.wav ivr/ivr-that_was_an_invalid_entry.wav pin \d+"/>
+      <action application="set_profile_var" data="caller_id_name=${regex(${caller_id_name}|^.*(.{4})$|xxx-xxx-%1)}"/>
+      <action application="transfer" data="SEND_TO_CONFERENCE XML public"/>
+    </condition>
+  </extension>
+
+  <extension name="check_if_conference_active">
+    <condition field="${conference ${pin} list}" expression="/sofia/g" />
+    <condition field="destination_number" expression="^SEND_TO_CONFERENCE$">
+      <action application="set" data="bbb_authorized=true"/>
+      <action application="transfer" data="${pin} XML default"/>
+    </condition>
+  </extension>
+
+  <extension name="conf_bad_pin">
+    <condition field="${pin}" expression="^\d{5}$">
+      <action application="answer"/>
+      <action application="sleep" data="1000"/>
+      <action application="play_and_get_digits" data="9 9 3 30000 # conference/conf-bad-pin.wav ivr/ivr-that_was_an_invalid_entry.wav pin \d+"/>
+      <action application="transfer" data="SEND_TO_CONFERENCE XML public"/>
+    </condition>
+  </extension>
+</include>

mod/freeswitch/conf/sip_profiles/external-dialin.xml

@@ -0,0 +1,86 @@
+<profile name="external-dialin">
+  <!-- http://wiki.freeswitch.org/wiki/Sofia_Configuration_Files -->
+  <!-- This profile is only for outbound registrations to providers -->
+  <gateways>
+    <X-PRE-PROCESS cmd="include" data="external-dialin/*.xml"/>
+  </gateways>
+
+  <aliases>
+    <!--
+        <alias name="outbound"/>
+        <alias name="nat"/>
+    -->
+  </aliases>
+
+  <domains>
+    <domain name="all" alias="false" parse="true"/>
+  </domains>
+
+  <settings>
+    <param name="debug" value="1"/>
+    <!-- If you want FreeSWITCH to shutdown if this profile fails to load, uncomment the next line. -->
+    <!-- <param name="shutdown-on-fail" value="true"/> -->
+    <param name="sip-trace" value="no"/>
+    <param name="sip-capture" value="no"/>
+    <param name="rfc2833-pt" value="101"/>
+    <!-- RFC 5626 : Send reg-id and sip.instance -->
+    <!--<param name="enable-rfc-5626" value="true"/> -->
+    <param name="sip-port" value="5060"/>
+    <param name="dialplan" value="XML"/>
+    <param name="context" value="public"/>
+    <param name="dtmf-duration" value="2000"/>
+    <param name="inbound-codec-prefs" value="$${global_codec_prefs}"/>
+    <param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/>
+    <param name="hold-music" value="$${hold_music}"/>
+    <param name="rtp-timer-name" value="soft"/>
+    <!--<param name="enable-100rel" value="true"/>-->
+    <!--<param name="disable-srv503" value="true"/>-->
+    <!-- This could be set to "passive" -->
+    <param name="local-network-acl" value="localnet.auto"/>
+    <param name="manage-presence" value="false"/>
+
+
+    <!-- Added for Microsoft Edge browser -->
+    <param name="apply-candidate-acl" value="localnet.auto"/>
+    <param name="apply-candidate-acl" value="wan_v4.auto"/>
+    <param name="apply-candidate-acl" value="rfc1918.auto"/>
+    <param name="apply-candidate-acl" value="any_v4.auto"/>
+
+    <!-- used to share presence info across sofia profiles
+         manage-presence needs to be set to passive on this profile
+         if you want it to behave as if it were the internal profile
+         for presence.
+    -->
+    <!-- Name of the db to use for this profile -->
+    <param name="dbname" value="sqlite://memory://file:external_dialin?mode=memory&amp;cache=shared"/>
+    <!--<param name="presence-hosts" value="$${domain}"/>-->
+    <!--<param name="force-register-domain" value="$${domain}"/>-->
+    <!--all inbound reg will stored in the db using this domain -->
+    <!--<param name="force-register-db-domain" value="$${domain}"/>-->
+    <!-- ************************************************* -->
+
+    <!--<param name="aggressive-nat-detection" value="true"/>-->
+    <param name="inbound-codec-negotiation" value="generous"/>
+    <param name="nonce-ttl" value="60"/>
+    <param name="auth-calls" value="false"/>
+    <param name="inbound-late-negotiation" value="true"/>
+    <param name="inbound-zrtp-passthru" value="true"/> <!-- (also enables late negotiation) -->
+
+    <param name="rtp-ip" value="$${local_ip_v4}"/>
+    <param name="sip-ip" value="$${local_ip_v4}"/>
+    <param name="ext-rtp-ip" value="$${external_ip_v4}"/>
+    <param name="ext-sip-ip" value="$${external_ip_v4}"/>
+
+    <param name="rtp-timeout-sec" value="300"/>
+    <param name="rtp-hold-timeout-sec" value="1800"/>
+    <param name="enable-3pcc" value="proxy"/>
+
+    <!-- enable rtcp on every channel also can be done per leg basis with rtcp_audio_interval_msec variable set to passthru to pass it across a call-->
+    <param name="rtcp-audio-interval-msec" value="5000"/>
+    <param name="rtcp-video-interval-msec" value="5000"/>
+
+    <!-- Cut down in the join time -->
+    <param name="dtmf-type" value="info"/>
+    <param name="liberal-dtmf" value="true"/>
+  </settings>
+</profile>

mod/freeswitch/conf/sip_profiles/external-ipv6.xml

@@ -1,113 +0,0 @@
-<profile name="external-ipv6">
-  <!-- http://wiki.freeswitch.org/wiki/Sofia_Configuration_Files -->
-  <!-- This profile is only for outbound registrations to providers -->
-  <gateways>
-    <X-PRE-PROCESS cmd="include" data="external-ipv6/*.xml"/>
-  </gateways>
-
-  <aliases>
-    <!--
-        <alias name="outbound"/>
-        <alias name="nat"/>
-    -->
-  </aliases>
-
-  <domains>
-    <!--<domain name="all" alias="false" parse="true"/>-->
-  </domains>
-
-  <settings>
-    <param name="debug" value="0"/>
-    <!-- If you want FreeSWITCH to shutdown if this profile fails to load, uncomment the next line. -->
-    <!-- <param name="shutdown-on-fail" value="true"/> -->
-    <param name="sip-trace" value="no"/>
-    <param name="sip-capture" value="no"/>
-    <param name="rfc2833-pt" value="101"/>
-    <!-- RFC 5626 : Send reg-id and sip.instance -->
-    <!--<param name="enable-rfc-5626" value="true"/> -->
-    <param name="sip-port" value="$${external_sip_port}"/>
-    <param name="dialplan" value="XML"/>
-    <param name="context" value="public"/>
-    <param name="dtmf-duration" value="2000"/>
-    <param name="inbound-codec-prefs" value="$${global_codec_prefs}"/>
-    <param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/>
-    <param name="hold-music" value="$${hold_music}"/>
-    <param name="rtp-timer-name" value="soft"/>
-    <!--<param name="enable-100rel" value="true"/>-->
-    <!--<param name="disable-srv503" value="true"/>-->
-    <!-- This could be set to "passive" -->
-    <param name="local-network-acl" value="none"/>
-    <param name="manage-presence" value="false"/>
-
-    <!-- Added for Microsoft Edge support 
-    <param name="apply-candidate-acl" value="wan_v6.auto"/>
-    <param name="apply-candidate-acl" value="rfc1918.auto"/>
-    <param name="apply-candidate-acl" value="any_v6.auto"/>
-    <param name="apply-candidate-acl" value="wan_v4.auto"/>
-    <param name="apply-candidate-acl" value="any_v4.auto"/>
-    -->
-    <param name="apply-candidate-acl" value="deny_private_v6"/>
-
-    <!-- used to share presence info across sofia profiles
-         manage-presence needs to be set to passive on this profile
-         if you want it to behave as if it were the internal profile
-         for presence.
-    -->
-    <!-- Name of the db to use for this profile -->
-    <!--<param name="dbname" value="share_presence"/>-->
-    <!--<param name="presence-hosts" value="$${domain}"/>-->
-    <!--<param name="force-register-domain" value="$${domain}"/>-->
-    <!--all inbound reg will stored in the db using this domain -->
-    <!--<param name="force-register-db-domain" value="$${domain}"/>-->
-    <!-- ************************************************* -->
-
-    <!--<param name="aggressive-nat-detection" value="true"/>-->
-    <param name="inbound-codec-negotiation" value="generous"/>
-    <param name="nonce-ttl" value="60"/>
-    <param name="auth-calls" value="false"/>
-    <param name="inbound-late-negotiation" value="true"/>
-    <param name="inbound-zrtp-passthru" value="true"/> <!-- (also enables late negotiation) -->
-    <!--
-        DO NOT USE HOSTNAMES, ONLY IP ADDRESSES IN THESE SETTINGS!
-    -->
-    <param name="rtp-ip" value="$${external_ip_v6}"/>
-    <param name="sip-ip" value="$${local_ip_v6}"/>
-    <!-- Shouldn't set these on IPv6 -->
-    <!--<param name="ext-rtp-ip" value="auto-nat"/>-->
-    <!--<param name="ext-sip-ip" value="auto-nat"/>-->
-    <param name="rtp-timeout-sec" value="300"/>
-    <param name="rtp-hold-timeout-sec" value="1800"/>
-    <!--<param name="enable-3pcc" value="true"/>-->
-
-    <!-- TLS: disabled by default, set to "true" to enable -->
-    <param name="tls" value="$${external_ssl_enable}"/>
-    <!-- Set to true to not bind on the normal sip-port but only on the TLS port -->
-    <param name="tls-only" value="false"/>
-    <!-- additional bind parameters for TLS -->
-    <param name="tls-bind-params" value="transport=tls"/>
-    <!-- Port to listen on for TLS requests. (5081 will be used if unspecified) -->
-    <param name="tls-sip-port" value="$${external_tls_port}"/>
-    <!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
-    <!--<param name="tls-cert-dir" value=""/>-->
-    <!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->
-    <param name="tls-passphrase" value=""/>
-    <!-- Verify the date on TLS certificates -->
-    <param name="tls-verify-date" value="true"/>
-    <!-- TLS verify policy, when registering/inviting gateways with other servers (outbound) or handling inbound registration/invite requests how should we verify their certificate -->
-    <!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections, also 'subjects_in', 'subjects_out' and 'subjects_all' for subject validation. Multiple policies can be split with a '|' pipe -->
-    <param name="tls-verify-policy" value="none"/>
-    <!-- Certificate max verify depth to use for validating peer TLS certificates when the verify policy is not none -->
-    <param name="tls-verify-depth" value="2"/>
-    <!-- If the tls-verify-policy is set to subjects_all or subjects_in this sets which subjects are allowed, multiple subjects can be split with a '|' pipe -->
-    <param name="tls-verify-in-subjects" value=""/>
-    <!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->
-    <param name="tls-version" value="$${sip_tls_version}"/>
-    <param name="ws-binding" value=":5066"/>
-    <param name="wss-binding" value=":7443"/>
-    <param name="rtcp-audio-interval-msec" value="5000"/>
-    <param name="rtcp-video-interval-msec" value="5000"/>
-    <param name="dtmf-type" value="info"/>
-    <param name="liberal-dtmf" value="true"/>
-  </settings>
-</profile>
-

mod/freeswitch/conf/sip_profiles/external.xml

@@ -1,16 +1,6 @@
 <profile name="external">
   <!-- http://wiki.freeswitch.org/wiki/Sofia_Configuration_Files -->
   <!-- This profile is only for outbound registrations to providers -->
-  <gateways>
-    <X-PRE-PROCESS cmd="include" data="external/*.xml"/>
-  </gateways>
-
-  <aliases>
-    <!--
-        <alias name="outbound"/>
-        <alias name="nat"/>
-    -->
-  </aliases>
 
   <domains>
     <domain name="all" alias="false" parse="true"/>
@@ -25,7 +15,13 @@
     <param name="rfc2833-pt" value="101"/>
     <!-- RFC 5626 : Send reg-id and sip.instance -->
     <!--<param name="enable-rfc-5626" value="true"/> -->
-    <param name="sip-port" value="$${external_sip_port}"/>
+
+    <!--
+        SIP port is not rquired, since we are using WS for the
+        internal connection and a seperate profile (external-dialin-xml)
+        for SIP dial in 
+    -->
+    <param name="sip-port" value="15060"/>
     <param name="dialplan" value="XML"/>
     <param name="context" value="public"/>
     <param name="dtmf-duration" value="2000"/>
@@ -36,7 +32,7 @@
     <!--<param name="enable-100rel" value="true"/>-->
     <!--<param name="disable-srv503" value="true"/>-->
     <!-- This could be set to "passive" -->
-    <param name="local-network-acl" value="none"/>
+    <param name="local-network-acl" value="localnet.auto"/>
     <param name="manage-presence" value="false"/>
 
 
@@ -52,7 +48,7 @@
          for presence.
     -->
     <!-- Name of the db to use for this profile -->
-    <!--<param name="dbname" value="share_presence"/>-->
+    <param name="dbname" value="sqlite://memory://file:external?mode=memory&amp;cache=shared"/>
     <!--<param name="presence-hosts" value="$${domain}"/>-->
     <!--<param name="force-register-domain" value="$${domain}"/>-->
     <!--all inbound reg will stored in the db using this domain -->
@@ -73,20 +69,12 @@
     <param name="ext-sip-ip" value="auto-nat"/>
     -->
 
-    <param name="rtp-ip" value="$${external_ip_v4}"/>
+    <param name="rtp-ip" value="$${local_ip_v4}"/>
     <param name="sip-ip" value="$${local_ip_v4}"/>
-    <param name="ext-rtp-ip" value="$${external_rtp_ip}"/>
-    <param name="ext-sip-ip" value="$${external_sip_ip}"/>
-
-    <!--
-      Listen only clients somehow run into this timeout
-      causing 
-        Hangup sofia/external/GLOBAL_AUDIO_76116@10.7.7.1 [CS_EXECUTE] [MEDIA_TIMEOUT]
-        [mcs-freeswitch] Dispatching conference new video floor event released 
-        [mcs-freeswitch] Received CHANNEL_HANGUP for
-    -->
-    <param name="rtp-timeout-sec" value="86400"/>
+    <param name="ext-rtp-ip" value="$${local_ip_v4}"/>
+    <param name="ext-sip-ip" value="$${local_ip_v4}"/>
 
+    <param name="rtp-timeout-sec" value="300"/>
     <param name="rtp-hold-timeout-sec" value="1800"/>
     <param name="enable-3pcc" value="proxy"/>
 
@@ -113,9 +101,8 @@
     <param name="tls-verify-in-subjects" value=""/>
     <!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->
     <param name="tls-version" value="$${sip_tls_version}"/>
-    <param name="ws-binding"  value="0.0.0.0:5066"/>
-    <param name="wss-binding"  value="$${local_ip_v4}:7443"/>
-    
+    <param name="ws-binding"  value=":5066"/>
+    <param name="wss-binding"  value=":7443"/>
 
     <!-- enable rtcp on every channel also can be done per leg basis with rtcp_audio_interval_msec variable set to passthru to pass it across a call-->
     <param name="rtcp-audio-interval-msec" value="5000"/>

mod/freeswitch/conf/vars.xml.tmpl

@@ -1,12 +1,15 @@
 <include>
-  <X-PRE-PROCESS cmd="set" data="esl_password={{ .Env.ESL_PASSWORD }}"/>
   <!-- Preprocessor Variables
        These are introduced when configuration strings must be consistent across modules.
        NOTICE: YOU CAN NOT COMMENT OUT AN X-PRE-PROCESS line, Remove the line instead.
+
        WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+
        YOU SHOULD CHANGE THIS default_password value if you don't want to be subject to any
        toll fraud in the future.  It's your responsibility to secure your own system.
+
        This default config is used to demonstrate the feature set of FreeSWITCH.
+
        WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
   -->
   <X-PRE-PROCESS cmd="set" data="default_password=1234"/>
@@ -15,6 +18,7 @@
       The following variables are set dynamically - calculated if possible by freeswitch - and
       are available to the config as $${variable}.  You can see their calculated value via fs_cli
       by entering eval $${variable}
+
       hostname
       local_ip_v4
       local_mask_v4
@@ -41,21 +45,24 @@
       nat_public_addr
       nat_private_addr
       nat_type
+
   -->
 
 
   <X-PRE-PROCESS cmd="set" data="sound_prefix={{ .Env.SOUNDS_PATH }}"/>
+  <X-PRE-PROCESS cmd="set" data="esl_password={{ .Env.ESL_PASSWORD }}"/>
+
 
   <!--
       This setting is what sets the default domain FreeSWITCH will use if all else fails.
+
       FreeSWICH will default to $${local_ip_v4} unless changed.  Changing this setting does
       affect the sip authentication.  Please review conf/directory/default.xml for more
       information on this topic.
   -->
-  <X-PRE-PROCESS cmd="set" data="local_ip_v4=10.7.7.1"/>
-  <X-PRE-PROCESS cmd="set" data="local_ip_v6=::1"/>
+  <X-PRE-PROCESS cmd="set" data="local_ip_v4=10.7.7.10"/>
   <X-PRE-PROCESS cmd="set" data="external_ip_v4={{ .Env.EXTERNAL_IPv4 }}"/>
-  <X-PRE-PROCESS cmd="set" data="external_ip_v6={{ .Env.EXTERNAL_IPv6 }}"/>
+
   <X-PRE-PROCESS cmd="set" data="domain={{ .Env.DOMAIN }}"/>
   <X-PRE-PROCESS cmd="set" data="domain_name=$${domain}"/>
   <X-PRE-PROCESS cmd="set" data="hold_music=local_stream://moh"/>
@@ -63,6 +70,7 @@
   <X-PRE-PROCESS cmd="set" data="rtp_sdes_suites=AEAD_AES_256_GCM_8|AEAD_AES_128_GCM_8|AES_CM_256_HMAC_SHA1_80|AES_CM_192_HMAC_SHA1_80|AES_CM_128_HMAC_SHA1_80|AES_CM_256_HMAC_SHA1_32|AES_CM_192_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_32|AES_CM_128_NULL_AUTH"/>
   <!--
       Enable ZRTP globally you can override this on a per channel basis
+
       http://wiki.freeswitch.org/wiki/ZRTP (on how to enable zrtp)
   -->
   <X-PRE-PROCESS cmd="set" data="zrtp_secure_media=true"/>
@@ -70,7 +78,9 @@
       NOTICE: When using SRTP it's critical that you do not offer or accept
       variable bit rate codecs, doing so would leak information and possibly
       compromise your SRTP stream. (FS-6404)
+
       Supported SRTP Crypto Suites:
+
       AEAD_AES_256_GCM_8
       ____________________________________________________________________________
       This algorithm is identical to AEAD_AES_256_GCM (see Section 5.2 of
@@ -78,6 +88,8 @@
       authentication tag with a length of 8 octets (64 bits) is used.
       An AEAD_AES_256_GCM_8 ciphertext is exactly 8 octets longer than its
       corresponding plaintext.
+
+
       AEAD_AES_128_GCM_8
       ____________________________________________________________________________
       This algorithm is identical to AEAD_AES_128_GCM (see Section 5.1 of
@@ -85,6 +97,8 @@
       authentication tag with a length of 8 octets (64 bits) is used.
       An AEAD_AES_128_GCM_8 ciphertext is exactly 8 octets longer than its
       corresponding plaintext.
+
+
       AES_CM_256_HMAC_SHA1_80 | AES_CM_192_HMAC_SHA1_80 | AES_CM_128_HMAC_SHA1_80
       ____________________________________________________________________________
       AES_CM_128_HMAC_SHA1_80 is the SRTP default AES Counter Mode cipher
@@ -92,18 +106,25 @@
       tag. The master-key length is 128 bits and has a default lifetime of
       a maximum of 2^48 SRTP packets or 2^31 SRTCP packets, whichever comes
       first.
+
+
       AES_CM_256_HMAC_SHA1_32 | AES_CM_192_HMAC_SHA1_32 | AES_CM_128_HMAC_SHA1_32
       ____________________________________________________________________________
       This crypto-suite is identical to AES_CM_128_HMAC_SHA1_80 except that
       the authentication tag is 32 bits. The length of the base64-decoded key and
       salt value for this crypto-suite MUST be 30 octets i.e., 240 bits; otherwise,
       the crypto attribute is considered invalid.
+
+
       AES_CM_128_NULL_AUTH
       ____________________________________________________________________________
       The SRTP default cipher (AES-128 Counter Mode), but to use no authentication
       method.  This policy is NOT RECOMMENDED unless it is unavoidable; see
       Section 7.5 of [RFC3711].
+
+
       SRTP variables that modify behaviors based on direction/leg:
+
       rtp_secure_media
       ____________________________________________________________________________
       possible values:
@@ -112,11 +133,16 @@
           forbidden - More useful for inbound to deny SAVP negotiation
           false     - implies forbidden
           true      - implies mandatory
+
       default if not set is accept SAVP inbound if offered.
+
+
       rtp_secure_media_inbound | rtp_secure_media_outbound
       ____________________________________________________________________________
       This is the same as rtp_secure_media, but would apply to either inbound
       or outbound offers specifically.
+
+
       How to specify crypto suites:
       ____________________________________________________________________________
       By default without specifying any crypto suites FreeSWITCH will offer
@@ -124,29 +150,39 @@
       endpoint has in common.  If you wish to force specific crypto suites you
       can do so by appending the suites in a comma separated list in the order
       that you wish to offer them in.
+
       Examples:
+
           rtp_secure_media=mandatory:AES_CM_256_HMAC_SHA1_80,AES_CM_256_HMAC_SHA1_32
           rtp_secure_media=true:AES_CM_256_HMAC_SHA1_80,AES_CM_256_HMAC_SHA1_32
           rtp_secure_media=optional:AES_CM_256_HMAC_SHA1_80
           rtp_secure_media=true:AES_CM_256_HMAC_SHA1_80
+
       Additionally you can narrow this down on either inbound or outbound by
       specifying as so:
+
           rtp_secure_media_inbound=true:AEAD_AES_256_GCM_8
           rtp_secure_media_inbound=mandatory:AEAD_AES_256_GCM_8
           rtp_secure_media_outbound=true:AEAD_AES_128_GCM_8
           rtp_secure_media_outbound=optional:AEAD_AES_128_GCM_8
+
+
       rtp_secure_media_suites
       ____________________________________________________________________________
-      Optionaly you can use rtp_secure_media_suites to dictate the suite list
+      Optionally you can use rtp_secure_media_suites to dictate the suite list
       and only use rtp_secure_media=[optional|mandatory|false|true] without having
       to dictate the suite list with the rtp_secure_media* variables.
   -->
   <!--
        Examples of codec options: (module must be compiled and loaded)
+
        codecname[@8000h|16000h|32000h[@XXi]]
-       XX is the frame size must be multples allowed for the codec
+
+       XX is the frame size must be multiples allowed for the codec
        FreeSWITCH can support 10-120ms on some codecs.
        We do not support exceeding the MTU of the RTP packet.
+
+
        iLBC@30i         - iLBC using mode=30 which will win in all cases.
        DVI4@8000h@20i   - IMA ADPCM 8kHz using 20ms ptime. (multiples of 10)
        DVI4@16000h@40i  - IMA ADPCM 16kHz using 40ms ptime. (multiples of 10)
@@ -173,17 +209,23 @@
        AAL2-G726-40     - Same as G726-40 but using AAL2 packing. (multiples of 10)
        LPC              - LPC10 using 90ms ptime (only supports 90ms at this time in FreeSWITCH)
        L16              - L16 isn't recommended for VoIP but you can do it. L16 can exceed the MTU rather quickly.
+
        These are the passthru audio codecs:
+
        G729             - G729 in passthru mode. (mod_g729)
        G723             - G723.1 in passthru mode. (mod_g723_1)
        AMR              - AMR in passthru mode. (mod_amr)
+
        These are the passthru video codecs: (mod_h26x)
+
        H261             - H.261 Video
        H263             - H.263 Video
        H263-1998        - H.263-1998 Video
        H263-2000        - H.263-2000 Video
        H264             - H.264 Video
+
        RTP Dynamic Payload Numbers currently used in FreeSWITCH and what for.
+
        96  - AMR
        97  - iLBC (30)
        98  - iLBC (20)
@@ -216,6 +258,7 @@
        125 -
        126 -
        127 - BV32
+
   -->
   <X-PRE-PROCESS cmd="set" data="global_codec_prefs=OPUS,speex@16000h@20i,speex@8000h@20i,G722,PCMU,PCMA"/>
   <X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=OPUS,speex@16000h@20i,G722,PCMU,PCMA"/>
@@ -232,7 +275,9 @@
   <X-PRE-PROCESS cmd="set" data="xmpp_server_profile=xmpps"/>
   <!--
        THIS IS ONLY USED FOR DINGALING
+
        bind_server_ip
+
        Can be an ip address, a dns name, or "auto".
        This determines an ip address available on this host to bind.
        If you are separating RTP and SIP traffic, you will want to have
@@ -242,6 +287,7 @@
   <X-PRE-PROCESS cmd="set" data="bind_server_ip=auto"/>
 
   <!-- NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE
+
        If you're going to load test FreeSWITCH please input real IP addresses
        for external_rtp_ip and external_sip_ip
   -->
@@ -256,7 +302,7 @@
        If unspecified, the bind_server_ip value is used.
        Used by: sofia.conf.xml dingaling.conf.xml
   -->
-  <X-PRE-PROCESS cmd="set" data="external_rtp_ip={{ .Env.EXTERNAL_IPv4 }}"/>
+  <X-PRE-PROCESS cmd="set" data="external_rtp_ip=stun:stun.l.google.com:19302"/>
 
   <!-- external_sip_ip
       Used as the public IP address for SDP.
@@ -269,7 +315,7 @@
        If unspecified, the bind_server_ip value is used.
        Used by: sofia.conf.xml dingaling.conf.xml
   -->
-  <X-PRE-PROCESS cmd="set" data="external_sip_ip={{ .Env.EXTERNAL_IPv4 }}"/>
+  <X-PRE-PROCESS cmd="set" data="external_sip_ip=stun:stun.l.google.com:19302"/>
 
   <!-- unroll-loops
        Used to turn on sip loopback unrolling.
@@ -328,9 +374,11 @@
 
   <!--
        Digits Dialed filter: (FS-6940)
+
        The digits stream may contain valid credit card numbers or social security numbers, These digit
        filters will allow you to make a valant effort to stamp out sensitive information for
        PCI/HIPPA compliance. (see xml_cdr dialed_digits)
+
        df_us_ssn   = US Social Security Number pattern
        df_us_luhn  = Visa, MasterCard, American Express, Diners Club, Discover and JCB
   -->
@@ -342,6 +390,7 @@
   <!--
       Setting up your default sip provider is easy.
       Below are some values that should work in most cases.
+
       These are for conf/directory/default/example.com.xml
   -->
   <X-PRE-PROCESS cmd="set" data="default_provider=example.com"/>
@@ -354,16 +403,21 @@
 
   <!--
      SIP and TLS settings. http://wiki.freeswitch.org/wiki/Tls
+
      valid options: sslv2,sslv3,sslv23,tlsv1,tlsv1.1,tlsv1.2
+
      default: tlsv1,tlsv1.1,tlsv1.2
   -->
   <X-PRE-PROCESS cmd="set" data="sip_tls_version=tlsv1,tlsv1.1,tlsv1.2"/>
 
   <!--
      TLS cipher suite: default ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
+
      The actual ciphers supported will change per platform.
+
      openssl ciphers -v 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'
-     Will show you what is available in your verion of openssl.
+
+     Will show you what is available in your version of openssl.
   -->
   <X-PRE-PROCESS cmd="set" data="sip_tls_ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"/>
 
@@ -380,7 +434,7 @@
   <X-PRE-PROCESS cmd="set" data="external_ssl_enable=false"/>
 
   <!-- Video Settings -->
-  <!-- Setting the max bandwdith -->
+  <!-- Setting the max bandwidth -->
   <X-PRE-PROCESS cmd="set" data="rtp_video_max_bandwidth_in=1mb"/>
   <X-PRE-PROCESS cmd="set" data="rtp_video_max_bandwidth_out=1mb"/>
 
@@ -395,4 +449,5 @@
   <X-PRE-PROCESS cmd="set" data="video_mute_png=$${images_dir}/default-mute.png"/>
   <X-PRE-PROCESS cmd="set" data="video_no_avatar_png=$${images_dir}/default-avatar.png"/>
 
-</include>
+</include>
+

mod/freeswitch/entrypoint.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash -e
 
 # remove all SIP (port 5060) iptable rules
 iptables -S INPUT | grep "\-\-dport 5060 " | cut -d " " -f 2- | xargs -rL1 iptables -D
@@ -15,13 +15,19 @@ for IP in "${ADDR[@]}"; do
     iptables -I INPUT  -p udp --dport 5060 -s $IP -j ACCEPT
 done
 
+mkdir -p /var/freeswitch/meetings
 chown -R freeswitch:daemon /var/freeswitch/meetings
 chmod 777 /var/freeswitch/meetings
-
+chown -R freeswitch:daemon /opt/freeswitch/var
+chown -R freeswitch:daemon /opt/freeswitch/etc
+chmod -R g-rwx,o-rwx /opt/freeswitch/etc
 
 # install freeswitch sounds if missing
-SOUNDS_DIR=/usr/share/freeswitch/sounds
-if [ "$SOUNDS_LANGUAGE" == "de-de-daedalus3" ]; then
+SOUNDS_DIR=/opt/freeswitch/share/freeswitch/sounds
+if [ "$SOUNDS_LANGUAGE" == "en-us-callie" ]; then
+    # default, is already installed
+    echo ""
+elif [ "$SOUNDS_LANGUAGE" == "de-de-daedalus3" ]; then
     if [ ! -d "$SOUNDS_DIR/de/de/daedalus3" ]; then
         echo "sounds package for de-de-daedalus3 not installed yet"
         wget -O /tmp/freeswitch-german-soundfiles.zip https://github.com/Daedalus3/freeswitch-german-soundfiles/archive/master.zip
@@ -36,10 +42,24 @@ if [ "$SOUNDS_LANGUAGE" == "de-de-daedalus3" ]; then
 
     fi
 else
-    SOUNDS_PACKAGE=$(echo "freeswitch-sounds-${SOUNDS_LANGUAGE}" | tr '[:upper:]' '[:lower:]')
-    if ! dpkg -s $SOUNDS_PACKAGE >/dev/null 2>&1; then
+    if [ ! -f $SOUNDS_DIR/$SOUNDS_LANGUAGE.installed ]; then
         echo "sounds package for $SOUNDS_LANGUAGE not installed yet"
-        apt-get install $SOUNDS_PACKAGE
+        
+        # get filename of latest release for this sound package
+        FILENAME=$(curl -s https://files.freeswitch.org/releases/sounds/ | grep -i $SOUNDS_LANGUAGE 2> /dev/null | awk -F'\"' '{print $8}' | grep -E '\-48000-.*\.gz$' | sort -V | tail -n 1)
+
+        if [ "$FILENAME" = "" ]; then
+            echo "Error: could not find sounds for language '$SOUNDS_LANGUAGE'"
+            echo "make sure to specify a value for SOUNDS_LANGUAGE which exists on https://files.freeswitch.org/releases/sounds/"
+            exit 1
+        fi
+        for bitrate in 8000 16000 32000 48000; do
+            URL=https://files.freeswitch.org/releases/sounds/$(echo $FILENAME | sed "s/48000/$bitrate/")
+            wget -O /tmp/sounds.tar.gz $URL
+            tar xvfz /tmp/sounds.tar.gz -C $SOUNDS_DIR
+        done
+
+        touch $SOUNDS_DIR/$SOUNDS_LANGUAGE.installed
     fi
 fi
 
@@ -49,4 +69,4 @@ export SOUNDS_PATH=$SOUNDS_DIR/$(echo "$SOUNDS_LANGUAGE" | sed 's|-|/|g')
 dockerize \
     -template /etc/freeswitch/vars.xml.tmpl:/etc/freeswitch/vars.xml \
     -template /etc/freeswitch/autoload_configs/conference.conf.xml.tmpl:/etc/freeswitch/autoload_configs/conference.conf.xml \
-    /usr/bin/freeswitch -u freeswitch -g daemon -nonat -nf
+    /opt/freeswitch/bin/freeswitch -u freeswitch -g daemon -nonat -nf

mod/fsesl-akka/Dockerfile

@@ -1,24 +1,16 @@
 ARG BBB_BUILD_TAG
-FROM gitlab.senfcall.de:5050/senfcall-public/docker-bbb-build:$BBB_BUILD_TAG AS builder
+FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder
 
-ARG TAG_COMMON_MESSAGE
+COPY --from=src-common-message / /bbb-common-message
 
-# download bbb-common-message
-RUN svn checkout https://github.com/bigbluebutton/bigbluebutton/tags/$TAG_COMMON_MESSAGE/bbb-common-message /bbb-common-message \
-    && cd /bbb-common-message \
-    && ./deploy.sh \
-    && rm -rf /bbb-common-message
+# build bbb-common-message
+RUN cd /bbb-common-message && ./deploy.sh
 
 # ===================================================
-ARG TAG_FSESL_AKKA
-RUN svn checkout https://github.com/bigbluebutton/bigbluebutton/tags/$TAG_FSESL_AKKA/bbb-fsesl-client /bbb-fsesl-client \
-    && rm -rf /bbb-fsesl-client/.svn
+COPY --from=src-fsesl-client / /bbb-fsesl-client
+RUN cd /bbb-fsesl-client && ./deploy.sh
 
-RUN cd /bbb-fsesl-client \
-    && ./deploy.sh
-
-RUN svn checkout https://github.com/bigbluebutton/bigbluebutton/tags/$TAG_FSESL_AKKA/akka-bbb-fsesl /source \
-    && rm -rf /source/.svn
+COPY --from=src-fsesl-akka / /source
 
 # compile and unzip bin
 RUN cd /source \

mod/fsesl-akka/bbb-fsesl-akka.conf

@@ -4,13 +4,13 @@ include "/bbb-fsesl-akka/conf/application.conf"
 
 freeswitch {
     esl {
-        host="10.7.7.1"
+        host="freeswitch"
         password="FSESL_PASSWORD"
     }
 }
 
 redis {
-  host="10.7.7.5"
+  host="redis"
 }
 
 http {

mod/fsesl-akka/logback.xml

@@ -11,8 +11,7 @@
     <logger name="org.freeswitch.esl" level="WARN" />
     <logger name="io.lettuce" level="INFO" />
     
-    <root level="DEBUG">
+    <root level="INFO">
         <appender-ref ref="STDOUT"/>
-        <appender-ref ref="FILE" />
     </root>
 </configuration>

mod/haproxy/Dockerfile

@@ -0,0 +1,4 @@
+FROM ghcr.io/tomdess/docker-haproxy-certbot:2.8.10
+
+# overwrite bootstrap.sh
+COPY bootstrap.sh /bootstrap.sh

mod/haproxy/bootstrap.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -e
+
+# save container environment variables to use it
+# in cron scripts
+
+declare -p | grep -Ev '^declare -[[:alpha:]]*r' > /container.env
+
+# when used with an IP, we'll also disable certbot
+if [[ "$CERT1" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+  IGNORE_TLS_CERT_ERRORS=true
+fi
+
+if [ "$IGNORE_TLS_CERT_ERRORS"  ] && [ "$IGNORE_TLS_CERT_ERRORS" != "false" ]; then
+    # use self signed certificate
+    if [ ! -f /etc/haproxy/certs/haproxy-10.7.7.1.pem ]; then
+        mkdir -p /etc/haproxy/certs
+        # generate self signed certificate
+        openssl req -x509 -nodes -days 700 -newkey rsa:2048 \
+        -keyout /tmp/domain.key -out /tmp/domain.crt \
+        -subj "/C=CA/ST=Quebec/L=Montreal/O=BigBlueButton Development/OU=bbb-docker/CN=10.7.7.1"
+
+        cat /tmp/domain.key /tmp/domain.crt | tee /etc/haproxy/certs/haproxy-10.7.7.1.pem >/dev/null
+    fi
+else
+    # obtain certificates from lets encrypt
+    /certs.sh
+fi
+supervisord -c /etc/supervisord.conf -n

mod/haproxy/haproxy.cfg

@@ -0,0 +1,80 @@
+global
+    log stdout format raw local0 debug
+
+    maxconn 20480
+    ############# IMPORTANT #################################
+    ## DO NOT SET CHROOT OTHERWISE YOU HAVE TO CHANGE THE  ##
+    ## acme-http01-webroot.lua file                        ##
+    # chroot /jail                                         ##
+    #########################################################
+    lua-load /etc/haproxy/acme-http01-webroot.lua
+    #
+    # SSL options
+	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+	ssl-default-bind-options ssl-min-ver TLSv1.2
+    tune.ssl.default-dh-param 4096
+
+
+    # workaround for bug #14 (Cert renewal blocks HAProxy indefinitely with Websocket connections)
+    hard-stop-after 3s
+
+
+# DNS runt-time resolution on backend hosts
+resolvers docker
+    nameserver dns "127.0.0.11:53"
+
+defaults
+    log global
+    mode http
+    timeout connect 5000ms
+    timeout client 50000ms
+    timeout server 50000ms
+    # option forwardfor
+    option httplog
+
+	option	dontlognull
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+
+    # never fail on address resolution
+    default-server init-addr last,libc,none
+
+frontend http
+    bind *:80,[::]:80
+    mode http
+    acl url_acme_http01 path_beg /.well-known/acme-challenge/
+    http-request use-service lua.acme-http01 if METH_GET url_acme_http01
+    redirect scheme https code 301 if !{ ssl_fc }
+
+frontend nginx_or_turn
+  bind *:443,:::443 ssl crt /etc/haproxy/certs/ ssl-min-ver TLSv1.2 alpn h2,http/1.1,stun.turn
+  mode tcp
+  option tcplog
+  tcp-request content capture req.payload(0,1) len 1
+  log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq captured_user:%{+X}[capture.req.hdr(0)]"
+  tcp-request inspect-delay 30s
+  # We terminate SSL on haproxy. HTTP2 is a binary protocol. haproxy has to
+  # decide which protocol is spoken. This is negotiated by ALPN.
+  #
+  # Depending on the ALPN value traffic is redirected to either port 82 (HTTP2,
+  # ALPN value h2) or 81 (HTTP 1.0 or HTTP 1.1, ALPN value http/1.1 or no value)
+  # If no ALPN value is set, the first byte is inspected and depending on the
+  # value traffic is sent to either port 81 or coturn.
+  use_backend nginx-http2 if { ssl_fc_alpn h2 }
+  use_backend nginx if { ssl_fc_alpn http/1.1 }
+  use_backend turn if { ssl_fc_alpn stun.turn }
+  use_backend %[capture.req.hdr(0),map_str(/etc/haproxy/protocolmap,turn)]
+  default_backend turn
+
+backend turn
+  mode tcp
+  server localhost 10.7.7.1:3478 check
+
+backend nginx
+  mode tcp
+  server localhost 10.7.7.1:48081 send-proxy check
+
+backend nginx-http2
+  mode tcp
+  server localhost 10.7.7.1:48082 send-proxy check

mod/haproxy/protocolmap

@@ -0,0 +1,52 @@
+a nginx
+b nginx
+c nginx
+d nginx
+e nginx
+f nginx
+g nginx
+h nginx
+i nginx
+j nginx
+k nginx
+l nginx
+m nginx
+n nginx
+o nginx
+p nginx
+q nginx
+r nginx
+s nginx
+t nginx
+u nginx
+v nginx
+w nginx
+x nginx
+y nginx
+z nginx
+A nginx
+B nginx
+C nginx
+D nginx
+E nginx
+F nginx
+G nginx
+H nginx
+I nginx
+J nginx
+K nginx
+L nginx
+M nginx
+N nginx
+O nginx
+P nginx
+Q nginx
+R nginx
+S nginx
+T nginx
+U nginx
+V nginx
+W nginx
+X nginx
+Y nginx
+Z nginx

mod/html5-dev/Dockerfile

@@ -0,0 +1,13 @@
+ARG BBB_BUILD_TAG
+FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG
+
+
+# use /tmp as home dir as writeable directory for whatever UID we get
+ENV HOME /tmp
+
+# allow all user to access .nvm in root
+RUN chmod 755 /root
+
+WORKDIR /app
+COPY /entrypoint.sh /entrypoint.sh
+ENTRYPOINT /entrypoint.sh

mod/html5-dev/entrypoint.sh

@@ -0,0 +1,11 @@
+set -e
+
+# enable nvm
+. /root/.nvm/nvm.sh
+
+if [ -n  "$1" ]; then
+    exec "$@"
+else
+    npm install
+    npm start -- --host 0.0.0.0
+fi

mod/html5/Dockerfile

@@ -1,34 +0,0 @@
-ARG BBB_BUILD_TAG
-FROM gitlab.senfcall.de:5050/senfcall-public/docker-bbb-build:$BBB_BUILD_TAG AS builder
-
-# RUN groupadd -g 2000 meteor && useradd -m -u 2001 -g meteor meteor
-# USER meteor
-
-ARG TAG_HTML5
-RUN svn checkout https://github.com/bigbluebutton/bigbluebutton/tags/$TAG_HTML5/bigbluebutton-html5 /source \
-    && cd /source \
-    && meteor npm ci --production \
-    && METEOR_DISABLE_OPTIMISTIC_CACHING=1 meteor build --architecture os.linux.x86_64 --allow-superuser  --directory /app \
-    && rm -rf /source
-
-RUN cd /app/bundle/programs/server \
-    && npm install --production
-    
-RUN sed -i "s/VERSION/$TAG_HTML5/" /app/bundle/programs/web.browser/head.html \
-    && find /app/bundle/programs/web.browser -name '*.js' -exec gzip -k -f -9 '{}' \; \
-    && find /app/bundle/programs/web.browser -name '*.css' -exec gzip -k -f -9 '{}' \; \
-    && find /app/bundle/programs/web.browser -name '*.wasm' -exec gzip -k -f -9 '{}' \;
-
-# ------------------------------
-
-FROM node:14.19.1-alpine
-
-RUN addgroup -g 2000 meteor && \
-    adduser -D -u 2001 -G meteor meteor && \
-    apk add su-exec
-COPY --from=alangecker/bbb-docker-base-java /usr/local/bin/dockerize /usr/local/bin/dockerize
-COPY --from=builder --chown=meteor:meteor /app/bundle /app
-COPY entrypoint.sh /entrypoint.sh
-COPY bbb-html5.yml /app/bbb-html5.yml.tmpl
-
-ENTRYPOINT ["/entrypoint.sh"]

mod/html5/bbb-html5.yml

@@ -1,24 +0,0 @@
-public:
-  app:
-    bbbServerVersion: {{ .Env.TAG_HTML5 }}-docker
-    listenOnlyMode: {{ .Env.LISTEN_ONLY_MODE }}
-    skipCheck: {{ .Env.DISABLE_ECHO_TEST }}
-    clientTitle: {{ .Env.CLIENT_TITLE }}
-    appName: BigBlueButton HTML5 Client (docker)
-    breakouts:
-      breakoutRoomLimit: {{ .Env.BREAKOUTROOM_LIMIT }}
-  kurento:
-    wsUrl: wss://{{ .Env.DOMAIN }}/bbb-webrtc-sfu
-    autoShareWebcam: {{ .Env.AUTO_SHARE_WEBCAM }}
-    skipVideoPreview: {{ .Env.DISABLE_VIDEO_PREVIEW }}
-  chat:
-    enabled: {{ .Env.CHAT_ENABLED }}
-    startClosed: {{ .Env.CHAT_START_CLOSED }}
-  pads:
-    url: https://{{ .Env.DOMAIN }}/pad
-private:
-  app:
-    host: 0.0.0.0
-  redis:
-    host: redis
-    port: '6379'

mod/html5/entrypoint.sh

@@ -1,43 +0,0 @@
-#!/bin/sh
-set -e
-
-cd /app
-export MONGO_OPLOG_URL=mongodb://10.7.7.6/local
-export MONGO_URL=mongodb://10.7.7.6/meteor
-export ROOT_URL=http://127.0.0.1/html5client
-export NODE_ENV=production
-export SERVER_WEBSOCKET_COMPRESSION=0
-export BIND_IP=0.0.0.0
-export LANG=en_US.UTF-8
-export INSTANCE_MAX=1
-export ENVIRONMENT_TYPE=production
-export NODE_VERSION=node-v14.19.1-linux-x64
-export BBB_HTML5_LOCAL_SETTINGS=/app/bbb-html5.yml
-
-if [ "$DEV_MODE" == true ]; then
-    echo "DEV_MODE=true, disable TLS certificate rejecting"
-    export NODE_TLS_REJECT_UNAUTHORIZED=0
-fi
-
-if [ "$BBB_HTML5_ROLE" == "backend" ]; then
-    PARAM=NODEJS_BACKEND_INSTANCE_ID=$INSTANCE_ID
-fi
-
-
-# if container is the first frontend, do some additional tasks
-if [ "$BBB_HTML5_ROLE" == "frontend" ] && [ "$INSTANCE_ID" == "1" ]; then
-
-
-    # copy static files into volume for direct access by nginx
-    # https://github.com/bigbluebutton/bigbluebutton/issues/10739
-    if [ -d "/html5-static" ]; then
-        rm -rf /html5-static/*
-        cp -r /app/programs/web.browser/* /html5-static
-    fi
-
-fi
-
-dockerize \
-    -template /app/bbb-html5.yml.tmpl:/app/bbb-html5.yml \
-    su-exec meteor \
-        node --max-old-space-size=2048 --max_semi_space_size=128 main.js $PARAM

mod/https/site-ipv4only.conf

@@ -1,33 +0,0 @@
-map $http_upgrade $connection_upgrade {
-  default upgrade;
-  '' close;
-}
-
-server {
-  listen 443 ssl http2 default_server;
-
-  # we at still serve https via IPv6 for the 
-  # case that an AAAA record is set.
-  listen [::]:443 ssl http2 default_server;
-
-  server_name _;
-
-  include resty-server-https.conf;
-
-  location / {
-    proxy_http_version 1.1;
-    proxy_pass http://127.0.0.1:48087;
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection $connection_upgrade;
-    proxy_cache_bypass $http_upgrade;
-
-    proxy_read_timeout 6h;
-    proxy_send_timeout 6h;
-    client_body_timeout 6h;
-    send_timeout 6h;
-  }
-}

mod/https/site.conf

@@ -1,33 +0,0 @@
-map $http_upgrade $connection_upgrade {
-  default upgrade;
-  '' close;
-}
-map $remote_addr $endpoint_addr {
-    "~:"    [::1];
-    default    127.0.0.1;
-}
-
-server {
-  listen 443 ssl http2 default_server;
-  listen [::]:443 ssl http2 default_server;
-  server_name _;
-
-  include resty-server-https.conf;
-
-  location / {
-    proxy_http_version 1.1;
-    proxy_pass http://$endpoint_addr:48087;
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection $connection_upgrade;
-    proxy_cache_bypass $http_upgrade;
-    
-    proxy_read_timeout 6h;
-    proxy_send_timeout 6h;
-    client_body_timeout 6h;
-    send_timeout 6h;
-  }
-}

mod/jodconverter/Dockerfile

@@ -1,17 +0,0 @@
-FROM eugenmayer/jodconverter:rest
-RUN echo "ttf-mscorefonts-installer msttcorefonts/accepted-mscorefonts-eula select true" | debconf-set-selections
-RUN sed -i 's/main/main contrib/' /etc/apt/sources.list && apt-get update
-RUN apt-get update && apt -y install  --no-install-recommends \
-    fonts-arkpandora \
-    fonts-crosextra-carlito \
-    fonts-crosextra-caladea \
-    fonts-noto \
-    fonts-noto-cjk \
-    fonts-liberation \
-    fontconfig \
-    ttf-mscorefonts-installer
-
-
-# avoid "APPLICATION FAILED TO START. Config data location '/etc/app/' does not exist"
-# https://github.com/bigbluebutton/docker/issues/178
-CMD ["--spring.config.additional-location=optional:/etc/app/"]

mod/livekit/livekit.yaml

@@ -0,0 +1,15 @@
+port: 7880
+log_level: debug
+# when enabled, LiveKit will expose prometheus metrics on :6789/metrics
+#prometheus_port: 6789
+rtc:
+  port_range_start: 16384
+  port_range_end: 32768
+  use_external_ip: false
+redis:
+ # redis is recommended for production deploys
+  address: redis:6379
+
+keys:
+  # TODO: change keys
+  TEST: TEST

mod/mongo/init-replica.sh

@@ -1,26 +0,0 @@
-#!/bin/sh
-set -e
-
-
-host=${HOSTNAME:-$(hostname -f)}
-
-# shut down again
-mongod --pidfilepath /tmp/docker-entrypoint-temp-mongod.pid --shutdown
-# restart again binding to 0.0.0.0 to allow a replset with 10.7.7.6
-mongod --oplogSize 8 --replSet rs0 --noauth \
-   --config /tmp/docker-entrypoint-temp-config.json \
-   --bind_ip 0.0.0.0 --port 27017 \
-   --tlsMode disabled \
-   --logpath /proc/1/fd/1 --logappend \
-   --pidfilepath /tmp/docker-entrypoint-temp-mongod.pid --fork
-
-# init replset with defaults
-mongo 10.7.7.6 --eval "rs.initiate({
-   _id: 'rs0',
-   members: [ { _id: 0, host: '10.7.7.6:27017' } ]
-})"
-
-echo "Waiting to become a master"
-echo 'while (!db.isMaster().ismaster) { sleep(100); }' | mongo
-
-echo "I'm the master!"

mod/mongo/mongod.conf

@@ -1,33 +0,0 @@
-# mongod.conf
-
-# for documentation of all options, see:
-#   http://docs.mongodb.org/manual/reference/configuration-options/
-
-storage:
-  dbPath: /data/db
-  journal:
-   enabled: true
-  wiredTiger:
-    engineConfig:
-         cacheSizeGB: 1
-         journalCompressor: none
-         directoryForIndexes: true
-    collectionConfig:
-         blockCompressor: none
-    indexConfig:
-         prefixCompression: false
-
-
-net:
-  port: 27017
-  bindIp: 0.0.0.0
-
-
-replication:
-  replSetName: rs0
-
-setParameter:
-  diagnosticDataCollectionEnabled: false
-
-security:
-  javascriptEnabled: false

mod/nginx/Dockerfile

@@ -1,22 +1,49 @@
-FROM node:14-alpine AS builder
-
-RUN apk add subversion git
-
-# --------------------
-
-ARG TAG_LEARNING_DASHBOARD
-RUN svn checkout https://github.com/bigbluebutton/bigbluebutton/tags/$TAG_LEARNING_DASHBOARD/bbb-learning-dashboard /bbb-learning-dashboard && rm -r /bbb-learning-dashboard/.svn
+ARG BBB_BUILD_TAG
+FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder-learning-dashboard
+COPY --from=src-learning-dashboard / /bbb-learning-dashboard
 RUN cd /bbb-learning-dashboard && npm ci && npm run build
 
-COPY ./bbb-playback /bbb-playback
-RUN cd /bbb-playback && npm ci && npm run build
+
+FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder-playback
+COPY --from=src-playback / /bbb-playback
+RUN cd /bbb-playback && npm install && npm run-script build
+
+FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder-html5
+COPY --from=src-html5 / /source
+RUN cd /source && CI=true npm ci
+RUN cd /source && DISABLE_ESLINT_PLUGIN=true npm run build-safari && npm run build
+RUN cd /source/dist && \
+    HASH=$(ls | grep -Eo 'bundle\.[a-f0-9]{20}\.js' | head -n 1 | grep -Eo '[a-f0-9]{20}') && \
+    if [ -z "$HASH" ]; then \
+      echo "Bundle hash not found."; \
+    else \
+      for FILE in *.safari.js *.safari.js.map; do \
+        if [[ "$FILE" == *"$HASH"* ]]; then \
+          continue; \
+        fi; \
+        PREFIX="${FILE%%.safari.js*}"; \
+        SUFFIX="${FILE#*.safari.js}"; \
+        NEW_NAME="${PREFIX}.${HASH}.safari.js${SUFFIX}"; \
+        echo "Renaming $FILE → $NEW_NAME"; \
+        mv "$FILE" "$NEW_NAME"; \
+      done; \
+    fi
+
+RUN find /source/dist -name '*.js' -exec gzip -k -f -9 '{}' \; \
+    && find /source/dist -name '*.css' -exec gzip -k -f -9 '{}' \; \
+    && find /source/dist -name '*.wasm' -exec gzip -k -f -9 '{}' \;
+
+RUN sed -i "s/VERSION/$BBB_BUILD_TAG/g" /source/dist/index.html && \
+    sed -i "s/VERSION/$BBB_BUILD_TAG/g" /source/dist/stylesheets/fonts.css
 
 # --------------------
 
-FROM nginx:1.21-alpine
+FROM nginx:1.27-alpine
 
-COPY --from=builder /bbb-learning-dashboard/build /www/learning-analytics-dashboard/
-COPY --from=builder /bbb-playback/build /www/playback/presentation/2.3
+COPY --from=builder-learning-dashboard /bbb-learning-dashboard/build /www/learning-analytics-dashboard/
+COPY --from=builder-playback /bbb-playback/build /www/playback/presentation/2.3
+COPY --from=builder-html5 /source/dist /usr/share/bigbluebutton/html5-client/
 COPY ./bbb /etc/nginx/bbb
 COPY ./bigbluebutton /etc/nginx/conf.d/default.conf
+COPY ./bbb-graphql-client-settings-cache.conf /etc/nginx/conf.d/bbb-graphql-client-settings-cache.conf
 COPY ./nginx.conf /etc/nginx/nginx.conf

mod/nginx/bbb-graphql-client-settings-cache.conf

@@ -0,0 +1 @@
+proxy_cache_path /tmp/hasura-client-settings-cache levels=1:2 keys_zone=client_settings_cache:64m inactive=2880m use_temp_path=off;

mod/nginx/bbb-html5.dev.nginx

@@ -0,0 +1,23 @@
+# serve locale index from prebuilt static files 
+location = /html5client/locales/ {
+  alias /usr/share/bigbluebutton/html5-client/locales/;
+  autoindex on;
+  autoindex_format json;
+
+  # Prevent browsers from caching
+  add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0";
+  add_header Pragma "no-cache";
+  add_header Expires 0;
+}
+
+# running from source (npm start)
+location /html5client/ {
+  rewrite /html5client/(.*) /$1 break;
+  gzip_static on;
+  proxy_pass http://10.7.7.1:3000/;
+  proxy_http_version 1.1;
+  proxy_set_header Upgrade $http_upgrade;
+  proxy_set_header Connection "Upgrade";
+  proxy_set_header Host $host;
+}
+

mod/nginx/bbb/bbb-html5.nginx

@@ -1,40 +1,13 @@
-location @html5client {
-  proxy_pass http://poolhtml5servers; # use for production
-  proxy_http_version 1.1;
-  proxy_set_header Upgrade $http_upgrade;
-  proxy_set_header Connection "Upgrade";
+# running in production (static assets)
+location /html5client {
+    gzip_static on;
+    alias /usr/share/bigbluebutton/html5-client/;
+    index index.html;
+    try_files $uri $uri/ =404;
 }
 
 location /html5client/locales {
-   alias /html5-static/app/locales;
+  alias /usr/share/bigbluebutton/html5-client/locales;
+  autoindex on;
+  autoindex_format json;
 }
-
-location /html5client/compatibility {
-   alias /html5-static/app/compatibility;
-}
-
-location /html5client/resources {
-  alias /html5-static/app/resources;
-}
-
-location /html5client/svgs {
-  alias /html5-static/app/svgs;
-}
-
-location /html5client/fonts {
-  alias /html5-static/app/fonts;
-}
-
-location /html5client/wasm {
-  types {
-    application/wasm wasm;
-  }
-  gzip_static on;
-  alias /html5-static/app/wasm;
-}
-
-location /html5client/ {
-  alias /html5-static;
-  try_files $uri @html5client;
-}
-

mod/nginx/bbb/graphql.nginx

@@ -0,0 +1,39 @@
+# Websocket connection
+location /graphql {
+	proxy_http_version 1.1;
+	proxy_set_header Upgrade $http_upgrade;
+	proxy_set_header Connection "Upgrade";
+	proxy_set_header Host $host;
+	#proxy_pass         http://bbb-graphql-server:8085; #Hasura (it requires to change the location to /v1/graphql)
+	proxy_pass         http://bbb-graphql-middleware:8378; #Graphql Middleware
+}
+
+#Set cache system for client settings
+location /api/rest/clientSettings {
+    auth_request /bigbluebutton/connection/checkGraphqlAuthorization;
+    auth_request_set $meeting_id $sent_http_meeting_id;
+
+    proxy_cache client_settings_cache;
+    proxy_cache_key "$uri|$meeting_id";
+    proxy_cache_use_stale updating;
+    proxy_cache_valid 24h;
+    proxy_cache_lock on;
+    add_header X-Cached $upstream_cache_status;
+
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "Upgrade";
+    proxy_set_header Host $host;
+    proxy_pass http://127.0.0.1:8185; #Hasura
+}
+
+location /api/rest/userMetadata {
+    auth_request /bigbluebutton/connection/checkGraphqlAuthorization;
+    auth_request_set $meeting_id $sent_http_meeting_id;
+
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "Upgrade";
+    proxy_set_header Host $host;
+    proxy_pass http://127.0.0.1:8185; #Hasura
+}

mod/nginx/bbb/greenlight.nginx

@@ -1,34 +0,0 @@
-# Routes requests to Greenlight based on the '/b' prefix.
-# Use this file to route '/b' paths on your BigBlueButton server
-# to the Greenlight application. If you are using a different
-# subpath, you should change it here.
-
-
-location /b {
-  proxy_pass          http://host.docker.internal:5000;
-  proxy_set_header    Host              $host;
-  proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
-  proxy_set_header    X-Forwarded-Proto $scheme;
-  proxy_set_header    X-Forwarded-Ssl on;
-  proxy_http_version  1.1;
-}
-
-location /b/cable {
-  proxy_pass          http://host.docker.internal:5000;
-  proxy_set_header    Host              $host;
-  proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
-  proxy_set_header    X-Forwarded-Proto $scheme;
-  proxy_set_header    X-Forwarded-Ssl on;
-  proxy_set_header    Upgrade           $http_upgrade;
-  proxy_set_header    Connection        "Upgrade";
-  proxy_http_version  1.1;
-  proxy_read_timeout  6h;
-  proxy_send_timeout  6h;
-  client_body_timeout 6h;
-  send_timeout        6h;
-}
-
-# this is necessary for the preupload_presentation feature
-location /rails/active_storage {
-  return 301 /b$request_uri;
-}

mod/nginx/bbb/learning-dashboard.nginx

@@ -1,8 +1,3 @@
-location ~ /learning-analytics-dashboard/([0-9a-f]+-[0-9]+)/(.*) {
-    root /var/bigbluebutton/learning-analytics-dashboard/;
-    autoindex off;
-}
-
 location /learning-analytics-dashboard/ {
     alias /www/learning-analytics-dashboard/;
     autoindex off;

mod/nginx/bbb/livekit.nginx

@@ -0,0 +1,11 @@
+location /livekit/ {
+    proxy_pass http://127.0.0.1:7880/;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "Upgrade";
+
+    proxy_read_timeout 60s;
+    proxy_send_timeout 60s;
+    client_body_timeout 60s;
+    send_timeout 60s;
+}

mod/nginx/bbb/notes.nginx

@@ -15,7 +15,7 @@ location /pad/p/ {
 
     proxy_set_header X-Real-IP $remote_addr;  # http://wiki.nginx.org/HttpProxyModule
     proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
-    proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
+    proxy_set_header X-Forwarded-Proto $real_scheme; # for EP to set secure cookie flag when https is used
     proxy_http_version 1.1;
 
     auth_request /bigbluebutton/connection/checkAuthorization;
@@ -57,7 +57,7 @@ location /pad/socket.io {
     proxy_buffering off;
     proxy_set_header X-Real-IP $remote_addr;  # http://wiki.nginx.org/HttpProxyModule
     proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
-    proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
+    proxy_set_header X-Forwarded-Proto $real_scheme; # for EP to set secure cookie flag when https is used
     proxy_set_header Host $host;  # pass the host header
     proxy_http_version 1.1;  # recommended with keepalive connections
     # WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html

mod/nginx/bbb/playback-video.nginx

@@ -0,0 +1,21 @@
+# This file is part of BigBlueButton.
+#
+# Copyright © BigBlueButton Inc. and by respective authors.
+#
+# BigBlueButton is free software: you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by the
+# Free Software Foundation, either version 3.0 of the License, or (at your
+# option) any later version.
+#
+# BigBlueButton is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with BigBlueButton. If not, see <https://www.gnu.org/licenses>.
+
+location /playback/video/ {
+	alias /var/bigbluebutton/published/video/;
+	index index.html index.htm;
+}

mod/nginx/bbb/presentation-slides.nginx

@@ -20,34 +20,27 @@
 # causes tomcat to OOM. (ralam sept 20, 2018)
 
         location ~^\/bigbluebutton\/presentation\/(?<meeting_id_1>[A-Za-z0-9\-]+)\/(?<meeting_id_2>[A-Za-z0-9\-]+)\/(?<pres_id>[A-Za-z0-9\-]+)\/svg\/(?<page_num>\d+)$ {
-		default_type image/svg+xml;
+                default_type image/svg+xml;
                 alias    /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/svgs/slide$page_num.svg;
-                if ($bbb_loadbalancer_node) {
-                    add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
-                }
+                add_header 'Access-Control-Allow-Origin' '*' always;
         }
 
-        location ~^\/bigbluebutton\/presentation\/(?<meeting_id_1>[A-Za-z0-9\-]+)\/(?<meeting_id_2>[A-Za-z0-9\-]+)\/(?<pres_id>[A-Za-z0-9\-]+)\/slide\/(?<page_num>\d+)$ {
-                alias    /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/slide-$page_num.swf;
-                if ($bbb_loadbalancer_node) {
-                    add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
-                }
+        location ~^\/bigbluebutton\/presentation\/(?<meeting_id_1>[A-Za-z0-9\-]+)\/(?<meeting_id_2>[A-Za-z0-9\-]+)\/(?<pres_id>[A-Za-z0-9\-]+)\/pdf\/(?<job_id>[A-Za-z0-9]+)\/annotated_slides.pdf$ {
+                default_type application/pdf;
+                alias    /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/pdfs/$job_id/annotated_slides.pdf;
+                add_header 'Access-Control-Allow-Origin' '*' always;
         }
 
         location ~^\/bigbluebutton\/presentation\/(?<meeting_id_1>[A-Za-z0-9\-]+)\/(?<meeting_id_2>[A-Za-z0-9\-]+)\/(?<pres_id>[A-Za-z0-9\-]+)\/thumbnail\/(?<page_num>\d+)$ {
-		default_type image/png;
+                default_type image/png;
                 alias    /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/thumbnails/thumb-$page_num.png;
-                if ($bbb_loadbalancer_node) {
-                    add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
-                }
+                add_header 'Access-Control-Allow-Origin' '*' always;
         }
 
         location ~^\/bigbluebutton\/presentation\/(?<meeting_id_1>[A-Za-z0-9\-]+)\/(?<meeting_id_2>[A-Za-z0-9\-]+)\/(?<pres_id>[A-Za-z0-9\-]+)\/textfiles\/(?<page_num>\d+)$ {
-		default_type text/plain;
+                default_type text/plain;
                 alias    /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/textfiles/slide-$page_num.txt;
-                if ($bbb_loadbalancer_node) {
-                    add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
-                }
+                add_header 'Access-Control-Allow-Origin' '*' always;
         }
 
 

mod/nginx/bbb/recording-screenshare.nginx

@@ -0,0 +1,22 @@
+#
+# BigBlueButton open source conferencing system - http://www.bigbluebutton.org/
+#
+# Copyright (c) 2012 BigBlueButton Inc. and by respective authors (see below).
+#
+# This program is free software; you can redistribute it and/or modify it under the
+# terms of the GNU Lesser General Public License as published by the Free Software
+# Foundation; either version 3.0 of the License, or (at your option) any later
+# version.
+#
+# BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License along
+# with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
+#
+
+        location /recording/screenshare {
+                alias    /var/bigbluebutton/published/screenshare;
+                index  index.html index.htm;
+        }

mod/nginx/bbb/sip.nginx

@@ -1,15 +0,0 @@
-location /ws {
-        proxy_pass https://$freeswitch_addr:7443;
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "Upgrade";
-        proxy_set_header X-Forwarded-Proto https;
-        proxy_set_header X-Forwarded-Ssl on; 
-        proxy_read_timeout 6h;
-        proxy_send_timeout 6h;
-        client_body_timeout 6h;
-        send_timeout 6h;
-        
-        auth_request /bigbluebutton/connection/checkAuthorization;
-        auth_request_set $auth_status $upstream_status;
-}

mod/nginx/bbb/slides.nginx

@@ -0,0 +1,28 @@
+
+#
+# BigBlueButton open source conferencing system - http://www.bigbluebutton.org/
+#
+# Copyright (c) 2012 BigBlueButton Inc. and by respective authors (see below).
+#
+# This program is free software; you can redistribute it and/or modify it under the
+# terms of the GNU Lesser General Public License as published by the Free Software
+# Foundation; either version 3.0 of the License, or (at your option) any later
+# version.
+#
+# BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License along
+# with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
+#
+        location /playback/slides {
+                root    /var/bigbluebutton;
+                index  index.html index.htm;
+        }
+
+        location /slides {
+                root    /var/bigbluebutton/published;
+                index  index.html index.htm;
+        }
+

mod/nginx/bbb/verto.nginx

@@ -1,10 +0,0 @@
-location /verto {
-  proxy_pass https://host.docker.internal:8082;
-  proxy_http_version 1.1;
-  proxy_set_header Upgrade $http_upgrade;
-  proxy_set_header Connection "Upgrade";
-  proxy_read_timeout 6h;
-  proxy_send_timeout 6h;
-  client_body_timeout 6h;
-  send_timeout 6h;
-}

mod/nginx/bbb/web.nginx

@@ -9,32 +9,16 @@
 
                     # Workaround IE refusal to set cookies in iframe
                     add_header P3P 'CP="No P3P policy available"';
-                    if ($bbb_loadbalancer_node) {
-                        add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
-                        add_header 'Access-Control-Allow-Credentials' 'true' always;
-                    }
 		}
 
 
 		location ~ "^\/bigbluebutton\/presentation\/(?<prestoken>[a-zA-Z0-9_-]+)/upload$" {
-			# Grails can't handle CORS OPTION preflight requests correctly -> lets do this in nginx
-			if ($request_method = 'OPTIONS') {
-				add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
-				add_header 'Access-Control-Allow-Credentials' 'true' always;
-				add_header 'Content-Type' 'text/plain; charset=utf-8';
-				add_header 'Content-Length' 0;
-				return 204;
-			}
 			proxy_pass         http://bbb-web:8090;
 			proxy_redirect     default;
 			proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
 
 			# Workaround IE refusal to set cookies in iframe
 			add_header P3P 'CP="No P3P policy available"';
-			if ($bbb_loadbalancer_node) {
-				add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
-				add_header 'Access-Control-Allow-Credentials' 'true' always;
-			}
 
 			# high limit for presentation as bbb-web will reject upload if larger than configured
 			client_max_body_size       1000m;
@@ -73,9 +57,6 @@
 			proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
 			# Workaround IE refusal to set cookies in iframe
 			add_header P3P 'CP="No P3P policy available"';
-			if ($bbb_loadbalancer_node) {
-				add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
-			}
 		}
 
 		location = /bigbluebutton/presentation/checkPresentation {
@@ -87,6 +68,7 @@
 			proxy_set_header        X-Original-URI $request_uri;
 			proxy_set_header	Content-Length "";
 			proxy_set_header	X-Original-Content-Length $http_content_length;
+			proxy_set_header	X-Original-Method $request_method;
 
 			# high limit for presentation as bbb-web will reject upload if larger than configured
 			client_max_body_size       1000m;
@@ -109,6 +91,17 @@
 			proxy_set_header         Content-Length "";
 			proxy_set_header         X-Original-URI $request_uri;
 		}
+
+		location = /bigbluebutton/connection/checkGraphqlAuthorization {
+			internal;
+			proxy_pass               http://bbb-web:8090;
+			proxy_pass_request_body  off;
+			proxy_set_header         Content-Length "";
+			proxy_set_header         X-Original-URI $request_uri;
+			# this is required for CORS preflight checks in cluster setup
+			proxy_set_header        X-Original-Method $request_method;
+		}
+
 		location = /bigbluebutton/connection/legacyCheckAuthorization {
 			internal;
 			proxy_pass               http://bbb-web:8090;
@@ -128,9 +121,6 @@
         location ~ "^/bigbluebutton\/textTrack\/(?<textTrackToken>[a-zA-Z0-9]+)\/(?<recordId>[a-zA-Z0-9_-]+)\/(?<textTrack>.+)$" {
             # Workaround IE refusal to set cookies in iframe
             add_header P3P 'CP="No P3P policy available"';
-            if ($bbb_loadbalancer_node) {
-                add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
-            }
 
             # Allow 30M uploaded presentation document.
             client_max_body_size       30m;
@@ -169,6 +159,18 @@
             proxy_set_header        X-Original-URI $request_uri;
         }
 
+        location /bigbluebutton/rtt-check {
+            default_type text/plain;
+            add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0";
+            add_header Pragma "no-cache";
+            add_header Expires "0";
+            # this Header is required for cluster setups as the ping check is a
+            # CORS request. No cookies are required so we can just allow anyone
+            # to use this endpoint.
+            add_header 'Access-Control-Allow-Origin' '*';
+            return 200 "";
+        }
+
 	}
 
 	location @error403 {
@@ -177,4 +179,4 @@
             }
 
             return 403;
-	}
+	}

mod/nginx/bbb/webrtc-sfu.nginx

@@ -5,6 +5,7 @@ location /bbb-webrtc-sfu {
     auth_request_set $user_id $sent_http_user_id;
     auth_request_set $meeting_id $sent_http_meeting_id;
     auth_request_set $voice_bridge $sent_http_voice_bridge;
+    auth_request_set $user_name $sent_http_user_name;
 
     proxy_pass http://10.7.7.1:3008;
     proxy_http_version 1.1;
@@ -14,9 +15,11 @@ location /bbb-webrtc-sfu {
     proxy_set_header User-Id $user_id;
     proxy_set_header Meeting-Id $meeting_id;
     proxy_set_header Voice-Bridge $voice_bridge;
-    proxy_read_timeout 6h;
-    proxy_send_timeout 6h;
-    client_body_timeout 6h;
-    send_timeout 6h;
+    proxy_set_header User-Name $user_name;
+
+    proxy_read_timeout 60s;
+    proxy_send_timeout 60s;
+    client_body_timeout 60s;
+    send_timeout 60s;
 }
 

mod/nginx/bigbluebutton

@@ -1,40 +1,86 @@
-map $remote_addr $freeswitch_addr {
-    "~:"    [::1];
-    default    10.7.7.1;
-}
-
-upstream poolhtml5servers {
-  zone poolhtml5servers 32k;
-  least_conn;
-  server 10.7.7.200:4100 fail_timeout=10s max_fails=4 backup;
-  server 10.7.7.201:4101 fail_timeout=120s max_fails=1;
-  server 10.7.7.202:4102 fail_timeout=120s max_fails=1;
-  server 10.7.7.203:4103 fail_timeout=120s max_fails=1;
-  # TODO: set server list based on NUMBER_OF_FRONTEND_NODEJS_PROCESSES
-  # server 10.7.7.204:4104 fail_timeout=120s max_fails=1;
-  # server 10.7.7.205:4105 fail_timeout=120s max_fails=1;
-  # server 10.7.7.206:4106 fail_timeout=120s max_fails=1;
-  # server 10.7.7.207:4107 fail_timeout=120s max_fails=1;
-}
-
 server {
+  # proxied from HAProxy
+  listen 48082 http2 proxy_protocol;
+  listen 48081 proxy_protocol;
+
+  # optional ports for other reverse proxies
   listen 48087 default_server;
   listen [::]:48087 default_server;
+
   server_name _;
   access_log /dev/stdout;
   absolute_redirect off;
   root /www/;
   
+  # This variable is used instead of $scheme by bigbluebutton nginx include
+  # files, so $scheme can be overridden in reverse-proxy configurations.
+  set $real_scheme $scheme;
+
   # opt-out of google's floc tracking
   # https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
   add_header Permissions-Policy "interest-cohort=()";
 
-  # redirect to greenlight
-  location = / {
-      return 302 /b;
-  }
 
   # Include specific rules for record and playback
   include /etc/nginx/bbb/*.nginx;
 
+  # redirect old greenlight v2 room links
+  location ~ "/b/([a-z0-9\-]+)" {
+    return 302 /rooms/$1;
+  }
+
+  # serve default.pdf from /www/
+  location = /default.pdf {
+    try_files $uri =404;
+  }
+
+  location / {
+    proxy_pass          http://greenlight:3000;
+    proxy_set_header    Host              $host;
+    proxy_set_header    X-Forwarded-For   "127.0.0.1";
+    proxy_set_header    X-Forwarded-Proto $scheme;
+    proxy_set_header    X-Forwarded-Ssl on;
+    proxy_http_version  1.1;
+    client_max_body_size 1000m;
+  }
+
+  location /cable {
+    proxy_pass          http://greenlight:3000;
+    proxy_set_header    Host              $host;
+    proxy_set_header    X-Forwarded-For   "127.0.0.1";
+    proxy_set_header    X-Forwarded-Proto $scheme;
+    proxy_set_header    X-Forwarded-Ssl on;
+    proxy_set_header    Upgrade           $http_upgrade;
+    proxy_set_header    Connection        "Upgrade";
+    proxy_http_version  1.1;
+    proxy_read_timeout  6h;
+    proxy_send_timeout  6h;
+    client_body_timeout 6h;
+    send_timeout        6h;
+  }
 }
+
+upstream hasura {
+    least_conn;
+    server bbb-graphql-server:8085;
+    # you might want to add more bbb-graphql-server@ instances to balance the
+    # load to multiple bbb-graphql-server instances. Execute 
+    # `systemctl enable --now bbb-graphql-server@8086` and uncomment the
+    # following line:
+    # server 127.0.0.1:8086;
+}
+server {
+    listen 10.7.7.1:8185;
+    listen 127.0.0.1:8185;
+
+    root /var/www/html;
+
+    location / {
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+
+	    proxy_pass http://hasura;
+    }
+}

mod/nginx/nginx.conf

@@ -29,4 +29,25 @@ http {
     #gzip  on;
 
     include /etc/nginx/conf.d/*.conf;
+
+
+    server {
+        # additional server only used for greenlight in dev mode
+        # allows it to use the BBB API without failing 
+        # due to the self signed certificates
+        # 
+        # all other requests (e.g. /join) is then redirected
+        listen 48083 http2;
+        
+        location /bigbluebutton/api/join {
+            return 301 https://10.7.7.1$request_uri;
+        }
+        location /bigbluebutton/api {
+            proxy_pass http://127.0.0.1:48087;
+        }
+        location / {
+            return 301 https://10.7.7.1$request_uri;
+        }
+    }
+
 }

mod/periodic/Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:bullseye-slim
+FROM debian:bookworm-slim
 
 # -- install docker cli
 COPY --from=library/docker:latest /usr/local/bin/docker /usr/bin/docker