Merge pull request #352 from tibroc/update-bbb-build

update bbb-build container tag

CHANGELOG.md

@@ -2,6 +2,17 @@
 
 ## Unreleased
 
+## Release v3.0.4 (2025-03-27)
+- update to 3.0.4 @tibroc [#347](https://github.com/bigbluebutton/docker/pull/347
+- fix not accepting length of dial in / voiceBridge numbers @alangecker
+- upgrade: migrate postgres & greenlight data @alangecker
+
+## Release v3.0.1 (2025-03-11)
+**Breaking change!** make sure to read the [upgrading notes](https://github.com/bigbluebutton/docker/blob/develop/docs/upgrading.md)
+
+- :tada: **BigBlueButton 3.0** [#313](https://github.com/bigbluebutton/docker/pull/313)
+
+
 ## Release v2.7.3 (2023-12-08)
 
 **Breaking change!** make sure to read the [upgrading notes](https://github.com/bigbluebutton/docker/blob/develop/docs/upgrading.md)

README.md

@@ -3,7 +3,7 @@
 
 # 📦 BigBlueButton 3.0 Docker
 
-Version: 3.0.0-beta.5 | [Changelog](CHANGELOG.md) | [Issues](https://github.com/bigbluebutton/docker/issues) | [Upgrading](docs/upgrading.md) | [Development](docs/development.md)
+Version: 3.0.4 | [Changelog](CHANGELOG.md) | [Issues](https://github.com/bigbluebutton/docker/issues) | [Upgrading](docs/upgrading.md) | [Development](docs/development.md)
 
 ## Features
 - Easy installation
@@ -13,14 +13,20 @@ Version: 3.0.0-beta.5 | [Changelog](CHANGELOG.md) | [Issues](https://github.com/
 - Full IPv6 support
 - Runs on any major linux distributon (Debian, Ubuntu, CentOS,...)
 
+## currently missing / broken
+- NAT support
+- bbb-transcription-controller
+- livekit
+
 ## Requirements
 - 4GB of RAM
 - Linux (it will not work under Windows/WSL)
 - Root access (bbb-docker uses host networking, so it won't work with Kubernetes, any "CaaS"-Service, etc.)
 - Public IPv4 (expect issues with a firewall / NAT)
 - firewall allows internal networking (e.g. for ufw: `ufw allow 10.7.7.0/24`)
+- git installed
 
-## Install
+## Install production server
 1. Ensure the requirements above are fulfilled (it really doesn't work without them)
 2. Install docker-ce & docker-compose-plugin
     1. follow instructions
@@ -35,7 +41,7 @@ Version: 3.0.0-beta.5 | [Changelog](CHANGELOG.md) | [Issues](https://github.com/
    $ git clone https://github.com/bigbluebutton/docker.git bbb-docker
    $ cd bbb-docker
 
-   # use the more stable main branch (sometimes older)
+   # optional: use the more stable main branch (often much older)
    $ git checkout main 
    ```
 4. Run setup:
@@ -57,7 +63,20 @@ Version: 3.0.0-beta.5 | [Changelog](CHANGELOG.md) | [Issues](https://github.com/
     $ docker compose exec greenlight bundle exec rake admin:create
     ```
 
+## Development setup
+1. Clone this repository
+   ```sh
+   $  git clone --recurse-submodules https://github.com/bigbluebutton/docker.git bbb-dev
+   ```
+2. Start dev server
+   ```sh
+   $ cd bbb-dev
+   $ ./scripts/dev
+   ```
+3. Use API Mate with the link presented in the console to create & join a conference
+
+
 ## Further How-To's
-- [Running behind NAT](docs/behind-nat.md)
+<!-- - [Running behind NAT](docs/behind-nat.md) -->
 - [Integration into an existing web server](docs/existing-web-server.md)
 

docker-compose.tmpl.yml

@@ -145,8 +145,8 @@ services:
         - plugin=./repos/bbb-etherpad-plugin
         - skin=./repos/bbb-etherpad-skin
       args:
-        TAG_ETHERPAD: "1.9.4"
-    image: alangecker/bbb-docker-etherpad:1.9.1-s{{ .Env.COMMIT_ETHERPAD_SKIN }}-p{{ .Env.COMMIT_ETHERPAD_PLUGIN }}
+        TAG_ETHERPAD: "2.2.7"
+    image: alangecker/bbb-docker-etherpad:2.2.7-s{{ .Env.COMMIT_ETHERPAD_SKIN }}-p{{ .Env.COMMIT_ETHERPAD_PLUGIN }}
     restart: unless-stopped
     depends_on:
       - redis
@@ -173,6 +173,29 @@ services:
       bbb-net:
         ipv4_address: 10.7.7.18
 
+  bbb-export-annotations:
+    build:
+      context: mod/bbb-export-annotations
+      additional_contexts:
+        src: ./repos/bigbluebutton/bbb-export-annotations
+    image: alangecker/bbb-docker-bbb-export-annotations:{{ .Env.TAG_BBB }}
+    restart: unless-stopped
+    depends_on:
+      - redis
+      - etherpad
+      - bbb-pads
+    networks:
+    # need connections to:
+    # https://github.com/bigbluebutton/bigbluebutton/blob/v2.7.0/bbb-export-annotations/config/settings.json
+    # "bbbWebAPI": "http://127.0.0.1:8090",    -> bbb-web
+    # "bbbPadsAPI": "http://127.0.0.1:9002",   -> bbb-pads
+      bbb-net:
+        ipv4_address: 10.7.7.19
+    volumes:
+      - ./data/bigbluebutton:/var/bigbluebutton
+    tmpfs:
+      - /tmp
+
   redis:
     image: redis:7.2-alpine
     restart: unless-stopped
@@ -267,7 +290,8 @@ services:
         - src=./repos/bigbluebutton/bbb-graphql-server
       args:
         BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }}
-        GRAPHQL_ENGINE_TAG: v2.44.0
+        GRAPHQL_ENGINE_TAG: v2.45.0
+    image: alangecker/bbb-docker-graphql-server:{{ .Env.TAG_BBB }}
     depends_on:
       - postgres
       - bbb-web
@@ -294,6 +318,7 @@ services:
       {{ end }}
       args:
         BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }}
+    image: alangecker/bbb-docker-graphql-actions:{{ .Env.TAG_BBB }}
     restart: unless-stopped
     depends_on:
       - redis
@@ -318,6 +343,7 @@ services:
       {{ end }}
       args:
         BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }}
+    image: alangecker/bbb-docker-graphql-middleware:{{ .Env.TAG_BBB }}
     restart: unless-stopped
     depends_on:
       - bbb-graphql-server
@@ -327,6 +353,8 @@ services:
     networks:
       bbb-net:
         ipv4_address: 10.7.7.32
+    extra_hosts:
+      - "nginx:10.7.7.1"
 
     {{ if isTrue .Env.DEV_MODE }}
     user: ${BBB_DEV_UID}:${BBB_DEV_GID}
@@ -353,7 +381,7 @@ services:
 
   periodic:
     build: mod/periodic
-    image: alangecker/bbb-docker-periodic:v2.7.0
+    image: alangecker/bbb-docker-periodic:v3.0.0
     restart: unless-stopped
 
     volumes:
@@ -446,6 +474,7 @@ services:
     volumes:
       - ./data/haproxy/letsencrypt:/etc/letsencrypt
       - ./mod/haproxy/haproxy.cfg:/etc/haproxy/haproxy.cfg
+      - ./mod/haproxy/protocolmap:/etc/haproxy/protocolmap
     environment:
       - IGNORE_TLS_CERT_ERRORS={{$ignore_tls_cert_errors}}
       - CERT1=${DOMAIN}
@@ -472,7 +501,7 @@ services:
 {{ if isTrue .Env.ENABLE_GREENLIGHT }}
   # greenlight
   greenlight:
-    image: bigbluebutton/greenlight:v3.4.1
+    image: bigbluebutton/greenlight:v3.5.0
     restart: unless-stopped
     env_file: .env
     depends_on:
@@ -480,7 +509,7 @@ services:
       - redis
 
     environment:
-      DATABASE_URL: postgres://postgres:${POSTGRESQL_SECRET:-password}@postgres:5432/greenlight-v3
+      DATABASE_URL: postgres://postgres:${POSTGRESQL_SECRET:-password}@postgres:5432/greenlight
       REDIS_URL: redis://redis:6379
       {{ if $ignore_tls_cert_errors }}
       BIGBLUEBUTTON_ENDPOINT: http://10.7.7.1:48083/bigbluebutton/api

docs/development.md

@@ -15,6 +15,8 @@ you can now run bbb-docker locally by simply starting
 $ ./scripts/dev
 ```
 
+Use the API Mate with the link presented in the console to create & join a conference.
+
 ### Hints
 - the html5 component will watch and automatically reload on any changes 🚀
 - if you change anything in the other components, you need to
@@ -26,10 +28,7 @@ $ ./scripts/dev
   `$ ./scripts/generate-compose`
 - view the logs with \
   `$ docker compose logs -f`
-- and access the API via \
-  https://mconf.github.io/api-mate/#server=https://10.7.7.1/bigbluebutton/api&sharedSecret=SuperSecret
-    * At some point your browser will warn you about an invalid certificate, but you can press _"Accept the Risk and Continue" / "Proceed to 10.7.7.1 (unsafe)"_
-
+- At some point your browser will warn you about an invalid certificate, but you can press _"Accept the Risk and Continue" / "Proceed to 10.7.7.1 (unsafe)"_
 
 ## Notes
 - Due to the self signed ssl certificate it is currently not possible to notify greenlight about recordings in dev mode

docs/network-config.md

@@ -24,6 +24,7 @@ Services as configured.
 | coturn | network_mode: host | |
 | greenlight | | | ports: 10.7.7.1:5000:80
 | prometheus | bbb-net | 10.7.7.33 |
+| bbb-export-annotations | bbb-net | 10.7.7.19 |
 
 ```yml
 networks:  

docs/upgrading.md

@@ -1,29 +1,29 @@
 # How To Upgrade bbb-docker
 
-### Upgrading from `v2.6.x`
-- **Breaking change:** We use now Docker Compose V2
+### Breaking changes `v2.7.x` -> `v3.0.x`
+- **A setup behind NAT does currently not work!**
+- `LETSENCRYPT_EMAIL` is now required in `.env` when used with the integrated HAProxy
+- the greenlight postgres database is now called `greenlight` instead of `greenlight-v3`
+
+
+### Breaking changes `v2.6.x` -> `v2.7.x`
+- We use now Docker Compose V2
     * make sure you have docker ≥ 23.0 installed (`$ docker -v`)
     * update all usages of `docker-compose` to `docker compose` in your scripts
 
-apart from that follow the guide (_within v2.7.x_) below.
-
-### Upgrading from `v2.5.x`
-
-- **Breaking change:** Greenlight got fully rewritten
+### Breaking changes `v2.5.x` -> `v2.6.x`
+- Greenlight got fully rewritten
     * it is starting as a fresh installation. you can migrate your data with `./scripts/greenlight-migrate-v2-v3`
     * some greenlight settings under `.env` have changed. compare your version with `sample.env`
     * it is now served directly under `/` and not in `/b`. If you use an reverse proxy not included in this repo, ensure to update your config accordingly!
 
-apart from that follow the guide below.
-
-### within `v2.7.x`
-#### Backup
+### Backup
 if you use greenlight, create a database backup first
 ```bash
 docker exec -t docker_postgres_1 pg_dumpall -c -U postgres > /root/greenlight_`date +%d-%m-%Y"_"%H_%M_%S`.sql
 ```
 
-#### Upgrading
+### Upgrading
 ```bash
 # upgrade!
 ./scripts/upgrade

mod/apps-akka/bbb-apps-akka.conf

@@ -8,6 +8,7 @@ redis {
 services {
   bbbWebAPI="https://DOMAIN/bigbluebutton/api"
   sharedSecret="SHARED_SECRET"
+  graphqlMiddlewareAPI = "http://10.7.7.32:8378"
 }
 http {
   interface = "0.0.0.0"

mod/bbb-export-annotations/Dockerfile

@@ -0,0 +1,23 @@
+FROM node:22-bookworm-slim AS builder
+
+COPY --from=src / /bbb-export-annotations
+RUN cd /bbb-export-annotations && npm ci && npm install
+
+# --------------------
+
+FROM node:22-bookworm-slim
+
+RUN groupadd -g 998 bigbluebutton \
+    && useradd -m -u 998 -g bigbluebutton bigbluebutton
+
+RUN apt update && apt install -y \
+    nodejs npm cairosvg ghostscript imagemagick nodejs poppler-utils
+
+COPY --from=builder /bbb-export-annotations /bbb-export-annotations
+COPY ./config/settings.json /bbb-export-annotations/config/settings.json
+
+USER bigbluebutton
+WORKDIR /bbb-export-annotations
+ENV NODE_ENV=production
+
+ENTRYPOINT npm start

mod/bbb-export-annotations/config/settings.json

@@ -0,0 +1,40 @@
+{
+    "log": {
+      "level": "info",
+      "msgName": "PresAnnStatusMsg"
+    },
+    "shared": {
+      "presAnnDropboxDir": "/tmp/pres-ann-dropbox",
+      "cairosvg": "/usr/bin/cairosvg",
+      "ghostscript": "/usr/bin/gs"
+    },
+    "process": {
+      "maxImageWidth": 1440,
+      "maxImageHeight": 1080,
+      "pointsPerInch": 72,
+      "pixelsPerInch": 96,
+      "cairoSVGUnsafeFlag": false
+    },
+    "notifier": {
+      "pod_id": "DEFAULT_PRESENTATION_POD",
+      "is_downloadable": "false",
+      "msgName": "NewPresFileAvailableMsg"
+    },
+    "bbbWebAPI": "http://bbb-web:8090",
+    "bbbPadsAPI": "http://bbb-pads:9002",
+    "redis": {
+      "host": "redis",
+      "port": 6379,
+      "password": null,
+      "channels": {
+        "queue": "exportJobs",
+        "publish": "to-akka-apps-redis-channel"
+      }
+    },
+    "fonts": {
+      "draw": "/usr/local/share/fonts/CaveatBrush-Regular-2015-09-23.ttf",
+      "sans": "/usr/local/share/fonts/CrimsonPro[wght]-1.003.ttf",
+      "serif": "/usr/local/share/fonts/SourceSansPro-Regular-2.045.ttf",
+      "mono": "/usr/local/share/fonts/SourceCodePro-Regular-2.038.ttf"
+  }
+}

mod/bbb-graphql-middleware/config.yml

@@ -6,7 +6,7 @@ redis:
   port: 6379
   password: ""
 hasura:
-  url: ws://bbb-graphql-server:8085/v1/graphql
+  url: ws://nginx:8185/v1/graphql
 graphql-actions:
   url: http://bbb-graphql-actions:8093
 auth_hook:

mod/bbb-pads/Dockerfile

@@ -1,4 +1,4 @@
-FROM node:18-bookworm-slim AS builder
+FROM node:22-bookworm-slim AS builder
 
 COPY --from=src / /bbb-pads
 RUN cd /bbb-pads && rm -r .git && npm install --production
@@ -7,7 +7,7 @@ RUN cd /bbb-pads && rm -r .git && npm install --production
 RUN chmod 777 /bbb-pads/config
 # ------------------------------
 
-FROM node:18-bookworm-slim
+FROM node:22-bookworm-slim
 
 RUN apt update && apt install -y jq moreutils \
     && useradd --uid 2003 --create-home --user-group bbb-pads

mod/bbb-web/bbb-web.properties

@@ -21,4 +21,6 @@ presentationBaseURL=http://{{ .Env.DOMAIN }}/bigbluebutton/presentation
 beans.presentationService.defaultUploadedPresentation=${bigbluebutton.web.serverURL}/default.pdf
 {{end}}
 
-learningDashboardEnabled={{ .Env.ENABLE_LEARNING_DASHBOARD }}
+learningDashboardEnabled={{ .Env.ENABLE_LEARNING_DASHBOARD }}
+
+defaultNumDigitsForTelVoice=9

mod/bbb-web/entrypoint.sh

@@ -11,9 +11,11 @@ mkdir -p /var/bigbluebutton/recording/publish
 mkdir -p /var/bigbluebutton/recording/status/recorded
 mkdir -p /var/bigbluebutton/recording/status/archived
 mkdir -p /var/bigbluebutton/recording/status/processed
+mkdir -p /var/bigbluebutton/recording/status/ended
 mkdir -p /var/bigbluebutton/recording/status/sanity
 mkdir -p /var/bigbluebutton/recording/status/published
 mkdir -p /var/bigbluebutton/captions
+mkdir -p /var/bigbluebutton/captions/inbox
 mkdir -p /var/bigbluebutton/published
 mkdir -p /var/bigbluebutton/deleted
 mkdir -p /var/bigbluebutton/unpublished

mod/bbb-webrtc-recorder/Dockerfile

@@ -1,5 +1,5 @@
 # Build stage
-FROM golang:1.21 as builder
+FROM golang:1.23 as builder
 
 ARG APP_VERSION=devel
 ARG GOMOD=github.com/bigbluebutton/bbb-webrtc-recorder

mod/etherpad/Dockerfile

@@ -7,20 +7,21 @@ RUN apk add git curl
 
 USER etherpad
 
-RUN npm install \
-    ep_cursortrace@3.1.16 \
-    git+https://github.com/mconf/ep_pad_ttl.git#360136cd38493dd698435631f2373cbb7089082d \
-    git+https://github.com/mconf/ep_redis_publisher.git#2b6e47c1c59362916a0b2961a29b259f2977b694 \
-    ep_disable_chat@0.0.8 \
+RUN pnpm run plugins i \
+    ep_disable_chat@0.0.10 \
     ep_auth_session@1.1.1 \
-# remove npm lockfile, because somehow it prevents etherpad from detecting the manual added plugin ep_bigbluebutton_patches
-    && rm package-lock.json package.json
+    --github \
+        mconf/ep_cursortrace#56fb8c2b211cdda4fc8715ec99e1cb7b7d9eb851 \
+        mconf/ep_pad_ttl#360136cd38493dd698435631f2373cbb7089082d \
+        mconf/ep_redis_publisher#2b6e47c1c59362916a0b2961a29b259f2977b694
+
 
 # add skin from git submodule
 COPY --chown=etherpad:0 --from=skin / /opt/etherpad-lite/src/static/skins/bigbluebutton
 
 # add plugin from git submodule
-COPY --chown=etherpad:0 --from=plugin / /opt/etherpad-lite/node_modules/ep_bigbluebutton_patches
+COPY --chown=etherpad:0 --from=plugin / /ep_bigbluebutton_patches
+RUN pnpm run plugins i --path /ep_bigbluebutton_patches
 
 COPY settings.json /opt/etherpad-lite/settings.json
 COPY etherpad-export.sh /etherpad-export.sh

mod/etherpad/entrypoint.sh

@@ -1,5 +1,3 @@
 #!/bin/sh
 echo $ETHERPAD_API_KEY > /tmp/apikey
-export NODE_ENV=production
-
-node /opt/etherpad-lite/node_modules/ep_etherpad-lite/node/server.js --apikey /tmp/apikey
+pnpm run prod --apikey /tmp/apikey

mod/etherpad/settings.json

@@ -140,7 +140,7 @@
    * "full-width-editor" variant (by default editor is rendered as a page, with
    * a max-width of 900px).
    */
-  "skinVariants": "super-light-toolbar super-light-editor light-background",
+  "skinVariants": "",
 
   /*
    * IP and port which Etherpad should bind at.
@@ -162,6 +162,14 @@
    */
   "showSettingsInAdminPage": true,
 
+  /*
+   * Settings for cleanup of pads
+   */
+  "cleanup": {
+    "enabled": false,
+    "keepRevisions": 5
+  },
+
   /*
    * Node native SSL support
    *
@@ -271,6 +279,14 @@
     "pageDown":  true
   },
 
+  /*
+   * Enables the use of a different server. We have a different one that syncs changes from the original server.
+   * It is hosted on GitHub and should not be blocked by many firewalls.
+   *  https://etherpad.org/ep_infos
+   */
+
+  "updateServer": "https://etherpad.org/ep_infos",
+
   /*
    * Should we suppress errors from being visible in the default Pad Text?
    */
@@ -323,14 +339,6 @@
    */
   "soffice": "/etherpad-export.sh",
 
-  /*
-   * Path to the Tidy executable.
-   *
-   * Tidy is used to improve the quality of exported pads.
-   * Setting it to null disables Tidy.
-   */
-  "tidyHtml": null,
-
   /*
    * Allow import of file types other than the supported ones:
    * txt, doc, docx, rtf, odt, html & htm
@@ -364,6 +372,22 @@
    * Settings controlling the session cookie issued by Etherpad.
    */
   "cookie": {
+    /*
+     * How often (in milliseconds) the key used to sign the express_sid cookie
+     * should be rotated. Long rotation intervals reduce signature verification
+     * overhead (because there are fewer historical keys to check) and database
+     * load (fewer historical keys to store, and less frequent queries to
+     * get/update the keys). Short rotation intervals are slightly more secure.
+     *
+     * Multiple Etherpad processes sharing the same database (table) is
+     * supported as long as the clock sync error is significantly less than this
+     * value.
+     *
+     * Key rotation can be disabled (not recommended) by setting this to 0 or
+     * null, or by disabling session expiration (see sessionLifetime).
+     */
+    "keyRotationInterval": 86400000, // = 1d * 24h/d * 60m/h * 60s/m * 1000ms/s
+
     /*
      * Value of the SameSite cookie property. "Lax" is recommended unless
      * Etherpad will be embedded in an iframe from another site, in which case
@@ -375,7 +399,51 @@
      * significant usability drawbacks vs. "Lax". See
      * https://stackoverflow.com/q/41841880 for discussion.
      */
-    "sameSite": "None"
+    "sameSite": "None",
+
+    /*
+     * How long (in milliseconds) after navigating away from Etherpad before the
+     * user is required to log in again. (The express_sid cookie is set to
+     * expire at time now + sessionLifetime when first created, and its
+     * expiration time is periodically refreshed to a new now + sessionLifetime
+     * value.) If requireAuthentication is false then this value does not really
+     * matter.
+     *
+     * The "best" value depends on your users' usage patterns and the amount of
+     * convenience you desire. A long lifetime is more convenient (users won't
+     * have to log back in as often) but has some drawbacks:
+     *   - It increases the amount of state kept in the database.
+     *   - It might weaken security somewhat: The cookie expiration is refreshed
+     *     indefinitely without consulting authentication or authorization
+     *     hooks, so once a user has accessed a pad, the user can continue to
+     *     use the pad until the user leaves for longer than sessionLifetime.
+     *   - More historical keys (sessionLifetime / keyRotationInterval) must be
+     *     checked when verifying signatures.
+     *
+     * Session lifetime can be set to infinity (not recommended) by setting this
+     * to null or 0. Note that if the session does not expire, most browsers
+     * will delete the cookie when the browser exits, but a session record is
+     * kept in the database forever.
+     */
+    "sessionLifetime": 864000000, // = 10d * 24h/d * 60m/h * 60s/m * 1000ms/s
+
+    /*
+     * How long (in milliseconds) before the expiration time of an active user's
+     * session is refreshed (to now + sessionLifetime). This setting affects the
+     * following:
+     *   - How often a new session expiration time will be written to the
+     *     database.
+     *   - How often each user's browser will ping the Etherpad server to
+     *     refresh the expiration time of the session cookie.
+     *
+     * High values reduce the load on the database and the load from browsers,
+     * but can shorten the effective session lifetime if Etherpad is restarted
+     * or the user navigates away.
+     *
+     * Automatic session refreshes can be disabled (not recommended) by setting
+     * this to null.
+     */
+    "sessionRefreshInterval": 86400000 // = 1d * 24h/d * 60m/h * 60s/m * 1000ms/s
   },
 
   /*
@@ -475,7 +543,7 @@
   /*
    * Restrict socket.io transport methods
    */
-  "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
+  "socketTransportProtocols" : ["websocket", "polling"],
 
   "socketIo": {
     /*
@@ -485,7 +553,7 @@
      * value to work properly, but increasing the value increases susceptibility
      * to denial of service attacks (malicious clients can exhaust memory).
      */
-    "maxHttpBufferSize": 10000
+    "maxHttpBufferSize": 50000
   },
 
   /*
@@ -550,6 +618,13 @@
    */
   "importMaxFileSize": 52428800, // 50 * 1024 * 1024
 
+  /*
+    The authentication method used by the server.
+    The default value is sso
+    If you want to use the old authentication system, change this to apikey
+   */
+  "authenticationMethod": "apikey",
+
   /*
    * From Etherpad 1.8.5 onwards, when Etherpad is in production mode commits from individual users are rate limited
    *
@@ -566,7 +641,6 @@
     "points": 100
   },
 
-
   /*
    * Toolbar buttons configuration.
    *
@@ -596,6 +670,13 @@
    */
   "loglevel": "INFO",
 
+    /*
+   * The log layout type to use.
+   *
+   * Valid values: basic, colored
+   */
+   "logLayoutType": "colored",
+
   /* Override any strings found in locale directories */
   "customLocaleStrings": {
     "de": {
@@ -633,8 +714,10 @@
   },
 
   /* Disable Admin UI tests */
-  "enableAdminUITests": false
-}
-
-
+  "enableAdminUITests": false,
 
+  /*
+   * Enable/Disable case-insensitive pad names.
+   */
+  "lowerCasePadIds": false
+}

mod/freeswitch/conf/dialplan/public/dialin.xml

@@ -1,6 +1,8 @@
 <include>
   <extension name="from_my_provider">
-    <condition field="destination_number" expression="^DIALIN">
+    <!-- match only calls from dial-in which haven't got transfered yet   -->
+    <condition field="destination_number" expression="^(?!SEND_TO_CONFERENCE).*$"/>
+    <condition field="${sofia_profile_name}" expression="^external-dialin$">
       <action application="start_dtmf" />
       <action application="answer"/>
       <action application="sleep" data="1000"/>

mod/haproxy/bootstrap.sh

@@ -7,6 +7,11 @@ set -e
 
 declare -p | grep -Ev '^declare -[[:alpha:]]*r' > /container.env
 
+# when used with an IP, we'll also disable certbot
+if [[ "$CERT1" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+  IGNORE_TLS_CERT_ERRORS=true
+fi
+
 if [ "$IGNORE_TLS_CERT_ERRORS"  ] && [ "$IGNORE_TLS_CERT_ERRORS" != "false" ]; then
     # use self signed certificate
     if [ ! -f /etc/haproxy/certs/haproxy-10.7.7.1.pem ]; then

mod/haproxy/haproxy.cfg

@@ -64,7 +64,7 @@ frontend nginx_or_turn
   use_backend nginx-http2 if { ssl_fc_alpn h2 }
   use_backend nginx if { ssl_fc_alpn http/1.1 }
   use_backend turn if { ssl_fc_alpn stun.turn }
-  # use_backend %[capture.req.hdr(0),map_str(/etc/haproxy/protocolmap,turn)]
+  use_backend %[capture.req.hdr(0),map_str(/etc/haproxy/protocolmap,turn)]
   default_backend turn
 
 backend turn

mod/haproxy/protocolmap

@@ -0,0 +1,52 @@
+a nginx
+b nginx
+c nginx
+d nginx
+e nginx
+f nginx
+g nginx
+h nginx
+i nginx
+j nginx
+k nginx
+l nginx
+m nginx
+n nginx
+o nginx
+p nginx
+q nginx
+r nginx
+s nginx
+t nginx
+u nginx
+v nginx
+w nginx
+x nginx
+y nginx
+z nginx
+A nginx
+B nginx
+C nginx
+D nginx
+E nginx
+F nginx
+G nginx
+H nginx
+I nginx
+J nginx
+K nginx
+L nginx
+M nginx
+N nginx
+O nginx
+P nginx
+Q nginx
+R nginx
+S nginx
+T nginx
+U nginx
+V nginx
+W nginx
+X nginx
+Y nginx
+Z nginx

mod/nginx/Dockerfile

@@ -11,14 +11,34 @@ RUN cd /bbb-playback && npm install && npm run-script build
 FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder-html5
 COPY --from=src-html5 / /source
 RUN cd /source && CI=true npm ci
-RUN cd /source && DISABLE_ESLINT_PLUGIN=true npm run build
+RUN cd /source && DISABLE_ESLINT_PLUGIN=true npm run build-safari && npm run build
+RUN cd /source/dist && \
+    HASH=$(ls | grep -Eo 'bundle\.[a-f0-9]{20}\.js' | head -n 1 | grep -Eo '[a-f0-9]{20}') && \
+    if [ -z "$HASH" ]; then \
+      echo "Bundle hash not found."; \
+    else \
+      for FILE in *.safari.js *.safari.js.map; do \
+        if [[ "$FILE" == *"$HASH"* ]]; then \
+          continue; \
+        fi; \
+        PREFIX="${FILE%%.safari.js*}"; \
+        SUFFIX="${FILE#*.safari.js}"; \
+        NEW_NAME="${PREFIX}.${HASH}.safari.js${SUFFIX}"; \
+        echo "Renaming $FILE → $NEW_NAME"; \
+        mv "$FILE" "$NEW_NAME"; \
+      done; \
+    fi
+
 RUN find /source/dist -name '*.js' -exec gzip -k -f -9 '{}' \; \
     && find /source/dist -name '*.css' -exec gzip -k -f -9 '{}' \; \
     && find /source/dist -name '*.wasm' -exec gzip -k -f -9 '{}' \;
 
+RUN sed -i "s/VERSION/$BBB_BUILD_TAG/g" /source/dist/index.html && \
+    sed -i "s/VERSION/$BBB_BUILD_TAG/g" /source/dist/stylesheets/fonts.css
+
 # --------------------
 
-FROM nginx:1.25-alpine
+FROM nginx:1.27-alpine
 
 COPY --from=builder-learning-dashboard /bbb-learning-dashboard/build /www/learning-analytics-dashboard/
 COPY --from=builder-playback /bbb-playback/build /www/playback/presentation/2.3

mod/nginx/bbb-html5.dev.nginx

@@ -3,6 +3,11 @@ location = /html5client/locales/ {
   alias /usr/share/bigbluebutton/html5-client/locales/;
   autoindex on;
   autoindex_format json;
+
+  # Prevent browsers from caching
+  add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0";
+  add_header Pragma "no-cache";
+  add_header Expires 0;
 }
 
 # running from source (npm start)

mod/nginx/bbb/graphql.nginx

@@ -24,7 +24,7 @@ location /api/rest/clientSettings {
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "Upgrade";
     proxy_set_header Host $host;
-    proxy_pass http://bbb-graphql-server:8085; #Hasura
+    proxy_pass http://127.0.0.1:8185; #Hasura
 }
 
 location /api/rest/userMetadata {
@@ -35,5 +35,5 @@ location /api/rest/userMetadata {
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "Upgrade";
     proxy_set_header Host $host;
-    proxy_pass http://bbb-graphql-server:8085; #Hasura
+    proxy_pass http://127.0.0.1:8185; #Hasura
 }

mod/nginx/bbb/web.nginx

@@ -159,7 +159,7 @@
             proxy_set_header        X-Original-URI $request_uri;
         }
 
-        location /bigbluebutton/ping {
+        location /bigbluebutton/rtt-check {
             default_type text/plain;
             add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0";
             add_header Pragma "no-cache";

mod/nginx/bigbluebutton

@@ -59,3 +59,28 @@ server {
     send_timeout        6h;
   }
 }
+
+upstream hasura {
+    least_conn;
+    server bbb-graphql-server:8085;
+    # you might want to add more bbb-graphql-server@ instances to balance the
+    # load to multiple bbb-graphql-server instances. Execute 
+    # `systemctl enable --now bbb-graphql-server@8086` and uncomment the
+    # following line:
+    # server 127.0.0.1:8086;
+}
+server {
+    listen 10.7.7.1:8185;
+    listen 127.0.0.1:8185;
+
+    root /var/www/html;
+
+    location / {
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+
+	    proxy_pass http://hasura;
+    }
+}

mod/recordings/Dockerfile

@@ -38,7 +38,7 @@ ENV LANGUAGE en_US.UTF-8
 
 # compile and install mkclean
 RUN cd /tmp \
-    && wget https://netcologne.dl.sourceforge.net/project/matroska/mkclean/mkclean-0.8.10.tar.bz2 \
+    && wget https://phoenixnap.dl.sourceforge.net/project/matroska/mkclean/mkclean-0.8.10.tar.bz2 \
     && tar -xf /tmp/mkclean-0.8.10.tar.bz2 \
     && cd /tmp/mkclean-0.8.10 \
     && sed -i 's/\r//g' ./mkclean/configure.compiled \
@@ -54,7 +54,7 @@ RUN wget -q https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VE
     && rm dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz
 
 # add yq for bbb-record
-RUN  wget -q https://github.com/mikefarah/yq/releases/download/3.4.1/yq_linux_amd64 -O /usr/bin/yq \
+RUN  wget -q https://github.com/mikefarah/yq/releases/download/v4.45.1/yq_linux_amd64 -O /usr/bin/yq \
     && chmod +x /usr/bin/yq
 
 RUN mkdir -p \

mod/webhooks/Dockerfile

@@ -1,4 +1,4 @@
-FROM node:18-bookworm-slim AS builder
+FROM node:22-bookworm-slim AS builder
 
 
 RUN apt-get update && apt-get install -y git wget
@@ -12,7 +12,7 @@ RUN cd /bbb-webhooks && npm ci --omit=dev && rm -rf /bbb-webhooks./.git
 RUN chmod 777 /bbb-webhooks/config
 # ------------------------------
 
-FROM node:18-bookworm-slim
+FROM node:22-bookworm-slim
 RUN useradd --uid 2004 --user-group bbb-webhooks
 
 COPY --from=builder /usr/bin/yq /usr/bin/yq

mod/webrtc-sfu/Dockerfile

@@ -4,11 +4,17 @@ FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder
 
 RUN useradd --uid 2004 --user-group webrtc-sfu 
 
+# cache packages
+COPY --from=source /package.json /cache/package.json
+RUN cd /cache && npm install --unsafe-perm
+
 COPY --from=source / /app
 
 ENV NODE_ENV production
 
+
 RUN cd /app \
+  && rm -rf /app/node_modules && cp -a /cache/node_modules /app/node_modules \
  && cp config/default.example.yml config/production.yml \
  && npm install --unsafe-perm \
  && npm cache clear --force \
@@ -18,7 +24,7 @@ RUN cd /app \
 
 
 # =============================
-FROM node:18-bookworm-slim
+FROM node:22-bookworm-slim
 RUN useradd --uid 2004 --user-group webrtc-sfu 
 ENV NODE_ENV production
 

repos/tags

@@ -3,11 +3,12 @@
 # used to determine submodule tags without the need for
 # checking out the whole submodule
 
-repos/bbb-etherpad-plugin 068ded5
+repos/bbb-etherpad-plugin 88f3f6b
 repos/bbb-etherpad-skin 8328b77
 repos/bbb-pads v1.5.3
-repos/bbb-playback v5.1.3
-repos/bbb-webhooks v3.3.0
-repos/bbb-webrtc-sfu v2.17.0-alpha.1
-repos/bigbluebutton v3.0.0-beta.5
+repos/bbb-playback v5.3.1
+repos/bbb-webhooks v3.3.1
+repos/bbb-webrtc-recorder v0.8.0
+repos/bbb-webrtc-sfu v2.17.0-beta.6
+repos/bigbluebutton v3.0.4
 repos/freeswitch v1.10.12

scripts/bbb-record

@@ -4,7 +4,7 @@ set -e
 cd $(dirname $0)/..
 
 # load .env
-. functions.sh
+. scripts/functions.sh
 load_env
 
 if [ ! "$ENABLE_RECORDING" == true ]; then

scripts/functions.sh

@@ -16,6 +16,8 @@ function ensure_submodules {
     
 }
 
+# this file should exist, otherwise it is created by docker
+# with the wrong permissions
 function ensure_bbbhtml5yml {
     if [ ! -f conf/bbb-html5.yml ]; then
 

scripts/generate-compose

@@ -18,7 +18,7 @@ if [ -z "$EXTERNAL_IPv4" ]; then
     exit 1
 fi
 
-if [ "$ENABLE_HTTPS_PROXY" ] && [ -z "$LETSENCRYPT_EMAIL" ]; then
+if [ "$ENABLE_HTTPS_PROXY" ] && [ -z "$LETSENCRYPT_EMAIL" ] && [ -z "$DEV_MODE" ]; then
     echo "ERROR: LETSENCRYPT_EMAIL is not set in .env"
     echo "you need to specify an email adress, otherwise the certificate"
     echo "retrieval will fail"
@@ -36,7 +36,7 @@ function get_tag {
 }
 
 # https://hub.docker.com/r/bigbluebutton/bbb-build
-BBB_BUILD_TAG=v3.0.x-release--2024-08-30-014114
+BBB_BUILD_TAG=v3.0.x-release
 
 docker run  \
     --rm  \

scripts/postgres-migrate

@@ -0,0 +1,57 @@
+#!/bin/bash -e
+
+OLD_DATA_DIR=$(realpath "$1")
+NEW_DATA_DIR=$(realpath "$2")
+NEW_POSTGRES_VERSION=$3
+
+if [ -d "$NEW_DATA_DIR" ]; then
+    echo "new postgres data directory $2 already exists. this is not expected"
+    exit 1
+fi
+
+
+OLD_PG_VERSION=$(cat "$OLD_DATA_DIR/PG_VERSION")
+
+
+
+echo spin up a temporary postgres instance on $OLD_DATA_DIR
+TEMP_CONTAINER_ID=$(docker run --detach --rm "-v=$OLD_DATA_DIR:/var/lib/postgresql/data"  -e POSTGRES_HOST_AUTH_METHOD=trust postgres:$OLD_PG_VERSION-alpine)
+
+until docker exec $TEMP_CONTAINER_ID psql -U postgres -c "select 1" > /dev/null 2>&1; do
+  echo "Waiting for postgres server..."
+  sleep 1
+done
+
+echo "find old greenlight database..."
+if docker exec $TEMP_CONTAINER_ID psql -U postgres -lqt | cut -d \| -f 1  | grep greenlight-v3; then
+    OLD_DATABASE=greenlight-v3
+elif docker exec $TEMP_CONTAINER_ID psql -U postgres -lqt | cut -d \| -f 1  | grep greenlight; then
+    OLD_DATABASE=greenlight
+fi
+echo "old database is called $OLD_DATABASE"
+echo ""
+
+echo "dumping data from old databse..."
+GREENLIGHT_DUMP=$(mktemp)
+docker exec $TEMP_CONTAINER_ID pg_dump -U postgres $OLD_DATABASE > $GREENLIGHT_DUMP
+docker stop $TEMP_CONTAINER_ID
+
+
+echo spin up a temporary postgres instance on $NEW_DATA_DIR
+TEMP_CONTAINER_ID=$(docker run --detach --rm "-v=$NEW_DATA_DIR:/var/lib/postgresql/data"  -e POSTGRES_HOST_AUTH_METHOD=trust postgres:$NEW_POSTGRES_VERSION-alpine)
+
+until docker exec $TEMP_CONTAINER_ID psql -U postgres -c "select 1" > /dev/null 2>&1; do
+  echo "Waiting for postgres server..."
+  sleep 1
+done
+
+echo "create all databases..."
+for database in "bbb_graphql" "hasura_app" "greenlight"; do
+    echo "creating $database"
+    docker exec $TEMP_CONTAINER_ID psql -U postgres -c "CREATE DATABASE $database;" -c "GRANT ALL PRIVILEGES ON DATABASE $database TO postgres;"
+done
+
+echo "restoring greenlight from dump..."
+cat $GREENLIGHT_DUMP | docker exec -i $TEMP_CONTAINER_ID psql -U postgres greenlight
+
+docker stop $TEMP_CONTAINER_ID

scripts/setup

@@ -137,9 +137,11 @@ fi
 if [ ! "$https_proxy" == "y" ]
 then
     sed -i "s/ENABLE_HTTPS_PROXY.*/#ENABLE_HTTPS_PROXY=true/" .env
-    sed -i "s/LETSENCRYPT_EMAIL=.*/LETSENCRYPT_EMAIL=$LETSENCRYPT_EMAIL/" .env
 fi
 
+sed -i "s/LETSENCRYPT_EMAIL=.*/LETSENCRYPT_EMAIL=$LETSENCRYPT_EMAIL/" .env
+
+
 if [ "$recording" == "y" ]
 then
     sed -i "s/#ENABLE_RECORDING.*/ENABLE_RECORDING=true/" .env

scripts/upgrade

@@ -24,7 +24,7 @@ else
     echo "# checking for old volumes & migrate them"
     COMPOSE_PREFIX=$(docker compose config | grep '^name:' | awk '{print $2}')
     
-    function migrate {
+    function migrate_vol {
         VOLUME=${COMPOSE_PREFIX}_${1}
         EXISTING=$(docker volume ls | grep $VOLUME | tail -n1 | awk '{print $2}')
         if [ -n "$EXISTING" ]; then
@@ -36,12 +36,25 @@ else
             docker volume rm $EXISTING
         fi  
     }
-    migrate bigbluebutton ./data/bigbluebutton
-    migrate vol-freeswitch ./data/freeswitch-meetings
-    migrate vol-mediasoup ./data/mediasoup
+    migrate_vol bigbluebutton ./data/bigbluebutton
+    migrate_vol vol-freeswitch ./data/freeswitch-meetings
+    migrate_vol vol-mediasoup ./data/mediasoup
 
-    # TODO: migrate postgres database
-    # TODO: migrate greenlight-data
+    if [ -d "./postgres-data" ]; then
+        echo "folder ./postgres-data still exists and probably uses postgres 12. migrating to a fresh postgres 16 data directory..."
+        docker compose down --remove-orphans
+        ./scripts/postgres-migrate ./postgres-data ./data/postgres 16
+        mv postgres-data postgres-data.automigrate-bak
+    fi
+
+    if [ -d "./greenlight-data" ]; then
+        if [ -d "./data/greenlight" ]; then
+            mv ./data/greenlight ./data/greenlight.automigrate-bak
+        fi
+        mv ./greenlight-data ./data/greenlight
+    fi
+
+    # TODO: ask for LETSENCRYPT_EMAIL
 
     echo ""
     echo "# pull newest images"