Wikimedia Meet

This is the technical documentation of Wikimedia Meet (https://meet.wmcloud.org) and how to contribute. Wikimedia meet enables Wikimedians to meet virtually without using commercial proprietary services like Zoom or Google Meet.


 * Documentation for its use is on Meta

Technical description
Wikimedia meet is a project in the Wikimedia Cloud called "meet". Its public DNS record is meet.wmcloud.org that resolves to 185.15.56.72 which is one of the public IPs of WMF (The Wikimedia Cloud public IPs). Three ports are used: 80 that just redirects to HTTPS, 443 that handles the web traffic (encrypted using Let's Encrypt) and 10000/UDP that handles the webRTC.

Current Installation
The current installation is jitsi meet on docker with internal authentication enabled. The instance is jitsi.meet.eqiad.wmflabs (a large instance) that serves as video bridge, the interface and everything else. The config can be found here (private repo, it contains secrets).

After changing the .env file, you need to wipe the config volume otherwise the containers won't pick it up.

Inside the jitsi node
And then create the account:

Web
Go to https://meet-auth.wmflabs.org/generate_token and put the Ticketmaster token that's given to you (if you don't know what that it, you don't have the rights). It gives you a long random string, use it in https://meet-auth.wmflabs.org/create to create account and it should be there in five minutes. The user-creating tickets (tokens) are one time use.

The codebase for the auth system can be found in here (private repo) and has three parts:
 * How does it work internally?
 * 1) The server: it's a flask server that's exposed to web on port 5000. This uses hashing and salting to protect the token plus it's only one-thread and sleeps two seconds for each authentication to avoid brute force. Once create user is succesful, it calls all of its clients (the jitsi server)
 * 2) The client(s): The client is insecure flask sever exposed on port 4000 (but not to public) that receives the request for creating users from the server and then add it to a file called user_to_create.json
 * 3) The cronjob: The cronjob is the bash file that reads from the json and runs the create account on the prosody docker container. The cronjob currently is being ran every minute

Note: Server is on meet-auth.eqiad.wmflabs but client is jitsi.eqiad.wmflabs

Monitoring

 * traffic of the public IP (Turnilo, NDA-LDAP protected)
 * nagf
 * Grafana