This is the technical documentation of Wikimedia Meet (https://meet.wmcloud.org) and how to contribute. Wikimedia Meet enables Wikimedians to meet virtually without using commercial proprietary services like Zoom or Google Meet.
Wikimedia Meet is a project in the Wikimedia Cloud called "meet". Its public DNS record, meet.wmcloud.org, resolves to 22.214.171.124, which is one of the public IPs of WMF (the Wikimedia Cloud public IPs). Three ports are used: 80, which just redirects to HTTPS; 443, which handles the web traffic (encrypted using Let's Encrypt); and 10000/UDP, which handles WebRTC.
The current installation is Jitsi Meet on Docker with internal authentication enabled. The instance is jitsi.meet.eqiad.wmflabs (a large instance), which serves as the video bridge, the interface and everything else. The config can be found here (private repo, it contains secrets).
Note: After changing the .env file, you need to wipe the config volume; otherwise the containers won't pick up the change.
Creating new users
Inside the jitsi node
cd /srv/jitsi
sudo docker-compose exec prosody /bin/bash
And then create the account:
prosodyctl --config /config/prosody.cfg.lua register TheDesiredUsername meet.jitsi TheDesiredPassword
Go to https://meet-auth.wmflabs.org/generate_token and enter the Ticketmaster token that was given to you (if you don't know what that is, you don't have the rights). It gives you a long random string; use it at https://meet-auth.wmflabs.org/create to create the account, and it should be there in five minutes. The user-creating tickets (tokens) are one-time use.
- How does it work internally?
The codebase for the auth system can be found here (private repo) and has three parts:
- The server: a Flask server that is exposed to the web on port 5000. It uses hashing and salting to protect the token, and it is single-threaded and sleeps two seconds for each authentication to slow down brute-force attempts. Once creating a user is successful, it calls all of its clients (the Jitsi server).
- The client(s): The client is an insecure Flask server exposed on port 4000 (but not to the public) that receives the user-creation request from the server and then adds it to a file called user_to_create.json.
- The cronjob: The cronjob is the bash file that reads from the JSON file and runs the account creation on the prosody Docker container. The cronjob currently runs every minute:
* * * * * bash /srv/meet-auth/create_cron.sh >> /var/log/create_cron.out 2>> /var/log/create_cron.err
Note: The server is on meet-auth.eqiad.wmflabs, but the client is on jitsi.eqiad.wmflabs.
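The server bullet above mentions salted hashing, a two-second sleep per authentication and one-time tickets. The following sketch is an added example, not code from the private meet-auth repository, showing how those three properties fit together. The class name, the `id.secret` ticket format and the choice of PBKDF2 are assumptions; the single-threaded part is a deployment setting and is not modelled here.

```python
import hashlib
import hmac
import secrets
import time

DELAY_SECONDS = 2.0  # the page states a two-second sleep per authentication


class TicketStore:
    """Hypothetical store for one-time tickets, kept only as salted hashes."""

    def __init__(self, delay=DELAY_SECONDS, sleep=time.sleep):
        self._records = {}   # ticket id -> (salt, digest); no plaintext secret
        self._delay = delay
        self._sleep = sleep  # injectable so tests do not have to wait

    @staticmethod
    def _digest(salt, secret):
        return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)

    def issue(self):
        """Create a ticket; the secret half is returned once and never stored."""
        ticket_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)  # per-ticket salt
        self._records[ticket_id] = (salt, self._digest(salt, secret))
        return f"{ticket_id}.{secret}"

    def redeem(self, ticket):
        """Return True exactly once for a valid ticket, False otherwise."""
        self._sleep(self._delay)  # same fixed cost for valid and invalid attempts
        ticket_id, _, secret = ticket.partition(".")
        record = self._records.get(ticket_id)
        # Unknown ids still go through the hash so both paths do the same work.
        salt, expected = record if record else (b"\x00" * 16, b"\x00" * 32)
        matches = hmac.compare_digest(self._digest(salt, secret), expected)
        if record and matches:
            del self._records[ticket_id]  # one-time use: burn on success
            return True
        return False
```

With a single worker thread, the fixed delay caps guessing at roughly one attempt every two seconds for the whole service, which is also why legitimate requests queue behind invalid ones.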