Add official docker images.

.dockerignore

@@ -1,5 +1,3 @@
 /bin
-/docker/janus
-/Dockerfile
+/docker/*/Dockerfile
 /docker-compose.yml
-/vendor

.github/workflows/docker-compose.yml

@@ -20,7 +20,7 @@ jobs:
       - uses: actions/checkout@v3
 
       - name: Pull Docker images
-        run: docker-compose pull
+        run: docker-compose -f docker/docker-compose.yml pull
 
   build:
     runs-on: ubuntu-latest
@@ -29,4 +29,4 @@ jobs:
       - uses: actions/checkout@v3
 
       - name: Build Docker images
-        run: docker-compose build
+        run: docker-compose -f docker/docker-compose.yml build

.github/workflows/docker.yml

@@ -7,7 +7,7 @@ on:
     branches: [ master ]
 
 jobs:
-  build:
+  server:
     runs-on: ubuntu-latest
 
     steps:
@@ -20,3 +20,19 @@ jobs:
         uses: docker/build-push-action@v3
         with:
           context: .
+          file: docker/server/Dockerfile
+
+  proxy:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          file: docker/proxy/Dockerfile

Dockerfile

@@ -1,18 +0,0 @@
-FROM golang:1.18 AS builder
-
-WORKDIR /workdir
-
-COPY . .
-RUN apt-get -y update && apt-get -y install protobuf-compiler
-RUN make build
-
-FROM alpine:3.15
-
-ENV CONFIG=/config/server.conf
-RUN adduser -D spreedbackend && \
-    apk add --no-cache ca-certificates libc6-compat libstdc++
-USER spreedbackend
-COPY --from=builder /workdir/bin/signaling /usr/local/signaling
-COPY ./server.conf.in /config/server.conf
-
-CMD ["/bin/sh", "-c", "/usr/local/signaling --config=$CONFIG"]

README.md

@@ -88,13 +88,19 @@ systemctl start signaling.service
 
 ### Running with Docker
 
+Official docker containers for the signaling server and -proxy are available on
+Docker Hub at https://hub.docker.com/r/strukturag/nextcloud-spreed-signaling
+
+See the `README.md` in the `docker` subfolder for details.
+
+
 #### Docker Compose
 
 You will likely have to adjust the Janus command line options depending on the exact network configuration on your server. Refer to [Setup of Janus](#setup-of-janus) and the Janus documentation for how to configure your Janus server.
 
 Copy `server.conf.in` to `server.conf` and adjust it to your liking.
 
-If you're using the [docker-compose.yml](docker-compose.yml) configuration as is, the MCU Url must be set to `ws://localhost:8188`, the NATS Url must be set to `nats://localhost:4222`, and TURN Servers must be set to `turn:localhost:3478?transport=udp,turn:localhost:3478?transport=tcp`.
+If you're using the [docker-compose.yml](docker/docker-compose.yml) configuration as is, the MCU Url must be set to `ws://localhost:8188`, the NATS Url must be set to `nats://localhost:4222`, and TURN Servers must be set to `turn:localhost:3478?transport=udp,turn:localhost:3478?transport=tcp`.
 
 ```bash
 docker-compose build

docker/README.md

@@ -0,0 +1,123 @@
+# Docker images for nextcloud-spreed-signaling
+
+## Signaling server
+
+The image for the signaling server can be retrieved from
+
+    strukturag/nextcloud-spreed-signaling:<version>
+
+Replace `version` with the tag or commit you want to use.
+
+
+### Configuration
+
+The running container can be configured through different environment variables:
+
+- `CONFIG`: Optional name of configuration file to use.
+- `HTTP_LISTEN`: Address of HTTP listener.
+- `HTTPS_LISTEN`: Address of HTTPS listener.
+- `HTTPS_CERTIFICATE`: Name of certificate file for the HTTPS listener.
+- `HTTPS_KEY`: Name of private key file for the HTTPS listener.
+- `HASH_KEY`: Secret value used to generate checksums of sessions (32 or 64 bytes).
+- `BLOCK_KEY`: Key for encrypting data in the sessions (16, 24 or 32 bytes).
+- `INTERNAL_SHARED_SECRET_KEY`: Shared secret for connections from internal clients.
+- `BACKENDS`: Space-separated list of backend ids.
+- `BACKEND_<ID>_URL`: Url of backend `ID` (where `ID` is the uppercase backend id).
+- `BACKEND_<ID>_SHARED_SECRET`: Shared secret for backend `ID` (where `ID` is the uppercase backend id).
+- `BACKEND_<ID>_SESSION_LIMIT`: Optional session limit for backend `ID` (where `ID` is the uppercase backend id).
+- `BACKEND_<ID>_MAX_STREAM_BITRATE`: Optional maximum bitrate for audio/video streams in backend `ID` (where `ID` is the uppercase backend id).
+- `BACKEND_<ID>_MAX_SCREEN_BITRATE`: Optional maximum bitrate for screensharing streams in backend `ID` (where `ID` is the uppercase backend id).
+- `NATS_URL`: Optional URL of NATS server.
+- `ETCD_ENDPOINTS`: Static list of etcd endpoints (if etcd should be used).
+- `ETCD_DISCOVERY_SRV`: Alternative domain to use for DNS SRV configuration of etcd endpoints (if etcd should be used).
+- `ETCD_DISCOVERY_SERVICE`: Optional service name for DNS SRV configuration of etcd..
+- `ETCD_CLIENT_CERTIFICATE`: Filename of certificate for etcd client.
+- `ETCD_CLIENT_KEY`: Filename of private key for etcd client.
+- `ETCD_CLIENT_CA`: Filename of CA for etcd client.
+- `USE_JANUS`: Set to `1` if Janus should be used as WebRTC backend.
+- `JANUS_URL`: Url to Janus server (if `USE_JANUS` is set to `1`).
+- `USE_PROXY`: Set to `1` if proxy servers should be used as WebRTC backends.
+- `PROXY_TOKEN_ID`: Id of the token to use when connecting to proxy servers.
+- `PROXY_TOKEN_KEY`: Private key for the configured token id.
+- `PROXY_URLS`: Space-separated list of proxy URLs to connect to.
+- `PROXY_DNS_DISCOVERY`: Enable DNS discovery on hostnames of configured static URLs.
+- `PROXY_ETCD`: Set to `1` if etcd should be used to configure proxy connections.
+- `PROXY_KEY_PREFIX`: Key prefix of proxy entries.
+- `MAX_STREAM_BITRATE`: Optional global maximum bitrate for audio/video streams.
+- `MAX_SCREEN_BITRATE`: Optional global maximum bitrate for screensharing streams.
+- `TURN_API_KEY`: API key that Janus will need to send when requesting TURN credentials.
+- `TURN_SECRET`: The shared secret to use for generating TURN credentials.
+- `TURN_SERVERS`: A comma-separated list of TURN servers to use.
+- `GEOIP_LICENSE`: License key to use when downloading the MaxMind GeoIP database.
+- `GEOIP_URL`: Optional URL to download a MaxMind GeoIP database from.
+- `GEOIP_OVERRIDES`: Optional spae-separated list of overrides for GeoIP lookups.
+- `CONTINENT_OVERRIDES`: Optional spae-separated list of overrides for continent mappings.
+- `STATS_IPS`: Comma-separated list of IP addresses that are allowed to access the stats endpoint.
+- `GRPC_LISTEN`: IP and port to listen on for GRPC requests.
+- `GRPC_SERVER_CERTIFICATE`: Certificate to use for the GRPC server.
+- `GRPC_SERVER_KEY`: Private key to use for the GRPC server.
+- `GRPC_SERVER_CA`: CA certificate that is allowed to issue certificates of GRPC servers.
+- `GRPC_CLIENT_CERTIFICATE`: Certificate to use for the GRPC client.
+- `GRPC_CLIENT_KEY`: Private key to use for the GRPC client.
+- `GRPC_CLIENT_CA`: CA certificate that is allowed to issue certificates of GRPC clients.
+- `GRPC_TARGETS`: Comma-separated list of GRPC targets to connect to for clustering mode.
+- `GRPC_DNS_DISCOVERY`: Enable DNS discovery on hostnames of configured GRPC targets.
+- `GRPC_ETCD`: Set to `1` if etcd should be used to configure GRPC peers.
+- `GRPC_TARGET_PREFIX`: Key prefix of GRPC target entries.
+
+Example with two backends:
+
+    docker run \
+      ... \
+      -e BACKENDS="foo bar" \
+      -e BACKEND_FOO_URL=https://cloud.server1.tld \
+      -e BACKEND_FOO_SECRET=verysecret \
+      -e BACKEND_BAR_URL=https://cloud.server2.tld \
+      -e BACKEND_BAR_SECRET=moresecret \
+      ...
+
+See https://github.com/strukturag/nextcloud-spreed-signaling/blob/master/server.conf.in
+for further details on the different options.
+
+
+## Signaling proxy
+
+The image for the signaling proxy can be retrieved from
+
+    strukturag/nextcloud-spreed-signaling:<version>-proxy
+
+Replace `version` with the tag or commit you want to use.
+
+
+### Configuration
+
+The running container can be configured through different environment variables:
+
+- `CONFIG`: Optional name of configuration file to use.
+- `HTTP_LISTEN`: Address of HTTP listener.
+- `COUNTRY`: Optional ISO 3166 country this proxy is located at.
+- `JANUS_URL`: Url to Janus server.
+- `MAX_STREAM_BITRATE`: Optional maximum bitrate for audio/video streams.
+- `MAX_SCREEN_BITRATE`: Optional maximum bitrate for screensharing streams.
+- `ETCD_ENDPOINTS`: Static list of etcd endpoints (if etcd should be used).
+- `ETCD_DISCOVERY_SRV`: Alternative domain to use for DNS SRV configuration of etcd endpoints (if etcd should be used).
+- `ETCD_DISCOVERY_SERVICE`: Optional service name for DNS SRV configuration of etcd..
+- `ETCD_CLIENT_CERTIFICATE`: Filename of certificate for etcd client.
+- `ETCD_CLIENT_KEY`: Filename of private key for etcd client.
+- `ETCD_CLIENT_CA`: Filename of CA for etcd client.
+- `TOKENS_ETCD`: Set to `1` if etcd should be used to configure tokens.
+- `TOKEN_KEY_FORMAT`: Format of key name to retrieve the public key from, "%s" will be replaced with the token id.
+- `TOKENS`: Space-separated list of token ids.
+- `TOKEN_<ID>_KEY`: Filename of public key for token `ID` (where `ID` is the uppercase token id).
+
+Example with two tokens:
+
+    docker run \
+      ... \
+      -e TOKENS="foo signaling.server1.tld" \
+      -e TOKEN_FOO_KEY=/path/to/foo.key \
+      -e TOKEN_SIGNALING_SERVER1_TLD_KEY=/path/to/signaling.server1.tld.key \
+      ...
+
+See https://github.com/strukturag/nextcloud-spreed-signaling/blob/master/proxy.conf.in
+for further details on the different options.

docker/docker-compose.yml

@@ -2,7 +2,9 @@ version: '3'
 
 services:
   spreedbackend:
-    build: .
+    build:
+      context: ..
+      dockerfile: docker/server/Dockerfile
     volumes:
       - ./server.conf:/config/server.conf
     network_mode: host
@@ -19,7 +21,7 @@ services:
     network_mode: host
     restart: unless-stopped
   janus:
-    build: docker/janus
+    build: janus
     command: ["janus", "--full-trickle"]
     network_mode: host
     restart: unless-stopped

docker/proxy/Dockerfile

@@ -0,0 +1,25 @@
+FROM golang:1.19 AS builder
+
+WORKDIR /workdir
+
+COPY . .
+RUN apt-get -y update && \
+    apt-get -y install protobuf-compiler && \
+    if [ -d "vendor" ]; then GOPROXY=off make proxy -j$(nproc); else \
+    make proxy -j$(nproc); fi
+
+FROM alpine:3
+
+ENV CONFIG=/config/proxy.conf
+RUN adduser -D spreedbackend && \
+    apk add --no-cache bash ca-certificates libc6-compat libstdc++
+
+COPY --from=builder /workdir/bin/proxy /usr/bin/nextcloud-spreed-signaling-proxy
+COPY ./proxy.conf.in /config/proxy.conf.in
+COPY ./docker/proxy/entrypoint.sh /
+RUN chown spreedbackend /config
+
+USER spreedbackend
+
+ENTRYPOINT [ "/entrypoint.sh" ]
+CMD ["/bin/sh", "-c", "/usr/bin/nextcloud-spreed-signaling-proxy -config $CONFIG"]

docker/proxy/entrypoint.sh

@@ -0,0 +1,110 @@
+#!/bin/bash
+#
+# Standalone signaling server for the Nextcloud Spreed app.
+# Copyright (C) 2022 struktur AG
+#
+# @author Joachim Bauch <bauch@struktur.de>
+#
+# @license GNU AGPL version 3 or any later version
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+set -e
+
+if [ -z "$CONFIG" ]; then
+  echo "No configuration filename given in CONFIG environment variable"
+  exit 1
+fi
+
+if [ ! -f "$CONFIG" ]; then
+  echo "Preparing signaling proxy configuration in $CONFIG ..."
+  cp /config/proxy.conf.in "$CONFIG"
+
+  if [ ! -z "$HTTP_LISTEN" ]; then
+    sed -i "s|#listen = 127.0.0.1:9090|listen = $HTTP_LISTEN|" "$CONFIG"
+  fi
+
+  if [ ! -z "$COUNTRY" ]; then
+    sed -i "s|#country =.*|country = $COUNTRY|" "$CONFIG"
+  fi
+
+  HAS_ETCD=
+  if [ ! -z "$ETCD_ENDPOINTS" ]; then
+    sed -i "s|#endpoints =.*|endpoints = $ETCD_ENDPOINTS|" "$CONFIG"
+    HAS_ETCD=1
+  else
+    if [ ! -z "$ETCD_DISCOVERY_SRV" ]; then
+      sed -i "s|#discoverysrv =.*|discoverysrv = $ETCD_DISCOVERY_SRV|" "$CONFIG"
+      HAS_ETCD=1
+    fi
+    if [ ! -z "$ETCD_DISCOVERY_SERVICE" ]; then
+      sed -i "s|#discoveryservice =.*|discoveryservice = $ETCD_DISCOVERY_SERVICE|" "$CONFIG"
+    fi
+  fi
+  if [ ! -z "$HAS_ETCD" ]; then
+    if [ ! -z "$ETCD_CLIENT_KEY" ]; then
+      sed -i "s|#clientkey = /path/to/etcd-client.key|clientkey = $ETCD_CLIENT_KEY|" "$CONFIG"
+    fi
+    if [ ! -z "$ETCD_CLIENT_CERTIFICATE" ]; then
+      sed -i "s|#clientcert = /path/to/etcd-client.crt|clientcert = $ETCD_CLIENT_CERTIFICATE|" "$CONFIG"
+    fi
+    if [ ! -z "$ETCD_CLIENT_CA" ]; then
+      sed -i "s|#cacert = /path/to/etcd-ca.crt|cacert = $ETCD_CLIENT_CA|" "$CONFIG"
+    fi
+  fi
+
+  if [ ! -z "$JANUS_URL" ]; then
+    sed -i "s|url =.*|url = $JANUS_URL|" "$CONFIG"
+  else
+    sed -i "s|url =.*|#url =|" "$CONFIG"
+  fi
+  if [ ! -z "$MAX_STREAM_BITRATE" ]; then
+    sed -i "s|#maxstreambitrate =.*|maxstreambitrate = $MAX_STREAM_BITRATE|" "$CONFIG"
+  fi
+  if [ ! -z "$MAX_SCREEN_BITRATE" ]; then
+    sed -i "s|#maxscreenbitrate =.*|maxscreenbitrate = $MAX_SCREEN_BITRATE|" "$CONFIG"
+  fi
+
+  if [ ! -z "$TOKENS_ETCD" ]; then
+    if [ -z "$HAS_ETCD" ]; then
+      echo "No etcd endpoint configured, can't use etcd for proxy tokens"
+      exit 1
+    fi
+
+    sed -i "s|tokentype =.*|tokentype = etcd|" "$CONFIG"
+
+    if [ ! -z "$TOKEN_KEY_FORMAT" ]; then
+      sed -i "s|#keyformat =.*|keyformat = $TOKEN_KEY_FORMAT|" "$CONFIG"
+    fi
+  else
+    sed -i "s|\[tokens\]|#[tokens]|" "$CONFIG"
+    echo >> "$CONFIG"
+    echo "[tokens]" >> "$CONFIG"
+    for token in $TOKENS; do
+      declare var="TOKEN_${token^^}_KEY"
+      var=$(echo $var | sed "s|\.|_|")
+      if [ ! -z "${!var}" ]; then
+        echo "$token = ${!var}" >> "$CONFIG"
+      fi
+    done
+    echo >> "$CONFIG"
+  fi
+
+  if [ ! -z "$STATS_IPS" ]; then
+    sed -i "s|#allowed_ips =.*|allowed_ips = $STATS_IPS|" "$CONFIG"
+  fi
+fi
+
+echo "Starting signaling proxy with $CONFIG ..."
+exec "$@"

docker/server/Dockerfile

@@ -0,0 +1,25 @@
+FROM golang:1.19 AS builder
+
+WORKDIR /workdir
+
+COPY . .
+RUN apt-get -y update && \
+    apt-get -y install protobuf-compiler && \
+    if [ -d "vendor" ]; then GOPROXY=off make server -j$(nproc); else \
+    make server -j$(nproc); fi
+
+FROM alpine:3
+
+ENV CONFIG=/config/server.conf
+RUN adduser -D spreedbackend && \
+    apk add --no-cache bash ca-certificates libc6-compat libstdc++
+
+COPY --from=builder /workdir/bin/signaling /usr/bin/nextcloud-spreed-signaling
+COPY ./server.conf.in /config/server.conf.in
+COPY ./docker/server/entrypoint.sh /
+RUN chown spreedbackend /config
+
+USER spreedbackend
+
+ENTRYPOINT [ "/entrypoint.sh" ]
+CMD ["/bin/sh", "-c", "/usr/bin/nextcloud-spreed-signaling -config $CONFIG"]

docker/server/entrypoint.sh

@@ -0,0 +1,251 @@
+#!/bin/bash
+#
+# Standalone signaling server for the Nextcloud Spreed app.
+# Copyright (C) 2022 struktur AG
+#
+# @author Joachim Bauch <bauch@struktur.de>
+#
+# @license GNU AGPL version 3 or any later version
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+set -e
+
+if [ -z "$CONFIG" ]; then
+  echo "No configuration filename given in CONFIG environment variable"
+  exit 1
+fi
+
+if [ ! -f "$CONFIG" ]; then
+  echo "Preparing signaling server configuration in $CONFIG ..."
+  cp /config/server.conf.in "$CONFIG"
+
+  if [ ! -z "$HTTP_LISTEN" ]; then
+    sed -i "s|#listen = 127.0.0.1:8080|listen = $HTTP_LISTEN|" "$CONFIG"
+  fi
+  if [ ! -z "$HTTPS_LISTEN" ]; then
+    sed -i "s|#listen = 127.0.0.1:8443|listen = $HTTPS_LISTEN|" "$CONFIG"
+
+    if [ ! -z "$HTTPS_CERTIFICATE" ]; then
+      sed -i "s|certificate = /etc/nginx/ssl/server.crt|certificate = $HTTPS_CERTIFICATE|" "$CONFIG"
+    fi
+    if [ ! -z "$HTTPS_KEY" ]; then
+      sed -i "s|key = /etc/nginx/ssl/server.key|key = $HTTPS_KEY|" "$CONFIG"
+    fi
+  fi
+
+  if [ ! -z "$HASH_KEY" ]; then
+    sed -i "s|the-secret-for-session-checksums|$HASH_KEY|" "$CONFIG"
+  fi
+  if [ ! -z "$BLOCK_KEY" ]; then
+    sed -i "s|-encryption-key-|$BLOCK_KEY|" "$CONFIG"
+  fi
+  if [ ! -z "$INTERNAL_SHARED_SECRET_KEY" ]; then
+    sed -i "s|the-shared-secret-for-internal-clients|$INTERNAL_SHARED_SECRET_KEY|" "$CONFIG"
+  fi
+  if [ ! -z "$NATS_URL" ]; then
+    sed -i "s|#url = nats://localhost:4222|url = $NATS_URL|" "$CONFIG"
+  else
+    sed -i "s|#url = nats://localhost:4222|url = nats://loopback|" "$CONFIG"
+  fi
+
+  HAS_ETCD=
+  if [ ! -z "$ETCD_ENDPOINTS" ]; then
+    sed -i "s|#endpoints =.*|endpoints = $ETCD_ENDPOINTS|" "$CONFIG"
+    HAS_ETCD=1
+  else
+    if [ ! -z "$ETCD_DISCOVERY_SRV" ]; then
+      sed -i "s|#discoverysrv =.*|discoverysrv = $ETCD_DISCOVERY_SRV|" "$CONFIG"
+      HAS_ETCD=1
+    fi
+    if [ ! -z "$ETCD_DISCOVERY_SERVICE" ]; then
+      sed -i "s|#discoveryservice =.*|discoveryservice = $ETCD_DISCOVERY_SERVICE|" "$CONFIG"
+    fi
+  fi
+  if [ ! -z "$HAS_ETCD" ]; then
+    if [ ! -z "$ETCD_CLIENT_KEY" ]; then
+      sed -i "s|#clientkey = /path/to/etcd-client.key|clientkey = $ETCD_CLIENT_KEY|" "$CONFIG"
+    fi
+    if [ ! -z "$ETCD_CLIENT_CERTIFICATE" ]; then
+      sed -i "s|#clientcert = /path/to/etcd-client.crt|clientcert = $ETCD_CLIENT_CERTIFICATE|" "$CONFIG"
+    fi
+    if [ ! -z "$ETCD_CLIENT_CA" ]; then
+      sed -i "s|#cacert = /path/to/etcd-ca.crt|cacert = $ETCD_CLIENT_CA|" "$CONFIG"
+    fi
+  fi
+
+  if [ ! -z "$USE_JANUS" ]; then
+    sed -i "s|#type =$|type = janus|" "$CONFIG"
+    if [ ! -z "$JANUS_URL" ]; then
+      sed -i "/proxy URLs to connect to/{n;s|#url =$|url = $JANUS_URL|}" "$CONFIG"
+    fi
+  elif [ ! -z "$USE_PROXY" ]; then
+    sed -i "s|#type =$|type = proxy|" "$CONFIG"
+
+    if [ ! -z "$PROXY_ETCD" ]; then
+      if [ -z "$HAS_ETCD" ]; then
+        echo "No etcd endpoint configured, can't use etcd for proxy connections"
+        exit 1
+      fi
+
+      sed -i "s|#urltype = static|urltype = etcd|" "$CONFIG"
+
+      if [ ! -z "$PROXY_TOKEN_ID" ]; then
+        sed -i "s|#token_id =.*|token_id = $PROXY_TOKEN_ID|" "$CONFIG"
+      fi
+      if [ ! -z "$PROXY_TOKEN_KEY" ]; then
+        sed -i "s|#token_key =.*|token_key = $PROXY_TOKEN_KEY|" "$CONFIG"
+      fi
+      if [ ! -z "$PROXY_KEY_PREFIX" ]; then
+        sed -i "s|#keyprefix =.*|keyprefix = $PROXY_KEY_PREFIX|" "$CONFIG"
+      fi
+    else
+      if [ ! -z "$PROXY_URLS" ]; then
+        sed -i "/proxy URLs to connect to/{n;s|#url =$|url = $PROXY_URLS|}" "$CONFIG"
+      fi
+      if [ ! -z "$PROXY_DNS_DISCOVERY" ]; then
+        sed -i "/or deleted as necessary/{n;s|#dnsdiscovery =.*|dnsdiscovery = true|}" "$CONFIG"
+      fi
+    fi
+  fi
+
+  if [ ! -z "$MAX_STREAM_BITRATE" ]; then
+    sed -i "s|#maxstreambitrate =.*|maxstreambitrate = $MAX_STREAM_BITRATE|" "$CONFIG"
+  fi
+  if [ ! -z "$MAX_SCREEN_BITRATE" ]; then
+    sed -i "s|#maxscreenbitrate =.*|maxscreenbitrate = $MAX_SCREEN_BITRATE|" "$CONFIG"
+  fi
+
+  if [ ! -z "$TURN_API_KEY" ]; then
+    sed -i "s|the-api-key-for-the-rest-service|$TURN_API_KEY|" "$CONFIG"
+  fi
+  if [ ! -z "$TURN_SECRET" ]; then
+    sed -i "s|6d1c17a7-c736-4e22-b02c-e2955b7ecc64|$TURN_SECRET|" "$CONFIG"
+  fi
+  if [ ! -z "$TURN_SERVERS" ]; then
+    sed -i "s|#servers =.*|servers = $TURN_SERVERS|" "$CONFIG"
+  fi
+
+  if [ ! -z "$GEOIP_LICENSE" ]; then
+    sed -i "s|#license =.*|license = $GEOIP_LICENSE|" "$CONFIG"
+  fi
+  if [ ! -z "$GEOIP_URL" ]; then
+    sed -i "/looking up IP addresses/{n;s|#url =$|url = $GEOIP_URL|}" "$CONFIG"
+  fi
+
+  if [ ! -z "$STATS_IPS" ]; then
+    sed -i "s|#allowed_ips =.*|allowed_ips = $STATS_IPS|" "$CONFIG"
+  fi
+
+  if [ ! -z "$GRPC_LISTEN" ]; then
+    sed -i "s|#listen = 0.0.0.0:9090|listen = $GRPC_LISTEN|" "$CONFIG"
+
+    if [ ! -z "$GRPC_SERVER_CERTIFICATE" ]; then
+      sed -i "s|#servercertificate =.*|servercertificate = $GRPC_SERVER_CERTIFICATE|" "$CONFIG"
+    fi
+    if [ ! -z "$GRPC_SERVER_KEY" ]; then
+      sed -i "s|#serverkey =.*|serverkey = $GRPC_SERVER_KEY|" "$CONFIG"
+    fi
+    if [ ! -z "$GRPC_SERVER_CA" ]; then
+      sed -i "s|#serverca =.*|serverca = $GRPC_SERVER_CA|" "$CONFIG"
+    fi
+    if [ ! -z "$GRPC_CLIENT_CERTIFICATE" ]; then
+      sed -i "s|#clientcertificate =.*|clientcertificate = $GRPC_CLIENT_CERTIFICATE|" "$CONFIG"
+    fi
+    if [ ! -z "$GRPC_CLIENT_KEY" ]; then
+      sed -i "s|#clientkey = /path/to/grpc-client.key|clientkey = $GRPC_CLIENT_KEY|" "$CONFIG"
+    fi
+    if [ ! -z "$GRPC_CLIENT_CA" ]; then
+      sed -i "s|#clientca =.*|clientca = $GRPC_CLIENT_CA|" "$CONFIG"
+    fi
+    if [ ! -z "$GRPC_ETCD" ]; then
+      if [ -z "$HAS_ETCD" ]; then
+        echo "No etcd endpoint configured, can't use etcd for GRPC"
+        exit 1
+      fi
+
+      sed -i "s|#targettype =$|targettype = etcd|" "$CONFIG"
+
+      if [ ! -z "$GRPC_TARGET_PREFIX" ]; then
+        sed -i "s|#targetprefix =.*|targetprefix = $GRPC_TARGET_PREFIX|" "$CONFIG"
+      fi
+    else
+      if [ ! -z "$GRPC_TARGETS" ]; then
+        sed -i "s|#targets =.*|targets = $GRPC_TARGETS|" "$CONFIG"
+
+        if [ ! -z "$GRPC_DNS_DISCOVERY" ]; then
+          sed -i "/# deleted as necessary/{n;s|#dnsdiscovery =.*|dnsdiscovery = true|}" "$CONFIG"
+        fi
+      fi
+    fi
+  fi
+
+  if [ ! -z "$GEOIP_OVERRIDES" ]; then
+    sed -i "s|\[geoip-overrides\]|#[geoip-overrides]|" "$CONFIG"
+    echo >> "$CONFIG"
+    echo "[geoip-overrides]" >> "$CONFIG"
+    for override in $GEOIP_OVERRIDES; do
+      echo $override >> "$CONFIG"
+    done
+    echo >> "$CONFIG"
+  fi
+
+  if [ ! -z "$CONTINENT_OVERRIDES" ]; then
+    sed -i "s|\[continent-overrides\]|#[continent-overrides]|" "$CONFIG"
+    echo >> "$CONFIG"
+    echo "[continent-overrides]" >> "$CONFIG"
+    for override in $CONTINENT_OVERRIDES; do
+      echo $override >> "$CONFIG"
+    done
+    echo >> "$CONFIG"
+  fi
+
+  if [ ! -z "$BACKENDS" ]; then
+    sed -i "s|#backends = .*|backends = $BACKENDS|" "$CONFIG"
+
+    echo >> "$CONFIG"
+    for backend in $BACKENDS; do
+      echo "[$backend]" >> "$CONFIG"
+
+      declare var="BACKEND_${backend^^}_URL"
+      if [ ! -z "${!var}" ]; then
+        echo "url = ${!var}" >> "$CONFIG"
+      fi
+
+      declare var="BACKEND_${backend^^}_SHARED_SECRET"
+      if [ ! -z "${!var}" ]; then
+        echo "secret = ${!var}" >> "$CONFIG"
+      fi
+
+      declare var="BACKEND_${backend^^}_SESSION_LIMIT"
+      if [ ! -z "${!var}" ]; then
+        echo "sessionlimit = ${!var}" >> "$CONFIG"
+      fi
+
+      declare var="BACKEND_${backend^^}_MAX_STREAM_BITRATE"
+      if [ ! -z "${!var}" ]; then
+        echo "maxstreambitrate = ${!var}" >> "$CONFIG"
+      fi
+
+      declare var="BACKEND_${backend^^}_MAX_SCREEN_BITRATE"
+      if [ ! -z "${!var}" ]; then
+        echo "maxscreenbitrate = ${!var}" >> "$CONFIG"
+      fi
+      echo >> "$CONFIG"
+    done
+  fi
+fi
+
+echo "Starting signaling server with $CONFIG ..."
+exec "$@"