diff --git a/f7hpb.sh b/f7hpb.sh
new file mode 100644
index 0000000..75a3717
--- /dev/null
+++ b/f7hpb.sh
@@ -0,0 +1,113 @@
+#!/bin/bash
+# Установка F7_HPB (signaling, конфиг, systemd). Запускается на сервере HPB.
+# Использование: ./f7hpb.sh [/path/to/f7cloud-install.env]
+# Переменные можно передать через env-файл или ввести в диалоге, если не заданы.
+
+set -e
+ROLE="f7hpb"
+ERROR_LOG="/tmp/install-error-${ROLE}.log"
+
+log_error() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] ERROR: $*" >> "$ERROR_LOG"; echo "ERROR: $*" >&2; }
+log_warn()  { echo "[$(date '+%Y-%m-%d %H:%M:%S')] WARN: $*"  >> "$ERROR_LOG"; echo "WARN: $*"  >&2; }
+
+# Два режима: если переменная передана (не пустая) — использовать; иначе — запросить ввод.
+# Использование: get_var ИМЯ_ПЕРЕМЕННОЙ "Подсказка для пользователя"
+get_var() {
+    local name="$1"
+    local prompt="$2"
+    local val="${!name}"
+    if [ -z "$val" ]; then
+        read -rp "$prompt: " val
+        [ -z "$val" ] && { log_error "Переменная $name не задана."; exit 1; }
+        printf -v "$name" '%s' "$val"
+    fi
+}
+
+# Путь к env-файлу: аргумент скрипта или запрос
+ENV_FILE="${1:-}"
+get_var ENV_FILE "Путь к файлу конфигурации (например /path/to/f7cloud-install.env)"
+
+if [ ! -f "$ENV_FILE" ]; then
+    log_error "Файл конфигурации не найден: $ENV_FILE"
+    exit 1
+fi
+# shellcheck source=/dev/null
+set -a && source "$ENV_FILE" && set +a
+
+# Переменные из env или диалог, если не переданы
+get_var HPB_HASHKEY         "HPB hashkey"
+get_var HPB_BLOCKKEY        "HPB blockkey"
+get_var HPB_INTERNAL_SECRET "HPB internal_secret"
+get_var HPB_BACKEND_SECRET  "HPB backend secret"
+get_var F7CLOUD_URL "URL F7 Cloud (например https://cloud.example.com)"
+HPB_DOMAIN="${F7CLOUD_URL}"
+
+> "$ERROR_LOG"
+echo "=== Лог установки F7_HPB ===" >> "$ERROR_LOG"
+echo "Начало: $(date '+%Y-%m-%d %H:%M:%S')" >> "$ERROR_LOG"
+
+if ! command -v git >/dev/null 2>&1; then
+    echo "Установка git..."
+    apt-get update -qq && apt-get install -y git || { log_error "Не удалось установить git"; exit 1; }
+fi
+
+rm -rf /tmp/F7_HPB
+echo "Клонирование репозитория F7_HPB..."
+if ! (cd /tmp && git clone https://git.f7cloud.ru/root/F7_HPB.git); then
+    log_error "Не удалось клонировать репозиторий F7_HPB"
+    exit 1
+fi
+sleep 1
+if ! [ -d /tmp/F7_HPB ]; then
+    log_error "Директория /tmp/F7_HPB не существует после клонирования"
+    exit 1
+fi
+
+# Секреты должны быть в env (переданы из главного скрипта)
+if [ -f /tmp/hpb-secrets.env ]; then
+    # shellcheck source=/dev/null
+    set -a && source /tmp/hpb-secrets.env && set +a
+fi
+
+R=/tmp/F7_HPB
+mkdir -p /etc/f7cloud-spreed-signaling
+
+if [ -f "$R/server.conf.example" ]; then
+    cp "$R/server.conf.example" /etc/f7cloud-spreed-signaling/server.conf
+    sed -i "s|hashkey.*=.*|hashkey = \"${HPB_HASHKEY}\"|i" /etc/f7cloud-spreed-signaling/server.conf
+    sed -i "s|blockkey.*=.*|blockkey = \"${HPB_BLOCKKEY}\"|i" /etc/f7cloud-spreed-signaling/server.conf
+    sed -i "s|internal.*secret.*=.*|internal_secret = \"${HPB_INTERNAL_SECRET}\"|i" /etc/f7cloud-spreed-signaling/server.conf
+    sed -i "s|backend.*secret.*=.*|secret = \"${HPB_BACKEND_SECRET}\"|i" /etc/f7cloud-spreed-signaling/server.conf
+    sed -i "s|https://.*nextcloud|${F7CLOUD_URL}|i" /etc/f7cloud-spreed-signaling/server.conf
+    sed -i "s|https://.*hpb|https://${HPB_DOMAIN}|i" /etc/f7cloud-spreed-signaling/server.conf
+fi
+
+for bin in "$R/signaling-server" "$R/build/signaling-server" "$R/signaling-server-server"; do
+    [ -f "$bin" ] && cp "$bin" /usr/bin/ 2>/dev/null && chmod +x "/usr/bin/$(basename "$bin")" && break
+done
+find "$R" -maxdepth 2 -name "*.service" -exec cp {} /etc/systemd/system/ \;
+
+# Overlay: файлы и каталоги из репозитория на те же пути в системе
+if [ -d "$R/overlay" ]; then
+    echo "Установка overlay (nats, janus, coturn, бинарники)..."
+    [ -f "$R/overlay/etc/nats-server.conf" ] && cp "$R/overlay/etc/nats-server.conf" /etc/
+    [ -d "$R/overlay/etc/janus" ]          && cp -a "$R/overlay/etc/janus" /etc/
+    [ -d "$R/overlay/etc/coturn" ]         && cp -a "$R/overlay/etc/coturn" /etc/
+    [ -f "$R/overlay/usr/sbin/nats-server" ] && cp "$R/overlay/usr/sbin/nats-server" /usr/sbin/ && chmod +x /usr/sbin/nats-server
+    [ -f "$R/overlay/usr/bin/turnserver" ]   && cp "$R/overlay/usr/bin/turnserver" /usr/bin/   && chmod +x /usr/bin/turnserver
+    # Права для coturn: пользователь turnserver, каталоги 750
+    if [ -d /etc/coturn ]; then
+        getent passwd turnserver >/dev/null 2>&1 || (useradd -r -s /usr/sbin/nologin turnserver 2>/dev/null || true)
+        chown -R turnserver:turnserver /etc/coturn
+        find /etc/coturn -type d -exec chmod 750 {} \;
+        find /etc/coturn -type f -exec chmod 640 {} \;
+    fi
+fi
+
+systemctl daemon-reload 2>/dev/null || true
+systemctl enable f7cloud-spreed-signaling 2>/dev/null || systemctl enable signaling 2>/dev/null || true
+systemctl start f7cloud-spreed-signaling 2>/dev/null || systemctl start signaling 2>/dev/null || true
+
+echo "Конец: $(date '+%Y-%m-%d %H:%M:%S')" >> "$ERROR_LOG"
+echo "F7_HPB установлен. Лог ошибок: $ERROR_LOG"
+exit 0
diff --git a/overlay/etc/coturn/.gitkeep b/overlay/etc/coturn/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/overlay/etc/coturn/certs/.gitkeep b/overlay/etc/coturn/certs/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/overlay/etc/janus/janus.eventhandler.gelfevh.jcfg b/overlay/etc/janus/janus.eventhandler.gelfevh.jcfg
new file mode 100644
index 0000000..fe1340a
--- /dev/null
+++ b/overlay/etc/janus/janus.eventhandler.gelfevh.jcfg
@@ -0,0 +1,21 @@
+# This configures the GELF event handler. Appending necessary headers 
+# and sending messages via TCP or UDP
+
+general: {
+	enabled = false						# By default the module is not enabled
+	events = "all"
+										# Comma separated list of the events mask you're interested
+										# in. Valid values are none, sessions, handles, jsep, webrtc,
+										# media, plugins, transports, core, external and all. By
+										# default we subscribe to everything (all)
+
+	backend = "your.graylog.server"		# DNS or IP of your Graylog server
+	port = "12201"						# Port Graylog server is listening on
+	protocol = "tcp"					# tcp or udp transport type
+	max_message_len = 1024				# Note that we add 12 bytes of headers + standard UDP headers (8 bytes) 
+										# when calculating packet size based on MTU   
+
+	#compress = true					# Optionally, only for UDP transport, JSON messages can be compressed using zlib
+	#compression = 9					# In case, you can specify the compression factor, where 1 is
+										# the fastest (low compression), and 9 gives the best compression
+}
diff --git a/overlay/etc/janus/janus.eventhandler.mqttevh.jcfg b/overlay/etc/janus/janus.eventhandler.mqttevh.jcfg
new file mode 100644
index 0000000..3bf7578
--- /dev/null
+++ b/overlay/etc/janus/janus.eventhandler.mqttevh.jcfg
@@ -0,0 +1,57 @@
+# This configures the MQTT event handler. Events are sent either on
+# one topic or on a topic per event type.
+#
+# By default, configuration topics for handle and webrtc event types
+# with the base topic are configured to /janus/events, e.g.:
+#	/janus/events/handle
+#	/janus/events/webrtc
+
+general: {
+	enabled = false			# By default the module is not enabled
+	events = "all"			# Comma separated list of the events mask you're interested
+							# in. Valid values are none, sessions, handles, jsep, webrtc,
+							# media, plugins, transports, core, external and all. By
+							# default we subscribe to everything (all)
+	json = "indented"		# Whether the JSON messages should be indented (default),
+							# plain (no indentation) or compact (no indentation and no spaces)
+
+	url = "tcp://localhost:1883"	# The URL of the MQTT server. "tcp://" and "ssl://" protocols are supported.
+	#mqtt_version = "3.1.1"			# Protocol version. Available values: 3.1, 3.1.1 (default), 5.
+	client_id = "janus.example.com"	# Janus client id. You have to configure a unique ID (default: guest).
+	#keep_alive_interval = 20		# Keep connection for N seconds (default: 30)
+	#cleansession = 0				# Clean session flag (default: off)
+	#retain = 0						# Default MQTT retain flag for published events
+	#qos = 1						# Default MQTT QoS for published events
+	#max_inflight = 10				# Maximum number of inflight messages
+	#max_buffered = 100				# Maximum number of buffered messages
+	#disconnect_timeout = 100		# Seconds to wait before destroying client
+	#username = "guest"				# Username for authentication (default: no authentication)
+	#password = "guest"				# Password for authentication (default: no authentication)
+	#topic = "/janus/events"		# Base topic (default: /janus/events)
+	#addevent = true				# Whether we should add the event type to the base topic
+
+	#tls_enable = false				# Whether TLS support must be enabled
+
+	# Initial message sent to status topic
+	#connect_status = "{\"event\": \"connected\", \"eventhandler\": \"janus.eventhandler.mqttevh\"}"
+	# Message sent after disconnect or as LWT
+	#disconnect_status = "{\"event\": \"disconnected\"}"
+
+	#will_enabled = false							# Whether to enable LWT (default: false)
+	#will_retain = 1								# Whether LWT should be retained (default: 1)
+	#will_qos = 0									# QoS for LWT (default: 0)
+
+	# Additional parameters if "mqtts://" schema is used
+	#tls_verify_peer = true			# Whether peer verification must be enabled
+	#tls_verify_hostname = true		# Whether hostname verification must be enabled
+
+	# Certificates to use when TLS support is enabled, if needed
+	#tls_cacert = "/path/to/cacert.pem"
+	tls_client_cert = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+	tls_client_key = "/etc/ssl/private/ssl-cert-snakeoil.key"
+	#tls_ciphers
+	#tls_version
+
+	# These options work with MQTT 5 only.
+	#add_user_properties = ()	# List of user property ["key", "value"] pairs to add.
+}
diff --git a/overlay/etc/janus/janus.eventhandler.nanomsgevh.jcfg b/overlay/etc/janus/janus.eventhandler.nanomsgevh.jcfg
new file mode 100644
index 0000000..1dfe499
--- /dev/null
+++ b/overlay/etc/janus/janus.eventhandler.nanomsgevh.jcfg
@@ -0,0 +1,30 @@
+# This configures the Nanomsg event handler. Since this plugin only
+# forwards each event it receives via Nanomsg, you simply need to
+# configure (i) which events to subscribe to, (ii) the address to use for
+# the communication, and (iii) whether the address should be used to bind
+# locally or to connect to a remote endpoint. Notice that the only supported
+# pattern is NN_PUBSUB, where the Nanomsg event handler is the publisher.
+
+general: {
+	enabled = false		# By default the module is not enabled
+	events = "all"		# Comma separated list of the events mask you're interested
+						# in. Valid values are none, sessions, handles, jsep, webrtc,
+						# media, plugins, transports, core, external and all. By
+						# default we subscribe to everything (all)
+	grouping = true		# Whether events should be sent individually (one per
+						# HTTP POST, JSON object), or if it's ok to group them
+						# (one or more per HTTP POST, JSON array with objects)
+						# The default is 'yes' to limit the number of connections.
+
+						# Address the plugin will send all events to as HTTP POST
+						# requests with an application/json payload. In case
+						# authentication is required to contact the backend, set
+						# the credentials as well (basic authentication only).
+	json = "indented"	# Whether the JSON messages should be indented (default),
+						# plain (no indentation) or compact (no indentation and no spaces)
+
+	#mode = "bind"						# Whether we should 'bind' to the specified
+										# address, or connect to it if remote (default)
+	address = "ipc:///tmp/janusevh.ipc"	# Address to use, refer to the Nanomsg documentation
+										# for more info on different transports you can use here
+}
diff --git a/overlay/etc/janus/janus.eventhandler.rabbitmqevh.jcfg b/overlay/etc/janus/janus.eventhandler.rabbitmqevh.jcfg
new file mode 100644
index 0000000..ea7f2d2
--- /dev/null
+++ b/overlay/etc/janus/janus.eventhandler.rabbitmqevh.jcfg
@@ -0,0 +1,34 @@
+# This configures the RabbitMQ event handler.
+
+general: {
+	enabled = false					# By default the module is not enabled
+	events = "all"					# Comma separated list of the events mask you're interested
+									# in. Valid values are none, sessions, handles, jsep, webrtc,
+									# media, plugins, transports, core, external and all. By
+									# default we subscribe to everything (all)
+	grouping = true					# Whether events should be sent individually , or if it's ok
+									# to group them. The default is 'yes' to limit the number of
+									# messages
+	json = "indented"				# Whether the JSON messages should be indented (default),
+									# plain (no indentation) or compact (no indentation and no spaces)
+
+	host = "localhost"				# The address of the RabbitMQ server
+	#port = 5672					# The port of the RabbitMQ server (5672 by default)
+	#username = "guest"				# Username to use to authenticate, if needed
+	#password = "guest"				# Password to use to authenticate, if needed
+	#vhost = "/"					# Virtual host to specify when logging in, if needed
+	#exchange = "janus-exchange"
+	route_key = "janus-events"		# Routing key to use when publishing messages
+	#exchange_type = "fanout" 		# Rabbitmq exchange_type can be one of the available types: direct, topic, headers and fanout (fanout by defualt).
+	#heartbeat = 60 				# Defines the seconds without communication that should pass before considering the TCP connection unreachable.
+	#declare_outgoing_queue = true # By default (for backwards compatibility), we declare an outgoing queue. Set this to false to disable that behavior
+
+	#ssl_enable = false				# Whether ssl support must be enabled
+	#ssl_verify_peer = true			# Whether peer verification must be enabled
+	#ssl_verify_hostname = true		# Whether hostname verification must be enabled
+
+	# Certificates to use when SSL support is enabled, if needed
+	#ssl_cacert = "/path/to/cacert.pem"
+	ssl_cert = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+	ssl_key = "/etc/ssl/private/ssl-cert-snakeoil.key"
+}
diff --git a/overlay/etc/janus/janus.eventhandler.sampleevh.jcfg b/overlay/etc/janus/janus.eventhandler.sampleevh.jcfg
new file mode 100644
index 0000000..d32b7a5
--- /dev/null
+++ b/overlay/etc/janus/janus.eventhandler.sampleevh.jcfg
@@ -0,0 +1,44 @@
+# This configures the sample event handler. Since this plugin simply
+# forwards each event it receives via HTTP POST, you simply need to
+# configure (i) which events to subscribe to, and (ii) the address of
+# the web server which will receive the requests.
+
+general: {
+	enabled = false		# By default the module is not enabled
+	events = "all"		# Comma separated list of the events mask you're interested
+						# in. Valid values are none, sessions, handles, jsep, webrtc,
+						# media, plugins, transports, core, external and all. By
+						# default we subscribe to everything (all)
+	grouping = true		# Whether events should be sent individually (one per
+						# HTTP POST, JSON object), or if it's ok to group them
+						# (one or more per HTTP POST, JSON array with objects)
+						# The default is 'yes' to limit the number of connections.
+	json = "indented"	# Whether the JSON messages should be indented (default),
+						# plain (no indentation) or compact (no indentation and no spaces)
+
+	#compress = true	# Optionally, the JSON messages can be compressed using zlib
+	#compression = 9	# In case, you can specify the compression factor, where 1 is
+						# the fastest (low compression), and 9 gives the best compression
+
+						# Address the plugin will send all events to as HTTP POST
+						# requests with an application/json payload. In case
+						# authentication is required to contact the backend, set
+						# the credentials as well (basic authentication only).
+	backend = "http://your.webserver.here/and/a/path"
+	#backend_user = "myuser"
+	#backend_pwd = "mypwd"
+
+						# You can also configure how retransmissions should
+						# happen, after a failed attempt to deliver an event.
+						# Specifically, you can specify how many times a
+						# retransmission should be attempted (default=5) and
+						# which step is used, in milliseconds, for the exponential
+						# backoff before retrying (e.g, if step=100ms, then the
+						# the first retry will happen after 100ms, the second
+						# after 200ms, then 400ms, and so on). If the event cannot
+						# be retransmitted after the maximum number of attemps
+						# is reached, then it's lost. Beware that retransmissions
+						# will also delay pending events and increase the queue.
+	#max_retransmissions = 5
+	#retransmissions_backoff = 100
+}
diff --git a/overlay/etc/janus/janus.eventhandler.wsevh.jcfg b/overlay/etc/janus/janus.eventhandler.wsevh.jcfg
new file mode 100644
index 0000000..c5cc364
--- /dev/null
+++ b/overlay/etc/janus/janus.eventhandler.wsevh.jcfg
@@ -0,0 +1,31 @@
+# This configures the WebSockets event handler. Since this plugin only
+# forwards each event it receives via WebSockets, you simply need to
+# configure (i) which events to subscribe to, and (ii) the address of
+# the WebSockets server which will receive the requests.
+
+general: {
+	enabled = false		# By default the module is not enabled
+	events = "all"		# Comma separated list of the events mask you're interested
+						# in. Valid values are none, sessions, handles, jsep, webrtc,
+						# media, plugins, transports, core, external and all. By
+						# default we subscribe to everything (all)
+	grouping = true		# Whether events should be sent individually (one per
+						# HTTP POST, JSON object), or if it's ok to group them
+						# (one or more per HTTP POST, JSON array with objects)
+						# The default is 'yes' to limit the number of connections.
+
+	json = "indented"	# Whether the JSON messages should be indented (default),
+						# plain (no indentation) or compact (no indentation and no spaces)
+
+						# Address the plugin will send all events to as WebSocket
+						# messages. In case authentication is required to contact
+						# the backend, set the credentials as well.
+	backend = "ws://your.websocket.here"
+	# subprotocol = "your-subprotocol"
+
+						# In case you need to debug connection issues, you can configure
+						# the libwebsockets debugging level as a comma separated list of things
+						# to debug, supported values: err, warn, notice, info, debug, parser,
+						# header, ext, client, latency, user, count (plus 'none' and 'all')
+	#ws_logging = "err,warn"
+}
diff --git a/overlay/etc/janus/janus.jcfg b/overlay/etc/janus/janus.jcfg
new file mode 100644
index 0000000..4617c7d
--- /dev/null
+++ b/overlay/etc/janus/janus.jcfg
@@ -0,0 +1,437 @@
+# General configuration: folders where the configuration and the plugins
+# can be found, how output should be logged, whether Janus should run as
+# a daemon or in foreground, default interface to use, debug/logging level
+# and, if needed, shared apisecret and/or token authentication mechanism
+# between application(s) and Janus.
+general: {
+	configs_folder = "/etc/janus"			# Configuration files folder
+	plugins_folder = "/usr/lib/x86_64-linux-gnu/janus/plugins"			# Plugins folder
+	transports_folder = "/usr/lib/x86_64-linux-gnu/janus/transports"	# Transports folder
+	events_folder = "/usr/lib/x86_64-linux-gnu/janus/events"			# Event handlers folder
+	loggers_folder = "/usr/lib/x86_64-linux-gnu/janus/loggers"			# External loggers folder
+
+		# The next settings configure logging
+	#log_to_stdout = false					# Whether the Janus output should be written
+											# to stdout or not (default=true)
+	log_to_file = "/var/log/janus.log"		# Whether to use a log file or not
+	debug_level = 4							# Debug/logging level, valid values are 0-7
+	debug_timestamps = true					# Whether to show a timestamp for each log line
+	#debug_colors = false					# Whether colors should be disabled in the log
+	#debug_locks = true						# Whether to enable debugging of locks (very verbose!)
+	#log_prefix = "[janus] "				# In case you want log lines to be prefixed by some
+											# custom text, you can use the 'log_prefix' property.
+											# It supports terminal colors, meaning something like
+											# "[\x1b[32mjanus\x1b[0m] " would show a green "janus"
+											# string in square brackets (assuming debug_colors=true).
+
+		# This is what you configure if you want to launch Janus as a daemon
+	#daemonize = true						# Whether Janus should run as a daemon
+											# or not (default=run in foreground)
+	#pid_file = "/path/to/janus.pid"		# PID file to create when Janus has been
+											# started, and to destroy at shutdown
+
+		# There are different ways you can authenticate the Janus and Admin APIs
+	#api_secret = "janusrocks"		# String that all Janus requests must contain
+									# to be accepted/authorized by the Janus core.
+									# Useful if you're wrapping all Janus API requests
+									# in your servers (that is, not in the browser,
+									# where you do the things your way) and you
+									# don't want other application to mess with
+									# this Janus instance.
+	#token_auth = true				# Enable a token based authentication
+									# mechanism to force users to always provide
+									# a valid token in all requests. Useful if
+									# you want to authenticate requests from web
+									# users.
+	#token_auth_secret = "janus"	# Use HMAC-SHA1 signed tokens (with token_auth). Note that
+									# without this, the Admin API MUST
+									# be enabled, as tokens are added and removed
+									# through messages sent there.
+	admin_secret = "janusoverlord"	# String that all Janus requests must contain
+									# to be accepted/authorized by the admin/monitor.
+									# only needed if you enabled the admin API
+									# in any of the available transports.
+
+		# Generic settings
+	#interface = "1.2.3.4"			# Interface to use (will be used in SDP)
+	#server_name = "MyJanusInstance"# Public name of this Janus instance
+									# as it will appear in an info request
+	#session_timeout = 60			# How long (in seconds) we should wait before
+									# deciding a Janus session has timed out. A
+									# session times out when no request is received
+									# for session_timeout seconds (default=60s).
+									# Setting this to 0 will disable the timeout
+									# mechanism, which is NOT suggested as it may
+									# risk having orphaned sessions (sessions not
+									# controlled by any transport and never freed).
+									# To avoid timeouts, keep-alives can be used.
+	#candidates_timeout = 45		# How long (in seconds) we should keep hold of
+									# pending (trickle) candidates before discarding
+									# them (default=45s). Notice that setting this
+									# to 0 will NOT disable the timeout, but will
+									# be considered an invalid value and ignored.
+	#reclaim_session_timeout = 0	# How long (in seconds) we should wait for a
+									# janus session to be reclaimed after the transport
+									# is gone. After the transport is gone, a session
+									# times out when no request is received for
+									# reclaim_session_timeout seconds (default=0s).
+									# Setting this to 0 will disable the timeout
+									# mechanism, and sessions will be destroyed immediately
+									# if the transport is gone.
+	#recordings_tmp_ext = "tmp"		# The extension for recordings, in Janus, is
+									# .mjr, a custom format we devised ourselves.
+									# By default, we save to .mjr directly. If you'd
+									# rather the recording filename have a temporary
+									# extension while it's being saved, and only
+									# have the .mjr extension when the recording
+									# is over (e.g., to automatically trigger some
+									# external scripts), then uncomment and set the
+									# recordings_tmp_ext property to the extension
+									# to add to the base (e.g., tmp --> .mjr.tmp).
+	#event_loops = 8				# By default, Janus handles each have their own
+									# event loop and related thread for all the media
+									# routing and management. If for some reason you'd
+									# rather limit the number of loop/threads, and
+									# you want handles to share those, you can do that
+									# configuring the event_loops property: this will
+									# spawn the specified amount of threads at startup,
+									# run a separate event loop on each of them, and
+									# add new handles to one of them when attaching.
+									# Notice that, while cutting the number of threads
+									# and possibly reducing context switching, this
+									# might have an impact on the media delivery,
+									# especially if the available loops can't take
+									# care of all the handles and their media in time.
+									# As such, if you want to use this you should
+									# provision the correct value according to the
+									# available resources (e.g., CPUs available).
+	#allow_loop_indication = true	# In case a static number of event loops is
+									# configured as explained above, by default
+									# new handles will be allocated on one loop or
+									# another by the Janus core itself. In some cases
+									# it may be helpful to manually tell the Janus
+									# core which loop a handle should be added to,
+									# e.g., to group viewers of the same stream on
+									# the same loop. This is possible via the Janus
+									# API when performing the 'attach' request, but
+									# only if allow_loop_indication is set to true;
+									# it's set to false by default to avoid abuses.
+									# Don't change if you don't know what you're doing!
+	#opaqueid_in_api = true			# Opaque IDs set by applications are typically
+									# only passed to event handlers for correlation
+									# purposes, but not sent back to the user or
+									# application in the related Janus API responses
+									# or events; in case you need them to be in the
+									# Janus API too, set this property to 'true'.
+	#hide_dependencies = true		# By default, a call to the "info" endpoint of
+									# either the Janus or Admin API now also returns
+									# the versions of the main dependencies (e.g.,
+									# libnice, libsrtp, which crypto library is in
+									# use and so on). Should you want that info not
+									# to be disclose, set 'hide_dependencies' to true.
+	#exit_on_dl_error = false		# If a Janus shared libary cannot be loaded or an expected
+									# symbol is not found, exit immediately.
+
+		# The following is ONLY useful when debugging RTP/RTCP packets,
+		# e.g., to look at unencrypted live traffic with a browser. By
+		# default it is obviously disabled, as WebRTC mandates encryption.
+	#no_webrtc_encryption = true
+
+		# Janus provides ways via its API to specify custom paths to save
+		# files to (e.g., recordings, pcap captures and the like). In order
+		# to avoid people can mess with folders they're not supposed to,
+		# you can configure an array of folders that Janus should prevent
+		# creating files in. If the 'protected_folder' property below is
+		# commented, no folder is protected.
+		# Notice that at the moment this only covers attempts to start
+		# an .mjr recording and pcap/text2pcap packet captures.
+	protected_folders = [
+		"/bin",
+		"/boot",
+		"/dev",
+		"/etc",
+		"/initrd",
+		"/lib",
+		"/lib32",
+		"/lib64",
+		"/proc",
+		"/sbin",
+		"/sys",
+		"/usr",
+		"/var",
+			# We add what are usually the folders Janus is installed to
+			# as well: we don't just put "/opt/janus" because that would
+			# include folders like "/opt/janus/share" that is where
+			# recordings might be saved to by some plugins
+		"/opt/janus/bin",
+		"/opt/janus/etc",
+		"/opt/janus/include",
+		"/opt/janus/lib",
+		"/opt/janus/lib32",
+		"/opt/janus/lib64",
+		"/opt/janus/sbin"
+	]
+}
+
+# Certificate and key to use for DTLS (and passphrase if needed). If missing,
+# Janus will autogenerate a self-signed certificate to use. Notice that
+# self-signed certificates are fine for the purpose of WebRTC DTLS
+# connectivity, for the time being, at least until Identity Providers
+# are standardized and implemented in browsers. If for some reason you
+# want to enforce the DTLS stack in Janus to enforce valid certificates
+# from peers, though, you can do that setting 'dtls_accept_selfsigned' to
+# 'false' below: DO NOT TOUCH THAT IF YOU DO NOT KNOW WHAT YOU'RE DOING!
+# You can also configure the DTLS ciphers to offer: the default if not
+# set is "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK"
+# Finally, by default NIST P-256 certificates are generated (see #1997),
+# but RSA generation is still supported if you set 'rsa_private_key' to 'true'.
+certificates: {
+	#cert_pem = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+	#cert_key = "/etc/ssl/private/ssl-cert-snakeoil.key"
+	#cert_pwd = "secretpassphrase"
+	#dtls_accept_selfsigned = false
+	#dtls_ciphers = "your-desired-openssl-ciphers"
+	#rsa_private_key = false
+}
+
+# Media-related stuff: you can configure whether if you want to enable IPv6
+# support (and link-local IPs), the minimum size of the NACK queue (in ms,
+# defaults to 200ms) for retransmissions no matter the RTT, the range of
+# ports to use for RTP and RTCP (by default, no range is envisaged), the
+# starting MTU for DTLS (1200 by default, it adapts automatically),
+# how much time, in seconds, should pass with no media (audio or
+# video) being received before Janus notifies you about this (default=1s,
+# 0 disables these events entirely), how many lost packets should trigger a
+# 'slowlink' event to users (default=0, disabled), and how often, in milliseconds,
+# to send the Transport Wide Congestion Control feedback information back
+# to senders, if negotiated (default=200ms). Finally, if you're using BoringSSL
+# you can customize the frequency of retransmissions: OpenSSL has a fixed
+# value of 1 second (the default), while BoringSSL can override that. Notice
+# that lower values (e.g., 100ms) will typically get you faster connection
+# times, but may not work in case the RTT of the user is high: as such,
+# you should pick a reasonable trade-off (usually 2*max expected RTT).
+media: {
+	#ipv6 = true
+	#ipv6_linklocal = true
+	#min_nack_queue = 500
+	#rtp_port_range = "20000-40000"
+	#dtls_mtu = 1200
+	#no_media_timer = 1
+	#slowlink_threshold = 4
+	#twcc_period = 100
+	#dtls_timeout = 500
+
+	# Janus can do some optimizations on the NACK queue, specifically when
+	# keyframes are involved. Namely, you can configure Janus so that any
+	# time a keyframe is sent to a user, the NACK buffer for that connection
+	# is emptied. This allows Janus to ignore NACK requests for packets
+	# sent shortly before the keyframe was sent, since it can be assumed
+	# that the keyframe will restore a complete working image for the user
+	# anyway (which is the main reason why video retransmissions are typically
+	# required). While this optimization is known to work fine in most cases,
+	# it can backfire in some edge cases, and so is disabled by default.
+	#nack_optimizations = true
+
+	# If you need DSCP packet marking and prioritization, you can configure
+	# the 'dscp' property to a specific values, and Janus will try to
+	# set it on all outgoing packets using libnice. Normally, the specs
+	# suggest to use different values depending on whether audio, video
+	# or data are used, but since all PeerConnections in Janus are bundled,
+	# we can only use one. You can refer to this document for more info:
+	# https://tools.ietf.org/html/draft-ietf-tsvwg-rtcweb-qos-18#page-6
+	# That said, DON'T TOUCH THIS IF YOU DON'T KNOW WHAT IT MEANS!
+	#dscp = 46
+}
+
+# NAT-related stuff: specifically, you can configure the STUN/TURN
+# servers to use to gather candidates if the gateway is behind a NAT,
+# and srflx/relay candidates are needed. In case STUN is not enough and
+# this is needed (it shouldn't), you can also configure Janus to use a
+# TURN server# please notice that this does NOT refer to TURN usage in
+# browsers, but in the gathering of relay candidates by Janus itself,
+# e.g., if you want to limit the ports used by a Janus instance on a
+# private machine. Furthermore, you can choose whether Janus should be
+# configured to do full-trickle (Janus also trickles its candidates to
+# users) rather than the default half-trickle (Janus supports trickle
+# candidates from users, but sends its own within the SDP), and whether
+# it should work in ICE-Lite mode (by default it doesn't). If libnice is
+# at least 0.1.15, you can choose which ICE nomination mode to use: valid
+# values are "regular" and "aggressive" (the default depends on the libnice
+# version itself; if we can set it, we set aggressive nomination). You can
+# also configure whether to use connectivity checks as keep-alives, which
+# might help detecting when a peer is no longer available (notice that
+# current libnice master is breaking connections after 50 seconds when
+# keepalive-conncheck is being used, so if you want to use it, better
+# sticking to 0.1.18 until the issue is addressed upstream). Finally,
+# you can also enable ICE-TCP support (beware that this may lead to problems
+# if you do not enable ICE Lite as well), choose which interfaces should
+# be used for gathering candidates, and enable or disable the
+# internal libnice debugging, if needed.
+nat: {
+	stun_server = "global-hpb.f7cloud.ru" # HAND-EDIT
+	stun_port = 5349 # HAND-EDIT PORT-EDIT (443)
+	nice_debug = false
+	full_trickle = true # HAND-EDIT
+	#ice_nomination = "regular"
+	#ice_keepalive_conncheck = true
+	#ice_lite = true
+	#ice_tcp = true
+
+	# By default Janus tries to resolve mDNS (.local) candidates: even
+	# though this is now done asynchronously and shouldn't keep the API
+	# busy, even in case mDNS resolution takes a long time to timeout,
+	# you can choose to drop all .local candidates instead, which is
+	# helpful in case you know clients will never be in the same private
+	# network as the one the Janus instance is running from. Notice that
+	# this will cause ICE to fail if mDNS is the only way to connect!
+	#ignore_mdns = true
+
+	# In case you're deploying Janus on a server which is configured with
+	# a 1:1 NAT (e.g., Amazon EC2), you might want to also specify the public
+	# address of the machine using the setting below. This will result in
+	# all host candidates (which normally have a private IP address) to
+	# be rewritten with the public address provided in the settings. As
+	# such, use the option with caution and only if you know what you're doing.
+	# Make sure you keep ICE Lite disabled, though, as it's not strictly
+	# speaking a publicly reachable server, and a NAT is still involved.
+	# If you'd rather keep the private IP address in place, rather than
+	# replacing it (and so have both of them as advertised candidates),
+	# then set the 'keep_private_host' property to true.
+	# Multiple public IP addresses can be specified as a comma separated list
+	# if the Janus is deployed in a DMZ between two 1-1 NAT for internal and
+	# external users.
+	#nat_1_1_mapping = "1.2.3.4"
+	#keep_private_host = true
+
+	# You can configure a TURN server in two different ways: specifying a
+	# statically configured TURN server, and thus provide the address of the
+	# TURN server, the transport (udp/tcp/tls) to use, and a set of valid
+	# credentials to authenticate. Notice that you should NEVER configure
+	# a TURN server for Janus unless it's really what you want! If you want
+	# *users* to use TURN, then you need to configure that on the client
+	# side, and NOT in Janus. The following TURN configuration should ONLY
+	# be enabled when Janus itself is sitting behind a restrictive firewall
+	# (e.g., it's part of a service installed on a box in a private home).
+	#turn_server = "myturnserver.com"
+	#turn_port = 3478
+	#turn_type = "udp"
+	#turn_user = "myuser"
+	#turn_pwd = "mypassword"
+
+	# You can also make use of the TURN REST API to get info on one or more
+	# TURN services dynamically. This makes use of the proposed standard of
+	# such an API (https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00)
+	# which is currently available in both rfc5766-turn-server and coturn.
+	# You enable this by specifying the address of your TURN REST API backend,
+	# the HTTP method to use (GET or POST) and, if required, the API key Janus
+	# must provide. The timeout can be configured in seconds, with a default of
+	# 10 seconds and a minimum of 1 second. Notice that the 'opaque_id' provided
+	# via Janus API will be used as the username for a specific PeerConnection
+	# by default; if that one is missing, the 'session_id' will be used as the
+	# username instead.
+	#turn_rest_api = "http://yourbackend.com/path/to/api"
+	turn_rest_api_key = "wU6fR0Eb0J4Aky5NuNeo3w==" # HAND-EDIT
+	#turn_rest_api_method = "GET"
+	#turn_rest_api_timeout = 10
+
+	# In case a TURN server is provided, you can allow applications to force
+	# Janus to use TURN (https://github.com/meetecho/janus-gateway/pull/2774).
+	# This is NOT allowed by default: only enable it if you know what you're doing.
+	#allow_force_relay = true
+
+	# You can also choose which interfaces should be explicitly used by the
+	# gateway for the purpose of ICE candidates gathering, thus excluding
+	# others that may be available. To do so, use the 'ice_enforce_list'
+	# setting and pass it a comma-separated list of interfaces or IP addresses
+	# to enforce. This is especially useful if the server hosting the gateway
+	# has several interfaces, and you only want a subset to be used. Any of
+	# the following examples are valid:
+	#     ice_enforce_list = "eth0"
+	#     ice_enforce_list = "eth0,eth1"
+	#     ice_enforce_list = "eth0,192.168."
+	#     ice_enforce_list = "eth0,192.168.0.1"
+	# By default, no interface is enforced, meaning Janus will try to use them all.
+	#ice_enforce_list = "eth0"
+
+	# In case you don't want to specify specific interfaces to use, but would
+	# rather tell Janus to use all the available interfaces except some that
+	# you don't want to involve, you can also choose which interfaces or IP
+	# addresses should be excluded and ignored by the gateway for the purpose
+	# of ICE candidates gathering. To do so, use the 'ice_ignore_list' setting
+	# and pass it a comma-separated list of interfaces or IP addresses to
+	# ignore. This is especially useful if the server hosting the gateway
+	# has several interfaces you already know will not be used or will simply
+	# always slow down ICE (e.g., virtual interfaces created by VMware).
+	# Partial strings are supported, which means that any of the following
+	# examples are valid:
+	#     ice_ignore_list = "vmnet8,192.168.0.1,10.0.0.1"
+	#     ice_ignore_list = "vmnet,192.168."
+	# Just beware that the ICE ignore list is not used if an enforce list
+	# has been configured. By default, Janus ignores all interfaces whose
+	# name starts with 'vmnet', to skip VMware interfaces:
+	ice_ignore_list = "vmnet"
+
+	# In case you want to allow Janus to start even if the configured STUN or TURN
+	# server is unreachable, you can set 'ignore_unreachable_ice_server' to true.
+	# WARNING: We do not recommend to ignore reachability problems, particularly
+	# if you run Janus in the cloud. Before enabling this flag, make sure your
+	# system is correctly configured and Janus starts after the network layer of
+	# your machine is ready. Note that Linux distributions offer such directives.
+	# You could use the following directive in systemd: 'After=network-online.target'
+	# https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Before=
+	#ignore_unreachable_ice_server = true
+}
+
+# You can choose which of the available plugins should be
+# enabled or not. Use the 'disable' directive to prevent Janus from
+# loading one or more plugins: use a comma separated list of plugin file
+# names to identify the plugins to disable. By default all available
+# plugins are enabled and loaded at startup.
+plugins: {
+	#disable = "libjanus_voicemail.so,libjanus_recordplay.so"
+}
+
+# You can choose which of the available transports should be enabled or
+# not. Use the 'disable' directive to prevent Janus from loading one
+# or more transport: use a comma separated list of transport file names
+# to identify the transports to disable. By default all available
+# transports are enabled and loaded at startup.
+transports: {
+	#disable = "libjanus_rabbitmq.so"
+}
+
+# As a core feature, Janus can log either on the standard output, or to
+# a local file. Should you need more advanced logging functionality, you
+# can make use of one of the custom loggers, or write one yourself. Use the
+# 'disable' directive to prevent Janus from loading one or more loggers:
+# use a comma separated list of logger file names to identify the loggers
+# to disable. By default all available loggers are enabled and loaded at startup.
+loggers: {
+	#disable = "libjanus_jsonlog.so"
+}
+
+# Event handlers allow you to receive live events from Janus happening
+# in core and/or plugins. Since this can require some more resources,
+# the feature is disabled by default. Setting broadcast to yes will
+# enable them. You can then choose which of the available event handlers
+# should be loaded or not. Use the 'disable' directive to prevent Janus
+# from loading one or more event handlers: use a comma separated list of
+# file names to identify the event handlers to disable. By default, if
+# broadcast is set to yes all available event handlers are enabled and
+# loaded at startup. Finally, you can choose how often media statistics
+# (packets sent/received, losses, etc.) should be sent: by default it's
+# once per second (audio and video statistics sent separately), but may
+# considered too verbose, or you may want to limit the number of events,
+# especially if you have many PeerConnections active. To change this,
+# just set 'stats_period' to the number of seconds that should pass in
+# between statistics for each handle. Setting it to 0 disables them (but
+# not other media-related events). By default Janus sends single media
+# statistic events per media (audio, video and simulcast layers as separate
+# events): if you'd rather receive a single containing all media stats in a
+# single array, set 'combine_media_stats' to true.
+events: {
+	#broadcast = true
+	#combine_media_stats = true
+	#disable = "libjanus_sampleevh.so"
+	#stats_period = 5
+}
diff --git a/overlay/etc/janus/janus.logger.jsonlog.jcfg b/overlay/etc/janus/janus.logger.jsonlog.jcfg
new file mode 100644
index 0000000..6b505c8
--- /dev/null
+++ b/overlay/etc/janus/janus.logger.jsonlog.jcfg
@@ -0,0 +1,16 @@
+# This configures the JSON-based file logger. This is a very simple logger
+# with no particular advantage over the existing, integrated, logging
+# functionality Janus provides, and so it's configuration is quite basic
+# as well: it's here mostly to provide a reference implementation for
+# developers willing to provide additional, and more complex, external loggers.
+
+general: {
+	enabled = false		# By default the module is not enabled
+
+	json = "indented"	# Since this logger simply writes each log line as
+						# a JSON object to a file, you can configure whether
+						# the JSON log lines should be indented (default),
+						# plain (no indentation) or compact (no indentation and no spaces)
+
+	filename = "/tmp/janus-log.json"	# Filename to save to
+}
diff --git a/overlay/etc/janus/janus.plugin.audiobridge.jcfg b/overlay/etc/janus/janus.plugin.audiobridge.jcfg
new file mode 100644
index 0000000..39d41d5
--- /dev/null
+++ b/overlay/etc/janus/janus.plugin.audiobridge.jcfg
@@ -0,0 +1,83 @@
+# room-<unique room ID>: {
+# description = "This is my awesome room"
+# is_private = true|false (whether this room should be in the public list, default=true)
+# secret = "<optional password needed for manipulating (e.g. destroying) the room>"
+# pin = "<optional password needed for joining the room>"
+# sampling_rate = <sampling rate> (e.g., 16000 for wideband mixing)
+# spatial_audio = true|false (if true, the mix will be stereo to spatially place users, default=false)
+# audiolevel_ext = true|false (whether the ssrc-audio-level RTP extension must
+#		be negotiated/used or not for new joins, default=true)
+# audiolevel_event = true|false (whether to emit event to other users or not, default=false)
+# audio_active_packets = 100 (number of packets with audio level, default=100, 2 seconds)
+# audio_level_average = 25 (average value of audio level, 127=muted, 0='too loud', default=25)
+# default_prebuffering = number of packets to buffer before decoding each particiant (default=6)
+# default_expectedloss = percent of packets we expect participants may miss, to help with FEC (default=0, max=20; automatically used for forwarders too)
+# default_bitrate = default bitrate in bps to use for the all participants (default=0, which means libopus decides; automatically used for forwarders too)
+# record = true|false (whether this room should be recorded, default=false)
+# record_file = "/path/to/recording.wav" (where to save the recording)
+# record_dir = "/path/to/" (path to save the recording to, makes record_file a relative path if provided)
+# mjrs = true|false (whether all participants in the room should be individually recorded to mjr files, default=false)
+# mjrs_dir = "/path/to/" (path to save the mjr files to)
+# allow_rtp_participants = true|false (whether participants should be allowed to join
+#		via plain RTP as well, rather than just WebRTC, default=false)
+# groups = optional, non-hierarchical, array of groups to tag participants, for external forwarding purposes only
+#
+#     The following lines are only needed if you want the mixed audio
+#     to be automatically forwarded via plain RTP to an external component
+#     (e.g., an ffmpeg script, or a gstreamer pipeline) for processing
+#     By default plain RTP is used, SRTP must be configured if needed
+# rtp_forward_id = numeric RTP forwarder ID for referencing it via API (optional: random ID used if missing)
+# rtp_forward_host = "<host address to forward RTP packets of mixed audio to>"
+# rtp_forward_host_family = "<ipv4|ipv6; by default, first family returned by DNS request>"
+# rtp_forward_port = port to forward RTP packets of mixed audio to
+# rtp_forward_ssrc = SSRC to use to use when streaming (optional: stream_id used if missing)
+# rtp_forward_codec = opus (default), pcma (A-Law) or pcmu (mu-Law)
+# rtp_forward_ptype = payload type to use when streaming (optional: only read for Opus, 100 used if missing)
+# rtp_forward_group = group of participants to forward, if enabled in the room (optional: forwards full mix if missing)
+# rtp_forward_srtp_suite = length of authentication tag (32 or 80)
+# rtp_forward_srtp_crypto = "<key to use as crypto (base64 encoded key as in SDES)>"
+# rtp_forward_always_on = true|false, whether silence should be forwarded when the room is empty (optional: false used if missing)
+#}
+
+general: {
+	#admin_key = "supersecret"		# If set, rooms can be created via API only
+									# if this key is provided in the request
+	#lock_rtp_forward = true		# Whether the admin_key above should be
+									# enforced for RTP forwarding requests too
+	#lock_play_file = true			# Whether the admin_key above should be
+									# enforced for playing .opus files too
+	#record_tmp_ext = "tmp"			# Optional temporary extension to add to filenames
+									# while recording: e.g., setting "tmp" would mean
+									# .wav --> .wav.tmp until the file is closed
+	#events = false					# Whether events should be sent to event
+									# handlers (default=true)
+
+	# By default, integers are used as a unique ID for both rooms and participants.
+	# In case you want to use strings instead (e.g., a UUID), set string_ids to true.
+	#string_ids = true
+
+	# Normally, all AudioBridge participants will join by negotiating a WebRTC
+	# PeerConnection: the plugin also supports adding participants that will
+	# use plain RTP, though, be it for supporting legacy users (e.g., SIP
+	# participants who an orchestrator can add to the bridge) or more simply
+	# to temporarily inject external audio in a room from a live source. To
+	# support plain RTP, the plugin needs to have a range of ports it can bind
+	# to: notice this should be configured so that it doesn't conflict with other
+	# plugins (e.g., Streaming, SIP, NoSIP) and applications (e.g., Janus itself).
+	# The default if you don't specify anything is 10000-60000.
+	#rtp_port_range = "50000-60000"
+	# In case we need to support plain RTP participants, we'll also need to know
+	# what local IP address to bind to for media. If no address is set in the
+	# property below, then one will be automatically guessed from the system.
+	#local_ip = "1.2.3.4"
+
+}
+
+room-1234: {
+	description = "Demo Room"
+	secret = "adminpwd"
+	sampling_rate = 16000
+	record = false
+	#record_dir = "/path/to/"
+	#record_file = "recording.wav"
+}
diff --git a/overlay/etc/janus/janus.plugin.duktape.jcfg b/overlay/etc/janus/janus.plugin.duktape.jcfg
new file mode 100644
index 0000000..555bb98
--- /dev/null
+++ b/overlay/etc/janus/janus.plugin.duktape.jcfg
@@ -0,0 +1,20 @@
+# The only things you configure in here are which JavaScipt file to load and,
+# optionally, the paths to add for searching libraries and a configuration
+# file, if the script will need it. For what concerns the libraries path,
+# by default this configuration file adds a path to where the JS samples
+# have been installed, as it contains a couple of helper libraries the
+# samples use; should you be interested in adding more, just add other
+# paths separated by a semicolon. Due to the syntax of the configuration
+# file, make sure you escape all semicolons with a trailing slash, in case.
+# The 'config' property is entirely script specific, instead: if your
+# script will need to rely on an XML configuration file in its initialization,
+# for instance, then set the 'config' property as the path to the file;
+# it will be passed, as is, to your script in the init() call. None of
+# the samples use this property, which is why it's commented out. 
+
+general: {
+	path = "/usr/share/janus/duktape"
+	script = "/usr/share/janus/duktape/echotest.js"
+	#script = "/usr/share/janus/duktape/videoroom.js"
+	#config = "/path/to/configfile"
+}
diff --git a/overlay/etc/janus/janus.plugin.echotest.jcfg b/overlay/etc/janus/janus.plugin.echotest.jcfg
new file mode 100644
index 0000000..cfc94d2
--- /dev/null
+++ b/overlay/etc/janus/janus.plugin.echotest.jcfg
@@ -0,0 +1,5 @@
+# events = true|false, whether events should be sent to event handlers
+
+general: {
+	#events = false
+}
diff --git a/overlay/etc/janus/janus.plugin.lua.jcfg b/overlay/etc/janus/janus.plugin.lua.jcfg
new file mode 100644
index 0000000..3438b51
--- /dev/null
+++ b/overlay/etc/janus/janus.plugin.lua.jcfg
@@ -0,0 +1,20 @@
+# The only things you configure in here are which lua script to load and,
+# optionally, the paths to add for searching libraries and a configuration
+# file, if the script will need it. For what concerns the libraries path,
+# by default this configuration file adds a path to where the Lua samples
+# have been installed, as it contains a couple of helper libraries the
+# samples use; should you be interested in adding more, just add other
+# paths separated by a semicolon. Due to the syntax of the configuration
+# file, make sure you escape all semicolons with a trailing slash, in case.
+# The 'config' property is entirely script specific, instead: if your
+# script will need to rely on an XML configuration file in its initialization,
+# for instance, then set the 'config' property as the path to the file;
+# it will be passed, as is, to your script in the init() call. None of
+# the samples use this property, which is why it's commented out. 
+
+general: {
+	path = "/usr/share/janus/lua"
+	script = "/usr/share/janus/lua/echotest.lua"
+	#script = "/usr/share/janus/lua/videoroom.lua"
+	#config = "/path/to/configfile"
+}
diff --git a/overlay/etc/janus/janus.plugin.nosip.jcfg b/overlay/etc/janus/janus.plugin.nosip.jcfg
new file mode 100644
index 0000000..48073ef
--- /dev/null
+++ b/overlay/etc/janus/janus.plugin.nosip.jcfg
@@ -0,0 +1,23 @@
+general: {
+	# Specify which local IP address to bind to for media.
+	# If not set it will be automatically guessed from the system
+	#local_ip = "1.2.3.4"
+
+	# Specify which (public) IP address to advertise in the SDP.
+	# If not set, the value above or anything autodetected will be used
+	#sdp_ip = "1.2.3.4"
+
+	# Range of ports to use for RTP/RTCP (default=10000-60000)
+	rtp_port_range = "20000-40000"
+
+	# Whether events should be sent to event handlers (default=true)
+	#events = false
+
+	# If you need DSCP packet marking and prioritization, you can configure
+	# the 'dscp_audio_rtp' and/or 'dscp_video_rtp' property to specific values,
+	# and the plugin will set it on all outgoing audio/video RTP packets.
+	# No packet marking is done if this parameter is undefined or equal to 0
+	#dscp_audio_rtp = 46
+	#dscp_video_rtp = 26
+
+}
diff --git a/overlay/etc/janus/janus.plugin.recordplay.jcfg b/overlay/etc/janus/janus.plugin.recordplay.jcfg
new file mode 100644
index 0000000..ca6bc76
--- /dev/null
+++ b/overlay/etc/janus/janus.plugin.recordplay.jcfg
@@ -0,0 +1,7 @@
+# path = where to place recordings in the file system
+# events = true|false, whether events should be sent to event handlers
+
+general: {
+	path = "/usr/share/janus/recordings"
+	#events = false
+}
diff --git a/overlay/etc/janus/janus.plugin.sip.jcfg b/overlay/etc/janus/janus.plugin.sip.jcfg
new file mode 100644
index 0000000..06b9b4a
--- /dev/null
+++ b/overlay/etc/janus/janus.plugin.sip.jcfg
@@ -0,0 +1,55 @@
+general: {
+	# Specify which local IP address to bind to for SIP stack.
+	# If not set it will be automatically guessed from the system
+	#local_ip = "1.2.3.4"
+
+	# Specify which local IP address to bind for the media stack.
+	# If not set it will be automatically set to the value of local_ip
+	#local_media_ip = "1.2.3.4"
+
+	# Specify which (public) IP address to advertise in the SDP.
+	# If not set, the value above or anything autodetected will be used
+	#sdp_ip = "1.2.3.4"
+
+	# Enable local keep-alives to keep the registration open. Keep-alives are
+	# sent in the form of OPTIONS requests, at the given interval inseconds.
+	# (0 to disable)
+	keepalive_interval = 120
+
+	# Indicate if the server is behind NAT. If so, the server will use STUN
+	# to guess its own public IP address and use it in the Contact header of
+	# outgoing requests
+	behind_nat = false
+
+	# User-Agent string to be used
+	# user_agent = "Cool WebRTC Gateway"
+
+	# Expiration time for registrations
+	register_ttl = 3600
+
+	# Range of ports to use for RTP/RTCP (default=10000-60000)
+	rtp_port_range = "20000-40000"
+
+	# Whether events should be sent to event handlers (default=true)
+	#events = false
+
+	# If you need DSCP packet marking and prioritization, you can configure
+	# the 'dscp_audio_rtp' and/or 'dscp_video_rtp' property to specific values,
+	# and the plugin will set it on all outgoing audio/video RTP packets.
+	# No packet marking is done if this parameter is undefined or equal to 0
+	#dscp_audio_rtp = 46
+	#dscp_video_rtp = 26
+
+	# In case you want to use SIPS for some sessions, Sofia may need to
+	# have access to a certificate to use: this is especially true for
+	# Sofia >= 1.13, which will fail to create the agent if no certificate
+	# is available. By default, Sofia looks for 'agent.pem' and 'cafile.pem'
+	# in the '$HOME/.sip/auth' folder, but you can specify a different
+	# one by uncommenting and setting the property below.
+	#sips_certs_dir = "/etc/sip/certs"
+
+	# Set the T1x64 timeout value (in milliseconds) used by the SIP transaction
+	# engine (default 32000 milliseconds)
+	sip_timer_t1x64 = 32000
+
+}
diff --git a/overlay/etc/janus/janus.plugin.streaming.jcfg b/overlay/etc/janus/janus.plugin.streaming.jcfg
new file mode 100644
index 0000000..e611b9c
--- /dev/null
+++ b/overlay/etc/janus/janus.plugin.streaming.jcfg
@@ -0,0 +1,323 @@
+# stream-name: {
+# type = rtp|live|ondemand|rtsp
+#        rtp = stream originated by an external tool (e.g., gstreamer or
+#              ffmpeg) and sent to the plugin via RTP
+#        live = local file streamed live to multiple listeners
+#               (multiple listeners = same streaming context)
+#        ondemand = local file streamed on-demand to a single listener
+#                   (multiple listeners = different streaming contexts)
+#        rtsp = stream originated by an external RTSP feed (only
+#               available if libcurl support was compiled)
+# id = <unique numeric ID> (if missing, a random one will be generated)
+# description = This is my awesome stream
+# metadata = An optional string that can contain any metadata (e.g., JSON)
+#		   associated with the stream you want users to receive
+# is_private = true|false (private streams don't appear when you do a 'list'
+#			request)
+# secret = <optional password needed for manipulating (e.g., destroying
+#			or enabling/disabling) the stream>
+# pin = <optional password needed for watching the stream>
+# filename = path to the local file to stream (only for live/ondemand)
+# audio = true|false (do/don't stream audio)
+# video = true|false (do/don't stream video)
+#    The following options are only valid for the 'rtp' type:
+# data = true|false (do/don't stream text via datachannels)
+# audioport = local port for receiving audio frames
+# audiortcpport = local port, if any, for receiving and sending audio RTCP feedback
+# audiomcast = multicast group port for receiving audio frames, if any
+# audioiface = network interface or IP address to bind to, if any (binds to all otherwise)
+# audiopt = <audio RTP payload type> (e.g., 111)
+# audiocodec = name of the audio codec (e.g., opus)
+# audioskew = true|false (whether the plugin should perform skew
+#		analisys and compensation on incoming audio RTP stream, EXPERIMENTAL)
+# videoport = local port for receiving video frames
+# videortcpport = local port, if any, for receiving and sending video RTCP feedback
+# videomcast = multicast group port for receiving video frames, if any
+# videoiface = network interface or IP address to bind to, if any (binds to all otherwise)
+# videopt = <video RTP payload type> (e.g., 100)
+# videocodec = name of the video codec (e.g., vp8)
+# videobufferkf = true|false (whether the plugin should store the latest
+#		keyframe and send it immediately for new viewers, EXPERIMENTAL)
+# videosimulcast = true|false (do|don't enable video simulcasting)
+# videoport2 = second local port for receiving video frames (only for rtp, and simulcasting)
+# videoport3 = third local port for receiving video frames (only for rtp, and simulcasting)
+# videoskew = true|false (whether the plugin should perform skew
+#		analisys and compensation on incoming video RTP stream, EXPERIMENTAL)
+# videosvc = true|false (whether the video will have SVC support; works only for VP9-SVC, default=false)
+# collision = in case of collision (more than one SSRC hitting the same port), the plugin
+#		will discard incoming RTP packets with a new SSRC unless this many milliseconds
+#		passed, which would then change the current SSRC (0=disabled)
+# dataport = local port for receiving data messages to relay
+# dataiface = network interface or IP address to bind to, if any (binds to all otherwise)
+# datatype = text|binary (type of data this mountpoint will relay, default=text)
+# databuffermsg = true|false (whether the plugin should store the latest
+#		message and send it immediately for new viewers)
+# threads = number of threads to assist with the relaying part, which can help
+#		if you expect a lot of viewers that may cause the RTP receiving part
+#		in the Streaming plugin to slow down and fail to catch up (default=0)
+#
+# In case you want to use SRTP for your RTP-based mountpoint, you'll need
+# to configure the SRTP-related properties as well, namely the suite to
+# use for hashing (32 or 80) and the crypto information for decrypting
+# the stream (as a base64 encoded string the way SDES does it). Notice
+# that with SRTP involved you'll have to pay extra attention to what you
+# feed the mountpoint, as you may risk getting SRTP decrypt errors:
+# srtpsuite = 32
+# srtpcrypto = WbTBosdVUZqEb6Htqhn+m3z7wUh4RJVR8nE15GbN
+#
+# The Streaming plugin can also be used to (re)stream media that has been
+# encrypted using something that can be consumed via Insertable Streams.
+# In that case, we only need to be aware of it, so that we can send the
+# info along with the SDP. How to decrypt the media is out of scope, and
+# up to the application since, again, this is end-to-end encryption and
+# so neither Janus nor the Streaming plugin have access to anything.
+# DO NOT SET THIS PROPERTY IF YOU DON'T KNOW WHAT YOU'RE DOING!
+# e2ee = true
+#
+# To allow mountpoints to negotiate the playout-delay RTP extension,
+# you can set the 'playoutdelay_ext' property to true: this way, any
+# subscriber can customize the playout delay of incoming video streams,
+# assuming the browser supports the RTP extension in the first place.
+# playoutdelay_ext = true
+#
+# The following options are only valid for the 'rtsp' type:
+# url = RTSP stream URL (only for restreaming RTSP)
+# rtsp_user = RTSP authorization username (only if type=rtsp)
+# rtsp_pwd = RTSP authorization password (only if type=rtsp)
+# rtsp_quirk = Some RTSP servers offer the stream using only the path, instead of the fully qualified URL.
+#		If set true, this boolean informs Janus that we should try a path-only DESCRIBE request if the initial request returns 404.
+# rtsp_failcheck = whether an error should be returned if connecting to the RTSP server fails (default=true)
+# rtspiface = network interface or IP address to bind to, if any (binds to all otherwise), when receiving RTSP streams
+# rtsp_reconnect_delay = after n seconds passed and no media assumed, the RTSP server has gone and schedule a reconnect (default=5s)
+# rtsp_session_timeout = by default the streaming plugin will check the RTSP connection with an OPTIONS query,
+# 		the value of the timeout comes from the RTSP session initializer and by default
+# 		this session timeout is the half of this value In some cases this value can be too high (for example more than one minute)
+# 		because of the media server. In that case this plugin will calculate the timeout with this
+# 		formula: timeout = min(session_timeout, rtsp_session_timeout / 2). (default=0s)
+# rtsp_timeout = communication timeout (CURLOPT_TIMEOUT) for cURL call gathering the RTSP information (default=10s)
+# rtsp_conn_timeout = connection timeout for cURL (CURLOPT_CONNECTTIMEOUT) call gathering the RTSP information (default=5s)
+#
+# Notice that, for 'rtsp' mountpoints, normally the plugin uses the exact
+# SDP codec and fmtp attributes the remote camera or RTSP server sent.
+# In case the values set remotely are known to conflict with WebRTC viewers,
+# you can override both using the settings introduced above.
+#
+# To test the 'gstreamer-sample' example, check the test_gstreamer.sh
+# script in the plugins/streams folder. The live and on-demand  audio
+# file streams, use a couple of files (radio.alaw, music.mulaw) that are
+# provided in the plugins/streams folder.
+#}
+
+general: {
+	#admin_key = "supersecret"		# If set, mountpoints can be created via API
+									# only if this key is provided in the request
+	#rtp_port_range = "20000-40000"	# Range of ports to use for RTP/RTCP when '0' is
+									# passed as port for a mountpoint (default=10000-60000)
+	#events = false					# Whether events should be sent to event
+									# handlers (default=true)
+
+	# By default, integers are used as a unique ID for both mountpoints. In case
+	# you want to use strings instead (e.g., a UUID), set string_ids to true.
+	#string_ids = true
+}
+
+#
+# This is an example of an RTP source stream, which is what you'll need
+# in the vast majority of cases: here, the Streaming plugin will bind to
+# some ports, and expect media to be sent by an external source (e.g.,
+# FFmpeg or Gstreamer). This sample listens on 5002 for audio (Opus) and
+# 5004 for video (VP8), which is what the sample gstreamer script in the
+# plugins/streams folder sends to. Whatever is sent to those ports will
+# be the source of a WebRTC broadcast users can subscribe to.
+#
+rtp-sample: {
+	type = "rtp"
+	id = 1
+	description = "Opus/VP8 live stream coming from external source"
+	metadata = "You can use this metadata section to put any info you want!"
+	audio = true
+	video = true
+	audioport = 5002
+	audiopt = 111
+	audiocodec = "opus"
+	videoport = 5004
+	videopt = 100
+	videocodec = "vp8"
+	secret = "adminpwd"
+}
+
+#
+# This is a better example that uses the new settings to configure a live
+# mountpoint to send multiple streams of the same type at the same time:
+# that is, not simulcasting, but different streams (e.g., two audio
+# streams and two video streams). To do so, you don't set the audio,
+# video and data properties inline, but use an array of properties instead,
+# each identifying a single stream to add, that will then translate to
+# a dedicated m-line in the SDP. For each stream, you specify the type,
+# a unique ID (mid), and can provide a short description (label) so that
+# the client side can know what's what when rendering the streams;
+# optionally, a msid to add to the SDP m-line can be provided as well. Notice
+# how the port/pt/codec/fmtp/etc. stuff is called just like that, without
+# any audio/video/data prefix: in fact, each media stream can be configured
+# the same way, and it's the type that allows us to differentiate them.
+# As such, you can use the same approach for creating regular mountpoints
+# as well (e.g., 1 audio and 1 video) in a much clearer, and cleaner, way.
+#
+multistream-test: {
+	type = "rtp"
+	id = 123
+	description = "Multistream test (1 audio, 2 video)"
+	metadata = "This is an example of a multistream mountpoint: you'll get an audio stream and two video feeds"
+	media = (
+		{
+			type = "audio"
+			mid = "a"
+			label = "Audio stream"
+			port = 5102
+			pt = 111
+			codec = "opus"
+		},
+		{
+			type = "video"
+			mid = "v1"
+			label = "Video stream #1"
+			port = 5104
+			pt = 100
+			codec = "vp8"
+		},
+		{
+			type = "video"
+			mid = "v2"
+			label = "Video stream #2"
+			port = 5106
+			pt = 100
+			codec = "vp8"
+		}
+	)
+	secret = "adminpwd"
+}
+
+#
+# This is a sample of the file-based streaming support. Specifically,
+# this simulates a radio broadcast by streaming (in a loop) raw a-Law
+# (that is, G.711) frames. Since type is "live", anyone subscribing to
+# this mountpoint will listen to the same broadcast as if it were live.
+# Notice that file-based streaming supports Opus files too, but no video.
+#
+file-live-sample: {
+	type = "live"
+	id = 2
+	description = "a-law file source (radio broadcast)"
+	filename = "/usr/share/janus/streams/radio.alaw"
+	audio = true
+	video = false
+	secret = "adminpwd"
+}
+
+#
+# This is another sample of the file-based streaming support, but using
+# the "ondemand" type instead. In this case, the file we're streaming
+# contains raw mu-Law (still G.711) frames. Since this is "ondemand",
+# anyone subscribing to this mountpoint will listen to their own version
+# of the stream, meaning that it will start from the beginning and then
+# loop when it's over. On-demand streaming supports Opus files as well.
+#
+file-ondemand-sample: {
+	type = "ondemand"
+	id = 3
+	description = "mu-law file source (music)"
+	filename = "/usr/share/janus/streams/music.mulaw"
+	audio = true
+	video = false
+	secret = "adminpwd"
+}
+
+#
+# All browsers also support H.264, often through Cisco's OpenH264 plugin.
+# The only profile that is definitely supported is the baseline one, which
+# means that if you try a higher one it might or might not work. No matter
+# which profile you encode, though, you can put a custom one in the SDP if
+# you override the fmtp SDP attribute via 'videofmtp'. The following is an
+# example of how to create a simple H.264 mountpoint: you can feed it via
+# an x264enc+rtph264pay pipeline in gstreamer, an ffmpeg script or other.
+#
+#h264-sample: {
+	#type = "rtp"
+	#id = 10
+	#description = "H.264 live stream coming from gstreamer"
+	#audio = false
+	#video = true
+	#videoport = 8004
+	#videopt = 126
+	#videocodec = "h264"
+	#videofmtp = "profile-level-id=42e01f;packetization-mode=1"
+	#secret = "adminpwd"
+#}
+
+#
+# The Streaming plugin also supports the broadcasting of datachannel
+# messages, either by themselves or along other audio/video streams (e.g.,
+# to add a subtitle to a stream you're sending). The following is an
+# example of how you can create a datachannel-only mountpoint: you can
+# feed it with any tool that can send UDP datagrams, e.g., netcat.
+# Notice that the 'rtp' type just indicates this is a live mountpoint:
+# datachannel messages will be sent as usual, and not use RTP at all.
+#
+#data-example: {
+	#type = "rtp"
+	#id = 15
+	#description = "Datachannel stream from an UDP source"
+	#audio = false
+	#video = false
+	#data = true
+	#dataport = 5008
+	#datatype = "text"
+	#secret = "adminpwd"
+#}
+
+#
+# This is a variation of the rtp-sample configuration for Opus/VP8 shown
+# before, where multicast support is used to receive the streams. You
+# need an external script to feed data on those ports, of course.
+#
+#rtp-multicast: {
+	#type = "rtp"
+	#id = 20
+	#description = "Opus/VP8 live multicast stream sample"
+	#audio = true
+	#video = true
+	#audioport = 5002
+	#audiomcast = "232.3.4.5"
+	#audiopt = 111
+	#audiocodec = "opus"
+	#videoport = 5004
+	#videomcast = "232.3.4.5"
+	#videopt = 100
+	#videocodec = "vp8"
+	#secret = "adminpwd"
+#}
+
+#
+# This is a sample configuration for an RTSP stream: you can specify
+# the url to connect to and whether or not authentication is needed
+# using the url/rtsp_user/rtsp_pwd settings (but notice that digest
+# authentication will only work if you installed libcurl >= 7.45.0)
+# NOTE WELL: the plugin does NOT transcode, so the RTSP stream MUST be
+# in a format the browser can digest (e.g., VP8 or H.264 baseline for video)
+# Again, you can override payload type, codec and/or fmtp, if needed.
+#
+#rtsp-test: {
+	#type = "rtsp"
+	#id = 99
+	#description = "RTSP Test"
+	#audio = false
+	#video = true
+	#url = "rtsp://127.0.0.1:8554/unicast"
+	#rtsp_user = "username"
+	#rtsp_pwd = "password"
+	#secret = "adminpwd"
+	#rtsp_reconnect_delay = 5
+	#rtsp_session_timeout = 0
+	#rtsp_timeout = 10
+	#rtsp_conn_timeout = 5
+#}
diff --git a/overlay/etc/janus/janus.plugin.textroom.jcfg b/overlay/etc/janus/janus.plugin.textroom.jcfg
new file mode 100644
index 0000000..f309683
--- /dev/null
+++ b/overlay/etc/janus/janus.plugin.textroom.jcfg
@@ -0,0 +1,30 @@
+# room-<unique room ID>: {
+# description = This is my awesome room
+# is_private = true|false (whether this room should be in the public list, default=true)
+# secret = <optional password needed for manipulating (e.g. destroying) the room>
+# pin = <optional password needed for joining the room>
+# history = <number of messages to store as a history, and send back to new participants (default=0, no history)>
+# post = <optional backend to contact via HTTP post for all incoming messages>
+#}
+
+general: {
+	#admin_key = "supersecret"		# If set, rooms can be created via API only
+									# if this key is provided in the request
+	json = "indented"				# Whether the data channel JSON messages should be indented (default),
+									# plain (no indentation) or compact (no indentation and no spaces)
+	#events = false					# Whether events should be sent to event
+									# handlers (default=true)
+
+	# By default, integers are used as a unique ID for rooms. In case you
+	# want to use strings instead (e.g., a UUID), set string_ids to true.
+	#string_ids = true
+}
+
+room-1234: {
+	description = "Demo Room"
+	# is_private = true
+	secret = "adminpwd"
+	# pin = "roompwd"
+	# history = 10
+	# post = "http://example.com/forward/here"
+}
diff --git a/overlay/etc/janus/janus.plugin.videocall.jcfg b/overlay/etc/janus/janus.plugin.videocall.jcfg
new file mode 100644
index 0000000..cfc94d2
--- /dev/null
+++ b/overlay/etc/janus/janus.plugin.videocall.jcfg
@@ -0,0 +1,5 @@
+# events = true|false, whether events should be sent to event handlers
+
+general: {
+	#events = false
+}
diff --git a/overlay/etc/janus/janus.plugin.videoroom.jcfg b/overlay/etc/janus/janus.plugin.videoroom.jcfg
new file mode 100644
index 0000000..07723e1
--- /dev/null
+++ b/overlay/etc/janus/janus.plugin.videoroom.jcfg
@@ -0,0 +1,95 @@
+# room-<unique room ID>: {
+# description = This is my awesome room
+# is_private = true|false (whether this room should be in the public list, default=true)
+# secret = <optional password needed for manipulating (e.g. destroying) the room>
+# pin = <optional password needed for joining the room>
+# require_pvtid = true|false (whether subscriptions are required to provide a valid private_id
+#			to associate with a publisher, default=false)
+# signed_tokens = true|false (whether access to the room requires signed tokens; default=false,
+#			only works if signed tokens are used in the core as well)
+# publishers = <max number of concurrent senders> (e.g., 6 for a video
+#              conference or 1 for a webinar)
+bitrate = 5000000
+# bitrate_cap = true|false (whether the above cap should act as a hard limit to
+#			dynamic bitrate changes by publishers; default=false, publishers can go beyond that)
+fir_freq = 5
+# audiocodec = opus|g722|pcmu|pcma|isac32|isac16 (audio codec(s) to force on publishers, default=opus
+#			can be a comma separated list in order of preference, e.g., opus,pcmu)
+videocodec = vp9
+#			can be a comma separated list in order of preference, e.g., vp9,vp8,h264)
+# vp9_profile = VP9-specific profile to prefer (e.g., "2" for "profile-id=2")
+# h264_profile = H.264-specific profile to prefer (e.g., "42e01f" for "profile-level-id=42e01f")
+# opus_fec = true|false (whether inband FEC must be negotiated; only works for Opus, default=true)
+# opus_dtx = true|false (whether DTX must be negotiated; only works for Opus, default=false)
+# video_svc = true|false (whether SVC support must be enabled; only works for VP9, default=false)
+# audiolevel_ext = true|false (whether the ssrc-audio-level RTP extension must
+#		be negotiated/used or not for new publishers, default=true)
+# audiolevel_event = true|false (whether to emit event to other users or not, default=false)
+# audio_active_packets = 100 (number of packets with audio level, default=100, 2 seconds)
+# audio_level_average = 25 (average value of audio level, 127=muted, 0='too loud', default=25)
+# videoorient_ext = true|false (whether the video-orientation RTP extension must
+#		be negotiated/used or not for new publishers, default=true)
+# playoutdelay_ext = true|false (whether the playout-delay RTP extension must
+#		be negotiated/used or not for new publishers, default=true)
+# transport_wide_cc_ext = true|false (whether the transport wide CC RTP extension must be
+#		negotiated/used or not for new publishers, default=true)
+# record = true|false (whether this room should be recorded, default=false)
+# rec_dir = <folder where recordings should be stored, when enabled>
+# lock_record = true|false (whether recording can only be started/stopped if the secret
+#            is provided, or using the global enable_recording request, default=false)
+# notify_joining = true|false (optional, whether to notify all participants when a new
+#               participant joins the room. The Videoroom plugin by design only notifies
+#               new feeds (publishers), and enabling this may result extra notification
+#               traffic. This flag is particularly useful when enabled with require_pvtid
+#               for admin to manage listening only participants. default=false)
+# require_e2ee = true|false (whether all participants are required to publish and subscribe
+#             using end-to-end media encryption, e.g., via Insertable Streams; default=false)
+# dummy_publisher = true|false (whether a dummy publisher should be created in this room,
+#                 with one separate m-line for each codec supported in the room; this is
+#                 useful when there's a need to create subscriptions with placeholders
+#                 for some or all m-lines, even when they aren't used yet; default=false)
+# dummy_streams = in case dummy_publisher is set to true, array of codecs to offer,
+#				optionally with a fmtp attribute to match (codec/fmtp properties).
+#				If not provided, all codecs enabled in the room are offered, with no fmtp.
+#				Notice that the fmtp is parsed, and only a few codecs are supported.
+#}
+
+general: {
+	#admin_key = "supersecret"		# If set, rooms can be created via API only
+									# if this key is provided in the request
+	#lock_rtp_forward = true		# Whether the admin_key above should be
+									# enforced for RTP forwarding requests too
+	#events = false					# Whether events should be sent to event
+									# handlers (default=true)
+
+	# By default, integers are used as a unique ID for both rooms and participants.
+	# In case you want to use strings instead (e.g., a UUID), set string_ids to true.
+	#string_ids = true
+}
+
+room-1234: {
+	description = "Demo Room"
+	secret = "adminpwd"
+	publishers = 6
+	bitrate = 128000
+	fir_freq = 10
+	#audiocodec = "opus"
+	#videocodec = "vp8"
+	record = false
+	#rec_dir = "/path/to/recordings-folder"
+}
+
+# This other demo room here is only there in case you want to play with
+# the VP9 SVC support. Notice that you'll need a Chrome launched with
+# the flag that enables that support, or otherwise you'll be using just
+# plain VP9 (which is good if you want to test how this indeed affect
+# what receivers will get, whether they're encoding SVC or not).
+room-5678: {
+	description = "VP9-SVC Demo Room"
+	secret = "adminpwd"
+	publishers = 6
+	bitrate = 512000
+	fir_freq = 10
+	videocodec = "vp9"
+	video_svc = true
+}
diff --git a/overlay/etc/janus/janus.plugin.voicemail.jcfg b/overlay/etc/janus/janus.plugin.voicemail.jcfg
new file mode 100644
index 0000000..e2dfe45
--- /dev/null
+++ b/overlay/etc/janus/janus.plugin.voicemail.jcfg
@@ -0,0 +1,11 @@
+# path = where to place recordings in the file system (should be in a
+#	properly configured web server, if you want the demo to work)
+# base = base path to use when returning the recording URI (use this
+#	to make sure the file in the path you chose is reachable via HTTP)
+# events = true|false, whether events should be sent to event handlers
+
+general: {
+	path = "/usr/share/janus/demos/voicemail/"
+	base = "/voicemail/"
+	events = true
+}
diff --git a/overlay/etc/janus/janus.transport.http.jcfg b/overlay/etc/janus/janus.transport.http.jcfg
new file mode 100644
index 0000000..2d401d5
--- /dev/null
+++ b/overlay/etc/janus/janus.transport.http.jcfg
@@ -0,0 +1,74 @@
+# Web server stuff: whether any should be enabled, which ports they
+# should use, whether security should be handled directly or demanded to
+# an external application (e.g., web frontend) and what should be the
+# base path for the Janus API protocol. Notice that by default
+# all the web servers will try and bind on both IPv4 and IPv6: if you
+# want to only bind to IPv4 addresses (e.g., because your system does not
+# support IPv6), you should set the web server 'ip' property to '0.0.0.0'.
+# To see debug logs from the HTTP server library, set 'mhd_debug'.
+general: {
+	#events = true					# Whether to notify event handlers about transport events (default=true)
+	json = "indented"				# Whether the JSON messages should be indented (default),
+									# plain (no indentation) or compact (no indentation and no spaces)
+	base_path = "/janus"			# Base path to bind to in the web server (plain HTTP only)
+	http = true						# Whether to enable the plain HTTP interface
+	port = 8088						# Web server HTTP port
+	interface = "lo" # HAND-EDIT	# Whether we should bind this server to a specific interface only
+	#ip = "192.168.0.1"				# Whether we should bind this server to a specific IP address (v4 or v6) only
+	https = false					# Whether to enable HTTPS (default=false)
+	#secure_port = 8089				# Web server HTTPS port, if enabled
+	#secure_interface = "eth0"		# Whether we should bind this server to a specific interface only
+	#secure_ip = "192.168.0.1"		# Whether we should bind this server to a specific IP address (v4 or v6) only
+	#acl = "127.,192.168.0."		# Only allow requests coming from this comma separated list of addresses
+	#mhd_connection_limit = 1020		# Open connections limit in libmicrohttpd (default=1020)
+	#mhd_debug = false					# Ask libmicrohttpd to write warning and error messages to stderr (default=false)
+}
+
+# Janus can also expose an admin/monitor endpoint, to allow you to check
+# which sessions are up, which handles they're managing, their current
+# status and so on. This provides a useful aid when debugging potential
+# issues in Janus. The configuration is pretty much the same as the one
+# already presented above for the webserver stuff, as the API is very
+# similar: choose the base bath for the admin/monitor endpoint (/admin
+# by default), ports, etc. Besides, you can specify
+# a secret that must be provided in all requests as a crude form of
+# authorization mechanism, and partial or full source IPs if you want to
+# limit access basing on IP addresses. For security reasons, this
+# endpoint is disabled by default, enable it by setting admin_http=true.
+admin: {
+	admin_base_path = "/admin"			# Base path to bind to in the admin/monitor web server (plain HTTP only)
+	admin_http = false					# Whether to enable the plain HTTP interface
+	admin_port = 7088					# Admin/monitor web server HTTP port
+	#admin_interface = "eth0"			# Whether we should bind this server to a specific interface only
+	#admin_ip = "192.168.0.1"			# Whether we should bind this server to a specific IP address (v4 or v6) only
+	admin_https = false					# Whether to enable HTTPS (default=false)
+	#admin_secure_port = 7889			# Admin/monitor web server HTTPS port, if enabled
+	#admin_secure_interface = "eth0"	# Whether we should bind this server to a specific interface only
+	#admin_secure_ip = "192.168.0.1"	# Whether we should bind this server to a specific IP address (v4 or v6) only
+	#admin_acl = "127.,192.168.0."		# Only allow requests coming from this comma separated list of addresses
+}
+
+# The HTTP servers created in Janus support CORS out of the box, but by
+# default they return a wildcard (*) in the 'Access-Control-Allow-Origin'
+# header. This works fine in most situations, except when we have to
+# respond to a credential request (withCredentials=true in the XHR). If
+# you need that, uncomment and set the 'allow_origin' below to specify
+# what must be returned in 'Access-Control-Allow-Origin'. More details:
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
+# In case you want to enforce the Origin validation, rather than leave
+# it to browsers, you can set 'enforce_cors' to 'true' to have Janus
+# return a '403 Forbidden' for all requests that don't comply.
+cors: {
+	#allow_origin = "http://foo.example"
+	#enforce_cors = true
+}
+
+# Certificate and key to use for HTTPS, if enabled (and passphrase if needed).
+# You can also disable insecure protocols and ciphers by configuring the
+# 'ciphers' property accordingly (no limitation by default).
+certificates: {
+	cert_pem = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+	cert_key = "/etc/ssl/private/ssl-cert-snakeoil.key"
+	#cert_pwd = "secretpassphrase"
+	#ciphers = "PFS:-VERS-TLS1.0:-VERS-TLS1.1:-3DES-CBC:-ARCFOUR-128"
+}
diff --git a/overlay/etc/janus/janus.transport.mqtt.jcfg b/overlay/etc/janus/janus.transport.mqtt.jcfg
new file mode 100644
index 0000000..5af9037
--- /dev/null
+++ b/overlay/etc/janus/janus.transport.mqtt.jcfg
@@ -0,0 +1,59 @@
+# Configuration of the MQTT additional transport for the Janus API.
+general: {
+	enabled = false						# Whether the support must be enabled
+	#events = true						# Whether to notify event handlers about transport events (default=true)
+	json = "indented"						# Whether the JSON messages should be indented (default),
+										# plain (no indentation) or compact (no indentation and no spaces)
+
+	url = "tcp://localhost:1883"		# The connection URL of the MQTT broker: if you want
+										# to use SSL, make sure you type ssl:// instead of tcp://,
+										# and that you configure the SSL settings below
+	#mqtt_version = "3.1.1"				# Protocol version. Available values: 3.1, 3.1.1 (default), 5.
+	#client_id = "guest"				# Client identifier
+	#username = "guest"					# Username to use to authenticate, if needed
+	#password = "guest"					# Password to use to authenticate, if needed
+	#keep_alive_interval = 20			# Keep connection for N seconds
+	#cleansession = 0					# Clean session flag
+	#max_inflight = 10					# Maximum number of inflight messages
+	#max_buffered = 100					# Maximum number of buffered messages
+	#disconnect_timeout = 100			# Milliseconds to wait before destroying client
+	subscribe_topic = "to-janus"		# Topic for incoming messages
+	#subscribe_qos = 1					# QoS for incoming messages
+	publish_topic = "from-janus"		# Topic for outgoing messages
+	#publish_qos = 1					# QoS for outgoing messages
+
+	#ssl_enabled = true					# Whether ssl support must be enabled
+	#verify_peer = true					# Whether peer verification must be enabled
+
+	# Certificates to use when SSL support is enabled, if needed
+	#cacertfile = /path/to/cacert.pem
+	certfile = /etc/ssl/certs/ssl-cert-snakeoil.pem
+	keyfile = /etc/ssl/private/ssl-cert-snakeoil.key
+
+	# These options work with MQTT 5 only.
+	#vacuum_interval = 60					# Interval for removing old transaction states in seconds.
+	#proxy_transaction_user_properties = []	# Array of user property names to copy from the incoming message.
+	#add_transaction_user_properties = ()	# List of user property ["key", "value"] pairs to add.
+}
+
+admin: {
+	#admin_enabled = false				# Whether the support must be enabled
+	subscribe_topic = "to-janus-admin"	# Topic for incoming admin messages
+	#subscribe_qos = 1					# QoS for incoming admin messages
+	publish_topic = "from-janus-admin"	# Topic for outgoing admin messages
+	#publish_qos = 1					# QoS for outgoing admin messages
+}
+
+status: {
+	enabled = false 			# Whether status messages must be enabled (default: false)
+
+	# Initial message sent to status topic. Nothing is being sent if not set.
+	#connect_message = "{\"online\": true}"
+
+	# Message sent after disconnect or as LWT. Nothing is being sent if not set.
+	#disconnect_message = "{\"online\": false}"
+
+	#topic = "status"			# Status topic (default: "status")
+	#qos = 1				  	# QoS for status messages (default: 1)
+	#retain = false				# Whether status messages should be retained (default: false)
+}
diff --git a/overlay/etc/janus/janus.transport.nanomsg.jcfg b/overlay/etc/janus/janus.transport.nanomsg.jcfg
new file mode 100644
index 0000000..05254f5
--- /dev/null
+++ b/overlay/etc/janus/janus.transport.nanomsg.jcfg
@@ -0,0 +1,29 @@
+# You can also control a Janus instance using Nanomsg sockets. The only
+# aspect you need to configure here is the address to use for the
+# communication, and whether the address should be used to bind locally
+# or to connect to a remote endpoint. Notice that the only supported
+# pattern is NN_PAIR, so you'll only be able to have a single client
+# controlling the API with this plugin. As usual, both Janus API and Admin
+# API endpoints can be configured.
+general: {
+	enabled = true						# Whether to enable the Nanomsg interface
+										# for Janus API clients
+	#events = true						# Whether to notify event handlers about transport events (default=true)
+	json = "indented"					# Whether the JSON messages should be indented (default),
+										# plain (no indentation) or compact (no indentation and no spaces)
+	#mode = "bind"						# Whether we should 'bind' to the specified
+										# address (default), or connect to it if remote
+	address = "ipc:///tmp/janus.ipc"	# Address to use (Janus API), refer
+										# to the Nanomsg documentation for more info
+										# on different transports you can use here
+}
+
+# As with other transport plugins, you can use Nanomsg to interact with
+# the Admin API as well: in case you're interested in it, a different
+# address needs to be provided.
+admin: {
+	admin_enabled = false				# Whether to enable the Nanomsg interface
+										# for Admin API clients
+	#admin_mode = "bind"
+	#admin_address = "ipc:///tmp/janus-admin.ipc"
+}
diff --git a/overlay/etc/janus/janus.transport.pfunix.jcfg b/overlay/etc/janus/janus.transport.pfunix.jcfg
new file mode 100644
index 0000000..d208982
--- /dev/null
+++ b/overlay/etc/janus/janus.transport.pfunix.jcfg
@@ -0,0 +1,23 @@
+# You can also control a Janus instance using Unix Sockets. The only
+# aspect you need to configure here is the path of the Unix Sockets
+# server. Notice that by default the interface is disabled, as you need
+# to specify the path(s) to bind to for the API(s).
+general: {
+	enabled = false					# Whether to enable the Unix Sockets interface
+									# for Janus API clients
+	#events = true					# Whether to notify event handlers about transport events (default=true)
+	json = "indented"				# Whether the JSON messages should be indented (default),
+									# plain (no indentation) or compact (no indentation and no spaces)
+	#path = "/path/to/ux-janusapi"	# Path to bind to (Janus API)
+	#type = "SOCK_SEQPACKET"		# SOCK_SEQPACKET (default) or SOCK_DGRAM?
+}
+
+# As with other transport plugins, you can use Unix Sockets to interact
+# with the Admin API as well: in case you're interested in it, a different
+# path needs to be provided.
+admin: {
+	admin_enabled = false					# Whether to enable the Unix Sockets interface
+											# for Admin API clients
+	#admin_path = "/path/to/ux-janusadmin"	# Path to bind to (Admin API)
+	#admin_type = "SOCK_SEQPACKET"			# SOCK_SEQPACKET (default) or SOCK_DGRAM?
+}
diff --git a/overlay/etc/janus/janus.transport.rabbitmq.jcfg b/overlay/etc/janus/janus.transport.rabbitmq.jcfg
new file mode 100644
index 0000000..6656738
--- /dev/null
+++ b/overlay/etc/janus/janus.transport.rabbitmq.jcfg
@@ -0,0 +1,64 @@
+# Configuration of the RabbitMQ additional transport for the Janus API.
+# This is only useful when you're wrapping Janus requests in your server
+# application, and handling the communication with clients your own way.
+# At the moment, only a single "application" can be handled at the same
+# time, meaning that Janus won't implement multiple queues to handle
+# multiple concurrent "application servers" taking advantage of its
+# features. Support for this is planned, though (e.g., through some kind
+# of negotiation to create queues on the fly). Right now, you can only
+# configure the address of the RabbitMQ server to use, and the queues to
+# make use of to receive (to-janus) and send (from-janus) messages
+# from/to an external application. If you're using the same RabbitMQ
+# server instance for multiple Janus instances, make sure you configure
+# different queues for each of them (e.g., from-janus-1/to-janus-1 and
+# from-janus-2/to-janus-2), or otherwise both the instances will make
+# use of the same queues and messages will get lost. The integration
+# is disabled by default, so set enabled=true if you want to use it.
+general: {
+	enabled = false						# Whether the support must be enabled
+	#events = true						# Whether to notify event handlers about transport events (default=true)
+	json = "indented"					# Whether the JSON messages should be indented (default),
+										# plain (no indentation) or compact (no indentation and no spaces)
+	host = "localhost"					# The address of the RabbitMQ server
+	#port = 5672						# The port of the RabbitMQ server (5672 by default)
+	#username = "guest"					# Username to use to authenticate, if needed
+	#password = "guest"					# Password to use to authenticate, if needed
+	#vhost = "/"						# Virtual host to specify when logging in, if needed
+
+	#janus_exchange = "janus-exchange"	# Exchange for outgoing messages, using default if not provided
+	#janus_exchange_type = "fanout"		# Rabbitmq exchange_type can be one of the available types: direct, topic, headers and fanout (fanout by defualt).
+	#queue_name = "janus-gateway"		# Queue name for incoming messages (if set and janus_exchange_type is topic/direct, to_janus will be the routing key the queue is bound to the exchange on)
+	to_janus = "to-janus"				# Name of the queue for incoming messages if queue_name isn't set, otherwise, the routing key that queue_name is bound to
+	from_janus = "from-janus"			# Routing key of the message sent from janus (as well as the name of the outgoing queue if declare_outgoing_queue = true)
+	#declare_outgoing_queue = true		# By default (for backwards compatibility), we declare an outgoing queue. Set this to false to disable that behavior
+	#queue_durable = false				# Whether or not incoming queue should remain after a RabbitMQ reboot
+	#queue_autodelete = false			# Whether or not incoming queue should autodelete after janus disconnects from RabbitMQ
+	#queue_exclusive = false			# Whether or not incoming queue should only allow one subscriber
+	#heartbeat = 60 				# Defines the seconds without communication that should pass before considering the TCP connection unreachable.
+
+	#ssl_enabled = false				# Whether ssl support must be enabled
+	#ssl_verify_peer = true				# Whether peer verification must be enabled
+	#ssl_verify_hostname = true			# Whether hostname verification must be enabled
+
+	# Certificates to use when SSL support is enabled, if needed
+	#ssl_cacert = "/path/to/cacert.pem"
+	ssl_cert = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+	ssl_key = "/etc/ssl/private/ssl-cert-snakeoil.key"
+}
+
+# If you want to expose the Admin API via RabbitMQ as well, you need to
+# specify a different set of queues, as you cannot mix Janus API and
+# Admin API messaging. The same RabbitMQ server is supposed to be used.
+# Notice that by default the Admin API support via RabbitMQ is disabled.
+admin: {
+	#admin_enabled = false						# Whether the support must be enabled
+
+	#queue_name_admin = "janus-gateway-admin"	# Queue name for incoming admin messages (if set and janus_exchange_type is topic/direct, to_janus_admin will be the the routing key the queue is bound to the exchange on)
+	#to_janus_admin = "to-janus-admin"			# Name of the queue for incoming messages if queue_name_admin isn't set, otherwise, the routing key that queue_name_admin is bound to
+	#from_janus_admin = "from-janus-admin"		# Routing key of the message sent from janus  (as well as the name of the outgoing queue if declare_outgoing_queue_admin = true)
+	#declare_outgoing_queue_admin = true		# By default (for backwards compatibility), we declare an outgoing queue. Set this to false to disable that behavior
+	#queue_durable_admin = false				# Whether or not incoming queue should remain after a RabbitMQ reboot
+	#queue_autodelete_admin = false				# Whether or not incoming queue should autodelete after janus disconnects from RabbitMQ
+	#queue_exclusive_admin = false				# Whether or not incoming queue should only allow one subscriber
+
+}
diff --git a/overlay/etc/janus/janus.transport.websockets.jcfg b/overlay/etc/janus/janus.transport.websockets.jcfg
new file mode 100644
index 0000000..182bbea
--- /dev/null
+++ b/overlay/etc/janus/janus.transport.websockets.jcfg
@@ -0,0 +1,68 @@
+# WebSockets stuff: whether they should be enabled, which ports they
+# should use, and so on.
+general: {
+	#events = true					# Whether to notify event handlers about transport events (default=true)
+	json = "indented"				# Whether the JSON messages should be indented (default),
+									# plain (no indentation) or compact (no indentation and no spaces)
+	#pingpong_trigger = 30			# After how many seconds of idle, a PING should be sent
+	#pingpong_timeout = 10			# After how many seconds of not getting a PONG, a timeout should be detected
+
+	ws = true						# Whether to enable the WebSockets API
+	ws_port = 8188					# WebSockets server port
+	ws_interface = "lo" # HAND-EDIT	# Whether we should bind this server to a specific interface only
+	#ws_ip = "192.168.0.1"			# Whether we should bind this server to a specific IP address only
+	#ws_unix = "/run/ws.sock"		# Use WebSocket server over UNIX socket instead of TCP
+	wss = false						# Whether to enable secure WebSockets
+	#wss_port = 8989				# WebSockets server secure port, if enabled
+	#wss_interface = "eth0"			# Whether we should bind this server to a specific interface only
+	#wss_ip = "192.168.0.1"			# Whether we should bind this server to a specific IP address only
+	#wss_unix = "/run/wss.sock"		# Use WebSocket server over UNIX socket instead of TCP
+	#ws_logging = "err,warn"		# libwebsockets debugging level as a comma separated list of things
+									# to debug, supported values: err, warn, notice, info, debug, parser,
+									# header, ext, client, latency, user, count (plus 'none' and 'all')
+	#ws_acl = "127.,192.168.0."		# Only allow requests coming from this comma separated list of addresses
+}
+
+# If you want to expose the Admin API via WebSockets as well, you need to
+# specify a different server instance, as you cannot mix Janus API and
+# Admin API messaging. Notice that by default the Admin API support via
+# WebSockets is disabled.
+admin: {
+	admin_ws = false					# Whether to enable the Admin API WebSockets API
+	admin_ws_port = 7188				# Admin API WebSockets server port, if enabled
+	#admin_ws_interface = "eth0"		# Whether we should bind this server to a specific interface only
+	#admin_ws_ip = "192.168.0.1"		# Whether we should bind this server to a specific IP address only
+	#admin_ws_unix = "/run/aws.sock"	# Use WebSocket server over UNIX socket instead of TCP
+	admin_wss = false					# Whether to enable the Admin API secure WebSockets
+	#admin_wss_port = 7989				# Admin API WebSockets server secure port, if enabled
+	#admin_wss_interface = "eth0"		# Whether we should bind this server to a specific interface only
+	#admin_wss_ip = "192.168.0.1"		# Whether we should bind this server to a specific IP address only
+	#admin_wss_unix = "/run/awss.sock"	# Use WebSocket server over UNIX socket instead of TCP
+	#admin_ws_acl = "127.,192.168.0."	# Only allow requests coming from this comma separated list of addresses
+}
+
+# The HTTP servers created in Janus support CORS out of the box, but by
+# default they return a wildcard (*) in the 'Access-Control-Allow-Origin'
+# header. This works fine in most situations, except when we have to
+# respond to a credential request (withCredentials=true in the XHR). If
+# you need that, uncomment and set the 'allow_origin' below to specify
+# what must be returned in 'Access-Control-Allow-Origin'. More details:
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
+# In case you want to enforce the Origin validation, rather than leave
+# it to browsers, you can set 'enforce_cors' to 'true' to have Janus
+# return a '403 Forbidden' for all requests that don't comply.
+cors: {
+	#allow_origin = "http://foo.example"
+	#enforce_cors = true
+}
+
+# Certificate and key to use for any secure WebSocket server, if enabled (and passphrase if needed).
+# You can also disable insecure protocols and ciphers by configuring the
+# 'ciphers' property accordingly (no limitation by default).
+# Examples of recommended cipher strings at https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html
+certificates: {
+	cert_pem = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+	cert_key = "/etc/ssl/private/ssl-cert-snakeoil.key"
+	#cert_pwd = "secretpassphrase"
+	#ciphers = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
+}
diff --git a/overlay/etc/nats-server.conf b/overlay/etc/nats-server.conf
new file mode 100644
index 0000000..2366f33
--- /dev/null
+++ b/overlay/etc/nats-server.conf
@@ -0,0 +1,2 @@
+host: 127.0.0.1
+port: 4222
diff --git a/overlay/usr/bin/turnserver b/overlay/usr/bin/turnserver
new file mode 100755
index 0000000..cca3fe3
Binary files /dev/null and b/overlay/usr/bin/turnserver differ
diff --git a/overlay/usr/sbin/nats-server b/overlay/usr/sbin/nats-server
new file mode 100755
index 0000000..faab313
Binary files /dev/null and b/overlay/usr/sbin/nats-server differ