[__jitsi_meet*] Add parameters for secure domains

This is done with slight adaptations from the official guide at
https://jitsi.github.io/handbook/docs/devops-guide/secure-domain

Amongst other changes, we rely on Prosody's configuration parser only overwriting the parts of a VirtualHost that are explicitly specified in "later appearing" (lexicographically speaking) files.
This allows us to let Jitsi manage the main config file and adding the few customisations on top of it.
We also use the Plaintext authenticator as this is enough atm and is the easiest to manage in an idempotent fashion; support for other authentication mechanisms is possible, see Prosody's documentation for that.

type/__jitsi_meet/gencode-remote

@@ -3,3 +3,10 @@
 if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
 	echo "service nginx reload"
 fi
+
+JITSI_HOST="${__object_id}"
+if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua)" "${__messages_in}"; then
+  echo "systemctl restart prosody"
+  echo "systemctl restart jicofo"
+  echo "systemctl restart jitsi-videobridge2"
+fi

type/__jitsi_meet/manifest

@@ -141,6 +141,32 @@ server {
 }
 EOF
 
+if [ -f "${__object}/parameter/secured-domains" ]; then
+  SECURED_DOMAINS_STATE='present'
+  SECURED_DOMAINS_STATE_JICOFO='replace'
+else
+  SECURED_DOMAINS_STATE='absent'
+  SECURED_DOMAINS_STATE_JICOFO='absent'
+fi
+
+__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
+  --owner prosody --group prosody --mode 0440 \
+  --state ${SECURED_DOMAINS_STATE} \
+  --source - <<EOF
+VirtualHost "${JITSI_HOST}"
+    authentication = "internal_plain"
+
+VirtualHost "guest.${JITSI_HOST}"
+    authentication = "anonymous"
+    c2s_require_encryption = false
+EOF
+
+__line jitsi_jicofo_secured_domains \
+  --file /etc/jitsi/jicofo/sip-communicator.properties \
+  --line "org.jitsi.jicofo.auth.URL=XMPP:${JITSI_HOST}" \
+  --regex "org.jitsi.jicofo.auth.URL=" \
+  --state ${SECURED_DOMAINS_STATE_JICOFO}
+
 # These two should be changed on new release
 PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5"
 PROMETHEUS_JITSI_EXPORTER_CHECKSUM="sha256:3ddf43a48d9a2f62be1bc6db9e7ba75d61994f9423e5c5b28be019f41f06f745"

type/__jitsi_meet/parameter/boolean

@@ -1 +1,2 @@
 disable-prometheus-exporter
+secured-domains

type/__jitsi_meet_domain/boolean

@@ -0,0 +1 @@
+secured-domains

type/__jitsi_meet_domain/files/config.js.sh

@@ -13,7 +13,14 @@ var config = {
         domain: '${JITSI_HOST}',
 
         // When using authentication, domain for guest users.
+$( if [ -n "${SECURED_DOMAINS}" ]; then cat<<EOF2
+        anonymousdomain: 'guest.${JITSI_HOST}',
+EOF2
+else cat <<EOF2
         // anonymousdomain: 'guest.example.com',
+EOF2
+fi
+)
 
         // Domain for authenticated users. Defaults to <domain>.
         // authdomain: '${JITSI_HOST}',

type/__jitsi_meet_domain/manifest

@@ -32,6 +32,9 @@ fi
 if [ -f "${__object}/parameter/disable-audio-levels" ]; then
 	DISABLE_AUDIO_LEVELS="YES"
 fi
+if [ -f "${__object}/parameter/secured-domains" ]; then
+	SECURED_DOMAINS="YES"
+fi
 
 if [ -z "${TURN_SERVER}" ]; then
 	TURN_SERVER="${__target_host}"

type/__jitsi_meet_domain/parameter/boolean

@@ -1,2 +1,3 @@
 disable-audio-levels
 enable-third-party-requests
+secured-domains

type/__jitsi_meet_user/man.rst

@@ -0,0 +1,54 @@
+cdist-type__jitsi_meet_user(7)
+=================================
+
+NAME
+----
+cdist-type__jitsi_meet_user - Setup users when using jitsi_meet instance with secure domain configuration
+
+DESCRIPTION
+-----------
+This type just places a file with a user and a password (plaintext) that will be used in a jitsi-meet instance with `secure domain configuration https://jitsi.github.io/handbook/docs/devops-guide/secure-domain`. There is a different from the official approach: to have an `internal_plain` authentication method to facilitate the auth management. That user will be able to create and join rooms on that instance as a moderator.
+
+You will also need to setup first the `__jitsi_meet_domain` and `__jitsi_meet` types.
+
+This type only works on De{bi,vu}an systems.
+
+REQUIRED PARAMETERS
+-------------------
+object id
+    The user that will be able to authenticate against a Jitsi-Meet instance with secure domain configuration
+
+passwd
+    The user's password in plaintext (beware that it is also stored as plaintext in the server)
+
+OPTIONAL PARAMETERS
+-------------------
+state
+    If user should be (default) present or absent
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Setup a Jitsi user for secure domain configuration
+    __jitsi_meet_user "user_1" --password "WeNeedGoodSecurity"
+
+SEE ALSO
+--------
+- `__jitsi_meet`
+- `__jitsi_meet_domain`
+
+
+AUTHORS
+-------
+Pedro <pedrodocs2021@cas.cat>
+Evilham <contact@evilham.com>
+
+COPYING
+-------
+Copyright \(C) 2021 Pedro. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+Copyright \(C) 2021 Evilham

type/__jitsi_meet_user/manifest

@@ -0,0 +1,15 @@
+#!/bin/sh -e
+
+PASSWD="$(cat "${__object}/parameter/password")"
+STATE="$(cat "${__object}/parameter/state")"
+
+USER="${__object_id}"
+FQDN="$(echo "${__target_host}" | sed 's/\./%2e/g' | sed 's/-/%2d/g')"
+FILENAME="/var/lib/prosody/${FQDN}/accounts/${USER}.dat"
+
+__file "${FILENAME}" --owner prosody --group prosody --mode 0440 \
+  --state "${STATE}" --source - <<EOF
+return {
+	["password"] = "${PASSWD}";
+};
+EOF

type/__jitsi_meet_user/parameter/default/state

@@ -0,0 +1 @@
+present

type/__jitsi_meet_user/parameter/optional

@@ -0,0 +1 @@
+state

type/__jitsi_meet_user/parameter/required

@@ -0,0 +1 @@
+password