[__jitsi_meet*] Add parameters for secure domains

This is done with slight adaptations from the official guide at
https://jitsi.github.io/handbook/docs/devops-guide/secure-domain

Amongst other changes, we rely on Prosody's configuration parser only overwriting the parts of a VirtualHost that are explicitly specified in "later appearing" (lexicographically speaking) files.
This allows us to let Jitsi manage the main config file and adding the few customisations on top of it.
We also use the Plaintext authenticator as this is enough at the moment and is the easiest to manage in an idempotent fashion; support for other authentication mechanisms is possible, see Prosody's documentation for that.
This commit is contained in:
pedro 2021-05-10 16:40:46 +02:00 committed by Evil Ham
parent ccd3f364e4
commit 87bc766115
12 changed files with 118 additions and 0 deletions


@ -3,3 +3,10 @@
if grep -qE "^__file/etc/nginx" "${__messages_in}"; then if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
echo "service nginx reload" echo "service nginx reload"
fi fi
JITSI_HOST="${__object_id}"
if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua)" "${__messages_in}"; then
echo "systemctl restart prosody"
echo "systemctl restart jicofo"
echo "systemctl restart jitsi-videobridge2"
fi


@ -141,6 +141,32 @@ server {
} }
EOF EOF
if [ -f "${__object}/parameter/secured-domains" ]; then
SECURED_DOMAINS_STATE='present'
SECURED_DOMAINS_STATE_JICOFO='replace'
else
SECURED_DOMAINS_STATE='absent'
SECURED_DOMAINS_STATE_JICOFO='absent'
fi
__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
--owner prosody --group prosody --mode 0440 \
--state ${SECURED_DOMAINS_STATE} \
--source - <<EOF
VirtualHost "${JITSI_HOST}"
authentication = "internal_plain"
VirtualHost "guest.${JITSI_HOST}"
authentication = "anonymous"
c2s_require_encryption = false
EOF
__line jitsi_jicofo_secured_domains \
--file /etc/jitsi/jicofo/sip-communicator.properties \
--line "org.jitsi.jicofo.auth.URL=XMPP:${JITSI_HOST}" \
--regex "org.jitsi.jicofo.auth.URL=" \
--state ${SECURED_DOMAINS_STATE_JICOFO}
# These two should be changed on new release # These two should be changed on new release
PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5" PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5"
PROMETHEUS_JITSI_EXPORTER_CHECKSUM="sha256:3ddf43a48d9a2f62be1bc6db9e7ba75d61994f9423e5c5b28be019f41f06f745" PROMETHEUS_JITSI_EXPORTER_CHECKSUM="sha256:3ddf43a48d9a2f62be1bc6db9e7ba75d61994f9423e5c5b28be019f41f06f745"
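Review bot: Neither the `__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua"` object nor `__line jitsi_jicofo_secured_domains` carries a `--require` on whatever installs the jitsi packages, yet the second one edits `/etc/jitsi/jicofo/sip-communicator.properties`, which only exists once jicofo is installed; the package objects sit outside this hunk, so unless the manifest relies on ordered execution there, cdist may run these before the file exists, and a `--require` on the package object (using its real name from this manifest) would make the ordering explicit. The `--regex "org.jitsi.jicofo.auth.URL="` is unanchored and so also matches a commented-out `#org.jitsi.jicofo.auth.URL=` line, which `replace` will silently rewrite; anchoring it as `--regex "^org.jitsi.jicofo.auth.URL="` limits it to the live setting. `--state ${SECURED_DOMAINS_STATE}` and `--state ${SECURED_DOMAINS_STATE_JICOFO}` are the only unquoted expansions in the block; the values are fixed so it is harmless, but quoting them matches the rest of the file. The guest VirtualHost turning off `c2s_require_encryption` deserves a why-comment since it reads as weakening transport security, e.g. `-- per the upstream secure-domain guide: anonymous guests are expected to reach Prosody only via the local BOSH/websocket path behind the nginx TLS endpoint` (confirm that assumption against the nginx block above this hunk).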


@ -1 +1,2 @@
disable-prometheus-exporter disable-prometheus-exporter
secured-domains


@ -0,0 +1 @@
secured-domains


@ -13,7 +13,14 @@ var config = {
domain: '${JITSI_HOST}', domain: '${JITSI_HOST}',
// When using authentication, domain for guest users. // When using authentication, domain for guest users.
$( if [ -n "${SECURED_DOMAINS}" ]; then cat<<EOF2
anonymousdomain: 'guest.${JITSI_HOST}',
EOF2
else cat <<EOF2
// anonymousdomain: 'guest.example.com', // anonymousdomain: 'guest.example.com',
EOF2
fi
)
// Domain for authenticated users. Defaults to <domain>. // Domain for authenticated users. Defaults to <domain>.
// authdomain: '${JITSI_HOST}', // authdomain: '${JITSI_HOST}',
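Review bot: The `$( if … cat<<EOF2 … )` command substitution with two nested here-documents inside the outer here-document is valid but fragile: both `EOF2` terminators must stay at column 0 and the closing `)` has to sit on its own line, which is easy to break in a template. Computing the value before the outer here-document keeps the template flat, e.g. `if [ -n "${SECURED_DOMAINS}" ]; then ANONYMOUS_DOMAIN_LINE="anonymousdomain: 'guest.${JITSI_HOST}',"; else ANONYMOUS_DOMAIN_LINE="// anonymousdomain: 'guest.example.com',"; fi` and then just `${ANONYMOUS_DOMAIN_LINE}` at this spot. Also, `anonymousdomain: 'guest.${JITSI_HOST}'` only resolves when the `__jitsi_meet` object for the same host was also given `--secured-domains`, since that is what creates the `guest.` VirtualHost in Prosody; this coupling between the two types is not documented anywhere in this commit and would be worth a line in the man page of the type that owns this template (that man page is outside the diff, so I cannot tell whether it already mentions it).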


@ -32,6 +32,9 @@ fi
if [ -f "${__object}/parameter/disable-audio-levels" ]; then if [ -f "${__object}/parameter/disable-audio-levels" ]; then
DISABLE_AUDIO_LEVELS="YES" DISABLE_AUDIO_LEVELS="YES"
fi fi
if [ -f "${__object}/parameter/secured-domains" ]; then
SECURED_DOMAINS="YES"
fi
if [ -z "${TURN_SERVER}" ]; then if [ -z "${TURN_SERVER}" ]; then
TURN_SERVER="${__target_host}" TURN_SERVER="${__target_host}"


@ -1,2 +1,3 @@
disable-audio-levels disable-audio-levels
enable-third-party-requests enable-third-party-requests
secured-domains


@ -0,0 +1,54 @@
cdist-type__jitsi_meet_user(7)
=================================
NAME
----
cdist-type__jitsi_meet_user - Setup users when using jitsi_meet instance with secure domain configuration
DESCRIPTION
-----------
This type just places a file with a user and a password (plaintext) that will be used in a jitsi-meet instance with `secure domain configuration https://jitsi.github.io/handbook/docs/devops-guide/secure-domain`. There is a different from the official approach: to have an `internal_plain` authentication method to facilitate the auth management. That user will be able to create and join rooms on that instance as a moderator.
You will also need to setup first the `__jitsi_meet_domain` and `__jitsi_meet` types.
This type only works on De{bi,vu}an systems.
REQUIRED PARAMETERS
-------------------
object id
The user that will be able to authenticate against a Jitsi-Meet instance with secure domain configuration
passwd
The user's password in plaintext (beware that it is also stored as plaintext in the server)
OPTIONAL PARAMETERS
-------------------
state
If user should be (default) present or absent
EXAMPLES
--------
.. code-block:: sh
# Setup a Jitsi user for secure domain configuration
__jitsi_meet_user "user_1" --password "WeNeedGoodSecurity"
SEE ALSO
--------
- `__jitsi_meet`
- `__jitsi_meet_domain`
AUTHORS
-------
Pedro <pedrodocs2021@cas.cat>
Evilham <contact@evilham.com>
COPYING
-------
Copyright \(C) 2021 Pedro. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
Copyright \(C) 2021 Evilham

15
type/__jitsi_meet_user/manifest Executable file

@ -0,0 +1,15 @@
#!/bin/sh -e
PASSWD="$(cat "${__object}/parameter/password")"
STATE="$(cat "${__object}/parameter/state")"
USER="${__object_id}"
FQDN="$(echo "${__target_host}" | sed 's/\./%2e/g' | sed 's/-/%2d/g')"
FILENAME="/var/lib/prosody/${FQDN}/accounts/${USER}.dat"
__file "${FILENAME}" --owner prosody --group prosody --mode 0440 \
--state "${STATE}" --source - <<EOF
return {
["password"] = "${PASSWD}";
};
EOF
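Review bot: `${PASSWD}` is interpolated verbatim into the Lua string literal on the `["password"]` line, so a password containing `"` or `\` produces a malformed or altered `.dat` file; escape it before the here-document, e.g. `PASSWD="$(printf '%s' "${PASSWD}" | sed 's/[\\"]/\\&/g')"`. `${__object_id}` is likewise used unchecked as the last path component of `FILENAME`, and if Prosody's datamanager encodes every non-alphanumeric character the same way the `sed` on `FQDN` does for `.` and `-` (I believe it does, but verify against Prosody's `util/datamanager.lua`), the `user_1` from the man page example would be written as `user_1.dat` while Prosody reads `user%5f1.dat`; restricting the id to `[A-Za-z0-9]` or applying the same encoding to `USER` would settle both the lookup and the path-traversal concern. The account is also placed under `${__target_host}`, whereas the VirtualHost that `__jitsi_meet` creates is named after that object's own `__object_id`; if those two can differ, the user lands under the wrong host directory. Finally, this manifest reads `parameter/password` and the example uses `--password`, but the man page in this commit lists the parameter as `passwd`; the man page entry should read `password`.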


@ -0,0 +1 @@
present


@ -0,0 +1 @@
state


@ -0,0 +1 @@
password