Merge branch 'jitsi_secured_domains' into 'master'

See merge request ungleich-public/cdist-contrib!34
This commit is contained in:
evilham 2021-05-10 16:40:47 +02:00
commit a90c8b18e5
12 changed files with 118 additions and 0 deletions

View file

@ -3,3 +3,10 @@
if grep -qE "^__file/etc/nginx" "${__messages_in}"; then if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
echo "service nginx reload" echo "service nginx reload"
fi fi
JITSI_HOST="${__object_id}"
if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua)" "${__messages_in}"; then
echo "systemctl restart prosody"
echo "systemctl restart jicofo"
echo "systemctl restart jitsi-videobridge2"
fi

View file

@ -141,6 +141,32 @@ server {
} }
EOF EOF
if [ -f "${__object}/parameter/secured-domains" ]; then
SECURED_DOMAINS_STATE='present'
SECURED_DOMAINS_STATE_JICOFO='replace'
else
SECURED_DOMAINS_STATE='absent'
SECURED_DOMAINS_STATE_JICOFO='absent'
fi
__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
--owner prosody --group prosody --mode 0440 \
--state ${SECURED_DOMAINS_STATE} \
--source - <<EOF
VirtualHost "${JITSI_HOST}"
authentication = "internal_plain"
VirtualHost "guest.${JITSI_HOST}"
authentication = "anonymous"
c2s_require_encryption = false
EOF
__line jitsi_jicofo_secured_domains \
--file /etc/jitsi/jicofo/sip-communicator.properties \
--line "org.jitsi.jicofo.auth.URL=XMPP:${JITSI_HOST}" \
--regex "org.jitsi.jicofo.auth.URL=" \
--state ${SECURED_DOMAINS_STATE_JICOFO}
# These two should be changed on new release # These two should be changed on new release
PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5" PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5"
PROMETHEUS_JITSI_EXPORTER_CHECKSUM="sha256:3ddf43a48d9a2f62be1bc6db9e7ba75d61994f9423e5c5b28be019f41f06f745" PROMETHEUS_JITSI_EXPORTER_CHECKSUM="sha256:3ddf43a48d9a2f62be1bc6db9e7ba75d61994f9423e5c5b28be019f41f06f745"

View file

@ -1 +1,2 @@
disable-prometheus-exporter disable-prometheus-exporter
secured-domains

View file

@ -0,0 +1 @@
secured-domains

View file

@ -13,7 +13,14 @@ var config = {
domain: '${JITSI_HOST}', domain: '${JITSI_HOST}',
// When using authentication, domain for guest users. // When using authentication, domain for guest users.
$( if [ -n "${SECURED_DOMAINS}" ]; then cat<<EOF2
anonymousdomain: 'guest.${JITSI_HOST}',
EOF2
else cat <<EOF2
// anonymousdomain: 'guest.example.com', // anonymousdomain: 'guest.example.com',
EOF2
fi
)
// Domain for authenticated users. Defaults to <domain>. // Domain for authenticated users. Defaults to <domain>.
// authdomain: '${JITSI_HOST}', // authdomain: '${JITSI_HOST}',

View file

@ -32,6 +32,9 @@ fi
if [ -f "${__object}/parameter/disable-audio-levels" ]; then if [ -f "${__object}/parameter/disable-audio-levels" ]; then
DISABLE_AUDIO_LEVELS="YES" DISABLE_AUDIO_LEVELS="YES"
fi fi
if [ -f "${__object}/parameter/secured-domains" ]; then
SECURED_DOMAINS="YES"
fi
if [ -z "${TURN_SERVER}" ]; then if [ -z "${TURN_SERVER}" ]; then
TURN_SERVER="${__target_host}" TURN_SERVER="${__target_host}"

View file

@ -1,2 +1,3 @@
disable-audio-levels disable-audio-levels
enable-third-party-requests enable-third-party-requests
secured-domains

View file

@ -0,0 +1,54 @@
cdist-type__jitsi_meet_user(7)
=================================
NAME
----
cdist-type__jitsi_meet_user - Setup users when using jitsi_meet instance with secure domain configuration
DESCRIPTION
-----------
This type just places a file with a user and a password (plaintext) that will be used in a jitsi-meet instance with `secure domain configuration https://jitsi.github.io/handbook/docs/devops-guide/secure-domain`. There is a different from the official approach: to have an `internal_plain` authentication method to facilitate the auth management. That user will be able to create and join rooms on that instance as a moderator.
You will also need to setup first the `__jitsi_meet_domain` and `__jitsi_meet` types.
This type only works on De{bi,vu}an systems.
REQUIRED PARAMETERS
-------------------
object id
The user that will be able to authenticate against a Jitsi-Meet instance with secure domain configuration
passwd
The user's password in plaintext (beware that it is also stored as plaintext in the server)
OPTIONAL PARAMETERS
-------------------
state
If user should be (default) present or absent
EXAMPLES
--------
.. code-block:: sh
# Setup a Jitsi user for secure domain configuration
__jitsi_meet_user "user_1" --password "WeNeedGoodSecurity"
SEE ALSO
--------
- `__jitsi_meet`
- `__jitsi_meet_domain`
AUTHORS
-------
Pedro <pedrodocs2021@cas.cat>
Evilham <contact@evilham.com>
COPYING
-------
Copyright \(C) 2021 Pedro. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
Copyright \(C) 2021 Evilham

15
type/__jitsi_meet_user/manifest Executable file
View file

@ -0,0 +1,15 @@
#!/bin/sh -e
PASSWD="$(cat "${__object}/parameter/password")"
STATE="$(cat "${__object}/parameter/state")"
USER="${__object_id}"
FQDN="$(echo "${__target_host}" | sed 's/\./%2e/g' | sed 's/-/%2d/g')"
FILENAME="/var/lib/prosody/${FQDN}/accounts/${USER}.dat"
__file "${FILENAME}" --owner prosody --group prosody --mode 0440 \
--state "${STATE}" --source - <<EOF
return {
["password"] = "${PASSWD}";
};
EOF

View file

@ -0,0 +1 @@
present

View file

@ -0,0 +1 @@
state

View file

@ -0,0 +1 @@
password