Merge branch 'jitsi_secured_domains' into 'master'

See merge request ungleich-public/cdist-contrib!34
2021-05-10 16:40:47 +02:00 · 2021-05-10 16:40:47 +02:00 · a90c8b18e5
commit a90c8b18e5
parent ccd3f364e4 87bc766115
12 changed files with 118 additions and 0 deletions
--- a/type/__jitsi_meet/gencode-remote
+++ b/type/__jitsi_meet/gencode-remote
@ -3,3 +3,10 @@
 if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
 	echo "service nginx reload"
 fi
+
+JITSI_HOST="${__object_id}"
+if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua)" "${__messages_in}"; then
+  echo "systemctl restart prosody"
+  echo "systemctl restart jicofo"
+  echo "systemctl restart jitsi-videobridge2"
+fi
--- a/type/__jitsi_meet/manifest
+++ b/type/__jitsi_meet/manifest
@ -141,6 +141,32 @@ server {
 }
 EOF

+if [ -f "${__object}/parameter/secured-domains" ]; then
+  SECURED_DOMAINS_STATE='present'
+  SECURED_DOMAINS_STATE_JICOFO='replace'
+else
+  SECURED_DOMAINS_STATE='absent'
+  SECURED_DOMAINS_STATE_JICOFO='absent'
+fi
+
+__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
+  --owner prosody --group prosody --mode 0440 \
+  --state ${SECURED_DOMAINS_STATE} \
+  --source - <<EOF
+VirtualHost "${JITSI_HOST}"
+    authentication = "internal_plain"
+
+VirtualHost "guest.${JITSI_HOST}"
+    authentication = "anonymous"
+    c2s_require_encryption = false
+EOF
+
+__line jitsi_jicofo_secured_domains \
+  --file /etc/jitsi/jicofo/sip-communicator.properties \
+  --line "org.jitsi.jicofo.auth.URL=XMPP:${JITSI_HOST}" \
+  --regex "org.jitsi.jicofo.auth.URL=" \
+  --state ${SECURED_DOMAINS_STATE_JICOFO}
+
 # These two should be changed on new release
 PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5"
 PROMETHEUS_JITSI_EXPORTER_CHECKSUM="sha256:3ddf43a48d9a2f62be1bc6db9e7ba75d61994f9423e5c5b28be019f41f06f745"
--- a/type/__jitsi_meet/parameter/boolean
+++ b/type/__jitsi_meet/parameter/boolean
@ -1 +1,2 @@
 disable-prometheus-exporter
+secured-domains
--- a/type/__jitsi_meet_domain/boolean
+++ b/type/__jitsi_meet_domain/boolean
@ -0,0 +1 @@
+secured-domains
--- a/type/__jitsi_meet_domain/files/config.js.sh
+++ b/type/__jitsi_meet_domain/files/config.js.sh
@ -13,7 +13,14 @@ var config = {
        domain: '${JITSI_HOST}',

        // When using authentication, domain for guest users.
+$( if [ -n "${SECURED_DOMAINS}" ]; then cat<<EOF2
+        anonymousdomain: 'guest.${JITSI_HOST}',
+EOF2
+else cat <<EOF2
        // anonymousdomain: 'guest.example.com',
+EOF2
+fi
+)

        // Domain for authenticated users. Defaults to <domain>.
        // authdomain: '${JITSI_HOST}',
--- a/type/__jitsi_meet_domain/manifest
+++ b/type/__jitsi_meet_domain/manifest
@ -32,6 +32,9 @@ fi
 if [ -f "${__object}/parameter/disable-audio-levels" ]; then
 	DISABLE_AUDIO_LEVELS="YES"
 fi
+if [ -f "${__object}/parameter/secured-domains" ]; then
+	SECURED_DOMAINS="YES"
+fi

 if [ -z "${TURN_SERVER}" ]; then
 	TURN_SERVER="${__target_host}"
--- a/type/__jitsi_meet_domain/parameter/boolean
+++ b/type/__jitsi_meet_domain/parameter/boolean
@ -1,2 +1,3 @@
 disable-audio-levels
 enable-third-party-requests
+secured-domains
--- a/type/__jitsi_meet_user/man.rst
+++ b/type/__jitsi_meet_user/man.rst
@ -0,0 +1,54 @@
+cdist-type__jitsi_meet_user(7)
+=================================
+
+NAME
+----
+cdist-type__jitsi_meet_user - Setup users when using jitsi_meet instance with secure domain configuration
+
+DESCRIPTION
+-----------
+This type just places a file with a user and a password (plaintext) that will be used in a jitsi-meet instance with `secure domain configuration https://jitsi.github.io/handbook/docs/devops-guide/secure-domain`. There is a different from the official approach: to have an `internal_plain` authentication method to facilitate the auth management. That user will be able to create and join rooms on that instance as a moderator.
+
+You will also need to setup first the `__jitsi_meet_domain` and `__jitsi_meet` types.
+
+This type only works on De{bi,vu}an systems.
+
+REQUIRED PARAMETERS
+-------------------
+object id
+    The user that will be able to authenticate against a Jitsi-Meet instance with secure domain configuration
+
+passwd
+    The user's password in plaintext (beware that it is also stored as plaintext in the server)
+
+OPTIONAL PARAMETERS
+-------------------
+state
+    If user should be (default) present or absent
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Setup a Jitsi user for secure domain configuration
+    __jitsi_meet_user "user_1" --password "WeNeedGoodSecurity"
+
+SEE ALSO
+--------
+- `__jitsi_meet`
+- `__jitsi_meet_domain`
+
+
+AUTHORS
+-------
+Pedro <pedrodocs2021@cas.cat>
+Evilham <contact@evilham.com>
+
+COPYING
+-------
+Copyright \(C) 2021 Pedro. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+Copyright \(C) 2021 Evilham
--- a/type/__jitsi_meet_user/manifest
+++ b/type/__jitsi_meet_user/manifest
@ -0,0 +1,15 @@
+#!/bin/sh -e
+
+PASSWD="$(cat "${__object}/parameter/password")"
+STATE="$(cat "${__object}/parameter/state")"
+
+USER="${__object_id}"
+FQDN="$(echo "${__target_host}" | sed 's/\./%2e/g' | sed 's/-/%2d/g')"
+FILENAME="/var/lib/prosody/${FQDN}/accounts/${USER}.dat"
+
+__file "${FILENAME}" --owner prosody --group prosody --mode 0440 \
+  --state "${STATE}" --source - <<EOF
+return {
+	["password"] = "${PASSWD}";
+};
+EOF
--- a/type/__jitsi_meet_user/parameter/default/state
+++ b/type/__jitsi_meet_user/parameter/default/state
@ -0,0 +1 @@
+present
--- a/type/__jitsi_meet_user/parameter/optional
+++ b/type/__jitsi_meet_user/parameter/optional
@ -0,0 +1 @@
+state
--- a/type/__jitsi_meet_user/parameter/required
+++ b/type/__jitsi_meet_user/parameter/required
@ -0,0 +1 @@
+password