[__jitsi_meet] Unconfuse jitsi-version and secured domains

Closes #14 by committing to keeping the package up to date as promptly as
possible; else weird  things happen and there are no real good solutions for
this.  E.g. we have seen in the past that due to security issues, a jitsi
dependency  needs to be upgraded, but some package that jitsi-meet depends upon
also has an upper limit on that package's version.

A note was added to the manpage in order make it explicit that maintenance of
this type can be sponsored to ensure its proper functioning.

Closes #15 by using `__file`. This will also allow us to have more control over
jicofo's settings, which might be important when we start doing recordings.

Sponsored by:	lafede.cat
This commit is contained in:
evilham 2022-04-10 19:45:08 +02:00
parent af04f7464b
commit fa37ede84f
Signed by untrusted user: evilham
GPG key ID: AE3EE30D970886BF
6 changed files with 67 additions and 29 deletions

View file

@ -0,0 +1,34 @@
#!/bin/sh -eu
# Start
cat <<EOF
# Managed remotely, changes will be lost
# Jicofo HOCON configuration. See /usr/share/jicofo/jicofo.jar/reference.conf for
#available options, syntax, and default values.
jicofo {
xmpp: {
client: {
client-proxy: focus.${JITSI_HOST:?}
}
trusted-domains: [ "recorder.${JITSI_HOST:?}" ]
}
bridge: {
brewery-jid: "JvbBrewery@internal.auth.${JITSI_HOST:?}"
}
EOF
# Secured domains if needed
if [ "${SECURED_DOMAINS_STATE:?}" = "present" ]; then
cat <<EOF
authentication: {
enabled: true
type: XMPP
login-url: ${JITSI_HOST:?}
}
EOF
fi
# End
echo '}'

View file

@ -5,7 +5,7 @@ if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
fi
JITSI_HOST="${__object_id}"
if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua)" "${__messages_in}"; then
if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua|__file/etc/jitsi/jicofo/jicofo.conf)" "${__messages_in}"; then
echo "systemctl restart prosody"
echo "systemctl restart jicofo"
echo "systemctl restart jitsi-videobridge2"

View file

@ -28,6 +28,15 @@ You should apply your own rules here.
This type only works on De{bi,vu}an systems.
It is very important for this type to stay up to date with the software, as
otherwise new deployments or maintenance of existing instances might be
negatively affected.
If you can, please contribute updates to `__jitsi_meet` and
`__jitsi_meet_domain` promptly and regularly.
Alternatively, you can help finance that work; get in touch with the type
authors for that (see below).
NOTE: This type currently does not deal with setting up coturn.
For that, you might want to check `__coturn` in
https://code.ungleich.ch/ungleich-public/cdist-contrib
@ -43,11 +52,6 @@ turn-server
The hostname of the TURN server.
This will assume that it is listening with TLS on port 443.
jitsi-version
The jitsi-meet version of the Debian package to be installed.
While this can be specified, only the default value is known to work
properly with this type.
BOOLEAN PARAMETERS
------------------
@ -70,7 +74,7 @@ EXAMPLES
.. code-block:: sh
# Setup the firewall
# Setup the firewall
. "${__global}/type/__jitsi_meet/files/ufw"
export require="__ufw"
# Setup Jitsi on this host
@ -92,4 +96,4 @@ Evilham <contact@evilham.com>
COPYING
-------
Copyright \(C) 2021 Evilham.
Copyright \(C) 2022 Evilham.

View file

@ -13,8 +13,13 @@ esac
JITSI_HOST="${__target_host}"
# Currently unused, see below
# JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
if [ -f "${__object}/parameter/jitsi-version" ]; then
# This has been deprecated and will be removed 'soon'
JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
else
# Note this won't be a parameter anymore, we won't let users stay behind
JITSI_VERSION="$(cat "${__type}/files/jitsi-version")"
fi
TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
TURN_SECRET="$(cat "${__object}/parameter/turn-secret")"
@ -55,11 +60,12 @@ __debconf_set_selections jitsi_meet --line "${DEBCONF_SETTINGS}"
export require="${require} __debconf_set_selections/jitsi_meet"
# Install and upgrade packages as needed
__package_apt jitsi-meet
# We are not doing version pinning anymore because it breaks when
# the version is not the latest.
# This happens because dependencies cannot be properly resolved.
# --version "${JITSI_VERSION}"
# NOTE: we are doing version pinning again, but it breaks sometimes when
# the version is not the latest.
# This happens because dependencies might not be properly resolved.
# To avoid this, this type must be maintained up to date.
# If we don't use this, keeping Jitsi's up to date is very difficult.
__package_apt jitsi-meet --version "${JITSI_VERSION}"
# Proceed only after installation/upgrade has finished
export require="__package_apt/jitsi-meet"
@ -151,10 +157,8 @@ EOF
if [ -f "${__object}/parameter/secured-domains" ]; then
SECURED_DOMAINS_STATE='present'
SECURED_DOMAINS_STATE_JICOFO='present'
else
SECURED_DOMAINS_STATE='absent'
SECURED_DOMAINS_STATE_JICOFO='absent'
fi
__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
@ -169,18 +173,10 @@ VirtualHost "guest.${JITSI_HOST}"
c2s_require_encryption = false
EOF
__block jitsi_jicofo_secured_domains \
--prefix "// begin cdist: jicofo_secured_domains" \
--suffix "// end cdist: jicofo_secured_domains" \
--file /etc/jitsi/jicofo/jicofo.conf \
--state "${SECURED_DOMAINS_STATE_JICOFO}" \
--text '-' <<EOF
authentication: {
enabled: true
type: XMPP
login-url: ${JITSI_HOST}
}
EOF
export SECURED_DOMAINS_STATE
export JITSI_HOST
"${__type}/files/jicofo.conf.sh" | \
__file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-'
# These two should be changed on new release
PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5"

View file

@ -0,0 +1,4 @@
Supporting different versions lead to strange issues in the life-time of a
Jitsi instance. Chiefly: difficulties upgrading.
If you are specifying this for a valid reason, please get in touch.