From 797f7c864814f69d0a138b3f415acfd4ca539121 Mon Sep 17 00:00:00 2001 From: Evilham Date: Sun, 8 May 2022 21:47:26 +0200 Subject: [PATCH] [__jitsi_meet] Improve manpage regarding ufw and SSH This documents the fact that this type does not make decisions about anything other than Jitsi-Meet itself and therefore care should be taken with the SSH port. Related to: https://code.ungleich.ch/ungleich-public/cdist-contrib/pulls/23 Reported by: @pedro --- type/__jitsi_meet/man.rst | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/type/__jitsi_meet/man.rst b/type/__jitsi_meet/man.rst index 876c218..03a4a35 100644 --- a/type/__jitsi_meet/man.rst +++ b/type/__jitsi_meet/man.rst @@ -21,10 +21,10 @@ You will also need the `__jitsi_meet_domain` type in order to finish setting up the web frontend (including TLS certificates) and its settings. You may want to use the `files/ufw` example manifest for a `__ufw`-based -firewall compatible with this type. -This file does not include rules for TCP port 9888, which exposes the -prometheus exporter if not disabled. -You should apply your own rules here. +firewall compatible with this type that allows all ports needed by Jitsi-Meet. +Note however that this will not deal with rules for SSH or for TCP port 9888, +which exposes the prometheus exporter if not disabled. +Remember to apply your own rules here, particularly regarding SSH. This type only works on De{bi,vu}an systems. @@ -76,9 +76,11 @@ EXAMPLES .. code-block:: sh - # Setup the firewall + # Setup the firewall for Jitsi-Meet . "${__global}/type/__jitsi_meet/files/ufw" export require="__ufw" + # Setup firewall SSH rules as necessary + __ufw_rule ssh --rule 'allow 22/tcp from 10.0.0.0/24' # Setup Jitsi on this host __jitsi_meet \ --turn-server "turn.exo.cat" \
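Review bot: In the description hunk (@@ -21,10 +21,10 @@), the closing sentence "Remember to apply your own rules here, particularly regarding SSH." does not say where "here" is or why SSH is singled out. A reader cannot tell whether to edit `files/ufw` or to add rules in their own manifest, and the risk of losing remote access to the host once the firewall is applied is left implicit. Consider wording such as "Add your own `__ufw_rule` entries in your manifest for SSH (so you do not lock yourself out) and, if the exporter is enabled, for TCP port 9888." It would also help to say whether the SSH rule has to be in place before the example manifest takes effect.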
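Review bot: In the EXAMPLES hunk (@@ -76,9 +76,11 @@), the added line `__ufw_rule ssh --rule 'allow 22/tcp from 10.0.0.0/24'` mixes ufw's short form (`allow 22/tcp`) with a source restriction, which ufw normally expects in its full form, for example `allow proto tcp from 10.0.0.0/24 to any port 22`. Please verify that the rule string as written is accepted, since a rejected rule in the example meant to prevent SSH lockout would defeat its purpose. The port and source network are also presented without being marked as placeholders; extending the comment to "adapt port and source network to your setup" would keep readers from copying a rule that does not match how they reach the host.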