Merge branch 'jitsi_secured_domains' into 'master'

See merge request ungleich-public/cdist-contrib!34
2021-05-10 16:40:47 +02:00 · 2021-05-10 16:40:47 +02:00 · a90c8b18e5
commit a90c8b18e5
parent ccd3f364e4 87bc766115
12 changed files with 118 additions and 0 deletions
--- a/type/__jitsi_meet/gencode-remote
+++ b/type/__jitsi_meet/gencode-remote
@ -3,3 +3,10 @@
 if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
 	echo "service nginx reload"
 fi
 JITSI_HOST="${__object_id}"
 if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua)" "${__messages_in}"; then
  echo "systemctl restart prosody"
  echo "systemctl restart jicofo"
  echo "systemctl restart jitsi-videobridge2"
 fi
--- a/type/__jitsi_meet/manifest
+++ b/type/__jitsi_meet/manifest
@ -141,6 +141,32 @@ server {
 }
 EOF
 if [ -f "${__object}/parameter/secured-domains" ]; then
  SECURED_DOMAINS_STATE='present'
  SECURED_DOMAINS_STATE_JICOFO='replace'
 else
  SECURED_DOMAINS_STATE='absent'
  SECURED_DOMAINS_STATE_JICOFO='absent'
 fi
 __file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
  --owner prosody --group prosody --mode 0440 \
  --state ${SECURED_DOMAINS_STATE} \
  --source - <<EOF
 VirtualHost "${JITSI_HOST}"
    authentication = "internal_plain"
 VirtualHost "guest.${JITSI_HOST}"
    authentication = "anonymous"
    c2s_require_encryption = false
 EOF
 __line jitsi_jicofo_secured_domains \
  --file /etc/jitsi/jicofo/sip-communicator.properties \
  --line "org.jitsi.jicofo.auth.URL=XMPP:${JITSI_HOST}" \
  --regex "org.jitsi.jicofo.auth.URL=" \
  --state ${SECURED_DOMAINS_STATE_JICOFO}
 # These two should be changed on new release
 PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5"
 PROMETHEUS_JITSI_EXPORTER_CHECKSUM="sha256:3ddf43a48d9a2f62be1bc6db9e7ba75d61994f9423e5c5b28be019f41f06f745"
--- a/type/__jitsi_meet/parameter/boolean
+++ b/type/__jitsi_meet/parameter/boolean
@ -1 +1,2 @@
 disable-prometheus-exporter
 secured-domains
--- a/type/__jitsi_meet_domain/boolean
+++ b/type/__jitsi_meet_domain/boolean
@ -0,0 +1 @@
 secured-domains
--- a/type/__jitsi_meet_domain/files/config.js.sh
+++ b/type/__jitsi_meet_domain/files/config.js.sh
@ -13,7 +13,14 @@ var config = {
        domain: '${JITSI_HOST}',
        // When using authentication, domain for guest users.
 $( if [ -n "${SECURED_DOMAINS}" ]; then cat<<EOF2
        anonymousdomain: 'guest.${JITSI_HOST}',
 EOF2
 else cat <<EOF2
        // anonymousdomain: 'guest.example.com',
 EOF2
 fi
 )
        // Domain for authenticated users. Defaults to <domain>.
        // authdomain: '${JITSI_HOST}',
--- a/type/__jitsi_meet_domain/manifest
+++ b/type/__jitsi_meet_domain/manifest
@ -32,6 +32,9 @@ fi
 if [ -f "${__object}/parameter/disable-audio-levels" ]; then
 	DISABLE_AUDIO_LEVELS="YES"
 fi
 if [ -f "${__object}/parameter/secured-domains" ]; then
 	SECURED_DOMAINS="YES"
 fi
 if [ -z "${TURN_SERVER}" ]; then
 	TURN_SERVER="${__target_host}"
--- a/type/__jitsi_meet_domain/parameter/boolean
+++ b/type/__jitsi_meet_domain/parameter/boolean
@ -1,2 +1,3 @@
 disable-audio-levels
 enable-third-party-requests
 secured-domains
--- a/type/__jitsi_meet_user/man.rst
+++ b/type/__jitsi_meet_user/man.rst
@ -0,0 +1,54 @@
 cdist-type__jitsi_meet_user(7)
 =================================
 NAME
 ----
 cdist-type__jitsi_meet_user - Setup users when using jitsi_meet instance with secure domain configuration
 DESCRIPTION
 -----------
 This type just places a file with a user and a password (plaintext) that will be used in a jitsi-meet instance with `secure domain configuration https://jitsi.github.io/handbook/docs/devops-guide/secure-domain`. There is a different from the official approach: to have an `internal_plain` authentication method to facilitate the auth management. That user will be able to create and join rooms on that instance as a moderator.
 You will also need to setup first the `__jitsi_meet_domain` and `__jitsi_meet` types.
 This type only works on De{bi,vu}an systems.
 REQUIRED PARAMETERS
 -------------------
 object id
    The user that will be able to authenticate against a Jitsi-Meet instance with secure domain configuration
 passwd
    The user's password in plaintext (beware that it is also stored as plaintext in the server)
 OPTIONAL PARAMETERS
 -------------------
 state
    If user should be (default) present or absent
 EXAMPLES
 --------
 .. code-block:: sh
    # Setup a Jitsi user for secure domain configuration
    __jitsi_meet_user "user_1" --password "WeNeedGoodSecurity"
 SEE ALSO
 --------
 - `__jitsi_meet`
 - `__jitsi_meet_domain`
 AUTHORS
 -------
 Pedro <pedrodocs2021@cas.cat>
 Evilham <contact@evilham.com>
 COPYING
 -------
 Copyright \(C) 2021 Pedro. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
 Copyright \(C) 2021 Evilham
--- a/type/__jitsi_meet_user/manifest
+++ b/type/__jitsi_meet_user/manifest
@ -0,0 +1,15 @@
 #!/bin/sh -e
 PASSWD="$(cat "${__object}/parameter/password")"
 STATE="$(cat "${__object}/parameter/state")"
 USER="${__object_id}"
 FQDN="$(echo "${__target_host}" | sed 's/\./%2e/g' | sed 's/-/%2d/g')"
 FILENAME="/var/lib/prosody/${FQDN}/accounts/${USER}.dat"
 __file "${FILENAME}" --owner prosody --group prosody --mode 0440 \
  --state "${STATE}" --source - <<EOF
 return {
 	["password"] = "${PASSWD}";
 };
 EOF
--- a/type/__jitsi_meet_user/parameter/default/state
+++ b/type/__jitsi_meet_user/parameter/default/state
@ -0,0 +1 @@
 present
--- a/type/__jitsi_meet_user/parameter/optional
+++ b/type/__jitsi_meet_user/parameter/optional
@ -0,0 +1 @@
 state
--- a/type/__jitsi_meet_user/parameter/required
+++ b/type/__jitsi_meet_user/parameter/required
@ -0,0 +1 @@
 password
`@ -1 +1,2 @@`
	`disable-prometheus-exporter`	`disable-prometheus-exporter`
		`secured-domains`