[__jitsi_meet*] Add parameters for secure domains
This is done with slight adaptations from the official guide at https://jitsi.github.io/handbook/docs/devops-guide/secure-domain Amongst other changes, we rely on Prosody's configuration parser only overwriting the parts of a VirtualHost that are explicitly specified in "later appearing" (lexicographically speaking) files. This allows us to let Jitsi manage the main config file and adding the few customisations on top of it. We also use the Plaintext authenticator as this is enough atm and is the easiest to manage in an idempotent fashion; support for other authentication mechanisms is possible, see Prosody's documentation for that.
This commit is contained in:
parent
ccd3f364e4
commit
87bc766115
12 changed files with 118 additions and 0 deletions
|
@ -3,3 +3,10 @@
|
||||||
if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
|
if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
|
||||||
echo "service nginx reload"
|
echo "service nginx reload"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
JITSI_HOST="${__object_id}"
|
||||||
|
if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua)" "${__messages_in}"; then
|
||||||
|
echo "systemctl restart prosody"
|
||||||
|
echo "systemctl restart jicofo"
|
||||||
|
echo "systemctl restart jitsi-videobridge2"
|
||||||
|
fi
|
||||||
|
|
|
@ -141,6 +141,32 @@ server {
|
||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
if [ -f "${__object}/parameter/secured-domains" ]; then
|
||||||
|
SECURED_DOMAINS_STATE='present'
|
||||||
|
SECURED_DOMAINS_STATE_JICOFO='replace'
|
||||||
|
else
|
||||||
|
SECURED_DOMAINS_STATE='absent'
|
||||||
|
SECURED_DOMAINS_STATE_JICOFO='absent'
|
||||||
|
fi
|
||||||
|
|
||||||
|
__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
|
||||||
|
--owner prosody --group prosody --mode 0440 \
|
||||||
|
--state ${SECURED_DOMAINS_STATE} \
|
||||||
|
--source - <<EOF
|
||||||
|
VirtualHost "${JITSI_HOST}"
|
||||||
|
authentication = "internal_plain"
|
||||||
|
|
||||||
|
VirtualHost "guest.${JITSI_HOST}"
|
||||||
|
authentication = "anonymous"
|
||||||
|
c2s_require_encryption = false
|
||||||
|
EOF
|
||||||
|
|
||||||
|
__line jitsi_jicofo_secured_domains \
|
||||||
|
--file /etc/jitsi/jicofo/sip-communicator.properties \
|
||||||
|
--line "org.jitsi.jicofo.auth.URL=XMPP:${JITSI_HOST}" \
|
||||||
|
--regex "org.jitsi.jicofo.auth.URL=" \
|
||||||
|
--state ${SECURED_DOMAINS_STATE_JICOFO}
|
||||||
|
|
||||||
# These two should be changed on new release
|
# These two should be changed on new release
|
||||||
PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5"
|
PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5"
|
||||||
PROMETHEUS_JITSI_EXPORTER_CHECKSUM="sha256:3ddf43a48d9a2f62be1bc6db9e7ba75d61994f9423e5c5b28be019f41f06f745"
|
PROMETHEUS_JITSI_EXPORTER_CHECKSUM="sha256:3ddf43a48d9a2f62be1bc6db9e7ba75d61994f9423e5c5b28be019f41f06f745"
|
||||||
|
|
|
@ -1 +1,2 @@
|
||||||
disable-prometheus-exporter
|
disable-prometheus-exporter
|
||||||
|
secured-domains
|
||||||
|
|
1
type/__jitsi_meet_domain/boolean
Normal file
1
type/__jitsi_meet_domain/boolean
Normal file
|
@ -0,0 +1 @@
|
||||||
|
secured-domains
|
|
@ -13,7 +13,14 @@ var config = {
|
||||||
domain: '${JITSI_HOST}',
|
domain: '${JITSI_HOST}',
|
||||||
|
|
||||||
// When using authentication, domain for guest users.
|
// When using authentication, domain for guest users.
|
||||||
|
$( if [ -n "${SECURED_DOMAINS}" ]; then cat<<EOF2
|
||||||
|
anonymousdomain: 'guest.${JITSI_HOST}',
|
||||||
|
EOF2
|
||||||
|
else cat <<EOF2
|
||||||
// anonymousdomain: 'guest.example.com',
|
// anonymousdomain: 'guest.example.com',
|
||||||
|
EOF2
|
||||||
|
fi
|
||||||
|
)
|
||||||
|
|
||||||
// Domain for authenticated users. Defaults to <domain>.
|
// Domain for authenticated users. Defaults to <domain>.
|
||||||
// authdomain: '${JITSI_HOST}',
|
// authdomain: '${JITSI_HOST}',
|
||||||
|
|
|
@ -32,6 +32,9 @@ fi
|
||||||
if [ -f "${__object}/parameter/disable-audio-levels" ]; then
|
if [ -f "${__object}/parameter/disable-audio-levels" ]; then
|
||||||
DISABLE_AUDIO_LEVELS="YES"
|
DISABLE_AUDIO_LEVELS="YES"
|
||||||
fi
|
fi
|
||||||
|
if [ -f "${__object}/parameter/secured-domains" ]; then
|
||||||
|
SECURED_DOMAINS="YES"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ -z "${TURN_SERVER}" ]; then
|
if [ -z "${TURN_SERVER}" ]; then
|
||||||
TURN_SERVER="${__target_host}"
|
TURN_SERVER="${__target_host}"
|
||||||
|
|
|
@ -1,2 +1,3 @@
|
||||||
disable-audio-levels
|
disable-audio-levels
|
||||||
enable-third-party-requests
|
enable-third-party-requests
|
||||||
|
secured-domains
|
||||||
|
|
54
type/__jitsi_meet_user/man.rst
Normal file
54
type/__jitsi_meet_user/man.rst
Normal file
|
@ -0,0 +1,54 @@
|
||||||
|
cdist-type__jitsi_meet_user(7)
|
||||||
|
=================================
|
||||||
|
|
||||||
|
NAME
|
||||||
|
----
|
||||||
|
cdist-type__jitsi_meet_user - Setup users when using jitsi_meet instance with secure domain configuration
|
||||||
|
|
||||||
|
DESCRIPTION
|
||||||
|
-----------
|
||||||
|
This type just places a file with a user and a password (plaintext) that will be used in a jitsi-meet instance with `secure domain configuration https://jitsi.github.io/handbook/docs/devops-guide/secure-domain`. There is a different from the official approach: to have an `internal_plain` authentication method to facilitate the auth management. That user will be able to create and join rooms on that instance as a moderator.
|
||||||
|
|
||||||
|
You will also need to setup first the `__jitsi_meet_domain` and `__jitsi_meet` types.
|
||||||
|
|
||||||
|
This type only works on De{bi,vu}an systems.
|
||||||
|
|
||||||
|
REQUIRED PARAMETERS
|
||||||
|
-------------------
|
||||||
|
object id
|
||||||
|
The user that will be able to authenticate against a Jitsi-Meet instance with secure domain configuration
|
||||||
|
|
||||||
|
passwd
|
||||||
|
The user's password in plaintext (beware that it is also stored as plaintext in the server)
|
||||||
|
|
||||||
|
OPTIONAL PARAMETERS
|
||||||
|
-------------------
|
||||||
|
state
|
||||||
|
If user should be (default) present or absent
|
||||||
|
|
||||||
|
EXAMPLES
|
||||||
|
--------
|
||||||
|
|
||||||
|
.. code-block:: sh
|
||||||
|
|
||||||
|
# Setup a Jitsi user for secure domain configuration
|
||||||
|
__jitsi_meet_user "user_1" --password "WeNeedGoodSecurity"
|
||||||
|
|
||||||
|
SEE ALSO
|
||||||
|
--------
|
||||||
|
- `__jitsi_meet`
|
||||||
|
- `__jitsi_meet_domain`
|
||||||
|
|
||||||
|
|
||||||
|
AUTHORS
|
||||||
|
-------
|
||||||
|
Pedro <pedrodocs2021@cas.cat>
|
||||||
|
Evilham <contact@evilham.com>
|
||||||
|
|
||||||
|
COPYING
|
||||||
|
-------
|
||||||
|
Copyright \(C) 2021 Pedro. You can redistribute it
|
||||||
|
and/or modify it under the terms of the GNU General Public License as
|
||||||
|
published by the Free Software Foundation, either version 3 of the
|
||||||
|
License, or (at your option) any later version.
|
||||||
|
Copyright \(C) 2021 Evilham
|
15
type/__jitsi_meet_user/manifest
Executable file
15
type/__jitsi_meet_user/manifest
Executable file
|
@ -0,0 +1,15 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
PASSWD="$(cat "${__object}/parameter/password")"
|
||||||
|
STATE="$(cat "${__object}/parameter/state")"
|
||||||
|
|
||||||
|
USER="${__object_id}"
|
||||||
|
FQDN="$(echo "${__target_host}" | sed 's/\./%2e/g' | sed 's/-/%2d/g')"
|
||||||
|
FILENAME="/var/lib/prosody/${FQDN}/accounts/${USER}.dat"
|
||||||
|
|
||||||
|
__file "${FILENAME}" --owner prosody --group prosody --mode 0440 \
|
||||||
|
--state "${STATE}" --source - <<EOF
|
||||||
|
return {
|
||||||
|
["password"] = "${PASSWD}";
|
||||||
|
};
|
||||||
|
EOF
|
1
type/__jitsi_meet_user/parameter/default/state
Normal file
1
type/__jitsi_meet_user/parameter/default/state
Normal file
|
@ -0,0 +1 @@
|
||||||
|
present
|
1
type/__jitsi_meet_user/parameter/optional
Normal file
1
type/__jitsi_meet_user/parameter/optional
Normal file
|
@ -0,0 +1 @@
|
||||||
|
state
|
1
type/__jitsi_meet_user/parameter/required
Normal file
1
type/__jitsi_meet_user/parameter/required
Normal file
|
@ -0,0 +1 @@
|
||||||
|
password
|
Loading…
Reference in a new issue