[__jitsi_meet] Unconfuse jitsi-version and secured domains

Closes #14 by committing to keeping the package up to date as promptly as
possible; else weird  things happen and there are no real good solutions for
this.  E.g. we have seen in the past that due to security issues, a jitsi
dependency  needs to be upgraded, but some package that jitsi-meet depends upon
also has an upper limit on that package's version.

A note was added to the manpage in order make it explicit that maintenance of
this type can be sponsored to ensure its proper functioning.

Closes #15 by using `__file`. This will also allow us to have more control over
jicofo's settings, which might be important when we start doing recordings.

Sponsored by:	lafede.cat

type/__jitsi_meet/files/jicofo.conf.sh

@@ -0,0 +1,34 @@
+#!/bin/sh -eu
+
+# Start
+cat <<EOF
+# Managed remotely, changes will be lost
+
+# Jicofo HOCON configuration. See /usr/share/jicofo/jicofo.jar/reference.conf for
+#available options, syntax, and default values.
+jicofo {
+  xmpp: {
+    client: {
+      client-proxy: focus.${JITSI_HOST:?}
+    }
+    trusted-domains: [ "recorder.${JITSI_HOST:?}" ]
+  }
+  bridge: {
+    brewery-jid: "JvbBrewery@internal.auth.${JITSI_HOST:?}"
+  }
+EOF
+
+# Secured domains if needed
+if [ "${SECURED_DOMAINS_STATE:?}" = "present" ]; then
+cat <<EOF
+
+  authentication: {
+    enabled: true
+    type: XMPP
+    login-url: ${JITSI_HOST:?}
+  }
+EOF
+fi
+
+# End
+echo '}'

type/__jitsi_meet/gencode-remote

@@ -5,7 +5,7 @@ if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
 fi
 
 JITSI_HOST="${__object_id}"
-if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua)" "${__messages_in}"; then
+if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua|__file/etc/jitsi/jicofo/jicofo.conf)" "${__messages_in}"; then
   echo "systemctl restart prosody"
   echo "systemctl restart jicofo"
   echo "systemctl restart jitsi-videobridge2"

type/__jitsi_meet/man.rst

@@ -28,6 +28,15 @@ You should apply your own rules here.
 
 This type only works on De{bi,vu}an systems.
 
+It is very important for this type to stay up to date with the software, as
+otherwise new deployments or maintenance of existing instances might be
+negatively affected.
+If you can, please contribute updates to `__jitsi_meet` and
+`__jitsi_meet_domain` promptly and regularly.
+Alternatively, you can help finance that work; get in touch with the type
+authors for that (see below).
+
+
 NOTE: This type currently does not deal with setting up coturn.
       For that, you might want to check `__coturn` in
       https://code.ungleich.ch/ungleich-public/cdist-contrib
@@ -43,11 +52,6 @@ turn-server
     The hostname of the TURN server.
     This will assume that it is listening with TLS on port 443.
 
-jitsi-version
-    The jitsi-meet version of the Debian package to be installed.
-    While this can be specified, only the default value is known to work
-    properly with this type.
-
 
 BOOLEAN PARAMETERS
 ------------------
@@ -92,4 +96,4 @@ Evilham <contact@evilham.com>
 
 COPYING
 -------
-Copyright \(C) 2021 Evilham.
+Copyright \(C) 2022 Evilham.

type/__jitsi_meet/manifest

@@ -13,8 +13,13 @@ esac
 
 
 JITSI_HOST="${__target_host}"
-# Currently unused, see below
+if [ -f "${__object}/parameter/jitsi-version" ]; then
-# JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
+	# This has been deprecated and will be removed 'soon'
+	JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
+else
+	# Note this won't be a parameter anymore, we won't let users stay behind
+	JITSI_VERSION="$(cat "${__type}/files/jitsi-version")"
+fi
 TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
 TURN_SECRET="$(cat "${__object}/parameter/turn-secret")"
 
@@ -55,11 +60,12 @@ __debconf_set_selections jitsi_meet --line "${DEBCONF_SETTINGS}"
 export require="${require} __debconf_set_selections/jitsi_meet"
 
 # Install and upgrade packages as needed
-__package_apt jitsi-meet
+#   NOTE: we are doing version pinning again, but it breaks sometimes when
-# We are not doing version pinning anymore because it breaks when
 #         the version is not the latest.
-# This happens because dependencies cannot be properly resolved.
+#         This happens because dependencies might not be properly resolved.
-# --version "${JITSI_VERSION}"
+#         To avoid this, this type must be maintained up to date.
+#         If we don't use this, keeping Jitsi's up to date is very difficult.
+__package_apt jitsi-meet --version "${JITSI_VERSION}"
 
 # Proceed only after installation/upgrade has finished
 export require="__package_apt/jitsi-meet"
@@ -151,10 +157,8 @@ EOF
 
 if [ -f "${__object}/parameter/secured-domains" ]; then
   SECURED_DOMAINS_STATE='present'
-  SECURED_DOMAINS_STATE_JICOFO='present'
 else
   SECURED_DOMAINS_STATE='absent'
-  SECURED_DOMAINS_STATE_JICOFO='absent'
 fi
 
 __file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
@@ -169,18 +173,10 @@ VirtualHost "guest.${JITSI_HOST}"
     c2s_require_encryption = false
 EOF
 
-__block jitsi_jicofo_secured_domains \
+export SECURED_DOMAINS_STATE
-  --prefix "// begin cdist: jicofo_secured_domains" \
+export JITSI_HOST
-  --suffix "// end   cdist: jicofo_secured_domains" \
+"${__type}/files/jicofo.conf.sh" | \
-  --file /etc/jitsi/jicofo/jicofo.conf \
+	__file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-'
-  --state "${SECURED_DOMAINS_STATE_JICOFO}" \
-  --text '-' <<EOF
-  authentication: {
-    enabled: true
-    type: XMPP
-    login-url: ${JITSI_HOST}
-  }
-EOF
 
 # These two should be changed on new release
 PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5"

type/__jitsi_meet/parameter/deprecated/jitsi-version

@@ -0,0 +1,4 @@
+Supporting different versions lead to strange issues in the life-time of a
+Jitsi instance. Chiefly: difficulties upgrading.
+
+If you are specifying this for a valid reason, please get in touch.