From 87bc76611587a5c9c9663a421ecf24a9f2c3eea8 Mon Sep 17 00:00:00 2001
From: pedro
Date: Mon, 10 May 2021 16:40:46 +0200
Subject: [PATCH] [__jitsi_meet*] Add parameters for secure domains

This is done with slight adaptations from the official guide at https://jitsi.github.io/handbook/docs/devops-guide/secure-domain

Amongst other changes, we rely on Prosody's configuration parser only overwriting the parts of a VirtualHost that are explicitly specified in "later appearing" (lexicographically speaking) files. This allows us to let Jitsi manage the main config file and adding the few customisations on top of it.

We also use the Plaintext authenticator as this is enough atm and is the easiest to manage in an idempotent fashion; support for other authentication mechanisms is possible, see Prosody's documentation for that.
---
 type/__jitsi_meet/gencode-remote | 7 +++
 type/__jitsi_meet/manifest | 26 +++++++++
 type/__jitsi_meet/parameter/boolean | 1 +
 type/__jitsi_meet_domain/boolean | 1 +
 type/__jitsi_meet_domain/files/config.js.sh | 7 +++
 type/__jitsi_meet_domain/manifest | 3 ++
 type/__jitsi_meet_domain/parameter/boolean | 1 +
 type/__jitsi_meet_user/man.rst | 54 +++++++++++++++++++
 type/__jitsi_meet_user/manifest | 15 ++++++
 .../__jitsi_meet_user/parameter/default/state | 1 +
 type/__jitsi_meet_user/parameter/optional | 1 +
 type/__jitsi_meet_user/parameter/required | 1 +
 12 files changed, 118 insertions(+)
 create mode 100644 type/__jitsi_meet_domain/boolean
 create mode 100644 type/__jitsi_meet_user/man.rst
 create mode 100755 type/__jitsi_meet_user/manifest
 create mode 100644 type/__jitsi_meet_user/parameter/default/state
 create mode 100644 type/__jitsi_meet_user/parameter/optional
 create mode 100644 type/__jitsi_meet_user/parameter/required

diff --git a/type/__jitsi_meet/gencode-remote b/type/__jitsi_meet/gencode-remote
index 7a400b8..ae91f53 100755
--- a/type/__jitsi_meet/gencode-remote
+++ b/type/__jitsi_meet/gencode-remote
@@ -3,3 +3,10 @@
 if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
 echo "service nginx reload"
 fi
+
+JITSI_HOST="${__object_id}"
+if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua)" "${__messages_in}"; then
+ echo "systemctl restart prosody"
+ echo "systemctl restart jicofo"
+ echo "systemctl restart jitsi-videobridge2"
+fi
diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest
index aa2bdf9..50e61c3 100755
--- a/type/__jitsi_meet/manifest
+++ b/type/__jitsi_meet/manifest
@@ -141,6 +141,32 @@ server {
 }
 EOF
+
+if [ -f "${__object}/parameter/secured-domains" ]; then
+ SECURED_DOMAINS_STATE='present'
+ SECURED_DOMAINS_STATE_JICOFO='replace'
+else
+ SECURED_DOMAINS_STATE='absent'
+ SECURED_DOMAINS_STATE_JICOFO='absent'
+fi
+
+__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
+ --owner prosody --group prosody --mode 0440 \
+ --state ${SECURED_DOMAINS_STATE} \
+ --source - <. // authdomain: '${JITSI_HOST}',
diff --git a/type/__jitsi_meet_domain/manifest b/type/__jitsi_meet_domain/manifest
index b57b853..a7d5fec 100755
--- a/type/__jitsi_meet_domain/manifest
+++ b/type/__jitsi_meet_domain/manifest
@@ -32,6 +32,9 @@ fi
 if [ -f "${__object}/parameter/disable-audio-levels" ]; then
 DISABLE_AUDIO_LEVELS="YES"
 fi
+if [ -f "${__object}/parameter/secured-domains" ]; then
+ SECURED_DOMAINS="YES"
+fi
 
 if [ -z "${TURN_SERVER}" ]; then
 TURN_SERVER="${__target_host}"
diff --git a/type/__jitsi_meet_domain/parameter/boolean b/type/__jitsi_meet_domain/parameter/boolean
index a820841..fb485d1 100644
--- a/type/__jitsi_meet_domain/parameter/boolean
+++ b/type/__jitsi_meet_domain/parameter/boolean
@@ -1,2 +1,3 @@
 disable-audio-levels
 enable-third-party-requests
+secured-domains
diff --git a/type/__jitsi_meet_user/man.rst b/type/__jitsi_meet_user/man.rst
new file mode 100644
index 0000000..173aa8a
--- /dev/null
+++ b/type/__jitsi_meet_user/man.rst
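Review bot: The new restart block in gencode-remote has no comment explaining why two unrelated messages (`__line/jitsi_jicofo_secured_domains` and the `.zauth.cfg.lua` file) trigger a restart of three services, so the next maintainer has to reconstruct that from the grep pattern. Add above the `if`: `# The secure-domain switch is spread over the prosody vhost file and the jicofo line; when either changes, restart the whole stack so every component picks up the new auth configuration.` Note also that `${JITSI_HOST}` is interpolated into an ERE, so the dots in the host name match any character; that is harmless for a message-file match but worth a word in the comment so nobody tightens it into a `-F` match that breaks the alternation.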
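Review bot: In the `__jitsi_meet_domain` manifest, `SECURED_DOMAINS="YES"` is derived only from the domain object's own `--secured-domains` flag, while server-side enforcement (the prosody `.zauth.cfg.lua` file and the jicofo line) is switched by the separate flag on the `__jitsi_meet` object in the hunk above; nothing ties the two together, so a domain can advertise authentication in its web config (presumably consumed by config.js.sh, not visible here) without the server enforcing it, or the reverse. Document the coupling on the new block, e.g. `# Must match --secured-domains on the __jitsi_meet object: this only affects the web client config, enforcement is configured there.` The diffstat also lists a new `type/__jitsi_meet_domain/boolean` beside the `parameter/boolean` edit; cdist reads `parameter/boolean`, so that extra file looks misplaced and would not be honoured.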
@@ -0,0 +1,54 @@
+cdist-type__jitsi_meet_user(7)
+=================================
+
+NAME
+----
+cdist-type__jitsi_meet_user - Setup users when using jitsi_meet instance with secure domain configuration
+
+DESCRIPTION
+-----------
+This type just places a file with a user and a password (plaintext) that will be used in a jitsi-meet instance with `secure domain configuration https://jitsi.github.io/handbook/docs/devops-guide/secure-domain`. There is a different from the official approach: to have an `internal_plain` authentication method to facilitate the auth management. That user will be able to create and join rooms on that instance as a moderator.
+
+You will also need to setup first the `__jitsi_meet_domain` and `__jitsi_meet` types.
+
+This type only works on De{bi,vu}an systems.
+
+REQUIRED PARAMETERS
+-------------------
+object id
+ The user that will be able to authenticate against a Jitsi-Meet instance with secure domain configuration
+
+passwd
+ The user's password in plaintext (beware that it is also stored as plaintext in the server)
+
+OPTIONAL PARAMETERS
+-------------------
+state
+ If user should be (default) present or absent
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+ # Setup a Jitsi user for secure domain configuration
+ __jitsi_meet_user "user_1" --password "WeNeedGoodSecurity"
+
+SEE ALSO
+--------
+- `__jitsi_meet`
+- `__jitsi_meet_domain`
+
+
+AUTHORS
+-------
+Pedro
+Evilham
+
+COPYING
+-------
+Copyright \(C) 2021 Pedro. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+Copyright \(C) 2021 Evilham
diff --git a/type/__jitsi_meet_user/manifest b/type/__jitsi_meet_user/manifest
new file mode 100755
index 0000000..a4d1935
--- /dev/null
+++ b/type/__jitsi_meet_user/manifest
@@ -0,0 +1,15 @@
+#!/bin/sh -e
+
+PASSWD="$(cat "${__object}/parameter/password")"
+STATE="$(cat "${__object}/parameter/state")"
+
+USER="${__object_id}"
+FQDN="$(echo "${__target_host}" | sed 's/\./%2e/g' | sed 's/-/%2d/g')"
+FILENAME="/var/lib/prosody/${FQDN}/accounts/${USER}.dat"
+
+__file "${FILENAME}" --owner prosody --group prosody --mode 0440 \
+ --state "${STATE}" --source - <