[__jitsi_meet] Unconfuse jitsi-version and secured domains

Closes #14 by committing to keeping the package up to date as promptly as possible; else weird things happen and there are no real good solutions for this. E.g. we have seen in the past that due to security issues, a jitsi dependency needs to be upgraded, but some package that jitsi-meet depends upon also has an upper limit on that package's version. A note was added to the manpage in order make it explicit that maintenance of this type can be sponsored to ensure its proper functioning. Closes #15 by using `__file`. This will also allow us to have more control over jicofo's settings, which might be important when we start doing recordings. Sponsored by: lafede.cat
1 year ago · fa37ede84f
parent af04f7464b
commit fa37ede84f
6 changed files with 67 additions and 29 deletions
--- a/type/__jitsi_meet/files/jicofo.conf.sh
+++ b/type/__jitsi_meet/files/jicofo.conf.sh
@ -0,0 +1,34 @@
+#!/bin/sh -eu
+
+# Start
+cat <<EOF
+# Managed remotely, changes will be lost
+
+# Jicofo HOCON configuration. See /usr/share/jicofo/jicofo.jar/reference.conf for
+#available options, syntax, and default values.
+jicofo {
+  xmpp: {
+    client: {
+      client-proxy: focus.${JITSI_HOST:?}
+    }
+    trusted-domains: [ "recorder.${JITSI_HOST:?}" ]
+  }
+  bridge: {
+    brewery-jid: "JvbBrewery@internal.auth.${JITSI_HOST:?}"
+  }
+EOF
+
+# Secured domains if needed
+if [ "${SECURED_DOMAINS_STATE:?}" = "present" ]; then
+cat <<EOF
+
+  authentication: {
+    enabled: true
+    type: XMPP
+    login-url: ${JITSI_HOST:?}
+  }
+EOF
+fi
+
+# End
+echo '}'
--- a/type/__jitsi_meet/parameter/default/jitsi-version
+++ b/type/__jitsi_meet/parameter/default/jitsi-version
--- a/type/__jitsi_meet/gencode-remote
+++ b/type/__jitsi_meet/gencode-remote
@ -5,7 +5,7 @@ if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
 fi

 JITSI_HOST="${__object_id}"
-if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua)" "${__messages_in}"; then
+if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua|__file/etc/jitsi/jicofo/jicofo.conf)" "${__messages_in}"; then
  echo "systemctl restart prosody"
  echo "systemctl restart jicofo"
  echo "systemctl restart jitsi-videobridge2"
--- a/type/__jitsi_meet/man.rst
+++ b/type/__jitsi_meet/man.rst
@ -28,6 +28,15 @@ You should apply your own rules here.

 This type only works on De{bi,vu}an systems.

+It is very important for this type to stay up to date with the software, as
+otherwise new deployments or maintenance of existing instances might be
+negatively affected.
+If you can, please contribute updates to `__jitsi_meet` and
+`__jitsi_meet_domain` promptly and regularly.
+Alternatively, you can help finance that work; get in touch with the type
+authors for that (see below).
+
+
 NOTE: This type currently does not deal with setting up coturn.
      For that, you might want to check `__coturn` in
      https://code.ungleich.ch/ungleich-public/cdist-contrib
@ -43,11 +52,6 @@ turn-server
    The hostname of the TURN server.
    This will assume that it is listening with TLS on port 443.

-jitsi-version
-    The jitsi-meet version of the Debian package to be installed.
-    While this can be specified, only the default value is known to work
-    properly with this type.
-

 BOOLEAN PARAMETERS
 ------------------
@ -70,7 +74,7 @@ EXAMPLES

 .. code-block:: sh

-    # Setup the firewall 
+    # Setup the firewall
    . "${__global}/type/__jitsi_meet/files/ufw"
    export require="__ufw"
    # Setup Jitsi on this host
@ -92,4 +96,4 @@ Evilham <contact@evilham.com>

 COPYING
 -------
-Copyright \(C) 2021 Evilham.
+Copyright \(C) 2022 Evilham.
--- a/type/__jitsi_meet/manifest
+++ b/type/__jitsi_meet/manifest
@ -13,8 +13,13 @@ esac


 JITSI_HOST="${__target_host}"
-# Currently unused, see below
-# JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
+if [ -f "${__object}/parameter/jitsi-version" ]; then
+	# This has been deprecated and will be removed 'soon'
+	JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
+else
+	# Note this won't be a parameter anymore, we won't let users stay behind
+	JITSI_VERSION="$(cat "${__type}/files/jitsi-version")"
+fi
 TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
 TURN_SECRET="$(cat "${__object}/parameter/turn-secret")"

@ -55,11 +60,12 @@ __debconf_set_selections jitsi_meet --line "${DEBCONF_SETTINGS}"
 export require="${require} __debconf_set_selections/jitsi_meet"

 # Install and upgrade packages as needed
-__package_apt jitsi-meet
-# We are not doing version pinning anymore because it breaks when
-# the version is not the latest.
-# This happens because dependencies cannot be properly resolved.
-# --version "${JITSI_VERSION}"
+#   NOTE: we are doing version pinning again, but it breaks sometimes when
+#         the version is not the latest.
+#         This happens because dependencies might not be properly resolved.
+#         To avoid this, this type must be maintained up to date.
+#         If we don't use this, keeping Jitsi's up to date is very difficult.
+__package_apt jitsi-meet --version "${JITSI_VERSION}"

 # Proceed only after installation/upgrade has finished
 export require="__package_apt/jitsi-meet"
@ -151,10 +157,8 @@ EOF

 if [ -f "${__object}/parameter/secured-domains" ]; then
  SECURED_DOMAINS_STATE='present'
-  SECURED_DOMAINS_STATE_JICOFO='present'
 else
  SECURED_DOMAINS_STATE='absent'
-  SECURED_DOMAINS_STATE_JICOFO='absent'
 fi

 __file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
@ -169,18 +173,10 @@ VirtualHost "guest.${JITSI_HOST}"
    c2s_require_encryption = false
 EOF

-__block jitsi_jicofo_secured_domains \
-  --prefix "// begin cdist: jicofo_secured_domains" \
-  --suffix "// end   cdist: jicofo_secured_domains" \
-  --file /etc/jitsi/jicofo/jicofo.conf \
-  --state "${SECURED_DOMAINS_STATE_JICOFO}" \
-  --text '-' <<EOF
-  authentication: {
-    enabled: true
-    type: XMPP
-    login-url: ${JITSI_HOST}
-  }
-EOF
+export SECURED_DOMAINS_STATE
+export JITSI_HOST
+"${__type}/files/jicofo.conf.sh" | \
+	__file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-'

 # These two should be changed on new release
 PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5"
--- a/type/__jitsi_meet/parameter/deprecated/jitsi-version
+++ b/type/__jitsi_meet/parameter/deprecated/jitsi-version
@ -0,0 +1,4 @@
+Supporting different versions lead to strange issues in the life-time of a
+Jitsi instance. Chiefly: difficulties upgrading.
+
+If you are specifying this for a valid reason, please get in touch.