From fa37ede84fd53fa0902cb74ab13dae5989cb5494 Mon Sep 17 00:00:00 2001
From: Evilham <contact@evilham.com>
Date: Sun, 10 Apr 2022 19:45:08 +0200
Subject: [PATCH] [__jitsi_meet] Unconfuse jitsi-version and secured domains

Closes #14 by committing to keeping the package up to date as promptly as
possible; else weird  things happen and there are no real good solutions for
this.  E.g. we have seen in the past that due to security issues, a jitsi
dependency  needs to be upgraded, but some package that jitsi-meet depends upon
also has an upper limit on that package's version.

A note was added to the manpage in order make it explicit that maintenance of
this type can be sponsored to ensure its proper functioning.

Closes #15 by using `__file`. This will also allow us to have more control over
jicofo's settings, which might be important when we start doing recordings.

Sponsored by:	lafede.cat
---
 type/__jitsi_meet/files/jicofo.conf.sh        | 34 +++++++++++++++++
 .../default => files}/jitsi-version           |  0
 type/__jitsi_meet/gencode-remote              |  2 +-
 type/__jitsi_meet/man.rst                     | 18 +++++----
 type/__jitsi_meet/manifest                    | 38 +++++++++----------
 .../parameter/deprecated/jitsi-version        |  4 ++
 6 files changed, 67 insertions(+), 29 deletions(-)
 create mode 100755 type/__jitsi_meet/files/jicofo.conf.sh
 rename type/__jitsi_meet/{parameter/default => files}/jitsi-version (100%)
 create mode 100644 type/__jitsi_meet/parameter/deprecated/jitsi-version

diff --git a/type/__jitsi_meet/files/jicofo.conf.sh b/type/__jitsi_meet/files/jicofo.conf.sh
new file mode 100755
index 0000000..61a782a
--- /dev/null
+++ b/type/__jitsi_meet/files/jicofo.conf.sh
@@ -0,0 +1,34 @@
+#!/bin/sh -eu
+
+# Start
+cat <<EOF
+# Managed remotely, changes will be lost
+
+# Jicofo HOCON configuration. See /usr/share/jicofo/jicofo.jar/reference.conf for
+#available options, syntax, and default values.
+jicofo {
+  xmpp: {
+    client: {
+      client-proxy: focus.${JITSI_HOST:?}
+    }
+    trusted-domains: [ "recorder.${JITSI_HOST:?}" ]
+  }
+  bridge: {
+    brewery-jid: "JvbBrewery@internal.auth.${JITSI_HOST:?}"
+  }
+EOF
+
+# Secured domains if needed
+if [ "${SECURED_DOMAINS_STATE:?}" = "present" ]; then
+cat <<EOF
+
+  authentication: {
+    enabled: true
+    type: XMPP
+    login-url: ${JITSI_HOST:?}
+  }
+EOF
+fi
+
+# End
+echo '}'
diff --git a/type/__jitsi_meet/parameter/default/jitsi-version b/type/__jitsi_meet/files/jitsi-version
similarity index 100%
rename from type/__jitsi_meet/parameter/default/jitsi-version
rename to type/__jitsi_meet/files/jitsi-version
diff --git a/type/__jitsi_meet/gencode-remote b/type/__jitsi_meet/gencode-remote
index ae91f53..7d181b7 100755
--- a/type/__jitsi_meet/gencode-remote
+++ b/type/__jitsi_meet/gencode-remote
@@ -5,7 +5,7 @@ if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
 fi
 
 JITSI_HOST="${__object_id}"
-if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua)" "${__messages_in}"; then
+if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua|__file/etc/jitsi/jicofo/jicofo.conf)" "${__messages_in}"; then
   echo "systemctl restart prosody"
   echo "systemctl restart jicofo"
   echo "systemctl restart jitsi-videobridge2"
diff --git a/type/__jitsi_meet/man.rst b/type/__jitsi_meet/man.rst
index bf7cd86..b11fdc9 100644
--- a/type/__jitsi_meet/man.rst
+++ b/type/__jitsi_meet/man.rst
@@ -28,6 +28,15 @@ You should apply your own rules here.
 
 This type only works on De{bi,vu}an systems.
 
+It is very important for this type to stay up to date with the software, as
+otherwise new deployments or maintenance of existing instances might be
+negatively affected.
+If you can, please contribute updates to `__jitsi_meet` and
+`__jitsi_meet_domain` promptly and regularly.
+Alternatively, you can help finance that work; get in touch with the type
+authors for that (see below).
+
+
 NOTE: This type currently does not deal with setting up coturn.
       For that, you might want to check `__coturn` in
       https://code.ungleich.ch/ungleich-public/cdist-contrib
@@ -43,11 +52,6 @@ turn-server
     The hostname of the TURN server.
     This will assume that it is listening with TLS on port 443.
 
-jitsi-version
-    The jitsi-meet version of the Debian package to be installed.
-    While this can be specified, only the default value is known to work
-    properly with this type.
-
 
 BOOLEAN PARAMETERS
 ------------------
@@ -70,7 +74,7 @@ EXAMPLES
 
 .. code-block:: sh
 
-    # Setup the firewall 
+    # Setup the firewall
     . "${__global}/type/__jitsi_meet/files/ufw"
     export require="__ufw"
     # Setup Jitsi on this host
@@ -92,4 +96,4 @@ Evilham <contact@evilham.com>
 
 COPYING
 -------
-Copyright \(C) 2021 Evilham.
+Copyright \(C) 2022 Evilham.
diff --git a/type/__jitsi_meet/manifest b/type/__jitsi_meet/manifest
index 599af18..e9ed5c6 100755
--- a/type/__jitsi_meet/manifest
+++ b/type/__jitsi_meet/manifest
@@ -13,8 +13,13 @@ esac
 
 
 JITSI_HOST="${__target_host}"
-# Currently unused, see below
-# JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
+if [ -f "${__object}/parameter/jitsi-version" ]; then
+	# This has been deprecated and will be removed 'soon'
+	JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
+else
+	# Note this won't be a parameter anymore, we won't let users stay behind
+	JITSI_VERSION="$(cat "${__type}/files/jitsi-version")"
+fi
 TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
 TURN_SECRET="$(cat "${__object}/parameter/turn-secret")"
 
@@ -55,11 +60,12 @@ __debconf_set_selections jitsi_meet --line "${DEBCONF_SETTINGS}"
 export require="${require} __debconf_set_selections/jitsi_meet"
 
 # Install and upgrade packages as needed
-__package_apt jitsi-meet
-# We are not doing version pinning anymore because it breaks when
-# the version is not the latest.
-# This happens because dependencies cannot be properly resolved.
-# --version "${JITSI_VERSION}"
+#   NOTE: we are doing version pinning again, but it breaks sometimes when
+#         the version is not the latest.
+#         This happens because dependencies might not be properly resolved.
+#         To avoid this, this type must be maintained up to date.
+#         If we don't use this, keeping Jitsi's up to date is very difficult.
+__package_apt jitsi-meet --version "${JITSI_VERSION}"
 
 # Proceed only after installation/upgrade has finished
 export require="__package_apt/jitsi-meet"
@@ -151,10 +157,8 @@ EOF
 
 if [ -f "${__object}/parameter/secured-domains" ]; then
   SECURED_DOMAINS_STATE='present'
-  SECURED_DOMAINS_STATE_JICOFO='present'
 else
   SECURED_DOMAINS_STATE='absent'
-  SECURED_DOMAINS_STATE_JICOFO='absent'
 fi
 
 __file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
@@ -169,18 +173,10 @@ VirtualHost "guest.${JITSI_HOST}"
     c2s_require_encryption = false
 EOF
 
-__block jitsi_jicofo_secured_domains \
-  --prefix "// begin cdist: jicofo_secured_domains" \
-  --suffix "// end   cdist: jicofo_secured_domains" \
-  --file /etc/jitsi/jicofo/jicofo.conf \
-  --state "${SECURED_DOMAINS_STATE_JICOFO}" \
-  --text '-' <<EOF
-  authentication: {
-    enabled: true
-    type: XMPP
-    login-url: ${JITSI_HOST}
-  }
-EOF
+export SECURED_DOMAINS_STATE
+export JITSI_HOST
+"${__type}/files/jicofo.conf.sh" | \
+	__file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-'
 
 # These two should be changed on new release
 PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5"
diff --git a/type/__jitsi_meet/parameter/deprecated/jitsi-version b/type/__jitsi_meet/parameter/deprecated/jitsi-version
new file mode 100644
index 0000000..288d647
--- /dev/null
+++ b/type/__jitsi_meet/parameter/deprecated/jitsi-version
@@ -0,0 +1,4 @@
+Supporting different versions lead to strange issues in the life-time of a
+Jitsi instance. Chiefly: difficulties upgrading.
+
+If you are specifying this for a valid reason, please get in touch.