Matrix Authentication Support for Jitsi

This extends the collection with support for seamless authentication at the Jitsi server using Matrix OpenID.

1. New role for installing the [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service)
2. Changes to Jitsi role: Installing Jitsi Prosody Mods and configuring Jitsi Auth
3. Changes to Jitsi and nginx-proxy roles: Serving .well-known/element/jitsi from jitsi.DOMAIN
4. We updated the Jitsi documentation on authentication and added documentation for the user verification service.

roles/custom/matrix-jitsi/defaults/main.yml

@@ -13,14 +13,16 @@ matrix_jitsi_enable_jaas_components: false
 matrix_jitsi_enable_p2p: true
 matrix_jitsi_enable_av_moderation: true
 matrix_jitsi_enable_breakout_rooms: true
+matrix_jitsi_disable_gravatar: true
 
-# Authentication type, must be one of internal, jwt or ldap.
-# Currently only internal and ldap mechanisms are supported by this playbook.
+# Authentication type, must be one of internal, jwt, matrix or ldap.
+# Currently, only internal, matrix and ldap mechanisms are supported by this playbook.
+# matrix auth verifies against matrix openID, and requires a user-verification-service to run.
 matrix_jitsi_auth_type: internal
 
 # A list of Jitsi (Prosody) accounts to create using the internal authentication mechanism.
 #
-# Accounts added here and subsquently removed will not be automatically removed
+# Accounts added here and subsequently removed will not be automatically removed
 # from the Prosody server until user account cleaning is integrated into the playbook.
 #
 # Example:
@@ -49,6 +51,23 @@ matrix_jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt"
 matrix_jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs"
 matrix_jitsi_ldap_start_tls: false
 
+# Auth type: matrix
+matrix_jitsi_prosody_auth_matrix_user_verification_repo_location: "https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification"
+matrix_jitsi_prosody_auth_matrix_user_verification_repo_target: "{{ matrix_jitsi_prosody_ext_path }}/prosody_auth_matrix_user_verification"
+matrix_jitsi_prosody_auth_matrix_user_verification_repo_version: "2839499cb03894d8cfc3e5b2219441427cb133d8" # v1.8.0
+matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels: true
+matrix_jitsi_prosody_auth_matrix_uvs_location: "{{ matrix_user_verification_service_container_url }}"
+# Should match domain, see https://github.com/vector-im/element-web/pull/15114/commits/0410a6b3be82a41457275e4d1ce879dea146e092
+matrix_jitsi_prosody_auth_matrix_jwt_app_id: "{{ matrix_server_fqn_jitsi }}"
+matrix_jitsi_prosody_auth_matrix_files:
+  - path: "mod_auth_matrix_user_verification.lua"
+    when: true
+  - path: "mod_matrix_power_sync.lua"
+    when: "{{ matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels }}"
+
+# Plugged in group_vars
+#matrix_jitsi_prosody_auth_matrix_uvs_auth_token:
+
 matrix_jitsi_timezone: UTC
 
 matrix_jitsi_xmpp_domain: meet.jitsi
@@ -180,6 +199,17 @@ matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_im
 matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody"
 matrix_jitsi_prosody_config_path: "{{ matrix_jitsi_prosody_base_path }}/config"
 matrix_jitsi_prosody_plugins_path: "{{ matrix_jitsi_prosody_base_path }}/prosody-plugins-custom"
+matrix_jitsi_prosody_ext_path: "{{ matrix_jitsi_prosody_base_path }}/ext"
+
+# well known is currently only needed for auth type "matrix"
+matrix_jitsi_require_well_known: "{{ matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix' }}"
+matrix_jitsi_wellknown_element_jitsi_json: '{"auth": "openidtoken-jwt"}'
+
+#
+matrix_jitsi_muc_modules: |
+  {{
+    (['matrix_power_sync'] if matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels | bool else [])
+  }}
 
 # A list of extra arguments to pass to the container
 matrix_jitsi_prosody_container_extra_arguments: []