Merge pull request #444 from teutat3s/jitsi_security_update

Jitsi security update

.gitignore

@@ -1,4 +1,5 @@
 /inventory/*
 !/inventory/.gitkeep
 !/inventory/host_vars/.gitkeep
+!/inventory/scripts
 /roles/*/files/scratchpad

docs/configuring-playbook-jitsi.md

@@ -25,6 +25,17 @@ Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
 matrix_jitsi_enabled: true
 ```
 
+## Securing your Jitsi instance with strong passwords
+
+Please use the bash script provided in this repo to generate strong passwords for your Jitsi instance.
+Execute the following commands in your terminal from the root of this repo:
+```bash
+cd inventory/scripts
+bash generate-jitsi-passwords.sh
+```
+
+The script will add the corresponding ansible variables and passwords generated with `openssl rand -hex 16` to the bottom of your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration.
+
 ## (Optional) configure internal Jitsi authentication and guests mode
 
 By default the Jitsi Meet instance does not require any kind of login and is open to use for anyone without registration.

inventory/scripts/generate-jitsi-passwords.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+# This is a bash script for generating strong passwords for the Jitsi role in this ansible project:
+# https://github.com/spantaleev/matrix-docker-ansible-deploy
+
+# This script assumes that you followed the documentation at https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook.md and created a folder in the source code's directory like this: 'mkdir inventory/host_vars/matrix.<your-domain>'
+# it will put the generated passwords for Jitsi at the end of the vars.yml file in that directory
+
+function generatePassword() {
+    openssl rand -hex 16
+}
+
+# helper function to get the matrix domain in the host_vars directory
+function get_domain_dir() {
+	counter=0
+
+	for f in *; do
+	    counter=$(( counter + 1 ))
+	    if [ ! -d "$f" ]; then
+            echo "Error: could not find directory 'matrix.your.domain'"
+            echo "Did you create it already? Please first setup your matrix homeserver before running this script."
+            echo "You should start here: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/prerequisites.md"
+            exit 1
+        elif [[ "$counter" -gt 1 ]]; then
+            echo "Error: multiple directories found in ../host_vars/. Only one directory like 'matrix.your.domain' expected."
+            echo "Please make sure there is only one directory holding your vars.yml for this ansible playbook."
+            echo "Cannot continue script, exiting."
+            exit 1
+        fi
+
+	    # Will not set domain if zero or multiple directories are detected
+	    domain=$f
+	done
+}
+
+cd ../host_vars
+get_domain_dir
+
+JICOFO_COMPONENT_SECRET=$(generatePassword)
+JICOFO_AUTH_PASSWORD=$(generatePassword)
+JVB_AUTH_PASSWORD=$(generatePassword)
+JIBRI_RECORDER_PASSWORD=$(generatePassword)
+JIBRI_XMPP_PASSWORD=$(generatePassword)
+
+echo "" >> ../host_vars/${domain}/vars.yml
+echo "Jitsi passwords generated by inventory/scripts/gen-passwords.sh" >> ../host_vars/${domain}/vars.yml
+echo "matrix_jitsi_jicofo_component_secret: $JICOFO_COMPONENT_SECRET" >> ../host_vars/${domain}/vars.yml
+echo "matrix_jitsi_jicofo_auth_password: $JICOFO_AUTH_PASSWORD" >> ../host_vars/${domain}/vars.yml
+echo "matrix_jitsi_jvb_auth_password: $JVB_AUTH_PASSWORD" >> ../host_vars/${domain}/vars.yml
+echo "matrix_jitsi_jibri_recorder_password: $JIBRI_RECORDER_PASSWORD" >> ../host_vars/${domain}/vars.yml
+echo "matrix_jitsi_jibri_xmpp_password: $JIBRI_XMPP_PASSWORD" >> ../host_vars/${domain}/vars.yml

roles/matrix-jitsi/defaults/main.yml

@@ -28,7 +28,7 @@ matrix_jitsi_jibri_recorder_user: recorder
 matrix_jitsi_jibri_recorder_password: recorder-password
 
 
-matrix_jitsi_web_docker_image: "jitsi/web:4101"
+matrix_jitsi_web_docker_image: "jitsi/web:4384"
 matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}"
 
 matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web"
@@ -73,7 +73,7 @@ matrix_jitsi_web_interface_config_show_powered_by: false
 matrix_jitsi_web_interface_config_disable_transcription_subtitles: false
 matrix_jisti_web_interface_config_show_deep_linking_image: false
 
-matrix_jitsi_prosody_docker_image: "jitsi/prosody:4101"
+matrix_jitsi_prosody_docker_image: "jitsi/prosody:4384"
 matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}"
 
 matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody"
@@ -86,7 +86,7 @@ matrix_jitsi_prosody_container_extra_arguments: []
 matrix_jitsi_prosody_systemd_required_services_list: ['docker.service']
 
 
-matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4101"
+matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4384"
 matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}"
 
 matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo"
@@ -103,7 +103,7 @@ matrix_jitsi_jicofo_auth_user: focus
 matrix_jitsi_jicofo_auth_password: passw0rd
 
 
-matrix_jitsi_jvb_docker_image: "jitsi/jvb:4101"
+matrix_jitsi_jvb_docker_image: "jitsi/jvb:4384"
 matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}"
 
 matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb"