Merge pull request #1446 from hypn0tick/master
Add support for creation of Jitsi internal authentication users in vars.yml
This commit is contained in:
commit
b1d8e39612
@ -41,13 +41,23 @@ If you're fine with such an open Jitsi instance, please skip to [Apply changes](
|
||||
|
||||
If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's authentication and guests mode. With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. If a registered host is not yet present, guests are put on hold in individual waiting rooms.
|
||||
|
||||
Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
|
||||
Add these lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
|
||||
|
||||
```yaml
|
||||
matrix_jitsi_enable_auth: true
|
||||
matrix_jitsi_enable_guests: true
|
||||
matrix_jitsi_prosody_auth_internal_accounts:
|
||||
- username: "jitsi-moderator"
|
||||
password: "secret-password"
|
||||
- username: "another-user"
|
||||
password: "another-password"
|
||||
```
|
||||
|
||||
**Caution:** Accounts added here and subsquently removed will not be automatically removed from the Prosody server until user account cleaning is integrated into the playbook.
|
||||
|
||||
**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation).
|
||||
|
||||
|
||||
### (Optional) LDAP authentication
|
||||
|
||||
The default authentication mode of Jitsi is `internal`, however LDAP is also supported. An example LDAP configuration could be:
|
||||
@ -122,19 +132,6 @@ You may want to **limit the maximum video resolution**, to save up resources on
|
||||
|
||||
Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`
|
||||
|
||||
## Required if configuring Jitsi with internal authentication: register new users
|
||||
|
||||
Until this gets integrated into the playbook, we need to register new users / meeting hosts for Jitsi manually.
|
||||
Please SSH into your matrix host machine and execute the following command targeting the `matrix-jitsi-prosody` container:
|
||||
|
||||
```bash
|
||||
docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register <USERNAME> meet.jitsi <PASSWORD>
|
||||
```
|
||||
|
||||
Run this command for each user you would like to create, replacing `<USERNAME>` and `<PASSWORD>` accordingly. After you've finished, please exit the host.
|
||||
|
||||
**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation).
|
||||
|
||||
|
||||
## Usage
|
||||
|
||||
|
@ -9,10 +9,23 @@ matrix_jitsi_enable_transcriptions: false
|
||||
matrix_jitsi_enable_p2p: true
|
||||
matrix_jitsi_enable_av_moderation: true
|
||||
|
||||
# Authentication type, must be one of internal, jwt or ldap. Currently only
|
||||
# internal and ldap are supported by this playbook.
|
||||
# Authentication type, must be one of internal, jwt or ldap.
|
||||
# Currently only internal and ldap mechanisms are supported by this playbook.
|
||||
matrix_jitsi_auth_type: internal
|
||||
|
||||
# A list of Jitsi (Prosody) accounts to create using the internal authentication mechanism.
|
||||
#
|
||||
# Accounts added here and subsquently removed will not be automatically removed
|
||||
# from the Prosody server until user account cleaning is integrated into the playbook.
|
||||
#
|
||||
# Example:
|
||||
# matrix_jitsi_prosody_auth_internal_accounts:
|
||||
# - username: "jitsi-moderator"
|
||||
# password: "secret-password"
|
||||
# - username: "another-user"
|
||||
# password: "another-password"
|
||||
matrix_jitsi_prosody_auth_internal_accounts: []
|
||||
|
||||
# Configuration options for LDAP authentication. For details see upstream:
|
||||
# https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap.
|
||||
# Defaults are taken from:
|
||||
@ -205,7 +218,6 @@ matrix_jitsi_jicofo_component_secret: ''
|
||||
matrix_jitsi_jicofo_auth_user: focus
|
||||
matrix_jitsi_jicofo_auth_password: ''
|
||||
|
||||
|
||||
matrix_jitsi_jvb_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jvb:{{ matrix_jitsi_container_image_tag }}"
|
||||
matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}"
|
||||
|
||||
|
@ -4,7 +4,7 @@
|
||||
# Tasks related to setting up jitsi-prosody
|
||||
#
|
||||
|
||||
- name: Ensure Matrix jitsi-prosody path exists
|
||||
- name: Ensure Matrix jitsi-prosody environment exists
|
||||
file:
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
@ -25,14 +25,14 @@
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_prosody_docker_image_force_pull }}"
|
||||
when: matrix_jitsi_enabled|bool
|
||||
|
||||
- name: Ensure jitsi-prosody environment variables file created
|
||||
- name: Ensure jitsi-prosody environment variables file is created
|
||||
template:
|
||||
src: "{{ role_path }}/templates/prosody/env.j2"
|
||||
dest: "{{ matrix_jitsi_prosody_base_path }}/env"
|
||||
mode: 0640
|
||||
when: matrix_jitsi_enabled|bool
|
||||
|
||||
- name: Ensure matrix-jitsi-prosody.service installed
|
||||
- name: Ensure matrix-jitsi-prosody.service file is installed
|
||||
template:
|
||||
src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2"
|
||||
dest: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service"
|
||||
@ -40,16 +40,24 @@
|
||||
register: matrix_jitsi_prosody_systemd_service_result
|
||||
when: matrix_jitsi_enabled|bool
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-jitsi-prosody.service installation
|
||||
- name: Ensure systemd service is reloaded after matrix-jitsi-prosody.service installation
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "matrix_jitsi_enabled and matrix_jitsi_prosody_systemd_service_result.changed"
|
||||
|
||||
- name: Ensure authentication is properly configured
|
||||
include_tasks:
|
||||
file: "{{ role_path }}/tasks/util/setup_jitsi_auth.yml"
|
||||
when:
|
||||
- matrix_jitsi_enabled|bool
|
||||
- matrix_jitsi_enable_auth|bool
|
||||
|
||||
|
||||
#
|
||||
# Tasks related to getting rid of jitsi-prosody (if it was previously enabled)
|
||||
#
|
||||
|
||||
- name: Check existence of matrix-jitsi-prosody service
|
||||
- name: Ensure matrix-jitsi-prosody.service file exists
|
||||
stat:
|
||||
path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service"
|
||||
register: matrix_jitsi_prosody_service_stat
|
||||
@ -64,13 +72,13 @@
|
||||
register: stopping_result
|
||||
when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure matrix-jitsi-prosody.service doesn't exist
|
||||
- name: Ensure matrix-jitsi-prosody.service file doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service"
|
||||
state: absent
|
||||
when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-jitsi-prosody.service removal
|
||||
- name: Ensure systemd is reloaded after matrix-jitsi-prosody.service removal
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists"
|
||||
|
43
roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml
Normal file
43
roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml
Normal file
@ -0,0 +1,43 @@
|
||||
---
|
||||
#
|
||||
# Start Necessary Services
|
||||
#
|
||||
|
||||
- name: Ensure matrix-jitsi-prosody container is running
|
||||
systemd:
|
||||
state: started
|
||||
name: matrix-jitsi-prosody
|
||||
register: matrix_jitsi_prosody_start_result
|
||||
|
||||
|
||||
#
|
||||
# Tasks related to configuring Jitsi internal authentication
|
||||
#
|
||||
|
||||
- name: Ensure Jitsi internal authentication users are configured
|
||||
shell: "docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}"
|
||||
with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}"
|
||||
when:
|
||||
- matrix_jitsi_auth_type == "internal"
|
||||
- matrix_jitsi_prosody_auth_internal_accounts|length > 0
|
||||
|
||||
|
||||
#
|
||||
# Tasks related to configuring other Jitsi authentication mechanisms
|
||||
#
|
||||
|
||||
|
||||
|
||||
#
|
||||
# Tasks related to cleaning after Jitsi authentication configuration
|
||||
#
|
||||
|
||||
|
||||
#
|
||||
# Stop Necessary Services
|
||||
#
|
||||
- name: Ensure matrix-jitsi-prosody container is stopped if necessary
|
||||
systemd:
|
||||
state: stopped
|
||||
name: matrix-jitsi-prosody
|
||||
when: matrix_jitsi_prosody_start_result.changed|bool
|
@ -3,14 +3,14 @@
|
||||
- name: Fail if required Jitsi settings not defined
|
||||
fail:
|
||||
msg: >-
|
||||
You need to define a required configuration setting (`{{ item }}`) for using Jitsi.
|
||||
You need to define a required configuration setting (`{{ item }}`) to properly configure Jitsi.
|
||||
|
||||
If you're setting up Jitsi for the first time, you may have missed a step.
|
||||
Refer to our setup instructions (docs/configuring-playbook-jitsi.md).
|
||||
|
||||
If you had setup Jitsi successfully before and it's just now that you're observing this failure,
|
||||
it means that your installation may be using some default passwords that the playbook used to define until now.
|
||||
This is not secure and we urge you to rebuild your Jitsi setup.
|
||||
If you had previously setup Jitsi successfully and are only now facing this error,
|
||||
it means that your installation is most likely using default passwords previously defined by the playbook.
|
||||
These defaults are insecure. Jitsi should be rebuilt with secure values.
|
||||
Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md).
|
||||
when: "vars[item] == ''"
|
||||
with_items:
|
||||
@ -19,6 +19,20 @@
|
||||
- "matrix_jitsi_jicofo_auth_password"
|
||||
- "matrix_jitsi_jvb_auth_password"
|
||||
|
||||
|
||||
- name: Fail if a Jitsi internal authentication account is not defined
|
||||
fail:
|
||||
msg: >-
|
||||
At least one Jitsi user needs to be defined in `matrix_jitsi_prosody_auth_internal_accounts` when using internal authentication.
|
||||
|
||||
If you're setting up Jitsi for the first time, you may have missed a step.
|
||||
Refer to our setup instructions (docs/configuring-playbook-jitsi.md).
|
||||
when:
|
||||
- matrix_jitsi_enable_auth|bool
|
||||
- matrix_jitsi_auth_type == 'internal'
|
||||
- matrix_jitsi_prosody_auth_internal_accounts|length == 0
|
||||
|
||||
|
||||
- name: (Deprecation) Catch and report renamed settings
|
||||
fail:
|
||||
msg: >-
|
||||
|
Loading…
Reference in New Issue
Block a user