Merge pull request #1446 from hypn0tick/master

Add support for creation of Jitsi internal authentication users in vars.yml
2021-12-11 10:14:50 +02:00
parent fc55df9318 6568b68759
commit b1d8e39612
5 changed files with 102 additions and 28 deletions
--- a/roles/matrix-jitsi/defaults/main.yml
+++ b/roles/matrix-jitsi/defaults/main.yml
@ -9,10 +9,23 @@ matrix_jitsi_enable_transcriptions: false
 matrix_jitsi_enable_p2p: true
 matrix_jitsi_enable_av_moderation: true

-# Authentication type, must be one of internal, jwt or ldap. Currently only
-# internal and ldap are supported by this playbook.
+# Authentication type, must be one of internal, jwt or ldap.
+# Currently only internal and ldap mechanisms are supported by this playbook.
 matrix_jitsi_auth_type: internal

+# A list of Jitsi (Prosody) accounts to create using the internal authentication mechanism.
+#
+# Accounts added here and subsquently removed will not be automatically removed
+# from the Prosody server until user account cleaning is integrated into the playbook.
+#
+# Example:
+# matrix_jitsi_prosody_auth_internal_accounts:
+#  - username: "jitsi-moderator"
+#    password: "secret-password"
+#  - username: "another-user"
+#    password: "another-password"
+matrix_jitsi_prosody_auth_internal_accounts: []
+
 # Configuration options for LDAP authentication. For details see upstream:
 #   https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap.
 # Defaults are taken from:
@ -205,7 +218,6 @@ matrix_jitsi_jicofo_component_secret: ''
 matrix_jitsi_jicofo_auth_user: focus
 matrix_jitsi_jicofo_auth_password: ''

-
 matrix_jitsi_jvb_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jvb:{{ matrix_jitsi_container_image_tag }}"
 matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}"

--- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml
+++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml
@ -4,7 +4,7 @@
 # Tasks related to setting up jitsi-prosody
 #

- name: Ensure Matrix jitsi-prosody path exists
+- name: Ensure Matrix jitsi-prosody environment exists
  file:
    path: "{{ item.path }}"
    state: directory
@ -25,14 +25,14 @@
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_prosody_docker_image_force_pull }}"
  when: matrix_jitsi_enabled|bool

- name: Ensure jitsi-prosody environment variables file created
+- name: Ensure jitsi-prosody environment variables file is created
  template:
    src: "{{ role_path }}/templates/prosody/env.j2"
    dest: "{{ matrix_jitsi_prosody_base_path }}/env"
    mode: 0640
  when: matrix_jitsi_enabled|bool

- name: Ensure matrix-jitsi-prosody.service installed
+- name: Ensure matrix-jitsi-prosody.service file is installed
  template:
    src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2"
    dest: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service"
@ -40,16 +40,24 @@
  register: matrix_jitsi_prosody_systemd_service_result
  when: matrix_jitsi_enabled|bool

- name: Ensure systemd reloaded after matrix-jitsi-prosody.service installation
+- name: Ensure systemd service is reloaded after matrix-jitsi-prosody.service installation
  service:
    daemon_reload: yes
  when: "matrix_jitsi_enabled and matrix_jitsi_prosody_systemd_service_result.changed"

+- name: Ensure authentication is properly configured
+  include_tasks:
+    file: "{{ role_path }}/tasks/util/setup_jitsi_auth.yml"
+  when:
+    - matrix_jitsi_enabled|bool
+    - matrix_jitsi_enable_auth|bool
+
+
 #
 # Tasks related to getting rid of jitsi-prosody (if it was previously enabled)
 #

- name: Check existence of matrix-jitsi-prosody service
+- name: Ensure matrix-jitsi-prosody.service file exists
  stat:
    path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service"
  register: matrix_jitsi_prosody_service_stat
@ -64,13 +72,13 @@
  register: stopping_result
  when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists"

- name: Ensure matrix-jitsi-prosody.service doesn't exist
+- name: Ensure matrix-jitsi-prosody.service file doesn't exist
  file:
    path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service"
    state: absent
  when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists"

- name: Ensure systemd reloaded after matrix-jitsi-prosody.service removal
+- name: Ensure systemd is reloaded after matrix-jitsi-prosody.service removal
  service:
    daemon_reload: yes
  when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists"
--- a/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml
+++ b/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml
@ -0,0 +1,43 @@
+---
+#
+# Start Necessary Services
+#
+
+- name: Ensure matrix-jitsi-prosody container is running
+  systemd:
+    state: started
+    name: matrix-jitsi-prosody
+  register: matrix_jitsi_prosody_start_result
+
+
+#
+# Tasks related to configuring Jitsi internal authentication
+#
+
+- name: Ensure Jitsi internal authentication users are configured
+  shell: "docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}"
+  with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}"
+  when:
+    - matrix_jitsi_auth_type == "internal"
+    - matrix_jitsi_prosody_auth_internal_accounts|length > 0
+
+
+#
+# Tasks related to configuring other Jitsi authentication mechanisms
+#
+
+
+
+#
+# Tasks related to cleaning after Jitsi authentication configuration
+#
+
+
+#
+# Stop Necessary Services
+#
+- name: Ensure matrix-jitsi-prosody container is stopped if necessary
+  systemd:
+    state: stopped
+    name: matrix-jitsi-prosody
+  when: matrix_jitsi_prosody_start_result.changed|bool
--- a/roles/matrix-jitsi/tasks/validate_config.yml
+++ b/roles/matrix-jitsi/tasks/validate_config.yml
@ -3,14 +3,14 @@
 - name: Fail if required Jitsi settings not defined
  fail:
    msg: >-
-      You need to define a required configuration setting (`{{ item }}`) for using Jitsi.
+      You need to define a required configuration setting (`{{ item }}`) to properly configure Jitsi.

      If you're setting up Jitsi for the first time, you may have missed a step.
      Refer to our setup instructions (docs/configuring-playbook-jitsi.md).

-      If you had setup Jitsi successfully before and it's just now that you're observing this failure,
-      it means that your installation may be using some default passwords that the playbook used to define until now.
-      This is not secure and we urge you to rebuild your Jitsi setup.
+      If you had previously setup Jitsi successfully and are only now facing this error,
+      it means that your installation is most likely using default passwords previously defined by the playbook.
+      These defaults are insecure. Jitsi should be rebuilt with secure values.
      Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md).
  when: "vars[item] == ''"
  with_items:
@ -19,6 +19,20 @@
    - "matrix_jitsi_jicofo_auth_password"
    - "matrix_jitsi_jvb_auth_password"

+
+- name: Fail if a Jitsi internal authentication account is not defined
+  fail:
+    msg: >-
+      At least one Jitsi user needs to be defined in `matrix_jitsi_prosody_auth_internal_accounts` when using internal authentication.
+      
+      If you're setting up Jitsi for the first time, you may have missed a step.
+      Refer to our setup instructions (docs/configuring-playbook-jitsi.md).
+  when:
+    - matrix_jitsi_enable_auth|bool
+    - matrix_jitsi_auth_type == 'internal'
+    - matrix_jitsi_prosody_auth_internal_accounts|length == 0
+
+
 - name: (Deprecation) Catch and report renamed settings
  fail:
    msg: >-