diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 017cb4eb3..d6ff1c8a4 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -23,18 +23,16 @@ Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: ```yaml matrix_jitsi_enabled: true + +# Run `bash inventory/scripts/jitsi-generate-passwords.sh` to generate these passwords, +# or define your own strong passwords manually. +matrix_jitsi_jicofo_component_secret: "" +matrix_jitsi_jicofo_auth_password: "" +matrix_jitsi_jvb_auth_password: "" +matrix_jitsi_jibri_recorder_password: "" +matrix_jitsi_jibri_xmpp_password: "" ``` -## Securing your Jitsi instance with strong passwords - -Please use the bash script provided in this repo to generate strong passwords for your Jitsi instance. -Execute the following commands in your terminal from the root of this repo: -```bash -cd inventory/scripts -bash generate-jitsi-passwords.sh -``` - -The script will add the corresponding ansible variables and passwords generated with `openssl rand -hex 16` to the bottom of your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration. ## (Optional) configure internal Jitsi authentication and guests mode @@ -66,11 +64,7 @@ docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua reg Run this command for each user you would like to create, replacing `` and `` accordingly. After you've finished, please exit the host. -**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. The playbook can't yet rebuild all configuration files for some Jitsi services (like `matrix-jitsi-prosody`), which may cause such an error. **If you encounter this error**, we encourage you to: -- stop all Jitsi services (`systemctl stop matrix-jitsi-*`) -- remove the Jitsi Prosody configuration & data (`rm -rf /matrix/jitsi/prosody`) -- rebuild Jitsi configuration and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`) -- try the previously-failing command once again +**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation). ## Usage @@ -78,3 +72,21 @@ Run this command for each user you would like to create, replacing `` You can use the self-hosted Jitsi server through Riot, through an Integration Manager like [Dimension](docs/configuring-playbook-dimension.md) or directly at `https://jitsi.DOMAIN`. To use it via riot-web (the one configured by the playbook at `https://riot.DOMAIN`), just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server. + + +## Troubleshooting + +### Rebuilding your Jitsi installation + +**If you ever run into any trouble** or **if you change configuration (`matrix_jitsi_*` variables) too much**, we urge you to rebuild your Jitsi setup. + +We normally don't require such manual intervention for other services, but Jitsi services generate a lot of configuration files on their own. + +These files are not all managed by Ansible (at least not yet), so you may sometimes need to delete them all and start fresh. + +To rebuild your Jitsi configuration: + +- SSH into the server and do this: + - stop all Jitsi services (`systemctl stop matrix-jitsi-*`). + - remove all Jitsi configuration & data (`rm -rf /matrix/jitsi`) +- ask Ansible to set up Jitsi anew and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`) diff --git a/inventory/scripts/generate-jitsi-passwords.sh b/inventory/scripts/generate-jitsi-passwords.sh deleted file mode 100755 index ae6d471a8..000000000 --- a/inventory/scripts/generate-jitsi-passwords.sh +++ /dev/null @@ -1,50 +0,0 @@ -#!/usr/bin/env bash -# This is a bash script for generating strong passwords for the Jitsi role in this ansible project: -# https://github.com/spantaleev/matrix-docker-ansible-deploy - -# This script assumes that you followed the documentation at https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook.md and created a folder in the source code's directory like this: 'mkdir inventory/host_vars/matrix.' -# it will put the generated passwords for Jitsi at the end of the vars.yml file in that directory - -function generatePassword() { - openssl rand -hex 16 -} - -# helper function to get the matrix domain in the host_vars directory -function get_domain_dir() { - counter=0 - - for f in *; do - counter=$(( counter + 1 )) - if [ ! -d "$f" ]; then - echo "Error: could not find directory 'matrix.your.domain'" - echo "Did you create it already? Please first setup your matrix homeserver before running this script." - echo "You should start here: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/prerequisites.md" - exit 1 - elif [[ "$counter" -gt 1 ]]; then - echo "Error: multiple directories found in ../host_vars/. Only one directory like 'matrix.your.domain' expected." - echo "Please make sure there is only one directory holding your vars.yml for this ansible playbook." - echo "Cannot continue script, exiting." - exit 1 - fi - - # Will not set domain if zero or multiple directories are detected - domain=$f - done -} - -cd ../host_vars -get_domain_dir - -JICOFO_COMPONENT_SECRET=$(generatePassword) -JICOFO_AUTH_PASSWORD=$(generatePassword) -JVB_AUTH_PASSWORD=$(generatePassword) -JIBRI_RECORDER_PASSWORD=$(generatePassword) -JIBRI_XMPP_PASSWORD=$(generatePassword) - -echo "" >> ../host_vars/${domain}/vars.yml -echo "Jitsi passwords generated by inventory/scripts/gen-passwords.sh" >> ../host_vars/${domain}/vars.yml -echo "matrix_jitsi_jicofo_component_secret: $JICOFO_COMPONENT_SECRET" >> ../host_vars/${domain}/vars.yml -echo "matrix_jitsi_jicofo_auth_password: $JICOFO_AUTH_PASSWORD" >> ../host_vars/${domain}/vars.yml -echo "matrix_jitsi_jvb_auth_password: $JVB_AUTH_PASSWORD" >> ../host_vars/${domain}/vars.yml -echo "matrix_jitsi_jibri_recorder_password: $JIBRI_RECORDER_PASSWORD" >> ../host_vars/${domain}/vars.yml -echo "matrix_jitsi_jibri_xmpp_password: $JIBRI_XMPP_PASSWORD" >> ../host_vars/${domain}/vars.yml diff --git a/inventory/scripts/jitsi-generate-passwords.sh b/inventory/scripts/jitsi-generate-passwords.sh new file mode 100755 index 000000000..eacfa7d88 --- /dev/null +++ b/inventory/scripts/jitsi-generate-passwords.sh @@ -0,0 +1,26 @@ +#!/usr/bin/env bash +# This is a bash script for generating strong passwords for the Jitsi role in this ansible project: +# https://github.com/spantaleev/matrix-docker-ansible-deploy + +function generatePassword() { + openssl rand -hex 16 +} + +echo "# If this script fails, it's likely because you don't have the openssl tool installed." +echo "# Install it before using this script, or simply create your own passwords manually." + +echo "" + +JICOFO_COMPONENT_SECRET=$(generatePassword) +JICOFO_AUTH_PASSWORD=$(generatePassword) +JVB_AUTH_PASSWORD=$(generatePassword) +JIBRI_RECORDER_PASSWORD=$(generatePassword) +JIBRI_XMPP_PASSWORD=$(generatePassword) + +echo "# Paste these variables into your inventory/host_vars/matrix.DOMAIN/vars.yml file:" +echo "" +echo "matrix_jitsi_jicofo_component_secret: "$JICOFO_COMPONENT_SECRET +echo "matrix_jitsi_jicofo_auth_password: "$JICOFO_AUTH_PASSWORD +echo "matrix_jitsi_jvb_auth_password: "$JVB_AUTH_PASSWORD +echo "matrix_jitsi_jibri_recorder_password: "$JIBRI_RECORDER_PASSWORD +echo "matrix_jitsi_jibri_xmpp_password: "$JIBRI_XMPP_PASSWORD diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 55f826773..83511c4c5 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -23,9 +23,9 @@ matrix_jitsi_recorder_domain: recorder.meet.jitsi matrix_jitsi_jibri_brewery_muc: jibribrewery matrix_jitsi_jibri_pending_timeout: 90 matrix_jitsi_jibri_xmpp_user: jibri -matrix_jitsi_jibri_xmpp_password: jibri-password +matrix_jitsi_jibri_xmpp_password: '' matrix_jitsi_jibri_recorder_user: recorder -matrix_jitsi_jibri_recorder_password: recorder-password +matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_web_docker_image: "jitsi/web:4384" @@ -98,9 +98,9 @@ matrix_jitsi_jicofo_container_extra_arguments: [] # List of systemd services that matrix-jitsi-jicofo.service depends on matrix_jitsi_jicofo_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service'] -matrix_jitsi_jicofo_component_secret: s3cr37 +matrix_jitsi_jicofo_component_secret: '' matrix_jitsi_jicofo_auth_user: focus -matrix_jitsi_jicofo_auth_password: passw0rd +matrix_jitsi_jicofo_auth_password: '' matrix_jitsi_jvb_docker_image: "jitsi/jvb:4384" @@ -116,7 +116,7 @@ matrix_jitsi_jvb_container_extra_arguments: [] matrix_jitsi_jvb_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service'] matrix_jitsi_jvb_auth_user: jvb -matrix_jitsi_jvb_auth_password: passw0rd +matrix_jitsi_jvb_auth_password: '' # STUN servers used by JVB on the server-side, so it can discover its own external IP address. # Pointing this to a STUN server running on the same Docker network may lead to incorrect IP address discovery. diff --git a/roles/matrix-jitsi/tasks/main.yml b/roles/matrix-jitsi/tasks/main.yml index 2bc4a57ff..e4f3508f3 100644 --- a/roles/matrix-jitsi/tasks/main.yml +++ b/roles/matrix-jitsi/tasks/main.yml @@ -2,6 +2,12 @@ tags: - always +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_jitsi_enabled|bool" + tags: + - setup-all + - setup-jitsi + - import_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml" when: run_setup|bool tags: diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml index e4d652eda..f442fc6e7 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml @@ -34,6 +34,13 @@ - logging.properties when: matrix_jitsi_enabled|bool +- name: Ensure jitsi-jvb environment variables file created + template: + src: "{{ role_path }}/templates/jvb/env.j2" + dest: "{{ matrix_jitsi_jvb_base_path }}/env" + mode: 0640 + when: matrix_jitsi_enabled|bool + - name: Ensure matrix-jitsi-jvb.service installed template: src: "{{ role_path }}/templates/jvb/matrix-jitsi-jvb.service.j2" diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml new file mode 100644 index 000000000..ea92c914d --- /dev/null +++ b/roles/matrix-jitsi/tasks/validate_config.yml @@ -0,0 +1,21 @@ +--- + +- name: Fail if required Jitsi settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`) for using Jitsi. + + If you're setting up Jitsi for the first time, you may have missed a step. + Refer to our setup instructions (docs/configuring-playbook-jitsi.md). + + If you had setup Jitsi successfully before and it's just now that you're observing this failure, + it means that your installation may be using some default passwords that the playbook used to define until now. + This is not secure and we urge you to rebuild your Jitsi setup. + Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md). + when: "vars[item] == ''" + with_items: + - "matrix_jitsi_jibri_xmpp_password" + - "matrix_jitsi_jibri_recorder_password" + - "matrix_jitsi_jicofo_component_secret" + - "matrix_jitsi_jicofo_auth_password" + - "matrix_jitsi_jvb_auth_password" diff --git a/roles/matrix-jitsi/templates/jvb/env.j2 b/roles/matrix-jitsi/templates/jvb/env.j2 new file mode 100644 index 000000000..423070dbd --- /dev/null +++ b/roles/matrix-jitsi/templates/jvb/env.j2 @@ -0,0 +1 @@ +JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} diff --git a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 index 03aef079e..5df5807a7 100644 --- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 +++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 @@ -14,6 +14,7 @@ ExecStartPre=-/usr/bin/docker rm matrix-jitsi-jvb ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jvb \ --log-driver=none \ --network={{ matrix_docker_network }} \ + --env-file={{ matrix_jitsi_jvb_base_path }}/env \ {% if matrix_jitsi_jvb_container_rtp_udp_host_bind_port %} -p {{ matrix_jitsi_jvb_container_rtp_udp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_udp_port }}/udp \ {% endif %}