Merge branch 'jitsi_security_update'
commit e290b1be95
@ -23,18 +23,16 @@ Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:

```yaml
matrix_jitsi_enabled: true

# Run `bash inventory/scripts/jitsi-generate-passwords.sh` to generate these passwords,
# or define your own strong passwords manually.
matrix_jitsi_jicofo_component_secret: ""
matrix_jitsi_jicofo_auth_password: ""
matrix_jitsi_jvb_auth_password: ""
matrix_jitsi_jibri_recorder_password: ""
matrix_jitsi_jibri_xmpp_password: ""
```

## Securing your Jitsi instance with strong passwords

Please use the bash script provided in this repo to generate strong passwords for your Jitsi instance.
Execute the following commands in your terminal from the root of this repo:
```bash
cd inventory/scripts
bash generate-jitsi-passwords.sh
```

The script will add the corresponding ansible variables and passwords generated with `openssl rand -hex 16` to the bottom of your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration.

## (Optional) configure internal Jitsi authentication and guests mode

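Review bot: the comment added to the YAML example points at `bash inventory/scripts/jitsi-generate-passwords.sh`, which matches the script this commit adds, but the "Securing your Jitsi instance with strong passwords" section in the same hunk still says `cd inventory/scripts` / `bash generate-jitsi-passwords.sh` and claims the script appends the variables to the bottom of `vars.yml`. The new script only prints the variables to stdout under a "Paste these variables into ..." banner, so make sure that whole section (including "The script will add the corresponding ansible variables ...") is among the removed lines, or reword it to describe the copy-and-paste flow.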
@ -66,11 +64,7 @@ docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua reg

Run this command for each user you would like to create, replacing `<USERNAME>` and `<PASSWORD>` accordingly. After you've finished, please exit the host.

**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. The playbook can't yet rebuild all configuration files for some Jitsi services (like `matrix-jitsi-prosody`), which may cause such an error. **If you encounter this error**, we encourage you to:
- stop all Jitsi services (`systemctl stop matrix-jitsi-*`)
- remove the Jitsi Prosody configuration & data (`rm -rf /matrix/jitsi/prosody`)
- rebuild Jitsi configuration and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`)
- try the previously-failing command once again
**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation).


## Usage
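Review bot: the replacement "If you get an error" paragraph links to `#rebuilding-your-jitsi-installation`, and that anchor does match the `### Rebuilding your Jitsi installation` heading this commit adds further down in the file. One scope change is worth pointing out to readers, though: the inline steps being removed deleted only `/matrix/jitsi/prosody`, whereas the linked section runs `rm -rf /matrix/jitsi`, wiping every Jitsi service's data. If the broader wipe is intended for this error case, say so next to the link; otherwise keep the narrower `prosody`-only hint alongside the link.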
@ -78,3 +72,21 @@ Run this command for each user you would like to create, replacing `<USERNAME>`
You can use the self-hosted Jitsi server through Riot, through an Integration Manager like [Dimension](docs/configuring-playbook-dimension.md) or directly at `https://jitsi.DOMAIN`.

To use it via riot-web (the one configured by the playbook at `https://riot.DOMAIN`), just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server.


## Troubleshooting

### Rebuilding your Jitsi installation

**If you ever run into any trouble** or **if you change configuration (`matrix_jitsi_*` variables) too much**, we urge you to rebuild your Jitsi setup.

We normally don't require such manual intervention for other services, but Jitsi services generate a lot of configuration files on their own.

These files are not all managed by Ansible (at least not yet), so you may sometimes need to delete them all and start fresh.

To rebuild your Jitsi configuration:

- SSH into the server and do this:
- stop all Jitsi services (`systemctl stop matrix-jitsi-*`).
- remove all Jitsi configuration & data (`rm -rf /matrix/jitsi`)
- ask Ansible to set up Jitsi anew and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`)
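Review bot: the rebuild procedure goes straight from `rm -rf /matrix/jitsi` to `ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`, but the `validate_config.yml` added in this commit fails the `setup-jitsi` run as soon as any of the five `matrix_jitsi_*_password` / `_secret` variables is still `''`. Add a step between the wipe and the playbook run telling the user to define those variables in `vars.yml` (for example with `inventory/scripts/jitsi-generate-passwords.sh`), otherwise someone rebuilding an old install with the former defaults hits the fail message at the moment their services are already stopped and their data is gone. Minor: the first sub-item ends with a period and the others do not.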
@ -1,50 +0,0 @@
#!/usr/bin/env bash
# This is a bash script for generating strong passwords for the Jitsi role in this ansible project:
# https://github.com/spantaleev/matrix-docker-ansible-deploy

# This script assumes that you followed the documentation at https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook.md and created a folder in the source code's directory like this: 'mkdir inventory/host_vars/matrix.<your-domain>'
# it will put the generated passwords for Jitsi at the end of the vars.yml file in that directory

function generatePassword() {
openssl rand -hex 16
}

# helper function to get the matrix domain in the host_vars directory
function get_domain_dir() {
counter=0

for f in *; do
counter=$(( counter + 1 ))
if [ ! -d "$f" ]; then
echo "Error: could not find directory 'matrix.your.domain'"
echo "Did you create it already? Please first setup your matrix homeserver before running this script."
echo "You should start here: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/prerequisites.md"
exit 1
elif [[ "$counter" -gt 1 ]]; then
echo "Error: multiple directories found in ../host_vars/. Only one directory like 'matrix.your.domain' expected."
echo "Please make sure there is only one directory holding your vars.yml for this ansible playbook."
echo "Cannot continue script, exiting."
exit 1
fi

# Will not set domain if zero or multiple directories are detected
domain=$f
done
}

cd ../host_vars
get_domain_dir

JICOFO_COMPONENT_SECRET=$(generatePassword)
JICOFO_AUTH_PASSWORD=$(generatePassword)
JVB_AUTH_PASSWORD=$(generatePassword)
JIBRI_RECORDER_PASSWORD=$(generatePassword)
JIBRI_XMPP_PASSWORD=$(generatePassword)

echo "" >> ../host_vars/${domain}/vars.yml
echo "Jitsi passwords generated by inventory/scripts/gen-passwords.sh" >> ../host_vars/${domain}/vars.yml
echo "matrix_jitsi_jicofo_component_secret: $JICOFO_COMPONENT_SECRET" >> ../host_vars/${domain}/vars.yml
echo "matrix_jitsi_jicofo_auth_password: $JICOFO_AUTH_PASSWORD" >> ../host_vars/${domain}/vars.yml
echo "matrix_jitsi_jvb_auth_password: $JVB_AUTH_PASSWORD" >> ../host_vars/${domain}/vars.yml
echo "matrix_jitsi_jibri_recorder_password: $JIBRI_RECORDER_PASSWORD" >> ../host_vars/${domain}/vars.yml
echo "matrix_jitsi_jibri_xmpp_password: $JIBRI_XMPP_PASSWORD" >> ../host_vars/${domain}/vars.yml
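Review bot: deleting this script rather than patching it is the right call; two defects are visible in the removed lines. `echo "Jitsi passwords generated by inventory/scripts/gen-passwords.sh" >> ../host_vars/${domain}/vars.yml` appends a line with no leading `#`, so the `vars.yml` it writes is no longer valid YAML (and `gen-passwords.sh` matches neither the old nor the new script name). `get_domain_dir` also sets `domain` only as a side effect of a `for f in *` loop that aborts on any non-directory entry in `host_vars`, and its "could not find directory" path only works because an unmatched `*` expands to itself. The new script side-steps all of this by printing the variables for the user to paste.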
inventory/scripts/jitsi-generate-passwords.sh (Executable file, 26 lines)
@ -0,0 +1,26 @@
#!/usr/bin/env bash
# This is a bash script for generating strong passwords for the Jitsi role in this ansible project:
# https://github.com/spantaleev/matrix-docker-ansible-deploy

function generatePassword() {
openssl rand -hex 16
}

echo "# If this script fails, it's likely because you don't have the openssl tool installed."
echo "# Install it before using this script, or simply create your own passwords manually."

echo ""

JICOFO_COMPONENT_SECRET=$(generatePassword)
JICOFO_AUTH_PASSWORD=$(generatePassword)
JVB_AUTH_PASSWORD=$(generatePassword)
JIBRI_RECORDER_PASSWORD=$(generatePassword)
JIBRI_XMPP_PASSWORD=$(generatePassword)

echo "# Paste these variables into your inventory/host_vars/matrix.DOMAIN/vars.yml file:"
echo ""
echo "matrix_jitsi_jicofo_component_secret: "$JICOFO_COMPONENT_SECRET
echo "matrix_jitsi_jicofo_auth_password: "$JICOFO_AUTH_PASSWORD
echo "matrix_jitsi_jvb_auth_password: "$JVB_AUTH_PASSWORD
echo "matrix_jitsi_jibri_recorder_password: "$JIBRI_RECORDER_PASSWORD
echo "matrix_jitsi_jibri_xmpp_password: "$JIBRI_XMPP_PASSWORD
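Review bot: there is no failure handling around `generatePassword`. The script prints a hint that a failure probably means `openssl` is missing, but without `set -e` (or an explicit `command -v openssl >/dev/null || exit 1` up front) a missing binary just yields empty values, and the user ends up pasting `matrix_jitsi_jicofo_component_secret: ` with nothing after the colon into `vars.yml`. That parses as YAML null rather than `''`, which the new `validate_config.yml` check (`vars[item] == ''`) does not catch, so aborting here is the cheaper fix. Minor: in `echo "matrix_jitsi_jicofo_component_secret: "$JICOFO_COMPONENT_SECRET` the expansion sits outside the quotes; harmless for hex output, but `"matrix_jitsi_jicofo_component_secret: $JICOFO_COMPONENT_SECRET"` is the idiomatic form.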
@ -23,9 +23,9 @@ matrix_jitsi_recorder_domain: recorder.meet.jitsi
matrix_jitsi_jibri_brewery_muc: jibribrewery
matrix_jitsi_jibri_pending_timeout: 90
matrix_jitsi_jibri_xmpp_user: jibri
matrix_jitsi_jibri_xmpp_password: jibri-password
matrix_jitsi_jibri_xmpp_password: ''
matrix_jitsi_jibri_recorder_user: recorder
matrix_jitsi_jibri_recorder_password: recorder-password
matrix_jitsi_jibri_recorder_password: ''


matrix_jitsi_web_docker_image: "jitsi/web:4384"
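Review bot: emptying `matrix_jitsi_jibri_xmpp_password` and `matrix_jitsi_jibri_recorder_password` pairs with the new `validate_config.yml`, which lists both among the settings required whenever `matrix_jitsi_enabled` is true. If Jibri recording is optional in this role, every Jitsi user now has to generate two Jibri secrets they may never use; either gate those two entries on a Jibri-enabled flag or state in the docs that they are required regardless.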
@ -98,9 +98,9 @@ matrix_jitsi_jicofo_container_extra_arguments: []
# List of systemd services that matrix-jitsi-jicofo.service depends on
matrix_jitsi_jicofo_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service']

matrix_jitsi_jicofo_component_secret: s3cr37
matrix_jitsi_jicofo_component_secret: ''
matrix_jitsi_jicofo_auth_user: focus
matrix_jitsi_jicofo_auth_password: passw0rd
matrix_jitsi_jicofo_auth_password: ''


matrix_jitsi_jvb_docker_image: "jitsi/jvb:4384"
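Review bot: dropping `s3cr37` and `passw0rd` as role defaults closes the shared-default hole for new installs, but an operator who earlier copied those literal values into their own `vars.yml` keeps them, and a check that only tests for `''` will not flag that. Since the former defaults are known (they are right here in the removed lines), the fail task in `validate_config.yml` could additionally reject them, so the "may be using some default passwords" message reaches exactly the installs it is written for.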
@ -116,7 +116,7 @@ matrix_jitsi_jvb_container_extra_arguments: []
matrix_jitsi_jvb_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service']

matrix_jitsi_jvb_auth_user: jvb
matrix_jitsi_jvb_auth_password: passw0rd
matrix_jitsi_jvb_auth_password: ''

# STUN servers used by JVB on the server-side, so it can discover its own external IP address.
# Pointing this to a STUN server running on the same Docker network may lead to incorrect IP address discovery.
@ -2,6 +2,12 @@
tags:
- always

- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup|bool and matrix_jitsi_enabled|bool"
tags:
- setup-all
- setup-jitsi

- import_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml"
when: run_setup|bool
tags:
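Review bot: importing `validate_config.yml` ahead of `setup_jitsi_base.yml`, tagged `setup-all` / `setup-jitsi` and guarded by `run_setup|bool and matrix_jitsi_enabled|bool`, puts the check in the right place: it fails before any template with an empty secret is written. Note that a `--tags=start`-only run therefore skips it, which is consistent with the other setup tasks but worth a comment in the task file so nobody later assumes every playbook run validates the secrets.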
@ -34,6 +34,13 @@
- logging.properties
when: matrix_jitsi_enabled|bool

- name: Ensure jitsi-jvb environment variables file created
template:
src: "{{ role_path }}/templates/jvb/env.j2"
dest: "{{ matrix_jitsi_jvb_base_path }}/env"
mode: 0640
when: matrix_jitsi_enabled|bool

- name: Ensure matrix-jitsi-jvb.service installed
template:
src: "{{ role_path }}/templates/jvb/matrix-jitsi-jvb.service.j2"
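Review bot: `mode: 0640` is an unquoted YAML literal. Ansible's own file-module documentation recommends quoting octal modes (`mode: '0640'`) so the module receives a string and does its own conversion; a bare leading-zero number works in many cases but can be read as decimal in loops and some parsers. Since this file now carries `JVB_AUTH_PASSWORD`, it would also be good to set `owner` and `group` explicitly here, because 0640 only protects the secret if the group is the one you intend.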
roles/matrix-jitsi/tasks/validate_config.yml (Normal file, 21 lines)
@ -0,0 +1,21 @@
---

- name: Fail if required Jitsi settings not defined
fail:
msg: >-
You need to define a required configuration setting (`{{ item }}`) for using Jitsi.

If you're setting up Jitsi for the first time, you may have missed a step.
Refer to our setup instructions (docs/configuring-playbook-jitsi.md).

If you had setup Jitsi successfully before and it's just now that you're observing this failure,
it means that your installation may be using some default passwords that the playbook used to define until now.
This is not secure and we urge you to rebuild your Jitsi setup.
Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md).
when: "vars[item] == ''"
with_items:
- "matrix_jitsi_jibri_xmpp_password"
- "matrix_jitsi_jibri_recorder_password"
- "matrix_jitsi_jicofo_component_secret"
- "matrix_jitsi_jicofo_auth_password"
- "matrix_jitsi_jvb_auth_password"
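Review bot: `when: "vars[item] == ''"` only matches an empty string. A `vars.yml` entry such as `matrix_jitsi_jvb_auth_password:` with no value is YAML null, which is not equal to `''` in Jinja, so it passes this check and the empty value flows into the templates. `when: "not vars[item]"` (or `vars[item] | default('', true) == ''`) catches both the empty string and null. Two smaller points: `loop:` is the current form of `with_items:`, and the message should read "If you had set up Jitsi successfully before".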
roles/matrix-jitsi/templates/jvb/env.j2 (Normal file, 1 line)
@ -0,0 +1 @@
JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }}
@ -14,6 +14,7 @@ ExecStartPre=-/usr/bin/docker rm matrix-jitsi-jvb
ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jvb \
--log-driver=none \
--network={{ matrix_docker_network }} \
--env-file={{ matrix_jitsi_jvb_base_path }}/env \
{% if matrix_jitsi_jvb_container_rtp_udp_host_bind_port %}
-p {{ matrix_jitsi_jvb_container_rtp_udp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_udp_port }}/udp \
{% endif %}
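Review bot: passing `JVB_AUTH_PASSWORD` through `--env-file={{ matrix_jitsi_jvb_base_path }}/env` instead of on the `docker run` command line keeps the secret out of the unit's `ExecStart`, which is otherwise visible through `systemctl show` / `systemctl cat` and in the process list; that is the real hardening in this hunk, and the path matches the `dest` of the new template task. Only the JVB unit gets this treatment in the commit, so check that the jicofo and prosody units are not still handing their secrets to the container as inline arguments.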