Undefine Jitsi secrets and require their (re-)definition

docs/configuring-playbook-jitsi.md

@@ -66,11 +66,7 @@ docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua reg
 
 Run this command for each user you would like to create, replacing `<USERNAME>` and `<PASSWORD>` accordingly. After you've finished, please exit the host.
 
-**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. The playbook can't yet rebuild all configuration files for some Jitsi services (like `matrix-jitsi-prosody`), which may cause such an error. **If you encounter this error**, we encourage you to:
+**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation).
-- stop all Jitsi services (`systemctl stop matrix-jitsi-*`)
-- remove the Jitsi Prosody configuration & data (`rm -rf /matrix/jitsi/prosody`)
-- rebuild Jitsi configuration and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`)
-- try the previously-failing command once again
 
 
 ## Usage
@@ -78,3 +74,21 @@ Run this command for each user you would like to create, replacing `<USERNAME>`
 You can use the self-hosted Jitsi server through Riot, through an Integration Manager like [Dimension](docs/configuring-playbook-dimension.md) or directly at `https://jitsi.DOMAIN`.
 
 To use it via riot-web (the one configured by the playbook at `https://riot.DOMAIN`), just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server.
+
+
+## Troubleshooting
+
+### Rebuilding your Jitsi installation
+
+**If you ever run into any trouble** or **if you change configuration (`matrix_jitsi_*` variables) too much**, we urge you to rebuild your Jitsi setup.
+
+We normally don't require such manual intervention for other services, for Jitsi services generate a lot of configuration files on their own.
+
+These files are not all managed by Ansible (at least not yet), so you may sometimes need to delete them all and start fresh.
+
+To rebuild your Jitsi configuration:
+
+- SSH into the server and do this:
+  - stop all Jitsi services (`systemctl stop matrix-jitsi-*`).
+  - remove all Jitsi configuration & data (`rm -rf /matrix/jitsi`)
+- ask Ansible to set up Jitsi anew and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`)

roles/matrix-jitsi/defaults/main.yml

@@ -23,9 +23,9 @@ matrix_jitsi_recorder_domain: recorder.meet.jitsi
 matrix_jitsi_jibri_brewery_muc: jibribrewery
 matrix_jitsi_jibri_pending_timeout: 90
 matrix_jitsi_jibri_xmpp_user: jibri
-matrix_jitsi_jibri_xmpp_password: jibri-password
+matrix_jitsi_jibri_xmpp_password: ''
 matrix_jitsi_jibri_recorder_user: recorder
-matrix_jitsi_jibri_recorder_password: recorder-password
+matrix_jitsi_jibri_recorder_password: ''
 
 
 matrix_jitsi_web_docker_image: "jitsi/web:4384"
@@ -98,9 +98,9 @@ matrix_jitsi_jicofo_container_extra_arguments: []
 # List of systemd services that matrix-jitsi-jicofo.service depends on
 matrix_jitsi_jicofo_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service']
 
-matrix_jitsi_jicofo_component_secret: s3cr37
+matrix_jitsi_jicofo_component_secret: ''
 matrix_jitsi_jicofo_auth_user: focus
-matrix_jitsi_jicofo_auth_password: passw0rd
+matrix_jitsi_jicofo_auth_password: ''
 
 
 matrix_jitsi_jvb_docker_image: "jitsi/jvb:4384"
@@ -116,7 +116,7 @@ matrix_jitsi_jvb_container_extra_arguments: []
 matrix_jitsi_jvb_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service']
 
 matrix_jitsi_jvb_auth_user: jvb
-matrix_jitsi_jvb_auth_password: passw0rd
+matrix_jitsi_jvb_auth_password: ''
 
 # STUN servers used by JVB on the server-side, so it can discover its own external IP address.
 # Pointing this to a STUN server running on the same Docker network may lead to incorrect IP address discovery.

roles/matrix-jitsi/tasks/main.yml

@@ -2,6 +2,12 @@
   tags:
     - always
 
+- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
+  when: "run_setup|bool and matrix_jitsi_enabled|bool"
+  tags:
+    - setup-all
+    - setup-jitsi
+
 - import_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml"
   when: run_setup|bool
   tags:

roles/matrix-jitsi/tasks/validate_config.yml

@@ -0,0 +1,21 @@
+---
+
+- name: Fail if required Jitsi settings not defined
+  fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item }}`) for using Jitsi.
+
+      If you're setting up Jitsi for the first time, you may have missed a step.
+      Refer to our setup instructions (docs/configuring-playbook-jitsi.md).
+
+      If you had setup Jitsi successfully before and it's just now that you're observing this failure,
+      it means that your installation may be using some default passwords that the playbook used to define until now.
+      This is not secure and we urge you to rebuild your Jitsi setup.
+      Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md).
+  when: "vars[item] == ''"
+  with_items:
+    - "matrix_jitsi_jibri_xmpp_password"
+    - "matrix_jitsi_jibri_recorder_password"
+    - "matrix_jitsi_jicofo_component_secret"
+    - "matrix_jitsi_jicofo_auth_password"
+    - "matrix_jitsi_jvb_auth_password"