Matrix Authentication Support for Jitsi

This extends the collection with support for seamless authentication at the Jitsi server using Matrix OpenID. 1. New role for installing the [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) 2. Changes to Jitsi role: Installing Jitsi Prosody Mods and configuring Jitsi Auth 3. Changes to Jitsi and nginx-proxy roles: Serving .well-known/element/jitsi from jitsi.DOMAIN 4. We updated the Jitsi documentation on authentication and added documentation for the user verification service.
2025-06-26 03:07:51 +02:00 · 2023-01-04 13:45:37 +01:00
parent f400093865
commit 42e4e50f5b
25 changed files with 747 additions and 59 deletions
--- a/roles/custom/matrix-jitsi/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml
+++ b/roles/custom/matrix-jitsi/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml
@ -0,0 +1,17 @@
+---
+#
+# Tasks related to configuring Jitsi internal authentication on a running prosody instance.
+#
+
+- name: Ensure Jitsi internal authentication users are configured
+  ansible.builtin.shell: "{{ devture_systemd_docker_base_host_command_docker }} exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}"
+  with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}"
+  when:
+    - matrix_jitsi_prosody_auth_internal_accounts|length > 0
+  register: matrix_jitsi_user_configuration_result
+  changed_when: matrix_jitsi_user_configuration_result.rc == 0
+  no_log: true
+
+#
+# Tasks related to clean up after configuring internal authentication.
+#
--- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth.yml
+++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth.yml
@ -1,42 +0,0 @@
---
-#
-# Start Necessary Services
-#
-
- name: Ensure matrix-jitsi-prosody container is running
-  ansible.builtin.systemd:
-    state: started
-    name: matrix-jitsi-prosody
-  register: matrix_jitsi_prosody_start_result
-
-
-#
-# Tasks related to configuring Jitsi internal authentication
-#
-
- name: Ensure Jitsi internal authentication users are configured
-  ansible.builtin.shell: "{{ devture_systemd_docker_base_host_command_docker }} exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}"
-  with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}"
-  when:
-    - matrix_jitsi_auth_type == "internal"
-    - matrix_jitsi_prosody_auth_internal_accounts|length > 0
-  register: matrix_jitsi_user_configuration_result
-  changed_when: matrix_jitsi_user_configuration_result.rc == 0
-  no_log: true
-
-#
-# Tasks related to configuring other Jitsi authentication mechanisms
-#
-
-#
-# Tasks related to cleaning after Jitsi authentication configuration
-#
-
-#
-# Stop Necessary Services
-#
- name: Ensure matrix-jitsi-prosody container is stopped if necessary
-  ansible.builtin.systemd:
-    state: stopped
-    name: matrix-jitsi-prosody
-  when: matrix_jitsi_prosody_start_result.changed | bool
--- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml
+++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml
@ -0,0 +1,13 @@
+- name: Checkout Prosody Auth Matrix User Verification Plugin Repo
+  ansible.builtin.git:
+    repo: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_location }}"
+    dest: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}"
+    version: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_version }}"
+
+- name: Install Prosody Auth Matrix User Verification Plugin
+  ansible.builtin.copy:
+    remote_src: yes
+    src: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}/{{ item.path }}"
+    dest: "{{ matrix_jitsi_prosody_plugins_path }}/{{ item.path }}"
+  with_items: "{{ matrix_jitsi_prosody_auth_matrix_files }}"
+  when: item.when | bool
--- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml
+++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml
@ -0,0 +1,26 @@
+- name: Remove all files regarding prosody mod auth_matrix_user_verification and .well-known/element/jitsi
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  with_flattened:
+    - "{{ matrix_static_files_base_path }}/.well-known/element/jitsi"
+    - "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}"
+    - "{{ matrix_jitsi_prosody_auth_matrix_files | map(attribute='path') | map('regex_replace', '^', matrix_jitsi_prosody_plugins_path+'/') | list }}"
+  register: matrix_jitsi_prosody_auth_matrix_user_verification_uninstalled
+
+- name: Remove .well-known/element directory if empty
+  ansible.builtin.command:
+    argv:
+     - rmdir
+     - "{{ matrix_static_files_base_path }}/.well-known/element"
+    removes: "{{matrix_static_files_base_path}}/.well-known/element"
+  ignore_errors: yes
+
+- when: matrix_jitsi_prosody_auth_matrix_user_verification_uninstalled.changed
+  block:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Ensure prosody is restarted later on if currently running
+      set_fact:
+        matrix_jitsi_prosody_require_restart: "{{ true if ansible_facts.services['matrix-jitsi-prosody.service']['state'] == 'running' else false }}"
--- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml
+++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml
@ -0,0 +1,49 @@
+---
+#####
+#
+# This tasks file starts and stops (if state before was stopped) a prosody container during setup to run commands,
+# that require a running prosody container.
+# The task is called in ../setup_jitsi_prosody_install.yml.
+#
+# Important: The task is called conditionally, as to only start if really needed.
+# So if you add or change anything - remember to also change the 'when' in:  ../setup_jitsi_prosody_install.yml
+#
+#####
+
+#
+# Start Necessary Services
+#
+
+- name: Ensure matrix-jitsi-prosody container is running
+  ansible.builtin.systemd:
+    state: "{{ 'restarted' if matrix_jitsi_prosody_require_restart | d(false) | bool else 'started' }}"
+    name: matrix-jitsi-prosody
+  register: matrix_jitsi_prosody_start_result
+
+# If the flag was set, we can safely disable now.
+- name: Disable require restart flag
+  set_fact:
+    matrix_jitsi_prosody_require_restart: false
+
+#
+# Tasks related to configuring Jitsi internal authentication
+#
+
+- name: Ensure internal authentication is properly configured
+  ansible.builtin.include_tasks:
+    file: "{{ role_path }}/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml"
+  when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "internal"
+
+#
+# Tasks related to ...
+#
+
+
+#
+# Stop Necessary Services
+#
+- name: Ensure matrix-jitsi-prosody container is stopped if necessary
+  ansible.builtin.systemd:
+    state: stopped
+    name: matrix-jitsi-prosody
+  when: matrix_jitsi_prosody_start_result.changed | bool