Merge pull request #1446 from hypn0tick/master

Add support for creation of Jitsi internal authentication users in vars.yml
Slavi Pantaleev 2021-12-11 10:14:50 +02:00 committed by GitHub
commit b1d8e39612
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 102 additions and 28 deletions


@ -41,13 +41,23 @@ If you're fine with such an open Jitsi instance, please skip to [Apply changes](
If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's authentication and guests mode. With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. If a registered host is not yet present, guests are put on hold in individual waiting rooms.
Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
Add these lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
```yaml
matrix_jitsi_enable_auth: true
matrix_jitsi_enable_guests: true
matrix_jitsi_prosody_auth_internal_accounts:
- username: "jitsi-moderator"
password: "secret-password"
- username: "another-user"
password: "another-password"
```
**Caution:** Accounts added here and subsquently removed will not be automatically removed from the Prosody server until user account cleaning is integrated into the playbook.
**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation).
### (Optional) LDAP authentication
The default authentication mode of Jitsi is `internal`, however LDAP is also supported. An example LDAP configuration could be:
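Review bot: typo in the new Caution paragraph: "subsquently" should be "subsequently". Since this hunk moves the meeting-host passwords out of a one-off `prosodyctl` command and into `matrix_jitsi_prosody_auth_internal_accounts` in `vars.yml`, the docs should also state that these passwords now live in plaintext in the inventory and point operators at protecting that file (for example with Ansible Vault) and at using strong, unique values; showing the example values as obvious placeholders rather than `secret-password` / `another-password` would reinforce that.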
@ -122,19 +132,6 @@ You may want to **limit the maximum video resolution**, to save up resources on
Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`
## Required if configuring Jitsi with internal authentication: register new users
Until this gets integrated into the playbook, we need to register new users / meeting hosts for Jitsi manually.
Please SSH into your matrix host machine and execute the following command targeting the `matrix-jitsi-prosody` container:
```bash
docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register <USERNAME> meet.jitsi <PASSWORD>
```
Run this command for each user you would like to create, replacing `<USERNAME>` and `<PASSWORD>` accordingly. After you've finished, please exit the host.
**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation).
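Review bot: removing the manual `prosodyctl register` section leaves the docs without any manual account command, while the new Caution paragraph in the hunk above says accounts dropped from the list are not removed automatically. Consider keeping a one-line pointer to manual cleanup (`prosodyctl ... deluser` against the same container) so an operator can actually revoke a host's access when they delete it from `vars.yml`.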
## Usage


@ -9,10 +9,23 @@ matrix_jitsi_enable_transcriptions: false
matrix_jitsi_enable_p2p: true
matrix_jitsi_enable_av_moderation: true
# Authentication type, must be one of internal, jwt or ldap. Currently only
# internal and ldap are supported by this playbook.
# Authentication type, must be one of internal, jwt or ldap.
# Currently only internal and ldap mechanisms are supported by this playbook.
matrix_jitsi_auth_type: internal
# A list of Jitsi (Prosody) accounts to create using the internal authentication mechanism.
#
# Accounts added here and subsquently removed will not be automatically removed
# from the Prosody server until user account cleaning is integrated into the playbook.
#
# Example:
# matrix_jitsi_prosody_auth_internal_accounts:
# - username: "jitsi-moderator"
# password: "secret-password"
# - username: "another-user"
# password: "another-password"
matrix_jitsi_prosody_auth_internal_accounts: []
# Configuration options for LDAP authentication. For details see upstream:
# https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap.
# Defaults are taken from:
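Review bot: same typo as in the docs hunk, "subsquently" in the comment above `matrix_jitsi_prosody_auth_internal_accounts`. The comment block is also the right place to warn that `password` is stored in plaintext in the inventory and is later passed to `prosodyctl` on the command line, so a short "keep this file private / use Ansible Vault" remark would help operators who only read `defaults/main.yml`.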
@ -205,7 +218,6 @@ matrix_jitsi_jicofo_component_secret: ''
matrix_jitsi_jicofo_auth_user: focus
matrix_jitsi_jicofo_auth_password: ''
matrix_jitsi_jvb_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jvb:{{ matrix_jitsi_container_image_tag }}"
matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}"


@ -4,7 +4,7 @@
# Tasks related to setting up jitsi-prosody
#
- name: Ensure Matrix jitsi-prosody path exists
- name: Ensure Matrix jitsi-prosody environment exists
file:
path: "{{ item.path }}"
state: directory
@ -25,14 +25,14 @@
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_prosody_docker_image_force_pull }}"
when: matrix_jitsi_enabled|bool
- name: Ensure jitsi-prosody environment variables file created
- name: Ensure jitsi-prosody environment variables file is created
template:
src: "{{ role_path }}/templates/prosody/env.j2"
dest: "{{ matrix_jitsi_prosody_base_path }}/env"
mode: 0640
when: matrix_jitsi_enabled|bool
- name: Ensure matrix-jitsi-prosody.service installed
- name: Ensure matrix-jitsi-prosody.service file is installed
template:
src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2"
dest: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service"
@ -40,16 +40,24 @@
register: matrix_jitsi_prosody_systemd_service_result
when: matrix_jitsi_enabled|bool
- name: Ensure systemd reloaded after matrix-jitsi-prosody.service installation
- name: Ensure systemd service is reloaded after matrix-jitsi-prosody.service installation
service:
daemon_reload: yes
when: "matrix_jitsi_enabled and matrix_jitsi_prosody_systemd_service_result.changed"
- name: Ensure authentication is properly configured
include_tasks:
file: "{{ role_path }}/tasks/util/setup_jitsi_auth.yml"
when:
- matrix_jitsi_enabled|bool
- matrix_jitsi_enable_auth|bool
#
# Tasks related to getting rid of jitsi-prosody (if it was previously enabled)
#
- name: Check existence of matrix-jitsi-prosody service
- name: Ensure matrix-jitsi-prosody.service file exists
stat:
path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service"
register: matrix_jitsi_prosody_service_stat
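Review bot: the `when` on the new `include_tasks` of `setup_jitsi_auth.yml` checks only `matrix_jitsi_enabled` and `matrix_jitsi_enable_auth`, not `matrix_jitsi_auth_type`. The included file starts the `matrix-jitsi-prosody` container and stops it again as a side effect, so an LDAP deployment (`matrix_jitsi_auth_type: ldap`) will have its container bounced on every run even though the only real task inside is skipped. Add `- matrix_jitsi_auth_type == "internal"` here, or move the start/stop inside the file behind the same condition as the register task.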
@ -64,13 +72,13 @@
register: stopping_result
when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists"
- name: Ensure matrix-jitsi-prosody.service doesn't exist
- name: Ensure matrix-jitsi-prosody.service file doesn't exist
file:
path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service"
state: absent
when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists"
- name: Ensure systemd reloaded after matrix-jitsi-prosody.service removal
- name: Ensure systemd is reloaded after matrix-jitsi-prosody.service removal
service:
daemon_reload: yes
when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists"


@ -0,0 +1,43 @@
---
#
# Start Necessary Services
#
- name: Ensure matrix-jitsi-prosody container is running
systemd:
state: started
name: matrix-jitsi-prosody
register: matrix_jitsi_prosody_start_result
#
# Tasks related to configuring Jitsi internal authentication
#
- name: Ensure Jitsi internal authentication users are configured
shell: "docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}"
with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}"
when:
- matrix_jitsi_auth_type == "internal"
- matrix_jitsi_prosody_auth_internal_accounts|length > 0
#
# Tasks related to configuring other Jitsi authentication mechanisms
#
#
# Tasks related to cleaning after Jitsi authentication configuration
#
#
# Stop Necessary Services
#
- name: Ensure matrix-jitsi-prosody container is stopped if necessary
systemd:
state: stopped
name: matrix-jitsi-prosody
when: matrix_jitsi_prosody_start_result.changed|bool
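Review bot: the `shell` task that runs `prosodyctl ... register` has no `no_log: true`, so with `with_items` Ansible prints every item, username and password included, to the console and to any configured log on each run; add `no_log: true` to that task. It also has no `register`/`changed_when`/`failed_when`, so it always reports `changed` and, if `prosodyctl` exits non-zero for an account that is already registered, a second playbook run fails at this step; capture the result and set `changed_when`/`failed_when` from it, or check for the account first. Passing the password as a command-line argument also exposes it briefly in the host's process list; the `| quote` filter is correct and should stay, but the docs should mention this. Finally, the two comment blocks "Tasks related to configuring other Jitsi authentication mechanisms" and "Tasks related to cleaning after Jitsi authentication configuration" contain no tasks; either drop them or mark them as TODO so they are not mistaken for implemented behaviour.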


@ -3,14 +3,14 @@
- name: Fail if required Jitsi settings not defined
fail:
msg: >-
You need to define a required configuration setting (`{{ item }}`) for using Jitsi.
You need to define a required configuration setting (`{{ item }}`) to properly configure Jitsi.
If you're setting up Jitsi for the first time, you may have missed a step.
Refer to our setup instructions (docs/configuring-playbook-jitsi.md).
If you had setup Jitsi successfully before and it's just now that you're observing this failure,
it means that your installation may be using some default passwords that the playbook used to define until now.
This is not secure and we urge you to rebuild your Jitsi setup.
If you had previously setup Jitsi successfully and are only now facing this error,
it means that your installation is most likely using default passwords previously defined by the playbook.
These defaults are insecure. Jitsi should be rebuilt with secure values.
Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md).
when: "vars[item] == ''"
with_items:
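Review bot: grammar in the reworded failure message: "If you had previously setup Jitsi successfully" should read "set up". The rest of the rewording reads fine and the pointer to the "Rebuilding your Jitsi installation" section is a useful addition.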
@ -19,6 +19,20 @@
- "matrix_jitsi_jicofo_auth_password"
- "matrix_jitsi_jvb_auth_password"
- name: Fail if a Jitsi internal authentication account is not defined
fail:
msg: >-
At least one Jitsi user needs to be defined in `matrix_jitsi_prosody_auth_internal_accounts` when using internal authentication.
If you're setting up Jitsi for the first time, you may have missed a step.
Refer to our setup instructions (docs/configuring-playbook-jitsi.md).
when:
- matrix_jitsi_enable_auth|bool
- matrix_jitsi_auth_type == 'internal'
- matrix_jitsi_prosody_auth_internal_accounts|length == 0
- name: (Deprecation) Catch and report renamed settings
fail:
msg: >-
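Review bot: the new "Fail if a Jitsi internal authentication account is not defined" check only tests `matrix_jitsi_prosody_auth_internal_accounts|length == 0`. An entry with a missing or empty `username` or `password` passes this validation and reaches the `prosodyctl register` shell task, where it either fails late or registers an account with an empty password; add a per-item check (for example a `fail` looped over the list when `item.username` or `item.password` is undefined or empty). Minor style point: this file compares against `'internal'` while `setup_jitsi_auth.yml` uses `"internal"`; pick one quoting style.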