Merge branch 'jitsi_security_update'

This commit is contained in:
Slavi Pantaleev 2020-04-08 16:57:14 +03:00
commit e290b1be95
9 changed files with 94 additions and 70 deletions

View File

@ -23,18 +23,16 @@ Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
```yaml ```yaml
matrix_jitsi_enabled: true matrix_jitsi_enabled: true
# Run `bash inventory/scripts/jitsi-generate-passwords.sh` to generate these passwords,
# or define your own strong passwords manually.
matrix_jitsi_jicofo_component_secret: ""
matrix_jitsi_jicofo_auth_password: ""
matrix_jitsi_jvb_auth_password: ""
matrix_jitsi_jibri_recorder_password: ""
matrix_jitsi_jibri_xmpp_password: ""
``` ```
## Securing your Jitsi instance with strong passwords
Please use the bash script provided in this repo to generate strong passwords for your Jitsi instance.
Execute the following commands in your terminal from the root of this repo:
```bash
cd inventory/scripts
bash generate-jitsi-passwords.sh
```
The script will add the corresponding ansible variables and passwords generated with `openssl rand -hex 16` to the bottom of your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration.
## (Optional) configure internal Jitsi authentication and guests mode ## (Optional) configure internal Jitsi authentication and guests mode
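Review bot: the five example values here are `""`, which is exactly what the new `validate_config.yml` rejects (`when: "vars[item] == ''"`), so a reader who pastes this block verbatim and runs the playbook gets a hard failure at `setup-jitsi`; say explicitly above the block that every value must be filled in before running, not left as shown. Also check the script name: the removed text told users to run `generate-jitsi-passwords.sh` from `inventory/scripts`, the deleted script's own header calls itself `inventory/scripts/gen-passwords.sh`, and the new comment says `inventory/scripts/jitsi-generate-passwords.sh`; only one of those can match the file actually shipped. Since the secrets now live as plaintext in `inventory/host_vars/matrix.DOMAIN/vars.yml`, a pointer to `ansible-vault` for people who commit their inventory would fit in this paragraph.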
@ -66,11 +64,7 @@ docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua reg
Run this command for each user you would like to create, replacing `<USERNAME>` and `<PASSWORD>` accordingly. After you've finished, please exit the host. Run this command for each user you would like to create, replacing `<USERNAME>` and `<PASSWORD>` accordingly. After you've finished, please exit the host.
**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. The playbook can't yet rebuild all configuration files for some Jitsi services (like `matrix-jitsi-prosody`), which may cause such an error. **If you encounter this error**, we encourage you to: **If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation).
- stop all Jitsi services (`systemctl stop matrix-jitsi-*`)
- remove the Jitsi Prosody configuration & data (`rm -rf /matrix/jitsi/prosody`)
- rebuild Jitsi configuration and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`)
- try the previously-failing command once again
## Usage ## Usage
@ -78,3 +72,21 @@ Run this command for each user you would like to create, replacing `<USERNAME>`
You can use the self-hosted Jitsi server through Riot, through an Integration Manager like [Dimension](docs/configuring-playbook-dimension.md) or directly at `https://jitsi.DOMAIN`. You can use the self-hosted Jitsi server through Riot, through an Integration Manager like [Dimension](docs/configuring-playbook-dimension.md) or directly at `https://jitsi.DOMAIN`.
To use it via riot-web (the one configured by the playbook at `https://riot.DOMAIN`), just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server. To use it via riot-web (the one configured by the playbook at `https://riot.DOMAIN`), just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server.
## Troubleshooting
### Rebuilding your Jitsi installation
**If you ever run into any trouble** or **if you change configuration (`matrix_jitsi_*` variables) too much**, we urge you to rebuild your Jitsi setup.
We normally don't require such manual intervention for other services, but Jitsi services generate a lot of configuration files on their own.
These files are not all managed by Ansible (at least not yet), so you may sometimes need to delete them all and start fresh.
To rebuild your Jitsi configuration:
- SSH into the server and do this:
- stop all Jitsi services (`systemctl stop matrix-jitsi-*`).
- remove all Jitsi configuration & data (`rm -rf /matrix/jitsi`)
- ask Ansible to set up Jitsi anew and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`)
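Review bot: `rm -rf /matrix/jitsi` is broader than the `rm -rf /matrix/jitsi/prosody` it replaces and deletes data, not only generated configuration: the internal-auth accounts created with `prosodyctl ... register` earlier in this document live in the Prosody data under that path, so they have to be re-created after a rebuild, and this section should say so. Suggest moving the directory aside instead of deleting it (`mv /matrix/jitsi /matrix/jitsi.bak`) so a failed rebuild is reversible, and removing the backup only once calls work again. `systemctl stop matrix-jitsi-*` is fine as written; systemctl accepts unit-name globs.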

View File

@ -1,50 +0,0 @@
#!/usr/bin/env bash
# This is a bash script for generating strong passwords for the Jitsi role in this ansible project:
# https://github.com/spantaleev/matrix-docker-ansible-deploy
# This script assumes that you followed the documentation at https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook.md and created a folder in the source code's directory like this: 'mkdir inventory/host_vars/matrix.<your-domain>'
# it will put the generated passwords for Jitsi at the end of the vars.yml file in that directory
function generatePassword() {
openssl rand -hex 16
}
# helper function to get the matrix domain in the host_vars directory
function get_domain_dir() {
counter=0
for f in *; do
counter=$(( counter + 1 ))
if [ ! -d "$f" ]; then
echo "Error: could not find directory 'matrix.your.domain'"
echo "Did you create it already? Please first setup your matrix homeserver before running this script."
echo "You should start here: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/prerequisites.md"
exit 1
elif [[ "$counter" -gt 1 ]]; then
echo "Error: multiple directories found in ../host_vars/. Only one directory like 'matrix.your.domain' expected."
echo "Please make sure there is only one directory holding your vars.yml for this ansible playbook."
echo "Cannot continue script, exiting."
exit 1
fi
# Will not set domain if zero or multiple directories are detected
domain=$f
done
}
cd ../host_vars
get_domain_dir
JICOFO_COMPONENT_SECRET=$(generatePassword)
JICOFO_AUTH_PASSWORD=$(generatePassword)
JVB_AUTH_PASSWORD=$(generatePassword)
JIBRI_RECORDER_PASSWORD=$(generatePassword)
JIBRI_XMPP_PASSWORD=$(generatePassword)
echo "" >> ../host_vars/${domain}/vars.yml
echo "Jitsi passwords generated by inventory/scripts/gen-passwords.sh" >> ../host_vars/${domain}/vars.yml
echo "matrix_jitsi_jicofo_component_secret: $JICOFO_COMPONENT_SECRET" >> ../host_vars/${domain}/vars.yml
echo "matrix_jitsi_jicofo_auth_password: $JICOFO_AUTH_PASSWORD" >> ../host_vars/${domain}/vars.yml
echo "matrix_jitsi_jvb_auth_password: $JVB_AUTH_PASSWORD" >> ../host_vars/${domain}/vars.yml
echo "matrix_jitsi_jibri_recorder_password: $JIBRI_RECORDER_PASSWORD" >> ../host_vars/${domain}/vars.yml
echo "matrix_jitsi_jibri_xmpp_password: $JIBRI_XMPP_PASSWORD" >> ../host_vars/${domain}/vars.yml
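Review bot: deleting this script is justified on its own merits, not just by the documentation change: the header line it appended, `echo "Jitsi passwords generated by inventory/scripts/gen-passwords.sh" >> ../host_vars/${domain}/vars.yml`, has no leading `#`, so every run left an invalid YAML line in `vars.yml`; `get_domain_dir` aborted on any non-directory entry in `host_vars/` (`if [ ! -d "$f" ]`) and otherwise accepted whatever single directory it found without checking its name; and a second run appended a second copy of the same keys, which YAML parsers resolve to the last occurrence, silently changing passwords that were already deployed.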

View File

@ -0,0 +1,26 @@
#!/usr/bin/env bash
# This is a bash script for generating strong passwords for the Jitsi role in this ansible project:
# https://github.com/spantaleev/matrix-docker-ansible-deploy
function generatePassword() {
openssl rand -hex 16
}
echo "# If this script fails, it's likely because you don't have the openssl tool installed."
echo "# Install it before using this script, or simply create your own passwords manually."
echo ""
JICOFO_COMPONENT_SECRET=$(generatePassword)
JICOFO_AUTH_PASSWORD=$(generatePassword)
JVB_AUTH_PASSWORD=$(generatePassword)
JIBRI_RECORDER_PASSWORD=$(generatePassword)
JIBRI_XMPP_PASSWORD=$(generatePassword)
echo "# Paste these variables into your inventory/host_vars/matrix.DOMAIN/vars.yml file:"
echo ""
echo "matrix_jitsi_jicofo_component_secret: "$JICOFO_COMPONENT_SECRET
echo "matrix_jitsi_jicofo_auth_password: "$JICOFO_AUTH_PASSWORD
echo "matrix_jitsi_jvb_auth_password: "$JVB_AUTH_PASSWORD
echo "matrix_jitsi_jibri_recorder_password: "$JIBRI_RECORDER_PASSWORD
echo "matrix_jitsi_jibri_xmpp_password: "$JIBRI_XMPP_PASSWORD
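Review bot: when `openssl` is absent, `generatePassword` returns an empty string and the script still exits 0, printing `matrix_jitsi_jvb_auth_password: ` with no value, which YAML loads as null rather than `''`; the comment at the top warns about this case instead of handling it. Add `set -euo pipefail` and `command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }` before the first call, so a failure is an error the user sees rather than a blank value. Quoting the emitted values (`echo "matrix_jitsi_jvb_auth_password: '$JVB_AUTH_PASSWORD'"`) would also guard the rare hex string that a YAML parser re-types as a number (all digits, or a form like `1e5...`); the current `"key: "$VAR` form works only because `openssl rand -hex` never produces whitespace.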

View File

@ -23,9 +23,9 @@ matrix_jitsi_recorder_domain: recorder.meet.jitsi
matrix_jitsi_jibri_brewery_muc: jibribrewery matrix_jitsi_jibri_brewery_muc: jibribrewery
matrix_jitsi_jibri_pending_timeout: 90 matrix_jitsi_jibri_pending_timeout: 90
matrix_jitsi_jibri_xmpp_user: jibri matrix_jitsi_jibri_xmpp_user: jibri
matrix_jitsi_jibri_xmpp_password: jibri-password matrix_jitsi_jibri_xmpp_password: ''
matrix_jitsi_jibri_recorder_user: recorder matrix_jitsi_jibri_recorder_user: recorder
matrix_jitsi_jibri_recorder_password: recorder-password matrix_jitsi_jibri_recorder_password: ''
matrix_jitsi_web_docker_image: "jitsi/web:4384" matrix_jitsi_web_docker_image: "jitsi/web:4384"
@ -98,9 +98,9 @@ matrix_jitsi_jicofo_container_extra_arguments: []
# List of systemd services that matrix-jitsi-jicofo.service depends on # List of systemd services that matrix-jitsi-jicofo.service depends on
matrix_jitsi_jicofo_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service'] matrix_jitsi_jicofo_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service']
matrix_jitsi_jicofo_component_secret: s3cr37 matrix_jitsi_jicofo_component_secret: ''
matrix_jitsi_jicofo_auth_user: focus matrix_jitsi_jicofo_auth_user: focus
matrix_jitsi_jicofo_auth_password: passw0rd matrix_jitsi_jicofo_auth_password: ''
matrix_jitsi_jvb_docker_image: "jitsi/jvb:4384" matrix_jitsi_jvb_docker_image: "jitsi/jvb:4384"
@ -116,7 +116,7 @@ matrix_jitsi_jvb_container_extra_arguments: []
matrix_jitsi_jvb_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service'] matrix_jitsi_jvb_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service']
matrix_jitsi_jvb_auth_user: jvb matrix_jitsi_jvb_auth_user: jvb
matrix_jitsi_jvb_auth_password: passw0rd matrix_jitsi_jvb_auth_password: ''
# STUN servers used by JVB on the server-side, so it can discover its own external IP address. # STUN servers used by JVB on the server-side, so it can discover its own external IP address.
# Pointing this to a STUN server running on the same Docker network may lead to incorrect IP address discovery. # Pointing this to a STUN server running on the same Docker network may lead to incorrect IP address discovery.

View File

@ -2,6 +2,12 @@
tags: tags:
- always - always
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup|bool and matrix_jitsi_enabled|bool"
tags:
- setup-all
- setup-jitsi
- import_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml" - import_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml"
when: run_setup|bool when: run_setup|bool
tags: tags:

View File

@ -34,6 +34,13 @@
- logging.properties - logging.properties
when: matrix_jitsi_enabled|bool when: matrix_jitsi_enabled|bool
- name: Ensure jitsi-jvb environment variables file created
template:
src: "{{ role_path }}/templates/jvb/env.j2"
dest: "{{ matrix_jitsi_jvb_base_path }}/env"
mode: 0640
when: matrix_jitsi_enabled|bool
- name: Ensure matrix-jitsi-jvb.service installed - name: Ensure matrix-jitsi-jvb.service installed
template: template:
src: "{{ role_path }}/templates/jvb/matrix-jitsi-jvb.service.j2" src: "{{ role_path }}/templates/jvb/matrix-jitsi-jvb.service.j2"
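Review bot: a changed password does not reach the running container: `--env-file` is read once by `docker run` at container start, so rotating `matrix_jitsi_jvb_auth_password` and re-running `setup-jitsi` leaves the JVB authenticating with the old value until the service is restarted. Register the result of this task and restart `matrix-jitsi-jvb.service` when it reports changed, or document that a rotation needs a service restart. The task also sets `mode: 0640` without `owner:`/`group:`, so the file inherits the connecting user; that is acceptable only because the unit's `docker run` reads it as root, and it is worth making explicit.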

View File

@ -0,0 +1,21 @@
---
- name: Fail if required Jitsi settings not defined
fail:
msg: >-
You need to define a required configuration setting (`{{ item }}`) for using Jitsi.
If you're setting up Jitsi for the first time, you may have missed a step.
Refer to our setup instructions (docs/configuring-playbook-jitsi.md).
If you had setup Jitsi successfully before and it's just now that you're observing this failure,
it means that your installation may be using some default passwords that the playbook used to define until now.
This is not secure and we urge you to rebuild your Jitsi setup.
Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md).
when: "vars[item] == ''"
with_items:
- "matrix_jitsi_jibri_xmpp_password"
- "matrix_jitsi_jibri_recorder_password"
- "matrix_jitsi_jicofo_component_secret"
- "matrix_jitsi_jicofo_auth_password"
- "matrix_jitsi_jvb_auth_password"
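Review bot: `when: "vars[item] == ''"` catches only the exact empty string. A key left without a value (`matrix_jitsi_jvb_auth_password:`), which the generator script emits when `openssl` fails, loads as null, compares unequal to `''`, passes this check, and is then rendered into the env file as a non-empty value; a key that is missing entirely errors out with a generic undefined-variable message instead of this helpful one. `when: "vars[item] | default('', true) == ''"` handles both (the second argument of `default` treats null as missing). Consider also rejecting values containing whitespace, since `env.j2` writes them unquoted. `with_items` still works but `loop:` is the current idiom.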

View File

@ -0,0 +1 @@
JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }}
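Review bot: Docker's `--env-file` format is a verbatim `KEY=VALUE` line with no quoting or escaping, so a hand-picked password, which the docs explicitly allow, containing a newline is truncated at the newline and nothing in this template guards against it. Either document that the value must be a single line, or have `validate_config.yml` reject values with whitespace. Output of `openssl rand -hex 16` from the generator script is safe as-is.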

View File

@ -14,6 +14,7 @@ ExecStartPre=-/usr/bin/docker rm matrix-jitsi-jvb
ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jvb \ ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jvb \
--log-driver=none \ --log-driver=none \
--network={{ matrix_docker_network }} \ --network={{ matrix_docker_network }} \
--env-file={{ matrix_jitsi_jvb_base_path }}/env \
{% if matrix_jitsi_jvb_container_rtp_udp_host_bind_port %} {% if matrix_jitsi_jvb_container_rtp_udp_host_bind_port %}
-p {{ matrix_jitsi_jvb_container_rtp_udp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_udp_port }}/udp \ -p {{ matrix_jitsi_jvb_container_rtp_udp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_udp_port }}/udp \
{% endif %} {% endif %}
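Review bot: moving the secret into `--env-file` keeps it out of the unit file and out of `ps`/journal output for the `ExecStart` line, but it is still part of the container's configuration: `docker inspect matrix-jitsi-jvb` prints it under `Config.Env` to anyone with access to the Docker socket, and `--log-driver=none` does not change that. A sentence in the docs would stop readers from treating the env file's `0640` as the security boundary. Nothing else in this commit removes an older way of passing the JVB password, so confirm the `jitsi/jvb` image reads `JVB_AUTH_PASSWORD` from the environment and that no stale config file under `{{ matrix_jitsi_jvb_base_path }}` takes precedence.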