Merge pull request #1446 from hypn0tick/master

Add support for creation of Jitsi internal authentication users in vars.yml
development
Slavi Pantaleev 3 years ago committed by GitHub
commit b1d8e39612
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -41,13 +41,23 @@ If you're fine with such an open Jitsi instance, please skip to [Apply changes](
If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's authentication and guests mode. With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. If a registered host is not yet present, guests are put on hold in individual waiting rooms. If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's authentication and guests mode. With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. If a registered host is not yet present, guests are put on hold in individual waiting rooms.
Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: Add these lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
```yaml ```yaml
matrix_jitsi_enable_auth: true matrix_jitsi_enable_auth: true
matrix_jitsi_enable_guests: true matrix_jitsi_enable_guests: true
matrix_jitsi_prosody_auth_internal_accounts:
- username: "jitsi-moderator"
password: "secret-password"
- username: "another-user"
password: "another-password"
``` ```
**Caution:** Accounts added here and subsquently removed will not be automatically removed from the Prosody server until user account cleaning is integrated into the playbook.
**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation).
### (Optional) LDAP authentication ### (Optional) LDAP authentication
The default authentication mode of Jitsi is `internal`, however LDAP is also supported. An example LDAP configuration could be: The default authentication mode of Jitsi is `internal`, however LDAP is also supported. An example LDAP configuration could be:
@ -122,19 +132,6 @@ You may want to **limit the maximum video resolution**, to save up resources on
Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`
## Required if configuring Jitsi with internal authentication: register new users
Until this gets integrated into the playbook, we need to register new users / meeting hosts for Jitsi manually.
Please SSH into your matrix host machine and execute the following command targeting the `matrix-jitsi-prosody` container:
```bash
docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register <USERNAME> meet.jitsi <PASSWORD>
```
Run this command for each user you would like to create, replacing `<USERNAME>` and `<PASSWORD>` accordingly. After you've finished, please exit the host.
**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation).
## Usage ## Usage

@ -9,10 +9,23 @@ matrix_jitsi_enable_transcriptions: false
matrix_jitsi_enable_p2p: true matrix_jitsi_enable_p2p: true
matrix_jitsi_enable_av_moderation: true matrix_jitsi_enable_av_moderation: true
# Authentication type, must be one of internal, jwt or ldap. Currently only # Authentication type, must be one of internal, jwt or ldap.
# internal and ldap are supported by this playbook. # Currently only internal and ldap mechanisms are supported by this playbook.
matrix_jitsi_auth_type: internal matrix_jitsi_auth_type: internal
# A list of Jitsi (Prosody) accounts to create using the internal authentication mechanism.
#
# Accounts added here and subsquently removed will not be automatically removed
# from the Prosody server until user account cleaning is integrated into the playbook.
#
# Example:
# matrix_jitsi_prosody_auth_internal_accounts:
# - username: "jitsi-moderator"
# password: "secret-password"
# - username: "another-user"
# password: "another-password"
matrix_jitsi_prosody_auth_internal_accounts: []
# Configuration options for LDAP authentication. For details see upstream: # Configuration options for LDAP authentication. For details see upstream:
# https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap. # https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap.
# Defaults are taken from: # Defaults are taken from:
@ -205,7 +218,6 @@ matrix_jitsi_jicofo_component_secret: ''
matrix_jitsi_jicofo_auth_user: focus matrix_jitsi_jicofo_auth_user: focus
matrix_jitsi_jicofo_auth_password: '' matrix_jitsi_jicofo_auth_password: ''
matrix_jitsi_jvb_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jvb:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jvb_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jvb:{{ matrix_jitsi_container_image_tag }}"
matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}"

@ -4,7 +4,7 @@
# Tasks related to setting up jitsi-prosody # Tasks related to setting up jitsi-prosody
# #
- name: Ensure Matrix jitsi-prosody path exists - name: Ensure Matrix jitsi-prosody environment exists
file: file:
path: "{{ item.path }}" path: "{{ item.path }}"
state: directory state: directory
@ -25,14 +25,14 @@
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_prosody_docker_image_force_pull }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_prosody_docker_image_force_pull }}"
when: matrix_jitsi_enabled|bool when: matrix_jitsi_enabled|bool
- name: Ensure jitsi-prosody environment variables file created - name: Ensure jitsi-prosody environment variables file is created
template: template:
src: "{{ role_path }}/templates/prosody/env.j2" src: "{{ role_path }}/templates/prosody/env.j2"
dest: "{{ matrix_jitsi_prosody_base_path }}/env" dest: "{{ matrix_jitsi_prosody_base_path }}/env"
mode: 0640 mode: 0640
when: matrix_jitsi_enabled|bool when: matrix_jitsi_enabled|bool
- name: Ensure matrix-jitsi-prosody.service installed - name: Ensure matrix-jitsi-prosody.service file is installed
template: template:
src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2" src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2"
dest: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" dest: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service"
@ -40,16 +40,24 @@
register: matrix_jitsi_prosody_systemd_service_result register: matrix_jitsi_prosody_systemd_service_result
when: matrix_jitsi_enabled|bool when: matrix_jitsi_enabled|bool
- name: Ensure systemd reloaded after matrix-jitsi-prosody.service installation - name: Ensure systemd service is reloaded after matrix-jitsi-prosody.service installation
service: service:
daemon_reload: yes daemon_reload: yes
when: "matrix_jitsi_enabled and matrix_jitsi_prosody_systemd_service_result.changed" when: "matrix_jitsi_enabled and matrix_jitsi_prosody_systemd_service_result.changed"
- name: Ensure authentication is properly configured
include_tasks:
file: "{{ role_path }}/tasks/util/setup_jitsi_auth.yml"
when:
- matrix_jitsi_enabled|bool
- matrix_jitsi_enable_auth|bool
# #
# Tasks related to getting rid of jitsi-prosody (if it was previously enabled) # Tasks related to getting rid of jitsi-prosody (if it was previously enabled)
# #
- name: Check existence of matrix-jitsi-prosody service - name: Ensure matrix-jitsi-prosody.service file exists
stat: stat:
path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service"
register: matrix_jitsi_prosody_service_stat register: matrix_jitsi_prosody_service_stat
@ -64,13 +72,13 @@
register: stopping_result register: stopping_result
when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists"
- name: Ensure matrix-jitsi-prosody.service doesn't exist - name: Ensure matrix-jitsi-prosody.service file doesn't exist
file: file:
path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service"
state: absent state: absent
when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists"
- name: Ensure systemd reloaded after matrix-jitsi-prosody.service removal - name: Ensure systemd is reloaded after matrix-jitsi-prosody.service removal
service: service:
daemon_reload: yes daemon_reload: yes
when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists"

@ -0,0 +1,43 @@
---
#
# Start Necessary Services
#
- name: Ensure matrix-jitsi-prosody container is running
systemd:
state: started
name: matrix-jitsi-prosody
register: matrix_jitsi_prosody_start_result
#
# Tasks related to configuring Jitsi internal authentication
#
- name: Ensure Jitsi internal authentication users are configured
shell: "docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}"
with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}"
when:
- matrix_jitsi_auth_type == "internal"
- matrix_jitsi_prosody_auth_internal_accounts|length > 0
#
# Tasks related to configuring other Jitsi authentication mechanisms
#
#
# Tasks related to cleaning after Jitsi authentication configuration
#
#
# Stop Necessary Services
#
- name: Ensure matrix-jitsi-prosody container is stopped if necessary
systemd:
state: stopped
name: matrix-jitsi-prosody
when: matrix_jitsi_prosody_start_result.changed|bool

@ -3,14 +3,14 @@
- name: Fail if required Jitsi settings not defined - name: Fail if required Jitsi settings not defined
fail: fail:
msg: >- msg: >-
You need to define a required configuration setting (`{{ item }}`) for using Jitsi. You need to define a required configuration setting (`{{ item }}`) to properly configure Jitsi.
If you're setting up Jitsi for the first time, you may have missed a step. If you're setting up Jitsi for the first time, you may have missed a step.
Refer to our setup instructions (docs/configuring-playbook-jitsi.md). Refer to our setup instructions (docs/configuring-playbook-jitsi.md).
If you had setup Jitsi successfully before and it's just now that you're observing this failure, If you had previously setup Jitsi successfully and are only now facing this error,
it means that your installation may be using some default passwords that the playbook used to define until now. it means that your installation is most likely using default passwords previously defined by the playbook.
This is not secure and we urge you to rebuild your Jitsi setup. These defaults are insecure. Jitsi should be rebuilt with secure values.
Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md). Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md).
when: "vars[item] == ''" when: "vars[item] == ''"
with_items: with_items:
@ -19,6 +19,20 @@
- "matrix_jitsi_jicofo_auth_password" - "matrix_jitsi_jicofo_auth_password"
- "matrix_jitsi_jvb_auth_password" - "matrix_jitsi_jvb_auth_password"
- name: Fail if a Jitsi internal authentication account is not defined
fail:
msg: >-
At least one Jitsi user needs to be defined in `matrix_jitsi_prosody_auth_internal_accounts` when using internal authentication.
If you're setting up Jitsi for the first time, you may have missed a step.
Refer to our setup instructions (docs/configuring-playbook-jitsi.md).
when:
- matrix_jitsi_enable_auth|bool
- matrix_jitsi_auth_type == 'internal'
- matrix_jitsi_prosody_auth_internal_accounts|length == 0
- name: (Deprecation) Catch and report renamed settings - name: (Deprecation) Catch and report renamed settings
fail: fail:
msg: >- msg: >-

Loading…
Cancel
Save