From f798605836e46cc73daa8da937a7ea46d7778087 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Apr 2020 09:37:54 +0300 Subject: [PATCH 1/5] Undefine Jitsi secrets and require their (re-)definition --- docs/configuring-playbook-jitsi.md | 24 ++++++++++++++++---- roles/matrix-jitsi/defaults/main.yml | 10 ++++---- roles/matrix-jitsi/tasks/main.yml | 6 +++++ roles/matrix-jitsi/tasks/validate_config.yml | 21 +++++++++++++++++ 4 files changed, 51 insertions(+), 10 deletions(-) create mode 100644 roles/matrix-jitsi/tasks/validate_config.yml diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 017cb4eb..028d2b15 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -66,11 +66,7 @@ docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua reg Run this command for each user you would like to create, replacing `` and `` accordingly. After you've finished, please exit the host. -**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. The playbook can't yet rebuild all configuration files for some Jitsi services (like `matrix-jitsi-prosody`), which may cause such an error. **If you encounter this error**, we encourage you to: -- stop all Jitsi services (`systemctl stop matrix-jitsi-*`) -- remove the Jitsi Prosody configuration & data (`rm -rf /matrix/jitsi/prosody`) -- rebuild Jitsi configuration and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`) -- try the previously-failing command once again +**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation). ## Usage 
@@ -78,3 +74,21 @@ Run this command for each user you would like to create, replacing `` You can use the self-hosted Jitsi server through Riot, through an Integration Manager like [Dimension](docs/configuring-playbook-dimension.md) or directly at `https://jitsi.DOMAIN`. To use it via riot-web (the one configured by the playbook at `https://riot.DOMAIN`), just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server. + + +## Troubleshooting + +### Rebuilding your Jitsi installation + +**If you ever run into any trouble** or **if you change configuration (`matrix_jitsi_*` variables) too much**, we urge you to rebuild your Jitsi setup. + +We normally don't require such manual intervention for other services, for Jitsi services generate a lot of configuration files on their own. + +These files are not all managed by Ansible (at least not yet), so you may sometimes need to delete them all and start fresh. + +To rebuild your Jitsi configuration: + +- SSH into the server and do this: + - stop all Jitsi services (`systemctl stop matrix-jitsi-*`). + - remove all Jitsi configuration & data (`rm -rf /matrix/jitsi`) +- ask Ansible to set up Jitsi anew and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 55f82677..83511c4c 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml 
@@ -23,9 +23,9 @@ matrix_jitsi_recorder_domain: recorder.meet.jitsi matrix_jitsi_jibri_brewery_muc: jibribrewery matrix_jitsi_jibri_pending_timeout: 90 matrix_jitsi_jibri_xmpp_user: jibri -matrix_jitsi_jibri_xmpp_password: jibri-password +matrix_jitsi_jibri_xmpp_password: '' matrix_jitsi_jibri_recorder_user: recorder -matrix_jitsi_jibri_recorder_password: recorder-password +matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_web_docker_image: "jitsi/web:4384" @@ -98,9 +98,9 @@ matrix_jitsi_jicofo_container_extra_arguments: [] # List of systemd services that matrix-jitsi-jicofo.service depends on matrix_jitsi_jicofo_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service'] -matrix_jitsi_jicofo_component_secret: s3cr37 +matrix_jitsi_jicofo_component_secret: '' matrix_jitsi_jicofo_auth_user: focus -matrix_jitsi_jicofo_auth_password: passw0rd +matrix_jitsi_jicofo_auth_password: '' matrix_jitsi_jvb_docker_image: "jitsi/jvb:4384" @@ -116,7 +116,7 @@ matrix_jitsi_jvb_container_extra_arguments: [] matrix_jitsi_jvb_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service'] matrix_jitsi_jvb_auth_user: jvb -matrix_jitsi_jvb_auth_password: passw0rd +matrix_jitsi_jvb_auth_password: '' # STUN servers used by JVB on the server-side, so it can discover its own external IP address. # Pointing this to a STUN server running on the same Docker network may lead to incorrect IP address discovery. diff --git a/roles/matrix-jitsi/tasks/main.yml b/roles/matrix-jitsi/tasks/main.yml index 2bc4a57f..e4f3508f 100644 --- a/roles/matrix-jitsi/tasks/main.yml +++ b/roles/matrix-jitsi/tasks/main.yml @@ -2,6 +2,12 @@ tags: - always +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_jitsi_enabled|bool" + tags: + - setup-all + - setup-jitsi + - import_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml" when: run_setup|bool tags: 
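Review bot: The secrets blanked to `''` in this hunk and in the `@@ -98,9` and `@@ -116,7` hunks of defaults/main.yml carry no comment saying they are mandatory, so someone reading the defaults file alone cannot tell a required-but-unset credential apart from an optional setting that is legitimately empty. A one-line comment above each of the five, e.g. `# Required: set a strong random value (see docs/configuring-playbook-jitsi.md); setup fails while this is empty.`, would make the contract visible where the variable is declared rather than only in the validation task. The defaults use `''` while the docs example added later in this series uses `""`; both parse the same, but one spelling file-wide is easier to grep for.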
diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml new file mode 100644 index 00000000..ea92c914 --- /dev/null +++ b/roles/matrix-jitsi/tasks/validate_config.yml @@ -0,0 +1,21 @@ +--- + +- name: Fail if required Jitsi settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`) for using Jitsi. + + If you're setting up Jitsi for the first time, you may have missed a step. + Refer to our setup instructions (docs/configuring-playbook-jitsi.md). + + If you had setup Jitsi successfully before and it's just now that you're observing this failure, + it means that your installation may be using some default passwords that the playbook used to define until now. + This is not secure and we urge you to rebuild your Jitsi setup. + Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md). + when: "vars[item] == ''" + with_items: + - "matrix_jitsi_jibri_xmpp_password" + - "matrix_jitsi_jibri_recorder_password" + - "matrix_jitsi_jicofo_component_secret" + - "matrix_jitsi_jicofo_auth_password" + - "matrix_jitsi_jvb_auth_password" From 976ccf3880561346853c7cd9292f8b19b9a64a14 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Apr 2020 09:39:38 +0300 Subject: [PATCH 2/5] Fix typo --- docs/configuring-playbook-jitsi.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 028d2b15..c7245e92 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md 
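Review bot: The condition `when: "vars[item] == ''"` only catches an empty string, so a host var left as a bare key (`matrix_jitsi_jvb_auth_password:`) loads as null, passes this check, and is then templated into the Jitsi configs either as nothing or as the literal text `None` (depending on how Ansible finalizes a null here), an unusable credential either way; `when: "vars[item] | default('', true) == ''"` treats null and empty alike. The message also warns about installations still running the old default passwords, yet a user who had copied those defaults (`passw0rd`, `s3cr37`, `jibri-password`, `recorder-password`) into vars.yml explicitly passes this task unchanged, since only emptiness is tested. A second task of the same shape that rejects exactly those previously-shipped values closes that gap; a sketch follows.
```yaml
# … unchanged: first task's name, fail/msg block …
  when: "vars[item] | default('', true) == ''"
# … unchanged: with_items list of the five variable names …

- name: Fail if Jitsi settings still use the previously-shipped default values
  fail:
    msg: >-
      `{{ item.name }}` is set to a default value this playbook used to ship, which is not secure.
      Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md).
  when: "vars[item.name] == item.old_default"
  with_items:
    - name: "matrix_jitsi_jibri_xmpp_password"
      old_default: "jibri-password"
    - name: "matrix_jitsi_jibri_recorder_password"
      old_default: "recorder-password"
    - name: "matrix_jitsi_jicofo_component_secret"
      old_default: "s3cr37"
    - name: "matrix_jitsi_jicofo_auth_password"
      old_default: "passw0rd"
    - name: "matrix_jitsi_jvb_auth_password"
      old_default: "passw0rd"
```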
@@ -82,7 +82,7 @@ To use it via riot-web (the one configured by the playbook at `https://riot.DOMA **If you ever run into any trouble** or **if you change configuration (`matrix_jitsi_*` variables) too much**, we urge you to rebuild your Jitsi setup. -We normally don't require such manual intervention for other services, for Jitsi services generate a lot of configuration files on their own. +We normally don't require such manual intervention for other services, but Jitsi services generate a lot of configuration files on their own. These files are not all managed by Ansible (at least not yet), so you may sometimes need to delete them all and start fresh. From 1b27e0f812c652eb91504c3d8af24264b10039ce Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Apr 2020 10:05:10 +0300 Subject: [PATCH 3/5] Make generate-jitsi-passwords.sh less magical --- docs/configuring-playbook-jitsi.md | 16 +++---- inventory/scripts/generate-jitsi-passwords.sh | 44 +++++-------------- 2 files changed, 17 insertions(+), 43 deletions(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index c7245e92..1a3f10c7 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md 
@@ -23,18 +23,16 @@ Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: ```yaml matrix_jitsi_enabled: true -``` - -## Securing your Jitsi instance with strong passwords -Please use the bash script provided in this repo to generate strong passwords for your Jitsi instance. -Execute the following commands in your terminal from the root of this repo: -```bash -cd inventory/scripts -bash generate-jitsi-passwords.sh +# Run `bash inventory/scripts/generate-jitsi-passwords.sh` to generate these passwords, +# or define your own strong passwords manually. +matrix_jitsi_jicofo_component_secret: "" +matrix_jitsi_jicofo_auth_password: "" +matrix_jitsi_jvb_auth_password: "" +matrix_jitsi_jibri_recorder_password: "" +matrix_jitsi_jibri_xmpp_password: "" ``` -The script will add the corresponding ansible variables and passwords generated with `openssl rand -hex 16` to the bottom of your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration. ## (Optional) configure internal Jitsi authentication and guests mode diff --git a/inventory/scripts/generate-jitsi-passwords.sh b/inventory/scripts/generate-jitsi-passwords.sh index ae6d471a..eacfa7d8 100755 --- a/inventory/scripts/generate-jitsi-passwords.sh +++ b/inventory/scripts/generate-jitsi-passwords.sh 
@@ -2,38 +2,14 @@ # This is a bash script for generating strong passwords for the Jitsi role in this ansible project: # https://github.com/spantaleev/matrix-docker-ansible-deploy -# This script assumes that you followed the documentation at https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook.md and created a folder in the source code's directory like this: 'mkdir inventory/host_vars/matrix.' -# it will put the generated passwords for Jitsi at the end of the vars.yml file in that directory - function generatePassword() { openssl rand -hex 16 } -# helper function to get the matrix domain in the host_vars directory -function get_domain_dir() { - counter=0 - - for f in *; do - counter=$(( counter + 1 )) - if [ ! -d "$f" ]; then - echo "Error: could not find directory 'matrix.your.domain'" - echo "Did you create it already? Please first setup your matrix homeserver before running this script." - echo "You should start here: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/prerequisites.md" - exit 1 - elif [[ "$counter" -gt 1 ]]; then - echo "Error: multiple directories found in ../host_vars/. Only one directory like 'matrix.your.domain' expected." - echo "Please make sure there is only one directory holding your vars.yml for this ansible playbook." - echo "Cannot continue script, exiting." - exit 1 - fi - - # Will not set domain if zero or multiple directories are detected - domain=$f - done -} +echo "# If this script fails, it's likely because you don't have the openssl tool installed." +echo "# Install it before using this script, or simply create your own passwords manually." -cd ../host_vars -get_domain_dir +echo "" JICOFO_COMPONENT_SECRET=$(generatePassword) JICOFO_AUTH_PASSWORD=$(generatePassword) 
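Review bot: The new echo lines tell the user the script "fails" when openssl is missing, but nothing in this hunk makes it fail: without `openssl`, `$(generatePassword)` expands to an empty string (bash prints "command not found" on stderr), the script carries on, and the later echo lines emit empty values that would be pasted into vars.yml as-is. Add a guard right after the function, `command -v openssl >/dev/null 2>&1 || { echo "openssl is required to generate passwords; install it or choose your own passwords manually." >&2; exit 1; }`, or at minimum `set -e` near the top so a failing command substitution in an assignment aborts the script. The shebang and the remaining output lines of the script are outside this hunk.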
@@ -41,10 +17,10 @@ JVB_AUTH_PASSWORD=$(generatePassword) JIBRI_RECORDER_PASSWORD=$(generatePassword) JIBRI_XMPP_PASSWORD=$(generatePassword) -echo "" >> ../host_vars/${domain}/vars.yml -echo "Jitsi passwords generated by inventory/scripts/gen-passwords.sh" >> ../host_vars/${domain}/vars.yml -echo "matrix_jitsi_jicofo_component_secret: $JICOFO_COMPONENT_SECRET" >> ../host_vars/${domain}/vars.yml -echo "matrix_jitsi_jicofo_auth_password: $JICOFO_AUTH_PASSWORD" >> ../host_vars/${domain}/vars.yml -echo "matrix_jitsi_jvb_auth_password: $JVB_AUTH_PASSWORD" >> ../host_vars/${domain}/vars.yml -echo "matrix_jitsi_jibri_recorder_password: $JIBRI_RECORDER_PASSWORD" >> ../host_vars/${domain}/vars.yml -echo "matrix_jitsi_jibri_xmpp_password: $JIBRI_XMPP_PASSWORD" >> ../host_vars/${domain}/vars.yml +echo "# Paste these variables into your inventory/host_vars/matrix.DOMAIN/vars.yml file:" +echo "" +echo "matrix_jitsi_jicofo_component_secret: "$JICOFO_COMPONENT_SECRET +echo "matrix_jitsi_jicofo_auth_password: "$JICOFO_AUTH_PASSWORD +echo "matrix_jitsi_jvb_auth_password: "$JVB_AUTH_PASSWORD +echo "matrix_jitsi_jibri_recorder_password: "$JIBRI_RECORDER_PASSWORD +echo "matrix_jitsi_jibri_xmpp_password: "$JIBRI_XMPP_PASSWORD From dcce276b8696fda1460bffbb6040a365eaf19bc6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Apr 2020 10:05:43 +0300 Subject: [PATCH 4/5] Rename script file --- docs/configuring-playbook-jitsi.md | 2 +- ...{generate-jitsi-passwords.sh => jitsi-generate-passwords.sh} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename inventory/scripts/{generate-jitsi-passwords.sh => jitsi-generate-passwords.sh} (100%) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 1a3f10c7..d6ff1c8a 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md 
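Review bot: The generated values are printed as unquoted YAML plain scalars, so a secret that happens to consist only of digits (possible, if unlikely, with `openssl rand -hex 16`, which emits 32 characters from 0-9a-f) is loaded by Ansible's YAML parser as a number rather than a string, and with a leading zero as an octal number whose rendered value no longer matches what was generated. Quote the value in the output, `echo "matrix_jitsi_jicofo_component_secret: \"$JICOFO_COMPONENT_SECRET\""`, and likewise for the other four lines. That also removes the bare `$VAR` appended outside the double quotes, which is subject to word splitting and globbing; harmless for hex output, but an easy pattern to copy into a script where it is not.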
@@ -24,7 +24,7 @@ Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: ```yaml matrix_jitsi_enabled: true -# Run `bash inventory/scripts/generate-jitsi-passwords.sh` to generate these passwords, +# Run `bash inventory/scripts/jitsi-generate-passwords.sh` to generate these passwords, # or define your own strong passwords manually. matrix_jitsi_jicofo_component_secret: "" matrix_jitsi_jicofo_auth_password: "" diff --git a/inventory/scripts/generate-jitsi-passwords.sh b/inventory/scripts/jitsi-generate-passwords.sh similarity index 100% rename from inventory/scripts/generate-jitsi-passwords.sh rename to inventory/scripts/jitsi-generate-passwords.sh From 14786071afaf55ac56aecb2c2a33071af70da62c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Apr 2020 10:23:51 +0300 Subject: [PATCH 5/5] Pass JVB_AUTH_PASSWORD environment variable to make JVB startup happy We define this password in the `sip-communicator.properties` configuration file, so this is not needed for actually running JVB. However, it does a (useless) safety check during container startup, and we need to make that check happy. --- roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml | 7 +++++++ roles/matrix-jitsi/templates/jvb/env.j2 | 1 + .../matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 | 1 + 3 files changed, 9 insertions(+) create mode 100644 roles/matrix-jitsi/templates/jvb/env.j2 diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml index e4d652ed..f442fc6e 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml 
@@ -34,6 +34,13 @@ - logging.properties when: matrix_jitsi_enabled|bool +- name: Ensure jitsi-jvb environment variables file created + template: + src: "{{ role_path }}/templates/jvb/env.j2" + dest: "{{ matrix_jitsi_jvb_base_path }}/env" + mode: 0640 + when: matrix_jitsi_enabled|bool + - name: Ensure matrix-jitsi-jvb.service installed template: src: "{{ role_path }}/templates/jvb/matrix-jitsi-jvb.service.j2" diff --git a/roles/matrix-jitsi/templates/jvb/env.j2 b/roles/matrix-jitsi/templates/jvb/env.j2 new file mode 100644 index 00000000..423070db --- /dev/null +++ b/roles/matrix-jitsi/templates/jvb/env.j2 @@ -0,0 +1 @@ +JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} diff --git a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 index 03aef079..5df5807a 100644 --- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 +++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 @@ -14,6 +14,7 @@ ExecStartPre=-/usr/bin/docker rm matrix-jitsi-jvb ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jvb \ --log-driver=none \ --network={{ matrix_docker_network }} \ + --env-file={{ matrix_jitsi_jvb_base_path }}/env \ {% if matrix_jitsi_jvb_container_rtp_udp_host_bind_port %} -p {{ matrix_jitsi_jvb_container_rtp_udp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_udp_port }}/udp \ {% endif %}
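Review bot: `mode: 0640` is an unquoted octal literal; PyYAML reads it as the integer 416, which Ansible applies correctly only because of the leading zero, and the usual convention (yamllint/ansible-lint) is the string form `mode: "0640"` so the value is never subject to implicit typing. The task sets no `owner`/`group`, so the env file carrying the JVB password is created as whichever user runs the play; if the other files under `matrix_jitsi_jvb_base_path` are chowned to a service account elsewhere in the role (not visible here), this one should match so the 0640 group bit means what was intended. The neighbouring tasks that would show that convention are outside this hunk.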
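Review bot: The password is written into the env file verbatim and docker's `--env-file` applies no quoting or escaping, so a manually chosen `matrix_jitsi_jvb_auth_password` containing a newline would be split across two lines and one containing surrounding whitespace may reach the container different from the value the role writes into `sip-communicator.properties` (the commit message says both hold the same password). Since the env-file format accepts `#` comment lines, a one-line comment at the top would document the constraint where it applies: `# Rendered by Ansible. Keep the value on one line; docker --env-file does no quoting or escaping.` A stricter option is an `assert` in validate_config.yml that the value contains no whitespace, but that file is outside this hunk.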