diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index f4e4c9f3..f7e8a949 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -41,13 +41,23 @@ If you're fine with such an open Jitsi instance, please skip to [Apply changes]( If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's authentication and guests mode. With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. If a registered host is not yet present, guests are put on hold in individual waiting rooms. -Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: +Add these lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: ```yaml matrix_jitsi_enable_auth: true matrix_jitsi_enable_guests: true +matrix_jitsi_prosody_auth_internal_accounts: + - username: "jitsi-moderator" + password: "secret-password" + - username: "another-user" + password: "another-password" ``` +**Caution:** Accounts added here and subsquently removed will not be automatically removed from the Prosody server until user account cleaning is integrated into the playbook. + +**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation). + + ### (Optional) LDAP authentication The default authentication mode of Jitsi is `internal`, however LDAP is also supported. An example LDAP configuration could be: 
@@ -122,19 +132,6 @@ You may want to **limit the maximum video resolution**, to save up resources on Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` -## Required if configuring Jitsi with internal authentication: register new users - -Until this gets integrated into the playbook, we need to register new users / meeting hosts for Jitsi manually. -Please SSH into your matrix host machine and execute the following command targeting the `matrix-jitsi-prosody` container: - -```bash -docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register meet.jitsi -``` - -Run this command for each user you would like to create, replacing `` and `` accordingly. After you've finished, please exit the host. - -**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation). - ## Usage diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index bef993e0..e233e016 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml 
@@ -9,10 +9,23 @@ matrix_jitsi_enable_transcriptions: false matrix_jitsi_enable_p2p: true matrix_jitsi_enable_av_moderation: true -# Authentication type, must be one of internal, jwt or ldap. Currently only -# internal and ldap are supported by this playbook. +# Authentication type, must be one of internal, jwt or ldap. +# Currently only internal and ldap mechanisms are supported by this playbook. matrix_jitsi_auth_type: internal +# A list of Jitsi (Prosody) accounts to create using the internal authentication mechanism. +# +# Accounts added here and subsquently removed will not be automatically removed +# from the Prosody server until user account cleaning is integrated into the playbook. +# +# Example: +# matrix_jitsi_prosody_auth_internal_accounts: +# - username: "jitsi-moderator" +# password: "secret-password" +# - username: "another-user" +# password: "another-password" +matrix_jitsi_prosody_auth_internal_accounts: [] + # Configuration options for LDAP authentication. For details see upstream: # https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap. # Defaults are taken from: @@ -205,7 +218,6 @@ matrix_jitsi_jicofo_component_secret: '' matrix_jitsi_jicofo_auth_user: focus matrix_jitsi_jicofo_auth_password: '' - matrix_jitsi_jvb_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jvb:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml index 39a571ae..c1c7c7fc 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml @@ -4,7 +4,7 @@ # Tasks related to setting up jitsi-prosody # -- name: Ensure Matrix jitsi-prosody path exists +- name: Ensure Matrix jitsi-prosody environment exists file: path: "{{ item.path }}" state: directory 
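Review bot: The new comment block above `matrix_jitsi_prosody_auth_internal_accounts` documents the stale-account caveat but says nothing about how the passwords themselves are handled, even though the example puts them inline in `vars.yml` and the rest of this change hands them to a shell command. I would add a line such as `# Passwords are stored in plaintext here and passed to prosodyctl on the command line; keep this variable in an ansible-vault encrypted file and never reuse the example values.` The example block also reads more safely with placeholders like `"CHANGE-ME"` than with values a reader may copy verbatim. Minor: "subsquently" should read "subsequently".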
@@ -25,14 +25,14 @@ force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_prosody_docker_image_force_pull }}" when: matrix_jitsi_enabled|bool -- name: Ensure jitsi-prosody environment variables file created +- name: Ensure jitsi-prosody environment variables file is created template: src: "{{ role_path }}/templates/prosody/env.j2" dest: "{{ matrix_jitsi_prosody_base_path }}/env" mode: 0640 when: matrix_jitsi_enabled|bool -- name: Ensure matrix-jitsi-prosody.service installed +- name: Ensure matrix-jitsi-prosody.service file is installed template: src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2" dest: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" @@ -40,16 +40,24 @@ register: matrix_jitsi_prosody_systemd_service_result when: matrix_jitsi_enabled|bool -- name: Ensure systemd reloaded after matrix-jitsi-prosody.service installation +- name: Ensure systemd service is reloaded after matrix-jitsi-prosody.service installation service: daemon_reload: yes when: "matrix_jitsi_enabled and matrix_jitsi_prosody_systemd_service_result.changed" +- name: Ensure authentication is properly configured + include_tasks: + file: "{{ role_path }}/tasks/util/setup_jitsi_auth.yml" + when: + - matrix_jitsi_enabled|bool + - matrix_jitsi_enable_auth|bool + + # # Tasks related to getting rid of jitsi-prosody (if it was previously enabled) # -- name: Check existence of matrix-jitsi-prosody service +- name: Ensure matrix-jitsi-prosody.service file exists stat: path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" register: matrix_jitsi_prosody_service_stat 
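Review bot: The new `include_tasks` of `setup_jitsi_auth.yml` carries no `apply`, so if this file is itself brought in through `import_tasks` with tags (the role's main.yml is not visible here, but the docs' `--tags=setup-all,start` invocation suggests it is), the tasks inside the dynamically included file inherit no tags and are skipped on every tagged run — the accounts would silently never be registered. Adding `apply:` with `tags: [setup-all, setup-jitsi]` (whatever tags the role actually uses) under `include_tasks` prevents that. Separately, renaming the `stat` task to `Ensure matrix-jitsi-prosody.service file exists` misdescribes it, since it only checks; `Check whether matrix-jitsi-prosody.service file exists` would be accurate.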
@@ -64,13 +72,13 @@ register: stopping_result when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" -- name: Ensure matrix-jitsi-prosody.service doesn't exist +- name: Ensure matrix-jitsi-prosody.service file doesn't exist file: path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" state: absent when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" -- name: Ensure systemd reloaded after matrix-jitsi-prosody.service removal +- name: Ensure systemd is reloaded after matrix-jitsi-prosody.service removal service: daemon_reload: yes when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" diff --git a/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml b/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml new file mode 100644 index 00000000..66fb7e5d --- /dev/null +++ b/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml 
@@ -0,0 +1,43 @@
+---
+#
+# Start Necessary Services
+#
+
+- name: Ensure matrix-jitsi-prosody container is running
+ systemd:
+ state: started
+ name: matrix-jitsi-prosody
+ register: matrix_jitsi_prosody_start_result
+
+
+#
+# Tasks related to configuring Jitsi internal authentication
+#
+
+- name: Ensure Jitsi internal authentication users are configured
+ shell: "docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}"
+ with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}"
+ when:
+ - matrix_jitsi_auth_type == "internal"
+ - matrix_jitsi_prosody_auth_internal_accounts|length > 0
+
+
+#
+# Tasks related to configuring other Jitsi authentication mechanisms
+#
+
+
+
+#
+# Tasks related to cleaning after Jitsi authentication configuration
+#
+
+
+#
+# Stop Necessary Services
+#
+- name: Ensure matrix-jitsi-prosody container is stopped if necessary
+ systemd:
+ state: stopped
+ name: matrix-jitsi-prosody
+ when: matrix_jitsi_prosody_start_result.changed|bool
\ No newline at end of file
diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml
index d2887b12..a9d86764 100644
--- a/roles/matrix-jitsi/tasks/validate_config.yml
+++ b/roles/matrix-jitsi/tasks/validate_config.yml
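Review bot: The `Ensure Jitsi internal authentication users are configured` task passes each password as a positional argument to `prosodyctl register` and sets no `no_log`, so every password lands in the Ansible task output (and any configured log file) and is readable in `ps`/`/proc/<pid>/cmdline` on the host and inside the container while the command runs. Add `no_log: true` to the task; the command-line exposure remains unless prosodyctl is fed the password some other way, which this task does not attempt. The task also reports changed on every run, and if prosodyctl refuses to re-register an existing account — I cannot tell from here whether it does — the second playbook run fails at this point, so registering the result and deriving `changed_when`/`failed_when` from its output would make it idempotent. If the shell task fails, the container that this file started is also left running, since the stop task is not in an `always` section.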
@@ -3,14 +3,14 @@ - name: Fail if required Jitsi settings not defined fail: msg: >- - You need to define a required configuration setting (`{{ item }}`) for using Jitsi. + You need to define a required configuration setting (`{{ item }}`) to properly configure Jitsi. If you're setting up Jitsi for the first time, you may have missed a step. Refer to our setup instructions (docs/configuring-playbook-jitsi.md). - If you had setup Jitsi successfully before and it's just now that you're observing this failure, - it means that your installation may be using some default passwords that the playbook used to define until now. - This is not secure and we urge you to rebuild your Jitsi setup. + If you had previously setup Jitsi successfully and are only now facing this error, + it means that your installation is most likely using default passwords previously defined by the playbook. + These defaults are insecure. Jitsi should be rebuilt with secure values. Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md). when: "vars[item] == ''" with_items: @@ -19,6 +19,20 @@ - "matrix_jitsi_jicofo_auth_password" - "matrix_jitsi_jvb_auth_password" + +- name: Fail if a Jitsi internal authentication account is not defined + fail: + msg: >- + At least one Jitsi user needs to be defined in `matrix_jitsi_prosody_auth_internal_accounts` when using internal authentication. + + If you're setting up Jitsi for the first time, you may have missed a step. + Refer to our setup instructions (docs/configuring-playbook-jitsi.md). + when: + - matrix_jitsi_enable_auth|bool + - matrix_jitsi_auth_type == 'internal' + - matrix_jitsi_prosody_auth_internal_accounts|length == 0 + + - name: (Deprecation) Catch and report renamed settings fail: msg: >-
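Review bot: The new `Fail if a Jitsi internal authentication account is not defined` task only checks that the list is non-empty; an entry with no password, no username, or a password copied verbatim from the docs (`secret-password`, `another-password`) passes validation and is registered as a meeting host with a publicly documented credential — the same class of problem the preceding task guards against for the component passwords. I would add a per-account check in the same style, rejecting empty values and the documented example passwords, and labelling loop output by username so the password is not echoed when the check fails.

```yaml
# … unchanged: "Fail if a Jitsi internal authentication account is not defined" task …

- name: Fail if a Jitsi internal authentication account has an empty or example password
  fail:
    msg: >-
      The Jitsi account `{{ item.username | default('<no username>') }}` in `matrix_jitsi_prosody_auth_internal_accounts`
      has no username, no password, or still uses a placeholder value from the documentation.

      Set a unique, strong password for each account.
  when:
    - matrix_jitsi_enable_auth|bool
    - matrix_jitsi_auth_type == 'internal'
    - (item.username | default('')) == '' or (item.password | default('')) == '' or item.password in ['secret-password', 'another-password']
  with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}"
  loop_control:
    label: "{{ item.username | default('<no username>') }}"
```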