	Merge branch 'jitsi_security_update'
		| @@ -23,18 +23,16 @@ Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: | ||||
|  | ||||
| ```yaml | ||||
| matrix_jitsi_enabled: true | ||||
|  | ||||
| # Run `bash inventory/scripts/jitsi-generate-passwords.sh` to generate these passwords, | ||||
| # or define your own strong passwords manually. | ||||
| matrix_jitsi_jicofo_component_secret: "" | ||||
| matrix_jitsi_jicofo_auth_password: "" | ||||
| matrix_jitsi_jvb_auth_password: "" | ||||
| matrix_jitsi_jibri_recorder_password: "" | ||||
| matrix_jitsi_jibri_xmpp_password: "" | ||||
| ``` | ||||
|  | ||||
| ## Securing your Jitsi instance with strong passwords | ||||
|  | ||||
| Please use the bash script provided in this repo to generate strong passwords for your Jitsi instance. | ||||
| Execute the following commands in your terminal from the root of this repo: | ||||
| ```bash | ||||
| cd inventory/scripts | ||||
| bash generate-jitsi-passwords.sh | ||||
| ``` | ||||
|  | ||||
| The script will add the corresponding ansible variables and passwords generated with `openssl rand -hex 16` to the bottom of your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration. | ||||
|  | ||||
| ## (Optional) configure internal Jitsi authentication and guests mode | ||||
|  | ||||
| @@ -66,11 +64,7 @@ docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua reg | ||||
|  | ||||
| Run this command for each user you would like to create, replacing `<USERNAME>` and `<PASSWORD>` accordingly. After you've finished, please exit the host. | ||||
|  | ||||
| **If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. The playbook can't yet rebuild all configuration files for some Jitsi services (like `matrix-jitsi-prosody`), which may cause such an error. **If you encounter this error**, we encourage you to: | ||||
| - stop all Jitsi services (`systemctl stop matrix-jitsi-*`) | ||||
| - remove the Jitsi Prosody configuration & data (`rm -rf /matrix/jitsi/prosody`) | ||||
| - rebuild Jitsi configuration and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`) | ||||
| - try the previously-failing command once again | ||||
| **If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation). | ||||
|  | ||||
|  | ||||
| ## Usage | ||||
| @@ -78,3 +72,21 @@ Run this command for each user you would like to create, replacing `<USERNAME>` | ||||
| You can use the self-hosted Jitsi server through Riot, through an Integration Manager like [Dimension](docs/configuring-playbook-dimension.md) or directly at `https://jitsi.DOMAIN`. | ||||
|  | ||||
| To use it via riot-web (the one configured by the playbook at `https://riot.DOMAIN`), just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server. | ||||
|  | ||||
|  | ||||
| ## Troubleshooting | ||||
|  | ||||
| ### Rebuilding your Jitsi installation | ||||
|  | ||||
| **If you ever run into any trouble** or **if you change configuration (`matrix_jitsi_*` variables) too much**, we urge you to rebuild your Jitsi setup. | ||||
|  | ||||
| We normally don't require such manual intervention for other services, but Jitsi services generate a lot of configuration files on their own. | ||||
|  | ||||
| These files are not all managed by Ansible (at least not yet), so you may sometimes need to delete them all and start fresh. | ||||
|  | ||||
| To rebuild your Jitsi configuration: | ||||
|  | ||||
| - SSH into the server and do this: | ||||
|   - stop all Jitsi services (`systemctl stop matrix-jitsi-*`). | ||||
|   - remove all Jitsi configuration & data (`rm -rf /matrix/jitsi`) | ||||
| - ask Ansible to set up Jitsi anew and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`) | ||||
|   | ||||
| @@ -1,50 +0,0 @@ | ||||
| #!/usr/bin/env bash | ||||
| # This is a bash script for generating strong passwords for the Jitsi role in this ansible project: | ||||
| # https://github.com/spantaleev/matrix-docker-ansible-deploy | ||||
|  | ||||
| # This script assumes that you followed the documentation at https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook.md and created a folder in the source code's directory like this: 'mkdir inventory/host_vars/matrix.<your-domain>' | ||||
| # it will put the generated passwords for Jitsi at the end of the vars.yml file in that directory | ||||
|  | ||||
| function generatePassword() { | ||||
|     openssl rand -hex 16 | ||||
| } | ||||
|  | ||||
| # helper function to get the matrix domain in the host_vars directory | ||||
| function get_domain_dir() { | ||||
| 	counter=0 | ||||
|  | ||||
| 	for f in *; do | ||||
| 	    counter=$(( counter + 1 )) | ||||
| 	    if [ ! -d "$f" ]; then | ||||
|             echo "Error: could not find directory 'matrix.your.domain'" | ||||
|             echo "Did you create it already? Please first setup your matrix homeserver before running this script." | ||||
|             echo "You should start here: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/prerequisites.md" | ||||
|             exit 1 | ||||
|         elif [[ "$counter" -gt 1 ]]; then | ||||
|             echo "Error: multiple directories found in ../host_vars/. Only one directory like 'matrix.your.domain' expected." | ||||
|             echo "Please make sure there is only one directory holding your vars.yml for this ansible playbook." | ||||
|             echo "Cannot continue script, exiting." | ||||
|             exit 1 | ||||
|         fi | ||||
|  | ||||
| 	    # Will not set domain if zero or multiple directories are detected | ||||
| 	    domain=$f | ||||
| 	done | ||||
| } | ||||
|  | ||||
| cd ../host_vars | ||||
| get_domain_dir | ||||
|  | ||||
| JICOFO_COMPONENT_SECRET=$(generatePassword) | ||||
| JICOFO_AUTH_PASSWORD=$(generatePassword) | ||||
| JVB_AUTH_PASSWORD=$(generatePassword) | ||||
| JIBRI_RECORDER_PASSWORD=$(generatePassword) | ||||
| JIBRI_XMPP_PASSWORD=$(generatePassword) | ||||
|  | ||||
| echo "" >> ../host_vars/${domain}/vars.yml | ||||
| echo "Jitsi passwords generated by inventory/scripts/gen-passwords.sh" >> ../host_vars/${domain}/vars.yml | ||||
| echo "matrix_jitsi_jicofo_component_secret: $JICOFO_COMPONENT_SECRET" >> ../host_vars/${domain}/vars.yml | ||||
| echo "matrix_jitsi_jicofo_auth_password: $JICOFO_AUTH_PASSWORD" >> ../host_vars/${domain}/vars.yml | ||||
| echo "matrix_jitsi_jvb_auth_password: $JVB_AUTH_PASSWORD" >> ../host_vars/${domain}/vars.yml | ||||
| echo "matrix_jitsi_jibri_recorder_password: $JIBRI_RECORDER_PASSWORD" >> ../host_vars/${domain}/vars.yml | ||||
| echo "matrix_jitsi_jibri_xmpp_password: $JIBRI_XMPP_PASSWORD" >> ../host_vars/${domain}/vars.yml | ||||
							
								
								
									
										26
									
								
								inventory/scripts/jitsi-generate-passwords.sh
									
									
									
									
									
										Executable file
									
								
							
							
						
						
									
							| @@ -0,0 +1,26 @@ | ||||
| #!/usr/bin/env bash | ||||
| # This is a bash script for generating strong passwords for the Jitsi role in this ansible project: | ||||
| # https://github.com/spantaleev/matrix-docker-ansible-deploy | ||||
|  | ||||
| function generatePassword() { | ||||
|     openssl rand -hex 16 | ||||
| } | ||||
|  | ||||
| echo "# If this script fails, it's likely because you don't have the openssl tool installed." | ||||
| echo "# Install it before using this script, or simply create your own passwords manually." | ||||
|  | ||||
| echo "" | ||||
|  | ||||
| JICOFO_COMPONENT_SECRET=$(generatePassword) | ||||
| JICOFO_AUTH_PASSWORD=$(generatePassword) | ||||
| JVB_AUTH_PASSWORD=$(generatePassword) | ||||
| JIBRI_RECORDER_PASSWORD=$(generatePassword) | ||||
| JIBRI_XMPP_PASSWORD=$(generatePassword) | ||||
|  | ||||
| echo "# Paste these variables into your inventory/host_vars/matrix.DOMAIN/vars.yml file:" | ||||
| echo "" | ||||
| echo "matrix_jitsi_jicofo_component_secret: "$JICOFO_COMPONENT_SECRET | ||||
| echo "matrix_jitsi_jicofo_auth_password: "$JICOFO_AUTH_PASSWORD | ||||
| echo "matrix_jitsi_jvb_auth_password: "$JVB_AUTH_PASSWORD | ||||
| echo "matrix_jitsi_jibri_recorder_password: "$JIBRI_RECORDER_PASSWORD | ||||
| echo "matrix_jitsi_jibri_xmpp_password: "$JIBRI_XMPP_PASSWORD | ||||
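Review bot: When openssl is not installed the script still exits 0 and prints the five `matrix_jitsi_*` keys with empty values, because `$(generatePassword)` just yields an empty string; the two comment lines echoed at the top warn about this but nothing enforces it, and a user who pastes that output gets exactly the empty-string configuration that validate_config.yml in this commit rejects. Add `set -euo pipefail` after the shebang and a `command -v openssl` check that fails to stderr before anything is printed, so the failure is visible instead of silently producing unusable output. The five output lines also place the expansion outside the quotes (`echo "...: "$VAR`), which happens to work for hex output but is the unquoted-expansion pattern ShellCheck flags; `printf '%s: %s\n' key "$VAR"` keeps each value quoted.
```shell
#!/usr/bin/env bash
set -euo pipefail

# … unchanged: generatePassword …

command -v openssl >/dev/null 2>&1 || {
  echo "Error: openssl is not installed; install it or create your own passwords manually." >&2
  exit 1
}

# … unchanged: header echo lines and password generation …

printf '%s: %s\n' matrix_jitsi_jicofo_component_secret "$JICOFO_COMPONENT_SECRET"
printf '%s: %s\n' matrix_jitsi_jicofo_auth_password "$JICOFO_AUTH_PASSWORD"
printf '%s: %s\n' matrix_jitsi_jvb_auth_password "$JVB_AUTH_PASSWORD"
printf '%s: %s\n' matrix_jitsi_jibri_recorder_password "$JIBRI_RECORDER_PASSWORD"
printf '%s: %s\n' matrix_jitsi_jibri_xmpp_password "$JIBRI_XMPP_PASSWORD"
```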
| @@ -23,9 +23,9 @@ matrix_jitsi_recorder_domain: recorder.meet.jitsi | ||||
| matrix_jitsi_jibri_brewery_muc: jibribrewery | ||||
| matrix_jitsi_jibri_pending_timeout: 90 | ||||
| matrix_jitsi_jibri_xmpp_user: jibri | ||||
| matrix_jitsi_jibri_xmpp_password: jibri-password | ||||
| matrix_jitsi_jibri_xmpp_password: '' | ||||
| matrix_jitsi_jibri_recorder_user: recorder | ||||
| matrix_jitsi_jibri_recorder_password: recorder-password | ||||
| matrix_jitsi_jibri_recorder_password: '' | ||||
|  | ||||
|  | ||||
| matrix_jitsi_web_docker_image: "jitsi/web:4384" | ||||
| @@ -98,9 +98,9 @@ matrix_jitsi_jicofo_container_extra_arguments: [] | ||||
| # List of systemd services that matrix-jitsi-jicofo.service depends on | ||||
| matrix_jitsi_jicofo_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service'] | ||||
|  | ||||
| matrix_jitsi_jicofo_component_secret: s3cr37 | ||||
| matrix_jitsi_jicofo_component_secret: '' | ||||
| matrix_jitsi_jicofo_auth_user: focus | ||||
| matrix_jitsi_jicofo_auth_password: passw0rd | ||||
| matrix_jitsi_jicofo_auth_password: '' | ||||
|  | ||||
|  | ||||
| matrix_jitsi_jvb_docker_image: "jitsi/jvb:4384" | ||||
| @@ -116,7 +116,7 @@ matrix_jitsi_jvb_container_extra_arguments: [] | ||||
| matrix_jitsi_jvb_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service'] | ||||
|  | ||||
| matrix_jitsi_jvb_auth_user: jvb | ||||
| matrix_jitsi_jvb_auth_password: passw0rd | ||||
| matrix_jitsi_jvb_auth_password: '' | ||||
|  | ||||
| # STUN servers used by JVB on the server-side, so it can discover its own external IP address. | ||||
| # Pointing this to a STUN server running on the same Docker network may lead to incorrect IP address discovery. | ||||
|   | ||||
| @@ -2,6 +2,12 @@ | ||||
|   tags: | ||||
|     - always | ||||
|  | ||||
| - import_tasks: "{{ role_path }}/tasks/validate_config.yml" | ||||
|   when: "run_setup|bool and matrix_jitsi_enabled|bool" | ||||
|   tags: | ||||
|     - setup-all | ||||
|     - setup-jitsi | ||||
|  | ||||
| - import_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml" | ||||
|   when: run_setup|bool | ||||
|   tags: | ||||
|   | ||||
| @@ -34,6 +34,13 @@ | ||||
|     - logging.properties | ||||
|   when: matrix_jitsi_enabled|bool | ||||
|  | ||||
| - name: Ensure jitsi-jvb environment variables file created | ||||
|   template: | ||||
|     src: "{{ role_path }}/templates/jvb/env.j2" | ||||
|     dest: "{{ matrix_jitsi_jvb_base_path }}/env" | ||||
|     mode: 0640 | ||||
|   when: matrix_jitsi_enabled|bool | ||||
|  | ||||
| - name: Ensure matrix-jitsi-jvb.service installed | ||||
|   template: | ||||
|     src: "{{ role_path }}/templates/jvb/matrix-jitsi-jvb.service.j2" | ||||
|   | ||||
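Review bot: The env file written by the new "Ensure jitsi-jvb environment variables file created" task holds the JVB password (see the env.j2 file added in this commit), and `mode: 0640` only restricts readers relative to the file's owner and group, which this task does not set; the file will belong to whichever account Ansible connects as. The neighbouring tasks in this file are outside the hunk, so I cannot tell whether they set `owner:`/`group:`; if they do, add the same `owner:` and `group:` here so that only the account that runs the container can read the file and nothing else on the host can.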
							
								
								
									
										21
									
								
								roles/matrix-jitsi/tasks/validate_config.yml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,21 @@ | ||||
| --- | ||||
|  | ||||
| - name: Fail if required Jitsi settings not defined | ||||
|   fail: | ||||
|     msg: >- | ||||
|       You need to define a required configuration setting (`{{ item }}`) for using Jitsi. | ||||
|  | ||||
|       If you're setting up Jitsi for the first time, you may have missed a step. | ||||
|       Refer to our setup instructions (docs/configuring-playbook-jitsi.md). | ||||
|  | ||||
|       If you had setup Jitsi successfully before and it's just now that you're observing this failure, | ||||
|       it means that your installation may be using some default passwords that the playbook used to define until now. | ||||
|       This is not secure and we urge you to rebuild your Jitsi setup. | ||||
|       Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md). | ||||
|   when: "vars[item] == ''" | ||||
|   with_items: | ||||
|     - "matrix_jitsi_jibri_xmpp_password" | ||||
|     - "matrix_jitsi_jibri_recorder_password" | ||||
|     - "matrix_jitsi_jicofo_component_secret" | ||||
|     - "matrix_jitsi_jicofo_auth_password" | ||||
|     - "matrix_jitsi_jvb_auth_password" | ||||
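Review bot: `when: "vars[item] == ''"` only catches an empty value, so an inventory that still carries the previous defaults removed in this commit (`passw0rd`, `jibri-password`, `recorder-password`, `s3cr37`) passes validation, even though the failure message tells the user their installation may be using those old defaults. Extend the condition to also fail on the known old values, e.g. `when: "vars[item] == '' or vars[item] in ['passw0rd', 'jibri-password', 'recorder-password', 's3cr37']"`, so the message fires in the case it describes. `vars[item]` also raises an undefined-variable error rather than this message if one of the five keys is ever missing from the defaults; `vars[item] | default('') == ''` keeps the friendly message in that case.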
							
								
								
									
										1
									
								
								roles/matrix-jitsi/templates/jvb/env.j2
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1 @@ | ||||
| JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} | ||||
| @@ -14,6 +14,7 @@ ExecStartPre=-/usr/bin/docker rm matrix-jitsi-jvb | ||||
| ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jvb \ | ||||
| 			--log-driver=none \ | ||||
| 			--network={{ matrix_docker_network }} \ | ||||
| 			--env-file={{ matrix_jitsi_jvb_base_path }}/env \ | ||||
| 			{% if matrix_jitsi_jvb_container_rtp_udp_host_bind_port %} | ||||
| 			-p {{ matrix_jitsi_jvb_container_rtp_udp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_udp_port }}/udp \ | ||||
| 			{% endif %} | ||||
|   | ||||