Merge pull request #444 from teutat3s/jitsi_security_update

Jitsi security update
před 6 roky · 5a8068d8d1
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 /inventory/*
 !/inventory/.gitkeep
 !/inventory/host_vars/.gitkeep
 !/inventory/scripts
 /roles/*/files/scratchpad
--- a/docs/configuring-playbook-jitsi.md
+++ b/docs/configuring-playbook-jitsi.md
@@ -25,6 +25,17 @@ Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
 matrix_jitsi_enabled: true
 ```
 ## Securing your Jitsi instance with strong passwords
 Please use the bash script provided in this repo to generate strong passwords for your Jitsi instance.
 Execute the following commands in your terminal from the root of this repo:
 ```bash
 cd inventory/scripts
 bash generate-jitsi-passwords.sh
 ```
 The script will add the corresponding ansible variables and passwords generated with `openssl rand -hex 16` to the bottom of your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration.
 ## (Optional) configure internal Jitsi authentication and guests mode
 By default the Jitsi Meet instance does not require any kind of login and is open to use for anyone without registration.
--- a/inventory/scripts/generate-jitsi-passwords.sh
+++ b/inventory/scripts/generate-jitsi-passwords.sh
@@ -0,0 +1,50 @@
 #!/usr/bin/env bash
 # This is a bash script for generating strong passwords for the Jitsi role in this ansible project:
 # https://github.com/spantaleev/matrix-docker-ansible-deploy
 # This script assumes that you followed the documentation at https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook.md and created a folder in the source code's directory like this: 'mkdir inventory/host_vars/matrix.<your-domain>'
 # it will put the generated passwords for Jitsi at the end of the vars.yml file in that directory
 function generatePassword() {
    openssl rand -hex 16
 }
 # helper function to get the matrix domain in the host_vars directory
 function get_domain_dir() {
 	counter=0
 	for f in *; do
 	    counter=$(( counter + 1 ))
 	    if [ ! -d "$f" ]; then
            echo "Error: could not find directory 'matrix.your.domain'"
            echo "Did you create it already? Please first setup your matrix homeserver before running this script."
            echo "You should start here: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/prerequisites.md"
            exit 1
        elif [[ "$counter" -gt 1 ]]; then
            echo "Error: multiple directories found in ../host_vars/. Only one directory like 'matrix.your.domain' expected."
            echo "Please make sure there is only one directory holding your vars.yml for this ansible playbook."
            echo "Cannot continue script, exiting."
            exit 1
        fi
 	    # Will not set domain if zero or multiple directories are detected
 	    domain=$f
 	done
 }
 cd ../host_vars
 get_domain_dir
 JICOFO_COMPONENT_SECRET=$(generatePassword)
 JICOFO_AUTH_PASSWORD=$(generatePassword)
 JVB_AUTH_PASSWORD=$(generatePassword)
 JIBRI_RECORDER_PASSWORD=$(generatePassword)
 JIBRI_XMPP_PASSWORD=$(generatePassword)
 echo "" >> ../host_vars/${domain}/vars.yml
 echo "Jitsi passwords generated by inventory/scripts/gen-passwords.sh" >> ../host_vars/${domain}/vars.yml
 echo "matrix_jitsi_jicofo_component_secret: $JICOFO_COMPONENT_SECRET" >> ../host_vars/${domain}/vars.yml
 echo "matrix_jitsi_jicofo_auth_password: $JICOFO_AUTH_PASSWORD" >> ../host_vars/${domain}/vars.yml
 echo "matrix_jitsi_jvb_auth_password: $JVB_AUTH_PASSWORD" >> ../host_vars/${domain}/vars.yml
 echo "matrix_jitsi_jibri_recorder_password: $JIBRI_RECORDER_PASSWORD" >> ../host_vars/${domain}/vars.yml
 echo "matrix_jitsi_jibri_xmpp_password: $JIBRI_XMPP_PASSWORD" >> ../host_vars/${domain}/vars.yml
--- a/roles/matrix-jitsi/defaults/main.yml
+++ b/roles/matrix-jitsi/defaults/main.yml
@@ -28,7 +28,7 @@ matrix_jitsi_jibri_recorder_user: recorder
 matrix_jitsi_jibri_recorder_password: recorder-password
 matrix_jitsi_web_docker_image: "jitsi/web:4101"
 matrix_jitsi_web_docker_image: "jitsi/web:4384"
 matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}"
 matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web"
@@ -73,7 +73,7 @@ matrix_jitsi_web_interface_config_show_powered_by: false
 matrix_jitsi_web_interface_config_disable_transcription_subtitles: false
 matrix_jisti_web_interface_config_show_deep_linking_image: false
 matrix_jitsi_prosody_docker_image: "jitsi/prosody:4101"
 matrix_jitsi_prosody_docker_image: "jitsi/prosody:4384"
 matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}"
 matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody"
@@ -86,7 +86,7 @@ matrix_jitsi_prosody_container_extra_arguments: []
 matrix_jitsi_prosody_systemd_required_services_list: ['docker.service']
 matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4101"
 matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4384"
 matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}"
 matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo"
@@ -103,7 +103,7 @@ matrix_jitsi_jicofo_auth_user: focus
 matrix_jitsi_jicofo_auth_password: passw0rd
 matrix_jitsi_jvb_docker_image: "jitsi/jvb:4101"
 matrix_jitsi_jvb_docker_image: "jitsi/jvb:4384"
 matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}"
 matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb"