Merge branch 'master' into pub.solar

CHANGELOG.md

@@ -1,3 +1,14 @@
+# 2020-04-05
+
+## Private Jitsi support
+
+The [Jitsi support](#jitsi-support) we had landed a few weeks ago was working well, but it was always open to the whole world.
+
+Running such an open instance is not desirable to most people, so [teutat3s](https://github.com/teutat3s) has contributed support for making Jitsi use authentication.
+
+To make your Jitsi server more private, see the [configure internal Jitsi authentication and guests mode](docs/configuring-playbook-jitsi.md#optional-configure-internal-jitsi-authentication-and-guests-mode) section in our Jitsi documentation.
+
+
 # 2020-04-03
 
 ## (Potential Backward Compatibility Break) ma1sd replaces mxisd

docs/configuring-playbook-jitsi.md

@@ -25,8 +25,42 @@ Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
 matrix_jitsi_enabled: true
 ```
 
+## (Optional) configure internal Jitsi authentication and guests mode
+
+By default the Jitsi Meet instance does not require any kind of login and is open to use for anyone without registration.
+
+If you're fine with such an open Jitsi instance, please skip to [Apply changes](#apply-changes).
+
+If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's `internal` authentication and guests mode. With this optional configuration, all meeting rooms have to be opened by at least one registered user, after that guests are free to join. If a registered host is not present yet, guests are put on hold into a waiting room.
+
+Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
+
+```yaml
+matrix_jitsi_enable_auth: true
+matrix_jitsi_enable_guests: true
+```
+
+## Apply changes
+
 Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`
 
+## Required if configuring Jitsi with its internal authentication: register new users
+
+Until this gets integrated into the playbook, we need to register new users / meeting hosts for Jitsi manually.
+Please SSH into your matrix host machine and execute the following command targeting the `matrix-jitsi-prosody` container:
+
+```bash
+docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register <USERNAME> matrix-jitsi-web <PASSWORD>
+```
+
+Run this command for each user you would like to create, replacing `<USERNAME>` and `<PASSWORD>` accordingly. After you've finished, please exit the host.
+
+**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. The playbook can't yet rebuild all configuration files for some Jitsi services (like `matrix-jitsi-prosody`), which may cause such an error. **If you encounter this error**, we encourage you to:
+- stop all Jitsi services (`systemctl stop matrix-jitsi-*`)
+- remove the Jitsi Prosody configuration & data (`rm -rf /matrix/jitsi/prosody`)
+- rebuild Jitsi configuration and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`)
+- try the previously-failing command once again
+
 
 ## Usage
 

docs/configuring-well-known.md

@@ -107,7 +107,9 @@ server {
 **For Caddy**, it would be something like this:
 
 ```caddy
-proxy /.well-known/matrix https://matrix.DOMAIN
+reverse_proxy /.well-known/matrix/* https://matrix.DOMAIN {
+	header_up Host {http.reverse_proxy.upstream.hostport}
+}
 ```
 
 **For HAProxy**, it would be something like this:

roles/matrix-base/defaults/main.yml

@@ -33,6 +33,9 @@ matrix_systemd_path: "/etc/systemd/system"
 matrix_cron_path: "/etc/cron.d"
 matrix_local_bin_path: "/usr/local/bin"
 
+matrix_ntpd_package: "ntp"
+matrix_ntpd_service: "{{ 'ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp' }}"
+
 matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}"
 
 matrix_identity_server_url: ~

roles/matrix-base/tasks/server_base/setup.yml

@@ -18,8 +18,8 @@
     state: started
     enabled: yes
 
-- name: Ensure ntpd is started and autoruns
+- name: "Ensure {{ matrix_ntpd_service }} is started and autoruns"
   service:
-    name: "{{ 'ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp' }}"
+    name: "{{ matrix_ntpd_service }}"
     state: started
     enabled: yes

roles/matrix-base/tasks/server_base/setup_archlinux.yml

@@ -4,7 +4,7 @@
   pacman:
     name:
       - python-docker
-      - ntp
+      - "{{ matrix_ntpd_package }}"
       # TODO This needs to be verified. Which version do we need?
       - fuse3
       - python-dnspython

roles/matrix-base/tasks/server_base/setup_centos.yml

@@ -21,7 +21,7 @@
   yum:
     name:
       - docker-python
-      - ntp
+      - "{{ matrix_ntpd_package }}"
       - fuse
     state: latest
     update_cache: yes

roles/matrix-base/tasks/server_base/setup_debian.yml

@@ -28,7 +28,7 @@
   apt:
     name:
       - "python{{'3' if ansible_python.version.major == 3 else ''}}-docker"
-      - ntp
+      - "{{ matrix_ntpd_package }}"
       - fuse
     state: latest
     update_cache: yes

roles/matrix-base/tasks/server_base/setup_raspbian.yml

@@ -28,7 +28,7 @@
   apt:
     name:
       - python-docker
-      - ntp
+      - "{{ matrix_ntpd_package }}"
       - fuse
     state: latest
     update_cache: yes

roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml

@@ -36,17 +36,19 @@
     dest: "{{ matrix_mautrix_facebook_docker_src_files_path }}"
 #    version: "{{ matrix_coturn_docker_image.split(':')[1] }}"
     force: "yes"
+  register: matrix_mautrix_facebook_git_pull_results
   when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build"
 
 - name: Ensure Mautrix Facebook Docker image is built
   docker_image:
     name: "{{ matrix_mautrix_facebook_docker_image }}"
     source: build
+    force_source: yes
     build:
       dockerfile: Dockerfile
       path: "{{ matrix_mautrix_facebook_docker_src_files_path }}"
       pull: yes
-  when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build"
+  when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build and matrix_mautrix_facebook_git_pull_results.changed"
 
 - name: Check if an old database file already exists
   stat:

roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml

@@ -35,17 +35,19 @@
     repo: https://github.com/tulir/mautrix-hangouts.git
     dest: "{{ matrix_mautrix_hangouts_docker_src_files_path }}"
     force: "yes"
+  register: matrix_mautrix_hangouts_git_pull_results
   when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_container_image_self_build"
 
 - name: Ensure Mautrix Hangouts Docker image is built
   docker_image:
     name: "{{ matrix_mautrix_hangouts_docker_image }}"
     source: build
+    force_source: yes
     build:
       dockerfile: Dockerfile
       path: "{{ matrix_mautrix_hangouts_docker_src_files_path }}"
       pull: yes
-  when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_container_image_self_build"
+  when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_container_image_self_build and matrix_mautrix_hangouts_git_pull_results.changed"
 
 - name: Check if an old database file already exists
   stat:

roles/matrix-jitsi/defaults/main.yml

@@ -52,8 +52,26 @@ matrix_jitsi_web_container_extra_arguments: []
 matrix_jitsi_web_systemd_required_services_list: ['docker.service']
 
 matrix_jitsi_web_config_defaultLanguage: 'en'
-matrix_jitsi_web_interface_config_lang_detection: false
+matrix_jitsi_web_config_start_with_audio_muted: false
+matrix_jitsi_web_config_start_with_video_muted: false
+matrix_jitsi_web_config_testing_enableFirefoxSimulcast: false
+matrix_jitsi_web_config_testing_p2pTestMode: false
 
+matrix_jitsi_web_interface_config_lang_detection: false
+matrix_jitsi_web_interface_config_show_jitsi_watermark: true
+matrix_jitsi_web_interface_config_jitsi_watermark_link: "https://jitsi.org"
+matrix_jitsi_web_interface_config_show_brand_watermark: false
+matrix_jitsi_web_interface_config_brand_watermark_link: ""
+matrix_jitsi_web_interface_config_show_watermark_for_guests: true
+matrix_jitsi_web_interface_config_generate_room_names_on_welcome_page: true
+matrix_jitsi_web_interface_config_display_welcome_page_content: true
+matrix_jitsi_web_interface_config_app_name: "Jitsi Meet"
+matrix_jitsi_web_interface_config_native_app_name: "Jitsi Meet"
+matrix_jitsi_web_interface_config_provider_name: "Jitsi"
+matrix_jitsi_web_interface_config_invitation_powered_by: true
+matrix_jitsi_web_interface_config_show_powered_by: false
+matrix_jitsi_web_interface_config_disable_transcription_subtitles: false
+matrix_jisti_web_interface_config_show_deep_linking_image: false
 
 matrix_jitsi_prosody_docker_image: "jitsi/prosody:4101"
 matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}"

roles/matrix-jitsi/templates/web/config.js.j2

@@ -21,7 +21,7 @@ var config = {
         {% if matrix_jitsi_enable_auth %}
         {% if matrix_jitsi_enable_guests %}
         // When using authentication, domain for guest users.
-		anonymousdomain: '{{ matrix_jitsi_xmpp_guest_domain }}',
+        anonymousdomain: '{{ matrix_jitsi_xmpp_guest_domain }}',
         {% endif %}
 
         // Domain for authenticated users. Defaults to <domain>.
@@ -56,11 +56,11 @@ var config = {
 
     testing: {
         // Enables experimental simulcast support on Firefox.
-        enableFirefoxSimulcast: false,
+        enableFirefoxSimulcast: {{ matrix_jitsi_web_config_testing_enableFirefoxSimulcast|to_json }},
 
         // P2P test mode disables automatic switching to P2P when there are 2
         // participants in the conference.
-        p2pTestMode: false
+        p2pTestMode: {{ matrix_jitsi_web_config_testing_p2pTestMode|to_json }}
 
         // Enables the test specific features consumed by jitsi-meet-torture
         // testMode: false
@@ -93,6 +93,7 @@ var config = {
     // Start calls with audio muted. Unlike the option above, this one is only
     // applied locally. FIXME: having these 2 options is confusing.
     // startWithAudioMuted: false,
+    startWithAudioMuted: {{ matrix_jitsi_web_config_start_with_audio_muted|to_json }},
 
     // Enabling it (with #params) will disable local audio output of remote
     // participants and to enable it back a reload is needed.
@@ -137,6 +138,7 @@ var config = {
     // Start calls with video muted. Unlike the option above, this one is only
     // applied locally. FIXME: having these 2 options is confusing.
     // startWithVideoMuted: false,
+    startWithVideoMuted: {{ matrix_jitsi_web_config_start_with_video_muted|to_json }},
 
     // If set to true, prefer to use the H.264 video codec (if supported).
     // Note that it's not recommended to do this because simulcast is not

roles/matrix-jitsi/templates/web/interface_config.js.j2

@@ -16,22 +16,22 @@ var interfaceConfig = {
     TOOLBAR_ALWAYS_VISIBLE: false,
     DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
     DEFAULT_LOCAL_DISPLAY_NAME: 'me',
-    SHOW_JITSI_WATERMARK: true,
-    JITSI_WATERMARK_LINK: 'https://jitsi.org',
+    SHOW_JITSI_WATERMARK: {{ matrix_jitsi_web_interface_config_show_jitsi_watermark|to_json }},
+    JITSI_WATERMARK_LINK: {{ matrix_jitsi_web_interface_config_jitsi_watermark_link|to_json }},
 
     // if watermark is disabled by default, it can be shown only for guests
-    SHOW_WATERMARK_FOR_GUESTS: true,
-    SHOW_BRAND_WATERMARK: false,
-    BRAND_WATERMARK_LINK: '',
-    SHOW_POWERED_BY: false,
-    SHOW_DEEP_LINKING_IMAGE: false,
-    GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
-    DISPLAY_WELCOME_PAGE_CONTENT: true,
-    APP_NAME: 'Jitsi Meet',
-    NATIVE_APP_NAME: 'Jitsi Meet',
-    PROVIDER_NAME: 'Jitsi',
+    SHOW_WATERMARK_FOR_GUESTS: {{ matrix_jitsi_web_interface_config_show_watermark_for_guests|to_json }},
+    SHOW_BRAND_WATERMARK: {{ matrix_jitsi_web_interface_config_show_brand_watermark|to_json }},
+    BRAND_WATERMARK_LINK: {{ matrix_jitsi_web_interface_config_brand_watermark_link|to_json }},
+    SHOW_POWERED_BY: {{ matrix_jitsi_web_interface_config_show_powered_by|to_json }},
+    SHOW_DEEP_LINKING_IMAGE: {{ matrix_jisti_web_interface_config_show_deep_linking_image|to_json }},
+    GENERATE_ROOMNAMES_ON_WELCOME_PAGE: {{ matrix_jitsi_web_interface_config_generate_room_names_on_welcome_page|to_json }},
+    DISPLAY_WELCOME_PAGE_CONTENT: {{ matrix_jitsi_web_interface_config_display_welcome_page_content|to_json }},
+    APP_NAME: {{ matrix_jitsi_web_interface_config_app_name|to_json }},
+    NATIVE_APP_NAME: {{ matrix_jitsi_web_interface_config_native_app_name|to_json }},
+    PROVIDER_NAME: {{ matrix_jitsi_web_interface_config_provider_name|to_json }},
     LANG_DETECTION: {{ matrix_jitsi_web_interface_config_lang_detection|to_json }}, // Allow i18n to detect the system language
-    INVITATION_POWERED_BY: true,
+    INVITATION_POWERED_BY: {{ matrix_jitsi_web_interface_config_invitation_powered_by|to_json }},
 
     /**
      * If we should show authentication block in profile
@@ -92,7 +92,7 @@ var interfaceConfig = {
      *
      * @type {boolean}
      */
-    DISABLE_TRANSCRIPTION_SUBTITLES: false,
+    DISABLE_TRANSCRIPTION_SUBTITLES: {{ matrix_jitsi_web_interface_config_disable_transcription_subtitles|to_json }},
 
     /**
      * Whether the ringing sound in the call/ring overlay is disabled. If