Merge branch 'master' into pub.solar

2020-04-08 16:12:50 +02:00 · 2020-04-08 16:12:50 +02:00 · c537c12e31
parent 925c9e99e5 e290b1be95
commit c537c12e31
10 changed files with 101 additions and 15 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,5 @@
 /inventory/*
 !/inventory/.gitkeep
 !/inventory/host_vars/.gitkeep
+!/inventory/scripts
 /roles/*/files/scratchpad
--- a/docs/configuring-playbook-jitsi.md
+++ b/docs/configuring-playbook-jitsi.md
@ -23,8 +23,17 @@ Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:

 ```yaml
 matrix_jitsi_enabled: true
+
+# Run `bash inventory/scripts/jitsi-generate-passwords.sh` to generate these passwords,
+# or define your own strong passwords manually.
+matrix_jitsi_jicofo_component_secret: ""
+matrix_jitsi_jicofo_auth_password: ""
+matrix_jitsi_jvb_auth_password: ""
+matrix_jitsi_jibri_recorder_password: ""
+matrix_jitsi_jibri_xmpp_password: ""
 ```

+
 ## (Optional) configure internal Jitsi authentication and guests mode

 By default the Jitsi Meet instance does not require any kind of login and is open to use for anyone without registration.
@ -55,11 +64,7 @@ docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua reg

 Run this command for each user you would like to create, replacing `<USERNAME>` and `<PASSWORD>` accordingly. After you've finished, please exit the host.

-**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. The playbook can't yet rebuild all configuration files for some Jitsi services (like `matrix-jitsi-prosody`), which may cause such an error. **If you encounter this error**, we encourage you to:
- stop all Jitsi services (`systemctl stop matrix-jitsi-*`)
- remove the Jitsi Prosody configuration & data (`rm -rf /matrix/jitsi/prosody`)
- rebuild Jitsi configuration and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`)
- try the previously-failing command once again
+**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation).


 ## Usage
@ -67,3 +72,21 @@ Run this command for each user you would like to create, replacing `<USERNAME>`
 You can use the self-hosted Jitsi server through Riot, through an Integration Manager like [Dimension](docs/configuring-playbook-dimension.md) or directly at `https://jitsi.DOMAIN`.

 To use it via riot-web (the one configured by the playbook at `https://riot.DOMAIN`), just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server.
+
+
+## Troubleshooting
+
+### Rebuilding your Jitsi installation
+
+**If you ever run into any trouble** or **if you change configuration (`matrix_jitsi_*` variables) too much**, we urge you to rebuild your Jitsi setup.
+
+We normally don't require such manual intervention for other services, but Jitsi services generate a lot of configuration files on their own.
+
+These files are not all managed by Ansible (at least not yet), so you may sometimes need to delete them all and start fresh.
+
+To rebuild your Jitsi configuration:
+
+- SSH into the server and do this:
+  - stop all Jitsi services (`systemctl stop matrix-jitsi-*`).
+  - remove all Jitsi configuration & data (`rm -rf /matrix/jitsi`)
+- ask Ansible to set up Jitsi anew and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`)
--- a/docs/self-building.md
+++ b/docs/self-building.md
@ -4,7 +4,7 @@ The playbook supports the self-building of some of its components. This may be u

 To use these modification there is a variable that needs to be switched to enable this functionality. Add this to your `vars.yaml` file:
 ```yaml
-matrix_container_images_self_build = true
+matrix_container_images_self_build: true
 ```
 Setting that variable will self-build every role which supports self-building. Self-building can be set on a per-role basis as well.

--- a/inventory/scripts/jitsi-generate-passwords.sh
+++ b/inventory/scripts/jitsi-generate-passwords.sh
@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+# This is a bash script for generating strong passwords for the Jitsi role in this ansible project:
+# https://github.com/spantaleev/matrix-docker-ansible-deploy
+
+function generatePassword() {
+    openssl rand -hex 16
+}
+
+echo "# If this script fails, it's likely because you don't have the openssl tool installed."
+echo "# Install it before using this script, or simply create your own passwords manually."
+
+echo ""
+
+JICOFO_COMPONENT_SECRET=$(generatePassword)
+JICOFO_AUTH_PASSWORD=$(generatePassword)
+JVB_AUTH_PASSWORD=$(generatePassword)
+JIBRI_RECORDER_PASSWORD=$(generatePassword)
+JIBRI_XMPP_PASSWORD=$(generatePassword)
+
+echo "# Paste these variables into your inventory/host_vars/matrix.DOMAIN/vars.yml file:"
+echo ""
+echo "matrix_jitsi_jicofo_component_secret: "$JICOFO_COMPONENT_SECRET
+echo "matrix_jitsi_jicofo_auth_password: "$JICOFO_AUTH_PASSWORD
+echo "matrix_jitsi_jvb_auth_password: "$JVB_AUTH_PASSWORD
+echo "matrix_jitsi_jibri_recorder_password: "$JIBRI_RECORDER_PASSWORD
+echo "matrix_jitsi_jibri_xmpp_password: "$JIBRI_XMPP_PASSWORD
--- a/roles/matrix-jitsi/defaults/main.yml
+++ b/roles/matrix-jitsi/defaults/main.yml
@ -23,12 +23,12 @@ matrix_jitsi_recorder_domain: recorder.meet.jitsi
 matrix_jitsi_jibri_brewery_muc: jibribrewery
 matrix_jitsi_jibri_pending_timeout: 90
 matrix_jitsi_jibri_xmpp_user: jibri
-matrix_jitsi_jibri_xmpp_password: jibri-password
+matrix_jitsi_jibri_xmpp_password: ''
 matrix_jitsi_jibri_recorder_user: recorder
-matrix_jitsi_jibri_recorder_password: recorder-password
+matrix_jitsi_jibri_recorder_password: ''


-matrix_jitsi_web_docker_image: "jitsi/web:4101"
+matrix_jitsi_web_docker_image: "jitsi/web:4384"
 matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}"

 matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web"
@ -73,7 +73,7 @@ matrix_jitsi_web_interface_config_show_powered_by: false
 matrix_jitsi_web_interface_config_disable_transcription_subtitles: false
 matrix_jisti_web_interface_config_show_deep_linking_image: false

-matrix_jitsi_prosody_docker_image: "jitsi/prosody:4101"
+matrix_jitsi_prosody_docker_image: "jitsi/prosody:4384"
 matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}"

 matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody"
@ -86,7 +86,7 @@ matrix_jitsi_prosody_container_extra_arguments: []
 matrix_jitsi_prosody_systemd_required_services_list: ['docker.service']


-matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4101"
+matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4384"
 matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}"

 matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo"
@ -98,12 +98,12 @@ matrix_jitsi_jicofo_container_extra_arguments: []
 # List of systemd services that matrix-jitsi-jicofo.service depends on
 matrix_jitsi_jicofo_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service']

-matrix_jitsi_jicofo_component_secret: s3cr37
+matrix_jitsi_jicofo_component_secret: ''
 matrix_jitsi_jicofo_auth_user: focus
-matrix_jitsi_jicofo_auth_password: passw0rd
+matrix_jitsi_jicofo_auth_password: ''


-matrix_jitsi_jvb_docker_image: "jitsi/jvb:4101"
+matrix_jitsi_jvb_docker_image: "jitsi/jvb:4384"
 matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}"

 matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb"
@ -116,7 +116,7 @@ matrix_jitsi_jvb_container_extra_arguments: []
 matrix_jitsi_jvb_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service']

 matrix_jitsi_jvb_auth_user: jvb
-matrix_jitsi_jvb_auth_password: passw0rd
+matrix_jitsi_jvb_auth_password: ''

 # STUN servers used by JVB on the server-side, so it can discover its own external IP address.
 # Pointing this to a STUN server running on the same Docker network may lead to incorrect IP address discovery.
--- a/roles/matrix-jitsi/tasks/main.yml
+++ b/roles/matrix-jitsi/tasks/main.yml
@ -2,6 +2,12 @@
  tags:
    - always

+- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
+  when: "run_setup|bool and matrix_jitsi_enabled|bool"
+  tags:
+    - setup-all
+    - setup-jitsi
+
 - import_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml"
  when: run_setup|bool
  tags:
--- a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml
+++ b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml
@ -34,6 +34,13 @@
    - logging.properties
  when: matrix_jitsi_enabled|bool

+- name: Ensure jitsi-jvb environment variables file created
+  template:
+    src: "{{ role_path }}/templates/jvb/env.j2"
+    dest: "{{ matrix_jitsi_jvb_base_path }}/env"
+    mode: 0640
+  when: matrix_jitsi_enabled|bool
+
 - name: Ensure matrix-jitsi-jvb.service installed
  template:
    src: "{{ role_path }}/templates/jvb/matrix-jitsi-jvb.service.j2"
--- a/roles/matrix-jitsi/tasks/validate_config.yml
+++ b/roles/matrix-jitsi/tasks/validate_config.yml
@ -0,0 +1,21 @@
+---
+
+- name: Fail if required Jitsi settings not defined
+  fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item }}`) for using Jitsi.
+
+      If you're setting up Jitsi for the first time, you may have missed a step.
+      Refer to our setup instructions (docs/configuring-playbook-jitsi.md).
+
+      If you had setup Jitsi successfully before and it's just now that you're observing this failure,
+      it means that your installation may be using some default passwords that the playbook used to define until now.
+      This is not secure and we urge you to rebuild your Jitsi setup.
+      Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md).
+  when: "vars[item] == ''"
+  with_items:
+    - "matrix_jitsi_jibri_xmpp_password"
+    - "matrix_jitsi_jibri_recorder_password"
+    - "matrix_jitsi_jicofo_component_secret"
+    - "matrix_jitsi_jicofo_auth_password"
+    - "matrix_jitsi_jvb_auth_password"
--- a/roles/matrix-jitsi/templates/jvb/env.j2
+++ b/roles/matrix-jitsi/templates/jvb/env.j2
@ -0,0 +1 @@
+JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }}
--- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2
+++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2
@ -14,6 +14,7 @@ ExecStartPre=-/usr/bin/docker rm matrix-jitsi-jvb
 ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jvb \
 			--log-driver=none \
 			--network={{ matrix_docker_network }} \
+			--env-file={{ matrix_jitsi_jvb_base_path }}/env \
 			{% if matrix_jitsi_jvb_container_rtp_udp_host_bind_port %}
 			-p {{ matrix_jitsi_jvb_container_rtp_udp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_udp_port }}/udp \
 			{% endif %}
				`@ -0,0 +1 @@`
				`JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }}`