From 0b409eb0fa1743e21fb44a62011145453a6cc3bc Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sun, 11 Jul 2021 15:02:12 +0200 Subject: jitsi/meet: add support for authentication --- dan/host_vars/ele-jitsi.yml | 35 ++++++++++++++----------- inventory/host_vars/ele-jitsi.yml | 5 ++++ roles/apps/jitsi/meet/defaults/main.yml | 5 ++++ roles/apps/jitsi/meet/tasks/main.yml | 10 ++++++- roles/apps/jitsi/meet/templates/pod-spec.yml.j2 | 32 ++++++++++++++++++++++ 5 files changed, 70 insertions(+), 17 deletions(-) diff --git a/dan/host_vars/ele-jitsi.yml b/dan/host_vars/ele-jitsi.yml index d71e3c55..3ef1aa07 100644 --- a/dan/host_vars/ele-jitsi.yml +++ b/dan/host_vars/ele-jitsi.yml @@ -1,17 +1,20 @@ $ANSIBLE_VAULT;1.2;AES256;dan -34623034376362646263646135343634633661633838383032623565613333383532623530366538 -3035376538376264303234383335303232303462306137330a393738356537363239643466646533 -65343864643135643831323233336435373331366638396235306632646238623266663163653763 -3133323639393964620a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a356335306364306331353736613036 +62643965613432333332623235646365396431323265303862393836303531623039353233623433 +3736303336383538620a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diff --git a/inventory/host_vars/ele-jitsi.yml b/inventory/host_vars/ele-jitsi.yml index cb48b466..8f5d881b 100644 --- a/inventory/host_vars/ele-jitsi.yml +++ b/inventory/host_vars/ele-jitsi.yml @@ -37,3 +37,8 @@ jitsi_meet_hostname: remote.elev8.at jitsi_meet_p2p_enable: no jitsi_meet_secrets: "{{ vault_jitsi_meet_secrets }}" + +jitsi_meet_auth: + enable_guests: yes + users: + operator: "{{ vault_jitsi_meet_auth_user_passwords['operator'] }}" diff --git a/roles/apps/jitsi/meet/defaults/main.yml b/roles/apps/jitsi/meet/defaults/main.yml index c27726f0..9f249f0e 100644 --- a/roles/apps/jitsi/meet/defaults/main.yml +++ b/roles/apps/jitsi/meet/defaults/main.yml 
@@ -17,3 +17,8 @@ jitsi_meet_timezone: Europe/Vienna # jicofo_component_secret: "" ### only needed for versions older than stable-5765-1 # jicofo_auth_password: "" # jvb_auth_password: "" + +# jitsi_meet_auth: +# enable_guests: true +# users: +# foo: secret diff --git a/roles/apps/jitsi/meet/tasks/main.yml b/roles/apps/jitsi/meet/tasks/main.yml index 0efbf726..b433a900 100644 --- a/roles/apps/jitsi/meet/tasks/main.yml +++ b/roles/apps/jitsi/meet/tasks/main.yml @@ -14,8 +14,16 @@ content: | #!/usr/bin/with-contenv bash sed -e 's#^\(component_interface\s*=\)#-- \1#g' -i /config/prosody.cfg.lua + {% if jitsi_meet_auth is defined %} + + echo "authentication enabled:" + {% for username, password in jitsi_meet_auth.users.items() %} + echo " * registering user: {{ username }}" + prosodyctl --config "/config/prosody.cfg.lua" register "{{ username }}" $XMPP_DOMAIN "{{ password }}" + {% endfor %} + {% endif %} dest: "{{ jitsi_meet_base_path }}/{{ jitsi_meet_inst_name }}/scripts/prosody/cont-init.sh" - mode: 0755 + mode: 0750 - name: install pod manifest vars: diff --git a/roles/apps/jitsi/meet/templates/pod-spec.yml.j2 b/roles/apps/jitsi/meet/templates/pod-spec.yml.j2 index 9de6659d..0d6905a0 100644 --- a/roles/apps/jitsi/meet/templates/pod-spec.yml.j2 +++ b/roles/apps/jitsi/meet/templates/pod-spec.yml.j2 @@ -22,6 +22,13 @@ containers: subPath: jicofo mountPath: /config env: +{% if jitsi_meet_auth is defined %} + - name: ENABLE_AUTH + value: "1" + - name: AUTH_TYPE + value: "internal" + +{% endif %} - name: XMPP_SERVER value: 127.0.0.1 - name: XMPP_DOMAIN @@ -59,6 +66,7 @@ containers: - name: scripts subPath: prosody/cont-init.sh mountPath: /etc/cont-init.d/99-k8s + readOnly: yes - name: config subPath: prosody mountPath: /config 
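Review bot: The commented example `foo: secret` suggests a literal password in plain variables and does not say what happens when keys are left out. I would extend the comment with lines such as `### take passwords from an encrypted vault variable` and `### enable_guests defaults to false when omitted`, which matches the `default(false)` in pod-spec.yml.j2 and the vault lookup in inventory/host_vars/ele-jitsi.yml. It is also worth stating that `users` is required once `jitsi_meet_auth` is defined, since the init-script template iterates `jitsi_meet_auth.users.items()` unconditionally.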
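Review bot: The added `prosodyctl ... register` line pastes `{{ username }}` and `{{ password }}` between hand-written double quotes in a bash script, so a value containing `"`, `$`, a backtick or a backslash is expanded by the shell or breaks the command. Let Ansible do the quoting, and quote the domain as well: `prosodyctl --config "/config/prosody.cfg.lua" register {{ username | quote }} "$XMPP_DOMAIN" {{ password | quote }}`. The rendered cont-init.sh now contains plaintext passwords, so the `mode: 0750` tightening only helps if the file's group is restricted; the task begins outside this hunk, so I cannot see whether `owner`/`group` or `no_log: true` are set, and both look worth adding. Writing the mode as `mode: "0750"` would also avoid relying on YAML octal parsing.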
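Review bot: The `ENABLE_AUTH`/`AUTH_TYPE` block added under the `env:` of the container mounting `subPath: jicofo` is repeated by hand in the two later env hunks of this template (`@@ -68,10 +76,23 @@` and `@@ -121,10 +142,21 @@`), each behind its own copy of `jitsi_meet_auth is defined`. If one copy is edited later and the others are not, the containers would disagree about whether authentication is on, which is hard to spot in a rendered manifest. Consider computing the decision once at the top of the template, e.g. `{% set jitsi_auth_enabled = jitsi_meet_auth is defined %}`, and testing that variable in all three places. The container definitions start and end outside these hunks.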
@@ -68,10 +76,23 @@ containers: - name: ENABLE_LOBBY value: "1" +{% if jitsi_meet_auth is defined %} + - name: ENABLE_AUTH + value: "1" + - name: AUTH_TYPE + value: "internal" + - name: ENABLE_GUESTS + value: "{{ (jitsi_meet_auth.enable_guests | default(false)) | ternary('1', '0') }}" + +{% endif %} - name: XMPP_DOMAIN value: meet.jitsi - name: XMPP_AUTH_DOMAIN value: auth.meet.jitsi +{% if jitsi_meet_auth is defined and (jitsi_meet_auth.enable_guests | default(false)) %} + - name: XMPP_GUEST_DOMAIN + value: guest.meet.jitsi +{% endif %} - name: XMPP_MUC_DOMAIN value: muc.meet.jitsi - name: XMPP_INTERNAL_MUC_DOMAIN @@ -121,10 +142,21 @@ containers: - name: ENABLE_P2P value: "{{ jitsi_meet_p2p_enable | ternary('true', 'false') }}" +{% if jitsi_meet_auth is defined %} + - name: ENABLE_AUTH + value: "1" + - name: ENABLE_GUESTS + value: "{{ (jitsi_meet_auth.enable_guests | default(false)) | ternary('1', '0') }}" + +{% endif %} - name: XMPP_DOMAIN value: meet.jitsi - name: XMPP_AUTH_DOMAIN value: auth.meet.jitsi +{% if jitsi_meet_auth is defined and (jitsi_meet_auth.enable_guests | default(false)) %} + - name: XMPP_GUEST_DOMAIN + value: guest.meet.jitsi +{% endif %} - name: XMPP_MUC_DOMAIN value: muc.meet.jitsi - name: XMPP_BOSH_URL_BASE -- cgit v1.2.3
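Review bot: `jitsi_meet_auth.enable_guests | default(false)` is tested for truthiness without a `bool` cast, so a string value such as `"false"` or `"no"` (for example a quoted inventory value) is non-empty, renders `ENABLE_GUESTS` as `"1"` and adds `XMPP_GUEST_DOMAIN`. That fails open: guest access is switched on when the operator meant to disable it. Cast before use, e.g. `{{ (jitsi_meet_auth.enable_guests | default(false) | bool) | ternary('1', '0') }}`, and apply the same cast in the `{% if ... %}` conditions. The expression appears in both hunks on this page line (`@@ -68,10 +76,23 @@` and `@@ -121,10 +142,21 @@`).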