diff --git a/README.md b/README.md
index e019be4..f4a2442 100644
--- a/README.md
+++ b/README.md
@@ -185,6 +185,10 @@ Variable | Description | Example
 `JWT_APP_SECRET` | Application secret known only to your token | my_jitsi_app_secret
 `JWT_ACCEPTED_ISSUERS` | (Optional) Set asap_accepted_issuers as a comma separated list | my_web_client,my_app_client
 `JWT_ACCEPTED_AUDIENCES` | (Optional) Set asap_accepted_audiences as a comma separated list | my_server1,my_server2
+`JWT_ASAP_KEYSERVER` | (Optional) Set asap_keyserver to a url where public keys can be found | https://example.com/asap
+`JWT_ALLOW_EMPTY` | (Optional) Allow anonymous users with no JWT while validating JWTs when provided | 0
+`JWT_AUTH_TYPE` | (Optional) Controls which module is used for processing incoming JWTs | token
+`JWT_TOKEN_AUTH_MODULE` | (Optional) Controls which module is used for validating JWTs | token_verification
 This can be tested using the [jwt.io] debugger. Use the following samople payload:
@@ -242,6 +246,8 @@ Variable | Description | Default value
 `XMPP_MODULES` | Custom Prosody modules for XMPP_DOMAIN (comma separated) | mod_info,mod_alert
 `XMPP_MUC_MODULES` | Custom Prosody modules for MUC component (comma separated) | mod_info,mod_alert
 `XMPP_INTERNAL_MUC_MODULES` | Custom Prosody modules for internal MUC component (comma separated) | mod_info,mod_alert
+`GLOBAL_MODULES` | Custom prosodule modules to load in global configuration (comma separated) | mod_statistics,mod_alert
+`GLOBAL_CONFIG` | Custom configuration string with escaped newlines | foo = bar;\nkey = val;
 `JICOFO_COMPONENT_SECRET` | XMPP component password for Jicofo | s3cr37
 `JICOFO_AUTH_USER` | XMPP user for Jicofo client connections | focus
 `JICOFO_AUTH_PASSWORD` | XMPP password for Jicofo client connections | passw0rd
@@ -267,6 +273,7 @@ Variable | Description | Default value
 `JIGASI_TRANSCRIBER_ADVERTISE_URL` | Jigasi post to the chat an url with transcription file | true
 `DISABLE_HTTPS` | Disable HTTPS, this can be useful if TLS connections are going to be handled outside of this setup | 1
 `ENABLE_HTTP_REDIRECT` | Redirects HTTP traffic to HTTPS | 1
+`LOG_LEVEL` | Controls which logs are output from prosody and associated modules | info
 ### Running behind NAT or on a LAN environment
diff --git a/docker-compose.yml b/docker-compose.yml
index 23c7235..fab5a5a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -45,6 +45,8 @@ services:
 - AUTH_TYPE
 - ENABLE_AUTH
 - ENABLE_GUESTS
+ - GLOBAL_MODULES
+ - GLOBAL_CONFIG
 - LDAP_URL
 - LDAP_BASE
 - LDAP_BINDDN
@@ -76,6 +78,11 @@ services:
 - JWT_APP_SECRET
 - JWT_ACCEPTED_ISSUERS
 - JWT_ACCEPTED_AUDIENCES
+ - JWT_ASAP_KEYSERVER
+ - JWT_ALLOW_EMPTY
+ - JWT_AUTH_TYPE
+ - JWT_TOKEN_AUTH_MODULE
+ - LOG_LEVEL
 - TZ
 networks:
 meet.jitsi:
diff --git a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua
index 839e9e7..40f1fd1 100644
--- a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua
+++ b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua
@@ -4,6 +4,10 @@ http_default_host = "{{ .Env.XMPP_DOMAIN }}"
 {{ $ENABLE_AUTH := .Env.ENABLE_AUTH | default "0" | toBool }}
 {{ $AUTH_TYPE := .Env.AUTH_TYPE | default "internal" }}
+{{ $JWT_ASAP_KEYSERVER := .Env.JWT_ASAP_KEYSERVER | default "" }}
+{{ $JWT_ALLOW_EMPTY := .Env.JWT_ALLOW_EMPTY | default "0" | toBool }}
+{{ $JWT_AUTH_TYPE := .Env.JWT_AUTH_TYPE | default "token" }}
+{{ $JWT_TOKEN_AUTH_MODULE := .Env.JWT_TOKEN_AUTH_MODULE | default "token_verification" }}
 {{ if and $ENABLE_AUTH (eq $AUTH_TYPE "jwt") .Env.JWT_ACCEPTED_ISSUERS }}
 asap_accepted_issuers = { "{{ join "\",\"" (splitList "," .Env.JWT_ACCEPTED_ISSUERS) }}" }
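Review bot: The four JWT_* template variables declared in the jitsi-meet.cfg.lua hunk carry no comment saying when they take effect, yet their only use sites (the `authentication`, `allow_empty_token` and `asap_key_server` lines, and the MUC module list) sit inside the `{{ if $ENABLE_AUTH }}` / `{{ if eq $AUTH_TYPE "jwt" }}` branches, so setting them under another AUTH_TYPE is silently a no-op. A one-line comment above the declarations would make that visible, e.g. `-- JWT_* settings below are only emitted when ENABLE_AUTH=1 and AUTH_TYPE=jwt`. It would also be worth noting there that `JWT_AUTH_TYPE` and `JWT_TOKEN_AUTH_MODULE` are pasted verbatim into Lua string literals, so they are expected to be Prosody module names and a value containing a double quote would break the rendered file.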
@@ -16,11 +20,15 @@ asap_accepted_audiences = { "{{ join "\",\"" (splitList "," .Env.JWT_ACCEPTED_AU
 VirtualHost "{{ .Env.XMPP_DOMAIN }}"
 {{ if $ENABLE_AUTH }}
 {{ if eq $AUTH_TYPE "jwt" }}
- authentication = "token"
+ authentication = "{{ $JWT_AUTH_TYPE }}"
 app_id = "{{ .Env.JWT_APP_ID }}"
 app_secret = "{{ .Env.JWT_APP_SECRET }}"
- allow_empty_token = false
- {{ else if eq $AUTH_TYPE "ldap" }}
+ allow_empty_token = {{ if $JWT_ALLOW_EMPTY }}true{{ else }}false{{ end }}
+ {{ if $JWT_ASAP_KEYSERVER }}
+ asap_key_server = "{{ .Env.JWT_ASAP_KEYSERVER }}"
+ {{ end }}
+
+ {{ else if eq $AUTH_TYPE "ldap" }}
 authentication = "cyrus"
 cyrus_application_name = "xmpp"
 allow_unencrypted_plain_auth = true
@@ -78,7 +86,7 @@ Component "{{ .Env.XMPP_MUC_DOMAIN }}" "muc"
 "{{ join "\";\n\"" (splitList "," .Env.XMPP_MUC_MODULES) }}";
 {{ end }}
 {{ if eq $AUTH_TYPE "jwt" }}
- "token_verification";
+ "{{ $JWT_TOKEN_AUTH_MODULE }}";
 {{ end }}
 }
diff --git a/prosody/rootfs/defaults/prosody.cfg.lua b/prosody/rootfs/defaults/prosody.cfg.lua
index 7ec5036..eb1038f 100644
--- a/prosody/rootfs/defaults/prosody.cfg.lua
+++ b/prosody/rootfs/defaults/prosody.cfg.lua
@@ -1,3 +1,5 @@
+{{ $LOG_LEVEL := .Env.LOG_LEVEL | default "info" }}
+
 -- Prosody Example Configuration File
 --
 -- Information on configuring Prosody can be found on our
@@ -70,6 +72,9 @@ modules_enabled = {
 --"watchregistrations"; -- Alert admins of registrations
 --"motd"; -- Send a message to users when they log in
 --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+ {{ if .Env.GLOBAL_MODULES }}
+ "{{ join "\";\n\"" (splitList "," .Env.GLOBAL_MODULES) }}";
+ {{ end }}
 };
 https_ports = { }
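Review bot: The new `asap_key_server` line reads `.Env.JWT_ASAP_KEYSERVER` directly while the guard immediately above it tests the `$JWT_ASAP_KEYSERVER` variable declared at the top of the template; both resolve to the same value today, but the pair should draw from one source so a later change to the default cannot desynchronise them: `asap_key_server = "{{ $JWT_ASAP_KEYSERVER }}"`. The `allow_empty_token` line is the one place in this hunk where the authentication posture is relaxed — per the README entry for JWT_ALLOW_EMPTY, clients presenting no token are admitted as anonymous while tokens that are presented are still validated — and that deserves a comment next to the line, e.g. `-- JWT_ALLOW_EMPTY=1 admits clients without a token; tokens that are present are still verified`. The VirtualHost block continues past the end of the hunk.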
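Review bot: In the prosody.cfg.lua `@@ -1,3 +1,5 @@` hunk the `$LOG_LEVEL` assignment is placed above the file's header comment, so the rendered prosody.cfg.lua now opens with an empty line instead of `-- Prosody Example Configuration File`; moving the assignment below the header block, the way jitsi-meet.cfg.lua keeps its template variables after `http_default_host`, keeps the header first and groups the template preamble with the settings it feeds. The value itself is only consumed in the `log` hunk further down, so a short note on the declaration, `{{/* LOG_LEVEL feeds the minimum console log level in the log table below */}}`, would help a reader find the use site.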
@@ -143,9 +148,13 @@ authentication = "internal_plain"
 -- Logs info and higher to /var/log
 -- Logs errors to syslog also
 log = {
- { levels = {min = "info"}, to = "console"};
+ { levels = {min = "{{ $LOG_LEVEL }}"}, to = "console"};
 }
+{{ if .Env.GLOBAL_CONFIG }}
+{{ join "\n" (splitList "\\n" .Env.GLOBAL_CONFIG) }}
+{{ end }}
+
+
 component_interface = { "*" }
 data_path = "/config/data"
diff --git a/prosody/rootfs/etc/cont-init.d/10-config b/prosody/rootfs/etc/cont-init.d/10-config
index 2578f18..d334eaa 100644
--- a/prosody/rootfs/etc/cont-init.d/10-config
+++ b/prosody/rootfs/etc/cont-init.d/10-config
@@ -31,6 +31,7 @@ fi
 if [[ ! -f $PROSODY_CFG ]]; then
 cp -r /defaults/* /config
+ tpl /defaults/prosody.cfg.lua > $PROSODY_CFG
 tpl /defaults/conf.d/jitsi-meet.cfg.lua > /config/conf.d/jitsi-meet.cfg.lua
 prosodyctl --config $PROSODY_CFG register $JICOFO_AUTH_USER $XMPP_AUTH_DOMAIN $JICOFO_AUTH_PASSWORD
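Review bot: The comment two lines above the changed `log` entry, `-- Logs info and higher to /var/log`, is now stale: the minimum level comes from LOG_LEVEL and the sink on that line is the console, so it should read `-- Logs LOG_LEVEL (default info) and higher to the console`. LOG_LEVEL is interpolated into the Lua string without being checked against Prosody's level names (debug, info, warn, error, as far as I recall), so a typo is only discovered when Prosody starts; at minimum the comment should list the accepted values. The new GLOBAL_CONFIG block splices the variable's text into the file verbatim, and since prosody.cfg.lua is parsed as Lua that text is executed as configuration, so a comment such as `-- GLOBAL_CONFIG is inserted verbatim and parsed as Lua config; separate statements with a literal \n` would tell operators both that unbalanced quotes or braces break startup and what the `\\n` split expects.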