Add support for secrets

.gitignore

@@ -2,3 +2,5 @@
 .env
 .env.bak
 docker-compose.override.yml
+.secrets/
+.jitsi-meet-cfg/

base/rootfs/etc/cont-init.d/02-load-secrets

@@ -0,0 +1,46 @@
+#!/usr/bin/with-contenv bash
+set -euo pipefail
+
+# get the value from the secret passed to the container
+function _process_secret() {
+    local -r file="$(realpath "${1}")"
+    local -r env_dir="$(realpath "${2}")"
+    local -r name="$(basename "${file}")"
+    local -r env_path="${env_dir}/${name}"
+
+    cat "${file}" > "${env_path}"
+}
+
+function _load_secrets() {
+    local -r env_dir="/run/s6/container_environment"
+
+    [[ -d "${env_dir}" ]] || {
+        ret=${?}
+        echo "ERROR: directory: '${env_dir}' doesn't exist." 1>&2
+        echo "ERROR: please ensure you have s6-overlay installed." 1>&2
+        return $ret
+    }
+
+    # make all secrets available as environment variables
+    for file in /run/secrets/*; do
+        [[ -f "${file}" ]] || {
+            echo "INFO: skipping file '${file}'"
+            continue
+        }
+        _process_secret "${file}" "${env_dir}" || {
+            ret=${?}
+            echo "ERROR: file: '${file}' could not be processes." 1>&2
+            echo "ERROR: please confirm permissions." 1>&2
+            return $ret
+        }
+    done
+
+    return ${?}
+}
+
+_load_secrets
+declare -i rt="${?}"
+
+sync
+
+exit ${rt}

docker-compose.yml

@@ -18,7 +18,6 @@ services:
             - ANALYTICS_WHITELISTED_EVENTS
             - CALLSTATS_CUSTOM_SCRIPT_URL
             - CALLSTATS_ID
-            - CALLSTATS_SECRET
             - CHROME_EXTENSION_BANNER_JSON
             - CONFCODE_URL
             - CONFIG_EXTERNAL_CONNECT
@@ -127,6 +126,8 @@ services:
             - XMPP_MUC_DOMAIN
             - XMPP_RECORDER_DOMAIN
             - XMPP_PORT
+        secrets:
+            - CALLSTATS_SECRET
         networks:
             meet.jitsi:
 
@@ -153,18 +154,11 @@ services:
             - GLOBAL_CONFIG
             - GLOBAL_MODULES
             - JIBRI_RECORDER_USER
-            - JIBRI_RECORDER_PASSWORD
             - JIBRI_XMPP_USER
-            - JIBRI_XMPP_PASSWORD
             - JICOFO_AUTH_USER
-            - JICOFO_AUTH_PASSWORD
-            - JICOFO_COMPONENT_SECRET
             - JIGASI_XMPP_USER
-            - JIGASI_XMPP_PASSWORD
             - JVB_AUTH_USER
-            - JVB_AUTH_PASSWORD
             - JWT_APP_ID
-            - JWT_APP_SECRET
             - JWT_ACCEPTED_ISSUERS
             - JWT_ACCEPTED_AUDIENCES
             - JWT_ASAP_KEYSERVER
@@ -206,6 +200,14 @@ services:
             - XMPP_INTERNAL_MUC_MODULES
             - XMPP_RECORDER_DOMAIN
             - XMPP_PORT
+        secrets:
+            - JIBRI_RECORDER_PASSWORD
+            - JIBRI_XMPP_PASSWORD
+            - JICOFO_COMPONENT_SECRET
+            - JICOFO_AUTH_PASSWORD
+            - JIGASI_XMPP_PASSWORD
+            - JVB_AUTH_PASSWORD
+            - JWT_APP_SECRET
         networks:
             meet.jitsi:
                 aliases:
@@ -231,7 +233,6 @@ services:
             - ENABLE_SCTP
             - ENABLE_AUTO_LOGIN
             - JICOFO_AUTH_USER
-            - JICOFO_AUTH_PASSWORD
             - JICOFO_ENABLE_BRIDGE_HEALTH_CHECKS
             - JICOFO_CONF_INITIAL_PARTICIPANT_WAIT_TIMEOUT
             - JICOFO_CONF_SINGLE_PARTICIPANT_TIMEOUT
@@ -258,6 +259,8 @@ services:
             - XMPP_RECORDER_DOMAIN
             - XMPP_SERVER
             - XMPP_PORT
+        secrets:
+            - JICOFO_AUTH_PASSWORD
         depends_on:
             - prosody
         networks:
@@ -277,7 +280,6 @@ services:
             - ENABLE_COLIBRI_WEBSOCKET
             - ENABLE_OCTO
             - JVB_AUTH_USER
-            - JVB_AUTH_PASSWORD
             - JVB_BREWERY_MUC
             - JVB_PORT
             - JVB_MUC_NICKNAME
@@ -299,6 +301,8 @@ services:
             - XMPP_INTERNAL_MUC_DOMAIN
             - XMPP_SERVER
             - XMPP_PORT
+        secrets:
+            - JVB_AUTH_PASSWORD
         depends_on:
             - prosody
         networks:
@@ -307,3 +311,28 @@ services:
 # Custom network so all services can communicate using a FQDN
 networks:
     meet.jitsi:
+
+secrets:
+    CALLSTATS_SECRET:
+        file: ${SECRETS_DIR}/CALLSTATS_SECRET
+
+    JIBRI_RECORDER_PASSWORD:
+        file: ${SECRETS_DIR}/JIBRI_RECORDER_PASSWORD
+
+    JIBRI_XMPP_PASSWORD:
+        file: ${SECRETS_DIR}/JIBRI_XMPP_PASSWORD
+
+    JICOFO_AUTH_PASSWORD:
+        file: ${SECRETS_DIR}/JICOFO_AUTH_PASSWORD
+
+    JICOFO_COMPONENT_SECRET:
+        file: ${SECRETS_DIR}/JICOFO_COMPONENT_SECRET
+
+    JIGASI_XMPP_PASSWORD:
+        file: ${SECRETS_DIR}/JIGASI_XMPP_PASSWORD
+
+    JVB_AUTH_PASSWORD:
+        file: ${SECRETS_DIR}/JVB_AUTH_PASSWORD
+
+    JWT_APP_SECRET:
+        file: ${SECRETS_DIR}/JWT_APP_SECRET

env.example

@@ -8,22 +8,11 @@
 # You may skip the Jigasi and Jibri passwords if you are not using those
 # DO NOT reuse passwords
 #
-
-# XMPP password for Jicofo client connections
-JICOFO_AUTH_PASSWORD=
-
-# XMPP password for JVB client connections
-JVB_AUTH_PASSWORD=
-
-# XMPP password for Jigasi MUC client connections
-JIGASI_XMPP_PASSWORD=
-
-# XMPP recorder password for Jibri client connections
-JIBRI_RECORDER_PASSWORD=
-
-# XMPP password for Jibri client connections
-JIBRI_XMPP_PASSWORD=
-
+# THIS HAS BEEN MOVED INTO SECRETS. PLEASE RUN ./gen-passwords.sh TO GENERATE THE SECRETS.
+#
+# To retrieve the secrets, they will be located in the `.secrets` directory.
+#
+SECRETS_DIR=~/.secrets
 
 #
 # Basic configuration options

gen-passwords.sh

@@ -1,19 +1,33 @@
 #!/usr/bin/env bash
+set -euo pipefail
 
 function generatePassword() {
     openssl rand -hex 16
 }
 
-JICOFO_AUTH_PASSWORD=$(generatePassword)
-JVB_AUTH_PASSWORD=$(generatePassword)
-JIGASI_XMPP_PASSWORD=$(generatePassword)
-JIBRI_RECORDER_PASSWORD=$(generatePassword)
-JIBRI_XMPP_PASSWORD=$(generatePassword)
+function generateSecrets() {
+    source "${0%/*}/.env"
 
-sed -i.bak \
-    -e "s#JICOFO_AUTH_PASSWORD=.*#JICOFO_AUTH_PASSWORD=${JICOFO_AUTH_PASSWORD}#g" \
-    -e "s#JVB_AUTH_PASSWORD=.*#JVB_AUTH_PASSWORD=${JVB_AUTH_PASSWORD}#g" \
-    -e "s#JIGASI_XMPP_PASSWORD=.*#JIGASI_XMPP_PASSWORD=${JIGASI_XMPP_PASSWORD}#g" \
-    -e "s#JIBRI_RECORDER_PASSWORD=.*#JIBRI_RECORDER_PASSWORD=${JIBRI_RECORDER_PASSWORD}#g" \
-    -e "s#JIBRI_XMPP_PASSWORD=.*#JIBRI_XMPP_PASSWORD=${JIBRI_XMPP_PASSWORD}#g" \
-    "$(dirname "$0")/.env"
+    local -r secrets_dir="${SECRETS_DIR:-"${0%/*}/.secrets"}"
+    local -ar secrets=(
+        "CALLSTATS_SECRET"
+        "JIBRI_RECORDER_PASSWORD"
+        "JIBRI_XMPP_PASSWORD"
+        "JICOFO_AUTH_PASSWORD"
+        "JICOFO_COMPONENT_SECRET"
+        "JIGASI_XMPP_PASSWORD"
+        "JVB_AUTH_PASSWORD"
+        "JWT_APP_SECRET"
+    )
+
+    [[ -d "${secrets_dir}" ]] || mkdir -p "${secrets_dir}"
+
+    for name in "${secrets[@]}"; do
+        # skip if exists.
+        ! [[ -f "${secrets_dir}/${name}" ]] || continue
+
+        generatePassword > "${secrets_dir}/${name}"
+    done
+}
+
+generateSecrets