From 433098684cdb75f3e1dd7cb874d30684db69aab5 Mon Sep 17 00:00:00 2001
From: Jan Beilicke
Date: Thu, 9 Apr 2020 22:17:52 +0200
Subject: [PATCH 1/3] Replaces Google's STUN servers
---
 defaults/main.yml | 3 ++-
 templates/env.jitsi.j2 | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index c4b7667..e13235c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -7,4 +7,5 @@ jitsi_exposed_http_port: 8000
 jitsi_exposed_https_port: 8443
 jitsi_virtual_host: localhost
 jitsi_public_url: http://{{ jitsi_virtual_host }}
-jitsi_timezone: Europe/Amsterdam
\ No newline at end of file
+jitsi_timezone: Europe/Amsterdam
+jitsi_jvb_stun_servers: stun:stun.schlund.de:3478,stun:stun.t-online.de:3478,stun:stun.1und1.de:3478
\ No newline at end of file
diff --git a/templates/env.jitsi.j2 b/templates/env.jitsi.j2
index 5281d34..c4962bd 100644
--- a/templates/env.jitsi.j2
+++ b/templates/env.jitsi.j2
@@ -184,7 +184,7 @@ JVB_AUTH_USER=jvb
 JVB_AUTH_PASSWORD=passw0rd
 # STUN servers used to discover the server's public IP.
-JVB_STUN_SERVERS=stun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com:19302
+JVB_STUN_SERVERS={{ jitsi_jvb_stun_servers }}
 # Media port for the Jitsi Videobridge
 JVB_PORT=10000
From d356d759c808b361b4cb47d95193fee780bb1b1d Mon Sep 17 00:00:00 2001
From: Jan Beilicke
Date: Sat, 11 Apr 2020 13:24:24 +0200
Subject: [PATCH 2/3] Removes default passwords. Please generate secure passwords and add the corresponding vars to your vault
---
 README.md | 35 +++++++++++++++++++++++++----------
 templates/env.jitsi.j2 | 22 +++++++++++-----------
 2 files changed, 36 insertions(+), 21 deletions(-)
diff --git a/README.md b/README.md
index c0d10fa..858cfa4 100644
--- a/README.md
+++ b/README.md
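Review bot: In the defaults/main.yml hunk of PATCH 1/3, the new `jitsi_jvb_stun_servers` default writes each entry as `stun:host:port`, while the `JVB_STUN_SERVERS` line it replaces in templates/env.jitsi.j2 used bare `host:port` entries. Nothing visible here shows that the consumer accepts the scheme prefix. The default should either keep the old shape, e.g. `jitsi_jvb_stun_servers: 'stun.schlund.de:3478,stun.t-online.de:3478,stun.1und1.de:3478'`, or the accepted format should be stated in a comment above the key.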
@@ -14,16 +14,31 @@ Requirements
 Role Variables
 --------------
-| Variable | Description | Default |
-|---------------------------|-------------------------------------------------------------------------------|------------------|
-| docker_user | The user who is going to manage/run the Docker Compose services | deploy |
-| jitsi_enable_letsencrypt | Jitsi will take care of Let's Encrypt certificates | 0 |
-| *jitsi_letsencrypt_email* | E-Mail adress used for requesting certificates | Not set |
-| jitsi_exposed_http_port | Exposed container port for HTTP | 8000 |
-| jitsi_exposed_https_port | Exposed container port for HTTPS | 8443 |
-| jitsi_public_url | The public URL under which Jitsi Meet can be accessed | http://localhost |
-| jitsi_timezone | | Europe/Amsterdam |
-| jitsi_virtual_host | The virtual host that is e.g. used by Traefik, usually part of the public url | localhost |
+| Variable | Description | Default |
+| --------------------------- | ------------------------------------------------------------------------------- | ------------------ |
+| docker_user | The user who is going to manage/run the Docker Compose services | deploy |
+| *jitsi_letsencrypt_email* | E-Mail adress used for requesting certificates | Not set |
+| jitsi_docker_host_address | | |
+| jitsi_enable_letsencrypt | Jitsi will take care of Let's Encrypt certificates | 0 |
+| jitsi_exposed_http_port | Exposed container port for HTTP | 8000 |
+| jitsi_exposed_https_port | Exposed container port for HTTPS | 8443 |
+| jitsi_jibri_recorder_password | Provide a secure password\* | |
+| jitsi_jibri_recorder_user | | |
+| jitsi_jibri_xmpp_password | | |
+| jitsi_jibri_xmpp_user | | |
+| jitsi_jicofo_auth_password | | |
+| jitsi_jicofo_auth_user | | |
+| jitsi_jicofo_component_secret | | |
+| jitsi_jigasi_xmpp_password | | |
+| jitsi_jigasi_xmpp_user | | |
+| jitsi_jvb_auth_password | | |
+| jitsi_jvb_auth_user | | |
+| jitsi_jvb_stun_servers | | stun:stun.schlund.de:3478,
stun:stun.t-online.de:3478,
stun:stun.1und1.de:3478 |
+| jitsi_public_url | The public URL under which Jitsi Meet can be accessed | http://localhost |
+| jitsi_timezone | | Europe/Amsterdam |
+| jitsi_virtual_host | The virtual host that is e.g. used by Traefik, usually part of the public url | localhost |
+
+\* It is important to provide a dedicated secure password for each service. Generate passwords with e.g. `openssl rand -hex 16`
 Dependencies
 ------------
diff --git a/templates/env.jitsi.j2 b/templates/env.jitsi.j2
index c4962bd..3a2a843 100644
--- a/templates/env.jitsi.j2
+++ b/templates/env.jitsi.j2
@@ -178,10 +178,10 @@ XMPP_INTERNAL_MUC_MODULES=
 JVB_BREWERY_MUC=jvbbrewery
 # XMPP user for JVB client connections.
-JVB_AUTH_USER=jvb
+JVB_AUTH_USER={{ jitsi_jvb_auth_user }}
 # XMPP password for JVB client connections.
-JVB_AUTH_PASSWORD=passw0rd
+JVB_AUTH_PASSWORD={{ jitsi_jvb_auth_password }}
 # STUN servers used to discover the server's public IP.
 JVB_STUN_SERVERS={{ jitsi_jvb_stun_servers }}
@@ -198,22 +198,22 @@ JVB_TCP_PORT=4443
 #JVB_ENABLE_APIS=rest,colibri
 # XMPP component password for Jicofo.
-JICOFO_COMPONENT_SECRET=s3cr37
+JICOFO_COMPONENT_SECRET={{ jitsi_jicofo_component_secret }}
 # XMPP user for Jicofo client connections. NOTE: this option doesn't currently work due to a bug.
-JICOFO_AUTH_USER=focus
+JICOFO_AUTH_USER={{ jitsi_jicofo_auth_user }}
 # XMPP password for Jicofo client connections.
-JICOFO_AUTH_PASSWORD=passw0rd
+JICOFO_AUTH_PASSWORD={{ jitsi_jicofo_auth_password }}
 # Base URL of Jicofo's reservation REST API
 #JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com
 # XMPP user for Jigasi MUC client connections.
-JIGASI_XMPP_USER=jigasi
+JIGASI_XMPP_USER={{ jitsi_jigasi_xmpp_user }}
 # XMPP password for Jigasi MUC client connections.
-JIGASI_XMPP_PASSWORD=passw0rd
+JIGASI_XMPP_PASSWORD={{ jitsi_jigasi_xmpp_password }}
 # MUC name for the Jigasi pool.
 JIGASI_BREWERY_MUC=jigasibrewery
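Review bot: In the @@ -178,10 hunk of templates/env.jitsi.j2, `JVB_AUTH_PASSWORD={{ jitsi_jvb_auth_password }}` renders whatever the variable holds, so a value defined as an empty string or left at a weak placeholder deploys without complaint. The same applies to the other secrets templated in the @@ -198,22, @@ -261,10 and @@ -273,10 hunks (`jitsi_jicofo_component_secret` and the Jicofo, Jigasi and Jibri passwords). A pre-flight `assert` in the role's tasks (not visible in this series) would make the role fail closed, with one condition per secret such as `jitsi_jvb_auth_password is defined and jitsi_jvb_auth_password | length >= 16`. The values are also written unquoted, so a password containing whitespace or `#` may be read differently by whatever parses the env file; the README's hex suggestion avoids that, and a comment in the template should say so.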
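Review bot: `JICOFO_AUTH_USER={{ jitsi_jicofo_auth_user }}` in the @@ -198,22 hunk becomes configurable although the comment directly above it says the option does not currently work, so a non-default name may leave Jicofo unable to authenticate. More generally, the five `*_USER` values (this hunk plus @@ -178,10, @@ -261,10 and @@ -273,10) are not secrets, yet no default for them appears in the defaults/main.yml hunks of this series and the README table lists none. Keeping the previous names as role defaults, e.g. `jitsi_jicofo_auth_user: focus` and `jitsi_jvb_auth_user: jvb`, would leave only the passwords and the component secret as required input.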
@@ -261,10 +261,10 @@ JIGASI_PORT_MAX=20050
 XMPP_RECORDER_DOMAIN=recorder.meet.jitsi
 # XMPP recorder user for Jibri client connections.
-JIBRI_RECORDER_USER=recorder
+JIBRI_RECORDER_USER={{ jitsi_jibri_recorder_user }}
 # XMPP recorder password for Jibri client connections.
-JIBRI_RECORDER_PASSWORD=passw0rd
+JIBRI_RECORDER_PASSWORD={{ jitsi_jibri_recorder_password }}
 # Directory for recordings inside Jibri container.
 JIBRI_RECORDING_DIR=/config/recordings
@@ -273,10 +273,10 @@ JIBRI_RECORDING_DIR=/config/recordings
 JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh
 # XMPP user for Jibri client connections.
-JIBRI_XMPP_USER=jibri
+JIBRI_XMPP_USER={{ jitsi_jibri_xmpp_user }}
 # XMPP password for Jibri client connections.
-JIBRI_XMPP_PASSWORD=passw0rd
+JIBRI_XMPP_PASSWORD={{ jitsi_jibri_xmpp_password }}
 # MUC name for the Jibri pool.
 JIBRI_BREWERY_MUC=jibribrewery
From a9aa130c606ec98807d6590da13c748c2b720a75 Mon Sep 17 00:00:00 2001
From: Jan Beilicke
Date: Sat, 11 Apr 2020 13:39:58 +0200
Subject: [PATCH 3/3] Replaces the default STUN servers with the one from jitsi.net; Fixes PUBLIC_URL
---
 defaults/main.yml | 2 +-
 templates/env.jitsi.j2 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index e13235c..79fdff6 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -8,4 +8,4 @@ jitsi_exposed_https_port: 8443
 jitsi_virtual_host: localhost
 jitsi_public_url: http://{{ jitsi_virtual_host }}
 jitsi_timezone: Europe/Amsterdam
-jitsi_jvb_stun_servers: stun:stun.schlund.de:3478,stun:stun.t-online.de:3478,stun:stun.1und1.de:3478
\ No newline at end of file
+jitsi_jvb_stun_servers: meet-jit-si-turnrelay.jitsi.net:443
\ No newline at end of file
diff --git a/templates/env.jitsi.j2 b/templates/env.jitsi.j2
index 3a2a843..efb7ab6 100644
--- a/templates/env.jitsi.j2
+++ b/templates/env.jitsi.j2
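Review bot: The new default in the defaults/main.yml hunk of PATCH 3/3, `jitsi_jvb_stun_servers: meet-jit-si-turnrelay.jitsi.net:443`, is not reflected in the README table added by PATCH 2/3, which still lists the three `stun:`-prefixed servers as the default. The README row should be updated in the same commit. Because every deployment that keeps the default will query a host operated by a third party to discover its public address, a comment above the key would help operators decide whether to override it, for example `# Third-party STUN endpoint; override with your own server if external lookups are not acceptable.`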
@@ -15,7 +15,7 @@ HTTPS_PORT={{ jitsi_exposed_https_port }}
 TZ={{ jitsi_timezone }}
 # Public URL for the web service.
-PUBLIC_URL="{{ jitsi_public_url }}"
+PUBLIC_URL={{ jitsi_public_url }}
 VIRTUAL_HOST={{ jitsi_virtual_host }}
 # IP address of the Docker host. See the "Running on a LAN environment" section
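Review bot: The reason for dropping the quotes around `PUBLIC_URL` is recorded only in the commit subject, so the next editor has no hint in the template not to add them back. A comment above the assignment would record it, e.g. `# Unquoted on purpose: quotes would end up in the value (TODO confirm against the env-file parser in use).` With nothing left to delimit the value, `jitsi_public_url` should also be documented as having to be free of whitespace and `#`.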