From 9e9cee7991a65a0879ad93a67ca725b11074fb9a Mon Sep 17 00:00:00 2001 From: Aaron van Meerten Date: Wed, 5 Jun 2019 19:08:53 -0500 Subject: [PATCH 1/7] prosody: add asap keyserver, empty token --- prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua index a0fbe4f..7717da2 100644 --- a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua +++ b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua @@ -1,9 +1,12 @@ admins = { "{{ .Env.JICOFO_AUTH_USER }}@{{ .Env.XMPP_AUTH_DOMAIN }}" } plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom" } http_default_host = "{{ .Env.XMPP_DOMAIN }}" - + {{ $ENABLE_AUTH := .Env.ENABLE_AUTH | default "0" | toBool }} {{ $AUTH_TYPE := .Env.AUTH_TYPE | default "internal" }} +{{ $JWT_ASAP_KEYSERVER := .Env.JWT_ASAP_KEYSERVER | default "" }} +{{ $JWT_ALL_EMPTY := .Env.JWT_ALLOW_EMPTY | default "0" | toBool }} +{{ $JWT_AUTH_TYPE := .Env.JWT_AUTH_TYPE | default "token" }} {{ if and $ENABLE_AUTH (eq $AUTH_TYPE "jwt") .Env.JWT_ACCEPTED_ISSUERS }} asap_accepted_issuers = { "{{ join "\",\"" (splitList "," .Env.JWT_ACCEPTED_ISSUERS) }}" } @@ -16,11 +19,15 @@ asap_accepted_audiences = { "{{ join "\",\"" (splitList "," .Env.JWT_ACCEPTED_AU VirtualHost "{{ .Env.XMPP_DOMAIN }}" {{ if $ENABLE_AUTH }} {{ if eq $AUTH_TYPE "jwt" }} - authentication = "token" + authentication = "{{ $JWT_AUTH_TYPE }}" app_id = "{{ .Env.JWT_APP_ID }}" app_secret = "{{ .Env.JWT_APP_SECRET }}" - allow_empty_token = false - {{ else if eq $AUTH_TYPE "ldap" }} + allow_empty_token = {{ if $JWT_ALL_EMPTY }}true{{ else }}false{{ end }} + {{ if $JWT_ASAP_KEYSERVER }} + asap_key_server = "{{ .Env.JWT_ASAP_KEYSERVER }}" + {{ end }} + + {{ else if eq $AUTH_TYPE "ldap" }} authentication = "cyrus" cyrus_application_name = "xmpp" allow_unencrypted_plain_auth = true 
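Review bot: `allow_empty_token = true` (emitted when `JWT_ALLOW_EMPTY` is truthy) admits any client that presents no token at all, so once that flag is set the `ENABLE_AUTH`/`AUTH_TYPE=jwt` combination only verifies tokens that happen to be sent rather than requiring one, and nothing in the template or the rendered config says so. I would put a comment above that line, e.g. `-- JWT_ALLOW_EMPTY=1: clients that send no token are admitted unauthenticated; tokens are only checked when present`, so an operator reading the generated file is not misled by `authentication = "token"` into assuming every session was verified. A smaller consistency point: the guard tests the local `$JWT_ASAP_KEYSERVER` but the value is taken from `.Env.JWT_ASAP_KEYSERVER`; writing `asap_key_server = "{{ $JWT_ASAP_KEYSERVER }}"` keeps the default in one place. Whether `app_secret` is still consulted when a key server is configured is not visible from this file, so emitting it unconditionally is presumably harmless but worth confirming against the token module. The `VirtualHost` block continues past the end of the hunk.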
From d6a949ca63b3d1db6de44f534bfaa0dbdaf21906 Mon Sep 17 00:00:00 2001 From: Aaron van Meerten Date: Wed, 5 Jun 2019 19:23:16 -0500 Subject: [PATCH 2/7] prosody: allow token auth module override --- prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua index 7717da2..2b53c7b 100644 --- a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua +++ b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua @@ -7,6 +7,7 @@ http_default_host = "{{ .Env.XMPP_DOMAIN }}" {{ $JWT_ASAP_KEYSERVER := .Env.JWT_ASAP_KEYSERVER | default "" }} {{ $JWT_ALL_EMPTY := .Env.JWT_ALLOW_EMPTY | default "0" | toBool }} {{ $JWT_AUTH_TYPE := .Env.JWT_AUTH_TYPE | default "token" }} +{{ $JWT_TOKEN_AUTH_MODULE := .Env.JWT_TOKEN_AUTH_MODULE | default "token_verification" }} {{ if and $ENABLE_AUTH (eq $AUTH_TYPE "jwt") .Env.JWT_ACCEPTED_ISSUERS }} asap_accepted_issuers = { "{{ join "\",\"" (splitList "," .Env.JWT_ACCEPTED_ISSUERS) }}" } @@ -85,7 +86,7 @@ Component "{{ .Env.XMPP_MUC_DOMAIN }}" "muc" "{{ join "\";\n\"" (splitList "," .Env.XMPP_MUC_MODULES) }}"; {{ end }} {{ if .Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool }} - "token_verification"; + "{{ $JWT_TOKEN_AUTH_MODULE }}"; {{ end }} } From dc374d363324645a43c8eda5c0115a958ccacdd4 Mon Sep 17 00:00:00 2001 From: Aaron van Meerten Date: Wed, 5 Jun 2019 19:55:51 -0500 Subject: [PATCH 3/7] prosody: tpl main prosody.cfg.lua --- prosody/rootfs/defaults/prosody.cfg.lua | 12 +++++++++++- prosody/rootfs/etc/cont-init.d/10-config | 1 + 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/prosody/rootfs/defaults/prosody.cfg.lua b/prosody/rootfs/defaults/prosody.cfg.lua index 7ec5036..c3fb072 100644 --- a/prosody/rootfs/defaults/prosody.cfg.lua +++ b/prosody/rootfs/defaults/prosody.cfg.lua 
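Review bot: The value of `JWT_TOKEN_AUTH_MODULE` is dropped straight into the MUC component's `modules_enabled` list with no check, so a misspelled or absent module name can produce a room component that comes up without any token verification while the VirtualHost still advertises token auth. I would at least add a comment on the definition line, `{{ $JWT_TOKEN_AUTH_MODULE := ... }}`, stating that the replacement module is what enforces room access for token users and must implement the same checks as `token_verification`. Whether Prosody refuses to start or merely logs when a listed module cannot be loaded is not visible here, so that behaviour should be confirmed before relying on the override. The `Component` block this list belongs to starts before the hunk.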
@@ -1,3 +1,5 @@ +{{ $LOG_LEVEL := .Env.LOG_LEVEL | default "info" }} + -- Prosody Example Configuration File -- -- Information on configuring Prosody can be found on our @@ -70,6 +72,9 @@ modules_enabled = { --"watchregistrations"; -- Alert admins of registrations --"motd"; -- Send a message to users when they log in --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots. + {{ if .Env.GLOBAL_MODULES }} + "{{ join "\";\n\"" (splitList "," .Env.GLOBAL_MODULES) }}"; + {{ end }} }; https_ports = { } @@ -143,9 +148,14 @@ authentication = "internal_plain" -- Logs info and higher to /var/log -- Logs errors to syslog also log = { - { levels = {min = "info"}, to = "console"}; + { levels = {min = "{{ $LOG_LEVEL }}"}, to = "console"}; } +{{ if .Env.GLOBAL_CONFIG }} +{{ join ";\n" (splitList "," .Env.GLOBAL_CONFIG) }}; +{{ end }} + + component_interface = { "*" } data_path = "/config/data" diff --git a/prosody/rootfs/etc/cont-init.d/10-config b/prosody/rootfs/etc/cont-init.d/10-config index 2578f18..d334eaa 100644 --- a/prosody/rootfs/etc/cont-init.d/10-config +++ b/prosody/rootfs/etc/cont-init.d/10-config @@ -31,6 +31,7 @@ fi if [[ ! -f $PROSODY_CFG ]]; then cp -r /defaults/* /config + tpl /defaults/prosody.cfg.lua > $PROSODY_CFG tpl /defaults/conf.d/jitsi-meet.cfg.lua > /config/conf.d/jitsi-meet.cfg.lua prosodyctl --config $PROSODY_CFG register $JICOFO_AUTH_USER $XMPP_AUTH_DOMAIN $JICOFO_AUTH_PASSWORD From a39aa5d16d70a3084afb2d6c9200f771c6b88b91 Mon Sep 17 00:00:00 2001 From: Aaron van Meerten Date: Mon, 22 Jul 2019 17:39:09 -0500 Subject: [PATCH 4/7] change global config to split on \\n --- prosody/rootfs/defaults/prosody.cfg.lua | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/prosody/rootfs/defaults/prosody.cfg.lua b/prosody/rootfs/defaults/prosody.cfg.lua index c3fb072..eb1038f 100644 --- a/prosody/rootfs/defaults/prosody.cfg.lua +++ b/prosody/rootfs/defaults/prosody.cfg.lua 
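Review bot: `GLOBAL_CONFIG` is rendered verbatim into `prosody.cfg.lua`, and since Prosody's configuration file is executed as Lua, whoever can set that environment variable (compose file, orchestrator secrets, CI variables) can run arbitrary code inside the prosody container; `GLOBAL_MODULES` and `LOG_LEVEL`, which is written into the `levels` table unvalidated, are weaker forms of the same thing. That is a reasonable operator escape hatch, but it should be labelled as one: a comment above the `{{ if .Env.GLOBAL_CONFIG }}` guard such as `-- GLOBAL_CONFIG is inserted as raw Lua and executed by Prosody at load time; treat it as trusted input only` tells the next reader why the value is not escaped. I would also check what Prosody does with an unknown `min` level before exposing `LOG_LEVEL` without a whitelist, since I cannot tell from this file whether it errors out or silently logs nothing.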
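Review bot: The new `tpl /defaults/prosody.cfg.lua > $PROSODY_CFG` line sits inside the `if [[ ! -f $PROSODY_CFG ]]` guard, so the global template — and with it `GLOBAL_MODULES`, `GLOBAL_CONFIG` and `LOG_LEVEL` — is rendered only on the first start against an empty `/config` volume, and later changes to those variables are silently ignored, which is easy to mistake for a broken setting. A comment on the line, `# rendered once: remove $PROSODY_CFG to pick up changed GLOBAL_* / LOG_LEVEL values`, or a README sentence to that effect, would prevent that confusion. Note also that `cp -r /defaults/*` has just copied the unrendered template into `/config`, presumably to the same path `$PROSODY_CFG` names, so the redirect overwrites a file that still contains `{{ }}` placeholders; harmless as long as nothing reads it in between. The `if` block continues past the hunk.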
@@ -152,10 +152,9 @@ log = { } {{ if .Env.GLOBAL_CONFIG }} -{{ join ";\n" (splitList "," .Env.GLOBAL_CONFIG) }}; +{{ join "\n" (splitList "\\n" .Env.GLOBAL_CONFIG) }} {{ end }} - component_interface = { "*" } data_path = "/config/data" From 48d8013bdd9e011d938e32253ac34324b5b77221 Mon Sep 17 00:00:00 2001 From: Aaron van Meerten Date: Mon, 19 Aug 2019 11:13:38 -0500 Subject: [PATCH 5/7] prosody: properly name ALLOW_EMPTY variable prosody: fix check for auth type when including jwt module --- prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua index 2b53c7b..40f1fd1 100644 --- a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua +++ b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua @@ -1,11 +1,11 @@ admins = { "{{ .Env.JICOFO_AUTH_USER }}@{{ .Env.XMPP_AUTH_DOMAIN }}" } plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom" } http_default_host = "{{ .Env.XMPP_DOMAIN }}" - + {{ $ENABLE_AUTH := .Env.ENABLE_AUTH | default "0" | toBool }} {{ $AUTH_TYPE := .Env.AUTH_TYPE | default "internal" }} {{ $JWT_ASAP_KEYSERVER := .Env.JWT_ASAP_KEYSERVER | default "" }} -{{ $JWT_ALL_EMPTY := .Env.JWT_ALLOW_EMPTY | default "0" | toBool }} +{{ $JWT_ALLOW_EMPTY := .Env.JWT_ALLOW_EMPTY | default "0" | toBool }} {{ $JWT_AUTH_TYPE := .Env.JWT_AUTH_TYPE | default "token" }} {{ $JWT_TOKEN_AUTH_MODULE := .Env.JWT_TOKEN_AUTH_MODULE | default "token_verification" }} @@ -23,7 +23,7 @@ VirtualHost "{{ .Env.XMPP_DOMAIN }}" authentication = "{{ $JWT_AUTH_TYPE }}" app_id = "{{ .Env.JWT_APP_ID }}" app_secret = "{{ .Env.JWT_APP_SECRET }}" - allow_empty_token = {{ if $JWT_ALL_EMPTY }}true{{ else }}false{{ end }} + allow_empty_token = {{ if $JWT_ALLOW_EMPTY }}true{{ else }}false{{ end }} {{ if $JWT_ASAP_KEYSERVER }} asap_key_server = "{{ .Env.JWT_ASAP_KEYSERVER }}" {{ end }} 
@@ -85,7 +85,7 @@ Component "{{ .Env.XMPP_MUC_DOMAIN }}" "muc" {{ if .Env.XMPP_MUC_MODULES }} "{{ join "\";\n\"" (splitList "," .Env.XMPP_MUC_MODULES) }}"; {{ end }} - {{ if .Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool }} + {{ if eq $AUTH_TYPE "jwt" }} "{{ $JWT_TOKEN_AUTH_MODULE }}"; {{ end }} } From 397aa3a4b23338254a9b7af6951b2449d6e4befa Mon Sep 17 00:00:00 2001 From: Aaron van Meerten Date: Mon, 19 Aug 2019 11:21:13 -0500 Subject: [PATCH 6/7] docker-compose: adds comments and docker-compose entries for new shell variables --- README.md | 5 +++++ docker-compose.yml | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/README.md b/README.md index a48c8cc..320dc30 100644 --- a/README.md +++ b/README.md @@ -180,6 +180,10 @@ Variable | Description | Example `JWT_APP_SECRET` | Application secret known only to your token | my_jitsi_app_secret `JWT_ACCEPTED_ISSUERS` | (Optional) Set asap_accepted_issuers as a comma separated list | my_web_client,my_app_client `JWT_ACCEPTED_AUDIENCES` | (Optional) Set asap_accepted_audiences as a comma separated list | my_server1,my_server2 +`JWT_ASAP_KEYSERVER` | (Optional) Set asap_keyserver to a url where public keys can be found | https://example.com/asap +`JWT_ALLOW_EMPTY` | (Optional) Allow anonymous users with no JWT while validating JWTs when provided | 0 +`JWT_AUTH_TYPE` | (Optional) Controls which module is used for processing incoming JWTs | token +`JWT_TOKEN_AUTH_MODULE` | (Optional) Controls which module is used for validating JWTs | token_verification This can be tested using the [jwt.io] debugger. Use the following samople payload: 
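Review bot: The MUC now loads the token module on `eq $AUTH_TYPE "jwt"` alone, whereas the VirtualHost applies JWT auth only under `{{ if $ENABLE_AUTH }}` and the issuer/audience settings under `and $ENABLE_AUTH (eq $AUTH_TYPE "jwt")` (both visible in the first patch of this series), so with `AUTH_TYPE=jwt` but `ENABLE_AUTH=0` the room component loads a verification module for sessions that never went through token auth. What `token_verification` does with such sessions I cannot tell from here, but the two halves of the config should agree; `{{ if and $ENABLE_AUTH (eq $AUTH_TYPE "jwt") }}` matches the other guards. Dropping `JWT_ENABLE_TOKEN_AUTH` is also a silent interface change for anyone who set it, and the README hunk in patch 6 does not mention it; a one-line note there would help if the variable was ever documented. The `Component` block starts before the hunk.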
@@ -237,6 +241,7 @@ Variable | Description | Default value `JIGASI_HEALTH_CHECK_INTERVAL` | Interval of healthcheck in milliseconds | 300000 `DISABLE_HTTPS` | Disable HTTPS, this can be useful if TLS connections are going to be handled outside of this setup | 1 `ENABLE_HTTP_REDIRECT` | Redirects HTTP traffic to HTTPS | 1 +`LOG_LEVEL` | Controls which logs are output from prosody and associated modules | info ### Running on a LAN environment diff --git a/docker-compose.yml b/docker-compose.yml index 42337f9..9a9ec2c 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -72,6 +72,11 @@ services: - JWT_APP_SECRET - JWT_ACCEPTED_ISSUERS - JWT_ACCEPTED_AUDIENCES + - JWT_ASAP_KEYSERVER + - JWT_ALLOW_EMPTY + - JWT_AUTH_TYPE + - JWT_TOKEN_AUTH_MODULE + - LOG_LEVEL - TZ networks: meet.jitsi: From 412bc4b01ce2ce0282f4fa8eab649b7d9498438f Mon Sep 17 00:00:00 2001 From: Aaron van Meerten Date: Mon, 19 Aug 2019 11:25:36 -0500 Subject: [PATCH 7/7] prosody: documented global config and modules environment vars --- README.md | 2 ++ docker-compose.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/README.md b/README.md index 320dc30..6e993a2 100644 --- a/README.md +++ b/README.md 
@@ -219,6 +219,8 @@ Variable | Description | Default value `XMPP_MODULES` | Custom Prosody modules for XMPP_DOMAIN (comma separated) | mod_info,mod_alert `XMPP_MUC_MODULES` | Custom Prosody modules for MUC component (comma separated) | mod_info,mod_alert `XMPP_INTERNAL_MUC_MODULES` | Custom Prosody modules for internal MUC component (comma separated) | mod_info,mod_alert +`GLOBAL_MODULES` | Custom prosodule modules to load in global configuration (comma separated) | mod_statistics,mod_alert +`GLOBAL_CONFIG` | Custom configuration string with escaped newlines | foo = bar;\nkey = val; `JICOFO_COMPONENT_SECRET` | XMPP component password for Jicofo | s3cr37 `JICOFO_AUTH_USER` | XMPP user for Jicofo client connections | focus `JICOFO_AUTH_PASSWORD` | XMPP password for Jicofo client connections | passw0rd diff --git a/docker-compose.yml b/docker-compose.yml index 9a9ec2c..7380d15 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -41,6 +41,8 @@ services: - AUTH_TYPE - ENABLE_AUTH - ENABLE_GUESTS + - GLOBAL_MODULES + - GLOBAL_CONFIG - LDAP_URL - LDAP_BASE - LDAP_BINDDN