From 46b98b5a7a54347cc28d863f179accbf22ca969c Mon Sep 17 00:00:00 2001
From: Aaron van Meerten
Date: Wed, 3 Jan 2024 11:51:30 -0600
Subject: [PATCH] prosody: brewery mode for jvb/jicofo discovery muc
* prosody: brewery mode for jvb/jicofo discovery muc
* do not include c2s limits in brewery mode
---
 .../rootfs/defaults/conf.d/brewery.cfg.lua | 36 +++++++++++++++++++
 prosody/rootfs/defaults/prosody.cfg.lua | 14 +++++++-
 .../rules.d/jvb_muc_presence_filter.pfw | 13 +++++++
 prosody/rootfs/etc/cont-init.d/10-config | 23 +++++++++++-
 4 files changed, 84 insertions(+), 2 deletions(-)
 create mode 100644 prosody/rootfs/defaults/conf.d/brewery.cfg.lua
 create mode 100644 prosody/rootfs/defaults/rules.d/jvb_muc_presence_filter.pfw
diff --git a/prosody/rootfs/defaults/conf.d/brewery.cfg.lua b/prosody/rootfs/defaults/conf.d/brewery.cfg.lua
new file mode 100644
index 0000000..d225cb8
--- /dev/null
+++ b/prosody/rootfs/defaults/conf.d/brewery.cfg.lua
@@ -0,0 +1,36 @@
+{{ $REGION_NAME := .Env.PROSODY_REGION_NAME | default "default" -}}
+{{ $RELEASE_NUMBER := .Env.RELEASE_NUMBER | default "" -}}
+{{ $SHARD_NAME := .Env.SHARD | default "default" -}}
+{{ $JVB_XMPP_AUTH_DOMAIN := .Env.JVB_XMPP_AUTH_DOMAIN | default "auth.jvb.meet.jitsi" -}}
+{{ $JVB_XMPP_INTERNAL_MUC_DOMAIN := .Env.JVB_XMPP_INTERNAL_MUC_DOMAIN | default "muc.jvb.meet.jitsi" -}}
+{{ $JVB_AUTH_USER := .Env.JVB_AUTH_USER | default "jvb" -}}
+
+admins = {
+"focus@{{ $JVB_XMPP_AUTH_DOMAIN }}",
+"{{ $JVB_AUTH_USER }}@{{ $JVB_XMPP_AUTH_DOMAIN }}"
+}
+
+plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom" }
+
+VirtualHost "{{ $JVB_XMPP_AUTH_DOMAIN }}"
+modules_enabled = {
+"ping";
+}
+authentication = "internal_hashed"
+ssl = {
+key = "/config/certs/{{ $JVB_XMPP_AUTH_DOMAIN }}.key";
+certificate = "/config/certs/{{ $JVB_XMPP_AUTH_DOMAIN }}.crt";
+}
+
+Component "{{ $JVB_XMPP_INTERNAL_MUC_DOMAIN }}" "muc"
+modules_enabled = {
+"ping",
+"muc_hide_all";
+"muc_filter_access";
+}
+storage = "memory"
+muc_room_cache_size = 10000
+muc_filter_whitelist="{{ $JVB_XMPP_AUTH_DOMAIN }}"
+muc_room_locking = false
+muc_room_default_public_jids = true
+
diff --git a/prosody/rootfs/defaults/prosody.cfg.lua b/prosody/rootfs/defaults/prosody.cfg.lua
index c72a06d..77e4512
--- a/prosody/rootfs/defaults/prosody.cfg.lua
+++ b/prosody/rootfs/defaults/prosody.cfg.lua
@@ -99,7 +99,10 @@ modules_enabled = {
 --"watchregistrations"; -- Alert admins of registrations
 --"motd"; -- Send a message to users when they log in
 --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
-
+{{ if eq .Env.PROSODY_MODE "brewery" -}}
+"firewall"; -- Enable firewalling
+"secure_interfaces";
+{{ end -}}
 {{ if $ENABLE_S2S -}}
 "s2s_bidi";
 "certs_s2soutinjection";
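Review bot: `$REGION_NAME`, `$RELEASE_NUMBER` and `$SHARD_NAME` are bound in the first three lines of the new file and never referenced again, so they are dead template code; drop them, or add the use they were copied over for. Separately, `admins` includes `{{ $JVB_AUTH_USER }}@{{ $JVB_XMPP_AUTH_DOMAIN }}`, the single account every bridge authenticates with, so every bridge holding that password is a Prosody admin on this instance; if the bridges only need to join the brewery room, which `muc_filter_whitelist` on the auth domain already permits, consider keeping only `focus@...` in `admins`, or add a comment stating why the bridge account needs admin. A style nit: the Component's `modules_enabled` mixes `"ping",` with `;`-terminated entries; Lua accepts both, but the VirtualHost above uses `;` throughout.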
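Review bot: Enabling `secure_interfaces` next to the `C2S_REQUIRE_ENCRYPTION="true"` that 10-config exports for brewery mode weakens that requirement in a way the hunk does not explain: as I understand mod_secure_interfaces, c2s connections arriving on the interfaces it lists (loopback unless `secure_interfaces` is configured) are treated as already encrypted and are not made to negotiate TLS. If that is deliberate, say so on the line, e.g. `"secure_interfaces"; -- treat loopback c2s as encrypted so local bridges/jicofo are not blocked by c2s_require_encryption`; if not, drop the module or set `secure_interfaces` explicitly to the interfaces that are really trusted. `firewall` is a community module; nothing in this hunk shows it is reachable from `plugin_paths`, so confirm the image ships mod_firewall. The `modules_enabled` table begins and ends outside the hunk.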
@@ -114,6 +117,13 @@ modules_enabled = {
 component_ports = { }
 https_ports = { }
+
+{{ if eq .Env.PROSODY_MODE "brewery" -}}
+firewall_scripts = {
+"/config/rules.d/jvb_muc_presence_filter.pfw";
+};
+{{ end -}}
+
 -- These modules are auto-loaded, but should you want
 -- to disable them then uncomment them here:
 modules_disabled = {
@@ -129,6 +139,7 @@ modules_disabled = {
 -- For more information see http://prosody.im/doc/creating_accounts
 allow_registration = false;
+{{ if ne .Env.PROSODY_MODE "brewery" -}}
 -- Enable rate limits for incoming client and server connections
 limits = {
 {{ if ne $PROSODY_C2S_LIMIT "" }}
@@ -142,6 +153,7 @@ limits = {
 };
 {{ end }}
 }
+{{ end -}}
 --Prosody garbage collector settings
 --For more information see https://prosody.im/doc/advanced_gc
diff --git a/prosody/rootfs/defaults/rules.d/jvb_muc_presence_filter.pfw b/prosody/rootfs/defaults/rules.d/jvb_muc_presence_filter.pfw
new file mode 100644
index 0000000..2f7713a
--- /dev/null
+++ b/prosody/rootfs/defaults/rules.d/jvb_muc_presence_filter.pfw
@@ -0,0 +1,13 @@
+{{ $JVB_XMPP_AUTH_DOMAIN := .Env.JVB_XMPP_AUTH_DOMAIN | default "auth.jvb.meet.jitsi" -}}
+{{ $JVB_XMPP_INTERNAL_MUC_DOMAIN := .Env.JVB_XMPP_INTERNAL_MUC_DOMAIN | default "muc.jvb.meet.jitsi" -}}
+{{ $JVB_AUTH_USER := .Env.JVB_AUTH_USER | default "jvb" -}}
+{{ $JVB_BREWERY_MUC := .Env.JVB_BREWERY_MUC | default "jvbbrewery" -}}
+# Drop all presence from a jvb in a MUC to a jvb
+FROM: {{ $JVB_BREWERY_MUC }}@{{ $JVB_XMPP_INTERNAL_MUC_DOMAIN }}
+TO: {{ $JVB_AUTH_USER }}@{{ $JVB_XMPP_AUTH_DOMAIN }}
+KIND: presence
+# Seems safer to allow all "unavailable" to pass
+TYPE: available
+# Allow self-presence (code=110)
+NOT INSPECT: {http://jabber.org/protocol/muc#user}x/status@code=110
+DROP.
diff --git a/prosody/rootfs/etc/cont-init.d/10-config b/prosody/rootfs/etc/cont-init.d/10-config
index ce02571..b55196f
--- a/prosody/rootfs/etc/cont-init.d/10-config
+++ b/prosody/rootfs/etc/cont-init.d/10-config
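Review bot: The `{{ if ne .Env.PROSODY_MODE "brewery" -}}` added after `allow_registration = false;` and the matching `{{ end -}}` in the next hunk wrap the entire `limits = { ... }` table, not just the c2s entries the commit message talks about; the lines between the two hunks are not visible here, so any s2s or other limit in that table is dropped for brewery mode as well, and no comment says why. If only the c2s limit is unwanted, put the condition around the `{{ if ne $PROSODY_C2S_LIMIT "" }}` block instead; either way add a why-comment next to the new `{{ if ne ... }}`, e.g. `-- brewery mode runs without connection rate limits: <reason>`, since an unthrottled instance is a change in exposure for the one server every bridge and jicofo connect to.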
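Review bot: The header comment `# Drop all presence from a jvb in a MUC to a jvb` says what the rule does but not why, and this file will be read by people who never see this commit; I would replace it with something like `# Bridges only need jicofo to see them: drop occupant presence from the brewery MUC towards bridges so each bridge is not told about every other bridge (self-presence, code 110, is kept so the join completes; unavailable is let through on purpose)`. Two behaviours are worth stating in that comment as well: `FROM:` is the bare room JID, which as far as I know mod_firewall matches against every occupant `room@domain/nick`, and the rule is keyed on `$JVB_BREWERY_MUC`, so if the bridges join a room with a different name the rule matches nothing and full presence fan-out silently returns. Adding `LOG=[debug] dropped brewery presence` before `DROP.` would make the rule's activity visible during rollout.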
@@ -29,17 +29,35 @@ fi
 mkdir /config/certs
 cp -r /defaults/* /config
+[ -z "$PROSODY_MODE" ] && PROSODY_MODE="client"
+
 if [[ "$PROSODY_MODE" == "visitors" ]]; then
 echo "Prosody visitor mode, using alternate config"
 PROSODY_SITE_CFG="visitors.cfg.lua"
 rm /config/conf.d/jitsi-meet.cfg.lua
+rm /config/conf.d/brewery.cfg.lua
 # force jicofo into auth domain for visitor-mode prosody
 [ -z "$XMPP_AUTH_DOMAIN" ] && XMPP_AUTH_DOMAIN="auth.meet.jitsi"
 export PROSODY_ADMINS="focus@$XMPP_AUTH_DOMAIN"
+elif [[ "$PROSODY_MODE" == "brewery" ]]; then
+echo "Prosody brewery mode, using alternate config"
+PROSODY_SITE_CFG="brewery.cfg.lua"
+rm /config/conf.d/jitsi-meet.cfg.lua
+rm /config/conf.d/visitors.cfg.lua
+# force jicofo into auth domain for brewer prosody
+[ -z "$JVB_XMPP_AUTH_DOMAIN" ] && JVB_XMPP_AUTH_DOMAIN="auth.meet.jitsi"
+# ensure proper certs are generated
+export XMPP_AUTH_DOMAIN="$JVB_XMPP_AUTH_DOMAIN"
+# brewery mode requires C2S encryption
+export C2S_REQUIRE_ENCRYPTION="true"
+
+mkdir -p /config/rules.d
+tpl /defaults/rules.d/jvb_muc_presence_filter.pfw > /config/rules.d/jvb_muc_presence_filter.pfw
 else
 echo "Prosody normal mode, using default config"
 PROSODY_SITE_CFG="jitsi-meet.cfg.lua"
 rm /config/conf.d/visitors.cfg.lua
+rm /config/conf.d/brewery.cfg.lua
 fi
 tpl /defaults/prosody.cfg.lua > $PROSODY_CFG
 tpl /defaults/conf.d/$PROSODY_SITE_CFG > /config/conf.d/$PROSODY_SITE_CFG
@@ -60,7 +78,8 @@ fi
 prosodyctl --config $PROSODY_CFG register focus $XMPP_AUTH_DOMAIN $JICOFO_AUTH_PASSWORD
-if [[ "$PROSODY_MODE" != "visitors" ]]; then
+# if we are in client mode, we need to subscribe the focus user to the focus component proxy
+if [[ "$PROSODY_MODE" == "client" ]]; then
 prosodyctl --config $PROSODY_CFG mod_roster_command subscribe focus.$XMPP_DOMAIN focus@$XMPP_AUTH_DOMAIN
 fi
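Review bot: The brewery branch falls back to `JVB_XMPP_AUTH_DOMAIN="auth.meet.jitsi"`, while both templates in this patch that consume the same variable (`brewery.cfg.lua` and `jvb_muc_presence_filter.pfw`) default it to `auth.jvb.meet.jitsi`, and the fallback is assigned without `export`, so `tpl`, whose templates read `.Env`, presumably never sees it. With the variable unset, `XMPP_AUTH_DOMAIN` (the domain `focus` is registered under and, per the `# ensure proper certs are generated` comment, the one certs are made for) becomes `auth.meet.jitsi`, while the rendered VirtualHost and its `ssl` key/cert paths are for `auth.jvb.meet.jitsi`. Make the fallback agree with the templates and export it: `[ -z "$JVB_XMPP_AUTH_DOMAIN" ] && JVB_XMPP_AUTH_DOMAIN="auth.jvb.meet.jitsi"` followed by `export JVB_XMPP_AUTH_DOMAIN`. The comment `# force jicofo into auth domain for brewer prosody` is copied from the visitors branch, but unlike that branch nothing here sets `PROSODY_ADMINS` (brewery.cfg.lua sets `admins` itself), so reword it to describe the default the line actually applies.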
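Review bot: Replacing `!= "visitors"` with `== "client"` makes this guard stricter than the mode dispatch earlier in the script, where any `PROSODY_MODE` other than `visitors` or `brewery` takes the "normal mode" `else` branch and renders jitsi-meet.cfg.lua; a misspelled or legacy mode value therefore now gets the client config but skips the `focus` roster subscription, which is hard to diagnose. Either reject unknown values once next to the new default, `case "$PROSODY_MODE" in client|visitors|brewery) ;; *) echo "Unsupported PROSODY_MODE: $PROSODY_MODE" >&2; exit 1;; esac`, or keep this check in the same shape as the dispatch: `if [[ "$PROSODY_MODE" != "visitors" && "$PROSODY_MODE" != "brewery" ]]; then`.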
@@ -112,6 +131,8 @@ if [[ "$PROSODY_MODE" == "visitors" ]]; then
 # echo for using all default values
 echo | prosodyctl --config $PROSODY_CFG cert generate $FULL_VISITORS_XMPP_DOMAIN
 fi
+elif [[ "$PROSODY_MODE" == "brewery" ]]; then
+echo "No need to generate certs for main XMPP domain in brewery mode"
 else
 if [[ ! -f /config/certs/$XMPP_DOMAIN.crt ]]; then
 # echo for using all default values