Commit f19af608 authored by Nicolas Dandrimont's avatar Nicolas Dandrimont

add streaming-frontend role

parent 2ed834c0
......@@ -112,8 +112,16 @@ streaming:
rtmp_publishers:
- 10.18.0.0/24
backend:
inventory_name: noc1st0
server_name: dc17-backend.video.debconf.org
data_root: /srv/streaming
frontend:
server_names:
- video.debconf.org
- as.video.debconf.org
- eu.video.debconf.org
- na.video.debconf.org
data_root: /srv/streaming-frontend
rooms:
- buzz
- rex
......
......@@ -53,3 +53,6 @@ encoder2
[streaming-backends]
noc1st0
[streaming-frontends]
noc1st0
---
- name: reload nginx
service: name=nginx state=reloaded
- name: restart nginx
service: name=nginx state=restarted
---
- name: install nginx packages
apt:
pkg: "{{ item }}"
state: latest
default_release: "{{ debian_version }}-backports"
with_items:
- nginx-extras
notify: restart nginx
- name: create nginx content directories
file:
path: "{{ item }}"
state: directory
owner: www-data
group: www-data
mode: 0755
with_items:
- "{{ streaming.frontend.data_root }}"
- "{{ streaming.frontend.data_root }}/www"
- "{{ streaming.frontend.data_root }}/hls"
- name: remove default html directory
file:
path: /var/www/html
state: absent
- name: disable nginx default configuration
file:
path: /etc/nginx/sites-enabled/default
state: absent
notify: reload nginx
- name: install nginx streaming frontend site configuration
template:
src: nginx/sites-enabled/streaming-frontend.conf.j2
dest: /etc/nginx/sites-enabled/streaming-frontend.conf
owner: root
group: root
mode: 0644
notify: reload nginx
- name: create index.html for streaming frontend
template:
src: index.html.j2
dest: "{{ streaming.frontend.data_root }}/www/index.html"
owner: www-data
group: www-data
mode: 0644
<html>
<head>
<title>DebConf17 streaming frontend on {{ inventory_hostname }}</title>
</head>
<body>
<p>Hello, I'm {{ inventory_hostname }}, a streaming frontend for DebConf17.</p>
</body>
</html>
# {{ ansible_managed }}
#
proxy_cache_path {{ streaming.frontend.data_root }}/hls levels=1:2 keys_zone=hls-cache:8m max_size=1000m inactive=600m;
server {
listen 80;
listen [::]:80;
root {{ streaming.frontend.data_root }}/www;
index index.html;
server_name {{ streaming.frontend.server_names|join(' ') }};
location /live {
# From http://enable-cors.org/server_nginx.html
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
if ($request_method = 'POST') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
}
if ($request_method = 'GET') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
}
}
{% for room in streaming.rooms %}
location ~ /live/{{ room }}-(?<segment>.*).ts$ {
proxy_pass https://{{ streaming.backend.server_name }}/live/{{ room }}-$segment.ts;
proxy_cache hls-cache;
proxy_cache_valid 200 5m;
proxy_cache_valid 404 5s;
}
location =/live/{{ room }}.m3u8 {
proxy_pass https://{{ streaming.backend.server_name }}/live/{{ room }}.m3u8;
}
{% endfor %}
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/{{ streaming.frontend.server_names|first }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ streaming.frontend.server_names|first }}/privkey.pem;
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA"; # managed by Certbot
# Redirect non-https traffic to https
if ($scheme != "https") {
return 301 https://$host$request_uri;
}
}
\ No newline at end of file
......@@ -68,3 +68,7 @@
- hosts: streaming-backends
roles:
- streaming-backend
- hosts: streaming-frontends
roles:
- streaming-frontend
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment