From f6d4bfa1062d82114a029c1d34db87c04267ddcd Mon Sep 17 00:00:00 2001
From: saibotk
Date: Mon, 14 Dec 2020 22:16:53 +0100
Subject: [PATCH] owncast: Add role
---
owncast.yml | 27 +++++++
roles/owncast/README.md | 35 +++++++++
roles/owncast/defaults/main.yml | 81 ++++++++++++++++++++
roles/owncast/handlers/main.yml | 31 ++++++++
roles/owncast/meta/main.yml | 17 +++++
roles/owncast/tasks/main.yml | 88 ++++++++++++++++++++++
roles/owncast/templates/config.yaml | 4 +
roles/owncast/templates/docker-compose.yml | 72 ++++++++++++++++++
8 files changed, 355 insertions(+)
create mode 100644 owncast.yml
create mode 100644 roles/owncast/README.md
create mode 100644 roles/owncast/defaults/main.yml
create mode 100644 roles/owncast/handlers/main.yml
create mode 100644 roles/owncast/meta/main.yml
create mode 100644 roles/owncast/tasks/main.yml
create mode 100644 roles/owncast/templates/config.yaml
create mode 100644 roles/owncast/templates/docker-compose.yml
diff --git a/owncast.yml b/owncast.yml
new file mode 100644
index 0000000..07edb56
--- /dev/null
+++ b/owncast.yml
@@ -0,0 +1,27 @@
+---
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020 Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+- hosts: owncast
+ roles:
+ - docker
+ - docker_compose
+ - docker_cleanup
+ - traefik
+ - owncast
+ environment:
+ PYTHONPATH: /opt/python2/ansible-dependencies/lib/python2.7/site-packages
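Review bot: The play-level `environment` pins `PYTHONPATH` to a `python2.7` site-packages tree, and the `validate: python2 -m compose ...` line in roles/owncast/tasks/main.yml depends on the same interpreter. Python 2.7 stopped receiving security fixes in January 2020, so the compose tooling that this role runs with `become: true` sits on an unmaintained runtime. This presumably mirrors the repository's other CentOS 7 playbooks and may be out of scope for this commit, but a comment above `environment:` such as `# TODO: remove once the docker/compose modules run under python3` would record the debt. The play also has no `name:`, which makes its output harder to attribute in logs.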
diff --git a/roles/owncast/README.md b/roles/owncast/README.md
new file mode 100644
index 0000000..ae627e6
--- /dev/null
+++ b/roles/owncast/README.md
@@ -0,0 +1,35 @@
+Owncast
+=========
+
+This will setup an [Owncast](https://owncast.online) container using their official image and traefik.
+
+Requirements
+------------
+
+You will need to have docker, docker-compose and traefik installed or declared as dependencies with their respective roles.
+
+**This role assumes that you have setup traefik with an endpoint called `websecure`.**
+
+Role Variables
+--------------
+
+**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
+
+**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
+
+### Global variables, that are used:
+
+- `proxy_network`: Defined by the local traefik installation, this is the shared proxy network used by traefik to reach the containers. (optional)
+- `proxy_hiddenservice`: Defined by the local traefik installation, this is used to generate the alt-svc header for the alternative Tor domain. (optional)
+
+Dependencies
+------------
+
+- docker
+- docker-compose
+- traefik
+
+License
+-------
+
+GPL-3.0-only
\ No newline at end of file
diff --git a/roles/owncast/defaults/main.yml b/roles/owncast/defaults/main.yml
new file mode 100644
index 0000000..3281ed5
--- /dev/null
+++ b/roles/owncast/defaults/main.yml
@@ -0,0 +1,81 @@
+---
+# Default variables for the owncast role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020 Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# The install locations
+owncast_install_location: "/srv/owncast"
+owncast_config_location: "{{ owncast_install_location }}/config"
+
+# The certresolver for traefik to use on this domain
+owncast_certresolver: letsencrypt_http
+
+# The domain under which the server is made available using traefik
+owncast_domain: stream.example.com
+
+# The owncast container image and version to use
+owncast_image: docker.io/gabekangas/owncast
+# renovate: depName=docker.io/gabekangas/owncast
+owncast_image_version: "0.0.3"
+
+# The RTMP port
+owncast_stream_port: 1935
+
+# IPv6 ULA config for the bridge network used by docker-ipv6-nat
+owncast_ipv6:
+ enabled: false
+ subnet: "fd9e:21a7:a92c:1225::/64"
+
+# Application config below
+# See https://owncast.online/docs/configuration/ for more information and a full reference
+# Put the whole config into this object and it will be put into the file
+owncast_config:
+ instanceDetails:
+ name: Owncast
+ title: Owncast
+ summary: "This is brief summary of whom you are or what your stream is. You can edit this description in your config file."
+
+ logo: /img/logo.svg
+
+ tags:
+ - music
+ - software
+ - streaming
+
+ # https://owncast.online/docs/configuration/#external-links
+ # for full list of supported social links. All optional.
+ socialHandles:
+ - platform: github
+ url: http://github.com/owncast/owncast
+
+ videoSettings:
+ # Change this value and keep it secure. Treat it like a password to your live stream.
+ streamingKey:
+
+ streamQualities:
+ - medium:
+ videoBitrate: 1200
+ encoderPreset: veryfast
+
+ # Set to true if you don't want the service checking for future releases.
+ disableUpgradeChecks: false
+
+ # Off by default. You can optionally list yourself in the Owncast directory.
+ # Make sure your instanceURL is the public URL to your Owncast instance.
+ yp:
+ enabled: false
+ instanceURL: https://stream.myserver.org
diff --git a/roles/owncast/handlers/main.yml b/roles/owncast/handlers/main.yml
new file mode 100644
index 0000000..705aec0
--- /dev/null
+++ b/roles/owncast/handlers/main.yml
@@ -0,0 +1,31 @@
+---
+# Handlers file for the owncast role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020 saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+
+- name: restart owncast
+ docker_compose:
+ services:
+ - owncast
+ state: present
+ project_src: "{{ owncast_install_location }}"
+ restarted: yes
+ tags:
+ - docker
+ - owncast
+ become: true
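Review bot: In roles/owncast/defaults/main.yml, `streamingKey:` under `owncast_config.videoSettings` is left empty, so a host that applies the role without overriding it gets a config file with a null key, and nothing in the role stops that deployment. How Owncast treats an empty key is not visible in this patch, so fail early instead: an `assert` task at the top of tasks/main.yml with `that: owncast_config.videoSettings.streamingKey | default('', true) | length > 0` would catch it. The comment above the key should say that the value is expected to come from an Ansible Vault variable rather than from a committed inventory file. Because the key is sent over plain RTMP on `owncast_stream_port`, the comment could also say that it must not be reused from any other service.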
diff --git a/roles/owncast/meta/main.yml b/roles/owncast/meta/main.yml
new file mode 100644
index 0000000..6dfbbc4
--- /dev/null
+++ b/roles/owncast/meta/main.yml
@@ -0,0 +1,17 @@
+galaxy_info:
+ author: saibotk
+ description: Deploys an owncast server.
+ license: GPL-3.0-only
+ min_ansible_version: 2.9
+
+ platforms:
+ - name: CentOS
+ versions:
+ - 7
+
+ galaxy_tags: []
+
+dependencies:
+ - docker
+ - docker_compose
+ - traefik
diff --git a/roles/owncast/tasks/main.yml b/roles/owncast/tasks/main.yml
new file mode 100644
index 0000000..a6a2005
--- /dev/null
+++ b/roles/owncast/tasks/main.yml
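Review bot: In roles/owncast/meta/main.yml, `min_ansible_version: 2.9` and the `- 7` under `versions:` are unquoted, so YAML loads them as a float and an integer rather than strings, and a later bump to `2.10` would be read as `2.1`. Quote both, `min_ansible_version: "2.9"` and `- "7"`. The file also starts without the `---` marker and licence header that the other new YAML files in this commit carry.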
@@ -0,0 +1,88 @@
+---
+# Tasks file for the owncast roles
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020 Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+- name: Update default SELinux contexts
+ sefcontext:
+ target: '{{ item }}(/.*)?'
+ setype: "container_file_t"
+ state: present
+ with_items:
+ - "{{ owncast_config_location }}"
+ become: true
+
+- name: Create install directory
+ file:
+ path: "{{ item }}"
+ state: directory
+ mode: '0700'
+ owner: 'root'
+ group: 'root'
+ with_items:
+ - "{{ owncast_install_location }}"
+ become: true
+ tags:
+ - owncast
+
+- name: Create data directories
+ file:
+ path: "{{ item }}"
+ state: directory
+ mode: '0750'
+ owner: 'root'
+ group: 'root'
+ setype: "container_file_t"
+ with_items:
+ - "{{ owncast_config_location }}"
+ become: true
+ tags:
+ - owncast
+
+- name: Deploy owncast config
+ template:
+ src: "config.yaml"
+ dest: "{{ owncast_config_location }}/config.yaml"
+ mode: '0600'
+ owner: 'root'
+ group: 'root'
+ setype: "container_file_t"
+ notify: restart owncast
+ become: true
+
+- name: Deploy docker-compose.yml
+ template:
+ src: docker-compose.yml
+ dest: "{{ owncast_install_location }}/docker-compose.yml"
+ mode: '0600'
+ owner: 'root'
+ group: 'root'
+ validate: python2 -m compose -f %s config -q
+ tags:
+ - docker
+ - owncast
+ become: true
+
+- name: Compose owncast
+ docker_compose:
+ state: present
+ project_src: "{{ owncast_install_location }}"
+ pull: yes
+ remove_orphans: yes
+ tags:
+ - owncast
+ become: true
diff --git a/roles/owncast/templates/config.yaml b/roles/owncast/templates/config.yaml
new file mode 100644
index 0000000..e9e64ad
--- /dev/null
+++ b/roles/owncast/templates/config.yaml
@@ -0,0 +1,4 @@
+{{ ansible_managed | comment }}
+# Dynamic configuration
+
+{{ owncast_config | to_nice_yaml(indent=2) }}
diff --git a/roles/owncast/templates/docker-compose.yml b/roles/owncast/templates/docker-compose.yml
new file mode 100644
index 0000000..81fa0fa
--- /dev/null
+++ b/roles/owncast/templates/docker-compose.yml
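Review bot: The `Deploy owncast config` task in roles/owncast/tasks/main.yml renders `owncast_config`, which includes `videoSettings.streamingKey`, and the `template` module prints rendered content when a play runs with `--diff`. The key can therefore land in terminal scrollback or CI logs even though the file itself is written `0600`. Add `diff: false` (or `no_log: true`) to that task. The same task and `Update default SELinux contexts` carry no `tags:`, unlike their neighbours, so a run limited with `--tags owncast` skips them and deploys the compose file without the config; adding `tags:` with `- owncast` to both keeps tagged runs complete.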
@@ -0,0 +1,72 @@
+{{ ansible_managed | comment }}
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020 Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+version: '2.1'
+
+services:
+ owncast:
+ image: {{ owncast_image }}:{{ owncast_image_version }}
+ mem_limit: 1gb
+ memswap_limit: 1280mb
+ security_opt:
+ - no-new-privileges
+ labels:
+ - "traefik.enable=true"
+
+ - "traefik.http.routers.owncast.rule=Host(`{{ owncast_domain }}`) && PathPrefix(`/`)"
+ - "traefik.http.routers.owncast.entrypoints=websecure"
+ - "traefik.http.routers.owncast.tls.certresolver={{ owncast_certresolver }}"
+ - "traefik.http.routers.owncast.middlewares=owncast,compress"
+ - "traefik.http.routers.owncast.service=owncast"
+ - "traefik.http.services.owncast.loadbalancer.server.port=8080"
+ - "traefik.http.middlewares.owncast.headers.sslredirect=true"
+ - "traefik.http.middlewares.owncast.headers.stsSeconds=63072000"
+ - "traefik.http.middlewares.owncast.headers.referrerPolicy=no-referrer"
+
+{% if proxy_network is defined %}
+ - "traefik.docker.network={{ proxy_network }}"
+{% endif %}
+
+ volumes:
+ - "{{ owncast_config_location }}/config.yaml:/app/config.yaml:ro"
+
+ ports:
+ - "{{ owncast_stream_port }}:1935"
+
+ networks:
+ owncast-backend:
+{% if proxy_network is defined %}
+ {{ proxy_network }}:
+{% endif %}
+
+ restart: always
+
+networks:
+ owncast-backend:
+ driver: bridge
+{% if owncast_ipv6 is defined and owncast_ipv6.enabled %}
+ ipam:
+ driver: default
+ config:
+ - subnet: {{ owncast_ipv6.subnet }}
+ enable_ipv6: true
+{% endif %}
+{% if proxy_network is defined %}
+ {{ proxy_network }}:
+ external: true
+{% endif %}
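Review bot: The `image:` line in roles/owncast/templates/docker-compose.yml resolves to a mutable registry tag, and the `Compose owncast` task sets `pull: yes`, so every run deploys whatever the registry currently serves under that tag. Docker accepts a tag followed by a digest, so the default could be pinned as `owncast_image_version: "0.0.3@sha256:DIGEST_OF_REVIEWED_IMAGE"` (placeholder value); the existing renovate comment may be able to keep it current, depending on the repository's Renovate configuration. The scalar is also unquoted, and `image: "{{ owncast_image }}:{{ owncast_image_version }}"` avoids a parse surprise if either variable is empty or starts with a YAML indicator; the same applies to `subnet: {{ owncast_ipv6.subnet }}`. `no-new-privileges` is set but there is no `cap_drop`; whether this image still starts with `cap_drop: [ALL]` is not visible here and would need testing.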