On 22.11.2017 01:38, Nicolas Dandrimont wrote:
> [Please note and preserve Cc: to debconf-video@]
>
> The DebConf Video Team is currently holding a sprint to enhance its setup and
> make it more future-proof and self-service. We have a few things that we would
> like to do, with your help, to make this setup happen.
>
> 0/ Context
>
> We have standardized our machine setup around ansible, which we use to setup
> the machines used for mixing and recording in the conference environment as
> well as the cloud instances used for streaming.
>
> Streams are pushed to a streaming backend with RTMP; this backend converts the
> RTMP stream to HLS, which is then distributed to clients through a few caching
> HTTPS frontends that are geographically distributed. The html5/javascript
> frontend uses a special geoip-resolving http(s) endpoint to point clients to
> the proper geographically close mirror (stupid web player doesn't do sticky
> redirects).
>
> I've been working on integrating the setup/teardown of the streaming network
> with our ansible repository and here are the things that would be useful:
>
> 1/ DNS updates
>
> We would like to be able to update DNS entries for a subtree of debconf.org to
> accommodate dynamic cloud instances. Our previous setup used
> video.debconf.org, but we would like to move *streaming* to
> *.live.debconf.org, which will allow video.debconf.org to be reused for a
> static documentation / video player / streaming player website. Could we
> enable the videoteam user on vittoria (or another role user) to do so?
>
> 2/ Cloud instance spin-up/teardown
>
> I've written a small set of python3 scripts using the DigitalOcean API to
> setup/teardown machines; As this needs an API key for our DigitalOcean
> account, we would like to allow a role user to run the scripts on vittoria.
> Ideally this role user would also be able to run ansible to set the machines
> up after they spin up.
> If you think that's sensible I'll provide you with an update to the
> debian.org metapackages for the needed dependencies.

Hey,

you might remember me from debconf Cambridge 2 years ago, the ccc voc salesman ;-)

If you say DigitalOcean that sounds like paid servers. If you like we can talk about using ccc voc servers for debconf streaming. We currently have three locations where we operate stream relays with 10 or 20 gigabit connectivity. A fourth location will be added by the end of the year.

All traffic is donated, peering is very good https://www.peeringdb.com/net/2989 + DFN relays

Currently we provide NGINX RTMP and icecast relays, everything is running debian stretch and h0lger also already has access to the infrastructure. On some parts we still have some things to do from the stretch upgrade but most things are already updated in the ansible git https://github.com/voc/cm/tree/master/ansible . A fine-tuned version will be there after 34c3.

If this sounds interesting to you we can have a chat at 34c3 or e.g. a mumble in January.

>
> 3/ TLS certificate distribution for the streaming network
>
> Our streams are now fully HTTPS. During DebConf17, we used certbot to generate
> certificates manually on one of the machines (with the http-01 challenge) and
> then used ansible to push the private and public keys to the rest of the
> mirror network.
>
> Would it be possible to integrate ourselves in your letsencrypt setup, having
> a way to provide the aforementioned videoteam role user with the tls key/cert
> pair for pushing to the streaming network through ansible?
>
> The first iteration would use a static list of hostnames (TBD), until
> letsencrypt supports wildcard certs which will allow us to just have one cert
> for *.live.debconf.org, hopefully for our next events in 2018.
>
> Thanks for considering,
