l tv: add ssl via streaming.lassul.us

krebs/3modules/lass/default.nix

@@ -44,6 +44,7 @@ in {
           matrix              60 IN A      ${config.krebs.hosts.prism.nets.internet.ip4.addr}
           paste               60 IN A      ${config.krebs.hosts.prism.nets.internet.ip4.addr}
           radio               60 IN A      ${config.krebs.hosts.prism.nets.internet.ip4.addr}
+          streaming           60 IN A      ${config.krebs.hosts.prism.nets.internet.ip4.addr}
         '';
       };
       nets = rec {

lass/2configs/tv.nix

@@ -32,7 +32,7 @@ nginxCfg = pkgs.writeText "nginx.conf" ''
           application/vnd.apple.mpegurl m3u8;
           video/mp2t ts;
         }
-        root /tmp;
+        root /var/lib/rtmp/tmp;
         add_header Cache-Control no-cache;
 
         # CORS setup
@@ -106,6 +106,11 @@ nginxCfg = pkgs.writeText "nginx.conf" ''
           </html>
         ''};
       }
+
+      location /records {
+        autoindex on;
+        root /var/lib/rtmp;
+      }
     }
   }
 
@@ -120,21 +125,128 @@ nginxCfg = pkgs.writeText "nginx.conf" ''
         live on;
 
         hls on;
-        hls_path /tmp/hls;
+        hls_path /var/lib/rtmp/tmp/hls;
+        hls_fragment 1;
+        hls_playlist_length 10;
 
         dash on;
-        dash_path /tmp/dash;
+        dash_path /var/lib/rtmp/tmp/dash;
       }
     }
   }
 '';
 
 in {
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."streaming.lassul.us" = {
+      enableACME = true;
+      addSSL = true;
+      locations."/hls".extraConfig = ''
+        # Serve HLS fragments
+        types {
+          application/vnd.apple.mpegurl m3u8;
+          video/mp2t ts;
+        }
+        root /var/lib/rtmp/tmp;
+
+        # Allow CORS preflight requests
+        if ($request_method = 'OPTIONS') {
+          add_header 'Access-Control-Allow-Origin' '*';
+          add_header 'Access-Control-Max-Age' 1728000;
+          add_header 'Content-Type' 'text/plain charset=UTF-8';
+          add_header 'Content-Length' 0;
+          return 204;
+        }
+
+        if ($request_method != 'OPTIONS') {
+          add_header Cache-Control no-cache;
+
+          # CORS setup
+          add_header 'Access-Control-Allow-Origin' '*' always;
+          add_header 'Access-Control-Expose-Headers' 'Content-Length';
+        }
+      '';
+      locations."/dash".extraConfig = ''
+        # Serve DASH fragments
+        types {
+          application/dash+xml mpd;
+          video/mp4 mp4;
+        }
+        root /var/lib/rtmp/tmp;
+
+        # Allow CORS preflight requests
+        if ($request_method = 'OPTIONS') {
+          add_header 'Access-Control-Allow-Origin' '*';
+          add_header 'Access-Control-Max-Age' 1728000;
+          add_header 'Content-Type' 'text/plain charset=UTF-8';
+          add_header 'Content-Length' 0;
+          return 204;
+        }
+        if ($request_method != 'OPTIONS') {
+          add_header Cache-Control no-cache;
+
+          # CORS setup
+          add_header 'Access-Control-Allow-Origin' '*' always;
+          add_header 'Access-Control-Expose-Headers' 'Content-Length';
+        }
+      '';
+      locations."= /dash.all.min.js".extraConfig = ''
+        default_type "text/javascript";
+        alias ${pkgs.fetchurl {
+          url = "http://cdn.dashjs.org/v3.2.0/dash.all.min.js";
+          sha256 = "16f0b40gdqsnwqi01s5sz9f1q86dwzscgc3m701jd1sczygi481c";
+        }};
+      '';
+      locations."= /player".extraConfig = ''
+        default_type "text/html";
+        alias ${pkgs.writeText "player.html" ''
+          <!DOCTYPE html>
+          <html lang="en">
+            <head>
+              <meta charset="utf-8">
+              <title>lassulus livestream</title>
+            </head>
+            <body>
+              <div>
+                <video id="player" controls></video>
+                </video>
+              </div>
+              <script src="/dash.all.min.js"></script>
+              <script>
+                (function(){
+                  var url = "/dash/nixos.mpd";
+                  var player = dashjs.MediaPlayer().create();
+                  player.initialize(document.querySelector("#player"), url, true);
+                })();
+              </script>
+            </body>
+          </html>
+        ''};
+      '';
+      locations."/records".extraConfig = ''
+        autoindex on;
+        root /var/lib/rtmp;
+      '';
+    };
+  };
+
+  fileSystems."/var/lib/rtmp/tmp" = {
+    device = "tmpfs";
+    fsType = "tmpfs";
+    options = [ "nosuid" "nodev" "noatime" ];
+  };
+
   users.users.rtmp = {
-    home = "/var/lib/rmtp";
+    home = "/var/lib/rtmp";
     uid = genid_uint31 "rtmp";
     isNormalUser = true;
     createHome = true;
+    openssh.authorizedKeys.keys = with config.krebs.users; [
+      mic92.pubkey
+      palo.pubkey
+    ];
   };
 
   systemd.services.nginx-rtmp = {
@@ -149,6 +261,14 @@ in {
       }}/bin/nginx -c ${nginxCfg} -p /var/lib/rtmp
     '';
     serviceConfig = {
+      ExecStartPre = pkgs.writers.writeDash "setup-rtmp" ''
+        mkdir -p /var/lib/rtmp/tmp/hls
+        mkdir -p /var/lib/rtmp/tmp/dash
+        chown rtmp:users /var/lib/rtmp/tmp/hls
+        chown rtmp:users /var/lib/rtmp/tmp/dash
+        chmod 755 /var/lib/rtmp/tmp/hls
+        chmod 755 /var/lib/rtmp/tmp/dash
+      '';
       User = "rtmp";
     };
   };