[Please note and preserve Cc: to debconf-video@]

The DebConf Video Team is currently holding a sprint to enhance its setup and make it more future-proof and self-service. We have a few things that we would like to do, with your help, to make this setup happen.

0/ Context

We have standardized our machine setup around ansible, which we use to set up the machines used for mixing and recording in the conference environment as well as the cloud instances used for streaming.

Streams are pushed to a streaming backend with RTMP; this backend converts the RTMP stream to HLS, which is then distributed to clients through a few caching HTTPS frontends that are geographically distributed. The html5/javascript frontend uses a special geoip-resolving http(s) endpoint to point clients to the proper geographically close mirror (stupid web player doesn't do sticky redirects).

I've been working on integrating the setup/teardown of the streaming network with our ansible repository, and here are the things that would be useful:

1/ DNS updates

We would like to be able to update DNS entries for a subtree of debconf.org to accommodate dynamic cloud instances. Our previous setup used video.debconf.org, but we would like to move *streaming* to *.live.debconf.org, which will allow video.debconf.org to be reused for a static documentation / video player / streaming player website.

Could we enable the videoteam user on vittoria (or another role user) to do so?

2/ Cloud instance spin-up/teardown

I've written a small set of python3 scripts using the DigitalOcean API to set up/tear down machines; as this needs an API key for our DigitalOcean account, we would like to allow a role user to run the scripts on vittoria. Ideally this role user would also be able to run ansible to set the machines up after they spin up.

If you think that's sensible, I'll provide you with an update to the debian.org metapackages for the needed dependencies.

3/ TLS certificate distribution for the streaming network

Our streams are now fully HTTPS. During DebConf17, we used certbot to generate certificates manually on one of the machines (with the http-01 challenge) and then used ansible to push the private and public keys to the rest of the mirror network.

Would it be possible to integrate ourselves in your letsencrypt setup, having a way to provide the aforementioned videoteam role user with the tls key/cert pair for pushing to the streaming network through ansible? The first iteration would use a static list of hostnames (TBD), until letsencrypt supports wildcard certs, which will allow us to just have one cert for *.live.debconf.org, hopefully for our next events in 2018.

Thanks for considering,
-- 
Nicolas Dandrimont
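A preflight check a practitioner would want before the ansible push described in 3/: confirm that the private key actually belongs to the certificate, that the certificate is currently valid, and that it covers every hostname on the static list, so a mismatched or incomplete pair is never copied onto the whole mirror network. The Go program below is an added example written for this page; it is not the video team's scripts or DSA's letsencrypt setup. The hostnames are constructed, and SelfSignedPair exists only so the example runs offline; the real key/cert pair would come from Let's Encrypt.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckPairForHosts returns nil only if keyPEM matches certPEM, the certificate
// is valid at time now, and it covers every name in hosts. Run this on the
// machine that distributes the pair, before any copy to the mirrors.
func CheckPairForHosts(certPEM, keyPEM []byte, hosts []string, now time.Time) error {
	// tls.X509KeyPair fails when the key's public half differs from the cert's.
	if _, err := tls.X509KeyPair(certPEM, keyPEM); err != nil {
		return fmt.Errorf("key does not match certificate: %w", err)
	}
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("no CERTIFICATE block in certificate PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate not valid at %s (valid %s to %s)",
			now.UTC().Format(time.RFC3339),
			cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	// VerifyHostname checks the SAN list, including wildcard entries such as
	// *.live.debconf.org, so the same check serves a future wildcard cert.
	for _, h := range hosts {
		if err := cert.VerifyHostname(h); err != nil {
			return fmt.Errorf("certificate does not cover %q: %w", h, err)
		}
	}
	return nil
}

// SelfSignedPair issues a throwaway self-signed ECDSA certificate for hosts,
// valid for days from notBefore. Test fixture only (assumed, not the team's CA).
func SelfSignedPair(hosts []string, notBefore time.Time, days int) (certPEM, keyPEM []byte, err error) {
	if len(hosts) == 0 {
		return nil, nil, fmt.Errorf("need at least one hostname")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hosts[0]},
		DNSNames:     hosts,
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

func main() {
	// Constructed hostnames standing in for the team's static list (TBD in the mail).
	hosts := []string{"live.debconf.org", "eu.live.debconf.org", "na.live.debconf.org"}
	now := time.Now()
	certPEM, keyPEM, err := SelfSignedPair(hosts, now.Add(-time.Hour), 90)
	if err != nil {
		panic(err)
	}
	fmt.Println("matching pair, all hosts covered:", CheckPairForHosts(certPEM, keyPEM, hosts, now))
	fmt.Println("host missing from SAN list:", CheckPairForHosts(certPEM, keyPEM, []string{"sa.live.debconf.org"}, now))
	_, otherKey, _ := SelfSignedPair(hosts, now.Add(-time.Hour), 90)
	fmt.Println("wrong private key:", CheckPairForHosts(certPEM, otherKey, hosts, now))
	fmt.Println("after expiry:", CheckPairForHosts(certPEM, keyPEM, hosts, now.Add(91*24*time.Hour)))
}
```

Wiring this in front of the ansible run means a push only happens when the check returns nil; the expiry branch doubles as the reminder that whatever renews the certificate must also re-run the distribution, since a renewed cert that stays on the issuing host protects nothing on the mirrors.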