Re: DebConf Video streaming wishlist for MiniDebConf Cambridge and future events

To: Nicolas Dandrimont <olasd@debian.org>, debian-admin@lists.debian.org
Cc: debconf-video@lists.debian.org
Subject: Re: DebConf Video streaming wishlist for MiniDebConf Cambridge and future events
From: Julien Cristau <jcristau@debian.org>
Date: Wed, 22 Nov 2017 12:16:05 +0100
Message-id: <[🔎] 43a5154f-d99d-4da3-3125-52c42668484a@debian.org>
In-reply-to: <[🔎] 20171122003838.bcv2zmja5rz6yg3i@werner.olasd.eu>
References: <[🔎] 20171122003838.bcv2zmja5rz6yg3i@werner.olasd.eu>

[not speaking for DSA as a whole so there may be other ideas/concerns]

On 11/22/2017 01:38 AM, Nicolas Dandrimont wrote:
> I've been working on integrating the setup/teardown of the streaming network
> with our ansible repository and here are the things that would be useful:
> 
> 1/ DNS updates
> 
> We would like to be able to update DNS entries for a subtree of debconf.org to
> accommodate dynamic cloud instances. Our previous setup used video.debconf.org,
> but we would like to move *streaming* to *.live.debconf.org, which will allow
> video.debconf.org to be reused for a static documentation / video player /
> streaming player website. Could we enable the videoteam user on vittoria (or
> another role user) to do so?

Is the idea to have DNS updates triggered automatically or by humans?
If the former, I wonder if using a third party DNS provider's API would
be better than direct git commits to our repo.  We recently got access
to netnod's API thing, so that might be an option (haven't played with
it yet).  Something like route53 might be another.  If updates would be
triggered by humans then we could give those users access to the zone.

> 
> 2/ Cloud instance spin-up/teardown
> 
> I've written a small set of python3 scripts using the DigitalOcean API to
> setup/teardown machines; As this needs an API key for our DigitalOcean account,
> we would like to allow a role user to run the scripts on vittoria. Ideally this
> role user would also be able to run ansible to set the machines up after they
> spin up. If you think that's sensible I'll provide you with an update to the
> debian.org metapackages for the needed dependencies.
> 
Sounds fine to me.

> 3/ TLS certificate distribution for the streaming network
> 
> Our streams are now fully HTTPS. During DebConf17, we used certbot to generate
> certificates manually on one of the machines (with the http-01 challenge) and
> then used ansible to push the private and public keys to the rest of the mirror
> network.
> 
> Would it be possible to integrate ourselves in your letsencrypt setup, having a
> way to provide the aforementioned videoteam role user with the tls key/cert
> pair for pushing to the streaming network through ansible?
> 
I don't think that's a good way to go, our setup works for
puppet-managed hosts but sending out keys to the world seems a bit ick.

What are the actual requirements here?  If you have access to the DNS
zone per 1) above, would handling dns-01 challenge yourselves work just
as well?

Cheers,
Julien

Reply to:

Follow-Ups:
- Re: DebConf Video streaming wishlist for MiniDebConf Cambridge and future events
  - From: Nicolas Dandrimont <olasd@debian.org>

References:
- DebConf Video streaming wishlist for MiniDebConf Cambridge and future events
  - From: Nicolas Dandrimont <olasd@debian.org>

Prev by Date: DebConf Video streaming wishlist for MiniDebConf Cambridge and future events
Next by Date: Re: DebConf Video streaming wishlist for MiniDebConf Cambridge and future events
Previous by thread: DebConf Video streaming wishlist for MiniDebConf Cambridge and future events
Next by thread: Re: DebConf Video streaming wishlist for MiniDebConf Cambridge and future events
Index(es):
- Date
- Thread