Merge pull request #152 from pvarki/mediamtx

Add support for MediaMTX

Author: rambo

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 1.11.0
+current_version = 1.12.0
 commit = False
 tag = False
 

.gitmodules

@@ -28,3 +28,6 @@
 [submodule "battlelog"]
 	path = battlelog
 	url = git@github.com:pvarki/typescript-liveloki-app.git
+[submodule "mtxauthz"]
+	path = mtxauthz
+	url = git@github.com:pvarki/python-mediamtx-rmmtxauthz.git

README.rst

@@ -88,6 +88,9 @@ Example .env-file with the minimal information needed::
     KEYCLOAK_HTTPS_KEY_STORE_PASSWORD="input-secure-password"  # pragma: allowlist secret
     KEYCLOAK_HTTPS_TRUST_STORE_PASSWORD="input-secure-password"  # pragma: allowlist secret
     BL_POSTGRES_PASSWORD="input-secure-password"  # pragma: allowlist secret
+    RMMTX_POSTGRES_PASSWORD="input-secure-password"  # pragma: allowlist secret
+
+Replace "intput-secure-password" with a good passphrase that is unique for each replacment.
 
 If you wish to use one deployment for longer than the *design lifetime* of 1-2 months you can change the following
 env variables. But do understand that this is **not recommended** and has **security implications**. If you do this

api

@@ -36,6 +36,22 @@ services:
     volumes:
       - "./api:/app"
 
+  rmmtx:
+    image: pvarki/rmapi:devel_shell${DOCKER_TAG_EXTRA:-}
+    build:
+      context: ./mtxauthz
+      dockerfile: Dockerfile
+      target: devel_shell
+    command: ["-c", "source /root/.profile  && poetry install && uvicorn --host 0.0.0.0 --port 8005 --log-level debug --factory rmmtxauthz.web.application:get_app --reload"]
+    healthcheck:
+      test: 'curl http://localhost:8005/api/v1/healthcheck || exit 1'
+      interval: 5s
+      timeout: 5s
+      retries: 3
+      start_period: 15s
+    volumes:
+      - "./api:/app"
+
   rmuidev:
     image: pvarki/rmui:devel_shell${DOCKER_TAG_EXTRA:-}
     build:

docker-compose-dev.yml

@@ -27,6 +27,13 @@ x-ldap_admin_env: &ldap_admin_env
   LDAP_ADMIN_PASSWORD: &ldapadminpass ${LDAP_ADMIN_PASSWORD:-ldapadminpwd} # pragma: allowlist secret
   LDAP_ADMIN_USERNAME: &ldapadminuser admin
 
+x-mtxauthz_dbconfig_env: &rmmtx_dbconfig_env
+  RMMTX_DATABASE_DATABASE: &rmmtx_dbname ${RMMTX_DATABASE_DATABASE:-rmmtx}
+  RMMTX_DATABASE_HOST: postgres
+  RMMTX_DATABASE_USER: &rmmtx_dbuser ${RMMTX_DATABASE_USER:-rmmtx}
+  RMMTX_DATABASE_PASSWORD: &rmmtx_dbpass ${RMMTX_DATABASE_PASSWORD:-mtxauthzdbpwd} # pragma: allowlist secret
+  RMMTX_API_PASSWORD: &rmmtx_apipass ${RMMTX_API_PASSWORD:-rmmtxpasswd} # pragma: allowlist secret
+
 x-tak_dbconfig_env: &takdbconfig_env
   POSTGRES_DB: &takdbname ${TAK_DATABASE_NAME:-tak}
   POSTGRES_ADDRESS: postgres
@@ -49,6 +56,7 @@ x-postgres_env: &postgres_env
   RAESENMAEHER_PASSWORD: *rmdbpass # pragma: allowlist secret
   TAK_PASSWORD: *takdbpass # pragma: allowlist secret
   BATTLELOG_PASSWORD: *bldbpass # pragma: allowlist secret
+  RMMTX_PASSWORD: *rmmtx_dbpass # pragma: allowlist secret
 
 x-keycloak_users_env: &keycloak_users_env
   KEYCLOAK_CREATE_ADMIN_USER: true
@@ -114,8 +122,7 @@ x-takserver_env: &takserver_env
   TAKSERVER_KEYSTORE_PASS: *takserver_cert_pass
   CA_PASS: &tak_ca_pass ${TAK_CA_PASS:-takcacertpw} # pragma: allowlist secret
   KEYSTORE_PASS: *tak_ca_pass
-  TAK_OCSP_UPSTREAM: &ocsphost "ocsp"
-  TAK_OCSP_PORT: *oscpport
+  TAK_OCSP_ENABLE: "true"
   WEBTAK_ENABLE: "true"
 
 
@@ -128,9 +135,11 @@ services:
       target: production
     environment:
       MW_DOMAIN: *serverdomain
-      MW_PRODUCTS: "tak,kc,fake,bl"
+      MW_PRODUCTS: "tak,kc,fake,bl,rmmtx"
       MW_RASENMAEHER__API_PORT: *apiport
       MW_RASENMAEHER__USER_PORT: *apiport
+      MW_MTX__API_PORT: *productport
+      MW_MTX__USER_PORT: 9996
       MW_FAKE__API_PORT: *productport
       MW_FAKE__USER_PORT: *productport
       MW_TAK__API_PORT: *productport
@@ -144,11 +153,12 @@ services:
     ports:
       - "80:80" # For letsencrypt
     volumes:
+      - kraftwerk_data:/data/persistent
+      - kraftwerk_shared_rasenmaeher:/pvarkishares/rasenmaeher
       - kraftwerk_shared_fake:/pvarkishares/fake
       - kraftwerk_shared_tak:/pvarkishares/tak
-      - kraftwerk_shared_rasenmaeher:/pvarkishares/rasenmaeher
       - kraftwerk_shared_bl:/pvarkishares/bl
-      - kraftwerk_data:/data/persistent
+      - kraftwerk_shared_rmmtx:/pvarkishares/rmmtx
       - le_certs:/le_certs
       - ca_public:/ca_public
 
@@ -491,7 +501,7 @@ services:
       NGINX_UI_UPSTREAM: "rmui"
       NGINX_UI_UPSTREAM_PORT: ${NGINX_UI_UPSTREAM_PORT:-8002}
       NGINX_CERT_NAME: "rasenmaeher"
-      NGINX_OCSP_UPSTREAM: *ocsphost
+      NGINX_OCSP_UPSTREAM: "ocsp"
       DNS_RESOLVER_IP: *dnsresolver
       NGINX_TEMPLATE_DIR: "templates_rasenmaeher"
     networks:
@@ -618,6 +628,103 @@ services:
 # End: Battlelog #
 ####################
 
+###################
+# Begin: MediaMTX #
+###################
+  rmmtx:
+    image: pvarki/rmmtx:local${DOCKER_TAG_EXTRA:-}
+    build:
+      context: ./mtxauthz
+      dockerfile: Dockerfile
+      target: production
+    environment:
+      <<: [*rmmtx_dbconfig_env]
+      RMMTX_API_URL: https://mtx.${SERVER_DOMAIN:-localmaeher.dev.pvarki.fi}:9997
+      RMMTX_MTX_ADDRESS: mtx.${SERVER_DOMAIN:-localmaeher.dev.pvarki.fi}
+      LOG_CONSOLE_FORMATTER: "local"
+      RMMTX_LOG_LEVEL: "debug"
+      UVICORN_LOG_LEVEL: "debug"
+    ports:
+      - "8005:8005"  # NOTE: Do *NOT* expose this in production, always pass through NGinx proxy
+    networks:
+      - productnet
+      - intranet
+      - dbnet
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    volumes:
+      - ca_public:/ca_public
+      - kraftwerk_shared_rmmtx:/pvarki
+    depends_on:
+      rmnginx:
+        condition: service_healthy
+      rmapi:
+        condition: service_healthy
+      postgres:
+        condition: service_healthy
+    healthcheck:
+      test: 'rmmtxauthz healthcheck || exit 1'
+      interval: 5s
+      timeout: 5s
+      retries: 3
+      start_period: 5s
+    restart: unless-stopped
+
+  mediamtx_cert_perms:  # FIXME: make a separate volume or something and copy the certs for correct user under it
+    image: bash:latest
+    volumes:
+      - le_certs:/le_certs
+    command: ["/usr/local/bin/bash", "-c", "chmod a+rwx -R /le_certs"]
+    depends_on:
+      miniwerk:
+        condition: service_completed_successfully
+
+  mediamtx:
+    image: bluenviron/mediamtx:1.12.3
+    networks:
+      - productnet
+      - intranet
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    volumes:
+      - ca_public:/ca_public
+      - le_certs:/le_certs
+      - ./mediamtx.yml:/mediamtx.yml
+    environment:
+      MTX_RTSPTRANSPORTS: "tcp"  # Can't do UDP without host mode network
+      MTX_WEBRTCADDITIONALHOSTS: *serverdomain
+    ports:
+      - "1936:1936"
+      - "8322:8322"
+      - "8890:8890"
+      - "9000:9000"
+      - "9001:9001"
+      - "9888:9888"
+      - "9889:9889"
+      - "9996:9996"
+      - "9997:9997"  # Control API
+      - "9998:9998"  # metrics: Do not expose in production
+      - "9999:9999"  # pprof: Do not expose in production
+      - "8890:8890/udp"
+      - "8189:8189/udp"
+    depends_on:
+      rmmtx:
+        condition: service_healthy
+      mediamtx_cert_perms:
+        condition: service_completed_successfully
+    healthcheck:
+      test: 'true'  # FIXME: Proper check
+      interval: 5s
+      timeout: 5s
+      retries: 3
+      start_period: 5s
+    restart: unless-stopped
+#################
+# End: MediaMTX #
+#################
+
+
+
 ##############
 # Begin: TAK #
 ##############
@@ -828,10 +935,12 @@ services:
       NGINX_BL_UPSTREAM_PORT: "3000"
       NGINX_TAK_UPSTREAM: "takconfig"  # Due to the sidecar thing we must use the config container as host
       NGINX_TAK_UPSTREAM_PORT: "8003"
+      NGINX_RMMTX_UPSTREAM: "rmmtx"
+      NGINX_RMMTX_UPSTREAM_PORT: "8005"
       NGINX_CERT_NAME: "rasenmaeher"
       NGINX_TEMPLATE_DIR: "templates_consolidated"
       CFSSL_OCSP_BIND_PORT: *oscpport
-      NGINX_OCSP_UPSTREAM: *ocsphost
+      NGINX_OCSP_UPSTREAM: "ocsp"
       DNS_RESOLVER_IP: *dnsresolver
     networks:
       - productnet
@@ -843,11 +952,13 @@ services:
       nginx_templates:
         condition: service_completed_successfully
       rmfpapi:
-        condition: service_healthy
+        condition: service_started
       blapi:
-        condition: service_healthy
+        condition: service_started
       takrmapi:
-        condition: service_healthy
+        condition: service_started
+      rmmtx:
+        condition: service_started
     healthcheck:
       test: 'curl -s localhost:5666/healthcheck || exit 1'
       interval: 5s
@@ -892,3 +1003,4 @@ volumes:
   nginx_templates:
   kraftwerk_shared_bl:
   blapi_data:
+  kraftwerk_shared_rmmtx: