ott and stuff

.gitignore

@@ -4,4 +4,5 @@ registry/
 .vault-password
 *.private
 *.secret
-mail.txt
+mail.txt
+containers/opentogethertube

.vscode/tasks.json

@@ -160,6 +160,29 @@
             "panel": "dedicated"
         }
     },
+    {
+        "label": "Deploy: ott",
+        "type": "shell",
+        "command": "make deploy-ott",
+        "group": "build",
+        "presentation": {
+            "reveal": "always",
+            "panel": "dedicated"
+        }
+    },
+    {
+        "label": "Build & Push: ott",
+        "type": "shell",
+        "command": "make push-ott",
+        "group": "build",
+        "presentation": {
+            "reveal": "always",
+            "panel": "dedicated"
+        },
+        "options": {
+            "cwd": "${workspaceFolder}/containers/ott"
+        }
+    }
     // {
     //     "label": "Build & Push: <template>",
     //     "type": "shell",

containers/ott/makefile

@@ -0,0 +1,7 @@
+REGISTRY := git.secretbee.buzz
+
+build-ott:
+	cd opentogethertube && podman build --platform linux/arm64 -t $(REGISTRY)/bee/ott:latest --target docker-stage -f deploy/monolith.Dockerfile .
+
+push-ott: build-ott
+	podman push $(REGISTRY)/bee/ott:latest

playbooks/autodns/autodns.yml

@@ -10,4 +10,12 @@
               3865666132613130380a623737663837343438333837626338346565653735613435313164373663
               33316231366334623461303263386136656234613133373361353262346366636133396134663838
               3733353465643235653337306434396366623935303862633737
+
+$ANSIBLE_VAULT;1.1;AES256
+65666463616462633533663835383164353566326437333336616266333864333465613732346633
+6534633837373937393563633966343738316562653930610a346461613236653266303237306663
+66663234313832373939346539386633316465373861663862646537303662313564363038303164
+3865666132613130380a623737663837343438333837626338346565653735613435313164373663
+33316231366334623461303263386136656234613133373361353262346366636133396134663838
+3733353465643235653337306434396366623935303862633737
   tasks:

playbooks/letsencrypt/letsencrypt.yml

@@ -17,6 +17,7 @@
         - mail.secretbee.buzz
         - matrix.secretbee.buzz
         - gallery.secretbee.buzz
+        - ott.secretbee.buzz
 
     - name: Change permission on live
       ansible.builtin.file:

playbooks/nginx/sites-enabled/ott.secretbee.buzz

@@ -0,0 +1,33 @@
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+}
+
+server {
+    listen 443 ssl http2;
+    server_name ott.secretbee.buzz;
+
+    ssl_certificate /etc/letsencrypt/live/ott.secretbee.buzz/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/ott.secretbee.buzz/privkey.pem;
+    #deny all;
+
+    location / {
+        proxy_pass http://localhost:8080;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_cache_bypass $http_upgrade;
+        proxy_pass_header Set-Cookie;
+
+        # optional, but recommended if you have problem with clients disconnecting and reconnecting frequently
+        proxy_connect_timeout 7d;
+        proxy_read_timeout 7d;
+        proxy_send_timeout 7d;
+
+        proxy_socket_keepalive on;
+    }
+}

playbooks/ott/docker-compose.yml

@@ -0,0 +1,59 @@
+version: "3.7"
+services:
+  opentogethertube:
+    image: dyc3/opentogethertube:latest
+    container_name: opentogethertube
+    environment:
+      - PORT=8080
+      - REDIS_HOST=redis_db
+      - REDIS_PORT=6379
+      - FFPROBE_PATH=/usr/bin/ffprobe
+      # postgres
+      - POSTGRES_USER=opentogethertube
+      - POSTGRES_DB=opentogethertube
+      - POSTGRES_HOST=postgres_db
+      - POSTGRES_PASSWORD=postgres
+      - DOCKER=1
+    volumes:
+      - ./env:/app/env
+    ports:
+      - 8080:8080
+    links:
+      - redis_db
+      - postgres_db
+    depends_on:
+      - redis_db
+      - postgres_db
+
+  redis_db:
+    container_name: opentogethertube_redis
+    image: redis
+    healthcheck:
+      test: "redis-cli ping"
+    expose:
+      - 6379
+    volumes:
+      - db-data-redis:/data
+    restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
+
+  postgres_db:
+    container_name: opentogethertube_postgres
+    image: postgres:15-bullseye
+    environment:
+      - POSTGRES_DB=opentogethertube
+      - POSTGRES_USER=opentogethertube
+      - POSTGRES_PASSWORD=postgres
+    healthcheck:
+      test: "pg_isready -U opentogethertube"
+    expose:
+      - 5432
+    volumes:
+      - db-data-postgres:/var/lib/postgresql/data
+    restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
+
+# shared volume
+volumes:
+  db-data-redis:
+    driver: local
+  db-data-postgres:
+    driver: local

playbooks/ott/ott-db.container.j2

@@ -0,0 +1,18 @@
+[Unit]
+Description=OpenTogetherTube Postgres
+
+[Container]
+ContainerName=ott-db
+Image=docker.io/library/postgres:15-bullseye
+Network=ott.network
+Volume=/home/ott/data/postgres:/var/lib/postgresql/data
+Environment=POSTGRES_USER=opentogethertube
+Environment=POSTGRES_PASSWORD={{ ott_db_password }}
+Environment=POSTGRES_DB=opentogethertube
+HealthCmd=pg_isready -U opentogethertube
+
+[Service]
+Restart=on-failure
+
+[Install]
+WantedBy=default.target

playbooks/ott/ott-redis.container

@@ -0,0 +1,20 @@
+[Unit]
+Description=OpenTogetherTube Redis
+
+[Container]
+ContainerName=ott-redis
+Image=docker.io/library/redis:7-alpine
+Network=ott.network
+# Run as the in-image redis uid/gid (999) and let Podman chown the bind-mount
+# source to the matching mapped host uid (:U). Without this, redis-server drops
+# to the redis user but /data stays root-owned in the userns, so RDB saves fail
+# with EPERM.
+User=999:999
+Volume=/home/ott/data/redis:/data:U
+HealthCmd=redis-cli ping
+
+[Service]
+Restart=on-failure
+
+[Install]
+WantedBy=default.target

playbooks/ott/ott-server.container.j2

@@ -0,0 +1,28 @@
+[Unit]
+Description=OpenTogetherTube Server
+Requires=ott-db.service ott-redis.service
+After=ott-db.service ott-redis.service
+
+[Container]
+ContainerName=ott-server
+Image=git.secretbee.buzz/bee/ott:latest
+Network=ott.network
+PublishPort=127.0.0.1:8080:8080
+Volume=/home/ott/data/env:/app/env
+Environment=PORT=8080
+Environment=DOCKER=1
+Environment=FFPROBE_PATH=/usr/bin/ffprobe
+Environment=REDIS_HOST=ott-redis
+Environment=REDIS_PORT=6379
+Environment=DB_MODE=postgres
+Environment=POSTGRES_HOST=ott-db
+Environment=POSTGRES_PORT=5432
+Environment=POSTGRES_DB=opentogethertube
+Environment=POSTGRES_USER=opentogethertube
+Environment=POSTGRES_PASSWORD={{ ott_db_password }}
+
+[Service]
+Restart=on-failure
+
+[Install]
+WantedBy=default.target

playbooks/ott/ott.yml

@@ -0,0 +1,157 @@
+- name: OpenTogetherTube
+  hosts: beepi
+  become: true
+  vars:
+    user: ott
+    user_home: /home/ott
+    ott_db_password: !vault |
+              $ANSIBLE_VAULT;1.1;AES256
+              33383832303231323133626563623336323137383136623335653063623365616334613338373832
+              3862613733313565343164383437373165343134303637620a386438383839623431363163366137
+              31653061353731346261383565373433623938383033306332303035323762353761393435306661
+              6332663866323861330a653634666464316539396665626366386565306233346563303839616639
+              61363334373265633930636635663339343461383061353963633762326664376464
+    ott_api_key: !vault |
+              $ANSIBLE_VAULT;1.1;AES256
+              66616532636462386435626536656136366664643539653639393931653337303061326139356138
+              3665663430643332653931646637373733376639363262360a396430633663623135383731396430
+              34666563333239326131623337653765633132383136633231393561326566326536663135333035
+              3937626134376264340a323437626435373330376636353538653736376432643261393364303434
+              38656639303335633534613832313334373762336364343163623338393037323933343134366238
+              3532356231333830373063313936373830393035643731653735
+    google_api_key: !vault |
+              $ANSIBLE_VAULT;1.1;AES256
+              65336339346437343062633462393630356139623334353033653937306631336661383138613538
+              3735333930613365326366393461343462656530616462350a613636623738653232373266303031
+              36643835383361386161323431323562346666366236666163643936613538616633303663323132
+              3063366466353937390a633162663635373962313464363166653339353662613162376534623634
+              66336137383963326461306530636439376465646633356139333739333536396639373861613866
+              3862376437303236373564393461336263346634393834376562
+    ott_session_secret: !vault |
+              $ANSIBLE_VAULT;1.1;AES256
+              34376530366330626433306637633034663237326234373738613934356131386466323530303333
+              6264303933366264623564316638383365643134663437650a326165383538376636323237663962
+              36366362663930633231346230643132386565373733633262303234326636373864626362393031
+              6534313162396137630a326532663037323161316339643163366532626632336632616535303734
+              37356562626337366638313666326135343837323665343233363833663961373939336562343462
+              31323638383336313466643137643037343265613534333963366336666133303031316231313061
+              63376166666261316436356435623365343335643133326465386239396136363739366635653037
+              33363965666364376364393132643562633831316361346562386662666637343263363064346136
+              6162
+  tasks:
+    - name: Install dependencies
+      ansible.builtin.apt:
+        name: "{{ item }}"
+        state: present
+      loop:
+        - podman
+        - systemd-container
+        - passt
+
+    - name: Create user
+      ansible.builtin.user:
+        name: "{{ user }}"
+        home: "{{ user_home }}"
+        shell: /usr/sbin/nologin
+        create_home: true
+      register: user_info
+
+    - name: Enable linger
+      ansible.builtin.command:
+        cmd: "loginctl enable-linger {{ user }}"
+        creates: "/var/lib/systemd/linger/{{ user }}"
+
+    - name: Create quadlet directory
+      ansible.builtin.file:
+        path: "{{ user_home }}/.config/containers/systemd"
+        state: directory
+        owner: "{{ user }}"
+        group: "{{ user }}"
+        mode: '0755'
+
+    - name: Create data directories
+      ansible.builtin.file:
+        path: "{{ user_home }}/data/{{ item }}"
+        state: directory
+        owner: "{{ user }}"
+        group: "{{ user }}"
+        mode: '0755'
+      loop:
+        - postgres
+        - redis
+        - env
+
+    - name: Copy production.toml
+      ansible.builtin.template:
+        src: production.toml.j2
+        dest: "{{ user_home }}/data/env/production.toml"
+        owner: "{{ user }}"
+        group: "{{ user }}"
+        mode: '0600'
+
+    - name: Copy network
+      ansible.builtin.copy:
+        dest: "{{ user_home }}/.config/containers/systemd/ott.network"
+        content: "[Network]\n"
+        owner: "{{ user }}"
+        group: "{{ user }}"
+        mode: '0644'
+
+    - name: Deploy db quadlet
+      ansible.builtin.template:
+        src: ott-db.container.j2
+        dest: "{{ user_home }}/.config/containers/systemd/ott-db.container"
+        owner: "{{ user }}"
+        group: "{{ user }}"
+        mode: '0600'
+
+    - name: Deploy redis quadlet
+      ansible.builtin.copy:
+        src: ott-redis.container
+        dest: "{{ user_home }}/.config/containers/systemd/ott-redis.container"
+        owner: "{{ user }}"
+        group: "{{ user }}"
+        mode: '0644'
+
+    - name: Deploy server quadlet
+      ansible.builtin.template:
+        src: ott-server.container.j2
+        dest: "{{ user_home }}/.config/containers/systemd/ott-server.container"
+        owner: "{{ user }}"
+        group: "{{ user }}"
+        mode: '0600'
+
+    - name: Reload user systemd
+      become: true
+      become_user: "{{ user }}"
+      environment:
+        XDG_RUNTIME_DIR: "/run/user/{{ user_info.uid }}"
+        DBUS_SESSION_BUS_ADDRESS: "unix:path=/run/user/{{ user_info.uid }}/bus"
+      ansible.builtin.systemd:
+        daemon_reload: true
+        scope: user
+
+    - name: Start user manager
+      ansible.builtin.systemd:
+        name: "user@{{ user_info.uid }}.service"
+        state: started
+
+    - name: Start ott-server
+      become: true
+      become_user: "{{ user }}"
+      environment:
+        XDG_RUNTIME_DIR: "/run/user/{{ user_info.uid }}"
+        DBUS_SESSION_BUS_ADDRESS: "unix:path=/run/user/{{ user_info.uid }}/bus"
+      ansible.builtin.systemd:
+        name: ott-server.service
+        state: started
+        scope: user
+
+    - name: Debug
+      ansible.builtin.debug:
+        msg:
+          - "Service status: systemctl --user --machine {{ user_info.name }}@.host status ott-server"
+          - "Read logs: sudo journalctl _UID={{ user_info.uid }} -n 200 --no-pager"
+          - "Shell: machinectl shell {{ user_info.name }}@.host /bin/bash"
+      tags:
+        - always

playbooks/ott/production.toml.j2

@@ -0,0 +1,15 @@
+hostname="localhost:8080"
+
+log = { level="info" }
+
+api_key="{{ ott_api_key }}"
+session_secret="{{ ott_api_key }}"
+
+[info_extractor.youtube]
+api_key="{{ google_api_key }}"
+
+[add_preview.search]
+enabled=false
+
+[users]
+enable_registration=false