Add mediacache role | refs #32914

ansible/playbooks/site.yml

@@ -24,6 +24,8 @@
   tags: worker
 - import_playbook: mediaserver.yml
   tags: server
+- import_playbook: mediacache.yml
+  tags: mediacache
 - import_playbook: mediavault.yml
   tags: vault
 - import_playbook: mediaimport.yml

ansible/roles/mediacache/defaults/main.yml

+---
+
+# MediaCache data folder
+mediacache_folder: '/var/cache/nginx/mediacache'
+# MediaCache size in Gb
+mediacache_size: '10'
+
+server_firewall_enabled: true
+server_ferm_rules_filename: mediacache
+server_ferm_input_rules:
+  - proto:
+      - tcp
+    dport:
+      - 80
+      - 443
+server_ferm_output_rules: []
+server_ferm_global_settings:
+
+...

ansible/roles/mediacache/handlers/main.yml

+---
+
+- name: mscontroller restart
+  command:
+    cmd: mscontroller.py restart
+
+- name: restart nginx
+  systemd:
+    name: nginx
+    state: restarted
+
+- name: restart nginx on mediaservers
+  systemd:
+    name: nginx
+    state: restarted
+  delegate_to: "{{ item }}"
+  delegate_facts: true
+  loop: "{{ groups['mediaserver'] }}"
+...

ansible/roles/mediacache/meta/main.yml

+---
+
+dependencies:
+  - role: base
+  - role: nginx
+
+...

ansible/roles/mediacache/tasks/main.yml

+---
+
+- fail: msg="Please define the MediaCache DNS (mc_url variable) in your inventory for each MediaCache server"
+  when: (mc_url is not defined) or (mc_url|length == 0)
+
+- fail: msg="Please define the MediaServer DNS (ms_url variable) in your inventory for each MediaCache server"
+  when: (ms_url is not defined) or (ms_url|length == 0)
+
+- name: resolve domain name to localhost
+  when: not in_docker
+  lineinfile:
+    path: /etc/hosts
+    line: '127.0.1.1 {{ mc_url }}'
+    backup: true
+
+- name: prepare mediacache site configuration in nginx
+  template:
+    src: mediacache.j2
+    dest: /etc/nginx/sites-available/mediacache.conf
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: create mediacache data directory
+  file:
+    dest: '{{ mediacache_folder }}'
+    state: directory
+    owner: nginx
+    group: root
+    mode: '0700'
+
+- name: create mediacache site directory
+  file:
+    dest: /var/www/mediacache
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: prepare mediacache site index
+  template:
+    src: index.j2
+    dest: /var/www/mediacache/index.html
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: activate nginx mediacache configuration
+  notify: restart nginx
+  file:
+    src: /etc/nginx/sites-available/mediacache.conf
+    dest: /etc/nginx/sites-enabled/mediacache.conf
+    state: link
+
+- name: authorize mediacache on mediaserver
+  notify: restart nginx on mediaservers
+  lineinfile:
+    path: /etc/nginx/conf.d/mediaserver-securelink.conf
+    line: "{{'\t'}}{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }} 1;"
+    insertafter: '^geo'
+  delegate_to: "{{ item }}"
+  delegate_facts: true
+  loop: "{{ groups['mediaserver'] }}"
+ 
+# FIREWALL
+
+- name: firewall
+  when: server_firewall_enabled
+  vars:
+    ferm_rules_filename: "{{ server_ferm_rules_filename }}"
+    ferm_input_rules: "{{ server_ferm_input_rules }}"
+    ferm_output_rules: "{{ server_ferm_output_rules }}"
+    ferm_global_settings: "{{ server_ferm_global_settings }}"
+  include_role:
+    name: ferm-configure
+
+- meta: flush_handlers
+
+...
+

ansible/roles/mediacache/templates/index.j2

+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml">
+    <head>
+        <title>UbiCast cache server</title>
+        <style>
+            html { background: #222; color: #ddd; }
+            body { margin: 0 auto; max-width: 500px; }
+            a { color: #5cf; text-decoration: none; }
+            a:hover { text-decoration: underline; }
+        </style>
+    </head>
+    <body>
+        <h1>UbiCast cache server</h1>
+        <hr/>
+        <p>Powered by UbiCast -- <a href="https://www.ubicast.eu">https://www.ubicast.eu</a></p>
+    </body>
+</html>

ansible/roles/mediacache/templates/mediacache.j2

+proxy_cache_path {{ mediacache_folder }} levels=1:2 keys_zone=mediacache:10m max_size={{ mediacache_size }}g inactive=300s;
+
+server {
+    listen 80 default_server;
+
+    server_name {{ mc_url }};
+
+    location /.well-known/acme-challenge {
+        default_type "text/plain";
+        root /var/www/letsencrypt;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+
+}
+
+server {
+    listen 443 default_server ssl backlog=15000;
+
+    server_name {{ mc_url }};
+    root /var/www/mediacache/;
+
+    location /crossdomain {
+
+    }
+
+    location /streaming/ {
+        # Live; expiration headers are defined by upstream (nginx/wowza)
+        rewrite ^/(.*)$ /$1? break;
+        proxy_pass https://{{ ms_url }};
+        proxy_cache mediacache;
+
+        # do not consider secure urls as new files
+        proxy_cache_key $scheme$proxy_host$uri;
+
+        # only one request at a time will be allowed to populate a new cache element
+        proxy_cache_lock on;
+
+        # hide upstream X-Cache header
+        proxy_hide_header X-Cache;
+
+        # add own X-Cache header
+        add_header X-Cache $upstream_cache_status;
+
+        # rm cookie
+        proxy_hide_header       Set-Cookie;
+        proxy_ignore_headers    Set-Cookie;
+
+    }
+
+    location /resources/ {
+        # VOD
+        location ~ \.(m3u8|ts|mp4|mp3|oga|ogv|ogg|mov|flv)$ {
+            rewrite ^/(.*)$ /$1? break;
+            proxy_pass https://{{ ms_url }};
+            proxy_cache mediacache;
+
+            # do not consider secure urls as new files
+            proxy_cache_key $scheme$proxy_host$uri;
+
+            # only one request at a time will be allowed to populate a new cache element
+            proxy_cache_lock on;
+
+            # how long should the data be kept in the cache
+            proxy_cache_valid 200 7d;
+
+            # instruct browser to cache this
+            expires 7d;
+
+            # headers
+            proxy_ignore_headers "Cache-Control" "X-Accel-Expires" "Expires";
+            add_header X-Cache $upstream_cache_status;
+
+            # rm cookie
+            proxy_hide_header       Set-Cookie;
+            proxy_ignore_headers    Set-Cookie;
+
+        }
+
+    }
+
+    location / {
+        # only urls to video and audio files are allowed, discard any requested path for other urls
+        rewrite ^/(.*)$ /index.html? break;
+
+    }
+
+}