diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 71bf1f0348a..f39c749ac4a 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -108,6 +108,15 @@ updates:
 labels:
 - 3. to review
 - dependencies
+- package-ecosystem: "docker"
+ directory: "/Containers/talk-recording"
+ schedule:
+ interval: "daily"
+ time: "12:00"
+ open-pull-requests-limit: 10
+ labels:
+ - 3. to review
+ - dependencies
 - package-ecosystem: "docker"
 directory: "/Containers/watchtower"
 schedule:
diff --git a/.github/workflows/talk.yml b/.github/workflows/talk.yml
new file mode 100644
index 00000000000..79834ce5238
--- /dev/null
+++ b/.github/workflows/talk.yml
@@ -0,0 +1,46 @@
+name: talk-update
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: '00 12 * * *'
+
+ jobs:
+ run_update:
+ name: update talk
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Run talk-update
+ run: |
+ # Spreed
+ spreed_version="$(
+ git ls-remote https://github.com/nextcloud/spreed v*.*.* \
+ | cut -d/ -f3 \
+ | sort -V \
+ | grep -E "^v[0-9]+\.[0-9]+\.[0-9]+$" \
+ | tail -1
+ )"
+ sed -i "s|git clone --recursive https://github.com/nextcloud/spreed --branch .* /src; \\\|git clone --recursive https://github.com/nextcloud/spreed --depth=1 --single-branch --branch $spreed_version /src; \\\|" ./Containers/talk-recording/Dockerfile
+ curl -L "https://raw.githubusercontent.com/nextcloud/spreed/$spreed_version/recording/server.conf.in" -o Containers/talk-recording/recording.conf
+
+ # Signaling
+ signaling_version="$(
+ git ls-remote https://github.com/strukturag/nextcloud-spreed-signaling v*.*.* \
+ | cut -d/ -f3 \
+ | sort -V \
+ | grep -E "^v[0-9]+\.[0-9]+\.[0-9]+$" \
+ | tail -1
+ )"
+ curl -L "https://raw.githubusercontent.com/strukturag/nextcloud-spreed-signaling/$signaling_version/server.conf.in" -o Containers/talk/server.conf.in
+
+ - name: Create Pull Request
+ uses: peter-evans/create-pull-request@v5
+ with:
+ commit-message: talk-update automated change
+ signoff: true
+ title: talk update
+ body: Automated talk container update
+ labels: dependencies, 3. to review
+ milestone: next
+ branch: talk-container-update
diff --git a/Containers/talk-recording/Dockerfile b/Containers/talk-recording/Dockerfile
new file mode 100644
index 00000000000..1d2e69606f1
--- /dev/null
+++ b/Containers/talk-recording/Dockerfile
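Review bot: The `sed -i` in the Spreed part of the `run:` script can never match the Dockerfile it edits: its search pattern expects `spreed --branch .* /src;`, but Containers/talk-recording/Dockerfile (added in this commit) reads `spreed --depth=1 --single-branch --branch v16.0.3 /src;`, and the replacement text writes that same `--depth=1 --single-branch` form, so the version pin is silently never bumped while sed still exits 0. Both `curl -L` calls lack `--fail`, so a 404 — for instance when `spreed_version` is empty because the `git ls-remote` pipeline failed (the default `run` shell is `bash -e` without `pipefail`, and the pipeline's status is that of `tail`) — writes the error page into recording.conf or server.conf.in and the next step commits it. Guard the derived versions, fetch with `curl -fsSL`, and quote the `v*.*.*` glob so the shell cannot expand it against the checkout. Since this workflow pushes commits to the repository, `actions/checkout@v3` and `peter-evans/create-pull-request@v5` should be pinned to full commit SHAs (with the version in a trailing comment) rather than floating major tags.
```yaml
      run: |
        set -euo pipefail
        # Spreed
        # … unchanged: git ls-remote | cut | sort -V | grep | tail pipeline assigning spreed_version …
        [ -n "$spreed_version" ] || { echo "could not determine latest spreed tag" >&2; exit 1; }
        sed -i "s|git clone --recursive https://github.com/nextcloud/spreed --depth=1 --single-branch --branch .* /src; \\\|git clone --recursive https://github.com/nextcloud/spreed --depth=1 --single-branch --branch $spreed_version /src; \\\|" ./Containers/talk-recording/Dockerfile
        curl -fsSL "https://raw.githubusercontent.com/nextcloud/spreed/$spreed_version/recording/server.conf.in" -o Containers/talk-recording/recording.conf
        # … unchanged: signaling block, with the same [ -n ] guard and curl -fsSL …
```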
@@ -0,0 +1,43 @@
+FROM python:3.11.3-alpine3.18
+
+COPY --chmod=775 start.sh /start.sh
+COPY --chmod=664 recording.conf /etc/recording.conf
+
+RUN set -ex; \
+ apk add --no-cache \
+ ca-certificates \
+ tzdata \
+ bash \
+ xvfb \
+ ffmpeg \
+ firefox \
+ libpulse \
+ bind-tools \
+ netcat-openbsd \
+ git \
+ wget \
+ shadow \
+ openssl; \
+ # chromium chromium-chromedriver?
+ apk add --no-cache geckodriver --repository http://dl-cdn.alpinelinux.org/alpine/edge/testing; \
+ useradd -d /tmp --system recording; \
+# Give root a random password
+ echo "root:$(openssl rand -base64 12)" | chpasswd; \
+ git clone --recursive https://github.com/nextcloud/spreed --depth=1 --single-branch --branch v16.0.3 /src; \
+ mv -v /src/recording/pyproject.toml /src/recording/src/pyproject.toml; \
+ python3 -m pip install /src/recording/src; \
+ rm -rf /src; \
+ chown recording:recording-R \
+ /tmp; \
+ apk del --no-cache \
+ git \
+ wget \
+ shadow \
+ openssl;
+
+USER recording
+ENTRYPOINT ["/start.sh"]
+CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/etc/recording.conf"]
+
+HEALTHCHECK CMD nc -z localhost 1234 || exit 1
+LABEL com.centurylinklabs.watchtower.monitor-only="true"
diff --git a/Containers/talk-recording/recording.conf b/Containers/talk-recording/recording.conf
new file mode 100644
index 00000000000..5495333cc96
--- /dev/null
+++ b/Containers/talk-recording/recording.conf
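Review bot: `chown recording:recording-R \` is missing the space before `-R`, so chown is asked to use a group named `recording-R`, fails, and under `set -ex` the whole image build aborts; it should read `chown -R recording:recording /tmp;`. Separately, `COPY --chmod=664 recording.conf /etc/recording.conf` leaves the file owned by root, yet the process runs as `USER recording` and Containers/talk-recording/start.sh (added in this commit) rewrites /etc/recording.conf with a heredoc at startup — that write will be refused and the container then starts on the unconfigured template. Either `chown recording:recording /etc/recording.conf` in the RUN step or have start.sh render the config into a directory the user owns and pass that path to `--config`. The geckodriver repository is referenced over plain `http://`; apk's signature check limits tampering in transit, but prefer `https://dl-cdn.alpinelinux.org/alpine/edge/testing`, and note that pulling from edge/testing into a 3.18 image makes the geckodriver version float between builds, so a version comment beside that line would help reproducibility.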
@@ -0,0 +1,111 @@
+[logs]
+# Log level based on numeric values of Python logging levels:
+# - Critical: 50
+# - Error: 40
+# - Warning: 30
+# - Info: 20
+# - Debug: 10
+# - Not set: 0
+#level = 20
+
+[http]
+# IP and port to listen on for HTTP requests.
+listen = 0.0.0.0:1234
+
+[backend]
+# Allow any hostname as backend endpoint. This is extremely insecure and should
+# only be used during development.
+#allowall = false
+
+# Common shared secret for requests from and to the backend servers if
+# "allowall" is enabled. This must be the same value as configured in the
+# Nextcloud admin ui.
+#secret = the-shared-secret
+
+# Comma-separated list of backend ids allowed to connect.
+#backends = backend-id, another-backend
+
+# If set to "true", certificate validation of backend endpoints will be skipped.
+# This should only be enabled during development, e.g. to work with self-signed
+# certificates.
+# Overridable by backend.
+#skipverify = false
+
+# Maximum allowed size in bytes for messages sent by the backend.
+# Overridable by backend.
+#maxmessagesize = 1024
+
+# Width for recorded videos.
+# Overridable by backend.
+#videowidth = 1920
+
+# Height for recorded videos.
+# Overridable by backend.
+#videoheight = 1080
+
+# Temporary directory used to store recordings until uploaded. It must be
+# writable by the user running the recording server.
+# Overridable by backend.
+#directory = /tmp
+
+# Backend configurations as defined in the "[backend]" section above. The
+# section names must match the ids used in "backends" above.
+#[backend-id]
+# URL of the Nextcloud instance
+#url = https://cloud.domain.invalid
+
+# Shared secret for requests from and to the backend servers. This must be the
+# same value as configured in the Nextcloud admin ui.
+#secret = the-shared-secret
+
+#[another-backend]
+# URL of the Nextcloud instance
+#url = https://cloud.otherdomain.invalid
+
+# Shared secret for requests from and to the backend servers. This must be the
+# same value as configured in the Nextcloud admin ui.
+#secret = the-shared-secret
+
+[signaling]
+# Common shared secret for authenticating as an internal client of signaling
+# servers if a specific secret is not set for a signaling server. This must be
+# the same value as configured in the signaling server configuration file.
+#internalsecret = the-shared-secret-for-internal-clients
+
+# Comma-separated list of signaling servers with specific internal secrets.
+#signalings = signaling-id, another-signaling
+
+# Signaling server configurations as defined in the "[signaling]" section above.
+# The section names must match the ids used in "signalings" above.
+#[signaling-id]
+# URL of the signaling server
+#url = https://signaling.domain.invalid
+
+# Shared secret for authenticating as an internal client of signaling servers.
+# This must be the same value as configured in the signaling server
+# configuration file.
+#internalsecret = the-shared-secret-for-internal-clients
+
+#[another-signaling]
+# URL of the signaling server
+#url = https://signaling.otherdomain.invalid
+
+# Shared secret for authenticating as an internal client of signaling servers.
+# This must be the same value as configured in the signaling server
+# configuration file.
+#internalsecret = the-shared-secret-for-internal-clients
+
+[ffmpeg]
+# The options given to FFmpeg to encode the audio output. The options given here
+# fully override the default options for the audio output.
+#outputaudio = -c:a libopus
+
+# The options given to FFmpeg to encode the video output. The options given here
+# fully override the default options for the video output.
+#outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
+
+# The extension of the file for audio only recordings.
+#extensionaudio = .ogg
+
+# The extension of the file for audio and video recordings.
+#extensionvideo = .webm
diff --git a/Containers/talk-recording/start.sh b/Containers/talk-recording/start.sh
new file mode 100644
index 00000000000..907e1f82268
--- /dev/null
+++ b/Containers/talk-recording/start.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+# Variables
+if [ -z "$NC_DOMAIN" ]; then
+ echo "You need to provide the NC_DOMAIN."
+ exit 1
+elif [ -z "$RECORDING_SECRET" ]; then
+ echo "You need to provide the RECORDING_SECRET."
+ exit 1
+elif [ -z "$INTERNAL_SECRET" ]; then
+ echo "You need to provide the INTERNAL_SECRET."
+ exit 1
+fi
+
+cat << RECORDING_CONF > "/etc/recording.conf"
+[logs]
+level = 30
+
+[http]
+listen = 0.0.0.0:1234
+
+[backend]
+allowall = false
+# TODO: remove secret below when https://github.com/nextcloud/spreed/issues/9580 is fixed
+secret = ${RECORDING_SECRET}
+backends = backend-1
+skipverify = false
+maxmessagesize = 1024
+videowidth = 1920
+videoheight = 1080
+directory = /tmp
+
+[backend-1]
+url = https://${NC_DOMAIN}
+secret = ${RECORDING_SECRET}
+skipverify = false
+
+[signaling]
+signalings = signaling-1
+
+[signaling-1]
+url = https://${NC_DOMAIN}/standalone-signaling/
+internalsecret = ${INTERNAL_SECRET}
+
+[ffmpeg]
+# outputaudio = -c:a libopus
+# outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
+extensionaudio = .ogg
+extensionvideo = .webm
+RECORDING_CONF
+
+exec "$@"
diff --git a/Containers/talk/Dockerfile b/Containers/talk/Dockerfile
index bc6ab53db8a..1d5f38993aa 100644
--- a/Containers/talk/Dockerfile
+++ b/Containers/talk/Dockerfile
@@ -63,7 +63,7 @@ ENV TALK_PORT=3478
 USER talk
 ENTRYPOINT ["start.sh"]
-CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
+CMD ["supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD (nc -z localhost 8081 && nc -z localhost 8188 && nc -z localhost 4222 && nc -z localhost "$TALK_PORT" && nc -z "$NC_DOMAIN" "$TALK_PORT") || exit 1
 LABEL com.centurylinklabs.watchtower.monitor-only="true"
diff --git a/Containers/talk/start.sh b/Containers/talk/start.sh
index eac736167cd..fc0ca93bb60 100644
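Review bot: The script runs without `set -e`, so if the `cat << RECORDING_CONF > "/etc/recording.conf"` redirection fails the failure is ignored and `exec "$@"` starts the recording server with whatever /etc/recording.conf already held; in this image that file is the root-owned template copied by the Dockerfile while the process runs as `recording`, so this write is the one that will be refused (raised on the Dockerfile hunk). Add `set -e` directly below the shebang, or render the config into a path the user owns, so a failed render is fatal rather than silent. The heredoc also pastes `${NC_DOMAIN}`, `${RECORDING_SECRET}` and `${INTERNAL_SECRET}` unescaped into INI lines, and the `-z` checks above only reject empty values; a comment such as `# values are inserted verbatim into the INI below and must be single-line` above the heredoc, or a check that rejects embedded newlines, would document that assumption next to the existing checks.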
--- a/Containers/talk/start.sh
+++ b/Containers/talk/start.sh
@@ -10,6 +10,9 @@ elif [ -z "$TURN_SECRET" ]; then
 elif [ -z "$SIGNALING_SECRET" ]; then
 echo "You need to provide the SIGNALING_SECRET."
 exit 1
+elif [ -z "$INTERNAL_SECRET" ]; then
+ echo "You need to provide the INTERNAL_SECRET."
+ exit 1
 fi
 set -x
@@ -63,7 +66,7 @@ hashkey = $(openssl rand -hex 16)
 blockkey = $(openssl rand -hex 16)
 [clients]
-internalsecret = $(openssl rand -hex 16)
+internalsecret = ${INTERNAL_SECRET}
 [backend]
 backends = backend-1
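Review bot: The second hunk replaces a per-start random `internalsecret` with the operator-supplied `${INTERNAL_SECRET}`, but nothing in the file records why the value is now long-lived or where it must also be set; the same variable is consumed by Containers/talk-recording/start.sh in this commit, and the two containers only interoperate when both receive the identical value. Add a comment above the line, e.g. `# Must match INTERNAL_SECRET of the talk-recording container, which authenticates as an internal client`. The `-z` check in the first hunk sits before `set -x`, consistent with the existing secret checks; the enclosing if/elif chain starts above the hunk, and the README or compose documentation that lists the other required variables (outside this diff) should gain INTERNAL_SECRET too.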