turn-stack/65_bbox.sh at main · yboujraf/turn-stack · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
#!/usr/bin/env bash
set -euo pipefail
source ./90_lib.sh; load_env

[[ "${BBOX_ENABLE}" == "true" ]] || { info "BBox disabled; skipping"; exit 0; }

log "BBox: deps"
ensure_nginx_base
ensure_snap_certbot_cf

log "BBox: cert"
issue_cert "${BBOX_DOMAIN}" "${BBOX_PROPAGATION_SECONDS:-${CF_PROPAGATION_SECONDS:-30}}"

log "BBox: site & vhost"
WEBROOT=/var/www/bbox
mkdir -p "$WEBROOT"
cat > "$WEBROOT/index.html" <<'HTML'
<!doctype html>
<html><head><meta charset="utf-8"><title>Live</title></head>
<body>
<h1>Live</h1>
<p>Placeholder viewer page for Broadcast-Box.</p>
</body></html>
HTML

D='$'
cat > "/etc/nginx/sites-available/${BBOX_DOMAIN}.conf" <<NGX
server {
    listen 80; listen [::]:80;
    server_name ${BBOX_DOMAIN};
    return 301 https://${D}host${D}request_uri;
}
server {
    listen 443 ssl http2; listen [::]:443 ssl http2;
    server_name ${BBOX_DOMAIN};
    ssl_certificate     /etc/letsencrypt/live/${BBOX_DOMAIN}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${BBOX_DOMAIN}/privkey.pem;
    root /var/www/bbox;
    index index.html;
    # location /whip { proxy_pass http://127.0.0.1:8088/whip; proxy_http_version 1.1; }
    # location /api/ { proxy_pass http://127.0.0.1:8090/; }
}
NGX

if [[ "${BBOX_AUTH_ENABLE}" == "true" ]]; then
  HTPASS=/etc/nginx/.htpasswd-bbox
  build_htpasswd "${BBOX_AUTH_USERS}" "$HTPASS"
  realm="${BBOX_AUTH_REALM_TEMPLATE//%HOSTNAME%/${BBOX_DOMAIN}}"
  sed -i "/server_name ${BBOX_DOMAIN};/a \
    auth_basic \"${realm}\";\n    auth_basic_user_file ${HTPASS};\n" "/etc/nginx/sites-available/${BBOX_DOMAIN}.conf"
fi

nginx_enable_site "${BBOX_DOMAIN}"

log "BBox: report"
report_cert "${BBOX_DOMAIN}" || true
info "HTTP: $(curl_head https://${BBOX_DOMAIN})"