dakriy 2985d8554a
feat(legacy): trused header sso auth (#3095)
### Description

Allows LibreTime to support Trusted Header SSO Authentication.

**This is a new feature**:

Yes

**I have updated the documentation to reflect these changes**:

Yes

### Testing Notes

**What I did:**

I spun up an Authelia/Traefik pair and configured them to protect
LibreTime according to Authelia's documentation, I then tested that you
could log in via the trusted headers, and tested that old methods of
authentication were not affected.

**How you can replicate my testing:**

Using the following `docker-compose.yml` file

```yml
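# Test stack for LibreTime trusted-header SSO: Traefik terminates TLS, the
# `authelia@docker` forwardAuth middleware authenticates the browser session,
# and Authelia's Remote-* response headers are forwarded to LibreTime's nginx.
services:
  postgres:
    image: postgres:15
    networks:
      - internal
    volumes:
      - postgres_data:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: ${POSTGRES_USER:-libretime}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-libretime} # Change me !
    healthcheck:
      # Probe with the same role the container was initialised with, so an
      # overridden POSTGRES_USER does not leave the healthcheck checking a
      # role that does not exist.
      test: pg_isready -U ${POSTGRES_USER:-libretime}

  rabbitmq:
    image: rabbitmq:3.13-alpine
    networks:
      - internal
    environment:
      RABBITMQ_DEFAULT_VHOST: ${RABBITMQ_DEFAULT_VHOST:-/libretime}
      RABBITMQ_DEFAULT_USER: ${RABBITMQ_DEFAULT_USER:-libretime}
      RABBITMQ_DEFAULT_PASS: ${RABBITMQ_DEFAULT_PASS:-libretime} # Change me !
    healthcheck:
      test: nc -z 127.0.0.1 5672

  playout:
    image: ghcr.io/libretime/libretime-playout:${LIBRETIME_VERSION:-latest}
    networks:
      - internal
    init: true
    ulimits:
      nofile: 1024
    depends_on:
      - rabbitmq
    volumes:
      - ${LIBRETIME_CONFIG_FILEPATH:-./config.yml}:/etc/libretime/config.yml:ro
      - libretime_playout:/app
    environment:
      # Container-to-container URL over the `internal` network; this is not
      # the browser-facing public URL (that one is set in config.yml).
      LIBRETIME_GENERAL_PUBLIC_URL: http://nginx:8080

  liquidsoap:
    image: ghcr.io/libretime/libretime-playout:${LIBRETIME_VERSION:-latest}
    networks:
      - internal
    command: /usr/local/bin/libretime-liquidsoap
    init: true
    ulimits:
      nofile: 1024
    ports:
      # Stream/harbor ports; these do not carry the SSO headers, so publishing
      # them is unrelated to the authentication path.
      - '8001:8001'
      - '8002:8002'
    depends_on:
      - rabbitmq
    volumes:
      - ${LIBRETIME_CONFIG_FILEPATH:-./config.yml}:/etc/libretime/config.yml:ro
      - libretime_playout:/app
    environment:
      LIBRETIME_GENERAL_PUBLIC_URL: http://nginx:8080

  analyzer:
    image: ghcr.io/libretime/libretime-analyzer:${LIBRETIME_VERSION:-latest}
    networks:
      - internal
    init: true
    ulimits:
      nofile: 1024
    depends_on:
      - rabbitmq
    volumes:
      - ${LIBRETIME_CONFIG_FILEPATH:-./config.yml}:/etc/libretime/config.yml:ro
      - libretime_storage:/srv/libretime
    environment:
      LIBRETIME_GENERAL_PUBLIC_URL: http://nginx:8080

  worker:
    image: ghcr.io/libretime/libretime-worker:${LIBRETIME_VERSION:-latest}
    networks:
      - internal
    init: true
    ulimits:
      nofile: 1024
    depends_on:
      - rabbitmq
    volumes:
      - ${LIBRETIME_CONFIG_FILEPATH:-./config.yml}:/etc/libretime/config.yml:ro
    environment:
      LIBRETIME_GENERAL_PUBLIC_URL: http://nginx:8080

  api:
    image: ghcr.io/libretime/libretime-api:${LIBRETIME_VERSION:-latest}
    networks:
      - internal
    init: true
    ulimits:
      nofile: 1024
    depends_on:
      - postgres
      - rabbitmq
    volumes:
      - ${LIBRETIME_CONFIG_FILEPATH:-./config.yml}:/etc/libretime/config.yml:ro
      - libretime_storage:/srv/libretime

  legacy:
    image: ghcr.io/libretime/libretime-legacy:${LIBRETIME_VERSION:-latest}
    networks:
      - internal
    init: true
    ulimits:
      nofile: 1024
    depends_on:
      - postgres
      - rabbitmq
    volumes:
      - ${LIBRETIME_CONFIG_FILEPATH:-./config.yml}:/etc/libretime/config.yml:ro
      - libretime_assets:/var/www/html
      - libretime_storage:/srv/libretime

  nginx:
    image: nginx
    networks:
      - internal
      - net
    # Deliberately NOT published on the host (no `ports:` entry). With
    # `general.auth: LibreTime_Auth_Adaptor_Header` the legacy app trusts the
    # Remote-User/Remote-Groups/... headers that Authelia sets and Traefik
    # copies into the upstream request (`authResponseHeaders` below). If nginx
    # were reachable directly, e.g. via `ports: ['8080:8080']`, a client could
    # send those headers itself and bypass Authelia entirely, unless the header
    # adaptor also restricts the source address (not verified here). Traefik
    # reaches nginx over the `net` network on port 8080 instead
    # (`loadbalancer.server.port` below), so nothing else needs the publish.
    depends_on:
      - legacy
    volumes:
      - libretime_assets:/var/www/html:ro
      - libretime_storage:/srv/libretime:ro
      - ${NGINX_CONFIG_FILEPATH:-./nginx.conf}:/etc/nginx/conf.d/default.conf:ro
    labels:
      - 'traefik.enable=true'
      # Assumes the compose project is named `libretime` (networks are
      # namespaced as `<project>_<network>`); adjust if you use another name.
      - 'traefik.docker.network=libretime_net'
      - 'traefik.http.routers.libretime.rule=Host(`libretime.example.com`)'
      - 'traefik.http.routers.libretime.entrypoints=https'
      - 'traefik.http.routers.libretime.tls=true'
      - 'traefik.http.routers.libretime.tls.options=default'
      # Every request to LibreTime goes through Authelia first.
      - 'traefik.http.routers.libretime.middlewares=authelia@docker'
      - 'traefik.http.services.libretime.loadbalancer.server.port=8080'

  icecast:
    image: ghcr.io/libretime/icecast:2.4.4
    networks:
      - internal
    ports:
      - '8000:8000'
    environment:
      ICECAST_SOURCE_PASSWORD: ${ICECAST_SOURCE_PASSWORD:-hackme} # Change me !
      ICECAST_ADMIN_PASSWORD: ${ICECAST_ADMIN_PASSWORD:-hackme} # Change me !
      ICECAST_RELAY_PASSWORD: ${ICECAST_RELAY_PASSWORD:-hackme} # Change me !

  traefik:
    image: traefik:v2.11.12
    container_name: traefik
    volumes:
      # The Docker socket gives Traefik (and anything that compromises it)
      # control over the Docker daemon on the host. Acceptable for a throwaway
      # test stack; front it with a socket proxy for anything longer-lived.
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - net
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.api.rule=Host(`traefik.example.com`)'
      - 'traefik.http.routers.api.entrypoints=https'
      - 'traefik.http.routers.api.service=api@internal'
      - 'traefik.http.routers.api.tls=true'
      - 'traefik.http.routers.api.tls.options=default'
      - 'traefik.http.routers.api.middlewares=authelia@docker'
    ports:
      - '80:80'
      - '443:443'
    command:
      - '--api'
      - '--providers.docker=true'
      # Only containers carrying `traefik.enable=true` are routed.
      - '--providers.docker.exposedByDefault=false'
      - '--entrypoints.http=true'
      - '--entrypoints.http.address=:80'
      - '--entrypoints.http.http.redirections.entrypoint.to=https'
      - '--entrypoints.http.http.redirections.entrypoint.scheme=https'
      - '--entrypoints.https=true'
      - '--entrypoints.https.address=:443'
      - '--log=true'
      # DEBUG is for this test only; it logs request details you would not
      # want in a real deployment.
      - '--log.level=DEBUG'

  authelia:
    # Unpinned tag; pin a release for reproducible testing.
    image: authelia/authelia
    container_name: authelia
    networks:
      - net
    volumes:
      - ./authelia:/config
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.authelia.rule=Host(`auth.example.com`)'
      - 'traefik.http.routers.authelia.entrypoints=https'
      - 'traefik.http.routers.authelia.tls=true'
      - 'traefik.http.routers.authelia.tls.options=default'
      # Authelia's documented Traefik forwardAuth settings. `authResponseHeaders`
      # lists the headers copied from Authelia's response into the request
      # sent upstream; they are the headers the LibreTime header adaptor reads.
      - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth'  # yamllint disable-line rule:line-length
      - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
      - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'  # yamllint disable-line rule:line-length
      - 'traefik.http.services.authelia.loadbalancer.server.port=9091'
    restart: unless-stopped
    environment:
      - TZ=America/Los_Angeles

volumes:
  postgres_data: {}
  libretime_storage: {}
  libretime_assets: {}
  libretime_playout: {}

networks:
  # `internal` carries only service-to-service traffic; `net` is the network
  # Traefik uses to reach nginx and Authelia.
  internal: {}
  net: {}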
```

The following libretime dev config modification:
```yml
# LibreTime configuration changes needed for the trusted-header test.
general:
  # Browser-facing URL; must be the host Traefik routes to LibreTime.
  public_url: 'https://libretime.example.com'
  # Select the trusted-header adaptor so the Remote-* headers forwarded by
  # the proxy are used for login instead of the local password check.
  auth: 'LibreTime_Auth_Adaptor_Header'

header_auth:
  # Maps each LibreTime role to the SSO group name that grants it; the test
  # user below is in `lt-admin` and therefore gets the `admin` role.
  group_map:
    host: 'lt-host'
    program_manager: 'lt-pm'
    admin: 'lt-admin'
    superadmin: 'lt-superadmin'
```

And the following authelia config file:

```yml
---
###############################################################
#          Authelia configuration (local test stack)          #
###############################################################

# Listen on the port Traefik's forwardAuth middleware targets (9091).
server:
  address: 'tcp://:9091'
  buffers:
    read: 16384
    write: 16384

# Debug logging is for this test only.
log:
  level: 'debug'

totp:
  issuer: 'authelia.com'

# Placeholder secrets: fine for a throwaway local test, never for a real
# deployment. Generate random values for each of them. # Change me !
identity_validation:
  reset_password:
    jwt_secret: 'a_very_important_secret'

session:
  secret: 'insecure_session_secret' # Change me !
  cookies:
    - name: 'authelia_session'
      domain: 'example.com'  # Should match whatever your root protected domain is
      authelia_url: 'https://auth.example.com'
      expiration: '1 hour'  # 1 hour
      inactivity: '5 minutes'  # 5 minutes

storage:
  encryption_key: 'you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this' # Change me !
  local:
    path: '/config/db.sqlite3'

# Flat-file user store (see users_database.yml).
authentication_backend:
  file:
    path: '/config/users_database.yml'

# Deny by default; only the two hosts below are reachable, and only after a
# successful first-factor login.
access_control:
  default_policy: 'deny'
  rules:
    - domain: 'traefik.example.com'
      policy: 'one_factor'
    - domain: 'libretime.example.com'
      policy: 'one_factor'

# Brute-force protection for the login form.
regulation:
  max_retries: 3
  find_time: '2 minutes'
  ban_time: '5 minutes'

# Notifications (password reset, etc.) are written to a file instead of sent.
notifier:
  filesystem:
    filename: '/config/notification.txt'
```

And the following authelia users database:

```yml
---
###############################################################
#                  Users Database (test stack)                #
###############################################################

# Flat-file backend used instead of LDAP for this test.

users:
  # Test account; the hash below corresponds to the password `password`
  # (as used in the testing steps) and must be kept byte-for-byte.
  test:
    disabled: false
    displayname: 'First Last'
    password: "$argon2id$v=19$m=16,t=2,p=1$SWVVVzcySlRLUEFkWWh2eA$qPs1ZmzmDXR/9WckDzIN9Q"
    email: test@example.com
    # `lt-admin` is the group mapped to LibreTime's `admin` role in
    # `header_auth.group_map`; the other groups are not used by LibreTime here.
    groups:
      - admins
      - dev
      - lt-admin
```

add the following entries to your `hosts` file:

```
127.0.0.1 traefik.example.com
127.0.0.1 auth.example.com
127.0.0.1 libretime.example.com
```

Then visit `libretime.example.com` in your browser and log in as the
user `test` with the password `password`. You should be redirected to the
LibreTime homepage, and when you click Login you should be signed in
automatically without entering credentials again.

### **Links**

https://www.authelia.com/integration/trusted-header-sso/introduction/
https://doc.traefik.io/traefik/middlewares/http/forwardauth/

---------

Co-authored-by: Kyle Robbertze <paddatrapper@users.noreply.github.com>
2024-12-07 10:21:57 +00:00
Harry W 70735d4431
docs: use new docker compose command (#3054)
Improve the Docker install documentation, along with the `docker
compose` commands.
2024-07-06 10:48:30 +01:00
Kyle Robbertze 6432efd791
docs: fix typo (#3027)
Minor typo that was being picked up by pre-commit
2024-06-05 16:54:12 +01:00
Jonas L f1c7dd89f1
docs: prevent reverse proxy from constraining the upload limits (#2984)
### Description

The upload limit settings are configured in the LibreTime nginx config,
but they must also be set in the reverse proxy, otherwise the proxy's own
limit constrains uploads.
2024-04-13 15:12:07 +02:00
Thomas Göttgens feca75b28b
docs: get libfdk-aac from non-free source for debian 11 (#2954)
Co-authored-by: Jonas L <jooola@users.noreply.github.com>
2024-02-29 22:08:51 +01:00
Thomas Göttgens b14469722e
docs(playout): close warning box properly (#2911) 2024-01-20 17:06:35 +00:00
Kyle Robbertze 54ec07d2bd
docs: fix broken link to install guide (#2908)
### Description

Follow up to #2904
2024-01-19 17:12:30 +00:00
Thomas Göttgens b6c3ece7d9
docs(playout): add a tutorial to enable AAC in liquidsoap (#2904)
Documentation update regarding #2184

---------

Co-authored-by: Thomas Göttgens <tgoettgens@mail.com>
2024-01-19 16:58:22 +00:00
Jonas L 4603c1759f
feat!: use nginx to serve media files (#2860)
Closes #2522

To reduce the strain on the API service, we moved the media file serving
to the Nginx web server. The API is still handling the authentication,
but delegates the serving using the `X-Accel-Redirect` header.

BREAKING CHANGE: The media file serving is now handled by Nginx instead
of the API service. The `storage.path` field is now used in the Nginx
configuration, so make sure to update the Nginx configuration file if
you change it.
2023-12-30 18:59:15 +01:00
Jonas L f72b7f9c97
feat(installer)!: change default listen port to 8080 (#2852)
Closes #2575
Closes #2543

BREAKING CHANGE: The default listen port for the installer is now
`8080`. We recommend that you put a reverse proxy in front of LibreTime.
2023-12-29 17:49:07 +01:00
Jonas L 35d7eace13
feat(installer)!: remove the `--update-nginx` flag (#2851)
### Description

Related to #2543

BREAKING CHANGE: The `--update-nginx` flag was removed from the
installer. The nginx configuration deployed by the installer will now
always be overwritten. Make sure to move your customizations to a
reverse proxy configuration.
2023-12-29 15:55:35 +01:00
maxtim 06af18b84e
feat(playout): configure device for alsa and pulseaudio system outputs (#2654)
### Description

Add hardware configuration to liquidsoap so that users may
set hardware output in config.yml.

---------

Co-authored-by: jo <ljonas@riseup.net>
2023-12-29 15:22:43 +01:00
Jonas L 083ee3f1dd
feat!: default system output is now `pulseaudio` (#2842)
BREAKING CHANGE: The default system output
(`stream.outputs.system[].kind`) changed from `alsa` to `pulseaudio`.
Make sure to update your configuration file if you rely on the default
system output.

Closes #2542
2023-12-27 18:23:40 +01:00
Jonas L 0d2d1a2673
feat!: the `general.secret_key` configuration field is now required (#2841)
BREAKING CHANGE: The `general.secret_key` configuration field is now
required. Make sure to update your configuration file and add a secret
key.

Closes #2426
2023-12-27 18:15:47 +01:00
Jonas L b2e512cbcd
feat: add mobile devices stream config field (#2744) 2023-10-14 08:13:04 +01:00
jo c2c0be1fbc feat(api): add email configuration 2023-06-02 07:44:34 +01:00
Jonas L e207b6e388
docs: be consistent with example domain (#2568) 2023-05-26 14:00:34 +01:00
jo 17fb1c45df docs: install using a reverse proxy by default 2023-05-26 13:46:46 +01:00
jo f74062a622 docs: fix icecast certificates bundle command 2023-05-26 13:46:46 +01:00
jo d25e0dd171 docs: remove setup without reverse proxy 2023-05-26 13:46:46 +01:00
Jonas L d9663c0a4e
docs: split airtime migration into more steps (#2565) 2023-05-25 14:59:08 +01:00
Jonas L a67a8a880c
docs: improve airtime migration guide (#2564) 2023-05-25 14:46:20 +01:00
jo d01edc4dce
Merge branch 'stable' 2023-05-01 10:16:56 +02:00
Jonas L 7f1492aac0
docs: fix broken link (#2532) 2023-04-28 12:07:45 +01:00
jo b2fc3a5ecf feat(playout): allow harbor ssl configuration 2023-04-24 14:58:34 +01:00
jo 8764feded9 docs: ensure example values are replaced 2023-04-24 14:58:34 +01:00
jo 2fd5b50229 docs: add certbot setup guide 2023-04-21 20:47:43 +01:00
jo a375e5b917 docs: improve install guides 2023-04-21 20:47:43 +01:00
jo ca449c1a3b docs: improve reverse proxy docs 2023-04-21 20:47:43 +01:00
Jonas L 5a8e8d298d
docs: docker config template install with envsubst (#2517) 2023-04-21 17:35:01 +01:00
jo 19bcc251e2 docs: split install guide per install method 2023-04-21 16:59:23 +01:00
jo ff03dad9a8 docs: rename setup to install 2023-04-21 16:59:23 +01:00
jo 8052622e69 docs: move configuration documentation 2023-04-21 16:59:23 +01:00
jo 5ca0788388 docs: move release docs in the release section 2023-04-12 16:50:04 +01:00
jo 755848482d feat: set icecast mount default charset to UTF-8
On first install, configure icecast to use UTF-8 as the default charset for its mounts.

Fixes #2501
2023-04-12 11:42:51 +01:00
jo 49d4fafa0c
Merge branch 'stable' 2023-04-03 12:31:50 +02:00
jo a9b7513bc0 docs: split developer and contributor manual 2023-04-03 11:10:01 +01:00
jo bc745617fb docs: fix database backup and restore commands
The commands should now work out of the box when copy pasted on most systems. The previous one required the users to read the docs and the man pages.
2023-03-22 09:14:56 +00:00
jo f722cec2eb docs: upgrade by migrating to a new server 2023-03-22 09:14:56 +00:00
Jonas L d800c5e280
feat: use secret_key config field instead of api_key (#2444)
Fixes #2426
2023-03-22 09:14:11 +00:00
Jonas L f318ab8a2b
docs: add instructions for the sentry setup (#2441) 2023-03-15 13:13:37 +00:00
jo c290aece92 docs: docker-compose env variables setup 2023-03-15 11:52:00 +00:00
Jonas L 32e0c2a15e
docs: remove warning about docker install (#2411) 2023-02-28 09:07:00 +02:00
jo 9384df7be2
Merge branch '3.0.x' into main 2023-02-26 20:16:38 +01:00
Jonas L 0aa2a92d3f
docs: add pulseaudio output in containers tutorial (#2166) 2023-02-26 20:39:10 +02:00
jo e92be34e2a fix(installer): only setup nginx on first install
Users usually want to set up an SSL certificate for LibreTime. Skipping any nginx config change unless it is the first install should prevent breaking an existing certbot setup.
2023-02-03 14:59:58 +01:00
jo 79febaddf8 docs: add small faq for troubleshooting 2023-02-02 08:23:03 +02:00
jo 8431888b9c docs: check logs before checking services status 2023-02-02 08:23:03 +02:00
Jonas L 2f78318abb
chore: add test-stream-input tool (#2202) 2022-10-03 17:53:58 +02:00
jo 50809a933c docs: fix vale linting errors
- are not > aren't
- auto-_ > auto _
- avoid backend
- cannot > can't
- do not > don't
- does not > doesn't
- ignore emoji code
- has not > hasn't
- ignore Microsoft.GeneralURL
- is not > isn't
- it is > it's
- no exclamation point
- put code inside code blocks
- put commit sha inside code blocks
- put exception message in code blocks
- remove slang
- should not > shouldn't
- they are > they're
- we are > we're
- will not > won't
2022-09-26 09:13:25 +02:00