2985d8554a
feat(legacy): trused header sso auth ( #3095 )
...
### Description
Allows LibreTime to support Trusted Header SSO Authentication.
**This is a new feature**:
Yes
**I have updated the documentation to reflect these changes**:
Yes
### Testing Notes
**What I did:**
I spun up an Authelia/Traefik pair and configured them to protect
LibreTime according to Authelia's documentation, I then tested that you
could log in via the trusted headers, and tested that old methods of
authentication were not affected.
**How you can replicate my testing:**
Using the following `docker-compose.yml` file
```yml
services:
postgres:
image: postgres:15
networks:
- internal
volumes:
- postgres_data:/var/lib/postgresql/data
environment:
POSTGRES_USER: ${POSTGRES_USER:-libretime}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-libretime} # Change me !
healthcheck:
test: pg_isready -U libretime
rabbitmq:
image: rabbitmq:3.13-alpine
networks:
- internal
environment:
RABBITMQ_DEFAULT_VHOST: ${RABBITMQ_DEFAULT_VHOST:-/libretime}
RABBITMQ_DEFAULT_USER: ${RABBITMQ_DEFAULT_USER:-libretime}
RABBITMQ_DEFAULT_PASS: ${RABBITMQ_DEFAULT_PASS:-libretime} # Change me !
healthcheck:
test: nc -z 127.0.0.1 5672
playout:
image: ghcr.io/libretime/libretime-playout:${LIBRETIME_VERSION:-latest}
networks:
- internal
init: true
ulimits:
nofile: 1024
depends_on:
- rabbitmq
volumes:
- ${LIBRETIME_CONFIG_FILEPATH:-./config.yml}:/etc/libretime/config.yml:ro
- libretime_playout:/app
environment:
LIBRETIME_GENERAL_PUBLIC_URL: http://nginx:8080
liquidsoap:
image: ghcr.io/libretime/libretime-playout:${LIBRETIME_VERSION:-latest}
networks:
- internal
command: /usr/local/bin/libretime-liquidsoap
init: true
ulimits:
nofile: 1024
ports:
- 8001:8001
- 8002:8002
depends_on:
- rabbitmq
volumes:
- ${LIBRETIME_CONFIG_FILEPATH:-./config.yml}:/etc/libretime/config.yml:ro
- libretime_playout:/app
environment:
LIBRETIME_GENERAL_PUBLIC_URL: http://nginx:8080
analyzer:
image: ghcr.io/libretime/libretime-analyzer:${LIBRETIME_VERSION:-latest}
networks:
- internal
init: true
ulimits:
nofile: 1024
depends_on:
- rabbitmq
volumes:
- ${LIBRETIME_CONFIG_FILEPATH:-./config.yml}:/etc/libretime/config.yml:ro
- libretime_storage:/srv/libretime
environment:
LIBRETIME_GENERAL_PUBLIC_URL: http://nginx:8080
worker:
image: ghcr.io/libretime/libretime-worker:${LIBRETIME_VERSION:-latest}
networks:
- internal
init: true
ulimits:
nofile: 1024
depends_on:
- rabbitmq
volumes:
- ${LIBRETIME_CONFIG_FILEPATH:-./config.yml}:/etc/libretime/config.yml:ro
environment:
LIBRETIME_GENERAL_PUBLIC_URL: http://nginx:8080
api:
image: ghcr.io/libretime/libretime-api:${LIBRETIME_VERSION:-latest}
networks:
- internal
init: true
ulimits:
nofile: 1024
depends_on:
- postgres
- rabbitmq
volumes:
- ${LIBRETIME_CONFIG_FILEPATH:-./config.yml}:/etc/libretime/config.yml:ro
- libretime_storage:/srv/libretime
legacy:
image: ghcr.io/libretime/libretime-legacy:${LIBRETIME_VERSION:-latest}
networks:
- internal
init: true
ulimits:
nofile: 1024
depends_on:
- postgres
- rabbitmq
volumes:
- ${LIBRETIME_CONFIG_FILEPATH:-./config.yml}:/etc/libretime/config.yml:ro
- libretime_assets:/var/www/html
- libretime_storage:/srv/libretime
nginx:
image: nginx
networks:
- internal
- net
ports:
- 8080:8080
depends_on:
- legacy
volumes:
- libretime_assets:/var/www/html:ro
- libretime_storage:/srv/libretime:ro
- ${NGINX_CONFIG_FILEPATH:-./nginx.conf}:/etc/nginx/conf.d/default.conf:ro
labels:
- 'traefik.enable=true'
- 'traefik.docker.network=libretime_net'
- 'traefik.http.routers.libretime.rule=Host(`libretime.example.com`)'
- 'traefik.http.routers.libretime.entrypoints=https'
- 'traefik.http.routers.libretime.tls=true'
- 'traefik.http.routers.libretime.tls.options=default'
- 'traefik.http.routers.libretime.middlewares=authelia@docker'
- 'traefik.http.services.libretime.loadbalancer.server.port=8080'
icecast:
image: ghcr.io/libretime/icecast:2.4.4
networks:
- internal
ports:
- 8000:8000
environment:
ICECAST_SOURCE_PASSWORD: ${ICECAST_SOURCE_PASSWORD:-hackme} # Change me !
ICECAST_ADMIN_PASSWORD: ${ICECAST_ADMIN_PASSWORD:-hackme} # Change me !
ICECAST_RELAY_PASSWORD: ${ICECAST_RELAY_PASSWORD:-hackme} # Change me !
traefik:
image: traefik:v2.11.12
container_name: traefik
volumes:
- /var/run/docker.sock:/var/run/docker.sock
networks:
- net
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.api.rule=Host(`traefik.example.com`)'
- 'traefik.http.routers.api.entrypoints=https'
- 'traefik.http.routers.api.service=api@internal'
- 'traefik.http.routers.api.tls=true'
- 'traefik.http.routers.api.tls.options=default'
- 'traefik.http.routers.api.middlewares=authelia@docker'
ports:
- '80:80'
- '443:443'
command:
- '--api'
- '--providers.docker=true'
- '--providers.docker.exposedByDefault=false'
- '--entrypoints.http=true'
- '--entrypoints.http.address=:80'
- '--entrypoints.http.http.redirections.entrypoint.to=https'
- '--entrypoints.http.http.redirections.entrypoint.scheme=https'
- '--entrypoints.https=true'
- '--entrypoints.https.address=:443'
- '--log=true'
- '--log.level=DEBUG'
authelia:
image: authelia/authelia
container_name: authelia
networks:
- net
volumes:
- ./authelia:/config
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.authelia.rule=Host(`auth.example.com`)'
- 'traefik.http.routers.authelia.entrypoints=https'
- 'traefik.http.routers.authelia.tls=true'
- 'traefik.http.routers.authelia.tls.options=default'
- 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth ' # yamllint disable-line rule:line-length
- 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
- 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' # yamllint disable-line rule:line-length
- 'traefik.http.services.authelia.loadbalancer.server.port=9091'
restart: unless-stopped
environment:
- TZ=America/Los_Angeles
volumes:
postgres_data: {}
libretime_storage: {}
libretime_assets: {}
libretime_playout: {}
networks:
internal:
net:
```
The following libretime dev config modification:
```yml
general:
public_url: https://libretime.example.com
auth: LibreTime_Auth_Adaptor_Header
header_auth:
group_map:
host: lt-host
program_manager: lt-pm
admin: lt-admin
superadmin: lt-superadmin
```
And the following authelia config file:
```yml
---
###############################################################
# Authelia configuration #
###############################################################
server:
address: 'tcp://:9091'
buffers:
read: 16384
write: 16384
log:
level: 'debug'
totp:
issuer: 'authelia.com'
identity_validation:
reset_password:
jwt_secret: 'a_very_important_secret'
authentication_backend:
file:
path: '/config/users_database.yml'
access_control:
default_policy: 'deny'
rules:
- domain: 'traefik.example.com'
policy: 'one_factor'
- domain: 'libretime.example.com'
policy: 'one_factor'
session:
secret: 'insecure_session_secret'
cookies:
- name: 'authelia_session'
domain: 'example.com' # Should match whatever your root protected domain is
authelia_url: 'https://auth.example.com '
expiration: '1 hour' # 1 hour
inactivity: '5 minutes' # 5 minutes
regulation:
max_retries: 3
find_time: '2 minutes'
ban_time: '5 minutes'
storage:
encryption_key: 'you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this'
local:
path: '/config/db.sqlite3'
notifier:
filesystem:
filename: '/config/notification.txt'
...
```
And the following authelia users database:
```yml
---
###############################################################
# Users Database #
###############################################################
# This file can be used if you do not have an LDAP set up.
# List of users
users:
test:
disabled: false
displayname: "First Last"
password: "$argon2id$v=19$m=16,t=2,p=1$SWVVVzcySlRLUEFkWWh2eA$qPs1ZmzmDXR/9WckDzIN9Q"
email: test@example.com
groups:
- admins
- dev
- lt-admin
...
```
add the following entries to your `hosts` file:
```
127.0.0.1 traefik.example.com
127.0.0.1 auth.example.com
127.0.0.1 libretime.example.com
```
Then visit `libretime.example.com` in your browser, and login as the
user `test` with password of `password`. You should then be taken to the
LibreTime homepage, and when you click on login, you should be
automatically logged in.
### **Links**
https://www.authelia.com/integration/trusted-header-sso/introduction/
https://doc.traefik.io/traefik/middlewares/http/forwardauth/
---------
Co-authored-by: Kyle Robbertze <paddatrapper@users.noreply.github.com>
2024-12-07 10:21:57 +00:00
70735d4431
docs: use new docker compose command ( #3054 )
...
Improve the Docker install documentation, along with the `docker
compose` commands.
2024-07-06 10:48:30 +01:00
6432efd791
docs: fix typo ( #3027 )
...
Minor typo that was being picked up by pre-commit
2024-06-05 16:54:12 +01:00
f1c7dd89f1
docs: prevent reverse proxy from constraining the upload limits ( #2984 )
...
### Description
The upload limits settings are configured in the libretime nginx config,
but must also be part of the reverse proxy.
2024-04-13 15:12:07 +02:00
feca75b28b
docs: get libfdk-aac from non-free source for debian 11 ( #2954 )
...
Co-authored-by: Jonas L <jooola@users.noreply.github.com>
2024-02-29 22:08:51 +01:00
b14469722e
docs(playout): close warning box properly ( #2911 )
2024-01-20 17:06:35 +00:00
54ec07d2bd
docs: fix broken link to install guide ( #2908 )
...
### Description
Follow up to #2904
2024-01-19 17:12:30 +00:00
b6c3ece7d9
docs(playout): add a tutorial to enable AAC in liquidsoap ( #2904 )
...
Documentation update regarding #2184
---------
Co-authored-by: Thomas Göttgens <tgoettgens@mail.com>
2024-01-19 16:58:22 +00:00
4603c1759f
feat!: use nginx to serve media files ( #2860 )
...
Closes #2522
To reduce the strain on the API service, we moved the media file serving
to the Nginx web server. The API is still handling the authentication,
but delegates the serving using the `X-Accel-Redirect` header.
BREAKING CHANGE: The media file serving is now handled by Nginx instead
of the API service. The `storage.path` field is now used in the Nginx
configuration, so make sure to update the Nginx configuration file if
you change it.
2023-12-30 18:59:15 +01:00
f72b7f9c97
feat(installer)!: change default listen port to 8080 ( #2852 )
...
Closes #2575
Closes #2543
BREAKING CHANGE: The default listen port for the installer is now
`8080`. We recommend that you put a reverse proxy in front of LibreTime.
2023-12-29 17:49:07 +01:00
35d7eace13
feat(installer)!: remove the `--update-nginx` flag ( #2851 )
...
### Description
Related to #2543
BREAKING CHANGE: The `--update-nginx` flag was removed from the
installer. The nginx configuration deployed by the installer will now
always be overwritten. Make sure to move your customizations to a
reverse proxy configuration.
2023-12-29 15:55:35 +01:00
06af18b84e
feat(playout): configure device for alsa and pulseaudio system outputs ( #2654 )
...
### Description
Add hardware configuration to liquidsoap so that users may
set hardware output in config.yml.
---------
Co-authored-by: jo <ljonas@riseup.net>
2023-12-29 15:22:43 +01:00
083ee3f1dd
feat!: default system output is now `pulseaudio` ( #2842 )
...
BREAKING CHANGE: The default system output
(`stream.outputs.system[].kind`) changed from `alsa` to `pulseaudio`.
Make sure to update your configuration file if you rely on the default
system output.
Closes #2542
2023-12-27 18:23:40 +01:00
0d2d1a2673
feat!: the `general.secret_key` configuration field is now required ( #2841 )
...
BREAKING CHANGE: The `general.secret_key` configuration field is now
required. Make sure to update your configuration file and add a secret
key.
Closes #2426
2023-12-27 18:15:47 +01:00
b2e512cbcd
feat: add mobile devices stream config field ( #2744 )
2023-10-14 08:13:04 +01:00
c2c0be1fbc
feat(api): add email configuration
2023-06-02 07:44:34 +01:00
e207b6e388
docs: be consistent with example domain ( #2568 )
2023-05-26 14:00:34 +01:00
17fb1c45df
docs: install using a reverse proxy by default
2023-05-26 13:46:46 +01:00
f74062a622
docs: fix icecast certificates bundle command
2023-05-26 13:46:46 +01:00
d25e0dd171
docs: remove setup without reverse proxy
2023-05-26 13:46:46 +01:00
d9663c0a4e
docs: split airtime migration into more steps ( #2565 )
2023-05-25 14:59:08 +01:00
a67a8a880c
docs: improve airtime migration guide ( #2564 )
2023-05-25 14:46:20 +01:00
d01edc4dce
Merge branch 'stable'
2023-05-01 10:16:56 +02:00
7f1492aac0
docs: fix broken link ( #2532 )
2023-04-28 12:07:45 +01:00
b2fc3a5ecf
feat(playout): allow harbor ssl configuration
2023-04-24 14:58:34 +01:00
8764feded9
docs: ensure example values are replaced
2023-04-24 14:58:34 +01:00
2fd5b50229
docs: add certbot setup guide
2023-04-21 20:47:43 +01:00
a375e5b917
docs: improve install guides
2023-04-21 20:47:43 +01:00
ca449c1a3b
docs: improve reverse proxy docs
2023-04-21 20:47:43 +01:00
5a8e8d298d
docs: docker config template install with envsubst ( #2517 )
2023-04-21 17:35:01 +01:00
19bcc251e2
docs: split install guide per install method
2023-04-21 16:59:23 +01:00
ff03dad9a8
docs: rename setup to install
2023-04-21 16:59:23 +01:00
8052622e69
docs: move configuration documentation
2023-04-21 16:59:23 +01:00
5ca0788388
docs: move release docs in the release section
2023-04-12 16:50:04 +01:00
755848482d
feat: set icecast mount default charset to UTF-8
...
On first install, configure icecast to use utf-8 as default charset for it's mounts.
Fixes #2501
2023-04-12 11:42:51 +01:00
49d4fafa0c
Merge branch 'stable'
2023-04-03 12:31:50 +02:00
a9b7513bc0
docs: split developer and contributor manual
2023-04-03 11:10:01 +01:00
bc745617fb
docs: fix database backup and restore commands
...
The commands should now work out of the box when copy pasted on most systems. The previous one required the users to read the docs and the man pages.
2023-03-22 09:14:56 +00:00
f722cec2eb
docs: upgrade by migrating to a new server
2023-03-22 09:14:56 +00:00
d800c5e280
feat: use secret_key config field instead of api_key ( #2444 )
...
Fixes #2426
2023-03-22 09:14:11 +00:00
f318ab8a2b
docs: add instructions for the sentry setup ( #2441 )
2023-03-15 13:13:37 +00:00
c290aece92
docs: docker-compose env variables setup
2023-03-15 11:52:00 +00:00
32e0c2a15e
docs: remove warning about docker install ( #2411 )
2023-02-28 09:07:00 +02:00
9384df7be2
Merge branch '3.0.x' into main
2023-02-26 20:16:38 +01:00
0aa2a92d3f
docs: add pulseaudio output in containers tutorial ( #2166 )
2023-02-26 20:39:10 +02:00
e92be34e2a
fix(installer): only setup nginx on first install
...
Users usually want to setup a ssl certificate for LibreTime. Disabling any nginx config change unless it is the first install should prevent breaking a possible certbot setup.
2023-02-03 14:59:58 +01:00
79febaddf8
docs: add small faq for troubleshooting
2023-02-02 08:23:03 +02:00
8431888b9c
docs: check logs before checking services status
2023-02-02 08:23:03 +02:00
2f78318abb
chore: add test-stream-input tool ( #2202 )
2022-10-03 17:53:58 +02:00
50809a933c
docs: fix vale linting errors
...
- are not > aren't
- auto-_ > auto _
- avoid backend
- cannot > can't
- do not > don't
- does not > doesn't
- ignore emoji code
- has not > hasn't
- ignore Microsoft.GeneralURL
- is not > isn't
- it is > it's
- no exclamation point
- put code inside code blocks
- put commit sha inside code blocks
- put exception message in code blocks
- remove slang
- should not > shouldn't
- they are > they're
- we are > we're
- will not > won't
2022-09-26 09:13:25 +02:00
dakriy
Harry W
Kyle Robbertze
Jonas L
Thomas Göttgens
maxtim
jo