
@alessionossa
Last active June 20, 2020 13:01

https://devblog.nossa.me/2020/06/creating-a-portable-multistream-setup.html

Each script needs a YAML configuration file with specific data.

liveconfig.yml (for StreamServer.sh):

keys:
  yt: '<YOUR-YOTUBE-PERSISTENT-KEY>'
  fb: '<YOUR-FB-PERSISTENT-KEY>'

connconfig.yml (for ConnectionServer.sh):

wg:
  client: 
    pubkey: '<CLIENT-PUBLIC-KEY>'
    allowedIp: '10.11.0.3/24'
    name: 'PC'

To download and prepare the scripts, you can use these commands (optionally as cloud-init scripts).

StreamServer.sh

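# Download the setup script. -f makes curl exit non-zero on an HTTP error instead
# of saving the error page as the script. The raw URL carries no revision, so it
# returns whatever the gist contains at download time: read the file before
# running it as root.
curl -fsSL -o streamsetup.sh https://gist.githubusercontent.com/alessionossa/e52ac7d629006f18a44ce0f8340d1faa/raw/StreamServer.sh
# The script was saved as streamsetup.sh, so that is the file to make executable.
chmod 755 streamsetup.sh

# liveconfig.yml holds the stream keys: create it readable by its owner only.
install -m 600 /dev/null liveconfig.yml
# Quoted delimiter: the keys are written literally, even if they contain '$'.
cat > liveconfig.yml <<'EOF'
keys:
  yt: '<YOUR-YOTUBE-PERSISTENT-KEY>'
  fb: '<YOUR-FB-PERSISTENT-KEY>'
EOF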

ConnectionServer.sh

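# Download the setup script. -f makes curl exit non-zero on an HTTP error instead
# of saving the error page as the script. The raw URL carries no revision, so it
# returns whatever the gist contains at download time: read the file before
# running it as root.
curl -fsSL -o connsetup.sh https://gist.githubusercontent.com/alessionossa/e52ac7d629006f18a44ce0f8340d1faa/raw/ConnectionServer.sh
# The script was saved as connsetup.sh, so that is the file to make executable.
chmod 755 connsetup.sh

# connconfig.yml is evaluated by the setup script as root: keep it owner-only so
# no other local user can alter it before the script runs.
install -m 600 /dev/null connconfig.yml
# Quoted delimiter: the values are written literally, with no shell expansion.
cat > connconfig.yml <<'EOF'
wg:
  client: 
    pubkey: '<CLIENT-PUBLIC-KEY>'
    allowedIp: '10.11.0.3/24'
    name: 'PC'
EOF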
#!/bin/bash
set -euo pipefail
# Parse variables from YAML config file. https://stackoverflow.com/questions/5014632/how-can-i-parse-a-yaml-file-from-a-linux-shell-script/21189044#21189044
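#######################################
# Flatten a simple YAML file into shell variable assignments.
# Only "key: value" lines nested with two-space indentation are understood
# (the nesting depth is taken as leading-space count / 2). Nested keys are
# joined with "_", e.g. wg -> client -> name becomes wg_client_name.
# Values are emitted inside single quotes with embedded single quotes escaped,
# so that a caller running the output through eval gets the literal text:
# "$(...)", backticks, "$VAR" and double quotes in the config are NOT executed
# or expanded.
# Arguments: $1 - path of the YAML file
#            $2 - prefix prepended to every variable name (may be empty)
# Outputs:   one NAME='value' assignment per line on stdout
#######################################
function parse_yaml {
  local prefix=${2-}
  local s='[[:space:]]*' w='[a-zA-Z0-9_]*' fs
  # ASCII file separator (octal 034) marks the field boundaries between sed and awk.
  fs=$(echo @ | tr @ '\034')
  # sed splits each line into <indent> FS <key> FS <value>, stripping one pair of
  # surrounding quotes from the value when present.
  sed -ne "s|^\($s\):|\1|" \
    -e "s|^\($s\)\($w\)$s:$s[\"']\(.*\)[\"']$s\$|\1$fs\2$fs\3|p" \
    -e "s|^\($s\)\($w\)$s:$s\(.*\)$s\$|\1$fs\2$fs\3|p" "$1" |
    # prefix and the quote character are passed with -v instead of being spliced
    # into the awk program text.
    awk -F"$fs" -v prefix="$prefix" -v sq="'" '{
      indent = length($1)/2;
      vname[indent] = $2;
      for (i in vname) {if (i > indent) {delete vname[i]}}
      if (length($3) > 0) {
        vn=""; for (i=0; i<indent; i++) {vn=(vn)(vname[i])("_")}
        val = $3;
        # turn each single quote into the shell sequence: close quote, escaped quote, reopen
        gsub(sq, sq "\\" sq sq, val);
        printf("%s%s%s=%s%s%s\n", prefix, vn, $2, sq, val, sq);
      }
    }'
}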
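# Load connconfig.yml into shell variables (wg_client_pubkey, wg_client_allowedIp,
# wg_client_name). The parser output is executed by eval as root, so connconfig.yml
# must be a trusted, root-controlled file. Quoting the substitution stops the
# generated assignments from being word-split and glob-expanded before eval runs.
eval "$(parse_yaml connconfig.yml "")"
# Fail now, before anything is installed, if a required value is missing.
: "${wg_client_pubkey:?connconfig.yml: wg.client.pubkey is required}"
: "${wg_client_allowedIp:?connconfig.yml: wg.client.allowedIp is required}"
: "${wg_client_name:?connconfig.yml: wg.client.name is required}"
# A WireGuard public key is 32 bytes in base64: 43 characters plus one '='.
# This also rejects the unedited <CLIENT-PUBLIC-KEY> placeholder.
if ! [[ $wg_client_pubkey =~ ^[A-Za-z0-9+/]{43}=$ ]]; then
  echo "connconfig.yml: wg.client.pubkey is not a base64 WireGuard public key" >&2
  exit 1
fi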
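# Setup WireGuard
apt-get update -qq
# On release 20.04 the package is installed from the already configured archives;
# any other release adds the WireGuard PPA first. The PPA is an extra package
# source trusted with root-level installs on this host.
if [ "$(lsb_release -rs)" = "20.04" ]; then
  # apt-get rather than apt: apt's command-line interface is not meant for scripts
  apt-get install -y wireguard
else
  echo "Installing wireguard from repository"
  # -y: without it add-apt-repository waits for a key press, which stalls an
  # unattended (cloud-init) run
  add-apt-repository -y ppa:wireguard/wireguard
  apt-get update
  apt-get install -y wireguard
fi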
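# From here on, every file this script creates is accessible to root only; the
# umask stays in effect for the rest of the script.
umask 077
PRIVATE_KEY=$(wg genkey)
PUB_KEY=$(printf '%s\n' "$PRIVATE_KEY" | wg pubkey)
# Enable IPv4 forwarding persistently. The test looks for an actual (possibly
# commented-out) setting line, so the sed below is only used when it will match;
# otherwise the setting is appended. An if/else avoids the "a && b || c" trap
# where c also runs when b fails.
if grep -Eq '^#?net\.ipv4\.ip_forward=' /etc/sysctl.conf; then
  sed -i -E 's/^#?net\.ipv4\.ip_forward=[01]?/net.ipv4.ip_forward=1/' /etc/sysctl.conf
else
  echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
fi
sysctl -p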
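# Write the WireGuard server configuration, which contains the private key.
# The file is created with mode 600 first: "cat >" keeps the mode of a file that
# already exists, so the umask alone would not protect the key on a re-run.
install -m 600 /dev/null /etc/wireguard/wg0.conf
# NOTE(review): AllowedIPs limits which tunnel source addresses this peer may use.
# The README example passes a /24; a /32 restricts the peer to its own address.
# NOTE(review): the PostUp rule accepts all forwarding from the tunnel interface
# and NATs it out of eth0; confirm eth0 is the Internet-facing interface.
cat > /etc/wireguard/wg0.conf <<EOF
[Interface]
Address = 10.11.0.1/24
ListenPort = 51820
PrivateKey = $PRIVATE_KEY
# note - substitute eth0 in the following lines to match the Internet-facing interface
# if the server is behind a router and receive traffic via NAT, this iptables rules are not needed
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# $wg_client_name
PublicKey = $wg_client_pubkey
AllowedIPs = $wg_client_allowedIp
EOF
systemctl enable wg-quick@wg0.service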
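# Setup Engarde
# printf: bash's echo prints "\n" literally instead of a newline.
printf '\n\nStart installing engarde...\n'
# The binary, the helper script and the unit file are fetched from moving targets
# (a "master" build and the scripts-testing branch) and installed as root, so what
# gets installed can change between runs. Set ENGARDE_SERVER_SHA256 to the digest
# of a build you have reviewed to have the binary checked before installation.
# -O overwrites a previous download; plain wget would save "engarde-server.1" on
# a re-run and the stale file would be installed.
wget -O engarde-server "https://engarde.linuxzogno.org/builds/master/linux/amd64/engarde-server"
if [ -n "${ENGARDE_SERVER_SHA256:-}" ]; then
  printf '%s  %s\n' "$ENGARDE_SERVER_SHA256" engarde-server | sha256sum -c -
fi
install ./engarde-server /usr/bin/
# -f: fail on an HTTP error instead of saving the error page as the script or unit.
# The helper is stored under the name it has upstream and made executable; a plain
# redirect under umask 077 would leave it mode 600.
curl -fsSL -o /usr/bin/engarde-enable https://raw.githubusercontent.com/porech/engarde/scripts-testing/scripts/engarde-enable
chmod 755 /usr/bin/engarde-enable
curl -fsSL -o /etc/systemd/system/engarde-server@.service https://raw.githubusercontent.com/porech/engarde/scripts-testing/scripts/engarde-server%40.service
mkdir -p /etc/engarde
# engarde listens on every address on UDP 59402 and hands packets to the local
# WireGuard port. listenAddr/dstAddr are written nested under "server:"
# (NOTE(review): the page shows them unindented; confirm against engarde's docs).
cat > /etc/engarde/basic.yml <<'EOF'
server:
  listenAddr: "0.0.0.0:59402"
  dstAddr: "127.0.0.1:51820"
EOF
systemctl enable engarde-server@basic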
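# Secure VPS with Firewall
echo "Setting up firewall..."
# SSH is allowed before the firewall is enabled so the session is not cut off.
ufw allow OpenSSH
# WireGuard. No sudo: the rest of the script already runs as root, and sudo may
# be absent on a minimal image, which would abort the script under set -e.
# NOTE(review): engarde forwards to 127.0.0.1:51820, so if clients only ever
# connect through engarde this port may not need to be reachable from outside.
ufw allow 51820/udp
# engarde
ufw allow 59402/udp
# --force skips the interactive confirmation prompt.
ufw --force enable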
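# Print public key for client setup (only the public half is shown; the private
# key stays in /etc/wireguard/wg0.conf).
echo "Server public key:"
# Quoted, and printed with printf, so the value is emitted exactly as generated.
printf '%s\n' "$PUB_KEY"
echo "All setup. Reboot..."
# Short pause so the message is flushed to the console/log before the reboot.
sleep 2
reboot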
#!/bin/bash
set -euo pipefail
# Parse variables from YAML config file. https://stackoverflow.com/questions/5014632/how-can-i-parse-a-yaml-file-from-a-linux-shell-script/21189044#21189044
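#######################################
# Flatten a simple YAML file into shell variable assignments.
# Only "key: value" lines nested with two-space indentation are understood
# (the nesting depth is taken as leading-space count / 2). Nested keys are
# joined with "_", e.g. keys -> yt becomes keys_yt.
# Values are emitted inside single quotes with embedded single quotes escaped,
# so that a caller running the output through eval gets the literal text:
# "$(...)", backticks, "$VAR" and double quotes in the config are NOT executed
# or expanded.
# Arguments: $1 - path of the YAML file
#            $2 - prefix prepended to every variable name (may be empty)
# Outputs:   one NAME='value' assignment per line on stdout
#######################################
function parse_yaml {
  local prefix=${2-}
  local s='[[:space:]]*' w='[a-zA-Z0-9_]*' fs
  # ASCII file separator (octal 034) marks the field boundaries between sed and awk.
  fs=$(echo @ | tr @ '\034')
  # sed splits each line into <indent> FS <key> FS <value>, stripping one pair of
  # surrounding quotes from the value when present.
  sed -ne "s|^\($s\):|\1|" \
    -e "s|^\($s\)\($w\)$s:$s[\"']\(.*\)[\"']$s\$|\1$fs\2$fs\3|p" \
    -e "s|^\($s\)\($w\)$s:$s\(.*\)$s\$|\1$fs\2$fs\3|p" "$1" |
    # prefix and the quote character are passed with -v instead of being spliced
    # into the awk program text.
    awk -F"$fs" -v prefix="$prefix" -v sq="'" '{
      indent = length($1)/2;
      vname[indent] = $2;
      for (i in vname) {if (i > indent) {delete vname[i]}}
      if (length($3) > 0) {
        vn=""; for (i=0; i<indent; i++) {vn=(vn)(vname[i])("_")}
        val = $3;
        # turn each single quote into the shell sequence: close quote, escaped quote, reopen
        gsub(sq, sq "\\" sq sq, val);
        printf("%s%s%s=%s%s%s\n", prefix, vn, $2, sq, val, sq);
      }
    }'
}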
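# Load liveconfig.yml into shell variables (keys_yt, keys_fb). The parser output
# is executed by eval as root, so liveconfig.yml must be a trusted, root-controlled
# file. Quoting the substitution stops the generated assignments from being
# word-split and glob-expanded before eval runs.
eval "$(parse_yaml liveconfig.yml "")"
# Fail now, before anything is installed, if a key is missing.
: "${keys_yt:?liveconfig.yml: keys.yt is required}"
: "${keys_fb:?liveconfig.yml: keys.fb is required}"
# Both keys are pasted into nginx.conf later on: refuse characters that would end
# the push directive or open/close a configuration block.
for key in "$keys_yt" "$keys_fb"; do
  case "$key" in
    *[[:space:]]* | *';'* | *'{'* | *'}'*)
      echo "liveconfig.yml: stream keys must not contain whitespace, ';', '{' or '}'" >&2
      exit 1
      ;;
  esac
done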
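# Setup Nginx with RTMP module
apt-get update -qq
apt-get install -qq -y nginx
apt-get install -qq -y libnginx-mod-rtmp
# Keep the first backup only: on a re-run nginx.conf is the generated file with
# the stream keys in it, and must not replace the saved distribution default.
[ -e /etc/nginx/nginx.conf.old ] || cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.old
# The generated file embeds both stream keys, so it is created readable by root
# only before the keys are written (the nginx master process reads it as root).
install -m 600 /dev/null /etc/nginx/nginx.conf
# NOTE(review): nothing below restricts who may publish to the "live" application.
# Anyone who can reach TCP 1935 can push a stream that is relayed to both
# accounts; restrict publishers with the RTMP module's "allow publish" /
# "deny publish" directives or with a source-restricted firewall rule.
# The Facebook push goes to the local stunnel listener (127.0.0.1:19350), which
# wraps it in TLS.
cat > /etc/nginx/nginx.conf <<EOF
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
    worker_connections 768;
}
rtmp {
    server {
        listen 1935;
        chunk_size 4096;
        application live {
            live on;
            record off;
            push rtmp://a.rtmp.youtube.com/live2/$keys_yt;
            push rtmp://127.0.0.1:19350/rtmp/$keys_fb;
        }
    }
}
EOF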
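# Setup Stunnel4 for Facebook Live
echo "Installing Stunnel4..."
# ca-certificates provides the CA bundle used below to verify the remote server.
apt-get install -y stunnel4 ca-certificates
echo "Installed"
# Change ENABLE settings or add if not exists. This enables stunnel init script to run on startup
# (if/else instead of "a && b || c", where the append would also run if sed failed)
if grep -Eq '^#?ENABLE=' /etc/default/stunnel4; then
  sed -i -E 's/^#?ENABLE=[01]?/ENABLE=1/' /etc/default/stunnel4
else
  echo 'ENABLE=1' >> /etc/default/stunnel4
fi
# The tunnel carries the Facebook stream key. The server certificate is therefore
# verified against the system CA bundle and must match the host name; with
# verification off, anyone on the network path could impersonate the endpoint and
# read the key. The listener stays bound to loopback so only local nginx uses it.
cat > /etc/stunnel/stunnel.conf <<'EOF'
pid = /var/run/stunnel4/stunnel.pid
output = /var/log/stunnel4/stunnel.log
setuid = stunnel4
setgid = stunnel4
# https://www.stunnel.org/faq.html
#socket = r:TCP_NODELAY=1
#socket = l:TCP_NODELAY=1
debug = 4
[fb-live]
client = yes
accept = 127.0.0.1:19350
connect = live-api-s.facebook.com:443
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = live-api-s.facebook.com
EOF
echo "Enabling stunell4.service..."
systemctl enable stunnel4.service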
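# Secure VPS with Firewall
echo "Setting up firewall..."
# SSH is allowed before the firewall is enabled so the session is not cut off.
ufw allow OpenSSH
# RTMP ingest runs over TCP; "ufw allow 1935" without a protocol would open UDP too.
# NOTE(review): this admits every source address. If the encoder has a known
# address, "ufw allow from <ENCODER-IP> to any port 1935 proto tcp" is tighter.
ufw allow 1935/tcp
# --force skips the interactive confirmation prompt.
ufw --force enable
echo "All setup. Reboot..."
# Short pause so the message is flushed to the console/log before the reboot.
sleep 2
reboot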