initial commit

config/mediamtx.yml

@@ -0,0 +1,89 @@
+# MediaMTX configuration for game-stream-app
+# Spawned as a subprocess by obs-script/game_stream.py when OBS starts streaming.
+
+###############################################################################
+# Global
+###############################################################################
+
+logLevel: info
+logDestinations: [stdout]
+readTimeout: 10s
+writeTimeout: 10s
+writeQueueSize: 512
+
+###############################################################################
+# API (used by the OBS script dock to poll viewer count / stream status)
+###############################################################################
+
+api: yes
+apiAddress: 127.0.0.1:9997
+
+###############################################################################
+# WebRTC (WHIP ingest + WHEP playback)
+###############################################################################
+
+webrtc: yes
+# HTTP listener for WHIP/WHEP signaling (SDP exchange).
+# NPM proxies /whep/* and the OBS WHIP target (localhost) to this.
+webrtcAddress: :8889
+webrtcEncryption: no   # TLS is handled at NPM; this listener is LAN/localhost only
+# Dedicated UDP port for SRTP media. NPM Stream forwards public UDP 8189 here.
+webrtcLocalUDPAddress: :8189
+# No TCP fallback - we only want a single UDP path for simplicity.
+webrtcLocalTCPAddress: ''
+# Tell browsers to send media to the public hostname.
+# Replace stream.hetherman.cloud if your public hostname differs.
+webrtcAdditionalHosts:
+  - stream.hetherman.cloud
+# Public STUN helps browsers discover their own reflexive candidates when
+# behind NAT; the server side does not need it but it speeds up ICE.
+webrtcICEServers2:
+  - url: stun:stun.l.google.com:19302
+# Disable trickle handshake complications - plain offer/answer is enough.
+webrtcHandshakeTimeout: 10s
+webrtcTrackGatherTimeout: 2s
+
+###############################################################################
+# HLS (fallback for clients where WebRTC fails)
+###############################################################################
+
+hls: yes
+hlsAddress: :8888
+hlsEncryption: no
+hlsAlwaysRemux: no
+hlsVariant: lowLatency
+hlsSegmentCount: 7
+hlsSegmentDuration: 200ms
+hlsPartDuration: 200ms
+hlsSegmentMaxSize: 50M
+hlsAllowOrigin: '*'
+hlsTrustedProxies: []
+
+###############################################################################
+# Disabled protocols (reduce attack surface)
+###############################################################################
+
+rtsp: no
+rtmp: no
+srt: no
+
+###############################################################################
+# Paths
+###############################################################################
+
+pathDefaults:
+  # Drop publishers that connect but never send media.
+  sourceOnDemand: no
+
+paths:
+  # The single stream path. OBS publishes here via WHIP
+  # (http://localhost:8889/game/whip), friends watch via WHEP
+  # (https://stream.hetherman.cloud/whep/game/whep).
+  game:
+    source: publisher
+    # Only the local OBS instance is allowed to publish.
+    # External hijack attempts are blocked at this layer, independent of NPM.
+    publishIPs:
+      - 127.0.0.1/32
+      - ::1/128
+    # No reader restrictions - NPM + Authentik gate reads at the edge.

config/npm-advanced.conf

@@ -0,0 +1,47 @@
+# Paste this snippet into the "Advanced" tab of the NPM Proxy Host for
+# stream.hetherman.cloud. It enables Authentik Forward Auth via the
+# goauthentik.io outpost, so every request is gated before hitting the
+# frontend, WHEP signaling, HLS, or the MediaMTX API.
+#
+# Requires an Authentik Proxy Provider of type "Forward auth (single
+# application)" with external host https://stream.hetherman.cloud and an
+# Application bound to the `stream-viewers` group.
+
+# Forward every incoming request to the Authentik outpost for validation.
+auth_request                 /outpost.goauthentik.io/auth/nginx;
+error_page       401         = @goauthentik_proxy_signin;
+
+# Propagate user identity headers set by the outpost back to the browser
+# (and optionally to upstream if you ever want to read the user in MediaMTX).
+auth_request_set $auth_cookie        $upstream_http_set_cookie;
+add_header       Set-Cookie          $auth_cookie;
+auth_request_set $authentik_username $upstream_http_x_authentik_username;
+auth_request_set $authentik_groups   $upstream_http_x_authentik_groups;
+auth_request_set $authentik_email    $upstream_http_x_authentik_email;
+
+# The outpost endpoint itself must be reachable un-gated so that the
+# auth_request subrequest and the sign-in redirect can complete.
+location /outpost.goauthentik.io {
+    # All traffic to /outpost.goauthentik.io is proxied to the Authentik host.
+    # Point this at your Authentik outpost URL.
+    proxy_pass              https://auth.hetherman.cloud/outpost.goauthentik.io;
+    proxy_set_header        Host                  $host;
+    proxy_set_header        X-Original-URL        $scheme://$http_host$request_uri;
+    proxy_set_header        X-Forwarded-For       $proxy_add_x_forwarded_for;
+    proxy_set_header        X-Forwarded-Proto     $scheme;
+    proxy_set_header        X-Forwarded-Host      $http_host;
+    proxy_set_header        X-Forwarded-Uri       $request_uri;
+    proxy_set_header        X-Forwarded-Ssl       on;
+    add_header              Set-Cookie            $auth_cookie;
+    proxy_pass_request_body off;
+    proxy_set_header        Content-Length        "";
+}
+
+# When auth_request returns 401, send the browser to the outpost sign-in page
+# and preserve the original request URL so the user lands back where they
+# started after logging in.
+location @goauthentik_proxy_signin {
+    internal;
+    add_header Set-Cookie $auth_cookie;
+    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
+}