pass secrets to workflow

* Update README.md

.github/workflows/ci.yml

@@ -0,0 +1,20 @@
+---
+name: "CI"
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '**/README.md'
+jobs:
+  pre-commit:
+    uses: ./.github/workflows/pre-commit.yml
+  test:
+    uses: ./.github/workflows/python.yml
+    needs: [pre-commit]
+  release:
+    uses: ./.github/workflows/docker-build-push.yml
+    secrets: inherit # pass all secrets
+    needs: [test]
+    if: github.ref == 'refs/heads/main' && github.event_name != 'pull_request'

.github/workflows/docker-build-push.yml

@@ -0,0 +1,52 @@
+name: Docker build and push
+
+on:
+  workflow_call:
+  push:
+    tags:
+      - v*.*.*
+
+jobs:
+  release:
+    name: Build & release to DockerHub
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          # List of Docker images to use as base name for tags
+          images: |
+            mediacms/mediacms
+          # Generate Docker tags based on the following events/attributes
+          # Set latest tag for default branch
+          tags: |
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+          labels: |
+            org.opencontainers.image.title=MediaCMS
+            org.opencontainers.image.description=MediaCMS is a modern, fully featured open source video and media CMS, written in Python/Django and React, featuring a REST API.
+            org.opencontainers.image.vendor=MediaCMS
+            org.opencontainers.image.url=https://mediacms.io/
+            org.opencontainers.image.source=https://github.com/mediacms-io/mediacms
+            org.opencontainers.image.licenses=AGPL-3.0
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2.2.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/lint_test.yml

@@ -1,15 +0,0 @@
-on:
-  pull_request:
-  push:
-    branches:
-      - main
-
-jobs:
-  pre-commit:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-    - uses: actions/setup-python@v3
-    - uses: pre-commit/action@v3.0.0
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pre-commit.yml

@@ -1,13 +1,11 @@
 name: pre-commit
 
 on:
-  pull_request:
-  push:
-    branches:
-      - main
+  workflow_call:
 
 jobs:
   pre-commit:
+    name: Pre-Commit
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v3

.github/workflows/python.yml

@@ -1,14 +1,11 @@
 name: Python Tests
 
 on:
-  pull_request:
-  push:
-    branches:
-      - main
+  workflow_call:
 
 jobs:
   build:
-
+    name: Build & test via docker-compose
     runs-on: ubuntu-latest
 
     steps:

README.md

@@ -92,18 +92,22 @@ There are two ways to run MediaCMS, through Docker Compose and through installin
 * [Single Server](docs/admins_docs.md#2-server-installation) page
 * [Docker Compose](docs/admins_docs.md#3-docker-installation) page
 
+  A complete guide can be found on the blog post [How to self-host and share your videos in 2021](https://medium.com/@MediaCMS.io/how-to-self-host-and-share-your-videos-in-2021-14067e3b291b).
+
 ## Configuration
 
 Visit [Configuration](docs/admins_docs.md#5-configuration) page.
 
 
 ## Documentation
+
 * [Users documentation](docs/user_docs.md) page
 * [Administrators documentation](docs/admins_docs.md) page
 * [Developers documentation](docs/developers_docs.md) page
 
 
 ## Technology
+
 This software uses the following list of awesome technologies: Python, Django, Django Rest Framework, Celery, PostgreSQL, Redis, Nginx, uWSGI, React, Fine Uploader, video.js, FFMPEG, Bento4
 
 
@@ -127,4 +131,5 @@ If you like the project, here's a few things you can do
 
 
 ## Contact
+
 info@mediacms.io

deploy/local_install/selinux-mediacms.te

@@ -0,0 +1,34 @@
+module selinux-mediacms 1.0;
+
+require {
+	type init_t;
+	type var_t;
+	type redis_port_t;
+	type postgresql_port_t;
+	type httpd_t;
+	type httpd_sys_content_t;
+	type httpd_sys_rw_content_t;
+	class file { append create execute execute_no_trans getattr ioctl lock open read rename setattr unlink write };
+	class dir { add_name remove_name rmdir };
+	class tcp_socket name_connect;
+	class lnk_file read;
+}
+
+#============= httpd_t ==============
+
+allow httpd_t var_t:file { getattr open read };
+
+#============= init_t ==============
+allow init_t postgresql_port_t:tcp_socket name_connect;
+
+allow init_t redis_port_t:tcp_socket name_connect;
+
+allow init_t httpd_sys_content_t:dir rmdir;
+
+allow init_t httpd_sys_content_t:file { append create execute execute_no_trans ioctl lock open read rename setattr unlink write };
+
+allow init_t httpd_sys_content_t:lnk_file read;
+
+allow init_t httpd_sys_rw_content_t:dir { add_name remove_name rmdir };
+
+allow init_t httpd_sys_rw_content_t:file { create ioctl lock open read setattr unlink write };

docs/admins_docs.md

@@ -4,7 +4,7 @@
 - [1. Welcome](#1-welcome)
 - [2. Server Installaton](#2-server-installation)
 - [3. Docker Installation](#3-docker-installation)
-- [4. Docker Deployement options](#4-docker-deployment-options)
+- [4. Docker Deployment options](#4-docker-deployment-options)
 - [5. Configuration](#5-configuration)
 - [6. Manage pages](#6-manage-pages)
 - [7. Django admin dashboard](#7-django-admin-dashboard)

install-rhel.sh

@@ -0,0 +1,302 @@
+#!/bin/bash
+# should be run as root on a rhel8-like system
+
+function update_permissions
+{
+	# fix permissions of /srv/mediacms directory
+	chown -R nginx:root $1
+}
+
+echo "Welcome to the MediacMS installation!";
+
+if [ `id -u` -ne 0 ]; then
+	echo "Please run as root user"
+	exit
+fi
+
+
+while true; do
+    read -p "
+This script will attempt to perform a system update, install required dependencies, and configure PostgreSQL, NGINX, Redis and a few other utilities.
+It is expected to run on a new system **with no running instances of any these services**. Make sure you check the script before you continue. Then enter y or n
+" yn
+    case $yn in
+        [Yy]* ) echo "OK!"; break;;
+        [Nn]* ) echo "Have a great day"; exit;;
+        * ) echo "Please answer y or n.";;
+    esac
+done
+
+# update configuration files
+
+sed -i 's/\/home\/mediacms\.io\/mediacms\/Bento4-SDK-1-6-0-637\.x86_64-unknown-linux\/bin\/mp4hls/\/srv\/mediacms\/bento4\/bin\/mp4hls/g' cms/settings.py
+sed -i 's/www-data/nginx/g;s/\/home\/mediacms\.io\/mediacms\/logs/\/var\/log\/mediacms/g;s/\/home\/mediacms\.io\/mediacms/\/srv\/mediacms/g;s/\/home\/mediacms\.io\/bin/\/srv\/mediacms\/virtualenv\/bin/g' deploy/local_install/celery_*.service
+sed -i 's/\/home\/mediacms\.io\/mediacms/\/srv\/mediacms/g' deploy/local_install/mediacms.io
+sed -i 's/\/home\/mediacms\.io\/bin/\/srv\/mediacms\/virtualenv\/bin/g;s/\/home\/mediacms\.io\/mediacms/\/srv\/mediacms/g' deploy/local_install/mediacms.service
+sed -i 's/\/home\/mediacms\.io\/mediacms/\/var\/log\/mediacms/g' deploy/local_install/mediacms_logrorate
+sed -i 's/www-data/nginx/g' deploy/local_install/nginx.conf
+sed -i 's/www-data/nginx/g;s/\/home\/mediacms\.io\/mediacms\/logs/\/var\/log\/mediacms/g;s/\/home\/mediacms\.io\/mediacms/\/srv\/mediacms/g;s/\/home\/mediacms\.io/\/srv\/mediacms\/virtualenv/g' deploy/local_install/uwsgi.ini
+
+osVersion=
+
+if [[ -f /etc/os-release ]]; then
+	osVersion=$(grep ^ID /etc/os-release)
+fi
+
+if [[ $osVersion == *"fedora"* ]] || [[ $osVersion == *"rhel"*  ]] || [[ $osVersion == *"centos"* ]] || [[ *"rocky"* ]]; then
+	dnf install -y epel-release https://mirrors.rpmfusion.org/free/el/rpmfusion-free-release-8.noarch.rpm yum-utils
+	yum-config-manager --enable powertools
+	dnf install -y python3-virtualenv python39-devel redis postgresql postgresql-server nginx git gcc vim unzip ImageMagick python3-certbot-nginx certbot wget xz ffmpeg policycoreutils-devel cmake gcc gcc-c++ wget git bsdtar
+else
+    echo "unsupported or unknown os"
+    exit -1
+fi
+
+# fix permissions of /srv/mediacms directory
+update_permissions /srv/mediacms/
+
+read -p "Enter portal URL, or press enter for localhost : " FRONTEND_HOST
+read -p "Enter portal name, or press enter for 'MediaCMS : " PORTAL_NAME
+
+[ -z "$PORTAL_NAME" ] && PORTAL_NAME='MediaCMS'
+[ -z "$FRONTEND_HOST" ] && FRONTEND_HOST='localhost'
+
+echo "Configuring postgres"
+if [ ! command -v postgresql-setup > /dev/null 2>&1 ]; then
+        echo "Something went wrong, the command 'postgresql-setup' was not found in the system path."
+        exit -1
+fi
+
+postgresql-setup --initdb
+
+# set authentication method for mediacms user to scram-sha-256
+sed -i 's/.*password_encryption.*/password_encryption = scram-sha-256/' /var/lib/pgsql/data/postgresql.conf
+sed -i '/# IPv4 local connections:/a host\tmediacms\tmediacms\t127.0.0.1/32\tscram-sha-256' /var/lib/pgsql/data/pg_hba.conf
+
+systemctl enable postgresql.service --now
+
+su -c "psql -c \"CREATE DATABASE mediacms\"" postgres
+su -c "psql -c \"CREATE USER mediacms WITH ENCRYPTED PASSWORD 'mediacms'\"" postgres
+su -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE mediacms TO mediacms\"" postgres
+
+echo 'Creating python virtualenv on /srv/mediacms/virtualenv/'
+
+mkdir /srv/mediacms/virtualenv/
+cd /srv/mediacms/virtualenv/
+virtualenv . --python=python3
+source  /srv/mediacms/virtualenv/bin/activate
+cd /srv/mediacms/
+pip install -r requirements.txt
+
+systemctl enable redis.service --now
+
+SECRET_KEY=`python -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())'`
+
+# remove http or https prefix
+FRONTEND_HOST=`echo "$FRONTEND_HOST" | sed -r 's/http:\/\///g'`
+FRONTEND_HOST=`echo "$FRONTEND_HOST" | sed -r 's/https:\/\///g'`
+
+FRONTEND_HOST_HTTP_PREFIX='http://'$FRONTEND_HOST
+
+echo 'FRONTEND_HOST='\'"$FRONTEND_HOST_HTTP_PREFIX"\' >> cms/local_settings.py
+echo 'PORTAL_NAME='\'"$PORTAL_NAME"\' >> cms/local_settings.py
+echo "SSL_FRONTEND_HOST = FRONTEND_HOST.replace('http', 'https')" >> cms/local_settings.py
+
+echo 'SECRET_KEY='\'"$SECRET_KEY"\' >> cms/local_settings.py
+echo "LOCAL_INSTALL = True" >> cms/local_settings.py
+
+mkdir /var/log/mediacms/
+mkdir pids
+
+update_permissions /var/log/mediacms/
+
+python manage.py migrate
+python manage.py loaddata fixtures/encoding_profiles.json
+python manage.py loaddata fixtures/categories.json
+python manage.py collectstatic --noinput
+
+ADMIN_PASS=`python -c "import secrets;chars = 'abcdefghijklmnopqrstuvwxyz0123456789';print(''.join(secrets.choice(chars) for i in range(10)))"`
+echo "from users.models import User; User.objects.create_superuser('admin', 'admin@example.com', '$ADMIN_PASS')" | python manage.py shell
+
+echo "from django.contrib.sites.models import Site; Site.objects.update(name='$FRONTEND_HOST', domain='$FRONTEND_HOST')" | python manage.py shell
+
+update_permissions /srv/mediacms/
+
+cp deploy/local_install/celery_long.service /etc/systemd/system/celery_long.service
+cp deploy/local_install/celery_short.service /etc/systemd/system/celery_short.service
+cp deploy/local_install/celery_beat.service /etc/systemd/system/celery_beat.service
+cp deploy/local_install/mediacms.service /etc/systemd/system/mediacms.service
+
+mkdir -p /etc/letsencrypt/live/$FRONTEND_HOST
+mkdir -p /etc/nginx/sites-enabled
+mkdir -p /etc/nginx/sites-available
+mkdir -p /etc/nginx/dhparams/
+rm -rf /etc/nginx/conf.d/default.conf
+rm -rf /etc/nginx/sites-enabled/default
+cp deploy/local_install/mediacms.io_fullchain.pem /etc/letsencrypt/live/$FRONTEND_HOST/fullchain.pem
+cp deploy/local_install/mediacms.io_privkey.pem /etc/letsencrypt/live/$FRONTEND_HOST/privkey.pem
+cp deploy/local_install/mediacms.io /etc/nginx/sites-available/mediacms.io
+ln -s /etc/nginx/sites-available/mediacms.io /etc/nginx/sites-enabled/mediacms.io
+cp deploy/local_install/uwsgi_params /etc/nginx/sites-enabled/uwsgi_params
+cp deploy/local_install/nginx.conf /etc/nginx/
+
+# attempt to get a valid certificate for specified domain
+while true ; do
+        echo "Would you like to run [c]ertbot, or [s]kip?"
+        read -p " : " certbotConfig
+
+        case $certbotConfig in
+        [cC*] )
+		if [ "$FRONTEND_HOST" != "localhost" ]; then
+			systemctl start
+			echo 'attempt to get a valid certificate for specified url $FRONTEND_HOST'
+			certbot --nginx -n --agree-tos --register-unsafely-without-email -d $FRONTEND_HOST
+			certbot --nginx -n --agree-tos --register-unsafely-without-email -d $FRONTEND_HOST
+			# unfortunately for some reason it needs to be run two times in order to create the entries
+			# and directory structure!!!
+			systemctl stop nginx
+
+			# Generate individual DH params
+			openssl dhparam -out /etc/nginx/dhparams/dhparams.pem 4096
+		fi
+
+                break
+                ;;
+        [sS*] )
+		echo "will not call certbot utility to update ssl certificate for url 'localhost', using default ssl certificate"
+		cp deploy/local_install/dhparams.pem /etc/nginx/dhparams/dhparams.pem
+
+                break
+                ;;
+        * )
+                echo "Unknown option: $certbotConfig"
+                ;;
+        esac
+done
+
+# configure bento4 utility installation, for HLS
+while true ; do
+	echo "Configuring Bento4"
+	echo "Would you like to [d]ownload a pre-compiled bento4 binary, or [b]uild it now?"
+	read -p "b/d : " bentoConfig
+
+	case $bentoConfig in
+	[bB*] )
+		echo "Building bento4 from source"
+		git clone -b v1.6.0-640 https://github.com/axiomatic-systems/Bento4 /srv/mediacms/bento4
+		cd /srv/mediacms/bento4/
+		mkdir bin
+		cd /srv/mediacms/bento4/bin/
+		cmake -DCMAKE_BUILD_TYPE=Release ..
+		make -j$(nproc)
+
+		chmod +x ../Source/Python/utils/mp4-hls.py
+
+		echo -e '#!/bin/bash' >> mp4hls
+		echo -e 'BASEDIR=$(pwd)' >> mp4hls
+		echo -e 'exec python3 "$BASEDIR/../Source/Python/utils/mp4-hls.py"' >> mp4hls
+
+		chmod +x mp4hls
+
+		break
+		;;
+	[dD*] )
+		cd /srv/mediacms/
+		wget http://zebulon.bok.net/Bento4/binaries/Bento4-SDK-1-6-0-637.x86_64-unknown-linux.zip
+		bsdtar -xf Bento4-SDK-1-6-0-637.x86_64-unknown-linux.zip -s '/Bento4-SDK-1-6-0-637.x86_64-unknown-linux/bento4/'
+
+		break
+		;;
+	* )
+		echo "Unknown option: $bentoConfig"
+		;;
+	esac
+done
+
+mkdir /srv/mediacms/media_files/hls
+
+# update permissions
+
+update_permissions /srv/mediacms/
+
+# configure selinux
+
+while true ; do
+        echo "Configuring SELinux"
+        echo "Would you like to [d]isable SELinux until next reboot, [c]onfigure our SELinux module, or [s]kip and not do any SELinux confgiguration?"
+        read -p "d/c/s : " seConfig
+
+        case $seConfig in
+        [Dd]* )
+                echo "Disabling SELinux until next reboot"
+                break
+                ;;
+        [Cc]* )
+                echo "Configuring custom mediacms selinux module"
+
+		semanage fcontext -a -t bin_t /srv/mediacms/virtualenv/bin/
+		semanage fcontext -a -t httpd_sys_content_t "/srv/mediacms(/.*)?"
+		restorecon -FRv /srv/mediacms/
+
+		sebools=(httpd_can_network_connect httpd_graceful_shutdown httpd_can_network_relay nis_enabled httpd_setrlimit domain_can_mmap_files)
+
+		for bool in "${sebools[@]}"
+		do
+			setsebool -P $bool 1
+		done
+
+		cd /srv/mediacms/deploy/local_install/
+		make -f /usr/share/selinux/devel/Makefile selinux-mediacms.pp
+		semodule -i selinux-mediacms.pp
+
+                break
+                ;;
+        [Ss]* )
+                echo "Skipping SELinux configuration"
+                break
+                ;;
+        * )
+                echo "Unknown option: $seConfig"
+                ;;
+        esac
+done
+
+# configure firewall
+if command -v firewall-cmd > /dev/null 2>&1 ; then
+	while true ; do
+	        echo "Configuring firewall"
+	        echo "Would you like to configure http, https, or skip and not do any firewall configuration?"
+	        read -p "http/https/skip : " fwConfig
+
+		case $fwConfig in
+	        http )
+	                echo "Opening port 80 until next reboot"
+			firewall-cmd --add-port=80/tcp
+	                break
+	                ;;
+	        https )
+			echo "Opening port 443 permanently"
+			firewall-cmd --add-port=443/tcp --permanent
+			firewall-cmd --reload
+	                break
+	                ;;
+	        skip )
+	                echo "Skipping firewall configuration"
+	                break
+	                ;;
+	        * )
+	                echo "Unknown option: $fwConfig"
+	                ;;
+	        esac
+	done
+
+fi
+
+systemctl daemon-reload
+systemctl start celery_long.service
+systemctl start celery_short.service
+systemctl start celery_beat.service
+systemctl start mediacms.service
+systemctl start nginx.service
+
+echo 'MediaCMS installation completed, open browser on http://'"$FRONTEND_HOST"' and login with user admin and password '"$ADMIN_PASS"''