feat: Add domain_name variable and Caddy reverse proxy configuration for TLS support

Author: 02loveslollipop

infra/terraform/media_relay/README.md

@@ -5,8 +5,10 @@ This module provisions everything required to host the relay on a single EC2 ins
 ## What gets created
 
 - Security group exposing TCP `8554`, `1935`, `8888`, `8889`, `9998`, `9999` and UDP `8200` to the CIDR list you supply.
+- When `domain_name` is set, TCP `80` and `443` are also opened for the TLS proxy.
 - EC2 instance (default `t3.small`) running in the chosen subnet/VPC.
 - User data script that installs Docker and runs Mediamtx with the configuration rendered from Terraform inputs.
+- Optional Caddy reverse proxy that fetches Let's Encrypt certificates for the supplied domain and fronts the Mediamtx HTTP/WebRTC endpoints.
 - Elastic IP associated with the instance for a stable ingress point.
 	- If you supply `existing_eip_allocation_id`, the module reuses that Elastic IP instead of allocating a new one.
 
@@ -24,6 +26,7 @@ Key variables:
 | `key_name` | EC2 key pair used for SSH access | `orion` |
 | `existing_eip_allocation_id` | Allocation ID of an existing Elastic IP to reuse | `null` |
 | `mediamtx_version` | Container tag pulled from Docker Hub | `1.15.3` |
+| `domain_name` | FQDN used to request a Let's Encrypt certificate (enables the Caddy TLS proxy) | `null` |
 | `tags` | Extra tags applied to every resource | `{}` |
 
 ## Scaling & updates
@@ -55,6 +58,7 @@ publish_pass  = "change-me"
 viewer_user   = "any"
 viewer_pass   = ""
 allowed_cidrs = ["203.0.113.0/24", "198.51.100.10/32"]
+#domain_name   = "stream.example.com"
 #existing_eip_allocation_id = "eipalloc-0123456789abcdef0"
 ```
 

infra/terraform/media_relay/main.tf

@@ -36,7 +36,9 @@ data "aws_eip" "existing" {
 
 locals {
   subnet_id = var.subnet_id != null ? var.subnet_id : data.aws_subnets.selected.ids[0]
-  tcp_ports = [8554, 1935, 8888, 8889, 9998, 9999]
+  base_tcp_ports    = [8554, 1935, 8888, 8889, 9998, 9999]
+  extra_http_ports  = var.domain_name != null ? [80, 443] : []
+  tcp_ports         = concat(local.base_tcp_ports, local.extra_http_ports)
   udp_ports = [8200]
   port_rules = concat(
     [for p in local.tcp_ports : {
@@ -77,9 +79,15 @@ locals {
     viewer_pass  = var.viewer_pass
   })
 
+  caddy_config = var.domain_name != null ? templatefile("${path.module}/templates/Caddyfile.tpl", {
+    domain_name = var.domain_name
+  }) : ""
+
   user_data = templatefile("${path.module}/templates/user_data.sh.tpl", {
     mediamtx_config = local.mediamtx_config
     mediamtx_version = var.mediamtx_version
+    domain_name      = var.domain_name != null ? var.domain_name : ""
+    caddy_config     = local.caddy_config
   })
 }
 

infra/terraform/media_relay/templates/Caddyfile.tpl

@@ -0,0 +1,8 @@
+${domain_name} {
+  encode gzip
+
+  @hls path /hls*
+  reverse_proxy @hls http://127.0.0.1:8888
+
+  reverse_proxy * http://127.0.0.1:8889
+}

infra/terraform/media_relay/templates/user_data.sh.tpl

@@ -31,3 +31,24 @@ fi
   -p 8200:8200/udp \
   -v /opt/mediamtx/mediamtx.yml:/mediamtx.yml:ro \
   bluenviron/mediamtx:${mediamtx_version}
+
+%{ if domain_name != "" }
+mkdir -p /opt/caddy /opt/caddy/data /opt/caddy/config
+cat <<'EOF' >/opt/caddy/Caddyfile
+${caddy_config}
+EOF
+
+/usr/bin/docker pull caddy:2
+if /usr/bin/docker ps -a --format '{{.Names}}' | grep -q '^caddy$'; then
+  /usr/bin/docker rm -f caddy
+fi
+
+/usr/bin/docker run -d \
+  --name caddy \
+  --restart unless-stopped \
+  --network host \
+  -v /opt/caddy/Caddyfile:/etc/caddy/Caddyfile:ro \
+  -v /opt/caddy/data:/data \
+  -v /opt/caddy/config:/config \
+  caddy:2
+%{ endif }

infra/terraform/media_relay/terraform.tfvars.example

@@ -5,6 +5,7 @@ publish_pass  = "password"
 viewer_user   = "any"
 viewer_pass   = ""
 allowed_cidrs = ["0.0.0.0/0"]
+#domain_name   = "rtsp.02labs.me"
 instance_type = "t3.small"
 #key_name      = "orion"
 #existing_eip_allocation_id = "eipalloc-0123456789abcdef0"

infra/terraform/media_relay/variables.tf

@@ -87,3 +87,9 @@ variable "log_level" {
   type        = string
   default     = "info"
 }
+
+variable "domain_name" {
+  description = "Fully qualified domain name to secure with Let's Encrypt (enables the Caddy reverse proxy)"
+  type        = string
+  default     = null
+}