Martyn's random musings

Do you want to try an Owncast stream but don't have a VPS and don't want to spend money on it? How about we set up one on Oracle's “Always-Free” Tier?

First question out of the way: Is Oracle's “Always-Free” Tier good enough to run Owncast. Simple answer: yes.

Longer answer you can skip if that satisfies you : We can either run their VM.Standard.E2.1.Micro class machine which has 1Gb ram and a 2Ghz vCPU (ish) and that should be enough or an ARM machine with up to 4 CPUs and 24 Gb or RAM. Given Owncast has an arm distribution, that's pretty incredible and works perfectly fine for Owncast.

Is this the best way to set up Owncast on Oracle? No! I'm doing this the easy way, and as an SRE person I would say “nooooo, don't do that, this is production, no clickops”, but I'm making this easy for streamers who are not so techie.

So, without further rambling, here's the prerequisites and the how-to.

Prerequisites: – A credit card that Oracle accepts. Seems to be Visa, Mastercard and Amex. Not sure if debit cards for those networks work, but I see no reason why not, they're mostly after ID verification here to stop spammers and bots creating accounts. – A domain name that you can control – that can be annoying, but you should be able to use a service like afraid.org if you don't have your own domain name. You probably do want a real domain name as a streamer though, just saying...

So from the top:

1. Sign up for an Oracle cloud free account – https://signup.cloud.oracle.com – The steps are really quite simple and other than the card payment which was less than a euro for me and refunded, painless. Be sure to choose the region closest to you as your home region because that will cut down latency to the Owncast box.
2. Sign into your Oracle cloud account. Note that it's frustrating that they use two different usernames. The first is sent to you in the email, and you need to enter that to get to the real login page, then the second is your email address.
3. Navigate to create an instance – Burger menu –> Compute –> Instances then click Compartment and choose the one marked (root) and click “Create Instance”
4. Change the shape of the instance to meet our needs. I suggest using Ubuntu as they don't have Debian (my usual preference) and I recommend using half of your free tier allowance, allows you to use the other half if you need to try a new version out for instance.
   • Click “Edit” next to Image and shape
   • Click “Change Image” and select “Canonical Ubuntu” and click “Select Image”
   • Click “Change Shape” and select “Ampere” and “VM.Standard.A1.Flex”. Scroll down a little and change the “Number of OCPUs” to 2. The Memory should automatically change to 12, but if it doesn't set that as well. It's overkill but better than being too strict. Click “Select Shape”
   • Under “Add SSH keys” either click on the “Save private key” and “Save public key” links or if you know what an ssh key is and you already have one, click on upload or paste public keys.
   • Click “Create”
5. Once your newly created machine has booted, you should then allow web traffic to it. This is in a couple of places (well done to Oracle for making this secure by default, but it makes for a longer document here!)
   • In the instance page click on the blue link next to “Virtual cloud network” under Instance details.
   • Scroll down to “Security Lists” on the left hand side
   • Click “Add Ingress Rules” and fill in the following details :
   • – Source Type : CIDR
   • – Source CIDR : 0.0.0.0/0
   • – IP Protocol : TCP
   • – Source Port Range : LEAVE BLANK
   • – Destination Port Range : 80
   • – Description : (Optional but my recommendation) HTTP
   • Click + Another Ingress Rule and fill in almost the same details
   • – Source Type : CIDR
   • – Source CIDR : 0.0.0.0/0
   • – IP Protocol : TCP
   • – Source Port Range : LEAVE BLANK
   • – Destination Port Range : 443 This is the difference from the previous rule
   • – Description : (Optional but my recommendation) HTTPS
   • Click + Another Ingress Rule and fill in almost the same details
   • – Source Type : CIDR
   • – Source CIDR : 0.0.0.0/0
   • – IP Protocol : TCP
   • – Source Port Range : LEAVE BLANK
   • – Destination Port Range : 1935 This is the difference from the previous rule
   • – Description : (Optional but my recommendation) RTMP
   • Click Add Ingress Rules
   • Go back to the Burger menu, click Networking and Virtual Cloud Networks.
   • Click the VCN in the table (blue text, should be something like vcn-20220909-2138)
   • Click on Network Security Groups, click Create Network Security Group and give it a Name (I chose allowown because it's, allowing owncast, I'm creative like that) and click Next.
   • Enter almost exactly all the above stuff over again. 2/3 of network access is then done...:
   • – Direction: Ingress
   • – Source Type : CIDR
   • – Source CIDR : 0.0.0.0/0
   • – IP Protocol : TCP
   • – Source Port Range : LEAVE BLANK
   • – Destination Port Range : 80
   • – Description : (Optional but my recommendation) HTTP
   • + Another rule
   • – Direction: Ingress
   • – Source CIDR : 0.0.0.0/0
   • – IP Protocol : TCP
   • – Source Port Range : LEAVE BLANK
   • – Destination Port Range : 443 This is the difference from the previous rule
   • – Description : (Optional but my recommendation) HTTPS
   • + Another rule
   • – Direction: Ingress
   • – Source CIDR : 0.0.0.0/0
   • – IP Protocol : TCP
   • – Source Port Range : LEAVE BLANK
   • – Destination Port Range : 1935 This is the difference from the previous rule
   • – Description : (Optional but my recommendation) RTMP
   • Create
   • Now we need to assign it to the instance NIC so Burger Menu –> Compute –> Instances
   • Click on the instance in the table
   • Network Security Groups: edit
   • + Another network security group
   • Select a value –> allowown –> Save changes
6. Now is a good time to assign a DNS name to the IP of the machine. This is pretty much out of scope but make an A record to the Public IP address listed in the instance machine. I'll use your.domain.here for an example from here.
7. Okay, so all the “infrastructure” is done now, we just need to connect to the machine by ssh and install Owncast and Caddy (this does the https stuff for us). First, connect via SSH to the Public IP of your machine using the ssh key you downloaded or used in creation. Again, fairly well documented elsewhere, feel free to use PuTTY or other client, but this is somewhat out of scope here.
   • If you're on windows, the simplest thing is to install the openssh client : https://www.howtogeek.com/336775/how-to-enable-and-use-windows-10s-built-in-ssh-commands/ – On mac or linux, it's already installed.
   • run on your local computer ssh -i {private key file} ubuntu@{IP From above}
8. The third and final network allow is to edit the iptables firewall on the ubuntu virtual machine. This is annoyingly a text edit, here's a sed line that should work, but you basically need to duplicate the line that ends with 22 -j ACCEPT three times, and change on the new lines 22 to 80, 443 and 1935.
   • Copy pasta: sudo sed -i s/"\(^.*22 -j ACCEPT\)"/"\1\n-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT\n-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT\n-A INPUT -p tcp -m state --state NEW -m tcp --dport 1935 -j ACCEPT"/ /etc/iptables/rules.v4
   • OR sudo nano /etc/iptables/rules.v4, duplicate the 22 line with 80 and 443 instead. LEAVE THE 22 LINE THERE!
   • sudo iptables-restore < /etc/iptables/rules.v4

From here I'm repeating some stuff from the official install docs here so feel free to check if there's updated instructions.

1. Stay connected to your virtual machine in oracle and run the following commands to get owncast up and running :
2. curl -s https://owncast.online/install.sh | bash
3. curl https://files.martyn.berlin/blog/oracle-owncast-systemd-unit.txt | sudo tee /etc/systemd/system/owncast.service †
4. sudo systemctl daemon-reload
5. sudo systemctl enable owncast
6. sudo systemctl start owncast
7. Stay connected and now it's the following commands from (Caddy's install docs)[https://caddyserver.com/docs/install#debian-ubuntu-raspbian]
8. sudo apt install -y apt-transport-https
9. curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
10. curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
11. sudo apt update
12. sudo apt install caddy
13. Create a Caddyfile for owncast :
14. curl https://files.martyn.berlin/blog/oracle-owncast-caddyfile.txt | sudo tee /etc/caddy/Caddyfile ‡ – Switch the hostname for yours (your.domain.here) : sudo sed -i /etc/caddy/Caddyfile s/streams\.martyn\.berlin/your.domain.here/g (again, you are welcome to use nano, vim etc. if you prefer!)
15. sudo systemctl daemon-reload
16. sudo systemctl enable caddy`
17. sudo systemctl stop caddy
18. sudo systemctl start caddy

Viola! all done! You can proceed to login http://your.domain.here/admin/ with user “admin” and password “abc123” (PLEASE CHANGE THIS as soon as you do!). Your stream key is the admin password.

Change the admin password (stream key), add extra resolutions, edit your home page, all the usual things, and you're good to go.

Final thoughts

This is a free way of getting your own owncast setup and will get you a working system, that should do you fine. What it doesn't do is updates, backups and helping you fix it if things go wrong. That might be fine for you, it might not. I'm just enabling you to give it a go.

I might terraform this at some point, and I long for a day where there's a good free-tier kubernetes where a lot of the above is nicely abstracted away, but here we are.

† Contents of that file in case it goes missing :

[Unit]
Description=Owncast Service

[Service]
Type=simple
User=ubuntu
WorkingDirectory=/home/ubuntu/owncast
ExecStart=/home/ubuntu/owncast/owncast
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

‡ The caddyfile contents :

streams.martyn.berlin {
encode gzip
reverse_proxy 127.0.0.1:8080
tls webmaster@mydomain.com
}