[github/Chocobozzz/PeerTube.git] / support / doc / production.md

# Production guide

## Installation

### Dependencies

Follow the steps of the [dependencies guide](dependencies.md).

### PeerTube user

Create a `peertube` user with `/home/peertube` home:

```
$ sudo useradd -m -d /home/peertube -s /bin/bash -p peertube peertube
$ sudo passwd peertube
```

### Database

Create production database and peertube user:

```
$ sudo -u postgres createuser -P peertube
$ sudo -u postgres createdb -O peertube peertube_prod
```

### Prepare PeerTube directory

```
$ VERSION=$(curl -s https://api.github.com/repos/chocobozzz/peertube/releases/latest | grep tag_name | cut -d '"' -f 4) && \
    cd /home/peertube && \
    sudo -u peertube mkdir config storage versions && \
    cd versions && \
    sudo -u peertube wget -q "https://github.com/Chocobozzz/PeerTube/releases/download/${VERSION}/peertube-${VERSION}.zip" && \
    sudo -u peertube unzip peertube-${VERSION}.zip && sudo -u peertube rm peertube-${VERSION}.zip && \
    cd ../ && sudo -u peertube ln -s versions/peertube-${VERSION} ./peertube-latest && \
    cd ./peertube-latest && sudo -u peertube yarn install --production --pure-lockfile
```

### PeerTube configuration

Copy example configuration:

```
$ cd /home/peertube && sudo -u peertube cp peertube-latest/config/production.yaml.example config/production.yaml
```

Then edit the `config/production.yaml` file according to your webserver
configuration.

### Webserver

Copy the nginx configuration template:

```
$ sudo cp /home/peertube/peertube-latest/support/nginx/peertube /etc/nginx/sites-available/peertube
```

Then modify the webserver configuration file. Please pay attention to the `alias` keys of the static locations.
It should correspond to the paths of your storage directories (set in the configuration file inside the `storage` key).

```
$ sudo vim /etc/nginx/sites-available/peertube
```

If you want to set https with Let's Encrypt please follow the steps of [this guide](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04).

An example of the nginx configuration could be:

```
server {
  listen 80;
  listen [::]:80;
  server_name peertube.example.com;

  access_log /var/log/nginx/peertube.example.com.access.log;
  error_log /var/log/nginx/peertube.example.com.error.log;

  rewrite ^ https://$server_name$request_uri? permanent;
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name peertube.example.com;

  # For example with Let's Encrypt
  ssl_certificate      /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/peertube.example.com/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/peertube.example.com/chain.pem;

  access_log /var/log/nginx/peertube.example.com.access.log;
  error_log /var/log/nginx/peertube.example.com.error.log;

  location ^~ '/.well-known/acme-challenge' {
    default_type "text/plain";
    root /var/www/certbot;
  }

  location ~ ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ {
    add_header Cache-Control "public, max-age=31536000, immutable";

    alias /home/peertube/peertube-latest/client/dist/$1;
  }

  location ~ ^/static/(thumbnails|avatars)/(.*)$ {
    add_header Cache-Control "public, max-age=31536000, immutable";

    alias /home/peertube/storage/$1/$2;
  }

  location / {
    proxy_pass http://localhost:9000;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # For the video upload
    client_max_body_size 8G;
    proxy_connect_timeout       600;
    proxy_send_timeout          600;
    proxy_read_timeout          600;
    send_timeout                600;
  }

  # Bypass PeerTube webseed route for better performances
  location /static/webseed {
    if ($request_method = 'OPTIONS') {
      add_header 'Access-Control-Allow-Origin' '*';
      add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
      add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
      add_header 'Access-Control-Max-Age' 1728000;
      add_header 'Content-Type' 'text/plain charset=UTF-8';
      add_header 'Content-Length' 0;
      return 204;
    }

    if ($request_method = 'GET') {
      add_header 'Access-Control-Allow-Origin' '*';
      add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
      add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

      # Don't spam access log file with byte range requests
      access_log off;
    }

    alias /home/peertube/storage/videos;
  }

  # Websocket tracker
  location /tracker/socket {
    # Peers send a message to the tracker every 15 minutes
    # Don't close the websocket before this time
    proxy_read_timeout 1200s;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_pass http://localhost:9000;
  }
}
```


Activate the configuration file:

```
$ sudo ln -s /etc/nginx/sites-available/peertube /etc/nginx/sites-enabled/peertube
$ sudo systemctl reload nginx
```

### Systemd

Copy the nginx configuration template:

```
$ sudo cp /home/peertube/peertube-latest/support/systemd/peertube.service /etc/systemd/system/
```

Update the service file:

```
$ sudo vim /etc/systemd/system/peertube.service
```

It should look like this:

```
[Unit]
Description=PeerTube daemon
After=network.target

[Service]
Type=simple
Environment=NODE_ENV=production
Environment=NODE_CONFIG_DIR=/home/peertube/config
User=peertube
Group=peertube
ExecStart=/usr/bin/npm start
WorkingDirectory=/home/peertube/peertube-latest
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=peertube
Restart=always

[Install]
WantedBy=multi-user.target
```


Tell systemd to reload its config:

```
$ sudo systemctl daemon-reload
```

If you want to start PeerTube on boot:

```
$ sudo systemctl enable peertube
```

### Run

```
$ sudo systemctl start peertube
$ sudo journalctl -feu peertube
```

### Administrator

The administrator password is automatically generated and can be found in the
logs. You can set another password with:

```
$ cd /home/peertube/peertube-latest && NODE_CONFIG_DIR=/home/peertube/config NODE_ENV=production npm run reset-password -- -u root
```

## Upgrade

Make a SQL backup:

```
$ SQL_BACKUP_PATH="backup/sql-peertube_prod-$(date -Im).bak" && \
    cd /home/peertube && sudo -u peertube mkdir -p backup && \
    sudo pg_dump -U peertube -W -h localhost -F c peertube_prod -f "$SQL_BACKUP_PATH"
```

Update your configuration file. **If some keys are missing, your upgraded PeerTube won't start!**

```
$ diff <(curl -s https://raw.githubusercontent.com/Chocobozzz/PeerTube/develop/config/production.yaml.example) /home/peertube/config/production.yaml
```

Upgrade PeerTube:

```
$ VERSION=$(curl -s https://api.github.com/repos/chocobozzz/peertube/releases/latest | grep tag_name | cut -d '"' -f 4) && \
    cd /home/peertube/versions && \
    sudo -u peertube wget -q "https://github.com/Chocobozzz/PeerTube/releases/download/${VERSION}/peertube-${VERSION}.zip" && \
    sudo -u peertube unzip -o peertube-${VERSION}.zip && sudo -u peertube rm peertube-${VERSION}.zip && \
    cd ../ && sudo rm ./peertube-latest && sudo -u peertube ln -s versions/peertube-${VERSION} ./peertube-latest && \
    cd ./peertube-latest && sudo -u peertube yarn install --production --pure-lockfile && \
    sudo systemctl restart peertube
```

Things went wrong? Change `peertube-latest` destination to the previous version and restore your SQL backup:

```
$ OLD_VERSION="v0.42.42" && SQL_BACKUP_PATH="backup/sql-peertube_prod-2018-01-19T10:18+01:00.bak" && \
    cd /home/peertube && rm ./peertube-latest && \
    sudo -u peertube ln -s "versions/peertube-$OLD_VERSION" peertube-latest && \
    pg_restore -U peertube -c -d peertube_prod "$SQL_BACKUP_PATH"
    sudo systemctl restart peertube
```
Commit	Line	Data
63bfad7e C	1	# Production guide
	2
	3	## Installation
	4
	5	### Dependencies
	6
	7	Follow the steps of the [dependencies guide](dependencies.md).
	8
	9	### PeerTube user
	10
	11	Create a `peertube` user with `/home/peertube` home:
	12
afe81767	13	```
d2000ca6 C	14	$ sudo useradd -m -d /home/peertube -s /bin/bash -p peertube peertube
d2000ca6 C	15	$ sudo passwd peertube
63bfad7e C	16	```
	17
	18	### Database
	19
	20	Create production database and peertube user:
	21
afe81767	22	```
d2000ca6 C	23	$ sudo -u postgres createuser -P peertube
d2000ca6 C	24	$ sudo -u postgres createdb -O peertube peertube_prod
63bfad7e C	25	```
63bfad7e C	26
d2000ca6	27	### Prepare PeerTube directory
63bfad7e	28
afe81767	29	```
2d13b299	30	$ VERSION=$(curl -s https://api.github.com/repos/chocobozzz/peertube/releases/latest \| grep tag_name \| cut -d '"' -f 4) && \
d2000ca6 C	31	cd /home/peertube && \
	32	sudo -u peertube mkdir config storage versions && \
	33	cd versions && \
fd206f0b	34	sudo -u peertube wget -q "https://github.com/Chocobozzz/PeerTube/releases/download/${VERSION}/peertube-${VERSION}.zip" && \
2d13b299 C	35	sudo -u peertube unzip peertube-${VERSION}.zip && sudo -u peertube rm peertube-${VERSION}.zip && \
2d13b299 C	36	cd ../ && sudo -u peertube ln -s versions/peertube-${VERSION} ./peertube-latest && \
d2000ca6	37	cd ./peertube-latest && sudo -u peertube yarn install --production --pure-lockfile
63bfad7e C	38	```
	39
	40	### PeerTube configuration
	41
	42	Copy example configuration:
	43
afe81767	44	```
d2000ca6	45	$ cd /home/peertube && sudo -u peertube cp peertube-latest/config/production.yaml.example config/production.yaml
63bfad7e C	46	```
	47
	48	Then edit the `config/production.yaml` file according to your webserver
d2000ca6	49	configuration.
63bfad7e C	50
	51	### Webserver
	52
	53	Copy the nginx configuration template:
	54
afe81767	55	```
a5c57bf3	56	$ sudo cp /home/peertube/peertube-latest/support/nginx/peertube /etc/nginx/sites-available/peertube
63bfad7e C	57	```
63bfad7e C	58
5668bf2e C	59	Then modify the webserver configuration file. Please pay attention to the `alias` keys of the static locations.
5668bf2e C	60	It should correspond to the paths of your storage directories (set in the configuration file inside the `storage` key).
63bfad7e	61
afe81767	62	```
63bfad7e C	63	$ sudo vim /etc/nginx/sites-available/peertube
	64	```
	65
	66	If you want to set https with Let's Encrypt please follow the steps of [this guide](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04).
	67
	68	An example of the nginx configuration could be:
	69
	70	```
	71	server {
	72	listen 80;
	73	listen [::]:80;
	74	server_name peertube.example.com;
	75
	76	access_log /var/log/nginx/peertube.example.com.access.log;
	77	error_log /var/log/nginx/peertube.example.com.error.log;
	78
	79	rewrite ^ https://$server_name$request_uri? permanent;
	80	}
	81
	82	server {
	83	listen 443 ssl http2;
	84	listen [::]:443 ssl http2;
	85	server_name peertube.example.com;
	86
	87	# For example with Let's Encrypt
	88	ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
	89	ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;
	90	ssl_trusted_certificate /etc/letsencrypt/live/peertube.example.com/chain.pem;
	91
	92	access_log /var/log/nginx/peertube.example.com.access.log;
	93	error_log /var/log/nginx/peertube.example.com.error.log;
	94
	95	location ^~ '/.well-known/acme-challenge' {
	96	default_type "text/plain";
	97	root /var/www/certbot;
	98	}
	99
5668bf2e C	100	location ~ ^/client/(.*\.(js\|css\|woff2\|otf\|ttf\|woff\|eot))$ {
	101	add_header Cache-Control "public, max-age=31536000, immutable";
	102
	103	alias /home/peertube/peertube-latest/client/dist/$1;
	104	}
	105
2e866cc7	106	location ~ ^/static/(thumbnails\|avatars)/(.*)$ {
5668bf2e C	107	add_header Cache-Control "public, max-age=31536000, immutable";
	108
	109	alias /home/peertube/storage/$1/$2;
	110	}
	111
63bfad7e C	112	location / {
	113	proxy_pass http://localhost:9000;
	114	proxy_set_header X-Real-IP $remote_addr;
	115	proxy_set_header Host $host;
	116	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	117
	118	# For the video upload
	119	client_max_body_size 8G;
	120	proxy_connect_timeout 600;
	121	proxy_send_timeout 600;
	122	proxy_read_timeout 600;
	123	send_timeout 600;
	124	}
	125
	126	# Bypass PeerTube webseed route for better performances
	127	location /static/webseed {
	128	if ($request_method = 'OPTIONS') {
	129	add_header 'Access-Control-Allow-Origin' '*';
	130	add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
	131	add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
	132	add_header 'Access-Control-Max-Age' 1728000;
	133	add_header 'Content-Type' 'text/plain charset=UTF-8';
	134	add_header 'Content-Length' 0;
	135	return 204;
	136	}
	137
	138	if ($request_method = 'GET') {
	139	add_header 'Access-Control-Allow-Origin' '*';
	140	add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
	141	add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
5668bf2e C	142
	143	# Don't spam access log file with byte range requests
	144	access_log off;
63bfad7e C	145	}
63bfad7e C	146
d2000ca6	147	alias /home/peertube/storage/videos;
63bfad7e C	148	}
	149
	150	# Websocket tracker
	151	location /tracker/socket {
	152	# Peers send a message to the tracker every 15 minutes
	153	# Don't close the websocket before this time
	154	proxy_read_timeout 1200s;
	155	proxy_set_header Upgrade $http_upgrade;
	156	proxy_set_header Connection "upgrade";
	157	proxy_http_version 1.1;
	158	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	159	proxy_set_header Host $host;
	160	proxy_pass http://localhost:9000;
	161	}
	162	}
	163	```
	164
	165
	166	Activate the configuration file:
	167
afe81767	168	```
63bfad7e C	169	$ sudo ln -s /etc/nginx/sites-available/peertube /etc/nginx/sites-enabled/peertube
	170	$ sudo systemctl reload nginx
	171	```
	172
	173	### Systemd
	174
	175	Copy the nginx configuration template:
	176
afe81767	177	```
9625507f	178	$ sudo cp /home/peertube/peertube-latest/support/systemd/peertube.service /etc/systemd/system/
63bfad7e C	179	```
	180
	181	Update the service file:
	182
afe81767	183	```
d2000ca6	184	$ sudo vim /etc/systemd/system/peertube.service
63bfad7e C	185	```
	186
	187	It should look like this:
	188
	189	```
	190	[Unit]
	191	Description=PeerTube daemon
	192	After=network.target
	193
	194	[Service]
	195	Type=simple
	196	Environment=NODE_ENV=production
d2000ca6	197	Environment=NODE_CONFIG_DIR=/home/peertube/config
63bfad7e C	198	User=peertube
	199	Group=peertube
	200	ExecStart=/usr/bin/npm start
d2000ca6	201	WorkingDirectory=/home/peertube/peertube-latest
63bfad7e C	202	StandardOutput=syslog
	203	StandardError=syslog
	204	SyslogIdentifier=peertube
	205	Restart=always
	206
	207	[Install]
	208	WantedBy=multi-user.target
	209	```
	210
	211
	212	Tell systemd to reload its config:
	213
afe81767	214	```
d2000ca6	215	$ sudo systemctl daemon-reload
63bfad7e C	216	```
63bfad7e C	217
6b2ef589 C	218	If you want to start PeerTube on boot:
	219
	220	```
9625507f	221	$ sudo systemctl enable peertube
6b2ef589 C	222	```
6b2ef589 C	223
63bfad7e C	224	### Run
63bfad7e C	225
afe81767	226	```
d2000ca6 C	227	$ sudo systemctl start peertube
d2000ca6 C	228	$ sudo journalctl -feu peertube
63bfad7e C	229	```
	230
	231	### Administrator
	232
	233	The administrator password is automatically generated and can be found in the
	234	logs. You can set another password with:
	235
afe81767	236	```
451ce964	237	$ cd /home/peertube/peertube-latest && NODE_CONFIG_DIR=/home/peertube/config NODE_ENV=production npm run reset-password -- -u root
63bfad7e C	238	```
	239
	240	## Upgrade
	241
c7a9f34f C	242	Make a SQL backup:
	243
	244	```
	245	$ SQL_BACKUP_PATH="backup/sql-peertube_prod-$(date -Im).bak" && \
	246	cd /home/peertube && sudo -u peertube mkdir -p backup && \
	247	sudo pg_dump -U peertube -W -h localhost -F c peertube_prod -f "$SQL_BACKUP_PATH"
	248	```
	249
23e27dd5 C	250	Update your configuration file. If some keys are missing, your upgraded PeerTube won't start!
	251
	252	```
	253	$ diff <(curl -s https://raw.githubusercontent.com/Chocobozzz/PeerTube/develop/config/production.yaml.example) /home/peertube/config/production.yaml
	254	```
	255
c7a9f34f C	256	Upgrade PeerTube:
c7a9f34f C	257
afe81767	258	```
2d13b299 C	259	$ VERSION=$(curl -s https://api.github.com/repos/chocobozzz/peertube/releases/latest \| grep tag_name \| cut -d '"' -f 4) && \
2d13b299 C	260	cd /home/peertube/versions && \
fd206f0b	261	sudo -u peertube wget -q "https://github.com/Chocobozzz/PeerTube/releases/download/${VERSION}/peertube-${VERSION}.zip" && \
e28d531f	262	sudo -u peertube unzip -o peertube-${VERSION}.zip && sudo -u peertube rm peertube-${VERSION}.zip && \
48cf691d	263	cd ../ && sudo rm ./peertube-latest && sudo -u peertube ln -s versions/peertube-${VERSION} ./peertube-latest && \
2d13b299 C	264	cd ./peertube-latest && sudo -u peertube yarn install --production --pure-lockfile && \
2d13b299 C	265	sudo systemctl restart peertube
63bfad7e	266	```
c7a9f34f C	267
	268	Things went wrong? Change `peertube-latest` destination to the previous version and restore your SQL backup:
	269
	270	```
	271	$ OLD_VERSION="v0.42.42" && SQL_BACKUP_PATH="backup/sql-peertube_prod-2018-01-19T10:18+01:00.bak" && \
	272	cd /home/peertube && rm ./peertube-latest && \
	273	sudo -u peertube ln -s "versions/peertube-$OLD_VERSION" peertube-latest && \
	274	pg_restore -U peertube -c -d peertube_prod "$SQL_BACKUP_PATH"
	275	sudo systemctl restart peertube
	276	```