[github/Chocobozzz/PeerTube.git] / support / doc / production.md

# Production guide

## Installation

### Dependencies

Follow the steps of the [dependencies guide](dependencies.md).

### PeerTube user

Create a `peertube` user with `/var/www/peertube` home:

```
$ sudo useradd -m -d /var/www/peertube -s /bin/bash -p peertube peertube
```

Set its password:
```
$ sudo passwd peertube
```

### Database

Create the production database and a peertube user inside PostgreSQL:

```
$ sudo -u postgres createuser -P peertube
$ sudo -u postgres createdb -O peertube peertube_prod
```

### Prepare PeerTube directory

Fetch the latest tagged version of Peertube
```
$ VERSION=$(curl -s https://api.github.com/repos/chocobozzz/peertube/releases/latest | grep tag_name | cut -d '"' -f 4) && echo "Latest Peertube version is $VERSION"
```

Open the peertube directory, create a few required directories
```
$ cd /var/www/peertube && sudo -u peertube mkdir config storage versions && cd versions
```

Download the latest version of the Peertube client, unzip it and remove the zip
```
$ sudo -u peertube wget -q "https://github.com/Chocobozzz/PeerTube/releases/download/${VERSION}/peertube-${VERSION}.zip"
$ sudo -u peertube unzip peertube-${VERSION}.zip && sudo -u peertube rm peertube-${VERSION}.zip
```

Install Peertube
```
$ cd ../ && sudo -u peertube ln -s versions/peertube-${VERSION} ./peertube-latest
$ cd ./peertube-latest && sudo -u peertube yarn install --production --pure-lockfile
```

### PeerTube configuration

Copy example configuration:

```
$ cd /var/www/peertube && sudo -u peertube cp peertube-latest/config/production.yaml.example config/production.yaml
```

Then edit the `config/production.yaml` file according to your webserver
configuration.

### Webserver

Copy the nginx configuration template:

```
$ sudo cp /var/www/peertube/peertube-latest/support/nginx/peertube /etc/nginx/sites-available/peertube
```

Then modify the webserver configuration file. Please pay attention to the `alias` keys of the static locations.
It should correspond to the paths of your storage directories (set in the configuration file inside the `storage` key).

```
$ sudo vim /etc/nginx/sites-available/peertube
```

If you want to set https with Let's Encrypt please follow the steps of [this guide](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04).

An example of the nginx configuration could be:

```
server {
  listen 80;
  listen [::]:80;
  server_name peertube.example.com;

  access_log /var/log/nginx/peertube.example.com.access.log;
  error_log /var/log/nginx/peertube.example.com.error.log;

  rewrite ^ https://$server_name$request_uri? permanent;
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name peertube.example.com;

  # For example with Let's Encrypt
  ssl_certificate      /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/peertube.example.com/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/peertube.example.com/chain.pem;

  access_log /var/log/nginx/peertube.example.com.access.log;
  error_log /var/log/nginx/peertube.example.com.error.log;

  location ^~ '/.well-known/acme-challenge' {
    default_type "text/plain";
    root /var/www/certbot;
  }

  location ~ ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ {
    add_header Cache-Control "public, max-age=31536000, immutable";

    alias /var/www/peertube/peertube-latest/client/dist/$1;
  }

  location ~ ^/static/(thumbnails|avatars)/(.*)$ {
    add_header Cache-Control "public, max-age=31536000, immutable";

    alias /var/www/peertube/storage/$1/$2;
  }

  location / {
    proxy_pass http://localhost:9000;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # For the video upload
    client_max_body_size 8G;
    proxy_connect_timeout       600;
    proxy_send_timeout          600;
    proxy_read_timeout          600;
    send_timeout                600;
  }

  # Bypass PeerTube webseed route for better performances
  location /static/webseed {
    if ($request_method = 'OPTIONS') {
      add_header 'Access-Control-Allow-Origin' '*';
      add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
      add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
      add_header 'Access-Control-Max-Age' 1728000;
      add_header 'Content-Type' 'text/plain charset=UTF-8';
      add_header 'Content-Length' 0;
      return 204;
    }

    if ($request_method = 'GET') {
      add_header 'Access-Control-Allow-Origin' '*';
      add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
      add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

      # Don't spam access log file with byte range requests
      access_log off;
    }

    alias /var/www/peertube/storage/videos;
  }

  # Websocket tracker
  location /tracker/socket {
    # Peers send a message to the tracker every 15 minutes
    # Don't close the websocket before this time
    proxy_read_timeout 1200s;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_pass http://localhost:9000;
  }
}
```


Activate the configuration file:

```
$ sudo ln -s /etc/nginx/sites-available/peertube /etc/nginx/sites-enabled/peertube
$ sudo systemctl reload nginx
```

### Systemd

Copy the nginx configuration template:

```
$ sudo cp /var/www/peertube/peertube-latest/support/systemd/peertube.service /etc/systemd/system/
```

Update the service file:

```
$ sudo vim /etc/systemd/system/peertube.service
```

It should look like this:

```
[Unit]
Description=PeerTube daemon
After=network.target

[Service]
Type=simple
Environment=NODE_ENV=production
Environment=NODE_CONFIG_DIR=/var/www/peertube/config
User=peertube
Group=peertube
ExecStart=/usr/bin/npm start
WorkingDirectory=/var/www/peertube/peertube-latest
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=peertube
Restart=always

[Install]
WantedBy=multi-user.target
```


Tell systemd to reload its config:

```
$ sudo systemctl daemon-reload
```

If you want to start PeerTube on boot:

```
$ sudo systemctl enable peertube
```

### Run

```
$ sudo systemctl start peertube
$ sudo journalctl -feu peertube
```

### Administrator

The administrator password is automatically generated and can be found in the
logs. You can set another password with:

```
$ cd /var/www/peertube/peertube-latest && NODE_CONFIG_DIR=/var/www/peertube/config NODE_ENV=production npm run reset-password -- -u root
```

## Upgrade

Make a SQL backup:

```
$ SQL_BACKUP_PATH="backup/sql-peertube_prod-$(date -Im).bak" && \
    cd /var/www/peertube && sudo -u peertube mkdir -p backup && \
    sudo pg_dump -U peertube -W -h localhost -F c peertube_prod -f "$SQL_BACKUP_PATH"
```

Update your configuration file. **If some keys are missing, your upgraded PeerTube won't start!**

```
$ diff <(curl -s https://raw.githubusercontent.com/Chocobozzz/PeerTube/develop/config/production.yaml.example) /var/www/peertube/config/production.yaml
```

Upgrade PeerTube:

```
$ VERSION=$(curl -s https://api.github.com/repos/chocobozzz/peertube/releases/latest | grep tag_name | cut -d '"' -f 4) && \
    cd /var/www/peertube/versions && \
    sudo -u peertube wget -q "https://github.com/Chocobozzz/PeerTube/releases/download/${VERSION}/peertube-${VERSION}.zip" && \
    sudo -u peertube unzip -o peertube-${VERSION}.zip && sudo -u peertube rm peertube-${VERSION}.zip && \
    cd ../ && sudo rm ./peertube-latest && sudo -u peertube ln -s versions/peertube-${VERSION} ./peertube-latest && \
    cd ./peertube-latest && sudo -u peertube yarn install --production --pure-lockfile && \
    sudo systemctl restart peertube
```

Things went wrong? Change `peertube-latest` destination to the previous version and restore your SQL backup:

```
$ OLD_VERSION="v0.42.42" && SQL_BACKUP_PATH="backup/sql-peertube_prod-2018-01-19T10:18+01:00.bak" && \
    cd /var/www/peertube && rm ./peertube-latest && \
    sudo -u peertube ln -s "versions/peertube-$OLD_VERSION" peertube-latest && \
    pg_restore -U peertube -c -d peertube_prod "$SQL_BACKUP_PATH"
    sudo systemctl restart peertube
```
Commit	Line	Data
	1	# Production guide
	2
	3	## Installation
	4
	5	### Dependencies
	6
	7	Follow the steps of the [dependencies guide](dependencies.md).
	8
	9	### PeerTube user
	10
	11	Create a `peertube` user with `/var/www/peertube` home:
	12
	13	```
	14	$ sudo useradd -m -d /var/www/peertube -s /bin/bash -p peertube peertube
	15	```
	16
	17	Set its password:
	18	```
	19	$ sudo passwd peertube
	20	```
	21
	22	### Database
	23
	24	Create the production database and a peertube user inside PostgreSQL:
	25
	26	```
	27	$ sudo -u postgres createuser -P peertube
	28	$ sudo -u postgres createdb -O peertube peertube_prod
	29	```
	30
	31	### Prepare PeerTube directory
	32
	33	Fetch the latest tagged version of Peertube
	34	```
	35	$ VERSION=$(curl -s https://api.github.com/repos/chocobozzz/peertube/releases/latest \| grep tag_name \| cut -d '"' -f 4) && echo "Latest Peertube version is $VERSION"
	36	```
	37
	38	Open the peertube directory, create a few required directories
	39	```
	40	$ cd /var/www/peertube && sudo -u peertube mkdir config storage versions && cd versions
	41	```
	42
	43	Download the latest version of the Peertube client, unzip it and remove the zip
	44	```
	45	$ sudo -u peertube wget -q "https://github.com/Chocobozzz/PeerTube/releases/download/${VERSION}/peertube-${VERSION}.zip"
	46	$ sudo -u peertube unzip peertube-${VERSION}.zip && sudo -u peertube rm peertube-${VERSION}.zip
	47	```
	48
	49	Install Peertube
	50	```
	51	$ cd ../ && sudo -u peertube ln -s versions/peertube-${VERSION} ./peertube-latest
	52	$ cd ./peertube-latest && sudo -u peertube yarn install --production --pure-lockfile
	53	```
	54
	55	### PeerTube configuration
	56
	57	Copy example configuration:
	58
	59	```
	60	$ cd /var/www/peertube && sudo -u peertube cp peertube-latest/config/production.yaml.example config/production.yaml
	61	```
	62
	63	Then edit the `config/production.yaml` file according to your webserver
	64	configuration.
	65
	66	### Webserver
	67
	68	Copy the nginx configuration template:
	69
	70	```
	71	$ sudo cp /var/www/peertube/peertube-latest/support/nginx/peertube /etc/nginx/sites-available/peertube
	72	```
	73
	74	Then modify the webserver configuration file. Please pay attention to the `alias` keys of the static locations.
	75	It should correspond to the paths of your storage directories (set in the configuration file inside the `storage` key).
	76
	77	```
	78	$ sudo vim /etc/nginx/sites-available/peertube
	79	```
	80
	81	If you want to set https with Let's Encrypt please follow the steps of [this guide](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04).
	82
	83	An example of the nginx configuration could be:
	84
	85	```
	86	server {
	87	listen 80;
	88	listen [::]:80;
	89	server_name peertube.example.com;
	90
	91	access_log /var/log/nginx/peertube.example.com.access.log;
	92	error_log /var/log/nginx/peertube.example.com.error.log;
	93
	94	rewrite ^ https://$server_name$request_uri? permanent;
	95	}
	96
	97	server {
	98	listen 443 ssl http2;
	99	listen [::]:443 ssl http2;
	100	server_name peertube.example.com;
	101
	102	# For example with Let's Encrypt
	103	ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
	104	ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;
	105	ssl_trusted_certificate /etc/letsencrypt/live/peertube.example.com/chain.pem;
	106
	107	access_log /var/log/nginx/peertube.example.com.access.log;
	108	error_log /var/log/nginx/peertube.example.com.error.log;
	109
	110	location ^~ '/.well-known/acme-challenge' {
	111	default_type "text/plain";
	112	root /var/www/certbot;
	113	}
	114
	115	location ~ ^/client/(.*\.(js\|css\|woff2\|otf\|ttf\|woff\|eot))$ {
	116	add_header Cache-Control "public, max-age=31536000, immutable";
	117
	118	alias /var/www/peertube/peertube-latest/client/dist/$1;
	119	}
	120
	121	location ~ ^/static/(thumbnails\|avatars)/(.*)$ {
	122	add_header Cache-Control "public, max-age=31536000, immutable";
	123
	124	alias /var/www/peertube/storage/$1/$2;
	125	}
	126
	127	location / {
	128	proxy_pass http://localhost:9000;
	129	proxy_set_header X-Real-IP $remote_addr;
	130	proxy_set_header Host $host;
	131	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	132
	133	# For the video upload
	134	client_max_body_size 8G;
	135	proxy_connect_timeout 600;
	136	proxy_send_timeout 600;
	137	proxy_read_timeout 600;
	138	send_timeout 600;
	139	}
	140
	141	# Bypass PeerTube webseed route for better performances
	142	location /static/webseed {
	143	if ($request_method = 'OPTIONS') {
	144	add_header 'Access-Control-Allow-Origin' '*';
	145	add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
	146	add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
	147	add_header 'Access-Control-Max-Age' 1728000;
	148	add_header 'Content-Type' 'text/plain charset=UTF-8';
	149	add_header 'Content-Length' 0;
	150	return 204;
	151	}
	152
	153	if ($request_method = 'GET') {
	154	add_header 'Access-Control-Allow-Origin' '*';
	155	add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
	156	add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
	157
	158	# Don't spam access log file with byte range requests
	159	access_log off;
	160	}
	161
	162	alias /var/www/peertube/storage/videos;
	163	}
	164
	165	# Websocket tracker
	166	location /tracker/socket {
	167	# Peers send a message to the tracker every 15 minutes
	168	# Don't close the websocket before this time
	169	proxy_read_timeout 1200s;
	170	proxy_set_header Upgrade $http_upgrade;
	171	proxy_set_header Connection "upgrade";
	172	proxy_http_version 1.1;
	173	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	174	proxy_set_header Host $host;
	175	proxy_pass http://localhost:9000;
	176	}
	177	}
	178	```
	179
	180
	181	Activate the configuration file:
	182
	183	```
	184	$ sudo ln -s /etc/nginx/sites-available/peertube /etc/nginx/sites-enabled/peertube
	185	$ sudo systemctl reload nginx
	186	```
	187
	188	### Systemd
	189
	190	Copy the nginx configuration template:
	191
	192	```
	193	$ sudo cp /var/www/peertube/peertube-latest/support/systemd/peertube.service /etc/systemd/system/
	194	```
	195
	196	Update the service file:
	197
	198	```
	199	$ sudo vim /etc/systemd/system/peertube.service
	200	```
	201
	202	It should look like this:
	203
	204	```
	205	[Unit]
	206	Description=PeerTube daemon
	207	After=network.target
	208
	209	[Service]
	210	Type=simple
	211	Environment=NODE_ENV=production
	212	Environment=NODE_CONFIG_DIR=/var/www/peertube/config
	213	User=peertube
	214	Group=peertube
	215	ExecStart=/usr/bin/npm start
	216	WorkingDirectory=/var/www/peertube/peertube-latest
	217	StandardOutput=syslog
	218	StandardError=syslog
	219	SyslogIdentifier=peertube
	220	Restart=always
	221
	222	[Install]
	223	WantedBy=multi-user.target
	224	```
	225
	226
	227	Tell systemd to reload its config:
	228
	229	```
	230	$ sudo systemctl daemon-reload
	231	```
	232
	233	If you want to start PeerTube on boot:
	234
	235	```
	236	$ sudo systemctl enable peertube
	237	```
	238
	239	### Run
	240
	241	```
	242	$ sudo systemctl start peertube
	243	$ sudo journalctl -feu peertube
	244	```
	245
	246	### Administrator
	247
	248	The administrator password is automatically generated and can be found in the
	249	logs. You can set another password with:
	250
	251	```
	252	$ cd /var/www/peertube/peertube-latest && NODE_CONFIG_DIR=/var/www/peertube/config NODE_ENV=production npm run reset-password -- -u root
	253	```
	254
	255	## Upgrade
	256
	257	Make a SQL backup:
	258
	259	```
	260	$ SQL_BACKUP_PATH="backup/sql-peertube_prod-$(date -Im).bak" && \
	261	cd /var/www/peertube && sudo -u peertube mkdir -p backup && \
	262	sudo pg_dump -U peertube -W -h localhost -F c peertube_prod -f "$SQL_BACKUP_PATH"
	263	```
	264
	265	Update your configuration file. If some keys are missing, your upgraded PeerTube won't start!
	266
	267	```
	268	$ diff <(curl -s https://raw.githubusercontent.com/Chocobozzz/PeerTube/develop/config/production.yaml.example) /var/www/peertube/config/production.yaml
	269	```
	270
	271	Upgrade PeerTube:
	272
	273	```
	274	$ VERSION=$(curl -s https://api.github.com/repos/chocobozzz/peertube/releases/latest \| grep tag_name \| cut -d '"' -f 4) && \
	275	cd /var/www/peertube/versions && \
	276	sudo -u peertube wget -q "https://github.com/Chocobozzz/PeerTube/releases/download/${VERSION}/peertube-${VERSION}.zip" && \
	277	sudo -u peertube unzip -o peertube-${VERSION}.zip && sudo -u peertube rm peertube-${VERSION}.zip && \
	278	cd ../ && sudo rm ./peertube-latest && sudo -u peertube ln -s versions/peertube-${VERSION} ./peertube-latest && \
	279	cd ./peertube-latest && sudo -u peertube yarn install --production --pure-lockfile && \
	280	sudo systemctl restart peertube
	281	```
	282
	283	Things went wrong? Change `peertube-latest` destination to the previous version and restore your SQL backup:
	284
	285	```
	286	$ OLD_VERSION="v0.42.42" && SQL_BACKUP_PATH="backup/sql-peertube_prod-2018-01-19T10:18+01:00.bak" && \
	287	cd /var/www/peertube && rm ./peertube-latest && \
	288	sudo -u peertube ln -s "versions/peertube-$OLD_VERSION" peertube-latest && \
	289	pg_restore -U peertube -c -d peertube_prod "$SQL_BACKUP_PATH"
	290	sudo systemctl restart peertube
	291	```