From afd4ee86ddb97f8d49585fddd318bedcd3ad55b8 Mon Sep 17 00:00:00 2001
From: Chocobozzz 
Date: Wed, 30 Dec 2020 16:53:11 +0100
Subject: [PATCH] Remove traefik docker support

---
 support/doc/docker.md | 27 ++++++--
 support/docker/production/.env | 6 --
 support/docker/production/Dockerfile.nginx | 4 +-
 support/docker/production/config/traefik.toml | 67 -------------------
 .../production/docker-compose.traefik.yml | 27 --------
 support/docker/production/docker-compose.yml | 40 +++++++----
 support/docker/production/entrypoint.nginx.sh | 10 +--
 support/nginx/peertube | 27 ++++----
 8 files changed, 71 insertions(+), 137 deletions(-)
 delete mode 100644 support/docker/production/config/traefik.toml
 delete mode 100644 support/docker/production/docker-compose.traefik.yml

diff --git a/support/doc/docker.md b/support/doc/docker.md
index 6f61c38d0..36da94f55 100644
--- a/support/doc/docker.md
+++ b/support/doc/docker.md
@@ -56,14 +56,33 @@ Other environment variables are used in [/support/docker/production/config/custom-environment-variables.yaml](https://github.com/Chocobozzz/PeerTube/blob/develop/support/docker/production/config/custom-environment-variables.yaml) and can be intuited from usage.
-#### Testing local Docker setup
+#### Webserver
-To test locally your Docker setup, you must add your domain (``) in `/etc/hosts`:
+*The docker compose file includes a configured web server. You can skip this part and comment the appropriate section in the docker compose if you use another webserver/proxy.*
+
+Install the template that the nginx container will use.
+The container will generate the configuration by replacing `${WEBSERVER_HOST}` and `${PEERTUBE_HOST}` using your docker compose env file.
+
+It will also generate a TLS certificate at startup and schedule a renew
+
+```shell
+mkdir -p docker-volume/nginx
+curl https://raw.githubusercontent.com/Chocobozzz/PeerTube/develop/support/nginx/peertube > docker-volume/nginx/peertube
 ```
-127.0.0.1 localhost mydomain.tld
+
+You need to manually generate the first SSL/TLS certificate using Let's Encrypt:
+
+```shell
+mkdir -p docker-volume/certbot
+docker run -it --rm --name certbot -p 80:80 -v "$(pwd)/docker-volume/certbot/conf:/etc/letsencrypt" certbot/certbot certonly --standalone
 ```
-#### You can use the regular `up` command to set it up
+The docker-compose will automatically renew this certificate and reload nginx.
+
+
+#### Test your setup
+
+Run your containers:
 ```shell
 docker-compose up
diff --git a/support/docker/production/.env b/support/docker/production/.env
index 86356d5a3..3e19c3817 100644
--- a/support/docker/production/.env
+++ b/support/docker/production/.env
@@ -41,12 +41,6 @@ OPENDKIM_DOMAINS==peertube
 # see https://github.com/wader/postfix-relay/pull/18
 OPENDKIM_RequireSafeKeys=no
-# Let's Encrypt service configuration
-TRAEFIK_ACME_EMAIL=
-# If you need to obtain ACME certificates for more than one DOMAIN
-# pass them as a comma separated string
-TRAEFIK_ACME_DOMAINS=
-
 # /!\ Prefer to use the PeerTube admin interface to set the following configurations /!\
 #PEERTUBE_SIGNUP_ENABLED=true
 #PEERTUBE_TRANSCODING_ENABLED=true
diff --git a/support/docker/production/Dockerfile.nginx b/support/docker/production/Dockerfile.nginx
index 36ae3c3bc..1d685eee6 100644
--- a/support/docker/production/Dockerfile.nginx
+++ b/support/docker/production/Dockerfile.nginx
@@ -3,6 +3,6 @@ FROM nginx:alpine
 COPY entrypoint.nginx.sh .
 RUN chmod +x entrypoint.nginx.sh
-EXPOSE 80
+EXPOSE 80 443
 ENTRYPOINT []
-CMD ["/bin/sh", "entrypoint.nginx.sh"]
\ No newline at end of file
+CMD ["/bin/sh", "entrypoint.nginx.sh"]
diff --git a/support/docker/production/config/traefik.toml b/support/docker/production/config/traefik.toml
deleted file mode 100644
index c0a7cf840..000000000
--- a/support/docker/production/config/traefik.toml
+++ /dev/null
@@ -1,67 +0,0 @@
-# Uncomment this line in order to enable debugging through logs
-# debug = true
-defaultEntryPoints = ["http", "https"]
-
-[entryPoints]
- [entryPoints.http]
- address = ":80"
- [entryPoints.http.redirect]
- entryPoint = "https"
- [entryPoints.https]
- address = ":443"
- [entryPoints.https.tls]
- MinVersion = "VersionTLS12"
- CurvePreferences = [
- "CurveP521",
- "CurveP384",
- "CurveP256"
- ]
- PreferServerCipherSuites = true
- CipherSuites = [
- "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_RSA_WITH_AES_256_CBC_SHA"
- ]
- FrameDeny = false # here we don't want to deny frames since we have an embed
- STSIncludeSubdomains = true
- STSSeconds = 315360000
- STSPreload = true
- ContentTypeNosniff = true
- BrowserXssFilter = true
-
-
-# Enable ACME (Let's Encrypt): automatic SSL.
-[acme]
-
-# File or key used for certificates storage.
-#
-# Required
-#
-storage = "/etc/acme.json"
-# or `storage = "traefik/acme/account"` if using KV store.
-
-# Entrypoint to proxy acme apply certificates to.
-# WARNING, if the TLS-SNI-01 challenge is used, it must point to an entrypoint on port 443
-#
-# Required
-#
-entryPoint = "https"
-
-# Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge
-#
-# Optional but recommend
-#
-[acme.httpChallenge]
-
- # EntryPoint to use for the challenges.
- #
- # Required
- #
- entryPoint = "http"
-
-[docker]
- exposedByDefault = false
\ No newline at end of file
diff --git a/support/docker/production/docker-compose.traefik.yml b/support/docker/production/docker-compose.traefik.yml
deleted file mode 100644
index bbea75783..000000000
--- a/support/docker/production/docker-compose.traefik.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-version: "3.3"
-
-services:
-
- # The reverse-proxy only does SSL termination and automatic certificate generation. You can
- # replace it with any other reverse-proxy, in which case you can remove 'traefik.*' labels.
- reverse-proxy:
- image: traefik:v1.7
- network_mode: "host"
- command:
- - "--docker" # Tells Træfik to listen to docker
- - "--acme.email=${TRAEFIK_ACME_EMAIL}" # Let's Encrypt ACME email
- - "--acme.domains=${TRAEFIK_ACME_DOMAINS}" # Let's Encrypt ACME domain list
- ports:
- - "80:80" # serving HTTP
- - "443:443" # serving HTTPS
- volumes:
- - /var/run/docker.sock:/var/run/docker.sock # So that Træfik can listen to the Docker events
- - ./docker-volume/traefik/acme.json:/etc/acme.json
- - ./docker-volume/traefik/traefik.toml:/traefik.toml
- restart: "always"
-
- webserver:
- labels:
- traefik.enable: "true"
- traefik.frontend.rule: "Host:${PEERTUBE_WEBSERVER_HOSTNAME}"
- traefik.port: "80"
diff --git a/support/docker/production/docker-compose.yml b/support/docker/production/docker-compose.yml
index bce9426d2..4ad1a8756 100644
--- a/support/docker/production/docker-compose.yml
+++ b/support/docker/production/docker-compose.yml
@@ -2,19 +2,18 @@ version: "3.3"
 services:
- # The webserver is not required, but recommended since a lot of optimizations went to its
- # nginx configuration file. It runs the default nginx configuration without HTTPS nor SSL,
- # so use it in production in tandem with an SSL-terminating reverse-proxy.
+ # You can comment this webserver section if you want to use another webserver/proxy
 webserver:
- image: chocobozzz/peertube:webserver
- build:
- context: .
- dockerfile: Dockerfile.nginx
+ image: chocobozzz/peertube-webserver:latest
+ # If you don't want to use the official image and build one from sources:
+ # build:
+ # context: .
+ # dockerfile: Dockerfile.nginx
 env_file:
 - .env
- # If you provide your own reverse-proxy, otherwise not suitable for production:
- #ports:
- # - "9000:80" # serving HTTP
+ ports:
+ - "80:80"
+ - "443:443"
 volumes:
 - type: bind
 # Switch sources if you downloaded the whole repository
@@ -23,15 +22,29 @@ services:
 target: /etc/nginx/conf.d/peertube.template
 - assets:/var/www/peertube/peertube-latest/client/dist:ro
 - ./docker-volume/data:/var/www/peertube/storage
+ - certbot-www:/var/www/certbot
+ - ./docker-volume/certbot/conf:/etc/letsencrypt
 depends_on:
 - peertube
 restart: "always"
+ # You can comment this certbot section if you want to use another webserver/proxy
+ certbot:
+ container_name: certbot
+ image: certbot/certbot
+ volumes:
+ - ./docker-volume/certbot/conf:/etc/letsencrypt
+ - certbot-www:/var/www/certbot
+ restart: unless-stopped
+ entrypoint: /bin/sh -c "trap exit TERM; while :; do certbot renew --webroot -w /var/www/certbot; sleep 12h & wait $${!}; done;"
+ depends_on:
+ - webserver
+
 peertube:
 # If you don't want to use the official image and build one from sources:
- #build:
- # context: .
- # dockerfile: ./support/docker/production/Dockerfile.buster
+ # build:
+ # context: .
+ # dockerfile: ./support/docker/production/Dockerfile.buster
 image: chocobozzz/peertube:production-buster
 env_file:
 - .env
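Review bot: `image: chocobozzz/peertube-webserver:latest` replaces the local `build:` with a floating tag, so every pull on a production host picks up whatever image was most recently published and there is no way to tell afterwards which webserver build a deployment is running. Pin the tag to a release and, where the registry supports it, a digest, e.g. `image: chocobozzz/peertube-webserver:<release-tag>@sha256:<image-digest>` (placeholders), or at least state in the comment above that operators are expected to pin it. The same applies to the unpinned `image: certbot/certbot` in the following hunk.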
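Review bot: The webserver service now mounts `./docker-volume/certbot/conf:/etc/letsencrypt` and `certbot-www:/var/www/certbot` read-write, although nginx only reads the certificate and key (`ssl_certificate*` in the nginx hunk) and the challenge webroot; since that directory holds the private keys, mount both read-only in the webserver so a compromised nginx container cannot alter them: `- certbot-www:/var/www/certbot:ro` and `- ./docker-volume/certbot/conf:/etc/letsencrypt:ro`. The certbot service keeps its read-write mounts, which it needs to write renewals and challenge files. Separately, the renew loop has no reload hook, so a renewed certificate is only served once the webserver's independent 12h reload timer fires; that is well within Let's Encrypt's renewal window but is worth a sentence in the comment above the service so the coupling between the two timers is documented.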
@@ -79,3 +92,4 @@ networks:
 volumes:
 assets:
+ certbot-www:
diff --git a/support/docker/production/entrypoint.nginx.sh b/support/docker/production/entrypoint.nginx.sh
index 670ce84a3..ad26aa0e2 100644
--- a/support/docker/production/entrypoint.nginx.sh
+++ b/support/docker/production/entrypoint.nginx.sh
@@ -4,12 +4,14 @@ set -e
 # Process the nginx template
 SOURCE_FILE="/etc/nginx/conf.d/peertube.template"
 TARGET_FILE="/etc/nginx/conf.d/default.conf"
-export WEBSERVER_HOST="default_server"
+export WEBSERVER_HOST="$PEERTUBE_WEBSERVER_HOSTNAME"
 export PEERTUBE_HOST="peertube:9000"
 envsubst '${WEBSERVER_HOST} ${PEERTUBE_HOST}' < $SOURCE_FILE > $TARGET_FILE
-# Remove HTTPS/SSL from nginx conf since this image is meant as a webserver _behind_ a reverse-proxy doing TLS termination itself
-sed -i 's/443 ssl http2/80/g;/ssl_/d' $TARGET_FILE
+while :; do
+ sleep 12h & wait $!;
+ nginx -s reload;
+done &
-nginx -g "daemon off;"
\ No newline at end of file
+nginx -g 'daemon off;'
diff --git a/support/nginx/peertube b/support/nginx/peertube
index 641d254af..31a690e29 100644
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -4,18 +4,17 @@
 # OPTIONAL HTTP MODULES: Gzip, Headers, HTTP/2, Log, Real IP, SSL, Thread Pool, Upstream.
 # THIRD PARTY MODULES: None.
-# Uncomment in production to redirect HTTP to HTTPS. Leave commented for docker-compose.
-#server {
-# listen 80;
-# listen [::]:80;
-# server_name ${WEBSERVER_HOST};
-#
-# location /.well-known/acme-challenge/ {
-# default_type "text/plain";
-# root /var/www/certbot;
-# }
-# location / { return 301 https://$host$request_uri; }
-#}
+server {
+ listen 80;
+ listen [::]:80;
+ server_name ${WEBSERVER_HOST};
+
+ location /.well-known/acme-challenge/ {
+ default_type "text/plain";
+ root /var/www/certbot;
+ }
+ location / { return 301 https://$host$request_uri; }
+}
 upstream backend {
 server ${PEERTUBE_HOST};
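Review bot: `export WEBSERVER_HOST="$PEERTUBE_WEBSERVER_HOSTNAME"` silently produces an empty value when the variable is missing from the env file, so envsubst renders `server_name ;` and `/etc/letsencrypt/live//fullchain.pem` into default.conf and nginx fails at startup with an error that does not name the actual cause; fail early with `: "${PEERTUBE_WEBSERVER_HOSTNAME:?PEERTUBE_WEBSERVER_HOSTNAME must be set in the env file}"` placed before the export. The reload loop is backgrounded from a script running under `set -e`, which the subshell appears to inherit, so one failing `nginx -s reload` would end the loop silently and later certificate renewals would never be picked up; `nginx -s reload || echo "nginx reload failed" >&2` keeps the loop alive and leaves a trace in the container log. The trailing `;` after `wait $!` is harmless but inconsistent with the other lines.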
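Review bot: The now-active HTTP server block is the only `listen 80` server in the template, so it is also nginx's default server on that port, and `return 301 https://$host$request_uri;` copies whatever Host header the client sent into the Location header of the redirect. The block serves a single `server_name ${WEBSERVER_HOST}`, so redirect to that fixed name instead: `location / { return 301 https://${WEBSERVER_HOST}$request_uri; }` (envsubst in the docker entrypoint and the sed step in the manual install both already substitute this placeholder). The removed line `# Uncomment in production to redirect HTTP to HTTPS. Leave commented for docker-compose.` is not replaced, so a one-line comment stating that the block is now used by both the docker and the bare-metal setups would help readers of this shared template.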
@@ -33,8 +32,8 @@ server {
 # Certificates
 # you need a certificate to run in production. see https://letsencrypt.org/
 ##
- ssl_certificate /etc/letsencrypt/live/peertube/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/peertube/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/${WEBSERVER_HOST}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem;
 location ^~ '/.well-known/acme-challenge' {
 default_type "text/plain";
-- 
2.41.0
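Review bot: `ssl_certificate /etc/letsencrypt/live/${WEBSERVER_HOST}/fullchain.pem` (and the key line below it) assumes the certbot lineage directory is named exactly after the webserver hostname; certbot names it after the first domain requested unless `--cert-name` is given, so a first certificate issued for a different primary domain, or one covering several names, leaves nginx pointing at a missing path and refusing to start. Add a comment above the two directives, `# The certbot lineage must be named after WEBSERVER_HOST (certbot --cert-name ${WEBSERVER_HOST})`, and state the same requirement next to the `certonly --standalone` step in the docker documentation. The enclosing `server` block starts and ends outside the hunk.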