Remove traefik docker support

6 files changed, 35 insertions, 119 deletions

diff --git a/support/docker/production/.env b/support/docker/production/.env
index 86356d5a3..3e19c3817 100644
--- a/support/docker/production/.env
+++ b/support/docker/production/.env
@@ -41,12 +41,6 @@ OPENDKIM_DOMAINS=<MY DOMAIN>=peertube
 # see https://github.com/wader/postfix-relay/pull/18
 OPENDKIM_RequireSafeKeys=no
 
-# Let's Encrypt service configuration
-TRAEFIK_ACME_EMAIL=<MY EMAIL ADDRESS>
-# If you need to obtain ACME certificates for more than one DOMAIN
-# pass them as a comma separated string
-TRAEFIK_ACME_DOMAINS=<MY DOMAIN>
-
 # /!\ Prefer to use the PeerTube admin interface to set the following configurations /!\
 #PEERTUBE_SIGNUP_ENABLED=true
 #PEERTUBE_TRANSCODING_ENABLED=true
diff --git a/support/docker/production/Dockerfile.nginx b/support/docker/production/Dockerfile.nginx
index 36ae3c3bc..1d685eee6 100644
--- a/support/docker/production/Dockerfile.nginx
+++ b/support/docker/production/Dockerfile.nginx
@@ -3,6 +3,6 @@ FROM nginx:alpine
 COPY entrypoint.nginx.sh .
 RUN chmod +x entrypoint.nginx.sh
 
-EXPOSE 80
+EXPOSE 80 443
 ENTRYPOINT []
-CMD ["/bin/sh", "entrypoint.nginx.sh"]
\ No newline at end of file
+CMD ["/bin/sh", "entrypoint.nginx.sh"]
diff --git a/support/docker/production/config/traefik.toml b/support/docker/production/config/traefik.toml
deleted file mode 100644
index c0a7cf840..000000000
--- a/support/docker/production/config/traefik.toml
+++ /dev/null
@@ -1,67 +0,0 @@
-# Uncomment this line in order to enable debugging through logs
-# debug = true
-defaultEntryPoints = ["http", "https"]
-
-[entryPoints]
-  [entryPoints.http]
-  address = ":80"
-    [entryPoints.http.redirect]
-    entryPoint = "https"
-  [entryPoints.https]
-  address = ":443"
-    [entryPoints.https.tls]
-    MinVersion = "VersionTLS12"
-    CurvePreferences = [
-      "CurveP521",
-      "CurveP384",
-      "CurveP256"
-    ]
-    PreferServerCipherSuites = true
-    CipherSuites = [
-      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
-      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
-      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
-      "TLS_RSA_WITH_AES_256_GCM_SHA384",
-      "TLS_RSA_WITH_AES_256_CBC_SHA"
-    ]
-    FrameDeny = false # here we don't want to deny frames since we have an embed
-    STSIncludeSubdomains = true
-    STSSeconds = 315360000
-    STSPreload = true
-    ContentTypeNosniff = true
-    BrowserXssFilter = true
-
-
-# Enable ACME (Let's Encrypt): automatic SSL.
-[acme]
-
-# File or key used for certificates storage.
-#
-# Required
-#
-storage = "/etc/acme.json"
-# or `storage = "traefik/acme/account"` if using KV store.
-
-# Entrypoint to proxy acme apply certificates to.
-# WARNING, if the TLS-SNI-01 challenge is used, it must point to an entrypoint on port 443
-#
-# Required
-#
-entryPoint = "https"
-
-# Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge
-#
-# Optional but recommend
-#
-[acme.httpChallenge]
-
-  # EntryPoint to use for the challenges.
-  #
-  # Required
-  #
-  entryPoint = "http"
-
-[docker]
-  exposedByDefault = false
\ No newline at end of file
diff --git a/support/docker/production/docker-compose.traefik.yml b/support/docker/production/docker-compose.traefik.yml
deleted file mode 100644
index bbea75783..000000000
--- a/support/docker/production/docker-compose.traefik.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-version: "3.3"
-
-services:
-
-  # The reverse-proxy only does SSL termination and automatic certificate generation. You can
-  # replace it with any other reverse-proxy, in which case you can remove 'traefik.*' labels.
-  reverse-proxy:
-    image: traefik:v1.7
-    network_mode: "host"
-    command:
-      - "--docker"                                # Tells Træfik to listen to docker
-      - "--acme.email=${TRAEFIK_ACME_EMAIL}"      # Let's Encrypt ACME email
-      - "--acme.domains=${TRAEFIK_ACME_DOMAINS}"  # Let's Encrypt ACME domain list
-    ports:
-      - "80:80"    # serving HTTP
-      - "443:443"  # serving HTTPS
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock # So that Træfik can listen to the Docker events
-      - ./docker-volume/traefik/acme.json:/etc/acme.json
-      - ./docker-volume/traefik/traefik.toml:/traefik.toml
-    restart: "always"
-
-  webserver:
-    labels:
-      traefik.enable: "true"
-      traefik.frontend.rule: "Host:${PEERTUBE_WEBSERVER_HOSTNAME}"
-      traefik.port: "80"
diff --git a/support/docker/production/docker-compose.yml b/support/docker/production/docker-compose.yml
index bce9426d2..4ad1a8756 100644
--- a/support/docker/production/docker-compose.yml
+++ b/support/docker/production/docker-compose.yml
@@ -2,19 +2,18 @@ version: "3.3"
 
 services:
 
-  # The webserver is not required, but recommended since a lot of optimizations went to its
-  # nginx configuration file. It runs the default nginx configuration without HTTPS nor SSL,
-  # so use it in production in tandem with an SSL-terminating reverse-proxy.
+  # You can comment this webserver section if you want to use another webserver/proxy
   webserver:
-    image: chocobozzz/peertube:webserver
-    build:
-      context: .
-      dockerfile: Dockerfile.nginx
+    image: chocobozzz/peertube-webserver:latest
+    # If you don't want to use the official image and build one from sources:
+    # build:
+    #   context: .
+    #   dockerfile: Dockerfile.nginx
     env_file:
       - .env
-    # If you provide your own reverse-proxy, otherwise not suitable for production:
-    #ports:
-    #  - "9000:80" # serving HTTP
+    ports:
+     - "80:80"
+     - "443:443"
     volumes:
       - type: bind
         # Switch sources if you downloaded the whole repository
@@ -23,15 +22,29 @@ services:
         target: /etc/nginx/conf.d/peertube.template
       - assets:/var/www/peertube/peertube-latest/client/dist:ro
       - ./docker-volume/data:/var/www/peertube/storage
+      - certbot-www:/var/www/certbot
+      - ./docker-volume/certbot/conf:/etc/letsencrypt
     depends_on:
       - peertube
     restart: "always"
 
+  # You can comment this certbot section if you want to use another webserver/proxy
+  certbot:
+    container_name: certbot
+    image: certbot/certbot
+    volumes:
+      - ./docker-volume/certbot/conf:/etc/letsencrypt
+      - certbot-www:/var/www/certbot
+    restart: unless-stopped
+    entrypoint: /bin/sh -c "trap exit TERM; while :; do certbot renew --webroot -w /var/www/certbot; sleep 12h & wait $${!}; done;"
+    depends_on:
+      - webserver
+
   peertube:
     # If you don't want to use the official image and build one from sources:
-    #build:
-    #  context: .
-    #  dockerfile: ./support/docker/production/Dockerfile.buster
+    # build:
+    #   context: .
+    #   dockerfile: ./support/docker/production/Dockerfile.buster
     image: chocobozzz/peertube:production-buster
     env_file:
       - .env
@@ -79,3 +92,4 @@ networks:
 
 volumes:
   assets:
+  certbot-www:
diff --git a/support/docker/production/entrypoint.nginx.sh b/support/docker/production/entrypoint.nginx.sh
index 670ce84a3..ad26aa0e2 100644
--- a/support/docker/production/entrypoint.nginx.sh
+++ b/support/docker/production/entrypoint.nginx.sh
@@ -4,12 +4,14 @@ set -e
 # Process the nginx template
 SOURCE_FILE="/etc/nginx/conf.d/peertube.template"
 TARGET_FILE="/etc/nginx/conf.d/default.conf"
-export WEBSERVER_HOST="default_server"
+export WEBSERVER_HOST="$PEERTUBE_WEBSERVER_HOSTNAME"
 export PEERTUBE_HOST="peertube:9000"
 
 envsubst '${WEBSERVER_HOST} ${PEERTUBE_HOST}' < $SOURCE_FILE > $TARGET_FILE
 
-# Remove HTTPS/SSL from nginx conf since this image is meant as a webserver _behind_ a reverse-proxy doing TLS termination itself
-sed -i 's/443 ssl http2/80/g;/ssl_/d' $TARGET_FILE
+while :; do
+  sleep 12h & wait $!;
+  nginx -s reload;
+done &
 
-nginx -g "daemon off;"
\ No newline at end of file
+nginx -g 'daemon off;'