8 files changed, 71 insertions, 137 deletions
diff --git a/support/doc/docker.md b/support/doc/docker.md
index 6f61c38d0..36da94f55 100644
--- a/support/doc/docker.md
+++ b/support/doc/docker.md
@@ -56,14 +56,33 @@ Other environment variables are used in
 [/support/docker/production/config/custom-environment-variables.yaml](https://github.com/Chocobozzz/PeerTube/blob/develop/support/docker/production/config/custom-environment-variables.yaml) and can be
 intuited from usage.
-#### Testing local Docker setup
+#### Webserver
-To test locally your Docker setup, you must add your domain (`<MY DOMAIN>`) in `/etc/hosts`:
+*The docker compose file includes a configured web server. You can skip this part and comment the appropriate section in the docker compose if you use another webserver/proxy.*
+Install the template that the nginx container will use.
+The container will generate the configuration by replacing `${WEBSERVER_HOST}` and `${PEERTUBE_HOST}` using your docker compose env file.
+It will also generate a TLS certificate at startup and schedule a renew
+```shell
+mkdir -p docker-volume/nginx
+curl https://raw.githubusercontent.com/Chocobozzz/PeerTube/develop/support/nginx/peertube > docker-volume/nginx/peertube
 ```
-127.0.0.1       localhost   mydomain.tld
+You need to manually generate the first SSL/TLS certificate using Let's Encrypt:
+```shell
+mkdir -p docker-volume/certbot
+docker run -it --rm --name certbot -p 80:80 -v "$(pwd)/docker-volume/certbot/conf:/etc/letsencrypt" certbot/certbot certonly --standalone
 ```
-#### You can use the regular `up` command to set it up
+The docker-compose will automatically renew this certificate and reload nginx.
+#### Test your setup
+Run your containers:
 ```shell
 docker-compose up
diff --git a/support/docker/production/.env b/support/docker/production/.env
index 86356d5a3..3e19c3817 100644
--- a/support/docker/production/.env
+++ b/support/docker/production/.env
@@ -41,12 +41,6 @@ OPENDKIM_DOMAINS=<MY DOMAIN>=peertube
 # see https://github.com/wader/postfix-relay/pull/18
 OPENDKIM_RequireSafeKeys=no
-# Let's Encrypt service configuration
-TRAEFIK_ACME_EMAIL=<MY EMAIL ADDRESS>
-# If you need to obtain ACME certificates for more than one DOMAIN
-# pass them as a comma separated string
-TRAEFIK_ACME_DOMAINS=<MY DOMAIN>
 # /!\ Prefer to use the PeerTube admin interface to set the following configurations /!\
 #PEERTUBE_SIGNUP_ENABLED=true
 #PEERTUBE_TRANSCODING_ENABLED=true
diff --git a/support/docker/production/Dockerfile.nginx b/support/docker/production/Dockerfile.nginx
index 36ae3c3bc..1d685eee6 100644
--- a/support/docker/production/Dockerfile.nginx
+++ b/support/docker/production/Dockerfile.nginx
@@ -3,6 +3,6 @@ FROM nginx:alpine
 COPY entrypoint.nginx.sh .
 RUN chmod +x entrypoint.nginx.sh
-EXPOSE 80
+EXPOSE 80 443
 ENTRYPOINT []
-CMD ["/bin/sh", "entrypoint.nginx.sh"]
-\ No newline at end of file
+CMD ["/bin/sh", "entrypoint.nginx.sh"]
diff --git a/support/docker/production/config/traefik.toml b/support/docker/production/config/traefik.toml
deleted file mode 100644
index c0a7cf840..000000000
--- a/support/docker/production/config/traefik.toml
+++ /dev/null
@@ -1,67 +0,0 @@
-# Uncomment this line in order to enable debugging through logs
-# debug = true
-defaultEntryPoints = ["http", "https"]
-[entryPoints]
-  [entryPoints.http]
-  address = ":80"
-    [entryPoints.http.redirect]
-    entryPoint = "https"
-  [entryPoints.https]
-  address = ":443"
-    [entryPoints.https.tls]
-    MinVersion = "VersionTLS12"
-    CurvePreferences = [
-      "CurveP521",
-      "CurveP384",
-      "CurveP256"
-    ]
-    PreferServerCipherSuites = true
-    CipherSuites = [
-      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
-      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
-      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
-      "TLS_RSA_WITH_AES_256_GCM_SHA384",
-      "TLS_RSA_WITH_AES_256_CBC_SHA"
-    ]
-    FrameDeny = false # here we don't want to deny frames since we have an embed
-    STSIncludeSubdomains = true
-    STSSeconds = 315360000
-    STSPreload = true
-    ContentTypeNosniff = true
-    BrowserXssFilter = true
-# Enable ACME (Let's Encrypt): automatic SSL.
-[acme]
-# File or key used for certificates storage.
-#
-# Required
-#
-storage = "/etc/acme.json"
-# or `storage = "traefik/acme/account"` if using KV store.
-# Entrypoint to proxy acme apply certificates to.
-# WARNING, if the TLS-SNI-01 challenge is used, it must point to an entrypoint on port 443
-#
-# Required
-#
-entryPoint = "https"
-# Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge
-#
-# Optional but recommend
-#
-[acme.httpChallenge]
-  # EntryPoint to use for the challenges.
-  #
-  # Required
-  #
-  entryPoint = "http"
-[docker]
-  exposedByDefault = false
-\ No newline at end of file
diff --git a/support/docker/production/docker-compose.traefik.yml b/support/docker/production/docker-compose.traefik.yml
deleted file mode 100644
index bbea75783..000000000
--- a/support/docker/production/docker-compose.traefik.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-version: "3.3"
-services:
-  # The reverse-proxy only does SSL termination and automatic certificate generation. You can
-  # replace it with any other reverse-proxy, in which case you can remove 'traefik.*' labels.
-  reverse-proxy:
-    image: traefik:v1.7
-    network_mode: "host"
-    command:
-      - "--docker"                                # Tells Træfik to listen to docker
-      - "--acme.email=${TRAEFIK_ACME_EMAIL}"      # Let's Encrypt ACME email
-      - "--acme.domains=${TRAEFIK_ACME_DOMAINS}"  # Let's Encrypt ACME domain list
-    ports:
-      - "80:80"    # serving HTTP
-      - "443:443"  # serving HTTPS
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock # So that Træfik can listen to the Docker events
-      - ./docker-volume/traefik/acme.json:/etc/acme.json
-      - ./docker-volume/traefik/traefik.toml:/traefik.toml
-    restart: "always"
-  webserver:
-    labels:
-      traefik.enable: "true"
-      traefik.frontend.rule: "Host:${PEERTUBE_WEBSERVER_HOSTNAME}"
-      traefik.port: "80"
diff --git a/support/docker/production/docker-compose.yml b/support/docker/production/docker-compose.yml
index bce9426d2..4ad1a8756 100644
--- a/support/docker/production/docker-compose.yml
+++ b/support/docker/production/docker-compose.yml
@@ -2,19 +2,18 @@ version: "3.3"
 services:
-  # The webserver is not required, but recommended since a lot of optimizations went to its
+  # You can comment this webserver section if you want to use another webserver/proxy
-  # nginx configuration file. It runs the default nginx configuration without HTTPS nor SSL,
-  # so use it in production in tandem with an SSL-terminating reverse-proxy.
  webserver:
-    image: chocobozzz/peertube:webserver
+    image: chocobozzz/peertube-webserver:latest
-    build:
+    # If you don't want to use the official image and build one from sources:
-      context: .
+    # build:
-      dockerfile: Dockerfile.nginx
+    #   context: .
+    #   dockerfile: Dockerfile.nginx
    env_file:
      - .env
-    # If you provide your own reverse-proxy, otherwise not suitable for production:
+    ports:
-    #ports:
+     - "80:80"
-    #  - "9000:80" # serving HTTP
+     - "443:443"
    volumes:
      - type: bind
        # Switch sources if you downloaded the whole repository
@@ -23,15 +22,29 @@ services:
        target: /etc/nginx/conf.d/peertube.template
      - assets:/var/www/peertube/peertube-latest/client/dist:ro
      - ./docker-volume/data:/var/www/peertube/storage
+      - certbot-www:/var/www/certbot
+      - ./docker-volume/certbot/conf:/etc/letsencrypt
    depends_on:
      - peertube
    restart: "always"
+  # You can comment this certbot section if you want to use another webserver/proxy
+  certbot:
+    container_name: certbot
+    image: certbot/certbot
+    volumes:
+      - ./docker-volume/certbot/conf:/etc/letsencrypt
+      - certbot-www:/var/www/certbot
+    restart: unless-stopped
+    entrypoint: /bin/sh -c "trap exit TERM; while :; do certbot renew --webroot -w /var/www/certbot; sleep 12h & wait $${!}; done;"
+    depends_on:
+      - webserver
  peertube:
    # If you don't want to use the official image and build one from sources:
-    #build:
+    # build:
-    #  context: .
+    #   context: .
-    #  dockerfile: ./support/docker/production/Dockerfile.buster
+    #   dockerfile: ./support/docker/production/Dockerfile.buster
    image: chocobozzz/peertube:production-buster
    env_file:
      - .env
@@ -79,3 +92,4 @@ networks:
 volumes:
  assets:
+  certbot-www:
diff --git a/support/docker/production/entrypoint.nginx.sh b/support/docker/production/entrypoint.nginx.sh
index 670ce84a3..ad26aa0e2 100644
--- a/support/docker/production/entrypoint.nginx.sh
+++ b/support/docker/production/entrypoint.nginx.sh
@@ -4,12 +4,14 @@ set -e
 # Process the nginx template
 SOURCE_FILE="/etc/nginx/conf.d/peertube.template"
 TARGET_FILE="/etc/nginx/conf.d/default.conf"
-export WEBSERVER_HOST="default_server"
+export WEBSERVER_HOST="$PEERTUBE_WEBSERVER_HOSTNAME"
 export PEERTUBE_HOST="peertube:9000"
 envsubst '${WEBSERVER_HOST} ${PEERTUBE_HOST}' < $SOURCE_FILE > $TARGET_FILE
-# Remove HTTPS/SSL from nginx conf since this image is meant as a webserver _behind_ a reverse-proxy doing TLS termination itself
+while :; do
-sed -i 's/443 ssl http2/80/g;/ssl_/d' $TARGET_FILE
+  sleep 12h & wait $!;
+  nginx -s reload;
+done &
-nginx -g "daemon off;"
-\ No newline at end of file
+nginx -g 'daemon off;'
diff --git a/support/nginx/peertube b/support/nginx/peertube
index 641d254af..31a690e29 100644
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -4,18 +4,17 @@
 # OPTIONAL HTTP MODULES: Gzip, Headers, HTTP/2, Log, Real IP, SSL, Thread Pool, Upstream.
 # THIRD PARTY MODULES:   None.
-# Uncomment in production to redirect HTTP to HTTPS. Leave commented for docker-compose.
+server {
-#server {
+  listen 80;
-#  listen 80;
+  listen [::]:80;
-#  listen [::]:80;
+  server_name ${WEBSERVER_HOST};
-#  server_name ${WEBSERVER_HOST};
-#
+  location /.well-known/acme-challenge/ {
-#  location /.well-known/acme-challenge/ {
+    default_type "text/plain";
-#    default_type "text/plain";
+    root /var/www/certbot;
-#    root /var/www/certbot;
+  }
-#  }
+  location / { return 301 https://$host$request_uri; }
-#  location / { return 301 https://$host$request_uri; }
+}
-#}
 upstream backend {
  server ${PEERTUBE_HOST};
@@ -33,8 +32,8 @@ server {
  # Certificates
  # you need a certificate to run in production. see https://letsencrypt.org/
  ##
-  ssl_certificate     /etc/letsencrypt/live/peertube/fullchain.pem;
+  ssl_certificate     /etc/letsencrypt/live/${WEBSERVER_HOST}/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/peertube/privkey.pem;
+  ssl_certificate_key /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem;
  location ^~ '/.well-known/acme-challenge' {
    default_type "text/plain";

diff --git a/support/doc/docker.md b/support/doc/docker.md index 6f61c38d0..36da94f55 100644 --- a/support/doc/docker.md +++ b/support/doc/docker.md
@@ -56,14 +56,33 @@ Other environment variables are used in
56	[/support/docker/production/config/custom-environment-variables.yaml](https://github.com/Chocobozzz/PeerTube/blob/develop/support/docker/production/config/custom-environment-variables.yaml) and can be	56	[/support/docker/production/config/custom-environment-variables.yaml](https://github.com/Chocobozzz/PeerTube/blob/develop/support/docker/production/config/custom-environment-variables.yaml) and can be
57	intuited from usage.	57	intuited from usage.
58		58
59	#### Testing local Docker setup	59	#### Webserver
60		60
61	To test locally your Docker setup, you must add your domain (`<MY DOMAIN>`) in `/etc/hosts`:	61	The docker compose file includes a configured web server. You can skip this part and comment the appropriate section in the docker compose if you use another webserver/proxy.
		62
		63	Install the template that the nginx container will use.
		64	The container will generate the configuration by replacing `${WEBSERVER_HOST}` and `${PEERTUBE_HOST}` using your docker compose env file.
		65
		66	It will also generate a TLS certificate at startup and schedule a renew
		67
		68	```shell
		69	mkdir -p docker-volume/nginx
		70	curl https://raw.githubusercontent.com/Chocobozzz/PeerTube/develop/support/nginx/peertube > docker-volume/nginx/peertube
62	```	71	```
63	127.0.0.1 localhost mydomain.tld	72
		73	You need to manually generate the first SSL/TLS certificate using Let's Encrypt:
		74
		75	```shell
		76	mkdir -p docker-volume/certbot
		77	docker run -it --rm --name certbot -p 80:80 -v "$(pwd)/docker-volume/certbot/conf:/etc/letsencrypt" certbot/certbot certonly --standalone
64	```	78	```
65		79
66	#### You can use the regular `up` command to set it up	80	The docker-compose will automatically renew this certificate and reload nginx.
		81
		82
		83	#### Test your setup
		84
		85	Run your containers:
67		86
68	```shell	87	```shell
69	docker-compose up	88	docker-compose up


diff --git a/support/docker/production/.env b/support/docker/production/.env index 86356d5a3..3e19c3817 100644 --- a/support/docker/production/.env +++ b/support/docker/production/.env
@@ -41,12 +41,6 @@ OPENDKIM_DOMAINS=<MY DOMAIN>=peertube
41	# see https://github.com/wader/postfix-relay/pull/18	41	# see https://github.com/wader/postfix-relay/pull/18
42	OPENDKIM_RequireSafeKeys=no	42	OPENDKIM_RequireSafeKeys=no
43		43
44	# Let's Encrypt service configuration
45	TRAEFIK_ACME_EMAIL=<MY EMAIL ADDRESS>
46	# If you need to obtain ACME certificates for more than one DOMAIN
47	# pass them as a comma separated string
48	TRAEFIK_ACME_DOMAINS=<MY DOMAIN>
49
50	# /!\ Prefer to use the PeerTube admin interface to set the following configurations /!\	44	# /!\ Prefer to use the PeerTube admin interface to set the following configurations /!\
51	#PEERTUBE_SIGNUP_ENABLED=true	45	#PEERTUBE_SIGNUP_ENABLED=true
52	#PEERTUBE_TRANSCODING_ENABLED=true	46	#PEERTUBE_TRANSCODING_ENABLED=true


diff --git a/support/docker/production/Dockerfile.nginx b/support/docker/production/Dockerfile.nginx index 36ae3c3bc..1d685eee6 100644 --- a/support/docker/production/Dockerfile.nginx +++ b/support/docker/production/Dockerfile.nginx
@@ -3,6 +3,6 @@ FROM nginx:alpine
3	COPY entrypoint.nginx.sh .	3	COPY entrypoint.nginx.sh .
4	RUN chmod +x entrypoint.nginx.sh	4	RUN chmod +x entrypoint.nginx.sh
5		5
6	EXPOSE 80	6	EXPOSE 80 443
7	ENTRYPOINT []	7	ENTRYPOINT []
8	CMD ["/bin/sh", "entrypoint.nginx.sh"] \ No newline at end of file	8	CMD ["/bin/sh", "entrypoint.nginx.sh"]


diff --git a/support/docker/production/config/traefik.toml b/support/docker/production/config/traefik.toml deleted file mode 100644 index c0a7cf840..000000000 --- a/support/docker/production/config/traefik.toml +++ /dev/null
@@ -1,67 +0,0 @@
1	# Uncomment this line in order to enable debugging through logs
2	# debug = true
3	defaultEntryPoints = ["http", "https"]
4
5	[entryPoints]
6	[entryPoints.http]
7	address = ":80"
8	[entryPoints.http.redirect]
9	entryPoint = "https"
10	[entryPoints.https]
11	address = ":443"
12	[entryPoints.https.tls]
13	MinVersion = "VersionTLS12"
14	CurvePreferences = [
15	"CurveP521",
16	"CurveP384",
17	"CurveP256"
18	]
19	PreferServerCipherSuites = true
20	CipherSuites = [
21	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
22	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
23	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
24	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
25	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
26	"TLS_RSA_WITH_AES_256_GCM_SHA384",
27	"TLS_RSA_WITH_AES_256_CBC_SHA"
28	]
29	FrameDeny = false # here we don't want to deny frames since we have an embed
30	STSIncludeSubdomains = true
31	STSSeconds = 315360000
32	STSPreload = true
33	ContentTypeNosniff = true
34	BrowserXssFilter = true
35
36
37	# Enable ACME (Let's Encrypt): automatic SSL.
38	[acme]
39
40	# File or key used for certificates storage.
41	#
42	# Required
43	#
44	storage = "/etc/acme.json"
45	# or `storage = "traefik/acme/account"` if using KV store.
46
47	# Entrypoint to proxy acme apply certificates to.
48	# WARNING, if the TLS-SNI-01 challenge is used, it must point to an entrypoint on port 443
49	#
50	# Required
51	#
52	entryPoint = "https"
53
54	# Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge
55	#
56	# Optional but recommend
57	#
58	[acme.httpChallenge]
59
60	# EntryPoint to use for the challenges.
61	#
62	# Required
63	#
64	entryPoint = "http"
65
66	[docker]
67	exposedByDefault = false \ No newline at end of file


diff --git a/support/docker/production/docker-compose.traefik.yml b/support/docker/production/docker-compose.traefik.yml deleted file mode 100644 index bbea75783..000000000 --- a/support/docker/production/docker-compose.traefik.yml +++ /dev/null
@@ -1,27 +0,0 @@
1	version: "3.3"
2
3	services:
4
5	# The reverse-proxy only does SSL termination and automatic certificate generation. You can
6	# replace it with any other reverse-proxy, in which case you can remove 'traefik.*' labels.
7	reverse-proxy:
8	image: traefik:v1.7
9	network_mode: "host"
10	command:
11	- "--docker" # Tells Træfik to listen to docker
12	- "--acme.email=${TRAEFIK_ACME_EMAIL}" # Let's Encrypt ACME email
13	- "--acme.domains=${TRAEFIK_ACME_DOMAINS}" # Let's Encrypt ACME domain list
14	ports:
15	- "80:80" # serving HTTP
16	- "443:443" # serving HTTPS
17	volumes:
18	- /var/run/docker.sock:/var/run/docker.sock # So that Træfik can listen to the Docker events
19	- ./docker-volume/traefik/acme.json:/etc/acme.json
20	- ./docker-volume/traefik/traefik.toml:/traefik.toml
21	restart: "always"
22
23	webserver:
24	labels:
25	traefik.enable: "true"
26	traefik.frontend.rule: "Host:${PEERTUBE_WEBSERVER_HOSTNAME}"
27	traefik.port: "80"


diff --git a/support/docker/production/docker-compose.yml b/support/docker/production/docker-compose.yml index bce9426d2..4ad1a8756 100644 --- a/support/docker/production/docker-compose.yml +++ b/support/docker/production/docker-compose.yml
@@ -2,19 +2,18 @@ version: "3.3"
2		2
3	services:	3	services:
4		4
5	# The webserver is not required, but recommended since a lot of optimizations went to its	5	# You can comment this webserver section if you want to use another webserver/proxy
6	# nginx configuration file. It runs the default nginx configuration without HTTPS nor SSL,
7	# so use it in production in tandem with an SSL-terminating reverse-proxy.
8	webserver:	6	webserver:
9	image: chocobozzz/peertube:webserver	7	image: chocobozzz/peertube-webserver:latest
10	build:	8	# If you don't want to use the official image and build one from sources:
11	context: .	9	# build:
12	dockerfile: Dockerfile.nginx	10	# context: .
		11	# dockerfile: Dockerfile.nginx
13	env_file:	12	env_file:
14	- .env	13	- .env
15	# If you provide your own reverse-proxy, otherwise not suitable for production:	14	ports:
16	#ports:	15	- "80:80"
17	# - "9000:80" # serving HTTP	16	- "443:443"
18	volumes:	17	volumes:
19	- type: bind	18	- type: bind
20	# Switch sources if you downloaded the whole repository	19	# Switch sources if you downloaded the whole repository
@@ -23,15 +22,29 @@ services:
23	target: /etc/nginx/conf.d/peertube.template	22	target: /etc/nginx/conf.d/peertube.template
24	- assets:/var/www/peertube/peertube-latest/client/dist:ro	23	- assets:/var/www/peertube/peertube-latest/client/dist:ro
25	- ./docker-volume/data:/var/www/peertube/storage	24	- ./docker-volume/data:/var/www/peertube/storage
		25	- certbot-www:/var/www/certbot
		26	- ./docker-volume/certbot/conf:/etc/letsencrypt
26	depends_on:	27	depends_on:
27	- peertube	28	- peertube
28	restart: "always"	29	restart: "always"
29		30
		31	# You can comment this certbot section if you want to use another webserver/proxy
		32	certbot:
		33	container_name: certbot
		34	image: certbot/certbot
		35	volumes:
		36	- ./docker-volume/certbot/conf:/etc/letsencrypt
		37	- certbot-www:/var/www/certbot
		38	restart: unless-stopped
		39	entrypoint: /bin/sh -c "trap exit TERM; while :; do certbot renew --webroot -w /var/www/certbot; sleep 12h & wait $${!}; done;"
		40	depends_on:
		41	- webserver
		42
30	peertube:	43	peertube:
31	# If you don't want to use the official image and build one from sources:	44	# If you don't want to use the official image and build one from sources:
32	#build:	45	# build:
33	# context: .	46	# context: .
34	# dockerfile: ./support/docker/production/Dockerfile.buster	47	# dockerfile: ./support/docker/production/Dockerfile.buster
35	image: chocobozzz/peertube:production-buster	48	image: chocobozzz/peertube:production-buster
36	env_file:	49	env_file:
37	- .env	50	- .env
@@ -79,3 +92,4 @@ networks:
79		92
80	volumes:	93	volumes:
81	assets:	94	assets:
		95	certbot-www:


diff --git a/support/docker/production/entrypoint.nginx.sh b/support/docker/production/entrypoint.nginx.sh index 670ce84a3..ad26aa0e2 100644 --- a/support/docker/production/entrypoint.nginx.sh +++ b/support/docker/production/entrypoint.nginx.sh
@@ -4,12 +4,14 @@ set -e
4	# Process the nginx template	4	# Process the nginx template
5	SOURCE_FILE="/etc/nginx/conf.d/peertube.template"	5	SOURCE_FILE="/etc/nginx/conf.d/peertube.template"
6	TARGET_FILE="/etc/nginx/conf.d/default.conf"	6	TARGET_FILE="/etc/nginx/conf.d/default.conf"
7	export WEBSERVER_HOST="default_server"	7	export WEBSERVER_HOST="$PEERTUBE_WEBSERVER_HOSTNAME"
8	export PEERTUBE_HOST="peertube:9000"	8	export PEERTUBE_HOST="peertube:9000"
9		9
10	envsubst '${WEBSERVER_HOST} ${PEERTUBE_HOST}' < $SOURCE_FILE > $TARGET_FILE	10	envsubst '${WEBSERVER_HOST} ${PEERTUBE_HOST}' < $SOURCE_FILE > $TARGET_FILE
11		11
12	# Remove HTTPS/SSL from nginx conf since this image is meant as a webserver _behind_ a reverse-proxy doing TLS termination itself	12	while :; do
13	sed -i 's/443 ssl http2/80/g;/ssl_/d' $TARGET_FILE	13	sleep 12h & wait $!;
		14	nginx -s reload;
		15	done &
14		16
15	nginx -g "daemon off;" \ No newline at end of file	17	nginx -g 'daemon off;'


diff --git a/support/nginx/peertube b/support/nginx/peertube index 641d254af..31a690e29 100644 --- a/support/nginx/peertube +++ b/support/nginx/peertube
@@ -4,18 +4,17 @@
4	# OPTIONAL HTTP MODULES: Gzip, Headers, HTTP/2, Log, Real IP, SSL, Thread Pool, Upstream.	4	# OPTIONAL HTTP MODULES: Gzip, Headers, HTTP/2, Log, Real IP, SSL, Thread Pool, Upstream.
5	# THIRD PARTY MODULES: None.	5	# THIRD PARTY MODULES: None.
6		6
7	# Uncomment in production to redirect HTTP to HTTPS. Leave commented for docker-compose.	7	server {
8	#server {	8	listen 80;
9	# listen 80;	9	listen [::]:80;
10	# listen [::]:80;	10	server_name ${WEBSERVER_HOST};
11	# server_name ${WEBSERVER_HOST};	11
12	#	12	location /.well-known/acme-challenge/ {
13	# location /.well-known/acme-challenge/ {	13	default_type "text/plain";
14	# default_type "text/plain";	14	root /var/www/certbot;
15	# root /var/www/certbot;	15	}
16	# }	16	location / { return 301 https://$host$request_uri; }
17	# location / { return 301 https://$host$request_uri; }	17	}
18	#}
19		18
20	upstream backend {	19	upstream backend {
21	server ${PEERTUBE_HOST};	20	server ${PEERTUBE_HOST};
@@ -33,8 +32,8 @@ server {
33	# Certificates	32	# Certificates
34	# you need a certificate to run in production. see https://letsencrypt.org/	33	# you need a certificate to run in production. see https://letsencrypt.org/
35	##	34	##
36	ssl_certificate /etc/letsencrypt/live/peertube/fullchain.pem;	35	ssl_certificate /etc/letsencrypt/live/${WEBSERVER_HOST}/fullchain.pem;
37	ssl_certificate_key /etc/letsencrypt/live/peertube/privkey.pem;	36	ssl_certificate_key /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem;
38		37
39	location ^~ '/.well-known/acme-challenge' {	38	location ^~ '/.well-known/acme-challenge' {
40	default_type "text/plain";	39	default_type "text/plain";