7 files changed, 63 insertions, 34 deletions

diff --git a/support/docker/production/.env b/support/docker/production/.env
index 8af161b2a..802d6b2ca 100644
--- a/support/docker/production/.env
+++ b/support/docker/production/.env
@@ -3,10 +3,13 @@ PEERTUBE_DB_PASSWORD=postgres_password
 PEERTUBE_WEBSERVER_HOSTNAME=domain.tld
 PEERTUBE_WEBSERVER_PORT=443
 PEERTUBE_WEBSERVER_HTTPS=true
-PEERTUBE_TRUST_PROXY=127.0.0.1
+# If you need more than one IP as trust_proxy
+# pass them as a comma separated array:
+PEERTUBE_TRUST_PROXY=["127.0.0.1"]
+#PEERTUBE_TRUST_PROXY=["127.0.0.1", "loopback", "192.168.1.0/24"]
 PEERTUBE_SMTP_USERNAME=
 PEERTUBE_SMTP_PASSWORD=
-PEERTUBE_SMTP_HOSTNAME=
+PEERTUBE_SMTP_HOSTNAME=postfix
 PEERTUBE_SMTP_PORT=25
 PEERTUBE_SMTP_FROM=noreply@domain.tld
 PEERTUBE_SMTP_TLS=true
@@ -15,3 +18,4 @@ PEERTUBE_ADMIN_EMAIL=admin@domain.tld
 # /!\ Prefer to use the PeerTube admin interface to set the following configurations /!\
 #PEERTUBE_SIGNUP_ENABLED=true
 #PEERTUBE_TRANSCODING_ENABLED=true
+#PEERTUBE_CONTACT_FORM_ENABLED=true
diff --git a/support/docker/production/Dockerfile.stretch b/support/docker/production/Dockerfile.stretch
index 911d064f6..81468bb4f 100644
--- a/support/docker/production/Dockerfile.stretch
+++ b/support/docker/production/Dockerfile.stretch
@@ -20,32 +20,11 @@ RUN groupadd -r peertube \
     && useradd -r -g peertube -m peertube
 
 # grab gosu for easy step-down from root
-# https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.10
-RUN set -ex; \
-    \
-    fetchDeps='ca-certificates wget'; \
-    apt-get update; \
-    apt-get install -y --no-install-recommends $fetchDeps; \
-    rm -rf /var/lib/apt/lists/*; \
-    \
-    dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
-    wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
-    wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
-    export GNUPGHOME="$(mktemp -d)"; \
-    for server in $(shuf -e ha.pool.sks-keyservers.net \
-                            hkp://p80.pool.sks-keyservers.net:80 \
-                            keyserver.ubuntu.com \
-                            hkp://keyserver.ubuntu.com:80 \
-                            pgp.mit.edu) ; do \
-        gpg --keyserver "$server" --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \
-    done; \
-    gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
-    rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
-    chmod +x /usr/local/bin/gosu; \
-    gosu nobody true; \
-    \
-    apt-get purge -y --auto-remove wget
+RUN set -eux; \
+        apt-get update; \
+        apt-get install -y gosu; \
+        rm -rf /var/lib/apt/lists/*; \
+        gosu nobody true
 
 # Install PeerTube
 WORKDIR /app
diff --git a/support/docker/production/config/custom-environment-variables.yaml b/support/docker/production/config/custom-environment-variables.yaml
index daf885813..8604939aa 100644
--- a/support/docker/production/config/custom-environment-variables.yaml
+++ b/support/docker/production/config/custom-environment-variables.yaml
@@ -7,7 +7,9 @@ webserver:
     __name: "PEERTUBE_WEBSERVER_HTTPS"
     __format: "json"
 
-trust_proxy: "PEERTUBE_TRUST_PROXY"
+trust_proxy:
+  __name: "PEERTUBE_TRUST_PROXY"
+  __format: "json"
 
 database:
   hostname: "PEERTUBE_DB_HOSTNAME"
@@ -48,6 +50,11 @@ user:
 admin:
   email: "PEERTUBE_ADMIN_EMAIL"
 
+contact_form:
+  enabled:
+    __name: "PEERTUBE_CONTACT_FORM_ENABLED"
+    __format: "json"
+
 signup:
   enabled:
     __name: "PEERTUBE_SIGNUP_ENABLED"
@@ -56,6 +63,26 @@ signup:
     __name: "PEERTUBE_SIGNUP_LIMIT"
     __format: "json"
 
+search:
+  remote_uri:
+    users:
+      __name: "PEERTUBE_SEARCH_REMOTEURI_USERS"
+      __format: "json"
+    anonymous:
+      __name: "PEERTUBE_SEARCH_REMOTEURI_ANONYMOUS"
+      __format: "json"
+
+import:
+  videos:
+    http:
+      enabled:
+        __name: "PEERTUBE_IMPORT_VIDEOS_HTTP"
+        __format: "json"
+    torrent:
+      enabled:
+        __name: "PEERTUBE_IMPORT_VIDEOS_TORRENT"
+        __format: "json"
+
 transcoding:
   enabled:
     __name: "PEERTUBE_TRANSCODING_ENABLED"
@@ -79,9 +106,11 @@ transcoding:
     1080:
       __name: "PEERTUBE_TRANSCODING_1080P"
       __format: "json"
-    
 
 instance:
   name: "PEERTUBE_INSTANCE_NAME"
   description: "PEERTUBE_INSTANCE_DESCRIPTION"
   terms: "PEERTUBE_INSTANCE_TERMS"
+
+services:
+  csp-logger: "PEERTUBE_SERVICES_CSPLOGGER"
diff --git a/support/docker/production/config/production.yaml b/support/docker/production/config/production.yaml
index 4970bbcca..846c838e8 100644
--- a/support/docker/production/config/production.yaml
+++ b/support/docker/production/config/production.yaml
@@ -32,8 +32,10 @@ redis:
 
 # From the project root directory
 storage:
+  tmp: '../data/tmp/'
   avatars: '../data/avatars/'
   videos: '../data/videos/'
+  redundancy: '../data/redundancy/'
   logs: '../data/logs/'
   previews: '../data/previews/'
   thumbnails: '../data/thumbnails/'
diff --git a/support/docker/production/config/traefik.toml b/support/docker/production/config/traefik.toml
index 882c95548..6abced3db 100644
--- a/support/docker/production/config/traefik.toml
+++ b/support/docker/production/config/traefik.toml
@@ -1,9 +1,12 @@
 # Uncomment this line in order to enable debugging through logs
 # debug = true
 defaultEntryPoints = ["http", "https"]
+
 [entryPoints]
   [entryPoints.http]
   address = ":80"
+    [entryPoints.http.redirect]
+    entryPoint = "https"
   [entryPoints.https]
   address = ":443"
     [entryPoints.https.tls]
diff --git a/support/docker/production/docker-compose.yml b/support/docker/production/docker-compose.yml
index 220c19fba..1b0a28ffb 100644
--- a/support/docker/production/docker-compose.yml
+++ b/support/docker/production/docker-compose.yml
@@ -4,16 +4,19 @@ services:
 
   reverse-proxy:
     image: traefik
-    command: --api --docker # Enables the web UI and tells Træfik to listen to docker
+    command: --docker # Tells Træfik to listen to docker
     ports:
       - "80:80"     # The HTTP port
       - "443:443"   # The HTTPS port
-      - "8080:8080" # The Web UI (enabled by --api)
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
       - ./docker-volume/traefik/acme.json:/etc/acme.json
       - ./docker-volume/traefik/traefik.toml:/traefik.toml
     restart: "always"
+    # If you want to use the Traefik dashboard, you should expose it on a 
+    # subdomain with HTTPS and authentification:
+    # https://medium.com/@xavier.priour/secure-traefik-dashboard-with-https-and-password-in-docker-5b657e2aa15f
+    # https://github.com/containous/traefik/issues/880#issuecomment-310301168
 
   peertube:
     # If you don't want to use the official image and build one from sources
@@ -38,6 +41,7 @@ services:
     depends_on:
       - postgres
       - redis
+      - postfix
     restart: "always"
 
   postgres:
@@ -59,3 +63,11 @@ services:
     restart: "always"
     labels:
       traefik.enable: "false"
+
+  postfix:
+    image: mwader/postfix-relay
+    environment:
+      - POSTFIX_myhostname=${PEERTUBE_WEBSERVER_HOSTNAME}
+    labels:
+      traefik.enable: "false"
+    restart: "always"
diff --git a/support/docker/production/docker-entrypoint.sh b/support/docker/production/docker-entrypoint.sh
index 6dbbfddf6..7dd626b9f 100755
--- a/support/docker/production/docker-entrypoint.sh
+++ b/support/docker/production/docker-entrypoint.sh
@@ -9,7 +9,7 @@ fi
 # Always copy default and custom env configuration file, in cases where new keys were added
 cp /app/config/default.yaml /config
 cp /app/support/docker/production/config/custom-environment-variables.yaml /config
-chown -R peertube:peertube /config
+find /config ! -user peertube -exec chown peertube:peertube {} \;
 
 # first arg is `-f` or `--some-option`
 # or first arg is `something.conf`
@@ -19,7 +19,7 @@ fi
 
 # allow the container to be started with `--user`
 if [ "$1" = 'npm' -a "$(id -u)" = '0' ]; then
-    chown -R peertube:peertube /data
+    find /data ! -user peertube -exec  chown peertube:peertube {} \;
     exec gosu peertube "$0" "$@"
 fi