Diffstat (limited to 'support')
-rw-r--r--support/doc/docker.md27
-rw-r--r--support/docker/production/.env6
-rw-r--r--support/docker/production/Dockerfile.nginx4
-rw-r--r--support/docker/production/config/traefik.toml67
-rw-r--r--support/docker/production/docker-compose.traefik.yml27
-rw-r--r--support/docker/production/docker-compose.yml40
-rw-r--r--support/docker/production/entrypoint.nginx.sh10
-rw-r--r--support/nginx/peertube27
8 files changed, 71 insertions, 137 deletions
diff --git a/support/doc/docker.md b/support/doc/docker.md
index 6f61c38d0..36da94f55 100644
--- a/support/doc/docker.md
+++ b/support/doc/docker.md
@@ -56,14 +56,33 @@ Other environment variables are used in
56[/support/docker/production/config/custom-environment-variables.yaml](https://github.com/Chocobozzz/PeerTube/blob/develop/support/docker/production/config/custom-environment-variables.yaml) and can be 56[/support/docker/production/config/custom-environment-variables.yaml](https://github.com/Chocobozzz/PeerTube/blob/develop/support/docker/production/config/custom-environment-variables.yaml) and can be
57intuited from usage. 57intuited from usage.
58 58
59#### Testing local Docker setup 59#### Webserver
60 60
61To test locally your Docker setup, you must add your domain (`<MY DOMAIN>`) in `/etc/hosts`: 61*The docker compose file includes a configured web server. You can skip this part and comment the appropriate section in the docker compose if you use another webserver/proxy.*
62
63Install the template that the nginx container will use.
64The container will generate the configuration by replacing `${WEBSERVER_HOST}` and `${PEERTUBE_HOST}` using your docker compose env file.
65
66It will also generate a TLS certificate at startup and schedule a renew
67
68```shell
69mkdir -p docker-volume/nginx
70curl https://raw.githubusercontent.com/Chocobozzz/PeerTube/develop/support/nginx/peertube > docker-volume/nginx/peertube
62``` 71```
63127.0.0.1 localhost mydomain.tld 72
73You need to manually generate the first SSL/TLS certificate using Let's Encrypt:
74
75```shell
76mkdir -p docker-volume/certbot
77docker run -it --rm --name certbot -p 80:80 -v "$(pwd)/docker-volume/certbot/conf:/etc/letsencrypt" certbot/certbot certonly --standalone
64``` 78```
65 79
66#### You can use the regular `up` command to set it up 80The docker-compose will automatically renew this certificate and reload nginx.
81
82
83#### Test your setup
84
85Run your containers:
67 86
68```shell 87```shell
69docker-compose up 88docker-compose up
diff --git a/support/docker/production/.env b/support/docker/production/.env
index 86356d5a3..3e19c3817 100644
--- a/support/docker/production/.env
+++ b/support/docker/production/.env
@@ -41,12 +41,6 @@ OPENDKIM_DOMAINS=<MY DOMAIN>=peertube
41# see https://github.com/wader/postfix-relay/pull/18 41# see https://github.com/wader/postfix-relay/pull/18
42OPENDKIM_RequireSafeKeys=no 42OPENDKIM_RequireSafeKeys=no
43 43
44# Let's Encrypt service configuration
45TRAEFIK_ACME_EMAIL=<MY EMAIL ADDRESS>
46# If you need to obtain ACME certificates for more than one DOMAIN
47# pass them as a comma separated string
48TRAEFIK_ACME_DOMAINS=<MY DOMAIN>
49
50# /!\ Prefer to use the PeerTube admin interface to set the following configurations /!\ 44# /!\ Prefer to use the PeerTube admin interface to set the following configurations /!\
51#PEERTUBE_SIGNUP_ENABLED=true 45#PEERTUBE_SIGNUP_ENABLED=true
52#PEERTUBE_TRANSCODING_ENABLED=true 46#PEERTUBE_TRANSCODING_ENABLED=true
diff --git a/support/docker/production/Dockerfile.nginx b/support/docker/production/Dockerfile.nginx
index 36ae3c3bc..1d685eee6 100644
--- a/support/docker/production/Dockerfile.nginx
+++ b/support/docker/production/Dockerfile.nginx
@@ -3,6 +3,6 @@ FROM nginx:alpine
3COPY entrypoint.nginx.sh . 3COPY entrypoint.nginx.sh .
4RUN chmod +x entrypoint.nginx.sh 4RUN chmod +x entrypoint.nginx.sh
5 5
6EXPOSE 80 6EXPOSE 80 443
7ENTRYPOINT [] 7ENTRYPOINT []
8CMD ["/bin/sh", "entrypoint.nginx.sh"] \ No newline at end of file 8CMD ["/bin/sh", "entrypoint.nginx.sh"]
diff --git a/support/docker/production/config/traefik.toml b/support/docker/production/config/traefik.toml
deleted file mode 100644
index c0a7cf840..000000000
--- a/support/docker/production/config/traefik.toml
+++ /dev/null
@@ -1,67 +0,0 @@
1# Uncomment this line in order to enable debugging through logs
2# debug = true
3defaultEntryPoints = ["http", "https"]
4
5[entryPoints]
6 [entryPoints.http]
7 address = ":80"
8 [entryPoints.http.redirect]
9 entryPoint = "https"
10 [entryPoints.https]
11 address = ":443"
12 [entryPoints.https.tls]
13 MinVersion = "VersionTLS12"
14 CurvePreferences = [
15 "CurveP521",
16 "CurveP384",
17 "CurveP256"
18 ]
19 PreferServerCipherSuites = true
20 CipherSuites = [
21 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
22 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
23 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
24 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
25 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
26 "TLS_RSA_WITH_AES_256_GCM_SHA384",
27 "TLS_RSA_WITH_AES_256_CBC_SHA"
28 ]
29 FrameDeny = false # here we don't want to deny frames since we have an embed
30 STSIncludeSubdomains = true
31 STSSeconds = 315360000
32 STSPreload = true
33 ContentTypeNosniff = true
34 BrowserXssFilter = true
35
36
37# Enable ACME (Let's Encrypt): automatic SSL.
38[acme]
39
40# File or key used for certificates storage.
41#
42# Required
43#
44storage = "/etc/acme.json"
45# or `storage = "traefik/acme/account"` if using KV store.
46
47# Entrypoint to proxy acme apply certificates to.
48# WARNING, if the TLS-SNI-01 challenge is used, it must point to an entrypoint on port 443
49#
50# Required
51#
52entryPoint = "https"
53
54# Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge
55#
56# Optional but recommend
57#
58[acme.httpChallenge]
59
60 # EntryPoint to use for the challenges.
61 #
62 # Required
63 #
64 entryPoint = "http"
65
66[docker]
67 exposedByDefault = false \ No newline at end of file
diff --git a/support/docker/production/docker-compose.traefik.yml b/support/docker/production/docker-compose.traefik.yml
deleted file mode 100644
index bbea75783..000000000
--- a/support/docker/production/docker-compose.traefik.yml
+++ /dev/null
@@ -1,27 +0,0 @@
1version: "3.3"
2
3services:
4
5 # The reverse-proxy only does SSL termination and automatic certificate generation. You can
6 # replace it with any other reverse-proxy, in which case you can remove 'traefik.*' labels.
7 reverse-proxy:
8 image: traefik:v1.7
9 network_mode: "host"
10 command:
11 - "--docker" # Tells Træfik to listen to docker
12 - "--acme.email=${TRAEFIK_ACME_EMAIL}" # Let's Encrypt ACME email
13 - "--acme.domains=${TRAEFIK_ACME_DOMAINS}" # Let's Encrypt ACME domain list
14 ports:
15 - "80:80" # serving HTTP
16 - "443:443" # serving HTTPS
17 volumes:
18 - /var/run/docker.sock:/var/run/docker.sock # So that Træfik can listen to the Docker events
19 - ./docker-volume/traefik/acme.json:/etc/acme.json
20 - ./docker-volume/traefik/traefik.toml:/traefik.toml
21 restart: "always"
22
23 webserver:
24 labels:
25 traefik.enable: "true"
26 traefik.frontend.rule: "Host:${PEERTUBE_WEBSERVER_HOSTNAME}"
27 traefik.port: "80"
diff --git a/support/docker/production/docker-compose.yml b/support/docker/production/docker-compose.yml
index bce9426d2..4ad1a8756 100644
--- a/support/docker/production/docker-compose.yml
+++ b/support/docker/production/docker-compose.yml
@@ -2,19 +2,18 @@ version: "3.3"
2 2
3services: 3services:
4 4
5 # The webserver is not required, but recommended since a lot of optimizations went to its 5 # You can comment this webserver section if you want to use another webserver/proxy
6 # nginx configuration file. It runs the default nginx configuration without HTTPS nor SSL,
7 # so use it in production in tandem with an SSL-terminating reverse-proxy.
8 webserver: 6 webserver:
9 image: chocobozzz/peertube:webserver 7 image: chocobozzz/peertube-webserver:latest
10 build: 8 # If you don't want to use the official image and build one from sources:
11 context: . 9 # build:
12 dockerfile: Dockerfile.nginx 10 # context: .
11 # dockerfile: Dockerfile.nginx
13 env_file: 12 env_file:
14 - .env 13 - .env
15 # If you provide your own reverse-proxy, otherwise not suitable for production: 14 ports:
16 #ports: 15 - "80:80"
17 # - "9000:80" # serving HTTP 16 - "443:443"
18 volumes: 17 volumes:
19 - type: bind 18 - type: bind
20 # Switch sources if you downloaded the whole repository 19 # Switch sources if you downloaded the whole repository
@@ -23,15 +22,29 @@ services:
23 target: /etc/nginx/conf.d/peertube.template 22 target: /etc/nginx/conf.d/peertube.template
24 - assets:/var/www/peertube/peertube-latest/client/dist:ro 23 - assets:/var/www/peertube/peertube-latest/client/dist:ro
25 - ./docker-volume/data:/var/www/peertube/storage 24 - ./docker-volume/data:/var/www/peertube/storage
25 - certbot-www:/var/www/certbot
26 - ./docker-volume/certbot/conf:/etc/letsencrypt
26 depends_on: 27 depends_on:
27 - peertube 28 - peertube
28 restart: "always" 29 restart: "always"
29 30
31 # You can comment this certbot section if you want to use another webserver/proxy
32 certbot:
33 container_name: certbot
34 image: certbot/certbot
35 volumes:
36 - ./docker-volume/certbot/conf:/etc/letsencrypt
37 - certbot-www:/var/www/certbot
38 restart: unless-stopped
39 entrypoint: /bin/sh -c "trap exit TERM; while :; do certbot renew --webroot -w /var/www/certbot; sleep 12h & wait $${!}; done;"
40 depends_on:
41 - webserver
42
30 peertube: 43 peertube:
31 # If you don't want to use the official image and build one from sources: 44 # If you don't want to use the official image and build one from sources:
32 #build: 45 # build:
33 # context: . 46 # context: .
34 # dockerfile: ./support/docker/production/Dockerfile.buster 47 # dockerfile: ./support/docker/production/Dockerfile.buster
35 image: chocobozzz/peertube:production-buster 48 image: chocobozzz/peertube:production-buster
36 env_file: 49 env_file:
37 - .env 50 - .env
@@ -79,3 +92,4 @@ networks:
79 92
80volumes: 93volumes:
81 assets: 94 assets:
95 certbot-www:
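Review bot: The webserver service now mounts `./docker-volume/certbot/conf:/etc/letsencrypt` read-write (second hunk, the line added after the data volume), although nginx only reads the certificate and key there and only the certbot service writes. Mounting it read-only on the webserver side, `- ./docker-volume/certbot/conf:/etc/letsencrypt:ro`, keeps a misconfigured or compromised nginx container from touching the ACME account and private-key material, and `- certbot-www:/var/www/certbot:ro` does the same for the challenge directory, which nginx only serves. Separately, the certbot entrypoint runs `certbot renew` on its own 12h timer while nginx reloads on an independent 12h loop in entrypoint.nginx.sh, so a renewed certificate can sit unused for up to 12h; a comment on the `entrypoint:` line saying the reload is not triggered by renewal would stop the next reader from assuming otherwise.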
diff --git a/support/docker/production/entrypoint.nginx.sh b/support/docker/production/entrypoint.nginx.sh
index 670ce84a3..ad26aa0e2 100644
--- a/support/docker/production/entrypoint.nginx.sh
+++ b/support/docker/production/entrypoint.nginx.sh
@@ -4,12 +4,14 @@ set -e
4# Process the nginx template 4# Process the nginx template
5SOURCE_FILE="/etc/nginx/conf.d/peertube.template" 5SOURCE_FILE="/etc/nginx/conf.d/peertube.template"
6TARGET_FILE="/etc/nginx/conf.d/default.conf" 6TARGET_FILE="/etc/nginx/conf.d/default.conf"
7export WEBSERVER_HOST="default_server" 7export WEBSERVER_HOST="$PEERTUBE_WEBSERVER_HOSTNAME"
8export PEERTUBE_HOST="peertube:9000" 8export PEERTUBE_HOST="peertube:9000"
9 9
10envsubst '${WEBSERVER_HOST} ${PEERTUBE_HOST}' < $SOURCE_FILE > $TARGET_FILE 10envsubst '${WEBSERVER_HOST} ${PEERTUBE_HOST}' < $SOURCE_FILE > $TARGET_FILE
11 11
12# Remove HTTPS/SSL from nginx conf since this image is meant as a webserver _behind_ a reverse-proxy doing TLS termination itself 12while :; do
13sed -i 's/443 ssl http2/80/g;/ssl_/d' $TARGET_FILE 13 sleep 12h & wait $!;
14 nginx -s reload;
15done &
14 16
15nginx -g "daemon off;" \ No newline at end of file 17nginx -g 'daemon off;'
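Review bot: `export WEBSERVER_HOST="$PEERTUBE_WEBSERVER_HOSTNAME"` (line 7) silently exports an empty string when that variable is missing from the env file, and envsubst then renders the template as `server_name ;` and `ssl_certificate /etc/letsencrypt/live//fullchain.pem`, so nginx fails at startup with an error that does not name the real cause. A guard before the export, `: "${PEERTUBE_WEBSERVER_HOSTNAME:?must be set in the docker compose env file}"`, fails fast under the file's `set -e` with a message that points at the missing setting. The `sleep 12h` loop reloads nginx on a fixed schedule that is not tied to the certbot container's renewal, so a fresh certificate may wait up to 12h before it is served; a comment on the `while :; do` line stating that would make the intent clear.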
diff --git a/support/nginx/peertube b/support/nginx/peertube
index 641d254af..31a690e29 100644
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -4,18 +4,17 @@
4# OPTIONAL HTTP MODULES: Gzip, Headers, HTTP/2, Log, Real IP, SSL, Thread Pool, Upstream. 4# OPTIONAL HTTP MODULES: Gzip, Headers, HTTP/2, Log, Real IP, SSL, Thread Pool, Upstream.
5# THIRD PARTY MODULES: None. 5# THIRD PARTY MODULES: None.
6 6
7# Uncomment in production to redirect HTTP to HTTPS. Leave commented for docker-compose. 7server {
8#server { 8 listen 80;
9# listen 80; 9 listen [::]:80;
10# listen [::]:80; 10 server_name ${WEBSERVER_HOST};
11# server_name ${WEBSERVER_HOST}; 11
12# 12 location /.well-known/acme-challenge/ {
13# location /.well-known/acme-challenge/ { 13 default_type "text/plain";
14# default_type "text/plain"; 14 root /var/www/certbot;
15# root /var/www/certbot; 15 }
16# } 16 location / { return 301 https://$host$request_uri; }
17# location / { return 301 https://$host$request_uri; } 17}
18#}
19 18
20upstream backend { 19upstream backend {
21 server ${PEERTUBE_HOST}; 20 server ${PEERTUBE_HOST};
@@ -33,8 +32,8 @@ server {
33 # Certificates 32 # Certificates
34 # you need a certificate to run in production. see https://letsencrypt.org/ 33 # you need a certificate to run in production. see https://letsencrypt.org/
35 ## 34 ##
36 ssl_certificate /etc/letsencrypt/live/peertube/fullchain.pem; 35 ssl_certificate /etc/letsencrypt/live/${WEBSERVER_HOST}/fullchain.pem;
37 ssl_certificate_key /etc/letsencrypt/live/peertube/privkey.pem; 36 ssl_certificate_key /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem;
38 37
39 location ^~ '/.well-known/acme-challenge' { 38 location ^~ '/.well-known/acme-challenge' {
40 default_type "text/plain"; 39 default_type "text/plain";
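Review bot: In the new port-80 server block (first hunk), `location / { return 301 https://$host$request_uri; }` copies the request's Host header into the Location header, and because this is the only server listening on port 80 it is also nginx's default for that port, so a request carrying an arbitrary Host value is redirected to that arbitrary host. Redirecting to the configured name instead, `location / { return 301 https://$server_name$request_uri; }`, pins the target to the same value already given to `server_name` without reflecting client input. The certificate paths in the second hunk assume the certbot lineage directory is named exactly `${WEBSERVER_HOST}`, which by default holds only when the first domain passed to the documented `certonly` command equals PEERTUBE_WEBSERVER_HOSTNAME; a comment on the `ssl_certificate` line stating that assumption would help anyone requesting a multi-domain certificate.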