diff options
Diffstat (limited to 'support')
-rw-r--r-- | support/doc/docker.md | 27 | ||||
-rw-r--r-- | support/docker/production/.env | 6 | ||||
-rw-r--r-- | support/docker/production/Dockerfile.nginx | 4 | ||||
-rw-r--r-- | support/docker/production/config/traefik.toml | 67 | ||||
-rw-r--r-- | support/docker/production/docker-compose.traefik.yml | 27 | ||||
-rw-r--r-- | support/docker/production/docker-compose.yml | 40 | ||||
-rw-r--r-- | support/docker/production/entrypoint.nginx.sh | 10 | ||||
-rw-r--r-- | support/nginx/peertube | 27 |
8 files changed, 71 insertions, 137 deletions
diff --git a/support/doc/docker.md b/support/doc/docker.md index 6f61c38d0..36da94f55 100644 --- a/support/doc/docker.md +++ b/support/doc/docker.md | |||
@@ -56,14 +56,33 @@ Other environment variables are used in | |||
56 | [/support/docker/production/config/custom-environment-variables.yaml](https://github.com/Chocobozzz/PeerTube/blob/develop/support/docker/production/config/custom-environment-variables.yaml) and can be | 56 | [/support/docker/production/config/custom-environment-variables.yaml](https://github.com/Chocobozzz/PeerTube/blob/develop/support/docker/production/config/custom-environment-variables.yaml) and can be |
57 | intuited from usage. | 57 | intuited from usage. |
58 | 58 | ||
59 | #### Testing local Docker setup | 59 | #### Webserver |
60 | 60 | ||
61 | To test locally your Docker setup, you must add your domain (`<MY DOMAIN>`) in `/etc/hosts`: | 61 | *The docker compose file includes a configured web server. You can skip this part and comment the appropriate section in the docker compose if you use another webserver/proxy.* |
62 | |||
63 | Install the template that the nginx container will use. | ||
64 | The container will generate the configuration by replacing `${WEBSERVER_HOST}` and `${PEERTUBE_HOST}` using your docker compose env file. | ||
65 | |||
66 | It will also generate a TLS certificate at startup and schedule a renew | ||
67 | |||
68 | ```shell | ||
69 | mkdir -p docker-volume/nginx | ||
70 | curl https://raw.githubusercontent.com/Chocobozzz/PeerTube/develop/support/nginx/peertube > docker-volume/nginx/peertube | ||
62 | ``` | 71 | ``` |
63 | 127.0.0.1 localhost mydomain.tld | 72 | |
73 | You need to manually generate the first SSL/TLS certificate using Let's Encrypt: | ||
74 | |||
75 | ```shell | ||
76 | mkdir -p docker-volume/certbot | ||
77 | docker run -it --rm --name certbot -p 80:80 -v "$(pwd)/docker-volume/certbot/conf:/etc/letsencrypt" certbot/certbot certonly --standalone | ||
64 | ``` | 78 | ``` |
65 | 79 | ||
66 | #### You can use the regular `up` command to set it up | 80 | The docker-compose will automatically renew this certificate and reload nginx. |
81 | |||
82 | |||
83 | #### Test your setup | ||
84 | |||
85 | Run your containers: | ||
67 | 86 | ||
68 | ```shell | 87 | ```shell |
69 | docker-compose up | 88 | docker-compose up |
diff --git a/support/docker/production/.env b/support/docker/production/.env index 86356d5a3..3e19c3817 100644 --- a/support/docker/production/.env +++ b/support/docker/production/.env | |||
@@ -41,12 +41,6 @@ OPENDKIM_DOMAINS=<MY DOMAIN>=peertube | |||
41 | # see https://github.com/wader/postfix-relay/pull/18 | 41 | # see https://github.com/wader/postfix-relay/pull/18 |
42 | OPENDKIM_RequireSafeKeys=no | 42 | OPENDKIM_RequireSafeKeys=no |
43 | 43 | ||
44 | # Let's Encrypt service configuration | ||
45 | TRAEFIK_ACME_EMAIL=<MY EMAIL ADDRESS> | ||
46 | # If you need to obtain ACME certificates for more than one DOMAIN | ||
47 | # pass them as a comma separated string | ||
48 | TRAEFIK_ACME_DOMAINS=<MY DOMAIN> | ||
49 | |||
50 | # /!\ Prefer to use the PeerTube admin interface to set the following configurations /!\ | 44 | # /!\ Prefer to use the PeerTube admin interface to set the following configurations /!\ |
51 | #PEERTUBE_SIGNUP_ENABLED=true | 45 | #PEERTUBE_SIGNUP_ENABLED=true |
52 | #PEERTUBE_TRANSCODING_ENABLED=true | 46 | #PEERTUBE_TRANSCODING_ENABLED=true |
diff --git a/support/docker/production/Dockerfile.nginx b/support/docker/production/Dockerfile.nginx index 36ae3c3bc..1d685eee6 100644 --- a/support/docker/production/Dockerfile.nginx +++ b/support/docker/production/Dockerfile.nginx | |||
@@ -3,6 +3,6 @@ FROM nginx:alpine | |||
3 | COPY entrypoint.nginx.sh . | 3 | COPY entrypoint.nginx.sh . |
4 | RUN chmod +x entrypoint.nginx.sh | 4 | RUN chmod +x entrypoint.nginx.sh |
5 | 5 | ||
6 | EXPOSE 80 | 6 | EXPOSE 80 443 |
7 | ENTRYPOINT [] | 7 | ENTRYPOINT [] |
8 | CMD ["/bin/sh", "entrypoint.nginx.sh"] \ No newline at end of file | 8 | CMD ["/bin/sh", "entrypoint.nginx.sh"] |
diff --git a/support/docker/production/config/traefik.toml b/support/docker/production/config/traefik.toml deleted file mode 100644 index c0a7cf840..000000000 --- a/support/docker/production/config/traefik.toml +++ /dev/null | |||
@@ -1,67 +0,0 @@ | |||
1 | # Uncomment this line in order to enable debugging through logs | ||
2 | # debug = true | ||
3 | defaultEntryPoints = ["http", "https"] | ||
4 | |||
5 | [entryPoints] | ||
6 | [entryPoints.http] | ||
7 | address = ":80" | ||
8 | [entryPoints.http.redirect] | ||
9 | entryPoint = "https" | ||
10 | [entryPoints.https] | ||
11 | address = ":443" | ||
12 | [entryPoints.https.tls] | ||
13 | MinVersion = "VersionTLS12" | ||
14 | CurvePreferences = [ | ||
15 | "CurveP521", | ||
16 | "CurveP384", | ||
17 | "CurveP256" | ||
18 | ] | ||
19 | PreferServerCipherSuites = true | ||
20 | CipherSuites = [ | ||
21 | "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", | ||
22 | "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", | ||
23 | "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", | ||
24 | "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", | ||
25 | "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", | ||
26 | "TLS_RSA_WITH_AES_256_GCM_SHA384", | ||
27 | "TLS_RSA_WITH_AES_256_CBC_SHA" | ||
28 | ] | ||
29 | FrameDeny = false # here we don't want to deny frames since we have an embed | ||
30 | STSIncludeSubdomains = true | ||
31 | STSSeconds = 315360000 | ||
32 | STSPreload = true | ||
33 | ContentTypeNosniff = true | ||
34 | BrowserXssFilter = true | ||
35 | |||
36 | |||
37 | # Enable ACME (Let's Encrypt): automatic SSL. | ||
38 | [acme] | ||
39 | |||
40 | # File or key used for certificates storage. | ||
41 | # | ||
42 | # Required | ||
43 | # | ||
44 | storage = "/etc/acme.json" | ||
45 | # or `storage = "traefik/acme/account"` if using KV store. | ||
46 | |||
47 | # Entrypoint to proxy acme apply certificates to. | ||
48 | # WARNING, if the TLS-SNI-01 challenge is used, it must point to an entrypoint on port 443 | ||
49 | # | ||
50 | # Required | ||
51 | # | ||
52 | entryPoint = "https" | ||
53 | |||
54 | # Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge | ||
55 | # | ||
56 | # Optional but recommend | ||
57 | # | ||
58 | [acme.httpChallenge] | ||
59 | |||
60 | # EntryPoint to use for the challenges. | ||
61 | # | ||
62 | # Required | ||
63 | # | ||
64 | entryPoint = "http" | ||
65 | |||
66 | [docker] | ||
67 | exposedByDefault = false \ No newline at end of file | ||
diff --git a/support/docker/production/docker-compose.traefik.yml b/support/docker/production/docker-compose.traefik.yml deleted file mode 100644 index bbea75783..000000000 --- a/support/docker/production/docker-compose.traefik.yml +++ /dev/null | |||
@@ -1,27 +0,0 @@ | |||
1 | version: "3.3" | ||
2 | |||
3 | services: | ||
4 | |||
5 | # The reverse-proxy only does SSL termination and automatic certificate generation. You can | ||
6 | # replace it with any other reverse-proxy, in which case you can remove 'traefik.*' labels. | ||
7 | reverse-proxy: | ||
8 | image: traefik:v1.7 | ||
9 | network_mode: "host" | ||
10 | command: | ||
11 | - "--docker" # Tells Træfik to listen to docker | ||
12 | - "--acme.email=${TRAEFIK_ACME_EMAIL}" # Let's Encrypt ACME email | ||
13 | - "--acme.domains=${TRAEFIK_ACME_DOMAINS}" # Let's Encrypt ACME domain list | ||
14 | ports: | ||
15 | - "80:80" # serving HTTP | ||
16 | - "443:443" # serving HTTPS | ||
17 | volumes: | ||
18 | - /var/run/docker.sock:/var/run/docker.sock # So that Træfik can listen to the Docker events | ||
19 | - ./docker-volume/traefik/acme.json:/etc/acme.json | ||
20 | - ./docker-volume/traefik/traefik.toml:/traefik.toml | ||
21 | restart: "always" | ||
22 | |||
23 | webserver: | ||
24 | labels: | ||
25 | traefik.enable: "true" | ||
26 | traefik.frontend.rule: "Host:${PEERTUBE_WEBSERVER_HOSTNAME}" | ||
27 | traefik.port: "80" | ||
diff --git a/support/docker/production/docker-compose.yml b/support/docker/production/docker-compose.yml index bce9426d2..4ad1a8756 100644 --- a/support/docker/production/docker-compose.yml +++ b/support/docker/production/docker-compose.yml | |||
@@ -2,19 +2,18 @@ version: "3.3" | |||
2 | 2 | ||
3 | services: | 3 | services: |
4 | 4 | ||
5 | # The webserver is not required, but recommended since a lot of optimizations went to its | 5 | # You can comment this webserver section if you want to use another webserver/proxy |
6 | # nginx configuration file. It runs the default nginx configuration without HTTPS nor SSL, | ||
7 | # so use it in production in tandem with an SSL-terminating reverse-proxy. | ||
8 | webserver: | 6 | webserver: |
9 | image: chocobozzz/peertube:webserver | 7 | image: chocobozzz/peertube-webserver:latest |
10 | build: | 8 | # If you don't want to use the official image and build one from sources: |
11 | context: . | 9 | # build: |
12 | dockerfile: Dockerfile.nginx | 10 | # context: . |
11 | # dockerfile: Dockerfile.nginx | ||
13 | env_file: | 12 | env_file: |
14 | - .env | 13 | - .env |
15 | # If you provide your own reverse-proxy, otherwise not suitable for production: | 14 | ports: |
16 | #ports: | 15 | - "80:80" |
17 | # - "9000:80" # serving HTTP | 16 | - "443:443" |
18 | volumes: | 17 | volumes: |
19 | - type: bind | 18 | - type: bind |
20 | # Switch sources if you downloaded the whole repository | 19 | # Switch sources if you downloaded the whole repository |
@@ -23,15 +22,29 @@ services: | |||
23 | target: /etc/nginx/conf.d/peertube.template | 22 | target: /etc/nginx/conf.d/peertube.template |
24 | - assets:/var/www/peertube/peertube-latest/client/dist:ro | 23 | - assets:/var/www/peertube/peertube-latest/client/dist:ro |
25 | - ./docker-volume/data:/var/www/peertube/storage | 24 | - ./docker-volume/data:/var/www/peertube/storage |
25 | - certbot-www:/var/www/certbot | ||
26 | - ./docker-volume/certbot/conf:/etc/letsencrypt | ||
26 | depends_on: | 27 | depends_on: |
27 | - peertube | 28 | - peertube |
28 | restart: "always" | 29 | restart: "always" |
29 | 30 | ||
31 | # You can comment this certbot section if you want to use another webserver/proxy | ||
32 | certbot: | ||
33 | container_name: certbot | ||
34 | image: certbot/certbot | ||
35 | volumes: | ||
36 | - ./docker-volume/certbot/conf:/etc/letsencrypt | ||
37 | - certbot-www:/var/www/certbot | ||
38 | restart: unless-stopped | ||
39 | entrypoint: /bin/sh -c "trap exit TERM; while :; do certbot renew --webroot -w /var/www/certbot; sleep 12h & wait $${!}; done;" | ||
40 | depends_on: | ||
41 | - webserver | ||
42 | |||
30 | peertube: | 43 | peertube: |
31 | # If you don't want to use the official image and build one from sources: | 44 | # If you don't want to use the official image and build one from sources: |
32 | #build: | 45 | # build: |
33 | # context: . | 46 | # context: . |
34 | # dockerfile: ./support/docker/production/Dockerfile.buster | 47 | # dockerfile: ./support/docker/production/Dockerfile.buster |
35 | image: chocobozzz/peertube:production-buster | 48 | image: chocobozzz/peertube:production-buster |
36 | env_file: | 49 | env_file: |
37 | - .env | 50 | - .env |
@@ -79,3 +92,4 @@ networks: | |||
79 | 92 | ||
80 | volumes: | 93 | volumes: |
81 | assets: | 94 | assets: |
95 | certbot-www: | ||
diff --git a/support/docker/production/entrypoint.nginx.sh b/support/docker/production/entrypoint.nginx.sh index 670ce84a3..ad26aa0e2 100644 --- a/support/docker/production/entrypoint.nginx.sh +++ b/support/docker/production/entrypoint.nginx.sh | |||
@@ -4,12 +4,14 @@ set -e | |||
4 | # Process the nginx template | 4 | # Process the nginx template |
5 | SOURCE_FILE="/etc/nginx/conf.d/peertube.template" | 5 | SOURCE_FILE="/etc/nginx/conf.d/peertube.template" |
6 | TARGET_FILE="/etc/nginx/conf.d/default.conf" | 6 | TARGET_FILE="/etc/nginx/conf.d/default.conf" |
7 | export WEBSERVER_HOST="default_server" | 7 | export WEBSERVER_HOST="$PEERTUBE_WEBSERVER_HOSTNAME" |
8 | export PEERTUBE_HOST="peertube:9000" | 8 | export PEERTUBE_HOST="peertube:9000" |
9 | 9 | ||
10 | envsubst '${WEBSERVER_HOST} ${PEERTUBE_HOST}' < $SOURCE_FILE > $TARGET_FILE | 10 | envsubst '${WEBSERVER_HOST} ${PEERTUBE_HOST}' < $SOURCE_FILE > $TARGET_FILE |
11 | 11 | ||
12 | # Remove HTTPS/SSL from nginx conf since this image is meant as a webserver _behind_ a reverse-proxy doing TLS termination itself | 12 | while :; do |
13 | sed -i 's/443 ssl http2/80/g;/ssl_/d' $TARGET_FILE | 13 | sleep 12h & wait $!; |
14 | nginx -s reload; | ||
15 | done & | ||
14 | 16 | ||
15 | nginx -g "daemon off;" \ No newline at end of file | 17 | nginx -g 'daemon off;' |
diff --git a/support/nginx/peertube b/support/nginx/peertube index 641d254af..31a690e29 100644 --- a/support/nginx/peertube +++ b/support/nginx/peertube | |||
@@ -4,18 +4,17 @@ | |||
4 | # OPTIONAL HTTP MODULES: Gzip, Headers, HTTP/2, Log, Real IP, SSL, Thread Pool, Upstream. | 4 | # OPTIONAL HTTP MODULES: Gzip, Headers, HTTP/2, Log, Real IP, SSL, Thread Pool, Upstream. |
5 | # THIRD PARTY MODULES: None. | 5 | # THIRD PARTY MODULES: None. |
6 | 6 | ||
7 | # Uncomment in production to redirect HTTP to HTTPS. Leave commented for docker-compose. | 7 | server { |
8 | #server { | 8 | listen 80; |
9 | # listen 80; | 9 | listen [::]:80; |
10 | # listen [::]:80; | 10 | server_name ${WEBSERVER_HOST}; |
11 | # server_name ${WEBSERVER_HOST}; | 11 | |
12 | # | 12 | location /.well-known/acme-challenge/ { |
13 | # location /.well-known/acme-challenge/ { | 13 | default_type "text/plain"; |
14 | # default_type "text/plain"; | 14 | root /var/www/certbot; |
15 | # root /var/www/certbot; | 15 | } |
16 | # } | 16 | location / { return 301 https://$host$request_uri; } |
17 | # location / { return 301 https://$host$request_uri; } | 17 | } |
18 | #} | ||
19 | 18 | ||
20 | upstream backend { | 19 | upstream backend { |
21 | server ${PEERTUBE_HOST}; | 20 | server ${PEERTUBE_HOST}; |
@@ -33,8 +32,8 @@ server { | |||
33 | # Certificates | 32 | # Certificates |
34 | # you need a certificate to run in production. see https://letsencrypt.org/ | 33 | # you need a certificate to run in production. see https://letsencrypt.org/ |
35 | ## | 34 | ## |
36 | ssl_certificate /etc/letsencrypt/live/peertube/fullchain.pem; | 35 | ssl_certificate /etc/letsencrypt/live/${WEBSERVER_HOST}/fullchain.pem; |
37 | ssl_certificate_key /etc/letsencrypt/live/peertube/privkey.pem; | 36 | ssl_certificate_key /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem; |
38 | 37 | ||
39 | location ^~ '/.well-known/acme-challenge' { | 38 | location ^~ '/.well-known/acme-challenge' { |
40 | default_type "text/plain"; | 39 | default_type "text/plain"; |