From 1a9b141d835cf3bfe9bdca67f881b520975f9058 Mon Sep 17 00:00:00 2001 From: Rigel Kent Date: Tue, 3 Mar 2020 00:29:52 +0100 Subject: Add nginx behind traefik in docker-compose + image updates - support/docker/production/docker-compose.yml: addition of a nginx image reusing support/nginx/peertube nginx conf to improve performance, and lessen setup differences between the docker-compose install and the typical production install. - support/docker/production/docker-compose.yml: postgres 10 -> postgres 12, redis 4 -> redis 5. Postgres major updates implies manual upgrade. - support/nginx/peertube: HTTP -> HTTPS redirection is now commented by default, to allow its reuse in support/docker/production/docker-compose.yml. --- support/docker/production/Dockerfile.buster | 4 +- support/docker/production/Dockerfile.nginx | 8 +++ support/docker/production/config/traefik.toml | 2 +- support/docker/production/docker-compose.yml | 72 ++++++++++++++++++-------- support/docker/production/docker-entrypoint.sh | 26 ---------- support/docker/production/entrypoint.nginx.sh | 17 ++++++ support/docker/production/entrypoint.sh | 26 ++++++++++ 7 files changed, 103 insertions(+), 52 deletions(-) create mode 100644 support/docker/production/Dockerfile.nginx delete mode 100755 support/docker/production/docker-entrypoint.sh create mode 100644 support/docker/production/entrypoint.nginx.sh create mode 100755 support/docker/production/entrypoint.sh (limited to 'support/docker/production') diff --git a/support/docker/production/Dockerfile.buster b/support/docker/production/Dockerfile.buster index 414bf9aac..5af8aa29a 100644 --- a/support/docker/production/Dockerfile.buster +++ b/support/docker/production/Dockerfile.buster @@ -38,8 +38,8 @@ ENV NODE_CONFIG_DIR /config VOLUME /data VOLUME /config -COPY ./support/docker/production/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh -ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"] +COPY ./support/docker/production/entrypoint.sh /usr/local/bin/entrypoint.sh +ENTRYPOINT ["/usr/local/bin/entrypoint.sh"] # Run the application CMD ["npm", "start"] diff --git a/support/docker/production/Dockerfile.nginx b/support/docker/production/Dockerfile.nginx new file mode 100644 index 000000000..36ae3c3bc --- /dev/null +++ b/support/docker/production/Dockerfile.nginx @@ -0,0 +1,8 @@ +FROM nginx:alpine + +COPY entrypoint.nginx.sh . +RUN chmod +x entrypoint.nginx.sh + +EXPOSE 80 +ENTRYPOINT [] +CMD ["/bin/sh", "entrypoint.nginx.sh"] \ No newline at end of file diff --git a/support/docker/production/config/traefik.toml b/support/docker/production/config/traefik.toml index 1d7d207fd..d2437fdf8 100644 --- a/support/docker/production/config/traefik.toml +++ b/support/docker/production/config/traefik.toml @@ -61,4 +61,4 @@ entryPoint = "https" # # Required # - entryPoint = "http" + entryPoint = "http" \ No newline at end of file diff --git a/support/docker/production/docker-compose.yml b/support/docker/production/docker-compose.yml index e937c8b9c..62be02467 100644 --- a/support/docker/production/docker-compose.yml +++ b/support/docker/production/docker-compose.yml @@ -2,44 +2,65 @@ version: "3.3" services: + # The reverse-proxy only does SSL termination and automatic certificate generation. You can + # replace it with any other reverse-proxy, in which case you can remove 'traefik.*' labels. reverse-proxy: image: traefik:v1.7 network_mode: "host" command: - - "--docker" # Tells Træfik to listen to docker - - "--acme.email=${TRAEFIK_ACME_EMAIL}" # Let's Encrypt ACME email - - "--acme.domains=${TRAEFIK_ACME_DOMAINS}" # Let's Encrypt ACME domain list + - "--docker" # Tells Træfik to listen to docker + - "--acme.email=${TRAEFIK_ACME_EMAIL}" # Let's Encrypt ACME email + - "--acme.domains=${TRAEFIK_ACME_DOMAINS}" # Let's Encrypt ACME domain list ports: - - "80:80" # The HTTP port - - "443:443" # The HTTPS port + - "80:80" # The HTTP port + - "443:443" # The HTTPS port volumes: - - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events + - /var/run/docker.sock:/var/run/docker.sock # So that Træfik can listen to the Docker events - ./docker-volume/traefik/acme.json:/etc/acme.json - ./docker-volume/traefik/traefik.toml:/traefik.toml restart: "always" - # If you want to use the Traefik dashboard, you should expose it on a - # subdomain with HTTPS and authentification: - # https://medium.com/@xavier.priour/secure-traefik-dashboard-with-https-and-password-in-docker-5b657e2aa15f - # https://github.com/containous/traefik/issues/880#issuecomment-310301168 - peertube: - # If you don't want to use the official image and build one from sources - # build: - # context: . - # dockerfile: ./support/docker/production/Dockerfile.buster - image: chocobozzz/peertube:production-buster + # The webserver is not required, but recommended since a lot of optimizations went to its + # nginx configuration file. It runs the default nginx configuration without HTTPS nor SSL, + # so use it in production in tandem with an SSL-terminating reverse-proxy like above. + webserver: + build: + context: . + dockerfile: Dockerfile.nginx env_file: - .env - # Traefik labels are suggested as an example for people using Traefik, - # remove them if you are using another reverse proxy. + # If you provide your own reverse-proxy, otherwise not suitable for production: + #ports: + # - "80:80" + volumes: + - type: bind + # Switch sources if you downloaded the nginx configuration without the whole repository + #source: ./peertube + source: ../../nginx/peertube + target: /etc/nginx/conf.d/peertube.template + - assets:/var/www/peertube/peertube-latest/client/dist:ro + - ./docker-volume/data:/var/www/peertube/storage + depends_on: + - peertube + restart: "always" labels: traefik.enable: "true" traefik.frontend.rule: "Host:${PEERTUBE_WEBSERVER_HOSTNAME}" - traefik.port: "9000" - # If you don't want to use a reverse proxy (not suitable for production!) - # ports: - # - "80:9000" + traefik.port: "80" + + peertube: + # If you don't want to use the official image and build one from sources: + #build: + # context: . + # dockerfile: ./support/docker/production/Dockerfile.buster + image: chocobozzz/peertube:production-buster + env_file: + - .env + # If you provide your own webserver and reverse-proxy, otherwise not suitable for production: + #ports: + # - "80:9000" volumes: + - assets:/app/client/dist - ./docker-volume/data:/data - ./docker-volume/config:/config depends_on: @@ -47,6 +68,8 @@ services: - redis - postfix restart: "always" + labels: + traefik.enable: "false" postgres: image: postgres:10-alpine @@ -59,7 +82,7 @@ services: traefik.enable: "false" redis: - image: redis:4-alpine + image: redis:5-alpine volumes: - ./docker-volume/redis:/data restart: "always" @@ -82,3 +105,6 @@ networks: driver: default config: - subnet: 172.18.0.0/16 + +volumes: + assets: diff --git a/support/docker/production/docker-entrypoint.sh b/support/docker/production/docker-entrypoint.sh deleted file mode 100755 index 7dd626b9f..000000000 --- a/support/docker/production/docker-entrypoint.sh +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/sh -set -e - -# Populate config directory -if [ -z "$(ls -A /config)" ]; then - cp /app/support/docker/production/config/* /config -fi - -# Always copy default and custom env configuration file, in cases where new keys were added -cp /app/config/default.yaml /config -cp /app/support/docker/production/config/custom-environment-variables.yaml /config -find /config ! -user peertube -exec chown peertube:peertube {} \; - -# first arg is `-f` or `--some-option` -# or first arg is `something.conf` -if [ "${1#-}" != "$1" ] || [ "${1%.conf}" != "$1" ]; then - set -- npm "$@" -fi - -# allow the container to be started with `--user` -if [ "$1" = 'npm' -a "$(id -u)" = '0' ]; then - find /data ! -user peertube -exec chown peertube:peertube {} \; - exec gosu peertube "$0" "$@" -fi - -exec "$@" diff --git a/support/docker/production/entrypoint.nginx.sh b/support/docker/production/entrypoint.nginx.sh new file mode 100644 index 000000000..744385ec8 --- /dev/null +++ b/support/docker/production/entrypoint.nginx.sh @@ -0,0 +1,17 @@ +#!/bin/sh +set -e + +# Process nginx template +SOURCE="/etc/nginx/conf.d/peertube.template" +TARGET="/etc/nginx/conf.d/default.conf" +export WEBSERVER_HOST="default_server" +export PEERTUBE_HOST="peertube:9000" + +envsubst '${WEBSERVER_HOST} ${PEERTUBE_HOST}' < $SOURCE > $TARGET + +# Remove HTTPS/SSL from nginx conf +sed -i 's/443 ssl http2/80/g;/ssl_/d' $TARGET + +cat $TARGET + +nginx -g "daemon off;" \ No newline at end of file diff --git a/support/docker/production/entrypoint.sh b/support/docker/production/entrypoint.sh new file mode 100755 index 000000000..7dd626b9f --- /dev/null +++ b/support/docker/production/entrypoint.sh @@ -0,0 +1,26 @@ +#!/bin/sh +set -e + +# Populate config directory +if [ -z "$(ls -A /config)" ]; then + cp /app/support/docker/production/config/* /config +fi + +# Always copy default and custom env configuration file, in cases where new keys were added +cp /app/config/default.yaml /config +cp /app/support/docker/production/config/custom-environment-variables.yaml /config +find /config ! -user peertube -exec chown peertube:peertube {} \; + +# first arg is `-f` or `--some-option` +# or first arg is `something.conf` +if [ "${1#-}" != "$1" ] || [ "${1%.conf}" != "$1" ]; then + set -- npm "$@" +fi + +# allow the container to be started with `--user` +if [ "$1" = 'npm' -a "$(id -u)" = '0' ]; then + find /data ! -user peertube -exec chown peertube:peertube {} \; + exec gosu peertube "$0" "$@" +fi + +exec "$@" -- cgit v1.2.3