From afd4ee86ddb97f8d49585fddd318bedcd3ad55b8 Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Wed, 30 Dec 2020 16:53:11 +0100
Subject: Remove traefik docker support

---
 support/docker/production/.env                   |  6 --
 support/docker/production/Dockerfile.nginx       |  4 +-
 support/docker/production/config/traefik.toml    | 67 ----------------------
 .../docker/production/docker-compose.traefik.yml | 27 ---------
 support/docker/production/docker-compose.yml     | 40 ++++++++-----
 support/docker/production/entrypoint.nginx.sh    | 10 ++--
 6 files changed, 35 insertions(+), 119 deletions(-)
 delete mode 100644 support/docker/production/config/traefik.toml
 delete mode 100644 support/docker/production/docker-compose.traefik.yml

(limited to 'support/docker')

diff --git a/support/docker/production/.env b/support/docker/production/.env
index 86356d5a3..3e19c3817 100644
--- a/support/docker/production/.env
+++ b/support/docker/production/.env
@@ -41,12 +41,6 @@ OPENDKIM_DOMAINS==peertube
 # see https://github.com/wader/postfix-relay/pull/18
 OPENDKIM_RequireSafeKeys=no
 
-# Let's Encrypt service configuration
-TRAEFIK_ACME_EMAIL=
-# If you need to obtain ACME certificates for more than one DOMAIN
-# pass them as a comma separated string
-TRAEFIK_ACME_DOMAINS=
-
 # /!\ Prefer to use the PeerTube admin interface to set the following configurations /!\
 #PEERTUBE_SIGNUP_ENABLED=true
 #PEERTUBE_TRANSCODING_ENABLED=true
diff --git a/support/docker/production/Dockerfile.nginx b/support/docker/production/Dockerfile.nginx
index 36ae3c3bc..1d685eee6 100644
--- a/support/docker/production/Dockerfile.nginx
+++ b/support/docker/production/Dockerfile.nginx
@@ -3,6 +3,6 @@ FROM nginx:alpine
 COPY entrypoint.nginx.sh .
 RUN chmod +x entrypoint.nginx.sh
 
-EXPOSE 80
+EXPOSE 80 443
 ENTRYPOINT []
-CMD ["/bin/sh", "entrypoint.nginx.sh"]
\ No newline at end of file
+CMD ["/bin/sh", "entrypoint.nginx.sh"]
diff --git a/support/docker/production/config/traefik.toml b/support/docker/production/config/traefik.toml
deleted file mode 100644
index c0a7cf840..000000000
--- a/support/docker/production/config/traefik.toml
+++ /dev/null
@@ -1,67 +0,0 @@
-# Uncomment this line in order to enable debugging through logs
-# debug = true
-defaultEntryPoints = ["http", "https"]
-
-[entryPoints]
-  [entryPoints.http]
-  address = ":80"
-    [entryPoints.http.redirect]
-    entryPoint = "https"
-  [entryPoints.https]
-  address = ":443"
-    [entryPoints.https.tls]
-    MinVersion = "VersionTLS12"
-    CurvePreferences = [
-      "CurveP521",
-      "CurveP384",
-      "CurveP256"
-    ]
-    PreferServerCipherSuites = true
-    CipherSuites = [
-      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
-      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
-      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
-      "TLS_RSA_WITH_AES_256_GCM_SHA384",
-      "TLS_RSA_WITH_AES_256_CBC_SHA"
-    ]
-    FrameDeny = false # here we don't want to deny frames since we have an embed
-    STSIncludeSubdomains = true
-    STSSeconds = 315360000
-    STSPreload = true
-    ContentTypeNosniff = true
-    BrowserXssFilter = true
-
-
-# Enable ACME (Let's Encrypt): automatic SSL.
-[acme]
-
-# File or key used for certificates storage.
-#
-# Required
-#
-storage = "/etc/acme.json"
-# or `storage = "traefik/acme/account"` if using KV store.
-
-# Entrypoint to proxy acme apply certificates to.
-# WARNING, if the TLS-SNI-01 challenge is used, it must point to an entrypoint on port 443
-#
-# Required
-#
-entryPoint = "https"
-
-# Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge
-#
-# Optional but recommend
-#
-[acme.httpChallenge]
-
-  # EntryPoint to use for the challenges.
-  #
-  # Required
-  #
-  entryPoint = "http"
-
-[docker]
-  exposedByDefault = false
\ No newline at end of file
diff --git a/support/docker/production/docker-compose.traefik.yml b/support/docker/production/docker-compose.traefik.yml
deleted file mode 100644
index bbea75783..000000000
--- a/support/docker/production/docker-compose.traefik.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-version: "3.3"
-
-services:
-
-  # The reverse-proxy only does SSL termination and automatic certificate generation. You can
-  # replace it with any other reverse-proxy, in which case you can remove 'traefik.*' labels.
-  reverse-proxy:
-    image: traefik:v1.7
-    network_mode: "host"
-    command:
-      - "--docker" # Tells Træfik to listen to docker
-      - "--acme.email=${TRAEFIK_ACME_EMAIL}" # Let's Encrypt ACME email
-      - "--acme.domains=${TRAEFIK_ACME_DOMAINS}" # Let's Encrypt ACME domain list
-    ports:
-      - "80:80" # serving HTTP
-      - "443:443" # serving HTTPS
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock # So that Træfik can listen to the Docker events
-      - ./docker-volume/traefik/acme.json:/etc/acme.json
-      - ./docker-volume/traefik/traefik.toml:/traefik.toml
-    restart: "always"
-
-  webserver:
-    labels:
-      traefik.enable: "true"
-      traefik.frontend.rule: "Host:${PEERTUBE_WEBSERVER_HOSTNAME}"
-      traefik.port: "80"
diff --git a/support/docker/production/docker-compose.yml b/support/docker/production/docker-compose.yml
index bce9426d2..4ad1a8756 100644
--- a/support/docker/production/docker-compose.yml
+++ b/support/docker/production/docker-compose.yml
@@ -2,19 +2,18 @@ version: "3.3"
 
 services:
 
-  # The webserver is not required, but recommended since a lot of optimizations went to its
-  # nginx configuration file. It runs the default nginx configuration without HTTPS nor SSL,
-  # so use it in production in tandem with an SSL-terminating reverse-proxy.
+  # You can comment this webserver section if you want to use another webserver/proxy
   webserver:
-    image: chocobozzz/peertube:webserver
-    build:
-      context: .
-      dockerfile: Dockerfile.nginx
+    image: chocobozzz/peertube-webserver:latest
+    # If you don't want to use the official image and build one from sources:
+    # build:
+    #   context: .
+    #   dockerfile: Dockerfile.nginx
     env_file:
       - .env
-    # If you provide your own reverse-proxy, otherwise not suitable for production:
-    #ports:
-    #  - "9000:80" # serving HTTP
+    ports:
+      - "80:80"
+      - "443:443"
     volumes:
       - type: bind
         # Switch sources if you downloaded the whole repository
@@ -23,15 +22,29 @@ services:
         target: /etc/nginx/conf.d/peertube.template
       - assets:/var/www/peertube/peertube-latest/client/dist:ro
       - ./docker-volume/data:/var/www/peertube/storage
+      - certbot-www:/var/www/certbot
+      - ./docker-volume/certbot/conf:/etc/letsencrypt
     depends_on:
       - peertube
     restart: "always"
 
+  # You can comment this certbot section if you want to use another webserver/proxy
+  certbot:
+    container_name: certbot
+    image: certbot/certbot
+    volumes:
+      - ./docker-volume/certbot/conf:/etc/letsencrypt
+      - certbot-www:/var/www/certbot
+    restart: unless-stopped
+    entrypoint: /bin/sh -c "trap exit TERM; while :; do certbot renew --webroot -w /var/www/certbot; sleep 12h & wait $${!}; done;"
+    depends_on:
+      - webserver
+
   peertube:
     # If you don't want to use the official image and build one from sources:
-    #build:
-    #  context: .
-    #  dockerfile: ./support/docker/production/Dockerfile.buster
+    # build:
+    #   context: .
+    #   dockerfile: ./support/docker/production/Dockerfile.buster
     image: chocobozzz/peertube:production-buster
     env_file:
       - .env
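Review bot: `image: chocobozzz/peertube-webserver:latest` pulls whatever the floating tag resolves to at the time of `docker-compose pull`, so the container that now terminates TLS and holds the certificate private key changes silently between deployments and cannot be reproduced or rolled back by version. The `peertube` service further down also uses a moving tag, so this is consistent with the file, but the new service deserves at least a hint for operators. I would add above the image line: `# Pin this tag (or use a digest) for reproducible, auditable upgrades`.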
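Review bot: The two new webserver mounts `certbot-www:/var/www/certbot` and `./docker-volume/certbot/conf:/etc/letsencrypt` are read-write, although nginx only needs to read the certificate, key and challenge files; the certbot service is the only writer. Mounting them read-only in the webserver (`- certbot-www:/var/www/certbot:ro` and `- ./docker-volume/certbot/conf:/etc/letsencrypt:ro`) keeps a compromised nginx process from altering the ACME account key or renewal configuration, matching the `:ro` already used for the assets volume. Separately, the certbot entrypoint only runs `certbot renew`; nothing in this hunk performs the initial issuance, and nginx presumably cannot start its 443 listener without the files (the nginx template is outside the diff), so a comment in the certbot section stating that the first certificate must be obtained before `docker-compose up` would save operators a confusing first boot.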
@@ -79,3 +92,4 @@ networks:
 
 volumes:
   assets:
+  certbot-www:
diff --git a/support/docker/production/entrypoint.nginx.sh b/support/docker/production/entrypoint.nginx.sh
index 670ce84a3..ad26aa0e2 100644
--- a/support/docker/production/entrypoint.nginx.sh
+++ b/support/docker/production/entrypoint.nginx.sh
@@ -4,12 +4,14 @@ set -e
 # Process the nginx template
 SOURCE_FILE="/etc/nginx/conf.d/peertube.template"
 TARGET_FILE="/etc/nginx/conf.d/default.conf"
-export WEBSERVER_HOST="default_server"
+export WEBSERVER_HOST="$PEERTUBE_WEBSERVER_HOSTNAME"
 export PEERTUBE_HOST="peertube:9000"
 
 envsubst '${WEBSERVER_HOST} ${PEERTUBE_HOST}' < $SOURCE_FILE > $TARGET_FILE
 
-# Remove HTTPS/SSL from nginx conf since this image is meant as a webserver _behind_ a reverse-proxy doing TLS termination itself
-sed -i 's/443 ssl http2/80/g;/ssl_/d' $TARGET_FILE
+while :; do
+  sleep 12h & wait $!;
+  nginx -s reload;
+done &
 
-nginx -g "daemon off;"
\ No newline at end of file
+nginx -g 'daemon off;'
-- 
cgit v1.2.3
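Review bot: `export WEBSERVER_HOST="$PEERTUBE_WEBSERVER_HOSTNAME"` replaces a fixed `default_server` with an environment value that is substituted into the nginx config without any check; if the variable is missing from `.env` the template is rendered with an empty host, and nginx will start with an empty or wrong `server_name` (the template itself is outside the diff, so the exact failure mode is inferred). A one-line guard before the export fails fast with a clear message: `: "${PEERTUBE_WEBSERVER_HOSTNAME:?PEERTUBE_WEBSERVER_HOSTNAME must be set in .env}"`. The new background reload loop is fine for picking up renewed certificates, but it is worth a comment such as `# Reload every 12h so nginx picks up certificates renewed by the certbot container` since the 12h interval is only meaningful together with the compose file.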