From afd4ee86ddb97f8d49585fddd318bedcd3ad55b8 Mon Sep 17 00:00:00 2001
From: Chocobozzz <me@florianbigard.com>
Date: Wed, 30 Dec 2020 16:53:11 +0100
Subject: Remove traefik docker support

---
 support/doc/docker.md                              | 27 +++++++--
 support/docker/production/.env                     |  6 --
 support/docker/production/Dockerfile.nginx         |  4 +-
 support/docker/production/config/traefik.toml      | 67 ----------------------
 .../docker/production/docker-compose.traefik.yml   | 27 ---------
 support/docker/production/docker-compose.yml       | 40 ++++++++-----
 support/docker/production/entrypoint.nginx.sh      | 10 ++--
 support/nginx/peertube                             | 27 +++++----
 8 files changed, 71 insertions(+), 137 deletions(-)
 delete mode 100644 support/docker/production/config/traefik.toml
 delete mode 100644 support/docker/production/docker-compose.traefik.yml

(limited to 'support')

diff --git a/support/doc/docker.md b/support/doc/docker.md
index 6f61c38d0..36da94f55 100644
--- a/support/doc/docker.md
+++ b/support/doc/docker.md
@@ -56,14 +56,33 @@ Other environment variables are used in
 [/support/docker/production/config/custom-environment-variables.yaml](https://github.com/Chocobozzz/PeerTube/blob/develop/support/docker/production/config/custom-environment-variables.yaml) and can be
 intuited from usage.
 
-#### Testing local Docker setup
+#### Webserver
 
-To test locally your Docker setup, you must add your domain (`<MY DOMAIN>`) in `/etc/hosts`:
+*The docker compose file includes a configured web server. You can skip this part and comment the appropriate section in the docker compose if you use another webserver/proxy.*
+
+Install the template that the nginx container will use.
+The container will generate the configuration by replacing `${WEBSERVER_HOST}` and `${PEERTUBE_HOST}` using your docker compose env file.
+
+It will also generate a TLS certificate at startup and schedule a renew
+
+```shell
+mkdir -p docker-volume/nginx
+curl https://raw.githubusercontent.com/Chocobozzz/PeerTube/develop/support/nginx/peertube > docker-volume/nginx/peertube
 ```
-127.0.0.1       localhost   mydomain.tld
+
+You need to manually generate the first SSL/TLS certificate using Let's Encrypt:
+
+```shell
+mkdir -p docker-volume/certbot
+docker run -it --rm --name certbot -p 80:80 -v "$(pwd)/docker-volume/certbot/conf:/etc/letsencrypt" certbot/certbot certonly --standalone
 ```
 
-#### You can use the regular `up` command to set it up
+The docker-compose will automatically renew this certificate and reload nginx.
+
+
+#### Test your setup
+
+Run your containers:
 
 ```shell
 docker-compose up
diff --git a/support/docker/production/.env b/support/docker/production/.env
index 86356d5a3..3e19c3817 100644
--- a/support/docker/production/.env
+++ b/support/docker/production/.env
@@ -41,12 +41,6 @@ OPENDKIM_DOMAINS=<MY DOMAIN>=peertube
 # see https://github.com/wader/postfix-relay/pull/18
 OPENDKIM_RequireSafeKeys=no
 
-# Let's Encrypt service configuration
-TRAEFIK_ACME_EMAIL=<MY EMAIL ADDRESS>
-# If you need to obtain ACME certificates for more than one DOMAIN
-# pass them as a comma separated string
-TRAEFIK_ACME_DOMAINS=<MY DOMAIN>
-
 # /!\ Prefer to use the PeerTube admin interface to set the following configurations /!\
 #PEERTUBE_SIGNUP_ENABLED=true
 #PEERTUBE_TRANSCODING_ENABLED=true
diff --git a/support/docker/production/Dockerfile.nginx b/support/docker/production/Dockerfile.nginx
index 36ae3c3bc..1d685eee6 100644
--- a/support/docker/production/Dockerfile.nginx
+++ b/support/docker/production/Dockerfile.nginx
@@ -3,6 +3,6 @@ FROM nginx:alpine
 COPY entrypoint.nginx.sh .
 RUN chmod +x entrypoint.nginx.sh
 
-EXPOSE 80
+EXPOSE 80 443
 ENTRYPOINT []
-CMD ["/bin/sh", "entrypoint.nginx.sh"]
\ No newline at end of file
+CMD ["/bin/sh", "entrypoint.nginx.sh"]
diff --git a/support/docker/production/config/traefik.toml b/support/docker/production/config/traefik.toml
deleted file mode 100644
index c0a7cf840..000000000
--- a/support/docker/production/config/traefik.toml
+++ /dev/null
@@ -1,67 +0,0 @@
-# Uncomment this line in order to enable debugging through logs
-# debug = true
-defaultEntryPoints = ["http", "https"]
-
-[entryPoints]
-  [entryPoints.http]
-  address = ":80"
-    [entryPoints.http.redirect]
-    entryPoint = "https"
-  [entryPoints.https]
-  address = ":443"
-    [entryPoints.https.tls]
-    MinVersion = "VersionTLS12"
-    CurvePreferences = [
-      "CurveP521",
-      "CurveP384",
-      "CurveP256"
-    ]
-    PreferServerCipherSuites = true
-    CipherSuites = [
-      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
-      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
-      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
-      "TLS_RSA_WITH_AES_256_GCM_SHA384",
-      "TLS_RSA_WITH_AES_256_CBC_SHA"
-    ]
-    FrameDeny = false # here we don't want to deny frames since we have an embed
-    STSIncludeSubdomains = true
-    STSSeconds = 315360000
-    STSPreload = true
-    ContentTypeNosniff = true
-    BrowserXssFilter = true
-
-
-# Enable ACME (Let's Encrypt): automatic SSL.
-[acme]
-
-# File or key used for certificates storage.
-#
-# Required
-#
-storage = "/etc/acme.json"
-# or `storage = "traefik/acme/account"` if using KV store.
-
-# Entrypoint to proxy acme apply certificates to.
-# WARNING, if the TLS-SNI-01 challenge is used, it must point to an entrypoint on port 443
-#
-# Required
-#
-entryPoint = "https"
-
-# Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge
-#
-# Optional but recommend
-#
-[acme.httpChallenge]
-
-  # EntryPoint to use for the challenges.
-  #
-  # Required
-  #
-  entryPoint = "http"
-
-[docker]
-  exposedByDefault = false
\ No newline at end of file
diff --git a/support/docker/production/docker-compose.traefik.yml b/support/docker/production/docker-compose.traefik.yml
deleted file mode 100644
index bbea75783..000000000
--- a/support/docker/production/docker-compose.traefik.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-version: "3.3"
-
-services:
-
-  # The reverse-proxy only does SSL termination and automatic certificate generation. You can
-  # replace it with any other reverse-proxy, in which case you can remove 'traefik.*' labels.
-  reverse-proxy:
-    image: traefik:v1.7
-    network_mode: "host"
-    command:
-      - "--docker"                                # Tells Træfik to listen to docker
-      - "--acme.email=${TRAEFIK_ACME_EMAIL}"      # Let's Encrypt ACME email
-      - "--acme.domains=${TRAEFIK_ACME_DOMAINS}"  # Let's Encrypt ACME domain list
-    ports:
-      - "80:80"    # serving HTTP
-      - "443:443"  # serving HTTPS
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock # So that Træfik can listen to the Docker events
-      - ./docker-volume/traefik/acme.json:/etc/acme.json
-      - ./docker-volume/traefik/traefik.toml:/traefik.toml
-    restart: "always"
-
-  webserver:
-    labels:
-      traefik.enable: "true"
-      traefik.frontend.rule: "Host:${PEERTUBE_WEBSERVER_HOSTNAME}"
-      traefik.port: "80"
diff --git a/support/docker/production/docker-compose.yml b/support/docker/production/docker-compose.yml
index bce9426d2..4ad1a8756 100644
--- a/support/docker/production/docker-compose.yml
+++ b/support/docker/production/docker-compose.yml
@@ -2,19 +2,18 @@ version: "3.3"
 
 services:
 
-  # The webserver is not required, but recommended since a lot of optimizations went to its
-  # nginx configuration file. It runs the default nginx configuration without HTTPS nor SSL,
-  # so use it in production in tandem with an SSL-terminating reverse-proxy.
+  # You can comment this webserver section if you want to use another webserver/proxy
   webserver:
-    image: chocobozzz/peertube:webserver
-    build:
-      context: .
-      dockerfile: Dockerfile.nginx
+    image: chocobozzz/peertube-webserver:latest
+    # If you don't want to use the official image and build one from sources:
+    # build:
+    #   context: .
+    #   dockerfile: Dockerfile.nginx
     env_file:
       - .env
-    # If you provide your own reverse-proxy, otherwise not suitable for production:
-    #ports:
-    #  - "9000:80" # serving HTTP
+    ports:
+     - "80:80"
+     - "443:443"
     volumes:
       - type: bind
         # Switch sources if you downloaded the whole repository
@@ -23,15 +22,29 @@ services:
         target: /etc/nginx/conf.d/peertube.template
       - assets:/var/www/peertube/peertube-latest/client/dist:ro
       - ./docker-volume/data:/var/www/peertube/storage
+      - certbot-www:/var/www/certbot
+      - ./docker-volume/certbot/conf:/etc/letsencrypt
     depends_on:
       - peertube
     restart: "always"
 
+  # You can comment this certbot section if you want to use another webserver/proxy
+  certbot:
+    container_name: certbot
+    image: certbot/certbot
+    volumes:
+      - ./docker-volume/certbot/conf:/etc/letsencrypt
+      - certbot-www:/var/www/certbot
+    restart: unless-stopped
+    entrypoint: /bin/sh -c "trap exit TERM; while :; do certbot renew --webroot -w /var/www/certbot; sleep 12h & wait $${!}; done;"
+    depends_on:
+      - webserver
+
   peertube:
     # If you don't want to use the official image and build one from sources:
-    #build:
-    #  context: .
-    #  dockerfile: ./support/docker/production/Dockerfile.buster
+    # build:
+    #   context: .
+    #   dockerfile: ./support/docker/production/Dockerfile.buster
     image: chocobozzz/peertube:production-buster
     env_file:
       - .env
@@ -79,3 +92,4 @@ networks:
 
 volumes:
   assets:
+  certbot-www:
diff --git a/support/docker/production/entrypoint.nginx.sh b/support/docker/production/entrypoint.nginx.sh
index 670ce84a3..ad26aa0e2 100644
--- a/support/docker/production/entrypoint.nginx.sh
+++ b/support/docker/production/entrypoint.nginx.sh
@@ -4,12 +4,14 @@ set -e
 # Process the nginx template
 SOURCE_FILE="/etc/nginx/conf.d/peertube.template"
 TARGET_FILE="/etc/nginx/conf.d/default.conf"
-export WEBSERVER_HOST="default_server"
+export WEBSERVER_HOST="$PEERTUBE_WEBSERVER_HOSTNAME"
 export PEERTUBE_HOST="peertube:9000"
 
 envsubst '${WEBSERVER_HOST} ${PEERTUBE_HOST}' < $SOURCE_FILE > $TARGET_FILE
 
-# Remove HTTPS/SSL from nginx conf since this image is meant as a webserver _behind_ a reverse-proxy doing TLS termination itself
-sed -i 's/443 ssl http2/80/g;/ssl_/d' $TARGET_FILE
+while :; do
+  sleep 12h & wait $!;
+  nginx -s reload;
+done &
 
-nginx -g "daemon off;"
\ No newline at end of file
+nginx -g 'daemon off;'
diff --git a/support/nginx/peertube b/support/nginx/peertube
index 641d254af..31a690e29 100644
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -4,18 +4,17 @@
 # OPTIONAL HTTP MODULES: Gzip, Headers, HTTP/2, Log, Real IP, SSL, Thread Pool, Upstream.
 # THIRD PARTY MODULES:   None.
 
-# Uncomment in production to redirect HTTP to HTTPS. Leave commented for docker-compose.
-#server {
-#  listen 80;
-#  listen [::]:80;
-#  server_name ${WEBSERVER_HOST};
-#
-#  location /.well-known/acme-challenge/ {
-#    default_type "text/plain";
-#    root /var/www/certbot;
-#  }
-#  location / { return 301 https://$host$request_uri; }
-#}
+server {
+  listen 80;
+  listen [::]:80;
+  server_name ${WEBSERVER_HOST};
+
+  location /.well-known/acme-challenge/ {
+    default_type "text/plain";
+    root /var/www/certbot;
+  }
+  location / { return 301 https://$host$request_uri; }
+}
 
 upstream backend {
   server ${PEERTUBE_HOST};
@@ -33,8 +32,8 @@ server {
   # Certificates
   # you need a certificate to run in production. see https://letsencrypt.org/
   ##
-  ssl_certificate     /etc/letsencrypt/live/peertube/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/peertube/privkey.pem;
+  ssl_certificate     /etc/letsencrypt/live/${WEBSERVER_HOST}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem;
 
   location ^~ '/.well-known/acme-challenge' {
     default_type "text/plain";
-- 
cgit v1.2.3