1
0
Fork 0

Remove traefik docker support

This commit is contained in:
Chocobozzz 2020-12-30 16:53:11 +01:00
parent 83d4aba676
commit afd4ee86dd
No known key found for this signature in database
GPG key ID: 583A612D890159BE
8 changed files with 72 additions and 138 deletions

View file

@ -56,14 +56,33 @@ Other environment variables are used in
[/support/docker/production/config/custom-environment-variables.yaml](https://github.com/Chocobozzz/PeerTube/blob/develop/support/docker/production/config/custom-environment-variables.yaml) and can be
intuited from usage.
#### Testing local Docker setup
#### Webserver
To test locally your Docker setup, you must add your domain (`<MY DOMAIN>`) in `/etc/hosts`:
```
127.0.0.1 localhost mydomain.tld
*The docker compose file includes a configured web server. You can skip this part and comment the appropriate section in the docker compose if you use another webserver/proxy.*
Install the template that the nginx container will use.
The container will generate the configuration by replacing `${WEBSERVER_HOST}` and `${PEERTUBE_HOST}` using your docker compose env file.
It will also generate a TLS certificate at startup and schedule a renew
```shell
mkdir -p docker-volume/nginx
curl https://raw.githubusercontent.com/Chocobozzz/PeerTube/develop/support/nginx/peertube > docker-volume/nginx/peertube
```
#### You can use the regular `up` command to set it up
You need to manually generate the first SSL/TLS certificate using Let's Encrypt:
```shell
mkdir -p docker-volume/certbot
docker run -it --rm --name certbot -p 80:80 -v "$(pwd)/docker-volume/certbot/conf:/etc/letsencrypt" certbot/certbot certonly --standalone
```
The docker-compose will automatically renew this certificate and reload nginx.
#### Test your setup
Run your containers:
```shell
docker-compose up

View file

@ -41,12 +41,6 @@ OPENDKIM_DOMAINS=<MY DOMAIN>=peertube
# see https://github.com/wader/postfix-relay/pull/18
OPENDKIM_RequireSafeKeys=no
# Let's Encrypt service configuration
TRAEFIK_ACME_EMAIL=<MY EMAIL ADDRESS>
# If you need to obtain ACME certificates for more than one DOMAIN
# pass them as a comma separated string
TRAEFIK_ACME_DOMAINS=<MY DOMAIN>
# /!\ Prefer to use the PeerTube admin interface to set the following configurations /!\
#PEERTUBE_SIGNUP_ENABLED=true
#PEERTUBE_TRANSCODING_ENABLED=true

View file

@ -3,6 +3,6 @@ FROM nginx:alpine
COPY entrypoint.nginx.sh .
RUN chmod +x entrypoint.nginx.sh
EXPOSE 80
EXPOSE 80 443
ENTRYPOINT []
CMD ["/bin/sh", "entrypoint.nginx.sh"]
CMD ["/bin/sh", "entrypoint.nginx.sh"]

View file

@ -1,67 +0,0 @@
# Uncomment this line in order to enable debugging through logs
# debug = true
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
MinVersion = "VersionTLS12"
CurvePreferences = [
"CurveP521",
"CurveP384",
"CurveP256"
]
PreferServerCipherSuites = true
CipherSuites = [
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_CBC_SHA"
]
FrameDeny = false # here we don't want to deny frames since we have an embed
STSIncludeSubdomains = true
STSSeconds = 315360000
STSPreload = true
ContentTypeNosniff = true
BrowserXssFilter = true
# Enable ACME (Let's Encrypt): automatic SSL.
[acme]
# File or key used for certificates storage.
#
# Required
#
storage = "/etc/acme.json"
# or `storage = "traefik/acme/account"` if using KV store.
# Entrypoint to proxy acme apply certificates to.
# WARNING, if the TLS-SNI-01 challenge is used, it must point to an entrypoint on port 443
#
# Required
#
entryPoint = "https"
# Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge
#
# Optional but recommend
#
[acme.httpChallenge]
# EntryPoint to use for the challenges.
#
# Required
#
entryPoint = "http"
[docker]
exposedByDefault = false

View file

@ -1,27 +0,0 @@
version: "3.3"
services:
# The reverse-proxy only does SSL termination and automatic certificate generation. You can
# replace it with any other reverse-proxy, in which case you can remove 'traefik.*' labels.
reverse-proxy:
image: traefik:v1.7
network_mode: "host"
command:
- "--docker" # Tells Træfik to listen to docker
- "--acme.email=${TRAEFIK_ACME_EMAIL}" # Let's Encrypt ACME email
- "--acme.domains=${TRAEFIK_ACME_DOMAINS}" # Let's Encrypt ACME domain list
ports:
- "80:80" # serving HTTP
- "443:443" # serving HTTPS
volumes:
- /var/run/docker.sock:/var/run/docker.sock # So that Træfik can listen to the Docker events
- ./docker-volume/traefik/acme.json:/etc/acme.json
- ./docker-volume/traefik/traefik.toml:/traefik.toml
restart: "always"
webserver:
labels:
traefik.enable: "true"
traefik.frontend.rule: "Host:${PEERTUBE_WEBSERVER_HOSTNAME}"
traefik.port: "80"

View file

@ -2,19 +2,18 @@ version: "3.3"
services:
# The webserver is not required, but recommended since a lot of optimizations went to its
# nginx configuration file. It runs the default nginx configuration without HTTPS nor SSL,
# so use it in production in tandem with an SSL-terminating reverse-proxy.
# You can comment this webserver section if you want to use another webserver/proxy
webserver:
image: chocobozzz/peertube:webserver
build:
context: .
dockerfile: Dockerfile.nginx
image: chocobozzz/peertube-webserver:latest
# If you don't want to use the official image and build one from sources:
# build:
# context: .
# dockerfile: Dockerfile.nginx
env_file:
- .env
# If you provide your own reverse-proxy, otherwise not suitable for production:
#ports:
# - "9000:80" # serving HTTP
ports:
- "80:80"
- "443:443"
volumes:
- type: bind
# Switch sources if you downloaded the whole repository
@ -23,15 +22,29 @@ services:
target: /etc/nginx/conf.d/peertube.template
- assets:/var/www/peertube/peertube-latest/client/dist:ro
- ./docker-volume/data:/var/www/peertube/storage
- certbot-www:/var/www/certbot
- ./docker-volume/certbot/conf:/etc/letsencrypt
depends_on:
- peertube
restart: "always"
# You can comment this certbot section if you want to use another webserver/proxy
certbot:
container_name: certbot
image: certbot/certbot
volumes:
- ./docker-volume/certbot/conf:/etc/letsencrypt
- certbot-www:/var/www/certbot
restart: unless-stopped
entrypoint: /bin/sh -c "trap exit TERM; while :; do certbot renew --webroot -w /var/www/certbot; sleep 12h & wait $${!}; done;"
depends_on:
- webserver
peertube:
# If you don't want to use the official image and build one from sources:
#build:
# context: .
# dockerfile: ./support/docker/production/Dockerfile.buster
# build:
# context: .
# dockerfile: ./support/docker/production/Dockerfile.buster
image: chocobozzz/peertube:production-buster
env_file:
- .env
@ -79,3 +92,4 @@ networks:
volumes:
assets:
certbot-www:

View file

@ -4,12 +4,14 @@ set -e
# Process the nginx template
SOURCE_FILE="/etc/nginx/conf.d/peertube.template"
TARGET_FILE="/etc/nginx/conf.d/default.conf"
export WEBSERVER_HOST="default_server"
export WEBSERVER_HOST="$PEERTUBE_WEBSERVER_HOSTNAME"
export PEERTUBE_HOST="peertube:9000"
envsubst '${WEBSERVER_HOST} ${PEERTUBE_HOST}' < $SOURCE_FILE > $TARGET_FILE
# Remove HTTPS/SSL from nginx conf since this image is meant as a webserver _behind_ a reverse-proxy doing TLS termination itself
sed -i 's/443 ssl http2/80/g;/ssl_/d' $TARGET_FILE
while :; do
sleep 12h & wait $!;
nginx -s reload;
done &
nginx -g "daemon off;"
nginx -g 'daemon off;'

View file

@ -4,18 +4,17 @@
# OPTIONAL HTTP MODULES: Gzip, Headers, HTTP/2, Log, Real IP, SSL, Thread Pool, Upstream.
# THIRD PARTY MODULES: None.
# Uncomment in production to redirect HTTP to HTTPS. Leave commented for docker-compose.
#server {
# listen 80;
# listen [::]:80;
# server_name ${WEBSERVER_HOST};
#
# location /.well-known/acme-challenge/ {
# default_type "text/plain";
# root /var/www/certbot;
# }
# location / { return 301 https://$host$request_uri; }
#}
server {
listen 80;
listen [::]:80;
server_name ${WEBSERVER_HOST};
location /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/certbot;
}
location / { return 301 https://$host$request_uri; }
}
upstream backend {
server ${PEERTUBE_HOST};
@ -33,8 +32,8 @@ server {
# Certificates
# you need a certificate to run in production. see https://letsencrypt.org/
##
ssl_certificate /etc/letsencrypt/live/peertube/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/peertube/privkey.pem;
ssl_certificate /etc/letsencrypt/live/${WEBSERVER_HOST}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem;
location ^~ '/.well-known/acme-challenge' {
default_type "text/plain";