Remove traefik docker support
This commit is contained in:
parent
83d4aba676
commit
afd4ee86dd
8 changed files with 72 additions and 138 deletions
|
@ -56,14 +56,33 @@ Other environment variables are used in
|
|||
[/support/docker/production/config/custom-environment-variables.yaml](https://github.com/Chocobozzz/PeerTube/blob/develop/support/docker/production/config/custom-environment-variables.yaml) and can be
|
||||
intuited from usage.
|
||||
|
||||
#### Testing local Docker setup
|
||||
#### Webserver
|
||||
|
||||
To test locally your Docker setup, you must add your domain (`<MY DOMAIN>`) in `/etc/hosts`:
|
||||
```
|
||||
127.0.0.1 localhost mydomain.tld
|
||||
*The docker compose file includes a configured web server. You can skip this part and comment the appropriate section in the docker compose if you use another webserver/proxy.*
|
||||
|
||||
Install the template that the nginx container will use.
|
||||
The container will generate the configuration by replacing `${WEBSERVER_HOST}` and `${PEERTUBE_HOST}` using your docker compose env file.
|
||||
|
||||
It will also generate a TLS certificate at startup and schedule a renew
|
||||
|
||||
```shell
|
||||
mkdir -p docker-volume/nginx
|
||||
curl https://raw.githubusercontent.com/Chocobozzz/PeerTube/develop/support/nginx/peertube > docker-volume/nginx/peertube
|
||||
```
|
||||
|
||||
#### You can use the regular `up` command to set it up
|
||||
You need to manually generate the first SSL/TLS certificate using Let's Encrypt:
|
||||
|
||||
```shell
|
||||
mkdir -p docker-volume/certbot
|
||||
docker run -it --rm --name certbot -p 80:80 -v "$(pwd)/docker-volume/certbot/conf:/etc/letsencrypt" certbot/certbot certonly --standalone
|
||||
```
|
||||
|
||||
The docker-compose will automatically renew this certificate and reload nginx.
|
||||
|
||||
|
||||
#### Test your setup
|
||||
|
||||
Run your containers:
|
||||
|
||||
```shell
|
||||
docker-compose up
|
||||
|
|
|
@ -41,12 +41,6 @@ OPENDKIM_DOMAINS=<MY DOMAIN>=peertube
|
|||
# see https://github.com/wader/postfix-relay/pull/18
|
||||
OPENDKIM_RequireSafeKeys=no
|
||||
|
||||
# Let's Encrypt service configuration
|
||||
TRAEFIK_ACME_EMAIL=<MY EMAIL ADDRESS>
|
||||
# If you need to obtain ACME certificates for more than one DOMAIN
|
||||
# pass them as a comma separated string
|
||||
TRAEFIK_ACME_DOMAINS=<MY DOMAIN>
|
||||
|
||||
# /!\ Prefer to use the PeerTube admin interface to set the following configurations /!\
|
||||
#PEERTUBE_SIGNUP_ENABLED=true
|
||||
#PEERTUBE_TRANSCODING_ENABLED=true
|
||||
|
|
|
@ -3,6 +3,6 @@ FROM nginx:alpine
|
|||
COPY entrypoint.nginx.sh .
|
||||
RUN chmod +x entrypoint.nginx.sh
|
||||
|
||||
EXPOSE 80
|
||||
EXPOSE 80 443
|
||||
ENTRYPOINT []
|
||||
CMD ["/bin/sh", "entrypoint.nginx.sh"]
|
||||
CMD ["/bin/sh", "entrypoint.nginx.sh"]
|
||||
|
|
|
@ -1,67 +0,0 @@
|
|||
# Uncomment this line in order to enable debugging through logs
|
||||
# debug = true
|
||||
defaultEntryPoints = ["http", "https"]
|
||||
|
||||
[entryPoints]
|
||||
[entryPoints.http]
|
||||
address = ":80"
|
||||
[entryPoints.http.redirect]
|
||||
entryPoint = "https"
|
||||
[entryPoints.https]
|
||||
address = ":443"
|
||||
[entryPoints.https.tls]
|
||||
MinVersion = "VersionTLS12"
|
||||
CurvePreferences = [
|
||||
"CurveP521",
|
||||
"CurveP384",
|
||||
"CurveP256"
|
||||
]
|
||||
PreferServerCipherSuites = true
|
||||
CipherSuites = [
|
||||
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
||||
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
|
||||
"TLS_RSA_WITH_AES_256_GCM_SHA384",
|
||||
"TLS_RSA_WITH_AES_256_CBC_SHA"
|
||||
]
|
||||
FrameDeny = false # here we don't want to deny frames since we have an embed
|
||||
STSIncludeSubdomains = true
|
||||
STSSeconds = 315360000
|
||||
STSPreload = true
|
||||
ContentTypeNosniff = true
|
||||
BrowserXssFilter = true
|
||||
|
||||
|
||||
# Enable ACME (Let's Encrypt): automatic SSL.
|
||||
[acme]
|
||||
|
||||
# File or key used for certificates storage.
|
||||
#
|
||||
# Required
|
||||
#
|
||||
storage = "/etc/acme.json"
|
||||
# or `storage = "traefik/acme/account"` if using KV store.
|
||||
|
||||
# Entrypoint to proxy acme apply certificates to.
|
||||
# WARNING, if the TLS-SNI-01 challenge is used, it must point to an entrypoint on port 443
|
||||
#
|
||||
# Required
|
||||
#
|
||||
entryPoint = "https"
|
||||
|
||||
# Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge
|
||||
#
|
||||
# Optional but recommend
|
||||
#
|
||||
[acme.httpChallenge]
|
||||
|
||||
# EntryPoint to use for the challenges.
|
||||
#
|
||||
# Required
|
||||
#
|
||||
entryPoint = "http"
|
||||
|
||||
[docker]
|
||||
exposedByDefault = false
|
|
@ -1,27 +0,0 @@
|
|||
version: "3.3"
|
||||
|
||||
services:
|
||||
|
||||
# The reverse-proxy only does SSL termination and automatic certificate generation. You can
|
||||
# replace it with any other reverse-proxy, in which case you can remove 'traefik.*' labels.
|
||||
reverse-proxy:
|
||||
image: traefik:v1.7
|
||||
network_mode: "host"
|
||||
command:
|
||||
- "--docker" # Tells Træfik to listen to docker
|
||||
- "--acme.email=${TRAEFIK_ACME_EMAIL}" # Let's Encrypt ACME email
|
||||
- "--acme.domains=${TRAEFIK_ACME_DOMAINS}" # Let's Encrypt ACME domain list
|
||||
ports:
|
||||
- "80:80" # serving HTTP
|
||||
- "443:443" # serving HTTPS
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock # So that Træfik can listen to the Docker events
|
||||
- ./docker-volume/traefik/acme.json:/etc/acme.json
|
||||
- ./docker-volume/traefik/traefik.toml:/traefik.toml
|
||||
restart: "always"
|
||||
|
||||
webserver:
|
||||
labels:
|
||||
traefik.enable: "true"
|
||||
traefik.frontend.rule: "Host:${PEERTUBE_WEBSERVER_HOSTNAME}"
|
||||
traefik.port: "80"
|
|
@ -2,19 +2,18 @@ version: "3.3"
|
|||
|
||||
services:
|
||||
|
||||
# The webserver is not required, but recommended since a lot of optimizations went to its
|
||||
# nginx configuration file. It runs the default nginx configuration without HTTPS nor SSL,
|
||||
# so use it in production in tandem with an SSL-terminating reverse-proxy.
|
||||
# You can comment this webserver section if you want to use another webserver/proxy
|
||||
webserver:
|
||||
image: chocobozzz/peertube:webserver
|
||||
build:
|
||||
context: .
|
||||
dockerfile: Dockerfile.nginx
|
||||
image: chocobozzz/peertube-webserver:latest
|
||||
# If you don't want to use the official image and build one from sources:
|
||||
# build:
|
||||
# context: .
|
||||
# dockerfile: Dockerfile.nginx
|
||||
env_file:
|
||||
- .env
|
||||
# If you provide your own reverse-proxy, otherwise not suitable for production:
|
||||
#ports:
|
||||
# - "9000:80" # serving HTTP
|
||||
ports:
|
||||
- "80:80"
|
||||
- "443:443"
|
||||
volumes:
|
||||
- type: bind
|
||||
# Switch sources if you downloaded the whole repository
|
||||
|
@ -23,15 +22,29 @@ services:
|
|||
target: /etc/nginx/conf.d/peertube.template
|
||||
- assets:/var/www/peertube/peertube-latest/client/dist:ro
|
||||
- ./docker-volume/data:/var/www/peertube/storage
|
||||
- certbot-www:/var/www/certbot
|
||||
- ./docker-volume/certbot/conf:/etc/letsencrypt
|
||||
depends_on:
|
||||
- peertube
|
||||
restart: "always"
|
||||
|
||||
# You can comment this certbot section if you want to use another webserver/proxy
|
||||
certbot:
|
||||
container_name: certbot
|
||||
image: certbot/certbot
|
||||
volumes:
|
||||
- ./docker-volume/certbot/conf:/etc/letsencrypt
|
||||
- certbot-www:/var/www/certbot
|
||||
restart: unless-stopped
|
||||
entrypoint: /bin/sh -c "trap exit TERM; while :; do certbot renew --webroot -w /var/www/certbot; sleep 12h & wait $${!}; done;"
|
||||
depends_on:
|
||||
- webserver
|
||||
|
||||
peertube:
|
||||
# If you don't want to use the official image and build one from sources:
|
||||
#build:
|
||||
# context: .
|
||||
# dockerfile: ./support/docker/production/Dockerfile.buster
|
||||
# build:
|
||||
# context: .
|
||||
# dockerfile: ./support/docker/production/Dockerfile.buster
|
||||
image: chocobozzz/peertube:production-buster
|
||||
env_file:
|
||||
- .env
|
||||
|
@ -79,3 +92,4 @@ networks:
|
|||
|
||||
volumes:
|
||||
assets:
|
||||
certbot-www:
|
||||
|
|
|
@ -4,12 +4,14 @@ set -e
|
|||
# Process the nginx template
|
||||
SOURCE_FILE="/etc/nginx/conf.d/peertube.template"
|
||||
TARGET_FILE="/etc/nginx/conf.d/default.conf"
|
||||
export WEBSERVER_HOST="default_server"
|
||||
export WEBSERVER_HOST="$PEERTUBE_WEBSERVER_HOSTNAME"
|
||||
export PEERTUBE_HOST="peertube:9000"
|
||||
|
||||
envsubst '${WEBSERVER_HOST} ${PEERTUBE_HOST}' < $SOURCE_FILE > $TARGET_FILE
|
||||
|
||||
# Remove HTTPS/SSL from nginx conf since this image is meant as a webserver _behind_ a reverse-proxy doing TLS termination itself
|
||||
sed -i 's/443 ssl http2/80/g;/ssl_/d' $TARGET_FILE
|
||||
while :; do
|
||||
sleep 12h & wait $!;
|
||||
nginx -s reload;
|
||||
done &
|
||||
|
||||
nginx -g "daemon off;"
|
||||
nginx -g 'daemon off;'
|
||||
|
|
|
@ -4,18 +4,17 @@
|
|||
# OPTIONAL HTTP MODULES: Gzip, Headers, HTTP/2, Log, Real IP, SSL, Thread Pool, Upstream.
|
||||
# THIRD PARTY MODULES: None.
|
||||
|
||||
# Uncomment in production to redirect HTTP to HTTPS. Leave commented for docker-compose.
|
||||
#server {
|
||||
# listen 80;
|
||||
# listen [::]:80;
|
||||
# server_name ${WEBSERVER_HOST};
|
||||
#
|
||||
# location /.well-known/acme-challenge/ {
|
||||
# default_type "text/plain";
|
||||
# root /var/www/certbot;
|
||||
# }
|
||||
# location / { return 301 https://$host$request_uri; }
|
||||
#}
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name ${WEBSERVER_HOST};
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
default_type "text/plain";
|
||||
root /var/www/certbot;
|
||||
}
|
||||
location / { return 301 https://$host$request_uri; }
|
||||
}
|
||||
|
||||
upstream backend {
|
||||
server ${PEERTUBE_HOST};
|
||||
|
@ -33,8 +32,8 @@ server {
|
|||
# Certificates
|
||||
# you need a certificate to run in production. see https://letsencrypt.org/
|
||||
##
|
||||
ssl_certificate /etc/letsencrypt/live/peertube/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/peertube/privkey.pem;
|
||||
ssl_certificate /etc/letsencrypt/live/${WEBSERVER_HOST}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem;
|
||||
|
||||
location ^~ '/.well-known/acme-challenge' {
|
||||
default_type "text/plain";
|
||||
|
|
Loading…
Reference in a new issue