Various improvements

This commit is contained in:
Felix Ableitner 2020-04-01 18:37:31 +02:00
parent 25bf6757ac
commit 32c3103945
12 changed files with 162 additions and 181 deletions

3
.gitignore vendored

@ -1,3 +1,4 @@
passwords/
peertube.retry
inventory
prod
.idea/


@ -1,4 +1,4 @@
# Peertube setup with Ansible and Docker-Compose
# peertube.social
This repo lets you easily setup a Peertube server based on docker-compose.


@ -1,5 +1,8 @@
[defaults]
inventory=inventory
inventory=prod
[privilege_escalation]
become = True
[ssh_connection]
pipelining = True
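Review bot: `inventory=prod` turns the production host list into the default target of every `ansible-playbook` invocation made from this checkout, so a command run without `-i` now goes straight to the live server instead of failing on a missing inventory. Pointing the default at a non-production or empty inventory and passing `-i prod` explicitly for deployments is the safer shape; if the default is intended, a comment above the line, `# default inventory is production; pass -i for anything else`, would at least make that visible to the next operator. The `become` and `pipelining` settings may be pre-existing context here; the rendered hunk does not show which of these lines were added.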

7
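--- a/files/docker-daemon.json
+++ b/files/docker-daemon.json
@@ -0,0 +1,7 @@
+{
+"log-driver": "json-file",
+"log-opts": {
+"max-file": "10",
+"max-size": "100m"
+}
+}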

16
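--- a/group_vars/prod.yml
+++ b/group_vars/prod.yml
@@ -0,0 +1,16 @@
+domain: peertube.social
+cache_size_gb: 15
+letsencrypt_contact_email: !vault |
+$ANSIBLE_VAULT;1.1;AES256
+34396662626434663938383434663832613934666366356630326339643566623831626139363361
+3266616131373866366130653235386163643362313538620a306538386331346165323632343536
+63313833623463316266383533366434383839353134663432323137383661643432363836333862
+3264396433366662660a613531326164653336623666356633643935303731346365653666336236
+3364
+postgres_password: !vault |
+$ANSIBLE_VAULT;1.1;AES256
+37666539623134376633623438636664323464313333333762303562663965663762333836396439
+3030383263346432633336616139373131633161313435650a653037346238383835343664393766
+37316234373533363131376338393832353363383931663035613030623631343364336362303536
+6363353665343463350a353631356565316638303565663933393338386131346663623932323463
+62393934383936346566663338636137303132313039353137666561303039373961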


@ -1,8 +0,0 @@
[peertube]
# define the username and hostname that you use for ssh connection, and specify the domain
myuser@example.com domain=example.com cache_size_gb=15 letsencrypt_contact_email=your@email.com
# you can also use a host that is defined in your ssh config
myserver domain=example.com cache_size_gb=15 letsencrypt_contact_email=your@email.com
[all:vars]
ansible_connection=ssh


@ -1,134 +0,0 @@
---
- hosts: all
become: yes
# Install python if required
# https://www.josharcher.uk/code/ansible-python-connection-failure-ubuntu-server-1604/
gather_facts: False
pre_tasks:
- name: install python for Ansible
raw: test -e /usr/bin/python || (yum -y update && yum install -y python-minimal python-setuptools)
args:
executable: /bin/bash
register: output
changed_when: output.stdout != ""
- setup: # gather facts
tasks:
- name: Install epel-release
yum:
name: epel-release
state: latest
- name: Install yum utils
yum:
name: yum-utils
state: latest
- name: Install device-mapper-persistent-data
yum:
name: device-mapper-persistent-data
state: latest
- name: Install lvm2
yum:
name: lvm2
state: latest
- name: Add Docker repo
get_url:
url: https://download.docker.com/linux/centos/docker-ce.repo
dest: /etc/yum.repos.d/docer-ce.repo
become: yes
- name: Install Docker
package:
name: docker-ce
state: latest
become: yes
- name: Start Docker service
service:
name: docker
state: started
enabled: yes
become: yes
- name: Install Python PIP
yum:
name: python-pip
state: latest
become: yes
- name: Install Docker Compose
command: "pip install docker-compose"
- name: Install certbot
yum:
name: certbot
state: latest
- name: create peertube folder
file: path={{item.path}} state=directory
with_items:
- { path: '/peertube/volumes/' }
- { path: '/peertube/volumes/certbot/' }
- { path: '/peertube/volumes/config/' }
- name: add all template files
template: src={{item.src}} dest={{item.dest}}
with_items:
- { src: 'templates/docker-compose.yml', dest: '/peertube/docker-compose.yml' }
- { src: 'templates/env', dest: '/peertube/.env' }
- { src: 'templates/nginx.conf', dest: '/peertube/nginx.conf' }
vars:
postgres_password: "{{ lookup('password', 'passwords/{{ inventory_hostname }}/postgres chars=ascii_letters,digits') }}"
- name: set env file permissions
file:
path: "/peertube/.env"
state: touch
mode: 0600
access_time: preserve
modification_time: preserve
- name: add peertube config
get_url:
url: https://github.com/Chocobozzz/PeerTube/blob/develop/support/docker/production/config/production.yaml
dest: /peertube/volumes/config/production.yaml
mode: 0644
force: no
- name: request letsencrypt certificates
command: certbot certonly --standalone --agree-tos -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}'
args:
creates: '/etc/letsencrypt/live/{{domain}}/privkey.pem'
- name: enable and start docker service
systemd:
name: docker
enabled: yes
state: started
- name: start docker-compose
docker_compose:
project_src: /peertube/
state: present
pull: yes
- name: renew certbot certificates
cron:
special_time=daily
name=certbot-renew
user=root
job="certbot certonly --webroot --webroot-path=/peertube/volumes/certbot/ -d '{{ domain }}' --deploy-hook 'docker-compose -f /peertube/docker-compose.yml exec nginx nginx -s reload'"
- name: fetch root password
shell: "docker-compose -f /peertube/docker-compose.yml logs peertube | grep 'User password' | awk 'NF{ print $NF }'"
register: password
changed_when: False
- name: print root password
debug:
msg: "The admin login is user=root, password={{ password.stdout }}"
when: password.stdout != ""


@ -19,37 +19,39 @@
apt:
pkg: ['docker-compose', 'docker.io', 'certbot']
- name: copy docker config
copy: src='files/docker-daemon.json' dest='/etc/docker/daemon.json' mode='0644'
- name: create peertube folder
file: path={{item.path}} state=directory
with_items:
- { path: '/peertube/volumes/' }
- { path: '/peertube/volumes/certbot/' }
- name: get latest peertube version from github
uri:
url: https://api.github.com/repos/Chocobozzz/PeerTube/releases/latest
return_content: true
register: peertube_version_response
check_mode: no
- debug:
msg: "Using Peertube version {{ peertube_version_response.json.tag_name }}"
- name: check to make sure the specified tag exists
docker_image:
name: "chocobozzz/peertube:{{ peertube_version_response.json.tag_name }}-buster"
source: pull
- name: add all template files
template: src={{item.src}} dest={{item.dest}}
template: src={{item.src}} dest={{item.dest}} mode={{item.mode}}
with_items:
- { src: 'templates/docker-compose.yml', dest: '/peertube/docker-compose.yml' }
- { src: 'templates/env', dest: '/peertube/.env' }
- { src: 'templates/nginx.conf', dest: '/peertube/nginx.conf' }
- { src: 'templates/docker-compose.yml.j2', dest: '/peertube/docker-compose.yml', mode: '0644' }
- { src: 'templates/nginx.conf.j2', dest: '/peertube/nginx.conf', mode: '0644' }
- { src: 'templates/env.j2', dest: '/peertube/.env', mode: '0600' }
- { src: 'templates/peertube-production.yaml.j2', dest: '/peertube/volumes/config/production.yaml', mode: '0600' }
vars:
postgres_password: "{{ lookup('password', 'passwords/{{ inventory_hostname }}/postgres chars=ascii_letters,digits') }}"
- name: set env file permissions
file:
path: "/peertube/.env"
state: touch
mode: 0600
access_time: preserve
modification_time: preserve
# NOTE: disabled because `force: no` is broken for get_url
# https://github.com/ansible/ansible/issues/64016
#- name: add peertube config
# get_url:
# url: https://raw.githubusercontent.com/Chocobozzz/PeerTube/develop/support/docker/production/config/production.yaml
# dest: /peertube/volumes/config/production.yaml
# mode: 0644
# force: no
peertube_version: "{{ peertube_version_response.json.tag_name }}"
- name: request letsencrypt certificates
command: certbot certonly --standalone --agree-tos -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}'
@ -68,19 +70,11 @@
state: present
pull: yes
# TODO: might need to restart peertube if production.yaml was changed
- name: renew certbot certificates
cron:
special_time=daily
name=certbot-renew
user=root
job="certbot certonly --webroot --webroot-path=/peertube/volumes/certbot/ -d '{{ domain }}' --deploy-hook 'docker-compose -f /peertube/docker-compose.yml exec nginx nginx -s reload'"
- name: fetch root password
shell: "docker-compose -f /peertube/docker-compose.yml logs peertube | grep 'User password' | awk 'NF{ print $NF }'"
register: password
changed_when: False
- name: print root password
debug:
msg: "The admin login is user=root, password={{ password.stdout }}"
when: password.stdout != ""
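Review bot: The `get latest peertube version from github` task sets `peertube_version` to whatever the GitHub API reports as latest at run time, so each playbook run re-renders docker-compose.yml with a new tag and can upgrade the running instance, including across major versions, with no pin recorded anywhere in the repository; the same unpinned value is consumed by templates/docker-compose.yml.j2. A `peertube_version` override in group_vars/prod.yml, with the API result used only as a fallback when it is unset, would keep runs reproducible and make upgrades an explicit, reviewable change. If the template task's `vars:` block still carries `postgres_password: "{{ lookup('password', 'passwords/{{ inventory_hostname }}/postgres chars=ascii_letters,digits') }}"` next to the new `peertube_version` entry, that task-level var takes precedence over the vaulted `postgres_password` in group_vars/prod.yml and the rendered .env would use the locally generated password instead; the rendered hunk does not show whether that line was removed, so it is worth confirming. The play header and the certbot task continue outside this hunk.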


@ -1,12 +1,11 @@
version: "3.3"
services:
nginx:
image: nginx:1.17-alpine
ports:
- "80:80" # The HTTP port
- "443:443" # The HTTPS port
- "80:80"
- "443:443"
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf
- ./volumes/certbot/:/var/www/certbot/
@ -17,7 +16,7 @@ services:
restart: "always"
peertube:
image: chocobozzz/peertube:v2.1.1-buster
image: chocobozzz/peertube:{{ peertube_version }}-buster
env_file:
- .env
volumes:
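Review bot: The templated `image:` value on the `peertube` service is emitted as a plain scalar; quoting it, `image: "chocobozzz/peertube:{{ peertube_version }}-buster"`, keeps the rendered compose file a valid string whatever the variable expands to, including an empty expansion. The decision to feed `peertube_version` from the GitHub latest-release lookup rather than a pinned value is raised on the playbook section. The `services:` mapping starts and ends outside these hunks.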


@ -0,0 +1,103 @@
listen:
hostname: '0.0.0.0'
port: 9000
# Correspond to your reverse proxy "listen" configuration
webserver:
https: true
hostname: 'peertube.social'
port: 443
# Proxies to trust to get real client IP
# If you run PeerTube just behind a local proxy (nginx), keep 'loopback'
# If you run PeerTube behind a remote proxy, add the proxy IP address (or subnet)
trust_proxy:
- 'loopback'
- 'linklocal'
- 'uniquelocal'
# Your database name will be "peertube"+database.suffix
database:
hostname: 'postgres'
port: 5432
suffix: ''
# Redis server for short time storage
redis:
hostname: 'redis'
port: 6379
auth: null
db: 0
# SMTP server to send emails
smtp:
hostname: postfix
port: 25 # If you use StartTLS: 587
username: null
password: null
tls: true # If you use StartTLS: false
disable_starttls: false
ca_file: null # Used for self signed certificates
from_address: 'info@peertube.social'
email:
body:
signature: "The PeerTube.social team"
subject:
prefix: "[PeerTube]"
# From the project root directory
storage:
tmp: '/data/tmp/' # Used to download data (imports etc), store uploaded files before processing...
avatars: '/data/avatars/'
videos: '/data-external/videos/'
redundancy: '/data-external/redundancy/'
logs: '/data/logs/'
previews: '/data/previews/'
thumbnails: '/data/thumbnails/'
torrents: '/data/torrents/'
captions: '/data/captions/'
cache: '/data/cache/'
streaming_playlists: '/data/streaming-playlists/'
plugins: '/data/plugins/'
log:
level: 'warning' # debug/info/warning/error
anonymizeIP: true
search:
remote_uri: # Add ability to fetch remote videos/actors by their URI, that may not be federated with your instance
users: false
anonymous: false
trending:
videos:
interval_days: 7 # Compute trending videos for the last x days
# Cache remote videos on your server, to help other instances to broadcast the video
# You can define multiple caches using different sizes/strategies
# Once you have defined your strategies, choose which instances you want to cache in admin -> manage follows -> following
redundancy:
videos:
check_interval: '1 hour' # How often you want to check new videos to cache
strategies:
-
size: '20GB'
# Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
min_lifetime: '12 hours'
strategy: 'most-views' # Cache videos that have the most views
-
size: '20GB'
# Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
min_lifetime: '12 hours'
strategy: 'trending' # Cache trending videos
-
size: '0GB'
# Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
min_lifetime: '24 hours'
strategy: 'recently-added' # Cache recently added videos
min_views: 10 # Having at least x views
csp:
enabled: true
report_only: true