From 32c3103945ed65347c0bd6592c99ae7dbe7c6f83 Mon Sep 17 00:00:00 2001 From: Felix Ableitner Date: Wed, 1 Apr 2020 18:37:31 +0200 Subject: [PATCH] Various improvements --- .gitignore | 3 +- README.md | 2 +- ansible.cfg | 5 +- files/docker-daemon.json | 7 + group_vars/prod.yml | 16 +++ inventory.example | 8 -- peertube-centos.yml | 134 ------------------ peertube-ubuntu.yml => peertube.yml | 58 ++++---- ...cker-compose.yml => docker-compose.yml.j2} | 7 +- templates/{env => env.j2} | 0 templates/{nginx.conf => nginx.conf.j2} | 0 templates/peertube-production.yaml.j2 | 103 ++++++++++++++ 12 files changed, 162 insertions(+), 181 deletions(-) create mode 100644 files/docker-daemon.json create mode 100644 group_vars/prod.yml delete mode 100644 inventory.example delete mode 100644 peertube-centos.yml rename peertube-ubuntu.yml => peertube.yml (55%) rename templates/{docker-compose.yml => docker-compose.yml.j2} (91%) rename templates/{env => env.j2} (100%) rename templates/{nginx.conf => nginx.conf.j2} (100%) create mode 100644 templates/peertube-production.yaml.j2 diff --git a/.gitignore b/.gitignore index 2434e9f..d90ddbd 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ passwords/ peertube.retry -inventory +prod +.idea/ diff --git a/README.md b/README.md index 15e2617..0aa0175 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Peertube setup with Ansible and Docker-Compose +# peertube.social This repo lets you easily setup a Peertube server based on docker-compose. diff --git a/ansible.cfg b/ansible.cfg index 960a7c4..b0e331b 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,5 +1,8 @@ [defaults] -inventory=inventory +inventory=prod + +[privilege_escalation] +become = True [ssh_connection] pipelining = True diff --git a/files/docker-daemon.json b/files/docker-daemon.json new file mode 100644 index 0000000..55ac195 --- /dev/null +++ b/files/docker-daemon.json 
@@ -0,0 +1,7 @@
+{
+ "log-driver": "json-file",
+ "log-opts": {
+ "max-file": "10",
+ "max-size": "100m"
+ }
+}
diff --git a/group_vars/prod.yml b/group_vars/prod.yml
new file mode 100644
index 0000000..8b43ab1
--- /dev/null
+++ b/group_vars/prod.yml
@@ -0,0 +1,16 @@
+domain: peertube.social
+cache_size_gb: 15
+letsencrypt_contact_email: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 34396662626434663938383434663832613934666366356630326339643566623831626139363361
+ 3266616131373866366130653235386163643362313538620a306538386331346165323632343536
+ 63313833623463316266383533366434383839353134663432323137383661643432363836333862
+ 3264396433366662660a613531326164653336623666356633643935303731346365653666336236
+ 3364
+postgres_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 37666539623134376633623438636664323464313333333762303562663965663762333836396439
+ 3030383263346432633336616139373131633161313435650a653037346238383835343664393766
+ 37316234373533363131376338393832353363383931663035613030623631343364336362303536
+ 6363353665343463350a353631356565316638303565663933393338386131346663623932323463
+ 62393934383936346566663338636137303132313039353137666561303039373961
\ No newline at end of file
diff --git a/inventory.example b/inventory.example
deleted file mode 100644
index c4108da..0000000
--- a/inventory.example
+++ /dev/null
@@ -1,8 +0,0 @@
-[peertube]
-# define the username and hostname that you use for ssh connection, and specify the domain
-myuser@example.com domain=example.com cache_size_gb=15 letsencrypt_contact_email=your@email.com
-# you can also use a host that is defined in your ssh config
-myserver domain=example.com cache_size_gb=15 letsencrypt_contact_email=your@email.com
-
-[all:vars]
-ansible_connection=ssh
diff --git a/peertube-centos.yml b/peertube-centos.yml
deleted file mode 100644
index c728927..0000000
--- a/peertube-centos.yml
+++ /dev/null
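Review bot: `postgres_password` is now a fixed, vault-encrypted group var, whereas the removed `lookup('password', 'passwords/{{ inventory_hostname }}/postgres …')` in peertube.yml generated it per host; the vault password therefore becomes the root of trust for the database credential, and rotating it means re-encrypting this block rather than deleting a file under `passwords/`. Nothing in the diff says how the vault password is supplied, so a comment here such as `# decrypted at run time: ansible-playbook --ask-vault-pass (or set vault_password_file in ansible.cfg)` would document it. The `postgres_password` block also ends without a trailing newline (`\ No newline at end of file`), which YAML tolerates but is worth fixing so anything appended later starts on its own line.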
@@ -1,134 +0,0 @@ ---- -- hosts: all - become: yes - - # Install python if required - # https://www.josharcher.uk/code/ansible-python-connection-failure-ubuntu-server-1604/ - gather_facts: False - pre_tasks: - - name: install python for Ansible - raw: test -e /usr/bin/python || (yum -y update && yum install -y python-minimal python-setuptools) - args: - executable: /bin/bash - register: output - changed_when: output.stdout != "" - - setup: # gather facts - - tasks: - - name: Install epel-release - yum: - name: epel-release - state: latest - - - name: Install yum utils - yum: - name: yum-utils - state: latest - - - name: Install device-mapper-persistent-data - yum: - name: device-mapper-persistent-data - state: latest - - - name: Install lvm2 - yum: - name: lvm2 - state: latest - - - name: Add Docker repo - get_url: - url: https://download.docker.com/linux/centos/docker-ce.repo - dest: /etc/yum.repos.d/docer-ce.repo - become: yes - - - name: Install Docker - package: - name: docker-ce - state: latest - become: yes - - - name: Start Docker service - service: - name: docker - state: started - enabled: yes - become: yes - - - name: Install Python PIP - yum: - name: python-pip - state: latest - become: yes - - - name: Install Docker Compose - command: "pip install docker-compose" - - - name: Install certbot - yum: - name: certbot - state: latest - - - name: create peertube folder - file: path={{item.path}} state=directory - with_items: - - { path: '/peertube/volumes/' } - - { path: '/peertube/volumes/certbot/' } - - { path: '/peertube/volumes/config/' } - - - name: add all template files - template: src={{item.src}} dest={{item.dest}} - with_items: - - { src: 'templates/docker-compose.yml', dest: '/peertube/docker-compose.yml' } - - { src: 'templates/env', dest: '/peertube/.env' } - - { src: 'templates/nginx.conf', dest: '/peertube/nginx.conf' } - vars: - postgres_password: "{{ lookup('password', 'passwords/{{ inventory_hostname }}/postgres chars=ascii_letters,digits') 
}}" - - - name: set env file permissions - file: - path: "/peertube/.env" - state: touch - mode: 0600 - access_time: preserve - modification_time: preserve - - - name: add peertube config - get_url: - url: https://github.com/Chocobozzz/PeerTube/blob/develop/support/docker/production/config/production.yaml - dest: /peertube/volumes/config/production.yaml - mode: 0644 - force: no - - - name: request letsencrypt certificates - command: certbot certonly --standalone --agree-tos -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}' - args: - creates: '/etc/letsencrypt/live/{{domain}}/privkey.pem' - - - name: enable and start docker service - systemd: - name: docker - enabled: yes - state: started - - - name: start docker-compose - docker_compose: - project_src: /peertube/ - state: present - pull: yes - - - name: renew certbot certificates - cron: - special_time=daily - name=certbot-renew - user=root - job="certbot certonly --webroot --webroot-path=/peertube/volumes/certbot/ -d '{{ domain }}' --deploy-hook 'docker-compose -f /peertube/docker-compose.yml exec nginx nginx -s reload'" - - - name: fetch root password - shell: "docker-compose -f /peertube/docker-compose.yml logs peertube | grep 'User password' | awk 'NF{ print $NF }'" - register: password - changed_when: False - - - name: print root password - debug: - msg: "The admin login is user=root, password={{ password.stdout }}" - when: password.stdout != "" diff --git a/peertube-ubuntu.yml b/peertube.yml similarity index 55% rename from peertube-ubuntu.yml rename to peertube.yml index 49142f3..30f0ded 100644 --- a/peertube-ubuntu.yml +++ b/peertube.yml 
@@ -19,37 +19,39 @@ apt: pkg: ['docker-compose', 'docker.io', 'certbot'] + - name: copy docker config + copy: src='files/docker-daemon.json' dest='/etc/docker/daemon.json' mode='0644' + - name: create peertube folder file: path={{item.path}} state=directory with_items: - { path: '/peertube/volumes/' } - { path: '/peertube/volumes/certbot/' } + - name: get latest peertube version from github + uri: + url: https://api.github.com/repos/Chocobozzz/PeerTube/releases/latest + return_content: true + register: peertube_version_response + check_mode: no + + - debug: + msg: "Using Peertube version {{ peertube_version_response.json.tag_name }}" + + - name: check to make sure the specified tag exists + docker_image: + name: "chocobozzz/peertube:{{ peertube_version_response.json.tag_name }}-buster" + source: pull + - name: add all template files - template: src={{item.src}} dest={{item.dest}} + template: src={{item.src}} dest={{item.dest}} mode={{item.mode}} with_items: - - { src: 'templates/docker-compose.yml', dest: '/peertube/docker-compose.yml' } - - { src: 'templates/env', dest: '/peertube/.env' } - - { src: 'templates/nginx.conf', dest: '/peertube/nginx.conf' } + - { src: 'templates/docker-compose.yml.j2', dest: '/peertube/docker-compose.yml', mode: '0644' } + - { src: 'templates/nginx.conf.j2', dest: '/peertube/nginx.conf', mode: '0644' } + - { src: 'templates/env.j2', dest: '/peertube/.env', mode: '0600' } + - { src: 'templates/peertube-production.yaml.j2', dest: '/peertube/volumes/config/production.yaml', mode: '0600' } vars: - postgres_password: "{{ lookup('password', 'passwords/{{ inventory_hostname }}/postgres chars=ascii_letters,digits') }}" - - - name: set env file permissions - file: - path: "/peertube/.env" - state: touch - mode: 0600 - access_time: preserve - modification_time: preserve - - # NOTE: disabled because `force: no` is broken for get_url - # https://github.com/ansible/ansible/issues/64016 - #- name: add peertube config - # get_url: - # url: 
https://raw.githubusercontent.com/Chocobozzz/PeerTube/develop/support/docker/production/config/production.yaml - # dest: /peertube/volumes/config/production.yaml - # mode: 0644 - # force: no + peertube_version: "{{ peertube_version_response.json.tag_name }}" - name: request letsencrypt certificates command: certbot certonly --standalone --agree-tos -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}' @@ -68,19 +70,11 @@ state: present pull: yes + # TODO: might need to restart peertube if production.yaml was changed + - name: renew certbot certificates cron: special_time=daily name=certbot-renew user=root job="certbot certonly --webroot --webroot-path=/peertube/volumes/certbot/ -d '{{ domain }}' --deploy-hook 'docker-compose -f /peertube/docker-compose.yml exec nginx nginx -s reload'" - - - name: fetch root password - shell: "docker-compose -f /peertube/docker-compose.yml logs peertube | grep 'User password' | awk 'NF{ print $NF }'" - register: password - changed_when: False - - - name: print root password - debug: - msg: "The admin login is user=root, password={{ password.stdout }}" - when: password.stdout != "" diff --git a/templates/docker-compose.yml b/templates/docker-compose.yml.j2 similarity index 91% rename from templates/docker-compose.yml rename to templates/docker-compose.yml.j2 index d03d47e..735aa5c 100644 --- a/templates/docker-compose.yml +++ b/templates/docker-compose.yml.j2 @@ -1,12 +1,11 @@ version: "3.3" services: - nginx: image: nginx:1.17-alpine ports: - - "80:80" # The HTTP port - - "443:443" # The HTTPS port + - "80:80" + - "443:443" volumes: - ./nginx.conf:/etc/nginx/nginx.conf - ./volumes/certbot/:/var/www/certbot/ @@ -17,7 +16,7 @@ services: restart: "always" peertube: - image: chocobozzz/peertube:v2.1.1-buster + image: chocobozzz/peertube:{{ peertube_version }}-buster env_file: - .env volumes: diff --git a/templates/env b/templates/env.j2 similarity index 100% rename from templates/env rename to templates/env.j2 
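Review bot: The new `copy docker config` task writes `/etc/docker/daemon.json` but carries no `notify`, so if the play only ensures Docker is `started` (as the CentOS playbook did) the new log-driver options are not picked up until dockerd restarts, and I believe containers already created keep the log settings they were started with. Adding `notify: restart docker` to that task, with a matching `handlers:` entry (`systemd: name=docker state=restarted`) outside this hunk, would make the change take effect on the same run. Separately, `get latest peertube version from github` has no `status_code`/retry handling and makes every run track whatever api.github.com currently reports, so the `-buster` tag in `templates/docker-compose.yml.j2` (same defect, second hunk of that file) is never pinned and a transient API failure aborts the whole play. `peertube_version: "{{ peertube_version_override | default(peertube_version_response.json.tag_name) }}"` would let an operator pin or hold back a release without editing the playbook. The play header and the start of `tasks:` lie above this hunk.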
diff --git a/templates/nginx.conf b/templates/nginx.conf.j2 similarity index 100% rename from templates/nginx.conf rename to templates/nginx.conf.j2 diff --git a/templates/peertube-production.yaml.j2 b/templates/peertube-production.yaml.j2 new file mode 100644 index 0000000..1cb59e2 --- /dev/null +++ b/templates/peertube-production.yaml.j2 
@@ -0,0 +1,103 @@
+listen:
+ hostname: '0.0.0.0'
+ port: 9000
+
+# Correspond to your reverse proxy "listen" configuration
+webserver:
+ https: true
+ hostname: 'peertube.social'
+ port: 443
+
+# Proxies to trust to get real client IP
+# If you run PeerTube just behind a local proxy (nginx), keep 'loopback'
+# If you run PeerTube behind a remote proxy, add the proxy IP address (or subnet)
+trust_proxy:
+ - 'loopback'
+ - 'linklocal'
+ - 'uniquelocal'
+
+# Your database name will be "peertube"+database.suffix
+database:
+ hostname: 'postgres'
+ port: 5432
+ suffix: ''
+
+# Redis server for short time storage
+redis:
+ hostname: 'redis'
+ port: 6379
+ auth: null
+ db: 0
+
+# SMTP server to send emails
+smtp:
+ hostname: postfix
+ port: 25 # If you use StartTLS: 587
+ username: null
+ password: null
+ tls: true # If you use StartTLS: false
+ disable_starttls: false
+ ca_file: null # Used for self signed certificates
+ from_address: 'info@peertube.social'
+
+email:
+ body:
+ signature: "The PeerTube.social team"
+ subject:
+ prefix: "[PeerTube]"
+
+# From the project root directory
+storage:
+ tmp: '/data/tmp/' # Used to download data (imports etc), store uploaded files before processing...
+ avatars: '/data/avatars/'
+ videos: '/data-external/videos/'
+ redundancy: '/data-external/redundancy/'
+ logs: '/data/logs/'
+ previews: '/data/previews/'
+ thumbnails: '/data/thumbnails/'
+ torrents: '/data/torrents/'
+ captions: '/data/captions/'
+ cache: '/data/cache/'
+ streaming_playlists: '/data/streaming-playlists/'
+ plugins: '/data/plugins/'
+
+log:
+ level: 'warning' # debug/info/warning/error
+ anonymizeIP: true
+
+search:
+ remote_uri: # Add ability to fetch remote videos/actors by their URI, that may not be federated with your instance
+ users: false
+ anonymous: false
+
+trending:
+ videos:
+ interval_days: 7 # Compute trending videos for the last x days
+
+# Cache remote videos on your server, to help other instances to broadcast the video
+# You can define multiple caches using different sizes/strategies
+# Once you have defined your strategies, choose which instances you want to cache in admin -> manage follows -> following
+redundancy:
+ videos:
+ check_interval: '1 hour' # How often you want to check new videos to cache
+ strategies:
+ -
+ size: '20GB'
+ # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
+ min_lifetime: '12 hours'
+ strategy: 'most-views' # Cache videos that have the most views
+ -
+ size: '20GB'
+ # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
+ min_lifetime: '12 hours'
+ strategy: 'trending' # Cache trending videos
+ -
+ size: '0GB'
+ # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
+ min_lifetime: '24 hours'
+ strategy: 'recently-added' # Cache recently added videos
+ min_views: 10 # Having at least x views
+
+csp:
+ enabled: true
+ report_only: true
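Review bot: This file is rendered with `template`, yet `webserver.hostname: 'peertube.social'` and `smtp.from_address: 'info@peertube.social'` are literals while the same host is already the `domain` group var; `hostname: '{{ domain }}'` and `from_address: 'info@{{ domain }}'` keep the instance name in one place, which matters if, as I understand PeerTube, the public URLs it advertises are built from `webserver.hostname`. `csp.report_only: true` presumably means violations are only reported and nothing is blocked, so a one-line comment such as `# report-only: violations are logged, not enforced` would stop a reader from assuming CSP is active. There is no `database.username`/`password` here, so I assume the compose `.env` supplies them — a comment naming where they come from would help the next maintainer.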