forked from nutomic/peertube.social
Removed traefik and switched back to only nginx
This commit is contained in:
parent
d714997f58
commit
f0a0144896
4 changed files with 53 additions and 107 deletions
27
peertube.yml
27
peertube.yml
|
@ -16,10 +16,13 @@
|
|||
tasks:
|
||||
- name: install dependencies
|
||||
apt:
|
||||
pkg: ['docker-compose', 'docker.io']
|
||||
pkg: ['docker-compose', 'docker.io', 'certbot']
|
||||
|
||||
- name: create peertube folder
|
||||
file: path=/peertube/volumes/traefik/ state=directory mode=0755
|
||||
file: path={{item.path}} state=directory
|
||||
with_items:
|
||||
- { path: '/peertube/volumes/' }
|
||||
- { path: '/peertube/volumes/certbot/' }
|
||||
|
||||
- name: add all template files
|
||||
template: src={{item.src}} dest={{item.dest}}
|
||||
|
@ -27,20 +30,16 @@
|
|||
- { src: 'templates/docker-compose.yml', dest: '/peertube/docker-compose.yml' }
|
||||
- { src: 'templates/env', dest: '/peertube/.env' }
|
||||
- { src: 'templates/nginx.conf', dest: '/peertube/nginx.conf' }
|
||||
- { src: 'templates/traefik.toml', dest: '/peertube/traefik.toml' }
|
||||
vars:
|
||||
postgres_password: "{{ lookup('password', 'passwords/{{ inventory_hostname }}/postgres chars=ascii_letters,digits') }}"
|
||||
|
||||
- name: set traefik data file and env file permissions
|
||||
- name: set env file permissions
|
||||
file:
|
||||
path: "{{ item.path }}"
|
||||
path: "/peertube/.env"
|
||||
state: touch
|
||||
mode: 0600
|
||||
access_time: preserve
|
||||
modification_time: preserve
|
||||
with_items:
|
||||
- { path: '/peertube/volumes/traefik/acme.json' }
|
||||
- { path: '/peertube/.env' }
|
||||
|
||||
- name: add peertube config
|
||||
get_url:
|
||||
|
@ -49,6 +48,11 @@
|
|||
mode: 0644
|
||||
force: no
|
||||
|
||||
- name: request letsencrypt certificates
|
||||
command: certbot certonly --standalone --agree-tos -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}'
|
||||
args:
|
||||
creates: '/etc/letsencrypt/live/{{domain}}/privkey.pem'
|
||||
|
||||
- name: enable and start docker service
|
||||
systemd:
|
||||
name: docker
|
||||
|
@ -61,6 +65,13 @@
|
|||
state: present
|
||||
pull: yes
|
||||
|
||||
- name: renew certbot certificates
|
||||
cron:
|
||||
special_time=daily
|
||||
name=certbot-renew
|
||||
user=root
|
||||
job="certbot certonly --webroot --webroot-path=/peertube/volumes/certbot/ -d '{{ domain }}' --deploy-hook 'docker-compose -f /peertube/docker-compose.yml exec nginx nginx -s reload'"
|
||||
|
||||
- name: fetch root password
|
||||
shell: "docker-compose -f /peertube/docker-compose.yml logs peertube | grep 'User password' | awk 'NF{ print $NF }'"
|
||||
register: password
|
||||
|
|
|
@ -2,42 +2,22 @@ version: "3.3"
|
|||
|
||||
services:
|
||||
|
||||
traefik:
|
||||
image: traefik:1.7-alpine
|
||||
command: --docker # Tells Træfik to listen to docker
|
||||
nginx:
|
||||
image: nginx:1.17-alpine
|
||||
ports:
|
||||
- "80:80" # The HTTP port
|
||||
- "443:443" # The HTTPS port
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
- ./volumes/traefik/acme.json:/etc/acme.json
|
||||
- ./traefik.toml:/traefik.toml
|
||||
depends_on:
|
||||
- nginx
|
||||
restart: "always"
|
||||
# Required for view counter to work correctly
|
||||
# https://github.com/Chocobozzz/PeerTube/issues/1643#issuecomment-464789666
|
||||
network_mode: "host"
|
||||
# If you want to use the Traefik dashboard, you should expose it on a
|
||||
# subdomain with HTTPS and authentification:
|
||||
# https://medium.com/@xavier.priour/secure-traefik-dashboard-with-https-and-password-in-docker-5b657e2aa15f
|
||||
# https://github.com/containous/traefik/issues/880#issuecomment-310301168
|
||||
|
||||
nginx:
|
||||
image: nginx:1.15-alpine
|
||||
volumes:
|
||||
- ./nginx.conf:/etc/nginx/nginx.conf
|
||||
- ./volumes/certbot/:/var/www/certbot/
|
||||
- /etc/letsencrypt/:/etc/letsencrypt/:ro
|
||||
- ./volumes-large:/data-external:ro
|
||||
labels:
|
||||
- traefik.enable=true
|
||||
- traefik.frontend.rule=Host:${PEERTUBE_WEBSERVER_HOSTNAME}
|
||||
- traefik.port=9000
|
||||
depends_on:
|
||||
- peertube
|
||||
restart: "always"
|
||||
|
||||
peertube:
|
||||
image: chocobozzz/peertube:v1.3.0-rc.2-stretch
|
||||
image: chocobozzz/peertube:v1.3.1-stretch
|
||||
env_file:
|
||||
- .env
|
||||
volumes:
|
||||
|
|
|
@ -3,16 +3,44 @@ events {
|
|||
}
|
||||
|
||||
http {
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
server_name {{domain}};
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=peertube_cache:10m max_size={{ cache_size_gb }}g use_temp_path=off;
|
||||
|
||||
server {
|
||||
listen 9000;
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name {{domain}};
|
||||
|
||||
# Block all requests from Gab instances
|
||||
if ($http_user_agent ~* "GabSocial") {
|
||||
return 404;
|
||||
}
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
|
||||
|
||||
# Various TLS hardening settings
|
||||
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
||||
ssl_session_timeout 10m;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_tickets off;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
# Hide nginx version
|
||||
server_tokens off;
|
||||
|
||||
|
|
|
@ -1,73 +0,0 @@
|
|||
# Uncomment this line in order to enable debugging through logs
|
||||
# debug = true
|
||||
defaultEntryPoints = ["http", "https"]
|
||||
|
||||
[entryPoints]
|
||||
[entryPoints.http]
|
||||
address = ":80"
|
||||
[entryPoints.http.redirect]
|
||||
entryPoint = "https"
|
||||
[entryPoints.https]
|
||||
address = ":443"
|
||||
[entryPoints.https.tls]
|
||||
MinVersion = "VersionTLS12"
|
||||
CurvePreferences = [
|
||||
"CurveP521",
|
||||
"CurveP384",
|
||||
"CurveP256"
|
||||
]
|
||||
PreferServerCipherSuites = true
|
||||
CipherSuites = [
|
||||
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
||||
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
|
||||
"TLS_RSA_WITH_AES_256_GCM_SHA384",
|
||||
"TLS_RSA_WITH_AES_256_CBC_SHA"
|
||||
]
|
||||
|
||||
# Enable ACME (Let's Encrypt): automatic SSL.
|
||||
[acme]
|
||||
|
||||
# Email address used for registration.
|
||||
#
|
||||
# Required
|
||||
#
|
||||
email = "{{ letsencrypt_contact_email }}"
|
||||
|
||||
# File or key used for certificates storage.
|
||||
#
|
||||
# Required
|
||||
#
|
||||
storage = "/etc/acme.json"
|
||||
# or `storage = "traefik/acme/account"` if using KV store.
|
||||
|
||||
# Entrypoint to proxy acme apply certificates to.
|
||||
# WARNING, if the TLS-SNI-01 challenge is used, it must point to an entrypoint on port 443
|
||||
#
|
||||
# Required
|
||||
#
|
||||
entryPoint = "https"
|
||||
|
||||
# Domains list.
|
||||
#
|
||||
[[acme.domains]]
|
||||
main = "{{ domain }}"
|
||||
|
||||
# Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge
|
||||
#
|
||||
# Optional but recommend
|
||||
#
|
||||
[acme.httpChallenge]
|
||||
|
||||
# EntryPoint to use for the challenges.
|
||||
#
|
||||
# Required
|
||||
#
|
||||
entryPoint = "http"
|
||||
|
||||
[docker]
|
||||
endpoint = "unix:///var/run/docker.sock"
|
||||
watch = true
|
||||
exposedbydefault = false
|
Loading…
Reference in a new issue