Removed traefik and switched back to only nginx

This commit is contained in:
Felix Ableitner 2019-07-15 00:10:48 +02:00
parent d714997f58
commit f0a0144896
4 changed files with 53 additions and 107 deletions

View file

@ -16,10 +16,13 @@
tasks:
- name: install dependencies
apt:
pkg: ['docker-compose', 'docker.io']
pkg: ['docker-compose', 'docker.io', 'certbot']
- name: create peertube folder
file: path=/peertube/volumes/traefik/ state=directory mode=0755
file: path={{item.path}} state=directory
with_items:
- { path: '/peertube/volumes/' }
- { path: '/peertube/volumes/certbot/' }
- name: add all template files
template: src={{item.src}} dest={{item.dest}}
@ -27,20 +30,16 @@
- { src: 'templates/docker-compose.yml', dest: '/peertube/docker-compose.yml' }
- { src: 'templates/env', dest: '/peertube/.env' }
- { src: 'templates/nginx.conf', dest: '/peertube/nginx.conf' }
- { src: 'templates/traefik.toml', dest: '/peertube/traefik.toml' }
vars:
postgres_password: "{{ lookup('password', 'passwords/{{ inventory_hostname }}/postgres chars=ascii_letters,digits') }}"
- name: set traefik data file and env file permissions
- name: set env file permissions
file:
path: "{{ item.path }}"
path: "/peertube/.env"
state: touch
mode: 0600
access_time: preserve
modification_time: preserve
with_items:
- { path: '/peertube/volumes/traefik/acme.json' }
- { path: '/peertube/.env' }
- name: add peertube config
get_url:
@ -49,6 +48,11 @@
mode: 0644
force: no
- name: request letsencrypt certificates
command: certbot certonly --standalone --agree-tos -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}'
args:
creates: '/etc/letsencrypt/live/{{domain}}/privkey.pem'
- name: enable and start docker service
systemd:
name: docker
@ -61,6 +65,13 @@
state: present
pull: yes
- name: renew certbot certificates
cron:
special_time=daily
name=certbot-renew
user=root
job="certbot certonly --webroot --webroot-path=/peertube/volumes/certbot/ -d '{{ domain }}' --deploy-hook 'docker-compose -f /peertube/docker-compose.yml exec nginx nginx -s reload'"
- name: fetch root password
shell: "docker-compose -f /peertube/docker-compose.yml logs peertube | grep 'User password' | awk 'NF{ print $NF }'"
register: password

View file

@ -2,42 +2,22 @@ version: "3.3"
services:
traefik:
image: traefik:1.7-alpine
command: --docker # Tells Træfik to listen to docker
nginx:
image: nginx:1.17-alpine
ports:
- "80:80" # The HTTP port
- "443:443" # The HTTPS port
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./volumes/traefik/acme.json:/etc/acme.json
- ./traefik.toml:/traefik.toml
depends_on:
- nginx
restart: "always"
# Required for view counter to work correctly
# https://github.com/Chocobozzz/PeerTube/issues/1643#issuecomment-464789666
network_mode: "host"
# If you want to use the Traefik dashboard, you should expose it on a
# subdomain with HTTPS and authentification:
# https://medium.com/@xavier.priour/secure-traefik-dashboard-with-https-and-password-in-docker-5b657e2aa15f
# https://github.com/containous/traefik/issues/880#issuecomment-310301168
nginx:
image: nginx:1.15-alpine
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf
- ./volumes/certbot/:/var/www/certbot/
- /etc/letsencrypt/:/etc/letsencrypt/:ro
- ./volumes-large:/data-external:ro
labels:
- traefik.enable=true
- traefik.frontend.rule=Host:${PEERTUBE_WEBSERVER_HOSTNAME}
- traefik.port=9000
depends_on:
- peertube
restart: "always"
peertube:
image: chocobozzz/peertube:v1.3.0-rc.2-stretch
image: chocobozzz/peertube:v1.3.1-stretch
env_file:
- .env
volumes:

View file

@ -3,16 +3,44 @@ events {
}
http {
server {
listen 80;
server_name {{domain}};
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$host$request_uri;
}
}
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=peertube_cache:10m max_size={{ cache_size_gb }}g use_temp_path=off;
server {
listen 9000;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{domain}};
# Block all requests from Gab instances
if ($http_user_agent ~* "GabSocial") {
return 404;
}
ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
# Various TLS hardening settings
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
# Hide nginx version
server_tokens off;

View file

@ -1,73 +0,0 @@
# Uncomment this line in order to enable debugging through logs
# debug = true
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
MinVersion = "VersionTLS12"
CurvePreferences = [
"CurveP521",
"CurveP384",
"CurveP256"
]
PreferServerCipherSuites = true
CipherSuites = [
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_CBC_SHA"
]
# Enable ACME (Let's Encrypt): automatic SSL.
[acme]
# Email address used for registration.
#
# Required
#
email = "{{ letsencrypt_contact_email }}"
# File or key used for certificates storage.
#
# Required
#
storage = "/etc/acme.json"
# or `storage = "traefik/acme/account"` if using KV store.
# Entrypoint to proxy acme apply certificates to.
# WARNING, if the TLS-SNI-01 challenge is used, it must point to an entrypoint on port 443
#
# Required
#
entryPoint = "https"
# Domains list.
#
[[acme.domains]]
main = "{{ domain }}"
# Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge
#
# Optional but recommend
#
[acme.httpChallenge]
# EntryPoint to use for the challenges.
#
# Required
#
entryPoint = "http"
[docker]
endpoint = "unix:///var/run/docker.sock"
watch = true
exposedbydefault = false