forked from nutomic/peertube.social
Removed traefik and switched back to only nginx
This commit is contained in:
parent
d714997f58
commit
f0a0144896
4 changed files with 53 additions and 107 deletions
27
peertube.yml
27
peertube.yml
|
@ -16,10 +16,13 @@
|
||||||
tasks:
|
tasks:
|
||||||
- name: install dependencies
|
- name: install dependencies
|
||||||
apt:
|
apt:
|
||||||
pkg: ['docker-compose', 'docker.io']
|
pkg: ['docker-compose', 'docker.io', 'certbot']
|
||||||
|
|
||||||
- name: create peertube folder
|
- name: create peertube folder
|
||||||
file: path=/peertube/volumes/traefik/ state=directory mode=0755
|
file: path={{item.path}} state=directory
|
||||||
|
with_items:
|
||||||
|
- { path: '/peertube/volumes/' }
|
||||||
|
- { path: '/peertube/volumes/certbot/' }
|
||||||
|
|
||||||
- name: add all template files
|
- name: add all template files
|
||||||
template: src={{item.src}} dest={{item.dest}}
|
template: src={{item.src}} dest={{item.dest}}
|
||||||
|
@ -27,20 +30,16 @@
|
||||||
- { src: 'templates/docker-compose.yml', dest: '/peertube/docker-compose.yml' }
|
- { src: 'templates/docker-compose.yml', dest: '/peertube/docker-compose.yml' }
|
||||||
- { src: 'templates/env', dest: '/peertube/.env' }
|
- { src: 'templates/env', dest: '/peertube/.env' }
|
||||||
- { src: 'templates/nginx.conf', dest: '/peertube/nginx.conf' }
|
- { src: 'templates/nginx.conf', dest: '/peertube/nginx.conf' }
|
||||||
- { src: 'templates/traefik.toml', dest: '/peertube/traefik.toml' }
|
|
||||||
vars:
|
vars:
|
||||||
postgres_password: "{{ lookup('password', 'passwords/{{ inventory_hostname }}/postgres chars=ascii_letters,digits') }}"
|
postgres_password: "{{ lookup('password', 'passwords/{{ inventory_hostname }}/postgres chars=ascii_letters,digits') }}"
|
||||||
|
|
||||||
- name: set traefik data file and env file permissions
|
- name: set env file permissions
|
||||||
file:
|
file:
|
||||||
path: "{{ item.path }}"
|
path: "/peertube/.env"
|
||||||
state: touch
|
state: touch
|
||||||
mode: 0600
|
mode: 0600
|
||||||
access_time: preserve
|
access_time: preserve
|
||||||
modification_time: preserve
|
modification_time: preserve
|
||||||
with_items:
|
|
||||||
- { path: '/peertube/volumes/traefik/acme.json' }
|
|
||||||
- { path: '/peertube/.env' }
|
|
||||||
|
|
||||||
- name: add peertube config
|
- name: add peertube config
|
||||||
get_url:
|
get_url:
|
||||||
|
@ -49,6 +48,11 @@
|
||||||
mode: 0644
|
mode: 0644
|
||||||
force: no
|
force: no
|
||||||
|
|
||||||
|
- name: request letsencrypt certificates
|
||||||
|
command: certbot certonly --standalone --agree-tos -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}'
|
||||||
|
args:
|
||||||
|
creates: '/etc/letsencrypt/live/{{domain}}/privkey.pem'
|
||||||
|
|
||||||
- name: enable and start docker service
|
- name: enable and start docker service
|
||||||
systemd:
|
systemd:
|
||||||
name: docker
|
name: docker
|
||||||
|
@ -61,6 +65,13 @@
|
||||||
state: present
|
state: present
|
||||||
pull: yes
|
pull: yes
|
||||||
|
|
||||||
|
- name: renew certbot certificates
|
||||||
|
cron:
|
||||||
|
special_time=daily
|
||||||
|
name=certbot-renew
|
||||||
|
user=root
|
||||||
|
job="certbot certonly --webroot --webroot-path=/peertube/volumes/certbot/ -d '{{ domain }}' --deploy-hook 'docker-compose -f /peertube/docker-compose.yml exec nginx nginx -s reload'"
|
||||||
|
|
||||||
- name: fetch root password
|
- name: fetch root password
|
||||||
shell: "docker-compose -f /peertube/docker-compose.yml logs peertube | grep 'User password' | awk 'NF{ print $NF }'"
|
shell: "docker-compose -f /peertube/docker-compose.yml logs peertube | grep 'User password' | awk 'NF{ print $NF }'"
|
||||||
register: password
|
register: password
|
||||||
|
|
|
@ -2,42 +2,22 @@ version: "3.3"
|
||||||
|
|
||||||
services:
|
services:
|
||||||
|
|
||||||
traefik:
|
nginx:
|
||||||
image: traefik:1.7-alpine
|
image: nginx:1.17-alpine
|
||||||
command: --docker # Tells Træfik to listen to docker
|
|
||||||
ports:
|
ports:
|
||||||
- "80:80" # The HTTP port
|
- "80:80" # The HTTP port
|
||||||
- "443:443" # The HTTPS port
|
- "443:443" # The HTTPS port
|
||||||
volumes:
|
|
||||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
||||||
- ./volumes/traefik/acme.json:/etc/acme.json
|
|
||||||
- ./traefik.toml:/traefik.toml
|
|
||||||
depends_on:
|
|
||||||
- nginx
|
|
||||||
restart: "always"
|
|
||||||
# Required for view counter to work correctly
|
|
||||||
# https://github.com/Chocobozzz/PeerTube/issues/1643#issuecomment-464789666
|
|
||||||
network_mode: "host"
|
|
||||||
# If you want to use the Traefik dashboard, you should expose it on a
|
|
||||||
# subdomain with HTTPS and authentification:
|
|
||||||
# https://medium.com/@xavier.priour/secure-traefik-dashboard-with-https-and-password-in-docker-5b657e2aa15f
|
|
||||||
# https://github.com/containous/traefik/issues/880#issuecomment-310301168
|
|
||||||
|
|
||||||
nginx:
|
|
||||||
image: nginx:1.15-alpine
|
|
||||||
volumes:
|
volumes:
|
||||||
- ./nginx.conf:/etc/nginx/nginx.conf
|
- ./nginx.conf:/etc/nginx/nginx.conf
|
||||||
|
- ./volumes/certbot/:/var/www/certbot/
|
||||||
|
- /etc/letsencrypt/:/etc/letsencrypt/:ro
|
||||||
- ./volumes-large:/data-external:ro
|
- ./volumes-large:/data-external:ro
|
||||||
labels:
|
|
||||||
- traefik.enable=true
|
|
||||||
- traefik.frontend.rule=Host:${PEERTUBE_WEBSERVER_HOSTNAME}
|
|
||||||
- traefik.port=9000
|
|
||||||
depends_on:
|
depends_on:
|
||||||
- peertube
|
- peertube
|
||||||
restart: "always"
|
restart: "always"
|
||||||
|
|
||||||
peertube:
|
peertube:
|
||||||
image: chocobozzz/peertube:v1.3.0-rc.2-stretch
|
image: chocobozzz/peertube:v1.3.1-stretch
|
||||||
env_file:
|
env_file:
|
||||||
- .env
|
- .env
|
||||||
volumes:
|
volumes:
|
||||||
|
|
|
@ -3,16 +3,44 @@ events {
|
||||||
}
|
}
|
||||||
|
|
||||||
http {
|
http {
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name {{domain}};
|
||||||
|
location /.well-known/acme-challenge/ {
|
||||||
|
root /var/www/certbot;
|
||||||
|
}
|
||||||
|
location / {
|
||||||
|
return 301 https://$host$request_uri;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=peertube_cache:10m max_size={{ cache_size_gb }}g use_temp_path=off;
|
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=peertube_cache:10m max_size={{ cache_size_gb }}g use_temp_path=off;
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 9000;
|
listen 443 ssl http2;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
server_name {{domain}};
|
||||||
|
|
||||||
# Block all requests from Gab instances
|
# Block all requests from Gab instances
|
||||||
if ($http_user_agent ~* "GabSocial") {
|
if ($http_user_agent ~* "GabSocial") {
|
||||||
return 404;
|
return 404;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
|
||||||
|
|
||||||
|
# Various TLS hardening settings
|
||||||
|
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
||||||
|
ssl_session_timeout 10m;
|
||||||
|
ssl_session_cache shared:SSL:10m;
|
||||||
|
ssl_session_tickets off;
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
|
||||||
# Hide nginx version
|
# Hide nginx version
|
||||||
server_tokens off;
|
server_tokens off;
|
||||||
|
|
||||||
|
|
|
@ -1,73 +0,0 @@
|
||||||
# Uncomment this line in order to enable debugging through logs
|
|
||||||
# debug = true
|
|
||||||
defaultEntryPoints = ["http", "https"]
|
|
||||||
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.http.redirect]
|
|
||||||
entryPoint = "https"
|
|
||||||
[entryPoints.https]
|
|
||||||
address = ":443"
|
|
||||||
[entryPoints.https.tls]
|
|
||||||
MinVersion = "VersionTLS12"
|
|
||||||
CurvePreferences = [
|
|
||||||
"CurveP521",
|
|
||||||
"CurveP384",
|
|
||||||
"CurveP256"
|
|
||||||
]
|
|
||||||
PreferServerCipherSuites = true
|
|
||||||
CipherSuites = [
|
|
||||||
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
|
||||||
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
|
|
||||||
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
|
||||||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
|
||||||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
|
|
||||||
"TLS_RSA_WITH_AES_256_GCM_SHA384",
|
|
||||||
"TLS_RSA_WITH_AES_256_CBC_SHA"
|
|
||||||
]
|
|
||||||
|
|
||||||
# Enable ACME (Let's Encrypt): automatic SSL.
|
|
||||||
[acme]
|
|
||||||
|
|
||||||
# Email address used for registration.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
#
|
|
||||||
email = "{{ letsencrypt_contact_email }}"
|
|
||||||
|
|
||||||
# File or key used for certificates storage.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
#
|
|
||||||
storage = "/etc/acme.json"
|
|
||||||
# or `storage = "traefik/acme/account"` if using KV store.
|
|
||||||
|
|
||||||
# Entrypoint to proxy acme apply certificates to.
|
|
||||||
# WARNING, if the TLS-SNI-01 challenge is used, it must point to an entrypoint on port 443
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
#
|
|
||||||
entryPoint = "https"
|
|
||||||
|
|
||||||
# Domains list.
|
|
||||||
#
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "{{ domain }}"
|
|
||||||
|
|
||||||
# Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge
|
|
||||||
#
|
|
||||||
# Optional but recommend
|
|
||||||
#
|
|
||||||
[acme.httpChallenge]
|
|
||||||
|
|
||||||
# EntryPoint to use for the challenges.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
#
|
|
||||||
entryPoint = "http"
|
|
||||||
|
|
||||||
[docker]
|
|
||||||
endpoint = "unix:///var/run/docker.sock"
|
|
||||||
watch = true
|
|
||||||
exposedbydefault = false
|
|
Loading…
Reference in a new issue