From b8f3e6b00b3300f4ebf37bf77711739964c9e5d6 Mon Sep 17 00:00:00 2001
From: Rigel Kent
Date: Mon, 22 Jun 2020 13:06:54 +0200
Subject: [PATCH] move traefik to its own override file

---
 support/doc/docker-traefik.md | 44 ++++++++++++
 support/doc/docker.md | 71 +++++--------------
 .../production/docker-compose.traefik.yml | 27 +++++++
 support/docker/production/docker-compose.yml | 32 ++-------
 support/docker/production/entrypoint.nginx.sh | 10 +--
 5 files changed, 100 insertions(+), 84 deletions(-)
 create mode 100644 support/doc/docker-traefik.md
 create mode 100644 support/docker/production/docker-compose.traefik.yml

diff --git a/support/doc/docker-traefik.md b/support/doc/docker-traefik.md
new file mode 100644
index 000000000..fcd63364a
--- /dev/null
+++ b/support/doc/docker-traefik.md
@@ -0,0 +1,44 @@ +### Docker + Traefik + +After following the [docker guide](/support/doc/docker.md), you can choose to run traefik +as your reverse-proxy. + +#### Create the reverse proxy configuration directory + +```shell +mkdir -p ./docker-volume/traefik +``` + +#### Get the latest reverse proxy configuration + +```shell +curl https://raw.githubusercontent.com/chocobozzz/PeerTube/master/support/docker/production/config/traefik.toml > ./docker-volume/traefik/traefik.toml +``` + +View the source of the file you're about to download: [traefik.toml](https://github.com/Chocobozzz/PeerTube/blob/master/support/docker/production/config/traefik.toml) + +#### Create Let's Encrypt ACME certificates as JSON file + +```shell +touch ./docker-volume/traefik/acme.json +``` +Needs to have file mode 600: +```shell +chmod 600 ./docker-volume/traefik/acme.json +``` + +#### Update the reverse proxy configuration + +```shell +$EDITOR ./docker-volume/traefik/traefik.toml +``` + +~~You must replace `` and `` to enable Let's Encrypt SSL Certificates creation.~~ Now included in `.env` file with `TRAEFIK_ACME_EMAIL` and `TRAEFIK_ACME_DOMAINS` variables used through traefik service command value of `docker-compose.yml` file. + +More at: https://docs.traefik.io/v1.7 + +#### Run with traefik + +```shell +docker-compose -f {docker-compose.yml,docker-compose.traefik.yml} up -d +``` diff --git a/support/doc/docker.md b/support/doc/docker.md index fc89e4c4c..e55aee9fc 100644 --- a/support/doc/docker.md +++ b/support/doc/docker.md 
@@ -1,48 +1,21 @@ # Docker guide -You can quickly get a server running using Docker. You need to have -[docker](https://www.docker.com/community-edition) and +This guide requires [docker](https://www.docker.com/community-edition) and [docker-compose](https://docs.docker.com/compose/install/) installed. ## Production ### Install -**PeerTube does not support webserver host change**. Keep in mind your domain name is definitive after your first PeerTube start. - -PeerTube needs a PostgreSQL and a Redis instance to work correctly. If you want -to quickly set up a full environment, either for trying the service or in -production, you can use a `docker-compose` setup. +**PeerTube does not support webserver host change**. Keep in mind your domain +name is definitive after your first PeerTube start. #### Go to your peertube workdir + ```shell cd /your/peertube/directory ``` -#### Create the reverse proxy configuration directory - -```shell -mkdir -p ./docker-volume/traefik -``` - -#### Get the latest reverse proxy configuration - -```shell -curl https://raw.githubusercontent.com/chocobozzz/PeerTube/master/support/docker/production/config/traefik.toml > ./docker-volume/traefik/traefik.toml -``` - -View the source of the file you're about to download: [traefik.toml](https://github.com/Chocobozzz/PeerTube/blob/master/support/docker/production/config/traefik.toml) - -#### Create Let's Encrypt ACME certificates as JSON file - -```shell -touch ./docker-volume/traefik/acme.json -``` -Needs to have file mode 600: -```shell -chmod 600 ./docker-volume/traefik/acme.json -``` - #### Get the latest Compose file ```shell @@ -51,7 +24,6 @@ curl https://raw.githubusercontent.com/chocobozzz/PeerTube/master/support/docker View the source of the file you're about to download: [docker-compose.yml](https://github.com/Chocobozzz/PeerTube/blob/master/support/docker/production/docker-compose.yml) - #### Get the latest env_file ```shell 
@@ -60,27 +32,18 @@ curl https://raw.githubusercontent.com/Chocobozzz/PeerTube/master/support/docker View the source of the file you're about to download: [.env](https://github.com/Chocobozzz/PeerTube/blob/master/support/docker/production/.env) -#### Update the reverse proxy configuration - -```shell -vim ./docker-volume/traefik/traefik.toml -``` - -~~You must replace `` and `` to enable Let's Encrypt SSL Certificates creation.~~ Now included in `.env` file with `TRAEFIK_ACME_EMAIL` and `TRAEFIK_ACME_DOMAINS` variables used through traefik service command value of `docker-compose.yml` file. - -More at: https://docs.traefik.io/v1.7 - #### Tweak the `docker-compose.yml` file there according to your needs ```shell -vim ./docker-compose.yml +$EDITOR ./docker-compose.yml ``` #### Then tweak the `.env` file to change the environment variables ```shell -vim ./.env +$EDITOR ./.env ``` + In the downloaded example [.env](https://github.com/Chocobozzz/PeerTube/blob/master/support/docker/production/.env), you must replace: - `` - `` 
@@ -103,10 +66,12 @@ To test locally your Docker setup, you must add your domain (``) in ` ```shell docker-compose up ``` -### Obtaining Your Automatically Generated Admin Credentials -Now that you've installed your PeerTube instance you'll want to grep your peertube container's logs for the `root` password. -You're going to want to run `docker-compose logs peertube | grep -A1 root` to search the log output for your new PeerTube's instance admin credentials which will look something like this. -```BASH + +### Obtaining your automatically-generated admin credentials + +Now that you've installed your PeerTube instance you'll want to grep your peertube container's logs for the `root` password. You're going to want to run `docker-compose logs peertube | grep -A1 root` to search the log output for your new PeerTube's instance admin credentials which will look something like this. + +```bash user@s:~/peertube|master⚡ ⇒ docker-compose logs peertube | grep -A1 root peertube_1 | [example.com:443] 2019-11-16 04:26:06.082 info: Username: root @@ -114,9 +79,12 @@ peertube_1 | [example.com:443] 2019-11-16 04:26:06.083 info: User password: abc ``` ### Obtaining Your Automatically Generated DKIM DNS TXT Record + [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) signature sending and RSA keys generation are enabled by the default Postfix image `mwader/postfix-relay` with [OpenDKIM](http://www.opendkim.org/). -Run `cat ./docker-volume/opendkim/keys/*/*.txt` to display your DKIM DNS TXT Record containing the public key to configure to your domain : -```BASH + +Run `cat ./docker-volume/opendkim/keys/*/*.txt` to display your DKIM DNS TXT Record containing the public key to configure to your domain : + +```bash user@s:~/peertube|master⚡ ⇒ cat ./docker-volume/opendkim/keys/*/*.txt peertube._domainkey.mydomain.tld. IN TXT ( "v=DKIM1; h=sha256; k=rsa; " 
@@ -154,5 +122,4 @@ $ docker build . -f ./support/docker/production/Dockerfile.buster ## Development -We don't have a Docker image for development. See [the CONTRIBUTING guide](https://github.com/Chocobozzz/PeerTube/blob/master/.github/CONTRIBUTING.md#develop) -for more information on how you can hack PeerTube! +We don't have a Docker image for development. See [the CONTRIBUTING guide](https://github.com/Chocobozzz/PeerTube/blob/master/.github/CONTRIBUTING.md#develop) for more information on how you can hack PeerTube! diff --git a/support/docker/production/docker-compose.traefik.yml b/support/docker/production/docker-compose.traefik.yml new file mode 100644 index 000000000..bbea75783 --- /dev/null +++ b/support/docker/production/docker-compose.traefik.yml @@ -0,0 +1,27 @@ +version: "3.3" + +services: + + # The reverse-proxy only does SSL termination and automatic certificate generation. You can + # replace it with any other reverse-proxy, in which case you can remove 'traefik.*' labels. + reverse-proxy: + image: traefik:v1.7 + network_mode: "host" + command: + - "--docker" # Tells Træfik to listen to docker + - "--acme.email=${TRAEFIK_ACME_EMAIL}" # Let's Encrypt ACME email + - "--acme.domains=${TRAEFIK_ACME_DOMAINS}" # Let's Encrypt ACME domain list + ports: + - "80:80" # serving HTTP + - "443:443" # serving HTTPS + volumes: + - /var/run/docker.sock:/var/run/docker.sock # So that Træfik can listen to the Docker events + - ./docker-volume/traefik/acme.json:/etc/acme.json + - ./docker-volume/traefik/traefik.toml:/traefik.toml + restart: "always" + + webserver: + labels: + traefik.enable: "true" + traefik.frontend.rule: "Host:${PEERTUBE_WEBSERVER_HOSTNAME}" + traefik.port: "80" diff --git a/support/docker/production/docker-compose.yml b/support/docker/production/docker-compose.yml index 51de964e8..d17dbd0df 100644 --- a/support/docker/production/docker-compose.yml +++ b/support/docker/production/docker-compose.yml 
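Review bot: The `reverse-proxy` service in docker-compose.traefik.yml mounts `/var/run/docker.sock` with no comment on what that grants: a process in that container can drive the Docker daemon and therefore the host, so the mount deserves a line such as `# grants Traefik full control of the Docker daemon; keep this container minimal` and, where feasible, a socket proxy in place of the raw socket. Traefik v1.7 also exposes every container it sees by default, so services without a `traefik.enable` label may still receive a default frontend; adding `- "--docker.exposedbydefault=false"` to `command` restricts routing to the labelled `webserver` service. With `network_mode: "host"` Docker discards the `ports:` section (host networking publishes nothing), so one of the two should go rather than both being kept with `# serving HTTP` / `# serving HTTPS` comments that suggest the mappings are in effect. Since the file only makes sense layered on the base file, a header comment `# Override for docker-compose.yml: docker-compose -f docker-compose.yml -f docker-compose.traefik.yml up -d` would tell readers how it is meant to be used.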
@@ -2,27 +2,9 @@ version: "3.3" services: - # The reverse-proxy only does SSL termination and automatic certificate generation. You can - # replace it with any other reverse-proxy, in which case you can remove 'traefik.*' labels. - reverse-proxy: - image: traefik:v1.7 - network_mode: "host" - command: - - "--docker" # Tells Træfik to listen to docker - - "--acme.email=${TRAEFIK_ACME_EMAIL}" # Let's Encrypt ACME email - - "--acme.domains=${TRAEFIK_ACME_DOMAINS}" # Let's Encrypt ACME domain list - ports: - - "80:80" # The HTTP port - - "443:443" # The HTTPS port - volumes: - - /var/run/docker.sock:/var/run/docker.sock # So that Træfik can listen to the Docker events - - ./docker-volume/traefik/acme.json:/etc/acme.json - - ./docker-volume/traefik/traefik.toml:/traefik.toml - restart: "always" - # The webserver is not required, but recommended since a lot of optimizations went to its # nginx configuration file. It runs the default nginx configuration without HTTPS nor SSL, - # so use it in production in tandem with an SSL-terminating reverse-proxy like above. + # so use it in production in tandem with an SSL-terminating reverse-proxy. webserver: build: context: . @@ -31,7 +13,7 @@ services: - .env # If you provide your own reverse-proxy, otherwise not suitable for production: #ports: - # - "80:80" + # - "9000:80" # serving HTTP volumes: - type: bind # Switch sources if you downloaded the nginx configuration without the whole repository @@ -43,10 +25,6 @@ services: depends_on: - peertube restart: "always" - labels: - traefik.enable: "true" - traefik.frontend.rule: "Host:${PEERTUBE_WEBSERVER_HOSTNAME}" - traefik.port: "80" peertube: # If you don't want to use the official image and build one from sources: @@ -58,7 +36,7 @@ services: - .env # If you provide your own webserver and reverse-proxy, otherwise not suitable for production: #ports: - # - "80:9000" + # - "80:9000" # serving HTTP volumes: - assets:/app/client/dist - ./docker-volume/data:/data 
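Review bot: The rewritten comment above `webserver` ("so use it in production in tandem with an SSL-terminating reverse-proxy.") no longer says where that reverse proxy lives now that the `reverse-proxy` service and the `traefik.*` labels have left this file, so a reader of the base file alone has no pointer to the override. Suggest `# so use it in production in tandem with an SSL-terminating reverse-proxy (see docker-compose.traefik.yml).` It would also help to state in the same comment that with only this file the webserver publishes no port (`#ports:` stays commented) and is unreachable from outside the compose network until an override file or that mapping is enabled.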
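Review bot: The example mapping `# - "9000:80" # serving HTTP` under `webserver` would publish the plain-HTTP nginx listener on every host interface, although the comment above it describes the case where the operator's own reverse proxy sits in front; binding to loopback keeps the unencrypted port reachable only from a proxy on the same host. Suggest `# - "127.0.0.1:9000:80" # plain HTTP, for a reverse-proxy on this host`. On hosts with an iptables-based firewall, Docker's own rules for published ports are generally evaluated before the host's, so the host firewall may not close such a port either. The `# - "80:9000" # serving HTTP` hint under `peertube` in the last hunk of this file has the same issue.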
@@ -70,7 +48,7 @@ services: restart: "always" postgres: - image: postgres:12-alpine + image: postgres:10-alpine env_file: - .env volumes: @@ -96,7 +74,7 @@ networks: ipam: driver: default config: - - subnet: 172.18.0.0/16 + - subnet: 172.18.0.0/16 volumes: assets: diff --git a/support/docker/production/entrypoint.nginx.sh b/support/docker/production/entrypoint.nginx.sh index 903806936..4d2ead966 100644 --- a/support/docker/production/entrypoint.nginx.sh +++ b/support/docker/production/entrypoint.nginx.sh @@ -1,15 +1,15 @@ #!/bin/sh set -e -# Process nginx template -SOURCE="/etc/nginx/conf.d/peertube.template" -TARGET="/etc/nginx/conf.d/default.conf" +# Process the nginx template +SOURCE_FILE="/etc/nginx/conf.d/peertube.template" +TARGET_FILE="/etc/nginx/conf.d/default.conf" export WEBSERVER_HOST="default_server" export PEERTUBE_HOST="peertube:9000" -envsubst '${WEBSERVER_HOST} ${PEERTUBE_HOST}' < $SOURCE > $TARGET +envsubst '${WEBSERVER_HOST} ${PEERTUBE_HOST}' < $SOURCE_FILE > $TARGET_FILE # Remove HTTPS/SSL from nginx conf -sed -i 's/443 ssl http2/80/g;/ssl_/d' $TARGET +sed -i 's/443 ssl http2/80/g;/ssl_/d' $TARGET_FILE nginx -g "daemon off;" \ No newline at end of file
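Review bot: `image: postgres:10-alpine` replaces `postgres:12-alpine` in the `postgres` service, a major-version downgrade unrelated to the commit's stated purpose (moving Traefik to an override file); a PostgreSQL data directory initialised by 12 on the persisted volume will refuse to start under 10, and moving back up later needs a dump/restore or pg_upgrade rather than an image swap. If the change is deliberate (for instance reverting an earlier accidental bump), it belongs in the commit message and deserves a comment above the line such as `# Changing the major version requires migrating the existing data volume (dump/restore or pg_upgrade)`; otherwise it should be dropped from this commit. The service's `volumes:` list continues outside the hunk.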