From f0a01448969b5476e31430e7fb14c2118dd19b74 Mon Sep 17 00:00:00 2001 From: Felix Ableitner Date: Mon, 15 Jul 2019 00:10:48 +0200 Subject: [PATCH] Removed traefik and switched back to only nginx --- peertube.yml | 27 +++++++++---- templates/docker-compose.yml | 30 +++------------ templates/nginx.conf | 30 ++++++++++++++- templates/traefik.toml | 73 ------------------------------------ 4 files changed, 53 insertions(+), 107 deletions(-) delete mode 100644 templates/traefik.toml diff --git a/peertube.yml b/peertube.yml index 2c2c6ce..f37e07e 100644 --- a/peertube.yml +++ b/peertube.yml @@ -16,10 +16,13 @@ tasks: - name: install dependencies apt: - pkg: ['docker-compose', 'docker.io'] + pkg: ['docker-compose', 'docker.io', 'certbot'] - name: create peertube folder - file: path=/peertube/volumes/traefik/ state=directory mode=0755 + file: path={{item.path}} state=directory + with_items: + - { path: '/peertube/volumes/' } + - { path: '/peertube/volumes/certbot/' } - name: add all template files template: src={{item.src}} dest={{item.dest}} @@ -27,20 +30,16 @@ - { src: 'templates/docker-compose.yml', dest: '/peertube/docker-compose.yml' } - { src: 'templates/env', dest: '/peertube/.env' } - { src: 'templates/nginx.conf', dest: '/peertube/nginx.conf' } - - { src: 'templates/traefik.toml', dest: '/peertube/traefik.toml' } vars: postgres_password: "{{ lookup('password', 'passwords/{{ inventory_hostname }}/postgres chars=ascii_letters,digits') }}" - - name: set traefik data file and env file permissions + - name: set env file permissions file: - path: "{{ item.path }}" + path: "/peertube/.env" state: touch mode: 0600 access_time: preserve modification_time: preserve - with_items: - - { path: '/peertube/volumes/traefik/acme.json' } - - { path: '/peertube/.env' } - name: add peertube config get_url: 
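Review bot: The rewritten `create peertube folder` task drops the explicit `mode=0755` the old traefik task had, so the permissions of `/peertube/volumes/` and `/peertube/volumes/certbot/` now depend on the remote umask; `volumes/certbot/` is served by nginx as the ACME webroot, so it has to stay readable by the container's nginx user, and an explicit mode makes that deterministic across hosts. I would restore it, `file: path={{item.path}} state=directory mode=0755`, or better write the args as native YAML (`path:`, `state:`, `mode: "0755"`) as Ansible convention prefers over `key=value` strings. The rest of the hunk (dropping the traefik template and the `acme.json` touch) follows from the switch and needs nothing further.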
@@ -49,6 +48,11 @@ mode: 0644 force: no + - name: request letsencrypt certificates + command: certbot certonly --standalone --agree-tos -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}' + args: + creates: '/etc/letsencrypt/live/{{domain}}/privkey.pem' + - name: enable and start docker service systemd: name: docker @@ -61,6 +65,13 @@ state: present pull: yes + - name: renew certbot certificates + cron: + special_time=daily + name=certbot-renew + user=root + job="certbot certonly --webroot --webroot-path=/peertube/volumes/certbot/ -d '{{ domain }}' --deploy-hook 'docker-compose -f /peertube/docker-compose.yml exec nginx nginx -s reload'" + - name: fetch root password shell: "docker-compose -f /peertube/docker-compose.yml logs peertube | grep 'User password' | awk 'NF{ print $NF }'" register: password diff --git a/templates/docker-compose.yml b/templates/docker-compose.yml index fe11465..12bc4d3 100644 --- a/templates/docker-compose.yml +++ b/templates/docker-compose.yml 
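Review bot: The `request letsencrypt certificates` task runs certbot without `--non-interactive`, so any prompt certbot still wants to show on first registration (the EFF mailing-list question is the usual one) cannot be answered under Ansible and the task either hangs or fails depending on the certbot version installed; `command: certbot certonly --standalone --non-interactive --agree-tos --no-eff-email -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}'` makes it fail fast with a clear error instead. Note that `--standalone` binds port 80 itself, so this task has to run before Compose starts nginx, which the task order shown here appears to satisfy; the `creates:` guard keeps later runs from racing nginx for the port.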
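Review bot: The deploy hook in the new `certbot-renew` cron job, `docker-compose -f /peertube/docker-compose.yml exec nginx nginx -s reload`, will not work from cron: `docker-compose exec` allocates a pseudo-TTY by default and aborts with "the input device is not a TTY" when stdin is not a terminal, so after a successful renewal nginx keeps serving the old certificate until the container is restarted. Pass `-T` to disable TTY allocation, and consider `renew` instead of re-running `certonly` every day, since `renew` only acts on lineages that are due, never prompts, and takes the authenticator override on the command line: `job="certbot renew -q --webroot --webroot-path=/peertube/volumes/certbot/ --deploy-hook 'docker-compose -f /peertube/docker-compose.yml exec -T nginx nginx -s reload'"`. Whether a daily `certonly` without `--non-interactive` behaves on a certificate that is not yet due depends on the certbot version, which is another reason to prefer `renew -q`.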
@@ -2,42 +2,22 @@ version: "3.3" services: - traefik: - image: traefik:1.7-alpine - command: --docker # Tells Træfik to listen to docker + nginx: + image: nginx:1.17-alpine ports: - "80:80" # The HTTP port - "443:443" # The HTTPS port - volumes: - - /var/run/docker.sock:/var/run/docker.sock:ro - - ./volumes/traefik/acme.json:/etc/acme.json - - ./traefik.toml:/traefik.toml - depends_on: - - nginx - restart: "always" - # Required for view counter to work correctly - # https://github.com/Chocobozzz/PeerTube/issues/1643#issuecomment-464789666 - network_mode: "host" - # If you want to use the Traefik dashboard, you should expose it on a - # subdomain with HTTPS and authentification: - # https://medium.com/@xavier.priour/secure-traefik-dashboard-with-https-and-password-in-docker-5b657e2aa15f - # https://github.com/containous/traefik/issues/880#issuecomment-310301168 - - nginx: - image: nginx:1.15-alpine volumes: - ./nginx.conf:/etc/nginx/nginx.conf + - ./volumes/certbot/:/var/www/certbot/ + - /etc/letsencrypt/:/etc/letsencrypt/:ro - ./volumes-large:/data-external:ro - labels: - - traefik.enable=true - - traefik.frontend.rule=Host:${PEERTUBE_WEBSERVER_HOSTNAME} - - traefik.port=9000 depends_on: - peertube restart: "always" peertube: - image: chocobozzz/peertube:v1.3.0-rc.2-stretch + image: chocobozzz/peertube:v1.3.1-stretch env_file: - .env volumes: diff --git a/templates/nginx.conf b/templates/nginx.conf index 60270a3..7aca70e 100644 --- a/templates/nginx.conf +++ b/templates/nginx.conf 
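Review bot: The new `nginx` service bind-mounts all of `/etc/letsencrypt/` read-only, which gives the web-facing container not only the serving certificate but also the ACME account private key under `accounts/` and every renewal config; nginx only needs the `live/{{domain}}` lineage, whose files are relative symlinks into `archive/{{domain}}`, so mounting `/etc/letsencrypt/live/:/etc/letsencrypt/live/:ro` and `/etc/letsencrypt/archive/:/etc/letsencrypt/archive/:ro` (or just the two per-domain directories) keeps the account key out of the container. One thing to confirm after this change: the removed traefik block carried a comment that `network_mode: "host"` was required for PeerTube's view counter to see real client addresses, and with nginx now behind Docker port publishing that depends on connections still arriving with their source address (IPv4 DNAT typically preserves it, connections relayed by docker-proxy typically do not) and on nginx forwarding it in `X-Real-IP`/`X-Forwarded-For`, which lives in nginx.conf outside this hunk.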
@@ -3,16 +3,44 @@ events { } http { + + server { + listen 80; + server_name {{domain}}; + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + location / { + return 301 https://$host$request_uri; + } + } + proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=peertube_cache:10m max_size={{ cache_size_gb }}g use_temp_path=off; server { - listen 9000; + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name {{domain}}; # Block all requests from Gab instances if ($http_user_agent ~* "GabSocial") { return 404; } + ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem; + + # Various TLS hardening settings + # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_session_timeout 10m; + ssl_session_cache shared:SSL:10m; + ssl_session_tickets off; + ssl_stapling on; + ssl_stapling_verify on; + # Hide nginx version server_tokens off; diff --git a/templates/traefik.toml b/templates/traefik.toml deleted file mode 100644 index bacba12..0000000 --- a/templates/traefik.toml +++ /dev/null 
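Review bot: `ssl_stapling on; ssl_stapling_verify on;` will not actually staple as written: nginx needs a `resolver` directive to look up the OCSP responder host, and per the nginx docs `ssl_stapling_verify` needs the issuer chain configured through `ssl_trusted_certificate`; without them nginx logs the problem at startup and silently serves without a staple. Add `resolver 127.0.0.11 valid=300s;` (Docker's embedded DNS, which is what the Compose network gives this container) and `ssl_trusted_certificate /etc/letsencrypt/live/{{domain}}/chain.pem;` next to the certificate lines. Since port 80 now unconditionally redirects to HTTPS, also add `add_header Strict-Transport-Security "max-age=63072000" always;` in the 443 server so browsers stop making the plaintext request at all. Finally, `return 301 https://$host$request_uri;` reflects the client-supplied Host header on what is the only, and therefore default, port-80 server, so a request with a foreign Host turns into a redirect to that host; `return 301 https://{{domain}}$request_uri;` closes that open redirect.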
@@ -1,73 +0,0 @@ -# Uncomment this line in order to enable debugging through logs -# debug = true -defaultEntryPoints = ["http", "https"] - -[entryPoints] - [entryPoints.http] - address = ":80" - [entryPoints.http.redirect] - entryPoint = "https" - [entryPoints.https] - address = ":443" - [entryPoints.https.tls] - MinVersion = "VersionTLS12" - CurvePreferences = [ - "CurveP521", - "CurveP384", - "CurveP256" - ] - PreferServerCipherSuites = true - CipherSuites = [ - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_AES_256_GCM_SHA384", - "TLS_RSA_WITH_AES_256_CBC_SHA" - ] - -# Enable ACME (Let's Encrypt): automatic SSL. -[acme] - -# Email address used for registration. -# -# Required -# -email = "{{ letsencrypt_contact_email }}" - -# File or key used for certificates storage. -# -# Required -# -storage = "/etc/acme.json" -# or `storage = "traefik/acme/account"` if using KV store. - -# Entrypoint to proxy acme apply certificates to. -# WARNING, if the TLS-SNI-01 challenge is used, it must point to an entrypoint on port 443 -# -# Required -# -entryPoint = "https" - -# Domains list. -# -[[acme.domains]] - main = "{{ domain }}" - -# Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge -# -# Optional but recommend -# -[acme.httpChallenge] - - # EntryPoint to use for the challenges. - # - # Required - # - entryPoint = "http" - -[docker] -endpoint = "unix:///var/run/docker.sock" -watch = true -exposedbydefault = false