Removed traefik and switched back to only nginx

2024-11-24 23:38:20 -05:00 · 2019-07-15 00:10:48 +02:00 · 2019-07-15 00:10:48 +02:00 · f0a0144896
commit f0a0144896
parent d714997f58
4 changed files with 53 additions and 107 deletions
--- a/peertube.yml
+++ b/peertube.yml
@ -16,10 +16,13 @@
  tasks:
  - name: install dependencies
    apt:
-      pkg: ['docker-compose', 'docker.io']
+      pkg: ['docker-compose', 'docker.io', 'certbot']

  - name: create peertube folder
-    file: path=/peertube/volumes/traefik/ state=directory mode=0755
+    file: path={{item.path}} state=directory
+    with_items:
+      - { path: '/peertube/volumes/' }
+      - { path: '/peertube/volumes/certbot/' }

  - name:  add all template files
    template: src={{item.src}} dest={{item.dest}}
@ -27,20 +30,16 @@
      - { src: 'templates/docker-compose.yml', dest: '/peertube/docker-compose.yml' }
      - { src: 'templates/env', dest: '/peertube/.env' }
      - { src: 'templates/nginx.conf', dest: '/peertube/nginx.conf' }
-      - { src: 'templates/traefik.toml', dest: '/peertube/traefik.toml' }
    vars:
      postgres_password: "{{ lookup('password', 'passwords/{{ inventory_hostname }}/postgres chars=ascii_letters,digits') }}"

-  - name: set traefik data file and env file permissions
+  - name: set env file permissions
    file:
-      path: "{{ item.path }}"
+      path: "/peertube/.env"
      state: touch
      mode: 0600
      access_time: preserve
      modification_time: preserve
-    with_items:
-      - { path: '/peertube/volumes/traefik/acme.json' }
-      - { path: '/peertube/.env' }

  - name: add peertube config
    get_url:
@ -49,6 +48,11 @@
      mode: 0644
      force: no

+  - name: request letsencrypt certificates
+    command: certbot certonly --standalone --agree-tos -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}'
+    args:
+      creates: '/etc/letsencrypt/live/{{domain}}/privkey.pem'
+
  - name: enable and start docker service
    systemd:
      name: docker
@ -61,6 +65,13 @@
      state: present
      pull: yes

+  - name: renew certbot certificates
+    cron:
+      special_time=daily
+      name=certbot-renew
+      user=root
+      job="certbot certonly --webroot --webroot-path=/peertube/volumes/certbot/ -d '{{ domain }}' --deploy-hook 'docker-compose -f /peertube/docker-compose.yml exec nginx nginx -s reload'"
+
  - name: fetch root password
    shell: "docker-compose -f /peertube/docker-compose.yml logs peertube | grep 'User password' | awk 'NF{ print $NF }'"
    register: password
--- a/templates/docker-compose.yml
+++ b/templates/docker-compose.yml
@ -2,42 +2,22 @@ version: "3.3"

 services:

-  traefik:
-    image: traefik:1.7-alpine
-    command: --docker # Tells Træfik to listen to docker
+  nginx:
+    image: nginx:1.17-alpine
    ports:
      - "80:80"     # The HTTP port
      - "443:443"   # The HTTPS port
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - ./volumes/traefik/acme.json:/etc/acme.json
-      - ./traefik.toml:/traefik.toml
-    depends_on:
-      - nginx
-    restart: "always"
-    # Required for view counter to work correctly
-    # https://github.com/Chocobozzz/PeerTube/issues/1643#issuecomment-464789666
-    network_mode: "host"
-    # If you want to use the Traefik dashboard, you should expose it on a 
-    # subdomain with HTTPS and authentification:
-    # https://medium.com/@xavier.priour/secure-traefik-dashboard-with-https-and-password-in-docker-5b657e2aa15f
-    # https://github.com/containous/traefik/issues/880#issuecomment-310301168
-
-  nginx:
-    image: nginx:1.15-alpine
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
+      - ./volumes/certbot/:/var/www/certbot/
+      - /etc/letsencrypt/:/etc/letsencrypt/:ro
      - ./volumes-large:/data-external:ro
-    labels:
-      - traefik.enable=true
-      - traefik.frontend.rule=Host:${PEERTUBE_WEBSERVER_HOSTNAME}
-      - traefik.port=9000
    depends_on:
      - peertube
    restart: "always"

  peertube:
-    image: chocobozzz/peertube:v1.3.0-rc.2-stretch
+    image: chocobozzz/peertube:v1.3.1-stretch
    env_file:
      - .env
    volumes:
--- a/templates/nginx.conf
+++ b/templates/nginx.conf
@ -3,16 +3,44 @@ events {
 }

 http {
+
+    server {
+        listen 80;
+        server_name {{domain}};
+        location /.well-known/acme-challenge/ {
+            root /var/www/certbot;
+        }
+        location / {
+            return 301 https://$host$request_uri;
+        }
+    }
+
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=peertube_cache:10m max_size={{ cache_size_gb }}g use_temp_path=off;

    server {
-        listen 9000;
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+        server_name {{domain}};

        # Block all requests from Gab instances
        if ($http_user_agent ~* "GabSocial") {
            return 404;
        }

+        ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
+
+        # Various TLS hardening settings
+        # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_prefer_server_ciphers on;
+        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+        ssl_session_timeout  10m;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_tickets off;
+        ssl_stapling on;
+        ssl_stapling_verify on;
+
        # Hide nginx version
        server_tokens off;

--- a/templates/traefik.toml
+++ b/templates/traefik.toml
@ -1,73 +0,0 @@
-# Uncomment this line in order to enable debugging through logs
-# debug = true
-defaultEntryPoints = ["http", "https"]
-
-[entryPoints]
-  [entryPoints.http]
-  address = ":80"
-    [entryPoints.http.redirect]
-    entryPoint = "https"
-  [entryPoints.https]
-  address = ":443"
-    [entryPoints.https.tls]
-    MinVersion = "VersionTLS12"
-    CurvePreferences = [
-      "CurveP521",
-      "CurveP384",
-      "CurveP256"
-    ]
-    PreferServerCipherSuites = true
-    CipherSuites = [
-      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
-      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
-      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
-      "TLS_RSA_WITH_AES_256_GCM_SHA384",
-      "TLS_RSA_WITH_AES_256_CBC_SHA"
-    ]
-
-# Enable ACME (Let's Encrypt): automatic SSL.
-[acme]
-
-# Email address used for registration.
-#
-# Required
-#
-email = "{{ letsencrypt_contact_email }}"
-
-# File or key used for certificates storage.
-#
-# Required
-#
-storage = "/etc/acme.json"
-# or `storage = "traefik/acme/account"` if using KV store.
-
-# Entrypoint to proxy acme apply certificates to.
-# WARNING, if the TLS-SNI-01 challenge is used, it must point to an entrypoint on port 443
-#
-# Required
-#
-entryPoint = "https"
-
-# Domains list.
-#
-[[acme.domains]]
-  main = "{{ domain }}"
-
-# Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge
-#
-# Optional but recommend
-#
-[acme.httpChallenge]
-
-  # EntryPoint to use for the challenges.
-  #
-  # Required
-  #
-  entryPoint = "http"
-
-[docker]
-endpoint = "unix:///var/run/docker.sock"
-watch = true
-exposedbydefault = false