forked from 0k/0k-charms
15 changed files with 706 additions and 0 deletions
@ -0,0 +1,94 @@ |
#+PROPERTY: Effort_ALL 0 0:30 1:00 2:00 0.5d 1d 1.5d 2d 3d 4d 5d |
#+PROPERTY: Max_effort_ALL 0 0:30 1:00 2:00 0.5d 1d 1.5d 2d 3d 4d 5d |
#+PROPERTY: header-args:python :var filename=(buffer-file-name) |
#+PROPERTY: header-args:sh :var filename=(buffer-file-name) |
#+LATEX_HEADER: \usepackage[margin=0.5in]{geometry} |
#+LaTeX_CLASS: article |
#+OPTIONS: H:8 ^:nil prop:("Effort" "Max_effort") tags:not-in-toc |
#+COLUMNS: %50ITEM %Effort(Min Effort) %Max_effort(Max Effort) |
#+begin_LaTeX |
\hypersetup{ |
linkcolor=blue, |
pdfborder={0 0 0 0} |
} |
#+end_LaTeX |
#+TITLE: Peertube charm management |
#+LATEX: \pagebreak |
Keep information related to the usage and the development of the charm. |
#+LATEX: \pagebreak |
#+LATEX: \pagebreak |
* Todos |
** TODO Logrotatability |
Peertube uses ``winston`` nodejs logging mecanism, and has what I |
understand, hard-written transports to file: |
Content of =server/helpers/logger.ts= |
#+BEGIN_SRC ts |
... |
const logger = winston.createLogger({ |
format: winston.format.combine( |
labelFormatter, |
winston.format.splat() |
), |
transports: [ |
new winston.transports.File({ |
filename: path.join(CONFIG.STORAGE.LOG_DIR, 'peertube.log'), |
handleExceptions: true, |
maxsize: 1024 * 1024 * 12, |
maxFiles: 5, |
format: winston.format.combine( |
winston.format.timestamp(), |
jsonLoggerFormat |
) |
}), |
new winston.transports.Console({ |
handleExceptions: true, |
format: winston.format.combine( |
timestampFormatter, |
winston.format.colorize(), |
consoleLoggerFormat |
) |
}) |
], |
exitOnError: true |
}) |
This will ensure some part of the rotation. Which is bad. |
We don't want peertube to manage the logs. So depending on what we |
want to do in the future with the managing of logs, I'll need to patch |
peertube to probably use only stdout, and/or send it to rsyslog. |
For now, situation of log rotation with all charm is using logrotate, |
but I know this might not be the perfect solution as I'd like to stick |
to =logs are streams=, and avoid having to find mecanism of reloading |
application after rotation. |
A good solution would be to use the stdout/stderr of the application, |
and have a generic solution using ``docker logs`` json output. |
** TODO changing root password |
This will probably require also a patch, as the password is set for |
user 'root' automatically and is to be read in the logs (duh !). |
We can't initialise the application (and ask for postgres table, and |
root user to be created, then quit). So we can't do that in the |
=hooks/init= script in a reasonable manner. |
There is a special ``npm run reset-password`` with odd arguments that |
can reset root password, only if database already populated. |
I need a patch to simply set password from base server configuration. |
@ -0,0 +1,20 @@ |
PEERTUBE_DB_USERNAME=postgres_user |
PEERTUBE_DB_PASSWORD=postgres_password |
# If you need more than one IP as trust_proxy |
# pass them as a comma separated array: |
#PEERTUBE_TRUST_PROXY=["", "loopback", ""] |
PEERTUBE_SMTP_FROM=noreply@domain.tld |
PEERTUBE_ADMIN_EMAIL=admin@domain.tld |
# /!\ Prefer to use the PeerTube admin interface to set the following configurations /!\ |
@ -0,0 +1,100 @@ |
FROM alpine:3.7 AS common |
RUN apk add gnupg ffmpeg |
# Add peertube user |
RUN addgroup -S peertube && \ |
adduser -S -G peertube -h /var/lib/peertube peertube |
FROM common AS builder |
## |
## Download target release |
## |
RUN apk add wget |
COPY ./*.patch /tmp |
RUN mkdir -p /opt/apps/peertube && \ |
cd /opt/apps/peertube && \ |
wget${PEERTUBE_RELEASE}/peertube-${PEERTUBE_RELEASE}.tar.xz && \ |
tar -xJf peertube-${PEERTUBE_RELEASE}.tar.xz && \ |
rm peertube-${PEERTUBE_RELEASE}.tar.xz && \ |
mv peertube-${PEERTUBE_RELEASE}/* . && \ |
rmdir peertube-${PEERTUBE_RELEASE} && \ |
cat /tmp/*.patch | patch -p1 && \ |
mkdir -p /etc/peertube /var/lib/peertube && \ |
ln -sf /var/lib/peertube /opt/apps/peertube/storage |
RUN apk add yarn ## Build command |
RUN apk add git build-base python bash ## Build deps |
RUN chown -R peertube:peertube /opt/apps/peertube |
USER peertube |
RUN cd /opt/apps/peertube && \ |
yarn install --production --pure-lockfile && \ |
yarn cache clean |
## XXXvlab: without this in current docker version, it'll |
## permeate in next image to be built. |
USER root |
# RUN apk add nodejs yarn |
# |
## Source build (very long) |
# |
# ## To download source |
# RUN apk add git |
# RUN git clone /tmp/peertube --depth 1 |
# ## for installation of dependencies |
# RUN apk add build-base python |
# RUN cd /tmp/peertube && \ |
# yarn install --pure-lockfile |
# ## for scripts run by ``npm run build`` |
# RUN apk add bash |
# RUN cd /tmp/peertube && \ |
# npm run build |
# RUN cd /tmp/peertube && \ |
# rm -r ./node_modules ./client/node_modules && \ |
# yarn install --pure-lockfile --production && \ |
# yarn cache clean |
FROM common |
# Install PeerTube |
COPY --from=builder /opt/apps/peertube /opt/apps/peertube |
# RUN mkdir -p /var/lib/peertube /etc/peertube && \ |
# chown -R peertube:peertube /var/lib/peertube /etc/peertube |
# ENV PEERTUBE_APP_DIR=/opt/apps/peertube |
# ENV PEERTUBE_DATA_DIR=/var/lib/peertube |
## This is important to set config dir of peertube |
ENV NODE_CONFIG_DIR=/etc/peertube |
VOLUME /var/lib/peertube |
VOLUME /etc/peertube |
EXPOSE 9000 |
RUN apk add nodejs-npm |
## runtime deps |
RUN apk add openssl |
USER peertube |
WORKDIR /opt/apps/peertube |
CMD ["npm", "start"] |
@ -0,0 +1,26 @@ |
diff --git a/dist/server/initializers/checker-before-init.js b/dist/server/initializers/checker-before-init.js
index 7ff18d0..c75dff2 100644
--- a/dist/server/initializers/checker-before-init.js
+++ b/dist/server/initializers/checker-before-init.js
@@ -15,7 +15,7 @@ function checkMissedConfig() {
const required = ['listen.port', 'listen.hostname', |
'webserver.https', 'webserver.hostname', 'webserver.port', |
'trust_proxy', |
- 'database.hostname', 'database.port', 'database.suffix', 'database.username', 'database.password', 'database.pool.max',
+ 'database.hostname', 'database.port', 'database.dbname', 'database.username', 'database.password', 'database.pool.max',
'smtp.hostname', 'smtp.port', 'smtp.username', 'smtp.password', 'smtp.tls', 'smtp.from_address', |
'storage.avatars', 'storage.videos', 'storage.logs', 'storage.previews', 'storage.thumbnails', 'storage.torrents', 'storage.cache', |
'log.level', |
diff --git a/dist/server/initializers/constants.js b/dist/server/initializers/constants.js
index d5a3350..7efaabd 100644
--- a/dist/server/initializers/constants.js
+++ b/dist/server/initializers/constants.js
@@ -143,7 +143,7 @@ const CONFIG = {
HOSTNAME: config.get('listen.hostname') |
}, |
- DBNAME: 'peertube' + config.get('database.suffix'),
+ DBNAME: config.get('database.dbname'),
HOSTNAME: config.get('database.hostname'), |
PORT: config.get('database.port'), |
USERNAME: config.get('database.username'), |
@ -0,0 +1,73 @@ |
version: "3.3" |
services: |
reverse-proxy: |
image: traefik |
command: --docker # Tells Træfik to listen to docker |
ports: |
- "80:80" # The HTTP port |
- "443:443" # The HTTPS port |
volumes: |
- /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events |
- ./docker-volume/traefik/acme.json:/etc/acme.json |
- ./docker-volume/traefik/traefik.toml:/traefik.toml |
restart: "always" |
# If you want to use the Traefik dashboard, you should expose it on a |
# subdomain with HTTPS and authentification: |
# |
# |
peertube: |
# If you don't want to use the official image and build one from sources |
# build: |
# context: . |
# dockerfile: ./support/docker/production/Dockerfile.stretch |
image: chocobozzz/peertube:production-stretch |
env_file: |
- .env |
# Traefik labels are suggested as an example for people using Traefik, |
# remove them if you are using another reverse proxy. |
labels: |
traefik.enable: "true" |
traefik.frontend.rule: "Host:${PEERTUBE_WEBSERVER_HOSTNAME}" |
traefik.port: "9000" |
# If you don't want to use a reverse proxy (not suitable for production!) |
# ports: |
# - "80:9000" |
volumes: |
- ./docker-volume/data:/data |
- ./docker-volume/config:/config |
depends_on: |
- postgres |
- redis |
- postfix |
restart: "always" |
postgres: |
image: postgres:10-alpine |
environment: |
POSTGRES_DB: peertube |
volumes: |
- ./docker-volume/db:/var/lib/postgresql/data |
restart: "always" |
labels: |
traefik.enable: "false" |
redis: |
image: redis:4-alpine |
volumes: |
- ./docker-volume/redis:/data |
restart: "always" |
labels: |
traefik.enable: "false" |
postfix: |
image: mwader/postfix-relay |
environment: |
labels: |
traefik.enable: "false" |
restart: "always" |
@ -0,0 +1,87 @@ |
#!/bin/bash |
## Init is run on host |
## For now it is run every time the script is launched, but |
## it should be launched only once after build. |
## Accessible variables are: |
## - SERVICE_NAME Name of current service |
## - DOCKER_BASE_IMAGE Base image from which this service might be built if any |
## - SERVICE_DATASTORE Location on host of the DATASTORE of this service |
## - SERVICE_CONFIGSTORE Location on host of the CONFIGSTORE of this service |
set -e |
peertube_uid=$(docker_get_uid "$SERVICE_NAME" "peertube") |
PEERTUBE_APP_DIR=/opt/apps/peertube |
PEERTUBE_DATA_DIR=/var/lib/peertube |
PEERTUBE_LOG_DIR=/var/log/peertube |
PEERTUBE_CACHE_DIR=/var/cache/peertube |
PEERTUBE_CONFIG_DIR=/etc/peertube |
mkdir -p "$HOST_CONFIG_DIR" |
## Always copy default and custom env configuration file, in cases where new keys were added |
ln -sf "$PEERTUBE_APP_DIR"/config/default.yaml "$HOST_CONFIG_DIR" |
cat <<EOF > "$HOST_CONFIG_DIR/local.yaml" |
listen: |
hostname: '' |
port: 9000 |
storage: |
avatars: '$PEERTUBE_DATA_DIR/avatars/' |
videos: '$PEERTUBE_DATA_DIR/videos/' |
redundancy: '$PEERTUBE_DATA_DIR/redundancy/' |
previews: '$PEERTUBE_DATA_DIR/previews/' |
thumbnails: '$PEERTUBE_DATA_DIR/thumbnails/' |
torrents: '$PEERTUBE_DATA_DIR/torrents/' |
captions: '$PEERTUBE_DATA_DIR/captions/' |
logs: '/var/log/peertube/' |
cache: '/var/cache/peertube/' |
tmp: '/var/tmp/peertube/' |
instance services import transcoding |
user signup admin cache redundancy |
trending search log |
) |
for section in "${VALID_SECTION[@]}"; do |
if val=$(options-get "$section" 2>/dev/null); then |
yaml_key_val_str "$section" "$val" |
fi |
done >> "$HOST_CONFIG_DIR/local.yaml" |
if ! [ -e "$HOST_DATA_DIR/config.json" ]; then |
touch "$HOST_DATA_DIR/config.json" |
fi |
ln -sf "$PEERTUBE_DATA_DIR"/config.json "$HOST_CONFIG_DIR/local-prod.json" |
dirs=(/var/tmp/peertube /var/cache/peertube |
host_dirs=() |
for dir in "${dirs[@]}"; do |
host_dirs+=("$SERVICE_DATASTORE$dir") |
done |
mkdir -p "${host_dirs[@]}" |
find "${host_dirs[@]}" \! -user "$peertube_uid" \ |
-exec chown -v "$peertube_uid" {} + || true |
true |
@ -0,0 +1,25 @@ |
#!/bin/bash |
set -e |
PEERTUBE_CONFIG_DIR=/etc/peertube |
PASSWORD="$(relation-get password)" |
USER="$(relation-get user)" |
DBNAME="$(relation-get dbname)" |
cat <<EOF >> "$HOST_CONFIG_DIR/local.yaml" |
database: |
hostname: '$TARGET_SERVICE_NAME' |
## We had to patch peertube to have a direct dbname (doh!) |
dbname: '$DBNAME' |
port: 5432 |
username: '$USER' |
password: '$PASSWORD' |
info "Configured $SERVICE_NAME code for $TARGET_SERVICE_NAME access." |
@ -0,0 +1,24 @@ |
#!/bin/bash |
set -e |
PEERTUBE_CONFIG_DIR=/etc/peertube |
password=$(relation-get password) || { |
err "Can't get password for '$SERVICE_NAME' from '$TARGET_SERVICE_NAME'." |
exit 1 |
} |
cat <<EOF >> "$HOST_CONFIG_DIR/local.yaml" |
## XXXvlab: to be added by redis relation |
redis: |
hostname: '$TARGET_SERVICE_NAME' |
port: 6379 |
auth: $password |
info "Configured $SERVICE_NAME code for $TARGET_SERVICE_NAME access." |
@ -0,0 +1,22 @@ |
#!/bin/bash |
set -e |
PEERTUBE_CONFIG_DIR=/etc/peertube |
domain=$(relation-get domain) || { |
err "Can't get domain value." |
exit 1 |
} |
cat <<EOF >> "$HOST_CONFIG_DIR/local.yaml" |
webserver: |
https: true |
hostname: '$domain' |
port: 443 |
info "Configured $SERVICE_NAME code for $TARGET_SERVICE_NAME access." |
@ -0,0 +1,135 @@ |
description: "PeerTube Server" |
maintainer: "Valentin Lab <>" |
## XXXvlab: docker uses the 'build' directory or the 'image:' option here. |
#docker-image: chocobozzz/peertube:production-stretch ## YYY: to save in our docker-registry |
data-resources: |
- /var/lib/peertube |
- /var/log/peertube |
- /var/cache/peertube |
config-resources: |
- /etc/peertube |
## XXXvlab: options here are the one provided to the server as |
## defaults BUT that can be changed from within the web |
## interface. |
default-options: |
# If enabled, the video will be transcoded to mp4 (x264) with "faststart" flag |
# In addition, if some resolutions are enabled the mp4 video file will be transcoded to these new resolutions. |
# Please, do not disable transcoding since many uploaded videos will not work |
transcoding: |
enabled: true |
threads: 1 |
resolutions: # Only created if the original video has a higher resolution, uses more storage! |
240p: true |
360p: true |
480p: true |
720p: true |
1080p: true |
import: |
# Add ability for your users to import remote videos (from YouTube, torrent...) |
videos: |
http: # Classic HTTP or all sites supported by youtube-dl |
enabled: true |
torrent: # Magnet URI or torrent file (use classic TCP/UDP/WebSeed to download the file) |
enabled: true |
signup: |
enabled: true |
uses: |
postgres-database: |
constraint: required |
auto: summon |
solves: |
database: "main storage" |
default-options: |
extensions: |
- pg_trgm |
- unaccent |
redis-database: |
constraint: required |
auto: summon |
solves: |
database: "short time storage" |
# log-rotate: |
# constraint: recommended |
# auto: pair |
# solves: |
# disk-leak: "/var/log/peertube" |
web-proxy: |
constraint: required |
auto: pair |
solves: |
proxy: "Public access" |
default-options: |
apache-custom-rules: |
- | |
## From |
Protocols h2 http/1.1 |
# HSTS (mod_headers is required) (63072000 seconds = 2 years) (only activate it knowingly) |
#Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" |
Header always set X-Content-Type-Options nosniff |
Header always set X-Robots-Tag none |
Header always set X-XSS-Protection "1; mode=block" |
# Hard limit, PeerTube does not support videos > 4GB |
LimitRequestBody 4294967294 |
# Set caching on assets for 1 year |
<FilesMatch ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$> |
Header append Cache-Control "public, max-age=31536000, immutable" |
</FilesMatch> |
AliasMatch ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ /var/www/peertube/peertube-latest/client/dist/$1 |
# Set caching on image files for 1 year |
<FilesMatch ^/static/(thumbnails|avatars)/(.*)$> |
Header append Cache-Control "public, max-age=31536000, immutable" |
</FilesMatch> |
AliasMatch ^/static/(thumbnails|avatars)/(.*)$ /var/www/peertube/storage/$1/$2 |
# Bypass PeerTube webseed route for better performances |
Alias /static/webseed /var/www/peertube/storage/videos |
<Location /static/webseed> |
# Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client |
SetOutputFilter RATE_LIMIT |
SetEnv rate-limit 800 |
SetEnvIf Request_Method "GET" GETMETH=1 |
Header set Access-Control-Allow-Origin "*" env=GETMETH |
Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=GETMETH |
Header set Access-Control-Allow-Methods "GET, OPTIONS" env=GETMETH |
Header set toto "foo" env=GETMETH |
SetEnvIf GETMETH "1" dontlog |
SetEnvIf Request_Method "OPTIONS" OPTIONSMETH=1 |
Header set Access-Control-Allow-Origin "*" env=OPTIONSMETH |
Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=OPTIONSMETH |
Header set Access-Control-Allow-Methods "GET, OPTIONS" env=OPTIONSMETH |
Header set Access-Control-Max-Age "1000" env=OPTIONSMETH |
Header set Content-Type "text/plain charset=UTF-8" env=OPTIONSMETH |
Header set Content-Length "0" env=OPTIONSMETH |
</Location> |
<Location /videos/embed> |
Header unset X-Frame-Options |
</Location> |
ProxyPreserveHost On |
ProxyRequests On |
ProxyTimeout 600 |
# Websocket tracker |
RewriteEngine On |
RewriteCond %{HTTP:Upgrade} websocket [NC] |
RewriteRule /(.*) ws://$1 [P,L] |
# <Location /> |
# ProxyPass |
# </Location> |
@ -0,0 +1,18 @@ |
## is a simple copy of postgres:10-alpine |
FROM as common |
RUN apk add redis |
RUN mkdir -p /var/lib/redis |
RUN chown -R redis:redis /var/lib/redis |
RUN echo -e "include /etc/redis-local.conf\n" >> /etc/redis.conf |
VOLUME ["/var/lib/redis"] |
# Expose the ports for redis |
EXPOSE 6379 |
USER redis |
ENTRYPOINT ["redis-server", "/etc/redis.conf"] |
@ -0,0 +1,59 @@ |
#!/bin/bash |
## Init is run on host |
## For now it is run every time the script is launched, but |
## it should be launched only once after build. |
## Accessible variables are: |
## - SERVICE_NAME Name of current service |
## - DOCKER_BASE_IMAGE Base image from which this service might be built if any |
## - SERVICE_DATASTORE Location on host of the DATASTORE of this service |
## - SERVICE_CONFIGSTORE Location on host of the CONFIGSTORE of this service |
set -e |
uid=$(docker_get_uid "$SERVICE_NAME" "redis") |
CONFIG=$SERVICE_CONFIGSTORE/etc/redis-local.conf |
PASSWORD=$(options-get password 2>/dev/null) || { |
if [ -e "$CONFIG" ]; then |
PASSWORD=$(grep ^requirepass "$CONFIG" | sed -r 's/^requirepass\s+(.+)$/\1/g') |
fi |
if [ -z "$ADMIN_PASSWORD" ]; then |
info "Generating odoo admin password" |
PASSWORD=$(gen_password 64) |
fi |
} |
mkdir -p "$(dirname "$CONFIG")" |
cat <<EOF > "$CONFIG" |
daemonize no |
loglevel notice |
logfile "" |
bind |
requirepass $PASSWORD |
chown -v "$uid" "$CONFIG" |
dirs=(/var/log/redis /var/lib/redis) |
host_dirs=() |
for dir in "${dirs[@]}"; do |
host_dirs+=("$SERVICE_DATASTORE$dir") |
done |
mkdir -p "${host_dirs[@]}" |
find "${host_dirs[@]}" \! -user "$uid" \ |
-exec chown -v "$uid" {} + || true |
config_hash=$(cat "$CONFIG" | md5_compat) || exit 1 |
init-config-add " |
labels: |
- compose.config_hash=$config_hash |
" |
@ -0,0 +1,12 @@ |
#!/bin/bash |
CONFIG=$SERVICE_CONFIGSTORE/etc/redis-local.conf |
set -e |
PASSWORD=$(grep ^requirepass "$CONFIG" | sed -r 's/^requirepass\s+(.+)$/\1/g') |
relation-set password "$PASSWORD" |
true |
@ -0,0 +1,9 @@ |
summary: "Redis server" |
maintainer: "Valentin Lab <>" |
data-resources: |
- /var/lib/redis |
- /var/log/redis |
config-resources: |
- /etc/redis-local.conf |
provides: |
redis-database: |
Reference in new issue