New role to install + upgrade PeerTube

This commit is contained in:
Mathieu Gauthier-Pilote 2023-04-07 09:07:59 -04:00
parent d35f2bcae7
commit 0535c40455
21 changed files with 1492 additions and 344 deletions


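--- /dev/null
+++ b/LISEZMOI.md
@@ -0,0 +1,49 @@
+peertube
+=====
+Ce rôle installe un serveur peertube.
+Notez qu'hormis le présent fichier LISEZMOI.md, tous les fichiers du rôle peertube sont rédigés en anglais afin de suivre les conventions de la communauté Ansible, favoriser sa réutilisation et son amélioration, etc. Libre à vous cependant de faire appel à ce role dans un playbook rédigé principalement en français ou toute autre langue.
+Requis
+------
+...
+Variables du rôle
+-----------------
+Plusieurs des valeurs par défaut dans defaults/main.yml doivent être changées soit directement dans defaults/main.yml ou mieux encore en les supplantant ailleurs, par exemple dans votre playbook (voir l'exemple ci-bas).
+Dépendances
+------------
+Ce rôle Ansible dépend des rôles suivants :
+- nodejs
+Exemple de playbook
+-------------------
+```
+- name: "Déployer un serveur peertube"
+hosts:
+- all
+vars:
+# Supplanter ici les variables du rôle
+domains: ['votre-vrai-domaine.org']
+service: 'mon-peertube'
+roles:
+- { role: webapps/peertube , tags: "peertube" }
+```
+Licence
+-------
+GPLv3
+Infos sur l'auteur
+------------------
+Mathieu Gauthier-Pilote, administrateur de systèmes chez Evolix.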


@ -1,10 +1,49 @@
# Peertube
peertube
=====
This depends on the following roles
This role installs or upgrades the server for peertube.
- certbot
- evolinux-base
- nginx
- nodejs
- postgresql
- redis
FRENCH: Voir le fichier LISEZMOI.md pour le français.
Requirements
------------
...
Role Variables
--------------
Several of the default values in defaults/main.yml must be changed either directly in defaults/main.yml or better even by overwriting them somewhere else, for example in your playbook (see the example below).
Dependencies
------------
This Ansible role depends on the following other roles:
- nodejs
Example Playbook
----------------
```
- name: "Deploy a peertube server"
hosts:
- all
vars:
# Overwrite the role variables here
domains: ['your-real-domain.org']
service: 'my-peertube'
roles:
- { role: webapps/peertube , tags: "peertube" }
```
License
-------
GPLv3
Author Information
------------------
Mathieu Gauthier-Pilote, sys. admin. at Evolix.


@ -1,18 +1,14 @@
---
peertube_version: "latest-24"
peertube_archive_name: "{{ peertube_version }}.tar.bz2"
peertube_releases_baseurl: ""
peertube_instance_name: "peertube"
peertube_user: "{{ peertube_instance_name }}"
peertube_domains: []
peertube_home: "/home/{{ peertube_user }}"
peertube_webroot: "{{ peertube_home }}/peertube"
peertube_data: "{{ peertube_webroot }}/data"
peertube_db_user: "{{ peertube_user }}"
peertube_db_name: "{{ peertube_instance_name }}"
peertube_admin_login: "admin"
peertube_admin_password: ""
# defaults file for vars
system_dep: "['curl', 'python3-dev', 'python-is-python3', 'python3-psycopg2','certbot', 'nginx', 'ffmpeg', 'postgresql', 'postgresql-contrib', 'openssl', 'g++', 'make', 'redis-server', 'git', 'unzip', 'acl']"
version: 'v5.1.0'
download_url: "https://github.com/Chocobozzz/PeerTube/releases/download/{{ version }}/peertube-{{ version }}.zip"
domains: ['example.domain.org']
service_home: '/var/www/peertube'
db_host: 'localhost'
db_port: '5432'
db_name: "{{ service }}"
db_user: "{{ service }}"
db_password: 'UQ6_CHANGE_ME_Gzb'
pt_secret: 'd98a73_CHANGE_ME_c00c7c'
pt_host: '127.0.0.1:9000'
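Review bot: `db_password` and `pt_secret` ship with non-empty placeholder values, so a playbook that forgets to override them still deploys a working instance whose database credential and signing secret are public in this repository; the defaults removed by this commit left `peertube_admin_password` empty, which at least made a missing override detectable. Prefer empty defaults plus an early `assert` (or `| mandatory` where they are consumed in install.yml and production.yaml.j2) so the play fails instead of installing known secrets, e.g. `db_password: ''` and `pt_secret: ''`. `system_dep` is a quoted string holding a Python list literal rather than a YAML sequence; `apt: name:` wants a list, and relying on Ansible to re-evaluate the rendered string is fragile across versions, so write it as a block sequence without the outer quotes. `version` / `download_url` also have no companion checksum value; see the note on install.yml.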


@ -1,15 +1,2 @@
---
- name: reload php-fpm
service:
name: php7.3-fpm
state: reloaded
- name: reload nginx
service:
name: nginx
state: reloaded
- name: reload apache
service:
name: apache2
state: reloaded
# handlers file


@ -1 +1,52 @@
---
galaxy_info:
author: Mathieu Gauthier-Pilote
description: sys. admin.
company: Evolix
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license GPL-3.0-only
min_ansible_version: 2.10
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
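Review bot: `license: license GPL-3.0-only` repeats the key name inside the value; the Galaxy field expects the SPDX identifier alone, `license: GPL-3.0-only`. `min_ansible_version: 2.10` is an unquoted float and parses as 2.1; quote it, `min_ansible_version: "2.10"`. `dependencies: []` also disagrees with the README in this same commit, which states the role depends on `nodejs` — either list it here or say in the README that the playbook must provide it.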


@ -1,33 +0,0 @@
---
- name: "Get PHP Version"
shell: 'php -v | grep "PHP [0-9]." | sed -E "s/PHP ([0-9]\.[0-9]).*/\1/g;"'
register: shell_php
check_mode: no
- name: "Set variables"
set_fact:
php_version: "{{ shell_php.stdout }}"
- name: Apply specific PHP settings (apache)
ini_file:
path: "/etc/php/{{ php_version }}/apache2/conf.d/zzz-evolinux-custom.ini"
section: ''
option: "{{ item.option }}"
value: "{{ item.value }}"
notify: reload apache
with_items:
- {option: 'allow_url_fopen', value: 'On'}
- {option: 'disable_functions', value: ''}
- {option: 'max_execution_time', value: '300'}
- {option: 'memory_limit', value: '512M'}
- name: Apply specific PHP settings (cli)
ini_file:
path: "/etc/php/{{ php_version }}/cli/conf.d/zzz-evolinux-custom.ini"
section: ''
option: "{{ item.option }}"
value: "{{ item.value }}"
with_items:
- {option: 'allow_url_fopen', value: 'On'}
- {option: 'apc.enable_cli', value: 'On'}


@ -1,23 +0,0 @@
---
- name: Copy Apache vhost
template:
src: apache-vhost.conf.j2
dest: "/etc/apache2/sites-available/{{ nextcloud_instance_name }}.conf"
mode: "0640"
notify: reload apache
tags:
- nextcloud
- name: Enable Apache vhost
file:
src: "/etc/apache2/sites-available/{{ nextcloud_instance_name }}.conf"
dest: "/etc/apache2/sites-enabled/{{ nextcloud_instance_name }}.conf"
state: link
notify: reload apache
tags:
- nextcloud
# - name: Generate ssl config
# shell:
# cmd: "/usr/local/sbin/vhost-domains {{ nextcloud_instance_name }} | /usr/local/sbin/make-csr {{ nextcloud_instance_name }}"
# creates: "/etc/nginx/ssl/{{ nextcloud_instance_name }}.conf"


@ -1,37 +0,0 @@
---
- name: Retrieve Nextcloud archive
get_url:
url: "{{ nextcloud_releases_baseurl }}{{ nextcloud_archive_name }}"
dest: "{{ nextcloud_home }}/{{ nextcloud_archive_name }}"
force: no
tags:
- nextcloud
- name: Retrieve Nextcloud sha256 checksum
get_url:
url: "{{ nextcloud_releases_baseurl }}{{ nextcloud_archive_name }}.sha256"
dest: "{{ nextcloud_home }}/{{ nextcloud_archive_name }}.sha256"
force: no
tags:
- nextcloud
- name: Verify Nextcloud sha256 checksum
command: "sha256sum -c {{ nextcloud_archive_name }}.sha256"
changed_when: "False"
args:
chdir: "{{ nextcloud_home }}"
tags:
- nextcloud
- name: Extract Nextcloud archive
unarchive:
src: "{{ nextcloud_home }}/{{ nextcloud_archive_name }}"
dest: "{{ nextcloud_home }}"
creates: "{{ nextcloud_home }}/nextcloud"
remote_src: True
mode: "0750"
owner: "{{ nextcloud_user }}"
group: "{{ nextcloud_user }}"
tags:
- nextcloud


@ -1,81 +0,0 @@
---
- block:
- name: Generate admin password
command: 'apg -n 1 -m 16 -M lcN'
register: nextcloud_admin_password_apg
check_mode: no
changed_when: False
- debug:
var: nextcloud_admin_password_apg
- set_fact:
nextcloud_admin_password: "{{ nextcloud_admin_password_apg.stdout }}"
tags:
- nextcloud
when: nextcloud_admin_password | length == 0
- name: Get Nextcloud Status
shell: "php ./occ status --output json | grep -v 'Nextcloud is not installed'"
args:
chdir: "{{ nextcloud_webroot }}"
become_user: "{{ nextcloud_user }}"
register: nc_status
check_mode: no
tags:
- nextcloud
- name: Install Nextcloud
command: "php ./occ maintenance:install --database mysql --database-name {{ nextcloud_db_name | mandatory }} --database-user {{ nextcloud_db_user | mandatory }} --database-pass {{ nextcloud_db_pass | mandatory }} --admin-user {{ nextcloud_admin_login | mandatory }} --admin-pass {{ nextcloud_admin_password | mandatory }} --data-dir {{ nextcloud_data | mandatory }}"
args:
chdir: "{{ nextcloud_webroot }}"
creates: "{{ nextcloud_home }}/config/config.php"
become_user: "{{ nextcloud_user }}"
when: (nc_status.stdout | from_json).installed == false
tags:
- nextcloud
- name: Configure Nextcloud Mysql password
replace:
dest: "{{ nextcloud_home }}/nextcloud/config/config.php"
regexp: "'dbpassword' => '([^']*)',"
replace: "'dbpassword' => '{{ nextcloud_db_pass }}',"
tags:
- nextcloud
- name: Configure Nextcloud cron
cron:
name: 'Nextcloud'
minute: "*/5"
job: "php -f {{ nextcloud_webroot }}/cron.php"
user: "{{ nextcloud_user }}"
tags:
- nextcloud
- name: Erase previously trusted domains config
command: "php ./occ config:system:set trusted_domains"
args:
chdir: "{{ nextcloud_webroot }}"
become_user: "{{ nextcloud_user }}"
tags:
- nextcloud
- name: Configure trusted domains
command: "php ./occ config:system:set trusted_domains {{ item.0 }} --value {{ item.1 }}"
args:
chdir: "{{ nextcloud_webroot }}"
with_indexed_items:
- "{{ nextcloud_domains }}"
become_user: "{{ nextcloud_user }}"
tags:
- nextcloud
#- name: Configure memcache local to APCu
# command: "php ./occ config:system:set memcache.local --value '\\OC\\Memcache\\APCu'"
# args:
# chdir: "{{ nextcloud_webroot }}"
# become_user: "{{ nextcloud_user }}"
# tags:
# - nextcloud


@ -1,24 +1,143 @@
---
- name: Install dependencies
apt:
# tasks file for peertube install
- name: Add bullseye-backports repo into sources list (for redis)
apt_repository:
repo: deb http://mirror.evolix.org/debian bullseye-backports main
state: present
name:
- ffmpeg
- python3-dev
- python-is-python3
- g++
- make
tags:
- peertube
- include: apache-system.yml
- name: Install main system dependencies
apt:
name: "{{ system_dep }}"
- include: user.yml
- name: Upgrade redis-server to the latest version from bullseye-backports
apt:
name: redis-server
state: latest
default_release: bullseye-backports
update_cache: yes
- include: archive.yml
- name: Add UNIX account
user:
name: "{{ service }}"
home: "{{ service_home }}"
shell: /bin/bash
- include: apache-vhost.yml
- name: Add PostgreSQL user
postgresql_user:
name: "{{ db_user }}"
password: "{{ db_password }}"
no_password_changes: true
become_user: postgres
- include: mysql-user.yml
- name: Add PostgreSQL database
postgresql_db:
name: "{{ db_name }}"
owner: "{{ db_user }}"
template: template0
encoding: UTF-8
become_user: postgres
- include: config.yml
- name: Add dirs required by peertube
file:
path: "{{ item }}"
state: directory
loop:
- "~/config"
- "~/storage"
- "~/versions"
become_user: "{{ service }}"
- name: Unarchive peertube archive
unarchive:
src: "{{ download_url }}"
dest: ~/versions
remote_src: yes
become_user: "{{ service }}"
- name: Symbolic link to unarchived version
file:
src: "~/versions/peertube-{{ version }}"
dest: "~/peertube-latest"
state: link
become_user: "{{ service }}"
- name: Install PeerTube nodejs deps (via yarn)
shell: "yarn install --production --pure-lockfile"
args:
chdir: "~/peertube-latest"
become_user: "{{ service }}"
- name: Copy default.yaml to prod dir
copy:
src: "~/peertube-latest/config/default.yaml"
dest: "~/config/default.yaml"
remote_src: true
become_user: "{{ service }}"
- name: Template peertube conf file
template:
src: "production.yaml.j2"
dest: "~/config/production.yaml"
become_user: "{{ service }}"
- name: Template peertube systemd unit
template:
src: "peertube.service.j2"
dest: "/etc/systemd/system/{{ service }}.service"
- name: Start peertube systemd unit
service:
name: "{{ service }}"
enabled: true
state: started
#~ - name: Check if SSL certificate is present and register result
#~ stat:
#~ path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
#~ register: ssl
#~ - name: Generate certificate only if required (first time)
#~ block:
#~ - name: Template vhost without SSL for successfull LE challengce
#~ template:
#~ src: "vhost.conf.j2"
#~ dest: "/etc/nginx/sites-available/{{ service }}.conf"
#~ - name: Enable temporary nginx vhost for peertube
#~ file:
#~ src: "/etc/nginx/sites-available/{{ service }}.conf"
#~ dest: "/etc/nginx/sites-enabled/{{ service }}.conf"
#~ state: link
#~ - name: Reload nginx conf
#~ service:
#~ name: nginx
#~ state: reloaded
#~ - name: Make sure /var/lib/letsencrypt exists and has correct permissions
#~ file:
#~ path: /var/lib/letsencrypt
#~ state: directory
#~ mode: '0755'
#~ - name: Generate certificate with certbot
#~ shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt -d {{ domains |first }}
#~ when: ssl.stat.exists == true
#~ - name: (Re)check if SSL certificate is present and register result
#~ stat:
#~ path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
#~ register: ssl
- name: (Re)template conf file for nginx vhost with SSL
template:
src: "vhost.conf.j2"
dest: "/etc/nginx/sites-available/{{ service }}.conf"
- name: Enable nginx vhost for peertube
file:
src: "/etc/nginx/sites-available/{{ service }}.conf"
dest: "/etc/nginx/sites-enabled/{{ service }}.conf"
state: link
- name: Reload nginx conf
service:
name: nginx
state: reloaded
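Review bot: The `Unarchive peertube archive` task fetches `{{ download_url }}` straight from GitHub and unpacks it with no integrity check, so the code that ends up running as `{{ service }}` is whatever the download returned; the archive.yml removed by this commit had a sha256 verification step for the same job, and the upgrade.yml hunk repeats the unverified fetch. Download with `get_url` and a pinned `checksum:` (a new `download_sha256` default next to `download_url`, name constructed here) and unarchive the local file, as sketched below. Separately, the `~/versions`, `~/peertube-latest` and `~/config` targets depend on the remote HOME of whichever account the task really runs as — `become_user` only takes effect when `become` is enabled — and `service_home` already exists, so `{{ service_home }}/…` would make the destination unambiguous. The final nginx reload is unconditional and runs on every play; with the handlers file emptied in this commit, a `notify` on the vhost template task is the idiomatic replacement.
```yaml
- name: Download peertube release archive and verify its checksum
  get_url:
    url: "{{ download_url }}"
    dest: "{{ service_home }}/versions/peertube-{{ version }}.zip"
    checksum: "sha256:{{ download_sha256 }}"  # download_sha256: new default, pinned per version
  become_user: "{{ service }}"

- name: Unarchive peertube archive
  unarchive:
    src: "{{ service_home }}/versions/peertube-{{ version }}.zip"
    dest: "{{ service_home }}/versions"
    remote_src: yes
  become_user: "{{ service }}"

# … unchanged: symlink, yarn install, config templating, systemd unit, nginx vhost …
```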


@ -1,40 +0,0 @@
---
- name: Create a new database
community.postgresql.postgresql_db:
name: "{{ peertube_db_name }}"
tags:
- peertube
- name: Generate Postgres password
command: 'apg -n 1 -m 16 -M lcN'
register: peertube_db_pass_apg
check_mode: no
changed_when: False
tags:
- peertube
- name: Connect to peertube database, create peertube user, and grant access to database
community.postgresql.postgresql_user:
db: "{{ peertube_db_name }}"
name: "{{ peertube_db_user }}"
password: "{{ peertube_db_pass_apg.stdout }}"
priv: "ALL"
tags:
- peertube
- name: Store credentials in my.cnf
ini_file:
dest: "{{ nextcloud_home }}/.my.cnf"
owner: "{{ nextcloud_user }}"
group: "{{ nextcloud_user }}"
mode: "0600"
section: client
option: "{{ item.option }}"
value: "{{ item.value }}"
loop:
- { option: "user", value: "{{ nextcloud_db_user }}" }
- { option: "database", value: "{{ nextcloud_db_name }}" }
- { option: "password", value: "{{ nextcloud_db_pass }}" }
tags:
- nextcloud


@ -0,0 +1,75 @@
---
# tasks file for peertube upgrade
- name: Stop peertube systemd unit
service:
name: "{{ service }}"
state: stopped
- name: Dump database to a file with compression
postgresql_db:
name: "{{ db_name }}"
state: dump
target: "~/{{ db_name }}.sql.gz"
become_user: postgres
- name: Unarchive new peertube archive
unarchive:
src: "{{ download_url }}"
dest: ~/versions
remote_src: yes
become_user: "{{ service }}"
- name: Symbolic link to new version
file:
src: "~/versions/peertube-{{ version }}"
dest: "~/peertube-latest"
state: link
become_user: "{{ service }}"
- name: Install PeerTube nodejs deps (via yarn)
shell: "yarn install --production --pure-lockfile"
args:
chdir: "~/peertube-latest"
become_user: "{{ service }}"
- name: Copy default.yaml to prod dir
copy:
src: "~/peertube-latest/config/default.yaml"
dest: "~/config/default.yaml"
remote_src: true
become_user: "{{ service }}"
- name: Template peertube conf file
template:
src: "production.yaml.j2"
dest: "~/config/production.yaml"
become_user: "{{ service }}"
- name: Restart peertube systemd unit
systemd:
name: "{{ service }}"
daemon_reload: true
state: restarted
- name: Retemplate conf file for nginx vhost
template:
src: "vhost.conf.j2"
dest: "/etc/nginx/sites-available/{{ service }}.conf"
- name: Reload nginx conf
service:
name: nginx
state: reloaded
- name: Define variable to skip next task by default
set_fact:
keep_db_dump: true
- name: Remove database dump
file:
path: "~/{{ db_name }}.sql.gz"
state: absent
become_user: postgres
when: keep_db_dump is undefined
tags: clean
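Review bot: The unit is stopped in the first task, before the new archive is downloaded and unpacked, so any failure in `Unarchive new peertube archive` (a wrong `version`, GitHub unreachable) leaves the instance down with nothing to restart. Fetch and unpack the new release first, then stop the service, dump the database, move the `peertube-latest` symlink, run yarn and restart, so the downtime window only covers steps that cannot fail on the network; the download here is also unverified, see the note on install.yml. The `keep_db_dump` / `when: keep_db_dump is undefined` pair is hard to read: in a normal run the `set_fact` always defines the variable, so the removal can only ever execute via `--tags clean`; a comment stating exactly that, or a plain `keep_db_dump: true` in defaults/main.yml with `when: not keep_db_dump`, says the same thing directly. The dump holds the whole instance database and is written to the postgres user's home with no explicit mode; consider setting a restrictive one.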


@ -1,33 +0,0 @@
---
- name: Create {{ peertube_user }} unix group
group:
name: "{{ peertube_user | mandatory }}"
state: present
tags:
- peertube
- name: Create {{ peertube_user | mandatory }} unix user
user:
name: "{{ peertube_user | mandatory }}"
group: "{{ peertube_user | mandatory }}"
home: "{{ peertube_home | mandatory }}"
shell: '/bin/bash'
create_home: True
state: present
mode: "0755"
tags:
- peertube
- name: Create top-level directories
file:
dest: "{{ item }}"
state: directory
mode: "0700"
owner: "{{ peertube_user }}"
group: "{{ peertube_user }}"
loop:
- "{{ peertube_home }}/log"
- "{{ peertube_home }}/tmp"
- "{{ peertube_home }}/data"
tags:
- peertube


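--- a/apache-vhost.conf.j2
+++ /dev/null
@@ -1,41 +0,0 @@
-<VirtualHost *:80 *:443>
-ServerName {{ nextcloud_domains[0] }}
-{% for domain_alias in nextcloud_domains[1:] %}
-ServerAlias {{ domain_alias }}
-{% endfor %}
-# SSLEngine on
-# SSLCertificateFile /etc/letsencrypt/live/{{ nextcloud_instance_name }}/fullchain.pem
-# SSLCertificateKeyFile /etc/letsencrypt/live/{{ nextcloud_instance_name }}/privkey.pem
-DocumentRoot {{ nextcloud_webroot }}/
-<Directory {{ nextcloud_webroot }}/>
-Require all granted
-AllowOverride All
-Options FollowSymLinks MultiViews
-<IfModule mod_dav.c>
-Dav off
-</IfModule>
-</Directory>
-# SSL Redirect
-# RewriteEngine On
-# RewriteCond %{HTTPS} !=on
-# RewriteCond %{HTTP:X-Forwarded-Proto} !=https
-# RewriteRule ^ https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]
-# ITK
-AssignUserID {{ nextcloud_user }} {{ nextcloud_user }}
-# LOG
-CustomLog /var/log/apache2/access.log vhost_combined
-ErrorLog /var/log/apache2/error.log
-# PHP
-php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f {{ nextcloud_user }}"
-php_admin_value open_basedir "/usr/share/php:{{ nextcloud_home }}:/tmp"
-</VirtualHost>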


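--- /dev/null
+++ b/<sysctl-snippet-path-not-shown-on-page>
@@ -0,0 +1,8 @@
+# In a video server, we are often sending files to a client
+# which can't accept it as fast as our local network connection
+# could produce packets. To prevent packet loss and buffer bloat,
+# it's especially important to use a modern CoDel scheduler which
+# knows how to delay outgoing packets to match slower client links.
+net.core.default_qdisc = fq_codel
+net.ipv4.tcp_congestion_control = bbr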
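Review bot: `net.ipv4.tcp_congestion_control = bbr` only applies if the `tcp_bbr` module is available and loaded when this file is read; on Debian kernels BBR is typically built as a module, so without a matching `/etc/modules-load.d` entry (or a `modprobe tcp_bbr` before the sysctl is applied) the setting is rejected and only the qdisc line above takes effect. Nothing in the install.yml hunk of this commit deploys this file, so as far as the visible tasks go it is unused; if that is intended, a comment saying where it is meant to be installed would help. Suggested header comment: `# Requires the tcp_bbr kernel module to be loaded first (e.g. modules-load.d); check with: sysctl net.ipv4.tcp_available_congestion_control`.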


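--- /dev/null
+++ b/peertube.service.j2
@@ -0,0 +1,35 @@
+[Unit]
+Description=PeerTube daemon
+After=network.target postgresql.service redis-server.service
+[Service]
+Type=simple
+Environment=NODE_ENV=production
+Environment=NODE_CONFIG_DIR={{ service_home }}/config
+User={{ service }}
+Group={{ service }}
+ExecStart=/usr/bin/node dist/server
+WorkingDirectory={{ service_home }}/peertube-latest
+SyslogIdentifier=peertube
+Restart=always
+; Some security directives.
+; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
+ProtectSystem=full
+; Sets up a new /dev mount for the process and only adds API pseudo devices
+; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled
+; by default because it may not work on devices like the Raspberry Pi.
+PrivateDevices=false
+; Ensures that the service process and all its children can never gain new
+; privileges through execve().
+NoNewPrivileges=true
+; This makes /home, /root, and /run/user inaccessible and empty for processes invoked
+; by this unit. Make sure that you do not depend on data inside these folders.
+ProtectHome=true
+; Drops the sys admin capability from the daemon.
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+[Install]
+WantedBy=multi-user.target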
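Review bot: `ProtectHome=true` makes /home, /root and /run/user empty for the daemon, so if a playbook overrides `service_home` to a path under /home (the defaults removed by this commit used `/home/{{ peertube_user }}`), `NODE_CONFIG_DIR` and `WorkingDirectory` become unreadable and the unit fails at start with no hint in this template. Either document the constraint next to the directive, `; ProtectHome=true: service_home must not live under /home, /root or /run/user`, or render `ProtectHome=read-only` plus `ReadWritePaths={{ service_home }}` when it does. Since the process already runs as an unprivileged user with `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectKernelTunables=true` would be cheap additions in the same spirit as the existing directives.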


@ -0,0 +1,790 @@
listen:
hostname: '127.0.0.1'
port: 9000
# Correspond to your reverse proxy server_name/listen configuration (i.e., your public PeerTube instance URL)
webserver:
https: false
hostname: '{{ domains| first }}'
port: 80
# Secrets you need to generate the first time you run PeerTube
secrets:
# Generate one using `openssl rand -hex 32`
peertube: '{{ pt_secret }}'
rates_limit:
api:
# 50 attempts in 10 seconds
window: 10 seconds
max: 50
login:
# 15 attempts in 5 min
window: 5 minutes
max: 15
signup:
# 2 attempts in 5 min (only succeeded attempts are taken into account)
window: 5 minutes
max: 2
ask_send_email:
# 3 attempts in 5 min
window: 5 minutes
max: 3
receive_client_log:
# 10 attempts in 10 min
window: 10 minutes
max: 10
oauth2:
token_lifetime:
access_token: '1 day'
refresh_token: '2 weeks'
# Proxies to trust to get real client IP
# If you run PeerTube just behind a local proxy (nginx), keep 'loopback'
# If you run PeerTube behind a remote proxy, add the proxy IP address (or subnet)
trust_proxy:
- 'loopback'
# Your database name will be database.name OR 'peertube'+database.suffix
database:
hostname: '{{ db_host }}'
port: {{ db_port }}
ssl: false
suffix: ''
name: '{{ db_name }}'
username: '{{ db_user }}'
password: '{{ db_password }}'
pool:
max: 5
# Redis server for short time storage
# You can also specify a 'socket' path to a unix socket but first need to
# set 'hostname' and 'port' to null
redis:
hostname: 'localhost'
port: 6379
auth: null
db: 0
# SMTP server to send emails
smtp:
# smtp or sendmail
transport: smtp
# Path to sendmail command. Required if you use sendmail transport
sendmail: null
hostname: null
port: 465 # If you use StartTLS: 587
username: null
password: null
tls: true # If you use StartTLS: false
disable_starttls: false
ca_file: null # Used for self signed certificates
from_address: 'admin@example.com'
email:
body:
signature: 'PeerTube'
subject:
prefix: '[PeerTube]'
# Update default PeerTube values
# Set by API when the field is not provided and put as default value in client
defaults:
# Change default values when publishing a video (upload/import/go Live)
publish:
download_enabled: true
comments_enabled: true
# public = 1, unlisted = 2, private = 3, internal = 4
privacy: 1
# CC-BY = 1, CC-SA = 2, CC-ND = 3, CC-NC = 4, CC-NC-SA = 5, CC-NC-ND = 6, Public Domain = 7
# You can also choose a custom licence value added by a plugin
# No licence by default
licence: null
p2p:
# Enable P2P by default in PeerTube client
# Can be enabled/disabled by anonymous users and logged in users
webapp:
enabled: true
# Enable P2P by default in PeerTube embed
# Can be enabled/disabled by URL option
embed:
enabled: true
# From the project root directory
storage:
tmp: '/var/www/peertube/storage/tmp/' # Use to download data (imports etc), store uploaded files before and during processing...
bin: '/var/www/peertube/storage/bin/'
avatars: '/var/www/peertube/storage/avatars/'
videos: '/var/www/peertube/storage/videos/'
streaming_playlists: '/var/www/peertube/storage/streaming-playlists/'
redundancy: '/var/www/peertube/storage/redundancy/'
logs: '/var/www/peertube/storage/logs/'
previews: '/var/www/peertube/storage/previews/'
thumbnails: '/var/www/peertube/storage/thumbnails/'
torrents: '/var/www/peertube/storage/torrents/'
captions: '/var/www/peertube/storage/captions/'
cache: '/var/www/peertube/storage/cache/'
plugins: '/var/www/peertube/storage/plugins/'
well_known: '/var/www/peertube/storage/well-known/'
# Overridable client files in client/dist/assets/images:
# - logo.svg
# - favicon.png
# - default-playlist.jpg
# - default-avatar-account.png
# - default-avatar-video-channel.png
# - and icons/*.png (PWA)
# Could contain for example assets/images/favicon.png
# If the file exists, peertube will serve it
# If not, peertube will fallback to the default file
client_overrides: '/var/www/peertube/storage/client-overrides/'
static_files:
# Require and check user authentication when accessing private files (internal/private video files)
private_files_require_auth: true
object_storage:
enabled: false
# Without protocol, will default to HTTPS
endpoint: '' # 's3.amazonaws.com' or 's3.fr-par.scw.cloud' for example
region: 'us-east-1'
upload_acl:
# Set this ACL on each uploaded object of public/unlisted videos
# Use null if your S3 provider does not support object ACL
public: 'public-read'
# Set this ACL on each uploaded object of private/internal videos
# PeerTube can proxify requests to private objects so your users can access them
# Use null if your S3 provider does not support object ACL
private: 'private'
proxy:
# If private files (private/internal video files) have a private ACL, users can't access directly the ressource
# PeerTube can proxify requests between your object storage service and your users
# If you disable PeerTube proxy, ensure you use your own proxy that is able to access the private files
# Or you can also set a public ACL for private files in object storage if you don't want to use a proxy
proxify_private_files: true
credentials:
# You can also use AWS_ACCESS_KEY_ID env variable
access_key_id: ''
# You can also use AWS_SECRET_ACCESS_KEY env variable
secret_access_key: ''
# Maximum amount to upload in one request to object storage
max_upload_part: 100MB
streaming_playlists:
bucket_name: 'streaming-playlists'
# Allows setting all buckets to the same value but with a different prefix
prefix: '' # Example: 'streaming-playlists:'
# Base url for object URL generation, scheme and host will be replaced by this URL
# Useful when you want to use a CDN/external proxy
base_url: '' # Example: 'https://mirror.example.com'
# Same settings but for webtorrent videos
videos:
bucket_name: 'videos'
prefix: ''
base_url: ''
log:
level: 'info' # 'debug' | 'info' | 'warn' | 'error'
rotation:
enabled : true # Enabled by default, if disabled make sure that 'storage.logs' is pointing to a folder handled by logrotate
max_file_size: 12MB
max_files: 20
anonymize_ip: false
log_ping_requests: true
log_tracker_unknown_infohash: true
prettify_sql: false
# Accept warn/error logs coming from the client
accept_client_log: true
# Support of Open Telemetry metrics and tracing
# For more information: https://docs.joinpeertube.org/maintain/observability
open_telemetry:
metrics:
enabled: false
http_request_duration:
# You can disable HTTP request duration metric that can have a high tag cardinality
enabled: true
# Create a prometheus exporter server on this port so prometheus server can scrape PeerTube metrics
prometheus_exporter:
hostname: '127.0.0.1'
port: 9091
tracing:
enabled: false
# Send traces to a Jaeger compatible endpoint
jaeger_exporter:
endpoint: ''
trending:
videos:
interval_days: 7 # Compute trending videos for the last x days for 'most-viewed' algorithm
algorithms:
enabled:
- 'hot' # Adaptation of Reddit's 'Hot' algorithm
- 'most-viewed' # Number of views in the last x days
- 'most-liked' # Global views since the upload of the video
default: 'most-viewed'
# Cache remote videos on your server, to help other instances to broadcast the video
# You can define multiple caches using different sizes/strategies
# Once you have defined your strategies, choose which instances you want to cache in admin -> manage follows -> following
redundancy:
videos:
check_interval: '1 hour' # How often you want to check new videos to cache
strategies: # Just uncomment strategies you want
# -
# size: '10GB'
# # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
# min_lifetime: '48 hours'
# strategy: 'most-views' # Cache videos that have the most views
# -
# size: '10GB'
# # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
# min_lifetime: '48 hours'
# strategy: 'trending' # Cache trending videos
# -
# size: '10GB'
# # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
# min_lifetime: '48 hours'
# strategy: 'recently-added' # Cache recently added videos
# min_views: 10 # Having at least x views
# Other instances that duplicate your content
remote_redundancy:
videos:
# 'nobody': Do not accept remote redundancies
# 'anybody': Accept remote redundancies from anybody
# 'followings': Accept redundancies from instance followings
accept_from: 'anybody'
csp:
enabled: false
report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
report_uri:
security:
# Set the X-Frame-Options header to help to mitigate clickjacking attacks
frameguard:
enabled: true
# Set x-powered-by HTTP header to "PeerTube"
# Can help remote software to know this is a PeerTube instance
powered_by_header:
enabled: true
tracker:
# If you disable the tracker, you disable the P2P on your PeerTube instance
enabled: true
# Only handle requests on your videos
# If you set this to false it means you have a public tracker
# Then, it is possible that clients overload your instance with external torrents
private: true
# Reject peers that do a lot of announces (could improve privacy of TCP/UDP peers)
reject_too_many_announces: false
history:
videos:
# If you want to limit users videos history
# -1 means there is no limitations
# Other values could be '6 months' or '30 days' etc (PeerTube will periodically delete old entries from database)
max_age: -1
views:
videos:
# PeerTube creates a database entry every hour for each video to track views over a period of time
# This is used in particular by the Trending page
# PeerTube could remove old remote video views if you want to reduce your database size (video view counter will not be altered)
# -1 means no cleanup
# Other values could be '6 months' or '30 days' etc (PeerTube will periodically delete old entries from database)
remote:
max_age: '30 days'
# PeerTube buffers local video views before updating and federating the video
local_buffer_update_interval: '30 minutes'
ip_view_expiration: '1 hour'
# Used to get country location of views of local videos
geo_ip:
enabled: true
country:
database_url: 'https://dbip.mirror.framasoft.org/files/dbip-country-lite-latest.mmdb'
plugins:
# The website PeerTube will ask for available PeerTube plugins and themes
# This is an unmoderated plugin index, so only install plugins/themes you trust
index:
enabled: true
check_latest_versions_interval: '12 hours' # How often you want to check new plugins/themes versions
url: 'https://packages.joinpeertube.org'
federation:
videos:
federate_unlisted: false
# Add a weekly job that cleans up remote AP interactions on local videos (shares, rates and comments)
# It removes objects that do not exist anymore, and potentially fix their URLs
cleanup_remote_interactions: true
peertube:
check_latest_version:
# Check and notify admins of new PeerTube versions
enabled: true
# You can use a custom URL if your want, that respect the format behind https://joinpeertube.org/api/v1/versions.json
url: 'https://joinpeertube.org/api/v1/versions.json'
webadmin:
configuration:
edition:
# Set this to false if you don't want to allow config edition in the web interface by instance admins
allowed: true
# XML, Atom or JSON feeds
feeds:
videos:
# Default number of videos displayed in feeds
count: 20
comments:
# Default number of comments displayed in feeds
count: 20
###############################################################################
#
# From this point, almost all following keys can be overridden by the web interface
# (local-production.json file). If you need to change some values, prefer to
# use the web interface because the configuration will be automatically
# reloaded without any need to restart PeerTube
#
# /!\ If you already have a local-production.json file, modification of some of
# the following keys will have no effect /!\
#
###############################################################################
cache:
previews:
size: 500 # Max number of previews you want to cache
captions:
size: 500 # Max number of video captions/subtitles you want to cache
torrents:
size: 500 # Max number of video torrents you want to cache
admin:
# Used to generate the root user at first startup
# And to receive emails from the contact form
email: 'admin@example.com'
contact_form:
enabled: true
signup:
enabled: false
limit: 10 # When the limit is reached, registrations are disabled. -1 == unlimited
minimum_age: 16 # Used to configure the signup form
# Users fill a form to register so moderators can accept/reject the registration
requires_approval: true
requires_email_verification: false
filters:
cidr: # You can specify CIDR ranges to whitelist (empty = no filtering) or blacklist
whitelist: []
blacklist: []
user:
# Default value of maximum video bytes the user can upload (does not take into account transcoded files)
# Byte format is supported ("1GB" etc)
# -1 == unlimited
video_quota: -1
video_quota_daily: -1
video_channels:
max_per_user: 20 # Allows each user to create up to 20 video channels.
# If enabled, the video will be transcoded to mp4 (x264) with `faststart` flag
# In addition, if some resolutions are enabled the mp4 video file will be transcoded to these new resolutions
# Please, do not disable transcoding since many uploaded videos will not work
transcoding:
enabled: true
# Allow your users to upload .mkv, .mov, .avi, .wmv, .flv, .f4v, .3g2, .3gp, .mts, m2ts, .mxf, .nut videos
allow_additional_extensions: true
# If a user uploads an audio file, PeerTube will create a video by merging the preview file and the audio file
allow_audio_files: true
# Amount of threads used by ffmpeg for 1 transcoding job
threads: 1
# Amount of transcoding jobs to execute in parallel
concurrency: 1
# Choose the transcoding profile
# New profiles can be added by plugins
# Available in core PeerTube: 'default'
profile: 'default'
resolutions: # Only created if the original video has a higher resolution, uses more storage!
0p: false # audio-only (creates mp4 without video stream, always created when enabled)
144p: false
240p: false
360p: false
480p: false
720p: false
1080p: false
1440p: false
2160p: false
# Transcode and keep original resolution, even if it's above your maximum enabled resolution
always_transcode_original_resolution: true
# Generate videos in a WebTorrent format (what we do since the first PeerTube release)
# If you also enabled the hls format, it will multiply videos storage by 2
# If disabled, breaks federation with PeerTube instances < 2.1
webtorrent:
enabled: false
# /!\ Requires ffmpeg >= 4.1
# Generate HLS playlists and fragmented MP4 files. Better playback than with WebTorrent:
# * Resolution change is smoother
# * Faster playback in particular with long videos
# * More stable playback (less bugs/infinite loading)
# If you also enabled the webtorrent format, it will multiply videos storage by 2
hls:
enabled: true
live:
enabled: false
# Limit lives duration
# -1 == unlimited
max_duration: -1 # For example: '5 hours'
# Limit max number of live videos created on your instance
# -1 == unlimited
max_instance_lives: 20
# Limit max number of live videos created by a user on your instance
# -1 == unlimited
max_user_lives: 3
# Allow your users to save a replay of their live
# PeerTube will transcode segments in a video file
# If the user daily/total quota is reached, PeerTube will stop the live
# /!\ transcoding.enabled (and not live.transcoding.enabled) has to be true to create a replay
allow_replay: true
# Allow your users to change latency settings (small latency/default/high latency)
# Small latency live streams cannot use P2P
# High latency live streams can increase P2P ratio
latency_setting:
enabled: true
# Your firewall should accept traffic from this port in TCP if you enable live
rtmp:
enabled: true
# Listening hostname/port for RTMP server
# '::' to listen on IPv6 and IPv4, '0.0.0.0' to listen on IPv4
# Use null to automatically listen on '::' if IPv6 is available, or '0.0.0.0' otherwise
hostname: null
port: 1935
# Public hostname of your RTMP server
# Use null to use the same value than `webserver.hostname`
public_hostname: null
rtmps:
enabled: false
# Listening hostname/port for RTMPS server
# '::' to listen on IPv6 and IPv4, '0.0.0.0' to listen on IPv4
# Use null to automatically listen on '::' if IPv6 is available, or '0.0.0.0' otherwise
hostname: null
port: 1936
# Absolute paths
key_file: ''
cert_file: ''
# Public hostname of your RTMPS server
# Use null to use the same value than `webserver.hostname`
public_hostname: null
# Allow to transcode the live streaming in multiple live resolutions
transcoding:
enabled: true
threads: 2
# Choose the transcoding profile
# New profiles can be added by plugins
# Available in core PeerTube: 'default'
profile: 'default'
resolutions:
144p: false
240p: false
360p: false
480p: false
720p: false
1080p: false
1440p: false
2160p: false
# Also transcode original resolution, even if it's above your maximum enabled resolution
always_transcode_original_resolution: true
video_studio:
# Enable video edition by users (cut, add intro/outro, add watermark etc)
# If enabled, users can create transcoding tasks as they wish
enabled: false
import:
# Add ability for your users to import remote videos (from YouTube, torrent...)
videos:
# Amount of import jobs to execute in parallel
concurrency: 1
# Set a custom video import timeout to not block import queue
timeout: '2 hours'
# Classic HTTP or all sites supported by youtube-dl https://rg3.github.io/youtube-dl/supportedsites.html
http:
# We recommend to use a HTTP proxy if you enable HTTP import to prevent private URL access from this server
# See https://docs.joinpeertube.org/maintain/configuration#security for more information
enabled: false
youtube_dl_release:
# Direct download URL to youtube-dl binary
# Github releases API is also supported
# Examples:
# * https://api.github.com/repos/ytdl-org/youtube-dl/releases
# * https://api.github.com/repos/yt-dlp/yt-dlp/releases
# * https://yt-dl.org/downloads/latest/youtube-dl
url: 'https://api.github.com/repos/yt-dlp/yt-dlp/releases'
# Release binary name: 'yt-dlp' or 'youtube-dl'
name: 'yt-dlp'
# Path to the python binary to execute for youtube-dl or yt-dlp
python_path: '/usr/bin/python3'
# IPv6 is very strongly rate-limited on most sites supported by youtube-dl
force_ipv4: false
# Magnet URI or torrent file (use classic TCP/UDP/WebSeed to download the file)
torrent:
# We recommend to only enable magnet URI/torrent import if you trust your users
# See https://docs.joinpeertube.org/maintain/configuration#security for more information
enabled: false
# Add ability for your users to synchronize their channels with external channels, playlists, etc.
video_channel_synchronization:
enabled: false
max_per_user: 10
check_interval: 1 hour
# Number of latest published videos to check and to potentially import when syncing a channel
videos_limit_per_synchronization: 10
# Max number of videos to import when the user asks for full sync
full_sync_videos_limit: 1000
auto_blacklist:
# New videos automatically blacklisted so moderators can review before publishing
videos:
of_users:
enabled: false
# Instance settings
instance:
name: 'PeerTube'
short_description: 'PeerTube, an ActivityPub-federated video streaming platform using P2P directly in your web browser.'
description: 'Welcome to this PeerTube instance!' # Support markdown
terms: 'No terms for now.' # Support markdown
code_of_conduct: '' # Supports markdown
# Who moderates the instance? What is the policy regarding NSFW videos? Political videos? etc
moderation_information: '' # Supports markdown
# Why did you create this instance?
creation_reason: '' # Supports Markdown
# Who is behind the instance? A single person? A non profit?
administrator: '' # Supports Markdown
# How long do you plan to maintain this instance?
maintenance_lifetime: '' # Supports Markdown
# How will you pay the PeerTube instance server? With your own funds? With users donations? Advertising?
business_model: '' # Supports Markdown
# If you want to explain on what type of hardware your PeerTube instance runs
# Example: '2 vCore, 2GB RAM...'
hardware_information: '' # Supports Markdown
# What are the main languages of your instance? To interact with your users for example
# Uncomment or add the languages you want
# List of supported languages: https://peertube.cpy.re/api/v1/videos/languages
languages:
# - en
# - es
# - fr
# You can specify the main categories of your instance (dedicated to music, gaming or politics etc)
# Uncomment or add the category ids you want
# List of supported categories: https://peertube.cpy.re/api/v1/videos/categories
categories:
# - 1 # Music
# - 2 # Films
# - 3 # Vehicles
# - 4 # Art
# - 5 # Sports
# - 6 # Travels
# - 7 # Gaming
# - 8 # People
# - 9 # Comedy
# - 10 # Entertainment
# - 11 # News & Politics
# - 12 # How To
# - 13 # Education
# - 14 # Activism
# - 15 # Science & Technology
# - 16 # Animals
# - 17 # Kids
# - 18 # Food
default_client_route: '/videos/trending'
# Whether or not the instance is dedicated to NSFW content
# Enabling it will allow other administrators to know that you are mainly federating sensitive content
# Moreover, the NSFW checkbox on video upload will be automatically checked by default
is_nsfw: false
# By default, `do_not_list` or `blur` or `display` NSFW videos
# Could be overridden per user with a setting
default_nsfw_policy: 'do_not_list'
customizations:
javascript: '' # Directly your JavaScript code (without <script> tags). Will be eval at runtime
css: '' # Directly your CSS code (without <style> tags). Will be injected at runtime
# Robot.txt rules. To disallow robots to crawl your instance and disallow indexation of your site, add `/` to `Disallow:`
robots: |
User-agent: *
Disallow:
# /.well-known/security.txt rules. This endpoint is cached, so you may have to wait a few hours before viewing your changes
# To discourage researchers from testing your instance and disable security.txt integration, set this to an empty string
securitytxt:
'# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:'
services:
# Cards configuration to format video in Twitter
twitter:
username: '@Chocobozzz' # Indicates the Twitter account for the website or platform on which the content was published
# If true, a video player will be embedded in the Twitter feed on PeerTube video share
# If false, we use an image link card that will redirect on your PeerTube instance
# Change it to `true`, and then test on https://cards-dev.twitter.com/validator to see if you are whitelisted
whitelisted: false
followers:
instance:
# Allow or not other instances to follow yours
enabled: true
# Whether or not an administrator must manually validate a new follower
manual_approval: false
followings:
instance:
# If you want to automatically follow back new instance followers
# If this option is enabled, use the mute feature instead of deleting followings
# /!\ Don't enable this if you don't have a reactive moderation team /!\
auto_follow_back:
enabled: false
# If you want to automatically follow instances of the public index
# If this option is enabled, use the mute feature instead of deleting followings
# /!\ Don't enable this if you don't have a reactive moderation team /!\
auto_follow_index:
enabled: false
# Host your own using https://framagit.org/framasoft/peertube/instances-peertube#peertube-auto-follow
index_url: ''
theme:
default: 'default'
broadcast_message:
enabled: false
message: '' # Support markdown
level: 'info' # 'info' | 'warning' | 'error'
dismissable: false
search:
# Add ability to fetch remote videos/actors by their URI, that may not be federated with your instance
# If enabled, the associated group will be able to "escape" from the instance follows
# That means they will be able to follow channels, watch videos, list videos of non followed instances
remote_uri:
users: true
anonymous: false
# Use a third party index instead of your local index, only for search results
# Useful to discover content outside of your instance
# If you enable search_index, you must enable remote_uri search for users
# If you do not enable remote_uri search for anonymous user, your instance will redirect the user on the origin instance
# instead of loading the video locally
search_index:
enabled: false
# URL of the search index, that should use the same search API and routes
# than PeerTube: https://docs.joinpeertube.org/api/rest-reference.html
# You should deploy your own with https://framagit.org/framasoft/peertube/search-index,
# and can use https://search.joinpeertube.org/ for tests, but keep in mind the latter is an unmoderated search index
url: ''
# You can disable local search, so users only use the search index
disable_local_search: false
# If you did not disable local search, you can decide to use the search index by default
is_default_search: false
# PeerTube client/interface configuration
client:
videos:
miniature:
# By default PeerTube client displays author username
prefer_author_display_name: false
display_author_avatar: false
resumable_upload:
# Max size of upload chunks, e.g. '90MB'
# If null, it will be calculated based on network speed
max_chunk_size: null
menu:
login:
# If you enable only one external auth plugin
# You can automatically redirect your users on this external platform when they click on the login button
redirect_on_single_external_auth: false


@ -0,0 +1,278 @@
# Minimum Nginx version required: 1.13.0 (released Apr 25, 2017)
# Please check your Nginx installation features the following modules via 'nginx -V':
# STANDARD HTTP MODULES: Core, Proxy, Rewrite, Access, Gzip, Headers, HTTP/2, Log, Real IP, SSL, Thread Pool, Upstream, AIO Multithreading.
# THIRD PARTY MODULES: None.
#server {
# listen 80;
# listen [::]:80;
# server_name {{ domains | first }};
# location /.well-known/acme-challenge/ {
# default_type "text/plain";
# root /var/www/certbot;
# }
# location / { return 301 https://$host$request_uri; }
#}
upstream backend {
server {{ pt_host }};
}
server {
#listen 443 ssl http2;
#listen [::]:443 ssl http2;
listen 80;
listen [::]:80;
server_name {{ domains | first }};
access_log /var/log/nginx/{{ service }}.access.log; # reduce I/0 with buffer=10m flush=5m
error_log /var/log/nginx/{{ service }}.error.log;
##
# Certificates
# you need a certificate to run in production. see https://letsencrypt.org/
##
#ssl_certificate /etc/letsencrypt/live/{{ domains | first }}/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/{{ domains | first }}/privkey.pem;
location ^~ '/.well-known/acme-challenge' {
default_type "text/plain";
root /var/www/certbot;
}
##
# Security hardening (as of Nov 15, 2020)
# based on Mozilla Guideline v5.6
##
#ssl_protocols TLSv1.2 TLSv1.3;
#ssl_prefer_server_ciphers on;
#ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
#ssl_session_timeout 1d; # defaults to 5m
#ssl_session_cache shared:SSL:10m; # estimated to 40k sessions
#ssl_session_tickets off;
#ssl_stapling on;
#ssl_stapling_verify on;
# HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
##
# Application
##
location @api {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
client_max_body_size 100k; # default is 1M
proxy_connect_timeout 10m;
proxy_send_timeout 10m;
proxy_read_timeout 10m;
send_timeout 10m;
proxy_pass http://backend;
}
location / {
try_files /dev/null @api;
}
location = /api/v1/videos/upload-resumable {
client_max_body_size 0;
proxy_request_buffering off;
try_files /dev/null @api;
}
location ~ ^/api/v1/videos/(upload|([^/]+/studio/edit))$ {
limit_except POST HEAD { deny all; }
# This is the maximum upload size, which roughly matches the maximum size of a video file.
# Note that temporary space is needed equal to the total size of all concurrent uploads.
# This data gets stored in /var/lib/nginx by default, so you may want to put this directory
# on a dedicated filesystem.
client_max_body_size 12G; # default is 1M
add_header X-File-Maximum-Size 8G always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size)
try_files /dev/null @api;
}
location ~ ^/api/v1/(videos|video-playlists|video-channels|users/me) {
client_max_body_size 6M; # default is 1M
add_header X-File-Maximum-Size 4M always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size)
try_files /dev/null @api;
}
##
# Websocket
##
location @api_websocket {
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://backend;
}
location /socket.io {
try_files /dev/null @api_websocket;
}
location /tracker/socket {
# Peers send a message to the tracker every 15 minutes
# Don't close the websocket before then
proxy_read_timeout 15m; # default is 60s
try_files /dev/null @api_websocket;
}
# Plugin websocket routes
location ~ ^/plugins/[^/]+(/[^/]+)?/ws/ {
try_files /dev/null @api_websocket;
}
##
# Performance optimizations
# For extra performance please refer to https://github.com/denji/nginx-tuning
##
root {{ service_home }}/storage;
# Enable compression for JS/CSS/HTML, for improved client load times.
# It might be nice to compress JSON/XML as returned by the API, but
# leaving that out to protect against potential BREACH attack.
gzip on;
gzip_vary on;
gzip_types # text/html is always compressed by HttpGzipModule
text/css
application/javascript
font/truetype
font/opentype
application/vnd.ms-fontobject
image/svg+xml;
gzip_min_length 1000; # default is 20 bytes
gzip_buffers 16 8k;
gzip_comp_level 2; # default is 1
client_body_timeout 30s; # default is 60
client_header_timeout 10s; # default is 60
send_timeout 10s; # default is 60
keepalive_timeout 10s; # default is 75
resolver_timeout 10s; # default is 30
reset_timedout_connection on;
proxy_ignore_client_abort on;
tcp_nopush on; # send headers in one piece
tcp_nodelay on; # don't buffer data sent, good for small data bursts in real time
# If you have a small /var/lib partition, it could be interesting to store temp nginx uploads in a different place
# See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
#client_body_temp_path /var/www/peertube/storage/nginx/;
# Bypass PeerTube for performance reasons. Optional.
# Should be consistent with client-overrides assets list in /server/controllers/client.ts
location ~ ^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png|default-playlist\.jpg|default-avatar-account\.png|default-avatar-account-48x48\.png|default-avatar-video-channel\.png|default-avatar-video-channel-48x48\.png))$ {
add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
root {{ service_home }};
try_files /storage/client-overrides/$1 /peertube-latest/client/dist/$1 @api;
}
# Bypass PeerTube for performance reasons. Optional.
location ~ ^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$ {
add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
alias {{ service_home }}/peertube-latest/client/dist/$1;
}
# Bypass PeerTube for performance reasons. Optional.
location ~ ^/static/(thumbnails|avatars)/ {
if ($request_method = 'OPTIONS') {
add_header Access-Control-Allow-Origin '*';
add_header Access-Control-Allow-Methods 'GET, OPTIONS';
add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
add_header Access-Control-Max-Age 1728000; # Preflight request can be cached 20 days
add_header Content-Type 'text/plain charset=UTF-8';
add_header Content-Length 0;
return 204;
}
add_header Access-Control-Allow-Origin '*';
add_header Access-Control-Allow-Methods 'GET, OPTIONS';
add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
add_header Cache-Control "public, max-age=7200"; # Cache response 2 hours
rewrite ^/static/(.*)$ /$1 break;
try_files $uri @api;
}
location ~ ^(/static/(webseed|streaming-playlists)/private/)|^/download {
# We can't rate limit a try_files directive, so we need to duplicate @api
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_limit_rate 5M;
proxy_pass http://backend;
}
# Bypass PeerTube for performance reasons. Optional.
location ~ ^/static/(webseed|redundancy|streaming-playlists)/ {
limit_rate_after 5M;
# Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
set $peertube_limit_rate 800k;
# Increase rate limit in HLS mode, because we don't have multiple simultaneous connections
if ($request_uri ~ -fragmented.mp4$) {
set $peertube_limit_rate 5M;
}
# Use this line with nginx >= 1.17.0
limit_rate $peertube_limit_rate;
# Or this line with nginx < 1.17.0
# set $limit_rate $peertube_limit_rate;
if ($request_method = 'OPTIONS') {
add_header Access-Control-Allow-Origin '*';
add_header Access-Control-Allow-Methods 'GET, OPTIONS';
add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
add_header Access-Control-Max-Age 1728000; # Preflight request can be cached 20 days
add_header Content-Type 'text/plain charset=UTF-8';
add_header Content-Length 0;
return 204;
}
if ($request_method = 'GET') {
add_header Access-Control-Allow-Origin '*';
add_header Access-Control-Allow-Methods 'GET, OPTIONS';
add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
# Don't spam access log file with byte range requests
access_log off;
}
# Enabling the sendfile directive eliminates the step of copying the data into the buffer
# and enables direct copying data from one file descriptor to another.
sendfile on;
sendfile_max_chunk 1M; # prevent one fast connection from entirely occupying the worker process. should be > 800k.
aio threads;
rewrite ^/static/webseed/(.*)$ /videos/$1 break;
rewrite ^/static/(.*)$ /$1 break;
try_files $uri @api;
}
}
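Review bot: As committed, this vhost serves PeerTube over plain HTTP only — `listen 80;` / `listen [::]:80;` are live while the `listen 443 ssl http2` lines, the `ssl_certificate*`, `ssl_protocols` and `ssl_ciphers` directives, the HSTS `add_header` and the whole HTTP→HTTPS redirect `server` block at the top are commented out, so logins, API tokens and uploads travel in cleartext unless TLS is terminated in front of this nginx. If that is deliberate (for example a bootstrap vhost used before certbot has issued a certificate for `{{ domains | first }}`), say so at the top of the template and state when the commented lines are meant to be re-enabled, e.g. `# HTTP-only bootstrap vhost: re-enable the 443/ssl_*/HSTS lines once a certificate exists for {{ domains | first }}`. When HSTS is turned on, remember that nginx does not inherit `add_header` into a `location` that sets its own headers, so it must be repeated in the upload, `/client` and `/static` locations that already call `add_header`, as the existing comment on that line warns. The template variables it reads (`pt_host`, `service`, `service_home`, `domains`) are presumably defined in the role defaults outside this section.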


@ -0,0 +1,2 @@
localhost


@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- peertube


@ -0,0 +1,2 @@
---
# vars file