adding minimum config eventually

ab65f01d · popi · 49c5be93 · ab65f01d · ab65f01d · ab65f01d
Commit ab65f01d authored Jul 23, 2018 by popi
9 changed files
--- a/README.md
+++ b/README.md
@@ -8,19 +8,26 @@ If you do not kwow what is peertube, see https://purr.rigelk.eu/lang/en/docs/get
 Playbook
 --------
 The `peertube` role installs all required packages and further downloads and install Peertube on a Debian server (>= Stretch).
-This is just an automation of the official documentation to install Peertube on Debian. https://github.com/Chocobozzz/PeerTube/blob/develop/support/doc/production.md (up to [here](https://github.com/Chocobozzz/PeerTube/blob/develop/support/doc/production.md#peertube-configuration) )
+This is just an automation of the official documentation to install Peertube on Debian that you can found at: https://github.com/Chocobozzz/PeerTube/blob/develop/support/doc/production.md
+
+The playbook will set up a minimal configuration for Peertube and Nginx in the scenario of being behind a reverse proxy (=> **no HTTPS** is done on the host).
+
+Whenever needed, passwords are generated dynamically and stored in ~/%s.credentials.txt so that Ansible reuse them on next run (idempotent).

 Requirements
 ------------

 OS: Debian Stretch (tested successfully in LXC container)

-Read **carefully** the output of the play as well as the official documentation to finish configuring your instance once Peertube is installed.
+Read **carefully** the output of the play as well as the official documentation. Review the resulting configuration files in `/var/www/peertube/config/production.yaml`. 
+
+PeerTube **does not support webserver host change**. Keep in mind your domain name is definitive after your first PeerTube start.

 Role Variables
 --------------

 - **app_user**: user for running the peertube instance. Set to `peertube` as per documentation.
+- **app_domain**: the FQDN for your resulting Peertube instance.

 Dependencies
 ------------

--- a/hosts
+++ b/hosts
 [peertube]
-your-server
+anthurium
--- a/peertube.yml
+++ b/peertube.yml
 ---

-## playbook to install peertube latest beta on Debian
+## playbook to install and configure peertube latest beta on Debian
+
+## passwords for app_user and postgresql are generated dynamically and 
+## written in ~/<username>.credentials.txt
+
 - hosts: peertube
  become: yes
  tags: peertube

+  vars_prompt:
+    name: app_domain
+    prompt: Full qualified domain name for you Peertube instance? (cannot be changed once Peertube is started, so choose carefully).
+    private: no
+
  vars:
    app_user: peertube

-  vars_prompt:
-    name: peertube_password
-    prompt: "Enter the password you wish to set for peertube PostGreSQL user"
-    private: yes
-
  roles:
    - peertube


--- a/roles/peertube/handlers/main.yml
+++ b/roles/peertube/handlers/main.yml
 ---
-# handlers file for peertube
\ No newline at end of file
+# handlers file for peertube
+
+- name: reload systemd
+  become: yes
+  systemd: daemon_reload=yes
+  changed_when: True
+
+- name: reload nginx
+  become: yes
+  service: name=nginx state=reloaded
+  changed_when: True
+
+...
--- a/roles/peertube/tasks/config.yml
+++ b/roles/peertube/tasks/config.yml
+---
+
+- name: set up main config file
+  tags: config
+  template:
+    src: production.yaml.tpl
+    dest: /var/www/peertube/config/production.yaml
+    owner: "{{ app_user }}"
+    group: "{{ app_user }}"
+    mode: 0600
+
+- name: set up nginx config file (behind reverse proxy)
+  tags: config
+  template:
+    src: nginx-behind-reverse.conf
+    dest:  /etc/nginx/sites-available/peertube
+    owner: root
+    group: root
+    mode: 0644
+
+- name: create symbolic link to sites-enable for nginx config file
+  tags: config
+  file:
+    state: link
+    src: /etc/nginx/sites-available/peertube
+    path: /etc/nginx/sites-enabled/peertube
+  notify: reload nginx
+    
+- name: set up systemd service unit for peertube
+  tags: config
+  copy:
+    remote_src: yes
+    src: /var/www/peertube/peertube-latest/support/systemd/peertube.service
+    dest: /etc/systemd/system/
+    owner: root
+    group: root
+    mode: 0644
+  notify: reload systemd
+
+- name: set up service unit peertube on startup
+  tags: config
+  systemd:
+    enabled: yes
+    name: peertube
+
+- debug:
+  tags: config
+  msg: "Peertube is almost ready to run!\nPlease REVIEW the main config file and complete it accordingly.\n\nWhen ready, use the following command to start it and control journalctl output:\n$ sudo systemctl start peertube\n$ sudo journalctl -feu peertube\n\nOnce the testing period is over and all is well, consider lowering log level to warning." 
+  
+...
--- a/roles/peertube/tasks/install.yml
+++ b/roles/peertube/tasks/install.yml
@@ -86,7 +86,7 @@
  become_user: postgres
  postgresql_user:
    name: peertube
-    password: "{{ peertube_password }}"
+    password: "{{ lookup('password', '~/%s.credentials.txt chars=ascii_letters,digits' % 'pgsql_user' )}}"
    db: peertube_prod
    login_user: postgres

@@ -159,7 +159,7 @@
  shell: cd /var/www/peertube/peertube-latest && yarn install --production --pure-lockfile

 - name: Installation is finished, configuration is left to the user
-  tags: config
+  tags: install
  debug:
-    msg: "Installation complete!\n\nPlease not that 'certbot' was NOT installed (not required if you are using a reverse proxy for your web apps).\n\nFollow the end of the install documenation to configure and start your peertube instance:\nhttps://github.com/Chocobozzz/PeerTube/blob/develop/support/doc/production.md#peertube-configuration"
+    msg: "Installation complete!\n\nPlease not that 'certbot' was NOT installed (not required if you are using a reverse proxy for your web apps).\n\nNext is to set up a minimum working configuration..."
 ...
--- a/roles/peertube/tasks/main.yml
+++ b/roles/peertube/tasks/main.yml
 ---

 - import_tasks: install.yml
+- import_tasks: config.yml

 ...
--- a/roles/peertube/templates/nginx-behind-reverse.conf
+++ b/roles/peertube/templates/nginx-behind-reverse.conf
+server {
+  listen 80;
+  listen [::]:80;
+  server_name {{ app_domain }};
+
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+  add_header X-Content-Type-Options nosniff;
+  add_header X-XSS-Protection "1; mode=block";
+  add_header X-Robots-Tag none;
+  
+  access_log /var/log/nginx/{{ app_domain }}.access.log;
+  error_log /var/log/nginx/{{ app_domain }}.error.log;
+
+  #location ^~ '/.well-known/acme-challenge' {
+  #  default_type "text/plain";
+  #  root /var/www/certbot;
+  #}
+
+  location ~ ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ {
+    add_header Cache-Control "public, max-age=31536000, immutable";
+
+    alias /var/www/peertube/peertube-latest/client/dist/$1;
+  }
+
+  location ~ ^/static/(thumbnails|avatars)/(.*)$ {
+    add_header Cache-Control "public, max-age=31536000, immutable";
+
+    alias /var/www/peertube/storage/$1/$2;
+  }
+
+  location / {
+    proxy_pass http://localhost:9000;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+    # Hard limit, PeerTube does not support videos > 4GB
+    client_max_body_size 4G;
+    proxy_connect_timeout       600;
+    proxy_send_timeout          600;
+    proxy_read_timeout          600;
+    send_timeout                600;
+  }
+
+  # Bypass PeerTube webseed route for better performances
+  location /static/webseed {
+    # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
+    limit_rate 800k;
+
+    if ($request_method = 'OPTIONS') {
+      add_header 'Access-Control-Allow-Origin' '*';
+      add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
+      add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+      add_header 'Access-Control-Max-Age' 1728000;
+      add_header 'Content-Type' 'text/plain charset=UTF-8';
+      add_header 'Content-Length' 0;
+      return 204;
+    }
+
+    if ($request_method = 'GET') {
+      add_header 'Access-Control-Allow-Origin' '*';
+      add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
+      add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+
+      # Don't spam access log file with byte range requests
+      access_log off;
+    }
+
+    alias /var/www/peertube/storage/videos;
+  }
+
+  # Websocket tracker
+  location /tracker/socket {
+    # Peers send a message to the tracker every 15 minutes
+    # Don't close the websocket before this time
+    proxy_read_timeout 1200s;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_http_version 1.1;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $host;
+    proxy_pass http://localhost:9000;
+  }
+}
+
--- a/roles/peertube/templates/production.yaml.tpl
+++ b/roles/peertube/templates/production.yaml.tpl
+listen:
+  hostname: 'localhost'
+  port: 9000
+
+# Correspond to your reverse proxy "listen" configuration
+webserver:
+  https: true
+  hostname: '{{ app_domain }}'
+  port: 443
+
+# Proxies to trust to get real client IP
+# If you run PeerTube just behind a local proxy (nginx), keep 'loopback'
+# If you run PeerTube behind a remote proxy, add the proxy IP address (or subnet)
+trust_proxy:
+  - 'loopback'
+
+# Your database name will be "peertube"+database.suffix
+database:
+  hostname: 'localhost'
+  port: 5432
+  suffix: '_prod'
+  username: 'peertube'
+  password: "{{ lookup('password', '~/%s.credentials.txt chars=ascii_letters,digits' % 'pgsql_user' )}}"
+
+
+# Redis server for short time storage
+redis:
+  hostname: 'localhost'
+  port: 6379
+  auth: null
+  db: 0
+
+# SMTP server to send emails
+smtp:
+  hostname: null
+  port: 465 # If you use StartTLS: 587
+  username: null
+  password: null
+  tls: true # If you use StartTLS: false
+  disable_starttls: false
+  ca_file: null # Used for self signed certificates
+  from_address: 'admin@example.com'
+
+# From the project root directory
+storage:
+  avatars: '/var/www/peertube/storage/avatars/'
+  videos: '/var/www/peertube/storage/videos/'
+  logs: '/var/www/peertube/storage/logs/'
+  previews: '/var/www/peertube/storage/previews/'
+  thumbnails: '/var/www/peertube/storage/thumbnails/'
+  torrents: '/var/www/peertube/storage/torrents/'
+  cache: '/var/www/peertube/storage/cache/'
+
+log:
+  level: 'info' # debug/info/warning/error
+
+
+###############################################################################
+#
+# From this point, all the following keys can be overridden by the web interface
+# (local-production.json file). If you need to change some values, prefer to
+# use the web interface because the configuration will be automatically
+# reloaded without any need to restart PeerTube.
+#
+# /!\ If you already have a local-production.json file, the modification of the
+# following keys will have no effect /!\.
+#
+###############################################################################
+
+cache:
+  previews:
+    size: 100 # Max number of previews you want to cache
+
+admin:
+  email: 'admin@example.com'
+
+signup:
+  enabled: false
+  limit: 10 # When the limit is reached, registrations are disabled. -1 == unlimited
+  filters:
+    cidr: # You can specify CIDR ranges to whitelist (empty = no filtering) or blacklist
+      whitelist: []
+      blacklist: []
+
+user:
+  # Default value of maximum video BYTES the user can upload (does not take into account transcoded files).
+  # -1 == unlimited
+  video_quota: -1
+
+# If enabled, the video will be transcoded to mp4 (x264) with "faststart" flag
+# In addition, if some resolutions are enabled the mp4 video file will be transcoded to these new resolutions.
+# Please, do not disable transcoding since many uploaded videos will not work
+transcoding:
+  enabled: true
+  threads: 1
+  resolutions: # Only created if the original video has a higher resolution, uses more storage!
+    240p: false
+    360p: false
+    480p: false
+    720p: false
+    1080p: false
+
+# Instance settings
+instance:
+  name: 'PeerTube'
+  short_description: 'PeerTube, a federated (ActivityPub) video streaming platform using P2P (BitTorrent) directly in the web browser with WebTorrent and Angular.'
+  description: '' # Support markdown
+  terms: '' # Support markdown
+  default_client_route: '/videos/trending'
+  # By default, "do_not_list" or "blur" or "display" NSFW videos
+  # Could be overridden per user with a setting
+  default_nsfw_policy: 'do_not_list'
+  customizations:
+    javascript: '' # Directly your JavaScript code (without <script> tags). Will be eval at runtime
+    css: '' # Directly your CSS code (without <style> tags). Will be injected at runtime
+  # Robot.txt rules. To disallow robots to crawl your instance and disallow indexation of your site, add '/' to "Disallow:'
+  robots: |
+    User-agent: *
+    Disallow: ''
+
+services:
+  # Cards configuration to format video in Twitter
+  twitter:
+    username: '@Chocobozzz' # Indicates the Twitter account for the website or platform on which the content was published
+    # If true, a video player will be embedded in the Twitter feed on PeerTube video share
+    # If false, we use an image link card that will redirect on your PeerTube instance
+    # Test on https://cards-dev.twitter.com/validator to see if you are whitelisted
+    whitelisted: false
+