diff --git a/defaults/main.yml b/defaults/main.yml index 59fb729..39caba8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,11 +1,137 @@ --- # defaults file for peertube -peertube_tld: localhost +peertube_tld: '{{ inventory_hostname }}' +#peertube_alias: [] +peertube_user: peertube +peertube_group: peertube peertube_version: v1.0.0-beta.3 peertube_user_path: /var/www/peertube -peertube_proxy_handle_https: no -peertube_proxy_ips: [] - +peertube_proxy_handle_https: yes +peertube_trust_proxy: + - loopback peertube_dbuser_password: "{{ lookup('password', 'credentials/peertube/db-' + inventory_hostname) }}" peertube_user_password_hashed: "{{ lookup('password', 'credentials/peertube/user-' + inventory_hostname) |password_hash('sha512') }}" peertube_web_admin_password: "{{ lookup('password', 'credentials/peertube/web-admin-' + inventory_hostname) }}" +peertube_admin_email: 'admin@example.com' +peertube_postgres_user: postgres +peertube_db: peertube +peertube_dbuser: peertube +peertube_theme: default +#Version 9 from Stretch and 12 from Buster +peertube_nodejs_version: 12 +peertube_listen: + hostname: localhost + port: 9000 + +peertube_webserver: + https: true + hostname: '{{ peertube_tld }}' + port: 443 + +peertube_database: + hostname: 'localhost' + port: 5432 + ssl: false + suffix: '_prod' + username: '{{ peertube_dbuser }}' + password: '{{ peertube_dbuser_password }}' + pool: + max: 5 + +peertube_storage: + tmp: '/tmp/' + avatars: '/avatars/' + videos: '/videos/' + streaming_playlists: '/streaming_playlists/' + redundancy: '/redundancy/' + logs: '/logs/' + previews: '/previews/' + thumbnails: '/thumbnails/' + torrents: '/torrents/' + captions: '/captions/' + cache: '/cache/' + plugins: '/plugin/' + client_overrides: '/client_overrides/' + +peertube_smtp: + transport: smtp + sendmail: null + hostname: correo.com + port: 465 + username: no-response@correo.com + password: + tls: true + disable_starttls: false + ca_file: null + from_address: + +peertube_ldap: [] +# url: "ldaps://ldap.com.yy:636" +# weight: "100" +# bind_dn: "cn=admin,ou=group,dc=ldap,dc=com,dc=yy" +# custom_ca: "" +# search_base: "ou=group,dc=ldap,dc=com,dc=yy" +# group_filter: !unsafe "(member={{dn}})" +# insecure_tls: false +# mail_property: "mail" +# search_filter: !unsafe "(cn={{username}})" +# bind_credentials: "xxxxx" +# username_property: "cn" + +#If insecure_tls: true +#peertube_ldap_url: ldap.com.yy +#peertube_tls_cert_src: /home/cert/fullchain.pem +#peertube_tls_cert_dest: /var/www/peertube/config/fullchain.pem + +peertube_instance: + name: 'Peertube' + short_description: 'PeerTube, a federated (ActivityPub) video streaming platform using P2P (BitTorrent) directly in the web browser with WebTorrent and Angular.' + description: 'Welcome to this PeerTube instance!' + terms: 'No terms for now.' + code_of_conduct: + creation_reason: '' + administrator: '' + maintenance_lifetime: '' + moderation_information: '' + business_model: '' + hardware_information: '' + +peertube_live: + enabled: true + max_duration: -1 + max_instance_lives: 20 + max_user_lives: 3 + allow_replay: true + rtmp: + port: 1935 + transcoding: + enabled: true + threads: 2 + resolutions: + very_small: false #240p + small: false #360p + normal: false #480p + standard: false #720p + hd: false #1080p + hhd: false #1440p + full_hd: false #2160p + +peertube_plugins: [] +# - peertube-plugin-auth-ldap +# - peertube-plugin-bittube-logo-favicon +# - peertube-theme-noussommes + +peertube_sql_extras: + - sentences.sql + +peertube_video_quota: -1 +peertube_video_quota_daily: -1 + +peertube_import: + videos: + http: false + force_ipv4: false + proxy: + enable: false + url: "" + torrent: false diff --git a/meta/.galaxy_install_info b/meta/.galaxy_install_info new file mode 100644 index 0000000..61519bb --- /dev/null +++ b/meta/.galaxy_install_info @@ -0,0 +1 @@ +{install_date: 'Mon May 3 18:36:23 2021', version: install_buster} diff --git a/meta/main.yml b/meta/main.yml index ed55560..bbd9e0e 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -18,5 +18,4 @@ galaxy_info: - web - peertube -dependencies: - - kwoodson.yedit +dependencies: [] diff --git a/tasks/certbot.yml b/tasks/certbot.yml new file mode 100644 index 0000000..e015351 --- /dev/null +++ b/tasks/certbot.yml @@ -0,0 +1,22 @@ + +- name: Install certbot + apt: + pkg: python-certbot-nginx + state: latest + register: certbot_installed + when: peertube_proxy_handle_https != 'yes' + +- name: Install Letsencrypt certificate + shell: | + certbot certonly -n \ + --authenticator standalone \ + --installer nginx \ + -d {{ peertube_tld }} \ + {% if peertube_alias is defined %}{% for item in peertube_alias %} -d {{ item }}{% endfor %}{% endif %} \ + -m {{ peertube_admin_email }} \ + --agree-tos \ + --pre-hook "systemctl stop nginx" \ + --post-hook "systemctl start nginx" + when: + - certbot_installed is changed + - peertube_proxy_handle_https != 'yes' diff --git a/tasks/copy_ldap_key_tls.yml b/tasks/copy_ldap_key_tls.yml new file mode 100644 index 0000000..a886816 --- /dev/null +++ b/tasks/copy_ldap_key_tls.yml @@ -0,0 +1,42 @@ + + +- name: USER | Create SSH key on ldap server + user: + name: root + generate_ssh_key: yes + ssh_key_bits: "{{ peertube_ssh_key_bits | default (omit) }}" + ssh_key_comment: "root@{{ inventory_hostname }}" + delegate_to: '{{ peertube_ldap_url }}' + +- name: COMMAND | Extract SSH ldap server pub key + command: "cat /root/.ssh/id_rsa.pub" + register: cat + changed_when: false + delegate_to: "{{ peertube_ldap_url }}" + +- name: Add SSH server pub key to peertube + authorized_key: + user: root + state: present + key: "{{ cat.stdout }}" + +- name: SHELL | ssh public key of peertube + shell: "ssh-keyscan {{ inventory_hostname }}" + register: ssh_known_host_results + ignore_errors: yes + delegate_to: "{{ peertube_ldap_url }}" + become_user: root + +- name: KNOWN_HOSTS | add or update client key to known_hosts in server + known_hosts: + path: '/root/.ssh/known_hosts' + name: "{{ inventory_hostname }}" + key: "{{ ssh_known_host_results.stdout }}" + state: present + delegate_to: "{{ peertube_ldap_url }}" + become_user: root + +- name: Copy the file certtificate + become: True + shell: "rsync -arvz {{ peertube_tls_cert_src }} root@{{ inventory_hostname }}:{{ peertube_tls_cert_dest }}" + delegate_to: '{{ peertube_ldap_url }}' diff --git a/tasks/install_configure_peertube.yml b/tasks/install_configure_peertube.yml new file mode 100644 index 0000000..89be8b9 --- /dev/null +++ b/tasks/install_configure_peertube.yml @@ -0,0 +1,121 @@ + +- name: Add peertube user + user: + name: '{{ peertube_user }}' + home: "{{ peertube_user_path }}" + shell: /bin/bash + password: "{{ peertube_user_password_hashed }}" + +- name: Create required directories + file: + path: "{{ peertube_user_path }}/{{ item }}" + state: directory + owner: '{{ peertube_user }}' + group: '{{ peertube_group }}' + mode: 0755 + loop: + - config + - storage + - versions + +- stat: path={{ peertube_user_path }}/versions/peertube-{{ peertube_version }} + register: peertube_version_dir + +- name: Download and extract Peertube + unarchive: + src: "https://github.com/Chocobozzz/PeerTube/releases/download/{{ peertube_version }}/peertube-{{ peertube_version }}.zip" + dest: "{{ peertube_user_path }}/versions" + remote_src: yes + owner: '{{ peertube_user }}' + group: '{{ peertube_group }}' + when: peertube_version_dir.stat.exists == False + register: fresh_install + +- stat: path={{ peertube_user_path }}/peertube-latest + register: peertube_latest_dir + +- name: Create symlink peertube-latest + file: + src: "{{ peertube_user_path }}/versions/peertube-{{ peertube_version }}" + dest: "{{ peertube_user_path }}/peertube-latest" + state: link + owner: '{{ peertube_user }}' + group: '{{ peertube_group }}' + when: peertube_latest_dir.stat.exists == False + +- name: Change owner of all peertube directories # seems setting owner on unarchive is not enough… + file: + path: "{{ peertube_user_path }}" + owner: '{{ peertube_user }}' + group: '{{ peertube_group }}' + recurse: yes + +- name: Copy configuration peertube + template: + src: "production.yaml.j2" + dest: '{{ peertube_user_path }}/config/production.yaml' + owner: '{{ peertube_user }}' + group: '{{ peertube_group }}' + mode: 0644 + notify: + - restart peertube daemon + +- name: Install Stretch backports repo + apt_repository: + repo: deb http://ftp.debian.org/debian stretch-backports main + state: present + when: + - (ansible_distribution_major_version == "9") + register: backports_installed + +- name: Change apt_preference + copy: + content: 'APT::Default-Release "stable";' + dest: /etc/apt/apt.conf.d/99apt_default + mode: 644 + when: backports_installed is changed + +- name: Install Peertube daemon + template: + src: peertube.service + dest: /etc/systemd/system/ + notify: + - install peertube daemon + +- name: Enabled service Peertube + service: + name: peertube + enabled: yes + notify: install peertube daemon + +- name: Update dependencies + become: true + become_user: '{{ peertube_user }}' + shell: '{{ item }}' + loop: + - cd "{{ peertube_user_path }}/peertube-latest" && npm install + - cd "{{ peertube_user_path }}/peertube-latest/client" && npm install + - cd "{{ peertube_user_path }}/peertube-latest" && yarn install --production --pure-lockfile + - cd "{{ peertube_user_path }}/peertube-latest/client" && yarn install --pure-lockfile + when: + - fresh_install + +- name: Install plugins npm package + shell: cd {{ peertube_user_path }}/peertube-latest && sudo -u peertube NODE_CONFIG_DIR={{ peertube_user_path }}/config NODE_ENV=production npm run plugin:install -- --npm-name {{ item }} + loop: "{{ peertube_plugins }}" + +- name: Copy additional SQL queries + template: + src: sql/{{ item }} + dest: /tmp/{{ item }} + owner: '{{ peertube_user }}' + group: '{{ peertube_group }}' + mode: 0755 + loop: "{{ peertube_sql_extras }}" + +- name: Run additional SQL queries + become: yes + become_user: '{{ peertube_postgres_user }}' + command: psql -d peertube_prod -U postgres -f '/tmp/{{ item }}' + loop: "{{ peertube_sql_extras }}" + notify: restart peertube daemon diff --git a/tasks/install_dependencies.yml b/tasks/install_dependencies.yml new file mode 100644 index 0000000..0945eff --- /dev/null +++ b/tasks/install_dependencies.yml @@ -0,0 +1,48 @@ +--- + +# Configure nodejs +- name: Install apt key + apt_key: + url: '{{ item }}' + state: present + loop: + - https://deb.nodesource.com/gpgkey/nodesource.gpg.key + - https://dl.yarnpkg.com/debian/pubkey.gpg + +- name: Add apt repository + apt_repository: + repo: '{{ item }}' + state: present + filename: nodeandyarnsource + loop: + - deb https://deb.nodesource.com/node_"{{ peertube_nodejs_version }}".x "{{ ansible_distribution_release }}" main + - deb https://dl.yarnpkg.com/debian/ stable main + +- name: Install NodeJS + apt: + update_cache: yes + pkg: nodejs + state: present + +- name: Install dependencies + apt: + name: '{{ item }}' + state: latest + loop: + - curl + - sudo + - unzip + - vim + - nginx + - ffmpeg + - postgresql + - openssl + - g++ + - make + - redis-server + - git + - python-psycopg2 + - build-essential + - apt-transport-https + - python-ruamel.yaml + - yarn diff --git a/tasks/main.yml b/tasks/main.yml index 7079cf0..9ecd977 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,280 +1,13 @@ ---- -# TODO: -# - use include_tasks to group them -- name: Install dependencies - apt: pkg={{item}} state=latest - with_items: - - curl - - sudo - - unzip - - vim - - nginx - - ffmpeg - - postgresql - - openssl - - g++ - - make - - redis-server - - git - - python-psycopg2 - - build-essential # for bcrypt? - - apt-transport-https # for node apt repository - - python-ruamel.yaml -# Configure nodejs -- name: Install NodeJS apt key - apt_key: - url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key - state: present +- include_tasks: install_dependencies.yml -- name: Add NodeJS apt repository - apt_repository: - repo: deb https://deb.nodesource.com/node_9.x "{{ ansible_distribution_release }}" main - state: present - filename: nodesource +- include_tasks: postgres.yml -- name: Install NodeJS - apt: - update_cache: yes - pkg: nodejs - state: latest +- include_tasks: certbot.yml -- name: Install Yarn apt key - apt_key: - url: https://dl.yarnpkg.com/debian/pubkey.gpg - state: present +- include_tasks: nginx.yml -- name: Add Yarn apt repo - apt_repository: - repo: deb https://dl.yarnpkg.com/debian/ stable main - state: present - filename: yarn +- include_tasks: install_configure_peertube.yml -- name: Install Yarn - apt: - update_cache: yes - pkg: yarn - state: latest - -- name: Add peertube user - user: - name: peertube - home: "{{ peertube_user_path }}" - shell: /bin/bash - password: "{{ peertube_user_password_hashed }}" - -- name: Add peertube user in Postgres - become: yes - become_user: postgres - postgresql_user: - name: peertube - password: "{{ peertube_dbuser_password }}" - -- name: Add Postgres database - become: yes - become_user: postgres - postgresql_db: - name: peertube_prod - owner: peertube - -- name: Create required directories - file: - path: "{{ peertube_user_path }}/{{ item }}" - state: directory - owner: peertube - group: peertube - mode: 0755 - with_items: - - config - - storage - - versions - -- stat: path={{ peertube_user_path }}/versions/peertube-{{ peertube_version }} - register: peertube_version_dir - -- name: Download and extract Peertube - unarchive: - src: "https://github.com/Chocobozzz/PeerTube/releases/download/{{ peertube_version }}/peertube-{{ peertube_version }}.zip" - dest: "{{ peertube_user_path }}/versions" - remote_src: yes - owner: peertube - group: peertube - when: peertube_version_dir.stat.exists == False - register: fresh_install - -- stat: path={{ peertube_user_path }}/peertube-latest - register: peertube_latest_dir - -- name: Create symlink peertube-latest - file: - src: "{{ peertube_user_path }}/versions/peertube-{{ peertube_version }}" - dest: "{{ peertube_user_path }}/peertube-latest" - state: link - owner: peertube - group: peertube - when: peertube_latest_dir.stat.exists == False - -- name: Change owner of all peertube directories # seems setting owner on unarchive is not enough… - file: - path: "{{ peertube_user_path }}" - owner: peertube - group: peertube - recurse: yes - -- name: Yarn install - become: true - become_user: peertube - shell: | - cd "{{ peertube_user_path }}/peertube-latest" - yarn install --production --pure-lockfile - when: fresh_install is changed - -- name: Copy production.yaml - copy: - src: "{{ peertube_user_path }}/peertube-latest/config/production.yaml.example" - dest: "{{ peertube_user_path }}/config/production.yaml" - remote_src: yes - force: no - owner: peertube - group: peertube - mode: 0644 - notify: - - restart peertube daemon - -- name: Edit production.yaml - yedit: - src: "{{ peertube_user_path }}/config/production.yaml" - edits: - - key: webserver.hostname - value: "{{ peertube_tld }}" - - key: database.password - value: "{{ peertube_dbuser_password }}" - - key: smtp.from_address - value: "admin@{{ peertube_tld }}" - - key: storage.avatars - value: "{{ peertube_user_path }}/storage/avatars/" - - key: storage.videos - value: "{{ peertube_user_path }}/storage/videos/" - - key: storage.logs - value: "{{ peertube_user_path }}/storage/logs/" - - key: storage.previews - value: "{{ peertube_user_path }}/storage/previews/" - - key: storage.thumbnails - value: "{{ peertube_user_path }}/storage/thumbnails/" - - key: storage.torrents - value: "{{ peertube_user_path }}/storage/torrents/" - - key: storage.cache - value: "{{ peertube_user_path }}/storage/cache/" - - key: admin.email - value: "admin@{{ peertube_tld }}" - - key: instance.name - value: "{{ peertube_tld }}" - notify: - - restart peertube daemon - -- name: Add proxy production.yaml - yedit: - src: "{{ peertube_user_path }}/config/production.yaml" - append: yes - key: trust_proxy - value: "{{ item }}" - loop: "{{ peertube_proxy_ips }}" - when: peertube_proxy_ips != [] - notify: - - restart peertube daemon - -- name: Copy nginx conf file - template: - src: "nginx-peertube" - dest: /etc/nginx/sites-available/peertube - mode: 0644 - notify: - - reload nginx - -- name: Enable nginx conf file - file: - src: /etc/nginx/sites-available/peertube - dest: /etc/nginx/sites-enabled/peertube - state: link - notify: - - reload nginx - -- name: Install Stretch backports repo - apt_repository: - repo: deb http://ftp.debian.org/debian stretch-backports main - state: present - when: - - (ansible_distribution_major_version == "9") - register: backports_installed - -- name: Change apt_preference - copy: - content: 'APT::Default-Release "stable";' - dest: /etc/apt/apt.conf.d/99apt_default - mode: 644 - when: backports_installed is changed - -- name: Install certbot - apt: - pkg: python-certbot-nginx - state: latest - default_release: stretch-backports - register: certbot_installed - when: peertube_proxy_handle_https != 'yes' - -- name: Install Letsencrypt certificate - shell: | - certbot certonly -n \ - --authenticator standalone \ - --installer nginx \ - -d {{ peertube_tld }} \ - -m {{ admin_email }} \ - --agree-tos \ - --pre-hook "systemctl stop nginx" \ - --post-hook "systemctl start nginx" - when: - - certbot_installed is changed - - peertube_proxy_handle_https != 'yes' - -- name: Insert Let's encrypt certificates in nginx - blockinfile: - dest: /etc/nginx/sites-available/peertube - marker: " # {mark} let's encrypt configuration" - block: |2- - ssl_certificate /etc/letsencrypt/live/{{ peertube_tld }}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/{{ peertube_tld }}/privkey.pem; - - insertbefore: ".*# Security hardening.*" - state: present - when: peertube_proxy_handle_https != 'yes' - -- name: Reload nginx - service: name=nginx state=reloaded - -- name: Install Peertube daemon - template: - src: peertube.service - dest: /etc/systemd/system/ - notify: - - install peertube daemon - -- name: Add tools in $PATH - become: true - become_user: peertube - lineinfile: - path: "{{ peertube_user_path }}/.bashrc" - state: present - line: 'export PATH="$PATH:{{ peertube_user_path }}/peertube-latest/dist/server/tools/"' - -- name: Change admin password - become: true - become_user: peertube - shell: |-1 - cd "{{ peertube_user_path }}/peertube-latest" - yarn add commander - # FIXME escape characters - echo "{{ peertube_web_admin_password }}" | NODE_CONFIG_DIR={{ peertube_user_path }}/config NODE_ENV=production npm run reset-password -- -u root - when: - - peertube_version_dir.stat.exists == False - - fresh_install # is changed - - peertube_web_admin_password is defined +- include_tasks: copy_ldap_key_tls.yml + when: not peertube_ldap.insecure_tls diff --git a/tasks/nginx.yml b/tasks/nginx.yml new file mode 100644 index 0000000..1c891af --- /dev/null +++ b/tasks/nginx.yml @@ -0,0 +1,23 @@ + +- name: Copy nginx conf file + template: + src: "nginx-peertube" + dest: /etc/nginx/sites-available/peertube + mode: 0644 + notify: + - reload nginx + +- name: Enable nginx conf file + file: + src: /etc/nginx/sites-available/peertube + dest: /etc/nginx/sites-enabled/peertube + state: link + notify: + - reload nginx + +- name: Remove default nginx conf file + file: + path: /etc/nginx/sites-enabled/default + state: absent + notify: + - reload nginx diff --git a/tasks/postgres.yml b/tasks/postgres.yml new file mode 100644 index 0000000..7666355 --- /dev/null +++ b/tasks/postgres.yml @@ -0,0 +1,24 @@ + +- name: Add peertube user in Postgres + become: yes + become_user: "{{ peertube_postgres_user }}" + postgresql_user: + name: "{{ peertube_dbuser }}" + password: "{{ peertube_dbuser_password }}" + +- name: Add Postgres database + become: yes + become_user: "{{ peertube_postgres_user }}" + postgresql_db: + name: '{{ peertube_db }}_prod' + owner: '{{ peertube_dbuser }}' + +- name: Add pg_trgm and unaccent + become: yes + become_user: "{{ peertube_postgres_user }}" + postgresql_ext: + name: '{{ item }}' + db: '{{ peertube_db }}_prod' + loop: + - pg_trgm + - unaccent diff --git a/templates/nginx-peertube b/templates/nginx-peertube index 6c488eb..1782a92 100644 --- a/templates/nginx-peertube +++ b/templates/nginx-peertube @@ -11,7 +11,55 @@ server { default_type "text/plain"; root /var/www/certbot; } - location / { return 301 https://$host$request_uri; } + return 301 https://{{ peertube_tld }}; +} +{% endif %} + +{% if peertube_alias is defined %} +server { + {% if peertube_proxy_handle_https != 'yes' %} + listen 443 ssl http2; + listen [::]:443 ssl http2; + {% else %} + listen 80; + listen [::]:80; + {% endif %} + server_name {% for item in peertube_alias %} {{ item }}{% endfor %}; + + {% if peertube_proxy_handle_https != 'yes' %} + ssl_certificate /etc/letsencrypt/live/{{ peertube_tld }}/cert.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ peertube_tld }}/privkey.pem; + # Security hardening (as of 11/02/2018) + ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0 + ssl_prefer_server_ciphers on; + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + # ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0, not compatible with import-videos script + ssl_session_timeout 10m; + ssl_session_cache shared:SSL:10m; + ssl_session_tickets off; # Requires nginx >= 1.5.9 + ssl_stapling on; # Requires nginx >= 1.3.7 + ssl_stapling_verify on; # Requires nginx => 1.3.7 + {% endif %} + + # Configure with your resolvers + # resolver $DNS-IP-1 $DNS-IP-2 valid=300s; + # resolver_timeout 5s; + + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + + access_log /var/log/nginx/{{ peertube_tld }}.access.log; + error_log /var/log/nginx/{{ peertube_tld }}.error.log; + + {% if peertube_proxy_handle_https != 'yes' %} + location ^~ '/.well-known/acme-challenge' { + default_type "text/plain"; + root /var/www/certbot; + } + {% endif %} + return 301 https://{{ peertube_tld }}; } {% endif %} @@ -24,8 +72,9 @@ server { listen [::]:80; {% endif %} server_name {{ peertube_tld }}; - {% if peertube_proxy_handle_https != 'yes' %} + ssl_certificate /etc/letsencrypt/live/{{ peertube_tld }}/cert.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ peertube_tld }}/privkey.pem; # Security hardening (as of 11/02/2018) ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0 ssl_prefer_server_ciphers on; diff --git a/templates/production.yaml.j2 b/templates/production.yaml.j2 new file mode 100644 index 0000000..994adad --- /dev/null +++ b/templates/production.yaml.j2 @@ -0,0 +1,505 @@ +listen: + hostname: '{{peertube_listen.hostname}}' + port: {{ peertube_listen.port }} + +# Correspond to your reverse proxy server_name/listen configuration (i.e., your public PeerTube instance URL) +webserver: + https: {{ peertube_webserver.https }} + hostname: {{ peertube_webserver.hostname }} + port: {{ peertube_webserver.port }} + +rates_limit: + api: + # 50 attempts in 10 seconds + window: 10 seconds + max: 50 + login: + # 15 attempts in 5 min + window: 5 minutes + max: 15 + signup: + # 2 attempts in 5 min (only succeeded attempts are taken into account) + window: 5 minutes + max: 2 + ask_send_email: + # 3 attempts in 5 min + window: 5 minutes + max: 3 + +# Proxies to trust to get real client IP +# If you run PeerTube just behind a local proxy (nginx), keep 'loopback' +# If you run PeerTube behind a remote proxy, add the proxy IP address (or subnet) +trust_proxy: +{% for item in peertube_trust_proxy %} + - '{{ item }}' +{% endfor %} + +# Your database name will be database.name OR "peertube"+database.suffix +database: + hostname: '{{ peertube_database.hostname }}' + port: {{ peertube_database.port }} + ssl: {{ peertube_database.ssl }} + suffix: '{{ peertube_database.suffix }}' + username: '{{ peertube_database.username }}' + password: '{{ peertube_database.password }}' + pool: + max: {{ peertube_database.pool.max }} + +# Redis server for short time storage +# You can also specify a 'socket' path to a unix socket but first need to +# comment out hostname and port +redis: + hostname: 'localhost' + port: 6379 + auth: null + db: 0 + +# SMTP server to send emails +smtp: + # smtp or sendmail + transport: {{ peertube_smtp.transport }} + # Path to sendmail command. Required if you use sendmail transport + sendmail: {{ peertube_smtp.sendmail }} + hostname: {{ peertube_smtp.hostname }} + port: {{ peertube_smtp.port }} + username: {{ peertube_smtp.username }} + password: {{ peertube_smtp.password }} + tls: {{ peertube_smtp.tls }} + disable_starttls: {{ peertube_smtp.disable_starttls }} + ca_file: {{ peertube_smtp.ca_file }} + from_address: '{{ peertube_smtp.from_address }}' + +email: + body: + signature: "PeerTube" + subject: + prefix: "[PeerTube]" + +# From the project root directory +storage: + tmp: '{{ peertube_user_path }}/storage{{ peertube_storage.tmp }}' + avatars: '{{ peertube_user_path }}/storage{{ peertube_storage.avatars }}' + videos: '{{ peertube_user_path }}/storage{{ peertube_storage.videos }}' + streaming_playlists: '{{ peertube_user_path }}/storage{{ peertube_storage.streaming_playlists }}' + redundancy: '{{ peertube_user_path }}/storage{{ peertube_storage.redundancy }}' + logs: '{{ peertube_user_path }}/storage{{ peertube_storage.logs }}' + previews: '{{ peertube_user_path }}/storage{{ peertube_storage.previews }}' + thumbnails: '{{ peertube_user_path }}/storage{{ peertube_storage.thumbnails }}' + torrents: '{{ peertube_user_path }}/storage{{ peertube_storage.torrents }}' + captions: '{{ peertube_user_path }}/storage{{ peertube_storage.captions }}' + cache: '{{ peertube_user_path }}/storage{{ peertube_storage.cache }}' + plugins: '{{ peertube_user_path }}/storage{{ peertube_storage.plugins }}' + # Overridable client files : logo.svg, favicon.png and icons/*.png (PWA) in client/dist/assets/images + # Could contain for example assets/images/favicon.png + # If the file exists, peertube will serve it + # If not, peertube will fallback to the default fil + client_overrides: '{{ peertube_user_path }}/storage{{ peertube_storage.client_overrides }}' + +log: + level: 'info' # debug/info/warning/error + rotation: + enabled : true # Enabled by default, if disabled make sure that 'storage.logs' is pointing to a folder handled by logrotate + maxFileSize: 12MB + maxFiles: 20 + anonymizeIP: false + log_ping_requests: true + prettify_sql: false + +trending: + videos: + interval_days: 7 # Compute trending videos for the last x days + algorithms: + enabled: + - 'best' # adaptation of Reddit's 'Best' algorithm (Hot minus History) + - 'hot' # adaptation of Reddit's 'Hot' algorithm + - 'most-viewed' # default, used initially by PeerTube as the trending page + - 'most-liked' + default: 'most-viewed' + +# Cache remote videos on your server, to help other instances to broadcast the video +# You can define multiple caches using different sizes/strategies +# Once you have defined your strategies, choose which instances you want to cache in admin -> manage follows -> following +redundancy: + videos: + check_interval: '1 hour' # How often you want to check new videos to cache + strategies: # Just uncomment strategies you want +# - +# size: '10GB' +# # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances) +# min_lifetime: '48 hours' +# strategy: 'most-views' # Cache videos that have the most views +# - +# size: '10GB' +# # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances) +# min_lifetime: '48 hours' +# strategy: 'trending' # Cache trending videos +# - +# size: '10GB' +# # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances) +# min_lifetime: '48 hours' +# strategy: 'recently-added' # Cache recently added videos +# min_views: 10 # Having at least x views + +# Other instances that duplicate your content +remote_redundancy: + videos: + # 'nobody': Do not accept remote redundancies + # 'anybody': Accept remote redundancies from anybody + # 'followings': Accept redundancies from instance followings + accept_from: 'anybody' + +csp: + enabled: false + report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk! + report_uri: + +tracker: + # If you disable the tracker, you disable the P2P aspect of PeerTube + enabled: true + # Only handle requests on your videos. + # If you set this to false it means you have a public tracker. + # Then, it is possible that clients overload your instance with external torrents + private: true + # Reject peers that do a lot of announces (could improve privacy of TCP/UDP peers) + reject_too_many_announces: false + +history: + videos: + # If you want to limit users videos history + # -1 means there is no limitations + # Other values could be '6 months' or '30 days' etc (PeerTube will periodically delete old entries from database) + max_age: -1 + +views: + videos: + # PeerTube creates a database entry every hour for each video to track views over a period of time + # This is used in particular by the Trending page + # PeerTube could remove old remote video views if you want to reduce your database size (video view counter will not be altered) + # -1 means no cleanup + # Other values could be '6 months' or '30 days' etc (PeerTube will periodically delete old entries from database) + remote: + max_age: '30 days' + +plugins: + # The website PeerTube will ask for available PeerTube plugins and themes + # This is an unmoderated plugin index, so only install plugins/themes you trust + index: + enabled: true + check_latest_versions_interval: '12 hours' # How often you want to check new plugins/themes versions + url: 'https://packages.joinpeertube.org' + +federation: + videos: + federate_unlisted: false + # Add a weekly job that cleans up remote AP interactions on local videos (shares, rates and comments) + # It removes objects that do not exist anymore, and potentially fix their URLs + # This setting is opt-in because due to an old bug in PeerTube, remote rates sent by instance before PeerTube 3.0 will be deleted + # We still suggest you to enable this setting even if your users will loose most of their video's likes/dislikes + cleanup_remote_interactions: false + +peertube: + check_latest_version: + # Check and notify admins of new PeerTube versions + enabled: true + # You can use a custom URL if your want, that respect the format behind https://joinpeertube.org/api/v1/versions.json + url: 'https://joinpeertube.org/api/v1/versions.json' + + +############################################################################### +# +# From this point, all the following keys can be overridden by the web interface +# (local-production.json file). If you need to change some values, prefer to +# use the web interface because the configuration will be automatically +# reloaded without any need to restart PeerTube. +# +# /!\ If you already have a local-production.json file, the modification of the +# following keys will have no effect /!\. +# +############################################################################### + +cache: + previews: + size: 500 # Max number of previews you want to cache + captions: + size: 500 # Max number of video captions/subtitles you want to cache + torrents: + size: 500 # Max number of video torrents you want to cache + +admin: + # Used to generate the root user at first startup + # And to receive emails from the contact form + email: '{{ peertube_admin_email }}' + +contact_form: + enabled: true + +signup: + enabled: false + limit: 10 # When the limit is reached, registrations are disabled. -1 == unlimited + requires_email_verification: false + filters: + cidr: # You can specify CIDR ranges to whitelist (empty = no filtering) or blacklist + whitelist: [] + blacklist: [] + +user: + # Default value of maximum video BYTES the user can upload (does not take into account transcoded files). + # -1 == unlimited + video_quota: {{ peertube_video_quota }} + video_quota_daily: {{ peertube_video_quota_daily }} + +# If enabled, the video will be transcoded to mp4 (x264) with "faststart" flag +# In addition, if some resolutions are enabled the mp4 video file will be transcoded to these new resolutions. +# Please, do not disable transcoding since many uploaded videos will not work +transcoding: + enabled: true + # Allow your users to upload .mkv, .mov, .avi, .wmv, .flv, .f4v, .3g2, .3gp, .mts, m2ts, .mxf, .nut videos + allow_additional_extensions: true + # If a user uploads an audio file, PeerTube will create a video by merging the preview file and the audio file + allow_audio_files: true + threads: 1 + # Amount of transcoding jobs to execute in parallel + concurrency: 1 + + # Choose the transcoding profile + # New profiles can be added by plugins + # Available in core PeerTube: 'default' + profile: 'default' + + resolutions: # Only created if the original video has a higher resolution, uses more storage! + 0p: false # audio-only (creates mp4 without video stream, always created when enabled) + 240p: false + 360p: false + 480p: false + 720p: false + 1080p: false + 1440p: false + 2160p: false + + # Generate videos in a WebTorrent format (what we do since the first PeerTube release) + # If you also enabled the hls format, it will multiply videos storage by 2 + # If disabled, breaks federation with PeerTube instances < 2.1 + webtorrent: + enabled: true + + # /!\ Requires ffmpeg >= 4.1 + # Generate HLS playlists and fragmented MP4 files. Better playback than with WebTorrent: + # * Resolution change is smoother + # * Faster playback in particular with long videos + # * More stable playback (less bugs/infinite loading) + # If you also enabled the webtorrent format, it will multiply videos storage by 2 + hls: + enabled: false + +live: + enabled: {{ peertube_live.enabled }} + + # Limit lives duration + # Set null to disable duration limit + max_duration: {{ peertube_live.max_duration }} # For example: '5 hours' + + # Limit max number of live videos created on your instance + # -1 == unlimited + max_instance_lives: {{ peertube_live.max_instance_lives }} + + # Limit max number of live videos created by a user on your instance + # -1 == unlimited + max_user_lives: {{ peertube_live.max_user_lives }} + + # Allow your users to save a replay of their live + # PeerTube will transcode segments in a video file + # If the user daily/total quota is reached, PeerTube will stop the live + # /!\ transcoding.enabled (and not live.transcoding.enabled) has to be true to create a replay + allow_replay: {{ peertube_live.allow_replay }} + + # Your firewall should accept traffic from this port in TCP if you enable live + rtmp: + port: {{ peertube_live.rtmp.port }} + + # Allow to transcode the live streaming in multiple live resolutions + transcoding: + enabled: {{ peertube_live.transcoding.enabled }} + threads: {{ peertube_live.transcoding.threads }} + # Choose the transcoding profile + # New profiles can be added by plugins + # Available in core PeerTube: 'default' + profile: 'default' + + resolutions: + 240p: {{ peertube_live.transcoding.resolutions.very_small }} + 360p: {{ peertube_live.transcoding.resolutions.small }} + 480p: {{ peertube_live.transcoding.resolutions.normal }} + 720p: {{ peertube_live.transcoding.resolutions.standard }} + 1080p: {{ peertube_live.transcoding.resolutions.hd }} + 1440p: {{ peertube_live.transcoding.resolutions.hhd }} + 2160p: {{ peertube_live.transcoding.resolutions.full_hd }} + +import: + # Add ability for your users to import remote videos (from YouTube, torrent...) + videos: + # Amount of import jobs to execute in parallel + concurrency: 1 + + http: # Classic HTTP or all sites supported by youtube-dl https://rg3.github.io/youtube-dl/supportedsites.html + enabled: {{ peertube_import.videos.http }} + + # IPv6 is very strongly rate-limited on most sites supported by youtube-dl + force_ipv4: {{ peertube_import.videos.force_ipv4 }} + + # You can use an HTTP/HTTPS/SOCKS proxy with youtube-dl + proxy: + enabled: {{ peertube_import.videos.proxy.enable }} + url: {{ peertube_import.videos.proxy.url }} + torrent: # Magnet URI or torrent file (use classic TCP/UDP/WebSeed to download the file) + enabled: {{ peertube_import.videos.torrent }} + +auto_blacklist: + # New videos automatically blacklisted so moderators can review before publishing + videos: + of_users: + enabled: false + +# Instance settings +instance: + name: '{{ peertube_instance.name }}' + short_description: '{{ peertube_instance.short_description }}' + description: '{{ peertube_instance.description }}' + terms: '{{ peertube_instance.terms }}' + code_of_conduct: '{{ peertube_instance.code_of_conduct }}' + + # Who moderates the instance? What is the policy regarding NSFW videos? Political videos? etc + moderation_information: '{{ peertube_instance.moderation_information }}' + + # Why did you create this instance? + creation_reason: '{{ peertube_instance.creation_reason }}' + + # Who is behind the instance? A single person? A non profit? + administrator: '{{ peertube_instance.administrator }}' + + # How long do you plan to maintain this instance? + maintenance_lifetime: '{{ peertube_instance.maintenance_lifetime }}' + + # How will you pay the PeerTube instance server? With your own funds? With users donations? Advertising? + business_model: '{{ peertube_instance.business_model }}' + + # If you want to explain on what type of hardware your PeerTube instance runs + # Example: "2 vCore, 2GB RAM..." + hardware_information: '{{ peertube_instance.hardware_information }}' + + # What are the main languages of your instance? To interact with your users for example + # Uncomment or add the languages you want + # List of supported languages: https://peertube.cpy.re/api/v1/videos/languages + languages: +# - en +# - es +# - fr + + # You can specify the main categories of your instance (dedicated to music, gaming or politics etc) + # Uncomment or add the category ids you want + # List of supported categories: https://peertube.cpy.re/api/v1/videos/categories + categories: +# - 1 # Music +# - 2 # Films +# - 3 # Vehicles +# - 4 # Art +# - 5 # Sports +# - 6 # Travels +# - 7 # Gaming +# - 8 # People +# - 9 # Comedy +# - 10 # Entertainment +# - 11 # News & Politics +# - 12 # How To +# - 13 # Education +# - 14 # Activism +# - 15 # Science & Technology +# - 16 # Animals +# - 17 # Kids +# - 18 # Food + + default_client_route: '/videos/trending' + + # Whether or not the instance is dedicated to NSFW content + # Enabling it will allow other administrators to know that you are mainly federating sensitive content + # Moreover, the NSFW checkbox on video upload will be automatically checked by default + is_nsfw: false + # By default, "do_not_list" or "blur" or "display" NSFW videos + # Could be overridden per user with a setting + default_nsfw_policy: 'do_not_list' + + customizations: + javascript: '' # Directly your JavaScript code (without