Disroot-Ansible/peertube
10
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

first commit

Browse source
This commit is contained in:
meaz 2023-12-20 14:04:10 +01:00
commit 0581fc5d62
Signed by: meaz
GPG key ID: CD7A47B2F1ED43B4
16 changed files with 1389 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored Normal file
View file

@ -0,0 +1 @@
.vagrant

19
LICENSE Normal file
View file

@ -0,0 +1,19 @@
MIT License Copyright (c) 2021 "Stichting Disroot.org"
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is furnished
to do so, subject to the following conditions:
The above copyright notice and this permission notice (including the next
paragraph) shall be included in all copies or substantial portions of the
Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF
OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

13
Playbooks/peertube.yml Normal file
View file

@ -0,0 +1,13 @@
---
- hosts: peertube
roles:
- nginx
- postgresql
- peertube
vars_files:
- ../defaults/main.yml
vars:
- ansible_python_interpreter: "/usr/bin/python3"

42
README.md Normal file
View file

@ -0,0 +1,42 @@
# Peertube - Ansible role
This role covers deployment, configuration and software updates of Peertube. This role is released under MIT Licence and we give no warranty for this piece of software. Currently supported OS - Debian.
You can deploy test instance using `Vagrantfile` attached to the role.
Then simply:
`vagrant up`
`ansible-playbook -b Playbooks/peertube.yml`
Then you can then access Peertube from your computer on `http://192.168.33.15` (but patient as it takes about 2 minutes to be up and ready.)
## Playbook
The playbook includes postgresql and nginx roles and deploys entire stack needed to run lemmy. Additional roles are also available in the Ansible roles repos in git.
## Tags
You can use tags when you deploy:
- `config`: to deploy just config
- `password`: to change root user password
## CHANGELOG
- **20.12.2023** - Role creation
## Still need to be fixed or done:
- At the moment, we have redis-server version 6.0.16 but we have messages in logs that say that it is highly recommended to use a minimum Redis version of 6.2.0
- Do we need to set `trust_proxy` in config file for local machine? At the moment, it works without.
- Some optionnal config on nginx are commented out coz otherwise we get some issues (like not being able to watch a video)
- Make a SQL backup from Ansible? Here is what is in official documentation:
```
SQL_BACKUP_PATH="backup/sql-peertube_prod-$(date -Im).bak" && \
cd /var/www/peertube && sudo -u peertube mkdir -p backup && \
sudo -u postgres pg_dump -F c peertube_prod | sudo -u peertube tee "$SQL_BACKUP_PATH" >/dev/null
```

20
Vagrantfile vendored Normal file
View file

@ -0,0 +1,20 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
# All Vagrant configuration is done below. The "2" in Vagrant.configure
# configures the configuration version (we support older styles for
# backwards compatibility). Please don't change it unless you know what
# you're doing.
Vagrant.configure("2") do |config|
#config.ssh.insert_key = false
config.vm.define "peertube" do |peertube|
peertube.vm.box = "generic/debian11"
peertube.vm.provider :libvirt do |libvirt|
libvirt.memory = 256
end
peertube.vm.network "forwarded_port", guest: 80, host: 8888, host_ip: "192.168.33.15"
peertube.vm.network "forwarded_port", guest: 443, host: 4443, host_ip: "192.168.33.15"
peertube.vm.network "private_network", ip: "192.168.33.15"
config.vm.provision "shell", inline: "apt install acl"
end
end

136
defaults/main.yml Normal file
View file

@ -0,0 +1,136 @@
---
peertube_user: 'peertube'
peertube_group: 'peertube'
peertube_app_dir: '/var/www/peertube'
peertube_nodejs_version: '18'
peertube_apt_list:
- curl
- sudo
- unzip
- vim
- redis-server
- ffmpeg
#- yarn # installed with npm
- nodejs
- python3-dev
- python-is-python3
## following needed?
- openssl
- g++
- make
- git
- cron
- wget
peertube_version: 'v6.0.2'
peertube_root_password: 'changeme'
## Config file production.yaml
peertube_listen_hostname: '127.0.0.1'
peertube_listen_port: '9000'
peertube_webserver_https: 'false'
peertube_webserver_hostname: '192.168.33.15' # should be hostname if not using vagrant
peertube_webserver_port: '80'
peertube_secrets: 'b76ef980043e9297ff47a7fa531bb66648d2e9bb990ab29f445019645c45b005' # Generate one using `openssl rand -hex 32`
peertube_db_host: '127.0.0.1'
peertube_db_port: '5432'
peertube_db_suffix: ''
peertube_db_name: 'peertube{{ peertube_db_suffix }}'
peertube_db_user: 'peertubeadmin'
peertube_db_passwd: 'changeme'
peertube_db_ssl: 'false'
peertube_redis_hostname: '127.0.0.1'
peertube_redis_port: '6379'
peertube_smtp_transport: 'smtp'
peertube_smtp_hostname: 'example.com'
peertube_smtp_port: '465'
peertube_smtp_username: 'username'
peertube_smtp_password: 'changeme'
peertube_smtp_tls: 'true'
peertube_smtp_disable_starttls: 'false'
peertube_smtp_ca_file: 'null'
peertube_smtp_from_address: 'noreply@example.com'
peertube_admin_email: 'admin@example.com'
peertube_webadmin_allowed: 'true'
peertube_instance_name: 'PeerTube'
peertube_instance_short_description: 'PeerTube, an ActivityPub-federated video streaming platform using P2P directly in your web browser.'
peertube_instance_description: 'Welcome to this PeerTube instance!'
peertube_instance_terms: 'No terms for now.'
peertube_instance_code_of_conduct: ''
peertube_instance_moderation_information: ''
peertube_instance_creation_reason: ''
peertube_instance_administrator: ''
peertube_instance_maintenance_lifetime: ''
peertube_instance_business_model: ''
peertube_instance_hardware_information: ''
#Postgres
postgresql_version: 13
postgresql_listen_addresses:
- "127.0.0.1"
postgresql_pg_hba_default:
- { type: local, database: all, user: '{{ postgresql_admin_user }}', address: '', method: '{{ postgresql_default_auth_method }}', comment: '' }
- { type: local, database: all, user: all, address: '', method: '{{ postgresql_default_auth_method }}', comment: '"local" is for Unix domain socket connections only' }
- { type: host, database: all, user: all, address: '127.0.0.1/32', method: '{{ postgresql_default_auth_method_hosts }}', comment: 'IPv4 local connections:' }
postgresql_databases:
- name: '{{ peertube_db_name }}'
owner: '{{ peertube_db_user }}' # optional; specify the owner of the database
uuid_ossp: yes
postgresql_database_extensions:
- db: '{{ peertube_db_name }}'
extensions:
- unaccent
- pg_trgm
# hstore: no # flag to install the hstore extension on this database (yes/no)
#uuid_ossp: yes # flag to install the uuid-ossp extension on this database (yes/no)
#citext: yes # flag to install the citext extension on this database (yes/no)
postgresql_users:
- name: '{{ peertube_db_user }}'
pass: '{{ peertube_db_passwd }}'
encrypted: yes # denotes if the password is already encrypted.
postgresql_user_privileges:
- name: '{{ peertube_db_user }}' # user name
db: '{{ peertube_db_name }}' # database
priv: "ALL" # privilege string format: example: INSERT,UPDATE/table:SELECT/anothertable:ALL
role_attr_flags: "" # role attribute flags
#NGINX SETUP
nginx_default_vhost_ssl: 'peertube.example.com'
nginx_default_vhost: 'peertube.example.com'
nginx_HSTS_policy: 'true'
##NGINX VHOST
nginx_vhosts:
- name: 'peertube.example.com'
template: 'peertube'
upstream_proto: 'http'
upstream_port: '9000'
upstream_name: 'localhost'
proto: 'http'
listen: '80'
root: '{{ peertube_app_dir }}'
use_error_log: 'true'
nginx_error_log_level: 'warn'
redirect_https: 'true'
letsencrypt: 'false'
secure_site: 'false'
state: 'enable'
selfsigned: 'false'

6
handlers/main.yml Normal file
View file

@ -0,0 +1,6 @@
---
- name: restart peertube
service:
name: peertube
state: restarted

56
tasks/configure.yml Normal file
View file

@ -0,0 +1,56 @@
---
- name: '[CONFIGURE] - Create config dir'
file:
path: '{{ peertube_app_dir }}/config'
owner: '{{ peertube_user }}'
group: '{{ peertube_group }}'
state: directory
recurse: yes
tags:
- config
- name: '[CONFIGURE] - Copy default config file'
copy:
src: '{{ peertube_app_dir }}/peertube-latest/config/default.yaml'
dest: '{{ peertube_app_dir }}/config/default.yaml'
owner: '{{ peertube_user }}'
group: '{{ peertube_group }}'
remote_src: yes
tags:
- config
- name: '[CONFIGURE] - Deploy Peertube production config'
template:
src: config/production.yaml.j2
dest: "{{ peertube_app_dir }}/config/production.yaml"
owner: '{{ peertube_user }}'
group: '{{ peertube_group }}'
mode: 0644
notify:
restart peertube
tags:
- config
- name: '[CONFIGURE] - Set sysctl rules'
sysctl:
name: "net.ipv6.conf.all.disable_ipv6"
value: 'fq_codel'
sysctl_file: '/etc/sysctl.d/30-peertube-tcp.conf'
sysctl_set: 'yes'
state: 'present'
reload: 'yes'
tags:
- config
- name: '[CONFIGURE] - Set sysctl rules'
sysctl:
name: "net.ipv4.tcp_congestion_control"
value: 'bbr'
sysctl_file: '/etc/sysctl.d/30-peertube-tcp.conf'
sysctl_set: 'yes'
state: 'present'
reload: 'yes'
tags:
- config

78
tasks/installapp.yml Normal file
View file

@ -0,0 +1,78 @@
---
- name: '[INSTALL] - Check if Peertube symlink file exists'
stat:
path: "{{ peertube_app_dir }}/peertube-latest"
register: peertube_symlink_installed
- name: '[INSTALL] - Check Peertube version installed'
shell: readlink -f {{ peertube_app_dir }}/peertube-latest | cut -d'-' -f2
become: true
become_user: "{{ peertube_user }}"
when: peertube_symlink_installed.stat.exists
register: peertube_installed_version
- name: '[INSTALL] - Create {{ peertube_app_dir }}/config'
file:
path: "{{ peertube_app_dir }}/config"
state: directory
owner: '{{ peertube_user }}'
group: '{{ peertube_group }}'
mode: 0750
- name: '[INSTALL] - Create {{ peertube_app_dir }}/storage'
file:
path: "{{ peertube_app_dir }}/storage"
state: directory
owner: '{{ peertube_user }}'
group: '{{ peertube_group }}'
mode: 0744
- name: '[INSTALL] - Create {{ peertube_app_dir }}/versions'
file:
path: "{{ peertube_app_dir }}/versions"
state: directory
owner: '{{ peertube_user }}'
group: '{{ peertube_group }}'
mode: 0744
- name: "[INSTALL] - Download peertube release"
unarchive:
src: "https://github.com/Chocobozzz/PeerTube/releases/download/{{ peertube_version }}/peertube-{{ peertube_version }}.zip"
dest: "{{ peertube_app_dir }}/versions"
owner: '{{ peertube_user }}'
group: '{{ peertube_group }}'
remote_src: yes
when: not peertube_symlink_installed.stat.exists or peertube_installed_version.stdout != peertube_version
- name: "[INSTALL] - Remove any previous symbolic link to peertube-latest"
file:
path: "{{ peertube_app_dir }}/peertube-latest"
state: absent
when: peertube_symlink_installed.stat.exists
- name: "[INSTALL] - Create a symbolic link to peertube-latest"
file:
src: "{{ peertube_app_dir }}/versions/peertube-{{ peertube_version }}"
dest: "{{ peertube_app_dir }}/peertube-latest"
owner: '{{ peertube_user }}'
group: '{{ peertube_group }}'
state: link
- name: "[INSTALL] - Gives permission to peertube on peertube-latest" # needed?
file:
path: "{{ peertube_app_dir }}/versions/peertube-{{ peertube_version }}"
owner: '{{ peertube_user }}'
group: '{{ peertube_group }}'
state: directory
recurse: yes
- name: '[INSTALL] - Install peertube'
shell: yarn install --production --pure-lockfile
args:
chdir: "{{ peertube_app_dir }}/versions/peertube-{{ peertube_version }}"
become: true
become_user: "{{ peertube_user }}"
when: not peertube_symlink_installed.stat.exists or peertube_installed_version.stdout != peertube_version
notify:
restart peertube

23
tasks/installdeps.yml Normal file
View file

@ -0,0 +1,23 @@
---
- name: '[INSTALLDEPS] - Add Nodesource apt key'
apt_key:
url: https://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&search=0x1655A0AB68576280
id: "68576280"
state: present
- name: '[INSTALLDEPS] - Add repository for nodejs'
apt_repository:
repo: deb https://deb.nodesource.com/node_{{ peertube_nodejs_version }}.x {{ ansible_distribution_release }} main
state: present
filename: 'nodesource'
- name: '[INSTALLDEPS] - Install dependencies'
apt:
name: '{{ peertube_apt_list }}'
update_cache: yes
- name: '[INSTALLDEPS] - Install yarn'
npm:
name: yarn
global: yes

23
tasks/main.yml Normal file
View file

@ -0,0 +1,23 @@
---
- name: '[Main] - Create user'
include_tasks: user.yml
- name: '[Main] - Install dependencies'
include_tasks: installdeps.yml
- name: Install the app
include_tasks: installapp.yml
- name: Deploy configuration
include_tasks: configure.yml
tags:
- config
- name: Deploy systemd
include_tasks: systemd.yml
- name: Set password for root
include_tasks: password.yml
tags:
- password

23
tasks/password.yml Normal file
View file

@ -0,0 +1,23 @@
---
- name: "[PASSWORD] - Start peertube"
service:
name: peertube
state: restarted
tags:
- password
- name: "[PASSWORD] - Pause for 2 minutes for peertube to start"
pause:
minutes: 2
tags:
- password
- name: '[PASSWORD] - Set root password'
shell: NODE_CONFIG_DIR={{ peertube_app_dir }}/config NODE_ENV=production sh -c 'echo "{{ peertube_root_password }}" | npm run reset-password -- -u root'
args:
chdir: "{{ peertube_app_dir }}/peertube-latest"
become: true
become_user: "{{ peertube_user }}"
tags:
- password

23
tasks/systemd.yml Normal file
View file

@ -0,0 +1,23 @@
---
- name: "[SYSTEMD] - Deploy Systemd config"
template:
src: etc/systemd/system/peertube.service.j2
dest: /etc/systemd/system/peertube.service
owner: root
group: root
mode: 0644
register: peertube
- name: "[SYSTEMD] - Enable systemd"
service:
name: peertube
enabled: yes
notify:
restart peertube
- name: "[SYSTEMD] - Daemon-reload"
systemd:
daemon_reload: yes
name: peertube
when: peertube.changed

22
tasks/user.yml Normal file
View file

@ -0,0 +1,22 @@
---
- name: '[USER] - Create {{ peertube_app_dir }}'
file:
path: "{{ peertube_app_dir }}"
state: directory
#mode: 0744
recurse: yes
- name: '[USER] - Add peertube user'
user:
name: '{{ peertube_user }}'
shell: /bin/bash
home: '{{ peertube_app_dir }}'
- name: '[USER] - Chown {{ peertube_app_dir }} to peertube'
file:
path: "{{ peertube_app_dir }}"
state: directory
owner: '{{ peertube_user }}'
group: '{{ peertube_group }}'
mode: 0744

871
templates/config/production.yaml.j2 Normal file
View file

@ -0,0 +1,871 @@
listen:
hostname: '{{ peertube_listen_hostname }}'
port: {{ peertube_listen_port }}
# Correspond to your reverse proxy server_name/listen configuration (i.e., your public PeerTube instance URL)
webserver:
https: {{ peertube_webserver_https }}
hostname: '{{ peertube_webserver_hostname }}'
port: {{ peertube_webserver_port }}
# Secrets you need to generate the first time you run PeerTube
secrets:
# Generate one using `openssl rand -hex 32`
peertube: '{{ peertube_secrets }}'
rates_limit:
api:
# 50 attempts in 10 seconds
window: 10 seconds
max: 50
login:
# 15 attempts in 5 min
window: 5 minutes
max: 15
signup:
# 2 attempts in 5 min (only succeeded attempts are taken into account)
window: 5 minutes
max: 2
ask_send_email:
# 3 attempts in 5 min
window: 5 minutes
max: 3
receive_client_log:
# 10 attempts in 10 min
window: 10 minutes
max: 10
plugins:
# 500 attempts in 10 seconds (we also serve plugin static files)
window: 10 seconds
max: 500
well_known:
# 200 attempts in 10 seconds
window: 10 seconds
max: 200
feeds:
# 50 attempts in 10 seconds
window: 10 seconds
max: 50
activity_pub:
# 500 attempts in 10 seconds (we can have many AP requests)
window: 10 seconds
max: 500
client: # HTML files generated by PeerTube
# 500 attempts in 10 seconds (to not break crawlers)
window: 10 seconds
max: 500
oauth2:
token_lifetime:
access_token: '1 day'
refresh_token: '2 weeks'
# Proxies to trust to get real client IP
# If you run PeerTube just behind a local proxy (nginx), keep 'loopback'
# If you run PeerTube behind a remote proxy, add the proxy IP address (or subnet)
trust_proxy:
- 'loopback'
# Your database name will be database.name OR 'peertube'+database.suffix
database:
hostname: '{{ peertube_db_host }}'
port: {{ peertube_db_port }}
ssl: {{ peertube_db_ssl }}
suffix: '{{ peertube_db_suffix }}'
username: '{{ peertube_db_user }}'
password: '{{ peertube_db_passwd }}'
pool:
max: 5
# Redis server for short time storage
# You can also specify a 'socket' path to a unix socket but first need to
# set 'hostname' and 'port' to null
redis:
hostname: '{{ peertube_redis_hostname }}'
port: {{ peertube_redis_port }}
auth: null # Used by both standalone and sentinel
db: 0
sentinel:
enabled: false
enable_tls: false
master_name: ''
sentinels:
- hostname: ''
port: 26379
# SMTP server to send emails
smtp:
# smtp or sendmail
transport: {{ peertube_smtp_transport }}
# Path to sendmail command. Required if you use sendmail transport
sendmail: null
hostname: {{ peertube_smtp_hostname }}
port: {{ peertube_smtp_port }} # If you use StartTLS: 587
username: {{ peertube_smtp_username }}
password: {{ peertube_smtp_password }}
tls: {{ peertube_smtp_tls }} # If you use StartTLS: false
disable_starttls: {{ peertube_smtp_disable_starttls }}
ca_file: {{ peertube_smtp_ca_file }} # Used for self signed certificates
from_address: '{{ peertube_smtp_from_address }}'
email:
body:
signature: 'PeerTube'
subject:
prefix: '[PeerTube]'
# Update default PeerTube values
# Set by API when the field is not provided and put as default value in client
defaults:
# Change default values when publishing a video (upload/import/go Live)
publish:
download_enabled: true
comments_enabled: true
# public = 1, unlisted = 2, private = 3, internal = 4
privacy: 1
# CC-BY = 1, CC-SA = 2, CC-ND = 3, CC-NC = 4, CC-NC-SA = 5, CC-NC-ND = 6, Public Domain = 7
# You can also choose a custom licence value added by a plugin
# No licence by default
licence: null
p2p:
# Enable P2P by default in PeerTube client
# Can be enabled/disabled by anonymous users and logged in users
webapp:
enabled: true
# Enable P2P by default in PeerTube embed
# Can be enabled/disabled by URL option
embed:
enabled: true
# From the project root directory
storage:
tmp: '{{ peertube_app_dir }}/storage/tmp/' # Use to download data (imports etc), store uploaded files before and during processing...
tmp_persistent: '{{ peertube_app_dir }}/storage/tmp-persistent/' # As tmp but the directory is not cleaned up between PeerTube restarts
bin: '{{ peertube_app_dir }}/storage/bin/'
avatars: '{{ peertube_app_dir }}/storage/avatars/'
web_videos: '{{ peertube_app_dir }}/storage/web-videos/'
streaming_playlists: '{{ peertube_app_dir }}/storage/streaming-playlists/'
redundancy: '{{ peertube_app_dir }}/storage/redundancy/'
logs: '{{ peertube_app_dir }}/storage/logs/'
previews: '{{ peertube_app_dir }}/storage/previews/'
thumbnails: '{{ peertube_app_dir }}/storage/thumbnails/'
storyboards: '{{ peertube_app_dir }}/storage/storyboards/'
torrents: '{{ peertube_app_dir }}/storage/torrents/'
captions: '{{ peertube_app_dir }}/storage/captions/'
cache: '{{ peertube_app_dir }}/storage/cache/'
plugins: '{{ peertube_app_dir }}/storage/plugins/'
well_known: '{{ peertube_app_dir }}/storage/well-known/'
# Overridable client files in client/dist/assets/images:
# - logo.svg
# - favicon.png
# - default-playlist.jpg
# - default-avatar-account.png
# - default-avatar-video-channel.png
# - and icons/*.png (PWA)
# Could contain for example assets/images/favicon.png
# If the file exists, peertube will serve it
# If not, peertube will fallback to the default file
client_overrides: '{{ peertube_app_dir }}/storage/client-overrides/'
static_files:
# Require and check user authentication when accessing private files (internal/private video files)
private_files_require_auth: true
object_storage:
enabled: false
# Without protocol, will default to HTTPS
endpoint: '' # 's3.amazonaws.com' or 's3.fr-par.scw.cloud' for example
region: 'us-east-1'
upload_acl:
# Set this ACL on each uploaded object of public/unlisted videos
# Use null if your S3 provider does not support object ACL
public: 'public-read'
# Set this ACL on each uploaded object of private/internal videos
# PeerTube can proxify requests to private objects so your users can access them
# Use null if your S3 provider does not support object ACL
private: 'private'
proxy:
# If private files (private/internal video files) have a private ACL, users can't access directly the ressource
# PeerTube can proxify requests between your object storage service and your users
# If you disable PeerTube proxy, ensure you use your own proxy that is able to access the private files
# Or you can also set a public ACL for private files in object storage if you don't want to use a proxy
proxify_private_files: true
credentials:
# You can also use AWS_ACCESS_KEY_ID env variable
access_key_id: ''
# You can also use AWS_SECRET_ACCESS_KEY env variable
secret_access_key: ''
# Maximum amount to upload in one request to object storage
max_upload_part: 100MB
streaming_playlists:
bucket_name: 'streaming-playlists'
# Allows setting all buckets to the same value but with a different prefix
prefix: '' # Example: 'streaming-playlists:'
# Base url for object URL generation, scheme and host will be replaced by this URL
# Useful when you want to use a CDN/external proxy
base_url: '' # Example: 'https://mirror.example.com'
# Same settings but for web videos
web_videos:
bucket_name: 'web-videos'
prefix: ''
base_url: ''
log:
level: 'info' # 'debug' | 'info' | 'warn' | 'error'
rotation:
enabled : true # Enabled by default, if disabled make sure that 'storage.logs' is pointing to a folder handled by logrotate
max_file_size: 12MB
max_files: 20
anonymize_ip: false
log_ping_requests: true
log_tracker_unknown_infohash: true
# If you have many concurrent requests, you can disable HTTP requests logging to reduce PeerTube CPU load
log_http_requests: true
prettify_sql: false
# Accept warn/error logs coming from the client
accept_client_log: true
# Support of Open Telemetry metrics and tracing
# For more information: https://docs.joinpeertube.org/maintain/observability
open_telemetry:
metrics:
enabled: false
http_request_duration:
# You can disable HTTP request duration metric that can have a high tag cardinality
enabled: true
# Create a prometheus exporter server on this port so prometheus server can scrape PeerTube metrics
prometheus_exporter:
hostname: '127.0.0.1'
port: 9091
tracing:
# If tracing is enabled, you must provide --experimental-loader=@opentelemetry/instrumentation/hook.mjs flag to the node binary
enabled: false
# Send traces to a Jaeger compatible endpoint
jaeger_exporter:
endpoint: ''
trending:
videos:
interval_days: 7 # Compute trending videos for the last x days for 'most-viewed' algorithm
algorithms:
enabled:
- 'hot' # Adaptation of Reddit's 'Hot' algorithm
- 'most-viewed' # Number of views in the last x days
- 'most-liked' # Global views since the upload of the video
default: 'most-viewed'
# Cache remote videos on your server, to help other instances to broadcast the video
# You can define multiple caches using different sizes/strategies
# Once you have defined your strategies, choose which instances you want to cache in admin -> manage follows -> following
redundancy:
videos:
check_interval: '1 hour' # How often you want to check new videos to cache
strategies: # Just uncomment strategies you want
# -
# size: '10GB'
# # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
# min_lifetime: '48 hours'
# strategy: 'most-views' # Cache videos that have the most views
# -
# size: '10GB'
# # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
# min_lifetime: '48 hours'
# strategy: 'trending' # Cache trending videos
# -
# size: '10GB'
# # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
# min_lifetime: '48 hours'
# strategy: 'recently-added' # Cache recently added videos
# min_views: 10 # Having at least x views
# Other instances that duplicate your content
remote_redundancy:
videos:
# 'nobody': Do not accept remote redundancies
# 'anybody': Accept remote redundancies from anybody
# 'followings': Accept redundancies from instance followings
accept_from: 'anybody'
csp:
enabled: false
report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
report_uri:
security:
# Set the X-Frame-Options header to help to mitigate clickjacking attacks
frameguard:
enabled: true
# Set x-powered-by HTTP header to "PeerTube"
# Can help remote software to know this is a PeerTube instance
powered_by_header:
enabled: true
tracker:
# If you disable the tracker, you disable the P2P on your PeerTube instance
enabled: true
# Only handle requests on your videos
# If you set this to false it means you have a public tracker
# Then, it is possible that clients overload your instance with external torrents
private: true
# Reject peers that do a lot of announces (could improve privacy of TCP/UDP peers)
reject_too_many_announces: false
history:
videos:
# If you want to limit users videos history
# -1 means there is no limitations
# Other values could be '6 months' or '30 days' etc (PeerTube will periodically delete old entries from database)
max_age: -1
views:
videos:
# PeerTube creates a database entry every hour for each video to track views over a period of time
# This is used in particular by the Trending page
# PeerTube could remove old remote video views if you want to reduce your database size (video view counter will not be altered)
# -1 means no cleanup
# Other values could be '6 months' or '30 days' etc (PeerTube will periodically delete old entries from database)
remote:
max_age: '30 days'
# PeerTube buffers local video views before updating and federating the video
local_buffer_update_interval: '30 minutes'
ip_view_expiration: '1 hour'
# Used to get country location of views of local videos
geo_ip:
enabled: true
country:
database_url: 'https://dbip.mirror.framasoft.org/files/dbip-country-lite-latest.mmdb'
plugins:
# The website PeerTube will ask for available PeerTube plugins and themes
# This is an unmoderated plugin index, so only install plugins/themes you trust
index:
enabled: true
check_latest_versions_interval: '12 hours' # How often you want to check new plugins/themes versions
url: 'https://packages.joinpeertube.org'
federation:
# Some federated software such as Mastodon may require an HTTP signature to access content
sign_federated_fetches: true
videos:
federate_unlisted: false
# Add a weekly job that cleans up remote AP interactions on local videos (shares, rates and comments)
# It removes objects that do not exist anymore, and potentially fix their URLs
cleanup_remote_interactions: true
peertube:
check_latest_version:
# Check and notify admins of new PeerTube versions
enabled: true
# You can use a custom URL if your want, that respect the format behind https://joinpeertube.org/api/v1/versions.json
url: 'https://joinpeertube.org/api/v1/versions.json'
webadmin:
configuration:
edition:
# Set this to false if you don't want to allow config edition in the web interface by instance admins
allowed: {{ peertube_webadmin_allowed }}
# XML, Atom or JSON feeds
feeds:
videos:
# Default number of videos displayed in feeds
count: 20
comments:
# Default number of comments displayed in feeds
count: 20
remote_runners:
# Consider jobs that are processed by a remote runner as stalled after this period of time without any update
stalled_jobs:
live: '30 seconds'
vod: '2 minutes'
thumbnails:
# When automatically generating a thumbnail from the video
generation_from_video:
# How many frames to analyze at the middle of the video to select the most appropriate one
# Increasing this value will increase CPU and memory usage when generating the thumbnail, especially for high video resolution
# Minimum value is 2
frames_to_analyze: 50
###############################################################################
#
# From this point, almost all following keys can be overridden by the web interface
# (local-production.json file). If you need to change some values, prefer to
# use the web interface because the configuration will be automatically
# reloaded without any need to restart PeerTube
#
# /!\ If you already have a local-production.json file, modification of some of
# the following keys will have no effect /!\
#
###############################################################################
cache:
previews:
size: 500 # Max number of previews you want to cache
captions:
size: 500 # Max number of video captions/subtitles you want to cache
torrents:
size: 500 # Max number of video torrents you want to cache
storyboards:
size: 500 # Max number of video storyboards you want to cache
admin:
# Used to generate the root user at first startup
# And to receive emails from the contact form
email: '{{ peertube_admin_email }}'
contact_form:
enabled: true
signup:
enabled: false
limit: 10 # When the limit is reached, registrations are disabled. -1 == unlimited
minimum_age: 16 # Used to configure the signup form
# Users fill a form to register so moderators can accept/reject the registration
requires_approval: true
requires_email_verification: false
filters:
cidr: # You can specify CIDR ranges to whitelist (empty = no filtering) or blacklist
whitelist: []
blacklist: []
user:
history:
videos:
# Enable or disable video history by default for new users.
enabled: true
# Default value of maximum video bytes the user can upload (does not take into account transcoded files)
# Byte format is supported ("1GB" etc)
# -1 == unlimited
video_quota: -1
video_quota_daily: -1
default_channel_name: 'Main $1 channel' # The placeholder $1 is used to represent the user's username
video_channels:
max_per_user: 20 # Allows each user to create up to 20 video channels.
# If enabled, the video will be transcoded to mp4 (x264) with `faststart` flag
# In addition, if some resolutions are enabled the mp4 video file will be transcoded to these new resolutions
# Please, do not disable transcoding since many uploaded videos will not work
transcoding:
enabled: true
# Allow your users to upload .mkv, .mov, .avi, .wmv, .flv, .f4v, .3g2, .3gp, .mts, m2ts, .mxf, .nut videos
allow_additional_extensions: true
# If a user uploads an audio file, PeerTube will create a video by merging the preview file and the audio file
allow_audio_files: true
# Enable remote runners to transcode your videos
# If enabled, your instance won't transcode the videos itself
# At least 1 remote runner must be configured to transcode your videos
remote_runners:
enabled: false
# Amount of threads used by ffmpeg for 1 local transcoding job
threads: 1
# Amount of local transcoding jobs to execute in parallel
concurrency: 1
# Choose the local transcoding profile
# New profiles can be added by plugins
# Available in core PeerTube: 'default'
profile: 'default'
resolutions: # Only created if the original video has a higher resolution, uses more storage!
0p: false # audio-only (creates mp4 without video stream, always created when enabled)
144p: false
240p: false
360p: false
480p: false
720p: false
1080p: false
1440p: false
2160p: false
# Transcode and keep original resolution, even if it's above your maximum enabled resolution
always_transcode_original_resolution: true
# Generate videos in a web compatible format
# If you also enabled the hls format, it will multiply videos storage by 2
# If disabled, breaks federation with PeerTube instances < 2.1
web_videos:
enabled: false
# /!\ Requires ffmpeg >= 4.1
# Generate HLS playlists and fragmented MP4 files. Better playback than with Web Videos:
# * Resolution change is smoother
# * Faster playback in particular with long videos
# * More stable playback (less bugs/infinite loading)
# If you also enabled the web videos format, it will multiply videos storage by 2
hls:
enabled: true
live:
enabled: false
# Limit lives duration
# -1 == unlimited
max_duration: -1 # For example: '5 hours'
# Limit max number of live videos created on your instance
# -1 == unlimited
max_instance_lives: 20
# Limit max number of live videos created by a user on your instance
# -1 == unlimited
max_user_lives: 3
# Allow your users to save a replay of their live
# PeerTube will transcode segments in a video file
# If the user daily/total quota is reached, PeerTube will stop the live
# /!\ transcoding.enabled (and not live.transcoding.enabled) has to be true to create a replay
allow_replay: true
# Allow your users to change latency settings (small latency/default/high latency)
# Small latency live streams cannot use P2P
# High latency live streams can increase P2P ratio
latency_setting:
enabled: true
# Your firewall should accept traffic from this port in TCP if you enable live
rtmp:
enabled: true
# Listening hostname/port for RTMP server
# '::' to listen on IPv6 and IPv4, '0.0.0.0' to listen on IPv4
# Use null to automatically listen on '::' if IPv6 is available, or '0.0.0.0' otherwise
hostname: null
port: 1935
# Public hostname of your RTMP server
# Use null to use the same value than `webserver.hostname`
public_hostname: null
rtmps:
enabled: false
# Listening hostname/port for RTMPS server
# '::' to listen on IPv6 and IPv4, '0.0.0.0' to listen on IPv4
# Use null to automatically listen on '::' if IPv6 is available, or '0.0.0.0' otherwise
hostname: null
port: 1936
# Absolute paths
key_file: ''
cert_file: ''
# Public hostname of your RTMPS server
# Use null to use the same value than `webserver.hostname`
public_hostname: null
# Allow to transcode the live streaming in multiple live resolutions
transcoding:
enabled: true
# Enable remote runners to transcode your videos
# If enabled, your instance won't transcode the videos itself
# At least 1 remote runner must be configured to transcode your videos
remote_runners:
enabled: false
# Amount of threads used by ffmpeg per live when using local transcoding
threads: 2
# Choose the local transcoding profile
# New profiles can be added by plugins
# Available in core PeerTube: 'default'
profile: 'default'
resolutions:
144p: false
240p: false
360p: false
480p: false
720p: false
1080p: false
1440p: false
2160p: false
# Also transcode original resolution, even if it's above your maximum enabled resolution
always_transcode_original_resolution: true
video_studio:
# Enable video edition by users (cut, add intro/outro, add watermark etc)
# If enabled, users can create transcoding tasks as they wish
enabled: false
# Enable remote runners to transcode studio tasks
# If enabled, your instance won't transcode the videos itself
# At least 1 remote runner must be configured to transcode your videos
remote_runners:
enabled: false
video_file:
update:
# Add ability for users to replace the video file of an existing video
enabled: false
import:
# Add ability for your users to import remote videos (from YouTube, torrent...)
videos:
# Amount of import jobs to execute in parallel
concurrency: 1
# Set a custom video import timeout to not block import queue
timeout: '2 hours'
# Classic HTTP or all sites supported by youtube-dl https://rg3.github.io/youtube-dl/supportedsites.html
http:
# We recommend to use a HTTP proxy if you enable HTTP import to prevent private URL access from this server
# See https://docs.joinpeertube.org/maintain/configuration#security for more information
enabled: false
youtube_dl_release:
# Direct download URL to youtube-dl binary
# Github releases API is also supported
# Examples:
# * https://api.github.com/repos/ytdl-org/youtube-dl/releases
# * https://api.github.com/repos/yt-dlp/yt-dlp/releases
# * https://yt-dl.org/downloads/latest/youtube-dl
url: 'https://api.github.com/repos/yt-dlp/yt-dlp/releases'
# Release binary name: 'yt-dlp' or 'youtube-dl'
name: 'yt-dlp'
# Path to the python binary to execute for youtube-dl or yt-dlp
python_path: '/usr/bin/python3'
# IPv6 is very strongly rate-limited on most sites supported by youtube-dl
force_ipv4: false
# Magnet URI or torrent file (use classic TCP/UDP/WebSeed to download the file)
torrent:
# We recommend to only enable magnet URI/torrent import if you trust your users
# See https://docs.joinpeertube.org/maintain/configuration#security for more information
enabled: false
# Add ability for your users to synchronize their channels with external channels, playlists, etc
video_channel_synchronization:
enabled: false
max_per_user: 10
check_interval: 1 hour
# Number of latest published videos to check and to potentially import when syncing a channel
videos_limit_per_synchronization: 10
# Max number of videos to import when the user asks for full sync
full_sync_videos_limit: 1000
auto_blacklist:
# New videos automatically blacklisted so moderators can review before publishing
videos:
of_users:
enabled: false
# Instance settings
instance:
name: '{{ peertube_instance_name }}'
short_description: '{{ peertube_instance_short_description }}'
description: '{{ peertube_instance_description }}' # Support markdown
terms: '{{ peertube_instance_terms }}' # Support markdown
code_of_conduct: '{{ peertube_instance_code_of_conduct }}' # Supports markdown
# Who moderates the instance? What is the policy regarding NSFW videos? Political videos? etc
moderation_information: '{{ peertube_instance_moderation_information }}' # Supports markdown
# Why did you create this instance?
creation_reason: '{{ peertube_instance_creation_reason }}' # Supports Markdown
# Who is behind the instance? A single person? A non profit?
administrator: '{{ peertube_instance_administrator }}' # Supports Markdown
# How long do you plan to maintain this instance?
maintenance_lifetime: '{{ peertube_instance_maintenance_lifetime }}' # Supports Markdown
# How will you pay the PeerTube instance server? With your own funds? With users donations? Advertising?
business_model: '{{ peertube_instance_business_model }}' # Supports Markdown
# If you want to explain on what type of hardware your PeerTube instance runs
# Example: '2 vCore, 2GB RAM...'
hardware_information: '{{ peertube_instance_hardware_information }}' # Supports Markdown
# What are the main languages of your instance? To interact with your users for example
# Uncomment or add the languages you want
# List of supported languages: https://peertube.cpy.re/api/v1/videos/languages
languages:
# - en
# - es
# - fr
# You can specify the main categories of your instance (dedicated to music, gaming or politics etc)
# Uncomment or add the category ids you want
# List of supported categories: https://peertube.cpy.re/api/v1/videos/categories
categories:
# - 1 # Music
# - 2 # Films
# - 3 # Vehicles
# - 4 # Art
# - 5 # Sports
# - 6 # Travels
# - 7 # Gaming
# - 8 # People
# - 9 # Comedy
# - 10 # Entertainment
# - 11 # News & Politics
# - 12 # How To
# - 13 # Education
# - 14 # Activism
# - 15 # Science & Technology
# - 16 # Animals
# - 17 # Kids
# - 18 # Food
default_client_route: '/videos/trending'
# Whether or not the instance is dedicated to NSFW content
# Enabling it will allow other administrators to know that you are mainly federating sensitive content
# Moreover, the NSFW checkbox on video upload will be automatically checked by default
is_nsfw: false
# By default, `do_not_list` or `blur` or `display` NSFW videos
# Could be overridden per user with a setting
default_nsfw_policy: 'do_not_list'
customizations:
javascript: '' # Directly your JavaScript code (without <script> tags). Will be eval at runtime
css: '' # Directly your CSS code (without <style> tags). Will be injected at runtime
# Robot.txt rules. To disallow robots to crawl your instance and disallow indexation of your site, add `/` to `Disallow:`
robots: |
User-agent: *
Disallow:
# /.well-known/security.txt rules. This endpoint is cached, so you may have to wait a few hours before viewing your changes
# To discourage researchers from testing your instance and disable security.txt integration, set this to an empty string
securitytxt: |
Contact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md
Expires: 2025-12-31T11:00:00.000Z'
services:
# Cards configuration to format video in Twitter
twitter:
username: '@Chocobozzz' # Indicates the Twitter account for the website or platform on which the content was published
# If true, a video player will be embedded in the Twitter feed on PeerTube video share
# If false, we use an image link card that will redirect on your PeerTube instance
# Change it to `true`, and then test on https://cards-dev.twitter.com/validator to see if you are whitelisted
whitelisted: false
followers:
instance:
# Allow or not other instances to follow yours
enabled: true
# Whether or not an administrator must manually validate a new follower
manual_approval: false
followings:
instance:
# If you want to automatically follow back new instance followers
# If this option is enabled, use the mute feature instead of deleting followings
# /!\ Don't enable this if you don't have a reactive moderation team /!\
auto_follow_back:
enabled: false
# If you want to automatically follow instances of the public index
# If this option is enabled, use the mute feature instead of deleting followings
# /!\ Don't enable this if you don't have a reactive moderation team /!\
auto_follow_index:
enabled: false
# Host your own using https://framagit.org/framasoft/peertube/instances-peertube#peertube-auto-follow
index_url: ''
theme:
default: 'default'
broadcast_message:
enabled: false
message: '' # Support markdown
level: 'info' # 'info' | 'warning' | 'error'
dismissable: false
search:
# Add ability to fetch remote videos/actors by their URI, that may not be federated with your instance
# If enabled, the associated group will be able to "escape" from the instance follows
# That means they will be able to follow channels, watch videos, list videos of non followed instances
remote_uri:
users: true
anonymous: false
# Use a third party index instead of your local index, only for search results
# Useful to discover content outside of your instance
# If you enable search_index, you must enable remote_uri search for users
# If you do not enable remote_uri search for anonymous user, your instance will redirect the user on the origin instance
# instead of loading the video locally
search_index:
enabled: false
# URL of the search index, that should use the same search API and routes
# than PeerTube: https://docs.joinpeertube.org/api-rest-reference.html
# You should deploy your own with https://framagit.org/framasoft/peertube/search-index,
# and can use https://search.joinpeertube.org/ for tests, but keep in mind the latter is an unmoderated search index
url: ''
# You can disable local search in the client, so users only use the search index
disable_local_search: false
# If you did not disable local search in the client, you can decide to use the search index by default
is_default_search: false
# PeerTube client/interface configuration
client:
videos:
miniature:
# By default PeerTube client displays author username
prefer_author_display_name: false
display_author_avatar: false
resumable_upload:
# Max size of upload chunks, e.g. '90MB'
# If null, it will be calculated based on network speed
max_chunk_size: null
menu:
login:
# If you enable only one external auth plugin
# You can automatically redirect your users on this external platform when they click on the login button
redirect_on_single_external_auth: false

33
templates/etc/systemd/system/peertube.service.j2 Normal file
View file

@ -0,0 +1,33 @@
[Unit]
Description=PeerTube daemon
After=network.target postgresql.service redis-server.service
[Service]
Type=simple
Environment=NODE_ENV=production
Environment=NODE_CONFIG_DIR={{ peertube_app_dir }}/config
User={{ peertube_user }}
Group={{ peertube_group}}
ExecStart=/usr/bin/node dist/server
WorkingDirectory={{ peertube_app_dir }}/peertube-latest
SyslogIdentifier=peertube
Restart=always
; Some security directives.
; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
ProtectSystem=full
; Sets up a new /dev mount for the process and only adds API pseudo devices
; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled
; by default because it may not work on devices like the Raspberry Pi.
PrivateDevices=false
; Ensures that the service process and all its children can never gain new
; privileges through execve().
NoNewPrivileges=true
; This makes /home, /root, and /run/user inaccessible and empty for processes invoked
; by this unit. Make sure that you do not depend on data inside these folders.
ProtectHome=true
; Drops the sys admin capability from the daemon.
CapabilityBoundingSet=~CAP_SYS_ADMIN
[Install]
WantedBy=multi-user.target