mirror of https://github.com/YunoHost-Apps/peertube_ynh.git synced 2024-09-03 19:56:29 +02:00

Update nginx and configuration

Florent 2022-12-15 11:11:11 +01:00
parent f8899fe44c
commit babab28592
4 changed files with 67 additions and 8 deletions


@ -78,6 +78,11 @@ location /tracker/socket {
try_files /dev/null @api_websocket;
}
# Plugin websocket routes
location ~ ^/plugins/[^/]+(/[^/]+)?/ws/ {
try_files /dev/null @api_websocket;
}
##
# Performance optimizations
# For extra performance please refer to https://github.com/denji/nginx-tuning
@ -154,6 +159,18 @@ location ~ ^/static/(thumbnails|avatars)/ {
try_files $uri @api;
}
location ~ ^(/static/(webseed|streaming-playlists)/private/)|^/download {
# We can't rate limit a try_files directive, so we need to duplicate @api
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_limit_rate 5M;
proxy_pass http://127.0.0.1:__PORT__;
}
# Bypass PeerTube for performance reasons. Optional.
location ~ ^/static/(webseed|redundancy|streaming-playlists)/ {
limit_rate_after 5M;
@ -167,9 +184,9 @@ location ~ ^/static/(webseed|redundancy|streaming-playlists)/ {
}
# Use this line with nginx >= 1.17.0
# limit_rate $peertube_limit_rate;
limit_rate $peertube_limit_rate;
# Or this line if your nginx < 1.17.0
set $limit_rate $peertube_limit_rate;
# set $limit_rate $peertube_limit_rate;
if ($request_method = 'OPTIONS') {
more_set_headers "Access-Control-Allow-Origin : *";
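Review bot: The new `location ~ ^(/static/(webseed|streaming-playlists)/private/)|^/download` block keeps private files behind PeerTube only because it is declared before the `^/static/(webseed|redundancy|streaming-playlists)/` bypass block, since nginx uses the first matching regex location in file order. The bypass block's body lies mostly outside this hunk, but its own comment says it bypasses PeerTube, so a private path that reached it would presumably skip the check that `private_files_require_auth` depends on. Nothing in the file records that ordering constraint, so a later reshuffle could silently undo it. I would add a comment above the new block such as `# Must stay above the /static/ bypass location: regex locations match in order, and private files have to pass through PeerTube for the auth check`.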


@ -8,6 +8,12 @@ webserver:
hostname: '__DOMAIN__'
port: 443
# Secrets you need to generate the first time you run PeerTube
secrets:
# Generate one using `openssl rand -hex 32`
peertube: '__SECRETS_PEERTUBE__'
rates_limit:
api:
# 50 attempts in 10 seconds
@ -120,6 +126,7 @@ storage:
captions: '__DATADIR__/captions/'
cache: '__DATADIR__/cache/'
plugins: '__DATADIR__/plugins/'
well_known: '__DATADIR__/well-known/'
# Overridable client files in client/dist/assets/images:
# - logo.svg
# - favicon.png
@ -132,6 +139,10 @@ storage:
# If not, peertube will fallback to the default file
client_overrides: '__DATADIR__/client-overrides/'
static_files:
# Require and check user authentication when accessing private files (internal/private video files)
private_files_require_auth: true
object_storage:
enabled: false
@ -140,8 +151,19 @@ object_storage:
region: 'us-east-1'
# Set this ACL on each uploaded object
upload_acl: 'public-read'
upload_acl:
# Set this ACL on each uploaded object of public/unlisted videos
public: 'public-read'
# Set this ACL on each uploaded object of private/internal videos
# PeerTube can proxify requests to private objects so your users can access them
private: 'private'
proxy:
# If private files (private/internal video files) have a private ACL, users can't access directly the ressource
# PeerTube can proxify requests between your object storage service and your users
# If you disable PeerTube proxy, ensure you use your own proxy that is able to access the private files
# Or you can also set a public ACL for private files in object storage if you don't want to use a proxy
proxify_private_files: true
credentials:
# You can also use AWS_ACCESS_KEY_ID env variable
@ -186,13 +208,15 @@ log:
# Accept warn/error logs coming from the client
accept_client_log: true
# Highly experimental support of Open Telemetry
# Support of Open Telemetry metrics and tracing
# For more information: https://docs.joinpeertube.org/maintain-observability
open_telemetry:
metrics:
enabled: false
# Create a prometheus exporter server on this port so prometheus server can scrape PeerTube metrics
prometheus_exporter:
hostname: '127.0.0.1'
port: 9091
tracing:
@ -567,6 +591,9 @@ import:
# Number of latest published videos to check and to potentially import when syncing a channel
videos_limit_per_synchronization: 10
# Max number of videos to import when the user asks for full sync
full_sync_videos_limit: 1000
auto_blacklist:
# New videos automatically blacklisted so moderators can review before publishing
videos:
@ -648,7 +675,8 @@ instance:
robots: |
User-agent: *
Disallow:
# Security.txt rules. To discourage researchers from testing your instance and disable security.txt integration, set this to an empty string
# /.well-known/security.txt rules. This endpoint is cached, so you may have to wait a few hours before viewing your changes
# To discourage researchers from testing your instance and disable security.txt integration, set this to an empty string
securitytxt:
'# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:'
@ -713,9 +741,9 @@ search:
# You should deploy your own with https://framagit.org/framasoft/peertube/search-index,
# and can use https://search.joinpeertube.org/ for tests, but keep in mind the latter is an unmoderated search index
url: ''
# You can disable local search, so users only use the search index
# You can disable local search in the client, so users only use the search index
disable_local_search: false
# If you did not disable local search, you can decide to use the search index by default
# If you did not disable local search in the client, you can decide to use the search index by default
is_default_search: false
# PeerTube client/interface configuration
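Review bot: The comment above `secrets:` still says the secret is generated by hand on first run, but here `'__SECRETS_PEERTUBE__'` is a template placeholder that the install and upgrade scripts in this commit fill from the `secrets_peertube` app setting. I would reword the comment for this package, for example `# Filled in by the YunoHost install/upgrade scripts from the secrets_peertube setting; do not edit or regenerate by hand`. The rendered file now carries a long-lived secret, so it is also worth confirming that the step which writes it (not visible in this commit) leaves the file unreadable to other users.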


@ -35,6 +35,7 @@ app=$YNH_APP_INSTANCE_NAME
admin_mail=$(ynh_user_get_info --username=$admin --key="mail")
admin_pass=$(ynh_string_random --length=24)
secrets_peertube=$(openssl rand -hex 32)
# Define app's data directory
datadir="/home/yunohost.app/${app}/storage"
@ -57,6 +58,7 @@ ynh_script_progression --message="Storing installation settings..."
ynh_app_setting_set --app=$app --key=domain --value=$domain
ynh_app_setting_set --app=$app --key=admin --value=$admin
ynh_app_setting_set --app=$app --key=secrets_peertube --value=$secrets_peertube
#=================================================
# STANDARD MODIFICATIONS
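Review bot: Nothing on the visible lines checks that `secrets_peertube=$(openssl rand -hex 32)` produced a value before `ynh_app_setting_set` stores it. If the script's error handling (not visible in this hunk) does not abort on a failed command substitution, an empty secret would be saved and later rendered into the configuration. A guard right after the assignment makes the failure explicit: `[ -n "$secrets_peertube" ] || ynh_die --message="Could not generate the PeerTube secret"`. The same applies to the regeneration branch inside the `-z` check in the upgrade script, where the freshly generated value is stored without being re-tested.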


@ -30,6 +30,7 @@ db_pwd=$(ynh_app_setting_get --app=$app --key=psqlpwd)
datadir=$(ynh_app_setting_get --app=$app --key=datadir)
admin_mail=$(ynh_user_get_info --username=$admin --key="mail")
redis_db=$(ynh_app_setting_get --app=$app --key=redis_db)
secrets_peertube=$(ynh_app_setting_get --app=$app --key=secrets_peertube)
#=================================================
# CHECK VERSION
@ -205,6 +206,16 @@ chmod 750 "$datadir"
chmod -R o-rwx "$datadir"
chown -R $app:www-data "$datadir"
#=================================================
# Generate secrets if they don't exist
#=================================================
if [ -z "$secrets_peertube" ]; then
ynh_script_progression --message="Generating and storing PeerTube secrets..."
secrets_peertube=$(openssl rand -hex 32)
ynh_app_setting_set --app=$app --key=secrets_peertube --value=$secrets_peertube
fi
#=================================================
# BUILD YARN DEPENDENCIES
#=================================================
@ -285,6 +296,7 @@ if ynh_compare_current_package_version --comparison lt --version 4.2.0~ynh1; the
popd
fi
#=================================================
# STOP SYSTEMD SERVICE
#=================================================