PeerTube on Debian 10 with Apache
Setup
Installing the prerequisites
We need Node.js, Yarn, Redis and PostgreSQL.
apt install curl
curl -sL https://deb.nodesource.com/setup_10.x | bash -E -
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list
apt update
apt install unzip xz-utils nodejs yarn ffmpeg postgresql postgresql-contrib postgresql postgresql-client g++ make redis-server
Creating a dedicated user
PeerTube will run locally on port 9000 (the default) under a dedicated user.
mkdir -p /var/www/peertube.aukfood.net
useradd -s /bin/bash -d /var/www/peertube.aukfood.net peertube
chown -R peertube:peertube /var/www/peertube.aukfood.net
chmod 2770 /var/www/peertube.aukfood.net
Creating the database
A PostgreSQL database must be created for the application. NB: in production, don't forget to add a backup of the database.
su - postgres
createuser peertube -d -P -R
createdb -O peertube peertube
psql -c "CREATE EXTENSION pg_trgm;" peertube
psql -c "CREATE EXTENSION unaccent;" peertube
exit
Creating the directories
su - peertube
mkdir -p config storage versions etc var/log/apache2
cd versions
Downloading the latest version
VERSION=$(curl -s https://api.github.com/repos/chocobozzz/peertube/releases/latest | grep tag_name | cut -d '"' -f 4)
wget -q "https://github.com/Chocobozzz/PeerTube/releases/download/${VERSION}/peertube-${VERSION}.tar.xz"
tar -xJf peertube-${VERSION}.tar.xz
rm -f peertube-${VERSION}.tar.xz
cd ../
ln -s versions/peertube-${VERSION} ./peertube-latest
cd ./peertube-latest
Installation
All that remains is to run the PeerTube installation
yarn install --production --pure-lockfile
cp ./config/production.yaml.example ../../config/production.yaml
cp ./config/local-test.json ../../config/local-production.json
Configuration and startup
Configuration
The configuration file is $HOME/config/production.yaml
Adapt the configuration
...
webserver:
  https: true
  hostname: 'peertube.aukfood.net'
  port: 443
...
database:
  hostname: 'localhost'
  port: 5432
  suffix: ''
  username: 'peertube'
  password: 'peertube' # must match the password entered at the createuser -P prompt
...
storage:
  tmp: '/var/www/peertube.aukfood.net/storage/tmp/' # Used to download data (imports etc), store uploaded files before processing...
  avatars: '/var/www/peertube.aukfood.net/storage/avatars/'
  videos: '/var/www/peertube.aukfood.net/storage/videos/'
  streaming_playlists: '/var/www/peertube.aukfood.net/storage/streaming-playlists/'
  redundancy: '/var/www/peertube.aukfood.net/storage/videos/'
  logs: '/var/www/peertube.aukfood.net/storage/logs/'
  previews: '/var/www/peertube.aukfood.net/storage/previews/'
  thumbnails: '/var/www/peertube.aukfood.net/storage/thumbnails/'
  torrents: '/var/www/peertube.aukfood.net/storage/torrents/'
  captions: '/var/www/peertube.aukfood.net/storage/captions/'
  cache: '/var/www/peertube.aukfood.net/storage/cache/'
  plugins: '/var/www/peertube.aukfood.net/storage/plugins/'
...
instance:
  name: 'PeerTube AukFood'
  short_description: 'PeerTube, a federated (ActivityPub) video streaming platform using P2P (BitTorrent) directly in the web browser with WebTorrent and Angular.'
  description: 'Peertube AukFood, nos vidéos à nous' # Support markdown
A bit of sysctl tuning:
cp /var/www/peertube.aukfood.net/peertube-latest/support/sysctl.d/30-peertube-tcp.conf /etc/sysctl.d/
Startup
The startup scripts for PeerTube need to be put in place.
Edit the file /etc/systemd/system/peertube.service to suit your installation.
cp /var/www/peertube.aukfood.net/peertube-latest/support/systemd/peertube.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable peertube
systemctl start peertube
systemctl status peertube
Admin password
An admin password needs to be generated (root by default)
su - peertube
cd peertube-latest
NODE_CONFIG_DIR=/var/www/peertube.aukfood.net/config NODE_ENV=production npm run reset-password -- -u root
Apache proxy
In front, we set up an Apache proxy and a Let's Encrypt SSL certificate
Installing Apache and the required modules
apt install apache2
# ratelimit provides the RATE_LIMIT output filter used in the vhost below
a2enmod proxy proxy_http proxy_wstunnel ssl http2 rewrite headers ratelimit
Add the www-data user to the peertube group, it can come in handy 🙂
Apache vhost, file etc/apache.conf
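With www-data in the peertube group and the root directory at mode 2770, the Apache worker can write to the PeerTube root and, under the default umask 022, read config/production.yaml, where the database password lives. The following is an added example, not part of the original article; lock_down and audit are hypothetical helper names, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example, not the article's code. lock_down and audit are hypothetical
# helper names; ROOT is laid out like /var/www/peertube.aukfood.net.

# lock_down ROOT: keep group read access for storage, remove it from config.
lock_down() {
    chmod 2750 "$1"           # group can traverse but not create or rename entries
    chmod 700 "$1/config"     # production.yaml holds the database password
    find "$1/config" -type f -exec chmod 600 {} +
}

# audit ROOT: print what group or others can still write at the top level,
# and anything under config/ they can read or write. Empty output = tight.
audit() {
    find "$1" -prune \( -perm -020 -o -perm -002 \) -print
    find "$1/config" \( -perm -040 -o -perm -004 \
        -o -perm -020 -o -perm -002 \) -print
}

# Constructed demo tree; modes assume the article's steps and umask 022.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/config" "$t/storage"
    printf "password: 'example'\n" > "$t/config/production.yaml"
    chmod 2770 "$t"; chmod 755 "$t/config"; chmod 644 "$t/config/production.yaml"
    echo "before:"; audit "$t"
    lock_down "$t"
    echo "after:";  audit "$t"
    rm -rf "$t"
}
demo
```

Files under storage/ and peertube-latest/client/dist stay group-readable, which is all the Alias and AliasMatch rules of the vhost need.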
<VirtualHost *:80>
ServerName peertube.aukfood.net
Redirect Permanent / https://peertube.aukfood.net/
</VirtualHost>
<VirtualHost *:443>
ServerName peertube.aukfood.net
LogLevel debug
ErrorLog "|/usr/bin/rotatelogs -lc /var/www/peertube.aukfood.net/var/log/apache2/error.%Y.%m.%d 86400"
CustomLog "|/usr/bin/rotatelogs -lc /var/www/peertube.aukfood.net/var/log/apache2/access.%Y.%m.%d 86400" combined
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/peertube.aukfood.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/peertube.aukfood.net/privkey.pem
# HSTS (mod_headers is required) (63072000 seconds = 2 years) (only activate it knowingly)
#Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Content-Type-Options nosniff
Header always set X-Robots-Tag none
Header always set X-XSS-Protection "1; mode=block"
# Activate http/2
Protocols h2 h2c http/1.1
H2Push on
H2PushPriority * after
H2PushPriority text/css before
H2PushPriority image/jpeg after 32
H2PushPriority image/png after 32
H2PushPriority application/javascript interleaved
# Hard limit, PeerTube does not support videos > 4GB
LimitRequestBody 4294967294
# Set caching on assets for 1 year
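# LocationMatch rather than FilesMatch: FilesMatch only tests the file name, so a URL-path pattern never matches
<LocationMatch ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$>
Header append Cache-Control "public, max-age=31536000, immutable"
</LocationMatch>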
AliasMatch ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ /var/www/peertube.aukfood.net/peertube-latest/client/dist/$1
# Set caching on image files for 1 year
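# LocationMatch rather than FilesMatch: FilesMatch only tests the file name, so a URL-path pattern never matches
<LocationMatch ^/static/(thumbnails|avatars)/(.*)$>
Header append Cache-Control "public, max-age=31536000, immutable"
</LocationMatch>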
AliasMatch ^/static/(thumbnails|avatars)/(.*)$ /var/www/peertube.aukfood.net/storage/$1/$2
# Bypass PeerTube webseed route for better performances
Alias /static/webseed /var/www/peertube.aukfood.net/storage/videos
<Location /static/webseed>
# Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
SetOutputFilter RATE_LIMIT
SetEnv rate-limit 800
SetEnvIf Request_Method "GET" GETMETH=1
Header set Access-Control-Allow-Origin "*" env=GETMETH
Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=GETMETH
Header set Access-Control-Allow-Methods "GET, OPTIONS" env=GETMETH
Header set toto "foo" env=GETMETH
SetEnvIf GETMETH "1" dontlog
SetEnvIf Request_Method "OPTIONS" OPTIONSMETH=1
Header set Access-Control-Allow-Origin "*" env=OPTIONSMETH
Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=OPTIONSMETH
Header set Access-Control-Allow-Methods "GET, OPTIONS" env=OPTIONSMETH
Header set Access-Control-Max-Age "1000" env=OPTIONSMETH
Header set Content-Type "text/plain; charset=UTF-8" env=OPTIONSMETH
Header set Content-Length "0" env=OPTIONSMETH
</Location>
<Location /videos/embed>
Header unset X-Frame-Options
</Location>
ProxyPreserveHost On
# Reverse proxy only: ProxyRequests On would also enable forward proxying
ProxyRequests Off
ProxyTimeout 600
# Websocket tracker
RewriteEngine On
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:9000/$1 [P,L]
<Location />
ProxyPass http://127.0.0.1:9000/
</Location>
</VirtualHost>
# Security configuration
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
# Requires Apache >= 2.4
SSLCompression off
# To use stapling, we have to enable it globally
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# OCSP Stapling requires Apache >= 2.3.3
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
# Requires Apache >= 2.4.11
SSLSessionTickets off
To finish, just create the SSL certificate and enable the Apache vhost. And it's running...
I take the liberty of citing here the sources that enabled me to set up this installation:
https://blog.zergy.net/index.php?article27/installer-peertube-sur-debian-9-stretch
https://docs.joinpeertube.org/#/
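A pre-flight check for a reverse-proxy vhost like the one above, to run before enabling it (added example, not part of the original article). It flags `ProxyRequests On`, `FilesMatch` patterns written as URL paths, and trailing `#` comments on directive lines; check_vhost and sample_vhost are hypothetical names and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not the article's code. check_vhost and sample_vhost are
# hypothetical names; the sample below is constructed.

# check_vhost [FILE]: print "line: finding" for each problem, return 1 if any.
check_vhost() {
    awk '
    /^[ \t]*(#|$)/ { next }                      # blank or full-line comment
    {
        line = $0; sub(/^[ \t]+/, "", line)
        low = tolower(line)
        bare = line; gsub(/"[^"]*"/, "", bare)   # ignore text inside quotes
    }
    # A reverse proxy needs ProxyPass only; On also enables forward proxying.
    low ~ /^proxyrequests[ \t]+on([ \t]|$)/ {
        print NR ": ProxyRequests On enables forward proxying"; bad = 1
    }
    # FilesMatch is tested against the file name, never the URL path.
    low ~ /^<filesmatch[ \t]+"?\^?\// {
        print NR ": FilesMatch pattern is a URL path and will never match"; bad = 1
    }
    # Apache has no end-of-line comments; the tail becomes extra arguments.
    bare !~ /^</ && bare ~ /[ \t]#/ {
        print NR ": trailing # comment on a directive line"; bad = 1
    }
    END { exit bad + 0 }
    ' "${1:--}"
}

sample_vhost() {
    cat <<'EOF'
<VirtualHost *:443>
ProxyPreserveHost On
ProxyRequests On
<FilesMatch ^/client/(.*\.(js|css))$>
Header append Cache-Control "public, max-age=31536000, immutable"
</FilesMatch>
SSLSessionTickets off # Requires Apache >= 2.4.11
# a full-line comment is fine
Header set X-Note "a # inside quotes is fine"
</VirtualHost>
EOF
}

sample_vhost | check_vhost || true   # prints findings for lines 3, 4 and 7
```

Run it as `check_vhost etc/apache.conf`, followed by `apachectl configtest` once the vhost is linked into Apache's configuration.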