Made several improvements and changes to streamline install

- unified the Nginx configuration into a single file
- added SSL settings to Nginx
- all hosts are configured using variables on the docker-compose file
- changes on the main nginx.conf done by sed on a docker-entrypoint.d
  script
- changes to the hardcoded URLs on the javascript done by a script in
  docker-entrypoint.d
- nginx now exposes ports 80 and 443, dispensing with yet another proxy
Bento Silveira 2023-07-22 22:27:53 -03:00 committed by Nerdeiro da Silva
parent 90e6b80c7c
commit 3645de32d2
No known key found for this signature in database
GPG Key ID: E50EFBA12C1ED3CD
16 changed files with 194 additions and 219 deletions

2
.gitignore vendored

@ -1,3 +1 @@
config/
data/
/docker-compose.yml


@ -1,3 +1,7 @@
# Piped-Docker
See https://piped-docs.kavin.rocks/docs/self-hosting/#docker-compose-caddy-aio-script
### Creating Self-signed certificate
https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs#generating-ssl-certificates


@ -4,8 +4,14 @@ PORT: 8080
# The number of workers to use for the server
HTTP_WORKERS: 2
# Proxy
PROXY_PART: https://PROXY_HOSTNAME
# Public Frontend URL - You should set this on the docker-compose file
# FRONTEND_URL: https://FRONTEND_HOSTNAME
# Public API URL - You should set this on the docker-compose file
# API_URL: https://BACKEND_HOSTNAME
# Proxy - You should set this on the docker-compose file
# PROXY_PART: https://PROXY_HOSTNAME
# Outgoing HTTP Proxy - eg: 127.0.0.1:8118
#HTTP_PROXY: 127.0.0.1:8118
@ -14,12 +20,6 @@ PROXY_PART: https://PROXY_HOSTNAME
CAPTCHA_BASE_URL: https://api.capmonster.cloud/
CAPTCHA_API_KEY: INSERT_HERE
# Public API URL
API_URL: https://BACKEND_HOSTNAME
# Public Frontend URL
FRONTEND_URL: https://FRONTEND_HOSTNAME
# Enable haveibeenpwned compromised password API
COMPROMISED_PASSWORD_CHECK: true


@ -0,0 +1,73 @@
server {
listen *:80;
listen [::]:80;
server_name ${FRONTEND_HOSTNAME} ${BACKEND_HOSTNAME} ${PROXY_HOSTNAME};
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header 'Referrer-Policy' 'no-referrer';
# enforce https
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen *:443 ssl http2;
listen [::]:443 ssl http2;
server_name ${FRONTEND_HOSTNAME};
include snippets/ssl.conf;
# Path to the root of your installation
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Connection "keep-alive";
proxy_pass http://piped-frontend;
}
}
proxy_cache_path /tmp/pipedapi_cache levels=1:2 keys_zone=pipedapi:4m max_size=2g inactive=60m use_temp_path=off;
server {
listen *:443 ssl http2;
listen [::]:443 ssl http2;
server_name ${BACKEND_HOSTNAME};
include snippets/ssl.conf;
# Path to the root of your installation
location / {
proxy_cache pipedapi;
proxy_pass http://piped-backend:8080;
proxy_http_version 1.1;
proxy_set_header Connection "keep-alive";
}
}
server {
listen *:443 ssl http2;
listen [::]:443 ssl http2;
server_name ${PROXY_HOSTNAME};
include snippets/ssl.conf;
location ~ (/videoplayback|/api/v4/|/api/manifest/) {
include snippets/ytproxy.conf;
add_header Cache-Control private always;
proxy_pass http://unix:/var/run/ytproxy/actix.sock;
}
location / {
include snippets/ytproxy.conf;
add_header Cache-Control "public, max-age=604800";
proxy_pass http://unix:/var/run/ytproxy/actix.sock;
}
}
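Review bot: The two `location` blocks under `server_name ${PROXY_HOSTNAME}` each pair `include snippets/ytproxy.conf;` with `proxy_pass http://unix:/var/run/ytproxy/actix.sock;`, but the ytproxy.conf in this same commit also carries `proxy_pass` to that socket, so nginx will refuse to start with `"proxy_pass" directive is duplicate`; keep the line in the snippet or in these locations, not both. In the port-80 block, `return 301 https://$server_name$request_uri;` always redirects to the first name in the `server_name` list, so plain-HTTP requests for the backend and proxy hostnames are sent to the frontend host; `return 301 https://$host$request_uri;` preserves the requested name. Since this is the only port-80 server it is also nginx's default server for that port, so with `$host` a catch-all such as `server { listen 80 default_server; return 444; }` should be added so an arbitrary Host header is not echoed into the redirect.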

24
config/piped.crt Normal file

@ -0,0 +1,24 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

28
config/piped.key Normal file

@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
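Review bot: A TLS private key is committed to the repository as config/piped.key, and the compose file in this commit mounts it (with piped.crt and ssl.conf) into the nginx container without `:ro`. Even for a self-signed certificate the key should be generated on the host at install time, following the OpenSSL guide the README now links, and listed in .gitignore rather than tracked; the .gitignore hunk in this commit appears to narrow what is ignored under config/, so the key would otherwise stay in history from now on. The mount should read `- ./config/piped.key:/etc/nginx/ssl/piped.key:ro`, and the same `:ro` suffix belongs on the crt and ssl.conf entries.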

12
config/ssl.conf Normal file

@ -0,0 +1,12 @@
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/nginx/ssl/piped.crt;
ssl_certificate_key /etc/nginx/ssl/piped.key;
add_header 'Referrer-Policy' 'no-referrer';
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
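Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables two protocol versions that are deprecated by RFC 8996 and omits TLS 1.3, which the nginx:mainline-alpine image used by the compose file supports; `ssl_protocols TLSv1.2 TLSv1.3;` is the usual floor, and an `ssl_ciphers` / `ssl_prefer_server_ciphers` pair would be expected next to it. Note also that nginx inherits `add_header` into a `location` only when that location declares no `add_header` of its own, so the `add_header Cache-Control` lines in the two ${PROXY_HOSTNAME} locations of piped.conf.template drop every header in this snippet, HSTS included, from those responses; the headers need to be repeated there or moved into a snippet included at location level. `X-XSS-Protection "1; mode=block"` is obsolete and current guidance is `X-XSS-Protection 0` or removing the header; a `Content-Security-Policy` would be the modern replacement if one is wanted.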


@ -1,18 +1,17 @@
proxy_buffering on;
proxy_buffers 1024 16k;
proxy_set_header X-Forwarded-For "";
proxy_set_header CF-Connecting-IP "";
proxy_hide_header "alt-svc";
sendfile on;
sendfile_max_chunk 512k;
tcp_nopush on;
access_log off;
aio threads=default;
aio_write on;
directio 16m;
proxy_buffering on;
proxy_buffers 1024 16k;
proxy_hide_header "alt-svc";
proxy_hide_header Cache-Control;
proxy_hide_header etag;
proxy_http_version 1.1;
proxy_set_header Connection keep-alive;
proxy_max_temp_file_size 32m;
access_log off;
proxy_pass http://unix:/var/run/ytproxy/actix.sock;
proxy_set_header CF-Connecting-IP "";
proxy_set_header Connection keep-alive;
proxy_set_header X-Forwarded-For "";
sendfile on;
sendfile_max_chunk 512k;
tcp_nopush on;


@ -1,50 +1,58 @@
version: "3"
services:
pipedfrontend:
piped-frontend:
image: 1337kavin/piped-frontend:latest
container_name: piped-frontend
restart: unless-stopped
depends_on:
- piped
container_name: piped-frontend
entrypoint: ash -c 'sed -i s/pipedapi.kavin.rocks/BACKEND_HOSTNAME/g /usr/share/nginx/html/assets/* && /docker-entrypoint.sh && nginx -g "daemon off;"'
- piped-backend
environment:
- BACKEND_HOSTNAME=backend-host.example.com
volumes:
- ./entrypoint.d/host_replace.envsh:/docker-entrypoint.d/99-host_replace.envsh
piped-proxy:
image: 1337kavin/piped-proxy:latest
container_name: piped-proxy
restart: unless-stopped
environment:
- UDS=1
volumes:
- piped-proxy:/app/socket
container_name: piped-proxy
piped:
- piped-proxy:/app/socket:z
piped-backend:
image: 1337kavin/piped:latest
container_name: piped-backend
restart: unless-stopped
environment:
- FRONTEND_URL=https://frontend-host.example.com
- API_URL=https://backend-host.example.com
- PROXY_PART=https://proxy-host.example.com
volumes:
- ./config/config.properties:/app/config.properties:ro
depends_on:
- postgres
container_name: piped-backend
nginx:
image: nginx:mainline-alpine
restart: unless-stopped
volumes:
- ./config/nginx.conf:/etc/nginx/nginx.conf:ro
- ./config/pipedapi.conf:/etc/nginx/conf.d/pipedapi.conf:ro
container_name: nginx
depends_on:
- piped
caddy:
image: caddy:2-alpine
restart: unless-stopped
ports:
- "80:80"
- "443:443"
- "443:443/udp"
environment:
- FRONTEND_HOSTNAME=frontend-host.example.com
- BACKEND_HOSTNAME=backend-host.example.com
- PROXY_HOSTNAME=proxy-host.example.com
volumes:
- ./config/Caddyfile:/etc/caddy/Caddyfile:ro
- caddy_data:/data
- piped-proxy:/var/run/ytproxy
container_name: caddy
- ./config/piped.conf.template:/etc/nginx/templates/piped.conf.template:ro
- ./config/ytproxy.conf:/etc/nginx/snippets/ytproxy.conf:ro
- ./config/ssl.conf:/etc/nginx/snippets/ssl.conf
- ./config/piped.key:/etc/nginx/ssl/piped.key
- ./config/piped.crt:/etc/nginx/ssl/piped.crt
- piped-proxy:/var/run/ytproxy:z
depends_on:
- piped-backend
- piped-proxy
- piped-frontend
postgres:
image: postgres:15
restart: unless-stopped
@ -54,7 +62,6 @@ services:
- POSTGRES_DB=piped
- POSTGRES_USER=piped
- POSTGRES_PASSWORD=changeme
container_name: postgres
watchtower:
image: containrrr/watchtower
restart: always
@ -64,8 +71,6 @@ services:
environment:
- WATCHTOWER_CLEANUP=true
- WATCHTOWER_INCLUDE_RESTARTING=true
container_name: watchtower
command: piped-frontend piped-backend piped-proxy nginx caddy postgres watchtower
command: piped-frontend piped-backend piped-proxy nginx postgres watchtower
volumes:
caddy_data: null
piped-proxy: null
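Review bot: `POSTGRES_PASSWORD=changeme` now sits in the same tracked compose file as the per-install hostnames (the compose file deleted in this commit looks like it was the ignored sample), so the real credential will be committed the first time an operator edits the file; reading it from an env file, e.g. `- POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?set it in .env}`, keeps it out of the repository and fails loudly when unset. The frontend service mounts host_replace.envsh as `99-host_replace.envsh`; if I recall the nginx image's entrypoint correctly it sources `*.envsh` files only when they are executable and silently ignores them otherwise, so the bind mount depends on the host file keeping its mode bit, which is worth documenting next to the volume entry. The `"443:443/udp"` publish was carried over from Caddy, but the nginx configuration in this commit has no HTTP/3 listener, so that port is dead and can be dropped.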


@ -0,0 +1,4 @@
#!/bin/sh
sed -i 's/pipedapi.kavin.rocks/'$BACKEND_HOSTNAME'/g' /usr/share/nginx/html/assets/*
sed -i '/user/s/nginx/root' /etc/nginx/nginx.conf
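Review bot: `sed -i '/user/s/nginx/root' /etc/nginx/nginx.conf` makes the worker processes of the piped-frontend container, the only service that mounts this script in the compose file, run as root, which a static-file frontend does not need; if the intent was socket access for the separate nginx proxy container, aligning the ytproxy socket's owner or group with the unprivileged `nginx` user is the safer route. On the line above, the `$BACKEND_HOSTNAME` expansion is unquoted and the dots in `pipedapi.kavin.rocks` are regex metacharacters, so an empty variable silently replaces the hostname with nothing; `sed -i "s/pipedapi\.kavin\.rocks/${BACKEND_HOSTNAME:?BACKEND_HOSTNAME is not set}/g" /usr/share/nginx/html/assets/*` aborts the entrypoint instead. A one-line header such as `# sourced by the nginx image entrypoint at container start; rewrites the baked-in API host` would help the next reader, since the shebang is irrelevant to a sourced file.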


@ -1,47 +0,0 @@
(global) {
header {
# disable FLoC tracking
Permissions-Policy interest-cohort=()
# enable HSTS
Strict-Transport-Security max-age=31536000;
# keep referrer data off
Referrer-Policy no-referrer
# prevent for appearing in search engine for private instances (option)
#X-Robots-Tag noindex
}
}
FRONTEND_HOSTNAME {
reverse_proxy pipedfrontend:80
import global
}
BACKEND_HOSTNAME {
reverse_proxy nginx:80
import global
}
PROXY_HOSTNAME {
@ytproxy path /videoplayback* /api/v4/* /api/manifest/*
import global
route {
header @ytproxy {
Cache-Control private always
}
header / {
Cache-Control "public, max-age=604800"
}
reverse_proxy unix//var/run/ytproxy/actix.sock {
header_up -CF-Connecting-IP
header_up -X-Forwarded-For
header_down -etag
header_down -alt-svc
}
}
}


@ -1,66 +0,0 @@
version: "3"
services:
pipedfrontend:
image: 1337kavin/piped-frontend:latest
restart: unless-stopped
depends_on:
- piped
container_name: piped-frontend
entrypoint: ash -c 'sed -i s/pipedapi.kavin.rocks/BACKEND_HOSTNAME/g /usr/share/nginx/html/assets/* && /docker-entrypoint.sh && nginx -g "daemon off;"'
piped-proxy:
image: 1337kavin/piped-proxy:latest
restart: unless-stopped
environment:
- UDS=1
volumes:
- piped-proxy:/app/socket
container_name: piped-proxy
piped:
image: 1337kavin/piped:latest
restart: unless-stopped
volumes:
- ./config/config.properties:/app/config.properties:ro
depends_on:
- postgres
container_name: piped-backend
nginx:
image: nginx:mainline-alpine
restart: unless-stopped
ports:
- "8080:80"
volumes:
- ./config/nginx.conf:/etc/nginx/nginx.conf:ro
- ./config/pipedapi.conf:/etc/nginx/conf.d/pipedapi.conf:ro
- ./config/pipedproxy.conf:/etc/nginx/conf.d/pipedproxy.conf:ro
- ./config/pipedfrontend.conf:/etc/nginx/conf.d/pipedfrontend.conf:ro
- ./config/ytproxy.conf:/etc/nginx/snippets/ytproxy.conf:ro
- piped-proxy:/var/run/ytproxy
container_name: nginx
depends_on:
- piped
- piped-proxy
- pipedfrontend
postgres:
image: postgres:15
restart: unless-stopped
volumes:
- ./data/db:/var/lib/postgresql/data
environment:
- POSTGRES_DB=piped
- POSTGRES_USER=piped
- POSTGRES_PASSWORD=changeme
container_name: postgres
watchtower:
image: containrrr/watchtower
restart: always
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /etc/timezone:/etc/timezone:ro
environment:
- WATCHTOWER_CLEANUP=true
- WATCHTOWER_INCLUDE_RESTARTING=true
container_name: watchtower
command: piped-frontend piped-backend piped-proxy varnish nginx postgres watchtower
volumes:
piped-proxy: null


@ -1,33 +0,0 @@
user root;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
server_names_hash_bucket_size 128;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nodelay on;
keepalive_timeout 65;
resolver 127.0.0.11 ipv6=off valid=10s;
include /etc/nginx/conf.d/*.conf;
}


@ -1,12 +0,0 @@
server {
listen 80;
server_name FRONTEND_HOSTNAME;
set $backend "http://pipedfrontend:80";
location / {
proxy_pass $backend;
proxy_http_version 1.1;
proxy_set_header Connection "keep-alive";
}
}


@ -1,14 +0,0 @@
server {
listen 80;
server_name PROXY_HOSTNAME;
location ~ (/videoplayback|/api/v4/|/api/manifest/) {
include snippets/ytproxy.conf;
add_header Cache-Control private always;
}
location / {
include snippets/ytproxy.conf;
add_header Cache-Control "public, max-age=604800";
}
}