Help review docker compose yaml and process

Hello,

I realize that in Issue with fresh docker install (invalid client) I may have been trying to cover too much ground by asking different questions. I would like to take a step back and cover the first one, the setup. Would anyone be so kind as to check whether what I am doing is right, please?

From the top, I have followed these instructions:

  • SSH into server
  • make a peertube root folder
  • curl the compose yaml file and env
  • then the following tree (if I don't, I get the error:

"Error response from daemon: invalid mount config for type "bind": bind source path does not exist: /home/user/docker/feditubo/docker-volume/nginx/peertube"

  • docker-volume/certbot/conf
  • docker-volume/data
  • docker-volume/conf
  • docker-volume/db
  • docker-volume/nginx
  • In short, all the directories mentioned in the compose yaml file

Here is my compose yaml file:

services:

  # You can comment this webserver section if you want to use another webserver/proxy or test PeerTube in local
  webserver:
    image: chocobozzz/peertube-webserver:latest
    # If you don't want to use the official image and build one from sources:
    # build:
    #   context: .
    #   dockerfile: ./support/docker/production/Dockerfile.nginx
    env_file:
      - .env
    ports:
      - "800:80"
      - "4433:443"
    volumes:
      - type: bind
        # Switch sources if you downloaded the whole repository
        #source: ../../nginx/peertube
        source: ./docker-volume/nginx/peertube
        target: /etc/nginx/conf.d/peertube.template
      - assets:/var/www/peertube/peertube-latest/client/dist:ro
      - ./docker-volume/data:/var/www/peertube/storage
      - certbot-www:/var/www/certbot
      - ./docker-volume/certbot/conf:/etc/letsencrypt
    depends_on:
      - peertube
    restart: "always"

  # You can comment this certbot section if you want to use another webserver/proxy or test PeerTube in local
  certbot:
    container_name: certbot
    image: certbot/certbot
    volumes:
      - ./docker-volume/certbot/conf:/etc/letsencrypt
      - certbot-www:/var/www/certbot
    restart: unless-stopped
    # "$$" escapes the "$" so that Compose leaves ${!} for the shell instead of interpolating it
    entrypoint: /bin/sh -c "trap exit TERM; while :; do certbot renew --webroot -w /var/www/certbot; sleep 12h & wait $${!}; done;"
    depends_on:
      - webserver

  peertube:
    # If you don't want to use the official image and build one from sources:
    # build:
    #   context: .
    #   dockerfile: ./support/docker/production/Dockerfile.bookworm
    image: chocobozzz/peertube:production-bookworm
    # Use a static IP for this container because nginx does not handle proxy host change without reload
    # This container could be restarted on crash or until the postgresql database is ready for connection
    networks:
      default:
        ipv4_address: 172.24.0.42
        ipv6_address: fdab:e4b3:21a2:ef1b::42
    env_file:
      - .env
    ports:
      - "1935:1935" # Comment if you don't want to use the live feature
      - "9000:9000" # Uncomment if you use another webserver/proxy or test PeerTube in local, otherwise not suitable for production
    volumes:
      # Remove the following line if you want to use another webserver/proxy or test PeerTube in local
      # - assets:/app/client/dist
      - ./docker-volume/data:/data
      - ./docker-volume/config:/config
    depends_on:
      - postgres
      - redis
      - postfix
    restart: "always"

  postgres:
    image: postgres:13-alpine
    env_file:
      - .env
    volumes:
      - ./docker-volume/db:/var/lib/postgresql/data
    restart: "always"

  redis:
    image: redis:6-alpine
    volumes:
      - ./docker-volume/redis:/data
    restart: "always"

  postfix:
    image: mwader/postfix-relay
    env_file:
      - .env
    volumes:
      - ./docker-volume/opendkim/keys:/etc/opendkim/keys
    restart: "always"

networks:
  default:
    enable_ipv6: true
    ipam:
      driver: default
      config:
        - subnet: 172.24.0.0/16
        - subnet: fdab:e4b3:21a2:ef1b::/64

volumes:
  assets:
  certbot-www:

what did I change?

  • Port 80 to 800 because its taken already
  • Port 443 to 4433 because its taken already
  • Commented the cerbot section since I am planning to use Nginx Proxy Manager with letsencrypt (already done)
  • I changed the IPV4 address from 172.18.0.42 to 172.24.0.42 because its taken (probably a stupid question but… Do I need to change the IPV6 too?)
  • Uncommented 9000 since I am planning to use it
  • Commented - assets:/app/client/dist
  • Changed 172.18.0.0/16 to 172.24.0.0/16 because its taken already

my .env:

# Database / Postgres service configuration
POSTGRES_USER=somecoolusername
POSTGRES_PASSWORD=somecoolpassword
# Postgres database name "peertube"
POSTGRES_DB=peertube

# The database name used by PeerTube will be PEERTUBE_DB_NAME (only if set) OR 'peertube'+PEERTUBE_DB_SUFFIX
#PEERTUBE_DB_NAME=
#PEERTUBE_DB_SUFFIX=_prod
# Database username and password used by PeerTube must match Postgres', so they are copied:
PEERTUBE_DB_USERNAME=$POSTGRES_USER
PEERTUBE_DB_PASSWORD=$POSTGRES_PASSWORD
PEERTUBE_DB_SSL=false
# Default to Postgres service name "postgres" in docker-compose.yml
PEERTUBE_DB_HOSTNAME=postgres

# PeerTube server configuration
# If you test PeerTube in local: use "peertube.localhost" and add this domain to your host file resolving on 127.0.0.1
PEERTUBE_WEBSERVER_HOSTNAME=mywanip
# If you just want to test PeerTube on local
PEERTUBE_WEBSERVER_PORT=9000
PEERTUBE_WEBSERVER_HTTPS=true
# If you need more than one IP as trust_proxy
# pass them as a comma separated array:
PEERTUBE_TRUST_PROXY=["127.0.0.1", "loopback", "172.24.0.0/16"]

# Generate one using `openssl rand -hex 32`
PEERTUBE_SECRET=somecoolsecret

# E-mail configuration
# If you use a Custom SMTP server
#PEERTUBE_SMTP_USERNAME=
#PEERTUBE_SMTP_PASSWORD=
# Default to Postfix service name "postfix" in docker-compose.yml
# May be the hostname of your Custom SMTP server
PEERTUBE_SMTP_HOSTNAME=postfix
PEERTUBE_SMTP_PORT=25
PEERTUBE_SMTP_FROM=noreply@mydomain
PEERTUBE_SMTP_TLS=false
PEERTUBE_SMTP_DISABLE_STARTTLS=false
PEERTUBE_ADMIN_EMAIL=admin@mydomain

# Postfix service configuration
POSTFIX_myhostname=mydomain
# If you need to generate a list of sub/DOMAIN keys
# pass them as a whitespace separated string
OPENDKIM_DOMAINS=mydomain=peertube
# see "Add OPENDKIM env config support by wader" (Pull Request #18, wader/postfix-relay on GitHub)
OPENDKIM_RequireSafeKeys=no

PEERTUBE_OBJECT_STORAGE_UPLOAD_ACL_PUBLIC="public-read"
PEERTUBE_OBJECT_STORAGE_UPLOAD_ACL_PRIVATE="private"

#PEERTUBE_LOG_LEVEL=info

# /!\ Prefer to use the PeerTube admin interface to set the following configurations /!\
#PEERTUBE_SIGNUP_ENABLED=true
#PEERTUBE_TRANSCODING_ENABLED=true
#PEERTUBE_CONTACT_FORM_ENABLED=true

  • I save both files, run docker compose up, and go to mydomain (which is NPM pointing to mywanip:9000)

  • extract the root password:

docker compose logs peertube | grep -A1 root
peertube-1 | [95.216.202.44:9000] 2025-01-14 20:16:28.210 info: Username: root
peertube-1 | [95.216.202.44:9000] 2025-01-14 20:16:28.211 info: User password: supercooldefaultpassword

And I get the errors I have described in Issue with fresh docker install (invalid client)

First error:

peertube-1   | [mydomain:9000] 2025-01-04 21:17:59.148 error: Client log: Backend returned code 400, errorMessage is: Invalid client: client is invalid {
peertube-1   |   "userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
peertube-1   |   "meta": "{\"url\":\"http://ip:9000/api/v1/users/token\"}",
peertube-1   |   "url": "http://ip:9000/login"
peertube-1   | }

Second error:

peertube-1 | [mydomain:9000] 2025-01-04 21:14:17.715 error: Client log: Error: Cannot retrieve OAuth Client credentials: Getting client tokens for host myip:9000 is forbidden.
peertube-1 | Ensure you have correctly configured PeerTube (config/ directory), in particular the "webserver" section. {
peertube-1 |   "userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
peertube-1 |   "url": "http://myip:9000/login"
peertube-1 | }

Am I following the official Docker setup instructions correctly? I honestly ask; I am just starting to get familiar with Docker. I learn every day… I used to use a PeerTube installed via YunoHost.

Regarding the possible fix for the login error, I have absolutely no idea how to apply a patch / commit to a Docker installation.

I have no clue how to apply this Use $http_host instead of $host · Chocobozzz/PeerTube@6a03b50 · GitHub to my setup.

Thank you very much for your time and help.
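The two Docker errors in this thread (bind source path does not exist, and later "not a directory") both come from the bind sources in the compose file above: every `./docker-volume/...` source is mounted as a directory, except `./docker-volume/nginx/peertube`, which is mounted onto the file `/etc/nginx/conf.d/peertube.template` and therefore has to be a regular file (the nginx template), not a directory. The following script is an added example, not part of the original post or of the PeerTube documentation: it creates the tree the compose file as posted expects (note it uses `docker-volume/config`, as the compose file does), fetches the nginx template (assumed to live at `support/nginx/peertube` in the PeerTube repository), and checks every bind source has the right type before `docker compose up` is run.

```shell
#!/bin/sh
# Added example (not PeerTube's own tooling): prepare and verify the bind-mount
# sources that the posted docker-compose.yml expects under the PeerTube root folder.
set -eu

# Assumption: location of the nginx template in the PeerTube repository.
NGINX_TEMPLATE_URL="https://raw.githubusercontent.com/Chocobozzz/PeerTube/master/support/nginx/peertube"

# Bind sources that Docker mounts as directories (taken from the posted compose file).
VOLUME_DIRS="docker-volume/certbot/conf docker-volume/data docker-volume/config docker-volume/db docker-volume/redis docker-volume/opendkim/keys"
# Bind source mounted onto /etc/nginx/conf.d/peertube.template: must be a regular FILE.
NGINX_TEMPLATE="docker-volume/nginx/peertube"

# make_volume_tree ROOT: create the directory tree (ROOT is the PeerTube root folder).
make_volume_tree() {
    root="$1"
    for d in $VOLUME_DIRS; do
        mkdir -p "$root/$d"
    done
    # Only the parent of the template is a directory; the template itself is a file.
    mkdir -p "$(dirname "$root/$NGINX_TEMPLATE")"
}

# fetch_nginx_template ROOT: download the template into place (needs network, run once).
fetch_nginx_template() {
    curl -fsSL "$NGINX_TEMPLATE_URL" -o "$1/$NGINX_TEMPLATE"
}

# check_bind_sources ROOT: return 0 if every bind source exists with the type Docker
# expects; otherwise print the first problem and return 1, before Docker does.
check_bind_sources() {
    root="$1"
    for d in $VOLUME_DIRS; do
        if [ ! -d "$root/$d" ]; then
            echo "bind source path does not exist or is not a directory: $root/$d"
            return 1
        fi
    done
    if [ -d "$root/$NGINX_TEMPLATE" ]; then
        echo "bind source is a directory but is mounted onto a file (peertube.template): $root/$NGINX_TEMPLATE"
        return 1
    fi
    if [ ! -f "$root/$NGINX_TEMPLATE" ]; then
        echo "nginx template is missing: $root/$NGINX_TEMPLATE"
        return 1
    fi
    return 0
}

# Usage, from the folder holding docker-compose.yml and .env:
#   make_volume_tree . && fetch_nginx_template . && check_bind_sources . && docker compose up -d
```

If `docker-volume/nginx/peertube` was created as a directory (for example by `mkdir -p` of "all the directories mentioned in the compose file"), the check reports it, which is the same condition Docker later reports as "Are you trying to mount a directory onto a file"; remove the directory and put the template file in its place.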

Update the file in ./docker-volume/nginx/peertube

Ah, I see. Makes sense.
I had to rename the "file" (which was a directory) to peertube.file so I wouldn't get this error:

Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/home/kireek/docker/feditubo/docker-volume/nginx/peertube" to rootfs at "/etc/nginx/conf.d/peertube.template": mount /home/kireek/docker/feditubo/docker-volume/nginx/peertube:/etc/nginx/conf.d/peertube.template (via /proc/self/fd/6), flags: 0x5000: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type

But it's there. And unfortunately I still get the same error:

I have tried again with both the domain name and the WAN IP. I have the pem files under both directories for certbot/conf:

(screenshot)

but:

(screenshot)

I have found the issue. This is ONLY happening while I access through the reverse proxy, Nginx Proxy Manager. If I go to wan:9000, I can log in perfectly.

I assume I need some "advanced settings" for the proxy host in NPM? Unfortunately I cannot find it in the official documentation, or through some googling.
I have found this: Is there an example config for running peertube behind nginx reverse proxy? · Issue #692 · Chocobozzz/PeerTube · GitHub
However, the configuration file mentioned is the one you told me to put into docker-storage/nginx/peertube.file

So it cannot be, I assume, with my lack of knowledge, the same config I should be putting here:

I am sorry. I know dealing with newbies is patience-consuming.

Thanks for all your help.

I have tried applying the following configuration to my reverse proxy:

but to no avail

proxy_cache_bypass $http_upgrade;
proxy_set_header   Upgrade           $http_upgrade;
proxy_set_header   Connection        "upgrade";
proxy_set_header   Host              $host;
proxy_set_header   X-Real-IP         $remote_addr;
proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header   X-Forwarded-Proto $scheme;
proxy_set_header   X-Forwarded-Host  $host;
proxy_set_header   X-Forwarded-Port  $server_port;

I have tried again with both the WAN IP and the domain in PEERTUBE_WEBSERVER_HOSTNAME.

I have also been trying to use the provided nginx (800 and 4433 in my case) instead of whatever is running behind port 9000, but I can't even access it…


When trying to access http://wan:800, it says it's not found, and with https://wan:4433 it says there is a certificate issue.

Which then made me try certbot, but I cannot get it to work.


(I have the domain pointed to port 82 when that runs)

Sorry. I don't want to make the same mistake as in the last topic: trying to cover too much ground. But I also don't want to leave out any information that could be relevant to my situation.

If I could understand how to make PeerTube work behind Nginx Proxy Manager, that would be wonderful. I know it is not recommended to use in production whatever is running behind 9000, but it will be a single-user PeerTube, so I don't worry about performance much; I don't need the provided nginx on 800/4433.

Thanks!

Please let me know how I can improve my support request.
My goal is to have wan:9000 working under my domain, behind Nginx Proxy Manager, in HTTPS.

Regards,

This is of course not my business, but I would recommend using the classic installation and configuration, which is much easier to understand and manage than Docker.

If I understand well, you try to use port 82 for nginx. That won't work because Certbot needs port 80 to use the HTTP-01 challenge.
https://letsencrypt.org/docs/challenge-types/#http-01-challenge

Fair point. Unfortunately I am very fond of managing my server with this tool, and I would rather not compromise the base OS of the server with any app, nothing against PeerTube in particular. Actually I just moved away from a Debian VPS to a Docker VPS because I don't want to do anything at all at the base level.

Yes, I understand / read that.

I was hoping that setting the port in NPM was enough, but no…
Anyway, I made port 80 available and was able to make it work.


I have moved from x-001 to x just in case (x was occupied with the certificates I had manually moved, generated from NPM)

but…
nothing changes


both with the WAN IP (direct access) and the domain (through the reverse proxy)

From https://letsencrypt.org/docs/challenge-types/#http-01-challenge
Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443.

If you already have a service using port 443, you will have (as far as I know) to use nginx as a reverse proxy for this service.

That's okay, please read my previous message; after making 80 available on the host, I was able to get certbot working.

And I do already have a reverse proxy in place. This is the whole point of this topic.
I managed to get PeerTube working, but not behind Nginx Proxy Manager.

(screenshot)
You're trying to connect to port 4433; your cert won't work for that port.

That port is occupied by Nginx Proxy Manager. If I remove it, it breaks.
Isn't the point of a reverse proxy to be able to set an application to whatever port? Honest question, I am fairly new to this.

If you're using Nginx Proxy Manager, don't use the nginx proxy from PeerTube.
In the docker-compose file:
# You can comment this webserver section if you want to use another webserver/proxy or test PeerTube in local.
# You can comment this certbot section if you want to use another webserver/proxy or test PeerTube in local

You have to comment out all of the webserver: and certbot: parts.
You will use Nginx Proxy Manager instead for doing the redirection and the cert job.

The reverse proxy will redirect, for example, peertube.domain.com to your Docker container running PeerTube on port 9000, and service.domain.com to the container running service on port XXX.
You can host as many services as you want.

Right,
but when I do that (comment out webserver / certbot) and point NPM to wan:9000, I cannot log in. And I get the two errors I shared in my first post
(invalid client and cannot get token).
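Both errors in the first post, and the "works at wan:9000 but not through NPM" behaviour, fit one server-side check. The shell script below is an added example, not PeerTube's code: it models that check so the thread's configurations can be tried side by side. The assumption it encodes, from my reading of PeerTube's oauth-clients controller (verify it against the version you run), is that before returning the local OAuth client credentials PeerTube compares the request's Host header with PEERTUBE_WEBSERVER_HOSTNAME, with ":PEERTUBE_WEBSERVER_PORT" appended unless the port is 80 or 443, and answers "Getting client tokens for host … is forbidden" on any mismatch. It also models what nginx forwards as Host: `$host` is the name without the port, `$http_host` is the raw Host header (the difference the linked "Use $http_host instead of $host" commit is about). The names mywanip and mydomain are the placeholders used in the thread.

```shell
#!/bin/sh
# Added example (not PeerTube's code): model of PeerTube's Host-header check for
# /api/v1/oauth-clients/local and of what an nginx reverse proxy forwards as Host.
set -eu

# expected_host HOSTNAME PORT -> the only Host header value the check accepts.
# Assumption: port is omitted for 80 and 443, appended otherwise.
expected_host() {
    case "$2" in
        80|443) printf '%s\n' "$1" ;;
        *)      printf '%s:%s\n' "$1" "$2" ;;
    esac
}

# client_token_allowed HOSTNAME PORT REQUEST_HOST -> 0 if allowed, 1 if forbidden
client_token_allowed() {
    [ "$(expected_host "$1" "$2")" = "$3" ]
}

# browser_host_header SCHEME NAME PORT -> the Host header a browser sends for SCHEME://NAME:PORT/
# (the port is omitted when it is the scheme's default).
browser_host_header() {
    case "$1:$3" in
        https:443|http:80) printf '%s\n' "$2" ;;
        *)                 printf '%s:%s\n' "$2" "$3" ;;
    esac
}

# forwarded_host VAR SCHEME NAME PORT -> what "proxy_set_header Host $VAR" forwards
# for a browser request to SCHEME://NAME:PORT/ on the proxy.
forwarded_host() {
    case "$1" in
        host)      printf '%s\n' "$3" ;;                      # nginx $host: no port
        http_host) browser_host_header "$2" "$3" "$4" ;;      # nginx $http_host: raw header
        *)         echo "unknown nginx variable: $1" >&2; return 1 ;;
    esac
}

# verdict HOSTNAME PORT REQUEST_HOST -> "allowed" or "forbidden (expected ...)"
verdict() {
    if client_token_allowed "$1" "$2" "$3"; then
        echo "allowed"
    else
        echo "forbidden (expected Host: $(expected_host "$1" "$2"))"
    fi
}

# webserver_env_behind_proxy DOMAIN -> the three .env lines that make the expected
# Host equal what a proxy on https://DOMAIN forwards with "Host $host".
webserver_env_behind_proxy() {
    printf 'PEERTUBE_WEBSERVER_HOSTNAME=%s\nPEERTUBE_WEBSERVER_PORT=443\nPEERTUBE_WEBSERVER_HTTPS=true\n' "$1"
}

# The thread's situations (constructed from the posted .env and the reported URLs):
echo "1. hostname=mydomain port=9000, direct http://myip:9000      -> $(verdict mydomain 9000 "$(browser_host_header http myip 9000)")"
echo "2. hostname=mywanip  port=9000, direct https://mywanip:9000  -> $(verdict mywanip 9000 "$(browser_host_header https mywanip 9000)")"
echo "3. hostname=mywanip  port=9000, via NPM https://mydomain     -> $(verdict mywanip 9000 "$(forwarded_host host https mydomain 443)")"
echo "4. hostname=mydomain port=443,  via NPM https://mydomain     -> $(verdict mydomain 443 "$(forwarded_host host https mydomain 443)")"
echo "Corrected .env lines for case 4:"
webserver_env_behind_proxy mydomain
```

Case 1 is the first post's second error (the log prefix `[mydomain:9000]` shows the configured hostname and port, the request came in for `myip:9000`); cases 2 and 3 are "wan:9000 works, the proxy does not": with the posted .env the only accepted Host is `mywanip:9000`, which a direct visit sends and NPM does not. Case 4 is the configuration the thread is aiming for: hostname set to the domain, port 443, HTTPS on, and NPM left forwarding `Host $host` as in the snippet above. After changing the .env, the peertube container has to be recreated (`docker compose up -d`) for the new values to apply; to confirm from the server without a browser, send the header by hand, for example `curl -sS -H 'Host: mydomain' http://127.0.0.1:9000/api/v1/oauth-clients/local`, which returns the client id and secret when allowed and the 403 above otherwise. Once the proxied path works, direct access to wan:9000 is rejected by the same check, which is the intended state: port 9000 is not meant to be public, so it can be firewalled or bound only where NPM can reach it.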

I'm sorry, I can't help you with Nginx Proxy Manager; I don't know how it works or how to configure it.

I appreciate you helping!