Huge role refactoring/cleanup. Other commits will propably follow. Because some bugs will exist. Still important for longrun and also for auto docs/help/slideshow generation

roles/web-app-peertube/Administration.md

@@ -0,0 +1,29 @@
+# Administration 
+
+## track docker container status
+```bash
+watch -n 2 "docker ps  -a | grep peertube"
+```
+
+## clean rebuild
+```bash
+cd {{path_docker_compose_instances}}peertube/ &&
+docker-compose down 
+docker volume rm peertube_assets peertube_config peertube_data peertube_database peertube_redis
+docker-compose up -d 
+```
+
+## access terminal
+```bash
+docker-compose exec -it application /bin/bash
+```
+
+## update config
+```bash
+apt update && apt install nano && nano ./config/default.yaml
+```
+
+## get root pasword
+```bash
+docker logs peertube-application-1 | grep -A1 root
+```

roles/web-app-peertube/README.md

@@ -0,0 +1,45 @@
+# PeerTube
+
+## Description
+
+PeerTube is a decentralized, open‑source video hosting platform that empowers creators to share videos without relying on centralized services. It leverages federated architecture and peer-to-peer technologies to provide scalable, secure, and community‑driven video streaming.
+
+## Overview
+
+This Docker Compose deployment sets up PeerTube with integrated support for essential services such as a PostgreSQL database, Redis cache, and an Nginx reverse proxy for secure HTTPS termination and domain routing. The configuration supports advanced security settings, modular service scaling, and automated environment injection.
+
+## Core Software Features
+
+- **Decentralized Video Hosting:**  
+  Distribute video hosting across multiple instances to enhance resilience and avoid single‑point control.
+
+- **Scalability and Performance:**  
+  Efficiently manage video transcoding, live streaming, and storage through containerized microservices.
+
+- **Customizable Configuration:**  
+  Tailor settings such as storage, email delivery, and administrative parameters using environment variables and configuration files.
+
+- **Secure and Private:**  
+  Built‑in support for TLS, secure SMTP integration, and strict administrative controls to ensure data protection.
+
+- **Federated Communication:**  
+  Designed to operate within a federated network, enabling seamless sharing and interconnection with other PeerTube instances.
+
+## Documentation & Administration
+
+- [Administration.md](./Administration.md)  
+  Contains manual operations for container management, configuration updates, and administrative commands.
+
+- [Upgrade.md](./Upgrade.md)  
+  Provides guidance for upgrading your PeerTube deployment.
+
+## Other Resources
+
+- [PeerTube Official Documentation](https://docs.joinpeertube.org/install-docker)
+- [PeerTube GitHub Issues](https://github.com/Chocobozzz/PeerTube/issues/3091)
+- [OIDC Plugin Installation Guide](https://chatgpt.com/c/67a4f448-4be8-800f-8639-4c15cb2fb44e)
+
+## Credits
+
+Developed and maintained by **Kevin Veen-Birkenbach**  
+Learn more at [www.veen.world](https://www.veen.world)

roles/web-app-peertube/Setup.md

@@ -0,0 +1,6 @@
+# Setup Peertube
+
+## Change Root Administrator Password
+```bash
+docker exec -it -u peertube peertube npm run reset-password -- -u root
+```

roles/web-app-peertube/Todo.md

@@ -0,0 +1,3 @@
+# Todos
+- [DKIM activate](https://docs.joinpeertube.org/install/docker)
+- The plugin needs to be manually activated in the admin interface. would be nice if this is automatized as well

roles/web-app-peertube/Upgrade.md

@@ -0,0 +1,2 @@
+# upgrade version
+- https://docs.joinpeertube.org/install/docker

roles/web-app-peertube/meta/main.yml

@@ -0,0 +1,32 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: >
+    Transform your video hosting experience with Peertube, a decentralized platform built for scalability,
+    innovation, and community collaboration.
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Linux
+      versions:
+        - all
+  galaxy_tags:
+    - peertube
+    - video-hosting
+    - docker
+    - compose
+    - decentralized
+    - open-source
+    - video platform
+  repository: "https://s.veen.world/cymais"
+  issue_tracker_url: "https://s.veen.world/cymaisissues"
+  documentation: "https://s.veen.world/cymais"
+  logo:
+    class: "fa-solid fa-video"  
+  run_after:
+    - web-app-keycloak

roles/web-app-peertube/meta/schema.yml

@@ -0,0 +1,5 @@
+credentials:
+  secret:
+    description: "PeerTube secret used for session signing and CSRF protection"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"

roles/web-app-peertube/tasks/create-domains.yml

@@ -0,0 +1,9 @@
+- name: "include role for {{application_id}} to receive certs & do modification routines"
+  include_role:
+    name: webserver-composer
+
+- name: configure {{domain}}.conf
+  template: 
+    src:  "templates/peertube.conf.j2"
+    dest: "{{nginx.directories.http.servers}}{{domain}}.conf"
+  notify: restart nginx

roles/web-app-peertube/tasks/disable-oidc.yml

@@ -0,0 +1,5 @@
+- name: "Uninstall auth-openid-connect plugin for Peertube"
+  command: >
+    docker exec {{ container_name }} \
+    npm run plugin:uninstall -- --npm-name {{oidc_plugin}}
+  ignore_errors: true

roles/web-app-peertube/tasks/enable-oidc.yml

@@ -0,0 +1,33 @@
+- name: "Load OIDC Settings vor Peertube"
+  include_vars: vars/oidc-settings.yml
+  changed_when: false
+
+- name: Check if OIDC plugin is already installed
+  command: >
+    docker exec {{ container_name }} test -d /data/plugins/data/peertube-plugin-auth-openid-connect
+  register: peertube_oidc_plugin_check
+  failed_when:  false
+  changed_when: false
+
+- name: "Install auth-openid-connect plugin for Peertube"
+  command: >
+    docker exec {{ container_name }} \
+    npm run plugin:install -- --npm-name {{oidc_plugin}}
+  when: peertube_oidc_plugin_check.rc != 0
+  notify: docker compose up
+
+- name: "Update the settings column of the auth-openid-connect plugin"
+  community.postgresql.postgresql_query:
+    db: "{{ database_name }}"
+    login_user: "{{ database_username }}"
+    login_password: "{{ database_password }}"
+    login_host: "127.0.0.1"
+    login_port: "{{ database_port }}"
+    query: |
+      UPDATE public.plugin
+      SET settings = '{{ oidc_settings | to_json }}',
+      enabled = TRUE,
+      uninstalled = FALSE
+      WHERE name = 'auth-openid-connect';
+  notify: docker compose up
+  when: peertube_oidc_plugin_check.rc != 0

roles/web-app-peertube/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+- name: "include service-rdbms-central"
+  include_role: 
+    name: service-rdbms-central
+  
+- name: "include create-domains.yml for peertube"
+  include_tasks: create-domains.yml
+  loop: "{{ domains.peertube }}"
+  loop_control:
+    loop_var: domain
+  vars:
+    http: "{{ ports.localhost.http[application_id] }}"
+
+- name: "Install and activate auth-openid-connect plugin if OIDC is enabled"
+  include_tasks: enable-oidc.yml
+  when: applications | is_feature_enabled('oidc',application_id)
+
+- name: "Deinstall and disable auth-openid-connect plugin if OIDC is enabled"
+  include_tasks: disable-oidc.yml
+  when: applications | is_feature_enabled('oidc',application_id)

roles/web-app-peertube/templates/docker-compose.yml.j2

@@ -0,0 +1,24 @@
+{% include 'roles/docker-compose/templates/base.yml.j2' %}
+
+  application:
+{% set container_port = 9000 %}
+    image: chocobozzz/peertube:production-{{ applications[application_id].version }}
+    container_name: {{ container_name }}
+{% include 'roles/docker-container/templates/base.yml.j2' %}
+    ports:
+     - "1935:1935"  # @todo Add to ports
+     - "127.0.0.1:{{ports.localhost.http[application_id]}}:{{ container_port }}" 
+    volumes:
+      - assets:/app/client/dist
+      - data:/data
+      - config:/config
+{% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %}
+{% include 'roles/docker-container/templates/networks.yml.j2' %}
+{% include 'roles/docker-container/templates/healthcheck/tcp.yml.j2' %}
+{% include 'roles/docker-compose/templates/volumes.yml.j2' %}
+  assets:
+  data:
+  redis:
+  config:
+
+{% include 'roles/docker-compose/templates/networks.yml.j2' %}

roles/web-app-peertube/templates/env.j2

@@ -0,0 +1,24 @@
+# Database / Postgres service configuration
+POSTGRES_USER={{database_username}}
+POSTGRES_PASSWORD={{database_password}}
+POSTGRES_DB={{database_name}}
+PEERTUBE_DB_USERNAME={{database_username}}
+PEERTUBE_DB_PASSWORD={{database_password}}
+PEERTUBE_DB_SSL=false
+PEERTUBE_DB_HOSTNAME={{database_host}}
+
+# PeerTube server configuration
+PEERTUBE_WEBSERVER_HOSTNAME={{domains | get_domain(application_id)}}
+PEERTUBE_TRUST_PROXY=["127.0.0.1", "loopback"]
+
+PEERTUBE_SECRET={{applications[application_id].credentials.secret}}
+
+# E-mail configuration
+PEERTUBE_SMTP_USERNAME={{ users['no-reply'].email }}
+PEERTUBE_SMTP_PASSWORD={{ users['no-reply'].mailu_token }}
+PEERTUBE_SMTP_HOSTNAME={{system_email.host}}
+PEERTUBE_SMTP_PORT={{system_email.port}}
+PEERTUBE_SMTP_FROM={{ users['no-reply'].email }}
+PEERTUBE_SMTP_TLS={{ system_email.tls | lower }}
+PEERTUBE_SMTP_DISABLE_STARTTLS={{ 'false' if system_email.start_tls else 'true' }}
+PEERTUBE_ADMIN_EMAIL={{ users['no-reply'].email }}

roles/web-app-peertube/templates/peertube.conf.j2

@@ -0,0 +1,82 @@
+server {
+  server_name {{domain}};
+
+  {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+
+  {% include 'roles/webserver-injector-core/templates/global.includes.conf.j2'%}
+  
+  {% include 'roles/webserver-proxy-core/templates/headers/content_security_policy.conf.j2' %}
+  
+  ##
+  # Application
+  ##
+
+  location @api {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host            $host;
+    proxy_set_header X-Real-IP       $remote_addr;
+
+    client_max_body_size  100k; # default is 1M
+
+    proxy_connect_timeout 10m;
+    proxy_send_timeout    10m;
+    proxy_read_timeout    10m;
+    send_timeout          10m;
+
+    #adapt
+    proxy_pass http://127.0.0.1:{{ports.localhost.http[application_id]}};
+  }
+
+  location / {
+    try_files /dev/null @api;
+  }
+
+  location = /api/v1/videos/upload-resumable {
+    client_max_body_size    0;
+    proxy_request_buffering off;
+
+    try_files /dev/null @api;
+  }
+
+  location ~ ^/api/v1/videos/(upload|([^/]+/studio/edit))$ {
+    limit_except POST HEAD { deny all; }
+    client_max_body_size  12G; # default is 1M
+    add_header            X-File-Maximum-Size 8G always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size)
+
+    try_files /dev/null @api;
+  }
+
+  location ~ ^/api/v1/(videos|video-playlists|video-channels|users/me) {
+    client_max_body_size                      6M; # default is 1M
+    add_header            X-File-Maximum-Size 4M always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size)
+
+    try_files /dev/null @api;
+  }
+
+  ##
+  # Websocket
+  ##
+
+  location @api_websocket {
+    proxy_http_version 1.1;
+    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header   Host            $host;
+    proxy_set_header   X-Real-IP       $remote_addr;
+    proxy_set_header   Upgrade         $http_upgrade;
+    proxy_set_header   Connection      "upgrade";
+
+    proxy_pass http://127.0.0.1:{{ports.localhost.http[application_id]}};
+  }
+
+  location /socket.io {
+    try_files /dev/null @api_websocket;
+  }
+
+  location /tracker/socket {
+    # Peers send a message to the tracker every 15 minutes
+    # Don't close the websocket before then
+    proxy_read_timeout 15m; # default is 60s
+
+    try_files /dev/null @api_websocket;
+  }
+}

roles/web-app-peertube/vars/configuration.yml

@@ -0,0 +1,33 @@
+version:              "bookworm"
+features:
+  matomo:             true
+  css:                false
+  portfolio_iframe:   true
+  central_database:   true
+  oidc:               true
+csp:
+  flags:
+    script-src-elem:
+      unsafe-inline:  true
+    script-src:
+      unsafe-inline:  true
+    style-src:
+      unsafe-inline:  true
+  whitelist:
+    frame-ancestors:
+      - "*"
+    media-src:
+      - "blob:"
+    font-src:
+      - "data:"
+domains:
+  canonical:
+    - "video.{{ primary_domain }}"
+  aliases:
+    - "videos.{{ primary_domain }}"
+docker:
+  services:
+    redis:
+      enabled: true
+    database: 
+      enabled: true

roles/web-app-peertube/vars/main.yml

@@ -0,0 +1,4 @@
+application_id: "peertube"
+database_type:  "postgres"
+container_name: "{{ application_id }}"
+oidc_plugin:    "peertube-plugin-auth-openid-connect"

roles/web-app-peertube/vars/oidc-settings.yml

@@ -0,0 +1,12 @@
+oidc_settings: |
+  {
+    "scope": "openid email profile",
+    "desktop-id": "{{ oidc.client.id }}",
+    "discover-url": "{{ oidc.client.discovery_document }}",
+    "desktop-secret": "{{ oidc.client.secret }}",
+    "mail-property": "email",
+    "auth-display-name": "{{ oidc.button_text }}",
+    "username-property": "{{ oidc.attributes.username }}",
+    "signature-algorithm": "RS256",
+    "display-name-property": "{{ oidc.attributes.username }}"
+  }