Completely revamped the install process

.gitignore

@@ -1,3 +1 @@
-config/
 data/
-/docker-compose.yml

README.md

@@ -1,3 +1,70 @@
 # Piped-Docker
 
-See https://piped-docs.kavin.rocks/docs/self-hosting/#docker-compose-caddy-aio-script
+## General notes
+
+### Requirements
+
+To Self-host Piped you're going to need the following resources:
+
+- Three DNS entries, one for each of the three modules: Frontend, Backend (API) and Youtube Proxy.
+- An SSL certificate for HTTPS. An exemple is supplied, but you should create your own or get one from Let's Encrypt
+- A container manager - Docker or Podman - with the corresponding \*-composer.
+
+For an instance serving only a private network, you most likely going to use a self-signed certificate, since Let's Encrypt needs access to the server on port 80 to validate that you actually owns it.
+
+### Note to selfhosters running Proxmox
+
+If you're going to selfhost Piped on an LXC container created by Proxmox, note that They're perfectly capable of running both Docker an Podman containers. This is called nesting, the act of running containers inside containers.
+
+There are one caveat, tho. It has to do with how services are started on LXC. Those containers normaly don't have a non-root user, so you login directly as root with SSH. Some people might be tempted to create a normal user and then use `sudo` to become root. This will cause you a lot of pain, because by doing that, you won't have a d-bus session running, d-bus is started as user unit by Systemd, but this doesn't run when you `sudo` to the user, only when you login directly as the user. I haven't tested this with Docker, but Podman breaks a little in this scenario, so if you're running Podman inside an LXC container, SSH as root from the beginning.
+
+WAIT!!! Can't I run Podman without being root ? Well, the Nginx reverse proxy the Piped uses to distribute requests to frontend, backend or ytproxy listens on ports 80 and 443, so you need to be root in order to open those. If you want to run rootless, you're gonna have to tinker a little, but you'll be on uncharted waters, sorry.
+
+## Configuration
+
+### Creating Self-signed certificate
+
+To create your own certificate, follow the instructions on this [DigitalOcean tutorial](https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs#generating-ssl-certificates), placing the files on the `config/` directory, replacing `piped.key` and `piped.crt` with the ones you created. To save you some time, you can use this command:
+
+    cd config/
+    openssl req -newkey rsa:2048 -nodes -keyout piped.key -x509 -days 365 -out piped.crt
+
+Answer all the question with appropriate values, the **only important field** that you should pay attention to is "**Common Name (e.g. server FQDN or YOUR name) []**", this should be "*.yourdomain.tld", meaning this certificate will server for all three hosts needed for Piped.
+
+### Configuring Piped
+
+All configurations should preferably be done using environment variables. All of them are listed on the [[configuration.env]] file.
+
+The most important to set up are the FQDN (Fully Qualified Domain Names) of the three services. These names should be configured on the variables BACKEND_HOSTNAME, FRONTEND_HOSTNAME and PROXY_HOSTNAME **without** "https:\/\/", slashes or anything other than the FQDN. The URLs **with** "https:\/\/" should be configured in the variables FRONTEND_URL, API_URL and PROXY_PART.
+
+There are other settings that you can change in the file too, such as support for Captcha, registration, etc., just look for them on the config file.
+
+### Configuring Postgres
+
+Piped uses PostgreSQL. It is the only DB supported and it's included in the composer file. If you want to use an external Postgre instead, put the relevant information on the appropriate variables and comment the `postgres` service on the composer file. If you decide to use the included DB, these variables will be used both to create the database and to configure the Hibernate library used by the backend.
+
+## Running
+
+After you finish creating the certificate and setting up the environment variables, run the project with one of the following commands:
+
+- Docker
+
+    docker-compose up -d
+
+- Podman
+
+    podman-compose up -d
+
+Once all the containers finish starting, test if it's working by pointing your browser to https://frontend.yourdomain.tld and confirm that Piped loads the "Trending" page.
+
+## Debuging
+
+In case of problems, you can check the logs with \*-compose logs <container>. For exemple:
+
+    docker-compose logs nginx   # For docker users
+
+    or
+
+    podman-compose logs piped-backend   # for Podman users
+
+If you need really verbose logs from Nginx, it is possible to enable debug mode, but it requires forcing the container to run `nginx-debug` instead of plain `nging` and adding a `error_log ... debug;` statement to [[config/piped.conf.template]].

config/piped.conf.template

@@ -0,0 +1,73 @@
+server {
+    listen *:80;
+#    listen [::]:80;
+    server_name ${FRONTEND_HOSTNAME} ${BACKEND_HOSTNAME} ${PROXY_HOSTNAME};
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header 'Referrer-Policy' 'no-referrer';
+    # enforce https
+
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+
+    listen *:443 ssl http2;
+#    listen [::]:443 ssl http2;
+
+    server_name ${FRONTEND_HOSTNAME};
+
+    include snippets/ssl.conf;
+
+    # Path to the root of your installation
+    location / {
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header Connection "keep-alive";
+        proxy_pass http://piped-frontend;
+    }
+}
+
+proxy_cache_path /tmp/pipedapi_cache levels=1:2 keys_zone=pipedapi:4m max_size=2g inactive=60m use_temp_path=off;
+
+server {
+
+    listen *:443 ssl http2;
+#    listen [::]:443 ssl http2;
+
+    server_name ${BACKEND_HOSTNAME};
+
+    include snippets/ssl.conf;
+
+    # Path to the root of your installation
+    location / {
+        proxy_cache pipedapi;
+        proxy_pass http://piped-backend:8080;
+        proxy_http_version 1.1;
+        proxy_set_header Connection "keep-alive";
+    }
+}
+
+server {
+    listen *:443 ssl http2;
+#    listen [::]:443 ssl http2;
+
+    server_name ${PROXY_HOSTNAME};
+
+    include snippets/ssl.conf;
+
+    location ~ (/videoplayback|/api/v4/|/api/manifest/) {
+        include snippets/ytproxy.conf;
+
+        add_header Cache-Control private always;
+        proxy_pass http://unix:/var/run/ytproxy/actix.sock;
+    }
+
+    location / {
+        include snippets/ytproxy.conf;
+
+        add_header Cache-Control "public, max-age=604800";
+        proxy_pass http://unix:/var/run/ytproxy/actix.sock;
+    }
+}

config/piped.crt

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID/zCCAuegAwIBAgIUdqkJshly/62rDQeqUUqyQiU5yJ8wDQYJKoZIhvcNAQEL
+BQAwgY4xCzAJBgNVBAYTAkJSMQswCQYDVQQIDAJTUDESMBAGA1UEBwwJU2FvIFBh
+dWxvMRAwDgYDVQQKDAdleGFtcGxlMRQwEgYDVQQLDAtkZXZlbG9wbWVudDEWMBQG
+A1UEAwwNKi5leGFtcGxlLmNvbTEeMBwGCSqGSIb3DQEJARYPbWFpbC5leG1wbGUu
+Y29tMB4XDTIzMDcyMjIxMzkzMloXDTI0MDcyMTIxMzkzMlowgY4xCzAJBgNVBAYT
+AkJSMQswCQYDVQQIDAJTUDESMBAGA1UEBwwJU2FvIFBhdWxvMRAwDgYDVQQKDAdl
+eGFtcGxlMRQwEgYDVQQLDAtkZXZlbG9wbWVudDEWMBQGA1UEAwwNKi5leGFtcGxl
+LmNvbTEeMBwGCSqGSIb3DQEJARYPbWFpbC5leG1wbGUuY29tMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Q4tR+qHr5wNuFvp18+B5rLSrZWrqb/9zZaE
+65mTk70J7Wfa5kt+8wf7N7590ecazXcbuCnFmCBIMZGdZNE02C/0AQvgKKCmORhj
+XDRlWupilguS6dMXhffgisZ/Dent9cQjZIFkOJ0ZNILbarPkQBvhdkFrn302Nujc
+uF4cYrHvUa3WmtoUZspWqPKkl0AluOPTYm2QLGdT1M+nmr8AZs7JplYrBzT65fy/
+Nvtl+VxVcGqRrTVDmsWJIO8Gx/NW/7wfK6GQxWYeUotXNZmBrr5jOB0YttMQrgUn
+QydSpK6qrVWEBr8IaR+jS+eXJmWrEi0QBn6npwvx0+g+Jt5jWQIDAQABo1MwUTAd
+BgNVHQ4EFgQU7+AGX4fm74vjDt4+9nyB0ElAIkgwHwYDVR0jBBgwFoAU7+AGX4fm
+74vjDt4+9nyB0ElAIkgwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AQEAI4k5IYFkqMvmw1Nd53umzhSIayT+T54VHBz59ty5OR0m+6FpoZaon5+FnWlq
+5otCrOjGG6jzhku+PMsaU8iBcgfAJpZASicuCFXBcc6yAGveTvnHFAwlhEoI5oI/
+95tkh1hMy3hDZmMvYCOGnvS7vVY2JqPCFvgfRaMAaoe8gnlPOTx97fnnn/8+Aazi
+puny/PYud3vaIfCzLWA/8Zo+r47sRlLkQQ9hrgcjrRW7oT+PHmY/31SWP+mFxwF7
+v6FVArSABFRObkhgiFL3APKLnx34hWEA/8TpRryuYQdz7BYkUzJHpxzzn91KeLdm
+492KHQ71tVy6zV5iB1aev8nVYw==
+-----END CERTIFICATE-----

config/piped.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDVDi1H6oevnA24
+W+nXz4HmstKtlaupv/3NloTrmZOTvQntZ9rmS37zB/s3vn3R5xrNdxu4KcWYIEgx
+kZ1k0TTYL/QBC+AooKY5GGNcNGVa6mKWC5Lp0xeF9+CKxn8N6e31xCNkgWQ4nRk0
+gttqs+RAG+F2QWuffTY26Ny4Xhxise9Rrdaa2hRmylao8qSXQCW449NibZAsZ1PU
+z6eavwBmzsmmVisHNPrl/L82+2X5XFVwapGtNUOaxYkg7wbH81b/vB8roZDFZh5S
+i1c1mYGuvmM4HRi20xCuBSdDJ1KkrqqtVYQGvwhpH6NL55cmZasSLRAGfqenC/HT
+6D4m3mNZAgMBAAECggEAGaZVST0xDLFK7ZETPAodZ3rL5l4Ihq04jxG5+utIWxb9
+JPnF3sfkBrpFQlbKqwSZs3bNfYR553CrgFw5iLOvGv/a7m1RlVKR8HnBLI6aTTG+
+oLXQABqL0HMhM1PmY/Rv05DDegwh1rcDG9FNPTFfH2C76hLCNDdM2Zt7Ry79V9w/
+rfZPGJgQS1ji7whLEGmv+z8JFOpw4rxtgvMUG+M73v5bS9j6VWZ0FLMKoXChvQka
+gTP4UtjW2sHPBHVPFVhba0UPzLPY87uvY2esvIqC11NhPLs0oXBv9EnlgDzi4/gF
+zwY4TpByBJ+2LOEU3QC0ezW4wz3M/p5NQjDMu9I3IQKBgQD/2nUVynNccMlW7STH
+zTihukg9paweCrElncSwluwf0jf3/0EizDbfCPRMBM5la5J8+mYEH/Lxa+XjpVhn
+CSnfDCRa68iwr+1wyn6YA0hvTHARbSVw74P3UnUafVAdhDlF9WGqQ6HUnMDHArSD
+u/x6q4J3daGegXn8EdLWUlB/JQKBgQDVLXCGtMjOkAUT+42uTavf+0PnogkX5KuY
+VYXmwrF3MCDmefkfYnyJK2Luecag+nSoK9Sc553DkCAoGiyreDPNXKNIYLGxDPMo
+d4hcrt6Ol9W7PTpzQoE3Lz8Bm2N3zuyblV0xRsGOOTQirMSz052CTD+nhlUkxvrl
+EJnzVBoHJQKBgAMRianzPaL0L1X9jh1fVriJ1Wf33rKVij5bQAqmJLrU+Jre0tcp
+/9Z48wUeYaNRwPYCwsp136IJmz45s2+46mmkaaM1hLipw31A0HfeQjYjgoyS9IoA
+NWL3+DOTISzZcx5lrQAvw3cbUiyQ2b1iucp22B+6p2+ROfdN92tenVyJAoGANAqO
+wOPbbcns427yrI2bmuddMWv2KlYRqfOe57G53y3pqjo2nfnOCzKDSVKDMgNSfUeN
+9Ov6MKa7ou6Y3xdOFiE6X03zsxRFPCjKKk4qWMcqTzZoUYD3yIAJMpw7kSD71BOH
+l6L9V3oRhzGEJ55OgmOY2o3JtVu6HjeKTcPHQt0CgYEAtpjb6sajZhM1sDlT2N/R
+V9t+k+N9dRDy8acpGRxm5HGhqJMev6PTowGqCxex+F/meDioCoybNYa7JPAwwDvt
+XzqUrgCIceQ2TLGETQLDgfu325aJo/WRQZrnrN0XY0Gc4wnI/GXUmz2VcVALLYfb
+jmPy4nc4xejo/H+MyUc8Ksw=
+-----END PRIVATE KEY-----

config/ssl.conf

@@ -0,0 +1,12 @@
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+ssl_certificate /etc/nginx/ssl/piped.crt;
+ssl_certificate_key /etc/nginx/ssl/piped.key;
+
+add_header 'Referrer-Policy' 'no-referrer';
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Robots-Tag none;
+add_header X-Download-Options noopen;
+add_header X-Permitted-Cross-Domain-Policies none;

template/ytproxy.conf → config/ytproxy.conf

@@ -1,18 +1,17 @@
-proxy_buffering on;
-proxy_buffers 1024 16k;
-proxy_set_header X-Forwarded-For "";
-proxy_set_header CF-Connecting-IP "";
-proxy_hide_header "alt-svc";
-sendfile on;
-sendfile_max_chunk 512k;
-tcp_nopush on;
+access_log off;
 aio threads=default;
 aio_write on;
 directio 16m;
+proxy_buffering on;
+proxy_buffers 1024 16k;
+proxy_hide_header "alt-svc";
 proxy_hide_header Cache-Control;
 proxy_hide_header etag;
 proxy_http_version 1.1;
-proxy_set_header Connection keep-alive;
 proxy_max_temp_file_size 32m;
-access_log off;
-proxy_pass http://unix:/var/run/ytproxy/actix.sock;
+proxy_set_header CF-Connecting-IP "";
+proxy_set_header Connection keep-alive;
+proxy_set_header X-Forwarded-For "";
+sendfile on;
+sendfile_max_chunk 512k;
+tcp_nopush on;

configuration.env

@@ -0,0 +1,63 @@
+###########################
+# Hostname settings       #
+###########################
+
+# Fully Qualified names of the services used by Piped
+BACKEND_HOSTNAME=backend-host.example.com
+FRONTEND_HOSTNAME=frontend-host.example.com
+PROXY_HOSTNAME=proxy-host.example.com
+
+###########################
+# API container settings  #
+###########################
+
+# Port the API server will listen on.
+# this is used by other containers in this compose project and will
+# listen only on the docker/podman network.
+# If you need the API listening publicly, publish it using
+#   port:
+#     - <ext-port>:<int-port>
+# on the piped-backend service.
+PORT=8080
+
+# The number of workers to use for the server
+HTTP_WORKERS=2
+
+# iFull URLs for the services. These need to be configured
+# on your DNS service
+FRONTEND_URL=https://frontend-host.example.com
+API_URL=https://backend-host.example.com
+PROXY_PART=https://proxy-host.example.com
+
+# Outgoing HTTP Proxy - eg: 127.0.0.1:8118
+#HTTP_PROXY=127.0.0.1:8118
+
+# Captcha Parameters
+CAPTCHA_BASE_URL=https://api.capmonster.cloud/
+CAPTCHA_API_KEY=INSERT_HERE
+
+# Enable haveibeenpwned compromised password API
+COMPROMISED_PASSWORD_CHECK=true
+
+# Disable Registration
+DISABLE_REGISTRATION=false
+
+# Feed Retention Time in Days
+FEED_RETENTION=30
+
+###########################
+# database settings       #
+###########################
+
+# Settings for the Postgres database
+POSTGRES_DB=piped
+POSTGRES_HOST=postgres
+POSTGRES_USER=piped
+POSTGRES_PASSWORD=changeme
+
+###########################
+# Watchtower settings     #
+###########################
+
+WATCHTOWER_CLEANUP=true
+WATCHTOWER_INCLUDE_RESTARTING=true