PeerTube is a tool for hosting and sharing online videos. It is based on ActivityPub. Hence, the tool is open source, peer-to-peer, decentralised and federated.
This guide walks you step by step through publishing PeerTube as a service on the Edge that can be accessed on the Internet.
Make sure that all of the mandatory prerequisites have been met before progressing further.
In addition, one needs to consider the following requirements that are specific to PeerTube.
More detailed sizing guidelines can be found in the PeerTube FAQ.
Keep in mind that in contrast to many other applications recommended by The Liberated Edge, PeerTube needs to do video transcoding, which is a CPU intensive operation.
This means that your Server on The Edge needs at least 2 CPU cores available for PeerTube, so a machine with a less capable CPU, e.g. a Raspberry Pi, may struggle to perform well.
Videos hosted by your instance of PeerTube need a lot of disk space. Consider the disk space needed by a video uploaded by you in a given resolution. Transcoding would generate versions of this same video in other resolutions. Add the space needed for them and you will get the total free disk space that is necessary for a video to be hosted.
Because of federation and content caching it may be that you need additional disk space.
The recommended type of storage seems to be SSD.
We are still experimenting with streaming and throughput. Once we have some useful data to share, we will add more details.
| Name | Source | Description |
|---|---|---|
| <CONTAINER_NAME> | User input | The name of the Linux container where the app will be run. |
| <DB_PASSWORD> | User input | The password of the peertube database user. |
| <IP_ADDRESS__EDGE_SERVER_VPN> | IP address in VPN | The IPv4 address of the Server on The Edge in the VPN. |
| <ROOT_PWD__CONTAINER> | User input | The password of the root user in the container. |
| <IP_ADDRESS__CONTAINER> | Generated | The IPv4 address of the container run by the server on the Edge. |
| <IP_ADDRESS__INET_GW> | Linux VPS Admin Panel | The public and static IP address of the Internet Gateway. |
| <PEERTUBE_SECRET> | `openssl rand -hex 32` | The peertube application secret. |
| <PEERTUBE_DOMAIN> | User input | The host for the A record created with your domain registrar, e.g. pt.myowndomain.net. |
| <PEERTUBE_ADMIN_EMAIL> | User input | The email address of the PeerTube instance admin user. |
Run the following commands on your server on the Edge.
incus launch images:debian/bookworm/cloud <CONTAINER_NAME>
incus exec <CONTAINER_NAME> bash
You may need to change the default MTU for HTTPS connections to function. Run `ip link set dev eth0 mtu 1000` if you find `apt update` or `apt upgrade` stuck for a long time. This setting is not persistent and is lost when the container reboots.
apt update && apt upgrade && apt install fish curl wget unzip
If you are not already within the container, run the following command on your server on the Edge to log in as `root`.
incus exec <CONTAINER_NAME> fish
passwd
Set a password for the root user and make a (mental) note of it. It will be denoted with a variable <ROOT_PWD__CONTAINER>.
From here on the root user will use fish as default shell.
chsh -s /usr/bin/fish
Let's create the peertube user and set a system password for it.
useradd -m -d /var/www/peertube -s /usr/bin/fish peertube
usermod -aG sudo peertube
passwd peertube
The ability to establish SSH connections from the server on the Edge to the container is key for the upcoming Ansible automation. There is an Ansible connection driver for Linux containers with limited capabilities. The default Ansible connection driver through SSH is much more robust and powerful.
You can perform this step now or in the future, when you make up your mind to give the automated solutions for system and application maintenance a try.
In order to complete this stage you need to perform the following commands in the container run by the server on the Edge.
apt update && apt install openssh-server
vi /etc/ssh/sshd_config
Add the following line to the file.
PermitRootLogin yes
systemctl enable ssh
systemctl start ssh
systemctl restart ssh
Run the following commands on your server on the Edge, i.e. outside of the container.
Run ssh-keygen only if you haven't generated SSH private and public keys on the server on the Edge. Otherwise use the already existing pair.
ssh-keygen
incus ls | grep <CONTAINER_NAME>
Make a note of the IPV4 value <IP_ADDRESS__CONTAINER>.
ssh-copy-id root@<IP_ADDRESS__CONTAINER>
Pass the password for the root user in the container as prompted.
From here on SSH connection as the `root` user will be possible from the server on the Edge to the container. Containers are not visible and accessible to any other network devices.
Run the following commands on your server on the Edge.
incus exec <CONTAINER_NAME> fish
Let's harden the setup of the ssh server running in the container by disabling the password for logging in with root.
vi /etc/ssh/sshd_config
Delete the line PermitRootLogin yes.
Append the line PermitRootLogin prohibit-password.
systemctl restart ssh
You should have a fully functional Linux container named `<CONTAINER_NAME>` that also has a non-administrative user `peertube`. In addition, the server on the Edge listens for SSH connections with the `root` user. You know all login credentials.
In order to complete this stage you need to perform the following commands in the container run by the server on the Edge.
If you are not already within the container, run the following command on your server on the Edge to log in as `root`.
incus exec <CONTAINER_NAME> fish
sudo su - peertube
cd ~
curl -sL https://git.io/fisher | source && fisher install jorgebucaran/fisher
Installs the fish plugin manager.
fisher install jorgebucaran/nvm.fish
Installs the latest LTS version of node.js. Later versions are not supported yet.
nvm install lts
nvm use lts
corepack enable
apt update && apt install redis-server
systemctl enable redis-server
systemctl restart redis-server
In order to verify a working redis setup issue the following command: `redis-cli ping`. Redis should return `PONG`.
In order to complete this stage you need to perform the following commands in the container run by the server on the Edge.
If you are not already within the container, run the following command on your server on the Edge to log in as `root`.
incus exec <CONTAINER_NAME> fish
sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc|sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/postgresql.gpg
apt update && apt install postgresql-15
In order to enable data checksums we need to delete the existing cluster and initialize it again.
rm -rf /var/lib/postgresql/15/main
mkdir /var/lib/postgresql/15/main
chown -R postgres:postgres /var/lib/postgresql/15/main
chmod 700 /var/lib/postgresql/15/main
sudo -u postgres /usr/lib/postgresql/15/bin/initdb \
-D /var/lib/postgresql/15/main/ \
--locale=C.UTF-8 --encoding=UTF8 --data-checksums
systemctl enable postgresql@15-main.service
systemctl start postgresql@15-main.service
Verify that the stage has been completed successfully by running the following command in the container. Its output should indicate that the service is running.
systemctl status postgresql@15-main.service
In order to complete this stage you need to perform the following commands in the container run by the server on the Edge.
If you are not already within the container, run the following command on your server on the Edge to log in as `root`.
incus exec <CONTAINER_NAME> fish
Take a note of the password for the database user. It will be denoted with a variable <DB_PASSWORD>.
sudo -u postgres createuser peertube --interactive --pwprompt
Take a note of the password <DB_PASSWORD>.
sudo -u postgres createdb peertube -O peertube --encoding='utf-8'
Enable PostgreSQL extensions needed by PeerTube.
sudo -u postgres psql -c "CREATE EXTENSION pg_trgm;" peertube
sudo -u postgres psql -c "CREATE EXTENSION unaccent;" peertube
In order to complete this stage you need to perform the following commands in the container run by the server on the Edge.
If you are not already within the container, run the following command on your server on the Edge to log in as `root`.
incus exec <CONTAINER_NAME> fish
sudo su - peertube
cd ~
mkdir tls
openssl req -x509 -nodes -newkey rsa:4096 -days 365 \
-keyout tls/key.pem \
-out tls/cert.pem
If you are not already within the container, run the following command on your server on the Edge to log in as `root`.
incus exec <CONTAINER_NAME> fish
apt update && apt install ffmpeg
sudo su - peertube
set VERSION $(curl -s https://api.github.com/repos/chocobozzz/peertube/releases/latest | grep tag_name | cut -d '"' -f 4) && echo "Latest Peertube version is $VERSION"
cd ~
mkdir config storage versions
chmod 750 config/
Download the latest version of PeerTube.
cd versions
wget "https://github.com/Chocobozzz/PeerTube/releases/download/$VERSION/peertube-$VERSION.zip"
unzip -q "peertube-$VERSION.zip" && rm "peertube-$VERSION.zip"
cd ~
ln -s "versions/peertube-$VERSION" ./peertube-latest
This environment variable is a temporary solution for issue.
export UV_USE_IO_URING=0
cd ./peertube-latest && yarn install --production --pure-lockfile
sudo su - peertube
cd /var/www/peertube/peertube-latest/scripts
nvm use lts
./upgrade.sh
If you are not already within the container, run the following command on your server on the Edge to log in as `root`.
incus exec <CONTAINER_NAME> fish
sudo su - peertube
cd ~
cp peertube-latest/config/production.yaml.example config/production.yaml
Edit the production.yaml file.
vi config/production.yaml
Make sure to substitute the variables enclosed in <...> with the real values matching your setup.
```yaml
webserver:
  https: true
  hostname: '<PEERTUBE_DOMAIN>'
  port: 443
...
secrets:
  # Generate one using `openssl rand -hex 32`
  peertube: '<PEERTUBE_SECRET>'
...
database:
  hostname: 'localhost'
  port: 5432
  ssl: false
  suffix: ''
  username: 'peertube'
  password: '<DB_PASSWORD>'
  pool:
    max: 5
...
admin:
  # Used to generate the root user at first startup
  # And to receive emails from the contact form
  email: '<PEERTUBE_ADMIN_EMAIL>'
```
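
A pre-flight check for the edited file, added here as an example and not part of the original guide or of PeerTube: it reports placeholders that were never substituted, a `secrets.peertube` value that does not look like the output of `openssl rand -hex 32`, and a config file that other local users can reach. The function names are hypothetical, the placeholder pattern is a heuristic based on the variable table above, and the script is written for `sh`/`bash` rather than fish.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for config/production.yaml.
# Function names are hypothetical; nothing here ships with PeerTube.

# List lines that still carry an unsubstituted <PLACEHOLDER> from the guide.
unreplaced_placeholders() {
    grep -nE '<[A-Z][A-Z0-9_]*>' "$1"
}

# Print the value of `peertube:` inside the top-level `secrets:` block.
peertube_secret() {
    awk -v q="'" '
        /^[^ #]/ { in_secrets = ($1 == "secrets:") }
        in_secrets && $1 == "peertube:" {
            v = $2; gsub("[\"" q "]", "", v); print v; exit
        }' "$1"
}

# Print the "other" permission bits (e.g. r-x) of a file or directory.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# Return 0 only if the file passes all three checks.
check_peertube_config() {
    cfg_file=$1
    cfg_rc=0
    if unreplaced_placeholders "$cfg_file" >&2; then
        echo "FAIL: the placeholders listed above were not substituted" >&2
        cfg_rc=1
    fi
    # `openssl rand -hex 32` yields exactly 64 lowercase hex characters.
    if ! peertube_secret "$cfg_file" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "FAIL: secrets.peertube is not 64 hex characters" >&2
        cfg_rc=1
    fi
    # The file holds the DB password and app secret: either the file or
    # its directory (chmod 750 config/ in the guide) must deny "other".
    if [ "$(other_bits "$cfg_file")" != "---" ] &&
       [ "$(other_bits "$(dirname "$cfg_file")")" != "---" ]; then
        echo "FAIL: $cfg_file is reachable by other local users" >&2
        cfg_rc=1
    fi
    return "$cfg_rc"
}

if [ "$#" -gt 0 ]; then check_peertube_config "$1"; fi
```

Saved under a name of your choice (for example `check-config.sh`), it can be run as the peertube user with `bash check-config.sh ~/config/production.yaml` before the service is started.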
If you are not already within the container, run the following command on your server on the Edge to log in as `root`.
incus exec <CONTAINER_NAME> fish
PeerTube has its own systemd service file that we need to copy to /etc/systemd/system.
cp /var/www/peertube/peertube-latest/support/systemd/peertube.service /etc/systemd/system/
sudo su - peertube
Note down and copy the path to the node executable file.
which node
exit
As a root user in the container edit the file.
vi /etc/systemd/system/peertube.service
Replace the path to the node executable with the path to your version installed via nvm.
ExecStart=/usr/bin/node dist/server
Because `node` has been installed through `nvm` its path will be weird. An example for this line in the systemd service file could be: `ExecStart=/var/www/peertube/.local/share/nvm/v18.17.1/bin/node dist/server`
systemctl enable peertube.service
systemctl start peertube.service
systemctl status peertube.service
You should be able to run a successful HTTP request against the local PeerTube server running within the container.
curl http://localhost:9000
PeerTube needs to be run behind a local web server in order to support HTTPS with self-signed TLS certificates. Extensive support is provided out of the box, but one still needs to tweak the respective nginx site configuration a bit.
If you are not already within the container, run the following command on your server on the Edge to log in as `root`.
incus exec <CONTAINER_NAME> fish
apt update && apt upgrade && apt install nginx-extras
cp /var/www/peertube/peertube-latest/support/nginx/peertube /etc/nginx/sites-available/peertube
Do not forget to substitute the peertube domain variable enclosed in <...>.
sed -i 's/${WEBSERVER_HOST}/<PEERTUBE_DOMAIN>/g' /etc/nginx/sites-available/peertube
sed -i 's/${PEERTUBE_HOST}/127.0.0.1:9000/g' /etc/nginx/sites-available/peertube
Edit /etc/nginx/sites-available/peertube in a way that the private key and certificates match exactly the lines below.
ssl_certificate /var/www/peertube/tls/cert.pem;
ssl_certificate_key /var/www/peertube/tls/key.pem;
ln -s /etc/nginx/sites-available/peertube /etc/nginx/sites-enabled/peertube
systemctl enable nginx
systemctl reload nginx
systemctl start nginx
Make sure that the web server is started.
systemctl status nginx
From here on the PeerTube server instance should be accessible within the container through HTTPS.
curl -k https://localhost
In a terminal on the server on the Edge run the following command to forward incoming HTTPS connections on port 14443 of the server to port 443 on the container.
incus config device add <CONTAINER_NAME> \
https-14443-443 proxy listen=tcp:0.0.0.0:14443 \
connect=tcp:127.0.0.1:443
From here on the PeerTube server instance should be accessible from the Server on the Edge and any other device in the same network.
curl -k https://localhost:14443
Make sure that you have created an A domain record for <PEERTUBE_DOMAIN> with your domain registrar and you have waited for this record to become active.
If you use a domain name that has not been picked up by the domain name servers yet, Caddy will not be able to serve HTTPS requests, because Let's Encrypt (an SSL certificate authority) will fail to verify ownership of the domain.
ssh mycelium@<IP_ADDRESS__INET_GW>
sudo su -
Add the following to /etc/caddy/Caddyfile.
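Do not forget to substitute the variables enclosed in `<...>` with the values matching your setup. The `tls_insecure_skip_verify` option is there because the container serves the self-signed certificate created earlier; with it Caddy does not verify the upstream's certificate, so this hop relies on the VPN for protection.

```
<PEERTUBE_DOMAIN> {
    reverse_proxy https://<IP_ADDRESS__EDGE_SERVER_VPN>:14443 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}
```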
systemctl reload caddy
If everything is configured well, you should be able to access the PeerTube server through its domain name by typing `https://<PEERTUBE_DOMAIN>` in the address bar of a web browser.
You will need to log in with the administrator account that's created automatically when starting the PeerTube systemd service for the first time.
The password is generated automatically by PeerTube and you can see it logged. You will need to use this password to log in as well as <PEERTUBE_ADMIN_EMAIL>.
1. Run `journalctl` and scroll down to the end. Look for the value of "User password".
   journalctl -u peertube.service | less
2. In a web browser navigate to https://<PEERTUBE_DOMAIN>.
3. Log in to the instance as an Administrator using <PEERTUBE_ADMIN_EMAIL> and the user password from step 1 above.
PeerTube has a large number of configuration options that you may need to learn about and configure, e.g. video transcoding, live streams, email, etc. When you first log in with your Admin account PeerTube will offer a number of learning resources and technical documentation. They will also offer to proceed with configuring the instance in a more visual way.