add new piped (hopefully faster) instance

.github/workflows/piped.yml

@@ -0,0 +1,46 @@
+name: deploy-piped
+
+on:
+  push:
+    paths:
+      - '.github/workflows/piped.yml'
+      - 'piped/**'
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment:
+      name: piped
+      url: https://piped.aosus.link
+    steps:
+      - name: checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Tailscale
+        uses: tailscale/github-action@ce41a99162202a647a4b24c30c558a567b926709
+        with:
+          authkey: ${{ secrets.TAILSCALE_AUTHKEY }}
+          hostname: Github-actions
+          version: ${{ vars.TAILSCALE_VERSION }}
+
+      - name: Add secrets to config files
+        env:
+          POSTGRES_PASSWORD: ${{ secrets.piped_postgres_password }}
+        run: |
+          sed -i "s/(piped_postgres_password)/$POSTGRES_PASSWORD/g" $GITHUB_WORKSPACE/piped/config.properties
+
+      - name: Start Deployment
+        uses: FarisZR/docker-compose-gitops-action@v1
+        env:
+          POSTGRES_PASSWORD: ${{ secrets.piped_postgres_password }}
+        with:
+          remote_docker_host: ${{ secrets.server_address }}
+          tailscale_ssh: true # no need for manual private and public keys
+          upload_directory: true # upload docker directory
+          docker_compose_directory: piped # directory to upload
+          compose_file_path: piped/docker-compose.yml
+          args: -p piped up -d --remove-orphans

caddy/configs/piped.caddy

@@ -0,0 +1,76 @@
+(piped-global) {
+	header {
+		# disable FLoC tracking
+		Permissions-Policy interest-cohort=()
+
+		# enable HSTS
+		Strict-Transport-Security max-age=31536000;
+
+		# keep referrer data off
+		Referrer-Policy no-referrer
+	}
+}
+
+piped.aosus.link {
+	# aosus settings
+	respond /robots.txt 200 {
+		body "User-agent: *
+Disallow: /"
+	}    
+	header {
+        X-Robots-Tag "noindex, noarchive, nofollow, nosnippet"
+		X-XSS-Protection "1; mode=block"
+    }
+	# end aosus settings
+	reverse_proxy pipedfrontend:80
+	import piped-global
+	encode zstd gzip
+}
+
+api.piped.aosus.link {
+	# aosus settings
+	respond /robots.txt 200 {
+		body "User-agent: *
+Disallow: /"
+	}    
+	header {
+        X-Robots-Tag "noindex, noarchive, nofollow, nosnippet"
+		X-XSS-Protection "1; mode=block"
+    }
+	# end aosus settings
+	reverse_proxy piped-nginx:80
+	import piped-global
+	encode zstd gzip
+}
+
+proxy.piped.aosus.link {
+	@ytproxy path /videoplayback* /api/v4/* /api/manifest/*
+	import piped-global
+	# aosus settings
+	respond /robots.txt 200 {
+		body "User-agent: *
+Disallow: /"
+	}    
+	header {
+        X-Robots-Tag "noindex, noarchive, nofollow, nosnippet"
+		X-XSS-Protection "1; mode=block"
+    }
+	# end aosus settings
+	route {
+		header @ytproxy {
+			Cache-Control private always
+		}
+
+		header / {
+			Cache-Control "public, max-age=604800"
+		}
+
+		reverse_proxy unix//var/run/ytproxy/actix.sock {
+			header_up -CF-Connecting-IP
+			header_up -X-Forwarded-For
+			header_down -etag
+			header_down -alt-svc
+		}
+	}
+	encode zstd gzip
+}

caddy/docker-compose.yml

@@ -24,6 +24,7 @@ services:
       - /home/aosus/caddy/configs:/etc/caddy/configs:ro
       - data:/data
       - config:/config
+      - piped-proxy:/var/run/ytproxy
     networks:
       web:
       discourse:
@@ -33,4 +34,6 @@ configs:
 
 volumes:
   data:
-  config:
+  config:
+  piped_piped-proxy:
+    external: true

piped/config.properties

@@ -0,0 +1,41 @@
+# The port to Listen on.
+PORT: 8080
+
+# The number of workers to use for the server
+HTTP_WORKERS: 8
+
+# Proxy
+PROXY_PART: https://proxy.piped.aosus.link
+
+# Outgoing HTTP Proxy - eg: 127.0.0.1:8118
+#HTTP_PROXY: 127.0.0.1:8118
+
+# Captcha Parameters
+#CAPTCHA_BASE_URL: https://api.capmonster.cloud/
+#CAPTCHA_API_KEY: INSERT_HERE
+
+# Public API URL
+API_URL: https://api.piped.aosus.link
+
+# Public Frontend URL
+FRONTEND_URL: https://piped.aosus.link
+
+# Enable haveibeenpwned compromised password API
+COMPROMISED_PASSWORD_CHECK: true
+
+# Disable Registration
+DISABLE_REGISTRATION: false
+
+# Feed Retention Time in Days
+FEED_RETENTION: 30
+
+# Hibernate properties
+hibernate.connection.url: jdbc:postgresql://postgres:5432/piped
+hibernate.connection.driver_class: org.postgresql.Driver
+hibernate.dialect: org.hibernate.dialect.PostgreSQLDialect
+hibernate.connection.username: piped
+hibernate.connection.password: (piped_postgres_password)
+
+# Frontend configuration
+frontend.statusPageUrl:https://status.aosus.org
+frontend.donationUrl:https://opencollective.com/aosus

piped/config/Caddyfile

@@ -0,0 +1,47 @@
+(global) {
+	header {
+		# disable FLoC tracking
+		Permissions-Policy interest-cohort=()
+
+		# enable HSTS
+		Strict-Transport-Security max-age=31536000;
+
+		# keep referrer data off
+		Referrer-Policy no-referrer
+
+		# prevent for appearing in search engine for private instances (option)
+		#X-Robots-Tag noindex
+	}
+}
+
+piped.aosus.org {
+	reverse_proxy pipedfrontend:80
+	import global
+}
+
+api.piped.aosus.org {
+	reverse_proxy nginx:80
+	import global
+}
+
+proxy.piped.aosus.org {
+	@ytproxy path /videoplayback* /api/v4/* /api/manifest/*
+	import global
+
+	route {
+		header @ytproxy {
+			Cache-Control private always
+		}
+
+		header / {
+			Cache-Control "public, max-age=604800"
+		}
+
+		reverse_proxy unix//var/run/ytproxy/actix.sock {
+			header_up -CF-Connecting-IP
+			header_up -X-Forwarded-For
+			header_down -etag
+			header_down -alt-svc
+		}
+	}
+}

piped/config/nginx.conf

@@ -0,0 +1,31 @@
+user root;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /var/run/nginx.pid;
+
+
+events {
+    worker_connections 1024;
+}
+
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+    '$status $body_bytes_sent "$http_referer" '
+    '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log /var/log/nginx/access.log main;
+
+    sendfile on;
+    tcp_nodelay on;
+
+    keepalive_timeout 65;
+
+    resolver 127.0.0.11 ipv6=off valid=10s;
+
+    include /etc/nginx/conf.d/*.conf;
+}

piped/config/pipedapi.conf

@@ -0,0 +1,15 @@
+proxy_cache_path /tmp/pipedapi_cache levels=1:2 keys_zone=pipedapi:4m max_size=2g inactive=60m use_temp_path=off;
+
+server {
+    listen 80;
+    server_name api.piped.aosus.link;
+
+    set $backend "http://piped:8080";
+
+    location / {
+        proxy_cache pipedapi;
+        proxy_pass $backend;
+        proxy_http_version 1.1;
+        proxy_set_header Connection "keep-alive";
+    }
+}

piped/config/pipedfrontend.conf

@@ -0,0 +1,12 @@
+server {
+    listen 80;
+    server_name piped.aosus.link;
+
+    set $backend "http://pipedfrontend:80";
+
+    location / {
+        proxy_pass $backend;
+        proxy_http_version 1.1;
+        proxy_set_header Connection "keep-alive";
+    }
+}

piped/config/pipedproxy.conf

@@ -0,0 +1,14 @@
+server {
+    listen 80;
+    server_name proxy.piped.aosus.link;
+
+    location ~ (/videoplayback|/api/v4/|/api/manifest/) {
+        include snippets/ytproxy.conf;
+        add_header Cache-Control private always;
+    }
+
+    location / {
+        include snippets/ytproxy.conf;
+        add_header Cache-Control "public, max-age=604800";
+    }
+}

piped/config/ytproxy.conf

@@ -0,0 +1,18 @@
+proxy_buffering on;
+proxy_buffers 1024 16k;
+proxy_set_header X-Forwarded-For "";
+proxy_set_header CF-Connecting-IP "";
+proxy_hide_header "alt-svc";
+sendfile on;
+sendfile_max_chunk 512k;
+tcp_nopush on;
+aio threads=default;
+aio_write on;
+directio 16m;
+proxy_hide_header Cache-Control;
+proxy_hide_header etag;
+proxy_http_version 1.1;
+proxy_set_header Connection keep-alive;
+proxy_max_temp_file_size 32m;
+access_log off;
+proxy_pass http://unix:/var/run/ytproxy/actix.sock;