Merge pull request #275439 from RaghavSood/nitter/guest-accounts

nitter: unstable-2023-10-31 -> unstable-2023-12-03 (guest accounts support)

5 files changed, 76 insertions, 15 deletions

diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md
index ddaf116649c15..b036f40f4dc80 100644
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -39,6 +39,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - `k9s` was updated to v0.29. There have been breaking changes in the config file format, check out the [changelog](https://github.com/derailed/k9s/releases/tag/v0.29.0) for details.
 
+- `nitter` requires a `guest_accounts.jsonl` to be provided as a path or loaded into the default location at `/var/lib/nitter/guest_accounts.jsonl`. See [Guest Account Branch Deployment](https://github.com/zedeus/nitter/wiki/Guest-Account-Branch-Deployment) for details.
+
 - Invidious has changed its default database username from `kemal` to `invidious`. Setups involving an externally provisioned database (i.e. `services.invidious.database.createLocally == false`) should adjust their configuration accordingly. The old `kemal` user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857)
 
 - `mkosi` was updated to v19. Parts of the user interface have changed. Consult the
diff --git a/nixos/modules/services/misc/nitter.nix b/nixos/modules/services/misc/nitter.nix
index c2c462d46bb5b..d2cf7c0de2b77 100644
--- a/nixos/modules/services/misc/nitter.nix
+++ b/nixos/modules/services/misc/nitter.nix
@@ -304,6 +304,23 @@ in
         '';
       };
 
+      guestAccounts = mkOption {
+        type = types.path;
+        default = "/var/lib/nitter/guest_accounts.jsonl";
+        description = lib.mdDoc ''
+          Path to the guest accounts file.
+
+          This file contains a list of guest accounts that can be used to
+          access the instance without logging in. The file is in JSONL format,
+          where each line is a JSON object with the following fields:
+
+          {"oauth_token":"some_token","oauth_token_secret":"some_secret_key"}
+
+          See https://github.com/zedeus/nitter/wiki/Guest-Account-Branch-Deployment
+          for more information on guest accounts and how to generate them.
+        '';
+      };
+
       redisCreateLocally = mkOption {
         type = types.bool;
         default = true;
@@ -333,8 +350,12 @@ in
         after = [ "network-online.target" ];
         serviceConfig = {
           DynamicUser = true;
+          LoadCredential="guestAccountsFile:${cfg.guestAccounts}";
           StateDirectory = "nitter";
-          Environment = [ "NITTER_CONF_FILE=/var/lib/nitter/nitter.conf" ];
+          Environment = [
+            "NITTER_CONF_FILE=/var/lib/nitter/nitter.conf"
+            "NITTER_ACCOUNTS_FILE=%d/guestAccountsFile"
+          ];
           # Some parts of Nitter expect `public` folder in working directory,
           # see https://github.com/zedeus/nitter/issues/414
           WorkingDirectory = "${cfg.package}/share/nitter";
diff --git a/nixos/tests/nitter.nix b/nixos/tests/nitter.nix
index 8bc55ba8c69fc..114f1aac7c7af 100644
--- a/nixos/tests/nitter.nix
+++ b/nixos/tests/nitter.nix
@@ -1,13 +1,28 @@
 import ./make-test-python.nix ({ pkgs, ... }:
 
+let
+  # In a real deployment this should naturally not common from the nix store
+  # and be seeded via agenix or as a non-nix managed file.
+  #
+  # These credentials are from the nitter wiki and are expired. We must provide
+  # credentials in the correct format, otherwise nitter fails to start. They
+  # must not be valid, as unauthorized errors are handled gracefully.
+  guestAccountFile = pkgs.writeText "guest_accounts.jsonl" ''
+    {"oauth_token":"1719213587296620928-BsXY2RIJEw7fjxoNwbBemgjJhueK0m","oauth_token_secret":"N0WB0xhL4ng6WTN44aZO82SUJjz7ssI3hHez2CUhTiYqy"}
+  '';
+in
 {
   name = "nitter";
   meta.maintainers = with pkgs.lib.maintainers; [ erdnaxe ];
 
   nodes.machine = {
-    services.nitter.enable = true;
-    # Test CAP_NET_BIND_SERVICE
-    services.nitter.server.port = 80;
+    services.nitter = {
+      enable = true;
+      # Test CAP_NET_BIND_SERVICE
+      server.port = 80;
+      # Provide dummy guest accounts
+      guestAccounts = guestAccountFile;
+    };
   };
 
   testScript = ''
diff --git a/pkgs/by-name/ni/nitter/lock.json b/pkgs/by-name/ni/nitter/lock.json
index 5e059f869af09..2a9106dc9ff42 100644
--- a/pkgs/by-name/ni/nitter/lock.json
+++ b/pkgs/by-name/ni/nitter/lock.json
@@ -62,11 +62,11 @@
       "packages": [
         "jsony"
       ],
-      "path": "/nix/store/bzcq8q439rdsqhhihikzv3rsx4l4ybdm-source",
-      "rev": "ea811be",
-      "sha256": "1720iqsxjhqmhw1zhhs7d2ncdz25r8fqadls1p1iry1wfikjlnba",
+      "path": "/nix/store/l84av0wdc0s4r4alsvkaxcxhpd6j4bzg-source",
+      "rev": "1de1f08",
+      "sha256": "0rj205cs3v6g80h8ys9flbdq4wyd1csmkwdxv0lz21972zcsrcfh",
       "srcDir": "src",
-      "url": "https://github.com/treeform/jsony/archive/ea811be.tar.gz"
+      "url": "https://github.com/treeform/jsony/archive/1de1f08.tar.gz"
     },
     {
       "method": "fetchzip",
@@ -95,11 +95,22 @@
       "packages": [
         "nimcrypto"
       ],
-      "path": "/nix/store/dnj20qh97ylf57nka9wbxs735wbw7yxv-source",
-      "rev": "4014ef9",
-      "sha256": "1kgqr2lqaffglc1fgbanwcvhkqcbbd20d5b6w4lf0nksfl9c357a",
+      "path": "/nix/store/zyr8zwh7vaiycn1s4r8cxwc71f2k5l0h-source",
+      "rev": "a079df9",
+      "sha256": "1dmdmgb6b9m5f8dyxk781nnd61dsk3hdxqks7idk9ncnpj9fng65",
       "srcDir": "",
-      "url": "https://github.com/cheatfate/nimcrypto/archive/4014ef9.tar.gz"
+      "url": "https://github.com/cheatfate/nimcrypto/archive/a079df9.tar.gz"
+    },
+    {
+      "method": "fetchzip",
+      "packages": [
+        "oauth"
+      ],
+      "path": "/nix/store/bwmrrzs6xpwizmww35461x3lqpgd0942-source",
+      "rev": "b8c163b",
+      "sha256": "0k5slyzjngbdr6g0b0dykhqmaf8r8n2klbkg2gpid4ckm8hg62v5",
+      "srcDir": "src",
+      "url": "https://github.com/CORDEA/oauth/archive/b8c163b.tar.gz"
     },
     {
       "method": "fetchzip",
@@ -159,6 +170,18 @@
     {
       "method": "fetchzip",
       "packages": [
+        "sha1"
+      ],
+      "path": "/nix/store/a6a0ycxsaxpqks42aq9wicj8ars7z7ai-source",
+      "ref": "master",
+      "rev": "92ccc5800bb0ac4865b275a2ce3c1544e98b48bc",
+      "sha256": "00zvvd8ssy22srg74xzapknmgmi82v534npjdrk5805shswfhqdm",
+      "srcDir": "",
+      "url": "https://github.com/onionhammer/sha1/archive/92ccc5800bb0ac4865b275a2ce3c1544e98b48bc.tar.gz"
+    },
+    {
+      "method": "fetchzip",
+      "packages": [
         "supersnappy"
       ],
       "path": "/nix/store/kibhdjpd3mvn9adsp67amj35a7zrnk6y-source",
diff --git a/pkgs/by-name/ni/nitter/package.nix b/pkgs/by-name/ni/nitter/package.nix
index 6b63037e103d4..d3fc03b25acea 100644
--- a/pkgs/by-name/ni/nitter/package.nix
+++ b/pkgs/by-name/ni/nitter/package.nix
@@ -8,13 +8,13 @@
 
 buildNimPackage (finalAttrs: prevAttrs: {
   pname = "nitter";
-  version = "unstable-2023-10-31";
+  version = "unstable-2023-12-03";
 
   src = fetchFromGitHub {
     owner = "zedeus";
     repo = "nitter";
-    rev = "b62d73dbd373f08af07c7a79efcd790d3bc1a49c";
-    hash = "sha256-yCD7FbqWZMY0fyFf9Q3Ka06nw5Ha7jYLpmPONAhEVIM=";
+    rev = "583c858cdf3486451ed6a0627640844f27009dbe";
+    hash = "sha256-3E6nfmOFhQ2bjwGMWdTmZ38Fg/SE36s6fxYDXwSJaTw=";
   };
 
   lockFile = ./lock.json;