diff options
| author | Ryan Lahfa <masterancpp@gmail.com> | 2022-12-23 19:48:00 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-12-23 19:48:00 +0100 |
| commit | 2994edb9e4cb781e49201bd949c42f61fcf5ee03 (patch) | |
| tree | 2b3c7e9b108bfedbddf65520e106d162465c875a /nixos | |
| parent | 9938dec682124e16e88a078ce2ebd5ceed60fabc (diff) | |
| parent | 70437d1ad3da100fff0ee04a44cc67163ef09334 (diff) | |
Merge pull request #205955 from Izorkin/update-peertube
peertube: 4.3.1 -> 5.0.0
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/doc/manual/from_md/release-notes/rl-2305.section.xml | 20 | ||||
| -rw-r--r-- | nixos/doc/manual/release-notes/rl-2305.section.md | 6 | ||||
| -rw-r--r-- | nixos/modules/services/web-apps/peertube.nix | 121 | ||||
| -rw-r--r-- | nixos/tests/web-apps/peertube.nix | 7 |
4 files changed, 136 insertions, 18 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml index b410a660c5518..ab1a63c807991 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml @@ -290,6 +290,26 @@ </listitem> <listitem> <para> + <literal>services.peertube</literal> now requires you to + specify the secret file + <literal>secrets.secretsFile</literal>. It can be generated by + running <literal>openssl rand -hex 32</literal>. Before + upgrading, read the release notes for PeerTube: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <link xlink:href="https://github.com/Chocobozzz/PeerTube/releases/tag/v5.0.0">Release + v5.0.0</link> + </para> + </listitem> + </itemizedlist> + <para> + And backup your data. + </para> + </listitem> + <listitem> + <para> The module <literal>services.headscale</literal> was refactored to be compliant with <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md index 911575d8ab530..76e2a1f8b4329 100644 --- a/nixos/doc/manual/release-notes/rl-2305.section.md +++ b/nixos/doc/manual/release-notes/rl-2305.section.md @@ -80,6 +80,12 @@ In addition to numerous new and upgraded packages, this release has the followin - `mastodon` now supports connection to a remote `PostgreSQL` database. +- `services.peertube` now requires you to specify the secret file `secrets.secretsFile`. It can be generated by running `openssl rand -hex 32`. + Before upgrading, read the release notes for PeerTube: + - [Release v5.0.0](https://github.com/Chocobozzz/PeerTube/releases/tag/v5.0.0) + + And backup your data. + - The module `services.headscale` was refactored to be compliant with [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md). To be precise, this means that the following things have changed: - Most settings has been migrated under [services.headscale.settings](#opt-services.headscale.settings) which is an attribute-set that diff --git a/nixos/modules/services/web-apps/peertube.nix b/nixos/modules/services/web-apps/peertube.nix index 4dbcb09d2ae28..7e418f2869c85 100644 --- a/nixos/modules/services/web-apps/peertube.nix +++ b/nixos/modules/services/web-apps/peertube.nix @@ -161,6 +161,18 @@ in { description = lib.mdDoc "Configure nginx as a reverse proxy for peertube."; }; + secrets = { + secretsFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + example = "/run/secrets/peertube"; + description = lib.mdDoc '' + Secrets to run PeerTube. + Generate one using `openssl rand -hex 32` + ''; + }; + }; + database = { createLocally = lib.mkOption { type = lib.types.bool; @@ -201,7 +213,7 @@ in { passwordFile = lib.mkOption { type = lib.types.nullOr lib.types.path; default = null; - example = "/run/keys/peertube/password-posgressql-db"; + example = "/run/keys/peertube/password-postgresql"; description = lib.mdDoc "Password for PostgreSQL database."; }; }; @@ -282,6 +294,11 @@ in { prevent this. ''; } + { assertion = cfg.secrets.secretsFile != null; + message = '' + <option>services.peertube.secrets.secretsFile</option> needs to be set. + ''; + } { assertion = !(cfg.redis.enableUnixSocket && (cfg.redis.host != null || cfg.redis.port != null)); message = '' <option>services.peertube.redis.createLocally</option> and redis network connection (<option>services.peertube.redis.host</option> or <option>services.peertube.redis.port</option>) enabled. Disable either of them. @@ -349,6 +366,7 @@ in { captions = lib.mkDefault "/var/lib/peertube/storage/captions/"; cache = lib.mkDefault "/var/lib/peertube/storage/cache/"; plugins = lib.mkDefault "/var/lib/peertube/storage/plugins/"; + well_known = lib.mkDefault "/var/lib/peertube/storage/well_known/"; client_overrides = lib.mkDefault "/var/lib/peertube/storage/client-overrides/"; }; import = { @@ -417,6 +435,10 @@ in { #!/bin/sh umask 077 cat > /var/lib/peertube/config/local.yaml <<EOF + ${lib.optionalString (cfg.secrets.secretsFile != null) '' + secrets: + peertube: '$(cat ${cfg.secrets.secretsFile})' + ''} ${lib.optionalString ((!cfg.database.createLocally) && (cfg.database.passwordFile != null)) '' database: password: '$(cat ${cfg.database.passwordFile})' @@ -443,6 +465,7 @@ in { RestartSec = 20; TimeoutSec = 60; WorkingDirectory = cfg.package; + SyslogIdentifier = "peertube"; # User and group User = cfg.user; Group = cfg.group; @@ -548,9 +571,14 @@ in { ''; }; + locations."~ ^/plugins/[^/]+(/[^/]+)?/ws/" = { + tryFiles = "/dev/null @api_websocket"; + priority = 1230; + }; + locations."@api_websocket" = { proxyPass = "http://127.0.0.1:${toString cfg.listenHttp}"; - priority = 1230; + priority = 1240; extraConfig = '' proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; @@ -581,7 +609,7 @@ in { ''; }; - locations."~ ^/lazy-static/(avatars|banners)/" = { + locations."^~ /lazy-static/avatars/" = { tryFiles = "$uri @api"; root = cfg.settings.storage.avatars; priority = 1330; @@ -599,6 +627,26 @@ in { add_header Cache-Control 'public, max-age=7200'; rewrite ^/lazy-static/avatars/(.*)$ /$1 break; + ''; + }; + + locations."^~ /lazy-static/banners/" = { + tryFiles = "$uri @api"; + root = cfg.settings.storage.avatars; + priority = 1340; + extraConfig = '' + if ($request_method = 'OPTIONS') { + ${nginxCommonHeaders} + add_header Access-Control-Max-Age 1728000; + add_header Cache-Control 'no-cache'; + add_header Content-Type 'text/plain charset=UTF-8'; + add_header Content-Length 0; + return 204; + } + + ${nginxCommonHeaders} + add_header Cache-Control 'public, max-age=7200'; + rewrite ^/lazy-static/banners/(.*)$ /$1 break; ''; }; @@ -606,7 +654,7 @@ in { locations."^~ /lazy-static/previews/" = { tryFiles = "$uri @api"; root = cfg.settings.storage.previews; - priority = 1340; + priority = 1350; extraConfig = '' if ($request_method = 'OPTIONS') { ${nginxCommonHeaders} @@ -624,10 +672,34 @@ in { ''; }; + locations."^~ /static/streaming-playlists/private/" = { + proxyPass = "http://127.0.0.1:${toString cfg.listenHttp}"; + priority = 1410; + extraConfig = '' + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + + proxy_limit_rate 5M; + ''; + }; + + locations."^~ /static/webseed/private/" = { + proxyPass = "http://127.0.0.1:${toString cfg.listenHttp}"; + priority = 1420; + extraConfig = '' + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + + proxy_limit_rate 5M; + ''; + }; + locations."^~ /static/thumbnails/" = { tryFiles = "$uri @api"; root = cfg.settings.storage.thumbnails; - priority = 1350; + priority = 1430; extraConfig = '' if ($request_method = 'OPTIONS') { ${nginxCommonHeaders} @@ -648,8 +720,14 @@ in { locations."^~ /static/redundancy/" = { tryFiles = "$uri @api"; root = cfg.settings.storage.redundancy; - priority = 1360; + priority = 1440; extraConfig = '' + set $peertube_limit_rate 800k; + + if ($request_uri ~ -fragmented.mp4$) { + set $peertube_limit_rate 5M; + } + if ($request_method = 'OPTIONS') { ${nginxCommonHeaders} add_header Access-Control-Max-Age 1728000; @@ -662,15 +740,14 @@ in { access_log off; } + aio threads; sendfile on; sendfile_max_chunk 1M; + limit_rate $peertube_limit_rate; limit_rate_after 5M; - set $peertube_limit_rate 800k; - set $limit_rate $peertube_limit_rate; - rewrite ^/static/redundancy/(.*)$ /$1 break; ''; }; @@ -678,8 +755,14 @@ in { locations."^~ /static/streaming-playlists/" = { tryFiles = "$uri @api"; root = cfg.settings.storage.streaming_playlists; - priority = 1370; + priority = 1450; extraConfig = '' + set $peertube_limit_rate 800k; + + if ($request_uri ~ -fragmented.mp4$) { + set $peertube_limit_rate 5M; + } + if ($request_method = 'OPTIONS') { ${nginxCommonHeaders} add_header Access-Control-Max-Age 1728000; @@ -697,20 +780,24 @@ in { sendfile on; sendfile_max_chunk 1M; + limit_rate $peertube_limit_rate; limit_rate_after 5M; - set $peertube_limit_rate 5M; - set $limit_rate $peertube_limit_rate; - rewrite ^/static/streaming-playlists/(.*)$ /$1 break; ''; }; - locations."~ ^/static/webseed/" = { + locations."^~ /static/webseed/" = { tryFiles = "$uri @api"; root = cfg.settings.storage.videos; - priority = 1380; + priority = 1460; extraConfig = '' + set $peertube_limit_rate 800k; + + if ($request_uri ~ -fragmented.mp4$) { + set $peertube_limit_rate 5M; + } + if ($request_method = 'OPTIONS') { ${nginxCommonHeaders} add_header Access-Control-Max-Age 1728000; @@ -728,11 +815,9 @@ in { sendfile on; sendfile_max_chunk 1M; + limit_rate $peertube_limit_rate; limit_rate_after 5M; - set $peertube_limit_rate 800k; - set $limit_rate $peertube_limit_rate; - rewrite ^/static/webseed/(.*)$ /$1 break; ''; }; diff --git a/nixos/tests/web-apps/peertube.nix b/nixos/tests/web-apps/peertube.nix index ecc45bff2e2ca..0e5f39c08a023 100644 --- a/nixos/tests/web-apps/peertube.nix +++ b/nixos/tests/web-apps/peertube.nix @@ -41,6 +41,9 @@ import ../make-test-python.nix ({pkgs, ...}: server = { pkgs, ... }: { environment = { etc = { + "peertube/secrets-peertube".text = '' + 063d9c60d519597acef26003d5ecc32729083965d09181ef3949200cbe5f09ee + ''; "peertube/password-posgressql-db".text = '' 0gUN0C1mgST6czvjZ8T9 ''; @@ -67,6 +70,10 @@ import ../make-test-python.nix ({pkgs, ...}: localDomain = "peertube.local"; enableWebHttps = false; + secrets = { + secretsFile = "/etc/peertube/secrets-peertube"; + }; + database = { host = "192.168.2.10"; name = "peertube_local"; |