From 1915c85b9efb31c766281e0377ef08690a5f1e0b Mon Sep 17 00:00:00 2001 From: Izorkin Date: Tue, 13 Dec 2022 19:43:30 +0300 Subject: peertube: 4.3.1 -> 5.0.0 --- nixos/modules/services/web-apps/peertube.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'nixos') diff --git a/nixos/modules/services/web-apps/peertube.nix b/nixos/modules/services/web-apps/peertube.nix index 4dbcb09d2ae28..cd7ece51f83ec 100644 --- a/nixos/modules/services/web-apps/peertube.nix +++ b/nixos/modules/services/web-apps/peertube.nix @@ -349,6 +349,7 @@ in { captions = lib.mkDefault "/var/lib/peertube/storage/captions/"; cache = lib.mkDefault "/var/lib/peertube/storage/cache/"; plugins = lib.mkDefault "/var/lib/peertube/storage/plugins/"; + well_known = lib.mkDefault "/var/lib/peertube/storage/well_known/"; client_overrides = lib.mkDefault "/var/lib/peertube/storage/client-overrides/"; }; import = { -- cgit 1.4.1 From 32673128e560e76c642ac5fd07fa60f174beaf5a Mon Sep 17 00:00:00 2001 From: Izorkin Date: Tue, 13 Dec 2022 21:02:09 +0300 Subject: nixos/peertube: update nginx configuration --- nixos/modules/services/web-apps/peertube.nix | 96 +++++++++++++++++++++++----- 1 file changed, 79 insertions(+), 17 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/web-apps/peertube.nix b/nixos/modules/services/web-apps/peertube.nix index cd7ece51f83ec..170bc700f7757 100644 --- a/nixos/modules/services/web-apps/peertube.nix +++ b/nixos/modules/services/web-apps/peertube.nix @@ -549,9 +549,14 @@ in { ''; }; + locations."~ ^/plugins/[^/]+(/[^/]+)?/ws/" = { + tryFiles = "/dev/null @api_websocket"; + priority = 1230; + }; + locations."@api_websocket" = { proxyPass = "http://127.0.0.1:${toString cfg.listenHttp}"; - priority = 1230; + priority = 1240; extraConfig = '' proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
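Review bot: The new `~ ^/plugins/[^/]+(/[^/]+)?/ws/` location uses `tryFiles = "/dev/null @api_websocket";` with no explanation, and the idiom is easy to misread as a mistake. A one-line comment above it would help, for example `# "/dev/null" never exists under the document root, so every plugin WebSocket request is handed to @api_websocket`. Since this is a regex location, which one matches depends on its order among the other regex locations, so it is also worth noting next to `priority = 1230;` why it sits directly before `@api_websocket`. The `@api_websocket` block it hands off to continues outside the hunk.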
@@ -582,7 +587,7 @@ in { ''; }; - locations."~ ^/lazy-static/(avatars|banners)/" = { + locations."^~ /lazy-static/avatars/" = { tryFiles = "$uri @api"; root = cfg.settings.storage.avatars; priority = 1330; @@ -600,6 +605,26 @@ in { add_header Cache-Control 'public, max-age=7200'; rewrite ^/lazy-static/avatars/(.*)$ /$1 break; + ''; + }; + + locations."^~ /lazy-static/banners/" = { + tryFiles = "$uri @api"; + root = cfg.settings.storage.avatars; + priority = 1340; + extraConfig = '' + if ($request_method = 'OPTIONS') { + ${nginxCommonHeaders} + add_header Access-Control-Max-Age 1728000; + add_header Cache-Control 'no-cache'; + add_header Content-Type 'text/plain charset=UTF-8'; + add_header Content-Length 0; + return 204; + } + + ${nginxCommonHeaders} + add_header Cache-Control 'public, max-age=7200'; + rewrite ^/lazy-static/banners/(.*)$ /$1 break; ''; }; @@ -607,7 +632,7 @@ in { locations."^~ /lazy-static/previews/" = { tryFiles = "$uri @api"; root = cfg.settings.storage.previews; - priority = 1340; + priority = 1350; extraConfig = '' if ($request_method = 'OPTIONS') { ${nginxCommonHeaders} 
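Review bot: In the added `^~ /lazy-static/banners/` location, `root = cfg.settings.storage.avatars;` reads like a copy-paste leftover from the avatars block directly above it. If banners really are stored in the avatars directory (the removed combined `(avatars|banners)` location suggests so, and no banners storage key is visible in this patch), say so in a comment such as `# banners live in the avatars storage directory; there is no separate storage key`; otherwise point `root` at the right directory. Separately, `add_header Content-Type 'text/plain charset=UTF-8';` in the OPTIONS branch lacks the `;` between media type and parameter, so the intended value is `'text/plain; charset=UTF-8'`.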
@@ -625,10 +650,34 @@ in { ''; }; + locations."^~ /static/streaming-playlists/private/" = { + proxyPass = "http://127.0.0.1:${toString cfg.listenHttp}"; + priority = 1410; + extraConfig = '' + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + + proxy_limit_rate 5M; + ''; + }; + + locations."^~ /static/webseed/private/" = { + proxyPass = "http://127.0.0.1:${toString cfg.listenHttp}"; + priority = 1420; + extraConfig = '' + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + + proxy_limit_rate 5M; + ''; + }; + locations."^~ /static/thumbnails/" = { tryFiles = "$uri @api"; root = cfg.settings.storage.thumbnails; - priority = 1350; + priority = 1430; extraConfig = '' if ($request_method = 'OPTIONS') { ${nginxCommonHeaders} @@ -649,8 +698,14 @@ in { locations."^~ /static/redundancy/" = { tryFiles = "$uri @api"; root = cfg.settings.storage.redundancy; - priority = 1360; + priority = 1440; extraConfig = '' + set $peertube_limit_rate 800k; + + if ($request_uri ~ -fragmented.mp4$) { + set $peertube_limit_rate 5M; + } + if ($request_method = 'OPTIONS') { ${nginxCommonHeaders} add_header Access-Control-Max-Age 1728000; @@ -663,15 +718,14 @@ in { access_log off; } + aio threads; sendfile on; sendfile_max_chunk 1M; + limit_rate $peertube_limit_rate; limit_rate_after 5M; - set $peertube_limit_rate 800k; - set $limit_rate $peertube_limit_rate; - rewrite ^/static/redundancy/(.*)$ /$1 break; ''; }; @@ -679,8 +733,14 @@ in { locations."^~ /static/streaming-playlists/" = { tryFiles = "$uri @api"; root = cfg.settings.storage.streaming_playlists; - priority = 1370; + priority = 1450; extraConfig = '' + set $peertube_limit_rate 800k; + + if ($request_uri ~ -fragmented.mp4$) { + set $peertube_limit_rate 5M; + } + if ($request_method = 'OPTIONS') { ${nginxCommonHeaders} add_header Access-Control-Max-Age 1728000; 
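Review bot: The two added `private/` locations carry no comment saying why they are proxied instead of served with `tryFiles` from disk, and that reason is the security-relevant part of this hunk. `^~ /static/streaming-playlists/private/` and `^~ /static/webseed/private/` take precedence over the public `/static/streaming-playlists/` and `/static/webseed/` blocks only through nginx's location-matching rules (longest prefix, with `^~` suppressing the regex search), so a later edit that drops the `^~` or shortens a prefix could let nginx answer those requests straight from `root`. I would add a comment above each block along the lines of `# private files must always reach the PeerTube backend (presumably so it can authorise the request); never serve them from disk`. The two `extraConfig` bodies are identical, so a shared `let` binding would keep them from drifting apart.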
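Review bot: `if ($request_uri ~ -fragmented.mp4$)` in the `/static/redundancy/` block selects the 5M tier from text the client controls, because `$request_uri` includes the query string and the `.` is an unescaped wildcard. A request whose query string happens to end in that suffix gets the higher limit whatever file is served, while a genuine fragmented file requested with any query string falls back to 800k. Matching the normalised path keeps the decision tied to the file: `if ($uri ~ -fragmented\.mp4$) {`; the `if` is evaluated before the `rewrite` at the end of the block, so `$uri` still holds the original path at that point. The same condition is added in the `/static/streaming-playlists/` hunk that follows and in the `/static/webseed/` hunk after it.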
@@ -698,20 +758,24 @@ in { sendfile on; sendfile_max_chunk 1M; + limit_rate $peertube_limit_rate; limit_rate_after 5M; - set $peertube_limit_rate 5M; - set $limit_rate $peertube_limit_rate; - rewrite ^/static/streaming-playlists/(.*)$ /$1 break; ''; }; - locations."~ ^/static/webseed/" = { + locations."^~ /static/webseed/" = { tryFiles = "$uri @api"; root = cfg.settings.storage.videos; - priority = 1380; + priority = 1460; extraConfig = '' + set $peertube_limit_rate 800k; + + if ($request_uri ~ -fragmented.mp4$) { + set $peertube_limit_rate 5M; + } + if ($request_method = 'OPTIONS') { ${nginxCommonHeaders} add_header Access-Control-Max-Age 1728000; @@ -729,11 +793,9 @@ in { sendfile on; sendfile_max_chunk 1M; + limit_rate $peertube_limit_rate; limit_rate_after 5M; - set $peertube_limit_rate 800k; - set $limit_rate $peertube_limit_rate; - rewrite ^/static/webseed/(.*)$ /$1 break; ''; }; -- cgit 1.4.1 From 9195f02b49e238e6444c3da006f21c489ab5d970 Mon Sep 17 00:00:00 2001 From: Izorkin Date: Tue, 13 Dec 2022 22:07:10 +0300 Subject: nixos/peertube: add secretsFile option --- nixos/modules/services/web-apps/peertube.nix | 21 +++++++++++++++++++++ nixos/tests/web-apps/peertube.nix | 7 +++++++ 2 files changed, 28 insertions(+) (limited to 'nixos') diff --git a/nixos/modules/services/web-apps/peertube.nix b/nixos/modules/services/web-apps/peertube.nix index 170bc700f7757..c01bfca173a1a 100644 --- a/nixos/modules/services/web-apps/peertube.nix +++ b/nixos/modules/services/web-apps/peertube.nix @@ -161,6 +161,18 @@ in { description = lib.mdDoc "Configure nginx as a reverse proxy for peertube."; }; + secrets = { + secretsFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + example = "/run/secrets/peertube"; + description = lib.mdDoc '' + Secrets to run PeerTube. + Generate one using `openssl rand -hex 32` + ''; + }; + }; + database = { createLocally = lib.mkOption { type = lib.types.bool; 
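Review bot: The `secretsFile` description does not say that the file has to live outside the Nix store, and with `lib.types.path` a path literal such as `./peertube-secret` may end up copied into the world-readable store when it is interpolated. I would extend the text to something like `Path to a file holding the PeerTube secret. It must be readable by the PeerTube user and must not be in the Nix store; pass it as a string, not a path literal.` The current wording "Generate one using `openssl rand -hex 32`" also leaves open whether the file should contain the bare hex string or a key/value line, so one sentence on the expected contents would help. How the option is consumed is not visible in this hunk.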
@@ -282,6 +294,11 @@ in { prevent this. ''; } + { assertion = cfg.secrets.secretsFile != null; + message = '' + needs to be set. + ''; + } { assertion = !(cfg.redis.enableUnixSocket && (cfg.redis.host != null || cfg.redis.port != null)); message = '' and redis network connection ( or ) enabled. Disable either of them. @@ -418,6 +435,10 @@ in { #!/bin/sh umask 077 cat > /var/lib/peertube/config/local.yaml < Date: Wed, 21 Dec 2022 14:49:26 +0300 Subject: nixos/peertube: fix typo --- nixos/modules/services/web-apps/peertube.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/services/web-apps/peertube.nix b/nixos/modules/services/web-apps/peertube.nix index c01bfca173a1a..347807f40bff4 100644 --- a/nixos/modules/services/web-apps/peertube.nix +++ b/nixos/modules/services/web-apps/peertube.nix @@ -213,7 +213,7 @@ in { passwordFile = lib.mkOption { type = lib.types.nullOr lib.types.path; default = null; - example = "/run/keys/peertube/password-posgressql-db"; + example = "/run/keys/peertube/password-postgresql"; description = lib.mdDoc "Password for PostgreSQL database."; }; }; -- cgit 1.4.1 From 37bea1a0893a92c4913d50bea4a72eadc1b1be28 Mon Sep 17 00:00:00 2001 From: Izorkin Date: Wed, 21 Dec 2022 14:54:04 +0300 Subject: nixos/peertube: add SyslogIdentifier --- nixos/modules/services/web-apps/peertube.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'nixos') diff --git a/nixos/modules/services/web-apps/peertube.nix b/nixos/modules/services/web-apps/peertube.nix index 347807f40bff4..7e418f2869c85 100644 --- a/nixos/modules/services/web-apps/peertube.nix +++ b/nixos/modules/services/web-apps/peertube.nix @@ -465,6 +465,7 @@ in { RestartSec = 20; TimeoutSec = 60; WorkingDirectory = cfg.package; + SyslogIdentifier = "peertube"; # User and group User = cfg.user; Group = cfg.group; -- cgit 1.4.1 From 70437d1ad3da100fff0ee04a44cc67163ef09334 Mon Sep 17 00:00:00 2001 
From: Izorkin Date: Thu, 22 Dec 2022 22:06:24 +0300 Subject: nixos/peertube: add release notes --- .../manual/from_md/release-notes/rl-2305.section.xml | 20 ++++++++++++++++++++ nixos/doc/manual/release-notes/rl-2305.section.md | 6 ++++++ 2 files changed, 26 insertions(+) (limited to 'nixos') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml index b410a660c5518..ab1a63c807991 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml @@ -288,6 +288,26 @@ remote PostgreSQL database. + + + services.peertube now requires you to + specify the secret file + secrets.secretsFile. It can be generated by + running openssl rand -hex 32. Before + upgrading, read the release notes for PeerTube: + + + + + Release + v5.0.0 + + + + + And backup your data. + + The module services.headscale was diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md index 911575d8ab530..76e2a1f8b4329 100644 --- a/nixos/doc/manual/release-notes/rl-2305.section.md +++ b/nixos/doc/manual/release-notes/rl-2305.section.md 
@@ -80,6 +80,12 @@ In addition to numerous new and upgraded packages, this release has the followin - `mastodon` now supports connection to a remote `PostgreSQL` database. +- `services.peertube` now requires you to specify the secret file `secrets.secretsFile`. It can be generated by running `openssl rand -hex 32`. + Before upgrading, read the release notes for PeerTube: + - [Release v5.0.0](https://github.com/Chocobozzz/PeerTube/releases/tag/v5.0.0) + + And backup your data. + - The module `services.headscale` was refactored to be compliant with [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md). To be precise, this means that the following things have changed: - Most settings has been migrated under [services.headscale.settings](#opt-services.headscale.settings) which is an attribute-set that -- cgit 1.4.1