commit 2994edb9e4cb781e49201bd949c42f61fcf5ee03 · pyrox.dev/nixpkgs

+20

nixos/doc/manual/from_md/release-notes/rl-2305.section.xml

··· 290 290 </listitem> 291 291 <listitem> 292 292 <para> 293 + <literal>services.peertube</literal> now requires you to 294 + specify the secret file 295 + <literal>secrets.secretsFile</literal>. It can be generated by 296 + running <literal>openssl rand -hex 32</literal>. Before 297 + upgrading, read the release notes for PeerTube: 298 + </para> 299 + <itemizedlist spacing="compact"> 300 + <listitem> 301 + <para> 302 + <link xlink:href="https://github.com/Chocobozzz/PeerTube/releases/tag/v5.0.0">Release 303 + v5.0.0</link> 304 + </para> 305 + </listitem> 306 + </itemizedlist> 307 + <para> 308 + And backup your data. 309 + </para> 310 + </listitem> 311 + <listitem> 312 + <para> 293 313 The module <literal>services.headscale</literal> was 294 314 refactored to be compliant with 295 315 <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC

+6

nixos/doc/manual/release-notes/rl-2305.section.md

··· 80 80 81 81 - `mastodon` now supports connection to a remote `PostgreSQL` database. 82 82 83 + - `services.peertube` now requires you to specify the secret file `secrets.secretsFile`. It can be generated by running `openssl rand -hex 32`. 84 + Before upgrading, read the release notes for PeerTube: 85 + - [Release v5.0.0](https://github.com/Chocobozzz/PeerTube/releases/tag/v5.0.0) 86 + 87 + And backup your data. 88 + 83 89 - The module `services.headscale` was refactored to be compliant with [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md). To be precise, this means that the following things have changed: 84 90 85 91 - Most settings has been migrated under [services.headscale.settings](#opt-services.headscale.settings) which is an attribute-set that

+103 -18

nixos/modules/services/web-apps/peertube.nix

··· 161 161 description = lib.mdDoc "Configure nginx as a reverse proxy for peertube."; 162 162 }; 163 163 164 + secrets = { 165 + secretsFile = lib.mkOption { 166 + type = lib.types.nullOr lib.types.path; 167 + default = null; 168 + example = "/run/secrets/peertube"; 169 + description = lib.mdDoc '' 170 + Secrets to run PeerTube. 171 + Generate one using `openssl rand -hex 32` 172 + ''; 173 + }; 174 + }; 175 + 164 176 database = { 165 177 createLocally = lib.mkOption { 166 178 type = lib.types.bool; ··· 201 213 passwordFile = lib.mkOption { 202 214 type = lib.types.nullOr lib.types.path; 203 215 default = null; 204 - example = "/run/keys/peertube/password-posgressql-db"; 216 + example = "/run/keys/peertube/password-postgresql"; 205 217 description = lib.mdDoc "Password for PostgreSQL database."; 206 218 }; 207 219 }; ··· 282 294 prevent this. 283 295 ''; 284 296 } 297 + { assertion = cfg.secrets.secretsFile != null; 298 + message = '' 299 + <option>services.peertube.secrets.secretsFile</option> needs to be set. 300 + ''; 301 + } 285 302 { assertion = !(cfg.redis.enableUnixSocket && (cfg.redis.host != null || cfg.redis.port != null)); 286 303 message = '' 287 304 <option>services.peertube.redis.createLocally</option> and redis network connection (<option>services.peertube.redis.host</option> or <option>services.peertube.redis.port</option>) enabled. Disable either of them. ··· 349 366 captions = lib.mkDefault "/var/lib/peertube/storage/captions/"; 350 367 cache = lib.mkDefault "/var/lib/peertube/storage/cache/"; 351 368 plugins = lib.mkDefault "/var/lib/peertube/storage/plugins/"; 369 + well_known = lib.mkDefault "/var/lib/peertube/storage/well_known/"; 352 370 client_overrides = lib.mkDefault "/var/lib/peertube/storage/client-overrides/"; 353 371 }; 354 372 import = { ··· 417 435 #!/bin/sh 418 436 umask 077 419 437 cat > /var/lib/peertube/config/local.yaml <<EOF 438 + ${lib.optionalString (cfg.secrets.secretsFile != null) '' 439 + secrets: 440 + peertube: '$(cat ${cfg.secrets.secretsFile})' 441 + ''} 420 442 ${lib.optionalString ((!cfg.database.createLocally) && (cfg.database.passwordFile != null)) '' 421 443 database: 422 444 password: '$(cat ${cfg.database.passwordFile})' ··· 443 465 RestartSec = 20; 444 466 TimeoutSec = 60; 445 467 WorkingDirectory = cfg.package; 468 + SyslogIdentifier = "peertube"; 446 469 # User and group 447 470 User = cfg.user; 448 471 Group = cfg.group; ··· 548 571 ''; 549 572 }; 550 573 574 + locations."~ ^/plugins/[^/]+(/[^/]+)?/ws/" = { 575 + tryFiles = "/dev/null @api_websocket"; 576 + priority = 1230; 577 + }; 578 + 551 579 locations."@api_websocket" = { 552 580 proxyPass = "http://127.0.0.1:${toString cfg.listenHttp}"; 553 - priority = 1230; 581 + priority = 1240; 554 582 555 583 extraConfig = '' 556 584 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; ··· 581 609 ''; 582 610 }; 583 611 584 - locations."~ ^/lazy-static/(avatars|banners)/" = { 612 + locations."^~ /lazy-static/avatars/" = { 585 613 tryFiles = "$uri @api"; 586 614 root = cfg.settings.storage.avatars; 587 615 priority = 1330; ··· 599 627 add_header Cache-Control 'public, max-age=7200'; 600 628 601 629 rewrite ^/lazy-static/avatars/(.*)$ /$1 break; 630 + ''; 631 + }; 632 + 633 + locations."^~ /lazy-static/banners/" = { 634 + tryFiles = "$uri @api"; 635 + root = cfg.settings.storage.avatars; 636 + priority = 1340; 637 + extraConfig = '' 638 + if ($request_method = 'OPTIONS') { 639 + ${nginxCommonHeaders} 640 + add_header Access-Control-Max-Age 1728000; 641 + add_header Cache-Control 'no-cache'; 642 + add_header Content-Type 'text/plain charset=UTF-8'; 643 + add_header Content-Length 0; 644 + return 204; 645 + } 646 + 647 + ${nginxCommonHeaders} 648 + add_header Cache-Control 'public, max-age=7200'; 649 + 602 650 rewrite ^/lazy-static/banners/(.*)$ /$1 break; 603 651 ''; 604 652 }; ··· 606 654 locations."^~ /lazy-static/previews/" = { 607 655 tryFiles = "$uri @api"; 608 656 root = cfg.settings.storage.previews; 609 - priority = 1340; 657 + priority = 1350; 610 658 extraConfig = '' 611 659 if ($request_method = 'OPTIONS') { 612 660 ${nginxCommonHeaders} ··· 624 672 ''; 625 673 }; 626 674 675 + locations."^~ /static/streaming-playlists/private/" = { 676 + proxyPass = "http://127.0.0.1:${toString cfg.listenHttp}"; 677 + priority = 1410; 678 + extraConfig = '' 679 + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 680 + proxy_set_header Host $host; 681 + proxy_set_header X-Real-IP $remote_addr; 682 + 683 + proxy_limit_rate 5M; 684 + ''; 685 + }; 686 + 687 + locations."^~ /static/webseed/private/" = { 688 + proxyPass = "http://127.0.0.1:${toString cfg.listenHttp}"; 689 + priority = 1420; 690 + extraConfig = '' 691 + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 692 + proxy_set_header Host $host; 693 + proxy_set_header X-Real-IP $remote_addr; 694 + 695 + proxy_limit_rate 5M; 696 + ''; 697 + }; 698 + 627 699 locations."^~ /static/thumbnails/" = { 628 700 tryFiles = "$uri @api"; 629 701 root = cfg.settings.storage.thumbnails; 630 - priority = 1350; 702 + priority = 1430; 631 703 extraConfig = '' 632 704 if ($request_method = 'OPTIONS') { 633 705 ${nginxCommonHeaders} ··· 648 720 locations."^~ /static/redundancy/" = { 649 721 tryFiles = "$uri @api"; 650 722 root = cfg.settings.storage.redundancy; 651 - priority = 1360; 723 + priority = 1440; 652 724 extraConfig = '' 725 + set $peertube_limit_rate 800k; 726 + 727 + if ($request_uri ~ -fragmented.mp4$) { 728 + set $peertube_limit_rate 5M; 729 + } 730 + 653 731 if ($request_method = 'OPTIONS') { 654 732 ${nginxCommonHeaders} 655 733 add_header Access-Control-Max-Age 1728000; ··· 662 740 663 741 access_log off; 664 742 } 743 + 665 744 aio threads; 666 745 sendfile on; 667 746 sendfile_max_chunk 1M; 668 747 748 + limit_rate $peertube_limit_rate; 669 749 limit_rate_after 5M; 670 - 671 - set $peertube_limit_rate 800k; 672 - set $limit_rate $peertube_limit_rate; 673 750 674 751 rewrite ^/static/redundancy/(.*)$ /$1 break; 675 752 ''; ··· 678 755 locations."^~ /static/streaming-playlists/" = { 679 756 tryFiles = "$uri @api"; 680 757 root = cfg.settings.storage.streaming_playlists; 681 - priority = 1370; 758 + priority = 1450; 682 759 extraConfig = '' 760 + set $peertube_limit_rate 800k; 761 + 762 + if ($request_uri ~ -fragmented.mp4$) { 763 + set $peertube_limit_rate 5M; 764 + } 765 + 683 766 if ($request_method = 'OPTIONS') { 684 767 ${nginxCommonHeaders} 685 768 add_header Access-Control-Max-Age 1728000; ··· 697 780 sendfile on; 698 781 sendfile_max_chunk 1M; 699 782 783 + limit_rate $peertube_limit_rate; 700 784 limit_rate_after 5M; 701 785 702 - set $peertube_limit_rate 5M; 703 - set $limit_rate $peertube_limit_rate; 704 - 705 786 rewrite ^/static/streaming-playlists/(.*)$ /$1 break; 706 787 ''; 707 788 }; 708 789 709 - locations."~ ^/static/webseed/" = { 790 + locations."^~ /static/webseed/" = { 710 791 tryFiles = "$uri @api"; 711 792 root = cfg.settings.storage.videos; 712 - priority = 1380; 793 + priority = 1460; 713 794 extraConfig = '' 795 + set $peertube_limit_rate 800k; 796 + 797 + if ($request_uri ~ -fragmented.mp4$) { 798 + set $peertube_limit_rate 5M; 799 + } 800 + 714 801 if ($request_method = 'OPTIONS') { 715 802 ${nginxCommonHeaders} 716 803 add_header Access-Control-Max-Age 1728000; ··· 728 815 sendfile on; 729 816 sendfile_max_chunk 1M; 730 817 818 + limit_rate $peertube_limit_rate; 731 819 limit_rate_after 5M; 732 - 733 - set $peertube_limit_rate 800k; 734 - set $limit_rate $peertube_limit_rate; 735 820 736 821 rewrite ^/static/webseed/(.*)$ /$1 break; 737 822 '';

+7

nixos/tests/web-apps/peertube.nix

··· 41 41 server = { pkgs, ... }: { 42 42 environment = { 43 43 etc = { 44 + "peertube/secrets-peertube".text = '' 45 + 063d9c60d519597acef26003d5ecc32729083965d09181ef3949200cbe5f09ee 46 + ''; 44 47 "peertube/password-posgressql-db".text = '' 45 48 0gUN0C1mgST6czvjZ8T9 46 49 ''; ··· 66 69 enable = true; 67 70 localDomain = "peertube.local"; 68 71 enableWebHttps = false; 72 + 73 + secrets = { 74 + secretsFile = "/etc/peertube/secrets-peertube"; 75 + }; 69 76 70 77 database = { 71 78 host = "192.168.2.10";

+6 -6

pkgs/servers/peertube/default.nix

··· 6 6 if stdenv.hostPlatform.system == "x86_64-linux" then "linux-x64" 7 7 else throw "Unsupported architecture: ${stdenv.hostPlatform.system}"; 8 8 9 - bcrypt_version = "5.0.1"; 9 + bcrypt_version = "5.1.0"; 10 10 bcrypt_lib = fetchurl { 11 11 url = "https://github.com/kelektiv/node.bcrypt.js/releases/download/v${bcrypt_version}/bcrypt_lib-v${bcrypt_version}-napi-v3-${arch}-glibc.tar.gz"; 12 - hash = "sha256-3R3dBZyPansTuM77Nmm3f7BbTDkDdiT2HQIrti2Ottc="; 12 + hash = "sha256-I1ceMi7h6flvKBmMIU1qjAU1S6z5MzguHDul3g1zMKw="; 13 13 }; 14 14 15 15 in stdenv.mkDerivation rec { 16 16 pname = "peertube"; 17 - version = "4.3.1"; 17 + version = "5.0.0"; 18 18 19 19 src = fetchFromGitHub { 20 20 owner = "Chocobozzz"; 21 21 repo = "PeerTube"; 22 22 rev = "v${version}"; 23 - hash = "sha256-r3Bi7QLzDKo3/idEY7fYIxTJPULNvAS6hy19Hko2qHE="; 23 + hash = "sha256-Z2l0I/vVEx4ivC87N26QaUnQjySU/XRFW3biEwl7Od0="; 24 24 }; 25 25 26 26 yarnOfflineCacheServer = fetchYarnDeps { 27 27 yarnLock = "${src}/yarn.lock"; 28 - hash = "sha256-BimtZpU3aZepvlMfhJ/u0trk1rUsGlzjYk2G90fstII="; 28 + hash = "sha256-EVviTrgSZYsi68hJIlSC9ArQS3aVp6EQNKbkVx12WJk="; 29 29 }; 30 30 31 31 yarnOfflineCacheTools = fetchYarnDeps { ··· 35 35 36 36 yarnOfflineCacheClient = fetchYarnDeps { 37 37 yarnLock = "${src}/client/yarn.lock"; 38 - hash = "sha256-IKMu+gQa+d30+yXjHCu/oQOQXL6kTN9WxDI/Y5IL1E8="; 38 + hash = "sha256-ehA1W1bDXzApTpkWH7MEAQ9Ek73q3En76/LdvJhxh2Q="; 39 39 }; 40 40 41 41 nativeBuildInputs = [ brotli fixup_yarn_lock jq nodejs which yarn ];