upgrade peertube

This commit is contained in:
Emmanuel Garette 2022-10-17 18:17:28 +02:00
parent 856607fc52
commit 8b3bcd14a1
7 changed files with 150 additions and 78 deletions

7
seed/peertube/UPGRADE.md Normal file
View file

@ -0,0 +1,7 @@
peertube-plugin-auth-openid-connect
===================================
Modify version in:
- peertube/manual/image/postinstall/peertube.sh
- peertube/templates/peertube.service
- peertube/dictionaries/30_peertube.xml

View file

@ -63,7 +63,7 @@
<fill name="calc_oauth2_client_external">
<param type="variable">revprox_client_external_domainnames</param>
<param type="variable">revprox_client_location</param>
<param>plugins/auth-openid-connect/0.0.7/auth/openid-connect</param>
<param>plugins/auth-openid-connect/0.1.0/auth/openid-connect</param>
<target>oauth2_client_external</target>
</fill>
<fill name="calc_value">

View file

@ -1,60 +0,0 @@
--- peertube_plugins/node_modules/peertube-plugin-auth-openid-connect/main.js
+++ peertube_plugins/node_modules/peertube-plugin-auth-openid-connect/main.js
@@ -110,6 +110,14 @@ async function register ({
descriptionHTML: 'Will only allow login for users whose group array contains this group'
})
+ registerSetting({
+ name: 'signature-algorithm',
+ label: 'Token signature algorithm',
+ type: 'input',
+ private: true,
+ default: 'RS256'
+ })
+
const router = getRouter()
router.use('/code-cb', (req, res) => handleCb(peertubeHelpers, settingsManager, req, res))
@@ -159,7 +167,8 @@ async function loadSettingsAndCreateClient (registerExternalAuth, unregisterExte
'scope',
'discover-url',
'client-id',
- 'client-secret'
+ 'client-secret',
+ 'signature-algorithm'
])
if (!settings['discover-url']) {
@@ -188,6 +197,8 @@ async function loadSettingsAndCreateClient (registerExternalAuth, unregisterExte
} else {
clientOptions.token_endpoint_auth_method = 'none'
}
+ clientOptions.id_token_signed_response_alg = settings['signature-algorithm']
+ clientOptions.authorization_signed_response_alg = settings['signature-algorithm']
store.client = new issuer.Client(clientOptions)
--- peertube/dist/server/helpers/custom-validators/activitypub/actor.js.ori 2022-04-06 13:58:17.752681849 +0000
+++ peertube/dist/server/helpers/custom-validators/activitypub/actor.js 2022-04-06 13:58:22.268682531 +0000
@@ -43,8 +43,8 @@
function isActorPrivateKeyValid(privateKey) {
return (0, misc_1.exists)(privateKey) &&
typeof privateKey === 'string' &&
- privateKey.startsWith('-----BEGIN RSA PRIVATE KEY-----') &&
- privateKey.includes('-----END RSA PRIVATE KEY-----') &&
+ privateKey.startsWith('-----BEGIN PRIVATE KEY-----') &&
+ privateKey.includes('-----END PRIVATE KEY-----') &&
validator_1.default.isLength(privateKey, constants_1.CONSTRAINTS_FIELDS.ACTORS.PRIVATE_KEY);
}
exports.isActorPrivateKeyValid = isActorPrivateKeyValid;
--- peertube/node_modules/pem/lib/pem.js.ori 2022-04-06 13:59:36.232693763 +0000
+++ peertube/node_modules/pem/lib/pem.js 2022-04-06 13:59:48.916695687 +0000
@@ -74,7 +74,7 @@
params.push(keyBitsize)
- openssl.exec(params, 'RSA PRIVATE KEY', function (sslErr, key) {
+ openssl.exec(params, 'PRIVATE KEY', function (sslErr, key) {
function done (err) {
if (err) {
return callback(err)

View file

@ -8,7 +8,7 @@ echo "nameserver 9.9.9.9" > /etc/resolv.conf
PLUGINS_DIR=$PLUGINS_DIR
mkdir -p "\$PLUGINS_DIR"
cd "\$PLUGINS_DIR"
yarn add peertube-plugin-auth-openid-connect@0.0.7 --production
yarn add peertube-plugin-auth-openid-connect@0.1.0 --production
mkdir -p "\$PLUGINS_DIR/data/peertube-plugin-auth-openid-connect"
chown peertube: "\$PLUGINS_DIR/data"
chown peertube: "\$PLUGINS_DIR/data/peertube-plugin-auth-openid-connect"
@ -23,5 +23,5 @@ rmdir "$IMAGE_NAME_RISOTTO_IMAGE_DIR/proc/self/"
rm -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR$PLUGINS_DIR/.."
patch -p0 < "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/peertube.patch"
#patch -p0 < "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/peertube.patch"
cd -

View file

@ -1,3 +1,4 @@
PKG="$PKG peertube yarnpkg"
PKG="$PKG peertube peertube-tools yarnpkg"
#PKG="$PKG peertube yarnpkg"
COPR="https://copr.fedorainfracloud.org/coprs/daftaupe/peertube/repo/fedora-36/daftaupe-peertube-fedora-36.repo"
FUSION=true

View file

@ -2,4 +2,4 @@
Environment=PGPASSFILE=/usr/local/lib/secrets/postgresql.pass
ExecStartPost=+/usr/bin/timeout 90 sh -c 'while ! /usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "SELECT * FROM plugin;"; do sleep 1; done'
ExecStartPost=+/usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "DELETE FROM plugin;"
ExecStartPost=+/usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "INSERT INTO plugin (name, type, version, enabled, uninstalled, \"peertubeEngine\", description, homepage, settings, \"createdAt\", \"updatedAt\") VALUES ('auth-openid-connect', '1', '0.0.7', true, false, '>=2.2.0', 'Add OpenID connect support to login form in PeerTube.', 'https://framagit.org/framasoft/peertube/official-plugins/tree/master/peertube-plugin-auth-openid-connect', '{\"scope\": \"openid email profile\", \"client-id\": \"%%oauth2_client_id\", \"discover-url\": \"https://%%oauth2_client_server_domainname/.well-known/openid-configuration\", \"client-secret\": \"%%oauth2_client_secret\", \"mail-property\": \"email\", \"auth-display-name\": \"OpenID Connect\", \"username-property\": \"nickname\", \"signature-algorithm\": \"%%oauth2_client_token_signature_algo\", \"display-name-property\": \"email\"}', '2022-04-05 18:12:34.832+02', '2022-04-05 18:12:34.832+02')"
ExecStartPost=+/usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "INSERT INTO plugin (name, type, version, enabled, uninstalled, \"peertubeEngine\", description, homepage, settings, \"createdAt\", \"updatedAt\") VALUES ('auth-openid-connect', '1', '0.1.0', true, false, '>=2.2.0', 'Add OpenID connect support to login form in PeerTube.', 'https://framagit.org/framasoft/peertube/official-plugins/tree/master/peertube-plugin-auth-openid-connect', '{\"scope\": \"openid email profile\", \"client-id\": \"%%oauth2_client_id\", \"discover-url\": \"https://%%oauth2_client_server_domainname/.well-known/openid-configuration\", \"client-secret\": \"%%oauth2_client_secret\", \"mail-property\": \"email\", \"auth-display-name\": \"OpenID Connect\", \"username-property\": \"nickname\", \"signature-algorithm\": \"%%oauth2_client_token_signature_algo\", \"display-name-property\": \"email\"}', '2022-04-05 18:12:34.832+02', '2022-04-05 18:12:34.832+02')"

View file

@ -28,6 +28,10 @@ rates_limit:
# 3 attempts in 5 min
window: 5 minutes
max: 3
receive_client_log:
# 10 attempts in 10 min
window: 10 minutes
max: 10
# Proxies to trust to get real client IP
# If you run PeerTube just behind a local proxy (nginx), keep 'loopback'
@ -49,7 +53,7 @@ database:
# Redis server for short time storage
# You can also specify a 'socket' path to a unix socket but first need to
# comment out hostname and port
# set 'hostname' and 'port' to null
redis:
hostname: '%%redis_client_server_domainname'
port: 6379
@ -95,11 +99,13 @@ defaults:
licence: null
p2p:
# Enable P2P by default
# Enable P2P by default in PeerTube client
# Can be enabled/disabled by anonymous users and logged in users
webapp:
enabled: true
# Enable P2P by default in PeerTube embed
# Can be enabled/disabled by URL option
embed:
enabled: true
@ -138,6 +144,9 @@ object_storage:
region: 'us-east-1'
# Set this ACL on each uploaded object
upload_acl: 'public-read'
credentials:
# You can also use AWS_ACCESS_KEY_ID env variable
access_key_id: ''
@ -145,7 +154,10 @@ object_storage:
secret_access_key: ''
# Maximum amount to upload in one request to object storage
# GNUNUX max_upload_part: 100MB
#>GNUNUX
max_upload_part: 2GB
#<GNUNUX
streaming_playlists:
bucket_name: 'streaming-playlists'
@ -165,20 +177,46 @@ object_storage:
log:
level: 'info' # 'debug' | 'info' | 'warn' | 'error'
rotation:
# GNUNUX enabled : true # Enabled by default, if disabled make sure that 'storage.logs' is pointing to a folder handled by logrotate
#>GNUNUX
enabled : false # Enabled by default, if disabled make sure that 'storage.logs' is pointing to a folder handled by logrotate
#<GNUNUX
max_file_size: 12MB
max_files: 20
anonymize_ip: false
log_ping_requests: true
log_tracker_unknown_infohash: true
prettify_sql: false
# Accept warn/error logs coming from the client
accept_client_log: true
# Highly experimental support of Open Telemetry
open_telemetry:
metrics:
enabled: false
# Create a prometheus exporter server on this port so prometheus server can scrape PeerTube metrics
prometheus_exporter:
port: 9091
tracing:
enabled: false
# Send traces to a Jaeger compatible endpoint
jaeger_exporter:
endpoint: ''
trending:
videos:
interval_days: 7 # Compute trending videos for the last x days
algorithms:
enabled:
- 'best' # adaptation of Reddit's 'Best' algorithm (Hot minus History)
- 'hot' # adaptation of Reddit's 'Hot' algorithm
- 'most-viewed' # default, used initially by PeerTube as the trending page
- 'most-liked'
@ -227,7 +265,7 @@ security:
enabled: true
tracker:
# If you disable the tracker, you disable the P2P aspect of PeerTube
# If you disable the tracker, you disable the P2P on your PeerTube instance
enabled: true
# Only handle requests on your videos
# If you set this to false it means you have a public tracker
@ -258,11 +296,21 @@ views:
ip_view_expiration: '1 hour'
# Used to get country location of views of local videos
geo_ip:
enabled: true
country:
database_url: 'https://dbip.mirror.framasoft.org/files/dbip-country-lite-latest.mmdb'
plugins:
# The website PeerTube will ask for available PeerTube plugins and themes
# This is an unmoderated plugin index, so only install plugins/themes you trust
index:
# GNUNUX enabled: true
#>GNUNUX
enabled: false
#<GNUNUX
check_latest_versions_interval: '12 hours' # How often you want to check new plugins/themes versions
url: 'https://packages.joinpeertube.org'
@ -277,7 +325,10 @@ federation:
peertube:
check_latest_version:
# Check and notify admins of new PeerTube versions
# GNUNUX enabled: true
#>GNUNUX
enabled: false
#<GNUNUX
# You can use a custom URL if your want, that respect the format behind https://joinpeertube.org/api/v1/versions.json
url: 'https://joinpeertube.org/api/v1/versions.json'
@ -285,17 +336,30 @@ webadmin:
configuration:
edition:
# Set this to false if you don't want to allow config edition in the web interface by instance admins
# GNUNUX allowed: true
#>GNUNUX
allowed: false
#<GNUNUX
# XML, Atom or JSON feeds
feeds:
videos:
# Default number of videos displayed in feeds
count: 20
comments:
# Default number of comments displayed in feeds
count: 20
###############################################################################
#
# From this point, all the following keys can be overridden by the web interface
# From this point, almost all following keys can be overridden by the web interface
# (local-production.json file). If you need to change some values, prefer to
# use the web interface because the configuration will be automatically
# reloaded without any need to restart PeerTube
#
# /!\ If you already have a local-production.json file, the modification of the
# following keys will have no effect /!\
# /!\ If you already have a local-production.json file, modification of some of
# the following keys will have no effect /!\
#
###############################################################################
@ -368,6 +432,9 @@ transcoding:
1440p: false
2160p: false
# Transcode and keep original resolution, even if it's above your maximum enabled resolution
always_transcode_original_resolution: true
# Generate videos in a WebTorrent format (what we do since the first PeerTube release)
# If you also enabled the hls format, it will multiply videos storage by 2
# If disabled, breaks federation with PeerTube instances < 2.1
@ -404,19 +471,43 @@ live:
# /!\ transcoding.enabled (and not live.transcoding.enabled) has to be true to create a replay
allow_replay: true
# Allow your users to change latency settings (small latency/default/high latency)
# Small latency live streams cannot use P2P
# High latency live streams can increase P2P ratio
latency_setting:
enabled: true
# Your firewall should accept traffic from this port in TCP if you enable live
rtmp:
enabled: true
# Listening hostname/port for RTMP server
# '::' to listen on IPv6 and IPv4, '0.0.0.0' to listen on IPv4
# Use null to automatically listen on '::' if IPv6 is available, or '0.0.0.0' otherwise
hostname: null
port: 1935
# Public hostname of your RTMP server
# Use null to use the same value than `webserver.hostname`
public_hostname: null
rtmps:
enabled: false
# Listening hostname/port for RTMPS server
# '::' to listen on IPv6 and IPv4, '0.0.0.0' to listen on IPv4
# Use null to automatically listen on '::' if IPv6 is available, or '0.0.0.0' otherwise
hostname: null
port: 1936
# Absolute path
# Absolute paths
key_file: ''
# Absolute path
cert_file: ''
# Public hostname of your RTMPS server
# Use null to use the same value than `webserver.hostname`
public_hostname: null
# Allow to transcode the live streaming in multiple live resolutions
transcoding:
enabled: true
@ -437,17 +528,31 @@ live:
1440p: false
2160p: false
# Also transcode original resolution, even if it's above your maximum enabled resolution
always_transcode_original_resolution: true
video_studio:
# Enable video edition by users (cut, add intro/outro, add watermark etc)
# If enabled, users can create transcoding tasks as they wish
enabled: false
import:
# Add ability for your users to import remote videos (from YouTube, torrent...)
videos:
# Amount of import jobs to execute in parallel
concurrency: 1
# Set a custom video import timeout to not block import queue
timeout: '2 hours'
# Classic HTTP or all sites supported by youtube-dl https://rg3.github.io/youtube-dl/supportedsites.html
http:
# We recommend to use a HTTP proxy if you enable HTTP import to prevent private URL access from this server
# See https://docs.joinpeertube.org/maintain-configuration?id=security for more information
# GNUNUX enabled: false
#>GNUNUX
enabled: true
#<GNUNUX
youtube_dl_release:
# Direct download URL to youtube-dl binary
@ -455,11 +560,11 @@ import:
# Examples:
# * https://api.github.com/repos/ytdl-org/youtube-dl/releases
# * https://api.github.com/repos/yt-dlp/yt-dlp/releases
url: 'https://yt-dl.org/downloads/latest/youtube-dl'
# * https://yt-dl.org/downloads/latest/youtube-dl
url: 'https://api.github.com/repos/yt-dlp/yt-dlp/releases'
# youtube-dl binary name
# yt-dlp is also supported
name: 'youtube-dl'
# Release binary name: 'yt-dlp' or 'youtube-dl'
name: 'yt-dlp'
# Path to the python binary to execute for youtube-dl or yt-dlp
python_path: '/usr/bin/python3'
@ -473,6 +578,17 @@ import:
# See https://docs.joinpeertube.org/maintain-configuration?id=security for more information
enabled: false
# Add ability for your users to synchronize their channels with external channels, playlists, etc.
video_channel_synchronization:
enabled: false
max_per_user: 10
check_interval: 1 hour
# Number of latest published videos to check and to potentially import when syncing a channel
videos_limit_per_synchronization: 10
auto_blacklist:
# New videos automatically blacklisted so moderators can review before publishing
videos:
@ -512,7 +628,10 @@ instance:
languages:
# - en
# - es
# GNUNUX - fr
#>GNUNUX
- fr
#<GNUNUX
# You can specify the main categories of your instance (dedicated to music, gaming or politics etc)
# Uncomment or add the category ids you want
@ -630,6 +749,11 @@ client:
miniature:
# By default PeerTube client displays author username
prefer_author_display_name: false
display_author_avatar: false
resumable_upload:
# Max size of upload chunks, e.g. '90MB'
# If null, it will be calculated based on network speed
max_chunk_size: null
menu:
login: