Update renovate.json5

| datasource      | package             | from  | to    |
| --------------- | ------------------- | ----- | ----- |
| github-releases | Chocobozzz/PeerTube | 6.3.2 | 6.3.3 |

CHANGELOG.md

@@ -247,3 +247,123 @@
 [2.10.2]
 * Remove invokation of 5.0 upgade script
 
+[2.11.0]
+* Update PeerTube to 5.1.0
+* [Full changelog](https://github.com/Chocobozzz/PeerTube/releases/tag/v5.1.0)
+* **IMPORTANT**: If your instance has signup enabled, user registration approval is automatically enabled by the default configuration of this release. You can change this setting in your production.yaml or in the configuration page in the web admin
+Update web browsers support list:
+  * Drop support of Safari 11 on iOS
+  * Drop support of Safari 11 on desktop
+  * Drop support of Firefox 68 on desktop
+* Implement user registration approval (https://docs.joinpeertube.org/admin/managing-users#registration-approval) #5544
+* Add "back to live" button in player
+* Add Icelandic & Ukrainian locales
+* Add Global views default trending algorithm option in admin configuration #5471
+
+[2.12.0]
+* Update PeerTube to 5.2.0
+* [Full changelog](https://github.com/Chocobozzz/PeerTube/releases/tag/v5.2.0)
+* Implement remote transcoding for VOD videos, Live streams and Studio editions tada #5769
+* If enabled, remote PeerTube runners can process these high CPU jobs
+* Admin documentation: https://docs.joinpeertube.org/admin/remote-runners
+* PeerTube runner CLI documentation: https://docs.joinpeertube.org/maintain/tools#peertube-runner
+* Demonstration video: https://peertube2.cpy.re/w/oJwHHYwt4oKjKhLNh2diAY
+* Architecture documentation: https://docs.joinpeertube.org/contribute/architecture#remote-vod-live-transcoding
+* Add Podcast RSS feed support: #5487
+* Add ability to set custom privacy for live replays #5692
+* Render images of markdown fields in About page #5732
+* Admin can disable user video history by default #5728
+* Improve global accessibility
+
+[2.12.1]
+* Update PeerTube to 5.2.1
+* [Full changelog](https://github.com/Chocobozzz/PeerTube/releases/tag/v5.2.1)
+* Fix loading spinner displayed forever on Chrome
+* Fix broken replay with long live name
+* Fix fps transcoding on remote runners
+* Fix terms/code of conduct link toggle
+
+[2.13.0]
+* Update base image to 4.2.0
+
+[2.14.0]
+* Update PeerTube to 6.0.2
+* [Full changelog](https://github.com/Chocobozzz/PeerTube/releases/tag/v6.0.2)
+* [Important breaking changes in 6.0](https://github.com/Chocobozzz/PeerTube/blob/develop/CHANGELOG.md#v600). Some keys in `production.yaml` have been renamed (for example, object storage keys).
+
+[2.15.0]
+* Migrate to OIDC login
+
+[2.15.1]
+* Update PeerTube to 6.0.3
+* [Full changelog](https://github.com/Chocobozzz/PeerTube/releases/tag/v6.0.3)
+* Fix HTML meta tags with attributes that contain quotes
+* Fix time parsing resulting in broken video start time in some cases
+* Fix WebTorrent video import crash
+* Reload Discover page on logout
+* Fix privacy error when updating a live, even if the privacy has not changed
+* Fix invalid remote live state change notification that causes the player to reload
+* Don't apply big play button skin to settings menu
+* Fix downloading video files from object storage with some video names (that include emojis, quotes etc)
+
+[2.15.2]
+* Update PeerTube to 6.0.4
+* [Full changelog](https://github.com/Chocobozzz/PeerTube/releases/tag/v6.0.4)
+* Important: Prevent XSS injection in embed. Thanks Syst3m0ver!
+
+[2.16.0]
+* Update PeerTube to 6.1.0
+* [Full changelog](https://github.com/Chocobozzz/PeerTube/releases/tag/v6.1.0)
+* Compact ActivityPub JSON-LD objects before using them to prevent incorrect access control @tesaguri
+* Protect ActivityPub information related to private/internal/blocked videos
+
+[2.17.0]
+* Update PeerTube to 6.2.0
+* [Full changelog](https://github.com/Chocobozzz/PeerTube/releases/tag/v6.2.0)
+
+[2.17.1]
+* Update PeerTube to 6.2.1
+* [Full changelog](https://github.com/Chocobozzz/PeerTube/releases/tag/v6.2.1)
+* Fix stuck runner jobs due to DB concurrency issue
+* Respect OS orientation settings in PWA
+* Fix "No results" not displayed on no video results
+* Do not display "Download" option on lives
+* Fix invalid current password error when updating user password
+* Fix slow hotkeys detection
+* Fix hidden runner jobs tab when remote runner is only enabled for transcription
+* Fix broken HLS P2P by correctly updating HLS infohash on privacy update
+* Fix videos filters pastille labels for categories and languages
+
+[3.0.0]
+* After the update to refresh metadata: run the `migrate` command in a webterminal into the app.
+* Update PeerTube to 6.3.0
+* [Full changelog](https://github.com/Chocobozzz/PeerTube/releases/tag/v6.3.0)
+
+[3.0.1]
+* Update PeerTube to 6.3.1
+* [Full changelog](https://github.com/Chocobozzz/PeerTube/releases/tag/v6.3.1)
+* Fix player settings button on mobile
+* Fix removed audio when splitting audio and video streams on existing videos when running HLS transcoding
+
+[3.0.2]
+* Update PeerTube to 6.3.2
+* [Full changelog](https://github.com/Chocobozzz/PeerTube/releases/tag/v6.3.2)
+* Fix 403 error when downloading private/internal video
+* Don't crash video federation and live replay generation on missing thumbnail/preview
+* Fix advanced search input with multiple automatic search tokens
+* Fix player "Copy URL" when the video is fullscreen
+* Fix account videos search
+* Add missing max transcoding fps config in admin
+* Don't add mobile buttons if the player controls are disabled
+
+[3.0.3]
+* Update PeerTube to 6.3.3
+* [Full changelog](https://github.com/Chocobozzz/PeerTube/releases/tag/v6.3.3)
+* Fix broken thumbnails on live replay
+* Fix detecting portrait rotation of some video
+* Don't allow to select a frame from a live to set the thumbnail
+* Fix lost video stream with specific transcoding settings and video input
+* Fix creating playlist without thumbnail when using the REST API
+* Fix .mov video upload on some Windows versions
+* Fix video-plugin-metadata.result client plugin hook
+

CloudronManifest.json

@@ -1,6 +1,6 @@
 {
-  "version": "2.10.2",
-  "upstreamVersion": "5.0.1",
+  "version": "3.0.3",
+  "upstreamVersion": "6.3.3",
   "id": "org.joinpeertube.cloudronapp",
   "title": "PeerTube",
   "author": "PeerTube developers",
@@ -10,7 +10,7 @@
   "tagline": "Take back control of your videos",
   "icon": "file://logo.png",
   "healthCheckPath": "/",
-  "httpPort": 9000,
+  "httpPort": 80,
   "tcpPorts": {
     "RTMP_PORT": {
       "title": "RTMP Port",
@@ -23,13 +23,25 @@
     "localstorage": {},
     "postgresql": {},
     "redis": {},
-    "sendmail": { "supportsDisplayName": false },
-    "ldap": {}
+    "sendmail": {
+      "supportsDisplayName": false
+    },
+    "oidc": {
+      "loginRedirectUri": "/plugins/auth-openid-connect/router/code-cb"
+    }
   },
-  "memoryLimit": 536870912,
+  "memoryLimit": 1073741824,
   "forumUrl": "https://forum.cloudron.io/category/91/peertube",
   "optionalSso": true,
-  "tags": [ "video", "youtube", "vimeo", "blog", "instagram", "media", "federated" ],
+  "tags": [
+    "video",
+    "youtube",
+    "vimeo",
+    "blog",
+    "instagram",
+    "media",
+    "federated"
+  ],
   "mediaLinks": [
     "https://screenshots.cloudron.io/org.joinpeertube.cloudronapp/peertube-screenshot.jpg",
     "https://screenshots.cloudron.io/org.joinpeertube.cloudronapp/home.png",
@@ -38,7 +50,6 @@
   "changelog": "file://CHANGELOG.md",
   "postInstallMessage": "file://POSTINSTALL.md",
   "documentationUrl": "https://docs.cloudron.io/apps/peertube/",
-  "minBoxVersion": "7.2.0",
+  "minBoxVersion": "7.4.0",
   "manifestVersion": 2
 }
-

Dockerfile

@@ -1,27 +1,22 @@
-FROM cloudron/base:4.0.0@sha256:31b195ed0662bdb06a6e8a5ddbedb6f191ce92e8bee04c03fb02dd4e9d0286df
+FROM cloudron/base:4.2.0@sha256:46da2fffb36353ef714f97ae8e962bd2c212ca091108d768ba473078319a47f4
 
 RUN mkdir -p /app/code/server /app/pkg
 WORKDIR /app/code/server
 
-# https://github.com/Chocobozzz/PeerTube/blob/develop/support/doc/dependencies.md
-ARG NODEJS_VERSION=16.13.2
-RUN mkdir -p /usr/local/node-${NODEJS_VERSION} && \
-    curl -L https://nodejs.org/dist/v${NODEJS_VERSION}/node-v${NODEJS_VERSION}-linux-x64.tar.gz | tar zxf - --strip-components 1 -C /usr/local/node-${NODEJS_VERSION}
-ENV PATH /usr/local/node-${NODEJS_VERSION}/bin:$PATH
-
 RUN apt update && apt install -y prosody && rm -rf /var/cache/apt /var/lib/apt/lists
 
-ARG VERSION=5.0.1
+ARG NODE_VERSION=20.15.1
+RUN mkdir -p /usr/local/node-${NODE_VERSION} && curl -L https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.gz | tar zxf - --strip-components 1 -C /usr/local/node-${NODE_VERSION}
+ENV PATH /usr/local/node-${NODE_VERSION}/bin:$PATH
+
+# renovate: datasource=github-releases depName=Chocobozzz/PeerTube versioning=semver extractVersion=^v(?<version>.+)$
+ARG PEERTUBE_VERSION=6.3.3
 
 # install peertube. the chown is required for some reason for ffmpeg. it fails with EROFS without it when transcoding
-RUN curl -sL https://github.com/Chocobozzz/PeerTube/releases/download/v${VERSION}/peertube-v${VERSION}.tar.xz | tar --strip-components 1 -Jxvf - && \
+RUN curl -sL https://github.com/Chocobozzz/PeerTube/releases/download/v${PEERTUBE_VERSION}/peertube-v${PEERTUBE_VERSION}.tar.xz | tar --strip-components 1 -Jxvf - && \
     yarn install --production --pure-lockfile
 
-RUN mkdir /app/code/cli && \
-    curl -L https://github.com/Chocobozzz/PeerTube/archive/v${VERSION}.tar.gz | tar -zxvf - --strip-components=1 -C /app/code/cli && \
-    cd /app/code/cli && \
-    NOCLIENT=1 yarn install --pure-lockfile && \
-    npm run setup:cli
+RUN npm install -g @peertube/peertube-cli
 
 # the json is created and managed by web ui. it overrides the yaml file (https://github.com/lorenwest/node-config/wiki/Configuration-Files)
 RUN ln -sf /app/data/production.yaml /app/code/server/config/production.yaml && \
@@ -31,7 +26,8 @@ RUN ln -sf /app/data/production.yaml /app/code/server/config/production.yaml &&
 RUN curl -L https://yt-dl.org/downloads/latest/youtube-dl -o /usr/local/bin/youtube-dl && chmod +x /usr/local/bin/youtube-dl
 
 # required when installing plugins/themes that use node-gyp
-RUN rm -rf /home/cloudron/.cache && ln -s /run/peertube/cache /home/cloudron/.cache
+RUN rm -rf /home/cloudron/.cache && ln -s /run/peertube/cache /home/cloudron/.cache && \
+    rm -rf /home/cloudron/.npm && ln -s /run/peertube/npm /home/cloudron/.npm
 
 COPY production.yaml.example start.sh /app/pkg/
 
@@ -40,5 +36,20 @@ ENV NODE_CONFIG_DIR /app/code/server/config
 
 RUN printf '#!/bin/bash\n\ncd /app/code/cli && node dist/server/tools/peertube.js $@\n' > /usr/bin/peertube && chmod +x /usr/bin/peertube
 
+# remove with next releases
+RUN printf '#!/bin/bash\n\ncd /app/code/server && NODE_ENV=production node dist/scripts/migrations/peertube-6.3.js $@\n' > /usr/bin/migrate && chmod +x /usr/bin/migrate
+
+# add nginx config
+RUN rm /etc/nginx/sites-enabled/*
+RUN ln -sf /dev/stdout /var/log/nginx/access.log
+RUN ln -sf /dev/stderr /var/log/nginx/error.log
+RUN ln -sf /run/peertube-nginx.conf /etc/nginx/sites-enabled/peertube.conf
+COPY nginx/readonlyrootfs.conf /etc/nginx/conf.d/readonlyrootfs.conf
+COPY nginx/peertube.conf /app/pkg/peertube-nginx.conf
+
+# supervisor
+COPY supervisor/ /etc/supervisor/conf.d/
+RUN sed -e 's,^logfile=.*$,logfile=/run/supervisord.log,' -i /etc/supervisor/supervisord.conf
+
 CMD [ "/app/pkg/start.sh" ]
 

nginx/peertube.conf

@@ -0,0 +1,217 @@
+upstream backend {
+  server 127.0.0.1:9000;
+}
+
+server {
+  listen 80;
+  server_name default_server;
+
+  ##
+  # Application
+  ##
+
+  location @api {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host            $host;
+    proxy_set_header X-Real-IP       $remote_addr;
+
+    client_max_body_size  100k; # default is 1M
+
+    proxy_connect_timeout 10m;
+    proxy_send_timeout    10m;
+    proxy_read_timeout    10m;
+    send_timeout          10m;
+
+    proxy_pass http://backend;
+  }
+
+  location / {
+    try_files /dev/null @api;
+  }
+
+  location ~ ^/api/v1/videos/(upload-resumable|([^/]+/source/replace-resumable))$ {
+    client_max_body_size    0;
+    proxy_request_buffering off;
+
+    try_files /dev/null @api;
+  }
+
+  location ~ ^/api/v1/users/[^/]+/imports/import-resumable$ {
+    client_max_body_size    0;
+    proxy_request_buffering off;
+
+    try_files /dev/null @api;
+  }
+
+  location ~ ^/api/v1/videos/(upload|([^/]+/studio/edit))$ {
+    limit_except POST HEAD { deny all; }
+
+    # This is the maximum upload size, which roughly matches the maximum size of a video file.
+    # Note that temporary space is needed equal to the total size of all concurrent uploads.
+    # This data gets stored in /var/lib/nginx by default, so you may want to put this directory
+    # on a dedicated filesystem.
+    client_max_body_size                      12G; # default is 1M
+    add_header            X-File-Maximum-Size 8G always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size)
+
+    try_files /dev/null @api;
+  }
+
+  location ~ ^/api/v1/runners/jobs/[^/]+/(update|success)$ {
+    client_max_body_size                      12G; # default is 1M
+    add_header            X-File-Maximum-Size 8G always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size)
+
+    try_files /dev/null @api;
+  }
+
+  location ~ ^/api/v1/(videos|video-playlists|video-channels|users/me) {
+    client_max_body_size                      6M; # default is 1M
+    add_header            X-File-Maximum-Size 4M always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size)
+
+    try_files /dev/null @api;
+  }
+
+  ##
+  # Websocket
+  ##
+
+  location @api_websocket {
+    proxy_http_version 1.1;
+    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header   Host            $host;
+    proxy_set_header   X-Real-IP       $remote_addr;
+    proxy_set_header   Upgrade         $http_upgrade;
+    proxy_set_header   Connection      "upgrade";
+
+    proxy_pass http://backend;
+  }
+
+  location /socket.io {
+    try_files /dev/null @api_websocket;
+  }
+
+  location /tracker/socket {
+    # Peers send a message to the tracker every 15 minutes
+    # Don't close the websocket before then
+    proxy_read_timeout 15m; # default is 60s
+
+    try_files /dev/null @api_websocket;
+  }
+
+  # Plugin websocket routes
+  location ~ ^/plugins/[^/]+(/[^/]+)?/ws/ {
+    try_files /dev/null @api_websocket;
+  }
+
+  ##
+  # Performance optimizations
+  # For extra performance please refer to https://github.com/denji/nginx-tuning
+  ##
+
+  #  root /var/www/peertube/storage;
+  root /app/data/storage;
+
+  # Enable compression for JS/CSS/HTML, for improved client load times.
+  # It might be nice to compress JSON/XML as returned by the API, but
+  # leaving that out to protect against potential BREACH attack.
+  gzip              on;
+  gzip_vary         on;
+  gzip_types        # text/html is always compressed by HttpGzipModule
+                    text/css
+                    application/javascript
+                    font/truetype
+                    font/opentype
+                    application/vnd.ms-fontobject
+                    image/svg+xml;
+  gzip_min_length   1000; # default is 20 bytes
+  gzip_buffers      16 8k;
+  gzip_comp_level   2; # default is 1
+
+  client_body_timeout       30s; # default is 60
+  client_header_timeout     10s; # default is 60
+  send_timeout              10s; # default is 60
+  keepalive_timeout         10s; # default is 75
+  resolver_timeout          10s; # default is 30
+  reset_timedout_connection on;
+  proxy_ignore_client_abort on;
+
+  tcp_nopush                on; # send headers in one piece
+  tcp_nodelay               on; # don't buffer data sent, good for small data bursts in real time
+
+  # If you have a small /var/lib partition, it could be interesting to store temp nginx uploads in a different place
+  # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
+  #client_body_temp_path /var/www/peertube/storage/nginx/;
+
+  # Bypass PeerTube for performance reasons. Optional.
+  # Should be consistent with client-overrides assets list in client.ts server controller
+  location ~ ^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png|default-playlist\.jpg|default-avatar-account\.png|default-avatar-account-48x48\.png|default-avatar-video-channel\.png|default-avatar-video-channel-48x48\.png))$ {
+    add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
+
+    root /app/code/server;
+
+    #    try_files /storage/client-overrides/$1 /peertube-latest/client/dist/$1 @api;
+    try_files /app/data/storage/client-overrides/$1 /app/code/server/client/dist/$1 @api;
+  }
+
+  # Bypass PeerTube for performance reasons. Optional.
+  location ~ ^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$ {
+    add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
+
+    #    alias /var/www/peertube/peertube-latest/client/dist/$1;
+    alias /app/code/server/client/dist/$1;
+  }
+
+  location ~ ^(/static/(webseed|web-videos|streaming-playlists/hls)/private/)|^/download {
+    # We can't rate limit a try_files directive, so we need to duplicate @api
+
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host            $host;
+    proxy_set_header X-Real-IP       $remote_addr;
+
+    proxy_limit_rate 5M;
+
+    proxy_pass http://backend;
+  }
+
+  # Bypass PeerTube for performance reasons. Optional.
+  location ~ ^/static/(webseed|web-videos|redundancy|streaming-playlists)/ {
+    limit_rate_after            5M;
+
+    set $peertube_limit_rate  5M;
+
+    # Use this line with nginx >= 1.17.0
+    limit_rate $peertube_limit_rate;
+    # Or this line with nginx < 1.17.0
+    # set $limit_rate $peertube_limit_rate;
+
+    if ($request_method = 'OPTIONS') {
+      add_header Access-Control-Allow-Origin  '*';
+      add_header Access-Control-Allow-Methods 'GET, OPTIONS';
+      add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+      add_header Access-Control-Max-Age       1728000; # Preflight request can be cached 20 days
+      add_header Content-Type                 'text/plain charset=UTF-8';
+      add_header Content-Length               0;
+      return 204;
+    }
+
+    if ($request_method = 'GET') {
+      add_header Access-Control-Allow-Origin  '*';
+      add_header Access-Control-Allow-Methods 'GET, OPTIONS';
+      add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+
+      # Don't spam access log file with byte range requests
+      access_log off;
+    }
+
+    # Enabling the sendfile directive eliminates the step of copying the data into the buffer
+    # and enables direct copying data from one file descriptor to another.
+    sendfile on;
+    sendfile_max_chunk 1M; # prevent one fast connection from entirely occupying the worker process. should be > 800k.
+    aio threads;
+
+    # web-videos is the name of the directory mapped to the `storage.web_videos` key in your PeerTube configuration
+    rewrite ^/static/webseed/(.*)$ /web-videos/$1 break;
+    rewrite ^/static/(.*)$         /$1        break;
+
+    try_files $uri @api;
+  }
+}

nginx/readonlyrootfs.conf

@@ -0,0 +1,7 @@
+# this is already in a http block
+
+client_body_temp_path /run/nginx;
+proxy_temp_path /run/nginx;
+fastcgi_temp_path /run/nginx;
+uwsgi_temp_path /run/nginx;
+scgi_temp_path /run/nginx;

production.yaml.example

@@ -76,12 +76,13 @@ email:
 storage:
   tmp: '/app/data/storage/tmp/' # Use to download data (imports etc), store uploaded files before processing...
   avatars: '/app/data/storage/avatars/'
-  videos: '/app/data/storage/videos/'
+  web_videos: '/app/data/storage/web-videos/'
   streaming_playlists: '/app/data/storage/streaming-playlists/'
   redundancy: '/app/data/storage/redundancy/'
   logs: '/app/data/storage/logs/'
   previews: '/app/data/storage/previews/'
   thumbnails: '/app/data/storage/thumbnails/'
+  storyboards: '/app/data/storage/storyboards/'
   torrents: '/app/data/storage/torrents/'
   captions: '/app/data/storage/captions/'
   cache: '/app/data/storage/cache/'
@@ -240,7 +241,7 @@ transcoding:
   # Generate videos in a WebTorrent format (what we do since the first PeerTube release)
   # If you also enabled the hls format, it will multiply videos storage by 2
   # If disabled, breaks federation with PeerTube instances < 2.1
-  webtorrent:
+  web_videos:
     enabled: true
 
   # /!\ Requires ffmpeg >= 4.1

renovate.json5

@@ -0,0 +1,4 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "extends": ["local>devops/renovator//default.renovate.json5"]
+}

start.sh

@@ -2,21 +2,48 @@
 
 set -eu
 
-mkdir -p /app/data/storage /run/peertube/cache
+mkdir -p /app/data/storage /run/peertube/cache /run/peertube/npm /tmp/peertube
 
 # do not rely on WORKDIR
 cd /app/code/server
 
-update_ldap() {
-    echo "==> Updating Ldap credentials"
+migrate_ldap_to_oidc() {
+    USERS_TO_MIGRATE=$(PGPASSWORD=${CLOUDRON_POSTGRESQL_PASSWORD} psql -h ${CLOUDRON_POSTGRESQL_HOST} -p ${CLOUDRON_POSTGRESQL_PORT} -U ${CLOUDRON_POSTGRESQL_USERNAME} -d ${CLOUDRON_POSTGRESQL_DATABASE} -AXqtc "SELECT count(*) FROM \"user\" u WHERE \"pluginAuth\"='peertube-plugin-auth-ldap'")
+    echo "==> Migrating users to OIDC";
+    echo "      Users to migrate: ${USERS_TO_MIGRATE}"
+    if [ ${USERS_TO_MIGRATE} -gt 0 ]; then
+        PGPASSWORD=${CLOUDRON_POSTGRESQL_PASSWORD} psql -h ${CLOUDRON_POSTGRESQL_HOST} -p ${CLOUDRON_POSTGRESQL_PORT} -U ${CLOUDRON_POSTGRESQL_USERNAME} -d ${CLOUDRON_POSTGRESQL_DATABASE} -c "UPDATE \"user\" SET \"pluginAuth\"='peertube-plugin-auth-openid-connect' WHERE \"pluginAuth\"='peertube-plugin-auth-ldap'"
+    fi
+
+    LDAP_PLUGIN_INSTALLED=$(PGPASSWORD=${CLOUDRON_POSTGRESQL_PASSWORD} psql -h ${CLOUDRON_POSTGRESQL_HOST} -p ${CLOUDRON_POSTGRESQL_PORT} -U ${CLOUDRON_POSTGRESQL_USERNAME} -d ${CLOUDRON_POSTGRESQL_DATABASE} -AXqtc "SELECT count(*) FROM \"plugin\" WHERE name='auth-ldap'")
+    if [ ${LDAP_PLUGIN_INSTALLED} -gt 0 ]; then
+        echo "==> Uninstalling LDAP plugin"
+        gosu cloudron:cloudron npm run plugin:uninstall -- -n peertube-plugin-auth-ldap
+
+        echo "==> Deleting LDAP settings"
+        PGPASSWORD=${CLOUDRON_POSTGRESQL_PASSWORD} psql -h ${CLOUDRON_POSTGRESQL_HOST} -p ${CLOUDRON_POSTGRESQL_PORT} -U ${CLOUDRON_POSTGRESQL_USERNAME} -d ${CLOUDRON_POSTGRESQL_DATABASE} -c "DELETE FROM \"plugin\" WHERE name='auth-ldap'"
+    fi
+}
+
+install_oidc() {
+    # https://docs.joinpeertube.org/maintain-tools?id=cli-wrapper . Note that we have to restart peertube when installed this way
+    if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
+        echo "==> Installing OIDC plugin"
+        gosu cloudron:cloudron npm run plugin:install -- -n peertube-plugin-auth-openid-connect -v 0.1.1
+        update_oidc
+    fi
+}
+
+update_oidc() {
+    echo "==> Updating OIDC config"
 
     PGPASSWORD=${CLOUDRON_POSTGRESQL_PASSWORD} psql -h ${CLOUDRON_POSTGRESQL_HOST} -p ${CLOUDRON_POSTGRESQL_PORT} -U ${CLOUDRON_POSTGRESQL_USERNAME} -d ${CLOUDRON_POSTGRESQL_DATABASE} \
-        -c "UPDATE plugin SET settings='{\"url\": \"${CLOUDRON_LDAP_URL}\", \"weight\": 100, \"insecure-tls\": false, \"bind-dn\": \"${CLOUDRON_LDAP_BIND_DN}\", \"bind-credentials\": \"${CLOUDRON_LDAP_BIND_PASSWORD}\", \"search-base\": \"${CLOUDRON_LDAP_USERS_BASE_DN}\", \"mail-property\": \"mail\", \"search-filter\": \"(|(mail={{username}})(username={{username}}))\", \"username-property\": \"username\"}' WHERE name='auth-ldap'"
+        -c "UPDATE plugin SET settings='{\"scope\": \"openid email profile\", \"client-id\": \"${CLOUDRON_OIDC_CLIENT_ID}\", \"discover-url\": \"${CLOUDRON_OIDC_DISCOVERY_URL}\", \"client-secret\": \"${CLOUDRON_OIDC_CLIENT_SECRET}\", \"mail-property\": \"email\", \"auth-display-name\": \"Cloudron\", \"username-property\": \"preferred_username\", \"signature-algorithm\": \"RS256\", \"display-name-property\": \"name\"}' WHERE name='auth-openid-connect'"
 }
 
 first_time_setup() {
     echo "==> Starting peertube to run migrations on first run"
-    npm start &  # be wary of https://stackoverflow.com/questions/70738567/why-does-running-npm-run-script-as-root-switch-user
+    gosu cloudron:cloudron npm start &  # be wary of https://stackoverflow.com/questions/70738567/why-does-running-npm-run-script-as-root-switch-user
     sleep 10
 
     while ! curl --silent --output /dev/null --fail http://localhost:9000/; do
@@ -28,14 +55,12 @@ first_time_setup() {
     sleep 5
 
     echo "==> Reset root password"
-    echo "changeme" | npm run reset-password -- -u root
+    echo "changeme" | gosu cloudron:cloudron npm run reset-password -- -u root
+    sleep 5  # the above command seems to spawn a separate process to change password in background
 
-    # https://docs.joinpeertube.org/maintain-tools?id=cli-wrapper . Note that we have to restart peertube when installed this way
-    if [[ -n "${CLOUDRON_LDAP_SERVER:-}" ]]; then
-        echo "==> Installing LDAP plugin"
-        npm run plugin:install -- -n peertube-plugin-auth-ldap -v 0.0.10
-        update_ldap
-    fi
+    install_oidc
+
+    echo "==> First time setup complete"
 }
 
 update_config() {
@@ -73,8 +98,33 @@ update_config() {
     # ensure settings which were later added
     yq eval ".storage.bin = \"/app/data/storage/bin/\"" -i /app/data/production.yaml
     yq eval ".storage.well_known = \"/app/data/storage/well_known/\"" -i /app/data/production.yaml
+    yq eval ".storage.tmp_persistent = \"/app/data/storage/tmp_persistent/\"" -i /app/data/production.yaml
+
+    # changes for 6.0.0
+    yq eval ".storage.storyboards = \"/app/data/storage/storyboards/\"" -i /app/data/production.yaml
+    if [[ -d "/app/data/storage/videos" ]]; then
+        echo "==> Migrate videos/ to videos-web/"
+        mv /app/data/storage/videos /app/data/storage/web-videos
+    fi
+    yq eval ".storage.web_videos = \"/app/data/storage/web-videos/\"" -i /app/data/production.yaml
+    yq eval "del(.storage.videos)" -i /app/data/production.yaml
+    yq eval "del(.transcoding.webtorrent)" -i /app/data/production.yaml
+    yq eval ".transcoding.web_videos.enabled = true" -i /app/data/production.yaml
+
+    # changes for 6.1.0
+    yq eval ".storage.original_video_files = \"/app/data/storage/original_video_files/\"" -i /app/data/production.yaml
 }
 
+echo "==> Changing ownership"
+chown -R cloudron:cloudron /app/data /run/peertube /tmp/peertube
+
+# Set eviction policy to prevent warnings - https://docs.bullmq.io/guide/going-to-production#max-memory-policy
+while ! REDISCLI_AUTH="${CLOUDRON_REDIS_PASSWORD}" redis-cli -h "${CLOUDRON_REDIS_HOST}" -p "${CLOUDRON_REDIS_PORT}" ping >/dev/null; do
+    echo "==> Waiting for redis"
+    sleep 5
+done
+REDISCLI_AUTH="${CLOUDRON_REDIS_PASSWORD}"  redis-cli -h "${CLOUDRON_REDIS_HOST}" -p "${CLOUDRON_REDIS_PORT}" CONFIG SET maxmemory-policy noeviction
+
 # cd /var/www/peertube/peertube-latest/scripts && sudo -H -u peertube ./upgrade.sh
 if [[ ! -f "/app/data/production.yaml" ]]; then
     echo "==> First run. creating config"
@@ -84,11 +134,16 @@ if [[ ! -f "/app/data/production.yaml" ]]; then
     first_time_setup
 else
     update_config
-
-    [[ -n "${CLOUDRON_LDAP_SERVER:-}" ]] && update_ldap
+    if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
+        install_oidc
+        migrate_ldap_to_oidc
+        update_oidc
+    fi
 fi
 
-chown -R cloudron:cloudron /app/data /run/peertube
+echo "==> Configuring nginx"
+cp /app/pkg/peertube-nginx.conf /run/peertube-nginx.conf
 
 echo "==> Starting PeerTube"
-exec gosu cloudron:cloudron npm start
+#exec gosu cloudron:cloudron npm start
+exec /usr/bin/supervisord --configuration /etc/supervisor/supervisord.conf --nodaemon -i PeerTube

supervisor/nginx.conf

@@ -0,0 +1,11 @@
+[program:nginx]
+priority=100
+directory=/tmp
+command=/usr/sbin/nginx -g "daemon off;"
+user=root
+autostart=true
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0

supervisor/peertube.conf

@@ -0,0 +1,11 @@
+[program:peertube]
+directory=/app/code/server
+user=cloudron
+environment=HOME="/home/cloudron",USER="cloudron"
+command=npm start
+autostart=true
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0

test/package.json

@@ -10,10 +10,11 @@
   "license": "ISC",
   "devDependencies": {
     "expect.js": "^0.3.1",
-    "mocha": "^10.2.0"
+    "mocha": "^10.7.3"
   },
   "dependencies": {
-    "chromedriver": "^110.0.0",
-    "selenium-webdriver": "^4.8.1"
+    "chromedriver": "^129.0.2",
+    "safetydance": "^2.4.0",
+    "selenium-webdriver": "^4.25.0"
   }
 }

test/test.js

@@ -1,9 +1,9 @@
 #!/usr/bin/env node
 
-/* jshint esversion: 8 */
 /* global describe */
 /* global before */
 /* global after */
+/* global afterEach */
 /* global it */
 
 'use strict';
@@ -12,7 +12,9 @@ require('chromedriver');
 
 const execSync = require('child_process').execSync,
     expect = require('expect.js'),
+    fs = require('fs'),
     path = require('path'),
+    safe = require('safetydance'),
     util = require('util'),
     { Builder, By, Key, until } = require('selenium-webdriver'),
     { Options } = require('selenium-webdriver/chrome');
@@ -25,30 +27,62 @@ if (!process.env.USERNAME || !process.env.PASSWORD || !process.env.EMAIL) {
 describe('Application life cycle test', function () {
     this.timeout(0);
 
-    const LOCATION = 'test';
+    const LOCATION = process.env.LOCATION || 'test';
     const TEST_TIMEOUT = parseInt(process.env.TEST_TIMEOUT, 10) || 30000;
     const EXEC_ARGS = { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' };
 
-    var browser;
-    var app;
-    var username = process.env.USERNAME;
-    var password = process.env.PASSWORD;
-    var email = process.env.EMAIL;
+    let browser;
+    let app;
+    let host_os;
+    let username = process.env.USERNAME;
+    let password = process.env.PASSWORD;
+    let email = process.env.EMAIL;
+    let athenticated_by_oidc = false;
 
     before(function () {
-        browser = new Builder().forBrowser('chrome').setChromeOptions(new Options().windowSize({ width: 1280, height: 1024 })).build();
+        const chromeOptions = new Options().windowSize({ width: 1280, height: 1024 });
+        if (process.env.CI) chromeOptions.addArguments('no-sandbox', 'disable-dev-shm-usage', 'headless');
+        browser = new Builder().forBrowser('chrome').setChromeOptions(chromeOptions).build();
+        if (!fs.existsSync('./screenshots')) fs.mkdirSync('./screenshots');
     });
 
     after(function () {
         browser.quit();
     });
 
+    afterEach(async function () {
+        if (!process.env.CI || !app) return;
+
+        const currentUrl = await browser.getCurrentUrl();
+        if (!currentUrl.includes(app.domain)) return;
+        expect(this.currentTest.title).to.be.a('string');
+
+        const screenshotData = await browser.takeScreenshot();
+        fs.writeFileSync(`./screenshots/${new Date().getTime()}-${this.currentTest.title.replaceAll(' ', '_')}.png`, screenshotData, 'base64');
+    });
+
+    async function clearCache() {
+        await browser.manage().deleteAllCookies();
+        await browser.quit();
+        browser = null;
+        const chromeOptions = new Options().windowSize({ width: 1280, height: 1024 });
+        if (process.env.CI) chromeOptions.addArguments('no-sandbox', 'disable-dev-shm-usage', 'headless');
+        chromeOptions.addArguments(`--user-data-dir=${await fs.promises.mkdtemp('/tmp/test-')}`); // --profile-directory=Default
+        browser = new Builder().forBrowser('chrome').setChromeOptions(chromeOptions).build();
+    }
+
     function getAppInfo() {
-        var inspect = JSON.parse(execSync('cloudron inspect'));
+        let inspect = JSON.parse(execSync('cloudron inspect'));
         app = inspect.apps.filter(function (a) { return a.location.indexOf(LOCATION) === 0; })[0];
         expect(app).to.be.an('object');
     }
 
+    async function getOS() {
+        if (typeof(host_os) == 'undefined' || host_os == null)
+            host_os = String(await execSync('uname -s')).trim();
+        return host_os;
+    }
+
     async function waitForElement(elem) {
         await browser.wait(until.elementLocated(elem), TEST_TIMEOUT);
         await browser.wait(until.elementIsVisible(browser.findElement(elem)), TEST_TIMEOUT);
@@ -68,9 +102,31 @@ describe('Application life cycle test', function () {
         await waitForElement(By.xpath('//a[contains(@href, "/my-library")]'));
     }
 
+    async function loginOIDC(username, password) {
+        browser.manage().deleteAllCookies();
+        await browser.get(`https://${app.fqdn}/login`);
+        await browser.sleep(2000);
+
+        await browser.wait(until.elementLocated(By.xpath('//a[contains(., "Cloudron")]')), TEST_TIMEOUT);
+        await browser.findElement(By.xpath('//a[contains(., "Cloudron")]')).click();
+        await browser.sleep(2000);
+
+        if (!athenticated_by_oidc) {
+            await waitForElement(By.id('inputUsername'));
+            await browser.findElement(By.id('inputUsername')).sendKeys(username);
+            await browser.findElement(By.id('inputPassword')).sendKeys(password);
+            await browser.findElement(By.id('loginSubmitButton')).click();
+
+            athenticated_by_oidc = true;
+        }
+        await browser.sleep(20000);
+        await waitForElement(By.xpath('//a[contains(@href, "/my-library")]'));
+    }
+
     async function closeAccountSetupDialog() {
         await browser.get('https://' + app.fqdn);
 
+        await waitForElement(By.xpath('//span[contains(text(), "show me this anymore")]'));
         await browser.findElement(By.xpath('//span[contains(text(), "show me this anymore")]')).click();
         await browser.findElement(By.xpath('//a[contains(text(), "Set up")]')).click();
         await browser.sleep(3000);
@@ -82,25 +138,30 @@ describe('Application life cycle test', function () {
         await browser.sleep(2000);
         await browser.findElement(By.xpath('//div[@class="logged-in-display-name"]')).click();
         await browser.sleep(2000);
-        await browser.findElement(By.xpath('//a[contains(text(), "Log out")]')).click();
+        await browser.findElement(By.xpath('//button[contains(text(), "Log out")]')).click();
         await browser.sleep(2000);
     }
 
     async function completeSetup() {
-        var button;
+        let button;
 
         await browser.get(`https://${app.fqdn}`);
-        await waitForElement(By.xpath('//a[contains(text(), "Configure my instance")]'));
+        await browser.sleep(2000);
+
+        const [error] = await safe(waitForElement(By.xpath('//a[contains(text(), "Configure my instance")]')));
+        if (error) return; // sometimes it doesn't appear, maybe it's cached in local storage
         await browser.findElement(By.xpath('//a[contains(text(), "Configure my instance")]')).click(); // this opens a new window
 
-        console.log('Close the newly opened tab. Will wait for 60 seconds');
-        await browser.sleep(60000);
+        await browser.sleep(2000);
+        await closeTab();
     }
 
     async function uploadVideo() {
-        browser.get('https://' + app.fqdn + '/videos/upload');
-        await browser.sleep(2000);
-        await browser.findElement(By.xpath('//input[@id="videofile" and @type="file"]')).sendKeys(path.resolve(__dirname, './Cloudron Test Video.mp4'));
+        await browser.get(`https://${app.fqdn}/videos/upload#upload`);
+        await browser.sleep(3000);
+        await browser.wait(until.elementLocated(By.id('videofile')), TEST_TIMEOUT); // do not do element visible check . it fails, no clue why
+        await browser.findElement(By.id('videofile')).sendKeys(path.resolve(__dirname, './Cloudron Test Video.mp4'));
+        console.log('waiting 10 seconds for upload');
         await browser.sleep(10000); // wait for upload
 
         await waitForElement(By.xpath('//div[@class="submit-container"]//span[text()="Publish"]'));
@@ -116,6 +177,13 @@ describe('Application life cycle test', function () {
         await waitForElement(By.xpath('//a[contains(@title, "Cloudron Test Video")]'));
     }
 
+    async function closeTab() {
+        const handles = await browser.getAllWindowHandles();
+        await browser.switchTo().window(handles[1]);
+        await browser.close();
+        await browser.switchTo().window(handles[0]);
+    }
+
     xit('build app', function () { execSync('cloudron build', EXEC_ARGS); });
     it('install app', async function () {
         execSync('cloudron install --location ' + LOCATION, EXEC_ARGS);
@@ -129,7 +197,7 @@ describe('Application life cycle test', function () {
     it('video exists', videoExists);
     it('logout', logout);
 
-    it('can login', login.bind(null, username, password));
+    it('can OIDC login', loginOIDC.bind(null, username, password));
     it('can close account setup dialog', closeAccountSetupDialog);
     it('logout', logout);
 
@@ -147,7 +215,7 @@ describe('Application life cycle test', function () {
     it('video exists', videoExists);
     it('logout', logout);
 
-    it('can login', login.bind(null, username, password));
+    it('can OIDC login', loginOIDC.bind(null, username, password));
     it('logout', logout);
 
     it('can restart app', function () {
@@ -157,7 +225,7 @@ describe('Application life cycle test', function () {
     it('video exists', videoExists);
     it('logout', logout);
 
-    it('can login', login.bind(null, username, password));
+    it('can OIDC login', loginOIDC.bind(null, username, password));
     it('logout', logout);
 
     // this is not supported for federation
@@ -168,7 +236,7 @@ describe('Application life cycle test', function () {
     it('video exists', videoExists);
     it('logout', logout);
 
-    it('can login', login.bind(null, username, password));
+    it('can OIDC login', loginOIDC.bind(null, username, password));
     it('logout', logout);
 
     it('uninstall app', async function () {
@@ -210,7 +278,8 @@ describe('Application life cycle test', function () {
     it('video exists', videoExists);
     it('logout', logout);
 
-    it('can login', login.bind(null, username, password));
+    it('can OIDC login', loginOIDC.bind(null, username, password));
+    it('can close account setup dialog', closeAccountSetupDialog);
     it('logout', logout);
 
     it('uninstall app', async function () {