Update nginx config according to upstream

instance name or originator it seems

863477173e/server/lib/emailer.ts (L138)

CHANGELOG.md

@@ -200,3 +200,120 @@
 * Enable tracing export using a Jaeger exporter
 * Automatically rebuild native plugin modules on NodeJS ABI change
 
+[2.8.1]
+* Update PeerTube to 4.3.1
+* [Full changelog](https://github.com/Chocobozzz/PeerTube/releases/tag/v4.3.1)
+* Prevent XSS in sort select on pages that list videos. Thanks to Anthony Roth who reported the vulnerability!
+* Fix broken embed player on live reload
+* Fix channel follow when manually approve instance followers is enabled
+* Fix input with number overflow on small screen
+* Fix moderation dropdown overflow on mobile
+
+[2.9.0]
+* Update PeerTube to 5.0.0
+* [Full changelog](https://github.com/Chocobozzz/PeerTube/releases/tag/v5.0.0)
+* Support object storage for live streams tada
+* Support Two Factor authentication (OTP) tada
+* Add explanation on disk space used for user quota admin config #5305
+* Display channel in my videos list
+* Show which playlists videos are added to in my videos list
+* Add Channels link in left menu
+* Add ... after the truncated video name in miniature
+* Add object storage info badge in videos admin overview
+* Add links to video files in videos admin overview
+* Better indicate the live ended in embed by displaying a message and the live preview
+* Force live autoplay by muting the video if necessary when the user was waiting for the live
+* Handle network issues in video player #5138
+* Cache chunks to upload in server to resume upload later #5224
+* Add ability to serve custom static files under /.well-known URL path #5214
+* Use account/channel avatar in account/channel RSS feeds #5325
+* Add filter to sort videos by name #5351
+* Add ability to configure OpenTelemetry Prometheus exporter listening hostname
+
+[2.10.0]
+* Update base image to 4.0.0
+
+[2.10.1]
+* Update PeerTube to 5.0.1
+* [Full changelog](https://github.com/Chocobozzz/PeerTube/releases/tag/v5.0.1)
+* Fix HLS player infinite loading when the live stream/video ends
+* Do not autoplay live without autoplay setting
+* Fix private/internal video playback from Cloudflare object storage
+* Fix local channel stats/OpenTelemetry metric
+* Also display dropdown for videos from the homepage
+* Fix broken P2P with live stream coming from object storage
+* Fix responsive of table pagination
+
+[2.10.2]
+* Remove invokation of 5.0 upgade script
+
+[2.11.0]
+* Update PeerTube to 5.1.0
+* [Full changelog](https://github.com/Chocobozzz/PeerTube/releases/tag/v5.1.0)
+* **IMPORTANT**: If your instance has signup enabled, user registration approval is automatically enabled by the default configuration of this release. You can change this setting in your production.yaml or in the configuration page in the web admin
+Update web browsers support list:
+  * Drop support of Safari 11 on iOS
+  * Drop support of Safari 11 on desktop
+  * Drop support of Firefox 68 on desktop
+* Implement user registration approval (https://docs.joinpeertube.org/admin/managing-users#registration-approval) #5544
+* Add "back to live" button in player
+* Add Icelandic & Ukrainian locales
+* Add Global views default trending algorithm option in admin configuration #5471
+
+[2.12.0]
+* Update PeerTube to 5.2.0
+* [Full changelog](https://github.com/Chocobozzz/PeerTube/releases/tag/v5.2.0)
+* Implement remote transcoding for VOD videos, Live streams and Studio editions tada #5769
+* If enabled, remote PeerTube runners can process these high CPU jobs
+* Admin documentation: https://docs.joinpeertube.org/admin/remote-runners
+* PeerTube runner CLI documentation: https://docs.joinpeertube.org/maintain/tools#peertube-runner
+* Demonstration video: https://peertube2.cpy.re/w/oJwHHYwt4oKjKhLNh2diAY
+* Architecture documentation: https://docs.joinpeertube.org/contribute/architecture#remote-vod-live-transcoding
+* Add Podcast RSS feed support: #5487
+* Add ability to set custom privacy for live replays #5692
+* Render images of markdown fields in About page #5732
+* Admin can disable user video history by default #5728
+* Improve global accessibility
+
+[2.12.1]
+* Update PeerTube to 5.2.1
+* [Full changelog](https://github.com/Chocobozzz/PeerTube/releases/tag/v5.2.1)
+* Fix loading spinner displayed forever on Chrome
+* Fix broken replay with long live name
+* Fix fps transcoding on remote runners
+* Fix terms/code of conduct link toggle
+
+[2.13.0]
+* Update base image to 4.2.0
+
+[2.14.0]
+* Update PeerTube to 6.0.2
+* [Full changelog](https://github.com/Chocobozzz/PeerTube/releases/tag/v6.0.2)
+* [Important breaking changes in 6.0](https://github.com/Chocobozzz/PeerTube/blob/develop/CHANGELOG.md#v600). Some keys in `production.yaml` have been renamed (for example, object storage keys).
+
+[2.15.0]
+* Migrate to OIDC login
+
+[2.15.1]
+* Update PeerTube to 6.0.3
+* [Full changelog](https://github.com/Chocobozzz/PeerTube/releases/tag/v6.0.3)
+* Fix HTML meta tags with attributes that contain quotes
+* Fix time parsing resulting in broken video start time in some cases
+* Fix WebTorrent video import crash
+* Reload Discover page on logout
+* Fix privacy error when updating a live, even if the privacy has not changed
+* Fix invalid remote live state change notification that causes the player to reload
+* Don't apply big play button skin to settings menu
+* Fix downloading video files from object storage with some video names (that include emojis, quotes etc)
+
+[2.15.2]
+* Update PeerTube to 6.0.4
+* [Full changelog](https://github.com/Chocobozzz/PeerTube/releases/tag/v6.0.4)
+* Important: Prevent XSS injection in embed. Thanks Syst3m0ver!
+
+[2.16.0]
+* Update PeerTube to 6.1.0
+* [Full changelog](https://github.com/Chocobozzz/PeerTube/releases/tag/v6.1.0)
+* Compact ActivityPub JSON-LD objects before using them to prevent incorrect access control @tesaguri
+* Protect ActivityPub information related to private/internal/blocked videos
+

CloudronManifest.json

@@ -1,6 +1,6 @@
 {
-  "version": "2.8.0",
-  "upstreamVersion": "4.3.0",
+  "version": "2.16.0",
+  "upstreamVersion": "6.1.0",
   "id": "org.joinpeertube.cloudronapp",
   "title": "PeerTube",
   "author": "PeerTube developers",
@@ -10,7 +10,7 @@
   "tagline": "Take back control of your videos",
   "icon": "file://logo.png",
   "healthCheckPath": "/",
-  "httpPort": 9000,
+  "httpPort": 80,
   "tcpPorts": {
     "RTMP_PORT": {
       "title": "RTMP Port",
@@ -23,10 +23,10 @@
     "localstorage": {},
     "postgresql": {},
     "redis": {},
-    "sendmail": {},
-    "ldap": {}
+    "sendmail": { "supportsDisplayName": false },
+    "oidc": { "loginRedirectUri": "/plugins/auth-openid-connect/router/code-cb" }
   },
-  "memoryLimit": 536870912,
+  "memoryLimit": 1073741824,
   "forumUrl": "https://forum.cloudron.io/category/91/peertube",
   "optionalSso": true,
   "tags": [ "video", "youtube", "vimeo", "blog", "instagram", "media", "federated" ],
@@ -38,7 +38,7 @@
   "changelog": "file://CHANGELOG.md",
   "postInstallMessage": "file://POSTINSTALL.md",
   "documentationUrl": "https://docs.cloudron.io/apps/peertube/",
-  "minBoxVersion": "7.1.0",
+  "minBoxVersion": "7.4.0",
   "manifestVersion": 2
 }
 

Dockerfile

@@ -1,26 +1,17 @@
-FROM cloudron/base:3.2.0@sha256:ba1d566164a67c266782545ea9809dc611c4152e27686fd14060332dd88263ea
+FROM cloudron/base:4.2.0@sha256:46da2fffb36353ef714f97ae8e962bd2c212ca091108d768ba473078319a47f4
 
 RUN mkdir -p /app/code/server /app/pkg
 WORKDIR /app/code/server
 
-# we require ffmpeg 4.4.1 - https://github.com/Chocobozzz/PeerTube/releases/tag/v4.0.0
-# https://lindevs.com/install-ffmpeg-on-ubuntu/
-RUN apt update && \
-    add-apt-repository -y ppa:savoury1/ffmpeg4 && \
-    apt install -y ffmpeg prosody && \
-    rm -rf /var/cache/apt /var/lib/apt/lists
+RUN apt update && apt install -y prosody && rm -rf /var/cache/apt /var/lib/apt/lists
 
-ARG VERSION=4.3.0
+ARG VERSION=6.1.0
 
 # install peertube. the chown is required for some reason for ffmpeg. it fails with EROFS without it when transcoding
 RUN curl -sL https://github.com/Chocobozzz/PeerTube/releases/download/v${VERSION}/peertube-v${VERSION}.tar.xz | tar --strip-components 1 -Jxvf - && \
     yarn install --production --pure-lockfile
 
-RUN mkdir /app/code/cli && \
-    curl -L https://github.com/Chocobozzz/PeerTube/archive/v${VERSION}.tar.gz | tar -zxvf - --strip-components=1 -C /app/code/cli && \
-    cd /app/code/cli && \
-    NOCLIENT=1 yarn install --pure-lockfile && \
-    npm run setup:cli
+RUN npm install -g @peertube/peertube-cli
 
 # the json is created and managed by web ui. it overrides the yaml file (https://github.com/lorenwest/node-config/wiki/Configuration-Files)
 RUN ln -sf /app/data/production.yaml /app/code/server/config/production.yaml && \
@@ -30,7 +21,8 @@ RUN ln -sf /app/data/production.yaml /app/code/server/config/production.yaml &&
 RUN curl -L https://yt-dl.org/downloads/latest/youtube-dl -o /usr/local/bin/youtube-dl && chmod +x /usr/local/bin/youtube-dl
 
 # required when installing plugins/themes that use node-gyp
-RUN rm -rf /home/cloudron/.cache && ln -s /run/peertube/cache /home/cloudron/.cache
+RUN rm -rf /home/cloudron/.cache && ln -s /run/peertube/cache /home/cloudron/.cache && \
+    rm -rf /home/cloudron/.npm && ln -s /run/peertube/npm /home/cloudron/.npm
 
 COPY production.yaml.example start.sh /app/pkg/
 
@@ -39,5 +31,18 @@ ENV NODE_CONFIG_DIR /app/code/server/config
 
 RUN printf '#!/bin/bash\n\ncd /app/code/cli && node dist/server/tools/peertube.js $@\n' > /usr/bin/peertube && chmod +x /usr/bin/peertube
 
+
+# add nginx config
+RUN rm /etc/nginx/sites-enabled/*
+RUN ln -sf /dev/stdout /var/log/nginx/access.log
+RUN ln -sf /dev/stderr /var/log/nginx/error.log
+RUN ln -sf /run/peertube-nginx.conf /etc/nginx/sites-enabled/peertube.conf
+COPY nginx/readonlyrootfs.conf /etc/nginx/conf.d/readonlyrootfs.conf
+COPY nginx/peertube.conf /app/pkg/peertube-nginx.conf
+
+# supervisor
+COPY supervisor/ /etc/supervisor/conf.d/
+RUN sed -e 's,^logfile=.*$,logfile=/run/supervisord.log,' -i /etc/supervisor/supervisord.conf
+
 CMD [ "/app/pkg/start.sh" ]
 

nginx/peertube.conf

@@ -0,0 +1,217 @@
+upstream backend {
+  server 127.0.0.1:9000;
+}
+
+server {
+  listen 80;
+  server_name default_server;
+
+  ##
+  # Application
+  ##
+
+  location @api {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host            $host;
+    proxy_set_header X-Real-IP       $remote_addr;
+
+    client_max_body_size  100k; # default is 1M
+
+    proxy_connect_timeout 10m;
+    proxy_send_timeout    10m;
+    proxy_read_timeout    10m;
+    send_timeout          10m;
+
+    proxy_pass http://backend;
+  }
+
+  location / {
+    try_files /dev/null @api;
+  }
+
+  location ~ ^/api/v1/videos/(upload-resumable|([^/]+/source/replace-resumable))$ {
+    client_max_body_size    0;
+    proxy_request_buffering off;
+
+    try_files /dev/null @api;
+  }
+
+  location ~ ^/api/v1/users/[^/]+/imports/import-resumable$ {
+    client_max_body_size    0;
+    proxy_request_buffering off;
+
+    try_files /dev/null @api;
+  }
+
+  location ~ ^/api/v1/videos/(upload|([^/]+/studio/edit))$ {
+    limit_except POST HEAD { deny all; }
+
+    # This is the maximum upload size, which roughly matches the maximum size of a video file.
+    # Note that temporary space is needed equal to the total size of all concurrent uploads.
+    # This data gets stored in /var/lib/nginx by default, so you may want to put this directory
+    # on a dedicated filesystem.
+    client_max_body_size                      12G; # default is 1M
+    add_header            X-File-Maximum-Size 8G always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size)
+
+    try_files /dev/null @api;
+  }
+
+  location ~ ^/api/v1/runners/jobs/[^/]+/(update|success)$ {
+    client_max_body_size                      12G; # default is 1M
+    add_header            X-File-Maximum-Size 8G always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size)
+
+    try_files /dev/null @api;
+  }
+
+  location ~ ^/api/v1/(videos|video-playlists|video-channels|users/me) {
+    client_max_body_size                      6M; # default is 1M
+    add_header            X-File-Maximum-Size 4M always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size)
+
+    try_files /dev/null @api;
+  }
+
+  ##
+  # Websocket
+  ##
+
+  location @api_websocket {
+    proxy_http_version 1.1;
+    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header   Host            $host;
+    proxy_set_header   X-Real-IP       $remote_addr;
+    proxy_set_header   Upgrade         $http_upgrade;
+    proxy_set_header   Connection      "upgrade";
+
+    proxy_pass http://backend;
+  }
+
+  location /socket.io {
+    try_files /dev/null @api_websocket;
+  }
+
+  location /tracker/socket {
+    # Peers send a message to the tracker every 15 minutes
+    # Don't close the websocket before then
+    proxy_read_timeout 15m; # default is 60s
+
+    try_files /dev/null @api_websocket;
+  }
+
+  # Plugin websocket routes
+  location ~ ^/plugins/[^/]+(/[^/]+)?/ws/ {
+    try_files /dev/null @api_websocket;
+  }
+
+  ##
+  # Performance optimizations
+  # For extra performance please refer to https://github.com/denji/nginx-tuning
+  ##
+
+  #  root /var/www/peertube/storage;
+  root /app/data/storage;
+
+  # Enable compression for JS/CSS/HTML, for improved client load times.
+  # It might be nice to compress JSON/XML as returned by the API, but
+  # leaving that out to protect against potential BREACH attack.
+  gzip              on;
+  gzip_vary         on;
+  gzip_types        # text/html is always compressed by HttpGzipModule
+                    text/css
+                    application/javascript
+                    font/truetype
+                    font/opentype
+                    application/vnd.ms-fontobject
+                    image/svg+xml;
+  gzip_min_length   1000; # default is 20 bytes
+  gzip_buffers      16 8k;
+  gzip_comp_level   2; # default is 1
+
+  client_body_timeout       30s; # default is 60
+  client_header_timeout     10s; # default is 60
+  send_timeout              10s; # default is 60
+  keepalive_timeout         10s; # default is 75
+  resolver_timeout          10s; # default is 30
+  reset_timedout_connection on;
+  proxy_ignore_client_abort on;
+
+  tcp_nopush                on; # send headers in one piece
+  tcp_nodelay               on; # don't buffer data sent, good for small data bursts in real time
+
+  # If you have a small /var/lib partition, it could be interesting to store temp nginx uploads in a different place
+  # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
+  #client_body_temp_path /var/www/peertube/storage/nginx/;
+
+  # Bypass PeerTube for performance reasons. Optional.
+  # Should be consistent with client-overrides assets list in client.ts server controller
+  location ~ ^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png|default-playlist\.jpg|default-avatar-account\.png|default-avatar-account-48x48\.png|default-avatar-video-channel\.png|default-avatar-video-channel-48x48\.png))$ {
+    add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
+
+    root /app/code/server;
+
+    #    try_files /storage/client-overrides/$1 /peertube-latest/client/dist/$1 @api;
+    try_files /app/data/storage/client-overrides/$1 /app/code/server/client/dist/$1 @api;
+  }
+
+  # Bypass PeerTube for performance reasons. Optional.
+  location ~ ^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$ {
+    add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
+
+    #    alias /var/www/peertube/peertube-latest/client/dist/$1;
+    alias /app/code/server/client/dist/$1;
+  }
+
+  location ~ ^(/static/(webseed|web-videos|streaming-playlists/hls)/private/)|^/download {
+    # We can't rate limit a try_files directive, so we need to duplicate @api
+
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host            $host;
+    proxy_set_header X-Real-IP       $remote_addr;
+
+    proxy_limit_rate 5M;
+
+    proxy_pass http://backend;
+  }
+
+  # Bypass PeerTube for performance reasons. Optional.
+  location ~ ^/static/(webseed|web-videos|redundancy|streaming-playlists)/ {
+    limit_rate_after            5M;
+
+    set $peertube_limit_rate  5M;
+
+    # Use this line with nginx >= 1.17.0
+    limit_rate $peertube_limit_rate;
+    # Or this line with nginx < 1.17.0
+    # set $limit_rate $peertube_limit_rate;
+
+    if ($request_method = 'OPTIONS') {
+      add_header Access-Control-Allow-Origin  '*';
+      add_header Access-Control-Allow-Methods 'GET, OPTIONS';
+      add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+      add_header Access-Control-Max-Age       1728000; # Preflight request can be cached 20 days
+      add_header Content-Type                 'text/plain charset=UTF-8';
+      add_header Content-Length               0;
+      return 204;
+    }
+
+    if ($request_method = 'GET') {
+      add_header Access-Control-Allow-Origin  '*';
+      add_header Access-Control-Allow-Methods 'GET, OPTIONS';
+      add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+
+      # Don't spam access log file with byte range requests
+      access_log off;
+    }
+
+    # Enabling the sendfile directive eliminates the step of copying the data into the buffer
+    # and enables direct copying data from one file descriptor to another.
+    sendfile on;
+    sendfile_max_chunk 1M; # prevent one fast connection from entirely occupying the worker process. should be > 800k.
+    aio threads;
+
+    # web-videos is the name of the directory mapped to the `storage.web_videos` key in your PeerTube configuration
+    rewrite ^/static/webseed/(.*)$ /web-videos/$1 break;
+    rewrite ^/static/(.*)$         /$1        break;
+
+    try_files $uri @api;
+  }
+}

nginx/readonlyrootfs.conf

@@ -0,0 +1,7 @@
+# this is already in a http block
+
+client_body_temp_path /run/nginx;
+proxy_temp_path /run/nginx;
+fastcgi_temp_path /run/nginx;
+uwsgi_temp_path /run/nginx;
+scgi_temp_path /run/nginx;

production.yaml.example

@@ -76,12 +76,13 @@ email:
 storage:
   tmp: '/app/data/storage/tmp/' # Use to download data (imports etc), store uploaded files before processing...
   avatars: '/app/data/storage/avatars/'
-  videos: '/app/data/storage/videos/'
+  web_videos: '/app/data/storage/web-videos/'
   streaming_playlists: '/app/data/storage/streaming-playlists/'
   redundancy: '/app/data/storage/redundancy/'
   logs: '/app/data/storage/logs/'
   previews: '/app/data/storage/previews/'
   thumbnails: '/app/data/storage/thumbnails/'
+  storyboards: '/app/data/storage/storyboards/'
   torrents: '/app/data/storage/torrents/'
   captions: '/app/data/storage/captions/'
   cache: '/app/data/storage/cache/'
@@ -240,7 +241,7 @@ transcoding:
   # Generate videos in a WebTorrent format (what we do since the first PeerTube release)
   # If you also enabled the hls format, it will multiply videos storage by 2
   # If disabled, breaks federation with PeerTube instances < 2.1
-  webtorrent:
+  web_videos:
     enabled: true
 
   # /!\ Requires ffmpeg >= 4.1

start.sh

@@ -2,22 +2,48 @@
 
 set -eu
 
-mkdir -p /app/data/storage /run/peertube/cache
+mkdir -p /app/data/storage /run/peertube/cache /run/peertube/npm /tmp/peertube
 
 # do not rely on WORKDIR
 cd /app/code/server
 
-update_ldap() {
-    echo "==> Updating Ldap credentials"
+migrate_ldap_to_oidc() {
+    USERS_TO_MIGRATE=$(PGPASSWORD=${CLOUDRON_POSTGRESQL_PASSWORD} psql -h ${CLOUDRON_POSTGRESQL_HOST} -p ${CLOUDRON_POSTGRESQL_PORT} -U ${CLOUDRON_POSTGRESQL_USERNAME} -d ${CLOUDRON_POSTGRESQL_DATABASE} -AXqtc "SELECT count(*) FROM \"user\" u WHERE \"pluginAuth\"='peertube-plugin-auth-ldap'")
+    echo "==> Migrating users to OIDC";
+    echo "      Users to migrate: ${USERS_TO_MIGRATE}"
+    if [ ${USERS_TO_MIGRATE} -gt 0 ]; then
+        PGPASSWORD=${CLOUDRON_POSTGRESQL_PASSWORD} psql -h ${CLOUDRON_POSTGRESQL_HOST} -p ${CLOUDRON_POSTGRESQL_PORT} -U ${CLOUDRON_POSTGRESQL_USERNAME} -d ${CLOUDRON_POSTGRESQL_DATABASE} -c "UPDATE \"user\" SET \"pluginAuth\"='peertube-plugin-auth-openid-connect' WHERE \"pluginAuth\"='peertube-plugin-auth-ldap'"
+    fi
+
+    LDAP_PLUGIN_INSTALLED=$(PGPASSWORD=${CLOUDRON_POSTGRESQL_PASSWORD} psql -h ${CLOUDRON_POSTGRESQL_HOST} -p ${CLOUDRON_POSTGRESQL_PORT} -U ${CLOUDRON_POSTGRESQL_USERNAME} -d ${CLOUDRON_POSTGRESQL_DATABASE} -AXqtc "SELECT count(*) FROM \"plugin\" WHERE name='auth-ldap'")
+    if [ ${LDAP_PLUGIN_INSTALLED} -gt 0 ]; then
+        echo "==> Uninstalling LDAP plugin"
+        gosu cloudron:cloudron npm run plugin:uninstall -- -n peertube-plugin-auth-ldap
+
+        echo "==> Deleting LDAP settings"
+        PGPASSWORD=${CLOUDRON_POSTGRESQL_PASSWORD} psql -h ${CLOUDRON_POSTGRESQL_HOST} -p ${CLOUDRON_POSTGRESQL_PORT} -U ${CLOUDRON_POSTGRESQL_USERNAME} -d ${CLOUDRON_POSTGRESQL_DATABASE} -c "DELETE FROM \"plugin\" WHERE name='auth-ldap'"
+    fi
+}
+
+install_oidc() {
+    # https://docs.joinpeertube.org/maintain-tools?id=cli-wrapper . Note that we have to restart peertube when installed this way
+    if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
+        echo "==> Installing OIDC plugin"
+        gosu cloudron:cloudron npm run plugin:install -- -n peertube-plugin-auth-openid-connect -v 0.1.1
+        update_oidc
+    fi
+}
+
+update_oidc() {
+    echo "==> Updating OIDC config"
 
     PGPASSWORD=${CLOUDRON_POSTGRESQL_PASSWORD} psql -h ${CLOUDRON_POSTGRESQL_HOST} -p ${CLOUDRON_POSTGRESQL_PORT} -U ${CLOUDRON_POSTGRESQL_USERNAME} -d ${CLOUDRON_POSTGRESQL_DATABASE} \
-        -c "UPDATE plugin SET settings='{\"url\": \"${CLOUDRON_LDAP_URL}\", \"weight\": 100, \"insecure-tls\": false, \"bind-dn\": \"${CLOUDRON_LDAP_BIND_DN}\", \"bind-credentials\": \"${CLOUDRON_LDAP_BIND_PASSWORD}\", \"search-base\": \"${CLOUDRON_LDAP_USERS_BASE_DN}\", \"mail-property\": \"mail\", \"search-filter\": \"(|(mail={{username}})(username={{username}}))\", \"username-property\": \"username\"}' WHERE name='auth-ldap'"
+        -c "UPDATE plugin SET settings='{\"scope\": \"openid email profile\", \"client-id\": \"${CLOUDRON_OIDC_CLIENT_ID}\", \"discover-url\": \"${CLOUDRON_OIDC_DISCOVERY_URL}\", \"client-secret\": \"${CLOUDRON_OIDC_CLIENT_SECRET}\", \"mail-property\": \"email\", \"auth-display-name\": \"Cloudron\", \"username-property\": \"preferred_username\", \"signature-algorithm\": \"RS256\", \"display-name-property\": \"name\"}' WHERE name='auth-openid-connect'"
 }
 
 first_time_setup() {
     echo "==> Starting peertube to run migrations on first run"
-    npm start &  # be wary of https://stackoverflow.com/questions/70738567/why-does-running-npm-run-script-as-root-switch-user
-    peertube_pid=$!
+    gosu cloudron:cloudron npm start &  # be wary of https://stackoverflow.com/questions/70738567/why-does-running-npm-run-script-as-root-switch-user
     sleep 10
 
     while ! curl --silent --output /dev/null --fail http://localhost:9000/; do
@@ -25,22 +51,26 @@ first_time_setup() {
         sleep 5
     done
 
-    kill -SIGTERM ${peertube_pid} # this kills the process group
+    killall -SIGTERM peertube # this kills the process group
+    sleep 5
 
     echo "==> Reset root password"
-    echo "changeme" | npm run reset-password -- -u root
+    echo "changeme" | gosu cloudron:cloudron npm run reset-password -- -u root
+    sleep 5  # the above command seems to spawn a separate process to change password in background
 
-    # https://docs.joinpeertube.org/maintain-tools?id=cli-wrapper . Note that we have to restart peertube when installed this way
-    if [[ -n "${CLOUDRON_LDAP_SERVER:-}" ]]; then
-        echo "==> Installing LDAP plugin"
-        npm run plugin:install -- -n peertube-plugin-auth-ldap -v 0.0.10
-        update_ldap
-    fi
+    install_oidc
+
+    echo "==> First time setup complete"
 }
 
 update_config() {
     echo "==> Ensure and updating configs"
 
+    # version 5 needs this now
+    if [[ `yq eval '.secrets | has("peertube")' /app/data/production.yaml` != "true" ]]; then
+        yq eval ".secrets.peertube = \"`openssl rand -hex 32`\"" -i /app/data/production.yaml
+    fi
+
     yq eval ".webserver.hostname = \"${CLOUDRON_APP_DOMAIN}\"" -i /app/data/production.yaml
 
     # database
@@ -65,9 +95,36 @@ update_config() {
     yq eval ".smtp.disable_starttls = true" -i /app/data/production.yaml
     yq eval ".smtp.from_address = \"${CLOUDRON_MAIL_FROM}\"" -i /app/data/production.yaml
 
+    # ensure settings which were later added
     yq eval ".storage.bin = \"/app/data/storage/bin/\"" -i /app/data/production.yaml
+    yq eval ".storage.well_known = \"/app/data/storage/well_known/\"" -i /app/data/production.yaml
+    yq eval ".storage.tmp_persistent = \"/app/data/storage/tmp_persistent/\"" -i /app/data/production.yaml
+
+    # changes for 6.0.0
+    yq eval ".storage.storyboards = \"/app/data/storage/storyboards/\"" -i /app/data/production.yaml
+    if [[ -d "/app/data/storage/videos" ]]; then
+        echo "==> Migrate videos/ to videos-web/"
+        mv /app/data/storage/videos /app/data/storage/web-videos
+    fi
+    yq eval ".storage.web_videos = \"/app/data/storage/web-videos/\"" -i /app/data/production.yaml
+    yq eval "del(.storage.videos)" -i /app/data/production.yaml
+    yq eval "del(.transcoding.webtorrent)" -i /app/data/production.yaml
+    yq eval ".transcoding.web_videos.enabled = true" -i /app/data/production.yaml
+
+    # changes for 6.1.0
+    yq eval ".storage.original_video_files = \"/app/data/storage/original_video_files/\"" -i /app/data/production.yaml
 }
 
+echo "==> Changing ownership"
+chown -R cloudron:cloudron /app/data /run/peertube /tmp/peertube
+
+# Set eviction policy to prevent warnings - https://docs.bullmq.io/guide/going-to-production#max-memory-policy
+while ! REDISCLI_AUTH="${CLOUDRON_REDIS_PASSWORD}" redis-cli -h "${CLOUDRON_REDIS_HOST}" -p "${CLOUDRON_REDIS_PORT}" ping >/dev/null; do
+    echo "==> Waiting for redis"
+    sleep 5
+done
+REDISCLI_AUTH="${CLOUDRON_REDIS_PASSWORD}"  redis-cli -h "${CLOUDRON_REDIS_HOST}" -p "${CLOUDRON_REDIS_PORT}" CONFIG SET maxmemory-policy noeviction
+
 # cd /var/www/peertube/peertube-latest/scripts && sudo -H -u peertube ./upgrade.sh
 if [[ ! -f "/app/data/production.yaml" ]]; then
     echo "==> First run. creating config"
@@ -77,11 +134,16 @@ if [[ ! -f "/app/data/production.yaml" ]]; then
     first_time_setup
 else
     update_config
-
-    [[ -n "${CLOUDRON_LDAP_SERVER:-}" ]] && update_ldap
+    if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
+        install_oidc
+        migrate_ldap_to_oidc
+        update_oidc
+    fi
 fi
 
-chown -R cloudron:cloudron /app/data /run/peertube
+echo "==> Configuring nginx"
+cp /app/pkg/peertube-nginx.conf /run/peertube-nginx.conf
 
 echo "==> Starting PeerTube"
-exec gosu cloudron:cloudron npm start
+#exec gosu cloudron:cloudron npm start
+exec /usr/bin/supervisord --configuration /etc/supervisor/supervisord.conf --nodaemon -i PeerTube

supervisor/nginx.conf

@@ -0,0 +1,11 @@
+[program:nginx]
+priority=100
+directory=/tmp
+command=/usr/sbin/nginx -g "daemon off;"
+user=root
+autostart=true
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0

supervisor/peertube.conf

@@ -0,0 +1,11 @@
+[program:peertube]
+directory=/app/code/server
+user=cloudron
+environment=HOME="/home/cloudron",USER="cloudron"
+command=npm start
+autostart=true
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0

test/package.json

@@ -10,11 +10,11 @@
   "license": "ISC",
   "devDependencies": {
     "expect.js": "^0.3.1",
-    "mocha": "^10.0.0"
+    "mocha": "^10.4.0"
   },
   "dependencies": {
-    "chromedriver": "^105.0.1",
-    "selenium-server-standalone-jar": "^3.141.59",
-    "selenium-webdriver": "^4.4.0"
+    "chromedriver": "^124.0.1",
+    "safetydance": "^2.4.0",
+    "selenium-webdriver": "^4.20.0"
   }
 }

test/test.js

@@ -12,7 +12,9 @@ require('chromedriver');
 
 const execSync = require('child_process').execSync,
     expect = require('expect.js'),
+    readlinePromises = require('readline/promises'),
     path = require('path'),
+    safe = require('safetydance'),
     util = require('util'),
     { Builder, By, Key, until } = require('selenium-webdriver'),
     { Options } = require('selenium-webdriver/chrome');
@@ -29,11 +31,13 @@ describe('Application life cycle test', function () {
     const TEST_TIMEOUT = parseInt(process.env.TEST_TIMEOUT, 10) || 30000;
     const EXEC_ARGS = { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' };
 
-    var browser;
-    var app;
-    var username = process.env.USERNAME;
-    var password = process.env.PASSWORD;
-    var email = process.env.EMAIL;
+    let browser;
+    let app;
+    let host_os;
+    let username = process.env.USERNAME;
+    let password = process.env.PASSWORD;
+    let email = process.env.EMAIL;
+    let athenticated_by_oidc = false;
 
     before(function () {
         browser = new Builder().forBrowser('chrome').setChromeOptions(new Options().windowSize({ width: 1280, height: 1024 })).build();
@@ -44,11 +48,17 @@ describe('Application life cycle test', function () {
     });
 
     function getAppInfo() {
-        var inspect = JSON.parse(execSync('cloudron inspect'));
+        let inspect = JSON.parse(execSync('cloudron inspect'));
         app = inspect.apps.filter(function (a) { return a.location.indexOf(LOCATION) === 0; })[0];
         expect(app).to.be.an('object');
     }
 
+    async function getOS() {
+        if (typeof(host_os) == 'undefined' || host_os == null)
+            host_os = String(await execSync('uname -s')).trim();
+        return host_os;
+    }
+
     async function waitForElement(elem) {
         await browser.wait(until.elementLocated(elem), TEST_TIMEOUT);
         await browser.wait(until.elementIsVisible(browser.findElement(elem)), TEST_TIMEOUT);
@@ -68,9 +78,31 @@ describe('Application life cycle test', function () {
         await waitForElement(By.xpath('//a[contains(@href, "/my-library")]'));
     }
 
+    async function loginOIDC(username, password) {
+        browser.manage().deleteAllCookies();
+        await browser.get(`https://${app.fqdn}/login`);
+        await browser.sleep(2000);
+
+        await browser.wait(until.elementLocated(By.xpath('//a[contains(., "Cloudron")]')), TEST_TIMEOUT);
+        await browser.findElement(By.xpath('//a[contains(., "Cloudron")]')).click();
+        await browser.sleep(2000);
+
+        if (!athenticated_by_oidc) {
+            await waitForElement(By.id('inputUsername'));
+            await browser.findElement(By.id('inputUsername')).sendKeys(username);
+            await browser.findElement(By.id('inputPassword')).sendKeys(password);
+            await browser.findElement(By.id('loginSubmitButton')).click();
+
+            athenticated_by_oidc = true;
+        }
+        await browser.sleep(20000);
+        await waitForElement(By.xpath('//a[contains(@href, "/my-library")]'));
+    }
+
     async function closeAccountSetupDialog() {
         await browser.get('https://' + app.fqdn);
 
+        await waitForElement(By.xpath('//span[contains(text(), "show me this anymore")]'));
         await browser.findElement(By.xpath('//span[contains(text(), "show me this anymore")]')).click();
         await browser.findElement(By.xpath('//a[contains(text(), "Set up")]')).click();
         await browser.sleep(3000);
@@ -82,28 +114,40 @@ describe('Application life cycle test', function () {
         await browser.sleep(2000);
         await browser.findElement(By.xpath('//div[@class="logged-in-display-name"]')).click();
         await browser.sleep(2000);
-        await browser.findElement(By.xpath('//a[contains(text(), "Log out")]')).click();
+        await browser.findElement(By.xpath('//button[contains(text(), "Log out")]')).click();
         await browser.sleep(2000);
     }
 
     async function completeSetup() {
-        var button;
+        let button;
 
         await browser.get(`https://${app.fqdn}`);
-        await waitForElement(By.xpath('//a[contains(text(), "Configure my instance")]'));
+        await browser.sleep(2000);
+
+        const [error] = await safe(waitForElement(By.xpath('//a[contains(text(), "Configure my instance")]')));
+        if (error) return; // sometimes it doesn't appear, maybe it's cached in local storage
         await browser.findElement(By.xpath('//a[contains(text(), "Configure my instance")]')).click(); // this opens a new window
 
-        console.log('Close the newly opened tab. Will wait for 10 seconds');
-        await browser.sleep(10000);
+        const say_cmd = await getOS() == "Darwin" ? "say" : "spd-say";
+        execSync(`${say_cmd} "Close the newly opened configuration tab."`);
+
+        const rl = readlinePromises.createInterface({ input: process.stdin, output: process.stdout });
+        await rl.question('Is tab closed? ');
     }
 
     async function uploadVideo() {
-        browser.get('https://' + app.fqdn + '/videos/upload');
-        await browser.sleep(2000);
-        await browser.findElement(By.xpath('//input[@id="videofile" and @type="file"]')).sendKeys(path.resolve(__dirname, './Cloudron Test Video.mp4'));
+        await browser.get(`https://${app.fqdn}/videos/upload#upload`);
+        await browser.sleep(3000);
+        await browser.wait(until.elementLocated(By.id('videofile')), TEST_TIMEOUT); // do not do element visible check . it fails, no clue why
+        await browser.findElement(By.id('videofile')).sendKeys(path.resolve(__dirname, './Cloudron Test Video.mp4'));
+        console.log('waiting 10 seconds for upload');
         await browser.sleep(10000); // wait for upload
+
         await waitForElement(By.xpath('//div[@class="submit-container"]//span[text()="Publish"]'));
-        await browser.findElement(By.xpath('//div[@class="submit-container"]//span[text()="Publish"]')).click();
+        let button = browser.findElement(By.xpath('//div[@class="submit-container"]//span[text()="Publish"]'));
+        await browser.executeScript('arguments[0].scrollIntoView(false)', button);
+        await browser.sleep(2000);
+        await button.click();
         await browser.sleep(2000);
     }
 
@@ -115,7 +159,7 @@ describe('Application life cycle test', function () {
     xit('build app', function () { execSync('cloudron build', EXEC_ARGS); });
     it('install app', async function () {
         execSync('cloudron install --location ' + LOCATION, EXEC_ARGS);
-        await sleep(10000); // takes a bit to create root user in background
+        await sleep(40000); // takes a bit to create root user in background
     });
 
     it('can get app information', getAppInfo);
@@ -125,7 +169,7 @@ describe('Application life cycle test', function () {
     it('video exists', videoExists);
     it('logout', logout);
 
-    it('can login', login.bind(null, username, password));
+    it('can OIDC login', loginOIDC.bind(null, username, password));
     it('can close account setup dialog', closeAccountSetupDialog);
     it('logout', logout);
 
@@ -143,7 +187,7 @@ describe('Application life cycle test', function () {
     it('video exists', videoExists);
     it('logout', logout);
 
-    it('can login', login.bind(null, username, password));
+    it('can OIDC login', loginOIDC.bind(null, username, password));
     it('logout', logout);
 
     it('can restart app', function () {
@@ -153,7 +197,7 @@ describe('Application life cycle test', function () {
     it('video exists', videoExists);
     it('logout', logout);
 
-    it('can login', login.bind(null, username, password));
+    it('can OIDC login', loginOIDC.bind(null, username, password));
     it('logout', logout);
 
     // this is not supported for federation
@@ -164,7 +208,7 @@ describe('Application life cycle test', function () {
     it('video exists', videoExists);
     it('logout', logout);
 
-    it('can login', login.bind(null, username, password));
+    it('can OIDC login', loginOIDC.bind(null, username, password));
     it('logout', logout);
 
     it('uninstall app', async function () {
@@ -206,7 +250,8 @@ describe('Application life cycle test', function () {
     it('video exists', videoExists);
     it('logout', logout);
 
-    it('can login', login.bind(null, username, password));
+    it('can OIDC login', loginOIDC.bind(null, username, password));
+    it('can close account setup dialog', closeAccountSetupDialog);
     it('logout', logout);
 
     it('uninstall app', async function () {