chore: publish 6.0.1+v6.0.0-bookworm release

- Use `file_env` for db_password
- Add missing `PEERTUBE_SECRET`
- Add `generate_secret` local abra command

.drone.yml

@@ -3,10 +3,13 @@ kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
   - name: deployment
-    image: decentral1se/stack-ssh-deploy:latest
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
     settings:
       host: swarm-test.autonomic.zone
       stack: peertube
+      generate_secrets: true
+      networks:
+       - proxy
       purge: true
       deploy_key:
         from_secret: drone_ssh_swarm_test
@@ -14,16 +17,25 @@ steps:
       DOMAIN: peertube.swarm-test.autonomic.zone
       STACK_NAME: peertube
       LETS_ENCRYPT_ENV: production
+      NGINX_CONFIG_VERSION: v1
+      APP_ENTRYPOINT_VERSION: v1
+      SECRET_DB_PASSWORD_VERSION: v1
 trigger:
   branch:
     - main
 ---
 kind: pipeline
-name: recipe release
+name: generate recipe catalogue
 steps:
   - name: release a new version
-    image: thecoopcloud/drone-abra:latest
+    image: plugins/downstream
     settings:
-      command: recipe peertube release
-      deploy_key:
-        from_secret: abra_bot_deploy_key
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - toolshed/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -2,6 +2,7 @@ TYPE=peertube
 
 DOMAIN=peertube.example.com              # <= EDIT THIS
 LETS_ENCRYPT_ENV=production
+COMPOSE_FILE=compose.yml
 
 PEERTUBE_WEBSERVER_PORT=443
 PEERTUBE_WEBSERVER_HTTPS=true
@@ -12,6 +13,10 @@ PEERTUBE_CONTACT_FORM_ENABLED=false
 
 SECRET_DB_PASSWORD_VERSION=v1
 
+# Comment out these lines if you want to store the peertube secret in a config file instead of a docker secret
+COMPOSE_FILE="$COMPOSE_FILE:compose.peertube-secret.yml"
+SECRET_PEERTUBE_SECRET_VERSION=v1
+
 ## Webseed backend
 #
 #  If no NGINX_WEBSEED option is enabled, videos will be served
@@ -45,3 +50,6 @@ SECRET_DB_PASSWORD_VERSION=v1
 
 ## Live chat settings
 #PEERTUBE_LIVE_CHAT_ENABLED=1
+
+## Healthcheck settings
+PEERTUBE_LOG_PING_REQUESTS=false

README.md

@@ -20,12 +20,13 @@ An ActivityPub-federated video streaming platform using P2P directly in your web
 
 1. Set up Docker Swarm and [`abra`]
 2. Deploy [`coop-cloud/traefik`]
-3. `abra app new peertube --secrets` (optionally with `--pass` if you'd like
-   to save secrets in `pass`)
-4. `abra app YOURAPPDOMAIN config` - be sure to change `DOMAIN` to something that resolves to
+3. `abra app new peertube`
+4. `abra app cmd -l YOURAPPDOMAIN generate_secret`
+5. `abra app secret generate YOURAPPDOMAIN -a`
+6. `abra app config YOURAPPDOMAIN` - be sure to change `DOMAIN` to something that resolves to
    your Docker swarm box
-5. `abra app YOURAPPDOMAIN deploy`
-6. Open the configured domain in your browser to finish set-up
+7. `abra app deploy YOURAPPDOMAIN`
+8. Open the configured domain in your browser to finish set-up
 
 ## Host-mode networking
 
@@ -40,8 +41,8 @@ This will avoid issues like [`#7`](https://git.coopcloud.tech/coop-cloud/peertub
 ## Email
 
 1. Deploy [`coop-cloud/postfix-relay`] or use an external SMTP relay
-2. `abra app YOURAPPDOMAIN config`, and uncomment the email lines and adjust as needed
-3. `abra app YOURAPPDOMAIN deploy`
+2. `abra app config YOURAPPDOMAIN`, and uncomment the email lines and adjust as needed
+3. `abra app deploy YOURAPPDOMAIN`
 
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
 [`coop-cloud/traefik`]: https://git.autonomic.zone/coop-cloud/traefik

abra.sh

@@ -1,7 +1,11 @@
 # shellcheck disable=SC2034,SC2145
 
-export NGINX_CONFIG_VERSION=v3
-export APP_ENTRYPOINT_VERSION=v5
+export NGINX_CONFIG_VERSION=v5
+export APP_ENTRYPOINT_VERSION=v7
+
+generate_secret() {
+  abra app secret insert "$APP_NAME" peertube_secret v1 "$(openssl rand -hex 32)" --chaos
+}
 
 sub_npm() {
   abra__service_="app"

compose.peertube-secret.yml

@@ -0,0 +1,14 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - PEERTUBE_SECRET_FILE=/run/secrets/peertube_secret
+    secrets:
+      - peertube_secret
+
+secrets:
+  peertube_secret:
+    external: true
+    name: ${STACK_NAME}_peertube_secret_${SECRET_PEERTUBE_SECRET_VERSION}

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   web:
-    image: nginx:1.20.0
+    image: nginx:1.27.4
     networks:
       - proxy
       - internal
@@ -27,6 +27,11 @@ services:
     deploy:
       restart_policy:
         condition: on-failure
+      update_config:
+        failure_action: rollback
+        order: start-first
+      rollback_config:
+        order: start-first
       labels:
         - "traefik.enable=true"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
@@ -35,15 +40,16 @@ services:
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
 
   app:
-    image: chocobozzz/peertube:v4.2.2-bullseye
+    image: chocobozzz/peertube:v6.0.0-bookworm
     environment:
       - PEERTUBE_ADMIN_EMAIL
       - PEERTUBE_CONTACT_FORM_ENABLED
       - PEERTUBE_DB_HOSTNAME=db
-      - PEERTUBE_DB_PASSWORD_FILE=/run/secrets/db_password
       - PEERTUBE_DB_PORT=5432
       - PEERTUBE_DB_USERNAME=peertube
+      - PEERTUBE_DB_PASSWORD_FILE=/run/secrets/db_password
       - PEERTUBE_LIVE_CHAT_ENABLED
+      - PEERTUBE_LOG_PING_REQUESTS
       - PEERTUBE_REDIS_HOSTNAME=cache
       - PEERTUBE_SIGNUP_ENABLED
       - PEERTUBE_SMTP_ENABLED
@@ -62,39 +68,48 @@ services:
       - source: app_entrypoint
         target: /docker-entrypoint.sh
         mode: 0555
-    command: npm start
+    command: node dist/server
     healthcheck:
-      test: 'nodejs -e "http.get(''http://localhost:9000/api/v1/ping'', (res) => { console.log(''status: '', res.statusCode); if (res.statusCode == 200) { process.exit(0); } else { process.exit(1); } });"'
-      interval: 1m
-      timeout: 30s
-      retries: 3
-      start_period: 1m
+      test: curl -f http://localhost:9000/v1/api/ping || exit 1
+      interval: 10s
+      timeout: 3s
+      retries: 20
     entrypoint: /docker-entrypoint.sh
     networks:
       - internal
     deploy:
       labels:
-        - "coop-cloud.${STACK_NAME}.version=2.2.0+v4.2.2-bullseye"
+        - "coop-cloud.${STACK_NAME}.version=6.0.1+v6.0.0-bookworm"
 
   db:
-    image: postgres:10-alpine
+    image: pgautoupgrade/pgautoupgrade:17-alpine
     environment:
       - POSTGRES_USER=peertube
-      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
       - POSTGRES_DB=peertube
+      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
     secrets:
       - db_password
     volumes:
       - postgres-data:/var/lib/postgresql/data
     networks:
       - internal
+    healthcheck:
+      test: pg_isready -U peertube
+      interval: 10s
+      timeout: 5s
+      retries: 10
 
   cache:
-    image: redis:4-alpine
+    image: redis:7-alpine
     volumes:
       - redis-data:/data
     networks:
       - internal
+    healthcheck:
+      test: redis-cli ping
+      interval: 10s
+      timeout: 5s
+      retries: 10
 
 networks:
   internal:

entrypoint.sh.tmpl

@@ -25,6 +25,7 @@ file_env() {
 }
 
 file_env "PEERTUBE_DB_PASSWORD"
+file_env "PEERTUBE_SECRET"
 
 {{ if eq (env "PEERTUBE_SMTP_ENABLED") "1" }}
 file_env "PEERTUBE_SMTP_PASSWORD"

nginx.conf.tmpl

@@ -39,7 +39,7 @@ http {
       try_files /dev/null @api;
     }
 
-    location = /api/v1/videos/upload-resumable {
+    location ~ ^/api/v1/videos/(upload-resumable|([^/]+/source/replace-resumable))$ {
       client_max_body_size    0;
       proxy_request_buffering off;
 
@@ -148,31 +148,24 @@ http {
       alias /var/www/peertube/peertube-latest/client/dist/$1;
     }
 
-    # Bypass PeerTube for performance reasons. Optional.
-    location ~ ^/static/(thumbnails|avatars)/ {
-      if ($request_method = 'OPTIONS') {
-        add_header Access-Control-Allow-Origin  '*';
-        add_header Access-Control-Allow-Methods 'GET, OPTIONS';
-        add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
-        add_header Access-Control-Max-Age       1728000; # Preflight request can be cached 20 days
-        add_header Content-Type                 'text/plain charset=UTF-8';
-        add_header Content-Length               0;
-        return 204;
-      }
+    # Plugin websocket routes
+    location ~ ^/plugins/[^/]+(/[^/]+)?/ws/ {
+      try_files /dev/null @api_websocket;
+    }
 
-      add_header Access-Control-Allow-Origin    '*';
-      add_header Access-Control-Allow-Methods   'GET, OPTIONS';
-      add_header Access-Control-Allow-Headers   'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
-      add_header Cache-Control                  "public, max-age=7200"; # Cache response 2 hours
-
-      rewrite ^/static/(.*)$ /$1 break;
-
-      try_files $uri @api;
+      location ~ ^(/static/(webseed|web-videos|streaming-playlists)/private/)|^/download {
+      #We can't rate limit a try_files directive, so we need to duplicate @api
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header Host            $host;
+      proxy_set_header X-Real-IP       $remote_addr;
+      
+      proxy_limit_rate 5M;
+      proxy_pass http://backend;
     }
 
     # Bypass PeerTube for performance reasons. Optional.
-    location ~ ^/static/(webseed|redundancy|streaming-playlists)/ {
-      limit_rate_after            5M;
+      location ~ ^/static/(webseed|web-videos|redundancy|streaming-playlists)/ {
+	limit_rate_after            5M;
 
       # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
       set $peertube_limit_rate    800k;

release/3.0.0+v4.3.0-bullseye

@@ -0,0 +1,4 @@
+Redis needs to be ugpraded to >= 6 and you can't downgrade afterwards, so
+beware!
+
+-- @decentral1se / Autonomic

release/4.0.0+v5.0.1-bullseye

@@ -0,0 +1,14 @@
+This will break your deployment!
+You need to add new lines to /config/production.yaml as shown here:
+https://github.com/Chocobozzz/PeerTube/blob/v5.0.0/config/production.yaml.example#L14
+https://github.com/Chocobozzz/PeerTube/blob/v5.0.0/config/production.yaml.example#L153
+
+you can do that from the host as the file is inside a volume. It should be in /var/lib/docker/volumes/<peertube stack name>_app-config/_data/production.yaml on your host machine. It's important to save the secret that you're putting in the file somewhere else, as the container has write access to the file, and it's possible it could overwrite it, causing the secret to disappear. We don't know what happens to your data if you lose that secret.
+
+You'll also have to run a migration as described in https://github.com/Chocobozzz/PeerTube/releases/tag/v5.0.0
+
+abra app run <app name> app bash -u peertube
+and when inside the container:
+node dist/scripts/migrations/peertube-5.0.js
+
+knoflook & decentralise @ Autonomic Co-op

release/5.0.0+v5.2.1-bullseye

@@ -0,0 +1,9 @@
+WARNING! ⚠️ 
+
+This release includes several major Postgres version updates, please make even more sure to take a database backup than usual
+
+Also, `PEERTUBE_SECRET `can now be stored in Docker, instead of just in a config file. To enable this behaviour:
+
+1. Extract the secret from the config file using `abra app run $STACK_NAME app grep peertube: /config/production.yaml | cut -d'"' -f2`
+2. Run `abra app secret insert $STACK_NAME peertube_secret v1`
+3. Run `abra app config $STACK_NAME`, and set `COMPOSE_FILE=compose.yml:compose.peertube-secret.yml`