dev/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

nixos/peertube: update nginx configuration

Browse Source
This commit is contained in:
Izorkin 2023-12-12 17:47:47 +03:00
parent b0b1f73473
commit 937220442c
No known key found for this signature in database
GPG Key ID: 1436C1B3F3679F09
1 changed files with 137 additions and 140 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

277
nixos/modules/services/web-apps/peertube.nix
View File

@ -61,14 +61,16 @@ let
eval -- "\$@"
'';
nginxCommonHeaders = lib.optionalString cfg.enableWebHttps ''
add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains';
'' + lib.optionalString config.services.nginx.virtualHosts.${cfg.localDomain}.http3 ''
add_header Alt-Svc 'h3=":443"; ma=86400';
'' + ''
add_header Access-Control-Allow-Origin '*';
add_header Access-Control-Allow-Methods 'GET, OPTIONS';
add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
nginxCommonHeaders = lib.optionalString config.services.nginx.virtualHosts.${cfg.localDomain}.forceSSL ''
add_header Strict-Transport-Security 'max-age=31536000';
'' + lib.optionalString (config.services.nginx.virtualHosts.${cfg.localDomain}.quic && config.services.nginx.virtualHosts.${cfg.localDomain}.http3) ''
add_header Alt-Svc 'h3=":$server_port"; ma=604800';
'';
nginxCommonHeadersExtra = ''
add_header Access-Control-Allow-Origin '*';
add_header Access-Control-Allow-Methods 'GET, OPTIONS';
add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
'';
in {
@ -487,6 +489,9 @@ in {
services.nginx = lib.mkIf cfg.configureNginx {
enable = true;
upstreams."peertube".servers = {
"127.0.0.1:${toString cfg.listenHttp}".fail_timeout = "0";
};
virtualHosts."${cfg.localDomain}" = {
root = "/var/lib/peertube/www";
@ -496,14 +501,14 @@ in {
priority = 1110;
};
locations."= /api/v1/videos/upload-resumable" = {
locations."~ ^/api/v1/videos/(upload-resumable|([^/]+/source/replace-resumable))$" = {
tryFiles = "/dev/null @api";
priority = 1120;
extraConfig = ''
client_max_body_size 0;
proxy_request_buffering off;
'';
client_max_body_size 0;
proxy_request_buffering off;
'' + nginxCommonHeaders;
};
locations."~ ^/api/v1/videos/(upload|([^/]+/studio/edit))$" = {
@ -512,13 +517,11 @@ in {
priority = 1130;
extraConfig = ''
client_max_body_size 12G;
add_header X-File-Maximum-Size 8G always;
'' + lib.optionalString cfg.enableWebHttps ''
add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains';
'' + lib.optionalString config.services.nginx.virtualHosts.${cfg.localDomain}.http3 ''
add_header Alt-Svc 'h3=":443"; ma=86400';
'';
limit_except POST HEAD { deny all; }
client_max_body_size 12G;
add_header X-File-Maximum-Size 8G always;
'' + nginxCommonHeaders;
};
locations."~ ^/api/v1/runners/jobs/[^/]+/(update|success)$" = {
@ -527,13 +530,9 @@ in {
priority = 1135;
extraConfig = ''
client_max_body_size 12G;
add_header X-File-Maximum-Size 8G always;
'' + lib.optionalString cfg.enableWebHttps ''
add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains';
'' + lib.optionalString config.services.nginx.virtualHosts.${cfg.localDomain}.http3 ''
add_header Alt-Svc 'h3=":443"; ma=86400';
'';
client_max_body_size 12G;
add_header X-File-Maximum-Size 8G always;
'' + nginxCommonHeaders;
};
locations."~ ^/api/v1/(videos|video-playlists|video-channels|users/me)" = {
@ -541,32 +540,28 @@ in {
priority = 1140;
extraConfig = ''
client_max_body_size 6M;
add_header X-File-Maximum-Size 4M always;
'' + lib.optionalString cfg.enableWebHttps ''
add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains';
'' + lib.optionalString config.services.nginx.virtualHosts.${cfg.localDomain}.http3 ''
add_header Alt-Svc 'h3=":443"; ma=86400';
'';
client_max_body_size 6M;
add_header X-File-Maximum-Size 4M always;
'' + nginxCommonHeaders;
};
locations."@api" = {
proxyPass = "http://127.0.0.1:${toString cfg.listenHttp}";
proxyPass = "http://peertube";
priority = 1150;
extraConfig = ''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 10m;
proxy_connect_timeout 10m;
proxy_send_timeout 10m;
proxy_read_timeout 10m;
proxy_send_timeout 10m;
proxy_read_timeout 10m;
client_max_body_size 100k;
send_timeout 10m;
'';
client_max_body_size 100k;
send_timeout 10m;
''+ nginxCommonHeaders;
};
# Websocket
@ -580,7 +575,7 @@ in {
priority = 1220;
extraConfig = ''
proxy_read_timeout 15m;
proxy_read_timeout 15m;
'';
};
@ -590,84 +585,82 @@ in {
};
locations."@api_websocket" = {
proxyPass = "http://127.0.0.1:${toString cfg.listenHttp}";
proxyPass = "http://peertube";
priority = 1240;
extraConfig = ''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
'';
'' + nginxCommonHeaders;
};
# Bypass PeerTube for performance reasons.
locations."~ ^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png|default-playlist\.jpg|default-avatar-account\.png|default-avatar-account-48x48\.png|default-avatar-video-channel\.png|default-avatar-video-channel-48x48\.png))$" = {
tryFiles = "/client-overrides/$1 /client/$1 $1";
priority = 1310;
extraConfig = nginxCommonHeaders;
};
locations."~ ^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$" = {
alias = "${cfg.package}/client/dist/$1";
priority = 1320;
extraConfig = ''
add_header Cache-Control 'public, max-age=604800, immutable';
'' + lib.optionalString cfg.enableWebHttps ''
add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains';
'' + lib.optionalString config.services.nginx.virtualHosts.${cfg.localDomain}.http3 ''
add_header Alt-Svc 'h3=":443"; ma=86400';
'';
add_header Cache-Control 'public, max-age=604800, immutable';
'' + nginxCommonHeaders;
};
locations."^~ /download/" = {
proxyPass = "http://127.0.0.1:${toString cfg.listenHttp}";
proxyPass = "http://peertube";
priority = 1410;
extraConfig = ''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_limit_rate 5M;
'';
proxy_limit_rate 5M;
'' + nginxCommonHeaders;
};
locations."^~ /static/streaming-playlists/private/" = {
proxyPass = "http://127.0.0.1:${toString cfg.listenHttp}";
locations."^~ /static/streaming-playlists/hls/private/" = {
proxyPass = "http://peertube";
priority = 1420;
extraConfig = ''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_limit_rate 5M;
'';
proxy_limit_rate 5M;
'' + nginxCommonHeaders;
};
locations."^~ /static/web-videos/private/" = {
proxyPass = "http://127.0.0.1:${toString cfg.listenHttp}";
proxyPass = "http://peertube";
priority = 1430;
extraConfig = ''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_limit_rate 5M;
'';
proxy_limit_rate 5M;
'' + nginxCommonHeaders;
};
locations."^~ /static/webseed/private/" = {
proxyPass = "http://127.0.0.1:${toString cfg.listenHttp}";
proxyPass = "http://peertube";
priority = 1440;
extraConfig = ''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_limit_rate 5M;
'';
proxy_limit_rate 5M;
'' + nginxCommonHeaders;
};
locations."^~ /static/redundancy/" = {
@ -675,33 +668,35 @@ in {
root = cfg.settings.storage.redundancy;
priority = 1450;
extraConfig = ''
set $peertube_limit_rate 800k;
set $peertube_limit_rate 800k;
if ($request_uri ~ -fragmented.mp4$) {
set $peertube_limit_rate 5M;
set $peertube_limit_rate 5M;
}
if ($request_method = 'OPTIONS') {
${nginxCommonHeaders}
add_header Access-Control-Max-Age 1728000;
add_header Content-Type 'text/plain charset=UTF-8';
add_header Content-Length 0;
return 204;
${nginxCommonHeadersExtra}
add_header Access-Control-Max-Age 1728000;
add_header Content-Type 'text/plain charset=UTF-8';
add_header Content-Length 0;
return 204;
}
if ($request_method = 'GET') {
${nginxCommonHeaders}
${nginxCommonHeadersExtra}
access_log off;
access_log off;
}
aio threads;
sendfile on;
sendfile_max_chunk 1M;
aio threads;
sendfile on;
sendfile_max_chunk 1M;
limit_rate $peertube_limit_rate;
limit_rate_after 5M;
limit_rate $peertube_limit_rate;
limit_rate_after 5M;
rewrite ^/static/redundancy/(.*)$ /$1 break;
rewrite ^/static/redundancy/(.*)$ /$1 break;
'';
};
@ -710,68 +705,72 @@ in {
root = cfg.settings.storage.streaming_playlists;
priority = 1460;
extraConfig = ''
set $peertube_limit_rate 800k;
set $peertube_limit_rate 800k;
if ($request_uri ~ -fragmented.mp4$) {
set $peertube_limit_rate 5M;
set $peertube_limit_rate 5M;
}
if ($request_method = 'OPTIONS') {
${nginxCommonHeaders}
add_header Access-Control-Max-Age 1728000;
add_header Content-Type 'text/plain charset=UTF-8';
add_header Content-Length 0;
return 204;
${nginxCommonHeadersExtra}
add_header Access-Control-Max-Age 1728000;
add_header Content-Type 'text/plain charset=UTF-8';
add_header Content-Length 0;
return 204;
}
if ($request_method = 'GET') {
${nginxCommonHeaders}
${nginxCommonHeadersExtra}
access_log off;
access_log off;
}
aio threads;
sendfile on;
sendfile_max_chunk 1M;
aio threads;
sendfile on;
sendfile_max_chunk 1M;
limit_rate $peertube_limit_rate;
limit_rate_after 5M;
limit_rate $peertube_limit_rate;
limit_rate_after 5M;
rewrite ^/static/streaming-playlists/(.*)$ /$1 break;
rewrite ^/static/streaming-playlists/(.*)$ /$1 break;
'';
};
locations."^~ /static/web-videos/" = {
tryFiles = "$uri @api";
root = cfg.settings.storage.streaming_playlists;
root = cfg.settings.storage.web_videos;
priority = 1470;
extraConfig = ''
set $peertube_limit_rate 800k;
set $peertube_limit_rate 800k;
if ($request_uri ~ -fragmented.mp4$) {
set $peertube_limit_rate 5M;
set $peertube_limit_rate 5M;
}
if ($request_method = 'OPTIONS') {
${nginxCommonHeaders}
add_header Access-Control-Max-Age 1728000;
add_header Content-Type 'text/plain charset=UTF-8';
add_header Content-Length 0;
return 204;
${nginxCommonHeadersExtra}
add_header Access-Control-Max-Age 1728000;
add_header Content-Type 'text/plain charset=UTF-8';
add_header Content-Length 0;
return 204;
}
if ($request_method = 'GET') {
${nginxCommonHeaders}
${nginxCommonHeadersExtra}
access_log off;
access_log off;
}
aio threads;
sendfile on;
sendfile_max_chunk 1M;
aio threads;
sendfile on;
sendfile_max_chunk 1M;
limit_rate $peertube_limit_rate;
limit_rate_after 5M;
limit_rate $peertube_limit_rate;
limit_rate_after 5M;
rewrite ^/static/streaming-playlists/(.*)$ /$1 break;
rewrite ^/static/web-videos/(.*)$ /$1 break;
'';
};
@ -780,39 +779,37 @@ in {
root = cfg.settings.storage.web_videos;
priority = 1480;
extraConfig = ''
set $peertube_limit_rate 800k;
set $peertube_limit_rate 800k;
if ($request_uri ~ -fragmented.mp4$) {
set $peertube_limit_rate 5M;
set $peertube_limit_rate 5M;
}
if ($request_method = 'OPTIONS') {
${nginxCommonHeaders}
add_header Access-Control-Max-Age 1728000;
add_header Content-Type 'text/plain charset=UTF-8';
add_header Content-Length 0;
return 204;
${nginxCommonHeadersExtra}
add_header Access-Control-Max-Age 1728000;
add_header Content-Type 'text/plain charset=UTF-8';
add_header Content-Length 0;
return 204;
}
if ($request_method = 'GET') {
${nginxCommonHeaders}
${nginxCommonHeadersExtra}
access_log off;
access_log off;
}
aio threads;
sendfile on;
sendfile_max_chunk 1M;
aio threads;
sendfile on;
sendfile_max_chunk 1M;
limit_rate $peertube_limit_rate;
limit_rate_after 5M;
limit_rate $peertube_limit_rate;
limit_rate_after 5M;
rewrite ^/static/webseed/(.*)$ /web-videos/$1 break;
rewrite ^/static/webseed/(.*)$ /web-videos/$1 break;
'';
};
extraConfig = lib.optionalString cfg.enableWebHttps ''
add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains';
'';
};
};