nixos/peertube: init service #119110

Merged on Oct 25, 2021 (5 commits)

@Izorkin Izorkin commented Apr 11, 2021

Motivation for this change

Add only peertube service without package.
Updating service configuration from this PR - #106492

cc @stevenroose @mohe2015 @matthiasbeyer @aanderse @Mic92

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Apr 11, 2021
nixos/modules/services/web-apps/peertube.nix
port = lib.mkOption {
type = lib.types.port;
default = 6379;
description = "Redis port.";
Member

Why not socket?

Contributor Author

The socket is specified by the parameter redis.enableUnixSocket. Used by default.

@Izorkin Izorkin force-pushed the add-peertube-service branch from 5ce998e to 248f8d4 Compare April 11, 2021 16:06
Contributor

@mohe2015 mohe2015 left a comment

Great work but I'm a perfectionist :D

nixos/modules/services/web-apps/peertube.nix
Comment on lines 6 to 7
redisActuallyCreateLocally = cfg.redis.createLocally && cfg.redis.host == "127.0.0.1";
databaseActuallyCreateLocally = cfg.database.createLocally && cfg.database.host == "/run/postgresql";
Contributor

Is there a reason to verify this? Is there a case where enabling createLocally is useful without actually using the database? Also this wouldn't work if you would like to use unix socket for redis locally but still want to get the database created.

Contributor Author

I tested with different combinations of parameters - it works correctly in all cases.

nixos/modules/services/web-apps/peertube.nix
settingsFormat = pkgs.formats.yaml {};
configFile = pkgs.writeText "production.yaml" ''
listen:
port: ${toString cfg.listenHttp}
Contributor

I don't know if you have finished this PR yet but do you want to add a settings option (with settingsFormat)? Then these options may be set in there. But I think this is not easy if you also want to access options from there so maybe do this after everything else.

Contributor Author

I've tried creating a complete config using settingsFormat = pkgs.formats.yaml {}; As a result, peertube gave a configuration error.

Member

Do you need any help with this? Using settings instead of extraConfig would be nice.

Contributor Author

With settingsFormat = pkgs.formats.yaml {}; files are generated in this format:

{
  "database": {
    "hostname": "localhost",
    "port": "5432",
    "name": "peertube_test",
    "username": "peertube_test"
  },
  "listen": {
    "hostname": "127.0.0.1",
    "port": "9000"
  },

This format is needed:

database:
  hostname: 'localhost'
  port: 5432
  name: 'peertube_test'
  username: 'peertube_test'
listen:
  hostname: 'localhost'
  port: 9000

Contributor

@mohe2015 mohe2015 Apr 11, 2021

YAML is a superset of JSON so this should be fine although it looks pretty odd. If it doesn't work then there is probably a bug in peertube

@Izorkin Izorkin force-pushed the add-peertube-service branch from 58c5f19 to bf7fcd7 Compare April 11, 2021 18:46
@Izorkin Izorkin force-pushed the add-peertube-service branch from bf7fcd7 to 0ea09c8 Compare April 11, 2021 19:51
@mohe2015
Contributor

mohe2015 commented Apr 11, 2021

I need to go to bed now but master...mohe2015:my-add-peertube-service contains some changes that you may want to incorporate.

@Izorkin Izorkin force-pushed the add-peertube-service branch from 0ea09c8 to 9475184 Compare April 12, 2021 10:28
@mohe2015
Contributor

mohe2015 commented Apr 12, 2021

@Izorkin I added some more commits to master...mohe2015:my-add-peertube-service maybe you find some of them useful.

@Izorkin
Contributor Author

Izorkin commented Apr 12, 2021

@mohe2015 With install -d -m 0700 /var/lib/peertube/config Such an error is possible;

апр 12 16:32:05 tech 3psh6fqih1n7k4q0fas997k995z3hm67-peertube-pre-start.sh[19089]: /nix/store/3psh6fqih1n7k4q0fas997k995z3hm67-peertube-pre-start.sh: строка 4: /var/lib/peertube/config/local.yaml: Permission denied
апр 12 16:32:05 tech 3psh6fqih1n7k4q0fas997k995z3hm67-peertube-pre-start.sh[19090]: ln: failed to access '/var/lib/peertube/config/default.yaml': Permission denied
апр 12 16:32:05 tech 3psh6fqih1n7k4q0fas997k995z3hm67-peertube-pre-start.sh[19091]: ln: failed to access '/var/lib/peertube/config/production.yaml': Permission denied

For example, if someone changed the permissions on a directory or file.

Are these options to be disabled by default?:

    redis.createLocally = false;
    database.createLocally = false;
    smtp.createLocally = false;

@Izorkin
Contributor Author

Izorkin commented Apr 12, 2021

@mohe2015 with this variant configuration:

...
redis:
  hostname: '127.0.0.1'
  port: 6379
  socket: '/run/redis/redis.sock'
...

Connections to redis with the socket are not working. A clean hostname is needed.

@mohe2015
Contributor

@mohe2015 With install -d -m 0700 /var/lib/peertube/config Such an error is possible;

апр 12 16:32:05 tech 3psh6fqih1n7k4q0fas997k995z3hm67-peertube-pre-start.sh[19089]: /nix/store/3psh6fqih1n7k4q0fas997k995z3hm67-peertube-pre-start.sh: строка 4: /var/lib/peertube/config/local.yaml: Permission denied
апр 12 16:32:05 tech 3psh6fqih1n7k4q0fas997k995z3hm67-peertube-pre-start.sh[19090]: ln: failed to access '/var/lib/peertube/config/default.yaml': Permission denied
апр 12 16:32:05 tech 3psh6fqih1n7k4q0fas997k995z3hm67-peertube-pre-start.sh[19091]: ln: failed to access '/var/lib/peertube/config/production.yaml': Permission denied

For example, if someone changed the permissions on a directory or file.

What about running ExecStartPre as root (with the +) and using

install --directory --mode=0700 --owner=${cfg.user} --group=${cfg.group} /var/lib/peertube/config

Are these options to be disabled by default?:

    redis.createLocally = false;
    database.createLocally = false;
    smtp.createLocally = false;

I think this may be useful so it doesn't create databases / starts services unexpectedly but I don't know.

@mohe2015
Contributor

@mohe2015 with this variant configuration:

...
redis:
  hostname: '127.0.0.1'
  port: 6379
  socket: '/run/redis/redis.sock'
...

Connections to redis with the socket are not working. A clean hostname is needed.

What about 6f4bc2d combined with the other parts?

@Izorkin
Contributor Author

Izorkin commented Apr 12, 2021

What about running ExecStartPre as root (with the +) and using

Better not to give root rights.
systemd.tmpfiles.rules automatically monitors directory permissions, and automatically fixes them.

What about 6f4bc2d combined with the other parts?

And needed return:

          redis:
            auth: '$(cat ${cfg.redis.passwordFile})'
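
The two points in this exchange (an unprivileged pre-start step that depends on a 0700 config directory, and a Redis password read from `passwordFile` at start time instead of being baked into the generated config) can be combined as in the following added example. It is not the module's pre-start script: the function name `render_local_yaml`, its return codes, and the choice to refuse to write when the directory mode is not 700 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the PeerTube module's pre-start script.
# render_local_yaml CONFIG_DIR PASSWORD_FILE
#   0 = local.yaml written, 1 = directory missing or not mode 700,
#   2 = password file unreadable.
render_local_yaml() {
  config_dir=$1
  password_file=$2

  [ -d "$config_dir" ] || { echo "missing directory: $config_dir" >&2; return 1; }

  # GNU stat; 700 matches `install -d -m 0700` from the thread.
  mode=$(stat -c '%a' "$config_dir") || return 1
  if [ "$mode" != "700" ]; then
    echo "$config_dir has mode $mode, expected 700; not writing secrets" >&2
    return 1
  fi

  [ -r "$password_file" ] || { echo "cannot read $password_file" >&2; return 2; }

  # Assumption: the password is the first line of the file.
  # A single quote inside a YAML single-quoted scalar is written as ''.
  secret=$(head -n 1 "$password_file" | sed "s/'/''/g")

  # Subshell keeps the umask change local; write to a temp file and
  # rename so a reader never sees a partially written local.yaml.
  (
    umask 077
    tmp="$config_dir/local.yaml.tmp.$$"
    {
      printf 'redis:\n'
      printf "  auth: '%s'\n" "$secret"
    } > "$tmp" && mv -f "$tmp" "$config_dir/local.yaml"
  )
}
```

Because the file is created under `umask 077`, it ends up with mode 600 and the secret never appears in a world-readable store path.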

@mohe2015
Contributor

mohe2015 commented Apr 12, 2021

What about running ExecStartPre as root (with the +) and using

Better not to give root rights.
systemd.tmpfiles.rules automatically monitors directory permissions, and automatically fixes them.

Ok fine, keep using tmpfiles.

What about 6f4bc2d combined with the other parts?

And needed return:

          redis:
            auth: '$(cat ${cfg.redis.passwordFile})'

I can clean this up but I think I have the part you mean in 66af696#diff-4777ecc9c39f65314c4616d1287b6082fac99fefff66fe2251688dbf467ffca3L289
(see next comment)

@mohe2015
Contributor

mohe2015 commented Apr 12, 2021

@Izorkin
Contributor Author

Izorkin commented Apr 12, 2021

@mohe2015 update PR without adding assertions.
No need to rename enableUnixSocket to unixSocket. The value /run/redis/redis.sock is always fixed.

@Izorkin Izorkin force-pushed the add-peertube-service branch from 9f75a1e to 73d8f30 Compare April 12, 2021 16:11
@Izorkin
Contributor Author

Izorkin commented Apr 12, 2021

@mohe2015 it seems that this function is not working.

{ assertion = cfg.redis.enableUnixSocket || (cfg.redis.host == null && cfg.redis.port == null);

@Izorkin Izorkin force-pushed the add-peertube-service branch from 73d8f30 to 9fb6dc2 Compare April 12, 2021 16:16
@mohe2015
Contributor

I added another assertion I didn't test yet: Izorkin@d4dcbb7

@mohe2015
Contributor

Then I think it could be simplified to Izorkin@15fcc67 but I'm not sure.

@mohe2015
Contributor

If somebody sets createLocally and a foreign host I don't think that should be checked.

@Izorkin Izorkin force-pushed the add-peertube-service branch from 9fb6dc2 to a9b2817 Compare April 12, 2021 16:41
@Izorkin
Contributor Author

Izorkin commented Apr 12, 2021

Then I think it could be simplified to Izorkin@15fcc67 but I'm not sure.

I think it's better to leave the current variant

@happysalada
Contributor

Ok, I wanted to test running the service once, but there is something on staging-next that needs attention.
This PR looks fine, and since there are many maintainers, I'm sure we will be able to add some manual instructions at some later point.
I think this PR has waited long enough.

@happysalada happysalada merged commit a7c6546 into NixOS:master Oct 25, 2021
@Izorkin Izorkin deleted the add-peertube-service branch October 25, 2021 04:20
@Izorkin
Contributor Author

Izorkin commented Oct 25, 2021

Thanks!

@vcunat
Member

vcunat commented Oct 25, 2021

The package won't build, apparently. (on Hydra and locally)

I just built successfully peertube on darwin 2 hours ago, did anything change ?

Note that as-merged the package specifies only x86_64-linux in meta.platforms, so Hydra and nix generally won't attempt to build on others.

@mohe2015
Contributor

The package won't build, apparently. (on Hydra and locally)

I just built successfully peertube on darwin 2 hours ago, did anything change ?

Note that as-merged the package specifies only x86_64-linux in meta.platforms, so Hydra and nix generally won't attempt to build on others.

That's super weird because I built from the latest pushed version I'm pretty sure. Unfortunately I cannot look into it right now - hopefully later today. I hope it doesn't block the channel (just build failure not evaluation failure) so we don't need to revert if it will likely be fixed today.

@vcunat
Member

vcunat commented Oct 25, 2021

This certainly won't block channels, we have many packages failing all the time. Actually I have 2/2 successful builds on master locally (EDIT: + 1/1 on Hydra), so perhaps something in staging-next branch is breaking it 🤷🏽 (2/2 failures locally) EDIT: either way, this discussion thread should be aware of the issues.

@happysalada
Contributor

Yeah, master builds peertube without a problem
https://peertube.union.rocks/ (just deployed to make sure, the configuration is showing some errors, I'm still trying to understand what the minimum configuration required is).

@happysalada
Contributor

If one of the maintainers has the bandwidth, it would be good to test building peertube with the next staging-next
#141684
just to verify that something there is not breaking it.
(if you need information on how to do this, let me know).

@mohe2015
Contributor

The minimum should be

{
  services.peertube = {
    enable = true;
    localDomain = "peertube.localhost";
    serviceEnvironmentFile = "/etc/nixos/secrets/peertube-root"; # don't do this
    database = {
      createLocally = true;
    };
    redis = {
      createLocally = true;
    };
  };
  networking.extraHosts =
    ''
      127.0.0.1 peertube.localhost
    '';
}

(at least it works for me)


systemd.services.peertube = {
description = "PeerTube daemon";
after = [ "network.target" ]
Contributor

@mohe2015 mohe2015 Oct 25, 2021

According to https://www.freedesktop.org/software/systemd/man/systemd.unit.html and my testing we need to add wants here in a followup PR.

Edit: I mean the lines below not the network.target

@mohe2015
Contributor

mohe2015 commented Oct 25, 2021

If one of the maintainers has the bandwidth, it would be good to test building peertube with the next staging-next #141684 just to verify that something there is not breaking it. (if you need information on how to do this, let me know).

Can reproduce... Will try to investigate.

wait I got the following - wasn't there something about this with Rust? (I think I saw what I mean on the rust repo and not here)

Error: write EPIPE
peertube>     at afterWriteDispatched (node:internal/stream_base_commons:164:15)
peertube>     at writeGeneric (node:internal/stream_base_commons:155:3)
peertube>     at Socket._writeGeneric (node:net:795:11)
peertube>     at Socket._write (node:net:807:8)
peertube>     at writeOrBuffer (node:internal/streams/writable:389:12)
peertube>     at _write (node:internal/streams/writable:330:10)
peertube>     at Socket.Writable.write (node:internal/streams/writable:334:10)
peertube>     at Object.writeToStdin (/build/source/client/node_modules/esbuild/lib/main.js:1723:19)
peertube>     at sendRequest (/build/source/client/node_modules/esbuild/lib/main.js:617:14)
peertube>     at start (/build/source/client/node_modules/esbuild/lib/main.js:1252:9)
peertube>     at Object.transform2 [as transform] (/build/source/client/node_modules/esbuild/lib/main.js:1302:5)
peertube>     at /build/source/client/node_modules/esbuild/lib/main.js:1779:55
peertube>     at new Promise (<anonymous>)
peertube>     at Object.transform (/build/source/client/node_modules/esbuild/lib/main.js:1779:14)
peertube>     at Object.transform (/build/source/client/node_modules/esbuild/lib/main.js:1631:62)
peertube>     at minify (/build/source/client/node_modules/@angular-devkit/build-angular/src/webpack/configs/styles.js:276:58)
peertube> Emitted 'error' event on Socket instance at:
peertube>     at emitErrorNT (node:internal/streams/destroy:157:8)
peertube>     at emitErrorCloseNT (node:internal/streams/destroy:122:3)
peertube>     at processTicksAndRejections (node:internal/process/task_queues:83:21)
peertube>     at runNextTicks (node:internal/process/task_queues:65:3)
peertube>     at processImmediate (node:internal/timers:437:9) {
peertube>   errno: -32,
peertube>   code: 'EPIPE',
peertube>   syscall: 'write'

@mohe2015
Contributor

Okay now I get the error that's on hydra.

@vcunat
Member

vcunat commented Oct 25, 2021

I was getting (those?) EPIPE errors locally.

@happysalada
Contributor

The error on staging has to do with the coreutils upgrade.
If you want to test without the coreutils upgrade, the switch is d008d01#diff-ab5748dc9567516fefba8344056b51ec1866adeace380f46e58a7af3d619ea22R4218
You have to change the conditional to use version 8.
Since this is a change to coreutils it might take a while to rebuild everything.

@mohe2015
Contributor

mohe2015 commented Oct 25, 2021

Also if I'm on linux? Edit: seems like yes

Only 389 more to go...

@vcunat
Member

vcunat commented Oct 25, 2021

I only have a few dozen to go, on a 32-threaded box.

@vcunat
Member

vcunat commented Oct 25, 2021

It truly seems that the issue disappears with reverting the coreutils update #139541. (EDIT: 2/2 attempts succeeded)

@vcunat vcunat mentioned this pull request Oct 25, 2021
@mohe2015
Contributor

Still building ([4/366/389]) - do you have an idea what tool / what is the problem?

@vcunat
Member

vcunat commented Oct 25, 2021

I don't have a clue.

@mohe2015
Contributor

mohe2015 commented Oct 25, 2021

Can somebody confirm /nix/store/1danz1kww3bg64439bx7p7sx63am8na0-peertube-3.4.1 is the derivation? Because that one built for me.

from 3db3126

@vcunat
Member

vcunat commented Oct 25, 2021

Yes, I built that one a few times. The content hash is always different, though.

derivation '/nix/store/c3hv4pg7nhxjav5qd64kp1g0kfn5q41w-peertube-3.4.1.drv' may not be deterministic: output '/nix/store/1danz1kww3bg64439bx7p7sx63am8na0-peertube-3.4.1' differs

@mohe2015
Contributor

Okay, so reverting works. Interesting.

@mohe2015
Contributor

mohe2015 commented Oct 25, 2021

Just for the lulz I will try to bisect (will update this - tell me if I could improve something):

On top of https://github.com/mohe2015/nixpkgs/tree/staging-coreutils-regression:

nix build -L --out-link ../persistent-peertube .#peertube
sudo nix-store --gc --print-roots | grep persistent-peertube
sudo nix-collect-garbage -d # probably breaks everything (seems like it doesn't keep build dependencies?)
git clone git://git.sv.gnu.org/coreutils
cd coreutils
git bisect start
git bisect good v8.32
git bisect bad v9.0
# edit that rev in pkgs/tools/misc/coreutils/default.nix and also remove sha256
nix build --impure -L .#testPeertube

Edit: I'm stupid I need to wrap dependencies not peertube itself.

@mohe2015
Contributor

mohe2015 commented Oct 25, 2021

Well it didn't work...

Edit: Maybe because replaceDependency is not recursive? Or I missed a dependency? I should not have trusted that v9.0 does actually come out bad with that approach because then I would've spotted this way earlier.

@vcunat
Member

vcunat commented Oct 27, 2021

Anyway, it seems very likely that the issue is in coreutils and not in anything around peertube.

@makefu
Contributor

makefu commented Nov 4, 2021

@happysalada hey, I just wanted to say thank you (and all participating maintainers) for your effort in packaging peertube and even putting it into a service!
Cheers

@happysalada
Contributor

And in turn I give all my ❤️ to @Izorkin @mohe2015 @stevenroose @matthiasbeyer @immae for doing all the heavy lifting! This was a lot of work! Thank you again!
