我在nixos中运行nitter软件包时遇到了麻烦,它抱怨速率限制,所以我用source package code来抓取git的最新版本,但还是遇到了同样的错误:
Starting Nitter
Starting Nitter at http://mymachine
Connected to Redis at localhost:7777
fetching token failed: No SSL/TLS CA certificates found.
RateLimitError: rate limited在做了一些调查之后,nim似乎找不到ca证书。我添加了cacerts nixos包,甚至openssl包,但nitter仍然无法加载默认的cacerts。我的services/nitter.nix的设置如下:
{ pkgs, lib, nimPackages, fetchFromGitHub, ... }:
with pkgs;
let
nitter-git = nimPackages.buildNimPackage {
pname = "nitter";
version = "unstable-2022-10-17";
src = fetchFromGitHub {
owner = "zedeus";
repo = "nitter";
rev = "2ac3afa5b273a502d7632e9346c7c3bc9283fb48";
hash = "sha256-fdzVfzmEFIej6Kb/K9MQyvbN8aN3hO7RetHL53cD59k=";
};
buildInputs = with nimPackages; [
flatty
jester
jsony
karax
markdown
nimcrypto
packedjson
redis
redpool
sass
supersnappy
zippy
];
nimBinOnly = true;
nimFlags = ["-d:ssl"];
postBuild = ''
nim c --hint[Processing]:off -r tools/gencss
nim c --hint[Processing]:off -r tools/rendermd
'';
postInstall = ''
mkdir -p $out/share/nitter
cp -r public $out/share/nitter/public
'';
meta = with lib; {
homepage = "https://github.com/zedeus/nitter";
description = "Alternative Twitter front-end";
license = licenses.agpl3Only;
maintainers = with maintainers; [ erdnaxe ];
mainProgram = "nitter";
};
};
redis-run = writeTextFile {
name = "redis-run";
executable = true;
destination = "/etc/s6/redis/run";
text = ''
#!/bin/sh
echo "Starting Redis on 7777"
exec redis-server --port 7777
'';
};
redis-finish = writeTextFile {
name = "redis-finish";
executable = true;
destination = "/etc/s6/redis/finish";
text = ''
#!/bin/sh
echo "Stopping Redis"
'';
};
nitter-run = writeTextFile {
name = "nitter-run";
executable = true;
destination = "/etc/s6/nitter/run";
text = ''
#!/bin/sh
echo "Starting Nitter"
exec nitter
'';
};
nitter-finish = writeTextFile {
name = "nitter-finish";
executable = true;
destination = "/etc/s6/nitter/finish";
text = ''
#!/bin/sh
echo "Stopping Nitter"
'';
};
nitter-conf = writeTextFile {
name = "nitter-conf";
executable = true;
destination = "/etc/nitter.conf";
text = ''
[Server]
address = "0.0.0.0"
port = 8182
https = false # disable to enable cookies when not using https
httpMaxConnections = 100
staticDir = "/share/nitter/public"
title = "nitter"
hostname = "myhost"
[Cache]
listMinutes = 240 # how long to cache list info (not the tweets, so keep it high)
rssMinutes = 10 # how long to cache rss queries
redisHost = "localhost" # Change to "nitter-redis" if using docker-compose
redisPort = 7777
redisPassword = ""
redisConnections = 20 # connection pool size
redisMaxConnections = 30
# max, new connections are opened when none are available, but if the pool size
# goes above this, they're closed when released. don't worry about this unless
# you receive tons of requests per second
[Config]
hmacKey = "somereallylongrandomkeyhere" # random key for cryptographic signing of video urls
base64Media = false # use base64 encoding for proxied media urls
enableRSS = true # set this to false to disable RSS feeds
enableDebug = false # enable request logs and debug endpoints
proxy = "" # http/https url, SOCKS proxies are not supported
proxyAuth = ""
tokenCount = 10
# minimum amount of usable tokens. tokens are used to authorize API requests,
# but they expire after ~1 hour, and have a limit of 187 requests.
# the limit gets reset every 15 minutes, and the pool is filled up so there's
# always at least $tokenCount usable tokens. again, only increase this if
# you receive major bursts all the time
# Change default preferences here, see src/prefs_impl.nim for a complete list
[Preferences]
theme = "Nitter"
replaceTwitter = ""
replaceYouTube = "piped.kavin.rocks"
replaceReddit = "teddit.net"
replaceInstagram = ""
proxyVideos = true
hlsPlayback = false
infiniteScroll = false
'';
};
in
dockerTools.buildLayeredImage {
name = "nitter";
contents = [ nitter-git s6 redis git busybox cacert openssl
redis-run redis-finish nitter-run nitter-finish
nitter-conf ];
config = {
Entrypoint = [ "/bin/s6-svscan" "/etc/s6" ];
Env = [ "NITTER_CONF_FILE=/etc/nitter.conf" ];
Volumes = {};
};
}并使用以下services.nix调用此模块:
let
config = import ./config.nix;
pkgs = config.pkgs;
nitter = import ./services/nitter.nix;
in rec {
serviceimages = pkgs.writeText "images.ini" ''
nitter=${nitter(pkgs)}
'';
}我使用nixos20.05进行配置:
{
# nixos-22.05 / https://status.nixos.org/
pkgs = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/8de8b98839d1f20089582cfe1a81207258fcc1f1.tar.gz") {};
}我运行nix-build services.nix,在result中获取nitter的结果路径,然后运行docker load < [tar.gz file path],或者运行zcat [tar.gz file path] | podman load,然后使用[docker|podman] run --rm --name nitter -p 8182:8182 -it localhost/nitter:<thelonghashthatgetsreturnedfromload>运行它
如果我将--entrypoint设置为/bin/sh,我会看到从nix商店安装了一个证书包。
# ls /etc/ssl/certs/ca-bundle.crt -l
lrwxrwxrwx 1 0 0 87 Jan 1 1980 /etc/ssl/certs/ca-bundle.crt -> /nix/store/rqiiybq5hryzyk3v84mi8cgwjcxm9bi4-nss-cacert-3.83/etc/ssl/certs/ca-bundle.crt正如您从nitter构建文件中看到的,我尝试设置nimFlags = ["-d:ssl"];并将openssl作为依赖项,但nitter似乎仍然无法加载CA证书。
1条答案
按热度按时间ruarlubt1#
感谢对这个问题的评论,我发现了一些东西。查看
strace nitter,我发现应用程序正在显式地查找libssl库:对二进制文件本身运行
ldd可以确认libssl是动态加载的,这意味着它不会从nix存储中加载:由于无法加载
libssl,应用程序运行时将遍历一系列已知路径来查找证书存储区,其中没有一个路径是nix将其bundle符号链接放置到nix存储区的位置。我修改了
nitter-run启动脚本,创建了一个符号链接,指向nix cacert包放置其链接的位置(因此是指向nix store的链接):..现在Nitter启动并工作了!这显然是一个黑客解决方案。我将尝试找到nitter nix包的解决方案,并提交一个拉请求。