我在 NixOS 中运行 nitter 包时遇到问题:它报告触发了速率限制(rate limit)。因此,我基于该软件包的源码,改为从 git 获取最新版本来构建,但仍然遇到了同样的错误:
Starting Nitter
Starting Nitter at http://mymachine
Connected to Redis at localhost:7777
fetching token failed: No SSL/TLS CA certificates found.
RateLimitError: rate limited
经过一番排查,问题似乎是 Nim 找不到证书。我添加了cacerts-nixos包,甚至添加了openssl包,但nitter仍然无法加载默认的 CA 证书。我的services/nitter.nix
设置如下:
{ pkgs, lib, nimPackages, fetchFromGitHub, ... }:
with pkgs;
let
# Builds Nitter from the upstream GitHub repository at one fixed commit.
nitter-git = nimPackages.buildNimPackage {
  pname = "nitter";
  version = "unstable-2022-10-17";
  # `rev` pins the commit and `hash` pins the fetched content, so a source tree
  # that differs from the one reviewed fails the build instead of being used.
  src = fetchFromGitHub {
    owner = "zedeus";
    repo = "nitter";
    rev = "2ac3afa5b273a502d7632e9346c7c3bc9283fb48";
    hash = "sha256-fdzVfzmEFIej6Kb/K9MQyvbN8aN3hO7RetHL53cD59k=";
  };
  # Nim libraries, resolved from nimPackages (the inner `with` takes precedence
  # over the outer `with pkgs;`, e.g. for `redis`).
  buildInputs = with nimPackages; [
    flatty
    jester
    jsony
    karax
    markdown
    nimcrypto
    packedjson
    redis
    redpool
    sass
    supersnappy
    zippy
  ];
  # presumably installs only the compiled binary; confirm against buildNimPackage
  nimBinOnly = true;
  # Compiles in TLS support. Per the strace output on this page the binary still
  # searches for libssl and for a CA bundle at run time, so this flag alone does
  # not make any trust store available inside the image.
  nimFlags = ["-d:ssl"];
  # Compiles and runs (-r) two helper programs from the source tree; judging by
  # their names they generate the CSS and rendered markdown. TODO confirm.
  postBuild = ''
    nim c --hint[Processing]:off -r tools/gencss
    nim c --hint[Processing]:off -r tools/rendermd
  '';
  # Ships the static assets with the package; nitter.conf's staticDir
  # ("/share/nitter/public") refers to this directory inside the image.
  postInstall = ''
    mkdir -p $out/share/nitter
    cp -r public $out/share/nitter/public
  '';
  meta = with lib; {
    homepage = "https://github.com/zedeus/nitter";
    description = "Alternative Twitter front-end";
    license = licenses.agpl3Only;
    maintainers = with maintainers; [ erdnaxe ];
    mainProgram = "nitter";
  };
};
# s6 service definitions. The image entrypoint runs s6-svscan on /etc/s6, and
# each service directory below holds a `run` script and a `finish` script.

# Starts Redis on port 7777 with no config file and no password, which matches
# redisPort = 7777 and redisPassword = "" in nitter.conf.
# NOTE(review): the run command on this page publishes only 8182; keep 7777
# unpublished, since nothing here authenticates Redis clients.
redis-run = writeTextFile {
  name = "redis-run";
  executable = true;
  destination = "/etc/s6/redis/run";
  text = ''
    #!/bin/sh
    echo "Starting Redis on 7777"
    exec redis-server --port 7777
  '';
};
# Only logs a message when the Redis service stops.
redis-finish = writeTextFile {
  name = "redis-finish";
  executable = true;
  destination = "/etc/s6/redis/finish";
  text = ''
    #!/bin/sh
    echo "Stopping Redis"
  '';
};
# Starts Nitter in the foreground. The config path comes from the
# NITTER_CONF_FILE variable set in the image's Env.
nitter-run = writeTextFile {
  name = "nitter-run";
  executable = true;
  destination = "/etc/s6/nitter/run";
  text = ''
    #!/bin/sh
    echo "Starting Nitter"
    exec nitter
  '';
};
# Only logs a message when the Nitter service stops.
nitter-finish = writeTextFile {
  name = "nitter-finish";
  executable = true;
  destination = "/etc/s6/nitter/finish";
  text = ''
    #!/bin/sh
    echo "Stopping Nitter"
  '';
};
# Renders /etc/nitter.conf into the image.
# NOTE(review): the text below lands in the Nix store and in an image layer,
# both readable by anyone who can read the store or pull the image. hmacKey is
# a placeholder here; a real signing key written into this file would be
# exposed the same way, so supply it at run time (for example a config file
# mounted into the container) rather than baking it in.
# NOTE(review): address = "0.0.0.0" with https = false serves plain HTTP on
# every interface of the container; if the instance is reachable from outside
# the host, TLS has to be terminated in front of it.
nitter-conf = writeTextFile {
  name = "nitter-conf";
  # NOTE(review): a config file does not need the executable bit.
  executable = true;
  destination = "/etc/nitter.conf";
  text = ''
    [Server]
    address = "0.0.0.0"
    port = 8182
    https = false # disable to enable cookies when not using https
    httpMaxConnections = 100
    staticDir = "/share/nitter/public"
    title = "nitter"
    hostname = "myhost"
    [Cache]
    listMinutes = 240 # how long to cache list info (not the tweets, so keep it high)
    rssMinutes = 10 # how long to cache rss queries
    redisHost = "localhost" # Change to "nitter-redis" if using docker-compose
    redisPort = 7777
    redisPassword = ""
    redisConnections = 20 # connection pool size
    redisMaxConnections = 30
    # max, new connections are opened when none are available, but if the pool size
    # goes above this, they're closed when released. don't worry about this unless
    # you receive tons of requests per second
    [Config]
    hmacKey = "somereallylongrandomkeyhere" # random key for cryptographic signing of video urls
    base64Media = false # use base64 encoding for proxied media urls
    enableRSS = true # set this to false to disable RSS feeds
    enableDebug = false # enable request logs and debug endpoints
    proxy = "" # http/https url, SOCKS proxies are not supported
    proxyAuth = ""
    tokenCount = 10
    # minimum amount of usable tokens. tokens are used to authorize API requests,
    # but they expire after ~1 hour, and have a limit of 187 requests.
    # the limit gets reset every 15 minutes, and the pool is filled up so there's
    # always at least $tokenCount usable tokens. again, only increase this if
    # you receive major bursts all the time
    # Change default preferences here, see src/prefs_impl.nim for a complete list
    [Preferences]
    theme = "Nitter"
    replaceTwitter = ""
    replaceYouTube = "piped.kavin.rocks"
    replaceReddit = "teddit.net"
    replaceInstagram = ""
    proxyVideos = true
    hlsPlayback = false
    infiniteScroll = false
  '';
};
in
# Assembles the container image: Nitter, Redis, the s6 supervisor, the service
# scripts and the rendered config.
dockerTools.buildLayeredImage {
  name = "nitter";
  # cacert is what provides /etc/ssl/certs/ca-bundle.crt (see the `ls` output on
  # this page). Per the strace output, Nitter probes a different list of paths,
  # so having cacert in the image is not enough for it to find a trust store.
  # NOTE(review): git, busybox and openssl look like debugging aids; if they are
  # not needed at run time, dropping them leaves fewer tools in the image.
  contents = [ nitter-git s6 redis git busybox cacert openssl
               redis-run redis-finish nitter-run nitter-finish
               nitter-conf ];
  config = {
    # s6-svscan supervises every service directory under /etc/s6.
    Entrypoint = [ "/bin/s6-svscan" "/etc/s6" ];
    Env = [ "NITTER_CONF_FILE=/etc/nitter.conf" ];
    # NOTE(review): no `User` is set, so presumably both services run as uid 0
    # inside the container; confirm, and consider an unprivileged user.
    Volumes = {};
  };
}
我使用以下services.nix
:调用该模块
# Entry point for `nix-build`: writes images.ini, which maps the service name
# to the store path of its image tarball.
let
  pinned = import ./config.nix;
  inherit (pinned) pkgs;
  # services/nitter.nix is a function over an attribute set; the whole package
  # set is passed in, and the function picks the attributes it names.
  buildNitterImage = import ./services/nitter.nix;
in
{
  serviceimages = pkgs.writeText "images.ini" ''
    nitter=${buildNitterImage pkgs}
  '';
}
我使用nixos 20.05进行配置:
{
  # nixos-22.05 / https://status.nixos.org/
  # The URL pins nixpkgs to a single commit.
  # NOTE(review): no `sha256` is given, so the unpacked tarball is not checked
  # against a known hash. The attribute-set form,
  # fetchTarball { url = "..."; sha256 = "<hash-of-unpacked-tarball>"; },
  # pins the content as well as the revision.
  pkgs = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/8de8b98839d1f20089582cfe1a81207258fcc1f1.tar.gz") {};
}
我运行nix-build services.nix
,在result
中获取nitter的结果路径并运行docker load < [tar.gz file path]
,或者运行zcat [tar.gz file path] | podman load
并使用[docker|podman] run --rm --name nitter -p 8182:8182 -it localhost/nitter:<thelonghashthatgetsreturnedfromload>
运行它
如果我将--entrypoint
设置为/bin/sh
,我确实看到从nix存储安装了一个cert捆绑包。
# ls /etc/ssl/certs/ca-bundle.crt -l
lrwxrwxrwx 1 0 0 87 Jan 1 1980 /etc/ssl/certs/ca-bundle.crt -> /nix/store/rqiiybq5hryzyk3v84mi8cgwjcxm9bi4-nss-cacert-3.83/etc/ssl/certs/ca-bundle.crt
从nitter构建文件中可以看到,我尝试设置nimFlags = ["-d:ssl"];
并将openssl作为依赖项,但nitter似乎仍然无法加载CA证书。
感谢大家对这个问题的评论,我发现了一些东西。查看strace nitter
,我发现应用程序明确地在查找libssl
库:
newfstatat(AT_FDCWD, "libssl.so.1.1", 0x7ffd42493590, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "libssl.so.1.1", 0x7ffd42493590, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "libssl.so.1.0.2", 0x7ffd42493590, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "libssl.so.1.1", 0x7ffd42493590, 0) = -1 ENOENT (No such file or directory)
...
...
...
newfstatat(AT_FDCWD, "libssl.so.38", 0x7ffd424935f0, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "libssl.so.10", 0x7ffd424935f0, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "libssl.so", 0x7ffd424935f0, 0) = -1 ENOENT (No such file or directory)
在二进制文件本身上运行ldd
可以确认libssl
是动态加载的,这意味着它不会从nix存储区加载:
ldd /nix/store/yg7y3bmyr4xni78mqf71jq8apxsrj3mv-nitter-unstable-2022-06-04/bin/nitter
linux-vdso.so.1 (0x00007ffd575a1000)
libm.so.6 => /nix/store/c6f52mvbv0d8rd3rlslsvy7v4g3pmm7p-glibc-2.35-163/lib/libm.so.6 (0x00007f331a054000)
librt.so.1 => /nix/store/c6f52mvbv0d8rd3rlslsvy7v4g3pmm7p-glibc-2.35-163/lib/librt.so.1 (0x00007f331a04f000)
libdl.so.2 => /nix/store/c6f52mvbv0d8rd3rlslsvy7v4g3pmm7p-glibc-2.35-163/lib/libdl.so.2 (0x00007f331a04a000)
libc.so.6 => /nix/store/c6f52mvbv0d8rd3rlslsvy7v4g3pmm7p-glibc-2.35-163/lib/libc.so.6 (0x00007f3319e41000)
/nix/store/c6f52mvbv0d8rd3rlslsvy7v4g3pmm7p-glibc-2.35-163/lib/ld-linux-x86-64.so.2 => /nix/store/c6f52mvbv0d8rd3rlslsvy7v4g3pmm7p-glibc-2.35-163/lib64/ld-linux-x86-64.so.2 (0x00007f331a136000)
由于无法加载libssl
,应用程序在运行时只是依次检查一份已知路径列表来查找证书存储,而这些路径都不是 nix 放置证书包符号链接(指向 nix 存储)的位置。
newfstatat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", 0x7ffd42492e20, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/etc/ssl/ca-bundle.pem", 0x7ffd42492e20, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/etc/pki/tls/certs/ca-bundle.crt", 0x7ffd42492e20, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/share/ssl/certs/ca-bundle.crt", 0x7ffd42492e20, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/etc/pki/tls/certs", 0x7ffd42492e20, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/data/data/com.termux/files/usr/etc/tls/cert.pem", 0x7ffd42492e20, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/system/etc/security/cacerts", 0x7ffd42492e20, 0) = -1 ENOENT (No such file or directory)
write(1, "fetching token failed: No SSL/TL"..., 57fetching token failed: No SSL/TLS CA certificates found.
我更改了nitter-run
启动脚本,在其中创建了一个符号链接,指向 nix 的 cacert 包放置链接的位置(因此它是一个指向 nix-store 链接的链接):
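#!/bin/sh
# Nitter's CA lookup (see the strace output above) probes /etc/ssl/ca-bundle.pem
# but not /etc/ssl/certs/ca-bundle.crt, where the cacert package puts its link.
# Linking the two gives Nitter a trust store while TLS verification stays on.
# -f keeps this idempotent: s6 re-executes this script every time it restarts
# the service, and a plain `ln -s` fails once the link already exists.
# Writing under /etc/ssl requires the container user to be allowed to do so.
ln -sf /etc/ssl/certs/ca-bundle.crt /etc/ssl/ca-bundle.pem
echo "Starting Nitter"
exec nitter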
现在 Nitter 可以正常工作了!这显然只是一个权宜之计(hack),不过它并没有关闭 TLS 证书校验,只是让程序能够找到 CA 证书包。我会尝试为 nitter 的 nix 包找到正式的解决办法,并提交一个 pull request。