2026-06-15 02:22:27 +02:00
|
|
|
from pathlib import Path
|
|
|
|
|
|
2026-06-13 23:56:34 +02:00
|
|
|
from pydantic import model_validator
|
2026-06-11 01:01:37 +02:00
|
|
|
from pydantic_settings import BaseSettings, SettingsConfigDict
|
|
|
|
|
|
2026-06-13 23:56:34 +02:00
|
|
|
# Shipped placeholder; production must override it. Used by the startup guard below.
|
|
|
|
|
_DEFAULT_SECRET_KEY = "change-me-session-key"
|
|
|
|
|
|
2026-06-11 01:01:37 +02:00
|
|
|
|
2026-06-15 02:22:27 +02:00
|
|
|
def _version_from_file() -> str:
|
|
|
|
|
"""The committed VERSION file (copied into the image at /app/VERSION) is the single
|
|
|
|
|
source of truth for the app version; falls back to 'dev' for un-built/local runs."""
|
|
|
|
|
for p in (Path(__file__).resolve().parents[1] / "VERSION", Path("VERSION")):
|
|
|
|
|
try:
|
|
|
|
|
v = p.read_text(encoding="utf-8").strip()
|
|
|
|
|
if v:
|
|
|
|
|
return v
|
|
|
|
|
except OSError:
|
|
|
|
|
continue
|
|
|
|
|
return "dev"
|
|
|
|
|
|
|
|
|
|
|
2026-06-11 01:01:37 +02:00
|
|
|
class Settings(BaseSettings):
|
|
|
|
|
model_config = SettingsConfigDict(env_file=".env", extra="ignore")
|
|
|
|
|
|
chore: rebrand Subfeed -> Siftlode
Rename all user-facing references (UI wordmark Sift+lode, titles, app name,
legal pages, onboarding wizard, emails, README/docs) and infra paths
(/srv/subfeed -> /srv/siftlode, image tag, deploy script, backup filenames).
Internal identifiers kept on purpose: Postgres user/db "subfeed", logger
namespace, localStorage keys, and the subfeed_pgdata volume (renaming would
orphan the migrated production data).
2026-06-14 04:40:22 +02:00
|
|
|
app_name: str = "Siftlode"
|
2026-06-15 02:22:27 +02:00
|
|
|
# Version from the committed VERSION file (an explicit APP_VERSION env still overrides);
|
|
|
|
|
# git_sha/build_date are injected at image build time. Surfaced by /api/version.
|
|
|
|
|
app_version: str = _version_from_file()
|
2026-06-15 00:06:57 +02:00
|
|
|
git_sha: str = "unknown"
|
|
|
|
|
build_date: str = ""
|
2026-06-11 01:01:37 +02:00
|
|
|
|
2026-06-21 06:53:12 +02:00
|
|
|
database_url: str = "postgresql+psycopg://siftlode:siftlode@db:5432/siftlode"
|
2026-06-11 01:01:37 +02:00
|
|
|
|
|
|
|
|
# Session cookie signing key.
|
2026-06-13 23:56:34 +02:00
|
|
|
secret_key: str = _DEFAULT_SECRET_KEY
|
2026-06-11 01:01:37 +02:00
|
|
|
# Fernet key (urlsafe base64, 32 bytes) for encrypting stored refresh tokens.
|
|
|
|
|
token_encryption_key: str = ""
|
|
|
|
|
|
|
|
|
|
google_client_id: str = ""
|
|
|
|
|
google_client_secret: str = ""
|
|
|
|
|
oauth_redirect_url: str = "http://localhost:8080/auth/callback"
|
|
|
|
|
|
|
|
|
|
# Comma-separated invite list / admin list of Google account emails.
|
|
|
|
|
allowed_emails: str = ""
|
|
|
|
|
admin_emails: str = ""
|
|
|
|
|
|
2026-06-19 14:03:11 +02:00
|
|
|
# Whether anyone may submit an email+password registration (still gated by email
|
|
|
|
|
# verification + admin approval before they can sign in). Admin-tunable via the DB.
|
|
|
|
|
allow_registration: bool = True
|
|
|
|
|
|
2026-06-11 01:01:37 +02:00
|
|
|
# Origin of a separately served frontend dev server (enables CORS). Empty in production.
|
|
|
|
|
frontend_origin: str = ""
|
|
|
|
|
|
2026-06-12 01:43:07 +02:00
|
|
|
# --- Outbound email (onboarding: access-request + approval notices) ---
|
|
|
|
|
# Gmail SMTP + App Password by default. All optional: if unset, email is skipped
|
|
|
|
|
# (fail-soft) and onboarding still works via in-app notifications.
|
|
|
|
|
smtp_host: str = ""
|
|
|
|
|
smtp_port: int = 587
|
|
|
|
|
smtp_user: str = ""
|
|
|
|
|
smtp_password: str = ""
|
chore: rebrand Subfeed -> Siftlode
Rename all user-facing references (UI wordmark Sift+lode, titles, app name,
legal pages, onboarding wizard, emails, README/docs) and infra paths
(/srv/subfeed -> /srv/siftlode, image tag, deploy script, backup filenames).
Internal identifiers kept on purpose: Postgres user/db "subfeed", logger
namespace, localStorage keys, and the subfeed_pgdata volume (renaming would
orphan the migrated production data).
2026-06-14 04:40:22 +02:00
|
|
|
smtp_from: str = "" # e.g. "Siftlode <addr@gmail.com>"; falls back to smtp_user
|
2026-06-12 01:43:07 +02:00
|
|
|
|
2026-06-11 01:22:07 +02:00
|
|
|
# --- Sync / YouTube Data API ---
|
|
|
|
|
# Optional API key for public reads (channels/videos/playlistItems). When set it is
|
|
|
|
|
# preferred for shared backfill/enrichment so it doesn't depend on a specific user.
|
|
|
|
|
youtube_api_key: str = ""
|
2026-06-26 00:32:17 +02:00
|
|
|
# Optional HTTP(S) proxy for outbound YouTube Data API calls. Set this to send the
|
2026-07-01 12:46:50 +02:00
|
|
|
# scheduler's googleapis traffic through a fixed-IP host so an IP-restricted API key
|
|
|
|
|
# keeps working even when this host's public IP is dynamic.
|
2026-06-26 00:32:17 +02:00
|
|
|
youtube_api_proxy: str = ""
|
2026-06-11 01:22:07 +02:00
|
|
|
# Daily quota budget (units). Default leaves headroom under the 10,000/day free limit.
|
|
|
|
|
quota_daily_budget: int = 9000
|
2026-06-29 22:29:54 +02:00
|
|
|
# Per-user cap on live YouTube searches per day. With the official API (search_source="api")
|
|
|
|
|
# each search.list costs 100 units, so the shared budget only affords ~80-90/day total; with
|
|
|
|
|
# the zero-quota scrape source it's a pure anti-abuse rate limit. Admin-tunable.
|
2026-06-29 02:01:31 +02:00
|
|
|
search_daily_limit_per_user: int = 70
|
2026-06-29 22:29:54 +02:00
|
|
|
# Source for live YouTube search: "scrape" (InnerTube, no API quota) or "api" (search.list,
|
|
|
|
|
# 100 units/page). Scrape is the default; flip to "api" if scraping is blocked/breaks.
|
|
|
|
|
search_source: str = "scrape"
|
2026-06-11 01:22:07 +02:00
|
|
|
# Recent-first backfill: how far back to fetch on the first pass per channel.
|
feat: M2 (part 2) — RSS poller, backfill, enrichment, scheduler
- Free per-channel RSS reader for quota-less fresh-video detection
- Recent-first backfill (configurable: 100 videos / 1 year) plus resumable deep
backfill from the uploads playlist
- Enrichment via videos.list: duration, view/like counts, category, topics,
language, Shorts heuristic and livestream/premiere classification
- Reusable sync runners + APScheduler jobs (rss / enrich / backfill), all
quota-aware with a reserve so backfill never starves fresh enrichment
- Manual triggers: POST /api/sync/{rss,backfill,enrich}
- Exact insert counting via RETURNING with in-batch de-duplication
2026-06-11 01:36:41 +02:00
|
|
|
backfill_recent_max_videos: int = 100
|
2026-06-11 01:22:07 +02:00
|
|
|
backfill_recent_max_days: int = 365
|
|
|
|
|
|
fix: address reader-UI feedback (shorts, search, tags, login, UX)
- Shorts: confirm via youtube.com/shorts/<id> probe (SOCS cookie bypasses the
consent redirect) instead of a 60s heuristic; concurrent probing, shorts_probed
flag, scheduled refinement (migration 0005)
- Search: match title + channel name only (descriptions caused noisy results)
- Faceted tag filtering: AND across categories (language AND topic narrows),
OR within a category; any/all toggle applies to topics
- Language detection: majority vote over individual titles (fixes misdetections
like multipoleguy -> English; drops bogus Polish/Romanian)
- Login: drop forced consent so returning sign-in is quick (select_account)
- Feed cards: clickable channel name (opens channel), persistent saved badge,
undo toast on hide, Hidden view to restore; tag chips show counts in tooltip
2026-06-11 03:07:49 +02:00
|
|
|
# Shorts are confirmed by probing youtube.com/shorts/<id>. Only videos at or below
|
|
|
|
|
# this duration (and not livestreams) are probed; longer videos are never Shorts.
|
|
|
|
|
shorts_probe_max_seconds: int = 180
|
|
|
|
|
shorts_probe_batch: int = 150
|
|
|
|
|
shorts_probe_interval_minutes: int = 2
|
feat: M2 (part 2) — RSS poller, backfill, enrichment, scheduler
- Free per-channel RSS reader for quota-less fresh-video detection
- Recent-first backfill (configurable: 100 videos / 1 year) plus resumable deep
backfill from the uploads playlist
- Enrichment via videos.list: duration, view/like counts, category, topics,
language, Shorts heuristic and livestream/premiere classification
- Reusable sync runners + APScheduler jobs (rss / enrich / backfill), all
quota-aware with a reserve so backfill never starves fresh enrichment
- Manual triggers: POST /api/sync/{rss,backfill,enrich}
- Exact insert counting via RETURNING with in-batch de-duplication
2026-06-11 01:36:41 +02:00
|
|
|
# videos.list accepts up to 50 ids per call.
|
|
|
|
|
enrich_batch_size: int = 50
|
|
|
|
|
|
|
|
|
|
# --- Background scheduler ---
|
|
|
|
|
scheduler_enabled: bool = True
|
|
|
|
|
rss_poll_minutes: int = 20
|
|
|
|
|
enrich_interval_minutes: int = 3
|
|
|
|
|
backfill_interval_minutes: int = 10
|
|
|
|
|
# Keep this many quota units in reserve so scheduled backfill never starves
|
|
|
|
|
# interactive syncs / enrichment of fresh videos.
|
|
|
|
|
backfill_quota_reserve: int = 2000
|
|
|
|
|
|
2026-06-11 01:57:19 +02:00
|
|
|
# --- Auto-tagging / feed defaults ---
|
|
|
|
|
# Number of recent video titles sampled per channel for language detection.
|
|
|
|
|
autotag_title_sample: int = 40
|
|
|
|
|
autotag_interval_minutes: int = 30
|
2026-06-11 03:28:45 +02:00
|
|
|
subscriptions_resync_minutes: int = 360
|
2026-06-15 19:37:03 +02:00
|
|
|
playlist_sync_minutes: int = 360
|
2026-06-19 15:25:13 +02:00
|
|
|
# How often the shared demo account is auto-reset to a clean baseline (communal sandbox).
|
|
|
|
|
demo_reset_minutes: int = 720
|
2026-06-18 03:20:28 +02:00
|
|
|
# --- Maintenance / validation job ---
|
|
|
|
|
# Runs once a day by default (admin-tunable via the Scheduler dashboard). Grace periods
|
|
|
|
|
# are in days because that's the granularity that matters; the rolling re-validation
|
|
|
|
|
# re-checks the least-recently-checked N videos per run (1 unit / 50 videos), so on a
|
|
|
|
|
# ~233k catalog ~15000/day ≈ a 15-day full cycle for ~300 quota units.
|
|
|
|
|
maintenance_interval_minutes: int = 1440
|
|
|
|
|
maintenance_revalidate_batch: int = 15000
|
|
|
|
|
# Grace before a flagged-unavailable video is hard-deleted (cascades to states/playlist
|
|
|
|
|
# items). Deleted/private/paywalled get a recovery window; abandoned upcoming and
|
|
|
|
|
# confirmed-dead stuck-live have no age grace (deleted on the sweep that confirms them).
|
|
|
|
|
maintenance_grace_days: int = 7
|
feat(channels): channel-explore backend — about metadata, ephemeral provenance, cleanup
Adds the backend for a dedicated channel page + ephemeral browsing of un-subscribed
channels:
- migration 0033: channels.{total_view_count,published_at,banner_url,external_links,
from_explore}, videos.via_explore, explored_channels (per-user, grace-clocked).
- enrich channels with part=brandingSettings (banner/links) + statistics.viewCount +
snippet.publishedAt — no extra quota.
- GET /api/channels/{id}: About detail + this user's relationship; lazy-enriches the new
About fields (published_at sentinel).
- POST /api/channels/{id}/explore (require_human, quota-reserve guarded): records the
exploration, flags the channel ephemeral unless followed, ingests one page of uploads
(via_explore) + enriches; returns next_page_token for load-more.
- feed: per-explorer gate — a via_explore video is visible only to users who explored or
subscribe to its channel, so exploration never leaks into everyone's catalog.
- subscribe = keep: clears from_explore + via_explore on the channel's videos.
- scheduler explore_cleanup job + explore_grace_days config: hard-delete explored-but-
unkept channels and their untouched ephemeral videos after a grace period.
2026-06-30 02:52:44 +02:00
|
|
|
# --- Channel-explore cleanup job ---
|
|
|
|
|
# Runs daily by default (admin-tunable via the Scheduler dashboard). An explored-but-never-
|
|
|
|
|
# kept channel (no subscription, no per-user state on its videos) is hard-deleted this many
|
|
|
|
|
# days after it was last explored — the grace clock is ExploredChannel.created_at.
|
|
|
|
|
explore_cleanup_minutes: int = 1440
|
|
|
|
|
explore_grace_days: int = 7
|
2026-07-01 00:42:32 +02:00
|
|
|
# How long an un-kept live-search result (a via_search video nobody watched / saved /
|
|
|
|
|
# subscribed to) is kept before the same cleanup job removes it — "as if never added".
|
|
|
|
|
search_grace_days: int = 7
|
2026-06-11 01:57:19 +02:00
|
|
|
# live_status values hidden from the feed by default. Completed-stream VODs
|
|
|
|
|
# ("was_live") are real watchable content and stay visible.
|
|
|
|
|
feed_default_hidden_live: str = "live,upcoming"
|
|
|
|
|
|
feat(downloads): M1 — schema, config, worker container, deps
- models: MediaAsset (shared file cache, unique on source+format_sig), DownloadJob
(per-user request), DownloadProfile (presets), DownloadShare (ACL), DownloadQuota
- migrations 0036 (5 tables) + 0037 (6 builtin presets)
- sysconfig 'downloads' group (per-user defaults, retention/GC, layout, worker concurrency)
- config: DOWNLOAD_ROOT / WORKER_ENABLED env + download defaults
- deps: yt-dlp in requirements, ffmpeg in Dockerfile runtime stage
- worker: dedicated container (python -m app.worker), thin idle entry (loop lands in M2)
- localdev compose: worker service + downloads bind-mount; gitignore downloads/
2026-07-02 23:57:40 +02:00
|
|
|
# --- Download center (yt-dlp) ---
|
|
|
|
|
# Root directory (inside the container) for downloaded media — a Docker volume/bind mount.
|
|
|
|
|
# Env-only (a mount path can't live in the DB). The worker lays a Plex-style tree under it.
|
|
|
|
|
download_root: str = "/downloads"
|
|
|
|
|
# Whether THIS process runs the download worker loop. On for the dedicated worker
|
|
|
|
|
# container, off for the API (which keeps the scheduler). Mirrors scheduler_enabled.
|
|
|
|
|
worker_enabled: bool = False
|
2026-07-03 04:40:10 +02:00
|
|
|
# Base URL of the bgutil PO-token provider sidecar. When set, the download worker asks it
|
|
|
|
|
# for YouTube Proof-of-Origin tokens (bypasses bot-detection + unlocks high-quality
|
|
|
|
|
# formats). Empty disables it (yt-dlp still works, but may hit "confirm you're not a bot").
|
|
|
|
|
download_pot_base_url: str = "http://bgutil-pot:4416"
|
2026-07-03 23:01:09 +02:00
|
|
|
# yt-dlp player clients (comma-separated). PRIMARY = android_vr: high-quality DASH, no PO
|
|
|
|
|
# token / JS runtime needed, reliable for normal use. On a bot/DRM/format failure (YouTube's
|
|
|
|
|
# per-client responses are flaky, and android_vr can get bot-flagged under heavy load) the
|
|
|
|
|
# worker retries with the FALLBACK set — the POT-capable web clients (web needs the token +
|
|
|
|
|
# Deno) plus android for audio. Both admin-tunable when YouTube shifts what works.
|
|
|
|
|
download_player_clients: str = "android_vr"
|
|
|
|
|
download_player_clients_fallback: str = "web_safari,web,android"
|
|
|
|
|
|
|
|
|
|
@staticmethod
|
|
|
|
|
def _clients(raw: str) -> list[str]:
|
|
|
|
|
return [c.strip() for c in raw.split(",") if c.strip()]
|
2026-07-03 04:40:10 +02:00
|
|
|
|
|
|
|
|
@property
|
|
|
|
|
def player_client_list(self) -> list[str]:
|
2026-07-03 23:01:09 +02:00
|
|
|
return self._clients(self.download_player_clients)
|
|
|
|
|
|
|
|
|
|
@property
|
|
|
|
|
def player_client_fallback_list(self) -> list[str]:
|
|
|
|
|
return self._clients(self.download_player_clients_fallback)
|
feat(downloads): M1 — schema, config, worker container, deps
- models: MediaAsset (shared file cache, unique on source+format_sig), DownloadJob
(per-user request), DownloadProfile (presets), DownloadShare (ACL), DownloadQuota
- migrations 0036 (5 tables) + 0037 (6 builtin presets)
- sysconfig 'downloads' group (per-user defaults, retention/GC, layout, worker concurrency)
- config: DOWNLOAD_ROOT / WORKER_ENABLED env + download defaults
- deps: yt-dlp in requirements, ffmpeg in Dockerfile runtime stage
- worker: dedicated container (python -m app.worker), thin idle entry (loop lands in M2)
- localdev compose: worker service + downloads bind-mount; gitignore downloads/
2026-07-02 23:57:40 +02:00
|
|
|
# How many downloads the worker runs concurrently (claimed via FOR UPDATE SKIP LOCKED).
|
|
|
|
|
download_worker_concurrency: int = 2
|
|
|
|
|
# How often (empty pending queue) the worker polls for a new job, in seconds.
|
|
|
|
|
download_poll_seconds: int = 5
|
feat(downloads): M3 — per-user quota + retention GC
- downloads/quota.py: per-user limits (DownloadQuota row or sysconfig defaults; unlimited
bypass), footprint = distinct ready-asset bytes the user holds, check_enqueue (max_jobs +
max_bytes hard at enqueue), at_concurrency_limit (worker-side max_concurrent), usage snapshot
- downloads/gc.py: run_download_gc — pre-expiry warning (once, gc_notified flag), TTL deletion
(files + row; FK SET NULL orphans holders' jobs -> 'expired'), LRU eviction over a total-cache
cap; notifies holders on each event
- migration 0038: media_assets.gc_notified
- config/sysconfig: download_total_max_bytes (0=unlimited) in the downloads group
- service.enqueue enforces quota; worker claim skips users at their concurrency limit
- scheduler: download_gc job registered (default 360 min, admin-tunable)
Verified on localdev: footprint accounting, max_jobs block, pre-expiry warning (notifies all
holders), TTL deletion (asset+files gone, dirs pruned, jobs orphaned, holders notified).
2026-07-03 00:26:40 +02:00
|
|
|
# Total cache size cap across ALL users (bytes). When >0 and exceeded, the GC evicts the
|
|
|
|
|
# least-recently-accessed ready assets until under it. 0 = unlimited (disk is the limit).
|
|
|
|
|
download_total_max_bytes: int = 0
|
feat(downloads): M1 — schema, config, worker container, deps
- models: MediaAsset (shared file cache, unique on source+format_sig), DownloadJob
(per-user request), DownloadProfile (presets), DownloadShare (ACL), DownloadQuota
- migrations 0036 (5 tables) + 0037 (6 builtin presets)
- sysconfig 'downloads' group (per-user defaults, retention/GC, layout, worker concurrency)
- config: DOWNLOAD_ROOT / WORKER_ENABLED env + download defaults
- deps: yt-dlp in requirements, ffmpeg in Dockerfile runtime stage
- worker: dedicated container (python -m app.worker), thin idle entry (loop lands in M2)
- localdev compose: worker service + downloads bind-mount; gitignore downloads/
2026-07-02 23:57:40 +02:00
|
|
|
# Default per-user quota (admin-tunable; a per-user download_quotas row overrides).
|
|
|
|
|
download_default_max_bytes: int = 5_368_709_120 # 5 GiB
|
|
|
|
|
download_default_max_concurrent: int = 2
|
|
|
|
|
download_default_max_jobs: int = 50
|
|
|
|
|
# Retention: an asset expires this many days after its last access; the GC job then
|
|
|
|
|
# deletes it (once no job references it) after an additional grace window.
|
|
|
|
|
download_retention_days: int = 30
|
|
|
|
|
download_gc_grace_days: int = 2
|
|
|
|
|
download_gc_minutes: int = 360
|
|
|
|
|
# On-disk layout: "plex" (Channel/Season YYYY/… [id].ext + .nfo/poster) or "flat".
|
|
|
|
|
download_layout: str = "plex"
|
|
|
|
|
# Default SponsorBlock (skip sponsor segments) for new custom profiles.
|
|
|
|
|
sponsorblock_default: bool = False
|
|
|
|
|
|
feat(plex): P0 backend foundations — catalog model, config, client
Optional Plex module groundwork (design locked 2026-07-05): plays the LOCAL
physical file; Plex is metadata + optional watch-sync only.
- models + migration 0044: plex_libraries/plex_shows/plex_seasons/plex_items
(playable leaf, ffprobe playability class, markers, weighted FTS search_vector)
+ plex_states (per-user watch state, mirrors video_states)
- sysconfig 'plex' group + config.py env defaults (server url/token[secret]/
path-map/libraries/sync-interval/max-transcodes)
- app/plex/client.py (PlexClient httpx: server info, sections, items, metadata
+markers, image) + app/plex/paths.py (Plex→local path map + file resolve)
- routes/plex.py admin POST /api/plex/test (verify connection + list sections)
2026-07-05 01:35:08 +02:00
|
|
|
# --- Plex integration (optional) ---
|
|
|
|
|
# The Plex module plays the LOCAL physical media file directly (our own ffmpeg/direct-serve);
|
|
|
|
|
# Plex is used only for metadata + optional watch-state sync. Requires the Plex server to be
|
|
|
|
|
# reachable from THIS host and its media reachable on a local mount (see plex_path_map).
|
|
|
|
|
plex_enabled: bool = False
|
|
|
|
|
# Base URL of the Plex Media Server reachable from this host, e.g. http://192.168.1.112:32400.
|
|
|
|
|
plex_server_url: str = ""
|
|
|
|
|
# Plex server admin token (X-Plex-Token). Server-side only (metadata + image proxy); never
|
|
|
|
|
# sent to the browser. Stored encrypted when set via the admin Config page.
|
|
|
|
|
plex_server_token: str = ""
|
|
|
|
|
# Path map: Plex's on-disk media paths → this host's read-only mount, so Siftlode can open the
|
|
|
|
|
# physical file for direct playback. Newline/comma-separated "plexPrefix=localPrefix" pairs;
|
|
|
|
|
# the longest matching prefix wins. E.g. "/data=/plex-media". Empty = identical on both sides.
|
|
|
|
|
plex_path_map: str = ""
|
|
|
|
|
# Which Plex library section keys are exposed (comma-separated). Empty = all enabled sections.
|
|
|
|
|
plex_libraries: str = ""
|
|
|
|
|
# Stable client identifier Siftlode presents to Plex (X-Plex-Client-Identifier).
|
|
|
|
|
plex_client_id: str = "siftlode-server"
|
|
|
|
|
# How often the catalog sync job mirrors Plex metadata, in minutes.
|
|
|
|
|
plex_sync_interval_min: int = 360
|
|
|
|
|
# Max concurrent transcodes for the P3 fallback. Low by default — CPU-only transcode is
|
|
|
|
|
# expensive; direct-serve (browser-compatible files) has no such limit.
|
|
|
|
|
plex_max_transcodes: int = 1
|
feat(plex): P2 streaming backend — direct 206 + seek-restart HLS remux
Validated end-to-end on a real remux file (h264+ac3 mkv). The riskiest part of the
Plex epic — on-the-fly playback from the local file — now proven.
- app/plex/stream.py: seek-restart HLS session model (one ffmpeg per item, restarted
at a seek offset via -ss). Video stream-COPY (I/O-bound, CPU-light — fine on the
GPU-less prod host) + audio→aac only when not already aac. Maps first video+audio,
drops subtitles (no VTT rendition clutter). Session cap + idle reaper.
- routes: POST /stream/{rk}/session?start= (direct→raw url, remux→HLS session,
transcode→501 P3), GET /stream/{rk}/file (206 range, direct), /index.m3u8, /seg_n.ts.
- KEY FINDINGS (hard-won): (1) ffmpeg -hls_playlist_type VOD does NOT write the
playlist mid-run (only at finalize) → use EVENT (append-only, appears immediately),
which suits the seek-restart model; (2) naive per-segment copy + keyframe-indexed
extraction are both unreliable (non-uniform/imprecise segments) — ffmpeg's own HLS
muxer is the only correct segmenter; (3) dev slowness was the Windows /downloads
bind-mount write + SMB read → PLEX_HLS_DIR env points scratch at fast container-local
/var/tmp on dev (prod keeps download_root, fast local disk).
2026-07-05 04:16:45 +02:00
|
|
|
# Where on-the-fly HLS remux segments are written (transient, reaped). Empty → a `.plex-hls`
|
|
|
|
|
# dir under download_root. On localdev the download_root is a slow Windows bind-mount, so point
|
|
|
|
|
# this at a fast container-local path (e.g. /var/tmp/plex-hls); prod's download_root is fast
|
|
|
|
|
# local disk, so the default is fine there.
|
|
|
|
|
plex_hls_dir: str = ""
|
feat(plex): P0 backend foundations — catalog model, config, client
Optional Plex module groundwork (design locked 2026-07-05): plays the LOCAL
physical file; Plex is metadata + optional watch-sync only.
- models + migration 0044: plex_libraries/plex_shows/plex_seasons/plex_items
(playable leaf, ffprobe playability class, markers, weighted FTS search_vector)
+ plex_states (per-user watch state, mirrors video_states)
- sysconfig 'plex' group + config.py env defaults (server url/token[secret]/
path-map/libraries/sync-interval/max-transcodes)
- app/plex/client.py (PlexClient httpx: server info, sections, items, metadata
+markers, image) + app/plex/paths.py (Plex→local path map + file resolve)
- routes/plex.py admin POST /api/plex/test (verify connection + list sections)
2026-07-05 01:35:08 +02:00
|
|
|
|
2026-06-11 01:01:37 +02:00
|
|
|
@property
|
|
|
|
|
def allowed_email_set(self) -> set[str]:
|
|
|
|
|
return {e.strip().lower() for e in self.allowed_emails.split(",") if e.strip()}
|
|
|
|
|
|
|
|
|
|
@property
|
|
|
|
|
def admin_email_set(self) -> set[str]:
|
|
|
|
|
return {e.strip().lower() for e in self.admin_emails.split(",") if e.strip()}
|
|
|
|
|
|
2026-06-19 19:52:02 +02:00
|
|
|
@property
|
|
|
|
|
def app_base(self) -> str:
|
|
|
|
|
"""Public origin of the deployed app, derived from the OAuth redirect URL
|
|
|
|
|
(.../auth/callback). The single source for user-facing links (verification, reset,
|
|
|
|
|
approval emails); dev and prod differ, so links must always come from config."""
|
|
|
|
|
u = self.oauth_redirect_url
|
|
|
|
|
return u.split("/auth/")[0] if "/auth/" in u else u.rstrip("/")
|
|
|
|
|
|
2026-06-13 23:56:34 +02:00
|
|
|
@property
|
|
|
|
|
def session_https_only(self) -> bool:
|
|
|
|
|
"""Mark the session cookie Secure when we're served over HTTPS. We treat an
|
|
|
|
|
https OAUTH_REDIRECT_URL as the signal for 'real deployment' vs local dev."""
|
|
|
|
|
return self.oauth_redirect_url.lower().startswith("https://")
|
|
|
|
|
|
|
|
|
|
@model_validator(mode="after")
|
|
|
|
|
def _enforce_production_secrets(self) -> "Settings":
|
|
|
|
|
"""Fail fast rather than boot a public instance with the shipped placeholder
|
|
|
|
|
signing key (which would let anyone forge an admin session) or without token
|
|
|
|
|
encryption. Local dev (http redirect URL) keeps the convenient defaults."""
|
|
|
|
|
if not self.session_https_only:
|
|
|
|
|
return self # local/dev: allow the placeholder defaults
|
|
|
|
|
if self.secret_key == _DEFAULT_SECRET_KEY or len(self.secret_key) < 32:
|
|
|
|
|
raise ValueError(
|
|
|
|
|
"SECRET_KEY must be a unique random value of at least 32 chars in "
|
|
|
|
|
"production (an https OAUTH_REDIRECT_URL was detected). Generate one "
|
|
|
|
|
'with: python -c "import secrets; print(secrets.token_urlsafe(48))"'
|
|
|
|
|
)
|
|
|
|
|
if not self.token_encryption_key:
|
|
|
|
|
raise ValueError(
|
|
|
|
|
"TOKEN_ENCRYPTION_KEY must be set in production so refresh tokens are "
|
|
|
|
|
"encrypted at rest. Generate one with: "
|
|
|
|
|
'python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"'
|
|
|
|
|
)
|
|
|
|
|
return self
|
|
|
|
|
|
2026-06-11 01:01:37 +02:00
|
|
|
|
|
|
|
|
settings = Settings()
|