X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=nixops%2Fmodules%2Fwebsites%2Ftools%2Fpeertube.nix;fp=nixops%2Fmodules%2Fwebsites%2Ftools%2Fpeertube.nix;h=e15f6384082530d00c72f97fcf87102fd5f3f2e4;hb=f3a8fab524e384e0b5cad3df6506a27b2f405ebc;hp=0000000000000000000000000000000000000000;hpb=bf3b7671904b8a8bf4da4eba30564140387499f9;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/nixops/modules/websites/tools/peertube.nix b/nixops/modules/websites/tools/peertube.nix
new file mode 100644
index 0000000..e15f638
--- /dev/null
+++ b/nixops/modules/websites/tools/peertube.nix
@@ -0,0 +1,225 @@
+{ lib, pkgs, config, myconfig, mylibs, ... }:
+let
+ peertube = pkgs.webapps.peertube;
+ varDir = "/var/lib/peertube";
+ env = myconfig.env.tools.peertube;
+ cfg = config.services.myWebsites.tools.peertube;
+in {
+ options.services.myWebsites.tools.peertube = {
+ enable = lib.mkEnableOption "enable Peertube's website";
+ };
+
+ config = lib.mkIf cfg.enable {
+ ids.uids.peertube = env.user.uid;
+ ids.gids.peertube = env.user.gid;
+
+ users.users.peertube = {
+ name = "peertube";
+ uid = config.ids.uids.peertube;
+ group = "peertube";
+ description = "Peertube user";
+ home = varDir;
+ useDefaultShell = true;
+ extraGroups = [ "keys" ];
+ };
+
+ users.groups.peertube.gid = config.ids.gids.peertube;
+
+ systemd.services.peertube = {
+ description = "Peertube";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" "postgresql.service" ];
+ wants = [ "postgresql.service" ];
+
+ environment.NODE_CONFIG_DIR = "${varDir}/config";
+ environment.NODE_ENV = "production";
+ environment.HOME = peertube;
+
+ path = [ pkgs.nodejs pkgs.bashInteractive pkgs.ffmpeg pkgs.openssl ];
+
+ script = ''
+ exec npm run start
+ '';
+
+ serviceConfig = {
+ User = "peertube";
+ Group = "peertube";
+ WorkingDirectory = peertube;
+ PrivateTmp = true;
+ ProtectHome = true;
+ ProtectControlGroups = true;
+ Restart = "always";
+ Type = "simple";
+ TimeoutSec = 60;
+ };
+
+ unitConfig.RequiresMountsFor = varDir;
+ };
+
+ mySecrets.keys = [{
+ dest = "webapps/tools-peertube";
+ user = "peertube";
+ group = "peertube";
+ permissions = "0640";
+ text = ''
+ listen:
+ hostname: 'localhost'
+ port: ${env.listenPort}
+ webserver:
+ https: true
+ hostname: 'peertube.immae.eu'
+ port: 443
+ trust_proxy:
+ - 'loopback'
+ database:
+ hostname: '${env.postgresql.socket}'
+ port: 5432
+ suffix: '_prod'
+ username: '${env.postgresql.user}'
+ password: '${env.postgresql.password}'
+ pool:
+ max: 5
+ redis:
+ socket: '${env.redis.socket}'
+ auth: null
+ db: ${env.redis.db_index}
+ ldap:
+ enable: true
+ ldap_only: false
+ url: ldaps://${env.ldap.host}/${env.ldap.base}
+ bind_dn: ${env.ldap.dn}
+ bind_password: ${env.ldap.password}
+ base: ${env.ldap.base}
+ mail_entry: "mail"
+ user_filter: "${env.ldap.filter}"
+ smtp:
+ transport: sendmail
+ sendmail: '/run/wrappers/bin/sendmail'
+ hostname: null
+ port: 465 # If you use StartTLS: 587
+ username: null
+ password: null
+ tls: true # If you use StartTLS: false
+ disable_starttls: false
+ ca_file: null # Used for self signed certificates
+ from_address: 'peertube@tools.immae.eu'
+ storage:
+ tmp: '${varDir}/storage/tmp/'
+ avatars: '${varDir}/storage/avatars/'
+ videos: '${varDir}/storage/videos/'
+ redundancy: '${varDir}/storage/videos/'
+ logs: '${varDir}/storage/logs/'
+ previews: '${varDir}/storage/previews/'
+ thumbnails: '${varDir}/storage/thumbnails/'
+ torrents: '${varDir}/storage/torrents/'
+ captions: '${varDir}/storage/captions/'
+ cache: '${varDir}/storage/cache/'
+ log:
+ level: 'info'
+ search:
+ remote_uri:
+ users: true
+ anonymous: false
+ trending:
+ videos:
+ interval_days: 7
+ redundancy:
+ videos:
+ check_interval: '1 hour' # How often you want to check new videos to cache
+ strategies: # Just uncomment strategies you want
+ # Following are saved in local-production.json
+ cache:
+ previews:
+ size: 500 # Max number of previews you want to cache
+ captions:
+ size: 500 # Max number of video captions/subtitles you want to cache
+ admin:
+ email: 'peertube@tools.immae.eu'
+ contact_form:
+ enabled: true
+ signup:
+ enabled: false
+ limit: 10
+ requires_email_verification: false
+ filters:
+ cidr:
+ whitelist: []
+ blacklist: []
+ user:
+ video_quota: -1
+ video_quota_daily: -1
+ transcoding:
+ enabled: false
+ allow_additional_extensions: true
+ threads: 1
+ resolutions:
+ 240p: false
+ 360p: false
+ 480p: true
+ 720p: true
+ 1080p: true
+ hls:
+ enabled: false
+ import:
+ videos:
+ http:
+ enabled: true
+ torrent:
+ enabled: false
+ instance:
+ name: 'Immae’s PeerTube'
+ short_description: 'PeerTube, a federated (ActivityPub) video streaming platform using P2P (BitTorrent) directly in the web browser with WebTorrent and Angular.'
+ description: '''
+ terms: '''
+ default_client_route: '/videos/trending'
+ default_nsfw_policy: 'blur'
+ customizations:
+ javascript: '''
+ css: '''
+ robots: |
+ User-agent: *
+ Disallow:
+ securitytxt:
+ "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
+ services:
+ # You can provide a reporting endpoint for Content Security Policy violations
+ csp-logger:
+ twitter:
+ username: '@_immae'
+ whitelisted: false
+ '';
+ }];
+
+ system.activationScripts.peertube = {
+ deps = [ "users" ];
+ text = ''
+ install -m 0750 -o peertube -g peertube -d ${varDir}
+ install -m 0750 -o peertube -g peertube -d ${varDir}/config
+ ln -sf /var/secrets/webapps/tools-peertube ${varDir}/config/production.yaml
+ '';
+ };
+
+ services.myWebsites.tools.modules = [
+ "headers" "proxy" "proxy_http" "proxy_wstunnel"
+ ];
+ security.acme.certs."eldiron".extraDomains."peertube.immae.eu" = null;
+ services.myWebsites.tools.vhostConfs.peertube = {
+ certName = "eldiron";
+ hosts = [ "peertube.immae.eu" ];
+ root = null;
+ extraConfig = [ ''
+ ProxyPass / http://localhost:${env.listenPort}/
+ ProxyPassReverse / http://localhost:${env.listenPort}/
+
+ ProxyPreserveHost On
+ RequestHeader set X-Real-IP %{REMOTE_ADDR}s
+
+ ProxyPass /tracker/socket ws://127.0.0.1:${env.listenPort}/tracker/socket
+ ProxyPassReverse /tracker/socket ws://127.0.0.1:${env.listenPort}/tracker/socket
+
+ ProxyPass /socket.io ws://127.0.0.1:${env.listenPort}/socket.io
+ ProxyPassReverse /socket.io ws://127.0.0.1:${env.listenPort}/socket.io
+ '' ];
+ };
+ };
+}
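Review bot: The two `ws://` rules at the bottom of `extraConfig` are never reached: Apache evaluates `ProxyPass` rules in configuration order and the first match wins, so `ProxyPass / http://localhost:${env.listenPort}/` already claims `/tracker/socket` and `/socket.io` and their WebSocket upgrades are forwarded as plain HTTP to the `proxy_http` backend. Move the `/tracker/socket` and `/socket.io` `ProxyPass`/`ProxyPassReverse` pairs above the `ProxyPass /` line (longest prefix first), and use one loopback address for all of them instead of `localhost` on the catch-all and `127.0.0.1` on the WebSocket rules. The unit can also be confined further, since its only writable state is `varDir`: add `ProtectSystem = "strict";` and `ReadWritePaths = [ varDir ];` to `serviceConfig` (with `NODE_CONFIG_DIR` and the secret symlink both under `varDir` this should be sufficient, but check whether `npm run start` tries to write into `HOME`, which is a store path here); do not add `NoNewPrivileges` without testing, because the configured `sendmail: '/run/wrappers/bin/sendmail'` is a privilege-escalating wrapper. Finally, `extraGroups = [ "keys" ]` looks redundant given the secret is installed with `user = "peertube"` and `permissions = "0640"` — confirm what `mySecrets` needs before removing it.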