Use attrs for secrets instead of lists
[perso/Immae/Config/Nix.git] / modules / private / websites / syden / peertube.nix
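# NixOS module for Syden's PeerTube instance: service account, rendered
# production.yaml secret, systemd unit, backup profile and Apache reverse proxy.
{ lib, pkgs, config, ... }:
let
  scfg = config.myServices.websites.syden.peertube;
  # Not referenced anywhere else in this file.
  name = "peertube";
  dataDir = "/var/lib/syden_peertube";
  package = (pkgs.mylibs.flakeCompat ../../../../flakes/private/peertube).packages.x86_64-linux.peertube_syden;
  # Site-specific values (listen port, PostgreSQL and Redis settings).
  env = config.myEnv.tools.syden_peertube;
in
{
  options.myServices.websites.syden.peertube.enable = lib.mkEnableOption "enable Syden's website";

  config = lib.mkIf scfg.enable {
    # Back up the whole state directory to both remotes.
    services.duplyBackup.profiles.syden_peertube = {
      rootDir = dataDir;
      remotes = ["eriomem" "ovh"];
    };

    # Dedicated account the service runs as (see serviceConfig.User below).
    users.users.peertube = {
      uid = config.ids.uids.peertube;
      group = "peertube";
      description = "Peertube user";
      # NOTE(review): gives the service account the system default shell;
      # confirm an interactive shell is actually needed for this user.
      useDefaultShell = true;
      # Presumably required to read the deployed secret files; verify what
      # else membership of "keys" exposes on this host.
      extraGroups = [ "keys" ];
    };
    users.groups.peertube.gid = config.ids.gids.peertube;

    # Rendered PeerTube production.yaml. It embeds the database password, so
    # it is deployed through the secrets module and not through a plain config
    # option. Mode 0640 makes it readable by the owner and by every member of
    # the peertube group.
    #
    # NOTE(review): the values are interpolated into single-quoted YAML
    # scalars without escaping. A "'" in env.postgresql.password (or in any
    # other interpolated value) would end the scalar early and change the
    # meaning of the file; consider emitting these values with
    # builtins.toJSON, whose output is a valid YAML double-quoted scalar.
    #
    # NOTE(review): "auth: null" means Redis is used without a password, so
    # access control rests on the permissions of env.redis.socket; confirm.
    secrets.keys."websites/syden/peertube" = {
      user = "peertube";
      group = "peertube";
      permissions = "0640";
      text = ''
        listen:
          hostname: 'localhost'
          port: ${toString env.listenPort}
        webserver:
          https: true
          hostname: 'record-links.immae.eu'
          port: 443
        database:
          hostname: '${env.postgresql.socket}'
          port: 5432
          suffix: '_syden'
          username: '${env.postgresql.user}'
          password: '${env.postgresql.password}'
          pool:
            max: 5
        redis:
          socket: '${env.redis.socket}'
          auth: null
          db: ${env.redis.db}
        smtp:
          transport: sendmail
          sendmail: '/run/wrappers/bin/sendmail'
          from_address: 'peertube@tools.immae.eu'
        storage:
          tmp: '${dataDir}/storage/tmp/'
          avatars: '${dataDir}/storage/avatars/'
          videos: '${dataDir}/storage/videos/'
          streaming_playlists: '${dataDir}/storage/streaming-playlists/'
          redundancy: '${dataDir}/storage/videos/'
          logs: '${dataDir}/storage/logs/'
          previews: '${dataDir}/storage/previews/'
          thumbnails: '${dataDir}/storage/thumbnails/'
          torrents: '${dataDir}/storage/torrents/'
          captions: '${dataDir}/storage/captions/'
          cache: '${dataDir}/storage/cache/'
          plugins: '${dataDir}/storage/plugins/'
          client_overrides: '${dataDir}/storage/client-overrides/'
      '';
    };

    # Watch the rendered secret; presumably restarts syden_peertube when the
    # file changes (filesWatcher is a project module -- confirm its semantics).
    services.filesWatcher.syden_peertube = {
      restart = true;
      paths = [ config.secrets.fullPaths."websites/syden/peertube" ];
    };

    systemd.services.syden_peertube = {
      description = "Peertube";
      wantedBy = [ "multi-user.target" ];
      # NOTE(review): only PostgreSQL is ordered before this unit although the
      # configuration above also points at a Redis socket; confirm whether a
      # Redis unit should be listed here too.
      after = [ "network.target" "postgresql.service" ];
      wants = [ "postgresql.service" ];

      environment.NODE_CONFIG_DIR = "${dataDir}/config";
      environment.NODE_ENV = "production";
      # HOME is set to the package path, not to the writable state directory.
      environment.HOME = package;

      path = [ pkgs.nodejs pkgs.bashInteractive pkgs.ffmpeg pkgs.openssl ];

      # production.yaml is a symlink to the deployed secret, so the password is
      # never copied into dataDir (which is part of the backup profile above).
      # Both links are re-created with -f on every start.
      script = ''
        install -m 0750 -d ${dataDir}/config
        ln -sf ${config.secrets.fullPaths."websites/syden/peertube"} ${dataDir}/config/production.yaml
        ln -sf ${package}/config/default.yaml ${dataDir}/config/default.yaml
        exec npm run start
      '';

      serviceConfig = {
        User = "peertube";
        Group = "peertube";
        WorkingDirectory = package;
        StateDirectory = "syden_peertube";
        # Quoted on purpose: Nix has no octal literals, so a bare 0750 is the
        # decimal integer 750 and only yields the intended mode because systemd
        # re-reads the digits as octal. The string form states the mode
        # explicitly and matches permissions = "0640" above.
        StateDirectoryMode = "0750";
        # Sandboxing currently in place. NOTE(review): before adding
        # NoNewPrivileges, check the sendmail wrapper under /run/wrappers --
        # it presumably relies on setuid/setgid, which that option disables.
        PrivateTmp = true;
        ProtectHome = true;
        ProtectControlGroups = true;
        Restart = "always";
        Type = "simple";
        TimeoutSec = 60;
      };

      unitConfig.RequiresMountsFor = dataDir;
    };

    # Apache virtual host terminating TLS for record-links.immae.eu and
    # proxying to the PeerTube process listening on localhost.
    services.websites.env.production.vhostConfs.syden_peertube = {
      certName = "syden";
      addToCerts = true;
      certMainHost = "record-links.immae.eu";
      hosts = [ "record-links.immae.eu" ];
      root = null;
      # WebSocket requests (/socket.io with transport=websocket, and
      # /tracker/socket) are proxied over ws://, everything else over http://.
      # "RequestHeader set" replaces any client-supplied X-Real-IP with the
      # address Apache saw; ProxyPreserveHost forwards the original Host header.
      extraConfig = [ ''
        RewriteEngine On

        RewriteCond %{REQUEST_URI} ^/socket.io [NC]
        RewriteCond %{QUERY_STRING} transport=websocket [NC]
        RewriteRule /(.*) ws://localhost:${toString env.listenPort}/$1 [P,NE,QSA,L]

        RewriteCond %{REQUEST_URI} ^/tracker/socket [NC]
        RewriteRule /(.*) ws://localhost:${toString env.listenPort}/$1 [P,NE,QSA,L]

        ProxyPass / http://localhost:${toString env.listenPort}/
        ProxyPassReverse / http://localhost:${toString env.listenPort}/

        ProxyPreserveHost On
        RequestHeader set X-Real-IP %{REMOTE_ADDR}s
      '' ];
    };
  };
}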