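# NixOS module for the Syden PeerTube instance: service account, secret
# configuration file, systemd unit and Apache reverse-proxy vhost.
{ lib, pkgs, config, ... }:
let
  scfg = config.myServices.websites.syden.peertube;
  name = "peertube";
  # Must stay in sync with StateDirectory below (systemd creates /var/lib/<StateDirectory>).
  dataDir = "/var/lib/syden_peertube";
  package = (pkgs.mylibs.flakeCompat ../../../../flakes/private/peertube).packages.x86_64-linux.peertube_syden;
  env = config.myEnv.tools.syden_peertube;
in
{
  options.myServices.websites.syden.peertube.enable = lib.mkEnableOption "enable Syden's website";

  config = lib.mkIf scfg.enable {
    # Dedicated service account with fixed uid/gid taken from config.ids.
    users.users.peertube = {
      uid = config.ids.uids.peertube;
      group = "peertube";
      description = "Peertube user";
      # NOTE(review): a login shell on a service account is only useful for
      # interactive maintenance; confirm it is still needed.
      useDefaultShell = true;
      # Presumably required to read the deployed secret files; verify against
      # the secrets module.
      extraGroups = [ "keys" ];
    };
    users.groups.peertube.gid = config.ids.gids.peertube;

    # production.yaml for PeerTube. It embeds the PostgreSQL password, so it is
    # declared as a secret readable only by the peertube user and group (0640).
    # NOTE(review): `redundancy` points at the same directory as `videos`;
    # confirm this is intended.
    secrets.keys."websites/syden/peertube" = {
      user = "peertube";
      group = "peertube";
      permissions = "0640";
      text = ''
        listen:
          hostname: 'localhost'
          port: ${toString env.listenPort}
        webserver:
          https: true
          hostname: 'record-links.immae.eu'
          port: 443
        database:
          hostname: '${env.postgresql.socket}'
          port: 5432
          suffix: '_syden'
          username: '${env.postgresql.user}'
          password: '${env.postgresql.password}'
          pool:
            max: 5
        redis:
          socket: '${env.redis.socket}'
          auth: null
          db: ${env.redis.db}
        smtp:
          transport: sendmail
          sendmail: '/run/wrappers/bin/sendmail'
          from_address: 'peertube@tools.immae.eu'
        storage:
          tmp: '${dataDir}/storage/tmp/'
          avatars: '${dataDir}/storage/avatars/'
          videos: '${dataDir}/storage/videos/'
          streaming_playlists: '${dataDir}/storage/streaming-playlists/'
          redundancy: '${dataDir}/storage/videos/'
          logs: '${dataDir}/storage/logs/'
          previews: '${dataDir}/storage/previews/'
          thumbnails: '${dataDir}/storage/thumbnails/'
          torrents: '${dataDir}/storage/torrents/'
          captions: '${dataDir}/storage/captions/'
          cache: '${dataDir}/storage/cache/'
          plugins: '${dataDir}/storage/plugins/'
          client_overrides: '${dataDir}/storage/client-overrides/'
      '';
    };

    # Restart the service whenever the deployed secret file changes.
    services.filesWatcher.syden_peertube = {
      restart = true;
      paths = [ config.secrets.fullPaths."websites/syden/peertube" ];
    };

    systemd.services.syden_peertube = {
      description = "Peertube";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" "postgresql.service" ];
      wants = [ "postgresql.service" ];

      environment.NODE_CONFIG_DIR = "${dataDir}/config";
      environment.NODE_ENV = "production";
      environment.HOME = package;

      path = [ pkgs.nodejs pkgs.bashInteractive pkgs.ffmpeg pkgs.openssl ];

      # The config directory holds only symlinks: production.yaml points at the
      # secret file, default.yaml at the packaged defaults.
      script = ''
        install -m 0750 -d ${dataDir}/config
        ln -sf ${config.secrets.fullPaths."websites/syden/peertube"} ${dataDir}/config/production.yaml
        ln -sf ${package}/config/default.yaml ${dataDir}/config/default.yaml
        exec npm run start
      '';

      serviceConfig = {
        User = "peertube";
        Group = "peertube";
        WorkingDirectory = package;
        StateDirectory = "syden_peertube";
        # Nix has no octal literals: a bare 0750 is the decimal integer 750 and
        # only yields the intended mode because systemd reads the value as
        # octal. A string states the mode explicitly.
        StateDirectoryMode = "0750";
        PrivateTmp = true;
        ProtectHome = true;
        ProtectControlGroups = true;
        # NOTE(review): further sandboxing (e.g. NoNewPrivileges) may interfere
        # with the sendmail wrapper under /run/wrappers/bin if that wrapper is
        # setuid/setgid; check before enabling.
        Restart = "always";
        Type = "simple";
        TimeoutSec = 60;
      };

      unitConfig.RequiresMountsFor = dataDir;
    };

    # Apache vhost in front of PeerTube. The backend listens on localhost only,
    # so this proxy is its only network exposure.
    services.websites.env.production.vhostConfs.syden_peertube = {
      certName = "syden";
      addToCerts = true;
      certMainHost = "record-links.immae.eu";
      hosts = [ "record-links.immae.eu" ];
      root = null;
      # The two rewrite rules proxy the WebSocket endpoints over ws://; every
      # other request goes through ProxyPass. `RequestHeader set` replaces any
      # X-Real-IP value supplied by the client with the connection's address.
      extraConfig = [ ''
        RewriteEngine On

        RewriteCond %{REQUEST_URI} ^/socket.io [NC]
        RewriteCond %{QUERY_STRING} transport=websocket [NC]
        RewriteRule /(.*) ws://localhost:${toString env.listenPort}/$1 [P,NE,QSA,L]

        RewriteCond %{REQUEST_URI} ^/tracker/socket [NC]
        RewriteRule /(.*) ws://localhost:${toString env.listenPort}/$1 [P,NE,QSA,L]

        ProxyPass / http://localhost:${toString env.listenPort}/
        ProxyPassReverse / http://localhost:${toString env.listenPort}/

        ProxyPreserveHost On
        RequestHeader set X-Real-IP %{REMOTE_ADDR}s
      '' ];
    };
  };
}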