Use attrs for secrets instead of lists

[perso/Immae/Config/Nix.git] / modules / private / websites / tools / peertube / default.nix

{ lib, pkgs, config,  ... }:
let
  env = config.myEnv.tools.peertube;
  cfg = config.myServices.websites.tools.peertube;
  pcfg = config.services.peertube;
in {
  options.myServices.websites.tools.peertube = {
    enable = lib.mkEnableOption "enable Peertube's website";
  };

  config = lib.mkIf cfg.enable {
    services.duplyBackup.profiles.peertube = {
      rootDir = pcfg.dataDir;
    };
    services.peertube = {
      enable = true;
      configFile = config.secrets.fullPaths."webapps/tools-peertube";
    };
    users.users.peertube.extraGroups = [ "keys" ];

    secrets.keys."webapps/tools-peertube" = {
      user = "peertube";
      group = "peertube";
      permissions = "0640";
      text = ''
        listen:
          hostname: 'localhost'
          port: ${toString config.myEnv.ports.peertube}
        webserver:
          https: true
          hostname: 'peertube.immae.eu'
          port: 443
        database:
          hostname: '${env.postgresql.socket}'
          port: 5432
          suffix: '_prod'
          username: '${env.postgresql.user}'
          password: '${env.postgresql.password}'
          pool:
            max: 5
        redis:
          socket: '${env.redis.socket}'
          auth: null
          db: ${env.redis.db}
        smtp:
          transport: sendmail
          sendmail: '/run/wrappers/bin/sendmail'
          from_address: 'peertube@tools.immae.eu'
        storage:
          tmp: '${pcfg.dataDir}/storage/tmp/'
          avatars: '${pcfg.dataDir}/storage/avatars/'
          videos: '${pcfg.dataDir}/storage/videos/'
          streaming_playlists: '${pcfg.dataDir}/storage/streaming-playlists/'
          redundancy: '${pcfg.dataDir}/storage/videos/'
          logs: '${pcfg.dataDir}/storage/logs/'
          previews: '${pcfg.dataDir}/storage/previews/'
          thumbnails: '${pcfg.dataDir}/storage/thumbnails/'
          torrents: '${pcfg.dataDir}/storage/torrents/'
          captions: '${pcfg.dataDir}/storage/captions/'
          cache: '${pcfg.dataDir}/storage/cache/'
          plugins: '${pcfg.dataDir}/storage/plugins/'
          client_overrides: '${pcfg.dataDir}/storage/client-overrides/'
        '';
    };

    services.websites.env.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    services.filesWatcher.peertube = {
      restart = true;
      paths = [ pcfg.configFile ];
    };

    services.websites.env.tools.vhostConfs.peertube = {
      certName    = "eldiron";
      addToCerts  = true;
      hosts       = [ "peertube.immae.eu" ];
      root        = null;
      extraConfig = [ ''
          RewriteEngine On

          RewriteCond %{REQUEST_URI}  ^/socket.io            [NC]
          RewriteCond %{QUERY_STRING} transport=websocket    [NC]
          RewriteRule /(.*)           ws://localhost:${toString env.listenPort}/$1 [P,NE,QSA,L]

          RewriteCond %{REQUEST_URI}  ^/tracker/socket       [NC]
          RewriteRule /(.*)           ws://localhost:${toString env.listenPort}/$1 [P,NE,QSA,L]

          ProxyPass /        http://localhost:${toString env.listenPort}/
          ProxyPassReverse / http://localhost:${toString env.listenPort}/

          ProxyPreserveHost On
          RequestHeader set X-Real-IP %{REMOTE_ADDR}s
      '' ];
    };
  };
}