git.immae.eu Git - perso/Immae/Config/Nix.git/blame - modules/private/websites/tools/peertube/default.nix
Upgrade peertube to latest version
# NixOS module that runs a PeerTube instance behind the Apache "tools" vhost.
# It enables the peertube service, registers a backup profile for its data
# directory, renders PeerTube's YAML configuration as a secret file, and
# declares the reverse-proxy rules for peertube.immae.eu.
{ lib, pkgs, config, ... }:
let
  # Site-specific values for this tool (PostgreSQL, Redis and LDAP settings,
  # listen port), read from the global environment description.
  env = config.myEnv.tools.peertube;
  # Options declared by this module.
  cfg = config.myServices.websites.tools.peertube;
  # Configuration of the underlying peertube service (dataDir, configFile).
  pcfg = config.services.peertube;
in {
  options.myServices.websites.tools.peertube = {
    enable = lib.mkEnableOption "enable Peertube's website";
  };

  config = lib.mkIf cfg.enable {
    # Back up the whole PeerTube data directory.
    services.duplyBackup.profiles.peertube = {
      rootDir = pcfg.dataDir;
    };
    services.peertube = {
      enable = true;
      # Presumably the path where the secret declared below
      # (dest = "webapps/tools-peertube") is rendered -- confirm against the
      # secrets module.
      configFile = "/var/secrets/webapps/tools-peertube";
      # Package built with the ldap, sendmail and light overrides; the YAML
      # below relies on the first two (auth.ldap, smtp.transport: sendmail).
      package = pkgs.webapps.peertube.override { ldap = true; sendmail = true; light = "fr-FR"; };
    };
    # Presumably needed so the peertube user can reach files under the secrets
    # directory -- confirm against the secrets module.
    users.users.peertube.extraGroups = [ "keys" ];

    # PeerTube configuration file. It embeds the PostgreSQL password and the
    # LDAP bind password in clear text, so it is owned by peertube:peertube
    # with mode 0640 (no access for other users).
    #
    # NOTE(review): `text` is assembled by string interpolation at evaluation
    # time; confirm the secrets module delivers it outside the world-readable
    # Nix store.
    # NOTE(review): the interpolated values are spliced into the YAML verbatim,
    # with no escaping. bind_dn and bind_password are unquoted scalars and the
    # database password sits inside single quotes, so a value containing a
    # quote, '#' or ': ' would change how the file parses.
    # NOTE(review): listen.port is read from config.myEnv.ports.peertube while
    # the vhost below proxies to env.listenPort; confirm both resolve to the
    # same port.
    #
    # Settings a security reviewer will want to know about:
    #   - listen.hostname is 'localhost' and trust_proxy is 'loopback': the
    #     application is only addressed through the local reverse proxy, and
    #     forwarded client addresses are trusted only from loopback.
    #   - auth.ldap.url uses the ldaps:// scheme; local accounts stay enabled
    #     next to LDAP (ldap_only: false); public signup is disabled.
    #   - csp.enabled is false, so PeerTube's Content-Security-Policy
    #     directives are not applied.
    #   - log.anonymizeIP is false, so client addresses are logged unmodified.
    #
    # Inside a Nix indented string, ''' is the escape for two single quotes,
    # so `description: '''` renders as an empty YAML string.
    secrets.keys = [{
      dest = "webapps/tools-peertube";
      user = "peertube";
      group = "peertube";
      permissions = "0640";
      text = ''
        listen:
          hostname: 'localhost'
          port: ${toString config.myEnv.ports.peertube}
        webserver:
          https: true
          hostname: 'peertube.immae.eu'
          port: 443
        rates_limit:
          api:
            # 50 attempts in 10 seconds
            window: 10 seconds
            max: 50
          login:
            # 15 attempts in 5 min
            window: 5 minutes
            max: 15
          signup:
            # 2 attempts in 5 min (only succeeded attempts are taken into account)
            window: 5 minutes
            max: 2
          ask_send_email:
            # 3 attempts in 5 min
            window: 5 minutes
            max: 3
        trust_proxy:
          - 'loopback'
        database:
          hostname: '${env.postgresql.socket}'
          port: 5432
          suffix: '_prod'
          username: '${env.postgresql.user}'
          password: '${env.postgresql.password}'
          pool:
            max: 5
        redis:
          socket: '${env.redis.socket}'
          auth: null
          db: ${env.redis.db}
        auth:
          local:
            enabled: true
          ldap:
            enabled: true
            ldap_only: false
            url: ldaps://${env.ldap.host}/${env.ldap.base}
            bind_dn: ${env.ldap.dn}
            bind_password: ${env.ldap.password}
            base: ${env.ldap.base}
            mail_entry: "mail"
            user_filter: "${env.ldap.filter}"
        smtp:
          transport: sendmail
          sendmail: '/run/wrappers/bin/sendmail'
          hostname: null
          port: 465 # If you use StartTLS: 587
          username: null
          password: null
          tls: true # If you use StartTLS: false
          disable_starttls: false
          ca_file: null # Used for self signed certificates
          from_address: 'peertube@tools.immae.eu'
        email:
          body:
            signature: "PeerTube"
          subject:
            prefix: "[PeerTube]"
        storage:
          tmp: '${pcfg.dataDir}/storage/tmp/'
          avatars: '${pcfg.dataDir}/storage/avatars/'
          videos: '${pcfg.dataDir}/storage/videos/'
          streaming_playlists: '${pcfg.dataDir}/storage/streaming-playlists/'
          redundancy: '${pcfg.dataDir}/storage/videos/'
          logs: '${pcfg.dataDir}/storage/logs/'
          previews: '${pcfg.dataDir}/storage/previews/'
          thumbnails: '${pcfg.dataDir}/storage/thumbnails/'
          torrents: '${pcfg.dataDir}/storage/torrents/'
          captions: '${pcfg.dataDir}/storage/captions/'
          cache: '${pcfg.dataDir}/storage/cache/'
          plugins: '${pcfg.dataDir}/storage/plugins/'
        log:
          level: 'info'
          rotation:
            enabled : true # Enabled by default, if disabled make sure that 'storage.logs' is pointing to a folder handled by logrotate
            maxFileSize: 12MB
            maxFiles: 20
          anonymizeIP: false
        search:
          remote_uri:
            users: true
            anonymous: false
        trending:
          videos:
            interval_days: 7
        redundancy:
          videos:
            check_interval: '1 hour' # How often you want to check new videos to cache
            strategies: # Just uncomment strategies you want
        csp:
          enabled: false
          report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
          report_uri:
        tracker:
          enabled: true
          private: true
          reject_too_many_announces: false
        history:
          videos:
            max_age: -1
        views:
          videos:
            remote:
              max_age: -1
        plugins:
          index:
            enabled: true
            check_latest_versions_interval: '12 hours'
            url: 'https://packages.joinpeertube.org'
        # Following are saved in local-production.json
        cache:
          previews:
            size: 500 # Max number of previews you want to cache
          captions:
            size: 500 # Max number of video captions/subtitles you want to cache
        admin:
          email: 'peertube@tools.immae.eu'
        contact_form:
          enabled: true
        signup:
          enabled: false
          limit: 10
          requires_email_verification: false
          filters:
            cidr:
              whitelist: []
              blacklist: []
        user:
          video_quota: -1
          video_quota_daily: -1
        transcoding:
          enabled: false
          allow_additional_extensions: true
          allow_audio_files: true
          threads: 1
          resolutions:
            0p: false
            240p: false
            360p: false
            480p: true
            720p: true
            1080p: true
            2160p: false
          webtorrent:
            enabled: true
          hls:
            enabled: false
        import:
          videos:
            http:
              enabled: true
            torrent:
              enabled: false
        auto_blacklist:
          videos:
            of_users:
              enabled: false
        instance:
          name: 'Immae’s PeerTube'
          short_description: 'PeerTube, a federated (ActivityPub) video streaming platform using P2P (BitTorrent) directly in the web browser with WebTorrent and Angular.'
          description: '''
          terms: '''
          code_of_conduct: '''
          moderation_information: '''
          creation_reason: '''
          administrator: '''
          maintenance_lifetime: '''
          business_model: '''
          hardware_information: '''
          languages:
          categories:
          default_client_route: '/videos/trending'
          is_nsfw: false
          default_nsfw_policy: 'do_not_list'
          customizations:
            javascript: '''
            css: '''
          robots: |
            User-agent: *
            Disallow:
          securitytxt:
            "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
        services:
          twitter:
            username: '@_immae'
            whitelisted: false
        followers:
          instance:
            enabled: true
            manual_approval: false
        followings:
          instance:
            auto_follow_back:
              enabled: false
            auto_follow_index:
              enabled: false
              index_url: 'https://instances.joinpeertube.org'
        theme:
          default: 'default'
      '';
    }];

    # Apache modules used by the vhost below: header rewriting, HTTP reverse
    # proxying and WebSocket tunnelling.
    services.websites.env.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    # Watches the PeerTube configuration file with restart = true; presumably
    # this restarts the service when the rendered secret changes -- confirm
    # against the filesWatcher module.
    services.filesWatcher.peertube = {
      restart = true;
      paths = [ pcfg.configFile ];
    };

    # Reverse-proxy vhost for peertube.immae.eu. Requests to /socket.io that
    # ask for the websocket transport, and requests to /tracker/socket, are
    # proxied with the ws:// scheme; everything else goes through
    # ProxyPass/ProxyPassReverse over plain HTTP. All targets are localhost,
    # so the unencrypted hop stays on the machine.
    # ProxyPreserveHost keeps the client's Host header for the backend.
    # `RequestHeader set` replaces any X-Real-IP value sent by the client with
    # the address Apache saw, so the header cannot be supplied from outside.
    services.websites.env.tools.vhostConfs.peertube = {
      certName = "eldiron";
      addToCerts = true;
      hosts = [ "peertube.immae.eu" ];
      root = null;
      extraConfig = [ ''
          RewriteEngine On

          RewriteCond %{REQUEST_URI} ^/socket.io [NC]
          RewriteCond %{QUERY_STRING} transport=websocket [NC]
          RewriteRule /(.*) ws://localhost:${toString env.listenPort}/$1 [P,NE,QSA,L]

          RewriteCond %{REQUEST_URI} ^/tracker/socket [NC]
          RewriteRule /(.*) ws://localhost:${toString env.listenPort}/$1 [P,NE,QSA,L]

          ProxyPass / http://localhost:${toString env.listenPort}/
          ProxyPassReverse / http://localhost:${toString env.listenPort}/

          ProxyPreserveHost On
          RequestHeader set X-Real-IP %{REMOTE_ADDR}s
      '' ];
    };
  };
}