Pre-generate certificates with acme
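# NixOS module for the PeerTube instance served at peertube.immae.eu.
#
# It enables services.peertube with an LDAP-capable package, generates the
# PeerTube YAML configuration as a secret file (it embeds database and LDAP
# credentials), and declares the reverse-proxy vhost plus the ACME domain.
#
# Module arguments:
#   lib, pkgs, config - the usual NixOS module arguments
#   myconfig          - site-specific settings; only myconfig.env.tools.peertube
#                       is read here
{ lib, pkgs, config, myconfig, ... }:
let
  # Deployment-specific values for this instance (listen port, postgres/redis
  # sockets and credentials, LDAP bind settings).
  env = myconfig.env.tools.peertube;
  cfg = config.services.myWebsites.tools.peertube;
  pcfg = config.services.peertube;
  # Render a secret as a YAML scalar. A JSON string is a valid YAML
  # double-quoted scalar, so builtins.toJSON produces correct quoting and
  # escaping whatever the secret contains ('#', ':', quotes, backslashes,
  # leading digits). Splicing it bare or inside '...' would yield an invalid
  # config, or a silently different value (e.g. a numeric-looking password
  # parsed as an integer).
  yamlScalar = builtins.toJSON;
in {
  options.services.myWebsites.tools.peertube = {
    enable = lib.mkEnableOption "enable Peertube's website";
  };

  config = lib.mkIf cfg.enable {
    services.peertube = {
      enable = true;
      # The generated configuration carries credentials, so it is deployed
      # through the secrets mechanism below instead of the Nix store.
      configFile = "/var/secrets/webapps/tools-peertube";
      package = pkgs.webapps.peertube.override { ldap = true; };
    };
    # NOTE(review): presumably grants read access to the deployed secret
    # file — confirm against the secrets module.
    users.users.peertube.extraGroups = [ "keys" ];

    secrets.keys = [{
      dest = "webapps/tools-peertube";
      user = "peertube";
      group = "peertube";
      # Owner read/write, group read, nothing for others: the file holds the
      # database password and the LDAP bind password.
      permissions = "0640";
      # PeerTube production YAML. Values under instance.* that read ''' are
      # Nix's escape for '' and become empty single-quoted YAML strings.
      text = ''
        listen:
          hostname: 'localhost'
          port: ${env.listenPort}
        webserver:
          https: true
          hostname: 'peertube.immae.eu'
          port: 443
        trust_proxy:
          - 'loopback'
        database:
          hostname: '${env.postgresql.socket}'
          port: 5432
          suffix: '_prod'
          username: '${env.postgresql.user}'
          password: ${yamlScalar env.postgresql.password}
          pool:
            max: 5
        redis:
          socket: '${env.redis.socket}'
          auth: null
          db: ${env.redis.db_index}
        ldap:
          enable: true
          ldap_only: false
          url: ldaps://${env.ldap.host}/${env.ldap.base}
          bind_dn: ${env.ldap.dn}
          bind_password: ${yamlScalar env.ldap.password}
          base: ${env.ldap.base}
          mail_entry: "mail"
          user_filter: "${env.ldap.filter}"
        smtp:
          transport: sendmail
          sendmail: '/run/wrappers/bin/sendmail'
          hostname: null
          port: 465 # If you use StartTLS: 587
          username: null
          password: null
          tls: true # If you use StartTLS: false
          disable_starttls: false
          ca_file: null # Used for self signed certificates
          from_address: 'peertube@tools.immae.eu'
        storage:
          tmp: '${pcfg.dataDir}/storage/tmp/'
          avatars: '${pcfg.dataDir}/storage/avatars/'
          videos: '${pcfg.dataDir}/storage/videos/'
          redundancy: '${pcfg.dataDir}/storage/videos/'
          logs: '${pcfg.dataDir}/storage/logs/'
          previews: '${pcfg.dataDir}/storage/previews/'
          thumbnails: '${pcfg.dataDir}/storage/thumbnails/'
          torrents: '${pcfg.dataDir}/storage/torrents/'
          captions: '${pcfg.dataDir}/storage/captions/'
          cache: '${pcfg.dataDir}/storage/cache/'
        log:
          level: 'info'
        search:
          remote_uri:
            users: true
            anonymous: false
        trending:
          videos:
            interval_days: 7
        redundancy:
          videos:
            check_interval: '1 hour' # How often you want to check new videos to cache
            strategies: # Just uncomment strategies you want
        # Following are saved in local-production.json
        cache:
          previews:
            size: 500 # Max number of previews you want to cache
          captions:
            size: 500 # Max number of video captions/subtitles you want to cache
        admin:
          email: 'peertube@tools.immae.eu'
        contact_form:
          enabled: true
        signup:
          enabled: false
          limit: 10
          requires_email_verification: false
          filters:
            cidr:
              whitelist: []
              blacklist: []
        user:
          video_quota: -1
          video_quota_daily: -1
        transcoding:
          enabled: false
          allow_additional_extensions: true
          threads: 1
          resolutions:
            240p: false
            360p: false
            480p: true
            720p: true
            1080p: true
          hls:
            enabled: false
        import:
          videos:
            http:
              enabled: true
            torrent:
              enabled: false
        instance:
          name: 'Immae’s PeerTube'
          short_description: 'PeerTube, a federated (ActivityPub) video streaming platform using P2P (BitTorrent) directly in the web browser with WebTorrent and Angular.'
          description: '''
          terms: '''
          default_client_route: '/videos/trending'
          default_nsfw_policy: 'blur'
          customizations:
            javascript: '''
            css: '''
          robots: |
            User-agent: *
            Disallow:
          securitytxt:
            "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
        services:
          # You can provide a reporting endpoint for Content Security Policy violations
          csp-logger:
          twitter:
            username: '@_immae'
            whitelisted: false
      '';
    }];

    # Proxy modules needed by the vhost directives below (HTTP and WebSocket
    # proxying, plus RequestHeader).
    services.myWebsites.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    # Add this host to the shared "eldiron" certificate referenced by certName.
    security.acme.certs."eldiron".extraDomains."peertube.immae.eu" = null;
    services.myWebsites.tools.vhostConfs.peertube = {
      certName = "eldiron";
      hosts = [ "peertube.immae.eu" ];
      root = null;
      # socket.io websocket upgrades and the tracker socket are proxied over
      # ws://, everything else over plain http to the loopback listener.
      # X-Real-IP carries the client address; trust_proxy 'loopback' in the
      # YAML above is what lets PeerTube accept proxy-supplied addresses
      # (presumably X-Forwarded-For, which mod_proxy adds — verify).
      extraConfig = [ ''
        RewriteEngine On

        RewriteCond %{REQUEST_URI} ^/socket.io [NC]
        RewriteCond %{QUERY_STRING} transport=websocket [NC]
        RewriteRule /(.*) ws://localhost:${env.listenPort}/$1 [P,NE,QSA,L]

        RewriteCond %{REQUEST_URI} ^/tracker/socket [NC]
        RewriteRule /(.*) ws://localhost:${env.listenPort}/$1 [P,NE,QSA,L]

        ProxyPass / http://localhost:${env.listenPort}/
        ProxyPassReverse / http://localhost:${env.listenPort}/

        ProxyPreserveHost On
        RequestHeader set X-Real-IP %{REMOTE_ADDR}s
      '' ];
    };
  };
}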