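# NixOS module for the PeerTube instance served at peertube.immae.eu.
#
# It declares the service user, the systemd unit, the secret production.yaml
# (PostgreSQL / Redis / LDAP settings and credentials come from
# `myconfig.env.tools.peertube`), the state directory under /var/lib, and the
# Apache reverse-proxy vhost in front of the loopback-only Node process.
{ lib, pkgs, config, myconfig, mylibs, ... }:
let
  # PeerTube package built with LDAP authentication support.
  peertube = pkgs.webapps.peertube.override { ldap = true; };
  # Mutable state (config symlink + media storage); everything else the
  # service touches is in the read-only store.
  varDir = "/var/lib/peertube";
  # Per-deployment values: uid/gid, listen port, DB/Redis sockets, LDAP and
  # database credentials.
  env = myconfig.env.tools.peertube;
  cfg = config.services.myWebsites.tools.peertube;
in {
  options.services.myWebsites.tools.peertube = {
    enable = lib.mkEnableOption "enable Peertube's website";
  };

  config = lib.mkIf cfg.enable {
    # Fixed uid/gid so ownership of ${varDir} is stable across rebuilds.
    ids.uids.peertube = env.user.uid;
    ids.gids.peertube = env.user.gid;

    # Dedicated unprivileged account; `keys` membership is what grants read
    # access to the deployed secret below.
    users.users.peertube = {
      name = "peertube";
      uid = config.ids.uids.peertube;
      group = "peertube";
      description = "Peertube user";
      home = varDir;
      useDefaultShell = true;
      extraGroups = [ "keys" ];
    };

    users.groups.peertube.gid = config.ids.gids.peertube;

    systemd.services.peertube = {
      description = "Peertube";
      wantedBy = [ "multi-user.target" ];
      # Only PostgreSQL is ordered here. The service also connects to Redis
      # through `env.redis.socket` (see production.yaml below) but declares no
      # ordering against the Redis unit; a start before Redis is up is only
      # recovered by `Restart = "always"` further down.
      after = [ "network.target" "postgresql.service" ];
      wants = [ "postgresql.service" ];

      # Configuration is read from ${varDir}/config, where the activation
      # script symlinks the secret production.yaml. HOME is the package's
      # store path, i.e. read-only; no writable home directory is created.
      environment.NODE_CONFIG_DIR = "${varDir}/config";
      environment.NODE_ENV = "production";
      environment.HOME = peertube;

      # Binaries PeerTube shells out to at runtime.
      path = [ pkgs.nodejs pkgs.bashInteractive pkgs.ffmpeg pkgs.openssl ];

      script = ''
        exec npm run start
      '';

      serviceConfig = {
        User = "peertube";
        Group = "peertube";
        WorkingDirectory = peertube;
        PrivateTmp = true;
        ProtectHome = true;
        ProtectControlGroups = true;
        # NOTE(review): NoNewPrivileges is not set. Mail is sent through the
        # setuid wrapper /run/wrappers/bin/sendmail (smtp.sendmail below),
        # which NoNewPrivileges would block, so the smtp transport must change
        # before that directive can be added. ProtectSystem=strict with
        # ReadWritePaths=${varDir} is another candidate; test it against the
        # PostgreSQL/Redis socket connections before enabling.
        Restart = "always";
        Type = "simple";
        TimeoutSec = 60;
      };

      unitConfig.RequiresMountsFor = varDir;
    };

    # production.yaml is deployed as a secret under /var/secrets (the
    # activation script below symlinks it into ${varDir}/config) because it
    # embeds the PostgreSQL password and the LDAP bind password. Readable by
    # peertube:peertube only (0640). NOTE(review): presumably `mySecrets`
    # writes `text` outside the world-readable store — verify in its module.
    #
    # The LDAP bind DN and password are single-quoted so that YAML-special
    # characters in the secret (`#`, `: `, a leading `@`, `*`, `&`, `!`, …)
    # cannot truncate or mis-parse the mapping; the database password was
    # already quoted the same way. A literal `'` inside a value would still
    # need to be doubled.
    mySecrets.keys = [{
      dest = "webapps/tools-peertube";
      user = "peertube";
      group = "peertube";
      permissions = "0640";
      text = ''
        listen:
          hostname: 'localhost'
          port: ${env.listenPort}
        webserver:
          https: true
          hostname: 'peertube.immae.eu'
          port: 443
        trust_proxy:
          - 'loopback'
        database:
          hostname: '${env.postgresql.socket}'
          port: 5432
          suffix: '_prod'
          username: '${env.postgresql.user}'
          password: '${env.postgresql.password}'
          pool:
            max: 5
        redis:
          socket: '${env.redis.socket}'
          auth: null
          db: ${env.redis.db_index}
        ldap:
          enable: true
          ldap_only: false
          url: ldaps://${env.ldap.host}/${env.ldap.base}
          bind_dn: '${env.ldap.dn}'
          bind_password: '${env.ldap.password}'
          base: ${env.ldap.base}
          mail_entry: "mail"
          user_filter: "${env.ldap.filter}"
        smtp:
          transport: sendmail
          sendmail: '/run/wrappers/bin/sendmail'
          hostname: null
          port: 465 # If you use StartTLS: 587
          username: null
          password: null
          tls: true # If you use StartTLS: false
          disable_starttls: false
          ca_file: null # Used for self signed certificates
          from_address: 'peertube@tools.immae.eu'
        storage:
          tmp: '${varDir}/storage/tmp/'
          avatars: '${varDir}/storage/avatars/'
          videos: '${varDir}/storage/videos/'
          redundancy: '${varDir}/storage/videos/'
          logs: '${varDir}/storage/logs/'
          previews: '${varDir}/storage/previews/'
          thumbnails: '${varDir}/storage/thumbnails/'
          torrents: '${varDir}/storage/torrents/'
          captions: '${varDir}/storage/captions/'
          cache: '${varDir}/storage/cache/'
        log:
          level: 'info'
        search:
          remote_uri:
            users: true
            anonymous: false
        trending:
          videos:
            interval_days: 7
        redundancy:
          videos:
            check_interval: '1 hour' # How often you want to check new videos to cache
            strategies: # Just uncomment strategies you want
        # Following are saved in local-production.json
        cache:
          previews:
            size: 500 # Max number of previews you want to cache
          captions:
            size: 500 # Max number of video captions/subtitles you want to cache
        admin:
          email: 'peertube@tools.immae.eu'
        contact_form:
          enabled: true
        signup:
          enabled: false
          limit: 10
          requires_email_verification: false
          filters:
            cidr:
              whitelist: []
              blacklist: []
        user:
          video_quota: -1
          video_quota_daily: -1
        transcoding:
          enabled: false
          allow_additional_extensions: true
          threads: 1
          resolutions:
            240p: false
            360p: false
            480p: true
            720p: true
            1080p: true
          hls:
            enabled: false
        import:
          videos:
            http:
              enabled: true
            torrent:
              enabled: false
        instance:
          name: 'Immae’s PeerTube'
          short_description: 'PeerTube, a federated (ActivityPub) video streaming platform using P2P (BitTorrent) directly in the web browser with WebTorrent and Angular.'
          description: '''
          terms: '''
          default_client_route: '/videos/trending'
          default_nsfw_policy: 'blur'
          customizations:
            javascript: '''
            css: '''
          robots: |
            User-agent: *
            Disallow:
          securitytxt:
            "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
        services:
          # You can provide a reporting endpoint for Content Security Policy violations
          csp-logger:
          twitter:
            username: '@_immae'
            whitelisted: false
      '';
    }];

    # Creates the state directory (0750, peertube:peertube — not group/world
    # readable since it holds the config symlink and uploaded media) and points
    # production.yaml at the deployed secret. `ln -sf` is idempotent across
    # activations; the link dangles until the secret has been deployed.
    system.activationScripts.peertube = {
      deps = [ "users" ];
      text = ''
        install -m 0750 -o peertube -g peertube -d ${varDir}
        install -m 0750 -o peertube -g peertube -d ${varDir}/config
        ln -sf /var/secrets/webapps/tools-peertube ${varDir}/config/production.yaml
      '';
    };

    # `headers` for RequestHeader, `proxy_wstunnel` for the ws:// backends.
    services.myWebsites.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    security.acme.certs."eldiron".extraDomains."peertube.immae.eu" = null;
    # TLS-terminating reverse proxy; PeerTube itself only listens on loopback.
    #
    # Apache checks ProxyPass rules in configuration order and the first match
    # wins, so the websocket endpoints must come before the catch-all `/`:
    # with `/` first, `/tracker/socket` and `/socket.io` were shadowed and
    # proxied as plain http instead of ws.
    #
    # X-Real-IP carries the client address; PeerTube's `trust_proxy: loopback`
    # in production.yaml is what restricts who may set it to this local Apache.
    services.myWebsites.tools.vhostConfs.peertube = {
      certName = "eldiron";
      hosts = [ "peertube.immae.eu" ];
      root = null;
      extraConfig = [ ''
        ProxyPreserveHost On
        RequestHeader set X-Real-IP %{REMOTE_ADDR}s

        ProxyPass /tracker/socket ws://127.0.0.1:${env.listenPort}/tracker/socket
        ProxyPassReverse /tracker/socket ws://127.0.0.1:${env.listenPort}/tracker/socket

        ProxyPass /socket.io ws://127.0.0.1:${env.listenPort}/socket.io
        ProxyPassReverse /socket.io ws://127.0.0.1:${env.listenPort}/socket.io

        ProxyPass / http://localhost:${env.listenPort}/
        ProxyPassReverse / http://localhost:${env.listenPort}/
      '' ];
    };
  };
}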