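# NixOS module: PeerTube instance behind the shared "tools" Apache vhost.
#
# What it does:
#   - enables services.peertube with a custom package (LDAP + sendmail support),
#   - renders the PeerTube production YAML into a root-owned secret file
#     (database/redis/LDAP credentials are interpolated from config.myEnv),
#   - registers the data directory for duply backups,
#   - restarts PeerTube when the secret config file changes,
#   - wires an Apache reverse proxy (HTTP + WebSocket upgrade for socket.io and
#     the tracker) in front of the local listen port.
{ lib, pkgs, config, ... }:
let
  env = config.myEnv.tools.peertube;
  cfg = config.myServices.websites.tools.peertube;
  pcfg = config.services.peertube;
  # PeerTube's `listen.port` and the Apache proxy target are both derived from
  # this single binding so the two cannot drift apart. (Previously the proxy
  # side read `env.listenPort`; the port PeerTube actually binds is the one
  # written into the YAML below, so that is the authoritative value.)
  listenPort = config.myEnv.ports.peertube;
  # Path (relative to the secrets root) of the rendered PeerTube YAML.
  secretDest = "webapps/tools-peertube";
in
{
  options.myServices.websites.tools.peertube = {
    enable = lib.mkEnableOption "enable Peertube's website";
  };

  config = lib.mkIf cfg.enable {
    # Back up the whole PeerTube data directory (videos, thumbnails, logs, ...).
    services.duplyBackup.profiles.peertube = {
      rootDir = pcfg.dataDir;
    };

    services.peertube = {
      enable = true;
      # The config holds credentials, so it lives under the secrets tree rather
      # than in the world-readable Nix store.
      configFile = "/var/secrets/${secretDest}";
      package = pkgs.webapps.peertube.override {
        ldap = true;
        sendmail = true;
        light = "fr-FR";
      };
    };

    # Membership in "keys" is what lets the service user read /var/secrets.
    users.users.peertube.extraGroups = [ "keys" ];

    secrets.keys = [{
      dest = secretDest;
      user = "peertube";
      group = "peertube";
      # Owner read/write, group read, nothing for others: the file embeds the
      # PostgreSQL password and the LDAP bind password.
      permissions = "0640";
      text = ''
        listen:
          hostname: 'localhost'
          port: ${toString listenPort}

        webserver:
          https: true
          hostname: 'peertube.immae.eu'
          port: 443

        rates_limit:
          api:
            # 50 attempts in 10 seconds
            window: 10 seconds
            max: 50
          login:
            # 15 attempts in 5 min
            window: 5 minutes
            max: 15
          signup:
            # 2 attempts in 5 min (only succeeded attempts are taken into account)
            window: 5 minutes
            max: 2
          ask_send_email:
            # 3 attempts in 5 min
            window: 5 minutes
            max: 3

        # Only the local Apache proxy is trusted to supply client-IP headers;
        # anything else reaching the listen port is treated as the client itself.
        trust_proxy:
          - 'loopback'

        database:
          hostname: '${env.postgresql.socket}'
          port: 5432
          suffix: '_prod'
          username: '${env.postgresql.user}'
          password: '${env.postgresql.password}'
          pool:
            max: 5

        redis:
          socket: '${env.redis.socket}'
          auth: null
          db: ${env.redis.db}

        auth:
          local:
            enabled: true
          ldap:
            enabled: true
            # Local accounts stay usable alongside LDAP logins.
            ldap_only: false
            # ldaps:// keeps the bind password and user credentials off the wire in clear.
            url: ldaps://${env.ldap.host}/${env.ldap.base}
            bind_dn: ${env.ldap.dn}
            bind_password: ${env.ldap.password}
            base: ${env.ldap.base}
            mail_entry: "mail"
            user_filter: "${env.ldap.filter}"

        smtp:
          # Mail goes through the local sendmail wrapper; the host/port/tls
          # settings below are inert with this transport.
          transport: sendmail
          sendmail: '/run/wrappers/bin/sendmail'
          hostname: null
          port: 465 # If you use StartTLS: 587
          username: null
          password: null
          tls: true # If you use StartTLS: false
          disable_starttls: false
          ca_file: null # Used for self signed certificates
          from_address: 'peertube@tools.immae.eu'

        email:
          body:
            signature: "PeerTube"
          subject:
            prefix: "[PeerTube]"

        storage:
          tmp: '${pcfg.dataDir}/storage/tmp/'
          avatars: '${pcfg.dataDir}/storage/avatars/'
          videos: '${pcfg.dataDir}/storage/videos/'
          streaming_playlists: '${pcfg.dataDir}/storage/streaming-playlists/'
          redundancy: '${pcfg.dataDir}/storage/videos/'
          logs: '${pcfg.dataDir}/storage/logs/'
          previews: '${pcfg.dataDir}/storage/previews/'
          thumbnails: '${pcfg.dataDir}/storage/thumbnails/'
          torrents: '${pcfg.dataDir}/storage/torrents/'
          captions: '${pcfg.dataDir}/storage/captions/'
          cache: '${pcfg.dataDir}/storage/cache/'
          plugins: '${pcfg.dataDir}/storage/plugins/'

        log:
          level: 'info'
          rotation:
            enabled : true # Enabled by default, if disabled make sure that 'storage.logs' is pointing to a folder handled by logrotate
            maxFileSize: 12MB
            maxFiles: 20
          # Client IPs are logged unmasked; flip this if log retention policy requires it.
          anonymizeIP: false

        search:
          remote_uri:
            users: true
            anonymous: false

        trending:
          videos:
            interval_days: 7

        redundancy:
          videos:
            check_interval: '1 hour' # How often you want to check new videos to cache
            strategies: # Just uncomment strategies you want

        # NOTE(review): CSP is fully disabled here, so the browser gets no
        # Content-Security-Policy header at all. Enabling it in report_only mode
        # first would surface violations without breaking the UI.
        csp:
          enabled: false
          report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
          report_uri:

        tracker:
          enabled: true
          private: true
          reject_too_many_announces: false

        history:
          videos:
            max_age: -1

        views:
          videos:
            remote:
              max_age: -1

        plugins:
          index:
            enabled: true
            check_latest_versions_interval: '12 hours'
            url: 'https://packages.joinpeertube.org'

        # Following are saved in local-production.json
        cache:
          previews:
            size: 500 # Max number of previews you want to cache
          captions:
            size: 500 # Max number of video captions/subtitles you want to cache

        admin:
          email: 'peertube@tools.immae.eu'

        contact_form:
          enabled: true

        signup:
          enabled: false
          limit: 10
          requires_email_verification: false
          filters:
            cidr:
              whitelist: []
              blacklist: []

        user:
          video_quota: -1
          video_quota_daily: -1

        transcoding:
          enabled: false
          allow_additional_extensions: true
          allow_audio_files: true
          threads: 1
          resolutions:
            0p: false
            240p: false
            360p: false
            480p: true
            720p: true
            1080p: true
            2160p: false
          webtorrent:
            enabled: true
          hls:
            enabled: false

        import:
          videos:
            http:
              enabled: true
            torrent:
              enabled: false

        auto_blacklist:
          videos:
            of_users:
              enabled: false

        instance:
          name: 'Immae’s PeerTube'
          short_description: 'PeerTube, a federated (ActivityPub) video streaming platform using P2P (BitTorrent) directly in the web browser with WebTorrent and Angular.'
          description: '''
          terms: '''
          code_of_conduct: '''
          moderation_information: '''
          creation_reason: '''
          administrator: '''
          maintenance_lifetime: '''
          business_model: '''
          hardware_information: '''
          languages:
          categories:
          default_client_route: '/videos/trending'
          is_nsfw: false
          default_nsfw_policy: 'do_not_list'
          customizations:
            javascript: '''
            css: '''
          robots: |
            User-agent: *
            Disallow:
          # NOTE(review): the trailing "Contact: mailto:" carries no address, so the
          # published security.txt only points at the upstream SECURITY.md;
          # consider appending the instance's own contact address.
          securitytxt: "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"

        services:
          twitter:
            username: '@_immae'
            whitelisted: false

        followers:
          instance:
            enabled: true
            manual_approval: false

        followings:
          instance:
            auto_follow_back:
              enabled: false
            auto_follow_index:
              enabled: false
              index_url: 'https://instances.joinpeertube.org'

        theme:
          default: 'default'
      '';
    }];

    # Apache modules the vhost below relies on (proxy_wstunnel for the
    # WebSocket rewrites).
    services.websites.env.tools.modules = [
      "headers"
      "proxy"
      "proxy_http"
      "proxy_wstunnel"
    ];

    # The config file is generated outside the Nix store, so a change to it
    # would not otherwise trigger a service restart.
    services.filesWatcher.peertube = {
      restart = true;
      paths = [ pcfg.configFile ];
    };

    services.websites.env.tools.vhostConfs.peertube = {
      certName = "eldiron";
      addToCerts = true;
      hosts = [ "peertube.immae.eu" ];
      root = null;
      extraConfig = [
        ''
          RewriteEngine On
          # socket.io WebSocket upgrades must be proxied as ws://, not http://.
          RewriteCond %{REQUEST_URI} ^/socket.io [NC]
          RewriteCond %{QUERY_STRING} transport=websocket [NC]
          RewriteRule /(.*) ws://localhost:${toString listenPort}/$1 [P,NE,QSA,L]
          # Same for the built-in WebTorrent tracker.
          RewriteCond %{REQUEST_URI} ^/tracker/socket [NC]
          RewriteRule /(.*) ws://localhost:${toString listenPort}/$1 [P,NE,QSA,L]

          ProxyPass / http://localhost:${toString listenPort}/
          ProxyPassReverse / http://localhost:${toString listenPort}/
          ProxyPreserveHost On
          # Hand the real client address to PeerTube; it trusts this only because
          # trust_proxy above is limited to loopback.
          RequestHeader set X-Real-IP %{REMOTE_ADDR}s
        ''
      ];
    };
  };
}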