From 4a65e38be86fb755b0ab57027b0d3b7d28c9b096 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?=
Date: Mon, 15 Apr 2019 01:42:17 +0200
Subject: [PATCH] Move peertube configuration to secure location

Related issue: https://git.immae.eu/mantisbt/view.php?id=122
---
 .../websites/tools/peertube/default.nix | 18 +-
 .../websites/tools/peertube/peertube.nix | 250 +++++++++---------
 2 files changed, 138 insertions(+), 130 deletions(-)

diff --git a/nixops/modules/websites/tools/peertube/default.nix b/nixops/modules/websites/tools/peertube/default.nix
index c4f3817..dbdeb76 100644
--- a/nixops/modules/websites/tools/peertube/default.nix
+++ b/nixops/modules/websites/tools/peertube/default.nix
@@ -29,8 +29,8 @@ in {
 systemd.services.peertube = {
 description = "Peertube";
 wantedBy = [ "multi-user.target" ];
- after = [ "network.target" "postgresql.service" ];
- wants = [ "postgresql.service" ];
+ after = [ "network.target" "postgresql.service" "tools-peertube-key.service" ];
+ wants = [ "postgresql.service" "tools-peertube-key.service" ];
 environment.NODE_CONFIG_DIR = "${peertube.varDir}/config";
 environment.NODE_ENV = "production";
@@ -57,12 +57,20 @@ in {
 unitConfig.RequiresMountsFor = peertube.varDir;
 };
+ deployment.keys.tools-peertube = {
+ destDir = "/run/keys/webapps";
+ user = "peertube";
+ group = "peertube";
+ permissions = "0700";
+ text = peertube.config;
+ };
+
 system.activationScripts.peertube = {
 deps = [ "users" ];
 text = ''
- install -m 0755 -o peertube -g peertube -d ${peertube.varDir}
- install -m 0755 -o peertube -g peertube -d ${peertube.varDir}/config
- install -m 0644 -o peertube -g peertube -T ${peertube.config} ${peertube.varDir}/config/production.yaml
+ install -m 0750 -o peertube -g peertube -d ${peertube.varDir}
+ install -m 0750 -o peertube -g peertube -d ${peertube.varDir}/config
+ install -m 0640 -o peertube -g peertube -T /run/keys/webapps/tools-peertube ${peertube.varDir}/config/production.yaml
 '';
 };
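Review bot: The new `after`/`wants` entries for `tools-peertube-key.service` only order the peertube unit, while the read of `/run/keys/webapps/tools-peertube` happens in `system.activationScripts.peertube` (second hunk of this file), which runs during activation and is not covered by systemd ordering. As far as I know NixOps does not persist `/run/keys` across reboots and repopulates it only on `nixops send-keys`, so at boot the activation script's `install -T` would find the source missing and fail, and the unit would then start against whatever copy is already in `${peertube.varDir}/config`. Moving the copy into the unit keeps it behind the key dependency, e.g. `preStart = "install -m 0640 -o peertube -g peertube -T /run/keys/webapps/tools-peertube ${peertube.varDir}/config/production.yaml";` in place of the activation-script line. The enclosing `systemd.services.peertube` attribute set starts outside the hunk.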
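Review bot: The 0640 copy at `${peertube.varDir}/config/production.yaml` is a persistent plaintext copy of the key, so the database and LDAP passwords in `peertube.config` still live on disk outside `/run/keys` after this change, and the key's `permissions = "0700"` does not carry over to it. If the service can read the key in place, pointing `environment.NODE_CONFIG_DIR` at a key-only directory would avoid the copy entirely; otherwise the copy should be documented as an intentional persistent secret, e.g. `# production.yaml holds the DB/LDAP credentials; kept in varDir because NODE_CONFIG_DIR must contain production.yaml`. Also, `0700` on a regular file grants an execute bit the config does not need; `permissions = "0600";` expresses the intent more precisely.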
diff --git a/nixops/modules/websites/tools/peertube/peertube.nix b/nixops/modules/websites/tools/peertube/peertube.nix
index ba49e2b..d2be5b6 100644
--- a/nixops/modules/websites/tools/peertube/peertube.nix
+++ b/nixops/modules/websites/tools/peertube/peertube.nix
@@ -57,133 +57,133 @@ let
 '';
 buildInputs = [ pkgs.yarn pkgs.git pkgs.python ];
 };
- config = writeText "production.yaml" ''
- listen:
- hostname: 'localhost'
- port: ${env.listenPort}
- webserver:
- https: true
- hostname: 'peertube.immae.eu'
- port: 443
- trust_proxy:
- - 'loopback'
- database:
- hostname: '${env.postgresql.socket}'
- port: 5432
- suffix: '_prod'
- username: '${env.postgresql.user}'
- password: '${env.postgresql.password}'
- pool:
- max: 5
- redis:
- socket: '${env.redis.socket}'
- auth: null
- db: ${env.redis.db_index}
- ldap:
- enable: true
- ldap_only: false
- url: ldaps://${env.ldap.host}/${env.ldap.base}
- bind_dn: ${env.ldap.dn}
- bind_password: ${env.ldap.password}
- base: ${env.ldap.base}
- mail_entry: "mail"
- user_filter: "${env.ldap.filter}"
- smtp:
- transport: sendmail
- sendmail: '/run/wrappers/bin/sendmail'
- hostname: null
- port: 465 # If you use StartTLS: 587
- username: null
- password: null
- tls: true # If you use StartTLS: false
- disable_starttls: false
- ca_file: null # Used for self signed certificates
- from_address: 'peertube@tools.immae.eu'
- storage:
- tmp: '${varDir}/storage/tmp/'
- avatars: '${varDir}/storage/avatars/'
- videos: '${varDir}/storage/videos/'
- redundancy: '${varDir}/storage/videos/'
- logs: '${varDir}/storage/logs/'
- previews: '${varDir}/storage/previews/'
- thumbnails: '${varDir}/storage/thumbnails/'
- torrents: '${varDir}/storage/torrents/'
- captions: '${varDir}/storage/captions/'
- cache: '${varDir}/storage/cache/'
- log:
- level: 'info'
- search:
- remote_uri:
- users: true
- anonymous: false
- trending:
- videos:
- interval_days: 7
- redundancy:
- videos:
- check_interval: '1 hour' # How often you want to check new videos to cache
- strategies: # Just uncomment strategies you want
- # Following are saved in local-production.json
- cache:
- previews:
- size: 500 # Max number of previews you want to cache
- captions:
- size: 500 # Max number of video captions/subtitles you want to cache
- admin:
- email: 'peertube@tools.immae.eu'
- contact_form:
+ config = ''
+ listen:
+ hostname: 'localhost'
+ port: ${env.listenPort}
+ webserver:
+ https: true
+ hostname: 'peertube.immae.eu'
+ port: 443
+ trust_proxy:
+ - 'loopback'
+ database:
+ hostname: '${env.postgresql.socket}'
+ port: 5432
+ suffix: '_prod'
+ username: '${env.postgresql.user}'
+ password: '${env.postgresql.password}'
+ pool:
+ max: 5
+ redis:
+ socket: '${env.redis.socket}'
+ auth: null
+ db: ${env.redis.db_index}
+ ldap:
+ enable: true
+ ldap_only: false
+ url: ldaps://${env.ldap.host}/${env.ldap.base}
+ bind_dn: ${env.ldap.dn}
+ bind_password: ${env.ldap.password}
+ base: ${env.ldap.base}
+ mail_entry: "mail"
+ user_filter: "${env.ldap.filter}"
+ smtp:
+ transport: sendmail
+ sendmail: '/run/wrappers/bin/sendmail'
+ hostname: null
+ port: 465 # If you use StartTLS: 587
+ username: null
+ password: null
+ tls: true # If you use StartTLS: false
+ disable_starttls: false
+ ca_file: null # Used for self signed certificates
+ from_address: 'peertube@tools.immae.eu'
+ storage:
+ tmp: '${varDir}/storage/tmp/'
+ avatars: '${varDir}/storage/avatars/'
+ videos: '${varDir}/storage/videos/'
+ redundancy: '${varDir}/storage/videos/'
+ logs: '${varDir}/storage/logs/'
+ previews: '${varDir}/storage/previews/'
+ thumbnails: '${varDir}/storage/thumbnails/'
+ torrents: '${varDir}/storage/torrents/'
+ captions: '${varDir}/storage/captions/'
+ cache: '${varDir}/storage/cache/'
+ log:
+ level: 'info'
+ search:
+ remote_uri:
+ users: true
+ anonymous: false
+ trending:
+ videos:
+ interval_days: 7
+ redundancy:
+ videos:
+ check_interval: '1 hour' # How often you want to check new videos to cache
+ strategies: # Just uncomment strategies you want
+ # Following are saved in local-production.json
+ cache:
+ previews:
+ size: 500 # Max number of previews you want to cache
+ captions:
+ size: 500 # Max number of video captions/subtitles you want to cache
+ admin:
+ email: 'peertube@tools.immae.eu'
+ contact_form:
+ enabled: true
+ signup:
+ enabled: false
+ limit: 10
+ requires_email_verification: false
+ filters:
+ cidr:
+ whitelist: []
+ blacklist: []
+ user:
+ video_quota: -1
+ video_quota_daily: -1
+ transcoding:
+ enabled: false
+ allow_additional_extensions: true
+ threads: 1
+ resolutions:
+ 240p: false
+ 360p: false
+ 480p: true
+ 720p: true
+ 1080p: true
+ hls:
+ enabled: false
+ import:
+ videos:
+ http:
 enabled: true
- signup:
+ torrent:
 enabled: false
- limit: 10
- requires_email_verification: false
- filters:
- cidr:
- whitelist: []
- blacklist: []
- user:
- video_quota: -1
- video_quota_daily: -1
- transcoding:
- enabled: false
- allow_additional_extensions: true
- threads: 1
- resolutions:
- 240p: false
- 360p: false
- 480p: true
- 720p: true
- 1080p: true
- hls:
- enabled: false
- import:
- videos:
- http:
- enabled: true
- torrent:
- enabled: false
- instance:
- name: 'Immae’s PeerTube'
- short_description: 'PeerTube, a federated (ActivityPub) video streaming platform using P2P (BitTorrent) directly in the web browser with WebTorrent and Angular.'
- description: '''
- terms: '''
- default_client_route: '/videos/trending'
- default_nsfw_policy: 'blur'
- customizations:
- javascript: '''
- css: '''
- robots: |
- User-agent: *
- Disallow:
- securitytxt:
- "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
- services:
- # You can provide a reporting endpoint for Content Security Policy violations
- csp-logger:
- twitter:
- username: '@_immae'
- whitelisted: false
- '';
+ instance:
+ name: 'Immae’s PeerTube'
+ short_description: 'PeerTube, a federated (ActivityPub) video streaming platform using P2P (BitTorrent) directly in the web browser with WebTorrent and Angular.'
+ description: '''
+ terms: '''
+ default_client_route: '/videos/trending'
+ default_nsfw_policy: 'blur'
+ customizations:
+ javascript: '''
+ css: '''
+ robots: |
+ User-agent: *
+ Disallow:
+ securitytxt:
+ "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
+ services:
+ # You can provide a reporting endpoint for Content Security Policy violations
+ csp-logger:
+ twitter:
+ username: '@_immae'
+ whitelisted: false
+ '';
 in {
 inherit varDir webappDir config listenPort;
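Review bot: Dropping `writeText "production.yaml"` stops new generations from writing the database and LDAP passwords into the world-readable Nix store, but every earlier generation's `production.yaml` store path stays readable on each deployed host until it is garbage-collected, so rotating `env.postgresql.password` and `env.ldap.password` belongs with this change rather than after it. Separately, the re-added `bind_dn: ${env.ldap.dn}` and `bind_password: ${env.ldap.password}` are unquoted YAML scalars while the PostgreSQL `password` is single-quoted; a value containing `: ` or ` #` would silently change the document's structure, so quoting them the same way, `bind_password: '${env.ldap.password}'`, keeps the two credentials consistent. The `let` block holding this `config` binding starts outside the hunk.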