From f3a8fab524e384e0b5cad3df6506a27b2f405ebc Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?=
Date: Thu, 9 May 2019 10:55:01 +0200
Subject: [PATCH] Add peertube (impure) derivation to pkgs
---
 nixops/modules/websites/default.nix | 2 +-
 nixops/modules/websites/tools/peertube.nix | 225 ++++++++++++++++++
 .../websites/tools/peertube/default.nix | 101 --------
 .../websites/tools/peertube/peertube.nix | 190 ---------------
 pkgs/impure/peertube/default.nix | 58 +++++
 .../tools => pkgs/impure}/peertube/ldap.patch | 0
 .../impure}/peertube/ldap_yarn.patch | 0
 .../impure}/peertube/peertube.json | 0
 .../impure}/peertube/sendmail.patch | 0
 .../impure}/peertube/yarn-packages.nix | 0
 pkgs/webapps/default.nix | 1 +
 11 files changed, 285 insertions(+), 292 deletions(-)
 create mode 100644 nixops/modules/websites/tools/peertube.nix
 delete mode 100644 nixops/modules/websites/tools/peertube/default.nix
 delete mode 100644 nixops/modules/websites/tools/peertube/peertube.nix
 create mode 100644 pkgs/impure/peertube/default.nix
 rename {nixops/modules/websites/tools => pkgs/impure}/peertube/ldap.patch (100%)
 rename {nixops/modules/websites/tools => pkgs/impure}/peertube/ldap_yarn.patch (100%)
 rename {nixops/modules/websites/tools => pkgs/impure}/peertube/peertube.json (100%)
 rename {nixops/modules/websites/tools => pkgs/impure}/peertube/sendmail.patch (100%)
 rename {nixops/modules/websites/tools => pkgs/impure}/peertube/yarn-packages.nix (100%)
diff --git a/nixops/modules/websites/default.nix b/nixops/modules/websites/default.nix
index e40c8f4..555e780 100644
--- a/nixops/modules/websites/default.nix
+++ b/nixops/modules/websites/default.nix
@@ -130,7 +130,7 @@ in
 ./tools/mediagoblin.nix
 ./tools/diaspora.nix
 ./tools/ether.nix
- ./tools/peertube
+ ./tools/peertube.nix
 # built using:
 # sed -e "s/services\.httpd/services\.httpdProd/g" .nix-defexpr/channels/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix
 # Removed allGranted
diff --git a/nixops/modules/websites/tools/peertube.nix b/nixops/modules/websites/tools/peertube.nix
new file mode 100644
index 0000000..e15f638
--- /dev/null
+++ b/nixops/modules/websites/tools/peertube.nix
@@ -0,0 +1,225 @@
+{ lib, pkgs, config, myconfig, mylibs, ... }:
+let
+ peertube = pkgs.webapps.peertube;
+ varDir = "/var/lib/peertube";
+ env = myconfig.env.tools.peertube;
+ cfg = config.services.myWebsites.tools.peertube;
+in {
+ options.services.myWebsites.tools.peertube = {
+ enable = lib.mkEnableOption "enable Peertube's website";
+ };
+
+ config = lib.mkIf cfg.enable {
+ ids.uids.peertube = env.user.uid;
+ ids.gids.peertube = env.user.gid;
+
+ users.users.peertube = {
+ name = "peertube";
+ uid = config.ids.uids.peertube;
+ group = "peertube";
+ description = "Peertube user";
+ home = varDir;
+ useDefaultShell = true;
+ extraGroups = [ "keys" ];
+ };
+
+ users.groups.peertube.gid = config.ids.gids.peertube;
+
+ systemd.services.peertube = {
+ description = "Peertube";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" "postgresql.service" ];
+ wants = [ "postgresql.service" ];
+
+ environment.NODE_CONFIG_DIR = "${varDir}/config";
+ environment.NODE_ENV = "production";
+ environment.HOME = peertube;
+
+ path = [ pkgs.nodejs pkgs.bashInteractive pkgs.ffmpeg pkgs.openssl ];
+
+ script = ''
+ exec npm run start
+ '';
+
+ serviceConfig = {
+ User = "peertube";
+ Group = "peertube";
+ WorkingDirectory = peertube;
+ PrivateTmp = true;
+ ProtectHome = true;
+ ProtectControlGroups = true;
+ Restart = "always";
+ Type = "simple";
+ TimeoutSec = 60;
+ };
+
+ unitConfig.RequiresMountsFor = varDir;
+ };
+
+ mySecrets.keys = [{
+ dest = "webapps/tools-peertube";
+ user = "peertube";
+ group = "peertube";
+ permissions = "0640";
+ text = ''
+ listen:
+ hostname: 'localhost'
+ port: ${env.listenPort}
+ webserver:
+ https: true
+ hostname: 'peertube.immae.eu'
+ port: 443
+ trust_proxy:
+ - 'loopback'
+ database:
+ hostname: '${env.postgresql.socket}'
+ port: 5432
+ suffix: '_prod'
+ username: '${env.postgresql.user}'
+ password: '${env.postgresql.password}'
+ pool:
+ max: 5
+ redis:
+ socket: '${env.redis.socket}'
+ auth: null
+ db: ${env.redis.db_index}
+ ldap:
+ enable: true
+ ldap_only: false
+ url: ldaps://${env.ldap.host}/${env.ldap.base}
+ bind_dn: ${env.ldap.dn}
+ bind_password: ${env.ldap.password}
+ base: ${env.ldap.base}
+ mail_entry: "mail"
+ user_filter: "${env.ldap.filter}"
+ smtp:
+ transport: sendmail
+ sendmail: '/run/wrappers/bin/sendmail'
+ hostname: null
+ port: 465 # If you use StartTLS: 587
+ username: null
+ password: null
+ tls: true # If you use StartTLS: false
+ disable_starttls: false
+ ca_file: null # Used for self signed certificates
+ from_address: 'peertube@tools.immae.eu'
+ storage:
+ tmp: '${varDir}/storage/tmp/'
+ avatars: '${varDir}/storage/avatars/'
+ videos: '${varDir}/storage/videos/'
+ redundancy: '${varDir}/storage/videos/'
+ logs: '${varDir}/storage/logs/'
+ previews: '${varDir}/storage/previews/'
+ thumbnails: '${varDir}/storage/thumbnails/'
+ torrents: '${varDir}/storage/torrents/'
+ captions: '${varDir}/storage/captions/'
+ cache: '${varDir}/storage/cache/'
+ log:
+ level: 'info'
+ search:
+ remote_uri:
+ users: true
+ anonymous: false
+ trending:
+ videos:
+ interval_days: 7
+ redundancy:
+ videos:
+ check_interval: '1 hour' # How often you want to check new videos to cache
+ strategies: # Just uncomment strategies you want
+ # Following are saved in local-production.json
+ cache:
+ previews:
+ size: 500 # Max number of previews you want to cache
+ captions:
+ size: 500 # Max number of video captions/subtitles you want to cache
+ admin:
+ email: 'peertube@tools.immae.eu'
+ contact_form:
+ enabled: true
+ signup:
+ enabled: false
+ limit: 10
+ requires_email_verification: false
+ filters:
+ cidr:
+ whitelist: []
+ blacklist: []
+ user:
+ video_quota: -1
+ video_quota_daily: -1
+ transcoding:
+ enabled: false
+ allow_additional_extensions: true
+ threads: 1
+ resolutions:
+ 240p: false
+ 360p: false
+ 480p: true
+ 720p: true
+ 1080p: true
+ hls:
+ enabled: false
+ import:
+ videos:
+ http:
+ enabled: true
+ torrent:
+ enabled: false
+ instance:
+ name: 'Immae’s PeerTube'
+ short_description: 'PeerTube, a federated (ActivityPub) video streaming platform using P2P (BitTorrent) directly in the web browser with WebTorrent and Angular.'
+ description: '''
+ terms: '''
+ default_client_route: '/videos/trending'
+ default_nsfw_policy: 'blur'
+ customizations:
+ javascript: '''
+ css: '''
+ robots: |
+ User-agent: *
+ Disallow:
+ securitytxt:
+ "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
+ services:
+ # You can provide a reporting endpoint for Content Security Policy violations
+ csp-logger:
+ twitter:
+ username: '@_immae'
+ whitelisted: false
+ '';
+ }];
+
+ system.activationScripts.peertube = {
+ deps = [ "users" ];
+ text = ''
+ install -m 0750 -o peertube -g peertube -d ${varDir}
+ install -m 0750 -o peertube -g peertube -d ${varDir}/config
+ ln -sf /var/secrets/webapps/tools-peertube ${varDir}/config/production.yaml
+ '';
+ };
+
+ services.myWebsites.tools.modules = [
+ "headers" "proxy" "proxy_http" "proxy_wstunnel"
+ ];
+ security.acme.certs."eldiron".extraDomains."peertube.immae.eu" = null;
+ services.myWebsites.tools.vhostConfs.peertube = {
+ certName = "eldiron";
+ hosts = [ "peertube.immae.eu" ];
+ root = null;
+ extraConfig = [ ''
+ ProxyPass / http://localhost:${env.listenPort}/
+ ProxyPassReverse / http://localhost:${env.listenPort}/
+
+ ProxyPreserveHost On
+ RequestHeader set X-Real-IP %{REMOTE_ADDR}s
+
+ ProxyPass /tracker/socket ws://127.0.0.1:${env.listenPort}/tracker/socket
+ ProxyPassReverse /tracker/socket ws://127.0.0.1:${env.listenPort}/tracker/socket
+
+ ProxyPass /socket.io ws://127.0.0.1:${env.listenPort}/socket.io
+ ProxyPassReverse /socket.io ws://127.0.0.1:${env.listenPort}/socket.io
+ '' ];
+ };
+ };
+}
diff --git a/nixops/modules/websites/tools/peertube/default.nix b/nixops/modules/websites/tools/peertube/default.nix
deleted file mode 100644
index 1ad79d7..0000000
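Review bot: In the `mySecrets.keys` text the LDAP settings `url: ldaps://${env.ldap.host}/${env.ldap.base}`, `bind_dn: ${env.ldap.dn}` and `bind_password: ${env.ldap.password}` are spliced into the YAML unquoted, whereas the PostgreSQL and Redis values are single-quoted; a bind password or DN containing ` #`, `: ` or a leading `{`, `[`, `&` or `*` would be silently truncated or rejected by the YAML parser with an error that never points at the secret. Quoting them like the database block, e.g. `bind_password: '${env.ldap.password}'`, keeps the generated file well-formed (an embedded `'` would still need doubling, which equally applies to the existing postgres password). On the unit, hardening stops at PrivateTmp/ProtectHome/ProtectControlGroups although the only writable state is `varDir`, so `ProtectSystem = "strict"; ReadWritePaths = [ varDir ];` looks applicable, while `NoNewPrivileges` should be left out because the config delivers mail through `/run/wrappers/bin/sendmail`, presumably a setuid/setgid wrapper. The module's `mylibs` argument is no longer used now that the package comes from `pkgs.webapps.peertube`.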
--- a/nixops/modules/websites/tools/peertube/default.nix
+++ /dev/null
@@ -1,101 +0,0 @@
-{ lib, pkgs, config, myconfig, mylibs, ... }:
-let
- peertube = pkgs.callPackage ./peertube.nix {
- inherit (mylibs) fetchedGithub;
- env = myconfig.env.tools.peertube;
- };
-
- cfg = config.services.myWebsites.tools.peertube;
-in {
- options.services.myWebsites.tools.peertube = {
- enable = lib.mkEnableOption "enable Peertube's website";
- };
-
- config = lib.mkIf cfg.enable {
- ids.uids.peertube = myconfig.env.tools.peertube.user.uid;
- ids.gids.peertube = myconfig.env.tools.peertube.user.gid;
-
- users.users.peertube = {
- name = "peertube";
- uid = config.ids.uids.peertube;
- group = "peertube";
- description = "Peertube user";
- home = peertube.varDir;
- useDefaultShell = true;
- extraGroups = [ "keys" ];
- };
-
- users.groups.peertube.gid = config.ids.gids.peertube;
-
- systemd.services.peertube = {
- description = "Peertube";
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" "postgresql.service" ];
- wants = [ "postgresql.service" ];
-
- environment.NODE_CONFIG_DIR = "${peertube.varDir}/config";
- environment.NODE_ENV = "production";
- environment.HOME = peertube.webappDir;
-
- path = [ pkgs.nodejs pkgs.bashInteractive pkgs.ffmpeg pkgs.openssl ];
-
- script = ''
- exec npm run start
- '';
-
- serviceConfig = {
- User = "peertube";
- Group = "peertube";
- WorkingDirectory = peertube.webappDir;
- PrivateTmp = true;
- ProtectHome = true;
- ProtectControlGroups = true;
- Restart = "always";
- Type = "simple";
- TimeoutSec = 60;
- };
-
- unitConfig.RequiresMountsFor = peertube.varDir;
- };
-
- mySecrets.keys = [{
- dest = "webapps/tools-peertube";
- user = "peertube";
- group = "peertube";
- permissions = "0640";
- text = peertube.config;
- }];
-
- system.activationScripts.peertube = {
- deps = [ "users" ];
- text = ''
- install -m 0750 -o peertube -g peertube -d ${peertube.varDir}
- install -m 0750 -o peertube -g peertube -d ${peertube.varDir}/config
- ln -sf /var/secrets/webapps/tools-peertube ${peertube.varDir}/config/production.yaml
- '';
- };
-
- services.myWebsites.tools.modules = [
- "headers" "proxy" "proxy_http" "proxy_wstunnel"
- ];
- security.acme.certs."eldiron".extraDomains."peertube.immae.eu" = null;
- services.myWebsites.tools.vhostConfs.peertube = {
- certName = "eldiron";
- hosts = [ "peertube.immae.eu" ];
- root = null;
- extraConfig = [ ''
- ProxyPass / http://localhost:${peertube.listenPort}/
- ProxyPassReverse / http://localhost:${peertube.listenPort}/
-
- ProxyPreserveHost On
- RequestHeader set X-Real-IP %{REMOTE_ADDR}s
-
- ProxyPass /tracker/socket ws://127.0.0.1:${peertube.listenPort}/tracker/socket
- ProxyPassReverse /tracker/socket ws://127.0.0.1:${peertube.listenPort}/tracker/socket
-
- ProxyPass /socket.io ws://127.0.0.1:${peertube.listenPort}/socket.io
- ProxyPassReverse /socket.io ws://127.0.0.1:${peertube.listenPort}/socket.io
- '' ];
- };
- };
-}
diff --git a/nixops/modules/websites/tools/peertube/peertube.nix b/nixops/modules/websites/tools/peertube/peertube.nix
deleted file mode 100644
index d2be5b6..0000000
--- a/nixops/modules/websites/tools/peertube/peertube.nix
+++ /dev/null
@@ -1,190 +0,0 @@
-{ env, fetchedGithub, fetchurl, fetchzip, stdenv, writeText, pkgs, cacert }:
-let
- varDir = "/var/lib/peertube";
- listenPort = env.listenPort;
- # Doesn't seem to work
- # patchedPackages = stdenv.mkDerivation (fetchedGithub ./peertube.json // rec {
- # patches = [ ./ldap.patch ];
- # installPhase = ''
- # mkdir $out
- # cp package.json yarn.lock $out/
- # '';
- # });
- # yarnModules = pkgs.yarn2nix.mkYarnModules {
- # name = "peertube-yarn-modules";
- # packageJSON = "${patchedPackages}/package.json";
- # yarnLock = "${patchedPackages}/yarn.lock";
- # yarnNix = ./yarn-packages.nix;
- # };
- patchedServer = stdenv.mkDerivation (fetchedGithub ./peertube.json // rec {
- __noChroot = true;
- patches = [
- ./ldap.patch
- ./sendmail.patch
- ];
- buildPhase = ''
- export GIT_SSL_CAINFO=${cacert}/etc/ssl/certs/ca-bundle.crt
- export SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt
- export HOME=$PWD
- yarn install --pure-lockfile
- npm run build:server
- '';
- installPhase = ''
- mkdir $out
- cp -a dist/server $out
- '';
- buildInputs = [ pkgs.python pkgs.git pkgs.yarn pkgs.nodejs ];
- });
- webappDir = stdenv.mkDerivation rec {
- __noChroot = true;
- version = "v1.2.0";
- name = "peertube-${version}";
- src = fetchzip {
- url = "https://github.com/Chocobozzz/PeerTube/releases/download/${version}/${name}.zip";
- sha256 = "18fp3fy1crw67gdpc29nr38b5zy2f68l70w47zwp7dzhd8bbbipp";
- };
- patches = [ ./ldap_yarn.patch ];
- buildPhase = ''
- export GIT_SSL_CAINFO=${cacert}/etc/ssl/certs/ca-bundle.crt
- export SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt
- export HOME=$PWD
- yarn install --production --pure-lockfile
- rm -rf dist/server && cp -a ${patchedServer}/server dist
- '';
- installPhase = ''
- mkdir $out
- cp -a * $out
- '';
- buildInputs = [ pkgs.yarn pkgs.git pkgs.python ];
- };
- config = ''
- listen:
- hostname: 'localhost'
- port: ${env.listenPort}
- webserver:
- https: true
- hostname: 'peertube.immae.eu'
- port: 443
- trust_proxy:
- - 'loopback'
- database:
- hostname: '${env.postgresql.socket}'
- port: 5432
- suffix: '_prod'
- username: '${env.postgresql.user}'
- password: '${env.postgresql.password}'
- pool:
- max: 5
- redis:
- socket: '${env.redis.socket}'
- auth: null
- db: ${env.redis.db_index}
- ldap:
- enable: true
- ldap_only: false
- url: ldaps://${env.ldap.host}/${env.ldap.base}
- bind_dn: ${env.ldap.dn}
- bind_password: ${env.ldap.password}
- base: ${env.ldap.base}
- mail_entry: "mail"
- user_filter: "${env.ldap.filter}"
- smtp:
- transport: sendmail
- sendmail: '/run/wrappers/bin/sendmail'
- hostname: null
- port: 465 # If you use StartTLS: 587
- username: null
- password: null
- tls: true # If you use StartTLS: false
- disable_starttls: false
- ca_file: null # Used for self signed certificates
- from_address: 'peertube@tools.immae.eu'
- storage:
- tmp: '${varDir}/storage/tmp/'
- avatars: '${varDir}/storage/avatars/'
- videos: '${varDir}/storage/videos/'
- redundancy: '${varDir}/storage/videos/'
- logs: '${varDir}/storage/logs/'
- previews: '${varDir}/storage/previews/'
- thumbnails: '${varDir}/storage/thumbnails/'
- torrents: '${varDir}/storage/torrents/'
- captions: '${varDir}/storage/captions/'
- cache: '${varDir}/storage/cache/'
- log:
- level: 'info'
- search:
- remote_uri:
- users: true
- anonymous: false
- trending:
- videos:
- interval_days: 7
- redundancy:
- videos:
- check_interval: '1 hour' # How often you want to check new videos to cache
- strategies: # Just uncomment strategies you want
- # Following are saved in local-production.json
- cache:
- previews:
- size: 500 # Max number of previews you want to cache
- captions:
- size: 500 # Max number of video captions/subtitles you want to cache
- admin:
- email: 'peertube@tools.immae.eu'
- contact_form:
- enabled: true
- signup:
- enabled: false
- limit: 10
- requires_email_verification: false
- filters:
- cidr:
- whitelist: []
- blacklist: []
- user:
- video_quota: -1
- video_quota_daily: -1
- transcoding:
- enabled: false
- allow_additional_extensions: true
- threads: 1
- resolutions:
- 240p: false
- 360p: false
- 480p: true
- 720p: true
- 1080p: true
- hls:
- enabled: false
- import:
- videos:
- http:
- enabled: true
- torrent:
- enabled: false
- instance:
- name: 'Immae’s PeerTube'
- short_description: 'PeerTube, a federated (ActivityPub) video streaming platform using P2P (BitTorrent) directly in the web browser with WebTorrent and Angular.'
- description: '''
- terms: '''
- default_client_route: '/videos/trending'
- default_nsfw_policy: 'blur'
- customizations:
- javascript: '''
- css: '''
- robots: |
- User-agent: *
- Disallow:
- securitytxt:
- "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
- services:
- # You can provide a reporting endpoint for Content Security Policy violations
- csp-logger:
- twitter:
- username: '@_immae'
- whitelisted: false
- '';
-in
- {
- inherit varDir webappDir config listenPort;
- }
diff --git a/pkgs/impure/peertube/default.nix b/pkgs/impure/peertube/default.nix
new file mode 100644
index 0000000..89fcb04
--- /dev/null
+++ b/pkgs/impure/peertube/default.nix
@@ -0,0 +1,58 @@
+{ stdenv, fetchzip, cacert, mylibs, python, git, yarn, nodejs }:
+let
+ # Doesn't seem to work
+ # patchedPackages = stdenv.mkDerivation (fetchedGithub ./peertube.json // rec {
+ # patches = [ ./ldap.patch ];
+ # installPhase = ''
+ # mkdir $out
+ # cp package.json yarn.lock $out/
+ # '';
+ # });
+ # yarnModules = pkgs.yarn2nix.mkYarnModules {
+ # name = "peertube-yarn-modules";
+ # packageJSON = "${patchedPackages}/package.json";
+ # yarnLock = "${patchedPackages}/yarn.lock";
+ # yarnNix = ./yarn-packages.nix;
+ # };
+ patchedServer = stdenv.mkDerivation (mylibs.fetchedGithub ./peertube.json // rec {
+ __noChroot = true;
+ patches = [
+ ./ldap.patch
+ ./sendmail.patch
+ ];
+ buildPhase = ''
+ export GIT_SSL_CAINFO=${cacert}/etc/ssl/certs/ca-bundle.crt
+ export SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt
+ export HOME=$PWD
+ yarn install --pure-lockfile
+ npm run build:server
+ '';
+ installPhase = ''
+ mkdir $out
+ cp -a dist/server $out
+ '';
+ buildInputs = [ python git yarn nodejs ];
+ });
+in
+stdenv.mkDerivation rec {
+ __noChroot = true;
+ version = "v1.2.0";
+ name = "peertube-${version}";
+ src = fetchzip {
+ url = "https://github.com/Chocobozzz/PeerTube/releases/download/${version}/${name}.zip";
+ sha256 = "18fp3fy1crw67gdpc29nr38b5zy2f68l70w47zwp7dzhd8bbbipp";
+ };
+ patches = [ ./ldap_yarn.patch ];
+ buildPhase = ''
+ export GIT_SSL_CAINFO=${cacert}/etc/ssl/certs/ca-bundle.crt
+ export SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt
+ export HOME=$PWD
+ yarn install --production --pure-lockfile
+ rm -rf dist/server && cp -a ${patchedServer}/server dist
+ '';
+ installPhase = ''
+ mkdir $out
+ cp -a * $out
+ '';
+ buildInputs = [ yarn git python ];
+}
diff --git a/nixops/modules/websites/tools/peertube/ldap.patch b/pkgs/impure/peertube/ldap.patch
similarity index 100%
rename from nixops/modules/websites/tools/peertube/ldap.patch
rename to pkgs/impure/peertube/ldap.patch
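Review bot: Both derivations set `__noChroot = true` so that `yarn install` can reach the network during the build, which makes the output only as reproducible as what the registry serves for the lockfile at build time: `src` is pinned by `sha256`, but the dependency tree that `cp -a * $out` installs is not pinned by Nix at all, and the contents of the `mylibs.fetchedGithub ./peertube.json` input for `patchedServer` are not shown in this patch. That trust boundary deserves a header comment above `let`, e.g. `# Impure build (__noChroot): yarn fetches node_modules at build time, so integrity rests on upstream's yarn.lock (patched by ldap_yarn.patch) and on the CA bundle exported in buildPhase; yarn2nix via yarn-packages.nix is the intended pure replacement once it works.` The `# Doesn't seem to work` note on the commented-out yarn2nix block would be more useful if it recorded what fails, since that block still references `fetchedGithub` and `pkgs.yarn2nix`, neither of which is an argument of this file anymore. `yarn-packages.nix` is moved by this commit but only referenced from that commented block.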
diff --git a/nixops/modules/websites/tools/peertube/ldap_yarn.patch b/pkgs/impure/peertube/ldap_yarn.patch similarity index 100% rename from nixops/modules/websites/tools/peertube/ldap_yarn.patch rename to pkgs/impure/peertube/ldap_yarn.patch diff --git a/nixops/modules/websites/tools/peertube/peertube.json b/pkgs/impure/peertube/peertube.json similarity index 100% rename from nixops/modules/websites/tools/peertube/peertube.json rename to pkgs/impure/peertube/peertube.json diff --git a/nixops/modules/websites/tools/peertube/sendmail.patch b/pkgs/impure/peertube/sendmail.patch similarity index 100% rename from nixops/modules/websites/tools/peertube/sendmail.patch rename to pkgs/impure/peertube/sendmail.patch diff --git a/nixops/modules/websites/tools/peertube/yarn-packages.nix b/pkgs/impure/peertube/yarn-packages.nix similarity index 100% rename from nixops/modules/websites/tools/peertube/yarn-packages.nix rename to pkgs/impure/peertube/yarn-packages.nix diff --git a/pkgs/webapps/default.nix b/pkgs/webapps/default.nix index 11bd0ce..84e39ff 100644 --- a/pkgs/webapps/default.nix +++ b/pkgs/webapps/default.nix @@ -65,6 +65,7 @@ rec { lib.attrsets.genAttrs names (name: callPackage (./nextcloud/apps + "/${name}.nix") { buildApp = nextcloud.buildApp; }); + peertube = callPackage ../impure/peertube { inherit mylibs; }; phpldapadmin = callPackage ./phpldapadmin {}; rompr = callPackage ./rompr { inherit mylibs; }; -- 2.41.0