aboutsummaryrefslogtreecommitdiff
path: root/nixops
diff options
context:
space:
mode:
authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-15 01:42:17 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-15 01:42:17 +0200
commit4a65e38be86fb755b0ab57027b0d3b7d28c9b096 (patch)
tree734ca1be22341383e409965e4da9f73b391f42ff /nixops
parent5f08b34c5247ee0c4de2a9264d059b69271e3473 (diff)
downloadNix-4a65e38be86fb755b0ab57027b0d3b7d28c9b096.tar.gz
Nix-4a65e38be86fb755b0ab57027b0d3b7d28c9b096.tar.zst
Nix-4a65e38be86fb755b0ab57027b0d3b7d28c9b096.zip
Move peertube configuration to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops')
-rw-r--r--nixops/modules/websites/tools/peertube/default.nix18
-rw-r--r--nixops/modules/websites/tools/peertube/peertube.nix250
2 files changed, 138 insertions, 130 deletions
diff --git a/nixops/modules/websites/tools/peertube/default.nix b/nixops/modules/websites/tools/peertube/default.nix
index c4f3817..dbdeb76 100644
--- a/nixops/modules/websites/tools/peertube/default.nix
+++ b/nixops/modules/websites/tools/peertube/default.nix
@@ -29,8 +29,8 @@ in {
29 systemd.services.peertube = { 29 systemd.services.peertube = {
30 description = "Peertube"; 30 description = "Peertube";
31 wantedBy = [ "multi-user.target" ]; 31 wantedBy = [ "multi-user.target" ];
32 after = [ "network.target" "postgresql.service" ]; 32 after = [ "network.target" "postgresql.service" "tools-peertube-key.service" ];
33 wants = [ "postgresql.service" ]; 33 wants = [ "postgresql.service" "tools-peertube-key.service" ];
34 34
35 environment.NODE_CONFIG_DIR = "${peertube.varDir}/config"; 35 environment.NODE_CONFIG_DIR = "${peertube.varDir}/config";
36 environment.NODE_ENV = "production"; 36 environment.NODE_ENV = "production";
@@ -57,12 +57,20 @@ in {
57 unitConfig.RequiresMountsFor = peertube.varDir; 57 unitConfig.RequiresMountsFor = peertube.varDir;
58 }; 58 };
59 59
60 deployment.keys.tools-peertube = {
61 destDir = "/run/keys/webapps";
62 user = "peertube";
63 group = "peertube";
64 permissions = "0700";
65 text = peertube.config;
66 };
67
60 system.activationScripts.peertube = { 68 system.activationScripts.peertube = {
61 deps = [ "users" ]; 69 deps = [ "users" ];
62 text = '' 70 text = ''
63 install -m 0755 -o peertube -g peertube -d ${peertube.varDir} 71 install -m 0750 -o peertube -g peertube -d ${peertube.varDir}
64 install -m 0755 -o peertube -g peertube -d ${peertube.varDir}/config 72 install -m 0750 -o peertube -g peertube -d ${peertube.varDir}/config
65 install -m 0644 -o peertube -g peertube -T ${peertube.config} ${peertube.varDir}/config/production.yaml 73 install -m 0640 -o peertube -g peertube -T /run/keys/webapps/tools-peertube ${peertube.varDir}/config/production.yaml
66 ''; 74 '';
67 }; 75 };
68 76
diff --git a/nixops/modules/websites/tools/peertube/peertube.nix b/nixops/modules/websites/tools/peertube/peertube.nix
index ba49e2b..d2be5b6 100644
--- a/nixops/modules/websites/tools/peertube/peertube.nix
+++ b/nixops/modules/websites/tools/peertube/peertube.nix
@@ -57,133 +57,133 @@ let
57 ''; 57 '';
58 buildInputs = [ pkgs.yarn pkgs.git pkgs.python ]; 58 buildInputs = [ pkgs.yarn pkgs.git pkgs.python ];
59 }; 59 };
60 config = writeText "production.yaml" '' 60 config = ''
61 listen: 61 listen:
62 hostname: 'localhost' 62 hostname: 'localhost'
63 port: ${env.listenPort} 63 port: ${env.listenPort}
64 webserver: 64 webserver:
65 https: true 65 https: true
66 hostname: 'peertube.immae.eu' 66 hostname: 'peertube.immae.eu'
67 port: 443 67 port: 443
68 trust_proxy: 68 trust_proxy:
69 - 'loopback' 69 - 'loopback'
70 database: 70 database:
71 hostname: '${env.postgresql.socket}' 71 hostname: '${env.postgresql.socket}'
72 port: 5432 72 port: 5432
73 suffix: '_prod' 73 suffix: '_prod'
74 username: '${env.postgresql.user}' 74 username: '${env.postgresql.user}'
75 password: '${env.postgresql.password}' 75 password: '${env.postgresql.password}'
76 pool: 76 pool:
77 max: 5 77 max: 5
78 redis: 78 redis:
79 socket: '${env.redis.socket}' 79 socket: '${env.redis.socket}'
80 auth: null 80 auth: null
81 db: ${env.redis.db_index} 81 db: ${env.redis.db_index}
82 ldap: 82 ldap:
83 enable: true 83 enable: true
84 ldap_only: false 84 ldap_only: false
85 url: ldaps://${env.ldap.host}/${env.ldap.base} 85 url: ldaps://${env.ldap.host}/${env.ldap.base}
86 bind_dn: ${env.ldap.dn} 86 bind_dn: ${env.ldap.dn}
87 bind_password: ${env.ldap.password} 87 bind_password: ${env.ldap.password}
88 base: ${env.ldap.base} 88 base: ${env.ldap.base}
89 mail_entry: "mail" 89 mail_entry: "mail"
90 user_filter: "${env.ldap.filter}" 90 user_filter: "${env.ldap.filter}"
91 smtp: 91 smtp:
92 transport: sendmail 92 transport: sendmail
93 sendmail: '/run/wrappers/bin/sendmail' 93 sendmail: '/run/wrappers/bin/sendmail'
94 hostname: null 94 hostname: null
95 port: 465 # If you use StartTLS: 587 95 port: 465 # If you use StartTLS: 587
96 username: null 96 username: null
97 password: null 97 password: null
98 tls: true # If you use StartTLS: false 98 tls: true # If you use StartTLS: false
99 disable_starttls: false 99 disable_starttls: false
100 ca_file: null # Used for self signed certificates 100 ca_file: null # Used for self signed certificates
101 from_address: 'peertube@tools.immae.eu' 101 from_address: 'peertube@tools.immae.eu'
102 storage: 102 storage:
103 tmp: '${varDir}/storage/tmp/' 103 tmp: '${varDir}/storage/tmp/'
104 avatars: '${varDir}/storage/avatars/' 104 avatars: '${varDir}/storage/avatars/'
105 videos: '${varDir}/storage/videos/' 105 videos: '${varDir}/storage/videos/'
106 redundancy: '${varDir}/storage/videos/' 106 redundancy: '${varDir}/storage/videos/'
107 logs: '${varDir}/storage/logs/' 107 logs: '${varDir}/storage/logs/'
108 previews: '${varDir}/storage/previews/' 108 previews: '${varDir}/storage/previews/'
109 thumbnails: '${varDir}/storage/thumbnails/' 109 thumbnails: '${varDir}/storage/thumbnails/'
110 torrents: '${varDir}/storage/torrents/' 110 torrents: '${varDir}/storage/torrents/'
111 captions: '${varDir}/storage/captions/' 111 captions: '${varDir}/storage/captions/'
112 cache: '${varDir}/storage/cache/' 112 cache: '${varDir}/storage/cache/'
113 log: 113 log:
114 level: 'info' 114 level: 'info'
115 search: 115 search:
116 remote_uri: 116 remote_uri:
117 users: true 117 users: true
118 anonymous: false 118 anonymous: false
119 trending: 119 trending:
120 videos: 120 videos:
121 interval_days: 7 121 interval_days: 7
122 redundancy: 122 redundancy:
123 videos: 123 videos:
124 check_interval: '1 hour' # How often you want to check new videos to cache 124 check_interval: '1 hour' # How often you want to check new videos to cache
125 strategies: # Just uncomment strategies you want 125 strategies: # Just uncomment strategies you want
126 # Following are saved in local-production.json 126 # Following are saved in local-production.json
127 cache: 127 cache:
128 previews: 128 previews:
129 size: 500 # Max number of previews you want to cache 129 size: 500 # Max number of previews you want to cache
130 captions: 130 captions:
131 size: 500 # Max number of video captions/subtitles you want to cache 131 size: 500 # Max number of video captions/subtitles you want to cache
132 admin: 132 admin:
133 email: 'peertube@tools.immae.eu' 133 email: 'peertube@tools.immae.eu'
134 contact_form: 134 contact_form:
135 enabled: true
136 signup:
137 enabled: false
138 limit: 10
139 requires_email_verification: false
140 filters:
141 cidr:
142 whitelist: []
143 blacklist: []
144 user:
145 video_quota: -1
146 video_quota_daily: -1
147 transcoding:
148 enabled: false
149 allow_additional_extensions: true
150 threads: 1
151 resolutions:
152 240p: false
153 360p: false
154 480p: true
155 720p: true
156 1080p: true
157 hls:
158 enabled: false
159 import:
160 videos:
161 http:
135 enabled: true 162 enabled: true
136 signup: 163 torrent:
137 enabled: false 164 enabled: false
138 limit: 10 165 instance:
139 requires_email_verification: false 166 name: 'Immae&#x2019;s PeerTube'
140 filters: 167 short_description: 'PeerTube, a federated (ActivityPub) video streaming platform using P2P (BitTorrent) directly in the web browser with WebTorrent and Angular.'
141 cidr: 168 description: '''
142 whitelist: [] 169 terms: '''
143 blacklist: [] 170 default_client_route: '/videos/trending'
144 user: 171 default_nsfw_policy: 'blur'
145 video_quota: -1 172 customizations:
146 video_quota_daily: -1 173 javascript: '''
147 transcoding: 174 css: '''
148 enabled: false 175 robots: |
149 allow_additional_extensions: true 176 User-agent: *
150 threads: 1 177 Disallow:
151 resolutions: 178 securitytxt:
152 240p: false 179 "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
153 360p: false 180 services:
154 480p: true 181 # You can provide a reporting endpoint for Content Security Policy violations
155 720p: true 182 csp-logger:
156 1080p: true 183 twitter:
157 hls: 184 username: '@_immae'
158 enabled: false 185 whitelisted: false
159 import: 186 '';
160 videos:
161 http:
162 enabled: true
163 torrent:
164 enabled: false
165 instance:
166 name: 'Immae’s PeerTube'
167 short_description: 'PeerTube, a federated (ActivityPub) video streaming platform using P2P (BitTorrent) directly in the web browser with WebTorrent and Angular.'
168 description: '''
169 terms: '''
170 default_client_route: '/videos/trending'
171 default_nsfw_policy: 'blur'
172 customizations:
173 javascript: '''
174 css: '''
175 robots: |
176 User-agent: *
177 Disallow:
178 securitytxt:
179 "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
180 services:
181 # You can provide a reporting endpoint for Content Security Policy violations
182 csp-logger:
183 twitter:
184 username: '@_immae'
185 whitelisted: false
186 '';
187in 187in
188 { 188 {
189 inherit varDir webappDir config listenPort; 189 inherit varDir webappDir config listenPort;