author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-15 01:42:17 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-15 01:42:17 +0200 |
commit | 4a65e38be86fb755b0ab57027b0d3b7d28c9b096 (patch) | |
tree | 734ca1be22341383e409965e4da9f73b391f42ff /nixops | |
parent | 5f08b34c5247ee0c4de2a9264d059b69271e3473 (diff) | |
download | Nix-4a65e38be86fb755b0ab57027b0d3b7d28c9b096.tar.gz Nix-4a65e38be86fb755b0ab57027b0d3b7d28c9b096.tar.zst Nix-4a65e38be86fb755b0ab57027b0d3b7d28c9b096.zip |
Move peertube configuration to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops')
-rw-r--r-- | nixops/modules/websites/tools/peertube/default.nix | 18 | ||||
-rw-r--r-- | nixops/modules/websites/tools/peertube/peertube.nix | 250 |
2 files changed, 138 insertions, 130 deletions
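--- a/nixops/modules/websites/tools/peertube/default.nix
+++ b/nixops/modules/websites/tools/peertube/default.nix
@@ -29,8 +29,8 @@ in {
 systemd.services.peertube = {
 description = "Peertube";
 wantedBy = [ "multi-user.target" ];
-after = [ "network.target" "postgresql.service" ];
-wants = [ "postgresql.service" ];
+after = [ "network.target" "postgresql.service" "tools-peertube-key.service" ];
+wants = [ "postgresql.service" "tools-peertube-key.service" ];
 
 environment.NODE_CONFIG_DIR = "${peertube.varDir}/config";
 environment.NODE_ENV = "production";
@@ -57,12 +57,20 @@ in {
 unitConfig.RequiresMountsFor = peertube.varDir;
 };
 
+deployment.keys.tools-peertube = {
+destDir = "/run/keys/webapps";
+user = "peertube";
+group = "peertube";
+permissions = "0700";
+text = peertube.config;
+};
+
 system.activationScripts.peertube = {
 deps = [ "users" ];
 text = ''
-install -m 0755 -o peertube -g peertube -d ${peertube.varDir}
-install -m 0755 -o peertube -g peertube -d ${peertube.varDir}/config
-install -m 0644 -o peertube -g peertube -T ${peertube.config} ${peertube.varDir}/config/production.yaml
+install -m 0750 -o peertube -g peertube -d ${peertube.varDir}
+install -m 0750 -o peertube -g peertube -d ${peertube.varDir}/config
+install -m 0640 -o peertube -g peertube -T /run/keys/webapps/tools-peertube ${peertube.varDir}/config/production.yaml
 '';
 };
 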
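Review bot: The activation script now copies `/run/keys/webapps/tools-peertube` (new line 73), but activation scripts also run at boot, before NixOps has re-sent keys; if `/run/keys` is a tmpfs that is empty after a reboot, which is my understanding of NixOps key handling, that `install -T` fails and the unit is left without an up-to-date `production.yaml` until the next deploy. The ordering on `tools-peertube-key.service` added at lines 32-33 protects only the service, not the copy. Moving the `install -m 0640 -o peertube -g peertube -T /run/keys/webapps/tools-peertube ${peertube.varDir}/config/production.yaml` line into `systemd.services.peertube.preStart` (outside this hunk) would run it after the key unit, leaving only the two `install -d` lines in the activation script. Minor: `permissions = "0700"` on a regular key file sets an executable bit it does not need; `"0600"` is the usual choice.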
diff --git a/nixops/modules/websites/tools/peertube/peertube.nix b/nixops/modules/websites/tools/peertube/peertube.nix index ba49e2b..d2be5b6 100644 --- a/nixops/modules/websites/tools/peertube/peertube.nix +++ b/nixops/modules/websites/tools/peertube/peertube.nix | |||
@@ -57,133 +57,133 @@ let | |||
57 | ''; | 57 | ''; |
58 | buildInputs = [ pkgs.yarn pkgs.git pkgs.python ]; | 58 | buildInputs = [ pkgs.yarn pkgs.git pkgs.python ]; |
59 | }; | 59 | }; |
60 | config = writeText "production.yaml" '' | 60 | config = '' |
61 | listen: | 61 | listen: |
62 | hostname: 'localhost' | 62 | hostname: 'localhost' |
63 | port: ${env.listenPort} | 63 | port: ${env.listenPort} |
64 | webserver: | 64 | webserver: |
65 | https: true | 65 | https: true |
66 | hostname: 'peertube.immae.eu' | 66 | hostname: 'peertube.immae.eu' |
67 | port: 443 | 67 | port: 443 |
68 | trust_proxy: | 68 | trust_proxy: |
69 | - 'loopback' | 69 | - 'loopback' |
70 | database: | 70 | database: |
71 | hostname: '${env.postgresql.socket}' | 71 | hostname: '${env.postgresql.socket}' |
72 | port: 5432 | 72 | port: 5432 |
73 | suffix: '_prod' | 73 | suffix: '_prod' |
74 | username: '${env.postgresql.user}' | 74 | username: '${env.postgresql.user}' |
75 | password: '${env.postgresql.password}' | 75 | password: '${env.postgresql.password}' |
76 | pool: | 76 | pool: |
77 | max: 5 | 77 | max: 5 |
78 | redis: | 78 | redis: |
79 | socket: '${env.redis.socket}' | 79 | socket: '${env.redis.socket}' |
80 | auth: null | 80 | auth: null |
81 | db: ${env.redis.db_index} | 81 | db: ${env.redis.db_index} |
82 | ldap: | 82 | ldap: |
83 | enable: true | 83 | enable: true |
84 | ldap_only: false | 84 | ldap_only: false |
85 | url: ldaps://${env.ldap.host}/${env.ldap.base} | 85 | url: ldaps://${env.ldap.host}/${env.ldap.base} |
86 | bind_dn: ${env.ldap.dn} | 86 | bind_dn: ${env.ldap.dn} |
87 | bind_password: ${env.ldap.password} | 87 | bind_password: ${env.ldap.password} |
88 | base: ${env.ldap.base} | 88 | base: ${env.ldap.base} |
89 | mail_entry: "mail" | 89 | mail_entry: "mail" |
90 | user_filter: "${env.ldap.filter}" | 90 | user_filter: "${env.ldap.filter}" |
91 | smtp: | 91 | smtp: |
92 | transport: sendmail | 92 | transport: sendmail |
93 | sendmail: '/run/wrappers/bin/sendmail' | 93 | sendmail: '/run/wrappers/bin/sendmail' |
94 | hostname: null | 94 | hostname: null |
95 | port: 465 # If you use StartTLS: 587 | 95 | port: 465 # If you use StartTLS: 587 |
96 | username: null | 96 | username: null |
97 | password: null | 97 | password: null |
98 | tls: true # If you use StartTLS: false | 98 | tls: true # If you use StartTLS: false |
99 | disable_starttls: false | 99 | disable_starttls: false |
100 | ca_file: null # Used for self signed certificates | 100 | ca_file: null # Used for self signed certificates |
101 | from_address: 'peertube@tools.immae.eu' | 101 | from_address: 'peertube@tools.immae.eu' |
102 | storage: | 102 | storage: |
103 | tmp: '${varDir}/storage/tmp/' | 103 | tmp: '${varDir}/storage/tmp/' |
104 | avatars: '${varDir}/storage/avatars/' | 104 | avatars: '${varDir}/storage/avatars/' |
105 | videos: '${varDir}/storage/videos/' | 105 | videos: '${varDir}/storage/videos/' |
106 | redundancy: '${varDir}/storage/videos/' | 106 | redundancy: '${varDir}/storage/videos/' |
107 | logs: '${varDir}/storage/logs/' | 107 | logs: '${varDir}/storage/logs/' |
108 | previews: '${varDir}/storage/previews/' | 108 | previews: '${varDir}/storage/previews/' |
109 | thumbnails: '${varDir}/storage/thumbnails/' | 109 | thumbnails: '${varDir}/storage/thumbnails/' |
110 | torrents: '${varDir}/storage/torrents/' | 110 | torrents: '${varDir}/storage/torrents/' |
111 | captions: '${varDir}/storage/captions/' | 111 | captions: '${varDir}/storage/captions/' |
112 | cache: '${varDir}/storage/cache/' | 112 | cache: '${varDir}/storage/cache/' |
113 | log: | 113 | log: |
114 | level: 'info' | 114 | level: 'info' |
115 | search: | 115 | search: |
116 | remote_uri: | 116 | remote_uri: |
117 | users: true | 117 | users: true |
118 | anonymous: false | 118 | anonymous: false |
119 | trending: | 119 | trending: |
120 | videos: | 120 | videos: |
121 | interval_days: 7 | 121 | interval_days: 7 |
122 | redundancy: | 122 | redundancy: |
123 | videos: | 123 | videos: |
124 | check_interval: '1 hour' # How often you want to check new videos to cache | 124 | check_interval: '1 hour' # How often you want to check new videos to cache |
125 | strategies: # Just uncomment strategies you want | 125 | strategies: # Just uncomment strategies you want |
126 | # Following are saved in local-production.json | 126 | # Following are saved in local-production.json |
127 | cache: | 127 | cache: |
128 | previews: | 128 | previews: |
129 | size: 500 # Max number of previews you want to cache | 129 | size: 500 # Max number of previews you want to cache |
130 | captions: | 130 | captions: |
131 | size: 500 # Max number of video captions/subtitles you want to cache | 131 | size: 500 # Max number of video captions/subtitles you want to cache |
132 | admin: | 132 | admin: |
133 | email: 'peertube@tools.immae.eu' | 133 | email: 'peertube@tools.immae.eu' |
134 | contact_form: | 134 | contact_form: |
135 | enabled: true | ||
136 | signup: | ||
137 | enabled: false | ||
138 | limit: 10 | ||
139 | requires_email_verification: false | ||
140 | filters: | ||
141 | cidr: | ||
142 | whitelist: [] | ||
143 | blacklist: [] | ||
144 | user: | ||
145 | video_quota: -1 | ||
146 | video_quota_daily: -1 | ||
147 | transcoding: | ||
148 | enabled: false | ||
149 | allow_additional_extensions: true | ||
150 | threads: 1 | ||
151 | resolutions: | ||
152 | 240p: false | ||
153 | 360p: false | ||
154 | 480p: true | ||
155 | 720p: true | ||
156 | 1080p: true | ||
157 | hls: | ||
158 | enabled: false | ||
159 | import: | ||
160 | videos: | ||
161 | http: | ||
135 | enabled: true | 162 | enabled: true |
136 | signup: | 163 | torrent: |
137 | enabled: false | 164 | enabled: false |
138 | limit: 10 | 165 | instance: |
139 | requires_email_verification: false | 166 | name: 'Immae’s PeerTube' |
140 | filters: | 167 | short_description: 'PeerTube, a federated (ActivityPub) video streaming platform using P2P (BitTorrent) directly in the web browser with WebTorrent and Angular.' |
141 | cidr: | 168 | description: ''' |
142 | whitelist: [] | 169 | terms: ''' |
143 | blacklist: [] | 170 | default_client_route: '/videos/trending' |
144 | user: | 171 | default_nsfw_policy: 'blur' |
145 | video_quota: -1 | 172 | customizations: |
146 | video_quota_daily: -1 | 173 | javascript: ''' |
147 | transcoding: | 174 | css: ''' |
148 | enabled: false | 175 | robots: | |
149 | allow_additional_extensions: true | 176 | User-agent: * |
150 | threads: 1 | 177 | Disallow: |
151 | resolutions: | 178 | securitytxt: |
152 | 240p: false | 179 | "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:" |
153 | 360p: false | 180 | services: |
154 | 480p: true | 181 | # You can provide a reporting endpoint for Content Security Policy violations |
155 | 720p: true | 182 | csp-logger: |
156 | 1080p: true | 183 | twitter: |
157 | hls: | 184 | username: '@_immae' |
158 | enabled: false | 185 | whitelisted: false |
159 | import: | 186 | ''; |
160 | videos: | ||
161 | http: | ||
162 | enabled: true | ||
163 | torrent: | ||
164 | enabled: false | ||
165 | instance: | ||
166 | name: 'Immae’s PeerTube' | ||
167 | short_description: 'PeerTube, a federated (ActivityPub) video streaming platform using P2P (BitTorrent) directly in the web browser with WebTorrent and Angular.' | ||
168 | description: ''' | ||
169 | terms: ''' | ||
170 | default_client_route: '/videos/trending' | ||
171 | default_nsfw_policy: 'blur' | ||
172 | customizations: | ||
173 | javascript: ''' | ||
174 | css: ''' | ||
175 | robots: | | ||
176 | User-agent: * | ||
177 | Disallow: | ||
178 | securitytxt: | ||
179 | "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:" | ||
180 | services: | ||
181 | # You can provide a reporting endpoint for Content Security Policy violations | ||
182 | csp-logger: | ||
183 | twitter: | ||
184 | username: '@_immae' | ||
185 | whitelisted: false | ||
186 | ''; | ||
187 | in | 187 | in |
188 | { | 188 | { |
189 | inherit varDir webappDir config listenPort; | 189 | inherit varDir webappDir config listenPort; |
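Review bot: `config` at line 60 is now a plain string carrying the PostgreSQL and LDAP passwords (lines 75 and 87), and it is still exported through `inherit ... config` at line 189, so any other consumer that feeds it back into `writeText` or a derivation would land the secrets in the world-readable Nix store again, which is exactly what this commit moves away from. A comment above the definition would make that constraint visible to the next reader: `# Contains database and LDAP secrets: only ship this via deployment.keys, never through writeText or a derivation`. The `let` block containing this definition starts before the hunk.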