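{ lib, pkgs, config, myconfig, mylibs, ... }:
# NixOS module for the PeerTube web application: a dedicated system user,
# a systemd unit running `npm run start`, the production config delivered
# through the `mySecrets` mechanism, and the Apache reverse-proxy vhost.
let
  # Package built from ./peertube.nix; the module relies on its
  # `varDir`, `webappDir`, `config` and `listenPort` attributes.
  peertube = pkgs.callPackage ./peertube.nix {
    inherit (mylibs) fetchedGithub;
    env = myconfig.env.tools.peertube;
  };

  cfg = config.services.myWebsites.tools.peertube;

  # Single backend address for every proxied route. The HTTP and WebSocket
  # routes previously disagreed (`localhost`, which may resolve to ::1
  # first, versus `127.0.0.1`); one literal keeps them from drifting.
  backend = "127.0.0.1:${peertube.listenPort}";
in {
  options.services.myWebsites.tools.peertube = {
    enable = lib.mkEnableOption "enable Peertube's website";
  };

  config = lib.mkIf cfg.enable {
    # Fixed uid/gid so file ownership in varDir survives reinstalls.
    ids.uids.peertube = myconfig.env.tools.peertube.user.uid;
    ids.gids.peertube = myconfig.env.tools.peertube.user.gid;

    users.users.peertube = {
      name = "peertube";
      uid = config.ids.uids.peertube;
      group = "peertube";
      description = "Peertube user";
      home = peertube.varDir;
      useDefaultShell = true;
      # NOTE(review): presumably grants access to the secrets tree that
      # mySecrets populates — confirm against that module.
      extraGroups = [ "keys" ];
    };

    users.groups.peertube.gid = config.ids.gids.peertube;

    systemd.services.peertube = {
      description = "Peertube";
      wantedBy = [ "multi-user.target" ];
      # PeerTube needs its database up; `wants` (not `requires`) so a
      # postgresql restart does not take the unit down with it.
      after = [ "network.target" "postgresql.service" ];
      wants = [ "postgresql.service" ];

      # NODE_CONFIG_DIR points at the directory where the activation
      # script below symlinks production.yaml.
      environment.NODE_CONFIG_DIR = "${peertube.varDir}/config";
      environment.NODE_ENV = "production";
      # NOTE(review): HOME is set to webappDir while ProtectHome is on;
      # this only works if webappDir lives outside /home — verify.
      environment.HOME = peertube.webappDir;

      path = [ pkgs.nodejs pkgs.bashInteractive pkgs.ffmpeg pkgs.openssl ];

      script = ''
        exec npm run start
      '';

      serviceConfig = {
        User = "peertube";
        Group = "peertube";
        WorkingDirectory = peertube.webappDir;
        PrivateTmp = true;
        ProtectHome = true;
        ProtectControlGroups = true;
        Restart = "always";
        Type = "simple";
        TimeoutSec = 60;
      };

      # Do not start before the volume holding varDir is mounted.
      unitConfig.RequiresMountsFor = peertube.varDir;
    };

    # production.yaml carries credentials (database, SMTP, secrets);
    # it is installed 0640 peertube:peertube rather than world-readable.
    mySecrets.keys = [{
      dest = "webapps/tools-peertube";
      user = "peertube";
      group = "peertube";
      permissions = "0640";
      text = peertube.config;
    }];

    # Runs after user creation so the `-o peertube` ownership resolves.
    system.activationScripts.peertube = {
      deps = [ "users" ];
      text = ''
        install -m 0750 -o peertube -g peertube -d ${peertube.varDir}
        install -m 0750 -o peertube -g peertube -d ${peertube.varDir}/config
        ln -sf /var/secrets/webapps/tools-peertube ${peertube.varDir}/config/production.yaml
        '';
    };

    services.myWebsites.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    security.acme.certs."eldiron".extraDomains."peertube.immae.eu" = null;
    services.myWebsites.tools.vhostConfs.peertube = {
      certName    = "eldiron";
      hosts       = [ "peertube.immae.eu" ];
      root        = null;
      # mod_proxy evaluates ProxyPass rules in configuration order and the
      # first match wins, so the WebSocket routes must come before the
      # catch-all `/`; otherwise they are proxied as plain HTTP and the
      # ws:// upgrade through mod_proxy_wstunnel never happens.
      extraConfig = [ ''
          ProxyPreserveHost On
          RequestHeader set X-Real-IP %{REMOTE_ADDR}s

          ProxyPass /tracker/socket        ws://${backend}/tracker/socket
          ProxyPassReverse /tracker/socket ws://${backend}/tracker/socket

          ProxyPass /socket.io        ws://${backend}/socket.io
          ProxyPassReverse /socket.io ws://${backend}/socket.io

          ProxyPass /        http://${backend}/
          ProxyPassReverse / http://${backend}/
      '' ];
    };
  };
}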