v.lor.sh/configuration.nix

{ config, pkgs, lib, ... }:
let
  secrets = import ./secrets.nix;

  ldap = pkgs.buildGoModule rec {
    name = "ldap";
    src = ./ldap;
    vendorHash = "sha256-HlsVCWs7Q4kBAtRpt3U323tRmgWdQxZlpfMZ/cSlw4Q=";
  };

  image = "chocobozzz/peertube:production-bullseye";

  s3cmd = pkgs.writeShellScript "s3cmd" ''
    ${pkgs.s3cmd}/bin/s3cmd \
      --access_key='${secrets.backup.accessKey}' \
      --secret_key='${secrets.backup.secretKey}' \
      --host='${secrets.backup.host}' \
      --host-bucket='${secrets.backup.hostBucket}' \
      $@
  '';

  bucket = secrets.backup.bucket;

  domainName = "v.lor.sh";
  hostName = builtins.replaceStrings [ "." ] [ "-" ] "${domainName}";
in {
  imports = [ ./hardware-configuration.nix ];

  boot.loader = {
    efi.canTouchEfiVariables = true;
    grub = {
      enable = true;
      efiSupport = true;
      device = "nodev";
      mirroredBoots = [{
        devices = [ "nodev" ];
        path = "/boot-fallback";
      }];
    };
  };

  networking = {
    hostName = hostName;
    hostId = (builtins.substring 0 8 (builtins.readFile "/etc/machine-id"));

    useDHCP = false;

    interfaces.eno1 = {
      ipv4 = secrets.ipv4;
      ipv6 = secrets.ipv6;
    };

    nameservers = [ "1.1.1.1" ];

    firewall = {
      enable = true;
      allowedTCPPorts = [ 80 443 1935 ];
    };
  };

  users.extraUsers.root.openssh.authorizedKeys.keys = secrets.pubkeys;

  services.openssh.enable = true;

  environment.systemPackages = with pkgs; [ vim htop git tmux ];

  systemd.services."peertube-ldap" = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    environment = {
      AUTH_URL = secrets.peertube.auth.url;
      AUTH_SECRET = secrets.peertube.auth.secret;
      LDAP_USER = secrets.peertube.ldap.user;
      LDAP_PASS = secrets.peertube.ldap.password;
    };
    serviceConfig = {
      Restart = "always";
      RestartSec = 30;
      ExecStart = "${ldap}/bin/ldap";
      User = "peertube";
    };
  };

  services.caddy = {
    enable = true;
    virtualHosts."${domainName}".extraConfig = ''
      encode gzip

      root * /dev/null
      reverse_proxy localhost:9000

      header {
          Strict-Transport-Security "max-age=31536000;"
      }
    '';
  };

  system.activationScripts.peertube = ''
    mkdir -p /var/lib/peertube/{storage,config}
    cat > /var/lib/peertube/config/local.yml <<EOF
    instance:
      name: 'v.lor.sh'
      terms: 'See [lor.sh/about](https://lor.sh/about). Only original content is allowed.'

    smtp:
      transport: smtp
      hostname: 'smtp.eu.mailgun.org'
      port: 587
      username: 'peertube@m.lor.sh'
      password: '${secrets.smtpPassword}'
      tls: false
      disable_starttls: false
      from_address: 'peertube@m.lor.sh'

    redis:
      hostname: '${hostName}'

    object_storage:
      enabled: true
      endpoint: 'https://sos-ch-gva-2.exo.io'
      region: 'ch-gva-2'

      upload_acl:
        public: 'public-read'
        private: 'private'

      proxy:
        proxify_private_files: true

      credentials:
        access_key_id: '${secrets.peertube.s3.id}'
        secret_access_key: '${secrets.peertube.s3.key}'

      max_upload_part: 128MB

      streaming_playlists:
        bucket_name: 'v-lor-sh'
        prefix: 'streaming-playlists/'
        base_url: 'https://sos-ch-gva-2.exo.io/v-lor-sh'

      videos:
        bucket_name: 'v-lor-sh'
        prefix: 'videos/'
        base_url: 'https://sos-ch-gva-2.exo.io/v-lor-sh'

    transcoding:
      resolutions:
        0p: true
        144p: true
        480p: true
        720p: true
        1080p: true
        2160p: true

    live:
      enabled: true
      transcoding:
        threads: 4
        resolutions:
          480p: true
          1080p: true
    EOF
  '';

  users.users.peertube = {
    isSystemUser = true;
    group = "peertube";
  };

  users.groups.peertube = { };

  systemd.services.peertube-init-db = {
    description = "Initialization database for PeerTube daemon";
    after = [ "network.target" "postgresql.service" ];
    requires = [ "postgresql.service" ];
    before = [ "docker-peertube.service" ];
    wantedBy = [ "docker-peertube.service" ];
    script = ''
      ${pkgs.postgresql}/bin/psql peertube -c '\q' && exit 0
      ${pkgs.postgresql}/bin/createuser -w peertube
      ${pkgs.postgresql}/bin/psql -c "ALTER USER peertube WITH PASSWORD '${secrets.peertube.db.password}'";

      ${pkgs.postgresql}/bin/createdb -O peertube -E UTF8 -T template0 peertube
      ${pkgs.postgresql}/bin/psql -c "CREATE EXTENSION pg_trgm;" peertube
      ${pkgs.postgresql}/bin/psql -c "CREATE EXTENSION unaccent;" peertube
    '';
    serviceConfig = {
      Type = "oneshot";
      User = "postgres";
      Group = "postgres";
    };
  };

  services.postgresql = {
    enable = true;
    enableTCPIP = true;
  };

  services.postgresqlBackup = {
    enable = true;
    databases = [ "peertube" ];
    compression = "gzip";
  };

  systemd.services.postgresqlBackup-peertube.serviceConfig.ExecStartPost =
    pkgs.writeShellScript "backup-to-s3" ''
      cd /var/backup/postgresql

      ${pkgs.gnupg}/bin/gpg --batch --passphrase '${secrets.backup.password}' \
                            --symmetric peertube.sql.gz

      ${s3cmd} rm ${bucket}/peertube.prev.sql.gz.gpg
      ${s3cmd} mv ${bucket}/peertube.sql.gz.gpg ${bucket}/peertube.prev.sql.gz.gpg
      ${s3cmd} put peertube.sql.gz.gpg ${bucket}/

      rm peertube.sql.gz.gpg
    '';

  services.redis.servers.peertube = {
    enable = true;
    bind = "127.0.0.1";
    port = 6379;
  };

  virtualisation.oci-containers.backend = "docker";
  virtualisation.docker.liveRestore = false;

  virtualisation.oci-containers.containers = {
    peertube = {
      image = image;
      environment = {
        PEERTUBE_SECRET = "${secrets.peertube.secret}";
        PEERTUBE_WEBSERVER_HOSTNAME = domainName;
        PEERTUBE_DB_USERNAME = "peertube";
        PEERTUBE_DB_PASSWORD = secrets.peertube.db.password;
        PEERTUBE_DB_HOSTNAME = hostName;
        PEERTUBE_ADMIN_EMAIL = secrets.peertube.admin.email;
      };
      volumes = [
        "/var/lib/peertube/storage:/data"
        "/var/lib/peertube/config:/config"
      ];
      extraOptions = [ "--network=host" "--pull=always" ];
    };
  };

  systemd.services.docker-peertube.serviceConfig.TimeoutStopSec = lib.mkForce 4;
  systemd.services.docker-peertube.serviceConfig.RestartSec = lib.mkForce 16;

  services.zfs = {
    autoScrub.enable = true;
    trim.enable = true;
  };

  time.timeZone = "UTC";

  system.autoUpgrade = {
    enable = true;
    allowReboot = true;
  };

  system.stateVersion = "22.11";

  nix = {
    optimise.automatic = true;
    gc = {
      automatic = true;
      options = "--delete-older-than 7d";
    };
  };
}