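{ config, pkgs, lib, ... }:

let
  # NOTE(review): every value taken from `secrets` below is interpolated into
  # a derivation (the s3cmd wrapper, the DB-init script, the activation script
  # and the generated container unit) and therefore lands in the world-readable
  # /nix/store. secrets.nix keeps secrets out of git, not out of the store; an
  # out-of-store file read at service start would be needed to change that.
  secrets = import ./secrets.nix;

  # Floating tag: which image is actually run is decided by the registry at
  # container start (see --pull=always on the container definition).
  image = "chocobozzz/peertube:production-bookworm";

  # s3cmd pre-configured with the backup credentials. The arguments are
  # forwarded as "$@" so that an argument containing whitespace or glob
  # characters reaches s3cmd unchanged (a bare $@ is re-split by the shell).
  s3cmd = pkgs.writeShellScript "s3cmd" ''
    exec ${pkgs.s3cmd}/bin/s3cmd \
      --access_key='${secrets.backup.accessKey}' \
      --secret_key='${secrets.backup.secretKey}' \
      --host='${secrets.backup.host}' \
      --host-bucket='${secrets.backup.hostBucket}' \
      "$@"
  '';

  bucket = secrets.backup.bucket;

  domainName = "v.lor.sh";
  # "v.lor.sh" -> "v-lor-sh": dots are not valid inside a hostname label.
  hostName = builtins.replaceStrings [ "." ] [ "-" ] domainName;
in {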
imports = [ ./hardware-configuration.nix ];

# UEFI boot via GRUB. Besides the primary ESP, GRUB is also installed to the
# ESP mounted at /boot-fallback (mirroredBoots), so the machine still boots if
# the first disk is lost.
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub = {
  enable = true;
  efiSupport = true;
  device = "nodev";
  mirroredBoots = [
    { devices = [ "nodev" ]; path = "/boot-fallback"; }
  ];
};
networking = {
  inherit hostName;
  # Impure read at evaluation time: /etc/machine-id must exist on the host
  # doing the evaluation (fails under pure/flake evaluation and on a fresh
  # install where the file is not there yet).
  hostId = builtins.substring 0 8 (builtins.readFile "/etc/machine-id");

  # Static addressing from secrets.nix; no DHCP on any interface.
  useDHCP = false;
  interfaces.eno1 = { inherit (secrets) ipv4 ipv6; };
  nameservers = [ "1.1.1.1" ];

  # Default-deny inbound. Only HTTP/HTTPS and 1935 (presumably RTMP ingest for
  # PeerTube live, which is enabled in local.yml) are reachable from outside;
  # PostgreSQL (enableTCPIP) and Redis are not in the allow list and so stay
  # loopback-only in practice.
  firewall = {
    enable = true;
    allowedTCPPorts = [ 80 443 1935 ];
  };
};
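# Root logs in by key only. `users.users` is the canonical path (the file
# already uses it for the peertube account); `users.extraUsers` is the legacy
# alias of the same option.
users.users.root.openssh.authorizedKeys.keys = secrets.pubkeys;

# NixOS already defaults PermitRootLogin to "prohibit-password"; disabling
# password and keyboard-interactive authentication globally closes the same
# door for any other account that might get a password later.
# (services.openssh.settings requires NixOS >= 23.05.)
services.openssh = {
  enable = true;
  settings = {
    PasswordAuthentication = false;
    KbdInteractiveAuthentication = false;
  };
};

environment.systemPackages = with pkgs; [ vim htop git tmux jq ];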
# Caddy fronts PeerTube: it obtains certificates for the host, terminates TLS
# and proxies to the container, which listens on localhost:9000 because it
# shares the host network. `root * /dev/null` leaves nothing to serve from
# disk, so every request goes to the upstream.
services.caddy = {
  enable = true;
  virtualHosts.${domainName} = {
    extraConfig = ''
      encode gzip

      root * /dev/null
      reverse_proxy localhost:9000

      header {
        Strict-Transport-Security "max-age=31536000;"
      }
    '';
  };
};
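# Renders PeerTube's local.yml on every activation. The heredoc delimiter is
# quoted ('EOF') so the shell does not expand `$`, backticks or backslashes
# inside the YAML: Nix substitutes the ${...} values at evaluation time, and
# a secret containing `$` or a backtick would otherwise be mangled (or run)
# by bash.
# NOTE(review): this script, secrets included, is itself a store path, and
# local.yml is created with the default umask. The container reads it via the
# /config bind mount, so a tighter mode depends on the uid PeerTube runs as
# inside the image -- TODO confirm before adding chown/chmod here.
# A secret containing a single quote would break the YAML single-quoted
# literal it is placed in.
system.activationScripts.peertube = ''
  mkdir -p /var/lib/peertube/{storage,config}
  cat > /var/lib/peertube/config/local.yml <<'EOF'
  instance:
    name: 'v.lor.sh'
    terms: 'See [lor.sh/about](https://lor.sh/about). Only original content is allowed.'

  smtp:
    transport: smtp
    hostname: 'smtp.eu.mailgun.org'
    port: 587
    username: 'peertube@m.lor.sh'
    password: '${secrets.smtpPassword}'
    tls: false
    disable_starttls: false
    from_address: 'peertube@m.lor.sh'

  redis:
    hostname: '127.0.0.1'

  object_storage:
    enabled: true
    endpoint: 'https://sos-ch-gva-2.exo.io'
    region: 'ch-gva-2'

    upload_acl:
      public: 'public-read'
      private: 'private'

    proxy:
      proxify_private_files: true

    credentials:
      access_key_id: '${secrets.peertube.s3.id}'
      secret_access_key: '${secrets.peertube.s3.key}'

    max_upload_part: 128MB

    streaming_playlists:
      bucket_name: 'v-lor-sh'
      prefix: 'streaming-playlists/'
      base_url: 'https://sos-ch-gva-2.exo.io/v-lor-sh'

    web_videos:
      bucket_name: 'v-lor-sh'
      prefix: 'web-videos/'
      base_url: 'https://sos-ch-gva-2.exo.io/v-lor-sh'

    user_exports:
      bucket_name: 'v-lor-sh'
      prefix: 'user-exports/'
      base_url: 'https://sos-ch-gva-2.exo.io/v-lor-sh'

    original_video_files:
      bucket_name: 'v-lor-sh'
      prefix: 'original-video-files/'
      base_url: 'https://sos-ch-gva-2.exo.io/v-lor-sh'

  transcoding:
    resolutions:
      0p: true
      144p: true
      480p: true
      720p: true
      1080p: true
      2160p: true

  live:
    enabled: true
    transcoding:
      threads: 4
      resolutions:
        0p: true
        144p: true
        480p: true
        1080p: true

  video_transcription:
    enabled: true
    engine: 'whisper-ctranslate2'
    model: 'large-v3'

  EOF
'';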
# Host-side service account and group. NOTE(review): nothing visible in this
# file runs as this user (PeerTube runs inside the Docker container), so it
# presumably only reserves the name/ownership for /var/lib/peertube -- verify.
users.groups.peertube = { };
users.users.peertube = {
  group = "peertube";
  isSystemUser = true;
};
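# One-shot bootstrap of the PeerTube role and database, ordered before the
# container unit. Idempotent: if `psql peertube` already connects, nothing
# else runs. NixOS executes `script` with `bash -e`, so any later failure
# fails the unit (and, through `requires`/`before`, holds docker-peertube).
systemd.services.peertube-init-db = {
  description = "Initialization database for PeerTube daemon";
  after = [ "network.target" "postgresql.service" ];
  requires = [ "postgresql.service" ];
  before = [ "docker-peertube.service" ];
  wantedBy = [ "docker-peertube.service" ];
  script =
    let
      # Use the same package the server runs, not the channel default, so
      # client and server versions cannot drift apart.
      pg = config.services.postgresql.package;
    in ''
      ${pg}/bin/psql peertube -c '\q' && exit 0

      ${pg}/bin/createuser -w peertube
      # The password is fed on stdin rather than passed as an argument, so it
      # does not appear in `ps` or in the command line systemd logs on failure.
      # It is still embedded in this store-resident script, and a password
      # containing a single quote would break the SQL literal.
      ${pg}/bin/psql -v ON_ERROR_STOP=1 <<'EOSQL'
      ALTER USER peertube WITH PASSWORD '${secrets.peertube.db.password}';
      EOSQL

      ${pg}/bin/createdb -O peertube -E UTF8 -T template0 peertube
      ${pg}/bin/psql -c "CREATE EXTENSION pg_trgm;" peertube
      ${pg}/bin/psql -c "CREATE EXTENSION unaccent;" peertube
    '';
  serviceConfig = {
    Type = "oneshot";
    User = "postgres";
    Group = "postgres";
  };
};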
# PostgreSQL listens on TCP in addition to its socket; the container, which
# shares the host network, connects over TCP. Nothing opens 5432 in the
# firewall, so the TCP listener is only reachable from the host itself.
services.postgresql.enable = true;
services.postgresql.enableTCPIP = true;

# Periodic dump of the peertube database (gzip) on the module's default
# schedule; the ExecStartPost hook defined below ships it off-host.
services.postgresqlBackup = {
  enable = true;
  compression = "gzip";
  databases = [ "peertube" ];
};
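# After each dump: encrypt it symmetrically and upload it, keeping one
# previous copy in the bucket. Changes from a plain command list:
#  - `set -euo pipefail`: a failed encryption or `cd` no longer falls through
#    to the rotation, which previously could delete the previous backup and
#    then upload nothing;
#  - the ciphertext is removed by an EXIT trap, so a failed upload cannot
#    leave a stale .gpg behind (gpg --batch refuses to overwrite it next run);
#  - the passphrase is read from stdin instead of argv, keeping it out of
#    `ps` and logged command lines. It is still embedded in this store script.
systemd.services.postgresqlBackup-peertube.serviceConfig.ExecStartPost =
  pkgs.writeShellScript "backup-to-s3" ''
    set -euo pipefail
    cd /var/backup/postgresql

    trap 'rm -f peertube.sql.gz.gpg' EXIT

    printf '%s' '${secrets.backup.password}' \
      | ${pkgs.gnupg}/bin/gpg --batch --pinentry-mode loopback --passphrase-fd 0 \
          --symmetric peertube.sql.gz

    # Rotation. Both steps may legitimately fail on the first run (no object
    # to remove/move yet), so they must not abort the upload.
    ${s3cmd} rm ${bucket}/peertube.prev.sql.gz.gpg || true
    ${s3cmd} mv ${bucket}/peertube.sql.gz.gpg ${bucket}/peertube.prev.sql.gz.gpg || true
    ${s3cmd} put peertube.sql.gz.gpg ${bucket}/
  '';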
# Loopback-only Redis instance for PeerTube (local.yml points at 127.0.0.1).
# No authentication is configured here; exposure is bounded by the bind
# address and the host firewall.
services.redis.servers.peertube.enable = true;
services.redis.servers.peertube.bind = "127.0.0.1";
services.redis.servers.peertube.port = 6379;
virtualisation.docker.liveRestore = false;

virtualisation.oci-containers = {
  backend = "docker";
  containers.peertube = {
    inherit image;
    # These become `-e` flags of the generated docker-peertube unit, i.e. part
    # of a world-readable store path (the DB password and PEERTUBE_SECRET
    # included).
    environment = {
      PEERTUBE_SECRET = "${secrets.peertube.secret}";
      PEERTUBE_WEBSERVER_HOSTNAME = domainName;
      PEERTUBE_DB_USERNAME = "peertube";
      PEERTUBE_DB_PASSWORD = secrets.peertube.db.password;
      # The machine's own hostname; presumably resolves to a loopback address
      # via /etc/hosts, which is why PostgreSQL has enableTCPIP -- verify.
      PEERTUBE_DB_HOSTNAME = hostName;
      PEERTUBE_ADMIN_EMAIL = secrets.peertube.admin.email;
    };
    volumes = [
      "/var/lib/peertube/storage:/data"
      "/var/lib/peertube/config:/config"
    ];
    # --network=host: the container shares the host network namespace, so it
    # reaches PostgreSQL/Redis over loopback, but Docker's network isolation
    # and per-port publishing are gone; the host firewall is the only boundary.
    # --pull=always: the floating tag is re-resolved on every start, so a mere
    # restart can switch to a new upstream image; pin a digest
    # (image@sha256:<DIGEST-PLACEHOLDER>) if that is not wanted.
    extraOptions = [ "--network=host" "--pull=always" ];
  };
};

# Stop the container quickly and restart it after a short delay.
systemd.services.docker-peertube.serviceConfig = {
  TimeoutStopSec = lib.mkForce 4;
  RestartSec = lib.mkForce 16;
};
services.zfs.autoScrub.enable = true;
services.zfs.trim.enable = true;

time.timeZone = "UTC";

# Unattended upgrades from the configured channel, rebooting when the new
# generation needs it. NOTE(review): together with --pull=always this means
# both the host and the PeerTube image change without review; fine for a
# single-admin box, but worth knowing when something breaks overnight.
systemd.services.nixos-upgrade.path = lib.mkAfter [ pkgs.bash ];
system.autoUpgrade.enable = true;
system.autoUpgrade.allowReboot = true;

system.stateVersion = "22.11";

# Keep the store small: deduplicate and drop generations older than a week.
nix.optimise.automatic = true;
nix.gc = {
  automatic = true;
  options = "--delete-older-than 7d";
};
}