208 lines
4.9 KiB
Nix
208 lines
4.9 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
let
|
|
secrets = import ./secrets.nix;
|
|
|
|
ldap = pkgs.buildGoModule rec {
|
|
name = "ldap";
|
|
src = ./ldap;
|
|
vendorHash = "sha256-HlsVCWs7Q4kBAtRpt3U323tRmgWdQxZlpfMZ/cSlw4Q=";
|
|
};
|
|
|
|
image =
|
|
"chocobozzz/peertube@" +
|
|
"sha256:3bd126fc8b66a6a12593d73f74d0a3ffc7fc3206e5e9ebf39c8a8e0ca5408194";
|
|
|
|
domainName = "v.lor.sh";
|
|
hostName = builtins.replaceStrings [ "." ] [ "-" ] "${domainName}";
|
|
in {
|
|
imports = [ ./hardware-configuration.nix ];
|
|
|
|
boot.loader = {
|
|
efi.canTouchEfiVariables = true;
|
|
grub = {
|
|
enable = true;
|
|
efiSupport = true;
|
|
device = "nodev";
|
|
mirroredBoots = [{
|
|
devices = [ "nodev" ];
|
|
path = "/boot-fallback";
|
|
}];
|
|
};
|
|
};
|
|
|
|
networking = {
|
|
hostName = hostName;
|
|
hostId = (builtins.substring 0 8 (builtins.readFile "/etc/machine-id"));
|
|
|
|
useDHCP = false;
|
|
|
|
interfaces.eno1 = {
|
|
ipv4 = secrets.ipv4;
|
|
ipv6 = secrets.ipv6;
|
|
};
|
|
|
|
nameservers = [ "1.1.1.1" ];
|
|
|
|
firewall = {
|
|
enable = true;
|
|
allowedTCPPorts = [ 80 443 ];
|
|
};
|
|
};
|
|
|
|
users.extraUsers.root.openssh.authorizedKeys.keys = secrets.pubkeys;
|
|
|
|
services.openssh.enable = true;
|
|
|
|
environment.systemPackages = with pkgs; [ vim htop git tmux ];
|
|
|
|
systemd.services."peertube-ldap" = {
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "network.target" ];
|
|
environment = {
|
|
AUTH_URL = secrets.peertube.auth.url;
|
|
AUTH_SECRET = secrets.peertube.auth.secret;
|
|
LDAP_USER = secrets.peertube.ldap.user;
|
|
LDAP_PASS = secrets.peertube.ldap.password;
|
|
};
|
|
serviceConfig = {
|
|
Restart = "always";
|
|
RestartSec = 30;
|
|
ExecStart = "${ldap}/bin/ldap";
|
|
User = "peertube";
|
|
};
|
|
};
|
|
|
|
services.caddy = {
|
|
enable = true;
|
|
virtualHosts."${domainName}".extraConfig = ''
|
|
encode gzip
|
|
|
|
root * /dev/null
|
|
reverse_proxy localhost:9000
|
|
|
|
header {
|
|
Strict-Transport-Security "max-age=31536000;"
|
|
}
|
|
'';
|
|
};
|
|
|
|
system.activationScripts.peertube = ''
|
|
mkdir -p /var/lib/peertube/{storage,config}
|
|
cat > /var/lib/peertube/config/local.yml <<EOF
|
|
redis:
|
|
hostname: '${hostName}'
|
|
|
|
object_storage:
|
|
enabled: true
|
|
endpoint: 'https://sos-ch-gva-2.exo.io'
|
|
region: 'ch-gva-2'
|
|
|
|
upload_acl:
|
|
public: 'public-read'
|
|
private: 'private'
|
|
|
|
proxy:
|
|
proxify_private_files: true
|
|
|
|
credentials:
|
|
access_key_id: '${secrets.peertube.s3.id}'
|
|
secret_access_key: '${secrets.peertube.s3.key}'
|
|
|
|
max_upload_part: 2GB
|
|
|
|
streaming_playlists:
|
|
bucket_name: 'v-lor-sh'
|
|
prefix: 'streaming-playlists/'
|
|
base_url: 'https://v-lor-sh.sos-ch-gva-2.exoscale-cdn.com'
|
|
|
|
videos:
|
|
bucket_name: 'v-lor-sh'
|
|
prefix: 'videos/'
|
|
base_url: 'https://v-lor-sh.sos-ch-gva-2.exoscale-cdn.com'
|
|
EOF
|
|
'';
|
|
|
|
users.users.peertube = {
|
|
isSystemUser = true;
|
|
group = "peertube";
|
|
};
|
|
|
|
users.groups.peertube = { };
|
|
|
|
systemd.services.peertube-init-db = {
|
|
description = "Initialization database for PeerTube daemon";
|
|
after = [ "network.target" "postgresql.service" ];
|
|
requires = [ "postgresql.service" ];
|
|
before = [ "docker-peertube.service" ];
|
|
wantedBy = [ "docker-peertube.service" ];
|
|
script = ''
|
|
${pkgs.postgresql}/bin/psql peertube -c '\q' && exit 0
|
|
${pkgs.postgresql}/bin/createuser -w peertube
|
|
${pkgs.postgresql}/bin/psql -c "ALTER USER peertube WITH PASSWORD '${secrets.peertube.db.password}'";
|
|
|
|
${pkgs.postgresql}/bin/createdb -O peertube -E UTF8 -T template0 peertube
|
|
${pkgs.postgresql}/bin/psql -c "CREATE EXTENSION pg_trgm;" peertube
|
|
${pkgs.postgresql}/bin/psql -c "CREATE EXTENSION unaccent;" peertube
|
|
'';
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
User = "postgres";
|
|
Group = "postgres";
|
|
};
|
|
};
|
|
|
|
services.postgresql = {
|
|
enable = true;
|
|
enableTCPIP = true;
|
|
};
|
|
|
|
services.redis.servers.peertube = {
|
|
enable = true;
|
|
bind = "127.0.0.1";
|
|
port = 6379;
|
|
};
|
|
|
|
virtualisation.oci-containers.backend = "docker";
|
|
|
|
virtualisation.oci-containers.containers = {
|
|
peertube = {
|
|
image = image;
|
|
environment = {
|
|
PEERTUBE_SECRET = "${secrets.peertube.secret}";
|
|
PEERTUBE_WEBSERVER_HOSTNAME = domainName;
|
|
PEERTUBE_DB_USERNAME = "peertube";
|
|
PEERTUBE_DB_PASSWORD = secrets.peertube.db.password;
|
|
PEERTUBE_DB_HOSTNAME = hostName;
|
|
PEERTUBE_ADMIN_EMAIL = secrets.peertube.admin.email;
|
|
};
|
|
volumes = [
|
|
"/var/lib/peertube/storage:/data"
|
|
"/var/lib/peertube/config:/config"
|
|
];
|
|
extraOptions = [ "--network=host" ];
|
|
};
|
|
};
|
|
|
|
services.zfs = {
|
|
autoScrub.enable = true;
|
|
trim.enable = true;
|
|
};
|
|
|
|
time.timeZone = "UTC";
|
|
|
|
system.autoUpgrade = {
|
|
enable = true;
|
|
allowReboot = true;
|
|
};
|
|
|
|
system.stateVersion = "22.11";
|
|
|
|
nix = {
|
|
optimise.automatic = true;
|
|
gc = {
|
|
automatic = true;
|
|
options = "--delete-older-than 7d";
|
|
};
|
|
};
|
|
}
|