let
  # Test-only Garage S3 credentials. They are committed in clear text and,
  # via environment.etc below, end up in the world-readable Nix store, so this
  # key must never be reused outside a throwaway VM.
  snakeoil_key = {
    id = "GK1f9feea9960f6f95ff404c9b";
    secret = "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
  };

  videosBucket = "peertube-videos";
  playlistsBucket = "peertube-playlists";

  # Public, read-only bucket served as a static website. The wildcard origin is
  # deliberate: browsers fetch video segments directly from Garage, and only GET
  # is permitted, so no write is possible through CORS.
  publicWebsiteBucket = {
    website = true;
    corsRules = {
      enable = true;
      allowedHeaders = [ "*" ];
      allowedMethods = [ "GET" ];
      allowedOrigins = [ "*" ];
    };
  };

  # Full control for the PeerTube key on a bucket it uploads to.
  fullAccess = {
    read = true;
    write = true;
    owner = true;
  };

  # Garage's static-website endpoint for a bucket (port 3902), used as the
  # browser-facing base URL of every storage target.
  garageWebUrl = bucket: "http://${bucket}.web.garage.localhost:3902";

  # One PeerTube object_storage target pointing at a Garage bucket.
  storageTarget = bucket: {
    bucket_name = bucket;
    prefix = "";
    base_url = garageWebUrl bucket;
  };
in
{ config, lib, pkgs, ... }:
{
  # NOTE(review): set at the top level, so these ports are opened wherever this
  # module is imported, not only in the VM variant below.
  networking.firewall.allowedTCPPorts = [ 80 9000 ];

  services.garage = {
    ensureBuckets = lib.genAttrs [ videosBucket playlistsBucket ] (_: publicWebsiteBucket);
    ensureKeys.peertube = {
      inherit (snakeoil_key) id secret;
      ensureAccess = lib.genAttrs [ videosBucket playlistsBucket ] (_: fullAccess);
    };
  };

  services.peertube.settings.object_storage = {
    enabled = true;
    endpoint = "http://s3.garage.localhost:3900";
    region = "garage";
    # not supported by garage
    # SEE: https://garagehq.deuxfleurs.fr/documentation/connect/apps/#peertube
    proxy.proxyify_private_files = false;
    web_videos = storageTarget videosBucket;
    videos = storageTarget videosBucket;
    streaming_playlists = storageTarget playlistsBucket;
  };

  # PeerTube reads the S3 credentials from this environment file. Because the
  # file content is generated from Nix, the secret lives in /nix/store.
  services.peertube.serviceEnvironmentFile = "/etc/peertube-env";
  environment.etc.peertube-env.text = ''
    AWS_ACCESS_KEY_ID=${snakeoil_key.id}
    AWS_SECRET_ACCESS_KEY=${snakeoil_key.secret}
  '';

  # Everything below only applies when building a VM (e.g. nixos-rebuild build-vm).
  virtualisation.vmVariant = { config, ... }: {
    services.peertube = {
      enable = true;
      # redirects to localhost, but allows it to have a proper domain name
      localDomain = "peertube.localhost";
      # Plain HTTP on every interface: acceptable only because this is the VM
      # variant, reached from the host through the forwarded port below.
      enableWebHttps = false;
      settings = {
        listen.hostname = "0.0.0.0";
        instance.name = "PeerTube Test VM";
      };
      # TODO: use agenix -- writeText places this secret in the world-readable store.
      secrets.secretsFile = pkgs.writeText "secret" ''
        574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24
      '';
      # TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to.
      redis.createLocally = true;
      database.createLocally = true;
      configureNginx = true;
    };
    virtualisation.forwardPorts = [
      {
        from = "host";
        host.port = 9000;
        guest.port = 9000;
      }
    ];
  };
}