From a1cfcf1d71685ec85b1103ba7df0d54624c7784f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?=
Date: Fri, 14 Feb 2025 18:44:35 +0100
Subject: [PATCH] Same treatment for Peertube

---
 deployment/flake-part.nix | 11 +-
 services/fediversity/default.nix | 12 +--
 services/fediversity/peertube.nix | 119 ---------------------
 services/fediversity/peertube/default.nix | 123 ++++++++++++++++++++++
 services/fediversity/peertube/options.nix | 28 +++++
 services/vm/peertube-vm.nix | 11 +-
 6 files changed, 164 insertions(+), 140 deletions(-)
 delete mode 100644 services/fediversity/peertube.nix
 create mode 100644 services/fediversity/peertube/default.nix
 create mode 100644 services/fediversity/peertube/options.nix

diff --git a/deployment/flake-part.nix b/deployment/flake-part.nix
index 79052860..a0e42ae5 100644
--- a/deployment/flake-part.nix
+++ b/deployment/flake-part.nix
@@ -100,11 +100,12 @@ in
 fediversity = {
 enable = true;
 domain = "fedi103.abundos.eu";
- peertube.enable = true;
-
- temp.peertubeSecretsFile = pkgs.writeText "secret" ''
- 574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24
- '';
+ peertube = {
+ enable = true;
+ secretsFile = pkgs.writeText "secret" ''
+ 574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24
+ '';
+ };
 };
 }
 );
diff --git a/services/fediversity/default.nix b/services/fediversity/default.nix
index 16b0c261..a8c9f69b 100644
--- a/services/fediversity/default.nix
+++ b/services/fediversity/default.nix
@@ -10,7 +10,7 @@ in
 ./garage
 ./mastodon
 ./pixelfed.nix
- ./peertube.nix
+ ./peertube
 ];
 
 options = {
@@ -28,7 +28,6 @@ in
 };
 
 pixelfed.enable = mkEnableOption "default Fediversity Pixelfed configuration";
- peertube.enable = mkEnableOption "default Fediversity PeerTube configuration";
 
 temp = mkOption {
 description = "options that are only used while developing; should be removed eventually";
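Review bot: The PeerTube secret for the `fedi103.abundos.eu` deployment is still materialised with `pkgs.writeText "secret" ''…''`, so the renamed `peertube.secretsFile` points at a world-readable /nix/store path and the value itself is committed to git; moving from `temp.peertubeSecretsFile` to `peertube.secretsFile` changes the option name but not where the secret lives. The same 64-hex literal also appears in the `services/vm/peertube-vm.nix` hunk of this patch, so the throwaway test VM and this deployment share one secret. Until the deployment tool can deliver the file out of band (the new option's own FIXME mentions NixOps4), I would at least mark it in place: `# FIXME: placeholder secret; it lives in git and in the world-readable Nix store — replace with an out-of-store path before real use`.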
@@ -39,11 +38,6 @@ in
 description = "number of cores; should be obtained from NixOps4";
 type = types.int;
 };
-
- peertubeSecretsFile = mkOption {
- description = "should it be provided by NixOps4? or maybe we should just ask for a main secret from which to derive all the others?";
- type = types.path;
- };
 };
 };
 };
@@ -61,10 +55,6 @@ in
 type = types.str;
 default = "pixelfed.${config.fediversity.domain}";
 };
- peertube.domain = mkOption {
- type = types.str;
- default = "peertube.${config.fediversity.domain}";
- };
 };
 };
 };
diff --git a/services/fediversity/peertube.nix b/services/fediversity/peertube.nix
deleted file mode 100644
index 6105a7d3..00000000
--- a/services/fediversity/peertube.nix
+++ /dev/null
@@ -1,119 +0,0 @@
-let
- snakeoil_key = {
- id = "GK1f9feea9960f6f95ff404c9b";
- secret = "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
- };
-in
-
-{ config, lib, ... }:
-
-lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) {
- networking.firewall.allowedTCPPorts = [
- 80
- 443
-
- ## For Live streaming and Live streaming when RTMPS is enabled.
- 1935
- 1936
- ];
-
- fediversity.garage = {
- ensureBuckets = {
- peertube-videos = {
- website = true;
- # TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
- corsRules = {
- enable = true;
- allowedHeaders = [ "*" ];
- allowedMethods = [ "GET" ];
- allowedOrigins = [ "*" ];
- };
- };
- # TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
- peertube-playlists = {
- website = true;
- corsRules = {
- enable = true;
- allowedHeaders = [ "*" ];
- allowedMethods = [ "GET" ];
- allowedOrigins = [ "*" ];
- };
- };
- };
- ensureKeys = {
- peertube = {
- inherit (snakeoil_key) id secret;
- ensureAccess = {
- peertube-videos = {
- read = true;
- write = true;
- owner = true;
- };
- peertube-playlists = {
- read = true;
- write = true;
- owner = true;
- };
- };
- };
- };
- };
-
- services.peertube = {
- enable = true;
- localDomain = config.fediversity.internal.peertube.domain;
-
- # TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to.
- redis.createLocally = true;
- database.createLocally = true;
-
- secrets.secretsFile = config.fediversity.temp.peertubeSecretsFile;
-
- settings = {
- object_storage = {
- enabled = true;
- endpoint = config.fediversity.garage.api.url;
- region = "garage";
- upload_acl.public = null; # Garage does not support ACL
- upload_acl.private = null; # Garage does not support ACL
-
- # not supported by garage
- # SEE: https://garagehq.deuxfleurs.fr/documentation/connect/apps/#peertube
- proxy.proxyify_private_files = false;
-
- web_videos = rec {
- bucket_name = "peertube-videos";
- prefix = "";
- base_url = config.fediversity.garage.web.urlForBucket bucket_name;
- };
- videos = rec {
- bucket_name = "peertube-videos";
- prefix = "";
- base_url = config.fediversity.garage.web.urlForBucket bucket_name;
- };
- streaming_playlists = rec {
- bucket_name = "peertube-playlists";
- prefix = "";
- base_url = config.fediversity.garage.web.urlForBucket bucket_name;
- };
- };
- };
- serviceEnvironmentFile = "/etc/peertube-env";
- };
- environment.etc.peertube-env.text = ''
- AWS_ACCESS_KEY_ID=${snakeoil_key.id}
- AWS_SECRET_ACCESS_KEY=${snakeoil_key.secret}
- '';
-
- ## Proxying through Nginx
-
- services.peertube = {
- configureNginx = true;
- listenWeb = 443;
- enableWebHttps = true;
- };
- services.nginx.virtualHosts.${config.services.peertube.localDomain} = {
- forceSSL = true;
- enableACME = true;
- };
-}
diff --git a/services/fediversity/peertube/default.nix b/services/fediversity/peertube/default.nix
new file mode 100644
index 00000000..e649c568
--- /dev/null
+++ b/services/fediversity/peertube/default.nix
@@ -0,0 +1,123 @@
+let
+ snakeoil_key = {
+ id = "GK1f9feea9960f6f95ff404c9b";
+ secret = "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
+ };
+in
+
+{ config, lib, ... }:
+
+{
+ imports = [ ./options.nix ];
+
+ config = lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) {
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+
+ ## For Live streaming and Live streaming when RTMPS is enabled.
+ 1935
+ 1936
+ ];
+
+ fediversity.garage = {
+ ensureBuckets = {
+ peertube-videos = {
+ website = true;
+ # TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
+ corsRules = {
+ enable = true;
+ allowedHeaders = [ "*" ];
+ allowedMethods = [ "GET" ];
+ allowedOrigins = [ "*" ];
+ };
+ };
+ # TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
+ peertube-playlists = {
+ website = true;
+ corsRules = {
+ enable = true;
+ allowedHeaders = [ "*" ];
+ allowedMethods = [ "GET" ];
+ allowedOrigins = [ "*" ];
+ };
+ };
+ };
+ ensureKeys = {
+ peertube = {
+ inherit (snakeoil_key) id secret;
+ ensureAccess = {
+ peertube-videos = {
+ read = true;
+ write = true;
+ owner = true;
+ };
+ peertube-playlists = {
+ read = true;
+ write = true;
+ owner = true;
+ };
+ };
+ };
+ };
+ };
+
+ services.peertube = {
+ enable = true;
+ localDomain = config.fediversity.peertube.domain;
+
+ # TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to.
+ redis.createLocally = true;
+ database.createLocally = true;
+
+ secrets.secretsFile = config.fediversity.peertube.secretsFile;
+
+ settings = {
+ object_storage = {
+ enabled = true;
+ endpoint = config.fediversity.garage.api.url;
+ region = "garage";
+ upload_acl.public = null; # Garage does not support ACL
+ upload_acl.private = null; # Garage does not support ACL
+
+ # not supported by garage
+ # SEE: https://garagehq.deuxfleurs.fr/documentation/connect/apps/#peertube
+ proxy.proxyify_private_files = false;
+
+ web_videos = rec {
+ bucket_name = "peertube-videos";
+ prefix = "";
+ base_url = config.fediversity.garage.web.urlForBucket bucket_name;
+ };
+ videos = rec {
+ bucket_name = "peertube-videos";
+ prefix = "";
+ base_url = config.fediversity.garage.web.urlForBucket bucket_name;
+ };
+ streaming_playlists = rec {
+ bucket_name = "peertube-playlists";
+ prefix = "";
+ base_url = config.fediversity.garage.web.urlForBucket bucket_name;
+ };
+ };
+ };
+ serviceEnvironmentFile = "/etc/peertube-env";
+ };
+ environment.etc.peertube-env.text = ''
+ AWS_ACCESS_KEY_ID=${snakeoil_key.id}
+ AWS_SECRET_ACCESS_KEY=${snakeoil_key.secret}
+ '';
+
+ ## Proxying through Nginx
+
+ services.peertube = {
+ configureNginx = true;
+ listenWeb = 443;
+ enableWebHttps = true;
+ };
+ services.nginx.virtualHosts.${config.services.peertube.localDomain} = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+}
diff --git a/services/fediversity/peertube/options.nix b/services/fediversity/peertube/options.nix
new file mode 100644
index 00000000..feedcad5
--- /dev/null
+++ b/services/fediversity/peertube/options.nix
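Review bot: `environment.etc.peertube-env.text` writes `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` from the hard-coded `snakeoil_key` into /etc, and a `text`-only `environment.etc` entry is, as far as I recall, backed by a store path, so the Garage credentials that `ensureKeys.peertube` grants `owner = true` on both buckets end up readable by every local user and are committed to git; the name says snakeoil, but nothing in the file says the key must not reach a real host. I would add, above `snakeoil_key`, a comment along the lines of `# snakeoil_key is a committed placeholder; real deployments must supply serviceEnvironmentFile from outside the Nix store (mode 0400, owned by the peertube user)`, and consider turning the id/secret into options next to `secretsFile` so the module cannot be deployed without overriding them. Separately, `networking.firewall.allowedTCPPorts` opens 1935 and 1936 unconditionally while nothing in this file sets PeerTube's `live.enabled`, so those two ports could be gated on that setting instead of being exposed by default.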
@@ -0,0 +1,28 @@
+{ config, lib, ... }:
+
+let
+ inherit (lib) mkOption mkEnableOption;
+ inherit (lib.types) types;
+
+in
+{
+ options.fediversity.peertube = {
+ enable = mkEnableOption "Enable a PeerTube server on the machine";
+
+ domain = mkOption {
+ type = types.str;
+ description = "Internal option — change at your own risk";
+ default = "peertube.${config.fediversity.domain}";
+ };
+
+ secretsFile = mkOption {
+ type = types.path;
+ description = ''
+ Internal option — change at your own risk
+
+ FIXME: should it be provided by NixOps4?
+ or maybe we should just ask for a main secret from which to derive all the others?
+ '';
+ };
+ };
+}
diff --git a/services/vm/peertube-vm.nix b/services/vm/peertube-vm.nix
index 0e2c9922..758d64be 100644
--- a/services/vm/peertube-vm.nix
+++ b/services/vm/peertube-vm.nix
@@ -10,11 +10,12 @@
 fediversity = {
 enable = true;
 domain = "localhost";
- peertube.enable = true;
-
- temp.peertubeSecretsFile = pkgs.writeText "secret" ''
- 574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24
- '';
+ peertube = {
+ enable = true;
+ secretsFile = pkgs.writeText "secret" ''
+ 574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24
+ '';
+ };
 };
 
 services.peertube = {
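Review bot: `enable = mkEnableOption "Enable a PeerTube server on the machine"` renders as "Whether to enable Enable a PeerTube server on the machine." because `mkEnableOption` already prefixes "Whether to enable"; the option removed from `default.nix` used a noun phrase, so `enable = mkEnableOption "a PeerTube server on this machine";` keeps the generated text grammatical. `inherit (lib.types) types;` also reads oddly: as far as I can tell it only works because `lib.types` re-exports its inner `types` attribute set, and the conventional `inherit (lib) types;` says what is meant. For `secretsFile`, `types.path` accepts a store path, which is exactly what both callers in this patch pass, so the description could state that the file is read by the peertube service and must live outside the world-readable Nix store.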
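Review bot: `secretsFile = pkgs.writeText "secret" ''…''` in this VM fixture carries the same 64-hex literal as `deployment/flake-part.nix` in this patch, so the local test VM and the `fedi103.abundos.eu` deployment share one secret and rotating either will not rotate the other. Since this file targets `domain = "localhost"`, a distinct, obviously-dummy value with a comment such as `# dummy secret for the local test VM only; never reuse in a deployment` would make the intent clear and keep it from being copied into real configurations. The `services.peertube = {` block the hunk ends on continues outside it.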