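{ lib, pkgs, ... }:
let
  inherit (lib) readFile;
  inherit (pkgs) writeText;

  # CORS policy shared by both public buckets: any origin may read (GET only).
  # Factored out so it can be narrowed in one place.
  # TODO: these are too broad, after getting everything works narrow it down
  # to the domain we actually want
  permissiveReadOnlyCors = {
    enable = true;
    allowedHeaders = [ "*" ];
    allowedMethods = [ "GET" ];
    allowedOrigins = [ "*" ];
  };

  # Both buckets are exposed through Garage's website endpoint with the same
  # CORS policy.
  publicWebsiteBucket = {
    website = true;
    corsRules = permissiveReadOnlyCors;
  };

  # Access granted to the Peertube key on each bucket (full control).
  fullAccess = {
    read = true;
    write = true;
    owner = true;
  };
in
{
  applications.peertube = {
    description = ''
      ActivityPub-federated video streaming platform using P2P directly in your web browser
    '';

    module.options =
      import ../sharedOptions.nix {
        inherit pkgs lib;
        serviceDocName = "Peertube";
        defaults = {
          domain = "peertube.fediversity.net";
          # NOTE(review): `writeText` produces a store path, so these defaults are
          # readable by every user on the host. They are example values to be
          # overridden by the deployment, not secrets to ship.
          s3AccessKeyFile = writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b";
          s3SecretKeyFile = writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a1";
        };
      }
      // {
        secretsFile = lib.mkOption {
          # FIXME type enforced by upstream module
          type = lib.types.path;
          # Same caveat as above: this default lives in the world-readable store.
          default = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24";
        };
      };

    # Builds the Garage resources and the NixOS module for this application;
    # everything is gated on `cfg.enable`.
    implementation = cfg: lib.optionalAttrs cfg.enable {
      "peertube-bucket".garage = {
        ensureBuckets = {
          peertube-videos = publicWebsiteBucket;
          peertube-playlists = publicWebsiteBucket;
        };
        ensureKeys = {
          peertube = {
            inherit (cfg) s3AccessKeyFile s3SecretKeyFile;
            ensureAccess = {
              peertube-videos = fullAccess;
              peertube-playlists = fullAccess;
            };
          };
        };
        # Object-storage settings pointing Peertube at the Garage instance
        # described by `garage`.
        nixos-configuration = garage:
          let
            # Storage target for one Peertube media class, rooted at bucket `name`.
            bucketTarget = name: {
              bucket_name = name;
              prefix = "";
              base_url = garage.web.urlForBucket name;
            };
          in
          {
            services.peertube.settings.object_storage = {
              enabled = true;
              endpoint = garage.api.url;
              region = "garage";
              upload_acl.public = null; # Garage does not support ACL
              upload_acl.private = null; # Garage does not support ACL
              # not supported by garage
              # SEE: https://garagehq.deuxfleurs.fr/documentation/connect/apps/#peertube
              proxy.proxyify_private_files = false;
              web_videos = bucketTarget "peertube-videos";
              videos = bucketTarget "peertube-videos";
              streaming_playlists = bucketTarget "peertube-playlists";
            };
          };
      };

      "codez".nixos-module.module = { config, ... }: {
        networking.firewall.allowedTCPPorts = [
          80
          443
          ## For Live streaming and Live streaming when RTMPS is enabled.
          1935
          1936
        ];

        ## FIXME: secrets management; we should have a service that writes the
        ## `.env` files based on all the secrets that we need to put there.
        ## `readFile` runs at evaluation time, so the key material is embedded
        ## in the /etc derivation and therefore in the world-readable store.
        environment.etc.peertube-env.text = ''
          AWS_ACCESS_KEY_ID=${readFile cfg.s3AccessKeyFile}
          AWS_SECRET_ACCESS_KEY=${readFile cfg.s3SecretKeyFile}
        '';

        services.peertube = {
          enable = true;
          localDomain = cfg.domain;
          # TODO: in most of nixpkgs, these are true by default. upstream that
          # unless there's a good reason not to.
          redis.createLocally = true;
          database.createLocally = true;
          secrets.secretsFile = cfg.secretsFile;
          serviceEnvironmentFile = "/etc/peertube-env";
          ## Proxying through Nginx
          configureNginx = true;
          listenWeb = 443;
          enableWebHttps = true;
        };

        services.nginx.virtualHosts.${config.services.peertube.localDomain} = {
          forceSSL = true;
          enableACME = true;
        };
      };
    };
  };
}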