kiara/Fediversity
1
0
Fork 0
forked from fediversity/fediversity
Code Pull requests Activity
Fediversity/services/fediversity/peertube/default.nix
Kiara Grouwstra 9a25a04bfa specify _class module attributes to explicitly declare module types (#398) 
closes #93.

note that this includes classes:

- `nixos`
- `nixosTest`
- `nixops4Resource`
- `nixops4Deployment`

.. and my (made-up, as per the [docs](https://ryantm.github.io/nixpkgs/module-system/module-system/#module-system-lib-evalModules-param-class)):

- `nix-unit`
- `package`

.. while i did not manage to cover:

- service tests, given `pkgs.nixosTest` seemed to not actually like `_class = "nixosTest"` (?!)

... nor #93's mentioned destructured arguments for that matter, as per Fediversity/Fediversity#93 (comment) - let me know if that is still desired as well.

Reviewed-on: Fediversity/Fediversity#398
Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io>
Co-authored-by: Kiara Grouwstra <kiara@procolix.eu>
Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>
2025-06-23 17:24:54 +02:00

137 lines
4.1 KiB
Nix
Raw Permalink Blame History

{ config, lib, ... }:
let
inherit (lib) mkIf mkMerge readFile;
in
{
_class = "nixos";
imports = [ ./options.nix ];
config = mkMerge [
(mkIf
(
config.fediversity.garage.enable
&& config.fediversity.peertube.s3AccessKeyFile != null
&& config.fediversity.peertube.s3SecretKeyFile != null
)
{
fediversity.garage = {
ensureBuckets = {
peertube-videos = {
website = true;
# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
peertube-playlists = {
website = true;
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
};
ensureKeys = {
peertube = {
inherit (config.fediversity.peertube) s3AccessKeyFile s3SecretKeyFile;
ensureAccess = {
peertube-videos = {
read = true;
write = true;
owner = true;
};
peertube-playlists = {
read = true;
write = true;
owner = true;
};
};
};
};
};
}
)
(mkIf config.fediversity.peertube.enable {
networking.firewall.allowedTCPPorts = [
80
443
## For Live streaming and Live streaming when RTMPS is enabled.
1935
1936
];
services.peertube = {
enable = true;
localDomain = config.fediversity.peertube.domain;
# TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to.
redis.createLocally = true;
database.createLocally = true;
secrets.secretsFile = config.fediversity.peertube.secretsFile;
settings = {
object_storage = {
enabled = true;
endpoint = config.fediversity.garage.api.url;
region = "garage";
upload_acl.public = null; # Garage does not support ACL
upload_acl.private = null; # Garage does not support ACL
# not supported by garage
# SEE: https://garagehq.deuxfleurs.fr/documentation/connect/apps/#peertube
proxy.proxyify_private_files = false;
web_videos = rec {
bucket_name = "peertube-videos";
prefix = "";
base_url = config.fediversity.garage.web.urlForBucket bucket_name;
};
videos = rec {
bucket_name = "peertube-videos";
prefix = "";
base_url = config.fediversity.garage.web.urlForBucket bucket_name;
};
streaming_playlists = rec {
bucket_name = "peertube-playlists";
prefix = "";
base_url = config.fediversity.garage.web.urlForBucket bucket_name;
};
};
};
serviceEnvironmentFile = "/etc/peertube-env";
};
## FIXME: secrets management; we should have a service that writes the
## `.env` files based on all the secrets that we need to put there.
environment.etc.peertube-env.text = ''
AWS_ACCESS_KEY_ID=${readFile config.fediversity.peertube.s3AccessKeyFile}
AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.peertube.s3SecretKeyFile}
'';
## Proxying through Nginx
services.peertube = {
configureNginx = true;
listenWeb = 443;
enableWebHttps = true;
};
services.nginx.virtualHosts.${config.services.peertube.localDomain} = {
forceSSL = true;
enableACME = true;
};
})
];
}
View git blame Copy permalink