Fediversity/deployment/fediversity/applications/peertube/default.nix
Kiara Grouwstra c296bdab0a
deploy separate operator applications thru data model
Signed-off-by: Kiara Grouwstra <kiara@procolix.eu>
2025-11-22 17:55:10 +01:00


{
lib,
pkgs,
...
}:
let
inherit (lib) readFile;
inherit (pkgs) writeText;
in
{
applications.peertube = {
  description = ''
    ActivityPub-federated video streaming platform using P2P directly in your web browser
  '';

  # Option declarations: the shared per-service options, extended with the
  # PeerTube-specific `secretsFile` option.
  module.options =
    let
      shared = import ../sharedOptions.nix {
        inherit pkgs lib;
        serviceDocName = "Peertube";
        defaults = {
          domain = "peertube.fediversity.net";
          # NOTE(review): these defaults are literal credentials. `writeText` copies
          # them into a Nix store path, which is world-readable on every host that
          # evaluates this module, and the literals are also kept in version control.
          # Treat them as throwaway development placeholders: a real deployment must
          # override both options with key files provisioned outside the store.
          s3AccessKeyFile = writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b";
          s3SecretKeyFile = writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a1";
        };
      };
    in
    shared
    // {
      secretsFile = lib.mkOption {
        # FIXME type enforced by upstream module
        type = lib.types.path;
        # Same caveat as the S3 keys above: this default is a fixed value in a
        # world-readable store path, so PeerTube's application secret is
        # predictable unless the option is overridden per deployment.
        default = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24";
      };
    };

  # Deployment: a Garage bucket/key setup plus a NixOS module for the host
  # running PeerTube. Both are produced only when the application is enabled.
  implementation =
    cfg:
    let
      bucketNames = [
        "peertube-videos"
        "peertube-playlists"
      ];
      # Both buckets are served as public websites with the same read-only CORS policy.
      # TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
      publicGetCors = {
        enable = true;
        allowedHeaders = [ "*" ];
        allowedMethods = [ "GET" ];
        allowedOrigins = [ "*" ];
      };
      # The PeerTube key gets full control over every bucket it uses.
      fullAccess = {
        read = true;
        write = true;
        owner = true;
      };
    in
    lib.optionalAttrs cfg.enable {
      "peertube-bucket".garage = {
        ensureBuckets = lib.genAttrs bucketNames (_: {
          website = true;
          corsRules = publicGetCors;
        });
        ensureKeys.peertube = {
          inherit (cfg) s3AccessKeyFile s3SecretKeyFile;
          ensureAccess = lib.genAttrs bucketNames (_: fullAccess);
        };
        nixos-configuration =
          garage:
          let
            # One object-storage section per PeerTube content type, all rooted at the
            # bucket's website URL with an empty key prefix.
            mkStore = bucket_name: {
              inherit bucket_name;
              prefix = "";
              base_url = garage.web.urlForBucket bucket_name;
            };
          in
          {
            services.peertube.settings.object_storage = {
              enabled = true;
              endpoint = garage.api.url;
              region = "garage";
              upload_acl.public = null; # Garage does not support ACL
              upload_acl.private = null; # Garage does not support ACL
              # not supported by garage
              # SEE: https://garagehq.deuxfleurs.fr/documentation/connect/apps/#peertube
              proxy.proxyify_private_files = false;
              web_videos = mkStore "peertube-videos";
              videos = mkStore "peertube-videos";
              streaming_playlists = mkStore "peertube-playlists";
            };
          };
      };

      "codez".nixos-module.module =
        { config, ... }:
        {
          networking.firewall.allowedTCPPorts = [
            80
            443
            ## For Live streaming and Live streaming when RTMPS is enabled.
            1935
            1936
          ];
          ## FIXME: secrets management; we should have a service that writes the
          ## `.env` files based on all the secrets that we need to put there.
          ## `readFile` runs at evaluation time, so the key material is copied into
          ## the store path backing `/etc/peertube-env` and is readable by every
          ## local user; the file should instead be written at activation time with
          ## a restrictive mode (or handed to the unit via systemd credentials).
          environment.etc.peertube-env.text = ''
            AWS_ACCESS_KEY_ID=${readFile cfg.s3AccessKeyFile}
            AWS_SECRET_ACCESS_KEY=${readFile cfg.s3SecretKeyFile}
          '';
          services.peertube = {
            enable = true;
            localDomain = cfg.domain;
            # TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to.
            redis.createLocally = true;
            database.createLocally = true;
            secrets.secretsFile = cfg.secretsFile;
            serviceEnvironmentFile = "/etc/peertube-env";
            ## Proxying through Nginx
            configureNginx = true;
            listenWeb = 443;
            enableWebHttps = true;
          };
          # TLS is terminated by Nginx; plain HTTP is redirected and certificates come from ACME.
          services.nginx.virtualHosts.${config.services.peertube.localDomain} = {
            forceSSL = true;
            enableACME = true;
          };
        };
    };
};
}