lois/Fediversity
1
0
Fork 0
forked from fediversity/fediversity
Code Pull requests Activity

Same treatment for Peertube

Browse source
This commit is contained in:
Nicolas Jeannerod 2025-02-14 18:44:35 +01:00
parent ca6642c8d4
commit a1cfcf1d71
Signed by untrusted user: Niols
GPG key ID: 35DB9EC8886E1CB8
6 changed files with 164 additions and 140 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
deployment/flake-part.nix
View file

@ -100,11 +100,12 @@ in
fediversity = {
enable = true;
domain = "fedi103.abundos.eu";
peertube.enable = true;
temp.peertubeSecretsFile = pkgs.writeText "secret" ''
574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24
'';
peertube = {
enable = true;
secretsFile = pkgs.writeText "secret" ''
574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24
'';
};
};
}
);

12
services/fediversity/default.nix
View file

@ -10,7 +10,7 @@ in
./garage
./mastodon
./pixelfed.nix
./peertube.nix
./peertube
];
options = {
@ -28,7 +28,6 @@ in
};
pixelfed.enable = mkEnableOption "default Fediversity Pixelfed configuration";
peertube.enable = mkEnableOption "default Fediversity PeerTube configuration";
temp = mkOption {
description = "options that are only used while developing; should be removed eventually";
@ -39,11 +38,6 @@ in
description = "number of cores; should be obtained from NixOps4";
type = types.int;
};
peertubeSecretsFile = mkOption {
description = "should it be provided by NixOps4? or maybe we should just ask for a main secret from which to derive all the others?";
type = types.path;
};
};
};
};
@ -61,10 +55,6 @@ in
type = types.str;
default = "pixelfed.${config.fediversity.domain}";
};
peertube.domain = mkOption {
type = types.str;
default = "peertube.${config.fediversity.domain}";
};
};
};
};

119
services/fediversity/peertube.nix
View file

@ -1,119 +0,0 @@
let
snakeoil_key = {
id = "GK1f9feea9960f6f95ff404c9b";
secret = "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
};
in
{ config, lib, ... }:
lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) {
networking.firewall.allowedTCPPorts = [
80
443
## For Live streaming and Live streaming when RTMPS is enabled.
1935
1936
];
fediversity.garage = {
ensureBuckets = {
peertube-videos = {
website = true;
# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
peertube-playlists = {
website = true;
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
};
ensureKeys = {
peertube = {
inherit (snakeoil_key) id secret;
ensureAccess = {
peertube-videos = {
read = true;
write = true;
owner = true;
};
peertube-playlists = {
read = true;
write = true;
owner = true;
};
};
};
};
};
services.peertube = {
enable = true;
localDomain = config.fediversity.internal.peertube.domain;
# TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to.
redis.createLocally = true;
database.createLocally = true;
secrets.secretsFile = config.fediversity.temp.peertubeSecretsFile;
settings = {
object_storage = {
enabled = true;
endpoint = config.fediversity.garage.api.url;
region = "garage";
upload_acl.public = null; # Garage does not support ACL
upload_acl.private = null; # Garage does not support ACL
# not supported by garage
# SEE: https://garagehq.deuxfleurs.fr/documentation/connect/apps/#peertube
proxy.proxyify_private_files = false;
web_videos = rec {
bucket_name = "peertube-videos";
prefix = "";
base_url = config.fediversity.garage.web.urlForBucket bucket_name;
};
videos = rec {
bucket_name = "peertube-videos";
prefix = "";
base_url = config.fediversity.garage.web.urlForBucket bucket_name;
};
streaming_playlists = rec {
bucket_name = "peertube-playlists";
prefix = "";
base_url = config.fediversity.garage.web.urlForBucket bucket_name;
};
};
};
serviceEnvironmentFile = "/etc/peertube-env";
};
environment.etc.peertube-env.text = ''
AWS_ACCESS_KEY_ID=${snakeoil_key.id}
AWS_SECRET_ACCESS_KEY=${snakeoil_key.secret}
'';
## Proxying through Nginx
services.peertube = {
configureNginx = true;
listenWeb = 443;
enableWebHttps = true;
};
services.nginx.virtualHosts.${config.services.peertube.localDomain} = {
forceSSL = true;
enableACME = true;
};
}

123
services/fediversity/peertube/default.nix Normal file
View file

@ -0,0 +1,123 @@
let
snakeoil_key = {
id = "GK1f9feea9960f6f95ff404c9b";
secret = "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
};
in
{ config, lib, ... }:
{
imports = [ ./options.nix ];
config = lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) {
networking.firewall.allowedTCPPorts = [
80
443
## For Live streaming and Live streaming when RTMPS is enabled.
1935
1936
];
fediversity.garage = {
ensureBuckets = {
peertube-videos = {
website = true;
# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
peertube-playlists = {
website = true;
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
};
ensureKeys = {
peertube = {
inherit (snakeoil_key) id secret;
ensureAccess = {
peertube-videos = {
read = true;
write = true;
owner = true;
};
peertube-playlists = {
read = true;
write = true;
owner = true;
};
};
};
};
};
services.peertube = {
enable = true;
localDomain = config.fediversity.peertube.domain;
# TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to.
redis.createLocally = true;
database.createLocally = true;
secrets.secretsFile = config.fediversity.peertube.secretsFile;
settings = {
object_storage = {
enabled = true;
endpoint = config.fediversity.garage.api.url;
region = "garage";
upload_acl.public = null; # Garage does not support ACL
upload_acl.private = null; # Garage does not support ACL
# not supported by garage
# SEE: https://garagehq.deuxfleurs.fr/documentation/connect/apps/#peertube
proxy.proxyify_private_files = false;
web_videos = rec {
bucket_name = "peertube-videos";
prefix = "";
base_url = config.fediversity.garage.web.urlForBucket bucket_name;
};
videos = rec {
bucket_name = "peertube-videos";
prefix = "";
base_url = config.fediversity.garage.web.urlForBucket bucket_name;
};
streaming_playlists = rec {
bucket_name = "peertube-playlists";
prefix = "";
base_url = config.fediversity.garage.web.urlForBucket bucket_name;
};
};
};
serviceEnvironmentFile = "/etc/peertube-env";
};
environment.etc.peertube-env.text = ''
AWS_ACCESS_KEY_ID=${snakeoil_key.id}
AWS_SECRET_ACCESS_KEY=${snakeoil_key.secret}
'';
## Proxying through Nginx
services.peertube = {
configureNginx = true;
listenWeb = 443;
enableWebHttps = true;
};
services.nginx.virtualHosts.${config.services.peertube.localDomain} = {
forceSSL = true;
enableACME = true;
};
};
}

28
services/fediversity/peertube/options.nix Normal file
View file

@ -0,0 +1,28 @@
{ config, lib, ... }:
let
inherit (lib) mkOption mkEnableOption;
inherit (lib.types) types;
in
{
options.fediversity.peertube = {
enable = mkEnableOption "Enable a PeerTube server on the machine";
domain = mkOption {
type = types.str;
description = "Internal option change at your own risk";
default = "peertube.${config.fediversity.domain}";
};
secretsFile = mkOption {
type = types.path;
description = ''
Internal option change at your own risk
FIXME: should it be provided by NixOps4?
or maybe we should just ask for a main secret from which to derive all the others?
'';
};
};
}

11
services/vm/peertube-vm.nix
View file

@ -10,11 +10,12 @@
fediversity = {
enable = true;
domain = "localhost";
peertube.enable = true;
temp.peertubeSecretsFile = pkgs.writeText "secret" ''
574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24
'';
peertube = {
enable = true;
secretsFile = pkgs.writeText "secret" ''
574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24
'';
};
};
services.peertube = {