From a1cfcf1d71685ec85b1103ba7df0d54624c7784f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?=
 <nicolas.jeannerod@moduscreate.com>
Date: Fri, 14 Feb 2025 18:44:35 +0100
Subject: [PATCH] Same treatment for Peertube

---
 deployment/flake-part.nix                 |  11 +-
 services/fediversity/default.nix          |  12 +--
 services/fediversity/peertube.nix         | 119 ---------------------
 services/fediversity/peertube/default.nix | 123 ++++++++++++++++++++++
 services/fediversity/peertube/options.nix |  28 +++++
 services/vm/peertube-vm.nix               |  11 +-
 6 files changed, 164 insertions(+), 140 deletions(-)
 delete mode 100644 services/fediversity/peertube.nix
 create mode 100644 services/fediversity/peertube/default.nix
 create mode 100644 services/fediversity/peertube/options.nix

diff --git a/deployment/flake-part.nix b/deployment/flake-part.nix
index 79052860..a0e42ae5 100644
--- a/deployment/flake-part.nix
+++ b/deployment/flake-part.nix
@@ -100,11 +100,12 @@ in
             fediversity = {
               enable = true;
               domain = "fedi103.abundos.eu";
-              peertube.enable = true;
-
-              temp.peertubeSecretsFile = pkgs.writeText "secret" ''
-                574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24
-              '';
+              peertube = {
+                enable = true;
+                secretsFile = pkgs.writeText "secret" ''
+                  574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24
+                '';
+              };
             };
           }
         );
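Review bot: The secret is still generated with `pkgs.writeText "secret"` on the new `secretsFile` line, which places it in the world-readable Nix store (and the literal hex value is committed to the repository); the refactor renames the option but leaves this exposure unchanged for the fedi103.abundos.eu deployment. The same pattern appears in the rewritten `peertube = { ... }` block of services/vm/peertube-vm.nix. Since the new `fediversity.peertube.secretsFile` option is declared as `types.path`, a file provisioned outside the store at deploy time (which the option's own FIXME already anticipates) would be a drop-in replacement. Until then, a comment such as `# FIXME: writeText puts this secret in the world-readable /nix/store` next to the assignment would make the trade-off visible to whoever copies this block.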
diff --git a/services/fediversity/default.nix b/services/fediversity/default.nix
index 16b0c261..a8c9f69b 100644
--- a/services/fediversity/default.nix
+++ b/services/fediversity/default.nix
@@ -10,7 +10,7 @@ in
     ./garage
     ./mastodon
     ./pixelfed.nix
-    ./peertube.nix
+    ./peertube
   ];
 
   options = {
@@ -28,7 +28,6 @@ in
       };
 
       pixelfed.enable = mkEnableOption "default Fediversity Pixelfed configuration";
-      peertube.enable = mkEnableOption "default Fediversity PeerTube configuration";
 
       temp = mkOption {
         description = "options that are only used while developing; should be removed eventually";
@@ -39,11 +38,6 @@ in
               description = "number of cores; should be obtained from NixOps4";
               type = types.int;
             };
-
-            peertubeSecretsFile = mkOption {
-              description = "should it be provided by NixOps4? or maybe we should just ask for a main secret from which to derive all the others?";
-              type = types.path;
-            };
           };
         };
       };
@@ -61,10 +55,6 @@ in
               type = types.str;
               default = "pixelfed.${config.fediversity.domain}";
             };
-            peertube.domain = mkOption {
-              type = types.str;
-              default = "peertube.${config.fediversity.domain}";
-            };
           };
         };
       };
diff --git a/services/fediversity/peertube.nix b/services/fediversity/peertube.nix
deleted file mode 100644
index 6105a7d3..00000000
--- a/services/fediversity/peertube.nix
+++ /dev/null
@@ -1,119 +0,0 @@
-let
-  snakeoil_key = {
-    id = "GK1f9feea9960f6f95ff404c9b";
-    secret = "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
-  };
-in
-
-{ config, lib, ... }:
-
-lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) {
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-
-    ## For Live streaming and Live streaming when RTMPS is enabled.
-    1935
-    1936
-  ];
-
-  fediversity.garage = {
-    ensureBuckets = {
-      peertube-videos = {
-        website = true;
-        # TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
-        corsRules = {
-          enable = true;
-          allowedHeaders = [ "*" ];
-          allowedMethods = [ "GET" ];
-          allowedOrigins = [ "*" ];
-        };
-      };
-      # TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
-      peertube-playlists = {
-        website = true;
-        corsRules = {
-          enable = true;
-          allowedHeaders = [ "*" ];
-          allowedMethods = [ "GET" ];
-          allowedOrigins = [ "*" ];
-        };
-      };
-    };
-    ensureKeys = {
-      peertube = {
-        inherit (snakeoil_key) id secret;
-        ensureAccess = {
-          peertube-videos = {
-            read = true;
-            write = true;
-            owner = true;
-          };
-          peertube-playlists = {
-            read = true;
-            write = true;
-            owner = true;
-          };
-        };
-      };
-    };
-  };
-
-  services.peertube = {
-    enable = true;
-    localDomain = config.fediversity.internal.peertube.domain;
-
-    # TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to.
-    redis.createLocally = true;
-    database.createLocally = true;
-
-    secrets.secretsFile = config.fediversity.temp.peertubeSecretsFile;
-
-    settings = {
-      object_storage = {
-        enabled = true;
-        endpoint = config.fediversity.garage.api.url;
-        region = "garage";
-        upload_acl.public = null; # Garage does not support ACL
-        upload_acl.private = null; # Garage does not support ACL
-
-        # not supported by garage
-        # SEE: https://garagehq.deuxfleurs.fr/documentation/connect/apps/#peertube
-        proxy.proxyify_private_files = false;
-
-        web_videos = rec {
-          bucket_name = "peertube-videos";
-          prefix = "";
-          base_url = config.fediversity.garage.web.urlForBucket bucket_name;
-        };
-        videos = rec {
-          bucket_name = "peertube-videos";
-          prefix = "";
-          base_url = config.fediversity.garage.web.urlForBucket bucket_name;
-        };
-        streaming_playlists = rec {
-          bucket_name = "peertube-playlists";
-          prefix = "";
-          base_url = config.fediversity.garage.web.urlForBucket bucket_name;
-        };
-      };
-    };
-    serviceEnvironmentFile = "/etc/peertube-env";
-  };
-  environment.etc.peertube-env.text = ''
-    AWS_ACCESS_KEY_ID=${snakeoil_key.id}
-    AWS_SECRET_ACCESS_KEY=${snakeoil_key.secret}
-  '';
-
-  ## Proxying through Nginx
-
-  services.peertube = {
-    configureNginx = true;
-    listenWeb = 443;
-    enableWebHttps = true;
-  };
-  services.nginx.virtualHosts.${config.services.peertube.localDomain} = {
-    forceSSL = true;
-    enableACME = true;
-  };
-}
diff --git a/services/fediversity/peertube/default.nix b/services/fediversity/peertube/default.nix
new file mode 100644
index 00000000..e649c568
--- /dev/null
+++ b/services/fediversity/peertube/default.nix
@@ -0,0 +1,123 @@
+let
+  snakeoil_key = {
+    id = "GK1f9feea9960f6f95ff404c9b";
+    secret = "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
+  };
+in
+
+{ config, lib, ... }:
+
+{
+  imports = [ ./options.nix ];
+
+  config = lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) {
+    networking.firewall.allowedTCPPorts = [
+      80
+      443
+
+      ## For Live streaming and Live streaming when RTMPS is enabled.
+      1935
+      1936
+    ];
+
+    fediversity.garage = {
+      ensureBuckets = {
+        peertube-videos = {
+          website = true;
+          # TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
+          corsRules = {
+            enable = true;
+            allowedHeaders = [ "*" ];
+            allowedMethods = [ "GET" ];
+            allowedOrigins = [ "*" ];
+          };
+        };
+        # TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
+        peertube-playlists = {
+          website = true;
+          corsRules = {
+            enable = true;
+            allowedHeaders = [ "*" ];
+            allowedMethods = [ "GET" ];
+            allowedOrigins = [ "*" ];
+          };
+        };
+      };
+      ensureKeys = {
+        peertube = {
+          inherit (snakeoil_key) id secret;
+          ensureAccess = {
+            peertube-videos = {
+              read = true;
+              write = true;
+              owner = true;
+            };
+            peertube-playlists = {
+              read = true;
+              write = true;
+              owner = true;
+            };
+          };
+        };
+      };
+    };
+
+    services.peertube = {
+      enable = true;
+      localDomain = config.fediversity.peertube.domain;
+
+      # TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to.
+      redis.createLocally = true;
+      database.createLocally = true;
+
+      secrets.secretsFile = config.fediversity.peertube.secretsFile;
+
+      settings = {
+        object_storage = {
+          enabled = true;
+          endpoint = config.fediversity.garage.api.url;
+          region = "garage";
+          upload_acl.public = null; # Garage does not support ACL
+          upload_acl.private = null; # Garage does not support ACL
+
+          # not supported by garage
+          # SEE: https://garagehq.deuxfleurs.fr/documentation/connect/apps/#peertube
+          proxy.proxyify_private_files = false;
+
+          web_videos = rec {
+            bucket_name = "peertube-videos";
+            prefix = "";
+            base_url = config.fediversity.garage.web.urlForBucket bucket_name;
+          };
+          videos = rec {
+            bucket_name = "peertube-videos";
+            prefix = "";
+            base_url = config.fediversity.garage.web.urlForBucket bucket_name;
+          };
+          streaming_playlists = rec {
+            bucket_name = "peertube-playlists";
+            prefix = "";
+            base_url = config.fediversity.garage.web.urlForBucket bucket_name;
+          };
+        };
+      };
+      serviceEnvironmentFile = "/etc/peertube-env";
+    };
+    environment.etc.peertube-env.text = ''
+      AWS_ACCESS_KEY_ID=${snakeoil_key.id}
+      AWS_SECRET_ACCESS_KEY=${snakeoil_key.secret}
+    '';
+
+    ## Proxying through Nginx
+
+    services.peertube = {
+      configureNginx = true;
+      listenWeb = 443;
+      enableWebHttps = true;
+    };
+    services.nginx.virtualHosts.${config.services.peertube.localDomain} = {
+      forceSSL = true;
+      enableACME = true;
+    };
+  };
+}
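Review bot: The Garage credentials in `snakeoil_key` are rendered into `environment.etc.peertube-env.text`, so `AWS_SECRET_ACCESS_KEY` ends up in the Nix store and, as far as I can tell from `environment.etc` defaults, is exposed under /etc to every local user, while the same id/secret is registered via `fediversity.garage.ensureKeys` with read/write/owner rights on both buckets. The commit introduces `fediversity.peertube.secretsFile` for PeerTube's own secret but leaves these S3 credentials inline; pointing `serviceEnvironmentFile` at a file supplied outside the store through the same mechanism would close that gap, and a comment like `# FIXME: snakeoil credentials, world-readable via the store; replace with a deploy-time secret` would mark it meanwhile. As a smaller style point, `services.peertube` is defined twice (the main block and the one under `## Proxying through Nginx`); Nix merges the two attribute-set literals, but a single block would read more easily.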
diff --git a/services/fediversity/peertube/options.nix b/services/fediversity/peertube/options.nix
new file mode 100644
index 00000000..feedcad5
--- /dev/null
+++ b/services/fediversity/peertube/options.nix
@@ -0,0 +1,28 @@
+{ config, lib, ... }:
+
+let
+  inherit (lib) mkOption mkEnableOption;
+  inherit (lib.types) types;
+
+in
+{
+  options.fediversity.peertube = {
+    enable = mkEnableOption "Enable a PeerTube server on the machine";
+
+    domain = mkOption {
+      type = types.str;
+      description = "Internal option — change at your own risk";
+      default = "peertube.${config.fediversity.domain}";
+    };
+
+    secretsFile = mkOption {
+      type = types.path;
+      description = ''
+        Internal option — change at your own risk
+
+        FIXME: should it be provided by NixOps4?
+        or maybe we should just ask for a main secret from which to derive all the others?
+      '';
+    };
+  };
+}
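Review bot: The `enable` option's rendered description is doubled, because `mkEnableOption` already prefixes "Whether to enable " to its argument, so the documentation reads "Whether to enable Enable a PeerTube server on the machine."; it should be `enable = mkEnableOption "a PeerTube server on the machine";`. The `secretsFile` description should also state the requirement that matters operationally: `types.path` accepts a store path, and a store path makes the secret world-readable, so adding `Must point to a file outside the Nix store.` to the description would document the contract the two callers in this patch currently violate. Lastly, `inherit (lib.types) types;` is unusual — if I recall the nixpkgs layout correctly it only works because `lib.types` re-exports itself under `types`; the conventional form is `inherit (lib) types;`.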
diff --git a/services/vm/peertube-vm.nix b/services/vm/peertube-vm.nix
index 0e2c9922..758d64be 100644
--- a/services/vm/peertube-vm.nix
+++ b/services/vm/peertube-vm.nix
@@ -10,11 +10,12 @@
   fediversity = {
     enable = true;
     domain = "localhost";
-    peertube.enable = true;
-
-    temp.peertubeSecretsFile = pkgs.writeText "secret" ''
-      574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24
-    '';
+    peertube = {
+      enable = true;
+      secretsFile = pkgs.writeText "secret" ''
+        574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24
+      '';
+    };
   };
 
   services.peertube = {