{
config,
lib,
pkgs,
...
}: let
cfg = config.services.peertube;
# Syscall groups to *deny*. Consumers build a SystemCallFilter deny-list from
# this (the "~" prefix is added at the use site) and may append further
# groups; peertube-init-db below adds "@resources".
systemCallsList = [
"@cpu-emulation"
"@debug"
"@keyring"
"@ipc"
"@memlock"
"@mount"
"@obsolete"
"@privileged"
"@setuid"
];
# Shared systemd hardening, merged into a unit's serviceConfig with
# `// cfgService`. Nix `//` is right-biased, so any key listed here overrides
# a same-named key in the unit's own serviceConfig. Address-family limits,
# MemoryDenyWriteExecute and SystemCallFilter are intentionally left to each
# unit, because they depend on what the unit actually does.
cfgService = {
# Proc filesystem
# Hide other users' processes in /proc from the service.
ProtectProc = "invisible";
# Access write directories
# 0027: files the service creates are owner rw, group r, nothing for others.
UMask = "0027";
# Capabilities
# Empty bounding set: the service cannot hold or acquire any capability.
CapabilityBoundingSet = "";
# Security
# Child processes cannot gain privileges via setuid/fscaps binaries.
NoNewPrivileges = true;
# Sandboxing
# "strict" mounts the whole hierarchy read-only except /dev, /proc and /sys;
# any writable path would have to be listed explicitly (none is here).
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
# Separate user namespace: root inside the unit is unprivileged on the host.
PrivateUsers = true;
ProtectClock = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectControlGroups = true;
RestrictNamespaces = true;
LockPersonality = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
# System Call Filtering
# Only the host's native syscall ABI (no 32-bit compat entry points).
SystemCallArchitectures = "native";
};
in {
services.peertube = {
enable = true;
# Production domain, kept for when the test instance is retired.
# localDomain = "watch.capytal.cc";
localDomain = "watch-test.capytal.cc";
# listenHttp is the port PeerTube itself binds; listenWeb is what the derived
# listeners at the bottom of this file are computed from (Caddy +1, Anubis +2,
# Anubis metrics +3). Both are 9945 here, so Anubis proxies straight to
# PeerTube's own listener.
listenWeb = 9945;
listenHttp = 9945;
# NOTE(review): https is off while webserver.port is forced to 443 below. If
# TLS is terminated by a proxy in front of this host, PeerTube will still
# advertise plain-http URLs (federation, redirects) unless this is true —
# confirm against the nixpkgs module, which (as far as I recall) maps
# enableWebHttps to settings.webserver.https.
enableWebHttps = false;
database = {
# Replaced by the hand-written peertube-init-db unit further down, which
# passes the non-default PostgreSQL port.
# createLocally = true;
# Unix-socket directory: the database connection never leaves the host.
host = "/run/postgresql";
port = config.services.postgresql.settings.port;
# Read at runtime from the sops-managed file; the password is not in the
# Nix store.
passwordFile = config.sops.secrets."peertube/database/password".path;
};
redis.createLocally = true;
# NOTE(review): this also provisions an nginx vhost for localDomain. The
# Caddy -> Anubis chain at the bottom of this file reaches PeerTube directly;
# if the nginx vhost is reachable from outside as well, it is a second entry
# point that skips the Anubis challenge — confirm which listener is public.
configureNginx = true;
settings = {
# Closed registration: accounts are created by an administrator only.
signup.enabled = false;
object_storage = {
enabled = true;
# Scheme-less endpoint, presumably plain HTTP to a local Garage instance
# (region "garage"). Access keys are not set here — presumably supplied via
# serviceEnvironmentFile below; confirm.
endpoint = "localhost:3461";
region = "garage";
# One shared bucket; each content type gets its own key prefix so the
# object keys cannot collide.
videos = {
bucket_name = "peertube";
prefix = "hls-videos:";
};
streaming_playlists = {
bucket_name = "peertube";
prefix = "streaming-playlists:";
};
user_exports = {
bucket_name = "peertube";
prefix = "user-exports:";
};
original_video_files = {
bucket_name = "peertube";
prefix = "original-video-files:";
};
captions = {
bucket_name = "peertube";
prefix = "captions:";
};
};
webserver = {
hostname = cfg.localDomain;
# Public port advertised in generated URLs; mkForce overrides whatever the
# module derives from listenWeb.
port = lib.mkForce 443;
};
};
# Both files are sops secrets resolved at runtime; nothing secret is in the
# store or in the generated config.
secrets.secretsFile = config.sops.secrets."peertube/secretsFile".path;
serviceEnvironmentFile = config.sops.secrets."peertube/environment".path;
# TODO: Set up postfix server for forms and contact
};
# TODO: Commit this to upstream nixpkgs?
# HACK: services.peertube.database.createLocally ignores services.postgresql.settings.port,
# so the init unit is re-declared here and passes the port explicitly with `-p`.
# Creates the PeerTube role, database and extensions as the postgres user over
# the local socket, passing the configured port explicitly (the upstream
# createLocally path does not). The SQL is idempotent (EXISTS guards and
# IF NOT EXISTS), so re-running the unit is safe.
# NOTE(review): there is no wantedBy= and nothing in this file pulls the unit
# in. As far as I recall, nixpkgs only orders peertube.service after
# peertube-init-db when database.createLocally is set, which is commented out
# above — confirm this unit actually runs before peertube.service, otherwise
# it only runs when started by hand.
systemd.services.peertube-init-db = {
description = "Initialization database for PeerTube daemon";
after = [
"network.target"
"postgresql.service"
];
requires = ["postgresql.service"];
script = let
# Role/database names are interpolated into the SQL without escaping. They
# come from the module options, not from runtime input, so keep them free of
# quote characters. The role is created without a password; authentication
# over /run/postgresql is presumably peer auth — confirm pg_hba.
psqlSetupCommands = pkgs.writeText "peertube-init.sql" ''
SELECT 'CREATE USER "${cfg.database.user}"' WHERE NOT EXISTS (SELECT FROM pg_roles WHERE rolname = '${cfg.database.user}')\gexec
SELECT 'CREATE DATABASE "${cfg.database.name}" OWNER "${cfg.database.user}" TEMPLATE template0 ENCODING UTF8' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '${cfg.database.name}')\gexec
\c '${cfg.database.name}'
CREATE EXTENSION IF NOT EXISTS pg_trgm;
CREATE EXTENSION IF NOT EXISTS unaccent;
'';
# `-p` is the reason this unit exists: the upstream init job ignores a
# non-default PostgreSQL port.
in "${config.services.postgresql.package}/bin/psql -f ${psqlSetupCommands} -p ${toString config.services.postgresql.settings.port}";
serviceConfig =
{
Type = "oneshot";
WorkingDirectory = cfg.package;
# User and group
# Runs as the postgres user so CREATE USER/DATABASE/EXTENSION are permitted.
User = "postgres";
Group = "postgres";
# Sandboxing
# Unix sockets only: psql talks to /run/postgresql, never over TCP.
RestrictAddressFamilies = ["AF_UNIX"];
MemoryDenyWriteExecute = true;
# System Call Filtering
# Deny-list ("~") of the shared groups plus @resources.
SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ ["@resources"]);
}
# Right-hand side wins on duplicate keys: cfgService must not define any of
# the keys above or it would silently override them.
// cfgService;
};
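services.anubis.instances."peertube" = {
  settings = {
    # Bind the challenge proxy and its Prometheus metrics to loopback only.
    # A bare ":port" listens on every interface, so both would otherwise be
    # reachable from outside without passing through Caddy (unless the host
    # firewall happens to block those ports). Only the Caddy listener below
    # needs to reach them.
    BIND = "127.0.0.1:${toString (cfg.listenWeb + 2)}";
    BIND_NETWORK = "tcp";
    METRICS_BIND = "127.0.0.1:${toString (cfg.listenWeb + 3)}";
    METRICS_BIND_NETWORK = "tcp";
    SERVE_ROBOTS_TXT = true;
    # Upstream is PeerTube's own listener (listenHttp == listenWeb above),
    # presumably not the nginx vhost that configureNginx provisions.
    TARGET = "http://localhost:${toString cfg.listenWeb}";
    # Key Anubis signs its challenge tokens with; read at runtime from the
    # sops secret path, never from the Nix store.
    ED25519_PRIVATE_KEY_HEX_FILE = config.sops.secrets."anubis/peertube/hex_file".path;
  };
};
services.caddy.virtualHosts = {
  # Plain-HTTP listener (no hostname, so Caddy does no automatic TLS here);
  # it forwards to Anubis, which in turn fronts PeerTube.
  ":${toString (cfg.listenWeb + 1)}" = {
    extraConfig = ''
      # BIND carries host:port, so it is used verbatim as the upstream.
      reverse_proxy http://${config.services.anubis.instances."peertube".settings.BIND} {
        header_up X-Http-Version {http.request.proto}
        # NOTE(review): {remote_host} is the direct peer. If another proxy
        # sits in front of this listener, configure trusted_proxies and use
        # {client_ip} instead, or Anubis will see every client as that proxy.
        header_up X-Real-Ip {remote_host}
      }
    '';
  };
};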
}