diff --git a/flake.lock b/flake.lock
index 76a0e3b..cae033b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1022,6 +1022,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-peertube": {
+ "locked": {
+ "lastModified": 1708065087,
+ "narHash": "sha256-/Lc6TYtIJo/tCWLjErYqbMHNph3zp0ImkcHGES8aJV8=",
+ "owner": "Izorkin",
+ "repo": "nixpkgs",
+ "rev": "937220442c4c20a1b37add5387f20294b34e18f7",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Izorkin",
+ "ref": "update-peertube",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs-stable": {
 "locked": {
 "lastModified": 1702780907,
@@ -1307,6 +1323,7 @@
 "nix-gaming": "nix-gaming",
 "nixos-m1": "nixos-m1",
 "nixpkgs": "nixpkgs_11",
+ "nixpkgs-peertube": "nixpkgs-peertube",
 "nixpkgs-unstable": "nixpkgs-unstable",
 "nur": "nur",
 "secrets": "secrets",
@@ -1639,11 +1656,11 @@
 "nixpkgs": "nixpkgs_12"
 },
 "locked": {
- "lastModified": 1710043304,
- "narHash": "sha256-CrYHn6pIjvSUG2KPWXV7DWgZpmxV9ZdJv7UZuehVEvc=",
+ "lastModified": 1710691902,
+ "narHash": "sha256-Wx28gVRVPnES/JUT6m5V9TDeVkISIgYdghIy0noPOek=",
 "owner": "natsukagami",
 "repo": "youmubot",
- "rev": "13683aa2297e7c3fb495a24987a96bd4dda09bbe",
+ "rev": "94dc225b86539a83be0c55c930cd6a4dab639f8d",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index d2bddac..713ff7b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -53,6 +53,9 @@
 nixos-m1.url = github:tpwrules/nixos-apple-silicon;
 nixos-m1.inputs.nixpkgs.follows = "nixpkgs";
+ # Nixpkgs with new peertube, see #273769
+ nixpkgs-peertube.url = "github:Izorkin/nixpkgs/update-peertube";
+
 # ---
 # DEPLOYMENT ONLY! secrets
 secrets.url = "git+ssh://git@github.com/natsukagami/nix-deploy-secrets";
diff --git a/modules/cloud/traefik/default.nix b/modules/cloud/traefik/default.nix
index de30858..6a98728 100644
--- a/modules/cloud/traefik/default.nix
+++ b/modules/cloud/traefik/default.nix
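Review bot: `nixpkgs-peertube.url` in the flake.nix hunk tracks the mutable branch `update-peertube` of a personal fork, and overlay.nix makes the whole `peertube` package come from that input, so any future `nix flake update` moves the PeerTube source to whatever the branch holds at that moment; only the rev recorded in flake.lock protects the deployment today. Consider pinning the input to the commit the lock already records, `nixpkgs-peertube.url = "github:Izorkin/nixpkgs/937220442c4c20a1b37add5387f20294b34e18f7";`, and extending the comment with its exit condition, e.g. `# TODO: drop this input once #273769 (presumably the nixpkgs PR) is in the regular nixpkgs input`. The flake.lock hunks themselves need nothing.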
@@ -20,6 +20,24 @@ let
 in valueType;
+ # https://www.cloudflare.com/ips/
+ trustedIPs =
+ let
+ files = [
+ (pkgs.fetchurl {
+ url = "https://www.cloudflare.com/ips-v4";
+ hash = "sha256-8Cxtg7wBqwroV3Fg4DbXAMdFU1m84FTfiE5dfZ5Onns=";
+ })
+ (pkgs.fetchurl {
+ url = "https://www.cloudflare.com/ips-v6";
+ hash = "sha256-np054+g7rQDE3sr9U8Y/piAp89ldto3pN9K+KCNMoKk=";
+ })
+ ];
+ readLines = path: lib.splitString "\n" (builtins.readFile path);
+ in
+ lib.concatMap readLines files;
+
 cfg = config.cloud.traefik;
 in {
@@ -57,6 +75,7 @@ in
 };
 ## HTTPS entrypoint: ok!
 entrypoints.https.address = ":443";
+ entrypoints.https.forwardedHeaders.trustedIPs = trustedIPs;
 ## IMAP and SMTP
 entrypoints.imap.address = ":993";
 entrypoints.smtp-submission.address = ":587";
diff --git a/nki-personal-do/peertube.nix b/nki-personal-do/peertube.nix
index 71ed984..1366ff5 100644
--- a/nki-personal-do/peertube.nix
+++ b/nki-personal-do/peertube.nix
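Review bot: `readLines` splits on `"\n"` without dropping empty entries, so if either fetched list ends with a trailing newline `trustedIPs` ends with an empty string, which the second hunk then hands to Traefik's `forwardedHeaders.trustedIPs`; Traefik expects IPs or CIDRs there and will most likely reject the empty entry when the static configuration is loaded. Filter before concatenating: `readLines = path: lib.filter (l: l != "") (lib.splitString "\n" (builtins.readFile path));`. The fixed `hash` on each `fetchurl` also deserves a word in the comment, since it freezes the Cloudflare ranges at fetch time and any range Cloudflare adds later is untrusted until the hash is bumped (requests from it then surface with the edge address as the client IP), e.g. `# Pinned snapshot of Cloudflare's published ranges; bump the hashes when the lists change.`.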
@@ -1,30 +1,80 @@
-{ cfg, lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 let
 secrets = config.sops.secrets;
+ cfg = config.services.peertube;
 host = "peertube.dtth.ch";
 port = 19878;
 in {
+ sops.secrets."peertube" = { owner = cfg.user; };
+ sops.secrets."peertube-env" = { owner = cfg.user; };
 # database
 cloud.postgresql.databases = [ "peertube" ];
 # traefik
 cloud.traefik.hosts.peertube = {
 inherit port host;
+ noCloudflare = true;
 };
 services.peertube = {
 enable = true;
 enableWebHttps = true;
- listenWeb = "443";
+ listenWeb = 443;
 listenHttp = port;
 localDomain = host;
+ secrets.secretsFile = secrets."peertube".path;
+ serviceEnvironmentFile = secrets."peertube-env".path;
+ # Databases
 redis.createLocally = true;
 database = { host = "/run/postgresql"; };
+
+ # S3
+ settings.object_storage = {
+ enabled = true;
+
+ region = "auto";
+
+ proxy.proxify_private_files = false;
+
+ web_videos = {
+ bucket_name = "dtthtube";
+ prefix = "web-videos/";
+ base_url = "https://content.peertube.dtth.ch";
+ };
+ streaming_playlists = {
+ bucket_name = "dtthtube";
+ prefix = "hls-playlists/";
+ base_url = "https://content.peertube.dtth.ch";
+ };
+ };
+
+ # Storage
+ settings.client.videos = {
+ resumable_upload.max_chunk_size = "90MB";
+ };
+ settings.storage = {
+ storyboards = "/var/lib/peertube/storage/storyboards/";
+ tmp = "/mnt/data/peertube/tmp/";
+ tmp_persistent = "/mnt/data/peertube/tmp_persistent/";
+ web_videos = "/mnt/data/peertube/web-videos/";
+ };
+
+ # Trust proxy
+ settings.trust_proxy = [ "loopback" ] ++ config.services.traefik.staticConfigOptions.entrypoints.https.forwardedHeaders.trustedIPs;
+
+ # Federation
+ settings.federation = {
+ sign_federated_fetches = true;
+ videos.federate_unlisted = true;
+ videos.cleanup_remote_interactions = true;
+ };
+
+ dataDirs = [ "/var/lib/peertube" "/mnt/data/peertube" ];
 };
 }
diff --git a/nki-personal-do/secrets/secrets.yaml b/nki-personal-do/secrets/secrets.yaml
index 9bc0dcf..4d132be 100644
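Review bot: `settings.trust_proxy` trusts `"loopback"` plus the Cloudflare ranges read back out of the Traefik static config, while the same hunk sets `noCloudflare = true` on the Traefik host entry, which reads as this vhost not being fronted by Cloudflare; if that is what it means, PeerTube only ever sees Traefik on loopback, the extra ranges are dead weight that also inherit whatever the Traefik list contains, and `settings.trust_proxy = [ "loopback" ];` would be both sufficient and decoupled from `config.services.traefik.staticConfigOptions`. If the ranges are intentional, a comment saying why Cloudflare addresses can appear in `X-Forwarded-For` for this host would save the next reader the same question. Separately, `proxy.proxify_private_files = false` presumably takes PeerTube out of the path for non-public objects in `dtthtube`; a one-line comment on how access to those is controlled on the bucket side would make the choice reviewable.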
--- a/nki-personal-do/secrets/secrets.yaml
+++ b/nki-personal-do/secrets/secrets.yaml
@@ -38,6 +38,8 @@ matrix-synapse-dtth:
 vaultwarden-env: ENC[AES256_GCM,data:BhUj7o+CiBW/EWIpp2WWmjsGgaGGQdksK5otdRUNQyObGuk0OxZsfzx7B24fMqDN5aPac/q2uAedkLGMUSdtqW42NjUo6XCo+ADrB9BWYeVstwKeYT9WAA40NMAP3L0c4i26Ice1C0Bh7K8CZAvG0lyzGeMCmt8lMRabePngEhLetAfW5EEV69x6h1yvVUgtcIuA35AiBMu2kQQllTmAF4GryleOBzOFhP6CiDopwpk+7qYq30YzOMJJNdH5w+MU+VogmRnBs7Z537Uf2IbT/zJjW0jFvBGLe9jetq6KNTB/Cnz2Jm7+c8UB,iv:ItcMYZB+XoQQcST4/+QfaQl6DPW1/Neh691xTzdm31s=,tag:fzifm2gVvLR4bvK64VNi2A==,type:str]
 invidious: ENC[AES256_GCM,data:pCRlBaHRJyOHj2t04V6DkGVAPuAc8hz+Sn24nQ3IvcXNIdaYijpy,iv:ZPrP6guN7oyOfys7tmIAX1M86cpHUwp9wh3OSHdPSHM=,tag:oxo2TZk/UOB0xKlpapNCVg==,type:str]
 invidious-rotator-env: ENC[AES256_GCM,data:Q5c/sga+Nn0C7bKkTphob3tWNvKE1Zz0CIbXIayc73cfEsUgOIZdrm8BlAW7,iv:f0ccZsjNJ9UQCcfN/lZQdtxSg9ADFuykb8qw07c1xFI=,tag:4mUzgOHOE16FPhSTlbx+Rw==,type:str]
+peertube: ENC[AES256_GCM,data:YWySVZVTC26qPMcgSV5v4Vp1u69jGt7VV2ElQBSxvG/R589PCJRDgBqjjLBLMrrnP/wo6o6xNoyLCSfzMQYoFnM=,iv:97gNEJ84u4Mt5GTlVV29MNHUHQRkaMK47ULNUx+HTUE=,tag:LGVWeaTaSQ3GgaIpav66EA==,type:str]
+peertube-env: ENC[AES256_GCM,data:AOAaojV5b2VRvOXKVTkFvFcGpMP2U5oGONZIyrWd17xFdFNY9gIXUwvQsj+VbzAj6a0gzoUgnY15lS3iMmjk2ZvO11bz1fooPByqb5pVaBUTRTv7f0lJzI+EQ0SWmcwbpmPJUSaOCY+v+0gSh3dBBIoZD1em4RYRoX1m9092XqjXmhjYa+y/2mp8V8sbnHZnM9eLaNQDx3p8nJq/Qnw7kreUbKsMSq8TMhpEBK8Q1/h58kUarDYfoTsJWnaizgbF6vLuenU4GZsvwqIQYTddh/mhdJYr1uNr5LolozoqxYReh7G2jRFmFe2BNwhZ9NHdVLIPwDT6tcVi0go3WQt/KX1NXf6mzJzqog==,iv:UWPe0wUC1ZfFBVLnksycoy0/e31t/jJyE73Av+Y0UjY=,tag:7+vpJtvrSaZjX7wQa20fkw==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -71,8 +73,8 @@ sops:
 by9kZFlTRVdCZFkxYTVVb0RIRk8zUlkKCqMw9oL9RaYBV5Hhy3o8Nm5xmGrPH8Sd
 hv36sxRFFNZT/DCKaHaSRbT3mfpBZSTXJt1dgl4nZe6whH54t/1KmA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-02-14T00:30:02Z"
- mac: ENC[AES256_GCM,data:ObYeCKufpLE+atS3Iv8f6hkfq3AbwrYZcsgN/efk98F45tm9BFBbmzT4hWw1nHvA7Qw9fv+y/CjAZOb7/EIGaTdBtBP5pWMlZ8rTCpiY5UZr79p6O+/HNIZgmhd9iWH1k8Xarc118C0vfc7QgcJbTq0y+5DnaI/qdWBXn/RFOLg=,iv:SJBjGzwzMJBaUHyS9PQAxKJuuQp6Rkd6GtIqqwD1+C0=,tag:/dRybluTO+R43ZQhIX8Y5g==,type:str]
+ lastmodified: "2024-03-29T21:19:24Z"
+ mac: ENC[AES256_GCM,data:IxriC26V1jmtD8NSqSB0s7YfUgclBBAfnqnCQ7LdKNTBXzjcZPJyHzI76ZPKmRYtqlQEdnuHU+xX+CH+dBXsqNR2st8EKm8FSkrguNAKEpJeSWU97g3rlFTgKPMCeduxOp6lp25yHmYCOJ1k+1FKqYvEs3rbT8eEKJ+kGQA4S84=,iv:NXcZ29bL3/jSWmssS1066j7gzP4/hjyjy0i7AwrTB2M=,tag:rv4LdgDznx26SCsWUjaPgw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1
diff --git a/overlay.nix b/overlay.nix
index 6c0ab9f..7f6354d 100644
--- a/overlay.nix
+++ b/overlay.nix
@@ -3,6 +3,7 @@ let
 overlay-unstable = final: prev: {
 unstable = import nixpkgs-unstable { config.allowUnfree = true; system = prev.system; };
 x86 = import nixpkgs-unstable { system = prev.system; config.allowUnsupportedSystem = true; };
+ nixpkgs-peertube = import inputs.nixpkgs-peertube { system = prev.system; };
 };
 overlay-needs-unstable = final: prev: {
 # override some packages that needs unstable that cannot be changed in the setup.
@@ -11,6 +12,8 @@ let
 # Typst updates really quickly.
 typst = final.unstable.typst;
 typst-lsp = final.unstable.typst-lsp;
+
+ peertube = final.nixpkgs-peertube.peertube;
 };
 overlay-imported = final: prev: {
 sway = prev.sway.override { sway-unwrapped = final.swayfx-unwrapped; };
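Review bot: The new overlay line refers to the flake input as `inputs.nixpkgs-peertube` while the two lines above it reach the other channel as the bare `nixpkgs-unstable`; whether `inputs` is actually an argument of overlay.nix cannot be seen from this hunk (the file header lies outside it), so either both should go through `inputs.` or the new one should be a bare argument like its neighbours, and the evaluation will tell you which. The `peertube = final.nixpkgs-peertube.peertube;` override in the second overlay hunk also lacks the explanatory comment its `typst` neighbour has; `# PeerTube from Izorkin's fork until #273769 is in nixpkgs` would tell a reader why a third-party tree is in the package set. The supply-chain side of depending on that fork branch is raised at the flake.nix hunk.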