Add peertube-runner service to nki-home

nki-home/configuration.nix

@@ -18,6 +18,7 @@ with lib;
       ../modules/services/edns
       # Other services
       ../modules/personal/u2f.nix
+      ./peertube-runner.nix
     ];
 
   # Kernel

nki-home/peertube-runner.nix

@@ -0,0 +1,67 @@
+{ config, pkgs, lib, ... }:
+let
+  user = "peertube-runner-nodejs";
+  instance = "systemd-instance";
+in
+{
+  sops.secrets."peertube/dtth-key" = {
+    restartUnits = [ "peertube-runner.service" ];
+  };
+  users.groups.${user} = { };
+  users.users.${user} = {
+    isSystemUser = true;
+    group = user;
+  };
+  sops.templates."peertube-config.toml".owner = user;
+  sops.templates."peertube-config.toml".content = ''
+    [jobs]
+    concurrency = 2
+
+    [ffmpeg]
+    threads = 12
+    nice = 20
+
+    [[registeredInstances]]
+    url = "https://peertube.dtth.ch"
+    runnerToken = "${config.sops.placeholder."peertube/dtth-key"}"
+    runnerName = "kagamipc"
+  '';
+
+  environment.etc."${user}/${instance}/config.toml".source = config.sops.templates."peertube-config.toml".path;
+
+
+  systemd.services.peertube-runner = {
+    description = "PeerTube runner daemon";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+    requires = [ ];
+
+    serviceConfig =
+      {
+        ExecStart = "${lib.getExe' pkgs.peertube.runner "peertube-runner"} server --id ${instance}";
+        User = user;
+        RuntimeDirectory = user;
+        StateDirectory = user;
+        CacheDirectory = user;
+        # Hardening
+        ProtectSystem = "full";
+        PrivateDevices = false;
+        NoNewPrivileges = true;
+        ProtectHome = true;
+        CapabilityBoundingSet = "~CAP_SYS_ADMIN";
+      };
+
+    environment = {
+      NODE_ENV = "production";
+      # Override XDG values to fit env-path
+      # https://github.com/sindresorhus/env-paths/blob/main/index.js
+      XDG_DATA_HOME = "/run";
+      XDG_CONFIG_HOME = "/etc";
+      XDG_CACHE_HOME = "/var/cache";
+      XDG_STATE_HOME = "/var/lib";
+    };
+
+    path = with pkgs; [ nodejs ffmpeg ];
+  };
+}
+

nki-home/secrets/secrets.yaml

@@ -11,6 +11,8 @@ scrobble:
 dtth-wg:
     private-key: ENC[AES256_GCM,data:ySxPGzOplKwNLxRnPNw7If7xzxMwRkwTasT7FaQE9n5YB04R+gaQVjDqPqg=,iv:f5t94bUoo9sCGGwWytiuhg5jcKjzRjbR3Q0OIM28VDU=,tag:fJos9Hb9XytQbfGaPMa1/A==,type:str]
     preshared-key: ENC[AES256_GCM,data:96q0ZfvPz4pb53XvTGameVkcETamYH8Xbv69672RBdacH6QjRCCVvPnBTfA=,iv:Q2Yonb07/Uu6KidhMgRX4zJuNU1ZySNC7g/5TwpMU80=,tag:1qQQdk20yIQlGZmX+/25RA==,type:str]
+peertube:
+    dtth-key: ENC[AES256_GCM,data:Gu7qOisVBZrFXKBr51165FJ7Ej4hV+lIf3AMC02R3UFNXOnTHF2xC8E=,iv:F83FuD1VjZEJFMcx3gkQuKCpJmYdHtO15fRHkYdMxJM=,tag:ScH42Tr5ZsIo9JMnXhylSw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -44,8 +46,8 @@ sops:
             bUhIT0Z2b1dVWGNyS1hRVFRyZTA4d00KchP7EhSOMwBl5vFuuskzosRoi8jUu1sw
             hVjJNF2a40ewgkQgVAoWEzirHbknbQORzmepDDRth7Bve3UQU64+GA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-04-29T13:03:22Z"
-    mac: ENC[AES256_GCM,data:ZNDRS6LLy89TZoW27c57RMnjs6M/GBH0XfKKlrhys8gL7+I0V/++ry59VDbLxvqS4nPR4C5hk777+B5dqnseyYW2xRT3NKYxocCQu5kO6A8L/wB00j3bm3SSIGwLcKJPibEqi7ymU53K0bmZdjRMChkBwv3CnDNkM3Dc6rvZ2DM=,iv:Z1ZjnYW1Yk+oEzNknQDytTengjKxcud95LZTFfKMnpw=,tag:pnZ+UGQWuRCKoTll00oUKA==,type:str]
+    lastmodified: "2024-04-18T13:34:51Z"
+    mac: ENC[AES256_GCM,data:cinVE1pHSgjCRPIDwANzR0oHw7zdN8DVDQKkhXT5j+dGiaFzNvLoYyMcEsjoxAjEdup3YMo+Vg6I4C94AUCrTn7N9BGjnGFVQz3m9q13zORi1+HWam0VItBzJm1iIo8x0PPs79OBaIHVUFAz8r4DW46P/LQISl9MQSDpCCTjVVk=,iv:2VAehWaoh2lNZM8jlmt+dqo5eeHfcr++eAdQfm/tCcM=,tag:QSnbObe3046AnFpK3Y01Eg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1