pyrox.dev / nixpkgs
lol
fork atom

nixos/peertube: add secretsFile option

Izorkin 9195f02b 32673128

options
unified split
Changed files
+28
nixos
modules
services
web-apps
peertube.nix
tests
web-apps
peertube.nix
+21
nixos/modules/services/web-apps/peertube.nix 
···

       
161

       
161

       
 

       
      description = lib.mdDoc "Configure nginx as a reverse proxy for peertube.";


     

       
162

       
162

       
 

       
    };


     

       
163

       
163

       
 

       



     

       

       
164

       
+

       
    secrets = {


     

       

       
165

       
+

       
      secretsFile = lib.mkOption {


     

       

       
166

       
+

       
        type = lib.types.nullOr lib.types.path;


     

       

       
167

       
+

       
        default = null;


     

       

       
168

       
+

       
        example = "/run/secrets/peertube";


     

       

       
169

       
+

       
        description = lib.mdDoc ''


     

       

       
170

       
+

       
          Secrets to run PeerTube.


     

       

       
171

       
+

       
          Generate one using `openssl rand -hex 32`


     

       

       
172

       
+

       
        '';


     

       

       
173

       
+

       
      };


     

       

       
174

       
+

       
    };


     

       

       
175

       
+

       



     

       
164

       
176

       
 

       
    database = {


     

       
165

       
177

       
 

       
      createLocally = lib.mkOption {


     

       
166

       
178

       
 

       
        type = lib.types.bool;


     
···

       
280

       
292

       
 

       
            <option>services.peertube.serviceEnvironmentFile</option> points to


     

       
281

       
293

       
 

       
            a file in the Nix store. You should use a quoted absolute path to


     

       
282

       
294

       
 

       
            prevent this.


     

       

       
295

       
+

       
          '';


     

       

       
296

       
+

       
      }


     

       

       
297

       
+

       
      { assertion = cfg.secrets.secretsFile != null;


     

       

       
298

       
+

       
          message = ''


     

       

       
299

       
+

       
            <option>services.peertube.secrets.secretsFile</option> needs to be set.


     

       
283

       
300

       
 

       
          '';


     

       
284

       
301

       
 

       
      }


     

       
285

       
302

       
 

       
      { assertion = !(cfg.redis.enableUnixSocket && (cfg.redis.host != null || cfg.redis.port != null));


     
···

       
418

       
435

       
 

       
        #!/bin/sh


     

       
419

       
436

       
 

       
        umask 077


     

       
420

       
437

       
 

       
        cat > /var/lib/peertube/config/local.yaml <<EOF


     

       

       
438

       
+

       
        ${lib.optionalString (cfg.secrets.secretsFile != null) ''


     

       

       
439

       
+

       
        secrets:


     

       

       
440

       
+

       
          peertube: '$(cat ${cfg.secrets.secretsFile})'


     

       

       
441

       
+

       
        ''}


     

       
421

       
442

       
 

       
        ${lib.optionalString ((!cfg.database.createLocally) && (cfg.database.passwordFile != null)) ''


     

       
422

       
443

       
 

       
        database:


     

       
423

       
444

       
 

       
          password: '$(cat ${cfg.database.passwordFile})'
+7
nixos/tests/web-apps/peertube.nix 
···

       
41

       
41

       
 

       
    server = { pkgs, ... }: {


     

       
42

       
42

       
 

       
      environment = {


     

       
43

       
43

       
 

       
        etc = {


     

       

       
44

       
+

       
          "peertube/secrets-peertube".text = ''


     

       

       
45

       
+

       
            063d9c60d519597acef26003d5ecc32729083965d09181ef3949200cbe5f09ee


     

       

       
46

       
+

       
          '';


     

       
44

       
47

       
 

       
          "peertube/password-posgressql-db".text = ''


     

       
45

       
48

       
 

       
            0gUN0C1mgST6czvjZ8T9


     

       
46

       
49

       
 

       
          '';


     
···

       
66

       
69

       
 

       
        enable = true;


     

       
67

       
70

       
 

       
        localDomain = "peertube.local";


     

       
68

       
71

       
 

       
        enableWebHttps = false;


     

       

       
72

       
+

       



     

       

       
73

       
+

       
        secrets = {


     

       

       
74

       
+

       
          secretsFile = "/etc/peertube/secrets-peertube";


     

       

       
75

       
+

       
        };


     

       
69

       
76

       
 

       



     

       
70

       
77

       
 

       
        database = {


     

       
71

       
78

       
 

       
          host = "192.168.2.10";