author | Izorkin <izorkin@elven.pw> | 2022-12-13 22:07:10 +0300 |
---|---|---|
committer | Izorkin <izorkin@elven.pw> | 2022-12-23 20:47:04 +0300 |
commit | 9195f02b49e238e6444c3da006f21c489ab5d970 (patch) | |
tree | d720ae6d42474ce579bbdbb10f798abab482e3df /nixos | |
parent | 32673128e560e76c642ac5fd07fa60f174beaf5a (diff) |
nixos/peertube: add secretsFile option
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/web-apps/peertube.nix | 21 | ||||
-rw-r--r-- | nixos/tests/web-apps/peertube.nix | 7 |
2 files changed, 28 insertions, 0 deletions
diff --git a/nixos/modules/services/web-apps/peertube.nix b/nixos/modules/services/web-apps/peertube.nix
index 170bc700f7757..c01bfca173a1a 100644
--- a/nixos/modules/services/web-apps/peertube.nix
+++ b/nixos/modules/services/web-apps/peertube.nix
@@ -161,6 +161,18 @@ in {
 description = lib.mdDoc "Configure nginx as a reverse proxy for peertube.";
 };
+ secrets = {
+ secretsFile = lib.mkOption {
+ type = lib.types.nullOr lib.types.path;
+ default = null;
+ example = "/run/secrets/peertube";
+ description = lib.mdDoc ''
+ Secrets to run PeerTube.
+ Generate one using `openssl rand -hex 32`
+ '';
+ };
+ };
+
 database = {
 createLocally = lib.mkOption {
 type = lib.types.bool;
@@ -282,6 +294,11 @@ in {
 prevent this.
 '';
 }
+ { assertion = cfg.secrets.secretsFile != null;
+ message = ''
+ <option>services.peertube.secrets.secretsFile</option> needs to be set.
+ '';
+ }
 { assertion = !(cfg.redis.enableUnixSocket && (cfg.redis.host != null || cfg.redis.port != null));
 message = ''
 <option>services.peertube.redis.createLocally</option> and redis network connection (<option>services.peertube.redis.host</option> or <option>services.peertube.redis.port</option>) enabled. Disable either of them.
@@ -418,6 +435,10 @@ in {
 #!/bin/sh
 umask 077
 cat > /var/lib/peertube/config/local.yaml <<EOF
+ ${lib.optionalString (cfg.secrets.secretsFile != null) ''
+ secrets:
+ peertube: '$(cat ${cfg.secrets.secretsFile})'
+ ''}
 ${lib.optionalString ((!cfg.database.createLocally) && (cfg.database.passwordFile != null)) ''
 database:
 password: '$(cat ${cfg.database.passwordFile})'
diff --git a/nixos/tests/web-apps/peertube.nix b/nixos/tests/web-apps/peertube.nix
index ecc45bff2e2ca..0e5f39c08a023 100644
--- a/nixos/tests/web-apps/peertube.nix
+++ b/nixos/tests/web-apps/peertube.nix
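Review bot: The `description` of `secretsFile` in the first hunk says neither what the file must contain nor where it may live. Because the type is `lib.types.path`, a Nix path literal (as opposed to a string such as the `/run/secrets/peertube` example) would be copied into the world-readable Nix store when it is interpolated into the config script. I would spell that out, e.g. `Path to a file holding the PeerTube secret (a single line, e.g. from openssl rand -hex 32).` followed by `Must be a string path outside the Nix store, readable only by the service account.` Whether changing the value later invalidates existing sessions or tokens is not visible here; if it does, the description should say so.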
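Review bot: The assertion added in the second hunk makes `secretsFile` mandatory, so in any configuration that passes it the `lib.optionalString (cfg.secrets.secretsFile != null)` guard in the third hunk is always true. The `nullOr` type and `default = null` then serve only to trigger this message. Keeping both the assertion and the guard hides which behaviour is intended; I would keep the assertion and drop the guard. Since existing configurations stop evaluating until the option is set, the message could carry the remedy, e.g. `Generate a value with openssl rand -hex 32, store it in a file and point this option at it.` The assertions list starts and ends outside the hunk.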
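Review bot: In the third hunk `$(cat ${cfg.secrets.secretsFile})` runs inside the heredoc, so a missing or unreadable file does not stop the script: `cat` fails, the substitution expands to nothing and `local.yaml` is written with `peertube: ''`. The path is also spliced into the shell unquoted, and the file content lands inside a single-quoted YAML scalar, so a space in the path or a quote or newline in the file corrupts the output. I would check the file before the `cat > ... <<EOF` line, e.g. `test -r ${lib.escapeShellArg cfg.secrets.secretsFile} || exit 1`, and write the substitution as `$(cat ${lib.escapeShellArg cfg.secrets.secretsFile})`. The neighbouring `database.passwordFile` context line has the same shape and could be fixed alongside. The script begins and ends outside the hunk, so its shell options are not visible, but an exit-on-error setting would not catch a failure inside the heredoc anyway.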
@@ -41,6 +41,9 @@ import ../make-test-python.nix ({pkgs, ...}:
 server = { pkgs, ... }: {
 environment = {
 etc = {
+ "peertube/secrets-peertube".text = ''
+ 063d9c60d519597acef26003d5ecc32729083965d09181ef3949200cbe5f09ee
+ '';
 "peertube/password-posgressql-db".text = ''
 0gUN0C1mgST6czvjZ8T9
 '';
@@ -67,6 +70,10 @@ import ../make-test-python.nix ({pkgs, ...}:
 localDomain = "peertube.local";
 enableWebHttps = false;
+ secrets = {
+ secretsFile = "/etc/peertube/secrets-peertube";
+ };
+
 database = {
 host = "192.168.2.10";
 name = "peertube_local"; |
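Review bot: The fixture secret added under `environment.etc` in the first hunk is materialised through the Nix store and is therefore world-readable, which is acceptable for a VM test but is the pattern the module option should steer users away from. A short comment above it, e.g. `# test-only value; real deployments must keep this file out of the Nix store`, would keep the test from being copied as a deployment template. The visible hunks only set the option. If the test script (outside these hunks) does not already do so, a check that `/var/lib/peertube/config/local.yaml` contains the secret and is not group- or world-readable would cover the new code path.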