nixos/peertube: add secretsFile option

2024-11-10 08:39:08 +03:00 · 2022-12-13 22:07:10 +03:00 · 2022-12-13 22:07:10 +03:00 · 9195f02b49
commit 9195f02b49
parent 32673128e5
2 changed files with 28 additions and 0 deletions
--- a/nixos/modules/services/web-apps/peertube.nix
+++ b/nixos/modules/services/web-apps/peertube.nix
@ -161,6 +161,18 @@ in {
      description = lib.mdDoc "Configure nginx as a reverse proxy for peertube.";
    };

+    secrets = {
+      secretsFile = lib.mkOption {
+        type = lib.types.nullOr lib.types.path;
+        default = null;
+        example = "/run/secrets/peertube";
+        description = lib.mdDoc ''
+          Secrets to run PeerTube.
+          Generate one using `openssl rand -hex 32`
+        '';
+      };
+    };
+
    database = {
      createLocally = lib.mkOption {
        type = lib.types.bool;
@ -282,6 +294,11 @@ in {
            prevent this.
          '';
      }
+      { assertion = cfg.secrets.secretsFile != null;
+          message = ''
+            <option>services.peertube.secrets.secretsFile</option> needs to be set.
+          '';
+      }
      { assertion = !(cfg.redis.enableUnixSocket && (cfg.redis.host != null || cfg.redis.port != null));
          message = ''
            <option>services.peertube.redis.createLocally</option> and redis network connection (<option>services.peertube.redis.host</option> or <option>services.peertube.redis.port</option>) enabled. Disable either of them.
@ -418,6 +435,10 @@ in {
        #!/bin/sh
        umask 077
        cat > /var/lib/peertube/config/local.yaml <<EOF
+        ${lib.optionalString (cfg.secrets.secretsFile != null) ''
+        secrets:
+          peertube: '$(cat ${cfg.secrets.secretsFile})'
+        ''}
        ${lib.optionalString ((!cfg.database.createLocally) && (cfg.database.passwordFile != null)) ''
        database:
          password: '$(cat ${cfg.database.passwordFile})'
--- a/nixos/tests/web-apps/peertube.nix
+++ b/nixos/tests/web-apps/peertube.nix
@ -41,6 +41,9 @@ import ../make-test-python.nix ({pkgs, ...}:
    server = { pkgs, ... }: {
      environment = {
        etc = {
+          "peertube/secrets-peertube".text = ''
+            063d9c60d519597acef26003d5ecc32729083965d09181ef3949200cbe5f09ee
+          '';
          "peertube/password-posgressql-db".text = ''
            0gUN0C1mgST6czvjZ8T9
          '';
@ -67,6 +70,10 @@ import ../make-test-python.nix ({pkgs, ...}:
        localDomain = "peertube.local";
        enableWebHttps = false;

+        secrets = {
+          secretsFile = "/etc/peertube/secrets-peertube";
+        };
+
        database = {
          host = "192.168.2.10";
          name = "peertube_local";