authorSoispha <soispha@vhack.eu>2023-08-11 10:31:46 +0200
committerSoispha <soispha@vhack.eu>2023-08-11 10:31:46 +0200
commit542bb5d7b8e3dfe22826fe0af3272b8b2a8b925a (patch)
tree0a4cafbf0bfa493969d5fae3bc73541e3cb48f89
parentFix(system/services/invidious): Set correct access permissions on hmac (diff)
Fix(system/service/invidious): Copy their script, to remove shell escape
The default ExecStart implementation in the module escapes all strings.
This does not work for us because we need to use the `$CREDENTIALS_DIR`
environment variable for the credentials deployed in the
`LoadCredential` option.
-rw-r--r--system/services/invidious/default.nix29
1 files changed, 28 insertions, 1 deletions
diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix
index 8b69c2e..f51fc3d 100644
--- a/system/services/invidious/default.nix
+++ b/system/services/invidious/default.nix
@@ -1,4 +1,11 @@
-{config, ...}: {
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  cfg = config.services.invidious;
+in {
   services.invidious = {
     enable = true;
     database = {
@@ -14,5 +21,25 @@
   };
   systemd.services.invidious.serviceConfig = {
     LoadCredential = "hmac:${config.age.secrets.invidiousHmac.path}";
+
+    script = let
+      # taken from the invidious module
+      settingsFormat = pkgs.formats.json {};
+      settingsFile = settingsFormat.generate "invidious-settings" cfg.settings;
+
+      jqFilter =
+        "."
+        + lib.optionalString (cfg.database.host != null) "[0].db.password = \"'\"'\"$(cat ${lib.escapeShellArg cfg.database.passwordFile})\"'\"'\""
+        + " | .[0]"
+        + lib.optionalString (cfg.extraSettingsFile != null) " * .[1]";
+
+      # don't escape extraSettingsFile, to allow variable substitution
+      jqFiles =
+        settingsFile
+        + lib.optionalString (cfg.extraSettingsFile != null) " \"${cfg.extraSettingsFile}\"";
+    in ''
+      export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s "${jqFilter}" ${jqFiles})"
+      exec ${cfg.package}/bin/invidious
+    '';
   };
 }
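Review bot: `script` is added inside `systemd.services.invidious.serviceConfig`, but in NixOS it is an option of `systemd.services.<name>` itself. Under `serviceConfig` it is most likely emitted as an unknown `[Service]` key and ignored, so the module's escaped start script would still run and `$CREDENTIALS_DIR` would still not be expanded. Moving it up one level as `systemd.services.invidious.script = lib.mkForce ''…'';` should give the intended behaviour; `mkForce` is needed if the upstream module also defines `script`, because the option is a lines type and the two definitions would otherwise be concatenated. Because `cfg.extraSettingsFile` is now interpolated unescaped inside double quotes, the comment above `jqFiles` should record that the whole value is shell-expanded, e.g. `# NOTE: shell-expanded ($VAR and $(...)); must only come from trusted configuration`.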