-rw-r--r-- | system/secrets/default.nix | 6 | ||||
-rw-r--r-- | system/secrets/invidious/hmac.tix | 14 | ||||
-rw-r--r-- | system/secrets/secrets.nix | 14 | ||||
-rw-r--r-- | system/services/default.nix | 1 | ||||
-rw-r--r-- | system/services/invidious/default.nix | 48 |
5 files changed, 76 insertions, 7 deletions
diff --git a/system/secrets/default.nix b/system/secrets/default.nix
index 5cd401c..2269672 100644
--- a/system/secrets/default.nix
+++ b/system/secrets/default.nix
@@ -13,6 +13,12 @@
 owner = "matrix-synapse";
 group = "matrix-synapse";
 };
+ invidiousHmac = {
+ file = ./invidious/hmac.tix;
+ mode = "700";
+ owner = "root";
+ group = "root";
+ };
 };
 };
 }
diff --git a/system/secrets/invidious/hmac.tix b/system/secrets/invidious/hmac.tix
new file mode 100644
index 0000000..f760fa9
--- /dev/null
+++ b/system/secrets/invidious/hmac.tix
@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZGJGNzVGUWhsVTJFUGds
+dFZmVnRnY1NrVTZBWEt2eFp1YU4yM0xoOUgwClZZNDNFQlp2aEx1eHVqbE5ZU29t
+dVpMcStrMXd5WEFOaDJUVlVuUnJ4YkkKLT4gWDI1NTE5IEZSTVFhdk83RGRNWWdZ
+bmQyd0FNTWhrUUxSRjVOQjAvWSsyU1Z4OWFvVUUKdkIraVRtRW5mUnZFbVRkcDBw
+ME5NTDVkRUo1b0d1Z2xERWZnS0tMLzFhYwotPiBzc2gtZWQyNTUxOSBPRDhUNGcg
+d09jY1doam1nc3B3MEVqN0grM3JWZzFwMW5WU2ZYdGh0TUZnM0VVdzJBSQppL3Qv
+T0VDOTc1U3gyaTB6YVV4dDhEVU1OMzdlMnV2dC9zMVl1VkdkRmlBCi0+IGc/SEJa
+aDZoLWdyZWFzZSBKPW1xOFRaIE9DUCBdfl1HXVUKL0I4MTJZT1ljOXE3cUtTR0Fv
+S3E2UHcvYWxhUlU5QkdXVWZyUjU0SlcveG9GcjZZV242QXVwaDBQTjN0VldBCi0t
+LSB6S0E2SWtmaXBnRkI5aFNIOU9VWkdhOHQrQ0x0MzJ3TC9aNkpJSTY5eDkwClOc
+N6wSpWFX87Vbr+J8Sxn9O6uRbYAyNDmiJk5mDqYaqy/+PRPTx0gbmqRz911sW5Zx
+aBKfDzSPjNx0CSKKL7ioTYlRrW0YyQ==
+-----END AGE ENCRYPTED FILE-----
diff --git a/system/secrets/secrets.nix b/system/secrets/secrets.nix
index 2fd4132..194ed3c 100644
--- a/system/secrets/secrets.nix
+++ b/system/secrets/secrets.nix
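Review bot: `mode = "700";` on the new invidiousHmac entry gives the decrypted key file an execute bit that a file which is only ever read does not need; `mode = "400";` is the appropriate setting (or "600" if something has to rewrite it). The service hunk later in this diff hands the file to systemd through LoadCredential, which copies it into the credentials directory itself, so root ownership with a read-only mode looks sufficient as far as I can tell. The hmac.tix hunk on this same line is the age-encrypted payload and needs no review.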
@@ -3,15 +3,15 @@ let
 sils = "age1vuhaey7kd9l76y6f9weeqmde3s4kjw38869ju6u3027yece2r3rqssjxst";
 server1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMnqsfIZjelH7rcvFvnLR5zUZuC8thsBupBlvjcMRBUm";
-in {
- "keycloak/passwd.tix".publicKeys = [
- soispha
- sils
- server1
- ];
- "matrix-synapse/passwd.tix".publicKeys = [
+
+ allSecrets = [
 soispha
 sils
 server1
 ];
+in {
+ "keycloak/passwd.tix".publicKeys = allSecrets;
+ "matrix-synapse/passwd.tix".publicKeys = allSecrets;
+ "invidious/passwd.tix".publicKeys = allSecrets;
+ "invidious/settings.tix".publicKeys = allSecrets;
 }
diff --git a/system/services/default.nix b/system/services/default.nix
index 8f5540f..6c2670d 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -1,6 +1,7 @@
 {...}: {
 imports = [
 ./fail2ban
+ ./invidious
 ./keycloak
 ./mail
 ./matrix
diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix
new file mode 100644
index 0000000..a1d202c
--- /dev/null
+++ b/system/services/invidious/default.nix
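Review bot: The two entries added here, `"invidious/passwd.tix"` and `"invidious/settings.tix"`, do not correspond to the file this commit actually adds, `system/secrets/invidious/hmac.tix`, which `system/secrets/default.nix` now references as `./invidious/hmac.tix`. The publicKeys entries in secrets.nix are what decide which recipients agenix encrypts and rekeys each secret for, so the file in use should be declared, `"invidious/hmac.tix".publicKeys = allSecrets;`, and the two entries without a matching file renamed or dropped so the list does not drift from the secrets directory. The services/default.nix hunk on this line only adds the import and needs nothing.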
@@ -0,0 +1,48 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.services.invidious;
+in {
+ services.invidious = {
+ enable = true;
+ database = {
+ createLocally = true;
+ };
+ domain = "invidious.vhack.eu";
+ nginx.enable = true;
+ extraSettingsFile = "$CREDENTIALS_DIRECTORY/hmac";
+
+ settings = {
+ check_tables = true;
+ };
+ };
+ systemd.services.invidious.serviceConfig = {
+ LoadCredential = "hmac:${config.age.secrets.invidiousHmac.path}";
+
+ ExecStart = let
+ # taken from the invidious module
+ settingsFormat = pkgs.formats.json {};
+ settingsFile = settingsFormat.generate "invidious-settings" cfg.settings;
+
+ jqFilter =
+ "." + + lib.optionalString (cfg.database.host != null) "[0].db.password = \"'\"'\"$(cat ${lib.escapeShellArg cfg.database.passwordFile})\"'\"'\"" + + " | .[0]" + + lib.optionalString (cfg.extraSettingsFile != null) " * .[1]";
+
+ # don't escape extraSettingsFile, to allow variable substitution
+ jqFiles =
+ settingsFile + + lib.optionalString (cfg.extraSettingsFile != null) " \"${cfg.extraSettingsFile}\"";
+ in
+ lib.mkForce (pkgs.writeScript "start-invidious" ''
+ #! ${pkgs.dash}/bin/dash
+
+ export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s "${jqFilter}" ${jqFiles})"
+ exec ${cfg.package}/bin/invidious
+ '');
+ };
+}
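Review bot: The `lib.mkForce`d ExecStart beginning at `ExecStart = let` re-implements the start script of the upstream invidious module, but the only hint of why is the `# don't escape extraSettingsFile, to allow variable substitution` comment, so a later reader will not know what this copy has to track or when it can be dropped. I would replace `# taken from the invidious module` with a comment that states the reason and the dependency, e.g. `# Copied from the nixpkgs invidious module's ExecStart and forced, because (judging by the escaping below) the module shell-escapes extraSettingsFile and that stops $CREDENTIALS_DIRECTORY from expanding; re-check this copy whenever the module's start script or config handling changes.` Separately, a plain string for `LoadCredential` will fail to merge at evaluation time if the module or another override ever defines credentials of its own; the list form `LoadCredential = [ "hmac:${config.age.secrets.invidiousHmac.path}" ];` merges cleanly, should that matter here.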