-rw-r--r--system/secrets/default.nix12
-rw-r--r--system/secrets/invidious/passwd.tix16
-rw-r--r--system/secrets/invidious/settings.tix14
-rw-r--r--system/secrets/secrets.nix2
-rw-r--r--system/services/default.nix1
-rw-r--r--system/services/invidious/default.nix12
6 files changed, 57 insertions, 0 deletions
diff --git a/system/secrets/default.nix b/system/secrets/default.nix
index 5cd401c..515c3e7 100644
--- a/system/secrets/default.nix
+++ b/system/secrets/default.nix
@@ -13,6 +13,18 @@
         owner = "matrix-synapse";
         group = "matrix-synapse";
       };
+      invidious = {
+        file = ./invidious/passwd.tix;
+        mode = "700";
+        owner = "invidious";
+        group = "invidious";
+      };
+      invidiousSettings = {
+        file = ./invidious/settings.tix;
+        mode = "700";
+        owner = "invidious";
+        group = "invidious";
+      };
     };
   };
 }
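Review bot: Both new entries set `mode = "700"`, which gives the owner write and execute bits on decrypted secret files that only need to be read; `mode = "0400"` on `invidious` and `invidiousSettings` would be the least-privilege choice. Nothing in this commit executes or rewrites these files: they are only passed as `passwordFile` and `extraSettingsFile` in system/services/invidious/default.nix. The enclosing attribute set starts outside the hunk, so it is not visible here whether the `matrix-synapse` entry uses the same mode and should be tightened along with them.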
diff --git a/system/secrets/invidious/passwd.tix b/system/secrets/invidious/passwd.tix
new file mode 100644
index 0000000..beaee32
--- /dev/null
+++ b/system/secrets/invidious/passwd.tix
@@ -0,0 +1,16 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----
diff --git a/system/secrets/invidious/settings.tix b/system/secrets/invidious/settings.tix
new file mode 100644
index 0000000..fe80a7d
--- /dev/null
+++ b/system/secrets/invidious/settings.tix
@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----
diff --git a/system/secrets/secrets.nix b/system/secrets/secrets.nix
index 11c0655..194ed3c 100644
--- a/system/secrets/secrets.nix
+++ b/system/secrets/secrets.nix
@@ -12,4 +12,6 @@ let
 in {
   "keycloak/passwd.tix".publicKeys = allSecrets;
   "matrix-synapse/passwd.tix".publicKeys = allSecrets;
+  "invidious/passwd.tix".publicKeys = allSecrets;
+  "invidious/settings.tix".publicKeys = allSecrets;
 }
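Review bot: Both invidious secrets are encrypted to `allSecrets`, so every key in that list can decrypt the database password and the settings file. `allSecrets` is defined in the `let` block outside this hunk, so its membership cannot be checked here. If it includes keys for hosts or users that do not run invidious, a narrower recipient list for these two entries would limit what a single compromised key exposes.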
diff --git a/system/services/default.nix b/system/services/default.nix
index 8f5540f..6c2670d 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -1,6 +1,7 @@
 {...}: {
   imports = [
     ./fail2ban
+    ./invidious
     ./keycloak
     ./mail
     ./matrix
diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix
new file mode 100644
index 0000000..50a32e8
--- /dev/null
+++ b/system/services/invidious/default.nix
@@ -0,0 +1,12 @@
+{config, ...}: {
+  services.invidious = {
+    enable = true;
+    database = {
+      createLocally = true;
+      passwordFile = "${config.age.secrets.invidious.path}";
+    };
+    domain = "invidious.vhack.eu";
+    nginx.enable = true;
+    extraSettingsFile = "${config.age.secrets.invidiousSettings.path}";
+  };
+}
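Review bot: The string interpolation around the two secret paths is redundant; `passwordFile = config.age.secrets.invidious.path;` and `extraSettingsFile = config.age.secrets.invidiousSettings.path;` say the same thing more directly. A short comment above `passwordFile`, such as `# runtime path of the decrypted secret; contents never enter the Nix store`, would record why the file is referenced by path rather than read at evaluation time. The secret definitions use `owner = "invidious"`, so it is worth confirming that the service module in use creates a static user of that name, which this hunk does not show.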