2 files changed, 49 insertions, 0 deletions

diff --git a/system/services/default.nix b/system/services/default.nix
index 8f5540f..6c2670d 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -1,6 +1,7 @@
 {...}: {
   imports = [
     ./fail2ban
+    ./invidious
     ./keycloak
     ./mail
     ./matrix
diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix
new file mode 100644
index 0000000..a1d202c
--- /dev/null
+++ b/system/services/invidious/default.nix
@@ -0,0 +1,48 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  cfg = config.services.invidious;
+in {
+  services.invidious = {
+    enable = true;
+    database = {
+      createLocally = true;
+    };
+    domain = "invidious.vhack.eu";
+    nginx.enable = true;
+    extraSettingsFile = "$CREDENTIALS_DIRECTORY/hmac";
+
+    settings = {
+      check_tables = true;
+    };
+  };
+  systemd.services.invidious.serviceConfig = {
+    LoadCredential = "hmac:${config.age.secrets.invidiousHmac.path}";
+
+    ExecStart = let
+      # taken from the invidious module
+      settingsFormat = pkgs.formats.json {};
+      settingsFile = settingsFormat.generate "invidious-settings" cfg.settings;
+
+      jqFilter =
+        "."
+        + lib.optionalString (cfg.database.host != null) "[0].db.password = \"'\"'\"$(cat ${lib.escapeShellArg cfg.database.passwordFile})\"'\"'\""
+        + " | .[0]"
+        + lib.optionalString (cfg.extraSettingsFile != null) " * .[1]";
+
+      # don't escape extraSettingsFile, to allow variable substitution
+      jqFiles =
+        settingsFile
+        + lib.optionalString (cfg.extraSettingsFile != null) " \"${cfg.extraSettingsFile}\"";
+    in
+      lib.mkForce (pkgs.writeScript "start-invidious" ''
+        #! ${pkgs.dash}/bin/dash
+
+        export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s "${jqFilter}" ${jqFiles})"
+        exec ${cfg.package}/bin/invidious
+      '');
+  };
+}