From 317575461a640ddc601751741bc6da92a3edb867 Mon Sep 17 00:00:00 2001
From: sils
Date: Mon, 7 Aug 2023 12:40:14 +0200
Subject: Feat(system): Add invidious
---
 system/services/invidious/default.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 system/services/invidious/default.nix
(limited to 'system/services/invidious/default.nix')
diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix
new file mode 100644
index 0000000..50a32e8
--- /dev/null
+++ b/system/services/invidious/default.nix
@@ -0,0 +1,12 @@
+{config, ...}: {
+ services.invidious = {
+ enable = true;
+ database = {
+ createLocally = true;
+ passwordFile = "${config.age.secrets.invidious.path}";
+ };
+ domain = "invidious.vhack.eu";
+ nginx.enable = true;
+ extraSettingsFile = "${config.age.secrets.invidiousSettings.path}";
+ };
+}
-- cgit 1.4.1
From 704232eab7b89ec235bdc9978eb6f35a30258060 Mon Sep 17 00:00:00 2001
From: sils
Date: Mon, 7 Aug 2023 12:47:13 +0200
Subject: Fix(system/services/invidious): Specifiy database host
---
 system/services/invidious/default.nix | 1 +
 1 file changed, 1 insertion(+)
(limited to 'system/services/invidious/default.nix')
diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix
index 50a32e8..fd10eec 100644
--- a/system/services/invidious/default.nix
+++ b/system/services/invidious/default.nix
@@ -4,6 +4,7 @@
 database = {
 createLocally = true;
 passwordFile = "${config.age.secrets.invidious.path}";
+ host = "localhost";
 };
 domain = "invidious.vhack.eu";
 nginx.enable = true;
-- cgit 1.4.1
From 96857910fa87e996945bc3f2e5b6f4ef4a6166ea Mon Sep 17 00:00:00 2001
From: sils
Date: Mon, 7 Aug 2023 13:04:27 +0200
Subject: Fix(system): Binary substitution for debugging
---
 system/secrets/default.nix | 6 +++---
 system/services/invidious/default.nix | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
(limited to 'system/services/invidious/default.nix')
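Review bot: Nothing in this hunk enables TLS for the `invidious.vhack.eu` virtual host that `nginx.enable = true` creates, so unless `services.nginx.virtualHosts."invidious.vhack.eu".forceSSL`/`enableACME` are set elsewhere in the tree, logins and whatever cookies Invidious issues travel over plain HTTP. `passwordFile` is combined with `createLocally = true` and no `host`, and the hunk gives no hint which of the two the module honours for a local database; the jq filter copied from the module later in this series only injects `db.password` when `database.host` is non-null, so a comment such as `# passwordFile is only used when database.host is set; createLocally uses the local socket` would record the intent. Minor style: `"${config.age.secrets.invidious.path}"` is an interpolation of a single string and can simply be `config.age.secrets.invidious.path`.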
diff --git a/system/secrets/default.nix b/system/secrets/default.nix
index 515c3e7..3b8029f 100644
--- a/system/secrets/default.nix
+++ b/system/secrets/default.nix
@@ -21,9 +21,9 @@
 };
 invidiousSettings = {
 file = ./invidious/settings.tix;
- mode = "700";
- owner = "invidious";
- group = "invidious";
+ #mode = "700";
+ #owner = "invidious";
+ #group = "invidious";
 };
 };
 };
diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix
index fd10eec..d03dee4 100644
--- a/system/services/invidious/default.nix
+++ b/system/services/invidious/default.nix
@@ -3,8 +3,8 @@
 enable = true;
 database = {
 createLocally = true;
- passwordFile = "${config.age.secrets.invidious.path}";
- host = "localhost";
+ #passwordFile = "${config.age.secrets.invidious.path}";
+ #host = "localhost";
 };
 domain = "invidious.vhack.eu";
 nginx.enable = true;
-- cgit 1.4.1
From 320cc252c1e59de8fed8993b3a527839bc0963a6 Mon Sep 17 00:00:00 2001
From: Soispha
Date: Fri, 11 Aug 2023 09:28:16 +0200
Subject: Refactor(system/secrets/invidious): Remove unneeded files and improve names
---
 system/secrets/default.nix | 10 ++--------
 system/secrets/invidious/hmac.tix | 14 ++++++++++++++
 system/secrets/invidious/passwd.tix | 16 ----------------
 system/secrets/invidious/settings.tix | 14 --------------
 system/services/invidious/default.nix | 4 +---
 5 files changed, 17 insertions(+), 41 deletions(-)
 create mode 100644 system/secrets/invidious/hmac.tix
 delete mode 100644 system/secrets/invidious/passwd.tix
 delete mode 100644 system/secrets/invidious/settings.tix
(limited to 'system/services/invidious/default.nix')
diff --git a/system/secrets/default.nix b/system/secrets/default.nix
index 345354c..2269672 100644
--- a/system/secrets/default.nix
+++ b/system/secrets/default.nix
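Review bot: Commenting out `passwordFile` and `host` instead of deleting them leaves dead configuration behind, and the companion hunk does the same to the `mode`/`owner`/`group` of the `invidiousSettings` secret, which is not a cosmetic change: dropping the owner and group changes who may read the decrypted file (it falls back to the agenix defaults, presumably root-only), and a commit titled "for debugging" does not say what was being debugged or why the service user should lose access. If the aim was to find out why the service could not read the settings, record that in the message or next to the line, e.g. `# FIXME: temporarily root-only while debugging the read failure as invidious:invidious`. After this hunk the `invidious` database-password secret is still declared and decrypted on the host while nothing references it any more.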
@@ -13,15 +13,9 @@
 owner = "matrix-synapse";
 group = "matrix-synapse";
 };
- invidious = {
- file = ./invidious/passwd.tix;
+ invidiousHmac = {
+ file = ./invidious/hmac.tix;
 mode = "700";
- owner = "invidious";
- group = "invidious";
- };
- invidiousSettings = {
- file = ./invidious/settings.tix;
- mode = "744";
 owner = "root";
 group = "root";
 };
diff --git a/system/secrets/invidious/hmac.tix b/system/secrets/invidious/hmac.tix
new file mode 100644
index 0000000..f760fa9
--- /dev/null
+++ b/system/secrets/invidious/hmac.tix
@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZGJGNzVGUWhsVTJFUGds
+dFZmVnRnY1NrVTZBWEt2eFp1YU4yM0xoOUgwClZZNDNFQlp2aEx1eHVqbE5ZU29t
+dVpMcStrMXd5WEFOaDJUVlVuUnJ4YkkKLT4gWDI1NTE5IEZSTVFhdk83RGRNWWdZ
+bmQyd0FNTWhrUUxSRjVOQjAvWSsyU1Z4OWFvVUUKdkIraVRtRW5mUnZFbVRkcDBw
+ME5NTDVkRUo1b0d1Z2xERWZnS0tMLzFhYwotPiBzc2gtZWQyNTUxOSBPRDhUNGcg
+d09jY1doam1nc3B3MEVqN0grM3JWZzFwMW5WU2ZYdGh0TUZnM0VVdzJBSQppL3Qv
+T0VDOTc1U3gyaTB6YVV4dDhEVU1OMzdlMnV2dC9zMVl1VkdkRmlBCi0+IGc/SEJa
+aDZoLWdyZWFzZSBKPW1xOFRaIE9DUCBdfl1HXVUKL0I4MTJZT1ljOXE3cUtTR0Fv
+S3E2UHcvYWxhUlU5QkdXVWZyUjU0SlcveG9GcjZZV242QXVwaDBQTjN0VldBCi0t
+LSB6S0E2SWtmaXBnRkI5aFNIOU9VWkdhOHQrQ0x0MzJ3TC9aNkpJSTY5eDkwClOc
+N6wSpWFX87Vbr+J8Sxn9O6uRbYAyNDmiJk5mDqYaqy/+PRPTx0gbmqRz911sW5Zx
+aBKfDzSPjNx0CSKKL7ioTYlRrW0YyQ==
+-----END AGE ENCRYPTED FILE-----
diff --git a/system/secrets/invidious/passwd.tix b/system/secrets/invidious/passwd.tix
deleted file mode 100644
index beaee32..0000000
--- a/system/secrets/invidious/passwd.tix
+++ /dev/null
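Review bot: `mode = "700"` on a regular secret file grants an execute bit nobody needs; `"0400"` is the narrowest mode that still lets the owner read the key and is the conventional choice for key material. With `owner = "root"`/`group = "root"` the decrypted HMAC key is readable by root only, so whatever consumes `extraSettingsFile` inside the invidious unit must run as root or receive the file by another route — the series later moves to `LoadCredential`, presumably for exactly this reason — and that constraint deserves a comment next to the secret once the hand-off mechanism is settled, e.g. `# root-only on disk; the service gets a private copy, never reads this path directly`. Note that `hmac.tix` carries the same blob id (`f760fa9`) as the deleted `settings.tix`, so this is a rename of the existing ciphertext and not a new key; fine as long as the recipient set is unchanged.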
@@ -1,16 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeHpwZFZEWXc0cGxZZ2dV
-WDkvUmVFWXE5azZ1VlREM090bWJ6elgxR3hFCmhnNkhWZWVqdmxEcUJVTnFZaGw1
-YnVOYmpYOGd5YU1EaDlmc0ZrNk0zT0EKLT4gWDI1NTE5IEwyL1ptVzJ2bUdvSW1n
-TzNod1BKZHQ3YXhUMkl5ZzRiT2Y3aUt0NGw4RVUKWTF3ampTMG1DYTBYTFcwNEp6
-bkFWbGl6WEVCcVdhQnVWY0piQ1VHMzk0SQotPiBzc2gtZWQyNTUxOSBPRDhUNGcg
-TnFGVkQxTndPZ1l4c2J5dzNmT1YrZ0dQYytIMmtxaTN2Y01uZFdXOThqWQo2TDkv
-MUJzc3BON1JwbGN3OW44WWZ5WUxWdWU2UnpJczVYVHBsdUFmdllJCi0+IHg5YmFB
-eS1ncmVhc2UgYl9hXWlgIC5fIGpLaU1wWiN4ICczCkVmOHRibWptbDBxOS9Ic1VC
-L0tFQXo5Sk45TDFlQlB5bnFleUF0dFlMSmdvd2dmUlZ3Ci0tLSBIN0MvMEduQVlR
-bDVTQUxvZjB2TTljdjZkbGphN1l1QnZESWNZUjZzd1dVCmCWuxwFj1FyTEFasr8X
-apyuQkXs6Cvfx82qMvwE1G4SLOEulJjVp/VDcICQ8RE8BE0HJGRjG64FqdtbHY2K
-tPMADqfz/jt7kbXKSwB6zOHE9VNcTrGl+mx2Ki8HUG8GElj+hE2m0cWdGijcsGVW
-lo2HKPa7F/d9vBUC9sLYo8U5VrnIRhBN1s4ECfAa4vj2RSsCZePCHkJMH7qFPGuC
-PZST
------END AGE ENCRYPTED FILE-----
diff --git a/system/secrets/invidious/settings.tix b/system/secrets/invidious/settings.tix
deleted file mode 100644
index f760fa9..0000000
--- a/system/secrets/invidious/settings.tix
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZGJGNzVGUWhsVTJFUGds
-dFZmVnRnY1NrVTZBWEt2eFp1YU4yM0xoOUgwClZZNDNFQlp2aEx1eHVqbE5ZU29t
-dVpMcStrMXd5WEFOaDJUVlVuUnJ4YkkKLT4gWDI1NTE5IEZSTVFhdk83RGRNWWdZ
-bmQyd0FNTWhrUUxSRjVOQjAvWSsyU1Z4OWFvVUUKdkIraVRtRW5mUnZFbVRkcDBw
-ME5NTDVkRUo1b0d1Z2xERWZnS0tMLzFhYwotPiBzc2gtZWQyNTUxOSBPRDhUNGcg
-d09jY1doam1nc3B3MEVqN0grM3JWZzFwMW5WU2ZYdGh0TUZnM0VVdzJBSQppL3Qv
-T0VDOTc1U3gyaTB6YVV4dDhEVU1OMzdlMnV2dC9zMVl1VkdkRmlBCi0+IGc/SEJa
-aDZoLWdyZWFzZSBKPW1xOFRaIE9DUCBdfl1HXVUKL0I4MTJZT1ljOXE3cUtTR0Fv
-S3E2UHcvYWxhUlU5QkdXVWZyUjU0SlcveG9GcjZZV242QXVwaDBQTjN0VldBCi0t
-LSB6S0E2SWtmaXBnRkI5aFNIOU9VWkdhOHQrQ0x0MzJ3TC9aNkpJSTY5eDkwClOc
-N6wSpWFX87Vbr+J8Sxn9O6uRbYAyNDmiJk5mDqYaqy/+PRPTx0gbmqRz911sW5Zx
-aBKfDzSPjNx0CSKKL7ioTYlRrW0YyQ==
------END AGE ENCRYPTED FILE-----
diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix
index d03dee4..7a37f50 100644
--- a/system/services/invidious/default.nix
+++ b/system/services/invidious/default.nix
@@ -3,11 +3,9 @@
 enable = true;
 database = {
 createLocally = true;
- #passwordFile = "${config.age.secrets.invidious.path}";
- #host = "localhost";
 };
 domain = "invidious.vhack.eu";
 nginx.enable = true;
- extraSettingsFile = "${config.age.secrets.invidiousSettings.path}";
+ extraSettingsFile = "${config.age.secrets.invidiousHmac.path}";
 };
 }
-- cgit 1.4.1
From b39d8005c6315ceb9e3e6068a854a21dfa80ab97 Mon Sep 17 00:00:00 2001
From: Soispha
Date: Fri, 11 Aug 2023 09:43:50 +0200
Subject: Fix(system/services/invidious): Check tables on startup
---
 system/services/invidious/default.nix | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'system/services/invidious/default.nix')
diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix
index 7a37f50..17ba0c1 100644
--- a/system/services/invidious/default.nix
+++ b/system/services/invidious/default.nix
@@ -7,5 +7,9 @@
 domain = "invidious.vhack.eu";
 nginx.enable = true;
 extraSettingsFile = "${config.age.secrets.invidiousHmac.path}";
+
+ settings = {
+ check_tables = true;
+ };
 };
 }
-- cgit 1.4.1
From c525e36a3dd0345e3ef04b9e2669264b4ec7daa2 Mon Sep 17 00:00:00 2001
From: Soispha
Date: Fri, 11 Aug 2023 09:54:23 +0200
Subject: Fix(system/services/invidious): Set correct access permissions on hmac
---
 system/services/invidious/default.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'system/services/invidious/default.nix')
diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix
index 17ba0c1..8b69c2e 100644
--- a/system/services/invidious/default.nix
+++ b/system/services/invidious/default.nix
@@ -6,10 +6,13 @@
 };
 domain = "invidious.vhack.eu";
 nginx.enable = true;
- extraSettingsFile = "${config.age.secrets.invidiousHmac.path}";
+ extraSettingsFile = "$CREDENTIALS_DIRECTORY/hmac";
 
 settings = {
 check_tables = true;
 };
 };
+ systemd.services.invidious.serviceConfig = {
+ LoadCredential = "hmac:${config.age.secrets.invidiousHmac.path}";
+ };
 }
-- cgit 1.4.1
From 542bb5d7b8e3dfe22826fe0af3272b8b2a8b925a Mon Sep 17 00:00:00 2001
From: Soispha
Date: Fri, 11 Aug 2023 10:31:46 +0200
Subject: Fix(system/service/invidious): Copy their script, to remove shell escape
The default ExecStart implementation in the module, escapes all stings. This does not work for us because we need to use the `$CREDENTIALS_DIR` environment variable, for the credentials deployed in den `LoadCredential` option
---
 system/services/invidious/default.nix | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)
(limited to 'system/services/invidious/default.nix')
diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix
index 8b69c2e..f51fc3d 100644
--- a/system/services/invidious/default.nix
+++ b/system/services/invidious/default.nix
@@ -1,4 +1,11 @@
-{config, ...}: {
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.services.invidious;
+in {
 services.invidious = {
 enable = true;
 database = {
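Review bot: `extraSettingsFile = "$CREDENTIALS_DIRECTORY/hmac"` is a string that only works if the module's start script expands it unquoted at runtime, which this hunk neither checks nor documents; the following commit's message says the module shell-escapes the value, so at this commit the unit would look for a file literally named `$CREDENTIALS_DIRECTORY/hmac`, and a bisect landing here gets a broken service. `LoadCredential` itself is the right mechanism — systemd reads the root-only secret and hands the service a private, service-owned copy — so a one-line comment recording that is worth adding: `# systemd copies the root-only age secret into the unit's private credentials dir; the service never reads the agenix path`. Since the file is only ever read by systemd now, the secret's on-disk mode can be tightened to `0400` without affecting the service.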
@@ -14,5 +21,25 @@
 };
 systemd.services.invidious.serviceConfig = {
 LoadCredential = "hmac:${config.age.secrets.invidiousHmac.path}";
+
+ script = let
+ # taken from the invidious module
+ settingsFormat = pkgs.formats.json {};
+ settingsFile = settingsFormat.generate "invidious-settings" cfg.settings;
+
+ jqFilter =
+ "."
+ + lib.optionalString (cfg.database.host != null) "[0].db.password = \"'\"'\"$(cat ${lib.escapeShellArg cfg.database.passwordFile})\"'\"'\""
+ + " | .[0]"
+ + lib.optionalString (cfg.extraSettingsFile != null) " * .[1]";
+
+ # don't escape extraSettingsFile, to allow variable substitution
+ jqFiles =
+ settingsFile
+ + lib.optionalString (cfg.extraSettingsFile != null) " \"${cfg.extraSettingsFile}\"";
+ in ''
+ export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s "${jqFilter}" ${jqFiles})"
+ exec ${cfg.package}/bin/invidious
+ '';
 };
 }
-- cgit 1.4.1
From df87e1dfd15cbd229ad3a7df3ded7544aadee75a Mon Sep 17 00:00:00 2001
From: Soispha
Date: Fri, 11 Aug 2023 10:37:43 +0200
Subject: Fix(system/services/invidious): Force the new script option to be applied
---
 system/services/invidious/default.nix | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
(limited to 'system/services/invidious/default.nix')
diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix
index f51fc3d..e9ac768 100644
--- a/system/services/invidious/default.nix
+++ b/system/services/invidious/default.nix
@@ -22,7 +22,7 @@ in {
 systemd.services.invidious.serviceConfig = {
 LoadCredential = "hmac:${config.age.secrets.invidiousHmac.path}";
 
- script = let
+ ExecStart = let
 # taken from the invidious module
 settingsFormat = pkgs.formats.json {};
 settingsFile = settingsFormat.generate "invidious-settings" cfg.settings;
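Review bot: `# taken from the invidious module` should name the nixpkgs revision it was copied from, because this copy now freezes the unit's start-up logic: upstream changes to how `settings` and `extraSettingsFile` are merged, or to the `db.password` injection, will silently stop reaching this host. The copied `db.password` branch is dead here (`database.host` is null in this file) but it is also the fragile part — `$(cat …)` is spliced into the jq program text, so when it is active the password is substituted by the shell and lands in jq's argv, where any local user can read it for the duration of the call — so either drop the branch or say explicitly that it is kept verbatim for easier re-syncing. A header along the lines of `# Copied verbatim from the nixpkgs invidious module at <rev>; only change: extraSettingsFile is not shell-escaped so $CREDENTIALS_DIRECTORY expands. Re-sync when bumping nixpkgs.` would cover both.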
@@ -37,9 +37,10 @@ in {
 jqFiles =
 settingsFile
 + lib.optionalString (cfg.extraSettingsFile != null) " \"${cfg.extraSettingsFile}\"";
- in ''
- export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s "${jqFilter}" ${jqFiles})"
- exec ${cfg.package}/bin/invidious
- '';
+ in
+ lib.mkForce (pkgs.writeScript "start-invidious" ''
+ export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s "${jqFilter}" ${jqFiles})"
+ exec ${cfg.package}/bin/invidious
+ '');
 };
 }
-- cgit 1.4.1
From 08eb7736c7e1897885e9e28a09bbc3510e572f8f Mon Sep 17 00:00:00 2001
From: Soispha
Date: Fri, 11 Aug 2023 18:05:17 +0200
Subject: Fix(system/services/invidious): Add interpreter to start script
---
 system/services/invidious/default.nix | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'system/services/invidious/default.nix')
diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix
index e9ac768..a1d202c 100644
--- a/system/services/invidious/default.nix
+++ b/system/services/invidious/default.nix
@@ -39,6 +39,8 @@ in {
 + lib.optionalString (cfg.extraSettingsFile != null) " \"${cfg.extraSettingsFile}\"";
 in
 lib.mkForce (pkgs.writeScript "start-invidious" ''
+ #! ${pkgs.dash}/bin/dash
+
 export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s "${jqFilter}" ${jqFiles})"
 exec ${cfg.package}/bin/invidious
 '');
-- cgit 1.4.1
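Review bot: `export INVIDIOUS_CONFIG="$(… jq …)"` in the start script discards jq's exit status: if `$CREDENTIALS_DIRECTORY/hmac` is missing, unreadable or not valid JSON, the assignment still succeeds with an empty value and `exec …/invidious` runs anyway, so a failed credential hand-off degrades into a service started without the merged settings (and presumably without the intended HMAC key) instead of a failed unit. Now that the dash shebang is in place, add `set -eu` right after it and split the line into `INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s "${jqFilter}" ${jqFiles})"` followed by `export INVIDIOUS_CONFIG`, so a failing substitution aborts before exec. `lib.mkForce` also drops whatever `ExecStart` the module sets, which is the intent here but deserves a one-line comment so the next reader does not try to "fix" it.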