feat: add po_token and visitor_data secret

Been having some invidious issues. So going to try to add `po_token` and `visitor_data` to the config to smooth things out. NOTE: There are privacy implications here. Going to eat it for now. Also kudos to whoever made the services.invidious.extraSettingsFile option. You are my hero.
ajaxbits · Sep 24, 2024 · 1ad8119 · 1ad8119
1 parent 8eb4b88
commit 1ad8119
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 27 deletions.
diff --git a/components/mediacenter/invidious/default.nix b/components/mediacenter/invidious/default.nix
@@ -1,24 +1,27 @@
 {
   lib,
   config,
+  self,
   pkgsUnstable,
   ...
-}: let
+}:
+let
   inherit (lib) mkIf optionalString;
 
   cfg = config.components.mediacenter.invidious;
   caddyEnabled = config.components.caddy.enable;
-in {
+
+  user = "invidious";
+  group = user;
+in
+{
   config = mkIf cfg.enable {
     services.invidious = {
       enable = true;
       package = pkgsUnstable.invidious;
 
       domain = optionalString caddyEnabled "yt.ajax.casa";
-      address =
-        if caddyEnabled
-        then "127.0.0.1"
-        else "0.0.0.0";
+      address = if caddyEnabled then "127.0.0.1" else "0.0.0.0";
       port = 3111;
 
       settings = {
@@ -39,27 +42,45 @@ in {
       environment.DISABLE_WEBP = "1";
     };
 
-    services.caddy.virtualHosts = mkIf caddyEnabled (let
-      inherit (config.services.invidious) address domain port;
-    in {
-      "https://${domain}".extraConfig = ''
-        encode gzip zstd
-        reverse_proxy http://${address}:${toString port}
-        import cloudflare
+    users.users.${user} = {
+      inherit group;
+      isSystemUser = true;
+    };
+    users.groups.${group} = { };
+
+    services.caddy.virtualHosts = mkIf caddyEnabled (
+      let
+        inherit (config.services.invidious) address domain port;
+      in
+      {
+        "https://${domain}".extraConfig = ''
+          encode gzip zstd
+          reverse_proxy http://${address}:${toString port}
+          import cloudflare
 
-        @ytproxy path_regexp ytproxy ^/videoplayback|^/vi/|^/ggpht/|^/sb/
-        reverse_proxy @ytproxy unix//run/http3-ytproxy/socket/http-proxy.sock {
-            header_up X-Forwarded-For ""
-            header_up CF-Connecting-IP ""
-            header_down -alt-svc
-            header_down -Cache-Control
-            header_down -etag
-            header_down Cache-Control "private"
-            transport http {
-                versions 1.1
-            }
-        }
-      '';
-    });
+          @ytproxy path_regexp ytproxy ^/videoplayback|^/vi/|^/ggpht/|^/sb/
+          reverse_proxy @ytproxy unix//run/http3-ytproxy/socket/http-proxy.sock {
+              header_up X-Forwarded-For ""
+              header_up CF-Connecting-IP ""
+              header_down -alt-svc
+              header_down -Cache-Control
+              header_down -etag
+              header_down Cache-Control "private"
+              transport http {
+                  versions 1.1
+              }
+          }
+        '';
+      }
+    );
+
+    age.secrets = {
+      "invidious/extraSettingsFile" = {
+        file = "${self}/invidious/extraSettingsFile.age";
+        mode = "440";
+        owner = user;
+        inherit group;
+      };
+    };
   };
 }
diff --git a/secrets/invidious/extraSettingsFile.age b/secrets/invidious/extraSettingsFile.age
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -19,6 +19,9 @@ in {
   # immich
   "immich/.env.age".publicKeys = allKeys;
 
+  # invidious
+  "invidious/extraSettingsFile.age".publicKeys = allKeys;
+
   # libation
   "libation/Settings.json.age".publicKeys = allKeys;
   "libation/AccountsSettings.json.age".publicKeys = allKeys;