diff --git a/components/mediacenter/invidious/default.nix b/components/mediacenter/invidious/default.nix
index 92cf8a8..b075378 100644
--- a/components/mediacenter/invidious/default.nix
+++ b/components/mediacenter/invidious/default.nix
@@ -1,65 +1,98 @@ { lib, config, + self, pkgsUnstable, ... -}: let +}: +let inherit (lib) mkIf optionalString; cfg = config.components.mediacenter.invidious; caddyEnabled = config.components.caddy.enable; -in { + + user = "invidious"; + group = user; +in +{ config = mkIf cfg.enable { services.invidious = { enable = true; package = pkgsUnstable.invidious; domain = optionalString caddyEnabled "yt.ajax.casa"; - address = - if caddyEnabled - then "127.0.0.1" - else "0.0.0.0"; + address = if caddyEnabled then "127.0.0.1" else "0.0.0.0"; port = 3111; settings = { - db.user = "invidious"; + db.user = user; https_only = caddyEnabled; external_port = optionalString caddyEnabled 443; popular_enabled = false; }; + extraSettingsFile = config.age.secrets."invidious/config.extra.yml".path; + http3-ytproxy = { enable = true; package = pkgsUnstable.http3-ytproxy; }; }; - systemd.services.http3-ytproxy = { - serviceConfig.User = mkIf caddyEnabled config.services.caddy.user; - environment.DISABLE_WEBP = "1"; + systemd.services = { + http3-ytproxy = { + serviceConfig.User = mkIf caddyEnabled config.services.caddy.user; + environment.DISABLE_WEBP = "1"; + }; + invidious.serviceConfig = { + User = user; + Group = group; + }; + }; + + users.users.${user} = { + inherit group; + isSystemUser = true; }; + users.groups.${group} = { }; + + services.caddy.virtualHosts = mkIf caddyEnabled ( + let + inherit (config.services.invidious) address domain port; + in + { + "https://${domain}".extraConfig = '' + encode gzip zstd + reverse_proxy http://${address}:${toString port} + import cloudflare - services.caddy.virtualHosts = mkIf caddyEnabled (let - inherit (config.services.invidious) address domain port; - in { - "https://${domain}".extraConfig = '' - encode gzip zstd - reverse_proxy http://${address}:${toString port} - import cloudflare + log { + output discard + } - @ytproxy path_regexp ytproxy ^/videoplayback|^/vi/|^/ggpht/|^/sb/ - reverse_proxy @ytproxy 
unix//run/http3-ytproxy/socket/http-proxy.sock { - header_up X-Forwarded-For "" - header_up CF-Connecting-IP "" - header_down -alt-svc - header_down -Cache-Control - header_down -etag - header_down Cache-Control "private" - transport http { - versions 1.1 - } - } - ''; - }); + @ytproxy path_regexp ytproxy ^/videoplayback|^/vi/|^/ggpht/|^/sb/ + reverse_proxy @ytproxy unix//run/http3-ytproxy/socket/http-proxy.sock { + header_up X-Forwarded-For "" + header_up CF-Connecting-IP "" + header_down -alt-svc + header_down -Cache-Control + header_down -etag + header_down Cache-Control "private" + transport http { + versions 1.1 + } + } + ''; + } + ); + + age.secrets = { + "invidious/extraSettingsFile" = { + file = "${self}/secrets/invidious/extraSettingsFile.age"; + mode = "440"; + owner = user; + inherit group; + }; + }; }; } diff --git a/secrets/invidious/extraSettingsFile.age b/secrets/invidious/extraSettingsFile.age new file mode 100644 index 0000000..5566c8c Binary files /dev/null and b/secrets/invidious/extraSettingsFile.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 3055258..d67a8d6 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -19,6 +19,9 @@ in { # immich "immich/.env.age".publicKeys = allKeys; + # invidious + "invidious/extraSettingsFile.age".publicKeys = allKeys; + # libation "libation/Settings.json.age".publicKeys = allKeys; "libation/AccountsSettings.json.age".publicKeys = allKeys;
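Review bot: The new `extraSettingsFile` line references `config.age.secrets."invidious/config.extra.yml".path`, but the only secret this hunk declares is `age.secrets."invidious/extraSettingsFile"` (matching the new `secrets/invidious/extraSettingsFile.age` entry), so the attribute lookup will fail at evaluation time. It should read `extraSettingsFile = config.age.secrets."invidious/extraSettingsFile".path;`. The secret's `mode = "440"` with `owner = user` and `inherit group` lines up with the `User`/`Group` now set on `systemd.services.invidious`, so the service should be able to read it once the name matches. Separately, the added `log { output discard }` block drops the vhost's access log, which removes a source of request visibility for later incident review; if that is intentional, a one-line comment above it such as `# access logs intentionally discarded; see <reason>` would save the next maintainer from re-enabling it by accident.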