From 4441b320a4dc9f598e50b0872f7fdcca582679a8 Mon Sep 17 00:00:00 2001 From: Alex Jackson Date: Tue, 24 Sep 2024 10:33:12 -0500 Subject: [PATCH] feat: add po_token and visitor_data to invidious Been having some invidious issues. So going to try to add `po_token` and `visitor_data` to the config to smooth things out. NOTE: There are privacy implications here. Going to eat it for now. Also kudos to whoever made the services.invidious.extraSettingsFile option. You are my hero. --- components/mediacenter/invidious/default.nix | 95 +++++++++++++------ secrets/invidious/extraSettingsFile.age | Bin 0 -> 776 bytes secrets/secrets.nix | 3 + 3 files changed, 67 insertions(+), 31 deletions(-) create mode 100644 secrets/invidious/extraSettingsFile.age diff --git a/components/mediacenter/invidious/default.nix b/components/mediacenter/invidious/default.nix index 92cf8a8..b075378 100644 --- a/components/mediacenter/invidious/default.nix +++ b/components/mediacenter/invidious/default.nix 
@@ -1,65 +1,98 @@ { lib, config, + self, pkgsUnstable, ... -}: let +}: +let inherit (lib) mkIf optionalString; cfg = config.components.mediacenter.invidious; caddyEnabled = config.components.caddy.enable; -in { + + user = "invidious"; + group = user; +in +{ config = mkIf cfg.enable { services.invidious = { enable = true; package = pkgsUnstable.invidious; domain = optionalString caddyEnabled "yt.ajax.casa"; - address = - if caddyEnabled - then "127.0.0.1" - else "0.0.0.0"; + address = if caddyEnabled then "127.0.0.1" else "0.0.0.0"; port = 3111; settings = { - db.user = "invidious"; + db.user = user; https_only = caddyEnabled; external_port = optionalString caddyEnabled 443; popular_enabled = false; }; + extraSettingsFile = config.age.secrets."invidious/config.extra.yml".path; + http3-ytproxy = { enable = true; package = pkgsUnstable.http3-ytproxy; }; }; - systemd.services.http3-ytproxy = { - serviceConfig.User = mkIf caddyEnabled config.services.caddy.user; - environment.DISABLE_WEBP = "1"; + systemd.services = { + http3-ytproxy = { + serviceConfig.User = mkIf caddyEnabled config.services.caddy.user; + environment.DISABLE_WEBP = "1"; + }; + invidious.serviceConfig = { + User = user; + Group = group; + }; + }; + + users.users.${user} = { + inherit group; + isSystemUser = true; }; + users.groups.${group} = { }; + + services.caddy.virtualHosts = mkIf caddyEnabled ( + let + inherit (config.services.invidious) address domain port; + in + { + "https://${domain}".extraConfig = '' + encode gzip zstd + reverse_proxy http://${address}:${toString port} + import cloudflare - services.caddy.virtualHosts = mkIf caddyEnabled (let - inherit (config.services.invidious) address domain port; - in { - "https://${domain}".extraConfig = '' - encode gzip zstd - reverse_proxy http://${address}:${toString port} - import cloudflare + log { + output discard + } - @ytproxy path_regexp ytproxy ^/videoplayback|^/vi/|^/ggpht/|^/sb/ - reverse_proxy @ytproxy 
unix//run/http3-ytproxy/socket/http-proxy.sock { - header_up X-Forwarded-For "" - header_up CF-Connecting-IP "" - header_down -alt-svc - header_down -Cache-Control - header_down -etag - header_down Cache-Control "private" - transport http { - versions 1.1 - } - } - ''; - }); + @ytproxy path_regexp ytproxy ^/videoplayback|^/vi/|^/ggpht/|^/sb/ + reverse_proxy @ytproxy unix//run/http3-ytproxy/socket/http-proxy.sock { + header_up X-Forwarded-For "" + header_up CF-Connecting-IP "" + header_down -alt-svc + header_down -Cache-Control + header_down -etag + header_down Cache-Control "private" + transport http { + versions 1.1 + } + } + ''; + } + ); + + age.secrets = { + "invidious/extraSettingsFile" = { + file = "${self}/secrets/invidious/extraSettingsFile.age"; + mode = "440"; + owner = user; + inherit group; + }; + }; }; } diff --git a/secrets/invidious/extraSettingsFile.age b/secrets/invidious/extraSettingsFile.age new file mode 100644 index 0000000000000000000000000000000000000000..5566c8ccd2f8583f0132dbae1122668f035220e2 GIT binary patch literal 776 zcmZY2S!>e(003YSL5v7Kh{!}%QBml+HC=kdW7ww0k}hr1CTSbI(k|)Nq;1-!NfW$a zUJp(Yil9Tq3%n3Fl%Z^*bBYgM;N2;xQyelCMW!fI-}U+H20iA}LzK zSV8xp@jT!um=mfmkqJR~jE*Y)4%w&_g;vST7U_(PsGy8FB}r&Pg6V%ZKIVWjq$x$J z5nGlG1k4H+Ot8Tysg#6Bg`@mRLWGNMPeIqiep@an`T)dh*8>HfGQ3jOtqHW>$g`3? zOv$*7DIgrHMhKL%u?ULe|81B=F{H`n38mUvIaZKJp&Z~C%Fa{Gj3?+)3_9!qsdfT| zDhvZ9DJy`Nvr3W(IWZX|IEN@ign+8W(}7HcU?Nhc5@YPvaGF&_mHc;$CH!SfGg+f> z#)t+nibxV^I_PRkrgfIY9r3uCcPnk45|U{3bs#xeLIHv(@wgj=^=4Gj++GGQw#QPi zE8;YQ1vv`kHCs4~lg+r*Z3QeAiwO&eaaiq|#5t z$> z;O`!O%$T=w-5KzGYOL<%sD7XnI0PAQtn-=1u1kXr?;fn}-rx6dG***lKI>UtPjKiA z{rqZe)vF`l_bjbm?H<|ksC@YD_~r4p)sw=f^};3$eScP@TCVTZrp}-ErT2gO_<2!{ R-P-eFV(zK_CDnt~`oCKTGSdJ6 literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 3055258..d67a8d6 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
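Review bot: `extraSettingsFile` reads `config.age.secrets."invidious/config.extra.yml".path`, but the only secret this hunk declares under `age.secrets` is `"invidious/extraSettingsFile"`. Unless the other name is defined elsewhere in the repo, evaluation fails on a missing attribute and the token file is never wired into the service. Point the option at the declared secret: `extraSettingsFile = config.age.secrets."invidious/extraSettingsFile".path;`. Because owner and group are the same dedicated account, `mode = "400"` is enough for a file holding `po_token` and `visitor_data`. A short comment over the `age.secrets` entry should say what the file contains and repeat the privacy caveat from the commit message, so that the trade-off is visible in the module itself.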
@@ -19,6 +19,9 @@ in { # immich "immich/.env.age".publicKeys = allKeys; + # invidious + "invidious/extraSettingsFile.age".publicKeys = allKeys; + # libation "libation/Settings.json.age".publicKeys = allKeys; "libation/AccountsSettings.json.age".publicKeys = allKeys;
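Review bot: `"invidious/extraSettingsFile.age".publicKeys = allKeys;` makes the file decryptable by every recipient in `allKeys`, although only the host that runs invidious needs to read it. `allKeys` is defined outside this hunk, so its exact membership is not visible here; if it includes other machines, a narrower recipient list would limit the exposure of the session-bound `po_token` and `visitor_data` should one of those machines be compromised. That list would hold the mediacenter host key plus the keys used to edit secrets. This follows the pattern of the neighbouring entries, so it may be a deliberate repo-wide choice, but it is worth a comment either way.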