From 4bcd6661c9463fb5c13aa7b6c4aa19ed6b7425c5 Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Sun, 18 Feb 2024 19:49:55 -0800
Subject: [PATCH] fix(invidious): database setup

---
 modules/nixos/postgres.nix | 3 +++
 nixos/invidious.nix | 5 +++--
 nixos/postgres.nix | 7 ++++++-
 nixos/secrets/postgres.yaml | 6 +++---
 4 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/modules/nixos/postgres.nix b/modules/nixos/postgres.nix
index 0047bce8..7e809f8b 100644
--- a/modules/nixos/postgres.nix
+++ b/modules/nixos/postgres.nix
@@ -74,4 +74,7 @@ in {
 mkIf user.authentication.enable user.authentication.authentication
 ) cfg.ensureUsers);
 };
+ config.networking.firewall.interfaces.local = mkIf cfg.enable {
+ allowedTCPPorts = mkIf (any (user: user.authentication.local.allow) cfg.ensureUsers) [ cfg.port ];
+ };
 }
diff --git a/nixos/invidious.nix b/nixos/invidious.nix
index 6f12cff6..6d5d3975 100644
--- a/nixos/invidious.nix
+++ b/nixos/invidious.nix
@@ -1,5 +1,6 @@
 { config, lib, ... }: let
 inherit (lib.modules) mkForce;
+ cfg = config.services.invidious;
 in {
 sops.secrets = let
 commonSecret = {
@@ -10,7 +11,7 @@ in {
 invidious_hmac_key = commonSecret;
 };
 
- networking.firewall.allowedTCPPorts = [ 3000 ];
+ networking.firewall.interfaces.local.allowedTCPPorts = [ cfg.port ];
 users.groups.invidious = {};
 users.users.invidious = {
 isSystemUser = true;
@@ -28,7 +29,7 @@ in {
 external_port = 443;
 hsts = false;
 db = {
- user = "kemal";
+ user = "invidious";
 dbname = "invidious";
 };
 };
diff --git a/nixos/postgres.nix b/nixos/postgres.nix
index e6e819bf..64f41f43 100644
--- a/nixos/postgres.nix
+++ b/nixos/postgres.nix
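Review bot: The firewall rule added in modules/nixos/postgres.nix opens `cfg.port` whenever any ensureUsers entry has `authentication.local.allow`, while the context line just above only applies a user's `authentication.authentication` (presumably its pg_hba entries) when `user.authentication.enable` is set, so a user with local.allow but authentication disabled would open the port without the matching access rule. If `authentication.enable` is meant as the per-user master switch, the predicate should be `mkIf (any (user: user.authentication.enable && user.authentication.local.allow) cfg.ensureUsers) [ cfg.port ]`. The enclosing attribute set starts outside the hunk, and `any` is assumed to be in scope from the file's `let` or builtins, also outside the hunk. A comment on the new block such as `# expose postgres on the "local" interface only when some role is allowed to connect over it` would make the intent of the interface-scoped rule explicit.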
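Review bot: Moving the invidious port from the global `allowedTCPPorts` to `networking.firewall.interfaces.local` (the same interface name the first hunk relies on) narrows exposure, but on a host with no interface called `local` the rule matches nothing and the service silently becomes unreachable; that is the safe failure mode, yet nothing on the line says so. Suggest a comment on the new line such as `# reachable only via the "local" interface; do not re-add a global allowedTCPPorts entry` so the next reader does not widen it back to all interfaces. The line depends on the `cfg = config.services.invidious` binding introduced in the preceding hunk.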
@@ -8,13 +8,18 @@ in {
 services.postgresql = {
 enable = mkDefault true;
- ensureDatabases = ["hass" "dex"];
+ ensureDatabases = ["hass" "invidious" "dex"];
 ensureUsers = [
 {
 name = "hass";
 ensureDBOwnership = true;
 authentication.tailscale.allow = !config.services.home-assistant.enable;
 }
+ {
+ name = "invidious";
+ ensureDBOwnership = true;
+ authentication.local.allow = true;
+ }
 {
 name = "dex";
 ensureDBOwnership = true;
diff --git a/nixos/secrets/postgres.yaml b/nixos/secrets/postgres.yaml
index 3aa4c147..dd5bd7fe 100644
--- a/nixos/secrets/postgres.yaml
+++ b/nixos/secrets/postgres.yaml
@@ -1,4 +1,4 @@
-postgresql-init: ENC[AES256_GCM,data:nBxJExClBwSTR5QLvnVs1H3l49pMz14LlfZzn1zleTd7Udez+qBv9rNtMnRcirSg0WPriFtSBQekOywok0DVy5EpCgRXMxGoj1vMUoyP3axWv/+6w4olc8iGHoiKxdN8tpM56FkYFUG8MI43mfiaRKEqmUHXUA3VJeJT25PJxcA7eR0dRFWmZ6t2UBQmhaoG6TlGlgfheC5iAk4aApfSOa287Zw5sKowfZpcFpouNnivN2h4JabB8G0o9xESxxGQ8rnPIkyLHTDEyzsNvw==,iv:vG7Jou8gxKDeVZz46fnGXKM27jxXUlXW375STT5zkaI=,tag:/SXHY71iPWM9da0lMBDAsA==,type:str]
+postgresql-init: ENC[AES256_GCM,data:fW9g0WKVHTO9blqlEXLJejyQUqC3na/Xh6Il2GNfuX6c2LfRjfFSeour4qt2envtPO+WanGl+ueE1AMck5t02TjqrN4a6DsQpAIGFVE7L4ajp/13Gp308pY4Xu7OKHjkGpzVBATKgLDZkoU8yAkqKZCBEU3d4xegp8pgnsLSpb/LndKiITjhTe2IJOSkIJd9twSsra8JQWRYCW8WjZZ9YOe5nqtU+56b/zb0CxVhhln0jU/3e5s7pfblfou2TnvnFezswjNTIGftNU1wOaxSCA==,iv:hjKNZ4EbPpl5YIcaWJYLKJzxuOmMjL4AtfUeL4vm5QA=,tag:mYcu4cRUnZeLgeISfaxXPQ==,type:str]
 sops:
 shamir_threshold: 1
 kms: []
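Review bot: The new invidious ensureUsers entry sets `authentication.local.allow = true` unconditionally, whereas the hass entry just above conditions its allow on `config.services.home-assistant.enable`; combined with the first hunk, which opens the postgres port on the local interface whenever any user has local.allow, this exposes the port on every host that imports this file, including ones where invidious is not enabled. Consider `authentication.local.allow = config.services.invidious.enable;` so the exposure follows the service. The literal `"invidious"` is also repeated here, in the ensureDatabases list and as `db.user` in nixos/invidious.nix; if that `db` block sits under `services.invidious.settings` (the attribute enclosing it starts outside its hunk), reading `config.services.invidious.settings.db.user` here would keep the role name in one place. The `services.postgresql` attribute set continues outside this hunk.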
@@ -33,8 +33,8 @@ sops:
 a3l3bUx5NzdqUGd1TEpGY3UvQWt4TU0KB4MAjvI43FaOiGhWTkwPpeMMiAnX4v3L
 rLZDdc/vegF10FKTNJdxdq1E7ccMaV1KwjQkJoOJnWe6teKLjGOFkA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-02-18T19:48:39Z"
- mac: ENC[AES256_GCM,data:Dw0kOxKVreKSPqX6QpUDqf199H/4ZtbpBHtzn6y4w7dcwwk2ghuM8eTku9+dc4re9/AlT0N0WyXC9W39hizLso0V8s9Q36rfzT6X9ZmUV5jLzILHJQvLdzDpgaV1J7UTHReOolSbMK4Y6tpkUoYoCBkfTvi+2OAd/9ElTj5NBTM=,iv:Jw6w0MoTwsq0F+W/uSehHrE+fUUhUfdiBqeLS2rV3/w=,tag:AQSY+cLhh/H5aFXvBvepTg==,type:str]
+ lastmodified: "2024-02-19T03:46:45Z"
+ mac: ENC[AES256_GCM,data:FMzWnFllHDpgIoDJIKS7aWpUSVNH0+ij0+AIzl3qtjeuzmUUluDtEes6yAR8g/Daq+nxiMRnsse0HfUqZeT0rVVEpqvQB4Wsoq+G9qj8mmEUrHJzjU5rSDWV8uf5F1BsZbvF13VBulh/RWsmWjps+z6vyJ7uM1QjS3hSF2k3hSM=,iv:tpH8XjoTtNzPOOIosObpsvOAzZO7ywK9xjow3xTOJqY=,tag:BTzezbH9zZDZBzy1x+AJ1w==,type:str]
 pgp:
 - created_at: "2024-01-19T19:08:55Z"
 enc: |-