fix(invidious): database setup

2026-02-09 04:19:19 -08:00 · 2024-02-18 19:49:55 -08:00 · 2024-02-18 19:49:55 -08:00 · 4bcd6661c9
commit 4bcd6661c9
parent aa59293596
4 changed files with 15 additions and 6 deletions
--- a/modules/nixos/postgres.nix
+++ b/modules/nixos/postgres.nix
@ -74,4 +74,7 @@ in {
      mkIf user.authentication.enable user.authentication.authentication
    ) cfg.ensureUsers);
  };
+  config.networking.firewall.interfaces.local = mkIf cfg.enable {
+    allowedTCPPorts = mkIf (any (user: user.authentication.local.allow) cfg.ensureUsers) [ cfg.port ];
+  };
 }
--- a/nixos/invidious.nix
+++ b/nixos/invidious.nix
@ -1,5 +1,6 @@
 { config, lib, ... }: let
  inherit (lib.modules) mkForce;
+  cfg = config.services.invidious;
 in {
  sops.secrets = let
    commonSecret = {
@ -10,7 +11,7 @@ in {
    invidious_hmac_key = commonSecret;
  };

-  networking.firewall.allowedTCPPorts = [ 3000 ];
+  networking.firewall.interfaces.local.allowedTCPPorts = [ cfg.port ];
  users.groups.invidious = {};
  users.users.invidious = {
    isSystemUser = true;
@ -28,7 +29,7 @@ in {
      external_port = 443;
      hsts = false;
      db = {
-        user = "kemal";
+        user = "invidious";
        dbname = "invidious";
      };
    };
--- a/nixos/postgres.nix
+++ b/nixos/postgres.nix
@ -8,13 +8,18 @@
 in {
  services.postgresql = {
    enable = mkDefault true;
-    ensureDatabases = ["hass" "dex"];
+    ensureDatabases = ["hass" "invidious" "dex"];
    ensureUsers = [
      {
        name = "hass";
        ensureDBOwnership = true;
        authentication.tailscale.allow = !config.services.home-assistant.enable;
      }
+      {
+        name = "invidious";
+        ensureDBOwnership = true;
+        authentication.local.allow = true;
+      }
      {
        name = "dex";
        ensureDBOwnership = true;
--- a/nixos/secrets/postgres.yaml
+++ b/nixos/secrets/postgres.yaml
@ -1,4 +1,4 @@
-postgresql-init: ENC[AES256_GCM,data:nBxJExClBwSTR5QLvnVs1H3l49pMz14LlfZzn1zleTd7Udez+qBv9rNtMnRcirSg0WPriFtSBQekOywok0DVy5EpCgRXMxGoj1vMUoyP3axWv/+6w4olc8iGHoiKxdN8tpM56FkYFUG8MI43mfiaRKEqmUHXUA3VJeJT25PJxcA7eR0dRFWmZ6t2UBQmhaoG6TlGlgfheC5iAk4aApfSOa287Zw5sKowfZpcFpouNnivN2h4JabB8G0o9xESxxGQ8rnPIkyLHTDEyzsNvw==,iv:vG7Jou8gxKDeVZz46fnGXKM27jxXUlXW375STT5zkaI=,tag:/SXHY71iPWM9da0lMBDAsA==,type:str]
+postgresql-init: ENC[AES256_GCM,data:fW9g0WKVHTO9blqlEXLJejyQUqC3na/Xh6Il2GNfuX6c2LfRjfFSeour4qt2envtPO+WanGl+ueE1AMck5t02TjqrN4a6DsQpAIGFVE7L4ajp/13Gp308pY4Xu7OKHjkGpzVBATKgLDZkoU8yAkqKZCBEU3d4xegp8pgnsLSpb/LndKiITjhTe2IJOSkIJd9twSsra8JQWRYCW8WjZZ9YOe5nqtU+56b/zb0CxVhhln0jU/3e5s7pfblfou2TnvnFezswjNTIGftNU1wOaxSCA==,iv:hjKNZ4EbPpl5YIcaWJYLKJzxuOmMjL4AtfUeL4vm5QA=,tag:mYcu4cRUnZeLgeISfaxXPQ==,type:str]
 sops:
    shamir_threshold: 1
    kms: []
@ -33,8 +33,8 @@ sops:
            a3l3bUx5NzdqUGd1TEpGY3UvQWt4TU0KB4MAjvI43FaOiGhWTkwPpeMMiAnX4v3L
            rLZDdc/vegF10FKTNJdxdq1E7ccMaV1KwjQkJoOJnWe6teKLjGOFkA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-02-18T19:48:39Z"
-    mac: ENC[AES256_GCM,data:Dw0kOxKVreKSPqX6QpUDqf199H/4ZtbpBHtzn6y4w7dcwwk2ghuM8eTku9+dc4re9/AlT0N0WyXC9W39hizLso0V8s9Q36rfzT6X9ZmUV5jLzILHJQvLdzDpgaV1J7UTHReOolSbMK4Y6tpkUoYoCBkfTvi+2OAd/9ElTj5NBTM=,iv:Jw6w0MoTwsq0F+W/uSehHrE+fUUhUfdiBqeLS2rV3/w=,tag:AQSY+cLhh/H5aFXvBvepTg==,type:str]
+    lastmodified: "2024-02-19T03:46:45Z"
+    mac: ENC[AES256_GCM,data:FMzWnFllHDpgIoDJIKS7aWpUSVNH0+ij0+AIzl3qtjeuzmUUluDtEes6yAR8g/Daq+nxiMRnsse0HfUqZeT0rVVEpqvQB4Wsoq+G9qj8mmEUrHJzjU5rSDWV8uf5F1BsZbvF13VBulh/RWsmWjps+z6vyJ7uM1QjS3hSF2k3hSM=,iv:tpH8XjoTtNzPOOIosObpsvOAzZO7ywK9xjow3xTOJqY=,tag:BTzezbH9zZDZBzy1x+AJ1w==,type:str]
    pgp:
        - created_at: "2024-01-19T19:08:55Z"
          enc: |-