From 4d96e07d0ea9a257f8c620c9fe0518ff0d26d53d Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Mon, 19 Feb 2024 11:31:40 -0800
Subject: [PATCH] fix(invidious): domain cookies

---
 nixos/access/invidious.nix | 25 ++++++++++++++++++++++---
 nixos/invidious.nix | 4 ++--
 nixos/secrets/home-assistant.yaml | 6 +++---
 3 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/nixos/access/invidious.nix b/nixos/access/invidious.nix
index 41ed95ff..73e0e5aa 100644
--- a/nixos/access/invidious.nix
+++ b/nixos/access/invidious.nix
@@ -4,7 +4,9 @@
 ...
 }: let
 inherit (lib.options) mkOption;
- inherit (lib.modules) mkIf mkDefault mkOptionDefault;
+ inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
+ inherit (lib.lists) optional;
+ inherit (lib.strings) replaceStrings concatStringsSep;
 inherit (config.services.nginx) virtualHosts;
 inherit (config.services) tailscale;
 cfg = config.services.invidious;
@@ -32,6 +34,12 @@ in {
 url = mkOptionDefault "http://localhost:${toString cfg.port}";
 };
 virtualHosts = let
+ invidiousDomains = [
+ access.domain
+ access.localDomain
+ ] ++ optional tailscale.enable access.tailDomain;
+ contentSecurityPolicy' = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; manifest-src 'self'; media-src 'self' blob: https://*.googlevideo.com:443 https://*.youtube.com:443; child-src 'self' blob:; frame-src 'self'; frame-ancestors 'none'";
+ contentSecurityPolicy = replaceStrings [ "'self'" ] [ "'self' ${concatStringsSep " " invidiousDomains}" ] contentSecurityPolicy';
 extraConfig = ''
 # Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
 send_timeout 100m;
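Review bot: The derived `contentSecurityPolicy` in the `@@ -32,6 +34,12` hunk carries no explanation of where the base policy comes from or why every `'self'` is widened to all of `invidiousDomains`, so a reader cannot tell whether it is meant to track the header Invidious sends itself or to stay independent. Because `replaceStrings` rewrites every `'self'` occurrence, the widening also lands in `script-src` and `connect-src`, meaning each listed host may serve scripts and receive requests for the others — fine for aliases of one deployment, but worth stating. I would add above `contentSecurityPolicy'`: `# Base policy; looks like a copy of the header Invidious emits itself (which the vhost hides and replaces), so keep it in sync with upstream. Every 'self' is widened to all vhost names, presumably so the local/tailnet aliases can reach each other — confirm.` Note that `access.tailDomain` is only appended when `tailscale.enable` is set, which matches the `serverAliases` on the localDomain vhost; the enclosing `let` continues outside the hunk.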
@@ -42,9 +50,13 @@ in {
 location = {
 proxy.websocket.enable = true;
 proxyPass = access.url;
+ extraConfig = ''
+ proxy_hide_header content-security-policy;
+ add_header content-security-policy "${contentSecurityPolicy}";
+ '';
 };
 in {
- ${access.domain} = {
+ ${access.domain} = { config, ... }: {
 vouch.enable = true;
 locations."/" = location;
 kTLS = mkDefault true;
@@ -53,7 +65,14 @@ in {
 ${access.localDomain} = { config, ... }: {
 serverAliases = mkIf tailscale.enable [ access.tailDomain ];
 local.enable = true;
- locations."/" = location;
+ locations."/" = mkMerge [
+ location
+ {
+ extraConfig = ''
+ proxy_cookie_domain ${access.domain} $host;
+ '';
+ }
+ ];
 useACMEHost = mkDefault virtualHosts.${access.domain}.useACMEHost;
 addSSL = mkIf (config.useACMEHost != null) (mkDefault true);
 kTLS = mkDefault true;
diff --git a/nixos/invidious.nix b/nixos/invidious.nix
index 6d5d3975..4b6b73ed 100644
--- a/nixos/invidious.nix
+++ b/nixos/invidious.nix
@@ -25,7 +25,7 @@ in {
 enable = true;
 hmacKeyFile = config.sops.secrets.invidious_hmac_key.path;
 settings = {
- domain = "yt.gensokyo.zone";
+ domain = "yt.${config.networking.domain}";
 external_port = 443;
 hsts = false;
 db = {
@@ -34,7 +34,7 @@ in {
 };
 };
 database = {
- host = "postgresql.local.gensokyo.zone";
+ host = "postgresql.local.${config.networking.domain}";
 passwordFile = config.sops.secrets.invidious_db_password.path;
 createLocally = false;
 };
diff --git a/nixos/secrets/home-assistant.yaml b/nixos/secrets/home-assistant.yaml
index 01de7294..549a83f4 100644
--- a/nixos/secrets/home-assistant.yaml
+++ b/nixos/secrets/home-assistant.yaml
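Review bot: The `add_header content-security-policy` line added in the `@@ -42,9 +50,13` hunk lacks `always`, so nginx emits it only on 2xx/3xx responses, while the `proxy_hide_header` just above strips the upstream header on every response; error pages relayed from Invidious would therefore go out with no CSP at all. Change it to `add_header content-security-policy "${contentSecurityPolicy}" always;`. Note also that an `add_header` inside a location replaces every `add_header` inherited from the server level rather than adding to it, so any headers the server block sets must be repeated in this location or they silently disappear — a one-line comment next to the directive would flag that trap. The `{ config, ... }:` argument added to the `${access.domain}` vhost is not used in the visible lines; if the rest of that body, which runs past the hunk, does not use it either, it can be dropped.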
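Review bot: `proxy_cookie_domain ${access.domain} $host;` in the `@@ -53,7 +65,14` hunk is undocumented, and the merged `extraConfig` gives no hint of the upstream behaviour it compensates for; the commit title and the rewrite source suggest Invidious scopes its cookies to its configured public `domain`, which browsers then refuse to send back to the local or tailnet alias. I would add inside the string: `# Invidious scopes cookies to its public domain; rescope them to whichever alias the client actually used (localDomain or tailDomain)`. Because `$host` comes from the request, the rewrite relies on `server_name` and the `serverAliases` context line confining this vhost to those two names; if this vhost ever becomes the default server that assumption no longer holds, which is worth stating in the same comment.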
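Review bot: `domain = "yt.${config.networking.domain}"` in the `@@ -25,7 +25,7` hunk of nixos/invidious.nix, and likewise `host = "postgresql.local.${config.networking.domain}"` in `@@ -34,7 +34,7`, interpolate `networking.domain`, which NixOS defaults to `null`; on a host where it is unset, evaluation now fails with a null-to-string coercion error where the old literal simply worked. If depending on it is intended, an assertion with a readable message is kinder, e.g. `assertions = [ { assertion = config.networking.domain != null; message = "services.invidious settings.domain requires networking.domain"; } ];`. The `yt.` name is presumably the same value `access.domain` resolves to in nixos/access/invidious.nix, where the new CSP and `proxy_cookie_domain` rewrite both key off it; if so, deriving `settings.domain` from that one definition would keep the cookie scope and the vhost name from drifting apart.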
@@ -1,4 +1,4 @@
-ha-secrets: ENC[AES256_GCM,data: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,iv:J9Tr8LSAmSw9k+PRMZyKETLl4hsUxOOwgKP5ksfvmHg=,tag:ImO+Rxqj3kAoD+NUE/iYMQ==,type:str]
+ha-secrets: ENC[AES256_GCM,data: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,iv:LRZ0WDCcGuYROOIH89gvIejPVAmJ/e/obs+SdXCrnE4=,tag:oYP1ZUVGDaUHtMys25A0Nw==,type:str]
 ha-integration: ENC[AES256_GCM,data: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,iv:3TMjBTRdPOr/dRJv8Xj1F/hQbHjEvzQ+Ye7gNsk9TkM=,tag:PnVZ9jaE8HU9g8xxtOP9Wg==,type:str]
 sops:
 shamir_threshold: 1
@@ -34,8 +34,8 @@ sops:
 SDdYSzBGZUY3azVKUExldVFZY1FJMFkKXbPHYjiMOlG3x4Zgi2IfWPCmf+zajdPD
 nrdh39ln8is/2U6U2EjNL5/7pJVYMyO2zMPYlta6rGdBflT5yu/Ubg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-01-16T19:18:20Z"
- mac: ENC[AES256_GCM,data:ax4tNBIzzP8PV0JYBdEYP31w0+SmLZiM6mTwImOR6zAzfE9sX6q77CWGR+0QAO2pfC4R/nppjHgTbESdUH1X0HKdjJw2uiF0bUFom2ELaMGylqxV0llAQ1iqKHkLF8hHciRz8IS/zf247+8iZmOlZqWazUwlozAJW7A27d7R66U=,iv:sm0x1u0xz9B9Kk94GCn6sniqJ4rnTnSSDRdsYeAUqL4=,tag:KrTOdc86LAB+x+PfV/9krg==,type:str]
+ lastmodified: "2024-02-18T19:47:20Z"
+ mac: ENC[AES256_GCM,data:wHZAnRkcnhZS4484OuYisN0F1+iIiwE5oFhzlbVz3Tic3xiBVXVTtvYwf3YCJHhcoNC4+dd+TSAOfQZIt6HJhTPSKxq0J17LaIOi8JDiiVHr403FdD1/Iw1SOAchFAe65Y7Y/26niT+nvi/9hSV0UDIe1mFfY8NYYKcPDqvoiFU=,iv:sbi19BkKErpqy/8itZh9Ln5vT+ycEJH9BS5p5jyB/FM=,tag:wRsilL5OIj3/cPJrJaPktg==,type:str]
 pgp:
 - created_at: "2024-01-19T19:08:54Z"
 enc: |-