diff --git a/nixos/access/invidious.nix b/nixos/access/invidious.nix
new file mode 100644
index 00000000..f4b8a88d
--- /dev/null
+++ b/nixos/access/invidious.nix
@@ -0,0 +1,55 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib.options) mkOption;
+ inherit (lib.modules) mkIf mkDefault mkOptionDefault;
+ cfg = config.services.invidious;
+ access = config.services.nginx.access.invidious;
+in {
+ options.services.nginx.access.invidious = with lib.types; {
+ url = mkOption {
+ type = str;
+ };
+ domain = mkOption {
+ type = str;
+ default = "invidious.${config.networking.domain}";
+ };
+ localDomain = mkOption {
+ type = str;
+ default = "invidious.local.${config.networking.domain}";
+ };
+ };
+ config.services.nginx = {
+ access.invidious = mkIf cfg.enable {
+ url = mkOptionDefault "http://localhost:${cfg.port}";
+ };
+ virtualHosts = let
+ extraConfig = ''
+ # Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
+ send_timeout 100m;
+ # Buffering off send to the client as soon as the data is received from invidious.
+ proxy_redirect off;
+ proxy_buffering off;
+ '';
+ location = {
+ proxy.websocket.enable = true;
+ proxyPass = access.url;
+ };
+ in {
+ ${access.domain} = {
+ vouch.enable = true;
+ locations."/" = location;
+ kTLS = mkDefault true;
+ inherit extraConfig;
+ };
+ ${access.localDomain} = {
+ local.enable = true;
+ locations."/" = location;
+ kTLS = mkDefault true;
+ inherit extraConfig;
+ };
+ };
+ };
+}
diff --git a/nixos/invidious.nix b/nixos/invidious.nix
new file mode 100644
index 00000000..fb310681
--- /dev/null
+++ b/nixos/invidious.nix
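Review bot: `url = mkOptionDefault "http://localhost:${cfg.port}";` interpolates `services.invidious.port`, which nixpkgs declares as an integer port, and Nix does not coerce integers inside string interpolation, so evaluation fails on any host that enables invidious with this module imported; it should read `url = mkOptionDefault "http://localhost:${toString cfg.port}";`. The same defect appears in the systems/hakurei/nixos.nix hunk @@ -132,6 +139,9 @@ (`...:${mediabox.services.invidious.port}"`), which presumably carries the same integer type; the vouch block in that file already writes `${toString vouch-proxy.settings.vouch.port}`, so the fix also makes the two consistent. The `url` option has no default yet `proxyPass = access.url` is evaluated unconditionally for both virtual hosts, so a host that imports this module without enabling invidious must set it explicitly; worth stating on the option, e.g. `description = "Upstream Invidious URL; must be set when the service is not enabled on this host.";`.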
@@ -0,0 +1,29 @@
+{ config, ... }: {
+ sops.secrets = {
+ invidious_db_password = {
+ sopsFile = ./secrets/invidious.yaml;
+ owner = "invidious";
+ };
+ invidious_hmac_key = {
+ sopsFile = ./secrets/invidious.yaml;
+ owner = "invidious";
+ };
+ };
+ services.invidious = {
+ enable = true;
+ hmacKeyFile = config.sops.secrets.invidious_hmac_key.path;
+ settings = {
+ domain = "yt.gensokyo.zone";
+ hsts = false;
+ db = {
+ user = "kemal";
+ dbname = "invidious";
+ };
+ };
+ database = {
+ host = "postgresql.local.gensokyo.zone";
+ passwordFile = config.sops.secrets.invidious_db_password.path;
+ createLocally = false;
+ };
+ };
+}
diff --git a/nixos/secrets/invidious.yaml b/nixos/secrets/invidious.yaml
new file mode 100644
index 00000000..2be75cf1
--- /dev/null
+++ b/nixos/secrets/invidious.yaml
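Review bot: `domain = "yt.gensokyo.zone";` under `services.invidious.settings` does not match the public host the new nixos/access/invidious.nix module defaults to (`invidious.${config.networking.domain}`), and Invidious uses `domain` when it builds absolute URLs, so the links and redirects it generates would point at a name nginx does not serve unless yt.gensokyo.zone is routed to it somewhere outside this diff. Either set it to the hostname the reverse proxy actually serves or add a comment explaining why the two differ. `hsts = false;` looks deliberate because TLS terminates at nginx, but a one-line comment such as `# TLS and HSTS are handled by the nginx front-end` would keep a later reader from flipping it back and double-setting the header.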
@@ -0,0 +1,94 @@ +invidious_db_password: ENC[AES256_GCM,data:Gbn+SylFlWnmYMECoafeAADas/73tSNZjyc/Bg249Hk=,iv:KL+hK93OY+OJJ/muYKY9yGy9tzZMw5CFC8SWLi7N/wY=,tag:ZhQu+kR9p69QV6GezHh+VQ==,type:str] +invidious_hmac_key: ENC[AES256_GCM,data:DYcQGVrokhta0mLjRqnRoqU1sz4=,iv:BMP1epRdLM95leWHuivPhvsB8JrfxHnzwl7ERlo6rOo=,tag:qhsuH/jLNPapJrcgHmXVWw==,type:str] +sops: + shamir_threshold: 1 + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWb2JSdURiWHNQL05SSnMz + ODNSNWM3bzZ5RlZ6VmdmN0Q1WkIrMkFuY0dFCmJtcFEvdTNzdDRaeDd6SStZelJO + Q1Zja2FZdldDM29PVVoyQm5zbDF0SHcKLS0tIC9vbytTVkE0SG9BZDhNQUZOU0l3 + VTRGMXF0a2x6TXhvaUcwK2RCUkVQMm8KdvL1hPLM8cdvj93/41Y991VispqJliLM + WFg7+RJb+XK/991WUvY2J0bDQL57n7Lgvy1oQ3/Z2TKLq7bkZtRiAA== + -----END AGE ENCRYPTED FILE----- + - recipient: age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFMmZ2QmlvUmZXditjRmln + b21RWmUyeDB3WGJKMWRZTUJIRjN0SFI0d0ZNClg2cmdOS1dORlI2Q2hkMlhEL1Ru + M0hncS9jUkYwcVY2ZVcxeStrMFp4ME0KLS0tIHM4MWNqS3lNdXZhRFFITlBPVVhq + VUpBRnpxajA1V3c5ZFl6ODBYby82czAKCaTyQd23v0tC7TS+2e/jt3Iv/dUBTHBn + y3aAFrwzMZ8hmnpMFBJ8wGlNuKpHXn6wgjmZYuwmWLA75wXJtCQJMQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age10t6kc5069cyky929vvxk8aznqyxpkx3k5h5rmlyz83xtjmr22ahqe8mzes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1NlMvdTh0cHc5U21pOTVt + cUlPZldDOHhMZEQrbFY5TG9kYU03TERLdWdzCjZwMWpQbjU0Z1hCRG8zb2w5QW5a + dERNRVExRDFrVFIyYm82QVJpZjJiWkEKLS0tIHlLTGtyamtpNHRjZVRvRDZPRVpS + ZEVMM1RlYnlCVExoc08vbnBYeGVOVUEKVHxiDpN3PElfn1mrpKAx97RMSF0tYNeO + L3KQVVBV04Z7NQkbbXjxjwD0zMC13W0uVa603oXrB2yCa2CHhOQijA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr + enc: | + -----BEGIN 
AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3L3ZyNm0ra0JxdUdyNGZo + SFdjMTNkZTNpcFh3clRCdks5eDV4NC9OVW1BCkFvcmJYNGU1MlJEVDduY21VNGlo + dDR0NS85bGcxUnZGRE8rTldvanR6MjgKLS0tIEtxdnBId1BGQ3RzWkVFUkNscSsy + cEtwSlExSzZ0OGludlh1a2NxdTV6OWcKDGSsUvH98fXwTwjj1pe7lxx360isDuxF + o2CnthZYovGuUroNXGsfbDzStrI4qFKXCFvueYft4Bkiz/JjiS7O6g== + -----END AGE ENCRYPTED FILE----- + - recipient: age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLSzBNOXhyQWM0RFQxbld0 + aCtaZ2dham5uOHJZK05hQ0FmRjgvbll3elM0CktnMDhuNVUvcWptRUJkRm42Y3Ev + RTQzMkZMb25MUGpKZWxDTnk1dTVVclkKLS0tIHoyb0t4YU1BYTI4RG1BdUJOTVRP + VFBGYURkMlZoYzB3b0tGOGViMzRiM1EKgic/koesbVYaFrResfFMFlS9Q5xcrg4t + ePxYvz6AuP/AAYdvRUgKAP/kmD4yhIiTMxRJ4F0GH8/toHO6kgESbQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-02-18T20:36:57Z" + mac: ENC[AES256_GCM,data:MZhK+8aBNymB569jhgnxj8pJTg/0yg/JxLHjsFmlZxqtg5qXY1fOfMy8R7lvAMhcaG458DATwUNduS4z7KpN3y5g1bXpw5qKsOmzzPYpTjcluLA4d+kci6frHZkBiTcSWjcQZ8UJ/iW4VdFWjcHhTBpgGQQ0yrY6d/UfRlBCro8=,iv:sK1UyP+pJJiV6tKU1x9ZKEPZMUMI84Z/rwnx6o1BNek=,tag:17HveiT+h3+V4ofiiOIiIA==,type:str] + pgp: + - created_at: "2024-02-18T19:52:52Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA82M54yws73UARAAgOm211nxupi+r4w6bklXHBohdxkFDGJrkg21x8xZYNFN + A6DYVxSuy2Fa9aj/20ZzItD+PVyoOtLN97bXwCAyZs15LV/py4ecZL9AkjPFb55v + G286r19Z7vUx51xWEJY+wROgugu0tqvgHWXidzpczgryifE5zcpMIIszqpFhlzqk + oCeGk7eHyc3+PnmXLUtfb+AVTHnr8uKhnUuAvHsRN/OyDwgbHfh2YXJCWtHLLJLY + 0ECfXpAdFLm8af9pT1PsjANrrH7xb16PsMJGlXJ6xusEKf1Xq6UhOJD6qOC+MJPr + Q7ID+lFMnzVpLSXS7+7EXC/lfVib0Ro5NuWKrvOf9TjjTjMeDMsV2VZ0pcSekICr + kEI8Dd6kXrf5xWm7opKtrARmqRrzucAWiUlAT3zL34eds2OCKvd8Lq/Im2ZlYrsB + l2NTan/yd5gL3W9RIYfFPamNCwcrweSRLf8QOBPeZ9y8EYIq1W50QP62N6glOmGz + LgXHIr0zNV5dDgphOiGp64WozhKHNkIVck9E7jSPxifZnoAEeELhINdgooeK/qGr + C4rsFc19vkZt1LmciMDs2GfqGRGPpI4oCSCVdLL+EJ6P9+4Oq7qd5RqaKER2LL6i + 
D25dlOoSO3lY//A89DAWGHsaJvXDelHIXKcz30blCk98iYuLyuOz9lKzEr0eIJrS + XgEWSZip/bIhZib17eQjvGVn8ktcuDMzkwQfSuyDSbQM2lDjo12N0PfXmZh1EvaB + WUlyAhSLFe+MzTPIX2u/LQvWPky9Ooh492DDe46pjlOJtAttBfMlBKHdnYZFp6U= + =PoDa + -----END PGP MESSAGE----- + fp: CD8CE78CB0B3BDD4 + - created_at: "2024-02-18T19:52:52Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMA2W9MER3HLb7AQgAxekA9Zyr891+3AhJfodxSTMly8f1KkFOloEgUR+8oBKp + KNHyFkzsdqT8v7Ge7kxV8hZW4mSM7hYEKkLWHKRxdH5htGSkerVBSmHquaX/JnSJ + URv5jkn/8zctcOMyRLXMasMYNWNwNWhEGMSrTFmzZUfXjocPHFUtAlaiDCa6iYGB + A6SjQIBf0/NfOuGbZjuqYD+WxjnfkJnDuFHfHEDqq0qOu3XK/04b/PxthtH+lFmz + HUOkakoopErrQrxovamnp7RVw9QezURYlFy9urkvq7o5CgZJ3cg7fCQcz/K7COoc + LxUG3zPdN0Ar9UcMHfzdeYYB14UR4HOFhZ30rrilHdJeARon3/Ik5T05JNnphCQM + iSO1GPevu7csOFFmIMOAKOMAdAhfYvWJm6Jo4cJqRwSw73nr3OlBEFnEhr1TYCnW + Qt234FPHSda5tYFnqkObTv/ror1zOLSTQGxfz+OaGQ== + =/jVk + -----END PGP MESSAGE----- + fp: 65BD3044771CB6FB + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/nixos/secrets/postgres.yaml b/nixos/secrets/postgres.yaml index 7cdf3f3e..3aa4c147 100644 --- a/nixos/secrets/postgres.yaml +++ b/nixos/secrets/postgres.yaml @@ -1,4 +1,4 @@ -postgresql-init: ENC[AES256_GCM,data:qIZZDcUb4eva7lZ4VCUu+Jl8K37KN37+HQ+6/WisZkDrxshUI5hhrYM0ypGFW0L/W9K9hRHaKGuBqYSeLoXwObT+K4J5VshO+H6PNDjuWkmho5Q/dVENs6AOLcLtxWC3Uz/kcH368yR13F64dCGAzlbSLxcP2bxgfdMbOhQvar9OD602i7TW,iv:BJvjQUcohdBLYxuz+rUsulMbGBwH6axuxOIDhVZET3Y=,tag:yDUwUS6DmiQV7FHtWmRVIg==,type:str] +postgresql-init: ENC[AES256_GCM,data:nBxJExClBwSTR5QLvnVs1H3l49pMz14LlfZzn1zleTd7Udez+qBv9rNtMnRcirSg0WPriFtSBQekOywok0DVy5EpCgRXMxGoj1vMUoyP3axWv/+6w4olc8iGHoiKxdN8tpM56FkYFUG8MI43mfiaRKEqmUHXUA3VJeJT25PJxcA7eR0dRFWmZ6t2UBQmhaoG6TlGlgfheC5iAk4aApfSOa287Zw5sKowfZpcFpouNnivN2h4JabB8G0o9xESxxGQ8rnPIkyLHTDEyzsNvw==,iv:vG7Jou8gxKDeVZz46fnGXKM27jxXUlXW375STT5zkaI=,tag:/SXHY71iPWM9da0lMBDAsA==,type:str] sops: shamir_threshold: 1 kms: [] 
@@ -33,8 +33,8 @@ sops:
 a3l3bUx5NzdqUGd1TEpGY3UvQWt4TU0KB4MAjvI43FaOiGhWTkwPpeMMiAnX4v3L
 rLZDdc/vegF10FKTNJdxdq1E7ccMaV1KwjQkJoOJnWe6teKLjGOFkA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-01-21T18:25:21Z"
- mac: ENC[AES256_GCM,data:b9eqSdZYccvK5WPQmP6/5X5raNFkqSu4sCOJZhL8OOSIfrvdbbJ9xJ7hZ2rsGp8XNxMPcofvLFb/JVwWIZOw1TOIiiyCwK+XfaRA7lcyTi3Kd9P8OADejo222ek/QgaAUzE7D8+q9PTSbLLgrfbvFCuwXJoEEslbjIh6UToziPY=,iv:0yK0y/QhYz8jAJqtMMkNmTPY0rTeonOhneyfdFJRoVw=,tag:e85Y3S7YgfB8EAb1TZSPYg==,type:str]
+ lastmodified: "2024-02-18T19:48:39Z"
+ mac: ENC[AES256_GCM,data:Dw0kOxKVreKSPqX6QpUDqf199H/4ZtbpBHtzn6y4w7dcwwk2ghuM8eTku9+dc4re9/AlT0N0WyXC9W39hizLso0V8s9Q36rfzT6X9ZmUV5jLzILHJQvLdzDpgaV1J7UTHReOolSbMK4Y6tpkUoYoCBkfTvi+2OAd/9ElTj5NBTM=,iv:Jw6w0MoTwsq0F+W/uSehHrE+fUUhUfdiBqeLS2rV3/w=,tag:AQSY+cLhh/H5aFXvBvepTg==,type:str]
 pgp:
 - created_at: "2024-01-19T19:08:55Z"
 enc: |-
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
index d8aff520..eb26e733 100644
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
@@ -33,6 +33,7 @@ in {
 nixos.access.kitchencam
 nixos.access.proxmox
 nixos.access.plex
+ nixos.access.invidious
 nixos.samba
 ./reisen-ssh.nix
 ];
@@ -112,6 +113,12 @@ in {
 ])
 ];
 };
+ ${access.invidious.domain} = {
+ inherit (nginx) group;
+ extraDomainNames = mkMerge [
+ access.invidious.localDomain
+ ];
+ };
 };
 services.nginx = let
@@ -132,6 +139,9 @@ in {
 streamPort = 41081;
 useACMEHost = access.kitchencam.domain;
 };
+ access.invidious = {
+ url = "http://${mediabox.networking.access.hostnameForNetwork.local}:${mediabox.services.invidious.port}";
+ };
 virtualHosts = {
 ${access.kanidm.domain} = {
 useACMEHost = access.kanidm.domain;
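Review bot: `extraDomainNames = mkMerge [ access.invidious.localDomain ];` in hunk @@ -112,6 +113,12 @@ passes a bare string as a merge element; if this set is `security.acme.certs` (the `inherit (nginx) group;` beside it suggests so, though the enclosing attribute starts outside the hunk), `extraDomainNames` is a list of strings and every definition given to `mkMerge` must itself be a list, which is what the `]) ];` context just above this hunk appears to do for the neighbouring certificate. Use `extraDomainNames = [ access.invidious.localDomain ];`, or `extraDomainNames = mkMerge [ [ access.invidious.localDomain ] ];` if further definitions are meant to merge into it. This also places the `invidious.local.<domain>` name on a publicly issued certificate, where it is visible in certificate-transparency logs; that seems to be the existing pattern for the other hosts here, but a one-line comment confirming it is intentional would help.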
@@ -154,6 +164,13 @@ in {
 proxyOrigin = "http://${tei.networking.access.hostnameForNetwork.tail}:${toString vouch-proxy.settings.vouch.port}";
 };
 };
+ ${access.invidious.domain} = {
+ vouch = {
+ authUrl = vouch-proxy.authUrl;
+ url = vouch-proxy.url;
+ proxyOrigin = "http://${tei.networking.access.hostnameForNetwork.tail}:${toString vouch-proxy.settings.vouch.port}";
+ };
+ };
 };
 };