feat: invidious, first attempt

nixos/access/invidious.nix

@@ -0,0 +1,55 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib.options) mkOption;
+  inherit (lib.modules) mkIf mkDefault mkOptionDefault;
+  cfg = config.services.invidious;
+  access = config.services.nginx.access.invidious;
+in {
+  options.services.nginx.access.invidious = with lib.types; {
+    url = mkOption {
+      type = str;
+    };
+    domain = mkOption {
+      type = str;
+      default = "invidious.${config.networking.domain}";
+    };
+    localDomain = mkOption {
+      type = str;
+      default = "invidious.local.${config.networking.domain}";
+    };
+  };
+  config.services.nginx = {
+    access.invidious = mkIf cfg.enable {
+      url = mkOptionDefault "http://localhost:${cfg.port}";
+    };
+    virtualHosts = let
+      extraConfig = ''
+        # Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
+        send_timeout 100m;
+        # Buffering off send to the client as soon as the data is received from invidious.
+        proxy_redirect off;
+        proxy_buffering off;
+      '';
+      location = {
+        proxy.websocket.enable = true;
+        proxyPass = access.url;
+      };
+    in {
+      ${access.domain} = {
+        vouch.enable = true;
+        locations."/" = location;
+        kTLS = mkDefault true;
+        inherit extraConfig;
+      };
+      ${access.localDomain} = {
+        local.enable = true;
+        locations."/" = location;
+        kTLS = mkDefault true;
+        inherit extraConfig;
+      };
+    };
+  };
+}

nixos/invidious.nix

@@ -0,0 +1,29 @@
+{ config, ... }: {
+  sops.secrets = {
+    invidious_db_password = {
+      sopsFile = ./secrets/invidious.yaml;
+      owner = "invidious";
+    };
+    invidious_hmac_key = {
+      sopsFile = ./secrets/invidious.yaml;
+      owner = "invidious";
+    };
+  };
+  services.invidious = {
+    enable = true;
+    hmacKeyFile = config.sops.secrets.invidious_hmac_key.path;
+    settings = {
+      domain = "yt.gensokyo.zone";
+      hsts = false;
+      db = {
+        user = "kemal";
+        dbname = "invidious";
+      };
+    };
+    database = {
+      host = "postgresql.local.gensokyo.zone";
+      passwordFile = config.sops.secrets.invidious_db_password.path;
+      createLocally = false;
+    };
+  };
+}

nixos/secrets/invidious.yaml

@@ -0,0 +1,94 @@
+invidious_db_password: ENC[AES256_GCM,data:Gbn+SylFlWnmYMECoafeAADas/73tSNZjyc/Bg249Hk=,iv:KL+hK93OY+OJJ/muYKY9yGy9tzZMw5CFC8SWLi7N/wY=,tag:ZhQu+kR9p69QV6GezHh+VQ==,type:str]
+invidious_hmac_key: ENC[AES256_GCM,data:DYcQGVrokhta0mLjRqnRoqU1sz4=,iv:BMP1epRdLM95leWHuivPhvsB8JrfxHnzwl7ERlo6rOo=,tag:qhsuH/jLNPapJrcgHmXVWw==,type:str]
+sops:
+    shamir_threshold: 1
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWb2JSdURiWHNQL05SSnMz
+            ODNSNWM3bzZ5RlZ6VmdmN0Q1WkIrMkFuY0dFCmJtcFEvdTNzdDRaeDd6SStZelJO
+            Q1Zja2FZdldDM29PVVoyQm5zbDF0SHcKLS0tIC9vbytTVkE0SG9BZDhNQUZOU0l3
+            VTRGMXF0a2x6TXhvaUcwK2RCUkVQMm8KdvL1hPLM8cdvj93/41Y991VispqJliLM
+            WFg7+RJb+XK/991WUvY2J0bDQL57n7Lgvy1oQ3/Z2TKLq7bkZtRiAA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFMmZ2QmlvUmZXditjRmln
+            b21RWmUyeDB3WGJKMWRZTUJIRjN0SFI0d0ZNClg2cmdOS1dORlI2Q2hkMlhEL1Ru
+            M0hncS9jUkYwcVY2ZVcxeStrMFp4ME0KLS0tIHM4MWNqS3lNdXZhRFFITlBPVVhq
+            VUpBRnpxajA1V3c5ZFl6ODBYby82czAKCaTyQd23v0tC7TS+2e/jt3Iv/dUBTHBn
+            y3aAFrwzMZ8hmnpMFBJ8wGlNuKpHXn6wgjmZYuwmWLA75wXJtCQJMQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age10t6kc5069cyky929vvxk8aznqyxpkx3k5h5rmlyz83xtjmr22ahqe8mzes
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1NlMvdTh0cHc5U21pOTVt
+            cUlPZldDOHhMZEQrbFY5TG9kYU03TERLdWdzCjZwMWpQbjU0Z1hCRG8zb2w5QW5a
+            dERNRVExRDFrVFIyYm82QVJpZjJiWkEKLS0tIHlLTGtyamtpNHRjZVRvRDZPRVpS
+            ZEVMM1RlYnlCVExoc08vbnBYeGVOVUEKVHxiDpN3PElfn1mrpKAx97RMSF0tYNeO
+            L3KQVVBV04Z7NQkbbXjxjwD0zMC13W0uVa603oXrB2yCa2CHhOQijA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3L3ZyNm0ra0JxdUdyNGZo
+            SFdjMTNkZTNpcFh3clRCdks5eDV4NC9OVW1BCkFvcmJYNGU1MlJEVDduY21VNGlo
+            dDR0NS85bGcxUnZGRE8rTldvanR6MjgKLS0tIEtxdnBId1BGQ3RzWkVFUkNscSsy
+            cEtwSlExSzZ0OGludlh1a2NxdTV6OWcKDGSsUvH98fXwTwjj1pe7lxx360isDuxF
+            o2CnthZYovGuUroNXGsfbDzStrI4qFKXCFvueYft4Bkiz/JjiS7O6g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLSzBNOXhyQWM0RFQxbld0
+            aCtaZ2dham5uOHJZK05hQ0FmRjgvbll3elM0CktnMDhuNVUvcWptRUJkRm42Y3Ev
+            RTQzMkZMb25MUGpKZWxDTnk1dTVVclkKLS0tIHoyb0t4YU1BYTI4RG1BdUJOTVRP
+            VFBGYURkMlZoYzB3b0tGOGViMzRiM1EKgic/koesbVYaFrResfFMFlS9Q5xcrg4t
+            ePxYvz6AuP/AAYdvRUgKAP/kmD4yhIiTMxRJ4F0GH8/toHO6kgESbQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-02-18T20:36:57Z"
+    mac: ENC[AES256_GCM,data:MZhK+8aBNymB569jhgnxj8pJTg/0yg/JxLHjsFmlZxqtg5qXY1fOfMy8R7lvAMhcaG458DATwUNduS4z7KpN3y5g1bXpw5qKsOmzzPYpTjcluLA4d+kci6frHZkBiTcSWjcQZ8UJ/iW4VdFWjcHhTBpgGQQ0yrY6d/UfRlBCro8=,iv:sK1UyP+pJJiV6tKU1x9ZKEPZMUMI84Z/rwnx6o1BNek=,tag:17HveiT+h3+V4ofiiOIiIA==,type:str]
+    pgp:
+        - created_at: "2024-02-18T19:52:52Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA82M54yws73UARAAgOm211nxupi+r4w6bklXHBohdxkFDGJrkg21x8xZYNFN
+            A6DYVxSuy2Fa9aj/20ZzItD+PVyoOtLN97bXwCAyZs15LV/py4ecZL9AkjPFb55v
+            G286r19Z7vUx51xWEJY+wROgugu0tqvgHWXidzpczgryifE5zcpMIIszqpFhlzqk
+            oCeGk7eHyc3+PnmXLUtfb+AVTHnr8uKhnUuAvHsRN/OyDwgbHfh2YXJCWtHLLJLY
+            0ECfXpAdFLm8af9pT1PsjANrrH7xb16PsMJGlXJ6xusEKf1Xq6UhOJD6qOC+MJPr
+            Q7ID+lFMnzVpLSXS7+7EXC/lfVib0Ro5NuWKrvOf9TjjTjMeDMsV2VZ0pcSekICr
+            kEI8Dd6kXrf5xWm7opKtrARmqRrzucAWiUlAT3zL34eds2OCKvd8Lq/Im2ZlYrsB
+            l2NTan/yd5gL3W9RIYfFPamNCwcrweSRLf8QOBPeZ9y8EYIq1W50QP62N6glOmGz
+            LgXHIr0zNV5dDgphOiGp64WozhKHNkIVck9E7jSPxifZnoAEeELhINdgooeK/qGr
+            C4rsFc19vkZt1LmciMDs2GfqGRGPpI4oCSCVdLL+EJ6P9+4Oq7qd5RqaKER2LL6i
+            D25dlOoSO3lY//A89DAWGHsaJvXDelHIXKcz30blCk98iYuLyuOz9lKzEr0eIJrS
+            XgEWSZip/bIhZib17eQjvGVn8ktcuDMzkwQfSuyDSbQM2lDjo12N0PfXmZh1EvaB
+            WUlyAhSLFe+MzTPIX2u/LQvWPky9Ooh492DDe46pjlOJtAttBfMlBKHdnYZFp6U=
+            =PoDa
+            -----END PGP MESSAGE-----
+          fp: CD8CE78CB0B3BDD4
+        - created_at: "2024-02-18T19:52:52Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMA2W9MER3HLb7AQgAxekA9Zyr891+3AhJfodxSTMly8f1KkFOloEgUR+8oBKp
+            KNHyFkzsdqT8v7Ge7kxV8hZW4mSM7hYEKkLWHKRxdH5htGSkerVBSmHquaX/JnSJ
+            URv5jkn/8zctcOMyRLXMasMYNWNwNWhEGMSrTFmzZUfXjocPHFUtAlaiDCa6iYGB
+            A6SjQIBf0/NfOuGbZjuqYD+WxjnfkJnDuFHfHEDqq0qOu3XK/04b/PxthtH+lFmz
+            HUOkakoopErrQrxovamnp7RVw9QezURYlFy9urkvq7o5CgZJ3cg7fCQcz/K7COoc
+            LxUG3zPdN0Ar9UcMHfzdeYYB14UR4HOFhZ30rrilHdJeARon3/Ik5T05JNnphCQM
+            iSO1GPevu7csOFFmIMOAKOMAdAhfYvWJm6Jo4cJqRwSw73nr3OlBEFnEhr1TYCnW
+            Qt234FPHSda5tYFnqkObTv/ror1zOLSTQGxfz+OaGQ==
+            =/jVk
+            -----END PGP MESSAGE-----
+          fp: 65BD3044771CB6FB
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

nixos/secrets/postgres.yaml

@@ -1,4 +1,4 @@
-postgresql-init: ENC[AES256_GCM,data:qIZZDcUb4eva7lZ4VCUu+Jl8K37KN37+HQ+6/WisZkDrxshUI5hhrYM0ypGFW0L/W9K9hRHaKGuBqYSeLoXwObT+K4J5VshO+H6PNDjuWkmho5Q/dVENs6AOLcLtxWC3Uz/kcH368yR13F64dCGAzlbSLxcP2bxgfdMbOhQvar9OD602i7TW,iv:BJvjQUcohdBLYxuz+rUsulMbGBwH6axuxOIDhVZET3Y=,tag:yDUwUS6DmiQV7FHtWmRVIg==,type:str]
+postgresql-init: ENC[AES256_GCM,data:nBxJExClBwSTR5QLvnVs1H3l49pMz14LlfZzn1zleTd7Udez+qBv9rNtMnRcirSg0WPriFtSBQekOywok0DVy5EpCgRXMxGoj1vMUoyP3axWv/+6w4olc8iGHoiKxdN8tpM56FkYFUG8MI43mfiaRKEqmUHXUA3VJeJT25PJxcA7eR0dRFWmZ6t2UBQmhaoG6TlGlgfheC5iAk4aApfSOa287Zw5sKowfZpcFpouNnivN2h4JabB8G0o9xESxxGQ8rnPIkyLHTDEyzsNvw==,iv:vG7Jou8gxKDeVZz46fnGXKM27jxXUlXW375STT5zkaI=,tag:/SXHY71iPWM9da0lMBDAsA==,type:str]
 sops:
     shamir_threshold: 1
     kms: []
@@ -33,8 +33,8 @@ sops:
             a3l3bUx5NzdqUGd1TEpGY3UvQWt4TU0KB4MAjvI43FaOiGhWTkwPpeMMiAnX4v3L
             rLZDdc/vegF10FKTNJdxdq1E7ccMaV1KwjQkJoOJnWe6teKLjGOFkA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-21T18:25:21Z"
+    lastmodified: "2024-02-18T19:48:39Z"
-    mac: ENC[AES256_GCM,data:b9eqSdZYccvK5WPQmP6/5X5raNFkqSu4sCOJZhL8OOSIfrvdbbJ9xJ7hZ2rsGp8XNxMPcofvLFb/JVwWIZOw1TOIiiyCwK+XfaRA7lcyTi3Kd9P8OADejo222ek/QgaAUzE7D8+q9PTSbLLgrfbvFCuwXJoEEslbjIh6UToziPY=,iv:0yK0y/QhYz8jAJqtMMkNmTPY0rTeonOhneyfdFJRoVw=,tag:e85Y3S7YgfB8EAb1TZSPYg==,type:str]
+    mac: ENC[AES256_GCM,data:Dw0kOxKVreKSPqX6QpUDqf199H/4ZtbpBHtzn6y4w7dcwwk2ghuM8eTku9+dc4re9/AlT0N0WyXC9W39hizLso0V8s9Q36rfzT6X9ZmUV5jLzILHJQvLdzDpgaV1J7UTHReOolSbMK4Y6tpkUoYoCBkfTvi+2OAd/9ElTj5NBTM=,iv:Jw6w0MoTwsq0F+W/uSehHrE+fUUhUfdiBqeLS2rV3/w=,tag:AQSY+cLhh/H5aFXvBvepTg==,type:str]
     pgp:
         - created_at: "2024-01-19T19:08:55Z"
           enc: |-

systems/hakurei/nixos.nix

@@ -33,6 +33,7 @@ in {
     nixos.access.kitchencam
     nixos.access.proxmox
     nixos.access.plex
+    nixos.access.invidious
     nixos.samba
     ./reisen-ssh.nix
   ];
@@ -112,6 +113,12 @@ in {
         ])
       ];
     };
+    ${access.invidious.domain} = {
+      inherit (nginx) group;
+      extraDomainNames = mkMerge [
+        access.invidious.localDomain
+      ];
+    };
   };
 
   services.nginx = let
@@ -132,6 +139,9 @@ in {
       streamPort = 41081;
       useACMEHost = access.kitchencam.domain;
     };
+    access.invidious = {
+      url = "http://${mediabox.networking.access.hostnameForNetwork.local}:${mediabox.services.invidious.port}";
+    };
     virtualHosts = {
       ${access.kanidm.domain} = {
         useACMEHost = access.kanidm.domain;
@@ -154,6 +164,13 @@ in {
           proxyOrigin = "http://${tei.networking.access.hostnameForNetwork.tail}:${toString vouch-proxy.settings.vouch.port}";
         };
       };
+      ${access.invidious.domain} = {
+        vouch = {
+          authUrl = vouch-proxy.authUrl;
+          url = vouch-proxy.url;
+          proxyOrigin = "http://${tei.networking.access.hostnameForNetwork.tail}:${toString vouch-proxy.settings.vouch.port}";
+        };
+      };
     };
   };