gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 04:19:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: invidious, first attempt

Browse source
This commit is contained in:
Kat Inskip 2024-02-18 12:39:03 -08:00
parent 585c758254
commit 51c54d1ddf
Signed by: kat
GPG key ID: 465E64DECEA8CF0F
5 changed files with 198 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

55
nixos/access/invidious.nix Normal file
View file

@ -0,0 +1,55 @@
{
config,
lib,
...
}: let
inherit (lib.options) mkOption;
inherit (lib.modules) mkIf mkDefault mkOptionDefault;
cfg = config.services.invidious;
access = config.services.nginx.access.invidious;
in {
options.services.nginx.access.invidious = with lib.types; {
url = mkOption {
type = str;
};
domain = mkOption {
type = str;
default = "invidious.${config.networking.domain}";
};
localDomain = mkOption {
type = str;
default = "invidious.local.${config.networking.domain}";
};
};
config.services.nginx = {
access.invidious = mkIf cfg.enable {
url = mkOptionDefault "http://localhost:${cfg.port}";
};
virtualHosts = let
extraConfig = ''
# Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
send_timeout 100m;
# Buffering off send to the client as soon as the data is received from invidious.
proxy_redirect off;
proxy_buffering off;
'';
location = {
proxy.websocket.enable = true;
proxyPass = access.url;
};
in {
${access.domain} = {
vouch.enable = true;
locations."/" = location;
kTLS = mkDefault true;
inherit extraConfig;
};
${access.localDomain} = {
local.enable = true;
locations."/" = location;
kTLS = mkDefault true;
inherit extraConfig;
};
};
};
}

29
nixos/invidious.nix Normal file
View file

@ -0,0 +1,29 @@
{ config, ... }: {
sops.secrets = {
invidious_db_password = {
sopsFile = ./secrets/invidious.yaml;
owner = "invidious";
};
invidious_hmac_key = {
sopsFile = ./secrets/invidious.yaml;
owner = "invidious";
};
};
services.invidious = {
enable = true;
hmacKeyFile = config.sops.secrets.invidious_hmac_key.path;
settings = {
domain = "yt.gensokyo.zone";
hsts = false;
db = {
user = "kemal";
dbname = "invidious";
};
};
database = {
host = "postgresql.local.gensokyo.zone";
passwordFile = config.sops.secrets.invidious_db_password.path;
createLocally = false;
};
};
}

94
nixos/secrets/invidious.yaml Normal file
View file

@ -0,0 +1,94 @@
invidious_db_password: ENC[AES256_GCM,data:Gbn+SylFlWnmYMECoafeAADas/73tSNZjyc/Bg249Hk=,iv:KL+hK93OY+OJJ/muYKY9yGy9tzZMw5CFC8SWLi7N/wY=,tag:ZhQu+kR9p69QV6GezHh+VQ==,type:str]
invidious_hmac_key: ENC[AES256_GCM,data:DYcQGVrokhta0mLjRqnRoqU1sz4=,iv:BMP1epRdLM95leWHuivPhvsB8JrfxHnzwl7ERlo6rOo=,tag:qhsuH/jLNPapJrcgHmXVWw==,type:str]
sops:
shamir_threshold: 1
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWb2JSdURiWHNQL05SSnMz
ODNSNWM3bzZ5RlZ6VmdmN0Q1WkIrMkFuY0dFCmJtcFEvdTNzdDRaeDd6SStZelJO
Q1Zja2FZdldDM29PVVoyQm5zbDF0SHcKLS0tIC9vbytTVkE0SG9BZDhNQUZOU0l3
VTRGMXF0a2x6TXhvaUcwK2RCUkVQMm8KdvL1hPLM8cdvj93/41Y991VispqJliLM
WFg7+RJb+XK/991WUvY2J0bDQL57n7Lgvy1oQ3/Z2TKLq7bkZtRiAA==
-----END AGE ENCRYPTED FILE-----
- recipient: age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFMmZ2QmlvUmZXditjRmln
b21RWmUyeDB3WGJKMWRZTUJIRjN0SFI0d0ZNClg2cmdOS1dORlI2Q2hkMlhEL1Ru
M0hncS9jUkYwcVY2ZVcxeStrMFp4ME0KLS0tIHM4MWNqS3lNdXZhRFFITlBPVVhq
VUpBRnpxajA1V3c5ZFl6ODBYby82czAKCaTyQd23v0tC7TS+2e/jt3Iv/dUBTHBn
y3aAFrwzMZ8hmnpMFBJ8wGlNuKpHXn6wgjmZYuwmWLA75wXJtCQJMQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age10t6kc5069cyky929vvxk8aznqyxpkx3k5h5rmlyz83xtjmr22ahqe8mzes
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1NlMvdTh0cHc5U21pOTVt
cUlPZldDOHhMZEQrbFY5TG9kYU03TERLdWdzCjZwMWpQbjU0Z1hCRG8zb2w5QW5a
dERNRVExRDFrVFIyYm82QVJpZjJiWkEKLS0tIHlLTGtyamtpNHRjZVRvRDZPRVpS
ZEVMM1RlYnlCVExoc08vbnBYeGVOVUEKVHxiDpN3PElfn1mrpKAx97RMSF0tYNeO
L3KQVVBV04Z7NQkbbXjxjwD0zMC13W0uVa603oXrB2yCa2CHhOQijA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3L3ZyNm0ra0JxdUdyNGZo
SFdjMTNkZTNpcFh3clRCdks5eDV4NC9OVW1BCkFvcmJYNGU1MlJEVDduY21VNGlo
dDR0NS85bGcxUnZGRE8rTldvanR6MjgKLS0tIEtxdnBId1BGQ3RzWkVFUkNscSsy
cEtwSlExSzZ0OGludlh1a2NxdTV6OWcKDGSsUvH98fXwTwjj1pe7lxx360isDuxF
o2CnthZYovGuUroNXGsfbDzStrI4qFKXCFvueYft4Bkiz/JjiS7O6g==
-----END AGE ENCRYPTED FILE-----
- recipient: age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLSzBNOXhyQWM0RFQxbld0
aCtaZ2dham5uOHJZK05hQ0FmRjgvbll3elM0CktnMDhuNVUvcWptRUJkRm42Y3Ev
RTQzMkZMb25MUGpKZWxDTnk1dTVVclkKLS0tIHoyb0t4YU1BYTI4RG1BdUJOTVRP
VFBGYURkMlZoYzB3b0tGOGViMzRiM1EKgic/koesbVYaFrResfFMFlS9Q5xcrg4t
ePxYvz6AuP/AAYdvRUgKAP/kmD4yhIiTMxRJ4F0GH8/toHO6kgESbQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-02-18T20:36:57Z"
mac: ENC[AES256_GCM,data:MZhK+8aBNymB569jhgnxj8pJTg/0yg/JxLHjsFmlZxqtg5qXY1fOfMy8R7lvAMhcaG458DATwUNduS4z7KpN3y5g1bXpw5qKsOmzzPYpTjcluLA4d+kci6frHZkBiTcSWjcQZ8UJ/iW4VdFWjcHhTBpgGQQ0yrY6d/UfRlBCro8=,iv:sK1UyP+pJJiV6tKU1x9ZKEPZMUMI84Z/rwnx6o1BNek=,tag:17HveiT+h3+V4ofiiOIiIA==,type:str]
pgp:
- created_at: "2024-02-18T19:52:52Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA82M54yws73UARAAgOm211nxupi+r4w6bklXHBohdxkFDGJrkg21x8xZYNFN
A6DYVxSuy2Fa9aj/20ZzItD+PVyoOtLN97bXwCAyZs15LV/py4ecZL9AkjPFb55v
G286r19Z7vUx51xWEJY+wROgugu0tqvgHWXidzpczgryifE5zcpMIIszqpFhlzqk
oCeGk7eHyc3+PnmXLUtfb+AVTHnr8uKhnUuAvHsRN/OyDwgbHfh2YXJCWtHLLJLY
0ECfXpAdFLm8af9pT1PsjANrrH7xb16PsMJGlXJ6xusEKf1Xq6UhOJD6qOC+MJPr
Q7ID+lFMnzVpLSXS7+7EXC/lfVib0Ro5NuWKrvOf9TjjTjMeDMsV2VZ0pcSekICr
kEI8Dd6kXrf5xWm7opKtrARmqRrzucAWiUlAT3zL34eds2OCKvd8Lq/Im2ZlYrsB
l2NTan/yd5gL3W9RIYfFPamNCwcrweSRLf8QOBPeZ9y8EYIq1W50QP62N6glOmGz
LgXHIr0zNV5dDgphOiGp64WozhKHNkIVck9E7jSPxifZnoAEeELhINdgooeK/qGr
C4rsFc19vkZt1LmciMDs2GfqGRGPpI4oCSCVdLL+EJ6P9+4Oq7qd5RqaKER2LL6i
D25dlOoSO3lY//A89DAWGHsaJvXDelHIXKcz30blCk98iYuLyuOz9lKzEr0eIJrS
XgEWSZip/bIhZib17eQjvGVn8ktcuDMzkwQfSuyDSbQM2lDjo12N0PfXmZh1EvaB
WUlyAhSLFe+MzTPIX2u/LQvWPky9Ooh492DDe46pjlOJtAttBfMlBKHdnYZFp6U=
=PoDa
-----END PGP MESSAGE-----
fp: CD8CE78CB0B3BDD4
- created_at: "2024-02-18T19:52:52Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMA2W9MER3HLb7AQgAxekA9Zyr891+3AhJfodxSTMly8f1KkFOloEgUR+8oBKp
KNHyFkzsdqT8v7Ge7kxV8hZW4mSM7hYEKkLWHKRxdH5htGSkerVBSmHquaX/JnSJ
URv5jkn/8zctcOMyRLXMasMYNWNwNWhEGMSrTFmzZUfXjocPHFUtAlaiDCa6iYGB
A6SjQIBf0/NfOuGbZjuqYD+WxjnfkJnDuFHfHEDqq0qOu3XK/04b/PxthtH+lFmz
HUOkakoopErrQrxovamnp7RVw9QezURYlFy9urkvq7o5CgZJ3cg7fCQcz/K7COoc
LxUG3zPdN0Ar9UcMHfzdeYYB14UR4HOFhZ30rrilHdJeARon3/Ik5T05JNnphCQM
iSO1GPevu7csOFFmIMOAKOMAdAhfYvWJm6Jo4cJqRwSw73nr3OlBEFnEhr1TYCnW
Qt234FPHSda5tYFnqkObTv/ror1zOLSTQGxfz+OaGQ==
=/jVk
-----END PGP MESSAGE-----
fp: 65BD3044771CB6FB
unencrypted_suffix: _unencrypted
version: 3.8.1

6
nixos/secrets/postgres.yaml
View file

@ -1,4 +1,4 @@
postgresql-init: ENC[AES256_GCM,data:qIZZDcUb4eva7lZ4VCUu+Jl8K37KN37+HQ+6/WisZkDrxshUI5hhrYM0ypGFW0L/W9K9hRHaKGuBqYSeLoXwObT+K4J5VshO+H6PNDjuWkmho5Q/dVENs6AOLcLtxWC3Uz/kcH368yR13F64dCGAzlbSLxcP2bxgfdMbOhQvar9OD602i7TW,iv:BJvjQUcohdBLYxuz+rUsulMbGBwH6axuxOIDhVZET3Y=,tag:yDUwUS6DmiQV7FHtWmRVIg==,type:str]
postgresql-init: ENC[AES256_GCM,data:nBxJExClBwSTR5QLvnVs1H3l49pMz14LlfZzn1zleTd7Udez+qBv9rNtMnRcirSg0WPriFtSBQekOywok0DVy5EpCgRXMxGoj1vMUoyP3axWv/+6w4olc8iGHoiKxdN8tpM56FkYFUG8MI43mfiaRKEqmUHXUA3VJeJT25PJxcA7eR0dRFWmZ6t2UBQmhaoG6TlGlgfheC5iAk4aApfSOa287Zw5sKowfZpcFpouNnivN2h4JabB8G0o9xESxxGQ8rnPIkyLHTDEyzsNvw==,iv:vG7Jou8gxKDeVZz46fnGXKM27jxXUlXW375STT5zkaI=,tag:/SXHY71iPWM9da0lMBDAsA==,type:str]
sops:
shamir_threshold: 1
kms: []
@ -33,8 +33,8 @@ sops:
a3l3bUx5NzdqUGd1TEpGY3UvQWt4TU0KB4MAjvI43FaOiGhWTkwPpeMMiAnX4v3L
rLZDdc/vegF10FKTNJdxdq1E7ccMaV1KwjQkJoOJnWe6teKLjGOFkA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-21T18:25:21Z"
mac: ENC[AES256_GCM,data:b9eqSdZYccvK5WPQmP6/5X5raNFkqSu4sCOJZhL8OOSIfrvdbbJ9xJ7hZ2rsGp8XNxMPcofvLFb/JVwWIZOw1TOIiiyCwK+XfaRA7lcyTi3Kd9P8OADejo222ek/QgaAUzE7D8+q9PTSbLLgrfbvFCuwXJoEEslbjIh6UToziPY=,iv:0yK0y/QhYz8jAJqtMMkNmTPY0rTeonOhneyfdFJRoVw=,tag:e85Y3S7YgfB8EAb1TZSPYg==,type:str]
lastmodified: "2024-02-18T19:48:39Z"
mac: ENC[AES256_GCM,data:Dw0kOxKVreKSPqX6QpUDqf199H/4ZtbpBHtzn6y4w7dcwwk2ghuM8eTku9+dc4re9/AlT0N0WyXC9W39hizLso0V8s9Q36rfzT6X9ZmUV5jLzILHJQvLdzDpgaV1J7UTHReOolSbMK4Y6tpkUoYoCBkfTvi+2OAd/9ElTj5NBTM=,iv:Jw6w0MoTwsq0F+W/uSehHrE+fUUhUfdiBqeLS2rV3/w=,tag:AQSY+cLhh/H5aFXvBvepTg==,type:str]
pgp:
- created_at: "2024-01-19T19:08:55Z"
enc: |-

17
systems/hakurei/nixos.nix
View file

@ -33,6 +33,7 @@ in {
nixos.access.kitchencam
nixos.access.proxmox
nixos.access.plex
nixos.access.invidious
nixos.samba
./reisen-ssh.nix
];
@ -112,6 +113,12 @@ in {
])
];
};
${access.invidious.domain} = {
inherit (nginx) group;
extraDomainNames = mkMerge [
access.invidious.localDomain
];
};
};
services.nginx = let
@ -132,6 +139,9 @@ in {
streamPort = 41081;
useACMEHost = access.kitchencam.domain;
};
access.invidious = {
url = "http://${mediabox.networking.access.hostnameForNetwork.local}:${mediabox.services.invidious.port}";
};
virtualHosts = {
${access.kanidm.domain} = {
useACMEHost = access.kanidm.domain;
@ -154,6 +164,13 @@ in {
proxyOrigin = "http://${tei.networking.access.hostnameForNetwork.tail}:${toString vouch-proxy.settings.vouch.port}";
};
};
${access.invidious.domain} = {
vouch = {
authUrl = vouch-proxy.authUrl;
url = vouch-proxy.url;
proxyOrigin = "http://${tei.networking.access.hostnameForNetwork.tail}:${toString vouch-proxy.settings.vouch.port}";
};
};
};
};