From aa59293596dfd3b796484d1116bb3aeeb40896c4 Mon Sep 17 00:00:00 2001
From: Kat Inskip
Date: Sun, 18 Feb 2024 19:19:52 -0800
Subject: [PATCH] feat: invidious?
---
 nixos/invidious.nix | 28 +++++++++++++++++++++-------
 nixos/secrets/invidious.yaml | 6 +++---
 2 files changed, 24 insertions(+), 10 deletions(-)
diff --git a/nixos/invidious.nix b/nixos/invidious.nix
index 25e2bd4c..6f12cff6 100644
--- a/nixos/invidious.nix
+++ b/nixos/invidious.nix
@@ -1,17 +1,31 @@
-{ config, ... }: {
- sops.secrets = {
- invidious_db_password = {
+{ config, lib, ... }: let
+ inherit (lib.modules) mkForce;
+in {
+ sops.secrets = let
+ commonSecret = {
 sopsFile = ./secrets/invidious.yaml;
- };
- invidious_hmac_key = {
- sopsFile = ./secrets/invidious.yaml;
- };
+ owner = "invidious";
+ }; in {
+ invidious_db_password = commonSecret;
+ invidious_hmac_key = commonSecret;
+ };
+
+ networking.firewall.allowedTCPPorts = [ 3000 ];
+ users.groups.invidious = {};
+ users.users.invidious = {
+ isSystemUser = true;
+ group = "invidious";
+ };
+ systemd.services.invidious.serviceConfig = {
+ DynamicUser = mkForce false;
+ User = "invidious";
 };
 services.invidious = {
 enable = true;
 hmacKeyFile = config.sops.secrets.invidious_hmac_key.path;
 settings = {
 domain = "yt.gensokyo.zone";
+ external_port = 443;
 hsts = false;
 db = {
 user = "kemal";
diff --git a/nixos/secrets/invidious.yaml b/nixos/secrets/invidious.yaml
index 2be75cf1..f9a37cd7 100644
--- a/nixos/secrets/invidious.yaml
+++ b/nixos/secrets/invidious.yaml
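Review bot: `networking.firewall.allowedTCPPorts = [ 3000 ];` opens the Invidious listener on every interface, yet `domain = "yt.gensokyo.zone"` with `external_port = 443` and `hsts = false` suggests TLS is terminated by a reverse proxy, so port 3000 would presumably be reachable in plaintext by anything that can route to the host, bypassing the proxy. If the proxy runs on another machine, scope the rule to the interface its traffic arrives on, e.g. `networking.firewall.interfaces.<proxy-facing-iface>.allowedTCPPorts = [ 3000 ];` (the interface name is a placeholder), and drop the rule entirely if the proxy is local. Separately, `DynamicUser = mkForce false;` also turns off the sandboxing systemd implies for dynamic users (such as `PrivateTmp` and `ProtectSystem=strict`); unless the upstream module sets those itself, which is not visible here, restate them in `serviceConfig` and add a comment such as `# static user so sops-nix can set owner = "invidious" on the secrets`. The `services.invidious` block continues outside the hunk.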
@@ -1,5 +1,5 @@ invidious_db_password: ENC[AES256_GCM,data:Gbn+SylFlWnmYMECoafeAADas/73tSNZjyc/Bg249Hk=,iv:KL+hK93OY+OJJ/muYKY9yGy9tzZMw5CFC8SWLi7N/wY=,tag:ZhQu+kR9p69QV6GezHh+VQ==,type:str] -invidious_hmac_key: ENC[AES256_GCM,data:DYcQGVrokhta0mLjRqnRoqU1sz4=,iv:BMP1epRdLM95leWHuivPhvsB8JrfxHnzwl7ERlo6rOo=,tag:qhsuH/jLNPapJrcgHmXVWw==,type:str] +invidious_hmac_key: ENC[AES256_GCM,data:rk7zi/8EVNLXuB1peF3IX9nVh+692ap6ILp00RcKy3iYOOFyj3NO,iv:CUcv7qAgLR1yskM9Rxp7Iq8ggorhqsCfm0MfaxW3wAc=,tag:w8kEZ8a5UCEHdklU+LO2tg==,type:str] sops: shamir_threshold: 1 kms: [] @@ -52,8 +52,8 @@ sops: VFBGYURkMlZoYzB3b0tGOGViMzRiM1EKgic/koesbVYaFrResfFMFlS9Q5xcrg4t ePxYvz6AuP/AAYdvRUgKAP/kmD4yhIiTMxRJ4F0GH8/toHO6kgESbQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-02-18T20:36:57Z" - mac: ENC[AES256_GCM,data:MZhK+8aBNymB569jhgnxj8pJTg/0yg/JxLHjsFmlZxqtg5qXY1fOfMy8R7lvAMhcaG458DATwUNduS4z7KpN3y5g1bXpw5qKsOmzzPYpTjcluLA4d+kci6frHZkBiTcSWjcQZ8UJ/iW4VdFWjcHhTBpgGQQ0yrY6d/UfRlBCro8=,iv:sK1UyP+pJJiV6tKU1x9ZKEPZMUMI84Z/rwnx6o1BNek=,tag:17HveiT+h3+V4ofiiOIiIA==,type:str] + lastmodified: "2024-02-19T03:08:36Z" + mac: ENC[AES256_GCM,data:i/MaGACLwIXapTXpqNVAF4lsZ3sYehIF236PNEmYTqQp5mvJgD1dwcM8W1JL2sWqS+8g2cl4be48iUzYaepKz5wPEdhqlpxN0UHaHk4O72HFJy1kdOEKqomqNa/UGMMVJp65oEB5GoT9Ab8r2BPgcxRjqf8KvH2mPNqCQrUAeIk=,iv:zLW0i8+fUaO0nk5KEtbsqiPy40K+MMEU5oc9whps4lM=,tag:CKLe2JGn+ZnRAJzv6+2NMA==,type:str] pgp: - created_at: "2024-02-18T19:52:52Z" enc: |-