diff --git a/agenix/hosts/sail/config.nix b/agenix/hosts/sail/config.nix
index be7b5a2..97bf05c 100644
--- a/agenix/hosts/sail/config.nix
+++ b/agenix/hosts/sail/config.nix
@@ -88,6 +88,16 @@
 group = "freshrss";
 };
+ invidious-database-password = {
+ file = ./invidious/databasePassword.age;
+ };
+
+ invidious-auth = {
+ file = ./invidious/auth.age;
+ owner = "nginx";
+ group = "nginx";
+ };
+
 nitter-config = {
 file = ./nitter/config.age;
 mode = "444";
diff --git a/agenix/hosts/sail/invidious/auth.age b/agenix/hosts/sail/invidious/auth.age
new file mode 100644
index 0000000..685e874
--- /dev/null
+++ b/agenix/hosts/sail/invidious/auth.age
@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE10R3A2ZyBUb0JZ
+eHpReHFhOHVXS0NFTFBzL3hsR1EwZ3pNZXBLNzR6SEJDcFRUc3drCkFmTEdXeVBp
+ZGtER0JsU2ZDOHRtYm1XdGxnVjhHa3BOajBHUWN3TlhsSTQKLT4gc3NoLWVkMjU1
+MTkgTmJWNGh3IEZWR21Ndmo0Z2VPZU1ObHBjd1RpcEpGSytuNi9YQWU1ckIrWFBN
+WmowRHMKdlQxdDY4c1U5eE04ZHlaakZiU3ViS085SDY2Zld4Y3VsbGtmYytvVVRG
+NAotPiBSZm5bNExBbi1ncmVhc2UgRS9GPwoxaGRFMjVxNkgwakNPU21BY2xsODlz
+bExEVEhBay9va0t1Y0NLUQotLS0gUXUyTVdEZHovaEEzK3c0bHh5S2hWYjRGWUNl
+dzMvdDdhTVFMTysraENiVQq4fwe+dA0aQXZAGZd3oTKeWsZEoj9rpUiSorWPMiWv
+5monAQZHX0TakOLoWCSg6fmEKOGteGJKJ3H7zhIJ9FMF5y69R52buiJ685XOlH+I
+lgjR+22m5P6sEDKMjPtS02I5VL+3RiV595sw+9Perfdny2I=
+-----END AGE ENCRYPTED FILE-----
diff --git a/agenix/hosts/sail/invidious/databasePassword.age b/agenix/hosts/sail/invidious/databasePassword.age
new file mode 100644
index 0000000..d45d9f9
--- /dev/null
+++ b/agenix/hosts/sail/invidious/databasePassword.age
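Review bot: `invidious-database-password` is declared with only `file`, while `invidious-auth` right below it sets `owner` and `group`, so the database password keeps agenix's defaults (root-owned, mode 0400, unless they are overridden elsewhere). That is the tightest setting, but nothing in the hunk says which account is expected to read the file. I would add a comment on the entry such as `# read via services.invidious.database.passwordFile; keep root-only` and confirm that the Invidious unit can open it, rather than widening it later the way the neighbouring `mode = "444";` on `nitter-config` does. The enclosing attribute set starts and ends outside this hunk.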
@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE10R3A2ZyBDZnJ6
+dzJPOENmN3RzTHpaZ2ZQYWFWcnpvZTdFMDYvNGFWWnhOSExZQ2x3CnVNWlMzeE8x
+TnF0WFpsMEZBYTZsZHgxWXRRMUJQaVhFd3M4YzBtOTZyTUEKLT4gc3NoLWVkMjU1
+MTkgTmJWNGh3IFBkSU1pdEg4azBiMSttd3hjamszY0gxZ1V2MzJoNld1NW1vUEJQ
+akp0aHcKenVrVEVCUGVKU1NHampmVHJFSUxTLzg1blJTSjhHVHloVUJhVk0wOGxH
+bwotPiBeIzZdJ1w/LWdyZWFzZSAsY1A8IH05IDg6fCAnazsKSndsWTZiNXhIS0U4
+RVprYWljUERTbmU3YmhEdG5zWlZDK0tqdlpGREhRRzRpdGREOG5lSnorVDhURitQ
+RkZ2YwpIaWh1R0EKLS0tIGN0dk9jbW5NQjB6RVFmVTAvV0tjc3NVeFUxVG1ad3Zi
+QkpiTnhNZ24rL1EKOHbV6kpVX0mHPs26by8JewBSR9qNYIsPb2WIVMWlPBMBCITZ
+AZpWceKeWUW+28372rADqJJanFbM5VQjX036QzYoGOD8QpCf1g==
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets.nix b/secrets.nix
index 5bfbd0a..d4eb181 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -29,6 +29,9 @@ in
 "agenix/hosts/sail/freshrss/userPassword.age".publicKeys = sail;
 "agenix/hosts/sail/freshrss/databasePassword.age".publicKeys = sail;
+ "agenix/hosts/sail/invidious/databasePassword.age".publicKeys = sail;
+ "agenix/hosts/sail/invidious/auth.age".publicKeys = sail;
+
 "agenix/hosts/sail/nitter/config.age".publicKeys = sail;
 "agenix/hosts/sail/nitter/auth.age".publicKeys = sail;
diff --git a/system/hosts/sail.nix b/system/hosts/sail.nix
index 77b1325..f0a933e 100644
--- a/system/hosts/sail.nix
+++ b/system/hosts/sail.nix
@@ -23,6 +23,8 @@ in
 (import ../nixos/freshrss.nix (args // { inherit secret; }))
+ ../nixos/invidious.nix
+
 (import ../nixos/libreddit.nix (args // { inherit secret; }))
 (import ../nixos/mastodon.nix (args // { inherit secret; }))
diff --git a/system/nixos/invidious.nix b/system/nixos/invidious.nix
new file mode 100644
index 0000000..04eace0
--- /dev/null
+++ b/system/nixos/invidious.nix
@@ -0,0 +1,55 @@
+{ config, ... }:
+
+let
+ fqdn = "yt.daniel.sx";
+in
+{
+ services.invidious = {
+ enable = true;
+
+ domain = fqdn;
+ port = 8007;
+
+ database = {
+ createLocally = false;
+ host = "10.99.99.3";
+ port = 5432;
+ passwordFile = config.age.secrets.invidious-database-password.path;
+ };
+
+ settings = {
+ db = {
+ user = "invidious";
+ dbname = "invidious";
+ };
+
+ host_binding = "127.0.0.1";
+
+ https_only = true;
+
+ statistics_enabled = false;
+
+ registration_enabled = true;
+ login_enabled = true;
+ captcha_enabled = false;
+ admins = [ "daniel" ];
+
+ use_pubsub_feeds = false;
+ };
+
+ nginx.enable = false;
+ };
+
+ services.nginx.virtualHosts."${fqdn}" = {
+ http3 = true;
+
+ onlySSL = true;
+ useACMEHost = "daniel.sx";
+ basicAuthFile = config.age.secrets.invidious-auth.path;
+
+ locations."/" = {
+ recommendedProxySettings = true;
+ proxyPass = "http://127.0.0.1:8007";
+ };
+ };
+}
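Review bot: `admins = [ "daniel" ];` grants admin rights by account name while `registration_enabled = true;` and `captcha_enabled = false;` leave sign-up open, so (assuming Invidious matches `admins` against the registered user ID) the admin role belongs to whoever holds that name, and the only gate in front of sign-up is the shared nginx `basicAuthFile`. Once the intended accounts exist I would set `registration_enabled = false;`, so that a leaked basic-auth credential does not also allow account creation. Separately, the database at `10.99.99.3` is reached with no TLS setting visible in this file; if that address is not on an encrypted private link the password and queries travel in clear, so a comment stating the assumption would help. Minor: the port is written twice, and `proxyPass = "http://127.0.0.1:${toString config.services.invidious.port}";` would keep the proxy and the service in step.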