invidious: init

agenix/hosts/sail/config.nix

@@ -88,6 +88,16 @@
       group = "freshrss";
     };
 
+    invidious-database-password = {
+      file = ./invidious/databasePassword.age;
+    };
+
+    invidious-auth = {
+      file = ./invidious/auth.age;
+      owner = "nginx";
+      group = "nginx";
+    };
+
     nitter-config = {
       file = ./nitter/config.age;
       mode = "444";

agenix/hosts/sail/invidious/auth.age

@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE10R3A2ZyBUb0JZ
+eHpReHFhOHVXS0NFTFBzL3hsR1EwZ3pNZXBLNzR6SEJDcFRUc3drCkFmTEdXeVBp
+ZGtER0JsU2ZDOHRtYm1XdGxnVjhHa3BOajBHUWN3TlhsSTQKLT4gc3NoLWVkMjU1
+MTkgTmJWNGh3IEZWR21Ndmo0Z2VPZU1ObHBjd1RpcEpGSytuNi9YQWU1ckIrWFBN
+WmowRHMKdlQxdDY4c1U5eE04ZHlaakZiU3ViS085SDY2Zld4Y3VsbGtmYytvVVRG
+NAotPiBSZm5bNExBbi1ncmVhc2UgRS9GPwoxaGRFMjVxNkgwakNPU21BY2xsODlz
+bExEVEhBay9va0t1Y0NLUQotLS0gUXUyTVdEZHovaEEzK3c0bHh5S2hWYjRGWUNl
+dzMvdDdhTVFMTysraENiVQq4fwe+dA0aQXZAGZd3oTKeWsZEoj9rpUiSorWPMiWv
+5monAQZHX0TakOLoWCSg6fmEKOGteGJKJ3H7zhIJ9FMF5y69R52buiJ685XOlH+I
+lgjR+22m5P6sEDKMjPtS02I5VL+3RiV595sw+9Perfdny2I=
+-----END AGE ENCRYPTED FILE-----

agenix/hosts/sail/invidious/databasePassword.age

@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE10R3A2ZyBDZnJ6
+dzJPOENmN3RzTHpaZ2ZQYWFWcnpvZTdFMDYvNGFWWnhOSExZQ2x3CnVNWlMzeE8x
+TnF0WFpsMEZBYTZsZHgxWXRRMUJQaVhFd3M4YzBtOTZyTUEKLT4gc3NoLWVkMjU1
+MTkgTmJWNGh3IFBkSU1pdEg4azBiMSttd3hjamszY0gxZ1V2MzJoNld1NW1vUEJQ
+akp0aHcKenVrVEVCUGVKU1NHampmVHJFSUxTLzg1blJTSjhHVHloVUJhVk0wOGxH
+bwotPiBeIzZdJ1w/LWdyZWFzZSAsY1A8IH05IDg6fCAnazsKSndsWTZiNXhIS0U4
+RVprYWljUERTbmU3YmhEdG5zWlZDK0tqdlpGREhRRzRpdGREOG5lSnorVDhURitQ
+RkZ2YwpIaWh1R0EKLS0tIGN0dk9jbW5NQjB6RVFmVTAvV0tjc3NVeFUxVG1ad3Zi
+QkpiTnhNZ24rL1EKOHbV6kpVX0mHPs26by8JewBSR9qNYIsPb2WIVMWlPBMBCITZ
+AZpWceKeWUW+28372rADqJJanFbM5VQjX036QzYoGOD8QpCf1g==
+-----END AGE ENCRYPTED FILE-----

secrets.nix

@@ -29,6 +29,9 @@ in
   "agenix/hosts/sail/freshrss/userPassword.age".publicKeys = sail;
   "agenix/hosts/sail/freshrss/databasePassword.age".publicKeys = sail;
 
+  "agenix/hosts/sail/invidious/databasePassword.age".publicKeys = sail;
+  "agenix/hosts/sail/invidious/auth.age".publicKeys = sail;
+
   "agenix/hosts/sail/nitter/config.age".publicKeys = sail;
   "agenix/hosts/sail/nitter/auth.age".publicKeys = sail;
 

system/hosts/sail.nix

@@ -23,6 +23,8 @@ in
 
     (import ../nixos/freshrss.nix (args // { inherit secret; }))
 
+    ../nixos/invidious.nix
+
     (import ../nixos/libreddit.nix (args // { inherit secret; }))
 
     (import ../nixos/mastodon.nix (args // { inherit secret; }))

system/nixos/invidious.nix

@@ -0,0 +1,55 @@
+{ config, ... }:
+
+let
+  fqdn = "yt.daniel.sx";
+in
+{
+  services.invidious = {
+    enable = true;
+
+    domain = fqdn;
+    port = 8007;
+
+    database = {
+      createLocally = false;
+      host = "10.99.99.3";
+      port = 5432;
+      passwordFile = config.age.secrets.invidious-database-password.path;
+    };
+
+    settings = {
+      db = {
+        user = "invidious";
+        dbname = "invidious";
+      };
+
+      host_binding = "127.0.0.1";
+
+      https_only = true;
+
+      statistics_enabled = false;
+
+      registration_enabled = true;
+      login_enabled = true;
+      captcha_enabled = false;
+      admins = [ "daniel" ];
+
+      use_pubsub_feeds = false;
+    };
+
+    nginx.enable = false;
+  };
+
+  services.nginx.virtualHosts."${fqdn}" = {
+    http3 = true;
+
+    onlySSL = true;
+    useACMEHost = "daniel.sx";
+    basicAuthFile = config.age.secrets.invidious-auth.path;
+
+    locations."/" = {
+      recommendedProxySettings = true;
+      proxyPass = "http://127.0.0.1:8007";
+    };
+  };
+}