feat: invidious hosting

2024-08-23 00:30:11 +02:00 · 2024-08-23 00:30:11 +02:00 · b9c23c3039
parent 0694bbf697
commit b9c23c3039
11 changed files with 55 additions and 2 deletions
--- a/config/services/invidious.nix
+++ b/config/services/invidious.nix
@ -0,0 +1,24 @@
 { config, ... }:
 {
  services.invidious = {
    enable = true;
    domain = "yt.${config.secrets.secrets.global.domains.web}";
    settings = {
      external_port = 443;
      https_only = true;
    };
  };
  environment.persistence."/persist".directories = [
    { directory = "/var/lib/private/invidious"; }
    {
      directory = "/var/lib/postgresql";
      user = "postgres";
      group = "postgres";
    }
  ];
  wireguard.elisabeth = {
    client.via = "elisabeth";
    firewallRuleForNode.elisabeth.allowedTCPPorts = [ 3000 ];
  };
 }
--- a/config/services/kanidm.nix
+++ b/config/services/kanidm.nix
@ -140,6 +140,7 @@ in
      groups."ollama.access" = { };
      groups."adguardhome.access" = { };
      groups."octoprint.access" = { };
      groups."invidious.access" = { };
      systems.oauth2.oauth2-proxy = {
        displayName = "Oauth2-Proxy";
@ -170,6 +171,11 @@ in
          "email"
          "profile"
        ];
        scopeMaps."invidious.access" = [
          "openid"
          "email"
          "profile"
        ];
        preferShortUsername = true;
        claimMaps.groups = {
          joinType = "array";
@ -178,6 +184,7 @@ in
          valuesByGroup."firefly.access" = [ "firefly_access" ];
          valuesByGroup."ollama.access" = [ "ollama_access" ];
          valuesByGroup."octoprint.access" = [ "octoprint_access" ];
          valuesByGroup."invidious.access" = [ "invidious_access" ];
        };
      };
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@ -30,6 +30,7 @@ let
        homebox = "homebox";
        octoprint = "print";
        pr-tracker = "tracker";
        invidious = "yt";
      };
    in
    "${domains.${hostName}}.${config.secrets.secrets.global.domains.web}";
@ -180,6 +181,7 @@ in
      (proxyProtect "oauth2-proxy" { } false)
      (blockOf "paperless" { maxBodySize = "5G"; })
      (proxyProtect "ttrss" { port = 80; } true)
      (proxyProtect "invidious" { } true)
      (blockOf "yourspotify" { port = 80; })
      #(blockOf "homebox" {})
      (blockOf "pr-tracker" { })
@ -310,6 +312,7 @@ in
    // mkContainer "murmur" { }
    #// mkContainer "homebox" {}
    // mkContainer "pr-tracker" { }
    // mkContainer "invidious" { }
    // mkContainer "ttrss" { }
    // mkContainer "firefly" { }
    // mkContainer "yourspotify" { }
--- a/hosts/elisabeth/secrets/invidious/host.pub
+++ b/hosts/elisabeth/secrets/invidious/host.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGadvYM2iRdTri9xboKlTHG91mE/agT5YwQdJhnB94uj
--- a/hosts/elisabeth/secrets/kanidm/secrets.nix.age
+++ b/hosts/elisabeth/secrets/kanidm/secrets.nix.age
--- a/nix/hosts.nix
+++ b/nix/hosts.nix
@ -18,7 +18,7 @@
        name:
        let
          pkgs = config.pkgs.x86_64-linux;
-          stateVersion = "23.05";
+          stateVersion = "24.05";
        in
        inputs.nixpkgs.lib.nixosSystem {
          specialArgs = {
--- a/secrets/secrets.nix.age
+++ b/secrets/secrets.nix.age
--- a/secrets/wireguard/elisabeth/keys/elisabeth-invidious.age
+++ b/secrets/wireguard/elisabeth/keys/elisabeth-invidious.age
--- a/secrets/wireguard/elisabeth/keys/elisabeth-invidious.pub
+++ b/secrets/wireguard/elisabeth/keys/elisabeth-invidious.pub
@ -0,0 +1 @@
 34nMC0dvuS70Rn+685ExtKqQcEHdJvUzVvTcTZNwoVM=
--- a/secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-invidious.age
+++ b/secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-invidious.age
@ -0,0 +1,16 @@
 age-encryption.org/v1
 -> X25519 rqjulMMqQvFeDApkCZo4KQvgVbmZ/TLOpy3fe9CQCTc
 j3JoyoBWSZtVDka4qqquips0HmZakBuToEjNe+ZEccQ
 -> piv-p256 ZFgiIw A4e5w+3n+gkOMBeSI5VklW1kJ3846byVint8b7HGer4Z
 jY/O+b0JwsNxpSvEtrWB1IaeVACDagAaqfLmoy9VGrw
 -> piv-p256 XTQkUA A8WfkKXTvoJ4M4gX/t3xaK8wy2pZbLO9dBHrlUqKJHjr
 I6WsWbqg+DIrOR7cJCk5cHz4gz0d44RhcNSqUU/9VSA
 -> piv-p256 ZFgiIw Axn28eRfih6xjAKMw9ZFXHN4jKs013d2IhmLTAwl1Ixq
 RldIXTSGdfjC5o4xzOttzyX89zAsuJGitSeoyts62mo
 -> piv-p256 5vmPtQ A7sqh4eBJsdzALHPVdbk2WJ5YH0M8iSBX/wP8DtI7Mpm
 tq6yVRXYXKwQD3qbvvBdF4AuFehgvgS7lq2DkI5hI6Y
 -> s?-grease 38 Pego6HDg _|QaxRe
 rexAgfgN8bC3JvURMFuCxfHxnIQ88B2hvka0BmvM7XJSWA8gAGLxjhOr0sw6iygG
 6R+lshVeDfexCFxX4KWENEVzb9f4JWCqcGA
 --- NtjNfHsaetHNRBHHwX0ncFGEb5hewYNhg8/WmJCLg80
 Où<EFBFBD>ÎJÀZ¡»uóÖ#ù|4|«/kd¥å	óçêínÄÝ^@ß…3{—õ85Gtû‚å¼þò0mÐ.!Ç×¹ÿ€ÇXú½!¤ÃQ
--- a/users/patrick/firefox.nix
+++ b/users/patrick/firefox.nix
@ -39,7 +39,8 @@
          "media.rdd-ffmpeg.enabled" = true;
          "gfx.x11-egl.force-enabled" = true;
          # enable if grapics card support av1
-          "media.av1.enabled" = false;
+          # invidious kinda depends on av1
          "media.av1.enabled" = true;
          "widget.dmabuf.force-enabled" = true;
          # General
          "browser.toolbars.bookmarks.visibility" = "never"; # Never show the bookmark toolbar
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGadvYM2iRdTri9xboKlTHG91mE/agT5YwQdJhnB94uj`
		`@ -0,0 +1 @@`
							`34nMC0dvuS70Rn+685ExtKqQcEHdJvUzVvTcTZNwoVM=`