feat: invidious hosting

2024-08-23 00:30:11 +02:00 · 2024-08-23 00:30:11 +02:00 · b9c23c3039
parent 0694bbf697
commit b9c23c3039
11 changed files with 55 additions and 2 deletions
--- a/config/services/invidious.nix
+++ b/config/services/invidious.nix
@ -0,0 +1,24 @@
+{ config, ... }:
+{
+  services.invidious = {
+    enable = true;
+    domain = "yt.${config.secrets.secrets.global.domains.web}";
+    settings = {
+      external_port = 443;
+      https_only = true;
+    };
+  };
+  environment.persistence."/persist".directories = [
+    { directory = "/var/lib/private/invidious"; }
+    {
+      directory = "/var/lib/postgresql";
+      user = "postgres";
+      group = "postgres";
+    }
+  ];
+
+  wireguard.elisabeth = {
+    client.via = "elisabeth";
+    firewallRuleForNode.elisabeth.allowedTCPPorts = [ 3000 ];
+  };
+}
--- a/config/services/kanidm.nix
+++ b/config/services/kanidm.nix
@ -140,6 +140,7 @@ in
      groups."ollama.access" = { };
      groups."adguardhome.access" = { };
      groups."octoprint.access" = { };
+      groups."invidious.access" = { };

      systems.oauth2.oauth2-proxy = {
        displayName = "Oauth2-Proxy";
@ -170,6 +171,11 @@ in
          "email"
          "profile"
        ];
+        scopeMaps."invidious.access" = [
+          "openid"
+          "email"
+          "profile"
+        ];
        preferShortUsername = true;
        claimMaps.groups = {
          joinType = "array";
@ -178,6 +184,7 @@ in
          valuesByGroup."firefly.access" = [ "firefly_access" ];
          valuesByGroup."ollama.access" = [ "ollama_access" ];
          valuesByGroup."octoprint.access" = [ "octoprint_access" ];
+          valuesByGroup."invidious.access" = [ "invidious_access" ];
        };
      };

--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@ -30,6 +30,7 @@ let
        homebox = "homebox";
        octoprint = "print";
        pr-tracker = "tracker";
+        invidious = "yt";
      };
    in
    "${domains.${hostName}}.${config.secrets.secrets.global.domains.web}";
@ -180,6 +181,7 @@ in
      (proxyProtect "oauth2-proxy" { } false)
      (blockOf "paperless" { maxBodySize = "5G"; })
      (proxyProtect "ttrss" { port = 80; } true)
+      (proxyProtect "invidious" { } true)
      (blockOf "yourspotify" { port = 80; })
      #(blockOf "homebox" {})
      (blockOf "pr-tracker" { })
@ -310,6 +312,7 @@ in
    // mkContainer "murmur" { }
    #// mkContainer "homebox" {}
    // mkContainer "pr-tracker" { }
+    // mkContainer "invidious" { }
    // mkContainer "ttrss" { }
    // mkContainer "firefly" { }
    // mkContainer "yourspotify" { }
--- a/hosts/elisabeth/secrets/invidious/host.pub
+++ b/hosts/elisabeth/secrets/invidious/host.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGadvYM2iRdTri9xboKlTHG91mE/agT5YwQdJhnB94uj
--- a/hosts/elisabeth/secrets/kanidm/secrets.nix.age
+++ b/hosts/elisabeth/secrets/kanidm/secrets.nix.age
--- a/nix/hosts.nix
+++ b/nix/hosts.nix
@ -18,7 +18,7 @@
        name:
        let
          pkgs = config.pkgs.x86_64-linux;
-          stateVersion = "23.05";
+          stateVersion = "24.05";
        in
        inputs.nixpkgs.lib.nixosSystem {
          specialArgs = {
--- a/secrets/secrets.nix.age
+++ b/secrets/secrets.nix.age
--- a/secrets/wireguard/elisabeth/keys/elisabeth-invidious.age
+++ b/secrets/wireguard/elisabeth/keys/elisabeth-invidious.age
--- a/secrets/wireguard/elisabeth/keys/elisabeth-invidious.pub
+++ b/secrets/wireguard/elisabeth/keys/elisabeth-invidious.pub
@ -0,0 +1 @@
+34nMC0dvuS70Rn+685ExtKqQcEHdJvUzVvTcTZNwoVM=
--- a/secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-invidious.age
+++ b/secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-invidious.age
@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> X25519 rqjulMMqQvFeDApkCZo4KQvgVbmZ/TLOpy3fe9CQCTc
+j3JoyoBWSZtVDka4qqquips0HmZakBuToEjNe+ZEccQ
+-> piv-p256 ZFgiIw A4e5w+3n+gkOMBeSI5VklW1kJ3846byVint8b7HGer4Z
+jY/O+b0JwsNxpSvEtrWB1IaeVACDagAaqfLmoy9VGrw
+-> piv-p256 XTQkUA A8WfkKXTvoJ4M4gX/t3xaK8wy2pZbLO9dBHrlUqKJHjr
+I6WsWbqg+DIrOR7cJCk5cHz4gz0d44RhcNSqUU/9VSA
+-> piv-p256 ZFgiIw Axn28eRfih6xjAKMw9ZFXHN4jKs013d2IhmLTAwl1Ixq
+RldIXTSGdfjC5o4xzOttzyX89zAsuJGitSeoyts62mo
+-> piv-p256 5vmPtQ A7sqh4eBJsdzALHPVdbk2WJ5YH0M8iSBX/wP8DtI7Mpm
+tq6yVRXYXKwQD3qbvvBdF4AuFehgvgS7lq2DkI5hI6Y
+-> s?-grease 38 Pego6HDg _|QaxRe
+rexAgfgN8bC3JvURMFuCxfHxnIQ88B2hvka0BmvM7XJSWA8gAGLxjhOr0sw6iygG
+6R+lshVeDfexCFxX4KWENEVzb9f4JWCqcGA
+--- NtjNfHsaetHNRBHHwX0ncFGEb5hewYNhg8/WmJCLg80
+Où<EFBFBD>ÎJÀZ¡»uóÖ#ù|4|«/kd¥å	óçêínÄÝ^@ß…3{—õ85Gtû‚å¼þò0mÐ.!Ç×¹ÿ€ÇXú½!¤ÃQ
--- a/users/patrick/firefox.nix
+++ b/users/patrick/firefox.nix
@ -39,7 +39,8 @@
          "media.rdd-ffmpeg.enabled" = true;
          "gfx.x11-egl.force-enabled" = true;
          # enable if grapics card support av1
-          "media.av1.enabled" = false;
+          # invidious kinda depends on av1
+          "media.av1.enabled" = true;
          "widget.dmabuf.force-enabled" = true;
          # General
          "browser.toolbars.bookmarks.visibility" = "never"; # Never show the bookmark toolbar
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGadvYM2iRdTri9xboKlTHG91mE/agT5YwQdJhnB94uj`
				`@ -0,0 +1 @@`
				`34nMC0dvuS70Rn+685ExtKqQcEHdJvUzVvTcTZNwoVM=`