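# NixOS module for an Invidious instance at iv.sbruder.xyz: a patched build of
# the package, fronted by nginx, with its secret settings supplied through
# sops.secrets.
{ config, pkgs, ... }:

{
  # Secret part of the Invidious configuration; its decrypted path is handed to
  # the service as extraSettingsFile below.
  sops.secrets.invidious-extra-settings = {
    sopsFile = ../../secrets.yaml;
    group = "keys"; # not ideal, but required since the invidious user is dynamic
    # NOTE(review): group-readable means every member of "keys" can read this
    # file, not only Invidious; keep that group's membership as small as
    # possible.
    mode = "440";
  };

  systemd.services.invidious.serviceConfig = {
    # Lets the service's dynamic user read the group-owned secret above.
    SupplementaryGroups = [ "keys" ];
    Restart = "on-failure";
  };

  services.invidious = {
    enable = true;
    # Unstable package plus one local patch appended to whatever patches the
    # package already carries.
    package = pkgs.unstable.invidious.overrideAttrs (o: o // {
      patches = (o.patches or [ ]) ++ [
        ./0001-Prefer-opus-audio-streams-in-listen-mode.patch
      ];
    });
    nginx.enable = true;
    domain = "iv.sbruder.xyz";
    settings = {
      # Loopback only, so other hosts can reach the application solely through
      # the nginx virtual host and its location rules below.
      host_binding = "127.0.0.1";
      log_level = "Warn";
      default_user_preferences = {
        # allow higher qualities
        quality = "dash";
        quality_dash = "auto";
        # humane volume
        volume = 50;
        # no “popular” content
        feed_menu = [ "Subscriptions" "Playlists" ];
        default_home = ""; # search on /
      };
      # Switch the popular feed off in the application as well. The menu
      # preferences above only hide the link, and the nginx rules below only
      # cover the paths they list.
      popular_enabled = false;
      disable_proxy = [ "downloads" ]; # legal precaution
      local = true; # no external requests
      use_pubsub_feeds = true;
      # presumably the published location of the patched source; verify it
      # stays in sync with the patch list above
      modified_source_code_url = "https://github.com/sbruder/invidious/tree/patches";
    };
    extraSettingsFile = config.sops.secrets.invidious-extra-settings.path;
  };

  services.nginx.virtualHosts."iv.sbruder.xyz" = {
    locations = {
      # Advisory for well-behaved crawlers only; this is not access control.
      "/robots.txt".return = "200 'User-agent: *\\nDisallow: /'";
      "/privacy".return = "301 'https://sbruder.xyz/#privacy'";
      "/feed/popular".return = "403"; # leaks data about its users
      # The JSON API serves the same popular list, so blocking only the HTML
      # route leaves the data reachable.
      "/api/v1/popular".return = "403";
    };
  };
}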