nixos-config/machines/renge/services/invidious/default.nix

70 lines
2 KiB
Nix

# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, pkgs, ... }:
{
sops.secrets.invidious-extra-settings = {
sopsFile = ../../secrets.yaml;
group = "keys"; # not ideal, but required since the invidious user is dynamic
mode = "440";
};
systemd.services.invidious.serviceConfig.SupplementaryGroups = [ "keys" ];
services.invidious = {
enable = true;
package = pkgs.unstable.invidious.overrideAttrs (o: o // {
patches = (o.patches or [ ]) ++ [
./0001-Prefer-opus-audio-streams-in-listen-mode.patch
];
});
nginx.enable = true;
domain = "iv.sbruder.xyz";
settings = {
host_binding = "127.0.0.1";
log_level = "Warn";
default_user_preferences = {
# allow higher qualities
quality = "dash";
quality_dash = "auto";
# humane volume
volume = 50;
# no “popular” content
feed_menu = [ "Subscriptions" "Playlists" ];
default_home = ""; # search on /
};
disable_proxy = [ "downloads" ]; # legal precaution
local = true; # no external requests
use_pubsub_feeds = true;
modified_source_code_url = "https://github.com/sbruder/invidious/tree/patches";
https_only = lib.mkForce true;
# this can be removed
# when this service is re-deployed on a host with state version ≥ 24.05
db.user = "invidious";
};
extraSettingsFile = config.sops.secrets.invidious-extra-settings.path;
};
systemd.services.invidious.serviceConfig = {
Restart = "on-failure";
};
services.nginx.virtualHosts."iv.sbruder.xyz" = {
enableACME = false;
forceSSL = false;
extraConfig = ''
allow ${config.sbruder.wireguard.home.subnet};
deny all;
'';
locations = {
"/robots.txt".return = "200 'User-agent: *\\nDisallow: /'";
"/privacy".return = "301 'https://sbruder.xyz/#privacy'";
"/feed/popular".return = "403"; # leaks data about its users
};
};
}