nixos-config/machines/renge/services/invidious/default.nix

# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

{ config, lib, pkgs, ... }:

{
  sops.secrets.invidious-extra-settings = {
    sopsFile = ../../secrets.yaml;
    group = "keys"; # not ideal, but required since the invidious user is dynamic
    mode = "440";
  };
  systemd.services.invidious.serviceConfig.SupplementaryGroups = [ "keys" ];

  services.invidious = {
    enable = true;
    package = pkgs.unstable.invidious.overrideAttrs (o: o // {
      patches = (o.patches or [ ]) ++ [
        ./0001-Prefer-opus-audio-streams-in-listen-mode.patch
      ];
    });
    nginx.enable = true;
    domain = "iv.sbruder.xyz";
    settings = {
      host_binding = "127.0.0.1";
      log_level = "Warn";
      default_user_preferences = {
        # allow higher qualities
        quality = "dash";
        quality_dash = "auto";

        # humane volume
        volume = 50;

        # no “popular” content
        feed_menu = [ "Subscriptions" "Playlists" ];
        default_home = ""; # search on /
      };
      disable_proxy = [ "downloads" ]; # legal precaution
      local = true; # no external requests
      use_pubsub_feeds = true;
      modified_source_code_url = "https://github.com/sbruder/invidious/tree/patches";
      https_only = lib.mkForce true;
    };
    extraSettingsFile = config.sops.secrets.invidious-extra-settings.path;
  };

  systemd.services.invidious.serviceConfig = {
    Restart = "on-failure";
  };

  services.nginx.virtualHosts."iv.sbruder.xyz" = {
    enableACME = false;
    forceSSL = false;
    extraConfig = ''
      allow ${config.sbruder.wireguard.home.subnet};
      deny all;
    '';
    locations = {
      "/robots.txt".return = "200 'User-agent: *\\nDisallow: /'";
      "/privacy".return = "301 'https://sbruder.xyz/#privacy'";
      "/feed/popular".return = "403"; # leaks data about its users
    };
  };
}