add sops, add secrets, add cinny, add restic, add invidious container

modules/nixos/virtualisation/podman/invidious/config/config.yml

@@ -1,246 +0,0 @@
-#########################################
-#
-#  Database and other external servers
-#
-#########################################
-
-##
-## Database configuration with separate parameters.
-## This setting is MANDATORY, unless 'database_url' is used.
-##
-db:
-  user: philipp
-  password: s3cr3tp4ssw0rd
-  host: invidious-db
-  port: 5432
-  dbname: invidious
-
-##
-## Enable automatic table integrity check. This will create
-## the required tables and columns if anything is missing.
-##
-## Accepted values: true, false
-## Default: false
-##
-check_tables: true
-
-
-##
-## Path to an external signature resolver, used to emulate
-## the Youtube client's Javascript. If no such server is
-## available, some videos will not be playable.
-##
-## Accepted values: a path to a UNIX socket or "<IP>:<Port>"
-## Default: <none>
-##
-signature_server: signature-helper:12999
-
-
-#########################################
-#
-#  Server config
-#
-#########################################
-
-# -----------------------------
-#  Network (inbound)
-# -----------------------------
-
-##
-## Port to listen on for incoming connections.
-##
-## Note: Ports lower than 1024 requires either root privileges
-## (not recommended) or the "CAP_NET_BIND_SERVICE" capability
-## (See https://stackoverflow.com/a/414258 and `man capabilities`)
-##
-## Accepted values: 1-65535
-## Default: 3000
-##
-port: 3000
-
-##
-## Interface address to listen on for incoming connections.
-##
-## Accepted values: a valid IPv4 or IPv6 address.
-## default: 0.0.0.0  (listen on all interfaces)
-##
-host_binding: 0.0.0.0
-
-##
-## Domain name under which this instance is hosted. This is
-## used to craft absolute URLs to the instance (e.g in the API).
-## The domain MUST be defined if your instance is accessed from
-## a domain name (like 'example.com').
-##
-## Accepted values: a fully qualified domain name (FQDN)
-## Default: <none>
-##
-domain: inv.monapona.dev
-
-##
-## Tell Invidious that it is behind a proxy that provides only
-## HTTPS, so all links must use the https:// scheme. This
-## setting MUST be set to true if invidious is behind a
-## reverse proxy serving HTTPs.
-##
-## Accepted values: true, false
-## Default: false
-##
-https_only: true
-
-
-# -----------------------------
-#  Network (outbound)
-# -----------------------------
-
-
-##
-## Send Google session informations. This is useful when Invidious is blocked
-## by the message "This helps protect our community."
-## See https://github.com/iv-org/invidious/issues/4734.
-##
-## Warning: These strings gives much more identifiable information to Google!
-##
-## Accepted values: String
-## Default: <none>
-##
-po_token: ""
-visitor_data: ""
-
-# -----------------------------
-#  Users and accounts
-# -----------------------------
-
-##
-## Enable/Disable the captcha challenge on the login page.
-##
-## Note: this is a basic captcha challenge that doesn't
-## depend on any third parties.
-##
-## Accepted values: true, false
-## Default: true
-##
-captcha_enabled: false
-
-##
-## List of usernames that will be granted administrator rights.
-## A user with administrator rights will be able to change the
-## server configuration options listed below in /preferences,
-## in addition to the usual user preferences.
-##
-## Server-wide settings:
-##   - popular_enabled
-##   - captcha_enabled
-##   - login_enabled
-##   - registration_enabled
-##   - statistics_enabled
-## Default user preferences:
-##   - default_home
-##   - feed_menu
-##
-## Accepted values: an array of strings
-## Default: [""]
-##
-admins: ["spaenny"]
-
-##
-## Note: This parameter is mandatory and should be a random string.
-## Such random string can be generated on linux with the following
-## command: `pwgen 20 1`
-##
-## Accepted values: a string
-## Default: <none>
-##
-hmac_key: "gNcPHs+DWI4TTZLtHh3EbXWeISHsgUgBFnGpgW4yU9Q="
-
-
-#########################################
-#
-#  Default user preferences
-#
-#########################################
-
-default_user_preferences:
-
-  ##
-  ## Default geographical location for content.
-  ##
-  ## Accepted values:
-  ##   AE, AR, AT, AU, AZ, BA, BD, BE, BG, BH, BO, BR, BY, CA, CH, CL, CO, CR,
-  ##   CY, CZ, DE, DK, DO, DZ, EC, EE, EG, ES, FI, FR, GB, GE, GH, GR, GT, HK,
-  ##   HN, HR, HU, ID, IE, IL, IN, IQ, IS, IT, JM, JO, JP, KE, KR, KW, KZ, LB,
-  ##   LI, LK, LT, LU, LV, LY, MA, ME, MK, MT, MX, MY, NG, NI, NL, NO, NP, NZ,
-  ##   OM, PA, PE, PG, PH, PK, PL, PR, PT, PY, QA, RO, RS, RU, SA, SE, SG, SI,
-  ##   SK, SN, SV, TH, TN, TR, TW, TZ, UA, UG, US, UY, VE, VN, YE, ZA, ZW
-  ##
-  ## Default: US
-  ##
-  region: DE
-
-  ##
-  ## Default feed to display on the home page.
-  ##
-  ## Note: setting this option to "Popular" has no
-  ## effect when 'popular_enabled' is set to false.
-  ##
-  ## Accepted values: Popular, Trending, Subscriptions, Playlists, <none>
-  ## Default: Popular
-  ##
-  default_home: Subscriptions
-
-  # -----------------------------
-  #  Video player behavior
-  # -----------------------------
-
-  ##
-  ## Automatically play videos on page load.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  autoplay: true
-
-  ##
-  ## Automatically load the "next" video (either next in
-  ## playlist or proposed) when the current video ends.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  continue: true
-
-
-  # -----------------------------
-  #  Video playback settings
-  # -----------------------------
-
-  ##
-  ## Default video quality.
-  ##
-  ## Accepted values: dash, hd720, medium, small
-  ## Default: hd720
-  ##
-  quality: dash
-
-  ##
-  ## Default dash video quality.
-  ##
-  ## Note: this setting only takes effet if the
-  ## 'quality' parameter is set to "dash".
-  ##
-  ## Accepted values:
-  ##    auto, best, 4320p, 2160p, 1440p, 1080p,
-  ##    720p, 480p, 360p, 240p, 144p, worst
-  ## Default: auto
-  ##
-  quality_dash: best
-
-  ##
-  ## Save the playback position
-  ## Allow to continue watching at the previous position when
-  ## watching the same video.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  save_player_pos: true

modules/nixos/virtualisation/podman/invidious/config/db.env

@@ -1,3 +0,0 @@
-POSTGRES_USER=philipp
-POSTGRES_PASSWORD=s3cr3tp4ssw0rd
-POSTGRES_DB=invidious

modules/nixos/virtualisation/podman/invidious/default.nix

@@ -1,6 +1,5 @@
 {
   lib,
-  pkgs,
   config,
   namespace,
   ...
@@ -16,6 +15,18 @@ in
   };
 
   config = mkIf cfg.enable {
+    sops.secrets.invidious-db = {
+      format = "dotenv";
+      sopsFile = ../../../../../secrets/invidious-db.env;
+      key = "";
+    };
+
+    sops.secrets.invidious-config = {
+      format = "yaml";
+      sopsFile = ../../../../../secrets/invidious-config.yaml;
+      key = "";
+    };
+
     security.unprivilegedUsernsClone = true;
 
     virtualisation = {
@@ -36,9 +47,7 @@ in
       invidious = {
         image = "quay.io/invidious/invidious:latest-arm64";
         hostname = "invidious";
-        volumes = [
-          "/home/philipp/nix-config/modules/nixos/virtualisation/podman/invidious/config/config.yml:/invidious/config/config.yml"
-        ];
+        volumes = [ "/run/secrets/invidious-config:/invidious/config/config.yml" ];
         ports = [
           "192.168.1.202:3000:3000"
           "[fd00:192:168:1::202]:3000:3000"
@@ -61,9 +70,7 @@ in
           "/home/philipp/nix-config/modules/nixos/virtualisation/podman/invidious/config/sql:/config/sql"
           "/home/philipp/nix-config/modules/nixos/virtualisation/podman/invidious/init-invidious-db.sh:/docker-entrypoint-initdb.d/init-invidious-db.sh"
         ];
-        environmentFiles = [
-          /home/philipp/nix-config/modules/nixos/virtualisation/podman/invidious/config/db.env
-        ];
+        environmentFiles = [ /run/secrets/invidious-db ];
       };
     };
   };