-rw-r--r--nixos/kanata/configuration.nix12
-rw-r--r--nixos/kanata/secrets/secrets.yaml5
2 files changed, 15 insertions, 2 deletions
diff --git a/nixos/kanata/configuration.nix b/nixos/kanata/configuration.nix
index c575e06..ee0c15a 100644
--- a/nixos/kanata/configuration.nix
+++ b/nixos/kanata/configuration.nix
@@ -96,6 +96,8 @@ in
   sops.secrets.grafana-admin-pass = { owner = "grafana"; };
   sops.secrets.cf-kusanari-kanata-credentials = { owner = "cloudflared"; };
   sops.secrets.nitter-account-jsonl = { };
+  # TODO: insecure?
+  sops.secrets.invidious-hmac = { mode = "0444"; };
 
   boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
   boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
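Review bot: `mode = "0444"` on `sops.secrets.invidious-hmac` leaves the decrypted HMAC key readable by every local user and every other service on the host, so the answer to the TODO above it is yes; the neighbouring secrets keep sops-nix's default `0400` and only set `owner`. The key is consumed by `services.invidious` in the last hunk of this file, via `secrets.invidious-hmac-key`, and that module is not visible here. If it runs under a static account, `sops.secrets.invidious-hmac = { owner = "invidious"; };` would match the other entries; the user name is an assumption to check against the module. If it uses a systemd dynamic user, which would explain the world-readable mode, the module could hand the file over with `LoadCredential` so the secret can stay root-owned at `0400`. The enclosing attribute set starts and ends outside this hunk.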
@@ -143,6 +145,7 @@ in
         "dns.kusanari.network" = "http://localhost:4000";
         "metrics.kusanari.network" = "http://localhost:4001";
         "nitter.kusanari.network" = "http://localhost:4002";
+        "invidious.kusanari.network" = "http://localhost:4003";
 
         # Nginx pre-configured routes
         # NOTE: Routes with port 80 or 443 will NOT create corresponding nginx virtualHosts.
@@ -174,6 +177,7 @@ in
             "jellyfin"
             "dns"
             "metrics"
+            "invidious"
           ];
         };
       };
@@ -213,6 +217,14 @@ in
       realHost = "nitter.kusanari.network";
       secrets.nitter-guest-accounts = config.sops.secrets.nitter-account-jsonl.path;
     };
+
+    services.invidious = {
+      enable = true;
+
+      domain = "kusanari.network";
+      realHost = "invidious.kusanari.network";
+      secrets.invidious-hmac-key = config.sops.secrets.invidious-hmac.path;
+    };
   };
 
   # This option defines the first version of NixOS you have installed on this particular machine,
diff --git a/nixos/kanata/secrets/secrets.yaml b/nixos/kanata/secrets/secrets.yaml
index c24ab8f..d6ca875 100644
--- a/nixos/kanata/secrets/secrets.yaml
+++ b/nixos/kanata/secrets/secrets.yaml
@@ -7,6 +7,7 @@ grafana-admin-pass: ENC[AES256_GCM,data:waHiV4NyatwQrvRkws8FQut49/ryh9srNSshUbvm
 cf-kusanari-kanata-credentials: ENC[AES256_GCM,data:whwnxMT9JS3iDHbGTk2FoeDBiug26JoRWlyA3sOij861PVJZBEvQJubXD2E5hSwJhyoMIUpb8wgnvB/6GhznouwWfsNh7I39wcaxvHArTNkW+LXrAu8m7ra5dtSUHhPUQifLNYB/TsKHsB+TMhc5IMD6hAHs4uraZHmF1cej8PufTDKDLHjwVwDDJSP1ujQaUrRUvp4NUc8ImVCwnG0PYCVv,iv:umi4Yj11E6+BriksGLzvm+YW7NuARmRtvHz2cixILQA=,tag:+LQs2veOW0CmSKCUNtd9KA==,type:str]
 nitter-account-jsonl: ENC[AES256_GCM,data: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,iv:joZcbUidniBqGu9Lkg6wd+mBdmgU/inbPEOlXewU5U4=,tag:y8Uv4zxuTAsTKB+OB4S6Xw==,type:str]
 acme-credentials: ENC[AES256_GCM,data:6SIuFH3sRcz/Z855br7VgFKEEA1crztKmhVd3chK7ERJpfG9pTxxX0mAxG3aK5OhXwZpDMp0YkxtEphdkb5m0ZU=,iv:bUMtK0SvtrNwlhuY1k0dNVIOcJgM1OLjmbl+X+Zj01E=,tag:x6kdGrSsImZlpHrPnEAmXA==,type:str]
+invidious-hmac: ENC[AES256_GCM,data:uIw4aQm6oYd5heSxrJnt6Nvc+fTPLMSEDtDyZ/ayogl6qx/gPg==,iv:8AVzwO9peE0UC70nLxBxHKzTcitrzvBvy120fdQD1+c=,tag:rr7MOqgOFFxXN8W+9MKvLg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -31,8 +32,8 @@ sops:
             YkRGS2ZBbm1keWpUQUFOWDRtTWZVa0EKc+lKEP0L/yoFLx6p1zbWfifPWc7Y9Qqh
             qccODSyHqzwdriHLxXuw9SCnF+SeA721te6+pDVhJj8vqv2UqHiATw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-02-02T18:48:14Z"
-    mac: ENC[AES256_GCM,data:YOxc3pObGAcGy4tenuxsOTLr8uKMud/z/MarbTTZFv2VKT0DQPOdMVMWL52Ho4B2JcmAPzDjKhtOyLQi9VTA3NAEJyuroqsQri9G2atd8KluCv6puKO+ZjYyDvYlgErCfpAdhUs3xU53HEKKqicqMGc/qg2h+LEdYE4ECW+1/Mk=,iv:B0PcNaedmI+AoQu6nR5TpHi7BjLV3XP5ZLpEERMqw3k=,tag:Dpr7fbK7w6sbMCb8uK9LWA==,type:str]
+    lastmodified: "2024-02-03T10:47:06Z"
+    mac: ENC[AES256_GCM,data:CjpuqcU0X7SPnnyomY3+RtdlrJn5UTlJHiizUo6FTdcgv0k23FTw7v9dYbIMOeP+3PUDhykTB9cHwNgc2gsMSQQXJVuRaTD47kPqc7Scxb7gcZ3EURNN7Dwt7gwDVlWRqRWtazKGYX9AIfboDHRI4F1No3LIjTayzaYO1tjXADA=,iv:vP/nOuO0vC5q4g0o8qqHXGLd/Q64X0RGCw6cpeTZ6ik=,tag:0BFv8bXa3JbOZyDSBIaPew==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1