nixos/invidious: add options for configuring inv-sig-helper
999eagle authored and GaetanLepage committed Sep 28, 2024
1 parent 6485f89 commit ced0da1
Showing 2 changed files with 81 additions and 0 deletions.
60 changes: 60 additions & 0 deletions nixos/modules/services/web-apps/invidious.nix
Expand Up @@ -199,6 +199,41 @@ let
};
};

sigHelperConfig = lib.mkIf cfg.sig-helper.enable {
services.invidious.settings.signature_server = "tcp://${cfg.sig-helper.listenAddress}";
systemd.services.invidious-sig-helper = {
script = ''
exec ${lib.getExe cfg.sig-helper.package} --tcp "${cfg.sig-helper.listenAddress}"
'';
wantedBy = [ "multi-user.target" ];
before = [ "invidious.service" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
serviceConfig = {
User = "invidious-sig-helper";
DynamicUser = true;
Restart = "always";

PrivateTmp = true;
PrivateUsers = true;
ProtectSystem = true;
ProtectProc = "invisible";
ProtectHome = true;
PrivateDevices = true;
NoNewPrivileges = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
CapabilityBoundingSet = "";
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" "@network-io" ];
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
};
};
};

nginxConfig = lib.mkIf cfg.nginx.enable {
services.invidious.settings = {
https_only = config.services.nginx.virtualHosts.${cfg.domain}.forceSSL;
Expand Down Expand Up @@ -392,12 +427,37 @@ in

package = lib.mkPackageOptionMD pkgs "http3-ytproxy" { };
};

sig-helper = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to enable and configure inv-sig-helper to emulate the youtube client's javascript. This is required
to make certain videos playable.
This will download and run completely untrusted javascript from youtube! While this service is sandboxed,
this may still be an issue!
'';
};

package = lib.mkPackageOption pkgs "inv-sig-helper" { };

listenAddress = lib.mkOption {
type = lib.types.str;
default = "127.0.0.1:2999";
description = ''
The IP address/port where inv-sig-helper should listen.
'';
};
};
};

config = lib.mkIf cfg.enable (lib.mkMerge [
serviceConfig
localDatabaseConfig
nginxConfig
ytproxyConfig
sigHelperConfig
]);
}
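Review bot: `ProtectSystem = true` in the new `invidious-sig-helper` serviceConfig only makes /usr, /boot and /efi read-only, which is out of step with the rest of the hardening for a unit whose own option description says it executes untrusted JavaScript; `ProtectSystem = "strict";` should be viable here, since the unit declares no StateDirectory and nothing on the page suggests the helper writes anywhere, and `RestrictRealtime = true; RestrictSUIDSGID = true; LockPersonality = true;` would round out the existing set. The `--tcp "${cfg.sig-helper.listenAddress}"` in `script` quotes the option value by hand, so a value containing a double quote or `$` would break or change the command line; `--tcp ${lib.escapeShellArg cfg.sig-helper.listenAddress}` is the usual nixpkgs idiom and is safe for any string. The `listenAddress` description should also say what moving it off loopback implies: the module feeds the same address to `signature_server` as a bare `tcp://` URL with nothing on the page indicating authentication on that socket, so a non-loopback bind exposes the helper to the network, e.g. `Keep this on a loopback address unless the network between invidious and the helper is trusted; the socket carries no authentication.`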
21 changes: 21 additions & 0 deletions nixos/tests/invidious.nix
Expand Up @@ -37,6 +37,19 @@ import ./make-test-python.nix ({ pkgs, ... }: {
};
networking.hosts."127.0.0.1" = [ "invidious.example.com" ];
};
nginx-sig-helper.configuration = {
services.invidious = {
nginx.enable = true;
domain = "invidious.example.com";
sig-helper.enable = true;
settings.log_level = "Trace";
};
services.nginx.virtualHosts."invidious.example.com" = {
forceSSL = false;
enableACME = false;
};
networking.hosts."127.0.0.1" = [ "invidious.example.com" ];
};
nginx-scale.configuration = {
services.invidious = {
nginx.enable = true;
Expand Down Expand Up @@ -116,6 +129,14 @@ import ./make-test-python.nix ({ pkgs, ... }: {
curl_assert_status_code("http://invidious.example.com/vi/dQw4w9WgXcQ/mqdefault.jpg", 502)
machine.succeed("journalctl -eu http3-ytproxy.service | grep -o 'dQw4w9WgXcQ'")
activate_specialisation("nginx-sig-helper")
machine.wait_for_unit("invidious-sig-helper.service")
# we can't really test the sig helper that well without internet connection...
# invidious does connect to the sig helper though and crashes when the sig helper is not available
machine.wait_for_open_port(80)
curl_assert_status_code("http://invidious.example.com/search", 200)
machine.succeed("journalctl -eu invidious.service | grep -o \"SigHelper: Using helper at 'tcp://127.0.0.1:2999'\"")
postgres_tcp.wait_for_unit("postgresql.service")
activate_specialisation("postgres-tcp")
machine.wait_for_open_port(port)
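Review bot: `machine.wait_for_unit("invidious-sig-helper.service")` returns as soon as the unit is active, and with the unit's default `Type=simple` that is before the helper has bound its socket, so the `curl_assert_status_code(".../search", 200)` that follows can still race the listener and fail intermittently; add `machine.wait_for_open_port(2999)` immediately after the wait_for_unit call (2999 is the module default, already hard-coded in the `journalctl` grep below). The same readiness gap exists in the module's `before = [ "invidious.service" ]` ordering, which the comment in this hunk about invidious crashing when the helper is unavailable hints at; whether a notify-type unit or a startup readiness check is possible depends on what inv-sig-helper supports, so that part is only worth a follow-up note. The test script string continues outside the hunk.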
