Fix invidious env

2026-05-15 15:41:37 +02:00
parent 3e05dfbc07
commit a94e8beb37
4 changed files with 167 additions and 41 deletions
--- a/modules/server/containers/apps/invidious.nix
+++ b/modules/server/containers/apps/invidious.nix
@@ -13,7 +13,6 @@ let
    tag = pkgs.invidious.version;
    config = {
      Entrypoint = [ "${patchedInvidious}/bin/invidious" ];
-      Cmd = [ "--config" "/etc/invidious/config.yml" ];
      ExposedPorts = { "3000/tcp" = {}; };
    };
  };
@@ -21,6 +20,10 @@ let
 in {
  sops = true;
  db = true;
+  paths = [{
+    path="${serverCfg.configPath}/invidious";
+    mode = "0755";
+  }];

  containers = {
    server = builder.mkContainer {
@@ -28,48 +31,33 @@ in {
      imageStream = invidiousImage;
      port = 3000;
      secret = name;
-      extraEnv = {
-        INVIDIOUS_DATABASE_URL = "postgres://invidious_user:\${DB_PASS}@${builder.host}/invidious_db";
-        INVIDIOUS_HMAC_KEY = "\${HMAC_KEY}";
-        INVIDIOUS_COMPANION_URL = "http://invidious-companion:8282/companion";
-        INVIDIOUS_PO_TOKEN = "\${PO_TOKEN}";
-        INVIDIOUS_VISITOR_DATA = "\${VISITOR_DATA}";
-        INVIDIOUS_PORT = "3000";
-        INVIDIOUS_COMPANION_KEY = "\${INVIDIOUS_KEY}";
-        INVIDIOUS_DOMAIN = "${containerCfg.subdomain}.${serverCfg.domain}";
-        # INVIDIOUS_CONFIG: |
-        #     channel_threads: 1
-        #     check_tables: true
-        #     feed_threads: 1
-        #     hmac_key: 1058f1474503055f8663dd99dbae561b9a5b3f1e
-        #     db:
-        #       dbname: invidious
-        #       user: kemal
-        #       password: xXrmHRHXcZLF2yDhF2ER4LhZ7FDgW5fb
-        #       host: postgres_inv
-        #       port: 5432
-        #     full_refresh: false
-        #     https_only: true
-        #     domain: yt.helcel.net
-        #     external_port: 80
-        #     invidious_companion:
-        #     - private_url: "http://invidious-companion:8282/companion"
-        #     invidious_companion_key: "fee4cai"
-
-        #     visitor_data: CgtzS3RSVUN
-        #     po_token: MnR6UWTyMu4mYnppjHRmSLk
-        #registration_enabled: false
+      overrides = {
+        Cmd = [ "--config" "/data/config.yml" ];
+        volumes = [
+          "${serverCfg.configPath}/invidious:/data:ro"
+        ];
      };
    };

    companion = builder.mkContainer {
      image = "quay.io/invidious/invidious-companion:latest";
      port = 8282;
-        # - SERVER_SECRET_KEY=fee4caePhoVohjei
-        # cap_drop:
-        # - ALL
-      # security_opt:
-      #   - no-new-privileges:true
+      secret = name; #SERVER_SECRET_KEY = INVIDIOUS_COMPANION_KEY
+      extraOptions = [
+        "--cap-drop=all"
+        "--security-opt=no-new-privileges"
+      ];
    };
  };
+
+  setup = {
+    trigger = "server";
+    envFile = [ config.sops.secrets."INVIDIOUS".path config.sops.secrets."CUSTOM".path ];
+    script = pkgs.writeShellScript "setup" ''
+      export DB_HOST=${builder.host}
+      export INVIDIOUS_DOMAIN=${containerCfg.subdomain}.${serverCfg.domain}
+
+      ${pkgs.gettext}/bin/envsubst < "${../data/invidious/config.yml}" > "${serverCfg.configPath}/invidious/config.yml"
+    '';
+  };
 }