nixconfig/modules/server/containers/apps/invidious.nix

{ config, containerCfg, pkgs, lib, builder, name, ... }:
let 
  serverCfg = config.syscfg.server;

  patchedInvidious = pkgs.invidious.overrideAttrs (oldAttrs: {
    # If using a standard .patch file:
    # patches = (oldAttrs.patches or []) ++ [ ./your-file-replacement.patch ];

    postPatch = (oldAttrs.postPatch or "") + ''
      cp ${../data/invidious/login.cr} src/invidious/routes/login.cr
    '';
  });

  image = pkgs.dockerTools.streamLayeredImage {
    name = "invidious-custom";
    tag = "1.0.0";
    # Include both patched invidious and companion/helper packages
    contents = [ 
      patchedInvidious 
      pkgs.inv-sig-helper # The companion signature helper tool
      pkgs.bashInteractive 
    ];
    config = {
      # Point to your custom invidious binary location
      Entrypoint = [ "${patchedInvidious}/bin/invidious" ];
      Cmd = [ "--config" "/etc/invidious/config.yml" ];
      ExposedPorts = {
        "3000/tcp" = {}; # Default Invidious web UI port
      };
    };
  };

in {
  sops = true;
  db = true;

  containers = {
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      imageStream = invidiousImage;
      port = 3000;
      secret = name;
      extraEnv = {
        INVIDIOUS_DATABASE_URL = "postgres://invidious_user:\${DB_PASS}@${builder.host}/invidious_db";
        INVIDIOUS_HMAC_KEY = "\${HMAC_KEY}";
        INVIDIOUS_COMPANION_URL = "http://invidious-companion:12999";
        INVIDIOUS_PO_TOKEN = "\${PO_TOKEN}";
        INVIDIOUS_VISITOR_DATA = "\${VISITOR_DATA}";
        INVIDIOUS_PORT = "3000";
        INVIDIOUS_COMPANION_KEY = "\${INVIDIOUS_KEY}";
        INVIDIOUS_DOMAIN = "${containerCfg.subdomain}.${serverCfg.domain}";
        # INVIDIOUS_CONFIG: |
        #     channel_threads: 1
        #     check_tables: true
        #     feed_threads: 1
        #     hmac_key: 1058f1474503055f8663dd99dbae561b9a5b3f1e
        #     db:
        #       dbname: invidious
        #       user: kemal
        #       password: xXrmHRHXcZLF2yDhF2ER4LhZ7FDgW5fb
        #       host: postgres_inv
        #       port: 5432
        #     full_refresh: false
        #     https_only: true
        #     domain: yt.helcel.net
        #     external_port: 80
        #     invidious_companion:
        #     - private_url: "http://invidious-companion:8282/companion"
        #     invidious_companion_key: "fee4cai"

        #     visitor_data: CgtzS3RSVUN
        #     po_token: MnR6UWTyMu4mYnppjHRmSLk
        #registration_enabled: false
      };
    };

    companion = builder.mkContainer {
      image = "quay.io/invidious/invidious-companion:latest";
      port = 8282;
        # - SERVER_SECRET_KEY=fee4caePhoVohjei
        # cap_drop:
        # - ALL
      # security_opt:
      #   - no-new-privileges:true
    };
  };
}