gador/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/invidious: generate hmac_key automatically

Browse Source 
This change also generates the invidious config by putting JSON
snippets into a bash array and then using jq to merge them all into
a single configuration where later elements override previous
elements.
This commit is contained in:
Sophie Tauchert
2023-08-10 15:59:15 +02:00
parent 3984fbf02b
commit 1a3b7f61b2
1 changed files with 52 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
nixos/modules/services/web-apps/invidious.nix
View File

@@ -7,6 +7,9 @@ let
settingsFile = settingsFormat.generate "invidious-settings" cfg.settings; settingsFile = settingsFormat.generate "invidious-settings" cfg.settings;
generatedHmacKeyFile = "/var/lib/invidious/hmac_key";
generateHmac = cfg.hmacKeyFile == null;
serviceConfig = { serviceConfig = {
systemd.services.invidious = { systemd.services.invidious = {
description = "Invidious (An alternative YouTube front-end)"; description = "Invidious (An alternative YouTube front-end)";
@@ -14,22 +17,47 @@ let
after = [ "network-online.target" ]; after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
script = preStart = lib.optionalString generateHmac ''
let if [[ ! -e "${generatedHmacKeyFile}" ]]; then
jqFilter = "." ${pkgs.pwgen}/bin/pwgen 20 1 > "${generatedHmacKeyFile}"
+ lib.optionalString (cfg.database.host != null) "[0].db.password = \"'\"'\"$(cat ${lib.escapeShellArg cfg.database.passwordFile})\"'\"'\"" chmod 0600 "${generatedHmacKeyFile}"
+ " | .[0]" fi
+ lib.optionalString (cfg.extraSettingsFile != null) " * .[1]"; '';
jqFiles = [ settingsFile ] ++ lib.optional (cfg.extraSettingsFile != null) cfg.extraSettingsFile;
in script = ''
configParts=()
'' ''
export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s "${jqFilter}" ${lib.escapeShellArgs jqFiles})" # autogenerated hmac_key
+ lib.optionalString generateHmac ''
configParts+=("$(${pkgs.jq}/bin/jq -R '{"hmac_key":.}' <"${generatedHmacKeyFile}")")
''
# generated settings file
+ ''
configParts+=("$(< ${lib.escapeShellArg settingsFile})")
''
# optional database password file
+ lib.optionalString (cfg.database.host != null) ''
configParts+=("$(${pkgs.jq}/bin/jq -R '{"db":{"password":.}}' ${lib.escapeShellArg cfg.database.passwordFile})")
''
# optional extra settings file
+ lib.optionalString (cfg.extraSettingsFile != null) ''
configParts+=("$(< ${lib.escapeShellArg cfg.extraSettingsFile})")
''
# explicitly specified hmac key file
+ lib.optionalString (cfg.hmacKeyFile != null) ''
configParts+=("$(< ${lib.escapeShellArg cfg.hmacKeyFile})")
''
# merge all parts into a single configuration with later elements overriding previous elements
+ ''
export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s 'reduce .[] as $item ({}; . * $item)' <<<"''${configParts[*]}")"
exec ${cfg.package}/bin/invidious exec ${cfg.package}/bin/invidious
''; '';
serviceConfig = { serviceConfig = {
RestartSec = "2s"; RestartSec = "2s";
DynamicUser = true; DynamicUser = true;
StateDirectory = "invidious";
StateDirectoryMode = "0750";
CapabilityBoundingSet = ""; CapabilityBoundingSet = "";
PrivateDevices = true; PrivateDevices = true;
@@ -171,6 +199,18 @@ in
''; '';
}; };
hmacKeyFile = lib.mkOption {
type = types.nullOr types.path;
default = null;
description = lib.mdDoc ''
A path to a file containing the `hmac_key`. If `null`, a key will be generated automatically on first
start.
If non-`null`, this option overrides any `hmac_key` specified in {option}`services.invidious.settings` or
via {option}`services.invidious.extraSettingsFile`.
'';
};
extraSettingsFile = lib.mkOption { extraSettingsFile = lib.mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = null; default = null;