diff --git a/hosts/hetzner-vm/modules/piped/backend.nix b/hosts/hetzner-vm/modules/piped/backend.nix index df5bad2..cea451d 100644 --- a/hosts/hetzner-vm/modules/piped/backend.nix +++ b/hosts/hetzner-vm/modules/piped/backend.nix @@ -4,8 +4,8 @@ let cfg = config.services.piped; backend_config = { - PORT = cfg.backendPort; - HTTP_WORKERS = 2; + PORT = cfg.internalBackendPort; + HTTP_WORKERS = cfg.httpWorkers; PROXY_PART = "https://${cfg.proxyDomain}"; API_URL = "https://${cfg.backendDomain}"; FRONTEND_URL = "https://${cfg.frontendDomain}"; @@ -48,7 +48,7 @@ let in { config = lib.mkIf (cfg.enable && !cfg.disableBackend) { - systemd.tmpfiles.rules = [ "d /run/piped-backend - root root" ]; + systemd.tmpfiles.rules = [ "d /run/piped-backend - piped piped" ]; systemd.services.piped-backend = { wantedBy = [ "multi-user.target" ]; @@ -66,6 +66,20 @@ in { ""} ''}"; ExecStart = "${pkgs.piped-backend}/bin/piped-backend"; + + RestartSec = "5s"; + User = "piped"; + + CapabilityBoundingSet = ""; + PrivateDevices = true; + PrivateUsers = true; + ProtectHome = true; + ProtectKernelLogs = true; + ProtectProc = "invisible"; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; }; }; @@ -93,7 +107,7 @@ in { forceSSL = true; enableACME = true; locations."/" = { - proxyPass = "http://127.0.0.1:${toString cfg.backendPort}"; + proxyPass = "http://127.0.0.1:${toString cfg.internalBackendPort}"; }; }; }; diff --git a/hosts/hetzner-vm/modules/piped/default.nix b/hosts/hetzner-vm/modules/piped/default.nix index b154877..2a8ffa0 100644 --- a/hosts/hetzner-vm/modules/piped/default.nix +++ b/hosts/hetzner-vm/modules/piped/default.nix @@ -32,6 +32,18 @@ in { description = "Don't host proxy"; }; + proxyIPv4Only = mkOption { + type = types.bool; + default = false; + description = "Only use IPv4 querying youtube's servers for proxy"; + }; + + httpWorkers = mkOption { + type = types.number; + default = 2; + description = "Number of workers for HTTP backend tasks"; + }; + feedRetentionDays = mkOption { type = types.number; default = 30; @@ -151,13 +163,22 @@ in { description = "Matrix access token file"; }; - backendPort = mkOption { + internalBackendPort = mkOption { type = types.number; default = 3001; }; + + internalProxyPort = mkOption { + type = types.number; + default = 3002; + }; }; - config = (lib.mkIf cfg.enable) { - environment.systemPackages = with pkgs; [ piped-proxy ]; + config = lib.mkIf (cfg.enable && (!cfg.disableBackend || !cfg.disableProxy)) { + users.users."piped" = { + isSystemUser = true; + group = "piped"; + }; + users.groups.piped = { }; }; } diff --git a/hosts/hetzner-vm/modules/piped/proxy.nix b/hosts/hetzner-vm/modules/piped/proxy.nix index 2e8fa80..37f501c 100644 --- a/hosts/hetzner-vm/modules/piped/proxy.nix +++ b/hosts/hetzner-vm/modules/piped/proxy.nix @@ -24,18 +24,27 @@ let ''; in { config = lib.mkIf (cfg.enable && !cfg.disableProxy) { - systemd.tmpfiles.rules = [ - "d /run/piped-proxy - nginx nginx" - "d /run/piped-proxy/socket - nginx nginx" - ]; - systemd.services.piped-proxy = { wantedBy = [ "multi-user.target" ]; - environment.UDS = "1"; + environment.BIND = "0.0.0.0:${toString cfg.internalProxyPort}"; + environment.IPV4_ONLY = lib.mkIf cfg.proxyIPv4Only "1"; serviceConfig = { - User = "nginx"; WorkingDirectory = "/run/piped-proxy"; ExecStart = "${pkgs.piped-proxy}/bin/piped-proxy"; + + RestartSec = "5s"; + User = "piped"; + + CapabilityBoundingSet = ""; + PrivateDevices = true; + PrivateUsers = true; + ProtectHome = true; + ProtectKernelLogs = true; + ProtectProc = "invisible"; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; }; }; @@ -43,13 +52,13 @@ in { forceSSL = true; enableACME = true; locations."/" = { - proxyPass = "http://unix:/run/piped-proxy/socket/actix.sock"; + proxyPass = "http://localhost:${toString cfg.internalProxyPort}"; extraConfig = proxy_nginx_extras + '' add_header Cache-Control "public, max-age=604800"; ''; }; locations."~ (/videoplayback|/api/v4/|/api/manifest/)" = { - proxyPass = "http://unix:/run/piped-proxy/socket/actix.sock"; + proxyPass = "http://localhost:${toString cfg.internalProxyPort}"; extraConfig = proxy_nginx_extras + '' add_header Cache-Control private always; ''; diff --git a/hosts/hetzner-vm/ports.nix b/hosts/hetzner-vm/ports.nix index b300a59..04c5edd 100644 --- a/hosts/hetzner-vm/ports.nix +++ b/hosts/hetzner-vm/ports.nix @@ -11,6 +11,7 @@ invidious = 3000; piped-backend = 3012; + piped-proxy = 3013; smtp = 25; submission = 587; diff --git a/hosts/hetzner-vm/profiles/piped.nix b/hosts/hetzner-vm/profiles/piped.nix index 130e38e..d112054 100644 --- a/hosts/hetzner-vm/profiles/piped.nix +++ b/hosts/hetzner-vm/profiles/piped.nix @@ -6,6 +6,7 @@ in { frontendDomain = "piped.owo.monster"; backendDomain = "backend.piped.owo.monster"; proxyDomain = "proxy.piped.owo.monster"; - backendPort = ports.piped-backend; + internalBackendPort = ports.piped-backend; + internalProxyPort = ports.piped-proxy; }; }