piped-{backend,frontend,proxy} & nixos module

flake.nix

@@ -10,7 +10,8 @@
     #nix-darwin-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";
 
     # update whenever
-    nixpkgs-fixed.url = "github:nixos/nixpkgs/?branch=nixos-unstable&rev=20fc948445a6c22d4e8d5178e9a6bc6e1f5417c8";
+    nixpkgs-fixed.url =
+      "github:nixos/nixpkgs/?branch=nixos-unstable&rev=20fc948445a6c22d4e8d5178e9a6bc6e1f5417c8";
 
     nur.url = "github:nix-community/NUR";
 

home/backup-apps.nix

@@ -1,5 +1 @@
-{pkgs, ...}: {
-  home.packages = with pkgs; [
-    gitlab_archiver
-  ];
-}
+{ pkgs, ... }: { home.packages = with pkgs; [ gitlab_archiver ]; }

home/dev/all/extra.nix

@@ -7,8 +7,6 @@
     tmux
     socat
     file
-    (pkgs.busybox.override {
-      enableAppletSymlinks = false;
-    })
+    (pkgs.busybox.override { enableAppletSymlinks = false; })
   ];
 }

hosts/buildbox/hardware.nix

@@ -4,7 +4,8 @@
     [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
   boot.kernelModules = [ "kvm-amd" ];
 
-  boot.initrd.services.swraid.mdadmConf = config.environment.etc."mdadm.conf".text;
+  boot.initrd.services.swraid.mdadmConf =
+    config.environment.etc."mdadm.conf".text;
 
   fileSystems."/" = {
     device = "/dev/disk/by-label/root";
@@ -21,6 +22,6 @@
     efiSupport = false;
     version = 2;
     device = "nodev";
-    devices = [ "/dev/sda" "/dev/sdb"];
+    devices = [ "/dev/sda" "/dev/sdb" ];
   };
 }

hosts/buildbox/networking.nix

@@ -19,7 +19,7 @@
     networks.eth0 = {
       name = "eth0";
       address = [ "144.76.97.18" ];
-      gateway = [  "144.76.97.1" ];
+      gateway = [ "144.76.97.1" ];
     };
   };
 }

hosts/hetzner-vm/hetzner-vm.nix

@@ -5,6 +5,7 @@
     users.root
 
     hosts.hetzner-vm.modules.mailserver
+    hosts.hetzner-vm.modules.piped
 
     profiles.base
     profiles.sshd
@@ -13,6 +14,7 @@
 
     hosts.hetzner-vm.profiles.restic
     hosts.hetzner-vm.profiles.invidious
+    hosts.hetzner-vm.profiles.piped
     hosts.hetzner-vm.profiles.quassel
     hosts.hetzner-vm.profiles.mpd
     hosts.hetzner-vm.profiles.mailserver

hosts/hetzner-vm/modules/mailserver/default.nix

@@ -95,7 +95,7 @@ in {
           };
         };
       });
-      default = {};
+      default = { };
     };
   };
 }

hosts/hetzner-vm/modules/piped/backend.nix

@@ -0,0 +1,70 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+  cfg = config.services.piped;
+
+  backend_config = {
+    PORT = cfg.backend_port;
+    HTTP_WORKERS = 2;
+    PROXY_PART = "https://${cfg.proxy_domain}"; # TODO: fix
+    API_URL = "https://${cfg.backend_domain}";
+    FRONTEND_URL = "https://${cfg.frontend_domain}";
+    DISABLE_REGISTRATION = false;
+    COMPROMISED_PASSWORD_CHECK = false;
+    FEED_RETENTION = 30;
+    "hibernate.connection.url" = "jdbc:postgresql://localhost:5432/piped";
+    "hibernate.connection.driver_class" = "org.postgresql.Driver";
+    "hibernate.dialect" = "org.hibernate.dialect.PostgreSQLDialect";
+    "hibernate.connection.username" = "piped";
+    "hibernate.connection.password" = "password";
+  };
+
+  cfgToString = v: if builtins.isBool v then boolToString v else toString v;
+  backend_config_file = pkgs.writeText "config.properties"
+    (concatStringsSep "\n"
+      (mapAttrsToList (n: v: "${n}:${cfgToString v}") backend_config));
+
+in {
+  config = (lib.mkIf cfg.enable) {
+    systemd.tmpfiles.rules = [ "d /run/piped-backend - root root" ];
+
+    systemd.services.piped-backend = {
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        WorkingDirectory = "/run/piped-backend";
+        ExecStartPre = "${pkgs.writeShellScript "piped-backend-init" ''
+          cp ${backend_config_file} /run/piped-backend/config.properties
+        ''}";
+        ExecStart = "${pkgs.piped-backend}/bin/piped-backend";
+      };
+    };
+
+    systemd.services.piped-password = {
+      serviceConfig.Type = "oneshot";
+      wantedBy = [ "piped-backend.service" ];
+      wants = [ "postgresql.service" ];
+      after = [ "postgresql.service" ];
+      script = ''
+        ${pkgs.postgresql}/bin/psql -c "ALTER USER piped WITH PASSWORD 'password';"
+      '';
+      serviceConfig.User = "postgres";
+    };
+
+    services.postgresql = {
+      enable = true;
+      ensureUsers = [{
+        name = "piped";
+        ensurePermissions."DATABASE piped" = "ALL PRIVILEGES";
+      }];
+      ensureDatabases = [ "piped" ];
+    };
+
+    services.nginx.virtualHosts."${cfg.backend_domain}" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.backend_port}";
+      };
+    };
+  };
+}

hosts/hetzner-vm/modules/piped/default.nix

@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let cfg = config.services.piped;
+in {
+  options.services.piped = {
+    enable = mkEnableOption "piped";
+
+    frontend_domain = mkOption { type = types.str; };
+    backend_domain = mkOption { type = types.str; };
+    proxy_domain = mkOption { type = types.str; };
+
+    backend_port = mkOption {
+      type = types.number;
+      default = 3001;
+    };
+  };
+
+  config = (lib.mkIf cfg.enable) {
+    environment.systemPackages = with pkgs; [ piped-proxy ];
+  };
+}

hosts/hetzner-vm/modules/piped/frontend.nix

@@ -0,0 +1,16 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+  cfg = config.services.piped;
+  frontend-package =
+    (pkgs.piped-frontend.override { backendDomain = cfg.backend_domain; });
+
+in {
+  config = (lib.mkIf cfg.enable) {
+    services.nginx.virtualHosts."${cfg.frontend_domain}" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = { root = "${frontend-package}/share/piped-frontend"; };
+    };
+  };
+}

hosts/hetzner-vm/modules/piped/proxy.nix

@@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+  cfg = config.services.piped;
+
+  proxy_nginx_extras = ''
+    proxy_buffering on;
+    proxy_buffers 1024 16k;
+    proxy_set_header X-Forwarded-For "";
+    proxy_set_header CF-Connecting-IP "";
+    proxy_hide_header "alt-svc";
+    sendfile on;
+    sendfile_max_chunk 512k;
+    tcp_nopush on;
+    aio threads=default;
+    aio_write on;
+    directio 16m;
+    proxy_hide_header Cache-Control;
+    proxy_hide_header etag;
+    proxy_http_version 1.1;
+    proxy_set_header Connection keep-alive;
+    proxy_max_temp_file_size 32m;
+    access_log off;
+  '';
+in {
+  systemd.tmpfiles.rules = [
+    "d /run/piped-proxy - nginx nginx"
+    "d /run/piped-proxy/socket - nginx nginx"
+  ];
+
+  systemd.services.piped-proxy = {
+    wantedBy = [ "multi-user.target" ];
+    environment.UDS = "1";
+    serviceConfig = {
+      User = "nginx";
+      WorkingDirectory = "/run/piped-proxy";
+      ExecStart = "${pkgs.piped-proxy}/bin/piped-proxy";
+    };
+  };
+
+  services.nginx.virtualHosts."${cfg.proxy_domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://unix:/run/piped-proxy/socket/actix.sock";
+      extraConfig = proxy_nginx_extras + ''
+        add_header Cache-Control "public, max-age=604800";
+      '';
+    };
+    locations."~ (/videoplayback|/api/v4/|/api/manifest/)" = {
+      proxyPass = "http://unix:/run/piped-proxy/socket/actix.sock";
+      extraConfig = proxy_nginx_extras + ''
+        add_header Cache-Control private always;
+      '';
+    };
+  };
+}

hosts/hetzner-vm/ports.nix

@@ -10,6 +10,8 @@
 
   invidious = 3000;
 
+  piped-backend = 3012;
+
   smtp = 25;
   submission = 587;
   submission_ssl = 465;

hosts/hetzner-vm/profiles/invidious.nix

@@ -36,7 +36,7 @@ in {
 
   systemd.services.invidious.serviceConfig = {
     Restart = "always";
-    RuntimeMaxSec = "${toString (60*60*2)}";
+    RuntimeMaxSec = "${toString (60 * 60 * 2)}";
   };
 
   services.nginx.virtualHosts."invidious.owo.monster" = {

hosts/hetzner-vm/profiles/piped.nix

@@ -0,0 +1,11 @@
+{ ... }:
+let ports = (import ../ports.nix { });
+in {
+  services.piped = {
+    enable = true;
+    frontend_domain = "piped.owo.monster";
+    backend_domain = "backend.piped.owo.monster";
+    proxy_domain = "proxy.piped.owo.monster";
+    backend_port = ports.piped-backend;
+  };
+}

hosts/storage/profiles/rclone-serve.nix

@@ -116,7 +116,7 @@ in {
 
   networking.firewall.allowedTCPPorts = [ 80 443 ];
 
-  services.nginx.clientMaxBodySize = "${toString (8192*4)}m";
+  services.nginx.clientMaxBodySize = "${toString (8192 * 4)}m";
 
   services.nginx.virtualHosts."storage-webdav.owo.monster" = {
     forceSSL = true;

hosts/storage/secrets.nix

@@ -29,7 +29,7 @@
         sed -i "s/$replace_account/$api_account/" "$3"
         sed -i "s/$replace_key/$api_key/" "$3"
       }
-    
+
       simple_get_replace_crypt() {
         password=$(simple_get "$1" .password | replace_slash_for_sed)
         salt=$(simple_get "$1" .salt | replace_slash_for_sed)

hosts/tablet/tablet.nix

@@ -51,43 +51,43 @@
     supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
     mandatoryFeatures = [ ];
   }];
-  nix.distributedBuilds = true;
+  nix.distributedBuilds = true; # true;
   nix.extraOptions = "builders-use-substitutes = true";
 
-  services.telegraf = {
-    enable = true;
-    extraConfig = {
-      inputs.mem = { };
-      inputs.systemd_units = { pattern = ""; };
-      outputs.websocket = {
-        url = "ws://127.0.0.1:9002/test";
-        use_text_frames = true;
-        data_format = "json";
-      };
-      outputs.file = {
-        files = [ "/tmp/telegraf-output" ];
-        data_format = "json";
-        flush_interval = "1s";
-        flush_jitter = "1s";
-        metric_batch_size = 10;
-      };
-    };
-  };
+  #services.telegraf = {
+  #  enable = true;
+  #  extraConfig = {
+  #    inputs.mem = { };
+  #    inputs.systemd_units = { pattern = ""; };
+  #    outputs.websocket = {
+  #      url = "ws://127.0.0.1:9002/test";
+  #      use_text_frames = true;
+  #      data_format = "json";
+  #    };
+  #    outputs.file = {
+  #      files = [ "/tmp/telegraf-output" ];
+  #      data_format = "json";
+  #      flush_interval = "1s";
+  #      flush_jitter = "1s";
+  #      metric_batch_size = 10;
+  #    };
+  #  };
+  #};
 
-  services.datadog-agent = {
-    enable = true;
-    apiKeyFile = "/tmp/key";
-    site = "datadoghq.eu";
-    checks = {
-      systemd = {
-        init_config = null;
-        instances = [{ unit_names = [ "postgresql.service" "none.service" ]; }];
-      };
-    };
-  };
-  systemd.services.datadog-agent.environment = {
-    ASSUME_NO_MOVING_GC_UNSAFE_RISK_IT_WITH = "go1.19";
-  };
+  #services.datadog-agent = {
+  #  enable = true;
+  #  apiKeyFile = "/tmp/key";
+  #  site = "datadoghq.eu";
+  #  checks = {
+  #    systemd = {
+  #      init_config = null;
+  #      instances = [{ unit_names = [ "postgresql.service" "none.service" ]; }];
+  #    };
+  #  };
+  #};
+  #systemd.services.datadog-agent.environment = {
+  #  ASSUME_NO_MOVING_GC_UNSAFE_RISK_IT_WITH = "go1.19";
+  #};
 
   networking.hostName = "tablet";
   time.timeZone = "Europe/London";

overlay/default.nix

@@ -7,5 +7,8 @@ final: prev: {
     lsquic = final.callPackage ./invidious/lsquic.nix { };
     videojs = final.callPackage ./invidious/videojs.nix { };
   };
-  misskey-static = final.callPackage ./misskey {};
+  misskey-static = final.callPackage ./misskey { };
+  piped-backend = final.callPackage ./piped/backend { };
+  piped-frontend = final.callPackage ./piped/frontend { };
+  piped-proxy = final.callPackage ./piped/proxy { };
 }

overlay/invidious/default.nix

@@ -1,4 +1,5 @@
-{ lib, stdenv, crystal, fetchFromGitHub, librsvg, pkg-config, libxml2, openssl, shards, sqlite, lsquic, videojs, nixosTests }:
+{ lib, stdenv, crystal, fetchFromGitHub, librsvg, pkg-config, libxml2, openssl
+, shards, sqlite, lsquic, videojs, nixosTests }:
 let
   # All versions, revisions, and checksums are stored in ./versions.json.
   # The update process is the following:
@@ -13,8 +14,7 @@ let
   #       the same version of lsquic and lsquic requires the boringssl
   #       commit mentioned in its README
   versions = builtins.fromJSON (builtins.readFile ./versions.json);
-in
-crystal.buildCrystalPackage rec {
+in crystal.buildCrystalPackage rec {
   pname = "invidious";
   inherit (versions.invidious) version;
 
@@ -25,41 +25,56 @@ crystal.buildCrystalPackage rec {
     inherit (versions.invidious) rev sha256;
   };
 
-  postPatch =
-    let
-      # Replacing by the value (templates) of the variables ensures that building
-      # fails if upstream changes the way the metadata is formatted.
-      branchTemplate = ''{{ "#{`git branch | sed -n '/* /s///p'`.strip}" }}'';
-      commitTemplate = ''{{ "#{`git rev-list HEAD --max-count=1 --abbrev-commit`.strip}" }}'';
-      versionTemplate = ''{{ "#{`git log -1 --format=%ci | awk '{print $1}' | sed s/-/./g`.strip}" }}'';
-      # This always uses the latest commit which invalidates the cache even if
-      # the assets were not changed
-      assetCommitTemplate = ''{{ "#{`git rev-list HEAD --max-count=1 --abbrev-commit -- assets`.strip}" }}'';
-    in
-    ''
-      for d in ${videojs}/*; do ln -s "$d" assets/videojs; done
+  postPatch = let
+    # Replacing by the value (templates) of the variables ensures that building
+    # fails if upstream changes the way the metadata is formatted.
+    branchTemplate = ''{{ "#{`git branch | sed -n '/* /s///p'`.strip}" }}'';
+    commitTemplate =
+      ''{{ "#{`git rev-list HEAD --max-count=1 --abbrev-commit`.strip}" }}'';
+    versionTemplate = ''
+      {{ "#{`git log -1 --format=%ci | awk '{print $1}' | sed s/-/./g`.strip}" }}'';
+    # This always uses the latest commit which invalidates the cache even if
+    # the assets were not changed
+    assetCommitTemplate = ''
+      {{ "#{`git rev-list HEAD --max-count=1 --abbrev-commit -- assets`.strip}" }}'';
+  in ''
+    for d in ${videojs}/*; do ln -s "$d" assets/videojs; done
 
-      # Use the version metadata from the derivation instead of using git at
-      # build-time
-      substituteInPlace src/invidious.cr \
-          --replace ${lib.escapeShellArg branchTemplate} '"master"' \
-          --replace ${lib.escapeShellArg commitTemplate} '"${lib.substring 0 7 versions.invidious.rev}"' \
-          --replace ${lib.escapeShellArg versionTemplate} '"${lib.replaceChars ["-"] ["."] (lib.substring 9 10 version)}"' \
-          --replace ${lib.escapeShellArg assetCommitTemplate} '"${lib.substring 0 7 versions.invidious.rev}"'
+    # Use the version metadata from the derivation instead of using git at
+    # build-time
+    substituteInPlace src/invidious.cr \
+        --replace ${lib.escapeShellArg branchTemplate} '"master"' \
+        --replace ${lib.escapeShellArg commitTemplate} '"${
+          lib.substring 0 7 versions.invidious.rev
+        }"' \
+        --replace ${lib.escapeShellArg versionTemplate} '"${
+          lib.replaceChars [ "-" ] [ "." ] (lib.substring 9 10 version)
+        }"' \
+        --replace ${lib.escapeShellArg assetCommitTemplate} '"${
+          lib.substring 0 7 versions.invidious.rev
+        }"'
 
-      # Patch the assets and locales paths to be absolute
-      substituteInPlace src/invidious.cr \
-          --replace 'public_folder "assets"' 'public_folder "${placeholder "out"}/share/invidious/assets"'
-      substituteInPlace src/invidious/helpers/i18n.cr \
-          --replace 'File.read("locales/' 'File.read("${placeholder "out"}/share/invidious/locales/'
+    # Patch the assets and locales paths to be absolute
+    substituteInPlace src/invidious.cr \
+        --replace 'public_folder "assets"' 'public_folder "${
+          placeholder "out"
+        }/share/invidious/assets"'
+    substituteInPlace src/invidious/helpers/i18n.cr \
+        --replace 'File.read("locales/' 'File.read("${
+          placeholder "out"
+        }/share/invidious/locales/'
 
-      # Reference sql initialisation/migration scripts by absolute path
-      substituteInPlace src/invidious/database/base.cr \
-            --replace 'config/sql' '${placeholder "out"}/share/invidious/config/sql'
+    # Reference sql initialisation/migration scripts by absolute path
+    substituteInPlace src/invidious/database/base.cr \
+          --replace 'config/sql' '${
+            placeholder "out"
+          }/share/invidious/config/sql'
 
-      substituteInPlace src/invidious/user/captcha.cr \
-          --replace 'Process.run(%(rsvg-convert' 'Process.run(%(${lib.getBin librsvg}/bin/rsvg-convert'
-    '';
+    substituteInPlace src/invidious/user/captcha.cr \
+        --replace 'Process.run(%(rsvg-convert' 'Process.run(%(${
+          lib.getBin librsvg
+        }/bin/rsvg-convert'
+  '';
 
   nativeBuildInputs = [ pkg-config shards ];
   buildInputs = [ libxml2 openssl sqlite ];

overlay/invidious/lsquic.nix

@@ -1,4 +1,5 @@
-{ lib, boringssl, stdenv, fetchgit, fetchFromGitHub, fetchurl, cmake, zlib, perl, libevent }:
+{ lib, boringssl, stdenv, fetchgit, fetchFromGitHub, fetchurl, cmake, zlib, perl
+, libevent }:
 let
   versions = builtins.fromJSON (builtins.readFile ./versions.json);
 
@@ -28,28 +29,31 @@ let
       # version does not yet include fixes for gcc11 build errors, they
       # must be backported
       (fetchGitilesPatch {
-        name = "fix-mismatch-between-header-and-implementation-of-bn_sqr_comba8.patch";
-        url = "https://boringssl.googlesource.com/boringssl/+/139adff9b27eaf0bdaac664ec4c9a7db2fe3f920";
+        name =
+          "fix-mismatch-between-header-and-implementation-of-bn_sqr_comba8.patch";
+        url =
+          "https://boringssl.googlesource.com/boringssl/+/139adff9b27eaf0bdaac664ec4c9a7db2fe3f920";
         sha256 = "05sp602dvh50v46jkzmh4sf4wqnq5bwy553596g2rhxg75bailjj";
       })
       (fetchGitilesPatch {
         name = "use-an-unsized-helper-for-truncated-SHA-512-variants.patch";
-        url = "https://boringssl.googlesource.com/boringssl/+/a24ab549e6ae246b391155d7bed3790ac0e07de2";
+        url =
+          "https://boringssl.googlesource.com/boringssl/+/a24ab549e6ae246b391155d7bed3790ac0e07de2";
         sha256 = "0483jkpg4g64v23ln2blb74xnmzdjcn3r7w4zk7nfg8j3q5f9lxm";
       })
-/*
-      # the following patch is too complex, so we will modify the build flags
-      # of crypto/fipsmodule/CMakeFiles/fipsmodule.dir/bcm.c.o in preBuild
-      # and turn off -Werror=stringop-overflow
-      (fetchGitilesPatch {
-        name = "make-md32_common.h-single-included-and-use-an-unsized-helper-for-SHA-256.patch";
-        url = "https://boringssl.googlesource.com/boringssl/+/597ffef971dd980b7de5e97a0c9b7ca26eec94bc";
-        sha256 = "1y0bkkdf1ccd6crx326agp01q22clm4ai4p982y7r6dkmxmh52qr";
-      })
-*/
+      /* # the following patch is too complex, so we will modify the build flags
+            # of crypto/fipsmodule/CMakeFiles/fipsmodule.dir/bcm.c.o in preBuild
+            # and turn off -Werror=stringop-overflow
+            (fetchGitilesPatch {
+              name = "make-md32_common.h-single-included-and-use-an-unsized-helper-for-SHA-256.patch";
+              url = "https://boringssl.googlesource.com/boringssl/+/597ffef971dd980b7de5e97a0c9b7ca26eec94bc";
+              sha256 = "1y0bkkdf1ccd6crx326agp01q22clm4ai4p982y7r6dkmxmh52qr";
+            })
+      */
       (fetchGitilesPatch {
         name = "fix-array-parameter-warnings.patch";
-        url = "https://boringssl.googlesource.com/boringssl/+/92c6fbfc4c44dc8462d260d836020d2b793e7804";
+        url =
+          "https://boringssl.googlesource.com/boringssl/+/92c6fbfc4c44dc8462d260d836020d2b793e7804";
         sha256 = "0h4sl95i8b0dj0na4ngf50wg54raxyjxl1zzwdc810abglp10vnv";
       })
     ];
@@ -60,8 +64,7 @@ let
           -i build.ninja
     '';
   });
-in
-stdenv.mkDerivation rec {
+in stdenv.mkDerivation rec {
   pname = "lsquic";
   version = versions.lsquic.version;
 
@@ -106,6 +109,11 @@ stdenv.mkDerivation rec {
     description = "A library for QUIC and HTTP/3 (version for Invidious)";
     homepage = "https://github.com/litespeedtech/lsquic";
     maintainers = with maintainers; [ infinisil sbruder ];
-    license = with licenses; [ openssl isc mit bsd3 ]; # statically links against boringssl, so has to include its licenses
+    license = with licenses; [
+      openssl
+      isc
+      mit
+      bsd3
+    ]; # statically links against boringssl, so has to include its licenses
   };
 }

overlay/invidious/videojs.nix

@@ -1,9 +1,7 @@
 { stdenvNoCC, cacert, crystal, openssl, pkg-config, invidious }:
 
-let
-  versions = builtins.fromJSON (builtins.readFile ./versions.json);
-in
-stdenvNoCC.mkDerivation {
+let versions = builtins.fromJSON (builtins.readFile ./versions.json);
+in stdenvNoCC.mkDerivation {
   name = "videojs";
 
   inherit (invidious) src;

overlay/piped/backend/default.nix

@@ -0,0 +1,99 @@
+{ stdenv, runtimeShell, fetchFromGitHub, makeWrapper, openjdk17, gradle, perl
+, writeText }:
+let
+  meta = builtins.fromJSON (builtins.readFile ../meta.json);
+
+  pname = "piped-backend";
+  rev = "${meta.backend.rev}";
+  version = "latest-${rev}";
+
+  src = fetchFromGitHub {
+    owner = "TeamPiped";
+    repo = "Piped-Backend";
+    inherit rev;
+    sha256 = "${meta.backend.sha256}";
+  };
+
+  deps = stdenv.mkDerivation {
+    pname = "${pname}-deps";
+    inherit src version;
+    nativeBuildInputs = [ gradle openjdk17 perl ];
+
+    buildPhase = ''
+      export GRADLE_USER_HOME=$(mktemp -d);
+      gradle --no-daemon assemble shadowJar
+    '';
+
+    # perl code mavenizes paths (com.squareup.okio/okio/1.13.0/a9283170b7305c8d92d25aff02a6ab7e45d06cbe/okio-1.13.0.jar -> com/squareup/okio/okio/1.13.0/okio-1.13.0.jar)
+    installPhase = ''
+      find $GRADLE_USER_HOME/caches/modules-2 -type f -regex '.*\.\(jar\|pom\)' \
+        | perl -pe 's#(.*/([^/]+)/([^/]+)/([^/]+)/[0-9a-f]{30,40}/([^/\s]+))$# ($x = $2) =~ tr|\.|/|; "install -Dm444 $1 \$out/$x/$3/$4/$5" #e' \
+        | sh
+    '';
+
+    dontStrip = true;
+
+    outputHashAlgo = "sha256";
+    outputHashMode = "recursive";
+    outputHash = "sha256-fERSbMTJcvf1fG+H1yg2TFwdsq6+mkTzj/LvutgLAQs=";
+  };
+
+  gradleInit = writeText "init.gradle" ''
+    logger.lifecycle 'Replacing Maven repositories with ${deps}...'
+    gradle.projectsLoaded {
+      rootProject.allprojects {
+        buildscript {
+          repositories {
+            clear()
+            maven { url '${deps}' }
+          }
+        }
+        repositories {
+          clear()
+          maven { url '${deps}' }
+        }
+      }
+    }
+    settingsEvaluated { settings ->
+      settings.pluginManagement {
+        repositories {
+          maven { url '${deps}' }
+        }
+      }
+    }
+  '';
+
+in stdenv.mkDerivation rec {
+  inherit pname version src;
+
+  nativeBuildInputs = [ gradle openjdk17 ];
+
+  buildPhase = ''
+    runHook preBuild
+
+    export GRADLE_USER_HOME=$(mktemp -d)
+
+    gradle --offline --init-script ${gradleInit} shadowJar
+
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    ls -R build
+
+    mkdir -p "$out/share/piped-backend"
+    cp build/libs/piped-1.0-all.jar "$out/share/piped-backend"
+
+    mkdir -p "$out/bin"
+    cat  <<EOF >$out/bin/piped-backend
+    #!${runtimeShell}
+    export JAVA_HOME=${openjdk17}
+    exec ${openjdk17}/bin/java -jar "$out/share/piped-backend/piped-1.0-all.jar" "\$@"
+    EOF
+    chmod a+x "$out/bin/piped-backend"
+
+    runHook postInstall
+  '';
+}

overlay/piped/frontend/default.nix

@@ -0,0 +1,41 @@
+{ stdenv, nodejs, nodePackages, mkYarnPackage, rsync, fetchFromGitHub
+, backendDomain ? "CHANGE_ME", }:
+let
+  meta = builtins.fromJSON (builtins.readFile ../meta.json);
+  rev = meta.frontend.rev;
+in mkYarnPackage rec {
+  pname = "piped-frontend";
+  version = "latest-${rev}";
+  src = fetchFromGitHub {
+    owner = "TeamPiped";
+    repo = "Piped";
+    inherit rev;
+    sha256 = "${meta.frontend.sha256}";
+  };
+
+  packageJSON = "${src}/package.json";
+  yarnLock = "${src}/yarn.lock";
+  yarnNix = ./yarn.nix;
+
+  patchPhase = ''
+    sed -i "s#pipedapi.kavin.rocks#${backendDomain}#g" src/main.js
+    sed -i "s#pipedapi.kavin.rocks#${backendDomain}#g" src/components/PreferencesPage.vue
+  '';
+
+  buildPhase = ''
+    runHook preBuild
+    yarn --offline build
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p "$out/share/piped-frontend"
+    ${rsync}/bin/rsync --recursive deps/piped/dist/ "$out/share/piped-frontend"
+
+    runHook postInstall
+  '';
+
+  doDist = false;
+}

overlay/piped/meta.json

@@ -0,0 +1,14 @@
+{
+  "frontend": {
+    "rev": "0acd6bfd2aef1e0e9a03ecae377a212005625c1b",
+    "sha256": "sha256-NY87NolGIZDc9tZKOR/VCWsC/dWCOWrBJdimu2RHMkY="
+  },
+  "backend": {
+    "rev": "d3725f0007672a1d67bf84c364dfb1784d967df8",
+    "sha256": "sha256-8oyV98yZhWeddlmSsWtMJ2vgHEdMzzQqTgyoKwtX5Xg="
+  },
+  "proxy": {
+    "rev": "d3725f0007672a1d67bf84c364dfb1784d967df8",
+    "sha256": "sha256-a+/Hg60uxcTY/QYr6bH3CENPitNnrmZjfMxMPxeZpbE="
+  }
+}

overlay/piped/proxy/default.nix

@@ -0,0 +1,17 @@
+{ rustPlatform, fetchFromGitHub }:
+let
+  meta = builtins.fromJSON (builtins.readFile ../meta.json);
+  rev = meta.proxy.rev;
+in rustPlatform.buildRustPackage rec {
+  pname = "piped-proxy";
+  version = "latest-${rev}";
+  src = fetchFromGitHub {
+    owner = "TeamPiped";
+    repo = "piped-proxy";
+    inherit rev;
+    sha256 = "${meta.proxy.sha256}";
+  };
+
+  cargoLock = { lockFile = "${src}/Cargo.lock"; };
+  doCheck = false;
+}

overlay/piped/update.sh

@@ -0,0 +1,55 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl jq git moreutils yarn2nix nix nix-prefetch
+set -euo pipefail
+
+BASE_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd "${BASE_DIR}"
+
+json_get() {
+    jq -r "$1" < 'meta.json'
+}
+
+json_set() {
+    jq --arg x "$2" "$1 = \$x" < 'meta.json' | sponge 'meta.json'
+}
+
+# Frontend
+old_frontend_rev=$(json_get '.frontend.rev')
+new_frontend_rev=$(curl -L "https://api.github.com/repos/TeamPiped/Piped/commits" 2>/dev/null | jq ".[0].sha" -r)
+if [ "$new_frontend_rev" != "$old_frontend_rev" ]; then
+    echo "Frontend is out of date. Updating..."
+    json_set '.frontend.rev' "$new_frontend_rev"
+    new_frontend_sha256=$(nix-prefetch fetchFromGitHub --owner TeamPiped --repo Piped --rev "$new_frontend_rev")
+    json_set '.frontend.sha256' "$new_frontend_sha256"
+
+    TMP=$(mktemp -d)
+    pushd "$TMP"
+        git clone https://github.com/TeamPiped/Piped
+        pushd Piped
+            git reset --hard "$new_frontend_rev"
+            yarn2nix > "${BASE_DIR}/frontend/yarn.nix"
+        popd
+    popd
+fi
+
+# Backend
+old_backend_rev=$(json_get '.backend.rev')
+new_backend_rev=$(curl -L "https://api.github.com/repos/TeamPiped/Piped-Backend/commits" 2>/dev/null | jq ".[0].sha" -r)
+if [ "$new_backend_rev" != "$old_backend_rev" ]; then
+    echo "Backend is out of date. Updating..."
+    json_set '.backend.rev' "$new_backend_rev"
+    new_backend_sha256=$(nix-prefetch fetchFromGitHub --owner TeamPiped --repo Piped-Backend --rev "$new_backend_rev")
+    json_set '.backend.sha256' "$new_backend_sha256"
+fi
+
+# Proxy
+old_proxy_rev=$(json_get '.proxy.rev')
+new_proxy_rev=$(curl -L "https://api.github.com/repos/TeamPiped/piped-proxy/commits" 2>/dev/null | jq ".[0].sha" -r)
+if [ "$new_proxy_rev" != "$old_proxy_rev" ]; then
+    echo "Proxy is out of date. Updating..."
+    json_set '.proxy.rev' "$new_backend_rev"
+    new_proxy_sha256=$(nix-prefetch fetchFromGitHub --owner TeamPiped --repo piped-proxy --rev "$new_proxy_rev")
+    json_set '.proxy.sha256' "$new_proxy_sha256"
+fi
+
+

scripts/update.sh

@@ -6,4 +6,5 @@ cd $REPO_ROOT
 
 ./overlay/invidious/update.sh
 ./overlay/misskey/update.sh
+./overlay/piped/update.sh
 nix flake update

treeConfig.nix

@@ -6,6 +6,7 @@
 
       "hosts/*/services".functor.enable = true;
       "hosts/hetzner-vm/modules/mailserver".functor.enable = true;
+      "hosts/hetzner-vm/modules/piped".functor.enable = true;
       "hosts/raspberry/services/music-friend".functor.enable = true;
       "hosts/*/home".functor.enable = true;
       "hosts/*/profiles".functor.enable = true;