stuff & possibly things, maybe a shenanigan or two idk

deployNodes.nix

@@ -1,11 +1,12 @@
 { nixosConfigurations, deploy-rs, ... }:
 let activateNixOS_x64_64-linux = deploy-rs.lib.x86_64-linux.activate.nixos;
 in {
-  lappy = {
-    hostname = "lappy.tailscale-internal.genderfucked.monster";
+  tablet = {
+    hostname = "tablet.internal.genderfucked.monster";
     profiles.system = {
       user = "root";
-      path = activateNixOS_x64_64-linux nixosConfigurations.lappy;
+      sshUser = "root";
+      path = activateNixOS_x64_64-linux nixosConfigurations.tablet;
     };
   };
   hetzner-vm = {

flake.lock

@@ -9,11 +9,11 @@
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1668166163,
-        "narHash": "sha256-XCuM+n98KcG0v+DT1HolGCO3j5FOBUjV4K8YcZsVeQw=",
+        "lastModified": 1668453806,
+        "narHash": "sha256-rDyF0essyFdCIo336gI6nPjWhjoczGn701D1JID5wl8=",
         "owner": "serokell",
         "repo": "deploy-rs",
-        "rev": "b011f13bc577b978f52aaefde5605332f7bca7e9",
+        "rev": "be40823735bbdc40c1f6b7725c8b74d5a85d8023",
         "type": "github"
       },
       "original": {
@@ -100,11 +100,11 @@
         "utils": "utils_3"
       },
       "locked": {
-        "lastModified": 1667981810,
-        "narHash": "sha256-p27zd5M+OkfND46gzbGkaHlNBZsYe95M48OJuFeuuSY=",
+        "lastModified": 1668332334,
+        "narHash": "sha256-YT1qcE/MCqBO1Bi/Yr6GcFpNKsvmzrBKh8juyXDbxQc=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "6ce3493a3c5c6a8f4cfa6f5f88723272e0cfd335",
+        "rev": "bc90de24d898655542589237cc0a6ada7564cb6c",
         "type": "github"
       },
       "original": {
@@ -137,11 +137,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1667991831,
-        "narHash": "sha256-DHgEsLZI044B9T4AjA3K6+yB9/DqLr4dyA7OIx0FG7o=",
+        "lastModified": 1668596599,
+        "narHash": "sha256-rhHyZTGI31/OfgYa9xF49UTchDXTI94pEsSNa0fOkpk=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "872fceeed60ae6b7766cc0a4cd5bf5901b9098ec",
+        "rev": "b457130e8a21608675ddf12c7d85227b22a27112",
         "type": "github"
       },
       "original": {
@@ -153,11 +153,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1668255064,
-        "narHash": "sha256-JWVzaBAC9eL+Eg/SG71ZPSDQQd/eO9sS2YNGrlDDEH4=",
+        "lastModified": 1668680510,
+        "narHash": "sha256-5O/8cXku2/JxY3AglxnzWRb3I8kFZSQRh3YHLeegYA8=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "9a0be7d4b9de779707b8788c6bdaaf23160a7975",
+        "rev": "6970572e6143893eab37a8aacfe9dd872d48a867",
         "type": "github"
       },
       "original": {

hosts/hetzner-vm/hetzner-vm.nix

@@ -17,7 +17,7 @@
     hosts.hetzner-vm.profiles.mpd
     hosts.hetzner-vm.profiles.mailserver
     hosts.hetzner-vm.profiles.gitlab-static-sites
-    hosts.hetzner-vm.profiles.lappy-dev
+    #hosts.hetzner-vm.profiles.lappy-dev
     hosts.hetzner-vm.profiles.misskey
     hosts.hetzner-vm.profiles.wireguard
 

hosts/tablet/profiles/harry-vpn.nix

@@ -1,4 +1,6 @@
-{ pkgs, ... }: {
+{ config, pkgs, ... }:
+let secrets = config.services.secrets.secrets;
+in {
   environment.systemPackages = with pkgs; [ wireguard-tools ];
   networking.wg-quick.interfaces = {
     wg-harry-vpn = {
@@ -6,10 +8,11 @@
       address = [ "185.186.9.71/26" "2a0b:6b84:2022:6::1/64" ];
       dns = [ "8.8.8.8" ];
       mtu = 1280;
-      privateKeyFile = "/secrets/harry_vpn_wg_priv";
+      privateKeyFile = "${secrets.wg_harry_priv.path}";
 
       peers = [{
         publicKey = "7B6KSFqTHM7A7Nv24GIeUhDDh2XnlT7UqG5U+Si+zmc=";
+        presharedKeyFile = "${secrets.wg_harry_preshared.path}";
         allowedIPs = [ "0.0.0.0/0" "::/0" ];
         endpoint = "185.186.9.1:8081";
         persistentKeepalive = 25;

hosts/tablet/profiles/wireguard.nix

@@ -1,16 +1,18 @@
-{ ... }:
-let secrets-db = (import ../secrets-db.nix { });
+{ config, ... }:
+let secrets = config.services.secrets.secrets;
 in {
+
+  networking.firewall.trustedInterfaces = [ "wg0" ];
   networking.wg-quick.interfaces = {
     wg0 = {
       address = [ "10.69.42.2/32" ];
-      privateKeyFile = "${secrets-db.wg_priv.path}";
+      privateKeyFile = "${secrets.wg_priv.path}";
 
       peers = [
         # hetzner-vm
         {
           publicKey = "UJr+EmUM7KWkIy0nk0JA38ibvcLC++6iuOKkHdrx9Dc=";
-          presharedKeyFile = "${secrets-db.wg_preshared_hetzner-vm.path}";
+          presharedKeyFile = "${secrets.wg_preshared_hetzner-vm.path}";
           allowedIPs = [ "10.69.42.1/32" ];
           endpoint = "hetzner-vm.servers.genderfucked.monster:51820";
           persistentKeepalive = 25;
@@ -18,7 +20,7 @@ in {
         # vault
         {
           publicKey = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc=";
-          presharedKeyFile = "${secrets-db.wg_preshared_vault.path}";
+          presharedKeyFile = "${secrets.wg_preshared_vault.path}";
           allowedIPs = [ "10.69.42.3/32" ];
           endpoint = "vault.servers.genderfucked.monster:51820";
           persistentKeepalive = 25;
@@ -26,7 +28,7 @@ in {
         # storage
         {
           publicKey = "biNNeCkjAWi2jUVoL5+1pBtXGa3OFZi4DltB2dqGjGg=";
-          presharedKeyFile = "${secrets-db.wg_preshared_storage.path}";
+          presharedKeyFile = "${secrets.wg_preshared_storage.path}";
           allowedIPs = [ "10.69.42.4/32" ];
           endpoint = "storage.servers.genderfucked.monster:51820";
           persistentKeepalive = 25;

hosts/tablet/secrets-db.nix

@@ -1,39 +0,0 @@
-{ }: {
-  # Manually Created, Not Stored In Vault
-  usb_encryption_passphrase = {
-    user = "root";
-    group = "root";
-    permissions = "660";
-    path = "/secrets/usb_encryption_passphrase";
-  };
-  music_stream_password = {
-    user = "chaos";
-    group = "users";
-    permissions = "660";
-    path = "/secrets/music_stream_password";
-  };
-  wg_priv = {
-    user = "root";
-    group = "root";
-    permissions = "660";
-    path = "/secrets/wg_priv";
-  };
-  wg_preshared_hetzner-vm = {
-    user = "root";
-    group = "root";
-    permissions = "660";
-    path = "/secrets/wg_preshared_hetzner-vm";
-  };
-  wg_preshared_vault = {
-    user = "root";
-    group = "root";
-    permissions = "660";
-    path = "/secrets/wg_preshared_vault";
-  };
-  wg_preshared_storage = {
-    user = "root";
-    group = "root";
-    permissions = "660";
-    path = "/secrets/wg_preshared_storage";
-  };
-}

hosts/tablet/secrets.nix

@@ -1,54 +1,45 @@
-{ pkgs, ... }:
-let secrets-db = (import ./secrets-db.nix { });
-in {
-  systemd.tmpfiles.rules = [ "d /secrets - root root" ];
-  environment.systemPackages = [
-    (pkgs.writeShellScriptBin "init-secrets" ''
-      set -e -o pipefail
-
-      VAULT_ADDR_DEFAULT="https://vault.owo.monster"
-      [ -z "$VAULT_ADDR" ] && export VAULT_ADDR="$VAULT_ADDR_DEFAULT"
-
-      export PATH=$PATH:${pkgs.vault}/bin
-      export PATH=$PATH:${pkgs.jq}/bin
-
-      kv_get() {
-        vault kv get -format json $1
-      }
-
-      simple_get() {
-        kv_get $1 | jq .data.data$2 -r
-      }
-
-      file=${secrets-db.music_stream_password.path}
-      echo $file
-      simple_get "/api-keys/music-stream" .password > $file
-      chown ${secrets-db.music_stream_password.user}:${secrets-db.music_stream_password.group} $file
-      chmod ${secrets-db.music_stream_password.permissions} $file
-
-      file=${secrets-db.wg_priv.path}
-      echo $file
-      simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .private > $file
-      chown ${secrets-db.wg_priv.user}:${secrets-db.wg_priv.group} $file
-      chmod ${secrets-db.wg_priv.permissions} $file
-
-      file=${secrets-db.wg_preshared_hetzner-vm.path}
-      echo $file
-      simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.hetzner_vm > $file
-      chown ${secrets-db.wg_preshared_hetzner-vm.user}:${secrets-db.wg_preshared_hetzner-vm.group} $file
-      chmod ${secrets-db.wg_preshared_hetzner-vm.permissions} $file
-
-      file=${secrets-db.wg_preshared_vault.path}
-      echo $file
-      simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.vault > $file
-      chown ${secrets-db.wg_preshared_vault.user}:${secrets-db.wg_preshared_vault.group} $file
-      chmod ${secrets-db.wg_preshared_vault.permissions} $file
-
-      file=${secrets-db.wg_preshared_storage.path}
-      echo $file
-      simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.storage > $file
-      chown ${secrets-db.wg_preshared_storage.user}:${secrets-db.wg_preshared_storage.group} $file
-      chmod ${secrets-db.wg_preshared_storage.permissions} $file
-    '')
-  ];
+{ pkgs, ... }: {
+  services.secrets = {
+    enable = true;
+    secrets = {
+      usb_encryption_passphrase = { manual = true; };
+      music_stream_password = {
+        user = "chaos";
+        group = "users";
+        fetchScript = ''
+          simple_get "/api-keys/music-stream" .password > $secretFile
+        '';
+      };
+      wg_priv = {
+        fetchScript = ''
+          simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .private > $secretFile
+        '';
+      };
+      wg_preshared_hetzner-vm = {
+        fetchScript = ''
+          simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.hetzner_vm > $secretFile
+        '';
+      };
+      wg_preshared_vault = {
+        fetchScript = ''
+          simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.vault > $secretFile
+        '';
+      };
+      wg_preshared_storage = {
+        fetchScript = ''
+          simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.storage > $secretFile
+        '';
+      };
+      wg_harry_priv = {
+        fetchScript = ''
+          simple_get "/private-public-keys/wireguard/harry/tablet" .private > $secretFile
+        '';
+      };
+      wg_harry_preshared = {
+        fetchScript = ''
+          simple_get "/private-public-keys/wireguard/harry/tablet" .preshared_keys.main > $secretFile
+        '';
+      };
+    };
+  };
 }

hosts/tablet/tablet.nix

@@ -36,21 +36,6 @@
 
   networking.enableIPv6 = false;
 
-  # let vscode, vivaldi, etc work.
-  security.unprivilegedUsernsClone = true;
-
-  nix.settings.auto-optimise-store = true;
-  nix.gc = {
-    automatic = true;
-    dates = "daily";
-    options = "--delete-older-than 30d";
-  };
-
-  nix.extraOptions = ''
-    keep-outputs = true
-    keep-derivations = true
-  '';
-
   networking.hostName = "tablet";
   time.timeZone = "Europe/London";
 

hosts/vault/secrets.nix

@@ -1,64 +1,46 @@
 { pkgs, ... }:
 let secrets-db = (import ./secrets-db.nix { });
 in {
-  systemd.tmpfiles.rules = [ "d /secrets - root root" ];
-  environment.systemPackages = [
-    (pkgs.writeShellScriptBin "init-secrets" ''
-      set -e -o pipefail
-
-      VAULT_ADDR_DEFAULT="https://vault.owo.monster"
-      [ -n "$VAULT_ADDR" ] && export VAULT_ADDR="$VAULT_ADDR_DEFAULT"
-
-      export PATH=$PATH:${pkgs.vault}/bin
-      export PATH=$PATH:${pkgs.jq}/bin
-
-      kv_get() {
-        vault kv get -format json $1
-      }
-
-      simple_get() {
-        kv_get $1 | jq .data.data$2 -r
-      }
-
-      simple_get "/private-public-keys/restic/Vault" .password > /secrets/restic_password 
-      chown ${secrets-db.restic_password.user}:${secrets-db.restic_password.group} /secrets/restic_password 
-      chmod ${secrets-db.restic_password.permissions} /secrets/restic_password
-
-      RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Vault" .username)
-      RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Vault" .password)
-      echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > /secrets/restic_env
-      chown ${secrets-db.restic_env.user}:${secrets-db.restic_env.group} /secrets/restic_env 
-      chmod ${secrets-db.restic_env.permissions} /secrets/restic_env
-
-      file=${secrets-db.wg_priv.path}
-      echo $file
-      simple_get "/private-public-keys/wireguard/chaos-internal/vault" .private > $file
-      chown ${secrets-db.wg_priv.user}:${secrets-db.wg_priv.group} $file
-      chmod ${secrets-db.wg_priv.permissions} $file
-
-      file=${secrets-db.wg_preshared_hetzner-vm.path}
-      echo $file
-      simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.hetzner_vm > $file
-      chown ${secrets-db.wg_preshared_hetzner-vm.user}:${secrets-db.wg_preshared_hetzner-vm.group} $file
-      chmod ${secrets-db.wg_preshared_hetzner-vm.permissions} $file
-
-      file=${secrets-db.wg_preshared_tablet.path}
-      echo $file
-      simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.tablet > $file
-      chown ${secrets-db.wg_preshared_tablet.user}:${secrets-db.wg_preshared_tablet.group} $file
-      chmod ${secrets-db.wg_preshared_tablet.permissions} $file
-
-      file=${secrets-db.wg_preshared_storage.path}
-      echo $file
-      simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.storage > $file
-      chown ${secrets-db.wg_preshared_storage.user}:${secrets-db.wg_preshared_storage.group} $file
-      chmod ${secrets-db.wg_preshared_storage.permissions} $file
-
-      file=${secrets-db.wg_preshared_iphone8.path}
-      echo $file
-      simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.iphone8 > $file
-      chown ${secrets-db.wg_preshared_iphone8.user}:${secrets-db.wg_preshared_iphone8.group} $file
-      chmod ${secrets-db.wg_preshared_iphone8.permissions} $file
-    '')
-  ];
+  services.secrets = {
+    enable = true;
+    secrets = {
+      restic_password = {
+        fetchScript = ''
+          simple_get "/private-public-keys/restic/Vault" .password > $secretFile
+        '';
+      };
+      restic_env = {
+        fetchScript = ''
+          RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Vault" .username)
+          RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Vault" .password)
+          echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > $secretFile
+        '';
+      };
+      wg_priv = {
+        fetchScript = ''
+          simple_get "/private-public-keys/wireguard/chaos-internal/vault" .private > $secretFile
+        '';
+      };
+      wg_preshared_hetzner-vm = {
+        fetchScript = ''
+          simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.hetzner_vm > $secretFile
+        '';
+      };
+      wg_preshared_tablet = {
+        fetchScript = ''
+          simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.tablet > $secretFile
+        '';
+      };
+      wg_preshared_storage = {
+        fetchScript = ''
+          simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.storage > $secretFile
+        '';
+      };
+      wg_preshared_iphone8 = {
+        fetchScript = ''
+          simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.iphone8 > $secretFile
+        '';
+      };
+    };
+  };
 }

overlay/default.nix

@@ -1,8 +1,11 @@
 final: prev: {
   comic-sans = final.callPackage ./comic-sans { };
   comic-code = final.callPackage ./comic-code { };
-  zar = final.callPackage ./zar { };
-  gobar = final.callPackage ./gobar { };
   roc-toolkit-patched = final.callPackage ./roc-toolkit-patched { };
   roc-send-pcm = final.callPackage ./roc-send-pcm { };
+  invidious = final.callPackage ./invidious {
+    lsquic = final.callPackage ./invidious/lsquic.nix { };
+    videojs = final.callPackage ./invidious/videojs.nix { };
+  };
+
 }

overlay/invidious-latest/default.nix

@@ -1,106 +0,0 @@
-{ lib, crystal, fetchFromGitHub, librsvg, pkg-config, libxml2, openssl, sqlite
-, lsquic, shards }:
-let
-  # When updating, always update the following:
-  #  * the git revision
-  #  * the version attribute
-  #  * the source hash (sha256)
-  # If the shards.lock file changed, also the following:
-  #  * shards.nix (by running `crystal2nix` in invidious’ source tree)
-  #  * If the lsquic.cr dependency changed: lsquic in lsquic.nix (version, sha256)
-  #  * If the lsquic version changed: boringssl' in lsquic.nix (version, sha256)
-  rev = "d928b9eaadc8298f2e92a766fdd10c79e6048858";
-in crystal.buildCrystalPackage rec {
-  pname = "invidious";
-  version = "master";
-
-  src = fetchFromGitHub {
-    owner = "iv-org";
-    repo = pname;
-    inherit rev;
-    sha256 = "sha256-WojYv9HMqS3UcZFewgE/svbpqeAY6BIyAtxAMfdn1xk=";
-  };
-
-  postPatch = let
-    # Replacing by the value (templates) of the variables ensures that building
-    # fails if upstream changes the way the metadata is formatted.
-    branchTemplate = ''{{ "#{`git branch | sed -n '/* /s///p'`.strip}" }}'';
-    commitTemplate =
-      ''{{ "#{`git rev-list HEAD --max-count=1 --abbrev-commit`.strip}" }}'';
-    versionTemplate = ''
-      {{ "#{`git log -1 --format=%ci | awk '{print $1}' | sed s/-/./g`.strip}" }}'';
-    # This always uses the latest commit which invalidates the cache even if
-    # the assets were not changed
-    assetCommitTemplate = ''
-      {{ "#{`git rev-list HEAD --max-count=1 --abbrev-commit -- assets`.strip}" }}'';
-  in ''
-    # Use the version metadata from the derivation instead of using git at
-    # build-time
-    substituteInPlace src/invidious.cr \
-        --replace ${lib.escapeShellArg branchTemplate} '"master"' \
-        --replace ${lib.escapeShellArg commitTemplate} '"${
-          lib.substring 0 7 rev
-        }"' \
-        --replace ${lib.escapeShellArg versionTemplate} '"${
-          lib.replaceChars [ "-" ] [ "." ] (lib.substring 9 10 version)
-        }"' \
-        --replace ${lib.escapeShellArg assetCommitTemplate} '"${
-          lib.substring 0 7 rev
-        }"'
-
-    # Patch the assets and locales paths to be absolute
-    substituteInPlace src/invidious.cr \
-        --replace 'public_folder "assets"' 'public_folder "${
-          placeholder "out"
-        }/share/invidious/assets"'
-    substituteInPlace src/invidious/helpers/i18n.cr \
-        --replace 'File.read("locales/' 'File.read("${
-          placeholder "out"
-        }/share/invidious/locales/'
-
-    # Reference sql initialisation/migration scripts by absolute path
-    substituteInPlace src/invidious/database/base.cr \
-          --replace 'config/sql' '${
-            placeholder "out"
-          }/share/invidious/config/sql'
-
-    substituteInPlace src/invidious/users.cr \
-        --replace 'Process.run(%(rsvg-convert' 'Process.run(%(${
-          lib.getBin librsvg
-        }/bin/rsvg-convert'
-  '';
-
-  # shards required for spectator
-  nativeBuildInputs = [ pkg-config shards ];
-  buildInputs = [ libxml2 openssl sqlite ];
-
-  format = "crystal";
-  shardsFile = ./shards.nix;
-  crystalBinaries.invidious.src = "src/invidious.cr";
-
-  postConfigure = ''
-    # lib includes nix store paths which can’t be patched, so the links have to
-    # be dereferenced first.
-    cp -rL lib lib2
-    rm -r lib
-    mv lib2 lib
-    chmod +w -R lib
-    cp ${lsquic}/lib/liblsquic.a lib/lsquic/src/lsquic/ext
-  '';
-
-  postInstall = ''
-    mkdir -p $out/share/invidious/config
-
-    # Copy static parts
-    cp -r assets locales $out/share/invidious
-    cp -r config/sql $out/share/invidious/config
-  '';
-
-  # Invidious tries to open config/config.yml and connect to the database, even
-  # when running --help. This specifies a minimal configuration in an
-  # environment variable. Even though the database is bogus, --help still
-  # works.
-  installCheckPhase = ''
-    INVIDIOUS_CONFIG="database_url: sqlite3:///dev/null" $out/bin/invidious --help
-  '';
-}

overlay/invidious-latest/lsquic.nix

@@ -1,63 +0,0 @@
-{ lib, boringssl, stdenv, fetchgit, fetchFromGitHub, cmake, zlib, perl, libevent
-}:
-let
-  # lsquic requires a specific boringssl version (noted in its README)
-  boringssl' = boringssl.overrideAttrs (old: rec {
-    version = "251b5169fd44345f455438312ec4e18ae07fd58c";
-    src = fetchgit {
-      url = "https://boringssl.googlesource.com/boringssl";
-      rev = version;
-      sha256 = "sha256-EU6T9yQCdOLx98Io8o01rEsgxDFF/Xoy42LgPopD2/A=";
-    };
-  });
-in stdenv.mkDerivation rec {
-  pname = "lsquic";
-  version = "2.18.1";
-
-  src = fetchFromGitHub {
-    owner = "litespeedtech";
-    repo = pname;
-    rev = "v${version}";
-    sha256 = "sha256-hG8cUvhbCNeMOsKkaJlgGpzUrIx47E/WhmPIdI5F3qM=";
-    fetchSubmodules = true;
-  };
-
-  nativeBuildInputs = [ cmake perl ];
-  buildInputs = [ boringssl' libevent zlib ];
-
-  cmakeFlags = [
-    "-DBORINGSSL_DIR=${lib.getDev boringssl'}"
-    "-DBORINGSSL_LIB_crypto=${lib.getLib boringssl'}/lib/libcrypto.a"
-    "-DBORINGSSL_LIB_ssl=${lib.getLib boringssl'}/lib/libssl.a"
-    "-DZLIB_LIB=${zlib}/lib/libz.so"
-  ];
-
-  # adapted from lsquic.cr’s Dockerfile
-  # (https://github.com/iv-org/lsquic.cr/blob/master/docker/Dockerfile)
-  installPhase = ''
-    runHook preInstall
-
-    mkdir combinedlib
-    cd combinedlib
-    ar -x ${lib.getLib boringssl'}/lib/libssl.a
-    ar -x ${lib.getLib boringssl'}/lib/libcrypto.a
-    ar -x ../src/liblsquic/liblsquic.a
-    ar rc liblsquic.a *.o
-    ranlib liblsquic.a
-    install -D liblsquic.a $out/lib/liblsquic.a
-
-    runHook postInstall
-  '';
-
-  meta = with lib; {
-    description = "A library for QUIC and HTTP/3 (version for Invidious)";
-    homepage = "https://github.com/litespeedtech/lsquic";
-    maintainers = with maintainers; [ infinisil sbruder ];
-    license = with licenses; [
-      openssl
-      isc
-      mit
-      bsd3
-    ]; # statically links against boringssl, so has to include its licenses
-  };
-}

overlay/invidious/default.nix

@@ -0,0 +1,123 @@
+{ lib, stdenv, crystal, fetchFromGitHub, librsvg, pkg-config, libxml2, openssl, shards, sqlite, lsquic, videojs, nixosTests }:
+let
+  # All versions, revisions, and checksums are stored in ./versions.json.
+  # The update process is the following:
+  #   * pick the latest commit
+  #   * update .invidious.rev, .invidious.version, and .invidious.sha256
+  #   * prefetch the videojs dependencies with scripts/fetch-player-dependencies.cr
+  #     and update .videojs.sha256 (they are normally fetched during build
+  #     but nix's sandboxing does not allow that)
+  #   * if shard.lock changed
+  #     * recreate shards.nix by running crystal2nix
+  #     * update lsquic and boringssl if necessarry, lsquic.cr depends on
+  #       the same version of lsquic and lsquic requires the boringssl
+  #       commit mentioned in its README
+  versions = builtins.fromJSON (builtins.readFile ./versions.json);
+in
+crystal.buildCrystalPackage rec {
+  pname = "invidious";
+  inherit (versions.invidious) version;
+
+  src = fetchFromGitHub {
+    owner = "iv-org";
+    repo = pname;
+    fetchSubmodules = true;
+    inherit (versions.invidious) rev sha256;
+  };
+
+  postPatch =
+    let
+      # Replacing by the value (templates) of the variables ensures that building
+      # fails if upstream changes the way the metadata is formatted.
+      branchTemplate = ''{{ "#{`git branch | sed -n '/* /s///p'`.strip}" }}'';
+      commitTemplate = ''{{ "#{`git rev-list HEAD --max-count=1 --abbrev-commit`.strip}" }}'';
+      versionTemplate = ''{{ "#{`git log -1 --format=%ci | awk '{print $1}' | sed s/-/./g`.strip}" }}'';
+      # This always uses the latest commit which invalidates the cache even if
+      # the assets were not changed
+      assetCommitTemplate = ''{{ "#{`git rev-list HEAD --max-count=1 --abbrev-commit -- assets`.strip}" }}'';
+    in
+    ''
+      for d in ${videojs}/*; do ln -s "$d" assets/videojs; done
+
+      # Use the version metadata from the derivation instead of using git at
+      # build-time
+      substituteInPlace src/invidious.cr \
+          --replace ${lib.escapeShellArg branchTemplate} '"master"' \
+          --replace ${lib.escapeShellArg commitTemplate} '"${lib.substring 0 7 versions.invidious.rev}"' \
+          --replace ${lib.escapeShellArg versionTemplate} '"${lib.replaceChars ["-"] ["."] (lib.substring 9 10 version)}"' \
+          --replace ${lib.escapeShellArg assetCommitTemplate} '"${lib.substring 0 7 versions.invidious.rev}"'
+
+      # Patch the assets and locales paths to be absolute
+      substituteInPlace src/invidious.cr \
+          --replace 'public_folder "assets"' 'public_folder "${placeholder "out"}/share/invidious/assets"'
+      substituteInPlace src/invidious/helpers/i18n.cr \
+          --replace 'File.read("locales/' 'File.read("${placeholder "out"}/share/invidious/locales/'
+
+      # Reference sql initialisation/migration scripts by absolute path
+      substituteInPlace src/invidious/database/base.cr \
+            --replace 'config/sql' '${placeholder "out"}/share/invidious/config/sql'
+
+      substituteInPlace src/invidious/user/captcha.cr \
+          --replace 'Process.run(%(rsvg-convert' 'Process.run(%(${lib.getBin librsvg}/bin/rsvg-convert'
+    '';
+
+  nativeBuildInputs = [ pkg-config shards ];
+  buildInputs = [ libxml2 openssl sqlite ];
+
+  format = "crystal";
+  shardsFile = ./shards.nix;
+  crystalBinaries.invidious = {
+    src = "src/invidious.cr";
+    options = [
+      #"--release"
+      "--debug"
+      "--progress"
+      "--verbose"
+      #"--no-debug"
+      "-Dskip_videojs_download"
+      "-Ddisable_quic"
+    ];
+  };
+
+  dontStrip = true;
+
+  postConfigure = ''
+    # lib includes nix store paths which can’t be patched, so the links have to
+    # be dereferenced first.
+    cp -rL lib lib2
+    rm -r lib
+    mv lib2 lib
+    chmod +w -R lib
+    cp ${lsquic}/lib/liblsquic.a lib/lsquic/src/lsquic/ext
+  '';
+
+  postInstall = ''
+    mkdir -p $out/share/invidious/config
+
+    # Copy static parts
+    cp -r assets locales $out/share/invidious
+    cp -r config/sql $out/share/invidious/config
+  '';
+
+  # Invidious tries to open config/config.yml and connect to the database, even
+  # when running --help. This specifies a minimal configuration in an
+  # environment variable. Even though the database is bogus, --help still
+  # works.
+  installCheckPhase = ''
+    INVIDIOUS_CONFIG="database_url: sqlite3:///dev/null" $out/bin/invidious --help
+  '';
+
+  passthru = {
+    inherit lsquic;
+    tests = { inherit (nixosTests) invidious; };
+    updateScript = ./update.sh;
+  };
+
+  meta = with lib; {
+    description = "An open source alternative front-end to YouTube";
+    homepage = "https://invidious.io/";
+    license = licenses.agpl3;
+    maintainers = with maintainers; [ infinisil sbruder ];
+    broken = stdenv.isDarwin && stdenv.isAarch64;
+  };
+}

overlay/invidious/lsquic.nix

@@ -0,0 +1,111 @@
+{ lib, boringssl, stdenv, fetchgit, fetchFromGitHub, fetchurl, cmake, zlib, perl, libevent }:
+let
+  versions = builtins.fromJSON (builtins.readFile ./versions.json);
+
+  fetchGitilesPatch = { name, url, sha256 }:
+    fetchurl {
+      url = "${url}%5E%21?format=TEXT";
+      inherit name sha256;
+      downloadToTemp = true;
+      postFetch = ''
+        base64 -d < $downloadedFile > $out
+      '';
+    };
+
+  # lsquic requires a specific boringssl version (noted in its README)
+  boringssl' = boringssl.overrideAttrs ({ preBuild, ... }: {
+    version = versions.boringssl.rev;
+    src = fetchgit {
+      url = "https://boringssl.googlesource.com/boringssl";
+      inherit (versions.boringssl) rev sha256;
+    };
+
+    patches = [
+      # Use /etc/ssl/certs/ca-certificates.crt instead of /etc/ssl/cert.pem
+      ./use-etc-ssl-certs.patch
+
+      # because lsquic requires that specific boringssl version and that
+      # version does not yet include fixes for gcc11 build errors, they
+      # must be backported
+      (fetchGitilesPatch {
+        name = "fix-mismatch-between-header-and-implementation-of-bn_sqr_comba8.patch";
+        url = "https://boringssl.googlesource.com/boringssl/+/139adff9b27eaf0bdaac664ec4c9a7db2fe3f920";
+        sha256 = "05sp602dvh50v46jkzmh4sf4wqnq5bwy553596g2rhxg75bailjj";
+      })
+      (fetchGitilesPatch {
+        name = "use-an-unsized-helper-for-truncated-SHA-512-variants.patch";
+        url = "https://boringssl.googlesource.com/boringssl/+/a24ab549e6ae246b391155d7bed3790ac0e07de2";
+        sha256 = "0483jkpg4g64v23ln2blb74xnmzdjcn3r7w4zk7nfg8j3q5f9lxm";
+      })
+/*
+      # the following patch is too complex, so we will modify the build flags
+      # of crypto/fipsmodule/CMakeFiles/fipsmodule.dir/bcm.c.o in preBuild
+      # and turn off -Werror=stringop-overflow
+      (fetchGitilesPatch {
+        name = "make-md32_common.h-single-included-and-use-an-unsized-helper-for-SHA-256.patch";
+        url = "https://boringssl.googlesource.com/boringssl/+/597ffef971dd980b7de5e97a0c9b7ca26eec94bc";
+        sha256 = "1y0bkkdf1ccd6crx326agp01q22clm4ai4p982y7r6dkmxmh52qr";
+      })
+*/
+      (fetchGitilesPatch {
+        name = "fix-array-parameter-warnings.patch";
+        url = "https://boringssl.googlesource.com/boringssl/+/92c6fbfc4c44dc8462d260d836020d2b793e7804";
+        sha256 = "0h4sl95i8b0dj0na4ngf50wg54raxyjxl1zzwdc810abglp10vnv";
+      })
+    ];
+
+    preBuild = ''
+      ${preBuild}
+      sed -e '/^build crypto\/fipsmodule\/CMakeFiles\/fipsmodule\.dir\/bcm\.c\.o:/,/^ *FLAGS =/ s/^ *FLAGS = -Werror/& -Wno-error=stringop-overflow/' \
+          -i build.ninja
+    '';
+  });
+in
+stdenv.mkDerivation rec {
+  pname = "lsquic";
+  version = versions.lsquic.version;
+
+  src = fetchFromGitHub {
+    owner = "litespeedtech";
+    repo = pname;
+    rev = "v${version}";
+    inherit (versions.lsquic) sha256;
+    fetchSubmodules = true;
+  };
+
+  nativeBuildInputs = [ cmake perl ];
+  buildInputs = [ boringssl' libevent zlib ];
+
+  cmakeFlags = [
+    "-DBORINGSSL_DIR=${lib.getDev boringssl'}"
+    "-DBORINGSSL_LIB_crypto=${lib.getLib boringssl'}/lib/libcrypto.a"
+    "-DBORINGSSL_LIB_ssl=${lib.getLib boringssl'}/lib/libssl.a"
+    "-DZLIB_LIB=${zlib}/lib/libz.so"
+  ];
+
+  # adapted from lsquic.cr’s Dockerfile
+  # (https://github.com/iv-org/lsquic.cr/blob/master/docker/Dockerfile)
+  installPhase = ''
+    runHook preInstall
+
+    mkdir combinedlib
+    cd combinedlib
+    ar -x ${lib.getLib boringssl'}/lib/libssl.a
+    ar -x ${lib.getLib boringssl'}/lib/libcrypto.a
+    ar -x ../src/liblsquic/liblsquic.a
+    ar rc liblsquic.a *.o
+    ranlib liblsquic.a
+    install -D liblsquic.a $out/lib/liblsquic.a
+
+    runHook postInstall
+  '';
+
+  passthru.boringssl = boringssl';
+
+  meta = with lib; {
+    description = "A library for QUIC and HTTP/3 (version for Invidious)";
+    homepage = "https://github.com/litespeedtech/lsquic";
+    maintainers = with maintainers; [ infinisil sbruder ];
+    license = with licenses; [ openssl isc mit bsd3 ]; # statically links against boringssl, so has to include its licenses
+  };
+}

overlay/invidious/shards.nix

@@ -20,14 +20,14 @@
   exception_page = {
     owner = "crystal-loot";
     repo = "exception_page";
-    rev = "v0.2.0";
-    sha256 = "0nlgnh5iykbr1v2132342k2mz6s2laws6nkgqsqlwhhcr4gb4jcx";
+    rev = "v0.2.2";
+    sha256 = "1c8askb9b7621jjz5pjj6b8pdbhw3r1l3dym6swg1saspf5j3jwi";
   };
   kemal = {
     owner = "kemalcr";
     repo = "kemal";
-    rev = "v1.1.0";
-    sha256 = "07vlvddy4mba9li2bvskzqzywwq55cyvlgkz13q6dsl4zfgc96ca";
+    rev = "v1.1.2";
+    sha256 = "1149q4qw0zrws5asqqr4snrdi67xsmisdcq58zcrbgqgsxgly9d0";
   };
   kilt = {
     owner = "jeromegn";
@@ -62,8 +62,8 @@
   spectator = {
     owner = "icy-arctic-fox";
     repo = "spectator";
-    rev = "v0.10.3";
-    sha256 = "0gh9g7ycn17n4g4sr728c8fdrrznx68alhpkwhcrzxxn2hgsp46v";
+    rev = "v0.10.4";
+    sha256 = "0rcxq2nbslvwrd8m9ajw6dzaw3hagxmkdy9s8p34cgnr4c9dijdq";
   };
   sqlite3 = {
     owner = "crystal-lang";
@@ -71,4 +71,10 @@
     rev = "v0.18.0";
     sha256 = "03nnvpchhq9f9ywsm3pk2rrj4a3figw7xs96zdziwgr5znkz6x93";
   };
+  ameba = {
+    owner = "crystal-ameba";
+    repo = "ameba";
+    rev = "v0.14.3";
+    sha256 = "1cfr95xi6hsyxw1wlrh571hc775xhwmssk3k14i8b7dgbwfmm5x1";
+  };
 }

overlay/invidious/update.sh

@@ -0,0 +1,96 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl crystal crystal2nix jq git moreutils nix nix-prefetch pkg-config
+git_url='https://github.com/iv-org/invidious.git'
+git_branch='master'
+git_dir='/var/tmp/invidious.git'
+pkg='invidious'
+
+set -euo pipefail
+
+cd "$(dirname "${BASH_SOURCE[0]}")"
+
+info() {
+    if [ -t 2 ]; then
+        set -- '\033[32m%s\033[39m\n' "$@"
+    else
+        set -- '%s\n' "$@"
+    fi
+    printf "$@" >&2
+}
+
+json_get() {
+    jq -r "$1" < 'versions.json'
+}
+
+json_set() {
+    jq --arg x "$2" "$1 = \$x" < 'versions.json' | sponge 'versions.json'
+}
+
+old_rev=$(json_get '.invidious.rev')
+old_version=$(json_get '.invidious.version')
+today=$(LANG=C date -u +'%Y-%m-%d')
+
+info "fetching $git_url..."
+if [ ! -d "$git_dir" ]; then
+    git init --initial-branch="$git_branch" "$git_dir"
+    git -C "$git_dir" remote add origin "$git_url"
+fi
+git -C "$git_dir" fetch origin "$git_branch"
+
+# use latest commit before today, we should not call the version *today*
+# because there might still be commits coming
+# use the day of the latest commit we picked as version
+new_rev=$(git -C "$git_dir" log -n 1 --format='format:%H' --before="${today}T00:00:00Z" "origin/$git_branch")
+new_version="unstable-$(TZ=UTC git -C "$git_dir" log -n 1 --date='format-local:%Y-%m-%d' --format='%cd' "$new_rev")"
+info "latest commit before $today: $new_rev"
+
+if [ "$new_rev" = "$old_rev" ]; then
+    info "$pkg is up-to-date."
+    exit
+fi
+
+json_set '.invidious.version' "$new_version"
+json_set '.invidious.rev' "$new_rev"
+new_sha256=$(nix-prefetch -I 'nixpkgs=../../..' "$pkg")
+json_set '.invidious.sha256' "$new_sha256"
+commit_msg="$pkg: $old_version -> $new_version"
+
+# fetch video.js dependencies
+info "Running scripts/fetch-player-dependencies.cr..."
+git -C "$git_dir" reset --hard "$new_rev"
+(cd "$git_dir" && crystal run scripts/fetch-player-dependencies.cr -- --minified)
+rm -f "$git_dir/assets/videojs/.gitignore"
+videojs_new_sha256=$(nix-hash --type sha256 --base32 "$git_dir/assets/videojs")
+json_set '.videojs.sha256' "$videojs_new_sha256"
+
+if git -C "$git_dir" diff-tree --quiet "${old_rev}..${new_rev}" -- 'shard.lock'; then
+    info "shard.lock did not change since $old_rev."
+else
+    info "Updating shards.nix..."
+    crystal2nix -- "$git_dir/shard.lock"  # argv's index seems broken
+
+    lsquic_old_version=$(json_get '.lsquic.version')
+    # lsquic.cr's version tracks lsquic's, so lsquic must be updated to the
+    # version in the shards file
+    lsquic_new_version=$(nix eval --raw -f 'shards.nix' lsquic.rev \
+        | sed -e 's/^v//' -e 's/-[0-9]*$//')
+    if [ "$lsquic_old_version" != "$lsquic_new_version" ]; then
+        info "Updating lsquic to $lsquic_new_version..."
+        json_set '.lsquic.version' "$lsquic_new_version"
+        lsquic_new_sha256=$(nix-prefetch -I 'nixpkgs=../../..' "${pkg}.lsquic")
+        json_set '.lsquic.sha256' "$lsquic_new_sha256"
+
+        info "Updating boringssl..."
+        # lsquic specifies the boringssl commit it requires in its README
+        boringssl_new_rev=$(curl -LSsf "https://github.com/litespeedtech/lsquic/raw/v${lsquic_new_version}/README.md" \
+            | grep -Pom1 '(?<=^git checkout ).*')
+        json_set '.boringssl.rev' "$boringssl_new_rev"
+        boringssl_new_sha256=$(nix-prefetch -I 'nixpkgs=../../..' "${pkg}.lsquic.boringssl")
+        json_set '.boringssl.sha256' "$boringssl_new_sha256"
+        commit_msg="$commit_msg
+
+lsquic: $lsquic_old_version -> $lsquic_new_version"
+    fi
+fi
+
+git commit --verbose --message "$commit_msg" -- versions.json shards.nix

overlay/invidious/use-etc-ssl-certs.patch

@@ -0,0 +1,13 @@
+diff --git a/crypto/x509/x509_def.c b/crypto/x509/x509_def.c
+index d2bc3e5c1..329580075 100644
+--- a/crypto/x509/x509_def.c
++++ b/crypto/x509/x509_def.c
+@@ -67,7 +67,7 @@
+ 
+ #define X509_CERT_AREA          OPENSSLDIR
+ #define X509_CERT_DIR           OPENSSLDIR "/certs"
+-#define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
++#define X509_CERT_FILE          "/etc/ssl/certs/ca-certificates.crt"
+ #define X509_PRIVATE_DIR        OPENSSLDIR "/private"
+ #define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
+ #define X509_CERT_FILE_EVP       "SSL_CERT_FILE"

overlay/invidious/versions.json

@@ -0,0 +1,18 @@
+{
+  "boringssl": {
+    "rev": "251b5169fd44345f455438312ec4e18ae07fd58c",
+    "sha256": "sha256-EU6T9yQCdOLx98Io8o01rEsgxDFF/Xoy42LgPopD2/A="
+  },
+  "invidious": {
+    "rev": "09942dee6621e7047a63dffcc61b3bbf78cef2c6",
+    "sha256": "sha256-0Cb1Qsn6vnrzd4pZm1GZxlVQNn5dYKUR/xWMCG37GSk=",
+    "version": "unstable-2022-11-02"
+  },
+  "lsquic": {
+    "sha256": "sha256-hG8cUvhbCNeMOsKkaJlgGpzUrIx47E/WhmPIdI5F3qM=",
+    "version": "2.18.1"
+  },
+  "videojs": {
+    "sha256": "0m09pc9acpzhfwwvc9dayl60nn28skmmglgvmlp48dlkqgfbgc27"
+  }
+}

overlay/invidious/videojs.nix

@@ -0,0 +1,18 @@
+{ stdenvNoCC, cacert, crystal, openssl, pkg-config, invidious }:
+
+let
+  versions = builtins.fromJSON (builtins.readFile ./versions.json);
+in
+stdenvNoCC.mkDerivation {
+  name = "videojs";
+
+  inherit (invidious) src;
+
+  builder = ./videojs.sh;
+
+  nativeBuildInputs = [ cacert crystal openssl pkg-config ];
+
+  outputHashAlgo = "sha256";
+  outputHashMode = "recursive";
+  outputHash = versions.videojs.sha256;
+}

overlay/invidious/videojs.sh

@@ -0,0 +1,9 @@
+source $stdenv/setup
+
+unpackPhase
+cd source
+# this helper downloads the videojs files and checks their checksums
+# against videojs-dependencies.yml so it should be pure
+crystal run scripts/fetch-player-dependencies.cr -- --minified
+rm -f assets/videojs/.gitignore
+mv assets/videojs "$out"

presets/nixos/desktop.nix

@@ -19,7 +19,6 @@
       home.apps.pavucontrol
       home.apps.mpv
 
-      home.apps.vivaldi
       home.apps.firefox
       home.apps.telegram
       home.apps.quassel

profiles/nix-gc.nix

@@ -3,6 +3,6 @@
   nix.gc = {
     automatic = true;
     dates = "daily";
-    options = "--delete-older-than 1d";
+    options = "--delete-older-than 10d";
   };
 }

scripts/update.sh

@@ -3,5 +3,5 @@
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 REPO_ROOT="${SCRIPT_DIR}/.."
 cd $REPO_ROOT
-
+./overlay/invidious/update.sh
 nix flake update

wg.key

@@ -1 +0,0 @@
-qCxTpFUKxcRZOg+uWUgphnr8+tfoy33IOpuuuDWZUEQ=

wg.pub

@@ -1 +0,0 @@
-+gZf6RttTQHh/kdYrucasSJgDFpyIaG1UdickV4Mfj4=