chaos/nixfiles
1
0
Fork 0
Code Issues 2 Releases Activity

stuff & possibly things, maybe a shenanigan or two idk

Browse source
This commit is contained in:
Chaos 2022-11-17 22:25:41 +00:00
parent ca7f4f5811
commit ce4a0b2486
No known key found for this signature in database
25 changed files with 523 additions and 373 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
deployNodes.nix
View file

@ -1,11 +1,12 @@
{ nixosConfigurations, deploy-rs, ... }:
let activateNixOS_x64_64-linux = deploy-rs.lib.x86_64-linux.activate.nixos;
in {
lappy = {
hostname = "lappy.tailscale-internal.genderfucked.monster";
tablet = {
hostname = "tablet.internal.genderfucked.monster";
profiles.system = {
user = "root";
path = activateNixOS_x64_64-linux nixosConfigurations.lappy;
sshUser = "root";
path = activateNixOS_x64_64-linux nixosConfigurations.tablet;
};
};
hetzner-vm = {

24
flake.lock
View file

@ -9,11 +9,11 @@
"utils": "utils"
},
"locked": {
"lastModified": 1668166163,
"narHash": "sha256-XCuM+n98KcG0v+DT1HolGCO3j5FOBUjV4K8YcZsVeQw=",
"lastModified": 1668453806,
"narHash": "sha256-rDyF0essyFdCIo336gI6nPjWhjoczGn701D1JID5wl8=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "b011f13bc577b978f52aaefde5605332f7bca7e9",
"rev": "be40823735bbdc40c1f6b7725c8b74d5a85d8023",
"type": "github"
},
"original": {
@ -100,11 +100,11 @@
"utils": "utils_3"
},
"locked": {
"lastModified": 1667981810,
"narHash": "sha256-p27zd5M+OkfND46gzbGkaHlNBZsYe95M48OJuFeuuSY=",
"lastModified": 1668332334,
"narHash": "sha256-YT1qcE/MCqBO1Bi/Yr6GcFpNKsvmzrBKh8juyXDbxQc=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "6ce3493a3c5c6a8f4cfa6f5f88723272e0cfd335",
"rev": "bc90de24d898655542589237cc0a6ada7564cb6c",
"type": "github"
},
"original": {
@ -137,11 +137,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1667991831,
"narHash": "sha256-DHgEsLZI044B9T4AjA3K6+yB9/DqLr4dyA7OIx0FG7o=",
"lastModified": 1668596599,
"narHash": "sha256-rhHyZTGI31/OfgYa9xF49UTchDXTI94pEsSNa0fOkpk=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "872fceeed60ae6b7766cc0a4cd5bf5901b9098ec",
"rev": "b457130e8a21608675ddf12c7d85227b22a27112",
"type": "github"
},
"original": {
@ -153,11 +153,11 @@
},
"nur": {
"locked": {
"lastModified": 1668255064,
"narHash": "sha256-JWVzaBAC9eL+Eg/SG71ZPSDQQd/eO9sS2YNGrlDDEH4=",
"lastModified": 1668680510,
"narHash": "sha256-5O/8cXku2/JxY3AglxnzWRb3I8kFZSQRh3YHLeegYA8=",
"owner": "nix-community",
"repo": "NUR",
"rev": "9a0be7d4b9de779707b8788c6bdaaf23160a7975",
"rev": "6970572e6143893eab37a8aacfe9dd872d48a867",
"type": "github"
},
"original": {

2
hosts/hetzner-vm/hetzner-vm.nix
View file

@ -17,7 +17,7 @@
hosts.hetzner-vm.profiles.mpd
hosts.hetzner-vm.profiles.mailserver
hosts.hetzner-vm.profiles.gitlab-static-sites
hosts.hetzner-vm.profiles.lappy-dev
#hosts.hetzner-vm.profiles.lappy-dev
hosts.hetzner-vm.profiles.misskey
hosts.hetzner-vm.profiles.wireguard

7
hosts/tablet/profiles/harry-vpn.nix
View file

@ -1,4 +1,6 @@
{ pkgs, ... }: {
{ config, pkgs, ... }:
let secrets = config.services.secrets.secrets;
in {
environment.systemPackages = with pkgs; [ wireguard-tools ];
networking.wg-quick.interfaces = {
wg-harry-vpn = {
@ -6,10 +8,11 @@
address = [ "185.186.9.71/26" "2a0b:6b84:2022:6::1/64" ];
dns = [ "8.8.8.8" ];
mtu = 1280;
privateKeyFile = "/secrets/harry_vpn_wg_priv";
privateKeyFile = "${secrets.wg_harry_priv.path}";
peers = [{
publicKey = "7B6KSFqTHM7A7Nv24GIeUhDDh2XnlT7UqG5U+Si+zmc=";
presharedKeyFile = "${secrets.wg_harry_preshared.path}";
allowedIPs = [ "0.0.0.0/0" "::/0" ];
endpoint = "185.186.9.1:8081";
persistentKeepalive = 25;

14
hosts/tablet/profiles/wireguard.nix
View file

@ -1,16 +1,18 @@
{ ... }:
let secrets-db = (import ../secrets-db.nix { });
{ config, ... }:
let secrets = config.services.secrets.secrets;
in {
networking.firewall.trustedInterfaces = [ "wg0" ];
networking.wg-quick.interfaces = {
wg0 = {
address = [ "10.69.42.2/32" ];
privateKeyFile = "${secrets-db.wg_priv.path}";
privateKeyFile = "${secrets.wg_priv.path}";
peers = [
# hetzner-vm
{
publicKey = "UJr+EmUM7KWkIy0nk0JA38ibvcLC++6iuOKkHdrx9Dc=";
presharedKeyFile = "${secrets-db.wg_preshared_hetzner-vm.path}";
presharedKeyFile = "${secrets.wg_preshared_hetzner-vm.path}";
allowedIPs = [ "10.69.42.1/32" ];
endpoint = "hetzner-vm.servers.genderfucked.monster:51820";
persistentKeepalive = 25;
@ -18,7 +20,7 @@ in {
# vault
{
publicKey = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc=";
presharedKeyFile = "${secrets-db.wg_preshared_vault.path}";
presharedKeyFile = "${secrets.wg_preshared_vault.path}";
allowedIPs = [ "10.69.42.3/32" ];
endpoint = "vault.servers.genderfucked.monster:51820";
persistentKeepalive = 25;
@ -26,7 +28,7 @@ in {
# storage
{
publicKey = "biNNeCkjAWi2jUVoL5+1pBtXGa3OFZi4DltB2dqGjGg=";
presharedKeyFile = "${secrets-db.wg_preshared_storage.path}";
presharedKeyFile = "${secrets.wg_preshared_storage.path}";
allowedIPs = [ "10.69.42.4/32" ];
endpoint = "storage.servers.genderfucked.monster:51820";
persistentKeepalive = 25;

39
hosts/tablet/secrets-db.nix
View file

@ -1,39 +0,0 @@
{ }: {
# Manually Created, Not Stored In Vault
usb_encryption_passphrase = {
user = "root";
group = "root";
permissions = "660";
path = "/secrets/usb_encryption_passphrase";
};
music_stream_password = {
user = "chaos";
group = "users";
permissions = "660";
path = "/secrets/music_stream_password";
};
wg_priv = {
user = "root";
group = "root";
permissions = "660";
path = "/secrets/wg_priv";
};
wg_preshared_hetzner-vm = {
user = "root";
group = "root";
permissions = "660";
path = "/secrets/wg_preshared_hetzner-vm";
};
wg_preshared_vault = {
user = "root";
group = "root";
permissions = "660";
path = "/secrets/wg_preshared_vault";
};
wg_preshared_storage = {
user = "root";
group = "root";
permissions = "660";
path = "/secrets/wg_preshared_storage";
};
}

97
hosts/tablet/secrets.nix
View file

@ -1,54 +1,45 @@
{ pkgs, ... }:
let secrets-db = (import ./secrets-db.nix { });
in {
systemd.tmpfiles.rules = [ "d /secrets - root root" ];
environment.systemPackages = [
(pkgs.writeShellScriptBin "init-secrets" ''
set -e -o pipefail
VAULT_ADDR_DEFAULT="https://vault.owo.monster"
[ -z "$VAULT_ADDR" ] && export VAULT_ADDR="$VAULT_ADDR_DEFAULT"
export PATH=$PATH:${pkgs.vault}/bin
export PATH=$PATH:${pkgs.jq}/bin
kv_get() {
vault kv get -format json $1
}
simple_get() {
kv_get $1 | jq .data.data$2 -r
}
file=${secrets-db.music_stream_password.path}
echo $file
simple_get "/api-keys/music-stream" .password > $file
chown ${secrets-db.music_stream_password.user}:${secrets-db.music_stream_password.group} $file
chmod ${secrets-db.music_stream_password.permissions} $file
file=${secrets-db.wg_priv.path}
echo $file
simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .private > $file
chown ${secrets-db.wg_priv.user}:${secrets-db.wg_priv.group} $file
chmod ${secrets-db.wg_priv.permissions} $file
file=${secrets-db.wg_preshared_hetzner-vm.path}
echo $file
simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.hetzner_vm > $file
chown ${secrets-db.wg_preshared_hetzner-vm.user}:${secrets-db.wg_preshared_hetzner-vm.group} $file
chmod ${secrets-db.wg_preshared_hetzner-vm.permissions} $file
file=${secrets-db.wg_preshared_vault.path}
echo $file
simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.vault > $file
chown ${secrets-db.wg_preshared_vault.user}:${secrets-db.wg_preshared_vault.group} $file
chmod ${secrets-db.wg_preshared_vault.permissions} $file
file=${secrets-db.wg_preshared_storage.path}
echo $file
simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.storage > $file
chown ${secrets-db.wg_preshared_storage.user}:${secrets-db.wg_preshared_storage.group} $file
chmod ${secrets-db.wg_preshared_storage.permissions} $file
'')
];
{ pkgs, ... }: {
services.secrets = {
enable = true;
secrets = {
usb_encryption_passphrase = { manual = true; };
music_stream_password = {
user = "chaos";
group = "users";
fetchScript = ''
simple_get "/api-keys/music-stream" .password > $secretFile
'';
};
wg_priv = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .private > $secretFile
'';
};
wg_preshared_hetzner-vm = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.hetzner_vm > $secretFile
'';
};
wg_preshared_vault = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.vault > $secretFile
'';
};
wg_preshared_storage = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.storage > $secretFile
'';
};
wg_harry_priv = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/harry/tablet" .private > $secretFile
'';
};
wg_harry_preshared = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/harry/tablet" .preshared_keys.main > $secretFile
'';
};
};
};
}

15
hosts/tablet/tablet.nix
View file

@ -36,21 +36,6 @@
networking.enableIPv6 = false;
# let vscode, vivaldi, etc work.
security.unprivilegedUsernsClone = true;
nix.settings.auto-optimise-store = true;
nix.gc = {
automatic = true;
dates = "daily";
options = "--delete-older-than 30d";
};
nix.extraOptions = ''
keep-outputs = true
keep-derivations = true
'';
networking.hostName = "tablet";
time.timeZone = "Europe/London";

98
hosts/vault/secrets.nix
View file

@ -1,64 +1,46 @@
{ pkgs, ... }:
let secrets-db = (import ./secrets-db.nix { });
in {
systemd.tmpfiles.rules = [ "d /secrets - root root" ];
environment.systemPackages = [
(pkgs.writeShellScriptBin "init-secrets" ''
set -e -o pipefail
VAULT_ADDR_DEFAULT="https://vault.owo.monster"
[ -n "$VAULT_ADDR" ] && export VAULT_ADDR="$VAULT_ADDR_DEFAULT"
export PATH=$PATH:${pkgs.vault}/bin
export PATH=$PATH:${pkgs.jq}/bin
kv_get() {
vault kv get -format json $1
}
simple_get() {
kv_get $1 | jq .data.data$2 -r
}
simple_get "/private-public-keys/restic/Vault" .password > /secrets/restic_password
chown ${secrets-db.restic_password.user}:${secrets-db.restic_password.group} /secrets/restic_password
chmod ${secrets-db.restic_password.permissions} /secrets/restic_password
services.secrets = {
enable = true;
secrets = {
restic_password = {
fetchScript = ''
simple_get "/private-public-keys/restic/Vault" .password > $secretFile
'';
};
restic_env = {
fetchScript = ''
RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Vault" .username)
RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Vault" .password)
echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > /secrets/restic_env
chown ${secrets-db.restic_env.user}:${secrets-db.restic_env.group} /secrets/restic_env
chmod ${secrets-db.restic_env.permissions} /secrets/restic_env
file=${secrets-db.wg_priv.path}
echo $file
simple_get "/private-public-keys/wireguard/chaos-internal/vault" .private > $file
chown ${secrets-db.wg_priv.user}:${secrets-db.wg_priv.group} $file
chmod ${secrets-db.wg_priv.permissions} $file
file=${secrets-db.wg_preshared_hetzner-vm.path}
echo $file
simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.hetzner_vm > $file
chown ${secrets-db.wg_preshared_hetzner-vm.user}:${secrets-db.wg_preshared_hetzner-vm.group} $file
chmod ${secrets-db.wg_preshared_hetzner-vm.permissions} $file
file=${secrets-db.wg_preshared_tablet.path}
echo $file
simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.tablet > $file
chown ${secrets-db.wg_preshared_tablet.user}:${secrets-db.wg_preshared_tablet.group} $file
chmod ${secrets-db.wg_preshared_tablet.permissions} $file
file=${secrets-db.wg_preshared_storage.path}
echo $file
simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.storage > $file
chown ${secrets-db.wg_preshared_storage.user}:${secrets-db.wg_preshared_storage.group} $file
chmod ${secrets-db.wg_preshared_storage.permissions} $file
file=${secrets-db.wg_preshared_iphone8.path}
echo $file
simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.iphone8 > $file
chown ${secrets-db.wg_preshared_iphone8.user}:${secrets-db.wg_preshared_iphone8.group} $file
chmod ${secrets-db.wg_preshared_iphone8.permissions} $file
'')
];
echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > $secretFile
'';
};
wg_priv = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/vault" .private > $secretFile
'';
};
wg_preshared_hetzner-vm = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.hetzner_vm > $secretFile
'';
};
wg_preshared_tablet = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.tablet > $secretFile
'';
};
wg_preshared_storage = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.storage > $secretFile
'';
};
wg_preshared_iphone8 = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.iphone8 > $secretFile
'';
};
};
};
}

7
overlay/default.nix
View file

@ -1,8 +1,11 @@
final: prev: {
comic-sans = final.callPackage ./comic-sans { };
comic-code = final.callPackage ./comic-code { };
zar = final.callPackage ./zar { };
gobar = final.callPackage ./gobar { };
roc-toolkit-patched = final.callPackage ./roc-toolkit-patched { };
roc-send-pcm = final.callPackage ./roc-send-pcm { };
invidious = final.callPackage ./invidious {
lsquic = final.callPackage ./invidious/lsquic.nix { };
videojs = final.callPackage ./invidious/videojs.nix { };
};
}

106
overlay/invidious-latest/default.nix
View file

@ -1,106 +0,0 @@
{ lib, crystal, fetchFromGitHub, librsvg, pkg-config, libxml2, openssl, sqlite
, lsquic, shards }:
let
# When updating, always update the following:
# * the git revision
# * the version attribute
# * the source hash (sha256)
# If the shards.lock file changed, also the following:
# * shards.nix (by running `crystal2nix` in invidious source tree)
# * If the lsquic.cr dependency changed: lsquic in lsquic.nix (version, sha256)
# * If the lsquic version changed: boringssl' in lsquic.nix (version, sha256)
rev = "d928b9eaadc8298f2e92a766fdd10c79e6048858";
in crystal.buildCrystalPackage rec {
pname = "invidious";
version = "master";
src = fetchFromGitHub {
owner = "iv-org";
repo = pname;
inherit rev;
sha256 = "sha256-WojYv9HMqS3UcZFewgE/svbpqeAY6BIyAtxAMfdn1xk=";
};
postPatch = let
# Replacing by the value (templates) of the variables ensures that building
# fails if upstream changes the way the metadata is formatted.
branchTemplate = ''{{ "#{`git branch | sed -n '/* /s///p'`.strip}" }}'';
commitTemplate =
''{{ "#{`git rev-list HEAD --max-count=1 --abbrev-commit`.strip}" }}'';
versionTemplate = ''
{{ "#{`git log -1 --format=%ci | awk '{print $1}' | sed s/-/./g`.strip}" }}'';
# This always uses the latest commit which invalidates the cache even if
# the assets were not changed
assetCommitTemplate = ''
{{ "#{`git rev-list HEAD --max-count=1 --abbrev-commit -- assets`.strip}" }}'';
in ''
# Use the version metadata from the derivation instead of using git at
# build-time
substituteInPlace src/invidious.cr \
--replace ${lib.escapeShellArg branchTemplate} '"master"' \
--replace ${lib.escapeShellArg commitTemplate} '"${
lib.substring 0 7 rev
}"' \
--replace ${lib.escapeShellArg versionTemplate} '"${
lib.replaceChars [ "-" ] [ "." ] (lib.substring 9 10 version)
}"' \
--replace ${lib.escapeShellArg assetCommitTemplate} '"${
lib.substring 0 7 rev
}"'
# Patch the assets and locales paths to be absolute
substituteInPlace src/invidious.cr \
--replace 'public_folder "assets"' 'public_folder "${
placeholder "out"
}/share/invidious/assets"'
substituteInPlace src/invidious/helpers/i18n.cr \
--replace 'File.read("locales/' 'File.read("${
placeholder "out"
}/share/invidious/locales/'
# Reference sql initialisation/migration scripts by absolute path
substituteInPlace src/invidious/database/base.cr \
--replace 'config/sql' '${
placeholder "out"
}/share/invidious/config/sql'
substituteInPlace src/invidious/users.cr \
--replace 'Process.run(%(rsvg-convert' 'Process.run(%(${
lib.getBin librsvg
}/bin/rsvg-convert'
'';
# shards required for spectator
nativeBuildInputs = [ pkg-config shards ];
buildInputs = [ libxml2 openssl sqlite ];
format = "crystal";
shardsFile = ./shards.nix;
crystalBinaries.invidious.src = "src/invidious.cr";
postConfigure = ''
# lib includes nix store paths which cant be patched, so the links have to
# be dereferenced first.
cp -rL lib lib2
rm -r lib
mv lib2 lib
chmod +w -R lib
cp ${lsquic}/lib/liblsquic.a lib/lsquic/src/lsquic/ext
'';
postInstall = ''
mkdir -p $out/share/invidious/config
# Copy static parts
cp -r assets locales $out/share/invidious
cp -r config/sql $out/share/invidious/config
'';
# Invidious tries to open config/config.yml and connect to the database, even
# when running --help. This specifies a minimal configuration in an
# environment variable. Even though the database is bogus, --help still
# works.
installCheckPhase = ''
INVIDIOUS_CONFIG="database_url: sqlite3:///dev/null" $out/bin/invidious --help
'';
}

63
overlay/invidious-latest/lsquic.nix
View file

@ -1,63 +0,0 @@
{ lib, boringssl, stdenv, fetchgit, fetchFromGitHub, cmake, zlib, perl, libevent
}:
let
# lsquic requires a specific boringssl version (noted in its README)
boringssl' = boringssl.overrideAttrs (old: rec {
version = "251b5169fd44345f455438312ec4e18ae07fd58c";
src = fetchgit {
url = "https://boringssl.googlesource.com/boringssl";
rev = version;
sha256 = "sha256-EU6T9yQCdOLx98Io8o01rEsgxDFF/Xoy42LgPopD2/A=";
};
});
in stdenv.mkDerivation rec {
pname = "lsquic";
version = "2.18.1";
src = fetchFromGitHub {
owner = "litespeedtech";
repo = pname;
rev = "v${version}";
sha256 = "sha256-hG8cUvhbCNeMOsKkaJlgGpzUrIx47E/WhmPIdI5F3qM=";
fetchSubmodules = true;
};
nativeBuildInputs = [ cmake perl ];
buildInputs = [ boringssl' libevent zlib ];
cmakeFlags = [
"-DBORINGSSL_DIR=${lib.getDev boringssl'}"
"-DBORINGSSL_LIB_crypto=${lib.getLib boringssl'}/lib/libcrypto.a"
"-DBORINGSSL_LIB_ssl=${lib.getLib boringssl'}/lib/libssl.a"
"-DZLIB_LIB=${zlib}/lib/libz.so"
];
# adapted from lsquic.crs Dockerfile
# (https://github.com/iv-org/lsquic.cr/blob/master/docker/Dockerfile)
installPhase = ''
runHook preInstall
mkdir combinedlib
cd combinedlib
ar -x ${lib.getLib boringssl'}/lib/libssl.a
ar -x ${lib.getLib boringssl'}/lib/libcrypto.a
ar -x ../src/liblsquic/liblsquic.a
ar rc liblsquic.a *.o
ranlib liblsquic.a
install -D liblsquic.a $out/lib/liblsquic.a
runHook postInstall
'';
meta = with lib; {
description = "A library for QUIC and HTTP/3 (version for Invidious)";
homepage = "https://github.com/litespeedtech/lsquic";
maintainers = with maintainers; [ infinisil sbruder ];
license = with licenses; [
openssl
isc
mit
bsd3
]; # statically links against boringssl, so has to include its licenses
};
}

123
overlay/invidious/default.nix Normal file
View file

@ -0,0 +1,123 @@
{ lib, stdenv, crystal, fetchFromGitHub, librsvg, pkg-config, libxml2, openssl, shards, sqlite, lsquic, videojs, nixosTests }:
let
# All versions, revisions, and checksums are stored in ./versions.json.
# The update process is the following:
# * pick the latest commit
# * update .invidious.rev, .invidious.version, and .invidious.sha256
# * prefetch the videojs dependencies with scripts/fetch-player-dependencies.cr
# and update .videojs.sha256 (they are normally fetched during build
# but nix's sandboxing does not allow that)
# * if shard.lock changed
# * recreate shards.nix by running crystal2nix
# * update lsquic and boringssl if necessarry, lsquic.cr depends on
# the same version of lsquic and lsquic requires the boringssl
# commit mentioned in its README
versions = builtins.fromJSON (builtins.readFile ./versions.json);
in
crystal.buildCrystalPackage rec {
pname = "invidious";
inherit (versions.invidious) version;
src = fetchFromGitHub {
owner = "iv-org";
repo = pname;
fetchSubmodules = true;
inherit (versions.invidious) rev sha256;
};
postPatch =
let
# Replacing by the value (templates) of the variables ensures that building
# fails if upstream changes the way the metadata is formatted.
branchTemplate = ''{{ "#{`git branch | sed -n '/* /s///p'`.strip}" }}'';
commitTemplate = ''{{ "#{`git rev-list HEAD --max-count=1 --abbrev-commit`.strip}" }}'';
versionTemplate = ''{{ "#{`git log -1 --format=%ci | awk '{print $1}' | sed s/-/./g`.strip}" }}'';
# This always uses the latest commit which invalidates the cache even if
# the assets were not changed
assetCommitTemplate = ''{{ "#{`git rev-list HEAD --max-count=1 --abbrev-commit -- assets`.strip}" }}'';
in
''
for d in ${videojs}/*; do ln -s "$d" assets/videojs; done
# Use the version metadata from the derivation instead of using git at
# build-time
substituteInPlace src/invidious.cr \
--replace ${lib.escapeShellArg branchTemplate} '"master"' \
--replace ${lib.escapeShellArg commitTemplate} '"${lib.substring 0 7 versions.invidious.rev}"' \
--replace ${lib.escapeShellArg versionTemplate} '"${lib.replaceChars ["-"] ["."] (lib.substring 9 10 version)}"' \
--replace ${lib.escapeShellArg assetCommitTemplate} '"${lib.substring 0 7 versions.invidious.rev}"'
# Patch the assets and locales paths to be absolute
substituteInPlace src/invidious.cr \
--replace 'public_folder "assets"' 'public_folder "${placeholder "out"}/share/invidious/assets"'
substituteInPlace src/invidious/helpers/i18n.cr \
--replace 'File.read("locales/' 'File.read("${placeholder "out"}/share/invidious/locales/'
# Reference sql initialisation/migration scripts by absolute path
substituteInPlace src/invidious/database/base.cr \
--replace 'config/sql' '${placeholder "out"}/share/invidious/config/sql'
substituteInPlace src/invidious/user/captcha.cr \
--replace 'Process.run(%(rsvg-convert' 'Process.run(%(${lib.getBin librsvg}/bin/rsvg-convert'
'';
nativeBuildInputs = [ pkg-config shards ];
buildInputs = [ libxml2 openssl sqlite ];
format = "crystal";
shardsFile = ./shards.nix;
crystalBinaries.invidious = {
src = "src/invidious.cr";
options = [
#"--release"
"--debug"
"--progress"
"--verbose"
#"--no-debug"
"-Dskip_videojs_download"
"-Ddisable_quic"
];
};
dontStrip = true;
postConfigure = ''
# lib includes nix store paths which cant be patched, so the links have to
# be dereferenced first.
cp -rL lib lib2
rm -r lib
mv lib2 lib
chmod +w -R lib
cp ${lsquic}/lib/liblsquic.a lib/lsquic/src/lsquic/ext
'';
postInstall = ''
mkdir -p $out/share/invidious/config
# Copy static parts
cp -r assets locales $out/share/invidious
cp -r config/sql $out/share/invidious/config
'';
# Invidious tries to open config/config.yml and connect to the database, even
# when running --help. This specifies a minimal configuration in an
# environment variable. Even though the database is bogus, --help still
# works.
installCheckPhase = ''
INVIDIOUS_CONFIG="database_url: sqlite3:///dev/null" $out/bin/invidious --help
'';
passthru = {
inherit lsquic;
tests = { inherit (nixosTests) invidious; };
updateScript = ./update.sh;
};
meta = with lib; {
description = "An open source alternative front-end to YouTube";
homepage = "https://invidious.io/";
license = licenses.agpl3;
maintainers = with maintainers; [ infinisil sbruder ];
broken = stdenv.isDarwin && stdenv.isAarch64;
};
}

111
overlay/invidious/lsquic.nix Normal file
View file

@ -0,0 +1,111 @@
{ lib, boringssl, stdenv, fetchgit, fetchFromGitHub, fetchurl, cmake, zlib, perl, libevent }:
let
versions = builtins.fromJSON (builtins.readFile ./versions.json);
fetchGitilesPatch = { name, url, sha256 }:
fetchurl {
url = "${url}%5E%21?format=TEXT";
inherit name sha256;
downloadToTemp = true;
postFetch = ''
base64 -d < $downloadedFile > $out
'';
};
# lsquic requires a specific boringssl version (noted in its README)
boringssl' = boringssl.overrideAttrs ({ preBuild, ... }: {
version = versions.boringssl.rev;
src = fetchgit {
url = "https://boringssl.googlesource.com/boringssl";
inherit (versions.boringssl) rev sha256;
};
patches = [
# Use /etc/ssl/certs/ca-certificates.crt instead of /etc/ssl/cert.pem
./use-etc-ssl-certs.patch
# because lsquic requires that specific boringssl version and that
# version does not yet include fixes for gcc11 build errors, they
# must be backported
(fetchGitilesPatch {
name = "fix-mismatch-between-header-and-implementation-of-bn_sqr_comba8.patch";
url = "https://boringssl.googlesource.com/boringssl/+/139adff9b27eaf0bdaac664ec4c9a7db2fe3f920";
sha256 = "05sp602dvh50v46jkzmh4sf4wqnq5bwy553596g2rhxg75bailjj";
})
(fetchGitilesPatch {
name = "use-an-unsized-helper-for-truncated-SHA-512-variants.patch";
url = "https://boringssl.googlesource.com/boringssl/+/a24ab549e6ae246b391155d7bed3790ac0e07de2";
sha256 = "0483jkpg4g64v23ln2blb74xnmzdjcn3r7w4zk7nfg8j3q5f9lxm";
})
/*
# the following patch is too complex, so we will modify the build flags
# of crypto/fipsmodule/CMakeFiles/fipsmodule.dir/bcm.c.o in preBuild
# and turn off -Werror=stringop-overflow
(fetchGitilesPatch {
name = "make-md32_common.h-single-included-and-use-an-unsized-helper-for-SHA-256.patch";
url = "https://boringssl.googlesource.com/boringssl/+/597ffef971dd980b7de5e97a0c9b7ca26eec94bc";
sha256 = "1y0bkkdf1ccd6crx326agp01q22clm4ai4p982y7r6dkmxmh52qr";
})
*/
(fetchGitilesPatch {
name = "fix-array-parameter-warnings.patch";
url = "https://boringssl.googlesource.com/boringssl/+/92c6fbfc4c44dc8462d260d836020d2b793e7804";
sha256 = "0h4sl95i8b0dj0na4ngf50wg54raxyjxl1zzwdc810abglp10vnv";
})
];
preBuild = ''
${preBuild}
sed -e '/^build crypto\/fipsmodule\/CMakeFiles\/fipsmodule\.dir\/bcm\.c\.o:/,/^ *FLAGS =/ s/^ *FLAGS = -Werror/& -Wno-error=stringop-overflow/' \
-i build.ninja
'';
});
in
stdenv.mkDerivation rec {
pname = "lsquic";
version = versions.lsquic.version;
src = fetchFromGitHub {
owner = "litespeedtech";
repo = pname;
rev = "v${version}";
inherit (versions.lsquic) sha256;
fetchSubmodules = true;
};
nativeBuildInputs = [ cmake perl ];
buildInputs = [ boringssl' libevent zlib ];
cmakeFlags = [
"-DBORINGSSL_DIR=${lib.getDev boringssl'}"
"-DBORINGSSL_LIB_crypto=${lib.getLib boringssl'}/lib/libcrypto.a"
"-DBORINGSSL_LIB_ssl=${lib.getLib boringssl'}/lib/libssl.a"
"-DZLIB_LIB=${zlib}/lib/libz.so"
];
# adapted from lsquic.crs Dockerfile
# (https://github.com/iv-org/lsquic.cr/blob/master/docker/Dockerfile)
installPhase = ''
runHook preInstall
mkdir combinedlib
cd combinedlib
ar -x ${lib.getLib boringssl'}/lib/libssl.a
ar -x ${lib.getLib boringssl'}/lib/libcrypto.a
ar -x ../src/liblsquic/liblsquic.a
ar rc liblsquic.a *.o
ranlib liblsquic.a
install -D liblsquic.a $out/lib/liblsquic.a
runHook postInstall
'';
passthru.boringssl = boringssl';
meta = with lib; {
description = "A library for QUIC and HTTP/3 (version for Invidious)";
homepage = "https://github.com/litespeedtech/lsquic";
maintainers = with maintainers; [ infinisil sbruder ];
license = with licenses; [ openssl isc mit bsd3 ]; # statically links against boringssl, so has to include its licenses
};
}

18
overlay/invidious-latest/shards.nix → overlay/invidious/shards.nix
View file

@ -20,14 +20,14 @@
exception_page = {
owner = "crystal-loot";
repo = "exception_page";
rev = "v0.2.0";
sha256 = "0nlgnh5iykbr1v2132342k2mz6s2laws6nkgqsqlwhhcr4gb4jcx";
rev = "v0.2.2";
sha256 = "1c8askb9b7621jjz5pjj6b8pdbhw3r1l3dym6swg1saspf5j3jwi";
};
kemal = {
owner = "kemalcr";
repo = "kemal";
rev = "v1.1.0";
sha256 = "07vlvddy4mba9li2bvskzqzywwq55cyvlgkz13q6dsl4zfgc96ca";
rev = "v1.1.2";
sha256 = "1149q4qw0zrws5asqqr4snrdi67xsmisdcq58zcrbgqgsxgly9d0";
};
kilt = {
owner = "jeromegn";
@ -62,8 +62,8 @@
spectator = {
owner = "icy-arctic-fox";
repo = "spectator";
rev = "v0.10.3";
sha256 = "0gh9g7ycn17n4g4sr728c8fdrrznx68alhpkwhcrzxxn2hgsp46v";
rev = "v0.10.4";
sha256 = "0rcxq2nbslvwrd8m9ajw6dzaw3hagxmkdy9s8p34cgnr4c9dijdq";
};
sqlite3 = {
owner = "crystal-lang";
@ -71,4 +71,10 @@
rev = "v0.18.0";
sha256 = "03nnvpchhq9f9ywsm3pk2rrj4a3figw7xs96zdziwgr5znkz6x93";
};
ameba = {
owner = "crystal-ameba";
repo = "ameba";
rev = "v0.14.3";
sha256 = "1cfr95xi6hsyxw1wlrh571hc775xhwmssk3k14i8b7dgbwfmm5x1";
};
}

96
overlay/invidious/update.sh Executable file
View file

@ -0,0 +1,96 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p curl crystal crystal2nix jq git moreutils nix nix-prefetch pkg-config
git_url='https://github.com/iv-org/invidious.git'
git_branch='master'
git_dir='/var/tmp/invidious.git'
pkg='invidious'
set -euo pipefail
cd "$(dirname "${BASH_SOURCE[0]}")"
info() {
if [ -t 2 ]; then
set -- '\033[32m%s\033[39m\n' "$@"
else
set -- '%s\n' "$@"
fi
printf "$@" >&2
}
json_get() {
jq -r "$1" < 'versions.json'
}
json_set() {
jq --arg x "$2" "$1 = \$x" < 'versions.json' | sponge 'versions.json'
}
old_rev=$(json_get '.invidious.rev')
old_version=$(json_get '.invidious.version')
today=$(LANG=C date -u +'%Y-%m-%d')
info "fetching $git_url..."
if [ ! -d "$git_dir" ]; then
git init --initial-branch="$git_branch" "$git_dir"
git -C "$git_dir" remote add origin "$git_url"
fi
git -C "$git_dir" fetch origin "$git_branch"
# use latest commit before today, we should not call the version *today*
# because there might still be commits coming
# use the day of the latest commit we picked as version
new_rev=$(git -C "$git_dir" log -n 1 --format='format:%H' --before="${today}T00:00:00Z" "origin/$git_branch")
new_version="unstable-$(TZ=UTC git -C "$git_dir" log -n 1 --date='format-local:%Y-%m-%d' --format='%cd' "$new_rev")"
info "latest commit before $today: $new_rev"
if [ "$new_rev" = "$old_rev" ]; then
info "$pkg is up-to-date."
exit
fi
json_set '.invidious.version' "$new_version"
json_set '.invidious.rev' "$new_rev"
new_sha256=$(nix-prefetch -I 'nixpkgs=../../..' "$pkg")
json_set '.invidious.sha256' "$new_sha256"
commit_msg="$pkg: $old_version -> $new_version"
# fetch video.js dependencies
info "Running scripts/fetch-player-dependencies.cr..."
git -C "$git_dir" reset --hard "$new_rev"
(cd "$git_dir" && crystal run scripts/fetch-player-dependencies.cr -- --minified)
rm -f "$git_dir/assets/videojs/.gitignore"
videojs_new_sha256=$(nix-hash --type sha256 --base32 "$git_dir/assets/videojs")
json_set '.videojs.sha256' "$videojs_new_sha256"
if git -C "$git_dir" diff-tree --quiet "${old_rev}..${new_rev}" -- 'shard.lock'; then
info "shard.lock did not change since $old_rev."
else
info "Updating shards.nix..."
crystal2nix -- "$git_dir/shard.lock" # argv's index seems broken
lsquic_old_version=$(json_get '.lsquic.version')
# lsquic.cr's version tracks lsquic's, so lsquic must be updated to the
# version in the shards file
lsquic_new_version=$(nix eval --raw -f 'shards.nix' lsquic.rev \
| sed -e 's/^v//' -e 's/-[0-9]*$//')
if [ "$lsquic_old_version" != "$lsquic_new_version" ]; then
info "Updating lsquic to $lsquic_new_version..."
json_set '.lsquic.version' "$lsquic_new_version"
lsquic_new_sha256=$(nix-prefetch -I 'nixpkgs=../../..' "${pkg}.lsquic")
json_set '.lsquic.sha256' "$lsquic_new_sha256"
info "Updating boringssl..."
# lsquic specifies the boringssl commit it requires in its README
boringssl_new_rev=$(curl -LSsf "https://github.com/litespeedtech/lsquic/raw/v${lsquic_new_version}/README.md" \
| grep -Pom1 '(?<=^git checkout ).*')
json_set '.boringssl.rev' "$boringssl_new_rev"
boringssl_new_sha256=$(nix-prefetch -I 'nixpkgs=../../..' "${pkg}.lsquic.boringssl")
json_set '.boringssl.sha256' "$boringssl_new_sha256"
commit_msg="$commit_msg
lsquic: $lsquic_old_version -> $lsquic_new_version"
fi
fi
git commit --verbose --message "$commit_msg" -- versions.json shards.nix

13
overlay/invidious/use-etc-ssl-certs.patch Normal file
View file

@ -0,0 +1,13 @@
diff --git a/crypto/x509/x509_def.c b/crypto/x509/x509_def.c
index d2bc3e5c1..329580075 100644
--- a/crypto/x509/x509_def.c
+++ b/crypto/x509/x509_def.c
@@ -67,7 +67,7 @@
#define X509_CERT_AREA OPENSSLDIR
#define X509_CERT_DIR OPENSSLDIR "/certs"
-#define X509_CERT_FILE OPENSSLDIR "/cert.pem"
+#define X509_CERT_FILE "/etc/ssl/certs/ca-certificates.crt"
#define X509_PRIVATE_DIR OPENSSLDIR "/private"
#define X509_CERT_DIR_EVP "SSL_CERT_DIR"
#define X509_CERT_FILE_EVP "SSL_CERT_FILE"

18
overlay/invidious/versions.json Normal file
View file

@ -0,0 +1,18 @@
{
"boringssl": {
"rev": "251b5169fd44345f455438312ec4e18ae07fd58c",
"sha256": "sha256-EU6T9yQCdOLx98Io8o01rEsgxDFF/Xoy42LgPopD2/A="
},
"invidious": {
"rev": "09942dee6621e7047a63dffcc61b3bbf78cef2c6",
"sha256": "sha256-0Cb1Qsn6vnrzd4pZm1GZxlVQNn5dYKUR/xWMCG37GSk=",
"version": "unstable-2022-11-02"
},
"lsquic": {
"sha256": "sha256-hG8cUvhbCNeMOsKkaJlgGpzUrIx47E/WhmPIdI5F3qM=",
"version": "2.18.1"
},
"videojs": {
"sha256": "0m09pc9acpzhfwwvc9dayl60nn28skmmglgvmlp48dlkqgfbgc27"
}
}

18
overlay/invidious/videojs.nix Normal file
View file

@ -0,0 +1,18 @@
{ stdenvNoCC, cacert, crystal, openssl, pkg-config, invidious }:
let
versions = builtins.fromJSON (builtins.readFile ./versions.json);
in
stdenvNoCC.mkDerivation {
name = "videojs";
inherit (invidious) src;
builder = ./videojs.sh;
nativeBuildInputs = [ cacert crystal openssl pkg-config ];
outputHashAlgo = "sha256";
outputHashMode = "recursive";
outputHash = versions.videojs.sha256;
}

9
overlay/invidious/videojs.sh Normal file
View file

@ -0,0 +1,9 @@
source $stdenv/setup
unpackPhase
cd source
# this helper downloads the videojs files and checks their checksums
# against videojs-dependencies.yml so it should be pure
crystal run scripts/fetch-player-dependencies.cr -- --minified
rm -f assets/videojs/.gitignore
mv assets/videojs "$out"

1
presets/nixos/desktop.nix
View file

@ -19,7 +19,6 @@
home.apps.pavucontrol
home.apps.mpv
home.apps.vivaldi
home.apps.firefox
home.apps.telegram
home.apps.quassel

2
profiles/nix-gc.nix
View file

@ -3,6 +3,6 @@
nix.gc = {
automatic = true;
dates = "daily";
options = "--delete-older-than 1d";
options = "--delete-older-than 10d";
};
}

2
scripts/update.sh
View file

@ -3,5 +3,5 @@
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
REPO_ROOT="${SCRIPT_DIR}/.."
cd $REPO_ROOT
./overlay/invidious/update.sh
nix flake update

1
wg.key
View file

@ -1 +0,0 @@
qCxTpFUKxcRZOg+uWUgphnr8+tfoy33IOpuuuDWZUEQ=

1
wg.pub
View file

@ -1 +0,0 @@
+gZf6RttTQHh/kdYrucasSJgDFpyIaG1UdickV4Mfj4=