From ed4a7f3fae9c26c8807197c51612a514b26954ab Mon Sep 17 00:00:00 2001
From: laniakea
Date: Sun, 12 Apr 2026 10:09:24 +0300
Subject: [PATCH] hardening invidious: updating iv.nix
---
 server/iv.nix | 104 +++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 87 insertions(+), 17 deletions(-)
diff --git a/server/iv.nix b/server/iv.nix
index 66996cb..45cdeab 100644
--- a/server/iv.nix
+++ b/server/iv.nix
@@ -9,6 +9,14 @@ let
 arch = "amd64";
 sha256 = "sha256-QsKu0XyHYvad/saO4zDrHZU9o4GzihK30pMITYpcVoI=";
 };
+ securityHeaders = ''
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Referrer-Policy "no-referrer" always;
+ add_header Permissions-Policy "interest-cohort=()" always;
+ add_header Cross-Origin-Opener-Policy "same-origin" always;
+ '';
 in
 {
 services.invidious = {
@@ -21,6 +29,22 @@ in
 https_only = true;
 registration_enabled = false;
 statistics_enabled = false;
+ login_enabled = false;
+ captcha_enabled = false;
+ admins = [];
+
+ use_innertube_for_captions = true;
+ force_resolve = "ipv6";
+ use_pubsub_feeds = true;
+ enable_user_notifications = false;
+
+ invidious_companion = [
+ {
+ private_url = "http://127.0.0.1:3001";
+ public_url = "https://iv.itamar.site/companion";
+ }
+ ];
+
+ default_user_preferences = {
 locale = "en-US";
 dark_mode = "dark";
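Review bot: The `preload` token in the Strict-Transport-Security value of `securityHeaders` is a commitment rather than a header tweak: once the domain is submitted to the browser preload list, every subdomain of iv.itamar.site must serve valid HTTPS indefinitely and removal takes months, so keep it only if that submission is intended, otherwise `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` is the safer value. `Permissions-Policy "interest-cohort=()"` only opts out of the long-retired FLoC trial and restricts nothing else, so a policy naming features the site does not need, e.g. `add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()" always;`, would be the hardening the name suggests. Note that nginx's add_header is not additive across levels — any location that declares its own add_header drops these server-level headers unless the snippet is repeated there, which is presumably why it is interpolated into the robots.txt location in the last hunk. No Content-Security-Policy is set here; if the application does not already emit one itself, that is the header most worth adding next.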
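Review bot: `public_url = "https://iv.itamar.site/companion"` is the address browsers will be sent to for the companion, but nothing in this patch defines an nginx location that proxies `/companion` to the container published on 127.0.0.1:3001 in the last hunk; unless the invidious module or another file adds it, that URL will answer 404 and companion-backed playback will fail. The companion also expects a shared secret between Invidious and the container (Invidious's `invidious_companion_key` setting, presumably matching a value in the `companion-env` file referenced in the last hunk); it is not visible in this hunk, so confirm it is set elsewhere and not left at a placeholder value. The settings block this hunk edits continues outside the hunk. Disabling `login_enabled`, `captcha_enabled` and user notifications together with `admins = []` is consistent with a read-only public instance, and `private_url` over plain http is fine since it only touches loopback.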
@@ -33,12 +57,39 @@ in
 autoplay = false;
 comments = ["youtube" ""];
 related_videos = true;
+ annotations = false;
+ annotations_subscribed = false;
+ extend_desc = false;
+ show_nick = false;
 };
 };
 };
- virtualisation.docker.enable = true;
+ systemd.services.invidious = {
+ serviceConfig = {
+ Nice = "10";
+ MemoryMax = "1G";
+ MemorySwapMax = "0";
+ PrivateTmp = true;
+ ProtectHome = true;
+ ProtectSystem = "strict";
+ NoNewPrivileges = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ SystemCallFilter = "@system-service";
+ SystemCallErrorNumber = "EPERM";
+ CapabilityBoundingSet = "";
+ AmbientCapabilities = "";
+ };
+ };
+ virtualisation.docker.enable = true;
 virtualisation.oci-containers = {
 backend = "docker";
 containers.invidious-companion = {
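Review bot: These serviceConfig values are merged with whatever the nixpkgs invidious module already sets on systemd.services.invidious; if the module defines any of the same keys with different values, evaluation fails with a conflicting-definition error unless `lib.mkForce` is used, and with `ProtectSystem = "strict"` every path Invidious writes to must be covered by the module's StateDirectory/ReadWritePaths or the service will fail at runtime rather than at build time. `MemoryDenyWriteExecute = true` and `SystemCallFilter = "@system-service"` are the two most likely to break the binary; check the journal for EPERM failures after deploying, and note that `SystemCallErrorNumber = "EPERM"` turns filtered calls into quiet failures rather than a SIGSYS crash, which is harder to notice. Cheap additions in the same spirit would be `PrivateDevices = true; SystemCallArchitectures = "native"; RestrictSUIDSGID = true;` and `ProtectClock = true; ProtectHostname = true;`. Whether the service comes back after the `MemoryMax = "1G"` cgroup limit kills it depends on a Restart= setting not visible here, and the removal and re-addition of `virtualisation.docker.enable = true;` is a pure move with no effect.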
@@ -47,26 +98,45 @@ in
 ports = [ "127.0.0.1:3001:8282" ];
 environmentFiles = [ "/var/lib/invidious/companion-env" ];
 volumes = [ "/var/lib/invidious-companion-cache:/var/tmp/youtubei.js" ];
- extraOptions = [ "--no-healthcheck" ];
+ extraOptions = [
+ "--no-healthcheck"
+ "--read-only"
+ "--tmpfs=/tmp"
+ "--security-opt=no-new-privileges"
+ "--cap-drop=ALL"
+ ];
 };
 };
- services.nginx = {
- enable = true;
- recommendedTlsSettings = true;
- recommendedOptimisation = true;
- recommendedGzipSettings = true;
- recommendedProxySettings = true;
- virtualHosts."iv.itamar.site" = {
- enableACME = true;
- forceSSL = true;
+ services.nginx.commonHttpConfig = lib.mkAfter ''
+ limit_req_zone $binary_remote_addr zone=invidious:10m rate=3r/s;
+ access_log off;
+ log_not_found off;
+ '';
+
+ services.nginx.virtualHosts."iv.itamar.site" = {
+ enableACME = true;
+ forceSSL = true;
+
+ extraConfig = ''
+ server_tokens off;
+ ${securityHeaders}
+ '';
+
+ locations."= /robots.txt".extraConfig = ''
+ return 200 "User-agent: *\nDisallow: /\n";
+ add_header Content-Type text/plain;
+ ${securityHeaders}
+ '';
+
+ locations."/api/v1/auth/notifications" = {
+ priority = 500;
+ return = "403";
 };
- };
- security.acme = {
- acceptTerms = true;
- defaults.email = "admin@itamar.site";
+ locations."/".extraConfig = ''
+ limit_req zone=invidious burst=20 nodelay;
+ limit_req_status 429;
+ '';
 };
-
- networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
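Review bot: The removed lines drop `services.nginx.enable = true`, the four `recommended*Settings`, `security.acme.acceptTerms`/`defaults.email` and `networking.firewall.allowedTCPPorts = [ 80 443 ]`, while the added lines replace only the virtual host, so unless these are now declared in another file or by the invidious module the result is weaker than before rather than harder: `recommendedTlsSettings` is what supplies the modern protocol/cipher set, `recommendedProxySettings` forwards the Host and X-Forwarded-* headers the upstream presumably needs behind a proxy, `enableACME = true` fails the module assertion without `acceptTerms`, and without the firewall rule ports 80/443 are closed so ACME http-01 and the site itself are unreachable. If they were moved, a sentence in the commit message saying so would save the next reader the search. In the robots.txt location, `add_header Content-Type text/plain;` adds a second Content-Type next to the one nginx derives from `default_type`; use `default_type text/plain;` instead. `access_log off;` in commonHttpConfig applies to every virtual host on this nginx, not just this site, and removes the request log that would otherwise show the 429 rate-limit hits and probing; if that is a deliberate privacy choice, leaving `error_log` at its default at least keeps limit_req's own warnings.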