itamar/flakes
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

hardening invidious: updating iv.nix

Browse source
This commit is contained in:
itamar 2026-04-12 10:09:24 +03:00
parent ee9afc74c2
commit ed4a7f3fae
No known key found for this signature in database
GPG key ID: D8277CDCD4F544E9
1 changed files with 87 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

100
server/iv.nix
View file

@ -9,6 +9,14 @@ let
arch = "amd64"; arch = "amd64";
sha256 = "sha256-QsKu0XyHYvad/saO4zDrHZU9o4GzihK30pMITYpcVoI="; sha256 = "sha256-QsKu0XyHYvad/saO4zDrHZU9o4GzihK30pMITYpcVoI=";
}; };
securityHeaders = ''
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "no-referrer" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
'';
in in
{ {
services.invidious = { services.invidious = {
@ -21,6 +29,22 @@ in
https_only = true; https_only = true;
registration_enabled = false; registration_enabled = false;
statistics_enabled = false; statistics_enabled = false;
login_enabled = false;
captcha_enabled = false;
admins = [];
use_innertube_for_captions = true;
force_resolve = "ipv6";
use_pubsub_feeds = true;
enable_user_notifications = false;
invidious_companion = [
{
private_url = "http://127.0.0.1:3001";
public_url = "https://iv.itamar.site/companion";
}
];
default_user_preferences = { default_user_preferences = {
locale = "en-US"; locale = "en-US";
dark_mode = "dark"; dark_mode = "dark";
@ -33,12 +57,39 @@ in
autoplay = false; autoplay = false;
comments = ["youtube" ""]; comments = ["youtube" ""];
related_videos = true; related_videos = true;
annotations = false;
annotations_subscribed = false;
extend_desc = false;
show_nick = false;
}; };
}; };
}; };
systemd.services.invidious = {
serviceConfig = {
Nice = "10";
MemoryMax = "1G";
MemorySwapMax = "0";
PrivateTmp = true;
ProtectHome = true;
ProtectSystem = "strict";
NoNewPrivileges = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
SystemCallFilter = "@system-service";
SystemCallErrorNumber = "EPERM";
CapabilityBoundingSet = "";
AmbientCapabilities = "";
};
};
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
virtualisation.oci-containers = { virtualisation.oci-containers = {
backend = "docker"; backend = "docker";
containers.invidious-companion = { containers.invidious-companion = {
@ -47,26 +98,45 @@ in
ports = [ "127.0.0.1:3001:8282" ]; ports = [ "127.0.0.1:3001:8282" ];
environmentFiles = [ "/var/lib/invidious/companion-env" ]; environmentFiles = [ "/var/lib/invidious/companion-env" ];
volumes = [ "/var/lib/invidious-companion-cache:/var/tmp/youtubei.js" ]; volumes = [ "/var/lib/invidious-companion-cache:/var/tmp/youtubei.js" ];
extraOptions = [ "--no-healthcheck" ]; extraOptions = [
"--no-healthcheck"
"--read-only"
"--tmpfs=/tmp"
"--security-opt=no-new-privileges"
"--cap-drop=ALL"
];
}; };
}; };
services.nginx = { services.nginx.commonHttpConfig = lib.mkAfter ''
enable = true; limit_req_zone $binary_remote_addr zone=invidious:10m rate=3r/s;
recommendedTlsSettings = true; access_log off;
recommendedOptimisation = true; log_not_found off;
recommendedGzipSettings = true; '';
recommendedProxySettings = true;
virtualHosts."iv.itamar.site" = { services.nginx.virtualHosts."iv.itamar.site" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
};
extraConfig = ''
server_tokens off;
${securityHeaders}
'';
locations."= /robots.txt".extraConfig = ''
return 200 "User-agent: *\nDisallow: /\n";
add_header Content-Type text/plain;
${securityHeaders}
'';
locations."/api/v1/auth/notifications" = {
priority = 500;
return = "403";
}; };
security.acme = { locations."/".extraConfig = ''
acceptTerms = true; limit_req zone=invidious burst=20 nodelay;
defaults.email = "admin@itamar.site"; limit_req_status 429;
'';
}; };
networking.firewall.allowedTCPPorts = [ 80 443 ];
} }