hardening invidious: updating iv.nix

server/iv.nix

@@ -9,6 +9,14 @@ let
     arch = "amd64";
     sha256 = "sha256-QsKu0XyHYvad/saO4zDrHZU9o4GzihK30pMITYpcVoI=";
   };
+  securityHeaders = ''
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header Referrer-Policy "no-referrer" always;
+    add_header Permissions-Policy "interest-cohort=()" always;
+    add_header Cross-Origin-Opener-Policy "same-origin" always;
+  '';
 in
 {
   services.invidious = {
@@ -21,6 +29,22 @@ in
       https_only = true;
       registration_enabled = false;
       statistics_enabled = false;
+      login_enabled = false;
+      captcha_enabled = false;
+      admins = [];
+
+      use_innertube_for_captions = true;
+      force_resolve = "ipv6";
+      use_pubsub_feeds = true;
+      enable_user_notifications = false;
+
+      invidious_companion = [
+        {
+          private_url = "http://127.0.0.1:3001";
+          public_url = "https://iv.itamar.site/companion";
+        }
+      ];
+
       default_user_preferences = {
         locale = "en-US";
         dark_mode = "dark";
@@ -33,12 +57,39 @@ in
         autoplay = false;
         comments = ["youtube" ""];
         related_videos = true;
+        annotations = false;
+        annotations_subscribed = false;
+        extend_desc = false;
+        show_nick = false;
       };
     };
   };
 
+  systemd.services.invidious = {
+    serviceConfig = {
+      Nice = "10";
+      MemoryMax = "1G";
+      MemorySwapMax = "0";
+      PrivateTmp = true;
+      ProtectHome = true;
+      ProtectSystem = "strict";
+      NoNewPrivileges = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+      RestrictNamespaces = true;
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      RestrictRealtime = true;
+      SystemCallFilter = "@system-service";
+      SystemCallErrorNumber = "EPERM";
+      CapabilityBoundingSet = "";
+      AmbientCapabilities = "";
+    };
+  };
+
   virtualisation.docker.enable = true;
-
   virtualisation.oci-containers = {
     backend = "docker";
     containers.invidious-companion = {
@@ -47,26 +98,45 @@ in
       ports = [ "127.0.0.1:3001:8282" ];
       environmentFiles = [ "/var/lib/invidious/companion-env" ];
       volumes = [ "/var/lib/invidious-companion-cache:/var/tmp/youtubei.js" ];
-      extraOptions = [ "--no-healthcheck" ];
+      extraOptions = [
+        "--no-healthcheck"
+        "--read-only"
+        "--tmpfs=/tmp"
+        "--security-opt=no-new-privileges"
+        "--cap-drop=ALL"
+      ];
     };
   };
 
-  services.nginx = {
-    enable = true;
-    recommendedTlsSettings = true;
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-    recommendedProxySettings = true;
-    virtualHosts."iv.itamar.site" = {
+  services.nginx.commonHttpConfig = lib.mkAfter ''
+    limit_req_zone $binary_remote_addr zone=invidious:10m rate=3r/s;
+    access_log off;
+    log_not_found off;
+  '';
+
+  services.nginx.virtualHosts."iv.itamar.site" = {
     enableACME = true;
     forceSSL = true;
-    };
+
+    extraConfig = ''
+      server_tokens off;
+      ${securityHeaders}
+    '';
+
+    locations."= /robots.txt".extraConfig = ''
+      return 200 "User-agent: *\nDisallow: /\n";
+      add_header Content-Type text/plain;
+      ${securityHeaders}
+    '';
+
+    locations."/api/v1/auth/notifications" = {
+      priority = 500;
+      return = "403";
     };
 
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "admin@itamar.site";
+    locations."/".extraConfig = ''
+      limit_req zone=invidious burst=20 nodelay;
+      limit_req_status 429;
+    '';
   };
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }