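{ config, pkgs, lib, ... }:
let
  # invidious-companion container image. The pull is pinned by content digest
  # (and the fixed-output hash), so the local "latest" tag is only a label and
  # does not float; bump imageDigest + sha256 together when upgrading.
  companionImage = pkgs.dockerTools.pullImage {
    imageName = "quay.io/invidious/invidious-companion";
    imageDigest = "sha256:1f59440ef39c4a3377be6d9dc76a7adebb7cfc9b7be03f671dd06741d01be491";
    finalImageName = "invidious-companion";
    finalImageTag = "latest";
    os = "linux";
    arch = "amd64";
    sha256 = "sha256-QsKu0XyHYvad/saO4zDrHZU9o4GzihK30pMITYpcVoI=";
  };

  # Hardening response headers. nginx does NOT inherit server-level add_header
  # into a location that sets its own add_header, so this snippet is applied at
  # server level and re-applied in every location that adds a header of its own.
  # Notes for operators:
  #  - HSTS "preload" is effectively irreversible once submitted to the preload
  #    list; make sure TLS will stay on for this host before keeping it.
  #  - X-Frame-Options SAMEORIGIN also blocks third-party embedding of the
  #    player (/embed/...); intentional for a private instance.
  #  - "interest-cohort=()" targets FLoC, which browsers have since retired;
  #    extend the Permissions-Policy if stricter feature denial is wanted.
  securityHeaders = ''
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header Permissions-Policy "interest-cohort=()" always;
    add_header Cross-Origin-Opener-Policy "same-origin" always;
  '';
in
{
  services.invidious = {
    enable = true;
    domain = "iv.itamar.site";
    port = 3002;
    nginx.enable = true;
    # Holds the shared secret for invidious-companion (out of the Nix store).
    # Keep it readable only by the invidious service user.
    extraSettingsFile = "/var/lib/invidious/companion-secret.yaml";

    settings = {
      https_only = true;
      # Closed instance: no sign-ups, no logins, no admins, no stats export.
      registration_enabled = false;
      statistics_enabled = false;
      login_enabled = false;
      captcha_enabled = false;
      admins = [ ];
      use_innertube_for_captions = true;
      force_resolve = "ipv6";
      use_pubsub_feeds = true;
      enable_user_notifications = false;

      # Invidious reaches the companion over loopback (the Docker port below is
      # bound to 127.0.0.1 only). public_url is what browsers are pointed at;
      # NOTE(review): no /companion location is defined in this file, so this
      # relies on the upstream services.invidious nginx integration proxying it --
      # confirm with a request to https://iv.itamar.site/companion/ after deploy.
      invidious_companion = [
        {
          private_url = "http://127.0.0.1:3001";
          public_url = "https://iv.itamar.site/companion";
        }
      ];

      default_user_preferences = {
        locale = "en-US";
        dark_mode = "dark";
        thin_mode = false;
        default_home = "feed";
        feed_menu = [ "Popular" "Trending" "Subscriptions" "Playlists" ];
        player_style = "invidious";
        quality = "hd720";
        volume = 100;
        autoplay = false;
        comments = [ "youtube" "" ];
        related_videos = true;
        annotations = false;
        annotations_subscribed = false;
        extend_desc = false;
        show_nick = false;
      };
    };
  };

  # Sandboxing for the Invidious daemon on top of whatever the upstream module
  # sets. Everything here is the usual systemd hardening set for a network
  # service that only needs loopback/Unix sockets (PostgreSQL) and outbound TCP.
  systemd.services.invidious = {
    serviceConfig = {
      Nice = "10";
      MemoryMax = "1G";
      MemorySwapMax = "0";

      PrivateTmp = true;
      ProtectHome = true;
      # "strict" makes the whole FS read-only except paths the upstream module
      # opens via StateDirectory/ReadWritePaths -- if the service fails to start
      # after a nixpkgs bump, check those first.
      ProtectSystem = "strict";
      NoNewPrivileges = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      # Added to round out the set above; none of these are needed by a
      # user-space web daemon.
      PrivateDevices = true;
      ProtectClock = true;
      ProtectHostname = true;
      RestrictSUIDSGID = true;

      # AF_UNIX for the PostgreSQL socket, AF_INET/AF_INET6 for YouTube/companion.
      RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
      RestrictNamespaces = true;
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      RestrictRealtime = true;
      SystemCallFilter = "@system-service";
      SystemCallErrorNumber = "EPERM";
      CapabilityBoundingSet = "";
      AmbientCapabilities = "";
    };
  };

  virtualisation.docker.enable = true;
  virtualisation.oci-containers = {
    backend = "docker";
    containers.invidious-companion = {
      image = "invidious-companion:latest";
      imageFile = companionImage;
      # Loopback only; never exposed directly, nginx fronts it.
      ports = [ "127.0.0.1:3001:8282" ];
      # Carries the companion secret; must not be world-readable on the host.
      environmentFiles = [ "/var/lib/invidious/companion-env" ];
      # Only writable path besides the tmpfs: the youtubei.js cache.
      volumes = [ "/var/lib/invidious-companion-cache:/var/tmp/youtubei.js" ];
      extraOptions = [
        # Health check disabled: Docker would otherwise restart the container
        # on transient upstream failures. Liveness is left to nginx/Invidious.
        "--no-healthcheck"
        "--read-only"
        "--tmpfs=/tmp"
        "--security-opt=no-new-privileges"
        "--cap-drop=ALL"
        # NOTE(review): no --user is set, so the container runs as whatever
        # user the image defaults to; verify it is non-root (docker inspect).
      ];
    };
  };

  # Global nginx settings. The rate-limit zone keys on the client address;
  # NOTE(review): if this host ever sits behind a CDN or reverse proxy, switch
  # the key to the real client IP (realip module), or the whole proxy gets one
  # bucket. Access logging is off for visitor privacy -- be aware this also
  # removes the request trail you would want for incident response.
  services.nginx.commonHttpConfig = lib.mkAfter ''
    limit_req_zone $binary_remote_addr zone=invidious:10m rate=3r/s;
    access_log off;
    log_not_found off;
  '';

  services.nginx.virtualHosts."iv.itamar.site" = {
    enableACME = true;
    forceSSL = true;
    extraConfig = ''
      server_tokens off;
      ${securityHeaders}
    '';

    # Opt out of search indexing. This location sets its own add_header
    # (Content-Type), so the security headers must be repeated here.
    locations."= /robots.txt".extraConfig = ''
      return 200 "User-agent: *\nDisallow: /\n";
      add_header Content-Type text/plain;
      ${securityHeaders}
    '';

    # Notifications are disabled above; refuse the long-poll endpoint outright
    # so it cannot hold connections open. Lower priority number = matched first.
    locations."/api/v1/auth/notifications" = {
      priority = 500;
      return = "403";
    };

    # Per-client rate limit on everything else; 429 instead of the default 503
    # so clients can tell throttling from an outage.
    locations."/".extraConfig = ''
      limit_req zone=invidious burst=20 nodelay;
      limit_req_status 429;
    '';
  };
}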