fix: invidious

hosts/fw/modules/web/invidious.nix

@@ -1,9 +1,15 @@
 { config, pkgs, lib, ... }:
 
+with lib;
 {
   # Invidious - Privacy-focused YouTube frontend
   # Replaces Piped with native NixOS service
 
+  # Secret for Invidious companion authentication
+  sops.secrets.invidious-companion-key = {
+    key = "invidious-companion-key";
+  };
+
   # Main Invidious service
   services.invidious = {
     enable = true;
@@ -52,6 +58,115 @@
     };
   };
 
+  # Use Podman for OCI containers
+  virtualisation.oci-containers.backend = "podman";
+
+  # Create Invidious network for container communication
+  systemd.services.init-invidious-network = {
+    description = "Create Podman network for Invidious companion";
+    wantedBy = [ "multi-user.target" ];
+    before = [ "podman-invidious-companion.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      ${pkgs.podman}/bin/podman network exists invidious-net || \
+      ${pkgs.podman}/bin/podman network create --interface-name=podman2 --subnet=10.90.0.0/24 invidious-net
+    '';
+  };
+
+  # Create systemd tmpfiles directory for Invidious config
+  systemd.tmpfiles.rules = [
+    "d /var/lib/invidious 0755 root root - -"
+    "d /run/invidious-companion 0700 root root - -"
+  ];
+
+  # Generate companion environment file with secret key
+  systemd.services.invidious-companion-env-generate = {
+    description = "Generate Invidious companion environment file";
+    wantedBy = [ "multi-user.target" ];
+    before = [ "podman-invidious-companion.service" ];
+    after = [ "init-invidious-network.service" ];
+    requires = [ "init-invidious-network.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      COMPANION_KEY=$(cat ${config.sops.secrets.invidious-companion-key.path})
+      cat > /run/invidious-companion/env <<EOF
+PORT=8282
+HOST=0.0.0.0
+SERVER_SECRET_KEY=$COMPANION_KEY
+EOF
+      chmod 600 /run/invidious-companion/env
+    '';
+  };
+
+  # Invidious Companion container (handles PO token generation and video streams)
+  virtualisation.oci-containers.containers.invidious-companion = {
+    image = "quay.io/invidious/invidious-companion:latest";
+    ports = [ "127.0.0.1:8282:8282" ];
+    volumes = [
+      "invidious-companion-cache:/var/tmp:rw"
+    ];
+    environmentFiles = [
+      "/run/invidious-companion/env"
+    ];
+    extraOptions = [
+      "--pull=newer"
+      "--network=invidious-net"
+      "--cap-drop=ALL"
+      "--security-opt=no-new-privileges:true"
+      "--read-only"
+    ];
+  };
+
+  # Ensure companion container depends on env file generation
+  systemd.services."podman-invidious-companion" = {
+    after = mkAfter [ "invidious-companion-env-generate.service" ];
+    requires = mkAfter [ "invidious-companion-env-generate.service" ];
+  };
+
+  # Generate Invidious companion config with actual secret key
+  systemd.services.invidious-companion-config-generate = {
+    description = "Generate Invidious companion configuration";
+    wantedBy = [ "multi-user.target" ];
+    before = [ "invidious.service" ];
+    after = [ "init-invidious-network.service" ];
+    requires = [ "init-invidious-network.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      mkdir -p /var/lib/invidious
+      COMPANION_KEY=$(cat ${config.sops.secrets.invidious-companion-key.path})
+      cat > /var/lib/invidious/companion-config.json <<EOF
+{
+  "invidious_companion": [
+    {
+      "private_url": "http://127.0.0.1:8282/companion"
+    }
+  ],
+  "invidious_companion_key": "$COMPANION_KEY"
+}
+EOF
+      chmod 644 /var/lib/invidious/companion-config.json
+      chown root:root /var/lib/invidious/companion-config.json
+    '';
+  };
+
+  # Configure Invidious to use companion via extraSettingsFile
+  services.invidious.extraSettingsFile = "/var/lib/invidious/companion-config.json";
+
+  # Ensure Invidious service depends on companion config generation
+  systemd.services.invidious = {
+    after = mkAfter [ "invidious-companion-config-generate.service" ];
+    requires = mkAfter [ "invidious-companion-config-generate.service" ];
+  };
+
   # Override nginx vhost configuration
   services.nginx.virtualHosts."invidious.cloonar.com" = {
     acmeRoot = null;