fix: piped

hosts/fw/modules/dnsmasq.nix

@@ -91,8 +91,8 @@
         "/omada.cloonar.com/${config.networkPrefix}.97.2"
         "/web-02.cloonar.com/${config.networkPrefix}.97.5"
         "/pla.cloonar.com/${config.networkPrefix}.97.5"
-        # "/piped.cloonar.com/${config.networkPrefix}.97.5"  # Replaced by Invidious
+        "/piped.cloonar.com/${config.networkPrefix}.97.5"  # Replaced by Invidious
-        # "/pipedapi.cloonar.com/${config.networkPrefix}.97.5"  # Replaced by Invidious
+        "/pipedapi.cloonar.com/${config.networkPrefix}.97.5"  # Replaced by Invidious
         "/invidious.cloonar.com/${config.networkPrefix}.97.5"
         "/fivefilters.cloonar.com/${config.networkPrefix}.97.5"
         "/n8n.cloonar.com/${config.networkPrefix}.97.5"

hosts/fw/modules/web/default.nix

@@ -61,9 +61,9 @@ in {
           ./proxies.nix
           # ./matrix.nix
           ./n8n.nix
-          # ./piped.nix  # Replaced by Invidious
+          ./piped.nix  # Replaced by Invidious
-          ./invidious.nix
+          # ./invidious.nix
-          ./invidious-init-user.nix
+          # ./invidious-init-user.nix
         ];
 
         networkPrefix = config.networkPrefix;

hosts/fw/modules/web/invidious.nix

@@ -18,8 +18,11 @@
     # Enable nginx reverse proxy with automatic TLS
     nginx.enable = true;
 
-    # Signature helper disabled - crashes with current YouTube player patterns
+    # Enable http3-ytproxy for video/image proxying
-    # Re-enable once inv-sig-helper is updated to handle new YouTube obfuscation
+    # Handles /videoplayback, /vi/, /ggpht/, /sb/ paths
+    http3-ytproxy.enable = true;
+
+    # Signature helper - crashes with current YouTube player format
     # sig-helper = {
     #   enable = true;
     # };
@@ -42,12 +45,46 @@
       # Optional: Instance customization
       default_home = "Popular";
       feed_menu = [ "Popular" "Trending" "Subscriptions" ];
+
+      # YouTube compatibility settings
+      use_quic = true;
+      force_resolve = "ipv4";
     };
   };
 
   # Override nginx vhost configuration
   services.nginx.virtualHosts."invidious.cloonar.com" = {
     acmeRoot = null;
+
+    # Complete http3-ytproxy configuration with proper headers and buffering
+    # This overrides the minimal config from the NixOS module
+    locations."~ (^/videoplayback|^/vi/|^/ggpht/|^/sb/)" = {
+      proxyPass = "http://unix:/run/http3-ytproxy/socket/http-proxy.sock";
+      extraConfig = ''
+        # Enable buffering for large video files
+        proxy_buffering on;
+        proxy_buffers 1024 16k;
+        proxy_buffer_size 128k;
+        proxy_busy_buffers_size 256k;
+
+        # Use HTTP/1.1 with keepalive for better performance
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+
+        # Hide headers that might cause issues
+        proxy_hide_header Cache-Control;
+        proxy_hide_header etag;
+        proxy_hide_header "alt-svc";
+
+        # Optimize for large file transfers
+        sendfile on;
+        sendfile_max_chunk 512k;
+        tcp_nopush on;
+
+        # Disable access logging for video traffic
+        access_log off;
+      '';
+    };
   };
 
   # Firewall configuration for Invidious

hosts/fw/modules/web/piped.nix

@@ -19,7 +19,7 @@ let
   backendConfig = pkgs.writeText "config.properties" ''
     # Database configuration
     # 10.88.0.1 is the default Podman bridge gateway IP
-    hibernate.connection.url=jdbc:postgresql://10.88.0.1:5432/${dbName}
+    hibernate.connection.url=jdbc:postgresql://10.89.0.1:5432/${dbName}
     hibernate.connection.driver_class=org.postgresql.Driver
     hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect
     hibernate.connection.username=${dbUser}
@@ -126,7 +126,8 @@ in
   services.postgresqlBackup.databases = [ dbName ];
 
   # Allow Podman containers to connect to PostgreSQL
-  networking.firewall.interfaces."podman0".allowedTCPPorts = [ 5432 ];
+  networking.firewall.interfaces."podman1".allowedTCPPorts = [ 5432 ];
+  networking.firewall.interfaces."podman1".allowedUDPPorts = [ 53 5432 ];
 
   # Setup database password (runs before containers start)
   systemd.services.piped-db-init = {
@@ -170,6 +171,25 @@ in
   # Use Podman for OCI containers
   virtualisation.oci-containers.backend = "podman";
 
+  # Create Piped network for container-to-container communication
+  systemd.services.init-piped-network = {
+    description = "Create Podman network for Piped services";
+    wantedBy = [ "multi-user.target" ];
+    before = [
+      "podman-piped-backend.service"
+      "podman-piped-bg-helper.service"
+      "podman-piped-proxy.service"
+    ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      ${pkgs.podman}/bin/podman network exists piped-net || \
+      ${pkgs.podman}/bin/podman network create --interface-name=podman1 --subnet=10.89.0.0/24 piped-net
+    '';
+  };
+
   # Piped Backend Podman container (using custom image with iOS compatibility fixes)
   virtualisation.oci-containers.containers.piped-backend = {
     image = "git.cloonar.com/infrastructure/piped-backend:latest";
@@ -179,8 +199,8 @@ in
     ];
     extraOptions = [
       "--pull=newer"
-      # Using default bridge network - connects to PostgreSQL via 10.88.0.1
+      "--network=podman"  # Default bridge for PostgreSQL access at 10.88.0.1
-      # Also connects to bg-helper via container name resolution
+      "--network=piped-net"  # Custom network for DNS resolution to bg-helper
     ];
   };
 
@@ -196,7 +216,7 @@ in
     ports = [ "127.0.0.1:${toString bgHelperPort}:3000" ];
     extraOptions = [
       "--pull=newer"
-      # Using default bridge network - accessible by backend via container name
+      "--network=piped-net"
     ];
   };
 
@@ -209,6 +229,7 @@ in
     };
     extraOptions = [
       "--pull=newer"
+      "--network=piped-net"
     ];
   };
 

hosts/web-arm/modules/blackbox-exporter.nix

@@ -33,6 +33,8 @@ in {
         "updns.cloonar.com"
         "feeds.jordanrannells.com"
         "invidious.cloonar.com"
+        "piped.cloonar.com"
+        "pipedapi.cloonar.com"
       ];
     };
     # Systemd service for Blackbox Exporter