{ config, pkgs, ... }: let pythonWithBcrypt = pkgs.python3.withPackages (ps: [ ps.bcrypt ]); in { # Invidious admin user initialization # Creates the initial admin user directly in the PostgreSQL database # Secret for admin user password sops.secrets."invidious-admin-password" = { sopsFile = ./secrets.yaml; }; # One-time service to create admin user systemd.services.invidious-init-admin-user = { description = "Initialize Invidious admin user"; after = [ "invidious.service" "postgresql.service" ]; wants = [ "invidious.service" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { Type = "oneshot"; User = "postgres"; RemainAfterExit = true; LoadCredential = [ "admin_password:${config.sops.secrets."invidious-admin-password".path}" ]; }; script = '' # Wait for Invidious to initialize the database schema sleep 5 # Check if user already exists USER_EXISTS=$(${pkgs.postgresql}/bin/psql -d invidious -tAc "SELECT COUNT(*) FROM users WHERE email = 'admin@cloonar.com';") if [ "$USER_EXISTS" -eq "0" ]; then echo "Creating admin user..." # Read password from credential and trim whitespace PASSWORD=$(cat $CREDENTIALS_DIRECTORY/admin_password | tr -d '\n\r') # Truncate to 55 characters (Invidious password limit) PASSWORD="''${PASSWORD:0:55}" # Generate bcrypt hash HASH=$(${pythonWithBcrypt}/bin/python3 -c "import bcrypt; import sys; print(bcrypt.hashpw('$PASSWORD'.encode(), bcrypt.gensalt(rounds=10)).decode())") # Generate random token TOKEN=$(head -c 32 /dev/urandom | base64 | tr -d '/+=' | head -c 32) # Insert user into database ${pkgs.postgresql}/bin/psql -d invidious <<-SQL INSERT INTO users (email, password, preferences, updated, notifications, subscriptions, watched, token) VALUES ('admin@cloonar.com', '$HASH', '{}', NOW(), ARRAY[]::text[], ARRAY[]::text[], ARRAY[]::text[], '$TOKEN') ON CONFLICT (email) DO NOTHING; SQL echo "Admin user created successfully" else echo "Admin user already exists, skipping..." fi ''; }; }