Cloonar/nixos
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
b57342f53e97f60e94bc691bc8f1d25b8c020750
nixos/hosts/fw/modules/web/invidious-init-user.nix

62 lines
2.0 KiB
Nix
Raw Blame History

{ config, pkgs, ... }:
let
pythonWithBcrypt = pkgs.python3.withPackages (ps: [ ps.bcrypt ]);
in
{
# Invidious admin user initialization
# Creates the initial admin user directly in the PostgreSQL database
# Secret for admin user password
sops.secrets."invidious-admin-password" = {
sopsFile = ./secrets.yaml;
};
# One-time service to create admin user
systemd.services.invidious-init-admin-user = {
description = "Initialize Invidious admin user";
after = [ "invidious.service" "postgresql.service" ];
wants = [ "invidious.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
User = "postgres";
RemainAfterExit = true;
LoadCredential = [ "admin_password:${config.sops.secrets."invidious-admin-password".path}" ];
};
script = ''
# Wait for Invidious to initialize the database schema
sleep 5
# Check if user already exists
USER_EXISTS=$(${pkgs.postgresql}/bin/psql -d invidious -tAc "SELECT COUNT(*) FROM users WHERE email = 'admin@cloonar.com';")
if [ "$USER_EXISTS" -eq "0" ]; then
echo "Creating admin user..."
# Read password from credential
PASSWORD=$(cat $CREDENTIALS_DIRECTORY/admin_password)
# Generate bcrypt hash
HASH=$(${pythonWithBcrypt}/bin/python3 -c "import bcrypt; import sys; print(bcrypt.hashpw('$PASSWORD'.encode(), bcrypt.gensalt(rounds=10)).decode())")
# Generate random token
TOKEN=$(head -c 32 /dev/urandom | base64 | tr -d '/+=' | head -c 32)
# Insert user into database
${pkgs.postgresql}/bin/psql -d invidious <<-SQL
INSERT INTO users (email, password, preferences, updated, notifications, subscriptions, watched, token)
VALUES ('admin@cloonar.com', '$HASH', '{}', NOW(), ARRAY[]::text[], ARRAY[]::text[], ARRAY[]::text[], '$TOKEN')
ON CONFLICT (email) DO NOTHING;
SQL
echo "Admin user created successfully"
else
echo "Admin user already exists, skipping..."
fi
'';
};
}
Reference in New Issue View Git Blame Copy Permalink