invidious: pass configuration in INVIDIOUS_CONFIG as YAML (#448855)

}:

let

  cfg = config.services.invidious;

  # To allow injecting secrets with jq, json (instead of yaml) is used

  settingsFormat = pkgs.formats.json { };

  inherit (lib) types;

  # This need to be JSON to reduce number of

  # breaking changes, for backwards

  # compatibility with pre-25.11

  settingsFormat = pkgs.formats.json { };

  settingsFile = settingsFormat.generate "invidious-settings" cfg.settings;

  generatedHmacKeyFile = "/var/lib/invidious/hmac_key";

  generateHmac = cfg.hmacKeyFile == null;

  commonInvidousServiceConfig = {

  commonInvidiousServiceConfig = {

    description = "Invidious (An alternative YouTube front-end)";

    wants = [ "network-online.target" ];

    after = [ "network-online.target" ] ++ lib.optional cfg.database.createLocally "postgresql.target";

      RuntimeRandomizedExtraSec = lib.mkDefault "5min";

    };

  };

  mkInvidiousService =

  configScript =

    scaleIndex:

    lib.foldl' lib.recursiveUpdate commonInvidousServiceConfig [

      # only generate the hmac file in the first service

      (lib.optionalAttrs (scaleIndex == 0) {

        preStart = lib.optionalString generateHmac ''

          if [[ ! -e "${generatedHmacKeyFile}" ]]; then

            ${pkgs.pwgen}/bin/pwgen 20 1 > "${generatedHmacKeyFile}"

            chmod 0600 "${generatedHmacKeyFile}"

          fi

        '';

      })

      # configure the secondary services to run after the first service

      (lib.optionalAttrs (scaleIndex > 0) {

        after = commonInvidousServiceConfig.after ++ [ "invidious.service" ];

        wants = commonInvidousServiceConfig.wants ++ [ "invidious.service" ];

      })

      {

        script = ''

    ''

      configParts=()

    ''

    # autogenerated hmac_key

    ''

    # generated settings file

    + ''

          configParts+=("$(< ${lib.escapeShellArg settingsFile})")

      configParts+=("$(< ${settingsFile})")

    ''

    # optional database password file

    + lib.optionalString (cfg.database.host != null) ''

          configParts+=("$(${pkgs.jq}/bin/jq -R '{"db":{"password":.}}' ${lib.escapeShellArg cfg.database.passwordFile})")

      configParts+=("$(${pkgs.jq}/bin/jq -R '{"db":{"password":.}}' ${cfg.database.passwordFile})")

    ''

    # optional extra settings file

    + lib.optionalString (cfg.extraSettingsFile != null) ''

    ''

    # merge all parts into a single configuration with later elements overriding previous elements

    + ''

          export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s 'reduce .[] as $item ({}; . * $item)' <<<"''${configParts[*]}")"

      mergedConfig="$(${pkgs.jq}/bin/jq -s 'reduce .[] as $item ({}; . * $item)' <<<"''${configParts[*]}")"

      export INVIDIOUS_CONFIG=$(echo "$mergedConfig" | ${pkgs.yq-go}/bin/yq -P)

      exec ${cfg.package}/bin/invidious

    '';

      }

  mkInvidiousService =

    scaleIndex:

    lib.foldl' lib.recursiveUpdate commonInvidiousServiceConfig [

      # only generate the hmac file in the first service

      (lib.optionalAttrs (scaleIndex == 0) {

        preStart = lib.optionalString generateHmac ''

          if [[ ! -e "${generatedHmacKeyFile}" ]]; then

            ${pkgs.pwgen}/bin/pwgen 20 1 > "${generatedHmacKeyFile}"

            chmod 0600 "${generatedHmacKeyFile}"

          fi

        '';

      })

      # configure the secondary services to run after the first service

      (lib.optionalAttrs (scaleIndex > 0) {

        after = commonInvidiousServiceConfig.after ++ [ "invidious.service" ];

        wants = commonInvidiousServiceConfig.wants ++ [ "invidious.service" ];

      })

      { script = configScript scaleIndex; }

    ];

  serviceConfig = {