From 542bb5d7b8e3dfe22826fe0af3272b8b2a8b925a Mon Sep 17 00:00:00 2001
From: Soispha
Date: Fri, 11 Aug 2023 10:31:46 +0200
Subject: Fix(system/service/invidious): Copy their script, to remove shell escape

The default ExecStart implementation in the module, escapes all stings. This does not work for us because we need to use the `$CREDENTIALS_DIR` environment variable, for the credentials deployed in den `LoadCredential` option
---
 system/services/invidious/default.nix | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

(limited to 'system')

diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix
index 8b69c2e..f51fc3d 100644
--- a/system/services/invidious/default.nix
+++ b/system/services/invidious/default.nix
@@ -1,4 +1,11 @@
-{config, ...}: {
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.services.invidious;
+in {
 services.invidious = {
 enable = true;
 database = {
@@ -14,5 +21,25 @@
 };
 systemd.services.invidious.serviceConfig = {
 LoadCredential = "hmac:${config.age.secrets.invidiousHmac.path}";
+
+ script = let
+ # taken from the invidious module
+ settingsFormat = pkgs.formats.json {};
+ settingsFile = settingsFormat.generate "invidious-settings" cfg.settings;
+
+ jqFilter =
+ "."
+ + lib.optionalString (cfg.database.host != null) "[0].db.password = \"'\"'\"$(cat ${lib.escapeShellArg cfg.database.passwordFile})\"'\"'\""
+ + " | .[0]"
+ + lib.optionalString (cfg.extraSettingsFile != null) " * .[1]";
+
+ # don't escape extraSettingsFile, to allow variable substitution
+ jqFiles =
+ settingsFile
+ + lib.optionalString (cfg.extraSettingsFile != null) " \"${cfg.extraSettingsFile}\"";
+ in ''
+ export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s "${jqFilter}" ${jqFiles})"
+ exec ${cfg.package}/bin/invidious
+ '';
 };
 }
--
cgit 1.4.1
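Review bot: In the second hunk `script` is added inside `systemd.services.invidious.serviceConfig`, next to `LoadCredential`, but in NixOS `script` is an option of the service itself (`systemd.services.<name>.script`), whereas `serviceConfig` is written out as `[Service]` keys. Placed here it would most likely become an unknown `script=` directive, so the module's own start script, with its escaping, would still run. Moving it up one level as `systemd.services.invidious.script = lib.mkForce (let … in ''…'');` should make the override take effect; `mkForce` is probably needed because `script` is a `lines` option and would otherwise be concatenated with the module's definition. Separately, `jqFiles` puts `cfg.extraSettingsFile` in double quotes without escaping, so the shell expands `$CREDENTIALS_DIR` but also any `$(…)` or backticks in that value. The existing comment could record that constraint, for example `# extraSettingsFile is expanded by the shell on purpose: keep it a fixed, Nix-controlled string`.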