From 73d5c32427473152f630c10cca4e7b2157fd785c Mon Sep 17 00:00:00 2001
From: Aaron Bieber
Date: Fri, 9 Aug 2024 14:23:32 -0600
Subject: [PATCH] box: setup invidious on tailnet tailnet: poke holes for work to rimgo and invidious
---
 configs/tailnet.nix | 4 +++-
 hosts/box/default.nix | 21 +++++++--------------
 2 files changed, 10 insertions(+), 15 deletions(-)
diff --git a/configs/tailnet.nix b/configs/tailnet.nix
index f824d6a..bcbde40 100644
--- a/configs/tailnet.nix
+++ b/configs/tailnet.nix
@@ -24,6 +24,8 @@ let
 tv = "100.118.196.38";
 ollama = "100.121.227.121";
 display = "100.77.35.34";
+ rimgo = "100.121.77.91";
+ invidious = "100.71.57.99";
 };

 tagOwners = {
@@ -59,7 +61,7 @@ let
 {
 "action" = "accept";
 "src" = [ "tag:work" ];
- "dst" = [ "console:2222" "startpage:443" ];
+ "dst" = [ "console:2222" "startpage:443" "rimgo:443" "invidious:443" ];
 }
 {
 "action" = "accept";
diff --git a/hosts/box/default.nix b/hosts/box/default.nix
index 665e15f..1c21f28 100644
--- a/hosts/box/default.nix
+++ b/hosts/box/default.nix
@@ -101,8 +101,6 @@ in
 graph_key = mkNginxSecret;
 bw_cert = mkNginxSecret;
 bw_key = mkNginxSecret;
- invidious_cert = mkNginxSecret;
- invidious_key = mkNginxSecret;
 readarr_cert = mkNginxSecret;
 readarr_key = mkNginxSecret;
 home_cert = mkNginxSecret;
@@ -266,6 +264,12 @@ in
 };
 ts-reverse-proxy = {
 servers = {
+ "invidious-service" = {
+ enable = true;
+ reverseName = "invidious";
+ reversePort = config.services.invidious.port;
+ reverseIP = config.services.invidious.address;
+ };
 "rimgo-service" = {
 enable = true;
 reverseName = "rimgo";
@@ -484,7 +488,7 @@ in
 host = lib.mkForce "127.0.0.1";
 port = 5432;
 };
- domain = "invidious.bold.daemon";
+ domain = "invidious.otter-alligator.ts.net";
 https_only = true;
 popular_enabled = false;
 statistics_enabled = false;
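Review bot: The widened `"dst"` list in the `tag:work` rule is the only record of which internal services work-tagged devices may reach, and nothing in the hunk says why rimgo and invidious now belong on it. A comment above the rule, for example `# tag:work: HTTPS only, to the hosts named here`, would make the intent reviewable the next time the list grows. If this policy carries a Tailscale `tests` section (not visible here), an entry that accepts `tag:work` on `invidious:443` and denies it on another port of the same host would pin the boundary. The rule itself is fully inside the hunk; the enclosing ACL list is not.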
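Review bot: `reverseIP = config.services.invidious.address;` ties the proxy target to whatever address Invidious binds, and that option is not set anywhere in the visible hunks. If it is left at the NixOS module default, which as far as I recall is `0.0.0.0` unless the module's own nginx integration is enabled, the service would also listen in plain HTTP on every interface of the box, outside the tailnet ACL edited in `configs/tailnet.nix`. Pinning `address = "127.0.0.1";` in the `services.invidious` block, or confirming it is already set there, keeps the tailnet proxy as the only way in. The `servers` set continues past the end of the hunk.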
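Review bot: The new `domain` value spells out the tailnet hostname by hand, while the proxy entry added earlier in this file names the same node with `reverseName = "invidious"`, and nothing links the two. Because `https_only = true` sits on the next line, renaming one without the other would presumably leave Invidious generating HTTPS links to a name that no longer serves it. A comment on the line, for example `# keep in sync with reverseName of "invidious-service"`, would document the coupling. The settings block continues outside the hunk.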
@@ -898,17 +902,6 @@ in
 proxyWebsockets = true;
 };
 };
- "invidious.bold.daemon" = {
- forceSSL = true;
- sslCertificateKey = "${config.sops.secrets.invidious_key.path}";
- sslCertificate = "${config.sops.secrets.invidious_cert.path}";
- locations."/" = {
- proxyPass = "http://127.0.0.1:${
- toString config.services.invidious.port
- }";
- proxyWebsockets = true;
- };
- };
 "box.otter-alligator.ts.net" = {
 forceSSL = true;
 sslCertificateKey = "/etc/nixos/secrets/box.otter-alligator.ts.net.key";