From bd84463d425ce6d70ed75cc3fc6a8cc1d056392e Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Wed, 20 Jul 2022 17:00:03 +0800
Subject: [PATCH] tasks/multimedia-archive: update to service change

We'll also start using sops-nix to manage the secrets required for extractors that have authentication.
---
 .../tasks/multimedia-archive/default.nix | 39 +++++++++++++----
 secrets/multimedia-archive.yaml | 42 +++++++++++++++++++
 2 files changed, 73 insertions(+), 8 deletions(-)
 create mode 100644 secrets/multimedia-archive.yaml
diff --git a/modules/nixos/tasks/multimedia-archive/default.nix b/modules/nixos/tasks/multimedia-archive/default.nix
index b0f0b541..270221c9 100644
--- a/modules/nixos/tasks/multimedia-archive/default.nix
+++ b/modules/nixos/tasks/multimedia-archive/default.nix
@@ -12,7 +12,7 @@ in
 let
 yt-dlp-args = [
 # Make a global list of successfully downloaded videos as a cache for yt-dlp.
- "--download-archive '${config.services.yt-dlp.archivePath}/videos'"
+ "--download-archive" "${config.services.yt-dlp.archivePath}/videos"
 # No overwriting of videos and related files.
 "--no-force-overwrites"
@@ -23,27 +23,28 @@ in
 # Embed chapter markers, if possible.
 "--embed-chapters"
- # Write the subtitle file.
+ # Write the subtitle file with the preferred languages.
 "--write-subs"
+ "--sub-langs" "en.*,ja,ko,zh.*,fr,pt.*"
 # Write the description in a separate file.
 "--write-description"
 # The global output for all of the jobs.
- "--output '%(uploader,artist,creator|Unknown)s/%(release_date>%F,upload_date>%F|Unknown)s-%(title)s.%(ext)s'"
+ "--output" "%(uploader,artist,creator|Unknown)s/%(release_date>%F,upload_date>%F|Unknown)s-%(title)s.%(ext)s"
 # Select only the most optimal format for my usecases.
- "--format '(webm,mkv,mp4)[height<=?1280]'"
+ "--format" "(webm,mkv,mp4)[height<=?1280]"
 # Prefer MKV whenever possible for video formats.
- "--merge-output-format mkv"
+ "--merge-output-format" "mkv"
 # Don't download any videos that are originally live streams.
- "--match-filters '!was_live'"
+ "--match-filters" "!was_live"
 # Prefer Vorbis when audio-only downloads are used.
- "--audio-format vorbis"
- "--audio-quality 2"
+ "--audio-format" "vorbis"
+ "--audio-quality" "2"
 ];
 yt-dlp-archive-variant = pkgs.writeScriptBin "yt-dlp-archive-variant" '' ${pkgs.yt-dlp}/bin/yt-dlp ${lib.escapeShellArgs yt-dlp-args}
@@ -74,6 +75,18 @@ in
 in
 {
 environment.systemPackages = [ yt-dlp-archive-variant ];
+
+ sops.secrets =
+ let
+ getKey = key: {
+ inherit key;
+ sopsFile = lib.getSecret "multimedia-archive.yaml";
+ };
+ in
+ {
+ "multimedia-archive/secrets-config" = getKey "secrets-config";
+ };
+
 fileSystems."${mountName}" = {
 device = "/dev/disk/by-uuid/6ba86a30-5fa4-41d9-8354-fa8af0f57f49";
 fsType = "btrfs";
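Review bot: The `sops.secrets` entry added in the `@@ -74,6 +75,18 @@` hunk sets only `key` and `sopsFile` in `getKey`, so the decrypted file keeps the sops-nix defaults of owner root and mode `0400`. The unit that consumes it through `--config` in the `@@ -164,8 +177,18 @@` hunk is not visible here; if that job runs as a dedicated non-root account it will not be able to read the credentials, and loosening the mode to compensate would expose them to every local user. I would make the ownership explicit in `getKey`, for example `owner = "<service-user>";` with the mode left at `0400`, where `<service-user>` is a placeholder for whatever account the archive job runs under. The enclosing attribute set continues outside the hunk, so an existing override elsewhere cannot be ruled out.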
@@ -164,8 +177,18 @@ in
 # Write metadata to separate JSON files.
 "--write-metadata"
+
+ # The config file that contains the secrets for various services.
+ # We're putting as a separate config file instead of configuring it
+ # in the service properly since secrets decrypted by sops-nix cannot
+ # be read in Nix.
+ "--config" "${config.sops.secrets."multimedia-archive/secrets-config".path}"
 ];
+ settings.extractor = {
+ filename = "{date:%F}-{title}.{extension}";
+ };
+
 jobs = {
 arts = {
 urls = [
diff --git a/secrets/multimedia-archive.yaml b/secrets/multimedia-archive.yaml
new file mode 100644
index 00000000..93023c16
--- /dev/null
+++ b/secrets/multimedia-archive.yaml
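Review bot: The comment above the new `--config` argument gives the mechanism ("cannot be read in Nix") but not the security reason, and its second sentence is missing a word ("We're putting as"). I would reword it to something like `# Credentials are kept in a separate config file: anything evaluated in Nix ends up in the world-readable store, while sops-nix only decrypts this file at activation time.` so that a later maintainer does not inline the credentials into `settings`. Only the path is interpolated here, which is fine, since the path itself is not secret. The argument list and the surrounding service definition start outside the hunk.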
@@ -0,0 +1,42 @@ +secrets-config: ENC[AES256_GCM,data:DuOZXDbxX+ODhY/9P+bGBMVdl/OXKvv64WpncryJRR7cjYoOJtNKb6TrzUkZoCaO6kGdbZRhv0/EDkPwbyIsEWVcjGPAI14r3Wl1nly8pSnSpEuMUVAGQuix3zAnSw60WPlDuILZLNsneAB5,iv:LFt1959lDZn1xo4VMjX9O95BJ6rSUMwiXY/aHzzTrQU=,tag:UJFAJJ4pggSfbKNkzroudw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1say65zc678yc03tx4zexp20c9gvskvwrm4390j4x2jkepn97duhq9ptuj9 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0QlhCVFBzc25aVkJXWGdu + K1c1c2ZUQW5yTzNXN08wMHNBcGM4bEQ3YlhBCnUwOUpLZnR5V2h3YUl5SlNtVHhh + SmFuaVNDRURkd2xQYTBEemljNXdaZVEKLS0tIHBBMmEwR2gzaEViRmZlaXBNQkZi + TGlkQ3hBQmFscU9ZTnFQVjBZN0JEeEUKZ+KJl9JRhMMmxXyW6OhCRceaiMqMP+0y + oenqVW9r3yCaCw2kJSbzV2BbUar7fLYEeKDsOx+8Fe0KZFsiY2neFA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dm9xugju4q5gx0zty8ckw655ea904c64gv9qw9fn3lu507ck8uzsag59y8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBST3Fla3EwTE8vVmlmbVlY + K2NaWDQ0WjAwZjhyQ1gwaVg0Q1dQU0JpN3dnCmxVcHRlTng0Ynp3eEJvb2JxQ1Fx + TXFQVVBOdnJQRHVNbWZYMjcza2lWTnMKLS0tIDZxaElMaFFCUWRGZzBnNmgxdFBz + MThjTXJzYU1MMDhCQ2hKdlN5ZTE3bm8KP9Su9bTmFkOwFa5EdYTh9jOUjmNESgza + Ngr+vPML9S1ssMNmR596y0qkbdYdJlOWx8sURbHaWxZvk4u3/m6+qw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-07-20T08:16:17Z" + mac: ENC[AES256_GCM,data:KOCuxHeg4VEcuzF5SWVRx5ahWAvFb+eGOyTvv5sNgA9JE7ectven0REXMM+2Qytn9+UmVVFRH4SSV89YB0BI2x2+GL+hLuLYIRCJ1/s4p9B+LIRfz6rqeo/w0ETHT+b2JjRhC99igHwksD+bLnHQo9XFcNvT2gDxvOaX+mSurSQ=,iv:+zrR7lSHLEhgtNR3/IMSnzBFoE59NJ/CzuoVz/KdauI=,tag:H59qLT3SLo4yYrzJexTryA==,type:str] + pgp: + - created_at: "2022-07-20T05:01:15Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4DFV150TdUJTsSAQdAR0ATG8vfRp7urdbmLo0OW3OpzqIoCnjO0WMMSDa7O00w + H54xE+m7rEPmblCrpcDks4G957R6Pk53cPzY8NtiNg1TNPCFf75s2jx6Mqr1RWtZ + 1GYBCQIQupykx2Am0Vi4VKbmzx9ZELAH8IGyunxqr8xpYf3bGhfbDPfgKrFoO4U9 + 
tKRio96L5UJx2qoY8vtIHB9PrbRoALNJaytmiDGj48rf1MUNubayDWbjPh9FISjB + Jpy89DizGzo= + =xcTu + -----END PGP MESSAGE----- + fp: 8FCE86932583783E515B6FE55F2B001E20ED3763 + unencrypted_suffix: _unencrypted + version: 3.7.3