apu local dhcp lease dns and invidious

modules/services/default.nix

@@ -32,5 +32,6 @@
     ./voidauth.nix
     ./gitea.nix
     ./dhcp-dns-sync
+    ./invidious-companion.nix
   ];
 }

modules/services/dhcp-dns-sync/default.nix

@@ -6,6 +6,11 @@
 }:
 let
   cfg = config.modules.services.dhcp-dns-sync;
+  ownAddress = (
+    lib.elemAt (lib.splitString "/"
+      config.systemd.network.networks."30-${cfg.interface}".networkConfig.Address
+    ) 0
+  );
 
   dhcp-leases-to-unbound =
     pkgs.runCommand "dhcp-leases-to-unbound"
@@ -59,9 +64,10 @@ in
     users.groups.dhcp-dns-sync = { };
 
     # Ensure directories and files exist with proper permissions
+    # Directory needs to be group-writable for unbound group
     systemd.tmpfiles.rules = [
-      "d /var/lib/unbound 0755 unbound unbound -"
-      "f ${cfg.unboundConfigPath} 0644 dhcp-dns-sync dhcp-dns-sync -"
+      "d /var/lib/unbound 0775 unbound unbound -"
+      "f ${cfg.unboundConfigPath} 0644 dhcp-dns-sync unbound -"
     ];
 
     # Extend Unbound configuration to include generated file
@@ -69,6 +75,8 @@ in
       server = {
         local-zone = [ "${cfg.domain}. static" ];
         include = cfg.unboundConfigPath;
+        local-data = [ ''"apu.home.arpa. IN A ${ownAddress}"'' ];
+        local-data-ptr = [ ''"${ownAddress} apu.home.arpa."'' ];
       };
     };
 
@@ -88,7 +96,7 @@ in
       serviceConfig = {
         Type = "oneshot";
         User = "dhcp-dns-sync";
-        Group = "dhcp-dns-sync";
+        Group = "unbound";
         # Allow access to networkctl via D-Bus
         SupplementaryGroups = [ "systemd-network" ];
         # Read/write paths

modules/services/dhcp-dns-sync/dhcp-leases-to-unbound.cr

@@ -58,13 +58,6 @@ def sanitize_hostname(hostname : String) : String?
   sanitized
 end
 
-def reverse_ptr(ip : String) : String?
-  parts = ip.split('.')
-  return nil unless parts.size == 4
-
-  "#{parts[3]}.#{parts[2]}.#{parts[1]}.#{parts[0]}.in-addr.arpa."
-end
-
 def generate_unbound_config(leases : Array(Lease), domain : String) : String
   lines = [] of String
 
@@ -82,22 +75,29 @@ def generate_unbound_config(leases : Array(Lease), domain : String) : String
     # A record
     lines << %{local-data: "#{fqdn} IN A #{lease.address}"}
 
-    # PTR record
-    if ptr = reverse_ptr(lease.address)
-      lines << %{local-data-ptr: "#{ptr} #{fqdn}"}
-    end
+    # PTR record - local-data-ptr expects IP in normal form, unbound reverses it
+    lines << %{local-data-ptr: "#{lease.address} #{fqdn}"}
   end
 
   lines.join("\n") + "\n"
 end
 
 def get_leases(interface : String, networkctl_path : String? = nil) : Array(Lease)
-  cmd = networkctl_path ? "#{networkctl_path} status #{interface} --json=short" : "networkctl status #{interface} --json=short"
-  output = `#{cmd}`
-  raise "networkctl failed (exit code #{$?.exit_status}): #{output}" unless $?.success?
+  cmd = networkctl_path ? "#{networkctl_path}" : "networkctl"
+  args = ["status", interface, "--json=short"]
 
-  status = NetworkStatus.from_json(output)
-  status.dhcp_server.try(&.leases) || [] of Lease
+  Process.run(cmd, args, output: Process::Redirect::Pipe, error: Process::Redirect::Pipe) do |process|
+    result = process.wait
+    output = process.output.to_s
+
+    unless result.success?
+      error = process.error.to_s
+      raise "networkctl failed (exit code #{result.exit_code}): #{error.empty? ? output : error}"
+    end
+
+    status = NetworkStatus.from_json(output)
+    status.dhcp_server.try(&.leases) || [] of Lease
+  end
 end
 
 def write_if_changed(content : String, path : String) : Bool
@@ -151,13 +151,18 @@ OptionParser.parse do |parser|
 end
 
 def reload_unbound(unbound_control_path : String?)
-  cmd = unbound_control_path ? "#{unbound_control_path} reload" : "unbound-control reload"
+  cmd = unbound_control_path ? "#{unbound_control_path}" : "unbound-control"
   puts "Reloading Unbound..."
-  result = system(cmd)
-  unless result
-    # Fallback to systemctl
-    system("systemctl reload unbound")
+
+  Process.run(cmd, ["reload"], output: Process::Redirect::Pipe, error: Process::Redirect::Pipe) do |process|
+    result = process.wait
+
+    unless result.success?
+      raise "unbound reload failed (exit code #{result.exit_code}): #{process.error}"
+    end
   end
+
+  puts "Unbound reloaded successfully."
 end
 
 begin

modules/services/invidious-companion.nix

@@ -0,0 +1,99 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.invidious-companion;
+  companionRelease = "release-master";
+  hostPlatform = pkgs.stdenv.hostPlatform.system;
+
+  # Invidious Companion package - fetches binary release and patches for NixOS
+  unwrappedCompanion = pkgs.stdenv.mkDerivation {
+    pname = "unwrapped-invidious-companion";
+    version = companionRelease;
+
+    src =
+      let
+        archMap = {
+          x86_64-linux = "x86_64-unknown-linux-gnu";
+          aarch64-linux = "aarch64-unknown-linux-gnu";
+        };
+        platform = archMap.${hostPlatform} or (throw "Unsupported platform: ${hostPlatform}");
+      in
+      pkgs.fetchzip {
+        url = "https://github.com/iv-org/invidious-companion/releases/download/${companionRelease}/invidious_companion-${platform}.tar.gz";
+        sha256 = cfg.binaryHash;
+      };
+
+    dontStrip = true;
+    dontPatchELF = true;
+
+    installPhase = ''
+      mkdir -p $out/bin
+      cp invidious_companion $out/bin/invidious_companion
+      chmod +x $out/bin/invidious_companion
+    '';
+  };
+
+  invidiousCompanion = pkgs.buildFHSEnv {
+    name = "invidious-companion";
+    targetPkgs = pkgs: [ unwrappedCompanion ];
+    runScript = "invidious_companion";
+    meta = {
+      description = "Invidious companion for handling video streams";
+      homepage = "https://github.com/iv-org/invidious-companion";
+      license = lib.licenses.agpl3Only;
+    };
+  };
+in
+{
+  options.services.invidious-companion = {
+    enable = lib.mkEnableOption "Enable Invidious Companion service";
+    host = lib.mkOption {
+      type = lib.types.str;
+      default = "localhost";
+    };
+    port = lib.mkOption {
+      type = lib.types.port;
+      default = 8282;
+      description = "Port for Invidious Companion to listen on";
+    };
+    secretKeyFile = lib.mkOption {
+      type = lib.types.str;
+      description = "Path to file containing the companion secret key";
+    };
+    binaryHash = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      description = "SHA256 hash of the invidious companion binary release";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.invidious-companion = {
+      description = "Invidious Companion - video stream handler";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+
+      serviceConfig = {
+        Type = "simple";
+        User = "invidious";
+        Group = "invidious";
+        DynamicUser = true;
+        ExecStart = lib.getExe invidiousCompanion;
+        Environment = [
+          "HOST=${cfg.host}"
+          "PORT=${toString cfg.port}"
+          "TMPDIR=/var/cache/invidious-companion"
+        ];
+        EnvironmentFile = [ cfg.secretKeyFile ];
+        CacheDirectory = "invidious-companion";
+        WorkingDirectory = "%C/invidious-companion";
+        Restart = "always";
+        RestartSec = 5;
+      };
+    };
+  };
+}

modules/services/invidious.nix

@@ -1,4 +1,8 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  ...
+}:
 let
   cfg = config.services.invidious;
   fqdn = "${cfg.subdomain}.${config.networking.domain}";
@@ -32,5 +36,14 @@ in
         vHosts.${fqdn}.locations."/".proxyPort = cfg.port;
       };
     };
+
+    systemd.services.invidious.serviceConfig.DynamicUser = lib.mkForce false;
+
+    users.groups.invidious = { };
+    users.users.invidious = {
+      isSystemUser = true;
+      group = "invidious";
+      description = "Invidious user";
+    };
   };
 }