commit d21fb0fe10bd4f0e28dfcf9bf683a43300178ac7 Author: Minecon724 Date: Tue Mar 25 17:25:31 2025 +0100 Initial commit diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..c6a46cd --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "smart-ipv6-rotator"] + path = smart-ipv6-rotator + url = https://github.com/iv-org/smart-ipv6-rotator diff --git a/README.md b/README.md new file mode 100644 index 0000000..a189dc5 --- /dev/null +++ b/README.md @@ -0,0 +1,13 @@ +### Checklist + +1. Replace IP addressses in `docker-compose.yml` and `reset.sh` +2. Make sure `reset.sh` works +3. In `nginx`: + - `openssl dhparam -out dhparam.pem 3072` (takes up to a few minutes, you can do the two below steps in the meantime) + - `openssl req -new -x509 -days 365 -noenc -out snakeoil.pem -keyout snakeoil.key` (keep pressing Enter) + - Replace hostname in `conf.d/companion.conf` +4. `docker compose up -d` and [issue a certificate](https://git.m724.eu/Minecon724/dream-setup/src/branch/master/CERTIFICATE.md) +5. Schedule `reset.sh` + + +**TODO** automate all that diff --git a/config.toml b/config.toml new file mode 100644 index 0000000..c56b95b --- /dev/null +++ b/config.toml @@ -0,0 +1,55 @@ +##### +# The configuration options listed below are able to be enabled as needed. +# The values in this example are the defaults. Some values can alternatively +# be set using an environment variable. +# +# In order to enable an option, make sure you uncomment both the option +# and the block header for the section it belongs to. Any other commented +# options will continue to use default values. +# See https://toml.io/en/ for details on the configuration format. +##### + +# [server] +# port = 8282 # env variable: PORT +# host = "127.0.0.1" # env variable: HOST +# # secret key needs to be 16 characters long or more +# secret_key = "CHANGE_ME" # env variable: SERVER_SECRET_KEY +# verify_requests = false + +# [cache] +# enabled = true +# # will get cached in /var/tmp/youtubei.js if you specify /var/tmp +# # you need to change the --allow-write from deno run too +# directory = "/var/tmp" + +# [networking] +# #proxy = "" # env variable: PROXY +# # Enable YouTube new video format UMP +# ump = false + +### +# Network call timeouts when talking to YouTube. +# Should only be used when connections are hanging unexpectedly. +### +# [networking.fetch] +# timeout_ms = + +### +# Network call retries when talking to YouTube, using +# https://docs.deno.com/examples/exponential_backoff/ +### +# [networking.fetch.retry] +# enabled = false # enable retries on calls to YouTube +# times = 1 # max number of times to retry +# initial_debounce = 0 # minimum wait after first call (ms) +# debounce_multiplier = 0 # how much to back off after each retry (multiplier of initial_debounce) + +# [jobs] + +# [jobs.youtube_session] +# po_token_enabled = true # whether to generate PO tokens +# frequency = "*/5 * * * *" # frequency of PO token refresh in cron format + +# [youtube_session] +# oauth_enabled = false +# cookies = "" diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..d03ca82 --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,50 @@ +services: + companion: + image: quay.io/invidious/invidious-companion:latest + restart: unless-stopped + cap_drop: + - ALL + read_only: true + # cache for youtube library + volumes: + - companioncache:/var/tmp/youtubei.js:rw + - ./config.toml:/app/config/config.toml:ro + security_opt: + - no-new-privileges:true + + acme: + image: neilpang/acme.sh:latest # https://github.com/acmesh-official/acme.sh/wiki/Run-acme.sh-in-docker + restart: unless-stopped + volumes: + - acme-data:/acme.sh + - ssl-certs:/etc/ssl + - ./html:/var/www/html + command: daemon + + nginx: + image: nginx:alpine-slim # https://hub.docker.com/_/nginx + restart: unless-stopped + volumes: + - ./nginx:/etc/nginx + - ./html:/var/www/html:ro + - ssl-certs:/etc/ssl:ro + ports: + - "203.0.113.1:80:80" + - "[2001:db8::1]:80:80" + - "203.0.113.1:443:443" + - "[2001:db8::1]:443:443" + - "203.0.113.1:443:443/udp" + - "[2001:db8::1]:443:443/udp" + +volumes: + companioncache: + acme-data: + ssl-certs: + +networks: + default: + enable_ipv6: true + ipam: + config: + - subnet: 2001:db9::/112 + gateway: 2001:db9::1 diff --git a/nginx/conf.d/companion.conf b/nginx/conf.d/companion.conf new file mode 100644 index 0000000..75b6f8b --- /dev/null +++ b/nginx/conf.d/companion.conf @@ -0,0 +1,30 @@ +server { + listen 443 ssl; + listen 443 quic; + listen [::]:443 ssl; + listen [::]:443 quic; + + server_name example.com; + + ssl_certificate /etc/ssl/example.com/fullchain.pem; + ssl_certificate_key /etc/ssl/example.com/key.pem; + + proxy_max_temp_file_size 0; + + location / { + proxy_pass http://companion:8282; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Host $host; # so Invidious knows domain + proxy_http_version 1.1; + proxy_set_header Connection ""; + # TODO cors header to restrict to instance? + } + + location /youtubei/v1/player { + proxy_pass http://companion:8282; + } + + location /.well-known/acme-challenge { + root /var/www/html/example.com; + } +} diff --git a/nginx/mime.types b/nginx/mime.types new file mode 100644 index 0000000..8d37c86 --- /dev/null +++ b/nginx/mime.types @@ -0,0 +1,98 @@ +types { + text/html html htm shtml; + text/css css; + text/xml xml; + image/gif gif; + image/jpeg jpeg jpg; + application/javascript js; + application/atom+xml atom; + application/rss+xml rss; + + text/mathml mml; + text/plain txt; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/x-component htc; + + image/avif avif; + image/png png; + image/svg+xml svg svgz; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/webp webp; + image/x-icon ico; + image/x-jng jng; + image/x-ms-bmp bmp; + + font/woff woff; + font/woff2 woff2; + + application/java-archive jar war ear; + application/json json; + application/mac-binhex40 hqx; + application/msword doc; + application/pdf pdf; + application/postscript ps eps ai; + application/rtf rtf; + application/vnd.apple.mpegurl m3u8; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; + application/vnd.ms-excel xls; + application/vnd.ms-fontobject eot; + application/vnd.ms-powerpoint ppt; + application/vnd.oasis.opendocument.graphics odg; + application/vnd.oasis.opendocument.presentation odp; + application/vnd.oasis.opendocument.spreadsheet ods; + application/vnd.oasis.opendocument.text odt; + application/vnd.openxmlformats-officedocument.presentationml.presentation + pptx; + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet + xlsx; + application/vnd.openxmlformats-officedocument.wordprocessingml.document + docx; + application/vnd.wap.wmlc wmlc; + application/wasm wasm; + application/x-7z-compressed 7z; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-perl pl pm; + application/x-pilot prc pdb; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert der pem crt; + application/x-xpinstall xpi; + application/xhtml+xml xhtml; + application/xspf+xml xspf; + application/zip zip; + + application/octet-stream bin exe dll; + application/octet-stream deb; + application/octet-stream dmg; + application/octet-stream iso img; + application/octet-stream msi msp msm; + + audio/midi mid midi kar; + audio/mpeg mp3; + audio/ogg ogg; + audio/x-m4a m4a; + audio/x-realaudio ra; + + video/3gpp 3gpp 3gp; + video/mp2t ts; + video/mp4 mp4; + video/mpeg mpeg mpg; + video/quicktime mov; + video/webm webm; + video/x-flv flv; + video/x-m4v m4v; + video/x-mng mng; + video/x-ms-asf asx asf; + video/x-ms-wmv wmv; + video/x-msvideo avi; +} diff --git a/nginx/nginx.conf b/nginx/nginx.conf new file mode 100644 index 0000000..925e687 --- /dev/null +++ b/nginx/nginx.conf @@ -0,0 +1,84 @@ +user nginx; +worker_processes auto; + +error_log /var/log/nginx/error.log notice; +pid /var/run/nginx.pid; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_user [$time_local] "$request" ' + '$status $body_bytes_sent bytes "$http_referer" ' + '"$http_x_forwarded_for"'; + + # While I removed PII from the above log format, still better not logging + access_log /dev/null main; # /var/log/nginx/access.log main; + + + server_tokens off; + + sendfile on; + tcp_nopush on; + + quic_retry on; + quic_gso on; + ssl_early_data on; # READ https://blog.cloudflare.com/introducing-0-rtt/#whats-the-catch + + keepalive_timeout 65; + + gzip on; + gzip_types *; + gzip_min_length 1000; + gzip_proxied any; + + http2 on; + + add_header Alt-Svc 'h3=":443"; ma=86400'; + + # modern configuration + ssl_protocols TLSv1.3; + ssl_ecdh_curve X25519:prime256v1:secp384r1; + ssl_prefer_server_ciphers off; + + # Make sure to generate it first + ssl_dhparam dhparam.pem; + + # OCSP stapling + ssl_stapling on; + ssl_stapling_verify on; + + # replace with the IP address of your resolver; + # async 'resolver' is important for proper operation of OCSP stapling + resolver [2001:4860:4860::8888] [2001:4860:4860::8844]; + + # If certificates are marked OCSP Must-Staple, consider managing the + # OCSP stapling cache with an external script, e.g. certbot-ocsp-fetcher + + # HTTPS redirect + server { + listen 80 default_server; + listen [::]:80 default_server; + + return 301 https://$host$request_uri; + } + + # default HTTPS server + server { + listen 443 ssl default_server; + listen 443 quic reuseport default_server; + listen [::]:443 ssl default_server; + + server_name _; + + # Make sure to generate + ssl_certificate snakeoil.pem; + ssl_certificate_key snakeoil.key; + } + + include /etc/nginx/conf.d/*.conf; +} diff --git a/reset.sh b/reset.sh new file mode 100755 index 0000000..ab1dcaf --- /dev/null +++ b/reset.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +echo "Rotating IP..." +python3 smart-ipv6-rotator/smart-ipv6-rotator.py run --ipv6range=2001:db8::/32 + +docker compose restart companion diff --git a/smart-ipv6-rotator b/smart-ipv6-rotator new file mode 160000 index 0000000..6c72861 --- /dev/null +++ b/smart-ipv6-rotator @@ -0,0 +1 @@ +Subproject commit 6c7286107b48e91ccfebe02a95478dc1606b532e