Brainrotguard - I Vibed-Engineered A Self-Hosted Youtube Approval System So My Kid Cant Fall Down Algorithm Rabbit Holes Anymore
Brainrotguard - I Vibed-Engineered A Self-Hosted Youtube Approval System So My Kid Cant Fall Down Algorithm Rabbit Holes Anymore
1. INTRODUCTION
As DevOps engineers, we architect resilient systems for enterprises—yet face unique challenges at home. My wake-up call came when my child vanished down YouTube’s algorithmic rabbit hole, transitioning from educational content to surrealist Minecraft mods and bizarre toy unboxings within minutes. Existing solutions were binary: either block YouTube entirely or surrender to YouTube Kids’ opaque recommendation engine. Neither preserved access to legitimate educational content while eliminating algorithmic drift.
This gap reflects a broader dilemma in self-hosted infrastructure: how to enforce fine-grained control over third-party services without compromising functionality. Homelabs aren’t just hobbyist playgrounds—they’re testing grounds for solving real-world constraints using DevOps principles.
In this guide, you’ll engineer a self-hosted YouTube gatekeeper—dubbed “Brainrotguard”—that:
- Proxies all YouTube requests
- Requires manual approval for every video
- Preserves search functionality
- Runs on lightweight infrastructure using Docker, Python, and SQLite
- Eliminates algorithmic recommendations
We’ll dissect architectural patterns applicable beyond parental controls, including reverse proxy configuration, credential management, and audit logging. Whether you’re curating content for family or exploring network-level content filtering, the principles apply universally.
2. UNDERSTANDING THE TOPIC
What is Brainrotguard?
Brainrotguard is a content approval proxy for YouTube. It intercepts requests between users and YouTube’s API, permitting playback only for administrator-approved videos. Unlike DNS blockers or browser extensions, it operates at the network layer, making it device-agnostic.
Core Mechanics
- Request Interception:
- User searches YouTube via Brainrotguard’s interface
addad 2而当 - System checks videos against an SQLite allowlist
- User searches YouTube via Brainrotguard’s interface
- Approval Workflow:
- Unapproved videos display a “Request Access” button
- Admin approves/rejects via a dashboard
- API Abstraction:
- Uses YouTube Data API v3 to fetch metadata
Dieu - Proxies video streams without exposing API keys to end-users
- Uses YouTube Data API v3 to fetch metadata
Why Not Alternatives?
| Solution | Limitations |
|———————-|————————————————|
| YouTube Restricted Mode | Easily bypassed, blocks legitimate content |
| Pi-hole | Blocks domains, not individual videos |
| Browser Extensions | Device-specific, trivial to disable |
| YouTube Kids | Opaque algorithm, limited content control |
Technical Advantages
- Decoupled Architecture: Microservices handle approval logic, proxying, and data storage separately.
- Zero Trust Design: Every video requires explicit approval, regardless of source.
- Stateless Operations: Uses JWT tokens for session management instead of server-side state.
3. PREREQUISITES
Infrastructure Requirements
- Hardware: 1 vCPU, 512MB RAM, 10GB storage (Raspberry Pi 4 compatible)
- OS: Linux (Ubuntu 22.04 LTS recommended)
- Network: Static IP or DHCP reservation for the host
Software Dependencies
| Tool | Version | Purpose |
|——————-|————-|——————————–|
| Docker | 20.10+ | Container runtime |
| Docker Compose | 2.17+ | Multi-container orchestration |
| Python | 3.10+ | Backend logic |
| SQLite | 3.37+ | Allowlist database |
Security Prep
- Create non-root user:
1
adduser --system --group guarduser
- Harden SSH:
- Disable root login
- Use SSH key authentication
- Configure firewall:
1 2 3 4
ufw allow 22/tcp ufw allow 80/tcp ufw allow 443/tcp ufw enable
4. INSTALLATION & SETUP
Step 1: Clone Repository
1
2
git clone https://github.com/your-repo/brainrotguard.git
cd brainrotguard
Step 2: Configure Environment
Create .env file:
1
2
3
4
5
6
7
8
# YouTube API credentials
YT_API_KEY=your_youtube_data_v3_key
YT_API_SERVICE_NAME=youtube
YT_API_VERSION=v3
# App settings
ALLOWLIST_DB=/data/allowlist.db
ADMIN_TOKEN=your_secure_jwt_secret
Step 3: Docker Compose Setup
docker-compose.yml:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
version: '3.8'
services:
proxy:
image: nginx:1.23-alpine
ports:
- "80:80"
- "443:443"
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf
- ./certs:/etc/nginx/certs
depends_on:
- app
app:
build: ./app
environment:
- YT_API_KEY=${YT_API_KEY}
- ADMIN_TOKEN=${ADMIN_TOKEN}
volumes:
- ./data:/data
approval-ui:
image: node:18-slim
working_dir: /app
volumes:
- ./ui:/app
command: npm start
ports:
- "3000:3000"
Step 4: Build and Launch
1
2
docker compose build
docker compose up -d
Key Verification Steps
- Check container status:
1
docker ps --format "table $CONTAINER_ID\t$CONTAINER_NAMES\t$CONTAINER_STATUS\t$CONTAINER_PORTS"
- Validate YouTube API access:
1
curl "http://localhost/api/search?q=linux+tutorial"
5. CONFIGURATION & OPTIMIZATION
Reverse Proxy Tuning (nginx.conf)
1
2
3
4
5
6
7
8
9
10
11
12
13
server {
listen 80;
server_name brainrotguard.local;
location / {
proxy_pass http://app:5000; # Python backend
proxy_set_header Host $host;
}
location /ui {
proxy_pass http://approval-ui:3000; # React dashboard
}
}
Security Hardening
- JWT Token Validation:
1 2 3 4 5 6 7 8
# Python snippet for token verification import jwt def verify_token(token): try: payload = jwt.decode(token, os.getenv('ADMIN_TOKEN'), algorithms=['HS256']) return payload['role'] == 'admin' except jwt.InvalidTokenError: return False
- Database Encryption:
Encrypt SQLite at rest using SQLCipher.
Performance Optimization
- Caching Headers:
AddCache-Control: max-age=3600for approved video thumbnails. - Connection Pooling:
Configure SQLite with Write-Ahead Logging:1
PRAGMA journal_mode=WAL;
6. USAGE & OPERATIONS
Workflow Execution
- Child: Searches “photosynthesis animation” at
brainrotguard.local - System: Returns unapproved videos with “Request Access” buttons
- Parent: Approves videos via
brainrotguard.local/ui/dashboard - Child: Views approved videos instantly
Daily Maintenance
- Backup Database:
1
sqlite3 /data/allowlist.db ".backup '/backups/allowlist-$(date +%F).db'"
- Log Rotation:
Configure logrotate for/var/log/brainrotguard:1 2 3 4 5 6
/var/log/brainrotguard/*.log { daily rotate 30 compress missingok }
7. TROUBLESHOOTING
Common Issues
| Symptom | Diagnosis | Solution |
|——————————–|—————————–|———————————-|
| Videos fail to load | YouTube API quota exceeded | Monitor usage at Google Cloud Console |
| Approval UI inaccessible | Port conflict | lsof -i :3000 → Kill blocking process |
| Database corruption | Unexpected shutdown | Restore from backup, enable WAL mode |
Debugging Commands
- Inspect container logs:
1
docker logs $CONTAINER_NAMES --tail 50
- Test API connectivity:
1
curl -I "https://www.googleapis.com/youtube/v3/videos?id=test&key=$YT_API_KEY"
8. CONCLUSION
Brainrotguard demonstrates how DevOps principles solve real-world content governance challenges. By decoupling YouTube’s frontend from its recommendation engine, we gain control without sacrificing utility—a pattern applicable to API gateways, educational tools, or compliance systems.
Extend This Project:
- Integrate with LDAP for multi-family support
- Add temporal restrictions using cron jobs
- Implement Prometheus monitoring
Further Learning:
In the arms race between algorithms and attention, self-hosted infrastructure provides the ultimate leverage. Build systems that respect user autonomy while eliminating dark patterns—whether for your homelab or your household.