nixos-config/modules/media-proxy.nix

54 lines
1.7 KiB
Nix
Raw Permalink Normal View History

# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, pkgs, ... }:
let
services = {
"media" = config.sops.secrets.media-proxy-auth.path;
2022-09-23 00:14:45 +02:00
"media-sb" = config.sops.secrets.media-proxy-auth.path;
"torrent" = config.sops.secrets.torrent-proxy-auth.path;
2023-10-04 17:02:16 +02:00
"sturzbach" = config.sops.secrets.torrent-proxy-auth.path;
};
in
{
options.sbruder.media-proxy.enable = lib.mkEnableOption "media proxy";
2021-01-06 13:09:29 +01:00
config = lib.mkIf config.sbruder.media-proxy.enable {
sops.secrets = {
torrent-proxy-auth.owner = "nginx";
media-proxy-auth.owner = "nginx";
2021-01-06 13:09:29 +01:00
};
systemd.services.nginx.serviceConfig.SupplementaryGroups = lib.singleton config.users.groups.keys.name;
2021-01-06 13:09:29 +01:00
# otherwise name resolution fails
systemd.services.nginx.after = [ "network-online.target" ];
2021-01-06 13:09:29 +01:00
services.nginx = {
enable = true;
commonHttpConfig = ''
map $http_referer $media_proxy_referer {
~^http://.*\.localhost/ "";
default $http_referer;
}
'';
virtualHosts = lib.mapAttrs'
(name: secret: lib.nameValuePair "${name}.localhost" {
locations."/" = {
proxyPass = "https://${name}.sbruder.de/";
proxyWebsockets = true;
# they interfere here, as the host needs to be changed
recommendedProxySettings = false;
extraConfig = ''
proxy_buffering off;
include ${secret};
charset utf-8;
proxy_set_header Referer $media_proxy_referer;
proxy_set_header Origin $media_proxy_referer;
'';
};
})
services;
};
};
}