Add media-proxy

This also adds secrets management for nginx. It is far from perfect (e.g. nginx does not get reloaded when a secret changes).
2020-12-31 15:44:24 +01:00 · 2020-12-31 15:44:24 +01:00 · cb913a9b00
parent e6b770875c
commit cb913a9b00
5 changed files with 86 additions and 0 deletions
--- a/machines/nunotaba/configuration.nix
+++ b/machines/nunotaba/configuration.nix
@ -12,6 +12,7 @@
    gpu.intel.enable = true;
    gui.enable = true;
    libvirt.enable = true;
    media-proxy.enable = true;
    restic.enable = true;
    ssd.enable = true;
    wireguard.home = {
--- a/machines/sayuri/configuration.nix
+++ b/machines/sayuri/configuration.nix
@ -12,6 +12,7 @@
    gpu.amd.enable = true;
    gui.enable = true;
    libvirt.enable = true;
    media-proxy.enable = true;
    restic = {
      enable = true;
      extraPaths = [
--- a/modules/default.nix
+++ b/modules/default.nix
@ -17,7 +17,9 @@
    ./grub.nix
    ./libvirt.nix
    ./locales.nix
    ./media-proxy.nix
    ./network-manager.nix
    ./nginx.nix
    ./office.nix
    ./prometheus/node_exporter.nix
    ./pubkeys.nix
--- a/modules/media-proxy.nix
+++ b/modules/media-proxy.nix
@ -0,0 +1,42 @@
 { config, lib, pkgs, ... }:
 let
  port = 8888;
  services = {
    "media" = <secrets/media-proxy-auth>;
    "scan" = <secrets/media-proxy-auth>;
    "torrent" = <secrets/torrent-proxy-auth>;
  };
 in
 {
  options.sbruder.media-proxy.enable = lib.mkEnableOption "media proxy";
  config.services.nginx = lib.mkIf config.sbruder.media-proxy.enable {
    enable = true;
    secrets = builtins.attrValues services;
    virtualHosts.media-proxy = {
      serverName = "localhost";
      listen = [
        { inherit port; addr = "127.0.0.1"; }
        { inherit port; addr = "[::1]"; }
      ];
      locations = {
        "/".extraConfig = ''
          rewrite ^/__assets/(.*)$ /media/__assets/$1;
        '';
      } // lib.mapAttrs'
        (name: secret: {
          name = "/${name}/";
          value = {
            proxyPass = "https://${name}.sbruder.de/";
            proxyWebsockets = true;
            extraConfig = ''
              proxy_buffering off;
              include /run/nginx/secrets/${lib.last (lib.splitString "/" (toString secret))};
              charset utf-8;
            '';
          };
        })
        services;
    };
  };
 }
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@ -0,0 +1,40 @@
 { config, lib, ... }:
 let
  cfg = config.services.nginx;
 in
 {
  options.services.nginx.secrets = lib.mkOption {
    type = with lib.types; listOf (either str path);
    default = [ ];
    description = "Secrets to be copied to `/run/nginx/secrets/`";
  };
  config.systemd = lib.mkIf (lib.length cfg.secrets != 0) {
    services = {
      nginx-secrets = {
        description = "Secrets for nginx";
        wantedBy = [ "nginx.service" ];
        partOf = [ "nginx.service" ];
        serviceConfig.Type = "oneshot";
        script = ''
          rm -rf /run/nginx/secrets
          install -o ${cfg.user} -g ${cfg.group} -m 700 -d /run/nginx/secrets
        '' + lib.concatStrings (map
          (secret: ''
            install -o ${cfg.user} -g ${cfg.group} -m 600 ${toString secret} /run/nginx/secrets
          '')
          cfg.secrets);
      };
      nginx.after = [ "nginx-secrets.service" ];
    };
    paths.nginx-secrets = {
      wantedBy = [ "nginx-secrets.service" ];
      partOf = [ "nginx-secrets.service" ];
      pathConfig = {
        PathModified = "/var/src/secrets";
        Unit = "nginx-secrets.service";
      };
    };
  };
 }