Add media-proxy

This also adds secrets management for nginx. It is far from perfect
(e.g. nginx does not get reloaded when a secret changes).
This commit is contained in:
Simon Bruder 2020-12-31 15:44:24 +01:00
parent e6b770875c
commit cb913a9b00
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
5 changed files with 86 additions and 0 deletions


@ -12,6 +12,7 @@
gpu.intel.enable = true;
gui.enable = true;
libvirt.enable = true;
media-proxy.enable = true;
restic.enable = true;
ssd.enable = true;
wireguard.home = {


@ -12,6 +12,7 @@
gpu.amd.enable = true;
gui.enable = true;
libvirt.enable = true;
media-proxy.enable = true;
restic = {
enable = true;
extraPaths = [


@ -17,7 +17,9 @@
./grub.nix
./libvirt.nix
./locales.nix
./media-proxy.nix
./network-manager.nix
./nginx.nix
./office.nix
./prometheus/node_exporter.nix
./pubkeys.nix

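--- /dev/null
+++ b/modules/media-proxy.nix
@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+let
+port = 8888;
+services = {
+"media" = <secrets/media-proxy-auth>;
+"scan" = <secrets/media-proxy-auth>;
+"torrent" = <secrets/torrent-proxy-auth>;
+};
+in
+{
+options.sbruder.media-proxy.enable = lib.mkEnableOption "media proxy";
+config.services.nginx = lib.mkIf config.sbruder.media-proxy.enable {
+enable = true;
+secrets = builtins.attrValues services;
+virtualHosts.media-proxy = {
+serverName = "localhost";
+listen = [
+{ inherit port; addr = "127.0.0.1"; }
+{ inherit port; addr = "[::1]"; }
+];
+locations = {
+"/".extraConfig = ''
+rewrite ^/__assets/(.*)$ /media/__assets/$1;
+'';
+} // lib.mapAttrs'
+(name: secret: {
+name = "/${name}/";
+value = {
+proxyPass = "https://${name}.sbruder.de/";
+proxyWebsockets = true;
+extraConfig = ''
+proxy_buffering off;
+include /run/nginx/secrets/${lib.last (lib.splitString "/" (toString secret))};
+charset utf-8;
+'';
+};
+})
+services;
+};
+};
+}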
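Review bot: The `proxyPass = "https://${name}.sbruder.de/"` upstreams run with nginx's default of `proxy_ssl_verify off`, so the remote certificate is never checked and whatever the included secret file adds to the request (presumably credentials, given the `*-proxy-auth` names) is sent to any endpoint that answers for that host. Adding `proxy_ssl_verify on;`, `proxy_ssl_server_name on;` and `proxy_ssl_trusted_certificate <CA-bundle path>;` to the same `extraConfig` closes that; the loopback-only `listen` entries limit who can reach the proxy, not where the proxy sends the secret. Separately, `secrets = builtins.attrValues services` lists the same path twice ("media" and "scan" share `<secrets/media-proxy-auth>`) and the `include` line keys on the basename alone, so two secrets with equal file names in different directories would overwrite each other under /run/nginx/secrets. Wrapping the list in `lib.unique` and a comment such as `# include path is keyed on the secret's basename, so basenames must be unique` on the `services` attrset would make both explicit.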

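--- /dev/null
+++ b/modules/nginx.nix
@@ -0,0 +1,40 @@
+{ config, lib, ... }:
+let
+cfg = config.services.nginx;
+in
+{
+options.services.nginx.secrets = lib.mkOption {
+type = with lib.types; listOf (either str path);
+default = [ ];
+description = "Secrets to be copied to `/run/nginx/secrets/`";
+};
+config.systemd = lib.mkIf (lib.length cfg.secrets != 0) {
+services = {
+nginx-secrets = {
+description = "Secrets for nginx";
+wantedBy = [ "nginx.service" ];
+partOf = [ "nginx.service" ];
+serviceConfig.Type = "oneshot";
+script = ''
+rm -rf /run/nginx/secrets
+install -o ${cfg.user} -g ${cfg.group} -m 700 -d /run/nginx/secrets
+'' + lib.concatStrings (map
+(secret: ''
+install -o ${cfg.user} -g ${cfg.group} -m 600 ${toString secret} /run/nginx/secrets
+'')
+cfg.secrets);
+};
+nginx.after = [ "nginx-secrets.service" ];
+};
+paths.nginx-secrets = {
+wantedBy = [ "nginx-secrets.service" ];
+partOf = [ "nginx-secrets.service" ];
+pathConfig = {
+PathModified = "/var/src/secrets";
+Unit = "nginx-secrets.service";
+};
+};
+};
+}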
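Review bot: `${toString secret}` on the `install` line inside `script` is the one thing keeping the secret out of the Nix store (interpolating a path value directly copies it into the world-readable store, whereas `toString` only yields the path string), and that intent is not written down anywhere; a comment such as `# toString: interpolating the path itself would copy the secret into the world-readable store` on that line, and the same warning in the option `description`, would stop a later cleanup from "simplifying" it away. The interpolations are also unquoted in the shell script, so a user, group or secret path containing whitespace splits into several arguments; `${lib.escapeShellArg (toString secret)}` and `${lib.escapeShellArg cfg.user}` is the usual form. As a point of style, declaring the option as `services.nginx.secrets` extends the upstream nginx module's namespace and would clash with a future upstream option of that name, which the `sbruder.*` namespace used in media-proxy.nix avoids.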