Add media-proxy

This also adds secrets management for nginx. It is far from perfect (e.g. nginx does not get reloaded when a secret changes).
2020-12-31 15:44:24 +01:00 · 2020-12-31 15:44:24 +01:00 · cb913a9b00
parent e6b770875c
commit cb913a9b00
5 changed files with 86 additions and 0 deletions
--- a/machines/nunotaba/configuration.nix
+++ b/machines/nunotaba/configuration.nix
@ -12,6 +12,7 @@
    gpu.intel.enable = true;
    gui.enable = true;
    libvirt.enable = true;
+    media-proxy.enable = true;
    restic.enable = true;
    ssd.enable = true;
    wireguard.home = {
--- a/machines/sayuri/configuration.nix
+++ b/machines/sayuri/configuration.nix
@ -12,6 +12,7 @@
    gpu.amd.enable = true;
    gui.enable = true;
    libvirt.enable = true;
+    media-proxy.enable = true;
    restic = {
      enable = true;
      extraPaths = [
--- a/modules/default.nix
+++ b/modules/default.nix
@ -17,7 +17,9 @@
    ./grub.nix
    ./libvirt.nix
    ./locales.nix
+    ./media-proxy.nix
    ./network-manager.nix
+    ./nginx.nix
    ./office.nix
    ./prometheus/node_exporter.nix
    ./pubkeys.nix
--- a/modules/media-proxy.nix
+++ b/modules/media-proxy.nix
@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+let
+  port = 8888;
+  services = {
+    "media" = <secrets/media-proxy-auth>;
+    "scan" = <secrets/media-proxy-auth>;
+    "torrent" = <secrets/torrent-proxy-auth>;
+  };
+in
+{
+  options.sbruder.media-proxy.enable = lib.mkEnableOption "media proxy";
+
+  config.services.nginx = lib.mkIf config.sbruder.media-proxy.enable {
+    enable = true;
+    secrets = builtins.attrValues services;
+    virtualHosts.media-proxy = {
+      serverName = "localhost";
+      listen = [
+        { inherit port; addr = "127.0.0.1"; }
+        { inherit port; addr = "[::1]"; }
+      ];
+      locations = {
+        "/".extraConfig = ''
+          rewrite ^/__assets/(.*)$ /media/__assets/$1;
+        '';
+      } // lib.mapAttrs'
+        (name: secret: {
+          name = "/${name}/";
+          value = {
+            proxyPass = "https://${name}.sbruder.de/";
+            proxyWebsockets = true;
+            extraConfig = ''
+              proxy_buffering off;
+              include /run/nginx/secrets/${lib.last (lib.splitString "/" (toString secret))};
+              charset utf-8;
+            '';
+          };
+        })
+        services;
+    };
+  };
+}
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@ -0,0 +1,40 @@
+{ config, lib, ... }:
+let
+  cfg = config.services.nginx;
+in
+{
+  options.services.nginx.secrets = lib.mkOption {
+    type = with lib.types; listOf (either str path);
+    default = [ ];
+    description = "Secrets to be copied to `/run/nginx/secrets/`";
+  };
+
+  config.systemd = lib.mkIf (lib.length cfg.secrets != 0) {
+    services = {
+      nginx-secrets = {
+        description = "Secrets for nginx";
+        wantedBy = [ "nginx.service" ];
+        partOf = [ "nginx.service" ];
+        serviceConfig.Type = "oneshot";
+
+        script = ''
+          rm -rf /run/nginx/secrets
+          install -o ${cfg.user} -g ${cfg.group} -m 700 -d /run/nginx/secrets
+        '' + lib.concatStrings (map
+          (secret: ''
+            install -o ${cfg.user} -g ${cfg.group} -m 600 ${toString secret} /run/nginx/secrets
+          '')
+          cfg.secrets);
+      };
+      nginx.after = [ "nginx-secrets.service" ];
+    };
+    paths.nginx-secrets = {
+      wantedBy = [ "nginx-secrets.service" ];
+      partOf = [ "nginx-secrets.service" ];
+      pathConfig = {
+        PathModified = "/var/src/secrets";
+        Unit = "nginx-secrets.service";
+      };
+    };
+  };
+}