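# SPDX-FileCopyrightText: 2020-2023 Simon Bruder
#
# SPDX-License-Identifier: AGPL-3.0-or-later

# Local nginx reverse proxy: a request for <name>.localhost is forwarded to
# https://<name>.sbruder.de/ with a per-service snippet (a sops secret)
# included in the location block.
{ config, lib, pkgs, ... }:
let
  # Virtual host prefix -> path of the nginx snippet included for that host.
  # Judging by the secret names the snippet presumably carries the upstream
  # credentials; its content is not visible in this file.
  services = {
    "media" = config.sops.secrets.media-proxy-auth.path;
    "media-sb" = config.sops.secrets.media-proxy-auth.path;
    "torrent" = config.sops.secrets.torrent-proxy-auth.path;
    "sturzbach" = config.sops.secrets.torrent-proxy-auth.path;
  };
in
{
  options.sbruder.media-proxy.enable = lib.mkEnableOption "media proxy";

  config = lib.mkIf config.sbruder.media-proxy.enable {
    # nginx includes the snippets itself, so the nginx user owns them.
    sops.secrets = {
      torrent-proxy-auth.owner = "nginx";
      media-proxy-auth.owner = "nginx";
    };
    # Adds the keys group to the nginx service (presumably required to reach
    # the decrypted secrets; verify against the sops-nix setup).
    systemd.services.nginx.serviceConfig.SupplementaryGroups = lib.singleton config.users.groups.keys.name;

    # otherwise name resolution fails
    systemd.services.nginx.after = [ "network-online.target" ];

    services.nginx = {
      enable = true;

      # Blank out a Referer that points at one of the *.localhost names, so the
      # local hostname is not forwarded upstream; any other Referer is kept.
      commonHttpConfig = ''
        map $http_referer $media_proxy_referer {
          ~^http://.*\.localhost/ "";
          default $http_referer;
        }
      '';

      # NOTE(review): no listen address is set here, so these virtual hosts
      # use nginx's default listen addresses, and every client that can reach
      # that port has the included snippet applied to its request. Consider
      # listenAddresses = [ "127.0.0.1" ]; (plus "[::1]" where IPv6 is enabled)
      # on each virtual host; confirm nothing relies on non-loopback access.
      virtualHosts = lib.mapAttrs'
        (name: secret: lib.nameValuePair "${name}.localhost" {
          locations."/" = {
            proxyPass = "https://${name}.sbruder.de/";
            proxyWebsockets = true;
            # they interfere here, as the host needs to be changed
            recommendedProxySettings = false;
            extraConfig = ''
              proxy_buffering off;

              # nginx does not verify the upstream certificate unless told to.
              # The included snippet is sent along with every request, so
              # verify the peer (and send SNI) before anything is forwarded.
              proxy_ssl_server_name on;
              proxy_ssl_verify on;
              proxy_ssl_verify_depth 2;
              proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

              include ${secret};
              charset utf-8;

              # Both headers take the mapped Referer value; nginx does not
              # pass a header whose value is the empty string.
              proxy_set_header Referer $media_proxy_referer;
              proxy_set_header Origin $media_proxy_referer;
            '';
          };
        })
        services;
    };
  };
}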