{ config, lib, pkgs, ... }: let port = 8888; services = { "media" = config.sops.secrets.media-proxy-auth.path; "torrent" = config.sops.secrets.torrent-proxy-auth.path; "torrent.okarin" = config.sops.secrets.torrent-proxy-auth.path; }; in { options.sbruder.media-proxy.enable = lib.mkEnableOption "media proxy"; config = lib.mkIf config.sbruder.media-proxy.enable { sops.secrets = { torrent-proxy-auth.owner = "nginx"; media-proxy-auth.owner = "nginx"; }; systemd.services.nginx.serviceConfig.SupplementaryGroups = lib.singleton config.users.groups.keys.name; # otherwise name resolution fails systemd.services.nginx.after = [ "network-online.target" ]; services.nginx = { enable = true; commonHttpConfig = '' map $http_referer $media_proxy_referer { ~^http://localhost:8888/ ""; default $http_referer; } ''; virtualHosts.media-proxy = { serverName = "localhost"; listen = [ { inherit port; addr = "127.0.0.1"; } { inherit port; addr = "[::1]"; } ]; locations = { "/".extraConfig = '' rewrite ^/__nginx-interactive-index-assets__/(.*)$ /media/__nginx-interactive-index-assets__/$1; ''; } // lib.mapAttrs' (name: secret: { name = "/${name}/"; value = { proxyPass = "https://${name}.sbruder.de/"; proxyWebsockets = true; extraConfig = '' proxy_buffering off; include ${secret}; charset utf-8; proxy_set_header Referer $media_proxy_referer; proxy_set_header Origin $media_proxy_referer; ''; }; }) services; }; }; }; }