nixos-config/modules/media-proxy.nix
Simon Bruder 0e3bd19aa8
media-proxy: Unset referer for same-site requests
The qBittorrent WebUI does not accept requests whose Referer points to a host other than the target. This implementation does not compromise security, because the referer is only unset when the real referer was the locally proxied page itself. All other referers are passed through verbatim.
2022-03-18 23:43:24 +01:00


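{ config, lib, pkgs, ... }:
let
  # Loopback port the proxy listens on. It is interpolated into the referer
  # map below as well, so the listen address and the "own origin" pattern
  # cannot drift apart when the port is changed.
  port = 8888;

  # Upstream name -> path of the sops secret whose contents are `include`d
  # into the proxied location. The snippet itself is not visible here;
  # presumably it carries the upstream credentials (e.g. an Authorization
  # header), which is why the proxy must stay loopback-only.
  services = {
    "media" = config.sops.secrets.media-proxy-auth.path;
    "torrent" = config.sops.secrets.torrent-proxy-auth.path;
  };

  # Prefix a browser puts into the Referer header for pages served by this
  # proxy. Only referers starting with this value are blanked.
  selfReferer = "http://localhost:${toString port}/";
in
{
  options.sbruder.media-proxy.enable = lib.mkEnableOption "media proxy";

  config = lib.mkIf config.sbruder.media-proxy.enable {
    # The secret files are read by the nginx master process.
    sops.secrets = {
      torrent-proxy-auth.owner = "nginx";
      media-proxy-auth.owner = "nginx";
    };
    systemd.services.nginx.serviceConfig.SupplementaryGroups = lib.singleton config.users.groups.keys.name;

    # nginx resolves the upstream host names when it starts; without the
    # network being online that resolution fails. `after` only orders the
    # two units, `wants` makes sure network-online.target is actually
    # pulled in so the ordering has an effect.
    systemd.services.nginx.after = [ "network-online.target" ];
    systemd.services.nginx.wants = [ "network-online.target" ];

    services.nginx = {
      enable = true;

      commonHttpConfig = ''
        # Requests whose Referer points at this proxy itself get the header
        # dropped (nginx omits a proxy_set_header whose value is empty).
        # qBittorrent's WebUI otherwise refuses them, because the referer
        # host (localhost) differs from the upstream host. Every other
        # referer -- including one from a third-party site -- is forwarded
        # unchanged, so the upstream's own same-origin checks still apply to
        # cross-site requests.
        map $http_referer $media_proxy_referer {
          ~^${selfReferer} "";
          default $http_referer;
        }
      '';

      virtualHosts.media-proxy = {
        serverName = "localhost";
        # Loopback only: the proxy attaches credentials from the included
        # secrets, so it must never be reachable from other hosts. Note that
        # this still does not distinguish between local users/processes;
        # anything on this machine that can reach ${toString port} can use
        # the upstreams with the stored credentials.
        listen = [
          { inherit port; addr = "127.0.0.1"; }
          { inherit port; addr = "[::1]"; }
        ];

        locations = {
          # The autoindex assets are requested relative to the root; route
          # them to the media upstream where they actually live.
          "/".extraConfig = ''
            rewrite ^/__nginx-interactive-index-assets__/(.*)$ /media/__nginx-interactive-index-assets__/$1;
          '';
        } // lib.mapAttrs'
          (name: secret: {
            # One sub-path per upstream: /media/ -> media.sbruder.de, ...
            name = "/${name}/";
            value = {
              proxyPass = "https://${name}.sbruder.de/";
              proxyWebsockets = true;
              extraConfig = ''
                proxy_buffering off;
                include ${secret};
                charset utf-8;
                proxy_set_header Referer $media_proxy_referer;
                # NOTE(review): for a non-local referer this forwards the full
                # referer URL (scheme://host/path) as Origin, although Origin is
                # defined as scheme://host[:port] only. The host part -- which is
                # what a same-origin check compares -- is still correct, and a
                # local referer yields an empty value, i.e. no Origin header.
                proxy_set_header Origin $media_proxy_referer;
              '';
            };
          })
          services;
      };
    };
  };
}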