55 lines
1.8 KiB
Nix
55 lines
1.8 KiB
Nix
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
|
|
#
|
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
|
|
{ config, lib, pkgs, ... }:
|
|
let
|
|
services = {
|
|
"media" = config.sops.secrets.media-proxy-auth.path;
|
|
"media-sb" = config.sops.secrets.media-proxy-auth.path;
|
|
"torrent" = config.sops.secrets.torrent-proxy-auth.path;
|
|
"sturzbach" = config.sops.secrets.torrent-proxy-auth.path;
|
|
};
|
|
in
|
|
{
|
|
options.sbruder.media-proxy.enable = lib.mkEnableOption "media proxy";
|
|
|
|
config = lib.mkIf config.sbruder.media-proxy.enable {
|
|
sops.secrets = {
|
|
torrent-proxy-auth.owner = "nginx";
|
|
media-proxy-auth.owner = "nginx";
|
|
};
|
|
systemd.services.nginx.serviceConfig.SupplementaryGroups = lib.singleton config.users.groups.keys.name;
|
|
|
|
# otherwise name resolution fails
|
|
systemd.services.nginx.after = [ "network-online.target" ];
|
|
systemd.services.nginx.wants = [ "network-online.target" ];
|
|
services.nginx = {
|
|
enable = true;
|
|
commonHttpConfig = ''
|
|
map $http_referer $media_proxy_referer {
|
|
~^http://.*\.localhost/ "";
|
|
default $http_referer;
|
|
}
|
|
'';
|
|
virtualHosts = lib.mapAttrs'
|
|
(name: secret: lib.nameValuePair "${name}.localhost" {
|
|
locations."/" = {
|
|
proxyPass = "https://${name}.sbruder.de/";
|
|
proxyWebsockets = true;
|
|
# they interfere here, as the host needs to be changed
|
|
recommendedProxySettings = false;
|
|
extraConfig = ''
|
|
proxy_buffering off;
|
|
include ${secret};
|
|
charset utf-8;
|
|
proxy_set_header Referer $media_proxy_referer;
|
|
proxy_set_header Origin $media_proxy_referer;
|
|
'';
|
|
};
|
|
})
|
|
services;
|
|
};
|
|
};
|
|
}
|