nixos-config/modules/media-proxy.nix
Simon Bruder f945341668
Relicense
This applies the REUSE specification to the repository, so the licensing
information can be tracked for every file individually.
2024-01-13 14:35:31 +01:00

54 lines
1.7 KiB
Nix

# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, pkgs, ... }:
let
services = {
"media" = config.sops.secrets.media-proxy-auth.path;
"media-sb" = config.sops.secrets.media-proxy-auth.path;
"torrent" = config.sops.secrets.torrent-proxy-auth.path;
"sturzbach" = config.sops.secrets.torrent-proxy-auth.path;
};
in
{
options.sbruder.media-proxy.enable = lib.mkEnableOption "media proxy";
config = lib.mkIf config.sbruder.media-proxy.enable {
sops.secrets = {
torrent-proxy-auth.owner = "nginx";
media-proxy-auth.owner = "nginx";
};
systemd.services.nginx.serviceConfig.SupplementaryGroups = lib.singleton config.users.groups.keys.name;
# otherwise name resolution fails
systemd.services.nginx.after = [ "network-online.target" ];
services.nginx = {
enable = true;
commonHttpConfig = ''
map $http_referer $media_proxy_referer {
~^http://.*\.localhost/ "";
default $http_referer;
}
'';
virtualHosts = lib.mapAttrs'
(name: secret: lib.nameValuePair "${name}.localhost" {
locations."/" = {
proxyPass = "https://${name}.sbruder.de/";
proxyWebsockets = true;
# they interfere here, as the host needs to be changed
recommendedProxySettings = false;
extraConfig = ''
proxy_buffering off;
include ${secret};
charset utf-8;
proxy_set_header Referer $media_proxy_referer;
proxy_set_header Origin $media_proxy_referer;
'';
};
})
services;
};
};
}