Simon Bruder
f945341668
This applies the REUSE specification to the repository, so the licensing information can be tracked for every file individually.
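# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

# NixOS module: local authenticating reverse proxy.
#
# For every entry in `services` an nginx virtual host `<name>.localhost` is
# created that proxies to `https://<name>.sbruder.de/` and includes a
# sops-managed file in the location block. The content of that file is not
# visible here; presumably it sets the upstream authentication header
# (confirm against the secret).
{ config, lib, pkgs, ... }:
let
  # vhost name -> path of the sops secret that nginx includes for that vhost.
  # Two vhosts share each secret.
  services = {
    "media" = config.sops.secrets.media-proxy-auth.path;
    "media-sb" = config.sops.secrets.media-proxy-auth.path;
    "torrent" = config.sops.secrets.torrent-proxy-auth.path;
    "sturzbach" = config.sops.secrets.torrent-proxy-auth.path;
  };
in
{
  options.sbruder.media-proxy.enable = lib.mkEnableOption "media proxy";

  config = lib.mkIf config.sbruder.media-proxy.enable {
    # nginx reads the secrets through `include`, so it must own them.
    sops.secrets = {
      torrent-proxy-auth.owner = "nginx";
      media-proxy-auth.owner = "nginx";
    };
    # Adds the `keys` group to the nginx service; presumably needed to reach
    # the directory the secrets live in (confirm against the sops setup).
    systemd.services.nginx.serviceConfig.SupplementaryGroups = lib.singleton config.users.groups.keys.name;

    # otherwise name resolution fails
    systemd.services.nginx.after = [ "network-online.target" ];
    # `after` only orders the units; without `wants` nothing guarantees that
    # network-online.target is started at all, and the ordering is then a no-op.
    systemd.services.nginx.wants = [ "network-online.target" ];
    services.nginx = {
      enable = true;
      # Referer values that match the `.localhost` pattern are replaced by an
      # empty string, everything else is passed through unchanged. The result
      # is sent upstream as both Referer and Origin (see extraConfig below).
      # The `.*` is not limited to the host part, so a URL that merely contains
      # `.localhost/` later on is blanked as well.
      commonHttpConfig = ''
        map $http_referer $media_proxy_referer {
          ~^http://.*\.localhost/ "";
          default $http_referer;
        }
      '';
      # NOTE(review): no listen address is set on these vhosts, so they use the
      # nginx module's default listen addresses. Every request that reaches
      # them is forwarded with whatever the included secret adds, so confirm
      # that the nginx port is not reachable from other hosts (firewall), or
      # bind these vhosts to loopback.
      virtualHosts = lib.mapAttrs'
        (name: secret: lib.nameValuePair "${name}.localhost" {
          locations."/" = {
            # NOTE(review): nginx does not verify the upstream certificate
            # unless `proxy_ssl_verify` is enabled. Nothing visible here turns
            # it on; check whether the included secret file does.
            proxyPass = "https://${name}.sbruder.de/";
            proxyWebsockets = true;
            # they interfere here, as the host needs to be changed
            recommendedProxySettings = false;
            extraConfig = ''
              proxy_buffering off;
              include ${secret};
              charset utf-8;
              proxy_set_header Referer $media_proxy_referer;
              proxy_set_header Origin $media_proxy_referer;
            '';
          };
        })
        services;
    };
  };
}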