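# NixOS module fragment: runs the piped-proxy service and the nginx virtual host
# that fronts it. Everything here is only enabled when services.piped.enable is
# set and the proxy has not been disabled via cfg.disableProxy.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.piped;

  # nginx directives shared by both proxy locations below.
  #
  # The client-identifying headers (X-Forwarded-For, CF-Connecting-IP) are
  # blanked and access logging is switched off, so the upstream proxy (and its
  # logs) never see the viewer's address. The upstream's Cache-Control, etag and
  # alt-svc headers are hidden so that each location sets its own caching policy.
  proxy_nginx_extras = ''
    proxy_buffering on;
    proxy_buffers 1024 16k;
    proxy_set_header X-Forwarded-For "";
    proxy_set_header CF-Connecting-IP "";
    proxy_hide_header "alt-svc";
    sendfile on;
    sendfile_max_chunk 512k;
    tcp_nopush on;
    aio threads=default;
    aio_write on;
    directio 16m;
    proxy_hide_header Cache-Control;
    proxy_hide_header etag;
    proxy_http_version 1.1;
    proxy_set_header Connection keep-alive;
    proxy_max_temp_file_size 32m;
    access_log off;
  '';
in
{
  config = lib.mkIf (cfg.enable && !cfg.disableProxy) {
    systemd.services.piped-proxy = {
      wantedBy = [ "multi-user.target" ];

      # NOTE(review): 0.0.0.0 binds on every IPv4 interface, not only loopback,
      # so the internal port is reachable from the network unless the host
      # firewall blocks it. nginx only ever connects via localhost.
      environment.BIND = "0.0.0.0:${toString cfg.internalProxyPort}";
      environment.IPV4_ONLY = lib.mkIf cfg.proxyIPv4Only "1";

      serviceConfig = {
        # systemd does not create WorkingDirectory by itself; RuntimeDirectory
        # makes it create (and own, as User=) /run/piped-proxy before ExecStart.
        # Harmless if another rule already provides the directory.
        RuntimeDirectory = "piped-proxy";
        WorkingDirectory = "/run/piped-proxy";
        ExecStart = "${pkgs.piped-proxy}/bin/piped-proxy";

        # RestartSec= has no effect unless Restart= is also set (default: no).
        Restart = "on-failure";
        RestartSec = "5s";
        User = "piped";

        # Sandboxing. The service handles untrusted network input, so it gets
        # no capabilities, no device/home access and a seccomp allow-list.
        CapabilityBoundingSet = "";
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateUsers = true;
        ProtectHome = true;
        ProtectKernelLogs = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;
        ProtectClock = true;
        ProtectHostname = true;
        ProtectProc = "invisible";
        LockPersonality = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
        # ProtectSystem=strict and MemoryDenyWriteExecute are deliberately not
        # added here: it is not verified that the binary tolerates them.
      };
    };

    services.nginx.virtualHosts."${cfg.proxyDomain}" = {
      forceSSL = true;
      enableACME = true;

      # Default location: static/cacheable responses, public cache for one week.
      locations."/" = {
        proxyPass = "http://localhost:${toString cfg.internalProxyPort}";
        extraConfig = proxy_nginx_extras + ''
          add_header Cache-Control "public, max-age=604800";
        '';
      };

      # Media/API paths: the nginx "~" prefix makes this an unanchored regex, so
      # it matches these fragments anywhere in the URI. Responses are marked
      # private so shared caches do not store them.
      locations."~ (/videoplayback|/api/v4/|/api/manifest/)" = {
        proxyPass = "http://localhost:${toString cfg.internalProxyPort}";
        extraConfig = proxy_nginx_extras + ''
          add_header Cache-Control private always;
        '';
      };
    };
  };
}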