{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.piped;

  # nginx directives shared by every location that fronts piped-proxy.
  # The two client-address headers are blanked so the upstream never
  # receives the caller's address, and the upstream Cache-Control / etag /
  # alt-svc headers are hidden so that the add_header in each location is
  # the only caching policy the client sees.
  sharedProxyDirectives = ''
    proxy_buffering on;
    proxy_buffers 1024 16k;
    proxy_set_header X-Forwarded-For "";
    proxy_set_header CF-Connecting-IP "";
    proxy_hide_header "alt-svc";
    sendfile on;
    sendfile_max_chunk 512k;
    tcp_nopush on;
    aio threads=default;
    aio_write on;
    directio 16m;
    proxy_hide_header Cache-Control;
    proxy_hide_header etag;
    proxy_http_version 1.1;
    proxy_set_header Connection keep-alive;
    proxy_max_temp_file_size 32m;
    access_log off;
  '';

  # One nginx location that forwards to the local piped-proxy instance and
  # finishes with the given Cache-Control value (passed verbatim to add_header).
  mkProxyLocation = cacheControl: {
    proxyPass = "http://localhost:${toString cfg.internalProxyPort}";
    extraConfig = sharedProxyDirectives + ''
      add_header Cache-Control ${cacheControl};
    '';
  };
in
{
  # Only active when piped is enabled and the proxy has not been disabled.
  config = mkIf (cfg.enable && !cfg.disableProxy) {

    systemd.services.piped-proxy = {
      wantedBy = [ "multi-user.target" ];

      # NOTE(review): BIND listens on every interface although the nginx
      # vhost below only ever connects to localhost; if nothing else needs
      # the raw port, 127.0.0.1 would keep it off the network.
      environment.BIND = "0.0.0.0:${toString cfg.internalProxyPort}";
      environment.IPV4_ONLY = mkIf cfg.proxyIPv4Only "1";

      serviceConfig = {
        # NOTE(review): nothing in this module creates /run/piped-proxy;
        # confirm it is provided elsewhere (RuntimeDirectory or tmpfiles).
        WorkingDirectory = "/run/piped-proxy";
        ExecStart = "${pkgs.piped-proxy}/bin/piped-proxy";
        RestartSec = "5s";
        User = "piped";

        # Sandboxing: no capabilities, private user/device namespaces, no
        # home or kernel log access, and only unix/IPv4/IPv6 sockets.
        CapabilityBoundingSet = "";
        PrivateDevices = true;
        PrivateUsers = true;
        ProtectHome = true;
        ProtectKernelLogs = true;
        ProtectProc = "invisible";
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
      };
    };

    services.nginx.virtualHosts."${cfg.proxyDomain}" = {
      forceSSL = true;
      enableACME = true;

      # Default responses may be cached publicly for a week ...
      locations."/" = mkProxyLocation ''"public, max-age=604800"'';

      # ... while stream/manifest paths are marked private on every status.
      locations."~ (/videoplayback|/api/v4/|/api/manifest/)" =
        mkProxyLocation "private always";
    };
  };
}