depot/ops/nixos/lib/emfminiserv.nix


# SPDX-FileCopyrightText: 2024 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
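# NixOS module for emfminiserv.
#
# When `my.emfminiserv.enable` is set, this module:
#   * runs the emfminiserv binary as a systemd service listening on a unix
#     socket inside its RuntimeDirectory,
#   * renders the service's environment from Vault (kv/apps/emfminiserv),
#   * installs an `emfminiserv` wrapper command that loads the same
#     environment before exec'ing the binary, and
#   * fronts the socket with a Caddy virtual host that serves files from
#     `serveDir` whenever the backend answers with an X-Accel-Redir header.
#
# `utils` is the standard NixOS module argument; it is used only for
# systemd-aware quoting of the ExecStart command line.
{ depot, pkgs, lib, config, utils, ... }:
let
  emfminiserv = depot.go.emfminiserv;
  cfg = config.my.emfminiserv;

  # Single source of truth for the socket location: the unit's
  # RuntimeDirectory, the -http_listen_unix flag and Caddy's upstream must all
  # agree on it.
  runtimeDirName = "emfminiserv";
  listenSocket = "/run/${runtimeDirName}/listen.sock";

  # Vault-rendered environment file shared by the unit and the CLI wrapper.
  envFile = config.my.vault.secrets.emfminiserv-environment.path;
in
{
  options.my.emfminiserv = {
    enable = lib.mkEnableOption "emfminiserv";
    hostname = lib.mkOption {
      type = lib.types.str;
      default = "prerelease.voc.emf.camp";
      description = "Name of the Caddy virtual host that fronts emfminiserv.";
    };
    listenAddresses = lib.mkOption {
      type = lib.types.nullOr (lib.types.listOf lib.types.str);
      default = null;
      description = ''
        Addresses the Caddy virtual host binds to. When null, the virtual
        host's listenAddresses is left unset.
      '';
    };
    serveDir = lib.mkOption {
      type = lib.types.str;
      default = "/store/emf/2024/video/output/";
      description = ''
        Directory passed to emfminiserv as -base_dir and used as the Caddy
        file_server root for X-Accel-Redir responses. The value is written
        into the Caddyfile verbatim, so it must be a single token (no
        whitespace).
      '';
    };
  };

  config = lib.mkMerge [
    (lib.mkIf cfg.enable {
      # Static group shared by the service, the rendered secret and Caddy.
      users.groups.hackyplayer = {};

      systemd.services.emfminiserv = {
        serviceConfig = {
          User = "emfminiserv";
          Group = "hackyplayer";
          RuntimeDirectory = runtimeDirName;
          DynamicUser = true;
          # Build the command line as an argument list so that systemd's own
          # quoting rules apply to every argument. The previous form wrapped
          # serveDir in literal single quotes, which breaks (or changes the
          # argument list) if the path contains a quote, '%' or '$'.
          ExecStart = utils.escapeSystemdExecArgs [
            "${emfminiserv}/bin/emfminiserv"
            "-http_listen_unix" listenSocket
            "-base_dir" cfg.serveDir
          ];
          EnvironmentFile = envFile;
        };
        wantedBy = [ "multi-user.target" ];
      };

      # The whole `environment` field of the Vault KV entry is rendered as
      # the env file; a change to it reloads/restarts the service.
      # NOTE(review): `group` presumably sets the owning group of the rendered
      # file, which decides who can run the wrapper below - confirm against
      # the my.vault.secrets module.
      my.vault.secrets.emfminiserv-environment = {
        reloadOrRestartUnits = ["emfminiserv.service"];
        group = "hackyplayer";
        template = ''
          {{ with secret "kv/apps/emfminiserv" }}
          {{ .Data.data.environment }}
          {{ end }}
        '';
      };

      environment.systemPackages = [
        # CLI wrapper: exports the variables from the secret env file, then
        # runs the binary against the same base directory as the service.
        #
        # The file is tokenised by xargs and handed to `export` as data; it is
        # never sourced, so its contents are not evaluated as shell code.
        # Limitation: `read` consumes a single line of xargs output, so this
        # relies on the environment fitting on one xargs output line.
        (pkgs.writeShellApplication {
          name = "emfminiserv";
          text = ''
            read -ra vars < <(xargs <"${envFile}")
            export "''${vars[@]}"
            exec "${emfminiserv}/bin/emfminiserv" -base_dir ${lib.escapeShellArg cfg.serveDir} "$@"
          '';
        })
      ];

      services.caddy = {
        enable = true;
        virtualHosts."${cfg.hostname}" = {
          listenAddresses = lib.mkIf (cfg.listenAddresses != null) cfg.listenAddresses;
          # Requests are proxied to the service socket. If the upstream
          # response carries an X-Accel-Redir header, Caddy rewrites the
          # request to that header's value, forces the method to GET and
          # serves the result with file_server rooted at serveDir.
          #
          # Trust boundary: whatever answers on the unix socket chooses which
          # path under serveDir gets served, so access to the socket and the
          # contents of serveDir should be scoped accordingly.
          extraConfig = ''
            reverse_proxy unix/${listenSocket} {
              @accel header X-Accel-Redir *
              handle_response @accel {
                root * ${cfg.serveDir}
                rewrite * {rp.header.X-Accel-Redir}
                method * GET
                file_server
              }
            }
          '';
        };
      };

      # Caddy joins the service's group in addition to its own.
      # NOTE(review): presumably this is what grants it access to the
      # listening socket; the socket's mode is set by emfminiserv itself -
      # confirm.
      systemd.services.caddy.serviceConfig.SupplementaryGroups = lib.mkAfter [ "hackyplayer" ];
    })
  ];
}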