fix(hakurei): kitchen

2026-02-09 12:29:19 -08:00 · 2024-02-10 14:02:03 -08:00 · 2024-02-10 14:02:03 -08:00 · ca48f9407e
commit ca48f9407e
parent b4e6cdac9d
2 changed files with 44 additions and 13 deletions
--- a/nixos/access/kitchencam.nix
+++ b/nixos/access/kitchencam.nix
@ -4,11 +4,17 @@
  ...
 }: let
  inherit (lib.options) mkOption;
-  inherit (lib.modules) mkIf mkDefault;
+  inherit (lib.modules) mkIf mkMerge mkDefault;
+  inherit (lib.lists) concatMap;
+  inherit (config.services) nginx;
  inherit (config.services.nginx) virtualHosts;
  access = config.services.nginx.access.kitchencam;
 in {
  options.services.nginx.access.kitchencam = with lib.types; {
+    streamPort = mkOption {
+      type = port;
+      default = 8081;
+    };
    host = mkOption {
      type = str;
      default = "kitchencam.local.${config.networking.domain}";
@ -19,7 +25,7 @@ in {
    };
    streamUrl = mkOption {
      type = str;
-      default = "http://${access.host}:8081";
+      default = "http://${access.host}:${toString access.streamPort}";
    };
    domain = mkOption {
      type = str;
@ -40,36 +46,60 @@ in {
  };
  config.services.nginx = {
    virtualHosts = let
+      addSSL = access.useACMEHost != null || virtualHosts.${access.domain}.addSSL || virtualHosts.${access.domain}.forceSSL;
      extraConfig = ''
        proxy_redirect off;
        proxy_buffering off;
      '';
      locations = {
        "/" = {
-          proxy.websocket.enable = true;
          proxyPass = access.url;
        };
-        "/stream" = {
-          proxy.websocket.enable = true;
+        "~ ^/[0-9]+/(stream|motion|substream|current|source|status\\.json)$" = {
          proxyPass = access.streamUrl;
+          inherit extraConfig;
+        };
+        "~ ^/(stream|motion|substream|current|source|cameras\\.json|status\\.json)$" = {
+          proxyPass = access.streamUrl;
+          inherit extraConfig;
        };
      };
+      streamListen = { config, ... }: {
+        listen = concatMap (addr: [
+          (mkIf config.addSSL {
+            inherit addr;
+            port = 443;
+            ssl = true;
+          })
+          {
+            inherit addr;
+            port = 80;
+          }
+          {
+            inherit addr;
+            port = access.streamPort;
+          }
+        ]) nginx.defaultListenAddresses;
+      };
    in {
-      ${access.domain} = {
+      ${access.domain} = mkMerge [ {
        vouch.enable = true;
        kTLS = mkDefault true;
        inherit (access) useACMEHost;
-        forceSSL = mkDefault (access.useACMEHost != null);
-        inherit locations extraConfig;
-      };
-      ${access.localDomain} = {
+        addSSL = mkDefault (access.useACMEHost != null);
+        inherit locations;
+      } streamListen ];
+      ${access.localDomain} = mkMerge [ {
        serverAliases = mkIf config.services.tailscale.enable [ access.tailDomain ];
        inherit (virtualHosts.${access.domain}) useACMEHost;
-        addSSL = mkDefault (access.useACMEHost != null || virtualHosts.${access.domain}.addSSL || virtualHosts.${access.domain}.forceSSL);
+        addSSL = mkDefault addSSL;
        kTLS = mkDefault true;
        local.enable = true;
-        inherit locations extraConfig;
-      };
+        inherit locations;
+      } streamListen ];
    };
  };
+  config.networking.firewall.allowedTCPPorts = [
+    access.streamPort
+  ];
 }
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
@ -127,6 +127,7 @@ in {
      host = "idp.local.${config.networking.domain}";
    };
    access.kitchencam = {
+      streamPort = 41081;
      useACMEHost = access.kitchencam.domain;
    };
    virtualHosts = {