From ca48f9407e7cd627a8f0f57e59b492898fcbb86b Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Sat, 10 Feb 2024 14:02:03 -0800
Subject: [PATCH] fix(hakurei): kitchen
---
 nixos/access/kitchencam.nix | 56 ++++++++++++++++++++++++++++---------
 systems/hakurei/nixos.nix | 1 +
 2 files changed, 44 insertions(+), 13 deletions(-)
diff --git a/nixos/access/kitchencam.nix b/nixos/access/kitchencam.nix
index 65524353..a3d36e5e 100644
--- a/nixos/access/kitchencam.nix
+++ b/nixos/access/kitchencam.nix
@@ -4,11 +4,17 @@
 ...
 }: let
 inherit (lib.options) mkOption;
- inherit (lib.modules) mkIf mkDefault;
+ inherit (lib.modules) mkIf mkMerge mkDefault;
+ inherit (lib.lists) concatMap;
+ inherit (config.services) nginx;
 inherit (config.services.nginx) virtualHosts;
 access = config.services.nginx.access.kitchencam;
 in {
 options.services.nginx.access.kitchencam = with lib.types; {
+ streamPort = mkOption {
+ type = port;
+ default = 8081;
+ };
 host = mkOption {
 type = str;
 default = "kitchencam.local.${config.networking.domain}";
@@ -19,7 +25,7 @@ in {
 };
 streamUrl = mkOption {
 type = str;
- default = "http://${access.host}:8081";
+ default = "http://${access.host}:${toString access.streamPort}";
 };
 domain = mkOption {
 type = str;
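Review bot: The new `streamPort` option in the first hunk of `nixos/access/kitchencam.nix` has no `description`, although elsewhere in this patch it is used three ways at once: as the port in the default `streamUrl` upstream, as an extra nginx listen port on both virtual hosts, and as a port opened in the host firewall. Anyone overriding it (as `systems/hakurei/nixos.nix` does) changes all three, so the option should say so, e.g. `description = "Port of the camera stream; used for the default streamUrl, as an additional nginx listen port, and opened in the firewall.";`. If the upstream camera port and the externally reachable listen port are ever meant to differ, they would need separate options.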
@@ -40,36 +46,60 @@ in {
 };
 config.services.nginx = {
 virtualHosts = let
+ addSSL = access.useACMEHost != null || virtualHosts.${access.domain}.addSSL || virtualHosts.${access.domain}.forceSSL;
 extraConfig = ''
 proxy_redirect off;
 proxy_buffering off;
 '';
 locations = {
 "/" = {
- proxy.websocket.enable = true;
 proxyPass = access.url;
 };
- "/stream" = {
- proxy.websocket.enable = true;
+ "~ ^/[0-9]+/(stream|motion|substream|current|source|status\\.json)$" = {
 proxyPass = access.streamUrl;
+ inherit extraConfig;
+ };
+ "~ ^/(stream|motion|substream|current|source|cameras\\.json|status\\.json)$" = {
+ proxyPass = access.streamUrl;
+ inherit extraConfig;
 };
 };
+ streamListen = { config, ... }: {
+ listen = concatMap (addr: [
+ (mkIf config.addSSL {
+ inherit addr;
+ port = 443;
+ ssl = true;
+ })
+ {
+ inherit addr;
+ port = 80;
+ }
+ {
+ inherit addr;
+ port = access.streamPort;
+ }
+ ]) nginx.defaultListenAddresses;
+ };
 in {
- ${access.domain} = {
+ ${access.domain} = mkMerge [ {
 vouch.enable = true;
 kTLS = mkDefault true;
 inherit (access) useACMEHost;
- forceSSL = mkDefault (access.useACMEHost != null);
- inherit locations extraConfig;
- };
- ${access.localDomain} = {
+ addSSL = mkDefault (access.useACMEHost != null);
+ inherit locations;
+ } streamListen ];
+ ${access.localDomain} = mkMerge [ {
 serverAliases = mkIf config.services.tailscale.enable [ access.tailDomain ];
 inherit (virtualHosts.${access.domain}) useACMEHost;
- addSSL = mkDefault (access.useACMEHost != null || virtualHosts.${access.domain}.addSSL || virtualHosts.${access.domain}.forceSSL);
+ addSSL = mkDefault addSSL;
 kTLS = mkDefault true;
 local.enable = true;
- inherit locations extraConfig;
- };
+ inherit locations;
+ } streamListen ];
 };
 };
+ config.networking.firewall.allowedTCPPorts = [
+ access.streamPort
+ ];
 }
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
index 62440749..2471d0c3 100644
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
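Review bot: In the `virtualHosts` hunk of `nixos/access/kitchencam.nix`, the `${access.domain}` host moves from `forceSSL` to `addSSL` and `streamListen` adds plain-HTTP listeners on port 80 and `access.streamPort`, so as far as the visible config shows the host marked `vouch.enable = true` now answers over cleartext with no redirect to HTTPS. On top of that, `config.networking.firewall.allowedTCPPorts = [ access.streamPort ];` opens that cleartext port on every interface unconditionally. If the extra port is only needed by clients on the LAN or tailnet, scope the rule, e.g. `networking.firewall.interfaces.<lan-interface>.allowedTCPPorts = [ access.streamPort ];` (interface name is a placeholder), and confirm that the vouch and `local.enable` restrictions still apply to requests arriving on the non-TLS listeners. Separately, `streamListen` tests only `config.addSSL`, so a host that sets `forceSSL` instead would end up without its 443 listener.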
@@ -127,6 +127,7 @@ in {
 host = "idp.local.${config.networking.domain}";
 };
 access.kitchencam = {
+ streamPort = 41081;
 useACMEHost = access.kitchencam.domain;
 };
 virtualHosts = {