From 251f404699eebac8966e9da0312e8230c52425fe Mon Sep 17 00:00:00 2001
From: Madeleine Sydney
Date: Sun, 9 Mar 2025 11:03:20 -0600
Subject: [PATCH] feat(copyparty): Allow reading of /var/lib/slskd
---
 modules/nixos/deertopia/authelia.nix | 18 ------------------
 modules/nixos/deertopia/copyparty.nix | 16 +++++++++++++---
 2 files changed, 13 insertions(+), 21 deletions(-)
diff --git a/modules/nixos/deertopia/authelia.nix b/modules/nixos/deertopia/authelia.nix
index 770f2c5..cf596af 100644
--- a/modules/nixos/deertopia/authelia.nix
+++ b/modules/nixos/deertopia/authelia.nix
@@ -148,23 +148,5 @@ in {
 locations."/api/authz".proxyPass = "$upstream";
 };
 };
-
- # TODO: Remove this. It's only used for a quick demo for myself. The
- # domain choice is arbitrary. It's just one I happen to have set up.
- sydnix.deertopia.nginx.vhosts."ldap" = {
- directory = null;
- vhost = {
- forceSSL = true;
- enableACME = true;
- extraConfig = ''
- include ${./authelia/authelia-location.conf};
- '';
- locations."/".extraConfig = ''
- include ${./authelia/authelia-authrequest.conf};
- include ${./authelia/proxy.conf};
- root /persist/deertopia.net/ldap;
- '';
- };
- };
 });
 }
diff --git a/modules/nixos/deertopia/copyparty.nix b/modules/nixos/deertopia/copyparty.nix
index 2816bac..38f3aef 100644
--- a/modules/nixos/deertopia/copyparty.nix
+++ b/modules/nixos/deertopia/copyparty.nix
@@ -29,13 +29,23 @@ in {
 services.copyparty = {
 enable = true;
 settings = {
- # These three options are necessary for SSO integration. No idea what
- # they do. }:)
- xff-src = "lan";
+ # These three options (`idp-h-usr`, `idp-h-grp`, `xff-src`) are
+ # necessary for SSO integration.
+
+ # The HTTP headers (provided by the coproxy) where Copyparty can expect
+ # to find the user's name and groups.
 idp-h-usr = "remote-user";
 idp-h-grp = "remote-groups";
+ # For security reasons, Copyparty will only acknowledge those headers
+ # when the request comes from a known IP address specified here. In our
+ # case, we tell it to accept requests from any private IP.
+ xff-src = "lan";
 };
 volumes = {
+ "/Soulseek" = {
+ path = "/var/lib/slskd";
+ access.r = "*";
+ };
 "/Jellyfin" = {
 path = "/persist/vault/jellyfin";
 # View and upload, but no deleting.
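Review bot: The new `/Soulseek` volume grants `access.r = "*"`, which in Copyparty means every client including unauthenticated ones, and it is rooted at `/var/lib/slskd`, which is presumably slskd's whole state directory rather than only its downloads. Unless the reverse proxy enforces authentication on every route to Copyparty, this exposes whatever slskd keeps there (application data, logs, possibly configuration or credentials) to anyone who can reach the service. I would point the volume at the downloads subdirectory only, `path = "<slskd downloads directory>";`, and replace `"*"` with the SSO user or group that actually needs read access. Separately, the relocated `xff-src = "lan"` lets any host on a private address that can connect to Copyparty directly supply its own `remote-user` header, so binding Copyparty to loopback or naming the proxy's address there would narrow the trust. The `volumes` block continues past the end of the hunk, so the access rules on the `/Jellyfin` entry are not visible for comparison.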