sydnix/modules/nixos/deertopia/copyparty.nix

{ config, lib, pkgs, ... }@inputs:

let cfg = config.sydnix.deertopia.copyparty;
in {
  options.sydnix.deertopia.copyparty = {
    enable = lib.mkEnableOption "Copyparty";
    port = lib.mkOption {
      type = lib.types.port;
      description = ''
        Port on which Copyparty is to listen.
      '';
      default = 3923;
    };
  };

  imports = [ ./copyparty/vault.nix ];

  config = lib.mkIf cfg.enable {
    sydnix.deertopia.copyparty.vault.enable = true;

    sydnix.impermanence.directories = [
      "/var/lib/copyparty"
    ];

    nixpkgs.overlays = [ inputs.copyparty.overlays.default ];

    # HACK: Ad-hoc permissions, as typical.
    users.users.copyparty.extraGroups = [
      "media"
    ];

    # HACK: Make files created by copyparty.service initialise with the mode
    # 775.
    systemd.services.copyparty.serviceConfig.UMask = lib.mkForce "002";

    services.copyparty = {
      enable = true;
      settings = {
        # These three options (`idp-h-usr`, `idp-h-grp`, `xff-src`) are
        # necessary for SSO integration.

        # The HTTP headers (provided by the coproxy) where Copyparty can expect
        # to find the user's name and groups.
        idp-h-usr = "remote-user";
        idp-h-grp = "remote-groups";
        # For security reasons, Copyparty will only acknowledge those headers
        # when the request comes from a known IP address specified here.  In our
        # case, we tell it to accept requests from any private IP.
        xff-src = "lan";
      };
      volumes = {
        "/Soulseek" = {
          path = "/var/lib/slskd";
          access.r = "*";
        };
        "/Media library" = {
          path = "/media/library";
          # View and upload, but no deleting.
          access.rw = "*";
          access.rwmd = "@jellyfin-admin";
        };
        "/Torrents" = {
          path = "/media/torrents";
          access.r = "*";
          access.rwmd = "@jellyfin-admin";
        };
      };
    };

    sydnix.deertopia.nginx.vhosts."files" = {
      directory = null;
      vhost = {
        forceSSL = true;
        enableACME = true;
        extraConfig = ''
          include ${./authelia/authelia-location.conf};
          # Increase limit of upload sizes.
          client_max_body_size 20G;
        '';
        locations."/".extraConfig = ''
          include ${./authelia/authelia-authrequest.conf};
          include ${./authelia/proxy.conf};
          proxy_pass http://localhost:${builtins.toString cfg.port};
        '';
      };
    };
  };
}