Implement media proxy

misskey-service.nix

@@ -50,19 +50,17 @@ in {
       credentialsFile = "/etc/nixos-secrets/namecheap-acme";
       group = "nginx";
     };
+    certs."STAR.egirls.gay" = {
+      domain = "*.egirls.gay";
+      dnsProvider = "namecheap";
+      credentialsFile = "/etc/nixos-secrets/namecheap-acme";
+      group = "nginx";
+    };
   };
 
   networking.firewall.allowedTCPPorts = [ 80 443 ];
 
-  services.nginx = {
+  services.nginx = let
-    enable = true;
-    recommendedProxySettings = true;
-
-    upstreams."misskey".extraConfig = ''
-      server unix:/var/run/misskey/misskey.sock;
-    '';
-
-    virtualHosts."egirls.gay" = {
     listen = [
       {
         port = 443;
@@ -74,6 +72,49 @@ in {
         addr = "0.0.0.0";
       }
     ];
+  in {
+    enable = true;
+    recommendedProxySettings = true;
+
+    upstreams."misskey".extraConfig = ''
+      server unix:/var/run/misskey/misskey.sock;
+    '';
+
+    virtualHosts."media.egirls.gay" = {
+      inherit listen;
+
+      forceSSL = true;
+      useACMEHost = "STAR.egirls.gay";
+
+      extraConfig = ''
+        client_max_body_size 1m;
+      '';
+
+      locations."/".extraConfig = ''
+        set $bucket rub-um5oh2ac4yi9c2mf.misskey.egirls.gay;
+        set $region us-east-1;
+
+        proxy_pass https://storage.us-east-1.linodeobjects.com;
+        proxy_set_header Host $bucket.us-east-1.linodeobjects.com;
+        proxy_http_version 1.1;
+        proxy_redirect off;
+        proxy_intercept_errors on;
+        error_page 400 401 403 404 406 409 410 /404;
+
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+
+        proxy_cache off;
+      '';
+
+      locations."/404".extraConfig = ''
+        return 404 "not found";
+      '';
+    };
+
+    virtualHosts."egirls.gay" = {
+      inherit listen;
 
       forceSSL = true;
       useACMEHost = "egirls.gay";