5 files changed, 113 insertions, 6 deletions

diff --git a/flake.lock b/flake.lock

index 18097bf..90aeaca 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1428,11 +1428,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1748918445,
-        "narHash": "sha256-KyQ6TA3JkcoveyeiVIL+J0Okxuno9Fy1GNZ9/9sdRKQ=",
+        "lastModified": 1748981743,
+        "narHash": "sha256-0eOWD48VOpfQWLT0uMO8k4jPmWHtrxYw9ueDU5+6dOA=",
         "ref": "refs/heads/main",
-        "rev": "006ada2e8a31d8c57273bb1cafe976354ebd6244",
-        "revCount": 41,
+        "rev": "2034f459d416afdead72e590f870567452b2c62a",
+        "revCount": 52,
         "type": "git",
         "url": "https://cgit.rory.gay/school/nodejs-final-assignment.git/"
       },
diff --git a/host/Rory-ovh/services/nginx/nginx.nix b/host/Rory-ovh/services/nginx/nginx.nix

index 453816f..5cd68da 100755
--- a/host/Rory-ovh/services/nginx/nginx.nix
+++ b/host/Rory-ovh/services/nginx/nginx.nix
@@ -70,6 +70,8 @@ in
         # #matrix...
         # "conduit.rory.gay" = import ./rory.gay/conduit.nix;
         "matrix.rory.gay" = import ./rory.gay/matrix.nix { inherit config; };
+        "safensound.rory.gay" = import ./rory.gay/safensound.nix { inherit config; };
+        "api.safensound.rory.gay" = import ./rory.gay/api.safensound.nix { inherit config; };
         "stream.rory.gay" = import ./rory.gay/stream.nix { inherit config; };
         # "pcpoc.rory.gay" = import ./rory.gay/pcpoc.nix;
         # "matrixunittests.rory.gay" = import ./rory.gay/matrixunittests.nix;
diff --git a/host/Rory-ovh/services/nginx/rory.gay/api.safensound.nix b/host/Rory-ovh/services/nginx/rory.gay/api.safensound.nix
new file mode 100755

index 0000000..b0ff075
--- /dev/null
+++ b/host/Rory-ovh/services/nginx/rory.gay/api.safensound.nix
@@ -0,0 +1,72 @@
+{ config }: 
+{
+  enableACME = !config.virtualisation.isVmVariant;
+  addSSL = !config.virtualisation.isVmVariant;
+  locations."/" = {
+    #proxyPass = "http://127.0.0.1:9001";
+    proxyPass = "http://localhost:7645";
+    extraConfig = ''
+      if ($request_method = 'OPTIONS') {
+        more_set_headers 'Access-Control-Allow-Origin: *';
+        more_set_headers 'Access-Control-Allow-Methods: *';
+        #
+        # Custom headers and headers various browsers *should* be OK with but aren't
+        #
+        more_set_headers 'Access-Control-Allow-Headers: *, Authorization';
+        #
+        # Tell client that this pre-flight info is valid for 20 days
+        #
+        more_set_headers 'Access-Control-Max-Age: 1728000';
+        more_set_headers 'Content-Type: text/plain; charset=utf-8';
+        more_set_headers 'Content-Length: 0';
+        return 204;
+      }
+    '';
+  };
+
+  locations."= /.well-known/matrix/server".extraConfig = ''
+    more_set_headers 'Content-Type application/json';
+    more_set_headers 'Access-Control-Allow-Origin *';
+    return 200 '${builtins.toJSON { "m.server" = "matrix.rory.gay:443"; }}';
+  '';
+  locations."= /.well-known/matrix/client".extraConfig = ''
+    more_set_headers 'Content-Type application/json';
+    more_set_headers 'Access-Control-Allow-Origin *';
+    return 200 '${
+      builtins.toJSON {
+        "m.homeserver".base_url = "https://matrix.rory.gay";
+        "org.matrix.msc3575.proxy".url = "https://matrix.rory.gay";
+      }
+    }';
+  '';
+  locations."= /.well-known/matrix/support".extraConfig = ''
+    more_set_headers 'Content-Type application/json';
+    more_set_headers 'Access-Control-Allow-Origin *';
+    return 200 '${
+      builtins.toJSON {
+        admins = [
+          {
+            matrix_id = "@emma:rory.gay";
+            role = "admin";
+          }
+          {
+            matrix_id = "@alicia:rory.gay";
+            role = "admin";
+          }
+          {
+            matrix_id = "@root:rory.gay";
+            role = "admin";
+          }
+          {
+            matrix_id = "@rory:rory.gay";
+            role = "admin";
+          }
+        ];
+      }
+    }';
+  '';
+
+  locations."~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
+    proxyPass = "http://localhost:8100";
+  };
+}
diff --git a/host/Rory-ovh/services/nginx/rory.gay/safensound.nix b/host/Rory-ovh/services/nginx/rory.gay/safensound.nix
new file mode 100755

index 0000000..9208129
--- /dev/null
+++ b/host/Rory-ovh/services/nginx/rory.gay/safensound.nix
@@ -0,0 +1,30 @@
+{ config }: 
+{
+  enableACME = !config.virtualisation.isVmVariant;
+  addSSL = !config.virtualisation.isVmVariant;
+#  quic = true;
+  http3 = !config.virtualisation.isVmVariant;
+  http3_hq = !config.virtualisation.isVmVariant;
+  kTLS = !config.virtualisation.isVmVariant;
+  root = "/data/nginx/html_safensound";
+#  reuseport = true;
+  extraConfig = ''
+    brotli off;
+    brotli_static off;
+  '';
+  locations = {
+    "/" = {
+      index = "index.html";
+      extraConfig = ''
+        more_set_headers 'Access-Control-Allow-Origin: *';
+        more_set_headers 'Access-Control-Allow-Methods: *';
+        more_set_headers 'Access-Control-Allow-Headers: *';
+        more_set_headers 'Access-Control-Expose-Headers: *';
+        more_set_headers 'Access-Control-Max-Age' 1728000;
+
+        # default to /index.html if file not found
+        try_files $uri $uri/ /index.html;
+      '';
+    };
+  };
+}
diff --git a/host/Rory-ovh/services/safensound.nix b/host/Rory-ovh/services/safensound.nix

index 4cf5388..69f301a 100644
--- a/host/Rory-ovh/services/safensound.nix
+++ b/host/Rory-ovh/services/safensound.nix
@@ -19,7 +19,10 @@
 
   services.safensound = {
     enable = true;
-    dbCredentialsPath = "/";
-    jwtSecretPath = "/";
+    dbCredentialsPath = "/data/secrets/safensound-mongodb";
+    port = 7645;
+    logRequests = "-";
+    logQueries = true;
+    logAuth = true;
   };
 }