-rw-r--r--modules/server/default.nix2
-rw-r--r--modules/server/owncast-integration/default.nix18
-rw-r--r--modules/server/owncast-integration/hook.cgi.sh41
3 files changed, 60 insertions, 1 deletions
diff --git a/modules/server/default.nix b/modules/server/default.nix
index f59ea9662667..388d5b8da63c 100644
--- a/modules/server/default.nix
+++ b/modules/server/default.nix
@@ -1,7 +1,7 @@
 { pkgs, ... }:
 
 {
-  imports = [ ../nix ../ssh ../users ];
+  imports = [ ../nix ./owncast-integration ../ssh ../users ];
 
   security.sudo.wheelNeedsPassword = false;
 
diff --git a/modules/server/owncast-integration/default.nix b/modules/server/owncast-integration/default.nix
new file mode 100644
index 000000000000..5d931188a8cb
--- /dev/null
+++ b/modules/server/owncast-integration/default.nix
@@ -0,0 +1,18 @@
+{ lib, pkgs, ... }:
+
+{
+  services.nginx.virtualHosts.default.locations."= /owncast" = {
+    proxyPass = "http://unix:/run/cgiserver/owncast-integration.sock";
+  };
+
+  systemd.sockets.owncast-integration = {
+    wantedBy = [ "sockets.target" ];
+    socketConfig.ListenStream = "/run/cgiserver/owncast-integration.sock";
+  };
+
+  systemd.services.owncast-integration = {
+    path = with pkgs; [ curl jq libressl.nc ];
+    serviceConfig.ExecStart = "${lib.getExe pkgs.cgiserver} -r /owncast ${pkgs.bash}/bin/sh ${./hook.cgi.sh}";
+    serviceConfig.LoadCredential = [ "owncast-inbound" "owncast-outbound" ];
+  };
+}
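Review bot: The socket unit at `systemd.sockets.owncast-integration` sets only `ListenStream`, so the socket file is created with systemd's default mode (0666) and any local process, not just nginx, can talk to the CGI hook directly; the hook's own credential check limits the impact, but the socket should still be restricted to the proxy, e.g. `socketConfig.SocketMode = "0660";` plus `socketConfig.SocketGroup = "nginx";` (assuming nginx runs with that group, as NixOS does by default). The service in the same hunk carries two credentials and makes outbound HTTPS calls but has no sandboxing; adding `serviceConfig.DynamicUser = true;` and the usual `ProtectSystem`/`PrivateTmp` options would keep a compromised hook from reaching the rest of the host. The hook script also relies on `sed`, `base64`, `cat` and `printenv`, which are not in `path` and presumably come from the default NixOS service PATH (coreutils, gnused) — worth a comment on the `path` line so nobody assumes the list is complete.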
diff --git a/modules/server/owncast-integration/hook.cgi.sh b/modules/server/owncast-integration/hook.cgi.sh
new file mode 100644
index 000000000000..a11891a384bc
--- /dev/null
+++ b/modules/server/owncast-integration/hook.cgi.sh
@@ -0,0 +1,41 @@
+#!/bin/sh -e
+
+echo "Content-Type:text/plain"
+
+if [ "$REQUEST_METHOD" != POST ]; then
+    echo "Status:405 Method Not Allowed"
+    echo
+    exit
+fi
+
+# case and printenv are used here to ensure there isn't a test
+# subprocess with the secret visible in its argv.
+case "$(printenv HTTP_AUTHORIZATION | sed -n 's/^basic //ip' | base64 -d)" in
+    "$(cat -- "$CREDENTIALS_DIRECTORY/owncast-inbound")")
+	;;
+    *)
+	echo "Status:401 Unauthorized"
+	echo
+	exit
+	;;
+esac
+
+echo "Status:204 No Content"
+echo
+
+if [ "$(jq -r .type)" = STREAM_STARTED ]; then
+    nc -N ::1 18770 <<EOF
+📺 Development stream started on https://live.qyliss.net/!
+EOF
+
+    (
+	sleep 3600
+	(
+	    printf "Authorization: Bearer "
+	    cat -- "$CREDENTIALS_DIRECTORY/owncast-outbound"
+	) | curl -sSH @- \
+		 --json '{"body":"My work is mostly funded through individual donations.  Please consider supporting development of Spectrum and related projects via https://github.com/sponsors/alyssais or https://liberapay.com/qyliss.  Thank you!"}' \
+		 --fail-with-body \
+		 https://live.qyliss.net/api/integrations/chat/system
+    ) &
+fi
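Review bot: The credential comparison in the `case` at the top of the hook matches an empty decoded Authorization value against an empty expected credential: if `$CREDENTIALS_DIRECTORY` is unset or the `owncast-inbound` file is empty, the `cat` pattern expands to `""` (a failing command substitution in a case pattern does not trigger `-e`), and a request with no or garbage `Authorization` header then takes the success branch. Read the expected value first so a missing file aborts under `-e`, and reject an empty one before comparing: `expected=$(cat -- "$CREDENTIALS_DIRECTORY/owncast-inbound")` followed by `case "$expected" in "") echo "Status:500 Internal Server Error"; echo; exit;; esac`, with the existing pattern becoming `"$expected")` — this keeps the secret out of any argv, as the comment above the `case` intends. Separately, the backgrounded subshell under `STREAM_STARTED` inherits the CGI's stdout, so a CGI server that waits for EOF on the script's output may hold the response open for the hour-long `sleep`; redirecting it with `</dev/null >/dev/null 2>&1 &` avoids that, and each repeated `STREAM_STARTED` event spawns another delayed post, which may or may not be intended.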