From 7f96093aaae206600ed52619c0dd3db0b97d1c52 Mon Sep 17 00:00:00 2001
From: Alyssa Ross
Date: Mon, 25 Mar 2024 14:45:09 +0100
Subject: modules/owncast-integration: init

---
 modules/server/default.nix | 2 +-
 modules/server/owncast-integration/default.nix | 18 +++++++++++
 modules/server/owncast-integration/hook.cgi.sh | 41 ++++++++++++++++++++++++++
 3 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 modules/server/owncast-integration/default.nix
 create mode 100644 modules/server/owncast-integration/hook.cgi.sh

diff --git a/modules/server/default.nix b/modules/server/default.nix
index f59ea9662667..388d5b8da63c 100644
--- a/modules/server/default.nix
+++ b/modules/server/default.nix
@@ -1,7 +1,7 @@
 { pkgs, ... }:
 
 {
- imports = [ ../nix ../ssh ../users ];
+ imports = [ ../nix ./owncast-integration ../ssh ../users ];
 
 security.sudo.wheelNeedsPassword = false;
 
diff --git a/modules/server/owncast-integration/default.nix b/modules/server/owncast-integration/default.nix
new file mode 100644
index 000000000000..5d931188a8cb
--- /dev/null
+++ b/modules/server/owncast-integration/default.nix
@@ -0,0 +1,18 @@
+{ lib, pkgs, ... }:
+
+{
+ services.nginx.virtualHosts.default.locations."= /owncast" = {
+ proxyPass = "http://unix:/run/cgiserver/owncast-integration.sock";
+ };
+
+ systemd.sockets.owncast-integration = {
+ wantedBy = [ "sockets.target" ];
+ socketConfig.ListenStream = "/run/cgiserver/owncast-integration.sock";
+ };
+
+ systemd.services.owncast-integration = {
+ path = with pkgs; [ curl jq libressl.nc ];
+ serviceConfig.ExecStart = "${lib.getExe pkgs.cgiserver} -r /owncast ${pkgs.bash}/bin/sh ${./hook.cgi.sh}";
+ serviceConfig.LoadCredential = [ "owncast-inbound" "owncast-outbound" ];
+ };
+}
diff --git a/modules/server/owncast-integration/hook.cgi.sh b/modules/server/owncast-integration/hook.cgi.sh
new file mode 100644
index 000000000000..a11891a384bc
--- /dev/null
+++ b/modules/server/owncast-integration/hook.cgi.sh
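Review bot: ExecStart runs the hook as `${pkgs.bash}/bin/sh ${./hook.cgi.sh}`, which discards the `-e` from the script's `#!/bin/sh -e` shebang (visible in the next hunk), so errexit is not actually in effect while the handler runs; pass it explicitly, `serviceConfig.ExecStart = "${lib.getExe pkgs.cgiserver} -r /owncast ${pkgs.bash}/bin/sh -e ${./hook.cgi.sh}";` (assuming cgiserver forwards the trailing arguments as the handler's argv), or put `set -e` at the top of the script. The unit also sets no `User`/`DynamicUser` and no sandboxing, so a handler that is reachable through nginx and holds both credentials runs as root; `serviceConfig.DynamicUser = true;` (LoadCredential works with it) together with `ProtectSystem`/`NoNewPrivileges` would bring it to least privilege. `path` lists only curl, jq and nc while the hook also calls sed and base64; if those are expected from the NixOS default service PATH that is fine, but listing coreutils and gnused explicitly would document the dependency, since the `I` flag on `s///` is GNU-specific.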
@@ -0,0 +1,41 @@
+#!/bin/sh -e
+
+echo "Content-Type:text/plain"
+
+if [ "$REQUEST_METHOD" != POST ]; then
+ echo "Status:405 Method Not Allowed"
+ echo
+ exit
+fi
+
+# case and printenv are used here to ensure there isn't a test
+# subprocess with the secret visible in its argv.
+case "$(printenv HTTP_AUTHORIZATION | sed -n 's/^basic //ip' | base64 -d)" in
+ "$(cat -- "$CREDENTIALS_DIRECTORY/owncast-inbound")")
+ ;;
+ *)
+ echo "Status:401 Unauthorized"
+ echo
+ exit
+ ;;
+esac
+
+echo "Status:204 No Content"
+echo
+
+if [ "$(jq -r .type)" = STREAM_STARTED ]; then
+ nc -N ::1 18770 <