nixos-config/config/services/akkoma/mediaproxy.nix

{
  services.nginx = {
    enable = true;
    commonHttpConfig = "proxy_cache_path /var/cache/mediacache levels=2:2:2 keys_zone=akkoma_media_cache:25m inactive=1y use_temp_path=off min_free=10G;";
    virtualHosts."mail.chir.rs".listen = [
      {
        addr = "127.0.0.1";
        port = 24153;
      }
    ];
    virtualHosts."mediaproxy.int.chir.rs" = {
      listen = [
        {
          addr = "127.0.0.1";
          port = 24154;
        }
      ];
      extraConfig = ''
        location ~ ^/(media|proxy) {
          proxy_cache        akkoma_media_cache;
          proxy_cache_key    $host$uri$is_args$args;
          proxy_http_version 1.1;
          proxy_cache_valid  206 301 302 304 1h;
          proxy_cache_valid  200 1y;
          proxy_cache_use_stale error timeout invalid_header updating;
          proxy_ignore_client_abort on;
          proxy_buffering    on;
          proxy_cache_lock on;
          proxy_pass         http://127.0.0.1:4000;
        }
      '';
    };
  };
  systemd.tmpfiles.rules = [
    "d '/var/cache/mediacache' 0750 nginx nginx - -"
  ];
  systemd.services.nginx.serviceConfig.ReadWritePaths = ["/var/cache/mediacache"];
  services.nginx.validateConfig = false;
}