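# Paste this snippet into the "Advanced" tab of the NPM Proxy Host for
# stream.hetherman.cloud. It enables Authentik Forward Auth via the
# goauthentik.io outpost, so every request is gated before hitting the
# frontend, WHEP signaling, and HLS.
#
# IMPORTANT: Remove all Custom Locations from the NPM GUI (/whep, /hls, /v3).
# They are defined here instead so that:
# - /whep/ and /hls/ use trailing-slash proxy_pass to strip the prefix
#   before forwarding to MediaMTX (otherwise MediaMTX sees the wrong path).
# - /v3/ has auth_request off without a duplicate location block conflict.
#   Duplicate location blocks (GUI + advanced) cause the wrong one to win.
#
# Requires an Authentik Proxy Provider of type "Forward auth (single
# application)" with external host https://stream.hetherman.cloud and an
# Application bound to the `stream-viewers` group.

port_in_redirect off;

# Authentik's session cookie and identity headers can exceed nginx's default
# proxy header buffers; these values match authentik's reference nginx config.
proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Gate every request on the Authentik outpost. Declared at server level so it
# is inherited by NPM's default "location /" and by every location below.
# Inheritance is the default, so a location that must stay reachable without
# a session has to state "auth_request off;" explicitly.
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin;

# Pass any Set-Cookie from the outpost back to the browser so the session is
# established. NOTE: add_header is only inherited by locations that define no
# add_header of their own; if HSTS is enabled on this NPM host, its generated
# "location /" carries an add_header and this line must then be repeated in a
# custom "location /" as well.
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;

# Expose the identity asserted by the outpost as nginx variables. They are not
# forwarded anywhere by this snippet (MediaMTX does not need them); add a
# proxy_set_header in a location if an upstream should receive them.
auth_request_set $authentik_username $upstream_http_x_authentik_username;
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
auth_request_set $authentik_email $upstream_http_x_authentik_email;

# WHEP signaling (WebRTC SDP exchange), gated by the inherited auth_request.
# Trailing slash on both sides strips the /whep prefix:
#   /whep/game/whep -> /game/whep
location /whep/ {
    proxy_pass http://192.168.50.254:48889/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

# HLS fallback, gated by the inherited auth_request.
# Trailing slash strips the /hls prefix: /hls/game/index.m3u8 -> /game/index.m3u8
location /hls/ {
    proxy_pass http://192.168.50.254:48888/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

# MediaMTX API, read-only path status (e.g. /v3/paths/get/game), reachable
# without a session so the frontend can poll stream state.
# Only this sub-tree is un-gated, and only GET/HEAD are accepted: the rest of
# the MediaMTX API can read server configuration and change server state, so
# it must not be exposed anonymously.
# Prefix is rewritten on the way through: /v3/paths/get/game -> /paths/get/game
location /v3/paths/ {
    auth_request off;
    limit_except GET {
        deny all;
    }
    proxy_pass http://192.168.50.254:19997/paths/;
}

# Every other MediaMTX API call stays proxied, but behind the Authentik gate.
# Trailing slash strips the /v3 prefix as before.
location /v3/ {
    proxy_pass http://192.168.50.254:19997/;
}

# The outpost endpoint (auth subrequest, /start sign-in and the OAuth callback)
# must be reachable without a session. auth_request is declared at server
# level and is inherited here, so it is switched off explicitly; otherwise the
# sign-in redirect target is itself gated and bounces back to the 401 handler.
location /outpost.goauthentik.io {
    auth_request off;
    proxy_pass http://192.168.50.224:30140/outpost.goauthentik.io;
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-Ssl on;
    add_header Set-Cookie $auth_cookie;
    # The auth subrequest carries only the original request's headers,
    # never its body.
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

# When auth_request returns 401, send the browser to the outpost sign-in page,
# remembering the originally requested URL in "rd".
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}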