From 25568db129babe22e87bc2fc05a672ff392733cb Mon Sep 17 00:00:00 2001
From: schweby <schweby@posteo.net>
Date: Thu, 15 Apr 2021 10:05:56 +0200
Subject: [PATCH] hainich/nginx: disable interest cohort globally

---
 hosts/hainich/services/nginx.nix | 45 ++++++++++++++++++--------------
 1 file changed, 25 insertions(+), 20 deletions(-)

diff --git a/hosts/hainich/services/nginx.nix b/hosts/hainich/services/nginx.nix
index 6e2879b..98d0c58 100644
--- a/hosts/hainich/services/nginx.nix
+++ b/hosts/hainich/services/nginx.nix
@@ -25,27 +25,32 @@
   };
 
   networking.firewall.allowedTCPPorts = [ 1935 ];
-  services.nginx.appendConfig = ''
-  rtmp {
-    server {
-      listen 1935;
-      application cutiestream {
-        live on;
-        allow publish all;
-        allow play all;
+  services.nginx = {
+    appendHttpConfig = ''
+      add_header Permissions-Policy "interest-cohort=()";
+    '';
+    appendConfig = ''
+      rtmp {
+        server {
+          listen 1935;
+          application cutiestream {
+            live on;
+            allow publish all;
+            allow play all;
+          }
+          application ingest {
+            live on;
+    
+            record all;
+            record_path /data/ingest;
+            record_unique on;
+    
+    #        include /var/secrets/ingest.conf;
+          }
+        }
       }
-      application ingest {
-        live on;
-
-        record all;
-        record_path /data/ingest;
-        record_unique on;
-
-#        include /var/secrets/ingest.conf;
-      }
-    }
-  }
-  '';
+    '';
+  };
 
   systemd.services.nginx.serviceConfig.ReadWriteDirectories = "/data/ingest /var/secrets";
 }