From e79b8de1758f8409ebeaa9d35d0b3b7bd4a1c267 Mon Sep 17 00:00:00 2001 From: Sheppy Date: Sat, 21 Mar 2026 22:26:58 +0000 Subject: [PATCH] feat: support multi stream map & better errors --- nginx.py | 10 ++++++++++ templates/nginx_stream_ssl_map.conf.j2 | 6 ++++++ 2 files changed, 16 insertions(+) diff --git a/nginx.py b/nginx.py index 171bd1b..de7226a 100644 --- a/nginx.py +++ b/nginx.py @@ -34,8 +34,10 @@ def dump_config(vmList, masterAddress): for vmo in vmList: relevant_subdomains = filter(lambda x: x.get("no-terminate-ssl"), vmo.subdomains) for s in relevant_subdomains: + # print(s, "ssl_target_port", s.get("ssl_target_port")) # build the map contents # + if s.get("include-subdomains"): match = "~.*{}".format(s.get("name")) else: @@ -44,6 +46,14 @@ def dump_config(vmList, masterAddress): geo_restriction = s.get("network-restriction") if geo_restriction: network_restrictions.update({ match: geo_restriction }) + with open("templates/nginx_stream_ssl_map.conf.j2") as test: + test_string = f"geo ${geo_restriction}" + if test_string not in test.read(): + msg = f"{test_string} not defined in stream map." + msg += "\nYou need to define it in " + msg += "'templates/nginx_stream_ssl_map.conf.j2' first.\n" + msg += "See geo \"$priviledged_networks {{...}}\" as an example" + raise ValueError(msg) ssl_target_port = s.get("ssl_target_port") or 443 diff --git a/templates/nginx_stream_ssl_map.conf.j2 b/templates/nginx_stream_ssl_map.conf.j2 index af1d604..009e3d8 100644 --- a/templates/nginx_stream_ssl_map.conf.j2 +++ b/templates/nginx_stream_ssl_map.conf.j2 
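Review bot: The added check `if test_string not in test.read():` is a plain substring test, so a `network-restriction` value that is only a prefix of a defined geo name, or that appears only in a comment, passes. The value itself is never constrained, even though the template in this commit writes it out unquoted as `${{ selected_network}};`. Validate the name before using it, e.g. `if not (geo_restriction.isascii() and geo_restriction.isidentifier()): raise ValueError(...)`, and match the declaration exactly with something like `re.search(rf"geo\s+\${geo_restriction}\s*\{{", template_text)`, which needs `re` imported in this module. The template is also reopened for every restricted subdomain through a path relative to the working directory, so reading it once before the loop would be cheaper and less fragile. The last `msg +=` line is not an f-string, so its doubled braces show up literally as `{{...}}` in the error text; dump_config starts and ends outside the hunk.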
@@ -32,10 +32,16 @@ map $block_connection $proxy_target { map $ssl_preread_server_name $is_restricted { default 0; + {% for pattern, selected_network in network_restrictions.items() %} + {{ pattern }} 1; + {% endfor %} ~^immich-ml\.services\.atlantishq\.de$ 1; } map $ssl_preread_server_name $selected_network { + {% for pattern, selected_network in network_restrictions.items() %} + {{ pattern }} ${{ selected_network}}; + {% endfor %} ~^immich-ml\.services\.atlantishq\.de$ $priviledged_networks; }
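Review bot: In the `$selected_network` map the generated `{{ pattern }}` entries are emitted above the hand-written `~^immich-ml\.services\.atlantishq\.de$` line, and nginx takes the first matching regular expression in order of appearance, so a broad generated pattern can win over the fixed `$priviledged_networks` entry. The include-subdomains branch in nginx.py builds `~.*{}` with no `$` anchor and unescaped dots, so a pattern from that branch matches more server names than the configured one and makes such shadowing likely. Consider keeping the fixed entries above the `{% for %}` loops and having nginx.py emit anchored, escaped patterns. In the `$is_restricted` loop `selected_network` is unused, so `{% for pattern in network_restrictions %}` is enough. The rest of the template is outside the hunk, so how `$selected_network` behaves with no `default` entry could not be checked here.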