plex: port to new options

This commit is contained in:
Giulio De Pasquale 2023-06-26 20:49:52 +02:00
parent 8cde2f28fb
commit 559d02720b

View File

@ -1,11 +1,8 @@
{ pkgs, config, lib, ... }: { pkgs, config, ... }:
let let
domain = "plex.giugl.io"; domain = "media.giugl.io";
port = 32400; port = 32400;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
architect.firewall = { architect.firewall = {
@ -16,30 +13,25 @@ in
services.plex = { services.plex = {
enable = true; enable = true;
package = pkgs.unstablePkgs.plex; package = pkgs.unstablePkgs.plex;
# dataDir = "/plex"; dataDir = "/plex";
}; };
architect.vhost.${domain} = with config.architect.networks; {
dnsInterfaces = [ "lan" "wireguard" "tailscale" ];
locations = {
"/" = {
inherit port;
services.nginx = { proxyWebsockets = true;
enable = true; # allowLan = true;
# give a name to the virtual host. It also becomes the server name. # allow = [
virtualHosts.${domain} = { # wireguard.net
forceSSL = true; # tailscale.net
enableACME = true; # ];
http2 = true;
extraConfig = '' extraConfig = ''
#Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
send_timeout 100m; send_timeout 100m;
# Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
#Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
# Forward real ip and host to Plex # Forward real ip and host to Plex
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@ -74,27 +66,15 @@ in
proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor; proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
proxy_set_header X-Plex-Model $http_x_plex_model; proxy_set_header X-Plex-Model $http_x_plex_model;
# Websockets
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Buffering off send to the client as soon as the data is received from Plex. # Buffering off send to the client as soon as the data is received from Plex.
proxy_redirect off; proxy_redirect off;
proxy_buffering off; proxy_buffering off;
add_header 'Content-Security-Policy' 'upgrade-insecure-requests'; add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
''; '';
locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; };
}; };
}; };
};
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
users.groups.media.members = [ "plex" ]; users.groups.media.members = [ "plex" ];
} }