plex: port to new options

2023-06-26 20:49:52 +02:00 · 2023-06-26 20:49:52 +02:00 · 559d02720b
commit 559d02720b
parent 8cde2f28fb
1 changed files with 53 additions and 73 deletions
--- a/hosts/architect/plex.nix
+++ b/hosts/architect/plex.nix
@ -1,11 +1,8 @@
-{ pkgs, config, lib, ... }:
+{ pkgs, config, ... }:
 let
-  domain = "plex.giugl.io";
+  domain = "media.giugl.io";
  port = 32400;
  utilities = import ./utilities.nix { inherit lib config; };
  inherit (utilities) architectInterfaceAddress;
 in
 {
  architect.firewall = {
@ -16,85 +13,68 @@ in
  services.plex = {
    enable = true;
    package = pkgs.unstablePkgs.plex;
-    #    dataDir = "/plex";
+    dataDir = "/plex";
  };
  architect.vhost.${domain} = with config.architect.networks; {
    dnsInterfaces = [ "lan" "wireguard" "tailscale" ];
    locations = {
      "/" = {
        inherit port;
-  services.nginx = {
+        proxyWebsockets = true;
-    enable = true;
+        # allowLan = true;        
-    # give a name to the virtual host. It also becomes the server name.
+        # allow = [
-    virtualHosts.${domain} = {
+        #   wireguard.net
-      forceSSL = true;
+        #   tailscale.net
-      enableACME = true;
+        # ];
-      http2 = true;
+        extraConfig = ''
-      extraConfig = ''
+          #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
-        #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
+            send_timeout 100m;
          send_timeout 100m;
-        # Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/
+          # Forward real ip and host to Plex
-          ssl_stapling on;
+            proxy_set_header X-Real-IP $remote_addr;
-          ssl_stapling_verify on;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $server_addr;
            proxy_set_header Referer $server_addr;
            proxy_set_header Origin $server_addr; 
-          ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+          # Plex has A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off.
-          ssl_prefer_server_ciphers on;
+            gzip on;
-        #Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384.
+            gzip_vary on;
-          ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+            gzip_min_length 1000;
            gzip_proxied any;
            gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
            gzip_disable "MSIE [1-6]\.";
-        # Forward real ip and host to Plex
+          # Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones.
-          proxy_set_header X-Real-IP $remote_addr;
+          # Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more
-          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            client_max_body_size 100M;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header Host $server_addr;
          proxy_set_header Referer $server_addr;
          proxy_set_header Origin $server_addr; 
-        # Plex has A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off.
+          # Plex headers
-          gzip on;
+            proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
-          gzip_vary on;
+            proxy_set_header X-Plex-Device $http_x_plex_device;
-          gzip_min_length 1000;
+            proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
-          gzip_proxied any;
+            proxy_set_header X-Plex-Platform $http_x_plex_platform;
-          gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
+            proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
-          gzip_disable "MSIE [1-6]\.";
+            proxy_set_header X-Plex-Product $http_x_plex_product;
            proxy_set_header X-Plex-Token $http_x_plex_token;
            proxy_set_header X-Plex-Version $http_x_plex_version;
            proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
            proxy_set_header X-Plex-Provides $http_x_plex_provides;
            proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
            proxy_set_header X-Plex-Model $http_x_plex_model;
-        # Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones.
+          # Buffering off send to the client as soon as the data is received from Plex.
-        # Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more
+            proxy_redirect off;
-          client_max_body_size 100M;
+            proxy_buffering off;
-        # Plex headers
+            add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
-          proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
+        '';
-          proxy_set_header X-Plex-Device $http_x_plex_device;
+      };
          proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
          proxy_set_header X-Plex-Platform $http_x_plex_platform;
          proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
          proxy_set_header X-Plex-Product $http_x_plex_product;
          proxy_set_header X-Plex-Token $http_x_plex_token;
          proxy_set_header X-Plex-Version $http_x_plex_version;
          proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
          proxy_set_header X-Plex-Provides $http_x_plex_provides;
          proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
          proxy_set_header X-Plex-Model $http_x_plex_model;
        # Websockets
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
        # Buffering off send to the client as soon as the data is received from Plex.
          proxy_redirect off;
          proxy_buffering off;
          add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
      '';
      locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; };
    };
  };
  networking.extraHosts = ''
    ${architectInterfaceAddress "lan"} ${domain}
    ${architectInterfaceAddress "wireguard"} ${domain}
    ${architectInterfaceAddress "tailscale"} ${domain}
  '';
  users.groups.media.members = [ "plex" ];
 }