plex: port to new options
This commit is contained in:
parent
8cde2f28fb
commit
559d02720b
@ -1,11 +1,8 @@
|
||||
{ pkgs, config, lib, ... }:
|
||||
{ pkgs, config, ... }:
|
||||
|
||||
let
|
||||
domain = "plex.giugl.io";
|
||||
domain = "media.giugl.io";
|
||||
port = 32400;
|
||||
|
||||
utilities = import ./utilities.nix { inherit lib config; };
|
||||
inherit (utilities) architectInterfaceAddress;
|
||||
in
|
||||
{
|
||||
architect.firewall = {
|
||||
@ -16,30 +13,25 @@ in
|
||||
services.plex = {
|
||||
enable = true;
|
||||
package = pkgs.unstablePkgs.plex;
|
||||
# dataDir = "/plex";
|
||||
dataDir = "/plex";
|
||||
};
|
||||
|
||||
architect.vhost.${domain} = with config.architect.networks; {
|
||||
dnsInterfaces = [ "lan" "wireguard" "tailscale" ];
|
||||
locations = {
|
||||
"/" = {
|
||||
inherit port;
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
# give a name to the virtual host. It also becomes the server name.
|
||||
virtualHosts.${domain} = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
http2 = true;
|
||||
proxyWebsockets = true;
|
||||
# allowLan = true;
|
||||
# allow = [
|
||||
# wireguard.net
|
||||
# tailscale.net
|
||||
# ];
|
||||
extraConfig = ''
|
||||
#Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
|
||||
send_timeout 100m;
|
||||
|
||||
# Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_prefer_server_ciphers on;
|
||||
#Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384.
|
||||
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
|
||||
|
||||
# Forward real ip and host to Plex
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
@ -74,27 +66,15 @@ in
|
||||
proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
|
||||
proxy_set_header X-Plex-Model $http_x_plex_model;
|
||||
|
||||
# Websockets
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
|
||||
# Buffering off send to the client as soon as the data is received from Plex.
|
||||
proxy_redirect off;
|
||||
proxy_buffering off;
|
||||
|
||||
add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
|
||||
'';
|
||||
locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; };
|
||||
};
|
||||
};
|
||||
|
||||
networking.extraHosts = ''
|
||||
${architectInterfaceAddress "lan"} ${domain}
|
||||
${architectInterfaceAddress "wireguard"} ${domain}
|
||||
${architectInterfaceAddress "tailscale"} ${domain}
|
||||
'';
|
||||
};
|
||||
|
||||
users.groups.media.members = [ "plex" ];
|
||||
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user