plex: port to new options

hosts/architect/plex.nix

@@ -1,11 +1,8 @@
-{ pkgs, config, lib, ... }:
+{ pkgs, config, ... }:
 
 let
-  domain = "plex.giugl.io";
+  domain = "media.giugl.io";
   port = 32400;
-  
-  utilities = import ./utilities.nix { inherit lib config; };
-  inherit (utilities) architectInterfaceAddress;
 in
 {
   architect.firewall = {
@@ -16,30 +13,25 @@ in
   services.plex = {
     enable = true;
     package = pkgs.unstablePkgs.plex;
-    #    dataDir = "/plex";
+    dataDir = "/plex";
   };
 
+  architect.vhost.${domain} = with config.architect.networks; {
+    dnsInterfaces = [ "lan" "wireguard" "tailscale" ];
+    locations = {
+      "/" = {
+        inherit port;
 
-  services.nginx = {
-    enable = true;
-    # give a name to the virtual host. It also becomes the server name.
-    virtualHosts.${domain} = {
-      forceSSL = true;
-      enableACME = true;
-      http2 = true;
+        proxyWebsockets = true;
+        # allowLan = true;        
+        # allow = [
+        #   wireguard.net
+        #   tailscale.net
+        # ];
         extraConfig = ''
           #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
             send_timeout 100m;
 
-        # Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/
-          ssl_stapling on;
-          ssl_stapling_verify on;
-
-          ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-          ssl_prefer_server_ciphers on;
-        #Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384.
-          ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
-
           # Forward real ip and host to Plex
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -74,27 +66,15 @@ in
             proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
             proxy_set_header X-Plex-Model $http_x_plex_model;
 
-        # Websockets
-          proxy_http_version 1.1;
-          proxy_set_header Upgrade $http_upgrade;
-          proxy_set_header Connection "upgrade";
-
           # Buffering off send to the client as soon as the data is received from Plex.
             proxy_redirect off;
             proxy_buffering off;
 
             add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
         '';
-      locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; };
       };
     };
-  
-  networking.extraHosts = ''
-    ${architectInterfaceAddress "lan"} ${domain}
-    ${architectInterfaceAddress "wireguard"} ${domain}
-    ${architectInterfaceAddress "tailscale"} ${domain}
-  '';
+  };
 
   users.groups.media.members = [ "plex" ];
-
 }