flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1687647567,
+        "lastModified": 1685599623,
-        "narHash": "sha256-Ua90LZYJO7/7KW/KK/AqijhIekd+wxPwbVKXuBYzJeQ=",
+        "narHash": "sha256-Tob4CMOVHue0D3RzguDBCtUmX5ji2PsdbQDbIOIKvsc=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "6ca1e16eb3016c94b7ac16699e1d4158bd4e39a4",
+        "rev": "93db05480c0c0f30382d3e80779e8386dcb4f9dd",
         "type": "github"
       },
       "original": {
@@ -23,11 +23,11 @@
     },
     "nixos-unstable": {
       "locked": {
-        "lastModified": 1687681650,
+        "lastModified": 1686226982,
-        "narHash": "sha256-M2If+gRcfpmaJy/XbfSsRzLlPpoU4nr0NHnKKl50fd8=",
+        "narHash": "sha256-nLuiPoeiVfqqzeq9rmXxpybh77VS37dsY/k8N2LoxVg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1c9db9710cb23d60570ad4d7ab829c2d34403de3",
+        "rev": "a64b73e07d4aa65cfcbda29ecf78eaf9e72e44bd",
         "type": "github"
       },
       "original": {
@@ -39,11 +39,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1687787337,
+        "lastModified": 1686353867,
-        "narHash": "sha256-+OROprXvGAeFG8oHogwCR2E/PmWE4d6CSoTyGw0CQhw=",
+        "narHash": "sha256-M6fe0+CiZTagmr2KM1pEaB+wwlSC+FY7nTJ4FGRctsw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "09798f0dd4c11b431765275893d9d395c1e203b8",
+        "rev": "bdbe3803330045c7b3f84b9df6ab7f8471d909ec",
         "type": "github"
       },
       "original": {

hosts/architect/default.nix

@@ -33,7 +33,7 @@ in
     ./invidious.nix
     #    ./lidarr.nix
     #    ./navidrome.nix
-    # ./jellyfin.nix
+    ./jellyfin.nix
     ./prosody.nix
     ./deluge.nix
     #./calibre.nix
@@ -42,7 +42,7 @@ in
     #    ./runas.nix
     ./tailscale.nix
     #    ./searx.nix
-    ./plex.nix
+    #./plex.nix
     ./headscale.nix
   ];
 

hosts/architect/nextcloud.nix

@@ -18,16 +18,6 @@ in
     nginx.virtualHosts.${domain} = {
       forceSSL = true;
       enableACME = true;
-      extraConfig = ''
-        aio threads;
-        directio 1M;
-        output_buffers 3 1M;
-
-        sendfile on;
-        sendfile_max_chunk 0;
-
-        autoindex on;
-      '';
     };
 
     mysql = {
@@ -47,7 +37,7 @@ in
       enable = true;
       hostName = domain;
       https = true;
-      package = pkgs.unstablePkgs.nextcloud27;
+      package = pkgs.unstablePkgs.nextcloud26;
       datadir = "/services/nextcloud";
       configureRedis = true;
       caching = {

hosts/architect/options.nix

@@ -108,11 +108,6 @@ in
                   description = "IP address or CIDR block to allow.";
                 };
 
-                path = mkOption {
-                  type = types.str;
-                  default = "";
-                };
-
                 deny = mkOption {
                   type = types.listOf types.str;
                   default = [ ];
@@ -137,7 +132,7 @@ in
         enableACME = true;
         locations = mapAttrs
           (path: location: {
-            proxyPass = "http://${location.host}:${toString location.port}${location.path}";
+            proxyPass = "http://${location.host}:${toString location.port}";
             proxyWebsockets = location.proxyWebsockets;
             extraConfig = ''
               ${optionalString location.allowLan "deny 10.0.0.1;"}

hosts/architect/plex.nix

@@ -1,8 +1,11 @@
-{ pkgs, config, ... }:
+{ pkgs, config, lib, ... }:
 
 let
-  domain = "media.giugl.io";
+  domain = "plex.giugl.io";
   port = 32400;
+  
+  utilities = import ./utilities.nix { inherit lib config; };
+  inherit (utilities) architectInterfaceAddress;
 in
 {
   architect.firewall = {
@@ -13,68 +16,85 @@ in
   services.plex = {
     enable = true;
     package = pkgs.unstablePkgs.plex;
-    dataDir = "/plex";
+    #    dataDir = "/plex";
   };
 
-  architect.vhost.${domain} = with config.architect.networks; {
-    dnsInterfaces = [ "lan" "wireguard" "tailscale" ];
-    locations = {
-      "/" = {
-        inherit port;
 
-        proxyWebsockets = true;
+  services.nginx = {
-        # allowLan = true;        
+    enable = true;
-        # allow = [
+    # give a name to the virtual host. It also becomes the server name.
-        #   wireguard.net
+    virtualHosts.${domain} = {
-        #   tailscale.net
+      forceSSL = true;
-        # ];
+      enableACME = true;
-        extraConfig = ''
+      http2 = true;
-          #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
+      extraConfig = ''
-            send_timeout 100m;
+        #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
+          send_timeout 100m;
 
-          # Forward real ip and host to Plex
+        # Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/
-            proxy_set_header X-Real-IP $remote_addr;
+          ssl_stapling on;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          ssl_stapling_verify on;
-            proxy_set_header X-Forwarded-Proto $scheme;
-            proxy_set_header Host $server_addr;
-            proxy_set_header Referer $server_addr;
-            proxy_set_header Origin $server_addr; 
 
-          # Plex has A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off.
+          ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-            gzip on;
+          ssl_prefer_server_ciphers on;
-            gzip_vary on;
+        #Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384.
-            gzip_min_length 1000;
+          ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
-            gzip_proxied any;
-            gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
-            gzip_disable "MSIE [1-6]\.";
 
-          # Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones.
+        # Forward real ip and host to Plex
-          # Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more
+          proxy_set_header X-Real-IP $remote_addr;
-            client_max_body_size 100M;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Proto $scheme;
+          proxy_set_header Host $server_addr;
+          proxy_set_header Referer $server_addr;
+          proxy_set_header Origin $server_addr; 
 
-          # Plex headers
+        # Plex has A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off.
-            proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
+          gzip on;
-            proxy_set_header X-Plex-Device $http_x_plex_device;
+          gzip_vary on;
-            proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
+          gzip_min_length 1000;
-            proxy_set_header X-Plex-Platform $http_x_plex_platform;
+          gzip_proxied any;
-            proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
+          gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
-            proxy_set_header X-Plex-Product $http_x_plex_product;
+          gzip_disable "MSIE [1-6]\.";
-            proxy_set_header X-Plex-Token $http_x_plex_token;
-            proxy_set_header X-Plex-Version $http_x_plex_version;
-            proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
-            proxy_set_header X-Plex-Provides $http_x_plex_provides;
-            proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
-            proxy_set_header X-Plex-Model $http_x_plex_model;
 
-          # Buffering off send to the client as soon as the data is received from Plex.
+        # Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones.
-            proxy_redirect off;
+        # Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more
-            proxy_buffering off;
+          client_max_body_size 100M;
 
-            add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
+        # Plex headers
-        '';
+          proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
-      };
+          proxy_set_header X-Plex-Device $http_x_plex_device;
+          proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
+          proxy_set_header X-Plex-Platform $http_x_plex_platform;
+          proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
+          proxy_set_header X-Plex-Product $http_x_plex_product;
+          proxy_set_header X-Plex-Token $http_x_plex_token;
+          proxy_set_header X-Plex-Version $http_x_plex_version;
+          proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
+          proxy_set_header X-Plex-Provides $http_x_plex_provides;
+          proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
+          proxy_set_header X-Plex-Model $http_x_plex_model;
+
+        # Websockets
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "upgrade";
+
+        # Buffering off send to the client as soon as the data is received from Plex.
+          proxy_redirect off;
+          proxy_buffering off;
+
+          add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
+      '';
+      locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; };
     };
   };
   
+  networking.extraHosts = ''
+    ${architectInterfaceAddress "lan"} ${domain}
+    ${architectInterfaceAddress "wireguard"} ${domain}
+    ${architectInterfaceAddress "tailscale"} ${domain}
+  '';
+
   users.groups.media.members = [ "plex" ];
+
 }