5 changed files with 87 additions and 82 deletions
--- a/flake.lock
+++ b/flake.lock
@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1687647567,
-        "narHash": "sha256-Ua90LZYJO7/7KW/KK/AqijhIekd+wxPwbVKXuBYzJeQ=",
+        "lastModified": 1685599623,
+        "narHash": "sha256-Tob4CMOVHue0D3RzguDBCtUmX5ji2PsdbQDbIOIKvsc=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "6ca1e16eb3016c94b7ac16699e1d4158bd4e39a4",
+        "rev": "93db05480c0c0f30382d3e80779e8386dcb4f9dd",
        "type": "github"
      },
      "original": {
@ -23,11 +23,11 @@
    },
    "nixos-unstable": {
      "locked": {
-        "lastModified": 1687681650,
-        "narHash": "sha256-M2If+gRcfpmaJy/XbfSsRzLlPpoU4nr0NHnKKl50fd8=",
+        "lastModified": 1686226982,
+        "narHash": "sha256-nLuiPoeiVfqqzeq9rmXxpybh77VS37dsY/k8N2LoxVg=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "1c9db9710cb23d60570ad4d7ab829c2d34403de3",
+        "rev": "a64b73e07d4aa65cfcbda29ecf78eaf9e72e44bd",
        "type": "github"
      },
      "original": {
@ -39,11 +39,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1687787337,
-        "narHash": "sha256-+OROprXvGAeFG8oHogwCR2E/PmWE4d6CSoTyGw0CQhw=",
+        "lastModified": 1686353867,
+        "narHash": "sha256-M6fe0+CiZTagmr2KM1pEaB+wwlSC+FY7nTJ4FGRctsw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "09798f0dd4c11b431765275893d9d395c1e203b8",
+        "rev": "bdbe3803330045c7b3f84b9df6ab7f8471d909ec",
        "type": "github"
      },
      "original": {
--- a/hosts/architect/default.nix
+++ b/hosts/architect/default.nix
@ -33,7 +33,7 @@ in
    ./invidious.nix
    #    ./lidarr.nix
    #    ./navidrome.nix
-    # ./jellyfin.nix
+    ./jellyfin.nix
    ./prosody.nix
    ./deluge.nix
    #./calibre.nix
@ -42,7 +42,7 @@ in
    #    ./runas.nix
    ./tailscale.nix
    #    ./searx.nix
-    ./plex.nix
+    #./plex.nix
    ./headscale.nix
  ];

--- a/hosts/architect/nextcloud.nix
+++ b/hosts/architect/nextcloud.nix
@ -18,16 +18,6 @@ in
    nginx.virtualHosts.${domain} = {
      forceSSL = true;
      enableACME = true;
-      extraConfig = ''
-        aio threads;
-        directio 1M;
-        output_buffers 3 1M;
-
-        sendfile on;
-        sendfile_max_chunk 0;
-
-        autoindex on;
-      '';
    };

    mysql = {
@ -47,7 +37,7 @@ in
      enable = true;
      hostName = domain;
      https = true;
-      package = pkgs.unstablePkgs.nextcloud27;
+      package = pkgs.unstablePkgs.nextcloud26;
      datadir = "/services/nextcloud";
      configureRedis = true;
      caching = {
--- a/hosts/architect/options.nix
+++ b/hosts/architect/options.nix
@ -108,11 +108,6 @@ in
                  description = "IP address or CIDR block to allow.";
                };

-                path = mkOption {
-                  type = types.str;
-                  default = "";
-                };
-
                deny = mkOption {
                  type = types.listOf types.str;
                  default = [ ];
@ -137,7 +132,7 @@ in
        enableACME = true;
        locations = mapAttrs
          (path: location: {
-            proxyPass = "http://${location.host}:${toString location.port}${location.path}";
+            proxyPass = "http://${location.host}:${toString location.port}";
            proxyWebsockets = location.proxyWebsockets;
            extraConfig = ''
              ${optionalString location.allowLan "deny 10.0.0.1;"}
--- a/hosts/architect/plex.nix
+++ b/hosts/architect/plex.nix
@ -1,8 +1,11 @@
-{ pkgs, config, ... }:
+{ pkgs, config, lib, ... }:

 let
-  domain = "media.giugl.io";
+  domain = "plex.giugl.io";
  port = 32400;
+  
+  utilities = import ./utilities.nix { inherit lib config; };
+  inherit (utilities) architectInterfaceAddress;
 in
 {
  architect.firewall = {
@ -13,25 +16,30 @@ in
  services.plex = {
    enable = true;
    package = pkgs.unstablePkgs.plex;
-    dataDir = "/plex";
+    #    dataDir = "/plex";
  };

-  architect.vhost.${domain} = with config.architect.networks; {
-    dnsInterfaces = [ "lan" "wireguard" "tailscale" ];
-    locations = {
-      "/" = {
-        inherit port;

-        proxyWebsockets = true;
-        # allowLan = true;        
-        # allow = [
-        #   wireguard.net
-        #   tailscale.net
-        # ];
+  services.nginx = {
+    enable = true;
+    # give a name to the virtual host. It also becomes the server name.
+    virtualHosts.${domain} = {
+      forceSSL = true;
+      enableACME = true;
+      http2 = true;
      extraConfig = ''
        #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
          send_timeout 100m;

+        # Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/
+          ssl_stapling on;
+          ssl_stapling_verify on;
+
+          ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+          ssl_prefer_server_ciphers on;
+        #Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384.
+          ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+
        # Forward real ip and host to Plex
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@ -66,15 +74,27 @@ in
          proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
          proxy_set_header X-Plex-Model $http_x_plex_model;

+        # Websockets
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "upgrade";
+
        # Buffering off send to the client as soon as the data is received from Plex.
          proxy_redirect off;
          proxy_buffering off;

          add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
      '';
-      };
+      locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; };
    };
  };
  
+  networking.extraHosts = ''
+    ${architectInterfaceAddress "lan"} ${domain}
+    ${architectInterfaceAddress "wireguard"} ${domain}
+    ${architectInterfaceAddress "tailscale"} ${domain}
+  '';
+
  users.groups.media.members = [ "plex" ];
+
 }