diff --git a/ops/nixos/cofractal-ams01/default.nix b/ops/nixos/cofractal-ams01/default.nix
index 3521c6f35c..845f025bd5 100644
--- a/ops/nixos/cofractal-ams01/default.nix
+++ b/ops/nixos/cofractal-ams01/default.nix
@@ -35,7 +35,19 @@ let
 _apply = f: builtins.mapAttrs (name: value: lib.recursiveUpdate hostBase (f value));
 };
 };
- vhosts = vhostsConfig.int.proxy // vhostsConfig.int.serve // vhostsConfig.int.other;
+ vhosts = vhostsConfig.int.proxy // vhostsConfig.int.serve // vhostsConfig.int.other // {
+ "https://plex.lukegb.xyz" = {
+ extraConfig = ''
+ tls /var/lib/acme/plex.lukegb.xyz/fullchain.pem /var/lib/acme/plex.lukegb.xyz/privkey.pem
+ redir https://plex.lukegb.xyz:32400{uri}
+ '';
+ };
+ "http://plex.lukegb.xyz" = {
+ extraConfig = ''
+ redir https://plex.lukegb.xyz:32400{uri}
+ '';
+ };
+ };
 hostBase = {
 extraConfig = ''
 ${bind}
@@ -55,6 +67,12 @@ in
 ../lib/plex.nix
 ];
 
+ my.plex.customTLS = {
+ enable = true;
+ domain = "plex.lukegb.xyz";
+ };
+ users.users.caddy.extraGroups = lib.mkAfter [ "plexcert" ];
+
 # Otherwise _this_ machine won't enumerate things properly.
 boot.zfs.devNodes = "/dev/disk/by-id";
 
@@ -145,11 +163,14 @@ in
 };
 firewall.interfaces.bond0.allowedTCPPorts = [
 32400 # Plex
- 4001 # IPFS
+ 4001 # IPFS
+ 80 # HTTP
+ 443 # HTTPS
 ];
 firewall.interfaces.bond0.allowedUDPPorts = [
 34197 # factorio
- 4001 # IPFS
+ 4001 # IPFS
+ 443 # HTTP/3
 ];
 };
 systemd.network.networks."40-bond0".linkConfig.RequiredForOnline = "yes";
diff --git a/ops/nixos/lib/plex.nix b/ops/nixos/lib/plex.nix
index 8dcb7a6229..ad74d99331 100644
--- a/ops/nixos/lib/plex.nix
+++ b/ops/nixos/lib/plex.nix
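Review bot: The `tls` directive and both `redir` targets hard-code `plex.lukegb.xyz` and `/var/lib/acme/plex.lukegb.xyz/...`, while the same name is given again as `my.plex.customTLS.domain` in the next hunk, and `lib/plex.nix` derives the certificate directory from that option, so changing one silently breaks the other. If `config` is in scope in this `let` (its head is outside the hunk), binding the name once, e.g. `plexDomain = config.my.plex.customTLS.domain;` and using `"https://${plexDomain}"` and `tls /var/lib/acme/${plexDomain}/fullchain.pem /var/lib/acme/${plexDomain}/privkey.pem`, removes the duplication. A short comment above the `https://` vhost saying that Caddy only terminates TLS for the redirect and that the same ACME certificate is handed to Plex by the module would explain why this host serves the name twice.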
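Review bot: `users.users.caddy.extraGroups = lib.mkAfter [ "plexcert" ]` lets Caddy read the private key that `my.plex.customTLS` requests, but the certificate's `reloadOrRestartUnits` (set in `lib/plex.nix` to `plex.service` only) never reloads Caddy, so after a renewal the `https://plex.lukegb.xyz` vhost keeps serving the old certificate until Caddy happens to restart. If `reloadOrRestartUnits` merges as a list, adding `my.vault.acmeCertificates."plex.lukegb.xyz".reloadOrRestartUnits = [ "caddy.service" ];` next to these lines covers it; otherwise Caddy needs its own reload hook tied to the certificate files. A one-line comment on the `extraGroups` line, `# caddy reads the plex ACME key for the https redirect vhost`, would record why a web server is in a certificate group.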
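Review bot: Opening 80/443 TCP and 443 UDP on bond0 exposes every vhost Caddy serves on this host, not only the two plex redirects added in the first hunk; the merged `vhostsConfig.int.proxy`/`serve`/`other` sets are outside this diff, so confirm that all of them are meant to be reachable from bond0, or give the plex vhosts a dedicated listener and open only that. The `# HTTP/3` comment on UDP 443 is only accurate while Caddy's QUIC listener is enabled; naming the consumer in the comment, e.g. `443 # HTTPS (caddy)` and `443 # HTTP/3 (caddy QUIC)`, makes later audits of this port list easier.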
@@ -2,18 +2,65 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-{ depot, ... }:
-{
+{ depot, config, pkgs, lib, ... }:
+let
+ cfg = config.my.plex;
+in {
 imports = [
 ./content.nix
 ];
 
- users.users.plex.extraGroups = [ "content" ];
-
- services.plex = {
- enable = true;
- dataDir = "/store/plex";
- openFirewall = true;
- package = depot.nix.pkgs.plex-pass;
+ options.my.plex = {
+ customTLS = {
+ enable = lib.mkEnableOption "plex TLS issuance";
+ domain = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = null;
+ };
+ };
 };
+
+ config = lib.mkMerge [{
+ users.users.plex.extraGroups = [ "content" ];
+
+ services.plex = {
+ enable = true;
+ dataDir = "/store/plex";
+ openFirewall = true;
+ package = depot.nix.pkgs.plex-pass;
+ };
+ } (lib.mkIf (cfg.customTLS.enable) {
+ users.groups.plexcert = {};
+ users.users.plex.extraGroups = lib.mkAfter [ "plexcert" ];
+ my.vault.acmeCertificates."${cfg.customTLS.domain}" = {
+ group = "plexcert";
+ hostnames = [ cfg.customTLS.domain ];
+ reloadOrRestartUnits = [ "plex.service" ];
+ };
+ systemd.services.plex.serviceConfig.ExecStartPre = let
+ certPath = "/var/lib/acme/${cfg.customTLS.domain}";
+ preStartScriptMkData = pkgs.writeScript "plex-pre-start-acme" ''
+ #!${pkgs.bash}/bin/bash
+
+ # From https://github.com/NixOS/nixpkgs/blob/ef176dcf7e76c3639571d7c6051246c8fbadf12a/nixos/modules/services/misc/plex.nix#L123-L131
+
+ # Create data directory if it doesn't exist
+ if ! test -d "$PLEX_DATADIR"; then
+ echo "Creating initial Plex data directory in: $PLEX_DATADIR"
+ install -d -m 0755 -o "${config.services.plex.user}" -g "${config.services.plex.group}" "$PLEX_DATADIR"
+ fi
+ '';
+ preStartScriptP12 = pkgs.writeScript "plex-copy-cert-to-p12" ''
+ #!${pkgs.bash}/bin/bash
+
+ umask 0077
+ "${pkgs.openssl}/bin/openssl" pkcs12 -export \
+ -out "${config.services.plex.dataDir}/cert.p12" \
+ -in "${certPath}/fullchain.pem" \
+ -inkey "${certPath}/privkey.pem" \
+ -certfile "${certPath}/chain.pem" \
+ -passout pass:password
+ '';
+ in lib.mkForce [ "!${preStartScriptMkData}" "${preStartScriptP12}" ];
+ })];
 }
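Review bot: `-passout pass:password` exports `cert.p12` under a fixed, publicly known passphrase, so the private key's only real protection is the file mode, and `umask 0077` governs only a freshly created file: an existing `cert.p12` with wider permissions is truncated in place and keeps them. Following the export with `chmod 0600 "${config.services.plex.dataDir}/cert.p12"` (or writing to a temporary file and renaming it) closes that gap, and a comment should state that Plex's custom-certificate setting is what requires a passphrase here, so the literal `password` is not mistaken for a secret. Enabling `customTLS` with `domain` left at its `null` default makes `"${cfg.customTLS.domain}"` fail with a string-interpolation error rather than a useful message; an `assertions` entry such as `{ assertion = cfg.customTLS.domain != null; message = "my.plex.customTLS.domain must be set when customTLS.enable is true"; }` inside the `mkIf` block names the problem. `lib.mkForce` replaces the whole upstream `ExecStartPre`, so the copied data-directory script must be kept in step with the nixpkgs lines the comment links, which is worth saying in that comment.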