cofractal-ams01/plex: give it a hostname and a TLS cert to match

This commit is contained in:
Luke Granger-Brown 2023-10-13 20:44:20 +00:00
parent ac0d2c58ed
commit 80154c5673
2 changed files with 80 additions and 12 deletions

View file

@ -35,7 +35,19 @@ let
_apply = f: builtins.mapAttrs (name: value: lib.recursiveUpdate hostBase (f value)); _apply = f: builtins.mapAttrs (name: value: lib.recursiveUpdate hostBase (f value));
}; };
}; };
vhosts = vhostsConfig.int.proxy // vhostsConfig.int.serve // vhostsConfig.int.other; vhosts = vhostsConfig.int.proxy // vhostsConfig.int.serve // vhostsConfig.int.other // {
"https://plex.lukegb.xyz" = {
extraConfig = ''
tls /var/lib/acme/plex.lukegb.xyz/fullchain.pem /var/lib/acme/plex.lukegb.xyz/privkey.pem
redir https://plex.lukegb.xyz:32400{uri}
'';
};
"http://plex.lukegb.xyz" = {
extraConfig = ''
redir https://plex.lukegb.xyz:32400{uri}
'';
};
};
hostBase = { hostBase = {
extraConfig = '' extraConfig = ''
${bind} ${bind}
@ -55,6 +67,12 @@ in
../lib/plex.nix ../lib/plex.nix
]; ];
my.plex.customTLS = {
enable = true;
domain = "plex.lukegb.xyz";
};
users.users.caddy.extraGroups = lib.mkAfter [ "plexcert" ];
# Otherwise _this_ machine won't enumerate things properly. # Otherwise _this_ machine won't enumerate things properly.
boot.zfs.devNodes = "/dev/disk/by-id"; boot.zfs.devNodes = "/dev/disk/by-id";
@ -146,10 +164,13 @@ in
firewall.interfaces.bond0.allowedTCPPorts = [ firewall.interfaces.bond0.allowedTCPPorts = [
32400 # Plex 32400 # Plex
4001 # IPFS 4001 # IPFS
80 # HTTP
443 # HTTPS
]; ];
firewall.interfaces.bond0.allowedUDPPorts = [ firewall.interfaces.bond0.allowedUDPPorts = [
34197 # factorio 34197 # factorio
4001 # IPFS 4001 # IPFS
443 # HTTP/3
]; ];
}; };
systemd.network.networks."40-bond0".linkConfig.RequiredForOnline = "yes"; systemd.network.networks."40-bond0".linkConfig.RequiredForOnline = "yes";

View file

@ -2,12 +2,25 @@
# #
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
{ depot, ... }: { depot, config, pkgs, lib, ... }:
{ let
cfg = config.my.plex;
in {
imports = [ imports = [
./content.nix ./content.nix
]; ];
options.my.plex = {
customTLS = {
enable = lib.mkEnableOption "plex TLS issuance";
domain = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
};
};
};
config = lib.mkMerge [{
users.users.plex.extraGroups = [ "content" ]; users.users.plex.extraGroups = [ "content" ];
services.plex = { services.plex = {
@ -16,4 +29,38 @@
openFirewall = true; openFirewall = true;
package = depot.nix.pkgs.plex-pass; package = depot.nix.pkgs.plex-pass;
}; };
} (lib.mkIf (cfg.customTLS.enable) {
users.groups.plexcert = {};
users.users.plex.extraGroups = lib.mkAfter [ "plexcert" ];
my.vault.acmeCertificates."${cfg.customTLS.domain}" = {
group = "plexcert";
hostnames = [ cfg.customTLS.domain ];
reloadOrRestartUnits = [ "plex.service" ];
};
systemd.services.plex.serviceConfig.ExecStartPre = let
certPath = "/var/lib/acme/${cfg.customTLS.domain}";
preStartScriptMkData = pkgs.writeScript "plex-pre-start-acme" ''
#!${pkgs.bash}/bin/bash
# From https://github.com/NixOS/nixpkgs/blob/ef176dcf7e76c3639571d7c6051246c8fbadf12a/nixos/modules/services/misc/plex.nix#L123-L131
# Create data directory if it doesn't exist
if ! test -d "$PLEX_DATADIR"; then
echo "Creating initial Plex data directory in: $PLEX_DATADIR"
install -d -m 0755 -o "${config.services.plex.user}" -g "${config.services.plex.group}" "$PLEX_DATADIR"
fi
'';
preStartScriptP12 = pkgs.writeScript "plex-copy-cert-to-p12" ''
#!${pkgs.bash}/bin/bash
umask 0077
"${pkgs.openssl}/bin/openssl" pkcs12 -export \
-out "${config.services.plex.dataDir}/cert.p12" \
-in "${certPath}/fullchain.pem" \
-inkey "${certPath}/privkey.pem" \
-certfile "${certPath}/chain.pem" \
-passout pass:password
'';
in lib.mkForce [ "!${preStartScriptMkData}" "${preStartScriptP12}" ];
})];
} }