cofractal-ams01/plex: give it a hostname and a TLS cert to match
This commit is contained in:
parent
ac0d2c58ed
commit
80154c5673
2 changed files with 80 additions and 12 deletions
@ -35,7 +35,19 @@ let
_apply = f: builtins.mapAttrs (name: value: lib.recursiveUpdate hostBase (f value));
_apply = f: builtins.mapAttrs (name: value: lib.recursiveUpdate hostBase (f value));
};
};
};
};
vhosts = vhostsConfig.int.proxy // vhostsConfig.int.serve // vhostsConfig.int.other;
vhosts = vhostsConfig.int.proxy // vhostsConfig.int.serve // vhostsConfig.int.other // {
"https://plex.lukegb.xyz" = {
extraConfig = ''
tls /var/lib/acme/plex.lukegb.xyz/fullchain.pem /var/lib/acme/plex.lukegb.xyz/privkey.pem
redir https://plex.lukegb.xyz:32400{uri}
'';
};
"http://plex.lukegb.xyz" = {
extraConfig = ''
redir https://plex.lukegb.xyz:32400{uri}
'';
};
};
hostBase = {
hostBase = {
extraConfig = ''
extraConfig = ''
${bind}
${bind}
@ -55,6 +67,12 @@ in
../lib/plex.nix
../lib/plex.nix
];
];
my.plex.customTLS = {
enable = true;
domain = "plex.lukegb.xyz";
};
users.users.caddy.extraGroups = lib.mkAfter [ "plexcert" ];
# Otherwise _this_ machine won't enumerate things properly.
# Otherwise _this_ machine won't enumerate things properly.
boot.zfs.devNodes = "/dev/disk/by-id";
boot.zfs.devNodes = "/dev/disk/by-id";
@ -146,10 +164,13 @@ in
firewall.interfaces.bond0.allowedTCPPorts = [
firewall.interfaces.bond0.allowedTCPPorts = [
32400 # Plex
32400 # Plex
4001 # IPFS
4001 # IPFS
80 # HTTP
443 # HTTPS
];
];
firewall.interfaces.bond0.allowedUDPPorts = [
firewall.interfaces.bond0.allowedUDPPorts = [
34197 # factorio
34197 # factorio
4001 # IPFS
4001 # IPFS
443 # HTTP/3
];
];
};
};
systemd.network.networks."40-bond0".linkConfig.RequiredForOnline = "yes";
systemd.network.networks."40-bond0".linkConfig.RequiredForOnline = "yes";
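Review bot: The `tls /var/lib/acme/plex.lukegb.xyz/fullchain.pem ...privkey.pem` line in the `https://plex.lukegb.xyz` vhost makes Caddy load the certificate files itself, but the only renewal hook on this page is `reloadOrRestartUnits = [ "plex.service" ];` in lib/plex.nix, so once the certificate rotates Caddy would keep serving the stale chain until it is restarted (as far as I know Caddy does not watch manually loaded cert files). If the acmeCertificates option merges lists, the host could add `my.vault.acmeCertificates."plex.lukegb.xyz".reloadOrRestartUnits = [ "caddy.service" ];` next to the `users.users.caddy.extraGroups` line. The hostname, both cert paths and both `redir` targets also spell out `plex.lukegb.xyz` literally while `my.plex.customTLS.domain` declares it once; deriving them from `config.my.plex.customTLS.domain` (if `config` is in scope of this `let`, whose head starts outside the hunk) would keep the Caddy paths from silently pointing at a missing cert if the option ever changes.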
@ -2,12 +2,25 @@
#
#
# SPDX-License-Identifier: Apache-2.0
# SPDX-License-Identifier: Apache-2.0
{ depot, ... }:
{ depot, config, pkgs, lib, ... }:
{
let
cfg = config.my.plex;
in {
imports = [
imports = [
./content.nix
./content.nix
];
];
options.my.plex = {
customTLS = {
enable = lib.mkEnableOption "plex TLS issuance";
domain = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
};
};
};
config = lib.mkMerge [{
users.users.plex.extraGroups = [ "content" ];
users.users.plex.extraGroups = [ "content" ];
services.plex = {
services.plex = {
@ -16,4 +29,38 @@
openFirewall = true;
openFirewall = true;
package = depot.nix.pkgs.plex-pass;
package = depot.nix.pkgs.plex-pass;
};
};
} (lib.mkIf (cfg.customTLS.enable) {
users.groups.plexcert = {};
users.users.plex.extraGroups = lib.mkAfter [ "plexcert" ];
my.vault.acmeCertificates."${cfg.customTLS.domain}" = {
group = "plexcert";
hostnames = [ cfg.customTLS.domain ];
reloadOrRestartUnits = [ "plex.service" ];
};
systemd.services.plex.serviceConfig.ExecStartPre = let
certPath = "/var/lib/acme/${cfg.customTLS.domain}";
preStartScriptMkData = pkgs.writeScript "plex-pre-start-acme" ''
#!${pkgs.bash}/bin/bash
# From https://github.com/NixOS/nixpkgs/blob/ef176dcf7e76c3639571d7c6051246c8fbadf12a/nixos/modules/services/misc/plex.nix#L123-L131
# Create data directory if it doesn't exist
if ! test -d "$PLEX_DATADIR"; then
echo "Creating initial Plex data directory in: $PLEX_DATADIR"
install -d -m 0755 -o "${config.services.plex.user}" -g "${config.services.plex.group}" "$PLEX_DATADIR"
fi
'';
preStartScriptP12 = pkgs.writeScript "plex-copy-cert-to-p12" ''
#!${pkgs.bash}/bin/bash
umask 0077
"${pkgs.openssl}/bin/openssl" pkcs12 -export \
-out "${config.services.plex.dataDir}/cert.p12" \
-in "${certPath}/fullchain.pem" \
-inkey "${certPath}/privkey.pem" \
-certfile "${certPath}/chain.pem" \
-passout pass:password
'';
in lib.mkForce [ "!${preStartScriptMkData}" "${preStartScriptP12}" ];
})];
}
}
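Review bot: `domain` is declared `lib.types.nullOr lib.types.str` with `default = null`, yet the `lib.mkIf (cfg.customTLS.enable)` block interpolates it unguarded in `my.vault.acmeCertificates."${cfg.customTLS.domain}"` and in `certPath`, so enabling customTLS without setting a domain fails with a generic string-coercion error instead of naming the option; add to that block `assertions = [ { assertion = cfg.customTLS.domain != null; message = "my.plex.customTLS.domain must be set when my.plex.customTLS.enable is true"; } ];`. In `preStartScriptP12` the PKCS#12 bundle is exported with the fixed passphrase `-passout pass:password`, which sits in the world-readable Nix store and on the openssl command line, so the private key in `cert.p12` is protected only by the file mode from `umask 0077` — worth a comment on the umask line, e.g. `# The P12 passphrase is effectively public; cert.p12 relies on its 0600 mode for protection.` Note that umask only governs newly created files: if `cert.p12` already exists with looser permissions from an earlier run, `-out` truncates it in place and keeps them, so either `rm -f` it before the export or `chmod 0600` it afterwards. Whether `${certPath}/chain.pem` is produced alongside `fullchain.pem` depends on the acmeCertificates module, which is not on this page.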