cofractal-ams01/plex: give it a hostname and a TLS cert to match

ops/nixos/cofractal-ams01/default.nix

@@ -35,7 +35,19 @@ let
       _apply = f: builtins.mapAttrs (name: value: lib.recursiveUpdate hostBase (f value));
     };
   };
-  vhosts = vhostsConfig.int.proxy // vhostsConfig.int.serve // vhostsConfig.int.other;
+  vhosts = vhostsConfig.int.proxy // vhostsConfig.int.serve // vhostsConfig.int.other // {
+    "https://plex.lukegb.xyz" = {
+      extraConfig = ''
+        tls /var/lib/acme/plex.lukegb.xyz/fullchain.pem /var/lib/acme/plex.lukegb.xyz/privkey.pem
+        redir https://plex.lukegb.xyz:32400{uri}
+      '';
+    };
+    "http://plex.lukegb.xyz" = {
+      extraConfig = ''
+        redir https://plex.lukegb.xyz:32400{uri}
+      '';
+    };
+  };
   hostBase = {
     extraConfig = ''
       ${bind}
@@ -55,6 +67,12 @@ in
     ../lib/plex.nix
   ];
 
+  my.plex.customTLS = {
+    enable = true;
+    domain = "plex.lukegb.xyz";
+  };
+  users.users.caddy.extraGroups = lib.mkAfter [ "plexcert" ];
+
   # Otherwise _this_ machine won't enumerate things properly.
   boot.zfs.devNodes = "/dev/disk/by-id";
 
@@ -146,10 +164,13 @@ in
     firewall.interfaces.bond0.allowedTCPPorts = [
       32400  # Plex
       4001   # IPFS
+      80     # HTTP
+      443    # HTTPS
     ];
     firewall.interfaces.bond0.allowedUDPPorts = [
       34197  # factorio
       4001   # IPFS
+      443    # HTTP/3
     ];
   };
   systemd.network.networks."40-bond0".linkConfig.RequiredForOnline = "yes";

ops/nixos/lib/plex.nix

@@ -2,12 +2,25 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-{ depot, ... }:
-{
+{ depot, config, pkgs, lib, ... }:
+let
+  cfg = config.my.plex;
+in {
   imports = [
     ./content.nix
   ];
 
+  options.my.plex = {
+    customTLS = {
+      enable = lib.mkEnableOption "plex TLS issuance";
+      domain = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+      };
+    };
+  };
+
+  config = lib.mkMerge [{
     users.users.plex.extraGroups = [ "content" ];
 
     services.plex = {
@@ -16,4 +29,38 @@
       openFirewall = true;
       package = depot.nix.pkgs.plex-pass;
     };
+  } (lib.mkIf (cfg.customTLS.enable) {
+    users.groups.plexcert = {};
+    users.users.plex.extraGroups = lib.mkAfter [ "plexcert" ];
+    my.vault.acmeCertificates."${cfg.customTLS.domain}" = {
+      group = "plexcert";
+      hostnames = [ cfg.customTLS.domain ];
+      reloadOrRestartUnits = [ "plex.service" ];
+    };
+    systemd.services.plex.serviceConfig.ExecStartPre = let
+      certPath = "/var/lib/acme/${cfg.customTLS.domain}";
+      preStartScriptMkData = pkgs.writeScript "plex-pre-start-acme" ''
+        #!${pkgs.bash}/bin/bash
+
+        # From https://github.com/NixOS/nixpkgs/blob/ef176dcf7e76c3639571d7c6051246c8fbadf12a/nixos/modules/services/misc/plex.nix#L123-L131
+
+        # Create data directory if it doesn't exist
+        if ! test -d "$PLEX_DATADIR"; then
+          echo "Creating initial Plex data directory in: $PLEX_DATADIR"
+          install -d -m 0755 -o "${config.services.plex.user}" -g "${config.services.plex.group}" "$PLEX_DATADIR"
+        fi
+      '';
+      preStartScriptP12 = pkgs.writeScript "plex-copy-cert-to-p12" ''
+        #!${pkgs.bash}/bin/bash
+
+        umask 0077
+        "${pkgs.openssl}/bin/openssl" pkcs12 -export \
+          -out "${config.services.plex.dataDir}/cert.p12" \
+          -in "${certPath}/fullchain.pem" \
+          -inkey "${certPath}/privkey.pem" \
+          -certfile "${certPath}/chain.pem" \
+          -passout pass:password
+      '';
+    in lib.mkForce [ "!${preStartScriptMkData}" "${preStartScriptP12}" ];
+  })];
 }