# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0

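# NixOS module: runs Plex from /store/plex and, when my.plex.customTLS is
# enabled, converts an ACME-issued certificate into the PKCS#12 bundle
# written to <dataDir>/cert.p12 before every service start.
{ depot, config, pkgs, lib, ... }:
let
  cfg = config.my.plex;
in {
  imports = [
    ./content.nix
  ];

  options.my.plex = {
    customTLS = {
      enable = lib.mkEnableOption "plex TLS issuance";
      domain = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        default = null;
        description = "Hostname to issue the Plex certificate for; required when customTLS.enable is set.";
      };
    };
  };

  config = lib.mkMerge [{
    users.users.plex.extraGroups = [ "content" ];

    services.plex = {
      enable = true;
      dataDir = "/store/plex";
      # Lets the upstream module open Plex's ports in the host firewall.
      openFirewall = true;
      package = depot.nix.pkgs.plex-pass;
    };
  } (lib.mkIf (cfg.customTLS.enable) {
    # domain defaults to null but is interpolated into an attribute name and
    # into certPath below. Reject that combination with a readable message
    # instead of leaving it to a null-to-string coercion error.
    assertions = [{
      assertion = cfg.customTLS.domain != null;
      message = "my.plex.customTLS.domain must be set when my.plex.customTLS.enable is true.";
    }];

    # Dedicated group for the certificate files; only the plex user is added.
    # NOTE(review): presumably `group` below makes the issued files readable
    # by plexcert - confirm against the my.vault.acmeCertificates module.
    users.groups.plexcert = {};
    users.users.plex.extraGroups = lib.mkAfter [ "plexcert" ];
    my.vault.acmeCertificates."${cfg.customTLS.domain}" = {
      group = "plexcert";
      hostnames = [ cfg.customTLS.domain ];
      # Plex is restarted on renewal, which re-runs the ExecStartPre scripts
      # below and so regenerates cert.p12 from the new key material.
      reloadOrRestartUnits = [ "plex.service" ];
    };
    systemd.services.plex.serviceConfig.ExecStartPre = let
      certPath = "/var/lib/acme/${cfg.customTLS.domain}";
      # Copy of the upstream data-directory creation step (see the link in
      # the script); needed because mkForce below replaces ExecStartPre.
      preStartScriptMkData = pkgs.writeScript "plex-pre-start-acme" ''
        #!${pkgs.bash}/bin/bash

        # From https://github.com/NixOS/nixpkgs/blob/ef176dcf7e76c3639571d7c6051246c8fbadf12a/nixos/modules/services/misc/plex.nix#L123-L131

        # Create data directory if it doesn't exist
        if ! test -d "$PLEX_DATADIR"; then
          echo "Creating initial Plex data directory in: $PLEX_DATADIR"
          install -d -m 0755 -o "${config.services.plex.user}" -g "${config.services.plex.group}" "$PLEX_DATADIR"
        fi
      '';
      # Bundles the ACME certificate, chain and private key into cert.p12.
      #
      # SECURITY: the export passphrase is the fixed literal "password". It is
      # embedded in this store script and passed on openssl's command line, so
      # it must not be treated as a secret. The private key inside cert.p12 is
      # protected only by the file mode that `umask 0077` produces (no group
      # or other access) and by ownership of the data directory. Keep backups
      # and copies of cert.p12 under the same restrictions as privkey.pem.
      preStartScriptP12 = pkgs.writeScript "plex-copy-cert-to-p12" ''
        #!${pkgs.bash}/bin/bash

        umask 0077
        "${pkgs.openssl}/bin/openssl" pkcs12 -export \
          -out "${config.services.plex.dataDir}/cert.p12" \
          -in "${certPath}/fullchain.pem" \
          -inkey "${certPath}/privkey.pem" \
          -certfile "${certPath}/chain.pem" \
          -passout pass:password
      '';
    # The "!" prefix runs only the data-directory script with elevated
    # credentials (it chowns via `install -o/-g`). The PKCS#12 export has no
    # prefix, so it runs with the unit's own user/group settings and the
    # private key is never handled by a privileged process.
    in lib.mkForce [ "!${preStartScriptMkData}" "${preStartScriptP12}" ];
  })];
}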