depot/ops/nixos/lib/plex.nix

# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0

{ depot, config, pkgs, lib, ... }:
let
  cfg = config.my.plex;
in {
  imports = [
    ./content.nix
  ];

  options.my.plex = {
    customTLS = {
      enable = lib.mkEnableOption "plex TLS issuance";
      domain = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        default = null;
      };
    };
  };

  config = lib.mkMerge [{
    users.users.plex.extraGroups = [ "content" ];

    services.plex = {
      enable = true;
      dataDir = "/store/plex";
      openFirewall = true;
      package = depot.nix.pkgs.plex-pass;
    };
  } (lib.mkIf (cfg.customTLS.enable) {
    users.groups.plexcert = {};
    users.users.plex.extraGroups = lib.mkAfter [ "plexcert" ];
    my.vault.acmeCertificates."${cfg.customTLS.domain}" = {
      group = "plexcert";
      hostnames = [ cfg.customTLS.domain ];
      reloadOrRestartUnits = [ "plex.service" ];
    };
    systemd.services.plex.serviceConfig.ExecStartPre = let
      certPath = "/var/lib/acme/${cfg.customTLS.domain}";
      preStartScriptMkData = pkgs.writeScript "plex-pre-start-acme" ''
        #!${pkgs.bash}/bin/bash

        # From https://github.com/NixOS/nixpkgs/blob/ef176dcf7e76c3639571d7c6051246c8fbadf12a/nixos/modules/services/misc/plex.nix#L123-L131

        # Create data directory if it doesn't exist
        if ! test -d "$PLEX_DATADIR"; then
          echo "Creating initial Plex data directory in: $PLEX_DATADIR"
          install -d -m 0755 -o "${config.services.plex.user}" -g "${config.services.plex.group}" "$PLEX_DATADIR"
        fi
      '';
      preStartScriptP12 = pkgs.writeScript "plex-copy-cert-to-p12" ''
        #!${pkgs.bash}/bin/bash

        umask 0077
        "${pkgs.openssl}/bin/openssl" pkcs12 -export \
          -out "${config.services.plex.dataDir}/cert.p12" \
          -in "${certPath}/fullchain.pem" \
          -inkey "${certPath}/privkey.pem" \
          -certfile "${certPath}/chain.pem" \
          -passout pass:password
      '';
    in lib.mkForce [ "!${preStartScriptMkData}" "${preStartScriptP12}" ];
  })];
}