Configuration for my NixOS based systems and Home Manager


ADD plex, nginx, acme

+94
+1
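--- a/packages.nix
+++ b/packages.nix
@@ -94,5 +94,6 @@
     "spotify"
     "obsidian"
     "tailscale"
+    "plexmediaserver"
   ];
 }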
+93
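--- a/services.nix
+++ b/services.nix
@@ -112,4 +112,97 @@
       }
     '';
   };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "noah@packetlost.dev";
+    certs."plex.packetlostandfound.us" = {
+      group = "nas";
+      dnsProvider = "nextdns";
+    };
+  };
+
+  services.plex = {
+    enable = false;
+    openFirewall = false; # we proxy this with nginx
+    group = "nas";
+    user = "noah";
+  };
+
+  # Nginx Reverse SSL Proxy
+  services.nginx = {
+    enable = true;
+    # give a name to the virtual host. It also becomes the server name.
+    virtualHosts."plex.packetlostandfound.us" = {
+      # Since we want a secure connection, we force SSL
+      forceSSL = true;
+
+      # http2 can more performant for streaming: https://blog.cloudflare.com/introducing-http2/
+      http2 = true;
+
+      # Provide the ssl cert and key for the vhost
+      sslCertificate = "/var/lib/acme/plex.packetlostandfound.us/fullchain.pem";
+      sslCertificateKey = "/var/lib/acme/plex.packetlostandfound.us/key.pem";
+      extraConfig = ''
+
+        #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
+        send_timeout 100m;
+
+        # Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/
+        ssl_stapling on;
+        ssl_stapling_verify on;
+
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+        ssl_prefer_server_ciphers on;
+        #Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384.
+        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+
+        # Forward real ip and host to Plex
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $server_addr;
+        proxy_set_header Referer $server_addr;
+        proxy_set_header Origin $server_addr;
+
+        # Plex has A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off.
+        gzip on;
+        gzip_vary on;
+        gzip_min_length 1000;
+        gzip_proxied any;
+        gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
+        gzip_disable "MSIE [1-6]\.";
+
+        # Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones.
+        # Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more
+        client_max_body_size 100M;
+
+        # Plex headers
+        proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
+        proxy_set_header X-Plex-Device $http_x_plex_device;
+        proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
+        proxy_set_header X-Plex-Platform $http_x_plex_platform;
+        proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
+        proxy_set_header X-Plex-Product $http_x_plex_product;
+        proxy_set_header X-Plex-Token $http_x_plex_token;
+        proxy_set_header X-Plex-Version $http_x_plex_version;
+        proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
+        proxy_set_header X-Plex-Provides $http_x_plex_provides;
+        proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
+        proxy_set_header X-Plex-Model $http_x_plex_model;
+
+        # Websockets
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        # Buffering off send to the client as soon as the data is received from Plex.
+        proxy_redirect off;
+        proxy_buffering off;
+      '';
+      locations."/" = {
+        proxyPass = "http://localhost:32400/";
+      };
+    };
+  };
 }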
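Review bot: The `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and `ssl_ciphers` lines in the `plex.packetlostandfound.us` vhost's `extraConfig` still offer TLS 1.0/1.1 (deprecated by RFC 8996) and, despite `!DES`, keep the 3DES suites (`ECDHE-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA` — OpenSSL matches those under `3DES`, not `DES`) plus the bare `AES:CAMELLIA` groups, which admit CBC/SHA-1 and non-forward-secret suites; the preceding comment says this is deliberate for player support, so it should at least name which clients still need it, since current Plex clients negotiate TLS 1.2 with AES-GCM. I would change this to `ssl_protocols TLSv1.2 TLSv1.3;` and drop the `*-DES-CBC3-SHA`, `AES` and `CAMELLIA` entries, or set `recommendedTlsSettings = true;` on `services.nginx` and delete the two directives. Separately, `services.plex.enable = false` while `locations."/"` proxies to `http://localhost:32400/` means this vhost answers 502 unless Plex is started some other way (only the `plexmediaserver` package is added in packages.nix), and the certificate is issued with `group = "nas"` but consumed through raw `sslCertificate`/`sslCertificateKey` paths, so the nginx user must be able to read `key.pem` — `useACMEHost = "plex.packetlostandfound.us";` would let the module manage the group and the reload on renewal. The `dnsProvider = "nextdns"` cert also sets no `credentialsFile`/`environmentFile`, which lego presumably needs for the API token — verify before the first renewal.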