fix plex

2026-03-10 10:40:29 +01:00 · 2026-03-09 22:30:42 +01:00 · 2026-03-09 22:30:42 +01:00 · 07c949f7ff
commit 07c949f7ff
parent 6e1e8c1b8f
2 changed files with 63 additions and 21 deletions
--- a/hosts/thegeneralist-central/plex/default.nix
+++ b/hosts/thegeneralist-central/plex/default.nix
@ -23,32 +23,29 @@ let
    nativeBuildInputs = [ pkgs.dpkg ];

    unpackPhase = ''
-      runHook preUnpack
      dpkg-deb -x $src .
-      runHook postUnpack
    '';

    installPhase = ''
-      runHook preInstall
-      mkdir -p $out
-      cp -r usr/* $out/
-      runHook postInstall
-    '';
-  };
-in
-{
-  services.plex = {
-    enable = true;
-    package = plex;
-    # openFirewall = true;
+  mkdir -p $out
+  cp -r usr/* $out/
+
+  mkdir -p $out/bin
+  cat > $out/bin/plexmediaserver <<EOF
+#!${pkgs.runtimeShell}
+
+export PLEX_MEDIA_SERVER_HOME=$out/lib/plexmediaserver
+export PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR="\$PLEX_DATADIR/Library/Application Support/Plex Media Server"
+export LD_LIBRARY_PATH=$out/lib/plexmediaserver
+
+exec "$out/lib/plexmediaserver/Plex Media Server" "\$@"
+EOF
+
+  chmod +x $out/bin/plexmediaserver
+'';
  };

-  networking.firewall.interfaces."tailscale0" = {
-    allowedTCPPorts = [ 3005 8324 32469 80 443 ];
-    allowedUDPPorts = [ 1900 5353 32410 32412 32413 32414 ];
-  };
-
-  services.nginx.virtualHosts.${domain} = ssl // {
+  config = ssl // {
    listen = [
      {
        addr = "100.86.129.23";
@ -85,7 +82,52 @@ in
        # Buffering off send to the client as soon as the data is received from Plex.
        proxy_redirect off;
        proxy_buffering off;
+        proxy_set_header   X-Real-IP           $remote_addr;
+        proxy_set_header   X-Forwarded-For     $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto   $scheme;
+        proxy_set_header   Host                $host;
      '';
    };
  };
+in
+{
+  services.plex = {
+    enable = true;
+    package = plex;
+    dataDir = "/var/lib/plex";
+    # openFirewall = true;
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /var/lib/plex/Library/Application\\040Support/Plex\\ Media\\ Server 0755 plex plex -"
+    "f /var/lib/plex/Library/Application\\040Support/Plex\\ Media\\ Server/Preferences.xml 0644 plex plex -"
+  ];
+
+  systemd.services.plex-fix-perms = {
+    description = "Fix Plex library permissions";
+    wants = [ "plex.service" ]; # Plex depends on this
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = ''
+        mkdir -p "/var/lib/plex/Library/Application Support/Plex Media Server"
+        chown -R plex:plex "/var/lib/plex/Library/Application Support/Plex Media Server"
+      '';
+    };
+  };
+
+  networking.firewall.interfaces."tailscale0" = {
+    allowedTCPPorts = [ 3005 8324 32469 80 443 ];
+    allowedUDPPorts = [ 1900 5353 32410 32412 32413 32414 ];
+  };
+
+  services.nginx.virtualHosts = {
+    ${domain} = config;
+    "100.86.129.23" = config;
+  };
+
+  systemd.services."plex".serviceConfig = {
+    Wants = [ "tailscaled.service" ];
+    After = [ "network-online.target" "tailscaled.service" ];
+  };
 }
--- a/modules/linux/tailscale.nix
+++ b/modules/linux/tailscale.nix
@ -6,7 +6,7 @@
    useRoutingFeatures = "both";
    openFirewall = true; # or false?
    extraUpFlags = [ "--ssh" ];
-    extraSetFlags = [ "--advertise-exit-node" ];
+    extraSetFlags = [ "--advertise-routes=172.16.223.0/24" "--advertise-exit-node" ];
    disableTaildrop = false;
    authKeyFile = config.age.secrets.tailscaleMarshall.path;
  };