Finished setup

nixos/acme.nix

@@ -1,8 +0,0 @@
-_: {
-  security.acme = {
-    acceptTerms = true;
-    defaults = {
-      email = "acme@gensokyo.zone";
-    };
-  };
-}

nixos/bazarr.nix

@@ -6,7 +6,6 @@
     };
 
     nginx.virtualHosts."bazarr.gensokyo.zone" = {
-      enableACME = true;
       locations."/".proxyPass = "http://localhost:${toString config.services.bazarr.listenPort}";
     };
   };

nixos/cloudflared.nix

@@ -1,4 +1,8 @@
-{ config, lib, ... }: let
+{
+  config,
+  lib,
+  ...
+}: let
   inherit (lib.modules) mkDefault;
 in {
   config.services.cloudflared.enable = mkDefault true;

nixos/jackett.nix

@@ -4,7 +4,6 @@ _: {
       enable = true;
     };
     nginx.virtualHosts."jackett.gensokyo.zone" = {
-      enableACME = true;
       locations."/".proxyPass = "http://localhost:9117/";
     };
   };

nixos/ombi.nix

@@ -5,7 +5,6 @@
       port = 5000;
     };
     nginx.virtualHosts."ombi.gensokyo.zone" = {
-      enableACME = true;
       locations."/".proxyPass = "http://localhost:${toString config.services.ombi.port}";
     };
   };

nixos/plex.nix

@@ -4,7 +4,26 @@ _: {
       enable = true;
     };
     nginx.virtualHosts."plex.gensokyo.zone" = {
-      enableACME = true;
+      extraConfig = ''
+        # Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
+        send_timeout 100m;
+        # Plex headers
+        proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
+        proxy_set_header X-Plex-Device $http_x_plex_device;
+        proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
+        proxy_set_header X-Plex-Platform $http_x_plex_platform;
+        proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
+        proxy_set_header X-Plex-Product $http_x_plex_product;
+        proxy_set_header X-Plex-Token $http_x_plex_token;
+        proxy_set_header X-Plex-Version $http_x_plex_version;
+        proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
+        proxy_set_header X-Plex-Provides $http_x_plex_provides;
+        proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
+        proxy_set_header X-Plex-Model $http_x_plex_model;
+        # Buffering off send to the client as soon as the data is received from Plex.
+        proxy_redirect off;
+        proxy_buffering off;
+      '';
       locations."/".proxyPass = "http://localhost:32400";
     };
   };
@@ -23,7 +42,7 @@ _: {
   # Tautulli and Ombi will also be reverse proxied, presumably
 
   networking.firewall = {
-    allowedTCPPorts = [8324 32469];
+    allowedTCPPorts = [32400 8324 32469 8181 5000];
     allowedUDPPorts = [1900 5353 32410 32412 32413 32414];
   };
 }

nixos/radarr.nix

@@ -4,7 +4,6 @@ _: {
       enable = true;
     };
     nginx.virtualHosts."radarr.gensokyo.zone" = {
-      enableACME = true;
       locations."/".proxyPass = "http://localhost:7878";
     };
   };

nixos/sonarr.nix

@@ -5,7 +5,6 @@ _: {
     };
 
     nginx.virtualHosts."sonarr.gensokyo.zone" = {
-      enableACME = true;
       locations."/".proxyPass = "http://localhost:8989";
     };
   };

nixos/tailscale.nix

@@ -27,14 +27,14 @@ in {
 
     services.tailscale.enable = mkDefault true;
 
-    sops.secrets.tailscale-key = mkIf config.services.tailscale.enable { };
+    sops.secrets.tailscale-key = mkIf config.services.tailscale.enable {};
     systemd.services.tailscale-autoconnect = mkIf config.services.tailscale.enable rec {
       description = "Automatic connection to Tailscale";
 
       # make sure tailscale is running before trying to connect to tailscale
       after = wants ++ wantedBy;
-      wants = [ "network-pre.target" ];
-      wantedBy = [ "tailscaled.service" ];
+      wants = ["network-pre.target"];
+      wantedBy = ["tailscaled.service"];
 
       # set this service as a oneshot job
       serviceConfig = {
@@ -44,25 +44,26 @@ in {
       # have the job run this shell script
       script = let
         fixResolved = optionalString config.services.resolved.enable ''
-          resolvectl revert ${config.services.tailscale.interfaceName} || false
+          resolvectl revert ${config.services.tailscale.interfaceName} || true
         '';
         advertiseExitNode = optionalString cfg.advertiseExitNode " --advertise-exit-node";
-      in with pkgs; ''
-        # wait for tailscaled to settle
-        sleep 5
+      in
+        with pkgs; ''
+          # wait for tailscaled to settle
+          sleep 5
 
-        ${fixResolved}
+          ${fixResolved}
 
-        # check if we are already authenticated to tailscale
-        status="$(${getExe tailscale} status -json | ${getExe jq} -r .BackendState)"
-        if [[ $status = Running ]]; then
-          # if so, then do nothing
-          exit 0
-        fi
+          # check if we are already authenticated to tailscale
+          status="$(${getExe tailscale} status -json | ${getExe jq} -r .BackendState)"
+          if [[ $status = Running ]]; then
+            # if so, then do nothing
+            exit 0
+          fi
 
-        # otherwise authenticate with tailscale
-        ${getExe tailscale} up${advertiseExitNode} -authkey $(cat ${config.sops.secrets.tailscale-key.path})
-      '';
+          # otherwise authenticate with tailscale
+          ${getExe tailscale} up${advertiseExitNode} -authkey $(cat ${config.sops.secrets.tailscale-key.path})
+        '';
     };
   };
 }

nixos/tautulli.nix

@@ -5,8 +5,7 @@
       port = 8181;
     };
 
-    nginx.virtualHosts."tautuli.gensokyo.zone" = {
-      enableACME = true;
+    nginx.virtualHosts."tautulli.gensokyo.zone" = {
       locations."/".proxyPass = "http://localhost:${toString config.services.tautulli.port}";
     };
   };

systems/mediabox/nixos.nix

@@ -1,4 +1,5 @@
 {
+  config,
   meta,
   lib,
   ...
@@ -6,15 +7,12 @@
   imports = with meta; [
     nixos.reisen-ct
     nixos.sops
-    nixos.tailscale
     nixos.nginx
-    nixos.acme
     nixos.cloudflared
 
-    /*
-      # media
+    # media
     nixos.plex
-    nixos.tautuli
+    nixos.tautulli
     nixos.ombi
 
     # yarr harr fiddle dee dee >w<
@@ -22,9 +20,30 @@
     nixos.sonarr
     nixos.bazarr
     nixos.jackett
-    */
   ];
 
+  sops.secrets.cloudflare_mediabox_tunnel = {
+    owner = config.services.cloudflared.user;
+  };
+
+  services.cloudflared = let
+    tunnelId = "9295ed6e-4743-45c1-83b1-6c252ae5580a";
+  in {
+    tunnels.${tunnelId} = {
+      default = "http_status:404";
+      credentialsFile = config.sops.secrets.cloudflare_mediabox_tunnel.path;
+      ingress = {
+        "plex.gensokyo.zone".service = "http://localhost:32400";
+        "tautuli.gensokyo.zone".service = "http://localhost:8181";
+        "ombi.gensokyo.zone".service = "http://localhost:3579";
+        "sonarr.gensokyo.zone".service = "http://localhost:8989";
+        "radarr.gensokyo.zone".service = "http://localhost:7878";
+        "bazarr.gensokyo.zone".service = "http://localhost:6767";
+        "jackett.gensokyo.zone".service = "http://localhost:9117";
+      };
+    };
+  };
+
   sops.defaultSopsFile = ./secrets.yaml;
 
   system.stateVersion = "21.05";

systems/mediabox/secrets.yaml

@@ -1,4 +1,5 @@
 tailscale-key: ENC[AES256_GCM,data:TnXZW2c5NhMYHutOdDn8NG5RcdcNTzcTXuC27Ir+OO/4abF0rCEts1A=,iv:OK2nUBJ6LyP9w9L05JGtHe5rxmfoNyk8+zF6M6jYIG8=,tag:McbAMcTJ93C5OluGzYMvCw==,type:str]
+cloudflare_mediabox_tunnel: ENC[AES256_GCM,data:8evCY9lil+SYHTfaHOj8ULYFAX9Q5HHj/caZtfEsG30UiLZCThLWAXUA0FmKgIr8TNAz1tt9ySAaoUyDUFs6leV+FNqUv6fsJGKXQ039+s5YiGZzbKpG6EltDjJ8DYLl8JXuxMxOCsbbAsuhCmzUC8T2jbduxrb1f+nu7e7W6c+j8/5+ujH+Bk3mcd65s5/29Z6bwRhHjCwLDqNwnsI84FOIf8O9JrVXbfWmL33/plxo/xVwo7muffHFPFah8zIMNglg+teM,iv:YBRiJ2WzXsntH13Jv9o8XaNe12hS+VyKjAsbBc3o0EQ=,tag:hLywh0v+SfPkE7p+PLQItw==,type:str]
 sops:
     shamir_threshold: 1
     kms: []
@@ -15,8 +16,8 @@ sops:
             aDVRZTJtTzh5aElnN3hpcitZWmluQ3MK/je9HcOaN+DiSi2JsCThRXOEbydNQcRM
             ZBjYlbtPILMjrn4NoUtxnwbmm7vNgGdXVu7EDfQ0OxjWbo9Cv95WZg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-11T22:46:33Z"
-    mac: ENC[AES256_GCM,data:lfx0h0sXAM7o5ig7NoqLUNY62B9vxZj2cWMHtfXbCfDIXUt72ybfbjuT0RE9YPnVyzKtVcLzbJwq1ls3LoPLohAAYsqH2C2Qpi3M5sf3vaVHheXAAdcn2ivk9i/PyfiXX8NBkVun2VJp6t7EZs76Xxwznt6vHzjXOZbMeV9wpC8=,iv:wd68KvHD8p2Qe+qfXlQmoIB+wW6GQErKKlsCxt9UflI=,tag:bBkX/j3NE5HQ/J/Yc/FrtA==,type:str]
+    lastmodified: "2024-01-12T05:09:30Z"
+    mac: ENC[AES256_GCM,data:WBT09CBeXUGOPP7OeJHPOEXVjP39jY+XyvDBniHlWOUFsHQn8N9wCRQ9OfJflw5CHmpxRlQvlzROhEoXvx4dgrEzDB0s6tkoTPkXAsMvTZAJVPl99XcOtmAodzAtn6ejsVnKp5f5EGKEubENsK1RvgzKS4oUoA18l8cAgvnq3kQ=,iv:XM54p8iSKzUNUSUbvanhYtjVrfTTWO3Wjyxnw8UFQ+k=,tag:2kPmBVFBoowqfymQCHAFvQ==,type:str]
     pgp:
         - created_at: "2024-01-11T22:30:58Z"
           enc: |-

systems/tewi/cloudflared.nix

@@ -1,4 +1,8 @@
-{ config, lib, ... }: let
+{
+  config,
+  lib,
+  ...
+}: let
   inherit (config) services;
   apartment = "131222b0-9db0-4168-96f5-7d45ec51c3be";
 in {