feat(tilo): add Plex configuration for Tilo

hosts/tilo/configuration.nix

@@ -31,10 +31,6 @@
           443 # HTTPS
           25565 # Minecraft
         ];
-        extraCommands = ''
-          iptables -I INPUT 1 -i 172.16.0.0/12 -p tcp -d 172.17.0.1 -j ACCEPT
-          iptables -I INPUT 1 -i 172.16.0.0/12 -p tcp -d 172.17.0.1 -j ACCEPT
-        '';
       };
     };
     packages.nix = {
@@ -43,6 +39,10 @@
     };
     services = {
       endlessh.enable = true;
+      plex = {
+        enable = true;
+        dataDir = "/tank/web/stacks/plex/plex-config";
+      };
       ssh = {
         enable = true;
         allowedUsers = ["phundrak"];

system/services/default.nix

@@ -2,6 +2,7 @@
   imports = [
     ./endlessh.nix
     ./fwupd.nix
+    ./plex.nix
     ./printing.nix
     ./ssh.nix
     ./sunshine.nix

system/services/plex.nix

@@ -0,0 +1,35 @@
+{
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.system.services.plex;
+in {
+  options.system.services.plex = {
+    enable = mkEnableOption "Enable Plex";
+    group = mkOption {
+      type = types.string;
+      default = "users";
+      example = "users";
+      description = "Group under which Plex runs";
+    };
+    dataDir = mkOption {
+      type = types.string;
+      example = "/tank/plex-config";
+    };
+    user = mkOption {
+      type = types.string;
+      default = "phundrak";
+    };
+  };
+  config = {
+    services.plex = mkIf cfg.enable {
+      inherit (cfg) enable user group dataDir;
+      openFirewall = cfg.enable;
+    };
+    boot.kernel.sysctl = {
+      "kernel.unprivileged_userns_clone" = 1;
+    };
+  };
+}

users/phundrak/host/tilo.nix

@@ -1,7 +1,7 @@
 {config, ...}: {
   imports = [../light-home.nix];
   home = {
-    cli.nh.flake = "${config.home.homeDirectory}/nixos";
+    cli.nh.flake = "/tank/phundrak/nixos";
     phundrak.sshKey = {
       content = builtins.readFile ../../../keys/id_tilo.pub;
       # file = "${config.home.homeDirectory}/.ssh/id_ed25519.pub";