# Setup

The included configuration

- [ ] configure Tailscale API key and update `env`
- [ ] configure drkno/plexsso `config.json`

```
config.json
```

- [ ] `docker-compose up -d`
- [ ] obtain the Tailscale IP address from the logs

```
docker logs tailscale | grep full
```

- [ ] launch your browser to http://tailscale-ip:81
- [ ] log in to Nginx Proxy Manager with the default credentials
- [ ] update the admin credentials
- [ ] create a new proxy host for `tld.com, *.tld.com`
- [ ] request a new SSL certificate using DNS Validation

[![Screenshot 2024-12-21 at 02.49.50.png](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-01/scaled-1680-/screenshot-2024-12-21-at-02-49-50-png.png)](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-01/scaled-1680-/screenshot-2024-12-21-at-02-49-50-png.png)

- [ ] create a new proxy host for secure.tld.com, \*.secure.tld.com
- [ ] request a new SSL certificate using DNS Validation
- [ ] update the Advanced config

```
# the advanced rule for the secure domain checks for the drkno/plexsso cookie
# if the cookie is present, the request is forwarded normally
# if the cookie is missing, the user is redirected to the SSO url
location ~* ^/$ {
    set $subdomain "";
    if ($host ~* ^([^.]+)\.) {
        set $subdomain $1;
    }
    if ($http_cookie !~* "AdminDomain") {
        return 302 https://sso.tld.com/$subdomain.secure;
    }
}
# the $subdomain.secure URI ensures that once authentication is complete, the user
# is redirected to the requested host
```

- [ ] create a new proxy host for admin.tld.com, \*.admin.tld.com
- [ ] request a new SSL certificate using DNS Validation
- [ ] update the Advanced config

```
# for the admin wildcard subdomain, any requests are checked for the
# source network - so any request via the Tailscale connection will be
# allowed, but any valid connection will pass through to the internal proxy
location ~* ^/$ {
    allow 172.250.250.0/24;
    deny all;
}
```

- [ ] update your DNS

```
# only configure wildcard domains in DNS, to reduce visibility of
# services that you are running behind your proxy
tld.com - A - 999.999.999.999
*.tld.com - CNAME - tld.com
secure.tld.com - CNAME - tld.com
*.secure.tld.com - CNAME - tld.com
admin.tld.com - A - 000.000.000.000
*.admin.tld.com - CNAME - admin.tld.com
```
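
The two Advanced configs above, modelled in Python as an added example (not part of the original page or of drkno/plexsso) so you can check which requests each rule acts on before relying on it. The function names and sample requests are constructed for illustration; "pass" means the rule itself takes no action, and "not matched" means the `location ~* ^/$` block does not apply to that URI.

```python
import ipaddress
import re

# Patterns copied from the two Advanced configs on this page.
ROOT_ONLY = re.compile(r"^/$", re.I)           # location ~* ^/$
FIRST_LABEL = re.compile(r"^([^.]+)\.", re.I)  # if ($host ~* ^([^.]+)\.)
SSO_COOKIE = re.compile(r"AdminDomain", re.I)  # $http_cookie !~* "AdminDomain"
ADMIN_NET = ipaddress.ip_network("172.250.250.0/24")  # allow ...; deny all;


def _uri(request_target):
    # nginx matches locations against the URI without the query string.
    return request_target.split("?", 1)[0]


def secure_rule(host, request_target, cookie_header=""):
    """Outcome of the secure.tld.com rule for one request (hypothetical helper)."""
    if not ROOT_ONLY.search(_uri(request_target)):
        return "not matched"  # this location block does not apply
    m = FIRST_LABEL.search(host)
    subdomain = m.group(1) if m else ""
    # Case-insensitive substring test; the cookie's value is not inspected here.
    if not SSO_COOKIE.search(cookie_header):
        return f"302 https://sso.tld.com/{subdomain}.secure"
    return "pass"  # no redirect issued by this rule


def admin_rule(request_target, client_ip):
    """Outcome of the admin.tld.com rule for one request (hypothetical helper)."""
    if not ROOT_ONLY.search(_uri(request_target)):
        return "not matched"
    return "pass" if ipaddress.ip_address(client_ip) in ADMIN_NET else "403"


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    for args in [("app.secure.tld.com", "/"),
                 ("app.secure.tld.com", "/", "AdminDomain=constructed"),
                 ("app.secure.tld.com", "/library"),
                 ("secure.tld.com", "/?next=1")]:
        print(args, "->", secure_rule(*args))
    for args in [("/", "172.250.250.7"), ("/", "203.0.113.9"),
                 ("/settings", "203.0.113.9")]:
        print(args, "->", admin_rule(*args))
```

Requests reported as "not matched" are handled by whatever other locations the proxy host defines, so check that those carry the access control you expect.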