madslundt / docker-cloud-media-scripts

Upload and stream media from the cloud with or without encryption. Cache all new and recently streamed media locally to access quickly and reduce API calls
MIT License
100 stars 34 forks source link
cloud-data cloud-storage google-drive mount plex plex-media-server plexdrive rclone union


Default settings use ~100GB for local media, remove atleast 80 GB and Plexdrive chunks and cache are removed after 24 hours:

docker create \
    --name cloud-media-scripts \
    -v /media:/local-media:shared \
    -v /mnt/external/media:/local-decrypt:shared \
    -v /configurations:/config \
    -v /mnt/external/plexdrive:/chunks \
    -v /logs:/log \
    --privileged --cap-add=MKNOD --cap-add=SYS_ADMIN --device=/dev/fuse \

If you have more space you can increase REMOVE_LOCAL_FILES_WHEN_SPACE_EXCEEDS_GB, FREEUP_ATLEAST_GB and either increase CLEAR_CHUNK_AGE or add CLEAR_CHUNK_MAX_SIZE.


docker create \
    --name cloud-media-scripts \
    -v /media:/local-media:shared \
    -v /mnt/external/media:/local-decrypt:shared \
    -v /configurations:/config \
    -v /mnt/external/plexdrive:/chunks \
    -v /logs:/log \
    -e CLEAR_CHUNK_MAX_SIZE="1000G" \
    -e FREEUP_ATLEAST_GB="1000" \
    --privileged --cap-add=MKNOD --cap-add=SYS_ADMIN --device=/dev/fuse \


The parameters are split into two halves, separated by a colon, the left hand side representing the host and the right the container side. For example with a volume -v external:internal - what this shows is the volume mapping from internal to external of the container. Example -v /media:/local-media would expose directory /local-media from inside the container to be accessible from the host's directory /media.

OBS: Some of the volumes need to have :shared appended to it for it to work. This is needed to have the files visible for the host. Example -v /media:/local-media:shared.

:shared is also needed on if you mount these folders to your other Docker containers.

Before creating the docker container (with the :shared appends), run the command sudo mount --make-shared /volume1 (remember to change /volume1 to match your setup). Thanks to freakshock88 for pointing this out


Environment variables:

--privileged --cap-add=MKNOD --cap-add=SYS_ADMIN --device=/dev/fuse must be there for fuse to work within the container.

If using docker-compose:

privileged: true
     - /dev/fuse
     - MKNOD
     - SYS_ADMIN


After the docker image has been setup and running, Rclone and Plexdrive need to be configured.


Setup Rclone run docker exec -ti <DOCKER_CONTAINER> rclone_setup

With encryption

3 remotes are needed when using encryption:

  1. First one is for the Google drive connection
  2. Second one is for the Google drive on-the-fly encryption/decryption
  3. Third and last one is for the local encryption/decryption

    • Endpoint to your cloud storage.
    • Create new remote [Press N]
    • Give it a name example gd
    • Choose Google Drive [Press 8]
    • If you have a client id paste it here or leave it blank
    • Choose headless machine [Press N]
    • Open the url in your browser and enter the verification code
    • Encryption and decryption for your cloud storage.
    • Create new remote [Press N]
    • Give it the same name as specified in the environment variable RCLONE_CLOUD_ENDPOINT but without colon (:) (default gd-crypt)
    • Choose Encrypt/Decrypt a remote [Press 5]
    • Enter the name of the endpoint created in cloud-storage appended with a colon (:) and the subfolder on your cloud. Example gd:/Media or just gd: if you have your files in root in the cloud.
    • Choose how to encrypt filenames. I prefer option 2 Encrypt the filenames
    • Choose to either generate your own or random password. I prefer to enter my own.
    • Choose to enter pass phrase for the salt or leave it blank. I prefer to enter my own.
    • Encryption and decryption for your local storage.
    • Create new remote [Press N]
    • Give it the same name as specified in the environment variable RCLONE_LOCAL_ENDPOINT but without colon (:) (default local-crypt)
    • Choose Encrypt/Decrypt a remote [Press 5]
    • Enter the encrypted folder: /cloud-encrypt. If you are using subdirectory append it to it. Example /cloud-encrypt/Media
    • Choose the same filename encrypted as you did with the cloud storage.
    • Enter the same password as you did with the cloud storage.
    • Enter the same pass phrase as you did with the cloud storage.

Without encryption

1 remote is needed to connect rclone to Google drive:

Rclone documentation if needed click here


Setup Plexdrive to the cloud. Run the command docker exec -ti <DOCKER_CONTAINER> plexdrive_setup

Plexdrive documentation if needed click here


Upload local files to cloud run: docker exec <DOCKER_CONTAINER> cloudupload

Remove local files run docker exec <DOCKER_CONTAINER> rmlocal

Check if everything is running docker exec <DOCKER_CONTAINER> check

Empty trash on Plex Media Server but only if mount is up docker exec <DOCKER_CONTAINER> emptytrash

cloudupload and rmlocal can be ran with arguments. All arguments are passed to rclone. For example it is possible to run docker exec <DOCKER_CONTAINER> cloudupload -v to get verbose on the rclone operations in cloudupload.

Cron jobs

Setup cron jobs to upload and remove local files:

How this works?

Following services are used to sync, encrypt/decrypt and mount media:

When using encryption this gives us a total of 5 directories:

When NOT using encryption this gives us a total of 4 directories:

All Cloud data is mounted to /cloud-encrypt. This folder is then decrypted and mounted to /cloud-decrypt. If ENCRYPT_MEDIA is turned off cloud data is mounted directly to /cloud-decrypt. d A local folder (/local-decrypt) containing local media that is yet to be uploaded to the cloud. /local-decrypt and /cloud-decrypt is then mounted to a third folder (/local-media) with certain permissions - /local-decrypt with Read/Write permissions and /cloud-decrypt with Read-only permission.

Everytime new media is retrieved it should be added to /local-media. By adding files to /local-media it is added to /local-decrypt because of the Read/Write permissions. That is why a cronjob is needed to upload local files from /local-decrypt.

By having a cronjob to rmlocal it will sooner or later move media from /local-decrypt depending on the REMOVE_LOCAL_FILES_BASED_ON setting. Media is only removed from /local-decrypt and still appears in /local-media because it is still be accessable from the cloud.

If REMOVE_LOCAL_FILES_BASED_ON is set to space it will only remove content (if local media size has exceeded REMOVE_LOCAL_FILES_WHEN_SPACE_EXCEEDS_GB) starting from the oldest accessed file and will only free up atleast FREEUP_ATLEAST_GB. If time is set it will only remove files older than REMOVE_LOCAL_FILES_AFTER_DAYS. If instant is set it will remove all files when running.

Media is never deleted locally before being uploaded successful to the cloud.

UML diagram


Rclone 1.39 is currently used and tested.

Rclone is used to encrypt, decrypt and upload files to the cloud. It mounts and decrypts Plexdrive to a different folder (/cloud-decrypt) and later encrypts and uploads from a local folder (/local-decrypt) to the cloud.

Rclone creates one config file in /config: config.json. This is used to stored Google Drive api keys and encryption/decryption keys.


Plexdrive 4.0.0 is currently used and tested.

Plexdrive is used to mount Google Drive to a local folder (/cloud-encrypt).

Plexdrive create two files in /config: config.json and token.json. These are used to store Google Drive api keys.


UnionFS is used to mount both cloud and local media to a local folder (/local-media).

The reason for these permissions are that when writing to the local folder (/local-media) it will not try to write it directly to the cloud storage /cloud-decrypt, but instead to the local storage (/local-decrypt). Later this will be encrypted and uploaded to the cloud by Rclone.

Build Dockerfile


docker build -t cloud-media-scripts .

Test run

docker run --name cloud-media-scripts -d cloud-media-scripts

If you want to support the project or just buy me a beer I accept Paypal and bitcoins.


BitCoin address: 18fXu7Ty9RB4prZCpD8CDD1AyhHaRS1ef3