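# Jellyfin module for the shb stack. When `shb.jellyfin.enable` is set it:
#   - enables the upstream `services.jellyfin` unit,
#   - opens the UDP ports Jellyfin uses for auto-discovery,
#   - sets up the `media` and `jellyfin` group memberships,
#   - declares a reverse-proxy site that forwards `jellyfin.*` hosts to the
#     local backend and denies `/metrics` to non-local clients,
#   - registers /var/lib/jellyfin with the shb backup module and makes the
#     state directory group-readable so the backup user can read it.
{ config, lib, pkgs, ...}:

let
  cfg = config.shb.jellyfin;
in
{
  options.shb.jellyfin = {
    enable = lib.mkEnableOption "shb jellyfin";
  };

  config = lib.mkIf cfg.enable {
    services.jellyfin.enable = true;

    networking.firewall = {
      # from https://jellyfin.org/docs/general/networking/index.html, for auto-discovery
      # NOTE(review): this opens both ports on every interface. On a host with
      # an internet-facing interface, consider scoping them to the LAN side
      # with networking.firewall.interfaces.<name>.allowedUDPPorts instead.
      allowedUDPPorts = [ 1900 7359 ];
    };

    users.groups = {
      media = {
        name = "media";
        members = [ "jellyfin" ];
      };
      # The backup user joins the jellyfin group so that it can read the
      # service's state directory (see the UMask/StateDirectoryMode below).
      jellyfin = {
        members = [ "backup" ];
      };
    };

    shb.reverseproxy.sites.jellyfin = {
      frontend = {
        acl = {
          acl_jellyfin = "hdr_beg(host) jellyfin.";
          # Only IPv4 loopback is allowed; a local client connecting over ::1
          # is denied as well (fails closed).
          acl_jellyfin_network_allowed = "src 127.0.0.1";
          # Match case-insensitively (-i): HAProxy string matches are
          # case-sensitive by default, while Jellyfin is served by ASP.NET
          # Core, whose routing ignores case, so a case-sensitive prefix
          # would not cover every spelling of the path the backend accepts.
          # NOTE(review): percent-encoded path variants are not normalised
          # here; confirm how the proxy and the backend treat them before
          # relying on this rule as the only guard for /metrics.
          acl_jellyfin_restricted_page = "path_beg -i /metrics";
        };
        http-request = {
          # Deny the restricted page on the Jellyfin host unless the client
          # address is in the allowed network.
          deny = "if acl_jellyfin acl_jellyfin_restricted_page !acl_jellyfin_network_allowed";
        };
        use_backend = "if acl_jellyfin";
      };
      # TODO: enable /metrics and block from outside https://jellyfin.org/docs/general/networking/monitoring/#prometheus-metrics
      # (the frontend deny rule in this site already covers the blocking half)
      backend = {
        servers = [
          {
            name = "jellyfin1";
            address = "127.0.0.1:8091";
            # NOTE(review): with forwardfor disabled, Jellyfin presumably sees
            # every proxied request as coming from 127.0.0.1. Confirm that its
            # access logs and any local-network/remote-access decisions do not
            # depend on the real client address.
            forwardfor = false;
            balance = "roundrobin";
            check = {
              inter = "5s";
              downinter = "15s";
              fall = "3";
              rise = "3";
            };
            httpcheck = "GET /health";
          }
        ];
      };
    };

    shb.backup.instances.jellyfin = {
      sourceDirectories = [
        "/var/lib/jellyfin"
      ];
    };

    systemd.services.jellyfin.serviceConfig = {
      # Setup permissions needed for backups, as the backup user is member of the jellyfin group.
      # 0027 / 0750 give the group read access and leave nothing for "other".
      UMask = lib.mkForce "0027";
      StateDirectoryMode = lib.mkForce "0750";
    };
  };
}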