diff --git a/README.md b/README.md
index 53409af..a4d5949 100644
--- a/README.md
+++ b/README.md
@@ -31,11 +31,11 @@ services. Also, the design will be extendable to allow users to add services not
 - [X] Backup support.
 - [X] Home Assistant.
 - [ ] Export metrics to Prometheus.
- - [X] LDAP auth through homeassistant_user LDAP group.
+ - [X] LDAP auth through `homeassistant_user` LDAP group.
 - [ ] SSO auth.
 - [X] Backup support.
 - [X] Jellyfin
 - [ ] Export metrics to Prometheus.
- - [X] LDAP auth, unfortunately we need to configure this manually.
+ - [X] LDAP auth through `jellyfin_user` and `jellyfin_admin` LDAP groups.
 - [ ] SSO auth.
 - [X] Backup support.
diff --git a/modules/jellyfin.nix b/modules/jellyfin.nix
index 6d60653..66f1823 100644
--- a/modules/jellyfin.nix
+++ b/modules/jellyfin.nix
@@ -4,6 +4,18 @@ let
 cfg = config.shb.jellyfin;
 fqdn = "${cfg.subdomain}.${cfg.domain}";
+
+ template = file: newPath: replacements:
+ let
+ templatePath = newPath + ".template";
+
+ sedPatterns = lib.strings.concatStringsSep " " (lib.attrsets.mapAttrsToList (from: to: "\"s|${from}|${to}|\"") replacements);
+ in
+ ''
+ ln -fs ${file} ${templatePath}
+ rm ${newPath} || :
+ sed ${sedPatterns} ${templatePath} > ${newPath}
+ '';
 
 in
 {
 options.shb.jellyfin = {
@@ -20,6 +32,30 @@ in
 type = lib.types.str;
 example = "domain.com";
 };
 
+
+ ldapHost = lib.mkOption {
+ type = lib.types.str;
+ description = "host serving the LDAP server";
+ example = "127.0.0.1";
+ };
+
+ ldapPort = lib.mkOption {
+ type = lib.types.int;
+ description = "port where the LDAP server is listening";
+ example = 389;
+ };
+
+ dcdomain = lib.mkOption {
+ type = lib.types.str;
+ description = "dc domain for ldap.";
+ example = "dc=mydomain,dc=com";
+ };
+
+ sopsFile = lib.mkOption {
+ type = lib.types.path;
+ description = "Sops file location";
+ example = "secrets/jellyfin.yaml";
+ };
 };
 
 config = lib.mkIf cfg.enable {
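Review bot: The `template` helper added at the top of the `@@ -4,6 +4,18 @@` hunk expands every replacement value into sed's argument list, and the one call site in this commit passes `"$(cat /run/secrets/jellyfin/ldap_password)"`, so the shell substitutes the LDAP bind password into `sed`'s argv, where it is visible to other local processes through `/proc` for as long as the command runs. The value is also spliced into the `s|…|…|` expression unescaped, so a password containing `|`, `&` or `\` silently produces a broken substitution. Prefer a renderer that reads the secret from its file rather than from the command line (nixpkgs' `replace-secret` does exactly this), or at least document the character restriction on the secret. The rendered file is created by plain redirection, so its mode is whatever the unit's umask yields; adding `chmod 0600 ${newPath}` after the `sed` line keeps a config that embeds a credential from being group-readable.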
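Review bot: The option descriptions in the `@@ -20,6 +32,30 @@` hunk are terse and inconsistent (`"dc domain for ldap."` versus `"Sops file location"` without a period), and `dcdomain` in particular does not say how the value is used; a description such as `"Base DN of the LDAP directory; used to build the bind DN and the user and group search bases."` would let a user fill it in correctly. `sopsFile` should state which key the file must contain (`jellyfin/ldap_password`, as consumed later in this commit). Nothing in these options lets the user enable TLS for the LDAP connection, while the rendered plugin config later in this commit hard-codes several `false` values right after the port (the XML tag names were lost in rendering, so I cannot confirm which settings they are); if those are the plugin's TLS switches, the bind password travels in clear over port 389 and an option to turn TLS on belongs here.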
@@ -147,6 +183,14 @@ in
 '';
 };
 
+ sops.secrets."jellyfin/ldap_password" = {
+ inherit (cfg) sopsFile;
+ mode = "0440";
+ owner = "jellyfin";
+ group = "jellyfin";
+ restartUnits = [ "jellyfin.service" ];
+ };
+
 shb.backup.instances.jellyfin = {
 sourceDirectories = [
 "/var/lib/jellyfin"
@@ -162,6 +206,45 @@ in
 ];
 }];
 
+ # LDAP config but you need to install the plugin by hand
+
+ systemd.services.jellyfin.preStart =
+ let
+ ldapConfig = pkgs.writeText "LDAP-Auth.xml" ''
+
+
+ ${cfg.ldapHost}
+ ${builtins.toString cfg.ldapPort}
+ false
+ false
+ false
+ uid=admin,ou=people,${cfg.dcdomain}
+ %LDAP_PASSWORD%
+ ou=people,${cfg.dcdomain}
+ (memberof=cn=jellyfin_user,ou=groups,${cfg.dcdomain})
+ ou=people,${cfg.dcdomain}
+ (memberof=cn=jellyfin_admin,ou=groups,${cfg.dcdomain})
+ false
+ uid, cn, mail, displayName
+
+
+
+ true
+ false
+ uid
+ userPassword
+ true
+
+
+
+ '';
+ in
+ template ldapConfig "/var/lib/jellyfin/plugins/configurations/LDAP-Auth.xml" {
+ "%LDAP_PASSWORD%" = "$(cat /run/secrets/jellyfin/ldap_password)";
+ };
+
+ # For backup
+
 systemd.services.jellyfin.serviceConfig = {
 # Setup permissions needed for backups, as the backup user is member of the jellyfin group.
 UMask = lib.mkForce "0027";
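Review bot: `mode = "0440"` together with `group = "jellyfin"` in the `sops.secrets."jellyfin/ldap_password"` block makes the bind password readable by every member of the jellyfin group, and the comment in the next hunk says the backup user is one of them. The only reader of the secret is the unit's preStart, which runs as the service user unless a `PermissionsStartOnly` or `+` prefix not visible here says otherwise, so `mode = "0400";` is sufficient and removes the group exposure.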
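Review bot: The rendered `/var/lib/jellyfin/plugins/configurations/LDAP-Auth.xml` produced by the new `preStart` holds the bind password in plaintext, and `/var/lib/jellyfin` is listed in `shb.backup.instances.jellyfin.sourceDirectories` in the previous hunk, so the credential lands in every backup and, under the `UMask = lib.mkForce "0027"` context below, is group-readable at rest. Either exclude that file from the backup or state in the module documentation that backups include the LDAP bind credential. The bind DN is hard-coded to `uid=admin,ou=people,${cfg.dcdomain}`; binding as the directory admin just to run user searches is more privilege than the plugin needs, so an option for a read-only bind DN would be the least-privilege default. The comment `# LDAP config but you need to install the plugin by hand` should name the plugin and note that the file is rewritten on every start whether or not the plugin is installed. The `(memberof=…)` filters also presuppose the server exposes a `memberof` attribute, which is worth saying in the option docs.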