1
0
Fork 0
selfhostblocks/modules/jellyfin.nix
2023-07-10 18:36:25 -07:00

73 lines
1.8 KiB
Nix

{ config, lib, pkgs, ...}:
let
cfg = config.shb.jellyfin;
in
{
options.shb.jellyfin = {
enable = lib.mkEnableOption "shb jellyfin";
};
config = lib.mkIf cfg.enable {
services.jellyfin.enable = true;
networking.firewall = {
# from https://jellyfin.org/docs/general/networking/index.html, for auto-discovery
allowedUDPPorts = [ 1900 7359 ];
};
users.groups = {
media = {
name = "media";
members = [ "jellyfin" ];
};
jellyfin = {
members = [ "backup" ];
};
};
shb.reverseproxy.sites.jellyfin = {
frontend = {
acl = {
acl_jellyfin = "hdr_beg(host) jellyfin.";
acl_jellyfin_network_allowed = "src 127.0.0.1";
acl_jellyfin_restricted_page = "path_beg /metrics";
};
http-request = {
deny = "if acl_jellyfin acl_jellyfin_restricted_page !acl_jellyfin_network_allowed";
};
use_backend = "if acl_jellyfin";
};
# TODO: enable /metrics and block from outside https://jellyfin.org/docs/general/networking/monitoring/#prometheus-metrics
backend = {
servers = [
{
name = "jellyfin1";
address = "127.0.0.1:8091";
forwardfor = false;
balance = "roundrobin";
check = {
inter = "5s";
downinter = "15s";
fall = "3";
rise = "3";
};
httpcheck = "GET /health";
}
];
};
};
shb.backup.instances.jellyfin = {
sourceDirectories = [
"/var/lib/jellyfin"
];
};
systemd.services.jellyfin.serviceConfig = {
# Setup permissions needed for backups, as the backup user is member of the jellyfin group.
UMask = lib.mkForce "0027";
StateDirectoryMode = lib.mkForce "0750";
};
};
}