diff --git a/hosts/architect/jellyfin.nix b/hosts/architect/jellyfin.nix
index bab1f00..1047dc0 100644
--- a/hosts/architect/jellyfin.nix
+++ b/hosts/architect/jellyfin.nix
@@ -6,6 +6,9 @@ let
   auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
 in
 {
+  disabledModules = [ "services/misc/jellyfin.nix" ];
+  imports = [ ./modules/jellyfin.nix ];
+
   services = {
     jellyfin = {
       enable = true;
@@ -16,15 +19,31 @@ in
     nginx.virtualHosts.${domain} = {
       forceSSL = true;
       enableACME = true;
-      extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices-wg; };
+      extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices-wg; } +
+        ''
+          # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
+          #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
+          # Disable buffering when the nginx proxy gets very resource heavy upon streaming
+          proxy_buffering off;
+        '';
 
       locations."/" = {
         proxyPass = "http://127.0.0.1:8096";
+        #        extraConfig = ''
+        #          allow 10.0.0.0/24;
+        #          allow 10.3.0.0/24;
+        #          deny all;
+        #        '';
       };
 
       locations."/socket" = {
         proxyPass = "http://127.0.0.1:8096";
         proxyWebsockets = true;
+        #        extraConfig = ''
+        #          allow 10.0.0.0/24;
+        #          allow 10.3.0.0/24;
+        #          deny all;
+        #        '';
       };
     };
   };
diff --git a/hosts/architect/modules/jellyfin.nix b/hosts/architect/modules/jellyfin.nix
new file mode 100644
index 0000000..e62b076
--- /dev/null
+++ b/hosts/architect/modules/jellyfin.nix
@@ -0,0 +1,128 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let cfg = config.services.jellyfin;
+in {
+  options = {
+    services.jellyfin = {
+      enable = mkEnableOption "Jellyfin Media Server";
+
+      user = mkOption {
+        type = types.str;
+        default = "jellyfin";
+        description = "User account under which Jellyfin runs.";
+      };
+
+      package = mkOption {
+        type = types.package;
+        default = pkgs.jellyfin;
+        example = literalExample "pkgs.jellyfin";
+        description = ''
+          Jellyfin package to use.
+        '';
+      };
+
+      group = mkOption {
+        type = types.str;
+        default = "jellyfin";
+        description = "Group under which jellyfin runs.";
+      };
+
+      openFirewall = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Open the default ports in the firewall for the media server. The
+          HTTP/HTTPS ports can be changed in the Web UI, so this option should
+          only be used if they are unchanged.
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.jellyfin = {
+      description = "Jellyfin Media Server";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = rec {
+        User = cfg.user;
+        Group = cfg.group;
+        StateDirectory = "/jellyfin";
+        CacheDirectory = "/jellyfin/cache";
+        ExecStart =
+          "${cfg.package}/bin/jellyfin --datadir '/jellyfin' --cachedir '/jellyfin/cache'";
+        Restart = "on-failure";
+
+        # Security options:
+
+        NoNewPrivileges = true;
+
+        AmbientCapabilities = "";
+        CapabilityBoundingSet = "";
+
+       # # ProtectClock= adds DeviceAllow=char-rtc r
+       # DeviceAllow = [
+       #   "char-drm r"
+       #   "/dev/nvidia0 r"
+       #   "/dev/nvidiactl r"
+       #   "/dev/nvidia-uvm r"
+       #   "/dev/nvidia-uvm-tools r"
+       # ];
+        DeviceAllow = "";
+        LockPersonality = true;
+
+        PrivateTmp = true;
+        PrivateUsers = true;
+
+#        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+
+        RemoveIPC = true;
+
+        RestrictNamespaces = true;
+       # # AF_NETLINK needed because Jellyfin monitors the network connection
+        RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" "AF_UNIX" ];
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+
+        SystemCallArchitectures = "native";
+        SystemCallErrorNumber = "EPERM";
+        SystemCallFilter = [
+          "@system-service"
+          "~@cpu-emulation"
+          "~@debug"
+          "~@keyring"
+          "~@memlock"
+          "~@obsolete"
+          "~@privileged"
+          "~@setuid"
+        ];
+      };
+    };
+
+    users.users = mkIf (cfg.user == "jellyfin") {
+      jellyfin = {
+        group = cfg.group;
+        isSystemUser = true;
+      };
+    };
+
+    users.groups = mkIf (cfg.group == "jellyfin") { jellyfin = { }; };
+
+    networking.firewall = mkIf cfg.openFirewall {
+      # from https://jellyfin.org/docs/general/networking/index.html
+      allowedTCPPorts = [ 8096 8920 ];
+      allowedUDPPorts = [ 1900 7359 ];
+    };
+
+  };
+
+  meta.maintainers = with lib.maintainers; [ minijackson ];
+}