diff --git a/hosts/architect/jellyfin.nix b/hosts/architect/jellyfin.nix
index 1047dc0..bab1f00 100644
--- a/hosts/architect/jellyfin.nix
+++ b/hosts/architect/jellyfin.nix
@@ -6,9 +6,6 @@ let
   auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
 in
 {
-  disabledModules = [ "services/misc/jellyfin.nix" ];
-  imports = [ ./modules/jellyfin.nix ];
-
   services = {
     jellyfin = {
       enable = true;
@@ -19,31 +16,15 @@ in
     nginx.virtualHosts.${domain} = {
       forceSSL = true;
       enableACME = true;
-      extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices-wg; } +
-        ''
-          # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
-          #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
-          # Disable buffering when the nginx proxy gets very resource heavy upon streaming
-          proxy_buffering off;
-        '';
+      extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices-wg; };
 
       locations."/" = {
         proxyPass = "http://127.0.0.1:8096";
-        #        extraConfig = ''
-        #          allow 10.0.0.0/24;
-        #          allow 10.3.0.0/24;
-        #          deny all;
-        #        '';
       };
 
       locations."/socket" = {
         proxyPass = "http://127.0.0.1:8096";
         proxyWebsockets = true;
-        #        extraConfig = ''
-        #          allow 10.0.0.0/24;
-        #          allow 10.3.0.0/24;
-        #          deny all;
-        #        '';
       };
     };
   };
diff --git a/hosts/architect/modules/jellyfin.nix b/hosts/architect/modules/jellyfin.nix
deleted file mode 100644
index e62b076..0000000
--- a/hosts/architect/modules/jellyfin.nix
+++ /dev/null
@@ -1,128 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-
-let cfg = config.services.jellyfin;
-in {
-  options = {
-    services.jellyfin = {
-      enable = mkEnableOption "Jellyfin Media Server";
-
-      user = mkOption {
-        type = types.str;
-        default = "jellyfin";
-        description = "User account under which Jellyfin runs.";
-      };
-
-      package = mkOption {
-        type = types.package;
-        default = pkgs.jellyfin;
-        example = literalExample "pkgs.jellyfin";
-        description = ''
-          Jellyfin package to use.
-        '';
-      };
-
-      group = mkOption {
-        type = types.str;
-        default = "jellyfin";
-        description = "Group under which jellyfin runs.";
-      };
-
-      openFirewall = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Open the default ports in the firewall for the media server. The
-          HTTP/HTTPS ports can be changed in the Web UI, so this option should
-          only be used if they are unchanged.
-        '';
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    systemd.services.jellyfin = {
-      description = "Jellyfin Media Server";
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
-
-      serviceConfig = rec {
-        User = cfg.user;
-        Group = cfg.group;
-        StateDirectory = "/jellyfin";
-        CacheDirectory = "/jellyfin/cache";
-        ExecStart =
-          "${cfg.package}/bin/jellyfin --datadir '/jellyfin' --cachedir '/jellyfin/cache'";
-        Restart = "on-failure";
-
-        # Security options:
-
-        NoNewPrivileges = true;
-
-        AmbientCapabilities = "";
-        CapabilityBoundingSet = "";
-
-       # # ProtectClock= adds DeviceAllow=char-rtc r
-       # DeviceAllow = [
-       #   "char-drm r"
-       #   "/dev/nvidia0 r"
-       #   "/dev/nvidiactl r"
-       #   "/dev/nvidia-uvm r"
-       #   "/dev/nvidia-uvm-tools r"
-       # ];
-        DeviceAllow = "";
-        LockPersonality = true;
-
-        PrivateTmp = true;
-        PrivateUsers = true;
-
-#        ProtectClock = true;
-        ProtectControlGroups = true;
-        ProtectHostname = true;
-        ProtectKernelLogs = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-
-        RemoveIPC = true;
-
-        RestrictNamespaces = true;
-       # # AF_NETLINK needed because Jellyfin monitors the network connection
-        RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" "AF_UNIX" ];
-        RestrictRealtime = true;
-        RestrictSUIDSGID = true;
-
-        SystemCallArchitectures = "native";
-        SystemCallErrorNumber = "EPERM";
-        SystemCallFilter = [
-          "@system-service"
-          "~@cpu-emulation"
-          "~@debug"
-          "~@keyring"
-          "~@memlock"
-          "~@obsolete"
-          "~@privileged"
-          "~@setuid"
-        ];
-      };
-    };
-
-    users.users = mkIf (cfg.user == "jellyfin") {
-      jellyfin = {
-        group = cfg.group;
-        isSystemUser = true;
-      };
-    };
-
-    users.groups = mkIf (cfg.group == "jellyfin") { jellyfin = { }; };
-
-    networking.firewall = mkIf cfg.openFirewall {
-      # from https://jellyfin.org/docs/general/networking/index.html
-      allowedTCPPorts = [ 8096 8920 ];
-      allowedUDPPorts = [ 1900 7359 ];
-    };
-
-  };
-
-  meta.maintainers = with lib.maintainers; [ minijackson ];
-}