diff --git a/hosts/architect/jellyfin.nix b/hosts/architect/jellyfin.nix index 1047dc0..bab1f00 100644 --- a/hosts/architect/jellyfin.nix +++ b/hosts/architect/jellyfin.nix @@ -6,9 +6,6 @@ let auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; in { - disabledModules = [ "services/misc/jellyfin.nix" ]; - imports = [ ./modules/jellyfin.nix ]; - services = { jellyfin = { enable = true; @@ -19,31 +16,15 @@ in nginx.virtualHosts.${domain} = { forceSSL = true; enableACME = true; - extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices-wg; } + - '' - # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. - #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; - # Disable buffering when the nginx proxy gets very resource heavy upon streaming - proxy_buffering off; - ''; + extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices-wg; }; locations."/" = { proxyPass = "http://127.0.0.1:8096"; - # extraConfig = '' - # allow 10.0.0.0/24; - # allow 10.3.0.0/24; - # deny all; - # ''; }; locations."/socket" = { proxyPass = "http://127.0.0.1:8096"; proxyWebsockets = true; - # extraConfig = '' - # allow 10.0.0.0/24; - # allow 10.3.0.0/24; - # deny all; - # ''; }; }; }; diff --git a/hosts/architect/modules/jellyfin.nix b/hosts/architect/modules/jellyfin.nix deleted file mode 100644 index e62b076..0000000 --- a/hosts/architect/modules/jellyfin.nix +++ /dev/null @@ -1,128 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let cfg = config.services.jellyfin; -in { - options = { - services.jellyfin = { - enable = mkEnableOption "Jellyfin Media Server"; - - user = mkOption { - type = types.str; - default = "jellyfin"; - description = "User account under which Jellyfin runs."; - }; - - package = mkOption { - type = types.package; - default = pkgs.jellyfin; - example = literalExample "pkgs.jellyfin"; - description = '' - Jellyfin package to use. - ''; - }; - - group = mkOption { - type = types.str; - default = "jellyfin"; - description = "Group under which jellyfin runs."; - }; - - openFirewall = mkOption { - type = types.bool; - default = false; - description = '' - Open the default ports in the firewall for the media server. The - HTTP/HTTPS ports can be changed in the Web UI, so this option should - only be used if they are unchanged. - ''; - }; - }; - }; - - config = mkIf cfg.enable { - systemd.services.jellyfin = { - description = "Jellyfin Media Server"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - serviceConfig = rec { - User = cfg.user; - Group = cfg.group; - StateDirectory = "/jellyfin"; - CacheDirectory = "/jellyfin/cache"; - ExecStart = - "${cfg.package}/bin/jellyfin --datadir '/jellyfin' --cachedir '/jellyfin/cache'"; - Restart = "on-failure"; - - # Security options: - - NoNewPrivileges = true; - - AmbientCapabilities = ""; - CapabilityBoundingSet = ""; - - # # ProtectClock= adds DeviceAllow=char-rtc r - # DeviceAllow = [ - # "char-drm r" - # "/dev/nvidia0 r" - # "/dev/nvidiactl r" - # "/dev/nvidia-uvm r" - # "/dev/nvidia-uvm-tools r" - # ]; - DeviceAllow = ""; - LockPersonality = true; - - PrivateTmp = true; - PrivateUsers = true; - -# ProtectClock = true; - ProtectControlGroups = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - - RemoveIPC = true; - - RestrictNamespaces = true; - # # AF_NETLINK needed because Jellyfin monitors the network connection - RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" "AF_UNIX" ]; - RestrictRealtime = true; - RestrictSUIDSGID = true; - - SystemCallArchitectures = "native"; - SystemCallErrorNumber = "EPERM"; - SystemCallFilter = [ - "@system-service" - "~@cpu-emulation" - "~@debug" - "~@keyring" - "~@memlock" - "~@obsolete" - "~@privileged" - "~@setuid" - ]; - }; - }; - - users.users = mkIf (cfg.user == "jellyfin") { - jellyfin = { - group = cfg.group; - isSystemUser = true; - }; - }; - - users.groups = mkIf (cfg.group == "jellyfin") { jellyfin = { }; }; - - networking.firewall = mkIf cfg.openFirewall { - # from https://jellyfin.org/docs/general/networking/index.html - allowedTCPPorts = [ 8096 8920 ]; - allowedUDPPorts = [ 1900 7359 ]; - }; - - }; - - meta.maintainers = with lib.maintainers; [ minijackson ]; -}