jellyfin: Cleanup derivation

2023-02-11 03:18:52 +01:00 · 2023-02-11 03:18:52 +01:00 · 554e5651a7
commit 554e5651a7
parent b341bee052
2 changed files with 1 additions and 148 deletions
--- a/hosts/architect/jellyfin.nix
+++ b/hosts/architect/jellyfin.nix
@ -6,9 +6,6 @@ let
  auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
 in
 {
-  disabledModules = [ "services/misc/jellyfin.nix" ];
-  imports = [ ./modules/jellyfin.nix ];
-
  services = {
    jellyfin = {
      enable = true;
@ -19,31 +16,15 @@ in
    nginx.virtualHosts.${domain} = {
      forceSSL = true;
      enableACME = true;
-      extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices-wg; } +
-        ''
-          # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
-          #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
-          # Disable buffering when the nginx proxy gets very resource heavy upon streaming
-          proxy_buffering off;
-        '';
+      extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices-wg; };

      locations."/" = {
        proxyPass = "http://127.0.0.1:8096";
-        #        extraConfig = ''
-        #          allow 10.0.0.0/24;
-        #          allow 10.3.0.0/24;
-        #          deny all;
-        #        '';
      };

      locations."/socket" = {
        proxyPass = "http://127.0.0.1:8096";
        proxyWebsockets = true;
-        #        extraConfig = ''
-        #          allow 10.0.0.0/24;
-        #          allow 10.3.0.0/24;
-        #          deny all;
-        #        '';
      };
    };
  };
--- a/hosts/architect/modules/jellyfin.nix
+++ b/hosts/architect/modules/jellyfin.nix
@ -1,128 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-
-let cfg = config.services.jellyfin;
-in {
-  options = {
-    services.jellyfin = {
-      enable = mkEnableOption "Jellyfin Media Server";
-
-      user = mkOption {
-        type = types.str;
-        default = "jellyfin";
-        description = "User account under which Jellyfin runs.";
-      };
-
-      package = mkOption {
-        type = types.package;
-        default = pkgs.jellyfin;
-        example = literalExample "pkgs.jellyfin";
-        description = ''
-          Jellyfin package to use.
-        '';
-      };
-
-      group = mkOption {
-        type = types.str;
-        default = "jellyfin";
-        description = "Group under which jellyfin runs.";
-      };
-
-      openFirewall = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Open the default ports in the firewall for the media server. The
-          HTTP/HTTPS ports can be changed in the Web UI, so this option should
-          only be used if they are unchanged.
-        '';
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    systemd.services.jellyfin = {
-      description = "Jellyfin Media Server";
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
-
-      serviceConfig = rec {
-        User = cfg.user;
-        Group = cfg.group;
-        StateDirectory = "/jellyfin";
-        CacheDirectory = "/jellyfin/cache";
-        ExecStart =
-          "${cfg.package}/bin/jellyfin --datadir '/jellyfin' --cachedir '/jellyfin/cache'";
-        Restart = "on-failure";
-
-        # Security options:
-
-        NoNewPrivileges = true;
-
-        AmbientCapabilities = "";
-        CapabilityBoundingSet = "";
-
-       # # ProtectClock= adds DeviceAllow=char-rtc r
-       # DeviceAllow = [
-       #   "char-drm r"
-       #   "/dev/nvidia0 r"
-       #   "/dev/nvidiactl r"
-       #   "/dev/nvidia-uvm r"
-       #   "/dev/nvidia-uvm-tools r"
-       # ];
-        DeviceAllow = "";
-        LockPersonality = true;
-
-        PrivateTmp = true;
-        PrivateUsers = true;
-
-#        ProtectClock = true;
-        ProtectControlGroups = true;
-        ProtectHostname = true;
-        ProtectKernelLogs = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-
-        RemoveIPC = true;
-
-        RestrictNamespaces = true;
-       # # AF_NETLINK needed because Jellyfin monitors the network connection
-        RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" "AF_UNIX" ];
-        RestrictRealtime = true;
-        RestrictSUIDSGID = true;
-
-        SystemCallArchitectures = "native";
-        SystemCallErrorNumber = "EPERM";
-        SystemCallFilter = [
-          "@system-service"
-          "~@cpu-emulation"
-          "~@debug"
-          "~@keyring"
-          "~@memlock"
-          "~@obsolete"
-          "~@privileged"
-          "~@setuid"
-        ];
-      };
-    };
-
-    users.users = mkIf (cfg.user == "jellyfin") {
-      jellyfin = {
-        group = cfg.group;
-        isSystemUser = true;
-      };
-    };
-
-    users.groups = mkIf (cfg.group == "jellyfin") { jellyfin = { }; };
-
-    networking.firewall = mkIf cfg.openFirewall {
-      # from https://jellyfin.org/docs/general/networking/index.html
-      allowedTCPPorts = [ 8096 8920 ];
-      allowedUDPPorts = [ 1900 7359 ];
-    };
-
-  };
-
-  meta.maintainers = with lib.maintainers; [ minijackson ];
-}