From f2e33628c04ba2b09d0bccb46ccd939ba146195f Mon Sep 17 00:00:00 2001
From: Giulio De Pasquale <git@depasquale.giugl.io>
Date: Mon, 5 Jun 2023 03:11:46 +0200
Subject: [PATCH] jellyfin: vhost

---
 hosts/architect/jellyfin.nix | 55 +++++++++++++++---------------------
 1 file changed, 22 insertions(+), 33 deletions(-)

diff --git a/hosts/architect/jellyfin.nix b/hosts/architect/jellyfin.nix
index b61a73d..5d319e3 100644
--- a/hosts/architect/jellyfin.nix
+++ b/hosts/architect/jellyfin.nix
@@ -3,52 +3,41 @@
 let
   domain = "media.giugl.io";
   port = 8096;
-  
-  utilities = import ./utilities.nix { inherit lib config; };
-  inherit (utilities) architectInterfaceAddress;
+  allowLan = true;
 in
 {
   # needed since StateDirectory does not accept symlinks
   systemd.services.jellyfin.serviceConfig.StateDirectory = lib.mkForce "";
 
-  services = {
-    jellyfin = {
-      enable = true;
-      group = "media";
-      package = pkgs.unstablePkgs.jellyfin;
-    };
+  architect.vhost.${domain} = with config.architect.networks; {
+    dnsInterfaces = [ "lan" "wireguard" "tailscale" ];
+    locations = {
+      "/" = {
+        inherit port allowLan;
 
-    nginx.virtualHosts.${domain} = {
-      forceSSL = true;
-      enableACME = true;
-      extraConfig = ''
-        # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
-        #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
-        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
-        proxy_buffering off;
-
-        allow ${config.architect.networks.lan.net};
-        allow ${config.architect.networks.tailscale.net};
-        deny all;
-      '';
-
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${toString port}";
+        allow = [
+          wireguard.net
+          tailscale.net
+        ];
       };
 
-      locations."/socket" = {
-        proxyPass = "http://127.0.0.1:${toString port}";
+      "/socket" = {
+        inherit port allowLan;
+
         proxyWebsockets = true;
+        allow = [
+          wireguard.net
+          tailscale.net
+        ];
       };
     };
   };
 
-
-  networking.extraHosts = ''
-    ${architectInterfaceAddress "lan"} ${domain}
-    ${architectInterfaceAddress "wireguard"} ${domain}
-    ${architectInterfaceAddress "tailscale"} ${domain}
-  '';
+  services.jellyfin = {
+    enable = true;
+    group = "media";
+    package = pkgs.unstablePkgs.jellyfin;
+  };
 
   users.groups = {
     media.members = [ "jellyfin" ];