From f2e33628c04ba2b09d0bccb46ccd939ba146195f Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 5 Jun 2023 03:11:46 +0200 Subject: [PATCH] jellyfin: vhost --- hosts/architect/jellyfin.nix | 55 +++++++++++++++--------------------- 1 file changed, 22 insertions(+), 33 deletions(-) diff --git a/hosts/architect/jellyfin.nix b/hosts/architect/jellyfin.nix index b61a73d..5d319e3 100644 --- a/hosts/architect/jellyfin.nix +++ b/hosts/architect/jellyfin.nix @@ -3,52 +3,41 @@ let domain = "media.giugl.io"; port = 8096; - - utilities = import ./utilities.nix { inherit lib config; }; - inherit (utilities) architectInterfaceAddress; + allowLan = true; in { # needed since StateDirectory does not accept symlinks systemd.services.jellyfin.serviceConfig.StateDirectory = lib.mkForce ""; - services = { - jellyfin = { - enable = true; - group = "media"; - package = pkgs.unstablePkgs.jellyfin; - }; + architect.vhost.${domain} = with config.architect.networks; { + dnsInterfaces = [ "lan" "wireguard" "tailscale" ]; + locations = { + "/" = { + inherit port allowLan; - nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - extraConfig = '' - # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. - #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; - # Disable buffering when the nginx proxy gets very resource heavy upon streaming - proxy_buffering off; - - allow ${config.architect.networks.lan.net}; - allow ${config.architect.networks.tailscale.net}; - deny all; - ''; - - locations."/" = { - proxyPass = "http://127.0.0.1:${toString port}"; + allow = [ + wireguard.net + tailscale.net + ]; }; - locations."/socket" = { - proxyPass = "http://127.0.0.1:${toString port}"; + "/socket" = { + inherit port allowLan; + proxyWebsockets = true; + allow = [ + wireguard.net + tailscale.net + ]; }; }; }; - - networking.extraHosts = '' - ${architectInterfaceAddress "lan"} ${domain} - ${architectInterfaceAddress "wireguard"} ${domain} - ${architectInterfaceAddress "tailscale"} ${domain} - ''; + services.jellyfin = { + enable = true; + group = "media"; + package = pkgs.unstablePkgs.jellyfin; + }; users.groups = { media.members = [ "jellyfin" ];