Add jellyfin host

2023-08-01 23:02:11 +02:00 · 2023-08-01 23:02:11 +02:00 · 693c6da88a
parent 8a16dd0af2
commit 693c6da88a
9 changed files with 141 additions and 0 deletions
--- a/hosts.nix
+++ b/hosts.nix
@ -34,6 +34,9 @@ in
    jackett = {
      site = "vs";
    };
+    jellyfin = {
+      site = "vs";
+    };
    nitter = {
      site = "vs";
    };
--- a/hosts/jellyfin/configuration.nix
+++ b/hosts/jellyfin/configuration.nix
@ -0,0 +1,17 @@
+{ ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/vda";
+  };
+
+  networking = {
+    hostName = "jellyfin";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 80 443 ];
+    };
+  };
+
+  system.stateVersion = "23.05";
+}
--- a/hosts/jellyfin/default.nix
+++ b/hosts/jellyfin/default.nix
@ -0,0 +1,10 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./hardware-configuration.nix
+    ./secrets.nix
+    ./jellyfin.nix
+    ./nginx.nix
+  ];
+}
--- a/hosts/jellyfin/hardware-configuration.nix
+++ b/hosts/jellyfin/hardware-configuration.nix
@ -0,0 +1,16 @@
+{ ... }:
+{
+  fileSystems."/mnt/media" = {
+    device = "//10.202.46.5/media";
+    fsType = "cifs";
+    options = [ 
+      "username=jellyfin" 
+      "credentials=/secrets/samba-credentials.secret"
+      "iocharset=utf8"
+      "vers=3.1.1"
+      "uid=jellyfin"
+      "gid=jellyfin"
+      "_netdev"
+    ];
+  };
+}
--- a/hosts/jellyfin/jellyfin.nix
+++ b/hosts/jellyfin/jellyfin.nix
@ -0,0 +1,6 @@
+{ ... }:
+{
+  services.jellyfin = {
+    enable = true;
+  };
+}
--- a/hosts/jellyfin/nginx.nix
+++ b/hosts/jellyfin/nginx.nix
@ -0,0 +1,65 @@
+{ ... }:
+{
+  services.nginx = {
+    enable = true;
+    virtualHosts."jellyfin.grzb.de" = {
+      forceSSL = true;
+      enableACME = true;
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 80;
+        }
+        {
+          addr = "0.0.0.0";
+          port = 443;
+          ssl = true;
+        }
+      ];
+      locations."= /" = {
+        return = "302 https://$host/web/";
+      };
+      locations."/" = {
+        proxyPass = "http://localhost:8096/";
+        extraConfig = ''
+          # Disable buffering when the nginx proxy gets very resource heavy upon streaming
+          proxy_buffering off;
+        '';
+      };
+      locations."= /web/" = {
+        proxyPass = "http://localhost:8096/web/index.html";
+      };
+      locations."/socket" = {
+        proxyPass = "http://localhost:8096/socket";
+        proxyWebsockets = true;
+      };
+      extraConfig = ''
+        client_max_body_size 20M;
+
+        # Security / XSS Mitigation Headers
+        # NOTE: X-Frame-Options may cause issues with the webOS app
+        add_header X-Frame-Options "SAMEORIGIN";
+        add_header X-XSS-Protection "1; mode=block";
+        add_header X-Content-Type-Options "nosniff";
+
+        # COOP/COEP. Disable if you use external plugins/images/assets
+        add_header Cross-Origin-Opener-Policy "same-origin" always;
+        add_header Cross-Origin-Embedder-Policy "require-corp" always;
+        add_header Cross-Origin-Resource-Policy "same-origin" always;
+
+        # Permissions policy. May cause issues on some clients
+        add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+
+        # Tell browsers to use per-origin process isolation
+        add_header Origin-Agent-Cluster "?1" always;
+
+        # Content Security Policy
+        # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+        # Enforces https content and restricts JS/CSS to origin
+        # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
+        # NOTE: The default CSP headers may cause issues with the webOS app
+        #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
+      '';
+    };
+  };
+}
--- a/hosts/jellyfin/secrets.nix
+++ b/hosts/jellyfin/secrets.nix
@ -0,0 +1,11 @@
+{ ... }:
+{
+  deployment.keys."samba-credentials.secret" = {
+    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "jellyfin/samba-credentials" ];
+    destDir = "/secrets";
+    user = "root";
+    group = "root";
+    permissions = "0640";
+    uploadAt = "pre-activation";
+  };
+}
--- a/hosts/web-public-2/virtualHosts/acme-challenge.nix
+++ b/hosts/web-public-2/virtualHosts/acme-challenge.nix
@ -0,0 +1,12 @@
+{ ... }:
+{
+  services.nginx.virtualHosts."jellyfin.grzb.de" = {
+    listen = [{ 
+      addr = "0.0.0.0";
+      port = 80;
+    }];
+    locations."^~ /.well-known/acme-challenge/" = {
+      proxyPass = "http://jellyfin.vs.grzb.de:80";
+    };
+  };
+}
--- a/hosts/web-public-2/virtualHosts/default.nix
+++ b/hosts/web-public-2/virtualHosts/default.nix
@ -1,6 +1,7 @@
 { ... }:
 {
  imports = [
+    ./acme-challenge.nix
    ./anisync.grzb.de.nix
    ./birdsite.nekover.se.nix
    ./element.nekover.se.nix