diff --git a/hosts.nix b/hosts.nix index 133f155..4cac023 100644 --- a/hosts.nix +++ b/hosts.nix @@ -34,6 +34,9 @@ in jackett = { site = "vs"; }; + jellyfin = { + site = "vs"; + }; nitter = { site = "vs"; }; diff --git a/hosts/jellyfin/configuration.nix b/hosts/jellyfin/configuration.nix new file mode 100644 index 0000000..7d058cd --- /dev/null +++ b/hosts/jellyfin/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "jellyfin"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/jellyfin/default.nix b/hosts/jellyfin/default.nix new file mode 100644 index 0000000..9c80166 --- /dev/null +++ b/hosts/jellyfin/default.nix @@ -0,0 +1,10 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./hardware-configuration.nix + ./secrets.nix + ./jellyfin.nix + ./nginx.nix + ]; +} diff --git a/hosts/jellyfin/hardware-configuration.nix b/hosts/jellyfin/hardware-configuration.nix new file mode 100644 index 0000000..764a903 --- /dev/null +++ b/hosts/jellyfin/hardware-configuration.nix @@ -0,0 +1,16 @@ +{ ... }: +{ + fileSystems."/mnt/media" = { + device = "//10.202.46.5/media"; + fsType = "cifs"; + options = [ + "username=jellyfin" + "credentials=/secrets/samba-credentials.secret" + "iocharset=utf8" + "vers=3.1.1" + "uid=jellyfin" + "gid=jellyfin" + "_netdev" + ]; + }; +} diff --git a/hosts/jellyfin/jellyfin.nix b/hosts/jellyfin/jellyfin.nix new file mode 100644 index 0000000..89deaaa --- /dev/null +++ b/hosts/jellyfin/jellyfin.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + services.jellyfin = { + enable = true; + }; +} diff --git a/hosts/jellyfin/nginx.nix b/hosts/jellyfin/nginx.nix new file mode 100644 index 0000000..7d70066 --- /dev/null +++ b/hosts/jellyfin/nginx.nix @@ -0,0 +1,65 @@ +{ ... }: +{ + services.nginx = { + enable = true; + virtualHosts."jellyfin.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + locations."= /" = { + return = "302 https://$host/web/"; + }; + locations."/" = { + proxyPass = "http://localhost:8096/"; + extraConfig = '' + # Disable buffering when the nginx proxy gets very resource heavy upon streaming + proxy_buffering off; + ''; + }; + locations."= /web/" = { + proxyPass = "http://localhost:8096/web/index.html"; + }; + locations."/socket" = { + proxyPass = "http://localhost:8096/socket"; + proxyWebsockets = true; + }; + extraConfig = '' + client_max_body_size 20M; + + # Security / XSS Mitigation Headers + # NOTE: X-Frame-Options may cause issues with the webOS app + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options "nosniff"; + + # COOP/COEP. Disable if you use external plugins/images/assets + add_header Cross-Origin-Opener-Policy "same-origin" always; + add_header Cross-Origin-Embedder-Policy "require-corp" always; + add_header Cross-Origin-Resource-Policy "same-origin" always; + + # Permissions policy. May cause issues on some clients + add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always; + + # Tell browsers to use per-origin process isolation + add_header Origin-Agent-Cluster "?1" always; + + # Content Security Policy + # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP + # Enforces https content and restricts JS/CSS to origin + # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. + # NOTE: The default CSP headers may cause issues with the webOS app + #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; + ''; + }; + }; +} diff --git a/hosts/jellyfin/secrets.nix b/hosts/jellyfin/secrets.nix new file mode 100644 index 0000000..c1c22c6 --- /dev/null +++ b/hosts/jellyfin/secrets.nix @@ -0,0 +1,11 @@ +{ ... }: +{ + deployment.keys."samba-credentials.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "jellyfin/samba-credentials" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} diff --git a/hosts/web-public-2/virtualHosts/acme-challenge.nix b/hosts/web-public-2/virtualHosts/acme-challenge.nix new file mode 100644 index 0000000..d16de8f --- /dev/null +++ b/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -0,0 +1,12 @@ +{ ... }: +{ + services.nginx.virtualHosts."jellyfin.grzb.de" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://jellyfin.vs.grzb.de:80"; + }; + }; +} diff --git a/hosts/web-public-2/virtualHosts/default.nix b/hosts/web-public-2/virtualHosts/default.nix index f6aadad..c5ec5ef 100644 --- a/hosts/web-public-2/virtualHosts/default.nix +++ b/hosts/web-public-2/virtualHosts/default.nix @@ -1,6 +1,7 @@ { ... }: { imports = [ + ./acme-challenge.nix ./anisync.grzb.de.nix ./birdsite.nekover.se.nix ./element.nekover.se.nix