refactor: moved nixos modules to dendrite pattern

2026-04-07 15:39:45 -05:00 · 2026-04-07 15:39:45 -05:00 · 0ea11e0236
commit 0ea11e0236
parent df8dd110ad
219 changed files with 4802 additions and 4820 deletions
--- a/modules/nixos/programs/jellyfin/default.nix
+++ b/modules/nixos/programs/jellyfin/default.nix
@ -0,0 +1,12 @@
+{config, ...}: let
+  mod = config.flake.nixosModules;
+in {
+  flake.nixosModules.jellyfin = {
+    imports = [
+      mod.jellyfin-service
+      mod.jellyfin-proxy
+      mod.jellyfin-fail2ban
+      mod.jellyfin-storage
+    ];
+  };
+}
--- a/modules/nixos/programs/jellyfin/fail2ban.nix
+++ b/modules/nixos/programs/jellyfin/fail2ban.nix
@ -0,0 +1,34 @@
+{...}: {
+  flake.nixosModules.jellyfin-fail2ban = {
+    lib,
+    pkgs,
+    config,
+    ...
+  }: {
+    config = lib.mkIf (config.services.jellyfin.enable && config.services.fail2ban.enable) {
+      environment.etc = {
+        "fail2ban/filter.d/jellyfin.local".text = (
+          pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+            [Definition]
+            failregex = "^.*Authentication request for .* has been denied \\\\\\(IP: \\\"<ADDR>\\\"\\\\\\)\\\\\\."
+          '')
+        );
+      };
+
+      services.fail2ban = {
+        jails = {
+          jellyfin-iptables.settings = {
+            enabled = true;
+            filter = "jellyfin";
+            action = ''iptables-multiport[name=HTTP, port="http,https"]'';
+            logpath = "${config.services.jellyfin.dataDir}/log/*.log";
+            backend = "auto";
+            findtime = 600;
+            bantime = 600;
+            maxretry = 5;
+          };
+        };
+      };
+    };
+  };
+}
--- a/modules/nixos/programs/jellyfin/jellyfin.nix
+++ b/modules/nixos/programs/jellyfin/jellyfin.nix
@ -0,0 +1,34 @@
+{...}: {
+  flake.nixosModules.jellyfin-service = {
+    lib,
+    pkgs,
+    config,
+    ...
+  }: let
+    jellyfinPort = 8096;
+    dlanPort = 1900;
+  in {
+    options.services.jellyfin = {
+      media_directory = lib.mkOption {
+        type = lib.types.str;
+        description = "directory jellyfin media will be hosted at";
+        default = "/srv/jellyfin/media";
+      };
+    };
+
+    config = lib.mkIf config.services.jellyfin.enable {
+      environment.systemPackages = [
+        pkgs.jellyfin
+        pkgs.jellyfin-web
+        pkgs.jellyfin-ffmpeg
+      ];
+
+      networking.firewall.allowedTCPPorts = [jellyfinPort dlanPort];
+
+      systemd.tmpfiles.rules = [
+        "d ${config.services.jellyfin.media_directory} 2770 jellyfin jellyfin_media"
+        "A ${config.services.jellyfin.media_directory} -    -        -               - u:jellyfin:rwX,g:jellyfin_media:rwX,o::-"
+      ];
+    };
+  };
+}
--- a/modules/nixos/programs/jellyfin/proxy.nix
+++ b/modules/nixos/programs/jellyfin/proxy.nix
@ -0,0 +1,43 @@
+{...}: {
+  flake.nixosModules.jellyfin-proxy = {
+    lib,
+    config,
+    ...
+  }: let
+    jellyfinPort = 8096;
+  in {
+    options.services.jellyfin = {
+      domain = lib.mkOption {
+        type = lib.types.str;
+        description = "domain that jellyfin will be hosted at";
+        default = "jellyfin.arpa";
+      };
+      extraDomains = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        description = "extra domains that should be configured for jellyfin";
+        default = [];
+      };
+      reverseProxy = {
+        enable = lib.mkOption {
+          type = lib.types.bool;
+          default = config.services.jellyfin.enable && config.services.reverseProxy.enable;
+        };
+      };
+    };
+
+    config = lib.mkIf config.services.jellyfin.reverseProxy.enable {
+      services.reverseProxy.services.jellyfin = {
+        target = "http://localhost:${toString jellyfinPort}";
+        domain = config.services.jellyfin.domain;
+        extraDomains = config.services.jellyfin.extraDomains;
+
+        settings = {
+          forwardHeaders.enable = true;
+          maxBodySize = 20;
+          noSniff.enable = true;
+          proxyBuffering.enable = false;
+        };
+      };
+    };
+  };
+}
--- a/modules/nixos/programs/jellyfin/storage.nix
+++ b/modules/nixos/programs/jellyfin/storage.nix
@ -0,0 +1,58 @@
+{...}: {
+  flake.nixosModules.jellyfin-storage = {
+    lib,
+    config,
+    ...
+  }: let
+    jellyfin_data_directory = "/var/lib/jellyfin";
+    jellyfin_cache_directory = "/var/cache/jellyfin";
+  in {
+    options.services.jellyfin.impermanence.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = config.services.jellyfin.enable && config.storage.impermanence.enable;
+    };
+
+    config = lib.mkIf config.services.jellyfin.enable {
+      storage.datasets.replicate = {
+        "system/root" = {
+          directories = {
+            "${jellyfin_data_directory}" = lib.mkIf config.services.jellyfin.impermanence.enable {
+              enable = true;
+              owner.name = "jellyfin";
+              group.name = "jellyfin";
+            };
+            "${jellyfin_cache_directory}" = lib.mkIf config.services.jellyfin.impermanence.enable {
+              enable = true;
+              owner.name = "jellyfin";
+              group.name = "jellyfin";
+            };
+          };
+        };
+        "system/media" = {
+          mount = "/persist/replicate/system/media";
+
+          directories."${config.services.jellyfin.media_directory}" = lib.mkIf config.services.jellyfin.impermanence.enable {
+            enable = true;
+            owner.name = "jellyfin";
+            group.name = "jellyfin_media";
+            owner.permissions = {
+              read = true;
+              write = true;
+              execute = true;
+            };
+            group.permissions = {
+              read = true;
+              write = true;
+              execute = true;
+            };
+            other.permissions = {
+              read = false;
+              write = false;
+              execute = false;
+            };
+          };
+        };
+      };
+    };
+  };
+}