147 lines
4.4 KiB
Nix
147 lines
4.4 KiB
Nix
{
|
|
lib,
|
|
pkgs,
|
|
config,
|
|
...
|
|
}: let
|
|
jellyfinPort = 8096;
|
|
dlanPort = 1900;
|
|
jellyfin_data_directory = "/var/lib/jellyfin";
|
|
jellyfin_cache_directory = "/var/cache/jellyfin";
|
|
in {
|
|
options.services.jellyfin = {
|
|
subdomain = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = "subdomain of base domain that jellyfin will be hosted at";
|
|
default = "jellyfin";
|
|
};
|
|
extraSubdomains = lib.mkOption {
|
|
type = lib.types.listOf lib.types.str;
|
|
description = "ex subdomain of base domain that jellyfin will be hosted at";
|
|
default = [];
|
|
};
|
|
media_directory = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = "directory jellyfin media will be hosted at";
|
|
default = "/srv/jellyfin/media";
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf config.services.jellyfin.enable (
|
|
lib.mkMerge [
|
|
{
|
|
environment.systemPackages = [
|
|
pkgs.jellyfin
|
|
pkgs.jellyfin-web
|
|
pkgs.jellyfin-ffmpeg
|
|
];
|
|
|
|
networking.firewall.allowedTCPPorts = [jellyfinPort dlanPort];
|
|
|
|
systemd.tmpfiles.rules = [
|
|
"d ${config.services.jellyfin.media_directory} 2770 jellyfin jellyfin_media"
|
|
"A ${config.services.jellyfin.media_directory} - - - - u:jellyfin:rwX,g:jellyfin_media:rwX,o::-"
|
|
];
|
|
}
|
|
(lib.mkIf config.host.reverse_proxy.enable {
|
|
host.reverse_proxy.subdomains.jellyfin = {
|
|
target = "http://localhost:${toString jellyfinPort}";
|
|
|
|
subdomain = config.services.jellyfin.subdomain;
|
|
extraSubdomains = config.services.jellyfin.extraSubdomains;
|
|
|
|
forwardHeaders.enable = true;
|
|
|
|
extraConfig = ''
|
|
client_max_body_size 20M;
|
|
add_header X-Content-Type-Options "nosniff";
|
|
|
|
proxy_buffering off;
|
|
'';
|
|
};
|
|
})
|
|
(lib.mkIf config.services.fail2ban.enable {
|
|
environment.etc = {
|
|
"fail2ban/filter.d/jellyfin.local".text = (
|
|
pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
|
|
[Definition]
|
|
failregex = "^.*Authentication request for .* has been denied \\\(IP: \"<ADDR>\"\\\)\\\."
|
|
'')
|
|
);
|
|
};
|
|
|
|
services.fail2ban = {
|
|
jails = {
|
|
jellyfin-iptables.settings = {
|
|
enabled = true;
|
|
filter = "jellyfin";
|
|
action = ''iptables-multiport[name=HTTP, port="http,https"]'';
|
|
logpath = "${config.services.jellyfin.dataDir}/log/*.log";
|
|
backend = "auto";
|
|
findtime = 600;
|
|
bantime = 600;
|
|
maxretry = 5;
|
|
};
|
|
};
|
|
};
|
|
})
|
|
(lib.mkIf config.host.impermanence.enable {
|
|
fileSystems."/persist/system/jellyfin".neededForBoot = true;
|
|
|
|
host.storage.pool.extraDatasets = {
|
|
# sops age key needs to be available to pre persist for user generation
|
|
"persist/system/jellyfin" = {
|
|
type = "zfs_fs";
|
|
mountpoint = "/persist/system/jellyfin";
|
|
options = {
|
|
atime = "off";
|
|
relatime = "off";
|
|
canmount = "on";
|
|
};
|
|
};
|
|
};
|
|
|
|
assertions = [
|
|
{
|
|
assertion = config.services.jellyfin.dataDir == jellyfin_data_directory;
|
|
message = "jellyfin data directory does not match persistence";
|
|
}
|
|
{
|
|
assertion = config.services.jellyfin.cacheDir == jellyfin_cache_directory;
|
|
message = "jellyfin cache directory does not match persistence";
|
|
}
|
|
];
|
|
|
|
environment.persistence = {
|
|
"/persist/system/root" = {
|
|
directories = [
|
|
{
|
|
directory = jellyfin_data_directory;
|
|
user = "jellyfin";
|
|
group = "jellyfin";
|
|
}
|
|
{
|
|
directory = jellyfin_cache_directory;
|
|
user = "jellyfin";
|
|
group = "jellyfin";
|
|
}
|
|
];
|
|
};
|
|
|
|
"/persist/system/jellyfin" = {
|
|
enable = true;
|
|
hideMounts = true;
|
|
directories = [
|
|
{
|
|
directory = config.services.jellyfin.media_directory;
|
|
user = "jellyfin";
|
|
group = "jellyfin_media";
|
|
mode = "1770";
|
|
}
|
|
];
|
|
};
|
|
};
|
|
})
|
|
]
|
|
);
|
|
}
|