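# Jellyfin media server: enables the NixOS module, tightens the systemd
# sandbox around it, and publishes it through nginx on jellyfin.jalr.de.
# `pkgs` and `custom-utils` are kept in the argument set for interface
# compatibility with the other host modules; only `lib` and the shared port
# table are used here.
args@{ lib, pkgs, custom-utils, ... }:
let
  # Per-host port assignments shared by all services on this host;
  # `ports.jellyfin.tcp` is the backend port the reverse proxy forwards to.
  ports = import ../ports.nix args;

  # Loopback-only upstream; Jellyfin is never reached directly from outside.
  backend = "http://127.0.0.1:${toString ports.jellyfin.tcp}";

  # Headers every proxied location passes on to Jellyfin.  The `$...` names
  # stay literal for nginx because Nix only interpolates `${...}`.
  # NOTE(review): $proxy_add_x_forwarded_for appends to whatever
  # X-Forwarded-For the client already sent, so the backend should only trust
  # the last hop — confirm Jellyfin's known-proxies setting covers 127.0.0.1.
  forwardHeaders = ''
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Protocol $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
  '';
in
{
  services.jellyfin.enable = true;

  # Sandboxing on top of what the NixOS module already sets.  The service is
  # chrooted into its runtime directory and only sees the paths listed below.
  systemd.services.jellyfin.serviceConfig = {
    # Left disabled; presumably the .NET runtime needs writable+executable
    # mappings for its JIT — TODO confirm before enabling.
    ###MemoryDenyWriteExecute = true;

    # The only writable locations inside the chroot.
    BindPaths = [
      "/var/cache/jellyfin"
      "/var/lib/jellyfin"
    ];
    # Read-only: the Nix store (so the service closure is reachable from the
    # chroot) and the media libraries, including the torrent download tree.
    # NOTE(review): nothing under /etc is bound in; confirm name resolution
    # and TLS trust still work for outbound metadata fetches — TODO.
    BindReadOnlyPaths = [
      "/nix/store"
      "/filebitch/pub/Filme"
      "/filebitch/pub/Serien"
      "/var/lib/qbittorrent/downloads"
    ];

    # No capabilities at all, even if the process tried to acquire them.
    CapabilityBoundingSet = "";
    # Network-address restriction intentionally off (presumably Jellyfin needs
    # outbound access for metadata providers) — kept for reference.
    #IPAddressAllow = "localhost";
    #IPAddressDeny = "any";
    LockPersonality = true;
    # mkForce overrides whatever the module sets; with private devices only
    # pseudo-devices are visible, so this host is assumed not to do hardware
    # transcoding — TODO confirm.
    PrivateDevices = lib.mkForce true;
    PrivateUsers = true;
    ProtectClock = true;
    ProtectControlGroups = true;
    ProtectHome = true;
    ProtectHostname = true;
    ProtectKernelLogs = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
    # Other processes are invisible in /proc.
    ProtectProc = "noaccess";
    # Whole filesystem read-only apart from the explicit BindPaths above;
    # ReadWritePaths is set to the empty string, presumably to clear a module
    # default — TODO confirm.
    ProtectSystem = "strict";
    ReadWritePaths = "";
    # Only IPv4/IPv6 sockets; no AF_UNIX, AF_NETLINK, etc.
    # NOTE(review): confirm nothing in the .NET runtime needs unix sockets.
    RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
    RestrictNamespaces = true;
    RestrictRealtime = true;
    # Chroot into the runtime directory created by RuntimeDirectory.
    RootDirectory = "/run/jellyfin";
    RuntimeDirectory = "jellyfin";
    StateDirectory = "jellyfin";
    # Refuse syscalls from non-native ABIs (e.g. 32-bit compat).
    SystemCallArchitectures = "native";
    # Allow the usual service set, then subtract the privileged group.
    SystemCallFilter = [
      "@system-service"
      "~@privileged"
    ];
    WorkingDirectory = "/var/lib/jellyfin";
  };

  # Public TLS endpoint; all three locations share the forwarded headers.
  services.nginx.virtualHosts."jellyfin.jalr.de" = {
    enableACME = true;
    forceSSL = true;
    kTLS = true;
    extraConfig = ''
      client_max_body_size 20m;
      # HSTS with includeSubDomains+preload commits every subdomain of the
      # site to HTTPS once the domain is on the preload list.
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
      # add_header X-Frame-Options "SAMEORIGIN";
      # add_header X-XSS-Protection "1; mode=block";
      # add_header X-Content-Type-Options "nosniff";
      location / {
        proxy_pass ${backend};
        ${forwardHeaders}
        proxy_buffering off;
      }
      location = /web/ {
        proxy_pass ${backend}/web/index.html;
        ${forwardHeaders}
      }
      # WebSocket endpoint needs HTTP/1.1 and the Upgrade handshake headers.
      location /socket {
        proxy_pass ${backend};
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        ${forwardHeaders}
      }
    '';
  };
}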