jalr/nixos-configuration
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
nixos-configuration/hosts/iron/services/jellyfin/default.nix
Jakob Lechner e199dc603b Enable hardware-accelerated transcoding
2025-10-28 04:04:44 +01:00

129 lines
3.9 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
let
inherit (config.networking) ports;
logoPng = pkgs.stdenvNoCC.mkDerivation {
name = "broflix.png";
src = ./broflix.svg;
dontBuild = true;
dontUnpack = true;
installPhase = ''
export PATH="$PATH:${pkgs.lib.makeBinPath [pkgs.imagemagick]}"
convert \
-background transparent \
$src \
-resize 1302x \
$out
'';
};
in
{
imports = [
./rar2fs.nix
];
services.jellyfin = {
enable = true;
};
systemd.services.jellyfin = {
serviceConfig = {
###MemoryDenyWriteExecute = true;
BindPaths = [
"/dev/dri/renderD128"
"/var/cache/jellyfin"
"/var/lib/jellyfin"
];
BindReadOnlyPaths = [
"/etc/resolv.conf"
"/etc/ssl"
"/etc/static/ssl"
"/filebitch/pub/Filme"
"/filebitch/pub/Serien"
"/nix/store"
"/run/opengl-driver"
"/var/lib/qBittorrent/downloads"
];
CapabilityBoundingSet = "";
DeviceAllow = "/dev/dri/renderD128 rw";
#IPAddressAllow = "localhost";
#IPAddressDeny = "any";
LockPersonality = true;
PrivateDevices = false;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "noaccess";
ProtectSystem = "strict";
ReadWritePaths = "";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RootDirectory = "/run/jellyfin";
RuntimeDirectory = "jellyfin";
StateDirectory = "jellyfin";
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
WorkingDirectory = "/var/lib/jellyfin";
};
};
services.nginx.virtualHosts."jellyfin.jalr.de" = {
enableACME = true;
forceSSL = true;
kTLS = true;
extraConfig = ''
client_max_body_size 20m;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# add_header X-Frame-Options "SAMEORIGIN";
# add_header X-XSS-Protection "1; mode=block";
# add_header X-Content-Type-Options "nosniff";
location / {
proxy_pass http://127.0.0.1:${toString ports.jellyfin.tcp};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_buffering off;
}
location = /web/broflix.svg {
alias ${./broflix.svg};
}
location = /web/assets/img/banner-light.png {
alias ${logoPng};
}
location = /web/assets/img/banner-dark.png {
alias ${logoPng};
}
location = /web/ {
proxy_pass http://127.0.0.1:${toString ports.jellyfin.tcp}/web/index.html;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
location /socket {
proxy_pass http://127.0.0.1:${toString ports.jellyfin.tcp};
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
'';
};
}
Reference in a new issue View git blame Copy permalink