Jellyfin

systems/x86_64-linux/stargate/services/jellyfin.nix

@@ -0,0 +1,66 @@
+{
+  lib,
+  pkgs,
+  inputs,
+  namespace,
+  system,
+  target,
+  format,
+  virtual,
+  systems,
+  config,
+  ...
+}:
+with lib;
+with lib.custom; {
+  sops.secrets."services/jellyfin" = {
+    owner = config.services.jellyfin.user;
+    group = config.services.jellyfin.group;
+  };
+  services.declarative-jellyfin = {
+    enable = true;
+    openFirewall = true;
+    users = {
+      admin = {
+        mutable = false;
+        permissions.isAdministrator = true;
+        hashedPasswordFile = config.sops.secrets."services/jellyfin".path;
+      };
+    };
+    plugins = [
+      {
+        name = "intro skipper";
+        url = "https://github.com/intro-skipper/intro-skipper/releases/download/10.10/v1.10.10.19/intro-skipper-v1.10.10.19.zip";
+        version = "1.10.10.19";
+        targetAbi = "10.10.7.0"; # Required as intro-skipper doesn't provide a meta.json file
+        sha256 = "sha256:12hby8vkb6q2hn97a596d559mr9cvrda5wiqnhzqs41qg6i8p2fd";
+      }
+    ];
+    system = {
+      serverName = "Jellyfin Homeserver for Bees";
+      # Use Hardware Acceleration for trickplay image generation
+      trickplayOptions = {
+        enableHwAcceleration = true;
+        enableHwEncoding = true;
+      };
+      UICulture = "ru";
+    };
+    encoding = {
+      enableHardwareEncoding = true;
+      hardwareAccelerationType = "vaapi";
+      enableDecodingColorDepth10Hevc = true; # enable if your system supports
+      allowHevcEncoding = true; # enable if your system supports
+      allowAv1Encoding = true; # enable if your system supports
+      hardwareDecodingCodecs = [
+        # enable the codecs your system supports
+        "h264"
+        "hevc"
+        "mpeg2video"
+        "vc1"
+        "vp9"
+        "av1"
+      ];
+    };
+  };
+  users.users.${config.services.jellyfin.user}.extraGroups = ["video" "render"];
+}

systems/x86_64-linux/stargate/services/nginx.nix

@@ -85,6 +85,39 @@ in {
           proxyPass = "http://${cfg.address}:${builtins.toString cfg.port}";
         };
       };
+      "jellyfin.kylekrein.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
+          client_max_body_size 20M;
+
+          # Comment next line to allow TLSv1.0 and TLSv1.1 if you have very old clients
+          ssl_protocols TLSv1.3 TLSv1.2;
+
+          # Security / XSS Mitigation Headers
+          add_header X-Content-Type-Options "nosniff";
+
+          # Permissions policy. May cause issues with some clients
+          add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+
+          # Content Security Policy
+          add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; font-src 'self'";
+        '';
+
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8096";
+          extraConfig = ''
+            # Disable buffering when the nginx proxy gets very resource heavy upon streaming
+            proxy_buffering off;
+          '';
+        };
+
+        locations."/socket" = {
+          proxyPass = "http://127.0.0.1:8096";
+          proxyWebsockets = true;
+        };
+      };
     };
   };