Jellyfin

systems/x86_64-linux/stargate/services/nginx.nix

@@ -85,6 +85,39 @@ in {
           proxyPass = "http://${cfg.address}:${builtins.toString cfg.port}";
         };
       };
+      "jellyfin.kylekrein.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
+          client_max_body_size 20M;
+
+          # Comment next line to allow TLSv1.0 and TLSv1.1 if you have very old clients
+          ssl_protocols TLSv1.3 TLSv1.2;
+
+          # Security / XSS Mitigation Headers
+          add_header X-Content-Type-Options "nosniff";
+
+          # Permissions policy. May cause issues with some clients
+          add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+
+          # Content Security Policy
+          add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; font-src 'self'";
+        '';
+
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8096";
+          extraConfig = ''
+            # Disable buffering when the nginx proxy gets very resource heavy upon streaming
+            proxy_buffering off;
+          '';
+        };
+
+        locations."/socket" = {
+          proxyPass = "http://127.0.0.1:8096";
+          proxyWebsockets = true;
+        };
+      };
     };
   };