nixfiles/hosts/hetzner-arm/containers/jellyfin/default.nix

{
  self,
  hostPath,
  tree,
  inputs,
  pkgs,
  config,
  ...
}: let
  containerName = "jellyfin";

  containerAddresses = import "${hostPath}/data/containerAddresses.nix";

  hostIP = containerAddresses.host;
  containerIP = containerAddresses.containers.${containerName};
in {
  containers.jellyfin = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = hostIP;
    localAddress = containerIP;

    bindMounts = {
      "/dev/fuse" = {
        hostPath = "/dev/fuse";
        isReadOnly = false;
      };
    };

    # Allow rclone mount in container
    allowedDevices = [
      {
        modifier = "rwm";
        node = "/dev/fuse";
      }
      {
        modifier = "rwm";
        node = "/dev/mapper/control";
      }
    ];

    specialArgs = {
      inherit inputs;
      inherit tree;
      inherit self;
      inherit hostPath;
    };

    config = {...}: {
      nixpkgs.pkgs = pkgs;

      imports = with tree;
        [
          presets.nixos.containerBase
          ./secrets.nix
        ]
        ++ (with hosts.hetzner-arm.containers.jellyfin.profiles; [
          mediaMount
          jellyfin
          restic
        ]);

      home-manager.users.root.home.stateVersion = "23.05";
      system.stateVersion = "23.05";
    };
  };

  services.nginx.virtualHosts."jellyfin.owo.monster" = {
    forceSSL = true;
    enableACME = true;
    extraConfig = ''
      client_max_body_size 512M;

      # Security / XSS Mitigation Headers
      # NOTE: X-Frame-Options may cause issues with the webOS app
      add_header X-Frame-Options "SAMEORIGIN";
      add_header X-XSS-Protection "0"; # Do NOT enable. This is obsolete/dangerous
      add_header X-Content-Type-Options "nosniff";

      # COOP/COEP. Disable if you use external plugins/images/assets
      add_header Cross-Origin-Opener-Policy "same-origin" always;
      add_header Cross-Origin-Embedder-Policy "require-corp" always;
      add_header Cross-Origin-Resource-Policy "same-origin" always;

      # Permissions policy. May cause issues on some clients
      add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;

      # Tell browsers to use per-origin process isolation
      add_header Origin-Agent-Cluster "?1" always;
    '';

    locations."/" = {
      proxyPass = "http://${containerIP}:8096";
      proxyWebsockets = true;
      extraConfig = ''
        proxy_buffering off;
      '';
    };
  };
}
add jellyfin and rclone fuse mount capability finally 2023-10-31 19:40:51 +00:00			`{`
			`self,`
			`hostPath,`
			`tree,`
			`inputs,`
			`pkgs,`
			`config,`
			`...`
			`}: let`
			`containerName = "jellyfin";`

			`containerAddresses = import "${hostPath}/data/containerAddresses.nix";`

			`hostIP = containerAddresses.host;`
			`containerIP = containerAddresses.containers.${containerName};`
			`in {`
			`containers.jellyfin = {`
			`autoStart = true;`
			`privateNetwork = true;`
			`hostAddress = hostIP;`
			`localAddress = containerIP;`

			`bindMounts = {`
			`"/dev/fuse" = {`
			`hostPath = "/dev/fuse";`
			`isReadOnly = false;`
			`};`
			`};`

			`# Allow rclone mount in container`
			`allowedDevices = [`
			`{`
			`modifier = "rwm";`
			`node = "/dev/fuse";`
			`}`
			`{`
			`modifier = "rwm";`
			`node = "/dev/mapper/control";`
			`}`
			`];`

			`specialArgs = {`
			`inherit inputs;`
			`inherit tree;`
			`inherit self;`
			`inherit hostPath;`
			`};`

			`config = {...}: {`
			`nixpkgs.pkgs = pkgs;`

			`imports = with tree;`
			`[`
			`presets.nixos.containerBase`
			`./secrets.nix`
			`]`
			`++ (with hosts.hetzner-arm.containers.jellyfin.profiles; [`
			`mediaMount`
			`jellyfin`
			`restic`
			`]);`

			`home-manager.users.root.home.stateVersion = "23.05";`
			`system.stateVersion = "23.05";`
			`};`
			`};`

			`services.nginx.virtualHosts."jellyfin.owo.monster" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`extraConfig = ''`
			`client_max_body_size 512M;`

			`# Security / XSS Mitigation Headers`
			`# NOTE: X-Frame-Options may cause issues with the webOS app`
			`add_header X-Frame-Options "SAMEORIGIN";`
			`add_header X-XSS-Protection "0"; # Do NOT enable. This is obsolete/dangerous`
			`add_header X-Content-Type-Options "nosniff";`

			`# COOP/COEP. Disable if you use external plugins/images/assets`
			`add_header Cross-Origin-Opener-Policy "same-origin" always;`
			`add_header Cross-Origin-Embedder-Policy "require-corp" always;`
			`add_header Cross-Origin-Resource-Policy "same-origin" always;`

			`# Permissions policy. May cause issues on some clients`
			`add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;`

			`# Tell browsers to use per-origin process isolation`
			`add_header Origin-Agent-Cluster "?1" always;`
			`'';`

			`locations."/" = {`
			`proxyPass = "http://${containerIP}:8096";`
			`proxyWebsockets = true;`
			`extraConfig = ''`
			`proxy_buffering off;`
			`'';`
			`};`
			`};`
			`}`