JF: Add option to allow incoming connections to a Jellyfin server running on VPN

rasmus-kirk
2024-02-26 16:02:32 +01:00
parent c9eb47ce1c
commit ff170eaeda
+70 -21
@@ -24,27 +24,66 @@ in {
''; '';
expose = { expose = {
enable = mkEnableOption '' vpn = {
Expose the Jellyfin web service to the internet. enable = mkEnableOption ''
**Required options:**
- `nixarr.jellyfin.vpn.enable`
- `nixarr.jellyfin.expose.vpn.port`
**Important:** Do _not_ enable this without setting up Jellyfin Expose the Jellyfin web service to the internet, allowing anyone to
authentication through localhost first! access it.
'';
upnp.enable = mkEnableOption '' **Important:** Do _not_ enable this without setting up Jellyfin
Use UPNP to try to open ports 80 and 443 on your router. authentication through localhost first!
''; '';
domainName = mkOption { port = {
type = types.nullOr types.str; type = with types; nullOr port;
default = null; default = null;
description = "**REQUIRED:** The domain name to host Jellyfin on."; description = ''
**Required options:** `nixarr.jellyfin.expose.vpn.enable`
The port to access jellyfin on. Get this port from your VPN provider.
**Important:** Do _not_ enable this without setting up Jellyfin
authentication through localhost first!
'';
};
}; };
acmeMail = mkOption { https = {
type = types.nullOr types.str; enable = mkEnableOption ''
default = null; **Required options:**
description = "**REQUIRED:** The ACME mail required for the letsencrypt bot.";
- `nixarr.jellyfin.expose.https.acmeMail`
- `nixarr.jellyfin.expose.https.domainName`
**Conflicting options:** `nixarr.jellyfin.vpn.enable`
Expose the Jellyfin web service to the internet with https support,
allowing anyone to access it.
**Important:** Do _not_ enable this without setting up Jellyfin
authentication through localhost first!
'';
upnp.enable = mkEnableOption ''
Use UPNP to try to open ports 80 and 443 on your router.
'';
domainName = mkOption {
type = types.nullOr types.str;
default = null;
description = "The domain name to host Jellyfin on.";
};
acmeMail = mkOption {
type = types.nullOr types.str;
default = null;
description = "The ACME mail required for the letsencrypt bot.";
};
}; };
}; };
}; };
@@ -67,23 +106,23 @@ in {
configDir = "${cfg.stateDir}/config"; configDir = "${cfg.stateDir}/config";
}; };
networking.firewall = mkIf cfg.expose.enable { networking.firewall = mkIf cfg.expose.https.enable {
allowedTCPPorts = [80 443]; allowedTCPPorts = [80 443];
}; };
util-nixarr.upnp = mkIf cfg.expose.upnp.enable { util-nixarr.upnp = mkIf cfg.expose.https.upnp.enable {
enable = true; enable = true;
openTcpPorts = [80 443]; openTcpPorts = [80 443];
}; };
services.nginx = mkIf (cfg.expose.enable || cfg.vpn.enable) { services.nginx = mkIf (cfg.expose.https.enable || cfg.vpn.enable) {
enable = true; enable = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
virtualHosts."${builtins.replaceStrings ["\n"] [""] cfg.expose.domainName}" = mkIf cfg.expose.enable { virtualHosts."${builtins.replaceStrings ["\n"] [""] cfg.expose.https.domainName}" = mkIf cfg.expose.https.enable {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
@@ -106,9 +145,19 @@ in {
proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}"; proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}";
}; };
}; };
virtualHosts."${config.util-nixarr.vpn.address}:${builtins.toString cfg.expose.vpn.port}" = mkIf cfg.expose.vpn.enable {
enableACME = true;
forceSSL = true;
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}";
};
};
}; };
security.acme = mkIf cfg.expose.enable { security.acme = mkIf cfg.expose.https.enable {
acceptTerms = true; acceptTerms = true;
defaults.email = cfg.expose.acmeMail; defaults.email = cfg.expose.acmeMail;
}; };
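Review bot: `defaults.email = cfg.expose.acmeMail;` in the `security.acme` block still reads the old option path, while this commit moves the option to `expose.https.acmeMail` and guards the same block with `cfg.expose.https.enable`, so enabling https will fail at evaluation on a missing attribute — it should be `defaults.email = cfg.expose.https.acmeMail;`. The new VPN vhost also sets `enableACME = true` even though `security.acme` is only configured when `expose.https.enable` is set, so an `expose.vpn`-only setup reaches ACME without `acceptTerms`/email, and as far as I can tell an ACME certificate for a bare VPN IP reachable only on `expose.vpn.port` is not issuable anyway (HTTP-01 needs port 80 at that name and Let's Encrypt did not issue IP certificates at the time), so this vhost needs a different TLS source or a DNS name. Separately, nginx does not take a listen port from the virtualHost attribute name — `"${address}:${port}"` only becomes the server_name — so nothing actually listens on the VPN port; key the vhost by the address alone and add `listen = [{ addr = config.util-nixarr.vpn.address; port = cfg.expose.vpn.port; ssl = true; }];`. Note too that `networking.firewall` only opens 80/443 for the https case; whether the VPN interface is trusted elsewhere is not visible here. The enclosing `services.nginx`/config attribute set continues outside the hunk.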