fujin/nixarr
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

JF: Add option to allow incoming conns to a JF server running on vpn

Browse Source
This commit is contained in:
rasmus-kirk
2024-02-26 16:02:32 +01:00
parent c9eb47ce1c
commit ff170eaeda
1 changed files with 70 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files
nixarr/jellyfin/default.nix
+57 -8
View File
@@ -24,13 +24,51 @@ in {
'';
expose = {
vpn = {
enable = mkEnableOption ''
Expose the Jellyfin web service to the internet.
**Required options:**
- `nixarr.jellyfin.vpn.enable`
- `nixarr.jellyfin.expose.vpn.port`
Expose the Jellyfin web service to the internet, allowing anyone to
access it.
**Important:** Do _not_ enable this without setting up Jellyfin
authentication through localhost first!
'';
port = {
type = with types; nullOr port;
default = null;
description = ''
**Required options:** `nixarr.jellyfin.expose.vpn.enable`
The port to access jellyfin on. Get this port from your VPN provider.
**Important:** Do _not_ enable this without setting up Jellyfin
authentication through localhost first!
'';
};
};
https = {
enable = mkEnableOption ''
**Required options:**
- `nixarr.jellyfin.expose.https.acmeMail`
- `nixarr.jellyfin.expose.https.domainName`
**Conflicting options:** `nixarr.jellyfin.vpn.enable`
Expose the Jellyfin web service to the internet with https support,
allowing anyone to access it.
**Important:** Do _not_ enable this without setting up Jellyfin
authentication through localhost first!
'';
upnp.enable = mkEnableOption ''
Use UPNP to try to open ports 80 and 443 on your router.
'';
@@ -38,13 +76,14 @@ in {
domainName = mkOption {
type = types.nullOr types.str;
default = null;
description = "**REQUIRED:** The domain name to host Jellyfin on.";
description = "The domain name to host Jellyfin on.";
};
acmeMail = mkOption {
type = types.nullOr types.str;
default = null;
description = "**REQUIRED:** The ACME mail required for the letsencrypt bot.";
description = "The ACME mail required for the letsencrypt bot.";
};
};
};
};
@@ -67,23 +106,23 @@ in {
configDir = "${cfg.stateDir}/config";
};
networking.firewall = mkIf cfg.expose.enable {
networking.firewall = mkIf cfg.expose.https.enable {
allowedTCPPorts = [80 443];
};
util-nixarr.upnp = mkIf cfg.expose.upnp.enable {
util-nixarr.upnp = mkIf cfg.expose.https.upnp.enable {
enable = true;
openTcpPorts = [80 443];
};
services.nginx = mkIf (cfg.expose.enable || cfg.vpn.enable) {
services.nginx = mkIf (cfg.expose.https.enable || cfg.vpn.enable) {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
virtualHosts."${builtins.replaceStrings ["\n"] [""] cfg.expose.domainName}" = mkIf cfg.expose.enable {
virtualHosts."${builtins.replaceStrings ["\n"] [""] cfg.expose.https.domainName}" = mkIf cfg.expose.https.enable {
enableACME = true;
forceSSL = true;
locations."/" = {
@@ -106,9 +145,19 @@ in {
proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}";
};
};
virtualHosts."${config.util-nixarr.vpn.address}:${builtins.toString cfg.expose.vpn.port}" = mkIf cfg.expose.vpn.enable {
enableACME = true;
forceSSL = true;
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}";
};
};
};
security.acme = mkIf cfg.expose.enable {
security.acme = mkIf cfg.expose.https.enable {
acceptTerms = true;
defaults.email = cfg.expose.acmeMail;
};