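# Jellyfin media server module: declares a fixed-id service user and group,
# enables the upstream NixOS jellyfin service, publishes it through two nginx
# virtual hosts (internal and external), and optionally backs up its data dir.
{ pkgs, config, lib, ... }:

let
  cfg = config.modules.services.jellyfin;
  # static uid/gid shared by the jellyfin user and group
  ids = 701;
  # jellyfin's stock HTTP port; only used in the option description below
  default_port = 8096;
  data_dir = "/var/lib/jellyfin";
in
{
  options.modules.services.jellyfin = {
    enable = lib.mkEnableOption "enables jellyfin";

    # set port options
    port = lib.mkOption {
      # types.port rejects values outside 0-65535 at evaluation time
      type = lib.types.port;
      default = 7101;
      # NOTE(review): in this module cfg.port is only used as the nginx
      # upstream; nothing here passes it to jellyfin itself. The proxy only
      # works if jellyfin was configured separately to listen on this port.
      # Confirm against the running instance.
      description = "set port for jellyfin (jellyfin's own default: ${toString default_port})";
    };

    backup = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "add jellyfin's data directory to the system backup paths";
    };
  };

  config = lib.mkIf cfg.enable {
    # declare jellyfin group
    users.groups.jellyfin = {
      gid = ids;
    };

    # declare jellyfin user
    users.users.jellyfin = {
      description = "jellyfin media server user";
      uid = ids;
      isSystemUser = true;
      home = data_dir;
      createHome = true;
      group = "jellyfin";
      extraGroups = [ "media" "video" "render" ];
    };

    # enable the jellyfin service
    services.jellyfin = {
      enable = true;
      # Opens 8096/8920 automatically.
      # NOTE(review): this exposes jellyfin's own listener directly, so
      # clients can reach it without going through the nginx virtual hosts
      # below (and without the TLS the external one enforces). If nginx is
      # meant to be the only entry point, set this to false and open only
      # the nginx ports.
      openFirewall = true;
      user = "jellyfin"; # Default: jellyfin
      group = "jellyfin"; # Default: jellyfin
      dataDir = data_dir; # Config + metadata storage
    };

    # override umask to make permissions work out
    # 0007: new files are read/write for owner and group, no access for others
    systemd.services.jellyfin.serviceConfig = {
      UMask = lib.mkForce "0007";
    };

    # open firewall
    # networking.firewall.allowedTCPPorts = [ cfg.port ];

    # internal reverse proxy entry
    # NOTE(review): with forceSSL = false and no addSSL/onlySSL set, the
    # certificate below does not appear to be used and this host is served
    # over plain HTTP, so logins and session tokens cross the LAN
    # unencrypted. Confirm that is intended; otherwise set addSSL or forceSSL.
    services.nginx.virtualHosts."jellyfin.snowbelle.lan" = {
      enableACME = false;
      forceSSL = false;
      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString cfg.port}";
      };
    };

    # external reverse proxy entry
    # TLS is enforced here (forceSSL redirects HTTP to HTTPS); the certificate
    # and key are sops-managed secrets declared outside this module.
    services.nginx.virtualHosts."media.blakedheld.xyz" = {
      enableACME = false;
      forceSSL = true;
      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString cfg.port}";
      };
    };

    # add to backups
    modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
  };
}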