jana/server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

media

Browse source
This commit is contained in:
Jana Dönszelmann 2025-08-03 16:18:32 +02:00
parent 552eceaf18
commit d35531c1bd
No known key found for this signature in database
15 changed files with 365 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

11
fili/services/media/default.nix
View file

@ -1 +1,10 @@
_: { }
_: {
imports = [
./overseerr.nix
./radarr.nix
./sonarr.nix
./torrent.nix
./jackett.nix
./plex.nix
];
}

19
fili/services/media/jackett.nix Normal file
View file

@ -0,0 +1,19 @@
_: {
services.nginx = {
virtualHosts."jackett.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://[::1]:9117";
};
};
};
services.jackett = {
enable = true;
group = "jellyfin";
user = "jellyfin";
};
}

22
fili/services/media/overseerr.nix Normal file
View file

@ -0,0 +1,22 @@
{ config, ... }:
let
port = 11002;
in
{
config.networking.firewall.allowedTCPPorts = [ port ];
config.virtualisation.oci-containers.containers = {
overseerr = {
image = "mirror.gcr.io/fallenbagel/jellyseerr:develop";
environment = {
PORT = "5555";
TZ = "Europe/Amsterdam";
LOG_LEVEL = "debug";
};
extraOptions = [ "--network=host" ];
volumes = [
"/var/lib/microvms/rr/storage/data/overseerr:/app/config"
];
};
};
}

82
fili/services/media/plex.nix Normal file
View file

@ -0,0 +1,82 @@
_: {
services.plex = {
enable = true;
openFirewall = true;
user = "jellyfin";
};
users.groups.jellyfin = { };
users.users.jellyfin = {
isSystemUser = true;
group = "jellyfin";
extraGroups = [ "storage" ];
};
services.nginx = {
virtualHosts."media.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
extraConfig = ''
#Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
send_timeout 100m;
# Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
#Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
# Forward real ip and host to Plex
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $server_addr;
proxy_set_header Referer $server_addr;
proxy_set_header Origin $server_addr;
# Plex has A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off.
gzip on;
gzip_vary on;
gzip_min_length 1000;
gzip_proxied any;
gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
gzip_disable "MSIE [1-6]\.";
# Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones.
# Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more
client_max_body_size 100M;
# Plex headers
proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
proxy_set_header X-Plex-Device $http_x_plex_device;
proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
proxy_set_header X-Plex-Platform $http_x_plex_platform;
proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
proxy_set_header X-Plex-Product $http_x_plex_product;
proxy_set_header X-Plex-Token $http_x_plex_token;
proxy_set_header X-Plex-Version $http_x_plex_version;
proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
proxy_set_header X-Plex-Provides $http_x_plex_provides;
proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
proxy_set_header X-Plex-Model $http_x_plex_model;
# Websockets
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Buffering off send to the client as soon as the data is received from Plex.
proxy_redirect off;
proxy_buffering off;
'';
locations."/" = {
proxyPass = "http://[::1]:32400";
};
};
};
}

20
fili/services/media/radarr.nix Normal file
View file

@ -0,0 +1,20 @@
{ ... }:
{
services.nginx = {
virtualHosts."radarr.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://[::1]:7878";
};
};
};
services.radarr = {
enable = true;
group = "jellyfin";
user = "jellyfin";
};
}

19
fili/services/media/sonarr.nix Normal file
View file

@ -0,0 +1,19 @@
_: {
services.nginx = {
virtualHosts."sonarr.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://[::1]:8989";
};
};
};
services.sonarr = {
enable = true;
group = "jellyfin";
user = "jellyfin";
};
}

125
fili/services/media/torrent.nix Normal file
View file

@ -0,0 +1,125 @@
{
config,
pkgs,
...
}:
{
sops.secrets.mullvad = {
sopsFile = ../../../secrets/mullvad.yaml;
owner = "root";
format = "yaml";
};
vpnNamespaces.mullvad = {
enable = true;
wireguardConfigFile = config.sops.secrets.mullvad.path;
accessibleFrom = [
"192.168.0.0/16"
];
portMappings = [
{
from = 9091;
to = 9091;
} # UI Port.
{
from = 5432;
to = 5432;
} # DB Port.
];
openVPNPorts = [
{
port = 50901;
protocol = "both";
}
{
port = 50902;
protocol = "both";
}
{
port = 50903;
protocol = "both";
}
{
port = 50904;
protocol = "both";
}
{
port = 50905;
protocol = "both";
}
{
port = 50906;
protocol = "both";
}
{
port = 50907;
protocol = "both";
}
{
port = 50908;
protocol = "both";
}
{
port = 50909;
protocol = "both";
}
];
};
# proxy."dl.donsz.nl" = {
# port = 9091;
# to = "192.168.15.1";
# authenticated = true;
# };
services.nginx = {
virtualHosts."dl.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.15.1:9091";
};
};
};
systemd.services.transmission.vpnConfinement = {
enable = true;
vpnNamespace = "mullvad";
};
services.transmission = {
enable = true;
package = pkgs.transmission_4;
webHome = pkgs.stdenv.mkDerivation {
name = "flood-modified";
version = "1.0";
src = pkgs.flood-for-transmission;
installPhase = ''
mkdir -p $out
cp -r ./* $out
cp ./config.json.defaults $out/config.json
'';
};
home = "/var/lib/transmission";
user = "jellyfin";
group = "jellyfin";
settings = {
download-dir = "/storage/storage/torrents";
incomplete-dir-enabled = false;
# incomplete-dir = "/storage/storage/torrents";
rpc-bind-address = "192.168.15.1";
rpc-host-whitelist-enabled = false;
rpc-whitelist-enabled = false;
rpc-port = 9091;
peer-port = 50909;
cache-size-mb = 2048;
preallocation = 1;
};
};
}