{ config, pkgs, lib, inputs, mkDomain, ... }:

let
  # Shorthand for values referenced more than once below.
  jellyfinOn = config.services.jellyfin.enable;

  # Path of the stock Jellyfin module and of its replacement from the unstable input.
  stockModule = "services/misc/jellyfin.nix";
  unstableModule = "${inputs.unstable}/nixos/modules/services/misc/jellyfin.nix";

  # DRM render node passed to the service for VAAPI.
  # NOTE(review): the node number is host-specific; on a machine with more
  # than one GPU it may not be renderD128 - confirm on the target host.
  vaapiNode = "/dev/dri/renderD128";
in

# Jellyfin media server behind an nginx TLS reverse proxy.
# The whole module is skipped when config.virtualisation.isVmVariant is set.
lib.mkIf (!config.virtualisation.isVmVariant) {

  # Toggle region (the /**/ markers): swap the stock Jellyfin module and
  # package for the ones from the unstable input.
  # NOTE(review): `imports` and `disabledModules` sit inside the lib.mkIf
  # content here. The module system normally reads those two keys from a
  # module's top level rather than from conditional config - confirm that the
  # unstable module is really the one being loaded.
  /**/
  disabledModules = [ stockModule ];
  #imports = [ ];
  imports = [ unstableModule ];
  services.jellyfin.package = pkgs.unstable.jellyfin;
  /**/

  services.jellyfin = {
    # Only turn this on when you are ready to run the first-time setup and
    # create the admin user.
    # NOTE(review): presumably the setup wizard is reachable through the
    # public vhost below until it has been completed - verify, and finish
    # setup right after the first deploy.
    enable = true;

    # Ports, from https://jellyfin.org/docs/general/networking/index.html:
    # - 8096/tcp is used by default for HTTP traffic. You can change this in the dashboard.
    # - 8920/tcp is used by default for HTTPS traffic. You can change this in the dashboard.
    # - 1900/udp is used for service auto-discovery. This is not configurable.
    # - 7359/udp is also used for auto-discovery. This is not configurable.
    #
    # None of these are opened on the host firewall: the manual firewall block
    # further down is commented out, so the nginx vhost is the only exposure
    # configured in this file.
    # NOTE(review): nothing here sets Jellyfin's own listen address, so
    # plain-HTTP 8096 stays off the network only while the host firewall is
    # enabled and no other module allows that port - confirm.
    openFirewall = false;

    # TODO: configure initial collections and extensions
  };

  # firewall - not needed?
  # Kept disabled. Regarding the TODO below: list options such as
  # allowedUDPPorts are merged across modules, not overwritten.
  /*
  networking.firewall = lib.mkIf config.services.jellyfin.enable {
    # TODO: does this overwrite rules set by other stuff? should i use ++ ?
    #allowedTCPPorts = [ 8096 8920 ];
    allowedUDPPorts = [ 1900 7359 ]; # TODO: Only if behind a NAT?
  };
  */

  # Public entry point: TLS-only vhost that forwards to Jellyfin's HTTP port on loopback.
  services.nginx.virtualHosts.${mkDomain "jellyfin"} = lib.mkIf jellyfinOn {
    # Certificate is requested via ACME for this vhost.
    enableACME = true;
    #useACMEHost = acmeDomain;

    # forceSSL rather than addSSL: no content is served over plain HTTP.
    forceSSL = true; # addSSL = true;

    locations."/" = {
      proxyWebsockets = true;
      proxyPass = "http://127.0.0.1:8096";
    };
  };

  # Allow Jellyfin access to VAAPI.
  # The group membership gives the service user file permission on the DRM
  # nodes; the serviceConfig below relaxes the unit's device sandbox so the
  # render node is visible to it.
  users.users.${config.services.jellyfin.user}.extraGroups = [ "video" "render" ];

  systemd.services.jellyfin.serviceConfig = {
    # mkForce overrides whatever the Jellyfin module sets for these two keys,
    # so changes to them in the module will not take effect here - re-check
    # on upgrades.
    PrivateDevices = lib.mkForce false;

    # The allow-list is kept to the single render node.
    # NOTE(review): no access suffix (r/w/m) is given - confirm that the
    # access systemd grants by default is what is wanted here.
    DeviceAllow = lib.mkForce [ vaapiNode ];
  };
}