7.2 KiB
Jellyfin Service
Defined in /modules/services/jellyfin.nix.
This NixOS module is a service that sets up a Jellyfin instance.
Compared to the stock module from nixpkgs, this one sets up, in a fully declarative manner the initial wizard with an admin user and LDAP and SSO integration.
Features
- Declarative creation of admin user.
- Declarative selection of listening port.
- Access through subdomain using reverse proxy. Manual.
- Access through HTTPS using reverse proxy. Manual.
- Declarative LDAP configuration although plugin must be installed manually. Manual.
- Declarative SSO configuration although plugin must be installed manually. Manual.
- Backup through the backup block. Manual.
Usage
Initial Configuration
The following snippet enables Jellyfin and makes it available under the jellyfin.example.com endpoint.
shb.jellyfin = {
enable = true;
subdomain = "jellyfin";
domain = "example.com";
admin = {
username = "admin";
password.result = config.shb.sops.secret.jellyfinAdminPassword.result;
};
};
shb.sops.secret.jellyfinAdminPassword.request = config.shb.jellyfin.admin.password.request;
This assumes secrets are setup with SOPS as mentioned in the secrets setup section of the manual.
Jellyfin through HTTPS
:::: {.note} We will build upon the Initial Configuration section, so please follow that first. ::::
If the shb.ssl block is used (see manual on how to set it up),
the instance will be reachable at https://jellyfin.example.com.
Here is an example with Let's Encrypt certificates, validated using the HTTP method. First, set the global configuration for your domain:
shb.certs.certs.letsencrypt."example.com" = {
domain = "example.com";
group = "nginx";
reloadServices = [ "nginx.service" ];
adminEmail = "myemail@mydomain.com";
};
Then you can tell Jellyfin to use those certificates.
shb.certs.certs.letsencrypt."example.com".extraDomains = [ "jellyfin.example.com" ];
shb.jellyfin = {
ssl = config.shb.certs.certs.letsencrypt."example.com";
};
With LDAP Support
:::: {.note} We will build upon the HTTPS section, so please follow that first. ::::
We will use the LLDAP block provided by Self Host Blocks. Assuming it has been set already, add the following configuration:
shb.jellyfin.ldap
enable = true;
host = "127.0.0.1";
port = config.shb.lldap.ldapPort;
dcdomain = config.shb.lldap.dcdomain;
adminPassword.result = config.shb.sops.secrets."jellyfin/ldap/adminPassword".result
};
shb.sops.secrets."jellyfin/ldap/adminPassword" = {
request = config.shb.jellyfin.ldap.adminPassword.request;
settings.key = "ldap/userPassword";
};
The shb.jellyfin.ldap.adminPasswordFile must be the same
as the shb.lldap.ldapUserPasswordFile which is achieved
with the key option.
The other secrets can be randomly generated with
nix run nixpkgs#openssl -- rand -hex 64.
Then, install the plugin LDAP-Auth. It should be available from the official repository already. No manual configuration of the plugin is needed, just installation. Note that the version tested with is 19.0.0.0. If your version differs, it could lead to some configuration mismatch. If that's the case, please open an issue or join the support channel.
And that's it.
Now, go to the LDAP server at http://ldap.example.com,
create the jellyfin_user and jellyfin_admin groups,
create a user and add it to one or both groups.
When that's done, go back to the Jellyfin server at
http://jellyfin.example.com and login with that user.
Work is in progress to make the creation of the LDAP user and group declarative too.
With SSO Support
:::: {.note} We will build upon the LDAP section, so please follow that first. ::::
We will use the SSO block provided by Self Host Blocks. Assuming it has been set already, add the following configuration:
shb.jellyfin.sso = {
enable = true;
endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
secretFile = <path/to/oidcJellyfinSharedSecret>;
secretFileForAuthelia = <path/to/oidcJellyfinSharedSecret>;
};
Passing the ssl option will auto-configure nginx to force SSL connections with the given
certificate.
The shb.jellyfin.sso.secretFile and shb.jellyfin.sso.secretFileForAuthelia options
must have the same content. The former is a file that must be owned by the jellyfin user while
the latter must be owned by the authelia user. I want to avoid needing to define the same secret
twice with a future secrets SHB block.
Then, install the plugin SSO-Auth. It should be available from the official repository already. No manual configuration of the plugin is needed, just installation. Note that the version tested with is 3.5.2.4. If your version differs, it could lead to some configuration mismatch. If that's the case, please open an issue or join the support channel.
Backup
Backing up Jellyfin using the Restic block is done like so:
shb.restic.instances."jellyfin" = {
request = config.shb.jellyfin.backup;
settings = {
enable = true;
};
};
The name "jellyfin" in the instances can be anything.
The config.shb.jellyfin.backup option provides what directories to backup.
You can define any number of Restic instances to backup Jellyfin multiple times.
You will then need to configure more options like the repository,
as explained in the restic documentation.
Debug
In case of an issue, check the logs for systemd service jellyfin.service.
Enable verbose logging by setting the shb.jellyfin.debug boolean to true.
Options Reference
id-prefix: services-jellyfin-options-
list-id: selfhostblocks-service-jellyfin-options
source: @OPTIONS_JSON@