selfhostblocks/modules/services/jellyfin/docs/default.md
2025-09-27 21:25:40 +02:00

6.1 KiB

Jellyfin Service

Defined in /modules/services/jellyfin.nix.

This NixOS module is a service that sets up a Jellyfin instance.

Compared to the stock module from nixpkgs, this one sets up, in a fully declarative manner the initial wizard with an admin user and LDAP and SSO integration.

Features

Usage

Initial Configuration

The following snippet enables Jellyfin and makes it available under the jellyfin.example.com endpoint.

shb.jellyfin = {
  enable = true;
  subdomain = "jellyfin";
  domain = "example.com";

  admin = {
    username = "admin";
    password.result = config.shb.sops.secret.jellyfinAdminPassword.result;
  };
};

shb.sops.secret.jellyfinAdminPassword.request = config.shb.jellyfin.admin.password.request;

This assumes secrets are setup with SOPS as mentioned in the secrets setup section of the manual.

Jellyfin through HTTPS

:::: {.note} We will build upon the Initial Configuration section, so please follow that first. ::::

If the shb.ssl block is used (see manual on how to set it up), the instance will be reachable at https://jellyfin.example.com.

Here is an example with Let's Encrypt certificates, validated using the HTTP method. First, set the global configuration for your domain:

shb.certs.certs.letsencrypt."example.com" = {
  domain = "example.com";
  group = "nginx";
  reloadServices = [ "nginx.service" ];
  adminEmail = "myemail@mydomain.com";
};

Then you can tell Jellyfin to use those certificates.

shb.certs.certs.letsencrypt."example.com".extraDomains = [ "jellyfin.example.com" ];

shb.jellyfin = {
  ssl = config.shb.certs.certs.letsencrypt."example.com";
};

With LDAP Support

:::: {.note} We will build upon the HTTPS section, so please follow that first. ::::

We will use the LLDAP block provided by Self Host Blocks. Assuming it has been set already, add the following configuration:

shb.jellyfin.ldap
  enable = true;
  host = "127.0.0.1";
  port = config.shb.lldap.ldapPort;
  dcdomain = config.shb.lldap.dcdomain;
  adminPassword.result = config.shb.sops.secrets."jellyfin/ldap/adminPassword".result
};

shb.sops.secrets."jellyfin/ldap/adminPassword" = {
  request = config.shb.jellyfin.ldap.adminPassword.request;
  settings.key = "ldap/userPassword";
};

The shb.jellyfin.ldap.adminPasswordFile must be the same as the shb.lldap.ldapUserPasswordFile which is achieved with the key option. The other secrets can be randomly generated with nix run nixpkgs#openssl -- rand -hex 64.

And that's it. Now, go to the LDAP server at http://ldap.example.com, create the jellyfin_user and jellyfin_admin groups, create a user and add it to one or both groups. When that's done, go back to the Jellyfin server at http://jellyfin.example.com and login with that user.

Work is in progress to make the creation of the LDAP user and group declarative too.

With SSO Support

:::: {.note} We will build upon the LDAP section, so please follow that first. ::::

We will use the SSO block provided by Self Host Blocks. Assuming it has been set already, add the following configuration:

shb.jellyfin.sso = {
  enable = true;
  endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";

  secretFile = <path/to/oidcJellyfinSharedSecret>;
  secretFileForAuthelia = <path/to/oidcJellyfinSharedSecret>;
};

Passing the ssl option will auto-configure nginx to force SSL connections with the given certificate.

The shb.jellyfin.sso.secretFile and shb.jellyfin.sso.secretFileForAuthelia options must have the same content. The former is a file that must be owned by the jellyfin user while the latter must be owned by the authelia user. I want to avoid needing to define the same secret twice with a future secrets SHB block.

Backup

Backing up Jellyfin using the Restic block is done like so:

shb.restic.instances."jellyfin" = {
  request = config.shb.jellyfin.backup;
  settings = {
    enable = true;
  };
};

The name "jellyfin" in the instances can be anything. The config.shb.jellyfin.backup option provides what directories to backup. You can define any number of Restic instances to backup Jellyfin multiple times.

You will then need to configure more options like the repository, as explained in the restic documentation.

Debug

In case of an issue, check the logs for systemd service jellyfin.service.

Enable verbose logging by setting the shb.jellyfin.debug boolean to true.

Options Reference

id-prefix: services-jellyfin-options-
list-id: selfhostblocks-service-jellyfin-options
source: @OPTIONS_JSON@