WIP: lindberg: Add jellyfin nixos container #140
No description provided.
@ -5,0 +4,4 @@qois.backup-client.includePaths = ["/mnt/data""/var/lib/jellyfin""/var/lib/nixos-containers"
TODO: Verify that there is only the machine id etc. in this folder, and nothing else that we might not want to back up.
@ -49,1 +50,3 @@internalInterfaces = [ "vms-nat" ];internalInterfaces = ["vms-nat""ve-jellyfin"
Change this to "ve-*" so that it works when we add more containers.
@ -63,6 +68,11 @@ inallowedTCPPorts = [ 53 ];};networking.firewall.interfaces."ve-jellyfin" = {
Create a config that maps the nat.internalInterfaces, so that interfaces don't have to be specified manually.
@ -0,0 +1,63 @@# JellyfinJellyfin media server running as a NixOS container (systemd-nspawn) on `lindberg`, configured via [nixflix](https://kiriwalawren.github.io/nixflix/reference/).
This module should be host agnostic - remove lindberg references.
Do, however, explain about the subdomains of the primary domain.
@ -0,0 +32,4 @@Before deploying, create both secrets on lindberg:```bashsops private/nixos-configurations/lindberg/secrets.sops.yaml
Explain this without referencing lindberg - show the `sops set` commands to do this without manual copy-paste (see nixos-configurations/setup.md on how to do that).
@ -0,0 +34,4 @@# Admin user: password is read at runtime from /run/jellyfin-admin-password,# which is materialized by jellyfin-credential-setup.service below.nixflix.jellyfin.users.admin = {password._secret = "/run/jellyfin-admin-password";
TODO: Explain in the readme how to get this login as an admin (sops get ...)
@ -0,0 +64,4 @@};# API key read from systemd credential passed by the container host via --load-credential.# Create: sops private/nixos-configurations/lindberg/secrets.sops.yaml
Already documented in README.md, remove here.
@ -0,0 +73,4 @@"jellyfin-api-key:jellyfin-api-key"];# Reverse proxy via nixflix's nginx module: it builds the virtual host
Remove these self-explanatory comments...
@ -0,0 +76,4 @@# Reverse proxy via nixflix's nginx module: it builds the virtual host# "${subdomain}.${domain}" with proxyPass, websockets, buffering off, and# forceSSL via mkVirtualHost, and auto-derives knownProxies/localNetworkAddresses.# We layer per-host ACME (instead of nixflix's wildcard useACMEHost pattern) and kTLS on top.
Why not nixflix useACMEHost? It should do the same?
@ -0,0 +39,4 @@sslCertificateKey = "${certs}/${jellyfinDomain}.key.pem";};networking.extraHosts = "127.0.0.1 ${jellyfinDomain}";
Set with `networking.hosts`. Check if nixflix or our module doesn't do this out of the box.
@ -99,2 +114,4 @@};containerDomains = mkOption {description = "Full domain to container-name mappings; IPs taken from lindberg-containers-nat network";
TODO: This doesn't currently work in some cases, as we also run a loadbalancer on cyprianspitz. Can cyprianspitz route these IPs over the backplane?
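Review bot: In the `qois.backup-client.includePaths` hunk, confirm where the container's Jellyfin state actually lives before relying on `/var/lib/jellyfin`. A nixos-container's root filesystem sits under `/var/lib/nixos-containers/<name>`, so unless `/var/lib/jellyfin` is bind-mounted into the container from the host, the data is at `/var/lib/nixos-containers/jellyfin/var/lib/jellyfin` and the host-side `/var/lib/jellyfin` entry backs up nothing. Listing `/var/lib/nixos-containers` as a whole will also pull in the complete rootfs of every future container, not just Jellyfin's state; consider listing the specific state directory instead of the parent.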
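Review bot: In the `internalInterfaces` hunk, the suggested `"ve-*"` would not match anything: the NixOS NAT module passes these names to iptables `-i`, and iptables spells an interface-name wildcard with a trailing `+`, so the entry should be `"ve-+"` (`internalInterfaces = [ "vms-nat" "ve-+" ]`). Verify after deploy with `iptables -t nat -S` that a MASQUERADE rule carrying `-i ve-+` is present.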
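Review bot: In the `networking.firewall.interfaces."ve-jellyfin"` hunk, the preceding context shows the existing per-interface block only opens `allowedTCPPorts = [ 53 ]`. If the new block mirrors that so the container can reach a resolver on the host, it also needs `allowedUDPPorts = [ 53 ]`, since stub resolvers query over UDP first and only fall back to TCP on truncation. The same iptables wildcard used for NAT (`"ve-+"`) is accepted as the attribute name here, so one block covers all containers without the manual mapping the comment asks for.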
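Review bot: In the `password._secret = "/run/jellyfin-admin-password"` hunk, a plain file under `/run` is only as private as the mode `jellyfin-credential-setup.service` gives it; `/run` is a world-readable tmpfs, so the unit must write the file as the Jellyfin service user with mode 0400 (for example `umask 077` before the write, or `install -m 0400 -o jellyfin`), and the README should state this. The API-key hunk already passes its secret through `--load-credential` / `LoadCredential`, which lands it in the service's private `$CREDENTIALS_DIRECTORY`; doing the same for the admin password would remove the hand-rolled file entirely.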
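Review bot: In the per-host ACME hunk (the `# We layer per-host ACME ... on top` comment), HTTP-01 validation needs `http://${jellyfinDomain}/.well-known/acme-challenge/` to reach this host's nginx from the internet. With the domain resolving to cyprianspitz's public IP, as the post-deploy checks describe, the load balancer there must forward port 80 for this domain to lindberg, not only 443, or issuance and every renewal will fail; note that requirement next to the `enableACME` choice.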
Addressed the review feedback in commits d34ad10..5481642.
What changed

- d34ad10: `nixos-modules/jellyfin/default.nix` and `nixos-modules/jellyfin/README.md` host-agnostic, switched to `sops set` with a `$SECRETS_FILE` placeholder, added an Admin Login section
- 386d64e: `networking.extraHosts` in the test with `nixflix.nginx.addHostsEntries = true` so nixflix's `mkVirtualHosts` adds the entry itself
- 18c2aa8: `internalInterfaces` and `networking.firewall.interfaces` to the iptables wildcard `ve-+` so any future container's veth is matched automatically
- 0867212: `vpn.qo.is/cyprianspitz-nginx` pattern: added `qois.loadbalancer.containerHost` (default `lindberg`); on the container host `containerDomains` backends still resolve to the container IP, on every other LB they forward to `containerHost`'s backplane IP, so cyprianspitz transparently proxies to lindberg's LB. Avoids extending wireguard AllowedIPs (wgautomesh hard-codes `address/32` and overwrites any local override on every endpoint change).
- 5481642: `enableACME = true` to stay consistent with `cloud`, `vault`, `git`, `attic`, `nixpkgs-cache`, `grafana`, `static-page`, `vpn-server`. nixflix's `nixflix.nginx.enableACME` resolves to `useACMEHost = "${nixflix.nginx.domain}"` (nixflix/lib/mkVirtualHosts.nix:50), which expects a separately-configured `security.acme.certs."media.qo.is"` (wildcard via DNS-01). We do not have wildcard ACME for `media.qo.is`, so the per-host HTTP-01 cert avoids new ACME plumbing.

Deployment order

Post-deploy checks

On lindberg: if anything beyond machine-id shows up under `/var/lib/nixos-containers/jellyfin/`, narrow `qois.backup-client.includePaths` or add to `excludePaths`.

On cyprianspitz: end to end, from an off-network client (resolving the domain to cyprianspitz's public IP):

Rollback

deploy-rs magic-rollback is enabled by default; failed activations revert automatically after 30 s. Manual rollback: `deploy --rollback`.
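The post-deploy checks above are stated in prose. The following is an added example, not code from the PR or from the qo.is repository, showing how three of the review points (backup scope of the container state directory, permissions of the secret materialised under `/run`, and the `ve-+` NAT wildcard) can be scripted as checks that either pass or name what is wrong. The paths `/var/lib/nixos-containers/jellyfin` and `/run/jellyfin-admin-password`, the `jellyfin` service user and the shape of `iptables -t nat -S` output are assumptions taken from the diff; the data used in `main_demo` is constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the PR or the qo.is repository: post-deploy sanity
# checks for three points raised in review. The paths, the service user name
# and the shape of `iptables -t nat -S` output are assumptions taken from the
# diff; the data used in main_demo is constructed.

# Backup scope: the container state directory should hold only machine-id.
# Returns 1 and names the first unexpected entry, so includePaths can be
# narrowed or excludePaths extended.
check_state_dir() {
  local dir=$1 entry name
  for entry in "$dir"/* "$dir"/.[!.]*; do
    [ -e "$entry" ] || continue   # skip unmatched glob patterns
    name=${entry##*/}
    if [ "$name" != "machine-id" ]; then
      echo "unexpected entry under $dir: $name" >&2
      return 1
    fi
  done
  return 0
}

# Secret materialised under /run: must belong to the service user and be
# unreadable by group and others (mode 0400 or 0600), since /run itself is
# world-readable.
check_secret_mode() {
  local file=$1 owner=$2 mode fowner
  mode=$(stat -c %a "$file" 2>/dev/null) || return 1
  fowner=$(stat -c %U "$file" 2>/dev/null) || return 1
  case $mode in
    400|600) ;;
    *) echo "$file: mode $mode is too permissive" >&2; return 1 ;;
  esac
  if [ "$fowner" != "$owner" ]; then
    echo "$file: owned by $fowner, expected $owner" >&2
    return 1
  fi
  return 0
}

# NAT scope: a MASQUERADE rule must match every container veth via the iptables
# wildcard ve-+ (a literal "ve-*" matches no interface). $1 is the text of
# `iptables -t nat -S`.
check_nat_wildcard() {
  local rules=$1
  if printf '%s\n' "$rules" | grep -E -- '-i ve-\+( |$)' | grep -q -- '-j MASQUERADE'; then
    return 0
  fi
  echo "no MASQUERADE rule with -i ve-+ found" >&2
  return 1
}

# Demonstration on constructed data. On the host you would run:
#   check_state_dir /var/lib/nixos-containers/jellyfin
#   check_secret_mode /run/jellyfin-admin-password jellyfin
#   check_nat_wildcard "$(iptables -t nat -S)"
main_demo() {
  local tmp
  tmp=$(mktemp -d)
  echo deadbeef > "$tmp/machine-id"
  check_state_dir "$tmp" && echo "state dir: ok"
  touch "$tmp/leftover.db"
  check_state_dir "$tmp" || echo "state dir: failed as expected"
  chmod 600 "$tmp/machine-id"
  check_secret_mode "$tmp/machine-id" "$(id -un)" && echo "secret mode: ok"
  check_nat_wildcard '-A nixos-nat-post -i ve-+ -o eth0 -j MASQUERADE' && echo "nat wildcard: ok"
  check_nat_wildcard '-A nixos-nat-post -i ve-jellyfin -o eth0 -j MASQUERADE' \
    || echo "nat wildcard: failed as expected"
  rm -rf "$tmp"
}

main_demo
```

Each function returns non-zero and writes the offending item to stderr, so the three calls listed in the comment can run from a deploy hook and fail the activation (and trigger the magic-rollback described above) rather than leaving a world-readable secret or an over-broad backup in place unnoticed.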