JF: Add option to allow incoming conns to a JF server running on vpn
rasmus-kirk committed Feb 26, 2024
1 parent c9eb47c commit ff170ea
Showing 1 changed file with 71 additions and 22 deletions.
93 changes: 71 additions & 22 deletions nixarr/jellyfin/default.nix
Expand Up @@ -24,27 +24,66 @@ in {
'';

expose = {
enable = mkEnableOption ''
Expose the Jellyfin web service to the internet.
vpn = {
enable = mkEnableOption ''
**Required options:**
- `nixarr.jellyfin.vpn.enable`
- `nixarr.jellyfin.expose.vpn.port`
Expose the Jellyfin web service to the internet, allowing anyone to
access it.
**Important:** Do _not_ enable this without setting up Jellyfin
authentication through localhost first!
'';

port = {
type = with types; nullOr port;
default = null;
description = ''
**Required options:** `nixarr.jellyfin.expose.vpn.enable`
The port to access jellyfin on. Get this port from your VPN provider.
**Important:** Do _not_ enable this without setting up Jellyfin
authentication through localhost first!
'';
};
};

**Important:** Do _not_ enable this without setting up Jellyfin
authentication through localhost first!
'';
https = {
enable = mkEnableOption ''
**Required options:**
- `nixarr.jellyfin.expose.https.acmeMail`
- `nixarr.jellyfin.expose.https.domainName`
upnp.enable = mkEnableOption ''
Use UPNP to try to open ports 80 and 443 on your router.
'';
**Conflicting options:** `nixarr.jellyfin.vpn.enable`
Expose the Jellyfin web service to the internet with https support,
allowing anyone to access it.
**Important:** Do _not_ enable this without setting up Jellyfin
authentication through localhost first!
'';

domainName = mkOption {
type = types.nullOr types.str;
default = null;
description = "**REQUIRED:** The domain name to host Jellyfin on.";
};

acmeMail = mkOption {
type = types.nullOr types.str;
default = null;
description = "**REQUIRED:** The ACME mail required for the letsencrypt bot.";
upnp.enable = mkEnableOption ''
Use UPNP to try to open ports 80 and 443 on your router.
'';

domainName = mkOption {
type = types.nullOr types.str;
default = null;
description = "The domain name to host Jellyfin on.";
};

acmeMail = mkOption {
type = types.nullOr types.str;
default = null;
description = "The ACME mail required for the letsencrypt bot.";
};
};
};
};
Expand All @@ -67,23 +106,23 @@ in {
configDir = "${cfg.stateDir}/config";
};

networking.firewall = mkIf cfg.expose.enable {
networking.firewall = mkIf cfg.expose.https.enable {
allowedTCPPorts = [80 443];
};

util-nixarr.upnp = mkIf cfg.expose.upnp.enable {
util-nixarr.upnp = mkIf cfg.expose.https.upnp.enable {
enable = true;
openTcpPorts = [80 443];
};

services.nginx = mkIf (cfg.expose.enable || cfg.vpn.enable) {
services.nginx = mkIf (cfg.expose.https.enable || cfg.vpn.enable) {
enable = true;

recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;

virtualHosts."${builtins.replaceStrings ["\n"] [""] cfg.expose.domainName}" = mkIf cfg.expose.enable {
virtualHosts."${builtins.replaceStrings ["\n"] [""] cfg.expose.https.domainName}" = mkIf cfg.expose.https.enable {
enableACME = true;
forceSSL = true;
locations."/" = {
Expand All @@ -106,9 +145,19 @@ in {
proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}";
};
};

virtualHosts."${config.util-nixarr.vpn.address}:${builtins.toString cfg.expose.vpn.port}" = mkIf cfg.expose.vpn.enable {
enableACME = true;
forceSSL = true;
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}";
};
};
};

security.acme = mkIf cfg.expose.enable {
security.acme = mkIf cfg.expose.https.enable {
acceptTerms = true;
defaults.email = cfg.expose.acmeMail;
};
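Review bot: `security.acme.defaults.email` in the last hunk still reads `cfg.expose.acmeMail`, but this commit moves that option to `nixarr.jellyfin.expose.https.acmeMail`, so enabling `expose.https` will fail evaluation on a missing attribute; it should be `defaults.email = cfg.expose.https.acmeMail;`. In the first hunk, `port = {` under `expose.vpn` is a plain attribute set rather than `port = mkOption {`, so `type`, `default` and `description` are not read as an option declaration the way `domainName`/`acmeMail` are. The new VPN virtualHost sets `enableACME = true` and `forceSSL = true` on a name built from an IP address and a port, which an ACME CA will not validate as a domain name, and `cfg.expose.vpn.port` is only interpolated into that server name, never into a `listen` entry, so nginx would not actually accept connections on the forwarded port; it presumably needs something like `listen = [{ addr = config.util-nixarr.vpn.address; port = cfg.expose.vpn.port; }];` together with a certificate obtained another way, since dropping TLS instead would carry Jellyfin logins in cleartext over the public path beyond the VPN. Whether that port also needs a firewall entry is not visible here, as only `expose.https.enable` opens ports in this file.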
