diff --git a/hosts/library/default.nix b/hosts/library/default.nix
index e242106..410cd17 100644
--- a/hosts/library/default.nix
+++ b/hosts/library/default.nix
@@ -25,6 +25,54 @@ with lib.my; system.stateVersion = "22.11";
+ systemd.services.vps1-tunnel = {
+ enable = true;
+ description = "vps1.mesh.vimium.net SSH tunnel";
+ after = [
+ "network-online.target"
+ "podman-jellyfin.service"
+ ];
+ wants = [ "network-online.target" ];
+ serviceConfig = {
+ Type=Simple;
+ ExecStart='''
+ ssh \
+ -NT
+ -o ExitOnForwardFailure=yes \
+ -o ServerAliveInterval=60 \
+ -o TCPKeepAlive=no \
+ -i %h/.ssh/id_jellyfin \
+ -R localhost:8096:localhost:8096 \
+ jellyfin@vps1.mesh.vimium.net
+ ''';
+ Restart=on-failure;
+ };
+ wantedBy = [ "default.target" ];
+ };
+
+ virtualisation.podman.enable = true;
+ virtualisation.oci-containers.containers = {
+ jellyfin = {
+ user = "1000:1000";
+ image = "docker.io/jellyfin/jellyfin:10.8.10";
+ autoStart = true;
+ ports = "8096:8096/tcp";
+ volumes = [
+ "jellyfin-cache:/cache:Z"
+ "jellyfin-config:/config:Z"
+ ];
+ extraOptions = [
+ "--detach"
+ "--label io.containers.autoupdate=registry"
+ "--privileged"
+ "--userns keep-id"
+ "--group-add=989"
+ "--mount type=bind,source=/mnt/library,target=/library"
+ "--device /dev/dri:/dev/dri"
+ ];
+ };
+ };
+ modules = { security = { gpg.enable = true;
diff --git a/hosts/library/hardware-configuration.nix b/hosts/library/hardware-configuration.nix
index 2231255..2533906 100644
--- a/hosts/library/hardware-configuration.nix
+++ b/hosts/library/hardware-configuration.nix
@@ -43,11 +43,21 @@ fsType = "zfs"; };
+ fileSystems."/var/lib/containers/storage" =
+ { device = "rpool/system/var/lib/containers/storage";
+ fsType = "zfs";
+ };
+ fileSystems."/boot" = { device = "/dev/disk/by-uuid/E63E-8E75"; fsType = "vfat"; };
+ fileSystems."/mnt/library" =
+ { device = "library";
+ fsType = "zfs";
+ };
+ swapDevices = [ ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
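Review bot: The `systemd.services.vps1-tunnel` block cannot be evaluated as printed: `Type=Simple;` and `Restart=on-failure;` make Nix look up identifiers `Simple`, `on` and `failure` instead of producing strings, and the `'''` on both sides of the ssh command does not delimit the string as intended (inside `''…''` the sequence `'''` is the escape for a literal `''`), so `ExecStart` needs plain `''…''` and the other two need `Type = "simple";` and `Restart = "on-failure";`. Inside the command the `-NT` line has no trailing `\`, so the continuation ends there and systemd never sees the `-o`/`-i`/`-R` arguments that follow, and because this is a system unit with no `User=`, `%h` expands to root's home, so the key is presumably expected at /root/.ssh/id_jellyfin rather than under uid 1000. In the jellyfin container, `ports` is a string where oci-containers expects a list (`ports = [ "8096:8096/tcp" ];`), and `"--privileged"` switches off seccomp and LSM confinement and exposes every host device to a process that only appears to need the explicitly passed `--device /dev/dri:/dev/dri` and the bind mount, so it should be dropped while keeping `--group-add=989` for the render device. The enclosing attribute set starts and ends outside the hunk.
```nix
      serviceConfig = {
        Type = "simple";
        ExecStart = ''
          ssh \
            -NT \
            -o ExitOnForwardFailure=yes \
            -o ServerAliveInterval=60 \
            -o TCPKeepAlive=no \
            -i %h/.ssh/id_jellyfin \
            -R localhost:8096:localhost:8096 \
            jellyfin@vps1.mesh.vimium.net
        '';
        Restart = "on-failure";
      };
      # … unchanged: wantedBy, podman.enable, jellyfin user/image/autoStart …
      ports = [ "8096:8096/tcp" ];
      # … unchanged: volumes; extraOptions without "--privileged" …
```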
diff --git a/hosts/server.nix b/hosts/server.nix
index cbc3cf1..71422b9 100644
--- a/hosts/server.nix
+++ b/hosts/server.nix
@@ -32,5 +32,8 @@ with lib.my; neovim ];
- modules.networking.tailscale.enable = true;
+ modules.networking.tailscale = {
+ enable = true;
+ restrictSSH = false;
+ }; }
diff --git a/modules/networking/tailscale.nix b/modules/networking/tailscale.nix
index 0544f9b..fafd533 100644
--- a/modules/networking/tailscale.nix
+++ b/modules/networking/tailscale.nix
@@ -6,11 +6,12 @@ let cfg = config.modules.networking.tailscale; in { options.modules.networking.tailscale = { enable = mkBoolOpt false;
+ restrictSSH = mkBoolOpt true; }; config = mkIf cfg.enable { services.tailscale.enable = true;
- services.openssh.openFirewall = false;
+ services.openssh.openFirewall = !cfg.restrictSSH; networking.firewall = { checkReversePath = "loose"; trustedInterfaces = [ "tailscale0" ];
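Review bot: `restrictSSH = false;` here flips `services.openssh.openFirewall` to true (tailscale.nix computes it as `!cfg.restrictSSH`, defaulting to restricted), so SSH becomes reachable on every interface rather than only through the trusted `tailscale0`; if hosts/server.nix is a profile shared by several hosts, as its name suggests, every one of them is opened, not just the library host this commit is setting up. If only that host needs it, move the setting into hosts/library/default.nix and leave the profile at the default; if the wider exposure is intended, record the reason beside it, e.g. `restrictSSH = false; # <why SSH must be reachable outside the tailnet>`. The enclosing attribute set begins outside the hunk.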
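Review bot: The new `restrictSSH` option carries no documentation, and its effect can only be worked out from two lines that sit apart: `services.openssh.openFirewall = !cfg.restrictSSH;` and the `trustedInterfaces = [ "tailscale0" ];` further down, which is what keeps SSH reachable over the tailnet while the port is otherwise closed. If `mkBoolOpt` cannot take a description, a comment above the option such as `# true: SSH is reachable only over tailscale0 (a trusted interface below); false: the SSH port is opened on all interfaces` and one on the openFirewall line, `# the tailscale0 trusted-interface rule still admits SSH when this is false`, would make the default-on restriction explicit. The `config = mkIf cfg.enable { … }` block continues past the hunk.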