Add jellyfin container configuration

2023-05-09 20:13:54 +01:00
parent 7e02d58328
commit 1d551d6ea7
4 changed files with 64 additions and 2 deletions
--- a/hosts/library/default.nix
+++ b/hosts/library/default.nix
@ -25,6 +25,54 @@ with lib.my;

  system.stateVersion = "22.11";

+  systemd.services.vps1-tunnel = {
+    enable = true;
+    description = "vps1.mesh.vimium.net SSH tunnel";
+    after = [
+      "network-online.target"
+      "podman-jellyfin.service"
+    ];
+    wants = [ "network-online.target" ];
+    serviceConfig = {
+      Type=Simple;
+      ExecStart='''
+        ssh \
+          -NT
+          -o ExitOnForwardFailure=yes \
+          -o ServerAliveInterval=60 \
+          -o TCPKeepAlive=no \
+          -i %h/.ssh/id_jellyfin \
+          -R localhost:8096:localhost:8096 \
+          jellyfin@vps1.mesh.vimium.net
+      ''';
+      Restart=on-failure;
+    };
+    wantedBy = [ "default.target" ];
+  };
+
+  virtualisation.podman.enable = true;
+  virtualisation.oci-containers.containers = {
+    jellyfin = {
+      user = "1000:1000";
+      image = "docker.io/jellyfin/jellyfin:10.8.10";
+      autoStart = true;
+      ports = "8096:8096/tcp";
+      volumes = [
+        "jellyfin-cache:/cache:Z"
+        "jellyfin-config:/config:Z"
+      ];
+      extraOptions = [
+        "--detach"
+        "--label io.containers.autoupdate=registry"
+        "--privileged"
+        "--userns keep-id"
+        "--group-add=989"
+        "--mount type=bind,source=/mnt/library,target=/library"
+        "--device /dev/dri:/dev/dri"
+      ];
+    };
+  };
+
  modules = {
    security = {
      gpg.enable = true;
--- a/hosts/library/hardware-configuration.nix
+++ b/hosts/library/hardware-configuration.nix
@ -43,11 +43,21 @@
      fsType = "zfs";
    };

+  fileSystems."/var/lib/containers/storage" =
+    { device = "rpool/system/var/lib/containers/storage";
+      fsType = "zfs";
+    };
+
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/E63E-8E75";
      fsType = "vfat";
    };

+  fileSystems."/mnt/library" =
+    { device = "library";
+      fsType = "zfs";
+    };
+
  swapDevices = [ ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
--- a/hosts/server.nix
+++ b/hosts/server.nix
@ -32,5 +32,8 @@ with lib.my;
    neovim
  ];

-  modules.networking.tailscale.enable = true;
+  modules.networking.tailscale = {
+    enable = true;
+    restrictSSH = false;
+  };
 }
--- a/modules/networking/tailscale.nix
+++ b/modules/networking/tailscale.nix
@ -6,11 +6,12 @@ let cfg = config.modules.networking.tailscale;
 in {
  options.modules.networking.tailscale = {
    enable = mkBoolOpt false;
+    restrictSSH = mkBoolOpt true;
  };

  config = mkIf cfg.enable {
    services.tailscale.enable = true;
-    services.openssh.openFirewall = false;
+    services.openssh.openFirewall = !cfg.restrictSSH;
    networking.firewall = {
      checkReversePath = "loose";
      trustedInterfaces = [ "tailscale0" ];