waffentrager: valkyrie: jellyfin and wireguard related changes

2024-09-15 21:44:06 +02:00 · 2024-09-15 21:44:06 +02:00 · 1f822e8211
parent f8acddeb2c
commit 1f822e8211
3 changed files with 125 additions and 25 deletions
--- a/configurations/host/valkyrie/secrets/private/default.nix
+++ b/configurations/host/valkyrie/secrets/private/default.nix
--- a/configurations/host/waffentrager/secrets/secrets.yaml
+++ b/configurations/host/waffentrager/secrets/secrets.yaml
@ -1,4 +1,4 @@
-ireguard: ENC[AES256_GCM,data:wBeMFAZ1Dib84bIzQ3m0DiVpz92ZqvJiDz+IXV5rLtJ3OjpNFqbiTSVZnlU=,iv:mJqbXafDv0FqUlY1s69DXbcN7Sd+rxas7IPefFKsMNE=,tag:Ic94bnY0MULfow70KkBWmA==,type:str]
+wireguard: ENC[AES256_GCM,data:fFQKj78HGLDmslDST+usAZxWDanHkUORBgIeOb7lQN4EPXdz6mQODHhn1ek=,iv:/BbbiFlfk8fMX4yFgVXuYkxitbRJqai5PHku2wZUFw4=,tag:cutoXkApljbB3bgSvaS1LQ==,type:str]
 nextcloud-adminpass: ENC[AES256_GCM,data:5vohRPEcJJ8gIRro38O73ufSYYEp1DXpBgjCPdPnMcg=,iv:STh3k5wUwx3AfSDTPCXhuXbPb3d+Vi1cAaQN2a9eW1w=,tag:Ef/Z2Idvl6575Jvs2GDJ8A==,type:str]
 jwt: ENC[AES256_GCM,data:1Qn7DaBZr8vEa8VZiv2BpwePPOBYRTdHEiDv0asUbvhCtfHvhG4mX5/plyRPlQok6FLEjEzKZTEdnvyyOtFEgA==,iv:kqfHkEr0jkKAro9gQup6CeopQnjfMGhEqbVL81wnDgc=,tag:gP/WACy5cOzzmQOh1v8wsQ==,type:str]
 lldap-database: ENC[AES256_GCM,data:rNLS4WwvqRd3TFWDXaf8UmDTRsHZNPPS,iv:URV4Oz4ik2vHb03+Zh7ND+AbozSmoXpxENpvad4yvRI=,tag:6TbuMCnHwtTaG5mMWVN/mQ==,type:str]
@ -33,8 +33,8 @@ sops:
            eFN4VVdUMkVjcTVWNFdLM0xtbExLdncK6LYUufWzIcd2jFyEeZDypo0xkJQ4z91F
            ULyGxJLLWl6/inYXtxHNdxIIPfwW+5yppBAbXaOgvABi1E7tf1JZcA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-10T12:55:49Z"
+    lastmodified: "2024-09-13T18:29:55Z"
-    mac: ENC[AES256_GCM,data:/YXB4vQxd5+ZZrkqKFVYIcNJF4j8PricarHyi0ESi4HXr00Efnat+NnoM74Sy/ukrKIJOKBKVVWmmEW8uFCK4H+kJrMkdagALhsjMkeMSB23cmP8nLbCus5QPhX3bSpkZwYNuspmEYN1cQCHvaLC5Eus+YIi92L+KqHsWJS71iM=,iv:OIwGUDG63wbaxCaLpkior76Ckyql2c4was4PXEc1miY=,tag:lwM1QRCEc6zX9a+yv0mN8A==,type:str]
+    mac: ENC[AES256_GCM,data:djOmSpNrZoFgUK4JlueCUpZtvHldVEsH90ASO+strLJ7wd1MEFdQaYyNonvTaUUzJQkUncyX3cXdO9Aoj9B6CPSKAuSKE7LRScCCXn+OezwUB5d5m/jLy4KmRhtADO0QHap4+/3fXzOupsHyZpVMIjwUw4tJ9MZMT8iMtbaHv2A=,iv:x4RaxRelUOyyTWpTLFRik92TibE+2mFctz/OYHvBoZA=,tag:S9dIzTc7rVBSFXUISuEDAQ==,type:str]
    pgp:
        - created_at: "2024-03-21T18:15:00Z"
          enc: |-
--- a/configurations/host/waffentrager/services/multimedia/jellyfin.nix
+++ b/configurations/host/waffentrager/services/multimedia/jellyfin.nix
@ -7,12 +7,13 @@
      cfg = config.waffentragerService.jellyfin;
    in
    lib.mkIf cfg.enable {
-      services.jellyfin = {
+      services.jellyfin = rec {
        enable = true;
        openFirewall = true;
        user = "materus";
        group = "nextcloud";
        dataDir = config.waffentragerService.elements.jellyfinDir;
        cacheDir = "${dataDir}/cache";
      };
      /*
      services.jellyseerr = {
@ -20,30 +21,129 @@
        openFirewall = true;
      };*/
-      services.nginx.virtualHosts = {
+      services.nginx = {
-        "noot.materus.pl" = {
+        appendHttpConfig = ''
-          sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
+          map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; }
-          sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
+          map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; }
-          sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
+        '';
-          addSSL = true;
+        proxyCachePath."jellyfin" = {
-          http2 = false;
+          enable = true;
-          http3 = true;
+          maxSize = "1g";
-          locations."/" = {
+          levels = "1:2";
-            proxyPass = "http://127.0.0.1:8096";
+          keysZoneName = "jellyfin";
          keysZoneSize = "100m";
          inactive = "1d";
          useTempPath = false;
        };
        virtualHosts = {
          "noot.materus.pl" = {
            extraConfig = ''
-              client_max_body_size 2G;
+              client_max_body_size 20M;
-              include ${config.services.nginx.package}/conf/fastcgi.conf;
+              add_header X-Frame-Options "SAMEORIGIN";
-              include ${config.services.nginx.package}/conf/fastcgi_params;
+              add_header X-XSS-Protection "0"; # Do NOT enable. This is obsolete/dangerous
-              proxy_http_version 1.1;
+              add_header X-Content-Type-Options "nosniff";
-              proxy_set_header    Host                $host;
+              add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
              proxy_set_header    X-Real-IP           $remote_addr;
              proxy_set_header    X-Forwarded-Ssl     on;
              proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
              proxy_set_header    X-Forwarded-Proto   $scheme;
            '';
-          };
+            sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
            sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
            sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
            addSSL = true;
            http2 = false;
            http3 = true;
            locations."~ /Items/(.*)/Images" = {
              proxyPass = "http://127.0.0.1:8096";
              extraConfig = ''
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Protocol $scheme;
                proxy_set_header X-Forwarded-Host $http_host;
                proxy_cache jellyfin;
                proxy_cache_revalidate on;
                proxy_cache_lock on;
              '';
            };
            locations."~ ^/web/htmlVideoPlayer-plugin.[0-9a-z]+.chunk.js$" = {
              proxyPass = "http://127.0.0.1:8096";
              extraConfig = ''
                proxy_set_header Accept-Encoding "";
                sub_filter_types *;
                sub_filter 'return u=30' 'return u=600';
                sub_filter 'return u=6' 'return u=60';
                sub_filter 'maxBufferLength:u' 'maxBufferLength:u,maxBufferSize:180000000';
                sub_filter_once on;
              '';
            };
            locations."~* ^/Videos/(.*)/(?!live)" = {
              proxyPass = "http://127.0.0.1:8096";
              extraConfig = ''
                # Set size of a slice (this amount will be always requested from the backend by nginx)
                # Higher value means more latency, lower more overhead
                # This size is independent of the size clients/browsers can request
                slice 2m;
                proxy_cache jellyfin;
                proxy_cache_valid 200 206 301 302 30d;
                proxy_ignore_headers Expires Cache-Control Set-Cookie X-Accel-Expires;
                proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
                proxy_connect_timeout 15s;
                proxy_http_version 1.1;
                proxy_set_header Connection "";
                # Transmit slice range to the backend
                proxy_set_header Range $slice_range;
                # This saves bandwidth between the proxy and jellyfin, as a file is only downloaded one time instead of multiple times when multiple clients want to at the same time
                # The first client will trigger the download, the other clients will have to wait until the slice is cached
                # Esp. practical during SyncPlay
                proxy_cache_lock on;
                proxy_cache_lock_age 60s;
                proxy_cache_key "jellyvideo$uri?MediaSourceId=$arg_MediaSourceId&VideoCodec=$arg_VideoCodec&AudioCodec=$arg_AudioCodec&AudioStreamIndex=$arg_AudioStreamIndex&VideoBitrate=$arg_VideoBitrate&AudioBitrate=$arg_AudioBitrate&SubtitleMethod=$arg_SubtitleMethod&TranscodingMaxAudioChannels=$arg_TranscodingMaxAudioChannels&RequireAvc=$arg_RequireAvc&SegmentContainer=$arg_SegmentContainer&MinSegments=$arg_MinSegments&BreakOnNonKeyFrames=$arg_BreakOnNonKeyFrames&h264-profile=$h264Profile&h264-level=$h264Level&slicerange=$slice_range";
              '';
            };
            locations."/" = {
              proxyPass = "http://127.0.0.1:8096";
              extraConfig = ''
                proxy_pass_request_headers on;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Host $http_host;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $http_connection;
              '';
            };
            locations."/socket" = {
              proxyPass = "http://127.0.0.1:8096";
              extraConfig = ''
                proxy_pass_request_headers on;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Protocol $scheme;
                proxy_set_header X-Forwarded-Host $http_host;
              '';
            };
          };
        };
      };
    };