diff --git a/nixos/hosts/hephaestus/configuration.nix b/nixos/hosts/hephaestus/configuration.nix
index d4e9afd..33f40df 100644
--- a/nixos/hosts/hephaestus/configuration.nix
+++ b/nixos/hosts/hephaestus/configuration.nix
@@ -9,6 +9,7 @@
 ./hardware-configuration.nix
 ../../services/jokesites.nix
 ../../services/files.nix
+ ../../services/jellyfin-proxy.nix
 ];
 
 # Bootloader.
diff --git a/nixos/services/jellyfin-proxy.nix b/nixos/services/jellyfin-proxy.nix
new file mode 100644
index 0000000..5b36ab0
--- /dev/null
+++ b/nixos/services/jellyfin-proxy.nix
@@ -0,0 +1,28 @@
+{ config, pkgs, ... }: {
+ imports = [
+ ./nginx.nix
+ (import ../acme/get-cert.nix { domain = "*.polsevev.dev"; })
+ ];
+
+ services.nginx.virtualHosts."jellyfin.polsevev.dev" = {
+ http2 = true;
+ extraConfig = ''
+ client_max_body_size 20M;
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-Content-Type-Options "nosniff";
+ add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+ add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
+ '';
+ locations."/" = {
+ proxyPass = "http://100.64.0.5:8096";
+ recommendedProxySettings = true;
+ };
+ locations."/socket" = {
+ proxyPass = "http://100.64.0.5:8096";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
+ useACMEHost = "wildcard.polsevev.dev";
+ forceSSL = true;
+ };
+}
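Review bot: In the `extraConfig` block of the new `jellyfin.polsevev.dev` vhost only the `Permissions-Policy` header carries `always`, so nginx leaves `X-Frame-Options`, `X-Content-Type-Options` and the `Content-Security-Policy` off 4xx/5xx responses such as upstream error pages. Appending `always` to those three directives, e.g. `add_header X-Content-Type-Options "nosniff" always;`, makes the set consistent. The vhost sets `forceSSL = true` but sends no `Strict-Transport-Security` header; unless a shared module such as `./nginx.nix` (not visible in this diff) already adds one, consider `add_header Strict-Transport-Security "max-age=31536000" always;`. The CSP's `script-src` also allows `'unsafe-inline'`, which removes most of its protection against injected script, so a short comment saying whether the Jellyfin web client actually requires it would help the next reader.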