Move jellyfin proxy to nixos

nixos/hosts/hephaestus/configuration.nix

@@ -9,6 +9,7 @@
     ./hardware-configuration.nix
     ../../services/jokesites.nix
     ../../services/files.nix
+    ../../services/jellyfin-proxy.nix
   ];
 
   # Bootloader.

nixos/services/jellyfin-proxy.nix

@@ -0,0 +1,28 @@
+{ config, pkgs, ... }: {
+  imports = [
+    ./nginx.nix
+    (import ../acme/get-cert.nix { domain = "*.polsevev.dev"; })
+  ];
+
+  services.nginx.virtualHosts."jellyfin.polsevev.dev" = {
+    http2 = true;
+    extraConfig = ''
+      client_max_body_size 20M;
+      add_header X-Frame-Options "SAMEORIGIN";
+      add_header X-Content-Type-Options "nosniff";
+      add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+      add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
+    '';
+    locations."/" = {
+      proxyPass = "http://100.64.0.5:8096";
+      recommendedProxySettings = true;
+    };
+    locations."/socket" = {
+      proxyPass = "http://100.64.0.5:8096";
+      proxyWebsockets = true;
+      recommendedProxySettings = true;
+    };
+    useACMEHost = "wildcard.polsevev.dev";
+    forceSSL = true;
+  };
+}