homelab/nixos/services/jellyfin-proxy.nix

{ config, pkgs, ... }: {
  imports = [
    ./nginx.nix
    (import ../acme/get-cert.nix { domain = "*.polsevev.dev"; })
  ];

  services.nginx.virtualHosts."jellyfin.polsevev.dev" = {
    http2 = true;
    extraConfig = ''
      client_max_body_size 20M;
      add_header X-Frame-Options "SAMEORIGIN";
      add_header X-Content-Type-Options "nosniff";
      add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
      add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
    '';
    locations."/" = {
      proxyPass = "http://100.64.0.5:8096";
      recommendedProxySettings = true;
    };
    locations."/socket" = {
      proxyPass = "http://100.64.0.5:8096";
      proxyWebsockets = true;
      recommendedProxySettings = true;
    };
    useACMEHost = "wildcard.polsevev.dev";
    forceSSL = true;
  };
}