

feat(jellyfin): working sso
sbulav committed Nov 22, 2024
1 parent b06c471 commit 1ce0169
Showing 8 changed files with 62 additions and 52 deletions.
6 changes: 3 additions & 3 deletions nix/flake.lock


2 changes: 1 addition & 1 deletion nix/homes/x86_64-linux/sab@nz/default.nix
Expand Up @@ -27,7 +27,7 @@ in {
wlogout = enabled;
hyprlock = disabled;
wezterm = enabled;
wallpaper = "${wallpapers}/share/wallpapers/catppuccin/lake-purple.jpg";
wallpaper = "${wallpapers}/share/wallpapers/unorganized/left.jpg";

waypaper = {
enable = true;
67 changes: 23 additions & 44 deletions nix/modules/nixos/containers/jellyfin/default.nix
Expand Up @@ -24,6 +24,7 @@ in {
host = "${cfg.host}";
url = "http://${cfg.localAddress}:8096";
route_enabled = cfg.enable;
middleware = ["secure-headers-jellyfin" "authelia"];
})
(import ../shared/shared-adguard-dns-rewrite.nix
{
Expand Down Expand Up @@ -72,6 +73,12 @@ in {
};

config = {pkgs, ...}: {
# networking.hosts = {
# #TODO: remove this once migrated
# "${cfg.hostAddress}" = [
# "authelia.sbulav.ru"
# ];
# };
systemd.tmpfiles.rules = [
"d /var/lib/jellyfin 700 jellyfin jellyfin -"
];
Expand Down Expand Up @@ -100,10 +107,12 @@ in {
<EnableAllFolders>true</EnableAllFolders>
<EnabledFolders />
<AdminRoles>
<string>jellyfin-admins</string>
<string>admins</string>
</AdminRoles>
<Roles>
<string>users</string>
<string>jellyfin-users</string>
<string>dev</string>
</Roles>
<EnableFolderRoles>false</EnableFolderRoles>
<EnableLiveTvRoles>false</EnableLiveTvRoles>
Expand Down Expand Up @@ -134,45 +143,19 @@ in {
text = ''
<?xml version="1.0" encoding="utf-8"?>
<BrandingOptions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<LoginDisclaimer>&lt;a href="https://${cfg.host}/SSO/OID/p/authelia" class="raised cancel block emby-button authentik-sso"&gt;
Sign in with Authelia&amp;nbsp;
&lt;img alt="OpenID Connect (authelia)" title="OpenID Connect (authelia)" class="oauth-login-image" src="https://raw.githubusercontent.com/goauthentik/authentik/master/web/icons/icon.png"&gt;
&lt;/a&gt;
&lt;a href="https://${cfg.host}/SSOViews/linking" class="raised cancel block emby-button authentik-sso"&gt;
Link Authentik config&amp;nbsp;
&lt;/a&gt;
&lt;a href="https://${config.${namespace}.containers.authelia.host}" class="raised cancel block emby-button authentik-sso"&gt;
Authelia config&amp;nbsp;
&lt;/a&gt;
</LoginDisclaimer>
<CustomCss>
/* Hide this in lieu of authentik link */
.emby-button.block.btnForgotPassword {
display: none;
}
<LoginDisclaimer>&lt;form action="https://${cfg.host}/sso/OID/start/authelia"&gt;
&lt;button class="raised block emby-button button-submit"&gt;
Sign in with SSO
&lt;/button&gt;
&lt;/form&gt;</LoginDisclaimer>
<CustomCss>a.raised.emby-button {
padding: 0.9em 1em;
color: inherit !important;
}
/* Make links look like buttons */
a.raised.emby-button {
padding: 0.9em 1em;
color: inherit !important;
}
/* Let disclaimer take full width */
.disclaimerContainer {
display: block;
}
/* Optionally, apply some styling to the `.authentik-sso` class, probably let users configure this */
.authentik-sso {
/* idk set a background image or something lol */
}
.oauth-login-image {
height: 24px;
position: absolute;
top: 12px;
}
</CustomCss>
.disclaimerContainer {
display: block;
}</CustomCss>
<SplashscreenEnabled>true</SplashscreenEnabled>
</BrandingOptions>
'';
Expand All @@ -182,7 +165,7 @@ in {
mkdir -p /var/lib/jellyfin/plugins
CLIENT_SECRET="$(cat ${config.sops.secrets."jellyfin/oidc_client_secret".path})"
sed "s/CLIENT_SECRET_REPLACE/$CLIENT_SECRET/" ${ssoConfig} > /var/lib/jellyfin/plugins/configurations/SSO-Auth.xml
cat ${brandingConfig} > /var/lib/jellyfin/plugins/configurations/brandingConfig.xml
cat ${brandingConfig} > /var/lib/jellyfin/config/branding.xml
'';

networking = {
Expand All @@ -192,11 +175,7 @@ in {
allowedTCPPorts = [8096 8920];
allowedUDPPorts = [1900 7359];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
system.stateVersion = "24.11";
};
};
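Review bot: The `networking.hosts` block left commented out at the top of the `config` function (with `#TODO: remove this once migrated`) is dead configuration; either delete it or replace it with a one-line comment saying why Authelia is now reached through the host's `/etc/hosts` entry instead. The same module also drops `useHostResolvConf = lib.mkForce false;` and `services.resolved.enable = true;`, sending the container back to the host's resolv.conf — if that is what makes `authelia.sbulav.ru` resolvable from inside the container, document it, because the removed lines cited a nixpkgs bug as the reason resolved was enabled. Adding `"authelia"` to the Traefik middleware list puts forward-auth in front of the whole Jellyfin vhost; it is not visible here whether Authelia bypasses the plugin's `/sso/OID/...` endpoints and the API paths used by non-browser Jellyfin clients, so that should be verified. Adjacent but untouched: `sed "s/CLIENT_SECRET_REPLACE/$CLIENT_SECRET/"` interpolates the secret into the sed program, so a secret containing `/` or `&` is mangled and the value is briefly visible in the process table; consider a delimiter-safe substitution or `substituteInPlace`-style handling, and set the mode of the written `SSO-Auth.xml` explicitly. The enclosing module attribute set starts and ends outside the shown hunks.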
4 changes: 2 additions & 2 deletions nix/modules/nixos/containers/shared/shared-traefik-route.nix
Expand Up @@ -3,7 +3,7 @@
app ? "test",
host ? "test.sbulav.ru",
url ? "http://localhost:80",
middleware ? "auth-chain",
middleware ? ["auth-chain"],
route_enabled ? false,
...
}: {
Expand All @@ -14,7 +14,7 @@
entrypoints = ["websecure"];
rule = "Host(`${host}`)";
service = "${app}";
middlewares = ["${middleware}"];
middlewares = middleware;
tls = {
certResolver = "production";
};
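Review bot: `middlewares = middleware;` now assumes every caller passes a list, but the previous default was the string `"auth-chain"`; an importer that still passes `middleware = "some-name"` will no longer be normalised by the old `["${middleware}"]` interpolation and will emit a bare string where Traefik expects a list. Accept both shapes with `middlewares = if builtins.isList middleware then middleware else [middleware];`, which needs no extra function argument. The jellyfin module in this commit is the only caller shown passing a list; other importers of this file are not visible here.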
1 change: 1 addition & 0 deletions nix/modules/nixos/containers/traefik/default.nix
Expand Up @@ -20,6 +20,7 @@ in {
./middleware_authelia.nix
./middleware_allow-lan.nix
./middleware_secure-headers.nix
./middleware_secure-headers-jellyfin.nix
(import ../shared/shared-adguard-dns-rewrite.nix
{
host = "traefik.${cfg.domain}";
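--- /dev/null
+++ b/nix/modules/nixos/containers/traefik/middleware_secure-headers-jellyfin.nix
@@ -0,0 +1,30 @@
+{
+containers.traefik.config.services.traefik.dynamicConfigOptions.http.middlewares.secure-headers-jellyfin = {
+headers = {
+sslRedirect = true;
+accessControlMaxAge = "100";
+stsSeconds = "31536000"; # force browsers to only connect over https
+stsIncludeSubdomains = true; # force browsers to only connect over https
+stsPreload = true; # force browsers to only connect over https
+forceSTSHeader = true; # force browsers to only connect over https
+contentTypeNosniff = true; # sets x-content-type-options header value to "nosniff", reduces risk of drive-by downloads
+frameDeny = false; # sets x-frame-options header value to "deny", prevents attacker from spoofing website in order to fool users into clicking something that is not there
+browserXssFilter = true; # sets x-xss-protection header value to "1; mode=block", which prevents page from loading if detecting a cross-site scripting attack
+contentSecurityPolicy = [
+# sets content-security-policy header to suggested value
+"default-src"
+"self"
+];
+referrerPolicy = "same-origin";
+addVaryHeader = true;
+customResponseHeaders = {
+X-Robots-Tag = "none,noarchive,nosnippet,notranslate,noimageindex";
+server = "";
+X-Forwarded-Proto = "https";
+};
+sslProxyHeaders = {
+X-Forwarded-Proto = "https";
+};
+};
+};
+}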
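Review bot: `contentSecurityPolicy = [ "default-src" "self" ]` is wrong on two counts: Traefik's `headers.contentSecurityPolicy` option is a single string, and the CSP keyword must be quoted as `'self'` — an unquoted `self` is parsed as a host named "self", which blocks every source. Use `contentSecurityPolicy = "default-src 'self'";` and confirm the Jellyfin web client still loads under it (it will plausibly need `blob:`/`data:` and inline styles; not verifiable from here). `X-Forwarded-Proto` under `customResponseHeaders` is a request header with no meaning on a response and should be dropped (the `sslProxyHeaders` entry is the one that matters), and `sslRedirect` is deprecated in Traefik v2 in favour of entrypoint-level redirection. The comment on `frameDeny = false` still claims it sets `X-Frame-Options: deny`; reword it to say why framing is allowed for Jellyfin, e.g. `# framing allowed: Jellyfin's web UI and some clients embed the player`.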
2 changes: 1 addition & 1 deletion nix/systems/x86_64-linux/nz/default.nix
Expand Up @@ -7,7 +7,7 @@
wallpapers = inputs.wallpapers-nix.packages.${pkgs.system}.full;
in {
imports = [./hardware-configuration.nix];
system.wallpaper = "${wallpapers}/share/wallpapers/catppuccin/lake-purple.jpg";
system.wallpaper = "${wallpapers}/share/wallpapers/unorganized/left.jpg";
# Enable Bootloader
system.boot.efi.enable = true;
system.battery.enable = true; # Only for laptops, they will still work without it, just improves battery life
2 changes: 1 addition & 1 deletion nix/systems/x86_64-linux/nz/hardware-configuration.nix
Expand Up @@ -66,7 +66,7 @@
"100.87.128.100" = ["vault-c7.pyn.ru"];
"100.91.128.100" = ["vault-c11.pyn.ru"];
"100.92.128.100" = ["vault-c12.pyn.ru"];
"192.168.89.206" = ["serverz"];
"192.168.89.206" = ["serverz" "jellyfin2.sbulav.ru" "authelia.sbulav.ru"];
};
networking.interfaces.wlp3s0.ipv4.routes = [
{
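Review bot: Pinning `jellyfin2.sbulav.ru` and `authelia.sbulav.ru` to `192.168.89.206` in `networking.hosts` appears to duplicate the AdGuard DNS rewrite that the container modules already declare via `shared-adguard-dns-rewrite.nix`, and a static hosts entry follows this laptop off the LAN, so the SSO hostname will resolve to an unreachable address on other networks and will go stale silently if the server moves. If this is a migration workaround, mark it as such, e.g. `# TEMP: split-DNS for SSO until the AdGuard rewrite is reachable from this host`; otherwise leave resolution to DNS. TLS validation still applies, so this is an availability rather than a spoofing concern.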

