diff --git a/nix/flake.lock b/nix/flake.lock
index b1ec74e..05e990f 100644
--- a/nix/flake.lock
+++ b/nix/flake.lock
@@ -906,11 +906,11 @@
"nixpkgs": "nixpkgs_4"
},
"locked": {
- "lastModified": 1712154137,
- "narHash": "sha256-lVJq5t53BJJaAAPiHh++F38UjwVTem3Vy7ajVNaxsU0=",
+ "lastModified": 1732289594,
+ "narHash": "sha256-xPMPmNHiatMQPFCKcP/53JELPPbOAzTzS5enOpDi2Pw=",
"owner": "sbulav",
"repo": "wallpapers-nix",
- "rev": "8a4a30599ac2f452bb2e2717cd5b815d1a56f036",
+ "rev": "e35fc1755dc731f1b466904c82538dcd25493296",
"type": "github"
},
"original": {
diff --git a/nix/homes/x86_64-linux/sab@nz/default.nix b/nix/homes/x86_64-linux/sab@nz/default.nix
index 43c121e..ed47bce 100644
--- a/nix/homes/x86_64-linux/sab@nz/default.nix
+++ b/nix/homes/x86_64-linux/sab@nz/default.nix
@@ -27,7 +27,7 @@ in {
wlogout = enabled;
hyprlock = disabled;
wezterm = enabled;
- wallpaper = "${wallpapers}/share/wallpapers/catppuccin/lake-purple.jpg";
+ wallpaper = "${wallpapers}/share/wallpapers/unorganized/left.jpg";
waypaper = {
enable = true;
diff --git a/nix/modules/nixos/containers/jellyfin/default.nix b/nix/modules/nixos/containers/jellyfin/default.nix
index d4735d4..7b4d1d8 100644
--- a/nix/modules/nixos/containers/jellyfin/default.nix
+++ b/nix/modules/nixos/containers/jellyfin/default.nix
@@ -24,6 +24,7 @@ in {
host = "${cfg.host}";
url = "http://${cfg.localAddress}:8096";
route_enabled = cfg.enable;
+ middleware = ["secure-headers-jellyfin" "authelia"];
})
(import ../shared/shared-adguard-dns-rewrite.nix
{
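Review bot: Adding `"authelia"` to the route's middleware list puts Traefik forward-auth in front of every request to this host, including the `/sso/OID/start/authelia` flow the branding page links to and any non-browser traffic; if Jellyfin mobile/TV apps or API clients are used, confirm Authelia has bypass rules for the paths they need, otherwise they are rejected before Jellyfin ever sees them. Middleware order is also significant in Traefik — as written `secure-headers-jellyfin` wraps `authelia`, so the security headers are (I believe) attached to the auth redirects as well; a one-line `# order matters: headers wrap forward-auth` would make that intent explicit. The import expression this attribute set is passed to starts outside the hunk.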
@@ -72,6 +73,12 @@ in {
};
config = {pkgs, ...}: {
+ # networking.hosts = {
+ # #TODO: remove this once migrated
+ # "${cfg.hostAddress}" = [
+ # "authelia.sbulav.ru"
+ # ];
+ # };
systemd.tmpfiles.rules = [
"d /var/lib/jellyfin 700 jellyfin jellyfin -"
];
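Review bot: The commented-out `networking.hosts` block with its `#TODO: remove this once migrated` lands dead configuration in the container module; either enable it for the migration window or delete it and track the remaining step elsewhere, since commented-out Nix tends to outlive its purpose. If it stays, the comment should say which migration it waits on, e.g. `# TODO: drop once <migration step> is complete` rather than the bare `once migrated`. The `config = {pkgs, ...}:` function this sits in continues past the end of the hunk.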
@@ -100,10 +107,12 @@ in {
true
+ jellyfin-admins
admins
- users
+ jellyfin-users
+ dev
false
false
@@ -134,45 +143,19 @@ in {
text = ''
- <a href="https://${cfg.host}/SSO/OID/p/authelia" class="raised cancel block emby-button authentik-sso">
- Sign in with Authelia
- <img alt="OpenID Connect (authelia)" title="OpenID Connect (authelia)" class="oauth-login-image" src="https://raw.githubusercontent.com/goauthentik/authentik/master/web/icons/icon.png">
- </a>
- <a href="https://${cfg.host}/SSOViews/linking" class="raised cancel block emby-button authentik-sso">
- Link Authentik config
- </a>
- <a href="https://${config.${namespace}.containers.authelia.host}" class="raised cancel block emby-button authentik-sso">
- Authelia config
- </a>
-
-
- /* Hide this in lieu of authentik link */
- .emby-button.block.btnForgotPassword {
- display: none;
- }
+ <form action="https://${cfg.host}/sso/OID/start/authelia">
+ <button class="raised block emby-button button-submit">
+ Sign in with SSO
+ </button>
+ </form>
+ a.raised.emby-button {
+ padding: 0.9em 1em;
+ color: inherit !important;
+ }
- /* Make links look like buttons */
- a.raised.emby-button {
- padding: 0.9em 1em;
- color: inherit !important;
- }
-
- /* Let disclaimer take full width */
- .disclaimerContainer {
- display: block;
- }
-
- /* Optionally, apply some styling to the `.authentik-sso` class, probably let users configure this */
- .authentik-sso {
- /* idk set a background image or something lol */
- }
-
- .oauth-login-image {
- height: 24px;
- position: absolute;
- top: 12px;
- }
-
+ .disclaimerContainer {
+ display: block;
+ }
true
'';
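Review bot: The retained `a.raised.emby-button { … }` rule lost its `/* Make links look like buttons */` comment, and after this change the snippet no longer contains an `<a>` element for it to style — the SSO entry is now a `<button>` inside a `<form>`; unless Jellyfin's own login page still has `a.raised.emby-button` anchors you want restyled, drop the rule, otherwise restore a comment saying what it targets. The `.emby-button.block.btnForgotPassword { display: none; }` rule is also gone, so the forgot-password button reappears on the login page; if that is intentional, a one-line comment such as `/* forgot-password left visible for local accounts */` would save the next reader a bisect. The `text = ''` string is complete within the hunk, but the attribute set it belongs to is not.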
@@ -182,7 +165,7 @@ in {
mkdir -p /var/lib/jellyfin/plugins
CLIENT_SECRET="$(cat ${config.sops.secrets."jellyfin/oidc_client_secret".path})"
sed "s/CLIENT_SECRET_REPLACE/$CLIENT_SECRET/" ${ssoConfig} > /var/lib/jellyfin/plugins/configurations/SSO-Auth.xml
- cat ${brandingConfig} > /var/lib/jellyfin/plugins/configurations/brandingConfig.xml
+ cat ${brandingConfig} > /var/lib/jellyfin/config/branding.xml
'';
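Review bot: The new redirect writes to `/var/lib/jellyfin/config/branding.xml`, but the script only runs `mkdir -p /var/lib/jellyfin/plugins` and the tmpfiles rule in the earlier hunk creates just `/var/lib/jellyfin`, so on a fresh deployment the `cat` fails unless Jellyfin has already created `config/` on a previous start. Add `mkdir -p /var/lib/jellyfin/config /var/lib/jellyfin/plugins/configurations` in place of the existing mkdir — the `plugins/configurations` target of the sed line has the same gap. The shell block this sits in starts outside the hunk, so whether it runs with `set -e` and from which unit is not visible here.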
networking = {
@@ -192,11 +175,7 @@ in {
allowedTCPPorts = [8096 8920];
allowedUDPPorts = [1900 7359];
};
- # Use systemd-resolved inside the container
- # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
- useHostResolvConf = lib.mkForce false;
};
- services.resolved.enable = true;
system.stateVersion = "24.11";
};
};
diff --git a/nix/modules/nixos/containers/shared/shared-traefik-route.nix b/nix/modules/nixos/containers/shared/shared-traefik-route.nix
index 87cda6c..deb8e67 100644
--- a/nix/modules/nixos/containers/shared/shared-traefik-route.nix
+++ b/nix/modules/nixos/containers/shared/shared-traefik-route.nix
@@ -3,7 +3,7 @@
app ? "test",
host ? "test.sbulav.ru",
url ? "http://localhost:80",
- middleware ? "auth-chain",
+ middleware ? ["auth-chain"],
route_enabled ? false,
...
}: {
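Review bot: Changing the default to `["auth-chain"]` matches the one caller visible in this diff, but the `@@ -14,7 +14,7 @@` hunk below now forwards the argument as-is via `middlewares = middleware;`, so any other importer of this shared file that still passes a plain string (the previous contract) would emit `middlewares = "name"`, which Traefik rejects because that option is a list. Either audit every caller of this file or normalize once at the use site: `middlewares = if builtins.isList middleware then middleware else [middleware];`. The function's argument set is cut at the top of the hunk, so whether `lib` is in scope for `lib.toList` is not visible; the `builtins` form needs nothing extra.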
@@ -14,7 +14,7 @@
entrypoints = ["websecure"];
rule = "Host(`${host}`)";
service = "${app}";
- middlewares = ["${middleware}"];
+ middlewares = middleware;
tls = {
certResolver = "production";
};
diff --git a/nix/modules/nixos/containers/traefik/default.nix b/nix/modules/nixos/containers/traefik/default.nix
index 971462c..a74d332 100644
--- a/nix/modules/nixos/containers/traefik/default.nix
+++ b/nix/modules/nixos/containers/traefik/default.nix
@@ -20,6 +20,7 @@ in {
./middleware_authelia.nix
./middleware_allow-lan.nix
./middleware_secure-headers.nix
+ ./middleware_secure-headers-jellyfin.nix
(import ../shared/shared-adguard-dns-rewrite.nix
{
host = "traefik.${cfg.domain}";
diff --git a/nix/modules/nixos/containers/traefik/middleware_secure-headers-jellyfin.nix b/nix/modules/nixos/containers/traefik/middleware_secure-headers-jellyfin.nix
new file mode 100644
index 0000000..61f2ae2
--- /dev/null
+++ b/nix/modules/nixos/containers/traefik/middleware_secure-headers-jellyfin.nix
@@ -0,0 +1,30 @@
+{
+ containers.traefik.config.services.traefik.dynamicConfigOptions.http.middlewares.secure-headers-jellyfin = {
+ headers = {
+ sslRedirect = true;
+ accessControlMaxAge = "100";
+ stsSeconds = "31536000"; # force browsers to only connect over https
+ stsIncludeSubdomains = true; # force browsers to only connect over https
+ stsPreload = true; # force browsers to only connect over https
+ forceSTSHeader = true; # force browsers to only connect over https
+ contentTypeNosniff = true; # sets x-content-type-options header value to "nosniff", reduces risk of drive-by downloads
+ frameDeny = false; # sets x-frame-options header value to "deny", prevents attacker from spoofing website in order to fool users into clicking something that is not there
+ browserXssFilter = true; # sets x-xss-protection header value to "1; mode=block", which prevents page from loading if detecting a cross-site scripting attack
+ contentSecurityPolicy = [
+ # sets content-security-policy header to suggested value
+ "default-src"
+ "self"
+ ];
+ referrerPolicy = "same-origin";
+ addVaryHeader = true;
+ customResponseHeaders = {
+ X-Robots-Tag = "none,noarchive,nosnippet,notranslate,noimageindex";
+ server = "";
+ X-Forwarded-Proto = "https";
+ };
+ sslProxyHeaders = {
+ X-Forwarded-Proto = "https";
+ };
+ };
+ };
+}
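Review bot: `contentSecurityPolicy` is a single header string in Traefik's headers middleware, not a list, and the CSP source keyword needs single quotes, so `[ "default-src" "self" ]` will not yield the intended `Content-Security-Policy: default-src 'self'`; write `contentSecurityPolicy = "default-src 'self'";` and verify the Jellyfin web client still loads under it, since a bare `default-src 'self'` is commonly too strict for it. The comment on `frameDeny = false` still describes enabling `X-Frame-Options: deny`; replace it with the reason it is off for this service, e.g. `# frameDeny off: <reason Jellyfin needs framing>`, otherwise the next reader will "fix" it back to true. `X-Forwarded-Proto` is a request header, so setting it under `customResponseHeaders` does nothing for clients — the `sslProxyHeaders` entry is the one that matters and the response copy can be dropped. `browserXssFilter` emits the deprecated `X-XSS-Protection` header, which current browsers ignore and OWASP recommends omitting; `contentTypeNosniff`, HSTS and a correct CSP carry the protection now.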
diff --git a/nix/systems/x86_64-linux/nz/default.nix b/nix/systems/x86_64-linux/nz/default.nix
index 9ccff20..02ed847 100644
--- a/nix/systems/x86_64-linux/nz/default.nix
+++ b/nix/systems/x86_64-linux/nz/default.nix
@@ -7,7 +7,7 @@
wallpapers = inputs.wallpapers-nix.packages.${pkgs.system}.full;
in {
imports = [./hardware-configuration.nix];
- system.wallpaper = "${wallpapers}/share/wallpapers/catppuccin/lake-purple.jpg";
+ system.wallpaper = "${wallpapers}/share/wallpapers/unorganized/left.jpg";
# Enable Bootloader
system.boot.efi.enable = true;
system.battery.enable = true; # Only for laptops, they will still work without it, just improves battery life
diff --git a/nix/systems/x86_64-linux/nz/hardware-configuration.nix b/nix/systems/x86_64-linux/nz/hardware-configuration.nix
index 77dcfd9..2817d45 100644
--- a/nix/systems/x86_64-linux/nz/hardware-configuration.nix
+++ b/nix/systems/x86_64-linux/nz/hardware-configuration.nix
@@ -66,7 +66,7 @@
"100.87.128.100" = ["vault-c7.pyn.ru"];
"100.91.128.100" = ["vault-c11.pyn.ru"];
"100.92.128.100" = ["vault-c12.pyn.ru"];
- "192.168.89.206" = ["serverz"];
+ "192.168.89.206" = ["serverz" "jellyfin2.sbulav.ru" "authelia.sbulav.ru"];
};
networking.interfaces.wlp3s0.ipv4.routes = [
{
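Review bot: Pinning `jellyfin2.sbulav.ru` and `authelia.sbulav.ru` to `192.168.89.206` in the laptop's hosts file applies on every network, so off the LAN these names resolve to an unreachable RFC1918 address rather than whatever DNS would return; if the override is only meant for the home network, the `shared-adguard-dns-rewrite.nix` mechanism this repo already imports for other services looks like the intended place for it. `hardware-configuration.nix` is normally produced by `nixos-generate-config`, so a hand-added hosts entry here is also at risk of being lost on regeneration — consider moving it to `default.nix` next to the other system settings. The `networking.hosts` attribute set this line belongs to starts outside the hunk.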