Defined in /modules/services/jellyfin.nix.
This NixOS module is a service that sets up a Jellyfin instance.
Compared to the stock module from nixpkgs, this one completes the initial setup wizard in a fully declarative manner: it creates an admin user and configures LDAP and SSO integration, so no manual step is needed in the web UI.
The following snippet enables Jellyfin and makes it available under the jellyfin.example.com endpoint.
shb.jellyfin = {
  enable = true;
  subdomain = "jellyfin";
  domain = "example.com";
  admin = {
    username = "admin";
    password.result = config.shb.sops.secret.jellyfinAdminPassword.result;
  };
};
shb.sops.secret.jellyfinAdminPassword.request = config.shb.jellyfin.admin.password.request;
This assumes secrets are set up with SOPS as described in the secrets setup section of the manual. The request side of the secret contract carries the owner (jellyfin), group and mode (0440) the service expects, so the provider never has to guess file permissions.
We will build upon the Initial Configuration section, so please follow that first.
If the ssl option is set using the SSL block (see the manual on how to set it up), the instance will be reachable at https://jellyfin.example.com.
Here is an example with Let’s Encrypt certificates, validated using the HTTP method. First, set the global configuration for your domain:
shb.certs.certs.letsencrypt."example.com" = {
  domain = "example.com";
  group = "nginx";
  reloadServices = [ "nginx.service" ];
  adminEmail = "myemail@mydomain.com";
};
Then you can tell Jellyfin to use those certificates.
shb.certs.certs.letsencrypt."example.com".extraDomains = [ "jellyfin.example.com" ];
shb.jellyfin = {
  ssl = config.shb.certs.certs.letsencrypt."example.com";
};
We will build upon the HTTPS section, so please follow that first.
We will use the LLDAP block provided by Self Host Blocks. Assuming it has been set already, add the following configuration:
shb.jellyfin.ldap = {
  enable = true;
  host = "127.0.0.1";
  port = config.shb.ldap.ldapPort;
  dcdomain = config.shb.ldap.dcdomain;
  adminPassword.result = config.shb.sops.secret."jellyfin/ldap/adminPassword".result;
};
shb.sops.secret."jellyfin/ldap/adminPassword" = {
  request = config.shb.jellyfin.ldap.adminPassword.request;
  settings.key = "ldap/userPassword";
};
The shb.jellyfin.ldap.adminPassword secret must have the same content as the LDAP block's admin user password (the shb.ldap.ldapUserPassword secret). Pointing both secrets at the same entry of the SOPS file with the settings.key option, as above, achieves this without storing the password twice; the secret is still materialised as a separate file with the owner and mode Jellyfin expects.
The other secrets can be randomly generated with nix run nixpkgs#openssl -- rand -hex 64.
And that's it.
Now, go to the LDAP server at http://ldap.example.com, create the jellyfin_user and jellyfin_admin groups (the defaults of shb.jellyfin.ldap.userGroup and shb.jellyfin.ldap.adminGroup), then create a user and add it to one or both groups. Membership of the admin group grants Jellyfin administrator rights, so keep that group small.
When that's done, go back to the Jellyfin server at http://jellyfin.example.com and log in with that user.
Work is in progress to make the creation of the LDAP user and group declarative too.
We will build upon the LDAP section, so please follow that first.
We will use the SSO block provided by Self Host Blocks. Assuming it has been set already, add the following configuration:
shb.jellyfin.sso = {
  enable = true;
  endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
  sharedSecret.result = config.shb.sops.secret."jellyfin/sso/sharedSecret".result;
  sharedSecretForAuthelia.result = config.shb.sops.secret."jellyfin/sso/sharedSecretForAuthelia".result;
};
shb.sops.secret."jellyfin/sso/sharedSecret".request = config.shb.jellyfin.sso.sharedSecret.request;
shb.sops.secret."jellyfin/sso/sharedSecretForAuthelia" = {
  request = config.shb.jellyfin.sso.sharedSecretForAuthelia.request;
  settings.key = "jellyfin/sso/sharedSecret";
};
Passing the ssl option will auto-configure nginx to force TLS connections with the given certificate.
The shb.jellyfin.sso.sharedSecret and shb.jellyfin.sso.sharedSecretForAuthelia secrets must have the same content: it is the OIDC client secret shared between Jellyfin and Authelia. They are two separate secret contracts because the former must be readable by the jellyfin user (mode 0440) while the latter must be readable by the Authelia user only (mode 0400). Pointing both at the same SOPS entry with the settings.key option, as above, avoids defining the secret twice while keeping the two files with their distinct owners.
Backing up Jellyfin using the Restic block is done like so:
shb.restic.instances."jellyfin" = {
  request = config.shb.jellyfin.backup;
  settings = {
    enable = true;
  };
};
The name "jellyfin" in the instances can be anything.
The config.shb.jellyfin.backup option provides which directories to back up (by default services.jellyfin.dataDir) and which user runs the backup.
You can define any number of Restic instances to back up Jellyfin multiple times, for example to a local and to a remote repository.
You will then need to configure more options like the repository, as explained in the Restic block documentation.
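The sections above each add one piece of configuration. The following is an added example, not taken from the Self Host Blocks manual or module source, that assembles them into a single NixOS module so the cross-service secrets can be seen together. It assumes the shb.sops, shb.ldap (LLDAP) and shb.authelia blocks are configured elsewhere, that the SOPS entries named "jellyfin/..." and "ldap/userPassword" exist in the secrets file (the names are illustrative), and it sets authorization_policy to "two_factor", which is a hardening choice the page's own snippet does not make.

```nix
# Added example: a complete Jellyfin configuration built from the snippets of
# this page. Assumes shb.sops, shb.ldap and shb.authelia are set up elsewhere.
{ config, ... }:
{
  # Let's Encrypt certificate for the apex domain, extended to the Jellyfin
  # subdomain, reloaded into nginx when renewed.
  shb.certs.certs.letsencrypt."example.com" = {
    domain = "example.com";
    group = "nginx";
    reloadServices = [ "nginx.service" ];
    adminEmail = "myemail@mydomain.com";
    extraDomains = [ "jellyfin.example.com" ];
  };

  shb.jellyfin = {
    enable = true;
    subdomain = "jellyfin";
    domain = "example.com";
    ssl = config.shb.certs.certs.letsencrypt."example.com";

    # Local admin account. Optional once LDAP/SSO is configured, but useful as a
    # break-glass login if the identity provider is down.
    admin = {
      username = "admin";
      password.result = config.shb.sops.secret."jellyfin/adminPassword".result;
    };

    ldap = {
      enable = true;
      host = "127.0.0.1";
      port = config.shb.ldap.ldapPort;
      dcdomain = config.shb.ldap.dcdomain;
      # Must equal the LLDAP admin password; shared through the SOPS key below.
      adminPassword.result = config.shb.sops.secret."jellyfin/ldap/adminPassword".result;
    };

    sso = {
      enable = true;
      endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
      # Require a second factor for the OIDC login (page default is "one_factor").
      authorization_policy = "two_factor";
      sharedSecret.result = config.shb.sops.secret."jellyfin/sso/sharedSecret".result;
      sharedSecretForAuthelia.result = config.shb.sops.secret."jellyfin/sso/sharedSecretForAuthelia".result;
    };
  };

  # Secrets. Each request carries the owner, group and mode the consuming
  # service expects, so one plaintext can be materialised as two files with
  # different permissions.
  shb.sops.secret."jellyfin/adminPassword".request = config.shb.jellyfin.admin.password.request;

  shb.sops.secret."jellyfin/ldap/adminPassword" = {
    request = config.shb.jellyfin.ldap.adminPassword.request;    # jellyfin:jellyfin 0440
    settings.key = "ldap/userPassword";                          # same entry the LDAP block reads
  };

  shb.sops.secret."jellyfin/sso/sharedSecret".request = config.shb.jellyfin.sso.sharedSecret.request;
  shb.sops.secret."jellyfin/sso/sharedSecretForAuthelia" = {
    request = config.shb.jellyfin.sso.sharedSecretForAuthelia.request;  # authelia user, 0400
    settings.key = "jellyfin/sso/sharedSecret";                         # one plaintext, two files
  };

  # Back up services.jellyfin.dataDir through the Restic block; repository,
  # passphrase and retention are configured with the Restic block's own options.
  shb.restic.instances."jellyfin" = {
    request = config.shb.jellyfin.backup;
    settings.enable = true;
  };
}
```

The two settings.key lines are the point of the example: the SOPS file holds the LDAP admin password and the OIDC client secret once each, and the secret contract turns each into the files with the owners and modes listed in the option reference below, so neither secret has to be readable by more than the one user that needs it.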
In case of an issue, check the logs of the jellyfin.service systemd unit, for instance with journalctl -u jellyfin.service.
Enable verbose logging by setting the shb.jellyfin.debug boolean to true.
shb.jellyfin.enable
Whether to enable shb jellyfin.
Type: boolean
Default:
false
Example:
true
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.admin
Default admin user info. Only needed if LDAP or SSO is not configured.
Type: null or (submodule)
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.admin.password
Password of the default admin user.
Type: submodule
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.admin.password.request
Request part of the secret contract.
Options set by the requester module enforcing some properties the secret should have.
Type: submodule
Default:
""
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.admin.password.request.group
Linux group owning the secret file.
Type: string
Default:
"jellyfin"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.admin.password.request.mode
Mode of the secret file.
Type: string
Default:
"0440"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.admin.password.request.owner
Linux user owning the secret file.
Type: string
Default:
"jellyfin"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.admin.password.request.restartUnits
Systemd units to restart after the secret is updated.
Type: list of string
Default:
[
"jellyfin.service"
]
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.admin.password.result
Result part of the secret contract.
Options set by the provider module that indicates where the secret can be found.
Type: submodule
Default:
{
path = "/run/secrets/secret";
}
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.admin.password.result.path
Path to the file containing the secret generated out of band.
This path will exist after deploying to a target host, it is not available through the nix store.
Type: absolute path
Default:
"/run/secrets/secret"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.admin.username
Username of the default admin user.
Type: string
Default:
"jellyfin"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.backup
Backup configuration.
Type: submodule
Default:
{ }
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.backup.request
Request part of the backup contract.
Options set by the requester module enforcing how to backup files.
Type: submodule
Default: { user = "jellyfin"; sourceDirectories = [ config.services.jellyfin.dataDir ]; excludePatterns = [ ]; hooks.beforeBackup = [ ]; hooks.afterBackup = [ ]; }
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.backup.request.excludePatterns
File patterns to exclude.
Type: list of string
Default:
[ ]
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.backup.request.hooks
Hooks to run around the backup.
Type: submodule
Default:
{ }
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.backup.request.hooks.afterBackup
Hooks to run after backup.
Type: list of string
Default:
[ ]
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.backup.request.hooks.beforeBackup
Hooks to run before backup.
Type: list of string
Default:
[ ]
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.backup.request.sourceDirectories
Directories to backup.
Type: non-empty (list of string)
Default: [ config.services.jellyfin.dataDir ]
Example:
"/var/lib/vaultwarden"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.backup.request.user
Unix user doing the backups.
Type: string
Default:
"jellyfin"
Example:
"vaultwarden"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.backup.result
Result part of the backup contract.
Options set by the provider module that indicate the names of the backup and restore scripts.
Type: submodule
Default:
""
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.backup.result.backupService
Name of the systemd service performing the backup.
It can be started manually to run a backup:
$ systemctl start backup.service
Type: string
Default:
"backup.service"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.backup.result.restoreScript
Name of the script that can restore the data. One can then list snapshots with:
$ restore snapshots
And restore the latest snapshot with:
$ restore restore latest
Type: string
Default:
"restore"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.debug
Enable debug logging
Type: boolean
Default:
false
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.domain
Domain to serve sites under.
Type: string
Example:
"domain.com"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.ldap
LDAP configuration.
Type: submodule
Default:
{ }
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.ldap.enable
Whether to enable LDAP.
Type: boolean
Default:
false
Example:
true
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.ldap.adminGroup
LDAP admin group
Type: string
Default:
"jellyfin_admin"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.ldap.adminPassword
LDAP admin password.
Type: submodule
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.ldap.adminPassword.request
Request part of the secret contract.
Options set by the requester module enforcing some properties the secret should have.
Type: submodule
Default:
""
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.ldap.adminPassword.request.group
Linux group owning the secret file.
Type: string
Default:
"jellyfin"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.ldap.adminPassword.request.mode
Mode of the secret file.
Type: string
Default:
"0440"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.ldap.adminPassword.request.owner
Linux user owning the secret file.
Type: string
Default:
"jellyfin"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.ldap.adminPassword.request.restartUnits
Systemd units to restart after the secret is updated.
Type: list of string
Default:
[
"jellyfin.service"
]
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.ldap.adminPassword.result
Result part of the secret contract.
Options set by the provider module that indicates where the secret can be found.
Type: submodule
Default:
{
path = "/run/secrets/secret";
}
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.ldap.adminPassword.result.path
Path to the file containing the secret generated out of band.
This path will exist after deploying to a target host, it is not available through the nix store.
Type: absolute path
Default:
"/run/secrets/secret"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.ldap.dcdomain
DC domain for LDAP.
Type: string
Example:
"dc=mydomain,dc=com"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.ldap.host
Host serving the LDAP server.
Type: string
Example:
"127.0.0.1"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.ldap.port
Port where the LDAP server is listening.
Type: signed integer
Example:
389
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.ldap.userGroup
LDAP user group
Type: string
Default:
"jellyfin_user"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.port
Listen on port.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
8096
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.ssl
Path to SSL files
Type: null or (anything)
Default:
null
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.ssl.paths
Paths where the files for the certificate will be located.
This option is the contract output of the shb.certs.certs
SSL block.
Type: anything
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.ssl.paths.cert
Path to the cert file.
Type: absolute path
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.ssl.paths.key
Path to the key file.
Type: absolute path
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.ssl.systemdService
Systemd oneshot service used to generate the certificate. Ends with the .service
suffix.
Use this if downstream services must wait for the certificates to be generated before starting.
Type: string
Example:
"cert-generator.service"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.sso
SSO configuration.
Type: submodule
Default:
{ }
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.sso.enable
Whether to enable SSO.
Type: boolean
Default:
false
Example:
true
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.sso.adminUserGroup
OIDC admin group
Type: string
Default:
"jellyfin_admin"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.sso.authorization_policy
Require one factor (password) or two factor (device) authentication.
Type: one of "one_factor", "two_factor"
Default:
"one_factor"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.sso.clientID
Client ID for the OIDC endpoint
Type: string
Default:
"jellyfin"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.sso.endpoint
OIDC endpoint for SSO
Type: string
Example:
"https://authelia.example.com"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.sso.provider
OIDC provider name
Type: string
Default:
"Authelia"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.sso.sharedSecret
OIDC shared secret for Jellyfin.
Type: submodule
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.sso.sharedSecret.request
Request part of the secret contract.
Options set by the requester module enforcing some properties the secret should have.
Type: submodule
Default:
""
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.sso.sharedSecret.request.group
Linux group owning the secret file.
Type: string
Default:
"jellyfin"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.sso.sharedSecret.request.mode
Mode of the secret file.
Type: string
Default:
"0440"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.sso.sharedSecret.request.owner
Linux user owning the secret file.
Type: string
Default:
"jellyfin"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.sso.sharedSecret.request.restartUnits
Systemd units to restart after the secret is updated.
Type: list of string
Default:
[
"jellyfin.service"
]
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.sso.sharedSecret.result
Result part of the secret contract.
Options set by the provider module that indicates where the secret can be found.
Type: submodule
Default:
{
path = "/run/secrets/secret";
}
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.sso.sharedSecret.result.path
Path to the file containing the secret generated out of band.
This path will exist after deploying to a target host, it is not available through the nix store.
Type: absolute path
Default:
"/run/secrets/secret"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.sso.sharedSecretForAuthelia
OIDC shared secret for Authelia.
Type: submodule
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.sso.sharedSecretForAuthelia.request
Request part of the secret contract.
Options set by the requester module enforcing some properties the secret should have.
Type: submodule
Default: { mode = "0400"; owner = config.shb.authelia.autheliaUser; group = "root"; restartUnits = [ ]; }
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.sso.sharedSecretForAuthelia.request.group
Linux group owning the secret file.
Type: string
Default:
"root"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.sso.sharedSecretForAuthelia.request.mode
Mode of the secret file.
Type: string
Default:
"0400"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.sso.sharedSecretForAuthelia.request.owner
Linux user owning the secret file.
Type: string
Default: config.shb.authelia.autheliaUser
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.sso.sharedSecretForAuthelia.request.restartUnits
Systemd units to restart after the secret is updated.
Type: list of string
Default:
[ ]
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.sso.sharedSecretForAuthelia.result
Result part of the secret contract.
Options set by the provider module that indicates where the secret can be found.
Type: submodule
Default:
{
path = "/run/secrets/secret";
}
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.sso.sharedSecretForAuthelia.result.path
Path to the file containing the secret generated out of band.
This path will exist after deploying to a target host, it is not available through the nix store.
Type: absolute path
Default:
"/run/secrets/secret"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.sso.userGroup
OIDC user group
Type: string
Default:
"jellyfin_user"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>
shb.jellyfin.subdomain
Subdomain under which Jellyfin will be served.
Type: string
Example:
"jellyfin"
Declared by:
<selfhostblocks/modules/services/jellyfin.nix>