added jellyfin

config/hosts/crime/configuration.nix

@@ -1,5 +1,6 @@
 { config, pkgs, ... }: {
   imports = [
+    ./nginx.nix
     ../../common
     ../../common-lxc.nix
     ../../common-nginx.nix
@@ -15,4 +16,6 @@
       "2a0f:be01:0:100::1337/128"
     ];
   };
+
+  services.jellyfin.enable = true;
 }

config/hosts/crime/nginx.nix

@@ -0,0 +1,70 @@
+{ config, pkgs, ... }:
+let 
+  extraConfig = ''
+    add_header Strict-Transport-Security    $hsts_header;
+    add_header X-Content-Type-Options       "nosniff" always;
+    add_header X-XSS-Protection             "1; mode=block" always;
+    #add_header X-Frame-Options              "SAMEORIGIN" always;
+    add_header Referrer-Policy              "same-origin" always;
+  '';
+  proxyConfig = ''
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Protocol $scheme;
+    proxy_set_header X-Forwarded-Host $http_host;
+  '';
+  jellyAddr = "[::1]";
+  jellyWeb = {
+    forceSSl = true;
+    http3 = true;
+    quic = true;
+    inherit extraConfig;
+
+    locations = {
+      "= /".return = "302 https://$host/web/";
+      "/" = {
+        proxyPass = "http://${jellyAddr}:8096";
+        extraConfig = ''
+          ${proxyConfig}
+          proxy_buffering on;
+        '';
+      };
+      "= /web/" = {
+        proxyPass = "http://${jellyAddr}:8096/web/index.html"
+        extraConfig = proxyConfig;
+      };
+      "/socket" = {
+        proxyPass = "http://${jellyAddr}:8096"
+        proxyWebsockets = true;
+        extraConfig = proxyConfig;
+      };
+    };
+  };
+in {
+  services.nginx = {
+    virtualHosts = {
+      "fentanyl.trade" = jellyWeb // {
+        enableACME = true;
+      };
+      "frotti.ng" = jellyWeb // {
+        useACMEHost = "fentanyl.trade";
+      };
+    };
+    createHost = {
+      "watch.kyouma.net" = { redirectTo = "fentanyl.trade"; };
+      "redirect" = {
+        default = true;
+        reuseport = true;
+        useACMEHost = "fentanyl.trade";
+        extraConfig = ''
+          return 403;
+        '';
+      };
+    };
+  };
+  security.acme.certs = {
+    "fentanyl.trade" = { extraDomainNames = [ "frotti.ng" "watch.kyouma.net" ]; };
+  };
+}

config/hosts/web-dus/configuration.nix

@@ -29,7 +29,7 @@ in {
   };
   services.vyosBld = {
     enable = true;
-    output = "/nix/var/www/kyouma.net/vyos";
+    output = "/var/www/kyouma.net/vyos";
     buildFlags = {
       architecture = "amd64";
       build-by = "noc@kyouma.net";
@@ -57,7 +57,7 @@ in {
       "miau.zip" = { root = kyouma-www.default; };
       "www.miau.zip" = { redirectTo = "miau.zip"; };
       "www.kyouma.net" = { redirectTo = "kyouma.net"; };
-      "emily.cat" = { root = "/nix/var/www/emily.cat/_site"; };
+      "emily.cat" = { root = "/var/www/emily.cat/_site"; };
       "www.emily.cat" = { redirectTo = "kyouma.net"; };
       "www.cocaine.trade" = { redirectTo = "cocaine.trade"; };
 
@@ -70,7 +70,7 @@ in {
         '';
       };
       "cocaine.trade" = {
-        root = "/nix/var/www/basti/cocaine.trade";
+        root = "/var/www/basti/cocaine.trade";
         extraConfig = ''error_page 404 /404.html;'';
         locations."/" = {
           index = "index.html";
@@ -80,7 +80,7 @@ in {
       };
       "files.cocaine.trade" = {
         useACMEHost = "cocaine.trade";
-        root = "/nix/var/www/basti/files.cocaine.trade";
+        root = "/var/www/basti/files.cocaine.trade";
         locations."/".extraConfig = autoIndex;
       };
       "kyouma.net" = {
@@ -92,7 +92,7 @@ in {
             extraConfig = autoIndex;
           };
           "/ihk/" = {
-            root = "/nix/var/www/kyouma.net/ihk";
+            root = "/var/www/kyouma.net/ihk";
             extraConfig = autoIndex;
           };
         };