Diffstat (limited to 'makefu/2configs/home/jellyfin.nix')
-rw-r--r--makefu/2configs/home/jellyfin.nix72
1 files changed, 20 insertions, 52 deletions
diff --git a/makefu/2configs/home/jellyfin.nix b/makefu/2configs/home/jellyfin.nix
index acfdb2599..e613a05fc 100644
--- a/makefu/2configs/home/jellyfin.nix
+++ b/makefu/2configs/home/jellyfin.nix
@@ -1,66 +1,34 @@
{ lib, config, ... }:
+let
+ port = 8096;
+in
{
services.jellyfin.enable = true;
- services.jellyfin.openFirewall = true;
+ # services.jellyfin.openFirewall = true;
+ networking.firewall.interfaces.wiregrill = {
+ allowedTCPPorts = [ 80 port 8920 ];
+ allowedUDPPorts = [ 1900 7359 ];
+ };
state = [ "/var/lib/jellyfin" ];
users.users.${config.services.jellyfin.user}.extraGroups = [ "download" "video" "render" ];
systemd.services.jellyfin = {
-
after = [ "media-cloud.mount" ];
serviceConfig = rec {
+ RequiresMountFor = [ "/media/cloud" ];
SupplementaryGroups = lib.mkForce [ "video" "render" "download" ];
UMask = lib.mkForce "0077";
-
-
- Type = lib.mkForce "simple";
- StateDirectory = lib.mkForce "jellyfin";
- StateDirectoryMode = lib.mkForce "0700";
- CacheDirectory = lib.mkForce "jellyfin";
- CacheDirectoryMode = lib.mkForce "0700";
- WorkingDirectory = lib.mkForce "/var/lib/jellyfin";
- Restart = lib.mkForce "on-failure";
- TimeoutSec = lib.mkForce 15;
- SuccessExitStatus = lib.mkForce ["0" "143"];
-
- # Security options:
- NoNewPrivileges = lib.mkForce true;
- SystemCallArchitectures = lib.mkForce "native";
- # AF_NETLINK needed because Jellyfin monitors the network connection
- RestrictAddressFamilies = lib.mkForce [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
- RestrictNamespaces = lib.mkForce false;
- RestrictRealtime = lib.mkForce true;
- RestrictSUIDSGID = lib.mkForce true;
- ProtectControlGroups = lib.mkForce false;
- ProtectHostname = lib.mkForce true;
- ProtectKernelLogs = lib.mkForce false;
- ProtectKernelModules = lib.mkForce false;
- ProtectKernelTunables = lib.mkForce false;
- LockPersonality = lib.mkForce true;
- PrivateTmp = lib.mkForce false;
- # needed for hardware accelaration
- PrivateDevices = lib.mkForce false;
- PrivateUsers = lib.mkForce true;
- RemoveIPC = lib.mkForce true;
-
- SystemCallFilter = lib.mkForce [
- "~@clock"
- "~@aio"
- "~@chown"
- "~@cpu-emulation"
- "~@debug"
- "~@keyring"
- "~@memlock"
- "~@module"
- "~@mount"
- "~@obsolete"
- "~@privileged"
- "~@raw-io"
- "~@reboot"
- "~@setuid"
- "~@swap"
- ];
- SystemCallErrorNumber = lib.mkForce "EPERM";
};
};
+ services.nginx.virtualHosts."jelly" = {
+ serverAliases = [
+ "jelly.lan" "movies.lan"
+ "jelly.makefu.w" "makefu.omo.w"
+ ];
+
+ locations."/" = {
+ proxyPass = "http://localhost:${toString port}";
+ proxyWebsockets = true;
+ };
+ };
}
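Review bot: `RequiresMountFor = [ "/media/cloud" ];` inside `serviceConfig` will not create the mount dependency, because the systemd directive is spelled `RequiresMountsFor` and belongs to the [Unit] section; in NixOS that is `unitConfig.RequiresMountsFor = [ "/media/cloud" ];` directly under `systemd.services.jellyfin`. As written, systemd will most likely warn about an unknown key and ignore it, leaving only the `after` ordering, so Jellyfin can still start against an unmounted `/media/cloud`. Separately, the wiregrill rule opens `port` (8096) and 8920 alongside 80, so the Jellyfin listener stays directly reachable on that interface and the new nginx vhost is not the only entry point; if the proxy is meant to be the front door, `allowedTCPPorts = [ 80 ];` is enough. The vhost is plain HTTP with no `forceSSL`, so logins are protected only by whatever the wiregrill link itself provides, and a comment stating that assumption next to `proxyPass` would help the next reader.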