challenger: start migrating from voyager. Add nginx. Add jellyfin.

hosts/challenger/configuration.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 
 {
   imports =
@@ -8,6 +8,9 @@
       ./hardware-configuration.nix
       ./exports.nix
       ./filesystems.nix
+
+      ./services/nginx.nix
+      ./services/jellyfin.nix
   ];
 
   networking = {
@@ -32,6 +35,14 @@
   virtualisation.docker.enable = true;
   virtualisation.oci-containers.backend = "docker";
 
+  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+       "nvidia-x11"
+       "nvidia-settings"
+  ];
+  hardware.nvidia.modesetting.enable = true;
+  hardware.opengl.enable = true;
+  services.xserver.videoDrivers = ["nvidia"];
+
   system.stateVersion = "24.05";
 }
 

hosts/challenger/filesystems.nix

@@ -6,7 +6,10 @@
 
   # Local zfs
   boot = {
-    # zfs.extraPools = [ "tank" ];
+    zfs = {
+      extraPools = [ "tank" ];
+      requestEncryptionCredentials = false;
+    };
     supportedFilesystems = [ "zfs" ];
     kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
   };

hosts/challenger/services/jellyfin.nix

@@ -0,0 +1,44 @@
+{ config, pkgs, lib, ... }:
+
+{
+  # Jellyfin - Media Streaming platform
+  services.jellyfin.enable = true;
+
+  users.users.${config.services.jellyfin.user}.extraGroups = [ "video" "render" ];
+
+  systemd.services.jellyfin.serviceConfig = {
+    DeviceAllow = lib.mkForce [ "/dev/dri/card0" ];
+  };
+
+  services.nginx.virtualHosts."jellyfin.home.feal.no" = {
+    serverAliases = [ "jf.feal.no" ];
+    locations = {
+      "= /" = {
+        return = "302 http://$host/web/";
+      };
+
+      "/" = {
+        proxyPass = "http://127.0.0.1:8096";
+        extraConfig = ''
+          proxy_buffering off;
+        '';
+      };
+
+      "/socket" = {
+        proxyPass = "http://127.0.0.1:8096";
+        proxyWebsockets = true;
+      };
+    };
+
+    extraConfig = ''
+      add_header X-XSS-Protection "1; mode=block";
+      add_header X-Content-Type-Options "nosniff";
+      add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+    '';
+  };
+
+  fileSystems."/tank/media/jellyfin/Music" = {
+    device = "tank/media/music";
+    fsType = "zfs";
+  };
+}

hosts/challenger/services/nginx.nix

@@ -0,0 +1,21 @@
+{ config, values, ... }:
+{
+  services.nginx = {
+    enable = true;
+    enableReload = true;
+
+    clientMaxBodySize = "100m";
+
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  /* security.acme = { */
+  /*   acceptTerms = true; */
+  /*   email = "felix@albrigtsen.it"; */
+  /* }; */
+}