services/jellyfin: LDAP + marisa proxy:

2026-02-09 12:29:19 -08:00 · 2021-09-22 03:32:25 +01:00 · 2021-09-22 03:32:25 +01:00 · a81432f8ab
commit a81432f8ab
parent 06654639b6
4 changed files with 62 additions and 7 deletions
--- a/config/hosts/marisa.nix
+++ b/config/hosts/marisa.nix
@ -4,6 +4,7 @@
    services.dnscrypt-proxy
    profiles.network
    services.nginx
+    services.access
    users.kat.server
  ];

--- a/config/services/access.nix
+++ b/config/services/access.nix
@ -0,0 +1,24 @@
+{ config, lib, meta, ... }: {
+  deploy.tf.dns.records.services_media_forward = {
+    inherit (config.network.dns) zone;
+    domain = "media";
+    cname = { inherit (config.network.addresses.public) target; };
+  };
+
+  services.nginx.virtualHosts = {
+    "media.${config.network.dns.domain}" = {
+      forceSSL = true;
+      enableACME = true;
+      locations = {
+        "/jellyfin/".proxyPass = "http://${meta.network.nodes.yukari.network.addresses.wireguard.nixos.ipv4.address}:8096/jellyfin/";
+        "/jellyfin/socket" = {
+          proxyPass = "http://${meta.network.nodes.yukari.network.addresses.wireguard.nixos.ipv4.address}:8096/jellyfin/";
+          extraConfig = ''
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+          '';
+        };
+      };
+    };
+  };
+}
--- a/config/services/jellyfin.nix
+++ b/config/services/jellyfin.nix
@ -20,10 +20,15 @@
      from = 32768;
      to = 60999;
    }];
-    private.tcp.ranges = [{
-      from = 32768;
-      to = 60999;
-    }];
+    private.tcp = {
+      ports = [
+        8096
+      ];
+      ranges = [{
+        from = 32768;
+        to = 60999;
+      }];
+    };
  };

  services.jellyfin.enable = true;
--- a/config/services/openldap/default.nix
+++ b/config/services/openldap/default.nix
@ -14,6 +14,12 @@
        olcTLSCertificateKeyFile = "/var/lib/acme/domain-auth/key.pem";
      };
      children = {
+        "cn=module" = {
+          attrs = {
+            objectClass = "olcModuleList";
+            olcModuleLoad = "memberof";
+          };
+        };
        "cn=schema" = {
          attrs = {
            cn = "schema";
@ -26,6 +32,21 @@
          "${pkgs.openldap}/etc/schema/nis.ldif"
          ];
        };
+        "olcOverlay=memberof,olcDatabase={1}mdb" = {
+          attrs = {
+            objectClass = [
+              "olcOverlayConfig"
+              "olcMemberOf"
+              "olcConfig"
+            ];
+            olcOverlay = "memberof";
+            olcMemberOfDangling = "ignore";
+            olcMemberOfGroupOC = "groupOfNames";
+            olcMemberOfMemberAD = "member";
+            olcMemberOfMemberOfAD = "memberOf";
+            olcMemberOfRefint = "TRUE";
+          };
+        };
        "olcDatabase={-1}frontend" = {
          attrs = {
            objectClass = [
@ -76,9 +97,13 @@
              ''{3}to dn.subtree="ou=services,dc=kittywit,dc=ch"
                   by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read
                   by dn.subtree="ou=services,dc=kittywit,dc=ch" read
-                     by * none''
-              ''{4}to attrs=mail by self read''
-              ''{5}to * by * read''
+                       by * none''
+              ''{4}to dn.subtree="ou=groups,dc=kittywit,dc=ch"
+                  by dn.subtree="ou=users,dc=kittywit,dc=ch" read
+                  by dn.subtree="ou=services,dc=kittywit,dc=ch" read
+                       by * none''
+              ''{5}to attrs=mail by self read''
+              ''{6}to * by * read''
            ];
          };
        };