From 4084e764e49905d093907029c13886d1a19bf304 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann <hi@kunsmann.eu>
Date: Sun, 24 Sep 2023 16:48:19 +0200
Subject: [PATCH] add nginx proxy to jellyfin

---
 bundles/jellyfin/metadata.py              | 29 +++++++++++++++++++----
 data/powerdns/files/bind-zones/kunbox.net |  3 +++
 nodes/home/nas.py                         |  9 +++++++
 3 files changed, 36 insertions(+), 5 deletions(-)

diff --git a/bundles/jellyfin/metadata.py b/bundles/jellyfin/metadata.py
index b675d93..5728913 100644
--- a/bundles/jellyfin/metadata.py
+++ b/bundles/jellyfin/metadata.py
@@ -13,6 +13,11 @@ defaults = {
             },
         },
     },
+    'backups': {
+        'paths': {
+            f'/var/lib/jellyfin/{x}' for x in ('data', 'metadata', 'plugins', 'root')
+        },
+    },
     'icinga2_api': {
         'transmission': {
             'services': {
@@ -26,13 +31,27 @@ defaults = {
 
 
 @metadata_reactor.provides(
-    'firewall/port_rules',
+    'nginx/vhosts/jellyfin',
 )
-def firewall(metadata):
+def nginx(metadata):
+    if not node.has_bundle('nginx'):
+        raise DoNotRunAgain
+
+    if 'jellyfin' not in metadata.get('nginx/vhosts', {}):
+        return {}
+
     return {
-        'firewall': {
-            'port_rules': {
-                '8096': atomic(metadata.get('jellyfin/restrict-to', {'*'})),
+        'nginx': {
+            'vhosts': {
+                'jellyfin': {
+                    'do_not_add_content_security_headers': True,
+                    'locations': {
+                        '/': {
+                            'target': 'http://127.0.0.1:8096',
+                            'websockets': True,
+                        },
+                    },
+                },
             },
         },
     }
diff --git a/data/powerdns/files/bind-zones/kunbox.net b/data/powerdns/files/bind-zones/kunbox.net
index c7b110a..3e77354 100644
--- a/data/powerdns/files/bind-zones/kunbox.net
+++ b/data/powerdns/files/bind-zones/kunbox.net
@@ -27,6 +27,9 @@ _acme-challenge.home IN CNAME   _acme-challenge.home.kunbox.net.le.kunbox.net.
 ; aurto, keep old name
 aurto               IN  CNAME   aurto.htz-cloud
 
+; stuff running at home
+jellyfin.home       IN  CNAME   nas.home
+
 ; Mail servers
 mta-sts             IN  CNAME   carlene
 
diff --git a/nodes/home/nas.py b/nodes/home/nas.py
index fee7979..818d9b3 100644
--- a/nodes/home/nas.py
+++ b/nodes/home/nas.py
@@ -17,6 +17,7 @@ nodes['home.nas'] = {
     },
     'groups': {
         'debian-bullseye',
+        'webserver',
     },
     'metadata': {
         'interfaces': {
@@ -135,6 +136,14 @@ nodes['home.nas'] = {
                 },
             },
         },
+        'nginx': {
+            'vhosts': {
+                'jellyfin': {
+                    'domain': 'jellyfin.home.kunbox.net',
+                    'ssl': '_.home.kunbox.net',
+                },
+            },
+        },
         'rsyslogd': {
             'restrict-to': {
                 'home',