Add jellyfin

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-05 16:41:54 +01:00
parent e24997677d
commit bf49eac272
43 changed files with 1666 additions and 86 deletions
--- a/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix
@@ -68,7 +68,7 @@ in
            identity_validation.reset_password.jwt_secret =
              hmConfig.sops.placeholder."authelia/resetPasswordJwt";

-            definitions.user_attributes.is_admin.expression = "\"admins\" in groups";
+            definitions.user_attributes.is_admin.expression = "\"admin\" in groups";

            identity_providers.oidc = {
              hmac_secret = hmConfig.sops.placeholder."authelia/oidcHmac";
@@ -81,7 +81,7 @@ in
                  rules = [
                    {
                      policy = "two_factor";
-                      subject = [ "group:admins" ];
+                      subject = [ "group:admin" ];
                    }
                  ];
                };
@@ -91,7 +91,7 @@ in
                  rules = [
                    {
                      policy = "one_factor";
-                      subject = [ "group:admins" ];
+                      subject = [ "group:admin" ];
                    }
                  ];
                };
@@ -134,10 +134,11 @@ in
              password = hmConfig.sops.placeholder."authelia/users/karaolidis";
              email = "nick@karaolidis.com";
              groups = [
-                "admins"
+                "admin"
+                "media"
                "vaultwarden"
                "nextcloud"
-                "media"
+                "jellyfin"
                "gitea"
                "outline"
                "shlink"
@@ -149,7 +150,7 @@ in
    };

    virtualisation.quadlet = {
-      networks.authelia.networkConfig.internal = true;
+      networks.authelia = { };

      volumes = {
        authelia-redis = { };
@@ -159,24 +160,24 @@ in

      containers = {
        authelia-init = {
-          containerConfig =
-            let
-              entrypoint = pkgs.writeTextFile {
-                name = "entrypoint.sh";
-                executable = true;
-                text = builtins.readFile ./init-entrypoint.sh;
-              };
-            in
-            {
-              image = "docker-archive:${selfPkgs.docker-yq}";
-              volumes = [
+          containerConfig = {
+            image = "docker-archive:${selfPkgs.docker-yq}";
+            volumes =
+              let
+                entrypoint = pkgs.writeTextFile {
+                  name = "entrypoint.sh";
+                  executable = true;
+                  text = builtins.readFile ./init-entrypoint.sh;
+                };
+              in
+              [
                "${volumes.authelia.ref}:/etc/authelia"
                "${hmConfig.sops.templates.authelia-users.path}:/etc/authelia/users.yaml.default:ro"
                "${hmConfig.sops.templates.authelia.path}:/etc/authelia/conf.d/authelia.yaml:ro"
                "${entrypoint}:/entrypoint.sh:ro"
              ];
-              entrypoint = "/entrypoint.sh";
-            };
+            entrypoint = "/entrypoint.sh";
+          };

          serviceConfig = {
            Type = "oneshot";
--- a/hosts/jupiter/users/storm/configs/console/podman/authelia/init-entrypoint.sh
+++ b/hosts/jupiter/users/storm/configs/console/podman/authelia/init-entrypoint.sh
@@ -1,5 +1,8 @@
 #!/bin/sh

+set -o errexit
+set -o nounset
+
 touch /etc/authelia/users.yaml
 # shellcheck disable=SC2016
 yq eval-all '. as $item ireduce ({}; . * $item)' /etc/authelia/users.yaml /etc/authelia/users.yaml.default -i