server-configuration/services/jellyfin.nix

{
  lib,
  pkgs,
  config,
  ...
}: let
  host = "127.0.0.1";
  port = 8096;
  jellyfin =
    if config.services.mullvad-vpn.enable == true
    then
      pkgs.callPackage ({...}:
        pkgs.stdenv.mkDerivation {
          pname = "jellyfin-excluded";
          version = "1.0.0";

          phases = ["installPhase"];

          buildInputs = [pkgs.jellyfin];

          # Define the install phase
          installPhase = ''
            mkdir -p $out/bin
            # Create a wrapper script
            echo "${pkgs.mullvad-vpn}/bin/mullvad-exclude ${pkgs.jellyfin}/bin/jellyfin \"$@\"" > $out/bin/jellyfin-excluded
            chmod +x $out/bin/jellyfin-excluded
          '';

          # Specify the output
          meta = with pkgs.lib; {
            description = "A wrapper for the hello command";
            mainProgram = "jellyfin-excluded";
            license = licenses.mit;
          };
        }) {}
    else pkgs.jellyfin;
in {
  # Enable VAAPI
  config.nixpkgs.config.packageOverrides = pkgs: {
    vaapiIntel = pkgs.vaapiIntel.override {enableHybridCodec = true;};
  };
  config.hardware.graphics = {
    enable = true;
    extraPackages = with pkgs; [
      intel-media-driver
      intel-vaapi-driver
      vaapiVdpau
      intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
      vpl-gpu-rt # QSV on 11th gen or newer
    ];
  };

  # Create folder for media
  config.system.activationScripts."jellyfinMediaFolder" = lib.stringAfter ["var"] ''
    mkdir -p /media
    chmod -R 775 /media
    chown -R jellyfin:jellyfin /media
  '';

  # Enable Jellyfin
  config.services.jellyfin = {
    enable = true;
    package = jellyfin;
    openFirewall = false; # We want jellyfin behind a reverse proxy
  };

  # Route subdomain traffic to jellyfin
  # services.caddy.virtualHosts."jf.spoodythe.one" = {
  #   enable = true;
  #   extraConfig = ''
  #     reverse_proxy * ${host}:${toString port}
  #   '';
  # };

  config.services.nginx.
    virtualHosts."media.spoodythe.one" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://${host}:${toString port}";
      extraConfig = ''
        # Websocket support
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;

        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
      '';
    };
  };

  # Open port 80 and 443 for reverse proxy
  config.networking.firewall.allowedTCPPorts = [port 80 443];
  config.networking.firewall.allowedUDPPorts = [port 80 443];
}