Add jellyfin

Customised the forward auth in authelia to ignore Authorization headers as authelia was failing to parse the Authorization: MediaBrowser headers that jellyfin uses.

2-nomad-config/2-ingress/authelia.nomad.hcl

@@ -63,6 +63,12 @@ job "authelia" {
         data = <<EOF
 server:
   address: tcp://0.0.0.0:{{ env "NOMAD_PORT_http" }}/
+  endpoints:
+    authz:
+      forward-auth:
+        implementation: 'ForwardAuth'
+        authn_strategies:
+          - name: 'CookieSession'
 theme: "auto"
 identity_validation:
   reset_password:

2-nomad-config/jellyfin.nomad.hcl

@@ -0,0 +1,88 @@
+job "jellyfin" {
+  group "jellyfin" {
+    count = 1
+
+    network {
+      port "http" {
+        to = 8096
+      }
+    }
+
+    task "jellyfin" {
+      driver = "docker"
+
+      config {
+        image = "lscr.io/linuxserver/jellyfin:latest"
+        ports = ["http"]
+      }
+
+      service {
+        name = "jellyfin"
+        port = "http"
+
+        tags = [
+          "traefik.enable=true",
+          "traefik.http.routers.jellyfin.middlewares=auth@file",
+          "traefik.http.routers.jellyfin-token.rule=Host(`c3ll7nbevl5j4j8rcnfxnr95q48fuayz-jellyfin.othrayte.one`)",
+        ]
+
+        check {
+          name     = "alive"
+          type     = "tcp"
+          port     = "http"
+          interval = "10s"
+          timeout  = "2s"
+        }
+      }
+
+      env {
+        PUID = 1000
+        PGID = 1000
+        TZ   = "Australia/Melbourne"
+
+        JELLYFIN_PublishedServerUrl = "https://jellyfin.othrayte.one"
+      }
+
+      volume_mount {
+        volume      = "unraid_appdata_jellyfin"
+        destination = "/config"
+        read_only   = false
+      }
+
+      volume_mount {
+        volume      = "unraid_media_jellyfin"
+        destination = "/data"
+        read_only   = false
+      }
+
+      resources {
+        cpu    = 500
+        memory = 2048
+      }
+    }
+
+    volume "unraid_appdata_jellyfin" {
+      type            = "csi"
+      read_only       = false
+      source          = "unraid_appdata_jellyfin"
+      access_mode     = "single-node-writer"
+      attachment_mode = "file-system"
+
+      mount_options {
+        mount_flags = ["uid=1000", "gid=1000"]
+      }
+    }
+
+    volume "unraid_media_jellyfin" {
+      type            = "csi"
+      read_only       = false
+      source          = "unraid_media_jellyfin"
+      access_mode     = "single-node-writer"
+      attachment_mode = "file-system"
+
+      mount_options {
+        mount_flags = ["nobrl", "uid=1000", "gid=1000"]
+      }
+    }
+  }
+}

2-nomad-config/jellyfin.tf

@@ -0,0 +1,55 @@
+
+resource "nomad_job" "jellyfin" {
+  jobspec = file("jellyfin.nomad.hcl")
+}
+
+resource "nomad_csi_volume_registration" "unraid_appdata_jellyfin" {
+  #Note: Before chaning the definition of this volume you need to stop the jobs that are using it
+  depends_on = [data.nomad_plugin.smb]
+  plugin_id  = "smb"
+
+  volume_id = "unraid_appdata_jellyfin"
+  name      = "unraid_appdata_jellyfin"
+
+  external_id = "unraid_appdata_jellyfin"
+
+  capability {
+    access_mode     = "single-node-writer"
+    attachment_mode = "file-system"
+  }
+
+  context = {
+    source = "//betelgeuse-seven-unraid.lan/appdata"
+    subDir = "jellyfin" # Note: Needs to be manually created on the share
+  }
+
+  secrets = {
+    "username" = "nomad"
+    "password" = data.sops_file.secrets.data["unraid.nomad"]
+  }
+}
+
+resource "nomad_csi_volume_registration" "unraid_media_jellyfin" {
+  #Note: Before chaning the definition of this volume you need to stop the jobs that are using it
+  depends_on = [data.nomad_plugin.smb]
+  plugin_id  = "smb"
+
+  volume_id = "unraid_media_jellyfin"
+  name      = "unraid_media_jellyfin"
+
+  external_id = "unraid_media_jellyfin"
+
+  capability {
+    access_mode     = "single-node-writer"
+    attachment_mode = "file-system"
+  }
+
+  context = {
+    source = "//betelgeuse-seven-unraid.lan/media"
+  }
+
+  secrets = {
+    "username" = "nomad"
+    "password" = data.sops_file.secrets.data["unraid.nomad"]
+  }
+}