galanthus: Tailscale services declaratively, Jellyfin no container

Tailscale services can now be declared in Nix, which also eliminates my need for containers completely. Jellyfin hardware encoding can now also be implemented using the Nix module. Hardware support now implemented with nixos-hardware.
2026-02-05 11:41:00 +01:00 · 2026-02-05 11:41:00 +01:00 · aaf705b7d6
commit aaf705b7d6
parent 6addf51d68
6 changed files with 88 additions and 111 deletions
--- a/modules/nixos/jellyfin.nix
+++ b/modules/nixos/jellyfin.nix
@ -1,91 +1,40 @@
+{ pkgs, ... }:
 {
-  containers.jellyfin = {
-    autoStart = true;
-    allowedDevices = [
-      {
-        node = "/dev/dri/card0";
-        modifier = "rw";
-      }
-      {
-        node = "/dev/dri/renderD128";
-        modifier = "rw";
-      }
-    ];
-    bindMounts = {
-      "/media" = {
-        hostPath = "/mnt/sdb1/media";
-        isReadOnly = false;
+  services = {
+    jellyfin = {
+      enable = true; # port = 8096
+
+      hardwareAcceleration = {
+        enable = true;
+        type = "qsv";
+        device = "/dev/dri/renderD128";
      };
-      "/dev/dri/card0" = {
-        hostPath = "/dev/dri/card0";
-        isReadOnly = false;
-      };
-      "/dev/dri/renderD128" = {
-        hostPath = "/dev/dri/renderD128";
-        isReadOnly = false;
+
+      # forceEncodingConfig = true;
+
+      transcoding = {
+        enableHardwareEncoding = true;
      };
    };
+  };

-    config =
-      { pkgs, ... }:
-      {
-        services = {
-          jellyfin = {
-            enable = true; # port = 8096
-          };
-
-          tailscale = {
-            enable = true;
-            useRoutingFeatures = "server";
-            interfaceName = "userspace-networking";
-          };
-        };
-
-        environment.systemPackages = with pkgs; [
-          jellyfin
-          jellyfin-web
-          jellyfin-ffmpeg
-          libva-utils
+  ## Grab EPG data daily
+  systemd = {
+    services = {
+      epg = {
+        script = "${pkgs.nodejs}/bin/npm run --prefix /media/TV/epg/ grab -- --channels=custom.channels.xml";
+        path = [
+          pkgs.bash
+          pkgs.nodejs
        ];
-
-        ## Hardware transcoding
-        nixpkgs.config.allowUnfree = true;
-
-        hardware.graphics = {
-          enable = true;
-          extraPackages = with pkgs; [
-            ## Intel Core i5 Skylake
-            intel-ocl
-            intel-media-driver
-            intel-compute-runtime-legacy1
-          ];
+        serviceConfig = {
+          Type = "oneshot";
+          User = "root";
        };
-
-        ## Grab EPG data daily
-        systemd = {
-          services = {
-            epg = {
-              script = "${pkgs.nodejs}/bin/npm run --prefix /media/TV/epg/ grab -- --channels=custom.channels.xml";
-              path = [
-                pkgs.bash
-                pkgs.nodejs
-              ];
-              serviceConfig = {
-                Type = "oneshot";
-                User = "root";
-              };
-              startAt = "daily"; # Creates a timer
-            };
-            jellyfin.environment.LIBVA_DRIVER_NAME = "iHD";
-          };
-          timers.epg.timerConfig.Persistent = true;
-        };
-
-        environment.sessionVariables = {
-          LIBVA_DRIVER_NAME = "iHD";
-        };
-
-        system.stateVersion = "24.05";
+        startAt = "daily"; # Creates a timer
      };
+      jellyfin.environment.LIBVA_DRIVER_NAME = "iHD";
+    };
+    timers.epg.timerConfig.Persistent = true;
  };
 }
--- a/modules/nixos/samba.nix
+++ b/modules/nixos/samba.nix
@ -9,7 +9,6 @@
      global = {
        "vfs objects" = "catia fruit streams_xattr";
        # "fruit:model" = "MacPro7,1@ECOLOR=226,226,224";
-        "fruit:model" = "MacSamba";
      };

      TimeMachine = {
--- a/modules/nixos/tailscale.nix
+++ b/modules/nixos/tailscale.nix
@ -4,29 +4,34 @@
    enable = true;
    useRoutingFeatures = "both";
    extraUpFlags = [ "--ssh" ];
+
+    serve = {
+      enable = true;
+      services = {
+        cloud = {
+          endpoints = {
+            "tcp:443" = "https://localhost:3923";
+          };
+        };
+        jellyfin = {
+          endpoints = {
+            "tcp:443" = "https://localhost:8096";
+          };
+        };
+      };
+    };
  };

  networking = {
    nftables.enable = true;
    firewall = {
      enable = true;
-      # Always allow traffic from your Tailscale network
      trustedInterfaces = [ "${config.services.tailscale.interfaceName}" ];
-      # Allow the Tailscale UDP port through the firewall
      allowedUDPPorts = [ config.services.tailscale.port ];
-      checkReversePath = "loose";
    };
  };

-  # 2. Force tailscaled to use nftables (Critical for clean nftables-only systems)
-  # This avoids the "iptables-compat" translation layer issues.
  systemd.services.tailscaled.serviceConfig.Environment = [
    "TS_DEBUG_FIREWALL_MODE=nftables"
  ];
-
-  # 3. Optimization: Prevent systemd from waiting for network online
-  # (Optional but recommended for faster boot with VPNs)
-  # systemd.network.wait-online.enable = false;
-  # boot.initrd.systemd.network.wait-online.enable = false;
-  systemd.network.wait-online.ignoredInterfaces = [ "${config.services.tailscale.interfaceName}" ];
 }