diff --git a/hieradata/roles/apps/media/jellyfin.yaml b/hieradata/roles/apps/media/jellyfin.yaml
new file mode 100644
index 0000000..8a761bd
--- /dev/null
+++ b/hieradata/roles/apps/media/jellyfin.yaml
@@ -0,0 +1,48 @@
+---
+hiera_include:
+  - jellyfin
+  - profiles::nginx::simpleproxy
+
+# manage jellyfin
+jellyfin::params::service_enable: true
+
+# additional altnames
+profiles::pki::vault::alt_names:
+  - jellyfin.main.unkin.net
+  - jellyfin.service.consul
+  - jellyfin.query.consul
+  - "jellyfin.service.%{facts.country}-%{facts.region}.consul"
+
+# manage a simple nginx reverse proxy
+profiles::nginx::simpleproxy::nginx_vhost: 'jellyfin.query.consul'
+profiles::nginx::simpleproxy::nginx_aliases:
+  - jellyfin.main.unkin.net
+  - jellyfin.service.consul
+  - jellyfin.query.consul
+  - "jellyfin.service.%{facts.country}-%{facts.region}.consul"
+profiles::nginx::simpleproxy::proxy_port: 8096
+profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
+profiles::nginx::simpleproxy::proxy_path: '/'
+
+# configure consul service
+nginx::client_max_body_size: 10M
+consul::services:
+  jellyfin:
+    service_name: 'jellyfin'
+    tags:
+      - 'media'
+      - 'jellyfin'
+    address: "%{facts.networking.ip}"
+    port: 443
+    checks:
+      - id: 'jellyfin_http_check'
+        name: 'jellyfin HTTP Check'
+        http: "https://%{facts.networking.fqdn}:443"
+        method: 'GET'
+        tls_skip_verify: true
+        interval: '10s'
+        timeout: '1s'
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: jellyfin
+    disposition: write
diff --git a/site/profiles/manifests/media/jellyfin.pp b/site/profiles/manifests/media/jellyfin.pp
new file mode 100644
index 0000000..9502e0d
--- /dev/null
+++ b/site/profiles/manifests/media/jellyfin.pp
@@ -0,0 +1,31 @@
+# profiles::media::jellyfin
+class profiles::media::jellyfin (
+  Stdlib::Absolutepath $media_root = '/shared/media',
+) {
+
+  include profiles::ceph::client
+
+  # manage the sharedvol
+  profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_media":
+    mount       => $media_root,
+    keyring     => '/etc/ceph/ceph.client.media.keyring',
+    cephfs_name => 'media',
+    cephfs_fs   => 'mediafs',
+    require     => Profiles::Ceph::Keyring['media'],
+  }
+
+  # export haproxy balancemember
+  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_443":
+    service => 'be_jellyfin',
+    ports   => [443],
+    options => [
+      "cookie ${facts['networking']['hostname']}",
+      'ssl',
+      'verify none',
+      'check',
+      'inter 2s',
+      'rise 3',
+      'fall 2',
+    ]
+  }
+}
diff --git a/site/roles/manifests/apps/media/jellyfin.pp b/site/roles/manifests/apps/media/jellyfin.pp
new file mode 100644
index 0000000..0a40853
--- /dev/null
+++ b/site/roles/manifests/apps/media/jellyfin.pp
@@ -0,0 +1,11 @@
+# jellyfin server profile
+class roles::apps::media::jellyfin {
+  if $facts['firstrun'] {
+    include profiles::defaults
+    include profiles::firstrun::init
+  }else{
+    include profiles::defaults
+    include profiles::base
+    include profiles::media::jellyfin
+  }
+}