hieradata/country/au/region/syd1/infra/halb/haproxy.yaml

@@ -11,6 +11,7 @@ profiles::haproxy::mappings:
       - 'lidarr.main.unkin.net be_lidarr'
       - 'readarr.main.unkin.net be_readarr'
       - 'prowlarr.main.unkin.net be_prowlarr'
+      - 'jellyfin.main.unkin.net be_jellyfin'
   fe_https:
     ensure: present
     mappings:
@@ -21,6 +22,7 @@ profiles::haproxy::mappings:
       - 'lidarr.main.unkin.net be_lidarr'
       - 'readarr.main.unkin.net be_readarr'
       - 'prowlarr.main.unkin.net be_prowlarr'
+      - 'jellyfin.main.unkin.net be_jellyfin'
 
 profiles::haproxy::frontends:
   fe_http:
@@ -153,6 +155,22 @@ profiles::haproxy::backends:
         - set-header X-Forwarded-Port %[dst_port]
         - add-header X-Forwarded-Proto https if { dst_port 443 }
       redirect: 'scheme https if !{ ssl_fc }'
+  be_jellyfin:
+    description: Backend for au-syd1 jellyfin
+    collect_exported: false # handled in custom function
+    options:
+      balance: roundrobin
+      option:
+        - httpchk GET /
+        - forwardfor
+        - http-keep-alive
+        - prefer-last-server
+      cookie: SRVNAME insert indirect nocache
+      http-reuse: always
+      http-request:
+        - set-header X-Forwarded-Port %[dst_port]
+        - add-header X-Forwarded-Proto https if { dst_port 443 }
+      redirect: 'scheme https if !{ ssl_fc }'
 
 profiles::haproxy::certlist::enabled: true
 profiles::haproxy::certlist::certificates:
@@ -167,6 +185,7 @@ profiles::pki::vault::alt_names:
   - lidarr.main.unkin.net
   - readarr.main.unkin.net
   - prowlarr.main.unkin.net
+  - jellyfin.main.unkin.net
 
 # additional cnames
 profiles::haproxy::dns::cnames:

hieradata/roles/apps/media/jellyfin.yaml

@@ -0,0 +1,48 @@
+---
+hiera_include:
+  - jellyfin
+  - profiles::nginx::simpleproxy
+
+# manage jellyfin
+jellyfin::params::service_enable: true
+
+# additional altnames
+profiles::pki::vault::alt_names:
+  - jellyfin.main.unkin.net
+  - jellyfin.service.consul
+  - jellyfin.query.consul
+  - "jellyfin.service.%{facts.country}-%{facts.region}.consul"
+
+# manage a simple nginx reverse proxy
+profiles::nginx::simpleproxy::nginx_vhost: 'jellyfin.query.consul'
+profiles::nginx::simpleproxy::nginx_aliases:
+  - jellyfin.main.unkin.net
+  - jellyfin.service.consul
+  - jellyfin.query.consul
+  - "jellyfin.service.%{facts.country}-%{facts.region}.consul"
+profiles::nginx::simpleproxy::proxy_port: 8096
+profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
+profiles::nginx::simpleproxy::proxy_path: '/'
+
+# configure consul service
+nginx::client_max_body_size: 10M
+consul::services:
+  jellyfin:
+    service_name: 'jellyfin'
+    tags:
+      - 'media'
+      - 'jellyfin'
+    address: "%{facts.networking.ip}"
+    port: 443
+    checks:
+      - id: 'jellyfin_http_check'
+        name: 'jellyfin HTTP Check'
+        http: "https://%{facts.networking.fqdn}:443"
+        method: 'GET'
+        tls_skip_verify: true
+        interval: '10s'
+        timeout: '1s'
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: jellyfin
+    disposition: write

modules/jellyfin/manifests/init.pp

@@ -0,0 +1,11 @@
+# manage jellyfin
+class jellyfin (
+  $packages           = $jellyfin::params::packages,
+  $service_enable     = $jellyfin::params::service_enable,
+) inherits jellyfin::params {
+
+  include jellyfin::install
+  include jellyfin::service
+
+  Class['jellyfin::install'] -> Class['jellyfin::service']
+}

modules/jellyfin/manifests/install.pp

@@ -0,0 +1,14 @@
+# install jellyfin
+class jellyfin::install (
+  $packages      = $jellyfin::packages,
+) {
+
+  $_packages = $packages ? {
+    Array   => true,
+    default => false,
+  }
+
+  if $_packages {
+    ensure_packages($packages, {ensure => 'installed'})
+  }
+}

modules/jellyfin/manifests/params.pp

@@ -0,0 +1,13 @@
+# jellyfin params
+class jellyfin::params (
+  Array[String]             $packages = [
+    'jellyfin',
+    'jellyfin-web',
+    'jellyfin-server',
+    'SDL2',
+    'ffmpeg',
+    'ffmpeg-devel',
+  ],
+  String                    $service_name    = 'jellyfin',
+  Boolean                   $service_enable  = true,
+) { }

modules/jellyfin/manifests/service.pp

@@ -0,0 +1,10 @@
+# manage jellyfin service
+class jellyfin::service (
+  $service_enable = $jellyfin::service_enable,
+  $service_name   = $jellyfin::service_name,
+) {
+  service{$service_name:
+    ensure => $service_enable,
+    enable => $service_enable,
+  }
+}

site/profiles/manifests/media/jellyfin.pp

@@ -0,0 +1,31 @@
+# profiles::media::jellyfin
+class profiles::media::jellyfin (
+  Stdlib::Absolutepath $media_root = '/shared/media',
+) {
+
+  include profiles::ceph::client
+
+  # manage the sharedvol
+  profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_media":
+    mount       => $media_root,
+    keyring     => '/etc/ceph/ceph.client.media.keyring',
+    cephfs_name => 'media',
+    cephfs_fs   => 'mediafs',
+    require     => Profiles::Ceph::Keyring['media'],
+  }
+
+  # export haproxy balancemember
+  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_443":
+    service => 'be_jellyfin',
+    ports   => [443],
+    options => [
+      "cookie ${facts['networking']['hostname']}",
+      'ssl',
+      'verify none',
+      'check',
+      'inter 2s',
+      'rise 3',
+      'fall 2',
+    ]
+  }
+}

site/roles/manifests/apps/media/jellyfin.pp

@@ -0,0 +1,11 @@
+# jellyfin server profile
+class roles::apps::media::jellyfin {
+  if $facts['firstrun'] {
+    include profiles::defaults
+    include profiles::firstrun::init
+  }else{
+    include profiles::defaults
+    include profiles::base
+    include profiles::media::jellyfin
+  }
+}