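# NixOS module: runs Jellyfin inside a declarative NixOS container that is
# attached to the host bridge br0 with its own static address.
#
# Arguments:
#   lib, pkgs   - the usual module arguments.
#   configVars  - project-supplied attribute set; this file reads only
#                 networking.addresses.{jellyfin,gateway}.ip from it.
{ lib, pkgs, configVars, ... }:
let
  # Every file found under ../../users/keys (recursively) is later read
  # verbatim as a root authorized key for the container.
  # NOTE(review): nothing here filters by file name, so a README or any stray
  # file in that tree would also end up in authorized_keys. Confirm that the
  # directory holds public keys only, and review changes to it as access grants.
  pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
  containerName = "jellyfin";
  containerIp = configVars.networking.addresses.jellyfin.ip;
  gatewayIp = configVars.networking.addresses.gateway.ip;
in
{
  # Keep the container's root filesystem across reboots of an
  # impermanence-style host.
  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [ "/var/lib/nixos-containers/${containerName}" ];
  };

  # NOTE(review): with hostBridge set, the host-side veth is normally named
  # "vb-<name>" and joined to the bridge, so the "ve-+" match below presumably
  # does not cover this container. Confirm whether NAT is needed at all here.
  networking.nat.enable = true;
  networking.nat.internalInterfaces = [ "ve-+" ];
  networking.nat.externalInterface = "br0";

  containers.${containerName} = {
    autoStart = true;
    privateNetwork = true;
    hostBridge = "br0";
    nixpkgs = pkgs.path;

    bindMounts = {
      # Jellyfin state (config, metadata, cache) lives on the host and is
      # writable from inside the container.
      "/var/lib/jellyfin" = {
        hostPath = "/media/main-ssd/jellyfin";
        isReadOnly = false;
      };
      # The media library is mounted read-only, so a compromised Jellyfin
      # process cannot modify or delete the library through this mount.
      "/var/lib/jellyfin/data/media" = {
        hostPath = "/media/media";
        isReadOnly = true;
      };
    };

    config = { pkgs, lib, ... }: {
      networking = {
        defaultGateway = gatewayIp;
        interfaces.eth0.ipv4.addresses = [
          {
            address = containerIp;
            prefixLength = 24;
          }
        ];
        firewall = {
          enable = true;
          # 8096/tcp is Jellyfin's HTTP port.
          allowedTCPPorts = [ 8096 ];
        };
        # The container uses systemd-resolved instead of the host's resolv.conf.
        useHostResolvConf = lib.mkForce false;
      };

      services.resolved.enable = true;

      services.jellyfin = {
        enable = true;
        # NOTE(review): openFirewall opens the module's full default port set
        # (HTTPS and the UDP discovery ports as well as 8096), which is wider
        # than the explicit allowedTCPPorts list above. Set it to false if only
        # 8096/tcp should be reachable.
        openFirewall = true;
        user = "jellyfin";
      };

      environment.systemPackages = [
        pkgs.jellyfin
        pkgs.jellyfin-web
        pkgs.jellyfin-ffmpeg
      ];

      services.openssh = {
        enable = true;
        settings = {
          PasswordAuthentication = false;
          # PasswordAuthentication alone leaves the keyboard-interactive (PAM)
          # path enabled, which can still accept a password for any account
          # that has one. Disabling it makes sshd key-only in practice.
          KbdInteractiveAuthentication = false;
        };
      };

      # Root is the only SSH account configured here; access is granted by the
      # key files collected in pubKeys.
      # NOTE(review): the container is root-accessible over the bridged network,
      # so treat these keys as privileged credentials and confirm how strongly
      # the container is isolated from the host.
      users.users.root = {
        openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
      };

      system.stateVersion = "24.05";
    };
  };
}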