sam-6174/jellytin

Jellytin

Put your local Jellyfin server in a tin, and securely serve it up on the internet 🚀

Intro

This project is especially helpful if you:

1. Have a local Jellyfin server that you want to access over the internet
2. Do not currently have any infrastructure to expose services to the internet
3. Wish to hide + secure Jellyfin behind an identity provider
4. Wish to use Jellyfin clients (Android, etc.)

If you're wondering, "why can't I just expose my Jellyfin server to the internet?" I recommend reading Collection of potential security issues in Jellyfin

The final deployment looks like this:

👤 -> VPS -> Nginx -> Tailscale -> Nginx -> Authentik -> Jellyfin

Dependencies

• Virtual Private Server (VPS)
  • BuyKVM is $2/month, but any VPS with an IPv4 address will do
  • Additional layer of security, e.g. hide your personal IP
• Nginx Proxy Manager
  • Management UI for Nginx
• Tailscale
  • Tunnel from VPS to your local network
• Authentik
  • Provide authentication via LDAP, SSO, etc.
• Jellyfin
  • You should already have a Jellyfin server

Future Improvements

1. Keep an eye on Jellyfin's SSO plugin and incorporate it here, once it is stable and no longer "100% alpha software."

2. Await NPM's Fail2Ban feature request.

3. Await NPM's CrowdSec feature request.

Footnote

If you're using a Raspberry Pi, then you will need the 64-bit OS.

Instructions

Install docker & docker-compose

• Skip if already installed on your system
• Otherwise, install via ./docker_install.sh

Deploy Authentik

• Deploy via ./authentik/
• Generalize yourself with Outposts, Providers, & Applications
  • tl;dr to deploy an application in Authentik, you need an Outpost to service a Provider, which services an Application

Deploy Nginx Proxy Manager

• Deploy via ./nginx_proxy_manager/

Purchase & Configure Cloudflare Domain

• Configure via ./docs/cloudflare_domain.md

Harden Your VPS

• Harden via ./docs/vps_harden.md

Configure Tailscale

• Configure via ./docs/tailscale_configure.md

Deploy VPS Tunnel

• Deploy via ./vps_tunnel/

Deploy NPM Tunnel

• Deploy via ./npm_tunnel/

Configure Tunnel Routing

• Configure via ./docs/vps_routing.md

Configure Nginx -> Authentik

• Configure via ./docs/npm_to_authentik.md

Configure Authentik -> Jellyfin

• Configure via ./docs/authentik_to_jellyfin.md

Deploy Authentik LDAP Service

• Deploy via ./authentik_ldap/

Configure Jellyfin for LDAP Authentication

• Configure via ./docs/jellyfin_ldap.md

Create Jellyfin Users via Authentik

• Create via ./docs/jellyfin_ldap_users.md

Configure NPM to Enable Jellyfin Client Apps

• Configure via ./docs/jellyfin_client_whitelist.md

---

The End 🎉

You can use the helper script at ./all.sh to control this stack.