Jellytin

Put your local Jellyfin server in a tin, and securely serve it up on the internet 🚀

Intro

This project is especially helpful if you:

Have a local Jellyfin server that you want to access over the internet
Do not currently have any infrastructure to expose services to the internet
Wish to hide + secure Jellyfin behind an identity provider
Wish to use Jellyfin clients (Android, etc.)

If you're wondering, "why can't I just expose my Jellyfin server to the internet?" I recommend reading Collection of potential security issues in Jellyfin

The final deployment looks like this:

👤 -> VPS -> Nginx -> Tailscale -> Nginx -> Authentik -> Jellyfin

Dependencies

Virtual Private Server (VPS)
- BuyKVM is $2/month, but any VPS with an IPv4 address will do
- Additional layer of security, e.g. hide your personal IP
Nginx Proxy Manager
- Management UI for Nginx
Tailscale
- Tunnel from VPS to your local network
Authentik
- Provide authentication via LDAP, SSO, etc.
Jellyfin
- You should already have a Jellyfin server

Future Improvements

Keep an eye on Jellyfin's SSO plugin and incorporate it here, once it is stable and no longer "100% alpha software."
Await NPM's Fail2Ban feature request.
Await NPM's CrowdSec feature request.

Footnote

If you're using a Raspberry Pi, then you will need the 64-bit OS.

Instructions

Install `docker` & `docker-compose`

Skip if already installed on your system
Otherwise, install via ./docker_install.sh

Deploy Authentik

Deploy via ./authentik/
Generalize yourself with Outposts, Providers, & Applications
- tl;dr to deploy an application in Authentik, you need an Outpost to service a Provider, which services an Application

Deploy Nginx Proxy Manager

Deploy via ./nginx_proxy_manager/

Purchase & Configure Cloudflare Domain

Configure via ./docs/cloudflare_domain.md

Harden Your VPS

Harden via ./docs/vps_harden.md

Configure Tailscale

Configure via ./docs/tailscale_configure.md

Deploy VPS Tunnel

Deploy via ./vps_tunnel/

Deploy NPM Tunnel

Deploy via ./npm_tunnel/

Configure Tunnel Routing

Configure via ./docs/vps_routing.md

Configure Nginx -> Authentik

Configure via ./docs/npm_to_authentik.md

Configure Authentik -> Jellyfin

Configure via ./docs/authentik_to_jellyfin.md

Deploy Authentik LDAP Service

Deploy via ./authentik_ldap/

Configure Jellyfin for LDAP Authentication

Configure via ./docs/jellyfin_ldap.md

Create Jellyfin Users via Authentik

Create via ./docs/jellyfin_ldap_users.md

Configure NPM to Enable Jellyfin Client Apps

Configure via ./docs/jellyfin_client_whitelist.md

The End 🎉

You can use the helper script at ./all.sh to control this stack.

jellytin
jellytin copied to clipboard

Metadata

Jellytin

Intro

Dependencies

Future Improvements

Footnote

Instructions

Install `docker` & `docker-compose`

Deploy Authentik

Deploy Nginx Proxy Manager

Purchase & Configure Cloudflare Domain

Harden Your VPS

Configure Tailscale

Deploy VPS Tunnel

Deploy NPM Tunnel

Configure Tunnel Routing

Configure Nginx -> Authentik

Configure Authentik -> Jellyfin

Deploy Authentik LDAP Service

Configure Jellyfin for LDAP Authentication

Create Jellyfin Users via Authentik

Configure NPM to Enable Jellyfin Client Apps

The End 🎉

← Metadata

Owner

Metadata

jellytin jellytin copied to clipboard

Metadata

Jellytin

Intro

Dependencies

Future Improvements

Footnote

Instructions

Install docker & docker-compose

Deploy Authentik

Deploy Nginx Proxy Manager

Purchase & Configure Cloudflare Domain

Harden Your VPS

Configure Tailscale

Deploy VPS Tunnel

Deploy NPM Tunnel

Configure Tunnel Routing

Configure Nginx -> Authentik

Configure Authentik -> Jellyfin

Deploy Authentik LDAP Service

Configure Jellyfin for LDAP Authentication

Create Jellyfin Users via Authentik

Configure NPM to Enable Jellyfin Client Apps

The End 🎉

← Metadata

Owner

Metadata

jellytin
jellytin copied to clipboard

Install `docker` & `docker-compose`