Multimedia:Jellyfin: Difference between revisions

In their own words, "Jellyfin is the volunteer-built media solution that puts you in control of your media. Stream to any device from your own server, with no strings attached. Your media, your server, your way." More information on Multimedia:Jellyfin can be found on their website.

This service was setup to enable multimedia streaming both locally and externally from my home as a replacement to Plex. Authorized users can navigate to my Jellyfin server and login. Access is managed locally and given to close friends and family members.

This guide is intended for those attempting Jellyfin setup on a fresh server. For more information about the infrastructure behind this service, please see Servers:SAD-JELLY01.

1. Install and configure a virtual machine according to the directions located at Servers:SAD-Jelly01. This is an Authentication:Active Directory bound server as it must communicate with the back end file server Servers:SAD-FILES01 to pull media files. For security reasons, this server has read-only permissions to the multimedia share enabled by Users and Groups:sg_multimedia_ro.
2. Once the server is bound to the domain, add the following repos to the server by using the following commands:

# Fedora EPEL Repo
sudo dnf install --nogpgcheck https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E %rhel).noarch.rpm
# RPM Fusion Non-Free
sudo dnf install --nogpgcheck https://mirrors.rpmfusion.org/free/el/rpmfusion-free-release-$(rpm -E %rhel).noarch.rpm https://mirrors.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-$(rpm -E %rhel).noarch.rpm
# Activate CRB Repo
dnf config-manager --set-enabled crb 

3. Install the Jellyfin server and associated packages:

sudo dnf install jellyfin jellyfin-server jellyfin-web jellyfin-firewalld

4. Enable Jellyfin to start at boot with the following command:

sudo systemctl enable --now jellyfin

5. Allow Jellyfin through the firewall

# Add an exception to firewalld
sudo firewall-cmd --permanent --add-service=jellyfin
# Restart firewalld
sudo firewall-cmd --reload

6. Start Jellyfin for the first time and ensure the service is running.

# Start the Jellyfin service
sudo systemctl start jellyfin
# Check to see if the service is running
sudo systemctl status jellyfin

7. In your web browser navigate to http://SERVER-IP:8096. You may also use the server's hostname or a CNAME if you have it setup. Ensure you can reach the Jellyfin setup wizard and continue on to Post-Install Configuration.

Mount a SMB Network Drive on Rocky Linux

In my environment, all files are stored on Servers:SAD-FILES01. To access multimedia files, I created the service account Users and Groups:svc_jellyfin and gave it membership to service group Users and Groups:sg_multimedia_ro. This enables svc_jellyfin to have read-only access to the files stored in the Multimedia share. Once the service account has access to the files, I proceeded to map the share in the fstab file and mount the disk:

1. Create a mount point for the share:

mkdir /mnt/multimedia

2. Install the necessary packages to mount Samba shares:

sudo dnf install cifs-utils samba-client

3. Open the fstab file and add the following line. You may need to change some values depending on the environment:

# Open the fstab
sudo vi /etc/fstab
# Add the mount point
//10.1.30.30/Multimedia /mnt/multimedia cifs credentials=/etc/samba/credentials,uid=1000,gid=1000,vers=3.0 0 0
# Save and close the file
(esc) wq!

4. We must define the credentials of Users and Groups:svc_jellyfin in the file located at /etc/samba/credentials:

# Open the file
sudo vi /etc/samba/credentials
# Add the credentials
username=svc_jellyfin
password=TYPE PASSWORD HERE
# Save and exit
(esc) wq!
# Give the file proper permissions
sudo chmod 600 /etc/samba/credentials

5. Run the mount command and ensure the share is mounted. You may need to troubleshoot mounting, but this process worked fine in my environment.

# Mount the share
sudo mount -a
# Navigate to /mnt/Multimedia and ensure files are available
cd /mnt/Multimedia
ls -ln
<files should show up>

6. You may now proceed to the Jellyfin setup wizard and complete setup by mapping libraries to the filesystem as you see fit.

Port-Forward Jellyfin behind HAProxy

By utilizing Security:HaProxy on Servers:SAD-HME-FW01, I can safely port forward Jellyfin to the internet so my users and I can access content. I only have to open port 443 for all of my services behind HaProxy and traffic is routed using the rules configured below. Additionally, HaProxy enables me to issue SSL certificates via Security: ACME Client to all of my services. Please note, this guide only covers configuring the Jellyfin proxy, not all of the services that are utilized.

1. Login to the firewall and navigate to Services, click on HaProxy, then click on Settings. Navigate to each tab at the top and configure as documented.
2. Real Servers
   1. Click the + button and enter the following settings:
      1. Enabled: Checked
      2. Name or Prefix: stream
      3. Description: stream.sysadminafterdark.com
      4. Type: Static
      5. FDQN or IP (Type the IP of your Jellyfin server): 10.1.53.5
      6. Port: 8096
      7. Mode: Active
      8. SSL: Unchecked
      9. SSL SNI: (Blank)
      10. Verify SSL Certificate: Unchecked
      11. SSL Verify CA: Nothing Selected
      12. Click Save, then click Apply.
3. Virtual Services - Backend Pools
   1. Click the + button and enter the following settings:
      1. Name or Prefix: stream
      2. Description: stream.sysadminafterdark.com
      3. Mode: HTTP (Layer 7)
      4. Balancing Algorithm: Source IP Hash
      5. Servers: stream (select from list)
      6. Everything else can be left blank or at defaults. Click Save, then click Apply.
4. Vertical Services - Public Services
   1. This is HaProxy's Public Web Pool configuration settings. All rules utilize this configuration for ssl offload, routing traffic to the correct server and only needs to be setup or configured once. At the time of writing this is not yet documented. Please see Security:HaProxy in the future for configuring HaProxy.
   2. However, we must add the rules we defined above to the Select Rules dropdown. Click the dropdown and ensure all of your servers, including "stream" is selected and click save.
5. Rules and Checks - Conditions
   1. Click the + button and enter the following settings:
      1. Name: Stream
      2. Description: stream.sysadminafterdark.com
      3. Condition Type: Host Starts With
      4. Host Prefix: stream.sysadminafterdark.com
      5. All other settings do not need configured. Click Save, then click Apply.
6. Rules and Checks - Rules
   1. Click the + button and enter the following settings:
      1. Name: stream
      2. Description: stream.sysadminafterdark.com
      3. Test Type: IF
      4. Select Conditions: stream
      5. Logical Operator: AND
      6. Execute function: Use Specified Backend Pool
      7. Use Backend Pool: stream
      8. Click Save, then click Apply.

Cloudflare Configuration

According to Cloudflare's TOS, formally section 2.8, it is against their policy to cache large amounts of multimedia data on their servers. You can read more about this on their blog article Goodbye, section 2.8 and hello to Cloudflare’s new terms of service. I have no interest in caching data, however, I still need to protect my origin IP. Nothing in their TOS states routing large amounts of data is against their policy. Keeping this in mind, I created a proxyed DNS record to point to my firewall (See above HAProxy documentation) and disabled caching for this URL.

1. Create a public DNS record on Cloudflare
   1. Login to the Cloudflare dashboard and select your domain.
   2. On the sidebar, click DNS then click Records.
   3. Click the blue Add Record button. Create a new A record that points to the public IP of the firewall, a name (such as stream), and ensure the proxy status is on.
2. Turn caching off for this URL to be complaint with Cloudflare TOS.
   1. On the sidebar, navigate to Caching then click on Cache Rules.
   2. Click the blue Create Rule button and fill in the following information:
      1. Rule Name: Bypass Cache - Jellyfin
      2. Select the Custom Filter Expression radio button
      3. Field: Hostname
      4. Operator: Equals
      5. Value: stream.sysadminafterdark.com
      6. Then: Bypass Cache
      7. Click the blue Deploy button.

We are now compliant with Cloudflare terms of service and we can protect our origin URL.

Updates to Jellyfin are processed through the repos added during the above process. No further action at this time is needed to maintain this service other than regular monthly updates.

This setup guide has successfully been deployed to sysadminafterdark production.