History
In their own words, "Jellyfin is the volunteer-built media solution that puts you in control of your media. Stream to any device from your own server, with no strings attached. Your media, your server, your way." More information on Multimedia:Jellyfin can be found on their website.
This service was set up to enable multimedia streaming both locally and externally from my home as a replacement for Plex. Authorized users can navigate to my Jellyfin server and log in. Access is managed locally and given to close friends and family members.
Deployment
This guide is intended for those attempting Jellyfin setup on a fresh server. For more information about the infrastructure behind this service, please see Servers:SAD-JELLY01.
- Install and configure a virtual machine according to the directions located at Servers:SAD-Jelly01. This is an Authentication:Active Directory bound server as it must communicate with the back end file server Servers:SAD-FILES01 to pull media files. For security reasons, this server has read-only permissions to the multimedia share enabled by Users and Groups:sg_multimedia_ro.
- Once the server is bound to the domain, add the following repos to the server by using the following commands:
# Fedora EPEL Repo
sudo dnf install --nogpgcheck https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E %rhel).noarch.rpm
# RPM Fusion Free and Non-Free
sudo dnf install --nogpgcheck https://mirrors.rpmfusion.org/free/el/rpmfusion-free-release-$(rpm -E %rhel).noarch.rpm https://mirrors.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-$(rpm -E %rhel).noarch.rpm
# Activate CRB Repo
sudo dnf config-manager --set-enabled crb
- Install the Jellyfin server and associated packages:
sudo dnf install jellyfin jellyfin-server jellyfin-web jellyfin-firewalld
- Enable Jellyfin to start at boot with the following command:
sudo systemctl enable --now jellyfin
- Allow Jellyfin through the firewall:
# Add an exception to firewalld
sudo firewall-cmd --permanent --add-service=jellyfin
# Reload firewalld to apply the change
sudo firewall-cmd --reload
- Start Jellyfin for the first time and ensure the service is running.
# Start the Jellyfin service
sudo systemctl start jellyfin
# Check to see if the service is running
sudo systemctl status jellyfin
- In your web browser, navigate to http://SERVER-IP:8096. You may also use the server's hostname or a CNAME if you have it set up. Ensure you can reach the Jellyfin setup wizard and continue on to Post-Install Configuration.
Post-Install Configuration
Mount an SMB Network Drive on Rocky Linux
In my environment, all files are stored on Servers:SAD-FILES01. To access multimedia files, I created the service account Users and Groups:svc_jellyfin and gave it membership to service group Users and Groups:sg_multimedia_ro. This enables svc_jellyfin to have read-only access to the files stored in the Multimedia share. Once the service account has access to the files, I proceeded to map the share in the fstab file and mount the disk:
- Create a mount point for the share:
sudo mkdir /mnt/multimedia
- Install the necessary packages to mount Samba shares:
sudo dnf install cifs-utils samba-client
- Open the fstab file and add the following line. You may need to change some values depending on the environment:
# Open the fstab
sudo vi /etc/fstab
# Add the mount point
//10.1.30.30/Multimedia /mnt/multimedia cifs credentials=/etc/samba/credentials,uid=1000,gid=1000,vers=3.0 0 0
# Save and close the file: press Esc, then type :wq!
- We must define the credentials of Users and Groups:svc_jellyfin in the file located at /etc/samba/credentials:
# Open the file
sudo vi /etc/samba/credentials
# Add the credentials
username=svc_jellyfin
password=TYPE PASSWORD HERE
# Save and exit: press Esc, then type :wq!
# Give the file proper permissions
sudo chmod 600 /etc/samba/credentials
- Run the mount command and ensure the share is mounted. You may need to troubleshoot mounting, but this process worked fine in my environment.
# Mount the share
sudo mount -a
# Navigate to /mnt/multimedia and ensure files are available
cd /mnt/multimedia
ls -ln
# <files should show up>
- You may now proceed to the Jellyfin setup wizard and complete setup by mapping libraries to the filesystem as you see fit.
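The following check is an added example, not part of the original guide: it audits the cifs entries in an fstab file and confirms the credentials file carries no group or other permission bits. The function names `audit_cifs_fstab` and `cred_file_private` and the second sample entry (192.0.2.10) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit CIFS entries in an fstab file and the mode of the
# credentials file. Function names are illustrative, not from any package.

# Print one finding per line for each cifs entry in the fstab given as $1.
audit_cifs_fstab() {
    awk '
        /^[ \t]*#/ || NF < 4 || $3 != "cifs" { next }
        {
            cred = ro = inline = smb1 = 0
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] ~ /^credentials=/)     cred = 1
                if (opt[i] ~ /^(password|pass)=/) inline = 1
                if (opt[i] == "ro")               ro = 1
                if (opt[i] ~ /^vers=1\.0$/)       smb1 = 1
            }
            if (inline) print $2 ": password is inline in fstab (world-readable)"
            if (!cred)  print $2 ": no credentials= file referenced"
            if (smb1)   print $2 ": SMB1 dialect requested"
            if (!ro)    print $2 ": no ro option, read-only depends on the share ACL alone"
        }' "${1:-/etc/fstab}"
}

# Return 0 only if $1 is a regular file with no group/other permission bits
# (for example 600 or 400). Uses GNU stat, as found on Rocky Linux.
cred_file_private() {
    [ -f "$1" ] || return 1
    case "$(stat -c '%a' "$1")" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample: the entry from this guide plus a deliberately weak one.
sample=$(mktemp)
cat > "$sample" <<'EOF'
//10.1.30.30/Multimedia /mnt/multimedia cifs credentials=/etc/samba/credentials,uid=1000,gid=1000,vers=3.0 0 0
//192.0.2.10/Scratch /mnt/scratch cifs username=demo,password=example,vers=1.0 0 0
EOF
audit_cifs_fstab "$sample"
cred_file_private "$sample" && echo "$sample: mode is private"
rm -f "$sample"
```

On the real server, run `audit_cifs_fstab /etc/fstab` and `sudo` the `cred_file_private /etc/samba/credentials` check after the `chmod 600` step.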
Port-Forward Jellyfin behind HAProxy
By utilizing Security:HaProxy on Servers:SAD-HME-FW01, I can safely port forward Jellyfin to the internet so my users and I can access content. I only have to open port 443 for all of my services behind HaProxy, and traffic is routed using the rules below, which has already been done. Additionally, HaProxy enables me to issue SSL certificates via Security:ACME Client to all of my services.
Cloudflare Configuration
According to Cloudflare's TOS, formerly section 2.8, it is against their policy to cache large amounts of multimedia data on their servers. You can read more about this in their blog article "Goodbye, section 2.8 and hello to Cloudflare's new terms of service". I have no interest in caching data; however, I still need to protect my origin IP. Nothing in their TOS states routing large amounts of data is against their policy. Keeping this in mind, I created a proxied DNS record to point to my firewall (see the HAProxy documentation above) and disabled caching for this URL.
- Create a public DNS record on Cloudflare
  - Log in to the Cloudflare dashboard and select your domain.
  - On the sidebar, click DNS, then click Records.
  - Click the blue Add Record button. Create a new A record with a name (such as stream) that points to the public IP of the firewall, and ensure the proxy status is on.
- Turn caching off for this URL to be compliant with Cloudflare TOS.
  - On the sidebar, navigate to Caching, then click on Cache Rules.
  - Click the blue Create Rule button and fill in the following information:
    - Rule Name: Bypass Cache - Jellyfin
    - Select the Custom Filter Expression radio button
    - Field: Hostname
    - Operator: Equals
    - Value: stream.sysadminafterdark.com
    - Then: Bypass Cache
  - Click the blue Deploy button.
We are now compliant with Cloudflare terms of service and we can protect our origin URL.
Updates
Updates to Jellyfin are processed through the repos added during the above process. No further action at this time is needed to maintain this service other than regular monthly updates.
Status
This setup guide has successfully been deployed to sysadminafterdark production.