From f7685b5f4957dd3db0c3459bcd4c2dbfc673a79c Mon Sep 17 00:00:00 2001
From: Jaculabilis <jaculabilis@git.alogoulogoi.com>
Date: Tue, 11 Mar 2025 13:32:23 +0000
Subject: [PATCH] empyrean: add secure revproxy to jellyfin

---
 machine/empyrean/default.nix | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/machine/empyrean/default.nix b/machine/empyrean/default.nix
index c313fb3..bf9773f 100644
--- a/machine/empyrean/default.nix
+++ b/machine/empyrean/default.nix
@@ -123,7 +123,16 @@
           proxy_read_timeout 600s;
           proxy_send_timeout 600s;
           send_timeout 600s;
-          access_log /var/log/nginx/access_immich.log;
+        '';
+      };
+      "jellyfin.secure.ktvb.site" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/".proxyPass = "http://10.22.20.8:8096";
+        extraConfig = ''
+          # enable mTLS
+          ssl_verify_client on;
+          ssl_client_certificate /etc/nginx/client-ca.crt;
         '';
       };
       # mirror revproxy