fix(jellyfin): configure known proxies and reverse proxy headers per Jellyfin docs

Amp-Thread-ID: https://ampcode.com/threads/T-019c12b1-e861-773b-8f74-64b6c2255a5f
Co-authored-by: Amp <amp@ampcode.com>

3 files changed, 54 insertions, 1 deletions

diff --git a/f3s/jellyfin/helm-chart/templates/configmap.yaml b/f3s/jellyfin/helm-chart/templates/configmap.yaml
new file mode 100644
index 0000000..8cbcc4f
--- /dev/null
+++ b/f3s/jellyfin/helm-chart/templates/configmap.yaml
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: jellyfin-network-config
+  namespace: services
+data:
+  network.xml: |
+    <?xml version="1.0" encoding="utf-8"?>
+    <NetworkConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+      <RequireHttps>false</RequireHttps>
+      <CertificatePath />
+      <CertificatePassword />
+      <BaseUrl />
+      <PublicHttpsPort>8920</PublicHttpsPort>
+      <HttpServerPortNumber>8096</HttpServerPortNumber>
+      <HttpsPortNumber>8920</HttpsPortNumber>
+      <EnableHttps>false</EnableHttps>
+      <PublicPort>8096</PublicPort>
+      <UPnPCreateHttpPortMap>false</UPnPCreateHttpPortMap>
+      <UDPPortRange />
+      <EnableIPV6>false</EnableIPV6>
+      <EnableIPV4>true</EnableIPV4>
+      <EnableSSDPTracing>false</EnableSSDPTracing>
+      <SSDPTracingFilter />
+      <UDPSendCount>2</UDPSendCount>
+      <UDPSendDelay>100</UDPSendDelay>
+      <IgnoreVirtualInterfaces>true</IgnoreVirtualInterfaces>
+      <VirtualInterfaceNames>vEthernet*</VirtualInterfaceNames>
+      <GatewayMonitorPeriod>60</GatewayMonitorPeriod>
+      <TrustAllIP6Interfaces>false</TrustAllIP6Interfaces>
+      <HDHomerunPortRange />
+      <PublishedServerUriBySubnet />
+      <AutoDiscoveryTracing>false</AutoDiscoveryTracing>
+      <AutoDiscovery>true</AutoDiscovery>
+      <RemoteIPFilter />
+      <IsRemoteIPFilterBlacklist>false</IsRemoteIPFilterBlacklist>
+      <EnableUPnP>false</EnableUPnP>
+      <EnableRemoteAccess>true</EnableRemoteAccess>
+      <LocalNetworkSubnets />
+      <LocalNetworkAddresses />
+      <KnownProxies>
+        <ProxyAddress>10.0.0.0/8</ProxyAddress>
+        <ProxyAddress>192.168.0.0/16</ProxyAddress>
+      </KnownProxies>
+      <EnablePublishedServerUriByRequest>false</EnablePublishedServerUriByRequest>
+    </NetworkConfiguration>
diff --git a/f3s/jellyfin/helm-chart/templates/deployment.yaml b/f3s/jellyfin/helm-chart/templates/deployment.yaml
index a90bbed..c646e8f 100644
--- a/f3s/jellyfin/helm-chart/templates/deployment.yaml
+++ b/f3s/jellyfin/helm-chart/templates/deployment.yaml
@@ -33,6 +33,9 @@ spec:
               mountPath: /media/libraries
             - name: jellyfin-data
               mountPath: /data
+            - name: network-config
+              mountPath: /config/config/network.xml
+              subPath: network.xml
       volumes:
         - name: jellyfin-config
           persistentVolumeClaim:
@@ -43,6 +46,9 @@ spec:
         - name: jellyfin-data
           persistentVolumeClaim:
             claimName: jellyfin-data-pvc
+        - name: network-config
+          configMap:
+            name: jellyfin-network-config
 ---
 apiVersion: v1
 kind: Service
diff --git a/f3s/jellyfin/helm-chart/templates/ingress.yaml b/f3s/jellyfin/helm-chart/templates/ingress.yaml
index 6c5571b..3ea2291 100644
--- a/f3s/jellyfin/helm-chart/templates/ingress.yaml
+++ b/f3s/jellyfin/helm-chart/templates/ingress.yaml
@@ -16,7 +16,7 @@ spec:
         - name: jellyfin-server
           port: 8096
 ---
-# Middleware to add X-Forwarded-Proto header so Jellyfin knows it's HTTPS
+# Middleware to add headers for reverse proxy (relayd TLS offloading)
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
@@ -26,3 +26,4 @@ spec:
   headers:
     customRequestHeaders:
       X-Forwarded-Proto: https
+      X-Forwarded-Host: jellyfin.f3s.buetow.org