• v0.1.4 7c94570a2c

    Stable

    josephembrey released this 2026-03-24 16:46:05 -04:00 | 25 commits to main since this release

    Added

    • auth, localDomain, localAuth options on all 27 web-exposed services.
      Every service with a Caddy reverse proxy now has:
      • auth (bool) — toggle Authelia forward-auth on the public domain (default
        true for most services, false for jellyfin, miniflux, forgejo, webhook)
      • localDomain (nullable string) — LAN FQDN for Caddy, automatically excluded
        from Cloudflare DNS records and tunnel ingress
      • localAuth (bool) — toggle Authelia on the local domain (default false)
    • Smart localDomain filtering in cloudflare/dns, cloudflare/tunnel, and
      pihole. These modules now collect all localDomain values from enabled services
      and exclude them from public DNS and tunnel ingress, regardless of naming
      convention. The .local. heuristic is kept as a fallback for non-module Caddy
      hosts.
    • Flake checks output with module evaluation test — verifies all 48 modules
      evaluate without errors. Run with nix flake check.
    • Forgejo CI workflow (.forgejo/workflows/check.yml) — runs nix flake check
      on every push.
    • Flake formatter output: alejandra available via nix fmt.
    • Plex media group option: josephembrey.plex.group (default "media") and
      meta.groups = [cfg.group], matching the pattern used by all other media services.
    • Caddy Authelia assertion — when caddy's auth.address points to the default
      Authelia address (127.0.0.1:9091), an assertion verifies that
      josephembrey.authelia is enabled. Prevents silent 502 errors from a missing
      auth backend.
    • Jellyfin backward compatibility shim: mkRemovedOptionModule for the old
      josephembrey.jellyfin.domains option with a migration message pointing to
      domain/localDomain.

    Changed

    • Breaking: josephembrey.jellyfin.domains replaced with domain/localDomain.
      The old domains (list of strings) option is removed. Use domain for the
      public FQDN and localDomain for LAN access. Existing configs using domains
      will get a clear error message with migration instructions.
    • Media group GID aligned to 1200 across all media services (audiobookshelf,
      bazarr, calibre, jellyfin, radarr, sabnzbd, sonarr, plex). Previously services
      used lib.mkDefault 2000 while the registry module set 1200 — the registry
      always won in practice, but the inconsistency was confusing. All services now
      agree on 1200.
    • docs/OPTIONS.md updated with the new domain option pattern.
    • CLAUDE.md key rules updated to reflect conditional auth.
    • README.md jellyfin example updated from domains to localDomain.

    Fixed

    • Caddy response buffering for media streaming: flush_interval -1 added to
      jellyfin, audiobookshelf, and immich reverse proxy blocks. Caddy no longer
      buffers response bodies before forwarding, which caused video/audio stutter
      especially over higher-latency connections (e.g., WireGuard gateway).
    • Redundant cfg.enable removed from 11 impermanence guards (10 media
      services + podman). These guards were inside
      config = lib.mkIf cfg.enable (lib.mkMerge [...]), which already gates on
      enable. Plex correctly retains the check (different config structure).
    • Crosswatch caddy port — public domain block now uses the ${port} variable
      instead of hardcoded 8787, matching the localDomain block.
    • Cloudflare DNS .local. filter — the DNS module now excludes .local.
      domains from auto-discovered DNS records, matching the existing tunnel filter.
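
The localDomain filtering described under Added, together with the .local. fallback that the DNS fix brings in line with the tunnel, sketched as a stand-alone Nix expression. This is an added example, not the repository's module code: only the option names enable, domain, localDomain and localAuth come from these notes, while the service values, hostnames and helper names (moduleHosts, extraHosts, isLocal) are assumptions.

```nix
# Added example, not the project's implementation.
# Evaluate with: nix-instantiate --eval --strict --json filter.nix
let
  # Constructed sample services; hostnames are made up.
  services = {
    jellyfin = { enable = true; domain = "jellyfin.example.com"; localDomain = "jellyfin.home.arpa"; localAuth = false; };
    radarr = { enable = true; domain = "radarr.example.com"; localDomain = null; localAuth = false; };
    sonarr = { enable = false; domain = "sonarr.example.com"; localDomain = "sonarr.home.arpa"; localAuth = false; };
  };

  # Constructed Caddy hosts that are not declared through a service module.
  extraHosts = [ "nas.local.example.com" "status.example.com" ];

  enabled = builtins.filter (s: s.enable) (builtins.attrValues services);

  # Every localDomain declared by an enabled service, whatever it is named.
  localDomains =
    builtins.filter (d: d != null) (map (s: s.localDomain) enabled);

  # All hostnames Caddy would serve: public and local names of enabled
  # services plus the non-module hosts.
  moduleHosts = builtins.concatMap
    (s: [ s.domain ] ++ (if s.localDomain != null then [ s.localDomain ] else [ ]))
    enabled;
  allHosts = moduleHosts ++ extraHosts;

  # A host is LAN-only if a service declared it as localDomain, or, as a
  # fallback for non-module hosts, if its name contains ".local.".
  isLocal = host:
    builtins.elem host localDomains
    || (builtins.match ".*\\.local\\..*" host != null);

  publicHosts = builtins.filter (h: !(isLocal h)) allHosts;
in
# Evaluation fails if a declared localDomain would still be published.
assert builtins.all (d: !(builtins.elem d publicHosts)) localDomains;
{
  # Hosts eligible for public DNS records and tunnel ingress.
  inherit publicHosts;
  # Hosts withheld from public DNS and the tunnel.
  excluded = builtins.filter isLocal allHosts;
  # Local hosts served without Authelia (localAuth = false); these rely on
  # the exclusion above to stay off the public side.
  unauthenticatedLocal = map (s: s.localDomain)
    (builtins.filter (s: s.localDomain != null && !s.localAuth) enabled);
}
```

Because jellyfin.home.arpa carries no .local. label, it is excluded only through the collected localDomain list, which is the case the name-based heuristic alone would have missed.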