# Jellyfin — self-hosted media server (LAN-only)
# Deploy path on nullstone: /opt/docker/jellyfin/
# Domain: tv.s8n.ru (LAN-only via Pi-hole local DNS + no-guest middleware)
#
# Notes:
# - GTX 1660 Ti present but nvidia-smi failing on host. CPU transcode only
#   until driver is fixed; revisit hwaccel after fix.
# - Media mounted read-only into container; write only to /config + /cache.
# - userns: host matches nullstone Docker convention (host UID 1000 owns volumes).
# - Cert via existing letsencrypt resolver (Gandi DNS-01) — works without
#   public A record.

services:
  jellyfin:
    image: jellyfin/jellyfin:10.10.3
    container_name: jellyfin
    restart: unless-stopped
    user: "1000:1000"
    environment:
      - TZ=Europe/London
      - JELLYFIN_PublishedServerUrl=https://tv.s8n.ru
    volumes:
      - /home/docker/jellyfin/config:/config
      - /home/docker/jellyfin/cache:/cache
      - /home/user/media:/media:ro
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.jellyfin.rule=Host(`tv.s8n.ru`)"
      - "traefik.http.routers.jellyfin.entrypoints=websecure"
      - "traefik.http.routers.jellyfin.tls=true"
      - "traefik.http.routers.jellyfin.tls.certresolver=letsencrypt"
      - "traefik.http.routers.jellyfin.middlewares=security-headers@file,no-guest@file"
      - "traefik.http.services.jellyfin.loadbalancer.server.port=8096"

networks:
  proxy:
    external: true