fix container

common/common.nix

@@ -33,6 +33,8 @@
     wget kakoune htop git dnsutils tmux nethogs iotop
   ];
 
+  nixpkgs.config.allowUnfree = true;
+
   users.mutableUsers = false;
   users.users.googlebot = {
     isNormalUser = true;

common/pc/de.nix

@@ -23,14 +23,6 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    # allow specific unfree packages
-    nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
-      "tigervnc" "font-bh-lucidatypewriter" # tigervnc
-      "steam" "steam-original" "steam-runtime" # TODO move to steam.nix
-      "discord" # TODO move to discord.nix
-      "chromium" "chrome-widevine-cdm" "chromium-unwrapped" # widevine support
-    ];
-
     # vulkan
     hardware.opengl.driSupport = true;
     hardware.opengl.driSupport32Bit = true;

common/zerotier.nix

@@ -7,5 +7,8 @@ in {
     services.zerotierone.joinNetworks = [
       "565799d8f6d654c0"
     ];
+    networking.firewall.allowedUDPPorts = [
+      9993
+    ];
   };
 }

machines/mitty/configuration.nix

@@ -26,11 +26,30 @@
 
   services.nginx.enable = true;
 
-  zerotier.enable = true;
+  services.zerotier.enable = true;
 
   containers.jellyfin = {
+    ephemeral = true;
+    autoStart = true;
+    bindMounts = {
+      "/var/lib" = {
+        hostPath = "/var/lib/";
+        isReadOnly = false;
+      };
+    };
+    bindMounts = {
+      "/secret" = {
+        hostPath = "/secret";
+        isReadOnly = true;
+      };
+    };
+    privateNetwork = true;
+    hostAddress = "172.16.100.1";
+    localAddress = "172.16.100.2";
+    config = { config, pkgs, ... }: {
+      imports = [ ../../common/common.nix ];
       pia.enable = true;
-    zerotier.enable = true;
+      services.zerotier.enable = true;
       nixpkgs.pkgs = pkgs;
 
       services.radarr.enable = true;
@@ -39,6 +58,11 @@
       services.deluge.enable = true;
       services.deluge.web.enable = true;
     };
+  };
+
+  networking.nat.enable = true;
+  networking.nat.internalInterfaces = [ "ve-*" ];
+  networking.nat.externalInterface = "ens3";
 
   security.acme.acceptTerms = true;
   security.acme.email = "letsencrypt+5@tar.ninja";