
Jellyfin - Media Server

Jellyfin is a self-hosted media server for movies, TV shows, and music.

Quick Reference

Property         Value
URL (External)   https://jellyfin.bogocat.com
URL (Internal)   http://10.89.97.97:8096
Location         LXC 113
Auth             LDAP + OAuth (SSO plugin)

Architecture

┌─────────────────────────────────────────────────────────────┐
│                       Jellyfin                              │
│                     (LXC 113)                               │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  ┌─────────────────────────────────────────────────────┐   │
│  │                 Authentication                       │   │
│  │                                                      │   │
│  │   ┌─────────────┐          ┌─────────────────────┐  │   │
│  │   │    LDAP     │          │    SSO Plugin       │  │   │
│  │   │  (Authentik)│          │  (OAuth/Authentik)  │  │   │
│  │   └──────┬──────┘          └──────────┬──────────┘  │   │
│  │          │                            │             │   │
│  │    Password only              MFA enforced          │   │
│  │    (no MFA)                   (full Authentik)      │   │
│  │          │                            │             │   │
│  │          └────────────┬───────────────┘             │   │
│  │                       ▼                             │   │
│  │              User Session Created                   │   │
│  └─────────────────────────────────────────────────────┘   │
│                                                             │
│  Storage: NFS mounts for media libraries                    │
└─────────────────────────────────────────────────────────────┘

Authentication

Dual Auth Design (LDAP + OAuth)

Jellyfin supports two authentication paths, each serving different use cases:

Path    Protocol              MFA   Use Case
LDAP    LDAP via Authentik    No    Smart TVs, Roku, mobile apps, Kodi
OAuth   OIDC via SSO plugin   Yes   Web browsers

Why dual auth?

  • Many Jellyfin clients (smart TV apps, Roku, Kodi) don't support OAuth flows
  • These devices need simple username/password authentication
  • LDAP provides this while still centralizing user management in Authentik

Security Tradeoff

┌─────────────────────────────────────────────────────────────────────┐
│                    LDAP = MFA Bypass Risk                           │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│  INTERNET                                                           │
│      │                                                              │
│      ├─────► LDAP Login ─────► Password Only ─────► ACCESS          │
│      │       (devices)         NO MFA              (risk)           │
│      │                                                              │
│      └─────► OAuth Login ────► Authentik ─────────► ACCESS          │
│              (browsers)        MFA ENFORCED         (secure)        │
│                                                                     │
│  Attack Vector: Brute force / credential stuffing via LDAP          │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘

Risk Assessment

Factor                  Assessment
Exposure                Password login at jellyfin.bogocat.com is reachable from the Internet and authenticates against LDAP (the LDAP server itself is internal only)
Brute Force Protection  Authentik rate limiting (5 attempts = lockout); Jellyfin adds no limit of its own on this path
Blast Radius            Media server only - no path to other services, with one exception: the LDAP plugin binds as cn=akadmin, Authentik's built-in superuser, so a compromise of the LXC (where the plugin stores that password) yields an Authentik admin credential unless the bind user is replaced with a dedicated service account
Likelihood              Low - requires knowing/guessing specific password
Impact                  Medium - attacker gets media access, not infrastructure

Verdict: Acceptable risk for homelab. A strong unique password is sufficient mitigation for the login path; replacing the akadmin bind user closes the one route from this host into Authentik.

Hardening Checklist

[x] Admin password is unique (not used anywhere else)
[x] Admin password is strong (20+ chars, random)
[x] SSO plugin installed for OAuth option
[x] Authentik rate limiting active
[ ] Replace the cn=akadmin LDAP bind user with a dedicated read-only service account
[ ] Optional: Enable Secure LDAP (port 636) in the plugin instead of plaintext 389
[ ] Optional: Disable LDAP auth for admin account
[ ] Optional: Monitor Authentik logs for failed LDAP attempts
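The last checklist item, worked out as a script. This is an added example for this page, not Authentik's or Jellyfin's own code, and it assumes (not stated on the page) that Authentik's events API, GET /api/v3/events/events/ filtered with action=login_failed and read with a Bearer API token, returns {"results": [...]} where each event carries "action", "client_ip", "created" (ISO 8601) and "context": {"username": ...}. The sample events are constructed in that shape. It counts failures per username and per source address inside a sliding window, so both a spray across accounts from one address and a single-account attack from rotating addresses are reported; if the LDAP outpost reports its own address as client_ip, the per-username counts are the ones that matter.

```python
"""Scan Authentik failed-login events for password guessing on the LDAP path.

Added example for this page, not Authentik's or Jellyfin's own code. Assumed
(not from the page): Authentik's events API, GET /api/v3/events/events/
with action=login_failed, read with a Bearer API token, returns
{"results": [...]} where each event has "action", "client_ip",
"created" (ISO 8601) and "context": {"username": ...}. SAMPLE_EVENTS is a
constructed response in that shape.
"""
import json
import os
import urllib.request
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                    # failures for one username or one IP ...
WINDOW = timedelta(minutes=10)   # ... inside this sliding window (tune to taste)

# Constructed sample: six guesses against "admin" in under a minute, one older
# isolated failure for the same account, a few unrelated failures, and one
# successful login that must be ignored.
SAMPLE_EVENTS = json.dumps({"results": [
    {"action": "login_failed", "client_ip": "198.51.100.23",
     "created": "2024-05-01T07:00:00Z", "context": {"username": "admin"}},
    *[{"action": "login_failed", "client_ip": "198.51.100.23",
       "created": f"2024-05-01T10:30:{s:02d}Z", "context": {"username": "admin"}}
      for s in range(0, 60, 10)],
    {"action": "login_failed", "client_ip": "203.0.113.7",
     "created": "2024-05-01T10:00:00Z", "context": {"username": "alice"}},
    {"action": "login_failed", "client_ip": "203.0.113.7",
     "created": "2024-05-01T10:00:05Z", "context": {"username": "alice"}},
    {"action": "login_failed", "client_ip": "203.0.113.7",
     "created": "2024-05-01T10:00:10Z", "context": {"username": "bob"}},
    {"action": "login", "client_ip": "203.0.113.7",
     "created": "2024-05-01T10:01:00Z", "context": {"username": "alice"}},
]})


def fetch_events(base_url: str, token: str) -> str:
    """Pull the newest failed-login events from a live Authentik (network call)."""
    url = f"{base_url.rstrip('/')}/api/v3/events/events/?action=login_failed&ordering=-created"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def parse_events(raw_json: str) -> list:
    """Reduce an events page to [{"username", "ip", "when"}] for failed logins only."""
    records = []
    for ev in json.loads(raw_json).get("results", []):
        if ev.get("action") != "login_failed":
            continue
        when = datetime.fromisoformat(ev["created"].replace("Z", "+00:00"))
        records.append({
            "username": (ev.get("context") or {}).get("username", "<unknown>"),
            "ip": ev.get("client_ip") or "<unknown>",
            "when": when,
        })
    return records


def max_in_window(times: list, window: timedelta) -> int:
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best, j = 0, 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def find_bursts(records: list, threshold: int = THRESHOLD, window: timedelta = WINDOW) -> dict:
    """Return {("username"|"ip", value): count} for every key whose failures
    reach `threshold` inside one `window`."""
    by_key = defaultdict(list)
    for r in records:
        by_key[("username", r["username"])].append(r["when"])
        by_key[("ip", r["ip"])].append(r["when"])
    alerts = {}
    for key, times in by_key.items():
        n = max_in_window(times, window)
        if n >= threshold:
            alerts[key] = n
    return alerts


if __name__ == "__main__":
    base, token = os.environ.get("AUTHENTIK_URL"), os.environ.get("AUTHENTIK_TOKEN")
    raw = fetch_events(base, token) if base and token else SAMPLE_EVENTS
    for (kind, value), n in sorted(find_bursts(parse_events(raw)).items()):
        print(f"ALERT {kind}={value}: {n} failed logins within {WINDOW}")
```

With AUTHENTIK_URL and AUTHENTIK_TOKEN set it reads the live event log; without them it runs over the constructed sample, where only the "admin" burst (and its source address) crosses the default threshold because the older failure falls outside the window. Run it from cron on the LXC and forward the output to wherever the rest of the homelab's alerts go.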

Optional: Disable LDAP for Admin

To take the admin account off the password-only LDAP path, switch it to Jellyfin's built-in (local) authentication provider. The SSO plugin signs users in through Authentik directly rather than through the password provider, so browser logins for the admin keep MFA:

  1. In Jellyfin Admin → Users → Admin user
  2. Change "Authentication Provider" from the LDAP plugin to the built-in provider
  3. Admin now logs in with "Sign in with Authentik" (OAuth, MFA enforced)

Caveat: this removes the LDAP route but not the built-in password login, which has no MFA either. Set the admin's local password to a long random value that is never typed into any device; otherwise the account still has a password-only path, just a different one.

Regular users can still use LDAP for device access.
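A check for the procedure above, as an added example that is not Jellyfin's own code: it lists every administrator whose logins are still handled by a provider other than the built-in one. It assumes (not stated on the page) that Jellyfin's GET /Users endpoint, called with an API key in the X-Emby-Token header, returns users whose "Policy" carries "IsAdministrator" and "AuthenticationProviderId"; that the built-in provider id is Jellyfin.Server.Implementations.Users.DefaultAuthenticationProvider; and that the LDAP plugin's id is LDAP_Auth.LdapAuthenticationProviderPlugin (confirm both against GET /Auth/Providers on the server). The user list in the block is constructed.

```python
"""Audit which Jellyfin administrators still log in through the LDAP plugin.

Added example for this page, not Jellyfin's own code. Assumed (not from the
page): GET /Users with an API key in the X-Emby-Token header returns a list of
users whose "Policy" carries "IsAdministrator" and "AuthenticationProviderId";
the provider ids below are assumed and should be confirmed against
GET /Auth/Providers. SAMPLE_USERS is a constructed response.
"""
import json
import os
import urllib.request

DEFAULT_PROVIDER = "Jellyfin.Server.Implementations.Users.DefaultAuthenticationProvider"
LDAP_PROVIDER = "LDAP_Auth.LdapAuthenticationProviderPlugin"   # assumed id, see docstring

# Constructed sample: one admin still on LDAP, one admin already moved to the
# built-in provider, and a regular user who should stay on LDAP for TV/Kodi.
SAMPLE_USERS = json.dumps([
    {"Name": "admin", "Id": "1",
     "Policy": {"IsAdministrator": True, "AuthenticationProviderId": LDAP_PROVIDER}},
    {"Name": "ops", "Id": "2",
     "Policy": {"IsAdministrator": True, "AuthenticationProviderId": DEFAULT_PROVIDER}},
    {"Name": "alice", "Id": "3",
     "Policy": {"IsAdministrator": False, "AuthenticationProviderId": LDAP_PROVIDER}},
])


def fetch_users(base_url: str, api_key: str) -> str:
    """Read the user list from a live Jellyfin server (network call)."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/Users",
                                 headers={"X-Emby-Token": api_key})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def audit_admins(users: list) -> list:
    """Return [(name, provider_id)] for every administrator whose logins are
    not handled by the built-in provider. Regular users are deliberately not
    reported: LDAP is the path their devices need."""
    findings = []
    for user in users:
        policy = user.get("Policy") or {}
        provider = policy.get("AuthenticationProviderId") or DEFAULT_PROVIDER
        if policy.get("IsAdministrator") and provider != DEFAULT_PROVIDER:
            findings.append((user.get("Name", "?"), provider))
    return findings


if __name__ == "__main__":
    base, key = os.environ.get("JELLYFIN_URL"), os.environ.get("JELLYFIN_API_KEY")
    users = json.loads(fetch_users(base, key) if base and key else SAMPLE_USERS)
    findings = audit_admins(users)
    for name, provider in findings:
        print(f"WARN: admin '{name}' still authenticates via {provider}")
    if not findings:
        print("OK: every administrator uses the built-in provider")
```

Run it with JELLYFIN_URL=http://10.89.97.97:8096 (the internal URL from Quick Reference) and an API key from Admin → API Keys. A clean result only means the LDAP route is closed for admins; the built-in provider still accepts the local password, so that password has to be long, random and unused elsewhere.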

LDAP Configuration

Authentik LDAP Provider:

Setting         Value
Provider Name   jellyfin-ldap
Base DN         DC=ldap,DC=goauthentik,DC=io
Bind Mode       Cached

Jellyfin LDAP Plugin Settings:

Setting         Value
LDAP Server     10.89.97.218
LDAP Port       389
Bind User DN    cn=akadmin,ou=users,dc=ldap,dc=goauthentik,dc=io
Base DN         dc=ldap,dc=goauthentik,dc=io

Two things to note about these values. The bind user is cn=akadmin, Authentik's built-in superuser: the plugin stores that password on the LXC, so anyone who can read the Jellyfin configuration holds an Authentik admin credential. Create a dedicated service account in Authentik with only the search rights the plugin needs and bind as that instead. Port 389 is plaintext LDAP, so the bind password and every user's password cross the internal network unencrypted; the Authentik LDAP outpost also listens on 636, which the plugin's "Secure LDAP" option uses.

SSO Plugin Configuration

The Jellyfin SSO plugin enables OAuth login via Authentik.

Authentik Setup:

  1. Create OAuth2/OIDC provider for Jellyfin
  2. Redirect URI: https://jellyfin.bogocat.com/sso/OID/redirect/authentik

Plugin Settings:

  • Provider: Authentik
  • Client ID/Secret from Authentik
  • Enables "Sign in with Authentik" button on login page

Network Path

Internet → VPS Caddy → Direct to LXC (10.89.97.97:8096)
                       (NOT through K8s ingress)

Note: Jellyfin runs on LXC, not K8s, so it doesn't benefit from K8s-level forward auth. Authentication is handled by Jellyfin itself via LDAP/SSO plugins.

Maintenance

Access LXC

# From Proxmox host
pct enter 113

# Or SSH
ssh root@10.89.97.97

Check Logs

# Jellyfin logs
journalctl -u jellyfin -f

# Or in web UI: Admin → Logs

Restart Service

systemctl restart jellyfin

Backup

  • Configuration: /var/lib/jellyfin/
  • Media: NFS mount (backed up via ZFS snapshots on NAS)