services: add jellyfin, archivebox, custom dns

- `internal.thegeneralist01.com` and `archive.thegeneralist01.com` are
  not public. I have Split DNS enabled on them (in Tailscale), with the
  IP of the DNS server set to a private Tailscale IP of my home server;
- CoreDNS (also on my home server) is used to resolve the two private
  domains' IPs to the home server itself;
- nginx only listens to its machine's (home server's) Tailscale IP;
- Therefore, all of it is hermetic!

hosts/thegeneralist-central/jellyfin/default.nix

@@ -0,0 +1,60 @@
+{ pkgs, ... }:
+let
+  acmeDomain = "thegeneralist01.com";
+  domain = "internal.${acmeDomain}";
+
+  ssl = {
+    forceSSL = true;
+    quic = true;
+    useACMEHost = domain;
+  };
+in
+{
+  environment.systemPackages = with pkgs; [
+    jellyfin
+    jellyfin-web
+    jellyfin-ffmpeg
+  ];
+
+  services.jellyfin = {
+    enable = true;
+    package = pkgs.jellyfin;
+    group = "jellyfin";
+    user = "jellyfin";
+
+    cacheDir  = "/mnt/usb/jellyfin/cache";
+    dataDir   = "/mnt/usb/jellyfin/data";
+    configDir = "/mnt/usb/jellyfin/data/config";
+    logDir    = "/mnt/usb/jellyfin/data/log";
+  };
+
+  services.nginx.virtualHosts.${domain} = ssl // {
+    listen = [
+      {
+        addr = "100.86.129.23";
+        port = 443;
+        ssl = true;
+      }
+      {
+        addr = "100.86.129.23";
+        port = 80;
+      }
+    ];
+
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:8096";
+      recommendedProxySettings = true;
+      extraConfig = ''
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+
+        # tell nginx not to buffer the response. send it as it comes.
+        proxy_buffering off;
+
+        # give jellyfin plenty of time to transcode
+        proxy_read_timeout 3600s;
+        proxy_send_timeout 3600s;
+      '';
+    };
+  };
+}