jellarr: set known proxy for nginx

[booxter]

No description provided.

[Copilot]

Pull request overview

Updates the jellarr NixOS service configuration to trust an nginx reverse proxy when determining the real client IP.

Changes:

• Adds a knownProxies allow-list entry for localhost (127.0.0.1) so proxied requests can be trusted.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This only trusts the IPv4 loopback. If nginx connects to the upstream over IPv6 (source ::1), the proxy may not be recognized and client IP handling can be wrong. Consider including \"::1\" as well (or using a CIDR that covers both loopback families, if supported by this option).

Suggested change

	knownProxies = [ "127.0.0.1" ];
	knownProxies = [ "127.0.0.1" "::1" ];

[Copilot]

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

If nginx connects to the backend over IPv6 loopback, requests will originate from ::1 rather than 127.0.0.1, and the proxy headers may not be trusted as intended. Consider including \"::1\" in knownProxies as well (or otherwise ensure nginx always uses IPv4 loopback).

Suggested change

	knownProxies = [ "127.0.0.1" ];
	knownProxies = [ "127.0.0.1" "::1" ];

[Copilot]

This introduces a security-relevant trust boundary (which sources are allowed to supply forwarded client IP headers). Add a short comment explaining why localhost is correct here (e.g., nginx is colocated and the backend is only reachable from localhost), to prevent future changes (like exposing the port or running behind a different proxy) from silently relying on an outdated assumption.

Suggested change

	network = {
	network = {
	# Only trust X-Forwarded-For from the local reverse proxy (nginx),
	# which is colocated on this host and reaches Jellyfin only via localhost.