diff --git a/docker_swarm/roles/media/docker-stack.yml.j2 b/docker_swarm/roles/media/docker-stack.yml.j2
index 96bf1c6..e49a603 100644
--- a/docker_swarm/roles/media/docker-stack.yml.j2
+++ b/docker_swarm/roles/media/docker-stack.yml.j2
@@ -49,40 +49,6 @@ volumes:
   jellyfin_cache:
 
 services:
-  jellyfin:
-    image: jellyfin/jellyfin:10.8.13-1
-    network_mode: 'host'
-    volumes:
-      - jellyfin_cache:/cache
-      - type: volume
-        source: jellyfin_config
-        target: /config
-        volume:
-          nocopy: true
-      - type: volume
-        source: media
-        target: /media
-        volume:
-          nocopy: true
-    # Alternative address used for autodiscovery
-    environment:
-      - JELLYFIN_PublishedServerUrl=http://media.kun.is:444
-    # Optional - may be necessary for docker healthcheck to pass if running in host network mode
-    # extra_hosts:
-    #   - "host.docker.internal:host-gateway"
-    networks:
-      - traefik
-    deploy:
-      labels:
-        - traefik.enable=true
-        - traefik.http.routers.jellyfin.entrypoints=websecure
-        - traefik.http.routers.jellyfin.rule=Host(`media.kun.is`)
-        - traefik.http.routers.jellyfin.tls=true
-        - traefik.http.routers.jellyfin.tls.certresolver=letsencrypt
-        - traefik.http.routers.jellyfin.service=jellyfin
-        - traefik.http.services.jellyfin.loadbalancer.server.port=8096
-        - traefik.docker.network=traefik
-
   transmission:
     image: lscr.io/linuxserver/transmission:latest
     ports:
diff --git a/docker_swarm/roles/traefik/docker-stack.yml.j2 b/docker_swarm/roles/traefik/docker-stack.yml.j2
index b289f56..c9f4f1d 100644
--- a/docker_swarm/roles/traefik/docker-stack.yml.j2
+++ b/docker_swarm/roles/traefik/docker-stack.yml.j2
@@ -120,6 +120,12 @@ services:
         - traefik.http.routers.forgejo.rule=Host(`git.kun.is`)
         - traefik.http.routers.forgejo.tls=true
         - traefik.http.routers.forgejo.tls.certresolver=letsencrypt
+
+        - traefik.http.routers.jellyfin.entrypoints=websecure
+        - traefik.http.routers.jellyfin.service=k3s@file
+        - traefik.http.routers.jellyfin.rule=Host(`media.kun.is`)
+        - traefik.http.routers.jellyfin.tls=true
+        - traefik.http.routers.jellyfin.tls.certresolver=letsencrypt
     volumes:
       - type: bind
         source: /var/run/docker.sock
diff --git a/nix/flake/kubenix/default.nix b/nix/flake/kubenix/default.nix
index ff90232..ebb874d 100644
--- a/nix/flake/kubenix/default.nix
+++ b/nix/flake/kubenix/default.nix
@@ -19,6 +19,7 @@
           ./paperless-ngx.nix
           ./kitchenowl.nix
           ./forgejo.nix
+          ./media.nix
         ];
         kubernetes.kubeconfig = "~/.kube/config";
         kubenix.project = "home";
diff --git a/nix/flake/kubenix/media.nix b/nix/flake/kubenix/media.nix
new file mode 100644
index 0000000..84f9f77
--- /dev/null
+++ b/nix/flake/kubenix/media.nix
@@ -0,0 +1,129 @@
+{
+  kubernetes.resources = {
+    configMaps.jellyfin-env.data.JELLYFIN_PublishedServerUrl = "https://media.kun.is";
+
+    deployments.jellyfin = {
+      metadata.labels = {
+        app = "media";
+        component = "jellyfin";
+      };
+
+      spec = {
+        selector.matchLabels = {
+          app = "media";
+          component = "jellyfin";
+        };
+
+        template = {
+          metadata.labels = {
+            app = "media";
+            component = "jellyfin";
+          };
+
+          spec = {
+            containers.jellyfin = {
+              image = "jellyfin/jellyfin:10.8.13-1";
+              envFrom = [{ configMapRef.name = "jellyfin-env"; }];
+
+              ports = [{
+                containerPort = 8096;
+                protocol = "TCP";
+              }];
+
+              volumeMounts = [
+                {
+                  name = "config";
+                  mountPath = "/config";
+                }
+                {
+                  name = "media";
+                  mountPath = "/media";
+                }
+              ];
+            };
+
+            volumes = [
+              {
+                name = "config";
+                persistentVolumeClaim.claimName = "jellyfin-config";
+              }
+              {
+                name = "media";
+                persistentVolumeClaim.claimName = "media";
+              }
+            ];
+          };
+        };
+      };
+    };
+
+    persistentVolumes = {
+      jellyfin-config.spec = {
+        capacity.storage = "1Mi";
+        accessModes = [ "ReadWriteMany" ];
+
+        nfs = {
+          server = "lewis.hyp";
+          path = "/mnt/data/nfs/jellyfin/config";
+        };
+      };
+
+      media.spec = {
+        capacity.storage = "1Mi";
+        accessModes = [ "ReadWriteMany" ];
+
+        nfs = {
+          server = "lewis.hyp";
+          path = "/mnt/data/nfs/media";
+        };
+      };
+    };
+
+    persistentVolumeClaims = {
+      jellyfin-config.spec = {
+        accessModes = [ "ReadWriteMany" ];
+        storageClassName = "";
+        resources.requests.storage = "1Mi";
+        volumeName = "jellyfin-config";
+      };
+
+      media.spec = {
+        accessModes = [ "ReadWriteMany" ];
+        storageClassName = "";
+        resources.requests.storage = "1Mi";
+        volumeName = "media";
+      };
+    };
+
+    services.jellyfin.spec = {
+      selector = {
+        app = "media";
+        component = "jellyfin";
+      };
+
+      ports = [{
+        protocol = "TCP";
+        port = 80;
+        targetPort = 8096;
+      }];
+    };
+
+    ingresses.jellyfin.spec = {
+      ingressClassName = "traefik";
+
+      rules = [{
+        host = "media.kun.is";
+
+        http.paths = [{
+          path = "/";
+          pathType = "Prefix";
+
+          backend.service = {
+            name = "jellyfin";
+            port.number = 80;
+          };
+        }];
+      }];
+    };
+  };
+}