jellyfin: init

1 files changed, 60 insertions, 0 deletions

diff --git a/usecases/server/jellyfin.nix b/usecases/server/jellyfin.nix
new file mode 100644
index 0000000..6f62c34
--- /dev/null
+++ b/usecases/server/jellyfin.nix
@@ -0,0 +1,60 @@
+inputs:
+
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    (inputs.nixpkgs-unstable.outPath + "/nixos/modules/services/misc/jellyfin.nix")
+  ];
+
+  disabledModules = [ "services/misc/jellyfin.nix" ];
+
+  options = with lib; {
+    services.jellyfin.allowedPaths = mkOption {
+      type = with types; listOf str;
+      description = ''
+        A list of paths that Jellyfin is allowed to read
+      '';
+    };
+  };
+
+  config = {
+    services.jellyfin = {
+      enable = true;
+      package = pkgs.unstable.jellyfin;
+    };
+
+    networking.firewall.interfaces.${config.topology.mainVpn.interfaceName}.allowedTCPPorts = [
+      8096
+    ];
+
+    systemd.services.jellyfin.serviceConfig = {
+      # TODO: remove when #108224 is merged
+
+      # Allows access to drm devices for transcoding with hardware acceleration
+      SupplementaryGroups = [ "video" ];
+      # char-drm Allows ffmpeg to transcode with hardware acceleration
+      DeviceAllow = lib.mkForce [ "char-drm rw" ];
+
+      PrivateDevices = lib.mkForce false;
+
+      # ================================
+
+      # Personal:
+      ProtectHome = true;
+      ProtectSystem = "strict";
+
+      BindReadOnlyPaths = [
+        "/nix/store"
+
+        "/etc/ssl/certs"
+        "/etc/static/ssl/certs"
+      ] ++ lib.optional config.hardware.opengl.enable [
+        "/run/opengl-driver"
+      ] ++ config.services.jellyfin.allowedPaths;
+
+      RuntimeDirectory = "jellyfin";
+      RootDirectory = "/run/jellyfin";
+    };
+  };
+}