2 files changed, 64 insertions, 0 deletions
diff --git a/flake.nix b/flake.nix
index 3006e5b..e2fc4b5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -78,6 +78,7 @@
        fail2ban = (import ./usecases/server/fail2ban.nix inputs);
        gotifyServer = (import ./usecases/server/gotify-server.nix inputs);
        hydraServer = (import ./usecases/server/hydra-server.nix inputs);
+        jellyfin = (import ./usecases/server/jellyfin.nix inputs);
        monitoringTarget = (import ./usecases/server/monitoring-target.nix inputs);
        radicale = (import ./usecases/server/radicale.nix inputs);
        smartd = (import ./usecases/server/smartd.nix inputs);
@@ -175,6 +176,7 @@
              self.nixosModules.usecases.server.ankisyncd
              self.nixosModules.usecases.server.gotifyServer
              self.nixosModules.usecases.server.hydraServer
+              self.nixosModules.usecases.server.jellyfin
              self.nixosModules.usecases.server.radicale
              self.nixosModules.usecases.server.zfs
@@ -189,6 +191,8 @@
                    "secret-key"
                    "testServer:0d5jJjOxIoe6sTr2YKWkQxsM3ZcW+9GAk52yYNVxfYBUxS2nUfzfQk5Jo0OwHnT95bTLXCVNQETGV4m6KHsVCA==";
                };
+                services.jellyfin.allowedPaths = [];
              }
            ];
          };
diff --git a/usecases/server/jellyfin.nix b/usecases/server/jellyfin.nix
new file mode 100644
index 0000000..6f62c34
--- /dev/null
+++ b/usecases/server/jellyfin.nix
@@ -0,0 +1,60 @@
+inputs:
+{ config, lib, pkgs, ... }:
+{
+  imports = [
+    (inputs.nixpkgs-unstable.outPath + "/nixos/modules/services/misc/jellyfin.nix")
+  ];
+  disabledModules = [ "services/misc/jellyfin.nix" ];
+  options = with lib; {
+    services.jellyfin.allowedPaths = mkOption {
+      type = with types; listOf str;
+      description = ''
+        A list of paths that Jellyfin is allowed to read
+      '';
+    };
+  };
+  config = {
+    services.jellyfin = {
+      enable = true;
+      package = pkgs.unstable.jellyfin;
+    };
+    networking.firewall.interfaces.${config.topology.mainVpn.interfaceName}.allowedTCPPorts = [
+      8096
+    ];
+    systemd.services.jellyfin.serviceConfig = {
+      # TODO: remove when #108224 is merged
+      # Allows access to drm devices for transcoding with hardware acceleration
+      SupplementaryGroups = [ "video" ];
+      # char-drm Allows ffmpeg to transcode with hardware acceleration
+      DeviceAllow = lib.mkForce [ "char-drm rw" ];
+      PrivateDevices = lib.mkForce false;
+      # ================================
+      # Personal:
+      ProtectHome = true;
+      ProtectSystem = "strict";
+      BindReadOnlyPaths = [
+        "/nix/store"
+        "/etc/ssl/certs"
+        "/etc/static/ssl/certs"
+      ] ++ lib.optional config.hardware.opengl.enable [
+        "/run/opengl-driver"
+      ] ++ config.services.jellyfin.allowedPaths;
+      RuntimeDirectory = "jellyfin";
+      RootDirectory = "/run/jellyfin";
+    };
+  };
+}

diff --git a/flake.nix b/flake.nix index 3006e5b..e2fc4b5 100644 --- a/flake.nix +++ b/flake.nix
@@ -78,6 +78,7 @@
78	fail2ban = (import ./usecases/server/fail2ban.nix inputs);	78	fail2ban = (import ./usecases/server/fail2ban.nix inputs);
79	gotifyServer = (import ./usecases/server/gotify-server.nix inputs);	79	gotifyServer = (import ./usecases/server/gotify-server.nix inputs);
80	hydraServer = (import ./usecases/server/hydra-server.nix inputs);	80	hydraServer = (import ./usecases/server/hydra-server.nix inputs);
		81	jellyfin = (import ./usecases/server/jellyfin.nix inputs);
81	monitoringTarget = (import ./usecases/server/monitoring-target.nix inputs);	82	monitoringTarget = (import ./usecases/server/monitoring-target.nix inputs);
82	radicale = (import ./usecases/server/radicale.nix inputs);	83	radicale = (import ./usecases/server/radicale.nix inputs);
83	smartd = (import ./usecases/server/smartd.nix inputs);	84	smartd = (import ./usecases/server/smartd.nix inputs);
@@ -175,6 +176,7 @@
175	self.nixosModules.usecases.server.ankisyncd	176	self.nixosModules.usecases.server.ankisyncd
176	self.nixosModules.usecases.server.gotifyServer	177	self.nixosModules.usecases.server.gotifyServer
177	self.nixosModules.usecases.server.hydraServer	178	self.nixosModules.usecases.server.hydraServer
		179	self.nixosModules.usecases.server.jellyfin
178	self.nixosModules.usecases.server.radicale	180	self.nixosModules.usecases.server.radicale
179	self.nixosModules.usecases.server.zfs	181	self.nixosModules.usecases.server.zfs
180		182
@@ -189,6 +191,8 @@
189	"secret-key"	191	"secret-key"
190	"testServer:0d5jJjOxIoe6sTr2YKWkQxsM3ZcW+9GAk52yYNVxfYBUxS2nUfzfQk5Jo0OwHnT95bTLXCVNQETGV4m6KHsVCA==";	192	"testServer:0d5jJjOxIoe6sTr2YKWkQxsM3ZcW+9GAk52yYNVxfYBUxS2nUfzfQk5Jo0OwHnT95bTLXCVNQETGV4m6KHsVCA==";
191	};	193	};
		194
		195	services.jellyfin.allowedPaths = [];
192	}	196	}
193	];	197	];
194	};	198	};


diff --git a/usecases/server/jellyfin.nix b/usecases/server/jellyfin.nix new file mode 100644 index 0000000..6f62c34 --- /dev/null +++ b/usecases/server/jellyfin.nix
@@ -0,0 +1,60 @@
		1	inputs:
		2
		3	{ config, lib, pkgs, ... }:
		4
		5	{
		6	imports = [
		7	(inputs.nixpkgs-unstable.outPath + "/nixos/modules/services/misc/jellyfin.nix")
		8	];
		9
		10	disabledModules = [ "services/misc/jellyfin.nix" ];
		11
		12	options = with lib; {
		13	services.jellyfin.allowedPaths = mkOption {
		14	type = with types; listOf str;
		15	description = ''
		16	A list of paths that Jellyfin is allowed to read
		17	'';
		18	};
		19	};
		20
		21	config = {
		22	services.jellyfin = {
		23	enable = true;
		24	package = pkgs.unstable.jellyfin;
		25	};
		26
		27	networking.firewall.interfaces.${config.topology.mainVpn.interfaceName}.allowedTCPPorts = [
		28	8096
		29	];
		30
		31	systemd.services.jellyfin.serviceConfig = {
		32	# TODO: remove when #108224 is merged
		33
		34	# Allows access to drm devices for transcoding with hardware acceleration
		35	SupplementaryGroups = [ "video" ];
		36	# char-drm Allows ffmpeg to transcode with hardware acceleration
		37	DeviceAllow = lib.mkForce [ "char-drm rw" ];
		38
		39	PrivateDevices = lib.mkForce false;
		40
		41	# ================================
		42
		43	# Personal:
		44	ProtectHome = true;
		45	ProtectSystem = "strict";
		46
		47	BindReadOnlyPaths = [
		48	"/nix/store"
		49
		50	"/etc/ssl/certs"
		51	"/etc/static/ssl/certs"
		52	] ++ lib.optional config.hardware.opengl.enable [
		53	"/run/opengl-driver"
		54	] ++ config.services.jellyfin.allowedPaths;
		55
		56	RuntimeDirectory = "jellyfin";
		57	RootDirectory = "/run/jellyfin";
		58	};
		59	};
		60	}