From cc6d84beb848060535f006854927e7ea8126a98a Mon Sep 17 00:00:00 2001 From: Minijackson Date: Sun, 30 May 2021 18:21:08 +0200 Subject: jellyfin: init --- flake.nix | 4 +++ usecases/server/jellyfin.nix | 60 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+) create mode 100644 usecases/server/jellyfin.nix diff --git a/flake.nix b/flake.nix index 3006e5b..e2fc4b5 100644 --- a/flake.nix +++ b/flake.nix @@ -78,6 +78,7 @@ fail2ban = (import ./usecases/server/fail2ban.nix inputs); gotifyServer = (import ./usecases/server/gotify-server.nix inputs); hydraServer = (import ./usecases/server/hydra-server.nix inputs); + jellyfin = (import ./usecases/server/jellyfin.nix inputs); monitoringTarget = (import ./usecases/server/monitoring-target.nix inputs); radicale = (import ./usecases/server/radicale.nix inputs); smartd = (import ./usecases/server/smartd.nix inputs); @@ -175,6 +176,7 @@ self.nixosModules.usecases.server.ankisyncd self.nixosModules.usecases.server.gotifyServer self.nixosModules.usecases.server.hydraServer + self.nixosModules.usecases.server.jellyfin self.nixosModules.usecases.server.radicale self.nixosModules.usecases.server.zfs @@ -189,6 +191,8 @@ "secret-key" "testServer:0d5jJjOxIoe6sTr2YKWkQxsM3ZcW+9GAk52yYNVxfYBUxS2nUfzfQk5Jo0OwHnT95bTLXCVNQETGV4m6KHsVCA=="; }; + + services.jellyfin.allowedPaths = []; } ]; }; diff --git a/usecases/server/jellyfin.nix b/usecases/server/jellyfin.nix new file mode 100644 index 0000000..6f62c34 --- /dev/null +++ b/usecases/server/jellyfin.nix 
@@ -0,0 +1,60 @@
+inputs:
+
+{ config, lib, pkgs, ... }:
+
+{
+ imports = [
+ (inputs.nixpkgs-unstable.outPath + "/nixos/modules/services/misc/jellyfin.nix")
+ ];
+
+ disabledModules = [ "services/misc/jellyfin.nix" ];
+
+ options = with lib; {
+ services.jellyfin.allowedPaths = mkOption {
+ type = with types; listOf str;
+ description = ''
+ A list of paths that Jellyfin is allowed to read
+ '';
+ };
+ };
+
+ config = {
+ services.jellyfin = {
+ enable = true;
+ package = pkgs.unstable.jellyfin;
+ };
+
+ networking.firewall.interfaces.${config.topology.mainVpn.interfaceName}.allowedTCPPorts = [
+ 8096
+ ];
+
+ systemd.services.jellyfin.serviceConfig = {
+ # TODO: remove when #108224 is merged
+
+ # Allows access to drm devices for transcoding with hardware acceleration
+ SupplementaryGroups = [ "video" ];
+ # char-drm Allows ffmpeg to transcode with hardware acceleration
+ DeviceAllow = lib.mkForce [ "char-drm rw" ];
+
+ PrivateDevices = lib.mkForce false;
+
+ # ================================
+
+ # Personal:
+ ProtectHome = true;
+ ProtectSystem = "strict";
+
+ BindReadOnlyPaths = [
+ "/nix/store"
+
+ "/etc/ssl/certs"
+ "/etc/static/ssl/certs"
+ ] ++ lib.optional config.hardware.opengl.enable [
+ "/run/opengl-driver"
+ ] ++ config.services.jellyfin.allowedPaths;
+
+ RuntimeDirectory = "jellyfin";
+ RootDirectory = "/run/jellyfin";
+ };
+ };
+}
--
cgit v1.2.3
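Review bot: In `BindReadOnlyPaths`, `lib.optional config.hardware.opengl.enable [ "/run/opengl-driver" ]` produces a nested list, because `lib.optional` wraps a single element. On a host with OpenGL enabled, whether the driver path ends up bound into the `/run/jellyfin` root then depends on how the unit generator stringifies the inner list, not on the value being well-formed. Use `lib.optionals config.hardware.opengl.enable [ "/run/opengl-driver" ]` instead. Separately, `services.jellyfin.allowedPaths` is the read allowlist for the sandbox but is declared as `listOf str` with no default, so every host must define it and any string is appended to the bind list unchecked. Adding `default = [ ];` and `type = with types; listOf path;` would keep the allowlist empty unless a host opts in and would reject non-absolute entries. The description should also say that the paths are bind-mounted read-only and, presumably, that entries under `/home` stay hidden while `ProtectHome = true` is set.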