From cc6d84beb848060535f006854927e7ea8126a98a Mon Sep 17 00:00:00 2001
From: Minijackson
Date: Sun, 30 May 2021 18:21:08 +0200
Subject: jellyfin: init
---
usecases/server/jellyfin.nix | 60 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 usecases/server/jellyfin.nix
(limited to 'usecases')
diff --git a/usecases/server/jellyfin.nix b/usecases/server/jellyfin.nix
new file mode 100644
index 0000000..6f62c34
--- /dev/null
+++ b/usecases/server/jellyfin.nix
@@ -0,0 +1,60 @@
+inputs:
+
+{ config, lib, pkgs, ... }:
+
+{
+ imports = [
+ (inputs.nixpkgs-unstable.outPath + "/nixos/modules/services/misc/jellyfin.nix")
+ ];
+
+ disabledModules = [ "services/misc/jellyfin.nix" ];
+
+ options = with lib; {
+ services.jellyfin.allowedPaths = mkOption {
+ type = with types; listOf str;
+ description = ''
+ A list of paths that Jellyfin is allowed to read
+ '';
+ };
+ };
+
+ config = {
+ services.jellyfin = {
+ enable = true;
+ package = pkgs.unstable.jellyfin;
+ };
+
+ networking.firewall.interfaces.${config.topology.mainVpn.interfaceName}.allowedTCPPorts = [
+ 8096
+ ];
+
+ systemd.services.jellyfin.serviceConfig = {
+ # TODO: remove when #108224 is merged
+
+ # Allows access to drm devices for transcoding with hardware acceleration
+ SupplementaryGroups = [ "video" ];
+ # char-drm Allows ffmpeg to transcode with hardware acceleration
+ DeviceAllow = lib.mkForce [ "char-drm rw" ];
+
+ PrivateDevices = lib.mkForce false;
+
+ # ================================
+
+ # Personal:
+ ProtectHome = true;
+ ProtectSystem = "strict";
+
+ BindReadOnlyPaths = [
+ "/nix/store"
+
+ "/etc/ssl/certs"
+ "/etc/static/ssl/certs"
+ ] ++ lib.optional config.hardware.opengl.enable [
+ "/run/opengl-driver"
+ ] ++ config.services.jellyfin.allowedPaths;
+
+ RuntimeDirectory = "jellyfin";
+ RootDirectory = "/run/jellyfin";
+ };
+ };
+}
--
cgit v1.2.3
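Review bot: In `BindReadOnlyPaths`, `lib.optional config.hardware.opengl.enable [ "/run/opengl-driver" ]` hands a list to `lib.optional`, which wraps its argument in a list, so with OpenGL enabled the option receives a nested list instead of a path string. Whether that still renders as a valid bind mount depends on how the unit generator stringifies list elements, which is not visible in this patch; `] ++ lib.optionals config.hardware.opengl.enable [` (or passing the bare string to `lib.optional`) avoids relying on it. Since this list feeds the set of paths the service can see inside `RootDirectory = "/run/jellyfin"`, every entry should be a plain path. `services.jellyfin.allowedPaths` also has no `default`; unless forcing an explicit value per host is intended, `default = [ ];` keeps the module evaluable while exposing no extra paths.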