stockholm/makefu/2configs/home/jellyfin.nix

{ lib, config, ... }:
{
        services.jellyfin.enable = true;
        services.jellyfin.openFirewall = true;
        state = [ "/var/lib/jellyfin" ];
        users.users.${config.services.jellyfin.user}.extraGroups = [ "download" "video" "render" ];

        systemd.services.jellyfin = {

        after = [ "media-cloud.mount" ];
        serviceConfig = rec {
          SupplementaryGroups = lib.mkForce [ "video" "render" "download" ];
          UMask = lib.mkForce "0077";


        Type = lib.mkForce "simple";
        StateDirectory = lib.mkForce "jellyfin";
        StateDirectoryMode = lib.mkForce "0700";
        CacheDirectory = lib.mkForce "jellyfin";
        CacheDirectoryMode = lib.mkForce "0700";
        WorkingDirectory = lib.mkForce "/var/lib/jellyfin";
        Restart = lib.mkForce "on-failure";
        TimeoutSec = lib.mkForce 15;
        SuccessExitStatus = lib.mkForce ["0" "143"];

        # Security options:
        NoNewPrivileges = lib.mkForce true;
        SystemCallArchitectures = lib.mkForce "native";
        # AF_NETLINK needed because Jellyfin monitors the network connection
        RestrictAddressFamilies = lib.mkForce [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
        RestrictNamespaces = lib.mkForce false;
        RestrictRealtime = lib.mkForce true;
        RestrictSUIDSGID = lib.mkForce true;
        ProtectControlGroups = lib.mkForce false;
        ProtectHostname = lib.mkForce true;
        ProtectKernelLogs = lib.mkForce false;
        ProtectKernelModules = lib.mkForce false;
        ProtectKernelTunables = lib.mkForce false;
        LockPersonality = lib.mkForce true;
        PrivateTmp = lib.mkForce false;
        # needed for hardware accelaration
        PrivateDevices = lib.mkForce false;
        PrivateUsers = lib.mkForce true;
        RemoveIPC = lib.mkForce true;

        SystemCallFilter = lib.mkForce [
          "~@clock"
          "~@aio"
          "~@chown"
          "~@cpu-emulation"
          "~@debug"
          "~@keyring"
          "~@memlock"
          "~@module"
          "~@mount"
          "~@obsolete"
          "~@privileged"
          "~@raw-io"
          "~@reboot"
          "~@setuid"
          "~@swap"
        ];
        SystemCallErrorNumber = lib.mkForce "EPERM";
      };
    };
}
ma home: init jellyfin 2022-06-06 19:08:36 +00:00			`{ lib, config, ... }:`
			`{`
			`services.jellyfin.enable = true;`
			`services.jellyfin.openFirewall = true;`
			`state = [ "/var/lib/jellyfin" ];`
ma home: add 3dprint, update jellyfin and music 2022-09-23 21:43:58 +00:00			`users.users.${config.services.jellyfin.user}.extraGroups = [ "download" "video" "render" ];`

			`systemd.services.jellyfin = {`

			`after = [ "media-cloud.mount" ];`
			`serviceConfig = rec {`
			`SupplementaryGroups = lib.mkForce [ "video" "render" "download" ];`
			`UMask = lib.mkForce "0077";`


			`Type = lib.mkForce "simple";`
			`StateDirectory = lib.mkForce "jellyfin";`
			`StateDirectoryMode = lib.mkForce "0700";`
			`CacheDirectory = lib.mkForce "jellyfin";`
			`CacheDirectoryMode = lib.mkForce "0700";`
			`WorkingDirectory = lib.mkForce "/var/lib/jellyfin";`
			`Restart = lib.mkForce "on-failure";`
			`TimeoutSec = lib.mkForce 15;`
			`SuccessExitStatus = lib.mkForce ["0" "143"];`

			`# Security options:`
			`NoNewPrivileges = lib.mkForce true;`
			`SystemCallArchitectures = lib.mkForce "native";`
			`# AF_NETLINK needed because Jellyfin monitors the network connection`
			`RestrictAddressFamilies = lib.mkForce [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];`
			`RestrictNamespaces = lib.mkForce false;`
			`RestrictRealtime = lib.mkForce true;`
			`RestrictSUIDSGID = lib.mkForce true;`
			`ProtectControlGroups = lib.mkForce false;`
			`ProtectHostname = lib.mkForce true;`
			`ProtectKernelLogs = lib.mkForce false;`
			`ProtectKernelModules = lib.mkForce false;`
			`ProtectKernelTunables = lib.mkForce false;`
			`LockPersonality = lib.mkForce true;`
			`PrivateTmp = lib.mkForce false;`
			`# needed for hardware accelaration`
			`PrivateDevices = lib.mkForce false;`
			`PrivateUsers = lib.mkForce true;`
			`RemoveIPC = lib.mkForce true;`

			`SystemCallFilter = lib.mkForce [`
			`"~@clock"`
			`"~@aio"`
			`"~@chown"`
			`"~@cpu-emulation"`
			`"~@debug"`
			`"~@keyring"`
			`"~@memlock"`
			`"~@module"`
			`"~@mount"`
			`"~@obsolete"`
			`"~@privileged"`
			`"~@raw-io"`
			`"~@reboot"`
			`"~@setuid"`
			`"~@swap"`
			`];`
			`SystemCallErrorNumber = lib.mkForce "EPERM";`
			`};`
			`};`
ma home: init jellyfin 2022-06-06 19:08:36 +00:00			`}`