From 68db37f6c413530f35589d1da2ea758ac274d752 Mon Sep 17 00:00:00 2001
From: makefu
Date: Fri, 23 Sep 2022 23:43:58 +0200
Subject: [PATCH] ma home: add 3dprint, update jellyfin and music
---
makefu/2configs/home/3dprint.nix | 45 ++++++++++++++++++++++
makefu/2configs/home/jellyfin.nix | 64 +++++++++++++++++++++++++++++--
makefu/2configs/home/music.nix | 6 +--
3 files changed, 106 insertions(+), 9 deletions(-)
create mode 100644 makefu/2configs/home/3dprint.nix
diff --git a/makefu/2configs/home/3dprint.nix b/makefu/2configs/home/3dprint.nix
new file mode 100644
index 000000000..859a18840
--- /dev/null
+++ b/makefu/2configs/home/3dprint.nix
@@ -0,0 +1,45 @@
+{ pkgs, ... }:
+{
+ services.mjpg-streamer = {
+ enable = true;
+ inputPlugin = "input_uvc.so -d /dev/web_cam -r 1280x960";
+ };
+ users.users.octoprint.extraGroups = [ "video" ];
+ # allow octoprint to access /dev/vchiq
+ # also ensure that the webcam always comes up under the same name
+ services.udev.extraRules = ''
+ SUBSYSTEM=="vchiq",GROUP="video",MODE="0660"
+ SUBSYSTEM=="video4linux", ATTR{name}=="UVC Camera (046d:0825)",SYMLINK+="web_cam", MODE="0666", GROUP="video"
+ '';
+ systemd.services.octoprint = {
+ path = [ pkgs.libraspberrypi ];
+ };
+ services.octoprint = {
+ enable = true;
+ plugins = plugins: with plugins;[
+ costestimation
+ displayprogress
+ mqtt
+ stlviewer
+ themeify
+ # octolapse
+ (buildPlugin rec {
+ pname = "OctoPrint-HomeAssistant";
+ version = "3.6.2";
+ src = pkgs.fetchFromGitHub {
+ owner = "cmroche";
+ repo = pname;
+ rev = version;
+ hash = "sha256-oo9OBmHoJFNGK7u9cVouMuBuUcUxRUrY0ppRq0OS1ro=";
+ };
+ })
+ ];
+ extraConfig.plugins.mqtt.broker = {
+ url = "omo.lan";
+ # TODO TODO TODO
+ username = "hass";
+ password = "lksue43jrf";
+ # TODO TODO TODO
+ };
+ };
+}
diff --git a/makefu/2configs/home/jellyfin.nix b/makefu/2configs/home/jellyfin.nix
index 672a483e5..acfdb2599 100644
--- a/makefu/2configs/home/jellyfin.nix
+++ b/makefu/2configs/home/jellyfin.nix
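Review bot: The MQTT broker login in `extraConfig.plugins.mqtt.broker` (`username = "hass"; password = "lksue43jrf";`) is committed in cleartext and, since the octoprint module renders `extraConfig` into a Nix store path, lands world-readable on the host as well as in git history — the surrounding `# TODO TODO TODO` markers say as much. Keep only `url = "omo.lan";` in the module, have OctoPrint pick the credentials up from a root-owned file in its state directory that is provisioned outside the store, and rotate this password now that it has been pushed. Separately, the webcam udev rule sets `MODE="0666"` even though it already sets `GROUP="video"` and the line above adds octoprint to `video`, so `MODE="0660"` — the same mode the `vchiq` rule uses — is sufficient and keeps other local users off the camera.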
@@ -2,9 +2,65 @@
 {
 services.jellyfin.enable = true;
 services.jellyfin.openFirewall = true;
- #users.users.${config.services.jellyfin.user}.extraGroups = [ "download" "video" "render" ];
 state = [ "/var/lib/jellyfin" ];
- systemd.services.jellyfin.serviceConfig.PrivateDevices = lib.mkForce false;
- systemd.services.jellyfin.serviceConfig.DeviceAllow = lib.mkForce ["char-drm rwm" "char-nvidia-frontend" "char-nvidia-uvm"];
- systemd.services.jellyfin.serviceConfig.SupplementaryGroups = [ "video" "render" "download" ];
+ users.users.${config.services.jellyfin.user}.extraGroups = [ "download" "video" "render" ];
+
+ systemd.services.jellyfin = {
+
+ after = [ "media-cloud.mount" ];
+ serviceConfig = rec {
+ SupplementaryGroups = lib.mkForce [ "video" "render" "download" ];
+ UMask = lib.mkForce "0077";
+
+
+ Type = lib.mkForce "simple";
+ StateDirectory = lib.mkForce "jellyfin";
+ StateDirectoryMode = lib.mkForce "0700";
+ CacheDirectory = lib.mkForce "jellyfin";
+ CacheDirectoryMode = lib.mkForce "0700";
+ WorkingDirectory = lib.mkForce "/var/lib/jellyfin";
+ Restart = lib.mkForce "on-failure";
+ TimeoutSec = lib.mkForce 15;
+ SuccessExitStatus = lib.mkForce ["0" "143"];
+
+ # Security options:
+ NoNewPrivileges = lib.mkForce true;
+ SystemCallArchitectures = lib.mkForce "native";
+ # AF_NETLINK needed because Jellyfin monitors the network connection
+ RestrictAddressFamilies = lib.mkForce [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
+ RestrictNamespaces = lib.mkForce false;
+ RestrictRealtime = lib.mkForce true;
+ RestrictSUIDSGID = lib.mkForce true;
+ ProtectControlGroups = lib.mkForce false;
+ ProtectHostname = lib.mkForce true;
+ ProtectKernelLogs = lib.mkForce false;
+ ProtectKernelModules = lib.mkForce false;
+ ProtectKernelTunables = lib.mkForce false;
+ LockPersonality = lib.mkForce true;
+ PrivateTmp = lib.mkForce false;
+ # needed for hardware accelaration
+ PrivateDevices = lib.mkForce false;
+ PrivateUsers = lib.mkForce true;
+ RemoveIPC = lib.mkForce true;
+
+ SystemCallFilter = lib.mkForce [
+ "~@clock"
+ "~@aio"
+ "~@chown"
+ "~@cpu-emulation"
+ "~@debug"
+ "~@keyring"
+ "~@memlock"
+ "~@module"
+ "~@mount"
+ "~@obsolete"
+ "~@privileged"
+ "~@raw-io"
+ "~@reboot"
+ "~@setuid"
+ "~@swap"
+ ];
+ SystemCallErrorNumber = lib.mkForce "EPERM";
+ };
+ };
 }
diff --git a/makefu/2configs/home/music.nix b/makefu/2configs/home/music.nix
index 7f5a425d2..7dd8ca6e1 100644
--- a/makefu/2configs/home/music.nix
+++ b/makefu/2configs/home/music.nix
@@ -22,10 +22,6 @@ in
 locations."/".proxyPass = "http://localhost:${toString port}";
 locations."/".proxyWebsockets = true;
- extraConfig = ''
- if ( $server_addr != "${internal-ip}" ) {
- return 403;
- }
- '';
 };
+ networking.firewall.allowedTCPPorts = [ port ];
 }
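Review bot: Several hardening options in `serviceConfig` are forced off without a stated reason — `RestrictNamespaces`, `ProtectControlGroups`, `ProtectKernelLogs`, `ProtectKernelModules`, `ProtectKernelTunables` and `PrivateTmp` are all `lib.mkForce false` — while the only justification in the hunk (`# needed for hardware accelaration`) covers `PrivateDevices`. GPU transcoding needs device access plus the `video`/`render` groups, but nothing in the hunk shows it needs writable kernel tunables, module loading or a shared /tmp, so either add a one-line comment per relaxed option naming what breaks with it on, or remove the `mkForce false` lines that are not needed and let the upstream defaults stand. Two smaller points: `serviceConfig = rec {` uses `rec` without any self-reference, so it can be plain `serviceConfig = {`, and `PrivateUsers = lib.mkForce true` together with `SupplementaryGroups` deserves a functional check, since inside a private user namespace unmapped GIDs show up as nobody and access to `/dev/dri` through the `render` group may not behave as expected.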
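Review bot: The added `networking.firewall.allowedTCPPorts = [ port ];` exposes the music backend itself on every interface, although the nginx vhost already reaches it on `http://localhost:${toString port}` and therefore does not need the port opened; any restriction the vhost applies — including the `$server_addr` check this hunk removes — is bypassed by connecting to `port` directly. If direct access is only wanted from the internal network, scope it with `networking.firewall.interfaces.<internal-iface>.allowedTCPPorts = [ port ];` (interface name is a placeholder), otherwise drop the line and keep nginx as the only entry point. The enclosing `services.nginx.virtualHosts` attribute set starts before the hunk, so whether the vhost carries any other access control is not visible here.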