ma home: add 3dprint, update jellyfin and music

2022-09-23 23:43:58 +02:00 · 2022-09-23 23:43:58 +02:00 · 68db37f6c4
commit 68db37f6c4
parent 3e8f855f60
3 changed files with 106 additions and 9 deletions
--- a/makefu/2configs/home/3dprint.nix
+++ b/makefu/2configs/home/3dprint.nix
@ -0,0 +1,45 @@
 { pkgs, ... }:
 {
  services.mjpg-streamer = {
    enable = true;
    inputPlugin = "input_uvc.so -d /dev/web_cam -r 1280x960";
  };
  users.users.octoprint.extraGroups = [ "video" ];
  # allow octoprint to access /dev/vchiq
  # also ensure that the webcam always comes up under the same name
  services.udev.extraRules = ''
    SUBSYSTEM=="vchiq",GROUP="video",MODE="0660"
    SUBSYSTEM=="video4linux", ATTR{name}=="UVC Camera (046d:0825)",SYMLINK+="web_cam", MODE="0666", GROUP="video"
  '';
  systemd.services.octoprint = {
    path = [ pkgs.libraspberrypi ];
  };
  services.octoprint = {
    enable = true;
    plugins = plugins: with plugins;[
      costestimation
      displayprogress
      mqtt
      stlviewer
      themeify
      # octolapse
      (buildPlugin rec {
        pname = "OctoPrint-HomeAssistant";
        version = "3.6.2";
        src = pkgs.fetchFromGitHub {
          owner = "cmroche";
          repo = pname;
          rev = version;
          hash = "sha256-oo9OBmHoJFNGK7u9cVouMuBuUcUxRUrY0ppRq0OS1ro=";
        };
      })
    ];
    extraConfig.plugins.mqtt.broker = {
      url = "omo.lan";
      # TODO TODO TODO
      username = "hass";
      password = "lksue43jrf";
      # TODO TODO TODO
    };
  };
 }
--- a/makefu/2configs/home/jellyfin.nix
+++ b/makefu/2configs/home/jellyfin.nix
@ -2,9 +2,65 @@
 {
        services.jellyfin.enable = true;
        services.jellyfin.openFirewall = true;
        #users.users.${config.services.jellyfin.user}.extraGroups = [ "download" "video" "render" ];
        state = [ "/var/lib/jellyfin" ];
-        systemd.services.jellyfin.serviceConfig.PrivateDevices = lib.mkForce false;
+        users.users.${config.services.jellyfin.user}.extraGroups = [ "download" "video" "render" ];
-        systemd.services.jellyfin.serviceConfig.DeviceAllow = lib.mkForce ["char-drm rwm" "char-nvidia-frontend" "char-nvidia-uvm"];
+
-        systemd.services.jellyfin.serviceConfig.SupplementaryGroups = [ "video" "render" "download" ];
+        systemd.services.jellyfin = {
        after = [ "media-cloud.mount" ];
        serviceConfig = rec {
          SupplementaryGroups = lib.mkForce [ "video" "render" "download" ];
          UMask = lib.mkForce "0077";
        Type = lib.mkForce "simple";
        StateDirectory = lib.mkForce "jellyfin";
        StateDirectoryMode = lib.mkForce "0700";
        CacheDirectory = lib.mkForce "jellyfin";
        CacheDirectoryMode = lib.mkForce "0700";
        WorkingDirectory = lib.mkForce "/var/lib/jellyfin";
        Restart = lib.mkForce "on-failure";
        TimeoutSec = lib.mkForce 15;
        SuccessExitStatus = lib.mkForce ["0" "143"];
        # Security options:
        NoNewPrivileges = lib.mkForce true;
        SystemCallArchitectures = lib.mkForce "native";
        # AF_NETLINK needed because Jellyfin monitors the network connection
        RestrictAddressFamilies = lib.mkForce [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
        RestrictNamespaces = lib.mkForce false;
        RestrictRealtime = lib.mkForce true;
        RestrictSUIDSGID = lib.mkForce true;
        ProtectControlGroups = lib.mkForce false;
        ProtectHostname = lib.mkForce true;
        ProtectKernelLogs = lib.mkForce false;
        ProtectKernelModules = lib.mkForce false;
        ProtectKernelTunables = lib.mkForce false;
        LockPersonality = lib.mkForce true;
        PrivateTmp = lib.mkForce false;
        # needed for hardware accelaration
        PrivateDevices = lib.mkForce false;
        PrivateUsers = lib.mkForce true;
        RemoveIPC = lib.mkForce true;
        SystemCallFilter = lib.mkForce [
          "~@clock"
          "~@aio"
          "~@chown"
          "~@cpu-emulation"
          "~@debug"
          "~@keyring"
          "~@memlock"
          "~@module"
          "~@mount"
          "~@obsolete"
          "~@privileged"
          "~@raw-io"
          "~@reboot"
          "~@setuid"
          "~@swap"
        ];
        SystemCallErrorNumber = lib.mkForce "EPERM";
      };
    };
 }
--- a/makefu/2configs/home/music.nix
+++ b/makefu/2configs/home/music.nix
@ -22,10 +22,6 @@ in
    locations."/".proxyPass = "http://localhost:${toString port}";
    locations."/".proxyWebsockets = true;
    extraConfig = ''
      if ( $server_addr != "${internal-ip}" ) {
        return 403;
      }
    '';
  };
  networking.firewall.allowedTCPPorts = [ port ];
 }