ma home: add 3dprint, update jellyfin and music

2022-09-23 23:43:58 +02:00 · 2022-09-23 23:43:58 +02:00 · 68db37f6c4
commit 68db37f6c4
parent 3e8f855f60
3 changed files with 106 additions and 9 deletions
--- a/makefu/2configs/home/3dprint.nix
+++ b/makefu/2configs/home/3dprint.nix
@ -0,0 +1,45 @@
+{ pkgs, ... }:
+{
+  services.mjpg-streamer = {
+    enable = true;
+    inputPlugin = "input_uvc.so -d /dev/web_cam -r 1280x960";
+  };
+  users.users.octoprint.extraGroups = [ "video" ];
+  # allow octoprint to access /dev/vchiq
+  # also ensure that the webcam always comes up under the same name
+  services.udev.extraRules = ''
+    SUBSYSTEM=="vchiq",GROUP="video",MODE="0660"
+    SUBSYSTEM=="video4linux", ATTR{name}=="UVC Camera (046d:0825)",SYMLINK+="web_cam", MODE="0666", GROUP="video"
+  '';
+  systemd.services.octoprint = {
+    path = [ pkgs.libraspberrypi ];
+  };
+  services.octoprint = {
+    enable = true;
+    plugins = plugins: with plugins;[
+      costestimation
+      displayprogress
+      mqtt
+      stlviewer
+      themeify
+      # octolapse
+      (buildPlugin rec {
+        pname = "OctoPrint-HomeAssistant";
+        version = "3.6.2";
+        src = pkgs.fetchFromGitHub {
+          owner = "cmroche";
+          repo = pname;
+          rev = version;
+          hash = "sha256-oo9OBmHoJFNGK7u9cVouMuBuUcUxRUrY0ppRq0OS1ro=";
+        };
+      })
+    ];
+    extraConfig.plugins.mqtt.broker = {
+      url = "omo.lan";
+      # TODO TODO TODO
+      username = "hass";
+      password = "lksue43jrf";
+      # TODO TODO TODO
+    };
+  };
+}
--- a/makefu/2configs/home/jellyfin.nix
+++ b/makefu/2configs/home/jellyfin.nix
@ -2,9 +2,65 @@
 {
        services.jellyfin.enable = true;
        services.jellyfin.openFirewall = true;
-        #users.users.${config.services.jellyfin.user}.extraGroups = [ "download" "video" "render" ];
        state = [ "/var/lib/jellyfin" ];
-        systemd.services.jellyfin.serviceConfig.PrivateDevices = lib.mkForce false;
-        systemd.services.jellyfin.serviceConfig.DeviceAllow = lib.mkForce ["char-drm rwm" "char-nvidia-frontend" "char-nvidia-uvm"];
-        systemd.services.jellyfin.serviceConfig.SupplementaryGroups = [ "video" "render" "download" ];
+        users.users.${config.services.jellyfin.user}.extraGroups = [ "download" "video" "render" ];
+
+        systemd.services.jellyfin = {
+
+        after = [ "media-cloud.mount" ];
+        serviceConfig = rec {
+          SupplementaryGroups = lib.mkForce [ "video" "render" "download" ];
+          UMask = lib.mkForce "0077";
+
+
+        Type = lib.mkForce "simple";
+        StateDirectory = lib.mkForce "jellyfin";
+        StateDirectoryMode = lib.mkForce "0700";
+        CacheDirectory = lib.mkForce "jellyfin";
+        CacheDirectoryMode = lib.mkForce "0700";
+        WorkingDirectory = lib.mkForce "/var/lib/jellyfin";
+        Restart = lib.mkForce "on-failure";
+        TimeoutSec = lib.mkForce 15;
+        SuccessExitStatus = lib.mkForce ["0" "143"];
+
+        # Security options:
+        NoNewPrivileges = lib.mkForce true;
+        SystemCallArchitectures = lib.mkForce "native";
+        # AF_NETLINK needed because Jellyfin monitors the network connection
+        RestrictAddressFamilies = lib.mkForce [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
+        RestrictNamespaces = lib.mkForce false;
+        RestrictRealtime = lib.mkForce true;
+        RestrictSUIDSGID = lib.mkForce true;
+        ProtectControlGroups = lib.mkForce false;
+        ProtectHostname = lib.mkForce true;
+        ProtectKernelLogs = lib.mkForce false;
+        ProtectKernelModules = lib.mkForce false;
+        ProtectKernelTunables = lib.mkForce false;
+        LockPersonality = lib.mkForce true;
+        PrivateTmp = lib.mkForce false;
+        # needed for hardware accelaration
+        PrivateDevices = lib.mkForce false;
+        PrivateUsers = lib.mkForce true;
+        RemoveIPC = lib.mkForce true;
+
+        SystemCallFilter = lib.mkForce [
+          "~@clock"
+          "~@aio"
+          "~@chown"
+          "~@cpu-emulation"
+          "~@debug"
+          "~@keyring"
+          "~@memlock"
+          "~@module"
+          "~@mount"
+          "~@obsolete"
+          "~@privileged"
+          "~@raw-io"
+          "~@reboot"
+          "~@setuid"
+          "~@swap"
+        ];
+        SystemCallErrorNumber = lib.mkForce "EPERM";
+      };
+    };
 }
--- a/makefu/2configs/home/music.nix
+++ b/makefu/2configs/home/music.nix
@ -22,10 +22,6 @@ in

    locations."/".proxyPass = "http://localhost:${toString port}";
    locations."/".proxyWebsockets = true;
-    extraConfig = ''
-      if ( $server_addr != "${internal-ip}" ) {
-        return 403;
-      }
-    '';
  };
+  networking.firewall.allowedTCPPorts = [ port ];
 }